Changelog

Subscribe to all Changelog posts via RSS or follow GitHub Changelog on Twitter to stay updated on everything we ship.

~ cd github-changelog
~/github-changelog|main git log main
showing all changes successfully

Packages: Fine-grained permissions and organization-level publishing are now available for the GitHub Packages NuGet registry

The GitHub Packages NuGet registry now runs on a new architecture, unlocking great new capabilities:

Publishing packages at organization level with GitHub Packages

Previously, NuGet packages published to GitHub Packages were closely coupled to their repositories. Now packages can be published at an organization level. They can still be linked to a repository at any time, if needed.

Learn more about connecting a repository to a package.

Fine grained permissions for NuGet packages published to GitHub Packages

You can now configure Actions and Codespaces repository access on the package's settings page, or invite other users to access the package. Additionally, NuGet packages published to GitHub Packages can still be configured to automatically inherit all permissions from a linked repository.

Learn more about configuring a package's access control.

Internal visibility

In addition to public and private, a package's visibility can now also be set to internal. It is then visible for all members of the GitHub organization.

These new features are now available to all users on github.com.

Read more about working with the GitHub NuGet registry

We appreciate your feedback on these new changes in GitHub's public community discussions!

See more

Improvements to GitHub Advanced Security billing pages

We've shipped improvements to the billing pages for GitHub Advanced Security so it is easier for you to see how many licenses you are using.

  • You can now see how enterprises and organizations are using licenses in the summary tiles.
  • You can download a CSV report for each item in the billing table so it is easier to report on license usage.
  • For enterprises, the table is sorted by the number of unique committers in each organization, so it is easy to see where GitHub Advanced Security licenses are used.
  • If an organization chooses to disable GitHub Advanced Security on a repository, the confirmation popup now informs you how this would impact your overall licenses usage.

Enterprise and Organisation GitHub Advanced Security usage

This is available on the GitHub Advanced Security section on the enterprise's billing settings page enterprise-name/settings/billing and the organization's code security and analysis settings page organization-name/settings/security_analysis.

This has shipped to GitHub.com and will be available in GitHub Enterprise Server 3.9. Learn more about the GitHub Advanced Security billing.

See more

Secret scanning now detects new secrets in issue content

GitHub Advanced Security customers using secret scanning can now view any new secrets exposed in an issue's title, description, or comments within the UI or the REST API. This expanded coverage will also detect and surface secrets matching any custom pattern defined at the repository, organization, or enterprise levels.

We have also expanded the secret scanning partner program. Secret scanning partners will now receive notifications for secrets found in public issues that match their token formats.

See more

GitHub app in Slack and Microsoft Teams – improvements

We have made bunch of improvements to our GitHub app in Slack and Microsoft Teams.

Slack

1. Introduced comment capability within Pull request notification cards

We have now added support to add comments on your pull requests directly from the notification card in Slack.
image

2. Introduced threading for Pull request notifications

Notifications for any Pull request will be grouped under a parent card as replies. The parent card always shows the latest status of the PR along with other meta-data like title, description, reviewers, labels and checks. Threading gives context, improve collaboration and reduces noise in the channel.
image

3. Added support to turn on/off threading for Issues and Pull requests

If you do not want to use threading or need some flexibility, we are also rolling out an option to turn on/off threading for issues and pull requests.
image

For more information, please visit the GitHub app guidance for Slack

Microsoft Teams

1. Improved the create issue functionality

You can now create issues with just a click, right from the place where you interact with your team i.e. from your channels and personal app.
image

  • The content of the chat is automatically added into the description along with the link to the MS Teams conversation.
  • The last used repo in the channel will be automatically filled in. However, you can go ahead and change to the repo if needed.
  • You can optionally fill in labels, assignees and milestones when you create an issue.
  • Once the issue is created you will receive a confirmation card in the channel where you created the issue.

2. Enhanced the PR notification cards in Channel and Personal App

We made few UI improvements to the Pull request notifications experience in MS Teams.

  • Introduced PR comment capability in GitHub personal app.
  • Made few updates to the look and feel of the Pull request notification card.

image

For more information, please visit the GitHub app guidance for Microsoft Teams

See more

GitHub Copilot is now available for invoiced GitHub Enterprise customers

Starting today, GitHub Copilot is officially available to invoiced GitHub Enterprise customers with our new Copilot for Business offering which joins Copilot for Individuals.
This new add-on means enterprise users can now leverage GitHub Copilot’s powerful AI to write code and even entire functions with a simple editor extension.
Copilot for Business will also provide additional capabilities including license management, centralized policy controls, and industry-leading privacy. Each license will cost $19 USD/month and will be billed directly to existing Enterprise accounts.

Learn more in the GitHub’s blog.

See more

Updated timeline for the deprecation of CodeQL Action v1

The deprecation date for the CodeQL Action v1 is shifting. Initially, this was December 2022, and now it is January 2023. This change follows the updated timeline on the deprecation of GitHub Enterprise Server (GHES) 3.3.

In January 2023, the CodeQL Action v1 will be officially deprecated (alongside GHES 3.3). GitHub Action workflows that refer to v1 of the CodeQL Action will continue to work, but no new analysis capabilities will be released to v1. New CodeQL analysis capabilities will only be available to users of v2. For more information about this deprecation and detailed upgrade instructions, please see the original deprecation announcement from April 2022.

All users of GitHub code scanning (which by default uses the CodeQL analysis engine) on GitHub Actions on the following platforms should update their workflow files:

Environments in which CodeQL runs in CI/CD systems other than GitHub Actions are not affected by this deprecation.

See more

Extending Checks Retention Policies to GHES

Previously, data generated from Checks were not managed by a retention policy and would therefore grow unbounded. A recent change was made to GitHub.com that archives checks data after 400 days and deletes records 30 days after they are archived.

This change will be extended to GitHub Enterprise Server (GHES) version 3.8 with additional features that will allow administrators to:

  • Enable/disable checks retention
  • Set a custom retention threshold
  • Set a custom hard-delete threshold

This pertains to all Checks data, including those that are generated from GitHub Actions and the Statuses API.

For questions, visit the GitHub community or get started with Checks API today.

See more

Explore the content of your npm packages with the new code explorer

You can now view the content of a package with the updated code explorer directly on the npmjs.com portal. We have improved the reliability, performance and have now made this feature available for free. You no more need to download a package to view its content. With this feature, you can easily scrutinise packages to make sure it is safe for use in your application. The code explorer provides syntax highlighting for .js, .ts, .md, .json and other commonly used file types in npm packages. You can also view the content of any previous version of a package.

Start by exploring the npm package.

See more

Limit scope of npm tokens with the new granular access tokens

You can now create access tokens with limited scope using the new granular access tokens functionality in npm. With granular access tokens, you can:

  • Restrict which packages and/or scopes a token has access to
  • Grant tokens access to specific organizations for user management
  • Set a token expiration date
  • Limit token access based on IP address ranges
  • Select between read and/or write access

Tokens with least privileges protects your npm packages from accidental or malicious misuse of your token. These tokens also allow you to manage your npm org and teams from a CI/CD pipeline. Granular access tokens are specifically built for automation and do not require 2FA. We recommend using granular access tokens with least privileges while you automate publishing and org management activities.

See more

GitHub Actions workflow notifications in Slack and Microsoft Teams

We are excited to announce that GitHub app in Slack and Microsoft Teams now supports GitHub Actions workflow notifications.

image

You can now subscribe to your repository and get notified about GitHub Actions workflow run status from your channel or personal app.
/github subscribe owner/repo workflows

  • You will get notified when a new workflow run is triggered. And you can track the live status of the jobs.
  • You can track the approval notifications as a reply in the thread and you can approve the notifications directly from channel/personal app.
  • Once the workflow is completed, you will get a update as a reply in the thread so that you can complete context and history about the workflow run.
  • If something fails, you can choose to rerun the workflow in place and you can also enable debug logs if needed.

Workflow notification filters

Getting notified about each and every workflow run can be noisy. So, we are providing you capability to filter the notifications based on your requirement. You can filter your actions workflows notifications based on name, event, actor and/or branch. You can filter the notifications as below.

/github subscribe owner/repo workflows:{name:"your workflow name" event:"workflow event" branch:"branch name" actor:"actor name"}

  • name: Name of your workflow
  • event: The event on which the workflow is triggered. You can find all the available events list here.
  • actor: The person who triggered or responsible for running of the workflow
  • branch: The branch on which the workflow is running. Only in the cases where pull_request event is included, the branch will be the target branch the pull request is created for.

Note: When you configure workflow notifications without passing any filters, it is configured by default for workflows triggered via pull requests targeting your default branch.

For more information, please visit the GitHub app guidance for Slack and Microsoft Teams.

See more

Organization-level security risk and coverage pages replace overview page

The organization-level security overview page has been replaced by the risk and coverage views as previously announced and is no longer available. The risk view is designed to help you assess security exposure, and the coverage view is intended to help you manage security feature enablement.

GitHub Enterprise customers can use the new security overview experience today by clicking on an organization's "Security" tab.

Learn more about the new risk and coverage views and send us your feedback

See more

GitHub Actions: Larger Runners using Ubuntu-latest label will now use Ubuntu-22.04

Larger runner workflows using the ubuntu-latest runner label will soon run on Ubuntu-22.04.

Ubuntu-22.04 is now the default version for the ubuntu-latest label for GitHub Actions standard runners workflows. Larger runners will now use the Ubuntu-22.04 as the -latest version starting 15 December 2022.

If you see any issues with your workflows when they are transitioned to Ubuntu-22.04:

  • File an issue in the runner-images repository
  • Switch back to Ubuntu 20.04 by specifying the ubuntu-20.04 runner label. We will continue to support Ubuntu 20.04.

Note that image software between Ubuntu-20.04 and Ubuntu-22.04 differs by the pre-installed and default versions versions of some tools. See the full list.

See more

Incremental improvements on security advisory form

We've recently released a few minor user experience improvements for our GitHub Security Advisory form:

  • You're no longer required to fill out as many fields in the form before submitting it, so you can publish faster.
  • You now fill out title/description first in the form.
  • You can now access the CVSS Calculator as a top-level attribute, rather than it being the bottom of a dropdown menu.

Further reading:

See more

Code scanning organization-level REST API is available for public repositories

GitHub organizations can now use the code scanning organization-level API endpoint to retrieve code scanning alerts on public repositories; this no longer requires a GitHub Advanced Security license. This new endpoint supplements the existing repository-level endpoint.

Learn more about the code scanning organization-level REST API.

See more

Dependabot now supports security updates for Dart and Flutter apps that use Pub packages

Dependabot security updates now supports the Pub ecosystem, making it easier for you to fix vulnerable dependencies in your Dart or Flutter apps. With security updates enabled, Dependabot will automatically raise a pull request to update vulnerable Pub dependencies to the latest patched version.

Learn more about Dependabot security updates.

See more

Audit log improvements for Dependabot alerts

GitHub's audit log allows organization and enterprise admins to quickly review the actions performed by members of their organization or enterprise. For Dependabot alerts, the audit log includes actions such as repository enablement, creation or reintroduction of alerts, dismissal of alerts, and resolving of alerts.

The audit log now supports the following improvements:

  • Dismissal comments, if provided with a Dependabot alert, are now displayed in the audit log
  • The audit log API for Dependabot alerts now supports several new fields: alert_number, ghsa_id, dismiss_reason, and dismiss_comment.
  • Additional minor improvements, including links back to the alert and correct timestamps added to events.

This release is available for organization and enterprise admins (including GHES 3.7 and later).

For more information, view documentation on Dependabot alerts in the GitHub audit log.

See more

New and improved Enterprise Reports now Generally Available

The recently enhanced GitHub Enterprise "consumed licenses" report and new "enterprise members" report are now generally available. These reports provide more insight into who has access to an enterprise, what level of access, and whether a license is consumed:

  • Consumed License Report: A breakdown of license usage for your GitHub Enterprise and any synced GitHub Enterprise Server instances;
  • Enterprise Members Report: An extensive list of licensed and non-licensed members associated with your Enterprise Cloud environment, including members synced from a GitHub Enterprise Server instance.

To learn more about these reports and how to access them, read our documents about viewing license usage for GitHub Enterprise and exporting membership information about your enterprise.

See more

Calendar-based versioning for the REST API

Today, we’re introducing calendar-based versioning for the REST API to give API integrators a smooth migration path and plenty of time to update their integrations when we need to make occasional breaking changes to the API.

You can learn more in today’s blog post and on the new “API Versions” page in our docs.

If you’re using the REST API, you don’t need to take any action right now. We’ll get in touch with plenty of notice before we drop support for any old versions.

See more
View more changes