Changelog

CodeQL 2.16.0 is now available to users of GitHub code scanning on github.com, and all new functionality will also be included in GHES 3.13. Users of GHES 3.12 or older can upgrade their CodeQL version.

Important changes in this release include:

In July 2023, we disabled automatic dependency installation for new CodeQL code scanning setups when analyzing Python code. With the release of CodeQL 2.16.0, we have disabled dependency installation for all existing configurations as well. This change should lead to a decrease in analysis time for projects that were installing dependencies during analysis, without any significant impact on results. A fallback environment variable flag is available to ease the transition, but will be removed in CodeQL 2.17.0. No action is required for Default setup users. Advanced setup users that had previously set the setup-python-dependencies option in their CodeQL code scanning workflows are encouraged to remove it, as it no longer has any effect.

We fixed a bug that could cause CodeQL to consume more memory than configured when using the --ram flag. If you have used this flag to manually override the memory allocation limit for CodeQL, you may be able to increase it slightly to more closely match the system’s available memory. No action is required for users of the CodeQL Action (on github.com or in GHES) who are not using this flag, as memory limits are calculated automatically.

We added 2 new C/C++ queries that detect pointer lifetime issues, and identify instances where the return value of scanf is not checked correctly. We added a new Java query that detects uses of weakly random values, which an attacker may be able to predict. Furthermore, we improved the precision and fixed potential false positives for several other queries.

The measure of scanning Go files in the code scanning UI now includes partially extracted files, as this more accurately reflects the source of extracted information even when parts of a file could not be analyzed. We will gradually roll this change out for all supported languages in the near future.

We fixed a bug that led to errors in build commands for Swift analyses on macOS that included the codesign tool.

For a full list of changes, please refer to the complete changelog for version 2.16.0 and 2.15.5.

Last month, we announced our plan to migrate from a strategy where student repositories are created from a template starter code repository to a strategy where student repositories are forked from the starter code repository.

Today, we are launching these changes as a Public Beta that you can opt into on a per-classroom basis. You may opt in your Classrooms by clicking the “Opt-in this classroom” button on the banner displayed at the top of the Dashboard of the Classroom you wish to opt in.

We anticipate generally rolling out these changes to all Classrooms on June 17, 2024.

This public beta allows us to enable one of our most-requested features from teachers: the ability to change starter code after an assignment has been accepted by students. Students will be able to sync their assignment repository with the upstream starter code, allowing teachers to correct starter code mistakes or add additional content after the assignment has gone live to students.

Because there are important differences between creating a repository from a template and forking a repository, there are important changes in behavior for both new and existing assignments in GitHub Classroom. We recommend reviewing the following new behaviors and making adjustments to your assignments if necessary.

Important Changes for Classrooms in the Public Beta

  • All new accepted assignments will be forks, including existing assignments that were created with a template repository. Existing assignment repositories will not be changed, so they will not be able to sync changes from upstream.
  • Starter code assignments cannot be empty. If you are using a starter code repository without any commits, students will not be able to accept your assignment. GitHub Classroom will enforce this requirement for new assignments, but you will need to manually create an initial commit to existing empty starter code repositories in order for students to accept assignments.
  • Starter code commits will no longer be automatically squashed in student repos. A new fork includes the entire commit history of the parent repository, while a repository created from a template starts with a single commit. This can affect teachers who may have assignment solutions in the commit history of the starter code. We recommend using Git on the command line or GitHub Desktop to squash commits of starter code repositories prior to distributing assignments to students if you previously had solutions filled in within the starter code.
  • In order to enable private assignments, your organization must allow forking private repositories. Forking private repositories is not enabled for organizations by default. See managing the forking policy for your organization for information on how to enable this. During the Public Beta, our team is exploring options for automating this step.
  • Student repository visibility will be inherited from the starter code repository. Forks of public repositories cannot be made private on GitHub. As a result, if you wish to use a public template repository as starter code for an assignment where student repositories should remain private, we recommend creating a new repository from the public template and setting it to private prior to using it as starter code in a GitHub Classroom assignment. During the Public Beta, our team is exploring options to automate this step.
  • Private repositories must be in the same organization as the Classroom in order to be used as starter code. If you wish to use a private repository as starter code for an assignment that is housed under your user account or in another organization, we recommend configuring it to be a template repository and creating a new private repository from the template in the same organization as the Classroom prior to using it as starter code in a GitHub Classroom assignment. During the Public Beta, our team is exploring options to automate this extra step.

Today's changelog brings you project status updates and an updated issues side panel in Projects!

🟢 Project status updates

You can now provide high level details on the status, timing, and progress of your project, directly from the project! This makes it easy to know and share with others how your work is progressing, any risks, and a history of when and why something changed, all in the same place where you're tracking your work.

You can access status updates from the Project details panel, where you can also add a short description or README with additional project information. Select Add update to give your project a Status, Start date, or Target date, along with additional details or mentioning another user or team. You can also edit, delete, or copy a link to a specific update to make it easy to share with others.

Once you add a status update to a project, you'll find it visible in the project header and the project index pages, so you can quickly find and access the high level details for all of your projects in a single place and drill in for more information.

For more details, check out the documentation.

🛝 Issues side panel in Projects

Projects has an updated issues side panel which matches the design of issues reached from a repository. In addition to providing a consistent experience, this update also means that issues accessed from a project have all timeline events and include any other projects the issue is a part of, making it easier to manage issues from either a project or a repository.

Bug fixes and improvements

  • Fixed a bug where labels were being unexpectedly changed on issues when adding them to a project
  • Improved the workflow name editing experience by providing a dialog
  • Improved keyboard focus and navigation on the Insights and Workflows pages

✍️ Tell us what you think!

Join the conversation in the community discussion to share your feedback.

See how to use GitHub for project planning with GitHub Issues, check out what's on the roadmap, and learn more in the documentation.

🌐 Upcoming deprecation of Copilot Chat API endpoints

Note: If you are using the latest version of the Copilot extension for Visual Studio or VS Code or you are using the Copilot plugin for JetBrains IDEs, you will not be impacted by this change.

As we announced in September, we updated the API service endpoints used by Copilot Chat. On February 1, 2024, we will deprecate the Copilot Chat API endpoints currently being routed through https://copilot-proxy.githubusercontent.com. Instead, these requests will go through https://api.githubcopilot.com. Versions 0.8.0 and later of the Copilot Chat extension for VS Code and versions 0.1.1817.27579 and later of the Copilot Chat extension for Visual Studio already route chat traffic through https://api.githubcopilot.com. All versions of the Copilot plugin for JetBrains IDEs already route chat traffic through https://api.githubcopilot.com.

To ensure Copilot Chat continues working from February 1, 2024, please update to the most recent version of the Copilot extension and ensure your firewall and network settings allow communication to https://api.githubcopilot.com.

⏫ Update on the Copilot Enterprise Waitlist

On January 19, 2024, we will close the Copilot Enterprise waitlist in anticipation of the general availability release of Copilot Enterprise.

Join the discussion within GitHub Community.

Following our previous communication dated November 8, 2023, regarding the temporary rollback of the Copilot content exclusions feature, we are pleased to announce the re-deployment of this feature with significant enhancements. The rollout will be progressive during the next 10 days as we monitor the behaviour.

With Content Exclusion, GitHub Copilot Business customers will be able to prevent specified files or repositories from being used to inform code completion suggestions made by GitHub Copilot. GitHub Copilot will not be available in excluded files. Organization administrators or repository owners can choose which files or repositories are excluded. Learn more.

Overview of the Issue

Our team observed a critical issue where clients were incorrectly blocked from using Copilot due to the initial implementation of content exclusions. This was primarily caused by errors in fetching content exclusion policies from the client, leading to a temporary suspension of the feature.

Actions Undertaken

In response to this, our engineering team undertook a comprehensive review and rectification process. The issues identified in the client's code were addressed, and additional verifications were implemented on both server and client sides to prevent recurrence.

New Enhancements in the Re-deployed Feature

  • Performance Update: We have optimized the performance of the content exclusions feature, ensuring minimal impact on the user experience.
  • Extended Coverage: The feature now supports all our official Integrated Development Environments: Visual Studio, JetBrains IDEs, Visual Studio Code, and Vim/Neovim.

Current Status

  • Users with pre-existing content exclusion configurations will experience no change.
  • New and returning users can now utilize the enhanced feature across all supported IDEs.

Next Steps

We are closely monitoring the performance and user feedback post-deployment. The support for Copilot Chat is also in progress and will be part of the General Availability.

Join the Discussion

We value your feedback and encourage you to participate in the discussion within the GitHub Community.

The Repository Actions Runners List is now generally available. With the Repository Actions Runners List you can view all available runners right within the Actions tab, without needing access to repository or organization settings.

The runner types listed include Standard GitHub-hosted, Larger GitHub-hosted, Self-hosted, and Scale-sets.

Benefits of using the Repository Actions Runners List:

  • Visibility into all GitHub Actions runners: Users with repo:write access can now view which runner options are available for use within a repository, without needing to contact a Repo admin or an Organization owner to find runner label names.
  • Faster access to runner labels: Conveniently view and copy labels for all runners, making it straightforward to identify the type of runner you need and use it in a workflow.

To access the Repository Actions Runners List:

  1. Navigate to the main page of the repository.
  2. Click the "Actions" tab under your repository name.
  3. Under the "Management" section in the left sidebar, click on "Runners".
  4. Explore available runners within a repository and copy runner labels to use them in YAML workflow files.

Note: Enterprise and Organization owners can also create new runners from this page from the "New runner" button.

This feature is available to users with:

  • Free and Pro Personal Accounts
  • Organizations on a Free Plan
  • Organizations on a Team Plan
  • Enterprises on a GitHub Enterprise Cloud plan (including Enterprise Managed Users)

Note: This feature is not available to users in Organizations on the GitHub Enterprise Server or Legacy plans.

If you have any feedback to help improve this experience, be sure to post it on our GitHub Community Discussion.

GitHub Codespaces recently promoted the current beta host image configuration to stable as part of our regular maintenance for our hosts. This change includes multiple minor version updates, as well as major version updates to the Docker engine and Docker Compose packages installed on the host. This will not impact most development container configurations.

For more details about the specific changes, see our documentation regarding host image configurations here.

If you have any issues, please contact support.

GitHub Mobile Code Search

Introducing Global Code Search on GitHub Mobile

Global code search is now available directly from the home screen on GitHub Mobile. This addition enables users to conveniently find code snippets, navigate repositories, and access content directly from the home screen.
With global code search, users can easily locate anything they need while on the go.

Download or update GitHub Mobile today from the Apple App Store or Google Play Store to get started.


Learn more about GitHub Mobile and share your feedback to help us improve.

On December 13, 2023, we released CodeQL Action v3, which runs on the Node.js 20 runtime. CodeQL Action v2 will be deprecated at the same time as GHES 3.11, which is currently scheduled for December 2024.

How does this affect me?

Default setup

Users of code scanning default setup do not need to take any action in order to automatically move to CodeQL Action v3.

Advanced setup

Users of code scanning advanced setup need to change their workflow files in order to start using CodeQL Action v3.

Users of GitHub.com and GitHub Enterprise Server 3.12 (and newer)

All users of GitHub code scanning (which by default uses the CodeQL analysis engine) on GitHub Actions on the following platforms should update their workflow files:

  • GitHub.com (including open source repositories, users of GitHub Teams and GitHub Enterprise Cloud)
  • GitHub Enterprise Server (GHES) 3.12 (and newer)

Users of the above-mentioned platforms should update their CodeQL workflow file(s) to refer to the new v3 version of the CodeQL Action. Note that the upcoming release of GitHub Enterprise Server 3.12 will ship with v3 of the CodeQL Action included.

Users of GitHub Enterprise Server 3.11

While GHES 3.11 does support Node 20 Actions, it does not ship with CodeQL Action v3. Users who want to migrate to v3 on GHES 3.11 should request that their system administrator enables GitHub Connect to download v3 onto GHES before updating their workflow files.

Users of GitHub Enterprise Server 3.10 (and older)

GHES 3.10 (and earlier) does not support running Actions using the Node 20 runtime and is therefore unable to run CodeQL Action v3. Please upgrade to a newer version of GitHub Enterprise Server prior to changing your CodeQL Action workflow files.

Exactly what do I need to change?

To upgrade to CodeQL Action v3, open your CodeQL workflow file(s) in the .github directory of your repository and look for references to:

  • github/codeql-action/init@v2
  • github/codeql-action/autobuild@v2
  • github/codeql-action/analyze@v2
  • github/codeql-action/upload-sarif@v2

These entries need to be replaced with their v3 equivalents:

  • github/codeql-action/init@v3
  • github/codeql-action/autobuild@v3
  • github/codeql-action/analyze@v3
  • github/codeql-action/upload-sarif@v3
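
As an added example (not GitHub's own tooling), the following Python script applies the replacement above to the YAML files under .github: it rewrites only exact @v2 references and reports any other pin, such as a commit SHA, for manual review. The function names, the sample workflow and the SHA pin are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Matches the four sub-actions listed in the changelog post and captures the
# ref after "@" up to whitespace, a quote or the start of a YAML comment.
USES_RE = re.compile(
    r"(github/codeql-action/(?:init|autobuild|analyze|upload-sarif))@([^\s'\"#]+)"
)

# Constructed sample workflow: two plain @v2 refs, one SHA pin (made up),
# and one ref that is already on v3.
SAMPLE_WORKFLOW = """\
name: CodeQL
on: [push]
jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v2
        with:
          languages: java
      - uses: github/codeql-action/autobuild@v2
      - uses: github/codeql-action/analyze@0123456789abcdef0123456789abcdef01234567  # constructed SHA pin
      - uses: github/codeql-action/upload-sarif@v3
"""


def migrate_text(text):
    """Rewrite exact @v2 refs to @v3.

    Returns (new_text, rewritten, manual): `rewritten` lists the actions that
    were changed, `manual` lists refs that are neither v2 nor v3 (SHA or
    release pins, branches) and need a human decision.
    """
    rewritten, manual = [], []

    def repl(match):
        action, ref = match.group(1), match.group(2)
        if ref == "v2":
            rewritten.append(action)
            return action + "@v3"
        if ref == "v3" or ref.startswith("v3."):
            return match.group(0)  # already migrated
        manual.append(match.group(0))
        return match.group(0)  # leave pinned refs untouched

    return USES_RE.sub(repl, text), rewritten, manual


def migrate_repo(root, write=False):
    """Scan every .yml/.yaml file under <root>/.github; optionally write changes."""
    root = Path(root)
    report = {}
    github_dir = root / ".github"
    if not github_dir.is_dir():
        return report
    for path in sorted(github_dir.rglob("*")):
        if not path.is_file() or path.suffix not in (".yml", ".yaml"):
            continue
        text = path.read_text(encoding="utf-8")
        new_text, rewritten, manual = migrate_text(text)
        if rewritten or manual:
            report[path.relative_to(root).as_posix()] = {
                "rewritten": len(rewritten),
                "manual": manual,
            }
        if write and new_text != text:
            path.write_text(new_text, encoding="utf-8")
    return report


def demo():
    """Run the migration against the constructed workflow in a temp repository."""
    with tempfile.TemporaryDirectory() as tmp:
        workflow = Path(tmp) / ".github" / "workflows" / "codeql.yml"
        workflow.parent.mkdir(parents=True)
        workflow.write_text(SAMPLE_WORKFLOW, encoding="utf-8")
        report = migrate_repo(tmp, write=True)
        return report, workflow.read_text(encoding="utf-8")


if __name__ == "__main__":
    report, migrated = demo()
    print(report)
    print(migrated)
```

Run it with write=False first to review the report; on GHES 3.10 and older the rewrite should wait until the server has been upgraded, as described above.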

Can I use Dependabot to help me with this upgrade?

Yes, you can! For more details on how to configure Dependabot to automatically upgrade your Actions dependencies, please see this page.

What happens in December 2024?

In December 2024, CodeQL Action v2 will be officially deprecated (at the same time as the GHES 3.11 deprecation). At that point, no new updates will be made to CodeQL Action v2, which means that new CodeQL analysis capabilities will only be available to users of CodeQL Action v3. We will keep a close eye on the migration progress across GitHub. If many workflow files still refer to CodeQL Action v2, we might consider scheduling one or more brownout moments later in the year to increase awareness.

GitHub Copilot Chat now generally available for organizations and individuals

Recently, we announced that GitHub Copilot Chat in IDEs is now generally available for both Visual Studio Code and Visual Studio, and is included in all GitHub Copilot plans alongside the original GitHub Copilot productivity boosting code completion capabilities. It is also available at no cost to verified teachers, students, and maintainers of popular open source projects. As of now, GitHub Copilot Chat is still in private beta for JetBrains IDEs.

If you’ve been using Copilot Chat in public beta or have already provided access to your development team, no additional actions are required. There’s also no need to install any additional extensions; the Copilot Chat extension is bundled together with the Copilot extension.

Enterprise and organization administrators can grant their development teams access to Copilot Chat by enabling the Copilot Chat setting for their users.

Please check out our guide for getting started with Copilot chat.

Looking forward to hearing about how you’re putting it to use!

Join the discussion within GitHub Community.


The new year brings new features and improvements for Copilot Enterprise! 🎆 These changes are focused on streamlined onboarding and ease of use.

As a reminder, Copilot Enterprise is currently in limited public beta. Enterprises can request access by signing up to the waitlist.

Semantic search can be enabled on any repository

Developers in an enterprise with access to Copilot Enterprise can now enable semantic search on a repository through the click of a button. Once a repository is indexed, Copilot has a much improved understanding of the code base in that repository and can answer questions via Copilot Chat in GitHub.com.

Create docsets to access your company’s critical knowledge

Organizations with documentation hosted in GitHub repos and written in Markdown (.md, .mdx) can now create “docsets” and enable developers in those organizations to access that critical knowledge via Copilot Chat in GitHub.com.

To get started, admins can create a docset, including the repositories that contain Markdown documentation.

Members of the corresponding organization can start to ask questions about the documentation by selecting the docset from Copilot’s “New conversation” UI in GitHub.com.

An organization can have multiple docsets – so, for example, an admin could create a docset for each team with the repositories that are relevant to them.

Introducing Copilot chat for pull request diffs

Developers are now able to ask Copilot Chat questions about diffs on GitHub.com. To see this in action, simply navigate to a diff and use one of the following two entry points:

  1. Select some of the lines in the diff, and click on the icon on the right. You can click “Explain” to ask Copilot to explain those lines.
  2. You can also ask Copilot to chat about an entire file in the diff by clicking on the three dots at the top-right of the file in the diff. Click on “Ask Copilot about this diff” to start chatting about it.

Improved onboarding and discoverability

  • Enterprise admins now have access to improved onboarding as they enable Copilot Enterprise within their enterprise.
  • GitHub Copilot on GitHub.com can now be accessed via the search bar.

The min attribute in Action-Runner-Controller is now updated to enhance system responsiveness and efficiency. Previously, the min attribute was focused on determining the minimum number of runners that the system could scale down to during periods of inactivity. This meant that when there were few to no jobs running, the system would maintain this minimum number of runners, which could be either active or idle.

The new behavior of the min attribute shifts focus to maintaining a minimum number of idle runners at all times. This means that even when there are many jobs in progress, the system will ensure that a certain number of runners are always idle and ready to immediately take on new jobs. This change allows for smoother handling of incoming jobs, reducing wait times and improving overall job processing efficiency.

About a month ago we announced that GitHub's Support Portal will soon require login.

Starting today, you will need to be signed-in to your GitHub account to access our Support portal. If you already have a GitHub account, please sign in as usual when accessing the Support Portal. If you don't have an account or are unable to sign in, we'll guide you through a simple email verification process.

We're excited about this change and confident that it will make your experience with GitHub Support more secure and personalized.

GitHub secret scanning protects users by searching repositories for known types of secrets such as tokens and private keys. By identifying and flagging these secrets, our scans help prevent data leaks and fraud.

We have partnered with Canva to scan for their tokens to help secure our mutual users in public repositories. Canva tokens enable users to perform authentication for their Canva Connect API integrations. GitHub will forward any exposed tokens found in public repositories to Canva, who will then rotate the token and notify the user about the leaked token. Read more information about Canva tokens.

GitHub Advanced Security customers can also scan for and block Canva tokens in their private repositories.

GitHub Codespaces will promote the current beta host image configuration to stable on 16 January as part of regular maintenance for hosts. This change includes major version updates to the Docker engine and Docker Compose packages installed on the host as well as several minor version updates. These changes should not impact development container configurations.

If your dev container depends on Docker Compose, please test the beta image to ensure that your dev container does not require changes. For more details about the specific changes, see our documentation regarding host image configurations here. You can test the beta host configuration with your own codespaces by selecting the beta host image in your personal settings.

Use CodeQL threat model settings for Java (beta) to adapt CodeQL's code scanning analysis to detect the most relevant security vulnerabilities in your code.

No two codebases are the same and each is subject to different security risks and threats. Such risks and threats can be captured in a codebase's threat model which, in turn, depends on how the code has been designed and will be deployed. To understand the threat model you need to know what type of data is untrusted and poses a threat to the codebase. Additionally, you need to know how that untrusted (or tainted) data interacts with the application. For example, one codebase might only consider data from remote network requests to be untrusted, whereas another might also consider data from local files to be tainted.

CodeQL can perform security analysis on all such codebases, but it needs to have the right context. It needs the threat model in order to behave slightly differently on different codebases. That way, CodeQL can include (or exclude) the appropriate sources of tainted data during its analysis, and flag up the most relevant security vulnerabilities to developers who work on the code.

CodeQL's default threat model works for the vast majority of codebases. It considers data from remote sources (such as HTTP requests) as tainted. Using new CodeQL threat model settings for Java, you can now optionally mark local sources of data as tainted. This includes data from local files, command-line arguments, environment variables, and databases. You can enable the local threat model option in code scanning to help security teams and developers uncover and fix more potential security vulnerabilities in their code.

CodeQL threat model settings can be configured in repositories running code scanning with CodeQL via default setup in the GitHub UI. Alternatively, you can specify it through advanced setup (in an Actions workflow file).

If your repository is running code scanning default setup on Java code, go to the Code security and analysis settings and click Edit configuration under Code scanning default setup. Here, you can change the threat model to Remote and local sources. For more information, see the documentation on including local sources of tainted data in default setup.

If your repository is running code scanning advanced setup on Java code, you can customize the CodeQL threat model by editing the code scanning workflow file. For more information, see the documentation on extending CodeQL coverage with threat models. If you run the CodeQL CLI on the command line or in third party CI/CD, you can specify a --threat-model when running a code scanning analysis. For more information, see the CodeQL CLI documentation.

CodeQL threat model settings (beta) in code scanning default setup is available on GitHub.com for repositories containing Java code. It will be shipped in GitHub Enterprise Server 3.13.

The public beta Activity Overview of Organization Insights for GitHub Enterprise Cloud will be deprecated on January 5, 2024. Since its initial beta launch in 2019, the amount of data calculation and storage required for these views has proven untenable in its current format and the underlying service will be taken offline later in January. Metrics-specific integrations such as Cauldron are available to read, store, and visualize your organization’s data via the GitHub API, as well as more general-purpose data visualization platforms such as PowerBI or Grafana. The Dependency Insights feature will not be impacted.

Code scanning default setup is now available for self-hosted runners on GitHub.com. To use default setup for code scanning, assign the code-scanning label to your runner. Default setup now uses actions/github-script instead of the GH CLI. If your organization has a policy which limits GitHub Actions you will need to allow this action in your policy.

Code scanning sees assigned runners when default setup is enabled. As a result, if a runner is assigned to a repository which is already running default setup, you must disable and re-enable default setup to initiate using the runner.

Larger runners are in beta support, with the limitations that you can only define one single larger runner at the org level with the label code-scanning, and Swift analysis is not supported.

For more information, see “Using labels with self-hosted runners.”

This is now available on GitHub.com. Self-Hosted runners for default setup are already supported from GitHub Enterprise Server 3.9.
