The GitHub Actions changes for November 2025 bring real change: M2 macOS runners are generally available, reusable workflow limits just increased, and macOS 13 images are headed for weekly brownouts before retirement. In parallel, npm classic tokens are disabled now and will be revoked on November 19. If your CI builds iOS apps or your pipelines publish to npm, this is your 10‑day window to stabilize. (github.blog)
Here’s the thing: none of this is theoretical. I’ve already seen iOS pipelines stall on brownouts, and I’ve watched package publishes fail when tokens quietly expired. Let’s get practical and make the changes that keep your workflows green.
What changed this week in GitHub Actions
Three updates landed that affect how teams structure CI, manage build times, and wire up AI in the toolchain.
Reusable workflow limits expanded
You can now nest up to 10 reusable workflows (up from four) and call up to 50 total from a single run (up from 20). This removes a pain point for platform teams building shared pipelines—think central security gates, SBOM steps, or mobile signing chains—without resorting to brittle copy‑paste YAML. (github.blog)
M2 macOS runners are GA—with labels you should adopt
M2‑powered macOS runners are generally available. Use macos-latest-xlarge, macos-15-xlarge, macos-14-xlarge, or macos-13-xlarge to get Apple Silicon performance and GPU acceleration. If you’re compiling Swift, running Xcode UI tests, or transcoding assets, the time savings add up quickly. (github.blog)
Copilot coding agent no longer depends on Actions
GitHub Copilot’s coding agent can be enabled without turning on Actions org‑wide. That gives enterprises more flexibility—AI assistance without the governance lift of enabling all of Actions immediately. If you already run Actions, nothing breaks; if you don’t, you can roll out the agent independently and meter access. (github.blog)
For a deeper dive on the features and tradeoffs, see our analysis in the November Actions update explainer, then return here for the migration plan.
Will my iOS/mac builds break this month?
Short answer: they might during brownouts unless you update runner labels. The macOS 13 image retires on December 4, 2025, with weekly brownouts in November that intentionally fail jobs to get your attention:
• Nov 4, 14:00–24:00 UTC
• Nov 11, 14:00–24:00 UTC
• Nov 18, 14:00–24:00 UTC
• Nov 25, 14:00–24:00 UTC
Jobs using macos-13, macos-13-large, or macos-13-xlarge will fail during those windows. Migrate to macos-15 (or macos-latest)—prefer the arm64 M‑series labels to align with Apple Silicon and future speedups. (github.blog)
But there’s a catch: Node 24 will become the default runtime for Actions in 2026, and it doesn’t support macOS 13.4 or lower. If you self‑host or pin to older macOS, plan your OS upgrades now to avoid surprises when runner updates flip you to Node 24 next year. (github.blog)
npm token migration: will my publish jobs fail on Nov 19?
Yes, if you still rely on classic npm tokens. As of November 5, 2025, you can no longer create classic tokens; all classic tokens will be permanently revoked on November 19. New write‑enabled granular tokens enforce 2FA by default, cap lifetime at 90 days, and support a “Bypass 2FA” option for CI. GitHub is steering maintainers toward OIDC‑based trusted publishing so you don’t manage long‑lived tokens at all. (github.blog)
If your pipelines still publish with a classic token in a repository secret, your Nov 19 releases will fail. Switch now to either granular tokens (with planned rotation) or trusted publishing tied to your CI identity.
The 10‑day migration checklist (print this)
Run these items in order. I’ve included quick tests so you don’t wait until a release train to learn something’s broken.
1) Normalize runner labels and capacity
• Search your org for macos-13 labels and replace with macos-15 or macos-latest (prefer arm64).
• If you need x86_64 for a dependency, move those jobs to Linux x86 runners for build steps and keep macOS only where Xcode or signing actually require it.
• Run at least one full iOS build on macos-15-xlarge (M2) and compare wall‑clock times; if your queue times spike, consider a concurrency cap or scheduling non‑urgent jobs outside peak hours. (github.blog)
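The lane split from step 1, as an added example workflow (not from the post): Xcode-free work runs on Linux x86_64, the Xcode lane runs on the M2 label with a concurrency cap, and a one-line check fails the job if it ever lands on an Intel image again. The scheme name, script path and simulator name are placeholders.

```yaml
# .github/workflows/ci.yml (added example; ExampleApp and scripts/ are placeholders)
name: ci
on:
  pull_request:
  push:
    branches: [main]

# One in-flight run per branch: a burst of pushes cannot flood the macOS queue,
# and runs for superseded commits are cancelled instead of occupying M2 minutes.
concurrency:
  group: ci-${{ github.ref }}
  cancel-in-progress: true

jobs:
  # Everything that does not need Xcode stays on Linux x86_64. An x86-only
  # dependency belongs here, not on an Intel macOS image.
  lint-and-unit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./scripts/lint.sh        # hypothetical project script
      - run: ./scripts/unit-tests.sh  # hypothetical project script

  # Xcode build, UI tests and signing stay on macOS, on the Apple Silicon label.
  # Before: runs-on: macos-13-xlarge  (fails during the November brownouts)
  build-ios:
    needs: lint-and-unit
    runs-on: macos-15-xlarge
    timeout-minutes: 60
    steps:
      - uses: actions/checkout@v4
      - name: Assert Apple Silicon
        run: test "$(uname -m)" = "arm64"
      - name: Build and test
        run: |
          xcodebuild -scheme ExampleApp \
            -destination 'platform=iOS Simulator,name=iPhone 16' \
            build test
```

Run this on a feature branch first and compare the `build-ios` wall-clock time against the last `macos-13` run before changing the label on `main`.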
2) Patch reusable workflow calls
Re‑organize your pipeline into smaller, composable reusable workflows where it was previously too constrained. With nesting up to 10 and 50 total calls, you can model a clean “golden path” without YAML duplication. Keep each workflow’s inputs narrow and output contracts explicit so you can swap implementations without refactoring call sites. (github.blog)
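A minimal pair of files showing the pattern from step 2 (a callable security gate with one narrow input and one explicit output, and an application pipeline that calls it), added here as an example rather than taken from the post. The SBOM script and the second `mobile-signing.yml` workflow are assumed to exist.

```yaml
# .github/workflows/security-gate.yml -- a reusable building block (added example)
name: security-gate
on:
  workflow_call:
    inputs:
      sbom-format:
        description: "SBOM output format"
        type: string
        default: spdx-json
    outputs:
      sbom-artifact:
        description: "Name of the uploaded SBOM artifact"
        value: ${{ jobs.scan.outputs.artifact-name }}

jobs:
  scan:
    runs-on: ubuntu-latest
    outputs:
      artifact-name: ${{ steps.name.outputs.name }}
    steps:
      - uses: actions/checkout@v4
      - id: name
        run: echo "name=sbom-${GITHUB_SHA}" >> "$GITHUB_OUTPUT"
      - name: Generate SBOM
        # Caller-controlled input goes through env, never interpolated into the script.
        env:
          FMT: ${{ inputs.sbom-format }}
        run: ./scripts/sbom.sh --format "$FMT" --out sbom.json   # hypothetical script
      - uses: actions/upload-artifact@v4
        with:
          name: ${{ steps.name.outputs.name }}
          path: sbom.json
---
# .github/workflows/release.yml -- the application pipeline calling the gate
name: release
on:
  push:
    tags: ['v*']

jobs:
  security:
    uses: ./.github/workflows/security-gate.yml
    with:
      sbom-format: cyclonedx-json

  # A second reusable workflow that may itself call others; each level counts
  # toward the 10-deep nesting and 50-call totals.
  sign:
    needs: security
    uses: ./.github/workflows/mobile-signing.yml   # assumed second building block
    with:
      sbom-artifact: ${{ needs.security.outputs.sbom-artifact }}
    secrets: inherit
```

Keeping the gate's contract to one typed input and one named output means the scanner inside `security-gate.yml` can be swapped without touching `release.yml` or any other caller.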
3) Flip npm publishing to OIDC (or rotate to granular tokens)
Option A: adopt trusted publishing. Configure your npm package to accept publishes from your CI via OIDC; remove npm tokens from repository secrets entirely.
Option B: if you must use a token, generate a granular token with write scope, set a rotation reminder (≤90 days), and enable Bypass 2FA for non‑interactive jobs. Test with a dry‑run publish and verify provenance. (github.blog)
4) Smoke test AI agent usage and budget guardrails
If you plan to try Copilot’s coding agent without enabling Actions org‑wide, stage a small pilot. Gate it behind an approvals group, turn on usage reporting, and define a de‑scope path if usage exceeds expectations in sprint two. If you already rely on Actions, confirm the agent’s permissions match your repo policy. (github.blog)
5) Prepare for the Node 24 wave
Audit self‑hosted runners and mobile macOS machines—Node 24 isn’t compatible with macOS 13.4 and earlier. For JavaScript Actions you maintain, add a canary workflow that sets FORCE_JAVASCRIPT_ACTIONS_TO_NODE24=true to detect runtime issues early. (github.blog)
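The canary from step 5, as an added example (not from the post): it runs the JavaScript action maintained in the same repository under the Node 24 runtime on a schedule, and refuses macOS hosts at or below 13.4. The action's input and output names are assumptions.

```yaml
# .github/workflows/node24-canary.yml (added example; assumes action.yml at repo root)
name: node24-canary
on:
  schedule:
    - cron: '0 6 * * 1'   # weekly, Monday 06:00 UTC
  workflow_dispatch:

# Opt this run into Node 24 for JavaScript actions ahead of the 2026 default.
env:
  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true

jobs:
  canary:
    strategy:
      fail-fast: false
      matrix:
        os: [ubuntu-latest, macos-15]
    runs-on: ${{ matrix.os }}
    steps:
      - uses: actions/checkout@v4

      # Node 24 does not run on macOS 13.4 or lower; surface that before the action does.
      - name: Refuse unsupported macOS hosts
        if: runner.os == 'macOS'
        run: |
          v=$(sw_vers -productVersion)
          major=${v%%.*}; rest=${v#*.}; minor=${rest%%.*}
          if [ "$major" -lt 13 ] || { [ "$major" -eq 13 ] && [ "$minor" -le 4 ]; }; then
            echo "macOS $v cannot run Node 24"; exit 1
          fi

      # Exercise the action from source, the way a consumer would.
      - id: under-test
        uses: ./
        with:
          example-input: canary            # assumed input of the action under test
      - name: Check output
        env:
          RESULT: ${{ steps.under-test.outputs.result }}   # assumed output name
        run: test -n "$RESULT"
```

Add the same matrix entry for a self-hosted macOS label if you run one; a failing canary on that host is the early warning the post describes.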
People also ask
Do I need to switch to M2 runners now?
If you ship iOS, yes—move sooner rather than later. M2 runners are GA and deliver faster builds, and the ecosystem is converging on Apple Silicon. The longer you stay on older Intel/macOS 13 images, the more tech debt you accrue and the worse your brownout risk. Migrate core lanes first (build, unit tests), then UI tests, then edge jobs. (github.blog)
Will my workflows break on Nov 19?
Only if they publish to npm using classic tokens. Classic token creation is already disabled and revocation happens November 19. If you’ve rotated to granular tokens or OIDC trusted publishing, you’re fine. Double‑check secrets and CI logs this week. (github.blog)
Is the new 10‑nested workflow limit worth a refactor?
For platform teams: absolutely. Treat it like code reuse for CI. Break monolith workflows into composable building blocks—security scans, cache warmers, SBOM, signing—and call them from application pipelines. You’ll reduce copy‑paste bugs and make policy rollouts a one‑file change. (github.blog)
Gotchas we’ve hit in real migrations
• Homebrew mismatches: Some formulae install to different prefixes on arm64; pin versions or add a quick brew --prefix probe and adjust PATH.
• Cache key churn: Moving from Intel to arm64 can change compiled artifact hashes; prime caches by running parallel lanes once before cutting over.
• Simulator availability: Xcode versions on macos-15 may not match what you pinned on macos-13; select the simulator explicitly.
• Embedded Node: If you vendor Node or use native modules, rebuild for arm64 and pass --arch arm64 to the build where needed; verify Rosetta isn’t silently in the path.
• Private repos and the agent: If you pilot Copilot’s coding agent, start with a sandbox repo until your governance and audit settings are dialed in. (github.blog)
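The macOS job below is an added example (not from the post) that addresses the first four gotchas in one place: a Rosetta check, a runtime Homebrew prefix instead of a hard-coded path, a cache key that includes the runner architecture, an explicit Xcode and simulator selection, and an arm64 rebuild of native Node modules. The Xcode path, simulator name and scheme are placeholders; the native-module step assumes node-gyp-based modules that honour npm_config_arch.

```yaml
# Excerpt of a macOS job (added example; Xcode_16.1 and iPhone 16 are placeholders)
jobs:
  build-ios:
    runs-on: macos-15-xlarge
    steps:
      - uses: actions/checkout@v4

      # proc_translated is 1 when this shell runs under Rosetta; the key is absent on Intel.
      - name: Confirm native arm64
        run: |
          test "$(uname -m)" = "arm64"
          test "$(sysctl -n sysctl.proc_translated 2>/dev/null || echo 0)" = "0"

      # Homebrew lives under /usr/local on Intel and /opt/homebrew on arm64;
      # resolve the prefix at runtime instead of baking one into PATH.
      - name: Put Homebrew on PATH
        run: echo "$(brew --prefix)/bin" >> "$GITHUB_PATH"

      # runner.arch in the key keeps Intel and arm64 artifacts apart, so one
      # run on each lane primes both caches before cutover.
      - uses: actions/cache@v4
        with:
          path: ~/Library/Developer/Xcode/DerivedData
          key: derived-${{ runner.os }}-${{ runner.arch }}-${{ hashFiles('**/project.pbxproj', '**/Package.resolved') }}
          restore-keys: derived-${{ runner.os }}-${{ runner.arch }}-

      # The image default Xcode and simulator set changed between macos-13 and
      # macos-15; select both explicitly and fail if the simulator is missing.
      - name: Select Xcode and simulator
        run: |
          sudo xcode-select -s /Applications/Xcode_16.1.app
          xcrun simctl list devices available | grep -q 'iPhone 16'

      # Native Node modules compiled on Intel will not load here; rebuild for arm64.
      - name: Rebuild native Node modules for arm64
        env:
          npm_config_arch: arm64
        run: npm rebuild

      - name: Test
        run: |
          xcodebuild -scheme ExampleApp \
            -destination 'platform=iOS Simulator,name=iPhone 16' test
```

If the Rosetta check fails on a hosted xlarge runner, the label is wrong somewhere in the workflow; on a self-hosted box it usually means the runner service was installed through an x86_64 shell.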
A pragmatic CI blueprint for November
Use this structure as a north star for a modern Apple + npm shop:
• Runners: macos-15-xlarge for build/test/sign lanes; Linux containers for lint and unit tests that don’t need Xcode.
• Reusable workflows: centralize security scanning, SBOM generation, and notarization; publish outputs as artifacts or reuse with workflow_call.
• Publishing: OIDC trusted publishing for npm (no long‑lived tokens), npm provenance on by default.
• Governance: required checks wrap the reusable workflows; branch protections map to app criticality; Copilot agent rolled out to an allowlist.
• Monitoring: alert on workflow failure spikes during brownout windows; add a dashboard tile for token expirations (or OIDC status) across repos. (github.blog)
Example: cutting over npm publish to OIDC in Actions
Here’s a simplified sequence to get off classic tokens fast:
1) In npm, enable trusted publishing for your package and associate the GitHub repo.
2) In your repo, ensure you’re using a recent actions/setup-node that supports npm provenance.
3) Add an id-token: write permission to the job and remove any NPM_TOKEN secret usage.
4) Run a dry‑run publish on a prerelease tag. If it passes, promote to stable.
This removes rotation busywork and eliminates a whole class of secret‑leak incidents. If you can’t adopt OIDC yet, generate a granular token, enable Bypass 2FA for CI, set a 30–60 day rotation timer, and update your pipeline docs. (github.blog)
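The workflow that results from the four steps above (and from Option A in checklist step 3), added here as an example rather than copied from the post or the npm documentation: the job requests an OIDC token, keeps no npm secret at all, dry-runs on prerelease tags and publishes only on stable ones. The `npm install -g npm@latest` step is there because trusted publishing requires a recent npm CLI; pin the version your team has validated if you want reproducible builds.

```yaml
# .github/workflows/publish.yml (added example; assumes trusted publishing is
# already configured for this package and repository on npmjs.com)
name: publish
on:
  push:
    tags: ['v*']

jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write        # lets npm obtain the OIDC token for trusted publishing
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org
      - run: npm install -g npm@latest
      - run: npm ci

      # Before (classic token in a repository secret; stops working on Nov 19):
      #   - run: npm publish
      #     env:
      #       NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

      # Prerelease tags such as v1.2.3-rc.1 get a dry run only.
      - name: Dry run on prerelease tags
        if: contains(github.ref_name, '-')
        run: npm publish --dry-run --provenance --access public

      # A clean stable tag publishes with provenance; no token is involved.
      - name: Publish stable release
        if: ${{ !contains(github.ref_name, '-') }}
        run: npm publish --provenance --access public
```

Once the first stable publish lands, confirm the provenance attestation on the package page before deleting the old `NPM_TOKEN` secret from the repository. If you are on Option B instead, the only change to this file is adding `NODE_AUTH_TOKEN` back on the publish step, pointing at the new granular token, and dropping `id-token: write`.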
Zooming out: why these changes are good for teams
The expanded workflow limits let platform engineering scale without duct tape. Apple Silicon runners bring real‑world speed gains where it matters. Brownouts are a nudge to clean up tech debt before it becomes incident response. And the npm token changes—though annoying—push us toward safer defaults. I’d rather invest a few hours this week than explain a failed release train on November 19. (github.blog)
What to do next
• Update runner labels and test on M2 today.
• Split monolith workflows and adopt reusable calls where it reduces duplication.
• Move npm publishing to OIDC; if not possible, rotate to granular tokens and set reminders before Nov 19.
• Pilot Copilot’s coding agent with a small group and clear usage reporting.
• Put a brownout calendar in your CI channel and staff a light touch watch during the windows. (github.blog)
If you need a deeper, step‑by‑step cutover, our GitHub Actions changes checklist pairs with our npm CI/CD cutover guide and last‑minute npm fixes before Nov 19. And if your team would rather not burn a sprint on this, talk to us about an assisted migration—start at our services page.
Final thought: November’s changes are not just chores—they’re leverage. Teams that make these updates now will ship faster on Apple Silicon, reduce their supply‑chain risk, and spend less time babysitting builds. That’s a trade I’ll take any day.