dns-auditer and ansible-github-runner: infra chores that run themselves

Platform engineering is full of work that is individually small and collectively expensive: auditing SPF, DMARC, DNSSEC, TLS ciphers, HSTS, and CSP across every domain; keeping CI runners patched, isolated, and cheap. Done by hand, these get skipped until an incident forces attention. The right fix is not a checklist, it is automation that runs on a schedule, reports only when something changes, and cleans up after itself so nobody has to babysit it.

dns-auditer is a scheduled GitHub Actions workflow that runs a Python auditor against every domain in a config file, fans out to four check modules, and commits structured JSON so the posture history lives in git. A second script opens GitHub Issues when checks fail or warn and closes them automatically when checks pass again, with no duplicate issues and noise-stable messages to avoid churny daily commits. It runs entirely on the built-in token: no API keys, no secrets. ansible-github-runner provisions a Linux box into a runner fleet via three roles applied in dependency order: hardening, docker, and the runner itself. It wipes each job workspace in a throwaway root container before the next job, stopping cross-job leakage. A pull-through Docker Hub registry mirror and a persistent BuildKit cache keep builds warm and dodge rate limits, and a weekly self-maintenance workflow, opt-in and disabled by default, keeps the box current.