feat(ci): Standardize matrix job names to prevent dupes, move jobs to macos-14 (#3447)

This should be faster than the Intel runners. Seems to be at least twice
as fast for uncached builds compared to `ubuntu-22.04`.

- [x] ~~Move elixir checks to `macos-14`~~ can't; Depends on `docker`
and `erlef/setup-beam`
- [x] Add macOS targets to rust checks
- [x] Move swift build to macos-14
- [x] Move kotlin build to macos-14
- [x] Name all jobs that are required for merge group to not depend on
job config
- [x] Update PR branch protection rules

.github/workflows/_codeql.yml

@@ -4,8 +4,8 @@ on:
 
 jobs:
   analyze:
-    name: Analyze
-    runs-on: ${{ (matrix.language == 'swift' && 'macos-13') || 'ubuntu-22.04' }}
+    name: analyze-${{ matrix.working-directory }}
+    runs-on: ${{ (matrix.language == 'swift' && 'macos-14') || 'ubuntu-22.04' }}
     timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }}
     permissions:
       actions: read

.github/workflows/_elixir.yml

@@ -342,6 +342,7 @@ jobs:
         run: mix ecto.seed
 
   acceptance-test:
+    name: acceptance-test-${{ matrix.MIX_TEST_PARTITION }}
     permissions:
       checks: write
     runs-on: ubuntu-22.04

.github/workflows/_kotlin.yml

@@ -9,7 +9,7 @@ permissions:
 
 jobs:
   static-analysis:
-    runs-on: ubuntu-22.04
+    runs-on: macos-14
     defaults:
       run:
         working-directory: ./kotlin/android
@@ -31,7 +31,7 @@ jobs:
         run: ./gradlew spotlessCheck
 
   build:
-    runs-on: ubuntu-22.04
+    runs-on: macos-14
     defaults:
       run:
         working-directory: ./kotlin/android
@@ -66,9 +66,6 @@ jobs:
           # TODO: See https://github.com/firezone/firezone/issues/2311
           # TODO: See https://github.com/firezone/firezone/issues/2309
           ./gradlew testReleaseUnitTest
-      - name: Android Test Report
-        uses: asadmansr/android-test-report-action@v1.2.0
-        if: "!cancelled()"
       - name: Upload release
         if: ${{ github.event_name == 'workflow_dispatch' || (github.ref == 'refs/heads/main' && contains(github.event.head_commit.modified, 'elixir/VERSION')) }}
         env:

.github/workflows/_rust.yml

@@ -12,19 +12,20 @@ permissions:
 
 jobs:
   static-analysis:
+    name: static-analysis-${{ matrix.runs-on }}
     strategy:
       fail-fast: false
       matrix:
         runs-on:
           # We only need to run static analysis checks per OS family
           - ubuntu-22.04
-          - macos-13
+          - macos-14
           - windows-2022
         # TODO: https://github.com/rust-lang/cargo/issues/5220
         include:
           - runs-on: ubuntu-22.04
             packages: # Intentionally blank as a package catch-all linter
-          - runs-on: macos-13
+          - runs-on: macos-14
             packages: -p connlib-client-apple -p snownet
           - runs-on: windows-2022
             packages: -p connlib-client-shared -p firezone-windows-client -p snownet
@@ -41,6 +42,7 @@ jobs:
           cargo clippy --all-targets --all-features ${{ matrix.packages }} -- -D warnings
 
   test:
+    name: test-${{ matrix.runs-on }}
     strategy:
       fail-fast: false
       matrix:
@@ -54,6 +56,8 @@ jobs:
             packages: -p connlib-client-apple -p snownet
           - runs-on: macos-13
             packages: -p connlib-client-apple -p snownet
+          - runs-on: macos-14
+            packages: -p connlib-client-apple -p snownet
           - runs-on: windows-2019
             packages: -p firezone-windows-client -p connlib-client-shared -p snownet
           - runs-on: windows-2022
@@ -66,6 +70,7 @@ jobs:
 
   # This should be identical to `build-push-windows-release-artifacts` in `cd.yml` except for the Github permissions, needs tag, and uploading step
   build-tauri:
+    name: build-tauri-${{ matrix.artifact }}
     runs-on: windows-2019
     defaults:
       run:
@@ -75,11 +80,11 @@ jobs:
       # The matrix is 1x1 to match the style of build-push-linux-release-artifacts
       # In the future we could try to cross-compile aarch64-windows here.
       matrix:
-        name:
+        include:
           - package: firezone-windows-client
             artifact: windows-client
     env:
-      BINARY_DEST_PATH: ${{ matrix.name.artifact }}
+      BINARY_DEST_PATH: ${{ matrix.artifact }}
     steps:
       - uses: actions/checkout@v4
       - uses: ./.github/actions/setup-node
@@ -98,7 +103,7 @@ jobs:
           # I'm running the multi-process test here because I don't think it can be
           # embedded in a test binary. It requires the client to call subcommands
           # from its own exe.
-          cargo run -p firezone-windows-client -- debug test-ipc
+          cargo run -p ${{ matrix.package }} -- debug test-ipc
 
           pnpm build
 

.github/workflows/_static-analysis.yml

@@ -4,7 +4,7 @@ on:
 
