diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 6850cb1..9b9e31c 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -112,11 +112,12 @@ jobs:
           key: ${{ matrix.target }}
 
       # eframe needs a few system libs on Linux for window management, keyboard,
-      # and OpenGL/X11/Wayland. On self-hosted these persist across runs so this
-      # is a no-op after the first time; on GH-hosted macOS/Windows the step
-      # is guarded out anyway.
+      # and OpenGL/X11/Wayland. Gated to GitHub-hosted runners only — the
+      # self-hosted runners pre-install all of these once at setup time, and
+      # letting multiple parallel matrix jobs race on `sudo apt-get install`
+      # fights over /var/lib/apt/lists/lock and fails them all.
       - name: Install Linux eframe system deps
-        if: runner.os == 'Linux'
+        if: runner.os == 'Linux' && runner.environment == 'github-hosted'
         run: |
           sudo apt-get update
           sudo apt-get install -y \
@@ -126,8 +127,13 @@ jobs:
             libx11-dev \
             libgl1-mesa-dev libglib2.0-dev libgtk-3-dev
 
+      # Cross-compile toolchains. Same story as above — gated to hosted
+      # runners; self-hosted has gcc-aarch64-linux-gnu + gcc-arm-linux-gnueabihf
+      # pre-installed, and the linker entries live in
+      # /home/ghrunner/cargo-{01,02}/config.toml (seeded once at runner
+      # setup time, picked up via CARGO_HOME env).
       - name: Install aarch64 cross-compile toolchain (Linux only)
-        if: matrix.target == 'aarch64-unknown-linux-gnu'
+        if: matrix.target == 'aarch64-unknown-linux-gnu' && runner.environment == 'github-hosted'
         run: |
           sudo apt-get update
           sudo apt-get install -y gcc-aarch64-linux-gnu
@@ -135,7 +141,7 @@ jobs:
           echo 'linker = "aarch64-linux-gnu-gcc"' >> ~/.cargo/config.toml
 
       - name: Install armhf cross-compile toolchain (Linux only)
-        if: matrix.target == 'arm-unknown-linux-gnueabihf'
+        if: matrix.target == 'arm-unknown-linux-gnueabihf' && runner.environment == 'github-hosted'
         run: |
           sudo apt-get update
           sudo apt-get install -y gcc-arm-linux-gnueabihf
diff --git a/Cargo.lock b/Cargo.lock
index 6727229..a5f6f75 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -2186,7 +2186,7 @@ dependencies = [
 
 [[package]]
 name = "mhrv-rs"
-version = "1.2.4"
+version = "1.2.5"
 dependencies = [
  "base64 0.22.1",
  "bytes",
diff --git a/Cargo.toml b/Cargo.toml
index 1b5f03d..013a010 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "mhrv-rs"
-version = "1.2.4"
+version = "1.2.5"
 edition = "2021"
 description = "Rust port of MasterHttpRelayVPN -- DPI bypass via Google Apps Script relay with domain fronting"
 license = "MIT"
diff --git a/android/app/build.gradle.kts b/android/app/build.gradle.kts
index f803199..288e795 100644
--- a/android/app/build.gradle.kts
+++ b/android/app/build.gradle.kts
@@ -14,8 +14,8 @@ android {
         applicationId = "com.therealaleph.mhrv"
         minSdk = 24 // Android 7.0 — covers 99%+ of live devices.
         targetSdk = 34
-        versionCode = 124
-        versionName = "1.2.4"
+        versionCode = 125
+        versionName = "1.2.5"
 
         // Ship all four mainstream Android ABIs:
         //   - arm64-v8a      — 95%+ of real-world Android phones since 2019
diff --git a/docs/changelog/v1.2.4.md b/docs/changelog/v1.2.5.md
similarity index 71%
rename from docs/changelog/v1.2.4.md
rename to docs/changelog/v1.2.5.md
index c2a1249..8fbf323 100644
--- a/docs/changelog/v1.2.4.md
+++ b/docs/changelog/v1.2.5.md
@@ -2,7 +2,9 @@
 • سخت‌کردن range-parallel: اعتبارسنجی هدر `Content-Range` قبل از دوختن پاسخ‌های ۲۰۶. پاسخ‌های نامعتبر دیگه به صورت ۲۰۰ OK جعلی ترکیب نمی‌شن — probe نامعتبر به GET تکی برمی‌گرده، چانک‌های نامعتبر به پاسخ probe برمی‌گرده (PR #78)
 • رد configهایی که HTTP و SOCKS5 رو روی یک پورت تنظیم کرده‌اند قبل از bind failure زمان اجرا. هم در load config و هم در فرم UI چک می‌شه (PR #79)
 • یادداشت README درباره محدودیت user-CA اندروید 7+ — اپ‌هایی مثل Telegram / WhatsApp / Instagram به CA ما اعتماد نمی‌کنن، برای اون‌ها از PROXY_ONLY یا upstream_socks5 استفاده کنید (issues #74 #81)
+• رفع زیرساخت CI: مراحل apt-get در buildهای Linux فقط روی runnerهای GitHub-hosted اجرا می‌شن. روی runnerهای self-hosted جدید، چندین job موازی روی `/var/lib/apt/lists/lock` رقابت می‌کردن و همه fail می‌شدن. بسته‌ها اکنون در setup runner پیش‌نصب هستند
 ---
 • Range-parallel hardening: validate `Content-Range` before stitching 206 responses. Invalid responses no longer combine into a fake 200 OK — invalid probe falls back to a normal single GET, invalid later chunks fall back to the probe response (PR #78)
 • Reject configs that set HTTP and SOCKS5 to the same port before the runtime bind failure. Enforced both at config-load time and in the UI form (PR #79)
 • README note on the Android 7+ user-CA trust limit — apps like Telegram / WhatsApp / Instagram don't trust user-installed CAs, use PROXY_ONLY or upstream_socks5 for those (issues #74 #81)
+• CI infrastructure fix: apt-get steps on Linux build jobs gated to GitHub-hosted runners only. On the new self-hosted runners, multiple parallel matrix jobs were racing on `/var/lib/apt/lists/lock` and failing all at once. Packages now pre-installed at runner setup time