GitHub Actions: Early April 2026 updates
This month, GitHub Actions adds entrypoint and command overrides for service containers and new security features including OIDC custom properties and VNET failover.
Customizing entrypoints for service containers
Many GitHub Actions users have been frustrated that service containers did not allow overriding the entrypoint or command, and have built many different workarounds as a result. Now, you can use the new entrypoint and command keys to override the image defaults from your workflow YAML. The naming and behavior match Docker Compose, so the syntax should feel familiar. See our workflow syntax docs for additional details.
Actions OIDC tokens now support repository custom properties
GitHub Actions OpenID Connect (OIDC) tokens include repository custom properties as claims, and this feature is now generally available.
This feature was previously available in public preview. You can now use repository custom properties as claims in your OIDC tokens to create more granular trust policies with your cloud providers. This lets you control access to cloud resources based on how your organization classifies its repositories, without needing to enumerate individual repository names or IDs.
With this update, you can:
- Define trust policies based on custom property values, such as environment type, team ownership, or compliance tier.
- Reduce the overhead of maintaining per-repository cloud role configurations.
- Align cloud access controls with your organization’s repository governance model.
To get started, configure custom properties on your repositories and reference them in your cloud provider’s OIDC trust policy. For more information, see our documentation on OIDC token claims.
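The following added example (not GitHub's code or any cloud provider's policy syntax) sketches how a relying party could evaluate such a trust policy over already-verified token claims, failing closed when a property is missing. The repo_property_ claim prefix, the property names, the audience and the owner ID are assumptions for illustration; take the real claim names from the OIDC token claims documentation.

```python
# Added example: trust policy keyed on repository custom properties.
# Assumes signature, expiry and key set were already verified by a JWT
# library; this function only evaluates the decoded claims.
GITHUB_ISSUER = "https://token.actions.githubusercontent.com"

# Assumption: custom properties appear as claims with this prefix.
PROPERTY_CLAIM_PREFIX = "repo_property_"

# Constructed policy: audience, owner ID and property names are hypothetical.
POLICY = {
    "audience": "api://example-cloud-role",
    "repository_owner_id": "1234567",
    "required_properties": {
        "compliance_tier": {"pci"},
        "environment_type": {"production"},
    },
}


def evaluate_trust_policy(claims, policy):
    """Return (allowed, reason); any missing or mismatched claim denies."""
    if claims.get("iss") != GITHUB_ISSUER:
        return False, "unexpected issuer"
    if claims.get("aud") != policy["audience"]:
        return False, "unexpected audience"
    # Pin the owner so the same property value set in another
    # organization's repository cannot satisfy this policy.
    if claims.get("repository_owner_id") != policy["repository_owner_id"]:
        return False, "unexpected repository owner"
    for prop, allowed_values in policy["required_properties"].items():
        value = claims.get(PROPERTY_CLAIM_PREFIX + prop)
        if value is None:
            return False, f"property {prop!r} not set on repository"
        # Non-string values (for example a list) are denied, not coerced.
        if not isinstance(value, str) or value not in allowed_values:
            return False, f"property {prop!r} value not permitted"
    return True, "all conditions met"


def sample_claims(**overrides):
    """Constructed claim set; pass name=None to drop a claim."""
    claims = {
        "iss": GITHUB_ISSUER,
        "aud": "api://example-cloud-role",
        "repository": "example-org/payments-api",
        "repository_owner_id": "1234567",
        "repo_property_compliance_tier": "pci",
        "repo_property_environment_type": "production",
    }
    claims.update(overrides)
    return {k: v for k, v in claims.items() if v is not None}
```

Pinning the organization alongside the property values matters because a property-only condition would otherwise accept any repository, in any organization, that carries the same property value.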
Azure private networking now supports VNET failover
Azure private networking for GitHub Actions hosted runners now supports failover networks in public preview. You can configure a secondary Azure subnet—optionally in a different region—so your workflows can keep running if the primary subnet becomes unavailable.
Failover can be triggered manually, through the network configuration UI or REST API, or automatically by GitHub during a regional outage. When a failover occurs, enterprise and organization admins are notified via audit log events and email. If you trigger a failover manually, you’re also responsible for switching back to the primary region when it’s available.
This feature is available to enterprise and organization accounts using Azure private networking for GitHub-hosted runners.
To learn more, see the Azure private networking documentation.