
actions


GitHub Actions now supports a concurrency key at both the workflow and job level that will ensure that only a single run or job is in progress.

There are a number of scenarios where you only want a single instance of a particular workflow or job running at any given time. For example, if you deploy to your production environment, it can be important to ensure that only a single deployment is happening at any given time and that you are always deploying the latest code. The concurrency key can be any string or an expression using the github context. When a job or run starts, it first checks whether anything currently holds the specified concurrency group. If not, it starts. If there is a lock on the group, the job or run is marked as pending and only starts after the blocking job or run completes.

Learn more about concurrency groups in GitHub Actions

For questions, visit the GitHub Actions community

To see what's next for Actions, visit our public roadmap


GitHub CLI 1.9 allows you to work with GitHub Actions in your terminal:

  • List and view workflows and runs with gh workflow list, gh workflow view, gh run list, and gh run view
  • View the logs for a particular run with gh run view --log
  • View the logs for runs with jobs that failed with gh run view --log-failed
  • Download run artifacts with gh run download
  • Re-run runs with failed jobs using gh run rerun
  • Watch runs in progress using gh run watch
  • Trigger workflows with the workflow_dispatch event using gh workflow run
  • Enable and disable workflows with gh workflow enable and gh workflow disable

Learn more about GitHub CLI and check out the blog post to learn more about this release.


You can now use setup-java v2 to download and cache binaries from different distributions, including Adopt OpenJDK and Zulu OpenJDK.

With setup-java v2, you can:

  • Add Java distributions of your choice
  • Get native support for Adopt OpenJDK
  • Reduce your Java setup time significantly as the action can utilize pre-cached Adopt OpenJDK distributions from GitHub-hosted runner images

As part of the v2 release, setup-java now requires a mandatory distribution argument and no longer supports legacy Java version syntax 1.x. You can use our migration guide to learn more about upgrading to v2.

steps:
- uses: actions/checkout@v2
- uses: actions/setup-java@v2
  with:
    distribution: 'adopt'
    java-version: '11'
- run: java -cp java HelloWorldApp

For questions, visit the setup-java repo and GitHub Actions community


GitHub Actions deployment reviews are now available on GitHub Mobile.

You can approve or reject jobs awaiting review, view deployment status and deployed environments, and receive push notifications for requests for your review for a given deployment. Deployments awaiting your approval will also appear within the Notifications tab on GitHub Mobile.


Learn more about reviewing deployments on GitHub Actions.

For questions, visit the GitHub Actions community.

Read more about GitHub Mobile and send us your feedback to help us improve.


The Audit Log now includes events associated with GitHub Actions workflow runs. This data provides enterprise customers with a greatly expanded data set for security and compliance audits.

New events will be incorporated into the audit log when:

  • A workflow run is created, completed, deleted, or re-run
  • A workflow job is prepared. Importantly, this job will include the list of secrets that were provided to the runner
  • A self-hosted runner’s version is updated


These new events are only available to customers on the Enterprise plan. All events are available in the REST API, and all events except for workflow run created, workflow run completed, and workflow job prepared are available in the UI and exports.

Learn more about Audit Log events

For questions please visit the GitHub Actions community forum

To see what’s next for GitHub Actions, visit our public roadmap.


Starting March 1st, 2021, workflow runs that are triggered by Dependabot from push, pull_request, pull_request_review, or pull_request_review_comment events will be treated as if they were opened from a repository fork. This means they will receive a read-only GITHUB_TOKEN and will not have access to any secrets available in the repository. This will cause any workflows that attempt to write to the repository to fail.

This change will affect all repositories, both public and private, regardless of how they are configured, and is being made to prevent potentially compromised dependencies from capturing secrets referenced in your workflows.

If your workflow needs to have a write token or access to secrets, you can use the pull_request_target event; however, please read "Keeping your GitHub Actions and workflows secure: Preventing pwn requests" to better understand the risks.

For questions, visit the GitHub Actions community

To see what’s next for Actions, visit our public roadmap


You can now limit which branches can deploy to an environment using Environment protection rules.

When a job tries to deploy to an environment with Deployment branches configured, Actions will check the value of github.ref against the configuration. If it does not match, the job will fail and the run will stop.

The Deployment branches rule can be configured to allow:

  1. All branches – Any branch in the repository can deploy

  2. Protected branches – Only branches with protection rules

  3. Selected branches – Branches matching a set of name patterns


Learn more about Environment protection rules

For questions, visit the GitHub Actions community

To see what's next for Actions, visit our public roadmap


GitHub Actions now supports skipping push and pull_request workflows by looking for some common keywords in your commit message.

If any commit message in your push or the HEAD commit of your PR contains the strings [skip ci], [ci skip], [no ci], [skip actions], or [actions skip], workflows triggered on the push or pull_request events will be skipped.

For questions, visit the GitHub Actions community

To see what's next for Actions, visit our public roadmap


Beginning March 1, 2021, we will remove .NET Core 3.0 from macOS 10.15, Ubuntu 16.04, and Ubuntu 18.04 virtual environments for GitHub-hosted runners. We follow a general guideline of removing software tools from our hosted images six months after they are deprecated, and .NET Core 3.0 reached its end of life on March 3, 2020.

You can continue to use .NET Core 3.0 with our setup-dotnet action. The setup-dotnet action is always the recommended way of using .NET with GitHub Actions because it ensures consistent behavior across different runners or versions of .NET and protects your workflow from possible future deprecation of additional .NET versions:

steps:
- uses: actions/checkout@main
- uses: actions/setup-dotnet@v1
  with:
    dotnet-version: '3.0.x'
- run: dotnet build <my project>

For the latest updates, be sure to subscribe to the announcement in the actions/virtual-environments repository.


On February 15th, GitHub Actions will remove support for referencing actions using the shortened version of a git commit SHA. This may cause some workflows in your repository to break. To fix these workflows, you will need to update the action reference to use the full commit SHA.

For example, if your workflow references actions/checkout@5a4ac90, you should change it to actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f. You can find the full commit SHA in the referenced action's repository.

This change is being made to align product functionality with our published security guidance.
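
A check for the change described above, as an added example that is not GitHub's own code: it scans a workflow's uses: lines and classifies each reference, so shortened SHAs can be found before they break a run. The sample workflow is constructed, and the names classifyRef, auditActionRefs and refsToFix are hypothetical.

```javascript
// Constructed sample workflow; the two checkout references are the ones
// quoted in the changelog entry above.
const SAMPLE_WORKFLOW = `
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@5a4ac90
    - uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f
    - uses: actions/setup-java@v2   # tag
    - uses: ./.github/actions/local-step
    - uses: docker://alpine:3.12
`;

// Classify the part after "@". A 7-39 character hex string is treated as a
// shortened SHA; a tag or branch whose name is pure hex would be flagged too
// and needs a manual look.
function classifyRef(ref) {
  if (/^[0-9a-f]{40}$/i.test(ref)) return 'full-sha';
  if (/^[0-9a-f]{7,39}$/i.test(ref)) return 'short-sha';
  return 'tag-or-branch';
}

// Return one finding per `uses:` line: { line, target, kind }.
function auditActionRefs(workflowText) {
  const findings = [];
  workflowText.split(/\r?\n/).forEach((line, i) => {
    const m = line.match(/^\s*(?:-\s+)?uses:\s*['"]?([^'"\s#]+)/);
    if (!m) return;
    const target = m[1];
    let kind;
    if (target.startsWith('./') || target.startsWith('docker://')) {
      kind = 'not-a-git-ref'; // local action or container image
    } else {
      const at = target.lastIndexOf('@');
      kind = at === -1 ? 'missing-ref' : classifyRef(target.slice(at + 1));
    }
    findings.push({ line: i + 1, target, kind });
  });
  return findings;
}

// References that must be rewritten to the full commit SHA.
function refsToFix(workflowText) {
  return auditActionRefs(workflowText)
    .filter((f) => f.kind === 'short-sha' || f.kind === 'missing-ref');
}
```

Findings of kind tag-or-branch still resolve, but only full-sha references are immutable.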


Today we are releasing an open beta for the new continuous delivery capabilities in GitHub Actions. In this open beta there is no need to sign up: all existing GitHub organizations and accounts can use the new capabilities in their public repositories, and GitHub Enterprise Cloud organizations can use them in all repositories.

The addition of environment protection rules and environment secrets enables separation of concerns between deployment and development to meet compliance and security requirements. The required reviewers environment protection rule will automatically pause a job trying to deploy to the protected environment and notify the reviewers. Once approved, the job runs and is given secured access to the environment’s secrets. Also, the environments page includes a deployment log and information on the latest code change deployed to each environment.

Learn more about environments

For questions, visit the GitHub Actions community

To see what's next for Actions, visit our public roadmap


GitHub Actions can now generate a visual graph of your workflow on every run. With workflow visualization, you can

  • view and understand complex workflows
  • track progress of workflows in real-time
  • troubleshoot runs quickly by easily accessing logs and jobs metadata
  • monitor progress of deployment jobs and easily access deployment targets

Workflow visualization for GitHub Actions is now available in a public beta. To view a visual graph of your workflow, simply navigate to the workflow home page and select the run for which you would like to see the graph.

For questions, visit the GitHub Actions community

To see what's next for Actions, visit our public roadmap


On October 1, 2020, we published a CVE outlining a vulnerability in the set-env and add-path workflow commands feature of GitHub Actions, and announced that we would be deprecating those features. In addition, we began warning customers in their Actions logs about the coming deprecation and provided guidance on how to migrate to the replacement functionality.

Specific vulnerabilities introduced by these commands have been patched, but in order to completely close the attack vector we need to disable the set-env and add-path workflow commands.

Security and transparency are essential to maintaining your trust. Therefore, while our investigations show no evidence at this time of this vulnerability being exploited, out of an abundance of caution, we will disable those commands and start failing workflow runs that use them on November 16, 2020.

For details on how to use the new functionality and prevent your workflows from breaking please see https://github.blog/changelog/2020-10-01-github-actions-deprecating-set-env-and-add-path-commands/.

Update 11/19/2020: Version [v2.274.2](https://github.com/actions/runner/releases/tag/v2.274.2) of the GitHub Actions runner removes support for these commands and has been rolled out across GitHub.


Workflows using the ubuntu-latest runner label will soon run on Ubuntu-20.04. GitHub Actions has supported Ubuntu-20.04 in preview mode since June 2. During these past four months we have monitored image stability and customer feedback, and waited for a range of critical software tools to improve support for Ubuntu-20.04.

Now Ubuntu-20.04 is ready to be the default version for the ubuntu-latest label in GitHub Actions workflows. This change will be rolled out over a period of several weeks beginning on November 30, 2020.

If you see any issues with your workflows when they are transitioned to Ubuntu-20.04:

  • File an issue in the virtual-environments repository
  • Switch back to Ubuntu 18.04 by specifying the ubuntu-18.04 runner label. We will continue to support Ubuntu 18.04.

Note that image software between Ubuntu-18.04 and Ubuntu-20.04 differs by the pre-installed and default versions of some tools. See the full list of changed software.


We changed the GitHub Actions self-hosted runner group default access to disable "Allow public repositories." This change impacts runner groups created before Sep 4, 2020 and changes those runner groups to a more secure default.

GitHub does not recommend the use of self-hosted runners with public repositories. If you are aware of the risks, and you choose to run workflows on your public repositories, you can update your runner group access to “Allow public repositories.”

Learn more about managing access to self-hosted runners.


You can now change the maximum retention days for artifacts and logs in GitHub Actions, allowing you to better manage your storage space and to comply with your organizational retention policies.

With custom retention days, you can delete artifacts and logs sooner than the existing default of 90 days. Optionally, for private, internal and GitHub Enterprise repositories, you can retain artifacts and logs for over a year.

Retention days can be defined in the Actions Settings or in the YAML at an enterprise, organization, repository, or an individual artifact level.

Here’s an example of changing retention days in Actions Settings and in the YAML:

- uses: actions/upload-artifact@v2
  with:
    name: my-artifact
    path: ./my_path
    retention-days: 30

Learn more about custom artifacts and log retention days and visit the GitHub Actions community forum for questions.


A moderate security vulnerability has been identified in the GitHub Actions runner that can allow environment variable and path injection in workflows that log untrusted data to STDOUT. This can result in environment variables being introduced or modified without the intention of the workflow author.

To allow us to address this issue and maintain the ability for you to dynamically set environment variables, we have introduced a new set of files to manage environment and path updates in workflows.

Patching your actions and workflows

If you are using self-hosted runners, make sure they are updated to version 2.273.1 or greater.

Action authors who are using the toolkit should update the @actions/core package to v1.2.6 or greater to get the updated addPath and exportVariable functions.

Action and workflow authors who are setting environment variables via STDOUT should update any usage of the set-env and add-path workflow commands to use the new environment files.

If you need to log untrusted information such as issue titles, bodies, or commit messages to STDOUT, we recommend that you disable command processing prior to doing that.

As an example, in bash you could do the following:

jobs:
  example-job:
    name: example
    runs-on: ubuntu-latest
    steps:
    - name: log untrusted output
      run: |

        # disable workflow command processing
        echo "::stop-commands::`echo -n ${{ github.token }} | sha256sum | head -c 64`"

        # log untrusted output
        echo "untrusted output"

        # enable workflow command processing
        echo "::`echo -n ${{ github.token }} | sha256sum | head -c 64`::"

In a JavaScript Action:

import {v4 as uuidv4} from 'uuid'

// disable workflow commands
const token = uuidv4()
console.log(`::stop-commands::${token}`)

// log untrusted output
console.log("untrusted output")

// enable workflow commands
console.log(`::${token}::`)

For other languages you need to generate a suitably random token that changes with each run.

See Stopping and starting workflow commands to learn more.
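
Why the stop-commands wrapper and its random token matter, as an added example: this is a simplified model of how log lines are turned into workflow commands, not the runner's real code, and it reproduces the pre-fix set-env behaviour only to show the effect. The names processLog and guardUntrusted and all sample lines are constructed for illustration.

```javascript
// Simplified model: read log lines, apply set-env commands, honour
// ::stop-commands::TOKEN ... ::TOKEN:: the way the examples above use it.
function processLog(lines) {
  const env = {};
  let stopToken = null; // non-null while command processing is disabled
  for (const line of lines) {
    if (stopToken !== null) {
      if (line === `::${stopToken}::`) stopToken = null; // resume processing
      continue; // anything else is plain log text
    }
    const stop = line.match(/^::stop-commands::(.+)$/);
    if (stop) {
      stopToken = stop[1];
      continue;
    }
    const setEnv = line.match(/^::set-env name=([^:]+)::(.*)$/);
    if (setEnv) env[setEnv[1]] = setEnv[2];
  }
  return env;
}

// Hypothetical helper: wrap untrusted lines between stop and resume markers.
function guardUntrusted(untrustedLines, token) {
  return [`::stop-commands::${token}`, ...untrustedLines, `::${token}::`];
}

// Constructed sample: untrusted text (for example an issue title) that
// happens to look like a command, followed by the workflow's own command.
const UNTRUSTED = ['::set-env name=EXAMPLE_FLAG::injected'];
const TRUSTED_AFTER = ['::set-env name=BUILD_MODE::release'];

// 1. Logged as-is: the untrusted line changes the environment.
const unguarded = processLog([...UNTRUSTED, ...TRUSTED_AFTER]);

// 2. Wrapped with a per-run random token: only the workflow's own command
//    takes effect.
const guarded = processLog(
  [...guardUntrusted(UNTRUSTED, 'c0ffee-per-run-token'), ...TRUSTED_AFTER]);

// 3. Wrapped with a fixed token that the untrusted text also contains:
//    processing resumes early and the wrapper gives no protection.
const fixedToken = processLog(
  guardUntrusted(['::fixed::', ...UNTRUSTED], 'fixed'));
```

Case 3 is the reason the token has to be random and change with each run.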

Starting today, runner version 2.273.5 will begin to warn you if you use the add-path or set-env commands. We are monitoring telemetry for the usage of these commands and plan to fully disable them in the future.

Learn more about CVE-2020-15228

@actions/core npm package

Learn more about the new environment files

For questions please visit the GitHub Actions community forum


You can now fine-tune access to external actions. These updated settings make it easier to achieve your security and compliance goals with GitHub Actions.

  • You can limit external actions to just those created by GitHub, those in the Marketplace that were created by verified authors, or a combination
  • You can optionally list specific external actions. Wildcards, tags, and SHAs enable flexibility and specificity

Learn more about external action policies

For questions please visit the GitHub Actions community forum

To see what's next for GitHub Actions, visit our public roadmap.
