Add support for runs-on field under safe-outputs that allow to configure a custom runner for the jobs support the safe-outputs feature (all jobs that are non-agentic like activation, create_issue, ....) (#1096)

Copilot · pelikhan · web-flow · commit d1f129815855 · 2025-09-29T09:31:48.000-07:00
* Initial plan

* Implement runs-on support for safe-outputs jobs

Co-authored-by: pelikhan &lt;4175913+pelikhan@users.noreply.github.com&gt;

* Remove array format support for runs-on, only support single string values

Co-authored-by: pelikhan &lt;4175913+pelikhan@users.noreply.github.com&gt;

* lint

---------

Co-authored-by: copilot-swe-agent[bot] &lt;198982749+Copilot@users.noreply.github.com&gt;
Co-authored-by: Peli de Halleux &lt;pelikhan@users.noreply.github.com&gt;
Co-authored-by: pelikhan &lt;4175913+pelikhan@users.noreply.github.com&gt;
diff --git a/pkg/parser/schemas/main_workflow_schema.json b/pkg/parser/schemas/main_workflow_schema.json
@@ -1863,6 +1863,10 @@
             }
           },
           "additionalProperties": false
+        },
+        "runs-on": {
+          "type": "string",
+          "description": "Runner specification for all safe-outputs jobs (activation, create-issue, add-comment, etc.). Single runner label (e.g., 'ubuntu-latest', 'windows-latest', 'self-hosted')"
         }
       },
       "additionalProperties": false
diff --git a/pkg/workflow/add_comment.go b/pkg/workflow/add_comment.go
@@ -90,7 +90,7 @@ func (c *Compiler) buildCreateOutputAddCommentJob(data *WorkflowData, mainJobNam
 	job := &Job{
 		Name:           "create_issue_comment",
 		If:             jobCondition,
-		RunsOn:         "runs-on: ubuntu-latest",
+		RunsOn:         c.formatSafeOutputsRunsOn(data.SafeOutputs),
 		Permissions:    "permissions:\n      contents: read\n      issues: write\n      pull-requests: write",
 		TimeoutMinutes: 10, // 10-minute timeout as required
 		Steps:          steps,
diff --git a/pkg/workflow/add_labels.go b/pkg/workflow/add_labels.go
@@ -88,7 +88,7 @@ func (c *Compiler) buildCreateOutputLabelJob(data *WorkflowData, mainJobName str
 	job := &Job{
 		Name:           "add_labels",
 		If:             jobCondition,
-		RunsOn:         "runs-on: ubuntu-latest",
+		RunsOn:         c.formatSafeOutputsRunsOn(data.SafeOutputs),
 		Permissions:    "permissions:\n      contents: read\n      issues: write\n      pull-requests: write",
 		TimeoutMinutes: 10, // 10-minute timeout as required
 		Steps:          steps,
diff --git a/pkg/workflow/compiler.go b/pkg/workflow/compiler.go
@@ -146,6 +146,7 @@ type SafeOutputsConfig struct {
 	Env                             map[string]string                      `yaml:"env,omitempty"`            // Environment variables to pass to safe output jobs
 	GitHubToken                     string                                 `yaml:"github-token,omitempty"`   // GitHub token for safe output jobs
 	MaximumPatchSize                int                                    `yaml:"max-patch-size,omitempty"` // Maximum allowed patch size in KB (defaults to 1024)
+	RunsOn                          string                                 `yaml:"runs-on,omitempty"`        // Runner configuration for safe-outputs jobs
 }
 
