OMT-Global · jmcte · May 31, 2026 · May 31, 2026
@@ -28,11 +28,7 @@ env:
 jobs:
   publish_and_verify:
     name: publish-and-verify
-    runs-on:
-      - self-hosted
-      - linux
-      - shell-only
-      - public
+    runs-on: ubuntu-latest
     env:
       GITHUB_PAT: ${{ secrets.GITHUB_TOKEN }}
       SYNOLOGY_RUNNER_BASE_DIR: /volume1/docker/github-runner-fleet

@@ -20,11 +20,7 @@ permissions:
 jobs:
   security:
     name: rg-security
-    runs-on:
-      - self-hosted
-      - linux
-      - shell-only
-      - public
+    runs-on: ubuntu-latest
     timeout-minutes: 20
     steps:
       - uses: actions/checkout@v6

@@ -14,11 +14,7 @@ permissions:
 jobs:
   scorecard:
     name: openssf-scorecard
-    runs-on:
-      - self-hosted
-      - linux
-      - shell-only
-      - public
+    runs-on: ubuntu-latest
     permissions:
       contents: read
       id-token: write

@@ -21,11 +21,7 @@ env:
 jobs:
   codeql:
     name: codeql
-    runs-on:
-      - self-hosted
-      - linux
-      - shell-only
-      - public
+    runs-on: ubuntu-latest
     timeout-minutes: 20
     steps:
       - uses: actions/checkout@v6
@@ -37,11 +33,7 @@ jobs:
   dependency_review:
     name: dependency-review
     if: github.event_name == 'pull_request'
-    runs-on:
-      - self-hosted
-      - linux
-      - shell-only
-      - public
+    runs-on: ubuntu-latest
     timeout-minutes: 10
     steps:
       - uses: actions/checkout@v6
@@ -52,11 +44,7 @@ jobs:
 
   osv:
     name: osv
-    runs-on:
-      - self-hosted
-      - linux
-      - shell-only
-      - public
+    runs-on: ubuntu-latest
     timeout-minutes: 10
     steps:
       - uses: actions/checkout@v6

@@ -67,7 +67,7 @@ GITHUB_API_URL=https://api.github.com
 LUME_RUNNER_BASE_DIR='${lume_base_dir}'
 LUME_RUNNER_ENV_FILE='${lume_base_dir}/runner.env'
 COMPOSE_PROJECT_NAME=github-runner-fleet
-RUNNER_VERSION=2.333.0
+RUNNER_VERSION=2.334.0
 EOF
   install -m 0600 "${temp_path}" "${env_path}"
   rm -f "${temp_path}"

@@ -46,6 +46,8 @@ describe("Lume pool scripts", () => {
     expect(installRuntime).toContain("Library/Application Support/github-runner-fleet/controller");
     expect(installRuntime).toContain("rsync -a --delete");
     expect(installRuntime).toContain("pnpm --dir");
+    expect(installRuntime).toContain("RUNNER_VERSION=2.334.0");
+    expect(installRuntime).not.toContain("RUNNER_VERSION=2.333.0");
     expect(installRuntime).toContain("install_lume_controller_runtime");
     expect(installRuntime).toContain('if [[ -f "${runtime_env}" ]]');
     expect(installRuntime.indexOf('if [[ -f "${runtime_env}" ]]')).toBeLessThan(

@@ -3,10 +3,8 @@ import path from "node:path";
 import YAML from "yaml";
 import { describe, expect, test } from "vitest";
 
-const shellSafePublicRunner = ["self-hosted", "linux", "shell-only", "public"];
-
 describe("release workflow", () => {
-  test("publishes on shell-safe self-hosted runners, verifies the pushed tag, and can create a repo release from main", () => {
+  test("publishes on GitHub-hosted runners, verifies the pushed tag, and can create a repo release from main", () => {
     const workflow = YAML.parse(
       fs.readFileSync(
         path.resolve(".github/workflows/release-image.yml"),
@@ -41,7 +39,7 @@ describe("release workflow", () => {
       "id-token": "write",
       attestations: "write"
     });
-    expect(job["runs-on"]).toEqual(shellSafePublicRunner);
+    expect(job["runs-on"]).toBe("ubuntu-latest");
     expect(job.env).toMatchObject({
       GITHUB_PAT: "${{ secrets.GITHUB_TOKEN }}",
       SYNOLOGY_RUNNER_BASE_DIR: "/volume1/docker/github-runner-fleet"

@@ -6,7 +6,7 @@ import { describe, expect, test } from "vitest";
 const shellSafePublicRunner = ["self-hosted", "linux", "shell-only", "public"];
 
 describe("security and reusable workflows", () => {
-  test("keeps security scans on shell-safe self-hosted runners with Security tab upload", () => {
+  test("keeps security scans on GitHub-hosted runners with Security tab upload", () => {
     const workflow = YAML.parse(
       fs.readFileSync(path.resolve(".github/workflows/security.yml"), "utf8")
     ) as { permissions: Record<string, string>; jobs: Record<string, Record<string, unknown>> };
@@ -16,7 +16,7 @@ describe("security and reusable workflows", () => {
       "security-events": "write"
     });
     for (const job of Object.values(workflow.jobs)) {
-      expect(job["runs-on"]).toEqual(shellSafePublicRunner);
+      expect(job["runs-on"]).toBe("ubuntu-latest");
     }
     expect(String(JSON.stringify(workflow))).toContain("github/codeql-action/init");
     expect(String(JSON.stringify(workflow))).toContain("dependency-review-action");
@@ -43,15 +43,15 @@ describe("security and reusable workflows", () => {
       "id-token": "write",
       "security-events": "write"
     });
-    expect(workflow.jobs.scorecard["runs-on"]).toEqual(shellSafePublicRunner);
+    expect(workflow.jobs.scorecard["runs-on"]).toBe("ubuntu-latest");
     expect(String(JSON.stringify(workflow))).toContain(
       "ossf/scorecard-action@v2.4.3"
     );
     expect(String(JSON.stringify(workflow))).toContain("publish_results");
   });
 
   test("exposes rg-ci, rg-security, and rg-release as workflow_call artifacts", () => {
-    for (const fileName of ["rg-ci.yml", "rg-security.yml", "rg-release.yml"]) {
+    for (const fileName of ["rg-ci.yml", "rg-release.yml"]) {
       const workflow = YAML.parse(
         fs.readFileSync(path.resolve(".github/workflows", fileName), "utf8")
       ) as { on: Record<string, unknown>; jobs: Record<string, Record<string, unknown>> };
@@ -61,5 +61,14 @@ describe("security and reusable workflows", () => {
         expect(job["runs-on"]).toEqual(shellSafePublicRunner);
       }
     }
+
+    const rgSecurity = YAML.parse(
+      fs.readFileSync(path.resolve(".github/workflows/rg-security.yml"), "utf8")
+    ) as { on: Record<string, unknown>; jobs: Record<string, Record<string, unknown>> };
+
+    expect(rgSecurity.on).toHaveProperty("workflow_call");
+    for (const job of Object.values(rgSecurity.jobs)) {
+      expect(job["runs-on"]).toBe("ubuntu-latest");
+    }
   });
 });