What was big in July?

Security is a topic that can feel daunting at times, but it doesn’t have to. The security team at GitHub has been working to streamline the processes for discovering, reporting, and fixing common vulnerabilities through features such as GitHub Security Advisories, Dependency Graph, Dependabot Alerts, and Dependabot Security Updates. And, in July, we brought all of these supply chain security features to the Go community.

screenshot of GitHub Advisory Database, which now includes Go

Literally everything we shipped

General updates

You can now set an expiration date on new or existing personal access tokens! GitHub will send you an email when it’s time to renew a token that’s about to expire. A new response header, (GitHub-Authentication-Token-Expiration) indicates the expiration date, which you can use in scripts to (for example) log a warning message as the date approaches.

For anyone with an academic bent: If you add a CITATION.cff file to your repository, GitHub will now parse your information into APA and BibTeX citation formatting that can be copied by academics who cite your work. Check out the documentation for how to add a CITATION.cff file. We think it’s pretty cool!

New to GitHub.com? Welcome! We’ve redesigned the onboarding experience for new accounts.

GitHub Actions

In April, we shipped an update for GitHub Actions that required maintainers to approve Actions runs for first-time contributors. Based on user feedback, you can now configure this behavior at the repository, organization, or enterprise level.

Screenshot of new settings for maintainers

Want to run Node.js projects faster on GitHub Actions? Enable dependency caching on the setup-node action! setup-node supports caching from both npm and yarn package managers. If you’ve got questions, join us in the GitHub Support Community discussion.

- uses: actions/setup-node@v2
  with:
    node-version: '14'
    cache: npm

GitHub Discussions

Use a new beta feature to translate GitHub Discussions content into Korean, Brazilian Portuguese, and English. Click the overflow menu beside any discussion comment and you’ll see a link to translate it to your preferred language (based on the default language configuration of your web browser). Support for more languages coming soon. Be sure to leave feedback!

screenshot of option to translate a Discussion to Brazilian Portuguese

GitHub Releases

Creating or editing a release in a GitHub repository? We added a text-editing toolbar to the markdown editor! Show off your excitement with bold and italics, or learn more about managing releases in our documentation.

Screenshot of text editing toolbar

GitHub Security

The CodeQL team had another busy month. If you are using CodeQL for your code scanning, here’s what happened in July:

  • CodeQL package manager is now in public beta! CodeQL packages can contain CodeQL queries and CodeQL libraries. If you upload a pack to the package registry on GitHub.com, CodeQL will automatically fetch any required dependencies when running queries from the pack. See the Changelog entry for more functionality details.
  • Your CodeQL security alerts now display severity levels: critical, high, medium, or low. CodeQL automatically calculates security-severity and assigns an exact numerical score to each security query. The Changelog entry walks you through this scoring, plus how to view alerts and customize settings. Screenshot of CodeQL results with severity levels
  • We’ve improved the depth of CodeQL’s analysis by adding support for more libraries and frameworks and increasing the coverage of our existing library and framework models for several languages (C++, JavaScript, Python, and Java). See the full list of additions.

Speaking of code scanning, we’ve made some changes to how we display scan results. Your repository’s security view shows alerts for the default branch of your repository (under “Code scanning alerts”), but you can use the branch filter to display alerts on non-default branches, and we’ve extended the search syntax so that you can use a more simplified version of the previous queries.

Screenshot of alerts with branch filtering

A couple more security updates:

We’re happy to welcome Linear and Ionic as GitHub secret scanning integrators. We now scan for their developer tokens! Learn more about secret scanning or about joining our partner program.

In June, security alert notifications became opt-in on a per-repository basis. Security alert digest emails will now respect these settings!

Screenshot of a security alert digest

GitHub Sponsors

If you have a GitHub Sponsors profile, you can now set custom donation amounts as an option both for recurring sponsorships and for one-time sponsorships.

GIF showing "custom one-time amount" and "custom recurring amount" options

Maybe you haven’t joined GitHub Sponsors because you aren’t sure how to set up a business bank account or fiscal host for your organization? We’re happy to announce that organizations can now join GitHub Sponsors using a personal bank account, too!

Take a look at our public roadmap for what’s coming next, follow GitHub Changelog on Twitter, and check back on the GitHub Blog for another recap next month.

Tags: