chore: npm audit fix for hashFiles dependencies

Improve logic around decide IsHostedServer. (#4086 )
Link to an extant discussion category (#4084 )
2025-12-10 20:36:49 +00:00 · 2025-11-03 07:03:00 +00:00 · 2025-10-22 00:00:44 -04:00 · 2025-10-20 11:53:45 -04:00 · 2025-10-20 11:40:09 +01:00 · 2025-10-16 20:16:14 +00:00
38 changed files with 869 additions and 65 deletions
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@@ -4,7 +4,7 @@
  "features": {
    "ghcr.io/devcontainers/features/docker-in-docker:1": {},
    "ghcr.io/devcontainers/features/dotnet": {
-      "version": "8.0.413"
+      "version": "8.0.415"
    },
    "ghcr.io/devcontainers/features/node:1": {
      "version": "20"
--- a/.github/ISSUE_TEMPLATE/config.yml
+++ b/.github/ISSUE_TEMPLATE/config.yml
@@ -1,8 +1,8 @@
 blank_issues_enabled: false
 contact_links:
  - name: 🛑 Request a feature in the runner application
-    url: https://github.com/orgs/community/discussions/categories/actions-and-packages
-    about: If you have feature requests for GitHub Actions, please use the Actions and Packages section on the Github Product Feedback page.
+    url: https://github.com/orgs/community/discussions/categories/actions
+    about: If you have feature requests for GitHub Actions, please use the Actions section on the Github Product Feedback page.
  - name: ✅ Support for GitHub Actions
    url: https://github.community/c/code-to-cloud/52
    about: If you have questions about GitHub Actions or need support writing workflows, please ask in the GitHub Community Support forum.
--- a/.github/workflows/close-bugs-bot.yml
+++ b/.github/workflows/close-bugs-bot.yml
@@ -7,7 +7,7 @@ jobs:
  stale:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/stale@v9
+      - uses: actions/stale@v10
        with:
          close-issue-message: "This issue does not seem to be a problem with the runner application, it concerns the GitHub actions platform more generally. Could you please post your feedback on the [GitHub Community Support Forum](https://github.com/orgs/community/discussions/categories/actions) which is actively monitored. Using the forum ensures that we route your problem to the correct team. 😃"
          exempt-issue-labels: "keep"
--- a/.github/workflows/close-features-bot.yml
+++ b/.github/workflows/close-features-bot.yml
@@ -7,9 +7,9 @@ jobs:
  stale:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/stale@v9
+      - uses: actions/stale@v10
        with:
-          close-issue-message: "Thank you for your interest in the runner application and taking the time to provide your valuable feedback. We kindly ask you to redirect this feedback to the [GitHub Community Support Forum](https://github.com/orgs/community/discussions/categories/actions-and-packages) which our team actively monitors and would be a better place to start a discussion for new feature requests in GitHub Actions. For more information on this policy please [read our contribution guidelines](https://github.com/actions/runner#contribute). 😃"
+          close-issue-message: "Thank you for your interest in the runner application and taking the time to provide your valuable feedback. We kindly ask you to redirect this feedback to the [GitHub Community Support Forum](https://github.com/orgs/community/discussions/categories/actions) which our team actively monitors and would be a better place to start a discussion for new feature requests in GitHub Actions. For more information on this policy please [read our contribution guidelines](https://github.com/actions/runner#contribute). 😃"
          exempt-issue-labels: "keep"
          stale-issue-label: "actions-feature"
          only-labels: "actions-feature"
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -27,7 +27,7 @@ jobs:

    # Initializes the CodeQL tools for scanning.
    - name: Initialize CodeQL
-      uses: github/codeql-action/init@v3
+      uses: github/codeql-action/init@v4
      # Override language selection by uncommenting this and choosing your languages
      # with:
      #   languages: go, javascript, csharp, python, cpp, java
@@ -38,4 +38,4 @@ jobs:
      working-directory: src

    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v3
+      uses: github/codeql-action/analyze@v4
--- a/.github/workflows/dependency-check.yml
+++ b/.github/workflows/dependency-check.yml
@@ -0,0 +1,211 @@
+name: Dependency Status Check
+
+on:
+  workflow_dispatch:
+    inputs:
+      check_type:
+        description: "Type of dependency check"
+        required: false
+        default: "all"
+        type: choice
+        options:
+          - all
+          - node
+          - dotnet
+          - docker
+          - npm
+  schedule:
+    - cron: "0 11 * * 1" # Weekly on Monday at 11 AM
+
+jobs:
+  dependency-status:
+    runs-on: ubuntu-latest
+    outputs:
+      node20-status: ${{ steps.check-versions.outputs.node20-status }}
+      node24-status: ${{ steps.check-versions.outputs.node24-status }}
+      dotnet-status: ${{ steps.check-versions.outputs.dotnet-status }}
+      docker-status: ${{ steps.check-versions.outputs.docker-status }}
+      buildx-status: ${{ steps.check-versions.outputs.buildx-status }}
+      npm-vulnerabilities: ${{ steps.check-versions.outputs.npm-vulnerabilities }}
+      open-dependency-prs: ${{ steps.check-prs.outputs.open-dependency-prs }}
+    steps:
+      - uses: actions/checkout@v5
+      - name: Setup Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: "20"
+
+      - name: Check dependency versions
+        id: check-versions
+        run: |
+          echo "## Dependency Status Report" >> $GITHUB_STEP_SUMMARY
+          echo "Generated on: $(date)" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+
+          # Check Node versions
+          if [[ "${{ github.event.inputs.check_type }}" == "all" || "${{ github.event.inputs.check_type }}" == "node" ]]; then
+            echo "### Node.js Versions" >> $GITHUB_STEP_SUMMARY
+            
+            VERSIONS_JSON=$(curl -s https://raw.githubusercontent.com/actions/node-versions/main/versions-manifest.json)
+            LATEST_NODE20=$(echo "$VERSIONS_JSON" | jq -r '.[] | select(.version | startswith("20.")) | .version' | head -1)
+            LATEST_NODE24=$(echo "$VERSIONS_JSON" | jq -r '.[] | select(.version | startswith("24.")) | .version' | head -1)
+            
+            CURRENT_NODE20=$(grep "NODE20_VERSION=" src/Misc/externals.sh | cut -d'"' -f2)
+            CURRENT_NODE24=$(grep "NODE24_VERSION=" src/Misc/externals.sh | cut -d'"' -f2)
+            
+            NODE20_STATUS="✅ up-to-date"
+            NODE24_STATUS="✅ up-to-date"
+            
+            if [ "$CURRENT_NODE20" != "$LATEST_NODE20" ]; then
+              NODE20_STATUS="⚠️ outdated"
+            fi
+            
+            if [ "$CURRENT_NODE24" != "$LATEST_NODE24" ]; then
+              NODE24_STATUS="⚠️ outdated"
+            fi
+            
+            echo "| Version | Current | Latest | Status |" >> $GITHUB_STEP_SUMMARY
+            echo "|---------|---------|--------|--------|" >> $GITHUB_STEP_SUMMARY
+            echo "| Node 20 | $CURRENT_NODE20 | $LATEST_NODE20 | $NODE20_STATUS |" >> $GITHUB_STEP_SUMMARY
+            echo "| Node 24 | $CURRENT_NODE24 | $LATEST_NODE24 | $NODE24_STATUS |" >> $GITHUB_STEP_SUMMARY
+            echo "" >> $GITHUB_STEP_SUMMARY
+            
+            echo "node20-status=$NODE20_STATUS" >> $GITHUB_OUTPUT
+            echo "node24-status=$NODE24_STATUS" >> $GITHUB_OUTPUT
+          fi
+
+          # Check .NET version
+          if [[ "${{ github.event.inputs.check_type }}" == "all" || "${{ github.event.inputs.check_type }}" == "dotnet" ]]; then
+            echo "### .NET SDK Version" >> $GITHUB_STEP_SUMMARY
+            
+            current_dotnet_version=$(jq -r .sdk.version ./src/global.json)
+            current_major_minor=$(echo "$current_dotnet_version" | cut -d '.' -f 1,2)
+            latest_dotnet_version=$(curl -sb -H "Accept: application/json" "https://dotnetcli.blob.core.windows.net/dotnet/Sdk/$current_major_minor/latest.version")
+            
+            DOTNET_STATUS="✅ up-to-date"
+            if [ "$current_dotnet_version" != "$latest_dotnet_version" ]; then
+              DOTNET_STATUS="⚠️ outdated"
+            fi
+            
+            echo "| Component | Current | Latest | Status |" >> $GITHUB_STEP_SUMMARY
+            echo "|-----------|---------|--------|--------|" >> $GITHUB_STEP_SUMMARY
+            echo "| .NET SDK | $current_dotnet_version | $latest_dotnet_version | $DOTNET_STATUS |" >> $GITHUB_STEP_SUMMARY
+            echo "" >> $GITHUB_STEP_SUMMARY
+            
+            echo "dotnet-status=$DOTNET_STATUS" >> $GITHUB_OUTPUT
+          fi
+
+          # Check Docker versions
+          if [[ "${{ github.event.inputs.check_type }}" == "all" || "${{ github.event.inputs.check_type }}" == "docker" ]]; then
+            echo "### Docker Versions" >> $GITHUB_STEP_SUMMARY
+            
+            current_docker=$(grep "ARG DOCKER_VERSION=" ./images/Dockerfile | cut -d'=' -f2)
+            current_buildx=$(grep "ARG BUILDX_VERSION=" ./images/Dockerfile | cut -d'=' -f2)
+            
+            latest_docker=$(curl -s https://download.docker.com/linux/static/stable/x86_64/ | grep -o 'docker-[0-9]*\.[0-9]*\.[0-9]*\.tgz' | sort -V | tail -n 1 | sed 's/docker-\(.*\)\.tgz/\1/')
+            latest_buildx=$(curl -s https://api.github.com/repos/docker/buildx/releases/latest | jq -r '.tag_name' | sed 's/^v//')
+            
+            DOCKER_STATUS="✅ up-to-date"
+            BUILDX_STATUS="✅ up-to-date"
+            
+            if [ "$current_docker" != "$latest_docker" ]; then
+              DOCKER_STATUS="⚠️ outdated"
+            fi
+            
+            if [ "$current_buildx" != "$latest_buildx" ]; then
+              BUILDX_STATUS="⚠️ outdated"
+            fi
+            
+            echo "| Component | Current | Latest | Status |" >> $GITHUB_STEP_SUMMARY
+            echo "|-----------|---------|--------|--------|" >> $GITHUB_STEP_SUMMARY
+            echo "| Docker | $current_docker | $latest_docker | $DOCKER_STATUS |" >> $GITHUB_STEP_SUMMARY
+            echo "| Docker Buildx | $current_buildx | $latest_buildx | $BUILDX_STATUS |" >> $GITHUB_STEP_SUMMARY
+            echo "" >> $GITHUB_STEP_SUMMARY
+            
+            echo "docker-status=$DOCKER_STATUS" >> $GITHUB_OUTPUT
+            echo "buildx-status=$BUILDX_STATUS" >> $GITHUB_OUTPUT
+          fi
+
+          # Check npm vulnerabilities
+          if [[ "${{ github.event.inputs.check_type }}" == "all" || "${{ github.event.inputs.check_type }}" == "npm" ]]; then
+            echo "### NPM Security Audit" >> $GITHUB_STEP_SUMMARY
+            
+            cd src/Misc/expressionFunc/hashFiles
+            npm install --silent
+            
+            AUDIT_OUTPUT=""
+            AUDIT_EXIT_CODE=0
+            # Run npm audit and capture output and exit code
+            if ! AUDIT_OUTPUT=$(npm audit --json 2>&1); then
+              AUDIT_EXIT_CODE=$?
+            fi
+            
+            # Check if output is valid JSON
+            if echo "$AUDIT_OUTPUT" | jq . >/dev/null 2>&1; then
+              VULN_COUNT=$(echo "$AUDIT_OUTPUT" | jq '.metadata.vulnerabilities.total // 0')
+              # Ensure VULN_COUNT is a number
+              VULN_COUNT=$(echo "$VULN_COUNT" | grep -o '[0-9]*' | head -1)
+              VULN_COUNT=${VULN_COUNT:-0}
+              
+              NPM_STATUS="✅ no vulnerabilities"
+              if [ "$VULN_COUNT" -gt 0 ] 2>/dev/null; then
+                NPM_STATUS="⚠️ $VULN_COUNT vulnerabilities found"
+                
+                # Get vulnerability details
+                HIGH_VULNS=$(echo "$AUDIT_OUTPUT" | jq '.metadata.vulnerabilities.high // 0')
+                CRITICAL_VULNS=$(echo "$AUDIT_OUTPUT" | jq '.metadata.vulnerabilities.critical // 0')
+                
+                echo "| Severity | Count |" >> $GITHUB_STEP_SUMMARY
+                echo "|----------|-------|" >> $GITHUB_STEP_SUMMARY
+                echo "| Critical | $CRITICAL_VULNS |" >> $GITHUB_STEP_SUMMARY
+                echo "| High | $HIGH_VULNS |" >> $GITHUB_STEP_SUMMARY
+                echo "" >> $GITHUB_STEP_SUMMARY
+              else
+                echo "No npm vulnerabilities found ✅" >> $GITHUB_STEP_SUMMARY
+                echo "" >> $GITHUB_STEP_SUMMARY
+              fi
+            else
+              NPM_STATUS="❌ npm audit failed"
+              echo "npm audit failed to run or returned invalid JSON ❌" >> $GITHUB_STEP_SUMMARY
+              echo "Exit code: $AUDIT_EXIT_CODE" >> $GITHUB_STEP_SUMMARY
+              echo "Output: $AUDIT_OUTPUT" >> $GITHUB_STEP_SUMMARY
+              echo "" >> $GITHUB_STEP_SUMMARY
+            fi
+            
+            echo "npm-vulnerabilities=$NPM_STATUS" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Check for open dependency PRs
+        id: check-prs
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          echo "### Open Dependency PRs" >> $GITHUB_STEP_SUMMARY
+
+          # Get open PRs with dependency label
+          OPEN_PRS=$(gh pr list --label "dependencies" --state open --json number,title,url)
+          PR_COUNT=$(echo "$OPEN_PRS" | jq '. | length')
+
+          if [ "$PR_COUNT" -gt 0 ]; then
+            echo "Found $PR_COUNT open dependency PR(s):" >> $GITHUB_STEP_SUMMARY
+            echo "" >> $GITHUB_STEP_SUMMARY
+            echo "$OPEN_PRS" | jq -r '.[] | "- [#\(.number)](\(.url)) \(.title)"' >> $GITHUB_STEP_SUMMARY
+          else
+            echo "No open dependency PRs found ✅" >> $GITHUB_STEP_SUMMARY
+          fi
+
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "open-dependency-prs=$PR_COUNT" >> $GITHUB_OUTPUT
+
+      - name: Summary
+        run: |
+          echo "### Summary" >> $GITHUB_STEP_SUMMARY
+          echo "- Check for open PRs with the \`dependency\` label before releases" >> $GITHUB_STEP_SUMMARY
+          echo "- Review and merge dependency updates regularly" >> $GITHUB_STEP_SUMMARY
+          echo "- Critical vulnerabilities should be addressed immediately" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "**Automated workflows run weekly to check for updates:**" >> $GITHUB_STEP_SUMMARY
+          echo "- Node.js versions (Mondays at 6 AM)" >> $GITHUB_STEP_SUMMARY
+          echo "- NPM audit fix (Mondays at 7 AM)" >> $GITHUB_STEP_SUMMARY
+          echo "- .NET SDK updates (Mondays at midnight)" >> $GITHUB_STEP_SUMMARY
+          echo "- Docker/Buildx updates (Mondays at midnight)" >> $GITHUB_STEP_SUMMARY
--- a/.github/workflows/docker-buildx-upgrade.yml
+++ b/.github/workflows/docker-buildx-upgrade.yml
@@ -2,7 +2,7 @@ name: "Docker/Buildx Version Upgrade"

