
.github/workflows: Migrate workflows to Blacksmith runners #3035

Open
blacksmith-sh[bot] wants to merge 5 commits into main from blacksmith-migration-30a3e24

Conversation

blacksmith-sh bot commented Jan 29, 2026

To whoever may be reviewing this PR,

Blacksmith is the fastest way to run your GitHub Actions.

What does this PR change?

This PR has been automatically generated by a team member in your GitHub organization using Blacksmith's Migration Wizard, or MigWiz for short. This PR changes the following:

  1. Your selected workflows will now run on Blacksmith's 2x faster hardware (e.g., runs-on: blacksmith-4vcpu-ubuntu-2204). Learn more about the different instances available to choose from.
  2. Your jobs running on Blacksmith will now have all official GitHub and popular third-party cache actions automatically interact with our 4x faster, colocated cache. Learn more about Blacksmith's actions cache.
  3. Your GitHub Actions will now actually be observable. Learn more about Blacksmith's logging and other observability features.
  4. Your Docker builds will now automatically share their Docker layer cache, resulting in up to 40x faster builds. Learn more about Blacksmith's Docker layer caching.

FAQ

  • Is this free? The first 3,000 minutes per month are free.
  • Who uses Blacksmith? Clerk, Ashby, VEED, and 600+ others.
  • What's the catch? There is none. Merge this thing already.

github-actions bot (Contributor) commented Jan 29, 2026

The latest Buf updates on your PR. Results from workflow CI / buf-check (pull_request).

Build      Format      Lint       Breaking   Updated (UTC)
✅ passed  ⏩ skipped  ✅ passed  ✅ passed  Feb 17, 2026, 3:46 PM

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Setup Blacksmith Builder
uses: useblacksmith/setup-docker-builder@v1

Check warning: Code scanning / CodeQL
Unpinned tag for a non-immutable Action in workflow (Medium)
Unpinned 3rd party Action 'Build Docker Images' step Uses Step uses 'useblacksmith/setup-docker-builder' with ref 'v1', not a pinned commit hash
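
Review bot: `useblacksmith/setup-docker-builder@v1` is a floating tag, so whoever can move `v1` on that repository changes what runs in this job, and the job goes on to push images (see the 'Build and push' step below); pin to the full 40-character commit SHA and keep the tag as a trailing comment, `uses: useblacksmith/setup-docker-builder@<full-sha> # v1`, then let Dependabot or Renovate advance the SHA. Note also that the snippet replaces `docker/setup-buildx-action@v3` rather than adding alongside it, so a buildx builder is now provided only by the Blacksmith action; confirm that no job still running on `ubuntu-latest` shares this step.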

- name: Build and push ${{ matrix.app.name }} Docker image
uses: docker/build-push-action@v6
uses: useblacksmith/build-push-action@v2

Check warning: Code scanning / CodeQL
Unpinned tag for a non-immutable Action in workflow (Medium)
Unpinned 3rd party Action 'Build Docker Images' step Uses Step uses 'useblacksmith/build-push-action' with ref 'v2', not a pinned commit hash
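
Review bot: same floating-tag problem with `useblacksmith/build-push-action@v2`; pin it to a full commit SHA. Separately, this swaps `docker/build-push-action@v6` for a third-party substitute and the step's inputs are not visible in this snippet; check that every input the step passes (in particular `platforms` and any `cache-from`/`cache-to`) is accepted by the replacement, since an unexpected input only produces a runner warning, not a failure, and the result would be a build that passes CI but is not cached or not multi-arch.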
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Setup Blacksmith Builder
uses: useblacksmith/setup-docker-builder@v1

Check warning: Code scanning / CodeQL
Unpinned tag for a non-immutable Action in workflow (Medium, test)
Unpinned 3rd party Action 'Tests / Code Coverage' step Uses Step uses 'useblacksmith/setup-docker-builder' with ref 'v1', not a pinned commit hash
uses: useblacksmith/setup-docker-builder@v1
- name: Build evstack:local-dev (cached)
uses: docker/build-push-action@v6
uses: useblacksmith/build-push-action@v2

Check warning: Code scanning / CodeQL
Unpinned tag for a non-immutable Action in workflow (Medium, test)
Unpinned 3rd party Action 'Tests / Code Coverage' step Uses Step uses 'useblacksmith/build-push-action' with ref 'v2', not a pinned commit hash
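
Review bot: both Blacksmith actions in test.yml carry the same unpinned refs flagged above; fix all six alerts in one commit so the pins stay consistent across workflows. The step is still named 'Build evstack:local-dev (cached)' but the action underneath it changed, so the '(cached)' claim now rests on Blacksmith's automatic layer cache rather than on whatever cache configuration was passed to `docker/build-push-action@v6`; verify in a pull-request run that the build actually hits cache before relying on the name.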

claude bot (Contributor) commented Jan 29, 2026

Claude finished @tac0turtle's task in 1m 0s


Code Review: Blacksmith Runner Migration

Tasks

  • Gather context
  • Read changed workflow files
  • Analyze changes for security, correctness, and best practices
  • Post review feedback

Summary

This PR migrates selected GitHub Actions jobs to Blacksmith runners and adopts Blacksmith-specific Docker build actions. The changes are straightforward and mechanical, but there are a few issues worth calling out before merging.


Security: Unpinned Action Tags (Flagged by GitHub Advanced Security)

The most significant concern raised by the automated security scan is the use of mutable version tags (v1, v2) for the two new Blacksmith actions:

File                   Line  Action                              Tag
docker-build-push.yml  34    useblacksmith/setup-docker-builder  @v1
docker-build-push.yml  44    useblacksmith/build-push-action     @v2
release-apps.yml       81    useblacksmith/setup-docker-builder  @v1
release-apps.yml       91    useblacksmith/build-push-action     @v2
test.yml               86    useblacksmith/setup-docker-builder  @v1
test.yml               88    useblacksmith/build-push-action     @v2

Using mutable tags means the action content can change at any point without notice, which is a supply-chain risk. The pre-existing project actions (e.g., actions/checkout@v6, docker/login-action@v3) have the same pattern, but that's not a reason to introduce more. Pinning to a full commit SHA (e.g., useblacksmith/setup-docker-builder@<full-sha>) is the recommended practice. If the team is comfortable with the existing convention of floating tags, at minimum this should be an explicit and conscious decision.


Inconsistent Runner Migration

Not all jobs were migrated to Blacksmith runners. Several jobs in test.yml were left on ubuntu-latest:

  • build_all-apps: ubuntu-latest
  • go_mod_tidy_check: ubuntu-latest
  • unit_test: ubuntu-latest
  • integration_test: ubuntu-latest
  • evm-tests: ubuntu-latest
  • combine_and_upload_coverage: ubuntu-latest

Only e2e-tests was migrated (to blacksmith-2vcpu-ubuntu-2404). This is likely intentional if Blacksmith was only applied to jobs where Docker build caching provides the biggest benefit, but it's worth confirming this is the desired scope.

Similarly in docker-tests.yml, test-docker-compat at line 57 still runs on ubuntu-latest while the other two jobs (docker-tests and docker-upgrade-tests) were migrated.


Runner Version: ubuntu-2404 vs ubuntu-2204

The PR description mentions blacksmith-4vcpu-ubuntu-2204 as an example runner tag, but the actual workflows use blacksmith-2vcpu-ubuntu-2404 and blacksmith-4vcpu-ubuntu-2404. The jump from Ubuntu 22.04 to 24.04 is a meaningful OS upgrade beyond just switching runner vendors. It's worth verifying that the jobs that were migrated behave correctly on Ubuntu 24.04 (e.g., Go toolchain, Docker daemon behavior, apt package availability).


release-apps.yml: parse-tag job still on ubuntu-latest

The parse-tag job (line 17) remains on ubuntu-latest while build-and-push (line 72) runs on blacksmith-4vcpu-ubuntu-2404. This is reasonable since parse-tag only runs shell scripts, but it is worth noting for consistency.


Minor: Missing cache-from/cache-to in docker-build-push.yml

useblacksmith/build-push-action in docker-build-push.yml (line 44) does not set explicit cache-from/cache-to parameters. The PR description says Blacksmith handles Docker layer caching automatically, which may make this unnecessary, but it is worth verifying with Blacksmith's documentation whether automatic caching covers multi-platform builds (linux/amd64,linux/arm64).


No Functional Regressions Detected

The logic of all workflows is unchanged. Only runner labels and action names were swapped. CI checks are passing and Codecov shows no coverage change, as expected for a CI configuration-only PR.


Overall: The migration is straightforward and CI is green. The primary blocker to address is the unpinned action tags flagged by GitHub Advanced Security. If the team accepts floating version tags as a project-wide convention (matching actions/checkout@v6 etc.), that should be documented and the security alerts suppressed explicitly.
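
The two findings the review above makes by hand, floating action refs and jobs left on `ubuntu-latest`, can be checked mechanically. The script below is an added example, not code from the evstack repository, from Blacksmith, or from CodeQL. It uses only the standard library so it runs offline; `SAMPLE_WORKFLOW` is a constructed workflow that mirrors the shape of this PR's changes, and the SHAs in `RESOLVED` are placeholders. In real use the tag-to-SHA map must be resolved out of band (for example with `git ls-remote --tags` against the action's repository and a look at the tagged commit), because pinning to a SHA you did not verify buys nothing.

```python
"""Audit GitHub Actions workflows for floating action refs and runner labels.

Added example: not code from the evstack repository, from Blacksmith, or from
CodeQL. Standard library only, so it runs offline. SAMPLE_WORKFLOW and the
SHAs in RESOLVED are constructed placeholders, not real commits.
"""
import re
from typing import Dict, List, Optional, Tuple

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Captures everything up to the ref so the line can be rewritten in place.
USES_RE = re.compile(r"^(?P<indent>\s*-?\s*uses:\s*)(?P<ref>[^\s#]+)(?P<rest>.*)$")
RUNS_ON_RE = re.compile(r"^\s*runs-on:\s*(?P<label>[^#]+?)\s*(#.*)?$")
# Job ids sit exactly two spaces under `jobs:` in the usual layout.
JOB_ID_RE = re.compile(r"^  (?P<job>[A-Za-z0-9_-]+):\s*$")

# Constructed sample workflow; the refs mirror the shape of the PR's changes.
SAMPLE_WORKFLOW = """\
name: Build Docker Images
on: [push]
jobs:
  build:
    runs-on: blacksmith-4vcpu-ubuntu-2404
    steps:
      - uses: actions/checkout@v6
      - name: Setup Blacksmith Builder
        uses: useblacksmith/setup-docker-builder@v1
      - name: Build and push
        uses: useblacksmith/build-push-action@v2
      - uses: ./.github/actions/local-helper
      - uses: docker/login-action@0123456789abcdef0123456789abcdef01234567 # v3 (placeholder SHA)
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
"""

# tag -> SHA map the caller resolves out of band (e.g. `git ls-remote --tags`);
# the values here are placeholders so the example stays offline.
RESOLVED: Dict[str, str] = {
    "useblacksmith/setup-docker-builder@v1": "a" * 40,
    "useblacksmith/build-push-action@v2": "b" * 40,
}


def split_ref(uses: str) -> Optional[Tuple[str, str]]:
    """(action, ref) for remote actions; None for local paths and docker://
    images, which have no git ref to pin."""
    if uses.startswith(("./", "docker://")) or "@" not in uses:
        return None
    action, ref = uses.rsplit("@", 1)
    return action, ref


def find_unpinned(text: str) -> List[Tuple[int, str, str, bool]]:
    """Every remote `uses:` whose ref is not a full 40-hex commit SHA, as
    (line_no, action, ref, third_party). third_party is False for GitHub's own
    `actions/` namespace, which CodeQL reports under a separate rule."""
    hits: List[Tuple[int, str, str, bool]] = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        parsed = split_ref(m.group("ref"))
        if parsed is None or SHA_RE.match(parsed[1]):
            continue
        action, ref = parsed
        hits.append((n, action, ref, not action.startswith("actions/")))
    return hits


def pin_actions(text: str, resolved: Dict[str, str]) -> str:
    """Rewrite `owner/repo@tag` to `owner/repo@<sha> # tag` for every ref in
    `resolved`; refs already pinned or absent from the map are left untouched."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = USES_RE.match(line)
        if not m or m.group("ref") not in resolved:
            continue
        parsed = split_ref(m.group("ref"))
        if parsed is None or SHA_RE.match(parsed[1]):
            continue
        action, tag = parsed
        sha = resolved[m.group("ref")]
        if not SHA_RE.match(sha):
            raise ValueError(f"refusing to pin {m.group('ref')} to non-SHA {sha!r}")
        lines[i] = f"{m.group('indent')}{action}@{sha} # {tag}{m.group('rest')}"
    return "\n".join(lines) + ("\n" if text.endswith("\n") else "")


def runner_labels(text: str) -> Dict[str, str]:
    """Map job id -> runs-on label, to see which jobs a migration left behind."""
    labels: Dict[str, str] = {}
    job: Optional[str] = None
    in_jobs = False
    for line in text.splitlines():
        if line.rstrip() == "jobs:":
            in_jobs = True
            continue
        if not in_jobs:
            continue
        jm = JOB_ID_RE.match(line)
        if jm:
            job = jm.group("job")
            continue
        rm = RUNS_ON_RE.match(line)
        if rm and job is not None:
            labels[job] = rm.group("label")
    return labels


def jobs_not_on(labels: Dict[str, str], prefix: str) -> List[str]:
    """Job ids whose runner label does not start with `prefix`."""
    return [job for job, label in labels.items() if not label.startswith(prefix)]


if __name__ == "__main__":
    for n, action, ref, third_party in find_unpinned(SAMPLE_WORKFLOW):
        kind = "third-party" if third_party else "first-party"
        print(f"line {n}: {action}@{ref} is a floating ref ({kind})")
    print(pin_actions(SAMPLE_WORKFLOW, RESOLVED))
    print("not on Blacksmith:", jobs_not_on(runner_labels(SAMPLE_WORKFLOW), "blacksmith-"))
```

Run against `.github/workflows/*.yml` the first function reproduces the six CodeQL alerts in the table above (plus the first-party `actions/` refs the review mentions); the second writes the pinned form with the tag kept as a comment so a human and a dependency bot can still see which release a SHA corresponds to; the last two answer "which jobs are still on `ubuntu-latest`". SHA pins only stay useful if something advances them, so pair the rewrite with Dependabot or Renovate configured for GitHub Actions.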

codecov bot commented Jan 29, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 61.16%. Comparing base (d4394f6) to head (d5cbefd).

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #3035      +/-   ##
==========================================
+ Coverage   61.11%   61.16%   +0.05%     
==========================================
  Files         113      113              
  Lines       11444    11444              
==========================================
+ Hits         6994     7000       +6     
+ Misses       3661     3655       -6     
  Partials      789      789              
Flag      Coverage Δ
combined  61.16% <ø> (+0.05%) ⬆️


- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Setup Blacksmith Builder
uses: useblacksmith/setup-docker-builder@v1

Check warning: Code scanning / CodeQL
Unpinned tag for a non-immutable Action in workflow (Medium)
Unpinned 3rd party Action 'Apps release' step Uses Step uses 'useblacksmith/setup-docker-builder' with ref 'v1', not a pinned commit hash

- name: Build and push Docker image
uses: docker/build-push-action@v6
uses: useblacksmith/build-push-action@v2

Check warning: Code scanning / CodeQL
Unpinned tag for a non-immutable Action in workflow (Medium)
Unpinned 3rd party Action 'Apps release' step Uses Step uses 'useblacksmith/build-push-action' with ref 'v2', not a pinned commit hash
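
Review bot: these two alerts in the 'Apps release' workflow are the ones to fix first: a release job that builds and pushes images is the most valuable place to land a malicious tag move, and an unpinned `useblacksmith/setup-docker-builder@v1` or `useblacksmith/build-push-action@v2` here runs with whatever registry credentials the job holds; pin both to full commit SHAs before the next release tag is cut, and apply the same fix to docker-build-push.yml and test.yml in the same change so no workflow is left on a floating ref.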