 // CompileWorkflow converts a markdown workflow to GitHub Actions YAML
@@ -1445,7 +1446,7 @@ func (c *Compiler) buildCheckMembershipJob(data *WorkflowData, frontmatter map[s
 	job := &Job{
 		Name:        "check-membership",
 		If:          data.If, // Use the existing condition (which may include alias checks)
-		RunsOn:      "runs-on: ubuntu-latest",
+		RunsOn:      c.formatSafeOutputsRunsOn(data.SafeOutputs),
 		Permissions: "", // No special permissions needed - just reading repo permissions
 		Steps:       steps,
 		Outputs:     outputs,
@@ -1512,7 +1513,7 @@ func (c *Compiler) buildActivationJob(data *WorkflowData, checkMembershipJobCrea
 	job := &Job{
 		Name:        "activation",
 		If:          activationCondition,
-		RunsOn:      "runs-on: ubuntu-latest",
+		RunsOn:      c.formatSafeOutputsRunsOn(data.SafeOutputs),
 		Permissions: permissions,
 		Steps:       steps,
 		Outputs:     outputs,
diff --git a/pkg/workflow/create_code_scanning_alert.go b/pkg/workflow/create_code_scanning_alert.go
@@ -96,7 +96,7 @@ func (c *Compiler) buildCreateOutputCodeScanningAlertJob(data *WorkflowData, mai
 	job := &Job{
 		Name:           "create_code_scanning_alert",
 		If:             jobCondition,
-		RunsOn:         "runs-on: ubuntu-latest",
+		RunsOn:         c.formatSafeOutputsRunsOn(data.SafeOutputs),
 		Permissions:    "permissions:\n      contents: read\n      security-events: write\n      actions: read", // Need security-events:write for SARIF upload
 		TimeoutMinutes: 10,                                                                                      // 10-minute timeout
 		Steps:          steps,
diff --git a/pkg/workflow/create_discussion.go b/pkg/workflow/create_discussion.go
@@ -104,7 +104,7 @@ func (c *Compiler) buildCreateOutputDiscussionJob(data *WorkflowData, mainJobNam
 	job := &Job{
 		Name:           "create_discussion",
 		If:             jobCondition,
-		RunsOn:         "runs-on: ubuntu-latest",
+		RunsOn:         c.formatSafeOutputsRunsOn(data.SafeOutputs),
 		Permissions:    "permissions:\n      contents: read\n      discussions: write",
 		TimeoutMinutes: 10, // 10-minute timeout as required
 		Steps:          steps,
diff --git a/pkg/workflow/create_issue.go b/pkg/workflow/create_issue.go
@@ -133,7 +133,7 @@ func (c *Compiler) buildCreateOutputIssueJob(data *WorkflowData, mainJobName str
 	job := &Job{
 		Name:           "create_issue",
 		If:             jobCondition,
-		RunsOn:         "runs-on: ubuntu-latest",
+		RunsOn:         c.formatSafeOutputsRunsOn(data.SafeOutputs),
 		Permissions:    permissions,
 		TimeoutMinutes: 10, // 10-minute timeout as required
 		Steps:          steps,
diff --git a/pkg/workflow/create_pr_review_comment.go b/pkg/workflow/create_pr_review_comment.go
@@ -72,7 +72,7 @@ func (c *Compiler) buildCreateOutputPullRequestReviewCommentJob(data *WorkflowDa
 	job := &Job{
 		Name:           "create_pr_review_comment",
 		If:             jobCondition,
-		RunsOn:         "runs-on: ubuntu-latest",
+		RunsOn:         c.formatSafeOutputsRunsOn(data.SafeOutputs),
 		Permissions:    "permissions:\n      contents: read\n      pull-requests: write",
 		TimeoutMinutes: 10, // 10-minute timeout as required
 		Steps:          steps,
diff --git a/pkg/workflow/create_pull_request.go b/pkg/workflow/create_pull_request.go
@@ -113,7 +113,7 @@ func (c *Compiler) buildCreateOutputPullRequestJob(data *WorkflowData, mainJobNa
 	job := &Job{
 		Name:           "create_pull_request",
 		If:             jobCondition,
-		RunsOn:         "runs-on: ubuntu-latest",
+		RunsOn:         c.formatSafeOutputsRunsOn(data.SafeOutputs),
 		Permissions:    "permissions:\n      contents: write\n      issues: write\n      pull-requests: write",
 		TimeoutMinutes: 10, // 10-minute timeout as required
 		Steps:          steps,
diff --git a/pkg/workflow/missing_tool.go b/pkg/workflow/missing_tool.go
@@ -55,7 +55,7 @@ func (c *Compiler) buildCreateOutputMissingToolJob(data *WorkflowData, mainJobNa
 	// Create the job
 	job := &Job{
 		Name:           "missing_tool",
-		RunsOn:         "runs-on: ubuntu-latest",
+		RunsOn:         c.formatSafeOutputsRunsOn(data.SafeOutputs),
 		If:             "${{ always() }}",                    // Always run to capture missing tools
 		Permissions:    "permissions:\n      contents: read", // Only needs read access for logging
 		TimeoutMinutes: 5,                                    // Short timeout since it's just processing output
diff --git a/pkg/workflow/publish_assets.go b/pkg/workflow/publish_assets.go
@@ -182,7 +182,7 @@ func (c *Compiler) buildUploadAssetsJob(data *WorkflowData, mainJobName string,
 	job := &Job{
 		Name:           "upload_assets",
 		If:             jobCondition,
-		RunsOn:         "runs-on: ubuntu-latest",
+		RunsOn:         c.formatSafeOutputsRunsOn(data.SafeOutputs),
 		Permissions:    permissions,
 		TimeoutMinutes: 10, // 10-minute timeout as required
 		Steps:          steps,
diff --git a/pkg/workflow/push_to_pull_request_branch.go b/pkg/workflow/push_to_pull_request_branch.go
@@ -128,7 +128,7 @@ func (c *Compiler) buildCreateOutputPushToPullRequestBranchJob(data *WorkflowDat
 	job := &Job{
 		Name:           "push_to_pull_request_branch",
 		If:             jobCondition,
-		RunsOn:         "runs-on: ubuntu-latest",
+		RunsOn:         c.formatSafeOutputsRunsOn(data.SafeOutputs),
 		Permissions:    "permissions:\n      contents: write\n      pull-requests: read\n      issues: read",
 		TimeoutMinutes: 10, // 10-minute timeout as required
 		Steps:          steps,
diff --git a/pkg/workflow/safe_outputs.go b/pkg/workflow/safe_outputs.go
@@ -1,6 +1,18 @@
 package workflow
 