 on:
  schedule:
-    - cron: "0 9 * * 1" # Weekly on Monday at 9 AM UTC (independent of other dependencies)
+    - cron: "0 0 * * 1" # Run every Monday at midnight
  workflow_dispatch: # Allow manual triggering

 jobs:
@@ -159,5 +159,8 @@ jobs:
          # Create PR
          gh pr create -B main -H "$branch_name" \
            --title "$pr_title" \
-            --label "dependency" \
+            --label "dependencies" \
+            --label "dependencies-weekly-check" \
+            --label "dependencies-not-dependabot" \
+            --label "docker" \
            --body-file pr_body.txt
--- a/.github/workflows/dotnet-upgrade.yml
+++ b/.github/workflows/dotnet-upgrade.yml
@@ -96,7 +96,7 @@ jobs:
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
-          gh pr create -B main -H feature/dotnetsdk-upgrade/${{ needs.dotnet-update.outputs.DOTNET_LATEST_MAJOR_MINOR_PATCH_VERSION }} --title "Update dotnet sdk to latest version @${{ needs.dotnet-update.outputs.DOTNET_LATEST_MAJOR_MINOR_PATCH_VERSION }}" --label "dependency" --body "
+          gh pr create -B main -H feature/dotnetsdk-upgrade/${{ needs.dotnet-update.outputs.DOTNET_LATEST_MAJOR_MINOR_PATCH_VERSION }} --title "Update dotnet sdk to latest version @${{ needs.dotnet-update.outputs.DOTNET_LATEST_MAJOR_MINOR_PATCH_VERSION }}" --label "dependencies" --label "dependencies-weekly-check" --label "dependencies-not-dependabot" --label "dotnet" --body "
            https://dotnetcli.blob.core.windows.net/dotnet/Sdk/${{ needs.dotnet-update.outputs.DOTNET_CURRENT_MAJOR_MINOR_VERSION }}/latest.version
            
              
--- a/.github/workflows/node-upgrade.yml
+++ b/.github/workflows/node-upgrade.yml
@@ -32,20 +32,47 @@ jobs:
          echo "Verifying availability in alpine_nodejs..."
          ALPINE_RELEASES=$(curl -s https://api.github.com/repos/actions/alpine_nodejs/releases | jq -r '.[].tag_name')

-          if ! echo "$ALPINE_RELEASES" | grep -q "^node20-$LATEST_NODE20$"; then
+          if ! echo "$ALPINE_RELEASES" | grep -q "^v$LATEST_NODE20$"; then
            echo "::warning title=Node 20 Fallback::Node 20 version $LATEST_NODE20 not found in alpine_nodejs releases, using fallback"
            # Fall back to latest available alpine_nodejs v20 release
-            LATEST_NODE20=$(echo "$ALPINE_RELEASES" | grep "^node20-" | head -1 | sed 's/^node20-//')
+            LATEST_NODE20=$(echo "$ALPINE_RELEASES" | grep "^v20\." | head -1 | sed 's/^v//')
            echo "Using latest available alpine_nodejs Node 20: $LATEST_NODE20"
          fi

-          if ! echo "$ALPINE_RELEASES" | grep -q "^node24-$LATEST_NODE24$"; then
+          if ! echo "$ALPINE_RELEASES" | grep -q "^v$LATEST_NODE24$"; then
            echo "::warning title=Node 24 Fallback::Node 24 version $LATEST_NODE24 not found in alpine_nodejs releases, using fallback"
            # Fall back to latest available alpine_nodejs v24 release
-            LATEST_NODE24=$(echo "$ALPINE_RELEASES" | grep "^node24-" | head -1 | sed 's/^node24-//')
+            LATEST_NODE24=$(echo "$ALPINE_RELEASES" | grep "^v24\." | head -1 | sed 's/^v//')
            echo "Using latest available alpine_nodejs Node 24: $LATEST_NODE24"
          fi

