From eedef515f7c23b4edf73a0e9f58772d93429db31 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jaroslav=20Loba=C4=8Devski?= Date: Fri, 12 Jun 2026 07:50:02 +0000 Subject: [PATCH] Updated regex. Added test and change note. --- actions/ql/lib/change-notes/2026-06-12.md | 4 ++ .../actions/security/SelfHostedQuery.qll | 10 +++-- .../CWE-284/.github/workflows/test3.yml | 43 +++++++++++++++++++ 3 files changed, 53 insertions(+), 4 deletions(-) create mode 100644 actions/ql/lib/change-notes/2026-06-12.md create mode 100644 actions/ql/test/query-tests/Security/CWE-284/.github/workflows/test3.yml diff --git a/actions/ql/lib/change-notes/2026-06-12.md b/actions/ql/lib/change-notes/2026-06-12.md new file mode 100644 index 00000000000..8fbf902b6ee --- /dev/null +++ b/actions/ql/lib/change-notes/2026-06-12.md @@ -0,0 +1,4 @@ +--- +category: fix +--- +* The query `actions/pr-on-self-hosted-runner` was updated to the latest standard runner labels reducing false positive results. \ No newline at end of file diff --git a/actions/ql/lib/codeql/actions/security/SelfHostedQuery.qll b/actions/ql/lib/codeql/actions/security/SelfHostedQuery.qll index bb4437d803e..3a65771c174 100644 --- a/actions/ql/lib/codeql/actions/security/SelfHostedQuery.qll +++ b/actions/ql/lib/codeql/actions/security/SelfHostedQuery.qll @@ -2,10 +2,12 @@ import actions bindingset[runner] predicate isGithubHostedRunner(string runner) { - // list of github hosted repos: https://github.com/actions/runner-images/blob/main/README.md#available-images - runner - .toLowerCase() - .regexpMatch("^(ubuntu-([0-9.]+|latest)(-arm)?|macos-([0-9]+|latest)(-x?large|-intel)?|windows-([0-9.]+|latest)(-arm|-vs[0-9.]+)?)$") + // The list of github hosted repos: + // https://github.com/actions/runner-images/blob/main/README.md#available-images + // https://docs.github.com/en/enterprise-cloud@latest/actions/how-tos/write-workflows/choose-where-workflows-run/choose-the-runner-for-a-job#standard-github-hosted-runners-for-public-repositories + runner.toLowerCase().regexpMatch("^ubuntu-([0-9.]+|latest|slim)(-arm)?$") or + runner.toLowerCase().regexpMatch("^macos-([0-9]+|latest)(-x?large|-intel)?$") or + runner.toLowerCase().regexpMatch("^windows-([0-9.]+|latest)(-vs[0-9.]+)?(-arm)?$") } bindingset[runner] diff --git a/actions/ql/test/query-tests/Security/CWE-284/.github/workflows/test3.yml b/actions/ql/test/query-tests/Security/CWE-284/.github/workflows/test3.yml new file mode 100644 index 00000000000..b1fe9fa0caa --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-284/.github/workflows/test3.yml @@ -0,0 +1,43 @@ +name: test + +on: + pull_request: + +jobs: + test: + strategy: + fail-fast: false + matrix: + os: + - ubuntu-latest + - ubuntu-24.04 + - ubuntu-24.04-arm + - ubuntu-22.04 + - ubuntu-22.04-arm + - ubuntu-26.04 + - ubuntu-26.04-arm + - ubuntu-slim + - macos-26 + - macos-26-xlarge + - macos-26-intel + - macos-26-large + - macos-latest-large + - macos-15-large + - macos-15 + - macos-15-intel + - macos-latest + - macos-15 + - macos-15-xlarge + - macos-14-large + - macos-14 + - macos-14-xlarge + - windows-2025-vs2026 + - windows-latest + - windows-2025 + - windows-2022 + - windows-11 + - windows-11-arm + - windows-11-vs2026-arm + runs-on: ${{ matrix.os }} + steps: + - run: cmd