ci: use GitHub-hosted release runners

Author: therealaleph

.github/workflows/release-drafter.yml

@@ -6,8 +6,7 @@
 # `docs/changelog/v<ver>.md` is prefilled.
 #
 # Cost: one ubuntu-latest job per relevant PR/push event, single API
-# call, no compile, no tests. Zero contention with the self-hosted
-# Hetzner runners that release.yml uses.
+# call, no compile, no tests.
 
 name: release-drafter
 

.github/workflows/release.yml

@@ -31,42 +31,31 @@ permissions:
   packages: write
 
 # Runner strategy:
-#   - Linux + Android + mipsel:       self-hosted (mhrv-hetzner-*, Hetzner
-#                                     8-core / 31 GB Ubuntu 24.04 box with
-#                                     Rust, Android SDK+NDK, Docker, all
-#                                     cross-compile toolchains pre-installed).
-#                                     Two runners registered for parallelism.
-#   - macOS arm64 + amd64, Windows:   GitHub-hosted (we don't self-host those
-#                                     OSes; the free minutes on a public repo
-#                                     are plenty for those two platforms).
+#   - Linux + Android + mipsel:       GitHub-hosted Ubuntu runners.
+#   - macOS arm64 + amd64, Windows:   GitHub-hosted native OS runners.
 #
-# Why self-hosted: GH-hosted 2-core runners were spending ~13 min cold per
-# release; on the Hetzner box a cold linux-amd64 build is 1m9s, and warm
-# builds with Swatinem/rust-cache are sub-minute. Keeps the toolchain warm,
-# and more importantly keeps target/ warm via the rust-cache action.
+# Why hosted: the repo no longer keeps persistent release builders
+# registered. Each release job provisions only the tools it needs, while
+# Swatinem/rust-cache keeps target/ and cargo registry rebuild cost sane.
 
 jobs:
   build:
     strategy:
       fail-fast: false
       matrix:
         include:
-          # Pin to Ubuntu 22.04 GLIBC target (GLIBC 2.35) so the glibc builds
-          # load on any distro ≥ Ubuntu 22.04 / Debian 12 / Mint 21 / Fedora 36.
-          # On self-hosted this is a Rust-side choice (cargo target triple),
-          # not an OS-of-the-runner choice — the runner itself is Ubuntu 24.04
-          # (GLIBC 2.39), but we link against the 2.35-era glibc via the
-          # x86_64-unknown-linux-gnu target triple which pins to the oldest
-          # GLIBC symbol version rustc is willing to emit. Users behind tight
-          # internet who can't dist-upgrade keep working.
+          # Pin the runner to Ubuntu 22.04 and use the
+          # x86_64-unknown-linux-gnu target so glibc builds stay compatible
+          # with Ubuntu 22.04 / Debian 12 / Mint 21 / Fedora 36 era systems.
+          # Users behind tight internet who can't dist-upgrade keep working.
           - target: x86_64-unknown-linux-gnu
-            os: [self-hosted, linux, x64, mhrv-build]
+            os: ubuntu-22.04
             name: mhrv-rs-linux-amd64
           - target: aarch64-unknown-linux-gnu
-            os: [self-hosted, linux, x64, mhrv-build]
+            os: ubuntu-22.04
             name: mhrv-rs-linux-arm64
           - target: arm-unknown-linux-gnueabihf
-            os: [self-hosted, linux, x64, mhrv-build]
+            os: ubuntu-22.04
             name: mhrv-rs-raspbian-armhf
           - target: x86_64-apple-darwin
             os: macos-latest
@@ -89,10 +78,10 @@ jobs:
           # x86_64-pc-windows-gnu (windows-amd64) which covers ~99% of
           # active Windows installs (incl. all WoA64 emulation).
           - target: x86_64-unknown-linux-musl
-            os: [self-hosted, linux, x64, mhrv-build]
+            os: ubuntu-22.04
             name: mhrv-rs-linux-musl-amd64
           - target: aarch64-unknown-linux-musl
-            os: [self-hosted, linux, x64, mhrv-build]
+            os: ubuntu-22.04
             name: mhrv-rs-linux-musl-arm64
           # OpenWRT MT7621 (soft-float mipsel 32-bit). Dozens of cheap
           # home routers run this chipset and they *specifically* need
@@ -103,7 +92,7 @@ jobs:
           # `continue-on-error: true` so a regression here doesn't block
           # the rest of the release. Issue #26.
           - target: mipsel-unknown-linux-musl
-            os: [self-hosted, linux, x64, mhrv-build]
+            os: ubuntu-22.04
             name: mhrv-rs-openwrt-mipsel-softfloat
             mipsel_softfloat: true
 
