tidy gha

Author: jayvdb

.github/actions/free-disk-space-windows/action.yaml

@@ -7,6 +7,8 @@ description: >-
   jlumbroso/free-disk-space on Linux, which doesn't have a Windows path.
   Logs disk-free before + after so the reclaimed space is visible.
 
+  Enabling all makes approximately 10Gb free.
+
   Caller is responsible for the `if: runner.os == 'Windows'` guard --
   every step here uses Git Bash with `C:\` mounted at `/c`; running this
   on a non-Windows runner will silently no-op (no /c mount) at best.
@@ -40,23 +42,29 @@ inputs:
       Strawberry Perl) -- ~1 GB combined.
     required: false
     default: "true"
+  keep-image:
+    description: >-
+      Docker image (repo:tag) to preserve during the docker prune.
+      Empty (default) removes every image.
+    required: false
+    default: ""
 
 runs:
   using: composite
   steps:
-    - name: before
+    - name: Disk usage before
       shell: bash --noprofile --norc -euo pipefail {0}
       run: df -h /c
 
-    - name: Android SDK
+    - name: Remove Android SDK
       if: inputs.android == 'true'
       shell: bash --noprofile --norc -euo pipefail {0}
       run: |
         for p in "/c/Android" "/c/Program Files (x86)/Android"; do
           [ -e "$p" ] && { echo "removing $p"; rm -rf -- "$p"; } || true
         done
 
-    - name: hostedtoolcache old Pythons
+    - name: Remove hostedtoolcache old Pythons
       if: inputs.hostedtoolcache-old-pythons == 'true'
       shell: bash --noprofile --norc -euo pipefail {0}
       run: |
@@ -66,7 +74,7 @@ runs:
           rm -rf -- "$p"
         done
 
-    - name: hostedtoolcache old JDKs
+    - name: Remove hostedtoolcache old JDKs
       if: inputs.hostedtoolcache-old-jdks == 'true'
       shell: bash --noprofile --norc -euo pipefail {0}
       run: |
@@ -76,7 +84,7 @@ runs:
           rm -rf -- "$p"
         done
 
-    - name: old .NET SDKs
+    - name: Remove old .NET SDKs
       if: inputs.old-dotnet-sdks == 'true'
       shell: bash --noprofile --norc -euo pipefail {0}
       run: |
@@ -86,7 +94,7 @@ runs:
           rm -rf -- "$p"
         done
 
-    - name: misc SDKs
+    - name: Remove misc SDKs
       if: inputs.misc-sdks == 'true'
       shell: bash --noprofile --norc -euo pipefail {0}
       run: |
@@ -96,6 +104,21 @@ runs:
           [ -e "$p" ] && { echo "removing $p"; rm -rf -- "$p"; } || true
         done
 
-    - name: after
+    - name: Prune docker images and builder cache
+      shell: bash --noprofile --norc -euo pipefail {0}
+      env:
+        KEEP_IMAGE: ${{ inputs.keep-image }}
+      run: |
+        docker images
+        for img in $(docker images --format '{{.Repository}}:{{.Tag}}'); do
+          if [ "$img" != "$KEEP_IMAGE" ]; then
+            docker rmi -f "$img" || true
+          fi
+        done
+        docker container prune -f
+        docker network prune -f
+        docker builder prune -af
+
+    - name: Disk usage after
       shell: bash --noprofile --norc -euo pipefail {0}
       run: df -h /c

.github/actions/install-mise-tools/action.yaml

@@ -1,19 +1,17 @@
 ---
 name: Install mise tools
 description: >-
-  Install mise (via install-mise), then trust the .mise config, and install
-  the toolchain named by the workflow's MISE_ENV (with one retry on transient
+  Runs `install-mise` action, then installs all of the tools in the per-language
+  toolchains named by the workflow's MISE_ENV (with one retry on transient
   HTTP flakes). Shared by check.yaml and test.yaml; the caller must run
   `actions/checkout` before this so .mise/config*.toml exists for `mise trust`.
 
 inputs:
   github-token:
     description: >-
-      GitHub token forwarded as `$GITHUB_TOKEN` to the mise/preinstall steps.
-      Raises the api.github.com rate-limit ceiling on aqua's attestation
-      lookups + tool-asset fetches.
+      GitHub token forwarded as `$GITHUB_TOKEN` to the mise install steps.
     required: true
-  extra-tools:
+  install-action-tools:
     description: >-
       Comma-separated tools to co-install via taiki-e/install-action in the
       same step as mise. Forwarded to install-mise's `extra-tools` input.
@@ -31,11 +29,7 @@ runs:
     - name: Install mise binary
       uses: ./.github/actions/install-mise
       with:
-        extra-tools: ${{ inputs.extra-tools }}
-
-    - name: Show MISE_ENV
-      shell: bash --noprofile --norc -euo pipefail {0}
-      run: echo "MISE_ENV=$MISE_ENV"
+        install-action: ${{ inputs.install-action-tools }}
 
     # Optional npm backend, installed before the main `mise install`.
     # Only useful when js env is loaded (it's the backend for npm:* tools, all
@@ -51,15 +45,23 @@ runs:
       run: mise run setup-aube
 
     - name: Install mise tools
+      id: install-mise-tools
+      continue-on-error: true
       shell: bash --noprofile --norc -euo pipefail {0}
       env:
         GITHUB_TOKEN: ${{ inputs.github-token }}
       run: |
         mise run preinstall
-        # Retry once on transient api.github.com 5xx during the aqua attestation
-        # / asset fetches: the first attempt re-uses what's already on disk, so
-        # the retry usually clears single-tool HTTP flakes in seconds.
-        mise install || { echo "::warning::mise install failed, retrying once"; mise install; }
+        mise install
+
+    - name: Install mise tools (retry)
+      if: steps.install-mise-tools.outcome == 'failure'
+      shell: bash --noprofile --norc -euo pipefail {0}
+      env:
+        GITHUB_TOKEN: ${{ inputs.github-token }}
+      run: |
+        sleep 20
+        mise install
 
     # Delete mise's auto-generated `mise.cmd` shim on Windows so cmd's PATH
     # search falls through to the real `mise.exe` at `~/.cargo/bin/mise.exe`

.github/actions/install-mise/action.yaml

@@ -1,28 +1,31 @@
 ---
 name: Install mise
 description: >-
-  Install the mise binary (and cargo-binstall as its source-build backend)
-  via taiki-e/install-action, and on Windows add mise's file-shim dir to
-  PATH so subsequent steps can resolve mise-managed tools by bare name.
-  Shared by every workflow that runs `mise` on the runner. For the heavier
-  "also install everything named by MISE_ENV" flow, use install-mise-tools.
+  Install the mise binary via taiki-e/install-action, and on Windows add mise's
+  file-shim dir to PATH so subsequent steps can resolve mise-managed tools by
+  bare name.
 
 inputs:
-  extra-tools:
+  install-action-tools:
     description: >-
-      Comma-separated tools to co-install via taiki-e/install-action in the
-      same step as mise (cheaper than a second install-action call). Use the
-      same syntax as install-action's `tool:` input.
+      Comma-separated tools to co-install via taiki-e/install-action.
     required: false
     default: ""
 
 runs:
   using: composite
   steps:
+    - name: Verify actions/checkout has run
+      shell: bash --noprofile --norc -euo pipefail {0}
+      run: git rev-parse --is-inside-work-tree >/dev/null
+
     - name: Install mise (and any extra tools)
       uses: taiki-e/install-action@v2
       with:
-        tool: cargo-binstall,mise@2026.6.5${{ inputs.extra-tools && ',' || '' }}${{ inputs.extra-tools }}
+        tool: |
+          cargo-binstall
+          mise@2026.6.5
+          ${{ inputs.install-action-tools }}
 
     # taiki-e/install-action's mise manifest stages only `mise.exe`; mise's
     # per-tool `.cmd` "file" shims under `%LOCALAPPDATA%\mise\shims` aren't
@@ -42,10 +45,10 @@ runs:
       # arbitrary-code-execution shape doesn't apply.
       run: echo "$LOCALAPPDATA\mise\shims" >> "$GITHUB_PATH" # zizmor: ignore[github-env]
 
-    # Marks the checked-out .mise/config*.toml as trusted so subsequent mise
-    # invocations don't error out with "Config files are not trusted". The
-    # caller must run actions/checkout BEFORE this composite action so the
-    # config files are on disk.
     - name: Trust mise config
       shell: bash --noprofile --norc -euo pipefail {0}
       run: mise trust
+
+    - name: Show MISE_ENV
+      shell: bash --noprofile --norc -euo pipefail {0}
+      run: echo "MISE_ENV=$MISE_ENV"

.github/workflows/dependencies.yaml

@@ -47,10 +47,7 @@ jobs:
       - name: Install mise + dependency-scan tools
         uses: ./.github/actions/install-mise
         with:
-          extra-tools: cargo-deny,cargo-unmaintained,coreutils,osv-scanner,ripgrep
-
-      - name: Show MISE_ENV
-        run: echo "MISE_ENV=$MISE_ENV"
+          install-action-tools: cargo-deny,cargo-unmaintained,coreutils,osv-scanner,ripgrep
 
       - name: Generate config/osv-scanner.toml from config/deny.toml
         run: mise run gen:osv-scanner

.github/workflows/docker-windows.yaml

@@ -30,26 +30,19 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        # `base` controls which Dockerfile is built; `runner` picks the host
-        # GHA runner. `nanoserver` is the minimal ~120 MB lane; `servercore`
-        # is the heavier ~1.25 GB lane with a fuller Windows runtime (used
-        # by Dockerfile.windows). Both run on each Windows runner version
-        # so we exercise the ltsc2022/ltsc2025 base-image pair against the
-        # matching runner kernel. Workflow-level MISE_ENV is the standard
-        # set; Dockerfile.nanoserver pins its own narrower MISE_ENV via an
-        # ENV that overrides the inherited ARG (Nano can't install python
-        # or dotnet).
         include:
           - runner: windows-2022
             base: nanoserver
+            windows_version: ltsc2022
           - runner: windows-2025
             base: nanoserver
-            build_arg: "--build-arg WINDOWS_VERSION=ltsc2025"
+            windows_version: ltsc2025
           - runner: windows-2022
             base: servercore
+            windows_version: ltsc2022
           - runner: windows-2025
             base: servercore
-            build_arg: "--build-arg WINDOWS_VERSION=ltsc2025"
+            windows_version: ltsc2025
     name: build (${{ matrix.runner }}, ${{ matrix.base }})
     timeout-minutes: 120
     env:
@@ -65,6 +58,7 @@ jobs:
           persist-credentials: false
 
       - name: Show MISE_ENV
+        if: matrix.base == 'servercore'
         run: echo "MISE_ENV=$MISE_ENV"
 
       # Hosted Windows runners don't reliably leave the Docker daemon running, so
@@ -75,40 +69,10 @@ jobs:
           sc query docker | grep -q RUNNING || net start docker
           docker version
 
-      # Reclaim runner C:\ before any docker work. Windows `docker build`
-      # stages HCS layer scratch under `C:\Windows\SystemTemp`, so every GB
-      # we free here is a GB that doesn't go to disk-pressure failures
-      # inside the build. Preinstalled trees we never touch (Android, old
-      # Python / JDK versions, old .NET SDKs, misc DB SDKs) come out first;
-      # the docker-prune step below clears any layer-cache leftovers.
       - name: Free disk space on Windows runner
         uses: ./.github/actions/free-disk-space-windows
-
-      # Free runner disk before the build. The Server Core lane has been hitting
-      # "There is not enough space on the disk" during the conda-clang-tools
-      # install inside `mise install`. `docker system prune -af` clears any
-      # unused images/containers from earlier matrix entries on the same
-      # runner; `docker builder prune -af` clears BuildKit's layer cache.
-      # Disk-free is logged before + after so we can see how much each prune
-      # actually reclaims on this runner image -- adjust the cleanup set up or
-      # down based on the delta.
-      - name: Free disk space before docker build
-        env:
-          PS_DISKFREE: Get-PSDrive C | Select-Object -Property Used,Free | Format-List
-        run: |
-          freespace() { powershell.exe -NoProfile -Command "$PS_DISKFREE"; }
-          echo "::group::disk-free BEFORE prune"
-          freespace
-          echo "::endgroup::"
-          echo "::group::docker system prune -af"
-          docker system prune -af
-          echo "::endgroup::"
-          echo "::group::docker builder prune -af"
-          docker builder prune -af
-          echo "::endgroup::"
-          echo "::group::disk-free AFTER prune"
-          freespace
-          echo "::endgroup::"
+        with:
+          keep-image: mcr.microsoft.com/windows/${{ matrix.base }}:${{ matrix.windows_version }}
 
       - name: Prepare mise and Github token for the build context
         run: |
@@ -139,7 +103,10 @@ jobs:
           DOCKERFILE: ${{ steps.dockerfile.outputs.dockerfile }}
           IMAGE_TAG: ${{ steps.dockerfile.outputs.tag }}
         run: |
-          args="-f $DOCKERFILE ${{ matrix.build_arg }} --build-arg MISE_ENV"
+          args="-f $DOCKERFILE --build-arg MISE_ENV"
+          if [ "${{ matrix.runner }}" != "windows-2022" ]; then
+            args="$args --build-arg WINDOWS_VERSION=${{ matrix.windows_version }}"
+          fi
           args="$args --target build-minimal -t $IMAGE_TAG"
           docker build $args .
 
@@ -181,7 +148,10 @@ jobs:
             target=precompile
             tag=""
           fi
-          args="-f $DOCKERFILE ${{ matrix.build_arg }} --build-arg MISE_ENV"
+          args="-f $DOCKERFILE --build-arg MISE_ENV"
+          if [ "${{ matrix.runner }}" != "windows-2022" ]; then
+            args="$args --build-arg WINDOWS_VERSION=${{ matrix.windows_version }}"
+          fi
           args="$args --target $target $tag"
           docker build $args .
 

.github/workflows/test.yaml

@@ -107,7 +107,7 @@ jobs:
         if: runner.os == 'Linux'
         run: |
           sudo apt-get update
-          sudo apt-get install -y mesa-vulkan-drivers
+          sudo apt-get install -y --no-install-recommends mesa-vulkan-drivers
 
       - name: Install mise + tools
         uses: ./.github/actions/install-mise-tools