runners: add github-runner-updater Deployment

FlowerCore.Updater had only the offline bluejay-ws-sandbox-1 Windows
runner registered (the specialized fcsetup E2E target) and no Linux
self-hosted runner, leaving the repo with no Linux PR-CI capacity for
any future workflow. Modeled on github-runner-pimanager (Sprint 32
long-tail final entry, 2026-05-25); two replicas with per-pod emptyDir
caches to keep ReadWriteOnce PVC contention out of the picture.

Also registers github-runner-updater in the LinuxRunnerRepos +
ScaledLinuxRunnerDeployments fleet-lint sets so future suite repairs
treat the entry as canonically required (the 6 pre-existing lint
failures on this file family are orthogonal: initContainer single-
container count assertion + fc-updater IngressRoute POST allowlist
+ DM ApplicationSet convention drift).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

apps/github-runner/github-runner.yaml

@@ -4030,6 +4030,140 @@ spec:
         - name: tmp
           emptyDir: {}
       restartPolicy: Always
+---
+# Runner for FlowerCore.Updater. Two replicas use per-pod emptyDir caches, so
+# backlog can drain without sharing a ReadWriteOnce PVC. Added 2026-05-26 to
+# close the runner-fleet gap that left the repo with only the offline
+# windows-sandbox runner and no Linux PR-CI capacity for future workflows.
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: github-runner-updater
+  namespace: github-runner
+  labels:
+    app.kubernetes.io/name: github-runner-updater
+    app.kubernetes.io/component: runner
+    app.kubernetes.io/part-of: flowercore
+    app.kubernetes.io/managed-by: argocd
+    flowercore.io/created-by: argocd
+    flowercore.io/runner-repo: updater
+    flowercore.io/github-repo: FlowerCore.Updater
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: github-runner-updater
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: github-runner-updater
+        app.kubernetes.io/component: runner
+        app.kubernetes.io/part-of: flowercore
+        flowercore.io/created-by: argocd
+        flowercore.io/runner-repo: updater
+        flowercore.io/github-repo: FlowerCore.Updater
+    spec:
+      serviceAccountName: github-runner
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 1001
+        runAsGroup: 1001
+        fsGroup: 1001
+      initContainers:
+        - name: setup-runner-home
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
+          imagePullPolicy: Never
+          command:
+            - sh
+            - -c
+            - |
+              set -e
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
+              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
+                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
+              fi
+              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
+              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
+          securityContext:
+            runAsUser: 0
+            runAsNonRoot: false
+          volumeMounts:
+            - name: runner-home
+              mountPath: /home/runner
+      containers:
+        - name: runner
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
+          imagePullPolicy: Never
+          env:
+            - name: REPO_URL
+              value: "https://github.com/astoltz/FlowerCore.Updater"
+            - name: RUNNER_NAME_PREFIX
+              value: "rke2-linux-updater"
+            - name: RUNNER_WORKDIR
+              value: "/tmp/runner/work"
+            - name: EPHEMERAL
+              value: "true"
+            - name: LABELS
+              value: "self-hosted,linux,fc-build-linux"
+            - name: HOME
+              value: "/home/runner"
+            - name: DOTNET_INSTALL_DIR
+              value: "/home/runner/.dotnet"
+            - name: DOTNET_CLI_TELEMETRY_OPTOUT
+              value: "1"
+            - name: DOTNET_NOLOGO
+              value: "1"
+            - name: DOTNET_GENERATE_ASPNET_CERTIFICATE
+              value: "false"
+            - name: DOTNET_CLI_HOME
+              value: "/home/runner"
+            - name: NUGET_PACKAGES
+              value: "/home/runner/.nuget/packages"
+            - name: XDG_CACHE_HOME
+              value: "/home/runner/.cache"
+            - name: RUNNER_TOOL_CACHE
+              value: "/home/runner/_tool"
+            - name: ACCESS_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: github-runner-token
+                  key: credential
+            - name: RUN_AS_ROOT
+              value: "false"
+          resources:
+            requests:
+              cpu: "500m"
+              memory: "1Gi"
+            limits:
+              cpu: "2000m"
+              memory: "4Gi"
+          volumeMounts:
+            - name: runner-home
+              mountPath: /home/runner
+            - name: nuget-cache
+              mountPath: /home/runner/.nuget/packages
+            - name: tmp
+              mountPath: /tmp
+          livenessProbe:
+            exec:
+              command:
+                - /bin/sh
+                - -c
+                - "pgrep -f Runner.Listener > /dev/null"
+            initialDelaySeconds: 30
+            periodSeconds: 30
+            failureThreshold: 3
+      volumes:
+        - name: runner-home
+          emptyDir: {}
+        - name: nuget-cache
+          emptyDir:
+            sizeLimit: 2Gi
+        - name: tmp
+          emptyDir: {}
+      restartPolicy: Always
 
 # Long-tail runner pattern:
 #

tests/bluejay-infra-lint/FleetManifestLintTests.cs

@@ -67,6 +67,7 @@ public sealed class FleetManifestLintTests
         ["github-runner-chat"] = "https://github.com/astoltz/FlowerCore.Chat",
         ["github-runner-mysql"] = "https://github.com/astoltz/FlowerCore.MySQL",
         ["github-runner-kiosk-linux"] = "https://github.com/astoltz/FlowerCore.Kiosk.Linux",
+        ["github-runner-updater"] = "https://github.com/astoltz/FlowerCore.Updater",
     };
 
     private static readonly HashSet<string> ScaledLinuxRunnerDeployments = new(StringComparer.Ordinal)
@@ -80,6 +81,7 @@ public sealed class FleetManifestLintTests
         "github-runner-chat",
         "github-runner-mysql",
         "github-runner-kiosk-linux",
+        "github-runner-updater",
     };
 
     private static readonly IReadOnlyDictionary<string, string> WritableRunnerEnv = new Dictionary<string, string>(StringComparer.Ordinal)