fix(ci): per-runner CARGO_HOME for security job (ANDON paiml/infra#77)

.github/workflows/sovereign-ci.yml

@@ -4,7 +4,7 @@
 # Change once here → applies to all 38 repos instantly.
 #
 # Self-hosted jobs run inside the sovereign-ci container (built by forjar).
 # Each job gets an isolated filesystem — no shared ~/.rustup/, no race conditions.
 # Image: localhost:5000/sovereign-ci:stable (local registry on mac-server)
 # Rebuild: cd infra && make -f machines/intel/Makefile ci-image
 #
@@ -48,7 +48,7 @@
         default: false
         type: boolean
       extra_pkgs:
         description: 'Extra apt packages to install in container (e.g. python3-dev libclang-dev)'
         required: false
         default: ''
         type: string
@@ -83,7 +83,7 @@
 jobs:
   test:
     name: test
     runs-on: [self-hosted, clean-room]
     container:
       image: localhost:5000/sovereign-ci:stable@sha256:10486da5daa3786f3264aa0e19fdde007e7ba1eca1d47ba587947946e42bd871
       # Phase 3 §5.3 — sccache rustc cache + /var/log/ci-metrics for F9 stats.
@@ -112,7 +112,7 @@
           persist-credentials: false
       - name: Install extra packages
         if: ${{ inputs.extra_pkgs != '' }}
         run: |
           apt-get update -qq && apt-get install -y -qq ${{ inputs.extra_pkgs }} 2>/dev/null || \
           sudo apt-get update -qq && sudo apt-get install -y -qq ${{ inputs.extra_pkgs }} 2>/dev/null || true
       - name: Checkout sibling repos (path deps)
@@ -160,7 +160,7 @@
           # Note: generated contract macros may have unused variables (provable-contracts#64).
           # This is handled by adding -A unused-variables to the clippy step.
       - name: Generate contract assertions (pv codegen)
         run: |
           # pv is baked into sovereign-ci:stable at /usr/local/cargo/bin/pv
           PV=""
           for candidate in /usr/local/cargo/bin/pv /usr/local/bin/pv; do
@@ -211,7 +211,7 @@
           SCCACHE_DIR: ${{ inputs.enable_sccache && '/sccache' || '' }}
           USE_NEXTEST: ${{ inputs.use_nextest }}
           TEST_SCOPE: ${{ inputs.test_workspace && '--workspace --lib' || '--lib' }}
         run: |
           # Mark workspace as safe for git operations inside tests (dubious ownership in containers)
           git config --global --add safe.directory "$GITHUB_WORKSPACE"
           # Phase 2 §4.3 — nextest drops ~35% off test-job wall-clock on large suites.
@@ -763,8 +763,26 @@
           # Note: generated contract macros may have unused variables (provable-contracts#64).
           # This is handled by adding -A unused-variables to the clippy step.
       - uses: dtolnay/rust-toolchain@631a55b12751854ce901bb631d5902ceb48146f7 # stable
-      - name: Install cargo-audit
-        run: cargo install cargo-audit --locked || true
+      # FIVE-WHYS ROOT CAUSE (2026-04-24, aprender#1043 ANDON, paiml/infra#77):
+      # The `security` job runs bare-metal (runs-on: [self-hosted, clean-room])
+      # so 16 intel-clean-room-* runners all share HOME=/home/noah and thus
+      # $HOME/.cargo/registry. Concurrent `cargo install cargo-audit` jobs
+      # race on src/ extraction + .cache/ writes, producing:
+      #   warning: failed to write cache, path: ~/.cargo/registry/index/.../.cache/ca/rg/<crate>, Permission denied (os error 13)
+      #   error: couldn't read ~/.cargo/registry/src/.../fnv-1.0.7/lib.rs: Permission denied
+      #   error: could not compile `fnv` (lib) due to 1 previous error
+      # Per-runner CARGO_HOME (matches `target/` per-runner pattern already
+      # used by the `test`/`lint`/`coverage` jobs above) eliminates the race
+      # class at source. Independent of aprender#1043's workspace-test fix
+      # (which addresses the containerized workspace-test job's registry
+      # mount, not this bare-metal security job's $HOME).
+      - name: Install cargo-audit (per-runner CARGO_HOME)
+        run: |
+          export CARGO_HOME="/tmp/cargo-home-security-${{ runner.name }}"
+          mkdir -p "$CARGO_HOME"
+          echo "CARGO_HOME=$CARGO_HOME" >> "$GITHUB_ENV"
+          cargo install cargo-audit --locked --root "$CARGO_HOME" || true
+          echo "$CARGO_HOME/bin" >> "$GITHUB_PATH"
       - name: Audit
         run: |
           # FIVE-WHYS ROOT CAUSE (2026-04-12):