Use only self-hosted runners.

Author: shimkiv

.github/workflows/ci.yml

@@ -62,7 +62,7 @@ jobs:
     name: Run checks and tests
     # We run only one of the matrix options on the toffee `hetzner-1` self-hosted GitHub runner.
     # Only in this configuration we enable tests with the code coverage data gathering.
-    runs-on: ${{ matrix.rust_toolchain_version == '1.74' && 'hetzner-1' || 'ubuntu-latest' }}
+    runs-on: [hetzner-proof-systems-runners-group-1]
     env:
       RUST_TOOLCHAIN_COVERAGE_VERSION: "1.74"
     strategy:
@@ -72,7 +72,6 @@ jobs:
         # It might be related to boxroot dependency, and we would need to bump
         # up the ocaml-rs dependency
         ocaml_version: ["4.14"]
-        os: ["ubuntu-latest"]
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
@@ -150,19 +149,16 @@ jobs:
           make install-test-deps
 
       - name: Doc tests
-        if: ${{ matrix.rust_toolchain_version != env.RUST_TOOLCHAIN_COVERAGE_VERSION }}
         run: |
           eval $(opam env)
           make test-doc
 
       - name: Run non-heavy tests without the code coverage
-        if: ${{ matrix.rust_toolchain_version != env.RUST_TOOLCHAIN_COVERAGE_VERSION }}
         run: |
           eval $(opam env)
           make nextest
 
       - name: Run heavy tests without the code coverage
-        if: ${{ matrix.rust_toolchain_version == env.RUST_TOOLCHAIN_COVERAGE_VERSION }}
         run: |
           eval $(opam env)
           make nextest-heavy

docker-compose.yml

@@ -0,0 +1,86 @@
+name: proof-systems-github-runners
+
+networks:
+  proof-systems:
+    driver: bridge
+
+services:
+  proof-systems-runner-1:
+    image: ${GITHUB_RUNNER_DOCKER_IMAGE}
+    environment:
+      REPO_URL: ${GITHUB_RUNNERS_REPO_URL}
+      RUNNER_NAME: ${GITHUB_RUNNER_NAME_PERFIX}-1
+      RUNNER_TOKEN: ${GITHUB_RUNNER_1_TOKEN}
+      RUNNER_WORKDIR: /tmp/${GITHUB_RUNNER_NAME_PERFIX}-1/work
+      RUNNER_GROUP: ${GITHUB_RUNNERS_GROUP}
+      RUNNER_SCOPE: "${GITHUB_RUNNER_SCOPE}"
+      LABELS: linux,x64,${GITHUB_RUNNERS_GROUP},${GITHUB_RUNNER_NAME_PERFIX}-1
+    security_opt:
+      # needed on SELinux systems to allow docker container to manage other docker containers
+      - label:disable
+    volumes:
+      - "/var/run/docker.sock:/var/run/docker.sock"
+      - "/tmp/${GITHUB_RUNNER_NAME_PERFIX}-1:/tmp/${GITHUB_RUNNER_NAME_PERFIX}-1"
+      # note: a quirk of docker-in-docker is that this path
+      # needs to be the same path on host and inside the container,
+      # docker mgmt cmds run outside of docker but expect the paths from within
+
+  proof-systems-runner-2:
+    image: ${GITHUB_RUNNER_DOCKER_IMAGE}
+    environment:
+      REPO_URL: ${GITHUB_RUNNERS_REPO_URL}
+      RUNNER_NAME: ${GITHUB_RUNNER_NAME_PERFIX}-2
+      RUNNER_TOKEN: ${GITHUB_RUNNER_2_TOKEN}
+      RUNNER_WORKDIR: /tmp/${GITHUB_RUNNER_NAME_PERFIX}-2/work
+      RUNNER_GROUP: ${GITHUB_RUNNERS_GROUP}
+      RUNNER_SCOPE: "${GITHUB_RUNNER_SCOPE}"
+      LABELS: linux,x64,${GITHUB_RUNNERS_GROUP},${GITHUB_RUNNER_NAME_PERFIX}-2
+    security_opt:
+      # needed on SELinux systems to allow docker container to manage other docker containers
+      - label:disable
+    volumes:
+      - "/var/run/docker.sock:/var/run/docker.sock"
+      - "/tmp/${GITHUB_RUNNER_NAME_PERFIX}-2:/tmp/${GITHUB_RUNNER_NAME_PERFIX}-2"
+      # note: a quirk of docker-in-docker is that this path
+      # needs to be the same path on host and inside the container,
+      # docker mgmt cmds run outside of docker but expect the paths from within
+
+  proof-systems-runner-3:
+    image: ${GITHUB_RUNNER_DOCKER_IMAGE}
+    environment:
+      REPO_URL: ${GITHUB_RUNNERS_REPO_URL}
+      RUNNER_NAME: ${GITHUB_RUNNER_NAME_PERFIX}-3
+      RUNNER_TOKEN: ${GITHUB_RUNNER_3_TOKEN}
+      RUNNER_WORKDIR: /tmp/${GITHUB_RUNNER_NAME_PERFIX}-3/work
+      RUNNER_GROUP: ${GITHUB_RUNNERS_GROUP}
+      RUNNER_SCOPE: "${GITHUB_RUNNER_SCOPE}"
+      LABELS: linux,x64,${GITHUB_RUNNERS_GROUP},${GITHUB_RUNNER_NAME_PERFIX}-3
+    security_opt:
+      # needed on SELinux systems to allow docker container to manage other docker containers
+      - label:disable
+    volumes:
+      - "/var/run/docker.sock:/var/run/docker.sock"
+      - "/tmp/${GITHUB_RUNNER_NAME_PERFIX}-3:/tmp/${GITHUB_RUNNER_NAME_PERFIX}-3"
+      # note: a quirk of docker-in-docker is that this path
+      # needs to be the same path on host and inside the container,
+      # docker mgmt cmds run outside of docker but expect the paths from within
+
+  proof-systems-runner-4:
+    image: ${GITHUB_RUNNER_DOCKER_IMAGE}
+    environment:
+      REPO_URL: ${GITHUB_RUNNERS_REPO_URL}
+      RUNNER_NAME: ${GITHUB_RUNNER_NAME_PERFIX}-4
+      RUNNER_TOKEN: ${GITHUB_RUNNER_4_TOKEN}
+      RUNNER_WORKDIR: /tmp/${GITHUB_RUNNER_NAME_PERFIX}-4/work
+      RUNNER_GROUP: ${GITHUB_RUNNERS_GROUP}
+      RUNNER_SCOPE: "${GITHUB_RUNNER_SCOPE}"
+      LABELS: linux,x64,${GITHUB_RUNNERS_GROUP},${GITHUB_RUNNER_NAME_PERFIX}-4
+    security_opt:
+      # needed on SELinux systems to allow docker container to manage other docker containers
+      - label:disable
+    volumes:
+      - "/var/run/docker.sock:/var/run/docker.sock"
+      - "/tmp/${GITHUB_RUNNER_NAME_PERFIX}-4:/tmp/${GITHUB_RUNNER_NAME_PERFIX}-4"
+      # note: a quirk of docker-in-docker is that this path
+      # needs to be the same path on host and inside the container,
+      # docker mgmt cmds run outside of docker but expect the paths from within