Add InternalsVisibleTo attribute for testing purposes

Remove duplicate 'using GitHub.Runner.Worker.Container;' statement that was causing compilation error CS0105.

.github/workflows/close-bugs-bot.yml

@@ -7,7 +7,7 @@ jobs:
   stale:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/stale@v9
+      - uses: actions/stale@v10
         with:
           close-issue-message: "This issue does not seem to be a problem with the runner application, it concerns the GitHub actions platform more generally. Could you please post your feedback on the [GitHub Community Support Forum](https://github.com/orgs/community/discussions/categories/actions) which is actively monitored. Using the forum ensures that we route your problem to the correct team. 😃"
           exempt-issue-labels: "keep"

.github/workflows/close-features-bot.yml

@@ -7,7 +7,7 @@ jobs:
   stale:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/stale@v9
+      - uses: actions/stale@v10
         with:
           close-issue-message: "Thank you for your interest in the runner application and taking the time to provide your valuable feedback. We kindly ask you to redirect this feedback to the [GitHub Community Support Forum](https://github.com/orgs/community/discussions/categories/actions-and-packages) which our team actively monitors and would be a better place to start a discussion for new feature requests in GitHub Actions. For more information on this policy please [read our contribution guidelines](https://github.com/actions/runner#contribute). 😃"
           exempt-issue-labels: "keep"

.github/workflows/dependency-check.yml

@@ -0,0 +1,211 @@
+name: Dependency Status Check
+
+on:
+  workflow_dispatch:
+    inputs:
+      check_type:
+        description: "Type of dependency check"
+        required: false
+        default: "all"
+        type: choice
+        options:
+          - all
+          - node
+          - dotnet
+          - docker
+          - npm
+  schedule:
+    - cron: "0 11 * * 1" # Weekly on Monday at 11 AM
+
+jobs:
+  dependency-status:
+    runs-on: ubuntu-latest
+    outputs:
+      node20-status: ${{ steps.check-versions.outputs.node20-status }}
+      node24-status: ${{ steps.check-versions.outputs.node24-status }}
+      dotnet-status: ${{ steps.check-versions.outputs.dotnet-status }}
+      docker-status: ${{ steps.check-versions.outputs.docker-status }}
+      buildx-status: ${{ steps.check-versions.outputs.buildx-status }}
+      npm-vulnerabilities: ${{ steps.check-versions.outputs.npm-vulnerabilities }}
+      open-dependency-prs: ${{ steps.check-prs.outputs.open-dependency-prs }}
+    steps:
+      - uses: actions/checkout@v5
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: "20"
+
+      - name: Check dependency versions
+        id: check-versions
+        run: |
+          echo "## Dependency Status Report" >> $GITHUB_STEP_SUMMARY
+          echo "Generated on: $(date)" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+
+          # Check Node versions
+          if [[ "${{ github.event.inputs.check_type }}" == "all" || "${{ github.event.inputs.check_type }}" == "node" ]]; then
+            echo "### Node.js Versions" >> $GITHUB_STEP_SUMMARY
+            
+            VERSIONS_JSON=$(curl -s https://raw.githubusercontent.com/actions/node-versions/main/versions-manifest.json)
+            LATEST_NODE20=$(echo "$VERSIONS_JSON" | jq -r '.[] | select(.version | startswith("20.")) | .version' | head -1)
+            LATEST_NODE24=$(echo "$VERSIONS_JSON" | jq -r '.[] | select(.version | startswith("24.")) | .version' | head -1)
+            
+            CURRENT_NODE20=$(grep "NODE20_VERSION=" src/Misc/externals.sh | cut -d'"' -f2)
+            CURRENT_NODE24=$(grep "NODE24_VERSION=" src/Misc/externals.sh | cut -d'"' -f2)
+            
+            NODE20_STATUS="✅ up-to-date"
+            NODE24_STATUS="✅ up-to-date"
+            
+            if [ "$CURRENT_NODE20" != "$LATEST_NODE20" ]; then
+              NODE20_STATUS="⚠️ outdated"
+            fi
+            
+            if [ "$CURRENT_NODE24" != "$LATEST_NODE24" ]; then
+              NODE24_STATUS="⚠️ outdated"
+            fi
+            
+            echo "| Version | Current | Latest | Status |" >> $GITHUB_STEP_SUMMARY
+            echo "|---------|---------|--------|--------|" >> $GITHUB_STEP_SUMMARY
+            echo "| Node 20 | $CURRENT_NODE20 | $LATEST_NODE20 | $NODE20_STATUS |" >> $GITHUB_STEP_SUMMARY
+            echo "| Node 24 | $CURRENT_NODE24 | $LATEST_NODE24 | $NODE24_STATUS |" >> $GITHUB_STEP_SUMMARY
+            echo "" >> $GITHUB_STEP_SUMMARY
+            
+            echo "node20-status=$NODE20_STATUS" >> $GITHUB_OUTPUT
+            echo "node24-status=$NODE24_STATUS" >> $GITHUB_OUTPUT
+          fi
+
+          # Check .NET version
+          if [[ "${{ github.event.inputs.check_type }}" == "all" || "${{ github.event.inputs.check_type }}" == "dotnet" ]]; then
+            echo "### .NET SDK Version" >> $GITHUB_STEP_SUMMARY
+            
+            current_dotnet_version=$(jq -r .sdk.version ./src/global.json)
+            current_major_minor=$(echo "$current_dotnet_version" | cut -d '.' -f 1,2)
+            latest_dotnet_version=$(curl -sb -H "Accept: application/json" "https://dotnetcli.blob.core.windows.net/dotnet/Sdk/$current_major_minor/latest.version")
+            
+            DOTNET_STATUS="✅ up-to-date"
+            if [ "$current_dotnet_version" != "$latest_dotnet_version" ]; then
+              DOTNET_STATUS="⚠️ outdated"
+            fi
+            
+            echo "| Component | Current | Latest | Status |" >> $GITHUB_STEP_SUMMARY
+            echo "|-----------|---------|--------|--------|" >> $GITHUB_STEP_SUMMARY
+            echo "| .NET SDK | $current_dotnet_version | $latest_dotnet_version | $DOTNET_STATUS |" >> $GITHUB_STEP_SUMMARY
+            echo "" >> $GITHUB_STEP_SUMMARY
+            
+            echo "dotnet-status=$DOTNET_STATUS" >> $GITHUB_OUTPUT
+          fi
+
+          # Check Docker versions
+          if [[ "${{ github.event.inputs.check_type }}" == "all" || "${{ github.event.inputs.check_type }}" == "docker" ]]; then
+            echo "### Docker Versions" >> $GITHUB_STEP_SUMMARY
+            
+            current_docker=$(grep "ARG DOCKER_VERSION=" ./images/Dockerfile | cut -d'=' -f2)
+            current_buildx=$(grep "ARG BUILDX_VERSION=" ./images/Dockerfile | cut -d'=' -f2)
+            
+            latest_docker=$(curl -s https://download.docker.com/linux/static/stable/x86_64/ | grep -o 'docker-[0-9]*\.[0-9]*\.[0-9]*\.tgz' | sort -V | tail -n 1 | sed 's/docker-\(.*\)\.tgz/\1/')
+            latest_buildx=$(curl -s https://api.github.com/repos/docker/buildx/releases/latest | jq -r '.tag_name' | sed 's/^v//')
+            
+            DOCKER_STATUS="✅ up-to-date"
+            BUILDX_STATUS="✅ up-to-date"
+            
+            if [ "$current_docker" != "$latest_docker" ]; then
+              DOCKER_STATUS="⚠️ outdated"
+            fi
+            
+            if [ "$current_buildx" != "$latest_buildx" ]; then
+              BUILDX_STATUS="⚠️ outdated"
+            fi
+            
+            echo "| Component | Current | Latest | Status |" >> $GITHUB_STEP_SUMMARY
+            echo "|-----------|---------|--------|--------|" >> $GITHUB_STEP_SUMMARY
+            echo "| Docker | $current_docker | $latest_docker | $DOCKER_STATUS |" >> $GITHUB_STEP_SUMMARY
+            echo "| Docker Buildx | $current_buildx | $latest_buildx | $BUILDX_STATUS |" >> $GITHUB_STEP_SUMMARY
+            echo "" >> $GITHUB_STEP_SUMMARY
+            
+            echo "docker-status=$DOCKER_STATUS" >> $GITHUB_OUTPUT
+            echo "buildx-status=$BUILDX_STATUS" >> $GITHUB_OUTPUT
+          fi
+
+          # Check npm vulnerabilities
+          if [[ "${{ github.event.inputs.check_type }}" == "all" || "${{ github.event.inputs.check_type }}" == "npm" ]]; then
+            echo "### NPM Security Audit" >> $GITHUB_STEP_SUMMARY
+            
+            cd src/Misc/expressionFunc/hashFiles
+            npm install --silent
+            
+            AUDIT_OUTPUT=""
+            AUDIT_EXIT_CODE=0
+            # Run npm audit and capture output and exit code
+            if ! AUDIT_OUTPUT=$(npm audit --json 2>&1); then
+              AUDIT_EXIT_CODE=$?
+            fi
+            
+            # Check if output is valid JSON
+            if echo "$AUDIT_OUTPUT" | jq . >/dev/null 2>&1; then
+              VULN_COUNT=$(echo "$AUDIT_OUTPUT" | jq '.metadata.vulnerabilities.total // 0')
+              # Ensure VULN_COUNT is a number
+              VULN_COUNT=$(echo "$VULN_COUNT" | grep -o '[0-9]*' | head -1)
+              VULN_COUNT=${VULN_COUNT:-0}
+              
+              NPM_STATUS="✅ no vulnerabilities"
+              if [ "$VULN_COUNT" -gt 0 ] 2>/dev/null; then
+                NPM_STATUS="⚠️ $VULN_COUNT vulnerabilities found"
+                
+                # Get vulnerability details
+                HIGH_VULNS=$(echo "$AUDIT_OUTPUT" | jq '.metadata.vulnerabilities.high // 0')
+                CRITICAL_VULNS=$(echo "$AUDIT_OUTPUT" | jq '.metadata.vulnerabilities.critical // 0')
+                
+                echo "| Severity | Count |" >> $GITHUB_STEP_SUMMARY
+                echo "|----------|-------|" >> $GITHUB_STEP_SUMMARY
+                echo "| Critical | $CRITICAL_VULNS |" >> $GITHUB_STEP_SUMMARY
+                echo "| High | $HIGH_VULNS |" >> $GITHUB_STEP_SUMMARY
+                echo "" >> $GITHUB_STEP_SUMMARY
+              else
+                echo "No npm vulnerabilities found ✅" >> $GITHUB_STEP_SUMMARY
+                echo "" >> $GITHUB_STEP_SUMMARY
+              fi
+            else
+              NPM_STATUS="❌ npm audit failed"
+              echo "npm audit failed to run or returned invalid JSON ❌" >> $GITHUB_STEP_SUMMARY
+              echo "Exit code: $AUDIT_EXIT_CODE" >> $GITHUB_STEP_SUMMARY
+              echo "Output: $AUDIT_OUTPUT" >> $GITHUB_STEP_SUMMARY
+              echo "" >> $GITHUB_STEP_SUMMARY
+            fi
+            
+            echo "npm-vulnerabilities=$NPM_STATUS" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Check for open dependency PRs
+        id: check-prs
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          echo "### Open Dependency PRs" >> $GITHUB_STEP_SUMMARY
+
+          # Get open PRs with dependency label
+          OPEN_PRS=$(gh pr list --label "dependencies" --state open --json number,title,url)
+          PR_COUNT=$(echo "$OPEN_PRS" | jq '. | length')
+
+          if [ "$PR_COUNT" -gt 0 ]; then
+            echo "Found $PR_COUNT open dependency PR(s):" >> $GITHUB_STEP_SUMMARY
+            echo "" >> $GITHUB_STEP_SUMMARY
+            echo "$OPEN_PRS" | jq -r '.[] | "- [#\(.number)](\(.url)) \(.title)"' >> $GITHUB_STEP_SUMMARY
+          else
+            echo "No open dependency PRs found ✅" >> $GITHUB_STEP_SUMMARY
+          fi
+
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "open-dependency-prs=$PR_COUNT" >> $GITHUB_OUTPUT
+
+      - name: Summary
+        run: |
+          echo "### Summary" >> $GITHUB_STEP_SUMMARY
+          echo "- Check for open PRs with the \`dependency\` label before releases" >> $GITHUB_STEP_SUMMARY
+          echo "- Review and merge dependency updates regularly" >> $GITHUB_STEP_SUMMARY
+          echo "- Critical vulnerabilities should be addressed immediately" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "**Automated workflows run weekly to check for updates:**" >> $GITHUB_STEP_SUMMARY
+          echo "- Node.js versions (Mondays at 6 AM)" >> $GITHUB_STEP_SUMMARY
+          echo "- NPM audit fix (Mondays at 7 AM)" >> $GITHUB_STEP_SUMMARY
+          echo "- .NET SDK updates (Mondays at midnight)" >> $GITHUB_STEP_SUMMARY
+          echo "- Docker/Buildx updates (Mondays at midnight)" >> $GITHUB_STEP_SUMMARY

