ci: run workflows on self-hosted runners #91

Merged: jmcte merged 5 commits into main from pheidon/self-hosted-runners-20260531 on Jun 1, 2026

@pheidon (Contributor) commented May 31, 2026

Summary

  • Move non-fallback workflow jobs off GitHub-hosted runner labels and onto OMT self-hosted runner labels.
  • Keep explicit hosted fork/fallback paths unchanged where present.
  • Align workflow contract tests where this repository has them.

Governing Issue

No linked issue. This follows JT's direct policy request that CI jobs should not run on GitHub-hosted runners unless they are explicit fallbacks.

Validation

  • git diff --check
  • Workflow YAML parsed successfully
  • Hosted-runner policy scan found no non-fallback direct ubuntu-*, macos-*, or windows-* runs-on jobs in this patched worktree
  • Workflow YAML parse and policy scan only; no repo-specific build was needed for runner-label-only changes.

Bootstrap Governance

  • Changes are scoped to the runner policy request
  • Contributor or PR guidance changes are not required
  • Auto-merge is enabled, or GitHub plan-limit evidence is recorded and the fallback merge-readiness policy applies
  • No real secrets, runtime auth, or machine-local env files are committed

Merge Automation

  • Auto-merge is enabled, or the reason it is unavailable or unsafe is noted below

Auto-merge is enabled by JT. This cross-repository runner policy migration should land after CI confirms the self-hosted route.

Notes

  • Generated from /home/pheidon/.openclaw/workspace/reports/github-hosted-runner-audit-2026-05-31.md.
  • Repositories with explicit fork fallback jobs keep those jobs on GitHub-hosted runners by design.

@pheidon pheidon requested a review from jmcte as a code owner May 31, 2026 15:11
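
A hosted-runner policy scan of the kind listed under Validation could look like the following; this is an added example, not the script used in this PR. It assumes a job counts as an explicit fallback when its job id contains `fallback`, and the sample workflow, job names and labels are constructed.

```python
import re

# Hosted label families named in the PR's policy scan: ubuntu-*, macos-*, windows-*.
HOSTED = re.compile(r"^(ubuntu|macos|windows)-[\w.-]+$")
# Assumption: a job is an explicit fallback when its job id contains "fallback".
FALLBACK = re.compile(r"fallback", re.IGNORECASE)

def _labels(value):
    """Split a runs-on scalar or flow list ([a, b]) into bare labels."""
    return [v.strip().strip("'\"") for v in value.strip("[] ").split(",") if v.strip()]

def scan_workflow(text):
    """Return (job_id, label) per hosted label on a non-fallback job; ${{ }} is not resolved."""
    findings, in_jobs, job, job_indent, in_list = [], False, None, None, False
    for raw in text.splitlines():
        body, labels = raw.split(" #")[0].strip(), []   # drop trailing comments
        indent = len(raw) - len(raw.lstrip())
        if not body or body.startswith("#"):
            continue
        if indent == 0:                                  # top-level key: enter or leave jobs:
            in_jobs, job, job_indent, in_list = body == "jobs:", None, None, False
        elif in_jobs and indent == (job_indent or indent) and body.endswith(":"):
            job, job_indent, in_list = body[:-1], indent, False   # a job id line
        elif in_jobs and body.startswith("runs-on:"):
            value = body[len("runs-on:"):].strip()
            in_list, labels = not value, _labels(value)  # empty value: block list follows
        elif in_list and body.startswith("- "):
            labels = _labels(body[2:])
        else:
            in_list = False
        if job and not FALLBACK.search(job):
            findings += [(job, label) for label in labels if HOSTED.match(label)]
    return findings

# Constructed sample workflow; job names and labels are illustrative only.
SAMPLE = """\
on: push
jobs:
  build:
    runs-on: [self-hosted, linux]
  lint:
    runs-on: ubuntu-latest
  package:
    runs-on:
      - self-hosted
      - macos-14
  fork-fallback:
    runs-on: ubuntu-latest   # explicit hosted fallback, allowed
"""
```

Running `scan_workflow` over each file under `.github/workflows/` and failing the check on any non-empty result turns the runner policy into a gate rather than a one-off audit.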
@athena-omt (Contributor) left a comment

Findings

  • scripts/build-native-app.sh:73-90 only looks for */release/Sparkle.framework, but the universal SwiftPM output path used by swift build --arch arm64 --arch x86_64 is .../Release/.... When build-universal-release.sh calls build-native-app.sh --universal, Sparkle-enabled tagged builds will fail to find/copy the framework and abort.
  • .github/workflows/release.yml:64-67,118-132 builds the universal release bundle, then immediately rebuilds APW.app with plain ./scripts/build-native-app.sh before notarization and packaging. On the ARM64 release runner that overwrites the universal app bundle with a single-arch one, so the release artifacts are no longer universal.

Summary: the CI runner migration is directionally fine, but the release pipeline still has two blockers that either break the universal app build or undo it before shipping.

@athena-omt athena-omt added the state:needs-repair label ("PR needs repair before review can proceed.") May 31, 2026
jmcte previously approved these changes May 31, 2026
@jmcte jmcte enabled auto-merge (squash) June 1, 2026 07:19
@pheidon pheidon dismissed athena-omt’s stale review June 1, 2026 08:02

Stale review on 6c5b611: de3b901 teaches build-native-app.sh to find Release/Sparkle.framework and removes the second non-universal native-app rebuild before notarization/packaging.

@jmcte jmcte merged commit 54fa764 into main Jun 1, 2026
7 checks passed
@jmcte jmcte deleted the pheidon/self-hosted-runners-20260531 branch June 1, 2026 09:09