ci: migrate workflows to smithy self-hosted runners

[avrabe]

Summary

Migrates 12 of 24 GitHub Actions jobs across ci.yml, fuzz.yml, release.yml, and validate-shared.yml from GitHub-hosted runners to the smithy self-hosted fleet (hetzner-private runner group on pulseengine-ci-01). Follows the migration playbook and matches the patterns landed in pulseengine/spar#201, pulseengine/rivet#262, pulseengine/kiln#247, and pulseengine/gale#35.

Coverage

Class	Count	Jobs
rust-cpu (12 G)	9	rivet-validate, validate, benchmark, self-optimization (ci.yml); fuzz (fuzz.yml); test-shared, test-workspace, integration-test, check-api-stability (validate-shared.yml)
light (4 G)	3	format (ci.yml); coverage (fuzz.yml); verify-architecture (validate-shared.yml)
lean-mem (24 G)	0	—

Stays on hosted

Job	File	Reason
clippy	ci.yml	sudo apt-get install z3 — Z3 not on smithy
test	ci.yml	matrix spans macOS + Windows
build	ci.yml	matrix spans macOS + Windows
coverage	ci.yml	sudo rm -rf to free disk
verify	ci.yml	sudo apt-get install z3
wasm-build	ci.yml	sudo mkdir/tar to install wasi-sdk into /opt
rocq-proofs	ci.yml	Nix + Bazel (out of scope per playbook)
differential	ci.yml	sudo apt-get install binaryen
build-native	release.yml	matrix spans macOS + Windows
build-wasm	release.yml	sudo for wasi-sdk install
release	release.yml	sudo mv for oras + Cosign keyless OIDC tied to GitHub-hosted identity
format-and-lint	validate-shared.yml	sudo apt-get install z3

Each kept-hosted runs-on: has a one-line comment naming the reason.

Workarounds applied

None new — every migrated job is a clean one-line runs-on: change. The repo doesn't currently use EmbarkStudios/cargo-deny-action, rustsec/audit-check, or obi1kenobi/cargo-semver-checks-action, so the playbook's documented action-replacement workarounds aren't needed here. The existing cargo-semver-checks step in validate-shared.yml already uses direct cargo install + invocation, which works on smithy as-is.

Follow-ups (out of scope here)

• If smithy ships z3 and binaryen in toolchains, four more jobs (clippy, verify, differential, format-and-lint) become trivially migratable.
• If we rewrite the wasi-sdk install to extract under $HOME instead of /opt, wasm-build (ci.yml + release.yml) becomes migratable too.

Test plan

• All migrated jobs land on rust-cpu / light runners and complete green
• Hosted jobs (test, build, etc.) still run on GitHub-hosted as before
• No changes to artifact uploads / release flow
• Compile cache primes on first run; second push is faster on the same branch

Rollback

Revert this commit. All runs-on: flips back to ubuntu-latest and the next run uses GitHub-hosted compute.