Windows-Latest Migration and the Architectural Evolution of GitHub Actions Runner Images

The lifecycle management of runner images within GitHub Actions is a critical component of modern CI/CD stability. When developers utilize the windows-latest label in their YAML workflow configurations, they are opting into a dynamic pointer that directs the execution environment toward the most recent stable version of the Windows operating system supported by GitHub. This abstraction provides the benefit of automated updates but introduces a layer of volatility during migration windows, where the underlying OS version shifts. The transition from Windows Server 2022 to Windows Server 2025 represents a significant architectural shift, necessitating a deep understanding of image deprecation, tool availability, and the strategic use of specific version labels to maintain pipeline idempotency.

The Windows Server 2025 Migration Cycle

The migration of the windows-latest label from Windows Server 2022 to Windows Server 2025 was a phased deployment designed to minimize catastrophic pipeline failures while advancing the ecosystem to a more modern kernel. This process began on September 2, 2025, and reached full completion by September 30, 2025.

The impact of this migration is absolute: once a specific workflow has been migrated to the Windows Server 2025 image, it cannot revert to Windows Server 2022 for any future executions. This creates a "point of no return" for workflows relying on the -latest pointer. For developers, this means that any dependency tied to the specific environment of Server 2022 must be validated against the 2025 image before the migration window closes.

The motivation behind this transition is rooted in the General Availability (GA) status of Windows Server 2025, which was established for all customers on April 8, 2025. By monitoring customer feedback to ensure image stability, GitHub determined that the image was mature enough to serve as the default. However, to maintain Service Level Agreements (SLA) regarding free disk space, GitHub performed strategic cuts to the list of pre-installed packages. This means that certain tools available in the 2022 image were intentionally removed from the 2025 image.

Strategic Mitigation of Migration Risks

To avoid the unpredictability of the windows-latest label, GitHub provides a mechanism for version pinning. Instead of using the generic label, users can explicitly define the OS version in their YAML files.

The following table outlines the behavior of labels during a migration event:

Label Behavior Stability Level Recommended Use Case
windows-latest Points to newest stable OS (e.g., Server 2025) Low (Changes over time) Projects that want the newest tools automatically
windows-2022 Points specifically to Windows Server 2022 High (Static) Legacy projects requiring specific 2022 binaries
windows-2025 Points specifically to Windows Server 2025 High (Static) New projects targeting modern Windows kernels

The migration process for -latest labels is generally gradual, spanning one to two months. This window is designed to allow engineers to adapt their workflows. To proactively identify tooling differences, developers are encouraged to check the tool list for Windows 2025. If a required package was removed to save disk space, the workflow must be updated to install that package dynamically during the job execution.

Integration of Visual Studio 2026 and Preview Images

As the ecosystem evolves, GitHub introduces specialized images to provide a validation path for upcoming toolsets. A dedicated Windows runner image featuring Visual Studio 2026 was released in public preview. This image operates in parallel with the standard windows-2025 image, ensuring that developers can test their builds against the new IDE and compiler toolchain without disrupting their primary production pipelines.

To utilize this preview environment, the runs-on target in the YAML workflow must be updated to:

windows-2025-vs2026

This allows for the identification and resolution of compatibility issues on a controlled timeline. The integration of Visual Studio 2026 into the default windows-2025 image is scheduled for General Availability on May 4, 2026. Following this GA release, the migration to the new Visual Studio 2026 image is set to begin on June 8, 2026.

This tiered approach—moving from public preview to GA and then to a mandatory migration—provides developers with multiple fallback options. If a build fails on the windows-2025-vs2026 image, developers can maintain their existing pipelines on windows-2022 or the standard windows-2025 image until a fix is implemented.

Expansion into Windows on Arm Architecture

A significant expansion in the GitHub Actions ecosystem is the support for Windows on Arm runners. This initiative is designed to support the developer experience for Arm-powered Copilot+ PCs, which utilize a different instruction set than traditional Intel/AMD x64 processors.

This support has been extended to all public repositories, including those under GitHub Free tier accounts. This democratization of Arm runners ensures that open-source projects can perform build and regression testing on Arm-based Windows targets with the same rigor as Intel targets.

