enterprise

Subscribe to all “enterprise” posts via RSS or follow GitHub Changelog on Twitter to stay updated on everything we ship.

~ cd github-changelog
~/github-changelog|main git log main
showing all changes successfully

2FA security checkup experience is now improved

GitHub is committed to a secure software ecosystem and requires most developers who contribute code on GitHub.com to enable one or more forms of two-factor authentication (2FA).To ensure that all users stay up to date with their account security configurations, we are now improving the checkup experience using various global banners that guide users to review and update their settings on a more regular basis.

These banners replace the security checkup interstitials that were previously displayed every 3 months for 2FA users. Each banner calls out the specific security configuration that needs attention (ex: user only having a single verified email), and will also include a quick link to the corresponding settings page to modify the required settings.

To learn more about the 2FA program, see our April 2024 blog post about how GitHub is securing millions of developers using 2FA, as well as the “About the mandatory 2FA program” documentation.

See more

Upcoming Automatic Upgrade to the Enterprise Account Experience

Starting September 3, 2024 enterprise customers who currently have a single organization without an enterprise account will be automatically upgraded into an enterprise account at no additional cost. An enterprise account will be created for you, and your organization will become the first member organization.

In April 2023, we introduced enterprise accounts for all new enterprise customers. We outlined our plans to assist existing customers with a single organization in obtaining an enterprise account. Enterprise accounts provide a unified experience granting access to all the latest and most robust features within the platform.

What is an enterprise account?

Enterprise accounts represent the top-most layer of the GitHub Enterprise management hierarchy, allowing enterprise owners to manage and scale their GitHub environments. Essentially, the enterprise account sits above organizations and serves as the primary interface for enterprise owners.

Benefits of an enterprise account:

Timeline & Next Steps:

If you have a GitHub Enterprise Cloud account without an enterprise account:

  • Voluntary Upgrade (Now – September 3rd, 2024): Administrators can proactively upgrade their existing account to an enterprise account via the Billing and Plans page under the account’s settings.
  • Automatic Upgrade (Starting September 3rd, 2024): If an upgrade was not completed during the voluntary phase, the account will be assigned a scheduled upgrade date. We’ll notify administrators two weeks prior to this date.

  • Seamless Transition: On the scheduled upgrade date, if not yet upgraded, the account will seamlessly transition and be nested under a new assigned enterprise account.

  • The new enterprise account name will match the organization name or as close as possible if the name is already taken, and customers may choose to rename after the upgrade.

  • There will be no change in ownership, all of the existing owners will remain the owners of the new enterprise account. The organization’s URL will not change, so existing usage of the repos or organization URL will not be impacted.
  • The existing configuration such as SAML SSO, PATs, policies, and application integrations should remain with the organization, unless there’s an override at the enterprise account.
See more

The GitHub Enterprise Server 3.13 is generally available

The GitHub Enterprise Server 3.13 release is generally available

GitHub Enterprise Server 3.13 gives customers more fine-grained control over deployment requirements and enhanced security controls. Here are a few highlights:

  • We are introducing a new feature for repositories called custom properties, a major enhancement to how repositories are managed and classified across GitHub organizations. Properties offer a flexible way to add meaningful metadata to your repositories that simplifies repository classification, enhances discoverability, and seamlessly integrates with rulesets. Check out the demo! For more information, see custom properties for repositories.
  • Elasticsearch will be upgraded from version 5 to version 8, when the appliance is upgraded to 3.13. Elasticsearch powers all search experiences in GHES including code search and audit logs. Upgrading ES5 to ES8 allows the platform to take advantage of better performance and improved security posture in ES8. For more information regarding what to expect during ES8 upgrade, see Preparing for Elasticsearch upgrade in GHES 3.13.
  • Enterprise and organization audit log events now include the applicable SAML and SCIM identity data associated with the user. For more information, see Reviewing the audit log for your organization.
  • Developers who use devcontainer.json files to define their development containers will now be able to use Dependabot version updates to keep their dependencies in the container up-to-date. Once configured in dependabot.yml, Dependabot will open PRs on a specified schedule to update the listed dependencies to latest.
  • Pull Requests rebases are now faster! Under the hood, rebase commits now use the merge-ort. Rebases that timed out for large repositories before are now a lot more likely to be successful.
  • Using Project Status Updates, you can now provide high level details on the status, timing, and progress of your project, directly from the project! This makes it easy to know and share with others how your work is progressing, any risks, and a history of when and why something changed, all in the same place where you’re tracking your work.

