From ff3d0421b06b890f6b8a46e07a84bc918ddefe06 Mon Sep 17 00:00:00 2001
From: yuriyryabikov <22548029+kurok@users.noreply.github.com>
Date: Tue, 21 Apr 2026 09:40:37 +0100
Subject: [PATCH] ci: rotate ec2-github-runner SHA to Phase 4 safe tip

namecheap/ec2-github-runner#19 merged after #18's non-root change
broke dogfood on #182 (runner registration timeout). The new tip
keeps Phase 4's safe subset: runner-version input, --ephemeral /
--unattended / --disableupdate on config.sh, SHA-256 verification
of the runner tarball, set -euo pipefail. Non-root runner user
reverted for separate investigation.

Rotation: a1bd2f9 (Phase 1) -> 78f98d1 (Phase 4 safe).
Signed-off-by: yuriyryabikov <22548029+kurok@users.noreply.github.com>
---
 .github/workflows/ci.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index f15c2b1f..d2bd6a0e 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -140,7 +140,7 @@ jobs:
         # SHA-pinned (was @feat/al2023-support). The same SHA is reused by
         # the stop-runner step so both halves of the runner lifecycle run
         # identical action code.
-        uses: namecheap/ec2-github-runner@a1bd2f99953fff1dbae09841e794c9745229a543 # feat/al2023-support @ 2026-04-21 — aws-sdk v3 migration (Phase 1)
+        uses: namecheap/ec2-github-runner@78f98d15001dea276cc48d299401345570fccb09 # feat/al2023-support @ 2026-04-21 — Phase 4 (runner-version input, --ephemeral, checksum verify; non-root reverted)
         with:
           mode: start
           github-token: ${{ secrets.GH_TOKEN }}
@@ -231,7 +231,7 @@ jobs:
       - name: Stop EC2 runner
         # SHA-pinned (was @main). Matches the start-runner step above so
         # stop logic is in lockstep with the code that started the runner.
-        uses: namecheap/ec2-github-runner@a1bd2f99953fff1dbae09841e794c9745229a543 # feat/al2023-support @ 2026-04-21 — aws-sdk v3 migration (Phase 1)
+        uses: namecheap/ec2-github-runner@78f98d15001dea276cc48d299401345570fccb09 # feat/al2023-support @ 2026-04-21 — Phase 4 (runner-version input, --ephemeral, checksum verify; non-root reverted)
         with:
           mode: stop
           github-token: ${{ secrets.GH_TOKEN }}