diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 44a3482..d6d057d 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -10,6 +10,8 @@ permissions:
 
 jobs:
   server:
+    # Stays on GitHub-hosted: the watcher-runners (ARC, no local Docker — image
+    # builds offload to remote BuildKit) can't run the postgres service container.
     runs-on: ubuntu-latest
     services:
       postgres:
@@ -35,7 +37,7 @@ jobs:
       - run: cargo test --locked   # runs the ingest->query integration test against the service DB
 
   ui:
-    runs-on: ubuntu-latest
+    runs-on: watcher-runners
     defaults:
       run:
         working-directory: ui
@@ -50,11 +52,12 @@ jobs:
       - run: npm run build
 
   chart:
-    runs-on: ubuntu-latest
+    runs-on: watcher-runners
     steps:
       - uses: actions/checkout@v6
-      - name: Install helm
-        run: curl -fsSL https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash
+      # setup-helm installs to the tool cache (no sudo). get-helm-3's sudo install
+      # fails on the ARC runners, which run with no_new_privileges.
+      - uses: azure/setup-helm@v5
       - run: helm lint chart
 
   # One image now: the server builds the UI and embeds it (rust-embed), so there