#github-actions
Tagged “github-actions”
3 articlesPinning every CI action to a commit SHA is becoming the new minimum
A new write-up from the Cilium maintainers lays out a concrete playbook for locking down CI/CD dependencies — full-SHA pinning for every action, digest-pinned containers, vendored Go modules, and Renovate with a release-age cooldown. The pattern matters even if you do not ship eBPF for a living.
Jun 16, 2026 · Tomás VegaSecurity & supply chainGitHub Agentic Workflows drop personal access tokens for the built-in Actions token
Agentic workflows on GitHub can now authenticate with the ephemeral GITHUB_TOKEN instead of a long-lived personal access token. It is a quiet credential-hygiene win that closes one of the messier blast radii in agent-driven CI.
Jun 15, 2026 · Tomás VegaRunners & infrastructureGitHub Actions resumes self-hosted runner version enforcement
Self-hosted runners must register on 2.329.0 or later and install each new release within 30 days, with full enforcement landing September 25, 2026 on github.com. The change moves runner version management from a hygiene task into a fleet-inventory problem.
Jun 15, 2026 · Maya Okonkwo