internal/ci: switch to Namespace GitHub Actions runners

Namespace offers runners for GitHub actions with Ubuntu, MacOS,
and Windows, much like GitHub. However, it has two main advantages:

* Cost per minute; for the same CPU and memory, GitHub costs about
  four times as much.

* Caching; Namespace offers volume mount caching, which is way faster
  than fetching and uploading compressed cache archives as GitHub does.

* Advanced caching; Namespace also offer out-of-the-box caching for
  toolchains such as Go, as can be seen by `with: cache: "go"` below.
  They also offer transparent system-wide caching for Docker images,
  git checkouts, and toolchain downloads such as from actions/setup-go.

The runner profiles used below were set up by me, to cost the same per
minute as our old slow runners on GitHub, but have four times as much
CPU power. Rather than about 2 CPUs per runner, we now have 8.
Overall, we see roughly a 2.5x speed-up in CPU-intensive job steps,
and the cost of setup and cleanup for the cache is now near-zero.

A cache-less run before and after Namespace sees the following wins:
* Go 1.24.x, Linux   - 9m50s -> 3m46s
* Go 1.24.x, MacOS   - 2m10s -> 1m13s
* Go 1.24.x, Windows - 4m36s -> 1m38s

Take particular note of how much faster Windows is on Namespace;
we were running into issues with slow Windows filesystems on GitHub.

We will be able to see what performance looks like before and after
Namespace on warm caches once this change lands in master.
Given that CI runs on a warm cache spend at least 10-30s just fetching
and extracting the cache, and they usually spend 2-3m running Go tests,
I expect such CI runs with a warm cache to see a similar ~2x speed-up.

Signed-off-by: Daniel Martí <[email protected]>
Change-Id: I4f428d3382da7b414c31ae29f8f836e269fcf073
Reviewed-on: https://review.gerrithub.io/c/cue-lang/cue/+/1217532
Reviewed-by: Paul Jolly <[email protected]>
TryBot-Result: CUEcueckoo <[email protected]>
Unity-Result: CUE porcuepine <[email protected]>

Author: mvdan

.github/workflows/evict_caches.yaml

@@ -10,7 +10,7 @@ jobs:
       run:
         shell: bash --noprofile --norc -euo pipefail {0}
     if: ${{github.repository == 'cue-lang/cue'}}
-    runs-on: ubuntu-24.04
+    runs-on: namespace-profile-ubuntu-24-04-amd64-8x16
     steps:
       - name: Checkout code
         uses: actions/checkout@v4

.github/workflows/push_tip_to_trybot.yaml

@@ -6,7 +6,7 @@ jobs:
     defaults:
       run:
         shell: bash --noprofile --norc -euo pipefail {0}
-    runs-on: ubuntu-24.04
+    runs-on: namespace-profile-ubuntu-24-04-amd64-8x16
     if: ${{github.repository == 'cue-lang/cue'}}
     steps:
       - name: Write netrc file for cueckoo Gerrithub

.github/workflows/release.yaml

@@ -16,7 +16,7 @@ jobs:
     defaults:
       run:
         shell: bash --noprofile --norc -euo pipefail {0}
-    runs-on: ubuntu-24.04
+    runs-on: namespace-profile-ubuntu-24-04-amd64-8x16
     if: ${{github.repository == 'cue-lang/cue'}}
     steps:
       - name: Checkout code

.github/workflows/tip_triggers.yaml

@@ -11,7 +11,7 @@ jobs:
     defaults:
       run:
         shell: bash --noprofile --norc -euo pipefail {0}
-    runs-on: ubuntu-24.04
+    runs-on: namespace-profile-ubuntu-24-04-amd64-8x16
     if: ${{github.repository == 'cue-lang/cue'}}
     steps:
       - name: Trigger unity build

.github/workflows/trybot.yaml

@@ -23,9 +23,9 @@ jobs:
           - 1.23.x
           - 1.24.x
         runner:
-          - ubuntu-24.04
-          - macos-14
-          - windows-2022
+          - namespace-profile-ubuntu-24-04-amd64-8x16
+          - namespace-profile-macos-15-arm64-6x14
+          - namespace-profile-windows-2022-amd64-8x16
     runs-on: ${{ matrix.runner }}
     if: |-
       (contains(github.event.head_commit.message, '
@@ -77,51 +77,29 @@ jobs:
 
