chore: Migrate Windows runners to Blacksmith for cost and performance

[jandroav]

Summary

• Migrates GitHub Actions Windows runners from windows-latest to blacksmith-2vcpu-windows-2025
• Updates 6 reusable workflow files used by many downstream repositories
• Updates artifact name references to use new runner name

Benefits

• ~50% cost reduction for Windows CI/CD
• ~2x performance improvement (gaming CPUs with higher single-thread performance)
• Rapid provisioning (< 3 seconds boot time)
• 400MB/s cache throughput (4x GitHub's cache performance)

Changes

File	Changes
os-extension-test.yml	Updated default OS and matrix fallback
pro-extension-test.yml	Updated os and os-test defaults, matrix fallback, artifact name
pro-extension-build-for-liquibase.yml	Updated OS default and artifact download name
extension-attach-artifact-release.yml	Updated OS default and artifact download name
cleanup-individual-artifacts.yml	Updated matrix OS list
publish-for-liquibase.yml	Updated OS list passed to build workflow

Test plan

• Manual workflow dispatch to validate Windows runner is correctly identified
• Verify all Windows-specific steps execute correctly
• Confirm artifact generation and naming works
• Test downstream repository that does NOT override os parameter
• Test downstream repository that DOES override os parameter

Rollback

If issues arise, override the os parameter in calling workflows:

with:
  os: '["ubuntu-latest", "windows-latest"]'

DAT-21557

🤖 Generated with Claude Code

[coderabbitai]

📝 Walkthrough

Walkthrough

Updates GitHub Actions workflows to migrate Windows runners from windows-latest to blacksmith-2vcpu-windows-2025 across multiple workflows. Several workflows also add or reuse steps to parse OS names from inputs and use parsed values when constructing artifact names and download steps.

Changes

Cohort / File(s)	Summary
Simple matrix update .github/workflows/cleanup-individual-artifacts.yml	Replaced windows-latest with blacksmith-2vcpu-windows-2025 in the strategy matrix.
Input defaults + artifact naming .github/workflows/extension-attach-artifact-release.yml, .github/workflows/pro-extension-build-for-liquibase.yml	Changed inputs.os default to include blacksmith-2vcpu-windows-2025; added step(s) to parse OS names from inputs and updated artifact download names to use parsed ubuntu_os / windows_os.
Matrix, inputs, parsing, artifact refs .github/workflows/os-extension-test.yml, .github/workflows/pro-extension-test.yml	Replaced windows-latest with blacksmith-2vcpu-windows-2025 in inputs and matrices; added/renamed parsing steps to extract both ubuntu_os and windows_os; updated artifact naming and download steps to use parsed OS outputs.
Publish workflow matrix update .github/workflows/publish-for-liquibase.yml	Build job OS matrix entry changed to use blacksmith-2vcpu-windows-2025 instead of windows-latest.

Sequence Diagram(s)

(omitted)

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• Fix artifact naming mismatch for Blacksmith Ubuntu runners #441 — Adds OS-runner parsing and updates artifact naming to use parsed OS values; closely related changes to workflow artifact handling.

Suggested reviewers

• sayaliM0412
• abrackx

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately reflects the main change: migrating Windows runners from windows-latest to blacksmith-2vcpu-windows-2025 across multiple workflows.
Description check	✅ Passed	The description is well-organized and directly related to the changeset, detailing the migration, benefits, affected files, test plan, and rollback instructions.
Linked Issues check	✅ Passed	All code changes directly align with DAT-21557 objectives: replacing windows-latest with blacksmith-2vcpu-windows-2025 across six workflow files, updating artifact references, and maintaining rollback paths.
Out of Scope Changes check	✅ Passed	All changes are in-scope: six workflow files updated with consistent Windows runner migration and artifact name updates as required by DAT-21557. No unrelated modifications detected.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

.github/workflows/pro-extension-test.yml (2)

516-516: Update outdated comment.

The comment states "macOS and Windows are always *-latest", but line 536 now uses blacksmith-2vcpu-windows-2025 for Windows artifacts. This contradicts the implementation.

📝 Proposed fix

-          # Blacksmith only supports Ubuntu/Linux, so macOS and Windows are always *-latest
+          # Extract Ubuntu runner name (could be ubuntu-latest or blacksmith-2vcpu-ubuntu-2404)
+          # macOS uses macos-latest; Windows uses blacksmith-2vcpu-windows-2025

---

1-645: Change job ID combineJars to combine-jars to comply with naming guidelines.

