actions

Subscribe to all “actions” posts via RSS or follow GitHub Changelog on Twitter to stay updated on everything we ship.

~ cd github-changelog
~/github-changelog|main git log main
showing all changes successfully

We changed the GitHub Actions self-hosted runner group default access to disable "Allow public repositories." This change impacts runner groups created before Sep 4, 2020 and changes those runner groups to a more secure default.

GitHub does not recommend the use of self-hosted runners with public repositories. If you are aware of the risks, and you choose to run workflows on your public repositories, you can update your runner group access to “Allow public repositories.”

Learn more about managing access to self-hosted runners.

See more

You can now change the maximum retention days for artifacts and logs in GitHub Actions, allowing you to better manage your storage space and to comply with your organizational retention policies.

With custom retention days, you can delete artifacts and logs sooner than the existing default of 90 days. Optionally, for private, internal and GitHub Enterprise repositories, you can retain artifacts and logs for over a year.

Retention days can be defined in the Actions Settings or in the YAML at an enterprise, organization, repository, or an individual artifact level.

Here’s an example of changing retention days in Actions Settings and in the YAML:

- uses: actions/upload-artifact
  with:
    name: my-artifact
    path: ./my_path
    retention-days: 30

Learn more about custom artifacts and log retention days and visit the GitHub Actions community forum for questions.

See more

A moderate security vulnerability has been identified in the GitHub Actions runner that can allow environment variable and path injection in workflows that log untrusted data to STDOUT. This can result in environment variables being introduced or modified without the intention of the workflow author.

To allow us to address this issue and maintain the ability for you to dynamically set environment variables we have introduced a new set of files to manage environment and path updates in workflows.

Patching your actions and workflows

If you are using self-hosted runners make sure they are updated to version 2.273.1 or greater.

Action authors who are using the toolkit should update the @actions/core package to v1.2.6 or greater to get the updated addPath and exportVariable functions.

Action and workflow authors who are setting environment variables via STDOUT should update any usage of the set-env and add-path workflow commands to use the new environment files.

If you need to log untrusted information such as issue titles, bodies, or commit messages to STDOUT we recommend that you disable command processing prior to doing that.

As an example in bash you could do the following:

jobs:
  example-job:
    name: example
    runs-on: ubuntu-latest
    steps:
    - name: log untrusted output
      run: |

        # disable command workflow processing
        echo "::stop-commands::`echo -n ${{ github.token }} | sha256sum | head -c 64`"

        # log untrusted output
        echo "untrusted output"

        # enable workflow command processing
        echo "::`echo -n ${{ github.token }} | sha256sum | head -c 64`::"

In a JavaScript Action:

import {v4 as uuidv4} from 'uuid'

// disable workflow commands
const token = uuidv4()
console.log(`::stop-commands::${token}`)

// log untrusted output
console.log("untrusted output")

// enable workflow commands
console.log(`::${token}::`)

For other languages you need to generate a suitably random token that changes with each run.

See Stopping and starting workflow commands to learn more.

Starting today runner version 2.273.5 will begin to warn you if you use the add-path or set-env commands. We are monitoring telemetry for the usage of these commands and plan to fully disable them in the future.

Learn more about CVE-2020-15228

@actions/core npm package

Learn more about the new environment files

For questions please visit the GitHub Actions community forum

See more

You can now fine-tune access to external actions. These updated settings make it easier to achieve your security and compliance goals with GitHub Actions.

  • You can limit external actions to just those created by GitHub, those in the Marketplace that were created by verified authors, or a combination
  • You can optionally list specific external actions. Wildcards, tags, and SHAs enable flexibility and specificity

image

Learn more about external action policies

For questions please visit the GitHub Actions community forum

To see what's next for GitHub Actions, visit our public roadmap.

See more

Starting today you can temporarily disable a GitHub Actions workflow either in the UI or through the API. With this functionality you can stop a workflow from being triggered without having to delete the file from the repo. Later you can easily re-enable it again from the UI or through the API.

This new functionality can be useful in some situations, for example:

  • An error on a workflow is producing too many or wrong requests impacting external services negatively.
  • You want to temporarily pause a workflow that is not critical and is consuming too many minutes on your account.
  • You want to pause a workflow that is doing requests to a service that is down.
  • You are working on a fork and you don't need all the functionality of some workflows it includes (e.g. scheduled workflows).

For questions please visit the GitHub Actions community forum

To see what's next for GitHub Actions, visit our public roadmap

See more

You can now use images from private registries in job and service containers.

Job and Service containers in GitHub Actions allow you to containerize your CI environment and make databases, caches, or other services available to your tests. Previously those containers had to come from a public container registry which limited the usefulness for some customers. Additionally, we had numerous requests from the GitHub community forums for private registry support.

