Changelog

Subscribe to all Changelog posts via RSS or follow GitHub Changelog on Twitter to stay updated on everything we ship.

~ cd github-changelog
~/github-changelog|main git log main
showing all changes successfully

The code scanning option for repository rules is now available in public beta. Code scanning users can now create a dedicated code scanning rule to block pull request merges, instead of relying on status checks.
Making it easier than ever to prevent new vulnerabilities from being introduced into your code base.

code scanning rule

Configuring code scanning merge protection with rulesets can be done at the repository or organization levels and for repositories configured with either default setup or advanced setup. Additionally you can also use the REST API to set merge protection with rulesets.

You can use rulesets to prevent pull requests from being merged when one of the following conditions is met:
– A required tool found a code scanning alert of a severity that is defined in a ruleset.
– A required code scanning tool’s analysis is still in progress.
– A required code scanning tool is not configured for the repository.

Note: Merge protection with rulesets is not related to status checks. If the code scanning rule is configured for the repository in parallel with an alert threshold and the merge protection rule for the code scanning check run, the two functionalities will work simultaneously. For more information about status checks, see about status checks.

This beta is now available on GitHub.com and will be available on GHES 3.14. The organisation wide rules is only available for GitHub enterprise. For more information, see Configuring merge protection for all repositories in an organization.

We look forward to your feedback on the code scanning option for repository rules in the GitHub community.

See more

This public beta enables developers to use a directories key to list multiple directories for the same ecosystem configuration in the dependabot.yml file.

Previously, developers with multiple package manifests for the same ecosystem (e.g. npm, pip, gradle) across multiple directories had to create separate dependabot.yml configurations for each of those directories. This could lead to many duplicated configurations, and high maintenance costs if a developer wished to make a change that spanned multiple directories.

A new dependabot.yml key, directories, is now available in public beta. The directories key accepts a list of strings representing directories, and can be used instead of directory.

Below is an example dependabot.yml multi-directory configuration setup, including how you can use the directories key:

version: 2
updates:
  - package-ecosystem: "bundler"
    directories:
      - "/frontend"
      - "/backend"
      - "/admin"
    schedule:
      interval: "weekly"

This example configuration applies to both security and version updates.

Wildcards and globbing support (i.e. using * to represent a pattern of directories) is coming soon in our next public beta releases, with an expected public beta launch within the next few months. Stay tuned for more!

If a developer still wishes to explicitly enumerate configurations for the same ecosystem using directory, they can still choose to do so; the directory key still accepts single-directory entries. For more information on the directory key, check out the dependabot.yml configuration options for the directory key documentation.

See more

To enhance accessibility for our users, we have introduced a new accessibility setting that allows the underlining of links within text. It is important that links are clearly distinguishable from the surrounding text, which is achieved not only through color but also through additional styling.

For more information on this feature, please visit our documentation. Thank you for all your valuable feedback during the beta phase.

See more

CodeQL is the static analysis engine that powers GitHub code scanning. CodeQL version 2.17.1 has been released and has now been rolled out to code scanning users on GitHub.com.

CodeQL code scanning now supports automatic fix suggestions for C# alerts on pull requests, powered by Copilot. This is automatically enabled for all private repositories for all GitHub Advanced Security customers. For the first time, autofix covers nearly all security queries for a language, with 49 supported queries for C# from our Default and Extended suites. Use our public discussion for questions and feedback.

Also included in this release:

For a full list of changes, please refer to the complete changelog for version 2.17.1. All new functionality will also be included in GHES 3.13. Users of GHES 3.12 or older can upgrade their CodeQL version.

See more

For enterprise owners and security managers dedicated to managing security products, we are excited to announce a new capability: you can now gain historical insights into security products enablement trends across your GitHub enterprise. This overview helps you understand how security product coverage is being implemented across your company.

Following our March announcement of the public beta of the enablement trends report for organizations, which allowed monitoring of enablement trends for all security products within your GitHub organization, we’ve expanded this capability to the enterprise level. The addition of an owner filter further simplifies the navigation of metrics for repositories owned by specific organizations.

