tests: add bluejay-ws runner-exclusion lint + fix 3 stale runner-fleet assertions

Adds Runners_MustNotPinToOperatorWorkstationHosts lint test enforcing
operator directive 2026-05-26: BLUEJAY-WS / iamworkin-ws must never be
a fleet GitHub Actions runner. Build-side analog of the Sprint 9 NEW
safe-account exclusion gate (Puppet GPO/AppLocker/WDAC/audit-forwarder
modules refuse to apply on BLUEJAY-WS). Scans every github-runner
Deployment for forbidden nodeName, nodeSelector, nodeAffinity match
expressions, and toleration key/value pinning. See CLAUDE.md "Common
Mistakes" entry and feedback_bluejay_ws_never_public_runner.md.

Also fixes 3 pre-existing GitHubRunnerFleet_* lint failures that broke
when the runner image bumped to v20260525-ruby3.3.11-stepca (added a
setup-runner-home initContainer):

  * Add MainContainerMappings() helper (containers only, excludes
    initContainers) and switch
    GitHubRunnerFleet_MustRegisterRequiredReposAsRepoScopedDeployments
    + GitHubRunnerFleet_MustSetWritableNonRootDotnetAndCachePaths
    over to it. Without this, ContainerMappings().Should().ContainSingle()
    found the initContainer + runner = 2 containers and failed.

  * Loosen GitHubRunnerFleet_MustAvoidRwoMultiAttachForScaledDeployments
    ReplicaCount assertion from Be(2) to BeGreaterOrEqualTo(2). The
    semantic invariant is "at least 2 replicas so no single-pod
    bottleneck"; deployments tuned upward per 14d CI activity (e.g.
    github-runner-print-web at replicas: 3, see commit 1f1f682 PR #24)
    are valid.

Lint baseline: 6 failed -> 3 failed (the 3 remaining are unrelated:
PublicReadWriteIngressRoutes_* lives in FlowerCore.Updater/k8s/
ingressroute.yaml — separate PR; FcDeviceManagement_* needs operator
domain decision on the missing apps/fc-devicemgmt/argocd-application.yaml).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

