GitHub Actions November 2025: What to Fix This Week
GitHub Actions November 2025 brought a cluster of CI/CD updates that matter in the real world: higher limits for reusable workflows, generally available M2 macOS runners, stricter security semantics for pull_request_target landing December 8, an hourly cache-eviction policy, and the final stretch of npm token changes with a hard date of November 19. If your org touches iOS, JavaScript, or shared workflows, you have tasks to land this week. Let’s translate the release notes into a punch list you can execute.
What changed and why it matters
Three updates shift how teams design and run pipelines:
1) More headroom for reuse. You can now nest up to 10 reusable workflows and call as many as 50 in a single run. Previous limits (4 deep, 20 total) pushed teams into brittle copy-paste. With 10/50, monorepos and platform engineering teams can model clear layers—bootstrap, provisioning, language setup, test matrix, artifacts—without spaghetti.
2) M2 macOS runners are GA. For iOS/macOS builds, Apple Silicon performance is real, especially for Swift/Metal and simulators. The macos-15-xlarge and macos-latest-xlarge labels bring faster builds and GPU acceleration. If you’re still on Intel images for historical reasons, this is the week to compare wall-clock times and cost.
3) Security semantics change for PR events. On December 8, GitHub will lock pull_request_target to always source workflows from the default branch and evaluate environment branch protections against the execution ref. That closes a class of vulnerabilities where outdated workflows on a non-default branch could run with secrets. It’s the right call—but some filters will stop matching until you update them.
GitHub Actions November 2025: the changes that bite now
Here’s what requires action this week, not later.
Update PR-driven environment rules before December 8
Environment branch protections for pull request events will evaluate against the execution reference rather than the PR head. Practically:
- For pull_request, pull_request_review, and pull_request_review_comment, protections evaluate against refs/pull/<number>/merge.
- For pull_request_target, protections evaluate against your default branch.
If your environment filters are set to main or a pattern like release/*, PR jobs might stop matching. Add explicit patterns for refs/pull/*/merge and ensure the default branch is included for any pull_request_target use. For a deeper walkthrough of what changes and why, see our hands-on explainer for pull_request_target changes.
Move off macOS 13 labels and choose the right Apple Silicon size
macOS 13 runner images are in brownouts throughout November and retire December 4. Runner labels like macos-13, macos-13-large, and macos-13-xlarge will fail. Most teams should adopt macos-15 or macos-latest (arm64). If you must stick to Intel briefly, use macos-15-intel while you unwind tooling that doesn’t yet support Apple Silicon. We published a focused macOS 13 deprecation checklist with label mappings and Xcode pitfalls.
Expect cache evictions every hour
GitHub will now enforce cache eviction hourly (not daily) to keep each repository under the 10 GB cap. If you rely on caches for Node/Gradle/CocoaPods, expect more churn unless you tune keys and scopes. The fix is simple: make keys precise, keep restore keys coarse, and scope caches per job or matrix dimension to avoid eviction storms. A mis-scoped cache can slow builds more than no cache at all.
npm tokens: final window closes November 19
Classic npm token creation was disabled November 5. All remaining classic tokens die November 19. New granular tokens with write permissions default to 2FA and now cap at 90 days lifetime; for CI you can opt into a Bypass 2FA mode or—better—publish with OIDC and short-lived session tokens. If you haven’t rotated yet, borrow our battle-tested npm token migration runbook and get it done today.
Let’s get practical: a one-week remediation sprint
Use this sprint plan if you own CI for a mid-sized org (50–200 repos). It’s optimized for speed and safe cutover.
Day 1: Inventory and guardrails
Start with facts. Export repositories using gh or the REST API, then auto-scan YAML for risky patterns:
- Find workflows that use pull_request_target, or environments on PR triggers.
- List any macOS labels matching macos-13* and any Intel-only requirements.
- Map caches: key formats, restore keys, and typical artifact sizes.
- Enumerate npm tokens in org secrets and repository secrets; flag classic tokens.
Flip org-level guardrails where feasible: enforce SHA pinning for third-party actions and block known-bad actions. Both can now be set in the allowed actions policy and save you from dependency surprises later.
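A scanner for the Day 1 inventory above, added here as an example rather than tooling from the post. It is a line-based regex heuristic, not a YAML parser: everything before the first jobs: key is treated as the trigger header, the actions/ and github/ owners are assumed first-party, and the sample workflow it runs on is constructed for illustration.

```python
"""Inventory scan of workflow YAML for the Day 1 punch list (added example,
not the post's tooling). Line-based regex heuristics, not a YAML parser:
everything before the first 'jobs:' key is treated as the trigger header,
and owners 'actions/' and 'github/' are assumed first-party."""
import re

TRIGGER_RE = re.compile(r"\bpull_request(?:_target|_review(?:_comment)?)?\b")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w./-]+)@(\S+)")
RUNS_ON_RE = re.compile(r"runs-on:\s*\[?\s*['\"]?([\w.-]+)")
ENV_RE = re.compile(r"^\s*environment:\s*(.*)$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")          # a full commit SHA pin
FIRST_PARTY = ("actions/", "github/")

# Constructed sample workflow that trips every rule below.
SAMPLE = """\
name: ci
on:
  push:
  pull_request_target:
    types: [opened]
jobs:
  triage:
    runs-on: macos-13-xlarge
    environment: preview
    steps:
      - uses: actions/checkout@v4
      - uses: octo-org/labeler@v2
      - uses: octo-org/notify@0123456789abcdef0123456789abcdef01234567
"""

def scan_workflow(text: str) -> dict:
    """Return the Day 1 findings for one workflow file's text."""
    header, _, body = text.partition("\njobs:")
    triggers = set(TRIGGER_RE.findall(header))
    out = {"pull_request_target": "pull_request_target" in triggers,
           "env_on_pr_trigger": [], "macos13_labels": [], "unpinned": []}
    for line in body.splitlines():
        # Environments on PR-triggered jobs: their branch policy changes Dec 8.
        if (m := ENV_RE.match(line)) and triggers:
            out["env_on_pr_trigger"].append(m.group(1).strip() or "(nested)")
        # macOS 13 labels fail after the December 4 retirement.
        if (m := RUNS_ON_RE.search(line)) and m.group(1).startswith("macos-13"):
            out["macos13_labels"].append(m.group(1))
        # Third-party actions referenced by tag or branch instead of a SHA.
        if (m := USES_RE.match(line)) and not m.group(1).startswith(FIRST_PARTY) \
                and not SHA_RE.match(m.group(2)):
            out["unpinned"].append(f"{m.group(1)}@{m.group(2)}")
    return out

if __name__ == "__main__":
    for key, value in scan_workflow(SAMPLE).items():
        print(f"{key}: {value}")
```

Run it over each file under .github/workflows and aggregate the lists per repo to get the inventory the rest of the sprint works from.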
Day 2: Fix environments and branch filters
For each environment used by PR-triggered jobs:
- Add refs/pull/*/merge to branch policies that previously matched the source branch name.
- If a workflow uses pull_request_target, confirm the environment policy includes the default branch (that's the new execution ref).
- Harden token scope for those environments; most jobs run fine with read-only GITHUB_TOKEN.
Consider whether you need pull_request_target at all. If you don’t need elevated permissions or secrets, switch to pull_request. We maintain a field guide with safe patterns in our Last‑Mile Cutover Guide.
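A small model of the December 8 semantics described in the "Update PR-driven environment rules" section and applied in the Day 2 steps above, added as an example and not GitHub's own code. It assumes that policy patterns are matched against both the full ref and its refs/heads/ short name, and that * matches any run of characters except /, which approximates GitHub's wildcard; the environment policies it audits are constructed.

```python
"""Model of the December 8 branch-policy semantics for PR events (added
example, not GitHub's code). Assumptions: policy patterns are matched
against both the full ref and its 'refs/heads/' short name, and '*' matches
any run of characters except '/', approximating GitHub's wildcard."""
import re

MERGE_REF_EVENTS = {"pull_request", "pull_request_review",
                    "pull_request_review_comment"}

def execution_ref(event: str, pr_number: int, default_branch: str = "main") -> str:
    """The ref an environment's branch policy is evaluated against after Dec 8."""
    if event in MERGE_REF_EVENTS:
        return f"refs/pull/{pr_number}/merge"
    if event == "pull_request_target":
        return f"refs/heads/{default_branch}"
    raise ValueError(f"not a pull-request event: {event}")

def _pattern_to_regex(pattern: str) -> re.Pattern:
    # Literal text except '*', which must not cross a '/' boundary.
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + "[^/]*".join(parts) + "$")

def policy_allows(patterns, ref: str) -> bool:
    """True if any deployment-branch pattern matches the execution ref."""
    short = ref[len("refs/heads/"):] if ref.startswith("refs/heads/") else ref
    return any(_pattern_to_regex(p).match(c) for p in patterns for c in (ref, short))

def audit(environments: dict, event: str, pr_number: int = 42,
          default_branch: str = "main") -> list:
    """Names of environments whose policy stops matching for this event."""
    ref = execution_ref(event, pr_number, default_branch)
    return [name for name, pats in environments.items() if not policy_allows(pats, ref)]

# Constructed environment policies, as they might look before remediation.
ENVS = {
    "staging": ["main", "release/*"],          # breaks for pull_request jobs
    "preview": ["refs/pull/*/merge"],          # breaks for pull_request_target
    "docs": ["main", "refs/pull/*/merge"],     # covers both
}

if __name__ == "__main__":
    for ev in ("pull_request", "pull_request_target"):
        print(ev, "->", audit(ENVS, ev))
```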
Day 3: Move your macOS fleet
Test Apple Silicon runners side-by-side. Create a temporary workflow to run the same job on macos-15 and macos-15-xlarge. Pay attention to simulator boot times and codesign. Typical wins we’ve seen:
- 30–40% faster Swift builds on M2 versus Intel large runners.
- Metal shader compile steps reliably parallelized with fewer timeouts.
- Lower queue times on xlarge labels during US business hours.
If a third-party tool still requires Intel, isolate it to a single job with macos-15-intel, document the exception, and set a sunset date. Don’t hold the whole pipeline back.
Day 4: Tune caches for hourly eviction
Refactor caches where keys are too broad. Pattern that works well:
- uses: actions/cache@v4
  with:
    path: |
      ~/.npm
      node_modules
    key: npm-${{ runner.os }}-${{ hashFiles('**/package-lock.json') }}
    restore-keys: |
      npm-${{ runner.os }}-
For Gradle or CocoaPods, scope caches per module or workspace. Keep the hottest caches small (hundreds of MB, not multiple GB). Review cache hit rate daily while eviction stabilizes.
Day 5: Rotate npm tokens and adopt OIDC
Migrate classic tokens to granular ones with the minimal scopes required. For publishing, prefer OIDC-based trusted publishing so your CI never holds long-lived credentials. Update publish workflows to request a short-lived session token and set explicit package access. Validate on a canary package before cutting over the main artifacts.
Day 6–7: Raise the floor
Turn on CodeQL workflow analysis for your repos if it isn’t already. It catches missing permissions, untrusted inputs, and script-injection primitives in workflow YAML. Add a periodic job to check for unpinned third-party actions and flag them in PR comments. The goal isn’t zero risk—just fewer footguns shipped to production.
People also ask
Do I need to abandon pull_request_target entirely?
No. Use it when you need elevated permissions or environment secrets to validate changes from forks—like label triage or docs deploy previews. But apply least privilege, validate inputs, and prefer a dedicated, scoped environment. Many teams can safely switch most jobs to pull_request and keep pull_request_target for a narrow slice.
Which macOS runner label should I pick for iOS builds?
Default to macos-15 (arm64). If you’re compiling big workspaces with heavy concurrency, trial macos-15-xlarge. Only use macos-15-intel when a dependency is hard-pinned to x86 and you’ve scheduled its removal. Revisit sizes after a week; the cheapest runner is the one that finishes fast and avoids queue time.
How do I test Node 24 on Actions now?
Actions runners already include Node 24 alongside Node 20. You can opt in early by setting FORCE_JAVASCRIPT_ACTIONS_TO_NODE24=true in a test workflow or in a staging environment. Update action versions to those that declare Node 24 support, then remove the flag once you’re confident.
A compact framework for CI/CD hardening
Security and reliability move together. Use this 4x4 worksheet in your next platform review:
- Sources: Default-branch workflows for PR-targeted jobs; pin third-party actions by SHA; ban known-bad actions; require branch protections.
- Secrets: Prefer environment-scoped secrets; read-only GITHUB_TOKEN by default; OIDC for publishers; rotate npm tokens on a schedule.
- Speed: Break test matrices into reusable workflows; cache with precise keys; avoid giant monolithic jobs; isolate flaky tests and cap retries.
- Signals: Turn on CodeQL for workflows; emit cache hit/miss metrics; track queue times and cold-starts; alert on runner label deprecations.
Data you can take to the standup
Pin these dates to your tracker so no one debates them:
- November 6, 2025: New Actions releases—10 nested reusable workflows; 50 workflow calls; M2 macOS runners GA; Copilot coding agent no longer requires Actions.
- November 7, 2025: Announcement of pull_request_target and environment rule changes; effective December 8, 2025.
- November 5, 2025: Classic npm token creation disabled; granular write tokens require 2FA; max 90‑day lifetime; classic tokens revoked November 19, 2025.
- November 2025: Hourly cache eviction enforcement to keep repos under 10 GB.
- December 4, 2025: macOS 13 runner images retired; switch to macos-15/macos-latest (arm64) or temporary macos-15-intel.
Common edge cases (and how to avoid waking up your SRE)
Repo uses environments as a manual approval gate. After December 8, PR jobs might not match your environment filters. Add refs/pull/*/merge. If an approval must only come from main, split the job: validate on PR, deploy on merge.
Hybrid Intel/arm64 toolchains. Some binary-only SDKs still assume x86. Pin those steps to macos-15-intel and keep the rest on arm64. Document the exception and vendor contact; set a 90‑day review cadence.
Cache thrashing destroys speed. If cache usage spikes above 10 GB, the hourly eviction will churn. Split caches per job, trim paths, and prefer artifact pass-through for massive build outputs (e.g., Pods build products).
npm token sprawl. Granular tokens with write scopes still leak if you keep them everywhere. Centralize publishing in one workflow per package and publish via OIDC. Everything else reads from npm with read-only tokens or anonymous pulls.
What to do next
Pick the list that fits your role and close the loop.
For developers
- Update environment branch filters and test PR paths for protected jobs.
- Swap any macos-13* labels for macos-15 or macos-15-xlarge; keep a tactical macos-15-intel job only if necessary.
- Refactor caches with precise keys; watch hit rate after a few runs.
- Rotate npm tokens and adopt OIDC publishing.
For engineering managers
- Schedule a two‑hour cutover window; assign owners per repo.
- Turn on CodeQL workflow analysis across org repos.
- Enforce SHA‑pinned third‑party actions and a small allowlist.
- Track build time and queue time deltas post‑migration.
For business owners
- Avoid outage risk near November 19 (npm tokens) and December 4 (macOS 13 retirement).
- Budget for a few xlarge Apple Silicon runners if they cut total time—and cost—by reducing queues.
- Ask for a short report on cache policy impact and package publishing posture.
Want a second set of hands?
If you’d like a partner to own the cutover, we do this regularly for teams your size. See our CI/CD services and drop a note via our contact form. If you’re already deep into the work, these articles may save you hours: the Last‑Mile Cutover Guide for Actions, the macOS 13 runner deprecation checklist, and our npm migration to‑do list.
The bottom line
November’s releases are good news, but passive readers pay a tax. The new 10/50 workflow limits let you structure pipelines like real software. M2 macOS runners deliver measurable speedups. The PR security semantics fix longstanding footguns. Hourly cache eviction rewards teams that manage their state. And npm’s token deadlines finally push the ecosystem toward short‑lived credentials. None of this needs a multi‑quarter project. Block two focused sessions this week and you’ll be on the right side of every change.