Security is a topic that can feel daunting at times, but it doesn’t have to. The security team at GitHub has been working to streamline the processes for discovering, reporting, and fixing common vulnerabilities through features such as GitHub Security Advisories, Dependency Graph, Dependabot Alerts, and Dependabot Security Updates. And, in July, we brought all of these supply chain security features to the Go community.
You can now set an expiration date on new or existing personal access tokens! GitHub will send you an email when it’s time to renew a token that’s about to expire. A new response header, (
GitHub-Authentication-Token-Expiration) indicates the expiration date, which you can use in scripts to (for example) log a warning message as the date approaches.
For anyone with an academic bent: If you add a
CITATION.cff file to your repository, GitHub will now parse your information into APA and BibTeX citation formatting that can be copied by academics who cite your work. Check out the documentation for how to add a
CITATION.cff file. We think it’s pretty cool!
New to GitHub.com? Welcome! We’ve redesigned the onboarding experience for new accounts.
In April, we shipped an update for GitHub Actions that required maintainers to approve Actions runs for first-time contributors. Based on user feedback, you can now configure this behavior at the repository, organization, or enterprise level.
Want to run Node.js projects faster on GitHub Actions? Enable dependency caching on the
setup-node supports caching from both npm and yarn package managers. If you’ve got questions, join us in the GitHub Support Community discussion.
- uses: actions/setup-node@v2 with: node-version: '14' cache: npm
Use a new beta feature to translate GitHub Discussions content into Korean, Brazilian Portuguese, and English. Click the overflow menu beside any discussion comment and you’ll see a link to translate it to your preferred language (based on the default language configuration of your web browser). Support for more languages coming soon. Be sure to leave feedback!
Creating or editing a release in a GitHub repository? We added a text-editing toolbar to the markdown editor! Show off your excitement with bold and italics, or learn more about managing releases in our documentation.
The CodeQL team had another busy month. If you are using CodeQL for your code scanning, here’s what happened in July:
- CodeQL package manager is now in public beta! CodeQL packages can contain CodeQL queries and CodeQL libraries. If you upload a pack to the package registry on GitHub.com, CodeQL will automatically fetch any required dependencies when running queries from the pack. See the Changelog entry for more functionality details.
- Your CodeQL security alerts now display severity levels:
low. CodeQL automatically calculates
security-severityand assigns an exact numerical score to each security query. The Changelog entry walks you through this scoring, plus how to view alerts and customize settings.
Speaking of code scanning, we’ve made some changes to how we display scan results. Your repository’s security view shows alerts for the default branch of your repository (under “Code scanning alerts”), but you can use the branch filter to display alerts on non-default branches, and we’ve extended the search syntax so that you can use a more simplified version of the previous queries.
A couple more security updates:
In June, security alert notifications became opt-in on a per-repository basis. Security alert digest emails will now respect these settings!
Maybe you haven’t joined GitHub Sponsors because you aren’t sure how to set up a business bank account or fiscal host for your organization? We’re happy to announce that organizations can now join GitHub Sponsors using a personal bank account, too!