Hack23 · pethers · Jun 13, 2026 · Jun 13, 2026
diff --git a/.github/workflows/agentics-maintenance.yml b/.github/workflows/agentics-maintenance.yml
@@ -87,7 +87,7 @@ permissions: {}
 jobs:
   close-expired-entities:
     if: ${{ (!(github.event.repository.fork)) && github.event_name != 'push' && (github.event_name != 'workflow_dispatch' && github.event_name != 'workflow_call' || inputs.operation == '') }}
-    runs-on: ubuntu-slim
+    runs-on: ubuntu-26.04
     permissions:
       discussions: write
       issues: write
@@ -127,7 +127,7 @@ jobs:
 
   cleanup-cache-memory:
     if: ${{ (!(github.event.repository.fork)) && github.event_name != 'push' && (github.event_name != 'workflow_dispatch' && github.event_name != 'workflow_call' || inputs.operation == '' || inputs.operation == 'clean_cache_memories') }}
-    runs-on: ubuntu-slim
+    runs-on: ubuntu-26.04
     permissions:
       actions: write
     steps:
@@ -147,7 +147,7 @@ jobs:
 
   run_operation:
     if: ${{ (github.event_name == 'workflow_dispatch' || github.event_name == 'workflow_call') && inputs.operation != '' && inputs.operation != 'safe_outputs' && inputs.operation != 'create_labels' && inputs.operation != 'activity_report' && inputs.operation != 'close_agentic_workflows_issues' && inputs.operation != 'clean_cache_memories' && inputs.operation != 'update_pull_request_branches' && inputs.operation != 'validate' && inputs.operation != 'forecast' && (!(github.event.repository.fork)) }}
-    runs-on: ubuntu-slim
+    runs-on: ubuntu-26.04
     permissions:
       actions: write
       contents: write
@@ -200,7 +200,7 @@ jobs:
 
   update_pull_request_branches:
     if: ${{ (github.event_name == 'workflow_dispatch' || github.event_name == 'workflow_call') && inputs.operation == 'update_pull_request_branches' && (!(github.event.repository.fork)) }}
-    runs-on: ubuntu-slim
+    runs-on: ubuntu-26.04
     permissions:
       contents: write
       pull-requests: write
@@ -234,7 +234,7 @@ jobs:
 
   apply_safe_outputs:
     if: ${{ (github.event_name == 'workflow_dispatch' || github.event_name == 'workflow_call') && inputs.operation == 'safe_outputs' && (!(github.event.repository.fork)) }}
-    runs-on: ubuntu-slim
+    runs-on: ubuntu-26.04
     permissions:
       actions: read
       contents: write
@@ -285,7 +285,7 @@ jobs:
 
   create_labels:
     if: ${{ (github.event_name == 'workflow_dispatch' || github.event_name == 'workflow_call') && inputs.operation == 'create_labels' && (!(github.event.repository.fork)) }}
-    runs-on: ubuntu-slim
+    runs-on: ubuntu-26.04
     permissions:
       contents: read
       issues: write
@@ -329,7 +329,7 @@ jobs:
 
   activity_report:
     if: ${{ (github.event_name == 'workflow_dispatch' || github.event_name == 'workflow_call') && inputs.operation == 'activity_report' && (!(github.event.repository.fork)) }}
-    runs-on: ubuntu-slim
+    runs-on: ubuntu-26.04
     timeout-minutes: 120
     permissions:
       actions: read
@@ -434,7 +434,7 @@ jobs:
 
   forecast_report:
     if: ${{ (github.event_name == 'workflow_dispatch' || github.event_name == 'workflow_call') && inputs.operation == 'forecast' && (!(github.event.repository.fork)) }}
-    runs-on: ubuntu-slim
+    runs-on: ubuntu-26.04
     timeout-minutes: 60
     permissions:
       actions: read
@@ -534,7 +534,7 @@ jobs:
 
   close_agentic_workflows_issues:
     if: ${{ (github.event_name == 'workflow_dispatch' || github.event_name == 'workflow_call') && inputs.operation == 'close_agentic_workflows_issues' && (!(github.event.repository.fork)) }}
-    runs-on: ubuntu-slim
+    runs-on: ubuntu-26.04
     permissions:
       issues: write
     steps:
@@ -565,7 +565,7 @@ jobs:
 
   validate_workflows:
     if: ${{ (github.event_name == 'workflow_dispatch' || github.event_name == 'workflow_call') && inputs.operation == 'validate' && (!(github.event.repository.fork)) }}
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-26.04
     permissions:
       contents: read
       issues: write

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -26,7 +26,7 @@ permissions:
 jobs:
   analyze:
     name: Analyze
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-26.04
     permissions:
       actions: read
       contents: read

diff --git a/.github/workflows/compile-agentic-workflows.yml b/.github/workflows/compile-agentic-workflows.yml
@@ -18,7 +18,7 @@ permissions:
 jobs:
   compile:
     name: Compile Agentic Workflows
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-26.04
 
     steps:
       - name: Harden Runner

diff --git a/.github/workflows/copilot-setup-steps.yml b/.github/workflows/copilot-setup-steps.yml
@@ -29,7 +29,7 @@ permissions:
 jobs:
   # The job MUST be called `copilot-setup-steps` or it will not be picked up by Copilot.
   copilot-setup-steps:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-26.04
 
     # Set the permissions to the lowest permissions possible needed for your steps.
     # Copilot will be given its own token for its operations.

diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
@@ -14,7 +14,7 @@ permissions:
 
 jobs:
   dependency-review:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-26.04
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4

diff --git a/.github/workflows/deploy-s3.yml b/.github/workflows/deploy-s3.yml
@@ -23,7 +23,7 @@ env:
 jobs:
   deploy:
     if: ${{ github.event.inputs.fix_mimetypes != 'true' }}
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-26.04
     # Full prebuild + Vite + minify + S3 deploy routinely runs >15 minutes
     # as the article corpus grows, so keep explicit headroom.
     timeout-minutes: 45
@@ -470,7 +470,7 @@ jobs:
   # ── Fix MIME types on existing S3 objects (manual trigger only) ──
   fix-mimetypes:
     if: ${{ github.event.inputs.fix_mimetypes == 'true' }}
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-26.04
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4

diff --git a/.github/workflows/exec-brief-translation-checks.yml b/.github/workflows/exec-brief-translation-checks.yml
@@ -38,7 +38,7 @@ concurrency:
 jobs:
   validate:
     name: Validate executive-brief translation PR
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-26.04
     timeout-minutes: 10
 
     steps:

diff --git a/.github/workflows/javascript-testing.yml b/.github/workflows/javascript-testing.yml
@@ -43,7 +43,7 @@ jobs:
   # Vitest Unit Tests
   unit-tests:
     name: Unit Tests (Vitest)
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-26.04
 
     steps:
       - name: Harden Runner
@@ -96,7 +96,7 @@ jobs:
   # Vite Build Test
   build-test:
     name: Build Test (Vite)
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-26.04
 
     steps:
       - name: Harden Runner
@@ -159,7 +159,7 @@ jobs:
   # (Other E2E tests moved to separate workflows: test-homepage.yml, test-dashboard.yml, test-news.yml)
   multi-language-tests:
     name: Multi-Language Sanity Tests
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-26.04
     needs: build-test
     # This job covers homepage + dashboard + news across all 14 languages
     # (~3× the work of the per-page Cypress jobs), so it needs a larger budget
@@ -242,7 +242,7 @@ jobs:
   # Never blocks the pipeline (continue-on-error: true).
   node-next-compat:
     name: Node.js Nightly Compat
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-26.04
     continue-on-error: true
     # Bound the whole job so a hung checkout/fetch (transient GitHub-hosted
     # runner flake — see PR #2428 run 25737016620 where `git fetch` stalled
@@ -340,7 +340,7 @@ jobs:
   # Summary Report
   test-summary:
     name: Test Summary
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-26.04
     needs: [unit-tests, build-test, multi-language-tests, node-next-compat]
     if: always()
 

diff --git a/.github/workflows/jsdoc-validation.yml b/.github/workflows/jsdoc-validation.yml
@@ -11,7 +11,7 @@ permissions:
 jobs:
   typedoc-generation:
     name: Generate & Validate TypeDoc
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-26.04
     timeout-minutes: 10
 
     steps:
@@ -203,7 +203,7 @@ jobs:
   # deploy-docs:
   #   name: Deploy to GitHub Pages
   #   needs: jsdoc-generation
-  #   runs-on: ubuntu-latest
+  #   runs-on: ubuntu-26.04
   #   if: github.ref == 'refs/heads/main'
   #   steps:
   #     - uses: actions/download-artifact@v4

