GitHub Actions 2025 features including 1 vCPU runners, immutable releases, and Node24 migration
npx skill4agent add josiahsiegel/claude-plugin-marketplace github-actions-2025
# .github/workflows/automation.yml
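name: Lightweight Automation

on:
  issues:
    types: [opened, labeled]

# Least privilege: the only write this workflow performs is editing issue
# labels, so GITHUB_TOKEN gets that scope and nothing else (the repository
# default token may otherwise be read/write across the board).
permissions:
  issues: write

jobs:
  triage:
    runs-on: ubuntu-latest-1-core  # New 1 vCPU runner
    timeout-minutes: 10            # Max 15 minutes on this runner size
    steps:
      - name: Triage Issue
        env:
          # gh authenticates from GH_TOKEN; without it the step fails.
          GH_TOKEN: ${{ github.token }}
          # There is no checkout, so gh cannot infer the repository from a
          # git remote — give it explicitly.
          GH_REPO: ${{ github.repository }}
          # Pass event data through env instead of inlining ${{ }} into the
          # script. The issue number is numeric today, but this keeps the
          # step safe if it is later extended to titles or bodies.
          ISSUE_NUMBER: ${{ github.event.issue.number }}
        run: |
          echo "Triaging issue..."
          gh issue edit "$ISSUE_NUMBER" --add-label "needs-review"
# Before: Using 2 vCPU runner for simple task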
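# (The trigger is not shown; github.event.number is populated for
# pull_request / pull_request_target events.)
jobs:
  label:
    runs-on: ubuntu-latest  # 2 vCPU, higher cost
    steps:
      - name: Add label
        # Same omissions as fixed in "After" below (no permissions, no
        # GH_TOKEN/GH_REPO, value inlined into the shell); the contrast
        # being made here is cost only.
        run: gh pr edit ${{ github.event.number }} --add-label "reviewed"

# After: Using 1 vCPU runner (lower cost)
jobs:
  label:
    runs-on: ubuntu-latest-1-core  # 1 vCPU, 50% cost reduction
    timeout-minutes: 5
    permissions:
      pull-requests: write  # the only scope `gh pr edit` needs
    steps:
      - name: Add label
        env:
          GH_TOKEN: ${{ github.token }}
          GH_REPO: ${{ github.repository }}  # no checkout, so gh needs this
          PR_NUMBER: ${{ github.event.number }}
        # Quoted env var rather than an inlined ${{ }} expression, so nothing
        # from the event payload is ever parsed by the shell.
        run: gh pr edit "$PR_NUMBER" --add-label "reviewed"
# Using GitHub CLI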
# Attach the assets in the same call that marks the release immutable: an
# immutable release is meant to freeze tag, notes and assets once published,
# so anything not uploaded here may not be addable afterwards (confirm
# against current GitHub/gh docs).
gh release create v1.0.0 \
  dist/*.zip \
  --title "Version 1.0.0" \
  --notes-file CHANGELOG.md \
  --immutable
# Verify immutability
# NOTE(review): the flag/field names (--immutable, isImmutable) are as given
# on this page; check `gh release create --help` on the gh version you run.
gh release view v1.0.0 --json isImmutable
# .github/workflows/release.yml
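name: Create Immutable Release

on:
  push:
    tags:
      - 'v*'

jobs:
  release:
    runs-on: ubuntu-latest
    permissions:
      contents: write  # create the release and attach assets; nothing else
    steps:
      - name: Checkout
        # SHA-pinned instead of the movable @v4 tag (see the pinning section
        # of this page, which lists this SHA for v4.1.1).
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

      - name: Build artifacts
        # Assumes dependencies are already installed (e.g. a preceding
        # setup-node + `npm ci` step) — TODO confirm for this repository.
        run: npm run build

      - name: Create Immutable Release
        env:
          GH_TOKEN: ${{ github.token }}
          # Tag names are attacker-influenced shell input: git allows `$`,
          # `;`, `|`, `(`, `)` and backticks in ref names, so anyone able to
          # push a tag could inject into an inlined ${{ github.ref_name }}.
          # Pass it through env and quote it.
          TAG: ${{ github.ref_name }}
        # Assets are uploaded in the same call that marks the release
        # immutable. The original created the immutable release first and
        # then ran `gh release upload --clobber`, which is expected to be
        # rejected once the release is frozen (and would defeat the point of
        # immutability if it were not). If you prefer actions/github-script
        # for this, remember the script body is JavaScript: `#` is not a
        # comment there (use `//`), and pass `make_immutable` only once the
        # assets you need are already attached.
        run: |
          gh release create "$TAG" dist/*.zip \
            --title "Release $TAG" \
            --notes-file CHANGELOG.md \
            --immutable
# Organizational policy for immutable releases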
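name: Enforce Immutable Releases

on:
  release:
    types: [created]

# The job only inspects the event payload — grant GITHUB_TOKEN nothing.
permissions: {}

jobs:
  enforce-immutability:
    runs-on: ubuntu-latest
    # NOTE(review): the payload field name (`immutable`) is as given on this
    # page; confirm it against the `release` webhook payload for your API
    # version (the gh CLI snippet above uses `isImmutable`).
    if: "!github.event.release.immutable && startsWith(github.event.release.tag_name, 'v')"
    steps:
      - name: Fail if not immutable
        # Caveat: by the time this job runs, the mutable release already exists
        # and is visible. A red job is an alert, not a guard — pair it with a
        # notification or block at the source (repo/org release settings)
        # rather than treating this workflow as the enforcement point.
        run: |
          echo "ERROR: Production releases must be immutable"
          exit 1
# Old - Node20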
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/setup-node@v3
        with:
          node-version: '20' # Update to 24
# New - Node24
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # Newer major of the action. For production workflows pin to a commit
      # SHA rather than the mutable @v4 tag (see the SHA-pinning section).
      - uses: actions/setup-node@v4
        with:
          # Quoted on purpose: an unquoted version is parsed as a number.
          node-version: '24' # Current LTS
# Ensure runner supports Node24
jobs:
  test:
    runs-on: ubuntu-latest # Runner v2.328.0+ supports Node24
    steps:
      - name: Verify Node version
        # `node --version` only prints; it does not fail the job on a
        # mismatch. For an actual gate, compare the output (see the shell
        # snippet further down).
        run: node --version # Should show v24.x.x
# action.yml
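runs:
  # YAML comments use '#'. The original had '//' after the quoted scalar,
  # which is a YAML syntax error, so the action would fail to load.
  using: 'node24'  # Updated from 'node20'
  main: 'index.js'
# Update dependencies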
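set -euo pipefail
# @latest resolves to whatever the registry serves at this moment. Review the
# resulting package.json / package-lock.json diff and commit the lockfile so
# CI (`npm ci`) installs exactly what was tested here.
npm install @actions/core@latest
npm install @actions/github@latest
# Test with Node24
node --version # Ensure 24.x
# Fail fast instead of merely printing the version.
case "$(node --version)" in
  v24.*) ;;
  *) echo "expected Node 24.x, got $(node --version)" >&2; exit 1 ;;
esac
npm test
# .github/workflows/deploy.yml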
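name: Deploy to Production

on:
  push:
    branches: [main]

# Nothing shown here needs write access to the repository via GITHUB_TOKEN.
permissions:
  contents: read

jobs:
  deploy:
    runs-on: ubuntu-latest
    environment:
      name: production
      url: https://app.example.com
    steps:
      - name: Deploy
        env:
          # Pass configuration variables through env rather than inlining
          # ${{ vars.* }} into the script: an inlined value is substituted
          # before the shell runs and is interpreted as shell syntax, so a
          # changed variable becomes code execution in this job.
          DEPLOY_URL: ${{ vars.DEPLOY_URL }}
        run: |
          echo "Deploying to $DEPLOY_URL"
          # Deployment steps...
# .github/workflows/policy.yml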
# Repository or organization settings
# NOTE(review): this is an illustration of the settings, not a file GitHub
# reads. Anything under .github/workflows/ is parsed as a workflow and these
# keys would be rejected; configure allowed/blocked actions and SHA-pinning
# requirements under Settings → Actions (or the org policy / REST API).
allowed-actions:
  verified-only: true
# Explicitly block actions
blocked-actions:
  - 'untrusted/action@*'
  - 'deprecated-org/*'
# Require SHA pinning for security
require-sha-pinning: true
# Before: Version pinning (can be changed by action maintainer)
- uses: actions/checkout@v4
# After: SHA pinning (immutable)
# A SHA cannot be moved, but it also will not follow security patches: let
# Dependabot/Renovate bump it, and keep the trailing version comment accurate
# because those tools key off it. Before adopting a SHA, confirm it is
# reachable from a release tag in the upstream repository — a commit from a
# fork can be fetched through the parent repo's URL, so "it resolves" is not
# proof of provenance.
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
# Get commit SHA for specific version
# Resolve the tag to a commit SHA. Verify the result is the commit, not a tag
# object: `uses:` needs a commit SHA, and annotated tags have their own SHA.
gh api repos/actions/checkout/commits/v4.1.1 --jq '.sha'
# Or use action-security tool
# npx downloads and executes a package straight from the registry, so pin
# the tool's own version (npx pin-github-action@<version>) and cross-check
# its output against the API result above before trusting it.
npx pin-github-action actions/checkout@v4
# Output: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
# .github/workflows/copilot-automation.yml
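name: Copilot PR Automation

on:
  pull_request:
    types: [opened]

permissions:
  pull-requests: write  # needed for `gh pr review`

jobs:
  copilot-review:
    runs-on: ubuntu-latest
    # Copilot-generated PRs require a human approval, so they are skipped here.
    # NOTE(review): as written, every *other* PR is auto-approved the moment
    # it is opened, which nullifies a required-reviews branch rule. Narrow the
    # condition to the specific bot/author (and paths) you actually intend to
    # wave through before using this anywhere that protection matters.
    if: github.event.pull_request.user.login != 'github-copilot[bot]'
    steps:
      - name: Auto-review
        env:
          GH_TOKEN: ${{ github.token }}
          GH_REPO: ${{ github.repository }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
        # The PR number is required: there is no checkout, so gh has no local
        # branch to infer it from. Also note that GITHUB_TOKEN can only approve
        # PRs when the repo/org setting "Allow GitHub Actions to create and
        # approve pull requests" is enabled, and that pull_request runs
        # triggered from forks receive a read-only token.
        run: gh pr review "$PR_NUMBER" --approve
# Retired: actions/upload-artifact@v1-v2  |  Required: actions/upload-artifact@v4+
# Old (Retired)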
- uses: actions/upload-artifact@v2
  with:
    name: build-artifacts
    path: dist/
# New (Required)
# Everything under dist/ becomes downloadable by anyone who can read the run
# (for a public repo, everyone): keep secrets, tokens and signing keys out of
# the path. In v4 artifact names must be unique per run and an uploaded
# artifact cannot be modified — confirm in the action's README.
- uses: actions/upload-artifact@v4
  with:
    name: build-artifacts
    path: dist/
    retention-days: 30
# Retired runner label: windows-2019
# Old
jobs:
  build:
    runs-on: windows-2019 # Retired
# New
jobs:
  build:
    runs-on: windows-2022 # Current
    # Or windows-latest (recommended)
    # Caveat: a floating label tracks whatever image GitHub currently maps it
    # to and can change underneath you; pin an explicit image version when
    # reproducible builds matter more than staying current.
# /meta field: actions_inbound
# Get network requirements for self-hosted runners
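# -f makes curl fail on HTTP errors instead of piping an error page into jq;
# -sS keeps it quiet but still reports failures; -L follows redirects.
curl -fsSL https://api.github.com/meta | jq '.actions_inbound'
# Configure firewall rules based on response
# Example response (illustrative only — key names and ranges change over
# time; generate rules from the live payload on a schedule, do not hand-copy
# the values below into a firewall).
{
  "domains": [
    "*.actions.githubusercontent.com",
    "*.pkg.github.com"
  ],
  "ip_ranges": [
    "140.82.112.0/20",
    "143.55.64.0/20"
  ]
}
# Use 1 vCPU for lightweight tasks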
jobs:
  label-management:
    runs-on: ubuntu-latest-1-core
    timeout-minutes: 5
    # steps: omitted for brevity — a job without steps is invalid
  # Use standard runners for builds/tests
  build:
    runs-on: ubuntu-latest
# Always mark production releases as immutable
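# TAG must be provided by the workflow (e.g. `TAG: ${{ github.ref_name }}` at
# job level). It is quoted so a tag containing shell metacharacters cannot
# split into extra arguments or be interpreted by the shell.
- name: Create Release
  env:
    GH_TOKEN: ${{ github.token }}
  run: gh release create "$TAG" --immutable
# Pin actions to SHA, not tags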
# Keep the version comment next to each SHA: Dependabot/Renovate use it to
# propose bumps, and reviewers use it to know what they are approving.
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 (as listed in the pinning section)
- uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # TODO: record the tag this SHA corresponds to
# Use latest Node version
# node-version is quoted on purpose: an unquoted value is parsed as a number
# (e.g. 24.10 would become the float 24.1).
- uses: actions/setup-node@v4
  with:
    node-version: '24'
# Use environments for deployments
jobs:
  deploy:
    environment: production
    # Requires approval, wait timer, branch restrictions — but only if those
    # protection rules are configured on the "production" environment in the
    # repository settings. Naming the environment here enforces nothing by
    # itself.
# Ensure task completes within 15 minutes
jobs:
  task:
    runs-on: ubuntu-latest-1-core
    timeout-minutes: 10 # Safety margin below the runner's 15-minute cap
# Test locally with Node24
# nvm must already be installed and sourced in this shell; `nvm use` only
# changes PATH for the current shell session.
nvm install 24
nvm use 24
npm test
# Use v4 of artifact actions
- uses: actions/upload-artifact@v4 # Not v1/v2 (retired); pin to a commit SHA in production