ci: enforce ubuntu-only public runners

Author: rldyourmnd

.github/branch-protection/main.json

@@ -3,9 +3,7 @@
   "maintainer_access": "maintainer can administer; required checks still apply to pushes",
   "required_status_checks": [
     "Fast validation (ubuntu)",
-    "Fast validation (macos)",
     "Runtime smoke (ubuntu)",
-    "Runtime smoke (macos)",
     "Release dry-run",
     "MCP runtime pin freshness",
     "No-paid static security",

.github/workflows/README.md

@@ -9,7 +9,7 @@ runner labels and keep third-party actions pinned to full commit SHAs.
 
 | Workflow | Purpose |
 | --- | --- |
-| `validate.yml` | Fast validation, optional runtime/release/MCP scopes, Linux and macOS coverage. |
+| `validate.yml` | Fast validation and optional runtime/release/MCP scopes on Ubuntu standard runners. |
 | `security-static.yml` | Action pin validation, actionlint, text security scan, ShellCheck, Pyright, Semgrep. |
 | `secret-scan.yml` | Gitleaks history scan for accidental secrets. |
 | `codeql.yml` | CodeQL code scanning for the adapter source surface. |
@@ -33,5 +33,7 @@ runner labels and keep third-party actions pinned to full commit SHAs.
 
 - Public adapter CI must stay on standard GitHub-hosted runner labels only.
 - No self-hosted or non-standard runner labels.
+- Default, required, scheduled, and release workflows use Ubuntu standard
+  runners only under the owner zero-paid-risk policy.
 - Workflow artifacts must set explicit retention and stay at or below 30 days.
 - Heavy or drift-oriented checks use schedules/manual dispatch where practical.

.github/workflows/validate.yml

@@ -18,11 +18,6 @@ on:
           - release
           - mcp
           - full
-      include_macos:
-        description: Also run the selected validation scope on macOS.
-        required: true
-        default: true
-        type: boolean
 
 permissions:
   contents: read
@@ -72,46 +67,6 @@ jobs:
             pytest.stderr.log
           retention-days: 14
 
-  fast-macos:
-    name: Fast validation (macos)
-    if: |
-      github.event_name != 'workflow_dispatch' ||
-      (inputs.include_macos && (inputs.scope == 'fast' || inputs.scope == 'runtime' || inputs.scope == 'release' || inputs.scope == 'mcp' || inputs.scope == 'full'))
-    runs-on: macos-latest
-    timeout-minutes: 25
-    steps:
-      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          fetch-depth: 0
-
-      - name: Set up validation runtime
-        uses: ./.github/actions/setup-codex-runtime
-        with:
-          install-codex: "false"
-          install-dart: "false"
-
-      - name: Bootstrap fullrepo agent context
-        run: scripts/sync_fullrepo_branch.sh --bootstrap-init
-
-      - name: Run fast validation
-        shell: bash
-        run: |
-          set -euo pipefail
-          scripts/validate_fast.sh 2>pytest.stderr.log
-          python3 scripts/classify_ci_noise.py --strict pytest.stderr.log
-
-      - name: Upload test reports
-        if: always()
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
-        with:
-          name: fast-validation-macos
-          path: |
-            pytest.xml
-            coverage.xml
-            pytest.stderr.log
-          retention-days: 14
-
   runtime-ubuntu:
     name: Runtime smoke (ubuntu)
     if: |
@@ -157,51 +112,6 @@ jobs:
           path: diagnostics/ci
           retention-days: 14
 
-  runtime-macos:
-    name: Runtime smoke (macos)
-    if: |
-      github.event_name != 'workflow_dispatch' ||
-      (inputs.include_macos && (inputs.scope == 'runtime' || inputs.scope == 'full'))
-    runs-on: macos-latest
-    timeout-minutes: 40
-    env:
-      CODEX_HOME: /tmp/rldyour-codex-home
-      RLDYOUR_MCP_CAPABILITY_LIST_ONLY: "1"
-      RLDYOUR_MCP_CAPABILITY_ALLOW_MISSING_ENV: "1"
-      RLDYOUR_SKIP_LSP_HEALTH: "1"
-    steps:
-      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-
-      - name: Set up validation runtime
-        uses: ./.github/actions/setup-codex-runtime
-
-      - name: Run runtime validation
-        run: scripts/validate_runtime.sh --codex-home "$CODEX_HOME" --strict-runtime
-
-      - name: Write validation summary
-        if: success()
-        run: |
-          {
-            echo "## rldyour Codex validation"
-            echo "- OS: ${RUNNER_OS}"
-            echo "- Ref: ${GITHUB_REF}"
-            echo "- SHA: ${GITHUB_SHA}"
-            echo "- Checks: installer, quick strict doctor, Codex hooks/list trust smoke, hook smoke, fullrepo sync smoke"
-          } >> "$GITHUB_STEP_SUMMARY"
-
-      - name: Collect diagnostics
-        if: failure()
-        run: scripts/collect_diagnostics.sh --output diagnostics/ci
-
-      - name: Upload diagnostics
-        if: failure()
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
-        with:
-          name: diagnostics-macos
-          path: diagnostics/ci
-          retention-days: 14
-
   release:
     name: Release dry-run
     if: |

