Skip to content
Latchkey

How to Manage the Migration Risk of ubuntu-latest Changes

When GitHub repoints ubuntu-latest to a newer Ubuntu release, default tool versions and system libraries can change and break builds that never touched their own code.

The risk with ubuntu-latest is timing: a green pipeline can go red because the underlying image moved. You manage that by pinning production paths and canarying the next image on a schedule.

Pin the critical path, canary the next image

.github/workflows/ci.yml
jobs:
  release:
    runs-on: ubuntu-24.04       # pinned: protects the release path
    steps:
      - run: ./release.sh
  canary-next-image:
    runs-on: ubuntu-latest      # tracks the promoted image early
    steps:
      - run: npm ci && npm test

Run the canary on a schedule

.github/workflows/ci.yml
on:
  schedule:
    - cron: '0 6 * * 1'   # Monday 06:00 UTC, before the workweek

What to check after a bump

Look for changed default versions of Node, Python, Java, Docker, and system compilers, plus removed preinstalled tools. GitHub announces image updates in its runner-images repo; watching releases there gives advance warning.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →