ci: migrate 11 of 13 ci.yml jobs to smithy + add mutants-weekly

Builds on the proven clippy migration (PR description, original
commit on this branch). Two separate concerns:

1) ci.yml — broaden the migration

Migrate every gating job that doesn't need infra we don't have on
the smithy host. Two stay on ubuntu-latest with explicit comments
explaining why; everything else now targets the matching smithy
runner class:

  rust-cpu (12G MemoryHigh)        clippy, test, bench-smoke,
                                   coverage, proptest, fuzz-smoke,
                                   rivet-validate
  lean-mem (24G MemoryHigh)        miri, mutants
  light    (4G  MemoryHigh)        fmt, audit, deny, supply-chain
  ubuntu-latest (kept)             bazel-test (no Bazel on host),
                                   kani (kani-verifier bundles CBMC,
                                   ~100 MB install — not worth pre-
                                   provisioning until kani sees more
                                   use)

The lean-mem class for miri / mutants is deliberate: both are
RAM-aggressive (Miri's borrow tracker, mutants' parallel cargo
invocations). The 24G MemoryHigh ceiling on smithy lean-mem
runners is comfortably above the 12G rust-cpu cap.

2) mutants-weekly.yml — new heavy-quality workflow

Counterpart to the gating `mutants:` job in ci.yml. Different
operational pattern (smithy DD-pattern for "heavy quality"):

  - schedule: 02:00 UTC every Sunday + workflow_dispatch on demand
  - runs-on: lean-mem (24G), timeout-minutes: 720
  - concurrency.cancel-in-progress: false (never cancel a quality run)
  - workflow_dispatch inputs: `shard` (default 0/8 for sanity, "all"
    for the full ~hours pass) + `packages` (space-separated -p list)
  - results land in GITHUB_STEP_SUMMARY (markdown table of
    missed/caught/timeout/unviable) plus an uploaded artefact with
    90-day retention
  - no PR red lights; no auto-Issue filing yet (that's a follow-up
    once the report shape stabilises)

This is the second-pattern pilot the smithy fleet was sized for —
the lean-mem runners have been idle since registration; this puts
them on the work they were labelled for.

Author: avrabe

.github/workflows/ci.yml

@@ -21,7 +21,7 @@ jobs:
   # ── Fast checks ───────────────────────────────────────────────────────
   fmt:
     name: Format
-    runs-on: ubuntu-latest
+    runs-on: [self-hosted, linux, x64, light]
     steps:
       - uses: actions/checkout@v4
       - uses: dtolnay/rust-toolchain@nightly
@@ -31,9 +31,6 @@ jobs:
 
   clippy:
     name: Clippy
-    # smithy: pilot-migrating this single job to the pulseengine self-hosted
-    # fleet (hetzner-private runner group, rust-cpu class). Other jobs stay
-    # on ubuntu-latest until this one is proven over a few runs.
     runs-on: [self-hosted, linux, x64, rust-cpu]
     steps:
       - uses: actions/checkout@v4
@@ -46,7 +43,7 @@ jobs:
   # ── Tests ─────────────────────────────────────────────────────────────
   test:
     name: Test
-    runs-on: ubuntu-latest
+    runs-on: [self-hosted, linux, x64, rust-cpu]
     steps:
       - uses: actions/checkout@v4
       - uses: dtolnay/rust-toolchain@nightly
@@ -68,7 +65,7 @@ jobs:
   # ── Bench compile smoke (fast regression gate) ──────────────────────
   bench-smoke:
     name: Bench compile smoke
-    runs-on: ubuntu-latest
+    runs-on: [self-hosted, linux, x64, rust-cpu]
     steps:
       - uses: actions/checkout@v4
       - uses: dtolnay/rust-toolchain@nightly
@@ -82,7 +79,7 @@ jobs:
   # ── Security audits ──────────────────────────────────────────────────
   audit:
     name: Security Audit (RustSec)
-    runs-on: ubuntu-latest
+    runs-on: [self-hosted, linux, x64, light]
     steps:
       - uses: actions/checkout@v4
       - uses: rustsec/audit-check@v2
@@ -91,7 +88,7 @@ jobs:
 
   deny:
     name: Cargo Deny
-    runs-on: ubuntu-latest
+    runs-on: [self-hosted, linux, x64, light]
     steps:
       - uses: actions/checkout@v4
       - uses: EmbarkStudios/cargo-deny-action@v2
@@ -100,7 +97,7 @@ jobs:
   coverage:
     name: Code Coverage
     needs: [test]
-    runs-on: ubuntu-latest
+    runs-on: [self-hosted, linux, x64, rust-cpu]
     steps:
       - uses: actions/checkout@v4
       - uses: dtolnay/rust-toolchain@nightly
@@ -132,7 +129,9 @@ jobs:
   # ── Miri (undefined behavior, pointer provenance) ───────────────────
   miri:
     name: Miri
-    runs-on: ubuntu-latest
+    # lean-mem class — Miri allocates aggressively and benefits from the 24G
+    # MemoryHigh ceiling on smithy lean-mem runners over the 12G rust-cpu cap.
+    runs-on: [self-hosted, linux, x64, lean-mem]
     steps:
       - uses: actions/checkout@v4
       - uses: dtolnay/rust-toolchain@nightly
@@ -155,7 +154,7 @@ jobs:
   # parser/scheduler invariants get exercised on every change.
   proptest:
     name: Proptest (extended)
-    runs-on: ubuntu-latest
+    runs-on: [self-hosted, linux, x64, rust-cpu]
     steps:
       - uses: actions/checkout@v4
       - uses: dtolnay/rust-toolchain@nightly
@@ -169,7 +168,10 @@ jobs:
   mutants:
     name: Mutation Testing
     needs: [test]
-    runs-on: ubuntu-latest
+    # lean-mem — many parallel cargo invocations, RAM pressure under -j 4.
+    # The full-workspace exhaustive run lives in mutants-weekly.yml; this
+    # gating job stays narrow (spar-analysis) with a survivor ratchet.
+    runs-on: [self-hosted, linux, x64, lean-mem]
     steps:
       - uses: actions/checkout@v4
       - uses: dtolnay/rust-toolchain@nightly
@@ -206,7 +208,7 @@ jobs:
   # ── Fuzz smoke (60s per target on PRs) ──────────────────────────────
   fuzz-smoke:
     name: Fuzz smoke (60s/target)
-    runs-on: ubuntu-latest
+    runs-on: [self-hosted, linux, x64, rust-cpu]
     # Only run on PRs — pushes to main hit the nightly workflow instead.
     if: github.event_name == 'pull_request'
     steps:
@@ -232,7 +234,7 @@ jobs:
   # ── Supply chain verification ───────────────────────────────────────
   supply-chain:
     name: Supply Chain (cargo-vet)
-    runs-on: ubuntu-latest
+    runs-on: [self-hosted, linux, x64, light]
     steps:
       - uses: actions/checkout@v4
       - uses: dtolnay/rust-toolchain@stable
@@ -249,7 +251,7 @@ jobs:
   # in artifacts/, safety/stpa/, and rivet.yaml.
   rivet-validate:
     name: Rivet validate (artifacts)
-    runs-on: ubuntu-latest
+    runs-on: [self-hosted, linux, x64, rust-cpu]
     steps:
       - uses: actions/checkout@v4
       - uses: dtolnay/rust-toolchain@stable
@@ -275,6 +277,9 @@ jobs:
   # Time budget: cold cache ≤30 min, warm ≤5 min (per #135).
   bazel-test:
     name: Bazel test (//...)
+    # Stays on ubuntu-latest until Bazel is installed on the smithy host.
+    # Tracked as a follow-up: smithy/group_vars/all.yml could add a
+    # bazel apt-installable. Until then, hosted handles this.
     runs-on: ubuntu-latest
     continue-on-error: true
     timeout-minutes: 35
@@ -321,6 +326,10 @@ jobs:
   #   3. At that point, extend MAX_TASKS from 4 to 8 and re-tune unwinds.
   kani:
     name: Kani Bounded Model Checking
+    # Stays on ubuntu-latest because kani-verifier bundles CBMC (~100 MB)
+    # which we don't pre-install on smithy. Once smithy ships Kani as a
+    # toolchain, switch to rust-cpu (the verification is RAM-modest but
+    # CPU-bound; CBMC is single-threaded per harness).
     runs-on: ubuntu-latest
     continue-on-error: true
     steps:

.github/workflows/mutants-weekly.yml

@@ -0,0 +1,135 @@
+name: Mutants Weekly
+
+# Heavy-quality counterpart to the gating `mutants:` job in ci.yml.
+# That one runs on every PR with a survivor-count ratchet against
+# spar-analysis only. THIS one runs across the whole workspace on a
+# weekly cadence (and on demand) — no gating, just a long-form
+# quality signal you read async.
+#
+# Resource posture (DD: see smithy/artifacts/design-decisions.yaml):
+#   - lean-mem runners (24 G MemoryHigh, 24 G usable per job)
+#   - 12 h timeout cap
+#   - never cancel an in-flight run; let it finish even when overlapping refs land
+#   - results land in the run's GITHUB_STEP_SUMMARY + an uploaded artefact
+#     (90-day retention) — no PR red lights, no Issue auto-filing yet
+#     (that's a future iteration once the report shape stabilises)
+
+on:
+  schedule:
+    - cron: "0 2 * * 0"      # 02:00 UTC every Sunday
+  workflow_dispatch:
+    inputs:
+      shard:
+        description: "Mutant shard, e.g. '0/8' (default), '1/8', or 'all' for the full workspace pass (~hours)."
+        required: false
+        default: "0/8"
+      packages:
+        description: "Cargo packages to mutate (space-separated -p list, empty = whole workspace)."
+        required: false
+        default: ""
+
+concurrency:
+  group: mutants-weekly
+  # Quality jobs don't cancel; an interrupted mutation report is worse
+  # than a delayed one. Two overlapping runs share the lean-mem pool;
+  # cgroup limits keep each within 24 G.
+  cancel-in-progress: false
+
+jobs:
+  mutants:
+    name: cargo-mutants ${{ github.event.inputs.shard || 'shard 0/8' }}
+    runs-on: [self-hosted, linux, x64, lean-mem]
+    timeout-minutes: 720
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: dtolnay/rust-toolchain@nightly
+
+      - uses: Swatinem/rust-cache@v2
+        with:
+          # Distinct cache key from the gating mutants — different mutation
+          # set, different sccache hit profile.
+          shared-key: mutants-weekly
+
+      - name: Install cargo-mutants
+        uses: taiki-e/install-action@v2
+        with:
+          tool: cargo-mutants
+
+      - name: Resolve inputs
+        id: cfg
+        run: |
+          SHARD="${{ github.event.inputs.shard || '0/8' }}"
+          PACKAGES="${{ github.event.inputs.packages }}"
+          PKGS_FLAG=""
+          if [ -n "$PACKAGES" ]; then
+            for p in $PACKAGES; do
+              PKGS_FLAG="$PKGS_FLAG -p $p"
+            done
+          fi
+          SHARD_FLAG=""
+          if [ "$SHARD" != "all" ]; then
+            SHARD_FLAG="--shard $SHARD"
+          fi
+          echo "shard=$SHARD" >> $GITHUB_OUTPUT
+          echo "shard_flag=$SHARD_FLAG" >> $GITHUB_OUTPUT
+          echo "pkgs_flag=$PKGS_FLAG" >> $GITHUB_OUTPUT
+          echo "Effective: cargo mutants ${PKGS_FLAG:-(workspace)} $SHARD_FLAG --timeout 180 --jobs 8 --output mutants-out -- --lib"
+
+      - name: Run cargo-mutants
+        id: run
+        # `|| true` so the report still uploads even when survivors exist;
+        # the next step decides exit status from the missed.txt content.
+        run: |
+          set -o pipefail
+          cargo mutants \
+            ${{ steps.cfg.outputs.pkgs_flag }} \
+            ${{ steps.cfg.outputs.shard_flag }} \
+            --timeout 180 \
+            --jobs 8 \
+            --output mutants-out \
+            --no-shuffle \
+            -- --lib \
+            || echo "cargo-mutants exited non-zero (survivors expected; see report)"
+
+      - name: Summarise to job summary
+        if: always()
+        run: |
+          MISSED=0
+          [ -f mutants-out/missed.txt ] && MISSED=$(wc -l < mutants-out/missed.txt | tr -d ' ')
+          CAUGHT=0
+          [ -f mutants-out/caught.txt ] && CAUGHT=$(wc -l < mutants-out/caught.txt | tr -d ' ')
+          UNVIABLE=0
+          [ -f mutants-out/unviable.txt ] && UNVIABLE=$(wc -l < mutants-out/unviable.txt | tr -d ' ')
+          TIMEOUT=0
+          [ -f mutants-out/timeout.txt ] && TIMEOUT=$(wc -l < mutants-out/timeout.txt | tr -d ' ')
+          {
+            echo "## cargo-mutants weekly — ${{ steps.cfg.outputs.shard }}"
+            echo
+            echo "Runner: \`$(hostname)\` (${SMITHY_RUNNER_CLASS:-unknown class})"
+            echo
+            echo "| Outcome | Count |"
+            echo "|---------|------:|"
+            echo "| 🟥 Missed  (test suite did not catch) | $MISSED |"
+            echo "| 🟩 Caught  (test suite caught)        | $CAUGHT |"
+            echo "| ⏱  Timeout                           | $TIMEOUT |"
+            echo "| ⚪ Unviable (build failed)           | $UNVIABLE |"
+            echo
+            if [ "$MISSED" -gt 0 ] && [ -f mutants-out/missed.txt ]; then
+              echo "<details><summary>First 50 missed mutants</summary>"
+              echo
+              echo '```'
+              head -50 mutants-out/missed.txt
+              echo '```'
+              echo "</details>"
+            fi
+          } >> "$GITHUB_STEP_SUMMARY"
+
+      - name: Upload mutants report
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: mutants-out-${{ github.run_id }}
+          path: mutants-out/
+          retention-days: 90