
Commit 128b0ed

Add GitHub Actions runtime upgrade skill (#2016)
* feat: add github actions runtime upgrade instructions
  Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* feat: add runtime upgrade skill for github actions
  Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* refine runtime upgrade skill guidance
  Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
1 parent 1887784 commit 128b0ed

2 files changed

Lines changed: 66 additions & 0 deletions


docs/README.skills.md

Lines changed: 1 addition & 0 deletions
@@ -188,6 +188,7 @@ See [CONTRIBUTING.md](../CONTRIBUTING.md#adding-skills) for guidelines on how to
188188
| [git-flow-branch-creator](../skills/git-flow-branch-creator/SKILL.md)<br />`gh skills install github/awesome-copilot git-flow-branch-creator` | Intelligent Git Flow branch creator that analyzes git status/diff and creates appropriate branches following the nvie Git Flow branching model. | None |
189189
| [github-actions-efficiency](../skills/github-actions-efficiency/SKILL.md)<br />`gh skills install github/awesome-copilot github-actions-efficiency` | Audit GitHub Actions workflow efficiency and recommend fixes to reduce CI minutes and costs. | `references/actions.md`<br />`references/patterns.md`<br />`references/reporting.md`<br />`references/review-rubric.md` |
190190
| [github-actions-hardening](../skills/github-actions-hardening/SKILL.md)<br />`gh skills install github/awesome-copilot github-actions-hardening` | Security hardening reviewer for GitHub Actions workflow files (.github/workflows/*.yml). Reasons about the Actions threat model that pattern matchers and general code linters miss — untrusted-input script injection, privileged triggers running fork code, mutable action references, and over-scoped tokens. Use this skill when asked to review, audit, harden, or secure a GitHub Actions workflow, when writing a new workflow, or for any request like "is this workflow safe?", "review my CI for security issues", "why is pull_request_target dangerous here?", "pin my actions", or "lock down GITHUB_TOKEN permissions". Covers script injection via ${{ }} interpolation, pull_request_target / workflow_run privilege escalation, SHA-pinning of third-party actions, least-privilege permissions, GITHUB_ENV/GITHUB_OUTPUT injection, secret exposure, OIDC over long-lived credentials, and self-hosted runner exposure on public repositories. | `references/injection.md`<br />`references/permissions-and-tokens.md`<br />`references/report-format.md`<br />`references/supply-chain.md`<br />`references/triggers-and-privilege.md` |
191+
| [github-actions-runtime-upgrade-conventions](../skills/github-actions-runtime-upgrade-conventions/SKILL.md)<br />`gh skills install github/awesome-copilot github-actions-runtime-upgrade-conventions` | Upgrade GitHub Actions to supported runtimes by selecting safe action versions, preserving workflow behavior, and validating post-upgrade execution. | None |
191192
| [github-codespaces-efficiency](../skills/github-codespaces-efficiency/SKILL.md)<br />`gh skills install github/awesome-copilot github-codespaces-efficiency` | Audit and improve GitHub Codespaces efficiency. Use this skill when a user wants faster Codespaces startup, lower Codespaces spend, slim devcontainers, right-size machines, tune idle timeout, or scope prebuilds to branches with sustained usage. | `references/codespaces.md`<br />`references/review-rubric.md` |
192193
| [github-copilot-starter](../skills/github-copilot-starter/SKILL.md)<br />`gh skills install github/awesome-copilot github-copilot-starter` | Set up complete GitHub Copilot configuration for a new project based on technology stack | None |
193194
| [github-issues](../skills/github-issues/SKILL.md)<br />`gh skills install github/awesome-copilot github-issues` | Create, update, and manage GitHub issues using MCP tools. Use this skill when users want to create bug reports, feature requests, or task issues, update existing issues, add labels/assignees/milestones, set issue fields (dates, priority, custom fields), set issue types, manage issue workflows, link issues, add dependencies, or track blocked-by/blocking relationships. Triggers on requests like "create an issue", "file a bug", "request a feature", "update issue X", "set the priority", "set the start date", "link issues", "add dependency", "blocked by", "blocking", or any GitHub issue management task. | `references/dependencies.md`<br />`references/images.md`<br />`references/issue-fields.md`<br />`references/issue-types.md`<br />`references/projects.md`<br />`references/search.md`<br />`references/sub-issues.md`<br />`references/templates.md` |
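Review bot: the new github-actions-runtime-upgrade-conventions row (line 191) carries a much shorter description than its neighbours github-actions-hardening, github-codespaces-efficiency and github-issues, all of which include a "Use this skill when ..." clause and example trigger phrases; since this table text is what the agent matches requests against, consider extending it with the triggers the SKILL.md itself lists, such as "workflow logs report an action is running on a deprecated runtime" or "upgrade action versions in .github/workflows/*.yml", so the skill is selected for those requests. Alphabetical placement between github-actions-hardening and github-codespaces-efficiency is correct, and the description matches the SKILL.md frontmatter exactly.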
Lines changed: 65 additions & 0 deletions
@@ -0,0 +1,65 @@
1+
---
2+
name: github-actions-runtime-upgrade-conventions
3+
description: 'Upgrade GitHub Actions to supported runtimes by selecting safe action versions, preserving workflow behavior, and validating post-upgrade execution.'
4+
---
5+
6+
# GitHub Actions Runtime Upgrade Conventions
7+
8+
Use this skill when editing GitHub Actions workflows to address deprecation warnings about action runtimes (for example Node.js runtime migrations).
9+
10+
## Use This Skill When
11+
12+
- Workflow logs report an action is running on a deprecated runtime.
13+
- You are upgrading action versions in `.github/workflows/*.yml` or `.github/workflows/*.yaml`.
14+
- You need to keep existing workflow behavior while modernizing action dependencies.
15+
16+
## Upgrade Rules
17+
18+
- Prefer upgrading to the latest stable **major** version of each action that is compatible with the workflow.
19+
- Prefer immutable pins: resolve the target release to a full commit SHA and use that SHA in `uses:`.
20+
- Do not pin to mutable tags or branches (for example `@v4` or `@main`) in final recommendations.
21+
- Upgrade one action at a time per commit (or one tightly related group) so failures are easy to isolate.
22+
- Keep existing workflow behavior unchanged while upgrading runtime/dependency actions.
23+
24+
## Actions We Track in This Repo
25+
26+
Prioritize runtime review for these groups when warnings appear:
27+
28+
- Any first-party action under `actions/*`
29+
- Especially setup actions under `actions/setup-*` (for example `setup-node`, `setup-python`, `setup-dotnet`)
30+
- Any other action explicitly named by the runtime deprecation warning in workflow logs
31+
32+
## Pinning Pattern
33+
34+
```yaml
35+
steps:
36+
- uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.3.1
37+
- uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.4
38+
```
39+
40+
When recommending upgrades, identify the latest compatible release first, then use the corresponding commit SHA with an optional version comment.
41+
42+
## Verification Checklist
43+
44+
After changing action versions:
45+
46+
1. Ensure all edited workflows still parse and keep the same triggers/permissions unless intentionally changed.
47+
2. Run the affected workflows (or equivalent local build/test commands) and confirm the upgraded steps complete successfully.
48+
3. Confirm release/signing/artifact steps still produce expected outputs where applicable.
49+
4. Check workflow run logs for any new deprecation warnings or runtime migration notes.
50+
51+
## PR Notes
52+
53+
Include in the PR summary:
54+
55+
- Which actions were upgraded (from -> to).
56+
- Whether any action could not move to a new major and why.
57+
- Which workflows were re-run to validate the change.
58+
59+
## How This Complements Dependabot
60+
61+
Dependabot can automate many updates, but this skill still helps when:
62+
63+
- Dependabot is not enabled for workflows in a repository.
64+
- Runtime warnings appear before an automated update is available.
65+
- A workflow needs behavior-preserving validation after the action bump.
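Review bot: the Upgrade Rules (lines 18-22) require workflow behavior to stay unchanged while moving to the latest stable major, but neither they nor the Verification Checklist (lines 46-49) ask the reader to review the action's release notes when crossing a major; a new major of a setup-* action can rename or drop `with:` inputs or change defaults while the workflow still parses cleanly, so checklist item 1 passes and only the run in item 2 would surface it. Suggest adding a rule such as "Read the release notes between the current and target major and adjust `with:` inputs before committing." A smaller point in the Pinning Pattern (lines 34-40): the text says to resolve the release to a commit SHA but not how (for example from the tag on the action's repository) or that the `# vX.Y.Z` comment must actually match that SHA; since the comment is the only human-readable record of what was pinned, and the Dependabot section relies on pinned actions remaining updatable, a stale or wrong comment is the failure mode this section should call out.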
