The latest GitHub and GitHub Copilot SOC reports are now available

We are pleased to announce that our most recent SOC reports (1, 2, and 3) are available now and include GitHub Enterprise Cloud for github.com with all new regions like the EU, as well as Copilot Business and Enterprise. These reports are applicable for the 6-month period April 1, 2024 to September 30, 2024 and are available on the GitHub Enterprise Trust Center for our customers.

This represents a significant milestone for GitHub and our customers for multiple reasons:
– Copilot Business and Enterprise are now gaining coverage of control operating effectiveness over the period represented by a Type II report (as opposed to the point-in-time reports represented by the previous Type I reports issued Spring 2024)
– Coverage for Enterprises hosted in either dotcom or the newly launched EU region.
– Future regions launched for GitHub Enterprise Cloud will also be compliant.

These efforts and the culminating SOC 2 Type II reports represent GitHub’s ongoing commitment to provide secure products to our customers, which continues to provide developers the assurance to build software better, together.

Looking forward, bridge letters will be coming mid-January 2025 for the gap period representing October through December 2024. Additionally, the next round of SOC reports covering October 1, 2024 to March 31, 2025 will be available to customers in June 2025.

Deprecation notice: GitHub Pages actions to require artifacts actions v4 on GitHub.com

What’s Changing

On January 30, 2025, the actions/upload-artifact and actions/download-artifact actions will be deprecated and no longer supported. These actions are being replaced with v4 versions, offering improved performance and new features.

What You Need to Do

If your GitHub Page site is using a custom Actions workflow to deploy, it must be updated to use:

For detailed instructions and examples, see: Using custom workflows with GitHub Pages.

Key Details

  • Applies to GitHub.com only: This change does not affect GitHub Enterprise Server (GHES).
  • Deadline: Update your workflows before January 30, 2025 to avoid deployment failures.
See more

Notice of upcoming releases and breaking changes for GitHub Actions

Ubuntu-latest upcoming breaking changes

We will migrate the ubuntu-latest label to ubuntu 24 starting on December 5, 2024 and ending on January 17, 2025. The ubuntu 24 image has a different set of tools and packages than ubuntu 22. We have made cuts to the list of packages so that we can maintain our SLA for free disk space. This may break your workflows if you depend on certain packages that have been removed. Please review this list to see if you are using any affected packages.

Ubuntu 20 image is closing down

We are beginning the process of closing down the Ubuntu 20 hosted runner image, following our N-1 OS support policy. This image will be fully retired by April 1, 2025. We recommend updating workflows to use ubuntu-22.04, or ubuntu-24.04.

Artifacts v3 brownouts

Artifact actions v3 will be closing down by January 30th, 2025. To raise awareness of the upcoming removal, we will temporarily fail jobs using v3 of actions/upload-artifact or actions/download-artifact. Builds that are scheduled to run during the brownout periods will fail. The brownouts are scheduled for the following dates and times:
– January 9th 5pm – 6pm UTC
– January 16th 3pm – 7pm UTC
– January 23rd 2pm – 10pm UTC

actions/cache v1-v2 and actions/toolkit cache package closing down

Starting February 1st, 2025, Actions’ cache storage will move to a new architecture, as a result we are closing down v1-v2 of actions/cache as well as all previous versions of the @actions/cache package(prior to 4.0.0) in actions/toolkit.
Attempting to use a version of the @actions/cache package after the announced deprecation date will result in a workflow failure. Announcements have been posted in the actions/cache and actions/toolkit repositories with additional information on the migration. Note that this does not affect GitHub Enterprise Server customers, you can continue to use all versions without failure.

Updates to the network allow list for self-hosted runners and Azure private networking

With the upcoming GA of Immutable Actions, Actions will now be stored as packages in the GitHub Container Registry. Please ensure that your self-hosted runner allow lists are updated to accommodate the network traffic. Specifically, you should allow traffic to pkg.actions.githubusercontent.com to ensure Immutable Actions can be downloaded successfully and jobs don’t fail during setup. If you already allow *.actions.githubusercontent.com which is listed as an required domain then no action is necessary. Traffic will also be required to ghcr.io for publishing new versions of an Immutable Action in the future, which will be available with the GA release.

This update also affects runners in all versions of GitHub Enterprise Server that use the GitHub Connect feature to download actions directly from github.com. Customers are advised to update their self-hosted runner network allow lists accordingly. For further guidance on communication between self-hosted runners and GitHub, please refer to our documentation.

Additionally, our guidance for configuring Azure private networking has been updated to account for the new domains. The following IP addresses have been added to the NSG template in our documentation.
– 140.82.121.33/32
– 140.82.121.34/32
– 140.82.113.33/32
– 140.82.113.34/32
– 140.82.112.33/32
– 140.82.112.34/32
– 140.82.114.33/32
– 140.82.114.34/32
– 192.30.255.164/31
– 4.237.22.32/32
– 20.217.135.1/32
– 4.225.11.196/32
– 20.26.156.211/32

Upcoming breaking image changes

For a full list of this month’s breaking changes to our hosted runner images, please see our announcement page.

See more
View all changes