How to Manage the Migration Risk of ubuntu-latest Changes
When GitHub repoints ubuntu-latest to a newer Ubuntu release, default tool versions and system libraries can change and break builds that never touched their own code.
The risk with ubuntu-latest is timing: a green pipeline can go red because the underlying image moved. You manage that by pinning production paths and canarying the next image on a schedule.
Pin the critical path, canary the next image
.github/workflows/ci.yml
jobs:
release:
runs-on: ubuntu-24.04 # pinned: protects the release path
steps:
- run: ./release.sh
canary-next-image:
runs-on: ubuntu-latest # tracks the promoted image early
steps:
- run: npm ci && npm testRun the canary on a schedule
.github/workflows/ci.yml
on:
schedule:
- cron: '0 6 * * 1' # Monday 06:00 UTC, before the workweekWhat to check after a bump
Look for changed default versions of Node, Python, Java, Docker, and system compilers, plus removed preinstalled tools. GitHub announces image updates in its runner-images repo; watching releases there gives advance warning.
Related guides
How to Choose Between ubuntu-latest and a Pinned Runner ImageWeigh the convenience of ubuntu-latest against the reproducibility of a pinned image like ubuntu-24.04, and p…
How to Check What Tools a Runner Image PreinstallsFind out which languages, package managers, and CLIs ship preinstalled on a GitHub runner image so you can sk…