From bd5ed44b398e835e1c89f2686b8a08f6d95a205d Mon Sep 17 00:00:00 2001
From: Dan Draper <dan@cipherstash.com>
Date: Tue, 2 Jun 2026 13:49:28 +1000
Subject: [PATCH] ci: run release on github-hosted runner for npm provenance
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

OIDC trusted publishing auto-generates provenance attestations, which npm
only accepts from github-hosted runners — Blacksmith (self-hosted) runners
are rejected with E422 ("Unsupported GitHub Actions runner environment:
self-hosted"). Move the release job to ubuntu-latest so publishing succeeds
with provenance. Release runs are infrequent, so losing Blacksmith build
speed here is an acceptable trade for signed provenance.
---
 .github/workflows/release.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 6896bda6..bbfbc47c 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -17,7 +17,10 @@ concurrency: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   release:
     name: Release
-    runs-on: blacksmith-4vcpu-ubuntu-2404
+    # GitHub-hosted (not Blacksmith): npm provenance attestations, which are
+    # generated automatically by OIDC trusted publishing, are only accepted
+    # from github-hosted runners — self-hosted runners are rejected with E422.
+    runs-on: ubuntu-latest
     steps:
       - name: Checkout Repo
         uses: actions/checkout@v6