Enterprise enablement trends report

Explore enablement trends and gain historical insights into the activation status of GitHub security features:
* Dependabot alerts
* Dependabot security updates
* Code scanning
* Secret scanning alerts
* Secret scanning push protection

Historical data is available from January 1, 2024, with the exception of Dependabot security updates data, which is available from January 17, 2024.

To access the enablement trends report, navigate to your enterprise account. In the enterprise account sidebar, click Code Security.

This feature is now available as a public beta on GitHub Enterprise Cloud and will be available in GitHub Enterprise Server 3.14.

Learn more about security overview and join the discussion within the GitHub Community

See more

The new deployment views across environments are now generally available (GA)! 🎉

Previously we have shipped dashboard views to track your deployments using GitHub Actions across various environments.
These views have enabled Developers and DevOps managers to view the full history of deployments in a repository or filter them across environments & workflows to understand their status, duration or address any blockers.

We are now announcing GA for these Deployment Dashboard views along with the following enhancements:

  • Pinning of environments. Ex: You can now “pin” up to 10 of your most critical environments to provide a quick way to view all the deployments rolled out to them.
  • More filters on the views. Ex: You can now drill down to the list of deployments triggered by specific creators with specific deployment statuses and targeting specific environments.

New Deployment views

Learn more about viewing and filtering deployments in your repository through our documentation.

For questions, visit the GitHub Actions community.
To see what’s next for Actions, visit our public roadmap.

See more

Today’s changelog brings you a new workflow to auto-close issues in Projects!

🪄 Auto-close issue project workflow

The auto-close issue workflow allows you to automatically close issues when their project status is changed to “Done” ✅ or any custom status you define (🙅 say goodbye to repetitive clicks).

Implementing the new workflow

For existing projects anyone with write or admin access can enable the new auto-close issue workflow on the workflows page.

For new projects the auto-close issue workflow will be enabled by default.

✍️ Tell us what you think!

Join the conversation in the community discussion to share your feedback.

Bug fixes and improvements

  • Enterprise Managed Users can now use public project templates and copy public projects.
  • Changed the behavior to apply a secondary sort field from the view configuration menu and also the table column menu.

See how to use GitHub for project planning with GitHub Issues, check out what’s on the roadmap, and learn more in the documentation.

See more

We’re excited to announce the public beta of the GitHub Copilot Metrics API, available to all customers of GitHub Copilot Business and GitHub Copilot Enterprise starting today.

The GitHub Copilot Metrics API is designed to supply you with information about Copilot’s usage within your organizations. The data from the API is intended to be consumed and combined with your organization’s own data to create greater visibility into how Copilot fits into the bigger picture of your software development cycle.

What functionality will be included in the Public Beta?

  • Historical data will be automatically loaded, giving you the ability to overlay data with any previous sources from day one.
  • The endpoint will supply data for the previous 28 days of usage history, on a rolling basis.

  • Data is summarized by day, and is refreshed at day end.

  • Date ranges and pagination are now available.

  • This iteration of the GitHub Copilot Metrics API is focused on serving metrics for Copilot Chat and code completions that take place in the IDE.

  • Code completion metrics: Lines of Code Suggested, Lines of Code Accepted, Number of Suggestions, Number of Acceptances, and Active Users with slices on language, and IDE.

  • Copilot Chat metrics: Number of Chats, Chat Suggestions Accepted, and Active Users. The endpoint does not currently feature slices on language or IDE for Chat metrics.

  • Team-level aggregates for GitHub teams with five or more members are also available.

Documentation and Resources

To help you get started, we have prepared comprehensive documentation and resources:

  • API Documentation: Explore the detailed API documentation, including metrics definitions here.
  • Visualization: You can find an open source tool for consuming and visualizing data from the endpoint here.

  • Metrics Export: Generate a flattened CSV from the endpoint using GitHub Actions here.

  • Learning Pathway: You can find an extended article on measuring the impact of GitHub Copilot here.

Participate in the Public Beta!

Your feedback during this beta phase is invaluable to us. We encourage you to share your experiences, which will be instrumental in refining and enhancing the API as we look toward the future.

