docs(fc-build-windows): capture runner operator gate

2026-05-20 11:27:21 -05:00
10 changed files with 499 additions and 847 deletions
--- a/apps/authentik/authentik.yaml
+++ b/apps/authentik/authentik.yaml
@@ -1,448 +0,0 @@
-# Authentik OIDC backend
-# ArgoCD-managed. BlueJay Lab.
-#
-# Stack:
-#   - PostgreSQL 16 StatefulSet (single replica, Longhorn RWO 5Gi)
-#   - Redis 7 Deployment (no persistence — session/cache only)
-#   - Authentik server + worker Deployments (image ghcr.io/goauthentik/server:2024.12.3)
-#   - Media PVC shared between server + worker (Longhorn RWO 2Gi)
-#   - Certificate via step-ca-acme ClusterIssuer
-#   - Traefik IngressRoute at id.iamworkin.lan
-#
-# Secrets come from 1Password item "authentik-credentials" (IAmWorkin vault, id y6i74ch22q5wvm7znquq4nhhcu)
-# via the OnePasswordItem CRD, materialized into k8s Secret authentik/authentik-credentials.
-#
-# Why the discovery URL is /application/o/pimanager/ : Authentik issues per-application OIDC providers.
-# The pimanager OIDC application/provider is created after the cluster pods are healthy (manual or
-# via API once the bootstrap token is available — see Notes substrate).
-
---
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: authentik
-  labels:
-    app.kubernetes.io/part-of: bluejay-infra
-
---
-# 1Password operator pulls the authentik-credentials item into a k8s Secret of the same name.
-# Field labels in 1P become Secret keys: AUTHENTIK_SECRET_KEY, POSTGRES_PASSWORD, REDIS_PASSWORD,
-# BOOTSTRAP_ADMIN_PASSWORD, BOOTSTRAP_ADMIN_TOKEN, BOOTSTRAP_ADMIN_EMAIL.
-apiVersion: onepassword.com/v1
-kind: OnePasswordItem
-metadata:
-  name: authentik-credentials
-  namespace: authentik
-spec:
-  itemPath: "vaults/IAmWorkin/items/authentik-credentials"
-
---
-# Shared media volume for server + worker pods.
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: authentik-media
-  namespace: authentik
-spec:
-  storageClassName: longhorn
-  accessModes: [ReadWriteOnce]
-  resources:
-    requests:
-      storage: 2Gi
-
---
-# PostgreSQL 16 StatefulSet — Authentik's primary store.
-apiVersion: apps/v1
-kind: StatefulSet
-metadata:
-  name: authentik-postgres
-  namespace: authentik
-  labels:
-    app: authentik-postgres
-    argocd.argoproj.io/instance: infra-authentik
-spec:
-  persistentVolumeClaimRetentionPolicy:
-    whenDeleted: Retain
-    whenScaled: Retain
-  podManagementPolicy: OrderedReady
-  serviceName: authentik-postgres
-  replicas: 1
-  revisionHistoryLimit: 10
-  selector:
-    matchLabels:
-      app: authentik-postgres
-  template:
-    metadata:
-      labels:
-        app: authentik-postgres
-    spec:
-      containers:
-        - name: postgres
-          image: postgres:16-alpine
-          ports:
-            - containerPort: 5432
-              name: postgres
-          env:
-            - name: POSTGRES_USER
-              value: authentik
-            - name: POSTGRES_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: authentik-credentials
-                  key: POSTGRES_PASSWORD
-            - name: POSTGRES_DB
-              value: authentik
-            - name: POSTGRES_INITDB_ARGS
-              value: "--encoding=UTF-8 --lc-collate=C --lc-ctype=C"
-            - name: PGDATA
-              value: /var/lib/postgresql/data/pgdata
-          readinessProbe:
-            exec:
-              command: ["pg_isready", "-U", "authentik"]
-            initialDelaySeconds: 5
-            periodSeconds: 5
-          livenessProbe:
-            exec:
-              command: ["pg_isready", "-U", "authentik"]
-            initialDelaySeconds: 30
-            periodSeconds: 30
-          resources:
-            requests: { cpu: 100m, memory: 256Mi }
-            limits: { cpu: 1000m, memory: 1Gi }
-          volumeMounts:
-            - name: pgdata
-              mountPath: /var/lib/postgresql/data
-  volumeClaimTemplates:
-    - metadata:
-        name: pgdata
-      spec:
-        storageClassName: longhorn
-        accessModes: [ReadWriteOnce]
-        volumeMode: Filesystem
-        resources:
-          requests:
-            storage: 5Gi
-
---
-apiVersion: v1
-kind: Service
-metadata:
-  name: authentik-postgres
-  namespace: authentik
-spec:
-  clusterIP: None
-  selector:
-    app: authentik-postgres
-  ports:
-    - name: postgres
-      port: 5432
-      targetPort: 5432
-
---
-# Redis 7 — session storage + Celery broker. No persistence needed (cache).
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: authentik-redis
-  namespace: authentik
-  labels:
-    app: authentik-redis
-    argocd.argoproj.io/instance: infra-authentik
-spec:
-  replicas: 1
-  strategy:
-    type: Recreate
-  selector:
-    matchLabels:
-      app: authentik-redis
-  template:
-    metadata:
-      labels:
-        app: authentik-redis
-    spec:
-      containers:
-        - name: redis
-          image: redis:7-alpine
-          args:
-            - "--save"
-            - ""
-            - "--appendonly"
-            - "no"
-            - "--requirepass"
-            - "$(REDIS_PASSWORD)"
-          env:
-            - name: REDIS_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: authentik-credentials
-                  key: REDIS_PASSWORD
-          ports:
-            - containerPort: 6379
-              name: redis
-          readinessProbe:
-            tcpSocket: { port: 6379 }
-            initialDelaySeconds: 5
-            periodSeconds: 5
-          livenessProbe:
-            tcpSocket: { port: 6379 }
-            initialDelaySeconds: 30
-            periodSeconds: 30
-          resources:
-            requests: { cpu: 50m, memory: 64Mi }
-            limits: { cpu: 500m, memory: 256Mi }
-
---
-apiVersion: v1
-kind: Service
-metadata:
-  name: authentik-redis
-  namespace: authentik
-spec:
-  selector:
-    app: authentik-redis
-  ports:
-    - name: redis
-      port: 6379
-      targetPort: 6379
-
---
-# Authentik server Deployment — HTTP frontend on :9000.
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: authentik-server
-  namespace: authentik
-  labels:
-    app: authentik-server
-    argocd.argoproj.io/instance: infra-authentik
-spec:
-  replicas: 1
-  strategy:
-    type: Recreate  # shares /media RWO PVC with worker
-  selector:
-    matchLabels:
-      app: authentik-server
-  template:
-    metadata:
-      labels:
-        app: authentik-server
-    spec:
-      securityContext:
-        # Authentik image runs as uid 1000 "authentik" but the Longhorn PVC mounts
-        # root:root by default. fsGroup recursively chgrp + chmod g+rwx so the
-        # non-root container can mkdir /media/public during the tenant_files migration.
