Changelog

Subscribe to all Changelog posts via RSS or follow GitHub Changelog on Twitter to stay updated on everything we ship.

~ cd github-changelog
~/github-changelog|main git log main
showing all changes successfully

Secret scanning AI-generated custom patterns (public beta)

Secret scanning now helps you more easily define custom patterns with GitHub Copilot.

As of today, you can leverage AI to generate custom patterns without expert knowledge of regular expressions.

Generate a secret scanning custom pattern with AI

What’s changing?

You can create your own custom detectors for secret scanning by using custom patterns. Formatted as regular expressions, these custom patterns can be challenging to write. Secret scanning now supports a pattern generator backed by GitHub Copilot in order to generate regular expressions that match your input.

How do I use the regular expression generator?

When defining a custom pattern, you can select “generate with AI” in order to launch the regular expression generator.

The model returns up to three regular expressions for you to review. You can click on the regular expression to get an AI-generated plain language description of the regular expression. You should still review this input and carefully validate performance of results by performing a dry run across your organization or repository.

Who can use the regular expression generator?

Anyone able to define custom patterns is able to use the regular expression generator. This feature is shipping to public beta today for all GitHub Enterprise Cloud customers with GitHub Advanced Security.

Learn more about the regular expression generator or how to define your own custom patterns.

See more

Secret scanning and push protection are enabled by default on new public repositories

All new public repositories owned by personal accounts will now have secret scanning and push protection enabled by default. Pushes to the repository that include known secrets will be blocked by push protection, and any known secrets that are detected in the repository will generate a secret scanning alert. Secret scanning and push protection can be disabled by the repository administrator after the repository is created.

Existing public repositories are not affected, nor are new public repositories that belong to an organization.

See more

GitHub Copilot Chat General Availability in JetBrains IDE

GitHub Copilot Chat in JetBrains IDEs is now generally available

Following our Private Beta, we are thrilled to announce Copilot Chat in JetBrains IDEs is now generally available (GA) for all our Copilot Individual, Business, and Enterprise customers.

Driven by GPT-4, GitHub Copilot Chat provides instant guidance directly within various JetBrains IDEs, such as PyCharm, IntelliJ IDEA, WebStorm, Rider, and more. This contextually-aware tool tailors suggestions to your specific coding tasks and even allows explicitly adding files for reference. It empowers developers to innovate efficiently by assisting with complex concepts, code explanations, unit testing, and many more use cases, all while effortlessly adjusting to your preferred language style.

How to get started?

If you were already using Private Beta:
– No further action is required. You can continue using the chat feature as usual.

If you haven’t enabled Chat and want to use GitHub Copilot Chat in JetBrains IDEs

  • Copilot Individual users: You automatically have access to the chat within JetBrains IDEs.
  • Copilot Business and Enterprise users: Your organization admins will need to grant you access to Copilot chat in IDEs. Once you have access, please consult our getting started guide

How to give us your feedback?

We are dedicated to continuous improvement and innovation. Your feedback remains a crucial part of our development process, and we look forward to hearing more about your experiences with GitHub Copilot Chat for JetBrains IDEs. Please use this link to share your feedback or ideas on how to improve the product.

Join the discussion within GitHub Community.

See more

GitHub Actions; All Actions will run on Node20 instead of Node16 by default

Node16 has been out of support since September 2023. As a result we have started the deprecation process of Node16 for GitHub Actions. We plan to migrate all actions to run on Node20 by Spring 2024.
Following on from our warning in workflows using Node16 we will start enforcing the use of Node20 rather than Node16 on the 3rd of June.

If you would like to test this ahead of timer, you can choose to set
FORCE_JAVASCRIPT_ACTIONS_TO_NODE20=true
as an ‘env’ in their workflow or as an environment variable on your runner machine to force the use of Node20 now.

To opt out of this and continue using Node16 while it is still available in the runner, you can choose to set ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION=true
as an ‘env’ in their workflow or as an environment variable on your runner machine. This will only work until we upgrade the runner removing Node16 later in the spring.

