github-actions-2025

Installs: 57
Rank: #12985

Install

npx skills add https://github.com/josiahsiegel/claude-plugin-marketplace --skill github-actions-2025

GitHub Actions 2025 Features

1 vCPU Linux Runners (October 2025 - Public Preview)

What: New lightweight runners optimized for automation tasks with lower cost.

Specs:

- 1 vCPU
- 5 GB RAM
- 15-minute job limit
- Optimized for short-running tasks

When to Use 1 vCPU Runners

Ideal for:

- Issue triage automation
- Label management
- PR comment automation
- Status checks
- Lightweight scripts
- Git operations (checkout, tag, commit)
- Notification tasks

NOT suitable for:

- Build operations
- Test suites
- Complex CI/CD pipelines
- Resource-intensive operations

Usage

.github/workflows/automation.yml

name: Lightweight Automation

on:
  issues:
    types: [opened, labeled]

permissions:
  issues: write  # needed so the token can edit issue labels

jobs:
  triage:
    runs-on: ubuntu-latest-1-core  # New 1 vCPU runner
    timeout-minutes: 10  # Max 15 minutes
    env:
      GH_TOKEN: ${{ github.token }}        # gh CLI authenticates with the job token
      GH_REPO: ${{ github.repository }}    # no checkout step, so tell gh which repo
    steps:
      - name: Triage Issue
        run: |
          echo "Triaging issue..."
          gh issue edit ${{ github.event.issue.number }} --add-label "needs-review"

Cost Savings Example

Before: Using 2 vCPU runner for simple task

jobs:
  label:
    runs-on: ubuntu-latest  # 2 vCPU, higher cost
    env:
      GH_TOKEN: ${{ github.token }}
      GH_REPO: ${{ github.repository }}
    steps:
      - name: Add label
        run: gh pr edit ${{ github.event.number }} --add-label "reviewed"

After: Using 1 vCPU runner (lower cost)

jobs:
  label:
    runs-on: ubuntu-latest-1-core  # 1 vCPU, 50% cost reduction
    timeout-minutes: 5
    env:
      GH_TOKEN: ${{ github.token }}
      GH_REPO: ${{ github.repository }}
    steps:
      - name: Add label
        run: gh pr edit ${{ github.event.number }} --add-label "reviewed"

Immutable Releases (August 2025)

What: Releases can now be marked immutable - assets and Git tags cannot be changed or deleted once released.

Benefits:

- Supply chain security
- Audit compliance
- Prevent tampering
- Trust in release artifacts

Create Immutable Release

Using GitHub CLI

gh release create v1.0.0 \
  dist/*.zip \
  --title "Version 1.0.0" \
  --notes-file CHANGELOG.md \
  --immutable

Verify immutability

gh release view v1.0.0 --json isImmutable

GitHub Actions Workflow

.github/workflows/release.yml

name: Create Immutable Release

on:
  push:
    tags:
      - 'v*'

jobs:
  release:
    runs-on: ubuntu-latest
    permissions:
      contents: write
    env:
      GH_TOKEN: ${{ github.token }}  # used by `gh release upload`
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Build artifacts
        run: npm run build

      - name: Create Immutable Release
        uses: actions/github-script@v7
        with:
          script: |
            const fs = require('fs');
            const tag = context.ref.replace('refs/tags/', '');

            await github.rest.repos.createRelease({
              owner: context.repo.owner,
              repo: context.repo.repo,
              tag_name: tag,
              name: `Release ${tag}`,
              body: fs.readFileSync('CHANGELOG.md', 'utf8'),
              draft: false,
              prerelease: false,
              make_immutable: true  // Mark as immutable
            });

      - name: Upload Release Assets
        run: gh release upload ${{ github.ref_name }} dist/*.zip --clobber

Immutable Release Policy

Organizational policy for immutable releases

name: Enforce Immutable Releases

on:
  release:
    types: [created]

jobs:
  enforce-immutability:
    runs-on: ubuntu-latest
    if: "!github.event.release.immutable && startsWith(github.event.release.tag_name, 'v')"
    steps:
      - name: Fail if not immutable
        run: |
          echo "ERROR: Production releases must be immutable"
          exit 1

Node24 Migration (September 2025)

What: GitHub Actions migrating from Node20 to Node24 in fall 2025.

Timeline:

- September 2025: Node24 support added
- October 2025: Deprecation notices for Node20
- November 2025: Node20 phase-out begins
- December 2025: Full migration to Node24

Update Your Actions

Check Node version in actions:

Old - Node20

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/setup-node@v3
        with:
          node-version: '20'  # Update to 24

New - Node24

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/setup-node@v4
        with:
          node-version: '24'  # Current LTS

Runner Version Compatibility

Ensure runner supports Node24

jobs:
  test:
    runs-on: ubuntu-latest  # Runner v2.328.0+ supports Node24
    steps:
      - name: Verify Node version
        run: node --version  # Should show v24.x.x

Custom Actions Migration

If you maintain custom actions:

# action.yml
runs:
  using: 'node24'  # Updated from 'node20'
  main: 'index.js'

Update dependencies

npm install @actions/core@latest
npm install @actions/github@latest

Test with Node24

node --version  # Ensure 24.x
npm test

Actions Environment Variables (May 2025)

What: Actions environments now available for all plans (public and private repos).

Environment Protection Rules

.github/workflows/deploy.yml

name: Deploy to Production

on:
  push:
    branches: [main]

jobs:
  deploy:
    runs-on: ubuntu-latest
    environment:
      name: production
      url: https://app.example.com
    steps:
      - name: Deploy
        run: |
          echo "Deploying to ${{ vars.DEPLOY_URL }}"
          # Deployment steps...

Environment configuration:

Settings → Environments → production

Add protection rules:

- Required reviewers
- Wait timer
- Deployment branches (only main)

Allowed Actions Policy Updates (August 2025)

What: Enhanced governance with explicit blocking and SHA pinning.

Block Specific Actions

.github/workflows/policy.yml

Repository or organization settings

allowed-actions:
  verified-only: true

# Explicitly block actions
blocked-actions:
  - 'untrusted/action@'
  - 'deprecated-org/'

# Require SHA pinning for security
require-sha-pinning: true

SHA Pinning for Security

Before: Version pinning (can be changed by action maintainer)

- uses: actions/checkout@v4

After: SHA pinning (immutable)

- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v4.1.1

Generate SHA-Pinned Actions

Get commit SHA for specific version

gh api repos/actions/checkout/commits/v4.1.1 --jq '.sha'

Or use the pin-github-action tool

npx pin-github-action actions/checkout@v4

Output: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
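Added example, not from the skill document or from GitHub's tooling: a small Python auditor that applies the two policy ideas from the sections above, the blocked-action prefixes (`untrusted/action@`, `deprecated-org/`) and the SHA-pinning requirement, to the `uses:` references in a workflow file. The sample workflow and policy are constructed for the demo; the checkout SHA is the v4.1.1 commit quoted above, the `0123...` SHA is a placeholder. It goes slightly beyond the text by also flagging SHA pins that lack the trailing `# vX.Y.Z` comment, which is what keeps a pinned reference readable and updatable.

```python
"""Audit workflow `uses:` references against an actions policy (added example).

Implements a blocklist of action prefixes and a requirement that every remote
action be pinned to a full 40-hex commit SHA. The workflow is scanned line by
line, so no PyYAML is needed; the sample workflow and policy are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Matches `- uses: owner/repo@ref  # optional comment`, quoted or unquoted.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)['\"]?(?:\s*#\s*(.*?))?\s*$"
)


@dataclass
class Policy:
    blocked_actions: list[str] = field(default_factory=list)  # prefix matches
    require_sha_pinning: bool = True


@dataclass
class Finding:
    line_no: int
    ref: str
    problem: str


def parse_uses(workflow_text: str) -> list[tuple[int, str, str | None]]:
    """Return (line number, action reference, trailing comment) per `uses:` line."""
    found = []
    for n, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m:
            found.append((n, m.group(1), m.group(2)))
    return found


def audit(workflow_text: str, policy: Policy) -> list[Finding]:
    """Evaluate every remote action reference; local (./) and docker:// refs are skipped."""
    findings: list[Finding] = []
    for line_no, ref, comment in parse_uses(workflow_text):
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        blocked = next((p for p in policy.blocked_actions if ref.startswith(p)), None)
        if blocked is not None:
            findings.append(Finding(line_no, ref, f"blocked by policy ({blocked})"))
            continue
        _, _, version = ref.partition("@")
        if SHA_RE.match(version):
            if not comment:
                # A bare SHA is safe but unreadable; the convention is a `# vX.Y.Z` comment.
                findings.append(Finding(line_no, ref, "SHA pin without version comment"))
        elif policy.require_sha_pinning:
            findings.append(Finding(line_no, ref, "not pinned to a commit SHA"))
    return findings


# Constructed sample workflow (the 0123... SHA is a placeholder, not a real commit).
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - uses: actions/setup-node@v4
      - uses: untrusted/action@v1
      - uses: deprecated-org/old-tool@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.20
"""

DEFAULT_POLICY = Policy(
    blocked_actions=["untrusted/action@", "deprecated-org/"],
    require_sha_pinning=True,
)

if __name__ == "__main__":
    for f in audit(SAMPLE_WORKFLOW, DEFAULT_POLICY):
        print(f"line {f.line_no}: {f.ref}: {f.problem}")
```

Run it against `.github/workflows/*.yml` in a pre-merge check and fail the job on any finding; the prefix semantics mirror the policy fragment above, where `untrusted/action@` blocks one action at every version and `deprecated-org/` blocks a whole owner.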

Copilot-Triggered Workflows (April 2025)

What: Workflows triggered by Copilot-authored events now require explicit approval.

Configure Copilot Workflow Approval

.github/workflows/copilot-automation.yml

name: Copilot PR Automation

on:
  pull_request:
    types: [opened]

jobs:
  copilot-review:
    runs-on: ubuntu-latest
    # Copilot-generated PRs require approval
    if: github.event.pull_request.user.login != 'github-copilot[bot]'
    env:
      GH_TOKEN: ${{ github.token }}
      GH_REPO: ${{ github.repository }}
    steps:
      - name: Auto-review
        run: gh pr review ${{ github.event.pull_request.number }} --approve

Manual approval required for Copilot PRs (same mechanism as fork PRs).

Artifact Storage Architecture (February 2025)

What: Artifacts moved to new architecture on February 1, 2025.

Breaking changes:

- actions/upload-artifact@v1-v2 retired March 1, 2025
- Must use actions/upload-artifact@v4+

Migration

Old (Retired)

- uses: actions/upload-artifact@v2
  with:
    name: build-artifacts
    path: dist/

New (Required)

- uses: actions/upload-artifact@v4
  with:
    name: build-artifacts
    path: dist/
    retention-days: 30

Windows Server 2019 Retirement (June 2025)

What: windows-2019 runner image fully retired June 30, 2025.

Migration

Old

jobs:
  build:
    runs-on: windows-2019  # Retired

New

jobs:
  build:
    runs-on: windows-2022  # Current
    # Or windows-latest (recommended)

Meta API for Self-Hosted Runners (May 2025)

What: New actions_inbound section in meta API for network configuration.

Get network requirements for self-hosted runners

curl https://api.github.com/meta | jq '.actions_inbound'

Configure firewall rules based on response

{
  "domains": [
    ".actions.githubusercontent.com",
    ".pkg.github.com"
  ],
  "ip_ranges": [
    "140.82.112.0/20",
    "143.55.64.0/20"
  ]
}
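Added example, not from the skill document: a Python helper that turns `actions_inbound` data of the shape shown above into validated egress rules and a destination matcher, so a self-hosted runner's firewall allowlist can be generated and checked rather than typed by hand. The embedded JSON is a constructed sample matching the page's shape (the live data comes from the `curl` command above); treating a leading-dot entry as "any subdomain of" is an assumption about that notation, and the rule text format is illustrative.

```python
"""Turn the meta API `actions_inbound` data into checkable firewall rules (added example).

Validates every CIDR with the standard library, renders an allow rule per
range, and classifies destinations (host names or IP literals) against the
domain patterns and ranges. The sample response is constructed, not live.
"""
import ipaddress
import json

# Constructed to match the shape shown in the text; not a live API response.
SAMPLE_META_RESPONSE = json.dumps({
    "actions_inbound": {
        "domains": [".actions.githubusercontent.com", ".pkg.github.com"],
        "ip_ranges": ["140.82.112.0/20", "143.55.64.0/20"],
    }
})


def load_actions_inbound(raw_json: str):
    """Return (domain patterns, ip networks); a malformed CIDR raises ValueError."""
    section = json.loads(raw_json)["actions_inbound"]
    domains = [d.lower() for d in section.get("domains", [])]
    # strict=True rejects entries with host bits set, a sign of a mangled range
    networks = [ipaddress.ip_network(c, strict=True) for c in section.get("ip_ranges", [])]
    return domains, networks


def domain_allowed(host: str, domains: list) -> bool:
    """True if host matches a pattern; '.example.com' is taken to mean any subdomain (assumption)."""
    host = host.lower().rstrip(".")
    for pattern in domains:
        if pattern.startswith("."):
            # The dot is part of the suffix, so 'evil-example.com' does not match '.example.com'.
            if host.endswith(pattern):
                return True
        elif host == pattern:
            return True
    return False


def ip_allowed(ip: str, networks: list) -> bool:
    """True if the address falls inside any published range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def firewall_rules(networks: list, port: int = 443) -> list:
    """Render one allow rule per range in an illustrative 'allow tcp to <cidr> port <n>' form."""
    return [f"allow tcp to {net.with_prefixlen} port {port}" for net in networks]


def egress_check(destinations, raw_json: str = SAMPLE_META_RESPONSE) -> dict:
    """Classify each destination (host name or IP literal) as allowed or not."""
    domains, networks = load_actions_inbound(raw_json)
    verdicts = {}
    for dest in destinations:
        try:
            verdicts[dest] = ip_allowed(dest, networks)
        except ValueError:  # not an IP literal, so treat it as a host name
            verdicts[dest] = domain_allowed(dest, domains)
    return verdicts


if __name__ == "__main__":
    _, nets = load_actions_inbound(SAMPLE_META_RESPONSE)
    print("\n".join(firewall_rules(nets)))
    print(egress_check(["143.55.70.9", "npm.pkg.github.com", "example.com"]))
```

Re-run the generation whenever the meta API changes, and diff the rendered rules against what is deployed; the strict CIDR parsing turns a copy-paste error in a range into a failure at generation time instead of a silently over-broad rule.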

Best Practices for 2025

1. Use Appropriate Runners

Use 1 vCPU for lightweight tasks

jobs:
  label-management:
    runs-on: ubuntu-latest-1-core
    timeout-minutes: 5

  # Use standard runners for builds/tests
  build:
    runs-on: ubuntu-latest

2. Immutable Releases for Production

Always mark production releases as immutable

- name: Create Release
  run: gh release create $TAG --immutable

3. SHA Pinning for Security

Pin actions to SHA, not tags

- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v4.1.1
- uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8

4. Update to Node24

Use latest Node version

- uses: actions/setup-node@v4
  with:
    node-version: '24'

5. Environment Protection

Use environments for deployments

jobs:
  deploy:
    environment: production  # Requires approval, wait timer, branch restrictions

Troubleshooting

1 vCPU runner timeout:

Ensure task completes within 15 minutes

jobs:
  task:
    runs-on: ubuntu-latest-1-core
    timeout-minutes: 10  # Safety margin

Node24 compatibility issues:

Test locally with Node24

nvm install 24
nvm use 24
npm test

Artifact upload failures:

Use v4 of artifact actions

- uses: actions/upload-artifact@v4  # Not v1/v2

Resources

- GitHub Actions 1 vCPU Runners
- Immutable Releases
- Node24 Migration
