diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 35c92268f..83676769f 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -17,7 +17,7 @@ jobs:
 # ===========================================================================
 backend:
 name: Backend (Go)
- runs-on: ubuntu-latest
+ runs-on: [self-hosted, incus]
 timeout-minutes: 15
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -91,7 +91,7 @@ jobs:
 # ===========================================================================
 frontend:
 name: Frontend (Web)
- runs-on: ubuntu-latest
+ runs-on: [self-hosted, incus]
 timeout-minutes: 15
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -163,7 +163,7 @@ jobs:
 # ===========================================================================
 rust:
 name: Rust (Stream Server)
- runs-on: ubuntu-latest
+ runs-on: [self-hosted, incus]
 timeout-minutes: 20
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -243,7 +243,7 @@ jobs:
 name: Notify on failure
 needs: [backend, frontend, rust]
 if: failure()
- runs-on: ubuntu-latest
+ runs-on: [self-hosted, incus]
 steps:
 - name: Summary
 run: echo "## ❌ CI Failed" >> $GITHUB_STEP_SUMMARY
diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml
index 4e1a77a85..6d9304ca3 100644
--- a/.github/workflows/e2e.yml
+++ b/.github/workflows/e2e.yml
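Review bot: `runs-on: [self-hosted, incus]` in the `backend` job (and the identical change in `frontend`, `rust`, the notify job, and the e2e, go-fuzz, loadtest, security-scan and trivy-fs workflows) moves every job onto one self-hosted runner without recording how that runner is isolated. The `on:` block of ci.yml is outside these hunks, but if it still triggers on `pull_request`, code from contributor branches or forks will build and run tests on infrastructure you operate, and anything that persists on the runner (workspace, tool cache, credentials, network reach) is shared with later jobs. I would add a comment above the first `runs-on` stating whether the Incus instance is recreated per job and which networks it can reach, and, if fork pull requests are accepted, a job-level guard such as `if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository`. The job bodies continue outside the hunks, so the steps themselves were not reviewed.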
@@ -6,13 +6,16 @@ name: E2E Playwright
 # of the ~60s minimal seed.
 on:
- pull_request:
- branches: [main]
- push:
- branches: [main]
- schedule:
- # Nightly full run — 03:00 UTC keeps it off the daytime runner pool.
- - cron: "0 3 * * *"
+ # GATED on Forgejo (single self-hosted runner) — re-enable
+ # selectively when an additional runner with a Docker label
+ # (e.g. ubuntu-latest:docker://...) is provisioned. Until then,
+ # heavy E2E only runs on operator-triggered workflow_dispatch.
+ # pull_request:
+ # branches: [main]
+ # push:
+ # branches: [main]
+ # schedule:
+ # - cron: "0 3 * * *"
 workflow_dispatch:
 env:
@@ -43,7 +46,7 @@ jobs:
 # full suite carries pre-existing fixme'd tests. Cron picks up the
 # rest on a 24h cadence.
 name: e2e (${{ (github.event_name == 'pull_request' || github.event_name == 'push') && '@critical' || 'full' }})
- runs-on: ubuntu-latest
+ runs-on: [self-hosted, incus]
 timeout-minutes: ${{ (github.event_name == 'pull_request' || github.event_name == 'push') && 20 || 45 }}
 # Service containers are managed by act_runner: spawned on the job
diff --git a/.github/workflows/go-fuzz.yml b/.github/workflows/go-fuzz.yml
index 2762d8ca6..2384ab413 100644
--- a/.github/workflows/go-fuzz.yml
+++ b/.github/workflows/go-fuzz.yml
@@ -1,8 +1,9 @@
 name: Go Fuzz Tests
 on:
- schedule:
- - cron: "0 2 * * *" # Nightly at 2am UTC
+ # GATED — operator-triggered until extra runner capacity exists.
+ # schedule:
+ # - cron: "0 2 * * *" # Nightly at 2am UTC
 workflow_dispatch:
 env:
@@ -11,7 +12,7 @@ env:
 jobs:
 fuzz:
- runs-on: ubuntu-latest
+ runs-on: [self-hosted, incus]
 timeout-minutes: 15
 defaults:
diff --git a/.github/workflows/loadtest.yml b/.github/workflows/loadtest.yml
index 064485ed9..2d0d5baa9 100644
--- a/.github/workflows/loadtest.yml
+++ b/.github/workflows/loadtest.yml
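Review bot: In the second e2e.yml hunk the `name:` and `timeout-minutes:` expressions around the new `runs-on` still branch on `github.event_name == 'pull_request' || github.event_name == 'push'`, but the first hunk leaves `workflow_dispatch` as the only trigger, so every run now takes the `'full'` / 45-minute branch and the context comment "Cron picks up the rest on a 24h cadence" is no longer true. Separately, the trailing context comment says service containers are spawned by act_runner, while the gate comment in the first hunk implies the current runner has no Docker label; a manual dispatch onto `[self-hosted, incus]` may therefore fail when the services start, which is worth confirming because the rest of the job is outside the hunk. I would add a line above the job such as `# NOTE: only workflow_dispatch is active; the pull_request/push branches below are dormant until the triggers return.`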
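Review bot: Commenting out `schedule:` in go-fuzz.yml leaves fuzzing to run only when someone remembers to dispatch it, which in practice usually means it stops running. The job in the next hunk is capped at `timeout-minutes: 15`, so unlike the k6 load test it looks light enough for a single runner; a reduced cadence such as `- cron: "0 2 * * 0"` (weekly, Sunday 02:00 UTC) would keep regression coverage for the fuzz targets. If it does stay manual, the gate comment should name the condition for re-enabling it, for example `# GATED — re-enable when <tracking-issue> is resolved`.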
@@ -11,11 +11,10 @@ name: k6 nightly load test
 # pre-launch capacity drills with a longer ramp.
 on:
- schedule:
- # 02:30 UTC = 04:30 CEST — minimal overlap with the e2e nightly
- # at 03:00 UTC and well before any business-hours traffic on
- # staging. Scheduled runs use the default branch (main).
- - cron: "30 2 * * *"
+ # GATED — k6 hammer is too heavy for the single self-hosted runner.
+ # Re-enable the cron once a dedicated load-test runner exists.
+ # schedule:
+ # - cron: "30 2 * * *"
 workflow_dispatch:
 inputs:
 duration:
@@ -37,7 +36,7 @@ env:
 jobs:
 loadtest:
 name: k6 mixed scenarios (1650 VU steady)
- runs-on: ubuntu-latest
+ runs-on: [self-hosted, incus]
 timeout-minutes: 30
 steps:
diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml
index 631b79c3f..f0a9447fc 100644
--- a/.github/workflows/security-scan.yml
+++ b/.github/workflows/security-scan.yml
@@ -12,7 +12,7 @@ env:
 jobs:
 gitleaks:
 name: Secret Scanning (gitleaks)
- runs-on: ubuntu-latest
+ runs-on: [self-hosted, incus]
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
diff --git a/.github/workflows/trivy-fs.yml b/.github/workflows/trivy-fs.yml
index 7741bb4e0..8d6da1186 100644
--- a/.github/workflows/trivy-fs.yml
+++ b/.github/workflows/trivy-fs.yml
@@ -11,7 +11,7 @@ env:
 jobs:
 trivy-scan:
 name: Trivy FS Scan
- runs-on: ubuntu-latest
+ runs-on: [self-hosted, incus]
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
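Review bot: The commented-out cron in the first loadtest.yml hunk drops the rationale the removed lines carried for the 02:30 UTC slot (clear of the 03:00 e2e nightly and of business-hours traffic on staging), so whoever re-enables it has to rediscover that. Keeping one line next to the commented cron, such as `# 02:30 UTC: clear of the 03:00 e2e nightly and of staging business hours`, preserves it. The workflow is also still called `name: k6 nightly load test` (visible in the hunk header) although nothing runs nightly any more; a name without "nightly" would match what operators now see. The `inputs:` block continues outside the hunk.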
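Review bot: `runs-on: [self-hosted, incus]` in the `gitleaks` job (and in the Trivy job of trivy-fs.yml) puts the scanners on the same runner that executes build and test code from ci.yml, so a scan result is only as trustworthy as that runner's state at job start. If the workspace, PATH or tool cache persists between jobs, an earlier job could leave a modified scanner binary or configuration behind, and the `actions/checkout` step that follows (its `with:` block continues outside the hunk) may leave repository credentials on disk for later jobs. I would document the assumption beside the label, for example `# scan jobs rely on the incus runner starting from a clean image per job`, or give the scanners their own runner label once more capacity exists.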