fix(ci): update OS versions in auto-test workflow to use github hosted instead of selfhosted runners #6567
Pull request overview
This PR addresses a security advisory (GHSA-j2w5-6w25-mcwq) by updating the OS versions used in the auto-test GitHub Actions workflow to more recent versions.
Key changes:
- Updated Ubuntu runner from version 22.04 to 24.04
- Changed ARM64 runner reference to use the standard ubuntu-24.04-arm label
fe2b174 to 04bd256
@louislam merging needs a change in the repo settings as the runners seem to be hardcoded there. We can also add a job like this:

```yaml
  # This final step is needed to mark the whole workflow as successful
  # Don't change its name - it is used by the merge protection rules
  done:
    name: CI Finished
    runs-on: ubuntu-latest
    needs: [ armv7-simple-tests, auto-test, e2e-test ]
    if: always()
    permissions: {}
    steps:
      - name: Result of the needed steps
        run: echo "${{ toJSON(needs) }}" # zizmor: ignore[template-injection]
      - if: ${{ contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled') || contains(needs.*.result, 'skipped') }}
        name: CI Result
        run: exit 1
```
I think we still need to change to Let me also update the required workflow, in order to pass all checks.
I am not sure where you are reading this in https://github.com/louislam/uptime-kuma/security/advisories/GHSA-j2w5-6w25-mcwq In fact, @zaddy6 explicitly warns against this.
-> Let's stick with
Actually, I don't quite understand those recommended fixes, but now we don't have self-hosted runners anymore, I think I don't need to understand it haha. Thanks for the PR.
The fixes are mostly removing things that were necessary for the self-hosted runners (such as I chose to use qemu which works reasonably well for the armv7 check. The pipeline is faster since we don't need to wait for the central self-hosted runner and can use our 20 runners. (we are currently not using all)
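A static check for the change this PR makes, as an added example that is not part of the thread or the project's code: it lists every `runs-on` entry in a workflow and flags labels that are not GitHub-hosted. The allowlist pattern, the function names and the sample workflow are assumptions constructed for illustration.

```python
import re

# Assumed allowlist pattern for GitHub-hosted labels (e.g. ubuntu-24.04-arm); not GitHub's official list.
HOSTED_LABEL = re.compile(r"^(ubuntu|windows|macos)-(latest|\d+(\.\d+)?)(-arm|-large|-xlarge)?$")
RUNS_ON = re.compile(r"^(\s*)runs-on:\s*(.*)$")

def _labels(value, following, indent):
    """Labels of one runs-on entry written as a scalar, a flow list or a block list."""
    value = value.split(" #")[0].strip()          # drop a trailing YAML comment
    if value.startswith("["):
        return [v.strip(" '\"") for v in value.strip("[]").split(",") if v.strip()]
    if value:
        return [value.strip("'\"")]
    labels = []
    for line in following:                        # block list: "- label" lines below runs-on
        m = re.match(r"^(\s*)-\s+(\S+)", line)
        if not m or len(m.group(1)) < indent:
            break
        labels.append(m.group(2).strip("'\""))
    return labels

def audit_runners(workflow_text):
    """Return (line_number, labels, verdict) for every runs-on entry in a workflow."""
    lines = workflow_text.splitlines()
    findings = []
    for i, line in enumerate(lines):
        m = RUNS_ON.match(line)
        if not m:
            continue
        labels = _labels(m.group(2), lines[i + 1:], len(m.group(1)))
        if any("${{" in lab for lab in labels):
            verdict = "dynamic"                   # set at run time (matrix); review by hand
        elif not labels or not all(HOSTED_LABEL.match(lab) for lab in labels):
            verdict = "non-hosted"                # self-hosted or custom label
        else:
            verdict = "github-hosted"
        findings.append((i + 1, labels, verdict))
    return findings

# Constructed sample workflow, not the project's file; job names and self-hosted labels are made up.
SAMPLE = """\
jobs:
  unit:
    runs-on: ${{ matrix.os }}
  arm:
    runs-on: [self-hosted, ARM64]
  e2e:
    runs-on:
      - ubuntu-24.04-arm
"""
```

Calling `audit_runners(SAMPLE)` returns one tuple per `runs-on` entry; a CI gate can fail the build whenever any verdict is `non-hosted`.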
📝 Summary of changes done and why they are done
This fixes https://github.com/louislam/uptime-kuma/security/advisories/GHSA-j2w5-6w25-mcwq
Not sure if it is actually exploitable, but better be sure.
CC @zaddy6