Stay tuned for updates and enhancements throughout the beta period. We’re committed to delivering a robust and feature-rich API that meets your needs and expectations.**

See more

Starting today, developers using GitHub Enterprise Cloud (GHEC) and Free, Pro, and Teams accounts can enable their repositories and/or organizations to run Dependabot updates as an Actions workflow. With this change, the job that Dependabot runs to generate pull requests will run in GitHub Actions. This is the start of an effort to consolidate Dependabot’s compute platform to Actions, with further migration plans to be announced later.

Who can opt-in?

GHEC, Free, Pro, and Teams administrator users can enable Dependabot on Actions today.

What if I’m on Enterprise Server (GHES)?

GitHub Enterprise Server (GHES) and Proxima users already run Dependabot on Actions; no further steps are required to enable Dependabot on Actions for these users.

Why choose to run Dependabot as an Actions workflow today?

Enabling Dependabot on Actions will yield performance benefits like faster Dependabot runs and increased visibility into errors to manually detect and troubleshoot failed runs. Actions APIs and webhooks will also be able to detect failed runs and perform downstream processing should developers wish to configure this in their CI/CD pipelines. There will be no change or impact to the Dependabot functionality, and there will be no impact to billed Actions minutes (i.e. Dependabot runs are free).

Will this count towards Actions minutes or costs?

This does not count towards GitHub Actions minutes – meaning that using Dependabot continues to be free for everyone. Beginning today, using Dependabot as an Actions workflow is free for everyone and generally available on all repositories.

What’s the next migration phase for Dependabot on Actions?

Over the course of the next year, we are migrating all Dependabot workflows to run on Actions compute infrastructure. You can opt-in today to gain access to these benefits, but they’ll be coming soon to all repos without needing to opt-in as well. We’re excited for faster runs, increased troubleshooting visibility, and other future benefits running Dependabot on Actions will unlock. We’ll be in close contact with those organizations who own repositories with Actions disabled and Dependabot enabled as we kick off the compute infrastructure migration. If you have questions or concerns, please contribute to our community discusson or contact our support team.

How to enable Dependabot on Actions?

GHEC, Free, Pro, and Teams administrator users can enable Dependabot on Actions runners at either the repository or organization level from the Code security and analysis settings pages. For more information, see our documentation on enabling Dependabot on Actions runners.

When will Dependabot support self-hosted runners and larger GitHub-Hosted runners?

May 2024

When will VNETs be supported?

This work is still in progress; we don’t yet have an estimated date when these will be available.

Can I use Actions workflows and APIs to trigger Dependabot jobs?

Today, Dependabot jobs can only be triggered from the Dependabot UI, and not by Actions workflows or APIs.

If I see a Dependabot job fail in Actions, how can I restart it?

Check out our documentation on re-running a verison updates job or re-running a security updates job.

If I enable Dependabot on Actions, can I later opt-out?

At this time, you can opt out of enabling Dependabot on Actions. However, this ability will change within the next year as we consolidate Dependabot’s compute platform to Actions.

What if I don’t want to turn on Actions for my repository or organization? What happens if Actions is disabled in a repository but Dependabot is enabled to run on Actions?

During this opt-in phase of the compute infrastructure migration, if you enable Dependabot on Actions but disable Actions at the repository or organization level, Dependabot will run on the legacy compute infrastructure. Please enable Actions either in your Dependabot-enabled repository or across your organization if you wish to opt in to run Dependabot on Actions.

Read more about Dependabot on GitHub Actions runners.

Join the discussion within GitHub Community.

See more

Say goodbye to unwanted files cluttering your repos, like *.jar or *.so. And limit who can make updates to sensitive files like your Actions workflows with the public beta of push rules. 🎉

A glimpse of push rules in action

You can now enable a new type of ruleset that allows you to control pushes to repositories based on file extensions, file path lengths, file and folder paths and file sizes. Push rules don’t require any branch targeting as they apply to every push to the repository, and also apply to all forks of the repo to ensure all pushes to the repository network are protected.

Push rules are now available for private and internal repositories for GitHub Teams, and across organizations for GitHub Enterprise Cloud.

Learn more about push rules in our documentation and join the community discussion to leave feedback.

See more

The CodeQL for Visual Studio Code documentation is now on docs.github.com.

