Back to Details

github-actions-2025

Compare original and translation side by side

🇺🇸

Original

English
🇨🇳

Translation

Chinese

GitHub Actions 2025 Features

GitHub Actions 2025 新功能

1 vCPU Linux Runners (October 2025 - Public Preview)

1核vCPU Linux运行器(2025年10月 - 公开预览)

What: New lightweight runners optimized for automation tasks with lower cost.
Specs:
  • 1 vCPU
  • 5 GB RAM
  • 15-minute job limit
  • Optimized for short-running tasks
内容概述: 针对自动化任务优化的新型轻量运行器,成本更低。
规格参数:
  • 1核vCPU
  • 5GB内存
  • 15分钟任务时长限制
  • 针对短时长任务优化

When to Use 1 vCPU Runners

何时使用1核vCPU运行器

Ideal for:
  • Issue triage automation
  • Label management
  • PR comment automation
  • Status checks
  • Lightweight scripts
  • Git operations (checkout, tag, commit)
  • Notification tasks
NOT suitable for:
  • Build operations
  • Test suites
  • Complex CI/CD pipelines
  • Resource-intensive operations
适用场景:
  • 问题分类自动化
  • 标签管理
  • PR评论自动化
  • 状态检查
  • 轻量脚本
  • Git操作(检出、打标签、提交)
  • 通知任务
不适用场景:
  • 构建操作
  • 测试套件
  • 复杂CI/CD流水线
  • 资源密集型操作

Usage

使用示例

yaml
undefined
yaml
undefined

.github/workflows/automation.yml

.github/workflows/automation.yml

name: Lightweight Automation
on: issues: types: [opened, labeled]
jobs: triage: runs-on: ubuntu-latest-1-core # New 1 vCPU runner timeout-minutes: 10 # Max 15 minutes steps: - name: Triage Issue run: | echo "Triaging issue..." gh issue edit ${{ github.event.issue.number }} --add-label "needs-review"
undefined
name: Lightweight Automation
on: issues: types: [opened, labeled]
jobs: triage: runs-on: ubuntu-latest-1-core # New 1 vCPU runner timeout-minutes: 10 # Max 15 minutes steps: - name: Triage Issue run: | echo "Triaging issue..." gh issue edit ${{ github.event.issue.number }} --add-label "needs-review"
undefined

Cost Savings Example

成本节约示例

yaml
undefined
yaml
undefined

Before: Using 2 vCPU runner for simple task

Before: Using 2 vCPU runner for simple task

jobs: label: runs-on: ubuntu-latest # 2 vCPU, higher cost steps: - name: Add label run: gh pr edit ${{ github.event.number }} --add-label "reviewed"
jobs: label: runs-on: ubuntu-latest # 2 vCPU, higher cost steps: - name: Add label run: gh pr edit ${{ github.event.number }} --add-label "reviewed"

After: Using 1 vCPU runner (lower cost)

After: Using 1 vCPU runner (lower cost)

jobs: label: runs-on: ubuntu-latest-1-core # 1 vCPU, 50% cost reduction timeout-minutes: 5 steps: - name: Add label run: gh pr edit ${{ github.event.number }} --add-label "reviewed"
undefined
jobs: label: runs-on: ubuntu-latest-1-core # 1 vCPU, 50% cost reduction timeout-minutes: 5 steps: - name: Add label run: gh pr edit ${{ github.event.number }} --add-label "reviewed"
undefined

Immutable Releases (August 2025)

不可变发布(2025年8月)

What: Releases can now be marked immutable - assets and Git tags cannot be changed or deleted once released.
Benefits:
  • Supply chain security
  • Audit compliance
  • Prevent tampering
  • Trust in release artifacts
内容概述: 发布版本现在可标记为不可变——一旦发布,资产和Git标签无法被修改或删除。
优势:
  • 供应链安全
  • 审计合规
  • 防止篡改
  • 增强发布工件的可信度

Create Immutable Release

创建不可变发布

bash
undefined
bash
undefined

Using GitHub CLI

Using GitHub CLI

gh release create v1.0.0
dist/*.zip
--title "Version 1.0.0"
--notes-file CHANGELOG.md
--immutable
gh release create v1.0.0
dist/*.zip
--title "Version 1.0.0"
--notes-file CHANGELOG.md
--immutable

Verify immutability

Verify immutability

gh release view v1.0.0 --json isImmutable
undefined
gh release view v1.0.0 --json isImmutable
undefined

GitHub Actions Workflow

GitHub Actions工作流示例

yaml
undefined
yaml
undefined

.github/workflows/release.yml

.github/workflows/release.yml

name: Create Immutable Release
on: push: tags: - 'v*'
jobs: release: runs-on: ubuntu-latest permissions: contents: write
steps:
  - name: Checkout
    uses: actions/checkout@v4

  - name: Build artifacts
    run: npm run build

  - name: Create Immutable Release
    uses: actions/github-script@v7
    with:
      script: |
        const fs = require('fs');
        const tag = context.ref.replace('refs/tags/', '');

        await github.rest.repos.createRelease({
          owner: context.repo.owner,
          repo: context.repo.repo,
          tag_name: tag,
          name: `Release ${tag}`,
          body: fs.readFileSync('CHANGELOG.md', 'utf8'),
          draft: false,
          prerelease: false,
          make_immutable: true  # Mark as immutable
        });

  - name: Upload Release Assets
    run: gh release upload ${{ github.ref_name }} dist/*.zip --clobber
undefined
name: Create Immutable Release
on: push: tags: - 'v*'
jobs: release: runs-on: ubuntu-latest permissions: contents: write
steps:
  - name: Checkout
    uses: actions/checkout@v4

  - name: Build artifacts
    run: npm run build

  - name: Create Immutable Release
    uses: actions/github-script@v7
    with:
      script: |
        const fs = require('fs');
        const tag = context.ref.replace('refs/tags/', '');

        await github.rest.repos.createRelease({
          owner: context.repo.owner,
          repo: context.repo.repo,
          tag_name: tag,
          name: `Release ${tag}`,
          body: fs.readFileSync('CHANGELOG.md', 'utf8'),
          draft: false,
          prerelease: false,
          make_immutable: true  # Mark as immutable
        });

  - name: Upload Release Assets
    run: gh release upload ${{ github.ref_name }} dist/*.zip --clobber
undefined

Immutable Release Policy

不可变发布策略

yaml
undefined
yaml
undefined

Organizational policy for immutable releases

Organizational policy for immutable releases

name: Enforce Immutable Releases
on: release: types: [created]
jobs: enforce-immutability: runs-on: ubuntu-latest if: "!github.event.release.immutable && startsWith(github.event.release.tag_name, 'v')"
steps:
  - name: Fail if not immutable
    run: |
      echo "ERROR: Production releases must be immutable"
      exit 1
undefined
name: Enforce Immutable Releases
on: release: types: [created]
jobs: enforce-immutability: runs-on: ubuntu-latest if: "!github.event.release.immutable && startsWith(github.event.release.tag_name, 'v')"
steps:
  - name: Fail if not immutable
    run: |
      echo "ERROR: Production releases must be immutable"
      exit 1
undefined

Node24 Migration (September 2025)

Node24迁移(2025年9月)

What: GitHub Actions migrating from Node20 to Node24 in fall 2025.
Timeline:
  • September 2025: Node24 support added
  • October 2025: Deprecation notices for Node20
  • November 2025: Node20 phase-out begins
  • December 2025: Full migration to Node24
内容概述: GitHub Actions将于2025年秋季从Node20迁移至Node24。
时间线:
  • 2025年9月:新增Node24支持
  • 2025年10月:发布Node20弃用通知
  • 2025年11月:开始逐步淘汰Node20
  • 2025年12月:全面迁移至Node24

Update Your Actions

更新你的Actions

Check Node version in actions:
yaml
undefined
检查Actions中的Node版本:
yaml
undefined

Old - Node20

Old - Node20

jobs: build: runs-on: ubuntu-latest steps: - uses: actions/setup-node@v3 with: node-version: '20' # Update to 24
jobs: build: runs-on: ubuntu-latest steps: - uses: actions/setup-node@v3 with: node-version: '20' # Update to 24

New - Node24

New - Node24

jobs: build: runs-on: ubuntu-latest steps: - uses: actions/setup-node@v4 with: node-version: '24' # Current LTS
undefined
jobs: build: runs-on: ubuntu-latest steps: - uses: actions/setup-node@v4 with: node-version: '24' # Current LTS
undefined

Runner Version Compatibility

运行器版本兼容性

yaml
undefined
yaml
undefined

Ensure runner supports Node24

Ensure runner supports Node24

jobs: test: runs-on: ubuntu-latest # Runner v2.328.0+ supports Node24
steps:
  - name: Verify Node version
    run: node --version  # Should show v24.x.x
undefined
jobs: test: runs-on: ubuntu-latest # Runner v2.328.0+ supports Node24
steps:
  - name: Verify Node version
    run: node --version  # Should show v24.x.x
undefined

Custom Actions Migration

自定义Actions迁移

If you maintain custom actions:
javascript
// action.yml
runs:
  using: 'node24'  // Updated from 'node20'
  main: 'index.js'
bash
undefined
如果你维护自定义Actions:
javascript
// action.yml
runs:
  using: 'node24'  // Updated from 'node20'
  main: 'index.js'
bash
undefined

Update dependencies

Update dependencies

npm install @actions/core@latest npm install @actions/github@latest
npm install @actions/core@latest npm install @actions/github@latest

Test with Node24

Test with Node24

node --version # Ensure 24.x npm test
undefined
node --version # Ensure 24.x npm test
undefined

Actions Environment Variables (May 2025)

Actions环境变量(2025年5月)

What: Actions environments now available for all plans (public and private repos).
内容概述: Actions环境现在对所有套餐开放(公开和私有仓库均可使用)。

Environment Protection Rules

环境保护规则

yaml
undefined
yaml
undefined

.github/workflows/deploy.yml

.github/workflows/deploy.yml

name: Deploy to Production
on: push: branches: [main]
jobs: deploy: runs-on: ubuntu-latest environment: name: production url: https://app.example.com
steps:
  - name: Deploy
    run: |
      echo "Deploying to ${{ vars.DEPLOY_URL }}"
      # Deployment steps...

**Environment configuration:**
- Settings → Environments → production
- Add protection rules:
  - Required reviewers
  - Wait timer
  - Deployment branches (only main)
name: Deploy to Production
on: push: branches: [main]
jobs: deploy: runs-on: ubuntu-latest environment: name: production url: https://app.example.com
steps:
  - name: Deploy
    run: |
      echo "Deploying to ${{ vars.DEPLOY_URL }}"
      # Deployment steps...

**环境配置:**
- 设置 → 环境 → production
- 添加保护规则:
  - 必需审核人
  - 等待计时器
  - 部署分支(仅main分支)

Allowed Actions Policy Updates (August 2025)

允许的Actions策略更新(2025年8月)

What: Enhanced governance with explicit blocking and SHA pinning.
内容概述: 增强治理能力,支持显式阻止和SHA固定。

Block Specific Actions

阻止特定Actions

yaml
undefined
yaml
undefined

.github/workflows/policy.yml

.github/workflows/policy.yml

Repository or organization settings

Repository or organization settings

allowed-actions: verified-only: true

Explicitly block actions

blocked-actions: - 'untrusted/action@' - 'deprecated-org/'

Require SHA pinning for security

require-sha-pinning: true
undefined
allowed-actions: verified-only: true

Explicitly block actions

blocked-actions: - 'untrusted/action@' - 'deprecated-org/'

Require SHA pinning for security

require-sha-pinning: true
undefined

SHA Pinning for Security

基于SHA固定提升安全性

yaml
undefined
yaml
undefined

Before: Version pinning (can be changed by action maintainer)

Before: Version pinning (can be changed by action maintainer)

  • uses: actions/checkout@v4
  • uses: actions/checkout@v4

After: SHA pinning (immutable)

After: SHA pinning (immutable)

  • uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
undefined
  • uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
undefined

Generate SHA-Pinned Actions

生成SHA固定的Actions

bash
undefined
bash
undefined

Get commit SHA for specific version

Get commit SHA for specific version

gh api repos/actions/checkout/commits/v4.1.1 --jq '.sha'
gh api repos/actions/checkout/commits/v4.1.1 --jq '.sha'

Or use action-security tool

Or use action-security tool

npx pin-github-action actions/checkout@v4
npx pin-github-action actions/checkout@v4

Output: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11

Output: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11

undefined
undefined

Copilot-Triggered Workflows (April 2025)

Copilot触发的工作流(2025年4月)

What: Workflows triggered by Copilot-authored events now require explicit approval.
内容概述: 由Copilot生成事件触发的工作流现在需要显式批准。

Configure Copilot Workflow Approval

配置Copilot工作流批准规则

yaml
undefined
yaml
undefined

.github/workflows/copilot-automation.yml

.github/workflows/copilot-automation.yml

name: Copilot PR Automation
on: pull_request: types: [opened]
jobs: copilot-review: runs-on: ubuntu-latest
# Copilot-generated PRs require approval
if: github.event.pull_request.user.login != 'github-copilot[bot]'

steps:
  - name: Auto-review
    run: gh pr review --approve

**Manual approval required for Copilot PRs** (same mechanism as fork PRs).
name: Copilot PR Automation
on: pull_request: types: [opened]
jobs: copilot-review: runs-on: ubuntu-latest
# Copilot-generated PRs require approval
if: github.event.pull_request.user.login != 'github-copilot[bot]'

steps:
  - name: Auto-review
    run: gh pr review --approve

**Copilot生成的PR需要手动批准**(与分支PR的机制相同)。

Artifact Storage Architecture (February 2025)

工件存储架构(2025年2月)

What: Artifacts moved to new architecture on February 1, 2025.
Breaking changes:
  • actions/upload-artifact@v1-v2
    retired March 1, 2025
  • Must use 
    actions/upload-artifact@v4+
内容概述: 工件将于2025年2月1日迁移至新架构。
重大变更:
  • actions/upload-artifact@v1-v2
    将于2025年3月1日停用
  • 必须使用 
    actions/upload-artifact@v4+

Migration

迁移示例

yaml
undefined
yaml
undefined

Old (Retired)

Old (Retired)

  • uses: actions/upload-artifact@v2 with: name: build-artifacts path: dist/
  • uses: actions/upload-artifact@v2 with: name: build-artifacts path: dist/

New (Required)

New (Required)

  • uses: actions/upload-artifact@v4 with: name: build-artifacts path: dist/ retention-days: 30
undefined
  • uses: actions/upload-artifact@v4 with: name: build-artifacts path: dist/ retention-days: 30
undefined

Windows Server 2019 Retirement (June 2025)

Windows Server 2019停用(2025年6月)

What: 
windows-2019
runner image fully retired June 30, 2025.
内容概述: 
windows-2019
运行器镜像将于2025年6月30日完全停用。

Migration

迁移示例

yaml
undefined
yaml
undefined

Old

Old

jobs: build: runs-on: windows-2019 # Retired
jobs: build: runs-on: windows-2019 # Retired

New

New

jobs: build: runs-on: windows-2022 # Current # Or windows-latest (recommended)
undefined
jobs: build: runs-on: windows-2022 # Current # Or windows-latest (recommended)
undefined

Meta API for Self-Hosted Runners (May 2025)

自托管运行器元API(2025年5月)

What: New 
actions_inbound
section in meta API for network configuration.
bash
undefined
内容概述: 元API中新增 
actions_inbound
部分,用于网络配置。
bash
undefined

Get network requirements for self-hosted runners

Get network requirements for self-hosted runners

curl https://api.github.com/meta | jq '.actions_inbound'
curl https://api.github.com/meta | jq '.actions_inbound'

Configure firewall rules based on response

Configure firewall rules based on response

{ "domains": [ ".actions.githubusercontent.com", ".pkg.github.com" ], "ip_ranges": [ "140.82.112.0/20", "143.55.64.0/20" ] }
undefined
{ "domains": [ ".actions.githubusercontent.com", ".pkg.github.com" ], "ip_ranges": [ "140.82.112.0/20", "143.55.64.0/20" ] }
undefined

Best Practices for 2025

2025年最佳实践

1. Use Appropriate Runners

1. 使用合适的运行器

yaml
undefined
yaml
undefined

Use 1 vCPU for lightweight tasks

Use 1 vCPU for lightweight tasks

jobs: label-management: runs-on: ubuntu-latest-1-core timeout-minutes: 5

Use standard runners for builds/tests

build: runs-on: ubuntu-latest
undefined
jobs: label-management: runs-on: ubuntu-latest-1-core timeout-minutes: 5

Use standard runners for builds/tests

build: runs-on: ubuntu-latest
undefined

2. Immutable Releases for Production

2. 生产环境使用不可变发布

yaml
undefined
yaml
undefined

Always mark production releases as immutable

Always mark production releases as immutable

  • name: Create Release run: gh release create $TAG --immutable
undefined
  • name: Create Release run: gh release create $TAG --immutable
undefined

3. SHA Pinning for Security

3. 基于SHA固定提升安全性

yaml
undefined
yaml
undefined

Pin actions to SHA, not tags

Pin actions to SHA, not tags

  • uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
  • uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8
undefined
  • uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
  • uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8
undefined

4. Update to Node24

4. 升级至Node24

yaml
undefined
yaml
undefined

Use latest Node version

Use latest Node version

  • uses: actions/setup-node@v4 with: node-version: '24'
undefined
  • uses: actions/setup-node@v4 with: node-version: '24'
undefined

5. Environment Protection

5. 环境保护

yaml
undefined
yaml
undefined

Use environments for deployments

Use environments for deployments

jobs: deploy: environment: production # Requires approval, wait timer, branch restrictions
undefined
jobs: deploy: environment: production # Requires approval, wait timer, branch restrictions
undefined

Troubleshooting

故障排查

1 vCPU runner timeout:
yaml
undefined
1核vCPU运行器超时:
yaml
undefined

Ensure task completes within 15 minutes

Ensure task completes within 15 minutes

jobs: task: runs-on: ubuntu-latest-1-core timeout-minutes: 10 # Safety margin

**Node24 compatibility issues:**
```bash
jobs: task: runs-on: ubuntu-latest-1-core timeout-minutes: 10 # Safety margin

**Node24兼容性问题:**
```bash

Test locally with Node24

Test locally with Node24

nvm install 24 nvm use 24 npm test

**Artifact upload failures:**
```yaml
nvm install 24 nvm use 24 npm test

**工件上传失败:**
```yaml

Use v4 of artifact actions

Use v4 of artifact actions

  • uses: actions/upload-artifact@v4 # Not v1/v2
undefined
  • uses: actions/upload-artifact@v4 # Not v1/v2
undefined

Resources

参考资源