-import "strings"
+import (
+	"fmt"
+	"strings"
+)
+
+// formatSafeOutputsRunsOn formats the runs-on value from SafeOutputsConfig for job output
+func (c *Compiler) formatSafeOutputsRunsOn(safeOutputs *SafeOutputsConfig) string {
+	if safeOutputs == nil || safeOutputs.RunsOn == "" {
+		return "runs-on: ubuntu-latest" // Default
+	}
+
+	return fmt.Sprintf("runs-on: %s", safeOutputs.RunsOn)
+}
 
 // HasSafeOutputsEnabled checks if any safe-outputs are enabled
 func HasSafeOutputsEnabled(safeOutputs *SafeOutputsConfig) bool {
@@ -401,6 +413,13 @@ func (c *Compiler) extractSafeOutputsConfig(frontmatter map[string]any) *SafeOut
 				config.MaximumPatchSize = 1024 // Default to 1MB = 1024 KB
 			}
 
+			// Handle runs-on configuration
+			if runsOn, exists := outputMap["runs-on"]; exists {
+				if runsOnStr, ok := runsOn.(string); ok {
+					config.RunsOn = runsOnStr
+				}
+			}
+
 			// Handle jobs (safe-jobs moved under safe-outputs)
 			if jobs, exists := outputMap["jobs"]; exists {
 				if jobsMap, ok := jobs.(map[string]any); ok {
diff --git a/pkg/workflow/safe_outputs_runs_on_test.go b/pkg/workflow/safe_outputs_runs_on_test.go
@@ -0,0 +1,183 @@
+package workflow
+
+import (
+	"os"
+	"path/filepath"
+	"strings"
+	"testing"
+)
+
+func TestSafeOutputsRunsOnConfiguration(t *testing.T) {
+	tests := []struct {
+		name           string
+		frontmatter    string
+		expectedRunsOn string
+	}{
+		{
+			name: "default runs-on when not specified",
+			frontmatter: `---
+safe-outputs:
+  create-issue:
+    title-prefix: "[ai] "
+---
+
+# Test Workflow
+
+This is a test workflow.`,
+			expectedRunsOn: "runs-on: ubuntu-latest",
+		},
+		{
+			name: "custom runs-on string",
+			frontmatter: `---
+safe-outputs:
+  create-issue:
+    title-prefix: "[ai] "
+  runs-on: windows-latest
+---
+
+# Test Workflow
+
+This is a test workflow.`,
+			expectedRunsOn: "runs-on: windows-latest",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Create temporary directory and file
+			tmpDir, err := os.MkdirTemp("", "workflow-runs-on-test")
+			if err != nil {
+				t.Fatal(err)
+			}
+			defer os.RemoveAll(tmpDir)
+
+			testFile := filepath.Join(tmpDir, "test.md")
+			err = os.WriteFile(testFile, []byte(tt.frontmatter), 0644)
+			if err != nil {
+				t.Fatal(err)
+			}
+
+			compiler := NewCompiler(false, "", "test")
+			err = compiler.CompileWorkflow(testFile)
+			if err != nil {
+				t.Fatalf("Failed to compile workflow: %v", err)
+			}
+
+			// Read the compiled lock file
+			lockFile := filepath.Join(tmpDir, "test.lock.yml")
+			yamlContent, err := os.ReadFile(lockFile)
+			if err != nil {
+				t.Fatalf("Failed to read lock file: %v", err)
+			}
+
+			yamlStr := string(yamlContent)
+			if !strings.Contains(yamlStr, tt.expectedRunsOn) {
+				t.Errorf("Expected compiled YAML to contain %q, but it didn't.\nYAML content:\n%s", tt.expectedRunsOn, yamlStr)
+			}
+		})
+	}
+}
+
+func TestSafeOutputsRunsOnAppliedToAllJobs(t *testing.T) {
+	frontmatter := `---
+safe-outputs:
+  create-issue:
+    title-prefix: "[ai] "
+  add-comment:
+  add-labels:
+  update-issue:
+  runs-on: self-hosted
+---
+
+# Test Workflow
+
+This is a test workflow.`
+
+	// Create temporary directory and file
+	tmpDir, err := os.MkdirTemp("", "workflow-runs-on-test")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(tmpDir)
+
+	testFile := filepath.Join(tmpDir, "test.md")
+	err = os.WriteFile(testFile, []byte(frontmatter), 0644)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	compiler := NewCompiler(false, "", "test")