+          # Validate that we have non-empty version numbers
+          if [ -z "$LATEST_NODE20" ] || [ "$LATEST_NODE20" = "" ]; then
+            echo "::error title=Invalid Node 20 Version::Failed to determine valid Node 20 version. Got: '$LATEST_NODE20'"
+            echo "Available alpine_nodejs releases:"
+            echo "$ALPINE_RELEASES" | head -10
+            exit 1
+          fi
+
+          if [ -z "$LATEST_NODE24" ] || [ "$LATEST_NODE24" = "" ]; then
+            echo "::error title=Invalid Node 24 Version::Failed to determine valid Node 24 version. Got: '$LATEST_NODE24'"
+            echo "Available alpine_nodejs releases:"
+            echo "$ALPINE_RELEASES" | head -10
+            exit 1
+          fi
+
+          # Additional validation: ensure versions match expected format (x.y.z)
+          if ! echo "$LATEST_NODE20" | grep -E '^[0-9]+\.[0-9]+\.[0-9]+$'; then
+            echo "::error title=Invalid Node 20 Format::Node 20 version '$LATEST_NODE20' does not match expected format (x.y.z)"
+            exit 1
+          fi
+
+          if ! echo "$LATEST_NODE24" | grep -E '^[0-9]+\.[0-9]+\.[0-9]+$'; then
+            echo "::error title=Invalid Node 24 Format::Node 24 version '$LATEST_NODE24' does not match expected format (x.y.z)"
+            exit 1
+          fi
+
+          echo "✅ Validated Node versions: 20=$LATEST_NODE20, 24=$LATEST_NODE24"
          echo "latest_node20=$LATEST_NODE20" >> $GITHUB_OUTPUT
          echo "latest_node24=$LATEST_NODE24" >> $GITHUB_OUTPUT

@@ -82,13 +109,50 @@ jobs:
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
+          # Final validation before making changes
+          NODE20_VERSION="${{ steps.node-versions.outputs.latest_node20 }}"
+          NODE24_VERSION="${{ steps.node-versions.outputs.latest_node24 }}"
+          
+          echo "Final validation of versions before PR creation:"
+          echo "Node 20: '$NODE20_VERSION'"
+          echo "Node 24: '$NODE24_VERSION'"
+          
+          # Validate versions are not empty and match expected format
+          if [ -z "$NODE20_VERSION" ] || ! echo "$NODE20_VERSION" | grep -E '^[0-9]+\.[0-9]+\.[0-9]+$'; then
+            echo "::error title=Invalid Node 20 Version::Refusing to create PR with invalid Node 20 version: '$NODE20_VERSION'"
+            exit 1
+          fi
+          
+          if [ -z "$NODE24_VERSION" ] || ! echo "$NODE24_VERSION" | grep -E '^[0-9]+\.[0-9]+\.[0-9]+$'; then
+            echo "::error title=Invalid Node 24 Version::Refusing to create PR with invalid Node 24 version: '$NODE24_VERSION'"
+            exit 1
+          fi
+          
+          echo "✅ All versions validated successfully"
+
          # Update the files
          if [ "${{ steps.node-versions.outputs.needs_update20 }}" == "true" ]; then
-            sed -i 's/NODE20_VERSION="[^"]*"/NODE20_VERSION="${{ steps.node-versions.outputs.latest_node20 }}"/' src/Misc/externals.sh
+            sed -i 's/NODE20_VERSION="[^"]*"/NODE20_VERSION="'"$NODE20_VERSION"'"/' src/Misc/externals.sh
          fi

          if [ "${{ steps.node-versions.outputs.needs_update24 }}" == "true" ]; then
-            sed -i 's/NODE24_VERSION="[^"]*"/NODE24_VERSION="${{ steps.node-versions.outputs.latest_node24 }}"/' src/Misc/externals.sh
+            sed -i 's/NODE24_VERSION="[^"]*"/NODE24_VERSION="'"$NODE24_VERSION"'"/' src/Misc/externals.sh
+          fi
+
+          # Verify the changes were applied correctly
+          echo "Verifying changes in externals.sh:"
+          grep "NODE20_VERSION=" src/Misc/externals.sh
+          grep "NODE24_VERSION=" src/Misc/externals.sh
+          
+          # Ensure we actually have valid versions in the file
+          UPDATED_NODE20=$(grep "NODE20_VERSION=" src/Misc/externals.sh | cut -d'"' -f2)
+          UPDATED_NODE24=$(grep "NODE24_VERSION=" src/Misc/externals.sh | cut -d'"' -f2)
+          
+          if [ -z "$UPDATED_NODE20" ] || [ -z "$UPDATED_NODE24" ]; then
+            echo "::error title=Update Failed::Failed to properly update externals.sh"
+            echo "Updated Node 20: '$UPDATED_NODE20'"
+            echo "Updated Node 24: '$UPDATED_NODE24'"
+            exit 1
          fi

          # Configure git
@@ -98,15 +162,15 @@ jobs:
          # Create branch and commit changes
          branch_name="chore/update-node"
          git checkout -b "$branch_name"
-          git commit -a -m "chore: update Node versions (20: ${{ steps.node-versions.outputs.latest_node20 }}, 24: ${{ steps.node-versions.outputs.latest_node24 }})"
+          git commit -a -m "chore: update Node versions (20: $NODE20_VERSION, 24: $NODE24_VERSION)"
          git push --force origin "$branch_name"

          # Create PR body using here-doc for proper formatting
-          cat > pr_body.txt << 'EOF'
+          cat > pr_body.txt << EOF
          Automated Node.js version update:

-          - Node 20: ${{ steps.node-versions.outputs.current_node20 }} → ${{ steps.node-versions.outputs.latest_node20 }}
-          - Node 24: ${{ steps.node-versions.outputs.current_node24 }} → ${{ steps.node-versions.outputs.latest_node24 }}
+          - Node 20: ${{ steps.node-versions.outputs.current_node20 }} → $NODE20_VERSION
+          - Node 24: ${{ steps.node-versions.outputs.current_node24 }} → $NODE24_VERSION

          This update ensures we're using the latest stable Node.js versions for security and performance improvements.

@@ -120,7 +184,11 @@ jobs:
          # Create PR
          gh pr create -B main -H "$branch_name" \
            --title "chore: update Node versions" \
-            --label "dependency" \
+            --label "dependencies" \
+            --label "dependencies-weekly-check" \
+            --label "dependencies-not-dependabot" \
+            --label "node" \
+            --label "javascript" \
            --body-file pr_body.txt

          echo "::notice title=PR Created::Successfully created Node.js version update PR on branch $branch_name"
--- a/.github/workflows/npm-audit-typescript.yml
+++ b/.github/workflows/npm-audit-typescript.yml
@@ -9,7 +9,7 @@ jobs:
    steps:
      - uses: actions/checkout@v5
      - name: Setup Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v6
        with:
          node-version: "20"
      - name: NPM install and audit fix with TypeScript auto-repair
@@ -220,9 +220,9 @@ jobs:
            fi
            
            # Create PR with appropriate labels
-            labels="dependency,typescript"
+            labels="dependencies,dependencies-not-dependabot,typescript,npm,security"
            if [[ "$build_status" == *"fails"* ]]; then
-              labels="dependency,typescript,needs-manual-review"
+              labels="dependencies,dependencies-not-dependabot,typescript,npm,security,needs-manual-review"
            fi
            
            # Create PR
--- a/.github/workflows/npm-audit.yml
+++ b/.github/workflows/npm-audit.yml
@@ -12,7 +12,7 @@ jobs:
      - uses: actions/checkout@v5
      
      - name: Setup Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v6
        with:
          node-version: "20"
          
@@ -125,7 +125,12 @@ jobs:
            # Create PR
            gh pr create -B main -H "$branch_name" \
              --title "chore: npm audit fix for hashFiles dependencies" \
-              --label "dependency" \
+              --label "dependencies" \
+              --label "dependencies-weekly-check" \
+              --label "dependencies-not-dependabot" \
+              --label "npm" \
+              --label "typescript" \
+              --label "security" \
              --body-file pr_body.txt
          else
            echo "✅ No changes to commit - npm audit fix did not modify any files"
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -16,7 +16,7 @@ jobs:
    # Make sure ./releaseVersion match ./src/runnerversion
    # Query GitHub release ensure version is not used
    - name: Check version
-      uses: actions/github-script@v7.0.1
+      uses: actions/github-script@v8.0.0
      with:
        github-token: ${{secrets.GITHUB_TOKEN}}
        script: |
@@ -171,7 +171,7 @@ jobs:
    # Create ReleaseNote file
    - name: Create ReleaseNote
      id: releaseNote
-      uses: actions/github-script@v7.0.1
+      uses: actions/github-script@v8.0.0
      with:
        github-token: ${{secrets.GITHUB_TOKEN}}
        script: |
@@ -300,7 +300,7 @@ jobs:

