require GitHub-hosted runners in reusable build jobs

[crazy-max]

relates to #161 (comment)

The change inserts a first step in each matrix build job to read runner.environment and fail the job when the value is not github-hosted. This leaves the existing runner selection and mapping logic unchanged, and adds a narrow contract check on the runner environment before the rest of the build steps execute.

The current workflows assume a stronger isolation posture than they actually enforce at the job level. Adding this guard makes the GitHub-hosted requirement explicit in the reusable workflow behavior, which keeps the trust boundary tighter while still leaving room to support different GitHub-hosted labels later through constrained mapping.

[crazy-max]

The reusable workflow check only fails earlier. It does not add a meaningful trust guarantee for the produced artifact.

The security-relevant enforcement is already in the signing and verification path, where we require runnerEnvironment = "github-hosted" in the policy. GitHub's OIDC token already carries the runner_environment claim, so a self-hosted runner cannot satisfy that policy through the normal signing flow.

More importantly, if the caller controls a self-hosted runner, they can already produce a malicious artifact by other means. Blocking that runner in the reusable workflow does not materially improve the trust model, it only makes the contract more explicit at job start.

So I'm going to close this rather than keep a check that reads like a security hardening change when it's really just an early guardrail.