ci: optimise CI pipeline with parallel jobs and modern tooling

Comprehensive CI pipeline refactoring reducing total runtime by ~30 seconds
while improving maintainability and fail-fast behaviour.

Pipeline restructuring:
- Consolidate prefligit-checks.yml into rust-checks.yml
- Split into three parallel jobs for maximum efficiency:
  * fast-checks: prek + formatting checks
  * clippy: linting without sccache (analysis doesn't need compilation cache)
  * tests: full test suite with sccache for compilation benefits
- Add concurrency group to cancel outdated runs on new pushes
- Fast failure on pre-commit or formatting issues saves runner time

Prek (pre-commit runner):
- Replace prefligit with prek (project renamed due to typosquatting concerns)
- Remove unnecessary prek cache that was adding overhead
- Update pre-commit-config.yaml: fix-byte-order-marker replaces deprecated check-byte-order-marker

uv/uvx tooling:
- Migrate from rust-toolchain action to uvx for ~50% faster toolchain installation
- Use uv/uvx as universal package/tool installer (similar to npx)
- Handles both prek and rustup installation efficiently
- Respect rust-toolchain.toml via 'uvx rustup show' for version consistency
- Disable Python dependency tracking in uv cache (not needed for Rust)

Renovate integration:
- Add workflow for automated dependency updates
- Configure to scan .forgejo/ directories for GitHub Actions
- Set rate limits: 2 PRs/hour, 3 concurrent max
- Enable manual dry-run mode for testing

GitHub Actions compatibility:
- Make sccache steps conditional for fork compatibility
- Use create-github-app-token v1 (v2 requires Node.js 24, incompatible with Forgejo)
- Update actions/cache v3→v4 fixing deprecation warnings
- Rename element.yml to clients-element.yml for clarity

.forgejo/workflows/prefligit-checks.yml

@@ -1,22 +0,0 @@
-name: Checks / Prefligit
-
-on:
-  push:
-  pull_request:
-permissions:
-  contents: read
-
-jobs:
-  prefligit:
-    runs-on: ubuntu-latest
-    env:
-      FROM_REF: ${{ github.event.pull_request.base.sha || (!github.event.forced && ( github.event.before != '0000000000000000000000000000000000000000'  && github.event.before || github.sha )) || format('{0}~', github.sha) }}
-      TO_REF: ${{ github.sha }}
-    steps:
-    - name: Checkout repository
-      uses: actions/checkout@v4
-      with:
-        persist-credentials: false
-    - uses: ./.forgejo/actions/prefligit
-      with:
-        extra_args: --all-files --hook-stage manual

.forgejo/workflows/renovate.yml

@@ -0,0 +1,64 @@
+name: Renovate
+on:
+  schedule:
+    # Run at 2am UTC daily
+    - cron: '0 2 * * *'
+  workflow_dispatch:
+    inputs:
+      dryRun:
+        description: 'Dry run mode'
+        required: false
+        default: 'false'
+        type: choice
+        options:
+          - 'true'
+          - 'false'
+      logLevel:
+        description: 'Log level'
+        required: false
+        default: 'info'
+        type: choice
+        options:
+          - 'debug'
+          - 'info'
+          - 'warn'
+          - 'error'
+  push:
+    branches:
+      - main
+    paths:
+      - '.forgejo/workflows/renovate.yml'
+      - 'renovate.json'
+
+jobs:
+  renovate:
+    name: Renovate
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Run Renovate
+        uses: renovatebot/github-action@v40.1.0
+        with:
+          token: ${{ secrets.RENOVATE_TOKEN }}
+          configurationFile: renovate.json
+        env:
+          # Platform settings
+          RENOVATE_PLATFORM: gitea
+          RENOVATE_ENDPOINT: ${{ github.server_url }}/api/v1
+          RENOVATE_TOKEN: ${{ secrets.RENOVATE_TOKEN }}
+
+          # Repository settings
+          RENOVATE_REPOSITORIES: '["${{ github.repository }}"]'
+
+          # Behaviour settings
+          RENOVATE_DRY_RUN: ${{ inputs.dryRun || 'false' }}
+          LOG_LEVEL: ${{ inputs.logLevel || 'info' }}
+
+          # Forgejo/Gitea specific
+          RENOVATE_GIT_AUTHOR: 'Renovate Bot <renovate@noreply.${{ github.server_url }}>'
+
+          # PR settings
+          RENOVATE_PR_HOURLY_LIMIT: '2'
+          RENOVATE_PR_CONCURRENT_LIMIT: '3'