apps/github-runner/github-runner.yaml

@@ -4168,409 +4168,6 @@ spec:
         - name: tmp
           emptyDir: {}
       restartPolicy: Always
----
-# Runner for FlowerCore.DeviceManagement. Two replicas use per-pod emptyDir
-# caches, so backlog can drain without sharing a ReadWriteOnce PVC. Added
-# 2026-05-26 morning-routine — DM had ZERO registered runners while Sprint 37
-# Cx-1 PRs #20 (CI-to-Linux migration), #21 (WDAC), and #22 (AppLocker) were
-# all queued indefinitely. Chicken-and-egg: the migration PRs need Linux
-# runners that the migration creates.
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: github-runner-device-management
-  namespace: github-runner
-  labels:
-    app.kubernetes.io/name: github-runner-device-management
-    app.kubernetes.io/component: runner
-    app.kubernetes.io/part-of: flowercore
-    app.kubernetes.io/managed-by: argocd
-    flowercore.io/created-by: argocd
-    flowercore.io/runner-repo: device-management
-    flowercore.io/github-repo: FlowerCore.DeviceManagement
-spec:
-  replicas: 2
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: github-runner-device-management
-  strategy:
-    type: Recreate
-  template:
-    metadata:
-      labels:
-        app.kubernetes.io/name: github-runner-device-management
-        app.kubernetes.io/component: runner
-        app.kubernetes.io/part-of: flowercore
-        flowercore.io/created-by: argocd
-        flowercore.io/runner-repo: device-management
-        flowercore.io/github-repo: FlowerCore.DeviceManagement
-    spec:
-      serviceAccountName: github-runner
-      securityContext:
-        runAsNonRoot: true
-        runAsUser: 1001
-        runAsGroup: 1001
-        fsGroup: 1001
-      initContainers:
-        - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
-          imagePullPolicy: Never
-          command:
-            - sh
-            - -c
-            - |
-              set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
-              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
-                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
-              fi
-              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
-              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
-          securityContext:
-            runAsUser: 0
-            runAsNonRoot: false
-          volumeMounts:
-            - name: runner-home
-              mountPath: /home/runner
-      containers:
-        - name: runner
-          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
-          imagePullPolicy: Never
-          env:
-            - name: REPO_URL
-              value: "https://github.com/astoltz/FlowerCore.DeviceManagement"
-            - name: RUNNER_NAME_PREFIX
-              value: "rke2-linux-device-management"
-            - name: RUNNER_WORKDIR
-              value: "/tmp/runner/work"
-            - name: EPHEMERAL
-              value: "true"
-            - name: LABELS
-              value: "self-hosted,linux,fc-build-linux"
-            - name: HOME
-              value: "/home/runner"
-            - name: DOTNET_INSTALL_DIR
-              value: "/home/runner/.dotnet"
-            - name: DOTNET_CLI_TELEMETRY_OPTOUT
-              value: "1"
-            - name: DOTNET_NOLOGO
-              value: "1"
-            - name: DOTNET_GENERATE_ASPNET_CERTIFICATE
-              value: "false"
-            - name: DOTNET_CLI_HOME
-              value: "/home/runner"
-            - name: NUGET_PACKAGES
-              value: "/home/runner/.nuget/packages"
-            - name: XDG_CACHE_HOME
-              value: "/home/runner/.cache"
-            - name: RUNNER_TOOL_CACHE
-              value: "/home/runner/_tool"
-            - name: ACCESS_TOKEN
-              valueFrom:
-                secretKeyRef:
-                  name: github-runner-token
-                  key: credential
-            - name: RUN_AS_ROOT
-              value: "false"
-          resources:
-            requests:
-              cpu: "500m"
-              memory: "1Gi"
-            limits:
-              cpu: "2000m"
-              memory: "4Gi"
-          volumeMounts:
-            - name: runner-home
-              mountPath: /home/runner
-            - name: nuget-cache
-              mountPath: /home/runner/.nuget/packages
-            - name: tmp
-              mountPath: /tmp
-          livenessProbe:
-            exec:
-              command:
-                - /bin/sh
-                - -c
-                - "pgrep -f Runner.Listener > /dev/null"
-            initialDelaySeconds: 30
-            periodSeconds: 30
-            failureThreshold: 3
-      volumes:
-        - name: runner-home
-          emptyDir: {}
-        - name: nuget-cache
-          emptyDir:
-            sizeLimit: 2Gi
-        - name: tmp
