diff --git a/content/actions/security-guides/security-hardening-for-github-actions.md b/content/actions/security-guides/security-hardening-for-github-actions.md index ddfb5367bc..fb91d91519 100644 --- a/content/actions/security-guides/security-hardening-for-github-actions.md +++ b/content/actions/security-guides/security-hardening-for-github-actions.md @@ -14,8 +14,6 @@ topics: - Security --- -{% data reusables.actions.enterprise-github-hosted-runners %} - ## Overview This guide explains how to configure security hardening for certain {% data variables.product.prodname_actions %} features. If the {% data variables.product.prodname_actions %} concepts are unfamiliar, see "[AUTOTITLE](/actions/learn-github-actions/understanding-github-actions)." @@ -214,7 +212,7 @@ The same principles described above for using third-party actions also apply to {% ifversion internal-actions %} -## Allowing workflows to access internal {% ifversion private-actions %}and private {% endif %}repositories +## Allowing workflows to access internal and private repositories {% data reusables.actions.outside-collaborators-actions %} For more information, see "[AUTOTITLE](/actions/creating-actions/sharing-actions-and-workflows-with-your-enterprise)." 
@@ -222,14 +220,11 @@ The same principles described above for using third-party actions also apply to {% endif %} -{% ifversion allow-actions-to-approve-pr %} +## Preventing {% data variables.product.prodname_actions %} from creating or approving pull requests -## Preventing {% data variables.product.prodname_actions %} from {% ifversion allow-actions-to-approve-pr-with-ent-repo %}creating or {% endif %}approving pull requests +{% data reusables.actions.workflow-pr-approval-permissions-intro %} Allowing workflows, or any other automation, to create or approve pull requests could be a security risk if the pull request is merged without proper oversight. -{% data reusables.actions.workflow-pr-approval-permissions-intro %} Allowing workflows, or any other automation, to {% ifversion allow-actions-to-approve-pr-with-ent-repo %}create or {% endif %}approve pull requests could be a security risk if the pull request is merged without proper oversight. - -For more information on how to configure this setting, see {% ifversion allow-actions-to-approve-pr-with-ent-repo %}{% ifversion ghes or ghec %}"[AUTOTITLE](/enterprise-cloud@latest/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#preventing-github-actions-from-creating-or-approving-pull-requests)",{% endif %}{% endif %} "[Disabling or limiting {% data variables.product.prodname_actions %} for your organization](/github/setting-up-and-managing-organizations-and-teams/disabling-or-limiting-github-actions-for-your-organization#preventing-github-actions-from-{% ifversion allow-actions-to-approve-pr-with-ent-repo %}creating-or-{% endif %}approving-pull-requests)"{% ifversion allow-actions-to-approve-pr-with-ent-repo %}, and "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#preventing-github-actions-from-creating-or-approving-pull-requests)"{% endif %}. 
-{% endif %} +For more information on how to configure this setting, see {% ifversion ghes or ghec %}"[AUTOTITLE](/enterprise-cloud@latest/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#preventing-github-actions-from-creating-or-approving-pull-requests),"{% endif %} "[Disabling or limiting {% data variables.product.prodname_actions %} for your organization](/github/setting-up-and-managing-organizations-and-teams/disabling-or-limiting-github-actions-for-your-organization#preventing-github-actions-from-creating-or-approving-pull-requests)," and "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#preventing-github-actions-from-creating-or-approving-pull-requests)." ## Using OpenSSF Scorecards to secure workflows @@ -239,12 +234,16 @@ For more information on how to configure this setting, see {% ifversion allow-ac These sections consider some of the steps an attacker can take if they're able to run malicious commands on a {% data variables.product.prodname_actions %} runner. +{% ifversion fpt or ghec %} + {% note %} **Note:** {% data variables.product.prodname_dotcom %}-hosted runners do not scan for malicious code downloaded by a user during their job, such as a compromised third party library. {% endnote %} +{% endif %} + ### Accessing secrets Workflows triggered from a forked repository using the `pull_request` event have read-only permissions and have no access to secrets. However, these permissions differ for various event triggers such as `issue_comment`, `issues`, `push` and `pull_request` from a branch within the repository, where the attacker could attempt to steal repository secrets or use the write permission of the job's [`GITHUB_TOKEN`](/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token). 
@@ -303,15 +302,21 @@ This list describes the recommended approaches for accessing repository data wit ## Hardening for {% data variables.product.prodname_dotcom %}-hosted runners +{% data reusables.actions.enterprise-github-hosted-runners %} + +{% ifversion fpt or ghec %} + {% data variables.product.prodname_dotcom %}-hosted runners take measures to help you mitigate security risks. {% ifversion actions-sbom %} ### Reviewing the supply chain for {% data variables.product.prodname_dotcom %}-hosted runners -You can view a software bill of materials (SBOM) to see what software was pre-installed on the {% data variables.product.prodname_dotcom %}-hosted runner image used during your workflow runs. You can provide your users with the SBOM which they can run through a vulnerability scanner to validate if there are any vulnerabilities in the product. If you are building artifacts, you can include this SBOM in your bill of materials for a comprehensive list of everything that went into creating your software. +For {% data variables.product.prodname_dotcom %}-hosted runners created from images maintained by {% data variables.product.company_short %}, you can view a software bill of materials (SBOM) to see what software was pre-installed on the runner. You can provide your users with the SBOM which they can run through a vulnerability scanner to validate if there are any vulnerabilities in the product. If you are building artifacts, you can include this SBOM in your bill of materials for a comprehensive list of everything that went into creating your software. -SBOMs are available for Ubuntu, Windows, and macOS runner images. You can locate the SBOM for your build in the release assets at https://github.com/actions/runner-images/releases. An SBOM with a filename in the format of `sbom.IMAGE-NAME.json.zip` can be found in the attachments of each release. 
+SBOMs are available for Ubuntu, Windows, and macOS runner images maintained by {% data variables.product.company_short %}. You can locate the SBOM for your build in the release assets at https://github.com/actions/runner-images/releases. An SBOM with a filename in the format of `sbom.IMAGE-NAME.json.zip` can be found in the attachments of each release. + +For third-party images, such as the images for ARM-powered runners, you can find details of the software that's included in the image in the [`actions/partner-runner-images` repository](https://github.com/actions/partner-runner-images). {% endif %} @@ -319,6 +324,8 @@ SBOMs are available for Ubuntu, Windows, and macOS runner images. You can locate {% data reusables.actions.runners-etc-hosts-file %} For more information, see "[AUTOTITLE](/actions/using-github-hosted-runners/about-github-hosted-runners)." +{% endif %} + ## Hardening for self-hosted runners {% ifversion fpt or ghec %} @@ -385,7 +392,7 @@ You can use the security log to monitor activity for your user account and the a For example, you can use the audit log to track the `org.update_actions_secret` event, which tracks changes to organization secrets. -![Screenshot showing a search for "action:org.update_actions_secret" in the audit log for an organization. Two results detail API updates to two secrets that are available to selected repositories.](/assets/images/help/repository/audit-log-entries.png) +![Screenshot showing a search for "action:org.update_actions_secret" in the audit log for an organization. Two results are shown.](/assets/images/help/repository/audit-log-entries.png) For the full list of events that you can find in the audit log for each account type, see the following articles: diff --git a/content/actions/using-github-hosted-runners/about-github-hosted-runners/about-github-hosted-runners.md b/content/actions/using-github-hosted-runners/about-github-hosted-runners/about-github-hosted-runners.md index f4335c17f0..e5d0edc738 100644 
--- a/content/actions/using-github-hosted-runners/about-github-hosted-runners/about-github-hosted-runners.md +++ b/content/actions/using-github-hosted-runners/about-github-hosted-runners/about-github-hosted-runners.md @@ -26,6 +26,8 @@ Runners are the machines that execute jobs in a {% data variables.product.prodna {% ifversion not ghes %} +You can choose one of the standard {% data variables.product.prodname_dotcom %}-hosted runner options or, if you are on the {% data variables.product.prodname_team %} or {% data variables.product.prodname_ghe_cloud %} plan, you can provision a runner with more cores, or a runner that's powered by a GPU or ARM processor. These machines are referred to as "{% data variables.actions.hosted_runner %}." For more information, see "[AUTOTITLE](/enterprise-cloud@latest/actions/using-github-hosted-runners/about-larger-runners/about-larger-runners)." + Using {% data variables.product.prodname_dotcom %}-hosted runners requires network access with at least 70 kilobits per second upload and download speeds. {% endif %} diff --git a/content/actions/using-github-hosted-runners/about-larger-runners/about-larger-runners.md b/content/actions/using-github-hosted-runners/about-larger-runners/about-larger-runners.md index f3123ea454..ed9ce541d4 100644 --- a/content/actions/using-github-hosted-runners/about-larger-runners/about-larger-runners.md +++ b/content/actions/using-github-hosted-runners/about-larger-runners/about-larger-runners.md 
@@ -27,10 +27,7 @@ Ubuntu and Windows {% data variables.actions.hosted_runners %} offer autoscaling The following machines sizes are available for macOS {% data variables.actions.hosted_runners %}. -| Runner Size | Architecture| Processor (CPU)| Memory (RAM) | Storage (SSD) | YAML workflow label | -| --------------| --------------| -------------- | ------------- | ------------- | --------------------- | -| Large | Intel| 12 | 30 GB | 14 GB | macos-latest-large, macos-12-large, macos-13-large [latest], macos-14-large[Beta] | -| XLarge| arm64 (M1)|6 CPU and 8 GPU| 14 GB | 14 GB | macos-latest-xlarge, macos-13-xlarge[latest], macos-14-xlarge[Beta] | +{% data reusables.actions.larger-runners-table %} #### Limitations for macOS {% data variables.actions.hosted_runners %} @@ -42,11 +39,11 @@ Compared to standard {% data variables.product.prodname_dotcom %}-hosted runners {% rowheaders %} -| Operating system | Ubuntu | Windows | macOS | -| -------------------------------------------- | ------ | ------- | ----- | +| | Ubuntu | Windows | macOS | +| ------------------- | ------ | ------- | ----- | | Static IP addresses | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} | -| Autoscaling | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} | -| Runner groups | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} | +| Autoscaling | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} | +| Runner groups | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} | {% endrowheaders %} 
@@ -58,11 +55,11 @@ These features can enhance your CI/CD pipelines in the following ways. ### Runner images -{% data variables.actions.hosted_runner_caps %}s run on virtual machines (VMs), and GitHub installs a virtual hard disk (VHD) on this machine during the VM creation process. You can choose from different VM images to install on your runners. +{% data variables.actions.hosted_runner_caps %}s run on virtual machines (VMs), and {% data variables.product.prodname_dotcom %} installs a virtual hard disk (VHD) on this machine during the VM creation process. You can choose from different VM images to install on your runners. -**GitHub-owned images:** These images are maintained by GitHub and are available for Linux x64, Windows x64, and macOS (x64 and arm) runners. For more information on these images and a full list of included tools for each runner operating system, see the [{% data variables.product.prodname_actions %} Runner Images](https://github.com/actions/runner-images) repository. +**{% data variables.product.prodname_dotcom %}-owned images:** These images are maintained by {% data variables.product.prodname_dotcom %} and are available for Linux x64, Windows x64, and macOS (x64 and arm) runners. For more information on these images and a full list of included tools for each runner operating system, see the [{% data variables.product.prodname_actions %} Runner Images](https://github.com/actions/runner-images) repository. -**Partner Images:** Partner images are not managed by GitHub and are pulled from the Azure Marketplace. For more info on the Windows 11 desktop image see [Microsoft Windows 11 Desktop](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/microsoftwindowsdesktop.windows-11?tab=Overview). 
For more info on the GPU runner compatible images, see [NVIDIA GPU-Optimized VMI](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/nvidia.ngc_azure_17_11) and [Data Science Virtual Machine - Windows 2019](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/microsoft-dsvm.dsvm-win-2019?tab=overview). +**Partner Images:** Partner images are not managed by {% data variables.product.prodname_dotcom %} and are pulled from the Azure Marketplace. For more information about about the Windows 11 desktop image see [Microsoft Windows 11 Desktop](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/microsoftwindowsdesktop.windows-11?tab=Overview). For more information about the GPU runner compatible images, see [NVIDIA GPU-Optimized VMI](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/nvidia.ngc_azure_17_11) and [Data Science Virtual Machine - Windows 2019](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/microsoft-dsvm.dsvm-win-2019?tab=overview). For more information about the images for ARM-powered runners, see the [`actions/partner-runner-images` repository](https://github.com/actions/partner-runner-images). This is also the place to provide feedback or report issues about third-party images. ### Understanding billing 
@@ -80,22 +77,33 @@ You can choose from several specifications for {% data variables.actions.hosted_ ### Specifications for general {% data variables.actions.hosted_runners %} -| CPU | Memory (RAM) | Storage (SSD) | Operating system (OS) | -| --- | ------------- | ------------- | --------------------- | -| 6 | 14 GB | 14 GB | macOS | -| 12 | 30 GB | 14 GB | macOS | -| 2 | 8 GB | 75 GB | Ubuntu | -| 4 | 16 GB | 150 GB | Ubuntu, Windows | -| 8 | 32 GB | 300 GB | Ubuntu, Windows | -| 16 | 64 GB | 600 GB | Ubuntu, Windows | -| 32 | 128 GB | 1200 GB | Ubuntu, Windows | -| 64 | 256 GB | 2040 GB | Ubuntu, Windows | +{% note %} ->[!NOTE] The 4vcpu Windows runner only works with the Windows 11 Desktop image. +**Note:** arm64 runners are currently in beta and subject to change. + +{% endnote %} + +| CPU | Memory (RAM) | Storage (SSD) | Architecture | Operating system (OS) | +| --- | ------------- | ------------- | ------------ | --------------------- | +| 6 | 14 GB | 14 GB | arm64 | macOS | +| 12 | 30 GB | 14 GB | x64 | macOS | +| 2 | 8 GB | 75 GB | x64, arm64 | Ubuntu | +| 4 | 16 GB | 150 GB | x64, arm64 | Ubuntu, Windows | +| 8 | 32 GB | 300 GB | x64, arm64 | Ubuntu, Windows | +| 16 | 64 GB | 600 GB | x64, arm64 | Ubuntu, Windows | +| 32 | 128 GB | 1200 GB | x64, arm64 | Ubuntu, Windows | +| 64 | 208 GB | 2040 GB | arm64 | Ubuntu, Windows | +| 64 | 256 GB | 2040 GB | x64 | Ubuntu, Windows | + +>[!NOTE] The 4-vCPU Windows runner only works with the Windows 11 Desktop image. ### Specifications for GPU {% data variables.actions.hosted_runners %} -{% data reusables.actions.gpu-runner-beta-note %} +{% note %} + +**Note:** GPU runners are currently in beta and subject to change. + +{% endnote %} | CPU | GPU | GPU card | Memory (RAM) | GPU memory (VRAM) | Storage (SSD) | Operating system (OS) | | --- | --- | -------- | ------------ | ----------------- | ------------- | --------------------- | 
diff --git a/content/actions/using-github-hosted-runners/about-larger-runners/controlling-access-to-larger-runners.md b/content/actions/using-github-hosted-runners/about-larger-runners/controlling-access-to-larger-runners.md index a1a6a0bd81..0b268f24df 100644 --- a/content/actions/using-github-hosted-runners/about-larger-runners/controlling-access-to-larger-runners.md +++ b/content/actions/using-github-hosted-runners/about-larger-runners/controlling-access-to-larger-runners.md @@ -10,9 +10,11 @@ redirect_from: - /actions/using-github-hosted-runners/controlling-access-to-larger-runners --- -{% data reusables.actions.enterprise-github-hosted-runners %} +{% note %} -{% data reusables.actions.windows-linux-larger-runners-note %} +**Note:** {% data reusables.actions.windows-linux-larger-runners-note %} + +{% endnote %} ## About runner groups @@ -33,7 +35,7 @@ Runner groups are used to control which repositories can run jobs on your {% dat For example, the following diagram has a runner group named `grp-ubuntu-20.04-16core` at the enterprise level. Before the repository named `octo-repo` can use the runners in the group, you must first configure the group at the enterprise level to allow access to the `octo-org` organization. You must then configure the group at the organization level to allow access to `octo-repo`. -![Diagram that shows a lock between a runner group at the enterprise level and an organization, and between the organization and two repositories owned by the organization.](/assets/images/help/actions/hosted-runner-mgmt.png) +![Diagram showing a runner group defined at the enterprise level with an organization configuration that allows access for two repositories.](/assets/images/help/actions/hosted-runner-mgmt.png) ## Creating a runner group for an organization 
diff --git a/content/actions/using-github-hosted-runners/about-larger-runners/managing-larger-runners.md b/content/actions/using-github-hosted-runners/about-larger-runners/managing-larger-runners.md index 456ba20a09..ce57f1088b 100644 --- a/content/actions/using-github-hosted-runners/about-larger-runners/managing-larger-runners.md +++ b/content/actions/using-github-hosted-runners/about-larger-runners/managing-larger-runners.md @@ -9,9 +9,14 @@ redirect_from: - /actions/using-github-hosted-runners/managing-larger-runners --- -{% data reusables.actions.windows-linux-larger-runners-note %} +{% note %} -{% data reusables.actions.gpu-runner-beta-note %} +**Notes:** + +- {% data reusables.actions.windows-linux-larger-runners-note %} +- GPU-powered runners and ARM-powered runners are currently in beta and are subject to change. + +{% endnote %} {% ifversion ghec %} diff --git a/content/actions/using-github-hosted-runners/about-larger-runners/running-jobs-on-larger-runners.md b/content/actions/using-github-hosted-runners/about-larger-runners/running-jobs-on-larger-runners.md index 4b9f187764..fa9b232b7d 100644 --- a/content/actions/using-github-hosted-runners/about-larger-runners/running-jobs-on-larger-runners.md +++ b/content/actions/using-github-hosted-runners/about-larger-runners/running-jobs-on-larger-runners.md 
@@ -36,10 +36,8 @@ Once your runner type has been defined, you can update your workflow YAML files Use the labels in the table below to run your workflows on the corresponding macOS {% data variables.actions.hosted_runner %}. -| Runner Size | Architecture| Processor (CPU)| Memory (RAM) | Storage (SSD) | OS (YAML workflow label) | -| --------------| --------------| -------------- | ------------- | ------------- | --------------------- | -| Large | Intel| 12 | 30 GB | 14 GB | macos-latest-large, macos-12-large , macos-13-large [latest] , macos-14-large[Beta] | -| XLarge| arm64 (M1)|6 CPU and 8 GPU| 14 GB | 14 GB | macos-latest-xlarge, macos-13-xlarge [latest], macos-14-xlarge[Beta] | +{% data reusables.actions.larger-runners-table %} + {% note %} **Note:** For macOS {% data variables.actions.hosted_runner %}s, the `-latest` runner label uses the macOS 12 runner image. For macOS Xlarge, the `-latest` runner label uses the macOS 13 runner image @@ -84,7 +82,9 @@ Use the labels in the table below to run your workflows on the corresponding mac ## Using labels to control where jobs are run -In this example, a runner group is populated with Ubuntu 16-core runners, which have also been assigned the label `ubuntu-20.04-16core`. The `runs-on` key sends the job to any available runner with a matching label: +{% data reusables.actions.runner-labels-implicit %} + +In this example, the `runs-on` key sends the job to any available runner that has been assigned the `ubuntu-20.04-16core` label: ```yaml name: learn-github-actions 
@@ -102,13 +102,17 @@ jobs: - run: bats -v ``` +{% data reusables.actions.runner-labels %} + {% endlinux %} {% windows %} ## Using labels to control where jobs are run -In this example, a runner group is populated with Windows 16-core runners, which have also been assigned the label `windows-2022-16core`. The `runs-on` key sends the job to any available runner with a matching label: +{% data reusables.actions.runner-labels-implicit %} + +In this example, the `runs-on` key sends the job to any available runner that has been assigned the `windows-2022-16core` label: ```yaml name: learn-github-actions @@ -126,6 +130,8 @@ jobs: - run: bats -v ``` +{% data reusables.actions.runner-labels %} + {% endwindows %} {% mac %} @@ -134,7 +140,7 @@ jobs: To run your workflows on macOS {% data variables.actions.hosted_runner %}s, set the value of the `runs-on` key to a label associated with a macOS {% data variables.actions.hosted_runner %}. For a list of macOS {% data variables.actions.hosted_runner %} labels, see "[Available macOS {% data variables.actions.hosted_runner %}s](#available-macos-larger-runners)." -In this example, the workflow uses a label that is associated with macOS XL runners, which is `macos-latest-xl -arm64`. The `runs-on` key sends the job to any available runner with a matching label: +In this example, the workflow uses a label that is associated with macOS XL runners. The `runs-on` key sends the job to any available runner with a matching label: ```yaml name: learn-github-actions-testing 
@@ -190,4 +196,10 @@ jobs: Because macOS arm64 does not support Node 12, macOS {% data variables.actions.hosted_runner %}s automatically use Node 16 to execute any JavaScript action written for Node 12. Some community actions may not be compatible with Node 16. If you use an action that requires a different Node version, you may need to manually install a specific version at runtime. +{% note %} + +**Note:** ARM-powered runners are currently in beta and are subject to change. + +{% endnote %} + {% endmac %} diff --git a/content/actions/using-jobs/choosing-the-runner-for-a-job.md b/content/actions/using-jobs/choosing-the-runner-for-a-job.md index 70103d2f1c..0c3b63b66a 100644 --- a/content/actions/using-jobs/choosing-the-runner-for-a-job.md +++ b/content/actions/using-jobs/choosing-the-runner-for-a-job.md @@ -7,9 +7,21 @@ versions: ghes: '*' ghec: '*' --- - + {% data reusables.actions.enterprise-github-hosted-runners %} ## Overview -{% data reusables.actions.jobs.section-choosing-the-runner-for-a-job %} +{% data reusables.actions.jobs.choosing-runner-overview %} + +## Choosing {% data variables.product.prodname_dotcom %}-hosted runners + +{% data reusables.actions.jobs.choosing-runner-github-hosted %} + +## Choosing self-hosted runners + +{% data reusables.actions.jobs.choosing-runner-self-hosted %} + +## Choosing runners in a group + +{% data reusables.actions.jobs.choosing-runner-group %} diff --git a/content/actions/using-workflows/workflow-syntax-for-github-actions.md b/content/actions/using-workflows/workflow-syntax-for-github-actions.md index d4d28cd71f..e0c226ff5e 100644 --- a/content/actions/using-workflows/workflow-syntax-for-github-actions.md +++ b/content/actions/using-workflows/workflow-syntax-for-github-actions.md 
@@ -313,7 +313,19 @@ env: ## `jobs..runs-on` -{% data reusables.actions.jobs.section-choosing-the-runner-for-a-job %} +{% data reusables.actions.jobs.choosing-runner-overview %} + +### Choosing {% data variables.product.prodname_dotcom %}-hosted runners + +{% data reusables.actions.jobs.choosing-runner-github-hosted %} + +### Choosing self-hosted runners + +{% data reusables.actions.jobs.choosing-runner-self-hosted %} + +### Choosing runners in a group + +{% data reusables.actions.jobs.choosing-runner-group %} ## `jobs..environment` @@ -1092,8 +1104,6 @@ jobs: {% endraw %} -{% ifversion actions-inherit-secrets-reusable-workflows %} - ## `jobs..secrets.inherit` Use the `inherit` keyword to pass all the calling workflow's secrets to the called workflow. This includes all secrets the calling workflow has access to, namely organization, repository, and environment secrets. The `inherit` keyword can be used to pass secrets across repositories within the same organization, or across organizations within the same enterprise. @@ -1131,7 +1141,6 @@ jobs: A pair consisting of a string identifier for the secret and the value of the secret. The identifier must match the name of a secret defined by [`on.workflow_call.secrets.`](#onworkflow_callsecretssecret_id) in the called workflow. Allowed expression contexts: `github`, `needs`, and `secrets`. -{% endif %} ## Filter pattern cheat sheet diff --git a/content/billing/managing-billing-for-github-actions/about-billing-for-github-actions.md b/content/billing/managing-billing-for-github-actions/about-billing-for-github-actions.md index b5632adec6..4d67da5da2 100644 --- a/content/billing/managing-billing-for-github-actions/about-billing-for-github-actions.md +++ b/content/billing/managing-billing-for-github-actions/about-billing-for-github-actions.md 
@@ -85,7 +85,7 @@ Jobs that run on Windows and macOS runners that {% data variables.product.prodna | Windows 2-core | $0.016 | | macOS 3 or 4 (M1 or Intel) | $0.08 | -#### Per-minute rates for {% data variables.actions.hosted_runners %} +#### Per-minute rates for x64-powered {% data variables.actions.hosted_runners %} | Operating system | Per-minute rate (USD) | |---------------------| -----------| 
@@ -95,17 +95,42 @@ Jobs that run on Windows and macOS runners that {% data variables.product.prodna | Linux 16-core | $0.064 | | Linux 32-core | $0.128 | | Linux 64-core | $0.256 | -| Linux 4-core GPU | $0.07 | | Windows 4-core | $0.032 | | Windows 8-core | $0.064 | | Windows 16-core | $0.128 | | Windows 32-core | $0.256 | | Windows 64-core | $0.512 | -| Windows 4-core GPU | $0.14 | +| Windows 4-core GPU | $0.14 | | macOS 12-core | $0.12 | + +#### Per-minute rates for arm64-powered {% data variables.actions.hosted_runners %} + +| Operating system | Per-minute rate (USD) | +|---------------------| -----------| +| Linux 2-core | $0.005 | +| Linux 4-core | $0.01 | +| Linux 8-core | $0.02 | +| Linux 16-core | $0.04 | +| Linux 32-core | $0.08 | +| Linux 64-core | $0.16 | +| Windows 2-core | $0.01 | +| Windows 4-core | $0.02 | +| Windows 8-core | $0.04 | +| Windows 16-core | $0.08 | +| Windows 32-core | $0.16 | +| Windows 64-core | $0.32 | | macOS 6-core (M1) | $0.16 | -- The number of jobs you can run concurrently across all repositories in your user or organization account depends on your GitHub plan. For more information, see "[AUTOTITLE](/actions/learn-github-actions/usage-limits-billing-and-administration)" for {% data variables.product.prodname_dotcom %}-hosted runners and "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners#usage-limits)" for self-hosted runner usage limits. +#### Per-minute rates for GPU-powered {% data variables.actions.hosted_runners %} + +| Operating system | Per-minute rate (USD) | +|---------------------| -----------| +| Linux 4-core | $0.07 | +| Windows 4-core | $0.14 | + +#### Points to note about rates for runners + +- The number of jobs you can run concurrently across all repositories in your user or organization account depends on your {% data variables.product.prodname_dotcom %} plan. 
For more information, see "[AUTOTITLE](/actions/learn-github-actions/usage-limits-billing-and-administration)" for {% data variables.product.prodname_dotcom %}-hosted runners and "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners#usage-limits)" for self-hosted runner usage limits. - {% data reusables.user-settings.context_switcher %} - {% data reusables.actions.larger-runner-permissions %} - {% data reusables.actions.about-larger-runners-billing %} diff --git a/data/reusables/actions/about-larger-runners.md b/data/reusables/actions/about-larger-runners.md index e41d05860f..7a0034973d 100644 --- a/data/reusables/actions/about-larger-runners.md +++ b/data/reusables/actions/about-larger-runners.md 
@@ -1,8 +1,9 @@ -In addition to the [standard {% data variables.product.prodname_dotcom %}-hosted runners](/actions/using-github-hosted-runners/about-github-hosted-runners#supported-runners-and-hardware-resources), {% data variables.product.prodname_dotcom %} offers customers on {% data variables.product.prodname_team %} and {% data variables.product.prodname_ghe_cloud %} plans a range of managed virtual machines with advanced features such as: +Customers on {% data variables.product.prodname_team %} and {% data variables.product.prodname_ghe_cloud %} plans can choose from a range of managed virtual machines that have more resources than the [standard {% data variables.product.prodname_dotcom %}-hosted runners](/actions/using-github-hosted-runners/about-github-hosted-runners#supported-runners-and-hardware-resources). These machines are referred to as "{% data variables.actions.hosted_runner %}." They offer the following advanced features: - More RAM, CPU, and disk space - Static IP addresses - The ability to group runners - Autoscaling to support concurrent workflows +- GPU-powered and ARM-powered runners These {% data variables.actions.hosted_runners %} are hosted by {% data variables.product.prodname_dotcom %} and have the runner application and other tools preinstalled. diff --git a/data/reusables/actions/actions-tab-new-runners-note.md b/data/reusables/actions/actions-tab-new-runners-note.md index 7d6f6b7c71..2055ddf0eb 100644 --- a/data/reusables/actions/actions-tab-new-runners-note.md +++ b/data/reusables/actions/actions-tab-new-runners-note.md 
@@ -1,6 +1,6 @@ {% note %} -**Note:** Enterprise and organization owners{% ifversion custom-org-roles %} and users with the "Manage organization runners and runner groups" permission{% endif %} can create runners have the option to create new runners from this page. To create a new runner, click **New runner** at the top right of the list of runners to add runners to the repository. +**Note:** Enterprise and organization owners{% ifversion custom-org-roles %} and users with the "Manage organization runners and runner groups" permission{% endif %} can create runners from this page. To create a new runner, click **New runner** at the top right of the list of runners to add runners to the repository. For more information, see {% ifversion actions-hosted-runners %}"[AUTOTITLE](/actions/using-github-hosted-runners/managing-larger-runners)" and {% endif %}"[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/adding-self-hosted-runners)." diff --git a/data/reusables/actions/gpu-runner-beta-note.md b/data/reusables/actions/gpu-runner-beta-note.md deleted file mode 100644 index 8bb3d53911..0000000000 --- a/data/reusables/actions/gpu-runner-beta-note.md +++ /dev/null @@ -1,5 +0,0 @@ -{% note %} - -**Note:** GPU runners are currently in beta and subject to change. - -{% endnote %} diff --git a/data/reusables/actions/jobs/choosing-runner-github-hosted.md b/data/reusables/actions/jobs/choosing-runner-github-hosted.md new file mode 100644 index 0000000000..d5077c110c --- /dev/null +++ b/data/reusables/actions/jobs/choosing-runner-github-hosted.md 
@@ -0,0 +1,35 @@ +{% data reusables.actions.enterprise-github-hosted-runners %} + +{% ifversion not ghes %} + +If you use a {% data variables.product.prodname_dotcom %}-hosted runner, each job runs in a fresh instance of a runner image specified by `runs-on`. + +The value for runs-on, when you are using a {% data variables.product.prodname_dotcom %}-hosted runner, is a runner label or the name of a runner group. The labels for the standard {% data variables.product.prodname_dotcom %}-hosted runners are shown in the following tables. + +For more information, see "[AUTOTITLE](/actions/using-github-hosted-runners/about-github-hosted-runners/about-github-hosted-runners)." + +{% data reusables.actions.supported-github-runners %} + +In addition to the standard {% data variables.product.prodname_dotcom %}-hosted runners, {% data variables.product.prodname_dotcom %} offers customers on {% data variables.product.prodname_team %} and {% data variables.product.prodname_ghe_cloud %} plans a range of managed virtual machines with advanced features - for example, more cores and disk space, GPU-powered machines, and ARM-powered machines. For more information, see "[AUTOTITLE](/actions/using-github-hosted-runners/about-larger-runners/about-larger-runners)." + +{% note %} + +**Note:** The `-latest` runner images are the latest stable images that {% data variables.product.prodname_dotcom %} provides, and might not be the most recent version of the operating system available from the operating system vendor. + +{% endnote %} + +{% warning %} + +**Warning:** Beta and Deprecated Images are provided "as-is", "with all faults" and "as available" and are excluded from the service level agreement and warranty. Beta Images may not be covered by customer support. + +{% endwarning %} + +#### Example: Specifying an operating system + +```yaml +runs-on: ubuntu-latest +``` + +For more information, see "[AUTOTITLE](/actions/using-github-hosted-runners/about-github-hosted-runners)." + +{% endif %} 
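Review bot: in the new `choosing-runner-github-hosted.md`, the `-latest` note warns that the image may lag the OS vendor but not that the label itself moves between images over time (the `supported-github-runners.md` hunks further down record `ubuntu-latest` currently meaning Ubuntu 22.04 and `macos-latest` meaning macOS 14), so a job that needs a reproducible toolchain or a stable attack surface should pin a versioned label such as `ubuntu-22.04`; one sentence to that effect would make the note actionable. Two smaller points in the same hunk: the same article is linked twice under two different paths (`.../about-github-hosted-runners/about-github-hosted-runners` at the top and `.../about-github-hosted-runners` after the example), and `runs-on` is left unformatted in "The value for runs-on, when you are using a ..." while every other mention is in backticks.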
diff --git a/data/reusables/actions/jobs/choosing-runner-group.md b/data/reusables/actions/jobs/choosing-runner-group.md new file mode 100644 index 0000000000..43198976cb --- /dev/null +++ b/data/reusables/actions/jobs/choosing-runner-group.md @@ -0,0 +1,23 @@ +You can use `runs-on` to target runner groups, so that the job will execute on any runner that is a member of that group. For more granular control, you can also combine runner groups with labels. + +{% ifversion fpt or ghec %} + +Runner groups can only have [{% data variables.actions.hosted_runner %}s](/actions/using-github-hosted-runners/using-larger-runners) or [self-hosted runners](/actions/hosting-your-own-runners) as members. + +{% endif %} + +#### Example: Using groups to control where jobs are run + +{% data reusables.actions.jobs.example-runs-on-groups %} + +#### Example: Combining groups and labels + +{% data reusables.actions.jobs.example-runs-on-labels-and-groups %} + +{% ifversion ghec or ghes %} + +#### Example: using prefixes to differentiate runner groups + +{% data reusables.actions.using-prefixes-to-differentiate-runner-groups %} + +{% endif %} diff --git a/data/reusables/actions/jobs/choosing-runner-overview.md b/data/reusables/actions/jobs/choosing-runner-overview.md new file mode 100644 index 0000000000..a717b7267b --- /dev/null +++ b/data/reusables/actions/jobs/choosing-runner-overview.md 
@@ -0,0 +1,49 @@ +Use `jobs..runs-on` to define the type of machine to run the job on. + +{% ifversion fpt or ghec %}- The destination machine can be either a [{% data variables.product.prodname_dotcom %}-hosted runner](#choosing-github-hosted-runners), [{% data variables.actions.hosted_runner %}](#choosing-runners-in-a-group), or a [self-hosted runner](#choosing-self-hosted-runners).{% else %} +- The destination machine can be a [self-hosted runner](#choosing-self-hosted-runners).{% endif %} +{% ifversion target-runner-groups %}- You can target runners based on the labels assigned to them, or their group membership, or a combination of these.{% else %} +- You can target runners based on the labels assigned to them.{% endif %} +- You can provide `runs-on` as: + - A single string + - A single variable containing a string + - An array of strings, variables containing strings, or a combination of both + - A `key: value` pair using the `group` or `labels` keys +- If you specify an array of strings or variables, your workflow will execute on any runner that matches all of the specified `runs-on` values. For example, here the job will only run on a self-hosted runner that has the labels `linux`, `x64`, and `gpu`: + + ```yaml + runs-on: [self-hosted, linux, x64, gpu] + ``` + + For more information, see "[Choosing self-hosted runners](#choosing-self-hosted-runners)." +- You can mix strings and variables in an array. For example: + + {% raw %} + + ```yaml + on: + workflow_dispatch: + inputs: + chosen-os: + required: true + type: choice + options: + - Ubuntu + - macOS + + jobs: + test: + runs-on: [self-hosted, "${{ inputs.chosen-os }}"] + steps: + - run: echo Hello world! + ``` + + {% endraw %} + +- If you would like to run your workflow on multiple machines, use [`jobs..strategy`](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstrategy). 
+ +{% note %} + +**Note:** Quotation marks are not required around simple strings like `self-hosted`, but they are required for expressions like {% raw %} `"${{ inputs.chosen-os }}"`{% endraw %}. + +{% endnote %} diff --git a/data/reusables/actions/jobs/choosing-runner-self-hosted.md b/data/reusables/actions/jobs/choosing-runner-self-hosted.md new file mode 100644 index 0000000000..9903fdb415 --- /dev/null +++ b/data/reusables/actions/jobs/choosing-runner-self-hosted.md @@ -0,0 +1,9 @@ +{% data reusables.actions.self-hosted-runner-labels-runs-on %} + +#### Example: Using labels for runner selection + +```yaml +runs-on: [self-hosted, linux] +``` + +For more information, see "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners)" and "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/using-self-hosted-runners-in-a-workflow)." diff --git a/data/reusables/actions/larger-runners-table.md b/data/reusables/actions/larger-runners-table.md new file mode 100644 index 0000000000..a9d0e234fa --- /dev/null +++ b/data/reusables/actions/larger-runners-table.md @@ -0,0 +1,4 @@ +| Runner Size | Architecture| Processor (CPU)| Memory (RAM) | Storage (SSD) | Workflow label | +| ------------| ------------| -------------- | ------------- | ------------- | -------------- | +| Large | Intel | 12 | 30 GB | 14 GB | macos-latest-large, macos-12-large, macos-13-large [latest], macos-14-large[Beta] | +| XLarge | arm64 (M1) | 6 (+ 8 GPU hardware acceleration) | 14 GB | 14 GB | macos-latest-xlarge, macos-13-xlarge [latest], macos-14-xlarge[Beta] | diff --git a/data/reusables/actions/runner-labels-implicit.md b/data/reusables/actions/runner-labels-implicit.md new file mode 100644 index 0000000000..df1d1a5810 --- /dev/null +++ b/data/reusables/actions/runner-labels-implicit.md 
@@ -0,0 +1 @@ +You can implicitly pass a label to the `runs-on` key by using the syntax `runs-on: LABEL`. Alternatively, you can use the `labels` key, as shown in the example below. diff --git a/data/reusables/actions/runner-labels.md b/data/reusables/actions/runner-labels.md new file mode 100644 index 0000000000..85e52dcf7f --- /dev/null +++ b/data/reusables/actions/runner-labels.md @@ -0,0 +1 @@ +Anyone with write access to an Actions-enabled repository can find out the labels for the runners that are available in that repository. See "[AUTOTITLE](/actions/using-github-hosted-runners/about-larger-runners/running-jobs-on-larger-runners#viewing-available-runners-for-a-repository)." diff --git a/data/reusables/actions/supported-github-runners.md b/data/reusables/actions/supported-github-runners.md index dd47e96043..ce12b67bb5 100644 --- a/data/reusables/actions/supported-github-runners.md +++ b/data/reusables/actions/supported-github-runners.md @@ -1,8 +1,8 @@ - + ### Standard {% data variables.product.prodname_dotcom %}-hosted runners for Public repositories -For public repositories, jobs utilizing the default YAML workflow labels listed in the table below run on virtual machines with the associated specifications. The use of these runners on public repositories is free and unlimited. +For public repositories, jobs using the workflow labels shown in the table below will run on virtual machines with the associated specifications. The use of these runners on public repositories is free and unlimited. @@ -11,7 +11,7 @@ For public repositories, jobs utilizing the default YAML workflow labels listed - + 
@@ -120,7 +120,7 @@ The macos-latest label currently uses the macOS 14 runner image. ### Standard {% data variables.product.prodname_dotcom %}-hosted runners for Private repositories -For private repositories, jobs utilizing the default YAML workflow labels listed in the table below run on virtual machines with the associated specifications. These runners use your {% data variables.product.prodname_dotcom %} account's allotment of free minutes, and are then charged at the per minute rates. For more information, see "[AUTOTITLE](/billing/managing-billing-for-github-actions/about-billing-for-github-actions#per-minute-rates)." +For private repositories, jobs using the workflow labels shown in the table below will run on virtual machines with the associated specifications. These runners use your {% data variables.product.prodname_dotcom %} account's allotment of free minutes, and are then charged at the per minute rates. For more information, see "[AUTOTITLE](/billing/managing-billing-for-github-actions/about-billing-for-github-actions#per-minute-rates)."
Processor (CPU) Memory (RAM) Storage (SSD)OS (YAML workflow label)Workflow label Notes
@@ -129,7 +129,7 @@ For private repositories, jobs utilizing the default YAML workflow labels listed - + @@ -147,7 +147,7 @@ Linux 14 GB diff --git a/data/reusables/actions/windows-linux-larger-runners-note.md b/data/reusables/actions/windows-linux-larger-runners-note.md index 0b0cfc2c0f..f788c47e64 100644 --- a/data/reusables/actions/windows-linux-larger-runners-note.md +++ b/data/reusables/actions/windows-linux-larger-runners-note.md @@ -1,5 +1 @@ -{% note %} - -**Note:** The information and instructions in this article only apply to {% data variables.actions.hosted_runner %}s with Linux and Windows operating systems. - -{% endnote %} +The information and instructions in this article only apply to {% data variables.actions.hosted_runner %}s with Linux and Windows operating systems.
Processor (CPU) Memory (RAM) Storage (SSD)OS (YAML workflow label)Workflow label Notes
-ubuntu-latest,ubuntu-24.04 [Beta], ubuntu-22.04, ubuntu-20.04 +ubuntu-latest, ubuntu-24.04 [Beta], ubuntu-22.04, ubuntu-20.04 The ubuntu-latest label currently uses the Ubuntu 22.04 runner image. @@ -189,7 +189,7 @@ macOS macos-12 or macos-11 -The macos-11 label has been deprecated and will no longer be available after 6/28/2024. +The macos-11 label has been deprecated and will no longer be available after 6/28/2024.
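Review bot: in the `about-larger-runners.md` hunk, the new sentence refers to a whole range of machines with the singular variable (`These machines are referred to as "{% data variables.actions.hosted_runner %}."`) while the unchanged line two below uses the plural `{% data variables.actions.hosted_runners %}`; use the plural form here too. The added bullet "GPU-powered and ARM-powered runners" also sits under "the following advanced features", but it names machine types rather than a feature, so either reword the bullet (for example "GPU and ARM machine types") or the lead-in.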
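Review bot: in the `actions-tab-new-runners-note.md` hunk, the duplicated clause is fixed, but the note still addresses enterprise and organization owners and then ends with "to add runners to the repository"; if this reusable is included on organization and enterprise settings pages as well, that trailing phrase narrows the scope incorrectly and should be dropped or made conditional.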
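Review bot: deleting `gpu-runner-beta-note.md` leaves any remaining `{% data reusables.actions.gpu-runner-beta-note %}` include as a build failure, so confirm every caller was removed in this PR. The `larger-runners-table.md` hunk still marks the `macos-14-*` images "[Beta]" and advertises GPU hardware acceleration on the XLarge row, so if GPU runners are no longer beta the commit message should say so rather than the caveat silently disappearing.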
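Review bot: in the `choosing-runner-overview.md` hunk, the mixed strings-and-variables example puts a `workflow_dispatch` input into `runs-on` (`runs-on: [self-hosted, "${{ inputs.chosen-os }}"]`), and the only thing keeping a user who can trigger the workflow from steering the job onto an arbitrary label is `type: choice` with a fixed `options` list; a free-form `string` input would let them target any label, including `self-hosted`. The closing note only explains the quoting, so add a sentence stating that inputs used in `runs-on` should be constrained this way. Two wording points: "either a GitHub-hosted runner, larger runner, or a self-hosted runner" uses "either" for three alternatives, and the `jobs..runs-on` and `jobs..strategy` references read as if the `job_id` placeholder were empty (the link anchor `#jobsjob_idstrategy` shows what was intended), so check the placeholder survived in the source.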
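Review bot: in the `choosing-runner-group.md` hunk, the third heading is "#### Example: using prefixes to differentiate runner groups" while its two siblings capitalize the first word after the colon ("Example: Using groups ...", "Example: Combining groups ..."); use the same case throughout.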
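Review bot: in the `larger-runners-table.md` hunk, the label column is inconsistently spaced ("macos-13-large [latest]" but "macos-14-large[Beta]", and likewise for the xlarge row), and the Architecture column gives "Intel" for the Large row but "arm64 (M1)" for the XLarge row; "x64 (Intel)" would match. The Processor (CPU) cell "6 (+ 8 GPU hardware acceleration)" also mixes a CPU count with a GPU figure, which is better as a footnote or its own column.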
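Review bot: the new `runner-labels-implicit.md` reusable ends with "as shown in the example below", which only holds if every page that includes it places a `labels` example immediately after the include; either reword to not depend on placement or document that requirement where the reusable is consumed.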
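Review bot: in the `supported-github-runners.md` hunk at `@@ -189,7 +189,7 @@`, the removed and added `macos-11` deprecation lines are textually identical in the diff ("The macos-11 label has been deprecated and will no longer be available after 6/28/2024."), so this is a whitespace-only change; either drop it or note it in the commit message. The spacing fix in "ubuntu-latest, ubuntu-24.04 [Beta], ubuntu-22.04, ubuntu-20.04" is fine, but renaming the header from "OS (YAML workflow label)" to "Workflow label" drops the OS name from that column, so confirm the OS is still identified elsewhere in each row (the `Linux` context at `@@ -147,7` suggests it is).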