      - name: Compute image version
        id: image
-        uses: actions/github-script@v7.0.1
+        uses: actions/github-script@v8.0.0
        with:
          script: |
            const fs = require('fs');
--- a/.github/workflows/stale-bot.yml
+++ b/.github/workflows/stale-bot.yml
@@ -7,7 +7,7 @@ jobs:
  stale:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/stale@v9
+      - uses: actions/stale@v10
        with:
          stale-issue-message: "This issue is stale because it has been open 365 days with no activity. Remove stale label or comment or this will be closed in 15 days."
          close-issue-message: "This issue was closed because it has been stalled for 15 days with no activity."
--- a/docs/dependency-management.md
+++ b/docs/dependency-management.md
@@ -0,0 +1,217 @@
+# Runner Dependency Management Process
+
+## Overview
+
+This document outlines the automated dependency management process for the GitHub Actions Runner, designed to ensure we maintain up-to-date and secure dependencies while providing predictable release cycles.
+
+## Release Schedule
+
+- **Monthly Runner Releases**: New runner versions are released monthly
+- **Weekly Dependency Checks**: Automated workflows check for dependency updates every Monday
+- **Security Patches**: Critical security vulnerabilities are addressed immediately outside the regular schedule
+
+## Automated Workflows
+
+**Note**: These workflows are implemented across separate PRs for easier review and independent deployment. Each workflow includes comprehensive error handling and security-focused vulnerability detection.
+
+### 1. Foundation Labels
+
+- **Workflow**: `.github/workflows/setup-labels.yml` (PR #4024)
+- **Purpose**: Creates consistent dependency labels for all automation workflows
+- **Labels**: `dependencies`, `security`, `typescript`, `needs-manual-review`
+- **Prerequisite**: Must be merged before other workflows for proper labeling
+
+### 2. Node.js Version Updates
+
+- **Workflow**: `.github/workflows/node-upgrade.yml`
+- **Schedule**: Mondays at 6:00 AM UTC
+- **Purpose**: Updates Node.js 20 and 24 versions in `src/Misc/externals.sh`
+- **Source**: [nodejs.org](https://nodejs.org) and [actions/alpine_nodejs](https://github.com/actions/alpine_nodejs)
+- **Priority**: First (NPM depends on current Node.js versions)
+
+### 3. NPM Security Audit
+
+- **Primary Workflow**: `.github/workflows/npm-audit.yml` ("NPM Audit Fix")
+  - **Schedule**: Mondays at 7:00 AM UTC
+  - **Purpose**: Automated security vulnerability detection and basic fixes
+  - **Location**: `src/Misc/expressionFunc/hashFiles/`
+  - **Features**: npm audit, security patch application, PR creation
+  - **Dependency**: Runs after Node.js updates for optimal compatibility
+
+- **Fallback Workflow**: `.github/workflows/npm-audit-typescript.yml` ("NPM Audit Fix with TypeScript Auto-Fix")
+  - **Trigger**: Manual dispatch only
+  - **Purpose**: Manual security audit with TypeScript compatibility fixes
+  - **Use Case**: When scheduled workflow fails or needs custom intervention
+  - **Features**: Enhanced TypeScript auto-repair, graduated security response
+  - **How to Use**:
+    1. If the scheduled "NPM Audit Fix" workflow fails, go to Actions tab
+    2. Select "NPM Audit Fix with TypeScript Auto-Fix" workflow
+    3. Click "Run workflow" and optionally specify fix level (auto/manual)
+    4. Review the generated PR for TypeScript compatibility issues
+
+### 4. .NET SDK Updates
+
+- **Workflow**: `.github/workflows/dotnet-upgrade.yml`
+- **Schedule**: Mondays at midnight UTC
+- **Purpose**: Updates .NET SDK and package versions with build validation
+- **Features**: Global.json updates, NuGet package management, compatibility checking
+- **Independence**: Runs independently of Node.js/NPM updates
+
+### 5. Docker/Buildx Updates
+
+- **Workflow**: `.github/workflows/docker-buildx-upgrade.yml` ("Docker/Buildx Version Upgrade")
+- **Schedule**: Mondays at midnight UTC
+- **Purpose**: Updates Docker and Docker Buildx versions with multi-platform validation
+- **Features**: Container security scanning, multi-architecture build testing
+- **Independence**: Runs independently of other dependency updates
+
+### 6. Dependency Monitoring
+
+- **Workflow**: `.github/workflows/dependency-check.yml` ("Dependency Status Check")
+- **Schedule**: Mondays at 11:00 AM UTC
+- **Purpose**: Comprehensive status report of all dependencies with security audit
+- **Features**: Multi-dependency checking, npm audit status, build validation, choice of specific component checks
+- **Summary**: Runs last to capture results from all morning dependency updates
+
+## Release Process Integration
+
+### Pre-Release Checklist
+
+Before each monthly runner release:
+
+1. **Check Dependency PRs**:
+
+   ```bash
+   # List all open dependency PRs
+   gh pr list --label "dependencies" --state open
+   
+   # List only automated weekly dependency updates
+   gh pr list --label "dependencies-weekly-check" --state open
+   
+   # List only custom dependency automation (not dependabot)
+   gh pr list --label "dependencies-not-dependabot" --state open
+   ```
+
+2. **Run Manual Dependency Check**:
+   - Go to Actions tab → "Dependency Status Check" → "Run workflow"
+   - Review the summary for any outdated dependencies
+
+3. **Review and Merge Updates**:
+   - Prioritize security-related updates
+   - Test dependency updates in development environment
+   - Merge approved dependency PRs
+
+### Vulnerability Response
+
+#### Critical Security Vulnerabilities
+
+- **Response Time**: Within 24 hours
+- **Process**:
+  1. Assess impact on runner security
+  2. Create hotfix branch if runner data security is affected
+  3. Expedite patch release if necessary
+  4. Document in security advisory if applicable
+
+#### Non-Critical Vulnerabilities
+
+- **Response Time**: Next monthly release
+- **Process**:
+  1. Evaluate if vulnerability affects runner functionality
+  2. Include fix in regular dependency update cycle
+  3. Document in release notes
+
+## Monitoring and Alerts
+
+### GitHub Actions Workflow Status
+
+- All dependency workflows create PRs with the `dependencies` label
+- Failed workflows should be investigated immediately
+- Weekly dependency status reports are generated automatically
+
+### Manual Checks
+
+You can manually trigger dependency checks:
+
+- **Full Status**: Run "Dependency Status Check" workflow
+- **Specific Component**: Use the dropdown to check individual dependencies
+
+## Dependency Labels
+
+All automated dependency PRs are tagged with labels for easy filtering and management:
+
+### Primary Labels
+
+- **`dependencies`**: All automated dependency-related PRs
+- **`dependencies-weekly-check`**: Automated weekly dependency updates from scheduled workflows
+- **`dependencies-not-dependabot`**: Custom dependency automation (not created by dependabot)
+- **`security`**: Security vulnerability fixes and patches  
+- **`typescript`**: TypeScript compatibility and type definition updates
+- **`needs-manual-review`**: Complex updates requiring human verification
+
+### Technology-Specific Labels
+
+- **`node`**: Node.js version updates
+- **`javascript`**: JavaScript runtime and tooling updates
+- **`npm`**: NPM package and security updates
+- **`dotnet`**: .NET SDK and NuGet package updates
+- **`docker`**: Docker and container tooling updates
+
+### Workflow-Specific Branches
+
+- **Node.js updates**: `chore/update-node` branch
+- **NPM security fixes**: `chore/npm-audit-fix-YYYYMMDD` and `chore/npm-audit-fix-with-ts-repair` branches
+- **NuGet/.NET updates**: `feature/dotnetsdk-upgrade/{version}` branches
+- **Docker updates**: `feature/docker-buildx-upgrade` branch
+
+## Special Considerations
+
+### Node.js Updates
+
+When updating Node.js versions, remember to:
+
+1. Create a corresponding release in [actions/alpine_nodejs](https://github.com/actions/alpine_nodejs)
+2. Follow the alpine_nodejs getting started guide
+3. Test container builds with new Node versions
+
+### .NET SDK Updates
+
+- Only patch versions are auto-updated within the same major.minor version
+- Major/minor version updates require manual review and testing
+
+### Docker Updates
+
+- Updates include both Docker Engine and Docker Buildx
+- Verify compatibility with runner container workflows
+
+## Troubleshooting
+
+### Common Issues
+
+1. **NPM Audit Workflow Fails**:
+   - Check if `package.json` exists in `src/Misc/expressionFunc/hashFiles/`
+   - Verify Node.js setup step succeeded
+
+2. **Version Detection Fails**:
+   - Check if upstream APIs are available
+   - Verify parsing logic for version extraction
+
+3. **PR Creation Fails**:
+   - Ensure `GITHUB_TOKEN` has sufficient permissions
+   - Check if branch already exists
+
+### Contact
+
+For questions about the dependency management process:
+
+- Create an issue with the `dependencies` label
+- Review existing dependency management workflows
+- Consult the runner team for security-related concerns
+
+## Metrics and KPIs
+
+Track these metrics to measure dependency management effectiveness:
+
+- Number of open dependency PRs at release time
+- Time to merge dependency updates
+- Number of security vulnerabilities by severity
+- Release cycle adherence (monthly target)
--- a/images/Dockerfile
+++ b/images/Dockerfile
@@ -5,8 +5,8 @@ ARG TARGETOS
 ARG TARGETARCH
 ARG RUNNER_VERSION
 ARG RUNNER_CONTAINER_HOOKS_VERSION=0.7.0
-ARG DOCKER_VERSION=28.4.0
-ARG BUILDX_VERSION=0.28.0
+ARG DOCKER_VERSION=28.5.1
+ARG BUILDX_VERSION=0.29.1

 RUN apt update -y && apt install curl unzip -y

@@ -21,6 +21,10 @@ RUN curl -f -L -o runner-container-hooks.zip https://github.com/actions/runner-c
    && unzip ./runner-container-hooks.zip -d ./k8s \
    && rm runner-container-hooks.zip