Job and step IDs in workflows must use lower-kebab-case. The combineJars job at line 484 uses camelCase and should be renamed to combine-jars. Update all references to this job accordingly (including the needs dependencies in downstream jobs).

🧹 Nitpick comments (1)

.github/workflows/pro-extension-test.yml (1)

533-537: Consider dynamic Windows OS parsing for consistency.

Unlike Ubuntu (lines 509-524), the Windows artifact name is hardcoded to blacksmith-2vcpu-windows-2025. If callers override the os input to use a different Windows runner (e.g., for rollback as mentioned in the PR), the combineJars job will fail to download the correct artifacts.

For consistency and flexibility, consider adding similar parsing logic for Windows:

# Extract Windows runner name
WINDOWS_OS=$(echo "${OS_INPUT}" | jq -r '.[] | select(contains("windows"))' | head -n1)
echo "windows_os=${WINDOWS_OS}" >> $GITHUB_OUTPUT

Then use ${{ steps.parse-os.outputs.windows_os }} on line 536.

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Jira integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 8fee179 and 840adaa.

📒 Files selected for processing (6)

• .github/workflows/cleanup-individual-artifacts.yml
• .github/workflows/extension-attach-artifact-release.yml
• .github/workflows/os-extension-test.yml
• .github/workflows/pro-extension-build-for-liquibase.yml
• .github/workflows/pro-extension-test.yml
• .github/workflows/publish-for-liquibase.yml

🧰 Additional context used

📓 Path-based instructions (1)

.github/workflows/*.yml

📄 CodeRabbit inference engine (CLAUDE.md)

.github/workflows/*.yml: Validate GitHub Actions workflow syntax using actionlint for all workflow files
Update self-references from @main to @new-version in all workflow files when releasing a new version of build-logic
Use GitHub App Tokens (with LIQUIBASE_GITHUB_APP_ID and LIQUIBASE_GITHUB_APP_PRIVATE_KEY) for cross-repo operations instead of GITHUB_TOKEN
Use AWS Secrets Manager via OIDC with role LIQUIBASE_VAULT_OIDC_ROLE_ARN and region us-east-1 for accessing /vault/liquibase secrets

.github/workflows/*.yml: Use two-space indentation in YAML workflow files
Job and step ids in workflows must use lower-kebab-case
Environment variables must use UPPER_SNAKE_CASE in workflows
Keep workflow inputs descriptive and defaulted; document new inputs at the top of each workflow file

Files:

• .github/workflows/cleanup-individual-artifacts.yml
• .github/workflows/extension-attach-artifact-release.yml
• .github/workflows/pro-extension-build-for-liquibase.yml
• .github/workflows/os-extension-test.yml
• .github/workflows/pro-extension-test.yml
• .github/workflows/publish-for-liquibase.yml

🧠 Learnings (7)

📓 Common learnings

Learnt from: CR
Repo: liquibase/build-logic PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-01T16:18:36.824Z
Learning: Applies to .github/workflows/*.yml : Update self-references from `main` to `new-version` in all workflow files when releasing a new version of build-logic

📚 Learning: 2025-12-01T16:18:36.824Z

Learnt from: CR
Repo: liquibase/build-logic PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-01T16:18:36.824Z
Learning: Applies to .github/workflows/*.yml : Update self-references from `main` to `new-version` in all workflow files when releasing a new version of build-logic

Applied to files:

• .github/workflows/extension-attach-artifact-release.yml
• .github/workflows/pro-extension-build-for-liquibase.yml
• .github/workflows/pro-extension-test.yml
• .github/workflows/publish-for-liquibase.yml

📚 Learning: 2025-12-01T16:18:36.824Z

Learnt from: CR
Repo: liquibase/build-logic PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-01T16:18:36.824Z
Learning: Use reusable workflows stored in `.github/workflows/` with DRY (Don't Repeat Yourself) approach for CI/CD logic across Liquibase extensions

Applied to files:

• .github/workflows/pro-extension-build-for-liquibase.yml
• .github/workflows/publish-for-liquibase.yml

