Description
## Goal
Deploy the hydrapipelinerunnerapple service on cederikmini (node-38f14c8b) and retire the manually configured GitHub Actions runner at ~/actions-runner.
## Current state
- hydrapipelinerunnerapple v0.1.0 published to releases.experiencenet.com
- hydracluster role `hydrapipelinerunnerapple` added and recipe defined (as of hydracluster v2.0.51)
- cederikmini enrolled as hydracluster node node-38f14c8b
- FileVault is enabled on cederikmini, which blocks autologin — the recipe cannot complete without autologin working
- Role NOT yet assigned to node-38f14c8b in hydracluster
- Config (github_token, github_repo) not yet written to the node
- Manual runner is still active at ~/actions-runner on cederikmini
## Blockers
FileVault must be disabled first. This requires physical access to cederikmini:
1. System Settings > Privacy & Security > FileVault > Turn Off FileVault
2. Wait for decryption to complete
3. System Settings > General > Login Items or Users & Groups > enable autologin for the service account
## Steps remaining (in order)
1. Physical: Turn off FileVault on cederikmini
2. Physical: Enable autologin for the account that runs the runner service
3. hydracluster: Assign role hydrapipelinerunnerapple to node-38f14c8b via admin UI or API
4. Wait for recipe to run — hydracluster installs hydrapipelinerunnerapple on next provisioning cycle
5. Write config via hydracluster exec: set github_token and github_repo (cederikdotcom/hydraheadipad or relevant repo)
6. Restart service via hydracluster exec
7. Verify runner appears as online in GitHub repository Settings > Actions > Runners
8. Stop and remove manual runner at ~/actions-runner on cederikmini
## Definition of done
- hydrapipelinerunnerapple running as systemd unit on cederikmini
- Runner visible and online in GitHub Actions
- ~/actions-runner manual runner stopped and unregistered
- No manual intervention needed after reboot (autologin + systemd handles restart)