8 changes: 4 additions & 4 deletions .github/workflows/ci.yml
Expand Up @@ -11,39 +11,39 @@

jobs:
changes:
runs-on: ubuntu-latest
runs-on: [self-hosted, wavekat-ci]
outputs:
audio-lab-backend: ${{ steps.filter.outputs.audio-lab-backend }}
audio-lab-frontend: ${{ steps.filter.outputs.audio-lab-frontend }}
cv-explorer: ${{ steps.filter.outputs.cv-explorer }}
steps:
- uses: actions/checkout@v6
- uses: dorny/paths-filter@v3
id: filter
with:
filters: |
audio-lab-backend:
- 'tools/audio-lab/backend/**'
- 'tools/audio-lab/Cargo.toml'
- 'tools/audio-lab/Cargo.lock'
- 'tools/audio-lab/Makefile'
- 'Makefile'
- '.github/workflows/ci.yml'
audio-lab-frontend:
- 'tools/audio-lab/frontend/**'
- 'tools/audio-lab/Makefile'
- 'Makefile'
- '.github/workflows/ci.yml'
cv-explorer:
- 'tools/cv-explorer/worker/**'
- 'tools/cv-explorer/web/**'
- 'Makefile'
- '.github/workflows/ci.yml'

audio-lab-backend:

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}
needs: changes
if: ${{ needs.changes.outputs.audio-lab-backend == 'true' }}
runs-on: ubuntu-latest
runs-on: [self-hosted, wavekat-ci]
steps:
- uses: actions/checkout@v6
- uses: dtolnay/rust-toolchain@stable
Expand Down Expand Up @@ -72,7 +72,7 @@
audio-lab-frontend:
needs: changes
if: ${{ needs.changes.outputs.audio-lab-frontend == 'true' }}
runs-on: ubuntu-latest
runs-on: [self-hosted, wavekat-ci]
steps:
- uses: actions/checkout@v6
- uses: actions/setup-node@v4
Expand All @@ -95,7 +95,7 @@
cv-explorer:
needs: changes
if: ${{ needs.changes.outputs.cv-explorer == 'true' }}
runs-on: ubuntu-latest
runs-on: [self-hosted, wavekat-ci]
steps:
- uses: actions/checkout@v6
- uses: actions/setup-node@v4
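Review bot: Code from the checked-out branch now executes on the persistent `wavekat-ci` host in all four jobs, since each one runs `actions/checkout` followed by the repository's own build tooling (`dtolnay/rust-toolchain`, `actions/setup-node`, and the cargo/npm steps below the hunk); if this workflow fires on `pull_request` (the `on:` block is above this hunk), any PR branch gets arbitrary code execution on that runner, and on a public repository fork PRs would too, which GitHub's own guidance calls out as unsafe for self-hosted runners. Because the runner is not ephemeral, anything a job writes outside `$GITHUB_WORKSPACE` — `~/.cargo`, the npm cache, `PATH` shims installed by the toolchain actions — survives into later jobs, including the deploy and publish workflows that share the same label in this PR. Consider keeping PR-triggered CI on `ubuntu-latest`, or registering the runner with `--ephemeral` under a label the deploy/publish workflows do not target. The CodeQL finding is also left open by this change: add `permissions:` / `  contents: read` at the top of the workflow so the token is read-only for every job.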
2 changes: 1 addition & 1 deletion .github/workflows/cv-deploy.yml
Expand Up @@ -10,34 +10,34 @@

jobs:
deploy:
runs-on: ubuntu-latest
runs-on: [self-hosted, wavekat-ci]
steps:
- uses: actions/checkout@v6

- uses: actions/setup-node@v4
with:
node-version: 22
cache: npm
cache-dependency-path: |
tools/cv-explorer/worker/package-lock.json
tools/cv-explorer/web/package-lock.json

- name: Install dependencies
run: |
cd tools/cv-explorer/worker && npm ci
cd ../web && npm ci

- name: Run D1 migrations
run: cd tools/cv-explorer/worker && npx wrangler d1 migrations apply cv-explorer --remote
env:
CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
CLOUDFLARE_ACCOUNT_ID: ${{ vars.CLOUDFLARE_ACCOUNT_ID }}

- name: Build frontend
run: cd tools/cv-explorer/web && npm run build

- name: Deploy worker
run: cd tools/cv-explorer/worker && npx wrangler deploy
env:
CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
CLOUDFLARE_ACCOUNT_ID: ${{ vars.CLOUDFLARE_ACCOUNT_ID }}

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}
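Review bot: The `deploy` job now runs `npm ci` for both packages and then `wrangler` with `CLOUDFLARE_API_TOKEN` on the same shared, long-lived `wavekat-ci` host that the CI, release and publish jobs in this PR also use, so a lifecycle script in either lockfile's dependency tree, or state left behind by a previous job in the runner's home directory or npm cache, can read the account-level deploy token from the job environment. A job carrying production credentials should run on an isolated runner — `ubuntu-latest`, or a dedicated label such as `[self-hosted, wavekat-deploy]` that CI workflows cannot schedule onto — and `npm ci --ignore-scripts` on both install lines would close the install-time execution path if the packages do not rely on it. The CodeQL warning also still stands for this file: unless it is set in the header above this hunk, add `permissions:` / `  contents: read` so the job's `GITHUB_TOKEN` is read-only.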
2 changes: 1 addition & 1 deletion .github/workflows/cv-runner-provision.yml
Expand Up @@ -32,110 +32,110 @@

jobs:
provision:
runs-on: ubuntu-latest
runs-on: [self-hosted, wavekat-ci]
steps:
- name: Azure Login
uses: azure/login@v3
with:
creds: ${{ secrets.AZURE_CREDENTIALS }}

- name: Generate runner registration token
id: token
env:
GH_TOKEN: ${{ secrets.GH_PAT }}
run: |
TOKEN=$(gh api \
--method POST \
-H "Accept: application/vnd.github+json" \
/repos/${{ github.repository }}/actions/runners/registration-token \
--jq '.token')
echo "::add-mask::$TOKEN"
echo "reg_token=$TOKEN" >> "$GITHUB_OUTPUT"

- name: Create VM
id: vm
uses: azure/cli@v3
with:
inlineScript: |
set -euo pipefail

RUNNER_NAME="${{ env.RUNNER_PREFIX }}-$(date +%s)"
RG="${{ vars.AZURE_RESOURCE_GROUP }}"
LOCATION="${{ vars.AZURE_LOCATION }}"
MAX_MINUTES=$(( ${{ inputs.max_hours }} * 60 ))

echo "Creating VM: $RUNNER_NAME (size=${{ inputs.vm_size }}, disk=${{ inputs.disk_size_gb }}GB)"

az vm create \
--resource-group "$RG" \
--location "$LOCATION" \
--name "$RUNNER_NAME" \
--image Ubuntu2404 \
--size "${{ inputs.vm_size }}" \
--os-disk-size-gb "${{ inputs.disk_size_gb }}" \
--os-disk-delete-option Delete \
--nic-delete-option Delete \
--admin-username azureuser \
--generate-ssh-keys \
--public-ip-sku Standard

echo "VM created. Installing runner agent..."

az vm run-command invoke \
--resource-group "$RG" \
--name "$RUNNER_NAME" \
--command-id RunShellScript \
--scripts "
set -e

# Install Node.js 22
curl -fsSL https://deb.nodesource.com/setup_22.x | bash -
apt-get install -y nodejs jq

# Create runner user and workspace
useradd -m runner
mkdir -p /home/runner/actions-runner
cd /home/runner/actions-runner

# Download latest GitHub Actions runner
RUNNER_VERSION=\$(curl -s https://api.github.com/repos/actions/runner/releases/latest | jq -r .tag_name | sed 's/v//')
curl -sL -o actions-runner.tar.gz https://github.com/actions/runner/releases/download/v\${RUNNER_VERSION}/actions-runner-linux-x64-\${RUNNER_VERSION}.tar.gz
tar xzf actions-runner.tar.gz
rm actions-runner.tar.gz
chown -R runner:runner /home/runner/actions-runner

# Register as persistent runner (stays online for multiple jobs)
su - runner -c 'cd /home/runner/actions-runner && ./config.sh \
--url https://github.com/${{ github.repository }} \
--token ${{ steps.token.outputs.reg_token }} \
--name $RUNNER_NAME \
--labels cv-sync \
--unattended'

# Install and start as a systemd service
cd /home/runner/actions-runner
./svc.sh install runner
./svc.sh start

# Schedule auto-shutdown as safety net
shutdown -P +${MAX_MINUTES} 'Auto-shutdown: max_hours reached'
"

echo "runner_name=$RUNNER_NAME" >> "$GITHUB_OUTPUT"
echo "Runner $RUNNER_NAME is online with label 'cv-sync'"

- name: Job summary
run: |
cat >> "$GITHUB_STEP_SUMMARY" <<EOF
## Runner Provisioned

| Setting | Value |
|---------|-------|
| **VM name** | \`${{ steps.vm.outputs.runner_name }}\` |
| **Size** | ${{ inputs.vm_size }} |
| **Disk** | ${{ inputs.disk_size_gb }} GB |
| **Auto-shutdown** | ${{ inputs.max_hours }} hours |
| **Runner label** | \`cv-sync\` |

**Next:** trigger the **CV: Dataset Sync** workflow.
EOF

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}
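Review bot: `az vm create ... --generate-ssh-keys` behaves differently on a persistent runner than on `ubuntu-latest`: the key pair it writes to the runner service account's `~/.ssh` is never cleaned up, is reused for every VM provisioned afterwards, and is readable by any later job scheduled onto `wavekat-ci`, which then has SSH access as `azureuser` to every runner VM reachable via the `--public-ip-sku Standard` address this step assigns. Generate a throwaway key per run instead — `ssh-keygen -t ed25519 -N '' -f "$RUNNER_TEMP/vmkey"` and `--ssh-key-values "$RUNNER_TEMP/vmkey.pub"` — or, since the runner agent only needs outbound connectivity, drop interactive access with `--nsg-rule NONE`. The registration token is masked in the job log, but it is also embedded via `${{ steps.token.outputs.reg_token }}` into the `--scripts` body sent through Azure Run Command, which may be retained in the VM's extension status; it is short-lived, so this is worth a comment rather than a rewrite. The workflow header (`inputs`, `env.RUNNER_PREFIX`, any `permissions:`) is above this hunk.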
2 changes: 1 addition & 1 deletion .github/workflows/cv-sync.yml
Expand Up @@ -79,54 +79,54 @@
R2_BUCKET_NAME: ${{ vars.CV_EXPLORER_R2_BUCKET }}

cleanup:
runs-on: ubuntu-latest
runs-on: [self-hosted, wavekat-ci]
needs: sync
if: false # Disabled during debugging — re-enable when stable
steps:
- name: Azure Login
uses: azure/login@v3
with:
creds: ${{ secrets.AZURE_CREDENTIALS }}

- name: Delete runner VM and associated resources
uses: azure/cli@v3
with:
inlineScript: |
set -euo pipefail

RG="${{ vars.AZURE_RESOURCE_GROUP }}"

# Find VMs with the cv-sync prefix
VMS=$(az vm list --resource-group "$RG" --query "[?starts_with(name, 'cv-sync-')].name" -o tsv)

for VM in $VMS; do
echo "Deleting VM: $VM"
az vm delete \
--resource-group "$RG" \
--name "$VM" \
--yes \
--force-deletion true

# Delete leftover networking resources (Azure auto-names these with suffixes)
echo "Deleting NSG: ${VM}NSG"
az network nsg delete --resource-group "$RG" --name "${VM}NSG" 2>/dev/null || true
echo "Deleting Public IP: ${VM}PublicIP"
az network public-ip delete --resource-group "$RG" --name "${VM}PublicIP" 2>/dev/null || true
echo "Deleting VNET: ${VM}VNET"
az network vnet delete --resource-group "$RG" --name "${VM}VNET" 2>/dev/null || true
done

echo "Cleanup complete."

- name: Job summary
run: |
cat >> "$GITHUB_STEP_SUMMARY" <<EOF
## Dataset Sync Complete

| Setting | Value |
|---------|-------|
| **Dataset ID** | \`${{ inputs.dataset_id }}\` |
| **Split** | \`${{ inputs.split }}\` |

Runner VM has been cleaned up.
EOF

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}
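Review bot: The `cleanup` job is still gated by `if: false`, so this runs-on change is inert until someone re-enables it; when that happens, the step force-deletes every VM in `AZURE_RESOURCE_GROUP` whose name starts with `cv-sync-` while itself executing from a long-lived self-hosted runner — if that runner, or any other persistent VM, lives in the same resource group under a matching name, the job would delete the host it is running on. Scope the deletion to the VM name the provision workflow records (`steps.vm.outputs.runner_name`) rather than a prefix scan, and keep this API-only job on `ubuntu-latest` so `AZURE_CREDENTIALS` is not handed to a shared host. The `sync` job and the workflow header are outside this hunk.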
2 changes: 1 addition & 1 deletion .github/workflows/publish-smart-turn.yml
Expand Up @@ -39,7 +39,7 @@ permissions:

jobs:
stage-and-publish:
runs-on: ubuntu-latest
runs-on: [self-hosted, wavekat-ci]
timeout-minutes: 20

steps:
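Review bot: `stage-and-publish` now builds and publishes artifacts on the same persistent `wavekat-ci` runner the PR-triggered CI jobs use in this PR, so the toolchain, caches and `PATH` it starts from are whatever the previous job on that host left behind; a publish step is precisely where a poisoned shared runner becomes a supply-chain compromise, and `timeout-minutes: 20` does nothing for that. Keep publishing on `ubuntu-latest` or on an ephemeral runner with a label CI cannot target, and confirm that the credential the steps below rely on (the `permissions:` block is above this hunk, the steps are below it) is not also exposed to other jobs sharing the label.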
2 changes: 1 addition & 1 deletion .github/workflows/release-please.yml
Expand Up @@ -10,7 +10,7 @@ permissions:

jobs:
release-please:
runs-on: ubuntu-latest
runs-on: [self-hosted, wavekat-ci]
steps:
- uses: googleapis/release-please-action@v4
id: release
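Review bot: `release-please` only talks to the GitHub API through `googleapis/release-please-action`, so running it on `[self-hosted, wavekat-ci]` gains nothing but places a `GITHUB_TOKEN` that this action typically needs with `contents: write` and `pull-requests: write` (the `permissions:` block is above this hunk) on a persistent host shared with build jobs from other workflows. A write-scoped token on a shared runner is the direct route to a tampered release PR or tag; leave this job on `runs-on: ubuntu-latest`. The rest of the job is outside this hunk.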