From 35da504d11948814a40e4fcf6781a3002b7120ae Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 23 Feb 2026 20:28:07 +0000 Subject: [PATCH 1/3] Initial plan From 473523bbe5de5438fd6d712fd0980721f6ce5c6d Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 23 Feb 2026 20:50:48 +0000 Subject: [PATCH 2/3] fix: use runner resolution strategy for unlock and detection jobs (#17962) Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .../agent-performance-analyzer.lock.yml | 2 +- .../workflows/agent-persona-explorer.lock.yml | 2 +- .github/workflows/ai-moderator.lock.yml | 2 +- .github/workflows/archie.lock.yml | 2 +- .github/workflows/artifacts-summary.lock.yml | 2 +- .github/workflows/audit-workflows.lock.yml | 2 +- .github/workflows/auto-triage-issues.lock.yml | 2 +- .github/workflows/blog-auditor.lock.yml | 2 +- .github/workflows/brave.lock.yml | 2 +- .../breaking-change-checker.lock.yml | 2 +- .github/workflows/changeset.lock.yml | 2 +- .github/workflows/ci-coach.lock.yml | 2 +- .github/workflows/ci-doctor.lock.yml | 2 +- .../claude-code-user-docs-review.lock.yml | 2 +- .../cli-consistency-checker.lock.yml | 2 +- .../workflows/cli-version-checker.lock.yml | 2 +- .github/workflows/cloclo.lock.yml | 2 +- .../workflows/code-scanning-fixer.lock.yml | 2 +- .github/workflows/code-simplifier.lock.yml | 2 +- .../commit-changes-analyzer.lock.yml | 2 +- .github/workflows/contribution-check.lock.yml | 2 +- .../workflows/copilot-agent-analysis.lock.yml | 2 +- .../copilot-cli-deep-research.lock.yml | 2 +- .../copilot-pr-merged-report.lock.yml | 2 +- .../copilot-pr-nlp-analysis.lock.yml | 2 +- .../copilot-pr-prompt-analysis.lock.yml | 2 +- .../copilot-session-insights.lock.yml | 2 +- .github/workflows/craft.lock.yml | 2 +- .../daily-assign-issue-to-user.lock.yml | 2 +- .github/workflows/daily-choice-test.lock.yml | 2 +- .../workflows/daily-cli-performance.lock.yml | 2 +- .../workflows/daily-cli-tools-tester.lock.yml | 2 +- .github/workflows/daily-code-metrics.lock.yml | 2 +- .../workflows/daily-compiler-quality.lock.yml | 2 +- .../daily-copilot-token-report.lock.yml | 2 +- .github/workflows/daily-doc-updater.lock.yml | 2 +- .github/workflows/daily-fact.lock.yml | 2 +- .github/workflows/daily-file-diet.lock.yml | 2 +- .../workflows/daily-firewall-report.lock.yml | 2 +- .../workflows/daily-issues-report.lock.yml | 2 +- .../daily-mcp-concurrency-analysis.lock.yml | 2 +- .../daily-multi-device-docs-tester.lock.yml | 2 +- .github/workflows/daily-news.lock.yml | 2 +- .../daily-observability-report.lock.yml | 2 +- .../daily-performance-summary.lock.yml | 2 +- .github/workflows/daily-regulatory.lock.yml | 2 +- .../daily-rendering-scripts-verifier.lock.yml | 2 +- .../workflows/daily-repo-chronicle.lock.yml | 2 +- .../daily-safe-output-optimizer.lock.yml | 2 +- .../daily-safe-outputs-conformance.lock.yml | 2 +- .../workflows/daily-secrets-analysis.lock.yml | 2 +- .../daily-security-red-team.lock.yml | 2 +- .github/workflows/daily-semgrep-scan.lock.yml | 2 +- .../daily-syntax-error-quality.lock.yml | 2 +- .../daily-team-evolution-insights.lock.yml | 2 +- .github/workflows/daily-team-status.lock.yml | 2 +- .../daily-testify-uber-super-expert.lock.yml | 2 +- .../workflows/daily-workflow-updater.lock.yml | 2 +- .github/workflows/deep-report.lock.yml | 2 +- .github/workflows/delight.lock.yml | 2 +- .github/workflows/dependabot-burner.lock.yml | 2 +- .../workflows/dependabot-go-checker.lock.yml | 2 +- .github/workflows/dev-hawk.lock.yml | 2 +- .github/workflows/dev.lock.yml | 2 +- .../developer-docs-consolidator.lock.yml | 2 +- .github/workflows/dictation-prompt.lock.yml | 2 +- .../workflows/discussion-task-miner.lock.yml | 2 +- .github/workflows/docs-noob-tester.lock.yml | 2 +- .github/workflows/draft-pr-cleanup.lock.yml | 2 +- .../duplicate-code-detector.lock.yml | 2 +- .../example-workflow-analyzer.lock.yml | 2 +- .github/workflows/firewall-escape.lock.yml | 2 +- .../workflows/functional-pragmatist.lock.yml | 2 +- .../github-mcp-structural-analysis.lock.yml | 2 +- .../github-mcp-tools-report.lock.yml | 2 +- .../github-remote-mcp-auth-test.lock.yml | 2 +- .../workflows/glossary-maintainer.lock.yml | 2 +- .github/workflows/go-fan.lock.yml | 2 +- .github/workflows/go-logger.lock.yml | 2 +- .../workflows/go-pattern-detector.lock.yml | 2 +- .github/workflows/gpclean.lock.yml | 2 +- .github/workflows/grumpy-reviewer.lock.yml | 2 +- .github/workflows/hourly-ci-cleaner.lock.yml | 2 +- .../workflows/instructions-janitor.lock.yml | 2 +- .github/workflows/issue-arborist.lock.yml | 2 +- .github/workflows/issue-monster.lock.yml | 2 +- .github/workflows/issue-triage-agent.lock.yml | 2 +- .github/workflows/jsweep.lock.yml | 2 +- .../workflows/layout-spec-maintainer.lock.yml | 2 +- .github/workflows/lockfile-stats.lock.yml | 2 +- .github/workflows/mcp-inspector.lock.yml | 2 +- .github/workflows/mergefest.lock.yml | 2 +- .../workflows/notion-issue-summary.lock.yml | 2 +- .github/workflows/org-health-report.lock.yml | 2 +- .github/workflows/pdf-summary.lock.yml | 2 +- .github/workflows/plan.lock.yml | 2 +- .github/workflows/poem-bot.lock.yml | 2 +- .github/workflows/portfolio-analyst.lock.yml | 2 +- .../workflows/pr-nitpick-reviewer.lock.yml | 2 +- .github/workflows/pr-triage-agent.lock.yml | 2 +- .../prompt-clustering-analysis.lock.yml | 2 +- .github/workflows/python-data-charts.lock.yml | 2 +- .github/workflows/q.lock.yml | 2 +- .github/workflows/refiner.lock.yml | 2 +- .github/workflows/release.lock.yml | 2 +- .../workflows/repo-audit-analyzer.lock.yml | 2 +- .github/workflows/repo-tree-map.lock.yml | 2 +- .../repository-quality-improver.lock.yml | 2 +- .github/workflows/research.lock.yml | 2 +- .github/workflows/safe-output-health.lock.yml | 2 +- .../schema-consistency-checker.lock.yml | 2 +- .github/workflows/scout.lock.yml | 2 +- .../workflows/security-compliance.lock.yml | 2 +- .github/workflows/security-review.lock.yml | 2 +- .../semantic-function-refactor.lock.yml | 2 +- .github/workflows/sergo.lock.yml | 2 +- .../workflows/slide-deck-maintainer.lock.yml | 2 +- .github/workflows/smoke-agent.lock.yml | 2 +- .github/workflows/smoke-claude.lock.yml | 2 +- .github/workflows/smoke-codex.lock.yml | 2 +- .github/workflows/smoke-copilot-arm.lock.yml | 2 +- .github/workflows/smoke-copilot.lock.yml | 2 +- .github/workflows/smoke-gemini.lock.yml | 2 +- .github/workflows/smoke-multi-pr.lock.yml | 2 +- .github/workflows/smoke-project.lock.yml | 2 +- .github/workflows/smoke-temporary-id.lock.yml | 2 +- .github/workflows/smoke-test-tools.lock.yml | 2 +- .../workflows/stale-repo-identifier.lock.yml | 2 +- .../workflows/static-analysis-report.lock.yml | 2 +- .../workflows/step-name-alignment.lock.yml | 2 +- .github/workflows/sub-issue-closer.lock.yml | 2 +- .github/workflows/super-linter.lock.yml | 2 +- .../workflows/technical-doc-writer.lock.yml | 2 +- .github/workflows/terminal-stylist.lock.yml | 2 +- .../test-create-pr-error-handling.lock.yml | 2 +- .github/workflows/test-dispatcher.lock.yml | 2 +- .../test-project-url-default.lock.yml | 2 +- .github/workflows/tidy.lock.yml | 2 +- .github/workflows/typist.lock.yml | 2 +- .../workflows/ubuntu-image-analyzer.lock.yml | 2 +- .github/workflows/unbloat-docs.lock.yml | 2 +- .github/workflows/video-analyzer.lock.yml | 2 +- .../weekly-editors-health-check.lock.yml | 2 +- .../workflows/weekly-issue-summary.lock.yml | 2 +- .../weekly-safe-outputs-spec-review.lock.yml | 2 +- .github/workflows/workflow-generator.lock.yml | 4 +- .../workflow-health-manager.lock.yml | 2 +- .../workflows/workflow-normalizer.lock.yml | 2 +- .../workflow-skill-extractor.lock.yml | 2 +- pkg/parser/schemas/main_workflow_schema.json | 4 + pkg/workflow/compiler_unlock_job.go | 2 +- pkg/workflow/safe_outputs_config_helpers.go | 14 ++ pkg/workflow/safe_outputs_runs_on_test.go | 145 ++++++++++++++++++ pkg/workflow/threat_detection.go | 10 +- pkg/workflow/threat_detection_test.go | 86 ++++++++++- 155 files changed, 407 insertions(+), 154 deletions(-) diff --git a/.github/workflows/agent-performance-analyzer.lock.yml b/.github/workflows/agent-performance-analyzer.lock.yml index 6b60bde99a..ef2c024e5e 100644 --- a/.github/workflows/agent-performance-analyzer.lock.yml +++ b/.github/workflows/agent-performance-analyzer.lock.yml @@ -1136,7 +1136,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/agent-persona-explorer.lock.yml b/.github/workflows/agent-persona-explorer.lock.yml index 8b5e9aa558..b274e13053 100644 --- a/.github/workflows/agent-persona-explorer.lock.yml +++ b/.github/workflows/agent-persona-explorer.lock.yml @@ -1008,7 +1008,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/ai-moderator.lock.yml b/.github/workflows/ai-moderator.lock.yml index bf355f9fea..0e07f755f4 100644 --- a/.github/workflows/ai-moderator.lock.yml +++ b/.github/workflows/ai-moderator.lock.yml @@ -1129,7 +1129,7 @@ jobs: - activation - agent if: always() - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read issues: write diff --git a/.github/workflows/archie.lock.yml b/.github/workflows/archie.lock.yml index 092a41118c..496c84f55a 100644 --- a/.github/workflows/archie.lock.yml +++ b/.github/workflows/archie.lock.yml @@ -960,7 +960,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/artifacts-summary.lock.yml b/.github/workflows/artifacts-summary.lock.yml index 87e04ac455..e3596c6a96 100644 --- a/.github/workflows/artifacts-summary.lock.yml +++ b/.github/workflows/artifacts-summary.lock.yml @@ -915,7 +915,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/audit-workflows.lock.yml b/.github/workflows/audit-workflows.lock.yml index 7b07e1ea80..55db03f2ff 100644 --- a/.github/workflows/audit-workflows.lock.yml +++ b/.github/workflows/audit-workflows.lock.yml @@ -1174,7 +1174,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/auto-triage-issues.lock.yml b/.github/workflows/auto-triage-issues.lock.yml index 909daf9069..9d592ff6a3 100644 --- a/.github/workflows/auto-triage-issues.lock.yml +++ b/.github/workflows/auto-triage-issues.lock.yml @@ -985,7 +985,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/blog-auditor.lock.yml b/.github/workflows/blog-auditor.lock.yml index 8efdeee8f3..3b6f222418 100644 --- a/.github/workflows/blog-auditor.lock.yml +++ b/.github/workflows/blog-auditor.lock.yml @@ -1025,7 +1025,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/brave.lock.yml b/.github/workflows/brave.lock.yml index 6b30c73629..d638cbb43e 100644 --- a/.github/workflows/brave.lock.yml +++ b/.github/workflows/brave.lock.yml @@ -948,7 +948,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/breaking-change-checker.lock.yml b/.github/workflows/breaking-change-checker.lock.yml index 3406b5a4ac..409f649587 100644 --- a/.github/workflows/breaking-change-checker.lock.yml +++ b/.github/workflows/breaking-change-checker.lock.yml @@ -961,7 +961,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/changeset.lock.yml b/.github/workflows/changeset.lock.yml index bf56befc79..e150955f32 100644 --- a/.github/workflows/changeset.lock.yml +++ b/.github/workflows/changeset.lock.yml @@ -1036,7 +1036,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/ci-coach.lock.yml b/.github/workflows/ci-coach.lock.yml index 34b57a60b5..59f312011f 100644 --- a/.github/workflows/ci-coach.lock.yml +++ b/.github/workflows/ci-coach.lock.yml @@ -1035,7 +1035,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/ci-doctor.lock.yml b/.github/workflows/ci-doctor.lock.yml index 97c9b48aea..50f5d79b07 100644 --- a/.github/workflows/ci-doctor.lock.yml +++ b/.github/workflows/ci-doctor.lock.yml @@ -1163,7 +1163,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/claude-code-user-docs-review.lock.yml b/.github/workflows/claude-code-user-docs-review.lock.yml index 2e2b5520d4..8d9046de49 100644 --- a/.github/workflows/claude-code-user-docs-review.lock.yml +++ b/.github/workflows/claude-code-user-docs-review.lock.yml @@ -986,7 +986,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/cli-consistency-checker.lock.yml b/.github/workflows/cli-consistency-checker.lock.yml index e3d36d5f9c..2ff51d03d1 100644 --- a/.github/workflows/cli-consistency-checker.lock.yml +++ b/.github/workflows/cli-consistency-checker.lock.yml @@ -925,7 +925,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/cli-version-checker.lock.yml b/.github/workflows/cli-version-checker.lock.yml index 181dafb461..a84260ad3e 100644 --- a/.github/workflows/cli-version-checker.lock.yml +++ b/.github/workflows/cli-version-checker.lock.yml @@ -1014,7 +1014,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/cloclo.lock.yml b/.github/workflows/cloclo.lock.yml index 24e7a25645..e6630a7495 100644 --- a/.github/workflows/cloclo.lock.yml +++ b/.github/workflows/cloclo.lock.yml @@ -1308,7 +1308,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/code-scanning-fixer.lock.yml b/.github/workflows/code-scanning-fixer.lock.yml index 06c466a035..bc0611772b 100644 --- a/.github/workflows/code-scanning-fixer.lock.yml +++ b/.github/workflows/code-scanning-fixer.lock.yml @@ -1038,7 +1038,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/code-simplifier.lock.yml b/.github/workflows/code-simplifier.lock.yml index ab3b4dc29a..7f2d7b09cc 100644 --- a/.github/workflows/code-simplifier.lock.yml +++ b/.github/workflows/code-simplifier.lock.yml @@ -962,7 +962,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/commit-changes-analyzer.lock.yml b/.github/workflows/commit-changes-analyzer.lock.yml index e77e7dec5d..025e106abc 100644 --- a/.github/workflows/commit-changes-analyzer.lock.yml +++ b/.github/workflows/commit-changes-analyzer.lock.yml @@ -966,7 +966,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/contribution-check.lock.yml b/.github/workflows/contribution-check.lock.yml index 02f9db1a00..a9188b0f59 100644 --- a/.github/workflows/contribution-check.lock.yml +++ b/.github/workflows/contribution-check.lock.yml @@ -999,7 +999,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/copilot-agent-analysis.lock.yml b/.github/workflows/copilot-agent-analysis.lock.yml index 9a0a4e5e0f..c2a55b2d98 100644 --- a/.github/workflows/copilot-agent-analysis.lock.yml +++ b/.github/workflows/copilot-agent-analysis.lock.yml @@ -1046,7 +1046,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/copilot-cli-deep-research.lock.yml b/.github/workflows/copilot-cli-deep-research.lock.yml index 797bd9bb89..9a637e4982 100644 --- a/.github/workflows/copilot-cli-deep-research.lock.yml +++ b/.github/workflows/copilot-cli-deep-research.lock.yml @@ -977,7 +977,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/copilot-pr-merged-report.lock.yml b/.github/workflows/copilot-pr-merged-report.lock.yml index 2bd196cd9f..bc42ef355c 100644 --- a/.github/workflows/copilot-pr-merged-report.lock.yml +++ b/.github/workflows/copilot-pr-merged-report.lock.yml @@ -1085,7 +1085,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/copilot-pr-nlp-analysis.lock.yml b/.github/workflows/copilot-pr-nlp-analysis.lock.yml index f677e8e16e..ab994bdc29 100644 --- a/.github/workflows/copilot-pr-nlp-analysis.lock.yml +++ b/.github/workflows/copilot-pr-nlp-analysis.lock.yml @@ -1073,7 +1073,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/copilot-pr-prompt-analysis.lock.yml b/.github/workflows/copilot-pr-prompt-analysis.lock.yml index