Upcoming breaking changes and releases for GitHub Actions

We’re introducing new controls for automation workflows, enhancing security and flexibility for teams. Additionally, we’ve released updates to Actions runner controller designed to improve performance, customization, and compatibility with evolving deployment strategies. As part of our commitment to maintaining up-to-date infrastructure, we’re retiring older images and encouraging users to transition to newer, more efficient options.

Copilot events not automatically triggering GitHub Actions workflows is in public preview

Copilot-authored events will no longer automatically trigger GitHub Actions workflows – administrators will now need to approve these workflows to run.

The approval mechanism is the same as approving runs from forks. This means that a run requiring approval will be given the action_required conclusion before any jobs are started. Users with write access in the UI or actions:write fine-grained access through the API can approve any action_required run. Any triggered workflow runs associated with the same PR in the action_required state will show up in the PR merge box for approval.

If a run is not approved after 30 days, it will be deleted.
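A way to keep track of runs waiting for approval, grouped by pull request as in the merge box. This is an added example, not GitHub's code; the sample data is constructed, the function names are hypothetical, and it assumes the 30 days are counted from the run's `created_at`.

```python
from datetime import datetime, timedelta, timezone

# From the changelog: a run left unapproved for 30 days is deleted.
# Assumption: the 30 days are counted from the run's created_at.
APPROVAL_WINDOW = timedelta(days=30)

# Constructed sample, shaped like the "workflow_runs" array returned when
# listing a repository's workflow runs (only the fields used here).
SAMPLE_RUNS = [
    {"id": 9001, "conclusion": "action_required",
     "created_at": "2025-04-02T08:00:00Z", "pull_requests": [{"number": 12}]},
    {"id": 9002, "conclusion": "success",
     "created_at": "2025-04-20T10:00:00Z", "pull_requests": [{"number": 15}]},
    {"id": 9003, "conclusion": "action_required",
     "created_at": "2025-04-02T08:05:00Z", "pull_requests": [{"number": 12}]},
    {"id": 9004, "conclusion": "action_required",
     "created_at": "2025-04-25T16:30:00Z", "pull_requests": [{"number": 19}]},
    {"id": 9005, "conclusion": None,
     "created_at": "2025-04-28T11:00:00Z", "pull_requests": [{"number": 21}]},
]

def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def approval_queue(runs, now, warn_within=timedelta(days=7)):
    """Group runs awaiting approval by PR, soonest deletion deadline first."""
    by_pr = {}
    for run in runs:
        if run.get("conclusion") != "action_required":
            continue
        deadline = parse_ts(run["created_at"]) + APPROVAL_WINDOW
        # pull_requests can be empty; keep such runs under the key None.
        prs = [pr["number"] for pr in run.get("pull_requests", [])] or [None]
        for number in prs:
            entry = by_pr.setdefault(
                number, {"pr": number, "run_ids": [], "deadline": deadline})
            entry["run_ids"].append(run["id"])
            entry["deadline"] = min(entry["deadline"], deadline)
    queue = sorted(by_pr.values(), key=lambda e: e["deadline"])
    for entry in queue:
        entry["expiring_soon"] = entry["deadline"] - now <= warn_within
    return queue
```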

Join the discussion within GitHub Community.

Windows Server 2019 is closing down

We’re beginning the process of closing down the Windows Server 2019 hosted runner image, following our N-1 OS support policy. This image will be fully retired by June 30, 2025. We recommend updating workflows to use windows-2022 or windows-2025.

To raise awareness of the upcoming removal, we’ll temporarily fail jobs using the windows-2019 label starting in June 2025. The brownouts will occur on the following dates and times:

  • June 3 13:00-21:00 UTC
  • June 10 13:00-21:00 UTC
  • June 17 13:00-21:00 UTC
  • June 24 13:00-21:00 UTC
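To find affected workflows before the brownouts, the added example below (not GitHub's tooling) scans workflow text for the windows-2019 label and checks whether a timestamp falls in one of the listed windows. It is a line-based scan rather than a YAML parser, the function names are hypothetical, and the sample workflow is constructed.

```python
import re
from datetime import datetime, timezone

# Brownout windows from the changelog: 13:00-21:00 UTC on these June 2025 days.
BROWNOUT_DAYS = (3, 10, 17, 24)

# Match the label as a whole token, so a longer custom label that merely
# contains "windows-2019" is not flagged.
LABEL_RE = re.compile(r"(?<![\w.-])windows-2019(?![\w.-])")

# Constructed sample workflow file.
SAMPLE_WORKFLOW = """\
name: build
on: push
jobs:
  legacy:
    runs-on: windows-2019
  matrix:
    strategy:
      matrix:
        os: [ubuntu-latest, windows-2019, windows-2022]
    runs-on: ${{ matrix.os }}
  ok:
    runs-on: windows-2025  # migrated from windows-2019
"""

def find_retired_label(workflow_text):
    """Return (line_number, line) for each non-comment use of the label."""
    hits = []
    for number, line in enumerate(workflow_text.splitlines(), 1):
        # Drop trailing YAML comments (simplification: ignores '#' in strings).
        code = line.split("#", 1)[0]
        if LABEL_RE.search(code):
            hits.append((number, line.strip()))
    return hits

def in_brownout(ts):
    """True if a timezone-aware datetime falls inside a listed brownout window."""
    ts = ts.astimezone(timezone.utc)
    return ((ts.year, ts.month) == (2025, 6)
            and ts.day in BROWNOUT_DAYS
            and 13 <= ts.hour < 21)
```

Matrix entries are reported as well as direct `runs-on` values, since a job that resolves its runner from the matrix fails in the same way during a brownout.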

Actions runner controller release 0.11.0

The latest ARC release (0.11.0) includes two major product enhancements and numerous quality-of-life improvements.

Customers can now set custom annotations and resources, enabling them to use deployment methods like ArgoCD and Helm.

In addition, ARC customers experienced performance issues due to high cardinality metrics, particularly around labels such as runner name, ID, job workflow ref, and others. This significantly impacted resource consumption in Prometheus instances. With this release, customers can now configure metrics, enabling them to choose elements relevant to their reporting strategy.

All included changes in this release can be found in the release notes.

Updates to the network allow list for Azure private networking

GitHub previously reported the network communication requirements for Azure private networks as they relate to the upcoming release of immutable actions. Please use the IPs listed in the NSG template within our documentation, as previous changelog communications contained overlapping CIDR ranges.

CodeQL version 2.21.0 has been released and includes TypeScript 5.8 support, a new Java query to detect exposed Spring Boot actuators, and support for new JavaScript libraries.

TypeScript 5.8 support

CodeQL can now analyze code written in TypeScript version 5.8, helping you find and automatically remediate security issues in the latest TypeScript projects, all without additional configuration.

Improved Java analysis

The community-contributed query java/spring-boot-exposed-actuators by @ggolawski has been promoted out of experimental status and is now included in the default code scanning query pack. This query helps you identify publicly accessible Spring Boot actuators, preventing unintended information disclosure.

Expanded JavaScript framework coverage

We’ve extended our JavaScript analysis to include popular modern frameworks and libraries:

  • Apollo Server: Added support for analyzing data coming from GraphQL when using @apollo/server.
  • React Relay: Added analysis support for React applications using the react-relay library.
  • SAP ecosystem: Added CodeQL support for analysis of SAP packages, including @sap/hana-client, @sap/hdbext, and hdb.
  • TanStack: Added support for analyzing applications using the @tanstack/angular-query-experimental package.

For a full list of changes, please refer to the complete changelog for version 2.21.0. Every new version of CodeQL is automatically deployed to users of GitHub code scanning on github.com. The new functionality in CodeQL 2.21.0 will also be included in GitHub Enterprise Server (GHES) version 3.18. If you use an older version of GHES, you can manually upgrade your CodeQL version.

Highlight of the automatic watching section within Notification Settings

On May 18, 2025, we’re deprecating the automatic watching of repositories and teams. We’re making this change in order to:

  • Reduce notification noise: You’ll receive fewer unexpected notifications, especially when joining large organizations with many repositories.
  • Improve efficiency: You’ll be able to focus on the notifications that matter most, without unnecessary subscriptions.
  • Minimize confusion: You won’t have automatic watching behavior that some users found unclear or overwhelming.

Existing repository subscriptions created through auto-watching will not be impacted. Users will remain subscribed to repositories or teams they were previously watching.

To review or adjust your current repository subscriptions, visit the Watching section. For more detailed notification preferences, head to Notification Settings.