-        fsGroup: 1000
-      containers:
-        - name: server
-          image: ghcr.io/goauthentik/server:2024.12.3
-          args: ["server"]
-          ports:
-            - containerPort: 9000
-              name: http
-            - containerPort: 9443
-              name: https
-          env:
-            - name: AUTHENTIK_SECRET_KEY
-              valueFrom:
-                secretKeyRef:
-                  name: authentik-credentials
-                  key: AUTHENTIK_SECRET_KEY
-            - name: AUTHENTIK_REDIS__HOST
-              value: authentik-redis
-            - name: AUTHENTIK_REDIS__PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: authentik-credentials
-                  key: REDIS_PASSWORD
-            - name: AUTHENTIK_POSTGRESQL__HOST
-              value: authentik-postgres
-            - name: AUTHENTIK_POSTGRESQL__NAME
-              value: authentik
-            - name: AUTHENTIK_POSTGRESQL__USER
-              value: authentik
-            - name: AUTHENTIK_POSTGRESQL__PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: authentik-credentials
-                  key: POSTGRES_PASSWORD
-            - name: AUTHENTIK_BOOTSTRAP_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: authentik-credentials
-                  key: BOOTSTRAP_ADMIN_PASSWORD
-            - name: AUTHENTIK_BOOTSTRAP_TOKEN
-              valueFrom:
-                secretKeyRef:
-                  name: authentik-credentials
-                  key: BOOTSTRAP_ADMIN_TOKEN
-            - name: AUTHENTIK_BOOTSTRAP_EMAIL
-              valueFrom:
-                secretKeyRef:
-                  name: authentik-credentials
-                  key: BOOTSTRAP_ADMIN_EMAIL
-            - name: AUTHENTIK_DISABLE_UPDATE_CHECK
-              value: "true"
-            - name: AUTHENTIK_ERROR_REPORTING__ENABLED
-              value: "false"
-            - name: AUTHENTIK_LOG_LEVEL
-              value: info
-          # First-boot Authentik can take 3+ min on the migration phase
-          # (waiting on DB lock while worker also runs migrations). Initial
-          # delays are generous so kubelet doesn't kill the pod mid-migration;
-          # periodSeconds keeps post-startup probing responsive.
-          readinessProbe:
-            httpGet:
-              path: /-/health/ready/
-              port: 9000
-            initialDelaySeconds: 60
-            periodSeconds: 10
-            timeoutSeconds: 5
-            failureThreshold: 12
-          livenessProbe:
-            httpGet:
-              path: /-/health/live/
-              port: 9000
-            initialDelaySeconds: 300
-            periodSeconds: 30
-            timeoutSeconds: 10
-            failureThreshold: 3
-          startupProbe:
-            httpGet:
-              path: /-/health/live/
-              port: 9000
-            initialDelaySeconds: 30
-            periodSeconds: 15
-            timeoutSeconds: 10
-            failureThreshold: 40  # 30s + 40*15s = 10.5 min budget
-          resources:
-            requests: { cpu: 150m, memory: 512Mi }
-            limits: { cpu: 1500m, memory: 1Gi }
-          volumeMounts:
-            - name: media
-              mountPath: /media
-      volumes:
-        - name: media
-          persistentVolumeClaim:
-            claimName: authentik-media
-
---
-# Authentik worker Deployment — runs Celery background tasks.
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: authentik-worker
-  namespace: authentik
-  labels:
-    app: authentik-worker
-    argocd.argoproj.io/instance: infra-authentik
-spec:
-  replicas: 1
-  strategy:
-    type: Recreate  # shares /media RWO PVC with server
-  selector:
-    matchLabels:
-      app: authentik-worker
-  template:
-    metadata:
-      labels:
-        app: authentik-worker
-    spec:
-      securityContext:
-        # Same as server pod — non-root uid 1000 needs PVC group write.
-        fsGroup: 1000
-      containers:
-        - name: worker
-          image: ghcr.io/goauthentik/server:2024.12.3
-          args: ["worker"]
-          env:
-            - name: AUTHENTIK_SECRET_KEY
-              valueFrom:
-                secretKeyRef:
-                  name: authentik-credentials
-                  key: AUTHENTIK_SECRET_KEY
-            - name: AUTHENTIK_REDIS__HOST
-              value: authentik-redis
-            - name: AUTHENTIK_REDIS__PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: authentik-credentials
-                  key: REDIS_PASSWORD
-            - name: AUTHENTIK_POSTGRESQL__HOST
-              value: authentik-postgres
-            - name: AUTHENTIK_POSTGRESQL__NAME
-              value: authentik
-            - name: AUTHENTIK_POSTGRESQL__USER
-              value: authentik
-            - name: AUTHENTIK_POSTGRESQL__PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: authentik-credentials
-                  key: POSTGRES_PASSWORD
-            - name: AUTHENTIK_DISABLE_UPDATE_CHECK
-              value: "true"
-            - name: AUTHENTIK_ERROR_REPORTING__ENABLED
-              value: "false"
-            - name: AUTHENTIK_LOG_LEVEL
-              value: info
-          resources:
-            requests: { cpu: 100m, memory: 256Mi }
-            limits: { cpu: 1000m, memory: 768Mi }
-          volumeMounts:
-            - name: media
-              mountPath: /media
-      volumes:
-        - name: media
-          persistentVolumeClaim:
-            claimName: authentik-media
-
---
-apiVersion: v1
-kind: Service
-metadata:
-  name: authentik-server
-  namespace: authentik
-spec:
-  selector:
-    app: authentik-server
-  ports:
-    - name: http
-      port: 9000
-      targetPort: 9000
-    - name: https
-      port: 9443
-      targetPort: 9443
-
---
-# step-ca leaf certificate for id.iamworkin.lan.
-# step-ca container resolver uses pfSense Unbound, so the public A record for id.iamworkin.lan
-# MUST exist before this Certificate is applied (cert-manager HTTP-01 will silently 2h-backoff
-# otherwise). Added 2026-05-25 via scripts/pfsense-add-id-host.py.
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: authentik-tls
-  namespace: authentik
-spec:
-  secretName: authentik-tls
-  dnsNames:
-    - id.iamworkin.lan
-  issuerRef:
-    name: step-ca-acme
-    kind: ClusterIssuer
-
---
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
-  name: authentik
-  namespace: authentik
-spec:
-  entryPoints: [websecure]
-  routes:
-    - match: Host(`id.iamworkin.lan`)
-      kind: Rule
-      services:
-        - name: authentik-server
-          port: 9000
-  tls:
-    secretName: authentik-tls
--- a/apps/fc-build-windows/README.md
+++ b/apps/fc-build-windows/README.md
@@ -0,0 +1,263 @@
+# fc-build-windows runner gate
+
+Status: OPEN-WITH-OPERATOR-ACTION as of 2026-05-20.
+
+This directory is intentionally not a live runner deployment. It records the
+exact gate for bringing up the Windows self-hosted runner fleet without faking
+capacity in GitHub or Kubernetes.
+
+## Lane evidence
+
+- `D:\git\FlowerCore\FlowerCore.Notes\docs\dashboards\decisions-waiting.html`
+  lines 15078-15085: Q-MR-82 says the Updater Windows Sandbox E2E run is
+  queued and `bluejay-ws-sandbox-1` is offline.
+- `D:\git\FlowerCore\FlowerCore.Notes\memory\project_morning_routine_8_2026_05_20.md`:
+  Morning Routine #8 carries Q-MR-82 as the fleet-wide Windows runner gap.