Removal of Operating System support for non-Node20 OS versions

To support this change, we will be removing the Action runner support for the following operating systems which do not have official support for Node20:
– Red Hat Enterprise Linux 7
– CentOS 7
– Oracle Linux 7
– Debian 9
– Ubuntu 16.04
– Linux Mint 18
– openSUSE 15
– SUSE Enterprise Linux (SLES) 12 SP2
– Windows 7 64-bit
– Windows 8.1 64-bit

To find out more about our currently supported OS versions, please read our public docs

What you need to do

For Actions maintainers: Update your actions to run on Node20 instead of Node16 (Actions configuration settings)
For Actions users: Update your workflows with latest versions of the actions which runs on Node20 (Using versions for Actions)

See more

GitHub Support Portal redesign: Toward a more personalized future

We’re excited to announce the launch of our redesigned Support Portal! Our aim is to enhance your support experience, and we’ve tailored the portal with your needs in mind.

The redesign focuses on increased user-friendliness, accessibility, and intuitive navigation, enabling us to provide you with more personalized content. This ensures you can quickly and easily find the answers you’re looking for.

Whether you have a question, an issue, or a suggestion, our Support Portal is designed to help you get the most out of our products and services.

Explore the new look at https://support.github.com and share your feedback with us!

transition between the old support portal to new

See more

Group Configuration Options for Dependabot Security Updates – Public Beta

Dependabot security updates help you keep your dependencies secure by opening pull requests when a Dependabot alert is raised. With today’s release, you can now use flexible grouping options in dependabot.yml to control how Dependabot structures its security pull requests to make them more mergeable for you based on your context. Whether you’d like to simply update as many dependencies at once as possible (patterns: '*') or minimize the risk of breaking changes (dependency-type: development or update-types: "patch"), there are grouping options for you.

By specifying applies-to: security-updates in your group rule configuration, you can specify how you would like Dependabot to group your security updates. If you would like Dependabot to group together all possible updates for an ecosystem, you can instead use the UI located in your repository settings to do so. To learn more about this, check out our documentation here.

The available grouping options are:

  • patterns, which will match based on package names
  • dependency-type, which will group based on development or production dependencies, for ecosystems where this is supported, and
  • update-types, which will group based on SemVer level update

Learn more about grouping configuration options here.

See more

Actions Fine Grained Permissions

We’ve enhanced Custom Organization Roles by adding fine-grained permissions for GitHub Actions. Now, with Enterprise Cloud plans, organization owners can assign members and teams specific permissions for managing various aspects of Actions, including:

  • Actions general settings
  • Organization runners and runner groups
  • Actions secrets
  • Actions variables

These additional settings allow organization owners to delegate CI/CD automation management responsibilities to individuals or teams without granting access to any other organization owner privileges.

Please refer to our documentation for more detail about GitHub Actions fine grained permissions with Custom Organization Roles.

See more

The GitHub Enterprise Server 3.12 is generally available

GitHub Enterprise Server 3.12 is generally available

GitHub Enterprise Server 3.12 is now generally available and gives customers more fine-grained control over deployment requirements, as well as enhanced security controls. Here are a few highlights:

  • Restrict your deployment rollouts to select tag patterns in Actions Environments.
  • Enforce which Actions workflows must pass with organization-wide repository rulesets.
  • Scale your security strategy with Dependabot Alert Rules. This public beta allows customers to choose how to respond to Dependabot alerts automatically by setting up custom auto-triage rules in their repository or organization.
  • Automate pull request merges using Merge Queues. Previously developers needed to manually update their pull requests prior to merging, to ensure their changes wouldn’t break the main branch. These updates would initiate a round of continuous integration checks that needed to pass before a pull request could be merged. But with merge queues, this process is automated by ensuring each pull request queued for merging is tested with other pull requests queued ahead of it.
  • Enhance the security of your code with a public beta of Secret Scanning for non-provider patterns, and an update to Code Scanning’s default setup to support all CodeQL languages.
  • GitHub Project templates are available at the organization level, allowing customers to share out and learn best practices in how to set up and use projects to plan and track their work.
  • Updated global navigation to make using and finding information better, as well as improve accessibility and performance.
  • Highlight text in markdown files with accessibility aspects in mind with the alerts markdown extension, which gives you five levels to use (note, tip, important, warning, and caution).

Read more about GitHub Enterprise Server 3.12 in the release notes,
or download it now.
If you have any feedback or questions, please contact our Support team.

See more

CodeQL 2.16.3: AI-powered autofixes for Python, updated queries, and security fixes

CodeQL is the static analysis engine that powers GitHub code scanning. CodeQL version 2.16.3 has been released and has now been rolled out to code scanning users on GitHub.com.