.github/workflows/docker-buildx-upgrade.yml

@@ -2,8 +2,8 @@ name: "Docker/Buildx Version Upgrade"
 
 on:
   schedule:
-    - cron: '0 0 * * 1'  # Run every Monday at midnight
-  workflow_dispatch:      # Allow manual triggering
+    - cron: "0 0 * * 1" # Run every Monday at midnight
+  workflow_dispatch: # Allow manual triggering
 
 jobs:
   check-versions:
@@ -35,7 +35,7 @@ jobs:
             echo "Failed to retrieve a valid Docker version"
             exit 1
           fi
-          
+
           should_update=0
           [ "$current_version" != "$latest_version" ] && should_update=1
 
@@ -64,17 +64,17 @@ jobs:
         run: |
           docker_should_update="${{ steps.check_docker_version.outputs.SHOULD_UPDATE }}"
           buildx_should_update="${{ steps.check_buildx_version.outputs.SHOULD_UPDATE }}"
-          
+
           # Show annotation if only Docker needs update
           if [[ "$docker_should_update" == "1" && "$buildx_should_update" == "0" ]]; then
             echo "::warning ::Docker version (${{ steps.check_docker_version.outputs.LATEST_VERSION }}) needs update but Buildx is current. Only updating when both need updates."
           fi
-          
+
           # Show annotation if only Buildx needs update
           if [[ "$docker_should_update" == "0" && "$buildx_should_update" == "1" ]]; then
             echo "::warning ::Buildx version (${{ steps.check_buildx_version.outputs.LATEST_VERSION }}) needs update but Docker is current. Only updating when both need updates."
           fi
-          
+
           # Show annotation when both are current
           if [[ "$docker_should_update" == "0" && "$buildx_should_update" == "0" ]]; then
             echo "::warning ::Latest Docker version is ${{ steps.check_docker_version.outputs.LATEST_VERSION }} and Buildx version is ${{ steps.check_buildx_version.outputs.LATEST_VERSION }}. No updates needed."
@@ -90,25 +90,25 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v5
-      
+
       - name: Update Docker version
         shell: bash
         run: |
           latest_version="${{ needs.check-versions.outputs.DOCKER_LATEST_VERSION }}"
           current_version="${{ needs.check-versions.outputs.DOCKER_CURRENT_VERSION }}"
-          
+
           # Update version in Dockerfile
           sed -i "s/ARG DOCKER_VERSION=$current_version/ARG DOCKER_VERSION=$latest_version/g" ./images/Dockerfile
-      
+
       - name: Update Buildx version
         shell: bash
         run: |
           latest_version="${{ needs.check-versions.outputs.BUILDX_LATEST_VERSION }}"
           current_version="${{ needs.check-versions.outputs.BUILDX_CURRENT_VERSION }}"
-          
+
           # Update version in Dockerfile
           sed -i "s/ARG BUILDX_VERSION=$current_version/ARG BUILDX_VERSION=$latest_version/g" ./images/Dockerfile
-      
+
       - name: Commit changes and create Pull Request
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -117,7 +117,7 @@ jobs:
           branch_name="feature/docker-buildx-upgrade"
           commit_message="Upgrade Docker to v${{ needs.check-versions.outputs.DOCKER_LATEST_VERSION }} and Buildx to v${{ needs.check-versions.outputs.BUILDX_LATEST_VERSION }}"
           pr_title="Update Docker to v${{ needs.check-versions.outputs.DOCKER_LATEST_VERSION }} and Buildx to v${{ needs.check-versions.outputs.BUILDX_LATEST_VERSION }}"
-          
+
           # Configure git
           git config --global user.name "github-actions[bot]"
           git config --global user.email "<41898282+github-actions[bot]@users.noreply.github.com>"
@@ -129,16 +129,38 @@ jobs:
           else
             git checkout -b "$branch_name"
           fi
-          
+
           # Commit and push changes
           git commit -a -m "$commit_message"
           git push --force origin "$branch_name"
+
+          # Create PR body using here-doc for proper formatting
+          cat > pr_body.txt << 'EOF'
+          Automated Docker and Buildx version update:
           
+          - Docker: ${{ needs.check-versions.outputs.DOCKER_CURRENT_VERSION }} → ${{ needs.check-versions.outputs.DOCKER_LATEST_VERSION }}
+          - Buildx: ${{ needs.check-versions.outputs.BUILDX_CURRENT_VERSION }} → ${{ needs.check-versions.outputs.BUILDX_LATEST_VERSION }}
+          
+          This update ensures we're using the latest stable Docker and Buildx versions for security and performance improvements.
+          
+          **Release notes:** https://docs.docker.com/engine/release-notes/
+          
+          **Next steps:**
+          - Review the version changes
+          - Verify container builds work as expected
+          - Test multi-platform builds if applicable
+          - Merge when ready
+          
+          ---
+          
+          Autogenerated by [Docker/Buildx Version Upgrade Workflow](https://github.com/actions/runner/blob/main/.github/workflows/docker-buildx-upgrade.yml)
+          EOF
+
           # Create PR
-          pr_body="Upgrades Docker version from ${{ needs.check-versions.outputs.DOCKER_CURRENT_VERSION }} to ${{ needs.check-versions.outputs.DOCKER_LATEST_VERSION }} and Docker Buildx version from ${{ needs.check-versions.outputs.BUILDX_CURRENT_VERSION }} to ${{ needs.check-versions.outputs.BUILDX_LATEST_VERSION }}.\n\n"
-          pr_body+="Release notes: https://docs.docker.com/engine/release-notes/\n\n"
-          pr_body+="---\n\nAutogenerated by [Docker/Buildx Version Upgrade Workflow](https://github.com/actions/runner/blob/main/.github/workflows/docker-buildx-upgrade.yml)"
-          
           gh pr create -B main -H "$branch_name" \
             --title "$pr_title" \
-            --body "$pr_body"
+            --label "dependencies" \
+            --label "dependencies-weekly-check" \
+            --label "dependencies-not-dependabot" \
+            --label "docker" \
+            --body-file pr_body.txt

.github/workflows/dotnet-upgrade.yml

@@ -2,13 +2,13 @@ name: "DotNet SDK Upgrade"
 
 on:
   schedule:
-    - cron: '0 0 * * 1'
+    - cron: "0 8 * * 1" # Weekly on Monday at 8 AM UTC (independent of Node.js/NPM)
   workflow_dispatch:
 
 jobs:
   dotnet-update:
     runs-on: ubuntu-latest
-    outputs: 
+    outputs:
       SHOULD_UPDATE: ${{ steps.fetch_latest_version.outputs.SHOULD_UPDATE }}
       BRANCH_EXISTS: ${{ steps.fetch_latest_version.outputs.BRANCH_EXISTS }}
       DOTNET_LATEST_MAJOR_MINOR_PATCH_VERSION: ${{ steps.fetch_latest_version.outputs.DOTNET_LATEST_MAJOR_MINOR_PATCH_VERSION }}
@@ -37,7 +37,7 @@ jobs:
 
           # check if git branch already exists for the upgrade
           branch_already_exists=0
-          
+
           if git ls-remote --heads --exit-code origin refs/heads/feature/dotnetsdk-upgrade/${latest_patch_version};
           then 
             branch_already_exists=1
@@ -89,17 +89,17 @@ jobs:
     if: ${{ needs.dotnet-update.outputs.SHOULD_UPDATE == 1 && needs.dotnet-update.outputs.BRANCH_EXISTS == 0 }}
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v5
-      with:
-        ref: feature/dotnetsdk-upgrade/${{ needs.dotnet-update.outputs.DOTNET_LATEST_MAJOR_MINOR_PATCH_VERSION }}
-    - name: Create Pull Request
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      run: |
-        gh pr create -B main -H feature/dotnetsdk-upgrade/${{ needs.dotnet-update.outputs.DOTNET_LATEST_MAJOR_MINOR_PATCH_VERSION }} --title "Update dotnet sdk to latest version @${{ needs.dotnet-update.outputs.DOTNET_LATEST_MAJOR_MINOR_PATCH_VERSION }}" --body "
-          https://dotnetcli.blob.core.windows.net/dotnet/Sdk/${{ needs.dotnet-update.outputs.DOTNET_CURRENT_MAJOR_MINOR_VERSION }}/latest.version
-          
+      - uses: actions/checkout@v5
+        with:
+          ref: feature/dotnetsdk-upgrade/${{ needs.dotnet-update.outputs.DOTNET_LATEST_MAJOR_MINOR_PATCH_VERSION }}
+      - name: Create Pull Request
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          gh pr create -B main -H feature/dotnetsdk-upgrade/${{ needs.dotnet-update.outputs.DOTNET_LATEST_MAJOR_MINOR_PATCH_VERSION }} --title "Update dotnet sdk to latest version @${{ needs.dotnet-update.outputs.DOTNET_LATEST_MAJOR_MINOR_PATCH_VERSION }}" --label "dependencies" --label "dependencies-weekly-check" --label "dependencies-not-dependabot" --label "dotnet" --body "
+            https://dotnetcli.blob.core.windows.net/dotnet/Sdk/${{ needs.dotnet-update.outputs.DOTNET_CURRENT_MAJOR_MINOR_VERSION }}/latest.version
             
-          ---
-            
-          Autogenerated by [DotNet SDK Upgrade Workflow](https://github.com/actions/runner/blob/main/.github/workflows/dotnet-upgrade.yml)"
+              
+            ---
+              
+            Autogenerated by [DotNet SDK Upgrade Workflow](https://github.com/actions/runner/blob/main/.github/workflows/dotnet-upgrade.yml)"

