ci: disable earthly TLS in bot workflows (settings-hash parity with CI) #1693

Open
skylar-simoncelli wants to merge 3 commits into main from skylar/bot-workflows-earthly-tls
@skylar-simoncelli

Contributor

Problem

rebuild-metadata-bot.yml and rebuild-chainspec-bot.yml run earthly -P on the self-hosted pool without the tls_enabled: false config append that every job in continuous-integration.yml applies. Earthly derives a settings hash from its buildkit config; on mismatch it docker rm -fs the shared earthly-buildkitd and recreates it, cancelling every in-flight earthly build on the box.

Observed on 2026-06-12 (fsn1-runner-01): one /bot rebuild-metadata comment caused 4 buildkitd recreations in 45s (dockerd journal, 08:48:22-08:49:07 UTC) and simultaneously killed three unrelated jobs (+test on #1677 with unlazy force execution: Canceled: context canceled, a Local Environment Tests, another Run tests). The bot jobs themselves also fail (TLS handshake against the non-TLS daemon, no certs provisioned), so users re-trigger and kill more CI each time. Repeated at 09:43 UTC.

Fix

Add the same tls_enabled: false append step the CI jobs use to both bot workflows, between GHCR login and the earthly invocation. This fixes the bots' own failures AND stops them restarting the shared daemon.

Both workflows trigger on issue_comment, so they execute the workflow file from the default branch — this takes effect for all open PRs immediately on merge, no rebases needed.

Testing

After merge, comment /bot rebuild-metadata on any PR and confirm (a) the job passes, (b) docker ps --filter name=earthly-buildkitd on fsn1-runner-01 shows the daemon NOT freshly recreated.

@skylar-simoncelli skylar-simoncelli requested a review from a team as a code owner June 12, 2026 10:10
@skylar-simoncelli skylar-simoncelli added this pull request to the merge queue Jun 12, 2026
@github-merge-queue github-merge-queue Bot removed this pull request from the merge queue due to failed status checks Jun 12, 2026
@gilescope gilescope added this pull request to the merge queue Jun 16, 2026
@github-merge-queue github-merge-queue Bot removed this pull request from the merge queue due to failed status checks Jun 16, 2026
@justinfrevert justinfrevert enabled auto-merge June 22, 2026 22:26

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 1d61c237c0


# cancelling every in-flight build on the box.
- name: Disable earthly TLS (self-hosted runner has no certs)
run: |
echo " tls_enabled: false" >> .earthly/config.yml
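
Review bot: the `echo ... >> .earthly/config.yml` line in the run step is a blind append, so it only sets the key if config.yml ends inside its `global:` mapping, with a trailing newline and the same indentation as the echoed string. If the file later gains another top-level section or loses its final newline, the key lands somewhere else and the step still exits 0. Suggest setting it with a YAML-aware edit (for example `earthly config global.tls_enabled false`), or following the append with a grep that fails the job when the key is not where it is expected.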


P1: Use the same self-hosted Earthly config as CI

On self-hosted runners, the other Earthly workflows source .envrc before invoking Earthly (for example .github/workflows/continuous-integration.yml:184), and .envrc:29-30 switches them to .earthly/config.selfhosted.yml, which includes both tls_enabled: false and buildkit_additional_args: ["-m", "180Gb"] (.earthly/config.selfhosted.yml:15-20). This bot still runs with EARTHLY_CONFIG: .earthly/config.yml, so appending only TLS leaves its BuildKit settings hash different from CI and the metadata bot can still force-recreate the shared earthly-buildkitd on each run. Use the same self-hosted config (or source .envrc) for the bot invocation instead of patching the default config.

Useful? React with 👍 / 👎.

# cancelling every in-flight build on the box.
- name: Disable earthly TLS (self-hosted runner has no certs)
run: |
echo " tls_enabled: false" >> .earthly/config.yml
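
Review bot: the "Disable earthly TLS" step here is a verbatim copy of the one added to the other bot workflow, comment line included, so the setting now lives in several workflow files that all have to stay identical for the daemon settings to match. Suggest moving it into one shared place (a composite action, or a checked-in config file that every self-hosted job points at) so a later change cannot update one workflow and miss another.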


P1: Use the same self-hosted Earthly config as CI

On self-hosted runners, the other Earthly workflows source .envrc before invoking Earthly (for example .github/workflows/continuous-integration.yml:648), and .envrc:29-30 switches them to .earthly/config.selfhosted.yml, which includes both tls_enabled: false and buildkit_additional_args: ["-m", "180Gb"] (.earthly/config.selfhosted.yml:15-20). This bot still runs with EARTHLY_CONFIG: .earthly/config.yml, so appending only TLS leaves its BuildKit settings hash different from CI and the chainspec bot can still force-recreate the shared earthly-buildkitd on each run. Use the same self-hosted config (or source .envrc) for the bot invocation instead of patching the default config.

Useful? React with 👍 / 👎.
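
The parity problem discussed in this thread, as an added example (not code from the PR or the repository): a Python check that compares the daemon-relevant keys of each workflow's effective Earthly config against the CI baseline. The file contents are constructed from what the comments above state, `DAEMON_KEYS` is an assumption, and the SHA-256 fingerprint is a stand-in, not Earthly's actual settings hash.

```python
import hashlib
import json

# Keys assumed to feed the buildkitd settings; these are the two named in the thread.
DAEMON_KEYS = ("tls_enabled", "buildkit_additional_args")

def parse_global(text):
    """Read the flat `global:` mapping of a minimal Earthly-style config.
    Supports only `key: value` lines whose values are valid JSON."""
    settings, in_global = {}, False
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if not raw.startswith(" "):          # a top-level key opens a new section
            in_global = raw.strip() == "global:"
        elif in_global:
            key, _, value = raw.strip().partition(":")
            settings[key] = json.loads(value)
    return settings

def fingerprint(settings):
    """Stand-in for the settings hash (not Earthly's algorithm)."""
    relevant = {k: settings.get(k) for k in DAEMON_KEYS}
    blob = json.dumps(relevant, sort_keys=True).encode()
    return hashlib.sha256(blob).hexdigest()[:12]

def audit(baseline_text, workflows):
    """Map each workflow to the keys that differ from the CI baseline."""
    base = parse_global(baseline_text)
    report = {}
    for name, text in workflows.items():
        cfg = parse_global(text)
        report[name] = [k for k in DAEMON_KEYS if cfg.get(k) != base.get(k)]
    return report

# Constructed file contents; only the two daemon keys come from the thread.
DEFAULT_CFG = "global:\n  disable_analytics: true\n"
SELFHOSTED_CFG = DEFAULT_CFG + '  tls_enabled: false\n  buildkit_additional_args: ["-m", "180Gb"]\n'
WORKFLOWS = {
    "bot, default config": DEFAULT_CFG,
    "bot, TLS line appended": DEFAULT_CFG + "  tls_enabled: false\n",
    "bot, self-hosted config": SELFHOSTED_CFG,
}

if __name__ == "__main__":
    print("CI baseline", fingerprint(parse_global(SELFHOSTED_CFG)))
    for name, diff in audit(SELFHOSTED_CFG, WORKFLOWS).items():
        print(f"{name}: {fingerprint(parse_global(WORKFLOWS[name]))} drift={diff}")
```

An empty drift list is the only state in which a job would reuse the shared daemon under this model; run as a pre-merge check, it fails on any workflow whose list is non-empty.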
