check-mirrors: run on GitHub-hosted runner

Minimizing the amount of code running on the website machine is
important to avoid potential security vulnerabilities.

Since we now need to fetch Zig (rather than it being preinstalled), also
update `check-mirrors` to the latest Zig dev version. We'll want to do
this soon anyway due to ziglang/zig#24316 blocking #492.

Author: mlugg

.github/workflows/check-mirrors.yml

@@ -5,16 +5,27 @@ on:
   pull_request: { paths: ["assets/community-mirrors.ziggy"] }
 jobs:
   check:
-    runs-on: [self-hosted, website]
+    runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
-        with: { clean: false }
-      - name: Check Mirrors
+      - name: Check out code
+        uses: actions/checkout@v4
+
+      - name: Install Zig
+        # We can't use mlugg/setup-zig, because that Action uses the community mirror list, which
+        # this workflow is in the "supply chain" for. Instead, just directly fetch a tarball from
+        # ziglang.org. This is **not** a recommended strategy for most users, but rather a special
+        # case due to the role this repository plays in maintaining the mirror list.
         run: |
-          cd check-mirrors
-          /home/ci/deps/zig-linux-x86_64-0.14.0/zig build run -- ../assets/community-mirrors.ziggy "$GITHUB_STEP_SUMMARY"
+          curl -L 'https://ziglang.org/builds/zig-x86_64-linux-0.15.0-dev.885+e83776595.tar.xz' | tar -xJ
+          mv 'zig-x86_64-linux-0.15.0-dev.885+e83776595' zig
+          echo "$PWD/zig" >>"$GITHUB_PATH"
+
+      - name: Check Mirrors
+        run: zig build --build-file check-mirrors/build.zig
+               run -- assets/community-mirrors.ziggy "$GITHUB_STEP_SUMMARY"
+
   notify-failure:
-    runs-on: [self-hosted, website]
+    runs-on: ubuntu-latest
     needs: [check]
     if: ${{ always() && (github.event_name != 'pull_request') && (needs.check.result == 'failure' || needs.check.result == 'timed_out') }}
     steps:

check-mirrors/main.zig

@@ -121,7 +121,7 @@ pub fn main() Allocator.Error!u8 {
     defer http_client.deinit();
 
     const mirrors: []Mirror = mirrors: {
-        const raw = std.fs.cwd().readFileAllocOptions(arena, mirrors_path, 1024 * 1024 * 8, null, 1, 0) catch |err| {
+        const raw = std.fs.cwd().readFileAllocOptions(arena, mirrors_path, 1024 * 1024 * 8, null, .of(u8), 0) catch |err| {
             std.debug.panic("failed to read mirrors file '{s}': {s}", .{ mirrors_path, @errorName(err) });
         };
         const parsed = ziggy.parseLeaky([]const Mirror.Parsed, arena, raw, .{}) catch |err| {