           # Dump env for good measure
           go env
-      - id: go-mod-cache-dir
-        name: Get go mod cache directory
-        run: echo "dir=$(go env GOMODCACHE)" >> ${GITHUB_OUTPUT}
-      - id: go-cache-dir
-        name: Get go build/test cache directory
-        run: echo "dir=$(go env GOCACHE)" >> ${GITHUB_OUTPUT}
-      - if: |-
-          (((github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/heads/release-branch.')) && (! (contains(github.event.head_commit.message, '
-          Dispatch-Trailer: {"type":"')))) || (github.ref == 'refs/heads/ci/test'))
-        uses: actions/cache@v4
-        with:
-          path: |-
-            ${{ steps.go-mod-cache-dir.outputs.dir }}/cache/download
-            ${{ steps.go-cache-dir.outputs.dir }}
-          key: ${{ runner.os }}-${{ matrix.go-version }}-${{ github.run_id }}
-          restore-keys: ${{ runner.os }}-${{ matrix.go-version }}
-      - if: |-
-          ! (((github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/heads/release-branch.')) && (! (contains(github.event.head_commit.message, '
-          Dispatch-Trailer: {"type":"')))) || (github.ref == 'refs/heads/ci/test'))
-        uses: actions/cache/restore@v4
+      - if: matrix.runner != 'namespace-profile-windows-2022-amd64-8x16'
+        uses: namespacelabs/nscloud-cache-action@v1
         with:
-          path: |-
-            ${{ steps.go-mod-cache-dir.outputs.dir }}/cache/download
-            ${{ steps.go-cache-dir.outputs.dir }}
-          key: ${{ runner.os }}-${{ matrix.go-version }}-${{ github.run_id }}
-          restore-keys: ${{ runner.os }}-${{ matrix.go-version }}
+          cache: go
       - if: |-
           github.repository == 'cue-lang/cue' && (((github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/heads/release-branch.')) && (! (contains(github.event.head_commit.message, '
-          Dispatch-Trailer: {"type":"')))) || github.ref == 'refs/heads/ci/test')
+          Dispatch-Trailer: {"type":"')))) || (github.ref == 'refs/heads/ci/test'))
         run: go clean -testcache
       - run: go run cuelang.org/go/cmd/cue login --token=${{ secrets.NOTCUECKOO_CUE_TOKEN }}
-      - if: (matrix.go-version == '1.24.x' && matrix.runner == 'ubuntu-24.04')
+      - if: (matrix.go-version == '1.24.x' && matrix.runner == 'namespace-profile-ubuntu-24-04-amd64-8x16')
         name: Early git and code sanity checks
         run: go run ./internal/ci/checks
       - if: |-
           ((github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/heads/release-branch.')) && (! (contains(github.event.head_commit.message, '
-          Dispatch-Trailer: {"type":"')))) || !(matrix.go-version == '1.24.x' && matrix.runner == 'ubuntu-24.04')
+          Dispatch-Trailer: {"type":"')))) || !(matrix.go-version == '1.24.x' && matrix.runner == 'namespace-profile-ubuntu-24-04-amd64-8x16')
         name: Test
         run: go test ./...
-      - if: (matrix.go-version == '1.24.x' && matrix.runner == 'ubuntu-24.04')
+      - if: (matrix.go-version == '1.24.x' && matrix.runner == 'namespace-profile-ubuntu-24-04-amd64-8x16')
         name: Test with -race
         env:
           GORACE: atexit_sleep_ms=10
         run: go test -race ./...
-      - if: (matrix.go-version == '1.24.x' && matrix.runner == 'ubuntu-24.04')
+      - if: (matrix.go-version == '1.24.x' && matrix.runner == 'namespace-profile-ubuntu-24-04-amd64-8x16')
         name: Test on 32 bits
         env:
           GOARCH: "386"
@@ -131,38 +109,38 @@ jobs:
       - id: auth
         if: |-
           github.repository == 'cue-lang/cue' && (((github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/heads/release-branch.')) && (! (contains(github.event.head_commit.message, '
-          Dispatch-Trailer: {"type":"')))) || (github.ref == 'refs/heads/ci/test')) && (matrix.go-version == '1.24.x' && matrix.runner == 'ubuntu-24.04')
+          Dispatch-Trailer: {"type":"')))) || (github.ref == 'refs/heads/ci/test')) && (matrix.go-version == '1.24.x' && matrix.runner == 'namespace-profile-ubuntu-24-04-amd64-8x16')
         name: gcloud auth for end-to-end tests
         uses: google-github-actions/auth@v2
         with:
           credentials_json: ${{ secrets.E2E_GCLOUD_KEY }}
       - if: |-
           github.repository == 'cue-lang/cue' && (((github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/heads/release-branch.')) && (! (contains(github.event.head_commit.message, '
-          Dispatch-Trailer: {"type":"')))) || (github.ref == 'refs/heads/ci/test')) && (matrix.go-version == '1.24.x' && matrix.runner == 'ubuntu-24.04')
+          Dispatch-Trailer: {"type":"')))) || (github.ref == 'refs/heads/ci/test')) && (matrix.go-version == '1.24.x' && matrix.runner == 'namespace-profile-ubuntu-24-04-amd64-8x16')
         name: gcloud setup for end-to-end tests
         uses: google-github-actions/setup-gcloud@v2
       - if: |-
           github.repository == 'cue-lang/cue' && (((github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/heads/release-branch.')) && (! (contains(github.event.head_commit.message, '
-          Dispatch-Trailer: {"type":"')))) || (github.ref == 'refs/heads/ci/test')) && (matrix.go-version == '1.24.x' && matrix.runner == 'ubuntu-24.04')
+          Dispatch-Trailer: {"type":"')))) || (github.ref == 'refs/heads/ci/test')) && (matrix.go-version == '1.24.x' && matrix.runner == 'namespace-profile-ubuntu-24-04-amd64-8x16')
         name: End-to-end test
         env:
           CUE_TEST_TOKEN: ${{ secrets.E2E_PORCUEPINE_CUE_TOKEN }}
         run: |-
           cd internal/_e2e
           go test -race
-      - if: (matrix.go-version == '1.24.x' && matrix.runner == 'ubuntu-24.04')
+      - if: (matrix.go-version == '1.24.x' && matrix.runner == 'namespace-profile-ubuntu-24-04-amd64-8x16')
         name: Go checks
         run: |-
           go vet ./...
           go mod tidy
           (cd internal/_e2e && go test -run=-)
-      - if: (matrix.go-version == '1.24.x' && matrix.runner == 'ubuntu-24.04')
+      - if: (matrix.go-version == '1.24.x' && matrix.runner == 'namespace-profile-ubuntu-24-04-amd64-8x16')
         name: staticcheck
         uses: dominikh/staticcheck-action@v1
         with:
           version: "2025.1"
           install-go: false
-      - if: (matrix.go-version == '1.24.x' && matrix.runner == 'ubuntu-24.04')
+      - if: (matrix.go-version == '1.24.x' && matrix.runner == 'namespace-profile-ubuntu-24-04-amd64-8x16')
         name: Check all git tags are available
         run: |-
           cd $(mktemp -d)
@@ -178,7 +156,7 @@ jobs:
           	echo "Did you forget about refs/attic branches? https://github.com/cue-lang/cue/wiki/Notes-for-project-maintainers"
           	exit 1
           fi
-      - if: (matrix.go-version == '1.24.x' && matrix.runner == 'ubuntu-24.04')
+      - if: (matrix.go-version == '1.24.x' && matrix.runner == 'namespace-profile-ubuntu-24-04-amd64-8x16')
         name: Generate
         run: go generate ./...
       - if: always()

