From 9078b511c678a5b6db9135b3c2d6563c4faa5038 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jaroslav=20Loba=C4=8Devski?=
Date: Fri, 12 Jun 2026 09:37:18 +0300
Subject: [PATCH] Update regex for GitHub hosted runner matching

Fixes false positives (of critical severity). New label naming conventions were introduced since the query was initially written.
---
 actions/ql/lib/codeql/actions/security/SelfHostedQuery.qll | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/actions/ql/lib/codeql/actions/security/SelfHostedQuery.qll b/actions/ql/lib/codeql/actions/security/SelfHostedQuery.qll
index 14d36ef0fa8..bb4437d803e 100644
--- a/actions/ql/lib/codeql/actions/security/SelfHostedQuery.qll
+++ b/actions/ql/lib/codeql/actions/security/SelfHostedQuery.qll
@@ -5,7 +5,7 @@ predicate isGithubHostedRunner(string runner) {
   // list of github hosted repos: https://github.com/actions/runner-images/blob/main/README.md#available-images
   runner
       .toLowerCase()
-      .regexpMatch("^(ubuntu-([0-9.]+|latest)|macos-([0-9]+|latest)(-x?large)?|windows-([0-9.]+|latest))$")
+      .regexpMatch("^(ubuntu-([0-9.]+|latest)(-arm)?|macos-([0-9]+|latest)(-x?large|-intel)?|windows-([0-9.]+|latest)(-arm|-vs[0-9.]+)?)$")
 }
 
 bindingset[runner]
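Review bot: The widened alternation in `isGithubHostedRunner` ships without a test (the diffstat shows only the `.qll` changed), and every label it accepts is presumably dropped from the self-hosted-runner results, so each new optional suffix is also a possible false negative. The optional groups attach to every version, so the pattern accepts combinations that may not be published images (a `-arm` suffix on any `windows-` version, for instance), and `-vs[0-9.]+` matches a bare run of dots. Tightening the last group to `(-arm|-vs[0-9]+)?` would cost nothing if the suffix is always a plain number, which the README linked in the comment should confirm. I would add test workflows with one `runs-on` per newly accepted label plus a near-miss custom label that must still be reported, so the next naming change shows up as a test diff rather than as a critical alert. How the query uses this predicate is outside the hunk, so the false-negative concern is inferred from the file name and the commit message.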