Here’s an example of using private images from Docker Hub and GitHub Container Registry:

jobs:
  build:
    container:
      image: octocat/ci-image:latest
      credentials:
        username: mona
        password: ${{ secrets.docker_hub_password}}
    services:
      db:
        image:  ghcr.io/octocat/testdb:latest
        credentials:
          username: ${{ github.repository_owner }}
          password: ${{ secrets.ghcr_password }}

For questions, visit the GitHub Actions community forum.

To see what’s next for GitHub Actions, visit our public roadmap.

See more

Logs for GitHub Actions have gotten a significant update. Some major enhancements and new features include:

  • Styling changes to improve readability
  • An improved search experience for large logs
  • Auto-scrolling and expansion if a step fails
  • Redesigned errors and warnings
  • Clickable URLs
  • Support for more colors
  • Full-screen mode

Check out our detailed blog post on the new Logs Experience for more information.

For questions please visit the GitHub Actions community forum

To see what's next for GitHub Actions, visit our public roadmap

See more

Account and billing admins can now provide a list of email addresses to receive billing notifications, including threshold notifications for Actions and Packages.

The email addresses may belong to users such as repo admins, individuals who are not actually part of your GitHub organization (e.g. in the procurement department at your company), or even be distribution lists.

Visit the documentation on how to set a billing email to learn more.

See more

You can now create reusable actions using shell scripts and even mix multiple shell languages in the same action. You probably have a lot of shell script to automate many tasks, now you can easily turn them into an action and reuse them for different workflows. Sometimes it’s easier to just write a shell script than JavaScript or Docker. Now you don’t have to worry about wrapping your scripts in Docker containers.

Here’s an example of how you can use composite run steps actions:

Composite Run Step Example

workflow.yml:

jobs:
  build:
    runs-on: windows-latest
    steps:
    - uses: actions/checkout@v2
    - uses: octocat/say-hello@v1
      with: 
        name: OctoCat

octocat/say-hello/action.yml:

inputs:
  name: 
    description: 'Your name'
    default: 'No name provided'
runs:
  using: "composite"
  steps: 
    - run: echo Hello ${{ inputs.name }}.
      shell: bash
    - run: echo "Nice to meet you!"
      shell: pwsh

Learn more about composite run steps and visit the GitHub Actions community forum for questions.

See more

We’ve made some changes in GitHub Actions to better support communities who have chosen to move away from using master as their default branch name.

We have updated all of our starter workflows to use a new $default-branch macro rather than the previously hardcoded master. You can take advantage of this feature in your custom starter workflow templates as well.

In addition, we have renamed the default branch for most of the GitHub-authored actions from master to main. All of your workflows that reference the old branch name will still work. However, you’ll see a prompt to change to the new name when you edit the workflow on the web.

This change is one of many changes GitHub is making to support projects and maintainers that want to rename their default branch. To learn more about the changes we’re making, see github/renaming.

See more

We have released the ability to delete completed workflow runs in the Actions tab. If you have write access to the repository, you can now see a new option to delete the workflow run in the dropdown menu.

You'll be advised that deleting a workflow run could prevent existing PRs from being able to be merged. This can happen if you have protected branch rules requiring certain status checks to pass.

See more

Run workflow button for workflow with workflow_dispatch

You can now create workflows that are manually triggered with the new workflow_dispatch event.
You will then see a ‘Run workflow’ button on the Actions tab, enabling you to easily trigger a run.
You can choose which branch the workflow is run on.
In addition, you can optionally specify inputs, which GitHub will present as form elements in the UI. Workflow dispatch inputs are specified with the same format as action inputs.

For example:

on: 
  workflow_dispatch:
    inputs:
      logLevel:
        description: 'Log level'     
        required: true
        default: 'warning'
      tags:
        description: 'Test scenario tags'  

The triggered workflow receives the inputs in the github.event context.

For example:

jobs:
  printInputs:
    runs-on: ubuntu-latest
    steps:
    - run: |
        echo "Log level: ${{ github.event.inputs.logLevel }}"
        echo "Tags: ${{ github.event.inputs.tags }}" 

If you have any questions or thoughts about these changes, we recommend asking in our GitHub Community Forum’s Actions Board!

See more

You can now create workflow templates, making it easier to promote best practices and consistency across your organization.

  • Workflow templates are defined in a .github repository, enabling you to leverage all the power of GitHub’s collaborative capabilities and providing full auditability
  • You can optionally define rules for which repositories are a best fit for the templates

Learn more about workflow templates

For questions please visit the GitHub Actions community forum

See more