CHANGELOG.md

@@ -7,6 +7,12 @@ The format follows Keep a Changelog, and marketplace/plugin versions follow Sema
 ## [Unreleased]
 
 
+## [1.1.13] - 2026-05-31
+
+### Changed
+
+- Align public adapter CI with Ubuntu-only zero-paid-risk runner policy.
+
 ## [1.1.12] - 2026-05-30
 
 ### Changed

VERSION

@@ -1 +1 @@
-1.1.12
+1.1.13

docs/observability.md

@@ -41,7 +41,10 @@ GitHub Actions writes:
 - failure diagnostic artifacts under `diagnostics/ci`;
 - standard workflow logs for validation, doctor, bootstrap, and dependency checks.
 
-The `validate` workflow is manual-only. Ubuntu is the default runner for cost control; macOS is enabled only when the manual `include_macos` input is true because macOS runner minutes are materially more expensive. The workflow exposes `fast`, `runtime`, `release`, `mcp`, and `full` scopes so an agent can run exactly the requested gate instead of paying for every gate on every push.
+The `validate` workflow uses Ubuntu standard runners only under the owner
+zero-paid-risk public adapter policy. It exposes `fast`, `runtime`, `release`,
+`mcp`, and `full` scopes so an agent can run exactly the requested gate instead
+of running every gate on every push.
 
 The manual `dependency-check` workflow and the `validate` workflow's `mcp`/`full` scopes upload `dependency-check.json` for MCP pin freshness diagnostics.
 

docs/release-process.md

@@ -39,7 +39,7 @@ python3 scripts/release_sbom.py > diagnostics/sbom.spdx.json
 ```
 
 6. Commit with a Conventional Commit message.
-7. Push to `main`, publish `fullrepo` when agent-only files changed, then manually run the `validate` workflow with `scope=full`; set `include_macos=true` when the release needs Linux/macOS parity proof.
+7. Push to `main`, publish `fullrepo` when agent-only files changed, then manually run the `validate` workflow with `scope=full` on the Ubuntu standard runner.
 8. Create the release from `.github/workflows/release.yml` after the requested manual CI scope is green. The workflow validates `VERSION` and `CHANGELOG.md`, builds a deterministic `tar.gz`, writes `release-manifest.json`, writes generated SPDX SBOM evidence, exports the GitHub dependency graph SPDX SBOM from the dependency graph SBOM endpoint when available, creates artifact attestations, and publishes the GitHub Release.
 
 Release tags use the exact SemVer value from `VERSION` without a `v` prefix, for example `0.2.0`.

plugins/rldyour-browser/.codex-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "rldyour-browser",
-  "version": "1.1.12",
+  "version": "1.1.13",
   "description": "Браузерная проверка и debug для Playwright/DevTools. EN: Browser validation and debugging workflows.",
   "author": {
     "name": "Danil Silantyev (github:rldyourmnd), CEO NDDev",

plugins/rldyour-design/.codex-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "rldyour-design",
-  "version": "1.1.12",
+  "version": "1.1.13",
   "description": "Дизайн/Figma/UI workflow с tokens, i18n, FSD и browser proof. EN: Design implementation workflows.",
   "author": {
     "name": "Danil Silantyev (github:rldyourmnd), CEO NDDev",

plugins/rldyour-explore/.codex-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "rldyour-explore",
-  "version": "1.1.12",
+  "version": "1.1.13",
   "description": "Исследование docs, upstream и web evidence. EN: Technical and web research skills.",
   "author": {
     "name": "Danil Silantyev (github:rldyourmnd), CEO NDDev",