refactor(ci): adopt og_basketball CI patterns

- Create taskfiles/ci.yml with setup, check, build, bundle, notarize
  tasks using Taskfile fingerprinting and idempotent status checks
- Rewrite composite action with robust Windows setup (direct
  rustup-init, VC++ runtime, cargo-binstall ZIP, Defender exclusions),
  macOS PATH (cargo/mise/homebrew), and Taskfile fingerprint cache
- Replace tauri-apps/tauri-action with task ci:build/bundle/notarize
  in release.yml for direct cargo tauri control
- Switch Linux runners to blacksmith-4vcpu-ubuntu-2404
- Add useblacksmith/setup-docker-builder for ARM64 cross-compilation
- Add Windows bootstrap (git/pwsh) and CONFIG passthrough for signing
- Simplify test.yml path filters, add workflow_dispatch trigger
- Split lint into rust-lint (macOS) and deno-lint (Blacksmith) jobs
- Add build matrix with task ci:check across macOS/Linux/Windows
- Add Swatinem/rust-cache for Linux/Windows ephemeral runners

Author: pythoninthegrass

.github/actions/setup-tauri-build/action.yml

@@ -1,5 +1,5 @@
 name: 'Setup Tauri Build Environment'
-description: 'Install Node.js, Rust, and frontend deps for Tauri builds'
+description: 'Install Task, Node.js, and platform deps for Tauri builds'
 
 inputs:
   node-version:
@@ -9,72 +9,30 @@ inputs:
 runs:
   using: 'composite'
   steps:
-    - name: Add Homebrew to PATH
+    - name: Setup macOS self-hosted runner PATH
       if: runner.os == 'macOS'
       shell: bash
-      run: echo "/opt/homebrew/bin:/opt/homebrew/sbin" >> $GITHUB_PATH
-
-    - name: Install macOS system dependencies
-      if: runner.os == 'macOS'
-      shell: bash
-      run: |
-        export HOMEBREW_NO_AUTO_UPDATE=1
-        brew list cmake &>/dev/null && echo "cmake already installed" || brew install cmake
-
-    - name: Install Linux system dependencies
-      if: runner.os == 'Linux'
-      shell: bash
       run: |
-        sudo apt-get update
-        sudo apt-get install -y libwebkit2gtk-4.1-dev build-essential curl wget file \
-          libxdo-dev libssl-dev libayatana-appindicator3-dev librsvg2-dev \
-          libasound2-dev cmake zlib1g-dev libgtk-3-dev
+        echo "$HOME/.cargo/bin" >> $GITHUB_PATH
+        echo "$HOME/.local/share/mise/shims" >> $GITHUB_PATH
+        echo "/opt/homebrew/bin:/opt/homebrew/sbin" >> $GITHUB_PATH
 
-    - name: Install Windows system dependencies
+    - name: Setup Windows PATH
       if: runner.os == 'Windows'
       shell: pwsh
       run: |
-        choco install cmake --installargs 'ADD_CMAKE_TO_PATH=System' -y
-        choco install rustup.install -y
+        echo "$env:USERPROFILE\.cargo\bin" >> $env:GITHUB_PATH
+        $gitPath = (Get-ItemProperty 'HKLM:\SOFTWARE\GitForWindows' -ErrorAction SilentlyContinue).InstallPath
+        if ($gitPath) { echo "$gitPath\usr\bin" >> $env:GITHUB_PATH }
 
     - name: Install Task
       uses: go-task/setup-task@v1
 
     - name: Setup Node.js
-      uses: actions/setup-node@v6
+      uses: actions/setup-node@v4
       with:
         node-version: ${{ inputs.node-version }}
 
-    - name: Setup Rust (non-Windows)
-      if: runner.os != 'Windows'
-      uses: actions-rust-lang/setup-rust-toolchain@v1
-      with:
-        toolchain: stable
-
-    - name: Setup Rust (Windows)
-      if: runner.os == 'Windows'
-      shell: pwsh
-      run: |
-        # Refresh PATH to pick up choco-installed rustup
-        Import-Module $env:ChocolateyInstall\helpers\chocolateyProfile.psm1
-        refreshenv
-        # Ensure rustup-managed binaries take precedence over chocolatey
-        $cargobin = Join-Path $env:USERPROFILE '.cargo\bin'
-        echo $cargobin >> $env:GITHUB_PATH
-        # Pin nightly toolchain via env var (overrides any default)
-        echo "RUSTUP_TOOLCHAIN=nightly-2026-02-09" >> $env:GITHUB_ENV
-        rustup toolchain install nightly-2026-02-09 --no-self-update --target x86_64-pc-windows-msvc
-        rustup default nightly-2026-02-09
-        # Parallelism: match build.ps1 settings
-        $cpus = [Environment]::ProcessorCount
-        $buildJobs = [Math]::Max(1, $cpus - 2)
-        $rustThreads = [Math]::Max(1, [Math]::Round($cpus * 0.8))
-        echo "CARGO_BUILD_JOBS=$buildJobs" >> $env:GITHUB_ENV
-        echo "RUSTFLAGS=-Zthreads=$rustThreads" >> $env:GITHUB_ENV
-        echo "CARGO_PROFILE_RELEASE_CODEGEN_UNITS=$rustThreads" >> $env:GITHUB_ENV
-        rustc --version
-        cargo --version
-
     - name: Install frontend dependencies (non-Windows)
       if: runner.os != 'Windows'
       shell: bash
@@ -86,3 +44,89 @@ runs:
       shell: pwsh
       working-directory: ./app/frontend
       run: npm ci
+
+    - name: Restore Taskfile fingerprint cache
+      uses: actions/cache@v4
+      with:
+        path: .task
+        key: task-${{ runner.os }}-${{ hashFiles('taskfiles/ci.yml') }}
+        restore-keys: |
+          task-${{ runner.os }}-
+
+    - name: Setup CI environment (macOS/Linux)
+      if: runner.os != 'Windows'
+      shell: bash
+      run: task ci:setup
+
+    - name: Install system dependencies (Windows)
+      if: runner.os == 'Windows'
+      shell: pwsh
+      run: |
+        $ProgressPreference = 'SilentlyContinue'
+        # VC++ runtime must come first — choco NSIS installers (rustup-init.exe, etc.)
+        # require it to launch and fail with SxS errors on bare Server 2019 without it.
+        $out = Join-Path $env:TEMP 'vc_redist.x64.exe'
+        (New-Object Net.WebClient).DownloadFile('https://aka.ms/vs/17/release/vc_redist.x64.exe', $out)
+        $proc = Start-Process -FilePath $out -ArgumentList '/install','/quiet','/norestart' -Wait -PassThru
+        # 0=success  1638=already installed  3010=reboot needed (safe to ignore in CI)
+        if ($proc.ExitCode -notin @(0, 1638, 3010)) { exit $proc.ExitCode }
+
+        $toInstall = @()
+        if (-not (Get-Command cmake -ErrorAction SilentlyContinue)) { $toInstall += 'cmake' }
+        if (-not (Get-Command 7z   -ErrorAction SilentlyContinue)) { $toInstall += '7zip' }
+        if ($toInstall.Count -gt 0) {
+          choco install @toInstall -y
+          if ($toInstall -contains 'cmake') {
+            echo "$env:ProgramFiles\CMake\bin" >> $env:GITHUB_PATH
+          }
+        }
+
+        # rustup via direct download — choco spawns a grandchild process whose SxS
+        # activation context predates the vc_redist install above, causing a
+        # side-by-side configuration error. A direct Start-Process call works.
+        if (-not (Get-Command rustup -ErrorAction SilentlyContinue)) {
+          $rustupInit = Join-Path $env:TEMP 'rustup-init.exe'
+          (New-Object Net.WebClient).DownloadFile(
+            'https://static.rust-lang.org/rustup/dist/x86_64-pc-windows-msvc/rustup-init.exe',
+            $rustupInit
+          )
+          $proc = Start-Process -FilePath $rustupInit `
+            -ArgumentList '-y','--default-toolchain','none','--no-modify-path' `
+            -Wait -PassThru
+          if ($proc.ExitCode -ne 0) { exit $proc.ExitCode }
+        }
+
+    - name: Install cargo-binstall (Windows)
+      if: runner.os == 'Windows'
+      shell: pwsh
+      run: |
+        if (-not (Get-Command cargo-binstall -ErrorAction SilentlyContinue)) {
+          $zip = Join-Path $env:TEMP "cargo-binstall.zip"
+          $bin = Join-Path $env:USERPROFILE ".cargo\bin"
+          $url = "https://github.com/cargo-bins/cargo-binstall/releases/latest/download/cargo-binstall-x86_64-pc-windows-msvc.zip"
+          New-Item -ItemType Directory -Force -Path $bin | Out-Null
+          (New-Object Net.WebClient).DownloadFile($url, $zip)
+          Expand-Archive -Path $zip -DestinationPath $bin -Force
+          Remove-Item $zip
+        }
+
+    - name: Setup CI environment (Windows)
+      if: runner.os == 'Windows'
+      shell: pwsh
+      run: task ci:setup
+
+    - name: Windows Defender exclusions
+      if: runner.os == 'Windows'
+      shell: pwsh
+      run: |
+        Add-MpPreference -ExclusionPath "$env:USERPROFILE\.cargo"
+        Add-MpPreference -ExclusionPath "$env:GITHUB_WORKSPACE"
+        Add-MpPreference -ExclusionPath "$env:GITHUB_WORKSPACE\target"
+
+    - name: Cargo cache (Linux/Windows runners)
+      if: runner.os == 'Linux' || runner.os == 'Windows'
+      uses: Swatinem/rust-cache@v2
+      with:
+        cache-on-failure: "true"
+      env:
+        CARGO_INCREMENTAL: "0"

.github/workflows/release-please.yml

@@ -10,7 +10,7 @@ permissions:
 
 jobs:
   release-please:
-    runs-on: ubuntu-latest
+    runs-on: blacksmith-4vcpu-ubuntu-2404
     outputs:
       release_created: ${{ steps.release.outputs.release_created }}
       tag_name: ${{ steps.release.outputs.tag_name }}