
Add self-hosted runner setup guide#282

Merged
2-Coatl merged 3 commits into develop from feature/review-github-workflows-for-improvements-00-02-37
Nov 19, 2025

Conversation


@2-Coatl 2-Coatl commented Nov 19, 2025

Summary

  • add a hardened self-hosted runner setup guide under .github/workflows
  • document advantages, prerequisites, installation, maintenance, and workflow usage examples

Testing

  • not run (docs-only change)

Codex Task

Copilot AI review requested due to automatic review settings November 19, 2025 00:02

Copilot AI left a comment


Pull Request Overview

This PR introduces comprehensive documentation for GitHub Actions workflows, including a self-hosted runner setup guide, workflow audit inventory, and a correction plan. The documentation aims to improve CI/CD infrastructure management by providing hardened installation procedures, identifying workflow gaps, and establishing systematic improvement guidelines.

Key Changes

  • Adds hardened self-hosted runner setup guide with security best practices, installation steps, and maintenance procedures
  • Documents a comprehensive audit of 25 existing GitHub Actions workflows, identifying gaps in triggers, permissions, and caching
  • Provides a structured correction plan with environment-specific strategies (production, QA, development) for workflow optimization

Reviewed Changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 8 comments.

| File | Description |
| --- | --- |
| WORKFLOW_AUDIT.md | Comprehensive inventory of 25 workflows with analysis of triggers, permissions, caching, and security gaps |
| .github/workflows/SELF_HOSTED_RUNNER.md | Step-by-step guide for secure self-hosted runner deployment on Linux with hardening recommendations |
| .github/workflows/PLAN_CORRECCION.md | Structured correction plan for workflow improvements organized by principles, environments, and per-workflow actions |

## Cleanup/Deregistration
To remove the runner:
```bash
sudo systemctl stop actions.runner.2-Coatl-IACT.iact-arm64-01.service

Copilot AI Nov 19, 2025


The service name in the systemctl commands is hardcoded with "2-Coatl-IACT". This should be replaced with a placeholder to match the previous recommendation, ensuring users understand they need to substitute their actual organization and repository names.

Comment on lines +27 to +30
2. **Download the runner binaries** (adjust the version according to the [official releases](https://github.com/actions/runner/releases)). ARM64 example:
```bash
curl -o actions-runner-linux-arm64-2.329.0.tar.gz -L \
https://github.com/actions/runner/releases/download/v2.329.0/actions-runner-linux-arm64-2.329.0.tar.gz

Copilot AI Nov 19, 2025


The checksum provided appears to be for a specific runner version (v2.329.0). However, this checksum should be verified against the official GitHub releases page before use. Additionally, consider adding a note that users should always verify checksums match the official release notes for the version they're downloading.

Suggested change
2. **Download the runner binaries** (adjust the version according to the [official releases](https://github.com/actions/runner/releases)). ARM64 example:
```bash
curl -o actions-runner-linux-arm64-2.329.0.tar.gz -L \
https://github.com/actions/runner/releases/download/v2.329.0/actions-runner-linux-arm64-2.329.0.tar.gz
2. **Download the runner binaries** (adjust the version according to the [official releases](https://github.com/actions/runner/releases)). ARM64 example:
> ⚠️ **IMPORTANT:** Before running the checksum verification, obtain the SHA256 value for the chosen version from the [official releases page](https://github.com/actions/runner/releases) and replace the example below. Do not use the checksum without verifying that it matches the downloaded binary.
```bash
curl -o actions-runner-linux-arm64-2.329.0.tar.gz -L \
https://github.com/actions/runner/releases/download/v2.329.0/actions-runner-linux-arm64-2.329.0.tar.gz
# Replace the following checksum with the one published in the official release for your version:

Comment on lines +20 to +26
- **Variables and secrets**: centralize common variables in `env` and per-environment secrets in `environment secrets`; validate their presence with `if: env.SECRET != ''` before using them.
- **Reusable templates**: create a reusable workflow (e.g. `.github/workflows/reusable-ci.yml`) with matrices, caching and minimal permissions that takes as inputs the environment (`environment`), the branch and the mode (`deploy`/`validate`).

## Cross-cutting actions
1. Add a reusable base template for minimal permissions and caching strategy (composite or reusable workflow).
2. Add `concurrency` for deployment, incident-response and long-running pipelines.
3. Review secrets: document the required ones and validate their existence before using them (e.g. `if: env.SECRET != ''`).

Copilot AI Nov 19, 2025


The syntax for the conditional check uses single quotes around the variable: if: env.SECRET != ''. In GitHub Actions, environment variables should be accessed using the correct syntax: if: env.SECRET != '' or more correctly if: env.SECRET. Consider clarifying that this is pseudocode or updating to the proper GitHub Actions syntax.

Suggested change
- **Variables and secrets**: centralize common variables in `env` and per-environment secrets in `environment secrets`; validate their presence with `if: env.SECRET != ''` before using them.
- **Reusable templates**: create a reusable workflow (e.g. `.github/workflows/reusable-ci.yml`) with matrices, caching and minimal permissions that takes as inputs the environment (`environment`), the branch and the mode (`deploy`/`validate`).
## Cross-cutting actions
1. Add a reusable base template for minimal permissions and caching strategy (composite or reusable workflow).
2. Add `concurrency` for deployment, incident-response and long-running pipelines.
3. Review secrets: document the required ones and validate their existence before using them (e.g. `if: env.SECRET != ''`).
- **Variables and secrets**: centralize common variables in `env` and per-environment secrets in `environment secrets`; validate their presence with `if: env.SECRET` before using them.
- **Reusable templates**: create a reusable workflow (e.g. `.github/workflows/reusable-ci.yml`) with matrices, caching and minimal permissions that takes as inputs the environment (`environment`), the branch and the mode (`deploy`/`validate`).
## Cross-cutting actions
1. Add a reusable base template for minimal permissions and caching strategy (composite or reusable workflow).
2. Add `concurrency` for deployment, incident-response and long-running pipelines.
3. Review secrets: document the required ones and validate their existence before using them (e.g. `if: env.SECRET`).

Comment on lines +20 to +26
- **Variables and secrets**: centralize common variables in `env` and per-environment secrets in `environment secrets`; validate their presence with `if: env.SECRET != ''` before using them.
- **Reusable templates**: create a reusable workflow (e.g. `.github/workflows/reusable-ci.yml`) with matrices, caching and minimal permissions that takes as inputs the environment (`environment`), the branch and the mode (`deploy`/`validate`).

## Cross-cutting actions
1. Add a reusable base template for minimal permissions and caching strategy (composite or reusable workflow).
2. Add `concurrency` for deployment, incident-response and long-running pipelines.
3. Review secrets: document the required ones and validate their existence before using them (e.g. `if: env.SECRET != ''`).

Copilot AI Nov 19, 2025


The same conditional syntax issue appears here: if: env.SECRET != ''. For GitHub Actions workflows, the proper syntax would be if: env.SECRET or if: env.SECRET != '' (which is valid but can be simplified). Consider providing the correct GitHub Actions expression syntax or noting this is a conceptual example.

Suggested change
- **Variables and secrets**: centralize common variables in `env` and per-environment secrets in `environment secrets`; validate their presence with `if: env.SECRET != ''` before using them.
- **Reusable templates**: create a reusable workflow (e.g. `.github/workflows/reusable-ci.yml`) with matrices, caching and minimal permissions that takes as inputs the environment (`environment`), the branch and the mode (`deploy`/`validate`).
## Cross-cutting actions
1. Add a reusable base template for minimal permissions and caching strategy (composite or reusable workflow).
2. Add `concurrency` for deployment, incident-response and long-running pipelines.
3. Review secrets: document the required ones and validate their existence before using them (e.g. `if: env.SECRET != ''`).
- **Variables and secrets**: centralize common variables in `env` and per-environment secrets in `environment secrets`; validate their presence with `if: env.SECRET` before using them.
- **Reusable templates**: create a reusable workflow (e.g. `.github/workflows/reusable-ci.yml`) with matrices, caching and minimal permissions that takes as inputs the environment (`environment`), the branch and the mode (`deploy`/`validate`).
## Cross-cutting actions
1. Add a reusable base template for minimal permissions and caching strategy (composite or reusable workflow).
2. Add `concurrency` for deployment, incident-response and long-running pipelines.
3. Review secrets: document the required ones and validate their existence before using them (e.g. `if: env.SECRET`).

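The correction plan's cross-cutting items (a reusable workflow taking `environment` and mode inputs, minimal `permissions`, `concurrency`, and a secret presence check) combined into one file, as an added illustration that is not part of this PR's documents or the repository's workflows. The path follows the plan's suggestion; `DEPLOY_TOKEN`, `scripts/deploy.sh` and the self-hosted runner labels are assumptions. Note that the `secrets` context cannot be read inside a step-level `if`, so the plan's `if: env.SECRET != ''` pattern only works once the secret has been copied into a job-level `env` entry, which is what this example does.

```yaml
# .github/workflows/reusable-ci.yml (illustrative file; not part of this PR)
name: reusable-ci

on:
  workflow_call:
    inputs:
      environment:
        description: Target environment (production, qa or development)
        required: true
        type: string
      mode:
        description: Either deploy or validate
        required: true
        type: string
    secrets:
      DEPLOY_TOKEN:          # assumed secret name
        required: false

# Least privilege: the default GITHUB_TOKEN may only read repository contents.
permissions:
  contents: read

# One in-flight run per environment and ref; a newer run cancels the older one.
concurrency:
  group: ci-${{ inputs.environment }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  ci:
    runs-on: [self-hosted, Linux, ARM64]   # default labels of a Linux ARM64 self-hosted runner
    environment: ${{ inputs.environment }}
    env:
      # The secrets context is allowed in a job-level env map but not in a
      # step-level if, so the presence check is materialised here as a string.
      HAS_DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN != '' }}
      TARGET_ENV: ${{ inputs.environment }}  # passed via env, never interpolated into the script
    steps:
      - uses: actions/checkout@v4   # pin to a full commit SHA in a hardened setup
      - name: Validate required secrets
        if: inputs.mode == 'deploy' && env.HAS_DEPLOY_TOKEN != 'true'
        run: |
          echo "::error::DEPLOY_TOKEN is not configured for environment $TARGET_ENV"
          exit 1
      - name: Deploy
        if: inputs.mode == 'deploy' && env.HAS_DEPLOY_TOKEN == 'true'
        env:
          DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}
        run: ./scripts/deploy.sh "$TARGET_ENV"   # assumed script; reads DEPLOY_TOKEN from env
```

A caller invokes it with `uses: ./.github/workflows/reusable-ci.yml` plus `with: { environment: qa, mode: validate }` and `secrets: inherit` (or an explicit `DEPLOY_TOKEN`), so in `validate` mode the job runs without any deployment credential being exposed.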
NestorMonroy and others added 2 commits November 19, 2025 05:46
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@2-Coatl 2-Coatl closed this Nov 19, 2025
@2-Coatl 2-Coatl reopened this Nov 19, 2025
@2-Coatl 2-Coatl merged commit b62a661 into develop Nov 19, 2025
2 of 42 checks passed
@2-Coatl 2-Coatl deleted the feature/review-github-workflows-for-improvements-00-02-37 branch November 19, 2025 05:56