From 6e58cb39971f4787f91455e6742ccd4236a24dd9 Mon Sep 17 00:00:00 2001
From: Ray Walker
Date: Sun, 17 May 2026 11:09:30 +1000
Subject: [PATCH 1/2] ci: fall back to ubuntu-latest for fork PRs
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
GitHub Actions disables self-hosted runners for fork PRs by security policy — external contributors' PRs would otherwise hang forever on 'waiting for runner'. Adding a conditional runs-on resolves to: - same-repo PRs and push: cachekit-lean / cachekit (existing behavior, cheap on the self-hosted infra) - fork PRs: ubuntu-latest (GitHub-hosted, available to forks) Applied to all 8 jobs in ci.yml. Also removes the misleading "needs DinD" comment on test-integration — it uses GHA service containers, which work natively on ubuntu-latest. The original cachekit (full self-hosted) was for compute, not Docker. No new permissions required; the change is a pure scheduler hint.
---
 .github/workflows/ci.yml | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 1e1e934..c067bd8 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -11,7 +11,7 @@ permissions:
 jobs:
 lint:
- runs-on: cachekit-lean
+ runs-on: ${{ github.event.pull_request.head.repo.fork && 'ubuntu-latest' || 'cachekit-lean' }}
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
@@ -33,7 +33,7 @@ jobs:
 run: pnpm type-check
 test:
- runs-on: cachekit-lean
+ runs-on: ${{ github.event.pull_request.head.repo.fork && 'ubuntu-latest' || 'cachekit-lean' }}
 strategy:
 fail-fast: false
 matrix:
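Review bot: The conditional `runs-on` in this hunk (and the identical expression in the test, test-integration, coverage, security, smoke-test and ci-success hunks) falls through to the self-hosted label for anything other than a literal `true`, so if `head.repo` is ever null (GitHub reports that for PRs whose fork repository was deleted — confirm) the job would be scheduled on `cachekit-lean` instead of the GitHub-hosted fallback; low impact, since checkout of a deleted fork fails anyway, but worth stating in a comment. Only the test-integration hunk explains the expression, and it gives the availability reason; the security reason — unreviewed fork code must never reach the self-hosted runners — is the one a future editor needs before "simplifying" it. I would add above the first occurrence: `# Fork PRs -> GitHub-hosted runner; same-repo PRs and pushes -> self-hosted. Keep fork heads off cachekit*: they run unreviewed code.` Repeating the expression in seven jobs also invites drift if one is edited alone; if it has to change again, a single runner-selection job exposing the label through `needs.<job>.outputs` would keep it in one place.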
@@ -60,7 +60,10 @@ jobs:
 run: pnpm test
 test-integration:
- runs-on: cachekit # needs DinD for Redis service container
+ # Fork PRs fall back to ubuntu-latest (GHA disables self-hosted runners
+ # for forks by security policy). The redis service container below works
+ # on either runner — the original DinD note was misleading.
+ runs-on: ${{ github.event.pull_request.head.repo.fork && 'ubuntu-latest' || 'cachekit' }}
 services:
 redis:
 image: redis:7-alpine
@@ -96,7 +99,7 @@ jobs:
 CI: true
 coverage:
- runs-on: cachekit-lean
+ runs-on: ${{ github.event.pull_request.head.repo.fork && 'ubuntu-latest' || 'cachekit-lean' }}
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
@@ -124,7 +127,7 @@ jobs:
 fail_ci_if_error: false
 security:
- runs-on: cachekit-lean
+ runs-on: ${{ github.event.pull_request.head.repo.fork && 'ubuntu-latest' || 'cachekit-lean' }}
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
@@ -158,7 +161,7 @@ jobs:
 smoke-test:
 name: Package smoke test (ESM + CJS)
- runs-on: cachekit-lean
+ runs-on: ${{ github.event.pull_request.head.repo.fork && 'ubuntu-latest' || 'cachekit-lean' }}
 needs: [test]
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
@@ -219,7 +222,7 @@ jobs:
 ci-success:
 name: CI Success
- runs-on: cachekit-lean
+ runs-on: ${{ github.event.pull_request.head.repo.fork && 'ubuntu-latest' || 'cachekit-lean' }}
 needs: [lint, test, test-integration, coverage, security, smoke-test]
 if: always()
 steps:
From de275e1bf3c8466370c7dd587fd04a383d2d2cbb Mon Sep 17 00:00:00 2001
From: Ray Walker
Date: Sun, 17 May 2026 11:19:58 +1000
Subject: [PATCH 2/2] docs(ci): clarify why test-integration uses cachekit, not cachekit-lean
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The previous comment claimed the DinD note on the original runner choice was "misleading" — it wasn't. I was wrong. Verified against ARC runner specs (kubectl get autoscalingrunnerset): - cachekit: DOCKER_HOST set, TLS certs mounted, full DinD - cachekit-lean: no Docker env, runs as user 1001, service account literally named cachekit-lean-gha-rs-no-permission The redis service container needs Docker on the host. cachekit-lean can't host it; only cachekit can. The runner-name difference between test-integration and every other job is intentional and load-bearing — flattening to cachekit-lean would break integration tests on internal runs. Comment now reflects that constraint accurately so future readers (including reviewers) don't repeat the suggestion.
---
 .github/workflows/ci.yml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index c067bd8..20f1fe0 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -61,8 +61,11 @@ jobs:
 test-integration:
 # Fork PRs fall back to ubuntu-latest (GHA disables self-hosted runners
- # for forks by security policy). The redis service container below works
- # on either runner — the original DinD note was misleading.
+ # for fork PRs by security policy). Internal/push runs use 'cachekit'
+ # (NOT 'cachekit-lean') because the redis service container below
+ # requires Docker on the host: cachekit-lean is a locked-down rootless
+ # pod with no DOCKER_HOST and no docker socket, so services would fail
+ # to start. ubuntu-latest has Docker preinstalled.
 runs-on: ${{ github.event.pull_request.head.repo.fork && 'ubuntu-latest' || 'cachekit' }}
 services:
 redis: