diff --git a/.github/workflows/reusable-ci-astro.yml b/.github/workflows/reusable-ci-astro.yml
index 792924a..d3ca48f 100644
--- a/.github/workflows/reusable-ci-astro.yml
+++ b/.github/workflows/reusable-ci-astro.yml
@@ -124,7 +124,7 @@ jobs:
 i18n:
 name: i18n parity
 if: inputs.enable-i18n
- runs-on: ferrlabs-k8s
+ runs-on: ${{ inputs.runner }}
 defaults:
 run:
 working-directory: ${{ inputs.working-directory }}
@@ -152,7 +152,7 @@ jobs:
 name: Lighthouse CI
 needs: build
 if: inputs.enable-lighthouse && (github.event_name == 'pull_request' || !inputs.lighthouse-only-pr)
- runs-on: ferrlabs-k8s
+ runs-on: ${{ inputs.runner }}
 steps:
 - uses: actions/checkout@v6
 - uses: actions/download-artifact@v8
diff --git a/.github/workflows/reusable-ci-node.yml b/.github/workflows/reusable-ci-node.yml
index 83c8ad7..13a5e60 100644
--- a/.github/workflows/reusable-ci-node.yml
+++ b/.github/workflows/reusable-ci-node.yml
@@ -156,7 +156,7 @@ jobs:
 quality:
 name: Quality (knip, madge, audit)
 if: inputs.enable-knip || inputs.enable-madge || inputs.enable-audit
- runs-on: ferrlabs-k8s
+ runs-on: ${{ inputs.runner }}
 defaults:
 run:
 working-directory: ${{ inputs.working-directory }}
diff --git a/.github/workflows/reusable-docker-build.yml b/.github/workflows/reusable-docker-build.yml
index 2b291ea..13ba1b4 100644
--- a/.github/workflows/reusable-docker-build.yml
+++ b/.github/workflows/reusable-docker-build.yml
@@ -61,7 +61,7 @@ permissions:
 jobs:
 hadolint:
 name: hadolint
- runs-on: ferrlabs-k8s
+ runs-on: ${{ inputs.runner }}
 steps:
 - uses: actions/checkout@v6
 - uses: hadolint/hadolint-action@v3.1.0
@@ -106,7 +106,7 @@ jobs:
 name: Trivy (CVE scan)
 needs: build
 if: inputs.push
- runs-on: ferrlabs-k8s
+ runs-on: ${{ inputs.runner }}
 steps:
 - uses: aquasecurity/trivy-action@0.35.0
 with:
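Review bot: `runs-on: ${{ inputs.runner }}` in the `i18n` job relies on a `runner` input that none of the hunks for reusable-ci-astro.yml, reusable-ci-node.yml or reusable-docker-build.yml declare; presumably it already exists under `on.workflow_call.inputs` outside the hunks, but that is worth confirming, because an undeclared input evaluates to an empty string and the job then has no usable runner label. A caller that passes `runner: ''` explicitly ends up with the same empty label, since the declared default only applies when the input is omitted; `runs-on: ${{ inputs.runner || 'ubuntu-latest' }}` covers both cases. The same applies to the Lighthouse CI, Quality, hadolint and Trivy hunks here and to every later `runs-on` change in this diff. The job bodies continue outside the hunks.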
@@ -127,7 +127,7 @@ jobs:
 name: cosign (sign + attest)
 needs: [build, trivy]
 if: inputs.push
- runs-on: ferrlabs-k8s
+ runs-on: ${{ inputs.runner }}
 steps:
 - uses: sigstore/cosign-installer@v3
 - name: Login to GHCR
@@ -153,7 +153,7 @@ jobs:
 name: SBOM (Syft → CycloneDX)
 needs: build
 if: inputs.push
- runs-on: ferrlabs-k8s
+ runs-on: ${{ inputs.runner }}
 steps:
 - uses: anchore/sbom-action@v0
 with:
diff --git a/.github/workflows/reusable-release-rust.yml b/.github/workflows/reusable-release-rust.yml
index a12b4aa..bca2c76 100644
--- a/.github/workflows/reusable-release-rust.yml
+++ b/.github/workflows/reusable-release-rust.yml
@@ -22,6 +22,11 @@ on:
 type: string
 required: false
 default: ''
+ runner:
+ description: 'GitHub Actions runner label for the upload + publish jobs. Defaults to `ubuntu-latest` so public-repo consumers run on free GitHub-hosted runners.'
+ type: string
+ required: false
+ default: 'ubuntu-latest'
 secrets:
 CARGO_REGISTRY_TOKEN:
 required: false
@@ -104,7 +109,7 @@ jobs:
 upload:
 name: Attest + upload assets
 needs: build
- runs-on: ferrlabs-k8s
+ runs-on: ${{ inputs.runner }}
 steps:
 - uses: actions/checkout@v6
 - uses: actions/download-artifact@v8
@@ -128,7 +133,7 @@ jobs:
 name: Publish crates.io
 needs: upload
 if: inputs.crate-publish
- runs-on: ferrlabs-k8s
+ runs-on: ${{ inputs.runner }}
 steps:
 - uses: actions/checkout@v6
 - uses: dtolnay/rust-toolchain@stable
diff --git a/.github/workflows/reusable-security-scan.yml b/.github/workflows/reusable-security-scan.yml
index 3ae2f1f..e3505d4 100644
--- a/.github/workflows/reusable-security-scan.yml
+++ b/.github/workflows/reusable-security-scan.yml
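Review bot: The cosign job logs in to GHCR and signs and attests the image, and with `runs-on: ${{ inputs.runner }}` it now runs on whatever label the caller passes, so the registry credential and whatever signing credential or identity the job uses are exposed to a runner this workflow does not choose. A comment above the line would make that explicit, for example `# caller-selected runner: this job holds the GHCR login and signs images; pass only labels for trusted, ephemeral runners`. The same consideration applies to the `Publish crates.io` hunk in reusable-release-rust.yml, where the workflow's secrets block lists `CARGO_REGISTRY_TOKEN`. The steps of both jobs continue outside the hunks.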
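Review bot: The `runner` description added to reusable-release-rust.yml is narrower than the one added to reusable-security-scan.yml: it names only "the upload + publish jobs" and does not say whether a self-hosted label is a supported override. If the build job keeps its own `runs-on` (it is outside these hunks, so this is an assumption), saying so avoids callers expecting the input to move the whole workflow, e.g. `description: 'Runner label for the upload and publish jobs only. Defaults to ubuntu-latest; override with a self-hosted label only from private repositories.'`. Because the publish job is the one that can receive `CARGO_REGISTRY_TOKEN`, the description is the natural place to state which runners are acceptable for it.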
@@ -23,6 +23,11 @@ on:
 type: boolean
 required: false
 default: false
+ runner:
+ description: 'GitHub Actions runner label. Defaults to `ubuntu-latest` so public-repo consumers run on free GitHub-hosted runners. Private consumers can override with `ferrlabs-k8s` for the heavier self-hosted pool.'
+ type: string
+ required: false
+ default: 'ubuntu-latest'
 permissions:
 contents: read
@@ -31,7 +36,7 @@ permissions:
 jobs:
 gitleaks:
 name: gitleaks (secrets)
- runs-on: ferrlabs-k8s
+ runs-on: ${{ inputs.runner }}
 steps:
 - uses: actions/checkout@v6
 with:
@@ -72,7 +77,7 @@ jobs:
 osv-scanner:
 name: osv-scanner (CVE)
- runs-on: ferrlabs-k8s
+ runs-on: ${{ inputs.runner }}
 steps:
 - uses: actions/checkout@v6
 - name: Detect Go module
@@ -122,7 +127,7 @@ jobs:
 trufflehog:
 name: trufflehog (secrets, deep history)
- runs-on: ferrlabs-k8s
+ runs-on: ${{ inputs.runner }}
 if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
 steps:
 - uses: actions/checkout@v6
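Review bot: The new `runner` description invites overriding with `ferrlabs-k8s` for "private consumers", but nothing in the workflow limits the label to private callers, and the gitleaks and osv-scanner jobs check out and process repository content, which is untrusted if a caller runs this workflow on pull requests from forks. If the self-hosted pool is not ephemeral per job (not visible here), such content can leave state behind for later jobs. The enforceable control is on the organisation side, restricting the runner group to selected private repositories, and the description could point at it by appending `Do not use self-hosted labels for workflows triggered by fork pull requests.` The input block and the job bodies start or continue outside the hunks.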