@@ -114,26 +103,6 @@ jobs:
     continue-on-error: ${{ matrix.mipsel_softfloat == true }}
 
     steps:
-      # Heal any root-owned leftovers from a previous mipsel docker
-      # build that failed before its post-step chown could run. The
-      # docker container writes target/ as root, and if cargo errors
-      # inside the container the outer `sudo chown -R` line never
-      # executes (bash -e exits on the docker non-zero), leaving root-
-      # owned files that fail every subsequent `actions/checkout@v4`
-      # workspace clean with `EACCES: permission denied unlink`. This
-      # step is a no-op on a clean runner, so cheap to keep always-on.
-      # Self-hosted only; GitHub-hosted runners get a fresh VM each run.
-      - name: Pre-checkout — clean root-owned files (self-hosted only)
-        if: contains(matrix.os, 'self-hosted')
-        run: |
-          if [ -d "$GITHUB_WORKSPACE/target" ]; then
-            sudo rm -rf "$GITHUB_WORKSPACE/target" || true
-          fi
-          # Stale .rustc_info.json at the workspace root is the
-          # specific file `actions/checkout` errors on; nuke any
-          # other root-owned scraps that may be sitting there too.
-          sudo find "$GITHUB_WORKSPACE" -maxdepth 2 -uid 0 -exec rm -rf {} + 2>/dev/null || true
-
       - uses: actions/checkout@v4
 
       # Skip the host-level rustup install for mipsel-softfloat — that
@@ -145,10 +114,6 @@ jobs:
       # 'mipsel-unknown-linux-musl' is unavailable for download", which
       # fails the job before the docker step ever runs.
       #
-      # On self-hosted this action is mostly a no-op: rustup is already
-      # installed and the standard target triples are pre-added. It
-      # still verifies the target is present and is cheap enough to keep
-      # as a safety net.
       # Per-matrix-entry toolchain selection. Default is `stable` (latest)
       # for every target except where `rust_toolchain` is explicitly pinned
       # — currently just i686-pc-windows-msvc, which needs 1.77.2 to keep
@@ -159,19 +124,9 @@ jobs:
           toolchain: ${{ matrix.rust_toolchain || 'stable' }}
           targets: ${{ matrix.target }}
 
-      # Cache target/ + cargo registry across runs — this is the big
-      # self-hosted speedup. Without it, actions/checkout@v4's default
-      # `git clean -ffdx` wipes target/ between runs and every build is
-      # cold. With it, warm builds are sub-minute even for the full
-      # release profile.
-      #
-      # cache-bin: false is MANDATORY on our self-hosted runners. With
-      # the default (true), rust-cache aggressively prunes $CARGO_HOME/bin
-      # of binaries it didn't install via `cargo install`, including the
-      # `rustup` binary that cargo/rustc/etc. are symlinked to. The next
-      # job then hits "command not found" or a broken-symlink TOML parse
-      # error from a stale cargo. We want target/ + registry caching, NOT
-      # bin pruning. rustup is pre-installed on the runners anyway.
+      # Cache target/ + cargo registry across runs. cache-bin: false keeps
+      # the cache focused on build artifacts and registry state instead of
+      # pruning tool binaries installed by setup actions.
       - uses: Swatinem/rust-cache@v2
         if: matrix.mipsel_softfloat != true
         with:
@@ -182,13 +137,11 @@ jobs:
           key: ${{ matrix.target }}-${{ matrix.rust_toolchain || 'stable' }}
           cache-bin: "false"
 
-      # eframe needs a few system libs on Linux for window management, keyboard,
-      # and OpenGL/X11/Wayland. Gated to GitHub-hosted runners only — the
-      # self-hosted runners pre-install all of these once at setup time, and
-      # letting multiple parallel matrix jobs race on `sudo apt-get install`
-      # fights over /var/lib/apt/lists/lock and fails them all.
+      # eframe needs a few system libs on Linux for window management,
+      # keyboard, and OpenGL/X11/Wayland. Only the x86_64 GNU Linux job
+      # builds the UI on Linux, so the cross and musl jobs skip this.
       - name: Install Linux eframe system deps
-        if: runner.os == 'Linux' && runner.environment == 'github-hosted'
+        if: matrix.target == 'x86_64-unknown-linux-gnu'
         run: |
           sudo apt-get update
           sudo apt-get install -y \
@@ -198,24 +151,22 @@ jobs:
             libx11-dev \
             libgl1-mesa-dev libglib2.0-dev libgtk-3-dev
 
-      # Cross-compile toolchains. Same story as above — gated to hosted
-      # runners; self-hosted has gcc-aarch64-linux-gnu + gcc-arm-linux-gnueabihf
-      # pre-installed, and the linker entries live in
-      # /home/ghrunner/cargo-{01,02}/config.toml (seeded once at runner
-      # setup time, picked up via CARGO_HOME env).
+      # Cross-compile toolchains for hosted Ubuntu runners.
       - name: Install aarch64 cross-compile toolchain (Linux only)
-        if: matrix.target == 'aarch64-unknown-linux-gnu' && runner.environment == 'github-hosted'
+        if: matrix.target == 'aarch64-unknown-linux-gnu'
         run: |
           sudo apt-get update
           sudo apt-get install -y gcc-aarch64-linux-gnu
+          mkdir -p ~/.cargo
           echo '[target.aarch64-unknown-linux-gnu]' >> ~/.cargo/config.toml
           echo 'linker = "aarch64-linux-gnu-gcc"' >> ~/.cargo/config.toml
 