The impact of this update is the simplification of continuous integration for cross-platform applications. Developers targeting the Arm architecture no longer need to rely solely on external hardware or limited private beta access; they can now incorporate Arm-based Windows targets directly into their CI pipelines.

Advanced Runner Orchestration: The Scale Set Client

To complement the hosted runner images, GitHub has introduced the GitHub Actions runner scale set client in public preview. This is a standalone Go-based module that allows organizations to implement custom autoscaling solutions without the prerequisite of Kubernetes.

The client functions as an orchestration layer that interacts with GitHub's scale set APIs, but it leaves the actual provisioning of the hardware to the user. This means the client can be deployed across various infrastructures:

  • Virtual Machines (VMs)
  • Bare metal servers
  • Containerized environments
  • Cloud-native services

The capabilities of the scale set client include:

  • Platform agnostic design: Operates across Windows, Linux, and macOS.
  • Provisioning control: Users define the exact parameters for how runners are created, scaled, and destroyed.
  • Multi-label support: The ability to assign multiple labels to a single scale set to optimize resource allocation for different build types.
  • Agentic scenario support: Integration with agentic workflows, specifically supporting the GitHub Copilot coding agent.
  • Real-time telemetry: Built-in metrics for monitoring job execution and runner performance.

Programmatic Governance via New REST APIs

To manage the security and configuration of these runners and workflows, GitHub has launched new REST APIs for settings management. These APIs are available at the repository, organization, and enterprise levels, allowing for the programmatic auditing and modification of policies.

The specific settings now accessible via these API endpoints include:

  • Approval for running fork pull request workflows from contributors.
  • Permissions for allowing workflows on fork pull requests within private repositories.
  • Configuration of which repositories are authorized to create repository-level self-hosted runners.
  • Definition of artifact and log retention periods.

By utilizing these endpoints, DevOps teams can move away from manual reviews and implement "Infrastructure as Code" for their GitHub Actions governance, ensuring that security policies are applied consistently across thousands of repositories.

Security Reinforcement through Action Allowlisting

In tandem with the infrastructure updates, security controls have been expanded. Action allowlisting is now available across all GitHub plans, including Free, Team, and Enterprise. This feature enables the enforcement of the principle of least privilege by allowing administrators to define exactly which actions and reusable workflows are permitted to run within their repositories.

This control mechanism protects against compromised third-party actions and ensures that only vetted code is executed within the CI/CD pipeline. When combined with the new REST APIs, organizations can programmatically manage their allowlists to maintain a strict security posture.

Summary of Runner Image Versioning and Labels

The relationship between labels and OS versions is summarized in the following structure:

  • windows-latest: Dynamic pointer; currently transitioning to Windows Server 2025.
  • windows-2022: Static pointer to Windows Server 2022.
  • windows-2025: Static pointer to Windows Server 2025.
  • windows-2025-vs2026: Preview pointer for Windows Server 2025 with Visual Studio 2026.
  • macos-26-large: Preview pointer for macOS 26 Intel runners for larger runner configurations.

Conclusion

The transition of windows-latest to Windows Server 2025 is not merely a version bump but a strategic realignment of the runner ecosystem to support modern hardware and software requirements. The shift involves a careful balance between offering the latest features—such as Windows on Arm support and Visual Studio 2026 integration—and maintaining the stability of existing pipelines. The introduction of the Go-based runner scale set client further decouples the orchestration logic from the infrastructure, granting developers unprecedented control over how their Windows environments are scaled.

For the technical practitioner, the primary takeaway is the necessity of moving away from the -latest label for mission-critical production pipelines. The volatility introduced during the September 2025 migration window highlights the risk of automated OS updates. By adopting specific version labels and utilizing the public preview images for toolchain validation, teams can ensure their CI/CD pipelines remain resilient against the inevitable evolution of the underlying host images. The synergy between the new REST APIs for governance and the expanded allowlisting capabilities ensures that as the infrastructure scales, the security perimeter remains intact.

Sources

  1. GitHub Blog: GitHub Actions New APIs and Windows Latest Migration Notice
  2. GitHub Blog: GitHub Actions Early February 2026 Updates
  3. GitHub Issue: Windows-latest workflows will use Windows Server 2025 image in GH #12677
  4. GitHub Repository: actions/runner-images
  5. Windows Developer Blog: GitHub Actions now supports Windows on Arm runners for all public repos

Related Posts