plugins/git-master/skills/github-actions-2025/SKILL.md
GitHub Actions 2025-2026 features and modernization. PROACTIVELY activate for: (1) 1 vCPU Linux runners (October 2025 public preview), (2) immutable releases for hardened distribution, (3) Node24 migration from Node20, (4) reusable workflows and composite actions, (5) workflow_dispatch with rich inputs, (6) artifact attestations and provenance, (7) ARC (Actions Runner Controller) for self-hosted Kubernetes, (8) larger runners and macOS Apple Silicon runners, (9) deployment environments and protection rules, (10) OIDC federation to AWS/Azure/GCP. Provides: workflow templates, runner-selection matrix, OIDC setup recipes, attestation patterns, and Node24 migration steps.
Install this skill globally with one command (works with Claude Code, Cursor, and Windsurf):
npx skillsauth add JosiahSiegel/claude-plugin-marketplace github-actions-2025
What: 1 vCPU Linux runners (public preview, October 2025): a lightweight runner class for short, API-driven automation jobs (labeling, triage, notifications) at a lower per-minute rate than the standard 2 vCPU runner. Jobs on it are capped at 15 minutes, so it is for housekeeping, not builds or tests.
Specs:
Ideal for:
NOT suitable for:
# .github/workflows/automation.yml
name: Lightweight Automation
on:
  issues:
    types: [opened, labeled]
permissions:
  issues: write # gh needs write on issues to add a label; grant nothing else
jobs:
  triage:
    runs-on: ubuntu-latest-1-core # 1 vCPU preview label as used in this skill; confirm the exact label in the GitHub changelog before relying on it
    timeout-minutes: 10 # jobs on the 1 vCPU runner are capped at 15 minutes
    env:
      GH_TOKEN: ${{ github.token }} # gh reads its token from GH_TOKEN
    steps:
      - name: Triage Issue
        run: |
          echo "Triaging issue #${{ github.event.issue.number }}"
          # --repo is required because nothing is checked out in this job
          gh issue edit ${{ github.event.issue.number }} --repo ${{ github.repository }} --add-label "needs-review"
# Before: standard 2 vCPU runner for a job that only calls the API
jobs:
  label:
    runs-on: ubuntu-latest # 2 vCPU, billed at the standard rate
    permissions:
      pull-requests: write
    env:
      GH_TOKEN: ${{ github.token }}
    steps:
      - name: Add label
        run: gh pr edit ${{ github.event.number }} --repo ${{ github.repository }} --add-label "reviewed"
# After: 1 vCPU runner (lower per-minute rate; check the current price on the Actions billing page rather than assuming a fixed percentage)
jobs:
  label:
    runs-on: ubuntu-latest-1-core # 1 vCPU preview label as used in this skill; confirm it against the changelog
    timeout-minutes: 5
    permissions:
      pull-requests: write
    env:
      GH_TOKEN: ${{ github.token }}
    steps:
      - name: Add label
        run: gh pr edit ${{ github.event.number }} --repo ${{ github.repository }} --add-label "reviewed"
What: Releases can be made immutable: once a release is published, its assets cannot be added, replaced or deleted and its Git tag cannot be moved or deleted. Immutability is a repository (or organization) setting, not a per-release flag; it applies to every release published after the setting is enabled. Draft releases are not locked until they are published, and the release title and notes stay editable.
Benefits:
# Using GitHub CLI. Immutability comes from the repository setting
# (Settings > General > Releases > Immutable releases); `gh release create` has no
# per-release flag for it, so attach every asset at creation time.
gh release create v1.0.0 \
  dist/*.zip \
  --title "Version 1.0.0" \
  --notes-file CHANGELOG.md \
  --verify-tag
# Verify via the REST release object. `immutable` is the field name this skill assumes;
# confirm it against the REST docs for your GitHub version.
gh api repos/OWNER/REPO/releases/tags/v1.0.0 --jq '.immutable'
# .github/workflows/release.yml
name: Create Immutable Release
on:
  push:
    tags:
      - 'v*'
permissions:
  contents: write
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Build artifacts
        run: |
          npm ci
          npm run build
      # With the repository setting enabled the release is locked the moment it is published,
      # so assets must be attached in the same command: a later `gh release upload` against a
      # published immutable release is rejected. If assets come from several jobs, create the
      # release with --draft, upload, then publish it with `gh release edit --draft=false`.
      - name: Create release with assets
        env:
          GH_TOKEN: ${{ github.token }}
          TAG: ${{ github.ref_name }} # pass through env rather than interpolating into the shell line
        run: |
          gh release create "$TAG" dist/*.zip \
            --title "Release $TAG" \
            --notes-file CHANGELOG.md \
            --verify-tag
# Organizational guardrail: flag releases published while immutability was off.
# This job can only alert; it cannot retroactively lock a release. Enforce the setting
# itself through an organization-level policy and treat this workflow as the detective control.
name: Enforce Immutable Releases
on:
  release:
    types: [published] # `created` also fires for drafts, which are never immutable yet
jobs:
  enforce-immutability:
    runs-on: ubuntu-latest
    # `immutable` is the release-payload field this skill assumes; confirm it in the webhook docs
    if: "!github.event.release.immutable && startsWith(github.event.release.tag_name, 'v')"
    steps:
      - name: Fail if not immutable
        run: |
          echo "ERROR: release ${{ github.event.release.tag_name }} was published without immutability enabled"
          exit 1
What: GitHub Actions is moving the runtime that executes JavaScript actions from Node20 to Node24 (rollout from fall 2025). Keep two things apart: the runtime an action declares in its action.yml (`using: node20` or `node24`), which the runner executes, and the Node version that actions/setup-node installs for your own build and test steps (`node-version`). Migrating one does not migrate the other.
Timeline:
Check the Node version your own steps use (this is setup-node's job, not the action runtime):
# Old - build steps on Node20
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/setup-node@v3
        with:
          node-version: '20' # update to 24 once your dependencies support it
# New - build steps on Node24
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/setup-node@v4
        with:
          node-version: '24' # current LTS line
# Ensure the runner can execute Node24 actions
jobs:
  test:
    runs-on: ubuntu-latest # this skill lists runner v2.328.0+ as Node24-capable; self-hosted runners must be on at least that release
    env:
      # Opt in to Node24 for JavaScript actions ahead of the default switch (runner variable,
      # the same pattern as the earlier FORCE_JAVASCRIPT_ACTIONS_TO_NODE20 switch)
      FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: 'true'
    steps:
      - name: Show the Node on PATH for shell steps
        run: node --version # the image's default Node, not the runtime the runner uses for actions
      - uses: actions/checkout@v4 # with the opt-in above, JavaScript actions run on Node24 in this job
If you maintain custom actions, switch the declared runtime (action.yml is YAML, so comments use #):
# action.yml
runs:
  using: 'node24' # updated from 'node20'; the runner must be Node24-capable to load the action
  main: 'index.js'
# Update dependencies
npm install @actions/core@latest
npm install @actions/github@latest
# Test with Node24
node --version # Ensure 24.x
npm test
What: Actions environments are now available on all plans, for public and private repositories. An environment scopes its secrets and variables to jobs that declare it, and its protection rules (required reviewers, wait timer, deployment branch and tag restrictions) gate the job before it starts and before those secrets are released to it.
# .github/workflows/deploy.yml
name: Deploy to Production
on:
  push:
    branches: [main]
jobs:
  deploy:
    runs-on: ubuntu-latest
    environment:
      name: production
      url: https://app.example.com
    steps:
      - name: Deploy
        run: |
          echo "Deploying to ${{ vars.DEPLOY_URL }}" # environment-scoped variable, only readable by jobs bound to `production`
          # Deployment steps...
Environment configuration:
What: Enhanced governance with explicit blocking and SHA pinning. These are Actions permission settings (Settings > Actions > General, at repository, organization or enterprise level), not a workflow file GitHub reads; the YAML below only illustrates the three controls.
# Illustration of the Actions permission settings, not a file GitHub reads
allowed-actions:
  verified-only: true # allow only actions from GitHub and verified creators
# Explicitly block actions, by exact action or by owner
blocked-actions:
  - 'untrusted/action@*'
  - 'deprecated-org/*'
# Require every `uses:` reference to be a full-length commit SHA; once on, workflows that reference tags fail to run
require-sha-pinning: true
# Before: tag pinning. A tag is a mutable pointer: whoever can push to the action's
# repository (a maintainer, or an attacker who compromised it) can move it to different code.
- uses: actions/checkout@v4
# After: SHA pinning. The commit is immutable; keep the version as a trailing comment
# so Dependabot/Renovate can still propose bumps.
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
# Get the commit SHA for a specific version (the commits endpoint resolves an annotated tag to its commit)
gh api repos/actions/checkout/commits/v4.1.1 --jq '.sha'
# Or rewrite every `uses:` in a workflow file with the pin-github-action tool
npx pin-github-action .github/workflows/ci.yml
# Result: each `uses:` line rewritten to its commit SHA with the original tag kept as a comment
Caveats: a SHA pin still runs whatever that commit contains, including any actions the pinned action itself calls by tag, so pinning supplements vetting rather than replacing it; and confirm that the SHA you pin is the one the tagged release points at before trusting the comment beside it.
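The "require SHA pinning" control can be checked before a workflow ever reaches the org setting, in CI or a pre-commit hook, by linting the `uses:` lines. The script below is an added example, not code from this skill, from GitHub or from the pin-github-action tool: it flags every remote action whose ref is not a 40-hex commit SHA and rewrites unpinned ones through a caller-supplied resolver. `_TABLE` is a constructed, offline stand-in for `gh api repos/OWNER/REPO/commits/TAG --jq .sha`, seeded only with the two SHA/version pairs this page already quotes, and `SAMPLE_WORKFLOW` is likewise constructed.

```python
"""Lint and pin `uses:` references in GitHub Actions workflows to full commit SHAs.

Added example (not from the skill or GitHub). The resolver in `_TABLE` is a
constructed offline stand-in for `gh api repos/OWNER/REPO/commits/TAG --jq .sha`.
"""
import re
from typing import Callable, Dict, List, Tuple

# Matches `- uses: owner/repo[/subpath]@ref [# comment]`. Local actions (`./x`) have no
# `@ref` and `docker://` images contain a colon, so neither matches: there is no tag to pin.
USES_RE = re.compile(
    r"^(?P<indent>\s*-?\s*uses:\s*)"
    r"(?P<action>[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+(?:/[^@\s]+)?)"
    r"@(?P<ref>[^\s#]+)"
    r"(?P<rest>\s*(?:#.*)?)$"
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def is_pinned(ref: str) -> bool:
    """Only a full-length lowercase commit SHA counts; tags and short SHAs are mutable or ambiguous."""
    return SHA_RE.fullmatch(ref) is not None


def find_unpinned(workflow: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, action, ref) for every remote action not pinned to a SHA."""
    findings = []
    for lineno, line in enumerate(workflow.split("\n"), start=1):
        m = USES_RE.match(line)
        if m and not is_pinned(m.group("ref")):
            findings.append((lineno, m.group("action"), m.group("ref")))
    return findings


def pin_workflow(workflow: str, resolve: Callable[[str, str], str]) -> str:
    """Rewrite each unpinned `uses:` to resolve(owner/repo, ref), keeping the tag as a
    trailing comment so Dependabot/Renovate can still propose version bumps."""
    lines = workflow.split("\n")
    for i, line in enumerate(lines):
        m = USES_RE.match(line)
        if not m or is_pinned(m.group("ref")):
            continue
        action, ref = m.group("action"), m.group("ref")
        repo = "/".join(action.split("/")[:2])  # drop any subpath before resolving
        sha = resolve(repo, ref)
        if not is_pinned(sha):
            # A resolver handing back a tag or short SHA would silently defeat the pin.
            raise ValueError(f"resolver returned a non-SHA for {repo}@{ref}: {sha!r}")
        lines[i] = f"{m.group('indent')}{action}@{sha} # {ref}"
    return "\n".join(lines)


# Constructed resolver table: the two SHA/version pairs quoted on this page. Floating tags
# such as `v4` are deliberately absent; pin to an exact release so the comment stays truthful.
_TABLE: Dict[Tuple[str, str], str] = {
    ("actions/checkout", "v4.1.1"): "b4ffde65f46336ab88eb53be808477a3936bae11",
    ("actions/setup-node", "v4.0.2"): "60edb5dd545a775178f52524783378180af0d1f8",
}


def table_resolver(repo: str, ref: str) -> str:
    try:
        return _TABLE[(repo, ref)]
    except KeyError:
        raise LookupError(f"no pinned SHA known for {repo}@{ref}; resolve it with gh api first")


# Constructed sample workflow mixing unpinned, local, docker and already-pinned steps.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4.1.1
      - uses: actions/setup-node@v4.0.2
        with:
          node-version: '24'
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
"""


if __name__ == "__main__":
    for lineno, action, ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {action}@{ref} is not pinned to a commit SHA")
    print(pin_workflow(SAMPLE_WORKFLOW, table_resolver))
```

Run it as a CI step that fails when `find_unpinned` returns anything, and wire `pin_workflow` to a resolver that calls `gh api` for the real lookup; the resolver deliberately refuses floating tags so the `# vX.Y.Z` comment never drifts from what the SHA actually is.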
What: Workflows triggered by pull requests that the Copilot coding agent opens now require explicit approval before they run, the same gate GitHub applies to first-time contributors' fork PRs. The approval is enforced by the platform; job-level conditions in the workflow are not the control.
# .github/workflows/copilot-automation.yml
name: Copilot PR Automation
on:
  pull_request:
    types: [opened]
permissions:
  pull-requests: write
jobs:
  copilot-review:
    runs-on: ubuntu-latest
    # Convenience filter only: PRs from the Copilot agent are held for approval regardless of this `if`.
    # The login string is the one this skill uses; match it against the PR author shown in
    # github.event.pull_request.user.login for your organization.
    if: github.event.pull_request.user.login != 'github-copilot[bot]'
    env:
      GH_TOKEN: ${{ github.token }}
    steps:
      # An approval issued from a workflow is worth exactly as much as the weakest thing that can
      # trigger the workflow. It also needs "Allow GitHub Actions to create and approve pull requests"
      # enabled in the repository settings; prefer labeling over approving where you can.
      - name: Auto-review
        run: gh pr review ${{ github.event.pull_request.number }} --repo ${{ github.repository }} --approve
Manual approval is required for Copilot-authored PRs, through the same mechanism as fork PRs.
What: Artifacts moved to new architecture on February 1, 2025.
Breaking changes:
- actions/upload-artifact@v1 and @v2 retired March 1, 2025
- actions/upload-artifact@v4 or later is required
# Old (retired)
- uses: actions/upload-artifact@v2
  with:
    name: build-artifacts
    path: dist/
# New (required). v4 artifacts are immutable once uploaded and names must be unique within a
# run, so parallel matrix jobs need distinct names (for example build-${{ matrix.os }}).
- uses: actions/upload-artifact@v4
  with:
    name: build-artifacts
    path: dist/
    retention-days: 30 # shorten for anything sensitive: artifacts are downloadable by anyone with read access to the repository
What: windows-2019 runner image fully retired June 30, 2025.
# Old
jobs:
  build:
    runs-on: windows-2019 # retired; jobs referencing it no longer start
# New
jobs:
  build:
    runs-on: windows-2022 # current
    # Or windows-latest (recommended), which tracks GitHub's current default Windows image
What: The /meta API's `domains` section now carries an `actions_inbound` block listing the hostnames self-hosted runners must be able to reach, split into exact `full_domains` and `wildcard_domains`. Do not confuse it with the top-level `actions` list: those are the IP ranges GitHub-hosted runners egress from, not anything a self-hosted runner needs to reach.
# Get the hostnames self-hosted runners need outbound access to
curl -s https://api.github.com/meta | jq '.domains.actions_inbound'
# Build egress/proxy allowlist rules from the response. Shape shown abbreviated and
# illustrative; it is not a verbatim copy of the live response.
{
  "full_domains": [
    "github.com",
    "api.github.com"
  ],
  "wildcard_domains": [
    "*.actions.githubusercontent.com",
    "*.pkg.github.com"
  ]
}
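Turning that block into firewall or proxy rules is where mistakes creep in: wildcards get rendered as substring matches, or the bare domain is assumed to be covered by `*.domain`. The script below is an added example, not code from this skill or from GitHub; it validates the `actions_inbound` entries, renders them as Squid `dstdomain` entries (an assumed target format) and exposes a hostname check with correct wildcard semantics. `META_JSON` is a constructed, abbreviated stand-in for `curl -s https://api.github.com/meta`: the key names follow the documented response, the lists do not.

```python
"""Build a self-hosted-runner egress allowlist from the /meta `domains.actions_inbound`
block and check candidate hostnames against it.

Added example (not from the skill or GitHub). META_JSON is a constructed, abbreviated
stand-in for `curl -s https://api.github.com/meta`; the key names mirror the documented
response, the lists are not complete (one duplicate is included on purpose).
"""
import json
import re
from typing import Dict, List, Tuple

META_JSON = """{
  "domains": {
    "actions_inbound": {
      "full_domains": ["github.com", "api.github.com", "codeload.github.com", "github.com"],
      "wildcard_domains": ["*.actions.githubusercontent.com", "*.pkg.github.com"]
    }
  }
}"""

# One DNS label: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen.
LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
HOSTNAME_RE = re.compile(rf"^{LABEL}(?:\.{LABEL})+$")


def _norm(host: str) -> str:
    """DNS names are case-insensitive; a trailing dot is the FQDN marker, not part of the name."""
    return host.strip().rstrip(".").lower()


def load_inbound(meta: Dict) -> Tuple[List[str], List[str]]:
    """Extract and validate (full_domains, wildcard_domains), deduplicated in order.
    Anything that is not a well-formed hostname is rejected so a malformed entry
    cannot become an over-broad firewall rule."""
    block = meta["domains"]["actions_inbound"]
    full: List[str] = []
    wild: List[str] = []
    for d in block.get("full_domains", []):
        d = _norm(d)
        if not HOSTNAME_RE.match(d):
            raise ValueError(f"bad full domain: {d!r}")
        if d not in full:
            full.append(d)
    for d in block.get("wildcard_domains", []):
        d = _norm(d)
        if not d.startswith("*.") or not HOSTNAME_RE.match(d[2:]):
            raise ValueError(f"bad wildcard domain: {d!r}")
        if d not in wild:
            wild.append(d)
    return full, wild


def parse_meta(meta_json: str) -> Tuple[List[str], List[str]]:
    return load_inbound(json.loads(meta_json))


def is_allowed(host: str, full: List[str], wild: List[str]) -> bool:
    """Exact match for full domains. `*.x` matches hosts ending in `.x` (dot included), so
    `*.pkg.github.com` covers `npm.pkg.github.com` but not `pkg.github.com` itself, and the
    dotted-suffix check defeats look-alikes such as `api.github.com.attacker.net`."""
    h = _norm(host)
    if h in full:
        return True
    return any(h.endswith(w[1:]) for w in wild)


def squid_dstdomain(full: List[str], wild: List[str]) -> List[str]:
    """Render as Squid `acl ... dstdomain` entries. Squid reads a leading dot as 'this domain
    and all subdomains', slightly wider than `*.x`; most proxies have no subdomain-only form,
    so that widening is accepted here rather than hidden."""
    return full + [w[1:] for w in wild]


def build_allowlist(meta_json: str) -> List[str]:
    full, wild = parse_meta(meta_json)
    return squid_dstdomain(full, wild)


if __name__ == "__main__":
    full, wild = parse_meta(META_JSON)
    print("acl github_actions dstdomain " + " ".join(squid_dstdomain(full, wild)))
    for h in ["pipelines.actions.githubusercontent.com", "actions.githubusercontent.com",
              "api.github.com.attacker.net"]:
        print(f"{h}: {'allow' if is_allowed(h, full, wild) else 'deny'}")
```

Re-run it whenever the meta response changes (the lists are not static) and diff the rendered ACL against what is deployed; `is_allowed` doubles as a quick way to explain why a runner cannot reach a host before touching the firewall.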
# Use 1 vCPU for lightweight tasks
jobs:
  label-management:
    runs-on: ubuntu-latest-1-core
    timeout-minutes: 5
  # Use standard runners for builds/tests
  build:
    runs-on: ubuntu-latest
# Production releases are locked by the repository's immutable-releases setting; attach assets at creation
- name: Create Release
  run: gh release create "$TAG" dist/*.zip --notes-file CHANGELOG.md --verify-tag
# Pin actions to SHA, not tags; keep the version as a comment for Dependabot
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
# Use the current Node for your build steps
- uses: actions/setup-node@v4
  with:
    node-version: '24'
# Use environments for deployments
jobs:
  deploy:
    environment: production
    # Required reviewers, wait timer and branch restrictions come from the environment's protection rules
1 vCPU runner timeout:
# Ensure the task completes within 15 minutes
jobs:
  task:
    runs-on: ubuntu-latest-1-core
    timeout-minutes: 10 # safety margin below the 15-minute cap
Node24 compatibility issues:
# Test locally with Node24
nvm install 24
nvm use 24
npm test
Artifact upload failures:
# Use v4 of artifact actions
- uses: actions/upload-artifact@v4 # not v1/v2