diff --git a/.gitea/workflows/publish-canvas-image.yml b/.gitea/workflows/publish-canvas-image.yml
index 51ee0270..54476e96 100644
--- a/.gitea/workflows/publish-canvas-image.yml
+++ b/.gitea/workflows/publish-canvas-image.yml
@@ -54,7 +54,11 @@ env:
 jobs:
   build-and-push:
     name: Build & push canvas image
-    runs-on: ubuntu-latest
+    # Pin to docker-capable runners (self-hosted + docker label).
+    # Per gitea-operational-quirks.md §3: Hetzner act_runner containers
+    # register labels self-hosted + ubuntu-latest + docker. Only runners
+    # with docker label have /var/run/docker.sock mounted.
+    runs-on: [self-hosted, docker]
     # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
     continue-on-error: true
     steps:
diff --git a/.gitea/workflows/publish-workspace-server-image.yml b/.gitea/workflows/publish-workspace-server-image.yml
index db84492b..8d6d1247 100644
--- a/.gitea/workflows/publish-workspace-server-image.yml
+++ b/.gitea/workflows/publish-workspace-server-image.yml
@@ -52,7 +52,13 @@ env:
 
 jobs:
   build-and-push:
-    runs-on: ubuntu-latest
+    # Pin to docker-capable runners (self-hosted + docker label).
+    # Per gitea-operational-quirks.md §3: Hetzner act_runner containers
+    # register labels self-hosted + ubuntu-latest + docker. Only runners
+    # with docker label have /var/run/docker.sock mounted. The previous
+    # `runs-on: ubuntu-latest` coin-flipped between docker-capable and
+    # non-docker runners, causing Verify Docker daemon access to fail.
+    runs-on: [self-hosted, docker]
     steps:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2