Read more about GitHub Enterprise Server 3.13 in the release notes,
or download it now.

If you have any issues upgrading your GitHub Enterprise Server Appliance to version 3.13, or problems using new features, please contact our Support team.

Please join us on GitHub Community to share your feedback or ask any questions about the new features!

See more

The GitHub Enterprise Server 3.13 Release Candidate is available

The GitHub Enterprise Server 3.13 release candidate is here

GitHub Enterprise Server 3.13 gives customers more fine-grained control over deployment requirements, and enhanced security controls. Here are a few highlights:

  • We are introducing a new feature for repositories called custom properties, a major enhancement to how repositories are managed and classified across GitHub organizations. Properties offer a flexible way to add meaningful metadata to your repositories that simplifies repository classification, enhances discoverability, and seamlessly integrates with rulesets. Check out the demo! For more information, see custom properties for repositories.

  • Elasticsearch will be upgraded from version 5 to version 8, when the appliance is upgraded to 3.13. Elasticsearch powers all search experiences in GHES including code search and audit logs. Upgrading ES5 to ES8 allows the platform to take advantage of better performance and improved security posture in ES8. For more information regarding what to expect during ES8 upgrade, see Preparing for Elasticsearch upgrade in GHES 3.13. Downnload the 3.13 RC candidate now, upgrade your staging environment and share your feedback with us!

  • Enterprise and organization audit log events now include the applicable SAML and SCIM identity data associated with the user. For more information, see Reviewing the audit log for your organization.

  • Developers who use devcontainer.json files to define their development containers will now be able to use Dependabot version updates to keep their dependencies in the container up-to-date. Once configured in dependabot.yml, Dependabot will open PRs on a specified schedule to update the listed dependencies to latest.

  • Pull Requests rebases are now faster! Under the hood, rebase commits now use the merge-ort. Rebases that timed out for large repositories before are now a lot more likely to be successful.

  • Using Project Status Updates, you can now provide high level details on the status, timing, and progress of your project, directly from the project! This makes it easy to know and share with others how your work is progressing, any risks, and a history of when and why something changed, all in the same place where you’re tracking your work.

Release Candidates are a way for you to try the latest features early, and they help us gather feedback to
ensure the release works in your environment. They should be tested on non-production environments.
Read more about the release candidate process.

Read more about GitHub Enterprise Server 3.13 in the release notes,
or download the release candidate now.
If you have any feedback or questions, please contact our Support team.

See more

Deprecated in 2021, the GitHub Enterprise Support Portal will be turned off on 31st May, 2024.

The enterprise support portal at https://enterprise.githubsupport.com/ has been deprecated since November 1, 2021. However, it has continued to remain accessible to view past tickets. That is now changing. In order to streamline your support experience, we are going to turn the portal off and it will no longer be accessible after May 31st, 2024.

Action required: If you have used this portal to reference old tickets not available on support.github.com, we recommend that you copy any important information from those tickets to another location before the end of this month.

You must visit support.github.com with a support entitled account to open new support tickets about your GitHub enterprise cloud account.

See more

[GA] Guest Collaborators for enterprise managed users

Guest Collaborators for GitHub Enterprise Cloud EMUs are now generally available. Originally announced in public beta at the end of last year, this feature allows an identity provider to assign the guest collaborator role to a user which will restrict that user’s default access to internal repositories.

Our thanks go to the thousands of public beta participants that guided our hand to the GA experience. By popular request, today we also released a public beta for repository collaborator access in EMU enterprises! This brings the “outside collaborator” access style to EMUs, limited to selecting users that are members of the enterprise account. Combining these two features together lets you grant the most granular possible access rights to specific repositories and organizations that fit your needs for contractors and other limited access use cases.