 jobs:
   version-check:
-    runs-on: ubuntu-22.04
+    runs-on: macos-14
     steps:
       - uses: actions/checkout@v4
       - name: Check version is up to date
@@ -20,19 +20,19 @@ jobs:
             exit 1
           fi
   global-linter:
-    runs-on: ubuntu-22.04
+    runs-on: macos-14
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-python@v5
         with:
-          python-version: "3.9"
+          python-version: "3.11"
       - uses: actions/cache/restore@v4
         name: Restore Python Cache
         with:
           path: ~/.cache/pip
-          key: ubuntu-22.04-${{ runner.arch }}-pip-${{ hashFiles('requirements.txt') }}
+          key: macos-14-${{ runner.arch }}-pip-${{ hashFiles('requirements.txt') }}
           restore-keys: |
-            ubuntu-22.04-${{ runner.arch }}-pip-
+            macos-14-${{ runner.arch }}-pip-
       - name: Install Python Dependencies
         run: |
           pip install -r requirements.txt
@@ -45,4 +45,4 @@ jobs:
         name: Save Python Cache
         with:
           path: ~/.cache/pip
-          key: ubuntu-22.04-${{ runner.arch }}-pip-${{ hashFiles('requirements.txt') }}
+          key: macos-14-${{ runner.arch }}-pip-${{ hashFiles('requirements.txt') }}

.github/workflows/_swift.yml

@@ -5,21 +5,20 @@ on:
 
 jobs:
   build:
+    name: build-${{ matrix.sdk }}
     runs-on: ${{ matrix.runs-on }}
     strategy:
       fail-fast: false
       matrix:
         include:
           - sdk: macosx
-            runs-on: macos-13
+            runs-on: macos-14
             platform: macOS
             destination: platform=macOS
-            xcode: "15.0"
           - sdk: iphoneos
-            runs-on: macos-13
+            runs-on: macos-14
             platform: iOS
             destination: generic/platform=iOS
-            xcode: "15.0"
     permissions:
       contents: read
       id-token: 'write'
@@ -30,7 +29,7 @@ jobs:
       - uses: actions/checkout@v4
       - uses: ./.github/actions/setup-rust
         with:
-          targets: aarch64-apple-darwin aarch64-apple-ios
+          targets: aarch64-apple-darwin aarch64-apple-ios x86_64-apple-darwin
       - uses: actions/cache/restore@v4
         name: Restore Swift DerivedData Cache
         with:
@@ -95,11 +94,7 @@ jobs:
           ONLY_ACTIVE_ARCH: no
           # Needed because `productbuild` doesn't support picking this up automatically like Xcode does
           INSTALLER_CODE_SIGN_IDENTITY: "3rd Party Mac Developer Installer: Firezone, Inc. (47R2M6779T)"
-          REQUESTED_XCODE_VERSION: ${{ matrix.xcode }}
         run: |
-          # Set Xcode version to use if provided
-          [[ ! -z "$REQUESTED_XCODE_VERSION" ]] && sudo xcode-select -s /Applications/Xcode_$REQUESTED_XCODE_VERSION.app
-
           # Copy xcconfig
           cp Firezone/xcconfig/release.xcconfig Firezone/xcconfig/config.xcconfig
 

.github/workflows/ci.yml

@@ -34,6 +34,7 @@ jobs:
   # less overhead to keep things in GH actions. See work on building these
   # in GCP with Cloud Build: https://github.com/firezone/firezone/pull/2234
   build-images:
+    name: build-images-${{ matrix.image_name }}
     runs-on: ubuntu-22.04
     strategy:
       matrix:
@@ -140,6 +141,7 @@ jobs:
           tags: ${{ steps.build_docker_tags.outputs.tags }}
 
   snownet-integration-tests:
+    name: snownet-integration-tests-${{ matrix.name }}
     needs: build-images
     runs-on: ubuntu-22.04
     permissions:
@@ -151,11 +153,13 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        file: [
-          'docker-compose.lan.yml',
-          'docker-compose.wan-hp.yml',
-          'docker-compose.wan-relay.yml',
-        ]
+        include:
+          - file: docker-compose.lan.yml
+            name: lan
+          - file: docker-compose.wan-hp.yml
+            name: wan-hp
+          - file: docker-compose.wan-relay.yml
+            name: wan-relay
     steps:
       - uses: actions/checkout@v4
       - uses: ./.github/actions/gcp-docker-login
@@ -168,7 +172,7 @@ jobs:
           timeout 600 docker compose -f rust/snownet-tests/${{ matrix.file }} up --exit-code-from dialer --abort-on-container-exit
 
   integration-tests:
-    name: Integration Test ${{ matrix.test_name }}
+    name: integration-tests-${{ matrix.test_name }}
     needs: build-images
     runs-on: ubuntu-22.04
     permissions:

.tool-versions

@@ -6,4 +6,4 @@ erlang 26.1.2
 terraform 1.6.6
 
 # Used for static analysis
-python 3.9.13
+python 3.11.7

kotlin/android/app/build.gradle.kts

@@ -221,6 +221,6 @@ cargo {
 }
 
 tasks.matching { it.name.matches(Regex("merge.*JniLibFolders")) }.configureEach {
-    inputs.dir(File(buildDir, "rustJniLibs/android"))
+    inputs.dir(layout.buildDirectory.file("rustJniLibs/android"))
     dependsOn("cargoBuild")
 }

kotlin/android/build.gradle.kts

@@ -23,5 +23,5 @@ plugins {
 }
 
 tasks.register("clean", Delete::class) {
-    delete(rootProject.buildDir)
+    delete(layout.buildDirectory)
 }