🤖 ci: migrate workflows to Depot runners with tiered sizing #18

Merged: ThomasK33 merged 1 commit into main from ci-infrastructure-f1g5 on Feb 9, 2026

@ThomasK33

Member

Summary

Switch all GitHub Actions jobs in this repository from GitHub-hosted runners to Depot-managed runners, using tiered sizing for lightweight vs heavy jobs.

Background

We want CI and release workflows to run entirely on Depot runners and right-size compute by job type to improve performance and cost control.

Implementation

  • Updated .github/workflows/ci.yaml:
    • Lightweight jobs now use depot-ubuntu-24.04 (changes, lint-actions, codex-comments)
    • Heavy jobs now use depot-ubuntu-24.04-8 (lint, test, e2e-kind, publish-main)
    • Added timeouts on heavy jobs as guardrails:
      • lint: 20m
      • test: 30m
      • e2e-kind: 45m
      • publish-main: 30m
    • Expanded changed-path workflow filter to include .github/actionlint.yaml / .github/actionlint.yml
  • Updated .github/workflows/release.yaml:
    • goreleaser now uses depot-ubuntu-24.04-8
    • Added timeout: 60m
  • Added .github/actionlint.yaml so actionlint recognizes Depot runner labels as allowed self-hosted labels.

Validation

  • make verify-vendor
  • make test
  • make build
  • make lint
  • go run github.com/rhysd/actionlint/cmd/actionlint@v1.7.10

Risks

Low risk. Changes are isolated to CI/release workflow configuration and actionlint config. Main risk is environment provisioning differences on Depot runners, mitigated by retaining existing job steps and adding timeout guardrails.


📋 Implementation Plan

Plan: Move coder-k8s GitHub Actions to Depot runners (tiered sizing)

Context / Why

We want to stop using GitHub-hosted runners entirely and run all CI on Depot GitHub Actions runners, while also right-sizing compute:

  • Small/cheap runners for lightweight orchestration (path filtering, action linting).
  • Larger runners for CPU-/IO-heavy work (golangci-lint, tests, Kind e2e, Docker builds, GoReleaser).

This should reduce wall-clock time for PR feedback, keep costs predictable, and align with how coder/mux uses Depot for heavier jobs.

Evidence (what was checked)

  • coder-k8s workflows currently use GitHub-hosted runners:
    • .github/workflows/ci.yaml (all jobs runs-on: ubuntu-latest)
    • .github/workflows/release.yaml (runs-on: ubuntu-latest)
  • coder/mux uses Depot runners for heavier workloads (in its workflows under ./tmpfork/mux/.github/workflows/).
  • Depot docs for runner labels/sizes and setup:
    • Depot runner types + sizes (includes Ubuntu 22.04/24.04 -4/-8/-16/... labels)
    • Depot GitHub Actions quickstart (connect GitHub org via Depot GitHub App; runner group settings for public repos)

Prerequisites / one-time setup

  1. Depot org + GitHub connection
    • In Depot dashboard: GitHub Actions → Connect to GitHub and install/authorize the Depot GitHub App for the GitHub organization.
    • If the GitHub org requires app approval for private repos, ensure the app is approved/active.
  2. Runner group permissions (public repos only)
    • In GitHub org settings: Actions → Runner groups
    • Ensure the Depot runner group allows running on public repositories (if this repo is public).

Why this is required

Depot runners are delivered via a GitHub App + webhook-driven runner provisioning. Without the app connection, any job that specifies runs-on: depot-... will remain queued forever.

Runner sizing strategy (recommended baseline)

Use a simple 2-tier Linux setup:

  • Small: depot-ubuntu-24.04 (2 vCPU / 8GB)
  • Large: depot-ubuntu-24.04-8 (8 vCPU / 32GB)

Rationale:

  • depot-ubuntu-24.04-8 should be a strong speedup vs GitHub’s 2 vCPU runners for Go lint/test and for Docker+Kind.
  • Avoid starting at -16 (what coder/mux uses) until we have timings; coder-k8s is smaller and likely doesn’t need 16 vCPU to be efficient.

Job → runner mapping

| Workflow | Job | Current | Proposed |
| --- | --- | --- | --- |
| ci.yaml | changes | ubuntu-latest | depot-ubuntu-24.04 |
| ci.yaml | lint-actions | ubuntu-latest | depot-ubuntu-24.04 |
| ci.yaml | codex-comments | ubuntu-latest | depot-ubuntu-24.04 |
| ci.yaml | lint | ubuntu-latest | depot-ubuntu-24.04-8 |
| ci.yaml | test | ubuntu-latest | depot-ubuntu-24.04-8 |
| ci.yaml | e2e-kind | ubuntu-latest | depot-ubuntu-24.04-8 |
| ci.yaml | publish-main | ubuntu-latest | depot-ubuntu-24.04-8 |
| release.yaml | goreleaser | ubuntu-latest | depot-ubuntu-24.04-8 |

Implementation details (repo changes)

1) Update .github/workflows/ci.yaml to use Depot runners

Edit each job’s runs-on:

jobs:
  changes:
-   runs-on: ubuntu-latest
+   runs-on: depot-ubuntu-24.04

  lint:
-   runs-on: ubuntu-latest
+   runs-on: depot-ubuntu-24.04-8

  test:
-   runs-on: ubuntu-latest
+   runs-on: depot-ubuntu-24.04-8

  e2e-kind:
-   runs-on: ubuntu-latest
+   runs-on: depot-ubuntu-24.04-8

  lint-actions:
-   runs-on: ubuntu-latest
+   runs-on: depot-ubuntu-24.04

  codex-comments:
-   runs-on: ubuntu-latest
+   runs-on: depot-ubuntu-24.04

  publish-main:
-   runs-on: ubuntu-latest
+   runs-on: depot-ubuntu-24.04-8
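
Review bot: the lint, test, e2e-kind and publish-main entries in this hunk move to depot-ubuntu-24.04-8 without a timeout-minutes line, so the cost guardrail exists only as the recommendation that follows the hunk. Suggest setting timeout-minutes on each of those four jobs in the same edit as the runs-on change, so an 8 vCPU runner is never introduced uncapped.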

Add cost guardrails to large jobs (recommended):

  • Set timeout-minutes (e.g., lint: 15, test: 20, e2e-kind: 30, publish-main: 20) to prevent runaway spend.

2) Update .github/workflows/release.yaml to use Depot runners

jobs:
  goreleaser:
-   runs-on: ubuntu-latest
+   runs-on: depot-ubuntu-24.04-8
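
Review bot: goreleaser moves to depot-ubuntu-24.04-8 here with no timeout-minutes, and the guardrail bullet above names only the ci.yaml jobs (lint, test, e2e-kind, publish-main). Suggest adding timeout-minutes to this job in the same hunk; the PR summary lists 60m for it.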

3) Ensure there are zero GitHub-hosted runner references

  • Search .github/workflows/** for ubuntu-latest, windows-latest, macos-latest and replace as needed.
  • (Optional) prefer depot-ubuntu-latest if you want an evergreen LTS label instead of pinning 24.04.

Optional: policy for forked PRs

If this repository is public, forked PRs will also execute on Depot runners (cost + untrusted code). Options:

  1. Allow forked PRs (default GitHub Actions behavior; no extra changes).
  2. Skip CI on forks by adding job-level conditions such as:

     if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository

This keeps CI internal-only without falling back to GitHub-hosted runners.

Rollout / validation

  1. Make a PR changing only the runner labels (+ any timeouts).
  2. Confirm workflows start immediately on Depot (no stuck “Waiting for a runner”).
  3. Compare timings in:
    • GitHub Actions job durations
    • Depot dashboard GitHub Actions → Analytics (CPU/memory utilization + sizing hints)
  4. Tune sizing based on data:
    • If e2e-kind or publish-main is CPU-starved, bump just those jobs to depot-ubuntu-24.04-16.
    • If large jobs are underutilizing CPU, consider dropping to depot-ubuntu-24.04-4 for cost savings.

Acceptance criteria

  • All workflows (ci.yaml, release.yaml) run with only depot-* runner labels (no GitHub-hosted runners).
  • Lint/test/e2e/docker-heavy jobs use a larger Depot instance than lightweight jobs.
  • First PR run completes successfully and Depot shows the jobs in its dashboard.

Generated with mux • Model: openai:gpt-5.3-codex • Thinking: xhigh • Cost: 274253{MUX_COSTS_USD:-unknown}
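
An added example, not part of the PR or the repository: a small Python audit for the plan's step 3 and acceptance criteria (only depot-* labels, sized runners capped by timeout-minutes), with an optional check for the job-level fork guard from the forked-PR section. The function names, the `SIZED` suffix rule and the sample workflow are assumptions constructed for illustration; the parser reads only 2-space-indented scalar job keys rather than full YAML.

```python
import re

# Constructed sample, trimmed to the keys the audit reads; not the repository's ci.yaml.
SAMPLE = """\
jobs:
  changes:
    runs-on: depot-ubuntu-24.04
    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
  lint:
    runs-on: depot-ubuntu-24.04-8
    timeout-minutes: 20
  test:
    runs-on: depot-ubuntu-24.04-8
  docs:
    runs-on: ubuntu-latest
"""

SIZED = re.compile(r"-\d+$")  # assumption: a trailing "-<n>" marks a sized runner

def parse_jobs(text):
    """Map job name -> scalar keys set directly on the job (2-space indent assumed)."""
    jobs, current, in_jobs = {}, None, False
    lines = [l.rstrip() for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    for line in lines:
        indent = len(line) - len(line.lstrip())
        if indent == 0:
            in_jobs, current = line.startswith("jobs:"), None
        elif in_jobs and indent == 2 and line.endswith(":"):
            current = jobs.setdefault(line.strip()[:-1], {})
        elif in_jobs and indent == 4 and current is not None:
            key, _, value = line.strip().partition(":")
            current[key] = value.strip().strip("'\"")
    return jobs

def audit(text, require_fork_guard=False):
    """Return (job, problem) pairs: non-Depot labels, uncapped sized runners, missing fork guard."""
    findings = []
    for job, cfg in parse_jobs(text).items():
        label = cfg.get("runs-on", "")
        if not label.startswith("depot-"):
            findings.append((job, f"non-Depot runner label: {label or '<missing>'}"))
        elif SIZED.search(label) and "timeout-minutes" not in cfg:
            findings.append((job, f"{label} has no timeout-minutes"))
        if require_fork_guard and "head.repo.full_name" not in cfg.get("if", ""):
            findings.append((job, "no fork guard in job-level if"))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE, require_fork_guard=True))
```

A `runs-on` given as a list or an expression is reported as non-Depot, which is the conservative outcome for this acceptance check.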

@ThomasK33

Member Author

@codex review

Please review this CI migration to Depot runners with tiered sizing and timeout guardrails.

@chatgpt-codex-connector


Codex Review: Didn't find any major issues. Can't wait for the next one!

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

ThomasK33 force-pushed the ci-infrastructure-f1g5 branch from ab6f138 to ad872f9 on February 9, 2026 20:00

ThomasK33 added this pull request to the merge queue on Feb 9, 2026

Merged via the queue into main with commit 1eba173 on Feb 9, 2026

12 of 14 checks passed

ThomasK33 deleted the ci-infrastructure-f1g5 branch on February 9, 2026 20:29