📚 Learning: 2025-12-01T16:18:50.027Z

Learnt from: CR
Repo: liquibase/build-logic PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-12-01T16:18:50.027Z
Learning: For packaging changes, dry-run against `src/liquibase` assets and verify generated artifacts remain in expected paths

Applied to files:

• .github/workflows/pro-extension-build-for-liquibase.yml
• .github/workflows/publish-for-liquibase.yml

📚 Learning: 2025-12-01T16:18:50.027Z

Learnt from: CR
Repo: liquibase/build-logic PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-12-01T16:18:50.027Z
Learning: Use `act -W .github/workflows/os-extension-test.yml` with mocked secrets in `.secrets` for local smoke tests

Applied to files:

• .github/workflows/os-extension-test.yml
• .github/workflows/pro-extension-test.yml
• .github/workflows/publish-for-liquibase.yml

📚 Learning: 2025-12-01T16:18:36.824Z

Learnt from: CR
Repo: liquibase/build-logic PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-01T16:18:36.824Z
Learning: Applies to .github/workflows/*.yml : Use AWS Secrets Manager via OIDC with role `LIQUIBASE_VAULT_OIDC_ROLE_ARN` and region `us-east-1` for accessing `/vault/liquibase` secrets

Applied to files:

• .github/workflows/publish-for-liquibase.yml

📚 Learning: 2025-12-01T16:18:36.824Z

Learnt from: CR
Repo: liquibase/build-logic PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-01T16:18:36.824Z
Learning: Applies to .github/workflows/*.yml : Use GitHub App Tokens (with LIQUIBASE_GITHUB_APP_ID and LIQUIBASE_GITHUB_APP_PRIVATE_KEY) for cross-repo operations instead of GITHUB_TOKEN

Applied to files:

• .github/workflows/publish-for-liquibase.yml

🔇 Additional comments (9)

.github/workflows/cleanup-individual-artifacts.yml (1)

23-23: LGTM: Windows runner updated consistently.

The matrix OS update to blacksmith-2vcpu-windows-2025 is correct and will automatically flow through to the artifact deletion step on line 28.

.github/workflows/publish-for-liquibase.yml (1)

37-37: LGTM: Windows runner migration applied correctly.

The OS array now includes blacksmith-2vcpu-windows-2025 and maintains all three platforms (Ubuntu, macOS, Windows) required for the multiplatform artifact build.

.github/workflows/pro-extension-build-for-liquibase.yml (2)

14-14: LGTM: Default OS input updated consistently.

The default OS array now uses blacksmith-2vcpu-windows-2025. Note that when combineJars: true, callers should ensure all three platforms (Ubuntu, macOS, Windows) are included in the os input, as the combineJars job expects artifacts from all three platforms.

---

295-295: LGTM: Artifact download name updated consistently.

The Windows artifact download name correctly references blacksmith-2vcpu-windows-2025, matching the artifact name pattern generated during upload (line 230) when matrix.os is set to the new runner.

.github/workflows/extension-attach-artifact-release.yml (2)

31-31: LGTM: Default OS updated to Blacksmith runner.

The default OS input correctly includes blacksmith-2vcpu-windows-2025. Callers can override this input if needed, maintaining backward compatibility.

---

246-246: LGTM: Windows artifact download name aligned with new runner.

The artifact name correctly matches the upload pattern from line 216 when the matrix uses blacksmith-2vcpu-windows-2025.

.github/workflows/os-extension-test.yml (1)

19-19: OS defaults and matrix fallback correctly use consistent runner name.

The blacksmith-2vcpu-windows-2025 runner reference is consistent across both the default input (line 19) and matrix fallback (line 186). The workflow file complies with syntax and naming conventions (2-space indentation, proper YAML structure).

.github/workflows/pro-extension-test.yml (2)

14-19: LGTM! Windows runner migration in input defaults.

The defaults for os and os-test inputs have been correctly updated to use the Blacksmith Windows runner, maintaining the JSON array format and backward compatibility through input overrides.

---

301-301: LGTM! Matrix fallback correctly updated.

The fallback value for the test matrix matches the updated default on line 19, ensuring consistency when os-test input is not provided.

[jandroav]

Code Review Fix Applied

During review, I identified a critical issue where hardcoded Windows artifact names in the combineJars jobs would cause failures when callers override the os input parameter.