Important changes in this release include:

  • CodeQL code scanning now supports AI-powered automatic fix suggestions for Python alerts on pull requests. This is automatically enabled for all current autofix preview participants.
  • A new option has been added to the Python extractor: python_executable_name. This allows you to select a non-default Python executable installed on the system running the scan (e.g. py.exe on Windows machines).
  • A fix for CVE-2024-25129, a low-severity data exfiltration vulnerability that could be triggered by processing untrusted databases or CodeQL packs.
  • Two new queries:
  • The sinks of queries java/path-injection and java/path-injection-local have been reworked to reduce the number of false positives.

For a full list of changes, please refer to the complete changelog for version 2.16.3. All new functionality will also be included in GHES 3.13. Users of GHES 3.12 or older can upgrade their CodeQL version.

See more

Push protection is enabled for free users on GitHub

We’ve started the rollout for enabling push protection on all free user accounts on GitHub. This automatically protects you from accidentally committing secrets to public repositories, regardless of whether the repository itself has secret scanning enabled.

If a secret is detected in any push to a public repository, your push will be blocked. You will have the option to remove the secret from your commits or, if you deem the secret safe, bypass the block.

It might take a week or two for this change to apply to your account; you can verify status and opt-in early in your code security and analysis settings. Once enabled, you also have the option to opt-out. Disabling push protection may cause secrets to be accidentally leaked.

See more

Enterprise READMEs

Enterprise accounts now have a new root navigational experience, landing all users on an Enterprise Overview. Within this new page, GitHub Enterprise owners can create a README for their enterprise, which will be visible internally to all enterprise members. The Organization page still exists and can be found within the left-hand navigation of the enterprise account. This new experience is available on GitHub.com today and will be included in GitHub Enterprise Server 3.13.

To learn more, read our documentation on creating a README for an enterprise. To provide feedback about what you’d like to see on this new page, you may do so at anytime by clicking Give Feedback on the right-hand side of the new overview page, above the README.

See more

Copilot – February 27th update

⏫ Copilot Code Completion model updated with more improvements

We’re excited to announce a new update to the model powering Copilot Code Completion across all IDEs! This update includes improved instruction following and performance improvement for our users. Here are the details:

  • Improved instruction following: Copilot can better understand and follow instructions given by the user. This means that Copilot is now better at generating code that matches the user’s intent and requirements.
  • Performance improvement: Finally, this model update includes a performance improvement for Copilot users. While this may not be noticeable in all cases, it can help make Copilot even faster and more efficient for certain tasks.
See more

Repository Rules – configure merge queue rule – public beta

Configuring merge queue in your repo rulesets is now available in public beta!

Screenshot showing the configuration of merge queue inside a ruleset

Merge queue & rule insights

Until now, rule insights would only list one pull request as merged even when multiple pull requests were merged by the queue at the same time. Also in this beta, each pull request in a merge queue will have an individual record in rule insights, linked to the actor that added the pull request to the merge queue.

Example screenshot showing rules insights and all PRs from a queue

Within the additional data of a rule insight dialog you can now see all the pull requests that merged in the same group along with the checks needed for the queue.

Example screenshot of details of a queue in rule insights

Limitations

  • The merge queue rule cannot be configured via an API. This feature will be available in the near future.
  • Merge Queue for branch protections and repository rules do not support wildcard patterns
  • Not supported in organization rulesets.
  • Multiple merge queues configured against a single branch will prevent merging.

Join the discussion within GitHub Community.

See more

GitHub Copilot Enterprise is now generally available

GitHub Copilot Enterprise is now generally available

GitHub Copilot Enterprise, our most advanced AI offering to date, is now generally available. With GitHub Copilot Enterprise, you can:

  • Gain a deeper understanding of your organization’s unique codebase: Copilot Chat in GitHub.com understands your code and streamlines code navigation and comprehension for developers.
  • Quickly access organizational knowledge and best practices: By letting developers attach knowledge bases (formerly known as docsets) to conversations, Copilot Chat in GitHub.com can answer questions based on your Markdown documentation stored on GitHub.
  • Review pull requests faster: With pull request summaries generated by GitHub Copilot and the ability to chat about changes in a pull request, reviewers can get up to speed on a pull request quickly and spend more time providing valuable feedback.