+RUN curl -f -L -o runner-container-hooks.zip https://github.com/actions/runner-container-hooks/releases/download/v0.8.0/actions-runner-hooks-k8s-0.8.0.zip \
+    && unzip ./runner-container-hooks.zip -d ./k8s-novolume \
+    && rm runner-container-hooks.zip
+
 RUN export RUNNER_ARCH=${TARGETARCH} \
    && if [ "$RUNNER_ARCH" = "amd64" ]; then export DOCKER_ARCH=x86_64 ; fi \
    && if [ "$RUNNER_ARCH" = "arm64" ]; then export DOCKER_ARCH=aarch64 ; fi \
--- a/releaseNote.md
+++ b/releaseNote.md
@@ -1,20 +1,43 @@
 ## What's Changed
-* Update Docker to v28.3.2 and Buildx to v0.26.1 by @github-actions[bot] in https://github.com/actions/runner/pull/3953
-* Fix if statement structure in update script and variable reference by @salmanmkc in https://github.com/actions/runner/pull/3956
-* Add V2 flow for runner deletion by @Samirat in https://github.com/actions/runner/pull/3954
-* Node 20 -> Node 24 migration feature flagging, opt-in and opt-out environment variables by @salmanmkc in https://github.com/actions/runner/pull/3948
-* Update Node20 and Node24 to latest by @djs-intel in https://github.com/actions/runner/pull/3972
-* Redirect supported OS doc section to current public Docs location by @corycalahan in https://github.com/actions/runner/pull/3979
-* Bump Microsoft.NET.Test.Sdk from 17.13.0 to 17.14.1 by @dependabot[bot] in https://github.com/actions/runner/pull/3975
-* Bump Azure.Storage.Blobs from 12.24.0 to 12.25.0 by @dependabot[bot] in https://github.com/actions/runner/pull/3974
-* Bump actions/download-artifact from 4 to 5 by @dependabot[bot] in https://github.com/actions/runner/pull/3973
-* Bump actions/checkout from 4 to 5 by @dependabot[bot] in https://github.com/actions/runner/pull/3982
+* Update safe_sleep.sh for bug when scheduler is paused for more than 1 second by @horner in https://github.com/actions/runner/pull/3157
+* Acknowledge runner request by @ericsciple in https://github.com/actions/runner/pull/3996
+* Update Docker to v28.3.3 and Buildx to v0.27.0 by @github-actions[bot] in https://github.com/actions/runner/pull/3999
+* Update dotnet sdk to latest version @8.0.413 by @github-actions[bot] in https://github.com/actions/runner/pull/4000
+* Bump actions/attest-build-provenance from 2 to 3 by @dependabot[bot] in https://github.com/actions/runner/pull/4002
+* Bump @typescript-eslint/eslint-plugin from 6.7.2 to 8.35.0 in /src/Misc/expressionFunc/hashFiles by @dependabot[bot] in https://github.com/actions/runner/pull/3920
+* Bump husky from 8.0.3 to 9.1.7 in /src/Misc/expressionFunc/hashFiles by @dependabot[bot] in https://github.com/actions/runner/pull/3842
+* Bump @vercel/ncc from 0.38.0 to 0.38.3 in /src/Misc/expressionFunc/hashFiles by @dependabot[bot] in https://github.com/actions/runner/pull/3841
+* Bump eslint-plugin-github from 4.10.0 to 4.10.2 in /src/Misc/expressionFunc/hashFiles by @dependabot[bot] in https://github.com/actions/runner/pull/3180
+* Bump typescript from 5.2.2 to 5.9.2 in /src/Misc/expressionFunc/hashFiles by @dependabot[bot] in https://github.com/actions/runner/pull/4007
+* chore: migrate Husky config from v8 to v9 format by @salmanmkc in https://github.com/actions/runner/pull/4003
+* Map RUNNER_TEMP for container action by @ericsciple in https://github.com/actions/runner/pull/4011
+* Break UseV2Flow into UseV2Flow and UseRunnerAdminFlow. by @TingluoHuang in https://github.com/actions/runner/pull/4013
+* Update Docker to v28.4.0 and Buildx to v0.28.0 by @github-actions[bot] in https://github.com/actions/runner/pull/4020
+* Bump node.js to latest version in runner. by @TingluoHuang in https://github.com/actions/runner/pull/4022
+* feat: add automated .NET dependency management workflow by @salmanmkc in https://github.com/actions/runner/pull/4028
+* feat: add automated Docker BuildX dependency management workflow by @salmanmkc in https://github.com/actions/runner/pull/4029
+* feat: add automated Node.js version management workflow by @salmanmkc in https://github.com/actions/runner/pull/4026
+* feat: add comprehensive NPM security management workflow by @salmanmkc in https://github.com/actions/runner/pull/4027
+* feat: add comprehensive dependency monitoring system by @salmanmkc in https://github.com/actions/runner/pull/4025
+* Use BrokerURL when using RunnerAdmin by @luketomlinson in https://github.com/actions/runner/pull/4044
+* Bump actions/github-script from 7.0.1 to 8.0.0 by @dependabot[bot] in https://github.com/actions/runner/pull/4016
+* Bump actions/stale from 9 to 10 by @dependabot[bot] in https://github.com/actions/runner/pull/4015
+* fix: prevent Node.js upgrade workflow from creating PRs with empty versions by @salmanmkc in https://github.com/actions/runner/pull/4055
+* chore: update Node versions by @github-actions[bot] in https://github.com/actions/runner/pull/4057
+* Bump actions/setup-node from 4 to 5 by @dependabot[bot] in https://github.com/actions/runner/pull/4037
+* Bump Azure.Storage.Blobs from 12.25.0 to 12.25.1 by @dependabot[bot] in https://github.com/actions/runner/pull/4058
+* Update Docker to v28.5.0 and Buildx to v0.29.1 by @github-actions[bot] in https://github.com/actions/runner/pull/4069
+* Bump github/codeql-action from 3 to 4 by @dependabot[bot] in https://github.com/actions/runner/pull/4072
+* chore: update Node versions by @github-actions[bot] in https://github.com/actions/runner/pull/4075
+* Include k8s novolume (version v0.8.0) by @nikola-jokic in https://github.com/actions/runner/pull/4063
+* Make sure runner-admin has both auth_url and auth_url_v2. by @TingluoHuang in https://github.com/actions/runner/pull/4066
+* Report job has infra failure to run-service by @TingluoHuang in https://github.com/actions/runner/pull/4073
+* Bump actions/setup-node from 5 to 6 by @dependabot[bot] in https://github.com/actions/runner/pull/4078

 ## New Contributors
-* @Samirat made their first contribution in https://github.com/actions/runner/pull/3954
-* @djs-intel made their first contribution in https://github.com/actions/runner/pull/3972
+* @horner made their first contribution in https://github.com/actions/runner/pull/3157

-**Full Changelog**: https://github.com/actions/runner/compare/v2.327.1...v2.328.0
+**Full Changelog**: https://github.com/actions/runner/compare/v2.328.0...v2.329.0

 _Note: Actions Runner follows a progressive release policy, so the latest release might not be available to your enterprise, organization, or repository yet.
 To confirm which version of the Actions Runner you should expect, please view the download instructions for your enterprise, organization, or repository.
--- a/src/Misc/externals.sh
+++ b/src/Misc/externals.sh
@@ -7,7 +7,7 @@ NODE_ALPINE_URL=https://github.com/actions/alpine_nodejs/releases/download
 # When you update Node versions you must also create a new release of alpine_nodejs at that updated version.
 # Follow the instructions here: https://github.com/actions/alpine_nodejs?tab=readme-ov-file#getting-started
 NODE20_VERSION="20.19.5"
-NODE24_VERSION="24.7.0"
+NODE24_VERSION="24.10.0"

 get_abs_path() {
  # exploits the fact that pwd will print abs path when no args
--- a/src/Runner.Common/ConfigurationStore.cs
+++ b/src/Runner.Common/ConfigurationStore.cs
@@ -1,10 +1,10 @@
-using GitHub.Runner.Sdk;
-using System;
+using System;
 using System.IO;
 using System.Linq;
 using System.Runtime.Serialization;
 using System.Text;
 using System.Threading;
+using GitHub.Runner.Sdk;

 namespace GitHub.Runner.Common
 {
@@ -64,8 +64,20 @@ namespace GitHub.Runner.Common
        {
            get
            {
-                // Old runners do not have this property. Hosted runners likely don't have this property either.
-                return _isHostedServer ?? true;
+                // If the value has been explicitly set, return it.
+                if (_isHostedServer.HasValue)
+                {
+                    return _isHostedServer.Value;
+                }
+
+                // Otherwise, try to infer it from the GitHubUrl.
+                if (!string.IsNullOrEmpty(GitHubUrl))
+                {
+                    return UrlUtil.IsHostedServer(new UriBuilder(GitHubUrl));
+                }
+
+                // Default to true since Hosted runners likely don't have this property set.
+                return true;
            }

            set
--- a/src/Runner.Common/Constants.cs
+++ b/src/Runner.Common/Constants.cs
@@ -170,6 +170,8 @@ namespace GitHub.Runner.Common
                public static readonly string AddCheckRunIdToJobContext = "actions_add_check_run_id_to_job_context";
                public static readonly string DisplayHelpfulActionsDownloadErrors = "actions_display_helpful_actions_download_errors";
                public static readonly string ContainerActionRunnerTemp = "actions_container_action_runner_temp";
+                public static readonly string SnapshotPreflightHostedRunnerCheck = "actions_snapshot_preflight_hosted_runner_check";
+                public static readonly string SnapshotPreflightImageGenPoolCheck = "actions_snapshot_preflight_image_gen_pool_check";
            }
            
            // Node version migration related constants
--- a/src/Runner.Common/RunServer.cs
+++ b/src/Runner.Common/RunServer.cs
@@ -30,6 +30,7 @@ namespace GitHub.Runner.Common
            string environmentUrl,
            IList<Telemetry> telemetry,
            string billingOwnerId,
+            string infrastructureFailureCategory,
            CancellationToken token);

        Task<RenewJobResponse> RenewJobAsync(Guid planId, Guid jobId, CancellationToken token);
@@ -80,11 +81,12 @@ namespace GitHub.Runner.Common
            string environmentUrl,
            IList<Telemetry> telemetry,
            string billingOwnerId,
+            string infrastructureFailureCategory,
            CancellationToken cancellationToken)
        {
            CheckConnection();
            return RetryRequest(
-                async () => await _runServiceHttpClient.CompleteJobAsync(requestUri, planId, jobId, result, outputs, stepResults, jobAnnotations, environmentUrl, telemetry, billingOwnerId, cancellationToken), cancellationToken,
+                async () => await _runServiceHttpClient.CompleteJobAsync(requestUri, planId, jobId, result, outputs, stepResults, jobAnnotations, environmentUrl, telemetry, billingOwnerId, infrastructureFailureCategory, cancellationToken), cancellationToken,
                shouldRetry: ex =>
                    ex is not VssUnauthorizedException &&               // HTTP status 401
                    ex is not TaskOrchestrationJobNotFoundException);   // HTTP status 404
--- a/src/Runner.Listener/Configuration/ConfigurationManager.cs
+++ b/src/Runner.Listener/Configuration/ConfigurationManager.cs
@@ -284,6 +284,7 @@ namespace GitHub.Runner.Listener.Configuration
                            {
                                var runner = await _dotcomServer.ReplaceRunnerAsync(runnerSettings.PoolId, agent, runnerSettings.GitHubUrl, registerToken, publicKeyXML);
                                runnerSettings.ServerUrlV2 = runner.RunnerAuthorization.ServerUrl;
+                                runnerSettings.UseV2Flow = true; // if we are using runner admin, we also need to hit broker

