fix(ci): disable checkout clean on self-hosted runners (#2733)

## Summary

- The `sudo rm -rf` approach from #2732 fails because the self-hosted
  WSL runner lacks passwordless sudo (`sudo: a terminal is required to
  read the password`).
- Replace it by setting `clean: ${{ matrix.runs-on != 'self-hosted' }}`
  on `actions/checkout`, so checkout skips its built-in workspace clean
  on self-hosted runners and no longer fails with EACCES on root-owned
  Podman overlay files.
- GitHub-hosted runners continue to get `clean: true` as before.

## Test plan

- [ ] Verify the WSL CI job passes (checkout no longer fails with
      EACCES or sudo password prompt)
- [ ] Verify Linux and macOS jobs are unaffected (`clean: true` still
      applies to non-self-hosted runners)


Made with [Cursor](https://cursor.com)

Author: cidrblock

.config/dictionary.txt

@@ -2,7 +2,6 @@ ANSTRAT
 Anson
 CICD
 CMDB
-Cachi
 Customizer
 DEEPSEEK
 Elio’s
@@ -12,7 +11,6 @@ Fqcn
 Fqcns
 Interactable
 KUBEDOCK
-Konflux
 LIGHTSPEED
 LLMPROVIDER
 Lightspeed
@@ -31,24 +29,21 @@ SSOT
 Towncrier
 WSLENV
 antsibull
-appstudio
 bfnrt
-buildah
 charliermarsh
 checode
-clamav
 codeclimate
 codespell
 commitlint
 contentmatches
-coverity
 cpython
 dbaeumer
 dedupe
 deepseek
 dirmngr
 esbenp
 eslintcache
+ffdx
 fixturenames
 fqcn
 genai
@@ -60,7 +55,6 @@ hostsvars
 inetpub
 issuetracker
 knip
-konflux
 lcovonly
 lextudio
 libgbm
@@ -70,7 +64,6 @@ lightspeed
 ligthspeed
 lineinfile
 llmprovider
-longrepr
 microdnf
 myorg
 noconfirm
@@ -80,24 +73,18 @@ nqry
 ollama
 ovsx
 pacman
-pipelinesascode
 prek
 primevue
 priyamsahoo
 progressspinner
 pycobertura
 pydoclint
 pyvenv
-quasis
 relogin
-reprentries
-reprfileloc
-reprtraceback
 reshim
 rhcustom
 rhsso
 seealso
-shiki
 sonarcloud
 sonarqube
 summ
@@ -109,7 +96,6 @@ thumbsup
 timonwong
 tomaciazek
 tombi
-tomjs
 tomlsort
 towerhost
 tsup

.github/workflows/ci.yaml

@@ -282,30 +282,22 @@ jobs:
               SKIP_PODMAN: 1
               SKIP_DOCKER: 1
     steps:
-      - name: Remove root-owned container overlays (self-hosted)
-        if: matrix.runs-on == 'self-hosted'
-        run: |
-          target="$GITHUB_WORKSPACE/out/als/tmp/home/.local/share/containers"
-
-          if [ -e "$target" ] || [ -L "$target" ]; then
-            resolved_workspace="$(readlink -f "$GITHUB_WORKSPACE")"
-            resolved_target="$(readlink -f "$target")"
-
-            case "$resolved_target" in
-              "$resolved_workspace"/*)
-                sudo rm -rf -- "$resolved_target"
-                ;;
-              *)
-                echo "Refusing to delete path outside GITHUB_WORKSPACE: $resolved_target"
-                exit 1
-                ;;
-            esac
-          fi
-
+      # Self-hosted runners may retain root-owned files from previous
+      # container builds (e.g. Podman overlays under out/als/tmp/).
+      # Disable checkout's built-in clean so it does not fail with
+      # EACCES when it cannot remove those files.
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0 # we need tags for dynamic versioning
           show-progress: false
+          clean: ${{ matrix.runs-on != 'self-hosted' }}
+
+      - name: Clean workspace on self-hosted runner
+        if: matrix.runs-on == 'self-hosted'
+        run: |
+          set -euxo pipefail
+          git reset --hard HEAD
+          git clean -ffdx -e out/als/tmp/
 
       - name: Run setup steps (composite action)
         uses: ./.github/actions/setup