diff --git a/.github/workflows/knip.yml b/.github/workflows/knip.yml
@@ -12,7 +12,7 @@ permissions:
 jobs:
   knip:
     name: Run Knip
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-26.04
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4

diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
@@ -10,7 +10,7 @@ permissions: read-all
 jobs:
   labeler:
     name: Label Pull Request
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-26.04
     # Enhanced permissions for label management
     permissions:
       contents: read # Required to check out the code

diff --git a/.github/workflows/lighthouse-ci.yml b/.github/workflows/lighthouse-ci.yml
@@ -23,7 +23,7 @@ permissions:
 jobs:
   lighthouse:
     name: Lighthouse Performance Audit
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-26.04
 
     steps:
       - name: Harden Runner

diff --git a/.github/workflows/news-pat-pr-fallback.yml b/.github/workflows/news-pat-pr-fallback.yml
@@ -56,7 +56,7 @@ concurrency:
 jobs:
   fallback:
     name: Host-side PAT PR fallback
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-26.04
     permissions:
       contents: write
       pull-requests: write

diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml
@@ -11,7 +11,7 @@ permissions:
 
 jobs:
   typescript-lint:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-26.04
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
@@ -66,7 +66,7 @@ jobs:
           retention-days: 30
 
   html-validation:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-26.04
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
@@ -148,7 +148,7 @@ jobs:
           retention-days: 30
 
   link-checker:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-26.04
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
@@ -287,7 +287,7 @@ jobs:
           retention-days: 30
 
   summary:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-26.04
     needs: [typescript-lint, html-validation, link-checker]
     if: always()
     steps:

diff --git a/.github/workflows/regenerate-articles.yml b/.github/workflows/regenerate-articles.yml
@@ -24,7 +24,7 @@ permissions:
 jobs:
   regenerate:
     name: Regenerate article.md + news HTML (all langs)
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-26.04
     timeout-minutes: 60
 
     steps:

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -49,7 +49,7 @@ jobs:
   # --------------------------------------------------------------------------
   prepare:
     name: Prepare Release
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-26.04
     permissions:
       contents: write # Required for git auto-commit
     outputs:
@@ -120,7 +120,7 @@ jobs:
   build:
     name: Build Application
     needs: [prepare]
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-26.04
     permissions:
       contents: read
     steps:
@@ -183,7 +183,7 @@ jobs:
   unit-tests:
     name: Unit Tests
     needs: [prepare]
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-26.04
     permissions:
       contents: read
     steps:
@@ -253,7 +253,7 @@ jobs:
   typedoc:
     name: Generate TypeDoc
     needs: [prepare]
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-26.04
     permissions:
       contents: read
     steps:
@@ -298,7 +298,7 @@ jobs:
   e2e:
     name: E2E (${{ matrix.shard.name }})
     needs: [prepare, build]
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-26.04
     permissions:
       contents: read
     strategy:
@@ -389,7 +389,7 @@ jobs:
   package:
     name: Build Release Package
     needs: [prepare, build]
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-26.04
     permissions:
       contents: read
       id-token: write # Required for OIDC
@@ -450,7 +450,7 @@ jobs:
   deploy-docs:
     name: Deploy Documentation
     needs: [prepare, build, unit-tests, typedoc, e2e]
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-26.04
     permissions:
       contents: write # Required for github-pages-deploy-action
     steps:
@@ -673,7 +673,7 @@ jobs:
   release:
     name: Create GitHub Release
     needs: [prepare, build, package, unit-tests, e2e]
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-26.04
     permissions:
       contents: write # Required to create releases
     steps:
@@ -777,7 +777,7 @@ jobs:
   npm-publish:
     name: Publish to npm
     needs: [prepare, build, unit-tests, typedoc, e2e, package, deploy-docs, release]
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-26.04
     permissions:
       contents: read
       id-token: write # Required for npm provenance
@@ -839,7 +839,7 @@ jobs:
     name: Deployment Summary
     needs: [prepare, release, deploy-docs, npm-publish]
     if: always()
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-26.04
     steps:
       - name: Print summary
         run: |

diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
@@ -20,7 +20,7 @@ permissions: read-all
 jobs:
   analysis:
     name: Scorecard analysis
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-26.04
     permissions:
       # Needed to upload the results to code-scanning dashboard.
       security-events: write