                                agent.Id = runner.Id;
                                agent.Authorization = new TaskAgentAuthorization()
@@ -291,6 +292,13 @@ namespace GitHub.Runner.Listener.Configuration
                                    AuthorizationUrl = runner.RunnerAuthorization.AuthorizationUrl,
                                    ClientId = new Guid(runner.RunnerAuthorization.ClientId)
                                };
+
+                                if (!string.IsNullOrEmpty(runner.RunnerAuthorization.LegacyAuthorizationUrl?.AbsoluteUri))
+                                {
+                                    agent.Authorization.AuthorizationUrl = runner.RunnerAuthorization.LegacyAuthorizationUrl;
+                                    agent.Properties["EnableAuthMigrationByDefault"] = true;
+                                    agent.Properties["AuthorizationUrlV2"] = runner.RunnerAuthorization.AuthorizationUrl.AbsoluteUri;
+                                }
                            }
                            else
                            {
@@ -334,6 +342,7 @@ namespace GitHub.Runner.Listener.Configuration
                        {
                            var runner = await _dotcomServer.AddRunnerAsync(runnerSettings.PoolId, agent, runnerSettings.GitHubUrl, registerToken, publicKeyXML);
                            runnerSettings.ServerUrlV2 = runner.RunnerAuthorization.ServerUrl;
+                            runnerSettings.UseV2Flow = true; // if we are using runner admin, we also need to hit broker

                            agent.Id = runner.Id;
                            agent.Authorization = new TaskAgentAuthorization()
@@ -341,6 +350,13 @@ namespace GitHub.Runner.Listener.Configuration
                                AuthorizationUrl = runner.RunnerAuthorization.AuthorizationUrl,
                                ClientId = new Guid(runner.RunnerAuthorization.ClientId)
                            };
+
+                            if (!string.IsNullOrEmpty(runner.RunnerAuthorization.LegacyAuthorizationUrl?.AbsoluteUri))
+                            {
+                                agent.Authorization.AuthorizationUrl = runner.RunnerAuthorization.LegacyAuthorizationUrl;
+                                agent.Properties["EnableAuthMigrationByDefault"] = true;
+                                agent.Properties["AuthorizationUrlV2"] = runner.RunnerAuthorization.AuthorizationUrl.AbsoluteUri;
+                            }
                        }
                        else
                        {
--- a/src/Runner.Listener/JobDispatcher.cs
+++ b/src/Runner.Listener/JobDispatcher.cs
@@ -1211,7 +1211,7 @@ namespace GitHub.Runner.Listener
                    jobAnnotations.Add(annotation.Value);
                }

-                await runServer.CompleteJobAsync(message.Plan.PlanId, message.JobId, TaskResult.Failed, outputs: null, stepResults: null, jobAnnotations: jobAnnotations, environmentUrl: null, telemetry: null, billingOwnerId: message.BillingOwnerId, CancellationToken.None);
+                await runServer.CompleteJobAsync(message.Plan.PlanId, message.JobId, TaskResult.Failed, outputs: null, stepResults: null, jobAnnotations: jobAnnotations, environmentUrl: null, telemetry: null, billingOwnerId: message.BillingOwnerId, infrastructureFailureCategory: null, CancellationToken.None);
            }
            catch (Exception ex)
            {
--- a/src/Runner.Worker/ActionManager.cs
+++ b/src/Runner.Worker/ActionManager.cs
@@ -111,7 +111,7 @@ namespace GitHub.Runner.Worker
            {
                // Log the error and fail the PrepareActionsAsync Initialization.
                Trace.Error($"Caught exception from PrepareActionsAsync Initialization: {ex}");
-                executionContext.InfrastructureError(ex.Message);
+                executionContext.InfrastructureError(ex.Message, category: "resolve_action");
                executionContext.Result = TaskResult.Failed;
                throw;
            }
@@ -119,7 +119,7 @@ namespace GitHub.Runner.Worker
            {
                // Log the error and fail the PrepareActionsAsync Initialization.
                Trace.Error($"Caught exception from PrepareActionsAsync Initialization: {ex}");
-                executionContext.InfrastructureError(ex.Message);
+                executionContext.InfrastructureError(ex.Message, category: "invalid_action_download");
                executionContext.Result = TaskResult.Failed;
                throw;
            }
@@ -777,15 +777,15 @@ namespace GitHub.Runner.Worker
                IOUtil.DeleteDirectory(destDirectory, executionContext.CancellationToken);
                Directory.CreateDirectory(destDirectory);

-                if (downloadInfo.PackageDetails != null) 
+                if (downloadInfo.PackageDetails != null)
                {
                    executionContext.Output($"##[group]Download immutable action package '{downloadInfo.NameWithOwner}@{downloadInfo.Ref}'");
                    executionContext.Output($"Version: {downloadInfo.PackageDetails.Version}");
                    executionContext.Output($"Digest: {downloadInfo.PackageDetails.ManifestDigest}");
                    executionContext.Output($"Source commit SHA: {downloadInfo.ResolvedSha}");
                    executionContext.Output("##[endgroup]");
-                } 
-                else 
+                }
+                else
                {
                    executionContext.Output($"Download action repository '{downloadInfo.NameWithOwner}@{downloadInfo.Ref}' (SHA:{downloadInfo.ResolvedSha})");
                }
--- a/src/Runner.Worker/ExecutionContext.cs
+++ b/src/Runner.Worker/ExecutionContext.cs
@@ -522,6 +522,10 @@ namespace GitHub.Runner.Worker
                    if (annotation != null)
                    {
                        stepResult.Annotations.Add(annotation.Value);
+                        if (annotation.Value.IsInfrastructureIssue && string.IsNullOrEmpty(Global.InfrastructureFailureCategory))
+                        {
+                            Global.InfrastructureFailureCategory = issue.Category;
+                        }
                    }
                });

@@ -1335,9 +1339,9 @@ namespace GitHub.Runner.Worker
        }

        // Do not add a format string overload. See comment on ExecutionContext.Write().
-        public static void InfrastructureError(this IExecutionContext context, string message)
+        public static void InfrastructureError(this IExecutionContext context, string message, string category = null)
        {
-            var issue = new Issue() { Type = IssueType.Error, Message = message, IsInfrastructureIssue = true };
+            var issue = new Issue() { Type = IssueType.Error, Message = message, IsInfrastructureIssue = true, Category = category };
            context.AddIssue(issue, ExecutionContextLogOptions.Default);
        }

--- a/src/Runner.Worker/GlobalContext.cs
+++ b/src/Runner.Worker/GlobalContext.cs
@@ -27,6 +27,7 @@ namespace GitHub.Runner.Worker
        public StepsContext StepsContext { get; set; }
        public Variables Variables { get; set; }
        public bool WriteDebug { get; set; }
+        public string InfrastructureFailureCategory { get; set; }
        public JObject ContainerHookState { get; set; }
    }
 }
--- a/src/Runner.Worker/JobExtension.cs
+++ b/src/Runner.Worker/JobExtension.cs
@@ -400,6 +400,10 @@ namespace GitHub.Runner.Worker
                    if (snapshotRequest != null)
                    {
                        var snapshotOperationProvider = HostContext.GetService<ISnapshotOperationProvider>();
+                        // Check that that runner is capable of taking a snapshot
+                        snapshotOperationProvider.RunSnapshotPreflightChecks(context);
+
+                        // Add postjob step to write snapshot file
                        jobContext.RegisterPostJobStep(new JobExtensionRunner(
                            runAsync: (executionContext, _) => snapshotOperationProvider.CreateSnapshotRequestAsync(executionContext, snapshotRequest),
                            condition: snapshotRequest.Condition,
--- a/src/Runner.Worker/JobRunner.cs
+++ b/src/Runner.Worker/JobRunner.cs
@@ -321,7 +321,7 @@ namespace GitHub.Runner.Worker
            {
                try
                {
-                    await runServer.CompleteJobAsync(message.Plan.PlanId, message.JobId, result, jobContext.JobOutputs, jobContext.Global.StepsResult, jobContext.Global.JobAnnotations, environmentUrl, telemetry, billingOwnerId: message.BillingOwnerId, default);
+                    await runServer.CompleteJobAsync(message.Plan.PlanId, message.JobId, result, jobContext.JobOutputs, jobContext.Global.StepsResult, jobContext.Global.JobAnnotations, environmentUrl, telemetry, billingOwnerId: message.BillingOwnerId, infrastructureFailureCategory: jobContext.Global.InfrastructureFailureCategory, default);
                    return result;
                }
                catch (VssUnauthorizedException ex)
--- a/src/Runner.Worker/SnapshotOperationProvider.cs
+++ b/src/Runner.Worker/SnapshotOperationProvider.cs
@@ -1,15 +1,19 @@
 #nullable enable
+using System;
 using System.IO;
 using System.Threading.Tasks;
 using GitHub.DistributedTask.Pipelines;
+using GitHub.DistributedTask.WebApi;
 using GitHub.Runner.Common;
 using GitHub.Runner.Sdk;
+using GitHub.Runner.Worker.Handlers;
 namespace GitHub.Runner.Worker;

 [ServiceLocator(Default = typeof(SnapshotOperationProvider))]
 public interface ISnapshotOperationProvider : IRunnerService
 {
    Task CreateSnapshotRequestAsync(IExecutionContext executionContext, Snapshot snapshotRequest);
+    void RunSnapshotPreflightChecks(IExecutionContext jobContext);
 }

 public class SnapshotOperationProvider : RunnerService, ISnapshotOperationProvider
@@ -24,9 +28,32 @@ public class SnapshotOperationProvider : RunnerService, ISnapshotOperationProvid
        }

