ci: run actions on akash self hosted

[cloud-j-luna]

📝 Description

[Explain what this PR does in 2-3 sentences. Include context about the feature or problem being solved]

🔧 Purpose of the Change

• New feature implementation
• Bug fix
• Documentation update
• Code refactoring
• Dependency upgrade
• Other: CI improvement

✅ Checklist

• I've updated relevant documentation
• Code follows Akash Network's style guide
• I've added/updated relevant unit tests
• Dependencies have been properly updated
• I agree and adhered to the Contribution Guidelines

📎 Notes for Reviewers

[Include any additional context, architectural decisions, or specific areas to focus on]

[coderabbitai]

Walkthrough

Multiple GitHub Actions workflows were updated to execute on a self-hosted runner labeled "akash" instead of the default ubuntu-latest. The runner specifications across six workflow files were modified, while all other workflow logic and steps remain unchanged.

Changes

Cohort / File(s)	Summary
GitHub Actions Workflow Runner Updates .github/workflows/breakage.yaml, .github/workflows/labeler.yaml, .github/workflows/lint-shell.yaml, .github/workflows/lint.yaml, .github/workflows/release-ts.yaml, .github/workflows/release.yaml, .github/workflows/tests.yaml	Updated runs-on specifications from ubuntu-latest to [self-hosted, akash] across all workflow jobs. No changes to workflow logic, steps, permissions, or conditional logic.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

🐇 From clouds so high to servers near,
We hop on akash, loud and clear,
Self-hosted runners, swift and keen,
The fastest workflows ever seen! 🚀

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The description is largely incomplete with key sections unfilled: the main description section lacks explanation of the change and its context, and reviewer notes are empty, though the purpose is specified.	Fill in the Description section explaining what the PR does and why, and add Notes for Reviewers with relevant context about the self-hosted runner migration.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and concisely summarizes the main change: migrating GitHub Actions workflows to run on an Akash self-hosted runner instead of ubuntu-latest.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch ci/self-hosted

📝 Coding Plan

• Generate coding plan for human review comments

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

.github/workflows/lint-shell.yaml (1)

16-18: Update actions/setup-go to v5 for consistency.

This workflow uses actions/setup-go@v3 while other workflows in this PR use @v5. Consider updating for consistency and to benefit from improvements in newer versions.

Proposed fix

-      - uses: actions/setup-go@v3
+      - uses: actions/setup-go@v5

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/lint-shell.yaml around lines 16 - 18, Replace the
actions/setup-go@v3 reference with actions/setup-go@v5 in the workflow so it
matches other workflows and benefits from the newer version; update the uses
line that currently reads "uses: actions/setup-go@v3" to "uses:
actions/setup-go@v5" and keep the existing go-version input (go-version: "${{
env.GOLANG_VERSION }}").

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/labeler.yaml:
- Around line 12-14: The workflow currently uses pull_request_target together
with a self-hosted runner and an actions/checkout@v4 step, which can expose the
runner to untrusted PR code; remove the checkout or switch to a safer
event/runner combination: either (A) change the event from pull_request_target
to pull_request so the job runs in the PR context, or (B) remove
actions/checkout@v4 and keep pull_request_target but run on a GitHub-hosted
runner (replace runs-on: [self-hosted, akash] with a hosted label like
ubuntu-latest) and ensure actions/labeler is invoked only to read
.github/labeler.yaml; also consider restricting permissions/tokens and
referencing actions/labeler explicitly to avoid executing PR-provided code
(check pull_request_target, runs-on, actions/checkout@v4, actions/labeler in the
workflow).

---

Nitpick comments:
In @.github/workflows/lint-shell.yaml:
- Around line 16-18: Replace the actions/setup-go@v3 reference with
actions/setup-go@v5 in the workflow so it matches other workflows and benefits
from the newer version; update the uses line that currently reads "uses:
actions/setup-go@v3" to "uses: actions/setup-go@v5" and keep the existing
go-version input (go-version: "${{ env.GOLANG_VERSION }}").

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 62f6580e-8d4f-429c-b0cf-6ad311f58133

📥 Commits

Reviewing files that changed from the base of the PR and between d3fb7c9 and 0009d81.

📒 Files selected for processing (7)

• .github/workflows/breakage.yaml
• .github/workflows/labeler.yaml
• .github/workflows/lint-shell.yaml
• .github/workflows/lint.yaml
• .github/workflows/release-ts.yaml
• .github/workflows/release.yaml
• .github/workflows/tests.yaml

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Security consideration: pull_request_target with self-hosted runner.

This workflow uses pull_request_target and checks out code. While actions/labeler only reads configuration files, self-hosted runners with pull_request_target can pose security risks if workflows ever execute code from the PR. The current setup appears safe since it only reads .github/labeler.yaml, but be cautious about adding steps that execute PR-provided code.

🧰 Tools

🪛 actionlint (1.7.11)

[error] 12-12: label "akash" is unknown. available labels are "windows-latest", "windows-latest-8-cores", "windows-2025", "windows-2025-vs2026", "windows-2022", "windows-11-arm", "ubuntu-slim", "ubuntu-latest", "ubuntu-latest-4-cores", "ubuntu-latest-8-cores", "ubuntu-latest-16-cores", "ubuntu-24.04", "ubuntu-24.04-arm", "ubuntu-22.04", "ubuntu-22.04-arm", "macos-latest", "macos-latest-xlarge", "macos-latest-large", "macos-26-xlarge", "macos-26-large", "macos-26", "macos-15-intel", "macos-15-xlarge", "macos-15-large", "macos-15", "macos-14-xlarge", "macos-14-large", "macos-14", "self-hosted", "x64", "arm", "arm64", "linux", "macos", "windows". if it is a custom label for self-hosted runner, set list of labels in actionlint.yaml config file

(runner-label)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/labeler.yaml around lines 12 - 14, The workflow currently
uses pull_request_target together with a self-hosted runner and an
actions/checkout@v4 step, which can expose the runner to untrusted PR code;
remove the checkout or switch to a safer event/runner combination: either (A)
change the event from pull_request_target to pull_request so the job runs in the
PR context, or (B) remove actions/checkout@v4 and keep pull_request_target but
run on a GitHub-hosted runner (replace runs-on: [self-hosted, akash] with a
hosted label like ubuntu-latest) and ensure actions/labeler is invoked only to
read .github/labeler.yaml; also consider restricting permissions/tokens and
referencing actions/labeler explicitly to avoid executing PR-provided code
(check pull_request_target, runs-on, actions/checkout@v4, actions/labeler in the
workflow).