diff --git a/.gitea/workflows/publish-canvas-image.yml b/.gitea/workflows/publish-canvas-image.yml
index 51ee0270..f21f0817 100644
--- a/.gitea/workflows/publish-canvas-image.yml
+++ b/.gitea/workflows/publish-canvas-image.yml
@@ -54,7 +54,11 @@ env:
 jobs:
   build-and-push:
     name: Build & push canvas image
-    runs-on: ubuntu-latest
+    # NOTE: infra-sre must register a `docker` label on every act-runner that
+    # mounts /var/run/docker.sock (group=docker, socket perms 660+). Jobs without
+    # the `docker` label land on runners that lack the socket and fail here.
+    # See issue #576.
+    runs-on: [ubuntu-latest, docker]
     # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
     continue-on-error: true
     steps:
@@ -79,8 +83,10 @@ jobs:
         run: |
           set -euo pipefail
           echo "::group::Docker daemon health check"
+          echo "Runner: ${HOSTNAME:-unknown}"
           docker info 2>&1 | head -5 || {
             echo "::error::Docker daemon is not accessible at /var/run/docker.sock"
+            echo "::error::Runner: ${HOSTNAME:-unknown}"
             echo "::error::Check: (1) daemon running, (2) runner user in docker group, (3) sock perms 660+"
             exit 1
           }
diff --git a/.gitea/workflows/publish-workspace-server-image.yml b/.gitea/workflows/publish-workspace-server-image.yml
index db84492b..4bdfef86 100644
--- a/.gitea/workflows/publish-workspace-server-image.yml
+++ b/.gitea/workflows/publish-workspace-server-image.yml
@@ -52,7 +52,12 @@ env:
 
 jobs:
   build-and-push:
-    runs-on: ubuntu-latest
+    # NOTE: infra-sre must register a `docker` label on every act-runner that
+    # mounts /var/run/docker.sock (group=docker, socket perms 660+). Jobs without
+    # the `docker` label land on runners that lack the socket and fail here.
+    # molecule-runner-1 (no socket) vs molecule-runner-4 (socket) — coin-flip
+    # without this label gate.  See issue #576.
+    runs-on: [ubuntu-latest, docker]
     steps:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -68,8 +73,10 @@ jobs:
         run: |
           set -euo pipefail
           echo "::group::Docker daemon health check"
+          echo "Runner: ${HOSTNAME:-unknown}"
           docker info 2>&1 | head -5 || {
             echo "::error::Docker daemon is not accessible at /var/run/docker.sock"
+            echo "::error::Runner: ${HOSTNAME:-unknown}"
             echo "::error::Check: (1) daemon is running, (2) runner user is in docker group, (3) sock permissions are 660+"
             exit 1
           }