.github/workflows/trybot_dispatch.yaml

@@ -11,7 +11,7 @@ jobs:
     defaults:
       run:
         shell: bash --noprofile --norc -euo pipefail {0}
-    runs-on: ubuntu-24.04
+    runs-on: namespace-profile-ubuntu-24-04-amd64-8x16
     if: ${{ ((github.ref == 'refs/heads/ci/test') && false) || github.event.client_payload.type == 'trybot' }}
     steps:
       - name: Write netrc file for cueckoo Gerrithub

internal/ci/base/gerrithub.cue

@@ -244,6 +244,7 @@ evictCaches: bashWorkflow & {
 			steps: [
 				for v in checkoutCode {v},
 
+				// TODO(mvdan): remove once we've fully moved to Namespace runners.
 				githubactions.#Step & {
 					name: "Delete caches"
 					run:  """

internal/ci/base/github.cue

@@ -4,9 +4,9 @@ package base
 
 import (
 	"encoding/json"
-	"list"
 	"strings"
 	"strconv"
+
 	"cue.dev/x/githubactions"
 )
 
@@ -68,7 +68,7 @@ installGo: {
 checkoutCode: {
 	#actionsCheckout: githubactions.#Step & {
 		name: "Checkout code"
-		uses: "actions/checkout@v4"
+		uses: "actions/checkout@v4" // TODO(mvdan): switch to namespacelabs/nscloud-checkout-action@v1 once Windows supports caching
 
 		// "pull_request_target" builds will by default use a merge commit,
 		// testing the PR's HEAD merged on top of the master branch.
@@ -151,105 +151,32 @@ curlGitHubAPI: {
 	"""#
 }
 
-setupGoActionsCaches: {
-	// #readonly determines whether we ever want to write the cache back. The
-	// writing of a cache back (for any given cache key) should only happen on a
-	// protected branch. But running a workflow on a protected branch often
-	// implies that we want to skip the cache to ensure we catch flakes early.
-	// Hence the concept of clearing the testcache to ensure we catch flakes
-	// early can be defaulted based on #readonly. In the general case the two
-	// concepts are orthogonal, hence they are kept as two parameters, even
-	// though in our case we could get away with a single parameter that
-	// encapsulates our needs.
-	#readonly:       *false | bool
-	#cleanTestCache: *!#readonly | bool
-	#goVersion:      string
-	#additionalCacheDirs: [...string]
-	#os: string
-
-	let goModCacheDirID = "go-mod-cache-dir"
-	let goCacheDirID = "go-cache-dir"
-
-	// cacheDirs is a convenience variable that includes
-	// GitHub expressions that represent the directories
-	// that participate in Go caching.
-	let cacheDirs = list.Concat([[
-		"${{ steps.\(goModCacheDirID).outputs.dir }}/cache/download",
-		"${{ steps.\(goCacheDirID).outputs.dir }}",
-	], #additionalCacheDirs])
-
-	let cacheRestoreKeys = "\(#os)-\(#goVersion)"
-
-	let cacheStep = githubactions.#Step & {
-		with: {
-			path: strings.Join(cacheDirs, "\n")
-
-			// GitHub actions caches are immutable. Therefore, use a key which is
-			// unique, but allow the restore to fallback to the most recent cache.
-			// The result is then saved under the new key which will benefit the
-			// next build. Restore keys are only set if the step is restore.
-			key:            "\(cacheRestoreKeys)-${{ github.run_id }}"
-			"restore-keys": cacheRestoreKeys
-		}
-	}
-
-	let readWriteCacheExpr = "(\(isProtectedBranch) || \(isTestDefaultBranch))"
-
-	// pre is the list of steps required to establish and initialise the correct
-	// caches for Go-based workflows.
-	[
-		// TODO: once https://github.com/actions/setup-go/issues/54 is fixed,
-		// we could use `go env` outputs from the setup-go step.
-		githubactions.#Step & {
-			name: "Get go mod cache directory"
-			id:   goModCacheDirID
-			run:  #"echo "dir=$(go env GOMODCACHE)" >> ${GITHUB_OUTPUT}"#
-		},
-		githubactions.#Step & {
-			name: "Get go build/test cache directory"
-			id:   goCacheDirID
-			run:  #"echo "dir=$(go env GOCACHE)" >> ${GITHUB_OUTPUT}"#
-		},
-
-		// Only if we are not running in readonly mode do we want a step that
-		// uses actions/cache (read and write). Even then, the use of the write
-		// step should be predicated on us running on a protected branch. Because
-		// it's impossible for anything else to write such a cache.
-		if !#readonly {
-			cacheStep & {
-				if:   readWriteCacheExpr
-				uses: "actions/cache@v4"
-			}
-		},
-
-		cacheStep & {
-			// If we are readonly, there is no condition on when we run this step.
-			// It should always be run, becase there is no alternative. But if we
-			// are not readonly, then we need to predicate this step on us not
-			// being on a protected branch.
-			if !#readonly {
-				if: "! \(readWriteCacheExpr)"
-			}
-
-			uses: "actions/cache/restore@v4"
-		},
-
-		if #cleanTestCache {
-			// All tests on protected branches should skip the test cache.  The
-			// canonical way to do this is with -count=1. However, we want the
-			// resulting test cache to be valid and current so that subsequent CLs
-			// in the trybot repo can leverage the updated cache. Therefore, we
-			// instead perform a clean of the testcache.
-			//
-			// Critically we only want to do this in the main repo, not the trybot
-			// repo.
-			githubactions.#Step & {
-				if:  "github.repository == '\(githubRepositoryPath)' && (\(isProtectedBranch) || github.ref == 'refs/heads/\(testDefaultBranch)')"
-				run: "go clean -testcache"
-			}
-		},
-	]
-}
+setupGoActionsCaches: [
+	// Our runner profiles on Namespace are already configured to only update
+	// the cache when they run from one of the protected branches.
+	githubactions.#Step & {
+		uses: "namespacelabs/nscloud-cache-action@v1"
+		with: cache: "go"
+	},
+
+	// All tests on protected branches should skip the test cache.  The
+	// canonical way to do this is with -count=1. However, we want the
+	// resulting test cache to be valid and current so that subsequent CLs
+	// in the trybot repo can leverage the updated cache. Therefore, we
+	// instead perform a clean of the testcache.
+	//
+	// Critically we only want to do this in the main repo, not the trybot
+	// repo.
+	//
+	// TODO(mvdan): rethink for Namespace, where trimming the cache size is irrelevant.
+	// A better approach there is likely to set GOFLAGS=-count=1 for "go test",
+	// assuming that does not interfere with other commands like "go vet",
+	// as -count=1 is the canonical way to disable test caching.
+	githubactions.#Step & {
+		if:  "github.repository == '\(githubRepositoryPath)' && (\(isProtectedBranch) || \(isTestDefaultBranch))"
+		run: "go clean -testcache"
+	},
+]
 
