actions


As part of our ongoing efforts to keep the hosted Actions runners updated and secure, the Ubuntu 16.04 LTS virtual environment will be removed from GitHub Actions on September 20, 2021. For workflows using ubuntu-16.04, you will need to update your workflow files to run on ubuntu-latest, which will run on the Ubuntu 20.04 LTS environment instead.

To help make sure all affected customers are aware of this change, we will temporarily suspend workflows on the Ubuntu 16.04 LTS environment for two short 'brownout' periods ahead of the final removal. Builds that are scheduled to run during the brownout periods will fail. We therefore recommend that you plan to move to a supported version of Ubuntu before September 6, 2021. The brownouts are scheduled for the following dates and times:

  • September 6, 2021 5:00pm UTC – 10:00pm UTC
  • September 14, 2021 5:00pm UTC – 10:00pm UTC

You can learn more about our software and image guidelines for GitHub-hosted runners in the virtual environment repository. Please contact support if you experience any issues due to this change.


GitHub Actions now lets you control the permissions granted to the GITHUB_TOKEN secret.

The GITHUB_TOKEN is an automatically generated secret that lets you make authenticated calls to the GitHub API in your workflow runs. Actions generates a new token for each job and expires the token when the job completes. The token has write permissions to a number of API endpoints, except in the case of pull requests from forks, where it is always read-only. These new settings allow you to follow the principle of least privilege in your workflows.

Setting permissions in the workflow

A new permissions key supported at the workflow and job level enables you to specify which permissions you want for the token. Any permission that is absent from the list will be set to none.

permissions:
  actions: read|write|none
  checks: read|write|none
  contents: read|write|none
  deployments: read|write|none
  issues: read|write|none
  packages: read|write|none
  pull-requests: read|write|none
  repository-projects: read|write|none
  security-events: read|write|none
  statuses: read|write|none

Pull requests from public forks are still considered a special case and will receive a read token regardless of these settings.

Setting the default permissions for the organization or repository

A new admin setting lets you set the default permissions for the token in your organization or repository.

You can choose between two options:

  • Read/write for all scopes (current default)
  • Read repo contents

Setting the default to contents:read is sufficient for any workflows that simply need to clone and build. If you need additional permissions, you will need to specify them in your workflow YAML.
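The rules above, modelled as an added example (not GitHub's code) that resolves what a job's token ends up with and rejects mistyped scope names. It assumes a job-level block replaces the workflow-level block and that the fork rule downgrades every write to read; all function and constant names are hypothetical.

```python
# Added example: models the GITHUB_TOKEN permission rules described in the post.
SCOPES = ("actions", "checks", "contents", "deployments", "issues", "packages",
          "pull-requests", "repository-projects", "security-events", "statuses")
LEVELS = ("none", "read", "write")

# The two admin defaults named in the post, as the post describes them.
DEFAULT_READ_WRITE = {s: "write" for s in SCOPES}
DEFAULT_READ_CONTENTS = {**{s: "none" for s in SCOPES}, "contents": "read"}


def _expand(block):
    """Validate a parsed `permissions:` mapping; absent scopes become none."""
    for scope, level in block.items():
        if scope not in SCOPES:
            raise ValueError(f"unknown scope: {scope!r}")
        if level not in LEVELS:
            raise ValueError(f"invalid level for {scope}: {level!r}")
    return {s: block.get(s, "none") for s in SCOPES}


def effective_permissions(default, workflow=None, job=None, from_fork=False):
    """Return the per-scope access a job's token receives.

    Assumptions: a job-level block replaces the workflow-level block, and a
    pull request from a fork downgrades every `write` to `read`.
    """
    if job is not None:
        perms = _expand(job)
    elif workflow is not None:
        perms = _expand(workflow)
    else:
        perms = dict(default)  # no `permissions:` key anywhere: admin default
    if from_fork:
        perms = {s: "read" if v == "write" else v for s, v in perms.items()}
    return perms


def writable_scopes(perms):
    """List the scopes where the token can modify state, for review."""
    return sorted(s for s, v in perms.items() if v == "write")
```
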


Learn more about setting the token permissions

For questions, visit the GitHub Actions community

To see what’s next for Actions, visit our public roadmap


GitHub Actions now supports a concurrency key at both the workflow and job level that will ensure that only a single run or job is in progress.

There are a number of scenarios where you want only a single instance of a particular workflow or job running at any given time. For example, if you deploy to your production environment, it can be important to ensure that only a single deployment is happening at any given time and that you are always deploying the latest code. The concurrency key can be any string or an expression using the github context. When a job or run starts, it first checks whether anything is currently holding the specified concurrency group. If not, it starts. If there is a lock on the group, the job or run is marked as pending and starts only after the blocking job or run completes.

Learn more about concurrency groups in GitHub Actions

For questions, visit the GitHub Actions community

To see what's next for Actions, visit our public roadmap


GitHub CLI 1.9 allows you to work with GitHub Actions in your terminal:

  • List and view workflows and runs with gh workflow list, gh workflow view, gh run list, and gh run view
  • View the logs for a particular run with gh run view --log
  • View the logs for runs with jobs that failed with gh run view --log-failed
  • Download run artifacts with gh run download
  • Re-run runs with failed jobs using gh run rerun
  • Watch runs in progress using gh run watch
  • Trigger workflows with the workflow_dispatch event using gh workflow run
  • Enable and disable workflows with gh workflow enable and gh workflow disable

Learn more about GitHub CLI and check out the blog post to learn more about this release.


You can now use setup-java v2 to download and cache binaries from different distributions, including Adopt OpenJDK and Zulu OpenJDK.

With setup-java v2, you can:

  • Add Java distributions of your choice
  • Get native support for Adopt OpenJDK
  • Reduce your Java setup time significantly as the action can utilize pre-cached Adopt OpenJDK distributions from GitHub-hosted runner images

As part of the v2 release, setup-java now requires a mandatory distribution argument and no longer supports legacy Java version syntax 1.x. You can use our migration guide to learn more about upgrading to v2.

steps:
- uses: actions/checkout@v2
- uses: actions/setup-java@v2
  with:
    distribution: 'adopt'
    java-version: '11'
- run: java -cp java HelloWorldApp

For questions, visit the setup-java repo and GitHub Actions community


GitHub Actions deployment reviews are now available on GitHub Mobile.

You can approve or reject jobs awaiting review, view deployment status and deployed environments, and receive push notifications for requests for your review for a given deployment. Deployments awaiting your approval will also appear within the Notifications tab on GitHub Mobile.



Learn more about reviewing deployments on GitHub Actions.

For questions, visit the GitHub Actions community.

Read more about GitHub Mobile and send us your feedback to help us improve.


The Audit Log now includes events associated with GitHub Actions workflow runs. This data provides enterprise customers with a greatly expanded data set for security and compliance audits.

New events will be incorporated into the audit log when:

  • A workflow run is created, completed, deleted, or re-run
  • A workflow job is prepared. Importantly, this job will include the list of secrets that were provided to the runner
  • A self-hosted runner’s version is updated


These new events are only available to customers on the Enterprise plan. All events are available in the REST API, and all events except for workflow run created, workflow run completed, and workflow job prepared are available in the UI and exports.

Learn more about Audit Log events

For questions please visit the GitHub Actions community forum

To see what’s next for GitHub Actions, visit our public roadmap.


Starting March 1st, 2021 workflow runs that are triggered by Dependabot from push, pull_request, pull_request_review, or pull_request_review_comment events will be treated as if they were opened from a repository fork. This means they will receive a read-only GITHUB_TOKEN and will not have access to any secrets available in the repository. This will cause any workflows that attempt to write to the repository to fail.

This change will affect all repositories, both public and private, regardless of how they are configured, and is being made to prevent potentially compromised dependencies from capturing secrets referenced in your workflows.

If your workflow needs to have a write token or access to secrets, you can use the pull_request_target event; however, please read "Keeping your GitHub Actions and workflows secure: Preventing pwn requests" to better understand the risks.

For questions, visit the GitHub Actions community

To see what’s next for Actions, visit our public roadmap


You can now limit which branches can deploy to an environment using Environment protection rules.

When a job tries to deploy to an environment with Deployment branches configured, Actions will check the value of github.ref against the configuration. If it does not match, the job will fail and the run will stop.

The Deployment branches rule can be configured to allow:

  1. All branches – Any branch in the repository can deploy

  2. Protected branches – Only branches with protection rules

  3. Selected branches – Branches matching a set of name patterns


Learn more about Environment protection rules

For questions, visit the GitHub Actions community

To see what's next for Actions, visit our public roadmap


GitHub Actions now supports skipping push and pull_request workflows by looking for some common keywords in your commit message.

If any commit message in your push or the HEAD commit of your PR contains the strings [skip ci], [ci skip], [no ci], [skip actions], or [actions skip], workflows triggered on the push or pull_request events will be skipped.

For questions, visit the GitHub Actions community

To see what's next for Actions, visit our public roadmap


Beginning March 1, 2021, we will remove .NET Core 3.0 from macOS 10.15, Ubuntu 16.04, and Ubuntu 18.04 virtual environments for GitHub-hosted runners. We follow a general guideline of removing software tools from our hosted images six months after they are deprecated, and .NET Core 3.0 reached its end of life on March 3, 2020.

You can continue to use .NET Core 3.0 with our setup-dotnet action. The setup-dotnet action is always the recommended way of using .NET with GitHub Actions because it ensures consistent behavior across different runners or versions of .NET and protects your workflow from possible future deprecation of additional .NET versions:

steps:
- uses: actions/checkout@main
- uses: actions/setup-dotnet@v1
  with:
    dotnet-version: '3.0.x'
- run: dotnet build <my project>

For the latest updates, be sure to subscribe to the announcement in the actions/virtual-environments repository.


On February 15th, GitHub Actions will remove support for referencing actions using the shortened version of a git commit SHA. This may cause some workflows in your repository to break. To fix these workflows, you will need to update the action reference to use the full commit SHA.

For example, if your workflow references actions/checkout@5a4ac90, you should change it to actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f. You can find the full commit SHA in the referenced action's repository.

This change is being made to align product functionality with our published security guidance.
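To find affected references before the cutoff, the added example below (not GitHub tooling) scans workflow text for `uses:` lines and classifies each ref. The regular expressions, function names and the constructed sample workflow are assumptions; a tag or branch whose name happens to be all hex digits is also reported as a short SHA and needs manual review.

```python
import re

# Matches `uses: owner/repo[/path]@ref` on a step line. Local (./path) and
# docker:// references carry no @ref in this form and are not matched.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([\w.-]+/[\w./-]+)@([^\s'\"#]+)")
FULL_SHA = re.compile(r"[0-9a-f]{40}")
HEX_ONLY = re.compile(r"[0-9a-f]{4,39}")


def classify_ref(ref):
    """Classify an action ref as full-sha, short-sha or tag-or-branch."""
    if FULL_SHA.fullmatch(ref):
        return "full-sha"
    if HEX_ONLY.fullmatch(ref):
        return "short-sha"  # abbreviated commit SHA (or a hex-looking name)
    return "tag-or-branch"


def audit_workflow(text):
    """Return (line number, action, ref, kind) for every `uses:` reference."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = USES_RE.match(line)
        if match:
            action, ref = match.groups()
            findings.append((lineno, action, ref, classify_ref(ref)))
    return findings


def short_sha_refs(text):
    """Only the references that must be rewritten to a full commit SHA."""
    return [f for f in audit_workflow(text) if f[3] == "short-sha"]


# Constructed sample workflow, reusing the references quoted in the post.
SAMPLE = """\
steps:
- uses: actions/checkout@5a4ac90
- uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f
- uses: actions/setup-java@v2
  with:
    distribution: 'adopt'
"""

if __name__ == "__main__":
    for lineno, action, ref, kind in audit_workflow(SAMPLE):
        print(f"line {lineno}: {action}@{ref} -> {kind}")
```
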


Today we are releasing an open beta for the new continuous delivery capabilities in GitHub Actions. In this open beta there is no need to sign up: all existing GitHub organizations and accounts can use the new capabilities in their public repositories, and GitHub Enterprise Cloud organizations can use them in all repositories.

The addition of environment protection rules and environment secrets enables separation of concerns between deployment and development to meet compliance and security requirements. The required reviewers environment protection rule will automatically pause a job trying to deploy to the protected environment and notify the reviewers. Once approved, the job runs and is given secured access to the environment’s secrets. Also, the environments page includes a deployment log and information on the latest code change deployed to each environment.


Learn more about environments

For questions, visit the GitHub Actions community

To see what's next for Actions, visit our public roadmap