.github/workflows/node-upgrade.yml

@@ -0,0 +1,130 @@
+name: Auto Update Node Version
+
+on:
+  schedule:
+    - cron: "0 6 * * 1" # Weekly, every Monday
+  workflow_dispatch:
+
+jobs:
+  update-node:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+      - name: Get latest Node versions
+        id: node-versions
+        run: |
+          # Get latest Node.js releases from official GitHub releases
+          echo "Fetching latest Node.js releases..."
+
+          # Get latest v20.x release
+          LATEST_NODE20=$(curl -s https://api.github.com/repos/nodejs/node/releases | \
+            jq -r '.[] | select(.tag_name | startswith("v20.")) | .tag_name' | \
+            head -1 | sed 's/^v//')
+
+          # Get latest v24.x release  
+          LATEST_NODE24=$(curl -s https://api.github.com/repos/nodejs/node/releases | \
+            jq -r '.[] | select(.tag_name | startswith("v24.")) | .tag_name' | \
+            head -1 | sed 's/^v//')
+
+          echo "Found Node.js releases: 20=$LATEST_NODE20, 24=$LATEST_NODE24"
+
+          # Verify these versions are available in alpine_nodejs releases
+          echo "Verifying availability in alpine_nodejs..."
+          ALPINE_RELEASES=$(curl -s https://api.github.com/repos/actions/alpine_nodejs/releases | jq -r '.[].tag_name')
+
+          if ! echo "$ALPINE_RELEASES" | grep -q "^node20-$LATEST_NODE20$"; then
+            echo "::warning title=Node 20 Fallback::Node 20 version $LATEST_NODE20 not found in alpine_nodejs releases, using fallback"
+            # Fall back to latest available alpine_nodejs v20 release
+            LATEST_NODE20=$(echo "$ALPINE_RELEASES" | grep "^node20-" | head -1 | sed 's/^node20-//')
+            echo "Using latest available alpine_nodejs Node 20: $LATEST_NODE20"
+          fi
+
+          if ! echo "$ALPINE_RELEASES" | grep -q "^node24-$LATEST_NODE24$"; then
+            echo "::warning title=Node 24 Fallback::Node 24 version $LATEST_NODE24 not found in alpine_nodejs releases, using fallback"
+            # Fall back to latest available alpine_nodejs v24 release
+            LATEST_NODE24=$(echo "$ALPINE_RELEASES" | grep "^node24-" | head -1 | sed 's/^node24-//')
+            echo "Using latest available alpine_nodejs Node 24: $LATEST_NODE24"
+          fi
+
+          echo "latest_node20=$LATEST_NODE20" >> $GITHUB_OUTPUT
+          echo "latest_node24=$LATEST_NODE24" >> $GITHUB_OUTPUT
+
+          # Check current versions in externals.sh
+          CURRENT_NODE20=$(grep "NODE20_VERSION=" src/Misc/externals.sh | cut -d'"' -f2)
+          CURRENT_NODE24=$(grep "NODE24_VERSION=" src/Misc/externals.sh | cut -d'"' -f2)
+
+          echo "current_node20=$CURRENT_NODE20" >> $GITHUB_OUTPUT
+          echo "current_node24=$CURRENT_NODE24" >> $GITHUB_OUTPUT
+
+          # Determine if updates are needed
+          NEEDS_UPDATE20="false"
+          NEEDS_UPDATE24="false"
+
+          if [ "$CURRENT_NODE20" != "$LATEST_NODE20" ]; then
+            NEEDS_UPDATE20="true"
+            echo "::notice title=Node 20 Update Available::Current: $CURRENT_NODE20 → Latest: $LATEST_NODE20"
+          fi
+
+          if [ "$CURRENT_NODE24" != "$LATEST_NODE24" ]; then
+            NEEDS_UPDATE24="true"
+            echo "::notice title=Node 24 Update Available::Current: $CURRENT_NODE24 → Latest: $LATEST_NODE24"
+          fi
+
+          if [ "$NEEDS_UPDATE20" == "false" ] && [ "$NEEDS_UPDATE24" == "false" ]; then
+            echo "::notice title=No Updates Needed::All Node.js versions are up to date"
+          fi
+
+          echo "needs_update20=$NEEDS_UPDATE20" >> $GITHUB_OUTPUT
+          echo "needs_update24=$NEEDS_UPDATE24" >> $GITHUB_OUTPUT
+
+      - name: Update externals.sh and create PR
+        if: steps.node-versions.outputs.needs_update20 == 'true' || steps.node-versions.outputs.needs_update24 == 'true'
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          # Update the files
+          if [ "${{ steps.node-versions.outputs.needs_update20 }}" == "true" ]; then
+            sed -i 's/NODE20_VERSION="[^"]*"/NODE20_VERSION="${{ steps.node-versions.outputs.latest_node20 }}"/' src/Misc/externals.sh
+          fi
+
+          if [ "${{ steps.node-versions.outputs.needs_update24 }}" == "true" ]; then
+            sed -i 's/NODE24_VERSION="[^"]*"/NODE24_VERSION="${{ steps.node-versions.outputs.latest_node24 }}"/' src/Misc/externals.sh
+          fi
+
+          # Configure git
+          git config --global user.name "github-actions[bot]"
+          git config --global user.email "<41898282+github-actions[bot]@users.noreply.github.com>"
+
+          # Create branch and commit changes
+          branch_name="chore/update-node"
+          git checkout -b "$branch_name"
+          git commit -a -m "chore: update Node versions (20: ${{ steps.node-versions.outputs.latest_node20 }}, 24: ${{ steps.node-versions.outputs.latest_node24 }})"
+          git push --force origin "$branch_name"
+
+          # Create PR body using here-doc for proper formatting
+          cat > pr_body.txt << 'EOF'
+          Automated Node.js version update:
+
+          - Node 20: ${{ steps.node-versions.outputs.current_node20 }} → ${{ steps.node-versions.outputs.latest_node20 }}
+          - Node 24: ${{ steps.node-versions.outputs.current_node24 }} → ${{ steps.node-versions.outputs.latest_node24 }}
+
+          This update ensures we're using the latest stable Node.js versions for security and performance improvements.
+
+          **Note**: When updating Node versions, remember to also create a new release of alpine_nodejs at the updated version following the instructions at: https://github.com/actions/alpine_nodejs
+
+          ---
+
+          Autogenerated by [Node Version Upgrade Workflow](https://github.com/actions/runner/blob/main/.github/workflows/node-upgrade.yml)
+          EOF
+
+          # Create PR
+          gh pr create -B main -H "$branch_name" \
+            --title "chore: update Node versions" \
+            --label "dependencies" \
+            --label "dependencies-weekly-check" \
+            --label "dependencies-not-dependabot" \
+            --label "node" \
+            --label "javascript" \
+            --body-file pr_body.txt
+
+          echo "::notice title=PR Created::Successfully created Node.js version update PR on branch $branch_name"

