From 1be447dc83f3a88403393c9790aa2fff722ec39b Mon Sep 17 00:00:00 2001 From: Ray Walker Date: Sat, 6 Jun 2026 14:25:47 +1000 Subject: [PATCH] ci: run publish job on GitHub-hosted runner for reliable Sigstore egress MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The self-hosted ARC pods have intermittent DNS/egress failures to *.sigstore.dev (Fulcio + Rekor), which kept failing build-provenance and SBOM attestation — a different attest step each run — and blocked the crates.io publish behind them. crates.io stayed clean (publish is sequenced after attestation), but 0.2.1 could not be published. Move the publish job to ubuntu-latest, which has reliable egress to Sigstore and crates.io. The job is infrequent and free on public repos. CI/test/fuzz jobs stay on the self-hosted `cachekit` runner where the persistent cargo cache helps and external attestation egress is not needed. --- .github/workflows/release.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 574a217..54f4a35 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -44,7 +44,11 @@ jobs: # refs/heads/main stops a feature branch from publishing its own Cargo.toml). # Explicit == 'true' avoids relying on string-coercion of the action output. if: ${{ needs.release-please.outputs.release_created == 'true' || (github.event_name == 'workflow_dispatch' && github.ref == 'refs/heads/main') }} - runs-on: cachekit + # GitHub-hosted: the self-hosted ARC pods have unreliable DNS/egress to Sigstore + # (Fulcio/Rekor), which intermittently fails build-provenance + SBOM attestation + # and blocks publish. A hosted runner has reliable egress to Sigstore + crates.io, + # and the publish job is infrequent + free on public repos. + runs-on: ubuntu-latest permissions: contents: read id-token: write
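Review bot: `runs-on: ubuntu-latest` is a floating label, so the build environment captured in the build-provenance attestation will silently change whenever GitHub repoints the label to a new image; for a job that exists to emit provenance, consider pinning to a dated hosted label (for example `ubuntu-24.04`) so the recorded builder environment stays stable and image bumps land as reviewed changes. The retained `permissions` block (`contents: read`, `id-token: write`) is the right shape for this move: the OIDC token is exactly what Fulcio needs for keyless signing, and nothing in the hunk widens write access. Stylistically, the four-line comment above `runs-on` restates the commit message almost verbatim; a single line such as `# GitHub-hosted: self-hosted ARC pods have unreliable egress to Sigstore/crates.io` keeps the workflow readable while the commit history carries the full rationale. One operational consequence worth noting in the PR: the hosted runner lacks the persistent cargo cache mentioned in the message, so the publish job will build cold unless a cache step is added.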