Sources
1577 sources collected
# I just don't like GitHub Actions.

... GitHub Actions was launched in 2018 as a means of automating repetitive tasks. In 2019 it was updated with first-class support for continuous integration (CI) and continuous delivery (CD). The premise sounds very "GitHub": ... My intent isn't to slate the feature, but to highlight some limitations of the current implementation and to put forward some ideas. ...

… There's no means of easily triggering a re-run of a workflow against the tip of a branch. Not only is this a problem when dealing with transient failures (such as a network issue during an `npm install` or `docker pull`), it also makes development of new workflows or testing changes to existing workflows difficult. It's possible to work around this by adding additional triggers, but it feels like a strange omission.

# No first-class support for running locally

This limitation seems common to many CI platforms: there's no obvious way to run a workflow locally to verify that it works. Third-party tools like Act have put in a great deal of work to approximate the environment, but it's not easy to do so accurately. Act works by executing your GitHub Action workflows in a container. The minimal Debian images it uses by default will be unable to run the majority of workflows, but it's possible to specify your own container image. Unfortunately, the images that try to replicate the Actions environment get very large. A 12GB Docker container isn't ideal.

… Unfortunately, it also reduces predictability of builds, as developers have little control over what's installed in the environment. This has a couple of effects:

- In CI workflows it becomes harder to troubleshoot test failures, as it's harder to replicate the environment locally. It also makes your builds more susceptible to packaging changes made to the images, as there are far more changes to review to determine the root cause of a failure.
- In build and publish workflows it makes it difficult to trust that the environment is secure. Is GitHub reliably auditing all of the software that they're installing?

…

# Self-hosted runners

Actions provides the ability to host your own runners, so that your jobs can run on your own infrastructure and be triggered from within GitHub. This would allow us to build our own minimal image! Unfortunately, unlike services like Buildkite, which can run your integration jobs on your own AWS subscription, Actions provides no way to dynamically allocate agents as they're required.

…

- Support for running workflows in public cloud environments would make using custom images much more accessible, and provide a fairly elegant workaround for most of the issues here.
- A more minimal base image should be available, at least as an option. I think it will be difficult to retroactively add in support for SDKs, as Actions would need to be updated to detail their dependencies or risk simply not working, harming the onboarding experience for the majority.
A popular GitHub Action used by thousands of repositories recently compromised those repositories, exposing a critical weakness in how open-source Actions are published and consumed. A new maintainer briefly hijacked the tj-actions/changed-files Action by publishing a version that contained obfuscated, malicious code. This triggered concern within the developer community about CI/CD security in the GitHub Actions ecosystem. The incident highlights an emerging attack surface: the supply chain of Actions themselves. While most guidance focuses on hardening the workflow environment, few teams scrutinize the security of the Actions they import. This breach has prompted renewed calls for best practices such as Action pinning, third-party audits, and hardened runners.

Repositories widely used the tj-actions/changed-files Action to detect file changes in pull requests — a common step in conditional CI workflows. In March 2025, a new maintainer introduced a version (v44) that included obfuscated shell commands capable of remote code execution. While the malicious release was short-lived, it bypassed detection long enough to expose a blind spot in how many developers trust and consume GitHub Actions.

… The compromised Action is notable not just because of its popularity - over 20,000 repositories are estimated to have used it - but because it revealed a broader ecosystem weakness. Devs often treat GitHub Actions as trusted building blocks, yet unlike packages or containers, Actions lack strong controls around publishing, ownership changes, or signature verification.

… GitHub Actions in particular run with high privileges, capable of signing releases, pushing images, or deploying to production. A compromised Action can subvert an entire delivery pipeline. While StepSecurity did not quantify how widespread the practice of using unpinned Actions was, they have often emphasized the risks of their use and recommended treating them with caution.
The compromise echoes similar issues in adjacent ecosystems, such as malicious NPM packages or trojanized Docker Images. While the industry is making progress through initiatives like SLSA, Sigstore and SBOM tooling, GitHub Actions still lack first-class support for provenance, sandboxing, or trust enforcement on reusable Actions.
searchnews6.rssing.com
Developers Ditch GitHub Actions Over Reliability and Pricing Issues

Yet, beneath this veneer of convenience, a growing chorus of dissatisfaction is emerging among developers who argue that Actions falls short in reliability, speed, and usability. This sentiment reached a boiling point in a recent blog post by developer Alexey “exlee” Sokolov, who didn’t mince words in his tirade titled “I Hate GitHub Actions with Passion,” published on his personal site xlii.space. Sokolov’s frustrations echo broader complaints that have been simmering in developer communities for years, amplified by recent pricing changes and performance issues.

Sokolov’s critique centers on what he describes as GitHub Actions’ “slow feedback loop” and “insane complexity” in debugging. He recounts a personal ordeal with his project “tmplr,” where a CI build failed mysteriously on Linux ARM architecture while succeeding on others. The process of diagnosing the issue—pushing commits repeatedly to trigger workflows—felt archaic and inefficient, leading to hours of wasted time. This isn’t an isolated incident; developers on platforms like Reddit have long shared similar war stories. In a 2023 thread on Reddit’s r/devops, users lamented Actions’ unreliability, citing frequent outages and unpredictable behavior as reasons to seek alternatives.

The backlash isn’t just anecdotal. Recent data from industry benchmarks highlights tangible shortcomings. For instance, a performance analysis by RunsOn, detailed in their GitHub Actions CPU performance benchmarks, reveals that Actions runners often lag in CPU speed and suffer from queuing delays compared to competitors. Developers report wait times that can stretch minutes or even hours during peak usage, disrupting the rapid iteration cycles essential to agile development.
Moreover, GitHub’s own status updates, like a January 12, 2026, post from GitHub Status on X, admitted to “degraded performance” in Actions, underscoring systemic issues that affect thousands of users daily.

**Unpacking the Core Flaws in GitHub Actions**

At the heart of the criticism is GitHub Actions’ architecture, which relies on virtual machines spun up on demand. While this serverless model sounds efficient, it introduces latency that frustrates developers accustomed to instant feedback. Sokolov in his post compares it unfavorably to local testing environments, where errors can be caught immediately without the “push and pray” cycle. This sentiment is mirrored in a 2024 Reddit discussion on r/devops, where over 200 comments detailed gripes ranging from poor caching mechanisms to inconsistent runner environments. One user noted that Actions’ YAML syntax, while flexible, lacks robust local validation tools, leading to deployment-time surprises.

Pricing has become another flashpoint. In December 2025, GitHub announced changes to its Actions pricing model, including charges for self-hosted runners—previously free—which sparked outrage. As reported by Techzine Global, the company delayed implementation until March 2026 after developer pushback, but the move highlighted a perceived shift toward monetization over user needs.

… On social media, the discontent is palpable. Posts on X from developers like Theo Browne (@t3dotgg) in December 2025 criticized GitHub for charging users to integrate faster alternatives like Depot and Blacksmith, calling it “insanity.” Similarly, David Cramer (@zeeg) noted Actions’ lack of a “real moat,” suggesting easy migration paths to rivals. These real-time sentiments, gathered from recent X discussions, paint a picture of a tool that’s losing its grip as developers demand more from their CI/CD pipelines.

… Personal stories from the trenches illustrate why these alternatives are resonating.
In Sokolov’s case, switching to a local-first approach or tools like Act (a local runner for Actions) could mitigate some pains, but he advocates for complete alternatives to escape the ecosystem’s pitfalls. X posts from users like @draslan_eth in early January 2026 echo this, decrying Actions’ wait times compared to “beefy machine” local runs. Community forums reveal patterns: a 2021 X post by @GabriellaG439 criticized Actions’ YAML DSL for lacking local testing, a complaint that persists. Even GitHub’s announcements, such as the 2019 update on workflow editing improvements shared via their official X account, haven’t fully addressed these issues, as evidenced by ongoing developer feedback. … Pricing dynamics play a crucial role. GitHub’s recent concessions, detailed in a GIGAZINE report from December 2025 on gigazine.net, show responsiveness to criticism, but trust erosion persists. Alternatives often offer free tiers or predictable costs, attracting budget-sensitive indie developers. Looking ahead, the competition is fostering innovation. Posts on X, including a January 15, 2026, thread translated from Korean on @GeekNewsHada, share global frustrations with Actions’ debugging, suggesting a universal push toward more reliable tools.
octopus.com
Github Actions Best...

## GitHub Actions limitations

While GitHub Actions offers powerful automation features, there are some limitations and challenges to consider, as reported by users on the G2 platform:

- **Complexity:** The platform can feel overwhelming for new users, especially given the range of features and options available. The complexity of setting up workflows, particularly for those new to version control, contributes to a steep learning curve.
- **Limited free tier for private repositories:** While GitHub provides some free minutes and storage, these are often insufficient for teams working on large or complex projects. The cost for additional resources can become a concern, especially for smaller organizations or teams with limited budgets. The pricing for larger teams, particularly those requiring private repositories, can be prohibitive.
- **Inconsistent performance:** Users have reported slow deployment times, even for small applications, and occasional issues with downtime and performance lags exist. These slowdowns impact productivity and consume the allotted minutes from the usage quota, frustrating users on limited plans.
- **Troubleshooting:** Debugging issues within GitHub Actions can also be time-consuming, as there is no single comprehensive guide for troubleshooting. This leads to delays when errors occur in workflows.

In addition, our experience shows many organizations use GitHub Actions and related tools to **implement full Continuous Delivery pipelines**, even though they were not intended for this purpose. This creates the problem of Shadow CD:

- Shadow CD creates an illusion of automation, but it lacks crucial elements that people need to trust it.
- To manage layers of automation not supported by the platform, developers create collections of scripts, sometimes with hundreds or thousands of lines.
- The scripts are often created and maintained by a handful of engineers, often just a single person.
- Maintenance, security, and support become a significant challenge.
When using GitHub Actions, security concerns and maintaining environment consistency are crucial. Utilize GitHub Secrets to protect sensitive information and Docker to ensure consistent environments. Additionally, issues can be swiftly resolved through logging and error reporting functionalities. … ... One common challenge with GitHub Actions is managing secrets and environment variables securely, especially when workflows need access to sensitive data for deployment. A solution is to use GitHub's encrypted secrets feature to store these values, ensuring they're not exposed in logs or to unauthorized users. Additionally, fine-tuning permissions for GitHub Actions can help prevent misuse, allowing workflows to run with the minimum necessary privileges. This approach enhances security while ensuring workflows have the access they need to perform tasks effectively.
You can find all sorts of stuff in there; they've been so neglectful of the self-hosted actions that it's embarrassing they're trying to charge for it. They don't release containers that match the runners on the public at all. They don't handle proper rootless docker-in-docker. All issues that have come up repeatedly. If they want to charge for things, fine, but actually provide a service that doesn't require your users doing 90% of the work.

... Aside from the pricing change, GH Actions is not a "premium service" that is even worth paying for. The "control plane" suffers from multiple issues (see recent problems about broker / backend problems not relaying the messages) and the GH Actions ecosystem is broken in so many ways (e.g.: safe_sleep).

…

#### ikemo3 Dec 18, 2025

... I'm an individual developer on the Pro plan, but the included minutes aren't sufficient for my needs, so I separately contract with Ubicloud. Ubicloud is 1/10th the price of GitHub Actions (before this change), but if this additional charge is applied, the total cost becomes 3.5x higher. (In other words, I'd be paying GitHub 2.5x more than Ubicloud!)

…

#### vwnj84 Dec 19, 2025

... It was really terrible from an Enterprise standpoint, because budgets are already set for different departments and development teams. They were told that all they needed to pay for was their infrastructure, not the scheduler, since that's a huge part of what they're already paying for with their per-person Enterprise license. Then this was announced, and suddenly here at the end of the year, we get to tell everyone that's already scraping for pennies that there is now an additional unbudgeted cost. And then it's 'postponed' two days after the announcement and managers are flipping out that they cannot budget around this madness. I don't blame them.
… Throw in the many UX issues that have been neglected for years (limit on jobs per workflow, concurrency groups cancelling jobs instead of queuing, self-hosted runner versions only last a month or two before being rejected, hung logs, outages, no per-second billing) and trying to slide in the announcement in December. It seems quite bold of GitHub.

…

### molexx Jan 2, 2026

- Please stop applying breaking changes. Whilst they might well be 'best practice' and you might think you've informed us about them in plenty of time, real-world evidence shows this causes disruption and unhappy users. We use Actions to deploy to production, and if we need a production deployment we NEED a production deployment. I do not want to take several hours out to investigate, fix and test changes to our action that was stable yesterday because of a requirement change you have force-applied to us, whether you allegedly warned anyone about it months ago or not.
in a workflow file, you’re declaring a dependency. GitHub resolves it, downloads it, and executes it. That’s package management.

... Package managers are a critical part of software supply chain security. The industry has spent years hardening them after incidents like left-pad, event-stream, and countless others. Lockfiles, integrity hashes, and dependency visibility aren’t optional extras. They’re the baseline. GitHub Actions ignores all of it.

… The core problem is the lack of a lockfile. Every other package manager figured this out decades ago: you declare loose constraints in a manifest, the resolver picks specific versions, and the lockfile records exactly what was chosen. GitHub Actions has no equivalent. Every run re-resolves from your workflow file, and the results can change without any modification to your code.

Research from USENIX Security 2022 analyzed over 200,000 repositories and found that 99.7% execute externally developed Actions, 97% use Actions from unverified creators, and 18% run Actions with missing security updates. The researchers identified four fundamental security properties that CI/CD systems need: admittance control, execution control, code control, and access to secrets. GitHub Actions fails to provide adequate tooling for any of them. A follow-up study using static taint analysis found code injection vulnerabilities in over 4,300 workflows across 2.7 million analyzed. Nearly every GitHub Actions user is running third-party code with no verification, no lockfile, and no visibility into what that code depends on.

…

```csharp
// Simplified from actions/runner ActionManager.cs
...
    // Resolution happens on GitHub's server - opaque to us
    var downloadInfo = await GetDownloadInfoFromGitHub(action.Reference);

    // Download and extract - no integrity verification
    var tarball = await Download(downloadInfo.TarballUrl);
    Extract(tarball, $"_actions/{action.Owner}/{action.Repo}/{downloadInfo.Sha}");

    // If composite, recurse into its dependencies
    var actionYml = Parse($"_actions/{action.Owner}/{action.Repo}/{downloadInfo.Sha}/action.yml");
    if (actionYml.Type == "composite")
    {
        // These nested actions may use mutable tags - we have no control
        await PrepareActionsRecursiveAsync(actionYml.Steps, depth + 1);
    }
}
```

… Even setting lockfiles aside, Actions has other issues that proper package managers solved long ago.

**No registry.** Actions live in git repositories. There’s no central index, no security scanning, no malware detection, no typosquatting prevention. A real registry can flag malicious packages, store immutable copies independent of the source, and provide a single point for security response. The Marketplace exists but it’s a thin layer over repository search. Without a registry, there’s nowhere for immutable metadata to live. If an action’s source repository disappears or gets compromised, there’s no fallback.

…

### How Did We Get Here?

The Actions runner is forked from Azure DevOps, designed for enterprises with controlled internal task libraries where you trust your pipeline tasks. GitHub bolted a public marketplace onto that foundation without rethinking the trust model. The addition of composite actions and reusable workflows created a dependency system, but the implementation ignored lessons from package management: lockfiles, integrity verification, transitive pinning, dependency visibility.

This matters beyond CI/CD. Trusted publishing is being rolled out across package registries: PyPI, npm, RubyGems, and others now let you publish packages directly from GitHub Actions using OIDC tokens instead of long-lived secrets.
OIDC removes one class of attacks (stolen credentials) but amplifies another: the supply chain security of these registries now depends entirely on GitHub Actions, a system that lacks the lockfile and integrity controls these registries themselves require. A compromise in your workflow’s action dependencies can lead to malicious packages on registries with better security practices than the system they’re trusting to publish. … GitHub closed the feature request. GitHub’s design choices don’t just affect GitHub users. Forgejo Actions maintains compatibility with GitHub Actions, which means projects migrating to Codeberg for ethical reasons inherit the same broken CI architecture. The Forgejo maintainers openly acknowledge the problems, with contributors calling GitHub Actions’ ecosystem “terribly designed and executed.” But they’re stuck maintaining compatibility with it. Codeberg mirrors common actions to reduce GitHub dependency, but the fundamental issues are baked into the model itself. GitHub’s design flaws are spreading to the alternatives.
- **Nx "s1ngularity" (August 2025):** Attackers compromised the popular Nx monorepo build system by publishing malicious npm packages via a GitHub Actions exploit, injecting credential-harvesting malware that stole SSH keys, .env files, wallets, and API tokens. This attack affected over 2,000 repositories.

…

### 6. Unpinned or Tag-Based Third-Party Actions

This is one of the most prevalent and dangerous supply chain risks in GitHub Actions. Despite causing nightmare scenarios for tens of thousands of users this year, most developers still do not pin their actions properly. According to Wiz, only 3.9% of repositories pin 100% of their third-party Actions to an immutable commit SHA hash.

…

### 7. Use of Vulnerable Third-Party Actions

Third-party GitHub Actions are convenient accelerators but introduce significant supply chain risks. These actions execute with the same permissions as your workflow, granting them potential access to sensitive secrets, tokens, and repository data. Like the previous security flaw, it’s an attack vector for supply chain attacks. As seen in the 2025 tj-actions/changed-files incident (CVE-2025-30066), a compromised action lets attackers inject code to exfiltrate secrets, escalate privileges, or deploy malware directly into your pipeline. With recurring incidents during the past year, proactive governance is essential to mitigate these threats.
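The pinning advice in sections 6 and 7, the lockfile discussion earlier on the page (every run re-resolves mutable tags, with no integrity check in the runner), and the least-privilege advice about workflow permissions all reduce to checks a team can run over its own workflow files. The script below is an added example, not code from any of the sources quoted here: it scans a workflow line by line with the standard library only (no YAML parser), classifies each `uses:` reference and treats only a 40-hex-character commit SHA or a `docker://` image digest as immutable, and flags a top-level `permissions: write-all` or a missing top-level `permissions:` block. The sample workflow, the `example-org/some-action` name and the commit SHA in it are constructed for the example.

```python
"""Audit a GitHub Actions workflow for unpinned action references and
over-broad GITHUB_TOKEN permissions.

Added example; not code from any source quoted on this page. It uses
regular expressions over the raw text so it runs with the standard library.
"""
import re
from dataclasses import dataclass

# A 40-hex-digit git commit SHA is the only immutable form of a repository ref.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Matches `uses:` step lines (optionally list-prefixed), capturing the reference.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"#\s]+)")
# Top-level (column 0) permissions key only; job-level blocks are indented.
TOP_PERMS_RE = re.compile(r"^permissions:\s*(.*)$")


@dataclass
class Finding:
    line: int
    ref: str
    kind: str   # sha | mutable | unversioned | local | docker-digest | docker-tag
    ok: bool    # True when the reference cannot be changed by its publisher


def classify_uses(ref: str) -> tuple[str, bool]:
    """Classify one `uses:` value; ok=True means the reference is immutable."""
    if ref.startswith("./"):
        return "local", True              # same-repo action, versioned with the code
    if ref.startswith("docker://"):
        return ("docker-digest", True) if "@sha256:" in ref else ("docker-tag", False)
    if "@" not in ref:
        return "unversioned", False       # resolves to the default branch at run time
    version = ref.rsplit("@", 1)[1]
    if SHA_RE.match(version):
        return "sha", True
    return "mutable", False               # tag or branch: the publisher can move it


def audit_workflow(text: str) -> tuple[list[Finding], list[str]]:
    """Return (per-`uses:` findings, permission warnings) for one workflow file."""
    findings: list[Finding] = []
    warnings: list[str] = []
    saw_top_permissions = False
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m:
            kind, ok = classify_uses(m.group(1))
            findings.append(Finding(lineno, m.group(1), kind, ok))
            continue
        m = TOP_PERMS_RE.match(line)
        if m:
            saw_top_permissions = True
            if m.group(1).strip() == "write-all":
                warnings.append(f"line {lineno}: top-level permissions: write-all grants every scope")
    if not saw_top_permissions:
        warnings.append("no top-level permissions block; GITHUB_TOKEN falls back to the repository default")
    return findings, warnings


def unpinned(findings: list[Finding]) -> list[Finding]:
    """The subset of findings a pinning policy would reject."""
    return [f for f in findings if not f.ok]


# Constructed sample workflow: the org name and the SHA are made up for this example.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
permissions: write-all
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # constructed SHA
      - uses: ./.github/actions/lint
      - uses: docker://alpine:3.19
      - uses: example-org/some-action@main
"""

if __name__ == "__main__":
    found, warns = audit_workflow(SAMPLE_WORKFLOW)
    for f in found:
        print(f"line {f.line}: {'ok  ' if f.ok else 'FAIL'} {f.kind:<14} {f.ref}")
    for w in warns:
        print("warning:", w)
```

Run against the constructed sample, the audit rejects three of the five references (the `v4` tag, the `main` branch and the `alpine:3.19` image tag) and warns about `write-all`; the commit-SHA and local references pass. A SHA-pinned line should keep a trailing `# vX.Y.Z` comment, as the sample does, so reviewers can still read the intended version.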
patternsinthemachine.net
GitHub Actions: Not that scary - Patterns in the Machine

#### GitHub Action Cons

- The free host runners are **slow**. The free host virtual machines are about 4-5x slower than my mini-PC (i7-13700H) that hosted my Jenkins server.
- To mitigate the performance difference, it was very simple to run each “compiler” on its own runner in parallel, so my overall build times only went from ~30min to ~40min.
www.feldera.com
The Pain That is Github Actions

- Everything that goes into `main` must pass all tests.
- Trivial mistakes (formatting, unused deps, lint issues) should be fixed automatically, not cause failures.
- The artifacts we test with in CI should be the exact ones we release.
- CI should complete quickly (to keep developers happy).

GitHub Actions technically allows all of this—but setting it up is a frustrating mess, full of hidden gotchas, inconsistent behavior, and a debugging experience that makes me question my choices.

… This is just one of many instances of what I believe is the root of what makes the GitHub Actions security model so obscure: there are too many pitfalls accompanied by exceptions that you have to account for. Clearly the system is very powerful and allows you to do many things, but it also expands the attack surface for breaking things. As far as I can tell I'm not alone in this. Another instance of the same problem I ran into is when I read this paragraph where they recommend that you don't use self-hosted runners in public repositories:

…

### Docker and Github Actions, an Unholy Combination

If you thought GitHub Actions was bad, try mixing in Docker. GitHub lets you run jobs inside a container. This is great in theory—you can prepackage dependencies into a dev container instead of installing them every run. In practice:

- File permissions break constantly. A container builds files as one user, but GitHub runners may use another (different uid and gid) to run it. So it may be unable to access either the files in the container or those in the GitHub workspace and temporary host directories that get mounted.
- The
Discussions and Stack Overflow. These posts address prevalent issues in such ecosystems, including security, breaking changes, obsolescence, and dependency. We empirically demonstrate the prevalence of these issues in GitHub Actions. Our thematic analysis on GitHub Discussion posts and Stack Overflow questions revealed that Security Vulnerability is the most prevalent issue in the GHA ecosystem, followed … influences the reliance on Marketplace versus Local Actions. ... platform provides a Marketplace for sharing and reusing open-source Actions, there are still many repositories that prefer to maintain their own GHA locally within their repositories. The survey analysis conducted by the authors revealed some challenges GitHub users face using the Marketplace, where 7 out of 25 participants found it difficult