+- `D:\git\FlowerCore\FlowerCore.Notes\docs\standards\sprint-37-codex-dispatch-log-2026-05-19.md`
+  lines 76, 84-85, and 97: keep BLUEJAY-WS out of runner plans, merge Linux
+  runner expansion separately, and keep true Windows-only workflows parked on
+  the Windows runner host substrate path.
+- `D:\git\FlowerCore\FlowerCore.Notes\docs\ai-agents\codex-prompts\2026-05-20-xxxxl-sprint-42-orchestrator-briefs.md`
+  lane Cx-5: land a deployment only if a Windows runner image/substrate is
+  ready; otherwise commit an operator-action gate.
+- `D:\git\FlowerCore\FlowerCore.Notes\memory\feedback_bluejay_ws_never_a_github_runner.md`:
+  BLUEJAY-WS is operator-only territory; Windows runners belong on a dedicated
+  KubeVirt Windows VM such as `ci1` or a sibling VM.
+
+## Live probe summary
+
+Commands run on 2026-05-20 from `D:\git\FlowerCore\bluejay-infra`:
+
+```powershell
+$env:KUBECONFIG="$env:USERPROFILE\.kube\rke2.yaml"
+kubectl get nodes -o jsonpath='{range .items[*]}{.metadata.name}{"`t"}{.metadata.labels.kubernetes\.io/os}{"`n"}{end}'
+```
+
+Result: `rke2-agent1`, `rke2-agent2`, and `rke2-server` all report
+`kubernetes.io/os=linux`. There is no Windows Kubernetes node, so Windows
+containers on RKE2 cannot satisfy `fc-build-windows`.
+
+```powershell
+kubectl -n kubevirt-vms get vm,vmi,pods -o wide
+```
+
+Result: KubeVirt is healthy and `ci1` is `Running` / `Ready=True` on
+`rke2-agent1` with VMI IP `10.42.103.35`.
+
+```powershell
+virtctl --kubeconfig $env:USERPROFILE\.kube\rke2.yaml port-forward vm/ci1.kubevirt-vms 15985:5985
+```
+
+Result during port tests: `dial tcp 10.42.103.35:5985: connect: no route to
+host`. The same result was seen for RDP 3389 and SSH 22. The VM exists, but it
+is not remotely reachable for runner bootstrap from this lane.
+
+```powershell
+gh api /repos/astoltz/FlowerCore.Updater/actions/runners `
+  --jq '.runners[]? | {name,status,busy,labels:[.labels[].name]}'
+gh run list --repo astoltz/FlowerCore.Updater `
+  --workflow "Updater Windows Sandbox E2E" --limit 5
+```
+
+Result: GitHub has one Updater runner, `bluejay-ws-sandbox-1`, with
+`status=offline`; run `26150689447` is still `queued`.
+
+## Feasibility classification
+
+### Option A: Windows containers on RKE2
+
+Not feasible without operator-physical infrastructure work. Kubernetes Windows
+containers require a Windows node. The current cluster has Linux-only RKE2
+nodes.
+
+### Option B: KubeVirt Windows VM
+
+Partially present, not deployable from this lane.
+
+`apps/kubevirt-vms/ci1.yaml` already defines a Windows Server 2025 KubeVirt VM
+using `localhost/fc-win-server-2025:v1`, and the live VM is running. However:
+
+- the guest is not reachable over RDP, WinRM, or SSH through `virtctl
+  port-forward`;
+- the current root disk is a `containerDisk`, so runner installation inside the
+  running guest is not a durable fleet state unless the first-boot automation
+  re-registers on every boot or the VM is moved to a persistent PVC-backed
+  disk;
+- FC.Updater `Updater Windows Sandbox E2E` uses
+  `[self-hosted, windows, windows-sandbox]`, while `fc-build-windows` build jobs
+  use `[self-hosted, windows, fc-build-windows]`. Do not advertise
+  `windows-sandbox` until Windows Sandbox has been proven in the guest.
+
+### Option C: bluejay-ws-sandbox-1
+
+Operator-only emergency fallback. GitHub shows it registered but offline. The
+current memory says BLUEJAY-WS must not be a fleet runner host, so this lane
+does not start or re-register it. If the operator deliberately overrides the
+policy to drain an emergency queue, start the existing visible runner console
+from the BLUEJAY-WS desktop and treat that as temporary break-glass, not the
+permanent Q-MR-82 closure.
+
+## Operator action plan
+
+### 1. Pick the Windows host class
+
+Use `ci1` or a sibling Windows Server 2025 VM for WPF build/test jobs that need
+`fc-build-windows`.
+
+Use a Windows 11 Pro/Enterprise KubeVirt VM for Updater or WorldBuilder
+Windows Sandbox gates, unless Windows Sandbox support is explicitly proven on
+the selected guest. The workflow labels must match the real capability:
+
+- WPF build runner: `self-hosted,windows,fc-build-windows,ci1`
+- Sandbox runner: `self-hosted,windows,windows-sandbox,ci-sandbox1`
+
+### 2. Make the VM reachable and durable
+
+From BLUEJAY-WS:
+
+```powershell
+$env:KUBECONFIG="$env:USERPROFILE\.kube\rke2.yaml"
+kubectl -n kubevirt-vms get vm,vmi,pods -o wide
+virtctl --kubeconfig $env:KUBECONFIG vnc ci1 -n kubevirt-vms
+virtctl --kubeconfig $env:KUBECONFIG port-forward vm/ci1.kubevirt-vms 13389:3389
+virtctl --kubeconfig $env:KUBECONFIG port-forward vm/ci1.kubevirt-vms 15985:5985
+```
+
+Before runner registration, fix the current port-forward failure. The expected
+state is that RDP or WinRM accepts a connection through the control plane.
+
+For durability, either:
+
+- move the runner VM to a persistent PVC-backed root disk; or
+- keep `containerDisk` and bake first-boot runner registration into the sysprep
+  flow using a non-expiring credential lookup path.
+
+Do not install a runner by hand into a transient VM and call Q-MR-82 closed.
+
+### 3. Install runner prerequisites inside the VM
+
+Run in an elevated PowerShell session in the Windows runner guest:
+
+```powershell
+winget install Microsoft.DotNet.SDK.10 --silent
+winget install Microsoft.DotNet.DesktopRuntime.8 --silent
+winget install Microsoft.PowerShell --silent
+winget install Git.Git --silent
+winget install Microsoft.VisualStudio.2022.BuildTools --silent
+winget install Google.Chrome --silent
+```
+
+For a Sandbox-capable runner only:
+
+```powershell
+Enable-WindowsOptionalFeature -Online -FeatureName Containers-DisposableClientVM -All
+Restart-Computer -Force
+```
+
+After reboot:
+
+```powershell
+Get-CimInstance -ClassName Win32_OptionalFeature -Filter "Name='Containers-DisposableClientVM'"
+Test-Path C:\Windows\System32\WindowsSandbox.exe
+```
+
+### 4. Register repo-scoped GitHub runners
+
+The `astoltz` account uses repo-scoped runners. Generate a fresh one-hour
+registration token per repo immediately before `config.cmd`.
