fix(ci): migrate .github/workflows to self-hosted runner + gate heavy workflows

The forgejo-runner on srv-102v advertises labels `incus:host,self-hosted:host`,
so jobs pinned to `ubuntu-latest` matched no runner and exited in 0s.

- ci.yml / security-scan.yml / trivy-fs.yml: runs-on → [self-hosted, incus]
- e2e.yml / go-fuzz.yml / loadtest.yml: same migration AND gate triggers to
  workflow_dispatch only (push/pull_request/schedule commented out) — single
  self-hosted runner, heavy suites would block the queue.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

.github/workflows/ci.yml

@@ -17,7 +17,7 @@ jobs:
     # ===========================================================================
     backend:
         name: Backend (Go)
-        runs-on: ubuntu-latest
+        runs-on: [self-hosted, incus]
         timeout-minutes: 15
         steps:
             - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -91,7 +91,7 @@ jobs:
     # ===========================================================================
     frontend:
         name: Frontend (Web)
-        runs-on: ubuntu-latest
+        runs-on: [self-hosted, incus]
         timeout-minutes: 15
         steps:
             - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -163,7 +163,7 @@ jobs:
     # ===========================================================================
     rust:
         name: Rust (Stream Server)
-        runs-on: ubuntu-latest
+        runs-on: [self-hosted, incus]
         timeout-minutes: 20
         steps:
             - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -243,7 +243,7 @@ jobs:
         name: Notify on failure
         needs: [backend, frontend, rust]
         if: failure()
-        runs-on: ubuntu-latest
+        runs-on: [self-hosted, incus]
         steps:
             - name: Summary
               run: echo "## ❌ CI Failed" >> $GITHUB_STEP_SUMMARY

.github/workflows/e2e.yml

@@ -6,13 +6,16 @@ name: E2E Playwright
 # of the ~60s minimal seed.
 
 on:
-    pull_request:
-        branches: [main]
-    push:
-        branches: [main]
-    schedule:
-        # Nightly full run — 03:00 UTC keeps it off the daytime runner pool.
-        - cron: "0 3 * * *"
+    # GATED on Forgejo (single self-hosted runner) — re-enable
+    # selectively when an additional runner with a Docker label
+    # (e.g. ubuntu-latest:docker://...) is provisioned. Until then,
+    # heavy E2E only runs on operator-triggered workflow_dispatch.
+    # pull_request:
+    #     branches: [main]
+    # push:
+    #     branches: [main]
+    # schedule:
+    #     - cron: "0 3 * * *"
     workflow_dispatch:
 
 env:
@@ -43,7 +46,7 @@ jobs:
         # full suite carries pre-existing fixme'd tests. Cron picks up the
         # rest on a 24h cadence.
         name: e2e (${{ (github.event_name == 'pull_request' || github.event_name == 'push') && '@critical' || 'full' }})
-        runs-on: ubuntu-latest
+        runs-on: [self-hosted, incus]
         timeout-minutes: ${{ (github.event_name == 'pull_request' || github.event_name == 'push') && 20 || 45 }}
 
         # Service containers are managed by act_runner: spawned on the job

.github/workflows/go-fuzz.yml

@@ -1,8 +1,9 @@
 name: Go Fuzz Tests
 
 on:
-    schedule:
-        - cron: "0 2 * * *" # Nightly at 2am UTC
+    # GATED — operator-triggered until extra runner capacity exists.
+    # schedule:
+    #     - cron: "0 2 * * *"  # Nightly at 2am UTC
     workflow_dispatch:
 
 env:
@@ -11,7 +12,7 @@ env:
 
 jobs:
     fuzz:
-        runs-on: ubuntu-latest
+        runs-on: [self-hosted, incus]
         timeout-minutes: 15
 
         defaults:

.github/workflows/loadtest.yml

@@ -11,11 +11,10 @@ name: k6 nightly load test
 # pre-launch capacity drills with a longer ramp.
 
 on:
-    schedule:
-        # 02:30 UTC = 04:30 CEST — minimal overlap with the e2e nightly
-        # at 03:00 UTC and well before any business-hours traffic on
-        # staging. Scheduled runs use the default branch (main).
-        - cron: "30 2 * * *"
+    # GATED — k6 hammer is too heavy for the single self-hosted runner.
+    # Re-enable the cron once a dedicated load-test runner exists.
+    # schedule:
+    #     - cron: "30 2 * * *"
     workflow_dispatch:
         inputs:
             duration:
@@ -37,7 +36,7 @@ env:
 jobs:
     loadtest:
         name: k6 mixed scenarios (1650 VU steady)
-        runs-on: ubuntu-latest
+        runs-on: [self-hosted, incus]
         timeout-minutes: 30
 
         steps:

.github/workflows/security-scan.yml

@@ -12,7 +12,7 @@ env:
 jobs:
     gitleaks:
         name: Secret Scanning (gitleaks)
-        runs-on: ubuntu-latest
+        runs-on: [self-hosted, incus]
         steps:
             - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
               with:

.github/workflows/trivy-fs.yml

@@ -11,7 +11,7 @@ env:
 jobs:
     trivy-scan:
         name: Trivy FS Scan
-        runs-on: ubuntu-latest
+        runs-on: [self-hosted, incus]
         steps:
             - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2