.github/workflows/npm-audit-typescript.yml

@@ -0,0 +1,235 @@
+name: NPM Audit Fix with TypeScript Auto-Fix
+
+on:
+  workflow_dispatch:
+
+jobs:
+  npm-audit-with-ts-fix:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: "20"
+      - name: NPM install and audit fix with TypeScript auto-repair
+        working-directory: src/Misc/expressionFunc/hashFiles
+        run: |
+          npm install
+
+          # Check for vulnerabilities first
+          echo "Checking for npm vulnerabilities..."
+          if npm audit --audit-level=moderate; then
+            echo "✅ No moderate or higher vulnerabilities found"
+            exit 0
+          fi
+
+          echo "⚠️ Vulnerabilities found, attempting npm audit fix..."
+
+          # Attempt audit fix and capture the result
+          if npm audit fix; then
+            echo "✅ npm audit fix completed successfully"
+            AUDIT_FIX_STATUS="success"
+          else
+            echo "⚠️ npm audit fix failed or had issues"
+            AUDIT_FIX_STATUS="failed"
+            
+            # Try audit fix with --force as a last resort for critical/high vulns only
+            echo "Checking if critical/high vulnerabilities remain..."
+            if ! npm audit --audit-level=high; then
+              echo "🚨 Critical/high vulnerabilities remain, attempting --force fix..."
+              if npm audit fix --force; then
+                echo "⚠️ npm audit fix --force completed (may have breaking changes)"
+                AUDIT_FIX_STATUS="force-fixed"
+              else
+                echo "❌ npm audit fix --force also failed"
+                AUDIT_FIX_STATUS="force-failed"
+              fi
+            else
+              echo "✅ Only moderate/low vulnerabilities remain after failed fix"
+              AUDIT_FIX_STATUS="partial-success"
+            fi
+          fi
+
+          echo "AUDIT_FIX_STATUS=$AUDIT_FIX_STATUS" >> $GITHUB_ENV
+
+          # Try to fix TypeScript issues automatically
+          echo "Attempting to fix TypeScript compatibility issues..."
+
+          # Check if build fails
+          if ! npm run build 2>/dev/null; then
+            echo "Build failed, attempting automated fixes..."
+            
+            # Common fix 1: Update @types/node to latest compatible version
+            echo "Trying to update @types/node to latest version..."
+            npm update @types/node
+            
+            # Common fix 2: If that doesn't work, try installing a specific known-good version
+            if ! npm run build 2>/dev/null; then
+              echo "Trying specific @types/node version..."
+              # Try Node 20 compatible version
+              npm install --save-dev @types/node@^20.0.0
+            fi
+            
+            # Common fix 3: Clear node_modules and reinstall if still failing
+            if ! npm run build 2>/dev/null; then
+              echo "Clearing node_modules and reinstalling..."
+              rm -rf node_modules package-lock.json
+              npm install
+              
+              # Re-run audit fix after clean install if it was successful before
+              if [[ "$AUDIT_FIX_STATUS" == "success" || "$AUDIT_FIX_STATUS" == "force-fixed" ]]; then
+                echo "Re-running npm audit fix after clean install..."
+                npm audit fix || echo "Audit fix failed on second attempt"
+              fi
+            fi
+            
+            # Common fix 4: Try updating TypeScript itself
+            if ! npm run build 2>/dev/null; then
+              echo "Trying to update TypeScript..."
+              npm update typescript
+            fi
+            
+            # Final check
+            if npm run build 2>/dev/null; then
+              echo "✅ Successfully fixed TypeScript issues automatically"
+            else
+              echo "⚠️ Could not automatically fix TypeScript issues"
+            fi
+          else
+            echo "✅ Build passes after audit fix"
+          fi
+
+      - name: Create PR if changes exist
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          HUSKY: 0 # Disable husky hooks for automated commits
+        run: |
+          # Check if there are any changes
+          if [ -n "$(git status --porcelain)" ]; then
+            # Configure git
+            git config --global user.name "github-actions[bot]"
+            git config --global user.email "<41898282+github-actions[bot]@users.noreply.github.com>"
+
+            # Create branch and commit changes
+            branch_name="chore/npm-audit-fix-with-ts-repair"
+            git checkout -b "$branch_name"
+            
+            # Commit with --no-verify to skip husky hooks
+            git commit -a -m "chore: npm audit fix with automated TypeScript compatibility fixes" --no-verify
+            git push --force origin "$branch_name"
+            
+            # Check final build status and gather info about what was changed
+            build_status="✅ Build passes"
+            fixes_applied=""
+            cd src/Misc/expressionFunc/hashFiles
+            
+            # Check what packages were updated
+            if git diff HEAD~1 package.json | grep -q "@types/node"; then
+              fixes_applied+="\n- Updated @types/node version for TypeScript compatibility"
+            fi
+            if git diff HEAD~1 package.json | grep -q "typescript"; then
+              fixes_applied+="\n- Updated TypeScript version"
+            fi
+            if git diff HEAD~1 package-lock.json | grep -q "resolved"; then
+              fixes_applied+="\n- Updated package dependencies via npm audit fix"
+            fi
+            
+            if ! npm run build 2>/dev/null; then
+              build_status="⚠️ Build fails - manual review required"
+            fi
+            cd - > /dev/null
+            
+            # Create enhanced PR body using here-doc for proper formatting
+            audit_status_msg=""
+            case "$AUDIT_FIX_STATUS" in
+              "success")
+                audit_status_msg="✅ **Audit Fix**: Completed successfully"
+                ;;
+              "partial-success")
+                audit_status_msg="⚠️ **Audit Fix**: Partial success (only moderate/low vulnerabilities remain)"
+                ;;
+              "force-fixed")
+                audit_status_msg="⚠️ **Audit Fix**: Completed with --force (may have breaking changes)"
+                ;;
+              "failed"|"force-failed")
+                audit_status_msg="❌ **Audit Fix**: Failed to resolve vulnerabilities"
+                ;;
+              *)
+                audit_status_msg="❓ **Audit Fix**: Status unknown"
+                ;;
+            esac
+            
+            if [[ "$build_status" == *"fails"* ]]; then
+              cat > pr_body.txt << EOF
+          Automated npm audit fix with TypeScript auto-repair for hashFiles dependencies.
+
+          **Build Status**: ⚠️ Build fails - manual review required
+          $audit_status_msg
+
+          This workflow attempts to automatically fix TypeScript compatibility issues that may arise from npm audit fixes.
+
+          ⚠️ **Manual Review Required**: The build is currently failing after automated fixes were attempted.
+
+          Common issues and solutions:
+          - Check for TypeScript version compatibility with Node.js types
+          - Review breaking changes in updated dependencies
+          - Consider pinning problematic dependency versions temporarily
+          - Review tsconfig.json for compatibility settings
+
+          **Automated Fix Strategy**:
+          1. Run npm audit fix with proper error handling
+          2. Update @types/node to latest compatible version
+          3. Try Node 20 specific @types/node version if needed
+          4. Clean reinstall dependencies if conflicts persist
+          5. Update TypeScript compiler if necessary
+
+          ---
+
+          Autogenerated by [NPM Audit Fix with TypeScript Auto-Fix Workflow](https://github.com/actions/runner/blob/main/.github/workflows/npm-audit-ts-fix.yml)
+          EOF
+            else
+              cat > pr_body.txt << EOF
+          Automated npm audit fix with TypeScript auto-repair for hashFiles dependencies.
+
+          **Build Status**: ✅ Build passes
+          $audit_status_msg
+
+          This workflow attempts to automatically fix TypeScript compatibility issues that may arise from npm audit fixes.
+
+          ✅ **Ready to Merge**: All automated fixes were successful and the build passes.
+
+          **Automated Fix Strategy**:
+          1. Run npm audit fix with proper error handling
+          2. Update @types/node to latest compatible version
+          3. Try Node 20 specific @types/node version if needed
+          4. Clean reinstall dependencies if conflicts persist
+          5. Update TypeScript compiler if necessary
+
+          ---
+
+          Autogenerated by [NPM Audit Fix with TypeScript Auto-Fix Workflow](https://github.com/actions/runner/blob/main/.github/workflows/npm-audit-ts-fix.yml)
+          EOF
+            fi
+            
+            if [ -n "$fixes_applied" ]; then
+              # Add the fixes applied section to the file
+              sed -i "/This workflow attempts/a\\
+          \\
+          **Automated Fixes Applied**:$fixes_applied" pr_body.txt
+            fi
+            
+            # Create PR with appropriate labels
+            labels="dependencies,dependencies-not-dependabot,typescript,npm,security"
+            if [[ "$build_status" == *"fails"* ]]; then
+              labels="dependencies,dependencies-not-dependabot,typescript,npm,security,needs-manual-review"
+            fi
+            
+            # Create PR
+            gh pr create -B main -H "$branch_name" \
+              --title "chore: npm audit fix with TypeScript auto-repair" \
+              --label "$labels" \
+              --body-file pr_body.txt
+          else
+            echo "No changes to commit"
+          fi

.github/workflows/npm-audit.yml

@@ -0,0 +1,137 @@
+name: NPM Audit Fix
+
+on:
+  schedule:
+    - cron: "0 7 * * 1" # Weekly on Monday at 7 AM UTC
+  workflow_dispatch:
+
+jobs:
+  npm-audit:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+      
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: "20"
+          
+      - name: NPM install and audit fix
+        working-directory: src/Misc/expressionFunc/hashFiles
+        run: |
+          npm install
+          
+          # Check what vulnerabilities exist
+          echo "=== Checking current vulnerabilities ==="
+          npm audit || true
+          
+          # Apply audit fix --force to get security updates
+          echo "=== Applying npm audit fix --force ==="
+          npm audit fix --force
+          
+          # Test if build still works and set status
+          echo "=== Testing build compatibility ==="
+          if npm run all; then
+            echo "✅ Build successful after audit fix"
+            echo "AUDIT_FIX_STATUS=success" >> $GITHUB_ENV
+          else
+            echo "❌ Build failed after audit fix - will create PR with fix instructions"
+            echo "AUDIT_FIX_STATUS=build_failed" >> $GITHUB_ENV
+          fi
+          
+      - name: Create PR if changes exist
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          # Check if there are any changes
+          if [ -n "$(git status --porcelain)" ]; then
+            # Configure git
+            git config --global user.name "github-actions[bot]"
+            git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
+            
+            # Create branch and commit changes
+            branch_name="chore/npm-audit-fix-$(date +%Y%m%d)"
+            git checkout -b "$branch_name"
+            git add .
+            git commit -m "chore: npm audit fix for hashFiles dependencies" --no-verify
+            git push origin "$branch_name"
+            
+            # Create PR body based on what actually happened
+            if [ "$AUDIT_FIX_STATUS" = "success" ]; then
+              cat > pr_body.txt << 'EOF'
+          Automated npm audit fix for security vulnerabilities in hashFiles dependencies.
+          
+          **✅ Full Fix Applied Successfully**
+          This update addresses npm security advisories and ensures dependencies are secure and up-to-date.
+          
+          **Changes made:**
+          - Applied `npm audit fix --force` to resolve security vulnerabilities
+          - Updated package-lock.json with security patches
+          - Verified build compatibility with `npm run all`
+          
+          **Next steps:**
+          - Review the dependency changes  
+          - Verify the hashFiles functionality still works as expected
+          - Merge when ready
+          
+          ---
+          
+          Autogenerated by [NPM Audit Fix Workflow](https://github.com/actions/runner/blob/main/.github/workflows/npm-audit.yml)
+          EOF
+            elif [ "$AUDIT_FIX_STATUS" = "build_failed" ]; then
+              cat > pr_body.txt << 'EOF'
+          Automated npm audit fix for security vulnerabilities in hashFiles dependencies.
+          
+          **⚠️ Security Fixes Applied - Build Issues Need Manual Resolution**
+          This update applies important security patches but causes build failures that require manual fixes.
+          
+          **Changes made:**
+          - Applied `npm audit fix --force` to resolve security vulnerabilities
+          - Updated package-lock.json with security patches
+          
+          **⚠️ Build Issues Detected:**
+          The build fails after applying security fixes, likely due to TypeScript compatibility issues with updated `@types/node`.
+          
+          **Required Manual Fixes:**
+          1. Review TypeScript compilation errors in the build output
+          2. Update TypeScript configuration if needed
+          3. Consider pinning `@types/node` to a compatible version
+          4. Run `npm run all` locally to verify fixes
+          
+          **Next steps:**
+          - **DO NOT merge until build issues are resolved**
+          - Apply manual fixes for TypeScript compatibility
+          - Test the hashFiles functionality still works as expected
+          - Merge when build passes
+          
+          ---
+          
+          Autogenerated by [NPM Audit Fix Workflow](https://github.com/actions/runner/blob/main/.github/workflows/npm-audit.yml)
+          EOF
+            else
+              # Fallback case
+              cat > pr_body.txt << 'EOF'
+          Automated npm audit attempted for security vulnerabilities in hashFiles dependencies.
+          
+          **ℹ️ No Changes Applied**
+          No security vulnerabilities were found or no changes were needed.
+          
+          ---
+          
+          Autogenerated by [NPM Audit Fix Workflow](https://github.com/actions/runner/blob/main/.github/workflows/npm-audit.yml)
+          EOF
+            fi
+            
+            # Create PR
+            gh pr create -B main -H "$branch_name" \
+              --title "chore: npm audit fix for hashFiles dependencies" \
+              --label "dependencies" \
+              --label "dependencies-weekly-check" \
+              --label "dependencies-not-dependabot" \
+              --label "npm" \
+              --label "typescript" \
+              --label "security" \
+              --body-file pr_body.txt
+          else
+            echo "✅ No changes to commit - npm audit fix did not modify any files"
+          fi

.github/workflows/release.yml

@@ -16,7 +16,7 @@ jobs:
     # Make sure ./releaseVersion match ./src/runnerversion
     # Query GitHub release ensure version is not used
     - name: Check version
-      uses: actions/github-script@v7.0.1
+      uses: actions/github-script@v8.0.0
       with:
         github-token: ${{secrets.GITHUB_TOKEN}}
         script: |
@@ -171,7 +171,7 @@ jobs:
     # Create ReleaseNote file
     - name: Create ReleaseNote
       id: releaseNote
-      uses: actions/github-script@v7.0.1
+      uses: actions/github-script@v8.0.0
       with:
         github-token: ${{secrets.GITHUB_TOKEN}}
         script: |
@@ -300,7 +300,7 @@ jobs:
 
       - name: Compute image version
         id: image
-        uses: actions/github-script@v7.0.1
+        uses: actions/github-script@v8.0.0
         with:
           script: |
             const fs = require('fs');

.github/workflows/stale-bot.yml

@@ -7,7 +7,7 @@ jobs:
   stale:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/stale@v9
+      - uses: actions/stale@v10
         with:
           stale-issue-message: "This issue is stale because it has been open 365 days with no activity. Remove stale label or comment or this will be closed in 15 days."
           close-issue-message: "This issue was closed because it has been stalled for 15 days with no activity."

