Advisory Database supports GitHub Actions advisories

The GitHub Advisory Database now includes curated security advisories for vulnerabilities on GitHub Actions. This brings the Advisory Database to ten supported ecosystems, including: Composer, Go, Hex, Maven, npm, NuGet, pip, RubyGems and Rust.

If you have a dependency on any vulnerable GitHub Actions, GitHub will send Dependabot alerts over the coming days.

Ubuntu 22.04 is now generally available on GitHub-hosted runners. To use it now, simply add runs-on: ubuntu-22.04 in your workflow file. Otherwise, our recommendation is to use ubuntu-latest, which currently utilizes Ubuntu 20.04 but will begin running on Ubuntu 22.04 in the near future. This will ensure your workflows are always using a recent OS and removes the need to constantly update workflow files with image versions.

jobs:
  build:
    runs-on: ubuntu-22.04
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-dotnet@v1
      - name: Build
        run: dotnet build
      - name: Run tests
        run: dotnet test

The Ubuntu 22.04 runner image has different tools and tool versions than Ubuntu 20.04.

Read more on available runner images and beta images terms of use in our documentation.

See more

The Ubuntu 18.04 Actions runner image started our deprecation process on 8/8/22 and will be fully unsupported by 12/1/22. To raise awareness of the upcoming removal, jobs using Ubuntu 18.04 will temporarily fail during scheduled time periods defined below:

  • October 3, 12:00 UTC – October 3, 14:00 UTC
  • October 18, 14:00 UTC – October 18, 16:00 UTC
  • November 15, 18:00 UTC – November 15, 20:00 UTC
  • November 30, 20:00 UTC – November 30, 22:00 UTC
  • December 15, 20:00 UTC – December 16 00:00 UTC
  • January 5, 10.00 UTC – January 5, 14.00 UTC
  • January 13, 12.00 UTC – January 13, 16.00 UTC
  • January 18, 14.00 UTC – January 18, 18.00 UTC
  • January 24, 16.00 UTC – January 24, 20.00 UTC
  • February 7, 16.00 UTC – February 7, 22.00 UTC
  • February 21, 10.00 UTC – February 21, 22.00 UTC
  • March 6, 00.00 UTC – March 7, 00.00 UTC
  • March 13, 00.00 UTC – March 14, 00.00 UTC
  • March 21, 00.00 UTC – March 22, 00.00 UTC
  • March 28, 00.00 UTC – March 29, 00.00 UTC

What you need to do

Workflows using the ubuntu-18.04 YAML workflow label should be updated to ubuntu-20.04, ubuntu-22.04, or ubuntu-latest. You can always get up-to-date information on our tools by reading about the software in GitHub Actions virtual environments. Please contact GitHub Support.

*update: we extended the deprecation schedule until April 2023 with updated dates for brownouts.

See more