selenium: right-size hub + chrome + edge memory limits

Edge node has been OOMKilled 51 times in 5 days (~1 every 2.4h) on a
1Gi memory limit. Chrome runs maxSessions=2 on the same 1Gi cap and
was idling at 684Mi — first concurrent session pushing the node to
~900Mi+ would be the next OOM. Hub was running at 766Mi against a 1Gi
limit (75%); no recent restarts but no headroom either.

Firefox node has been running at 2Gi memory limit for 9 days with
zero restarts — that is the right size for a Selenium 4.27 browser
node under our session profile (screen recording sidecar + 1080p
rendering + page captures). Match it.

Changes:
- Hub:    limit 1Gi -> 1.5Gi, request 512Mi -> 1Gi
- Chrome: limit 1Gi -> 2Gi,   request 512Mi -> 1Gi
- Edge:   limit 1Gi -> 2Gi,   request 512Mi -> 1Gi

CPU left alone on all three — observed utilization is well under the
existing limits (hub 54m / 500m, chrome 185m / 1, edge 11m / 1).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

apps/github-runner/Dockerfile

@@ -12,6 +12,15 @@ ENV PATH="/home/runner/_tool/Ruby/${RUBY_MINOR}/x64/bin:/opt/runner-toolcache/Ru
 
 USER root
 
+# Bake the IAmWorkin step-ca root CA into the system trust store. Without
+# this, .NET HttpClient calls from CI tests against *.iamworkin.lan
+# (e.g. https://selenium.iamworkin.lan/session) fail with `PartialChain`
+# because the runner image's default Ubuntu trust bundle doesn't include
+# our internal Root CA. update-ca-certificates regenerates
+# /etc/ssl/certs/ca-certificates.crt, which OpenSSL + .NET on Linux read
+# automatically — no SSL_CERT_FILE env var needed.
+COPY step-ca-root.crt /usr/local/share/ca-certificates/iamworkin-step-ca-root.crt
+
 RUN apt-get update \
     && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
         autoconf \
@@ -31,6 +40,7 @@ RUN apt-get update \
         pkg-config \
         uuid-dev \
         zlib1g-dev \
+    && update-ca-certificates \
     && curl -fsSL "https://github.com/rbenv/ruby-build/archive/refs/tags/${RUBY_BUILD_VERSION}.tar.gz" -o /tmp/ruby-build.tar.gz \
     && mkdir -p /tmp/ruby-build \
     && tar -xzf /tmp/ruby-build.tar.gz --strip-components=1 -C /tmp/ruby-build \

apps/github-runner/README.md

@@ -7,7 +7,7 @@ Deployments with `kubectl`; update this manifest and let ArgoCD reconcile.
 
 All repo-scoped Linux runners use:
 
-- `localhost/fc-github-runner:v20260520-ruby3.3.11`, derived from
+- `localhost/fc-github-runner:v20260525-ruby3.3.11-stepca`, derived from
   `myoung34/github-runner:latest`
 - `ACCESS_TOKEN` from the `github-runner-token` Secret
 - `RUN_AS_ROOT=false`
@@ -40,14 +40,26 @@ still mounts an `emptyDir` over `/home/runner`, so the `setup-runner-home` init
 container copies the baked toolcache from `/opt/runner-toolcache/Ruby` into
 `/home/runner/_tool/Ruby` before the runner container starts.
 
+The IAmWorkin step-ca root CA is also baked into the system trust store
+(`/usr/local/share/ca-certificates/iamworkin-step-ca-root.crt`, registered by
+`update-ca-certificates`). Without it, .NET HttpClient calls from CI tests
+against `*.iamworkin.lan` (e.g. `https://selenium.iamworkin.lan/session`)
+fail with `PartialChain`. To refresh the bundled cert when the root rotates,
+re-extract from the cluster and overwrite `step-ca-root.crt`:
+
+```bash
+kubectl get secret -n cert-manager step-ca-root \
+  -o jsonpath='{.data.ca\.crt}' | base64 -d > step-ca-root.crt
+```
+
 ```bash
 cd apps/github-runner
-podman build -t localhost/fc-github-runner:v20260520-ruby3.3.11 .
+podman build -t localhost/fc-github-runner:v20260525-ruby3.3.11-stepca .
-podman run --rm localhost/fc-github-runner:v20260520-ruby3.3.11 ruby -v
+podman run --rm localhost/fc-github-runner:v20260525-ruby3.3.11-stepca ruby -v
-podman run --rm localhost/fc-github-runner:v20260520-ruby3.3.11 \
+podman run --rm localhost/fc-github-runner:v20260525-ruby3.3.11-stepca \
   test -f /opt/runner-toolcache/Ruby/3.3/x64.complete
-podman save localhost/fc-github-runner:v20260520-ruby3.3.11 \
+podman save localhost/fc-github-runner:v20260525-ruby3.3.11-stepca \
-  -o fc-github-runner-v20260520-ruby3.3.11.tar
+  -o fc-github-runner-v20260525-ruby3.3.11-stepca.tar
 ```
 
 Import the saved image on every schedulable RKE2 node before ArgoCD rolls the
@@ -55,9 +67,9 @@ Deployments:
 
 ```bash
 for node in rke2-server rke2-agent1 rke2-agent2; do
-  scp fc-github-runner-v20260520-ruby3.3.11.tar "$node:/tmp/"
+  scp fc-github-runner-v20260525-ruby3.3.11-stepca.tar "$node:/tmp/"
-  ssh "$node" 'sudo ctr -a /run/k3s/containerd/containerd.sock -n k8s.io images rm localhost/fc-github-runner:v20260520-ruby3.3.11 || true'
+  ssh "$node" 'sudo ctr -a /run/k3s/containerd/containerd.sock -n k8s.io images rm localhost/fc-github-runner:v20260525-ruby3.3.11-stepca || true'
-  ssh "$node" 'sudo ctr -a /run/k3s/containerd/containerd.sock -n k8s.io images import /tmp/fc-github-runner-v20260520-ruby3.3.11.tar'
+  ssh "$node" 'sudo ctr -a /run/k3s/containerd/containerd.sock -n k8s.io images import /tmp/fc-github-runner-v20260525-ruby3.3.11-stepca.tar'
 done
 ```
 

apps/github-runner/github-runner.yaml

@@ -22,7 +22,7 @@
 #   NUGET_PACKAGES, XDG_CACHE_HOME, and RUNNER_TOOL_CACHE are all pointed at
 #   writable mounted paths under /home/runner so actions/setup-dotnet does not
 #   attempt to install into /usr/share/dotnet.
-#   Ruby 3.3.11 is baked into localhost/fc-github-runner:v20260520-ruby3.3.11
+#   Ruby 3.3.11 is baked into localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
 #   under /opt/runner-toolcache; setup-runner-home copies it into
 #   /home/runner/_tool because the runner-home emptyDir masks image content
 #   under /home/runner at runtime.
@@ -157,7 +157,7 @@ spec:
       # honors the deeper mount.
       initContainers:
         - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           command:
             - sh
@@ -178,7 +178,7 @@ spec:
               mountPath: /home/runner
       containers:
         - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           env:
             # GitHub org/repo targeting.
@@ -334,7 +334,7 @@ spec:
       # rather than re-applied per repo as flipped lanes land.
       initContainers:
         - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           command:
             - sh
@@ -355,7 +355,7 @@ spec:
               mountPath: /home/runner
       containers:
         - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           env:
             - name: REPO_URL
@@ -472,7 +472,7 @@ spec:
         fsGroup: 1001
       initContainers:
         - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           command:
             - sh
@@ -493,7 +493,7 @@ spec:
               mountPath: /home/runner
       containers:
         - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           env:
             - name: REPO_URL
@@ -604,7 +604,7 @@ spec:
         fsGroup: 1001
       initContainers:
         - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           command:
             - sh
@@ -625,7 +625,7 @@ spec:
               mountPath: /home/runner
       containers:
         - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           env:
             - name: REPO_URL
@@ -736,7 +736,7 @@ spec:
         fsGroup: 1001
       initContainers:
         - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           command:
             - sh
@@ -757,7 +757,7 @@ spec:
               mountPath: /home/runner
       containers:
         - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           env:
             - name: REPO_URL
@@ -868,7 +868,7 @@ spec:
         fsGroup: 1001
       initContainers:
         - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           command:
             - sh
@@ -889,7 +889,7 @@ spec:
               mountPath: /home/runner
       containers:
         - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           env:
             - name: REPO_URL
@@ -1003,7 +1003,7 @@ spec:
         fsGroup: 1001
       initContainers:
         - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           command:
             - sh
@@ -1024,7 +1024,7 @@ spec:
               mountPath: /home/runner
       containers:
         - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           env:
             - name: REPO_URL
@@ -1135,7 +1135,7 @@ spec:
         fsGroup: 1001
       initContainers:
         - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           command:
             - sh
@@ -1156,7 +1156,7 @@ spec:
               mountPath: /home/runner
       containers:
         - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           env:
             - name: REPO_URL
@@ -1267,7 +1267,7 @@ spec:
         fsGroup: 1001
       initContainers:
         - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           command:
             - sh
@@ -1288,7 +1288,7 @@ spec:
               mountPath: /home/runner
       containers:
         - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           env:
             - name: REPO_URL
@@ -1399,7 +1399,7 @@ spec:
         fsGroup: 1001
       initContainers:
         - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           command:
             - sh
@@ -1420,7 +1420,7 @@ spec:
               mountPath: /home/runner
       containers:
         - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           env:
             - name: REPO_URL
@@ -1533,7 +1533,7 @@ spec:
         fsGroup: 1001
       initContainers:
         - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           command:
             - sh
@@ -1554,7 +1554,7 @@ spec:
               mountPath: /home/runner
       containers:
         - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           env:
             - name: REPO_URL
@@ -1667,7 +1667,7 @@ spec:
         fsGroup: 1001
       initContainers:
         - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           command:
             - sh
@@ -1688,7 +1688,7 @@ spec:
               mountPath: /home/runner
       containers:
         - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           env:
             - name: REPO_URL