b02f6ce795..74c2fb708c 100644 --- a/.github/workflows/copilot-pr-prompt-analysis.lock.yml +++ b/.github/workflows/copilot-pr-prompt-analysis.lock.yml @@ -997,7 +997,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/copilot-session-insights.lock.yml b/.github/workflows/copilot-session-insights.lock.yml index 0f6f613945..2061162aa2 100644 --- a/.github/workflows/copilot-session-insights.lock.yml +++ b/.github/workflows/copilot-session-insights.lock.yml @@ -1125,7 +1125,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/craft.lock.yml b/.github/workflows/craft.lock.yml index ab401e2657..72300364f8 100644 --- a/.github/workflows/craft.lock.yml +++ b/.github/workflows/craft.lock.yml @@ -986,7 +986,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/daily-assign-issue-to-user.lock.yml b/.github/workflows/daily-assign-issue-to-user.lock.yml index 61d4a858f4..326f68e7e3 100644 --- a/.github/workflows/daily-assign-issue-to-user.lock.yml +++ b/.github/workflows/daily-assign-issue-to-user.lock.yml @@ -941,7 +941,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/daily-choice-test.lock.yml b/.github/workflows/daily-choice-test.lock.yml index 1e15d90232..a4e7bfa6d0 100644 --- a/.github/workflows/daily-choice-test.lock.yml +++ b/.github/workflows/daily-choice-test.lock.yml @@ -928,7 +928,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/daily-cli-performance.lock.yml b/.github/workflows/daily-cli-performance.lock.yml index 6b04296258..227cda5bff 100644 --- a/.github/workflows/daily-cli-performance.lock.yml +++ b/.github/workflows/daily-cli-performance.lock.yml @@ -1167,7 +1167,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/daily-cli-tools-tester.lock.yml b/.github/workflows/daily-cli-tools-tester.lock.yml index 4ed472d3b9..d42a7840e6 100644 --- a/.github/workflows/daily-cli-tools-tester.lock.yml +++ b/.github/workflows/daily-cli-tools-tester.lock.yml @@ -993,7 +993,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/daily-code-metrics.lock.yml b/.github/workflows/daily-code-metrics.lock.yml index b3d631d23e..2da8fa916c 100644 --- a/.github/workflows/daily-code-metrics.lock.yml +++ b/.github/workflows/daily-code-metrics.lock.yml @@ -1103,7 +1103,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/daily-compiler-quality.lock.yml b/.github/workflows/daily-compiler-quality.lock.yml index 3ad3b061f0..81e3f7d64f 100644 --- a/.github/workflows/daily-compiler-quality.lock.yml +++ b/.github/workflows/daily-compiler-quality.lock.yml @@ -973,7 +973,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/daily-copilot-token-report.lock.yml b/.github/workflows/daily-copilot-token-report.lock.yml index 3fdf273929..c64b1455f0 100644 --- a/.github/workflows/daily-copilot-token-report.lock.yml +++ b/.github/workflows/daily-copilot-token-report.lock.yml @@ -1084,7 +1084,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/daily-doc-updater.lock.yml b/.github/workflows/daily-doc-updater.lock.yml index 8d8f9dd494..aae0aaa802 100644 --- a/.github/workflows/daily-doc-updater.lock.yml +++ b/.github/workflows/daily-doc-updater.lock.yml @@ -1047,7 +1047,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/daily-fact.lock.yml b/.github/workflows/daily-fact.lock.yml index 49e43c7aca..788aa570f3 100644 --- a/.github/workflows/daily-fact.lock.yml +++ b/.github/workflows/daily-fact.lock.yml @@ -878,7 +878,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: {} concurrency: group: "gh-aw-codex-${{ github.workflow }}" diff --git a/.github/workflows/daily-file-diet.lock.yml b/.github/workflows/daily-file-diet.lock.yml index 314c9bdb87..7e9151e2ca 100644 --- a/.github/workflows/daily-file-diet.lock.yml +++ b/.github/workflows/daily-file-diet.lock.yml @@ -977,7 +977,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/daily-firewall-report.lock.yml b/.github/workflows/daily-firewall-report.lock.yml index bea723f005..3cb2a827bc 100644 --- a/.github/workflows/daily-firewall-report.lock.yml +++ b/.github/workflows/daily-firewall-report.lock.yml @@ -1080,7 +1080,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/daily-issues-report.lock.yml b/.github/workflows/daily-issues-report.lock.yml index 7a7674e74b..66a75ff6b0 100644 --- a/.github/workflows/daily-issues-report.lock.yml +++ b/.github/workflows/daily-issues-report.lock.yml @@ -1106,7 +1106,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/daily-mcp-concurrency-analysis.lock.yml b/.github/workflows/daily-mcp-concurrency-analysis.lock.yml index 5e3b4fc521..fac788e2ca 100644 --- a/.github/workflows/daily-mcp-concurrency-analysis.lock.yml +++ b/.github/workflows/daily-mcp-concurrency-analysis.lock.yml @@ -1024,7 +1024,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/daily-multi-device-docs-tester.lock.yml b/.github/workflows/daily-multi-device-docs-tester.lock.yml index e483a2d098..2efc9966c3 100644 --- a/.github/workflows/daily-multi-device-docs-tester.lock.yml +++ b/.github/workflows/daily-multi-device-docs-tester.lock.yml @@ -1102,7 +1102,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/daily-news.lock.yml b/.github/workflows/daily-news.lock.yml index 52c1067270..ba79f1f48b 100644 --- a/.github/workflows/daily-news.lock.yml +++ b/.github/workflows/daily-news.lock.yml @@ -1146,7 +1146,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/daily-observability-report.lock.yml b/.github/workflows/daily-observability-report.lock.yml index b054d9f585..e5539bc6de 100644 --- a/.github/workflows/daily-observability-report.lock.yml +++ b/.github/workflows/daily-observability-report.lock.yml @@ -1063,7 +1063,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/daily-performance-summary.lock.yml b/.github/workflows/daily-performance-summary.lock.yml index 9e81507527..5cf5c81bca 100644 --- a/.github/workflows/daily-performance-summary.lock.yml +++ b/.github/workflows/daily-performance-summary.lock.yml @@ -1569,7 +1569,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/daily-regulatory.lock.yml b/.github/workflows/daily-regulatory.lock.yml index 9e846470af..19c84fd8a0 100644 --- a/.github/workflows/daily-regulatory.lock.yml +++ b/.github/workflows/daily-regulatory.lock.yml @@ -1461,7 +1461,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/daily-rendering-scripts-verifier.lock.yml b/.github/workflows/daily-rendering-scripts-verifier.lock.yml index dc3afa5a57..d7a5134233 100644 --- a/.github/workflows/daily-rendering-scripts-verifier.lock.yml +++ b/.github/workflows/daily-rendering-scripts-verifier.lock.yml @@ -1133,7 +1133,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/daily-repo-chronicle.lock.yml b/.github/workflows/daily-repo-chronicle.lock.yml index eed552b7b3..444271a047 100644 --- a/.github/workflows/daily-repo-chronicle.lock.yml +++ b/.github/workflows/daily-repo-chronicle.lock.yml @@ -1015,7 +1015,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/daily-safe-output-optimizer.lock.yml b/.github/workflows/daily-safe-output-optimizer.lock.yml index beff45446f..983942235c 100644 --- a/.github/workflows/daily-safe-output-optimizer.lock.yml +++ b/.github/workflows/daily-safe-output-optimizer.lock.yml @@ -1103,7 +1103,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/daily-safe-outputs-conformance.lock.yml b/.github/workflows/daily-safe-outputs-conformance.lock.yml index 86485c36d5..5d3589f84c 100644 --- a/.github/workflows/daily-safe-outputs-conformance.lock.yml +++ b/.github/workflows/daily-safe-outputs-conformance.lock.yml @@ -981,7 +981,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/daily-secrets-analysis.lock.yml b/.github/workflows/daily-secrets-analysis.lock.yml index 81c35b24d0..3f7bcd6e28 100644 --- a/.github/workflows/daily-secrets-analysis.lock.yml +++ b/.github/workflows/daily-secrets-analysis.lock.yml @@ -979,7 +979,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/daily-security-red-team.lock.yml b/.github/workflows/daily-security-red-team.lock.yml index f6a0e4609f..cade40d225 100644 --- a/.github/workflows/daily-security-red-team.lock.yml +++ b/.github/workflows/daily-security-red-team.lock.yml @@ -985,7 +985,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/daily-semgrep-scan.lock.yml b/.github/workflows/daily-semgrep-scan.lock.yml index 86e246d585..5eed9849ea 100644 --- a/.github/workflows/daily-semgrep-scan.lock.yml +++ b/.github/workflows/daily-semgrep-scan.lock.yml @@ -963,7 +963,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/daily-syntax-error-quality.lock.yml b/.github/workflows/daily-syntax-error-quality.lock.yml index cb4d289aba..68137fae24 100644 --- a/.github/workflows/daily-syntax-error-quality.lock.yml +++ b/.github/workflows/daily-syntax-error-quality.lock.yml @@ -958,7 +958,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/daily-team-evolution-insights.lock.yml b/.github/workflows/daily-team-evolution-insights.lock.yml index dffba2df65..b8173e44d6 100644 --- a/.github/workflows/daily-team-evolution-insights.lock.yml +++ b/.github/workflows/daily-team-evolution-insights.lock.yml @@ -965,7 +965,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/daily-team-status.lock.yml b/.github/workflows/daily-team-status.lock.yml index b16d7ed6a8..391dfbade4 100644 --- a/.github/workflows/daily-team-status.lock.yml +++ b/.github/workflows/daily-team-status.lock.yml @@ -953,7 +953,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/daily-testify-uber-super-expert.lock.yml b/.github/workflows/daily-testify-uber-super-expert.lock.yml index b0adb64bbc..f1357a2205 100644 --- a/.github/workflows/daily-testify-uber-super-expert.lock.yml +++ b/.github/workflows/daily-testify-uber-super-expert.lock.yml @@ -1016,7 +1016,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/daily-workflow-updater.lock.yml b/.github/workflows/daily-workflow-updater.lock.yml index 19903bd8b0..16c35b4a6e 100644 --- a/.github/workflows/daily-workflow-updater.lock.yml +++ b/.github/workflows/daily-workflow-updater.lock.yml @@ -948,7 +948,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/deep-report.lock.yml b/.github/workflows/deep-report.lock.yml index 9415fcea20..4dfb1d5c6e 100644 --- a/.github/workflows/deep-report.lock.yml +++ b/.github/workflows/deep-report.lock.yml @@ -1193,7 +1193,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/delight.lock.yml b/.github/workflows/delight.lock.yml index 23ef1a3d1e..33a52c3457 100644 --- a/.github/workflows/delight.lock.yml +++ b/.github/workflows/delight.lock.yml @@ -1062,7 +1062,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/dependabot-burner.lock.yml b/.github/workflows/dependabot-burner.lock.yml index e7eb50b43f..dd296a7a19 100644 --- a/.github/workflows/dependabot-burner.lock.yml +++ b/.github/workflows/dependabot-burner.lock.yml @@ -926,7 +926,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/dependabot-go-checker.lock.yml b/.github/workflows/dependabot-go-checker.lock.yml index e3de227867..ed140fa045 100644 --- a/.github/workflows/dependabot-go-checker.lock.yml +++ b/.github/workflows/dependabot-go-checker.lock.yml @@ -967,7 +967,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/dev-hawk.lock.yml b/.github/workflows/dev-hawk.lock.yml index 4cf96de250..f010d8d517 100644 --- a/.github/workflows/dev-hawk.lock.yml +++ b/.github/workflows/dev-hawk.lock.yml @@ -1010,7 +1010,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/dev.lock.yml b/.github/workflows/dev.lock.yml index b601e2942b..ba25480b94 100644 --- a/.github/workflows/dev.lock.yml +++ b/.github/workflows/dev.lock.yml @@ -922,7 +922,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/developer-docs-consolidator.lock.yml b/.github/workflows/developer-docs-consolidator.lock.yml index 3a279438c5..4da22a898a 100644 --- a/.github/workflows/developer-docs-consolidator.lock.yml +++ b/.github/workflows/developer-docs-consolidator.lock.yml @@ -1127,7 +1127,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/dictation-prompt.lock.yml b/.github/workflows/dictation-prompt.lock.yml index bb66be51d8..71282dc2ae 100644 --- a/.github/workflows/dictation-prompt.lock.yml +++ b/.github/workflows/dictation-prompt.lock.yml @@ -949,7 +949,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/discussion-task-miner.lock.yml b/.github/workflows/discussion-task-miner.lock.yml index f1f5947d83..4b714e05c4 100644 --- a/.github/workflows/discussion-task-miner.lock.yml +++ b/.github/workflows/discussion-task-miner.lock.yml @@ -1043,7 +1043,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/docs-noob-tester.lock.yml b/.github/workflows/docs-noob-tester.lock.yml index 55dd3494ac..3779dfec6a 100644 --- a/.github/workflows/docs-noob-tester.lock.yml +++ b/.github/workflows/docs-noob-tester.lock.yml @@ -965,7 +965,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/draft-pr-cleanup.lock.yml b/.github/workflows/draft-pr-cleanup.lock.yml index a7c5914eeb..47e494031a 100644 --- a/.github/workflows/draft-pr-cleanup.lock.yml +++ b/.github/workflows/draft-pr-cleanup.lock.yml @@ -972,7 +972,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/duplicate-code-detector.lock.yml b/.github/workflows/duplicate-code-detector.lock.yml index d760d03ce0..0a036e60bb 100644 --- a/.github/workflows/duplicate-code-detector.lock.yml +++ b/.github/workflows/duplicate-code-detector.lock.yml @@ -977,7 +977,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/example-workflow-analyzer.lock.yml b/.github/workflows/example-workflow-analyzer.lock.yml index fa5e4a53ff..204257f7d2 100644 --- a/.github/workflows/example-workflow-analyzer.lock.yml +++ b/.github/workflows/example-workflow-analyzer.lock.yml @@ -1024,7 +1024,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/firewall-escape.lock.yml b/.github/workflows/firewall-escape.lock.yml index 3ff52bd8ff..06efa6cf1c 100644 --- a/.github/workflows/firewall-escape.lock.yml +++ b/.github/workflows/firewall-escape.lock.yml @@ -995,7 +995,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/functional-pragmatist.lock.yml b/.github/workflows/functional-pragmatist.lock.yml index 55d04e81a1..a4de7534fd 100644 --- a/.github/workflows/functional-pragmatist.lock.yml +++ b/.github/workflows/functional-pragmatist.lock.yml @@ -956,7 +956,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/github-mcp-structural-analysis.lock.yml b/.github/workflows/github-mcp-structural-analysis.lock.yml index 50fc308b9c..76b7932a39 100644 --- a/.github/workflows/github-mcp-structural-analysis.lock.yml +++ b/.github/workflows/github-mcp-structural-analysis.lock.yml @@ -1060,7 +1060,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/github-mcp-tools-report.lock.yml b/.github/workflows/github-mcp-tools-report.lock.yml index f3e680bea0..d45f795680 100644 --- a/.github/workflows/github-mcp-tools-report.lock.yml +++ b/.github/workflows/github-mcp-tools-report.lock.yml @@ -1084,7 +1084,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/github-remote-mcp-auth-test.lock.yml b/.github/workflows/github-remote-mcp-auth-test.lock.yml index 42716c2487..5620870131 100644 --- a/.github/workflows/github-remote-mcp-auth-test.lock.yml +++ b/.github/workflows/github-remote-mcp-auth-test.lock.yml @@ -919,7 +919,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/glossary-maintainer.lock.yml b/.github/workflows/glossary-maintainer.lock.yml index b94ef238a3..a5702f5277 100644 --- a/.github/workflows/glossary-maintainer.lock.yml +++ b/.github/workflows/glossary-maintainer.lock.yml @@ -1029,7 +1029,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/go-fan.lock.yml b/.github/workflows/go-fan.lock.yml index 6457728b45..c760c2e8be 100644 --- a/.github/workflows/go-fan.lock.yml +++ b/.github/workflows/go-fan.lock.yml @@ -1030,7 +1030,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/go-logger.lock.yml b/.github/workflows/go-logger.lock.yml index 6f369d4cde..23ab513e8f 100644 --- a/.github/workflows/go-logger.lock.yml +++ b/.github/workflows/go-logger.lock.yml @@ -1212,7 +1212,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/go-pattern-detector.lock.yml b/.github/workflows/go-pattern-detector.lock.yml index 79d8472590..45583215c9 100644 --- a/.github/workflows/go-pattern-detector.lock.yml +++ b/.github/workflows/go-pattern-detector.lock.yml @@ -1023,7 +1023,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/gpclean.lock.yml b/.github/workflows/gpclean.lock.yml index 7e343def11..77d2b3cabf 100644 --- a/.github/workflows/gpclean.lock.yml +++ b/.github/workflows/gpclean.lock.yml @@ -954,7 +954,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/grumpy-reviewer.lock.yml b/.github/workflows/grumpy-reviewer.lock.yml index c96fd80842..2001f91faf 100644 --- a/.github/workflows/grumpy-reviewer.lock.yml +++ b/.github/workflows/grumpy-reviewer.lock.yml @@ -1033,7 +1033,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/hourly-ci-cleaner.lock.yml b/.github/workflows/hourly-ci-cleaner.lock.yml index a5d1aa587a..33fff48881 100644 --- a/.github/workflows/hourly-ci-cleaner.lock.yml +++ b/.github/workflows/hourly-ci-cleaner.lock.yml @@ -1055,7 +1055,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/instructions-janitor.lock.yml b/.github/workflows/instructions-janitor.lock.yml index 913eed7b95..56dcac3e9d 100644 --- a/.github/workflows/instructions-janitor.lock.yml +++ b/.github/workflows/instructions-janitor.lock.yml @@ -1040,7 +1040,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/issue-arborist.lock.yml b/.github/workflows/issue-arborist.lock.yml index 9aebfb36e9..8589a37951 100644 --- a/.github/workflows/issue-arborist.lock.yml +++ b/.github/workflows/issue-arborist.lock.yml @@ -1047,7 +1047,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/issue-monster.lock.yml b/.github/workflows/issue-monster.lock.yml index 7422eac001..2320dce215 100644 --- a/.github/workflows/issue-monster.lock.yml +++ b/.github/workflows/issue-monster.lock.yml @@ -974,7 +974,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/issue-triage-agent.lock.yml b/.github/workflows/issue-triage-agent.lock.yml index 61877f91ef..b1b16e65ad 100644 --- a/.github/workflows/issue-triage-agent.lock.yml +++ b/.github/workflows/issue-triage-agent.lock.yml @@ -911,7 +911,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/jsweep.lock.yml b/.github/workflows/jsweep.lock.yml index 0f118dbf7d..8881028c60 100644 --- a/.github/workflows/jsweep.lock.yml +++ b/.github/workflows/jsweep.lock.yml @@ -992,7 +992,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/layout-spec-maintainer.lock.yml b/.github/workflows/layout-spec-maintainer.lock.yml index bd50055535..b3eb7555dd 100644 --- a/.github/workflows/layout-spec-maintainer.lock.yml +++ b/.github/workflows/layout-spec-maintainer.lock.yml @@ -985,7 +985,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/lockfile-stats.lock.yml b/.github/workflows/lockfile-stats.lock.yml index cd94860773..fa504c0f0d 100644 --- a/.github/workflows/lockfile-stats.lock.yml +++ b/.github/workflows/lockfile-stats.lock.yml @@ -986,7 +986,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/mcp-inspector.lock.yml b/.github/workflows/mcp-inspector.lock.yml index eee7dc265e..1a030fd48c 100644 --- a/.github/workflows/mcp-inspector.lock.yml +++ b/.github/workflows/mcp-inspector.lock.yml @@ -1325,7 +1325,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/mergefest.lock.yml b/.github/workflows/mergefest.lock.yml index 380a74e600..e00ea31cf1 100644 --- a/.github/workflows/mergefest.lock.yml +++ b/.github/workflows/mergefest.lock.yml @@ -977,7 +977,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/notion-issue-summary.lock.yml b/.github/workflows/notion-issue-summary.lock.yml index 0a8b89e45a..9d4c7b904b 100644 --- a/.github/workflows/notion-issue-summary.lock.yml +++ b/.github/workflows/notion-issue-summary.lock.yml @@ -892,7 +892,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/org-health-report.lock.yml b/.github/workflows/org-health-report.lock.yml index 43d59d4d8a..357dfce954 100644 --- a/.github/workflows/org-health-report.lock.yml +++ b/.github/workflows/org-health-report.lock.yml @@ -1014,7 +1014,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/pdf-summary.lock.yml b/.github/workflows/pdf-summary.lock.yml index d38bc6e6aa..3e67c00daa 100644 --- a/.github/workflows/pdf-summary.lock.yml +++ b/.github/workflows/pdf-summary.lock.yml @@ -1049,7 +1049,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/plan.lock.yml b/.github/workflows/plan.lock.yml index d653268b19..66d7791862 100644 --- a/.github/workflows/plan.lock.yml +++ b/.github/workflows/plan.lock.yml @@ -1015,7 +1015,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/poem-bot.lock.yml b/.github/workflows/poem-bot.lock.yml index 68544e9609..47beac5519 100644 --- a/.github/workflows/poem-bot.lock.yml +++ b/.github/workflows/poem-bot.lock.yml @@ -1653,7 +1653,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/portfolio-analyst.lock.yml b/.github/workflows/portfolio-analyst.lock.yml index 00575ebc0c..4968f0f638 100644 --- a/.github/workflows/portfolio-analyst.lock.yml +++ b/.github/workflows/portfolio-analyst.lock.yml @@ -1091,7 +1091,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/pr-nitpick-reviewer.lock.yml b/.github/workflows/pr-nitpick-reviewer.lock.yml index 3cb0218469..9464c90a38 100644 --- a/.github/workflows/pr-nitpick-reviewer.lock.yml +++ b/.github/workflows/pr-nitpick-reviewer.lock.yml @@ -1122,7 +1122,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/pr-triage-agent.lock.yml b/.github/workflows/pr-triage-agent.lock.yml index a1d281e9db..3cee1402e5 100644 --- a/.github/workflows/pr-triage-agent.lock.yml +++ b/.github/workflows/pr-triage-agent.lock.yml @@ -1045,7 +1045,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/prompt-clustering-analysis.lock.yml b/.github/workflows/prompt-clustering-analysis.lock.yml index 2c48f7411f..8fad76f30d 100644 --- a/.github/workflows/prompt-clustering-analysis.lock.yml +++ b/.github/workflows/prompt-clustering-analysis.lock.yml @@ -1117,7 +1117,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/python-data-charts.lock.yml b/.github/workflows/python-data-charts.lock.yml index d7c80468a1..318d27c031 100644 --- a/.github/workflows/python-data-charts.lock.yml +++ b/.github/workflows/python-data-charts.lock.yml @@ -1077,7 +1077,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/q.lock.yml b/.github/workflows/q.lock.yml index 20900388ae..98faa68a5d 100644 --- a/.github/workflows/q.lock.yml +++ b/.github/workflows/q.lock.yml @@ -1171,7 +1171,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/refiner.lock.yml b/.github/workflows/refiner.lock.yml index 5c4c3952a1..e7fb8d1963 100644 --- a/.github/workflows/refiner.lock.yml +++ b/.github/workflows/refiner.lock.yml @@ -1015,7 +1015,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/release.lock.yml b/.github/workflows/release.lock.yml index 00ed0c78f3..6f5397aa85 100644 --- a/.github/workflows/release.lock.yml +++ b/.github/workflows/release.lock.yml @@ -1038,7 +1038,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/repo-audit-analyzer.lock.yml b/.github/workflows/repo-audit-analyzer.lock.yml index bd293dd7e8..923a5c9d11 100644 --- a/.github/workflows/repo-audit-analyzer.lock.yml +++ b/.github/workflows/repo-audit-analyzer.lock.yml @@ -954,7 +954,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/repo-tree-map.lock.yml b/.github/workflows/repo-tree-map.lock.yml index b0ce520057..0458c7a293 100644 --- a/.github/workflows/repo-tree-map.lock.yml +++ b/.github/workflows/repo-tree-map.lock.yml @@ -911,7 +911,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/repository-quality-improver.lock.yml b/.github/workflows/repository-quality-improver.lock.yml index 941cd6cf91..b37ed00717 100644 --- a/.github/workflows/repository-quality-improver.lock.yml +++ b/.github/workflows/repository-quality-improver.lock.yml @@ -956,7 +956,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/research.lock.yml b/.github/workflows/research.lock.yml index 1f797889a6..f015395691 100644 --- a/.github/workflows/research.lock.yml +++ b/.github/workflows/research.lock.yml @@ -939,7 +939,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/safe-output-health.lock.yml b/.github/workflows/safe-output-health.lock.yml index 4a9a4b2828..7625a88cc8 100644 --- a/.github/workflows/safe-output-health.lock.yml +++ b/.github/workflows/safe-output-health.lock.yml @@ -1079,7 +1079,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/schema-consistency-checker.lock.yml b/.github/workflows/schema-consistency-checker.lock.yml index 008758bc27..e4cc0952a6 100644 --- a/.github/workflows/schema-consistency-checker.lock.yml +++ b/.github/workflows/schema-consistency-checker.lock.yml @@ -987,7 +987,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/scout.lock.yml b/.github/workflows/scout.lock.yml index cbccebf720..3ca16607ac 100644 --- a/.github/workflows/scout.lock.yml +++ b/.github/workflows/scout.lock.yml @@ -1131,7 +1131,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/security-compliance.lock.yml b/.github/workflows/security-compliance.lock.yml index ab14c1a9a7..bf6032a3ae 100644 --- a/.github/workflows/security-compliance.lock.yml +++ b/.github/workflows/security-compliance.lock.yml @@ -993,7 +993,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/security-review.lock.yml b/.github/workflows/security-review.lock.yml index fd5358a5b0..26fa0b1d65 100644 --- a/.github/workflows/security-review.lock.yml +++ b/.github/workflows/security-review.lock.yml @@ -1104,7 +1104,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/semantic-function-refactor.lock.yml b/.github/workflows/semantic-function-refactor.lock.yml index b1b86538ba..14cc40703e 100644 --- a/.github/workflows/semantic-function-refactor.lock.yml +++ b/.github/workflows/semantic-function-refactor.lock.yml @@ -1059,7 +1059,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/sergo.lock.yml b/.github/workflows/sergo.lock.yml index 825e29f1df..15bffe5f39 100644 --- a/.github/workflows/sergo.lock.yml +++ b/.github/workflows/sergo.lock.yml @@ -1029,7 +1029,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/slide-deck-maintainer.lock.yml b/.github/workflows/slide-deck-maintainer.lock.yml index e98e5d77fb..213bf5de19 100644 --- a/.github/workflows/slide-deck-maintainer.lock.yml +++ b/.github/workflows/slide-deck-maintainer.lock.yml @@ -1051,7 +1051,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/smoke-agent.lock.yml b/.github/workflows/smoke-agent.lock.yml index eb54028530..8c24a169e7 100644 --- a/.github/workflows/smoke-agent.lock.yml +++ b/.github/workflows/smoke-agent.lock.yml @@ -1010,7 +1010,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/smoke-claude.lock.yml b/.github/workflows/smoke-claude.lock.yml index 9c9be178be..545bd0df52 100644 --- a/.github/workflows/smoke-claude.lock.yml +++ b/.github/workflows/smoke-claude.lock.yml @@ -2543,7 +2543,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/smoke-codex.lock.yml b/.github/workflows/smoke-codex.lock.yml index 0e5f7f0dda..843a1be0b3 100644 --- a/.github/workflows/smoke-codex.lock.yml +++ b/.github/workflows/smoke-codex.lock.yml @@ -1465,7 +1465,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/smoke-copilot-arm.lock.yml b/.github/workflows/smoke-copilot-arm.lock.yml index 5b0f068311..8138fc6225 100644 --- a/.github/workflows/smoke-copilot-arm.lock.yml +++ b/.github/workflows/smoke-copilot-arm.lock.yml @@ -1977,7 +1977,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/smoke-copilot.lock.yml b/.github/workflows/smoke-copilot.lock.yml index 2765c48e22..9b09984d8e 100644 --- a/.github/workflows/smoke-copilot.lock.yml +++ b/.github/workflows/smoke-copilot.lock.yml @@ -1979,7 +1979,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/smoke-gemini.lock.yml b/.github/workflows/smoke-gemini.lock.yml index fbc22a4cfe..24aacf30b4 100644 --- a/.github/workflows/smoke-gemini.lock.yml +++ b/.github/workflows/smoke-gemini.lock.yml @@ -1201,7 +1201,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/smoke-multi-pr.lock.yml b/.github/workflows/smoke-multi-pr.lock.yml index 0f679a3cce..5ccccd690f 100644 --- a/.github/workflows/smoke-multi-pr.lock.yml +++ b/.github/workflows/smoke-multi-pr.lock.yml @@ -1065,7 +1065,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/smoke-project.lock.yml b/.github/workflows/smoke-project.lock.yml index eddb4b68e1..1cd0799aad 100644 --- a/.github/workflows/smoke-project.lock.yml +++ b/.github/workflows/smoke-project.lock.yml @@ -1459,7 +1459,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/smoke-temporary-id.lock.yml b/.github/workflows/smoke-temporary-id.lock.yml index 6928cf6584..590aa0535b 100644 --- a/.github/workflows/smoke-temporary-id.lock.yml +++ b/.github/workflows/smoke-temporary-id.lock.yml @@ -1065,7 +1065,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/smoke-test-tools.lock.yml b/.github/workflows/smoke-test-tools.lock.yml index 8e24bca735..ad8d1e821a 100644 --- a/.github/workflows/smoke-test-tools.lock.yml +++ b/.github/workflows/smoke-test-tools.lock.yml @@ -968,7 +968,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/stale-repo-identifier.lock.yml b/.github/workflows/stale-repo-identifier.lock.yml index 5d4c4393b8..b4c3490aac 100644 --- a/.github/workflows/stale-repo-identifier.lock.yml +++ b/.github/workflows/stale-repo-identifier.lock.yml @@ -1081,7 +1081,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/static-analysis-report.lock.yml b/.github/workflows/static-analysis-report.lock.yml index da12f59fe2..26727b2430 100644 --- a/.github/workflows/static-analysis-report.lock.yml +++ b/.github/workflows/static-analysis-report.lock.yml @@ -1061,7 +1061,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/step-name-alignment.lock.yml b/.github/workflows/step-name-alignment.lock.yml index 26ae6d43ad..1e5bbf99ef 100644 --- a/.github/workflows/step-name-alignment.lock.yml +++ b/.github/workflows/step-name-alignment.lock.yml @@ -1013,7 +1013,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/sub-issue-closer.lock.yml b/.github/workflows/sub-issue-closer.lock.yml index 4a891cba8c..ce5d26c45f 100644 --- a/.github/workflows/sub-issue-closer.lock.yml +++ b/.github/workflows/sub-issue-closer.lock.yml @@ -1007,7 +1007,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/super-linter.lock.yml b/.github/workflows/super-linter.lock.yml index 48e19a468a..2dac1457e0 100644 --- a/.github/workflows/super-linter.lock.yml +++ b/.github/workflows/super-linter.lock.yml @@ -969,7 +969,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/technical-doc-writer.lock.yml b/.github/workflows/technical-doc-writer.lock.yml index 686a2133d0..c134c45ff6 