Enforce Ubuntu runner policy

MrSphay
2026-05-16 05:02:42 +02:00
parent a4245a1563
commit 2534640e54
11 changed files with 88 additions and 21 deletions

@@ -13,6 +13,10 @@ PROJECT_NAME: PROJECT_DESCRIPTION
- Prefer existing project patterns over new abstractions.
- Keep changes scoped to the user's request.
- Do not commit secrets, `.env` files, private keys, certificates, or tokens.
- Treat `global-runner-1`, `global-runner-2`, and `global-runner-3` as the only available build runners.
- Run project builds, tests, audits, package jobs, installers, dependency setup, and releases only on Gitea Ubuntu runners with `ubuntu-latest`, `ubuntu-24.04`, or `ubuntu-22.04`.
- Do not run those heavy project commands on the user's local machine. Local checks are limited to lightweight reads and validation that do not install dependencies or create build artifacts.
- Do not add Windows or macOS runners. Use open-source Linux-compatible tooling or workflow workarounds that run on the Ubuntu runners.
- Do not rewrite history or run destructive git commands unless explicitly requested.
- Do not create a release unless explicitly requested.
- At the start of every user-requested task, briefly check the repository for upstream updates and apply them immediately with a safe fast-forward pull when the working tree is clean. If local changes exist, do not overwrite them; fetch or report the blocker before editing.
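Review bot: The runner names and the runner labels are introduced as two unrelated facts, and the mapping between them is missing: `global-runner-1`, `global-runner-2`, and `global-runner-3` are host names, while `ubuntu-latest`, `ubuntu-24.04`, and `ubuntu-22.04` are the labels an agent would put in `runs-on`, and `ubuntu-latest` is a floating label whose target can change. State which labels each of the three runners advertises (or that all three carry all three labels) so a workflow cannot name a label no runner serves, and consider pointing agents at the pinned `ubuntu-24.04`/`ubuntu-22.04` labels when reproducible builds matter.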
@@ -46,6 +50,8 @@ AUDIT_COMMAND
If a command is missing, inspect the project and document the closest safe alternative in `.codex/project.md`.
Run these commands through Gitea Actions on the configured Ubuntu runners, not on the user's local machine.
Keep `.codex/project.md` and this `AGENTS.md` aligned when commands, artifact paths, or release rules change.
## Artifacts
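Review bot: "the configured Ubuntu runners" does not say where that configuration is recorded, even though the line above already points to `.codex/project.md` for command alternatives and the line below asks that the two files stay aligned. Name the file that holds the runner labels here (e.g. "the runners listed in `.codex/project.md`") so the policy has one canonical source instead of copies that can drift.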
@@ -80,7 +86,7 @@ ARTIFACT_NAME
## Finish Checklist
- `git diff --check` passes.
- The cheapest reliable verification command has been run, or the reason it could not be run is documented.
- Lightweight local validation has passed, and the cheapest reliable runner-based verification command has been run through Gitea Actions or the reason it could not be run is documented.
- README, changelog, security review, and release checklist are updated when the change touches release behavior.
- `docs/agent-handoff.md` is updated when work is interrupted, risky, or spans multiple sessions.
- Independent follow-up work has tracker issues, or `docs/agent-handoff.md` explains why issues could not be created.
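Review bot: The replacement checklist item folds two distinct checks into one sentence and leaves the `or` ambiguous: "Lightweight local validation has passed, and the cheapest reliable runner-based verification command has been run through Gitea Actions or the reason it could not be run is documented" can be read as the documented reason excusing the local validation as well. Split it into two bullets, one for local validation and one for the runner-based command with its documented-reason fallback, or at least add a comma before "or".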

@@ -7,11 +7,13 @@
- Do not commit secrets, generated credentials, local `.env` files, or private keys.
- Do not create releases unless explicitly requested.
- Preserve unrelated user changes.
- Use only the configured Gitea Ubuntu runners for project builds, tests, audits, packages, installers, dependency setup, and releases. Do not run those commands on the local machine.
- Do not add Windows or macOS runners; use Linux-compatible workarounds that run on `ubuntu-latest`, `ubuntu-24.04`, or `ubuntu-22.04`.
- Create focused issues for real follow-up work that is outside the current change or can be worked on independently. Do not put secrets, tokens, private data, or sensitive logs in public issues.
## Before Committing
Run the cheapest reliable verification commands for this project:
Run the cheapest reliable project verification commands through Gitea Actions:
```bash
LINT_COMMAND
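Review bot: The no-Windows/macOS rule is worded differently from the same rule in the AGENTS.md hunk above: there it reads "Use open-source Linux-compatible tooling or workflow workarounds", here "use Linux-compatible workarounds", so the "open-source" qualifier is silently dropped. Copy the AGENTS.md phrasing so both files state the same constraint. Also, the replaced sentence now says the commands in the following `bash` block run "through Gitea Actions", but a fenced shell block reads as something to type locally; add a comment in the block (or a sentence before it) saying these are workflow steps, not local commands, which also matches the "Do not run those commands on the local machine" bullet added in this hunk.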
@@ -25,7 +27,7 @@ Also run:
git diff --check
```
If a command cannot run, document why in the final response or handoff notes.
Local checks should stay lightweight and must not install dependencies or create build artifacts. If a runner-based command cannot run, document why in the final response or handoff notes.
## Pull Requests
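Review bot: `git diff --check` under "Also run:" is a local command, while the new sentence restricts local checks to lightweight validation. The two are compatible (it reads the working tree, installs nothing, and writes no artifacts), but the text does not say so. State that `git diff --check` is one of the permitted local checks so it is not mistaken for a command that must be routed through a runner.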

@@ -24,6 +24,10 @@ README_COMMAND
If a command does not exist, document the closest safe alternative. Do not invent commands that cannot run.
Project build, test, audit, package, installer, dependency setup, and release commands must run on Gitea Ubuntu runners only. Supported labels are `ubuntu-latest`, `ubuntu-24.04`, and `ubuntu-22.04` on `global-runner-1`, `global-runner-2`, and `global-runner-3`.
Local checks are limited to lightweight validation that does not install dependencies or create build artifacts.
## Stack
```text
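Review bot: This hunk restates the runner policy from AGENTS.md almost verbatim (the label list, the three `global-runner-*` names, and the lightweight-local-checks rule), creating another copy that has to be kept in sync by hand. Keep the full statement in one file and have the other reference it, in line with the "Keep `.codex/project.md` and this `AGENTS.md` aligned" rule this same commit adds. The sentence "Supported labels are ... on `global-runner-1`, `global-runner-2`, and `global-runner-3`" also implies every label is available on every runner; if that is not the case, list the labels per runner, since the context line above this hunk already says not to invent commands that cannot run and the same applies to labels.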
@@ -63,11 +67,11 @@ ARTIFACT_NAME
Before a release:
1. run the release checklist,
2. verify CI is green,
2. verify CI is green on a supported Gitea Ubuntu runner,
3. verify download links,
4. update README and changelog,
5. verify release artifacts exclude Codex kit metadata such as `AGENTS.md`, `.codex/`, `blueprint.md`, `blueprint.json`, template workflows, and agent handoff notes unless the user explicitly wants those shipped,
6. create a tag,
7. create the release.
7. create the release through Gitea Actions or the Gitea API.
Do not create releases unless the user explicitly asks for a release.
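Review bot: Step 6 "create a tag" is left unchanged while step 7 is moved to Gitea Actions or the Gitea API, so it is unclear whether creating and pushing the tag counts as a release command that must not run locally (the checklist hunk in this commit forbids running any release command on the local machine). State where the tag is created; if the Gitea API path is used for the tag or the release, note that the token comes from a repository secret, consistent with the "Do not commit secrets, ... or tokens" rule in AGENTS.md.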

@@ -9,9 +9,11 @@
## Quality
- [ ] Working tree is clean.
- [ ] Lint/type checks pass.
- [ ] Tests pass or missing tests are documented.
- [ ] Build succeeds in CI.
- [ ] Lightweight local validation passes without installing dependencies or creating build artifacts.
- [ ] Lint/type checks pass on a Gitea Ubuntu runner.
- [ ] Tests pass on a Gitea Ubuntu runner or missing tests are documented.
- [ ] Build succeeds in CI on `ubuntu-latest`, `ubuntu-24.04`, or `ubuntu-22.04`.
- [ ] No project build, test, audit, package, installer, dependency setup, or release command was run on the local machine.
## Security
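Review bot: The new item "No project build, test, audit, package, installer, dependency setup, or release command was run on the local machine" is a negative assertion that cannot be verified from the repository after the fact. Make it auditable by requiring a reference (for example the Gitea Actions run URL) for the three preceding "on a Gitea Ubuntu runner" / "in CI on `ubuntu-latest`, ..." items; a recorded run is evidence, a ticked box is not.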
@@ -32,5 +34,5 @@
- [ ] Git tag created.
- [ ] Release notes written.
- [ ] Release published.
- [ ] Release published from Gitea Actions or through the Gitea API, not by running local release tooling.
- [ ] Post-release download smoke test completed.
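Review bot: The unchanged "Post-release download smoke test completed" item now sits beside a rule that forbids local release tooling, and it does not say whether the smoke test may run locally. Downloading and inspecting a published artifact fits the lightweight-local-check definition added to AGENTS.md in this commit (no dependency install, no build artifact created), so say so explicitly, or move the smoke test into the release workflow so the entire release path stays on the runner.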