+
+From a trusted operator shell with `gh` authenticated:
+
+```powershell
+$repos = @(
+  "FlowerCore.Updater",
+  "FlowerCore.WorldBuilder",
+  "FlowerCore.DeviceManagement"
+)
+
+foreach ($repo in $repos) {
+  $token = gh api -X POST "/repos/astoltz/$repo/actions/runners/registration-token" --jq .token
+  $repoSlug = $repo.ToLowerInvariant().Replace("flowercore.", "").Replace(".", "-")
+  $runnerDir = "C:\fc-ghr\$repoSlug-fc-build-windows"
+
+  New-Item -ItemType Directory -Force -Path $runnerDir | Out-Null
+  Set-Location $runnerDir
+
+  if (-not (Test-Path ".\config.cmd")) {
+    Invoke-WebRequest `
+      -Uri "https://github.com/actions/runner/releases/download/v2.323.0/actions-runner-win-x64-2.323.0.zip" `
+      -OutFile "actions-runner.zip"
+    Add-Type -AssemblyName System.IO.Compression.FileSystem
+    [System.IO.Compression.ZipFile]::ExtractToDirectory((Resolve-Path actions-runner.zip), $runnerDir)
+  }
+
+  .\config.cmd `
+    --url "https://github.com/astoltz/$repo" `
+    --token $token `
+    --name "ci1-$repoSlug-fc-build-windows" `
+    --labels "self-hosted,windows,fc-build-windows,ci1" `
+    --work "_work" `
+    --unattended `
+    --replace
+
+  .\svc.ps1 install
+  .\svc.ps1 start
+}
+```
+
+For Updater Sandbox E2E, register only after the guest proves Sandbox support,
+and use `windows-sandbox` labels:
+
+```powershell
+$token = gh api -X POST "/repos/astoltz/FlowerCore.Updater/actions/runners/registration-token" --jq .token
+.\config.cmd `
+  --url "https://github.com/astoltz/FlowerCore.Updater" `
+  --token $token `
+  --name "ci-sandbox1-updater" `
+  --labels "self-hosted,windows,windows-sandbox,ci-sandbox1" `
+  --work "_work" `
+  --unattended `
+  --replace
+```
+
+Keep registration tokens out of Git and logs. The durable credential source for
+automation should be the existing 1Password item named `GitHub PAT (Runner
+Registration)`, used only to mint short-lived repo registration tokens.
+
+### 5. Verify GitHub and workflow pickup
+
+```powershell
+gh api /repos/astoltz/FlowerCore.Updater/actions/runners `
+  --jq '.runners[] | select(.labels[].name == "windows-sandbox") | {name,status,busy,labels:[.labels[].name]}'
+
+gh api /repos/astoltz/FlowerCore.DeviceManagement/actions/runners `
+  --jq '.runners[] | select(.labels[].name == "fc-build-windows") | {name,status,busy,labels:[.labels[].name]}'
+
+gh run list --repo astoltz/FlowerCore.Updater `
+  --workflow "Updater Windows Sandbox E2E" --limit 3
+```
+
+Q-MR-82 can be marked resolved only after the Updater run moves from `queued` to
+`in_progress` or `completed` on an online runner, or after the affected WPF
+build repos show online `fc-build-windows` repo-scoped runners and their queued
+jobs start.
+
+## Break-glass BLUEJAY-WS command
+
+Only if the operator explicitly overrides the "BLUEJAY-WS is not a runner"
+policy to drain a queue:
+
+```powershell
+Set-Location C:\fc-ghr\updater-sandbox
+.\run.cmd
+```
+
+If a Windows service exists:
+
+```powershell
+Get-Service 'actions.runner.*'
+Start-Service 'actions.runner.*'
+```
+
+This does not close Q-MR-82 permanently. It is a temporary queue drain until a
+dedicated VM runner is online.
--- a/apps/fc-build-windows/kustomization.yaml
+++ b/apps/fc-build-windows/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - operator-gate-configmap.yaml
--- a/apps/fc-build-windows/operator-gate-configmap.yaml
+++ b/apps/fc-build-windows/operator-gate-configmap.yaml
@@ -0,0 +1,61 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: fc-build-windows-operator-gate
+  namespace: kubevirt-vms
+  labels:
+    app.kubernetes.io/name: fc-build-windows
+    app.kubernetes.io/component: operator-gate
+    app.kubernetes.io/part-of: github-runner
+    flowercore.io/q-card: Q-MR-82
+  annotations:
+    flowercore.io/outcome: OPEN-WITH-OPERATOR-ACTION
+    flowercore.io/live-runner: "false"
+data:
+  outcome: OPEN-WITH-OPERATOR-ACTION
+  gate.md: |
+    Do not treat this ConfigMap as runner capacity.
+
+    Current probe, 2026-05-20:
+    - RKE2 nodes are linux-only; Windows containers require a Windows node.
+    - KubeVirt `ci1` is Running/Ready, but RDP 3389, WinRM 5985, and SSH 22
+      through `virtctl port-forward` return `connect: no route to host`.
+    - GitHub Updater runner list has only `bluejay-ws-sandbox-1`, status
+      offline. Updater Windows Sandbox E2E run 26150689447 remains queued.
+
+    Required operator action:
+    1. Make a dedicated Windows VM reachable and durable.
+    2. Install .NET 10 SDK, .NET 8 Desktop Runtime, Git, VS Build Tools, and
+       PowerShell 7.
+    3. Register repo-scoped runners with short-lived GitHub registration tokens.
+    4. Add `fc-build-windows` labels only to WPF build-capable guests.
+    5. Add `windows-sandbox` labels only after Sandbox support is proven.
+  registration-token-pattern.ps1: |
+    $repo = "FlowerCore.Updater"
+    $token = gh api -X POST "/repos/astoltz/$repo/actions/runners/registration-token" --jq .token
+    $runnerDir = "C:\fc-ghr\updater-fc-build-windows"
+
+    New-Item -ItemType Directory -Force -Path $runnerDir | Out-Null
+    Set-Location $runnerDir
+
+    # Install the Actions runner package here if config.cmd is absent.