100644 --- a/.github/workflows/technical-doc-writer.lock.yml +++ b/.github/workflows/technical-doc-writer.lock.yml @@ -1097,7 +1097,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/terminal-stylist.lock.yml b/.github/workflows/terminal-stylist.lock.yml index 78892b7fd7..30dc2e559f 100644 --- a/.github/workflows/terminal-stylist.lock.yml +++ b/.github/workflows/terminal-stylist.lock.yml @@ -919,7 +919,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/test-create-pr-error-handling.lock.yml b/.github/workflows/test-create-pr-error-handling.lock.yml index f410f9c07c..3165d176b9 100644 --- a/.github/workflows/test-create-pr-error-handling.lock.yml +++ b/.github/workflows/test-create-pr-error-handling.lock.yml @@ -1014,7 +1014,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/test-dispatcher.lock.yml b/.github/workflows/test-dispatcher.lock.yml index cdd97a6f10..b6c6d8cc46 100644 --- a/.github/workflows/test-dispatcher.lock.yml +++ b/.github/workflows/test-dispatcher.lock.yml @@ -861,7 +861,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/test-project-url-default.lock.yml b/.github/workflows/test-project-url-default.lock.yml index c9a4fbdccc..5ac4184c67 100644 --- a/.github/workflows/test-project-url-default.lock.yml +++ b/.github/workflows/test-project-url-default.lock.yml @@ -1104,7 +1104,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/tidy.lock.yml b/.github/workflows/tidy.lock.yml index 4994c0c2d3..de5fe29850 100644 --- a/.github/workflows/tidy.lock.yml +++ b/.github/workflows/tidy.lock.yml @@ -1075,7 +1075,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/typist.lock.yml b/.github/workflows/typist.lock.yml index 130117c67f..22870f625d 100644 --- a/.github/workflows/typist.lock.yml +++ b/.github/workflows/typist.lock.yml @@ -997,7 +997,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/ubuntu-image-analyzer.lock.yml b/.github/workflows/ubuntu-image-analyzer.lock.yml index a13045ce17..62fb2ee935 100644 --- a/.github/workflows/ubuntu-image-analyzer.lock.yml +++ b/.github/workflows/ubuntu-image-analyzer.lock.yml @@ -981,7 +981,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/unbloat-docs.lock.yml b/.github/workflows/unbloat-docs.lock.yml index ad1f76e605..a1e46d7cd7 100644 --- a/.github/workflows/unbloat-docs.lock.yml +++ b/.github/workflows/unbloat-docs.lock.yml @@ -1238,7 +1238,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/video-analyzer.lock.yml b/.github/workflows/video-analyzer.lock.yml index 20ac245581..de12d9c712 100644 --- a/.github/workflows/video-analyzer.lock.yml +++ b/.github/workflows/video-analyzer.lock.yml @@ -963,7 +963,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/weekly-editors-health-check.lock.yml b/.github/workflows/weekly-editors-health-check.lock.yml index 2bd4f2e9fd..73a5f89062 100644 --- a/.github/workflows/weekly-editors-health-check.lock.yml +++ b/.github/workflows/weekly-editors-health-check.lock.yml @@ -1027,7 +1027,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/weekly-issue-summary.lock.yml b/.github/workflows/weekly-issue-summary.lock.yml index 1646222d20..3cf065cf15 100644 --- a/.github/workflows/weekly-issue-summary.lock.yml +++ b/.github/workflows/weekly-issue-summary.lock.yml @@ -989,7 +989,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/weekly-safe-outputs-spec-review.lock.yml b/.github/workflows/weekly-safe-outputs-spec-review.lock.yml index 9c8da0a6f0..60d6158863 100644 --- a/.github/workflows/weekly-safe-outputs-spec-review.lock.yml +++ b/.github/workflows/weekly-safe-outputs-spec-review.lock.yml @@ -947,7 +947,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/workflow-generator.lock.yml b/.github/workflows/workflow-generator.lock.yml index cc4adb3b41..6a58b678c1 100644 --- a/.github/workflows/workflow-generator.lock.yml +++ b/.github/workflows/workflow-generator.lock.yml @@ -1055,7 +1055,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read timeout-minutes: 10 @@ -1313,7 +1313,7 @@ jobs: - agent - detection if: always() - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read issues: write diff --git a/.github/workflows/workflow-health-manager.lock.yml b/.github/workflows/workflow-health-manager.lock.yml index a5740ac7e7..7dc957352b 100644 --- a/.github/workflows/workflow-health-manager.lock.yml +++ b/.github/workflows/workflow-health-manager.lock.yml @@ -1132,7 +1132,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/workflow-normalizer.lock.yml b/.github/workflows/workflow-normalizer.lock.yml index 1fc06fd0cb..5035bba7cd 100644 --- a/.github/workflows/workflow-normalizer.lock.yml +++ b/.github/workflows/workflow-normalizer.lock.yml @@ -1003,7 +1003,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/.github/workflows/workflow-skill-extractor.lock.yml b/.github/workflows/workflow-skill-extractor.lock.yml index 8dc26aa52e..706342fc09 100644 --- a/.github/workflows/workflow-skill-extractor.lock.yml +++ b/.github/workflows/workflow-skill-extractor.lock.yml @@ -1006,7 +1006,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read concurrency: diff --git a/pkg/parser/schemas/main_workflow_schema.json b/pkg/parser/schemas/main_workflow_schema.json index d46a72dbb7..e1a1937b96 100644 --- a/pkg/parser/schemas/main_workflow_schema.json +++ b/pkg/parser/schemas/main_workflow_schema.json @@ -6611,6 +6611,10 @@ "items": { "$ref": "#/$defs/githubActionsStep" } + }, + "run-on": { + "type": "string", + "description": "Runner specification for the detection job. Overrides safe-outputs.runs-on for the detection job only. Defaults to safe-outputs.runs-on, then ubuntu-latest." } }, "additionalProperties": false diff --git a/pkg/workflow/compiler_unlock_job.go b/pkg/workflow/compiler_unlock_job.go index f1446dec7a..a8f27c7755 100644 --- a/pkg/workflow/compiler_unlock_job.go +++ b/pkg/workflow/compiler_unlock_job.go @@ -100,7 +100,7 @@ func (c *Compiler) buildUnlockJob(data *WorkflowData, threatDetectionEnabled boo Name: "unlock", Needs: needs, If: alwaysFunc.Render(), - RunsOn: data.RunsOn, + RunsOn: c.formatSafeOutputsRunsOn(data.SafeOutputs), Permissions: permissions, Steps: steps, TimeoutMinutes: 5, // Short timeout - unlock is a quick operation diff --git a/pkg/workflow/safe_outputs_config_helpers.go b/pkg/workflow/safe_outputs_config_helpers.go index 47305d412c..6856b5eafc 100644 --- a/pkg/workflow/safe_outputs_config_helpers.go +++ b/pkg/workflow/safe_outputs_config_helpers.go @@ -121,6 +121,20 @@ func (c *Compiler) formatSafeOutputsRunsOn(safeOutputs *SafeOutputsConfig) strin return "runs-on: " + safeOutputs.RunsOn } +// formatDetectionRunsOn resolves the runner for the detection job using the following priority: +// 1. safe-outputs.detection.run-on (detection-specific override) +// 2. safe-outputs.runs-on (global safe-outputs runner) +// 3. ubuntu-latest (default) +func (c *Compiler) formatDetectionRunsOn(safeOutputs *SafeOutputsConfig) string { + if safeOutputs != nil && safeOutputs.ThreatDetection != nil && safeOutputs.ThreatDetection.RunsOn != "" { + return "runs-on: " + safeOutputs.ThreatDetection.RunsOn + } + if safeOutputs != nil && safeOutputs.RunsOn != "" { + return "runs-on: " + safeOutputs.RunsOn + } + return "runs-on: " + constants.DefaultActivationJobRunnerImage +} + // builtinSafeOutputFields contains the struct field names for the built-in safe output types // that are excluded from the "non-builtin" check. These are: noop, missing-data, missing-tool. var builtinSafeOutputFields = map[string]bool{ diff --git a/pkg/workflow/safe_outputs_runs_on_test.go b/pkg/workflow/safe_outputs_runs_on_test.go index d9bcdee427..85356ef6dc 100644 --- a/pkg/workflow/safe_outputs_runs_on_test.go +++ b/pkg/workflow/safe_outputs_runs_on_test.go @@ -184,3 +184,148 @@ func TestFormatSafeOutputsRunsOnEdgeCases(t *testing.T) { }) } } + +func TestUnlockJobUsesRunsOn(t *testing.T) { + frontmatter := `--- +on: + issues: + types: [opened] + lock-for-agent: true +safe-outputs: + create-issue: + title-prefix: "[ai] " + runs-on: self-hosted +--- + +# Test Workflow + +This is a test workflow.` + + tmpDir := testutil.TempDir(t, "workflow-unlock-runs-on-test") + + testFile := filepath.Join(tmpDir, "test.md") + if err := os.WriteFile(testFile, []byte(frontmatter), 0644); err != nil { + t.Fatal(err) + } + + compiler := NewCompiler() + if err := compiler.CompileWorkflow(testFile); err != nil { + t.Fatalf("Failed to compile workflow: %v", err) + } + + lockFile := filepath.Join(tmpDir, "test.lock.yml") + yamlContent, err := os.ReadFile(lockFile) + if err != nil { + t.Fatalf("Failed to read lock file: %v", err) + } + + yamlStr := string(yamlContent) + + // Verify the unlock job uses the safe-outputs runs-on value + expectedRunsOn := "runs-on: self-hosted" + unlockJobPattern := "\n unlock:" + unlockStart := strings.Index(yamlStr, unlockJobPattern) + if unlockStart == -1 { + t.Fatal("Expected unlock job to be present in compiled YAML") + } + + unlockSection := yamlStr[unlockStart : unlockStart+500] + defaultRunsOn := "runs-on: " + constants.DefaultActivationJobRunnerImage + if strings.Contains(unlockSection, defaultRunsOn) { + t.Errorf("Unlock job uses default %q instead of safe-outputs runner.\nUnlock section:\n%s", defaultRunsOn, unlockSection) + } + if !strings.Contains(unlockSection, expectedRunsOn) { + t.Errorf("Unlock job does not use expected %q.\nUnlock section:\n%s", expectedRunsOn, unlockSection) + } +} + +func TestDetectionJobRunsOnResolution(t *testing.T) { + tests := []struct { + name string + frontmatter string + expectedRunsOn string + }{ + { + name: "detection uses safe-outputs runs-on when no detection run-on", + frontmatter: `--- +on: push +safe-outputs: + create-issue: + title-prefix: "[ai] " + runs-on: self-hosted +--- + +# Test Workflow + +This is a test workflow.`, + expectedRunsOn: "runs-on: self-hosted", + }, + { + name: "detection run-on overrides safe-outputs runs-on", + frontmatter: `--- +on: push +safe-outputs: + create-issue: + title-prefix: "[ai] " + runs-on: self-hosted + threat-detection: + run-on: detection-runner +--- + +# Test Workflow + +This is a test workflow.`, + expectedRunsOn: "runs-on: detection-runner", + }, + { + name: "detection falls back to ubuntu-latest when no runs-on configured", + frontmatter: `--- +on: push +safe-outputs: + create-issue: + title-prefix: "[ai] " +--- + +# Test Workflow + +This is a test workflow.`, + expectedRunsOn: "runs-on: " + constants.DefaultActivationJobRunnerImage, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + tmpDir := testutil.TempDir(t, "workflow-detection-runs-on-test") + + testFile := filepath.Join(tmpDir, "test.md") + if err := os.WriteFile(testFile, []byte(tt.frontmatter), 0644); err != nil { + t.Fatal(err) + } + + compiler := NewCompiler() + if err := compiler.CompileWorkflow(testFile); err != nil { + t.Fatalf("Failed to compile workflow: %v", err) + } + + lockFile := filepath.Join(tmpDir, "test.lock.yml") + yamlContent, err := os.ReadFile(lockFile) + if err != nil { + t.Fatalf("Failed to read lock file: %v", err) + } + + yamlStr := string(yamlContent) + + // Verify the detection job uses the expected runs-on value + detectionJobPattern := "\n detection:" + detectionStart := strings.Index(yamlStr, detectionJobPattern) + if detectionStart == -1 { + t.Fatal("Expected detection job to be present in compiled YAML") + } + + detectionSection := yamlStr[detectionStart : detectionStart+500] + if !strings.Contains(detectionSection, tt.expectedRunsOn) { + t.Errorf("Detection job does not use expected %q.\nDetection section:\n%s", tt.expectedRunsOn, detectionSection) + } + }) + } +} diff --git a/pkg/workflow/threat_detection.go b/pkg/workflow/threat_detection.go index 7475725e1e..a3fef9f1c3 100644 --- a/pkg/workflow/threat_detection.go +++ b/pkg/workflow/threat_detection.go @@ -16,6 +16,7 @@ type ThreatDetectionConfig struct { Steps []any `yaml:"steps,omitempty"` // Array of extra job steps EngineConfig *EngineConfig `yaml:"engine-config,omitempty"` // Extended engine configuration for threat detection EngineDisabled bool `yaml:"-"` // Internal flag: true when engine is explicitly set to false + RunsOn string `yaml:"run-on,omitempty"` // Runner override for the detection job } // parseThreatDetectionConfig handles threat-detection configuration @@ -64,6 +65,13 @@ func (c *Compiler) parseThreatDetectionConfig(outputMap map[string]any) *ThreatD } } + // Parse run-on field + if runOn, exists := configMap["run-on"]; exists { + if runOnStr, ok := runOn.(string); ok { + threatConfig.RunsOn = runOnStr + } + } + // Parse engine field (supports string, object, and boolean false formats) if engine, exists := configMap["engine"]; exists { // Handle boolean false to disable AI engine @@ -141,7 +149,7 @@ func (c *Compiler) buildThreatDetectionJob(data *WorkflowData, mainJobName strin job := &Job{ Name: string(constants.DetectionJobName), If: condition.Render(), - RunsOn: "runs-on: ubuntu-latest", + RunsOn: c.formatDetectionRunsOn(data.SafeOutputs), Permissions: permissions, Concurrency: c.indentYAMLLines(agentConcurrency, " "), TimeoutMinutes: 10, diff --git a/pkg/workflow/threat_detection_test.go b/pkg/workflow/threat_detection_test.go index 459b7719c8..a920246a40 100644 --- a/pkg/workflow/threat_detection_test.go +++ b/pkg/workflow/threat_detection_test.go @@ -111,6 +111,17 @@ func TestParseThreatDetectionConfig(t *testing.T) { }, }, }, + { + name: "object with run-on override", + outputMap: map[string]any{ + "threat-detection": map[string]any{ + "run-on": "self-hosted", + }, + }, + expectedConfig: &ThreatDetectionConfig{ + RunsOn: "self-hosted", + }, + }, } for _, tt := range tests { @@ -134,6 +145,68 @@ func TestParseThreatDetectionConfig(t *testing.T) { if len(result.Steps) != len(tt.expectedConfig.Steps) { t.Errorf("Expected %d steps, got %d", len(tt.expectedConfig.Steps), len(result.Steps)) } + + if result.RunsOn != tt.expectedConfig.RunsOn { + t.Errorf("Expected RunsOn %q, got %q", tt.expectedConfig.RunsOn, result.RunsOn) + } + }) + } +} + +func TestFormatDetectionRunsOn(t *testing.T) { + compiler := NewCompiler() + + tests := []struct { + name string + safeOutputs *SafeOutputsConfig + expectedRunsOn string + }{ + { + name: "nil safe outputs returns default", + safeOutputs: nil, + expectedRunsOn: "runs-on: " + constants.DefaultActivationJobRunnerImage, + }, + { + name: "detection run-on takes priority over safe-outputs runs-on", + safeOutputs: &SafeOutputsConfig{ + RunsOn: "self-hosted", + ThreatDetection: &ThreatDetectionConfig{ + RunsOn: "detection-runner", + }, + }, + expectedRunsOn: "runs-on: detection-runner", + }, + { + name: "falls back to safe-outputs runs-on when detection run-on is empty", + safeOutputs: &SafeOutputsConfig{ + RunsOn: "self-hosted", + ThreatDetection: &ThreatDetectionConfig{}, + }, + expectedRunsOn: "runs-on: self-hosted", + }, + { + name: "falls back to default when both detection run-on and safe-outputs runs-on are empty", + safeOutputs: &SafeOutputsConfig{ + ThreatDetection: &ThreatDetectionConfig{}, + }, + expectedRunsOn: "runs-on: " + constants.DefaultActivationJobRunnerImage, + }, + { + name: "nil threat detection still uses safe-outputs runs-on", + safeOutputs: &SafeOutputsConfig{ + RunsOn: "windows-latest", + ThreatDetection: nil, + }, + expectedRunsOn: "runs-on: windows-latest", + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + result := compiler.formatDetectionRunsOn(tt.safeOutputs) + if result != tt.expectedRunsOn { + t.Errorf("Expected runs-on %q, got %q", tt.expectedRunsOn, result) + } }) } } @@ -222,8 +295,17 @@ func TestBuildThreatDetectionJob(t *testing.T) { if job.Name != string(constants.DetectionJobName) { t.Errorf("Expected job name 'detection', got %q", job.Name) } - if job.RunsOn != "runs-on: ubuntu-latest" { - t.Errorf("Expected ubuntu-latest runner, got %q", job.RunsOn) + // Detection job uses formatDetectionRunsOn: safe-outputs.detection.run-on > safe-outputs.runs-on > default + expectedRunsOn := "runs-on: " + constants.DefaultActivationJobRunnerImage + if tt.data.SafeOutputs != nil { + if tt.data.SafeOutputs.ThreatDetection != nil && tt.data.SafeOutputs.ThreatDetection.RunsOn != "" { + expectedRunsOn = "runs-on: " + tt.data.SafeOutputs.ThreatDetection.RunsOn + } else if tt.data.SafeOutputs.RunsOn != "" { + expectedRunsOn = "runs-on: " + tt.data.SafeOutputs.RunsOn + } + } + if job.RunsOn != expectedRunsOn { + t.Errorf("Expected %q runner, got %q", expectedRunsOn, job.RunsOn) } // In dev mode (default), detection job should have contents: read permission for checkout // In release mode, it should have empty permissions From 725dc400c3e4f047e3558fbc2c8a6c8355729dde Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 23 Feb 2026 21:24:54 +0000 Subject: [PATCH 3/3] fix: detection job uses agent.runs-on as default, overridable via safe-outputs.detection.runs-on Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .../agent-performance-analyzer.lock.yml | 2 +- .../workflows/agent-persona-explorer.lock.yml | 2 +- .github/workflows/archie.lock.yml | 2 +- .github/workflows/artifacts-summary.lock.yml | 2 +- .github/workflows/audit-workflows.lock.yml | 2 +- .github/workflows/auto-triage-issues.lock.yml | 2 +- .github/workflows/blog-auditor.lock.yml | 2 +- .github/workflows/brave.lock.yml | 2 +- .../breaking-change-checker.lock.yml | 2 +- .github/workflows/changeset.lock.yml | 2 +- .github/workflows/ci-coach.lock.yml | 2 +- .github/workflows/ci-doctor.lock.yml | 2 +- .../claude-code-user-docs-review.lock.yml | 2 +- .../cli-consistency-checker.lock.yml | 2 +- .../workflows/cli-version-checker.lock.yml | 2 +- .github/workflows/cloclo.lock.yml | 2 +- .../workflows/code-scanning-fixer.lock.yml | 2 +- .github/workflows/code-simplifier.lock.yml | 2 +- .../commit-changes-analyzer.lock.yml | 2 +- .github/workflows/contribution-check.lock.yml | 2 +- .../workflows/copilot-agent-analysis.lock.yml | 2 +- .../copilot-cli-deep-research.lock.yml | 2 +- .../copilot-pr-merged-report.lock.yml | 2 +- .../copilot-pr-nlp-analysis.lock.yml | 2 +- .../copilot-pr-prompt-analysis.lock.yml | 2 +- .../copilot-session-insights.lock.yml | 2 +- .github/workflows/craft.lock.yml | 2 +- .../daily-assign-issue-to-user.lock.yml | 2 +- .github/workflows/daily-choice-test.lock.yml | 2 +- .../workflows/daily-cli-performance.lock.yml | 2 +- .../workflows/daily-cli-tools-tester.lock.yml | 2 +- .github/workflows/daily-code-metrics.lock.yml | 2 +- .../workflows/daily-compiler-quality.lock.yml | 2 +- .../daily-copilot-token-report.lock.yml | 2 +- .github/workflows/daily-doc-updater.lock.yml | 2 +- .github/workflows/daily-fact.lock.yml | 2 +- .github/workflows/daily-file-diet.lock.yml | 2 +- .../workflows/daily-firewall-report.lock.yml | 2 +- .../workflows/daily-issues-report.lock.yml | 2 +- .../daily-mcp-concurrency-analysis.lock.yml | 2 +- .../daily-multi-device-docs-tester.lock.yml | 2 +- .github/workflows/daily-news.lock.yml | 2 +- .../daily-observability-report.lock.yml | 2 +- .../daily-performance-summary.lock.yml | 2 +- .github/workflows/daily-regulatory.lock.yml | 2 +- .../daily-rendering-scripts-verifier.lock.yml | 2 +- .../workflows/daily-repo-chronicle.lock.yml | 2 +- .../daily-safe-output-optimizer.lock.yml | 2 +- .../daily-safe-outputs-conformance.lock.yml | 2 +- .../workflows/daily-secrets-analysis.lock.yml | 2 +- .../daily-security-red-team.lock.yml | 2 +- .github/workflows/daily-semgrep-scan.lock.yml | 2 +- .../daily-syntax-error-quality.lock.yml | 2 +- .../daily-team-evolution-insights.lock.yml | 2 +- .github/workflows/daily-team-status.lock.yml | 2 +- .../daily-testify-uber-super-expert.lock.yml | 2 +- .../workflows/daily-workflow-updater.lock.yml | 2 +- .github/workflows/deep-report.lock.yml | 2 +- .github/workflows/delight.lock.yml | 2 +- .github/workflows/dependabot-burner.lock.yml | 2 +- .../workflows/dependabot-go-checker.lock.yml | 2 +- .github/workflows/dev-hawk.lock.yml | 2 +- .github/workflows/dev.lock.yml | 2 +- .../developer-docs-consolidator.lock.yml | 2 +- .github/workflows/dictation-prompt.lock.yml | 2 +- .../workflows/discussion-task-miner.lock.yml | 2 +- .github/workflows/docs-noob-tester.lock.yml | 2 +- .github/workflows/draft-pr-cleanup.lock.yml | 2 +- .../duplicate-code-detector.lock.yml | 2 +- .../example-workflow-analyzer.lock.yml | 2 +- .github/workflows/firewall-escape.lock.yml | 2 +- .../workflows/functional-pragmatist.lock.yml | 2 +- .../github-mcp-structural-analysis.lock.yml | 2 +- .../github-mcp-tools-report.lock.yml | 2 +- .../github-remote-mcp-auth-test.lock.yml | 2 +- .../workflows/glossary-maintainer.lock.yml | 2 +- .github/workflows/go-fan.lock.yml | 2 +- .github/workflows/go-logger.lock.yml | 2 +- .../workflows/go-pattern-detector.lock.yml | 2 +- .github/workflows/gpclean.lock.yml | 2 +- .github/workflows/grumpy-reviewer.lock.yml | 2 +- .github/workflows/hourly-ci-cleaner.lock.yml | 2 +- .../workflows/instructions-janitor.lock.yml | 2 +- .github/workflows/issue-arborist.lock.yml | 2 +- .github/workflows/issue-monster.lock.yml | 2 +- .github/workflows/issue-triage-agent.lock.yml | 2 +- .github/workflows/jsweep.lock.yml | 2 +- .../workflows/layout-spec-maintainer.lock.yml | 2 +- .github/workflows/lockfile-stats.lock.yml | 2 +- .github/workflows/mcp-inspector.lock.yml | 2 +- .github/workflows/mergefest.lock.yml | 2 +- .../workflows/notion-issue-summary.lock.yml | 2 +- .github/workflows/org-health-report.lock.yml | 2 +- .github/workflows/pdf-summary.lock.yml | 2 +- .github/workflows/plan.lock.yml | 2 +- .github/workflows/poem-bot.lock.yml | 2 +- .github/workflows/portfolio-analyst.lock.yml | 2 +- .../workflows/pr-nitpick-reviewer.lock.yml | 2 +- .github/workflows/pr-triage-agent.lock.yml | 2 +- .../prompt-clustering-analysis.lock.yml | 2 +- .github/workflows/python-data-charts.lock.yml | 2 +- .github/workflows/q.lock.yml | 2 +- .github/workflows/refiner.lock.yml | 2 +- .github/workflows/release.lock.yml | 2 +- .../workflows/repo-audit-analyzer.lock.yml | 2 +- .github/workflows/repo-tree-map.lock.yml | 2 +- .../repository-quality-improver.lock.yml | 2 +- .github/workflows/research.lock.yml | 2 +- .github/workflows/safe-output-health.lock.yml | 2 +- .../schema-consistency-checker.lock.yml | 2 +- .github/workflows/scout.lock.yml | 2 +- .../workflows/security-compliance.lock.yml | 2 +- .github/workflows/security-review.lock.yml | 2 +- .../semantic-function-refactor.lock.yml | 2 +- .github/workflows/sergo.lock.yml | 2 +- .../workflows/slide-deck-maintainer.lock.yml | 2 +- .github/workflows/smoke-agent.lock.yml | 2 +- .github/workflows/smoke-claude.lock.yml | 2 +- .github/workflows/smoke-codex.lock.yml | 2 +- .github/workflows/smoke-copilot-arm.lock.yml | 2 +- .github/workflows/smoke-copilot.lock.yml | 2 +- .github/workflows/smoke-gemini.lock.yml | 2 +- .github/workflows/smoke-multi-pr.lock.yml | 2 +- .github/workflows/smoke-project.lock.yml | 2 +- .github/workflows/smoke-temporary-id.lock.yml | 2 +- .github/workflows/smoke-test-tools.lock.yml | 2 +- .../workflows/stale-repo-identifier.lock.yml | 2 +- .../workflows/static-analysis-report.lock.yml | 2 +- .../workflows/step-name-alignment.lock.yml | 2 +- .github/workflows/sub-issue-closer.lock.yml | 2 +- .github/workflows/super-linter.lock.yml | 2 +- .../workflows/technical-doc-writer.lock.yml | 2 +- .github/workflows/terminal-stylist.lock.yml | 2 +- .../test-create-pr-error-handling.lock.yml | 2 +- .github/workflows/test-dispatcher.lock.yml | 2 +- .../test-project-url-default.lock.yml | 2 +- .github/workflows/tidy.lock.yml | 2 +- .github/workflows/typist.lock.yml | 2 +- .../workflows/ubuntu-image-analyzer.lock.yml | 2 +- .github/workflows/unbloat-docs.lock.yml | 2 +- .github/workflows/video-analyzer.lock.yml | 2 +- .../weekly-editors-health-check.lock.yml | 2 +- .../workflows/weekly-issue-summary.lock.yml | 2 +- .../weekly-safe-outputs-spec-review.lock.yml | 2 +- .github/workflows/workflow-generator.lock.yml | 2 +- .../workflow-health-manager.lock.yml | 2 +- .../workflows/workflow-normalizer.lock.yml | 2 +- .../workflow-skill-extractor.lock.yml | 2 +- pkg/parser/schemas/main_workflow_schema.json | 4 +- pkg/workflow/safe_outputs_config_helpers.go | 12 ++--- pkg/workflow/safe_outputs_runs_on_test.go | 12 ++--- pkg/workflow/threat_detection.go | 8 ++-- pkg/workflow/threat_detection_test.go | 44 ++++++++++--------- 153 files changed, 188 insertions(+), 188 deletions(-) diff --git a/.github/workflows/agent-performance-analyzer.lock.yml b/.github/workflows/agent-performance-analyzer.lock.yml index ef2c024e5e..6b60bde99a 100644 --- a/.github/workflows/agent-performance-analyzer.lock.yml +++ b/.github/workflows/agent-performance-analyzer.lock.yml @@ -1136,7 +1136,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/agent-persona-explorer.lock.yml b/.github/workflows/agent-persona-explorer.lock.yml index b274e13053..8b5e9aa558 100644 --- a/.github/workflows/agent-persona-explorer.lock.yml +++ b/.github/workflows/agent-persona-explorer.lock.yml @@ -1008,7 +1008,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/archie.lock.yml b/.github/workflows/archie.lock.yml index 496c84f55a..092a41118c 100644 --- a/.github/workflows/archie.lock.yml +++ b/.github/workflows/archie.lock.yml @@ -960,7 +960,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/artifacts-summary.lock.yml b/.github/workflows/artifacts-summary.lock.yml index e3596c6a96..87e04ac455 100644 --- a/.github/workflows/artifacts-summary.lock.yml +++ b/.github/workflows/artifacts-summary.lock.yml @@ -915,7 +915,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/audit-workflows.lock.yml b/.github/workflows/audit-workflows.lock.yml index 55db03f2ff..7b07e1ea80 100644 --- a/.github/workflows/audit-workflows.lock.yml +++ b/.github/workflows/audit-workflows.lock.yml @@ -1174,7 +1174,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/auto-triage-issues.lock.yml b/.github/workflows/auto-triage-issues.lock.yml index 9d592ff6a3..909daf9069 100644 --- a/.github/workflows/auto-triage-issues.lock.yml +++ b/.github/workflows/auto-triage-issues.lock.yml @@ -985,7 +985,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/blog-auditor.lock.yml b/.github/workflows/blog-auditor.lock.yml index 3b6f222418..8efdeee8f3 100644 --- a/.github/workflows/blog-auditor.lock.yml +++ b/.github/workflows/blog-auditor.lock.yml @@ -1025,7 +1025,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/brave.lock.yml b/.github/workflows/brave.lock.yml index d638cbb43e..6b30c73629 100644 --- a/.github/workflows/brave.lock.yml +++ b/.github/workflows/brave.lock.yml @@ -948,7 +948,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/breaking-change-checker.lock.yml b/.github/workflows/breaking-change-checker.lock.yml index 409f649587..3406b5a4ac 100644 --- a/.github/workflows/breaking-change-checker.lock.yml +++ b/.github/workflows/breaking-change-checker.lock.yml @@ -961,7 +961,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/changeset.lock.yml b/.github/workflows/changeset.lock.yml index e150955f32..bf56befc79 100644 --- a/.github/workflows/changeset.lock.yml +++ b/.github/workflows/changeset.lock.yml @@ -1036,7 +1036,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/ci-coach.lock.yml b/.github/workflows/ci-coach.lock.yml index 59f312011f..34b57a60b5 100644 --- a/.github/workflows/ci-coach.lock.yml +++ b/.github/workflows/ci-coach.lock.yml @@ -1035,7 +1035,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/ci-doctor.lock.yml b/.github/workflows/ci-doctor.lock.yml index 50f5d79b07..97c9b48aea 100644 --- a/.github/workflows/ci-doctor.lock.yml +++ b/.github/workflows/ci-doctor.lock.yml @@ -1163,7 +1163,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/claude-code-user-docs-review.lock.yml b/.github/workflows/claude-code-user-docs-review.lock.yml index 8d9046de49..2e2b5520d4 100644 --- a/.github/workflows/claude-code-user-docs-review.lock.yml +++ b/.github/workflows/claude-code-user-docs-review.lock.yml @@ -986,7 +986,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/cli-consistency-checker.lock.yml b/.github/workflows/cli-consistency-checker.lock.yml index 2ff51d03d1..e3d36d5f9c 100644 --- a/.github/workflows/cli-consistency-checker.lock.yml +++ b/.github/workflows/cli-consistency-checker.lock.yml @@ -925,7 +925,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/cli-version-checker.lock.yml b/.github/workflows/cli-version-checker.lock.yml index a84260ad3e..181dafb461 100644 --- a/.github/workflows/cli-version-checker.lock.yml +++ b/.github/workflows/cli-version-checker.lock.yml @@ -1014,7 +1014,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/cloclo.lock.yml b/.github/workflows/cloclo.lock.yml index e6630a7495..24e7a25645 100644 --- a/.github/workflows/cloclo.lock.yml +++ b/.github/workflows/cloclo.lock.yml @@ -1308,7 +1308,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/code-scanning-fixer.lock.yml b/.github/workflows/code-scanning-fixer.lock.yml index bc0611772b..06c466a035 100644 --- a/.github/workflows/code-scanning-fixer.lock.yml +++ b/.github/workflows/code-scanning-fixer.lock.yml @@ -1038,7 +1038,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/code-simplifier.lock.yml b/.github/workflows/code-simplifier.lock.yml index 7f2d7b09cc..ab3b4dc29a 100644 --- a/.github/workflows/code-simplifier.lock.yml +++ b/.github/workflows/code-simplifier.lock.yml @@ -962,7 +962,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/commit-changes-analyzer.lock.yml b/.github/workflows/commit-changes-analyzer.lock.yml index 025e106abc..e77e7dec5d 100644 --- a/.github/workflows/commit-changes-analyzer.lock.yml +++ b/.github/workflows/commit-changes-analyzer.lock.yml @@ -966,7 +966,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/contribution-check.lock.yml b/.github/workflows/contribution-check.lock.yml index a9188b0f59..02f9db1a00 100644 --- a/.github/workflows/contribution-check.lock.yml +++ b/.github/workflows/contribution-check.lock.yml @@ -999,7 +999,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/copilot-agent-analysis.lock.yml b/.github/workflows/copilot-agent-analysis.lock.yml index c2a55b2d98..9a0a4e5e0f 100644 --- a/.github/workflows/copilot-agent-analysis.lock.yml +++ b/.github/workflows/copilot-agent-analysis.lock.yml @@ -1046,7 +1046,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/copilot-cli-deep-research.lock.yml b/.github/workflows/copilot-cli-deep-research.lock.yml index 9a637e4982..797bd9bb89 100644 --- a/.github/workflows/copilot-cli-deep-research.lock.yml +++ b/.github/workflows/copilot-cli-deep-research.lock.yml @@ -977,7 +977,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/copilot-pr-merged-report.lock.yml