From 9078b511c678a5b6db9135b3c2d6563c4faa5038 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jaroslav=20Loba=C4=8Devski?= <jarlob@github.com>
Date: Fri, 12 Jun 2026 09:37:18 +0300
Subject: [PATCH 1/3] Update regex for GitHub hosted runner matching

Fixes false positives (of critical severity). New label naming conventions were introduced since the query was initially written.
---
 actions/ql/lib/codeql/actions/security/SelfHostedQuery.qll | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/actions/ql/lib/codeql/actions/security/SelfHostedQuery.qll b/actions/ql/lib/codeql/actions/security/SelfHostedQuery.qll
index 14d36ef0fa85..bb4437d803ec 100644
--- a/actions/ql/lib/codeql/actions/security/SelfHostedQuery.qll
+++ b/actions/ql/lib/codeql/actions/security/SelfHostedQuery.qll
@@ -5,7 +5,7 @@ predicate isGithubHostedRunner(string runner) {
   // list of github hosted repos: https://github.com/actions/runner-images/blob/main/README.md#available-images
   runner
       .toLowerCase()
-      .regexpMatch("^(ubuntu-([0-9.]+|latest)|macos-([0-9]+|latest)(-x?large)?|windows-([0-9.]+|latest))$")
+      .regexpMatch("^(ubuntu-([0-9.]+|latest)(-arm)?|macos-([0-9]+|latest)(-x?large|-intel)?|windows-([0-9.]+|latest)(-arm|-vs[0-9.]+)?)$")
 }
 
 bindingset[runner]

From eedef515f7c23b4edf73a0e9f58772d93429db31 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jaroslav=20Loba=C4=8Devski?= <jarlob@github.com>
Date: Fri, 12 Jun 2026 07:50:02 +0000
Subject: [PATCH 2/3] Updated regex. Added test and change note.

---
 actions/ql/lib/change-notes/2026-06-12.md     |  4 ++
 .../actions/security/SelfHostedQuery.qll      | 10 +++--
 .../CWE-284/.github/workflows/test3.yml       | 43 +++++++++++++++++++
 3 files changed, 53 insertions(+), 4 deletions(-)
 create mode 100644 actions/ql/lib/change-notes/2026-06-12.md
 create mode 100644 actions/ql/test/query-tests/Security/CWE-284/.github/workflows/test3.yml

diff --git a/actions/ql/lib/change-notes/2026-06-12.md b/actions/ql/lib/change-notes/2026-06-12.md
new file mode 100644
index 000000000000..8fbf902b6ee3
--- /dev/null
+++ b/actions/ql/lib/change-notes/2026-06-12.md
@@ -0,0 +1,4 @@
+---
+category: fix
+---
+* The query `actions/pr-on-self-hosted-runner` was updated to the latest standard runner labels reducing false positive results.
\ No newline at end of file
diff --git a/actions/ql/lib/codeql/actions/security/SelfHostedQuery.qll b/actions/ql/lib/codeql/actions/security/SelfHostedQuery.qll
index bb4437d803ec..3a65771c1745 100644
--- a/actions/ql/lib/codeql/actions/security/SelfHostedQuery.qll
+++ b/actions/ql/lib/codeql/actions/security/SelfHostedQuery.qll
@@ -2,10 +2,12 @@ import actions
 
 bindingset[runner]
 predicate isGithubHostedRunner(string runner) {
-  // list of github hosted repos: https://github.com/actions/runner-images/blob/main/README.md#available-images
-  runner
-      .toLowerCase()
-      .regexpMatch("^(ubuntu-([0-9.]+|latest)(-arm)?|macos-([0-9]+|latest)(-x?large|-intel)?|windows-([0-9.]+|latest)(-arm|-vs[0-9.]+)?)$")
+  // The list of github hosted repos:
+  // https://github.com/actions/runner-images/blob/main/README.md#available-images
+  // https://docs.github.com/en/enterprise-cloud@latest/actions/how-tos/write-workflows/choose-where-workflows-run/choose-the-runner-for-a-job#standard-github-hosted-runners-for-public-repositories
+  runner.toLowerCase().regexpMatch("^ubuntu-([0-9.]+|latest|slim)(-arm)?$") or
+  runner.toLowerCase().regexpMatch("^macos-([0-9]+|latest)(-x?large|-intel)?$") or
+  runner.toLowerCase().regexpMatch("^windows-([0-9.]+|latest)(-vs[0-9.]+)?(-arm)?$")
 }
 
 bindingset[runner]
diff --git a/actions/ql/test/query-tests/Security/CWE-284/.github/workflows/test3.yml b/actions/ql/test/query-tests/Security/CWE-284/.github/workflows/test3.yml
new file mode 100644
index 000000000000..b1fe9fa0caa6
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-284/.github/workflows/test3.yml
@@ -0,0 +1,43 @@
+name: test
+
+on:
+  pull_request:
+
+jobs:
+  test:
+    strategy:
+      fail-fast: false
+      matrix:
+        os:
+          - ubuntu-latest
+          - ubuntu-24.04
+          - ubuntu-24.04-arm
+          - ubuntu-22.04
+          - ubuntu-22.04-arm
+          - ubuntu-26.04
+          - ubuntu-26.04-arm
+          - ubuntu-slim
+          - macos-26
+          - macos-26-xlarge
+          - macos-26-intel
+          - macos-26-large
+          - macos-latest-large
+          - macos-15-large
+          - macos-15
+          - macos-15-intel
+          - macos-latest
+          - macos-15
+          - macos-15-xlarge
+          - macos-14-large
+          - macos-14
+          - macos-14-xlarge
+          - windows-2025-vs2026
+          - windows-latest
+          - windows-2025
+          - windows-2022
+          - windows-11
+          - windows-11-arm
+          - windows-11-vs2026-arm
+    runs-on: ${{ matrix.os }}
+    steps:
+      - run: cmd

From bea55224731601a3b6ab8679c5c4045fbc47eed0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jaroslav=20Loba=C4=8Devski?= <jarlob@github.com>
Date: Fri, 12 Jun 2026 07:52:34 +0000
Subject: [PATCH 3/3] rename change note

---
 .../{2026-06-12.md => 2026-06-12-self_hosted_runners.md}          | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename actions/ql/lib/change-notes/{2026-06-12.md => 2026-06-12-self_hosted_runners.md} (100%)

diff --git a/actions/ql/lib/change-notes/2026-06-12.md b/actions/ql/lib/change-notes/2026-06-12-self_hosted_runners.md
similarity index 100%
rename from actions/ql/lib/change-notes/2026-06-12.md
rename to actions/ql/lib/change-notes/2026-06-12-self_hosted_runners.md