Updates to the audit log api requests streaming public beta

In April, we announced that GitHub Enterprise Cloud customers could join a public beta for streaming API request events as part of their enterprise audit log. As part of that release, REST API calls against enterprise's private and internal repositories could be streamed to one of GitHub's supported streaming endpoints.

However, we've discovered the need to expand our api call coverage against private and internal repositories in order to capture other security significant api routes. Additionally, we've determined several api routes targeting internal and private repositories generate significant event volumes with little auditing or security value. To address these concerns, we partnered with GitHub's security team to define a set of auditing and security significant controllers to serve as the basis for the public beta. These adjustments to the beta should increase signal and decrease the noise generated by the api request event being streamed.
image (4)

Note: hashed_token and token_id have been redacted for security reasons.

Enterprise owners interested in the public beta can still follow the instructions in our docs for enabling audit log streaming of API requests. We welcome feedback on the changes made to this feature on our beta feedback community discussion post.

Today we are announcing the general availability of pull request merge queue! 🎉

Merge queue helps increase velocity in software delivery by automating pull request merges into your busiest branches. Screenshot of pull request merge queue

Before merge queue, developers would often need to update their pull request branches prior to merging to ensure their changes wouldn't break the main branch because of incompatibilities with pull requests already merged. Each of these updates caused a new round of continuous integration (CI) checks that would have to finish before the developer could attempt to merge. Merge queue automates this process by ensuring each pull request queued for merging is tested with any other pull requests queued ahead of it.

Merge queue is available on private and public repos on the GitHub Enterprise Cloud plan and all public repos owned by organizations.

Check out this video demo of how merge queue works.

Updates

Over the last few months, we've been busy fixing bugs and responding to feedback. As part of the general availability, we're announcing the following updates:

  • New: A merge_group webhook event with an action of destroyed is now published when a merge group is destroyed for any reason, including when it's merged or invalidated because a pull request is removed from the queue.
  • Fixed: The before and created properties of the push webhook event published when a temporary branch is created by the queue are now set to reflect a branch was created
  • Changed: Jumping to the front of the queue is now only available to admins by default in repos on GitHub Enterprise, but can be granted to individual users and teams using a custom repository role. Previously, any user with write access could jump the queue, but admins did not have a way to limit access to it or grant it to users without write access.
  • Fixed: A pull_request.dequeued webhook event is now consistently published whenever a pull request is removed from the queue for any reason, including when it has been merged by the queue.

Learn more

For more on how to get started with merge queue, check out details on our blog!

A special thanks

A huge shout out and thank you to our customers in the community that participated in the public beta of this feature. Your input will help teams prevent traffic jams on their busiest branches! Hooray!

See more

Passkeys are a replacement for passwords when signing in, providing higher security, ease-of-use, and loss-protection. They're now available on GitHub.com as a public beta – see this blog post for more information.

This public beta is open to all users with a password, regardless of whether you use 2FA. To get started, enable passkeys as a feature preview.

By using passkeys, you no longer need to enter a password, or even your username, when you sign in – nor do you need to perform 2FA, if you have 2FA enabled on your account. That's because passkeys validate your identity, as well as possession of a device, so they count as two authentication factors in one.

Once enrolled, you can register a brand new passkey and upgrade many security keys to a passkey. If you're enrolled in the preview, the next time you use an eligible security key you'll be asked to upgrade it.
Screenshot of the security key upgrade prompt, asking the user if they'd like to upgrade a security key called 'fingerprint' to a passkey.

To learn more, check out this blog post about passkeys, as well as "About passkeys" in our documentation. If you have any feedback, please drop us a note in our public discussion – we're excited for this advance in account security, and would love to understand how we can make it better for you.

See more