OMT-Global · jmcte · May 31, 2026 · May 31, 2026 · May 31, 2026 · May 31, 2026
@@ -12,6 +12,9 @@ on:
 permissions:
   contents: read
 
+env:
+  SHELL: /bin/bash
+
 concurrency:
   group: ci-${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
@@ -20,17 +23,20 @@ jobs:
   test_self_hosted_trusted:
     name: test
     if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
-    runs-on: ubuntu-latest
+    runs-on:
+      - self-hosted
+      - linux
+      - shell-only
+      - public
     timeout-minutes: 15
     steps:
       - uses: actions/checkout@v6
-      - uses: pnpm/action-setup@v6
-        with:
-          version: 10.32.1
       - uses: actions/setup-node@v6
         with:
           node-version: "24"
-          cache: pnpm
+      - uses: pnpm/action-setup@v6
+        with:
+          version: 10.32.1
       - run: pnpm install --frozen-lockfile
       - run: pnpm lint
       - run: pnpm test:coverage
@@ -108,17 +114,20 @@ jobs:
   linux_docker_contract_trusted:
     name: linux docker contract
     if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
-    runs-on: ubuntu-latest
+    runs-on:
+      - self-hosted
+      - linux
+      - shell-only
+      - public
     timeout-minutes: 20
     steps:
       - uses: actions/checkout@v6
-      - uses: pnpm/action-setup@v6
-        with:
-          version: 10.32.1
       - uses: actions/setup-node@v6
         with:
           node-version: "24"
-          cache: pnpm
+      - uses: pnpm/action-setup@v6
+        with:
+          version: 10.32.1
       - run: pnpm install --frozen-lockfile
       - name: Render Linux Docker runner manifests
         run: |
@@ -140,13 +149,12 @@ jobs:
     timeout-minutes: 20
     steps:
       - uses: actions/checkout@v6
-      - uses: pnpm/action-setup@v6
-        with:
-          version: 10.32.1
       - uses: actions/setup-node@v6
         with:
           node-version: "24"
-          cache: pnpm
+      - uses: pnpm/action-setup@v6
+        with:
+          version: 10.32.1
       - run: pnpm install --frozen-lockfile
       - name: Render Windows Docker runner manifests
         shell: pwsh
@@ -165,17 +173,20 @@ jobs:
   lume_macos_contract_trusted:
     name: lume macos contract
     if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
-    runs-on: macos-latest
+    runs-on:
+      - self-hosted
+      - macOS
+      - ARM64
+      - xcode
     timeout-minutes: 20
     steps:
       - uses: actions/checkout@v6
-      - uses: pnpm/action-setup@v6
-        with:
-          version: 10.32.1
       - uses: actions/setup-node@v6
         with:
           node-version: "24"
-          cache: pnpm
+      - uses: pnpm/action-setup@v6
+        with:
+          version: 10.32.1
       - run: pnpm install --frozen-lockfile
       - run: pnpm lint
       - run: pnpm test
@@ -208,13 +219,12 @@ jobs:
     timeout-minutes: 15
     steps:
       - uses: actions/checkout@v6
-      - uses: pnpm/action-setup@v6
-        with:
-          version: 10.32.1
       - uses: actions/setup-node@v6
         with:
           node-version: "24"
-          cache: pnpm
+      - uses: pnpm/action-setup@v6
+        with:
+          version: 10.32.1
       - run: pnpm install --frozen-lockfile
       - run: pnpm lint
       - run: pnpm test

@@ -29,7 +29,11 @@ jobs:
       (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
       (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
       (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude'))
-    runs-on: ubuntu-latest
+    runs-on:
+      - self-hosted
+      - linux
+      - shell-only
+      - public
     timeout-minutes: 30
     permissions:
       contents: write

@@ -15,6 +15,7 @@ permissions:
 env:
   NODE_VERSION: '20'
   PYTHON_VERSION: '3.12'
+  SHELL: /bin/bash
 
 defaults:
   run:
@@ -23,7 +24,11 @@ defaults:
 jobs:
   changes:
     name: Detect Relevant Changes
-    runs-on: ubuntu-latest
+    runs-on:
+      - self-hosted
+      - linux
+      - shell-only
+      - public
     outputs:
       app: ${{ steps.filter.outputs.app }}
       ci: ${{ steps.filter.outputs.ci }}
@@ -57,7 +62,11 @@ jobs:
 
   fast-checks:
     name: Fast Checks
-    runs-on: ubuntu-latest
+    runs-on:
+      - self-hosted
+      - linux
+      - shell-only
+      - public
     timeout-minutes: 15
     needs: changes
     if: >-
@@ -69,21 +78,24 @@ jobs:
         with:
           ref: ${{ github.event.pull_request.head.sha }}
 
-      - uses: pnpm/action-setup@v6
-        with:
-          version: 10.32.1
-
       - uses: actions/setup-node@v6
         with:
           node-version: "24"
-          cache: pnpm
+
+      - uses: pnpm/action-setup@v6
+        with:
+          version: 10.32.1
 
       - name: Run fast checks
         run: bash scripts/ci/run-fast-checks.sh
 
   validate-secrets:
     name: Validate Secrets
-    runs-on: ubuntu-latest
+    runs-on:
+      - self-hosted
+      - linux
+      - shell-only
+      - public
     timeout-minutes: 10
     if: >-
       github.event.pull_request.draft == false &&
@@ -110,14 +122,13 @@ jobs:
           repository: ${{ github.event.pull_request.head.repo.full_name }}
           ref: ${{ github.event.pull_request.head.sha }}
 
