[CI] Switch from buildjet to blacksmith runners

[manny-yes]

Description

Switch to a new runner service, Blacksmith, since BuildJet is shutting down.

Changes:

• Replace mentions of buildjet runners
• Update Ubuntu release to 24.04
• Expand triggers to make CI runnable on-demand via workflow dispatch

Notes

Closes https://github.com/onflow/ff-sre-infrastructure/issues/1167.

Summary by CodeRabbit

• Chores
  • Upgraded CI/test runners across workflows and test matrices to a modern runtime for improved build performance and consistency.
  • Added manual workflow dispatch support for on‑demand runs.
  • Improved secure-build handling with controlled parallelism and added run‑URL logging for clearer build visibility.

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 43a8292e-bf14-425a-839e-0a5538bb5c22

📥 Commits

Reviewing files that changed from the base of the PR and between 96e4a61 and fb4376e.

📒 Files selected for processing (2)

• .github/workflows/ci.yml
• tools/test_matrix_generator/matrix.go

---

📝 Walkthrough

Walkthrough

Replace CI runner labels with blacksmith-*-ubuntu-2404 across workflows and test-matrix configs, add a workflow_dispatch trigger to CI, and add a trigger-and-wait post-step to image_builds to invoke and log secure build runs.

Changes

Cohort / File(s)	Summary
CI Workflow \.github/workflows/ci.yml	Added workflow_dispatch trigger and replaced multiple runner labels (ubuntu-latest / buildjet-*) with blacksmith-*-ubuntu-2404 across jobs and matrix entries.
Image Build Workflow \.github/workflows/image_builds.yml	Set max-parallel: 1 for secure-build matrix; added convictional/trigger-workflow-and-wait@v1.6.5 step (id: trigger-secure-build) and a step to print the secure build run URL using SECURE_BUILDS_REPO.
Test Matrix Configs tools/test_matrix_generator/default-test-matrix-config.json, tools/test_matrix_generator/insecure-module-test-matrix-config.json, tools/test_matrix_generator/integration-module-test-matrix-config.json	Replaced buildjet-*vcpu-ubuntu-* runner identifiers with blacksmith-*vcpu-ubuntu-2404 variants for engine/module/network/subpackage entries.
Matrix Generator Code & Tests tools/test_matrix_generator/matrix.go, tools/test_matrix_generator/matrix_test.go	Changed default CI runner constant to blacksmith-4vcpu-ubuntu-2404; updated test string literals to match new runner identifiers.

Sequence Diagram(s)

mermaid
sequenceDiagram
autonumber
actor Developer
participant CI as "CI Workflow (image_builds)"
participant Trigger as "convictional/trigger-workflow-and-wait"
participant Secure as "Secure Build Workflow"
Developer->>CI: start image build (matrix)
CI->>Trigger: invoke trigger-secure-build step
Trigger->>Secure: trigger secure build run
Secure-->>Trigger: return run ID / status
Trigger-->>CI: provide run URL / status
CI->>Developer: echo secure build run URL

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 I hopped from ubuntu to blacksmith's new gate,
Replaced old runner signs, set dispatch to wait,
I nudged a trigger, watched a secure build start,
Printed its run link and carried it in my heart —
A tiny rabbit cheering CI with a thump and a skate.

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly and accurately summarizes the main change: switching CI runners from buildjet to blacksmith across the entire codebase.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

• 📝 Generate docstrings (stacked PR)
• 📝 Generate docstrings (commit on current branch)

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch manny/1167-implement-ci-runner-changes-for-flow-go

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/image_builds.yml:
- Around line 149-152: The log prints a reconstructed URL using
vars.SECURE_BUILDS_REPO and steps.trigger-secure-build.outputs.workflow_id which
can be wrong if the dispatched repo differs; instead use the action's actual
output: replace the echo that builds the URL with the workflow_url output from
the trigger step (steps.trigger-secure-build.outputs.workflow_url) so the
printed "Secure build for ${matrix.role}" link exactly matches the triggered run
from convictional/trigger-workflow-and-wait@v1.6.5.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 911b4d8e-55ac-4fe5-8615-785128dff8df

📥 Commits

Reviewing files that changed from the base of the PR and between 7ae06ba and 96e4a61.

📒 Files selected for processing (6)

• .github/workflows/ci.yml
• .github/workflows/image_builds.yml
• tools/test_matrix_generator/default-test-matrix-config.json
• tools/test_matrix_generator/insecure-module-test-matrix-config.json
• tools/test_matrix_generator/integration-module-test-matrix-config.json
• tools/test_matrix_generator/matrix_test.go