        IOUtil.SaveObject(snapshotRequest, snapshotRequestFilePath);
+        executionContext.Output($"Image Name: {snapshotRequest.ImageName} Version: {snapshotRequest.Version}");
        executionContext.Output($"Request written to: {snapshotRequestFilePath}");
        executionContext.Output("This request will be processed after the job completes. You will not receive any feedback on the snapshot process within the workflow logs of this job.");
        executionContext.Output("If the snapshot process is successful, you should see a new image with the requested name in the list of available custom images when creating a new GitHub-hosted Runner.");
        return Task.CompletedTask;
    }
+
+    public void RunSnapshotPreflightChecks(IExecutionContext context)
+    {
+        var shouldCheckRunnerEnvironment = context.Global.Variables.GetBoolean(Constants.Runner.Features.SnapshotPreflightHostedRunnerCheck) ?? false;
+        if (shouldCheckRunnerEnvironment &&
+             context.Global.Variables.TryGetValue(WellKnownDistributedTaskVariables.RunnerEnvironment, out var runnerEnvironment) &&
+             !string.IsNullOrEmpty(runnerEnvironment))
+        {
+            context.Debug($"Snapshot: RUNNER_ENVIRONMENT={runnerEnvironment}");
+            if (!string.Equals(runnerEnvironment, "github-hosted", StringComparison.OrdinalIgnoreCase))
+            {
+                throw new ArgumentException("Snapshot workflows must be run on a GitHub Hosted Runner");
+            }
+        }
+        var imageGenEnabled = StringUtil.ConvertToBoolean(Environment.GetEnvironmentVariable("GITHUB_ACTIONS_IMAGE_GEN_ENABLED"));
+        context.Debug($"Snapshot: GITHUB_ACTIONS_IMAGE_GEN_ENABLED={imageGenEnabled}");
+        var shouldCheckImageGenPool = context.Global.Variables.GetBoolean(Constants.Runner.Features.SnapshotPreflightImageGenPoolCheck) ?? false;
+        if (shouldCheckImageGenPool && !imageGenEnabled)
+        {
+            throw new ArgumentException("Snapshot workflows must be run a hosted runner with Image Generation enabled");
+        }
+    }
 }
--- a/src/Sdk/DTWebApi/WebApi/Runner.cs
+++ b/src/Sdk/DTWebApi/WebApi/Runner.cs
@@ -18,6 +18,16 @@ namespace GitHub.DistributedTask.WebApi
                internal set;
            }

+            /// <summary>
+            /// The url to refresh tokens with legacy service
+            /// </summary> 
+            [JsonProperty("legacy_authorization_url")]
+            public Uri LegacyAuthorizationUrl
+            {
+                get;
+                internal set;
+            }
+
            /// <summary>
            /// The url to connect to poll for messages
            /// </summary> 
--- a/src/Sdk/RSWebApi/Contracts/CompleteJobRequest.cs
+++ b/src/Sdk/RSWebApi/Contracts/CompleteJobRequest.cs
@@ -35,5 +35,8 @@ namespace GitHub.Actions.RunService.WebApi

        [DataMember(Name = "billingOwnerId", EmitDefaultValue = false)]
        public string BillingOwnerId { get; set; }
+
+        [DataMember(Name = "infrastructureFailureCategory", EmitDefaultValue = false)]
+        public string InfrastructureFailureCategory { get; set; }
    }
 }
--- a/src/Sdk/RSWebApi/Contracts/IssueExtensions.cs
+++ b/src/Sdk/RSWebApi/Contracts/IssueExtensions.cs
@@ -42,6 +42,7 @@ namespace Sdk.RSWebApi.Contracts
                StartColumn = columnNumber,
                EndColumn = endColumnNumber,
                StepNumber = stepNumber,
+                IsInfrastructureIssue = issue.IsInfrastructureIssue ?? false
            };
        }

--- a/src/Sdk/RSWebApi/RunServiceHttpClient.cs
+++ b/src/Sdk/RSWebApi/RunServiceHttpClient.cs
@@ -131,6 +131,7 @@ namespace GitHub.Actions.RunService.WebApi
            string environmentUrl,
            IList<Telemetry> telemetry,
            string billingOwnerId,
+            string infrastructureFailureCategory,
            CancellationToken cancellationToken = default)
        {
            HttpMethod httpMethod = new HttpMethod("POST");
@@ -145,6 +146,7 @@ namespace GitHub.Actions.RunService.WebApi
                EnvironmentUrl = environmentUrl,
                Telemetry = telemetry,
                BillingOwnerId = billingOwnerId,
+                InfrastructureFailureCategory = infrastructureFailureCategory
            };

            requestUri = new Uri(requestUri, "completejob");
--- a/src/Sdk/Sdk.csproj
+++ b/src/Sdk/Sdk.csproj
@@ -14,7 +14,7 @@
    </PropertyGroup>

