Add GitHub Actions runtime upgrade skill

[jamesmontemagno]

Summary

• convert the contribution to a new Agent Skill: skills/github-actions-runtime-upgrade-conventions/SKILL.md
• include skill frontmatter and guidance for runtime deprecation upgrades in GitHub Actions workflows
• regenerate docs so the skill appears in docs/README.skills.md and is removed from docs/README.instructions.md

Validation

• npm start
• npm run skill:validate
• npm run plugin:validate
• bash eng/fix-line-endings.sh

[Copilot]

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Adds a new instruction set to guide GitHub Actions “Node.js runtime deprecated” upgrades and surfaces it in the instructions catalog.

Changes:

• Added “GitHub Actions Runtime Upgrade Conventions” instruction file scoped to workflow YAMLs.
• Updated the docs instructions index to include an install link for the new instruction.

Show a summary per file

File	Description
instructions/github-actions-runtime-upgrade-conventions.instructions.md	New instruction content and frontmatter for workflow runtime upgrade guidance.
docs/README.instructions.md	Adds the new instruction to the documentation list with install links.

Copilot's findings

• Files reviewed: 2/2 changed files
• Comments generated: 1

[github-actions]

🔒 PR Risk Scan Results

Scanned 2 changed file(s).

Severity	Count
🔴 High	0
🟠 Medium	1
ℹ️ Info	0

Severity	Rule	File	Line	Match
🟠	package-exec-command	docs/README.skills.md	31	| [acreadiness-assess](../skills/acreadiness-assess/SKILL.md)<br />`gh skills install github/awesome-copilot acreadiness-assess` | Run the AgentRC readiness assessment on the curre

This is an automated soft-gate report. Findings indicate review targets and do not block merge by themselves.

[github-actions]

🔍 Skill Validator Results

⚠️ Warnings or advisories found

Scope	Checked
Skills	1
Agents	0
Total	1

Severity	Count
❌ Errors	0
⚠️ Warnings	1
ℹ️ Advisories	0

Summary

Level	Finding
ℹ️	Found 1 skill(s)
ℹ️	[github-actions-runtime-upgrade-conventions] 📊 github-actions-runtime-upgrade-conventions: 392 BPE tokens [chars/4: 507] (compact ✓), 6 sections, 0 code blocks
ℹ️	[github-actions-runtime-upgrade-conventions] ⚠ No code blocks — agents perform better with concrete snippets and commands.
ℹ️	✅ All checks passed (1 skill(s))

Full validator output

Found 1 skill(s)
[github-actions-runtime-upgrade-conventions] 📊 github-actions-runtime-upgrade-conventions: 392 BPE tokens [chars/4: 507] (compact ✓), 6 sections, 0 code blocks
[github-actions-runtime-upgrade-conventions]    ⚠  No code blocks — agents perform better with concrete snippets and commands.
✅ All checks passed (1 skill(s))

[aaronpowell]

How is this skill different to having dependabot running on a repo monitoring workflows?

[jamesmontemagno]

This skill helps the agent update my actions correctly. Not everyone has dependabot on in every repo

[aaronpowell]

This might be a little too heavy handed in steering the agent from the skill. For example, why setup-dotnet and not setup-node or setup-python?

Maybe it'd be better to have it prioritise actions that are action/* (official GitHub ones), or actions/setup-* if it should scope it a bit further.

[aaronpowell]

This is actually counter to our best practice advice per https://docs.github.com/en/actions/how-tos/write-workflows/choose-what-workflows-do/find-and-customize-actions#using-release-management-for-your-custom-actions:

We recommend that you use a SHA value when using third-party actions. However, it's important to note Dependabot will only create Dependabot alerts for vulnerable GitHub Actions that use semantic versioning. For more information, see Secure use reference and Dependabot alerts.

The instruction should be that it looks for the latest release and then gets the SHA of that to pin, rather than a tag or branch, as both are mutable.