From ee01d0b0fa55ea4294213dced1cb6c56fdd8c604 Mon Sep 17 00:00:00 2001
From: yuriyryabikov <22548029+kurok@users.noreply.github.com>
Date: Wed, 17 Jun 2026 19:10:26 +0100
Subject: [PATCH] fix: bump default actions/runner to 2.335.1

GitHub stops allowing actions/runner v2.333.1 (the previous default) to
run jobs on 2026-06-23. Bump the default runner-version to the latest
release 2.335.1 and replace the SHA-256 checksum table with the x64/arm64
hashes from the v2.335.1 release body (the same source the
verify-runner-url job cross-checks).

Touches action.yml, src/config.js fallback, the checksum table + tests,
README, the pr.yml comment, and the rebuilt dist/ bundle.

Signed-off-by: yuriyryabikov <22548029+kurok@users.noreply.github.com>
---
 .github/workflows/pr.yml       |  2 +-
 README.md                      |  2 +-
 action.yml                     |  2 +-
 dist/index.js                  | 11 ++++++-----
 src/config.js                  |  2 +-
 src/runner-checksums.js        |  9 +++++----
 tests/config.test.js           |  4 ++--
 tests/runner-checksums.test.js | 10 +++++-----
 8 files changed, 22 insertions(+), 20 deletions(-)

diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
index e4359083..7cd8f69e 100644
--- a/.github/workflows/pr.yml
+++ b/.github/workflows/pr.yml
@@ -74,7 +74,7 @@ jobs:
           # action.yml declares:
           #   runner-version:
           #     ...
-          #     default: '2.333.1'
+          #     default: '2.335.1'
           version=$(awk '/^  runner-version:/{found=1} found && /^    default:/{gsub(/[^0-9.]/, "", $2); print $2; exit}' action.yml)
           if [ -z "$version" ]; then
             echo "::error::Could not locate the default runner-version in action.yml"
diff --git a/README.md b/README.md
index 61cedc78..6fe70064 100644
--- a/README.md
+++ b/README.md
@@ -287,7 +287,7 @@ Now you're ready to go!
 | `iam-role-name`                                                                                                                                                              | Optional. Used only with the `start` mode. | IAM role name to attach to the created EC2 runner. <br><br> This allows the runner to have permissions to run additional actions within the AWS account, without having to manage additional GitHub secrets and AWS users. <br><br> Setting this requires additional AWS permissions for the role launching the instance (see above). |
 | `aws-resource-tags`                                                                                                                                                          | Optional. Used only with the `start` mode. | Specifies tags to add to the EC2 instance and any attached storage. <br><br> This field is a stringified JSON array of tag objects, each containing a `Key` and `Value` field (see example below). <br><br> Setting this requires additional AWS permissions for the role launching the instance (see above).                         |
 | `eip-allocation-id` | Optional. Used only with the `start` mode. | Allocation Id of an Elastic IP to associate with the runner instance once it is running. |
-| `runner-version` | Optional. Used only with the `start` mode. | Version of the `actions/runner` binary to download and register (default `2.333.1`). <br><br> Must have a matching entry in `src/runner-checksums.js`; the action verifies the downloaded tarball's SHA-256 against that table before extraction. |
+| `runner-version` | Optional. Used only with the `start` mode. | Version of the `actions/runner` binary to download and register (default `2.335.1`). <br><br> Must have a matching entry in `src/runner-checksums.js`; the action verifies the downloaded tarball's SHA-256 against that table before extraction. |
 | `http-tokens` | Optional. Used only with the `start` mode. | Instance Metadata Service (IMDS) token mode (default `required`). <br><br> - `required` — IMDSv2 only; mitigates SSRF-style credential theft. <br> - `optional` — also allows IMDSv1; set only if a workload on the runner needs it. |
 | `encrypt-ebs` | Optional. Used only with the `start` mode. | When `true`, the root EBS volume is created with SSE-EBS encryption using the account's default AWS-managed key (default `false`). Volume size / type / IOPS are preserved from the AMI. |
 | `debug` | Optional. | When `true`, the action emits extra diagnostic output to the Actions log — inputs (secrets redacted), AWS SDK response metadata, and runner-registration poll details. Default `false`. |
diff --git a/action.yml b/action.yml
index e5f43445..961c368a 100644
--- a/action.yml
+++ b/action.yml
@@ -78,7 +78,7 @@ inputs:
       tarball's SHA-256 against that table before extraction). To
       override, add the corresponding hash to the table in a PR.
     required: false
-    default: '2.333.1'
+    default: '2.335.1'
   encrypt-ebs:
     description: >-
       When 'true', the root EBS volume is created with SSE-EBS
diff --git a/dist/index.js b/dist/index.js
index 51a0b2d9..36628515 100644
--- a/dist/index.js
+++ b/dist/index.js
@@ -96478,7 +96478,7 @@ class Config {
       label: core.getInput('label'),
       ec2InstanceId: core.getInput('ec2-instance-id'),
       iamRoleName: core.getInput('iam-role-name'),
-      runnerVersion: core.getInput('runner-version') || '2.333.1',
+      runnerVersion: core.getInput('runner-version') || '2.335.1',
       httpTokens: core.getInput('http-tokens') || 'required',
       encryptEbs: core.getInput('encrypt-ebs') || 'false',
       debug: core.getInput('debug') || 'false',
@@ -96829,12 +96829,13 @@ module.exports = {
 // upstream is caught at code-review time, not at runtime.
 //
 // Sources:
-//   https://github.com/actions/runner/releases/tag/v2.333.1
+//   https://github.com/actions/runner/releases/tag/v2.335.1
 