.husky/pre-commit

@@ -1,6 +1 @@
-#!/usr/bin/env sh
-. "$(dirname -- "$0")/_/husky.sh"
-
-cd src/Misc/expressionFunc/hashFiles
-
-npx lint-staged
+cd src/Misc/expressionFunc/hashFiles && npx lint-staged

docs/dependency-management.md

@@ -0,0 +1,217 @@
+# Runner Dependency Management Process
+
+## Overview
+
+This document outlines the automated dependency management process for the GitHub Actions Runner, designed to ensure we maintain up-to-date and secure dependencies while providing predictable release cycles.
+
+## Release Schedule
+
+- **Monthly Runner Releases**: New runner versions are released monthly
+- **Weekly Dependency Checks**: Automated workflows check for dependency updates every Monday
+- **Security Patches**: Critical security vulnerabilities are addressed immediately outside the regular schedule
+
+## Automated Workflows
+
+**Note**: These workflows are implemented across separate PRs for easier review and independent deployment. Each workflow includes comprehensive error handling and security-focused vulnerability detection.
+
+### 1. Foundation Labels
+
+- **Workflow**: `.github/workflows/setup-labels.yml` (PR #4024)
+- **Purpose**: Creates consistent dependency labels for all automation workflows
+- **Labels**: `dependencies`, `security`, `typescript`, `needs-manual-review`
+- **Prerequisite**: Must be merged before other workflows for proper labeling
+
+### 2. Node.js Version Updates
+
+- **Workflow**: `.github/workflows/node-upgrade.yml`
+- **Schedule**: Mondays at 6:00 AM UTC
+- **Purpose**: Updates Node.js 20 and 24 versions in `src/Misc/externals.sh`
+- **Source**: [nodejs.org](https://nodejs.org) and [actions/alpine_nodejs](https://github.com/actions/alpine_nodejs)
+- **Priority**: First (NPM depends on current Node.js versions)
+
+### 3. NPM Security Audit
+
+- **Primary Workflow**: `.github/workflows/npm-audit.yml` ("NPM Audit Fix")
+  - **Schedule**: Mondays at 7:00 AM UTC
+  - **Purpose**: Automated security vulnerability detection and basic fixes
+  - **Location**: `src/Misc/expressionFunc/hashFiles/`
+  - **Features**: npm audit, security patch application, PR creation
+  - **Dependency**: Runs after Node.js updates for optimal compatibility
+
+- **Fallback Workflow**: `.github/workflows/npm-audit-typescript.yml` ("NPM Audit Fix with TypeScript Auto-Fix")
+  - **Trigger**: Manual dispatch only
+  - **Purpose**: Manual security audit with TypeScript compatibility fixes
+  - **Use Case**: When scheduled workflow fails or needs custom intervention
+  - **Features**: Enhanced TypeScript auto-repair, graduated security response
+  - **How to Use**:
+    1. If the scheduled "NPM Audit Fix" workflow fails, go to Actions tab
+    2. Select "NPM Audit Fix with TypeScript Auto-Fix" workflow
+    3. Click "Run workflow" and optionally specify fix level (auto/manual)
+    4. Review the generated PR for TypeScript compatibility issues
+
+### 4. .NET SDK Updates
+
+- **Workflow**: `.github/workflows/dotnet-upgrade.yml`
+- **Schedule**: Mondays at midnight UTC
+- **Purpose**: Updates .NET SDK and package versions with build validation
+- **Features**: Global.json updates, NuGet package management, compatibility checking
+- **Independence**: Runs independently of Node.js/NPM updates
+
+### 5. Docker/Buildx Updates
+
+- **Workflow**: `.github/workflows/docker-buildx-upgrade.yml` ("Docker/Buildx Version Upgrade")
+- **Schedule**: Mondays at midnight UTC
+- **Purpose**: Updates Docker and Docker Buildx versions with multi-platform validation
+- **Features**: Container security scanning, multi-architecture build testing
+- **Independence**: Runs independently of other dependency updates
+
+### 6. Dependency Monitoring
+
+- **Workflow**: `.github/workflows/dependency-check.yml` ("Dependency Status Check")
+- **Schedule**: Mondays at 11:00 AM UTC
+- **Purpose**: Comprehensive status report of all dependencies with security audit
+- **Features**: Multi-dependency checking, npm audit status, build validation, choice of specific component checks
+- **Summary**: Runs last to capture results from all morning dependency updates
+
+## Release Process Integration
+
+### Pre-Release Checklist
+
+Before each monthly runner release:
+
+1. **Check Dependency PRs**:
+
+   ```bash
+   # List all open dependency PRs
+   gh pr list --label "dependencies" --state open
+   
+   # List only automated weekly dependency updates
+   gh pr list --label "dependencies-weekly-check" --state open
+   
+   # List only custom dependency automation (not dependabot)
+   gh pr list --label "dependencies-not-dependabot" --state open
+   ```
+
+2. **Run Manual Dependency Check**:
+   - Go to Actions tab → "Dependency Status Check" → "Run workflow"
+   - Review the summary for any outdated dependencies
+
+3. **Review and Merge Updates**:
+   - Prioritize security-related updates
+   - Test dependency updates in development environment
+   - Merge approved dependency PRs
+
+### Vulnerability Response
+
+#### Critical Security Vulnerabilities
+
+- **Response Time**: Within 24 hours
+- **Process**:
+  1. Assess impact on runner security
+  2. Create hotfix branch if runner data security is affected
+  3. Expedite patch release if necessary
+  4. Document in security advisory if applicable
+
+#### Non-Critical Vulnerabilities
+
+- **Response Time**: Next monthly release
+- **Process**:
+  1. Evaluate if vulnerability affects runner functionality
+  2. Include fix in regular dependency update cycle
+  3. Document in release notes
+
+## Monitoring and Alerts
+
+### GitHub Actions Workflow Status
+
+- All dependency workflows create PRs with the `dependencies` label
+- Failed workflows should be investigated immediately
+- Weekly dependency status reports are generated automatically
+
+### Manual Checks
+
+You can manually trigger dependency checks:
+
+- **Full Status**: Run "Dependency Status Check" workflow
+- **Specific Component**: Use the dropdown to check individual dependencies
+
+## Dependency Labels
+
+All automated dependency PRs are tagged with labels for easy filtering and management:
+
+### Primary Labels
+
+- **`dependencies`**: All automated dependency-related PRs
+- **`dependencies-weekly-check`**: Automated weekly dependency updates from scheduled workflows
+- **`dependencies-not-dependabot`**: Custom dependency automation (not created by dependabot)
+- **`security`**: Security vulnerability fixes and patches  
+- **`typescript`**: TypeScript compatibility and type definition updates
+- **`needs-manual-review`**: Complex updates requiring human verification
+
+### Technology-Specific Labels
+
+- **`node`**: Node.js version updates
+- **`javascript`**: JavaScript runtime and tooling updates
+- **`npm`**: NPM package and security updates
+- **`dotnet`**: .NET SDK and NuGet package updates
+- **`docker`**: Docker and container tooling updates
+
+### Workflow-Specific Branches
+
+- **Node.js updates**: `chore/update-node` branch
+- **NPM security fixes**: `chore/npm-audit-fix-YYYYMMDD` and `chore/npm-audit-fix-with-ts-repair` branches
+- **NuGet/.NET updates**: `feature/dotnetsdk-upgrade/{version}` branches
+- **Docker updates**: `feature/docker-buildx-upgrade` branch
+
+## Special Considerations
+
+### Node.js Updates
+
+When updating Node.js versions, remember to:
+
+1. Create a corresponding release in [actions/alpine_nodejs](https://github.com/actions/alpine_nodejs)
+2. Follow the alpine_nodejs getting started guide
+3. Test container builds with new Node versions
+
+### .NET SDK Updates
+
+- Only patch versions are auto-updated within the same major.minor version
+- Major/minor version updates require manual review and testing
+
+### Docker Updates
+
+- Updates include both Docker Engine and Docker Buildx
+- Verify compatibility with runner container workflows
+
+## Troubleshooting
+
+### Common Issues
+
+1. **NPM Audit Workflow Fails**:
+   - Check if `package.json` exists in `src/Misc/expressionFunc/hashFiles/`
+   - Verify Node.js setup step succeeded
+
+2. **Version Detection Fails**:
+   - Check if upstream APIs are available
+   - Verify parsing logic for version extraction
+
+3. **PR Creation Fails**:
+   - Ensure `GITHUB_TOKEN` has sufficient permissions
+   - Check if branch already exists
+
+### Contact
+
+For questions about the dependency management process:
+
+- Create an issue with the `dependencies` label
+- Review existing dependency management workflows
+- Consult the runner team for security-related concerns
+
+## Metrics and KPIs
+
+Track these metrics to measure dependency management effectiveness:
+
+- Number of open dependency PRs at release time
+- Time to merge dependency updates
+- Number of security vulnerabilities by severity
+- Release cycle adherence (monthly target)

docs/start/envlinux.md

@@ -20,7 +20,6 @@ Execute ./bin/installdependencies.sh to install any missing Dotnet Core 6.0 depe
 You can easily correct the problem by executing `./bin/installdependencies.sh`.  
 The `installdependencies.sh` script should install all required dependencies on all supported Linux versions  
 > Note: The `installdependencies.sh` script will try to use the default package management mechanism on your Linux flavor (ex. `yum`/`apt-get`/`apt`).
-> For Fedora-based systems, the script automatically handles lttng-ust version compatibility by creating symlinks when needed (e.g., Fedora 41 ships with liblttng-ust.so.1 but the runner needs liblttng-ust.so.0).
 
 ### Full dependencies list
 
@@ -34,7 +33,7 @@ Debian based OS (Debian, Ubuntu, Linux Mint)
 
 Fedora based OS (Fedora, Red Hat Enterprise Linux, CentOS, Oracle Linux 7)
 
-- lttng-ust (the installdependencies.sh script will automatically handle version compatibility for newer Fedora versions)
+- lttng-ust
 - openssl-libs
 - krb5-libs
 - zlib

images/Dockerfile

@@ -5,8 +5,8 @@ ARG TARGETOS
 ARG TARGETARCH
 ARG RUNNER_VERSION
 ARG RUNNER_CONTAINER_HOOKS_VERSION=0.7.0
-ARG DOCKER_VERSION=28.3.3
-ARG BUILDX_VERSION=0.27.0
+ARG DOCKER_VERSION=28.4.0
+ARG BUILDX_VERSION=0.28.0
 
