Fork CI posture and full-CI runner assumptions

[shiny-code-bot]

Intent

Bring this fork's GitHub Actions posture in line with the runners, secrets, and validation policy that actually exist for cbusillo/codex.

Parent: #1

Current Evidence

As of June 10, 2026:

• Latest lightweight checks on main pass: ci, cargo-deny, and Codespell.
• rust-ci-full is red on main, for example run https://github.com/cbusillo/codex/actions/runs/27162299123.
• The failure pattern appears infrastructural/config-related rather than caused by the latest metadata-only PR:
  • many full-CI matrix jobs fail almost immediately;
  • failed jobs show no assigned runner name/group;
  • workflow labels include upstream/private assumptions such as codex-linux-x64, codex-linux-arm64, codex-windows-x64, codex-windows-arm64, and macos-15-xlarge.
• PR CI for recent changes has been passing, so this is mainly a fork workflow policy problem.

Finish Line

Decide and implement the fork's intended CI policy:

• which workflows run automatically on PRs and main;
• whether rust-ci-full should run automatically in this fork or only manually/release-gated;
• what self-hosted runner labels, groups, and secrets are expected for Codex Lab packaging and full Rust CI;
• which checks, if any, should be required by branch protection;
• whether .github/github.json should be introduced now to record the repo's actual workflow, runner, release, and cleanup policy.

Guardrails

• Do not cargo-cult upstream OpenAI runner assumptions into this fork.
• Do not make checks required until the workflow names and runner availability are known.
• Keep normal PR validation lightweight enough for routine fork work.
• Preserve heavier validation where it is intentionally release/manual/preflight gated.