Copilot AI commented Jan 9, 2026

GitHub released ubuntu-slim as an officially supported hosted runner. The pr_runs_on_self_hosted rule was incorrectly flagging it as a self-hosted runner.

Changes

  • Updated regex pattern in opa/rego/poutine/utils.rego to recognize ubuntu-slim as built-in
  • Added test case in opa/opa_test.go to verify ubuntu-slim is not flagged as self-hosted
  • Added workflow smoke test with ubuntu_slim job in scanner/testdata/.github/workflows/allowed_pr_runner.yml to demonstrate ubuntu-slim works correctly in PR workflows
  • Updated test expectations in scanner/inventory_test.go to account for line number changes
# Before: only ubuntu-{XX.04|latest|latest-N-cores} recognized
"(?i)^((ubuntu-(([0-9]{2})\\.04|latest(-(4|8|16)-cores)?)|macos-...))$"

# After: ubuntu-slim now included
"(?i)^((ubuntu-(([0-9]{2})\\.04|latest(-(4|8|16)-cores)?|slim)|macos-...))$"

Workflows using ubuntu-slim will no longer trigger false positive warnings for self-hosted runner usage.

Original prompt

This section details the original issue you should resolve

<issue_title>ubuntu-slim</issue_title>
<issue_description>Is your feature request related to a problem? Please describe.
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]

ubuntu-slim is a new gh action runner image.

Describe the solution you'd like
A clear and concise description of what you want to happen.

Treat ubuntu-slim as builtin and not raise warnings for PRs using it</issue_description>

<agent_instructions>ubuntu-slim is a new officially supported GitHub Actions hosted runner. Similar to ubuntu-latest. We have a Rego rule (opa/rego/poutine/utils.rego) which needs to be updated to support this, plus there are test cases to validate the self-hosted runner rule will only trip when it's not considered built-in</agent_instructions>

Comments on the Issue (you are @copilot in this section)
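As an added illustration (not code from the poutine project), the before and after patterns quoted in the description reduced to their ubuntu branch (the macos branch is elided above and is omitted here too), applied to constructed runs-on labels with Go's regexp package; IsSelfHosted and FlaggedLabels are hypothetical helper names that mirror the rule's "not built-in means self-hosted" logic:

```go
package main

import (
	"fmt"
	"regexp"
)

// Constructed reductions of the built-in runner pattern from the PR description:
// only the ubuntu alternative is reproduced, the macos alternative is left out.
var (
	// Before the fix: ubuntu-XX.04, ubuntu-latest and ubuntu-latest-N-cores only.
	builtinBefore = regexp.MustCompile(`(?i)^ubuntu-(([0-9]{2})\.04|latest(-(4|8|16)-cores)?)$`)
	// After the fix: the slim alternative is added alongside the others.
	builtinAfter = regexp.MustCompile(`(?i)^ubuntu-(([0-9]{2})\.04|latest(-(4|8|16)-cores)?|slim)$`)
)

// IsSelfHosted (hypothetical helper) treats any runs-on label that does not
// match the built-in pattern as a self-hosted runner, as the rule does.
func IsSelfHosted(builtin *regexp.Regexp, label string) bool {
	return !builtin.MatchString(label)
}

// FlaggedLabels (hypothetical helper) returns the labels from a job's runs-on
// list that the rule would report, preserving their order.
func FlaggedLabels(builtin *regexp.Regexp, runsOn []string) []string {
	var flagged []string
	for _, label := range runsOn {
		if IsSelfHosted(builtin, label) {
			flagged = append(flagged, label)
		}
	}
	return flagged
}

func main() {
	// Constructed sample labels, including the new ubuntu-slim image.
	labels := []string{"ubuntu-latest", "ubuntu-24.04", "ubuntu-latest-8-cores", "ubuntu-slim", "self-hosted", "my-runner"}
	fmt.Println("before:", FlaggedLabels(builtinBefore, labels)) // ubuntu-slim is a false positive here
	fmt.Println("after: ", FlaggedLabels(builtinAfter, labels))  // only the genuinely custom labels remain
}
```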



Copilot AI changed the title [WIP] Update Rego rule to treat ubuntu-slim as built-in Add ubuntu-slim as built-in GitHub Actions runner Jan 9, 2026
@fproulx-boostsecurity fproulx-boostsecurity marked this pull request as ready for review January 9, 2026 03:25
@fproulx-boostsecurity fproulx-boostsecurity requested a review from a team as a code owner January 9, 2026 03:25
@fproulx-boostsecurity

@copilot it would be great to add a proper test case (with ubuntu-slim) as a GitHub Actions workflow file (similar to other basic smoke test with ubuntu-latest)


Copilot AI commented Jan 9, 2026

@copilot it would be great to add a proper test case (with ubuntu-slim) as a GitHub Actions workflow file (similar to other basic smoke test with ubuntu-latest)

Added an ubuntu_slim job to the allowed_pr_runner.yml workflow test file that uses the ubuntu-slim runner with a pull_request trigger. The test validates that workflows using ubuntu-slim don't trigger the pr_runs_on_self_hosted rule. (commit b607d04)

@fproulx-boostsecurity

Closes #383

@fproulx-boostsecurity fproulx-boostsecurity mentioned this pull request Jan 9, 2026
@fproulx-boostsecurity fproulx-boostsecurity merged commit 5760250 into main Jan 9, 2026
11 checks passed
@fproulx-boostsecurity fproulx-boostsecurity deleted the copilot/update-rego-rule-for-ubuntu-slim branch January 9, 2026 14:10