.github/workflows: Migrate workflows to Blacksmith runners

[blacksmith-sh]

To whomever may be reviewing this PR,

Blacksmith is the fastest way to run your GitHub Actions.

What does this PR change?

This PR has been automatically generated by a team member in your GitHub organization using Blacksmith's Migration Wizard, or MigWiz for short. This PR changes the following:

1. Your selected workflows will now run on Blacksmith's 2x faster hardware (e.g., runs-on: blacksmith-4vcpu-ubuntu-2204). Learn more about the different instances available to choose from.
2. Your jobs running on Blacksmith will now have all official GitHub and popular third-party cache actions automatically interact with our 4x faster, colocated cache. Learn more about Blacksmith's actions cache.
3. Your GitHub Actions will now actually be observable. Learn more about Blacksmith's logging and other observability features.
4. Your Docker builds will now automatically share their Docker layer cache, resulting in up to 40x faster builds. Learn more about Blacksmith's Docker layer caching.

FAQ

• Is this free? The first 3,000 minutes per month are free.
• Who uses Blacksmith? Clerk, Ashby, VEED, and 600+ others.
• What's the catch? There is none. Merge this thing already.

[github-actions]

The latest Buf updates on your PR. Results from workflow CI / buf-check (pull_request).

Build	Format	Lint	Breaking	Updated (UTC)
✅ passed	⏩ skipped	✅ passed	✅ passed	Feb 17, 2026, 3:46 PM

[claude]

Claude finished @tac0turtle's task in 1m 0s —— View job

---

Code Review: Blacksmith Runner Migration

Tasks

• Gather context
• Read changed workflow files
• Analyze changes for security, correctness, and best practices
• Post review feedback

---

Summary

This PR migrates selected GitHub Actions jobs to Blacksmith runners and adopts Blacksmith-specific Docker build actions. The changes are straightforward and mechanical, but there are a few issues worth calling out before merging.

---

Security: Unpinned Action Tags (Flagged by GitHub Advanced Security)

The most significant concern raised by the automated security scan is the use of mutable version tags (v1, v2) for the two new Blacksmith actions:

File	Line	Action	Tag
docker-build-push.yml	34	useblacksmith/setup-docker-builder	@v1
docker-build-push.yml	44	useblacksmith/build-push-action	@v2
release-apps.yml	81	useblacksmith/setup-docker-builder	@v1
release-apps.yml	91	useblacksmith/build-push-action	@v2
test.yml	86	useblacksmith/setup-docker-builder	@v1
test.yml	88	useblacksmith/build-push-action	@v2

Using mutable tags means the action content can change at any point without notice, which is a supply-chain risk. The pre-existing project actions (e.g., actions/checkout@v6, docker/login-action@v3) have the same pattern, but that's not a reason to introduce more. Pinning to a full commit SHA (e.g., useblacksmith/setup-docker-builder@<full-sha>) is the recommended practice. If the team is comfortable with the existing convention of floating tags, at minimum this should be an explicit and conscious decision.

---

Inconsistent Runner Migration

Not all jobs were migrated to Blacksmith runners. Several jobs in test.yml were left on ubuntu-latest:

• build_all-apps — ubuntu-latest
• go_mod_tidy_check — ubuntu-latest
• unit_test — ubuntu-latest
• integration_test — ubuntu-latest
• evm-tests — ubuntu-latest
• combine_and_upload_coverage — ubuntu-latest

Only e2e-tests was migrated (to blacksmith-2vcpu-ubuntu-2404). This is likely intentional if Blacksmith was only applied to jobs where Docker build caching provides the biggest benefit, but it's worth confirming this is the desired scope.

Similarly in docker-tests.yml, test-docker-compat at line 57 still runs on ubuntu-latest while the other two jobs (docker-tests and docker-upgrade-tests) were migrated.

---

Runner Version: ubuntu-2404 vs ubuntu-2204

The PR description mentions blacksmith-4vcpu-ubuntu-2204 as an example runner tag, but the actual workflows use blacksmith-2vcpu-ubuntu-2404 and blacksmith-4vcpu-ubuntu-2404. The jump from Ubuntu 22.04 to 24.04 is a meaningful OS upgrade beyond just switching runner vendors. It's worth verifying that the jobs that were migrated behave correctly on Ubuntu 24.04 (e.g., Go toolchain, Docker daemon behavior, apt package availability).

---

release-apps.yml: parse-tag job still on ubuntu-latest

The parse-tag job (line 17) remains on ubuntu-latest while build-and-push (line 72) runs on blacksmith-4vcpu-ubuntu-2404. This is reasonable since parse-tag only runs shell scripts, but it is worth noting for consistency.

---

Minor: Missing cache-from/cache-to in docker-build-push.yml

useblacksmith/build-push-action in docker-build-push.yml (line 44) does not set explicit cache-from/cache-to parameters. The PR description says Blacksmith handles Docker layer caching automatically, which may make this unnecessary, but it is worth verifying with Blacksmith's documentation whether automatic caching covers multi-platform builds (linux/amd64,linux/arm64).

---

No Functional Regressions Detected

The logic of all workflows is unchanged. Only runner labels and action names were swapped. CI checks are passing and Codecov shows no coverage change, as expected for a CI configuration-only PR.

---

Overall: The migration is straightforward and CI is green. The primary blocker to address is the unpinned action tags flagged by GitHub Advanced Security. If the team accepts floating version tags as a project-wide convention (matching actions/checkout@v6 etc.), that should be documented and the security alerts suppressed explicitly.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 61.16%. Comparing base (d4394f6) to head (d5cbefd).

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #3035      +/-   ##
==========================================
+ Coverage   61.11%   61.16%   +0.05%     
==========================================
  Files         113      113              
  Lines       11444    11444              
==========================================
+ Hits         6994     7000       +6     
+ Misses       3661     3655       -6     
  Partials      789      789              

Flag	Coverage Δ
combined	61.16% <ø> (+0.05%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.