You can now create single-use self-hosted runner registration tokens using the REST API.
When a runner registers using one of these tokens it will only be allowed to run a single job before being automatically removed from the repository, organization, or enterprise. This enables you to improve the security of your self-hosted runner infrastructure by limiting the exposure of long lived credentials.
Today, we're extending CodeQL code scanning support to Swift! Developers working on Swift libraries and apps on Apple platforms can now benefit from our best-in-class code security analysis. We currently identify issues such as path injection, unsafe web view fetches, numerous cryptographic misuses and other types of unsafe evaluation or processing of unsanitized user-controlled data. During this beta, we’ll gradually increase our coverage of distinct weaknesses.
Swift joins our existing supported languages (C/C++, Java/Kotlin, JS/TS, Python, Ruby, C#, and Go), which in sum run nearly 400 checks on your code, all while keeping false positive rates low and precision high.
Set up code scanning on your Swift repositories today and receive actionable security alerts right on your pull requests. Read more about our supported Swift versions and platforms here.
Swift support is available starting with CodeQL version 2.13.3. GitHub.com users are automatically updated, while GitHub Enterprise Server users can update using these guidelines. Security researchers can set up the CodeQL CLI and VS Code extension by following these instructions.
This is just the start for Swift support in GitHub Advanced Security, keep an eye on the main GitHub blog for further announcements. If you have any feedback or questions about the Swift beta, consider joining our community in the #codeql-swift-beta channel in the GitHub Security Lab Slack. Thanks to all Swift community members who have participated in the private beta.
We've now made it easier to understand changes to your repositories with the new activity view. Historically viewing pushes to a repository required contacting GitHub support. This new activity view gives users with read access the ability to self-serve insights to a repository and all of its changes.
You can access the Activity view from the main page of a repository by clicking "Activity" to the right of the list of files.
You can also access the activity view from the Branches page of any repository by clicking on the activity icon.
From the activity view you can sort and filter to find exactly what you are looking for.
Here is an example of how you could use the activity view to find a force push on a particular branch, and then compare the changes to the repository before and after the push:
Learn more about the Activity view.
Already using the activity view? We'd love to hear your feedback.
GitHub Enterprise Cloud administrators can now download and view the updated Services Continuity and Incident Plan for 2023.
To learn more, please review our documentation on how to access compliance reports for your enterprise or for your organization.
Today's Changelog brings you project templates, support for tasklists on mobile, and bulk edit support on boards!
Project templates for organizations are now in public beta! Building upon the recently released ability to copy an existing project you can now create, save and reuse projects with templates, helping you save time and create a consistent approach to managing your projects.
To get started with project templates:
admins will see a new option Make template on the settings page that will set the project as a template.admins and write access users will see the option to Copy as template, which will create a new version without your issues and pull requests as a template.is:template on the projects page. 
As we continue to build out more functionality for project templates we would love your feedback and to hear more about your experiences and requests. Check out the docs for more details.
Tasklists now render on mobile! View progress on your initiatives, epics, umbrella issues (or whatever your team calls them) on the go!
Tasklists are currently in private beta, and you can sign your organization up on the waitlist.
Kanban enthusiasts rejoice! We've added the ability for users to bulk update cards on their boards with either mouse drag and drop or keyboard navigation. To select more than one card, simply hold Ctrl/Command and click on the cards you wish to move. For keyboard warriors, tab to the card you wish to drag, hold shift and navigate to other cards you wish to update, and press enter to select and move the selected cards.
For more detailed information, find a full list of keyboard shortcuts in the docs.
When you collapse a group in the table or roadmap layout, the group will remain collapsed when you return to the view. This is only the case for your view and will not be applied for anyone else.
If other values in this field already have a color, a color will be auto-assigned to any new values added to the field.
You can now select and copy a range of cells. Use Ctrl/Command + a keyboard command once to select a row and twice to select all cells, and Ctrl/Command + c to copy values. You can then paste values in other text editors using Ctrl/Command + v.
Tasklists bug fixes and improvements:
Other changes include:
label dialog without using a mouseSee how to use GitHub for project planning with GitHub Issues, check out what's on the roadmap, and learn more in the docs.
GitHub secret scanning protects users by searching repositories for known types of tokens. By identifying and flagging these tokens, our scans help prevent data leaks and fraud.
We have partnered with Canadian Digital Service (CDS) to scan for their tokens and help secure our mutual users on public repositories. Canadian Digital Service tokens allow users to send email and text messages using the Government of Canada’s Notify service. GitHub will forward access tokens found in public repositories to CDS, which will then revoke the token and contact the impacted users to help them generate new tokens. You can read more information about CDS's tokens here.
All users can scan for and block CDS tokens from entering their public repositories for free with push protection. GitHub Advanced Security customers can also scan for and block CDS tokens in their private repositories.
Bamboo Server and Data Center migrations to GitHub Actions are now in public beta! You can now plan, test, and automate the migration of your Bamboo pipelines to GitHub Actions easily and for free using GitHub Actions Importer.