 const CHECKSUMS = {
-  // v2.333.1 — pinned default as of 2026-04-21.
-  'x64-2.333.1':   '18f8f68ed1892854ff2ab1bab4fcaa2f5abeedc98093b6cb13638991725cab74',
-  'arm64-2.333.1': '69ac7e5692f877189e7dddf4a1bb16cbbd6425568cd69a0359895fac48b9ad3b',
+  // v2.335.1 — pinned default as of 2026-06-17. Bumped from 2.333.1, which
+  // GitHub stops allowing to run jobs on 2026-06-23.
+  'x64-2.335.1':   '4ef2f25285f0ae4477f1fe1e346db76d2f3ebf03824e2ddd1973a2819bf6c8cf',
+  'arm64-2.335.1': '6d1e85bfd1a506a8b17c1f1b9b57dba458ffed90898799aaa9f599520b0d9207',
 };
 
 function lookup(arch, version) {
diff --git a/src/config.js b/src/config.js
index c02c6d38..68634de7 100644
--- a/src/config.js
+++ b/src/config.js
@@ -16,7 +16,7 @@ class Config {
       label: core.getInput('label'),
       ec2InstanceId: core.getInput('ec2-instance-id'),
       iamRoleName: core.getInput('iam-role-name'),
-      runnerVersion: core.getInput('runner-version') || '2.333.1',
+      runnerVersion: core.getInput('runner-version') || '2.335.1',
       httpTokens: core.getInput('http-tokens') || 'required',
       encryptEbs: core.getInput('encrypt-ebs') || 'false',
       debug: core.getInput('debug') || 'false',
diff --git a/src/runner-checksums.js b/src/runner-checksums.js
index 754364fc..9fa5f6af 100644
--- a/src/runner-checksums.js
+++ b/src/runner-checksums.js
@@ -17,12 +17,13 @@
 // upstream is caught at code-review time, not at runtime.
 //
 // Sources:
-//   https://github.com/actions/runner/releases/tag/v2.333.1
+//   https://github.com/actions/runner/releases/tag/v2.335.1
 
 const CHECKSUMS = {
-  // v2.333.1 — pinned default as of 2026-04-21.
-  'x64-2.333.1':   '18f8f68ed1892854ff2ab1bab4fcaa2f5abeedc98093b6cb13638991725cab74',
-  'arm64-2.333.1': '69ac7e5692f877189e7dddf4a1bb16cbbd6425568cd69a0359895fac48b9ad3b',
+  // v2.335.1 — pinned default as of 2026-06-17. Bumped from 2.333.1, which
+  // GitHub stops allowing to run jobs on 2026-06-23.
+  'x64-2.335.1':   '4ef2f25285f0ae4477f1fe1e346db76d2f3ebf03824e2ddd1973a2819bf6c8cf',
+  'arm64-2.335.1': '6d1e85bfd1a506a8b17c1f1b9b57dba458ffed90898799aaa9f599520b0d9207',
 };
 
 function lookup(arch, version) {
diff --git a/tests/config.test.js b/tests/config.test.js
index 17ab235f..3b591b82 100644
--- a/tests/config.test.js
+++ b/tests/config.test.js
@@ -132,9 +132,9 @@ describe('Config — mode validation', () => {
 });
 
 describe('Config — runner-version input', () => {
-  test('defaults to 2.333.1 when unset', () => {
+  test('defaults to 2.335.1 when unset', () => {
     const config = loadConfig(startModeInputs);
-    expect(config.input.runnerVersion).toBe('2.333.1');
+    expect(config.input.runnerVersion).toBe('2.335.1');
   });
 
   test('honors an explicit override', () => {
diff --git a/tests/runner-checksums.test.js b/tests/runner-checksums.test.js
index c6513ba1..e14bbecd 100644
--- a/tests/runner-checksums.test.js
+++ b/tests/runner-checksums.test.js
@@ -22,11 +22,11 @@ describe('runner-checksums', () => {
   });
 
   test('lookup returns the expected value for a known key', () => {
-    expect(checksums.lookup('x64', '2.333.1')).toBe(
-      '18f8f68ed1892854ff2ab1bab4fcaa2f5abeedc98093b6cb13638991725cab74',
+    expect(checksums.lookup('x64', '2.335.1')).toBe(
+      '4ef2f25285f0ae4477f1fe1e346db76d2f3ebf03824e2ddd1973a2819bf6c8cf',
     );
-    expect(checksums.lookup('arm64', '2.333.1')).toBe(
-      '69ac7e5692f877189e7dddf4a1bb16cbbd6425568cd69a0359895fac48b9ad3b',
+    expect(checksums.lookup('arm64', '2.335.1')).toBe(
+      '6d1e85bfd1a506a8b17c1f1b9b57dba458ffed90898799aaa9f599520b0d9207',
     );
   });
 
@@ -35,6 +35,6 @@ describe('runner-checksums', () => {
   });
 
   test('lookup returns null for an unsupported arch', () => {
-    expect(checksums.lookup('riscv', '2.333.1')).toBeNull();
+    expect(checksums.lookup('riscv', '2.335.1')).toBeNull();
   });
 });