-      - uses: pnpm/action-setup@v6
-        with:
-          version: 10.32.1
-
       - uses: actions/setup-node@v6
         with:
           node-version: "24"
-          cache: pnpm
+
+      - uses: pnpm/action-setup@v6
+        with:
+          version: 10.32.1
 
       - run: pnpm install --frozen-lockfile
       - run: pnpm lint
@@ -141,7 +152,11 @@ jobs:
 
   ci-gate:
     name: CI Gate
-    runs-on: ubuntu-latest
+    runs-on:
+      - self-hosted
+      - linux
+      - shell-only
+      - public
     if: always()
     needs:
       - changes

@@ -22,10 +22,17 @@ concurrency:
   group: release-image-${{ github.ref }}
   cancel-in-progress: false
 
+env:
+  SHELL: /bin/bash
+
 jobs:
   publish_and_verify:
     name: publish-and-verify
-    runs-on: ubuntu-latest
+    runs-on:
+      - self-hosted
+      - linux
+      - shell-only
+      - public
     env:
       GITHUB_PAT: ${{ secrets.GITHUB_TOKEN }}
       SYNOLOGY_RUNNER_BASE_DIR: /volume1/docker/github-runner-fleet
@@ -34,14 +41,13 @@ jobs:
     steps:
       - uses: actions/checkout@v6
 
-      - uses: pnpm/action-setup@v6
-        with:
-          version: 10.32.1
-
       - uses: actions/setup-node@v6
         with:
           node-version: "24"
-          cache: pnpm
+
+      - uses: pnpm/action-setup@v6
+        with:
+          version: 10.32.1
 
       - run: pnpm install --frozen-lockfile
 
@@ -59,6 +65,24 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
+      - name: Ensure envsubst is available
+        run: |
+          set -euo pipefail
+          if command -v envsubst >/dev/null 2>&1; then
+            exit 0
+          fi
+
+          if [[ "$(id -u)" == "0" ]] && command -v apt-get >/dev/null 2>&1; then
+            apt-get update
+            apt-get install -y --no-install-recommends gettext-base
+          elif command -v sudo >/dev/null 2>&1 && command -v apt-get >/dev/null 2>&1; then
+            sudo apt-get update
+            sudo apt-get install -y --no-install-recommends gettext-base
+          else
+            echo "envsubst is required by cosign-installer." >&2
+            exit 1
+          fi
+
       - uses: sigstore/cosign-installer@v4.1.2
 
       - id: release_meta

@@ -24,20 +24,26 @@ on:
 permissions:
   contents: read
 
+env:
+  SHELL: /bin/bash
+
 jobs:
   ci:
     name: rg-ci
-    runs-on: ubuntu-latest
+    runs-on:
+      - self-hosted
+      - linux
+      - shell-only
+      - public
     timeout-minutes: 20
     steps:
       - uses: actions/checkout@v6
-      - uses: pnpm/action-setup@v6
-        with:
-          version: ${{ inputs.package-manager-version }}
       - uses: actions/setup-node@v6
         with:
           node-version: ${{ inputs.node-version }}
-          cache: pnpm
+      - uses: pnpm/action-setup@v6
+        with:
+          version: ${{ inputs.package-manager-version }}
       - run: pnpm install --frozen-lockfile
       - run: pnpm lint
       - run: pnpm test

@@ -29,7 +29,11 @@ permissions:
 jobs:
   release:
     name: rg-release
-    runs-on: ubuntu-latest
+    runs-on:
+      - self-hosted
+      - linux
+      - shell-only
+      - public
     timeout-minutes: 45
     steps:
       - uses: actions/checkout@v6
@@ -48,6 +52,23 @@ jobs:
           platforms: linux/amd64,linux/arm64
           push: true
           tags: ${{ inputs.image-ref }}
+      - name: Ensure envsubst is available
+        run: |
+          set -euo pipefail
+          if command -v envsubst >/dev/null 2>&1; then
+            exit 0
+          fi
+
+          if [[ "$(id -u)" == "0" ]] && command -v apt-get >/dev/null 2>&1; then
+            apt-get update
+            apt-get install -y --no-install-recommends gettext-base
+          elif command -v sudo >/dev/null 2>&1 && command -v apt-get >/dev/null 2>&1; then
+            sudo apt-get update
+            sudo apt-get install -y --no-install-recommends gettext-base
+          else
+            echo "envsubst is required by cosign-installer." >&2
+            exit 1
+          fi
       - uses: sigstore/cosign-installer@v4.1.2
       - run: cosign sign --yes ${{ inputs.image-ref }}@${{ steps.build.outputs.digest }}
       - uses: actions/attest-build-provenance@v3

@@ -20,7 +20,11 @@ permissions:
 jobs:
   security:
     name: rg-security
-    runs-on: ubuntu-latest
+    runs-on:
+      - self-hosted
+      - linux
+      - shell-only
+      - public
     timeout-minutes: 20
     steps:
       - uses: actions/checkout@v6

@@ -14,7 +14,11 @@ permissions:
 jobs:
   scorecard:
     name: openssf-scorecard
-    runs-on: ubuntu-latest
+    runs-on:
+      - self-hosted
+      - linux
+      - shell-only
+      - public
     permissions:
       contents: read
       id-token: write