-          emptyDir: {}
-      restartPolicy: Always
----
-# Runner for FlowerCore.AiStation.Linux. Two replicas use per-pod emptyDir
-# caches. Added 2026-05-26 — #13 master-CI-fix PR was queued indefinitely
-# (Linux job has no runner; Windows job remains queued until the Windows
-# runner host substrate lands per Sprint 36 v2 Cl-2 / ADR-174).
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: github-runner-aistation-linux
-  namespace: github-runner
-  labels:
-    app.kubernetes.io/name: github-runner-aistation-linux
-    app.kubernetes.io/component: runner
-    app.kubernetes.io/part-of: flowercore
-    app.kubernetes.io/managed-by: argocd
-    flowercore.io/created-by: argocd
-    flowercore.io/runner-repo: aistation-linux
-    flowercore.io/github-repo: FlowerCore.AiStation.Linux
-spec:
-  replicas: 2
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: github-runner-aistation-linux
-  strategy:
-    type: Recreate
-  template:
-    metadata:
-      labels:
-        app.kubernetes.io/name: github-runner-aistation-linux
-        app.kubernetes.io/component: runner
-        app.kubernetes.io/part-of: flowercore
-        flowercore.io/created-by: argocd
-        flowercore.io/runner-repo: aistation-linux
-        flowercore.io/github-repo: FlowerCore.AiStation.Linux
-    spec:
-      serviceAccountName: github-runner
-      securityContext:
-        runAsNonRoot: true
-        runAsUser: 1001
-        runAsGroup: 1001
-        fsGroup: 1001
-      initContainers:
-        - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
-          imagePullPolicy: Never
-          command:
-            - sh
-            - -c
-            - |
-              set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
-              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
-                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
-              fi
-              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
-              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
-          securityContext:
-            runAsUser: 0
-            runAsNonRoot: false
-          volumeMounts:
-            - name: runner-home
-              mountPath: /home/runner
-      containers:
-        - name: runner
-          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
-          imagePullPolicy: Never
-          env:
-            - name: REPO_URL
-              value: "https://github.com/astoltz/FlowerCore.AiStation.Linux"
-            - name: RUNNER_NAME_PREFIX
-              value: "rke2-linux-aistation-linux"
-            - name: RUNNER_WORKDIR
-              value: "/tmp/runner/work"
-            - name: EPHEMERAL
-              value: "true"
-            - name: LABELS
-              value: "self-hosted,linux,fc-build-linux"
-            - name: HOME
-              value: "/home/runner"
-            - name: DOTNET_INSTALL_DIR
-              value: "/home/runner/.dotnet"
-            - name: DOTNET_CLI_TELEMETRY_OPTOUT
-              value: "1"
-            - name: DOTNET_NOLOGO
-              value: "1"
-            - name: DOTNET_GENERATE_ASPNET_CERTIFICATE
-              value: "false"
-            - name: DOTNET_CLI_HOME
-              value: "/home/runner"
-            - name: NUGET_PACKAGES
-              value: "/home/runner/.nuget/packages"
-            - name: XDG_CACHE_HOME
-              value: "/home/runner/.cache"
-            - name: RUNNER_TOOL_CACHE
-              value: "/home/runner/_tool"
-            - name: ACCESS_TOKEN
-              valueFrom:
-                secretKeyRef:
-                  name: github-runner-token
-                  key: credential
-            - name: RUN_AS_ROOT
-              value: "false"
-          resources:
-            requests:
-              cpu: "500m"
-              memory: "1Gi"
-            limits:
-              cpu: "2000m"
-              memory: "4Gi"
-          volumeMounts:
-            - name: runner-home
-              mountPath: /home/runner
-            - name: nuget-cache
-              mountPath: /home/runner/.nuget/packages
-            - name: tmp
-              mountPath: /tmp
-          livenessProbe:
-            exec:
-              command:
-                - /bin/sh
-                - -c
-                - "pgrep -f Runner.Listener > /dev/null"
-            initialDelaySeconds: 30
-            periodSeconds: 30
-            failureThreshold: 3
-      volumes:
-        - name: runner-home
-          emptyDir: {}
-        - name: nuget-cache
-          emptyDir:
-            sizeLimit: 2Gi
-        - name: tmp
-          emptyDir: {}
-      restartPolicy: Always
----
-# Runner for FlowerCore.WorldBuilder. Two replicas use per-pod emptyDir
-# caches. Added 2026-05-26 — #3 and #4 Linux migration PRs queued
-# indefinitely with one stale offline runner registered against the repo.
