From acda94397c1af6927d961d9b61a7110ef00f95f7 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 23 Feb 2026 18:49:46 +0000 Subject: [PATCH 1/3] Initial plan From 9ebf64cd731f057b825763995ca0687fc6bc9451 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 23 Feb 2026 19:27:32 +0000 Subject: [PATCH 2/3] feat: propagate top-level runs-on to all support jobs for full self-hosted runner support Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .../agent-performance-analyzer.lock.yml | 4 +- .../workflows/agent-persona-explorer.lock.yml | 4 +- .github/workflows/archie.lock.yml | 2 +- .github/workflows/artifacts-summary.lock.yml | 2 +- .github/workflows/audit-workflows.lock.yml | 6 +- .github/workflows/auto-triage-issues.lock.yml | 2 +- .github/workflows/blog-auditor.lock.yml | 2 +- .github/workflows/brave.lock.yml | 2 +- .../breaking-change-checker.lock.yml | 2 +- .github/workflows/changeset.lock.yml | 2 +- .github/workflows/ci-coach.lock.yml | 4 +- .github/workflows/ci-doctor.lock.yml | 4 +- .../claude-code-user-docs-review.lock.yml | 4 +- .../cli-consistency-checker.lock.yml | 2 +- .../workflows/cli-version-checker.lock.yml | 4 +- .github/workflows/cloclo.lock.yml | 4 +- .../workflows/code-scanning-fixer.lock.yml | 6 +- .github/workflows/code-simplifier.lock.yml | 2 +- .../commit-changes-analyzer.lock.yml | 2 +- .github/workflows/contribution-check.lock.yml | 2 +- .../workflows/copilot-agent-analysis.lock.yml | 6 +- .../copilot-cli-deep-research.lock.yml | 4 +- .../copilot-pr-merged-report.lock.yml | 4 +- .../copilot-pr-nlp-analysis.lock.yml | 6 +- .../copilot-pr-prompt-analysis.lock.yml | 6 +- .../copilot-session-insights.lock.yml | 6 +- .github/workflows/craft.lock.yml | 2 +- .../daily-assign-issue-to-user.lock.yml | 2 +- .github/workflows/daily-choice-test.lock.yml | 2 +- .../workflows/daily-cli-performance.lock.yml | 4 +- .../workflows/daily-cli-tools-tester.lock.yml | 2 +- .github/workflows/daily-code-metrics.lock.yml | 6 +- .../workflows/daily-compiler-quality.lock.yml | 4 +- .../daily-copilot-token-report.lock.yml | 6 +- .github/workflows/daily-doc-updater.lock.yml | 4 +- .github/workflows/daily-fact.lock.yml | 2 +- .github/workflows/daily-file-diet.lock.yml | 2 +- .../workflows/daily-firewall-report.lock.yml | 4 +- .../workflows/daily-issues-report.lock.yml | 4 +- .../daily-mcp-concurrency-analysis.lock.yml | 4 +- .../daily-multi-device-docs-tester.lock.yml | 2 +- .github/workflows/daily-news.lock.yml | 6 +- .../daily-observability-report.lock.yml | 2 +- .../daily-performance-summary.lock.yml | 4 +- .github/workflows/daily-regulatory.lock.yml | 2 +- .../daily-rendering-scripts-verifier.lock.yml | 4 +- .../workflows/daily-repo-chronicle.lock.yml | 4 +- .../daily-safe-output-optimizer.lock.yml | 4 +- .../daily-safe-outputs-conformance.lock.yml | 2 +- .../workflows/daily-secrets-analysis.lock.yml | 2 +- .../daily-security-red-team.lock.yml | 2 +- .github/workflows/daily-semgrep-scan.lock.yml | 2 +- .../daily-syntax-error-quality.lock.yml | 2 +- .../daily-team-evolution-insights.lock.yml | 2 +- .github/workflows/daily-team-status.lock.yml | 2 +- .../daily-testify-uber-super-expert.lock.yml | 4 +- .../workflows/daily-workflow-updater.lock.yml | 2 +- .github/workflows/deep-report.lock.yml | 6 +- .github/workflows/delight.lock.yml | 4 +- .github/workflows/dependabot-burner.lock.yml | 2 +- .../workflows/dependabot-go-checker.lock.yml | 2 +- .github/workflows/dev-hawk.lock.yml | 2 +- .github/workflows/dev.lock.yml | 2 +- .../developer-docs-consolidator.lock.yml | 4 +- .github/workflows/dictation-prompt.lock.yml | 2 +- .../workflows/discussion-task-miner.lock.yml | 4 +- .github/workflows/docs-noob-tester.lock.yml | 2 +- .github/workflows/draft-pr-cleanup.lock.yml | 2 +- .../duplicate-code-detector.lock.yml | 2 +- .../example-workflow-analyzer.lock.yml | 2 +- .github/workflows/firewall-escape.lock.yml | 6 +- .../workflows/functional-pragmatist.lock.yml | 2 +- .../github-mcp-structural-analysis.lock.yml | 4 +- .../github-mcp-tools-report.lock.yml | 4 +- .../github-remote-mcp-auth-test.lock.yml | 2 +- .../workflows/glossary-maintainer.lock.yml | 4 +- .github/workflows/go-fan.lock.yml | 4 +- .github/workflows/go-logger.lock.yml | 4 +- .../workflows/go-pattern-detector.lock.yml | 2 +- .github/workflows/gpclean.lock.yml | 4 +- .github/workflows/grumpy-reviewer.lock.yml | 4 +- .github/workflows/hourly-ci-cleaner.lock.yml | 2 +- .../workflows/instructions-janitor.lock.yml | 4 +- .github/workflows/issue-arborist.lock.yml | 2 +- .github/workflows/issue-monster.lock.yml | 2 +- .github/workflows/issue-triage-agent.lock.yml | 2 +- .github/workflows/jsweep.lock.yml | 4 +- .../workflows/layout-spec-maintainer.lock.yml | 2 +- .github/workflows/lockfile-stats.lock.yml | 4 +- .github/workflows/mcp-inspector.lock.yml | 4 +- .github/workflows/mergefest.lock.yml | 2 +- .github/workflows/metrics-collector.lock.yml | 2 +- .../workflows/notion-issue-summary.lock.yml | 2 +- .github/workflows/org-health-report.lock.yml | 4 +- .github/workflows/pdf-summary.lock.yml | 4 +- .github/workflows/plan.lock.yml | 2 +- .github/workflows/poem-bot.lock.yml | 4 +- .github/workflows/portfolio-analyst.lock.yml | 4 +- .../workflows/pr-nitpick-reviewer.lock.yml | 4 +- .github/workflows/pr-triage-agent.lock.yml | 4 +- .../prompt-clustering-analysis.lock.yml | 4 +- .github/workflows/python-data-charts.lock.yml | 4 +- .github/workflows/q.lock.yml | 4 +- .github/workflows/refiner.lock.yml | 2 +- .github/workflows/release.lock.yml | 2 +- .../workflows/repo-audit-analyzer.lock.yml | 4 +- .github/workflows/repo-tree-map.lock.yml | 2 +- .../repository-quality-improver.lock.yml | 4 +- .github/workflows/research.lock.yml | 2 +- .github/workflows/safe-output-health.lock.yml | 4 +- .../schema-consistency-checker.lock.yml | 4 +- .github/workflows/scout.lock.yml | 4 +- .../workflows/security-compliance.lock.yml | 4 +- .github/workflows/security-review.lock.yml | 4 +- .../semantic-function-refactor.lock.yml | 2 +- .github/workflows/sergo.lock.yml | 4 +- .../workflows/slide-deck-maintainer.lock.yml | 4 +- .github/workflows/smoke-agent.lock.yml | 2 +- .github/workflows/smoke-claude.lock.yml | 4 +- .github/workflows/smoke-codex.lock.yml | 4 +- .github/workflows/smoke-copilot-arm.lock.yml | 12 +- .github/workflows/smoke-copilot.lock.yml | 4 +- .github/workflows/smoke-gemini.lock.yml | 4 +- .github/workflows/smoke-multi-pr.lock.yml | 2 +- .github/workflows/smoke-project.lock.yml | 2 +- .github/workflows/smoke-temporary-id.lock.yml | 2 +- .github/workflows/smoke-test-tools.lock.yml | 2 +- .../workflows/stale-repo-identifier.lock.yml | 4 +- .../workflows/static-analysis-report.lock.yml | 4 +- .../workflows/step-name-alignment.lock.yml | 4 +- .github/workflows/sub-issue-closer.lock.yml | 2 +- .github/workflows/super-linter.lock.yml | 4 +- .../workflows/technical-doc-writer.lock.yml | 4 +- .github/workflows/terminal-stylist.lock.yml | 2 +- .../test-create-pr-error-handling.lock.yml | 4 +- .github/workflows/test-dispatcher.lock.yml | 2 +- .../test-project-url-default.lock.yml | 2 +- .github/workflows/tidy.lock.yml | 2 +- .github/workflows/typist.lock.yml | 2 +- .../workflows/ubuntu-image-analyzer.lock.yml | 2 +- .github/workflows/unbloat-docs.lock.yml | 4 +- .github/workflows/video-analyzer.lock.yml | 2 +- .../weekly-editors-health-check.lock.yml | 2 +- .../workflows/weekly-issue-summary.lock.yml | 4 +- .../weekly-safe-outputs-spec-review.lock.yml | 2 +- .github/workflows/workflow-generator.lock.yml | 2 +- .../workflow-health-manager.lock.yml | 4 +- .../workflows/workflow-normalizer.lock.yml | 2 +- .../workflow-skill-extractor.lock.yml | 2 +- .../docs/guides/self-hosted-runners.md | 130 ++++++++++++++++++ .../src/content/docs/reference/frontmatter.md | 15 +- .../content/docs/reference/safe-outputs.md | 9 +- pkg/parser/schemas/main_workflow_schema.json | 4 +- pkg/workflow/cache.go | 2 +- pkg/workflow/compiler_activation_jobs.go | 4 +- .../compiler_orchestrator_workflow.go | 1 + pkg/workflow/compiler_safe_outputs_job.go | 2 +- pkg/workflow/compiler_types.go | 1 + pkg/workflow/notify_comment.go | 2 +- pkg/workflow/repo_memory.go | 2 +- pkg/workflow/safe_jobs.go | 2 +- pkg/workflow/safe_outputs_config_helpers.go | 31 ++++- pkg/workflow/safe_outputs_jobs.go | 2 +- pkg/workflow/safe_outputs_runs_on_test.go | 96 ++++++++++++- pkg/workflow/safe_outputs_test.go | 25 ++-- pkg/workflow/threat_detection.go | 2 +- pkg/workflow/threat_detection_test.go | 4 +- 167 files changed, 537 insertions(+), 279 deletions(-) create mode 100644 docs/src/content/docs/guides/self-hosted-runners.md diff --git a/.github/workflows/agent-performance-analyzer.lock.yml b/.github/workflows/agent-performance-analyzer.lock.yml index 6b60bde99a..f055e7c1a6 100644 --- a/.github/workflows/agent-performance-analyzer.lock.yml +++ b/.github/workflows/agent-performance-analyzer.lock.yml @@ -1136,7 +1136,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: @@ -1277,7 +1277,7 @@ jobs: - agent - detection if: always() && needs.detection.outputs.success == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: write outputs: diff --git a/.github/workflows/agent-persona-explorer.lock.yml b/.github/workflows/agent-persona-explorer.lock.yml index 8b5e9aa558..bb90ddf426 100644 --- a/.github/workflows/agent-persona-explorer.lock.yml +++ b/.github/workflows/agent-persona-explorer.lock.yml @@ -1008,7 +1008,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: @@ -1214,7 +1214,7 @@ jobs: - agent - detection if: always() && needs.detection.outputs.success == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read env: diff --git a/.github/workflows/archie.lock.yml b/.github/workflows/archie.lock.yml index 092a41118c..496c84f55a 100644 --- a/.github/workflows/archie.lock.yml +++ b/.github/workflows/archie.lock.yml @@ -960,7 +960,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/artifacts-summary.lock.yml b/.github/workflows/artifacts-summary.lock.yml index 87e04ac455..e3596c6a96 100644 --- a/.github/workflows/artifacts-summary.lock.yml +++ b/.github/workflows/artifacts-summary.lock.yml @@ -915,7 +915,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/audit-workflows.lock.yml b/.github/workflows/audit-workflows.lock.yml index 7b07e1ea80..135cd8c363 100644 --- a/.github/workflows/audit-workflows.lock.yml +++ b/.github/workflows/audit-workflows.lock.yml @@ -1174,7 +1174,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: @@ -1297,7 +1297,7 @@ jobs: - agent - detection if: always() && needs.detection.outputs.success == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: write outputs: @@ -1430,7 +1430,7 @@ jobs: - agent - detection if: always() && needs.detection.outputs.success == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read env: diff --git a/.github/workflows/auto-triage-issues.lock.yml b/.github/workflows/auto-triage-issues.lock.yml index 909daf9069..9d592ff6a3 100644 --- a/.github/workflows/auto-triage-issues.lock.yml +++ b/.github/workflows/auto-triage-issues.lock.yml @@ -985,7 +985,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/blog-auditor.lock.yml b/.github/workflows/blog-auditor.lock.yml index 8efdeee8f3..3b6f222418 100644 --- a/.github/workflows/blog-auditor.lock.yml +++ b/.github/workflows/blog-auditor.lock.yml @@ -1025,7 +1025,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/brave.lock.yml b/.github/workflows/brave.lock.yml index 6b30c73629..d638cbb43e 100644 --- a/.github/workflows/brave.lock.yml +++ b/.github/workflows/brave.lock.yml @@ -948,7 +948,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/breaking-change-checker.lock.yml b/.github/workflows/breaking-change-checker.lock.yml index 3406b5a4ac..409f649587 100644 --- a/.github/workflows/breaking-change-checker.lock.yml +++ b/.github/workflows/breaking-change-checker.lock.yml @@ -961,7 +961,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/changeset.lock.yml b/.github/workflows/changeset.lock.yml index bf56befc79..e150955f32 100644 --- a/.github/workflows/changeset.lock.yml +++ b/.github/workflows/changeset.lock.yml @@ -1036,7 +1036,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/ci-coach.lock.yml b/.github/workflows/ci-coach.lock.yml index 34b57a60b5..8f3f60b035 100644 --- a/.github/workflows/ci-coach.lock.yml +++ b/.github/workflows/ci-coach.lock.yml @@ -1035,7 +1035,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: @@ -1239,7 +1239,7 @@ jobs: - agent - detection if: always() && needs.detection.outputs.success == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read env: diff --git a/.github/workflows/ci-doctor.lock.yml b/.github/workflows/ci-doctor.lock.yml index 97c9b48aea..d9d47fd70a 100644 --- a/.github/workflows/ci-doctor.lock.yml +++ b/.github/workflows/ci-doctor.lock.yml @@ -1163,7 +1163,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: @@ -1386,7 +1386,7 @@ jobs: - agent - detection if: always() && needs.detection.outputs.success == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read env: diff --git a/.github/workflows/claude-code-user-docs-review.lock.yml b/.github/workflows/claude-code-user-docs-review.lock.yml index 2e2b5520d4..9e493d3f91 100644 --- a/.github/workflows/claude-code-user-docs-review.lock.yml +++ b/.github/workflows/claude-code-user-docs-review.lock.yml @@ -986,7 +986,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: @@ -1175,7 +1175,7 @@ jobs: - agent - detection if: always() && needs.detection.outputs.success == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read env: diff --git a/.github/workflows/cli-consistency-checker.lock.yml b/.github/workflows/cli-consistency-checker.lock.yml index e3d36d5f9c..2ff51d03d1 100644 --- a/.github/workflows/cli-consistency-checker.lock.yml +++ b/.github/workflows/cli-consistency-checker.lock.yml @@ -925,7 +925,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/cli-version-checker.lock.yml b/.github/workflows/cli-version-checker.lock.yml index 181dafb461..e73a975ab2 100644 --- a/.github/workflows/cli-version-checker.lock.yml +++ b/.github/workflows/cli-version-checker.lock.yml @@ -1014,7 +1014,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: @@ -1201,7 +1201,7 @@ jobs: - agent - detection if: always() && needs.detection.outputs.success == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read env: diff --git a/.github/workflows/cloclo.lock.yml b/.github/workflows/cloclo.lock.yml index 24e7a25645..8cbe9e677e 100644 --- a/.github/workflows/cloclo.lock.yml +++ b/.github/workflows/cloclo.lock.yml @@ -1308,7 +1308,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read timeout-minutes: 10 @@ -1598,7 +1598,7 @@ jobs: - agent - detection if: always() && needs.detection.outputs.success == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read env: diff --git a/.github/workflows/code-scanning-fixer.lock.yml b/.github/workflows/code-scanning-fixer.lock.yml index 06c466a035..7431bbc0c9 100644 --- a/.github/workflows/code-scanning-fixer.lock.yml +++ b/.github/workflows/code-scanning-fixer.lock.yml @@ -1038,7 +1038,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: @@ -1192,7 +1192,7 @@ jobs: - agent - detection if: always() && needs.detection.outputs.success == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: write outputs: @@ -1352,7 +1352,7 @@ jobs: - agent - detection if: always() && needs.detection.outputs.success == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read env: diff --git a/.github/workflows/code-simplifier.lock.yml b/.github/workflows/code-simplifier.lock.yml index ab3b4dc29a..7f2d7b09cc 100644 --- a/.github/workflows/code-simplifier.lock.yml +++ b/.github/workflows/code-simplifier.lock.yml @@ -962,7 +962,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/commit-changes-analyzer.lock.yml b/.github/workflows/commit-changes-analyzer.lock.yml index e77e7dec5d..025e106abc 100644 --- a/.github/workflows/commit-changes-analyzer.lock.yml +++ b/.github/workflows/commit-changes-analyzer.lock.yml @@ -966,7 +966,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/contribution-check.lock.yml b/.github/workflows/contribution-check.lock.yml index 02f9db1a00..a9188b0f59 100644 --- a/.github/workflows/contribution-check.lock.yml +++ b/.github/workflows/contribution-check.lock.yml @@ -999,7 +999,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/copilot-agent-analysis.lock.yml b/.github/workflows/copilot-agent-analysis.lock.yml index 9a0a4e5e0f..bf23b9cae9 100644 --- a/.github/workflows/copilot-agent-analysis.lock.yml +++ b/.github/workflows/copilot-agent-analysis.lock.yml @@ -1046,7 +1046,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: @@ -1169,7 +1169,7 @@ jobs: - agent - detection if: always() && needs.detection.outputs.success == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: write outputs: @@ -1301,7 +1301,7 @@ jobs: - agent - detection if: always() && needs.detection.outputs.success == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read env: diff --git a/.github/workflows/copilot-cli-deep-research.lock.yml b/.github/workflows/copilot-cli-deep-research.lock.yml index 797bd9bb89..7e30621446 100644 --- a/.github/workflows/copilot-cli-deep-research.lock.yml +++ b/.github/workflows/copilot-cli-deep-research.lock.yml @@ -977,7 +977,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: @@ -1087,7 +1087,7 @@ jobs: - agent - detection if: always() && needs.detection.outputs.success == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: write outputs: diff --git a/.github/workflows/copilot-pr-merged-report.lock.yml b/.github/workflows/copilot-pr-merged-report.lock.yml index 2bd196cd9f..f62fdccd30 100644 --- a/.github/workflows/copilot-pr-merged-report.lock.yml +++ b/.github/workflows/copilot-pr-merged-report.lock.yml @@ -1085,7 +1085,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: @@ -1260,7 +1260,7 @@ jobs: - agent - detection if: always() && needs.detection.outputs.success == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read env: diff --git a/.github/workflows/copilot-pr-nlp-analysis.lock.yml b/.github/workflows/copilot-pr-nlp-analysis.lock.yml index f677e8e16e..7395b4af9e 100644 --- a/.github/workflows/copilot-pr-nlp-analysis.lock.yml +++ b/.github/workflows/copilot-pr-nlp-analysis.lock.yml @@ -1073,7 +1073,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: @@ -1183,7 +1183,7 @@ jobs: - agent - detection if: always() && needs.detection.outputs.success == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: write outputs: @@ -1315,7 +1315,7 @@ jobs: - agent - detection if: always() && needs.detection.outputs.success == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read env: diff --git a/.github/workflows/copilot-pr-prompt-analysis.lock.yml b/.github/workflows/copilot-pr-prompt-analysis.lock.yml index b02f6ce795..bd46963847 100644 --- a/.github/workflows/copilot-pr-prompt-analysis.lock.yml +++ b/.github/workflows/copilot-pr-prompt-analysis.lock.yml @@ -997,7 +997,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: @@ -1107,7 +1107,7 @@ jobs: - agent - detection if: always() && needs.detection.outputs.success == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: write outputs: @@ -1239,7 +1239,7 @@ jobs: - agent - detection if: always() && needs.detection.outputs.success == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read env: diff --git a/.github/workflows/copilot-session-insights.lock.yml b/.github/workflows/copilot-session-insights.lock.yml index 0f6f613945..0e9473d14a 100644 --- a/.github/workflows/copilot-session-insights.lock.yml +++ b/.github/workflows/copilot-session-insights.lock.yml @@ -1125,7 +1125,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: @@ -1248,7 +1248,7 @@ jobs: - agent - detection if: always() && needs.detection.outputs.success == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: write outputs: @@ -1380,7 +1380,7 @@ jobs: - agent - detection if: always() && needs.detection.outputs.success == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read env: diff --git a/.github/workflows/craft.lock.yml b/.github/workflows/craft.lock.yml index ab401e2657..72300364f8 100644 --- a/.github/workflows/craft.lock.yml +++ b/.github/workflows/craft.lock.yml @@ -986,7 +986,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/daily-assign-issue-to-user.lock.yml b/.github/workflows/daily-assign-issue-to-user.lock.yml index 61d4a858f4..326f68e7e3 100644 --- a/.github/workflows/daily-assign-issue-to-user.lock.yml +++ b/.github/workflows/daily-assign-issue-to-user.lock.yml @@ -941,7 +941,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/daily-choice-test.lock.yml b/.github/workflows/daily-choice-test.lock.yml index 1e15d90232..a4e7bfa6d0 100644 --- a/.github/workflows/daily-choice-test.lock.yml +++ b/.github/workflows/daily-choice-test.lock.yml @@ -928,7 +928,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/daily-cli-performance.lock.yml b/.github/workflows/daily-cli-performance.lock.yml index 6b04296258..a2e0813811 100644 --- a/.github/workflows/daily-cli-performance.lock.yml +++ b/.github/workflows/daily-cli-performance.lock.yml @@ -1167,7 +1167,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: @@ -1277,7 +1277,7 @@ jobs: - agent - detection if: always() && needs.detection.outputs.success == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: write outputs: diff --git a/.github/workflows/daily-cli-tools-tester.lock.yml b/.github/workflows/daily-cli-tools-tester.lock.yml index 4ed472d3b9..d42a7840e6 100644 --- a/.github/workflows/daily-cli-tools-tester.lock.yml +++ b/.github/workflows/daily-cli-tools-tester.lock.yml @@ -993,7 +993,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/daily-code-metrics.lock.yml b/.github/workflows/daily-code-metrics.lock.yml index b3d631d23e..981798d5d6 100644 --- a/.github/workflows/daily-code-metrics.lock.yml +++ b/.github/workflows/daily-code-metrics.lock.yml @@ -1103,7 +1103,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: @@ -1226,7 +1226,7 @@ jobs: - agent - detection if: always() && needs.detection.outputs.success == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: write outputs: @@ -1359,7 +1359,7 @@ jobs: - agent - detection if: always() && needs.detection.outputs.success == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read env: diff --git a/.github/workflows/daily-compiler-quality.lock.yml b/.github/workflows/daily-compiler-quality.lock.yml index 3ad3b061f0..2a65c6875b 100644 --- a/.github/workflows/daily-compiler-quality.lock.yml +++ b/.github/workflows/daily-compiler-quality.lock.yml @@ -973,7 +973,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: @@ -1149,7 +1149,7 @@ jobs: - agent - detection if: always() && needs.detection.outputs.success == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read env: diff --git a/.github/workflows/daily-copilot-token-report.lock.yml b/.github/workflows/daily-copilot-token-report.lock.yml index 3fdf273929..34be42e3a2 100644 --- a/.github/workflows/daily-copilot-token-report.lock.yml +++ b/.github/workflows/daily-copilot-token-report.lock.yml @@ -1084,7 +1084,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: @@ -1194,7 +1194,7 @@ jobs: - agent - detection if: always() && needs.detection.outputs.success == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: write outputs: @@ -1327,7 +1327,7 @@ jobs: - agent - detection if: always() && needs.detection.outputs.success == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read env: diff --git a/.github/workflows/daily-doc-updater.lock.yml b/.github/workflows/daily-doc-updater.lock.yml index 8d8f9dd494..61e73a467b 100644 --- a/.github/workflows/daily-doc-updater.lock.yml +++ b/.github/workflows/daily-doc-updater.lock.yml @@ -1047,7 +1047,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: @@ -1264,7 +1264,7 @@ jobs: - agent - detection if: always() && needs.detection.outputs.success == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read env: diff --git a/.github/workflows/daily-fact.lock.yml b/.github/workflows/daily-fact.lock.yml index 49e43c7aca..788aa570f3 100644 --- a/.github/workflows/daily-fact.lock.yml +++ b/.github/workflows/daily-fact.lock.yml @@ -878,7 +878,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: {} concurrency: group: "gh-aw-codex-${{ github.workflow }}" diff --git a/.github/workflows/daily-file-diet.lock.yml b/.github/workflows/daily-file-diet.lock.yml index 314c9bdb87..7e9151e2ca 100644 --- a/.github/workflows/daily-file-diet.lock.yml +++ b/.github/workflows/daily-file-diet.lock.yml @@ -977,7 +977,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/daily-firewall-report.lock.yml b/.github/workflows/daily-firewall-report.lock.yml index bea723f005..d233d20dad 100644 --- a/.github/workflows/daily-firewall-report.lock.yml +++ b/.github/workflows/daily-firewall-report.lock.yml @@ -1080,7 +1080,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: @@ -1256,7 +1256,7 @@ jobs: - agent - detection if: always() && needs.detection.outputs.success == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read env: diff --git a/.github/workflows/daily-issues-report.lock.yml b/.github/workflows/daily-issues-report.lock.yml index 7a7674e74b..a7dc484e83 100644 --- a/.github/workflows/daily-issues-report.lock.yml +++ b/.github/workflows/daily-issues-report.lock.yml @@ -1106,7 +1106,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: @@ -1305,7 +1305,7 @@ jobs: - agent - detection if: always() && needs.detection.outputs.success == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read env: diff --git a/.github/workflows/daily-mcp-concurrency-analysis.lock.yml b/.github/workflows/daily-mcp-concurrency-analysis.lock.yml index 5e3b4fc521..1f792d0f4c 100644 --- a/.github/workflows/daily-mcp-concurrency-analysis.lock.yml +++ b/.github/workflows/daily-mcp-concurrency-analysis.lock.yml @@ -1024,7 +1024,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: @@ -1213,7 +1213,7 @@ jobs: - agent - detection if: always() && needs.detection.outputs.success == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read env: diff --git a/.github/workflows/daily-multi-device-docs-tester.lock.yml b/.github/workflows/daily-multi-device-docs-tester.lock.yml index e483a2d098..2efc9966c3 100644 --- a/.github/workflows/daily-multi-device-docs-tester.lock.yml +++ b/.github/workflows/daily-multi-device-docs-tester.lock.yml @@ -1102,7 +1102,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/daily-news.lock.yml b/.github/workflows/daily-news.lock.yml index 52c1067270..6cbc0eba3a 100644 --- a/.github/workflows/daily-news.lock.yml +++ b/.github/workflows/daily-news.lock.yml @@ -1146,7 +1146,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: @@ -1256,7 +1256,7 @@ jobs: - agent - detection if: always() && needs.detection.outputs.success == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: write outputs: @@ -1389,7 +1389,7 @@ jobs: - agent - detection if: always() && needs.detection.outputs.success == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read env: diff --git a/.github/workflows/daily-observability-report.lock.yml b/.github/workflows/daily-observability-report.lock.yml index b054d9f585..e5539bc6de 100644 --- a/.github/workflows/daily-observability-report.lock.yml +++ b/.github/workflows/daily-observability-report.lock.yml @@ -1063,7 +1063,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/daily-performance-summary.lock.yml b/.github/workflows/daily-performance-summary.lock.yml index 9e81507527..315800174c 100644 --- a/.github/workflows/daily-performance-summary.lock.yml +++ b/.github/workflows/daily-performance-summary.lock.yml @@ -1569,7 +1569,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: @@ -1737,7 +1737,7 @@ jobs: - agent - detection if: always() && needs.detection.outputs.success == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read env: diff --git a/.github/workflows/daily-regulatory.lock.yml b/.github/workflows/daily-regulatory.lock.yml index 9e846470af..19c84fd8a0 100644 --- a/.github/workflows/daily-regulatory.lock.yml +++ b/.github/workflows/daily-regulatory.lock.yml @@ -1461,7 +1461,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/daily-rendering-scripts-verifier.lock.yml b/.github/workflows/daily-rendering-scripts-verifier.lock.yml index dc3afa5a57..3bfa8272e0 100644 --- a/.github/workflows/daily-rendering-scripts-verifier.lock.yml +++ b/.github/workflows/daily-rendering-scripts-verifier.lock.yml @@ -1133,7 +1133,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: @@ -1394,7 +1394,7 @@ jobs: - agent - detection if: always() && needs.detection.outputs.success == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read env: diff --git a/.github/workflows/daily-repo-chronicle.lock.yml b/.github/workflows/daily-repo-chronicle.lock.yml index eed552b7b3..e60cd69be3 100644 --- a/.github/workflows/daily-repo-chronicle.lock.yml +++ b/.github/workflows/daily-repo-chronicle.lock.yml @@ -1015,7 +1015,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: @@ -1191,7 +1191,7 @@ jobs: - agent - detection if: always() && needs.detection.outputs.success == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read env: diff --git a/.github/workflows/daily-safe-output-optimizer.lock.yml b/.github/workflows/daily-safe-output-optimizer.lock.yml index beff45446f..b7ecfaa884 100644 --- a/.github/workflows/daily-safe-output-optimizer.lock.yml +++ b/.github/workflows/daily-safe-output-optimizer.lock.yml @@ -1103,7 +1103,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: @@ -1334,7 +1334,7 @@ jobs: - agent - detection if: always() && needs.detection.outputs.success == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read env: diff --git a/.github/workflows/daily-safe-outputs-conformance.lock.yml b/.github/workflows/daily-safe-outputs-conformance.lock.yml index 86485c36d5..5d3589f84c 100644 --- a/.github/workflows/daily-safe-outputs-conformance.lock.yml +++ b/.github/workflows/daily-safe-outputs-conformance.lock.yml @@ -981,7 +981,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/daily-secrets-analysis.lock.yml b/.github/workflows/daily-secrets-analysis.lock.yml index 81c35b24d0..3f7bcd6e28 100644 --- a/.github/workflows/daily-secrets-analysis.lock.yml +++ b/.github/workflows/daily-secrets-analysis.lock.yml @@ -979,7 +979,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/daily-security-red-team.lock.yml b/.github/workflows/daily-security-red-team.lock.yml index f6a0e4609f..cade40d225 100644 --- a/.github/workflows/daily-security-red-team.lock.yml +++ b/.github/workflows/daily-security-red-team.lock.yml @@ -985,7 +985,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/daily-semgrep-scan.lock.yml b/.github/workflows/daily-semgrep-scan.lock.yml index 86e246d585..5eed9849ea 100644 --- a/.github/workflows/daily-semgrep-scan.lock.yml +++ b/.github/workflows/daily-semgrep-scan.lock.yml @@ -963,7 +963,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/daily-syntax-error-quality.lock.yml b/.github/workflows/daily-syntax-error-quality.lock.yml index cb4d289aba..68137fae24 100644 --- a/.github/workflows/daily-syntax-error-quality.lock.yml +++ b/.github/workflows/daily-syntax-error-quality.lock.yml @@ -958,7 +958,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/daily-team-evolution-insights.lock.yml b/.github/workflows/daily-team-evolution-insights.lock.yml index dffba2df65..b8173e44d6 100644 --- a/.github/workflows/daily-team-evolution-insights.lock.yml +++ b/.github/workflows/daily-team-evolution-insights.lock.yml @@ -965,7 +965,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/daily-team-status.lock.yml b/.github/workflows/daily-team-status.lock.yml index b16d7ed6a8..391dfbade4 100644 --- a/.github/workflows/daily-team-status.lock.yml +++ b/.github/workflows/daily-team-status.lock.yml @@ -953,7 +953,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/daily-testify-uber-super-expert.lock.yml b/.github/workflows/daily-testify-uber-super-expert.lock.yml index b0adb64bbc..40ea6280e3 100644 --- a/.github/workflows/daily-testify-uber-super-expert.lock.yml +++ b/.github/workflows/daily-testify-uber-super-expert.lock.yml @@ -1016,7 +1016,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: @@ -1170,7 +1170,7 @@ jobs: - agent - detection if: always() && needs.detection.outputs.success == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: write outputs: diff --git a/.github/workflows/daily-workflow-updater.lock.yml b/.github/workflows/daily-workflow-updater.lock.yml index 19903bd8b0..16c35b4a6e 100644 --- a/.github/workflows/daily-workflow-updater.lock.yml +++ b/.github/workflows/daily-workflow-updater.lock.yml @@ -948,7 +948,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/deep-report.lock.yml b/.github/workflows/deep-report.lock.yml index 9415fcea20..56c5f0bcb8 100644 --- a/.github/workflows/deep-report.lock.yml +++ b/.github/workflows/deep-report.lock.yml @@ -1193,7 +1193,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: @@ -1295,7 +1295,7 @@ jobs: - agent - detection if: always() && needs.detection.outputs.success == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: write outputs: @@ -1428,7 +1428,7 @@ jobs: - agent - detection if: always() && needs.detection.outputs.success == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read env: diff --git a/.github/workflows/delight.lock.yml b/.github/workflows/delight.lock.yml index 23ef1a3d1e..bff901bbb6 100644 --- a/.github/workflows/delight.lock.yml +++ b/.github/workflows/delight.lock.yml @@ -1062,7 +1062,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: @@ -1172,7 +1172,7 @@ jobs: - agent - detection if: always() && needs.detection.outputs.success == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: write outputs: diff --git a/.github/workflows/dependabot-burner.lock.yml b/.github/workflows/dependabot-burner.lock.yml index e7eb50b43f..dd296a7a19 100644 --- a/.github/workflows/dependabot-burner.lock.yml +++ b/.github/workflows/dependabot-burner.lock.yml @@ -926,7 +926,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/dependabot-go-checker.lock.yml b/.github/workflows/dependabot-go-checker.lock.yml index e3de227867..ed140fa045 100644 --- a/.github/workflows/dependabot-go-checker.lock.yml +++ b/.github/workflows/dependabot-go-checker.lock.yml @@ -967,7 +967,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/dev-hawk.lock.yml b/.github/workflows/dev-hawk.lock.yml index 4cf96de250..f010d8d517 100644 --- a/.github/workflows/dev-hawk.lock.yml +++ b/.github/workflows/dev-hawk.lock.yml @@ -1010,7 +1010,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/dev.lock.yml b/.github/workflows/dev.lock.yml index b601e2942b..ba25480b94 100644 --- a/.github/workflows/dev.lock.yml +++ b/.github/workflows/dev.lock.yml @@ -922,7 +922,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/developer-docs-consolidator.lock.yml b/.github/workflows/developer-docs-consolidator.lock.yml index 3a279438c5..27aa2ccdb0 100644 --- a/.github/workflows/developer-docs-consolidator.lock.yml +++ b/.github/workflows/developer-docs-consolidator.lock.yml @@ -1127,7 +1127,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: @@ -1344,7 +1344,7 @@ jobs: - agent - detection if: always() && needs.detection.outputs.success == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read env: diff --git a/.github/workflows/dictation-prompt.lock.yml b/.github/workflows/dictation-prompt.lock.yml index bb66be51d8..71282dc2ae 100644 --- a/.github/workflows/dictation-prompt.lock.yml +++ b/.github/workflows/dictation-prompt.lock.yml @@ -949,7 +949,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/discussion-task-miner.lock.yml b/.github/workflows/discussion-task-miner.lock.yml index f1f5947d83..7895d6108f 100644 --- a/.github/workflows/discussion-task-miner.lock.yml +++ b/.github/workflows/discussion-task-miner.lock.yml @@ -1043,7 +1043,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: @@ -1153,7 +1153,7 @@ jobs: - agent - detection if: always() && needs.detection.outputs.success == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: write outputs: diff --git a/.github/workflows/docs-noob-tester.lock.yml b/.github/workflows/docs-noob-tester.lock.yml index 55dd3494ac..3779dfec6a 100644 --- a/.github/workflows/docs-noob-tester.lock.yml +++ b/.github/workflows/docs-noob-tester.lock.yml @@ -965,7 +965,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/draft-pr-cleanup.lock.yml b/.github/workflows/draft-pr-cleanup.lock.yml index a7c5914eeb..47e494031a 100644 --- a/.github/workflows/draft-pr-cleanup.lock.yml +++ b/.github/workflows/draft-pr-cleanup.lock.yml @@ -972,7 +972,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/duplicate-code-detector.lock.yml b/.github/workflows/duplicate-code-detector.lock.yml index d760d03ce0..0a036e60bb 100644 --- a/.github/workflows/duplicate-code-detector.lock.yml +++ b/.github/workflows/duplicate-code-detector.lock.yml @@ -977,7 +977,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/example-workflow-analyzer.lock.yml b/.github/workflows/example-workflow-analyzer.lock.yml index fa5e4a53ff..204257f7d2 100644 --- a/.github/workflows/example-workflow-analyzer.lock.yml +++ b/.github/workflows/example-workflow-analyzer.lock.yml @@ -1024,7 +1024,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/firewall-escape.lock.yml b/.github/workflows/firewall-escape.lock.yml index 3ff52bd8ff..e84f795ef7 100644 --- a/.github/workflows/firewall-escape.lock.yml +++ b/.github/workflows/firewall-escape.lock.yml @@ -995,7 +995,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read timeout-minutes: 10 @@ -1166,7 +1166,7 @@ jobs: - agent - detection if: always() && needs.detection.outputs.success == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: write outputs: @@ -1298,7 +1298,7 @@ jobs: - agent - detection if: always() && needs.detection.outputs.success == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read env: diff --git a/.github/workflows/functional-pragmatist.lock.yml b/.github/workflows/functional-pragmatist.lock.yml index 55d04e81a1..a4de7534fd 100644 --- a/.github/workflows/functional-pragmatist.lock.yml +++ b/.github/workflows/functional-pragmatist.lock.yml @@ -956,7 +956,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/github-mcp-structural-analysis.lock.yml b/.github/workflows/github-mcp-structural-analysis.lock.yml index 50fc308b9c..e28105f242 100644 --- a/.github/workflows/github-mcp-structural-analysis.lock.yml +++ b/.github/workflows/github-mcp-structural-analysis.lock.yml @@ -1060,7 +1060,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: @@ -1248,7 +1248,7 @@ jobs: - agent - detection if: always() && needs.detection.outputs.success == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read env: diff --git a/.github/workflows/github-mcp-tools-report.lock.yml b/.github/workflows/github-mcp-tools-report.lock.yml index f3e680bea0..d4ccf7856c 100644 --- a/.github/workflows/github-mcp-tools-report.lock.yml +++ b/.github/workflows/github-mcp-tools-report.lock.yml @@ -1084,7 +1084,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: @@ -1301,7 +1301,7 @@ jobs: - agent - detection if: always() && needs.detection.outputs.success == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read env: diff --git a/.github/workflows/github-remote-mcp-auth-test.lock.yml b/.github/workflows/github-remote-mcp-auth-test.lock.yml index 42716c2487..5620870131 100644 --- a/.github/workflows/github-remote-mcp-auth-test.lock.yml +++ b/.github/workflows/github-remote-mcp-auth-test.lock.yml @@ -919,7 +919,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/glossary-maintainer.lock.yml b/.github/workflows/glossary-maintainer.lock.yml index b94ef238a3..2675f5ce36 100644 --- a/.github/workflows/glossary-maintainer.lock.yml +++ b/.github/workflows/glossary-maintainer.lock.yml @@ -1029,7 +1029,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: @@ -1232,7 +1232,7 @@ jobs: - agent - detection if: always() && needs.detection.outputs.success == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read env: diff --git a/.github/workflows/go-fan.lock.yml b/.github/workflows/go-fan.lock.yml index 6457728b45..e1db9854b4 100644 --- a/.github/workflows/go-fan.lock.yml +++ b/.github/workflows/go-fan.lock.yml @@ -1030,7 +1030,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: @@ -1219,7 +1219,7 @@ jobs: - agent - detection if: always() && needs.detection.outputs.success == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read env: diff --git a/.github/workflows/go-logger.lock.yml b/.github/workflows/go-logger.lock.yml index 6f369d4cde..f6fe9986b9 100644 --- a/.github/workflows/go-logger.lock.yml +++ b/.github/workflows/go-logger.lock.yml @@ -1212,7 +1212,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: @@ -1428,7 +1428,7 @@ jobs: - agent - detection if: always() && needs.detection.outputs.success == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read env: diff --git a/.github/workflows/go-pattern-detector.lock.yml b/.github/workflows/go-pattern-detector.lock.yml index 79d8472590..45583215c9 100644 --- a/.github/workflows/go-pattern-detector.lock.yml +++ b/.github/workflows/go-pattern-detector.lock.yml @@ -1023,7 +1023,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/gpclean.lock.yml b/.github/workflows/gpclean.lock.yml index 7e343def11..33a547bc71 100644 --- a/.github/workflows/gpclean.lock.yml +++ b/.github/workflows/gpclean.lock.yml @@ -954,7 +954,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: @@ -1128,7 +1128,7 @@ jobs: - agent - detection if: always() && needs.detection.outputs.success == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read env: diff --git a/.github/workflows/grumpy-reviewer.lock.yml b/.github/workflows/grumpy-reviewer.lock.yml index c96fd80842..8bc443cbd1 100644 --- a/.github/workflows/grumpy-reviewer.lock.yml +++ b/.github/workflows/grumpy-reviewer.lock.yml @@ -1033,7 +1033,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read timeout-minutes: 10 @@ -1268,7 +1268,7 @@ jobs: - agent - detection if: always() && needs.detection.outputs.success == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read env: diff --git a/.github/workflows/hourly-ci-cleaner.lock.yml b/.github/workflows/hourly-ci-cleaner.lock.yml index a5d1aa587a..33fff48881 100644 --- a/.github/workflows/hourly-ci-cleaner.lock.yml +++ b/.github/workflows/hourly-ci-cleaner.lock.yml @@ -1055,7 +1055,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/instructions-janitor.lock.yml b/.github/workflows/instructions-janitor.lock.yml index 913eed7b95..ef74b1dfa9 100644 --- a/.github/workflows/instructions-janitor.lock.yml +++ b/.github/workflows/instructions-janitor.lock.yml @@ -1040,7 +1040,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: @@ -1256,7 +1256,7 @@ jobs: - agent - detection if: always() && needs.detection.outputs.success == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read env: diff --git a/.github/workflows/issue-arborist.lock.yml b/.github/workflows/issue-arborist.lock.yml index 9aebfb36e9..8589a37951 100644 --- a/.github/workflows/issue-arborist.lock.yml +++ b/.github/workflows/issue-arborist.lock.yml @@ -1047,7 +1047,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/issue-monster.lock.yml b/.github/workflows/issue-monster.lock.yml index 7422eac001..2320dce215 100644 --- a/.github/workflows/issue-monster.lock.yml +++ b/.github/workflows/issue-monster.lock.yml @@ -974,7 +974,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/issue-triage-agent.lock.yml b/.github/workflows/issue-triage-agent.lock.yml index 61877f91ef..b1b16e65ad 100644 --- a/.github/workflows/issue-triage-agent.lock.yml +++ b/.github/workflows/issue-triage-agent.lock.yml @@ -911,7 +911,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/jsweep.lock.yml b/.github/workflows/jsweep.lock.yml index 0f118dbf7d..c518b72b9a 100644 --- a/.github/workflows/jsweep.lock.yml +++ b/.github/workflows/jsweep.lock.yml @@ -992,7 +992,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: @@ -1196,7 +1196,7 @@ jobs: - agent - detection if: always() && needs.detection.outputs.success == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read env: diff --git a/.github/workflows/layout-spec-maintainer.lock.yml b/.github/workflows/layout-spec-maintainer.lock.yml index bd50055535..b3eb7555dd 100644 --- a/.github/workflows/layout-spec-maintainer.lock.yml +++ b/.github/workflows/layout-spec-maintainer.lock.yml @@ -985,7 +985,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/lockfile-stats.lock.yml b/.github/workflows/lockfile-stats.lock.yml index cd94860773..3f1b85aeea 100644 --- a/.github/workflows/lockfile-stats.lock.yml +++ b/.github/workflows/lockfile-stats.lock.yml @@ -986,7 +986,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: @@ -1174,7 +1174,7 @@ jobs: - agent - detection if: always() && needs.detection.outputs.success == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read env: diff --git a/.github/workflows/mcp-inspector.lock.yml b/.github/workflows/mcp-inspector.lock.yml index eee7dc265e..98c2995882 100644 --- a/.github/workflows/mcp-inspector.lock.yml +++ b/.github/workflows/mcp-inspector.lock.yml @@ -1325,7 +1325,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: @@ -1774,7 +1774,7 @@ jobs: - agent - detection if: always() && needs.detection.outputs.success == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read env: diff --git a/.github/workflows/mergefest.lock.yml b/.github/workflows/mergefest.lock.yml index 380a74e600..e00ea31cf1 100644 --- a/.github/workflows/mergefest.lock.yml +++ b/.github/workflows/mergefest.lock.yml @@ -977,7 +977,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/metrics-collector.lock.yml b/.github/workflows/metrics-collector.lock.yml index 5d4c40df6b..83cfb633f4 100644 --- a/.github/workflows/metrics-collector.lock.yml +++ b/.github/workflows/metrics-collector.lock.yml @@ -653,7 +653,7 @@ jobs: push_repo_memory: needs: agent if: always() - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: write outputs: diff --git a/.github/workflows/notion-issue-summary.lock.yml b/.github/workflows/notion-issue-summary.lock.yml index 0a8b89e45a..9d4c7b904b 100644 --- a/.github/workflows/notion-issue-summary.lock.yml +++ b/.github/workflows/notion-issue-summary.lock.yml @@ -892,7 +892,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/org-health-report.lock.yml b/.github/workflows/org-health-report.lock.yml index 43d59d4d8a..5d9b90d3ec 100644 --- a/.github/workflows/org-health-report.lock.yml +++ b/.github/workflows/org-health-report.lock.yml @@ -1014,7 +1014,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: @@ -1189,7 +1189,7 @@ jobs: - agent - detection if: always() && needs.detection.outputs.success == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read env: diff --git a/.github/workflows/pdf-summary.lock.yml b/.github/workflows/pdf-summary.lock.yml index d38bc6e6aa..b8c9f526ef 100644 --- a/.github/workflows/pdf-summary.lock.yml +++ b/.github/workflows/pdf-summary.lock.yml @@ -1049,7 +1049,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read timeout-minutes: 10 @@ -1287,7 +1287,7 @@ jobs: - agent - detection if: always() && needs.detection.outputs.success == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read env: diff --git a/.github/workflows/plan.lock.yml b/.github/workflows/plan.lock.yml index d653268b19..66d7791862 100644 --- a/.github/workflows/plan.lock.yml +++ b/.github/workflows/plan.lock.yml @@ -1015,7 +1015,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/poem-bot.lock.yml b/.github/workflows/poem-bot.lock.yml index 68544e9609..261a2d4e98 100644 --- a/.github/workflows/poem-bot.lock.yml +++ b/.github/workflows/poem-bot.lock.yml @@ -1653,7 +1653,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read timeout-minutes: 10 @@ -1928,7 +1928,7 @@ jobs: - agent - detection if: always() && needs.detection.outputs.success == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read env: diff --git a/.github/workflows/portfolio-analyst.lock.yml b/.github/workflows/portfolio-analyst.lock.yml index 00575ebc0c..5b3c0e1bf7 100644 --- a/.github/workflows/portfolio-analyst.lock.yml +++ b/.github/workflows/portfolio-analyst.lock.yml @@ -1091,7 +1091,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: @@ -1267,7 +1267,7 @@ jobs: - agent - detection if: always() && needs.detection.outputs.success == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read env: diff --git a/.github/workflows/pr-nitpick-reviewer.lock.yml b/.github/workflows/pr-nitpick-reviewer.lock.yml index 3cb0218469..1d7b268b33 100644 --- a/.github/workflows/pr-nitpick-reviewer.lock.yml +++ b/.github/workflows/pr-nitpick-reviewer.lock.yml @@ -1122,7 +1122,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read timeout-minutes: 10 @@ -1365,7 +1365,7 @@ jobs: - agent - detection if: always() && needs.detection.outputs.success == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read env: diff --git a/.github/workflows/pr-triage-agent.lock.yml b/.github/workflows/pr-triage-agent.lock.yml index a1d281e9db..a666eb59ab 100644 --- a/.github/workflows/pr-triage-agent.lock.yml +++ b/.github/workflows/pr-triage-agent.lock.yml @@ -1045,7 +1045,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: @@ -1155,7 +1155,7 @@ jobs: - agent - detection if: always() && needs.detection.outputs.success == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: write outputs: diff --git a/.github/workflows/prompt-clustering-analysis.lock.yml b/.github/workflows/prompt-clustering-analysis.lock.yml index 2c48f7411f..c513159a18 100644 --- a/.github/workflows/prompt-clustering-analysis.lock.yml +++ b/.github/workflows/prompt-clustering-analysis.lock.yml @@ -1117,7 +1117,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: @@ -1305,7 +1305,7 @@ jobs: - agent - detection if: always() && needs.detection.outputs.success == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read env: diff --git a/.github/workflows/python-data-charts.lock.yml b/.github/workflows/python-data-charts.lock.yml index d7c80468a1..abccc32517 100644 --- a/.github/workflows/python-data-charts.lock.yml +++ b/.github/workflows/python-data-charts.lock.yml @@ -1077,7 +1077,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: @@ -1252,7 +1252,7 @@ jobs: - agent - detection if: always() && needs.detection.outputs.success == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read env: diff --git a/.github/workflows/q.lock.yml b/.github/workflows/q.lock.yml index 20900388ae..dc25762b0b 100644 --- a/.github/workflows/q.lock.yml +++ b/.github/workflows/q.lock.yml @@ -1171,7 +1171,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read timeout-minutes: 10 @@ -1448,7 +1448,7 @@ jobs: - agent - detection if: always() && needs.detection.outputs.success == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read env: diff --git a/.github/workflows/refiner.lock.yml b/.github/workflows/refiner.lock.yml index 5c4c3952a1..e7fb8d1963 100644 --- a/.github/workflows/refiner.lock.yml +++ b/.github/workflows/refiner.lock.yml @@ -1015,7 +1015,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/release.lock.yml b/.github/workflows/release.lock.yml index 00ed0c78f3..6f5397aa85 100644 --- a/.github/workflows/release.lock.yml +++ b/.github/workflows/release.lock.yml @@ -1038,7 +1038,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/repo-audit-analyzer.lock.yml b/.github/workflows/repo-audit-analyzer.lock.yml index bd293dd7e8..1b172d7fd8 100644 --- a/.github/workflows/repo-audit-analyzer.lock.yml +++ b/.github/workflows/repo-audit-analyzer.lock.yml @@ -954,7 +954,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: @@ -1129,7 +1129,7 @@ jobs: - agent - detection if: always() && needs.detection.outputs.success == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read env: diff --git a/.github/workflows/repo-tree-map.lock.yml b/.github/workflows/repo-tree-map.lock.yml index b0ce520057..0458c7a293 100644 --- a/.github/workflows/repo-tree-map.lock.yml +++ b/.github/workflows/repo-tree-map.lock.yml @@ -911,7 +911,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/repository-quality-improver.lock.yml b/.github/workflows/repository-quality-improver.lock.yml index 941cd6cf91..c2b80bc7bb 100644 --- a/.github/workflows/repository-quality-improver.lock.yml +++ b/.github/workflows/repository-quality-improver.lock.yml @@ -956,7 +956,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: @@ -1131,7 +1131,7 @@ jobs: - agent - detection if: always() && needs.detection.outputs.success == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read env: diff --git a/.github/workflows/research.lock.yml b/.github/workflows/research.lock.yml index 1f797889a6..f015395691 100644 --- a/.github/workflows/research.lock.yml +++ b/.github/workflows/research.lock.yml @@ -939,7 +939,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/safe-output-health.lock.yml b/.github/workflows/safe-output-health.lock.yml index 4a9a4b2828..83b0692126 100644 --- a/.github/workflows/safe-output-health.lock.yml +++ b/.github/workflows/safe-output-health.lock.yml @@ -1079,7 +1079,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: @@ -1267,7 +1267,7 @@ jobs: - agent - detection if: always() && needs.detection.outputs.success == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read env: diff --git a/.github/workflows/schema-consistency-checker.lock.yml b/.github/workflows/schema-consistency-checker.lock.yml index 008758bc27..132241d4ab 100644 --- a/.github/workflows/schema-consistency-checker.lock.yml +++ b/.github/workflows/schema-consistency-checker.lock.yml @@ -987,7 +987,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: @@ -1175,7 +1175,7 @@ jobs: - agent - detection if: always() && needs.detection.outputs.success == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read env: diff --git a/.github/workflows/scout.lock.yml b/.github/workflows/scout.lock.yml index cbccebf720..1569d350b5 100644 --- a/.github/workflows/scout.lock.yml +++ b/.github/workflows/scout.lock.yml @@ -1131,7 +1131,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read timeout-minutes: 10 @@ -1391,7 +1391,7 @@ jobs: - agent - detection if: always() && needs.detection.outputs.success == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read env: diff --git a/.github/workflows/security-compliance.lock.yml b/.github/workflows/security-compliance.lock.yml index ab14c1a9a7..d387b49b20 100644 --- a/.github/workflows/security-compliance.lock.yml +++ b/.github/workflows/security-compliance.lock.yml @@ -993,7 +993,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read timeout-minutes: 10 @@ -1101,7 +1101,7 @@ jobs: - agent - detection if: always() && needs.detection.outputs.success == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: write outputs: diff --git a/.github/workflows/security-review.lock.yml b/.github/workflows/security-review.lock.yml