+    .\config.cmd `
+      --url "https://github.com/astoltz/$repo" `
+      --token $token `
+      --name "ci1-updater-fc-build-windows" `
+      --labels "self-hosted,windows,fc-build-windows,ci1" `
+      --work "_work" `
+      --unattended `
+      --replace
+
+    .\svc.ps1 install
+    .\svc.ps1 start
+  verification.ps1: |
+    gh api /repos/astoltz/FlowerCore.Updater/actions/runners `
+      --jq '.runners[] | {name,status,busy,labels:[.labels[].name]}'
+
+    gh run list --repo astoltz/FlowerCore.Updater `
+      --workflow "Updater Windows Sandbox E2E" --limit 3
+
+    $env:KUBECONFIG="$env:USERPROFILE\.kube\rke2.yaml"
+    kubectl -n kubevirt-vms get vm,vmi,pods -o wide
--- a/apps/github-runner/.gitattributes
+++ b/apps/github-runner/.gitattributes
@@ -1,2 +0,0 @@
-*.sh text eol=lf
-Dockerfile text eol=lf
--- a/apps/github-runner/Dockerfile
+++ b/apps/github-runner/Dockerfile
@@ -1,44 +0,0 @@
-FROM myoung34/github-runner:latest
-
-ARG RUBY_VERSION=3.3.11
-ARG RUBY_MINOR=3.3
-ARG RUBY_BUILD_VERSION=v20260326
-ARG RUNNER_UID=1001
-ARG RUNNER_GID=1001
-
-ENV RUNNER_TOOL_CACHE=/home/runner/_tool
-ENV RUNNER_RUBY_TOOLCACHE=/opt/runner-toolcache
-ENV PATH="/home/runner/_tool/Ruby/${RUBY_MINOR}/x64/bin:/opt/runner-toolcache/Ruby/${RUBY_MINOR}/x64/bin:${PATH}"
-
-USER root
-
-RUN apt-get update \
-    && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
-        autoconf \
-        bison \
-        build-essential \
-        ca-certificates \
-        curl \
-        libdb-dev \
-        libffi-dev \
-        libgdbm-dev \
-        libgmp-dev \
-        libncurses-dev \
-        libreadline-dev \
-        libssl-dev \
-        libyaml-dev \
-        patch \
-        pkg-config \
-        uuid-dev \
-        zlib1g-dev \
-    && curl -fsSL "https://github.com/rbenv/ruby-build/archive/refs/tags/${RUBY_BUILD_VERSION}.tar.gz" -o /tmp/ruby-build.tar.gz \
-    && mkdir -p /tmp/ruby-build \
-    && tar -xzf /tmp/ruby-build.tar.gz --strip-components=1 -C /tmp/ruby-build \
-    && /tmp/ruby-build/install.sh \
-    && rm -rf /tmp/ruby-build /tmp/ruby-build.tar.gz /var/lib/apt/lists/*
-
-COPY install-ruby-toolcache.sh /usr/local/bin/install-ruby-toolcache.sh
-
-RUN chmod +x /usr/local/bin/install-ruby-toolcache.sh \
-    && RUBY_VERSION="${RUBY_VERSION}" RUBY_MINOR="${RUBY_MINOR}" TOOLCACHE_ROOT="${RUNNER_RUBY_TOOLCACHE}" RUNNER_UID="${RUNNER_UID}" RUNNER_GID="${RUNNER_GID}" /usr/local/bin/install-ruby-toolcache.sh \
-    && ruby -v
--- a/apps/github-runner/README.md
+++ b/apps/github-runner/README.md
@@ -7,17 +7,12 @@ Deployments with `kubectl`; update this manifest and let ArgoCD reconcile.

 All repo-scoped Linux runners use:

- `localhost/fc-github-runner:v20260520-ruby3.3.11`, derived from
-  `myoung34/github-runner:latest`
 - `ACCESS_TOKEN` from the `github-runner-token` Secret
 - `RUN_AS_ROOT=false`
 - `EPHEMERAL=true`
 - `LABELS=self-hosted,linux,fc-build-linux`
 - writable non-root paths under `/home/runner` for .NET, NuGet, XDG cache, and
  Actions tool cache
- Ruby 3.3.11 seeded into `/home/runner/_tool/Ruby/3.3/x64` from the baked
-  `/opt/runner-toolcache` copy so `ruby/setup-ruby@v1` can discover it on
-  self-hosted `ubuntu-20.04-x64` runners

 `github-runner` for `FlowerCore.Common` is single-replica because it retains the
 original Longhorn ReadWriteOnce NuGet PVC. Every other repo-scoped runner uses
@@ -33,34 +28,6 @@ Sprint 32 final long-tail wave adds 16 two-replica Deployments:
 `FlowerCore.Provisioning`, `FlowerCore.Redis`, `FlowerCore.MessageBoard`, and
 `FlowerCore.MenuBoard`.

-## Image Build
-
-Ruby is baked with a pinned `ruby-build` release and Ruby patch version. The pod
-still mounts an `emptyDir` over `/home/runner`, so the `setup-runner-home` init
-container copies the baked toolcache from `/opt/runner-toolcache/Ruby` into
-`/home/runner/_tool/Ruby` before the runner container starts.
-
-```bash
-cd apps/github-runner
-podman build -t localhost/fc-github-runner:v20260520-ruby3.3.11 .
-podman run --rm localhost/fc-github-runner:v20260520-ruby3.3.11 ruby -v
-podman run --rm localhost/fc-github-runner:v20260520-ruby3.3.11 \
-  test -f /opt/runner-toolcache/Ruby/3.3/x64.complete
-podman save localhost/fc-github-runner:v20260520-ruby3.3.11 \
-  -o fc-github-runner-v20260520-ruby3.3.11.tar
-```
-
-Import the saved image on every schedulable RKE2 node before ArgoCD rolls the
-Deployments:
-
-```bash
-for node in rke2-server rke2-agent1 rke2-agent2; do
-  scp fc-github-runner-v20260520-ruby3.3.11.tar "$node:/tmp/"
-  ssh "$node" 'sudo ctr -a /run/k3s/containerd/containerd.sock -n k8s.io images rm localhost/fc-github-runner:v20260520-ruby3.3.11 || true'
-  ssh "$node" 'sudo ctr -a /run/k3s/containerd/containerd.sock -n k8s.io images import /tmp/fc-github-runner-v20260520-ruby3.3.11.tar'
-done
-```
-
 ## Post-Merge Proof

 After the PR is merged and ArgoCD syncs, verify the runner fleet:
@@ -69,14 +36,6 @@ After the PR is merged and ArgoCD syncs, verify the runner fleet:
 kubectl -n github-runner get deploy,pods,pvc
 ```

-Verify the Ruby toolcache in a fresh pod:
-
-```bash
-kubectl -n github-runner exec deploy/github-runner-puppet -c runner -- ruby -v
-kubectl -n github-runner exec deploy/github-runner-puppet -c runner -- sh -c \
-  'echo "$RUNNER_TOOL_CACHE" && test -f "$RUNNER_TOOL_CACHE/Ruby/3.3/x64.complete"'
-```
-
 Verify GitHub registration for the repo-scoped runners:

 ```bash
@@ -110,10 +69,6 @@ from GitHub Actions and verify it lands on an `rke2-linux-*` runner.
 - `actions/setup-dotnet` permission error at `/usr/share/dotnet`: check that
  `DOTNET_INSTALL_DIR=/home/runner/.dotnet` and related cache env vars are
  present on the runner pod.
- `ruby/setup-ruby@v1` says self-hosted runners must install Ruby in
-  `$RUNNER_TOOL_CACHE`: check that the init container copied
-  `/opt/runner-toolcache/Ruby` into `/home/runner/_tool/Ruby` and that
-  `/home/runner/_tool/Ruby/3.3/x64.complete` exists.
 - `404` during runner registration: the fine-grained PAT is valid but missing
  repository access for that repo. Add the repo to the PAT access list; the PAT
  value does not change.
--- a/apps/github-runner/github-runner.yaml
+++ b/apps/github-runner/github-runner.yaml
@@ -22,16 +22,11 @@
 #   NUGET_PACKAGES, XDG_CACHE_HOME, and RUNNER_TOOL_CACHE are all pointed at
 #   writable mounted paths under /home/runner so actions/setup-dotnet does not
 #   attempt to install into /usr/share/dotnet.
-#   Ruby 3.3.11 is baked into localhost/fc-github-runner:v20260520-ruby3.3.11
-#   under /opt/runner-toolcache; setup-runner-home copies it into
-#   /home/runner/_tool because the runner-home emptyDir masks image content
-#   under /home/runner at runtime.
 #
 # Credentials:
 #   OnePasswordItem "GitHub PAT (Runner Registration)" syncs Secret
-#   github-runner-token with field "credential". The custom image inherits
-#   myoung34/github-runner behavior and uses ACCESS_TOKEN to mint short-lived
-#   registration tokens on pod start.