Following on from our limited public beta, we are bringing the following improvements to GitHub Copilot Enterprise today to make Copilot even smarter:

  • GitHub Copilot can now search Bing within chat conversations in GitHub.com to answer questions and find information outside of its general knowledge or your codebase (public beta).
  • You can now access your knowledge bases (formerly known as docsets) from any Copilot Chat conversation in GitHub.com with the “Attach knowledge” button. Organization owners can create knowledge bases from an organization’s settings.
  • GitHub Copilot knows about code as you browse, so you no longer have to be explicit about exactly what file, symbol or snippet you want to chat about.

Example conversation demonstrating how GitHub Copilot can access the code you are currently looking at

  • GitHub Copilot generates pull request summaries that are now more structured, with a “Summary” section that gives a high-level overview, and an “Outline” section that walks through the code.
  • GitHub Copilot can now analyze and explain any pull request diff, making it easier for pull request reviewers to understand changes and share great feedback.

Example conversation demonstrating how GitHub Copilot can explain and improve pull request diffs

Ready to give Copilot Chat in GitHub.com a try? Here are some suggested prompts to get you started:

  • Ask a question about recent events to trigger a Bing search: What updates were there in Node.js v20?
  • Open GitHub Copilot Chat on a repository and ask a question about the repository: Where is the turnOn function defined?
  • Open a file on GitHub.com and ask a question about that file: Draft unit test cases for each of the functions in the file I’m currently viewing
See more

Secret scanning supports user namespace repositories for Enterprise Managed Users

Enterprise Managed Users can now enable secret scanning on their user namespace repositories. Owners of user repositories will receive secret scanning alerts when a supported secret is detected in their repository. User namespace repositories can also enable push protection.

In the enterprise level list of secret scanning alerts, enterprise owners can view all secrets detected in user namespace repositories. Enterprise owners can temporarily access user namespace repositories to view the secret details.

User namespace repositories are included in the security risk and coverage pages.

Secret scanning will also be supported on Enterprise Server personal repositories starting on GHES 3.13.

See more

New limits on scoped token creation for GitHub Apps

As a proactive measure to protect Github.com availability, GitHub Apps that attempt to create high-complexity scoped installation tokens will receive failures if they would individually reference too many repositories. At the time of release, no GitHub App is above these limits – the limit is approximately 8 times higher than what any app is consuming. See below for details on how complexity is calculated.

Scoped tokens allow a GitHub App to create an installation token that has just a subset of the privileges that the app has within an organization – both a reduced set of repositories, as well as permissions.
In this way, an application with many permissions and access to many repositories can still safely request a token that’s good for just the access that’s currently required, a useful least-privilege feature.

When requesting a scoped token, applications can indicate both the permissions and repositories that are desired. Both parameters are optional, and if either is omitted the full corresponding access will be given to the token, either all granted permissions or all accessible repositories.

The first limit being added is when the repositories are included in the token request – now, no more than 500 individual repositories can be listed.

The second limit is if the repositories are not listed but permissions are, and the application is installed on some repositories in the organization – as in, it has not been explicitly granted access to all repositories in the organization.
In that case, the limit is based on the number of permissions being requested and the number of repositories the application has access to. If the complexity limit is exceeded, the application will recieve an error: Too many repositories for installation, and provides the maximum number of repositories the application can have access to in order to succeed, as well as other options to reduce the complexity of your token, which are provided here as well.

To reduce the complexity of your token request, you can do one of the following:
1. Reduce the number of repositories that the application has access to in the organization.
2. Reduce the number of permissions requested for the token.
3. Set the application to have access to “all” of the organization’s repositories.
4. Not request a scoped token at all, and instead request a standard installation token.

Any of these options will reduce the complexity of the token and allow the application to fetch tokens for that organization once again.

To learn more about GitHub App scoped token issuance and installation, see our documentation:

  • “Generating an installation access token for a GitHub App”
  • “Reviewing and modifying installed GitHub Apps”
  • REST API: “Create an installation access token for an app”
    • See more

    CodeQL 2.16.2: New Android queries and improved precision

    CodeQL 2.16.2 is now available to users of GitHub code scanning on github.com, and all new functionality will also be included in GHES 3.13. Users of GHES 3.12 or older can upgrade their CodeQL version.

    Important changes in this release include:

    We added two new Java / Android queries (java/android/sensitive-text and java/android/sensitive-notification) to detect sensitive data exposure via text fields and notifications.

    We have improved the precision of several C/C++ queries.

    We now recognize collection expressions introduced in C# 12 (e.g. [1, y, 4, .. x]).

    For a full list of changes, please refer to the complete changelog for version 2.16.2

    See more
    View more changes