From a7d19b332e6547b7d03083b4f32c482d95118fad Mon Sep 17 00:00:00 2001
From: Will Sarg <12886992+willsarg@users.noreply.github.com>
Date: Mon, 16 Feb 2026 10:58:45 -0500
Subject: [PATCH] ci: route trusted security and workflow checks to self-hosted
 (#370)

---
 .github/workflows/security.yml        | 4 ++--
 .github/workflows/workflow-sanity.yml | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index 60febb7..bff64dc 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -21,7 +21,7 @@ env:
 jobs:
     audit:
         name: Security Audit
-        runs-on: ubuntu-latest
+        runs-on: ${{ github.event_name != 'pull_request' && fromJSON('["self-hosted","Linux","X64","lxc-ci"]') || 'ubuntu-latest' }}
         timeout-minutes: 20
         steps:
             - uses: actions/checkout@v4
@@ -37,7 +37,7 @@ jobs:
 
     deny:
         name: License & Supply Chain
-        runs-on: ubuntu-latest
+        runs-on: ${{ github.event_name != 'pull_request' && fromJSON('["self-hosted","Linux","X64","lxc-ci"]') || 'ubuntu-latest' }}
         timeout-minutes: 20
         steps:
             - uses: actions/checkout@v4
diff --git a/.github/workflows/workflow-sanity.yml b/.github/workflows/workflow-sanity.yml
index 47d692d..c37c1f9 100644
--- a/.github/workflows/workflow-sanity.yml
+++ b/.github/workflows/workflow-sanity.yml
@@ -22,7 +22,7 @@ permissions:
 
 jobs:
   no-tabs:
-    runs-on: ubuntu-latest
+    runs-on: ${{ github.event_name == 'push' && fromJSON('["self-hosted","Linux","X64","lxc-ci"]') || 'ubuntu-latest' }}
     timeout-minutes: 10
     steps:
       - name: Checkout
@@ -55,7 +55,7 @@ jobs:
           PY
 
   actionlint:
-    runs-on: ubuntu-latest
+    runs-on: ${{ github.event_name == 'push' && fromJSON('["self-hosted","Linux","X64","lxc-ci"]') || 'ubuntu-latest' }}
     timeout-minutes: 10
     steps:
       - name: Checkout