From b4fc89b12c120348797fd10fa5cb7a0822228a62 Mon Sep 17 00:00:00 2001 From: Jeff Larson Date: Wed, 10 Jun 2026 03:27:29 -0700 Subject: [PATCH 1/3] ci: run ui + chart jobs on watcher-runners MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Move the lightweight ui (setup-node + npm) and chart (helm lint) jobs to the self-hosted watcher-runners — they bring their own tooling and run fine on ARM. server stays on GitHub-hosted: its postgres service container needs a local Docker daemon, which the ARC runners don't have (image builds offload to remote BuildKit). image was already on watcher-runners. Co-Authored-By: Claude Opus 4.8 --- .github/workflows/ci.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 44a3482..97171ef 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -10,6 +10,8 @@ permissions: jobs: server: + # Stays on GitHub-hosted: the watcher-runners (ARC, no local Docker — image + # builds offload to remote BuildKit) can't run the postgres service container. runs-on: ubuntu-latest services: postgres: @@ -35,7 +37,7 @@ jobs: - run: cargo test --locked # runs the ingest->query integration test against the service DB ui: - runs-on: ubuntu-latest + runs-on: watcher-runners defaults: run: working-directory: ui @@ -50,7 +52,7 @@ jobs: - run: npm run build chart: - runs-on: ubuntu-latest + runs-on: watcher-runners steps: - uses: actions/checkout@v6 - name: Install helm From 1a4722c994b988607f2aacec54e1a36e214148ea Mon Sep 17 00:00:00 2001 From: Jeff Larson Date: Wed, 10 Jun 2026 03:31:17 -0700 Subject: [PATCH 2/3] ci: install helm via azure/setup-helm (no sudo on ARC runners) The get-helm-3 script sudo-installs to /usr/local/bin, which fails on the watcher-runners (no_new_privileges blocks sudo). setup-helm uses the tool cache. Co-Authored-By: Claude Opus 4.8 --- .github/workflows/ci.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 97171ef..d8f7d43 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -55,8 +55,9 @@ jobs: runs-on: watcher-runners steps: - uses: actions/checkout@v6 - - name: Install helm - run: curl -fsSL https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash + # setup-helm installs to the tool cache (no sudo). get-helm-3's sudo install + # fails on the ARC runners, which run with no_new_privileges. + - uses: azure/setup-helm@v4 - run: helm lint chart # One image now: the server builds the UI and embeds it (rust-embed), so there From 7f7663127ec89251ef5b326fe98560c576d5325f Mon Sep 17 00:00:00 2001 From: Jeff Larson Date: Wed, 10 Jun 2026 03:34:21 -0700 Subject: [PATCH 3/3] ci: use azure/setup-helm@v5 (latest; node24 runtime) v5.0.0 is the current release; the only change from v4 is the node20->node24 runtime bump, already proven on these runners (checkout@v6 is node24 too). Co-Authored-By: Claude Opus 4.8 --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index d8f7d43..d6d057d 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -57,7 +57,7 @@ jobs: - uses: actions/checkout@v6 # setup-helm installs to the tool cache (no sudo). get-helm-3's sudo install # fails on the ARC runners, which run with no_new_privileges. - - uses: azure/setup-helm@v4 + - uses: azure/setup-helm@v5 - run: helm lint chart # One image now: the server builds the UI and embeds it (rust-embed), so there