Back to updates

CI/CD - 1

2026 (2)

March (1)

security: Guidance for detecting, investigating, and defending against the Trivy supply chain compromise

Microsoft Security Blog

2026-03-25

Microsoft describes a Trivy supply-chain compromise in which attackers abused trusted distribution channels to deliver credential-stealing malware into CI/CD pipelines. The post outlines attacker techniques plus detection, investigation, and defense steps for security teams.

January (1)

github: Reduced pricing for GitHub-hosted runners usage

GitHub

2026-01-01

GitHub has reduced pricing for GitHub-hosted runners — price cuts of up to 39% are now in effect; the change was announced on December 16, 2025.

2025 (8)

December (4)

dotnet: Microsoft.Testing.Platform Now Fully Supported in Azure DevOps

.NET

2025-12-16

Azure DevOps now fully supports Microsoft.Testing.Platform, enabling teams to run tests and publish test results directly within Azure DevOps pipelines and workflows. The update improves integration between the testing platform and Azure DevOps for streamlined test execution and reporting.

github: Coming soon: Simpler pricing and a better experience for GitHub Actions

GitHub

2025-12-16

Starting January 1, 2026, GitHub will lower prices for GitHub-hosted runners by up to 39% (varying by machine type) to deliver simpler pricing and a better GitHub Actions experience; free usage minute quotas will remain unchanged.

github: Better diagnostics for VNET injected runners and required self-hosted runner upgrades

GitHub

2025-12-12

GitHub announced that GitHub-hosted larger runners using Azure VNET-injection now provide detailed network diagnostics when connectivity problems occur, replacing generic pool errors with per-endpoint visibility and drill-down information. The changelog also calls attention to required upgrades for self-hosted runners.

security: Shai-Hulud 2.0: Guidance for detecting, investigating, and defending against the supply chain attack

Microsoft Security Blog

2025-12-09

Shai‑Hulud 2.0 is a large-scale supply chain attack in which adversaries maliciously modified hundreds of public packages to compromise developer environments, CI/CD pipelines, and cloud workloads in order to harvest credentials and configuration secrets. Microsoft published guidance to detect, investigate, and defend against these compromises across development toolchains, build systems, and cloud assets.

November (3)

github: Unified code-to-cloud artifact risk visibility with Microsoft Defender for Cloud now in public preview

GitHub

2025-11-18

GitHub announced a public preview integration with Microsoft Defender for Cloud that provides unified risk visibility across code, build artifacts, and production context so teams can track, prioritize, and remediate the security risks that matter.

github: New GitHub Actions OIDC token claims

GitHub

2025-11-13

GitHub Actions OIDC tokens now include a check_run_id claim, allowing workflows to present a run-specific identifier to external services. This change enables more fine-grained attribute-based access control and improved auditability for integrations.

github: New releases for GitHub Actions – November 2025

GitHub

2025-11-06

GitHub increased limits for reusable workflows in GitHub Actions (November 2025): workflows can now nest up to 10 reusable workflows and a single workflow run can call up to 50 workflows in total.

October (1)

dotnet: Developer and AI Code Reviewer: Reviewing AI-Generated Code in .NET

.NET

2025-10-07

Practical guidance for reviewing AI-generated .NET code, emphasizing that AI output should be treated as a starting point and validated through tests, linters, security checks, and clear team processes to maintain quality and productivity.