chore: migrate CI/release to ARC self-hosted runners (#93)

* chore: use ARC self-hosted runner for CI

* chore: use ARC self-hosted runner for release workflow

* fix: harden ARC runner migration with security and reliability safeguards

- Fall back to `ubuntu-latest` for fork PRs to prevent untrusted code
  execution on self-hosted ARC runners
- Add `timeout-minutes: 60` to all CI and release jobs (self-hosted
  runners have no default timeout unlike GitHub-hosted 6h limit)
- Write `NPM_TOKEN` to `$RUNNER_TEMP/.npmrc` instead of `~/.npmrc` to
  prevent secret persistence on self-hosted runners
- Set `NPM_CONFIG_USERCONFIG` to point publish step to temp `.npmrc`
- Add `concurrency` group to CI workflow to cancel superseded runs

---------

Co-authored-by: anandgupta42 <anand@altimate.ai>

Author: govindpawa

.github/workflows/ci.yml

@@ -6,10 +6,15 @@ on:
   pull_request:
     branches: [main]
 
+concurrency:
+  group: ci-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
   typescript:
     name: TypeScript
-    runs-on: ubuntu-latest
+    runs-on: ${{ github.event.pull_request.head.repo.fork && 'ubuntu-latest' || 'arc-runner-altimate-code' }}
+    timeout-minutes: 60
     steps:
       - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
@@ -39,7 +44,8 @@ jobs:
 
   lint:
     name: Lint
-    runs-on: ubuntu-latest
+    runs-on: ${{ github.event.pull_request.head.repo.fork && 'ubuntu-latest' || 'arc-runner-altimate-code' }}
+    timeout-minutes: 60
     steps:
       - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
@@ -56,7 +62,8 @@ jobs:
 
   python:
     name: Python ${{ matrix.python-version }}
-    runs-on: ubuntu-latest
+    runs-on: ${{ github.event.pull_request.head.repo.fork && 'ubuntu-latest' || 'arc-runner-altimate-code' }}
+    timeout-minutes: 60
     strategy:
       matrix:
         python-version: ["3.10", "3.11", "3.12"]

.github/workflows/release.yml

@@ -15,7 +15,8 @@ env:
 jobs:
   build:
     name: Build (${{ matrix.os }})
-    runs-on: ubuntu-latest
+    runs-on: arc-runner-altimate-code
+    timeout-minutes: 60
     permissions:
       contents: read
     strategy:
@@ -58,7 +59,8 @@ jobs:
   publish-npm:
     name: Publish to npm
     needs: build
-    runs-on: ubuntu-latest
+    runs-on: arc-runner-altimate-code
+    timeout-minutes: 60
     permissions:
       contents: read
     steps:
@@ -87,7 +89,7 @@ jobs:
           merge-multiple: true
 
       - name: Configure npm auth
-        run: echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" > ~/.npmrc
+        run: echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" > "$RUNNER_TEMP/.npmrc"
         env:
           NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
 
@@ -115,14 +117,16 @@ jobs:
           OPENCODE_RELEASE: "1"
           NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
           NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+          NPM_CONFIG_USERCONFIG: ${{ runner.temp }}/.npmrc
           GH_REPO: ${{ env.GH_REPO }}
           GITHUB_TOKEN: ${{ secrets.HOMEBREW_TAP_TOKEN }}
 
   # Engine publish runs without waiting for build — it builds from source and
   # doesn't need CLI binary artifacts. This allows it to run in parallel.
   publish-engine:
     name: Publish engine to PyPI
-    runs-on: ubuntu-latest
+    runs-on: arc-runner-altimate-code
+    timeout-minutes: 60
     environment: pypi
     permissions:
       contents: read
@@ -152,7 +156,8 @@ jobs:
   github-release:
     name: Create GitHub Release
     needs: [build, publish-npm]
-    runs-on: ubuntu-latest
+    runs-on: arc-runner-altimate-code
+    timeout-minutes: 60
     permissions:
       contents: write
     steps: