fix: add safe-outputs.threat-detection.runs-on override for the detection job runner#28287
Closed
Conversation
…tputs.runs-on The detection job previously defaulted to ubuntu-latest regardless of any runs-on or runs-on-slim frontmatter settings. Now the precedence is: 1. safe-outputs.threat-detection.runs-on (highest) 2. safe-outputs.runs-on 3. runs-on-slim 4. ubuntu-latest (default) Adds formatDetectionJobRunsOn() helper, tests, and updated docs." Agent-Logs-Url: https://github.com/github/gh-aw/sessions/09ad97a3-118c-4077-acae-d2ee8efde6ac Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
…ssert.Equal in tests Agent-Logs-Url: https://github.com/github/gh-aw/sessions/09ad97a3-118c-4077-acae-d2ee8efde6ac Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot (AI) changed the title from "[WIP] Fix detection step runs-on not inherited from runs-on or runs-on-slim" to "fix: detection job does not inherit runs-on from runs-on-slim or safe-outputs.runs-on" on Apr 24, 2026
pelikhan reviewed on Apr 24, 2026
Comment on lines +59 to +62:

```go
if data.RunsOnSlim != "" {
	safeOutputsRuntimeLog.Printf("Detection job runs-on from runs-on-slim: %s", data.RunsOnSlim)
	return "runs-on: " + data.RunsOnSlim
}
safeOutputsRuntimeLog.Printf("Detection job runs-on from threat-detection config: %s", td.RunsOn)
return "runs-on: " + td.RunsOn
}
if so.RunsOn != "" {
```
Collaborator: @copilot should not rely on safe-outputs.runs-on
Author (Contributor): Reverted in 01a2e6e. The detection job now only uses safe-outputs.threat-detection.runs-on and defaults to ubuntu-latest; safe-outputs.runs-on and runs-on-slim no longer propagate to it.
…runs-on override is supported Per reviewer feedback, the detection job should not inherit from safe-outputs.runs-on or runs-on-slim. It always defaults to ubuntu-latest unless safe-outputs.threat-detection.runs-on is explicitly set. Update tests and docs accordingly. Agent-Logs-Url: https://github.com/github/gh-aw/sessions/1ad21e49-e78c-4836-b733-ca9ed34e0329 Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot (AI) changed the title from "fix: detection job does not inherit runs-on from runs-on-slim or safe-outputs.runs-on" to "fix: add safe-outputs.threat-detection.runs-on override for the detection job runner" on Apr 24, 2026
The `detection` job always used `ubuntu-latest` with no way to override it from within the workflow frontmatter. Unlike other framework jobs, the detection job intentionally does not inherit `runs-on-slim` or `safe-outputs.runs-on` because it has different networking and compute requirements.

Changes

- `safe_outputs_runtime.go`: New `formatDetectionJobRunsOn()` helper: uses `safe-outputs.threat-detection.runs-on` when set, otherwise defaults to `ubuntu-latest`.
- `threat_detection.go`: `buildDetectionJob` now delegates to `formatDetectionJobRunsOn()` instead of the inline hardcoded value.
- `safe_outputs_runs_on_test.go`: Unit tests for the new helper and integration tests asserting that the detection job section uses the expected runner and that `runs-on-slim`/`safe-outputs.runs-on` do not bleed through.
- `self-hosted-runners.md`: Restored original documentation wording: detection job defaults to `ubuntu-latest`; override with `safe-outputs.threat-detection.runs-on`.

Example

To run the detection job on a specific runner (e.g. when your self-hosted runner lacks outbound internet access for AI detection):

Without `threat-detection.runs-on`, the detection job always uses `ubuntu-latest` regardless of `runs-on-slim` or `safe-outputs.runs-on`.
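The two runner-selection rules argued over in this review, side by side, as an added example that is not gh-aw's own code: the precedence chain from the PR's first revision (threat-detection.runs-on, then safe-outputs.runs-on, then runs-on-slim, then ubuntu-latest), which the reviewer rejected, and the final rule in which only `safe-outputs.threat-detection.runs-on` can move the detection job off `ubuntu-latest`. The struct and field names (`WorkflowData`, `SafeOutputsConfig`, `ThreatDetectionConfig`) are assumptions modelled on the identifiers visible in the review snippet (`data.RunsOnSlim`, `so.RunsOn`, `td.RunsOn`), runner values are plain strings as in that snippet, and `detectionRunnerBleedsThrough` is a hypothetical helper that states the "does not bleed through" property the PR's integration tests are described as asserting; the frontmatter values are constructed.

```go
package main

import "fmt"

// Assumed shapes, not gh-aw's real types: they model only the three
// frontmatter settings the PR discusses.

// ThreatDetectionConfig holds safe-outputs.threat-detection.* settings.
type ThreatDetectionConfig struct {
	RunsOn string // safe-outputs.threat-detection.runs-on
}

// SafeOutputsConfig holds safe-outputs.* settings.
type SafeOutputsConfig struct {
	RunsOn          string                 // safe-outputs.runs-on
	ThreatDetection *ThreatDetectionConfig // safe-outputs.threat-detection
}

// WorkflowData holds the top-level frontmatter fields relevant here.
type WorkflowData struct {
	RunsOnSlim  string             // runs-on-slim
	SafeOutputs *SafeOutputsConfig // safe-outputs
}

const defaultDetectionRunner = "ubuntu-latest"

// threatDetectionRunsOn returns safe-outputs.threat-detection.runs-on, or ""
// when any level of the nested config is absent.
func threatDetectionRunsOn(data *WorkflowData) string {
	if data == nil || data.SafeOutputs == nil || data.SafeOutputs.ThreatDetection == nil {
		return ""
	}
	return data.SafeOutputs.ThreatDetection.RunsOn
}

// formatDetectionJobRunsOnChained reproduces the precedence chain of the PR's
// first revision, which the reviewer rejected: threat-detection.runs-on, then
// safe-outputs.runs-on, then runs-on-slim, then the default.
func formatDetectionJobRunsOnChained(data *WorkflowData) string {
	if v := threatDetectionRunsOn(data); v != "" {
		return "runs-on: " + v
	}
	if data != nil && data.SafeOutputs != nil && data.SafeOutputs.RunsOn != "" {
		return "runs-on: " + data.SafeOutputs.RunsOn
	}
	if data != nil && data.RunsOnSlim != "" {
		return "runs-on: " + data.RunsOnSlim
	}
	return "runs-on: " + defaultDetectionRunner
}

// formatDetectionJobRunsOnFinal implements the behaviour the merged PR
// describes: only safe-outputs.threat-detection.runs-on can move the
// detection job off ubuntu-latest.
func formatDetectionJobRunsOnFinal(data *WorkflowData) string {
	if v := threatDetectionRunsOn(data); v != "" {
		return "runs-on: " + v
	}
	return "runs-on: " + defaultDetectionRunner
}

// detectionRunnerBleedsThrough (hypothetical helper) reports whether a setting
// meant for other jobs (runs-on-slim or safe-outputs.runs-on) changed the
// detection runner even though threat-detection.runs-on was not set.
func detectionRunnerBleedsThrough(data *WorkflowData, format func(*WorkflowData) string) bool {
	if threatDetectionRunsOn(data) != "" {
		return false // an explicit override is not bleed-through
	}
	return format(data) != "runs-on: "+defaultDetectionRunner
}

func main() {
	// Constructed frontmatter: a self-hosted runner for safe-outputs jobs, a
	// slim runner for framework jobs, and no explicit detection runner.
	data := &WorkflowData{
		RunsOnSlim:  "self-hosted-slim",
		SafeOutputs: &SafeOutputsConfig{RunsOn: "self-hosted-agent"},
	}
	fmt.Println("chained:", formatDetectionJobRunsOnChained(data),
		"bleed:", detectionRunnerBleedsThrough(data, formatDetectionJobRunsOnChained))
	fmt.Println("final:  ", formatDetectionJobRunsOnFinal(data),
		"bleed:", detectionRunnerBleedsThrough(data, formatDetectionJobRunsOnFinal))

	// With the explicit override set, both rules agree.
	data.SafeOutputs.ThreatDetection = &ThreatDetectionConfig{RunsOn: "detection-runner"}
	fmt.Println("override:", formatDetectionJobRunsOnFinal(data))
}
```

The point of the `bleed` check is the reviewer's objection: with the chained rule, a `safe-outputs.runs-on` set for the safe-outputs jobs silently relocates the detection job as well, which matters because that job has its own networking and compute requirements; the final rule only ever honours the explicit `threat-detection.runs-on` key.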