Document and harden remote KVM publishable lane

README.md

@@ -58,6 +58,8 @@ nix run ./nix/test-cluster#cluster -- fresh-matrix
 ./nix/test-cluster/run-publishable-kvm-suite.sh ./work/publishable-kvm-suite
 ```
 
+The repository-owned remote entrypoint for the same suite is [`.github/workflows/kvm-publishable-selfhosted.yml`](.github/workflows/kvm-publishable-selfhosted.yml). It runs the wrapper on Forgejo runners labeled `nix-host`, and those runners must expose `/dev/kvm` with nested virtualization enabled.
+
 Project-done release proof now requires both halves of the public validation surface to be green:
 
 - `baremetal-iso` and `baremetal-iso-e2e` for the canonical `deployer -> installer -> nix-agent` bare-metal bootstrap path

docs/testing.md

@@ -86,6 +86,8 @@ Use these commands as the release-facing local proof set:
 - `baremetal-iso-e2e`: flake-check wrapper around the same canonical ISO harness
 - `deployer-vm-smoke`: lightweight regression proving that `nix-agent` can activate a host-built target closure without guest-side compilation
 
+The repository-owned remote entrypoint for the same publishable KVM proof is [`.github/workflows/kvm-publishable-selfhosted.yml`](../.github/workflows/kvm-publishable-selfhosted.yml). It targets Forgejo runners labeled `nix-host` and expects `/dev/kvm` plus nested virtualization on those hosts.
+
 ## Responsibility Coverage
 
 - `baremetal-iso` and `baremetal-iso-e2e` are the canonical proof for `deployer -> installer -> nix-agent`. They cover phone-home, install-plan materialization, Disko, reboot, and desired-system activation.

nix/test-cluster/README.md

@@ -7,6 +7,7 @@ The same harness also owns the canonical bare-metal bootstrap proof: a raw-QEMU
 
 When `/dev/kvm` is absent, the portable fallback is not another harness subcommand. Use the root-flake non-KVM lane instead: `nix build .#checks.x86_64-linux.portable-control-plane-regressions`.
 When `/dev/kvm` and nested virtualization are available, the reproducible publishable lane is `./nix/test-cluster/run-publishable-kvm-suite.sh`, which records environment metadata and then runs `fresh-smoke`, `fresh-demo-vm-webapp`, and `fresh-matrix` in order.
+The repository-owned remote entrypoint for the same suite is [`.github/workflows/kvm-publishable-selfhosted.yml`](../../.github/workflows/kvm-publishable-selfhosted.yml), which targets Forgejo `nix-host` runners with `/dev/kvm` and nested virtualization enabled.
 
 ## What it validates
 

nix/test-cluster/flake.nix

@@ -74,7 +74,7 @@
         text = ''
           repo_root="$(${pkgs.gitMinimal}/bin/git rev-parse --show-toplevel 2>/dev/null || ${pkgs.coreutils}/bin/pwd)"
           export PHOTON_CLUSTER_FLAKE="''${repo_root}/nix/test-cluster"
-          exec "''${repo_root}/nix/test-cluster/run-cluster.sh" "$@"
+          exec ${pkgs.bash}/bin/bash "''${repo_root}/nix/test-cluster/run-cluster.sh" "$@"
         '';
       };