+#   github-runner-token with field "credential". myoung34/github-runner uses
+#   ACCESS_TOKEN to mint short-lived registration tokens on pod start.
 #
 # Security model:
 #   - No ClusterRole / ClusterRoleBinding. The ServiceAccount has no K8s API
@@ -157,19 +152,15 @@ spec:
      # honors the deeper mount.
      initContainers:
        - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
-          imagePullPolicy: Never
+          image: busybox:1.36
          command:
            - sh
            - -c
            - |
              set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
-              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
-                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
-              fi
-              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
-              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
+              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
+              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
          securityContext:
            runAsUser: 0
            runAsNonRoot: false
@@ -178,8 +169,8 @@ spec:
              mountPath: /home/runner
      containers:
        - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
-          imagePullPolicy: Never
+          image: myoung34/github-runner:latest
+          imagePullPolicy: Always
          env:
            # GitHub org/repo targeting.
            # Set REPO_URL for a repo-scoped runner (cheaper, simpler).
@@ -334,19 +325,15 @@ spec:
      # rather than re-applied per repo as flipped lanes land.
      initContainers:
        - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
-          imagePullPolicy: Never
+          image: busybox:1.36
          command:
            - sh
            - -c
            - |
              set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
-              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
-                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
-              fi
-              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
-              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
+              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
+              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
          securityContext:
            runAsUser: 0
            runAsNonRoot: false
@@ -355,8 +342,8 @@ spec:
              mountPath: /home/runner
      containers:
        - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
-          imagePullPolicy: Never
+          image: myoung34/github-runner:latest
+          imagePullPolicy: Always
          env:
            - name: REPO_URL
              value: "https://github.com/astoltz/FlowerCore.Shared.Pos"
@@ -472,19 +459,15 @@ spec:
        fsGroup: 1001
      initContainers:
        - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
-          imagePullPolicy: Never
+          image: busybox:1.36
          command:
            - sh
            - -c
            - |
              set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
-              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
-                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
-              fi
-              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
-              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
+              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
+              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
          securityContext:
            runAsUser: 0
            runAsNonRoot: false
@@ -493,8 +476,8 @@ spec:
              mountPath: /home/runner
      containers:
        - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
-          imagePullPolicy: Never
+          image: myoung34/github-runner:latest
+          imagePullPolicy: Always
          env:
            - name: REPO_URL
              value: "https://github.com/astoltz/FlowerCore.Puppet"
@@ -604,19 +587,15 @@ spec:
        fsGroup: 1001
      initContainers:
        - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
-          imagePullPolicy: Never
+          image: busybox:1.36
          command:
            - sh
            - -c
            - |
              set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
-              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
-                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
-              fi
-              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
-              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
+              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
+              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
          securityContext:
            runAsUser: 0
            runAsNonRoot: false
@@ -625,8 +604,8 @@ spec:
              mountPath: /home/runner
      containers:
        - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
-          imagePullPolicy: Never
+          image: myoung34/github-runner:latest
+          imagePullPolicy: Always
          env:
            - name: REPO_URL
              value: "https://github.com/astoltz/FlowerCore.Signage"
@@ -736,19 +715,15 @@ spec:
        fsGroup: 1001
      initContainers:
        - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
-          imagePullPolicy: Never
+          image: busybox:1.36
          command:
            - sh
            - -c
            - |
              set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
-              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
-                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
-              fi
-              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
-              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
+              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
+              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
          securityContext:
            runAsUser: 0
            runAsNonRoot: false
@@ -757,8 +732,8 @@ spec:
              mountPath: /home/runner
      containers:
        - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
-          imagePullPolicy: Never
+          image: myoung34/github-runner:latest
+          imagePullPolicy: Always
          env:
            - name: REPO_URL
              value: "https://github.com/astoltz/FlowerCore.DMS"
@@ -868,19 +843,15 @@ spec:
        fsGroup: 1001
      initContainers:
        - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
-          imagePullPolicy: Never
+          image: busybox:1.36
          command:
            - sh
            - -c
            - |
              set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
-              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
-                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
-              fi
-              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
-              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
+              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
+              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
          securityContext:
            runAsUser: 0
            runAsNonRoot: false
@@ -889,8 +860,8 @@ spec:
              mountPath: /home/runner
      containers:
        - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
-          imagePullPolicy: Never
+          image: myoung34/github-runner:latest
+          imagePullPolicy: Always
          env:
            - name: REPO_URL
              value: "https://github.com/astoltz/FlowerCore.Telephony"
@@ -1000,19 +971,15 @@ spec:
        fsGroup: 1001
      initContainers:
        - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
-          imagePullPolicy: Never
+          image: busybox:1.36
          command:
            - sh
            - -c
            - |
              set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
-              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
-                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
-              fi
-              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
-              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
+              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
+              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
          securityContext:
            runAsUser: 0
            runAsNonRoot: false
@@ -1021,8 +988,8 @@ spec:
              mountPath: /home/runner
      containers:
        - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
-          imagePullPolicy: Never
+          image: myoung34/github-runner:latest
+          imagePullPolicy: Always
          env:
            - name: REPO_URL
              value: "https://github.com/astoltz/FlowerCore.Print.Web"
@@ -1132,19 +1099,15 @@ spec:
        fsGroup: 1001
      initContainers:
        - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
-          imagePullPolicy: Never
+          image: busybox:1.36
          command:
            - sh
            - -c
            - |
              set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
-              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
-                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
-              fi
-              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
-              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
+              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
+              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
          securityContext:
            runAsUser: 0
            runAsNonRoot: false
@@ -1153,8 +1116,8 @@ spec:
              mountPath: /home/runner
      containers:
        - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
-          imagePullPolicy: Never
+          image: myoung34/github-runner:latest
+          imagePullPolicy: Always
          env:
            - name: REPO_URL
              value: "https://github.com/astoltz/FlowerCore.Chat"
@@ -1264,19 +1227,15 @@ spec:
        fsGroup: 1001
      initContainers:
        - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
-          imagePullPolicy: Never
+          image: busybox:1.36
          command:
            - sh
            - -c
            - |
              set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
-              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
-                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
-              fi
-              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
-              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
+              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
+              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
          securityContext:
            runAsUser: 0
            runAsNonRoot: false
@@ -1285,8 +1244,8 @@ spec:
              mountPath: /home/runner
      containers:
        - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
-          imagePullPolicy: Never
+          image: myoung34/github-runner:latest
+          imagePullPolicy: Always
          env:
            - name: REPO_URL
              value: "https://github.com/astoltz/FlowerCore.MySQL"
@@ -1396,19 +1355,15 @@ spec:
        fsGroup: 1001
      initContainers:
        - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
-          imagePullPolicy: Never
+          image: busybox:1.36
          command:
            - sh
            - -c
            - |
              set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
-              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
-                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
-              fi
-              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
-              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
+              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
