
Summary
This rule detects GitHub Actions workflow jobs that ran on a self-hosted runner. It consumes GitHub workflow_job webhook events and matches jobs whose action is completed and whose runner labels include self-hosted (GitHub assigns that label to every self-hosted runner). The rule is mapped to MITRE ATT&CK tactics such as Execution and Privilege Escalation (techniques listed below) because a self-hosted runner executes repository-defined code on infrastructure the organisation operates: on a public repository a pull request from a fork can run arbitrary commands on that machine, and a non-ephemeral runner keeps state, credentials and network reach between jobs. The rule ships with test cases ranging from public repositories to private, non-forkable ones, i.e. workflows that legitimately should and should not run on a self-hosted runner, so both usage patterns are validated. Because the event fires on job completion, an alert means the job has already run; the rule's value is in surfacing and baselining self-hosted runner use so that unexpected repositories, runners or branches can be investigated, and in production the webhook payloads feeding it should be signature-verified so that an attacker who can reach the webhook endpoint cannot inject or suppress events.
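The following is an added example, not the rule's own search logic or code from the project: it shows the detection condition described above (workflow_job event, action completed, self-hosted label) applied to constructed webhook payloads, with HMAC verification of GitHub's X-Hub-Signature-256 header in front of it and the repository context an analyst would want on the alert. The webhook secret, repository names, runner names and job IDs are all assumptions made up for the example; the payload field names follow GitHub's workflow_job webhook event.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Optional

# Constructed webhook secret for this example; a real deployment uses the
# secret configured on the GitHub webhook, stored outside the code.
WEBHOOK_SECRET = b"example-webhook-secret"


def verify_signature(raw_body: bytes, signature_header: Optional[str],
                     secret: bytes = WEBHOOK_SECRET) -> bool:
    """Check GitHub's X-Hub-Signature-256 header: 'sha256=' + hex HMAC-SHA256 of the raw body.
    Unverified payloads must not feed the detection, or anyone who can reach the
    webhook endpoint can inject or suppress alerts."""
    if not signature_header or not signature_header.startswith("sha256="):
        return False
    expected = "sha256=" + hmac.new(secret, raw_body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature_header)


def sign(raw_body: bytes, secret: bytes = WEBHOOK_SECRET) -> str:
    """Produce the header value GitHub would send; used here only to sign the constructed samples."""
    return "sha256=" + hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def is_self_hosted_completion(event: Dict) -> bool:
    """The rule's condition: a workflow_job event whose action is 'completed' and whose
    runner labels include 'self-hosted' (GitHub adds that label to every self-hosted runner)."""
    if event.get("action") != "completed":
        return False
    job = event.get("workflow_job") or {}
    labels = {str(label).lower() for label in job.get("labels", [])}
    return "self-hosted" in labels


def risk_context(event: Dict) -> List[str]:
    """Enrichment for the alert: why this runner use is more or less concerning."""
    repo = event.get("repository") or {}
    job = event.get("workflow_job") or {}
    notes = []
    if repo.get("private") is False:
        notes.append("public repository: pull requests from forks can run untrusted code on this runner")
    if repo.get("fork") is True:
        notes.append("repository is itself a fork")
    if job.get("conclusion") not in (None, "success"):
        notes.append("job conclusion: %s" % job["conclusion"])
    return notes


def evaluate(raw_body: bytes, signature_header: Optional[str],
             secret: bytes = WEBHOOK_SECRET) -> Optional[Dict]:
    """Return an alert record for a self-hosted-runner job completion, or None."""
    if not verify_signature(raw_body, signature_header, secret):
        return None
    event = json.loads(raw_body)
    if not is_self_hosted_completion(event):
        return None
    job = event["workflow_job"]
    repo = event.get("repository") or {}
    return {
        "repository": repo.get("full_name"),
        "workflow": job.get("workflow_name"),
        "job_id": job.get("id"),
        "runner": job.get("runner_name"),
        "runner_group": job.get("runner_group_name"),
        "branch": job.get("head_branch"),
        "labels": job.get("labels"),
        "context": risk_context(event),
    }


# Constructed sample events (not real webhook captures), shaped like GitHub's workflow_job payload.
SAMPLES = {
    "self_hosted_public": json.dumps({
        "action": "completed",
        "workflow_job": {"id": 101, "workflow_name": "build", "head_branch": "main",
                         "conclusion": "success", "labels": ["self-hosted", "linux", "x64"],
                         "runner_name": "build-box-01", "runner_group_name": "Default"},
        "repository": {"full_name": "example-org/public-app", "private": False, "fork": False},
    }).encode(),
    "github_hosted": json.dumps({
        "action": "completed",
        "workflow_job": {"id": 102, "workflow_name": "build", "head_branch": "main",
                         "conclusion": "success", "labels": ["ubuntu-latest"],
                         "runner_name": "GitHub Actions 3", "runner_group_name": "GitHub Actions"},
        "repository": {"full_name": "example-org/public-app", "private": False, "fork": False},
    }).encode(),
    "self_hosted_in_progress": json.dumps({
        "action": "in_progress",
        "workflow_job": {"id": 103, "workflow_name": "deploy", "head_branch": "main",
                         "conclusion": None, "labels": ["self-hosted", "linux"],
                         "runner_name": "deploy-box-01", "runner_group_name": "Default"},
        "repository": {"full_name": "example-org/private-svc", "private": True, "fork": False},
    }).encode(),
}


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, "->", evaluate(body, sign(body)))
```

Only the first sample produces an alert: the GitHub-hosted job has no self-hosted label, and the in_progress event is dropped because the rule keys on completion. A payload with a wrong or missing signature is rejected before the detection logic sees it. In a real pipeline the repository allow-list that the test cases imply (repositories that are expected to use self-hosted runners) would be applied on top of this, and an alert on a public repository should be triaged first.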
Categories
- Cloud
- Infrastructure
- Application
Data Sources
- Web Credential
- Container
- Application Log
- Service
ATT&CK Techniques
- T1195.002
- T1072
- T1021
Created: 2025-11-13