From 35da504d11948814a40e4fcf6781a3002b7120ae Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Mon, 23 Feb 2026 20:28:07 +0000
Subject: [PATCH 1/3] Initial plan
From 473523bbe5de5438fd6d712fd0980721f6ce5c6d Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Mon, 23 Feb 2026 20:50:48 +0000
Subject: [PATCH 2/3] fix: use runner resolution strategy for unlock and detection jobs (#17962)
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
---
.../agent-performance-analyzer.lock.yml | 2 +-
.../workflows/agent-persona-explorer.lock.yml | 2 +-
.github/workflows/ai-moderator.lock.yml | 2 +-
.github/workflows/archie.lock.yml | 2 +-
.github/workflows/artifacts-summary.lock.yml | 2 +-
.github/workflows/audit-workflows.lock.yml | 2 +-
.github/workflows/auto-triage-issues.lock.yml | 2 +-
.github/workflows/blog-auditor.lock.yml | 2 +-
.github/workflows/brave.lock.yml | 2 +-
.../breaking-change-checker.lock.yml | 2 +-
.github/workflows/changeset.lock.yml | 2 +-
.github/workflows/ci-coach.lock.yml | 2 +-
.github/workflows/ci-doctor.lock.yml | 2 +-
.../claude-code-user-docs-review.lock.yml | 2 +-
.../cli-consistency-checker.lock.yml | 2 +-
.../workflows/cli-version-checker.lock.yml | 2 +-
.github/workflows/cloclo.lock.yml | 2 +-
.../workflows/code-scanning-fixer.lock.yml | 2 +-
.github/workflows/code-simplifier.lock.yml | 2 +-
.../commit-changes-analyzer.lock.yml | 2 +-
.github/workflows/contribution-check.lock.yml | 2 +-
.../workflows/copilot-agent-analysis.lock.yml | 2 +-
.../copilot-cli-deep-research.lock.yml | 2 +-
.../copilot-pr-merged-report.lock.yml | 2 +-
.../copilot-pr-nlp-analysis.lock.yml | 2 +-
.../copilot-pr-prompt-analysis.lock.yml | 2 +-
.../copilot-session-insights.lock.yml | 2 +-
.github/workflows/craft.lock.yml | 2 +-
.../daily-assign-issue-to-user.lock.yml | 2 +-
.github/workflows/daily-choice-test.lock.yml | 2 +-
.../workflows/daily-cli-performance.lock.yml | 2 +-
.../workflows/daily-cli-tools-tester.lock.yml | 2 +-
.github/workflows/daily-code-metrics.lock.yml | 2 +-
.../workflows/daily-compiler-quality.lock.yml | 2 +-
.../daily-copilot-token-report.lock.yml | 2 +-
.github/workflows/daily-doc-updater.lock.yml | 2 +-
.github/workflows/daily-fact.lock.yml | 2 +-
.github/workflows/daily-file-diet.lock.yml | 2 +-
.../workflows/daily-firewall-report.lock.yml | 2 +-
.../workflows/daily-issues-report.lock.yml | 2 +-
.../daily-mcp-concurrency-analysis.lock.yml | 2 +-
.../daily-multi-device-docs-tester.lock.yml | 2 +-
.github/workflows/daily-news.lock.yml | 2 +-
.../daily-observability-report.lock.yml | 2 +-
.../daily-performance-summary.lock.yml | 2 +-
.github/workflows/daily-regulatory.lock.yml | 2 +-
.../daily-rendering-scripts-verifier.lock.yml | 2 +-
.../workflows/daily-repo-chronicle.lock.yml | 2 +-
.../daily-safe-output-optimizer.lock.yml | 2 +-
.../daily-safe-outputs-conformance.lock.yml | 2 +-
.../workflows/daily-secrets-analysis.lock.yml | 2 +-
.../daily-security-red-team.lock.yml | 2 +-
.github/workflows/daily-semgrep-scan.lock.yml | 2 +-
.../daily-syntax-error-quality.lock.yml | 2 +-
.../daily-team-evolution-insights.lock.yml | 2 +-
.github/workflows/daily-team-status.lock.yml | 2 +-
.../daily-testify-uber-super-expert.lock.yml | 2 +-
.../workflows/daily-workflow-updater.lock.yml | 2 +-
.github/workflows/deep-report.lock.yml | 2 +-
.github/workflows/delight.lock.yml | 2 +-
.github/workflows/dependabot-burner.lock.yml | 2 +-
.../workflows/dependabot-go-checker.lock.yml | 2 +-
.github/workflows/dev-hawk.lock.yml | 2 +-
.github/workflows/dev.lock.yml | 2 +-
.../developer-docs-consolidator.lock.yml | 2 +-
.github/workflows/dictation-prompt.lock.yml | 2 +-
.../workflows/discussion-task-miner.lock.yml | 2 +-
.github/workflows/docs-noob-tester.lock.yml | 2 +-
.github/workflows/draft-pr-cleanup.lock.yml | 2 +-
.../duplicate-code-detector.lock.yml | 2 +-
.../example-workflow-analyzer.lock.yml | 2 +-
.github/workflows/firewall-escape.lock.yml | 2 +-
.../workflows/functional-pragmatist.lock.yml | 2 +-
.../github-mcp-structural-analysis.lock.yml | 2 +-
.../github-mcp-tools-report.lock.yml | 2 +-
.../github-remote-mcp-auth-test.lock.yml | 2 +-
.../workflows/glossary-maintainer.lock.yml
| 2 +-
.github/workflows/go-fan.lock.yml | 2 +-
.github/workflows/go-logger.lock.yml | 2 +-
.../workflows/go-pattern-detector.lock.yml | 2 +-
.github/workflows/gpclean.lock.yml | 2 +-
.github/workflows/grumpy-reviewer.lock.yml | 2 +-
.github/workflows/hourly-ci-cleaner.lock.yml | 2 +-
.../workflows/instructions-janitor.lock.yml | 2 +-
.github/workflows/issue-arborist.lock.yml | 2 +-
.github/workflows/issue-monster.lock.yml | 2 +-
.github/workflows/issue-triage-agent.lock.yml | 2 +-
.github/workflows/jsweep.lock.yml | 2 +-
.../workflows/layout-spec-maintainer.lock.yml | 2 +-
.github/workflows/lockfile-stats.lock.yml | 2 +-
.github/workflows/mcp-inspector.lock.yml | 2 +-
.github/workflows/mergefest.lock.yml | 2 +-
.../workflows/notion-issue-summary.lock.yml | 2 +-
.github/workflows/org-health-report.lock.yml | 2 +-
.github/workflows/pdf-summary.lock.yml | 2 +-
.github/workflows/plan.lock.yml | 2 +-
.github/workflows/poem-bot.lock.yml | 2 +-
.github/workflows/portfolio-analyst.lock.yml | 2 +-
.../workflows/pr-nitpick-reviewer.lock.yml | 2 +-
.github/workflows/pr-triage-agent.lock.yml | 2 +-
.../prompt-clustering-analysis.lock.yml | 2 +-
.github/workflows/python-data-charts.lock.yml | 2 +-
.github/workflows/q.lock.yml | 2 +-
.github/workflows/refiner.lock.yml | 2 +-
.github/workflows/release.lock.yml | 2 +-
.../workflows/repo-audit-analyzer.lock.yml | 2 +-
.github/workflows/repo-tree-map.lock.yml | 2 +-
.../repository-quality-improver.lock.yml | 2 +-
.github/workflows/research.lock.yml | 2 +-
.github/workflows/safe-output-health.lock.yml | 2 +-
.../schema-consistency-checker.lock.yml | 2 +-
.github/workflows/scout.lock.yml | 2 +-
.../workflows/security-compliance.lock.yml | 2 +-
.github/workflows/security-review.lock.yml | 2 +-
.../semantic-function-refactor.lock.yml | 2 +-
.github/workflows/sergo.lock.yml | 2 +-
.../workflows/slide-deck-maintainer.lock.yml | 2 +-
.github/workflows/smoke-agent.lock.yml | 2 +-
.github/workflows/smoke-claude.lock.yml | 2 +-
.github/workflows/smoke-codex.lock.yml | 2 +-
.github/workflows/smoke-copilot-arm.lock.yml | 2 +-
.github/workflows/smoke-copilot.lock.yml | 2 +-
.github/workflows/smoke-gemini.lock.yml | 2 +-
.github/workflows/smoke-multi-pr.lock.yml | 2 +-
.github/workflows/smoke-project.lock.yml | 2 +-
.github/workflows/smoke-temporary-id.lock.yml | 2 +-
.github/workflows/smoke-test-tools.lock.yml | 2 +-
.../workflows/stale-repo-identifier.lock.yml | 2 +-
.../workflows/static-analysis-report.lock.yml | 2 +-
.../workflows/step-name-alignment.lock.yml | 2 +-
.github/workflows/sub-issue-closer.lock.yml | 2 +-
.github/workflows/super-linter.lock.yml | 2 +-
.../workflows/technical-doc-writer.lock.yml | 2 +-
.github/workflows/terminal-stylist.lock.yml | 2 +-
.../test-create-pr-error-handling.lock.yml | 2 +-
.github/workflows/test-dispatcher.lock.yml | 2 +-
.../test-project-url-default.lock.yml | 2 +-
.github/workflows/tidy.lock.yml | 2 +-
.github/workflows/typist.lock.yml | 2 +-
.../workflows/ubuntu-image-analyzer.lock.yml | 2 +-
.github/workflows/unbloat-docs.lock.yml | 2 +-
.github/workflows/video-analyzer.lock.yml | 2 +-
.../weekly-editors-health-check.lock.yml | 2 +-
.../workflows/weekly-issue-summary.lock.yml | 2 +-
.../weekly-safe-outputs-spec-review.lock.yml | 2 +-
.github/workflows/workflow-generator.lock.yml | 4 +-
.../workflow-health-manager.lock.yml | 2 +-
.../workflows/workflow-normalizer.lock.yml | 2 +-
.../workflow-skill-extractor.lock.yml | 2 +-
pkg/parser/schemas/main_workflow_schema.json | 4 +
pkg/workflow/compiler_unlock_job.go | 2 +-
pkg/workflow/safe_outputs_config_helpers.go | 14 ++
pkg/workflow/safe_outputs_runs_on_test.go | 145 ++++++++++++++++++
pkg/workflow/threat_detection.go | 10 +-
pkg/workflow/threat_detection_test.go | 86 ++++++++++-
155 files changed, 407 insertions(+), 154 deletions(-)
diff --git a/.github/workflows/agent-performance-analyzer.lock.yml b/.github/workflows/agent-performance-analyzer.lock.yml
index 6b60bde99a3..ef2c024e5e8 100644
--- a/.github/workflows/agent-performance-analyzer.lock.yml +++ b/.github/workflows/agent-performance-analyzer.lock.yml @@ -1136,7 +1136,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/agent-persona-explorer.lock.yml b/.github/workflows/agent-persona-explorer.lock.yml index 8b5e9aa558d..b274e13053c 100644 --- a/.github/workflows/agent-persona-explorer.lock.yml +++ b/.github/workflows/agent-persona-explorer.lock.yml @@ -1008,7 +1008,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/ai-moderator.lock.yml b/.github/workflows/ai-moderator.lock.yml index bf355f9feab..0e07f755f4f 100644 --- a/.github/workflows/ai-moderator.lock.yml +++ b/.github/workflows/ai-moderator.lock.yml @@ -1129,7 +1129,7 @@ jobs: - activation - agent if: always() - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read issues: write diff --git a/.github/workflows/archie.lock.yml b/.github/workflows/archie.lock.yml index 092a41118cf..496c84f55a2 100644 --- a/.github/workflows/archie.lock.yml +++ b/.github/workflows/archie.lock.yml @@ -960,7 +960,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/artifacts-summary.lock.yml b/.github/workflows/artifacts-summary.lock.yml index 87e04ac4550..e3596c6a96d 100644 --- a/.github/workflows/artifacts-summary.lock.yml +++ b/.github/workflows/artifacts-summary.lock.yml 
@@ -915,7 +915,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/audit-workflows.lock.yml b/.github/workflows/audit-workflows.lock.yml index 7b07e1ea80c..55db03f2ff7 100644 --- a/.github/workflows/audit-workflows.lock.yml +++ b/.github/workflows/audit-workflows.lock.yml @@ -1174,7 +1174,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/auto-triage-issues.lock.yml b/.github/workflows/auto-triage-issues.lock.yml index 909daf9069a..9d592ff6a37 100644 --- a/.github/workflows/auto-triage-issues.lock.yml +++ b/.github/workflows/auto-triage-issues.lock.yml @@ -985,7 +985,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/blog-auditor.lock.yml b/.github/workflows/blog-auditor.lock.yml index 8efdeee8f31..3b6f2224182 100644 --- a/.github/workflows/blog-auditor.lock.yml +++ b/.github/workflows/blog-auditor.lock.yml @@ -1025,7 +1025,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/brave.lock.yml b/.github/workflows/brave.lock.yml index 6b30c736299..d638cbb43e4 100644 --- a/.github/workflows/brave.lock.yml +++ b/.github/workflows/brave.lock.yml 
@@ -948,7 +948,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/breaking-change-checker.lock.yml b/.github/workflows/breaking-change-checker.lock.yml index 3406b5a4ac5..409f6495876 100644 --- a/.github/workflows/breaking-change-checker.lock.yml +++ b/.github/workflows/breaking-change-checker.lock.yml @@ -961,7 +961,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/changeset.lock.yml b/.github/workflows/changeset.lock.yml index bf56befc79b..e150955f32d 100644 --- a/.github/workflows/changeset.lock.yml +++ b/.github/workflows/changeset.lock.yml @@ -1036,7 +1036,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/ci-coach.lock.yml b/.github/workflows/ci-coach.lock.yml index 34b57a60b50..59f312011fa 100644 --- a/.github/workflows/ci-coach.lock.yml +++ b/.github/workflows/ci-coach.lock.yml @@ -1035,7 +1035,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/ci-doctor.lock.yml b/.github/workflows/ci-doctor.lock.yml index 97c9b48aea1..50f5d79b07e 100644 --- a/.github/workflows/ci-doctor.lock.yml +++ b/.github/workflows/ci-doctor.lock.yml 
@@ -1163,7 +1163,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/claude-code-user-docs-review.lock.yml b/.github/workflows/claude-code-user-docs-review.lock.yml index 2e2b5520d4c..8d9046de49a 100644 --- a/.github/workflows/claude-code-user-docs-review.lock.yml +++ b/.github/workflows/claude-code-user-docs-review.lock.yml @@ -986,7 +986,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/cli-consistency-checker.lock.yml b/.github/workflows/cli-consistency-checker.lock.yml index e3d36d5f9cb..2ff51d03d17 100644 --- a/.github/workflows/cli-consistency-checker.lock.yml +++ b/.github/workflows/cli-consistency-checker.lock.yml @@ -925,7 +925,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/cli-version-checker.lock.yml b/.github/workflows/cli-version-checker.lock.yml index 181dafb4617..a84260ad3e1 100644 --- a/.github/workflows/cli-version-checker.lock.yml +++ b/.github/workflows/cli-version-checker.lock.yml @@ -1014,7 +1014,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/cloclo.lock.yml b/.github/workflows/cloclo.lock.yml index 24e7a256451..e6630a74952 100644 --- a/.github/workflows/cloclo.lock.yml +++ b/.github/workflows/cloclo.lock.yml 
@@ -1308,7 +1308,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/code-scanning-fixer.lock.yml b/.github/workflows/code-scanning-fixer.lock.yml index 06c466a0355..bc0611772bf 100644 --- a/.github/workflows/code-scanning-fixer.lock.yml +++ b/.github/workflows/code-scanning-fixer.lock.yml @@ -1038,7 +1038,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/code-simplifier.lock.yml b/.github/workflows/code-simplifier.lock.yml index ab3b4dc29a1..7f2d7b09ccd 100644 --- a/.github/workflows/code-simplifier.lock.yml +++ b/.github/workflows/code-simplifier.lock.yml @@ -962,7 +962,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/commit-changes-analyzer.lock.yml b/.github/workflows/commit-changes-analyzer.lock.yml index e77e7dec5de..025e106abc9 100644 --- a/.github/workflows/commit-changes-analyzer.lock.yml +++ b/.github/workflows/commit-changes-analyzer.lock.yml @@ -966,7 +966,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/contribution-check.lock.yml b/.github/workflows/contribution-check.lock.yml index 02f9db1a005..a9188b0f59c 100644 --- a/.github/workflows/contribution-check.lock.yml +++ b/.github/workflows/contribution-check.lock.yml 
@@ -999,7 +999,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/copilot-agent-analysis.lock.yml b/.github/workflows/copilot-agent-analysis.lock.yml index 9a0a4e5e0f9..c2a55b2d985 100644 --- a/.github/workflows/copilot-agent-analysis.lock.yml +++ b/.github/workflows/copilot-agent-analysis.lock.yml @@ -1046,7 +1046,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/copilot-cli-deep-research.lock.yml b/.github/workflows/copilot-cli-deep-research.lock.yml index 797bd9bb892..9a637e49829 100644 --- a/.github/workflows/copilot-cli-deep-research.lock.yml +++ b/.github/workflows/copilot-cli-deep-research.lock.yml @@ -977,7 +977,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/copilot-pr-merged-report.lock.yml b/.github/workflows/copilot-pr-merged-report.lock.yml index 2bd196cd9f3..bc42ef355cb 100644 --- a/.github/workflows/copilot-pr-merged-report.lock.yml +++ b/.github/workflows/copilot-pr-merged-report.lock.yml @@ -1085,7 +1085,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/copilot-pr-nlp-analysis.lock.yml b/.github/workflows/copilot-pr-nlp-analysis.lock.yml index f677e8e16e4..ab994bdc294 100644 --- a/.github/workflows/copilot-pr-nlp-analysis.lock.yml +++ b/.github/workflows/copilot-pr-nlp-analysis.lock.yml 
@@ -1073,7 +1073,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/copilot-pr-prompt-analysis.lock.yml b/.github/workflows/copilot-pr-prompt-analysis.lock.yml index b02f6ce795e..74c2fb708cb 100644 --- a/.github/workflows/copilot-pr-prompt-analysis.lock.yml +++ b/.github/workflows/copilot-pr-prompt-analysis.lock.yml @@ -997,7 +997,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/copilot-session-insights.lock.yml b/.github/workflows/copilot-session-insights.lock.yml index 0f6f6139455..2061162aa2a 100644 --- a/.github/workflows/copilot-session-insights.lock.yml +++ b/.github/workflows/copilot-session-insights.lock.yml @@ -1125,7 +1125,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/craft.lock.yml b/.github/workflows/craft.lock.yml index ab401e26573..72300364f8b 100644 --- a/.github/workflows/craft.lock.yml +++ b/.github/workflows/craft.lock.yml @@ -986,7 +986,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/daily-assign-issue-to-user.lock.yml b/.github/workflows/daily-assign-issue-to-user.lock.yml index 61d4a858f45..326f68e7e3d 100644 --- a/.github/workflows/daily-assign-issue-to-user.lock.yml +++ b/.github/workflows/daily-assign-issue-to-user.lock.yml 
@@ -941,7 +941,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/daily-choice-test.lock.yml b/.github/workflows/daily-choice-test.lock.yml index 1e15d90232e..a4e7bfa6d07 100644 --- a/.github/workflows/daily-choice-test.lock.yml +++ b/.github/workflows/daily-choice-test.lock.yml @@ -928,7 +928,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/daily-cli-performance.lock.yml b/.github/workflows/daily-cli-performance.lock.yml index 6b042962586..227cda5bff2 100644 --- a/.github/workflows/daily-cli-performance.lock.yml +++ b/.github/workflows/daily-cli-performance.lock.yml @@ -1167,7 +1167,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/daily-cli-tools-tester.lock.yml b/.github/workflows/daily-cli-tools-tester.lock.yml index 4ed472d3b96..d42a7840e62 100644 --- a/.github/workflows/daily-cli-tools-tester.lock.yml +++ b/.github/workflows/daily-cli-tools-tester.lock.yml @@ -993,7 +993,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/daily-code-metrics.lock.yml b/.github/workflows/daily-code-metrics.lock.yml index b3d631d23e7..2da8fa916cb 100644 --- a/.github/workflows/daily-code-metrics.lock.yml +++ b/.github/workflows/daily-code-metrics.lock.yml 
@@ -1103,7 +1103,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/daily-compiler-quality.lock.yml b/.github/workflows/daily-compiler-quality.lock.yml index 3ad3b061f0b..81e3f7d64fd 100644 --- a/.github/workflows/daily-compiler-quality.lock.yml +++ b/.github/workflows/daily-compiler-quality.lock.yml @@ -973,7 +973,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/daily-copilot-token-report.lock.yml b/.github/workflows/daily-copilot-token-report.lock.yml index 3fdf2739297..c64b1455f01 100644 --- a/.github/workflows/daily-copilot-token-report.lock.yml +++ b/.github/workflows/daily-copilot-token-report.lock.yml @@ -1084,7 +1084,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/daily-doc-updater.lock.yml b/.github/workflows/daily-doc-updater.lock.yml index 8d8f9dd4948..aae0aaa8021 100644 --- a/.github/workflows/daily-doc-updater.lock.yml +++ b/.github/workflows/daily-doc-updater.lock.yml @@ -1047,7 +1047,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/daily-fact.lock.yml b/.github/workflows/daily-fact.lock.yml index 49e43c7acab..788aa570f30 100644 --- a/.github/workflows/daily-fact.lock.yml +++ b/.github/workflows/daily-fact.lock.yml 
@@ -878,7 +878,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: {} concurrency: group: "gh-aw-codex-${{ github.workflow }}" diff --git a/.github/workflows/daily-file-diet.lock.yml b/.github/workflows/daily-file-diet.lock.yml index 314c9bdb873..7e9151e2caa 100644 --- a/.github/workflows/daily-file-diet.lock.yml +++ b/.github/workflows/daily-file-diet.lock.yml @@ -977,7 +977,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/daily-firewall-report.lock.yml b/.github/workflows/daily-firewall-report.lock.yml index bea723f0058..3cb2a827bcf 100644 --- a/.github/workflows/daily-firewall-report.lock.yml +++ b/.github/workflows/daily-firewall-report.lock.yml @@ -1080,7 +1080,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/daily-issues-report.lock.yml b/.github/workflows/daily-issues-report.lock.yml index 7a7674e74b9..66a75ff6b00 100644 --- a/.github/workflows/daily-issues-report.lock.yml +++ b/.github/workflows/daily-issues-report.lock.yml @@ -1106,7 +1106,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/daily-mcp-concurrency-analysis.lock.yml b/.github/workflows/daily-mcp-concurrency-analysis.lock.yml index 5e3b4fc5210..fac788e2ca1 100644 --- a/.github/workflows/daily-mcp-concurrency-analysis.lock.yml +++ b/.github/workflows/daily-mcp-concurrency-analysis.lock.yml 
@@ -1024,7 +1024,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/daily-multi-device-docs-tester.lock.yml b/.github/workflows/daily-multi-device-docs-tester.lock.yml index e483a2d098d..2efc9966c39 100644 --- a/.github/workflows/daily-multi-device-docs-tester.lock.yml +++ b/.github/workflows/daily-multi-device-docs-tester.lock.yml @@ -1102,7 +1102,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/daily-news.lock.yml b/.github/workflows/daily-news.lock.yml index 52c10672702..ba79f1f48b1 100644 --- a/.github/workflows/daily-news.lock.yml +++ b/.github/workflows/daily-news.lock.yml @@ -1146,7 +1146,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/daily-observability-report.lock.yml b/.github/workflows/daily-observability-report.lock.yml index b054d9f5852..e5539bc6ded 100644 --- a/.github/workflows/daily-observability-report.lock.yml +++ b/.github/workflows/daily-observability-report.lock.yml @@ -1063,7 +1063,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/daily-performance-summary.lock.yml b/.github/workflows/daily-performance-summary.lock.yml index 9e81507527d..5cf5c81bcaf 100644 --- a/.github/workflows/daily-performance-summary.lock.yml +++ b/.github/workflows/daily-performance-summary.lock.yml 
@@ -1569,7 +1569,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/daily-regulatory.lock.yml b/.github/workflows/daily-regulatory.lock.yml index 9e846470afd..19c84fd8a07 100644 --- a/.github/workflows/daily-regulatory.lock.yml +++ b/.github/workflows/daily-regulatory.lock.yml @@ -1461,7 +1461,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/daily-rendering-scripts-verifier.lock.yml b/.github/workflows/daily-rendering-scripts-verifier.lock.yml index dc3afa5a572..d7a5134233d 100644 --- a/.github/workflows/daily-rendering-scripts-verifier.lock.yml +++ b/.github/workflows/daily-rendering-scripts-verifier.lock.yml @@ -1133,7 +1133,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/daily-repo-chronicle.lock.yml b/.github/workflows/daily-repo-chronicle.lock.yml index eed552b7b39..444271a0472 100644 --- a/.github/workflows/daily-repo-chronicle.lock.yml +++ b/.github/workflows/daily-repo-chronicle.lock.yml @@ -1015,7 +1015,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/daily-safe-output-optimizer.lock.yml b/.github/workflows/daily-safe-output-optimizer.lock.yml index beff45446ff..983942235cd 100644 --- a/.github/workflows/daily-safe-output-optimizer.lock.yml +++ b/.github/workflows/daily-safe-output-optimizer.lock.yml 
@@ -1103,7 +1103,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/daily-safe-outputs-conformance.lock.yml b/.github/workflows/daily-safe-outputs-conformance.lock.yml index 86485c36d50..5d3589f84c4 100644 --- a/.github/workflows/daily-safe-outputs-conformance.lock.yml +++ b/.github/workflows/daily-safe-outputs-conformance.lock.yml @@ -981,7 +981,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/daily-secrets-analysis.lock.yml b/.github/workflows/daily-secrets-analysis.lock.yml index 81c35b24d09..3f7bcd6e285 100644 --- a/.github/workflows/daily-secrets-analysis.lock.yml +++ b/.github/workflows/daily-secrets-analysis.lock.yml @@ -979,7 +979,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/daily-security-red-team.lock.yml b/.github/workflows/daily-security-red-team.lock.yml index f6a0e4609f4..cade40d225b 100644 --- a/.github/workflows/daily-security-red-team.lock.yml +++ b/.github/workflows/daily-security-red-team.lock.yml @@ -985,7 +985,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/daily-semgrep-scan.lock.yml b/.github/workflows/daily-semgrep-scan.lock.yml index 86e246d5855..5eed9849ea2 100644 --- a/.github/workflows/daily-semgrep-scan.lock.yml +++ b/.github/workflows/daily-semgrep-scan.lock.yml 
@@ -963,7 +963,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/daily-syntax-error-quality.lock.yml b/.github/workflows/daily-syntax-error-quality.lock.yml index cb4d289abac..68137fae243 100644 --- a/.github/workflows/daily-syntax-error-quality.lock.yml +++ b/.github/workflows/daily-syntax-error-quality.lock.yml @@ -958,7 +958,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/daily-team-evolution-insights.lock.yml b/.github/workflows/daily-team-evolution-insights.lock.yml index dffba2df653..b8173e44d68 100644 --- a/.github/workflows/daily-team-evolution-insights.lock.yml +++ b/.github/workflows/daily-team-evolution-insights.lock.yml @@ -965,7 +965,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/daily-team-status.lock.yml b/.github/workflows/daily-team-status.lock.yml index b16d7ed6a83..391dfbade44 100644 --- a/.github/workflows/daily-team-status.lock.yml +++ b/.github/workflows/daily-team-status.lock.yml @@ -953,7 +953,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/daily-testify-uber-super-expert.lock.yml b/.github/workflows/daily-testify-uber-super-expert.lock.yml index b0adb64bbca..f1357a22056 100644 --- a/.github/workflows/daily-testify-uber-super-expert.lock.yml 
+++ b/.github/workflows/daily-testify-uber-super-expert.lock.yml @@ -1016,7 +1016,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/daily-workflow-updater.lock.yml b/.github/workflows/daily-workflow-updater.lock.yml index 19903bd8b0c..16c35b4a6e3 100644 --- a/.github/workflows/daily-workflow-updater.lock.yml +++ b/.github/workflows/daily-workflow-updater.lock.yml @@ -948,7 +948,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/deep-report.lock.yml b/.github/workflows/deep-report.lock.yml index 9415fcea20d..4dfb1d5c6ee 100644 --- a/.github/workflows/deep-report.lock.yml +++ b/.github/workflows/deep-report.lock.yml @@ -1193,7 +1193,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/delight.lock.yml b/.github/workflows/delight.lock.yml index 23ef1a3d1ee..33a52c3457c 100644 --- a/.github/workflows/delight.lock.yml +++ b/.github/workflows/delight.lock.yml @@ -1062,7 +1062,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/dependabot-burner.lock.yml b/.github/workflows/dependabot-burner.lock.yml index e7eb50b43fe..dd296a7a19f 100644 --- a/.github/workflows/dependabot-burner.lock.yml +++ b/.github/workflows/dependabot-burner.lock.yml 
@@ -926,7 +926,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/dependabot-go-checker.lock.yml b/.github/workflows/dependabot-go-checker.lock.yml index e3de227867f..ed140fa0459 100644 --- a/.github/workflows/dependabot-go-checker.lock.yml +++ b/.github/workflows/dependabot-go-checker.lock.yml @@ -967,7 +967,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/dev-hawk.lock.yml b/.github/workflows/dev-hawk.lock.yml index 4cf96de2508..f010d8d5179 100644 --- a/.github/workflows/dev-hawk.lock.yml +++ b/.github/workflows/dev-hawk.lock.yml @@ -1010,7 +1010,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/dev.lock.yml b/.github/workflows/dev.lock.yml index b601e2942bd..ba25480b941 100644 --- a/.github/workflows/dev.lock.yml +++ b/.github/workflows/dev.lock.yml @@ -922,7 +922,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/developer-docs-consolidator.lock.yml b/.github/workflows/developer-docs-consolidator.lock.yml index 3a279438c5b..4da22a898aa 100644 --- a/.github/workflows/developer-docs-consolidator.lock.yml +++ b/.github/workflows/developer-docs-consolidator.lock.yml 
@@ -1127,7 +1127,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/dictation-prompt.lock.yml b/.github/workflows/dictation-prompt.lock.yml index bb66be51d8a..71282dc2aec 100644 --- a/.github/workflows/dictation-prompt.lock.yml +++ b/.github/workflows/dictation-prompt.lock.yml @@ -949,7 +949,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/discussion-task-miner.lock.yml b/.github/workflows/discussion-task-miner.lock.yml index f1f5947d83f..4b714e05c4a 100644 --- a/.github/workflows/discussion-task-miner.lock.yml +++ b/.github/workflows/discussion-task-miner.lock.yml @@ -1043,7 +1043,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/docs-noob-tester.lock.yml b/.github/workflows/docs-noob-tester.lock.yml index 55dd3494ac7..3779dfec6a8 100644 --- a/.github/workflows/docs-noob-tester.lock.yml +++ b/.github/workflows/docs-noob-tester.lock.yml @@ -965,7 +965,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/draft-pr-cleanup.lock.yml b/.github/workflows/draft-pr-cleanup.lock.yml index a7c5914eebd..47e494031aa 100644 --- a/.github/workflows/draft-pr-cleanup.lock.yml +++ b/.github/workflows/draft-pr-cleanup.lock.yml 
@@ -972,7 +972,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/duplicate-code-detector.lock.yml b/.github/workflows/duplicate-code-detector.lock.yml index d760d03ce03..0a036e60bba 100644 --- a/.github/workflows/duplicate-code-detector.lock.yml +++ b/.github/workflows/duplicate-code-detector.lock.yml @@ -977,7 +977,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/example-workflow-analyzer.lock.yml b/.github/workflows/example-workflow-analyzer.lock.yml index fa5e4a53ff6..204257f7d2b 100644 --- a/.github/workflows/example-workflow-analyzer.lock.yml +++ b/.github/workflows/example-workflow-analyzer.lock.yml @@ -1024,7 +1024,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/firewall-escape.lock.yml b/.github/workflows/firewall-escape.lock.yml index 3ff52bd8ff3..06efa6cf1cb 100644 --- a/.github/workflows/firewall-escape.lock.yml +++ b/.github/workflows/firewall-escape.lock.yml @@ -995,7 +995,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/functional-pragmatist.lock.yml b/.github/workflows/functional-pragmatist.lock.yml index 55d04e81a12..a4de7534fd9 100644 --- a/.github/workflows/functional-pragmatist.lock.yml +++ b/.github/workflows/functional-pragmatist.lock.yml 
@@ -956,7 +956,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/github-mcp-structural-analysis.lock.yml b/.github/workflows/github-mcp-structural-analysis.lock.yml index 50fc308b9c5..76b7932a39e 100644 --- a/.github/workflows/github-mcp-structural-analysis.lock.yml +++ b/.github/workflows/github-mcp-structural-analysis.lock.yml @@ -1060,7 +1060,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/github-mcp-tools-report.lock.yml b/.github/workflows/github-mcp-tools-report.lock.yml index f3e680bea0d..d45f7956809 100644 --- a/.github/workflows/github-mcp-tools-report.lock.yml +++ b/.github/workflows/github-mcp-tools-report.lock.yml @@ -1084,7 +1084,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/github-remote-mcp-auth-test.lock.yml b/.github/workflows/github-remote-mcp-auth-test.lock.yml index 42716c2487e..5620870131b 100644 --- a/.github/workflows/github-remote-mcp-auth-test.lock.yml +++ b/.github/workflows/github-remote-mcp-auth-test.lock.yml @@ -919,7 +919,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/glossary-maintainer.lock.yml b/.github/workflows/glossary-maintainer.lock.yml index b94ef238a3c..a5702f52771 100644 --- a/.github/workflows/glossary-maintainer.lock.yml 
+++ b/.github/workflows/glossary-maintainer.lock.yml @@ -1029,7 +1029,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/go-fan.lock.yml b/.github/workflows/go-fan.lock.yml index 6457728b454..c760c2e8bee 100644 --- a/.github/workflows/go-fan.lock.yml +++ b/.github/workflows/go-fan.lock.yml @@ -1030,7 +1030,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/go-logger.lock.yml b/.github/workflows/go-logger.lock.yml index 6f369d4cdec..23ab513e8f3 100644 --- a/.github/workflows/go-logger.lock.yml +++ b/.github/workflows/go-logger.lock.yml @@ -1212,7 +1212,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/go-pattern-detector.lock.yml b/.github/workflows/go-pattern-detector.lock.yml index 79d84725908..45583215c9a 100644 --- a/.github/workflows/go-pattern-detector.lock.yml +++ b/.github/workflows/go-pattern-detector.lock.yml @@ -1023,7 +1023,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/gpclean.lock.yml b/.github/workflows/gpclean.lock.yml index 7e343def11e..77d2b3cabf6 100644 --- a/.github/workflows/gpclean.lock.yml +++ b/.github/workflows/gpclean.lock.yml 
@@ -954,7 +954,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/grumpy-reviewer.lock.yml b/.github/workflows/grumpy-reviewer.lock.yml index c96fd808429..2001f91faf9 100644 --- a/.github/workflows/grumpy-reviewer.lock.yml +++ b/.github/workflows/grumpy-reviewer.lock.yml @@ -1033,7 +1033,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/hourly-ci-cleaner.lock.yml b/.github/workflows/hourly-ci-cleaner.lock.yml index a5d1aa587a5..33fff48881c 100644 --- a/.github/workflows/hourly-ci-cleaner.lock.yml +++ b/.github/workflows/hourly-ci-cleaner.lock.yml @@ -1055,7 +1055,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/instructions-janitor.lock.yml b/.github/workflows/instructions-janitor.lock.yml index 913eed7b955..56dcac3e9d9 100644 --- a/.github/workflows/instructions-janitor.lock.yml +++ b/.github/workflows/instructions-janitor.lock.yml @@ -1040,7 +1040,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/issue-arborist.lock.yml b/.github/workflows/issue-arborist.lock.yml index 9aebfb36e9e..8589a37951d 100644 --- a/.github/workflows/issue-arborist.lock.yml +++ b/.github/workflows/issue-arborist.lock.yml 
@@ -1047,7 +1047,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/issue-monster.lock.yml b/.github/workflows/issue-monster.lock.yml index 7422eac001f..2320dce2156 100644 --- a/.github/workflows/issue-monster.lock.yml +++ b/.github/workflows/issue-monster.lock.yml @@ -974,7 +974,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/issue-triage-agent.lock.yml b/.github/workflows/issue-triage-agent.lock.yml index 61877f91eff..b1b16e65adf 100644 --- a/.github/workflows/issue-triage-agent.lock.yml +++ b/.github/workflows/issue-triage-agent.lock.yml @@ -911,7 +911,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/jsweep.lock.yml b/.github/workflows/jsweep.lock.yml index 0f118dbf7d9..8881028c607 100644 --- a/.github/workflows/jsweep.lock.yml +++ b/.github/workflows/jsweep.lock.yml @@ -992,7 +992,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/layout-spec-maintainer.lock.yml b/.github/workflows/layout-spec-maintainer.lock.yml index bd500555351..b3eb7555ddc 100644 --- a/.github/workflows/layout-spec-maintainer.lock.yml +++ b/.github/workflows/layout-spec-maintainer.lock.yml 
@@ -985,7 +985,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/lockfile-stats.lock.yml b/.github/workflows/lockfile-stats.lock.yml index cd94860773d..fa504c0f0d4 100644 --- a/.github/workflows/lockfile-stats.lock.yml +++ b/.github/workflows/lockfile-stats.lock.yml @@ -986,7 +986,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/mcp-inspector.lock.yml b/.github/workflows/mcp-inspector.lock.yml index eee7dc265ed..1a030fd48c5 100644 --- a/.github/workflows/mcp-inspector.lock.yml +++ b/.github/workflows/mcp-inspector.lock.yml @@ -1325,7 +1325,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/mergefest.lock.yml b/.github/workflows/mergefest.lock.yml index 380a74e6007..e00ea31cf1f 100644 --- a/.github/workflows/mergefest.lock.yml +++ b/.github/workflows/mergefest.lock.yml @@ -977,7 +977,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/notion-issue-summary.lock.yml b/.github/workflows/notion-issue-summary.lock.yml index 0a8b89e45aa..9d4c7b904bb 100644 --- a/.github/workflows/notion-issue-summary.lock.yml +++ b/.github/workflows/notion-issue-summary.lock.yml 
@@ -892,7 +892,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/org-health-report.lock.yml b/.github/workflows/org-health-report.lock.yml index 43d59d4d8af..357dfce9540 100644 --- a/.github/workflows/org-health-report.lock.yml +++ b/.github/workflows/org-health-report.lock.yml @@ -1014,7 +1014,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/pdf-summary.lock.yml b/.github/workflows/pdf-summary.lock.yml index d38bc6e6aab..3e67c00daab 100644 --- a/.github/workflows/pdf-summary.lock.yml +++ b/.github/workflows/pdf-summary.lock.yml @@ -1049,7 +1049,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/plan.lock.yml b/.github/workflows/plan.lock.yml index d653268b192..66d7791862c 100644 --- a/.github/workflows/plan.lock.yml +++ b/.github/workflows/plan.lock.yml @@ -1015,7 +1015,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/poem-bot.lock.yml b/.github/workflows/poem-bot.lock.yml index 68544e9609c..47beac5519b 100644 --- a/.github/workflows/poem-bot.lock.yml +++ b/.github/workflows/poem-bot.lock.yml 
@@ -1653,7 +1653,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/portfolio-analyst.lock.yml b/.github/workflows/portfolio-analyst.lock.yml index 00575ebc0c4..4968f0f6389 100644 --- a/.github/workflows/portfolio-analyst.lock.yml +++ b/.github/workflows/portfolio-analyst.lock.yml @@ -1091,7 +1091,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/pr-nitpick-reviewer.lock.yml b/.github/workflows/pr-nitpick-reviewer.lock.yml index 3cb02184693..9464c90a388 100644 --- a/.github/workflows/pr-nitpick-reviewer.lock.yml +++ b/.github/workflows/pr-nitpick-reviewer.lock.yml @@ -1122,7 +1122,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/pr-triage-agent.lock.yml b/.github/workflows/pr-triage-agent.lock.yml index a1d281e9db1..3cee1402e53 100644 --- a/.github/workflows/pr-triage-agent.lock.yml +++ b/.github/workflows/pr-triage-agent.lock.yml @@ -1045,7 +1045,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/prompt-clustering-analysis.lock.yml b/.github/workflows/prompt-clustering-analysis.lock.yml index 2c48f7411f5..8fad76f30da 100644 --- a/.github/workflows/prompt-clustering-analysis.lock.yml +++ b/.github/workflows/prompt-clustering-analysis.lock.yml 
@@ -1117,7 +1117,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/python-data-charts.lock.yml b/.github/workflows/python-data-charts.lock.yml index d7c80468a19..318d27c0316 100644 --- a/.github/workflows/python-data-charts.lock.yml +++ b/.github/workflows/python-data-charts.lock.yml @@ -1077,7 +1077,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/q.lock.yml b/.github/workflows/q.lock.yml index 20900388aec..98faa68a5d2 100644 --- a/.github/workflows/q.lock.yml +++ b/.github/workflows/q.lock.yml @@ -1171,7 +1171,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/refiner.lock.yml b/.github/workflows/refiner.lock.yml index 5c4c3952a16..e7fb8d19634 100644 --- a/.github/workflows/refiner.lock.yml +++ b/.github/workflows/refiner.lock.yml @@ -1015,7 +1015,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/release.lock.yml b/.github/workflows/release.lock.yml index 00ed0c78f31..6f5397aa851 100644 --- a/.github/workflows/release.lock.yml +++ b/.github/workflows/release.lock.yml @@ -1038,7 +1038,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: 
diff --git a/.github/workflows/repo-audit-analyzer.lock.yml b/.github/workflows/repo-audit-analyzer.lock.yml index bd293dd7e8f..923a5c9d113 100644 --- a/.github/workflows/repo-audit-analyzer.lock.yml +++ b/.github/workflows/repo-audit-analyzer.lock.yml @@ -954,7 +954,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/repo-tree-map.lock.yml b/.github/workflows/repo-tree-map.lock.yml index b0ce5200578..0458c7a293e 100644 --- a/.github/workflows/repo-tree-map.lock.yml +++ b/.github/workflows/repo-tree-map.lock.yml @@ -911,7 +911,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/repository-quality-improver.lock.yml b/.github/workflows/repository-quality-improver.lock.yml index 941cd6cf916..b37ed00717f 100644 --- a/.github/workflows/repository-quality-improver.lock.yml +++ b/.github/workflows/repository-quality-improver.lock.yml @@ -956,7 +956,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/research.lock.yml b/.github/workflows/research.lock.yml index 1f797889a6f..f0153956916 100644 --- a/.github/workflows/research.lock.yml +++ b/.github/workflows/research.lock.yml @@ -939,7 +939,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: 
diff --git a/.github/workflows/safe-output-health.lock.yml b/.github/workflows/safe-output-health.lock.yml index 4a9a4b28280..7625a88cc8e 100644 --- a/.github/workflows/safe-output-health.lock.yml +++ b/.github/workflows/safe-output-health.lock.yml @@ -1079,7 +1079,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/schema-consistency-checker.lock.yml b/.github/workflows/schema-consistency-checker.lock.yml index 008758bc27c..e4cc0952a67 100644 --- a/.github/workflows/schema-consistency-checker.lock.yml +++ b/.github/workflows/schema-consistency-checker.lock.yml @@ -987,7 +987,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/scout.lock.yml b/.github/workflows/scout.lock.yml index cbccebf720c..3ca16607ac7 100644 --- a/.github/workflows/scout.lock.yml +++ b/.github/workflows/scout.lock.yml @@ -1131,7 +1131,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/security-compliance.lock.yml b/.github/workflows/security-compliance.lock.yml index ab14c1a9a77..bf6032a3ae0 100644 --- a/.github/workflows/security-compliance.lock.yml +++ b/.github/workflows/security-compliance.lock.yml @@ -993,7 +993,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read timeout-minutes: 10 
diff --git a/.github/workflows/security-review.lock.yml b/.github/workflows/security-review.lock.yml index fd5358a5b04..26fa0b1d657 100644 --- a/.github/workflows/security-review.lock.yml +++ b/.github/workflows/security-review.lock.yml @@ -1104,7 +1104,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/semantic-function-refactor.lock.yml b/.github/workflows/semantic-function-refactor.lock.yml index b1b86538bab..14cc40703ef 100644 --- a/.github/workflows/semantic-function-refactor.lock.yml +++ b/.github/workflows/semantic-function-refactor.lock.yml @@ -1059,7 +1059,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/sergo.lock.yml b/.github/workflows/sergo.lock.yml index 825e29f1dff..15bffe5f393 100644 --- a/.github/workflows/sergo.lock.yml +++ b/.github/workflows/sergo.lock.yml @@ -1029,7 +1029,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/slide-deck-maintainer.lock.yml b/.github/workflows/slide-deck-maintainer.lock.yml index e98e5d77fbd..213bf5de19e 100644 --- a/.github/workflows/slide-deck-maintainer.lock.yml +++ b/.github/workflows/slide-deck-maintainer.lock.yml @@ -1051,7 +1051,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: 
diff --git a/.github/workflows/smoke-agent.lock.yml b/.github/workflows/smoke-agent.lock.yml index eb540285307..8c24a169e7d 100644 --- a/.github/workflows/smoke-agent.lock.yml +++ b/.github/workflows/smoke-agent.lock.yml @@ -1010,7 +1010,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/smoke-claude.lock.yml b/.github/workflows/smoke-claude.lock.yml index 9c9be178be0..545bd0df52a 100644 --- a/.github/workflows/smoke-claude.lock.yml +++ b/.github/workflows/smoke-claude.lock.yml @@ -2543,7 +2543,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/smoke-codex.lock.yml b/.github/workflows/smoke-codex.lock.yml index 0e5f7f0dda0..843a1be0b3b 100644 --- a/.github/workflows/smoke-codex.lock.yml +++ b/.github/workflows/smoke-codex.lock.yml @@ -1465,7 +1465,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/smoke-copilot-arm.lock.yml b/.github/workflows/smoke-copilot-arm.lock.yml index 5b0f0683113..8138fc62251 100644 --- a/.github/workflows/smoke-copilot-arm.lock.yml +++ b/.github/workflows/smoke-copilot-arm.lock.yml @@ -1977,7 +1977,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/smoke-copilot.lock.yml b/.github/workflows/smoke-copilot.lock.yml index 2765c48e222..9b09984d8e2 100644 
--- a/.github/workflows/smoke-copilot.lock.yml +++ b/.github/workflows/smoke-copilot.lock.yml @@ -1979,7 +1979,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/smoke-gemini.lock.yml b/.github/workflows/smoke-gemini.lock.yml index fbc22a4cfe0..24aacf30b41 100644 --- a/.github/workflows/smoke-gemini.lock.yml +++ b/.github/workflows/smoke-gemini.lock.yml @@ -1201,7 +1201,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/smoke-multi-pr.lock.yml b/.github/workflows/smoke-multi-pr.lock.yml index 0f679a3cce8..5ccccd690fa 100644 --- a/.github/workflows/smoke-multi-pr.lock.yml +++ b/.github/workflows/smoke-multi-pr.lock.yml @@ -1065,7 +1065,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/smoke-project.lock.yml b/.github/workflows/smoke-project.lock.yml index eddb4b68e13..1cd0799aada 100644 --- a/.github/workflows/smoke-project.lock.yml +++ b/.github/workflows/smoke-project.lock.yml @@ -1459,7 +1459,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/smoke-temporary-id.lock.yml b/.github/workflows/smoke-temporary-id.lock.yml index 6928cf6584a..590aa0535bf 100644 --- a/.github/workflows/smoke-temporary-id.lock.yml +++ b/.github/workflows/smoke-temporary-id.lock.yml 
@@ -1065,7 +1065,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/smoke-test-tools.lock.yml b/.github/workflows/smoke-test-tools.lock.yml index 8e24bca7356..ad8d1e821a7 100644 --- a/.github/workflows/smoke-test-tools.lock.yml +++ b/.github/workflows/smoke-test-tools.lock.yml @@ -968,7 +968,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/stale-repo-identifier.lock.yml b/.github/workflows/stale-repo-identifier.lock.yml index 5d4c4393b89..b4c3490aac8 100644 --- a/.github/workflows/stale-repo-identifier.lock.yml +++ b/.github/workflows/stale-repo-identifier.lock.yml @@ -1081,7 +1081,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/static-analysis-report.lock.yml b/.github/workflows/static-analysis-report.lock.yml index da12f59fe25..26727b24308 100644 --- a/.github/workflows/static-analysis-report.lock.yml +++ b/.github/workflows/static-analysis-report.lock.yml @@ -1061,7 +1061,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/step-name-alignment.lock.yml b/.github/workflows/step-name-alignment.lock.yml index 26ae6d43ad1..1e5bbf99efb 100644 --- a/.github/workflows/step-name-alignment.lock.yml +++ b/.github/workflows/step-name-alignment.lock.yml 
@@ -1013,7 +1013,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/sub-issue-closer.lock.yml b/.github/workflows/sub-issue-closer.lock.yml index 4a891cba8cd..ce5d26c45f3 100644 --- a/.github/workflows/sub-issue-closer.lock.yml +++ b/.github/workflows/sub-issue-closer.lock.yml @@ -1007,7 +1007,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/super-linter.lock.yml b/.github/workflows/super-linter.lock.yml index 48e19a468a4..2dac1457e06 100644 --- a/.github/workflows/super-linter.lock.yml +++ b/.github/workflows/super-linter.lock.yml @@ -969,7 +969,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/technical-doc-writer.lock.yml b/.github/workflows/technical-doc-writer.lock.yml index 686a2133d06..c134c45ff67 100644 --- a/.github/workflows/technical-doc-writer.lock.yml +++ b/.github/workflows/technical-doc-writer.lock.yml @@ -1097,7 +1097,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/terminal-stylist.lock.yml b/.github/workflows/terminal-stylist.lock.yml index 78892b7fd7c..30dc2e559f4 100644 --- a/.github/workflows/terminal-stylist.lock.yml +++ b/.github/workflows/terminal-stylist.lock.yml 
@@ -919,7 +919,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/test-create-pr-error-handling.lock.yml b/.github/workflows/test-create-pr-error-handling.lock.yml index f410f9c07c0..3165d176b98 100644 --- a/.github/workflows/test-create-pr-error-handling.lock.yml +++ b/.github/workflows/test-create-pr-error-handling.lock.yml @@ -1014,7 +1014,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/test-dispatcher.lock.yml b/.github/workflows/test-dispatcher.lock.yml index cdd97a6f101..b6c6d8cc465 100644 --- a/.github/workflows/test-dispatcher.lock.yml +++ b/.github/workflows/test-dispatcher.lock.yml @@ -861,7 +861,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/test-project-url-default.lock.yml b/.github/workflows/test-project-url-default.lock.yml index c9a4fbdccc3..5ac4184c672 100644 --- a/.github/workflows/test-project-url-default.lock.yml +++ b/.github/workflows/test-project-url-default.lock.yml @@ -1104,7 +1104,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/tidy.lock.yml b/.github/workflows/tidy.lock.yml index 4994c0c2d3f..de5fe298501 100644 --- a/.github/workflows/tidy.lock.yml +++ b/.github/workflows/tidy.lock.yml 
@@ -1075,7 +1075,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/typist.lock.yml b/.github/workflows/typist.lock.yml index 130117c67fa..22870f625dd 100644 --- a/.github/workflows/typist.lock.yml +++ b/.github/workflows/typist.lock.yml @@ -997,7 +997,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/ubuntu-image-analyzer.lock.yml b/.github/workflows/ubuntu-image-analyzer.lock.yml index a13045ce171..62fb2ee935c 100644 --- a/.github/workflows/ubuntu-image-analyzer.lock.yml +++ b/.github/workflows/ubuntu-image-analyzer.lock.yml @@ -981,7 +981,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/unbloat-docs.lock.yml b/.github/workflows/unbloat-docs.lock.yml index ad1f76e6056..a1e46d7cd7d 100644 --- a/.github/workflows/unbloat-docs.lock.yml +++ b/.github/workflows/unbloat-docs.lock.yml @@ -1238,7 +1238,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/video-analyzer.lock.yml b/.github/workflows/video-analyzer.lock.yml index 20ac245581a..de12d9c712a 100644 --- a/.github/workflows/video-analyzer.lock.yml +++ b/.github/workflows/video-analyzer.lock.yml 
@@ -963,7 +963,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/weekly-editors-health-check.lock.yml b/.github/workflows/weekly-editors-health-check.lock.yml index 2bd4f2e9fd7..73a5f890622 100644 --- a/.github/workflows/weekly-editors-health-check.lock.yml +++ b/.github/workflows/weekly-editors-health-check.lock.yml @@ -1027,7 +1027,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/weekly-issue-summary.lock.yml b/.github/workflows/weekly-issue-summary.lock.yml index 1646222d205..3cf065cf157 100644 --- a/.github/workflows/weekly-issue-summary.lock.yml +++ b/.github/workflows/weekly-issue-summary.lock.yml @@ -989,7 +989,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/weekly-safe-outputs-spec-review.lock.yml b/.github/workflows/weekly-safe-outputs-spec-review.lock.yml index 9c8da0a6f07..60d61588639 100644 --- a/.github/workflows/weekly-safe-outputs-spec-review.lock.yml +++ b/.github/workflows/weekly-safe-outputs-spec-review.lock.yml @@ -947,7 +947,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/workflow-generator.lock.yml b/.github/workflows/workflow-generator.lock.yml index cc4adb3b41e..6a58b678c1c 100644 --- a/.github/workflows/workflow-generator.lock.yml +++ b/.github/workflows/workflow-generator.lock.yml 
@@ -1055,7 +1055,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read timeout-minutes: 10 @@ -1313,7 +1313,7 @@ jobs: - agent - detection if: always() - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read issues: write diff --git a/.github/workflows/workflow-health-manager.lock.yml b/.github/workflows/workflow-health-manager.lock.yml index a5740ac7e76..7dc957352be 100644 --- a/.github/workflows/workflow-health-manager.lock.yml +++ b/.github/workflows/workflow-health-manager.lock.yml @@ -1132,7 +1132,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/workflow-normalizer.lock.yml b/.github/workflows/workflow-normalizer.lock.yml index 1fc06fd0cbe..5035bba7cd3 100644 --- a/.github/workflows/workflow-normalizer.lock.yml +++ b/.github/workflows/workflow-normalizer.lock.yml @@ -1003,7 +1003,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/workflow-skill-extractor.lock.yml b/.github/workflows/workflow-skill-extractor.lock.yml index 8dc26aa52eb..706342fc09d 100644 --- a/.github/workflows/workflow-skill-extractor.lock.yml +++ b/.github/workflows/workflow-skill-extractor.lock.yml @@ -1006,7 +1006,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: 
diff --git a/pkg/parser/schemas/main_workflow_schema.json b/pkg/parser/schemas/main_workflow_schema.json
index d46a72dbb7b..e1a1937b96b 100644
--- a/pkg/parser/schemas/main_workflow_schema.json
+++ b/pkg/parser/schemas/main_workflow_schema.json
@@ -6611,6 +6611,10 @@
 "items": {
 "$ref": "#/$defs/githubActionsStep"
 }
+ },
+ "run-on": {
+ "type": "string",
+ "description": "Runner specification for the detection job. Overrides safe-outputs.runs-on for the detection job only. Defaults to safe-outputs.runs-on, then ubuntu-latest."
 }
 },
 "additionalProperties": false
diff --git a/pkg/workflow/compiler_unlock_job.go b/pkg/workflow/compiler_unlock_job.go
index f1446dec7a6..a8f27c77551 100644
--- a/pkg/workflow/compiler_unlock_job.go
+++ b/pkg/workflow/compiler_unlock_job.go
@@ -100,7 +100,7 @@ func (c *Compiler) buildUnlockJob(data *WorkflowData, threatDetectionEnabled boo
 Name: "unlock",
 Needs: needs,
 If: alwaysFunc.Render(),
- RunsOn: data.RunsOn,
+ RunsOn: c.formatSafeOutputsRunsOn(data.SafeOutputs),
 Permissions: permissions,
 Steps: steps,
 TimeoutMinutes: 5, // Short timeout - unlock is a quick operation
diff --git a/pkg/workflow/safe_outputs_config_helpers.go b/pkg/workflow/safe_outputs_config_helpers.go
index 47305d412c0..6856b5eafc2 100644
--- a/pkg/workflow/safe_outputs_config_helpers.go
+++ b/pkg/workflow/safe_outputs_config_helpers.go
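Review bot: The description added for `run-on` names `ubuntu-latest` as the final fallback, but the Go helper added in this patch falls back to `constants.DefaultActivationJobRunnerImage`, and the lock files regenerated in the same patch show `runs-on: ubuntu-slim` for the detection job, so the documented default looks stale. The same wording is repeated in the doc comment on `formatDetectionRunsOn` (`// 3. ubuntu-latest (default)`). Suggest ending the description with `Defaults to safe-outputs.runs-on, then the compiler's default runner image.` and changing the Go comment to `// 3. constants.DefaultActivationJobRunnerImage (default)`. The key is also spelled `run-on` while the sibling setting is `runs-on`; since this object has `"additionalProperties": false`, the more familiar spelling is rejected, which is worth stating in the description if the difference is intentional.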
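Review bot: Nothing at the changed `RunsOn:` line in `buildUnlockJob` records that the unlock job no longer follows the workflow's own runner (`data.RunsOn`) and is now resolved from `safe-outputs.runs-on`. As far as this hunk shows, a workflow that pins its agent to a specific runner but sets no `safe-outputs.runs-on` gets its unlock job placed by `formatSafeOutputsRunsOn` alone. A short why-comment would make that visible to the next reader, e.g. `// unlock follows the safe-outputs runner, not the agent's runs-on`. The function body starts and ends outside the hunk.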
@@ -121,6 +121,20 @@ func (c *Compiler) formatSafeOutputsRunsOn(safeOutputs *SafeOutputsConfig) strin
 return "runs-on: " + safeOutputs.RunsOn
 }
+// formatDetectionRunsOn resolves the runner for the detection job using the following priority:
+// 1. safe-outputs.detection.run-on (detection-specific override)
+// 2. safe-outputs.runs-on (global safe-outputs runner)
+// 3. ubuntu-latest (default)
+func (c *Compiler) formatDetectionRunsOn(safeOutputs *SafeOutputsConfig) string {
+ if safeOutputs != nil && safeOutputs.ThreatDetection != nil && safeOutputs.ThreatDetection.RunsOn != "" {
+ return "runs-on: " + safeOutputs.ThreatDetection.RunsOn
+ }
+ if safeOutputs != nil && safeOutputs.RunsOn != "" {
+ return "runs-on: " + safeOutputs.RunsOn
+ }
+ return "runs-on: " + constants.DefaultActivationJobRunnerImage
+}
+
 // builtinSafeOutputFields contains the struct field names for the built-in safe output types
 // that are excluded from the "non-builtin" check. These are: noop, missing-data, missing-tool.
 var builtinSafeOutputFields = map[string]bool{
diff --git a/pkg/workflow/safe_outputs_runs_on_test.go b/pkg/workflow/safe_outputs_runs_on_test.go
index d9bcdee427b..85356ef6dcd 100644
--- a/pkg/workflow/safe_outputs_runs_on_test.go
+++ b/pkg/workflow/safe_outputs_runs_on_test.go
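Review bot: The doc comment on `formatDetectionRunsOn` names the override as `safe-outputs.detection.run-on`, but the parser and the test frontmatter in this patch read it from the `threat-detection` map, so the path a workflow author has to write is `safe-outputs.threat-detection.run-on`. The same path is repeated in the comment added to `TestBuildThreatDetectionJob`. Suggest `// 1. safe-outputs.threat-detection.run-on (detection-specific override)` here and the matching wording in the test comment. Because this function decides where the threat-detection job executes, the comment is the place a reader will look to learn which setting moves it off the default runner.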
@@ -184,3 +184,148 @@ func TestFormatSafeOutputsRunsOnEdgeCases(t *testing.T) { }) } } + +func TestUnlockJobUsesRunsOn(t *testing.T) { + frontmatter := `--- +on: + issues: + types: [opened] + lock-for-agent: true +safe-outputs: + create-issue: + title-prefix: "[ai] " + runs-on: self-hosted +--- + +# Test Workflow + +This is a test workflow.` + + tmpDir := testutil.TempDir(t, "workflow-unlock-runs-on-test") + + testFile := filepath.Join(tmpDir, "test.md") + if err := os.WriteFile(testFile, []byte(frontmatter), 0644); err != nil { + t.Fatal(err) + } + + compiler := NewCompiler() + if err := compiler.CompileWorkflow(testFile); err != nil { + t.Fatalf("Failed to compile workflow: %v", err) + } + + lockFile := filepath.Join(tmpDir, "test.lock.yml") + yamlContent, err := os.ReadFile(lockFile) + if err != nil { + t.Fatalf("Failed to read lock file: %v", err) + } + + yamlStr := string(yamlContent) + + // Verify the unlock job uses the safe-outputs runs-on value + expectedRunsOn := "runs-on: self-hosted" + unlockJobPattern := "\n unlock:" + unlockStart := strings.Index(yamlStr, unlockJobPattern) + if unlockStart == -1 { + t.Fatal("Expected unlock job to be present in compiled YAML") + } + + unlockSection := yamlStr[unlockStart : unlockStart+500] + defaultRunsOn := "runs-on: " + constants.DefaultActivationJobRunnerImage + if strings.Contains(unlockSection, defaultRunsOn) { + t.Errorf("Unlock job uses default %q instead of safe-outputs runner.\nUnlock section:\n%s", defaultRunsOn, unlockSection) + } + if !strings.Contains(unlockSection, expectedRunsOn) { + t.Errorf("Unlock job does not use expected %q.\nUnlock section:\n%s", expectedRunsOn, unlockSection) + } +} + +func TestDetectionJobRunsOnResolution(t *testing.T) { + tests := []struct { + name string + frontmatter string + expectedRunsOn string + }{ + { + name: "detection uses safe-outputs runs-on when no detection run-on", + frontmatter: `--- +on: push +safe-outputs: + create-issue: + title-prefix: "[ai] " + runs-on: 
self-hosted +--- + +# Test Workflow + +This is a test workflow.`, + expectedRunsOn: "runs-on: self-hosted", + }, + { + name: "detection run-on overrides safe-outputs runs-on", + frontmatter: `--- +on: push +safe-outputs: + create-issue: + title-prefix: "[ai] " + runs-on: self-hosted + threat-detection: + run-on: detection-runner +--- + +# Test Workflow + +This is a test workflow.`, + expectedRunsOn: "runs-on: detection-runner", + }, + { + name: "detection falls back to ubuntu-latest when no runs-on configured", + frontmatter: `--- +on: push +safe-outputs: + create-issue: + title-prefix: "[ai] " +--- + +# Test Workflow + +This is a test workflow.`, + expectedRunsOn: "runs-on: " + constants.DefaultActivationJobRunnerImage, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + tmpDir := testutil.TempDir(t, "workflow-detection-runs-on-test") + + testFile := filepath.Join(tmpDir, "test.md") + if err := os.WriteFile(testFile, []byte(tt.frontmatter), 0644); err != nil { + t.Fatal(err) + } + + compiler := NewCompiler() + if err := compiler.CompileWorkflow(testFile); err != nil { + t.Fatalf("Failed to compile workflow: %v", err) + } + + lockFile := filepath.Join(tmpDir, "test.lock.yml") + yamlContent, err := os.ReadFile(lockFile) + if err != nil { + t.Fatalf("Failed to read lock file: %v", err) + } + + yamlStr := string(yamlContent) + + // Verify the detection job uses the expected runs-on value + detectionJobPattern := "\n detection:" + detectionStart := strings.Index(yamlStr, detectionJobPattern) + if detectionStart == -1 { + t.Fatal("Expected detection job to be present in compiled YAML") + } + + detectionSection := yamlStr[detectionStart : detectionStart+500] + if !strings.Contains(detectionSection, tt.expectedRunsOn) { + t.Errorf("Detection job does not use expected %q.\nDetection section:\n%s", tt.expectedRunsOn, detectionSection) + } + }) + } +} 
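Review bot: `yamlStr[unlockStart : unlockStart+500]` in `TestUnlockJobUsesRunsOn` and `yamlStr[detectionStart : detectionStart+500]` in `TestDetectionJobRunsOnResolution` panic with a slice-bounds error whenever fewer than 500 bytes follow the job header, which turns a compiler regression into a crash instead of a readable failure. Clamp the end first, e.g. `end := min(unlockStart+500, len(yamlStr))` followed by `unlockSection := yamlStr[unlockStart:end]` (the `min` builtin needs Go 1.21; use an `if` otherwise). A fixed window can also reach into the following job, so `strings.Contains` may match another job's `runs-on:` line; cutting the section at the next job header would keep both assertions specific to the job under test.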
diff --git a/pkg/workflow/threat_detection.go b/pkg/workflow/threat_detection.go
index 7475725e1ec..a3fef9f1c34 100644
--- a/pkg/workflow/threat_detection.go
+++ b/pkg/workflow/threat_detection.go
@@ -16,6 +16,7 @@ type ThreatDetectionConfig struct {
 Steps []any `yaml:"steps,omitempty"` // Array of extra job steps
 EngineConfig *EngineConfig `yaml:"engine-config,omitempty"` // Extended engine configuration for threat detection
 EngineDisabled bool `yaml:"-"` // Internal flag: true when engine is explicitly set to false
+ RunsOn string `yaml:"run-on,omitempty"` // Runner override for the detection job
 }
 // parseThreatDetectionConfig handles threat-detection configuration
@@ -64,6 +65,13 @@ func (c *Compiler) parseThreatDetectionConfig(outputMap map[string]any) *ThreatD
 }
 }
+ // Parse run-on field
+ if runOn, exists := configMap["run-on"]; exists {
+ if runOnStr, ok := runOn.(string); ok {
+ threatConfig.RunsOn = runOnStr
+ }
+ }
+
 // Parse engine field (supports string, object, and boolean false formats)
 if engine, exists := configMap["engine"]; exists {
 // Handle boolean false to disable AI engine
@@ -141,7 +149,7 @@ func (c *Compiler) buildThreatDetectionJob(data *WorkflowData, mainJobName strin
 job := &Job{
 Name: string(constants.DetectionJobName),
 If: condition.Render(),
- RunsOn: "runs-on: ubuntu-latest",
+ RunsOn: c.formatDetectionRunsOn(data.SafeOutputs),
 Permissions: permissions,
 Concurrency: c.indentYAMLLines(agentConcurrency, " "),
 TimeoutMinutes: 10,
diff --git a/pkg/workflow/threat_detection_test.go b/pkg/workflow/threat_detection_test.go
index 459b7719c86..a920246a40a 100644
--- a/pkg/workflow/threat_detection_test.go
+++ b/pkg/workflow/threat_detection_test.go
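Review bot: In the block added to `parseThreatDetectionConfig`, a `run-on` value that is not a string is dropped silently: `if runOnStr, ok := runOn.(string); ok` has no else branch, so a list or a number leaves `RunsOn` empty and the threat-detection job lands on a fallback runner rather than the one the author asked for. The schema in this patch limits the field to a string, so this may already be rejected earlier, but that is not visible from here; a warning in the failing branch would make the fallback explicit. The accepted string is later concatenated unchanged into the `runs-on: ` line by `formatDetectionRunsOn`, so line breaks are worth rejecting at this point, e.g. `if runOnStr, ok := runOn.(string); ok && !strings.ContainsAny(runOnStr, "\r\n") {` (assuming `strings` is imported in this file). The function starts and ends outside the hunk.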
@@ -111,6 +111,17 @@ func TestParseThreatDetectionConfig(t *testing.T) {
 },
 },
 },
+ {
+ name: "object with run-on override",
+ outputMap: map[string]any{
+ "threat-detection": map[string]any{
+ "run-on": "self-hosted",
+ },
+ },
+ expectedConfig: &ThreatDetectionConfig{
+ RunsOn: "self-hosted",
+ },
+ },
 }
 for _, tt := range tests {
@@ -134,6 +145,68 @@ func TestParseThreatDetectionConfig(t *testing.T) {
 if len(result.Steps) != len(tt.expectedConfig.Steps) {
 t.Errorf("Expected %d steps, got %d", len(tt.expectedConfig.Steps), len(result.Steps))
 }
+
+ if result.RunsOn != tt.expectedConfig.RunsOn {
+ t.Errorf("Expected RunsOn %q, got %q", tt.expectedConfig.RunsOn, result.RunsOn)
+ }
+ })
+ }
+}
+
+func TestFormatDetectionRunsOn(t *testing.T) {
+ compiler := NewCompiler()
+
+ tests := []struct {
+ name string
+ safeOutputs *SafeOutputsConfig
+ expectedRunsOn string
+ }{
+ {
+ name: "nil safe outputs returns default",
+ safeOutputs: nil,
+ expectedRunsOn: "runs-on: " + constants.DefaultActivationJobRunnerImage,
+ },
+ {
+ name: "detection run-on takes priority over safe-outputs runs-on",
+ safeOutputs: &SafeOutputsConfig{
+ RunsOn: "self-hosted",
+ ThreatDetection: &ThreatDetectionConfig{
+ RunsOn: "detection-runner",
+ },
+ },
+ expectedRunsOn: "runs-on: detection-runner",
+ },
+ {
+ name: "falls back to safe-outputs runs-on when detection run-on is empty",
+ safeOutputs: &SafeOutputsConfig{
+ RunsOn: "self-hosted",
+ ThreatDetection: &ThreatDetectionConfig{},
+ },
+ expectedRunsOn: "runs-on: self-hosted",
+ },
+ {
+ name: "falls back to default when both detection run-on and safe-outputs runs-on are empty",
+ safeOutputs: &SafeOutputsConfig{
+ ThreatDetection: &ThreatDetectionConfig{},
+ },
+ expectedRunsOn: "runs-on: " + constants.DefaultActivationJobRunnerImage,
+ },
+ {
+ name: "nil threat detection still uses safe-outputs runs-on",
+ safeOutputs: &SafeOutputsConfig{
+ RunsOn: "windows-latest",
+ ThreatDetection: nil,
+ },
+ expectedRunsOn: "runs-on: windows-latest",
+ },
+ }
+
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ result := compiler.formatDetectionRunsOn(tt.safeOutputs)
+ if result != tt.expectedRunsOn {
+ t.Errorf("Expected runs-on %q, got %q", tt.expectedRunsOn, result)
+ }
 })
 }
 }
@@ -222,8 +295,17 @@ func TestBuildThreatDetectionJob(t *testing.T) {
 if job.Name != string(constants.DetectionJobName) {
 t.Errorf("Expected job name 'detection', got %q", job.Name)
 }
- if job.RunsOn != "runs-on: ubuntu-latest" {
- t.Errorf("Expected ubuntu-latest runner, got %q", job.RunsOn)
+ // Detection job uses formatDetectionRunsOn: safe-outputs.detection.run-on > safe-outputs.runs-on > default
+ expectedRunsOn := "runs-on: " + constants.DefaultActivationJobRunnerImage
+ if tt.data.SafeOutputs != nil {
+ if tt.data.SafeOutputs.ThreatDetection != nil && tt.data.SafeOutputs.ThreatDetection.RunsOn != "" {
+ expectedRunsOn = "runs-on: " + tt.data.SafeOutputs.ThreatDetection.RunsOn
+ } else if tt.data.SafeOutputs.RunsOn != "" {
+ expectedRunsOn = "runs-on: " + tt.data.SafeOutputs.RunsOn
+ }
+ }
+ if job.RunsOn != expectedRunsOn {
+ t.Errorf("Expected %q runner, got %q", expectedRunsOn, job.RunsOn)
 }
 // In dev mode (default), detection job should have contents: read permission for checkout
 // In release mode, it should have empty permissions
From 725dc400c3e4f047e3558fbc2c8a6c8355729dde Mon Sep 17 00:00:00 2001
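Review bot: The expected runner in `TestBuildThreatDetectionJob` is now derived with the same three-step priority that `formatDetectionRunsOn` implements, so the assertion would keep passing if both copies carried the same mistake in the ordering. Stating the expected string per table entry pins the behaviour independently, e.g. an `expectedRunsOn string` field on each case compared with `if job.RunsOn != tt.expectedRunsOn {`. The test table and the rest of the function are outside the hunk, so the field would have to be added there.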
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 23 Feb 2026 21:24:54 +0000 Subject: [PATCH 3/3] fix: detection job uses agent.runs-on as default, overridable via safe-outputs.detection.runs-on Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .../agent-performance-analyzer.lock.yml | 2 +- .../workflows/agent-persona-explorer.lock.yml | 2 +- .github/workflows/archie.lock.yml | 2 +- .github/workflows/artifacts-summary.lock.yml | 2 +- .github/workflows/audit-workflows.lock.yml | 2 +- .github/workflows/auto-triage-issues.lock.yml | 2 +- .github/workflows/blog-auditor.lock.yml | 2 +- .github/workflows/brave.lock.yml | 2 +- .../breaking-change-checker.lock.yml | 2 +- .github/workflows/changeset.lock.yml | 2 +- .github/workflows/ci-coach.lock.yml | 2 +- .github/workflows/ci-doctor.lock.yml | 2 +- .../claude-code-user-docs-review.lock.yml | 2 +- .../cli-consistency-checker.lock.yml | 2 +- .../workflows/cli-version-checker.lock.yml | 2 +- .github/workflows/cloclo.lock.yml | 2 +- .../workflows/code-scanning-fixer.lock.yml | 2 +- .github/workflows/code-simplifier.lock.yml | 2 +- .../commit-changes-analyzer.lock.yml | 2 +- .github/workflows/contribution-check.lock.yml | 2 +- .../workflows/copilot-agent-analysis.lock.yml | 2 +- .../copilot-cli-deep-research.lock.yml | 2 +- .../copilot-pr-merged-report.lock.yml | 2 +- .../copilot-pr-nlp-analysis.lock.yml | 2 +- .../copilot-pr-prompt-analysis.lock.yml | 2 +- .../copilot-session-insights.lock.yml | 2 +- .github/workflows/craft.lock.yml | 2 +- .../daily-assign-issue-to-user.lock.yml | 2 +- .github/workflows/daily-choice-test.lock.yml | 2 +- .../workflows/daily-cli-performance.lock.yml | 2 +- .../workflows/daily-cli-tools-tester.lock.yml | 2 +- .github/workflows/daily-code-metrics.lock.yml | 2 +- .../workflows/daily-compiler-quality.lock.yml | 2 +- .../daily-copilot-token-report.lock.yml | 2 +- .github/workflows/daily-doc-updater.lock.yml | 2 +- 
.github/workflows/daily-fact.lock.yml | 2 +- .github/workflows/daily-file-diet.lock.yml | 2 +- .../workflows/daily-firewall-report.lock.yml | 2 +- .../workflows/daily-issues-report.lock.yml | 2 +- .../daily-mcp-concurrency-analysis.lock.yml | 2 +- .../daily-multi-device-docs-tester.lock.yml | 2 +- .github/workflows/daily-news.lock.yml | 2 +- .../daily-observability-report.lock.yml | 2 +- .../daily-performance-summary.lock.yml | 2 +- .github/workflows/daily-regulatory.lock.yml | 2 +- .../daily-rendering-scripts-verifier.lock.yml | 2 +- .../workflows/daily-repo-chronicle.lock.yml | 2 +- .../daily-safe-output-optimizer.lock.yml | 2 +- .../daily-safe-outputs-conformance.lock.yml | 2 +- .../workflows/daily-secrets-analysis.lock.yml | 2 +- .../daily-security-red-team.lock.yml | 2 +- .github/workflows/daily-semgrep-scan.lock.yml | 2 +- .../daily-syntax-error-quality.lock.yml | 2 +- .../daily-team-evolution-insights.lock.yml | 2 +- .github/workflows/daily-team-status.lock.yml | 2 +- .../daily-testify-uber-super-expert.lock.yml | 2 +- .../workflows/daily-workflow-updater.lock.yml | 2 +- .github/workflows/deep-report.lock.yml | 2 +- .github/workflows/delight.lock.yml | 2 +- .github/workflows/dependabot-burner.lock.yml | 2 +- .../workflows/dependabot-go-checker.lock.yml | 2 +- .github/workflows/dev-hawk.lock.yml | 2 +- .github/workflows/dev.lock.yml | 2 +- .../developer-docs-consolidator.lock.yml | 2 +- .github/workflows/dictation-prompt.lock.yml | 2 +- .../workflows/discussion-task-miner.lock.yml | 2 +- .github/workflows/docs-noob-tester.lock.yml | 2 +- .github/workflows/draft-pr-cleanup.lock.yml | 2 +- .../duplicate-code-detector.lock.yml | 2 +- .../example-workflow-analyzer.lock.yml | 2 +- .github/workflows/firewall-escape.lock.yml | 2 +- .../workflows/functional-pragmatist.lock.yml | 2 +- .../github-mcp-structural-analysis.lock.yml | 2 +- .../github-mcp-tools-report.lock.yml | 2 +- .../github-remote-mcp-auth-test.lock.yml | 2 +- .../workflows/glossary-maintainer.lock.yml 
| 2 +- .github/workflows/go-fan.lock.yml | 2 +- .github/workflows/go-logger.lock.yml | 2 +- .../workflows/go-pattern-detector.lock.yml | 2 +- .github/workflows/gpclean.lock.yml | 2 +- .github/workflows/grumpy-reviewer.lock.yml | 2 +- .github/workflows/hourly-ci-cleaner.lock.yml | 2 +- .../workflows/instructions-janitor.lock.yml | 2 +- .github/workflows/issue-arborist.lock.yml | 2 +- .github/workflows/issue-monster.lock.yml | 2 +- .github/workflows/issue-triage-agent.lock.yml | 2 +- .github/workflows/jsweep.lock.yml | 2 +- .../workflows/layout-spec-maintainer.lock.yml | 2 +- .github/workflows/lockfile-stats.lock.yml | 2 +- .github/workflows/mcp-inspector.lock.yml | 2 +- .github/workflows/mergefest.lock.yml | 2 +- .../workflows/notion-issue-summary.lock.yml | 2 +- .github/workflows/org-health-report.lock.yml | 2 +- .github/workflows/pdf-summary.lock.yml | 2 +- .github/workflows/plan.lock.yml | 2 +- .github/workflows/poem-bot.lock.yml | 2 +- .github/workflows/portfolio-analyst.lock.yml | 2 +- .../workflows/pr-nitpick-reviewer.lock.yml | 2 +- .github/workflows/pr-triage-agent.lock.yml | 2 +- .../prompt-clustering-analysis.lock.yml | 2 +- .github/workflows/python-data-charts.lock.yml | 2 +- .github/workflows/q.lock.yml | 2 +- .github/workflows/refiner.lock.yml | 2 +- .github/workflows/release.lock.yml | 2 +- .../workflows/repo-audit-analyzer.lock.yml | 2 +- .github/workflows/repo-tree-map.lock.yml | 2 +- .../repository-quality-improver.lock.yml | 2 +- .github/workflows/research.lock.yml | 2 +- .github/workflows/safe-output-health.lock.yml | 2 +- .../schema-consistency-checker.lock.yml | 2 +- .github/workflows/scout.lock.yml | 2 +- .../workflows/security-compliance.lock.yml | 2 +- .github/workflows/security-review.lock.yml | 2 +- .../semantic-function-refactor.lock.yml | 2 +- .github/workflows/sergo.lock.yml | 2 +- .../workflows/slide-deck-maintainer.lock.yml | 2 +- .github/workflows/smoke-agent.lock.yml | 2 +- .github/workflows/smoke-claude.lock.yml | 2 +- 
.github/workflows/smoke-codex.lock.yml | 2 +- .github/workflows/smoke-copilot-arm.lock.yml | 2 +- .github/workflows/smoke-copilot.lock.yml | 2 +- .github/workflows/smoke-gemini.lock.yml | 2 +- .github/workflows/smoke-multi-pr.lock.yml | 2 +- .github/workflows/smoke-project.lock.yml | 2 +- .github/workflows/smoke-temporary-id.lock.yml | 2 +- .github/workflows/smoke-test-tools.lock.yml | 2 +- .../workflows/stale-repo-identifier.lock.yml | 2 +- .../workflows/static-analysis-report.lock.yml | 2 +- .../workflows/step-name-alignment.lock.yml | 2 +- .github/workflows/sub-issue-closer.lock.yml | 2 +- .github/workflows/super-linter.lock.yml | 2 +- .../workflows/technical-doc-writer.lock.yml | 2 +- .github/workflows/terminal-stylist.lock.yml | 2 +- .../test-create-pr-error-handling.lock.yml | 2 +- .github/workflows/test-dispatcher.lock.yml | 2 +- .../test-project-url-default.lock.yml | 2 +- .github/workflows/tidy.lock.yml | 2 +- .github/workflows/typist.lock.yml | 2 +- .../workflows/ubuntu-image-analyzer.lock.yml | 2 +- .github/workflows/unbloat-docs.lock.yml | 2 +- .github/workflows/video-analyzer.lock.yml | 2 +- .../weekly-editors-health-check.lock.yml | 2 +- .../workflows/weekly-issue-summary.lock.yml | 2 +- .../weekly-safe-outputs-spec-review.lock.yml | 2 +- .github/workflows/workflow-generator.lock.yml | 2 +- .../workflow-health-manager.lock.yml | 2 +- .../workflows/workflow-normalizer.lock.yml | 2 +- .../workflow-skill-extractor.lock.yml | 2 +- pkg/parser/schemas/main_workflow_schema.json | 4 +- pkg/workflow/safe_outputs_config_helpers.go | 12 ++--- pkg/workflow/safe_outputs_runs_on_test.go | 12 ++--- pkg/workflow/threat_detection.go | 8 ++-- pkg/workflow/threat_detection_test.go | 44 ++++++++++--------- 153 files changed, 188 insertions(+), 188 deletions(-) diff --git a/.github/workflows/agent-performance-analyzer.lock.yml b/.github/workflows/agent-performance-analyzer.lock.yml index ef2c024e5e8..6b60bde99a3 100644 
--- a/.github/workflows/agent-performance-analyzer.lock.yml +++ b/.github/workflows/agent-performance-analyzer.lock.yml @@ -1136,7 +1136,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/agent-persona-explorer.lock.yml b/.github/workflows/agent-persona-explorer.lock.yml index b274e13053c..8b5e9aa558d 100644 --- a/.github/workflows/agent-persona-explorer.lock.yml +++ b/.github/workflows/agent-persona-explorer.lock.yml @@ -1008,7 +1008,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/archie.lock.yml b/.github/workflows/archie.lock.yml index 496c84f55a2..092a41118cf 100644 --- a/.github/workflows/archie.lock.yml +++ b/.github/workflows/archie.lock.yml @@ -960,7 +960,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/artifacts-summary.lock.yml b/.github/workflows/artifacts-summary.lock.yml index e3596c6a96d..87e04ac4550 100644 --- a/.github/workflows/artifacts-summary.lock.yml +++ b/.github/workflows/artifacts-summary.lock.yml @@ -915,7 +915,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/audit-workflows.lock.yml b/.github/workflows/audit-workflows.lock.yml index 55db03f2ff7..7b07e1ea80c 100644 --- a/.github/workflows/audit-workflows.lock.yml +++ b/.github/workflows/audit-workflows.lock.yml 
@@ -1174,7 +1174,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/auto-triage-issues.lock.yml b/.github/workflows/auto-triage-issues.lock.yml index 9d592ff6a37..909daf9069a 100644 --- a/.github/workflows/auto-triage-issues.lock.yml +++ b/.github/workflows/auto-triage-issues.lock.yml @@ -985,7 +985,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/blog-auditor.lock.yml b/.github/workflows/blog-auditor.lock.yml index 3b6f2224182..8efdeee8f31 100644 --- a/.github/workflows/blog-auditor.lock.yml +++ b/.github/workflows/blog-auditor.lock.yml @@ -1025,7 +1025,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/brave.lock.yml b/.github/workflows/brave.lock.yml index d638cbb43e4..6b30c736299 100644 --- a/.github/workflows/brave.lock.yml +++ b/.github/workflows/brave.lock.yml @@ -948,7 +948,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/breaking-change-checker.lock.yml b/.github/workflows/breaking-change-checker.lock.yml index 409f6495876..3406b5a4ac5 100644 --- a/.github/workflows/breaking-change-checker.lock.yml +++ b/.github/workflows/breaking-change-checker.lock.yml 
@@ -961,7 +961,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/changeset.lock.yml b/.github/workflows/changeset.lock.yml index e150955f32d..bf56befc79b 100644 --- a/.github/workflows/changeset.lock.yml +++ b/.github/workflows/changeset.lock.yml @@ -1036,7 +1036,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/ci-coach.lock.yml b/.github/workflows/ci-coach.lock.yml index 59f312011fa..34b57a60b50 100644 --- a/.github/workflows/ci-coach.lock.yml +++ b/.github/workflows/ci-coach.lock.yml @@ -1035,7 +1035,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/ci-doctor.lock.yml b/.github/workflows/ci-doctor.lock.yml index 50f5d79b07e..97c9b48aea1 100644 --- a/.github/workflows/ci-doctor.lock.yml +++ b/.github/workflows/ci-doctor.lock.yml @@ -1163,7 +1163,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/claude-code-user-docs-review.lock.yml b/.github/workflows/claude-code-user-docs-review.lock.yml index 8d9046de49a..2e2b5520d4c 100644 --- a/.github/workflows/claude-code-user-docs-review.lock.yml +++ b/.github/workflows/claude-code-user-docs-review.lock.yml 
@@ -986,7 +986,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/cli-consistency-checker.lock.yml b/.github/workflows/cli-consistency-checker.lock.yml index 2ff51d03d17..e3d36d5f9cb 100644 --- a/.github/workflows/cli-consistency-checker.lock.yml +++ b/.github/workflows/cli-consistency-checker.lock.yml @@ -925,7 +925,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/cli-version-checker.lock.yml b/.github/workflows/cli-version-checker.lock.yml index a84260ad3e1..181dafb4617 100644 --- a/.github/workflows/cli-version-checker.lock.yml +++ b/.github/workflows/cli-version-checker.lock.yml @@ -1014,7 +1014,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/cloclo.lock.yml b/.github/workflows/cloclo.lock.yml index e6630a74952..24e7a256451 100644 --- a/.github/workflows/cloclo.lock.yml +++ b/.github/workflows/cloclo.lock.yml @@ -1308,7 +1308,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/code-scanning-fixer.lock.yml b/.github/workflows/code-scanning-fixer.lock.yml index bc0611772bf..06c466a0355 100644 --- a/.github/workflows/code-scanning-fixer.lock.yml +++ b/.github/workflows/code-scanning-fixer.lock.yml 
@@ -1038,7 +1038,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/code-simplifier.lock.yml b/.github/workflows/code-simplifier.lock.yml index 7f2d7b09ccd..ab3b4dc29a1 100644 --- a/.github/workflows/code-simplifier.lock.yml +++ b/.github/workflows/code-simplifier.lock.yml @@ -962,7 +962,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/commit-changes-analyzer.lock.yml b/.github/workflows/commit-changes-analyzer.lock.yml index 025e106abc9..e77e7dec5de 100644 --- a/.github/workflows/commit-changes-analyzer.lock.yml +++ b/.github/workflows/commit-changes-analyzer.lock.yml @@ -966,7 +966,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/contribution-check.lock.yml b/.github/workflows/contribution-check.lock.yml index a9188b0f59c..02f9db1a005 100644 --- a/.github/workflows/contribution-check.lock.yml +++ b/.github/workflows/contribution-check.lock.yml @@ -999,7 +999,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/copilot-agent-analysis.lock.yml b/.github/workflows/copilot-agent-analysis.lock.yml index c2a55b2d985..9a0a4e5e0f9 100644 --- a/.github/workflows/copilot-agent-analysis.lock.yml +++ b/.github/workflows/copilot-agent-analysis.lock.yml 
@@ -1046,7 +1046,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/copilot-cli-deep-research.lock.yml b/.github/workflows/copilot-cli-deep-research.lock.yml index 9a637e49829..797bd9bb892 100644 --- a/.github/workflows/copilot-cli-deep-research.lock.yml +++ b/.github/workflows/copilot-cli-deep-research.lock.yml @@ -977,7 +977,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/copilot-pr-merged-report.lock.yml b/.github/workflows/copilot-pr-merged-report.lock.yml index bc42ef355cb..2bd196cd9f3 100644 --- a/.github/workflows/copilot-pr-merged-report.lock.yml +++ b/.github/workflows/copilot-pr-merged-report.lock.yml @@ -1085,7 +1085,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/copilot-pr-nlp-analysis.lock.yml b/.github/workflows/copilot-pr-nlp-analysis.lock.yml index ab994bdc294..f677e8e16e4 100644 --- a/.github/workflows/copilot-pr-nlp-analysis.lock.yml +++ b/.github/workflows/copilot-pr-nlp-analysis.lock.yml @@ -1073,7 +1073,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/copilot-pr-prompt-analysis.lock.yml b/.github/workflows/copilot-pr-prompt-analysis.lock.yml index 74c2fb708cb..b02f6ce795e 100644 --- a/.github/workflows/copilot-pr-prompt-analysis.lock.yml 
+++ b/.github/workflows/copilot-pr-prompt-analysis.lock.yml @@ -997,7 +997,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/copilot-session-insights.lock.yml b/.github/workflows/copilot-session-insights.lock.yml index 2061162aa2a..0f6f6139455 100644 --- a/.github/workflows/copilot-session-insights.lock.yml +++ b/.github/workflows/copilot-session-insights.lock.yml @@ -1125,7 +1125,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/craft.lock.yml b/.github/workflows/craft.lock.yml index 72300364f8b..ab401e26573 100644 --- a/.github/workflows/craft.lock.yml +++ b/.github/workflows/craft.lock.yml @@ -986,7 +986,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/daily-assign-issue-to-user.lock.yml b/.github/workflows/daily-assign-issue-to-user.lock.yml index 326f68e7e3d..61d4a858f45 100644 --- a/.github/workflows/daily-assign-issue-to-user.lock.yml +++ b/.github/workflows/daily-assign-issue-to-user.lock.yml @@ -941,7 +941,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/daily-choice-test.lock.yml b/.github/workflows/daily-choice-test.lock.yml index a4e7bfa6d07..1e15d90232e 100644 --- a/.github/workflows/daily-choice-test.lock.yml +++ b/.github/workflows/daily-choice-test.lock.yml 
@@ -928,7 +928,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/daily-cli-performance.lock.yml b/.github/workflows/daily-cli-performance.lock.yml index 227cda5bff2..6b042962586 100644 --- a/.github/workflows/daily-cli-performance.lock.yml +++ b/.github/workflows/daily-cli-performance.lock.yml @@ -1167,7 +1167,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/daily-cli-tools-tester.lock.yml b/.github/workflows/daily-cli-tools-tester.lock.yml index d42a7840e62..4ed472d3b96 100644 --- a/.github/workflows/daily-cli-tools-tester.lock.yml +++ b/.github/workflows/daily-cli-tools-tester.lock.yml @@ -993,7 +993,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/daily-code-metrics.lock.yml b/.github/workflows/daily-code-metrics.lock.yml index 2da8fa916cb..b3d631d23e7 100644 --- a/.github/workflows/daily-code-metrics.lock.yml +++ b/.github/workflows/daily-code-metrics.lock.yml @@ -1103,7 +1103,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/daily-compiler-quality.lock.yml b/.github/workflows/daily-compiler-quality.lock.yml index 81e3f7d64fd..3ad3b061f0b 100644 --- a/.github/workflows/daily-compiler-quality.lock.yml +++ b/.github/workflows/daily-compiler-quality.lock.yml 
@@ -973,7 +973,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/daily-copilot-token-report.lock.yml b/.github/workflows/daily-copilot-token-report.lock.yml index c64b1455f01..3fdf2739297 100644 --- a/.github/workflows/daily-copilot-token-report.lock.yml +++ b/.github/workflows/daily-copilot-token-report.lock.yml @@ -1084,7 +1084,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/daily-doc-updater.lock.yml b/.github/workflows/daily-doc-updater.lock.yml index aae0aaa8021..8d8f9dd4948 100644 --- a/.github/workflows/daily-doc-updater.lock.yml +++ b/.github/workflows/daily-doc-updater.lock.yml @@ -1047,7 +1047,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/daily-fact.lock.yml b/.github/workflows/daily-fact.lock.yml index 788aa570f30..49e43c7acab 100644 --- a/.github/workflows/daily-fact.lock.yml +++ b/.github/workflows/daily-fact.lock.yml @@ -878,7 +878,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: {} concurrency: group: "gh-aw-codex-${{ github.workflow }}" diff --git a/.github/workflows/daily-file-diet.lock.yml b/.github/workflows/daily-file-diet.lock.yml index 7e9151e2caa..314c9bdb873 100644 --- a/.github/workflows/daily-file-diet.lock.yml +++ b/.github/workflows/daily-file-diet.lock.yml 
@@ -977,7 +977,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/daily-firewall-report.lock.yml b/.github/workflows/daily-firewall-report.lock.yml index 3cb2a827bcf..bea723f0058 100644 --- a/.github/workflows/daily-firewall-report.lock.yml +++ b/.github/workflows/daily-firewall-report.lock.yml @@ -1080,7 +1080,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/daily-issues-report.lock.yml b/.github/workflows/daily-issues-report.lock.yml index 66a75ff6b00..7a7674e74b9 100644 --- a/.github/workflows/daily-issues-report.lock.yml +++ b/.github/workflows/daily-issues-report.lock.yml @@ -1106,7 +1106,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/daily-mcp-concurrency-analysis.lock.yml b/.github/workflows/daily-mcp-concurrency-analysis.lock.yml index fac788e2ca1..5e3b4fc5210 100644 --- a/.github/workflows/daily-mcp-concurrency-analysis.lock.yml +++ b/.github/workflows/daily-mcp-concurrency-analysis.lock.yml @@ -1024,7 +1024,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/daily-multi-device-docs-tester.lock.yml b/.github/workflows/daily-multi-device-docs-tester.lock.yml index 2efc9966c39..e483a2d098d 100644 --- a/.github/workflows/daily-multi-device-docs-tester.lock.yml 
+++ b/.github/workflows/daily-multi-device-docs-tester.lock.yml @@ -1102,7 +1102,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/daily-news.lock.yml b/.github/workflows/daily-news.lock.yml index ba79f1f48b1..52c10672702 100644 --- a/.github/workflows/daily-news.lock.yml +++ b/.github/workflows/daily-news.lock.yml @@ -1146,7 +1146,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/daily-observability-report.lock.yml b/.github/workflows/daily-observability-report.lock.yml index e5539bc6ded..b054d9f5852 100644 --- a/.github/workflows/daily-observability-report.lock.yml +++ b/.github/workflows/daily-observability-report.lock.yml @@ -1063,7 +1063,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/daily-performance-summary.lock.yml b/.github/workflows/daily-performance-summary.lock.yml index 5cf5c81bcaf..9e81507527d 100644 --- a/.github/workflows/daily-performance-summary.lock.yml +++ b/.github/workflows/daily-performance-summary.lock.yml @@ -1569,7 +1569,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/daily-regulatory.lock.yml b/.github/workflows/daily-regulatory.lock.yml index 19c84fd8a07..9e846470afd 100644 --- a/.github/workflows/daily-regulatory.lock.yml +++ b/.github/workflows/daily-regulatory.lock.yml 
@@ -1461,7 +1461,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/daily-rendering-scripts-verifier.lock.yml b/.github/workflows/daily-rendering-scripts-verifier.lock.yml index d7a5134233d..dc3afa5a572 100644 --- a/.github/workflows/daily-rendering-scripts-verifier.lock.yml +++ b/.github/workflows/daily-rendering-scripts-verifier.lock.yml @@ -1133,7 +1133,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/daily-repo-chronicle.lock.yml b/.github/workflows/daily-repo-chronicle.lock.yml index 444271a0472..eed552b7b39 100644 --- a/.github/workflows/daily-repo-chronicle.lock.yml +++ b/.github/workflows/daily-repo-chronicle.lock.yml @@ -1015,7 +1015,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/daily-safe-output-optimizer.lock.yml b/.github/workflows/daily-safe-output-optimizer.lock.yml index 983942235cd..beff45446ff 100644 --- a/.github/workflows/daily-safe-output-optimizer.lock.yml +++ b/.github/workflows/daily-safe-output-optimizer.lock.yml @@ -1103,7 +1103,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/daily-safe-outputs-conformance.lock.yml b/.github/workflows/daily-safe-outputs-conformance.lock.yml index 5d3589f84c4..86485c36d50 100644 --- a/.github/workflows/daily-safe-outputs-conformance.lock.yml 
+++ b/.github/workflows/daily-safe-outputs-conformance.lock.yml @@ -981,7 +981,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/daily-secrets-analysis.lock.yml b/.github/workflows/daily-secrets-analysis.lock.yml index 3f7bcd6e285..81c35b24d09 100644 --- a/.github/workflows/daily-secrets-analysis.lock.yml +++ b/.github/workflows/daily-secrets-analysis.lock.yml @@ -979,7 +979,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/daily-security-red-team.lock.yml b/.github/workflows/daily-security-red-team.lock.yml index cade40d225b..f6a0e4609f4 100644 --- a/.github/workflows/daily-security-red-team.lock.yml +++ b/.github/workflows/daily-security-red-team.lock.yml @@ -985,7 +985,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/daily-semgrep-scan.lock.yml b/.github/workflows/daily-semgrep-scan.lock.yml index 5eed9849ea2..86e246d5855 100644 --- a/.github/workflows/daily-semgrep-scan.lock.yml +++ b/.github/workflows/daily-semgrep-scan.lock.yml @@ -963,7 +963,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/daily-syntax-error-quality.lock.yml b/.github/workflows/daily-syntax-error-quality.lock.yml index 68137fae243..cb4d289abac 100644 --- a/.github/workflows/daily-syntax-error-quality.lock.yml 
+++ b/.github/workflows/daily-syntax-error-quality.lock.yml @@ -958,7 +958,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/daily-team-evolution-insights.lock.yml b/.github/workflows/daily-team-evolution-insights.lock.yml index b8173e44d68..dffba2df653 100644 --- a/.github/workflows/daily-team-evolution-insights.lock.yml +++ b/.github/workflows/daily-team-evolution-insights.lock.yml @@ -965,7 +965,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/daily-team-status.lock.yml b/.github/workflows/daily-team-status.lock.yml index 391dfbade44..b16d7ed6a83 100644 --- a/.github/workflows/daily-team-status.lock.yml +++ b/.github/workflows/daily-team-status.lock.yml @@ -953,7 +953,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/daily-testify-uber-super-expert.lock.yml b/.github/workflows/daily-testify-uber-super-expert.lock.yml index f1357a22056..b0adb64bbca 100644 --- a/.github/workflows/daily-testify-uber-super-expert.lock.yml +++ b/.github/workflows/daily-testify-uber-super-expert.lock.yml @@ -1016,7 +1016,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/daily-workflow-updater.lock.yml b/.github/workflows/daily-workflow-updater.lock.yml index 16c35b4a6e3..19903bd8b0c 100644 
--- a/.github/workflows/daily-workflow-updater.lock.yml +++ b/.github/workflows/daily-workflow-updater.lock.yml @@ -948,7 +948,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/deep-report.lock.yml b/.github/workflows/deep-report.lock.yml index 4dfb1d5c6ee..9415fcea20d 100644 --- a/.github/workflows/deep-report.lock.yml +++ b/.github/workflows/deep-report.lock.yml @@ -1193,7 +1193,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/delight.lock.yml b/.github/workflows/delight.lock.yml index 33a52c3457c..23ef1a3d1ee 100644 --- a/.github/workflows/delight.lock.yml +++ b/.github/workflows/delight.lock.yml @@ -1062,7 +1062,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/dependabot-burner.lock.yml b/.github/workflows/dependabot-burner.lock.yml index dd296a7a19f..e7eb50b43fe 100644 --- a/.github/workflows/dependabot-burner.lock.yml +++ b/.github/workflows/dependabot-burner.lock.yml @@ -926,7 +926,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/dependabot-go-checker.lock.yml b/.github/workflows/dependabot-go-checker.lock.yml index ed140fa0459..e3de227867f 100644 --- a/.github/workflows/dependabot-go-checker.lock.yml +++ b/.github/workflows/dependabot-go-checker.lock.yml 
@@ -967,7 +967,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/dev-hawk.lock.yml b/.github/workflows/dev-hawk.lock.yml index f010d8d5179..4cf96de2508 100644 --- a/.github/workflows/dev-hawk.lock.yml +++ b/.github/workflows/dev-hawk.lock.yml @@ -1010,7 +1010,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/dev.lock.yml b/.github/workflows/dev.lock.yml index ba25480b941..b601e2942bd 100644 --- a/.github/workflows/dev.lock.yml +++ b/.github/workflows/dev.lock.yml @@ -922,7 +922,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/developer-docs-consolidator.lock.yml b/.github/workflows/developer-docs-consolidator.lock.yml index 4da22a898aa..3a279438c5b 100644 --- a/.github/workflows/developer-docs-consolidator.lock.yml +++ b/.github/workflows/developer-docs-consolidator.lock.yml @@ -1127,7 +1127,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/dictation-prompt.lock.yml b/.github/workflows/dictation-prompt.lock.yml index 71282dc2aec..bb66be51d8a 100644 --- a/.github/workflows/dictation-prompt.lock.yml +++ b/.github/workflows/dictation-prompt.lock.yml 
@@ -949,7 +949,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/discussion-task-miner.lock.yml b/.github/workflows/discussion-task-miner.lock.yml index 4b714e05c4a..f1f5947d83f 100644 --- a/.github/workflows/discussion-task-miner.lock.yml +++ b/.github/workflows/discussion-task-miner.lock.yml @@ -1043,7 +1043,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/docs-noob-tester.lock.yml b/.github/workflows/docs-noob-tester.lock.yml index 3779dfec6a8..55dd3494ac7 100644 --- a/.github/workflows/docs-noob-tester.lock.yml +++ b/.github/workflows/docs-noob-tester.lock.yml @@ -965,7 +965,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/draft-pr-cleanup.lock.yml b/.github/workflows/draft-pr-cleanup.lock.yml index 47e494031aa..a7c5914eebd 100644 --- a/.github/workflows/draft-pr-cleanup.lock.yml +++ b/.github/workflows/draft-pr-cleanup.lock.yml @@ -972,7 +972,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/duplicate-code-detector.lock.yml b/.github/workflows/duplicate-code-detector.lock.yml index 0a036e60bba..d760d03ce03 100644 --- a/.github/workflows/duplicate-code-detector.lock.yml +++ b/.github/workflows/duplicate-code-detector.lock.yml 
@@ -977,7 +977,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/example-workflow-analyzer.lock.yml b/.github/workflows/example-workflow-analyzer.lock.yml index 204257f7d2b..fa5e4a53ff6 100644 --- a/.github/workflows/example-workflow-analyzer.lock.yml +++ b/.github/workflows/example-workflow-analyzer.lock.yml @@ -1024,7 +1024,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/firewall-escape.lock.yml b/.github/workflows/firewall-escape.lock.yml index 06efa6cf1cb..3ff52bd8ff3 100644 --- a/.github/workflows/firewall-escape.lock.yml +++ b/.github/workflows/firewall-escape.lock.yml @@ -995,7 +995,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/functional-pragmatist.lock.yml b/.github/workflows/functional-pragmatist.lock.yml index a4de7534fd9..55d04e81a12 100644 --- a/.github/workflows/functional-pragmatist.lock.yml +++ b/.github/workflows/functional-pragmatist.lock.yml @@ -956,7 +956,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/github-mcp-structural-analysis.lock.yml b/.github/workflows/github-mcp-structural-analysis.lock.yml index 76b7932a39e..50fc308b9c5 100644 --- a/.github/workflows/github-mcp-structural-analysis.lock.yml +++ b/.github/workflows/github-mcp-structural-analysis.lock.yml 
@@ -1060,7 +1060,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/github-mcp-tools-report.lock.yml b/.github/workflows/github-mcp-tools-report.lock.yml index d45f7956809..f3e680bea0d 100644 --- a/.github/workflows/github-mcp-tools-report.lock.yml +++ b/.github/workflows/github-mcp-tools-report.lock.yml @@ -1084,7 +1084,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/github-remote-mcp-auth-test.lock.yml b/.github/workflows/github-remote-mcp-auth-test.lock.yml index 5620870131b..42716c2487e 100644 --- a/.github/workflows/github-remote-mcp-auth-test.lock.yml +++ b/.github/workflows/github-remote-mcp-auth-test.lock.yml @@ -919,7 +919,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/glossary-maintainer.lock.yml b/.github/workflows/glossary-maintainer.lock.yml index a5702f52771..b94ef238a3c 100644 --- a/.github/workflows/glossary-maintainer.lock.yml +++ b/.github/workflows/glossary-maintainer.lock.yml @@ -1029,7 +1029,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/go-fan.lock.yml b/.github/workflows/go-fan.lock.yml index c760c2e8bee..6457728b454 100644 --- a/.github/workflows/go-fan.lock.yml +++ b/.github/workflows/go-fan.lock.yml 
@@ -1030,7 +1030,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/go-logger.lock.yml b/.github/workflows/go-logger.lock.yml index 23ab513e8f3..6f369d4cdec 100644 --- a/.github/workflows/go-logger.lock.yml +++ b/.github/workflows/go-logger.lock.yml @@ -1212,7 +1212,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/go-pattern-detector.lock.yml b/.github/workflows/go-pattern-detector.lock.yml index 45583215c9a..79d84725908 100644 --- a/.github/workflows/go-pattern-detector.lock.yml +++ b/.github/workflows/go-pattern-detector.lock.yml @@ -1023,7 +1023,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/gpclean.lock.yml b/.github/workflows/gpclean.lock.yml index 77d2b3cabf6..7e343def11e 100644 --- a/.github/workflows/gpclean.lock.yml +++ b/.github/workflows/gpclean.lock.yml @@ -954,7 +954,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/grumpy-reviewer.lock.yml b/.github/workflows/grumpy-reviewer.lock.yml index 2001f91faf9..c96fd808429 100644 --- a/.github/workflows/grumpy-reviewer.lock.yml +++ b/.github/workflows/grumpy-reviewer.lock.yml 
@@ -1033,7 +1033,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/hourly-ci-cleaner.lock.yml b/.github/workflows/hourly-ci-cleaner.lock.yml index 33fff48881c..a5d1aa587a5 100644 --- a/.github/workflows/hourly-ci-cleaner.lock.yml +++ b/.github/workflows/hourly-ci-cleaner.lock.yml @@ -1055,7 +1055,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/instructions-janitor.lock.yml b/.github/workflows/instructions-janitor.lock.yml index 56dcac3e9d9..913eed7b955 100644 --- a/.github/workflows/instructions-janitor.lock.yml +++ b/.github/workflows/instructions-janitor.lock.yml @@ -1040,7 +1040,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/issue-arborist.lock.yml b/.github/workflows/issue-arborist.lock.yml index 8589a37951d..9aebfb36e9e 100644 --- a/.github/workflows/issue-arborist.lock.yml +++ b/.github/workflows/issue-arborist.lock.yml @@ -1047,7 +1047,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/issue-monster.lock.yml b/.github/workflows/issue-monster.lock.yml index 2320dce2156..7422eac001f 100644 --- a/.github/workflows/issue-monster.lock.yml +++ b/.github/workflows/issue-monster.lock.yml 
@@ -974,7 +974,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/issue-triage-agent.lock.yml b/.github/workflows/issue-triage-agent.lock.yml index b1b16e65adf..61877f91eff 100644 --- a/.github/workflows/issue-triage-agent.lock.yml +++ b/.github/workflows/issue-triage-agent.lock.yml @@ -911,7 +911,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/jsweep.lock.yml b/.github/workflows/jsweep.lock.yml index 8881028c607..0f118dbf7d9 100644 --- a/.github/workflows/jsweep.lock.yml +++ b/.github/workflows/jsweep.lock.yml @@ -992,7 +992,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/layout-spec-maintainer.lock.yml b/.github/workflows/layout-spec-maintainer.lock.yml index b3eb7555ddc..bd500555351 100644 --- a/.github/workflows/layout-spec-maintainer.lock.yml +++ b/.github/workflows/layout-spec-maintainer.lock.yml @@ -985,7 +985,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/lockfile-stats.lock.yml b/.github/workflows/lockfile-stats.lock.yml index fa504c0f0d4..cd94860773d 100644 --- a/.github/workflows/lockfile-stats.lock.yml +++ b/.github/workflows/lockfile-stats.lock.yml 
@@ -986,7 +986,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/mcp-inspector.lock.yml b/.github/workflows/mcp-inspector.lock.yml index 1a030fd48c5..eee7dc265ed 100644 --- a/.github/workflows/mcp-inspector.lock.yml +++ b/.github/workflows/mcp-inspector.lock.yml @@ -1325,7 +1325,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/mergefest.lock.yml b/.github/workflows/mergefest.lock.yml index e00ea31cf1f..380a74e6007 100644 --- a/.github/workflows/mergefest.lock.yml +++ b/.github/workflows/mergefest.lock.yml @@ -977,7 +977,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/notion-issue-summary.lock.yml b/.github/workflows/notion-issue-summary.lock.yml index 9d4c7b904bb..0a8b89e45aa 100644 --- a/.github/workflows/notion-issue-summary.lock.yml +++ b/.github/workflows/notion-issue-summary.lock.yml @@ -892,7 +892,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/org-health-report.lock.yml b/.github/workflows/org-health-report.lock.yml index 357dfce9540..43d59d4d8af 100644 --- a/.github/workflows/org-health-report.lock.yml +++ b/.github/workflows/org-health-report.lock.yml 
@@ -1014,7 +1014,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/pdf-summary.lock.yml b/.github/workflows/pdf-summary.lock.yml index 3e67c00daab..d38bc6e6aab 100644 --- a/.github/workflows/pdf-summary.lock.yml +++ b/.github/workflows/pdf-summary.lock.yml @@ -1049,7 +1049,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/plan.lock.yml b/.github/workflows/plan.lock.yml index 66d7791862c..d653268b192 100644 --- a/.github/workflows/plan.lock.yml +++ b/.github/workflows/plan.lock.yml @@ -1015,7 +1015,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/poem-bot.lock.yml b/.github/workflows/poem-bot.lock.yml index 47beac5519b..68544e9609c 100644 --- a/.github/workflows/poem-bot.lock.yml +++ b/.github/workflows/poem-bot.lock.yml @@ -1653,7 +1653,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/portfolio-analyst.lock.yml b/.github/workflows/portfolio-analyst.lock.yml index 4968f0f6389..00575ebc0c4 100644 --- a/.github/workflows/portfolio-analyst.lock.yml +++ b/.github/workflows/portfolio-analyst.lock.yml 
@@ -1091,7 +1091,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/pr-nitpick-reviewer.lock.yml b/.github/workflows/pr-nitpick-reviewer.lock.yml index 9464c90a388..3cb02184693 100644 --- a/.github/workflows/pr-nitpick-reviewer.lock.yml +++ b/.github/workflows/pr-nitpick-reviewer.lock.yml @@ -1122,7 +1122,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/pr-triage-agent.lock.yml b/.github/workflows/pr-triage-agent.lock.yml index 3cee1402e53..a1d281e9db1 100644 --- a/.github/workflows/pr-triage-agent.lock.yml +++ b/.github/workflows/pr-triage-agent.lock.yml @@ -1045,7 +1045,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/prompt-clustering-analysis.lock.yml b/.github/workflows/prompt-clustering-analysis.lock.yml index 8fad76f30da..2c48f7411f5 100644 --- a/.github/workflows/prompt-clustering-analysis.lock.yml +++ b/.github/workflows/prompt-clustering-analysis.lock.yml @@ -1117,7 +1117,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/python-data-charts.lock.yml b/.github/workflows/python-data-charts.lock.yml index 318d27c0316..d7c80468a19 100644 --- a/.github/workflows/python-data-charts.lock.yml +++ b/.github/workflows/python-data-charts.lock.yml 
@@ -1077,7 +1077,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/q.lock.yml b/.github/workflows/q.lock.yml index 98faa68a5d2..20900388aec 100644 --- a/.github/workflows/q.lock.yml +++ b/.github/workflows/q.lock.yml @@ -1171,7 +1171,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/refiner.lock.yml b/.github/workflows/refiner.lock.yml index e7fb8d19634..5c4c3952a16 100644 --- a/.github/workflows/refiner.lock.yml +++ b/.github/workflows/refiner.lock.yml @@ -1015,7 +1015,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/release.lock.yml b/.github/workflows/release.lock.yml index 6f5397aa851..00ed0c78f31 100644 --- a/.github/workflows/release.lock.yml +++ b/.github/workflows/release.lock.yml @@ -1038,7 +1038,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/repo-audit-analyzer.lock.yml b/.github/workflows/repo-audit-analyzer.lock.yml index 923a5c9d113..bd293dd7e8f 100644 --- a/.github/workflows/repo-audit-analyzer.lock.yml +++ b/.github/workflows/repo-audit-analyzer.lock.yml @@ -954,7 +954,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: 
diff --git a/.github/workflows/repo-tree-map.lock.yml b/.github/workflows/repo-tree-map.lock.yml index 0458c7a293e..b0ce5200578 100644 --- a/.github/workflows/repo-tree-map.lock.yml +++ b/.github/workflows/repo-tree-map.lock.yml @@ -911,7 +911,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/repository-quality-improver.lock.yml b/.github/workflows/repository-quality-improver.lock.yml index b37ed00717f..941cd6cf916 100644 --- a/.github/workflows/repository-quality-improver.lock.yml +++ b/.github/workflows/repository-quality-improver.lock.yml @@ -956,7 +956,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/research.lock.yml b/.github/workflows/research.lock.yml index f0153956916..1f797889a6f 100644 --- a/.github/workflows/research.lock.yml +++ b/.github/workflows/research.lock.yml @@ -939,7 +939,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/safe-output-health.lock.yml b/.github/workflows/safe-output-health.lock.yml index 7625a88cc8e..4a9a4b28280 100644 --- a/.github/workflows/safe-output-health.lock.yml +++ b/.github/workflows/safe-output-health.lock.yml @@ -1079,7 +1079,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: 
diff --git a/.github/workflows/schema-consistency-checker.lock.yml b/.github/workflows/schema-consistency-checker.lock.yml index e4cc0952a67..008758bc27c 100644 --- a/.github/workflows/schema-consistency-checker.lock.yml +++ b/.github/workflows/schema-consistency-checker.lock.yml @@ -987,7 +987,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/scout.lock.yml b/.github/workflows/scout.lock.yml index 3ca16607ac7..cbccebf720c 100644 --- a/.github/workflows/scout.lock.yml +++ b/.github/workflows/scout.lock.yml @@ -1131,7 +1131,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/security-compliance.lock.yml b/.github/workflows/security-compliance.lock.yml index bf6032a3ae0..ab14c1a9a77 100644 --- a/.github/workflows/security-compliance.lock.yml +++ b/.github/workflows/security-compliance.lock.yml @@ -993,7 +993,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/security-review.lock.yml b/.github/workflows/security-review.lock.yml index 26fa0b1d657..fd5358a5b04 100644 --- a/.github/workflows/security-review.lock.yml +++ b/.github/workflows/security-review.lock.yml @@ -1104,7 +1104,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read timeout-minutes: 10 
diff --git a/.github/workflows/semantic-function-refactor.lock.yml b/.github/workflows/semantic-function-refactor.lock.yml index 14cc40703ef..b1b86538bab 100644 --- a/.github/workflows/semantic-function-refactor.lock.yml +++ b/.github/workflows/semantic-function-refactor.lock.yml @@ -1059,7 +1059,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/sergo.lock.yml b/.github/workflows/sergo.lock.yml index 15bffe5f393..825e29f1dff 100644 --- a/.github/workflows/sergo.lock.yml +++ b/.github/workflows/sergo.lock.yml @@ -1029,7 +1029,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/slide-deck-maintainer.lock.yml b/.github/workflows/slide-deck-maintainer.lock.yml index 213bf5de19e..e98e5d77fbd 100644 --- a/.github/workflows/slide-deck-maintainer.lock.yml +++ b/.github/workflows/slide-deck-maintainer.lock.yml @@ -1051,7 +1051,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/smoke-agent.lock.yml b/.github/workflows/smoke-agent.lock.yml index 8c24a169e7d..eb540285307 100644 --- a/.github/workflows/smoke-agent.lock.yml +++ b/.github/workflows/smoke-agent.lock.yml @@ -1010,7 +1010,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read timeout-minutes: 10 
diff --git a/.github/workflows/smoke-claude.lock.yml b/.github/workflows/smoke-claude.lock.yml index 545bd0df52a..9c9be178be0 100644 --- a/.github/workflows/smoke-claude.lock.yml +++ b/.github/workflows/smoke-claude.lock.yml @@ -2543,7 +2543,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/smoke-codex.lock.yml b/.github/workflows/smoke-codex.lock.yml index 843a1be0b3b..0e5f7f0dda0 100644 --- a/.github/workflows/smoke-codex.lock.yml +++ b/.github/workflows/smoke-codex.lock.yml @@ -1465,7 +1465,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/smoke-copilot-arm.lock.yml b/.github/workflows/smoke-copilot-arm.lock.yml index 8138fc62251..d872e96259b 100644 --- a/.github/workflows/smoke-copilot-arm.lock.yml +++ b/.github/workflows/smoke-copilot-arm.lock.yml @@ -1977,7 +1977,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-24.04-arm permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/smoke-copilot.lock.yml b/.github/workflows/smoke-copilot.lock.yml index 9b09984d8e2..2765c48e222 100644 --- a/.github/workflows/smoke-copilot.lock.yml +++ b/.github/workflows/smoke-copilot.lock.yml @@ -1979,7 +1979,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/smoke-gemini.lock.yml b/.github/workflows/smoke-gemini.lock.yml index 24aacf30b41..fbc22a4cfe0 100644 
--- a/.github/workflows/smoke-gemini.lock.yml +++ b/.github/workflows/smoke-gemini.lock.yml @@ -1201,7 +1201,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/smoke-multi-pr.lock.yml b/.github/workflows/smoke-multi-pr.lock.yml index 5ccccd690fa..0f679a3cce8 100644 --- a/.github/workflows/smoke-multi-pr.lock.yml +++ b/.github/workflows/smoke-multi-pr.lock.yml @@ -1065,7 +1065,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/smoke-project.lock.yml b/.github/workflows/smoke-project.lock.yml index 1cd0799aada..eddb4b68e13 100644 --- a/.github/workflows/smoke-project.lock.yml +++ b/.github/workflows/smoke-project.lock.yml @@ -1459,7 +1459,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/smoke-temporary-id.lock.yml b/.github/workflows/smoke-temporary-id.lock.yml index 590aa0535bf..6928cf6584a 100644 --- a/.github/workflows/smoke-temporary-id.lock.yml +++ b/.github/workflows/smoke-temporary-id.lock.yml @@ -1065,7 +1065,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/smoke-test-tools.lock.yml b/.github/workflows/smoke-test-tools.lock.yml index ad8d1e821a7..8e24bca7356 100644 --- a/.github/workflows/smoke-test-tools.lock.yml +++ b/.github/workflows/smoke-test-tools.lock.yml 
@@ -968,7 +968,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/stale-repo-identifier.lock.yml b/.github/workflows/stale-repo-identifier.lock.yml index b4c3490aac8..5d4c4393b89 100644 --- a/.github/workflows/stale-repo-identifier.lock.yml +++ b/.github/workflows/stale-repo-identifier.lock.yml @@ -1081,7 +1081,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/static-analysis-report.lock.yml b/.github/workflows/static-analysis-report.lock.yml index 26727b24308..da12f59fe25 100644 --- a/.github/workflows/static-analysis-report.lock.yml +++ b/.github/workflows/static-analysis-report.lock.yml @@ -1061,7 +1061,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/step-name-alignment.lock.yml b/.github/workflows/step-name-alignment.lock.yml index 1e5bbf99efb..26ae6d43ad1 100644 --- a/.github/workflows/step-name-alignment.lock.yml +++ b/.github/workflows/step-name-alignment.lock.yml @@ -1013,7 +1013,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/sub-issue-closer.lock.yml b/.github/workflows/sub-issue-closer.lock.yml index ce5d26c45f3..4a891cba8cd 100644 --- a/.github/workflows/sub-issue-closer.lock.yml +++ b/.github/workflows/sub-issue-closer.lock.yml 
@@ -1007,7 +1007,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/super-linter.lock.yml b/.github/workflows/super-linter.lock.yml index 2dac1457e06..48e19a468a4 100644 --- a/.github/workflows/super-linter.lock.yml +++ b/.github/workflows/super-linter.lock.yml @@ -969,7 +969,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/technical-doc-writer.lock.yml b/.github/workflows/technical-doc-writer.lock.yml index c134c45ff67..686a2133d06 100644 --- a/.github/workflows/technical-doc-writer.lock.yml +++ b/.github/workflows/technical-doc-writer.lock.yml @@ -1097,7 +1097,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/terminal-stylist.lock.yml b/.github/workflows/terminal-stylist.lock.yml index 30dc2e559f4..78892b7fd7c 100644 --- a/.github/workflows/terminal-stylist.lock.yml +++ b/.github/workflows/terminal-stylist.lock.yml @@ -919,7 +919,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/test-create-pr-error-handling.lock.yml b/.github/workflows/test-create-pr-error-handling.lock.yml index 3165d176b98..f410f9c07c0 100644 --- a/.github/workflows/test-create-pr-error-handling.lock.yml +++ b/.github/workflows/test-create-pr-error-handling.lock.yml 
@@ -1014,7 +1014,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/test-dispatcher.lock.yml b/.github/workflows/test-dispatcher.lock.yml index b6c6d8cc465..cdd97a6f101 100644 --- a/.github/workflows/test-dispatcher.lock.yml +++ b/.github/workflows/test-dispatcher.lock.yml @@ -861,7 +861,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/test-project-url-default.lock.yml b/.github/workflows/test-project-url-default.lock.yml index 5ac4184c672..c9a4fbdccc3 100644 --- a/.github/workflows/test-project-url-default.lock.yml +++ b/.github/workflows/test-project-url-default.lock.yml @@ -1104,7 +1104,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/tidy.lock.yml b/.github/workflows/tidy.lock.yml index de5fe298501..4994c0c2d3f 100644 --- a/.github/workflows/tidy.lock.yml +++ b/.github/workflows/tidy.lock.yml @@ -1075,7 +1075,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/typist.lock.yml b/.github/workflows/typist.lock.yml index 22870f625dd..130117c67fa 100644 --- a/.github/workflows/typist.lock.yml +++ b/.github/workflows/typist.lock.yml 
@@ -997,7 +997,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/ubuntu-image-analyzer.lock.yml b/.github/workflows/ubuntu-image-analyzer.lock.yml index 62fb2ee935c..a13045ce171 100644 --- a/.github/workflows/ubuntu-image-analyzer.lock.yml +++ b/.github/workflows/ubuntu-image-analyzer.lock.yml @@ -981,7 +981,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/unbloat-docs.lock.yml b/.github/workflows/unbloat-docs.lock.yml index a1e46d7cd7d..ad1f76e6056 100644 --- a/.github/workflows/unbloat-docs.lock.yml +++ b/.github/workflows/unbloat-docs.lock.yml @@ -1238,7 +1238,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/video-analyzer.lock.yml b/.github/workflows/video-analyzer.lock.yml index de12d9c712a..20ac245581a 100644 --- a/.github/workflows/video-analyzer.lock.yml +++ b/.github/workflows/video-analyzer.lock.yml @@ -963,7 +963,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/weekly-editors-health-check.lock.yml b/.github/workflows/weekly-editors-health-check.lock.yml index 73a5f890622..2bd4f2e9fd7 100644 --- a/.github/workflows/weekly-editors-health-check.lock.yml +++ b/.github/workflows/weekly-editors-health-check.lock.yml 
@@ -1027,7 +1027,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/weekly-issue-summary.lock.yml b/.github/workflows/weekly-issue-summary.lock.yml index 3cf065cf157..1646222d205 100644 --- a/.github/workflows/weekly-issue-summary.lock.yml +++ b/.github/workflows/weekly-issue-summary.lock.yml @@ -989,7 +989,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/weekly-safe-outputs-spec-review.lock.yml b/.github/workflows/weekly-safe-outputs-spec-review.lock.yml index 60d61588639..9c8da0a6f07 100644 --- a/.github/workflows/weekly-safe-outputs-spec-review.lock.yml +++ b/.github/workflows/weekly-safe-outputs-spec-review.lock.yml @@ -947,7 +947,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/workflow-generator.lock.yml b/.github/workflows/workflow-generator.lock.yml index 6a58b678c1c..5cc3e0362b7 100644 --- a/.github/workflows/workflow-generator.lock.yml +++ b/.github/workflows/workflow-generator.lock.yml @@ -1055,7 +1055,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/workflow-health-manager.lock.yml b/.github/workflows/workflow-health-manager.lock.yml index 7dc957352be..a5740ac7e76 100644 --- a/.github/workflows/workflow-health-manager.lock.yml +++ b/.github/workflows/workflow-health-manager.lock.yml 
@@ -1132,7 +1132,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/workflow-normalizer.lock.yml b/.github/workflows/workflow-normalizer.lock.yml index 5035bba7cd3..1fc06fd0cbe 100644 --- a/.github/workflows/workflow-normalizer.lock.yml +++ b/.github/workflows/workflow-normalizer.lock.yml @@ -1003,7 +1003,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/workflow-skill-extractor.lock.yml b/.github/workflows/workflow-skill-extractor.lock.yml index 706342fc09d..8dc26aa52eb 100644 --- a/.github/workflows/workflow-skill-extractor.lock.yml +++ b/.github/workflows/workflow-skill-extractor.lock.yml @@ -1006,7 +1006,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/pkg/parser/schemas/main_workflow_schema.json b/pkg/parser/schemas/main_workflow_schema.json index e1a1937b96b..f720ab7e21c 100644 --- a/pkg/parser/schemas/main_workflow_schema.json +++ b/pkg/parser/schemas/main_workflow_schema.json @@ -6612,9 +6612,9 @@ "$ref": "#/$defs/githubActionsStep" } }, - "run-on": { + "runs-on": { "type": "string", - "description": "Runner specification for the detection job. Overrides safe-outputs.runs-on for the detection job only. Defaults to safe-outputs.runs-on, then ubuntu-latest." + "description": "Runner specification for the detection job. Overrides agent.runs-on for the detection job only. Defaults to agent.runs-on." } }, "additionalProperties": false 
diff --git a/pkg/workflow/safe_outputs_config_helpers.go b/pkg/workflow/safe_outputs_config_helpers.go index 6856b5eafc2..035a6f1490f 100644 --- a/pkg/workflow/safe_outputs_config_helpers.go +++ b/pkg/workflow/safe_outputs_config_helpers.go @@ -122,17 +122,13 @@ func (c *Compiler) formatSafeOutputsRunsOn(safeOutputs *SafeOutputsConfig) strin } // formatDetectionRunsOn resolves the runner for the detection job using the following priority: -// 1. safe-outputs.detection.run-on (detection-specific override) -// 2. safe-outputs.runs-on (global safe-outputs runner) -// 3. ubuntu-latest (default) -func (c *Compiler) formatDetectionRunsOn(safeOutputs *SafeOutputsConfig) string { +// 1. safe-outputs.detection.runs-on (detection-specific override) +// 2. agentRunsOn (the agent job's runner, passed by the caller) +func (c *Compiler) formatDetectionRunsOn(safeOutputs *SafeOutputsConfig, agentRunsOn string) string { if safeOutputs != nil && safeOutputs.ThreatDetection != nil && safeOutputs.ThreatDetection.RunsOn != "" { return "runs-on: " + safeOutputs.ThreatDetection.RunsOn } - if safeOutputs != nil && safeOutputs.RunsOn != "" { - return "runs-on: " + safeOutputs.RunsOn - } - return "runs-on: " + constants.DefaultActivationJobRunnerImage + return agentRunsOn } // builtinSafeOutputFields contains the struct field names for the built-in safe output types diff --git a/pkg/workflow/safe_outputs_runs_on_test.go b/pkg/workflow/safe_outputs_runs_on_test.go index 85356ef6dcd..14724db6764 100644 --- a/pkg/workflow/safe_outputs_runs_on_test.go +++ b/pkg/workflow/safe_outputs_runs_on_test.go @@ -246,7 +246,7 @@ func TestDetectionJobRunsOnResolution(t *testing.T) { expectedRunsOn string }{ { - name: "detection uses safe-outputs runs-on when no detection run-on", + name: "detection uses agent runs-on by default (not safe-outputs runs-on)", frontmatter: `--- on: push safe-outputs: 
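Review bot: formatDetectionRunsOn now returns `agentRunsOn` verbatim, so an empty value from the caller yields a detection job with no runner line, where the removed code always ended in `constants.DefaultActivationJobRunnerImage`. Whether `data.RunsOn` (passed at the call site in buildThreatDetectionJob) can be empty is not visible in this patch, so a guard such as `if agentRunsOn == "" { return "runs-on: " + constants.DefaultActivationJobRunnerImage }` before the final return would keep the old guarantee, and TestFormatDetectionRunsOn should gain a case for it. The doc comment should state that `agentRunsOn` is an already rendered `runs-on: ...` line, and since the tests in this patch use the key `threat-detection`, item 1 presumably wants to read `safe-outputs.threat-detection.runs-on`. Because the detection job now defaults to the runner of the agent job whose output it inspects, the comment could also note that on a non-ephemeral self-hosted runner the two jobs may share a host unless the override is set.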
@@ -258,10 +258,10 @@ safe-outputs: # Test Workflow This is a test workflow.`, - expectedRunsOn: "runs-on: self-hosted", + expectedRunsOn: "runs-on: ubuntu-latest", }, { - name: "detection run-on overrides safe-outputs runs-on", + name: "detection runs-on overrides agent runs-on", frontmatter: `--- on: push safe-outputs: @@ -269,7 +269,7 @@ safe-outputs: title-prefix: "[ai] " runs-on: self-hosted threat-detection: - run-on: detection-runner + runs-on: detection-runner --- # Test Workflow @@ -278,7 +278,7 @@ This is a test workflow.`, expectedRunsOn: "runs-on: detection-runner", }, { - name: "detection falls back to ubuntu-latest when no runs-on configured", + name: "detection falls back to agent runs-on (ubuntu-latest) when no runs-on configured", frontmatter: `--- on: push safe-outputs: @@ -289,7 +289,7 @@ safe-outputs: # Test Workflow This is a test workflow.`, - expectedRunsOn: "runs-on: " + constants.DefaultActivationJobRunnerImage, + expectedRunsOn: "runs-on: ubuntu-latest", }, } diff --git a/pkg/workflow/threat_detection.go b/pkg/workflow/threat_detection.go index a3fef9f1c34..ecdafff0d1e 100644 --- a/pkg/workflow/threat_detection.go +++ b/pkg/workflow/threat_detection.go @@ -16,7 +16,7 @@ type ThreatDetectionConfig struct { Steps []any `yaml:"steps,omitempty"` // Array of extra job steps EngineConfig *EngineConfig `yaml:"engine-config,omitempty"` // Extended engine configuration for threat detection EngineDisabled bool `yaml:"-"` // Internal flag: true when engine is explicitly set to false - RunsOn string `yaml:"run-on,omitempty"` // Runner override for the detection job + RunsOn string `yaml:"runs-on,omitempty"` // Runner override for the detection job } // parseThreatDetectionConfig handles threat-detection configuration 
@@ -65,8 +65,8 @@ func (c *Compiler) parseThreatDetectionConfig(outputMap map[string]any) *ThreatD } } - // Parse run-on field - if runOn, exists := configMap["run-on"]; exists { + // Parse runs-on field + if runOn, exists := configMap["runs-on"]; exists { if runOnStr, ok := runOn.(string); ok { threatConfig.RunsOn = runOnStr } @@ -149,7 +149,7 @@ func (c *Compiler) buildThreatDetectionJob(data *WorkflowData, mainJobName strin job := &Job{ Name: string(constants.DetectionJobName), If: condition.Render(), - RunsOn: c.formatDetectionRunsOn(data.SafeOutputs), + RunsOn: c.formatDetectionRunsOn(data.SafeOutputs, data.RunsOn), Permissions: permissions, Concurrency: c.indentYAMLLines(agentConcurrency, " "), TimeoutMinutes: 10, diff --git a/pkg/workflow/threat_detection_test.go b/pkg/workflow/threat_detection_test.go index a920246a40a..f02c8942575 100644 --- a/pkg/workflow/threat_detection_test.go +++ b/pkg/workflow/threat_detection_test.go @@ -112,10 +112,10 @@ func TestParseThreatDetectionConfig(t *testing.T) { }, }, { - name: "object with run-on override", + name: "object with runs-on override", outputMap: map[string]any{ "threat-detection": map[string]any{ - "run-on": "self-hosted", + "runs-on": "self-hosted", }, }, expectedConfig: &ThreatDetectionConfig{ 
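Review bot: After the rename in the `@@ -65,8` hunk, a workflow that still sets the old `run-on` key under `threat-detection` is skipped by this lookup without any diagnostic, so a detection job that was pinned to a dedicated runner silently moves to the agent's runner. The schema hunk in main_workflow_schema.json would reject the old key through `additionalProperties: false`, but whether schema validation always runs before parseThreatDetectionConfig is not visible here. Either read the legacy key as a fallback, `if runOn, exists := configMap["run-on"]; exists && threatConfig.RunsOn == "" { ... }`, or fail compilation when it is present, so the migration is explicit. The same lookup also drops a non-string `runs-on` value without a message; the function body starts and continues outside the hunk.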
@@ -159,51 +159,57 @@ func TestFormatDetectionRunsOn(t *testing.T) { tests := []struct { name string safeOutputs *SafeOutputsConfig + agentRunsOn string expectedRunsOn string }{ { - name: "nil safe outputs returns default", + name: "nil safe outputs uses agent runs-on", safeOutputs: nil, - expectedRunsOn: "runs-on: " + constants.DefaultActivationJobRunnerImage, + agentRunsOn: "runs-on: ubuntu-latest", + expectedRunsOn: "runs-on: ubuntu-latest", }, { - name: "detection run-on takes priority over safe-outputs runs-on", + name: "detection runs-on takes priority over agent runs-on", safeOutputs: &SafeOutputsConfig{ RunsOn: "self-hosted", ThreatDetection: &ThreatDetectionConfig{ RunsOn: "detection-runner", }, }, + agentRunsOn: "runs-on: ubuntu-latest", expectedRunsOn: "runs-on: detection-runner", }, { - name: "falls back to safe-outputs runs-on when detection run-on is empty", + name: "falls back to agent runs-on when detection runs-on is empty", safeOutputs: &SafeOutputsConfig{ RunsOn: "self-hosted", ThreatDetection: &ThreatDetectionConfig{}, }, - expectedRunsOn: "runs-on: self-hosted", + agentRunsOn: "runs-on: my-agent-runner", + expectedRunsOn: "runs-on: my-agent-runner", }, { - name: "falls back to default when both detection run-on and safe-outputs runs-on are empty", + name: "falls back to agent runs-on when both detection and safe-outputs runs-on are empty", safeOutputs: &SafeOutputsConfig{ ThreatDetection: &ThreatDetectionConfig{}, }, - expectedRunsOn: "runs-on: " + constants.DefaultActivationJobRunnerImage, + agentRunsOn: "runs-on: ubuntu-latest", + expectedRunsOn: "runs-on: ubuntu-latest", }, { - name: "nil threat detection still uses safe-outputs runs-on", + name: "nil threat detection uses agent runs-on", safeOutputs: &SafeOutputsConfig{ RunsOn: "windows-latest", ThreatDetection: nil, }, - expectedRunsOn: "runs-on: windows-latest", + agentRunsOn: "runs-on: my-agent-runner", + expectedRunsOn: "runs-on: my-agent-runner", }, } for _, tt := range tests { 
t.Run(tt.name, func(t *testing.T) { - result := compiler.formatDetectionRunsOn(tt.safeOutputs) + result := compiler.formatDetectionRunsOn(tt.safeOutputs, tt.agentRunsOn) if result != tt.expectedRunsOn { t.Errorf("Expected runs-on %q, got %q", tt.expectedRunsOn, result) } @@ -235,6 +241,7 @@ func TestBuildThreatDetectionJob(t *testing.T) { { name: "threat detection enabled should create job", data: &WorkflowData{ + RunsOn: "runs-on: ubuntu-latest", SafeOutputs: &SafeOutputsConfig{ ThreatDetection: &ThreatDetectionConfig{}, }, @@ -246,6 +253,7 @@ func TestBuildThreatDetectionJob(t *testing.T) { { name: "threat detection with custom steps should create job", data: &WorkflowData{ + RunsOn: "runs-on: ubuntu-latest", SafeOutputs: &SafeOutputsConfig{ ThreatDetection: &ThreatDetectionConfig{ Steps: []any{ @@ -295,14 +303,10 @@ func TestBuildThreatDetectionJob(t *testing.T) { if job.Name != string(constants.DetectionJobName) { t.Errorf("Expected job name 'detection', got %q", job.Name) } - // Detection job uses formatDetectionRunsOn: safe-outputs.detection.run-on > safe-outputs.runs-on > default - expectedRunsOn := "runs-on: " + constants.DefaultActivationJobRunnerImage - if tt.data.SafeOutputs != nil { - if tt.data.SafeOutputs.ThreatDetection != nil && tt.data.SafeOutputs.ThreatDetection.RunsOn != "" { - expectedRunsOn = "runs-on: " + tt.data.SafeOutputs.ThreatDetection.RunsOn - } else if tt.data.SafeOutputs.RunsOn != "" { - expectedRunsOn = "runs-on: " + tt.data.SafeOutputs.RunsOn - } + // Detection job uses formatDetectionRunsOn: safe-outputs.detection.runs-on > agent.runs-on + expectedRunsOn := tt.data.RunsOn + if tt.data.SafeOutputs != nil && tt.data.SafeOutputs.ThreatDetection != nil && tt.data.SafeOutputs.ThreatDetection.RunsOn != "" { + expectedRunsOn = "runs-on: " + tt.data.SafeOutputs.ThreatDetection.RunsOn } if job.RunsOn != expectedRunsOn { t.Errorf("Expected %q runner, got %q", expectedRunsOn, job.RunsOn)
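Review bot: In the `@@ -295,14 +303,10` hunk the test derives `expectedRunsOn` by repeating the same priority logic that formatDetectionRunsOn implements, so a mistake in the resolution order would be mirrored in the expectation and still pass. Giving each table entry a literal expected value, for example a field `expectedRunsOn: "runs-on: ubuntu-latest"`, would pin the behaviour independently of the implementation. Neither of the two cases visible in this patch sets `ThreatDetection.RunsOn`, so the override branch may not be exercised through buildThreatDetectionJob at all; the rest of the table is outside the hunks, so this should be checked. The enclosing test function starts and ends outside the hunk.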