
chore: optimize runners #1266

Merged
GabrielePicco merged 3 commits into master from chore/optimize-ci-cost on May 29, 2026

Conversation

@GabrielePicco (Collaborator) commented May 29, 2026

Summary by CodeRabbit

Release Notes

  • Chores
    • Updated CI/CD pipeline configuration across multiple workflows for improved efficiency and optimized resource allocation.
    • Enhanced release validation process with automated version alignment checks.
    • Refined notification filtering to reduce unnecessary alerts.
    • Adjusted workflow trigger conditions to run on relevant code changes only.


@coderabbitai Bot (Contributor) commented May 29, 2026

Walkthrough

This PR updates six GitHub Actions workflow files to optimize CI/CD infrastructure efficiency and release processes. The changes migrate multiple jobs from custom blacksmith runners to GitHub-hosted ubuntu-latest runners, downsize integration test shards from 8vcpu to 4vcpu blacksmith instances, and add path-based trigger filters to unit and integration test workflows to prevent unnecessary runs. A new validate-release-branch job is introduced to check version alignment on push events to release branches, while existing publish jobs are gated to run only on non-push events. Finally, Slack notification filtering is updated to ignore review submissions from the ChatGPT Codex Connector bot.

Suggested reviewers

  • thlorenz
  • lucacillario

@chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 3ffb1e6ddd

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread .github/workflows/ci-test-unit.yml
@chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 26ab4320a0


Comment thread .github/workflows/ci-test-unit.yml
@coderabbitai Bot (Contributor) left a comment

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/workflows/publish-packages.yml (1)

1-1: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add explicit least-privilege permissions for this workflow.

This workflow publishes artifacts/packages and consumes multiple secrets, but it relies on default token permissions. Please declare explicit permissions (top-level or per-job) to avoid accidental over-privilege.

Also applies to: 20-24

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/publish-packages.yml at line 1, The workflow "Publish
ephemeral validator packages and crates" lacks explicit permissions; add a
top-level (or per-job) permissions block to enforce least privilege by declaring
only the scopes needed for publishing: e.g., permissions: contents: read and
packages: write (and any additional minimal scopes your jobs require, such as
id-token: write only if you use OIDC). Update the workflow YAML to include this
permissions block at the top level (or inside the publish job) so the
GITHUB_TOKEN is constrained rather than using default token permissions.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/publish-packages.yml:
- Line 27: The workflow currently uses the floating tag "actions/checkout@v4";
pin this to the full commit SHA for that release to harden supply-chain
integrity by replacing the uses line with "actions/checkout@<FULL_COMMIT_SHA>"
(obtain the canonical v4 commit SHA from the actions/checkout repository release
or tags on GitHub), commit the change, and ensure any other workflows using
actions/checkout are similarly pinned.


ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 80d9c1ed-35fc-47fc-b3d2-dc658f2d9dc8

📥 Commits

Reviewing files that changed from the base of the PR and between dad3765 and 26ab432.

📒 Files selected for processing (6)
  • .github/workflows/ci-fmt.yml
  • .github/workflows/ci-lint.yml
  • .github/workflows/ci-test-integration.yml
  • .github/workflows/ci-test-unit.yml
  • .github/workflows/publish-packages.yml
  • .github/workflows/slack-notify.yml
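The two findings in the CodeRabbit review above (a `uses:` reference pinned only to a floating tag, and a publishing workflow that runs with default `GITHUB_TOKEN` permissions) are easy to check mechanically. The following script is an added example written for this page; it is not part of the PR, the repository, or CodeRabbit. The two embedded workflow texts are constructed samples that mirror the shape of the weak and hardened configurations the review describes: the weak one uses `actions/checkout@v4` and has no `permissions` block, the hardened one declares `contents: read` and `packages: write` and pins the action to a full 40-hex commit. The all-zero SHA, the secret name `PUBLISH_TOKEN`, and the function names are placeholders chosen for the example, not values from the project.

```python
import re

# Constructed sample (not the project's file): the shape of the weakness the
# review flagged on publish-packages.yml, i.e. a floating tag and no permissions.
WEAK_WORKFLOW = """\
name: Publish ephemeral validator packages and crates
on:
  push:
    tags: ["v*"]
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: cargo publish --token ${{ secrets.PUBLISH_TOKEN }}
"""

# Constructed hardened form. The all-zero SHA is only a placeholder for the real
# 40-hex commit of the actions/checkout release you decide to pin.
HARDENED_WORKFLOW = """\
name: Publish ephemeral validator packages and crates
on:
  push:
    tags: ["v*"]
permissions:
  contents: read
  packages: write
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4
      - run: cargo publish --token ${{ secrets.PUBLISH_TOKEN }}
"""

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*(\S+)")
# Top-level keys start at column 0; a job-level permissions block is indented.
TOP_LEVEL_PERMISSIONS = re.compile(r"^permissions:", re.MULTILINE)
JOB_LEVEL_PERMISSIONS = re.compile(r"^\s+permissions:", re.MULTILINE)


def unpinned_actions(workflow_text):
    """Return (line_no, uses_value) for every remote action whose ref is not a
    full commit SHA. Local actions (./path) and docker:// images are skipped
    because they are pinned by other means (repo contents, image digest)."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_LINE.match(line)
        if not match:
            continue
        ref = match.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        _, _, version = ref.partition("@")
        if not FULL_SHA.match(version):
            findings.append((line_no, ref))
    return findings


def has_explicit_permissions(workflow_text):
    """True when a permissions block exists at the top level or inside any job."""
    return bool(
        TOP_LEVEL_PERMISSIONS.search(workflow_text)
        or JOB_LEVEL_PERMISSIONS.search(workflow_text)
    )


def lint_workflow(workflow_text):
    """Collect the two review findings as human-readable strings."""
    problems = []
    if not has_explicit_permissions(workflow_text):
        problems.append("no explicit permissions block; GITHUB_TOKEN keeps default scopes")
    for line_no, ref in unpinned_actions(workflow_text):
        problems.append(f"line {line_no}: {ref} is not pinned to a full commit SHA")
    return problems


if __name__ == "__main__":
    for label, text in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(f"{label}: {lint_workflow(text) or 'no findings'}")
```

Running the script reports two problems for the weak sample and none for the hardened one. The check is deliberately line-based rather than a YAML parse so it runs without third-party packages; a real pre-merge gate would parse the YAML and also confirm that the pinned SHA actually belongs to the action's repository, which a regex cannot do.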

Comment thread .github/workflows/publish-packages.yml
@GabrielePicco GabrielePicco merged commit b2ab11b into master May 29, 2026
37 checks passed
@GabrielePicco GabrielePicco deleted the chore/optimize-ci-cost branch May 29, 2026 15:51