Issue

The artifact download steps had hardcoded blacksmith-2vcpu-windows-2025 (and in some cases ubuntu-latest), but the artifact upload uses the dynamic matrix.os value from inputs. This meant:

1. If a downstream repo called the workflow with os: '["ubuntu-latest", "windows-latest"]' (for rollback/testing)
2. The build job would create artifacts named *-windows-latest-*
3. The combineJars job would look for *-blacksmith-2vcpu-windows-2025-*
4. Workflow would fail because artifact not found

Fix

Added dynamic OS name parsing in combineJars jobs for the following files:

• pro-extension-test.yml
• pro-extension-build-for-liquibase.yml
• extension-attach-artifact-release.yml

The fix extracts the actual OS names from the os input parameter using jq, ensuring artifact names match between build and download steps.

Rollback Strategy Now Works

With this fix, the documented rollback approach will work correctly:

with:
  os: '["ubuntu-latest", "windows-latest"]'

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (2)

.github/workflows/pro-extension-build-for-liquibase.yml (1)

280-293: Consider adding validation for empty OS parsing results.

The parsing logic is correct per the established pattern. However, if a caller provides an OS array that doesn't include "ubuntu" or "windows" (e.g., only macOS), the respective output will be empty, causing artifact download failures.

♻️ Optional: Add validation to fail fast with a clear error

          WINDOWS_OS=$(echo "${OS_INPUT}" | jq -r '.[] | select(contains("windows"))' | head -n1)
          echo "windows_os=${WINDOWS_OS}" >> $GITHUB_OUTPUT
          echo "Parsed Windows OS: ${WINDOWS_OS}"
+         # Validate required OS values
+         if [ -z "${UBUNTU_OS}" ]; then
+           echo "::warning::No Ubuntu OS found in inputs - Ubuntu artifact download will fail"
+         fi
+         if [ -z "${WINDOWS_OS}" ]; then
+           echo "::warning::No Windows OS found in inputs - Windows artifact download will fail"
+         fi

.github/workflows/extension-attach-artifact-release.yml (1)

231-244: Consider extracting OS parsing into a reusable composite action.

This parsing logic is duplicated across multiple workflow files (also in pro-extension-build-for-liquibase.yml and likely others in this PR). Based on learnings, extending composite setup actions in .github/actions/ is preferred over duplicating boilerplate in workflows.

This could be a small composite action like .github/actions/parse-os-inputs/action.yml that accepts the OS JSON array and outputs ubuntu_os and windows_os. This would centralize the logic and make future changes easier.

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Jira integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 840adaa and be4c1b5.

📒 Files selected for processing (3)

• .github/workflows/extension-attach-artifact-release.yml
• .github/workflows/pro-extension-build-for-liquibase.yml
• .github/workflows/pro-extension-test.yml

🚧 Files skipped from review as they are similar to previous changes (1)

• .github/workflows/pro-extension-test.yml

🧰 Additional context used

📓 Path-based instructions (1)

.github/workflows/*.yml

📄 CodeRabbit inference engine (CLAUDE.md)

.github/workflows/*.yml: Validate GitHub Actions workflow syntax using actionlint for all workflow files
Update self-references from @main to @new-version in all workflow files when releasing a new version of build-logic
Use GitHub App Tokens (with LIQUIBASE_GITHUB_APP_ID and LIQUIBASE_GITHUB_APP_PRIVATE_KEY) for cross-repo operations instead of GITHUB_TOKEN
Use AWS Secrets Manager via OIDC with role LIQUIBASE_VAULT_OIDC_ROLE_ARN and region us-east-1 for accessing /vault/liquibase secrets

.github/workflows/*.yml: Use two-space indentation in YAML workflow files
Job and step ids in workflows must use lower-kebab-case
Environment variables must use UPPER_SNAKE_CASE in workflows
Keep workflow inputs descriptive and defaulted; document new inputs at the top of each workflow file

Files:

• .github/workflows/pro-extension-build-for-liquibase.yml
• .github/workflows/extension-attach-artifact-release.yml

🧠 Learnings (6)

📓 Common learnings

Learnt from: CR
Repo: liquibase/build-logic PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-01T16:18:36.824Z
Learning: Applies to .github/workflows/*.yml : Update self-references from `main` to `new-version` in all workflow files when releasing a new version of build-logic