    <ItemGroup>
-        <PackageReference Include="Azure.Storage.Blobs" Version="12.25.0" />
+        <PackageReference Include="Azure.Storage.Blobs" Version="12.25.1" />
        <PackageReference Include="Microsoft.Win32.Registry" Version="5.0.0" />
        <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
        <PackageReference Include="Microsoft.AspNet.WebApi.Client" Version="6.0.0" />
--- a/src/Test/L0/Worker/JobExtensionL0.cs
+++ b/src/Test/L0/Worker/JobExtensionL0.cs
@@ -567,5 +567,193 @@ namespace GitHub.Runner.Common.Tests.Worker
                }
            }
        }
+
+        [Fact]
+        [Trait("Level", "L0")]
+        [Trait("Category", "Worker")]
+        public async Task SnapshotPreflightChecks_HostedRunnerCheck_Enabled_GitHubHosted_Success()
+        {
+            using (TestHostContext hc = CreateTestContext())
+            {
+                _jobEc.Global.Variables.Set(WellKnownDistributedTaskVariables.RunnerEnvironment, "github-hosted");
+
+                hc.SetSingleton<ISnapshotOperationProvider>(new SnapshotOperationProvider());
+                _jobEc.Global.Variables.Set(Constants.Runner.Features.SnapshotPreflightHostedRunnerCheck, "true");
+
+                var jobExtension = new JobExtension();
+                jobExtension.Initialize(hc);
+
+
+                var snapshot = new Pipelines.Snapshot("TestImageNameForPreflightCheck");
+                var imageNameValueStringToken = new StringToken(null, null, null, snapshot.ImageName);
+                _message.Snapshot = imageNameValueStringToken;
+
+                _actionManager.Setup(x => x.PrepareActionsAsync(It.IsAny<IExecutionContext>(), It.IsAny<IEnumerable<Pipelines.JobStep>>(), It.IsAny<Guid>()))
+                    .Returns(Task.FromResult(new PrepareResult(new List<JobExtensionRunner>(), new Dictionary<Guid, IActionRunner>())));
+
+                await jobExtension.InitializeJob(_jobEc, _message);
+
+                var postJobSteps = _jobEc.PostJobSteps;
+                Assert.Equal(1, postJobSteps.Count);
+            }
+
+            Environment.SetEnvironmentVariable("RUNNER_ENVIRONMENT", null);
+        }
+
+        [Fact]
+        [Trait("Level", "L0")]
+        [Trait("Category", "Worker")]
+        public async Task SnapshotPreflightChecks_HostedRunnerCheck_Enabled_SelfHosted_ThrowsException()
+        {
+            using (TestHostContext hc = CreateTestContext())
+            {
+                _jobEc.Global.Variables.Set(WellKnownDistributedTaskVariables.RunnerEnvironment, "self-hosted");
+                hc.SetSingleton<ISnapshotOperationProvider>(new SnapshotOperationProvider());
+
+                var jobExtension = new JobExtension();
+                jobExtension.Initialize(hc);
+
+                _jobEc.Global.Variables.Set(Constants.Runner.Features.SnapshotPreflightHostedRunnerCheck, "true");
+
+                var snapshot = new Pipelines.Snapshot("TestImageNameForPreflightCheck");
+                var imageNameValueStringToken = new StringToken(null, null, null, snapshot.ImageName);
+                _message.Snapshot = imageNameValueStringToken;
+
+                _actionManager.Setup(x => x.PrepareActionsAsync(It.IsAny<IExecutionContext>(), It.IsAny<IEnumerable<Pipelines.JobStep>>(), It.IsAny<Guid>()))
+                    .Returns(Task.FromResult(new PrepareResult(new List<JobExtensionRunner>(), new Dictionary<Guid, IActionRunner>())));
+
+                var exception = await Assert.ThrowsAsync<ArgumentException>(() => jobExtension.InitializeJob(_jobEc, _message));
+                Assert.Contains("Snapshot workflows must be run on a GitHub Hosted Runner", exception.Message);
+            }
+
+            Environment.SetEnvironmentVariable("RUNNER_ENVIRONMENT", null);
+        }
+
+        [Fact]
+        [Trait("Level", "L0")]
+        [Trait("Category", "Worker")]
+        public async Task SnapshotPreflightChecks_ImageGenPoolCheck_Enabled_ImageGenEnabled_Success()
+        {
+            Environment.SetEnvironmentVariable("GITHUB_ACTIONS_IMAGE_GEN_ENABLED", "true");
+
+            using (TestHostContext hc = CreateTestContext())
+            {
+                hc.SetSingleton<ISnapshotOperationProvider>(new SnapshotOperationProvider());
+
+                var jobExtension = new JobExtension();
+                jobExtension.Initialize(hc);
+
+                _jobEc.Global.Variables.Set(Constants.Runner.Features.SnapshotPreflightImageGenPoolCheck, "true");
+
+                var snapshot = new Pipelines.Snapshot("TestImageNameForPreflightCheck");
+                var imageNameValueStringToken = new StringToken(null, null, null, snapshot.ImageName);
+                _message.Snapshot = imageNameValueStringToken;
+
+                _actionManager.Setup(x => x.PrepareActionsAsync(It.IsAny<IExecutionContext>(), It.IsAny<IEnumerable<Pipelines.JobStep>>(), It.IsAny<Guid>()))
+                    .Returns(Task.FromResult(new PrepareResult(new List<JobExtensionRunner>(), new Dictionary<Guid, IActionRunner>())));
+
+                await jobExtension.InitializeJob(_jobEc, _message);
+
+                var postJobSteps = _jobEc.PostJobSteps;
+                Assert.Equal(1, postJobSteps.Count);
+            }
+
+            Environment.SetEnvironmentVariable("GITHUB_ACTIONS_IMAGE_GEN_ENABLED", null);
+        }
+
+        [Fact]
+        [Trait("Level", "L0")]
+        [Trait("Category", "Worker")]
+        public async Task SnapshotPreflightChecks_ImageGenPoolCheck_Enabled_ImageGen_False_ThrowsException()
+        {
+            Environment.SetEnvironmentVariable("GITHUB_ACTIONS_IMAGE_GEN_ENABLED", "false");
+
+            using (TestHostContext hc = CreateTestContext())
+            {
+                hc.SetSingleton<ISnapshotOperationProvider>(new SnapshotOperationProvider());
+                _jobEc.SetRunnerContext("environment", "github-hosted");
+
+                var jobExtension = new JobExtension();
+                jobExtension.Initialize(hc);
+
+                _jobEc.Global.Variables.Set(Constants.Runner.Features.SnapshotPreflightImageGenPoolCheck, "true");
+
+                var snapshot = new Pipelines.Snapshot("TestImageNameForPreflightCheck");
+                var imageNameValueStringToken = new StringToken(null, null, null, snapshot.ImageName);
+                _message.Snapshot = imageNameValueStringToken;
+
+                _actionManager.Setup(x => x.PrepareActionsAsync(It.IsAny<IExecutionContext>(), It.IsAny<IEnumerable<Pipelines.JobStep>>(), It.IsAny<Guid>()))
+                    .Returns(Task.FromResult(new PrepareResult(new List<JobExtensionRunner>(), new Dictionary<Guid, IActionRunner>())));
+
+                var exception = await Assert.ThrowsAsync<ArgumentException>(() => jobExtension.InitializeJob(_jobEc, _message));
+                Assert.Contains("Snapshot workflows must be run a hosted runner with Image Generation enabled", exception.Message);
+            }
+
+            Environment.SetEnvironmentVariable("GITHUB_ACTIONS_IMAGE_GEN_ENABLED", null);
+        }
+
+        [Fact]
+        [Trait("Level", "L0")]
+        [Trait("Category", "Worker")]
+        public async Task SnapshotPreflightChecks_ImageGenPoolCheck_Enabled_ImageGen_Missing_ThrowsException()
+        {
+            using (TestHostContext hc = CreateTestContext())
+            {
+                hc.SetSingleton<ISnapshotOperationProvider>(new SnapshotOperationProvider());
+
+                var jobExtension = new JobExtension();
+                jobExtension.Initialize(hc);
+
+                _jobEc.Global.Variables.Set(Constants.Runner.Features.SnapshotPreflightImageGenPoolCheck, "true");
+
+                var snapshot = new Pipelines.Snapshot("TestImageNameForPreflightCheck");
+                var imageNameValueStringToken = new StringToken(null, null, null, snapshot.ImageName);
+                _message.Snapshot = imageNameValueStringToken;
+
+                _actionManager.Setup(x => x.PrepareActionsAsync(It.IsAny<IExecutionContext>(), It.IsAny<IEnumerable<Pipelines.JobStep>>(), It.IsAny<Guid>()))
+                    .Returns(Task.FromResult(new PrepareResult(new List<JobExtensionRunner>(), new Dictionary<Guid, IActionRunner>())));
+
+                var exception = await Assert.ThrowsAsync<ArgumentException>(() => jobExtension.InitializeJob(_jobEc, _message));
+                Assert.Contains("Snapshot workflows must be run a hosted runner with Image Generation enabled", exception.Message);
+            }
+
+            Environment.SetEnvironmentVariable("GITHUB_ACTIONS_IMAGE_GEN_ENABLED", null);
+        }
+
+        [Fact]
+        [Trait("Level", "L0")]
+        [Trait("Category", "Worker")]
+        public async Task SnapshotPreflightChecks_BothChecks_Enabled_AllConditionsMet_Success()
+        {
+            Environment.SetEnvironmentVariable("GITHUB_ACTIONS_IMAGE_GEN_ENABLED", "true");
+
+            using (TestHostContext hc = CreateTestContext())
+            {
+                hc.SetSingleton<ISnapshotOperationProvider>(new SnapshotOperationProvider());
+
+                var jobExtension = new JobExtension();
+                jobExtension.Initialize(hc);
+
+                // Enable both preflight checks
+                _jobEc.Global.Variables.Set(WellKnownDistributedTaskVariables.RunnerEnvironment, "github-hosted");
+                _jobEc.Global.Variables.Set(Constants.Runner.Features.SnapshotPreflightHostedRunnerCheck, "true");
+                _jobEc.Global.Variables.Set(Constants.Runner.Features.SnapshotPreflightImageGenPoolCheck, "true");
+
+                var snapshot = new Pipelines.Snapshot("TestImageNameForPreflightCheck");
+                var imageNameValueStringToken = new StringToken(null, null, null, snapshot.ImageName);
+                _message.Snapshot = imageNameValueStringToken;
+
+                _actionManager.Setup(x => x.PrepareActionsAsync(It.IsAny<IExecutionContext>(), It.IsAny<IEnumerable<Pipelines.JobStep>>(), It.IsAny<Guid>()))
+                    .Returns(Task.FromResult(new PrepareResult(new List<JobExtensionRunner>(), new Dictionary<Guid, IActionRunner>())));
+
+                await jobExtension.InitializeJob(_jobEc, _message);
+
+                var postJobSteps = _jobEc.PostJobSteps;
+                Assert.Equal(1, postJobSteps.Count);
+            }
+
+            Environment.SetEnvironmentVariable("RUNNER_ENVIRONMENT", null);
+            Environment.SetEnvironmentVariable("GITHUB_ACTIONS_IMAGE_GEN_ENABLED", null);
+        }
    }
 }
--- a/src/Test/L0/Worker/SnapshotOperationProviderL0.cs
+++ b/src/Test/L0/Worker/SnapshotOperationProviderL0.cs
@@ -38,6 +38,7 @@ public class SnapshotOperationProviderL0
            Assert.NotNull(actualSnapshot);
            Assert.Equal(expectedSnapshot.ImageName, actualSnapshot!.ImageName);
            _ec.Verify(ec => ec.Write(null, $"Request written to: {_snapshotRequestFilePath}"), Times.Once);
+            _ec.Verify(ec => ec.Write(null, $"Image Name: {expectedSnapshot.ImageName} Version: {expectedSnapshot.Version}"), Times.Once);
            _ec.Verify(ec => ec.Write(null, "This request will be processed after the job completes. You will not receive any feedback on the snapshot process within the workflow logs of this job."), Times.Once);
            _ec.Verify(ec => ec.Write(null, "If the snapshot process is successful, you should see a new image with the requested name in the list of available custom images when creating a new GitHub-hosted Runner."), Times.Once);
            _ec.VerifyNoOtherCalls();
--- a/src/dev.sh
+++ b/src/dev.sh
@@ -17,7 +17,7 @@ LAYOUT_DIR="$SCRIPT_DIR/../_layout"
 DOWNLOAD_DIR="$SCRIPT_DIR/../_downloads/netcore2x"
 PACKAGE_DIR="$SCRIPT_DIR/../_package"
 DOTNETSDK_ROOT="$SCRIPT_DIR/../_dotnetsdk"
-DOTNETSDK_VERSION="8.0.413"
+DOTNETSDK_VERSION="8.0.415"
 DOTNETSDK_INSTALLDIR="$DOTNETSDK_ROOT/$DOTNETSDK_VERSION"
 RUNNER_VERSION=$(cat runnerversion)

--- a/src/global.json
+++ b/src/global.json
@@ -1,5 +1,5 @@
 {
  "sdk": {
-    "version": "8.0.413"
+    "version": "8.0.415"
  }
 }
--- a/src/runnerversion
+++ b/src/runnerversion
@@ -1 +1 @@
-2.328.0
+2.329.0
Author	SHA1	Message	Date
github-actions[bot]	e75a97dba4	chore: npm audit fix for hashFiles dependencies	2025-11-03 07:03:00 +00:00
Tingluo Huang	bca18f71d0	Improve logic around decide IsHostedServer. (#4086 )	2025-10-22 00:00:44 -04:00
Josh Soref	1b8efb99f6	Link to an extant discussion category (#4084 ) Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>	2025-10-20 11:53:45 -04:00
github-actions[bot]	0b2c71fc31	Update dotnet sdk to latest version @8.0.415 (#4080 ) Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Salman Chishti <salmanmkc@GitHub.com>	2025-10-20 11:40:09 +01:00
Lawrence Gripper	60af948051	Custom Image: Preflight checks (#4081 ) Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>	2025-10-16 20:16:14 +00:00
Tingluo Huang	ff775ca101	Prepare runner release v2.329.0 (#4079 )	2025-10-14 10:31:32 -04:00
dependabot[bot]	f74be39e77	Bump actions/setup-node from 5 to 6 (#4078 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2025-10-14 10:13:15 -04:00
Tingluo Huang	1eb15f28a7	Report job has infra failure to run-service (#4073 )	2025-10-13 16:21:32 -04:00
Tingluo Huang	afe4fc8446	Make sure runner-admin has both auth_url and auth_url_v2. (#4066 )	2025-10-13 12:22:10 -04:00
Nikola Jokic	a12731d34d	Include k8s novolume (version v0.8.0) (#4063 )	2025-10-13 13:40:16 +00:00
github-actions[bot]	18f2450d71	chore: update Node versions (#4075 ) Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>	2025-10-13 12:31:58 +00:00
dependabot[bot]	2c5f29c3ca	Bump github/codeql-action from 3 to 4 (#4072 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2025-10-12 22:08:56 -04:00
github-actions[bot]	c9de9a8699	Update Docker to v28.5.0 and Buildx to v0.29.1 (#4069 ) Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>	2025-10-12 21:45:22 -04:00
dependabot[bot]	68ff57dbc4	Bump Azure.Storage.Blobs from 12.25.0 to 12.25.1 (#4058 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2025-09-29 13:19:05 +00:00
dependabot[bot]	c774eb8d46	Bump actions/setup-node from 4 to 5 (#4037 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Salman Chishti <salmanmkc@GitHub.com>	2025-09-29 13:09:56 +00:00
github-actions[bot]	f184048a9a	chore: update Node versions (#4057 ) Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>	2025-09-29 08:26:46 -04:00
Salman Chishti	338d83a941	fix: prevent Node.js upgrade workflow from creating PRs with empty versions (#4055 )	2025-09-23 15:30:36 +01:00
dependabot[bot]	0b074a3e93	Bump actions/stale from 9 to 10 (#4015 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2025-09-19 11:56:15 +01:00
dependabot[bot]	25faeabaa8	Bump actions/github-script from 7.0.1 to 8.0.0 (#4016 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Salman Chishti <salmanmkc@GitHub.com>	2025-09-19 10:33:20 +00:00
Luke Tomlinson	b121ef832b	Use BrokerURL when using RunnerAdmin (#4044 )	2025-09-18 14:10:23 +00:00
Salman Chishti	170033c92b	feat: add comprehensive dependency monitoring system (#4025 )	2025-09-17 16:16:48 +01:00
@@ -1 +1 @@
 .328.0
 .329.0