index fd5358a5b0..22c2e9bfe4 100644 --- a/.github/workflows/security-review.lock.yml +++ b/.github/workflows/security-review.lock.yml @@ -1104,7 +1104,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read timeout-minutes: 10 @@ -1339,7 +1339,7 @@ jobs: - agent - detection if: always() && needs.detection.outputs.success == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read env: diff --git a/.github/workflows/semantic-function-refactor.lock.yml b/.github/workflows/semantic-function-refactor.lock.yml index b1b86538ba..14cc40703e 100644 --- a/.github/workflows/semantic-function-refactor.lock.yml +++ b/.github/workflows/semantic-function-refactor.lock.yml @@ -1059,7 +1059,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/sergo.lock.yml b/.github/workflows/sergo.lock.yml index 825e29f1df..0aeb986683 100644 --- a/.github/workflows/sergo.lock.yml +++ b/.github/workflows/sergo.lock.yml @@ -1029,7 +1029,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: @@ -1218,7 +1218,7 @@ jobs: - agent - detection if: always() && needs.detection.outputs.success == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read env: diff --git a/.github/workflows/slide-deck-maintainer.lock.yml b/.github/workflows/slide-deck-maintainer.lock.yml index e98e5d77fb..868187e5c8 100644 --- a/.github/workflows/slide-deck-maintainer.lock.yml +++ b/.github/workflows/slide-deck-maintainer.lock.yml @@ -1051,7 +1051,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: @@ -1299,7 +1299,7 @@ jobs: - agent - detection if: always() && needs.detection.outputs.success == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read env: diff --git a/.github/workflows/smoke-agent.lock.yml b/.github/workflows/smoke-agent.lock.yml index eb54028530..8c24a169e7 100644 --- a/.github/workflows/smoke-agent.lock.yml +++ b/.github/workflows/smoke-agent.lock.yml @@ -1010,7 +1010,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/smoke-claude.lock.yml b/.github/workflows/smoke-claude.lock.yml index 9c9be178be..ae9b8e74e7 100644 --- a/.github/workflows/smoke-claude.lock.yml +++ b/.github/workflows/smoke-claude.lock.yml @@ -2543,7 +2543,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read timeout-minutes: 10 @@ -2810,7 +2810,7 @@ jobs: - agent - detection if: always() && needs.detection.outputs.success == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read env: diff --git a/.github/workflows/smoke-codex.lock.yml b/.github/workflows/smoke-codex.lock.yml index 0e5f7f0dda..00f62e6f1c 100644 --- a/.github/workflows/smoke-codex.lock.yml +++ b/.github/workflows/smoke-codex.lock.yml @@ -1465,7 +1465,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read timeout-minutes: 10 @@ -1682,7 +1682,7 @@ jobs: - agent - detection if: always() && needs.detection.outputs.success == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read env: diff --git a/.github/workflows/smoke-copilot-arm.lock.yml b/.github/workflows/smoke-copilot-arm.lock.yml index 5b0f068311..dd2ee5cf25 100644 --- a/.github/workflows/smoke-copilot-arm.lock.yml +++ b/.github/workflows/smoke-copilot-arm.lock.yml @@ -54,7 +54,7 @@ jobs: if: > (needs.pre_activation.outputs.activated == 'true') && (((github.event_name != 'pull_request') || (github.event.pull_request.head.repo.id == github.repository_id)) && ((github.event_name != 'pull_request') || ((github.event.action != 'labeled') || (github.event.label.name == 'water')))) - runs-on: ubuntu-slim + runs-on: ubuntu-24.04-arm permissions: contents: read discussions: write @@ -1855,7 +1855,7 @@ jobs: - send_slack_message - update_cache_memory if: (always()) && (needs.agent.result != 'skipped') - runs-on: ubuntu-slim + runs-on: ubuntu-24.04-arm permissions: actions: write contents: read @@ -1977,7 +1977,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-24.04-arm permissions: contents: read timeout-minutes: 10 @@ -2084,7 +2084,7 @@ jobs: if: > ((github.event_name != 'pull_request') || (github.event.pull_request.head.repo.id == github.repository_id)) && ((github.event_name != 'pull_request') || ((github.event.action != 'labeled') || (github.event.label.name == 'water'))) - runs-on: ubuntu-slim + runs-on: ubuntu-24.04-arm permissions: contents: read discussions: write @@ -2135,7 +2135,7 @@ jobs: - agent - detection if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (needs.detection.outputs.success == 'true') - runs-on: ubuntu-slim + runs-on: ubuntu-24.04-arm permissions: actions: write contents: read @@ -2239,7 +2239,7 @@ jobs: - agent - detection if: always() && needs.detection.outputs.success == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-24.04-arm permissions: contents: read env: diff --git a/.github/workflows/smoke-copilot.lock.yml b/.github/workflows/smoke-copilot.lock.yml index 2765c48e22..f31355b847 100644 --- a/.github/workflows/smoke-copilot.lock.yml +++ b/.github/workflows/smoke-copilot.lock.yml @@ -1979,7 +1979,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read timeout-minutes: 10 @@ -2241,7 +2241,7 @@ jobs: - agent - detection if: always() && needs.detection.outputs.success == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read env: diff --git a/.github/workflows/smoke-gemini.lock.yml b/.github/workflows/smoke-gemini.lock.yml index fbc22a4cfe..e30de281ed 100644 --- a/.github/workflows/smoke-gemini.lock.yml +++ b/.github/workflows/smoke-gemini.lock.yml @@ -1201,7 +1201,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read timeout-minutes: 10 @@ -1423,7 +1423,7 @@ jobs: - agent - detection if: always() && needs.detection.outputs.success == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read env: diff --git a/.github/workflows/smoke-multi-pr.lock.yml b/.github/workflows/smoke-multi-pr.lock.yml index 0f679a3cce..5ccccd690f 100644 --- a/.github/workflows/smoke-multi-pr.lock.yml +++ b/.github/workflows/smoke-multi-pr.lock.yml @@ -1065,7 +1065,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/smoke-project.lock.yml b/.github/workflows/smoke-project.lock.yml index eddb4b68e1..1cd0799aad 100644 --- a/.github/workflows/smoke-project.lock.yml +++ b/.github/workflows/smoke-project.lock.yml @@ -1459,7 +1459,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/smoke-temporary-id.lock.yml b/.github/workflows/smoke-temporary-id.lock.yml index 6928cf6584..590aa0535b 100644 --- a/.github/workflows/smoke-temporary-id.lock.yml +++ b/.github/workflows/smoke-temporary-id.lock.yml @@ -1065,7 +1065,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/smoke-test-tools.lock.yml b/.github/workflows/smoke-test-tools.lock.yml index 8e24bca735..ad8d1e821a 100644 --- a/.github/workflows/smoke-test-tools.lock.yml +++ b/.github/workflows/smoke-test-tools.lock.yml @@ -968,7 +968,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/stale-repo-identifier.lock.yml b/.github/workflows/stale-repo-identifier.lock.yml index 5d4c4393b8..4157e7b9d8 100644 --- a/.github/workflows/stale-repo-identifier.lock.yml +++ b/.github/workflows/stale-repo-identifier.lock.yml @@ -1081,7 +1081,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: @@ -1256,7 +1256,7 @@ jobs: - agent - detection if: always() && needs.detection.outputs.success == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read env: diff --git a/.github/workflows/static-analysis-report.lock.yml b/.github/workflows/static-analysis-report.lock.yml index da12f59fe2..227b1fb1d7 100644 --- a/.github/workflows/static-analysis-report.lock.yml +++ b/.github/workflows/static-analysis-report.lock.yml @@ -1061,7 +1061,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: @@ -1249,7 +1249,7 @@ jobs: - agent - detection if: always() && needs.detection.outputs.success == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read env: diff --git a/.github/workflows/step-name-alignment.lock.yml b/.github/workflows/step-name-alignment.lock.yml index 26ae6d43ad..13e73991cf 100644 --- a/.github/workflows/step-name-alignment.lock.yml +++ b/.github/workflows/step-name-alignment.lock.yml @@ -1013,7 +1013,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: @@ -1200,7 +1200,7 @@ jobs: - agent - detection if: always() && needs.detection.outputs.success == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read env: diff --git a/.github/workflows/sub-issue-closer.lock.yml b/.github/workflows/sub-issue-closer.lock.yml index 4a891cba8c..ce5d26c45f 100644 --- a/.github/workflows/sub-issue-closer.lock.yml +++ b/.github/workflows/sub-issue-closer.lock.yml @@ -1007,7 +1007,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/super-linter.lock.yml b/.github/workflows/super-linter.lock.yml index 48e19a468a..ebe73ce25f 100644 --- a/.github/workflows/super-linter.lock.yml +++ b/.github/workflows/super-linter.lock.yml @@ -969,7 +969,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: @@ -1189,7 +1189,7 @@ jobs: - agent - detection if: always() && needs.detection.outputs.success == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read env: diff --git a/.github/workflows/technical-doc-writer.lock.yml b/.github/workflows/technical-doc-writer.lock.yml index 686a2133d0..27261ea7fa 100644 --- a/.github/workflows/technical-doc-writer.lock.yml +++ b/.github/workflows/technical-doc-writer.lock.yml @@ -1097,7 +1097,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: @@ -1302,7 +1302,7 @@ jobs: - agent - detection if: always() && needs.detection.outputs.success == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read env: diff --git a/.github/workflows/terminal-stylist.lock.yml b/.github/workflows/terminal-stylist.lock.yml index 78892b7fd7..30dc2e559f 100644 --- a/.github/workflows/terminal-stylist.lock.yml +++ b/.github/workflows/terminal-stylist.lock.yml @@ -919,7 +919,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/test-create-pr-error-handling.lock.yml b/.github/workflows/test-create-pr-error-handling.lock.yml index f410f9c07c..f3c5ba1bfb 100644 --- a/.github/workflows/test-create-pr-error-handling.lock.yml +++ b/.github/workflows/test-create-pr-error-handling.lock.yml @@ -1014,7 +1014,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: @@ -1230,7 +1230,7 @@ jobs: - agent - detection if: always() && needs.detection.outputs.success == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read env: diff --git a/.github/workflows/test-dispatcher.lock.yml b/.github/workflows/test-dispatcher.lock.yml index cdd97a6f10..b6c6d8cc46 100644 --- a/.github/workflows/test-dispatcher.lock.yml +++ b/.github/workflows/test-dispatcher.lock.yml @@ -861,7 +861,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/test-project-url-default.lock.yml b/.github/workflows/test-project-url-default.lock.yml index c9a4fbdccc..5ac4184c67 100644 --- a/.github/workflows/test-project-url-default.lock.yml +++ b/.github/workflows/test-project-url-default.lock.yml @@ -1104,7 +1104,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/tidy.lock.yml b/.github/workflows/tidy.lock.yml index 4994c0c2d3..de5fe29850 100644 --- a/.github/workflows/tidy.lock.yml +++ b/.github/workflows/tidy.lock.yml @@ -1075,7 +1075,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/typist.lock.yml b/.github/workflows/typist.lock.yml index 130117c67f..22870f625d 100644 --- a/.github/workflows/typist.lock.yml +++ b/.github/workflows/typist.lock.yml @@ -997,7 +997,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/ubuntu-image-analyzer.lock.yml b/.github/workflows/ubuntu-image-analyzer.lock.yml index a13045ce17..62fb2ee935 100644 --- a/.github/workflows/ubuntu-image-analyzer.lock.yml +++ b/.github/workflows/ubuntu-image-analyzer.lock.yml @@ -981,7 +981,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/unbloat-docs.lock.yml b/.github/workflows/unbloat-docs.lock.yml index ad1f76e605..e6cbccadb9 100644 --- a/.github/workflows/unbloat-docs.lock.yml +++ b/.github/workflows/unbloat-docs.lock.yml @@ -1238,7 +1238,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read timeout-minutes: 10 @@ -1515,7 +1515,7 @@ jobs: - agent - detection if: always() && needs.detection.outputs.success == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read env: diff --git a/.github/workflows/video-analyzer.lock.yml b/.github/workflows/video-analyzer.lock.yml index 20ac245581..de12d9c712 100644 --- a/.github/workflows/video-analyzer.lock.yml +++ b/.github/workflows/video-analyzer.lock.yml @@ -963,7 +963,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/weekly-editors-health-check.lock.yml b/.github/workflows/weekly-editors-health-check.lock.yml index 2bd4f2e9fd..73a5f89062 100644 --- a/.github/workflows/weekly-editors-health-check.lock.yml +++ b/.github/workflows/weekly-editors-health-check.lock.yml @@ -1027,7 +1027,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/weekly-issue-summary.lock.yml b/.github/workflows/weekly-issue-summary.lock.yml index 1646222d20..94d4382264 100644 --- a/.github/workflows/weekly-issue-summary.lock.yml +++ b/.github/workflows/weekly-issue-summary.lock.yml @@ -989,7 +989,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: @@ -1165,7 +1165,7 @@ jobs: - agent - detection if: always() && needs.detection.outputs.success == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read env: diff --git a/.github/workflows/weekly-safe-outputs-spec-review.lock.yml b/.github/workflows/weekly-safe-outputs-spec-review.lock.yml index 9c8da0a6f0..60d6158863 100644 --- a/.github/workflows/weekly-safe-outputs-spec-review.lock.yml +++ b/.github/workflows/weekly-safe-outputs-spec-review.lock.yml @@ -947,7 +947,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/workflow-generator.lock.yml b/.github/workflows/workflow-generator.lock.yml index cc4adb3b41..f949ff2c24 100644 --- a/.github/workflows/workflow-generator.lock.yml +++ b/.github/workflows/workflow-generator.lock.yml @@ -1055,7 +1055,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/workflow-health-manager.lock.yml b/.github/workflows/workflow-health-manager.lock.yml index a5740ac7e7..67466f9422 100644 --- a/.github/workflows/workflow-health-manager.lock.yml +++ b/.github/workflows/workflow-health-manager.lock.yml @@ -1132,7 +1132,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: @@ -1273,7 +1273,7 @@ jobs: - agent - detection if: always() && needs.detection.outputs.success == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: write outputs: diff --git a/.github/workflows/workflow-normalizer.lock.yml b/.github/workflows/workflow-normalizer.lock.yml index 1fc06fd0cb..5035bba7cd 100644 --- a/.github/workflows/workflow-normalizer.lock.yml +++ b/.github/workflows/workflow-normalizer.lock.yml @@ -1003,7 +1003,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/workflow-skill-extractor.lock.yml b/.github/workflows/workflow-skill-extractor.lock.yml index 8dc26aa52e..706342fc09 100644 --- a/.github/workflows/workflow-skill-extractor.lock.yml +++ b/.github/workflows/workflow-skill-extractor.lock.yml @@ -1006,7 +1006,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/docs/src/content/docs/guides/self-hosted-runners.md b/docs/src/content/docs/guides/self-hosted-runners.md new file mode 100644 index 0000000000..c52567ef8e --- /dev/null +++ b/docs/src/content/docs/guides/self-hosted-runners.md @@ -0,0 +1,130 @@ +--- +title: Self-Hosted Runners Guide +description: Learn how to route all generated workflow jobs to self-hosted runners to avoid GitHub-hosted minutes consumption. +sidebar: + order: 460 +--- + +GitHub Agentic Workflows generates several jobs in addition to the main AI agent job (activation, pre-activation, safe-outputs, detection, cache-memory, repo-memory). By default these support jobs run on GitHub-hosted runners (`ubuntu-slim` or `ubuntu-latest`). This guide explains how to run all generated jobs on self-hosted runners with a single frontmatter entry. + +## Quick Start + +Set `runs-on` in the workflow frontmatter to route **every generated job** to your self-hosted runners: + +```aw wrap +--- +on: + issues: + types: [opened] +runs-on: self-hosted +--- + +# My Workflow + +Analyze the issue and respond. +``` + +The `runs-on` value is inherited by all generated jobs: + +| Job | Runner | +|-----|--------| +| `pre_activation` | `self-hosted` | +| `activation` | `self-hosted` | +| `agent` | `self-hosted` | +| `safe_outputs` | `self-hosted` | +| `detection` *(if threat detection enabled)* | `self-hosted` | +| `update_cache_memory` *(if cache-memory enabled)* | `self-hosted` | +| `push_repo_memory` *(if repo-memory enabled)* | `self-hosted` | +| `unlock` *(if locking enabled)* | `self-hosted` | + +## Multi-Label Runners + +Use an array of labels to target runners that match all labels: + +```aw wrap +--- +on: + issues: + types: [opened] +runs-on: + - self-hosted + - linux + - x64 +--- + +# My Workflow + +Analyze the issue and respond. +``` + +## Separate Runners for Agent and Support Jobs + +For cost optimization, you can run the compute-intensive agent job on powerful self-hosted hardware while keeping lightweight support jobs on GitHub-hosted runners: + +```aw wrap +--- +on: + issues: + types: [opened] +runs-on: [self-hosted, heavy] # Agent job uses powerful self-hosted runner +safe-outputs: + runs-on: ubuntu-slim # Support jobs use lightweight GitHub-hosted runner + create-issue: + title-prefix: "[ai] " +--- + +# My Workflow + +Analyze the issue and respond. +``` + +### Precedence Order + +1. **`safe-outputs.runs-on`** – explicit override for all support jobs +2. **`runs-on`** (top-level) – inherited by all jobs when `safe-outputs.runs-on` is not set +3. **`ubuntu-slim`** – built-in default for support jobs when neither is set + +## Runner Group Configuration + +Use an object to target a specific runner group: + +```aw wrap +--- +on: + issues: + types: [opened] +runs-on: + group: my-runner-group + labels: + - ubuntu-latest +--- + +# My Workflow + +Analyze the issue and respond. +``` + +## Requirements + +Self-hosted runners used by GitHub Agentic Workflows must meet these requirements: + +- **Linux only** – macOS runners are not supported because the Agent Workflow Firewall requires Docker containers, which macOS runners do not support. See [FAQ](/gh-aw/reference/faq/#why-are-macos-runners-not-supported). +- **Docker** – the runner must have Docker installed and the user running the workflow must be able to run Docker commands without `sudo`. +- **GitHub Actions runner software** – the standard Actions runner software must be installed and registered. + +## FAQ + +### Why don't macOS runners work? + +macOS GitHub-hosted runners do not support Docker container jobs, which are required for the Agent Workflow Firewall sandbox. Use a Linux self-hosted runner instead. + +### Can I set different runners for specific jobs? + +Not for individual generated jobs, but you can split agent vs. support jobs using `runs-on` and `safe-outputs.runs-on` as shown in the [Separate Runners](#separate-runners-for-agent-and-support-jobs) section above. + +Custom jobs defined in `safe-outputs.jobs` can each specify their own `runs-on`. + +### What happens if I don't set runs-on? + +- The agent job defaults to `ubuntu-latest`. +- Support jobs default to `ubuntu-slim` (a lightweight 1-vCPU GitHub-hosted runner). diff --git a/docs/src/content/docs/reference/frontmatter.md b/docs/src/content/docs/reference/frontmatter.md index 6760d1e982..7f01712612 100644 --- a/docs/src/content/docs/reference/frontmatter.md +++ b/docs/src/content/docs/reference/frontmatter.md @@ -465,10 +465,22 @@ Standard GitHub Actions properties: ```yaml wrap run-name: "Custom workflow run name" # Defaults to workflow name -runs-on: ubuntu-latest # Defaults to ubuntu-latest (main job only) +runs-on: ubuntu-latest # Applies to ALL jobs (agent + all support jobs) timeout-minutes: 30 # Defaults to 20 minutes ``` +When `runs-on` is set, it applies to **every generated job** – the agent job and all support jobs +(activation, pre-activation, safe-outputs, detection, cache-memory, repo-memory). +This is the single entry point for routing all jobs to self-hosted runners. + +To use different runners for the agent job and support jobs, combine `runs-on` with `safe-outputs.runs-on`: + +```yaml wrap +runs-on: [self-hosted, heavy] # Agent job uses powerful self-hosted runner +safe-outputs: + runs-on: ubuntu-slim # Support jobs use the lightweight hosted runner +``` + **Supported runners for `runs-on:`** | Runner | Status | @@ -476,6 +488,7 @@ timeout-minutes: 30 # Defaults to 20 minutes | `ubuntu-latest` | ✅ Default. Recommended for most workflows. | | `ubuntu-24.04` / `ubuntu-22.04` | ✅ Supported. | | `ubuntu-24.04-arm` | ✅ Supported. Linux ARM64 runner. | +| `self-hosted` / `[self-hosted, linux]` | ✅ Supported. Applies to all jobs. See [self-hosted runners guide](/gh-aw/guides/self-hosted-runners/). | | `macos-*` | ❌ Not supported. Docker is unavailable on macOS runners (no nested virtualization). See [FAQ](/gh-aw/reference/faq/). | | `windows-*` | ❌ Not supported. AWF requires Linux. | diff --git a/docs/src/content/docs/reference/safe-outputs.md b/docs/src/content/docs/reference/safe-outputs.md index 89d9527347..8055245494 100644 --- a/docs/src/content/docs/reference/safe-outputs.md +++ b/docs/src/content/docs/reference/safe-outputs.md @@ -1289,7 +1289,14 @@ safe-outputs: ### Custom Runner Image -Specify custom runner for safe output jobs (default: `ubuntu-slim`): `runs-on: ubuntu-22.04` +Specify a custom runner for all support jobs (default: inherits from top-level `runs-on`, otherwise `ubuntu-slim`): + +```yaml +safe-outputs: + runs-on: ubuntu-22.04 +``` + +This overrides the top-level `runs-on` for support jobs only. To route **all** jobs (agent + support) to self-hosted runners, set `runs-on` at the top level instead. See the [Self-Hosted Runners Guide](/gh-aw/guides/self-hosted-runners/) for details. ### Custom Messages (`messages:`) diff --git a/pkg/parser/schemas/main_workflow_schema.json b/pkg/parser/schemas/main_workflow_schema.json index d46a72dbb7..29ede975e4 100644 --- a/pkg/parser/schemas/main_workflow_schema.json +++ b/pkg/parser/schemas/main_workflow_schema.json @@ -1840,7 +1840,7 @@ } }, "runs-on": { - "description": "Runner type for workflow execution (GitHub Actions standard field). Supports multiple forms: simple string for single runner label (e.g., 'ubuntu-latest'), array for runner selection with fallbacks, or object for GitHub-hosted runner groups with specific labels. For agentic workflows, runner selection matters when AI workloads require specific compute resources or when using self-hosted runners with specialized capabilities. Typically configured at the job level instead. See https://docs.github.com/en/actions/using-jobs/choosing-the-runner-for-a-job", + "description": "Runner type for all workflow jobs. When set, this value is used for the agent job AND all support jobs (activation, pre-activation, safe-outputs, detection, cache-memory, repo-memory). This is the single entry point for routing every generated job to self-hosted runners. Use safe-outputs.runs-on to override support jobs independently. Supports multiple forms: simple string (e.g., 'self-hosted'), array for runner selection with fallbacks, or object for GitHub-hosted runner groups. See https://docs.github.com/en/actions/using-jobs/choosing-the-runner-for-a-job", "oneOf": [ { "type": "string", @@ -6922,7 +6922,7 @@ }, "runs-on": { "type": "string", - "description": "Runner specification for all safe-outputs jobs (activation, create-issue, add-comment, etc.). Single runner label (e.g., 'ubuntu-slim', 'ubuntu-latest', 'windows-latest', 'self-hosted'). Defaults to 'ubuntu-slim'. See https://github.blog/changelog/2025-10-28-1-vcpu-linux-runner-now-available-in-github-actions-in-public-preview/" + "description": "Runner override for support jobs (activation, pre-activation, safe-outputs, detection, cache-memory, repo-memory). Takes precedence over the top-level runs-on for these jobs. Single runner label (e.g., 'ubuntu-slim', 'ubuntu-latest', 'windows-latest', 'self-hosted'). When not set, inherits from the top-level runs-on; when top-level is also not set, defaults to 'ubuntu-slim'. See https://github.blog/changelog/2025-10-28-1-vcpu-linux-runner-now-available-in-github-actions-in-public-preview/" } }, "additionalProperties": false diff --git a/pkg/workflow/cache.go b/pkg/workflow/cache.go index 6d5b9c13df..879c512f80 100644 --- a/pkg/workflow/cache.go +++ b/pkg/workflow/cache.go @@ -839,7 +839,7 @@ func (c *Compiler) buildUpdateCacheMemoryJob(data *WorkflowData, threatDetection job := &Job{ Name: "update_cache_memory", DisplayName: "", // No display name - job ID is sufficient - RunsOn: "runs-on: ubuntu-latest", + RunsOn: c.formatSafeOutputsRunsOn(data), If: jobCondition, Permissions: permissions, Needs: []string{"agent", "detection"}, diff --git a/pkg/workflow/compiler_activation_jobs.go b/pkg/workflow/compiler_activation_jobs.go index e2b3f7502a..64e8c5dbf3 100644 --- a/pkg/workflow/compiler_activation_jobs.go +++ b/pkg/workflow/compiler_activation_jobs.go @@ -348,7 +348,7 @@ func (c *Compiler) buildPreActivationJob(data *WorkflowData, needsPermissionChec job := &Job{ Name: string(constants.PreActivationJobName), If: jobIfCondition, - RunsOn: c.formatSafeOutputsRunsOn(data.SafeOutputs), + RunsOn: c.formatSafeOutputsRunsOn(data), Permissions: permissions, Steps: steps, Outputs: outputs, @@ -728,7 +728,7 @@ func (c *Compiler) buildActivationJob(data *WorkflowData, preActivationJobCreate Name: string(constants.ActivationJobName), If: activationCondition, HasWorkflowRunSafetyChecks: workflowRunRepoSafety != "", // Mark job as having workflow_run safety checks - RunsOn: c.formatSafeOutputsRunsOn(data.SafeOutputs), + RunsOn: c.formatSafeOutputsRunsOn(data), Permissions: permissions, Environment: environment, Steps: steps, diff --git a/pkg/workflow/compiler_orchestrator_workflow.go b/pkg/workflow/compiler_orchestrator_workflow.go index aa1f1720d0..c2e7476b6d 100644 --- a/pkg/workflow/compiler_orchestrator_workflow.go +++ b/pkg/workflow/compiler_orchestrator_workflow.go @@ -209,6 +209,7 @@ func (c *Compiler) extractYAMLSections(frontmatter map[string]any, workflowData workflowData.TimeoutMinutes = c.extractTopLevelYAMLSection(frontmatter, "timeout-minutes") workflowData.RunsOn = c.extractTopLevelYAMLSection(frontmatter, "runs-on") + workflowData.RunsOnExplicit = workflowData.RunsOn != "" workflowData.Environment = c.extractTopLevelYAMLSection(frontmatter, "environment") workflowData.Container = c.extractTopLevelYAMLSection(frontmatter, "container") workflowData.Cache = c.extractTopLevelYAMLSection(frontmatter, "cache") diff --git a/pkg/workflow/compiler_safe_outputs_job.go b/pkg/workflow/compiler_safe_outputs_job.go index 6d35201fc5..b8f1168f1b 100644 --- a/pkg/workflow/compiler_safe_outputs_job.go +++ b/pkg/workflow/compiler_safe_outputs_job.go @@ -333,7 +333,7 @@ func (c *Compiler) buildConsolidatedSafeOutputsJob(data *WorkflowData, mainJobNa job := &Job{ Name: "safe_outputs", If: jobCondition.Render(), - RunsOn: c.formatSafeOutputsRunsOn(data.SafeOutputs), + RunsOn: c.formatSafeOutputsRunsOn(data), Permissions: permissions.RenderToYAML(), TimeoutMinutes: 15, // Slightly longer timeout for consolidated job with multiple steps Env: jobEnv, diff --git a/pkg/workflow/compiler_types.go b/pkg/workflow/compiler_types.go index cdd43bf97e..3fdd789dea 100644 --- a/pkg/workflow/compiler_types.go +++ b/pkg/workflow/compiler_types.go @@ -412,6 +412,7 @@ type WorkflowData struct { CustomSteps string PostSteps string // steps to run after AI execution RunsOn string + RunsOnExplicit bool // true when runs-on was explicitly set in frontmatter (not just defaulted) Environment string // environment setting for the main job Container string // container setting for the main job Services string // services setting for the main job diff --git a/pkg/workflow/notify_comment.go b/pkg/workflow/notify_comment.go index 9d5dda4326..15d3214f65 100644 --- a/pkg/workflow/notify_comment.go +++ b/pkg/workflow/notify_comment.go @@ -385,7 +385,7 @@ func (c *Compiler) buildConclusionJob(data *WorkflowData, mainJobName string, sa job := &Job{ Name: "conclusion", If: condition.Render(), - RunsOn: c.formatSafeOutputsRunsOn(data.SafeOutputs), + RunsOn: c.formatSafeOutputsRunsOn(data), Permissions: permissions.RenderToYAML(), Steps: steps, Needs: needs, diff --git a/pkg/workflow/repo_memory.go b/pkg/workflow/repo_memory.go index ee0d84d536..9b962371d9 100644 --- a/pkg/workflow/repo_memory.go +++ b/pkg/workflow/repo_memory.go @@ -730,7 +730,7 @@ func (c *Compiler) buildPushRepoMemoryJob(data *WorkflowData, threatDetectionEna job := &Job{ Name: "push_repo_memory", DisplayName: "", // No display name - job ID is sufficient - RunsOn: "runs-on: ubuntu-latest", + RunsOn: c.formatSafeOutputsRunsOn(data), If: jobCondition, Permissions: "permissions:\n contents: write", Needs: []string{"agent"}, // Detection dependency added by caller if needed diff --git a/pkg/workflow/safe_jobs.go b/pkg/workflow/safe_jobs.go index efcd5bc16c..e1e24e9d1d 100644 --- a/pkg/workflow/safe_jobs.go +++ b/pkg/workflow/safe_jobs.go @@ -199,7 +199,7 @@ func (c *Compiler) buildSafeJobs(data *WorkflowData, threatDetectionEnabled bool } } } else { - job.RunsOn = "runs-on: ubuntu-latest" // Default + job.RunsOn = c.formatSafeOutputsRunsOn(data) // Default inherits from safe-outputs.runs-on or top-level runs-on } // Set if condition - combine safe output type check with user-provided condition diff --git a/pkg/workflow/safe_outputs_config_helpers.go b/pkg/workflow/safe_outputs_config_helpers.go index 47305d412c..9a6a1f04ad 100644 --- a/pkg/workflow/safe_outputs_config_helpers.go +++ b/pkg/workflow/safe_outputs_config_helpers.go @@ -112,13 +112,30 @@ func getEnabledSafeOutputToolNamesReflection(safeOutputs *SafeOutputsConfig) []s return tools } -// formatSafeOutputsRunsOn formats the runs-on value from SafeOutputsConfig for job output -func (c *Compiler) formatSafeOutputsRunsOn(safeOutputs *SafeOutputsConfig) string { - if safeOutputs == nil || safeOutputs.RunsOn == "" { - return "runs-on: " + constants.DefaultActivationJobRunnerImage - } - - return "runs-on: " + safeOutputs.RunsOn +// formatSafeOutputsRunsOn formats the runs-on value for support jobs (activation, +// pre-activation, safe-outputs, detection, cache-memory, repo-memory, etc.). +// +// Resolution order: +// 1. safe-outputs.runs-on (explicit per-workflow override for support jobs) +// 2. top-level runs-on (inherited when safe-outputs.runs-on is not set) +// 3. DefaultActivationJobRunnerImage ("ubuntu-slim") as the final default +// +// This allows a single top-level runs-on entry to configure all jobs at once, +// while still providing a fine-grained override via safe-outputs.runs-on when +// the agent job and support jobs need different runners. +func (c *Compiler) formatSafeOutputsRunsOn(data *WorkflowData) string { + // 1. Explicit safe-outputs.runs-on takes priority + if data.SafeOutputs != nil && data.SafeOutputs.RunsOn != "" { + return "runs-on: " + data.SafeOutputs.RunsOn + } + + // 2. Inherit from top-level runs-on when explicitly set by the user + if data.RunsOnExplicit && data.RunsOn != "" { + return c.indentYAMLLines(data.RunsOn, " ") + } + + // 3. Fall back to the lightweight default runner for support jobs + return "runs-on: " + constants.DefaultActivationJobRunnerImage } // builtinSafeOutputFields contains the struct field names for the built-in safe output types diff --git a/pkg/workflow/safe_outputs_jobs.go b/pkg/workflow/safe_outputs_jobs.go index 91fe7a2ba1..5a4c4ee534 100644 --- a/pkg/workflow/safe_outputs_jobs.go +++ b/pkg/workflow/safe_outputs_jobs.go @@ -133,7 +133,7 @@ func (c *Compiler) buildSafeOutputJob(data *WorkflowData, config SafeOutputJobCo job := &Job{ Name: config.JobName, If: jobCondition.Render(), - RunsOn: c.formatSafeOutputsRunsOn(data.SafeOutputs), + RunsOn: c.formatSafeOutputsRunsOn(data), Permissions: config.Permissions.RenderToYAML(), TimeoutMinutes: 10, // 10-minute timeout as required for all safe output jobs Steps: steps, diff --git a/pkg/workflow/safe_outputs_runs_on_test.go b/pkg/workflow/safe_outputs_runs_on_test.go index d9bcdee427..6b93fcb4d9 100644 --- a/pkg/workflow/safe_outputs_runs_on_test.go +++ b/pkg/workflow/safe_outputs_runs_on_test.go @@ -153,31 +153,115 @@ This is a test workflow.` } } +// TestTopLevelRunsOnInheritedByAllJobs verifies that setting a top-level runs-on +// causes all support jobs (activation, pre_activation, safe_outputs, detection, +// cache-memory, repo-memory) to use the same runner as the agent job. +func TestTopLevelRunsOnInheritedByAllJobs(t *testing.T) { + frontmatter := `--- +on: push +runs-on: self-hosted +safe-outputs: + create-issue: + title-prefix: "[ai] " +--- + +# Test Workflow + +This is a test workflow.` + + tmpDir := testutil.TempDir(t, "workflow-top-runs-on-test") + testFile := filepath.Join(tmpDir, "test.md") + if err := os.WriteFile(testFile, []byte(frontmatter), 0644); err != nil { + t.Fatal(err) + } + + compiler := NewCompiler() + if err := compiler.CompileWorkflow(testFile); err != nil { + t.Fatalf("Failed to compile workflow: %v", err) + } + + lockFile := filepath.Join(tmpDir, "test.lock.yml") + yamlContent, err := os.ReadFile(lockFile) + if err != nil { + t.Fatalf("Failed to read lock file: %v", err) + } + + yamlStr := string(yamlContent) + expectedRunsOn := "runs-on: self-hosted" + defaultRunsOn := "runs-on: " + constants.DefaultActivationJobRunnerImage + + // All jobs (agent + all support) should use self-hosted + if strings.Contains(yamlStr, defaultRunsOn) { + t.Errorf("Expected no jobs to use default %q when top-level runs-on is set to self-hosted.\nYAML:\n%s", defaultRunsOn, yamlStr) + } + + // At minimum, verify activation and safe_outputs jobs use self-hosted + for _, jobName := range []string{"pre_activation:", "activation:", "safe_outputs:"} { + jobPattern := "\n " + jobName + jobStart := strings.Index(yamlStr, jobPattern) + if jobStart == -1 { + continue // job may not be present (optional) + } + end := min(jobStart+600, len(yamlStr)) + jobSection := yamlStr[jobStart:end] + if !strings.Contains(jobSection, expectedRunsOn) { + t.Errorf("Job %q does not use expected %q when top-level runs-on is self-hosted.