From 341d1cb268f5db27baa9bf07ab11bf59340a1cf6 Mon Sep 17 00:00:00 2001 From: Marko Vejnovic Date: Tue, 23 Jun 2026 21:22:00 +0000 Subject: [PATCH 1/8] ci: harden clj-kondo and zprint, scope lint triggers - clj-kondo: add unused-value/import, redundant-call, misplaced-docstring, aliased-namespace-symbol, non-arg-vec-return-type-hint at :error; narrow shadowed-var exclude to [name] - zprint: :style [:community :how-to-ns] for canonical ns forms - lint.yml: run only on push to main + pull_request --- .clj-kondo/config.edn | 8 +++++++- .github/workflows/lint.yml | 5 ++++- src/vmlinux/gha/artifacts.clj | 7 ++++--- src/vmlinux/gha/release.clj | 7 ++++--- src/vmlinux/krn/build.clj | 7 ++++--- src/vmlinux/krn/src.clj | 7 ++++--- src/vmlinux/tasks/compile.clj | 9 +++++---- src/vmlinux/tasks/fmt.clj | 7 ++++--- src/vmlinux/tasks/matrix.clj | 5 +++-- src/vmlinux/tasks/release.clj | 7 ++++--- 10 files changed, 43 insertions(+), 26 deletions(-) diff --git a/.clj-kondo/config.edn b/.clj-kondo/config.edn index 28a8758..378da4b 100644 --- a/.clj-kondo/config.edn +++ b/.clj-kondo/config.edn @@ -3,6 +3,8 @@ :unused-namespace {:level :error} :unused-referred-var {:level :error} :unused-private-var {:level :error} + :unused-value {:level :error} + :unused-import {:level :error} :unresolved-symbol {:level :error} :unresolved-namespace {:level :error} :unresolved-var {:level :error} 
@@ -10,14 +12,18 @@ :redundant-do {:level :error} :redundant-let {:level :error} :redundant-fn-wrapper {:level :error} + :redundant-call {:level :error} :missing-else-branch {:level :error} + :misplaced-docstring {:level :error} :used-underscored-binding {:level :error} :unsorted-required-namespaces {:level :error} + :aliased-namespace-symbol {:level :error} :consistent-alias {:level :error} :single-key-in {:level :error} :refer-all {:level :error} :duplicate-require {:level :error} :namespace-name-mismatch {:level :error} + :non-arg-vec-return-type-hint {:level :error} :unexpected-recur {:level :error} :condition-always-true {:level :error} - :shadowed-var {:level :error :exclude [name runner]}}} + :shadowed-var {:level :error :exclude [name]}}} diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 6585eb4..8573938 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -1,6 +1,9 @@ name: Lint -on: [push, pull_request] +on: + push: + branches: [main] + pull_request: permissions: contents: read diff --git a/src/vmlinux/gha/artifacts.clj b/src/vmlinux/gha/artifacts.clj index 46f654c..e1a256f 100644 --- a/src/vmlinux/gha/artifacts.clj +++ b/src/vmlinux/gha/artifacts.clj @@ -1,7 +1,8 @@ (ns vmlinux.gha.artifacts - (:require [babashka.fs :as fs] - [clojure.edn :as edn] - [vmlinux.krn.build :as build])) + (:require + [babashka.fs :as fs] + [clojure.edn :as edn] + [vmlinux.krn.build :as build])) (defrecord VmLinuxArtifact [artifact-name]) (defrecord ArtifactMeta [arch version binary sha256-sum]) diff --git a/src/vmlinux/gha/release.clj b/src/vmlinux/gha/release.clj index 96d7387..c535e71 100644 --- a/src/vmlinux/gha/release.clj +++ b/src/vmlinux/gha/release.clj 
@@ -1,7 +1,8 @@ (ns vmlinux.gha.release - (:require [babashka.fs :as fs] - [babashka.process :refer [shell]] - [selmer.parser :as p])) + (:require + [babashka.fs :as fs] + [babashka.process :refer [shell]] + [selmer.parser :as p])) (defn- release-tag [sha] (str "release-" sha)) diff --git a/src/vmlinux/krn/build.clj b/src/vmlinux/krn/build.clj index 8748a52..374fb47 100644 --- a/src/vmlinux/krn/build.clj +++ b/src/vmlinux/krn/build.clj @@ -1,8 +1,9 @@ (ns vmlinux.krn.build (:refer-clojure :exclude [compile]) - (:require [babashka.fs :as fs] - [babashka.process :refer [shell]] - [clojure.string :as str])) + (:require + [babashka.fs :as fs] + [babashka.process :refer [shell]] + [clojure.string :as str])) (defrecord VmLinuxBuild [arch version binary-path sha256-sum]) diff --git a/src/vmlinux/krn/src.clj b/src/vmlinux/krn/src.clj index e917a60..7552989 100644 --- a/src/vmlinux/krn/src.clj +++ b/src/vmlinux/krn/src.clj @@ -1,7 +1,8 @@ (ns vmlinux.krn.src - (:require [babashka.fs :as fs] - [babashka.process :refer [shell]] - [clojure.string :as str])) + (:require + [babashka.fs :as fs] + [babashka.process :refer [shell]] + [clojure.string :as str])) (defrecord KernelSrc [tarball-url checksums-url]) (defrecord KernelTree [path checksum]) diff --git a/src/vmlinux/tasks/compile.clj b/src/vmlinux/tasks/compile.clj index cb53936..26de057 100644 --- a/src/vmlinux/tasks/compile.clj +++ b/src/vmlinux/tasks/compile.clj @@ -1,8 +1,9 @@ (ns vmlinux.tasks.compile - (:require [manifest :as mf] - [vmlinux.gha.artifacts :as artifacts] - [vmlinux.krn.build :as kbuild] - [vmlinux.krn.src :as src])) + (:require + [manifest :as mf] + [vmlinux.gha.artifacts :as artifacts] + [vmlinux.krn.build :as kbuild] + [vmlinux.krn.src :as src])) (defn- by-name [name] (first (filter #(= name (:name %)) mf/builds))) diff --git a/src/vmlinux/tasks/fmt.clj b/src/vmlinux/tasks/fmt.clj index 650cd11..3b76ece 100644 --- a/src/vmlinux/tasks/fmt.clj +++ b/src/vmlinux/tasks/fmt.clj 
@@ -1,8 +1,9 @@ (ns vmlinux.tasks.fmt - (:require [babashka.deps :as deps] - [babashka.fs :as fs])) + (:require + [babashka.deps :as deps] + [babashka.fs :as fs])) -(def ^:private opts {:width 100, :style :community}) +(def ^:private opts {:width 100, :style [:community :how-to-ns]}) (defn- sources [] (map str (fs/glob "." "{src/**/*.clj,manifest.clj}"))) diff --git a/src/vmlinux/tasks/matrix.clj b/src/vmlinux/tasks/matrix.clj index cd09fff..c1e7cea 100644 --- a/src/vmlinux/tasks/matrix.clj +++ b/src/vmlinux/tasks/matrix.clj @@ -1,6 +1,7 @@ (ns vmlinux.tasks.matrix - (:require [cheshire.core :as json] - [manifest :as mf])) + (:require + [cheshire.core :as json] + [manifest :as mf])) (def ^:private arch-runner {:x86_64 "ubuntu-24.04", :aarch64 "ubuntu-24.04-arm"}) diff --git a/src/vmlinux/tasks/release.clj b/src/vmlinux/tasks/release.clj index 112351b..ffae946 100644 --- a/src/vmlinux/tasks/release.clj +++ b/src/vmlinux/tasks/release.clj @@ -1,7 +1,8 @@ (ns vmlinux.tasks.release - (:require [clojure.java.io :as io] - [vmlinux.gha.artifacts :as artifacts] - [vmlinux.gha.release :as release])) + (:require + [clojure.java.io :as io] + [vmlinux.gha.artifacts :as artifacts] + [vmlinux.gha.release :as release])) (defn- artifact-dirs [dir] From ac2172ea819206ff76954fd10ba02144f6a236dd Mon Sep 17 00:00:00 2001 From: Marko Vejnovic Date: Tue, 23 Jun 2026 21:24:46 +0000 Subject: [PATCH 2/8] ci: run kernel builds on 32-core larger runners --- src/vmlinux/tasks/matrix.clj | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/vmlinux/tasks/matrix.clj b/src/vmlinux/tasks/matrix.clj index c1e7cea..17dd289 100644 --- a/src/vmlinux/tasks/matrix.clj +++ b/src/vmlinux/tasks/matrix.clj @@ -3,7 +3,7 @@ [cheshire.core :as json] [manifest :as mf])) -(def ^:private arch-runner {:x86_64 "ubuntu-24.04", :aarch64 "ubuntu-24.04-arm"}) +(def ^:private arch-runner {:x86_64 "ubuntu-24.04-32core", :aarch64 "ubuntu-24.04-arm-32core"}) (defn matrix [] 
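Review bot: In the `arch-runner` map changed by PATCH 2/8 (src/vmlinux/tasks/matrix.clj, hunk `@@ -3,7 +3,7 @@`), the new values `"ubuntu-24.04-32core"` and `"ubuntu-24.04-arm-32core"` do not look like standard GitHub-hosted labels. They only resolve if runners with exactly these names are configured for the repository or organization, and nothing in the hunk says where that is. A `runs-on` label that matches no runner typically leaves the job queued rather than failing, which is easy to miss on a manually dispatched build. I would add a comment above the def, for example `;; runs-on labels: must match the larger-runner names configured in the org's Actions settings`. The matrix.clj hunk in PATCH 4/8 rewrites the same two strings and has the same gap.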
From d617cc51d04cf7816c5808501681fca1087d3694 Mon Sep 17 00:00:00 2001 From: Marko Vejnovic Date: Tue, 23 Jun 2026 21:26:53 +0000 Subject: [PATCH 3/8] ci: gate manual builds behind a contributor permission check --- .github/workflows/build-vmlinux.yml | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/.github/workflows/build-vmlinux.yml b/.github/workflows/build-vmlinux.yml index 8744f29..3659f52 100644 --- a/.github/workflows/build-vmlinux.yml +++ b/.github/workflows/build-vmlinux.yml @@ -11,7 +11,25 @@ concurrency: cancel-in-progress: false jobs: + authorize: + runs-on: ubuntu-24.04 + steps: + - name: Verify the actor is a contributor + env: + GH_TOKEN: ${{ github.token }} + REPO: ${{ github.repository }} + ACTOR: ${{ github.actor }} + run: | + set -euo pipefail + perm="$(gh api "repos/$REPO/collaborators/$ACTOR/permission" --jq '.permission')" + echo "$ACTOR has '$perm' permission on $REPO" + case "$perm" in + admin|maintain|write) ;; + *) echo "::error::$ACTOR lacks write access; only contributors may run this workflow"; exit 1 ;; + esac + prepare: + needs: authorize runs-on: ubuntu-24.04 outputs: matrix: ${{ steps.gen.outputs.matrix }} From 9e3e99fe3edb8504f8b8c830c062fde92b0a662b Mon Sep 17 00:00:00 2001 From: Marko Vejnovic Date: Tue, 23 Jun 2026 21:33:53 +0000 Subject: [PATCH 4/8] ci: use ultralarge runners; drop redundant authorize gate workflow_dispatch already restricts manual runs to write-access contributors. --- .github/workflows/build-vmlinux.yml | 18 ------------------ src/vmlinux/tasks/matrix.clj | 2 +- 2 files changed, 1 insertion(+), 19 deletions(-) diff --git a/.github/workflows/build-vmlinux.yml b/.github/workflows/build-vmlinux.yml index 3659f52..8744f29 100644 --- a/.github/workflows/build-vmlinux.yml +++ b/.github/workflows/build-vmlinux.yml 
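Review bot: In the `authorize` job added by PATCH 3/8 (build-vmlinux.yml, hunk `@@ -11,7 +11,25 @@`), the permission lookup is keyed on `ACTOR: ${{ github.actor }}`, which on a re-run is still the user who started the original run. The user who initiated the re-run is `github.triggering_actor`, so the gate should read `ACTOR: ${{ github.triggering_actor }}`. The `case` also lists `maintain`, but as far as I know the `.permission` field of this endpoint reports only the legacy levels (admin, write, read, none), so that arm is probably dead; matching on `.role_name` would be needed to tell maintain apart. Only `prepare` gains `needs: authorize` in the visible lines, so any job that does not depend on `prepare` (outside this hunk) would run ungated.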
@@ -11,25 +11,7 @@ concurrency: cancel-in-progress: false jobs: - authorize: - runs-on: ubuntu-24.04 - steps: - - name: Verify the actor is a contributor - env: - GH_TOKEN: ${{ github.token }} - REPO: ${{ github.repository }} - ACTOR: ${{ github.actor }} - run: | - set -euo pipefail - perm="$(gh api "repos/$REPO/collaborators/$ACTOR/permission" --jq '.permission')" - echo "$ACTOR has '$perm' permission on $REPO" - case "$perm" in - admin|maintain|write) ;; - *) echo "::error::$ACTOR lacks write access; only contributors may run this workflow"; exit 1 ;; - esac - prepare: - needs: authorize runs-on: ubuntu-24.04 outputs: matrix: ${{ steps.gen.outputs.matrix }} diff --git a/src/vmlinux/tasks/matrix.clj b/src/vmlinux/tasks/matrix.clj index 17dd289..33542e0 100644 --- a/src/vmlinux/tasks/matrix.clj +++ b/src/vmlinux/tasks/matrix.clj @@ -3,7 +3,7 @@ [cheshire.core :as json] [manifest :as mf])) -(def ^:private arch-runner {:x86_64 "ubuntu-24.04-32core", :aarch64 "ubuntu-24.04-arm-32core"}) +(def ^:private arch-runner {:x86_64 "ultralarge-24.04-x64", :aarch64 "ultralarge-24.04-aarch64"}) (defn matrix [] From be505609a3a6ab6ef99b4c6729dddad3cbacc1e5 Mon Sep 17 00:00:00 2001 From: Marko Vejnovic Date: Tue, 23 Jun 2026 21:37:21 +0000 Subject: [PATCH 5/8] fix(release): idempotent create + retry asset uploads Asset upload raced api<->uploads.github.com replication lag (HTTP 404). Retry with backoff + --clobber; create is now idempotent so a re-run after a partial publish reuses the existing release- instead of asserting. --- src/vmlinux/gha/release.clj | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/src/vmlinux/gha/release.clj b/src/vmlinux/gha/release.clj index c535e71..57a7a6d 100644 --- a/src/vmlinux/gha/release.clj +++ b/src/vmlinux/gha/release.clj 
@@ -24,15 +24,24 @@ :exit zero?)) +(defn- upload! + [tag asset] + (loop [attempt 1] + (let [exit (:exit (shell {:continue true} "gh" "release" "upload" tag asset "--clobber"))] + (cond + (zero? exit) :ok + (< attempt 6) (do (Thread/sleep (* attempt 2000)) (recur (inc attempt))) + :else (throw (ex-info (str "gh release upload failed for " asset) {:asset asset})))))) + (defn create [sha vmlinux-builds] - (assert (not (exists? sha)) (str "release already exists: " (release-tag sha))) (let [tag (release-tag sha)] - (shell "gh" "release" "create" tag "--title" (title sha) "--notes" (notes sha)) + (when-not (exists? sha) + (shell "gh" "release" "create" tag "--title" (title sha) "--notes" (notes sha))) (->> vmlinux-builds (mapv (fn [build] (future (let [asset (str (fs/parent (:binary-path build)) "/" (asset-name build))] (fs/copy (:binary-path build) asset {:replace-existing true}) - (shell "gh" "release" "upload" tag asset))))) + (upload! tag asset))))) (run! deref)) tag)) From f0dbbc7ea5a32db7b888247748c7cd8e27de6588 Mon Sep 17 00:00:00 2001 From: Marko Vejnovic Date: Tue, 23 Jun 2026 21:37:30 +0000 Subject: [PATCH 6/8] style: zprint release.clj --- src/vmlinux/gha/release.clj | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/src/vmlinux/gha/release.clj b/src/vmlinux/gha/release.clj index 57a7a6d..3d6918d 100644 --- a/src/vmlinux/gha/release.clj +++ b/src/vmlinux/gha/release.clj @@ -28,10 +28,9 @@ [tag asset] (loop [attempt 1] (let [exit (:exit (shell {:continue true} "gh" "release" "upload" tag asset "--clobber"))] - (cond - (zero? exit) :ok - (< attempt 6) (do (Thread/sleep (* attempt 2000)) (recur (inc attempt))) - :else (throw (ex-info (str "gh release upload failed for " asset) {:asset asset})))))) + (cond (zero? exit) :ok + (< attempt 6) (do (Thread/sleep (* attempt 2000)) (recur (inc attempt))) + :else (throw (ex-info (str "gh release upload failed for " asset) {:asset asset})))))) (defn create [sha vmlinux-builds] 
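Review bot: In `create` as changed by PATCH 5/8 (release.clj, hunk `@@ -24,15 +24,24 @@`), swapping the `assert` for `(when-not (exists? sha) ...)` while `upload!` passes `--clobber` means a second run for the same sha silently replaces binaries already published under the `release-` tag, with no comparison against what was there. Anyone who recorded a digest of the first upload then sees a mismatch they cannot tell apart from tampering. The build records appear to carry a `sha256-sum`, so before overwriting I would compare the published asset against it, skip the upload when they match and fail loudly when they differ. Separately, `upload!` retries on every non-zero exit, so a permanent failure such as a missing file or a rejected token also waits through five sleeps (30 s in total) before the `ex-info`, which carries no exit code; adding `:exit exit` to its data map would help triage. The same applies to the reformatted `upload!` in PATCH 6/8.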
From 72f3b569ed5e9d6bc8299d3ba98f194392cf2103 Mon Sep 17 00:00:00 2001 From: Marko Vejnovic Date: Tue, 23 Jun 2026 21:38:13 +0000 Subject: [PATCH 7/8] release: drop --clobber from asset upload --- src/vmlinux/gha/release.clj | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/vmlinux/gha/release.clj b/src/vmlinux/gha/release.clj index 3d6918d..dba938e 100644 --- a/src/vmlinux/gha/release.clj +++ b/src/vmlinux/gha/release.clj @@ -27,7 +27,7 @@ (defn- upload! [tag asset] (loop [attempt 1] - (let [exit (:exit (shell {:continue true} "gh" "release" "upload" tag asset "--clobber"))] + (let [exit (:exit (shell {:continue true} "gh" "release" "upload" tag asset))] (cond (zero? exit) :ok (< attempt 6) (do (Thread/sleep (* attempt 2000)) (recur (inc attempt))) :else (throw (ex-info (str "gh release upload failed for " asset) {:asset asset})))))) From 545a022163c7c75a523d93254a85e2f074eb4396 Mon Sep 17 00:00:00 2001 From: Marko Vejnovic Date: Tue, 23 Jun 2026 21:38:50 +0000 Subject: [PATCH 8/8] release: rename create param vmlinux-builds -> assets --- src/vmlinux/gha/release.clj | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/vmlinux/gha/release.clj b/src/vmlinux/gha/release.clj index dba938e..eeded7a 100644 --- a/src/vmlinux/gha/release.clj +++ b/src/vmlinux/gha/release.clj @@ -33,11 +33,11 @@ :else (throw (ex-info (str "gh release upload failed for " asset) {:asset asset})))))) (defn create - [sha vmlinux-builds] + [sha assets] (let [tag (release-tag sha)] (when-not (exists? sha) (shell "gh" "release" "create" tag "--title" (title sha) "--notes" (notes sha))) - (->> vmlinux-builds + (->> assets (mapv (fn [build] (future (let [asset (str (fs/parent (:binary-path build)) "/" (asset-name build))] (fs/copy (:binary-path build) asset {:replace-existing true})
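Review bot: With `--clobber` removed from `upload!` in PATCH 7/8 (release.clj, hunk `@@ -27,7 +27,7 @@`), `gh release upload` refuses an asset whose name already exists on the release. The re-run-after-partial-publish case that `create` (outside this hunk) allows via `(when-not (exists? sha) ...)` will therefore fail on every asset that was uploaded the first time. Because the `cond` treats any non-zero exit as retryable, each such asset first uses all six attempts and 30 s of sleep before throwing, and an upload that succeeded server-side but reported an error to the client takes the same path. I would list the release's current assets once, for example with `gh release view <tag> --json assets`, and skip names already present, ideally after comparing the published file with the local one, rather than choosing between overwrite and fail.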