Adds Runners_MustNotPinToOperatorWorkstationHosts lint test enforcing
operator directive 2026-05-26: BLUEJAY-WS / iamworkin-ws must never be
a fleet GitHub Actions runner. Build-side analog of the Sprint 9 NEW
safe-account exclusion gate (Puppet GPO/AppLocker/WDAC/audit-forwarder
modules refuse to apply on BLUEJAY-WS). Scans every github-runner
Deployment for forbidden nodeName, nodeSelector, nodeAffinity match
expressions, and toleration key/value pinning. See CLAUDE.md "Common
Mistakes" entry and feedback_bluejay_ws_never_public_runner.md.

Also fixes 3 pre-existing GitHubRunnerFleet_* lint failures that broke
when the runner image bumped to v20260525-ruby3.3.11-stepca (added a
setup-runner-home initContainer):
* Add MainContainerMappings() helper (containers only, excludes
initContainers) and switch
GitHubRunnerFleet_MustRegisterRequiredReposAsRepoScopedDeployments
+ GitHubRunnerFleet_MustSetWritableNonRootDotnetAndCachePaths
over to it. Without this, ContainerMappings().Should().ContainSingle()
found the initContainer + runner = 2 containers and failed.
* Loosen GitHubRunnerFleet_MustAvoidRwoMultiAttachForScaledDeployments
ReplicaCount assertion from Be(2) to BeGreaterOrEqualTo(2). The
semantic invariant is "at least 2 replicas so no single-pod
bottleneck"; deployments tuned upward per 14d CI activity (e.g.
github-runner-print-web at replicas: 3, see commit 1f1f682 PR #24)
are valid.

Lint baseline: 6 failed -> 3 failed (the 3 remaining are unrelated:
PublicReadWriteIngressRoutes_* lives in FlowerCore.Updater/k8s/
ingressroute.yaml — separate PR; FcDeviceManagement_* needs operator
domain decision on the missing apps/fc-devicemgmt/argocd-application.yaml).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
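An added stand-alone check in the spirit of the lint described in this commit (example code, not the project's own Runners_MustNotPinToOperatorWorkstationHosts test): it walks a Deployment already parsed into a dict and reports each pinning route the commit lists (nodeName, nodeSelector, nodeAffinity match expressions, toleration key/value). The two host names come from the commit; the sample manifests and the `github-runner` name-prefix filter are constructed assumptions.

```python
FORBIDDEN_HOSTS = {"bluejay-ws", "iamworkin-ws"}  # operator workstation hosts named in the directive

def _hits(value):
    """True if a scalar, or any scalar in a list, names a forbidden host (case-insensitive)."""
    values = value if isinstance(value, list) else [value]
    return any(str(v).lower() in FORBIDDEN_HOSTS for v in values)

def find_workstation_pins(deployment):
    """Return [(location, value)] for every pin to a forbidden host; [] means clean."""
    name = deployment.get("metadata", {}).get("name", "<unnamed>")
    pod = deployment.get("spec", {}).get("template", {}).get("spec", {})
    found = []
    # 1. nodeName bypasses the scheduler and lands the pod on that exact node.
    if _hits(pod.get("nodeName", "")):
        found.append((f"{name} nodeName", pod["nodeName"]))
    # 2. nodeSelector label values (typically kubernetes.io/hostname).
    for key, val in pod.get("nodeSelector", {}).items():
        if _hits(val):
            found.append((f"{name} nodeSelector[{key}]", val))
    # 3. nodeAffinity: required terms plus each preferred term's preference block.
    aff = pod.get("affinity", {}).get("nodeAffinity", {})
    terms = list(aff.get("requiredDuringSchedulingIgnoredDuringExecution", {}).get("nodeSelectorTerms", []))
    terms += [p.get("preference", {}) for p in aff.get("preferredDuringSchedulingIgnoredDuringExecution", [])]
    for term in terms:
        for expr in term.get("matchExpressions", []) + term.get("matchFields", []):
            # Only "In" selects the host; "NotIn" over the same values is the exclusion we want.
            if expr.get("operator") == "In" and _hits(expr.get("values", [])):
                found.append((f"{name} nodeAffinity {expr.get('key')}", expr["values"]))
    # 4. Tolerations whose key or value names the host (pairs with a host-specific taint).
    for tol in pod.get("tolerations", []):
        if _hits(tol.get("key", "")) or _hits(tol.get("value", "")):
            found.append((f"{name} toleration", f"{tol.get('key')}={tol.get('value')}"))
    return found

def lint_runner_fleet(deployments):
    """Apply the check to github-runner Deployments only (assumed naming convention)."""
    return [f for d in deployments
            if d.get("metadata", {}).get("name", "").startswith("github-runner")
            for f in find_workstation_pins(d)]

# Constructed sample manifests, not taken from the repository.
PINNED = {"metadata": {"name": "github-runner-print-web"}, "spec": {"template": {"spec": {
    "nodeSelector": {"kubernetes.io/hostname": "BLUEJAY-WS"},
    "tolerations": [{"key": "workstation", "operator": "Equal", "value": "iamworkin-ws", "effect": "NoSchedule"}]}}}}
CLEAN = {"metadata": {"name": "github-runner-core"}, "spec": {"template": {"spec": {
    "affinity": {"nodeAffinity": {"requiredDuringSchedulingIgnoredDuringExecution": {"nodeSelectorTerms": [
        {"matchExpressions": [{"key": "kubernetes.io/hostname", "operator": "NotIn", "values": ["BLUEJAY-WS"]}]}]}}}}}}}

if __name__ == "__main__":
    for loc, val in lint_runner_fleet([PINNED, CLEAN]):
        print(f"FORBIDDEN PIN: {loc} -> {val}")
```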