.forgejo/workflows/rust-checks.yml

@@ -2,10 +2,16 @@ name: Checks / Rust
 
 on:
   push:
+  pull_request:
+
+# Cancel in-progress runs when a new push is made to the same branch
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
 
 jobs:
-  format:
-    name: Format
+  fast-checks:
+    name: Prek & Format
     runs-on: ubuntu-latest
 
     steps:
@@ -14,11 +20,20 @@ jobs:
         with:
           persist-credentials: false
 
-      - name: Install rust
-        uses: ./.forgejo/actions/rust-toolchain
+      - name: Install uv
+        uses: https://github.com/astral-sh/setup-uv@v6
         with:
-          toolchain: "nightly"
-          components: "rustfmt"
+          enable-cache: true
+          ignore-nothing-to-cache: true
+          cache-dependency-glob: ''
+
+      - name: Run prek (formerly prefligit)
+        run: uvx prek run --show-diff-on-failure --color=always -v --all-files --hook-stage manual
+
+      - name: Install rust nightly with rustfmt
+        run: |
+          uvx rustup override set nightly
+          uvx rustup component add rustfmt
 
       - name: Check formatting
         run: |
@@ -34,29 +49,29 @@ jobs:
         with:
           persist-credentials: false
 
-      - name: Install rust
-        uses: ./.forgejo/actions/rust-toolchain
+      - name: Install uv
+        uses: https://github.com/astral-sh/setup-uv@v6
+        with:
+          enable-cache: true
+          ignore-nothing-to-cache: true
+          cache-dependency-glob: ''  # Disable Python dependency tracking for Rust project
 
-      - uses: https://github.com/actions/create-github-app-token@v2
-        id: app-token
-        with:
-          app-id: ${{ vars.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-          github-api-url: https://api.github.com
-          owner: ${{ vars.GH_APP_OWNER }}
-          repositories: ""
-      - name: Install sccache
-        uses: ./.forgejo/actions/sccache
-        with:
-          token: ${{ steps.app-token.outputs.token }}
-      - run: sudo apt-get update
-      - name: Install system dependencies
-        uses: https://github.com/awalsh128/cache-apt-pkgs-action@v1
+      - name: Install Rust toolchain
+        run: |
+          # Install toolchain from rust-toolchain.toml
+          uvx rustup show  # This will auto-install from rust-toolchain.toml
+
+      - name: Update APT package lists
+        run: sudo apt-get update
+
+      - name: Cache system packages
+        uses: https://github.com/awalsh128/cache-apt-pkgs-action@latest
         with:
           packages: clang liburing-dev
-          version: 1
+          version: 1.0
+
       - name: Cache Rust registry
-        uses: actions/cache@v3
+        uses: actions/cache@v4
         with:
           path: |
             ~/.cargo/git
@@ -64,12 +79,8 @@ jobs:
             ~/.cargo/registry
             !~/.cargo/registry/src
           key: rust-registry-${{hashFiles('**/Cargo.lock') }}
-      - name: Timelord
-        uses: ./.forgejo/actions/timelord
-        with:
-          key: sccache-v0
-          path: .
-      - name: Clippy
+
+      - name: Run Clippy lints
         run: |
           cargo clippy \
             --workspace \
@@ -80,13 +91,11 @@ jobs:
             -- \
             -D warnings
 
-      - name: Show sccache stats
-        if: always()
-        run: sccache --show-stats
-
-  cargo-test:
-    name: Cargo Test
+  tests:
+    name: Tests
     runs-on: ubuntu-latest
+    env:
+      SCCACHE_ENABLED: ${{ vars.GH_APP_ID != '' && secrets.GH_APP_PRIVATE_KEY != '' }}
 
     steps:
       - name: Checkout repository
@@ -94,29 +103,29 @@ jobs:
         with:
           persist-credentials: false
 
-      - name: Install rust
-        uses: ./.forgejo/actions/rust-toolchain
+      - name: Install uv
+        uses: https://github.com/astral-sh/setup-uv@v6
+        with:
+          enable-cache: true
+          ignore-nothing-to-cache: true
+          cache-dependency-glob: ''  # Disable Python dependency tracking for Rust project
 
