GitHub Actions 2025 Features

1 vCPU Linux Runners (October 2025 - Public Preview)

What: New lightweight runners optimized for automation tasks with lower cost.

Specs:

• 1 vCPU
• 5 GB RAM
• 15-minute job limit
• Optimized for short-running tasks

When to Use 1 vCPU Runners

Ideal for:

• Issue triage automation
• Label management
• PR comment automation
• Status checks
• Lightweight scripts
• Git operations (checkout, tag, commit)
• Notification tasks

NOT suitable for:

• Build operations
• Test suites
• Complex CI/CD pipelines
• Resource-intensive operations

Usage

# .github/workflows/automation.yml
name: Lightweight Automation

on:
  issues:
    types: [opened, labeled]

jobs:
  triage:
    runs-on: ubuntu-latest-1-core  # New 1 vCPU runner
    timeout-minutes: 10  # Max 15 minutes
    steps:
      - name: Triage Issue
        run: |
          echo "Triaging issue..."
          gh issue edit ${{ github.event.issue.number }} --add-label "needs-review"

Cost Savings Example

# Before: Using 2 vCPU runner for simple task
jobs:
  label:
    runs-on: ubuntu-latest  # 2 vCPU, higher cost
    steps:
      - name: Add label
        run: gh pr edit ${{ github.event.number }} --add-label "reviewed"

# After: Using 1 vCPU runner (lower cost)
jobs:
  label:
    runs-on: ubuntu-latest-1-core  # 1 vCPU, 50% cost reduction
    timeout-minutes: 5
    steps:
      - name: Add label
        run: gh pr edit ${{ github.event.number }} --add-label "reviewed"

Immutable Releases (August 2025)

What: Releases can now be marked immutable - assets and Git tags cannot be changed or deleted once released.

Benefits:

• Supply chain security
• Audit compliance
• Prevent tampering
• Trust in release artifacts

Create Immutable Release

# Using GitHub CLI
gh release create v1.0.0 \
  dist/*.zip \
  --title "Version 1.0.0" \
  --notes-file CHANGELOG.md \
  --immutable

# Verify immutability
gh release view v1.0.0 --json isImmutable

GitHub Actions Workflow

# .github/workflows/release.yml
name: Create Immutable Release

on:
  push:
    tags:
      - 'v*'

jobs:
  release:
    runs-on: ubuntu-latest
    permissions:
      contents: write

    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Build artifacts
        run: npm run build

      - name: Create Immutable Release
        uses: actions/github-script@v7
        with:
          script: |
            const fs = require('fs');
            const tag = context.ref.replace('refs/tags/', '');

            await github.rest.repos.createRelease({
              owner: context.repo.owner,
              repo: context.repo.repo,
              tag_name: tag,
              name: `Release ${tag}`,
              body: fs.readFileSync('CHANGELOG.md', 'utf8'),
              draft: false,
              prerelease: false,
              make_immutable: true  # Mark as immutable
            });

      - name: Upload Release Assets
        run: gh release upload ${{ github.ref_name }} dist/*.zip --clobber

Immutable Release Policy

# Organizational policy for immutable releases
name: Enforce Immutable Releases

on:
  release:
    types: [created]

jobs:
  enforce-immutability:
    runs-on: ubuntu-latest
    if: "!github.event.release.immutable && startsWith(github.event.release.tag_name, 'v')"

    steps:
      - name: Fail if not immutable
        run: |
          echo "ERROR: Production releases must be immutable"
          exit 1

Node24 Migration (September 2025)

What: GitHub Actions migrating from Node20 to Node24 in fall 2025.

Timeline:

• September 2025: Node24 support added
• October 2025: Deprecation notices for Node20
• November 2025: Node20 phase-out begins
• December 2025: Full migration to Node24

Update Your Actions

Check Node version in actions:

# Old - Node20
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/setup-node@v3
        with:
          node-version: '20'  # Update to 24

# New - Node24
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/setup-node@v4
        with:
          node-version: '24'  # Current LTS

Runner Version Compatibility

# Ensure runner supports Node24
jobs:
  test:
    runs-on: ubuntu-latest  # Runner v2.328.0+ supports Node24

    steps:
      - name: Verify Node version
        run: node --version  # Should show v24.x.x

Custom Actions Migration

If you maintain custom actions:

// action.yml
runs:
  using: 'node24'  // Updated from 'node20'
  main: 'index.js'

# Update dependencies
npm install @actions/core@latest
npm install @actions/github@latest

# Test with Node24
node --version  # Ensure 24.x
npm test

Actions Environment Variables (May 2025)

What: Actions environments now available for all plans (public and private repos).

Environment Protection Rules

# .github/workflows/deploy.yml
name: Deploy to Production

on:
  push:
    branches: [main]

jobs:
  deploy:
    runs-on: ubuntu-latest
    environment:
      name: production
      url: https://app.example.com

    steps:
      - name: Deploy
        run: |
          echo "Deploying to ${{ vars.DEPLOY_URL }}"
          # Deployment steps...

Environment configuration:

• Settings → Environments → production
• Add protection rules:
  • Required reviewers
  • Wait timer
  • Deployment branches (only main)

Allowed Actions Policy Updates (August 2025)

What: Enhanced governance with explicit blocking and SHA pinning.

Block Specific Actions

# .github/workflows/policy.yml
# Repository or organization settings
allowed-actions:
  verified-only: true

  # Explicitly block actions
  blocked-actions:
    - 'untrusted/action@*'
    - 'deprecated-org/*'

  # Require SHA pinning for security
  require-sha-pinning: true

SHA Pinning for Security

# Before: Version pinning (can be changed by action maintainer)
- uses: actions/checkout@v4

# After: SHA pinning (immutable)
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v4.1.1

Generate SHA-Pinned Actions

# Get commit SHA for specific version
gh api repos/actions/checkout/commits/v4.1.1 --jq '.sha'

# Or use action-security tool
npx pin-github-action actions/checkout@v4
# Output: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11

Copilot-Triggered Workflows (April 2025)

What: Workflows triggered by Copilot-authored events now require explicit approval.

Configure Copilot Workflow Approval

# .github/workflows/copilot-automation.yml
name: Copilot PR Automation

on:
  pull_request:
    types: [opened]

jobs:
  copilot-review:
    runs-on: ubuntu-latest

    # Copilot-generated PRs require approval
    if: github.event.pull_request.user.login != 'github-copilot[bot]'

    steps:
      - name: Auto-review
        run: gh pr review --approve

Manual approval required for Copilot PRs (same mechanism as fork PRs).

Artifact Storage Architecture (February 2025)

What: Artifacts moved to new architecture on February 1, 2025.

Breaking changes:

• actions/upload-artifact@v1-v2 retired March 1, 2025
• Must use actions/upload-artifact@v4+

Migration

# Old (Retired)
- uses: actions/upload-artifact@v2
  with:
    name: build-artifacts
    path: dist/

# New (Required)
- uses: actions/upload-artifact@v4
  with:
    name: build-artifacts
    path: dist/
    retention-days: 30

Windows Server 2019 Retirement (June 2025)

What: windows-2019 runner image fully retired June 30, 2025.

Migration

# Old
jobs:
  build:
    runs-on: windows-2019  # Retired

# New
jobs:
  build:
    runs-on: windows-2022  # Current
    # Or windows-latest (recommended)

Meta API for Self-Hosted Runners (May 2025)

What: New actions_inbound section in meta API for network configuration.

# Get network requirements for self-hosted runners
curl https://api.github.com/meta | jq '.actions_inbound'

# Configure firewall rules based on response
{
  "domains": [
    "*.actions.githubusercontent.com",
    "*.pkg.github.com"
  ],
  "ip_ranges": [
    "140.82.112.0/20",
    "143.55.64.0/20"
  ]
}

Best Practices for 2025

1. Use Appropriate Runners

# Use 1 vCPU for lightweight tasks
jobs:
  label-management:
    runs-on: ubuntu-latest-1-core
    timeout-minutes: 5

  # Use standard runners for builds/tests
  build:
    runs-on: ubuntu-latest

2. Immutable Releases for Production

# Always mark production releases as immutable
- name: Create Release
  run: gh release create $TAG --immutable

3. SHA Pinning for Security

# Pin actions to SHA, not tags
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
- uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8

4. Update to Node24

# Use latest Node version
- uses: actions/setup-node@v4
  with:
    node-version: '24'

5. Environment Protection

# Use environments for deployments
jobs:
  deploy:
    environment: production
    # Requires approval, wait timer, branch restrictions

Troubleshooting

1 vCPU runner timeout:

# Ensure task completes within 15 minutes
jobs:
  task:
    runs-on: ubuntu-latest-1-core
    timeout-minutes: 10  # Safety margin

Node24 compatibility issues:

# Test locally with Node24
nvm install 24
nvm use 24
npm test

Artifact upload failures:

# Use v4 of artifact actions
- uses: actions/upload-artifact@v4  # Not v1/v2

Resources

• GitHub Actions 1 vCPU Runners
• Immutable Releases
• Node24 Migration