+	err = compiler.CompileWorkflow(testFile)
+	if err != nil {
+		t.Fatalf("Failed to compile workflow: %v", err)
+	}
+
+	// Read the compiled lock file
+	lockFile := filepath.Join(tmpDir, "test.lock.yml")
+	yamlContent, err := os.ReadFile(lockFile)
+	if err != nil {
+		t.Fatalf("Failed to read lock file: %v", err)
+	}
+
+	yamlStr := string(yamlContent)
+
+	// Check that all safe-outputs jobs use the custom runs-on
+	expectedRunsOn := "runs-on: self-hosted"
+
+	// Count occurrences - should appear for safe-outputs jobs + activation/membership jobs
+	count := strings.Count(yamlStr, expectedRunsOn)
+	if count < 1 { // At least one job should use the custom runner
+		t.Errorf("Expected at least 1 occurrence of %q in compiled YAML, found %d.\nYAML content:\n%s", expectedRunsOn, count, yamlStr)
+	}
+
+	// Check specifically that the expected safe-outputs jobs use the custom runner
+	expectedJobs := []string{"create_issue:", "create_issue_comment:", "add_labels:", "update_issue:"}
+	for _, jobName := range expectedJobs {
+		if strings.Contains(yamlStr, jobName) {
+			// Find the job section
+			jobStart := strings.Index(yamlStr, jobName)
+			if jobStart != -1 {
+				// Look for runs-on within the next 500 characters of this job
+				jobSection := yamlStr[jobStart : jobStart+500]
+				if strings.Contains(jobSection, "runs-on: ubuntu-latest") {
+					t.Errorf("Job %q still uses default 'runs-on: ubuntu-latest' instead of custom runner.\nJob section:\n%s", jobName, jobSection)
+				}
+				if !strings.Contains(jobSection, expectedRunsOn) {
+					t.Errorf("Job %q does not use expected %q.\nJob section:\n%s", jobName, expectedRunsOn, jobSection)
+				}
+			}
+		}
+	}
+}
+
+func TestFormatSafeOutputsRunsOnEdgeCases(t *testing.T) {
+	compiler := NewCompiler(false, "", "test")
+
+	tests := []struct {
+		name           string
+		safeOutputs    *SafeOutputsConfig
+		expectedRunsOn string
+	}{
+		{
+			name:           "nil safe outputs config",
+			safeOutputs:    nil,
+			expectedRunsOn: "runs-on: ubuntu-latest",
+		},
+		{
+			name: "safe outputs config with nil runs-on",
+			safeOutputs: &SafeOutputsConfig{
+				RunsOn: "",
+			},
+			expectedRunsOn: "runs-on: ubuntu-latest",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			runsOn := compiler.formatSafeOutputsRunsOn(tt.safeOutputs)
+			if runsOn != tt.expectedRunsOn {
+				t.Errorf("Expected runs-on to be %q, got %q", tt.expectedRunsOn, runsOn)
+			}
+		})
+	}
+}
diff --git a/pkg/workflow/update_issue.go b/pkg/workflow/update_issue.go
@@ -97,7 +97,7 @@ func (c *Compiler) buildCreateOutputUpdateIssueJob(data *WorkflowData, mainJobNa
 	job := &Job{
 		Name:           "update_issue",
 		If:             jobCondition,
-		RunsOn:         "runs-on: ubuntu-latest",
+		RunsOn:         c.formatSafeOutputsRunsOn(data.SafeOutputs),
 		Permissions:    "permissions:\n      contents: read\n      issues: write",
 		TimeoutMinutes: 10, // 10-minute timeout as required
 		Steps:          steps,

Original file line number	Diff line number	Diff line change
`@@ -1863,6 +1863,10 @@`
`1863`	`1863`	`}`
`1864`	`1864`	`},`
`1865`	`1865`	`"additionalProperties": false`
	`1866`	`+ },`
	`1867`	`+ "runs-on": {`
	`1868`	`+ "type": "string",`
	`1869`	`+ "description": "Runner specification for all safe-outputs jobs (activation, create-issue, add-comment, etc.). Single runner label (e.g., 'ubuntu-latest', 'windows-latest', 'self-hosted')"`
`1866`	`1870`	`}`
`1867`	`1871`	`},`
`1868`	`1872`	`"additionalProperties": false`