 RUN apt update -y && apt install curl unzip -y
 

src/Misc/expressionFunc/hashFiles/package-lock.json

@@ -22,7 +22,7 @@
         "husky": "^9.1.7",
         "lint-staged": "^15.5.0",
         "prettier": "^3.0.3",
-        "typescript": "^5.2.2"
+        "typescript": "^5.9.2"
       }
     },
     "node_modules/@aashutoshrathi/word-wrap": {
@@ -4481,9 +4481,9 @@
       }
     },
     "node_modules/typescript": {
-      "version": "5.2.2",
-      "resolved": "https://registry.npmjs.org/typescript/-/typescript-5.2.2.tgz",
-      "integrity": "sha512-mI4WrpHsbCIcwT9cF4FZvr80QUeKvsUsUvKDoR+X/7XHQH98xYD8YHZg7ANtz2GtZt/CBq2QJ0thkGJMHfqc1w==",
+      "version": "5.9.2",
+      "resolved": "https://registry.npmjs.org/typescript/-/typescript-5.9.2.tgz",
+      "integrity": "sha512-CWBzXQrc/qOkhidw1OzBTQuYRbfyxDXJMVJ1XNwUHGROVmuaeiEm3OslpZ1RV96d7SKKjZKrSJu3+t/xlw3R9A==",
       "dev": true,
       "bin": {
         "tsc": "bin/tsc",
@@ -7715,9 +7715,9 @@
       }
     },
     "typescript": {
-      "version": "5.2.2",
-      "resolved": "https://registry.npmjs.org/typescript/-/typescript-5.2.2.tgz",
-      "integrity": "sha512-mI4WrpHsbCIcwT9cF4FZvr80QUeKvsUsUvKDoR+X/7XHQH98xYD8YHZg7ANtz2GtZt/CBq2QJ0thkGJMHfqc1w==",
+      "version": "5.9.2",
+      "resolved": "https://registry.npmjs.org/typescript/-/typescript-5.9.2.tgz",
+      "integrity": "sha512-CWBzXQrc/qOkhidw1OzBTQuYRbfyxDXJMVJ1XNwUHGROVmuaeiEm3OslpZ1RV96d7SKKjZKrSJu3+t/xlw3R9A==",
       "dev": true
     },
     "unbox-primitive": {

src/Misc/expressionFunc/hashFiles/package.json

@@ -10,7 +10,7 @@
     "lint": "eslint src/**/*.ts",
     "pack": "ncc build -o ../../layoutbin/hashFiles",
     "all": "npm run format && npm run lint && npm run build && npm run pack",
-    "prepare": "cd ../../../../ && husky install"
+    "prepare": "cd ../../../../ && husky"
   },
   "repository": {
     "type": "git",
@@ -45,6 +45,6 @@
     "husky": "^9.1.7",
     "lint-staged": "^15.5.0",
     "prettier": "^3.0.3",
-    "typescript": "^5.2.2"
+    "typescript": "^5.9.2"
   }
 }

src/Misc/externals.sh

@@ -6,8 +6,8 @@ NODE_URL=https://nodejs.org/dist
 NODE_ALPINE_URL=https://github.com/actions/alpine_nodejs/releases/download
 # When you update Node versions you must also create a new release of alpine_nodejs at that updated version.
 # Follow the instructions here: https://github.com/actions/alpine_nodejs?tab=readme-ov-file#getting-started
-NODE20_VERSION="20.19.4"
-NODE24_VERSION="24.5.0"
+NODE20_VERSION="20.19.5"
+NODE24_VERSION="24.7.0"
 
 get_abs_path() {
   # exploits the fact that pwd will print abs path when no args

src/Misc/layoutbin/installdependencies.sh

@@ -131,63 +131,12 @@ then
             command -v dnf
             if [ $? -eq 0 ]
             then
-                # Install basic dependencies first
-                dnf install -y openssl-libs krb5-libs zlib libicu
+                dnf install -y lttng-ust openssl-libs krb5-libs zlib libicu
                 if [ $? -ne 0 ]
                 then
                     echo "'dnf' failed with exit code '$?'"
                     print_errormessage
                     exit 1
-                fi
-
-                # Handle lttng-ust with fallback logic for version compatibility
-                dnf_with_lttng_fallbacks() {
-                    # Try to install the current lttng-ust package
-                    dnf install -y lttng-ust
-                    if [ $? -eq 0 ]
-                    then
-                        # Check if it provides the required liblttng-ust.so.0
-                        if ldconfig -p | grep -q "liblttng-ust.so.0"
-                        then
-                            echo "Found liblttng-ust.so.0"
-                            return 0
-                        else
-                            echo "Warning: lttng-ust installed but liblttng-ust.so.0 not found"
-                            echo "Attempting to create compatibility symlink..."
-                            
-                            # Find the actual liblttng-ust library
-                            lttng_lib=$(ldconfig -p | grep "liblttng-ust.so" | head -1 | awk '{print $NF}')
-                            if [ -n "$lttng_lib" ] && [ -f "$lttng_lib" ]
-                            then
-                                # Create symlink in the same directory
-                                lib_dir=$(dirname "$lttng_lib")
-                                if [ -w "$lib_dir" ]
-                                then
-                                    ln -sf "$(basename "$lttng_lib")" "$lib_dir/liblttng-ust.so.0"
-                                    echo "Created compatibility symlink: $lib_dir/liblttng-ust.so.0 -> $(basename "$lttng_lib")"
-                                    ldconfig
-                                    return 0
-                                else
-                                    echo "Cannot create symlink in $lib_dir (permission denied)"
-                                    return 1
-                                fi
-                            else
-                                echo "Could not find lttng-ust library file"
-                                return 1
-                            fi
-                        fi
-                    else
-                        echo "Failed to install lttng-ust package"
-                        return 1
-                    fi
-                }
-
-                dnf_with_lttng_fallbacks
-                if [ $? -ne 0 ]
-                then
-                    echo "Failed to install lttng-ust with compatibility"
-                    print_errormessage
-                    exit 1
                 fi         
             else
                 echo "Can not find 'dnf'"

src/Runner.Common/ConfigurationStore.cs

@@ -53,6 +53,9 @@ namespace GitHub.Runner.Common
         [DataMember(EmitDefaultValue = false)]
         public bool UseV2Flow { get; set; }
 
+        [DataMember(EmitDefaultValue = false)]
+        public bool UseRunnerAdminFlow { get; set; }
+
         [DataMember(EmitDefaultValue = false)]
         public string ServerUrlV2 { get; set; }
 

src/Runner.Common/Constants.cs

@@ -169,6 +169,7 @@ namespace GitHub.Runner.Common
                 public static readonly string AllowRunnerContainerHooks = "DistributedTask.AllowRunnerContainerHooks";
                 public static readonly string AddCheckRunIdToJobContext = "actions_add_check_run_id_to_job_context";
                 public static readonly string DisplayHelpfulActionsDownloadErrors = "actions_display_helpful_actions_download_errors";
+                public static readonly string ContainerActionRunnerTemp = "actions_container_action_runner_temp";
             }
             
             // Node version migration related constants

src/Runner.Listener/Configuration/ConfigurationManager.cs

@@ -153,8 +153,8 @@ namespace GitHub.Runner.Listener.Configuration
                     registerToken = await GetRunnerTokenAsync(command, inputUrl, "registration");
                     GitHubAuthResult authResult = await GetTenantCredential(inputUrl, registerToken, Constants.RunnerEvent.Register);
                     runnerSettings.ServerUrl = authResult.TenantUrl;
-                    runnerSettings.UseV2Flow = authResult.UseV2Flow;
-                    Trace.Info($"Using V2 flow: {runnerSettings.UseV2Flow}");
+                    runnerSettings.UseRunnerAdminFlow = authResult.UseRunnerAdminFlow;
+                    Trace.Info($"Using runner-admin flow: {runnerSettings.UseRunnerAdminFlow}");
                     creds = authResult.ToVssCredentials();
                     Trace.Info("cred retrieved via GitHub auth");
                 }
@@ -211,7 +211,7 @@ namespace GitHub.Runner.Listener.Configuration
             string poolName = null;
             TaskAgentPool agentPool = null;
             List<TaskAgentPool> agentPools;
-            if (runnerSettings.UseV2Flow)
+            if (runnerSettings.UseRunnerAdminFlow)
             {
                 agentPools = await _dotcomServer.GetRunnerGroupsAsync(runnerSettings.GitHubUrl, registerToken);
             }
@@ -259,7 +259,7 @@ namespace GitHub.Runner.Listener.Configuration
                 var userLabels = command.GetLabels();
                 _term.WriteLine();
                 List<TaskAgent> agents;
-                if (runnerSettings.UseV2Flow)
+                if (runnerSettings.UseRunnerAdminFlow)
                 {
                     agents = await _dotcomServer.GetRunnerByNameAsync(runnerSettings.GitHubUrl, registerToken, runnerSettings.AgentName);
                 }
@@ -280,7 +280,7 @@ namespace GitHub.Runner.Listener.Configuration
 
                         try
                         {
-                            if (runnerSettings.UseV2Flow)
+                            if (runnerSettings.UseRunnerAdminFlow)
                             {
                                 var runner = await _dotcomServer.ReplaceRunnerAsync(runnerSettings.PoolId, agent, runnerSettings.GitHubUrl, registerToken, publicKeyXML);
                                 runnerSettings.ServerUrlV2 = runner.RunnerAuthorization.ServerUrl;
@@ -330,10 +330,11 @@ namespace GitHub.Runner.Listener.Configuration
 
                     try
                     {
-                        if (runnerSettings.UseV2Flow)
+                        if (runnerSettings.UseRunnerAdminFlow)
                         {
                             var runner = await _dotcomServer.AddRunnerAsync(runnerSettings.PoolId, agent, runnerSettings.GitHubUrl, registerToken, publicKeyXML);
                             runnerSettings.ServerUrlV2 = runner.RunnerAuthorization.ServerUrl;
+                            runnerSettings.UseV2Flow = true; // if we are using runner admin, we also need to hit broker
 
                             agent.Id = runner.Id;
                             agent.Authorization = new TaskAgentAuthorization()
@@ -400,13 +401,26 @@ namespace GitHub.Runner.Listener.Configuration
             }
             else
             {
-
                 throw new NotSupportedException("Message queue listen OAuth token.");
             }
 
+            // allow the server to override the serverUrlV2 and useV2Flow
+            if (agent.Properties.TryGetValue("ServerUrlV2", out string serverUrlV2) &&
+                !string.IsNullOrEmpty(serverUrlV2))
+            {
+                Trace.Info($"Service enforced serverUrlV2: {serverUrlV2}");
+                runnerSettings.ServerUrlV2 = serverUrlV2;
+            }
+
+            if (agent.Properties.TryGetValue("UseV2Flow", out bool useV2Flow) && useV2Flow)
+            {
+                Trace.Info($"Service enforced useV2Flow: {useV2Flow}");
+                runnerSettings.UseV2Flow = useV2Flow;
+            }
+
             // Testing agent connection, detect any potential connection issue, like local clock skew that cause OAuth token expired.
 
-            if (!runnerSettings.UseV2Flow)
+            if (!runnerSettings.UseV2Flow && !runnerSettings.UseRunnerAdminFlow)
             {
                 var credMgr = HostContext.GetService<ICredentialManager>();
                 VssCredentials credential = credMgr.LoadCredentials(allowAuthUrlV2: false);
@@ -429,20 +443,6 @@ namespace GitHub.Runner.Listener.Configuration
                 }
             }
 
-            // allow the server to override the serverUrlV2 and useV2Flow
-            if (agent.Properties.TryGetValue("ServerUrlV2", out string serverUrlV2) &&
-                !string.IsNullOrEmpty(serverUrlV2))
-            {
-                Trace.Info($"Service enforced serverUrlV2: {serverUrlV2}");
-                runnerSettings.ServerUrlV2 = serverUrlV2;
-            }
-
-            if (agent.Properties.TryGetValue("UseV2Flow", out bool useV2Flow) && useV2Flow)
-            {
-                Trace.Info($"Service enforced useV2Flow: {useV2Flow}");
-                runnerSettings.UseV2Flow = useV2Flow;
-            }
-
             _term.WriteSection("Runner settings");
 
             // We will Combine() what's stored with root.  Defaults to string a relative path
@@ -538,7 +538,7 @@ namespace GitHub.Runner.Listener.Configuration
                 {
                     RunnerSettings settings = _store.GetSettings();
 
-                    if (settings.UseV2Flow)
+                    if (settings.UseRunnerAdminFlow)
                     {
                         var deletionToken = await GetRunnerTokenAsync(command, settings.GitHubUrl, "remove");
                         await _dotcomServer.DeleteRunnerAsync(settings.GitHubUrl, deletionToken, settings.AgentId);

src/Runner.Listener/Configuration/CredentialManager.cs

@@ -89,7 +89,7 @@ namespace GitHub.Runner.Listener.Configuration
         public string Token { get; set; }
 