+              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
          securityContext:
            runAsUser: 0
            runAsNonRoot: false
@@ -1417,8 +1372,8 @@ spec:
              mountPath: /home/runner
      containers:
        - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
-          imagePullPolicy: Never
+          image: myoung34/github-runner:latest
+          imagePullPolicy: Always
          env:
            - name: REPO_URL
              value: "https://github.com/astoltz/FlowerCore.Kiosk.Linux"
@@ -1530,19 +1485,15 @@ spec:
        fsGroup: 1001
      initContainers:
        - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
-          imagePullPolicy: Never
+          image: busybox:1.36
          command:
            - sh
            - -c
            - |
              set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
-              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
-                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
-              fi
-              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
-              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
+              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
+              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
          securityContext:
            runAsUser: 0
            runAsNonRoot: false
@@ -1551,8 +1502,8 @@ spec:
              mountPath: /home/runner
      containers:
        - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
-          imagePullPolicy: Never
+          image: myoung34/github-runner:latest
+          imagePullPolicy: Always
          env:
            - name: REPO_URL
              value: "https://github.com/astoltz/FlowerCore.Marquee"
@@ -1664,19 +1615,15 @@ spec:
        fsGroup: 1001
      initContainers:
        - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
-          imagePullPolicy: Never
+          image: busybox:1.36
          command:
            - sh
            - -c
            - |
              set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
-              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
-                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
-              fi
-              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
-              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
+              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
+              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
          securityContext:
            runAsUser: 0
            runAsNonRoot: false
@@ -1685,8 +1632,8 @@ spec:
              mountPath: /home/runner
      containers:
        - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
-          imagePullPolicy: Never
+          image: myoung34/github-runner:latest
+          imagePullPolicy: Always
          env:
            - name: REPO_URL
              value: "https://github.com/astoltz/FlowerCore.TtsReader"
@@ -1798,19 +1745,15 @@ spec:
        fsGroup: 1001
      initContainers:
        - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
-          imagePullPolicy: Never
+          image: busybox:1.36
          command:
            - sh
            - -c
            - |
              set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
-              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
-                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
-              fi
-              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
-              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
+              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
+              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
          securityContext:
            runAsUser: 0
            runAsNonRoot: false
@@ -1819,8 +1762,8 @@ spec:
              mountPath: /home/runner
      containers:
        - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
-          imagePullPolicy: Never
+          image: myoung34/github-runner:latest
+          imagePullPolicy: Always
          env:
            - name: REPO_URL
              value: "https://github.com/astoltz/FlowerCore.Knowledge"
@@ -1931,19 +1874,15 @@ spec:
        fsGroup: 1001
      initContainers:
        - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
-          imagePullPolicy: Never
+          image: busybox:1.36
          command:
            - sh
            - -c
            - |
              set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
-              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
-                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
-              fi
-              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
-              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
+              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
+              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
          securityContext:
            runAsUser: 0
            runAsNonRoot: false
@@ -1952,8 +1891,8 @@ spec:
              mountPath: /home/runner
      containers:
        - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
-          imagePullPolicy: Never
+          image: myoung34/github-runner:latest
+          imagePullPolicy: Always
          env:
            - name: REPO_URL
              value: "https://github.com/astoltz/FlowerCore.LlmBridge"
@@ -2064,19 +2003,15 @@ spec:
        fsGroup: 1001
      initContainers:
        - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
-          imagePullPolicy: Never
+          image: busybox:1.36
          command:
            - sh
            - -c
            - |
              set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
-              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
-                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
-              fi
-              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
-              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
+              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
+              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
          securityContext:
            runAsUser: 0
            runAsNonRoot: false
@@ -2085,8 +2020,8 @@ spec:
              mountPath: /home/runner
      containers:
        - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
-          imagePullPolicy: Never
+          image: myoung34/github-runner:latest
+          imagePullPolicy: Always
          env:
            - name: REPO_URL
              value: "https://github.com/astoltz/FlowerCore.Media"
@@ -2197,19 +2132,15 @@ spec:
        fsGroup: 1001
      initContainers:
        - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
-          imagePullPolicy: Never
+          image: busybox:1.36
          command:
            - sh
            - -c
            - |
              set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
-              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
-                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
-              fi
-              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
-              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
+              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
+              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
          securityContext:
            runAsUser: 0
            runAsNonRoot: false
@@ -2218,8 +2149,8 @@ spec:
              mountPath: /home/runner
      containers:
        - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
-          imagePullPolicy: Never
+          image: myoung34/github-runner:latest
+          imagePullPolicy: Always
          env:
            - name: REPO_URL
              value: "https://github.com/astoltz/FlowerCore.Presentations"
@@ -2330,19 +2261,15 @@ spec:
        fsGroup: 1001
      initContainers:
        - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
-          imagePullPolicy: Never
+          image: busybox:1.36
          command:
            - sh
            - -c
            - |
              set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
-              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
-                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
-              fi
-              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
-              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
+              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
+              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
          securityContext:
            runAsUser: 0
            runAsNonRoot: false
@@ -2351,8 +2278,8 @@ spec:
              mountPath: /home/runner
      containers:
        - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
-          imagePullPolicy: Never
+          image: myoung34/github-runner:latest
+          imagePullPolicy: Always
          env:
            - name: REPO_URL
              value: "https://github.com/astoltz/FlowerCore.RemoteDesktop"
@@ -2463,19 +2390,15 @@ spec:
        fsGroup: 1001
      initContainers:
        - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
-          imagePullPolicy: Never
+          image: busybox:1.36
          command:
            - sh
            - -c
            - |
              set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
-              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
-                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
-              fi
-              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
-              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
+              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
+              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
          securityContext:
            runAsUser: 0
            runAsNonRoot: false
@@ -2484,8 +2407,8 @@ spec:
              mountPath: /home/runner
      containers:
        - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
-          imagePullPolicy: Never
+          image: myoung34/github-runner:latest
+          imagePullPolicy: Always
          env:
            - name: REPO_URL
              value: "https://github.com/astoltz/FlowerCore.DNS"
@@ -2596,19 +2519,15 @@ spec:
        fsGroup: 1001
      initContainers:
        - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
-          imagePullPolicy: Never
+          image: busybox:1.36
          command:
            - sh
            - -c
            - |
              set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
-              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
-                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
-              fi
-              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
-              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
+              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
+              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
          securityContext:
            runAsUser: 0
            runAsNonRoot: false
@@ -2617,8 +2536,8 @@ spec:
              mountPath: /home/runner
      containers:
        - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
-          imagePullPolicy: Never
+          image: myoung34/github-runner:latest
+          imagePullPolicy: Always
          env:
            - name: REPO_URL
              value: "https://github.com/astoltz/FlowerCore.Distribution"
@@ -2729,19 +2648,15 @@ spec:
        fsGroup: 1001
      initContainers:
        - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
-          imagePullPolicy: Never
+          image: busybox:1.36
          command:
            - sh
            - -c
            - |
              set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
-              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
-                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
-              fi
-              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
-              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
+              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
+              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
          securityContext:
            runAsUser: 0
            runAsNonRoot: false
@@ -2750,8 +2665,8 @@ spec:
              mountPath: /home/runner
      containers:
        - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
-          imagePullPolicy: Never
+          image: myoung34/github-runner:latest
+          imagePullPolicy: Always
          env:
            - name: REPO_URL
              value: "https://github.com/astoltz/FlowerCore.Scoreboard"
@@ -2862,19 +2777,15 @@ spec:
        fsGroup: 1001
      initContainers:
        - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
-          imagePullPolicy: Never
+          image: busybox:1.36
          command:
            - sh
            - -c
            - |
              set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
-              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
-                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
-              fi
-              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
-              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
+              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
+              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
          securityContext:
            runAsUser: 0
            runAsNonRoot: false
@@ -2883,8 +2794,8 @@ spec:
              mountPath: /home/runner
      containers:
        - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
-          imagePullPolicy: Never
+          image: myoung34/github-runner:latest
+          imagePullPolicy: Always
          env:
            - name: REPO_URL
              value: "https://github.com/astoltz/FlowerCore.SegmentDisplay"
@@ -2995,19 +2906,15 @@ spec:
        fsGroup: 1001
      initContainers:
        - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
-          imagePullPolicy: Never
+          image: busybox:1.36
          command:
            - sh
            - -c
            - |
              set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
-              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
-                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
-              fi
-              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
-              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
+              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
+              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
          securityContext:
            runAsUser: 0
            runAsNonRoot: false
@@ -3016,8 +2923,8 @@ spec:
              mountPath: /home/runner
      containers:
        - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
-          imagePullPolicy: Never
+          image: myoung34/github-runner:latest
+          imagePullPolicy: Always
          env:
            - name: REPO_URL
              value: "https://github.com/astoltz/FlowerCore.Signage.Contracts"
@@ -3128,19 +3035,15 @@ spec:
        fsGroup: 1001
      initContainers:
        - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
-          imagePullPolicy: Never
+          image: busybox:1.36
          command:
            - sh
            - -c
            - |
              set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
-              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
-                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
-              fi
-              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
-              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
+              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
+              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
          securityContext:
            runAsUser: 0
            runAsNonRoot: false
@@ -3149,8 +3052,8 @@ spec:
              mountPath: /home/runner
      containers:
        - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
-          imagePullPolicy: Never
+          image: myoung34/github-runner:latest
+          imagePullPolicy: Always
          env:
            - name: REPO_URL
              value: "https://github.com/astoltz/FlowerCore.SignalControl"
@@ -3261,19 +3164,15 @@ spec:
        fsGroup: 1001
      initContainers:
        - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
-          imagePullPolicy: Never
+          image: busybox:1.36
          command:
            - sh
            - -c
            - |
              set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
-              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
-                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
-              fi
-              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
-              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
+              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
+              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
          securityContext:
            runAsUser: 0
            runAsNonRoot: false
@@ -3282,8 +3181,8 @@ spec:
              mountPath: /home/runner
      containers:
        - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
-          imagePullPolicy: Never
+          image: myoung34/github-runner:latest
+          imagePullPolicy: Always
          env:
            - name: REPO_URL
              value: "https://github.com/astoltz/FlowerCore.Intranet.Web"
@@ -3394,19 +3293,15 @@ spec:
        fsGroup: 1001
      initContainers:
        - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
-          imagePullPolicy: Never
+          image: busybox:1.36
          command:
            - sh
            - -c
            - |
              set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
-              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
-                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
-              fi
-              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
-              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
+              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
+              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
          securityContext:
            runAsUser: 0
            runAsNonRoot: false
@@ -3415,8 +3310,8 @@ spec:
              mountPath: /home/runner
      containers:
        - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
-          imagePullPolicy: Never
+          image: myoung34/github-runner:latest
+          imagePullPolicy: Always
          env:
            - name: REPO_URL
              value: "https://github.com/astoltz/FlowerCore.Provisioning"
@@ -3527,19 +3422,15 @@ spec:
        fsGroup: 1001
      initContainers:
        - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
-          imagePullPolicy: Never
+          image: busybox:1.36
          command:
            - sh
            - -c
            - |
              set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
-              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
-                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
-              fi
-              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
-              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
+              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
+              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
          securityContext:
            runAsUser: 0
            runAsNonRoot: false
@@ -3548,8 +3439,8 @@ spec:
              mountPath: /home/runner
      containers:
        - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
-          imagePullPolicy: Never
+          image: myoung34/github-runner:latest
+          imagePullPolicy: Always
          env:
            - name: REPO_URL
              value: "https://github.com/astoltz/FlowerCore.Redis"
@@ -3660,19 +3551,15 @@ spec:
        fsGroup: 1001
      initContainers:
        - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
-          imagePullPolicy: Never
+          image: busybox:1.36
          command:
            - sh
            - -c
            - |
              set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
-              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
-                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
-              fi
-              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
-              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
+              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
+              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
          securityContext:
            runAsUser: 0
            runAsNonRoot: false
@@ -3681,8 +3568,8 @@ spec:
              mountPath: /home/runner
      containers:
        - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
-          imagePullPolicy: Never
+          image: myoung34/github-runner:latest
+          imagePullPolicy: Always
          env:
            - name: REPO_URL
              value: "https://github.com/astoltz/FlowerCore.MessageBoard"
@@ -3793,19 +3680,15 @@ spec:
        fsGroup: 1001
      initContainers:
        - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
-          imagePullPolicy: Never
+          image: busybox:1.36
          command:
            - sh
            - -c
            - |
              set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
-              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
-                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
-              fi
-              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
-              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
+              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
+              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
          securityContext:
            runAsUser: 0
            runAsNonRoot: false
@@ -3814,8 +3697,8 @@ spec:
              mountPath: /home/runner
      containers:
        - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
-          imagePullPolicy: Never
+          image: myoung34/github-runner:latest
+          imagePullPolicy: Always
          env:
            - name: REPO_URL
              value: "https://github.com/astoltz/FlowerCore.MenuBoard"
--- a/apps/github-runner/install-ruby-toolcache.sh
+++ b/apps/github-runner/install-ruby-toolcache.sh
@@ -1,19 +0,0 @@
-#!/usr/bin/env bash
-set -euo pipefail
-
-RUBY_VERSION="${RUBY_VERSION:-3.3.11}"
-RUBY_MINOR="${RUBY_MINOR:-3.3}"
-TOOLCACHE_ROOT="${TOOLCACHE_ROOT:-/opt/runner-toolcache}"
-RUNNER_UID="${RUNNER_UID:-1001}"
-RUNNER_GID="${RUNNER_GID:-1001}"
-RUBY_PREFIX="${TOOLCACHE_ROOT}/Ruby/${RUBY_VERSION}/x64"
-
-mkdir -p "${TOOLCACHE_ROOT}/Ruby"
-RUBY_CONFIGURE_OPTS="${RUBY_CONFIGURE_OPTS:---disable-install-doc --disable-yjit}" ruby-build "${RUBY_VERSION}" "${RUBY_PREFIX}"
-
-touch "${TOOLCACHE_ROOT}/Ruby/${RUBY_VERSION}/x64.complete"
-ln -sfn "${RUBY_VERSION}" "${TOOLCACHE_ROOT}/Ruby/${RUBY_MINOR}"
-
-"${RUBY_PREFIX}/bin/ruby" -v
-chown -R "${RUNNER_UID}:${RUNNER_GID}" "${TOOLCACHE_ROOT}"
-chmod -R a+rX "${TOOLCACHE_ROOT}"
--- a/apps/monitoring/noc-monitoring.yaml
+++ b/apps/monitoring/noc-monitoring.yaml
@@ -280,14 +280,13 @@ data:
              printer_model: "NuPrint 210"

      # Print.Web health (Blazor app on edge2:5200)
-      # Target `/health` (anonymous) — root path requires API key auth and returns 401.
      - job_name: "probe-printweb"
        metrics_path: /probe
        params:
          module: [http_2xx]
        scrape_interval: 30s
        static_configs:
-          - targets: ["http://10.0.57.16:5200/health"]
+          - targets: ["http://10.0.57.16:5200/"]
            labels:
              instance: "print-web"
              service: "print-web"