GitHub Actions – OIDC integration with AWS no longer requires pinning of intermediate TLS certificates

GitHub Actions – OpenId Connect (OIDC) integration with AWS is now optimized to avoid pinning any intermediary certificate thumbprints.

While configuring GitHub as an OIDC IdP (ID Provider), AWS now secures communication by trusting GitHub Actions’s trusted root certificate authorities (CAs) instead of using a certificate thumbprint to verify GitHub’s IdP server certificate.
This will address and avoid any issues caused due to pinning certificate thumbprints while authenticating from GitHub to AWS using OIDC. No action is needed for GitHub customers.

Learn more about using OIDC with GitHub Actions.

Updates to the audit log api requests streaming public beta

In April, we announced that GitHub Enterprise Cloud customers could join a public beta for streaming API request events as part of their enterprise audit log. As part of that release, REST API calls against enterprise's private and internal repositories could be streamed to one of GitHub's supported streaming endpoints.

However, we've discovered the need to expand our api call coverage against private and internal repositories in order to capture other security significant api routes. Additionally, we've determined several api routes targeting internal and private repositories generate significant event volumes with little auditing or security value. To address these concerns, we partnered with GitHub's security team to define a set of auditing and security significant controllers to serve as the basis for the public beta. These adjustments to the beta should increase signal and decrease the noise generated by the api request event being streamed.
image (4)

Note: hashed_token and token_id have been redacted for security reasons.

Enterprise owners interested in the public beta can still follow the instructions in our docs for enabling audit log streaming of API requests. We welcome feedback on the changes made to this feature on our beta feedback community discussion post.

See more

Pull request merge queue is now generally available!

Today we are announcing the general availability of pull request merge queue! 🎉

Merge queue helps increase velocity in software delivery by automating pull request merges into your busiest branches. Screenshot of pull request merge queue

Before merge queue, developers would often need to update their pull request branches prior to merging to ensure their changes wouldn't break the main branch because of incompatibilities with pull requests already merged. Each of these updates caused a new round of continuous integration (CI) checks that would have to finish before the developer could attempt to merge. Merge queue automates this process by ensuring each pull request queued for merging is tested with any other pull requests queued ahead of it.

Merge queue is available on private and public repos on the GitHub Enterprise Cloud plan and all public repos owned by organizations.

Check out this video demo of how merge queue works.

Updates

Over the last few months, we've been busy fixing bugs and responding to feedback. As part of the general availability, we're announcing the following updates:

  • New: A merge_group webhook event with an action of destroyed is now published when a merge group is destroyed for any reason, including when it's merged or invalidated because a pull request is removed from the queue.
  • Fixed: The before and created properties of the push webhook event published when a temporary branch is created by the queue are now set to reflect a branch was created
  • Changed: Jumping to the front of the queue is now only available to admins by default in repos on GitHub Enterprise, but can be granted to individual users and teams using a custom repository role. Previously, any user with write access could jump the queue, but admins did not have a way to limit access to it or grant it to users without write access.
  • Fixed: A pull_request.dequeued webhook event is now consistently published whenever a pull request is removed from the queue for any reason, including when it has been merged by the queue.

Learn more

For more on how to get started with merge queue, check out details on our blog!

A special thanks

A huge shout out and thank you to our customers in the community that participated in the public beta of this feature. Your input will help teams prevent traffic jams on their busiest branches! Hooray!

See more
View all changes