         [DataMember(Name = "use_v2_flow")]
-        public bool UseV2Flow { get; set; }
+        public bool UseRunnerAdminFlow { get; set; }
 
         public VssCredentials ToVssCredentials()
         {

src/Runner.Worker/Container/DockerCommandManager.cs

@@ -111,19 +111,19 @@ namespace GitHub.Runner.Worker.Container
         {
             IList<string> dockerOptions = new List<string>();
             // OPTIONS
-            dockerOptions.Add($"--name {container.ContainerDisplayName}");
+            dockerOptions.Add(DockerUtil.CreateEscapedOption("--name", container.ContainerDisplayName));
             dockerOptions.Add($"--label {DockerInstanceLabel}");
             if (!string.IsNullOrEmpty(container.ContainerWorkDirectory))
             {
-                dockerOptions.Add($"--workdir {container.ContainerWorkDirectory}");
+                dockerOptions.Add(DockerUtil.CreateEscapedOption("--workdir", container.ContainerWorkDirectory));
             }
             if (!string.IsNullOrEmpty(container.ContainerNetwork))
             {
-                dockerOptions.Add($"--network {container.ContainerNetwork}");
+                dockerOptions.Add(DockerUtil.CreateEscapedOption("--network", container.ContainerNetwork));
             }
             if (!string.IsNullOrEmpty(container.ContainerNetworkAlias))
             {
-                dockerOptions.Add($"--network-alias {container.ContainerNetworkAlias}");
+                dockerOptions.Add(DockerUtil.CreateEscapedOption("--network-alias", container.ContainerNetworkAlias));
             }
             foreach (var port in container.UserPortMappings)
             {
@@ -195,10 +195,10 @@ namespace GitHub.Runner.Worker.Container
         {
             IList<string> dockerOptions = new List<string>();
             // OPTIONS
-            dockerOptions.Add($"--name {container.ContainerDisplayName}");
+            dockerOptions.Add(DockerUtil.CreateEscapedOption("--name", container.ContainerDisplayName));
             dockerOptions.Add($"--label {DockerInstanceLabel}");
 
-            dockerOptions.Add($"--workdir {container.ContainerWorkDirectory}");
+            dockerOptions.Add(DockerUtil.CreateEscapedOption("--workdir", container.ContainerWorkDirectory));
             dockerOptions.Add($"--rm");
 
             foreach (var env in container.ContainerEnvironmentVariables)

src/Runner.Worker/FeatureManager.cs

@@ -11,5 +11,10 @@ namespace GitHub.Runner.Worker
             var isContainerHooksPathSet = !string.IsNullOrEmpty(Environment.GetEnvironmentVariable(Constants.Hooks.ContainerHooksPath));
             return isContainerHookFeatureFlagSet && isContainerHooksPathSet;
         }
+
+        public static bool IsContainerActionRunnerTempEnabled(Variables variables)
+        {
+            return variables?.GetBoolean(Constants.Runner.Features.ContainerActionRunnerTemp) ?? false;
+        }
     }
 }

src/Runner.Worker/Handlers/ContainerActionHandler.cs

@@ -191,11 +191,19 @@ namespace GitHub.Runner.Worker.Handlers
             ArgUtil.Directory(tempWorkflowDirectory, nameof(tempWorkflowDirectory));
 
             container.MountVolumes.Add(new MountVolume("/var/run/docker.sock", "/var/run/docker.sock"));
+            if (FeatureManager.IsContainerActionRunnerTempEnabled(ExecutionContext.Global.Variables))
+            {
+                container.MountVolumes.Add(new MountVolume(tempDirectory, "/github/runner_temp"));
+            }
             container.MountVolumes.Add(new MountVolume(tempHomeDirectory, "/github/home"));
             container.MountVolumes.Add(new MountVolume(tempWorkflowDirectory, "/github/workflow"));
             container.MountVolumes.Add(new MountVolume(tempFileCommandDirectory, "/github/file_commands"));
             container.MountVolumes.Add(new MountVolume(defaultWorkingDirectory, "/github/workspace"));
 
+            if (FeatureManager.IsContainerActionRunnerTempEnabled(ExecutionContext.Global.Variables))
+            {
+                container.AddPathTranslateMapping(tempDirectory, "/github/runner_temp");
+            }
             container.AddPathTranslateMapping(tempHomeDirectory, "/github/home");
             container.AddPathTranslateMapping(tempWorkflowDirectory, "/github/workflow");
             container.AddPathTranslateMapping(tempFileCommandDirectory, "/github/file_commands");

src/Runner.Worker/Handlers/ScriptHandler.cs

@@ -249,7 +249,7 @@ namespace GitHub.Runner.Worker.Handlers
             {
                 // We do not not the full path until we know what shell is being used, so that we can determine the file extension
                 scriptFilePath = Path.Combine(tempDirectory, $"{Guid.NewGuid()}{ScriptHandlerHelpers.GetScriptFileExtension(shellCommand)}");
-                resolvedScriptPath = StepHost.ResolvePathForStepHost(ExecutionContext, scriptFilePath).Replace("\"", "\\\"");
+                resolvedScriptPath = $"\"{StepHost.ResolvePathForStepHost(ExecutionContext, scriptFilePath).Replace("\"", "\\\"")}\"";
             }
             else
             {
@@ -260,7 +260,7 @@ namespace GitHub.Runner.Worker.Handlers
                 }
                 scriptFilePath = Inputs["path"];
                 ArgUtil.NotNullOrEmpty(scriptFilePath, "path");
-                resolvedScriptPath = Inputs["path"].Replace("\"", "\\\"");
+                resolvedScriptPath = $"\"{Inputs["path"].Replace("\"", "\\\"")}\"";
             }
 
             // Format arg string with script path

src/Runner.Worker/Handlers/ScriptHandlerHelpers.cs

@@ -2,6 +2,7 @@
 using System;
 using System.Collections.Generic;
 using System.IO;
+using System.Text.RegularExpressions;
 using GitHub.Runner.Sdk;
 using GitHub.Runner.Common;
 using GitHub.Runner.Common.Util;
@@ -63,10 +64,47 @@ namespace GitHub.Runner.Worker.Handlers
                     var append = @"if ((Test-Path -LiteralPath variable:\LASTEXITCODE)) { exit $LASTEXITCODE }";
                     contents = $"{prepend}{Environment.NewLine}{contents}{Environment.NewLine}{append}";
                     break;
+                case "bash":
+                case "sh":
+                    contents = FixBashEnvironmentVariables(contents);
+                    break;
             }
             return contents;
         }
 
+        /// <summary>
+        /// Fixes unquoted environment variables in bash/sh scripts to prevent issues with paths containing spaces.
+        /// This method quotes environment variables used in shell redirects and command substitutions.
+        /// </summary>
+        /// <param name="contents">The shell script content to fix</param>
+        /// <returns>Fixed shell script content with properly quoted environment variables</returns>
+        private static string FixBashEnvironmentVariables(string contents)
+        {
+            if (string.IsNullOrEmpty(contents))
+            {
+                return contents;
+            }
+
+            // Pattern to match environment variables in shell redirects that aren't already quoted
+            // This targets patterns like: >> $GITHUB_STEP_SUMMARY, > $GITHUB_OUTPUT, etc.
+            // but avoids already quoted ones like: >> "$GITHUB_STEP_SUMMARY" or >> '$GITHUB_OUTPUT'
+            var redirectPattern = new Regex(
+                @"(\s+(?:>>|>|<|2>>|2>)\s+)(\$[A-Za-z_][A-Za-z0-9_]*)\b(?!\s*['""])",
+                RegexOptions.Compiled | RegexOptions.Multiline
+            );
+
+            // Replace unquoted environment variables in redirects with quoted versions
+            contents = redirectPattern.Replace(contents, match =>
+            {
+                var redirectOperator = match.Groups[1].Value; // e.g., " >> "
+                var envVar = match.Groups[2].Value; // e.g., "$GITHUB_STEP_SUMMARY"
+                
+                return $"{redirectOperator}\"{envVar}\"";
+            });
+
+            return contents;
+        }
+
         internal static (string shellCommand, string shellArgs) ParseShellOptionString(string shellOption)
         {
             var shellStringParts = shellOption.Split(" ", 2);

src/Runner.Worker/Handlers/StepHost.cs

@@ -220,7 +220,7 @@ namespace GitHub.Runner.Worker.Handlers
 
             // [OPTIONS]
             dockerCommandArgs.Add($"-i");
-            dockerCommandArgs.Add($"--workdir {workingDirectory}");
+            dockerCommandArgs.Add(DockerUtil.CreateEscapedOption("--workdir", workingDirectory));
             foreach (var env in environment)
             {
                 // e.g. -e MY_SECRET maps the value into the exec'ed process without exposing

src/Runner.Worker/Runner.Worker.csproj

@@ -12,6 +12,12 @@
     <PublishReadyToRunComposite>true</PublishReadyToRunComposite>
   </PropertyGroup>
 
+  <ItemGroup>
+    <AssemblyAttribute Include="System.Runtime.CompilerServices.InternalsVisibleTo">
+      <_Parameter1>Test</_Parameter1>
+    </AssemblyAttribute>
+  </ItemGroup>
+
   <ItemGroup>
     <ProjectReference Include="..\Sdk\Sdk.csproj" />
     <ProjectReference Include="..\Runner.Common\Runner.Common.csproj" />

