Introducing “CI/CD Admin” – A New Pre-Defined Organization Role for GitHub Actions

We are excited to introduce the CI/CD Admin role, a pre-defined organization role designed to streamline the management of settings and policies for GitHub Actions.

In March 2024, GitHub announced fine-grained permissions for Actions, which organizations could apply to custom roles. However, organizations are limited to 10 custom roles, and many customers prefer not to use these slots for an all-encompassing CI/CD role that requires ongoing updates as new permissions are added.

With the new CI/CD Admin role, organization owners and teams can now delegate comprehensive CI/CD management to individuals without the need to maintain a custom role. This pre-defined role, maintained by GitHub, includes the following permissions:

  • Actions general settings
  • Organization runners and runner groups
  • Actions secrets
  • Actions variables
  • Network configuration
  • Actions usage metrics

For more details about pre-defined organization roles and the fine-grained permissions included in the CI/CD Admin role, please refer to our documentation.

CodeQL version 2.19.0 has been released and has now been rolled out to code scanning users on GitHub.com. CodeQL is the static analysis engine that powers GitHub code scanning.

Important changes by version include:

  • CodeQL 2.18.2
    • Support for scanning Java codebases without needing a build is generally available.
    • The Python py/cookie-injection query, which finds instances of cookies being constructed from user input, is now part of the main query pack.
    • One new query for Ruby, rb/weak-sensitive-data-hashing, which detects cases where sensitive data is hashed using a weak cryptographic hashing algorithm.
  • CodeQL 2.18.3
    • New C# models for local sources from System.IO.Path.GetTempPath and System.Environment.GetFolderPath.
  • CodeQL 2.18.4
    • Support for scanning C# codebases without needing a build is generally available.
    • Support for Go 1.23.
  • CodeQL 2.19.0
    • Support for TypeScript 5.6.
    • One new query for JavaScript, js/actions/actions-artifact-leak, which detects GitHub Actions artifacts that may leak the GITHUB_TOKEN.
    • A 13.7% evaluator speed improvement over the CodeQL 2.17.0 release.

For a full list of changes, please refer to the complete changelog for versions 2.18.2, 2.18.3, 2.18.4 and 2.19.0.

All new functionality from 2.18.Z releases will be included in GHES 3.15, while functionality from 2.19.0 will be included in GHES 3.16. If you use GHES 3.14 or older, you can upgrade your CodeQL version.


Ubuntu 24 for GitHub-hosted runners is now GA

The Ubuntu 24.04 image for Actions is now generally available. To use Ubuntu 24 directly on your GitHub-hosted runners, update runs-on: in your workflow file to ubuntu-24.04.

jobs:
  build:
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-dotnet@v4
      - name: Build
        run: dotnet build
      - name: Run tests
        run: dotnet test

The Ubuntu 24.04 runner image has different tools and tool versions than Ubuntu 22.04.

ubuntu-latest migration

The ubuntu-latest label will migrate to Ubuntu 24 over the course of the next month, beginning September 23rd and finishing on October 30th. During migration, you can determine if your job has migrated by viewing the “Runner Image” information in the “Set up job” step of your Actions logs.
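To see ahead of time which jobs the migration will move, you can audit workflow files for the floating label. The script below is an added example, not GitHub tooling: the function name floating_label_jobs and the sample workflow are constructed for illustration, and it uses a line-based heuristic for common workflow layouts rather than a full YAML parser.

```python
import re

def floating_label_jobs(workflow_text, label="ubuntu-latest"):
    """Return [(job, line_no, kind)]; kind is 'runs-on' (named directly, as a
    scalar or list) or 'matrix' (listed in the job's strategy matrix)."""
    token = re.compile(r"(?<![\w.-])" + re.escape(label) + r"(?![\w.-])")
    findings, in_jobs, job, job_indent, block = [], False, None, None, None
    for no, raw in enumerate(workflow_text.splitlines(), 1):
        line = re.sub(r"(^|\s)#.*$", "", raw).rstrip()    # drop YAML comments
        if not line.strip():
            continue
        indent, text = len(line) - len(line.lstrip()), line.strip()
        if indent == 0:                                   # top-level key
            in_jobs, job, block = text == "jobs:", None, None
        elif not in_jobs:
            continue
        elif job_indent in (None, indent) and text.endswith(":"):
            job_indent, job, block = indent, text[:-1], None   # a new job starts
        elif block and (indent > block[0] or (indent == block[0] and text[0] == "-")):
            if token.search(text):                        # value continued on later lines
                findings.append((job, no, block[1]))
        else:
            block = None
            m = re.match(r"(runs-on|matrix):\s*(.*)$", text)
            if m and token.search(m.group(2)):
                findings.append((job, no, m.group(1)))
            if m and not m.group(2):
                block = (indent, m.group(1))              # list or mapping follows
    return findings

SAMPLE = """\
jobs:
  build:
    runs-on: ubuntu-latest   # floating label
    steps:
      - run: echo "ubuntu-latest inside a script is ignored"
  pinned:
    runs-on: ubuntu-24.04
  matrixed:
    strategy:
      matrix:
        os: [ubuntu-latest, ubuntu-24.04]
    runs-on: ${{ matrix.os }}
  listed:
    runs-on:
      - ubuntu-latest
"""  # constructed sample workflow, not taken from a real repository

print(floating_label_jobs(SAMPLE))
```

A 'matrix' finding means the label is listed in the job's matrix; confirm that runs-on actually reads that matrix key before treating the job as affected.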

macOS 15 for GitHub-hosted runners in Public Beta

The macOS 15 image for Actions is now available in public beta. To use macOS 15 directly, update runs-on: in your workflow file to macos-15, macos-15-xlarge, or macos-15-large.

jobs:
  build:
    runs-on: macos-15
    steps:
      - uses: actions/checkout@v4
      - name: Build
        run: swift build
      - name: Run tests
        run: swift test

The macOS 15 runner image has different tools and tool versions than macOS 14.

To view the list of installed software for each image, or report issues, head to the runner-images repository.