b/.github/workflows/copilot-pr-merged-report.lock.yml index bc42ef355c..2bd196cd9f 100644 --- a/.github/workflows/copilot-pr-merged-report.lock.yml +++ b/.github/workflows/copilot-pr-merged-report.lock.yml @@ -1085,7 +1085,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/copilot-pr-nlp-analysis.lock.yml b/.github/workflows/copilot-pr-nlp-analysis.lock.yml index ab994bdc29..f677e8e16e 100644 --- a/.github/workflows/copilot-pr-nlp-analysis.lock.yml +++ b/.github/workflows/copilot-pr-nlp-analysis.lock.yml @@ -1073,7 +1073,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/copilot-pr-prompt-analysis.lock.yml b/.github/workflows/copilot-pr-prompt-analysis.lock.yml index 74c2fb708c..b02f6ce795 100644 --- a/.github/workflows/copilot-pr-prompt-analysis.lock.yml +++ b/.github/workflows/copilot-pr-prompt-analysis.lock.yml @@ -997,7 +997,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/copilot-session-insights.lock.yml b/.github/workflows/copilot-session-insights.lock.yml index 2061162aa2..0f6f613945 100644 --- a/.github/workflows/copilot-session-insights.lock.yml +++ b/.github/workflows/copilot-session-insights.lock.yml @@ -1125,7 +1125,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/craft.lock.yml b/.github/workflows/craft.lock.yml index 72300364f8..ab401e2657 100644 --- a/.github/workflows/craft.lock.yml +++ b/.github/workflows/craft.lock.yml @@ -986,7 +986,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/daily-assign-issue-to-user.lock.yml b/.github/workflows/daily-assign-issue-to-user.lock.yml index 326f68e7e3..61d4a858f4 100644 --- a/.github/workflows/daily-assign-issue-to-user.lock.yml +++ b/.github/workflows/daily-assign-issue-to-user.lock.yml @@ -941,7 +941,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/daily-choice-test.lock.yml b/.github/workflows/daily-choice-test.lock.yml index a4e7bfa6d0..1e15d90232 100644 --- a/.github/workflows/daily-choice-test.lock.yml +++ b/.github/workflows/daily-choice-test.lock.yml @@ -928,7 +928,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/daily-cli-performance.lock.yml b/.github/workflows/daily-cli-performance.lock.yml index 227cda5bff..6b04296258 100644 --- a/.github/workflows/daily-cli-performance.lock.yml +++ b/.github/workflows/daily-cli-performance.lock.yml @@ -1167,7 +1167,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/daily-cli-tools-tester.lock.yml b/.github/workflows/daily-cli-tools-tester.lock.yml index d42a7840e6..4ed472d3b9 100644 --- a/.github/workflows/daily-cli-tools-tester.lock.yml +++ b/.github/workflows/daily-cli-tools-tester.lock.yml @@ -993,7 +993,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/daily-code-metrics.lock.yml b/.github/workflows/daily-code-metrics.lock.yml index 2da8fa916c..b3d631d23e 100644 --- a/.github/workflows/daily-code-metrics.lock.yml +++ b/.github/workflows/daily-code-metrics.lock.yml @@ -1103,7 +1103,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/daily-compiler-quality.lock.yml b/.github/workflows/daily-compiler-quality.lock.yml index 81e3f7d64f..3ad3b061f0 100644 --- a/.github/workflows/daily-compiler-quality.lock.yml +++ b/.github/workflows/daily-compiler-quality.lock.yml @@ -973,7 +973,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/daily-copilot-token-report.lock.yml b/.github/workflows/daily-copilot-token-report.lock.yml index c64b1455f0..3fdf273929 100644 --- a/.github/workflows/daily-copilot-token-report.lock.yml +++ b/.github/workflows/daily-copilot-token-report.lock.yml @@ -1084,7 +1084,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/daily-doc-updater.lock.yml b/.github/workflows/daily-doc-updater.lock.yml index aae0aaa802..8d8f9dd494 100644 --- a/.github/workflows/daily-doc-updater.lock.yml +++ b/.github/workflows/daily-doc-updater.lock.yml @@ -1047,7 +1047,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/daily-fact.lock.yml b/.github/workflows/daily-fact.lock.yml index 788aa570f3..49e43c7aca 100644 --- a/.github/workflows/daily-fact.lock.yml +++ b/.github/workflows/daily-fact.lock.yml @@ -878,7 +878,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: {} concurrency: group: "gh-aw-codex-${{ github.workflow }}" diff --git a/.github/workflows/daily-file-diet.lock.yml b/.github/workflows/daily-file-diet.lock.yml index 7e9151e2ca..314c9bdb87 100644 --- a/.github/workflows/daily-file-diet.lock.yml +++ b/.github/workflows/daily-file-diet.lock.yml @@ -977,7 +977,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/daily-firewall-report.lock.yml b/.github/workflows/daily-firewall-report.lock.yml index 3cb2a827bc..bea723f005 100644 --- a/.github/workflows/daily-firewall-report.lock.yml +++ b/.github/workflows/daily-firewall-report.lock.yml @@ -1080,7 +1080,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/daily-issues-report.lock.yml b/.github/workflows/daily-issues-report.lock.yml index 66a75ff6b0..7a7674e74b 100644 --- a/.github/workflows/daily-issues-report.lock.yml +++ b/.github/workflows/daily-issues-report.lock.yml @@ -1106,7 +1106,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/daily-mcp-concurrency-analysis.lock.yml b/.github/workflows/daily-mcp-concurrency-analysis.lock.yml index fac788e2ca..5e3b4fc521 100644 --- a/.github/workflows/daily-mcp-concurrency-analysis.lock.yml +++ b/.github/workflows/daily-mcp-concurrency-analysis.lock.yml @@ -1024,7 +1024,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/daily-multi-device-docs-tester.lock.yml b/.github/workflows/daily-multi-device-docs-tester.lock.yml index 2efc9966c3..e483a2d098 100644 --- a/.github/workflows/daily-multi-device-docs-tester.lock.yml +++ b/.github/workflows/daily-multi-device-docs-tester.lock.yml @@ -1102,7 +1102,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/daily-news.lock.yml b/.github/workflows/daily-news.lock.yml index ba79f1f48b..52c1067270 100644 --- a/.github/workflows/daily-news.lock.yml +++ b/.github/workflows/daily-news.lock.yml @@ -1146,7 +1146,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/daily-observability-report.lock.yml b/.github/workflows/daily-observability-report.lock.yml index e5539bc6de..b054d9f585 100644 --- a/.github/workflows/daily-observability-report.lock.yml +++ b/.github/workflows/daily-observability-report.lock.yml @@ -1063,7 +1063,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/daily-performance-summary.lock.yml b/.github/workflows/daily-performance-summary.lock.yml index 5cf5c81bca..9e81507527 100644 --- a/.github/workflows/daily-performance-summary.lock.yml +++ b/.github/workflows/daily-performance-summary.lock.yml @@ -1569,7 +1569,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/daily-regulatory.lock.yml b/.github/workflows/daily-regulatory.lock.yml index 19c84fd8a0..9e846470af 100644 --- a/.github/workflows/daily-regulatory.lock.yml +++ b/.github/workflows/daily-regulatory.lock.yml @@ -1461,7 +1461,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/daily-rendering-scripts-verifier.lock.yml b/.github/workflows/daily-rendering-scripts-verifier.lock.yml index d7a5134233..dc3afa5a57 100644 --- a/.github/workflows/daily-rendering-scripts-verifier.lock.yml +++ b/.github/workflows/daily-rendering-scripts-verifier.lock.yml @@ -1133,7 +1133,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/daily-repo-chronicle.lock.yml b/.github/workflows/daily-repo-chronicle.lock.yml index 444271a047..eed552b7b3 100644 --- a/.github/workflows/daily-repo-chronicle.lock.yml +++ b/.github/workflows/daily-repo-chronicle.lock.yml @@ -1015,7 +1015,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/daily-safe-output-optimizer.lock.yml b/.github/workflows/daily-safe-output-optimizer.lock.yml index 983942235c..beff45446f 100644 --- a/.github/workflows/daily-safe-output-optimizer.lock.yml +++ b/.github/workflows/daily-safe-output-optimizer.lock.yml @@ -1103,7 +1103,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/daily-safe-outputs-conformance.lock.yml b/.github/workflows/daily-safe-outputs-conformance.lock.yml index 5d3589f84c..86485c36d5 100644 --- a/.github/workflows/daily-safe-outputs-conformance.lock.yml +++ b/.github/workflows/daily-safe-outputs-conformance.lock.yml @@ -981,7 +981,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/daily-secrets-analysis.lock.yml b/.github/workflows/daily-secrets-analysis.lock.yml index 3f7bcd6e28..81c35b24d0 100644 --- a/.github/workflows/daily-secrets-analysis.lock.yml +++ b/.github/workflows/daily-secrets-analysis.lock.yml @@ -979,7 +979,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/daily-security-red-team.lock.yml b/.github/workflows/daily-security-red-team.lock.yml index cade40d225..f6a0e4609f 100644 --- a/.github/workflows/daily-security-red-team.lock.yml +++ b/.github/workflows/daily-security-red-team.lock.yml @@ -985,7 +985,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/daily-semgrep-scan.lock.yml b/.github/workflows/daily-semgrep-scan.lock.yml index 5eed9849ea..86e246d585 100644 --- a/.github/workflows/daily-semgrep-scan.lock.yml +++ b/.github/workflows/daily-semgrep-scan.lock.yml @@ -963,7 +963,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/daily-syntax-error-quality.lock.yml b/.github/workflows/daily-syntax-error-quality.lock.yml index 68137fae24..cb4d289aba 100644 --- a/.github/workflows/daily-syntax-error-quality.lock.yml +++ b/.github/workflows/daily-syntax-error-quality.lock.yml @@ -958,7 +958,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/daily-team-evolution-insights.lock.yml b/.github/workflows/daily-team-evolution-insights.lock.yml index b8173e44d6..dffba2df65 100644 --- a/.github/workflows/daily-team-evolution-insights.lock.yml +++ b/.github/workflows/daily-team-evolution-insights.lock.yml @@ -965,7 +965,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/daily-team-status.lock.yml b/.github/workflows/daily-team-status.lock.yml index 391dfbade4..b16d7ed6a8 100644 --- a/.github/workflows/daily-team-status.lock.yml +++ b/.github/workflows/daily-team-status.lock.yml @@ -953,7 +953,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/daily-testify-uber-super-expert.lock.yml b/.github/workflows/daily-testify-uber-super-expert.lock.yml index f1357a2205..b0adb64bbc 100644 --- a/.github/workflows/daily-testify-uber-super-expert.lock.yml +++ b/.github/workflows/daily-testify-uber-super-expert.lock.yml @@ -1016,7 +1016,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/daily-workflow-updater.lock.yml b/.github/workflows/daily-workflow-updater.lock.yml index 16c35b4a6e..19903bd8b0 100644 --- a/.github/workflows/daily-workflow-updater.lock.yml +++ b/.github/workflows/daily-workflow-updater.lock.yml @@ -948,7 +948,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/deep-report.lock.yml b/.github/workflows/deep-report.lock.yml index 4dfb1d5c6e..9415fcea20 100644 --- a/.github/workflows/deep-report.lock.yml +++ b/.github/workflows/deep-report.lock.yml @@ -1193,7 +1193,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/delight.lock.yml b/.github/workflows/delight.lock.yml index 33a52c3457..23ef1a3d1e 100644 --- a/.github/workflows/delight.lock.yml +++ b/.github/workflows/delight.lock.yml @@ -1062,7 +1062,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/dependabot-burner.lock.yml b/.github/workflows/dependabot-burner.lock.yml index dd296a7a19..e7eb50b43f 100644 --- a/.github/workflows/dependabot-burner.lock.yml +++ b/.github/workflows/dependabot-burner.lock.yml @@ -926,7 +926,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/dependabot-go-checker.lock.yml b/.github/workflows/dependabot-go-checker.lock.yml index ed140fa045..e3de227867 100644 --- a/.github/workflows/dependabot-go-checker.lock.yml +++ b/.github/workflows/dependabot-go-checker.lock.yml @@ -967,7 +967,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/dev-hawk.lock.yml b/.github/workflows/dev-hawk.lock.yml index f010d8d517..4cf96de250 100644 --- a/.github/workflows/dev-hawk.lock.yml +++ b/.github/workflows/dev-hawk.lock.yml @@ -1010,7 +1010,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/dev.lock.yml b/.github/workflows/dev.lock.yml index ba25480b94..b601e2942b 100644 --- a/.github/workflows/dev.lock.yml +++ b/.github/workflows/dev.lock.yml @@ -922,7 +922,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/developer-docs-consolidator.lock.yml b/.github/workflows/developer-docs-consolidator.lock.yml index 4da22a898a..3a279438c5 100644 --- a/.github/workflows/developer-docs-consolidator.lock.yml +++ b/.github/workflows/developer-docs-consolidator.lock.yml @@ -1127,7 +1127,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/dictation-prompt.lock.yml b/.github/workflows/dictation-prompt.lock.yml index 71282dc2ae..bb66be51d8 100644 --- a/.github/workflows/dictation-prompt.lock.yml +++ b/.github/workflows/dictation-prompt.lock.yml @@ -949,7 +949,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/discussion-task-miner.lock.yml b/.github/workflows/discussion-task-miner.lock.yml index 4b714e05c4..f1f5947d83 100644 --- a/.github/workflows/discussion-task-miner.lock.yml +++ b/.github/workflows/discussion-task-miner.lock.yml @@ -1043,7 +1043,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/docs-noob-tester.lock.yml b/.github/workflows/docs-noob-tester.lock.yml index 3779dfec6a..55dd3494ac 100644 --- a/.github/workflows/docs-noob-tester.lock.yml +++ b/.github/workflows/docs-noob-tester.lock.yml @@ -965,7 +965,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/draft-pr-cleanup.lock.yml b/.github/workflows/draft-pr-cleanup.lock.yml index 47e494031a..a7c5914eeb 100644 --- a/.github/workflows/draft-pr-cleanup.lock.yml +++ b/.github/workflows/draft-pr-cleanup.lock.yml @@ -972,7 +972,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/duplicate-code-detector.lock.yml b/.github/workflows/duplicate-code-detector.lock.yml index 0a036e60bb..d760d03ce0 100644 --- a/.github/workflows/duplicate-code-detector.lock.yml +++ b/.github/workflows/duplicate-code-detector.lock.yml @@ -977,7 +977,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/example-workflow-analyzer.lock.yml b/.github/workflows/example-workflow-analyzer.lock.yml index 204257f7d2..fa5e4a53ff 100644 --- a/.github/workflows/example-workflow-analyzer.lock.yml +++ b/.github/workflows/example-workflow-analyzer.lock.yml @@ -1024,7 +1024,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/firewall-escape.lock.yml b/.github/workflows/firewall-escape.lock.yml index 06efa6cf1c..3ff52bd8ff 100644 --- a/.github/workflows/firewall-escape.lock.yml +++ b/.github/workflows/firewall-escape.lock.yml @@ -995,7 +995,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/functional-pragmatist.lock.yml b/.github/workflows/functional-pragmatist.lock.yml index a4de7534fd..55d04e81a1 100644 --- a/.github/workflows/functional-pragmatist.lock.yml +++ b/.github/workflows/functional-pragmatist.lock.yml @@ -956,7 +956,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/github-mcp-structural-analysis.lock.yml b/.github/workflows/github-mcp-structural-analysis.lock.yml index 76b7932a39..50fc308b9c 100644 --- a/.github/workflows/github-mcp-structural-analysis.lock.yml +++ b/.github/workflows/github-mcp-structural-analysis.lock.yml @@ -1060,7 +1060,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/github-mcp-tools-report.lock.yml b/.github/workflows/github-mcp-tools-report.lock.yml