This migrates the content from https://codeql.github.com/docs/codeql-for-visual-studio-code and provides a consistent, single-site experience with improved text, descriptions, images, and navigation.

On May 8, 2024, we’ll begin automatically redirecting from the original codeql.github.com location to the new location.

The source files now exist in Markdown format in the public, open-source docs repository. If you would like to contribute, you can consult and follow the steps listed in the GitHub Docs contributing guide.

See more

GitHub Importer is a tool that quickly imports source code repositories, including commits and revision history, to GitHub.com. As part of this release, GitHub Importer has implemented a new method for git source migration that will provide users with improved reliability and more detailed error handling when migrating git source repositories to GitHub. Click here to import your project to GitHub.

As previously communicated, this change comes with the ending of support for the REST API endpoints for source imports. Moving forward, these endpoints will return an error. Users are encouraged to make use of the new import repository page instead.

Lastly, we previously announced that GitHub Importer will no longer support importing Mercurial, Subversion and Team Foundation Version Control (TFVC) repositories. Effective today, we’ve ended support for this functionality due to extremely low levels of usage. Moving from these alternative version control systems to Git is simple thanks to fantastic open source tools – for more details, read our Docs article, “Using the command line to import source code”.

See more

You can now add organisation-level CodeQL model packs to improve code scanning coverage for your GitHub organization. This ensures that custom libraries and frameworks are recognised by CodeQL.

In most cases, the out-of-the-box CodeQL threat models provide the best coverage for identifying potential vulnerabilities in your GitHub repositories using code scanning. The CodeQL team at GitHub keeps a close eye on the most widely-used open-source libraries and frameworks to ensure CodeQL recognizes untrusted data that enters an application. For cases which cannot be covered by default, such as custom-built or inner-sourced frameworks and libraries, you can create custom CodeQL model packs to help CodeQL detect additional security vulnerabilities in your code.

Configuring CodeQL model packs in the organisation code security and analysis settings

When you configure CodeQL model packs at scale, the packs will be used in every code scanning analysis that uses default setup in the organization. By default, code scanning will download the latest version of each model pack, meaning that the latest changes to the pack (such as adding information about new frameworks) will automatically be included. Alternatively, you can configure specific sets of CodeQL models to use by stating a specific version (or version range). For more information, see Editing your configuration of default setup in the GitHub documentation.

You can use the CodeQL model editor in VS Code to easily create custom CodeQL model packs for libraries and frameworks written in C# and Java/Kotlin. Custom CodeQL model packs are also supported for code written in JavaScript and Ruby and we will be adding support for these and other CodeQL-supported languages in the CodeQL model editor in the future.

This functionality is now available on GitHub.com and will be available in GitHub Enterprise Server 3.14.

See more

GitHub Enterprise Importer (GEI) has implemented a new process for migrating git source data, significantly improving GEI’s reliability when migrating large repositories up to 10 GB with complex git histories. The new git source migrator is now available for all customers using GEI.

The new git source migrator uses the updated IP addresses for GitHub Enterprise Importer announced in October 2023. If you’re using GitHub Enterprise Importer to run migrations and have IP allow lists enabled, you will need to add our new IP range. The IP allow lists that may need to be updated include:

  • The IP allow list on your destination GitHub.com organization or enterprise
  • If you’re running migrations from GitHub.com, the IP allow list on your source GitHub.com organization or enterprise
  • If you’re running migrations from a GitHub Enterprise Server, Bitbucket Server or Bitbucket Data Center instance, the allow list on your configured Azure Blob Storage or Amazon S3 storage account
  • If you’re running migrations from Azure DevOps, the allow list on your Azure DevOps organization

For a full list of our IP ranges and more information, see our documentation on configuring IP allow lists for migrations.

For additional information about GEI, please follow our documentation for using GitHub Enterprise Importer

See more

Secret scanning has recently expanded coverage to GitHub discussions and pull requests.

GitHub is now performing a backfill scan, which will detect any historically existing secrets found in GitHub discussions and pull request bodies or comments.

For repositories with secret scanning enabled, if a secret is detected in a discussion or pull request, you will receive a secret scanning alert for it. Public leaks detected in public GitHub discussion or pull requests will also be sent to providers participating in the secret scanning partnership program.

