ci: run release on github-hosted runner for npm provenance

coderdan · coderdan · commit bd5ed44b398e · 2026-06-02T13:49:28.000+10:00
OIDC trusted publishing auto-generates provenance attestations, which npm
only accepts from github-hosted runners — Blacksmith (self-hosted) runners
are rejected with E422 ("Unsupported GitHub Actions runner environment:
self-hosted"). Move the release job to ubuntu-latest so publishing succeeds
with provenance. Release runs are infrequent, so losing Blacksmith build
speed here is an acceptable trade for signed provenance.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -17,7 +17,10 @@ concurrency: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   release:
     name: Release
-    runs-on: blacksmith-4vcpu-ubuntu-2404
+    # GitHub-hosted (not Blacksmith): npm provenance attestations, which are
+    # generated automatically by OIDC trusted publishing, are only accepted
+    # from github-hosted runners — self-hosted runners are rejected with E422.
+    runs-on: ubuntu-latest
     steps:
       - name: Checkout Repo
         uses: actions/checkout@v6