index d45f795680..f3e680bea0 100644 --- a/.github/workflows/github-mcp-tools-report.lock.yml +++ b/.github/workflows/github-mcp-tools-report.lock.yml @@ -1084,7 +1084,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/github-remote-mcp-auth-test.lock.yml b/.github/workflows/github-remote-mcp-auth-test.lock.yml index 5620870131..42716c2487 100644 --- a/.github/workflows/github-remote-mcp-auth-test.lock.yml +++ b/.github/workflows/github-remote-mcp-auth-test.lock.yml @@ -919,7 +919,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/glossary-maintainer.lock.yml b/.github/workflows/glossary-maintainer.lock.yml index a5702f5277..b94ef238a3 100644 --- a/.github/workflows/glossary-maintainer.lock.yml +++ b/.github/workflows/glossary-maintainer.lock.yml @@ -1029,7 +1029,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/go-fan.lock.yml b/.github/workflows/go-fan.lock.yml index c760c2e8be..6457728b45 100644 --- a/.github/workflows/go-fan.lock.yml +++ b/.github/workflows/go-fan.lock.yml @@ -1030,7 +1030,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/go-logger.lock.yml b/.github/workflows/go-logger.lock.yml index 23ab513e8f..6f369d4cde 100644 --- a/.github/workflows/go-logger.lock.yml +++ b/.github/workflows/go-logger.lock.yml @@ -1212,7 +1212,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/go-pattern-detector.lock.yml b/.github/workflows/go-pattern-detector.lock.yml index 45583215c9..79d8472590 100644 --- a/.github/workflows/go-pattern-detector.lock.yml +++ b/.github/workflows/go-pattern-detector.lock.yml @@ -1023,7 +1023,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/gpclean.lock.yml b/.github/workflows/gpclean.lock.yml index 77d2b3cabf..7e343def11 100644 --- a/.github/workflows/gpclean.lock.yml +++ b/.github/workflows/gpclean.lock.yml @@ -954,7 +954,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/grumpy-reviewer.lock.yml b/.github/workflows/grumpy-reviewer.lock.yml index 2001f91faf..c96fd80842 100644 --- a/.github/workflows/grumpy-reviewer.lock.yml +++ b/.github/workflows/grumpy-reviewer.lock.yml @@ -1033,7 +1033,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/hourly-ci-cleaner.lock.yml b/.github/workflows/hourly-ci-cleaner.lock.yml index 33fff48881..a5d1aa587a 100644 --- a/.github/workflows/hourly-ci-cleaner.lock.yml +++ b/.github/workflows/hourly-ci-cleaner.lock.yml @@ -1055,7 +1055,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/instructions-janitor.lock.yml b/.github/workflows/instructions-janitor.lock.yml index 56dcac3e9d..913eed7b95 100644 --- a/.github/workflows/instructions-janitor.lock.yml +++ b/.github/workflows/instructions-janitor.lock.yml @@ -1040,7 +1040,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/issue-arborist.lock.yml b/.github/workflows/issue-arborist.lock.yml index 8589a37951..9aebfb36e9 100644 --- a/.github/workflows/issue-arborist.lock.yml +++ b/.github/workflows/issue-arborist.lock.yml @@ -1047,7 +1047,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/issue-monster.lock.yml b/.github/workflows/issue-monster.lock.yml index 2320dce215..7422eac001 100644 --- a/.github/workflows/issue-monster.lock.yml +++ b/.github/workflows/issue-monster.lock.yml @@ -974,7 +974,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/issue-triage-agent.lock.yml b/.github/workflows/issue-triage-agent.lock.yml index b1b16e65ad..61877f91ef 100644 --- a/.github/workflows/issue-triage-agent.lock.yml +++ b/.github/workflows/issue-triage-agent.lock.yml @@ -911,7 +911,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/jsweep.lock.yml b/.github/workflows/jsweep.lock.yml index 8881028c60..0f118dbf7d 100644 --- a/.github/workflows/jsweep.lock.yml +++ b/.github/workflows/jsweep.lock.yml @@ -992,7 +992,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/layout-spec-maintainer.lock.yml b/.github/workflows/layout-spec-maintainer.lock.yml index b3eb7555dd..bd50055535 100644 --- a/.github/workflows/layout-spec-maintainer.lock.yml +++ b/.github/workflows/layout-spec-maintainer.lock.yml @@ -985,7 +985,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/lockfile-stats.lock.yml b/.github/workflows/lockfile-stats.lock.yml index fa504c0f0d..cd94860773 100644 --- a/.github/workflows/lockfile-stats.lock.yml +++ b/.github/workflows/lockfile-stats.lock.yml @@ -986,7 +986,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/mcp-inspector.lock.yml b/.github/workflows/mcp-inspector.lock.yml index 1a030fd48c..eee7dc265e 100644 --- a/.github/workflows/mcp-inspector.lock.yml +++ b/.github/workflows/mcp-inspector.lock.yml @@ -1325,7 +1325,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/mergefest.lock.yml b/.github/workflows/mergefest.lock.yml index e00ea31cf1..380a74e600 100644 --- a/.github/workflows/mergefest.lock.yml +++ b/.github/workflows/mergefest.lock.yml @@ -977,7 +977,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/notion-issue-summary.lock.yml b/.github/workflows/notion-issue-summary.lock.yml index 9d4c7b904b..0a8b89e45a 100644 --- a/.github/workflows/notion-issue-summary.lock.yml +++ b/.github/workflows/notion-issue-summary.lock.yml @@ -892,7 +892,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/org-health-report.lock.yml b/.github/workflows/org-health-report.lock.yml index 357dfce954..43d59d4d8a 100644 --- a/.github/workflows/org-health-report.lock.yml +++ b/.github/workflows/org-health-report.lock.yml @@ -1014,7 +1014,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/pdf-summary.lock.yml b/.github/workflows/pdf-summary.lock.yml index 3e67c00daa..d38bc6e6aa 100644 --- a/.github/workflows/pdf-summary.lock.yml +++ b/.github/workflows/pdf-summary.lock.yml @@ -1049,7 +1049,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/plan.lock.yml b/.github/workflows/plan.lock.yml index 66d7791862..d653268b19 100644 --- a/.github/workflows/plan.lock.yml +++ b/.github/workflows/plan.lock.yml @@ -1015,7 +1015,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/poem-bot.lock.yml b/.github/workflows/poem-bot.lock.yml index 47beac5519..68544e9609 100644 --- a/.github/workflows/poem-bot.lock.yml +++ b/.github/workflows/poem-bot.lock.yml @@ -1653,7 +1653,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/portfolio-analyst.lock.yml b/.github/workflows/portfolio-analyst.lock.yml index 4968f0f638..00575ebc0c 100644 --- a/.github/workflows/portfolio-analyst.lock.yml +++ b/.github/workflows/portfolio-analyst.lock.yml @@ -1091,7 +1091,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/pr-nitpick-reviewer.lock.yml b/.github/workflows/pr-nitpick-reviewer.lock.yml index 9464c90a38..3cb0218469 100644 --- a/.github/workflows/pr-nitpick-reviewer.lock.yml +++ b/.github/workflows/pr-nitpick-reviewer.lock.yml @@ -1122,7 +1122,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/pr-triage-agent.lock.yml b/.github/workflows/pr-triage-agent.lock.yml index 3cee1402e5..a1d281e9db 100644 --- a/.github/workflows/pr-triage-agent.lock.yml +++ b/.github/workflows/pr-triage-agent.lock.yml @@ -1045,7 +1045,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/prompt-clustering-analysis.lock.yml b/.github/workflows/prompt-clustering-analysis.lock.yml index 8fad76f30d..2c48f7411f 100644 --- a/.github/workflows/prompt-clustering-analysis.lock.yml +++ b/.github/workflows/prompt-clustering-analysis.lock.yml @@ -1117,7 +1117,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/python-data-charts.lock.yml b/.github/workflows/python-data-charts.lock.yml index 318d27c031..d7c80468a1 100644 --- a/.github/workflows/python-data-charts.lock.yml +++ b/.github/workflows/python-data-charts.lock.yml @@ -1077,7 +1077,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/q.lock.yml b/.github/workflows/q.lock.yml index 98faa68a5d..20900388ae 100644 --- a/.github/workflows/q.lock.yml +++ b/.github/workflows/q.lock.yml @@ -1171,7 +1171,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/refiner.lock.yml b/.github/workflows/refiner.lock.yml index e7fb8d1963..5c4c3952a1 100644 --- a/.github/workflows/refiner.lock.yml +++ b/.github/workflows/refiner.lock.yml @@ -1015,7 +1015,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/release.lock.yml b/.github/workflows/release.lock.yml index 6f5397aa85..00ed0c78f3 100644 --- a/.github/workflows/release.lock.yml +++ b/.github/workflows/release.lock.yml @@ -1038,7 +1038,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/repo-audit-analyzer.lock.yml b/.github/workflows/repo-audit-analyzer.lock.yml index 923a5c9d11..bd293dd7e8 100644 --- a/.github/workflows/repo-audit-analyzer.lock.yml +++ b/.github/workflows/repo-audit-analyzer.lock.yml @@ -954,7 +954,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/repo-tree-map.lock.yml b/.github/workflows/repo-tree-map.lock.yml index 0458c7a293..b0ce520057 100644 --- a/.github/workflows/repo-tree-map.lock.yml +++ b/.github/workflows/repo-tree-map.lock.yml @@ -911,7 +911,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/repository-quality-improver.lock.yml b/.github/workflows/repository-quality-improver.lock.yml index b37ed00717..941cd6cf91 100644 --- a/.github/workflows/repository-quality-improver.lock.yml +++ b/.github/workflows/repository-quality-improver.lock.yml @@ -956,7 +956,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/research.lock.yml b/.github/workflows/research.lock.yml index f015395691..1f797889a6 100644 --- a/.github/workflows/research.lock.yml +++ b/.github/workflows/research.lock.yml @@ -939,7 +939,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/safe-output-health.lock.yml b/.github/workflows/safe-output-health.lock.yml index 7625a88cc8..4a9a4b2828 100644 --- a/.github/workflows/safe-output-health.lock.yml +++ b/.github/workflows/safe-output-health.lock.yml @@ -1079,7 +1079,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/schema-consistency-checker.lock.yml b/.github/workflows/schema-consistency-checker.lock.yml index e4cc0952a6..008758bc27 100644 --- a/.github/workflows/schema-consistency-checker.lock.yml +++ b/.github/workflows/schema-consistency-checker.lock.yml @@ -987,7 +987,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/scout.lock.yml b/.github/workflows/scout.lock.yml index 3ca16607ac..cbccebf720 100644 --- a/.github/workflows/scout.lock.yml +++ b/.github/workflows/scout.lock.yml @@ -1131,7 +1131,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/security-compliance.lock.yml b/.github/workflows/security-compliance.lock.yml index bf6032a3ae..ab14c1a9a7 100644 --- a/.github/workflows/security-compliance.lock.yml +++ b/.github/workflows/security-compliance.lock.yml @@ -993,7 +993,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/security-review.lock.yml b/.github/workflows/security-review.lock.yml index 26fa0b1d65..fd5358a5b0 100644 --- a/.github/workflows/security-review.lock.yml +++ b/.github/workflows/security-review.lock.yml @@ -1104,7 +1104,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/semantic-function-refactor.lock.yml b/.github/workflows/semantic-function-refactor.lock.yml index 14cc40703e..b1b86538ba 100644 --- a/.github/workflows/semantic-function-refactor.lock.yml +++ b/.github/workflows/semantic-function-refactor.lock.yml @@ -1059,7 +1059,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/sergo.lock.yml b/.github/workflows/sergo.lock.yml index 15bffe5f39..825e29f1df 100644 --- a/.github/workflows/sergo.lock.yml +++ b/.github/workflows/sergo.lock.yml @@ -1029,7 +1029,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/slide-deck-maintainer.lock.yml b/.github/workflows/slide-deck-maintainer.lock.yml index 213bf5de19..e98e5d77fb 100644 --- a/.github/workflows/slide-deck-maintainer.lock.yml +++ b/.github/workflows/slide-deck-maintainer.lock.yml @@ -1051,7 +1051,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/smoke-agent.lock.yml b/.github/workflows/smoke-agent.lock.yml index 8c24a169e7..eb54028530 100644 --- a/.github/workflows/smoke-agent.lock.yml +++ b/.github/workflows/smoke-agent.lock.yml @@ -1010,7 +1010,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/smoke-claude.lock.yml b/.github/workflows/smoke-claude.lock.yml index 545bd0df52..9c9be178be 100644 --- a/.github/workflows/smoke-claude.lock.yml +++ b/.github/workflows/smoke-claude.lock.yml @@ -2543,7 +2543,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/smoke-codex.lock.yml b/.github/workflows/smoke-codex.lock.yml index 843a1be0b3..0e5f7f0dda 100644 --- a/.github/workflows/smoke-codex.lock.yml +++ b/.github/workflows/smoke-codex.lock.yml @@ -1465,7 +1465,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/smoke-copilot-arm.lock.yml b/.github/workflows/smoke-copilot-arm.lock.yml index 8138fc6225..d872e96259 100644 --- a/.github/workflows/smoke-copilot-arm.lock.yml +++ b/.github/workflows/smoke-copilot-arm.lock.yml @@ -1977,7 +1977,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-24.04-arm permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/smoke-copilot.lock.yml b/.github/workflows/smoke-copilot.lock.yml index 9b09984d8e..2765c48e22 100644 --- a/.github/workflows/smoke-copilot.lock.yml +++ b/.github/workflows/smoke-copilot.lock.yml @@ -1979,7 +1979,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/smoke-gemini.lock.yml b/.github/workflows/smoke-gemini.lock.yml index 24aacf30b4..fbc22a4cfe 100644 --- a/.github/workflows/smoke-gemini.lock.yml +++ b/.github/workflows/smoke-gemini.lock.yml @@ -1201,7 +1201,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/smoke-multi-pr.lock.yml b/.github/workflows/smoke-multi-pr.lock.yml index 5ccccd690f..0f679a3cce 100644 --- a/.github/workflows/smoke-multi-pr.lock.yml +++ b/.github/workflows/smoke-multi-pr.lock.yml @@ -1065,7 +1065,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/smoke-project.lock.yml b/.github/workflows/smoke-project.lock.yml index 1cd0799aad..eddb4b68e1 100644 --- a/.github/workflows/smoke-project.lock.yml +++ b/.github/workflows/smoke-project.lock.yml @@ -1459,7 +1459,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/smoke-temporary-id.lock.yml b/.github/workflows/smoke-temporary-id.lock.yml index 590aa0535b..6928cf6584 100644 --- a/.github/workflows/smoke-temporary-id.lock.yml +++ b/.github/workflows/smoke-temporary-id.lock.yml @@ -1065,7 +1065,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/smoke-test-tools.lock.yml b/.github/workflows/smoke-test-tools.lock.yml index ad8d1e821a..8e24bca735 100644 --- a/.github/workflows/smoke-test-tools.lock.yml +++ b/.github/workflows/smoke-test-tools.lock.yml @@ -968,7 +968,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/stale-repo-identifier.lock.yml b/.github/workflows/stale-repo-identifier.lock.yml index b4c3490aac..5d4c4393b8 100644 --- a/.github/workflows/stale-repo-identifier.lock.yml +++ b/.github/workflows/stale-repo-identifier.lock.yml @@ -1081,7 +1081,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/static-analysis-report.lock.yml b/.github/workflows/static-analysis-report.lock.yml index 26727b2430..da12f59fe2 100644 --- a/.github/workflows/static-analysis-report.lock.yml +++ b/.github/workflows/static-analysis-report.lock.yml @@ -1061,7 +1061,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/step-name-alignment.lock.yml b/.github/workflows/step-name-alignment.lock.yml index 1e5bbf99ef..26ae6d43ad 100644 --- a/.github/workflows/step-name-alignment.lock.yml +++ b/.github/workflows/step-name-alignment.lock.yml @@ -1013,7 +1013,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/sub-issue-closer.lock.yml b/.github/workflows/sub-issue-closer.lock.yml index ce5d26c45f..4a891cba8c 100644 --- a/.github/workflows/sub-issue-closer.lock.yml +++ b/.github/workflows/sub-issue-closer.lock.yml @@ -1007,7 +1007,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/super-linter.lock.yml b/.github/workflows/super-linter.lock.yml index 2dac1457e0..48e19a468a 100644 --- a/.github/workflows/super-linter.lock.yml +++ b/.github/workflows/super-linter.lock.yml @@ -969,7 +969,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/technical-doc-writer.lock.yml b/.github/workflows/technical-doc-writer.lock.yml index c134c45ff6..686a2133d0 100644 --- a/.github/workflows/technical-doc-writer.lock.yml +++ b/.github/workflows/technical-doc-writer.lock.yml @@ -1097,7 +1097,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/terminal-stylist.lock.yml b/.github/workflows/terminal-stylist.lock.yml index 30dc2e559f..78892b7fd7 100644 --- a/.github/workflows/terminal-stylist.lock.yml +++ b/.github/workflows/terminal-stylist.lock.yml @@ -919,7 +919,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/test-create-pr-error-handling.lock.yml b/.github/workflows/test-create-pr-error-handling.lock.yml index 3165d176b9..f410f9c07c 100644 --- a/.github/workflows/test-create-pr-error-handling.lock.yml +++ b/.github/workflows/test-create-pr-error-handling.lock.yml @@ -1014,7 +1014,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/test-dispatcher.lock.yml b/.github/workflows/test-dispatcher.lock.yml index b6c6d8cc46..cdd97a6f10 100644 --- a/.github/workflows/test-dispatcher.lock.yml +++ b/.github/workflows/test-dispatcher.lock.yml @@ -861,7 +861,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/test-project-url-default.lock.yml b/.github/workflows/test-project-url-default.lock.yml index 5ac4184c67..c9a4fbdccc 100644 --- a/.github/workflows/test-project-url-default.lock.yml +++ b/.github/workflows/test-project-url-default.lock.yml @@ -1104,7 +1104,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/tidy.lock.yml b/.github/workflows/tidy.lock.yml index de5fe29850..4994c0c2d3 100644 --- a/.github/workflows/tidy.lock.yml +++ b/.github/workflows/tidy.lock.yml @@ -1075,7 +1075,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/typist.lock.yml b/.github/workflows/typist.lock.yml index 22870f625d..130117c67f 100644 --- a/.github/workflows/typist.lock.yml +++ b/.github/workflows/typist.lock.yml @@ -997,7 +997,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/ubuntu-image-analyzer.lock.yml b/.github/workflows/ubuntu-image-analyzer.lock.yml index 62fb2ee935..a13045ce17 100644 --- a/.github/workflows/ubuntu-image-analyzer.lock.yml +++ b/.github/workflows/ubuntu-image-analyzer.lock.yml @@ -981,7 +981,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/unbloat-docs.lock.yml b/.github/workflows/unbloat-docs.lock.yml index a1e46d7cd7..ad1f76e605 100644 --- a/.github/workflows/unbloat-docs.lock.yml +++ b/.github/workflows/unbloat-docs.lock.yml @@ -1238,7 +1238,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/video-analyzer.lock.yml b/.github/workflows/video-analyzer.lock.yml index de12d9c712..20ac245581 100644 --- a/.github/workflows/video-analyzer.lock.yml +++ b/.github/workflows/video-analyzer.lock.yml @@ -963,7 +963,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/weekly-editors-health-check.lock.yml b/.github/workflows/weekly-editors-health-check.lock.yml index 73a5f89062..2bd4f2e9fd 100644 --- a/.github/workflows/weekly-editors-health-check.lock.yml +++ b/.github/workflows/weekly-editors-health-check.lock.yml @@ -1027,7 +1027,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/weekly-issue-summary.lock.yml b/.github/workflows/weekly-issue-summary.lock.yml index 3cf065cf15..1646222d20 100644 --- a/.github/workflows/weekly-issue-summary.lock.yml +++ b/.github/workflows/weekly-issue-summary.lock.yml @@ -989,7 +989,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/weekly-safe-outputs-spec-review.lock.yml b/.github/workflows/weekly-safe-outputs-spec-review.lock.yml index 60d6158863..9c8da0a6f0 100644 --- a/.github/workflows/weekly-safe-outputs-spec-review.lock.yml +++ b/.github/workflows/weekly-safe-outputs-spec-review.lock.yml @@ -947,7 +947,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/workflow-generator.lock.yml b/.github/workflows/workflow-generator.lock.yml index 6a58b678c1..5cc3e0362b 100644 --- a/.github/workflows/workflow-generator.lock.yml +++ b/.github/workflows/workflow-generator.lock.yml @@ -1055,7 +1055,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read timeout-minutes: 10 diff --git a/.github/workflows/workflow-health-manager.lock.yml b/.github/workflows/workflow-health-manager.lock.yml index 7dc957352b..a5740ac7e7 100644 --- a/.github/workflows/workflow-health-manager.lock.yml +++ b/.github/workflows/workflow-health-manager.lock.yml @@ -1132,7 +1132,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/workflow-normalizer.lock.yml b/.github/workflows/workflow-normalizer.lock.yml index 5035bba7cd..1fc06fd0cb 100644 --- a/.github/workflows/workflow-normalizer.lock.yml +++ b/.github/workflows/workflow-normalizer.lock.yml @@ -1003,7 +1003,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/.github/workflows/workflow-skill-extractor.lock.yml b/.github/workflows/workflow-skill-extractor.lock.yml index 706342fc09..8dc26aa52e 100644 --- a/.github/workflows/workflow-skill-extractor.lock.yml +++ b/.github/workflows/workflow-skill-extractor.lock.yml @@ -1006,7 +1006,7 @@ jobs: detection: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: read concurrency: diff --git a/pkg/parser/schemas/main_workflow_schema.json b/pkg/parser/schemas/main_workflow_schema.json index e1a1937b96..f720ab7e21 100644 --- a/pkg/parser/schemas/main_workflow_schema.json +++ b/pkg/parser/schemas/main_workflow_schema.json @@ -6612,9 +6612,9 @@ "$ref": "#/$defs/githubActionsStep" } }, - "run-on": { + "runs-on": { "type": "string", - "description": "Runner specification for the detection job. Overrides safe-outputs.runs-on for the detection job only. Defaults to safe-outputs.runs-on, then ubuntu-latest." + "description": "Runner specification for the detection job. Overrides agent.runs-on for the detection job only. Defaults to agent.runs-on." } }, "additionalProperties": false diff --git a/pkg/workflow/safe_outputs_config_helpers.go b/pkg/workflow/safe_outputs_config_helpers.go index 6856b5eafc..035a6f1490 100644 --- a/pkg/workflow/safe_outputs_config_helpers.go +++ b/pkg/workflow/safe_outputs_config_helpers.go @@ -122,17 +122,13 @@ func (c *Compiler) formatSafeOutputsRunsOn(safeOutputs *SafeOutputsConfig) strin } // formatDetectionRunsOn resolves the runner for the detection job using the following priority: -// 1. safe-outputs.detection.run-on (detection-specific override) -// 2. safe-outputs.runs-on (global safe-outputs runner) -// 3. ubuntu-latest (default) -func (c *Compiler) formatDetectionRunsOn(safeOutputs *SafeOutputsConfig) string { +// 1. safe-outputs.detection.runs-on (detection-specific override) +// 2. agentRunsOn (the agent job's runner, passed by the caller) +func (c *Compiler) formatDetectionRunsOn(safeOutputs *SafeOutputsConfig, agentRunsOn string) string { if safeOutputs != nil && safeOutputs.ThreatDetection != nil && safeOutputs.ThreatDetection.RunsOn != "" { return "runs-on: " + safeOutputs.ThreatDetection.RunsOn } - if safeOutputs != nil && safeOutputs.RunsOn != "" { - return "runs-on: " + safeOutputs.RunsOn - } - return "runs-on: " + constants.DefaultActivationJobRunnerImage + return agentRunsOn } // builtinSafeOutputFields contains the struct field names for the built-in safe output types diff --git a/pkg/workflow/safe_outputs_runs_on_test.go b/pkg/workflow/safe_outputs_runs_on_test.go index 85356ef6dc..14724db676 100644 --- a/pkg/workflow/safe_outputs_runs_on_test.go +++ b/pkg/workflow/safe_outputs_runs_on_test.go @@ -246,7 +246,7 @@ func TestDetectionJobRunsOnResolution(t *testing.T) { expectedRunsOn string }{ { - name: "detection uses safe-outputs runs-on when no detection run-on", + name: "detection uses agent runs-on by default (not safe-outputs runs-on)", frontmatter: `--- on: push safe-outputs: @@ -258,10 +258,10 @@ safe-outputs: # Test Workflow This is a test workflow.`, - expectedRunsOn: "runs-on: self-hosted", + expectedRunsOn: "runs-on: ubuntu-latest", }, { - name: "detection run-on overrides safe-outputs runs-on", + name: "detection runs-on overrides agent runs-on", frontmatter: `--- on: push safe-outputs: @@ -269,7 +269,7 @@ safe-outputs: title-prefix: "[ai] " runs-on: self-hosted threat-detection: - run-on: detection-runner + runs-on: detection-runner --- # Test Workflow @@ -278,7 +278,7 @@ This is a test workflow.`, expectedRunsOn: "runs-on: detection-runner", }, { - name: "detection falls back to ubuntu-latest when no runs-on configured", + name: "detection falls back to agent runs-on (ubuntu-latest) when no runs-on configured", frontmatter: `--- on: push safe-outputs: @@ -289,7 +289,7 @@ safe-outputs: # Test Workflow This is a test workflow.`, - expectedRunsOn: "runs-on: " + constants.DefaultActivationJobRunnerImage, + expectedRunsOn: "runs-on: ubuntu-latest", }, } diff --git a/pkg/workflow/threat_detection.go b/pkg/workflow/threat_detection.go index a3fef9f1c3..ecdafff0d1 100644 --- a/pkg/workflow/threat_detection.go +++ b/pkg/workflow/threat_detection.go @@ -16,7 +16,7 @@ type ThreatDetectionConfig struct { Steps []any `yaml:"steps,omitempty"` // Array of extra job steps EngineConfig *EngineConfig `yaml:"engine-config,omitempty"` // Extended engine configuration for threat detection EngineDisabled bool `yaml:"-"` // Internal flag: true when engine is explicitly set to false - RunsOn string `yaml:"run-on,omitempty"` // Runner override for the detection job + RunsOn string `yaml:"runs-on,omitempty"` // Runner override for the detection job } // parseThreatDetectionConfig handles threat-detection configuration @@ -65,8 +65,8 @@ func (c *Compiler) parseThreatDetectionConfig(outputMap map[string]any) *ThreatD } } - // Parse run-on field - if runOn, exists := configMap["run-on"]; exists { + // Parse runs-on field + if runOn, exists := configMap["runs-on"]; exists { if runOnStr, ok := runOn.(string); ok { threatConfig.RunsOn = runOnStr } @@ -149,7 +149,7 @@ func (c *Compiler) buildThreatDetectionJob(data *WorkflowData, mainJobName strin job := &Job{ Name: string(constants.DetectionJobName), If: condition.Render(), - RunsOn: c.formatDetectionRunsOn(data.SafeOutputs), + RunsOn: c.formatDetectionRunsOn(data.SafeOutputs, data.RunsOn), Permissions: permissions, Concurrency: c.indentYAMLLines(agentConcurrency, " "), TimeoutMinutes: 10, diff --git a/pkg/workflow/threat_detection_test.go b/pkg/workflow/threat_detection_test.go index a920246a40..f02c894257 100644 --- a/pkg/workflow/threat_detection_test.go +++ b/pkg/workflow/threat_detection_test.go @@ -112,10 +112,10 @@ func TestParseThreatDetectionConfig(t *testing.T) { }, }, { - name: "object with run-on override", + name: "object with runs-on override", outputMap: map[string]any{ "threat-detection": map[string]any{ - "run-on": "self-hosted", + "runs-on": "self-hosted", }, }, expectedConfig: &ThreatDetectionConfig{ @@ -159,51 +159,57 @@ func TestFormatDetectionRunsOn(t *testing.T) { tests := []struct { name string safeOutputs *SafeOutputsConfig + agentRunsOn string expectedRunsOn string }{ { - name: "nil safe outputs returns default", + name: "nil safe outputs uses agent runs-on", safeOutputs: nil, - expectedRunsOn: "runs-on: " + constants.DefaultActivationJobRunnerImage, + agentRunsOn: "runs-on: ubuntu-latest", + expectedRunsOn: "runs-on: ubuntu-latest", }, { - name: "detection run-on takes priority over safe-outputs runs-on", + name: "detection runs-on takes priority over agent runs-on", safeOutputs: &SafeOutputsConfig{ RunsOn: "self-hosted", ThreatDetection: &ThreatDetectionConfig{ RunsOn: "detection-runner", }, }, + agentRunsOn: "runs-on: ubuntu-latest", expectedRunsOn: "runs-on: detection-runner", }, { - name: "falls back to safe-outputs runs-on when detection run-on is empty", + name: "falls back to agent runs-on when detection runs-on is empty", safeOutputs: &SafeOutputsConfig{ RunsOn: "self-hosted", ThreatDetection: &ThreatDetectionConfig{}, }, - expectedRunsOn: "runs-on: self-hosted", + agentRunsOn: "runs-on: my-agent-runner", + expectedRunsOn: "runs-on: my-agent-runner", }, { - name: "falls back to default when both detection run-on and safe-outputs runs-on are empty", + name: "falls back to agent runs-on when both detection and safe-outputs runs-on are empty", safeOutputs: &SafeOutputsConfig{ ThreatDetection: &ThreatDetectionConfig{}, }, - expectedRunsOn: "runs-on: " + constants.DefaultActivationJobRunnerImage, + agentRunsOn: "runs-on: ubuntu-latest", + expectedRunsOn: "runs-on: ubuntu-latest", }, { - name: "nil threat detection still uses safe-outputs runs-on", + name: "nil threat detection uses agent runs-on", safeOutputs: &SafeOutputsConfig{ RunsOn: "windows-latest", ThreatDetection: nil, }, - expectedRunsOn: "runs-on: windows-latest", + agentRunsOn: "runs-on: my-agent-runner", + expectedRunsOn: "runs-on: my-agent-runner", }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - result := compiler.formatDetectionRunsOn(tt.safeOutputs) + result := compiler.formatDetectionRunsOn(tt.safeOutputs, tt.agentRunsOn) if result != tt.expectedRunsOn { t.Errorf("Expected runs-on %q, got %q", tt.expectedRunsOn, result) } @@ -235,6 +241,7 @@ func TestBuildThreatDetectionJob(t *testing.T) { { name: "threat detection enabled should create job", data: &WorkflowData{ + RunsOn: "runs-on: ubuntu-latest", SafeOutputs: &SafeOutputsConfig{ ThreatDetection: &ThreatDetectionConfig{}, }, @@ -246,6 +253,7 @@ func TestBuildThreatDetectionJob(t *testing.T) { { name: "threat detection with custom steps should create job", data: &WorkflowData{ + RunsOn: "runs-on: ubuntu-latest", SafeOutputs: &SafeOutputsConfig{ ThreatDetection: &ThreatDetectionConfig{ Steps: []any{ @@ -295,14 +303,10 @@ func TestBuildThreatDetectionJob(t *testing.T) { if job.Name != string(constants.DetectionJobName) { t.Errorf("Expected job name 'detection', got %q", job.Name) } - // Detection job uses formatDetectionRunsOn: safe-outputs.detection.run-on > safe-outputs.runs-on > default - expectedRunsOn := "runs-on: " + constants.DefaultActivationJobRunnerImage - if tt.data.SafeOutputs != nil { - if tt.data.SafeOutputs.ThreatDetection != nil && tt.data.SafeOutputs.ThreatDetection.RunsOn != "" { - expectedRunsOn = "runs-on: " + tt.data.SafeOutputs.ThreatDetection.RunsOn - } else if tt.data.SafeOutputs.RunsOn != "" { - expectedRunsOn = "runs-on: " + tt.data.SafeOutputs.RunsOn - } + // Detection job uses formatDetectionRunsOn: safe-outputs.detection.runs-on > agent.runs-on + expectedRunsOn := tt.data.RunsOn + if tt.data.SafeOutputs != nil && tt.data.SafeOutputs.ThreatDetection != nil && tt.data.SafeOutputs.ThreatDetection.RunsOn != "" { + expectedRunsOn = "runs-on: " + tt.data.SafeOutputs.ThreatDetection.RunsOn } if job.RunsOn != expectedRunsOn { t.Errorf("Expected %q runner, got %q", expectedRunsOn, job.RunsOn)