Sign up for a 60 minute feedback session on secret scanning and be compensated for your time.

Learn how to secure your repositories with secret scanning or become a secret scanning partner.

See more

From the 15th of May 2024 we will no longer support multiple labels on larger GitHub Hosted Runners.

In February 2023 we announced that customers could no longer add or manage additional labels on larger runners. Following on from this, we will now be fully deprecating support for multi-labels on larger runners. This means that jobs targeting more than one label or jobs targeting labels that do not match the runners name for GitHub Hosted Larger Runner, after May 15th, will no longer be able to pick up jobs.

We will be running a brown out on the 8th of May between 18:00 and 20:00 UTC, during this time multi label larger runner jobs will fail to start.

To prepare for this change and avoid any disruption, please ensure the runs-on: references only the runner name in your workflows prior to the dates above.

Join the discussion within GitHub Community.

Update 8th May: We did not run the brownout as planned today on May 8th. We apologize for any inconvenience. There will be additional details on the multi-label larger runners deprecation coming soon, with the future brownout date planned for June.

See more

Starting November 30, 2024, GitHub Actions customers will no longer be able to use v3 of actions/upload-artifact or actions/download-artifact. Customers should update workflows to begin using v4 of the artifact actions as soon as possible. While v4 of the artifact actions improves upload and download speeds by up to 98% and includes several new features, there are key differences from previous versions that may require updates to your workflows. Please see the documentation in the project repositories for guidance on how to migrate your workflows.

The deprecation of v3 will be similar to the previously announced v1 and v2 deprecation plans, which is scheduled to take place on June 30, 2024. Version tags will not be removed from the project repositories, however, attempting to use a version of the actions after the deprecation date will result in a workflow failure. Artifacts within their retention period will remain accessible from the UI or REST API regardless of the version used to upload. This deprecation will not impact any existing versions of GitHub Enterprise Server being used by customers.

This announcement will also be added to actions/upload-artifact and actions/download-artifact. Please visit the documentation to learn more about storing workflow data as artifacts in Actions.

See more

The StartRepositoryMigration GraphQL API endpoint will now require the sourceRepositoryUrl as an input field. While this is a breaking change to the StartRepositoryMigration GraphQL API schema, including this parameter was a de facto requirement already that will now be documented correctly. All StartRepositoryMigration GraphQL requests currently made without this input result in a failed migration. As such, this change should have minimal impact to those using the StartRepositoryMigration GraphQL API endpoint.

See more

GitHub secret scanning now supports validity checks for Google Cloud Platform (GCP) account credentials and Slack webhooks. This improvement involves changes to how account credentials for GCP are detected and alerted on.

What’s changing

Secret scanning alerts for Slack webhooks now support validity checks, in addition to previously supported Slack API tokens.

In addition, secret scanning now also alerts on complete GCP service account credential objects which include the fully matched private key, private key ID, and certificate URLs. These alerts support validity checks. As part of this change, you will no longer receive alerts for GCP private key IDs.

About validity checks

Validity checks indicate if the leaked credentials are active and could still be exploited. If you’ve previously enabled validation checks for a given repository, GitHub will now automatically check validity for alerts on supported token types.

Validity checks are available for repositories with GitHub Advanced Security on Enterprise Cloud. You can enable the feature at the enterprise, organization, or repository level from the “Code security and analysis” settings page by checking the option to “automatically verify if a secret is valid by sending it to the relevant partner.”

Share feedback

Sign up for a 60 minute feedback session on secret scanning and be compensated for your time.

Learn more about secret scanning or our supported patterns for validity checks.

See more

Enterprise owners of GitHub Enterprise Cloud with Enterprise Managed Users (EMUs) can now participate in a private beta introducing GitHub’s native IP allow list configuration to cover user namespaces. This feature will limit access to enterprise-managed user namespaces to the owning enterprise’s IP allow list. Access through the web UI, git protocol, and API are all filtered by the IP allow list. All credentials, including personal access tokens, app tokens, and SSH keys, are covered by this policy.

To enroll in this private beta and make this feature available for your enterprise, reach out to your GitHub Account Manager or contact our sales team.

See more