The GitHub Blog provides updates, announcements, and insights from the world's leading software development platform, covering topics such as new features, community highlights, and industry trends. Developers can learn about GitHub's latest developments, best practices for collaboration, and tips for maximizing productivity on the platform.

GitHub Blog

GitHub's 2026 security roadmap for GitHub Actions targets three layers: ecosystem integrity, attack surface reduction, and CI/CD infrastructure observability. Key upcoming features include workflow-level dependency locking (similar to go.mod/go.sum) to make action dependencies deterministic and auditable, policy-driven workflow execution controls built on GitHub's ruleset framework to govern who can trigger workflows and which events are allowed, scoped secrets that bind credentials to explicit execution contexts rather than broad repository/org scope, an Actions Data Stream for near real-time CI/CD telemetry delivered to S3 or Azure, and a native Layer 7 egress firewall for GitHub-hosted runners. Most features are targeting public preview within 3-9 months. The roadmap is a direct response to recent supply chain attacks targeting CI/CD pipelines like tj-actions/changed-files and trivy-action.

What’s coming to our GitHub Actions 2026 security roadmap

Scoped secrets and improved secret governance