Learn more about guest collaborators

See more

[Public Beta] Repository collaborators for Enterprise Managed Users

Enterprise Managed Users can now be added directly to a repository in their enterprise as a collaborator, without becoming a member of the organization. These users function like outside collaborators, with a few differences:
1. Only user accounts from within the enterprise can be added to the repository. This means that users you want to collaborate with must still come from your linked identity provider (IDP).
2. EMU users can only be collaborators on repositories in their enterprise. EMU accounts cannot collaborate outside their enterprise.
3. Repo Collaborator invitations can only be sent by an EMU’s enterprise owner by default, while in non-EMU enterprises and organizations both enterprise and organization owners can manage outside collaborators.

Like outside collaborators – users do not have to SSO authorize their credentials in order to access repositories that they have been granted access to as a repository collaborators. This aligns to the current access model for internal repositories on GitHub.

You can try out repository collaborators by going to the repository policies section of your Enterprise settings and selecting which tiers of administrators are allowed to invite collaborators.

For more information about repository and outside collaborators, see “Roles in an organization“.

See more

Audit Log Streaming Health Check is Generally Available

GitHub’s audit log streaming health check is now generally available! The purpose of the audit log health check is to ensure audit log streams do not fail silently. Every 24 hours, a health check runs for each stream. If a stream is set up incorrectly, an email will be sent to the enterprise owners as notification that their audit log stream is not properly configured.

Example email notification for misconfigured stream

Streamed audit logs are stored for up to seven days on GitHub.com. To avoid audit log events being dropped from the stream, a misconfigured stream must be fixed within six days of email notification. To fix your streaming configuration, follow the steps outlined in “Setting up audit log streaming.”

See more

Enterprise Licensing page removing “Enterprise Help” section

GitHub Enterprise owners may notice that we removed the Enterprise Help links from your enterprise licensing page `https://github.com/enterprises//enterprise_licensing`, which were previously found here:

These shortcuts can still be found elsewhere:

  • GitHub Enterprise documentation is referenced underneath the README on the Enterprise Overview page `https://github.com/enterprises/`;
  • GitHub Support is discoverable both on the Enterprise Overview page as well as the Support page under settings `https://github.com/enterprises//settings/support`; and
  • GitHub Enterprise Server Support bundles can be uploaded from the Setup > Support Site Admin page as well as the GitHub Enterprise Cloud Support page under settings.
See more

GitHub Native IP Allow List expands to EMU User Namespaces – Private Beta

Enterprise owners of GitHub Enterprise Cloud with Enterprise Managed Users (EMUs) can now participate in a private beta introducing GitHub’s native IP allow list configuration to cover user namespaces. This feature will limit access to enterprise-managed user namespaces to the owning enterprise’s IP allow list. Access through the web UI, git protocol, and API are all filtered by the IP allow list. All credentials, including personal access tokens, app tokens, and SSH keys, are covered by this policy.

To enroll in this private beta and make this feature available for your enterprise, reach out to your GitHub Account Manager or contact our sales team.

See more

Updated GitHub App visibility for Enterprise Managed Users

We’ve clarified the GitHub App creation experience for Enterprise Managed Users (EMUs), updating it for both users and organizations that would like to create an app.

GitHub Apps created within an EMU enterprise are only accessible within the enterprise – they’re blocked for anyone else. In addition, EMU user accounts are unable to install GitHub applications.

To reflect this limitation, we’ve updated the creation UI to disable the “Private” option for EMU users, which prevents users from creating apps that no one can install. We’ve also updated the “Public” option to instead read “This enterprise”, more accurately reflecting where the app can actually be installed.

image

For more information about EMUs, see “About Enterprise Managed Users“. For more about GitHub Apps, see “About GitHub Apps“.

See more

SSH CA support for enterprise-owned user accounts

Enterprises that own their user accounts can now use SSH CAs to access user-owned repositories. This is an optional setting that enterprises can enable in their enterprise SSH CA settings page. Enabling this setting allows developers to use a single SSH certificate for all of their interactions with GitHub across their user account’s repositories and their enterprise’s repositories.

