Runner: self-hosted arm64. Deploy target: amd64 (Hetzner). Cross-arch is
safe because Astro output is plain static HTML/CSS/JS — nothing in the
bundle is arch-specific.

Changes:
- runs-on: ubuntu-latest (most portable act_runner label — override per your
runner's registered labels if needed).
- Install Chromium from apt at workflow time (Google Chrome has no Linux/arm64
stable build; Chromium does). Handles both chromium and chromium-browser
package names, sudo-less runners, and idempotently skips if already present.
- Export CHROME_PATH so LHCI picks the right binary.
- Add chromeFlags to lighthouserc.cjs: --no-sandbox --headless=new
--disable-gpu --disable-dev-shm-usage (required in containerized/root
Chromium on CI runners).
- timeout-minutes on both jobs.
- Defense-in-depth install of rsync + openssh in deploy job if the runner
image doesn't ship them.
- Null-guard SFTP_KEY and SFTP_KNOWN_HOSTS secrets.
- Switch echo to printf for deterministic newline handling when writing key
material to ~/.ssh files.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
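
The null-guard and printf items from the change list, as an added shell example that is not the commit's own workflow code. The function name `write_ssh_material` and the file name `deploy_key` are hypothetical; `SFTP_KEY` and `SFTP_KNOWN_HOSTS` are the secrets named in the message.

```shell
#!/bin/sh
# Added example, not the project's workflow step.
# Assumed names: write_ssh_material, deploy_key (hypothetical).

# write_ssh_material DIR
# Writes the deploy key and known_hosts into DIR, failing closed when a
# secret is unset or empty.
write_ssh_material() {
    dir=$1

    # Null-guard: stop with a clear message here instead of writing an empty
    # file and failing later inside ssh or rsync.
    if [ -z "${SFTP_KEY:-}" ]; then
        echo "SFTP_KEY secret is unset or empty" >&2
        return 1
    fi
    if [ -z "${SFTP_KNOWN_HOSTS:-}" ]; then
        echo "SFTP_KNOWN_HOSTS secret is unset or empty" >&2
        return 1
    fi

    (
        # Restrictive umask so the files are never group/world readable,
        # not even briefly between creation and chmod.
        umask 077
        mkdir -p "$dir" || exit 1
        chmod 700 "$dir" || exit 1

        # printf '%s\n' writes the value byte for byte plus exactly one
        # trailing newline. echo differs between shells: some interpret
        # backslash escapes or a leading -n/-e in the value.
        printf '%s\n' "$SFTP_KEY" > "$dir/deploy_key" || exit 1
        printf '%s\n' "$SFTP_KNOWN_HOSTS" > "$dir/known_hosts" || exit 1
        chmod 600 "$dir/deploy_key"
    )
}
```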