       - name: Install armhf cross-compile toolchain (Linux only)
-        if: matrix.target == 'arm-unknown-linux-gnueabihf' && runner.environment == 'github-hosted'
+        if: matrix.target == 'arm-unknown-linux-gnueabihf'
         run: |
           sudo apt-get update
           sudo apt-get install -y gcc-arm-linux-gnueabihf
+          mkdir -p ~/.cargo
           echo '[target.arm-unknown-linux-gnueabihf]' >> ~/.cargo/config.toml
           echo 'linker = "arm-linux-gnueabihf-gcc"' >> ~/.cargo/config.toml
 
@@ -284,11 +235,10 @@ jobs:
           # Always chown back, even if docker exits non-zero. The previous
           # form (`docker run …; sudo chown …`) ran chown only on success
           # because bash -e short-circuits on the docker failure; that
-          # left target/ root-owned and broke `actions/checkout@v4` on
-          # every subsequent self-hosted run with EACCES on
-          # target/.rustc_info.json. The `trap … EXIT` runs the chown
-          # whether docker succeeded or failed, so a transient mipsel
-          # compile regression never poisons the runner workspace.
+          # left target/ root-owned for later steps in the same job. The
+          # `trap … EXIT` runs the chown whether docker succeeded or failed,
+          # so a transient mipsel compile regression never poisons the
+          # workspace.
           set +e
           trap 'sudo chown -R "$(id -u):$(id -g)" target 2>/dev/null || true' EXIT
           docker run --rm -v "$PWD":/src -w /src \
@@ -408,24 +358,21 @@ jobs:
   # x86_64, x86) via cargo-ndk and drops the .so files into the Gradle
   # project's jniLibs/ tree, which then packages them into a single
   # universal APK. Users pick it once, no per-ABI split.
-  #
-  # Runs on self-hosted. The runner has Android SDK + NDK r26c + cargo-ndk
-  # pre-installed under /opt/android-sdk; the env block below points Gradle
-  # at those paths so we don't re-download ~1 GB of SDK per release.
   android:
-    runs-on: [self-hosted, linux, x64, mhrv-build]
+    runs-on: ubuntu-latest
     env:
-      ANDROID_SDK_ROOT: /opt/android-sdk
-      ANDROID_HOME: /opt/android-sdk
-      ANDROID_NDK_HOME: /opt/android-sdk/ndk/26.2.11394342
-      ANDROID_NDK_ROOT: /opt/android-sdk/ndk/26.2.11394342
-      JAVA_HOME: /usr/lib/jvm/java-17-openjdk-amd64
+      ANDROID_SDK_ROOT: /usr/local/lib/android/sdk
+      ANDROID_HOME: /usr/local/lib/android/sdk
+      ANDROID_NDK_HOME: /usr/local/lib/android/sdk/ndk/26.2.11394342
+      ANDROID_NDK_ROOT: /usr/local/lib/android/sdk/ndk/26.2.11394342
     steps:
       - uses: actions/checkout@v4
 
-      # Rust toolchain: idempotent on self-hosted (targets already present),
-      # kept here so the workflow still works if we ever run it on a GH-hosted
-      # fallback.
+      - uses: actions/setup-java@v4
+        with:
+          distribution: temurin
+          java-version: '17'
+
       - uses: dtolnay/rust-toolchain@stable
         with:
           targets: aarch64-linux-android,armv7-linux-androideabi,x86_64-linux-android,i686-linux-android
@@ -434,9 +381,6 @@ jobs:
       # release builds back-to-back with LTO is where the cold cost comes
       # from; rust-cache brings warm runs down to ~3–4 min from ~9 min cold.
       # cache-bin: false — see the rationale on the matrix build job above.
-      # On top of that, `cargo-ndk` lives in /usr/local/bin/ on our runners
-      # (not $CARGO_HOME/bin), specifically so rust-cache's default bin
-      # pruning can't delete it.
       - uses: Swatinem/rust-cache@v2
         with:
           key: android-universal
@@ -446,6 +390,11 @@ jobs:
           workspaces: |
             . -> target
 
+      - name: Install Android NDK and cargo-ndk
+        run: |
+          yes | "$ANDROID_HOME/cmdline-tools/latest/bin/sdkmanager" "ndk;26.2.11394342"
+          cargo install cargo-ndk --locked
+
       # `./gradlew :app:assembleRelease` triggers cargoBuildRelease first
       # which invokes cargo-ndk with all four targets, then Gradle packages
       # the APK (release buildType signed with the committed release.jks —
@@ -583,11 +532,8 @@ jobs:
           cache-from: type=gha
           cache-to: type=gha,mode=max
 
-  # release + telegram: lightweight aggregation jobs kept on GH-hosted
-  # ubuntu-latest. They only download artifacts and call APIs — no build
-  # tooling needed, no benefit from moving to self-hosted, and keeping them
-  # off the self-hosted runners avoids contention with Linux build jobs from
-  # the next tag if two releases overlap.
+  # release + telegram: lightweight aggregation jobs on GitHub-hosted
+  # ubuntu-latest. They only download artifacts and call APIs.
   release:
     needs: [build, android]
     runs-on: ubuntu-latest