
ci: run publish job on GitHub-hosted runner for reliable Sigstore egress #42

Merged: 27Bslash6 merged 1 commit into main from ci/publish-on-hosted-runner on Jun 6, 2026

Conversation

@27Bslash6 27Bslash6 commented Jun 6, 2026

Contributor

What

Move the publish job from runs-on: cachekit (self-hosted ARC) to runs-on: ubuntu-latest. CI/test/fuzz jobs are unchanged.

Why

The ARC pods have intermittent DNS/egress failures to *.sigstore.dev. Across three publish attempts for 0.2.1, a different Sigstore step failed each time:

Publish is sequenced after attestation, so these flakes blocked the crates.io publish (crates.io stayed clean — no partial publish). A GitHub-hosted runner has reliable egress to Sigstore + crates.io.

Cost

Free — ubuntu-latest standard runners are unlimited/free on public repos. The job runs only on release/dispatch.

ci: type — non-releasing. After merge: gh workflow run release.yml publishes 0.2.1 with full build-provenance + SBOM attestation.

Summary by CodeRabbit

  • Chores
    • Improved release process reliability to reduce intermittent publishing failures.

The self-hosted ARC pods have intermittent DNS/egress failures to
*.sigstore.dev (Fulcio + Rekor), which kept failing build-provenance and
SBOM attestation — a different attest step each run — and blocked the
crates.io publish behind them. crates.io stayed clean (publish is sequenced
after attestation), but 0.2.1 could not be published.

Move the publish job to ubuntu-latest, which has reliable egress to Sigstore
and crates.io. The job is infrequent and free on public repos. CI/test/fuzz
jobs stay on the self-hosted `cachekit` runner where the persistent cargo
cache helps and external attestation egress is not needed.

coderabbitai Bot commented Jun 6, 2026


Walkthrough

The publish job in the release workflow is reconfigured to run on ubuntu-latest instead of the self-hosted cachekit runner. Comments document that this hosted runner provides more reliable network egress to Sigstore/Fulcio and crates.io, reducing intermittent provenance and SBOM attestation failures.

Changes

Publish Job Runner Configuration

| Layer / File(s) | Summary |
| --- | --- |
| Publish job runner migration to ubuntu-latest (.github/workflows/release.yml) | The runs-on field is switched from the self-hosted cachekit label to ubuntu-latest. New comments explain that hosted runners offer more reliable outbound connectivity to Sigstore/Fulcio and crates.io, mitigating intermittent DNS and egress issues that block provenance and SBOM attestation during publishing. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related issues

  • cachekit-io/saas#121: Related runner selection changes across workflows; this PR switches a publish job to hosted ubuntu-latest whilst that issue addresses migrations to cachekit ARC runners.

Possibly related PRs

  • cachekit-io/cachekit-core#41: Modifies the same .github/workflows/release.yml publish job with related improvements to publishing reliability, including cargo-sbom installation idempotency and publish gating adjustments.
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly and specifically describes the main change: moving the publish job from a self-hosted runner to a GitHub-hosted runner for improved Sigstore network reliability. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


@coderabbitai coderabbitai Bot left a comment


Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)
.github/workflows/release.yml (2)

76-81: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Update stale comment referencing self-hosted runner infrastructure.

Lines 77-80 reference "the self-hosted runner's CARGO_HOME (/cache/cargo)" and its persistent volume, but the job now runs on ubuntu-latest (line 51). GitHub-hosted runners have ephemeral filesystems, so the --force flag is no longer required (though harmless). This comment will mislead future maintainers about the runner environment.

📝 Proposed fix to update the comment
       - name: Install cargo-sbom
-        # --force is required: the self-hosted runner's CARGO_HOME (/cache/cargo) is a
-        # persistent volume, so the binary survives between runs and a plain install
-        # exits 101 ("binary `cargo-sbom` already exists"). --force reinstalls the
-        # --locked pinned version idempotently.
+        # Install cargo-sbom with --locked to pin the exact version from Cargo.lock.
+        # --force ensures idempotent reinstall if the binary already exists.
         run: cargo install cargo-sbom --locked --force
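Review bot: the first `+` line claims `--locked` pins "the exact version from Cargo.lock", which misdescribes `cargo install`: for a crate fetched from crates.io, `--locked` only makes cargo honour the Cargo.lock shipped inside that crate's package for the tool's own dependencies, and with no `--version` the step still installs whatever the newest cargo-sbom release is at run time. Since this tool produces the SBOM that gets attested, suggest pinning it explicitly, e.g. `run: cargo install cargo-sbom --version <pinned-version> --locked --force` (placeholder version), and rewording the comment to match. The second `+` line also drops the reason `--force` is kept; on an ephemeral ubuntu-latest filesystem it is, as the finding itself says, harmless but not required, and the comment should say that rather than imply the binary is expected to pre-exist.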
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release.yml around lines 76 - 81, The comment above the
"Install cargo-sbom" step incorrectly claims a persistent self-hosted
CARGO_HOME; update the comment to reflect that this job runs on GitHub-hosted
ubuntu-latest with an ephemeral filesystem and that --force is not required (but
harmless), or simply remove the misleading reference; locate the step named
"Install cargo-sbom" (the run: cargo install cargo-sbom --locked --force) and
replace the existing lines explaining a persistent /cache/cargo with a short
note about ubuntu-latest's ephemeral runner or no comment at all.

Source: Learnings


29-29: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add mandatory version comments to action pins.

Lines 29 and 35 use full 40-char SHA pins but are missing version comments. As per coding guidelines, all actions in .github/workflows/** must be pinned to full 40-char SHA with a version comment (e.g., @<sha> # v2).

📌 Proposed fix to add version comments

Line 29:

-      - uses: actions/create-github-app-token@fee1f7d63c2ff003460e3d139729b119787bc349
+      - uses: actions/create-github-app-token@fee1f7d63c2ff003460e3d139729b119787bc349 # v2
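Review bot: the `+` line appends `# v2` without the finding showing that fee1f7d… actually resolves to a v2 tag of actions/create-github-app-token. The comment is informational only and is never validated against the SHA, so a wrong one misleads the next audit; confirm the mapping first (for example compare the SHA against `git ls-remote --tags https://github.com/actions/create-github-app-token`) and, if the guideline allows it, quote the exact release tag the SHA was resolved from rather than the bare major version.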

Line 35:

-      - uses: googleapis/release-please-action@8b8fd2cc23b2e18957157a9d923d75aa0c6f6ad5
+      - uses: googleapis/release-please-action@8b8fd2cc23b2e18957157a9d923d75aa0c6f6ad5 # v4
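Review bot: same verification as for line 29 before this `+` line lands: 8b8fd2c… must be confirmed to be a commit on a v4 release of googleapis/release-please-action. A bare `# v4` stays "true" across every v4.x.y release and tells a reviewer little about which code the SHA corresponds to, so documenting the exact tag makes both manual audits and tool-driven bumps a direct comparison instead of a guess.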

Also applies to: 35-35

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release.yml at line 29, The action pins at "uses:
actions/create-github-app-token@fee1f7d63c2ff003460e3d139729b119787bc349" (and
the similar 40-char SHA pin at line 35) are missing the required version
comment; update each pinned action to append the appropriate version comment
(e.g., " # v2") after the SHA so the line reads like "uses:
actions/create-github-app-token@<40-char-sha> # v2" to comply with the
repository workflow pinning guideline.

Source: Coding guidelines


ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 01ed006c-00ec-4909-9fd6-5a96e3ad35e7

📥 Commits

Reviewing files that changed from the base of the PR and between dcf016f and 1be447d.

📒 Files selected for processing (1)
  • .github/workflows/release.yml
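The pinning guideline the bot cites above (every `uses:` in `.github/workflows/**` is a full 40-character SHA followed by a `# vN` comment) can be checked mechanically. The following shell script is an added example, not tooling from cachekit-core or CodeRabbit; it reads workflow YAML on stdin, reports references that are tag-pinned or SHA-pinned without the comment, and exercises itself on a constructed sample that reuses the two SHAs from the review.

```shell
#!/bin/sh
# Added example for the action-pinning guideline cited in the review:
# every "uses:" must be a full 40-hex commit SHA followed by a "# vN"
# version comment. Not the project's own tooling.

# check_pins: reads workflow YAML on stdin and prints "<kind> <ref>" per
# violation. Kinds:
#   mutable    ref is a tag or branch, not a 40-hex commit SHA (tags can move)
#   nocomment  SHA pin without the "# v..." comment the guideline requires
# Always exits 0; the caller decides what to do with the report.
check_pins() {
  while IFS= read -r line; do
    case $line in
      *"#"*"uses:"*) continue ;;   # commented-out step, ignore
      *"uses:"*) ;;
      *) continue ;;
    esac
    # Keep only the "owner/repo@ref" token that follows "uses:".
    ref=$(printf '%s\n' "${line#*uses:}" | sed 's/^[[:space:]]*//; s/[[:space:]].*$//')
    sha=${ref#*@}
    if ! printf '%s\n' "$sha" | grep -Eq '^[0-9a-f]{40}$'; then
      printf 'mutable %s\n' "$ref"
    elif ! printf '%s\n' "$line" | grep -Eq '#[[:space:]]*v[0-9]'; then
      printf 'nocomment %s\n' "$ref"
    fi
  done
}

# count_violations YAML: number of violating references in the given text.
count_violations() {
  printf '%s\n' "$1" | check_pins | grep -c . || :
}

# Constructed sample, not the project's release.yml: two mutable refs, one
# SHA pin without a comment, one compliant pin (the SHAs are from the review).
SAMPLE_WORKFLOW='jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: docker/login-action@main
      - uses: actions/create-github-app-token@fee1f7d63c2ff003460e3d139729b119787bc349
      - uses: googleapis/release-please-action@8b8fd2cc23b2e18957157a9d923d75aa0c6f6ad5 # v4'

printf '%s\n' "$SAMPLE_WORKFLOW" | check_pins
echo "violations: $(count_violations "$SAMPLE_WORKFLOW")"
```

In a pre-commit hook or CI job, `cat .github/workflows/*.yml | check_pins` plus a non-zero exit on any output turns the guideline into a gate instead of a review-time reminder.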

@27Bslash6 27Bslash6 merged commit 1e6637c into main Jun 6, 2026
30 checks passed
@27Bslash6 27Bslash6 deleted the ci/publish-on-hosted-runner branch June 6, 2026 04:41