 // isProtectedBranch is an expression that evaluates to true if the
 // job is running as a result of pushing to one of protectedBranchPatterns.

internal/ci/github/trybot.cue

@@ -40,12 +40,6 @@ workflows: trybot: _repo.bashWorkflow & {
 			strategy:  _testStrategy
 			"runs-on": "${{ matrix.runner }}"
 
-			let _setupGoActionsCaches = _repo.setupGoActionsCaches & {
-				#goVersion: goVersionVal
-				#os:        runnerOSVal
-				_
-			}
-
 			let installGo = _repo.installGo & {
 				#setupGo: with: "go-version": goVersionVal
 				_
@@ -63,7 +57,9 @@ workflows: trybot: _repo.bashWorkflow & {
 
 				// cachePre must come after installing Node and Go, because the cache locations
 				// are established by running each tool.
-				for v in _setupGoActionsCaches {v},
+				for v in _repo.setupGoActionsCaches {v & {
+					if: string | *"\(matrixRunner) != '\(_repo.windowsMachine)'" // TODO(mvdan): remove the condition once Windows supports caching
+				}},
 
 				_repo.loginCentralRegistry,
 
@@ -92,8 +88,6 @@ workflows: trybot: _repo.bashWorkflow & {
 		}
 	}
 
-	let runnerOS = "runner.os"
-	let runnerOSVal = "${{ \(runnerOS) }}"
 	let matrixRunner = "matrix.runner"
 	let goVersion = "matrix.go-version"
 	let goVersionVal = "${{ \(goVersion) }}"

internal/ci/repo/repo.cue

@@ -26,9 +26,9 @@ protectedBranchPatterns: [defaultBranch, releaseBranchPattern]
 botGitHubUser:      "cueckoo"
 botGitHubUserEmail: "[email protected]"
 
-linuxMachine:   "ubuntu-24.04"
-macosMachine:   "macos-14"
-windowsMachine: "windows-2022"
+linuxMachine:   "namespace-profile-ubuntu-24-04-amd64-8x16"
+macosMachine:   "namespace-profile-macos-15-arm64-6x14"
+windowsMachine: "namespace-profile-windows-2022-amd64-8x16"
 
 // Use the latest Go version for extra checks,
 // such as running tests with the data race detector.