src/Test/L0/Worker/Handlers/ScriptHandlerL0.cs

@@ -0,0 +1,278 @@
+using System;
+using System.Collections.Generic;
+using System.IO;
+using System.Runtime.CompilerServices;
+using System.Threading.Tasks;
+using GitHub.DistributedTask.Pipelines.ContextData;
+using GitHub.DistributedTask.WebApi;
+using GitHub.Runner.Common;
+using GitHub.Runner.Worker;
+using GitHub.Runner.Worker.Handlers;
+using Moq;
+using Xunit;
+
+namespace GitHub.Runner.Common.Tests.Worker.Handlers
+{
+    public sealed class ScriptHandlerL0
+    {
+        [Fact]
+        [Trait("Level", "L0")]
+        [Trait("Category", "Worker")]
+        public void ScriptPath_WithSpaces_ShouldBeQuoted()
+        {
+            // Arrange - Test the path quoting logic that our fix addresses
+            var tempPathWithSpaces = "/path with spaces/_temp";
+            var scriptPathWithSpaces = Path.Combine(tempPathWithSpaces, "test-script.sh");
+            
+            // Test the original (broken) behavior 
+            var originalPath = scriptPathWithSpaces.Replace("\"", "\\\"");
+            
+            // Test our fix - properly quoted path
+            var quotedPath = $"\"{scriptPathWithSpaces.Replace("\"", "\\\"")}\"";
+            
+            // Assert
+            Assert.False(originalPath.StartsWith("\""), "Original path should not be quoted");
+            Assert.True(quotedPath.StartsWith("\"") && quotedPath.EndsWith("\""), "Fixed path should be properly quoted");
+            Assert.Contains("path with spaces", quotedPath, StringComparison.Ordinal);
+            
+            // Verify the path is properly quoted (platform-agnostic check)
+            Assert.True(quotedPath.StartsWith("\"/path with spaces/_temp"), "Path should start with quoted temp directory");
+            Assert.True(quotedPath.EndsWith("test-script.sh\""), "Path should end with quoted script name");
+        }
+        
+        [Fact]
+        [Trait("Level", "L0")]
+        [Trait("Category", "Worker")]
+        public void ScriptPath_WithQuotes_ShouldEscapeQuotes()
+        {
+            // Arrange - Test paths that contain quotes
+            var pathWithQuotes = "/path/\"quoted folder\"/script.sh";
+            
+            // Test our fix - properly escape quotes and wrap in quotes
+            var quotedPath = $"\"{pathWithQuotes.Replace("\"", "\\\"")}\"";
+            
+            // Assert
+            Assert.True(quotedPath.StartsWith("\"") && quotedPath.EndsWith("\""), "Path should be wrapped in quotes");
+            Assert.Contains("\\\"", quotedPath, StringComparison.Ordinal);
+            Assert.Contains("quoted folder", quotedPath, StringComparison.Ordinal);
+            
+            // Verify quotes are properly escaped
+            Assert.Contains("\\\"quoted folder\\\"", quotedPath, StringComparison.Ordinal);
+        }
+
+        [Fact]
+        [Trait("Level", "L0")]
+        [Trait("Category", "Worker")]
+        public void ScriptPath_ActionsRunnerWithSpaces_ShouldBeQuoted()
+        {
+            // Arrange - Test the specific real-world scenario that was failing
+            var runnerPathWithSpaces = "/Users/user/Downloads/actions-runner-osx-arm64-2.328.0 2";
+            var tempPath = Path.Combine(runnerPathWithSpaces, "_work", "_temp");
+            var scriptPath = Path.Combine(tempPath, "script-guid.sh");
+            
+            // Test our fix
+            var quotedPath = $"\"{scriptPath.Replace("\"", "\\\"")}\"";
+            
+            // Assert
+            Assert.True(quotedPath.StartsWith("\"") && quotedPath.EndsWith("\""), "Path should be wrapped in quotes");
+            Assert.Contains("actions-runner-osx-arm64-2.328.0 2", quotedPath, StringComparison.Ordinal);
+            Assert.Contains("_work", quotedPath, StringComparison.Ordinal);
+            Assert.Contains("_temp", quotedPath, StringComparison.Ordinal);
+        }
+
+        [Fact]
+        [Trait("Level", "L0")]
+        [Trait("Category", "Worker")]
+        public void ScriptPath_MultipleSpaces_ShouldBeQuoted()
+        {
+            // Arrange - Test paths with multiple spaces
+            var pathWithMultipleSpaces = "/path/with  multiple   spaces/script.sh";
+            
+            // Test our fix
+            var quotedPath = $"\"{pathWithMultipleSpaces.Replace("\"", "\\\"")}\"";
+            
+            // Assert
+            Assert.True(quotedPath.StartsWith("\"") && quotedPath.EndsWith("\""), "Path should be wrapped in quotes");
+            Assert.Contains("multiple   spaces", quotedPath, StringComparison.Ordinal);
+        }
+
+        [Fact]
+        [Trait("Level", "L0")]
+        [Trait("Category", "Worker")]
+        public void ScriptPath_WithoutSpaces_ShouldStillBeQuoted()
+        {
+            // Arrange - Test normal paths without spaces (regression test)
+            var normalPath = "/home/user/runner/_work/_temp/script.sh";
+            
+            // Test our fix
+            var quotedPath = $"\"{normalPath.Replace("\"", "\\\"")}\"";
+            
+            // Assert
+            Assert.True(quotedPath.StartsWith("\"") && quotedPath.EndsWith("\""), "Path should be wrapped in quotes");
+            Assert.Equal($"\"{normalPath}\"", quotedPath);
+        }
+
+        [Theory]
+        [Trait("Level", "L0")]
+        [Trait("Category", "Worker")]
+        [InlineData("/path with spaces/script.sh")]
+        [InlineData("/Users/user/Downloads/actions-runner-osx-arm64-2.328.0 2/_work/_temp/guid.sh")]
+        [InlineData("C:\\Program Files\\GitHub Runner\\script.cmd")]
+        [InlineData("/path/\"with quotes\"/script.sh")]
+        [InlineData("/path/with'single'quotes/script.sh")]
+        public void ScriptPath_VariousScenarios_ShouldBeProperlyQuoted(string inputPath)
+        {
+            // Arrange & Act
+            var quotedPath = $"\"{inputPath.Replace("\"", "\\\"")}\"";
+            
+            // Assert
+            Assert.True(quotedPath.StartsWith("\""), "Path should start with quote");
+            Assert.True(quotedPath.EndsWith("\""), "Path should end with quote");
+            
+            // Ensure the original path content is preserved
+            var unquotedContent = quotedPath.Substring(1, quotedPath.Length - 2);
+            if (inputPath.Contains("\""))
+            {
+                // If original had quotes, they should be escaped in the result
+                Assert.Contains("\\\"", unquotedContent);
+            }
+        }
+
+        [Fact]
+        [Trait("Level", "L0")]
+        [Trait("Category", "Worker")]
+        public void FixUpScriptContents_BashEnvironmentVariables_ShouldQuoteRedirects()
+        {
+            // Arrange
+            var scriptContent = @"echo ""## Dependency Status Report"" >> $GITHUB_STEP_SUMMARY
+echo ""Generated on: $(date)"" >> $GITHUB_STEP_SUMMARY
+echo ""| Component | Status |"" > $GITHUB_OUTPUT
+echo ""npm-status=ok"" >> $GITHUB_OUTPUT";
+
+            // Act
+            var fixedContent = ScriptHandlerHelpers.FixUpScriptContents("bash", scriptContent);
+
+            // Assert
+            Assert.Contains(">> \"$GITHUB_STEP_SUMMARY\"", fixedContent);
+            Assert.Contains("> \"$GITHUB_OUTPUT\"", fixedContent);
+            Assert.DoesNotContain(">> $GITHUB_STEP_SUMMARY", fixedContent);
+            Assert.DoesNotContain("> $GITHUB_OUTPUT", fixedContent);
+        }
+
+        [Fact]
+        [Trait("Level", "L0")]
+        [Trait("Category", "Worker")]
+        public void FixUpScriptContents_AlreadyQuotedVariables_ShouldNotDoubleQuote()
+        {
+            // Arrange
+            var scriptContent = @"echo ""test"" >> ""$GITHUB_STEP_SUMMARY""
+echo ""test"" > '$GITHUB_OUTPUT'
+echo ""test"" 2>> ""$GITHUB_ENV""";
+
+            // Act
+            var fixedContent = ScriptHandlerHelpers.FixUpScriptContents("bash", scriptContent);
+
+            // Assert - Should remain unchanged
+            Assert.Equal(scriptContent, fixedContent);
+            Assert.Contains(">> \"$GITHUB_STEP_SUMMARY\"", fixedContent);
+            Assert.Contains("> '$GITHUB_OUTPUT'", fixedContent);
+            Assert.Contains("2>> \"$GITHUB_ENV\"", fixedContent);
+        }
+
+        [Fact]
+        [Trait("Level", "L0")]
+        [Trait("Category", "Worker")]
+        public void FixUpScriptContents_ShellRedirectOperators_ShouldHandleAllTypes()
+        {
+            // Arrange
+            var scriptContent = @"echo ""test"" >> $VAR1
+echo ""test"" > $VAR2
+cat < $VAR3
+echo ""test"" 2>> $VAR4
+echo ""test"" 2> $VAR5";
+
+            // Act
+            var fixedContent = ScriptHandlerHelpers.FixUpScriptContents("sh", scriptContent);
+
+            // Assert
+            Assert.Contains(">> \"$VAR1\"", fixedContent);
+            Assert.Contains("> \"$VAR2\"", fixedContent);
+            Assert.Contains("< \"$VAR3\"", fixedContent);
+            Assert.Contains("2>> \"$VAR4\"", fixedContent);
+            Assert.Contains("2> \"$VAR5\"", fixedContent);
+        }
+
+        [Fact]
+        [Trait("Level", "L0")]
+        [Trait("Category", "Worker")]
+        public void FixUpScriptContents_NonShellTypes_ShouldNotModifyEnvironmentVariables()
+        {
+            // Arrange
+            var scriptContent = @"echo ""test"" >> $GITHUB_STEP_SUMMARY";
+
+            // Act
+            var powershellFixed = ScriptHandlerHelpers.FixUpScriptContents("powershell", scriptContent);
+            var cmdFixed = ScriptHandlerHelpers.FixUpScriptContents("cmd", scriptContent);
+            var pythonFixed = ScriptHandlerHelpers.FixUpScriptContents("python", scriptContent);
+
+            // Assert - Should not modify environment variables for non-shell types
+            Assert.Contains(">> $GITHUB_STEP_SUMMARY", powershellFixed);
+            Assert.Contains(">> $GITHUB_STEP_SUMMARY", cmdFixed);
+            Assert.Contains(">> $GITHUB_STEP_SUMMARY", pythonFixed);
+        }
+
+        [Fact]
+        [Trait("Level", "L0")]
+        [Trait("Category", "Worker")]
+        public void FixUpScriptContents_ComplexScript_ShouldQuoteOnlyUnquotedRedirects()
+        {
+            // Arrange
+            var scriptContent = @"#!/bin/bash
+# This is a test script
+echo ""Starting workflow"" >> $GITHUB_STEP_SUMMARY
+echo ""Already quoted"" >> ""$GITHUB_OUTPUT""
+export MY_VAR=""$HOME/path with spaces""
+curl -s https://api.github.com/rate_limit > $TEMP_FILE
+echo ""Final status"" 2>> $ERROR_LOG
+if [ -f ""$GITHUB_ENV"" ]; then
+    echo ""MY_VAR=test"" >> $GITHUB_ENV
+fi";
+
+            // Act
+            var fixedContent = ScriptHandlerHelpers.FixUpScriptContents("bash", scriptContent);
+
+            // Assert
+            Assert.Contains(">> \"$GITHUB_STEP_SUMMARY\"", fixedContent);
+            Assert.Contains(">> \"$GITHUB_OUTPUT\"", fixedContent); // Should remain quoted
+            Assert.Contains("> \"$TEMP_FILE\"", fixedContent);
+            Assert.Contains("2>> \"$ERROR_LOG\"", fixedContent);
+            Assert.Contains(">> \"$GITHUB_ENV\"", fixedContent);
+            
+            // Other parts should remain unchanged
+            Assert.Contains("#!/bin/bash", fixedContent);
+            Assert.Contains("# This is a test script", fixedContent);
+            Assert.Contains("export MY_VAR=\"$HOME/path with spaces\"", fixedContent);
+            Assert.Contains("if [ -f \"$GITHUB_ENV\" ]; then", fixedContent);
+        }
+
+        [Fact]
+        [Trait("Level", "L0")]
+        [Trait("Category", "Worker")]
+        public void FixUpScriptContents_EnvironmentVariablesInCommands_ShouldNotQuote()
+        {
+            // Arrange - Environment variables not in redirects should not be touched
+            var scriptContent = @"echo $GITHUB_STEP_SUMMARY
+cd $HOME
+ls -la $TEMP_DIR
+if [ ""$MY_VAR"" == ""test"" ]; then
+    echo ""match""
+fi";
+
+            // Act
+            var fixedContent = ScriptHandlerHelpers.FixUpScriptContents("bash", scriptContent);
+
+            // Assert - Should remain unchanged as these are not redirects
+            Assert.Equal(scriptContent, fixedContent);
+        }
+    }
+}