GitHub Actions November 2025: What Changed Now

The November 2025 wave of GitHub Actions changes landed with real impact: higher ceilings for reusable workflows, Apple Silicon M2 macOS runners in general availability, a cache eviction policy that finally bites at scale, and a December security update that changes how pull_request_target and environment branch protections behave. If “GitHub Actions November 2025” wasn’t already on your team’s radar, it should be—because these aren’t just convenience tweaks. They reshape how you structure CI/CD, especially in monorepos and regulated environments.

What changed in GitHub Actions November 2025?

Here’s the short list you can paste into your team channel:

• Reusable workflows: limits raised to 10 nested levels and 50 total calls per run. This is a big architectural unlock for platform teams managing policy-as-code and language cells.
• macOS runners: M2-powered larger runners are GA with labels like macos-15-xlarge and macos-latest-xlarge. The macos-latest label migrated to macOS 15 in August–September 2025, and Intel (x86_64) support is on a long deprecation path (Apple Silicon is the default future).
• Cache enforcement: GitHub is shifting eviction checks from every 24 hours to every hour. If you routinely exceed ~10 GB cache per repo, watch for thrash and adjust keys or save/restore strategy.
• Security: On December 8, 2025, pull_request_target resolves refs from the default branch, and environment branch protection rules will evaluate against the executing ref for PR events. If you rely on precise branch filters for environments, you’ll need to update those patterns.
• Copilot: The Copilot coding agent no longer requires enabling GitHub Actions at the org level. That gives admins more flexibility separating automation from AI assistance.

We’ll unpack each area, then get practical about updates you can ship this week.

Why these changes matter more than they look

Limits shape architecture. The old cap—four nested reusable workflows and 20 calls—forced teams to cram logic into fewer YAML files or accept brittle copy/paste across services. Raising to 10/50 lets you model a pipeline as it really is: a stack of small, composable workflows (checkout, cache, language setup, lint, unit, integration, SAST/DAST, SBOM/signing, deploy, verify) that you can reuse and govern consistently.

On Apple platforms, the macOS story has been converging on Apple Silicon for years. M2 GA means faster builds for iOS/macOS with better GPU-enabled workloads. The catch? Tooling assumptions change—Xcode versions, simulator availability, and architecture-specific flags can trip up pipelines that haven’t been maintained. If you’ve been standing still, your pipelines are moving under you.

Security-wise, pull_request_target was always powerful but risky because it runs with elevated permissions and access to secrets. By anchoring it to the default branch, GitHub closes a class of attacks that abused outdated workflows on non-default branches. It’s the right call—just expect to tweak environment branch protection filters and some assumptions about refs in your jobs.

“GitHub Actions November 2025” playbook: a 7‑day upgrade plan

Here’s a pragmatic, low-drama sequence we’ve used with client teams to adapt quickly without breaking deploys.

Day 1: Baseline and blast radius

Inventory the repos that matter (prod deployers and SDKs first). For each:

• List workflows that call or are called as reusable workflows. Flag any that already hit the old 4/20 limits.
• Find jobs with runs-on: macos-*. Note Intel usage (macos-15-intel, macos-14-large) and iOS simulators.
• Check cache usage at repo and org scope. If you’re dancing around 10 GB, you’re at risk of hourly eviction churn.
• Search for on: pull_request_target and workflows that attach environments on PR events. List the environment branch pattern rules.

Tip: if your pipelines publish to npm, put those on the front burner and audit tokens. Classic tokens are being revoked on November 19, 2025. If that’s news, use our CI/CD playbook in npm Token Migration by Nov 19: The CI/CD Playbook and line up granular access tokens today.

Day 2: Reshape with reusable workflows (10/50)

Split monolith workflows into composable layers. A common pattern:

# .github/workflows/pipeline.yml
name: service-pipeline
on:
  push:
    branches: [main]
  pull_request:

jobs:
  gates:
    uses: org/.github/.github/workflows/supply-chain.yml@v3
    secrets: inherit

  language:
    uses: org/.github/.github/workflows/node-cell.yml@v7
    with:
      node-version: '22.x'
    secrets: inherit

  test-matrix:
    uses: org/.github/.github/workflows/test-matrix.yml@v12

  package:
    uses: org/.github/.github/workflows/package-sign-sbom.yml@v5

  deploy:
    if: github.ref == 'refs/heads/main'
    uses: org/.github/.github/workflows/deploy-env.yml@v9
    with:
      environment: 'staging'

With 10 levels and 50 calls, you can break “cells” down without fear. Keep each called workflow small and single-purpose. Enforce SHA pinning in your allowed actions policy for third‑party actions, and explicitly block risky actions or tags. It’s a two-minute governance win that prevents surprise upgrades.

Day 3: M2 macOS runners without surprises

Confirm your labels and toolchain:

• Use macos-15-xlarge or macos-latest-xlarge for Apple Silicon larger runners. Avoid assuming macos-latest is macOS 14—it’s on 15.
• For legacy Intel needs, target macos-15-intel or the standard large labels, and plan a migration path off x86_64 well ahead of 2027 when macOS 15 images retire.
• Pin Xcode with xcversion or agvtool equivalents and verify simulator availability before flipping labels.

Example:

jobs:
  ios-build:
    runs-on: macos-15-xlarge
    steps:
      - uses: actions/checkout@<SHA>
      - uses: maxim-lobanov/setup-xcode@<SHA>
        with:
          xcode-version: '16.1'
      - name: Build and test
        run: |
          xcodebuild -scheme App -sdk iphonesimulator -destination 'platform=iOS Simulator,name=iPhone 16' test

Run these on a staging branch for a week before promoting to main. Watch for code signing, provisioning profile, and simulator flakiness.

Day 4: Cache policy sanity check

The hourly eviction check means your least‑recently‑used caches rotate faster. If your keying strategy is too granular, you’ll thrash. Practical tweaks:

• Prefer a stable key with a few restore-keys fallbacks instead of hashing entire lockfiles for every tiny change.
• Avoid storing giant artifacts in cache; use artifacts for build outputs you must keep, and cache only what’s truly expensive to rebuild (language deps, toolchains).
• Upgrade to the latest actions/cache release and ensure your self‑hosted runners are on a current version if you operate them.

- uses: actions/cache@<SHA-of-v4>
  with:
    path: | 
      ~/.npm
      node_modules
    key: npm-${{ runner.os }}-v1-${{ hashFiles('**/package-lock.json') }}
    restore-keys: |
      npm-${{ runner.os }}-v1-

Day 5: Pull request security changes (Dec 8 deadline)

Two checks to make now so you aren’t scrambling in December:

• Minimize use of pull_request_target. If you don’t need elevated permissions or secrets, switch to pull_request. Where you must keep it, restrict permissions with permissions: and sanitize any user input before it hits a shell.
• Update environment patterns for PR events. Environment rules will evaluate against refs/pull/<number>/merge for pull_request* events and the default branch for pull_request_target. If your pattern was refs/heads/main or a branch glob, add the PR merge ref pattern where appropriate.

permissions:
  contents: read
  id-token: write
  packages: read

on:
  pull_request:
    types: [opened, synchronize, reopened]

jobs:
  check:
    environment: staging  # ensure environment rule matches PR merge refs
    runs-on: ubuntu-latest

Day 6: Copilot, budgets, and separation of duties

The Copilot coding agent no longer needs Actions enabled at the org level. That’s handy for orgs that keep automation tightly gated but still want AI assistance in repos. If your finance or security team is watching AI usage or premium request budgets, treat Copilot like any other metered service: set budgets, monitor usage, and document model choices in repo /.github policies. For billing gotchas and governance tips, see Copilot Premium Requests: Avoid Nov 18 Surprise Bills.

Day 7: Governance sweep

Lock in the wins:

• Enforce SHA pinning and blocklist rules for actions at org level. Explicitly deny risky tags (for example, actions/checkout@v4 without a SHA).
• Set default token permissions to read and elevate per job only when required.
• Turn on code scanning for action workflows; scan the .github/workflows directory as part of your policy-as-code pipeline.

People also ask: common questions we’re getting

Should we still use pull_request_target?

Only when you must. It’s intended for scenarios where the workflow needs elevated permissions on PRs—think triage bots or labelers that need write access. For builds and tests, prefer pull_request and drop permissions to least privilege. If you keep pull_request_target, assume all PR input is untrusted: never run unvetted code with secrets loaded, and gate anything sensitive behind manual approvals or environment protections.

Will the cache eviction change break our builds?

It can, but mostly due to configuration. If you routinely blow past 10 GB per repo with many unique keys, your hit rate will crater when eviction runs hourly. Consolidate keys and separate concerns: put heavyweight language dependency caches under stable keys, and keep build artifacts as artifacts so the cache remains “hot.” Track success rate for actions/cache in your job analytics after the change.

How do we migrate macOS runners safely?

Create a temporary matrix job that runs the same suite on your current label and on macos-15-xlarge. Compare durations, flake rates, and simulator availability. Keep the new lane non‑blocking for a few days; then flip default and remove the old job. If you rely on Intel‑only binary tools, keep a small Intel lane while you plan replacements.

What about npm tokens in our pipelines?

If your CI publishes to npm, you have a near‑term deadline: classic tokens stop working on November 19, 2025. Move to granular access tokens, enforce 2FA, and use the “bypass 2FA” option only for automation scopes that truly require it. Our field guide—npm Token Migration by Nov 19: The CI/CD Playbook—walks you through CI-safe cutovers.

Let’s get practical: copy‑paste snippets that help today

Reusable workflow call with least‑privilege secrets

jobs:
  sdlc-gates:
    uses: org/.github/.github/workflows/sdlc-gates.yml@v18
    secrets:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      OSS_INDEX_TOKEN: ${{ secrets.OSS_INDEX_TOKEN }}
    permissions:
      contents: read
      security-events: write

Safer PRs: prefer pull_request, limit permissions

on: [pull_request]
permissions:
  contents: read
  checks: read
  id-token: none

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@<SHA>
        with: { fetch-depth: 0 }
      - run: npm ci && npm test

Cache keys that won’t thrash hourly

- uses: actions/cache@<SHA-of-v4>
  with:
    path: ~/.cache/pip
    key: pip-${{ runner.os }}-v1-${{ hashFiles('**/requirements*.txt') }}
    restore-keys: |
      pip-${{ runner.os }}-v1-

What to do next

• Raise an internal issue summarizing the November changes and the December 8 security update. Assign an owner per repo cluster.
• Refactor two of your most brittle workflows using the 10/50 limits. Measure YAML size and change diff noise before/after.
• Stage M2 runner labels on a non‑blocking lane this week. Flip after 3–5 green runs.
• Tighten environment branch patterns for PR events now so December doesn’t surprise you.
• Audit npm tokens in CI and cut over to granular tokens if you haven’t already.

Zooming out: how to think about the next quarter

Actions keeps evolving toward safer defaults and more modular pipelines. Treat these limits and security changes as a nudge to do the platform work you’ve deferred: consolidate language setup into shared workflows, enforce SHA pinning org‑wide, and prune caches. The payoff is less YAML drift, faster iterative changes, and fewer late‑night rebuilds when a single action bumps a minor version.

If you want a quick side‑by‑side checklist of the new limits and labels, our field notes here—new limits, M2, Copilot—and our tactical guide—what to change now—are good companions to this piece. If you’d rather have a partner pressure‑test your pipeline design, our team can help; start with a note via contact us.

Final checklist before you ship changes

• Reusable workflows: confirm calls and nesting remain under 50/10; break out cells where duplication exists.
• macOS: verify labels, Xcode version pinning, and simulator targets. Keep a fallback lane until confidence is high.
• Cache: simplify keys, upgrade actions/cache, and watch hit rates over the next two weeks.
• PR security: minimize pull_request_target, adjust environment patterns, and lock permissions.
• Budgets/tokens: align Copilot budgets and migrate npm tokens before November 19 if you publish.

The theme this month is composability with guardrails. Embrace the expanded limits, then tighten the edges. Your future self—and your pager—will thank you.

Related reads from our team:

• GitHub Actions November 2025: New Limits, M2, Copilot
• GitHub Actions November 2025: What to Change Now
• npm Token Migration by Nov 19: The CI/CD Playbook
• Talk to our engineering team