Learnt from: CR
Repo: liquibase/build-logic PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-12-01T16:18:50.027Z
Learning: Extend composite setup actions in `.github/actions/` rather than duplicating boilerplate in workflows

Learnt from: CR
Repo: liquibase/build-logic PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-12-01T16:18:50.027Z
Learning: Treat every workflow change as production code: run `actionlint`, execute representative `act` scenarios, and capture logs from a consuming repository

📚 Learning: 2025-12-01T16:18:36.824Z

Learnt from: CR
Repo: liquibase/build-logic PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-01T16:18:36.824Z
Learning: Use reusable workflows stored in `.github/workflows/` with DRY (Don't Repeat Yourself) approach for CI/CD logic across Liquibase extensions

Applied to files:

• .github/workflows/pro-extension-build-for-liquibase.yml

📚 Learning: 2025-12-01T16:18:36.824Z

Learnt from: CR
Repo: liquibase/build-logic PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-01T16:18:36.824Z
Learning: Applies to .github/workflows/*.yml : Update self-references from `main` to `new-version` in all workflow files when releasing a new version of build-logic

Applied to files:

• .github/workflows/pro-extension-build-for-liquibase.yml
• .github/workflows/extension-attach-artifact-release.yml

📚 Learning: 2025-12-01T16:18:50.027Z

Learnt from: CR
Repo: liquibase/build-logic PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-12-01T16:18:50.027Z
Learning: For packaging changes, dry-run against `src/liquibase` assets and verify generated artifacts remain in expected paths

Applied to files:

• .github/workflows/pro-extension-build-for-liquibase.yml

📚 Learning: 2025-11-20T17:40:30.649Z

Learnt from: jnewton03
Repo: liquibase/build-logic PR: 441
File: .github/workflows/pro-extension-test.yml:524-524
Timestamp: 2025-11-20T17:40:30.649Z
Learning: In GitHub Actions workflows, the jq command `echo "$INPUT" | jq -r '.[] | select(contains("ubuntu"))' | head -n1` correctly extracts the first Ubuntu runner name from a JSON array. The `.[]` unpacks array elements (one per line), `select()` filters matches, `-r` outputs raw strings (not JSON), and `head -n1` takes the first result.

Applied to files:

• .github/workflows/pro-extension-build-for-liquibase.yml
• .github/workflows/extension-attach-artifact-release.yml

📚 Learning: 2025-12-01T16:18:50.027Z

Learnt from: CR
Repo: liquibase/build-logic PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-12-01T16:18:50.027Z
Learning: Applies to .github/workflows/*.yml : Keep workflow inputs descriptive and defaulted; document new inputs at the top of each workflow file

Applied to files:

• .github/workflows/extension-attach-artifact-release.yml

🔇 Additional comments (5)

.github/workflows/pro-extension-build-for-liquibase.yml (2)

14-14: LGTM - Windows runner updated to Blacksmith.

The default OS input correctly includes the new blacksmith-2vcpu-windows-2025 runner alongside ubuntu-latest, aligning with the PR objective for cost and performance improvements.

---

295-311: LGTM - Dynamic artifact naming supports rollback flexibility.

The artifact download steps now correctly use the parsed OS names, ensuring consistency between the build and combineJars jobs regardless of whether callers use default or overridden OS values.

.github/workflows/extension-attach-artifact-release.yml (3)

31-31: LGTM - Default OS updated consistently.

The default OS input is updated to use blacksmith-2vcpu-windows-2025, matching the pattern established in other workflows in this PR.

---

246-262: LGTM - Artifact downloads correctly use parsed OS values.

The dynamic artifact naming ensures that the combineJars job can correctly download artifacts regardless of which runner names are used (default Blacksmith or overridden to windows-latest for rollback).

---

73-73: Minor: Matrix fallback differs from default OS input.

The matrix fallback '["ubuntu-latest"]' only includes Ubuntu, while the default input at line 31 includes both Ubuntu and Windows. If inputs.os is somehow empty/falsy, the build would only run on Ubuntu, which may be intentional for a minimal fallback but could cause artifact download failures in the combineJars job if it expects Windows artifacts.

This appears to be a pre-existing pattern. Please verify this fallback behavior is intentional for edge cases where inputs.os might be empty.

[jnewton03]

@jandroav is this still relevant?