diff --git a/.gitea/workflows/publish-canvas-image.yml b/.gitea/workflows/publish-canvas-image.yml
index f21f0817..9f1b03a1 100644
--- a/.gitea/workflows/publish-canvas-image.yml
+++ b/.gitea/workflows/publish-canvas-image.yml
@@ -54,11 +54,13 @@ env:
 jobs:
   build-and-push:
     name: Build & push canvas image
-    # NOTE: infra-sre must register a `docker` label on every act-runner that
-    # mounts /var/run/docker.sock (group=docker, socket perms 660+). Jobs without
-    # the `docker` label land on runners that lack the socket and fail here.
-    # See issue #576.
-    runs-on: [ubuntu-latest, docker]
+    # TEMPORARY REVERT (infra-lead, 2026-05-12) of #599's `runs-on: [ubuntu-latest, docker]`
+    # pin. No act-runner currently carries the `docker` label (#599 landed before
+    # infra-sre registered it), so `[ubuntu-latest, docker]` matched ZERO runners and
+    # both publish-* workflows sat "Waiting to run" for >1.5h. Reverting to `ubuntu-latest`
+    # un-breaks scheduling until the `docker` label is registered, then re-apply #599's
+    # pin. See #576 + #599.
+    runs-on: ubuntu-latest
     # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
     continue-on-error: true
     steps:
diff --git a/.gitea/workflows/publish-workspace-server-image.yml b/.gitea/workflows/publish-workspace-server-image.yml
index 4bdfef86..34ba6201 100644
--- a/.gitea/workflows/publish-workspace-server-image.yml
+++ b/.gitea/workflows/publish-workspace-server-image.yml
@@ -52,12 +52,14 @@ env:
 
 jobs:
   build-and-push:
-    # NOTE: infra-sre must register a `docker` label on every act-runner that
-    # mounts /var/run/docker.sock (group=docker, socket perms 660+). Jobs without
-    # the `docker` label land on runners that lack the socket and fail here.
-    # molecule-runner-1 (no socket) vs molecule-runner-4 (socket) — coin-flip
-    # without this label gate.  See issue #576.
-    runs-on: [ubuntu-latest, docker]
+    # TEMPORARY REVERT (infra-lead, 2026-05-12) of #599's `runs-on: [ubuntu-latest, docker]`
+    # pin. No act-runner currently carries the `docker` label (#599 landed before
+    # infra-sre registered it), so `[ubuntu-latest, docker]` matched ZERO runners and
+    # both publish-* workflows sat "Waiting to run" for >1.5h — strictly worse than the
+    # pre-#599 coin-flip. Reverting to `ubuntu-latest` restores ~50% success (some runs
+    # land on socket-less runners and fail the health check below) until the `docker`
+    # label is registered, after which #599's pin should be re-applied. See #576 + #599.
+    runs-on: ubuntu-latest
     steps:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2