This is available now for customers using Enterprise Managed Users in GHEC, and will be included in GHES 3.14. It is not available to GHEC Classic enterprises, where developers bring their own personal accounts to the enterprise; the enterprise does not own those accounts and cannot gain access to their repositories.

For more about SSH certificate authorities, see “Managing SSH certificate authorities for your enterprise“.

See more

Actions Usage Metrics public beta

Customers desire clear, relevant, and actionable insights about how Actions workflows are being used in their organization. Today, we are thrilled to announce that Actions Usage Metrics is available in public beta for GitHub Enterprise Cloud plans.

Actions Usage Metrics screenshot

Time is the most important metric for DevOps and DevEx teams. The question they want answered is, “where are all my minutes going?” Actions Usage Metrics addresses this question and others by focusing on minutes used per workflow, job, repository, runtime OS, and runner type. This data helps organizations locate areas of improvement in their software delivery lifecycle, saving time and money.

Customers can filter data by any combination of workflows, jobs, repositories, runtime OS, and runner type to view total minutes, number of jobs, workflow executions, and more. All usage metrics, filtered or not, can be downloaded as a .csv file to use with your tool of choice.

By default, organization owners can access Actions Usage Metrics. However, access permissions can be granted to other members or teams using Actions fine-grained permissions. This ensures the right level of access to Actions Usage Metrics data, enabling informed decisions and improvements.

To learn more about Actions Usage Metrics, check out our docs or head to our community discussion.

See more

New SSH CAs must sign expiring certificates

SSH CAs uploaded to GitHub.com after March 27th, or in GHES 3.13 and beyond, can only sign certificates that expire. They must expire within 366 days of being created.
While expirations on certificates are not required by signing tools such as ssh-keygen, we are enforcing this best practice in order to protect against a weakness in how SSH certificates are linked to users.

CAs uploaded before the cutoff date or release will be marked in the UI as being allowed to sign non-expiring certificates:

image

An “upgrade” option on the CA lets you enforce expiration of signed certificates. Once you’ve validated that you are indeed using a lifetime on your certificates, we recommend upgrading your CAs. This upgrade step is irreversible, and new CAs cannot be downgraded to allow non-expiring certificates.
If a certificate is signed with no expiration, or a too-long expiration, it will be rejected during SSH connection with an error indicating The SSH certificate used was issued for a longer period than allowed.

This change forces the valid_after issuance timestamp to be written to the certificate, which allows GitHub to detect if the user changed their username after the certificate was issued for that username. This prevents a reuse attack vector where the former holder of a username is able to use certificates issued to them to sign in as the new holder of that username.

To learn more about managing SSH CAs, see “Managing your organization’s SSH CAs” and “Managing SSH CAs for your enterprise.” For information on using SSH CAs, see “About SSH CAs.”

See more

Logging SAML SSO and SCIM identity data in audit log events is generally available

Starting today for GitHub Enterprise Cloud and as part of GitHub Enterprise Server version 3.13, enterprise and organization audit log events will include the applicable SAML and SCIM identity data associated with the user. This data provides increased visibility into the identity of the user and enables logs from multiple systems to quickly and easily be linked using a common corporate identity. The SAML identity information will be displayed in the external_identity_nameid field and the SCIM identity data will be displayed in the external_identity_username field within the audit log payloads.

In GitHub Enterprise Cloud Classic, SAML SSO gives organization and enterprise owners a way to control and secure access to resources like repositories, issues, and pull requests. Organization owners can invite GitHub users to join an organization backed by SAML SSO, allowing users to become members of the organization while retaining their existing identity and contributions on GitHub.

If your Enterprise Cloud Classic organization uses SAML SSO, you can use SCIM to add, manage, and remove organization members’ access to your organization. For example, an administrator can deprovision an organization member using SCIM and automatically remove the member from the organization.

To learn more, read our documentation about SAML SSO authentication data in our audit logs.

See more
View more changes