\nJob section:\n%s", jobName, expectedRunsOn, jobSection) + } + } +} + func TestFormatSafeOutputsRunsOnEdgeCases(t *testing.T) { compiler := NewCompiler() tests := []struct { name string - safeOutputs *SafeOutputsConfig + data *WorkflowData expectedRunsOn string }{ { name: "nil safe outputs config", - safeOutputs: nil, + data: &WorkflowData{SafeOutputs: nil}, expectedRunsOn: "runs-on: " + constants.DefaultActivationJobRunnerImage, }, { - name: "safe outputs config with nil runs-on", - safeOutputs: &SafeOutputsConfig{ - RunsOn: "", + name: "safe outputs config with empty runs-on", + data: &WorkflowData{ + SafeOutputs: &SafeOutputsConfig{RunsOn: ""}, }, expectedRunsOn: "runs-on: " + constants.DefaultActivationJobRunnerImage, }, + { + name: "inherits from top-level runs-on when safe-outputs.runs-on is unset", + data: &WorkflowData{ + RunsOn: "runs-on: self-hosted", + RunsOnExplicit: true, + SafeOutputs: nil, + }, + expectedRunsOn: "runs-on: self-hosted", + }, + { + name: "does not inherit top-level runs-on when it is just the default", + data: &WorkflowData{ + RunsOn: "runs-on: ubuntu-latest", + RunsOnExplicit: false, // not explicitly set by user + SafeOutputs: nil, + }, + expectedRunsOn: "runs-on: " + constants.DefaultActivationJobRunnerImage, + }, + { + name: "safe-outputs.runs-on overrides top-level runs-on", + data: &WorkflowData{ + RunsOn: "runs-on: ubuntu-latest", + RunsOnExplicit: true, + SafeOutputs: &SafeOutputsConfig{RunsOn: "ubuntu-slim"}, + }, + expectedRunsOn: "runs-on: ubuntu-slim", + }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - runsOn := compiler.formatSafeOutputsRunsOn(tt.safeOutputs) + runsOn := compiler.formatSafeOutputsRunsOn(tt.data) if runsOn != tt.expectedRunsOn { t.Errorf("Expected runs-on to be %q, got %q", tt.expectedRunsOn, runsOn) } diff --git a/pkg/workflow/safe_outputs_test.go b/pkg/workflow/safe_outputs_test.go index d51eb4b0c0..5c92aa5888 100644 --- a/pkg/workflow/safe_outputs_test.go +++ b/pkg/workflow/safe_outputs_test.go @@ -705,39 +705,44 @@ func TestFormatSafeOutputsRunsOn(t *testing.T) { tests := []struct { name string - safeOutputs *SafeOutputsConfig + data *WorkflowData expectedRunsOn string }{ { name: "nil safe outputs returns default", - safeOutputs: nil, + data: &WorkflowData{SafeOutputs: nil}, expectedRunsOn: "runs-on: " + constants.DefaultActivationJobRunnerImage, }, { name: "empty runs-on returns default", - safeOutputs: &SafeOutputsConfig{RunsOn: ""}, + data: &WorkflowData{SafeOutputs: &SafeOutputsConfig{RunsOn: ""}}, expectedRunsOn: "runs-on: " + constants.DefaultActivationJobRunnerImage, }, { - name: "custom runs-on", - safeOutputs: &SafeOutputsConfig{RunsOn: "ubuntu-latest"}, + name: "custom safe-outputs.runs-on", + data: &WorkflowData{SafeOutputs: &SafeOutputsConfig{RunsOn: "ubuntu-latest"}}, expectedRunsOn: "runs-on: ubuntu-latest", }, { - name: "self-hosted runs-on", - safeOutputs: &SafeOutputsConfig{RunsOn: "self-hosted"}, + name: "self-hosted safe-outputs.runs-on", + data: &WorkflowData{SafeOutputs: &SafeOutputsConfig{RunsOn: "self-hosted"}}, expectedRunsOn: "runs-on: self-hosted", }, { - name: "windows-latest runs-on", - safeOutputs: &SafeOutputsConfig{RunsOn: "windows-latest"}, + name: "windows-latest safe-outputs.runs-on", + data: &WorkflowData{SafeOutputs: &SafeOutputsConfig{RunsOn: "windows-latest"}}, expectedRunsOn: "runs-on: windows-latest", }, + { + name: "inherits top-level runs-on when safe-outputs.runs-on unset", + data: &WorkflowData{RunsOn: "runs-on: self-hosted", RunsOnExplicit: true, SafeOutputs: nil}, + expectedRunsOn: "runs-on: self-hosted", + }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - result := compiler.formatSafeOutputsRunsOn(tt.safeOutputs) + result := compiler.formatSafeOutputsRunsOn(tt.data) if result != tt.expectedRunsOn { t.Errorf("formatSafeOutputsRunsOn() = %q, want %q", result, tt.expectedRunsOn) } diff --git a/pkg/workflow/threat_detection.go b/pkg/workflow/threat_detection.go index 7475725e1e..fe26d7c9cd 100644 --- a/pkg/workflow/threat_detection.go +++ b/pkg/workflow/threat_detection.go @@ -141,7 +141,7 @@ func (c *Compiler) buildThreatDetectionJob(data *WorkflowData, mainJobName strin job := &Job{ Name: string(constants.DetectionJobName), If: condition.Render(), - RunsOn: "runs-on: ubuntu-latest", + RunsOn: c.formatSafeOutputsRunsOn(data), Permissions: permissions, Concurrency: c.indentYAMLLines(agentConcurrency, " "), TimeoutMinutes: 10, diff --git a/pkg/workflow/threat_detection_test.go b/pkg/workflow/threat_detection_test.go index 459b7719c8..6c867729a1 100644 --- a/pkg/workflow/threat_detection_test.go +++ b/pkg/workflow/threat_detection_test.go @@ -222,8 +222,8 @@ func TestBuildThreatDetectionJob(t *testing.T) { if job.Name != string(constants.DetectionJobName) { t.Errorf("Expected job name 'detection', got %q", job.Name) } - if job.RunsOn != "runs-on: ubuntu-latest" { - t.Errorf("Expected ubuntu-latest runner, got %q", job.RunsOn) + if job.RunsOn != "runs-on: "+constants.DefaultActivationJobRunnerImage { + t.Errorf("Expected %s runner, got %q", constants.DefaultActivationJobRunnerImage, job.RunsOn) } // In dev mode (default), detection job should have contents: read permission for checkout // In release mode, it should have empty permissions From 9af7b9d490d68fba8cd555ca0b1679265be39f62 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 23 Feb 2026 19:48:46 +0000 Subject: [PATCH 3/3] revert: restore detection job to hardcoded ubuntu-latest runner Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .github/workflows/agent-performance-analyzer.lock.yml | 2 +- .github/workflows/agent-persona-explorer.lock.yml | 2 +- .github/workflows/archie.lock.yml | 2 +- .github/workflows/artifacts-summary.lock.yml | 2 +- .github/workflows/audit-workflows.lock.yml | 2 +- .github/workflows/auto-triage-issues.lock.yml | 2 +- .github/workflows/blog-auditor.lock.yml | 2 +- .github/workflows/brave.lock.yml | 2 +- .github/workflows/breaking-change-checker.lock.yml | 2 +- .github/workflows/changeset.lock.yml | 2 +- .github/workflows/ci-coach.lock.yml | 2 +- .github/workflows/ci-doctor.lock.yml | 2 +- .github/workflows/claude-code-user-docs-review.lock.yml | 2 +- .github/workflows/cli-consistency-checker.lock.yml | 2 +- .github/workflows/cli-version-checker.lock.yml | 2 +- .github/workflows/cloclo.lock.yml | 2 +- .github/workflows/code-scanning-fixer.lock.yml | 2 +- .github/workflows/code-simplifier.lock.yml | 2 +- .github/workflows/commit-changes-analyzer.lock.yml | 2 +- .github/workflows/contribution-check.lock.yml | 2 +- .github/workflows/copilot-agent-analysis.lock.yml | 2 +- .github/workflows/copilot-cli-deep-research.lock.yml | 2 +- .github/workflows/copilot-pr-merged-report.lock.yml | 2 +- .github/workflows/copilot-pr-nlp-analysis.lock.yml | 2 +- .github/workflows/copilot-pr-prompt-analysis.lock.yml | 2 +- .github/workflows/copilot-session-insights.lock.yml | 2 +- .github/workflows/craft.lock.yml | 2 +- .github/workflows/daily-assign-issue-to-user.lock.yml | 2 +- .github/workflows/daily-choice-test.lock.yml | 2 +- .github/workflows/daily-cli-performance.lock.yml | 2 +- .github/workflows/daily-cli-tools-tester.lock.yml | 2 +- .github/workflows/daily-code-metrics.lock.yml | 2 +- .github/workflows/daily-compiler-quality.lock.yml | 2 +- .github/workflows/daily-copilot-token-report.lock.yml | 2 +- .github/workflows/daily-doc-updater.lock.yml | 2 +- .github/workflows/daily-fact.lock.yml | 2 +- .github/workflows/daily-file-diet.lock.yml | 2 +- .github/workflows/daily-firewall-report.lock.yml | 2 +- .github/workflows/daily-issues-report.lock.yml | 2 +- .github/workflows/daily-mcp-concurrency-analysis.lock.yml | 2 +- .github/workflows/daily-multi-device-docs-tester.lock.yml | 2 +- .github/workflows/daily-news.lock.yml | 2 +- .github/workflows/daily-observability-report.lock.yml | 2 +- .github/workflows/daily-performance-summary.lock.yml | 2 +- .github/workflows/daily-regulatory.lock.yml | 2 +- .github/workflows/daily-rendering-scripts-verifier.lock.yml | 2 +- .github/workflows/daily-repo-chronicle.lock.yml | 2 +- .github/workflows/daily-safe-output-optimizer.lock.yml | 2 +- .github/workflows/daily-safe-outputs-conformance.lock.yml | 2 +- .github/workflows/daily-secrets-analysis.lock.yml | 2 +- .github/workflows/daily-security-red-team.lock.yml | 2 +- .github/workflows/daily-semgrep-scan.lock.yml | 2 +- .github/workflows/daily-syntax-error-quality.lock.yml | 2 +- .github/workflows/daily-team-evolution-insights.lock.yml | 2 +- .github/workflows/daily-team-status.lock.yml | 2 +- .github/workflows/daily-testify-uber-super-expert.lock.yml | 2 +- .github/workflows/daily-workflow-updater.lock.yml | 2 +- .github/workflows/deep-report.lock.yml | 2 +- .github/workflows/delight.lock.yml | 2 +- .github/workflows/dependabot-burner.lock.yml | 2 +- .github/workflows/dependabot-go-checker.lock.yml | 2 +- .github/workflows/dev-hawk.lock.yml | 2 +- .github/workflows/dev.lock.yml | 2 +- .github/workflows/developer-docs-consolidator.lock.yml | 2 +- .github/workflows/dictation-prompt.lock.yml | 2 +- .github/workflows/discussion-task-miner.lock.yml | 2 +- .github/workflows/docs-noob-tester.lock.yml | 2 +- .github/workflows/draft-pr-cleanup.lock.yml | 2 +- .github/workflows/duplicate-code-detector.lock.yml | 2 +- .github/workflows/example-workflow-analyzer.lock.yml | 2 +- .github/workflows/firewall-escape.lock.yml | 2 +- .github/workflows/functional-pragmatist.lock.yml | 2 +- .github/workflows/github-mcp-structural-analysis.lock.yml | 2 +- .github/workflows/github-mcp-tools-report.lock.yml | 2 +- .github/workflows/github-remote-mcp-auth-test.lock.yml | 2 +- .github/workflows/glossary-maintainer.lock.yml | 2 +- .github/workflows/go-fan.lock.yml | 2 +- .github/workflows/go-logger.lock.yml | 2 +- .github/workflows/go-pattern-detector.lock.yml | 2 +- .github/workflows/gpclean.lock.yml | 2 +- .github/workflows/grumpy-reviewer.lock.yml | 2 +- .github/workflows/hourly-ci-cleaner.lock.yml | 2 +- .github/workflows/instructions-janitor.lock.yml | 2 +- .github/workflows/issue-arborist.lock.yml | 2 +- .github/workflows/issue-monster.lock.yml | 2 +- .github/workflows/issue-triage-agent.lock.yml | 2 +- .github/workflows/jsweep.lock.yml | 2 +- .github/workflows/layout-spec-maintainer.lock.yml | 2 +- .github/workflows/lockfile-stats.lock.yml | 2 +- .github/workflows/mcp-inspector.lock.yml | 2 +- .github/workflows/mergefest.lock.yml | 2 +- .github/workflows/notion-issue-summary.lock.yml | 2 +- .github/workflows/org-health-report.lock.yml | 2 +- .github/workflows/pdf-summary.lock.yml | 2 +- .github/workflows/plan.lock.yml | 2 +- .github/workflows/poem-bot.lock.yml | 2 +- .github/workflows/portfolio-analyst.lock.yml | 2 +- .github/workflows/pr-nitpick-reviewer.lock.yml | 2 +- .github/workflows/pr-triage-agent.lock.yml | 2 +- .github/workflows/prompt-clustering-analysis.lock.yml | 2 +- .github/workflows/python-data-charts.lock.yml | 2 +- .github/workflows/q.lock.yml | 2 +- .github/workflows/refiner.lock.yml | 2 +- .github/workflows/release.lock.yml | 2 +- .github/workflows/repo-audit-analyzer.lock.yml | 2 +- .github/workflows/repo-tree-map.lock.yml | 2 +- .github/workflows/repository-quality-improver.lock.yml | 2 +- .github/workflows/research.lock.yml | 2 +- .github/workflows/safe-output-health.lock.yml | 2 +- .github/workflows/schema-consistency-checker.lock.yml | 2 +- .github/workflows/scout.lock.yml | 2 +- .github/workflows/security-compliance.lock.yml | 2 +- .github/workflows/security-review.lock.yml | 2 +- .github/workflows/semantic-function-refactor.lock.yml | 2 +- .github/workflows/sergo.lock.yml | 2 +- .github/workflows/slide-deck-maintainer.lock.yml | 2 +- .github/workflows/smoke-agent.lock.yml | 2 +- .github/workflows/smoke-claude.lock.yml | 2 +- .github/workflows/smoke-codex.lock.yml | 2 +- .github/workflows/smoke-copilot-arm.lock.yml | 2 +- .github/workflows/smoke-copilot.lock.yml | 2 +- .github/workflows/smoke-gemini.lock.yml | 2 +- .github/workflows/smoke-multi-pr.lock.yml | 2 +- .github/workflows/smoke-project.lock.yml | 2 +- .github/workflows/smoke-temporary-id.lock.yml | 2 +- .github/workflows/smoke-test-tools.lock.yml | 2 +- .github/workflows/stale-repo-identifier.lock.yml | 2 +- .github/workflows/static-analysis-report.lock.yml | 2 +- .github/workflows/step-name-alignment.lock.yml | 2 +- .github/workflows/sub-issue-closer.lock.yml | 2 +- .github/workflows/super-linter.lock.yml | 2 +- .github/workflows/technical-doc-writer.lock.yml | 2 +- .github/workflows/terminal-stylist.lock.yml | 2 +- .github/workflows/test-create-pr-error-handling.lock.yml | 2 +- .github/workflows/test-dispatcher.lock.yml | 2 +- .github/workflows/test-project-url-default.lock.yml | 2 +- .github/workflows/tidy.lock.yml | 2 +- .github/workflows/typist.lock.yml | 2 +- .github/workflows/ubuntu-image-analyzer.lock.yml | 2 +- .github/workflows/unbloat-docs.lock.yml | 2 +- .github/workflows/video-analyzer.lock.yml | 2 +- .github/workflows/weekly-editors-health-check.lock.yml | 2 +- .github/workflows/weekly-issue-summary.lock.yml | 2 +- .github/workflows/weekly-safe-outputs-spec-review.lock.yml | 2 +- .github/workflows/workflow-generator.lock.yml | 2 +- .github/workflows/workflow-health-manager.lock.yml | 2 +- .github/workflows/workflow-normalizer.lock.yml | 2 +- .github/workflows/workflow-skill-extractor.lock.yml | 2 +- pkg/workflow/threat_detection.go | 2 +- pkg/workflow/threat_detection_test.go | 4 ++-- 150 files changed, 151 insertions(+), 151 deletions(-) diff --git a/.github/workflows/agent-performance-analyzer.lock.yml b/.github/workflows/agent-performance-analyzer.lock.yml index f055e7c1a6..a07eff355a 100644 --- a/.github/workflows/agent-performance-analyzer.lock.yml +++ b/.github/workflows/agent-performance-analyzer.lock.yml @@ -1136,7 +1136,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/agent-persona-explorer.lock.yml b/.github/workflows/agent-persona-explorer.lock.yml index bb90ddf426..8e2393c7d0 100644 --- a/.github/workflows/agent-persona-explorer.lock.yml +++ b/.github/workflows/agent-persona-explorer.lock.yml @@ -1008,7 +1008,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/archie.lock.yml b/.github/workflows/archie.lock.yml index 496c84f55a..092a41118c 100644 --- a/.github/workflows/archie.lock.yml +++ b/.github/workflows/archie.lock.yml @@ -960,7 +960,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/artifacts-summary.lock.yml b/.github/workflows/artifacts-summary.lock.yml index e3596c6a96..87e04ac455 100644 --- a/.github/workflows/artifacts-summary.lock.yml +++ b/.github/workflows/artifacts-summary.lock.yml @@ -915,7 +915,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/audit-workflows.lock.yml b/.github/workflows/audit-workflows.lock.yml index 135cd8c363..8e13876688 100644 --- a/.github/workflows/audit-workflows.lock.yml +++ b/.github/workflows/audit-workflows.lock.yml @@ -1174,7 +1174,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/auto-triage-issues.lock.yml b/.github/workflows/auto-triage-issues.lock.yml index 9d592ff6a3..909daf9069 100644 --- a/.github/workflows/auto-triage-issues.lock.yml +++ b/.github/workflows/auto-triage-issues.lock.yml @@ -985,7 +985,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/blog-auditor.lock.yml b/.github/workflows/blog-auditor.lock.yml index 3b6f222418..8efdeee8f3 100644 --- a/.github/workflows/blog-auditor.lock.yml +++ b/.github/workflows/blog-auditor.lock.yml @@ -1025,7 +1025,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/brave.lock.yml b/.github/workflows/brave.lock.yml index d638cbb43e..6b30c73629 100644 --- a/.github/workflows/brave.lock.yml +++ b/.github/workflows/brave.lock.yml @@ -948,7 +948,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/breaking-change-checker.lock.yml b/.github/workflows/breaking-change-checker.lock.yml index 409f649587..3406b5a4ac 100644 --- a/.github/workflows/breaking-change-checker.lock.yml +++ b/.github/workflows/breaking-change-checker.lock.yml @@ -961,7 +961,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/changeset.lock.yml b/.github/workflows/changeset.lock.yml index e150955f32..bf56befc79 100644 --- a/.github/workflows/changeset.lock.yml +++ b/.github/workflows/changeset.lock.yml @@ -1036,7 +1036,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/ci-coach.lock.yml b/.github/workflows/ci-coach.lock.yml index 8f3f60b035..77e1c37856 100644 --- a/.github/workflows/ci-coach.lock.yml +++ b/.github/workflows/ci-coach.lock.yml @@ -1035,7 +1035,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/ci-doctor.lock.yml b/.github/workflows/ci-doctor.lock.yml index d9d47fd70a..fb0d2539f2 100644 --- a/.github/workflows/ci-doctor.lock.yml +++ b/.github/workflows/ci-doctor.lock.yml @@ -1163,7 +1163,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/claude-code-user-docs-review.lock.yml b/.github/workflows/claude-code-user-docs-review.lock.yml index 9e493d3f91..a519cf484b 100644 --- a/.github/workflows/claude-code-user-docs-review.lock.yml +++ b/.github/workflows/claude-code-user-docs-review.lock.yml @@ -986,7 +986,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/cli-consistency-checker.lock.yml b/.github/workflows/cli-consistency-checker.lock.yml index 2ff51d03d1..e3d36d5f9c 100644 --- a/.github/workflows/cli-consistency-checker.lock.yml +++ b/.github/workflows/cli-consistency-checker.lock.yml @@ -925,7 +925,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/cli-version-checker.lock.yml b/.github/workflows/cli-version-checker.lock.yml index e73a975ab2..7d204c2c77 100644 --- a/.github/workflows/cli-version-checker.lock.yml +++ b/.github/workflows/cli-version-checker.lock.yml @@ -1014,7 +1014,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/cloclo.lock.yml b/.github/workflows/cloclo.lock.yml index 8cbe9e677e..669616be85 100644 --- a/.github/workflows/cloclo.lock.yml +++ b/.github/workflows/cloclo.lock.yml @@ -1308,7 +1308,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/code-scanning-fixer.lock.yml b/.github/workflows/code-scanning-fixer.lock.yml index 7431bbc0c9..d779ffbc2d 100644 --- a/.github/workflows/code-scanning-fixer.lock.yml +++ b/.github/workflows/code-scanning-fixer.lock.yml @@ -1038,7 +1038,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/code-simplifier.lock.yml b/.github/workflows/code-simplifier.lock.yml index 7f2d7b09cc..ab3b4dc29a 100644 --- a/.github/workflows/code-simplifier.lock.yml +++ b/.github/workflows/code-simplifier.lock.yml @@ -962,7 +962,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/commit-changes-analyzer.lock.yml b/.github/workflows/commit-changes-analyzer.lock.yml index 025e106abc..e77e7dec5d 100644 --- a/.github/workflows/commit-changes-analyzer.lock.yml +++ b/.github/workflows/commit-changes-analyzer.lock.yml @@ -966,7 +966,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/contribution-check.lock.yml b/.github/workflows/contribution-check.lock.yml index a9188b0f59..02f9db1a00 100644 --- a/.github/workflows/contribution-check.lock.yml +++ b/.github/workflows/contribution-check.lock.yml @@ -999,7 +999,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/copilot-agent-analysis.lock.yml b/.github/workflows/copilot-agent-analysis.lock.yml index bf23b9cae9..9098bec8ae 100644 --- a/.github/workflows/copilot-agent-analysis.lock.yml +++ b/.github/workflows/copilot-agent-analysis.lock.yml @@ -1046,7 +1046,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/copilot-cli-deep-research.lock.yml b/.github/workflows/copilot-cli-deep-research.lock.yml index 7e30621446..dc6e3c6228 100644 --- a/.github/workflows/copilot-cli-deep-research.lock.yml +++ b/.github/workflows/copilot-cli-deep-research.lock.yml @@ -977,7 +977,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/copilot-pr-merged-report.lock.yml b/.github/workflows/copilot-pr-merged-report.lock.yml index f62fdccd30..1a5594e120 100644 --- a/.github/workflows/copilot-pr-merged-report.lock.yml +++ b/.github/workflows/copilot-pr-merged-report.lock.yml @@ -1085,7 +1085,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/copilot-pr-nlp-analysis.lock.yml b/.github/workflows/copilot-pr-nlp-analysis.lock.yml index 7395b4af9e..a1746ecbfe 100644 --- a/.github/workflows/copilot-pr-nlp-analysis.lock.yml +++ b/.github/workflows/copilot-pr-nlp-analysis.lock.yml @@ -1073,7 +1073,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/copilot-pr-prompt-analysis.lock.yml b/.github/workflows/copilot-pr-prompt-analysis.lock.yml index bd46963847..e494ad837b 100644 --- a/.github/workflows/copilot-pr-prompt-analysis.lock.yml +++ b/.github/workflows/copilot-pr-prompt-analysis.lock.yml @@ -997,7 +997,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/copilot-session-insights.lock.yml b/.github/workflows/copilot-session-insights.lock.yml index 0e9473d14a..6d743bf800 100644 --- a/.github/workflows/copilot-session-insights.lock.yml +++ b/.github/workflows/copilot-session-insights.lock.yml @@ -1125,7 +1125,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/craft.lock.yml b/.github/workflows/craft.lock.yml index 72300364f8..ab401e2657 100644 --- a/.github/workflows/craft.lock.yml +++ b/.github/workflows/craft.lock.yml @@ -986,7 +986,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/daily-assign-issue-to-user.lock.yml b/.github/workflows/daily-assign-issue-to-user.lock.yml index 326f68e7e3..61d4a858f4 100644 --- a/.github/workflows/daily-assign-issue-to-user.lock.yml +++ b/.github/workflows/daily-assign-issue-to-user.lock.yml @@ -941,7 +941,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/daily-choice-test.lock.yml b/.github/workflows/daily-choice-test.lock.yml index a4e7bfa6d0..1e15d90232 100644 --- a/.github/workflows/daily-choice-test.lock.yml +++ b/.github/workflows/daily-choice-test.lock.yml @@ -928,7 +928,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/daily-cli-performance.lock.yml b/.github/workflows/daily-cli-performance.lock.yml index a2e0813811..6daa16e748 100644 --- a/.github/workflows/daily-cli-performance.lock.yml +++ b/.github/workflows/daily-cli-performance.lock.yml @@ -1167,7 +1167,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/daily-cli-tools-tester.lock.yml b/.github/workflows/daily-cli-tools-tester.lock.yml index d42a7840e6..4ed472d3b9 100644 --- a/.github/workflows/daily-cli-tools-tester.lock.yml +++ b/.github/workflows/daily-cli-tools-tester.lock.yml @@ -993,7 +993,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/daily-code-metrics.lock.yml b/.github/workflows/daily-code-metrics.lock.yml index 981798d5d6..5c50f08258 100644 --- a/.github/workflows/daily-code-metrics.lock.yml +++ b/.github/workflows/daily-code-metrics.lock.yml @@ -1103,7 +1103,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/daily-compiler-quality.lock.yml b/.github/workflows/daily-compiler-quality.lock.yml index 2a65c6875b..6fa0282a16 100644 --- a/.github/workflows/daily-compiler-quality.lock.yml +++ b/.github/workflows/daily-compiler-quality.lock.yml @@ -973,7 +973,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/daily-copilot-token-report.lock.yml b/.github/workflows/daily-copilot-token-report.lock.yml index 34be42e3a2..66538ddc91 100644 --- a/.github/workflows/daily-copilot-token-report.lock.yml +++ b/.github/workflows/daily-copilot-token-report.lock.yml @@ -1084,7 +1084,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/daily-doc-updater.lock.yml b/.github/workflows/daily-doc-updater.lock.yml index 61e73a467b..c23b256268 100644 --- a/.github/workflows/daily-doc-updater.lock.yml +++ b/.github/workflows/daily-doc-updater.lock.yml @@ -1047,7 +1047,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/daily-fact.lock.yml b/.github/workflows/daily-fact.lock.yml index 788aa570f3..49e43c7aca 100644 --- a/.github/workflows/daily-fact.lock.yml +++ b/.github/workflows/daily-fact.lock.yml @@ -878,7 +878,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: {} concurrency: group: "gh-aw-codex-${{ github.workflow }}" diff --git a/.github/workflows/daily-file-diet.lock.yml b/.github/workflows/daily-file-diet.lock.yml index 7e9151e2ca..314c9bdb87 100644 --- a/.github/workflows/daily-file-diet.lock.yml +++ b/.github/workflows/daily-file-diet.lock.yml @@ -977,7 +977,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/daily-firewall-report.lock.yml b/.github/workflows/daily-firewall-report.lock.yml index d233d20dad..e6b9cbe762 100644 --- a/.github/workflows/daily-firewall-report.lock.yml +++ b/.github/workflows/daily-firewall-report.lock.yml @@ -1080,7 +1080,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/daily-issues-report.lock.yml b/.github/workflows/daily-issues-report.lock.yml index a7dc484e83..10b8054634 100644 --- a/.github/workflows/daily-issues-report.lock.yml +++ b/.github/workflows/daily-issues-report.lock.yml @@ -1106,7 +1106,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/daily-mcp-concurrency-analysis.lock.yml b/.github/workflows/daily-mcp-concurrency-analysis.lock.yml index 1f792d0f4c..2c81fe1f70 100644 --- a/.github/workflows/daily-mcp-concurrency-analysis.lock.yml +++ b/.github/workflows/daily-mcp-concurrency-analysis.lock.yml @@ -1024,7 +1024,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/daily-multi-device-docs-tester.lock.yml b/.github/workflows/daily-multi-device-docs-tester.lock.yml index 2efc9966c3..e483a2d098 100644 --- a/.github/workflows/daily-multi-device-docs-tester.lock.yml +++ b/.github/workflows/daily-multi-device-docs-tester.lock.yml @@ -1102,7 +1102,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/daily-news.lock.yml b/.github/workflows/daily-news.lock.yml index 6cbc0eba3a..b9d64a43a3 100644 --- a/.github/workflows/daily-news.lock.yml +++ b/.github/workflows/daily-news.lock.yml @@ -1146,7 +1146,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/daily-observability-report.lock.yml b/.github/workflows/daily-observability-report.lock.yml index e5539bc6de..b054d9f585 100644 --- a/.github/workflows/daily-observability-report.lock.yml +++ b/.github/workflows/daily-observability-report.lock.yml @@ -1063,7 +1063,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/daily-performance-summary.lock.yml b/.github/workflows/daily-performance-summary.lock.yml index 315800174c..362aebb661 100644 --- a/.github/workflows/daily-performance-summary.lock.yml +++ b/.github/workflows/daily-performance-summary.lock.yml @@ -1569,7 +1569,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/daily-regulatory.lock.yml b/.github/workflows/daily-regulatory.lock.yml index 19c84fd8a0..9e846470af 100644 --- a/.github/workflows/daily-regulatory.lock.yml +++ b/.github/workflows/daily-regulatory.lock.yml @@ -1461,7 +1461,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/daily-rendering-scripts-verifier.lock.yml b/.github/workflows/daily-rendering-scripts-verifier.lock.yml index 3bfa8272e0..76d7dcc74b 100644 --- a/.github/workflows/daily-rendering-scripts-verifier.lock.yml +++ b/.github/workflows/daily-rendering-scripts-verifier.lock.yml @@ -1133,7 +1133,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/daily-repo-chronicle.lock.yml b/.github/workflows/daily-repo-chronicle.lock.yml index e60cd69be3..b3ecda1238 100644 --- a/.github/workflows/daily-repo-chronicle.lock.yml +++ b/.github/workflows/daily-repo-chronicle.lock.yml @@ -1015,7 +1015,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/daily-safe-output-optimizer.lock.yml b/.github/workflows/daily-safe-output-optimizer.lock.yml index b7ecfaa884..b855c39708 100644 --- a/.github/workflows/daily-safe-output-optimizer.lock.yml +++ b/.github/workflows/daily-safe-output-optimizer.lock.yml @@ -1103,7 +1103,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/daily-safe-outputs-conformance.lock.yml b/.github/workflows/daily-safe-outputs-conformance.lock.yml index 5d3589f84c..86485c36d5 100644 --- a/.github/workflows/daily-safe-outputs-conformance.lock.yml +++ b/.github/workflows/daily-safe-outputs-conformance.lock.yml @@ -981,7 +981,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/daily-secrets-analysis.lock.yml b/.github/workflows/daily-secrets-analysis.lock.yml index 3f7bcd6e28..81c35b24d0 100644 --- a/.github/workflows/daily-secrets-analysis.lock.yml +++ b/.github/workflows/daily-secrets-analysis.lock.yml @@ -979,7 +979,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/daily-security-red-team.lock.yml b/.github/workflows/daily-security-red-team.lock.yml index cade40d225..f6a0e4609f 100644 --- a/.github/workflows/daily-security-red-team.lock.yml +++ b/.github/workflows/daily-security-red-team.lock.yml @@ -985,7 +985,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/daily-semgrep-scan.lock.yml b/.github/workflows/daily-semgrep-scan.lock.yml index 5eed9849ea..86e246d585 100644 --- a/.github/workflows/daily-semgrep-scan.lock.yml +++ b/.github/workflows/daily-semgrep-scan.lock.yml @@ -963,7 +963,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/daily-syntax-error-quality.lock.yml b/.github/workflows/daily-syntax-error-quality.lock.yml index 68137fae24..cb4d289aba 100644 --- a/.github/workflows/daily-syntax-error-quality.lock.yml +++ b/.github/workflows/daily-syntax-error-quality.lock.yml @@ -958,7 +958,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/daily-team-evolution-insights.lock.yml b/.github/workflows/daily-team-evolution-insights.lock.yml index b8173e44d6..dffba2df65 100644 --- a/.github/workflows/daily-team-evolution-insights.lock.yml +++ b/.github/workflows/daily-team-evolution-insights.lock.yml @@ -965,7 +965,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/daily-team-status.lock.yml b/.github/workflows/daily-team-status.lock.yml index 391dfbade4..b16d7ed6a8 100644 --- a/.github/workflows/daily-team-status.lock.yml +++ b/.github/workflows/daily-team-status.lock.yml @@ -953,7 +953,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/daily-testify-uber-super-expert.lock.yml b/.github/workflows/daily-testify-uber-super-expert.lock.yml index 40ea6280e3..c1b821d0ae 100644 --- a/.github/workflows/daily-testify-uber-super-expert.lock.yml +++ b/.github/workflows/daily-testify-uber-super-expert.lock.yml @@ -1016,7 +1016,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/daily-workflow-updater.lock.yml b/.github/workflows/daily-workflow-updater.lock.yml index 16c35b4a6e..19903bd8b0 100644 --- a/.github/workflows/daily-workflow-updater.lock.yml +++ b/.github/workflows/daily-workflow-updater.lock.yml @@ -948,7 +948,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/deep-report.lock.yml b/.github/workflows/deep-report.lock.yml index 56c5f0bcb8..db878619b1 100644 --- a/.github/workflows/deep-report.lock.yml +++ b/.github/workflows/deep-report.lock.yml @@ -1193,7 +1193,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/delight.lock.yml b/.github/workflows/delight.lock.yml index bff901bbb6..dd1dfd4d2c 100644 --- a/.github/workflows/delight.lock.yml +++ b/.github/workflows/delight.lock.yml @@ -1062,7 +1062,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/dependabot-burner.lock.yml b/.github/workflows/dependabot-burner.lock.yml index dd296a7a19..e7eb50b43f 100644 --- a/.github/workflows/dependabot-burner.lock.yml +++ b/.github/workflows/dependabot-burner.lock.yml @@ -926,7 +926,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/dependabot-go-checker.lock.yml b/.github/workflows/dependabot-go-checker.lock.yml index ed140fa045..e3de227867 100644 --- a/.github/workflows/dependabot-go-checker.lock.yml +++ b/.github/workflows/dependabot-go-checker.lock.yml @@ -967,7 +967,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/dev-hawk.lock.yml b/.github/workflows/dev-hawk.lock.yml index f010d8d517..4cf96de250 100644 --- a/.github/workflows/dev-hawk.lock.yml +++ b/.github/workflows/dev-hawk.lock.yml @@ -1010,7 +1010,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/dev.lock.yml b/.github/workflows/dev.lock.yml index ba25480b94..b601e2942b 100644 --- a/.github/workflows/dev.lock.yml +++ b/.github/workflows/dev.lock.yml @@ -922,7 +922,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/developer-docs-consolidator.lock.yml b/.github/workflows/developer-docs-consolidator.lock.yml index 27aa2ccdb0..c05a72a729 100644 --- a/.github/workflows/developer-docs-consolidator.lock.yml +++ b/.github/workflows/developer-docs-consolidator.lock.yml @@ -1127,7 +1127,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/dictation-prompt.lock.yml b/.github/workflows/dictation-prompt.lock.yml index 71282dc2ae..bb66be51d8 100644 --- a/.github/workflows/dictation-prompt.lock.yml +++ b/.github/workflows/dictation-prompt.lock.yml @@ -949,7 +949,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/discussion-task-miner.lock.yml b/.github/workflows/discussion-task-miner.lock.yml index 7895d6108f..7e9d933149 100644 --- a/.github/workflows/discussion-task-miner.lock.yml +++ b/.github/workflows/discussion-task-miner.lock.yml @@ -1043,7 +1043,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/docs-noob-tester.lock.yml b/.github/workflows/docs-noob-tester.lock.yml index 3779dfec6a..55dd3494ac 100644 --- a/.github/workflows/docs-noob-tester.lock.yml +++ b/.github/workflows/docs-noob-tester.lock.yml @@ -965,7 +965,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/draft-pr-cleanup.lock.yml b/.github/workflows/draft-pr-cleanup.lock.yml index 47e494031a..a7c5914eeb 100644 --- a/.github/workflows/draft-pr-cleanup.lock.yml +++ b/.github/workflows/draft-pr-cleanup.lock.yml @@ -972,7 +972,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/duplicate-code-detector.lock.yml b/.github/workflows/duplicate-code-detector.lock.yml index 0a036e60bb..d760d03ce0 100644 --- a/.github/workflows/duplicate-code-detector.lock.yml +++ b/.github/workflows/duplicate-code-detector.lock.yml @@ -977,7 +977,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/example-workflow-analyzer.lock.yml b/.github/workflows/example-workflow-analyzer.lock.yml index 204257f7d2..fa5e4a53ff 100644 --- a/.github/workflows/example-workflow-analyzer.lock.yml +++ b/.github/workflows/example-workflow-analyzer.lock.yml @@ -1024,7 +1024,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/firewall-escape.lock.yml b/.github/workflows/firewall-escape.lock.yml index e84f795ef7..08661a2945 100644 --- a/.github/workflows/firewall-escape.lock.yml +++ b/.github/workflows/firewall-escape.lock.yml @@ -995,7 +995,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/functional-pragmatist.lock.yml b/.github/workflows/functional-pragmatist.lock.yml index a4de7534fd..55d04e81a1 100644 --- a/.github/workflows/functional-pragmatist.lock.yml +++ b/.github/workflows/functional-pragmatist.lock.yml @@ -956,7 +956,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/github-mcp-structural-analysis.lock.yml b/.github/workflows/github-mcp-structural-analysis.lock.yml index e28105f242..528b4908b1 100644 --- a/.github/workflows/github-mcp-structural-analysis.lock.yml +++ b/.github/workflows/github-mcp-structural-analysis.lock.yml @@ -1060,7 +1060,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/github-mcp-tools-report.lock.yml b/.github/workflows/github-mcp-tools-report.lock.yml index d4ccf7856c..37f8a6f520 100644 --- a/.github/workflows/github-mcp-tools-report.lock.yml +++ b/.github/workflows/github-mcp-tools-report.lock.yml @@ -1084,7 +1084,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/github-remote-mcp-auth-test.lock.yml b/.github/workflows/github-remote-mcp-auth-test.lock.yml index 5620870131..42716c2487 100644 --- a/.github/workflows/github-remote-mcp-auth-test.lock.yml +++ b/.github/workflows/github-remote-mcp-auth-test.lock.yml @@ -919,7 +919,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/glossary-maintainer.lock.yml b/.github/workflows/glossary-maintainer.lock.yml index 2675f5ce36..a4c7e3d031 100644 --- a/.github/workflows/glossary-maintainer.lock.yml +++ b/.github/workflows/glossary-maintainer.lock.yml @@ -1029,7 +1029,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/go-fan.lock.yml b/.github/workflows/go-fan.lock.yml index e1db9854b4..42c310895b 100644 --- a/.github/workflows/go-fan.lock.yml +++ b/.github/workflows/go-fan.lock.yml @@ -1030,7 +1030,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/go-logger.lock.yml b/.github/workflows/go-logger.lock.yml index f6fe9986b9..b2a2308cf0 100644 --- a/.github/workflows/go-logger.lock.yml +++ b/.github/workflows/go-logger.lock.yml @@ -1212,7 +1212,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/go-pattern-detector.lock.yml b/.github/workflows/go-pattern-detector.lock.yml index 45583215c9..79d8472590 100644 --- a/.github/workflows/go-pattern-detector.lock.yml +++ b/.github/workflows/go-pattern-detector.lock.yml @@ -1023,7 +1023,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/gpclean.lock.yml b/.github/workflows/gpclean.lock.yml index 33a547bc71..8b417fb168 100644 --- a/.github/workflows/gpclean.lock.yml +++ b/.github/workflows/gpclean.lock.yml @@ -954,7 +954,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/grumpy-reviewer.lock.yml b/.github/workflows/grumpy-reviewer.lock.yml index 8bc443cbd1..4bac6306e9 100644 --- a/.github/workflows/grumpy-reviewer.lock.yml +++ b/.github/workflows/grumpy-reviewer.lock.yml @@ -1033,7 +1033,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/hourly-ci-cleaner.lock.yml b/.github/workflows/hourly-ci-cleaner.lock.yml index 33fff48881..a5d1aa587a 100644 --- a/.github/workflows/hourly-ci-cleaner.lock.yml +++ b/.github/workflows/hourly-ci-cleaner.lock.yml @@ -1055,7 +1055,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/instructions-janitor.lock.yml b/.github/workflows/instructions-janitor.lock.yml index ef74b1dfa9..eae51da56a 100644 --- a/.github/workflows/instructions-janitor.lock.yml +++ b/.github/workflows/instructions-janitor.lock.yml @@ -1040,7 +1040,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/issue-arborist.lock.yml b/.github/workflows/issue-arborist.lock.yml index 8589a37951..9aebfb36e9 100644 --- a/.github/workflows/issue-arborist.lock.yml +++ b/.github/workflows/issue-arborist.lock.yml @@ -1047,7 +1047,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/issue-monster.lock.yml b/.github/workflows/issue-monster.lock.yml index 2320dce215..7422eac001 100644 --- a/.github/workflows/issue-monster.lock.yml +++ b/.github/workflows/issue-monster.lock.yml @@ -974,7 +974,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/issue-triage-agent.lock.yml b/.github/workflows/issue-triage-agent.lock.yml index b1b16e65ad..61877f91ef 100644 --- a/.github/workflows/issue-triage-agent.lock.yml +++ b/.github/workflows/issue-triage-agent.lock.yml @@ -911,7 +911,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/jsweep.lock.yml b/.github/workflows/jsweep.lock.yml index c518b72b9a..eb30bb1276 100644 --- a/.github/workflows/jsweep.lock.yml +++ b/.github/workflows/jsweep.lock.yml @@ -992,7 +992,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/layout-spec-maintainer.lock.yml b/.github/workflows/layout-spec-maintainer.lock.yml index b3eb7555dd..bd50055535 100644 --- a/.github/workflows/layout-spec-maintainer.lock.yml +++ b/.github/workflows/layout-spec-maintainer.lock.yml @@ -985,7 +985,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/lockfile-stats.lock.yml b/.github/workflows/lockfile-stats.lock.yml index 3f1b85aeea..08c8a8e44a 100644 --- a/.github/workflows/lockfile-stats.lock.yml +++ b/.github/workflows/lockfile-stats.lock.yml @@ -986,7 +986,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/mcp-inspector.lock.yml b/.github/workflows/mcp-inspector.lock.yml index 98c2995882..aaac07f878 100644 --- a/.github/workflows/mcp-inspector.lock.yml +++ b/.github/workflows/mcp-inspector.lock.yml @@ -1325,7 +1325,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/mergefest.lock.yml b/.github/workflows/mergefest.lock.yml index e00ea31cf1..380a74e600 100644 --- a/.github/workflows/mergefest.lock.yml +++ b/.github/workflows/mergefest.lock.yml @@ -977,7 +977,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/notion-issue-summary.lock.yml b/.github/workflows/notion-issue-summary.lock.yml index 9d4c7b904b..0a8b89e45a 100644 --- a/.github/workflows/notion-issue-summary.lock.yml +++ b/.github/workflows/notion-issue-summary.lock.yml @@ -892,7 +892,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/org-health-report.lock.yml b/.github/workflows/org-health-report.lock.yml index 5d9b90d3ec..130af10d46 100644 --- a/.github/workflows/org-health-report.lock.yml +++ b/.github/workflows/org-health-report.lock.yml @@ -1014,7 +1014,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/pdf-summary.lock.yml b/.github/workflows/pdf-summary.lock.yml index b8c9f526ef..975d5d2321 100644 --- a/.github/workflows/pdf-summary.lock.yml +++ b/.github/workflows/pdf-summary.lock.yml @@ -1049,7 +1049,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/plan.lock.yml b/.github/workflows/plan.lock.yml index 66d7791862..d653268b19 100644 --- a/.github/workflows/plan.lock.yml +++ b/.github/workflows/plan.lock.yml @@ -1015,7 +1015,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/poem-bot.lock.yml b/.github/workflows/poem-bot.lock.yml index 261a2d4e98..76c9b24c77 100644 --- a/.github/workflows/poem-bot.lock.yml +++ b/.github/workflows/poem-bot.lock.yml @@ -1653,7 +1653,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/portfolio-analyst.lock.yml b/.github/workflows/portfolio-analyst.lock.yml index 5b3c0e1bf7..28d84e305d 100644 --- a/.github/workflows/portfolio-analyst.lock.yml +++ b/.github/workflows/portfolio-analyst.lock.yml @@ -1091,7 +1091,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/pr-nitpick-reviewer.lock.yml b/.github/workflows/pr-nitpick-reviewer.lock.yml index 1d7b268b33..85178b12f3 100644 --- a/.github/workflows/pr-nitpick-reviewer.lock.yml +++ b/.github/workflows/pr-nitpick-reviewer.lock.yml @@ -1122,7 +1122,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/pr-triage-agent.lock.yml b/.github/workflows/pr-triage-agent.lock.yml index a666eb59ab..0bd72881a0 100644 --- a/.github/workflows/pr-triage-agent.lock.yml +++ b/.github/workflows/pr-triage-agent.lock.yml @@ -1045,7 +1045,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/prompt-clustering-analysis.lock.yml b/.github/workflows/prompt-clustering-analysis.lock.yml index c513159a18..26048ccda6 100644 --- a/.github/workflows/prompt-clustering-analysis.lock.yml +++ b/.github/workflows/prompt-clustering-analysis.lock.yml @@ -1117,7 +1117,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/python-data-charts.lock.yml b/.github/workflows/python-data-charts.lock.yml index abccc32517..a334dc9e09 100644 --- a/.github/workflows/python-data-charts.lock.yml +++ b/.github/workflows/python-data-charts.lock.yml @@ -1077,7 +1077,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/q.lock.yml b/.github/workflows/q.lock.yml index dc25762b0b..e05b8eb9ed 100644 --- a/.github/workflows/q.lock.yml +++ b/.github/workflows/q.lock.yml @@ -1171,7 +1171,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/refiner.lock.yml b/.github/workflows/refiner.lock.yml index e7fb8d1963..5c4c3952a1 100644 --- a/.github/workflows/refiner.lock.yml +++ b/.github/workflows/refiner.lock.yml @@ -1015,7 +1015,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/release.lock.yml b/.github/workflows/release.lock.yml index 6f5397aa85..00ed0c78f3 100644 --- a/.github/workflows/release.lock.yml +++ b/.github/workflows/release.lock.yml @@ -1038,7 +1038,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/repo-audit-analyzer.lock.yml b/.github/workflows/repo-audit-analyzer.lock.yml index 1b172d7fd8..9cc436affc 100644 --- a/.github/workflows/repo-audit-analyzer.lock.yml +++ b/.github/workflows/repo-audit-analyzer.lock.yml @@ -954,7 +954,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/repo-tree-map.lock.yml b/.github/workflows/repo-tree-map.lock.yml index 0458c7a293..b0ce520057 100644 --- a/.github/workflows/repo-tree-map.lock.yml +++ b/.github/workflows/repo-tree-map.lock.yml @@ -911,7 +911,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/repository-quality-improver.lock.yml b/.github/workflows/repository-quality-improver.lock.yml index c2b80bc7bb..afdc673650 100644 --- a/.github/workflows/repository-quality-improver.lock.yml +++ b/.github/workflows/repository-quality-improver.lock.yml @@ -956,7 +956,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/research.lock.yml b/.github/workflows/research.lock.yml index f015395691..1f797889a6 100644 --- a/.github/workflows/research.lock.yml +++ b/.github/workflows/research.lock.yml @@ -939,7 +939,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/safe-output-health.lock.yml b/.github/workflows/safe-output-health.lock.yml index 83b0692126..744478fe50 100644 --- a/.github/workflows/safe-output-health.lock.yml +++ b/.github/workflows/safe-output-health.lock.yml @@ -1079,7 +1079,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/schema-consistency-checker.lock.yml b/.github/workflows/schema-consistency-checker.lock.yml index 132241d4ab..d224c857af 100644 --- a/.github/workflows/schema-consistency-checker.lock.yml +++ b/.github/workflows/schema-consistency-checker.lock.yml @@ -987,7 +987,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/scout.lock.yml b/.github/workflows/scout.lock.yml index 1569d350b5..a83e323b03 100644 --- a/.github/workflows/scout.lock.yml +++ b/.github/workflows/scout.lock.yml @@ -1131,7 +1131,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/security-compliance.lock.yml b/.github/workflows/security-compliance.lock.yml index d387b49b20..00fe5944b4 100644 --- a/.github/workflows/security-compliance.lock.yml +++ b/.github/workflows/security-compliance.lock.yml @@ -993,7 +993,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/security-review.lock.yml b/.github/workflows/security-review.lock.yml index 22c2e9bfe4..8ab025bc91 100644 --- a/.github/workflows/security-review.lock.yml +++ b/.github/workflows/security-review.lock.yml @@ -1104,7 +1104,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/semantic-function-refactor.lock.yml b/.github/workflows/semantic-function-refactor.lock.yml index 14cc40703e..b1b86538ba 100644 --- a/.github/workflows/semantic-function-refactor.lock.yml +++ b/.github/workflows/semantic-function-refactor.lock.yml @@ -1059,7 +1059,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/sergo.lock.yml b/.github/workflows/sergo.lock.yml index 0aeb986683..20bcc7ee7e 100644 --- a/.github/workflows/sergo.lock.yml +++ b/.github/workflows/sergo.lock.yml @@ -1029,7 +1029,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/slide-deck-maintainer.lock.yml b/.github/workflows/slide-deck-maintainer.lock.yml index 868187e5c8..2c31850b04 100644 --- a/.github/workflows/slide-deck-maintainer.lock.yml +++ b/.github/workflows/slide-deck-maintainer.lock.yml @@ -1051,7 +1051,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/smoke-agent.lock.yml b/.github/workflows/smoke-agent.lock.yml index 8c24a169e7..eb54028530 100644 --- a/.github/workflows/smoke-agent.lock.yml +++ b/.github/workflows/smoke-agent.lock.yml @@ -1010,7 +1010,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/smoke-claude.lock.yml b/.github/workflows/smoke-claude.lock.yml index ae9b8e74e7..57e3ae3fbb 100644 --- a/.github/workflows/smoke-claude.lock.yml +++ b/.github/workflows/smoke-claude.lock.yml @@ -2543,7 +2543,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/smoke-codex.lock.yml b/.github/workflows/smoke-codex.lock.yml index 00f62e6f1c..47fc015fac 100644 --- a/.github/workflows/smoke-codex.lock.yml +++ b/.github/workflows/smoke-codex.lock.yml @@ -1465,7 +1465,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/smoke-copilot-arm.lock.yml b/.github/workflows/smoke-copilot-arm.lock.yml index dd2ee5cf25..4e73002108 100644 --- a/.github/workflows/smoke-copilot-arm.lock.yml +++ b/.github/workflows/smoke-copilot-arm.lock.yml @@ -1977,7 +1977,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-24.04-arm + runs-on: ubuntu-latest permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/smoke-copilot.lock.yml b/.github/workflows/smoke-copilot.lock.yml index f31355b847..24725b6427 100644 --- a/.github/workflows/smoke-copilot.lock.yml +++ b/.github/workflows/smoke-copilot.lock.yml @@ -1979,7 +1979,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/smoke-gemini.lock.yml b/.github/workflows/smoke-gemini.lock.yml index e30de281ed..2a72c59d7d 100644 --- a/.github/workflows/smoke-gemini.lock.yml +++ b/.github/workflows/smoke-gemini.lock.yml @@ -1201,7 +1201,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/smoke-multi-pr.lock.yml b/.github/workflows/smoke-multi-pr.lock.yml index 5ccccd690f..0f679a3cce 100644 --- a/.github/workflows/smoke-multi-pr.lock.yml +++ b/.github/workflows/smoke-multi-pr.lock.yml @@ -1065,7 +1065,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/smoke-project.lock.yml b/.github/workflows/smoke-project.lock.yml index 1cd0799aad..eddb4b68e1 100644 --- a/.github/workflows/smoke-project.lock.yml +++ b/.github/workflows/smoke-project.lock.yml @@ -1459,7 +1459,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/smoke-temporary-id.lock.yml b/.github/workflows/smoke-temporary-id.lock.yml index 590aa0535b..6928cf6584 100644 --- a/.github/workflows/smoke-temporary-id.lock.yml +++ b/.github/workflows/smoke-temporary-id.lock.yml @@ -1065,7 +1065,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/smoke-test-tools.lock.yml b/.github/workflows/smoke-test-tools.lock.yml index ad8d1e821a..8e24bca735 100644 --- a/.github/workflows/smoke-test-tools.lock.yml +++ b/.github/workflows/smoke-test-tools.lock.yml @@ -968,7 +968,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/stale-repo-identifier.lock.yml b/.github/workflows/stale-repo-identifier.lock.yml index 4157e7b9d8..061a2d05ef 100644 --- a/.github/workflows/stale-repo-identifier.lock.yml +++ b/.github/workflows/stale-repo-identifier.lock.yml @@ -1081,7 +1081,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/static-analysis-report.lock.yml b/.github/workflows/static-analysis-report.lock.yml index 227b1fb1d7..55c6e42250 100644 --- a/.github/workflows/static-analysis-report.lock.yml +++ b/.github/workflows/static-analysis-report.lock.yml @@ -1061,7 +1061,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/step-name-alignment.lock.yml b/.github/workflows/step-name-alignment.lock.yml index 13e73991cf..9f3839d6ee 100644 --- a/.github/workflows/step-name-alignment.lock.yml +++ b/.github/workflows/step-name-alignment.lock.yml @@ -1013,7 +1013,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/sub-issue-closer.lock.yml b/.github/workflows/sub-issue-closer.lock.yml index ce5d26c45f..4a891cba8c 100644 --- a/.github/workflows/sub-issue-closer.lock.yml +++ b/.github/workflows/sub-issue-closer.lock.yml @@ -1007,7 +1007,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/super-linter.lock.yml b/.github/workflows/super-linter.lock.yml index ebe73ce25f..b41a4e41da 100644 --- a/.github/workflows/super-linter.lock.yml +++ b/.github/workflows/super-linter.lock.yml @@ -969,7 +969,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/technical-doc-writer.lock.yml b/.github/workflows/technical-doc-writer.lock.yml index 27261ea7fa..cdf4a14fce 100644 --- a/.github/workflows/technical-doc-writer.lock.yml +++ b/.github/workflows/technical-doc-writer.lock.yml @@ -1097,7 +1097,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/terminal-stylist.lock.yml b/.github/workflows/terminal-stylist.lock.yml index 30dc2e559f..78892b7fd7 100644 --- a/.github/workflows/terminal-stylist.lock.yml +++ b/.github/workflows/terminal-stylist.lock.yml @@ -919,7 +919,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/test-create-pr-error-handling.lock.yml b/.github/workflows/test-create-pr-error-handling.lock.yml index f3c5ba1bfb..a3a162efd9 100644 --- a/.github/workflows/test-create-pr-error-handling.lock.yml +++ b/.github/workflows/test-create-pr-error-handling.lock.yml @@ -1014,7 +1014,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/test-dispatcher.lock.yml b/.github/workflows/test-dispatcher.lock.yml index b6c6d8cc46..cdd97a6f10 100644 --- a/.github/workflows/test-dispatcher.lock.yml +++ b/.github/workflows/test-dispatcher.lock.yml @@ -861,7 +861,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/test-project-url-default.lock.yml b/.github/workflows/test-project-url-default.lock.yml index 5ac4184c67..c9a4fbdccc 100644 --- a/.github/workflows/test-project-url-default.lock.yml +++ b/.github/workflows/test-project-url-default.lock.yml @@ -1104,7 +1104,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/tidy.lock.yml b/.github/workflows/tidy.lock.yml index de5fe29850..4994c0c2d3 100644 --- a/.github/workflows/tidy.lock.yml +++ b/.github/workflows/tidy.lock.yml @@ -1075,7 +1075,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/typist.lock.yml b/.github/workflows/typist.lock.yml index 22870f625d..130117c67f 100644 --- a/.github/workflows/typist.lock.yml +++ b/.github/workflows/typist.lock.yml @@ -997,7 +997,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/ubuntu-image-analyzer.lock.yml b/.github/workflows/ubuntu-image-analyzer.lock.yml index 62fb2ee935..a13045ce17 100644 --- a/.github/workflows/ubuntu-image-analyzer.lock.yml +++ b/.github/workflows/ubuntu-image-analyzer.lock.yml @@ -981,7 +981,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/unbloat-docs.lock.yml b/.github/workflows/unbloat-docs.lock.yml index e6cbccadb9..21fe1b4d64 100644 --- a/.github/workflows/unbloat-docs.lock.yml +++ b/.github/workflows/unbloat-docs.lock.yml @@ -1238,7 +1238,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/video-analyzer.lock.yml b/.github/workflows/video-analyzer.lock.yml index de12d9c712..20ac245581 100644 --- a/.github/workflows/video-analyzer.lock.yml +++ b/.github/workflows/video-analyzer.lock.yml @@ -963,7 +963,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/weekly-editors-health-check.lock.yml b/.github/workflows/weekly-editors-health-check.lock.yml index 73a5f89062..2bd4f2e9fd 100644 --- a/.github/workflows/weekly-editors-health-check.lock.yml +++ b/.github/workflows/weekly-editors-health-check.lock.yml @@ -1027,7 +1027,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/weekly-issue-summary.lock.yml b/.github/workflows/weekly-issue-summary.lock.yml index 94d4382264..89de7c6236 100644 --- a/.github/workflows/weekly-issue-summary.lock.yml +++ b/.github/workflows/weekly-issue-summary.lock.yml @@ -989,7 +989,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/weekly-safe-outputs-spec-review.lock.yml b/.github/workflows/weekly-safe-outputs-spec-review.lock.yml index 60d6158863..9c8da0a6f0 100644 --- a/.github/workflows/weekly-safe-outputs-spec-review.lock.yml +++ b/.github/workflows/weekly-safe-outputs-spec-review.lock.yml @@ -947,7 +947,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/workflow-generator.lock.yml b/.github/workflows/workflow-generator.lock.yml index f949ff2c24..cc4adb3b41 100644 --- a/.github/workflows/workflow-generator.lock.yml +++ b/.github/workflows/workflow-generator.lock.yml @@ -1055,7 +1055,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/workflow-health-manager.lock.yml b/.github/workflows/workflow-health-manager.lock.yml index 67466f9422..0e92931144 100644 --- a/.github/workflows/workflow-health-manager.lock.yml +++ b/.github/workflows/workflow-health-manager.lock.yml @@ -1132,7 +1132,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/workflow-normalizer.lock.yml b/.github/workflows/workflow-normalizer.lock.yml index 5035bba7cd..1fc06fd0cb 100644 --- a/.github/workflows/workflow-normalizer.lock.yml +++ b/.github/workflows/workflow-normalizer.lock.yml @@ -1003,7 +1003,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/workflow-skill-extractor.lock.yml b/.github/workflows/workflow-skill-extractor.lock.yml index 706342fc09..8dc26aa52e 100644 --- a/.github/workflows/workflow-skill-extractor.lock.yml +++ b/.github/workflows/workflow-skill-extractor.lock.yml @@ -1006,7 +1006,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/pkg/workflow/threat_detection.go b/pkg/workflow/threat_detection.go index fe26d7c9cd..7475725e1e 100644 --- a/pkg/workflow/threat_detection.go +++ b/pkg/workflow/threat_detection.go @@ -141,7 +141,7 @@ func (c *Compiler) buildThreatDetectionJob(data *WorkflowData, mainJobName strin job := &Job{ Name: string(constants.DetectionJobName), If: condition.Render(), - RunsOn: c.formatSafeOutputsRunsOn(data), + RunsOn: "runs-on: ubuntu-latest", Permissions: permissions, Concurrency: c.indentYAMLLines(agentConcurrency, " "), TimeoutMinutes: 10, diff --git a/pkg/workflow/threat_detection_test.go b/pkg/workflow/threat_detection_test.go index 6c867729a1..459b7719c8 100644 --- a/pkg/workflow/threat_detection_test.go +++ b/pkg/workflow/threat_detection_test.go @@ -222,8 +222,8 @@ func TestBuildThreatDetectionJob(t *testing.T) { if job.Name != string(constants.DetectionJobName) { t.Errorf("Expected job name 'detection', got %q", job.Name) } - if job.RunsOn != "runs-on: "+constants.DefaultActivationJobRunnerImage { - t.Errorf("Expected %s runner, got %q", constants.DefaultActivationJobRunnerImage, job.RunsOn) + if job.RunsOn != "runs-on: ubuntu-latest" { + t.Errorf("Expected ubuntu-latest runner, got %q", job.RunsOn) } // In dev mode (default), detection job should have contents: read permission for checkout // In release mode, it should have empty permissions