-      - uses: https://github.com/actions/create-github-app-token@v2
-        id: app-token
-        with:
-          app-id: ${{ vars.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-          github-api-url: https://api.github.com
-          owner: ${{ vars.GH_APP_OWNER }}
-          repositories: ""
-      - name: Install sccache
-        uses: ./.forgejo/actions/sccache
-        with:
-          token: ${{ steps.app-token.outputs.token }}
-      - run: sudo apt-get update
-      - name: Install system dependencies
-        uses: https://github.com/awalsh128/cache-apt-pkgs-action@v1
+      - name: Install Rust toolchain
+        run: |
+          # Install toolchain from rust-toolchain.toml
+          uvx rustup show  # This will auto-install from rust-toolchain.toml
+
+      - name: Update APT package lists
+        run: sudo apt-get update
+
+      - name: Cache system packages
+        uses: https://github.com/awalsh128/cache-apt-pkgs-action@latest
         with:
           packages: clang liburing-dev
-          version: 1
+          version: 1.0
+
       - name: Cache Rust registry
-        uses: actions/cache@v3
+        uses: actions/cache@v4
         with:
           path: |
             ~/.cargo/git
@@ -124,12 +133,32 @@ jobs:
             ~/.cargo/registry
             !~/.cargo/registry/src
           key: rust-registry-${{hashFiles('**/Cargo.lock') }}
-      - name: Timelord
+
+      - name: Create GitHub App token for sccache
+        if: env.SCCACHE_ENABLED == 'true'
+        uses: https://github.com/actions/create-github-app-token@v1
+        id: app-token
+        with:
+          app-id: ${{ vars.GH_APP_ID }}
+          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+          github-api-url: https://api.github.com
+          owner: ${{ vars.GH_APP_OWNER }}
+          repositories: ""
+
+      - name: Setup sccache
+        if: env.SCCACHE_ENABLED == 'true'
+        uses: ./.forgejo/actions/sccache
+        with:
+          token: ${{ steps.app-token.outputs.token }}
+
+      - name: Setup Timelord
+        if: env.SCCACHE_ENABLED == 'true'
         uses: ./.forgejo/actions/timelord
         with:
           key: sccache-v0
           path: .
-      - name: Cargo Test
+
+      - name: Run Cargo tests
         run: |
           cargo test \
             --workspace \
@@ -139,6 +168,6 @@ jobs:
             --all-targets \
             --no-fail-fast
 
-      - name: Show sccache stats
-        if: always()
+      - name: Display sccache statistics
+        if: always() && env.SCCACHE_ENABLED == 'true'
         run: sccache --show-stats

.pre-commit-config.yaml

@@ -9,7 +9,7 @@ repos:
   - repo: https://github.com/pre-commit/pre-commit-hooks
     rev: v5.0.0
     hooks:
-        - id: check-byte-order-marker
+        - id: fix-byte-order-marker
         - id: check-case-conflict
         - id: check-symlinks
         - id: destroyed-symlinks

renovate.json

@@ -22,5 +22,30 @@
     "tikv-jemalloc-ctl",
     "opentelemetry-rust",
     "tracing-opentelemetry"
-  ]
+  ],
+  "github-actions": {
+    "enabled": true,
+    "fileMatch": [
+      "(^|/)\\.forgejo/workflows/[^/]+\\.ya?ml$",
+      "(^|/)\\.forgejo/actions/[^/]+/action\\.ya?ml$",
+      "(^|/)\\.github/workflows/[^/]+\\.ya?ml$",
+      "(^|/)\\.github/actions/[^/]+/action\\.ya?ml$"
+    ]
+  },
+  "packageRules": [
+    {
+      "description": "Auto-merge minor and patch updates for GitHub Actions",
+      "matchManagers": ["github-actions"],
+      "matchUpdateTypes": ["minor", "patch"],
+      "automerge": false
+    },
+    {
+      "description": "Group all non-major GitHub Actions updates",
+      "matchManagers": ["github-actions"],
+      "matchUpdateTypes": ["minor", "patch"],
+      "groupName": "github-actions-non-major"
+    }
+  ],
+  "prConcurrentLimit": 3,
+  "prHourlyLimit": 2
 }