actions

Subscribe to all “actions” posts via RSS or follow GitHub Changelog on Twitter to stay updated on everything we ship.


GitHub Actions now lets you control the permissions granted to the GITHUB_TOKEN secret.

The GITHUB_TOKEN is an automatically generated secret that lets you make authenticated calls to the GitHub API in your workflow runs. Actions generates a new token for each job and expires the token when the job completes. By default the token has write permissions to a number of API endpoints, except for pull requests from forks, which always receive a read-only token. These new settings allow you to follow the principle of least privilege in your workflows.

Setting permissions in the workflow

A new permissions key, supported at the workflow and job level, lets you specify which permissions you want for the token. Any permission that is absent from the list will be set to none.

permissions:
  actions: read|write|none
  checks: read|write|none
  contents: read|write|none
  deployments: read|write|none
  issues: read|write|none
  packages: read|write|none
  pull-requests: read|write|none
  repository-projects: read|write|none
  security-events: read|write|none
  statuses: read|write|none

Pull requests from public forks are still considered a special case and will receive a read token regardless of these settings.

Setting the default permissions for the organization or repository

A new admin setting lets you set the default permissions for the token in your organization or repository.

You can choose between two options:

  • Read/write for all scopes (current default)
  • Read repo contents

Setting the default to contents:read is sufficient for any workflow that simply needs to clone and build. If you need additional permissions, you will need to specify them in your workflow YAML.
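A workflow applying these settings, added here as an example and not taken from the changelog: the workflow-level block grants only contents:read, and one job overrides it with the single scope it needs. The build script, the step names and the use of gh on the runner are assumptions.

```yaml
# Added example (not from the changelog): least-privilege GITHUB_TOKEN.
# The build job only needs to clone; the comment job needs to write to
# pull requests and nothing else.
name: ci

on:
  pull_request:

# Workflow-level default: the token can only read repository contents.
# Every scope not listed here (issues, packages, checks, ...) is none.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - run: ./build.sh   # assumed build script; contents:read is enough

  comment:
    needs: build
    runs-on: ubuntu-latest
    # A job-level block replaces the workflow default for this job only:
    # it may write PR comments, and contents is now none (no checkout needed).
    permissions:
      pull-requests: write
    steps:
      # For a PR from a public fork the token is read-only regardless of
      # this block, so this step would fail there; gated jobs should expect that.
      - run: gh pr comment "$PR" --repo "$GITHUB_REPOSITORY" --body "Build succeeded for ${GITHUB_SHA}"
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PR: ${{ github.event.pull_request.number }}
```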


Learn more about setting the token permissions

For questions, visit the GitHub Actions community

To see what’s next for Actions, visit our public roadmap


GitHub Actions now supports a concurrency key at both the workflow and job level that will ensure that only a single run or job is in progress.

There are a number of scenarios where you only want a single instance of a particular workflow or job running at any given time. For example, when deploying to your production environment it can be important to ensure that only one deployment is happening at a time and that you are always deploying the latest code. The concurrency key can be any string or an expression using the github context. When a job or run starts, it first checks whether anything currently holds the specified concurrency group. If not, it starts; if the group is locked, the job or run is marked as pending and starts only after the blocking job or run completes.
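Both forms in one workflow, added here as an example rather than code from the changelog: a workflow-level group built from the github context, and a fixed job-level group for the deployment. The scripts and workflow name are assumptions.

```yaml
# Added example (not from the changelog): concurrency at both levels.
name: build-and-deploy

on:
  push:
    branches: [main]
  pull_request:

# Workflow-level group from the github context: one run per workflow per
# branch or PR ref. A second push to the same branch is marked pending and
# waits until the run holding the group finishes.
concurrency: ${{ github.workflow }}-${{ github.ref }}

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - run: ./build.sh   # assumed build script

  deploy:
    needs: build
    if: github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    # Job-level group shared by every run of this workflow: only one
    # production deployment can be in progress at any time, whichever
    # run it belongs to. Later deploy jobs queue behind it in order.
    concurrency: production-deploy
    steps:
      - uses: actions/checkout@v2
      - run: ./deploy.sh   # assumed deploy script
```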

Learn more about concurrency groups in GitHub Actions

For questions, visit the GitHub Actions community

To see what's next for Actions, visit our public roadmap


GitHub CLI 1.9 allows you to work with GitHub Actions in your terminal:

  • List and view workflows and runs with gh workflow list, gh workflow view, gh run list, and gh run view
  • View the logs for a particular run with gh run view --log
  • View the logs for runs with jobs that failed with gh run view --log-failed
  • Download run artifacts with gh run download
  • Re-run runs with failed jobs using gh run rerun
  • Watch runs in progress using gh run watch
  • Trigger workflows with the workflow_dispatch event using gh workflow run
  • Enable and disable workflows with gh workflow enable and gh workflow disable

Learn more about GitHub CLI and check out the blog post to learn more about this release.


You can now use setup-java v2 to download and cache binaries from different distributions, including Adopt OpenJDK and Zulu OpenJDK.

With setup-java v2, you can:

  • Add Java distributions of your choice
  • Get native support for Adopt OpenJDK
  • Reduce your Java setup time significantly as the action can utilize pre-cached Adopt OpenJDK distributions from GitHub-hosted runner images

As part of the v2 release, setup-java now requires a distribution argument and no longer supports the legacy Java version syntax 1.x. You can use our migration guide to learn more about upgrading to v2.

steps:
- uses: actions/checkout@v2
- uses: actions/setup-java@v2
  with:
    distribution: 'adopt'
    java-version: '11'
- run: java -cp java HelloWorldApp

For questions, visit the setup-java repo and GitHub Actions community


GitHub Actions deployment reviews are now available on GitHub Mobile.

You can approve or reject jobs awaiting review, view deployment status and deployed environments, and receive push notifications for requests for your review for a given deployment. Deployments awaiting your approval will also appear within the Notifications tab on GitHub Mobile.

Screenshot of reviewing a deployment on GitHub for Android

Screen capture of reviewing a deployment on GitHub for iOS

Learn more about reviewing deployments in GitHub Actions.

For questions, visit the GitHub Actions community.

Read more about GitHub Mobile and send us your feedback to help us improve.


The Audit Log now includes events associated with GitHub Actions workflow runs. This data provides enterprise customers with a greatly expanded data set for security and compliance audits.

New events will be incorporated into the audit log when:

  • A workflow run is created, completed, deleted, or re-run
  • A workflow job is prepared. Importantly, this event will include the list of secrets that were provided to the runner
  • A self-hosted runner’s version is updated

Screenshot of audit log UI with new events

These new events are only available to customers on the Enterprise plan. All events are available in the REST API, and all events except for workflow run created, workflow run completed, and workflow job prepared are available in the UI and exports.

Learn more about Audit Log events

For questions please visit the GitHub Actions community forum

To see what’s next for GitHub Actions, visit our public roadmap.


Starting March 1st, 2021 workflow runs that are triggered by Dependabot from push, pull_request, pull_request_review, or pull_request_review_comment events will be treated as if they were opened from a repository fork. This means they will receive a read-only GITHUB_TOKEN and will not have access to any secrets available in the repository. This will cause any workflows that attempt to write to the repository to fail.

This change will affect all repositories, both public and private, regardless of how they are configured, and is being made to prevent potentially compromised dependencies from capturing secrets referenced in your workflows.

If your workflow needs to have a write token or access to secrets, you can use the pull_request_target event; however, please read Keeping your GitHub Actions and workflows secure: Preventing pwn requests to better understand the risks.
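A workflow that still reacts to Dependabot pull requests after this change, added here as an example and not part of the changelog: it uses pull_request_target so the token can write, requests only the one scope it needs, and never checks out or runs the pull request's own code. The label name, the actor check and the availability of gh on the runner are assumptions.

```yaml
# Added example (not from the changelog): labelling Dependabot PRs with
# pull_request_target without exposing the write token to PR code.
name: label-dependabot

on:
  pull_request_target:
    types: [opened, synchronize]

# Only what the labelling step needs; every other scope is none.
permissions:
  pull-requests: write

jobs:
  label:
    # Keep the privileged job to PRs opened by Dependabot (assumed check).
    if: github.actor == 'dependabot[bot]'
    runs-on: ubuntu-latest
    steps:
      # Deliberately no actions/checkout of the PR head and no build step:
      # under pull_request_target the token and repository secrets are
      # available, so executing code from the PR would hand them over.
      - run: gh pr edit "$PR" --repo "$GITHUB_REPOSITORY" --add-label dependencies
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PR: ${{ github.event.pull_request.number }}
```

Anything that must actually build or test Dependabot's changes belongs in a separate pull_request workflow, where it runs with the read-only token and no secrets.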

For questions, visit the GitHub Actions community

To see what’s next for Actions, visit our public roadmap


You can now limit which branches can deploy to an environment using Environment protection rules.

When a job tries to deploy to an environment that has Deployment branches configured, Actions checks the value of github.ref against the configuration; if it does not match, the job fails and the run stops.

The Deployment branches rule can be configured to allow:

  1. All branches – Any branch in the repository can deploy
  2. Protected branches – Only branches with protection rules
  3. Selected branches – Branches matching a set of name patterns

Configure Deployment branches
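A deploy job bound to such an environment, added here as an example that is not from the changelog. It assumes an environment named production whose Deployment branches rule is Selected branches with the pattern main, an environment secret DEPLOY_KEY, and a deploy script.

```yaml
# Added example (not from the changelog): environment with a Deployment
# branches rule. Environment name, secret and script are assumptions.
name: deploy

on:
  push:
    branches: [main]
  workflow_dispatch:   # can be started from any branch in the UI

jobs:
  deploy:
    runs-on: ubuntu-latest
    # Before any step runs, Actions compares github.ref with the
    # environment's Deployment branches rule. A push to main passes
    # (github.ref is refs/heads/main). A workflow_dispatch started from
    # a feature branch fails right here and the run stops, so the
    # environment's secrets are never handed to that job.
    environment: production
    steps:
      - uses: actions/checkout@v2
      - run: ./deploy.sh   # assumed script that reads DEPLOY_KEY
        env:
          DEPLOY_KEY: ${{ secrets.DEPLOY_KEY }}   # environment secret, assumed
```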

Learn more about Environment protection rules

For questions, visit the GitHub Actions community

To see what's next for Actions, visit our public roadmap


GitHub Actions now supports skipping push and pull_request workflows by looking for some common keywords in your commit message.

If any commit message in your push, or the HEAD commit of your PR, contains the strings [skip ci], [ci skip], [no ci], [skip actions], or [actions skip], workflows triggered on the push or pull_request events will be skipped.

For questions, visit the GitHub Actions community

To see what's next for Actions, visit our public roadmap


Beginning March 1, 2021, we will remove .NET Core 3.0 from macOS 10.15, Ubuntu 16.04, and Ubuntu 18.04 virtual environments for GitHub-hosted runners. We follow a general guideline of removing software tools from our hosted images six months after they are deprecated, and .NET Core 3.0 reached its end of life on March 3, 2020.

You can continue to use .NET Core 3.0 with our setup-dotnet action. The setup-dotnet action is always the recommended way of using .NET with GitHub Actions because it ensures consistent behavior across different runners or versions of .NET and protects your workflow from possible future deprecation of additional .NET versions:

steps:
- uses: actions/checkout@main
- uses: actions/setup-dotnet@v1
  with:
    dotnet-version: '3.0.x'
- run: dotnet build <my project>

For the latest updates, be sure to subscribe to the announcement in the actions/virtual-environments repository.


On February 15th, GitHub Actions will remove support for referencing actions using the shortened version of a git commit SHA. This may cause some workflows in your repository to break. To fix these workflows, you will need to update the action reference to use the full commit SHA.

For example, if your workflow references actions/checkout@5a4ac90, you should change it to actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f. You can find the full commit SHA in the referenced action's repository.

This change is being made to align product functionality with our published security guidance.


Today we are releasing an open beta for the new continuous delivery capabilities in GitHub Actions. In this open beta there is no need to sign up: all existing GitHub organizations and accounts can use the new capabilities in their public repositories, and GitHub Enterprise Cloud organizations can use them in all repositories.

The addition of environment protection rules and environment secrets enables separation of concerns between deployment and development to meet compliance and security requirements. The required reviewers environment protection rule automatically pauses a job trying to deploy to the protected environment and notifies the reviewers. Once approved, the job runs and is given secured access to the environment's secrets. The environments page also includes a deployment log and information on the latest code change deployed to each environment.

Protection rules and secrets

Environment history

Learn more about environments

For questions, visit the GitHub Actions community

To see what's next for Actions, visit our public roadmap


GitHub Actions can now generate a visual graph of your workflow on every run. With workflow visualization, you can

  • view and understand complex workflows
  • track progress of workflows in real-time
  • troubleshoot runs quickly by easily accessing logs and jobs metadata
  • monitor progress of deployment jobs and easily access deployment targets

Workflow visualization for GitHub Actions is now available in a public beta. To view a visual graph of your workflow, navigate to the workflow home page and select the run for which you would like to see the graph.

graph example of a workflow run

For questions, visit the GitHub Actions community

To see what's next for Actions, visit our public roadmap


On October 1, 2020, we published a CVE outlining a vulnerability in the set-env and add-path workflow commands feature of GitHub Actions, and announced that we would be deprecating those features. In addition, we began flagging to customers in their Actions logs about the coming deprecation and provided guidance on how to migrate to the replacement functionality.

Specific vulnerabilities introduced by these commands have been patched, but in order to completely close the attack vector we need to disable the set-env and add-path workflow commands.

Security and transparency are essential to maintaining your trust. Therefore, while our investigations show no evidence at this time of this vulnerability being exploited, out of an abundance of caution, we will disable those commands and start failing workflow runs that use them on November 16, 2020.

For details on how to use the new functionality and prevent your workflows from breaking please see https://blog-github-com-develop.go-vip.co/changelog/2020-10-01-github-actions-deprecating-set-env-and-add-path-commands/.

Update 11/19/2020: Version [v2.274.2](https://github.com/actions/runner/releases/tag/v2.274.2) of the GitHub Actions runner removes support for these commands and has been rolled out across GitHub.
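The replacement functionality referred to above is the GITHUB_ENV and GITHUB_PATH environment files that GitHub shipped with the deprecation. The workflow below is added here as a migration example and is not code from the changelog; the variable names, the CHANGES.txt file and the tool name are constructed.

```yaml
# Added example (not from the changelog): environment files in place of
# the disabled set-env and add-path commands. Values are constructed.
name: env-files

on: [push]

jobs:
  demo:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2

      # Formerly: echo "::set-env name=BUILD_ID::..."  (now fails the run)
      - name: Set a variable for later steps
        run: echo "BUILD_ID=build-${GITHUB_RUN_NUMBER}" >> "$GITHUB_ENV"

      # Multi-line values need a delimiter; choose one that cannot occur in
      # the content, otherwise a line of the content could close the value
      # early and the rest would be parsed as further assignments.
      - name: Set a multi-line value
        run: |
          {
            echo "RELEASE_NOTES<<__NOTES_END__"
            cat CHANGES.txt          # assumed file in the repository
            echo "__NOTES_END__"
          } >> "$GITHUB_ENV"

      # Formerly: echo "::add-path::$HOME/.local/bin"
      - name: Prepend a directory to PATH for later steps
        run: echo "$HOME/.local/bin" >> "$GITHUB_PATH"

      # Both files take effect only in subsequent steps of the same job.
      - name: Use the values
        run: |
          echo "$BUILD_ID"
          printf '%s\n' "$RELEASE_NOTES"
          command -v mytool || echo "mytool not on PATH"   # assumed tool name
```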