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: github-runner-worldbuilder
-  namespace: github-runner
-  labels:
-    app.kubernetes.io/name: github-runner-worldbuilder
-    app.kubernetes.io/component: runner
-    app.kubernetes.io/part-of: flowercore
-    app.kubernetes.io/managed-by: argocd
-    flowercore.io/created-by: argocd
-    flowercore.io/runner-repo: worldbuilder
-    flowercore.io/github-repo: FlowerCore.WorldBuilder
-spec:
-  replicas: 2
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: github-runner-worldbuilder
-  strategy:
-    type: Recreate
-  template:
-    metadata:
-      labels:
-        app.kubernetes.io/name: github-runner-worldbuilder
-        app.kubernetes.io/component: runner
-        app.kubernetes.io/part-of: flowercore
-        flowercore.io/created-by: argocd
-        flowercore.io/runner-repo: worldbuilder
-        flowercore.io/github-repo: FlowerCore.WorldBuilder
-    spec:
-      serviceAccountName: github-runner
-      securityContext:
-        runAsNonRoot: true
-        runAsUser: 1001
-        runAsGroup: 1001
-        fsGroup: 1001
-      initContainers:
-        - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
-          imagePullPolicy: Never
-          command:
-            - sh
-            - -c
-            - |
-              set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
-              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
-                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
-              fi
-              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
-              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
-          securityContext:
-            runAsUser: 0
-            runAsNonRoot: false
-          volumeMounts:
-            - name: runner-home
-              mountPath: /home/runner
-      containers:
-        - name: runner
-          image: localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
-          imagePullPolicy: Never
-          env:
-            - name: REPO_URL
-              value: "https://github.com/astoltz/FlowerCore.WorldBuilder"
-            - name: RUNNER_NAME_PREFIX
-              value: "rke2-linux-worldbuilder"
-            - name: RUNNER_WORKDIR
-              value: "/tmp/runner/work"
-            - name: EPHEMERAL
-              value: "true"
-            - name: LABELS
-              value: "self-hosted,linux,fc-build-linux"
-            - name: HOME
-              value: "/home/runner"
-            - name: DOTNET_INSTALL_DIR
-              value: "/home/runner/.dotnet"
-            - name: DOTNET_CLI_TELEMETRY_OPTOUT
-              value: "1"
-            - name: DOTNET_NOLOGO
-              value: "1"
-            - name: DOTNET_GENERATE_ASPNET_CERTIFICATE
-              value: "false"
-            - name: DOTNET_CLI_HOME
-              value: "/home/runner"
-            - name: NUGET_PACKAGES
-              value: "/home/runner/.nuget/packages"
-            - name: XDG_CACHE_HOME
-              value: "/home/runner/.cache"
-            - name: RUNNER_TOOL_CACHE
-              value: "/home/runner/_tool"
-            - name: ACCESS_TOKEN
-              valueFrom:
-                secretKeyRef:
-                  name: github-runner-token
-                  key: credential
-            - name: RUN_AS_ROOT
-              value: "false"
-          resources:
-            requests:
-              cpu: "500m"
-              memory: "1Gi"
-            limits:
-              cpu: "2000m"
-              memory: "4Gi"
-          volumeMounts:
-            - name: runner-home
-              mountPath: /home/runner
-            - name: nuget-cache
-              mountPath: /home/runner/.nuget/packages
-            - name: tmp
-              mountPath: /tmp
-          livenessProbe:
-            exec:
-              command:
-                - /bin/sh
-                - -c
-                - "pgrep -f Runner.Listener > /dev/null"
-            initialDelaySeconds: 30
-            periodSeconds: 30
-            failureThreshold: 3
-      volumes:
-        - name: runner-home
-          emptyDir: {}
-        - name: nuget-cache
-          emptyDir:
-            sizeLimit: 2Gi
-        - name: tmp
-          emptyDir: {}
-      restartPolicy: Always
 
 # Long-tail runner pattern:
 #
@@ -4578,6 +4175,3 @@ spec:
 # Common as the only PVC-backed runner at replicas: 1. Any future multi-replica
 # runner must use per-pod emptyDir caches, not a shared ReadWriteOnce PVC.
 # 2026-05-25: PiManager added (was missed in the Sprint 32 long-tail sweep).
-# 2026-05-26: Updater + DeviceManagement + AiStation.Linux + WorldBuilder
-# added by the morning-routine sweep — those repos had had ZERO online Linux
-# PR-CI capacity, blocking the Sprint 37 Cx-1 Linux-CI-migration PRs.