@@ -1802,7 +1802,7 @@ spec:
         fsGroup: 1001
       initContainers:
         - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           command:
             - sh
@@ -1823,7 +1823,7 @@ spec:
               mountPath: /home/runner
       containers:
         - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           env:
             - name: REPO_URL
@@ -1936,7 +1936,7 @@ spec:
         fsGroup: 1001
       initContainers:
         - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           command:
             - sh
@@ -1957,7 +1957,7 @@ spec:
               mountPath: /home/runner
       containers:
         - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           env:
             - name: REPO_URL
@@ -2070,7 +2070,7 @@ spec:
         fsGroup: 1001
       initContainers:
         - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           command:
             - sh
@@ -2091,7 +2091,7 @@ spec:
               mountPath: /home/runner
       containers:
         - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           env:
             - name: REPO_URL
@@ -2204,7 +2204,7 @@ spec:
         fsGroup: 1001
       initContainers:
         - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           command:
             - sh
@@ -2225,7 +2225,7 @@ spec:
               mountPath: /home/runner
       containers:
         - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           env:
             - name: REPO_URL
@@ -2337,7 +2337,7 @@ spec:
         fsGroup: 1001
       initContainers:
         - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           command:
             - sh
@@ -2358,7 +2358,7 @@ spec:
               mountPath: /home/runner
       containers:
         - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           env:
             - name: REPO_URL
@@ -2471,7 +2471,7 @@ spec:
         fsGroup: 1001
       initContainers:
         - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           command:
             - sh
@@ -2492,7 +2492,7 @@ spec:
               mountPath: /home/runner
       containers:
         - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           env:
             - name: REPO_URL
@@ -2604,7 +2604,7 @@ spec:
         fsGroup: 1001
       initContainers:
         - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           command:
             - sh
@@ -2625,7 +2625,7 @@ spec:
               mountPath: /home/runner
       containers:
         - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           env:
             - name: REPO_URL
@@ -2737,7 +2737,7 @@ spec:
         fsGroup: 1001
       initContainers:
         - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           command:
             - sh
@@ -2758,7 +2758,7 @@ spec:
               mountPath: /home/runner
       containers:
         - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           env:
             - name: REPO_URL
@@ -2870,7 +2870,7 @@ spec:
         fsGroup: 1001
       initContainers:
         - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           command:
             - sh
@@ -2891,7 +2891,7 @@ spec:
               mountPath: /home/runner
       containers:
         - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           env:
             - name: REPO_URL
@@ -3003,7 +3003,7 @@ spec:
         fsGroup: 1001
       initContainers:
         - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           command:
             - sh
@@ -3024,7 +3024,7 @@ spec:
               mountPath: /home/runner
       containers:
         - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           env:
             - name: REPO_URL
@@ -3136,7 +3136,7 @@ spec:
         fsGroup: 1001
       initContainers:
         - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           command:
             - sh
@@ -3157,7 +3157,7 @@ spec:
               mountPath: /home/runner
       containers:
         - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           env:
             - name: REPO_URL
@@ -3270,7 +3270,7 @@ spec:
         fsGroup: 1001
       initContainers:
         - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           command:
             - sh
@@ -3291,7 +3291,7 @@ spec:
               mountPath: /home/runner
       containers:
         - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           env:
             - name: REPO_URL
@@ -3404,7 +3404,7 @@ spec:
         fsGroup: 1001
       initContainers:
         - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           command:
             - sh
@@ -3425,7 +3425,7 @@ spec:
               mountPath: /home/runner
       containers:
         - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           env:
             - name: REPO_URL
@@ -3538,7 +3538,7 @@ spec:
         fsGroup: 1001
       initContainers:
         - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           command:
             - sh
@@ -3559,7 +3559,7 @@ spec:
               mountPath: /home/runner
       containers:
         - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           env:
             - name: REPO_URL
@@ -3672,7 +3672,7 @@ spec:
         fsGroup: 1001
       initContainers:
         - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           command:
             - sh
@@ -3693,7 +3693,7 @@ spec:
               mountPath: /home/runner
       containers:
         - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           env:
             - name: REPO_URL
@@ -3806,7 +3806,7 @@ spec:
         fsGroup: 1001
       initContainers:
         - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           command:
             - sh
@@ -3827,7 +3827,7 @@ spec:
               mountPath: /home/runner
       containers:
         - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
           imagePullPolicy: Never
           env:
             - name: REPO_URL

apps/github-runner/step-ca-root.crt

@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIBxDCCAWqgAwIBAgIRAPY357G6ow6zMAL5+4bS2kkwCgYIKoZIzj0EAwIwQDEa
+MBgGA1UEChMRSUFtV29ya2luIEFDTUUgQ0ExIjAgBgNVBAMTGUlBbVdvcmtpbiBB
+Q01FIENBIFJvb3QgQ0EwHhcNMjYwMzA4MTgwNzExWhcNMzYwMzA1MTgwNzExWjBA
+MRowGAYDVQQKExFJQW1Xb3JraW4gQUNNRSBDQTEiMCAGA1UEAxMZSUFtV29ya2lu
+IEFDTUUgQ0EgUm9vdCBDQTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABJ2n04X1
+JZo5Zdq/i1Idv8+fqwZyAzBh7whbqj0SWsJL8UWRabCMqYCs7+dXO0xRSzqkwFDL
+x+vooOai8RgRNhajRTBDMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/
+AgEBMB0GA1UdDgQWBBRnuPPQR6iM/H6vOluiU3Sygayz8jAKBggqhkjOPQQDAgNI
+ADBFAiEArQK9dYPGmAZsdYnjziuFVVE5NKZUcceYvGfGC+tLXUsCIAudF2zJrCRq
+3mK50ZZET/fwTkJwiEF4824mjP8p1CKM
+-----END CERTIFICATE-----

apps/selenium/selenium-grid.yaml

@@ -132,13 +132,18 @@ spec:
           initialDelaySeconds: 10
           periodSeconds: 5
           timeoutSeconds: 5
+        # Hub baseline working set ~766Mi on 2026-05-25 (75% of prior 1Gi
+        # limit). Bump to 1.5Gi / 1Gi to keep ~50% headroom; matches the
+        # stampede-buffer pattern documented for multus
+        # (feedback_k8s_cni_multus_sizing). CPU left alone — observed 54m
+        # against a 500m limit, no contention.
         resources:
           limits:
             cpu: 500m
-            memory: 1Gi
+            memory: 1536Mi
           requests:
             cpu: 250m
-            memory: 512Mi
+            memory: 1Gi
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -198,13 +203,18 @@ spec:
             port: 5555
           initialDelaySeconds: 15
           periodSeconds: 5
+        # Chromium-based browser node. Bumped from 1Gi -> 2Gi (req 512Mi
+        # -> 1Gi) on 2026-05-25 — Edge had 51 OOMKills in 5d on the
+        # original 1Gi cap (~1 OOM every 2.4h), and Chrome at maxSessions=2
+        # was running 684Mi idle on the same cap. Matches the Firefox node's
+        # tested-stable 2Gi limit. CPU unchanged.
         resources:
           limits:
             cpu: '1'
-            memory: 1Gi
+            memory: 2Gi
           requests:
             cpu: 500m
-            memory: 512Mi
+            memory: 1Gi
         volumeMounts:
         - mountPath: /dev/shm
           name: dshm
@@ -378,13 +388,18 @@ spec:
             port: 5555
           initialDelaySeconds: 15
           periodSeconds: 5
+        # Chromium-based browser node. Bumped from 1Gi -> 2Gi (req 512Mi
+        # -> 1Gi) on 2026-05-25 — Edge had 51 OOMKills in 5d on the
+        # original 1Gi cap (~1 OOM every 2.4h), and Chrome at maxSessions=2
+        # was running 684Mi idle on the same cap. Matches the Firefox node's
+        # tested-stable 2Gi limit. CPU unchanged.
         resources:
           limits:
             cpu: '1'
-            memory: 1Gi
+            memory: 2Gi
           requests:
             cpu: 500m
-            memory: 512Mi
+            memory: 1Gi
         volumeMounts:
         - mountPath: /dev/shm
           name: dshm