After concurrency slices, fairness, and reservation contracts, the next layer of pain is label chaos: every repository invents macos-12, self-hosted, or m4 without a namespace, so orchestrators cannot reason about starvation, inheritance, or blast radius. This 2026 guide treats labels on dedicated Mac mini M4 pools as governance primitives: a three-level namespace, explicit priority inheritance from organization to repository, and starvation guards (aging, fair-share caps, secondary drain queues). You get two matrices, eight rollout steps, and audit prompts that security and finance can actually read.
Concurrency and pool fairness: concurrency slices and CI/agent fairness. macOS/Xcode pinning: upgrade windows and drift checks. Reservations and preemption: reservation, preemption, and cooldown. Dispatchable automation hosts: dispatchable Mac nodes. Sharded builds: parallel Mac build nodes. Pricing: pricing; help: help.
Label namespace matrix (prefix, owner, lifetime)
| Prefix | Meaning | Who may define |
|---|---|---|
nm-org/<id>/ |
Fleet-wide pools (e.g., compile-heavy, UI-only) | Platform SRE only |
nm-team/<slug>/ |
Team-scoped capacity carved from org pools | Team lead + SRE approval |
nm-repo/<gh-org>/<name>/ |
Repository-specific experiments or release trains | Repo maintainers within team quota |
Unprefixed labels should be rejected in CI lint for new workflows. Legacy repos get a six-month grandfather window with a dashboard that lists offenders; after the window, merges to default branch require migration. The goal is not pedantry—it is to make “who can steal capacity from whom” answerable from Git history instead of Slack archaeology.
Priority inheritance matrix (effective priority order)
| Source | Default weight | Override rules |
|---|---|---|
| Org policy YAML | Baseline P3 | Security patches may lift to P1 with ticket ID |
| Team policy | Inherits org; max +1 step | Cannot exceed org-declared ceiling for non-incident work |
| Repo workflow annotation | Inherits team; max +1 for release tags | Feature branches capped at team baseline |
Starvation tripwire: if any label’s wait-time p95 exceeds 2× fleet median for 72 h while higher-priority traffic stays below its SLO, enable aging: add +1 virtual priority per 30 min queued, capped at team ceiling.
Starvation guards beyond “raise priority”
- Fair-share token bucket: each team receives refillable tokens per hour per label family; burst allowed, but sustained overuse downgrades effective priority automatically.
- Secondary drain queue: long-waiting jobs move to a low-noise pool nightly so dashboards stop hiding tails behind averages.
- Label affinity caps: limit how many concurrent jobs a single repo label may place on
nm-org/*-heavyhosts—prevents one monorepo from pinning the entire heavy slice.
Eight-step rollout checklist
- Freeze new unprefixed labels in default-branch CI for Mac-backed workflows.
- Generate inventory from orchestrator API + last-30-day
runs-onscan. - Map each label to namespace tier; mark conflicts where two teams share the same string.
- Publish inheritance YAML in a single repo; require PR review from SRE + product security for priority ceiling changes.
- Enable aging in staging with exaggerated thresholds to observe side effects.
- Wire dashboards: per-namespace wait surfaces, not only global p95.
- Game day: simulate org-wide incident priority flip; verify repos cannot permanently camp at P1.
- Quarterly audit: sample 50 workflows for drift; auto-file tickets for violations.
How this interacts with reservations
Reservations decide entitlement; namespaces decide addressability; priority decides ordering within entitlement. If you implement reservations without namespaces, teams will encode “fake namespaces” inside secret runner names. If you implement namespaces without starvation guards, low-priority maintenance repos disappear for weeks whenever a product launch spikes. Keep the three documents—fairness, reservation, and this label guide—linked in the same internal portal page so new hires read them as one system.
Common anti-patterns
Letting developers pick any GitHub-hosted runner string; using emoji or region nicknames in production labels; relying on “just set priority: high” without inheritance caps; ignoring aging because “our jobs are fast”—until they are not; skipping secondary queues because dashboards look green on averages. Each of these creates invisible queues that explode during acquisition integrations or dependency upgrades.
Prototype namespace and aging rules on short-lived Mac mini M4 hosts before you mutate production orchestrator settings. NodeMac rents dedicated Apple Silicon Macs with SSH/VNC in Hong Kong, Japan, Korea, Singapore, and the United States so you can replay label storms from captured traces without risking the shared fleet.