For details on how to get started, check out our documentation. For questions and feedback about the public beta, please visit the GitHub Actions Importer community.
GitHub secret scanning protects users by searching repositories for known types of secrets. By identifying and flagging these secrets, our scans help prevent data leaks and fraud.
We have partnered with LogicMonitor to scan for their tokens and help secure our mutual users on public repositories. LogicMonitor tokens allow users to authenticate requests to LogicMonitor's REST API. GitHub will forward access tokens found in public repositories to LogicMonitor, which will then inform their portal contacts for remediation. You can read more information about LogicMonitor's tokens here.
All users can scan for and block LogicMonitor tokens from entering their public repositories for free with push protection. GitHub Advanced Security customers can also scan for and block LogicMonitor tokens in their private repositories.
In the coming week, GitHub will upgrade the host operating system for the virtual machines that build and run the dev containers in GitHub Codespaces from Ubuntu 18.04 to Ubuntu 22.04. Ubuntu 18.04 will reach its end of standard support on May 31, 2023, so we are upgrading in order to maintain the highest quality of support and security for all development environments. Most users will not be impacted by this update.
The host virtual machine is responsible for building and running the dev container configured in the devcontainer.json. When a developer connects to a codespace, they connect directly to the dev container, whose operating system is defined by the devcontainer.json configuration. This maintenance upgrade will not impact the development container configuration or prebuilds, and will not require any package updates within the development environment itself.
We recommend decoupling your dev container configuration from the host operating system. If your dev container depends on a specific host operating system version or Linux kernel version, this upgrade will impact you. For example, if you are installing specific kernel headers from the host into your dev container, you should change your configuration to install the generic linux headers, as this package will properly update independent of the host operating system kernel version.
If you see any issues that you believe are related to this change, please reach out to GitHub Support.
Helpful Links:
You may start seeing a temporary authorization hold after accruing usage of metered products (GitHub Actions, Packages, or Codespaces). This will appear as a pending charge in your account's payment method and will be immediately reversed as soon as your bank authorizes the amount. You will not be charged for the hold.
For more information, visit documentation for Actions, Packages, and Codespaces.
GitHub secret scanning protects users by searching repositories for known types of secrets. By identifying and flagging these secrets, our scans help prevent data leaks and fraud.
We have partnered with Highnote to scan for their tokens and help secure our mutual users on public repositories. Highnote tokens allow users to authenticate with Highnote’s GraphQL API. GitHub will forward access tokens found in public repositories to Highnote, which will then revoke the token and work with impacted users to generate a new token. You can read more information about Highnote’s tokens here.
GitHub Advanced Security customers can also scan for Highnote tokens and block them from entering their private repositories. All users can enable push protection for public repositories, for free.
Many accessibility improvements have been deployed to npmjs.com. Highlights include:
Your feedback is welcome! Please share feedback on the accessibility community discussions page and learn more about GitHub accessibility at accessibility.github.com.
Editing workflow files is now possible on GitHub Mobile! You can create and merge pull requests after modifying your workflow files using the Android or iOS app.
Simply navigate to the file you would like to edit by tapping Browse code in the repository view, then select Edit File in the dropdown menu in the top right hand corner.
More info on how to edit a file or create a pull request on GitHub Mobile can be found here.
Read more about GitHub Mobile and share your feedback to help us improve.
GitHub secret scanning protects users by searching repositories for known types of secrets. By identifying and flagging these secrets, our scans help prevent data leaks and fraud.
We have partnered with Aiven to scan for their tokens and help secure our mutual users on public repositories. Aiven tokens allow users to interact with Aiven hosted services and the Aiven API. GitHub will forward access tokens found in public repositories to Aiven, and the Aiven Customer Success Team will contact project owners via the normal service channel and work with them to rotate and revoke the affected credentials. Aiven will not revoke credentials without prior communication and acknowledgement from the project owner. You can read more information about Aiven’s tokens here.
GitHub Advanced Security customers can also scan for Aiven tokens and block them from entering their private repositories. All users can enable push protection for public repositories, for free.
You can now display your preferred pronouns on your GitHub Mobile profile. Adding pronouns to your profile helps create a more inclusive and welcoming community for all. To do so, update your public profile information in the web settings and see them reflected on GitHub Mobile. Learn more in our documentation.
Auto scaling self hosted runners using the actions runner controller and runner scale sets is now in public beta.
Secret scanning's push protection feature is now generally available for all free public repositories on GitHub.com.
You can enable push protection for any public repository on GitHub.com from your repository's "Code security and analysis" settings in the UI or REST API. If you're an organization or enterprise owner, you can also also bulk-enable secret scanning.
For your repositories that are not a part of an organization, you can bulk-enable secret scanning and push protection in your personal "Code security and analysis" settings.
Secret scanning's push protection feature is now generally available for GitHub Advanced Security customers.
Customers can enable push protection for any private repository that has GitHub Advanced Security. Push protection can also be enabled for any public repository, for free. To bulk enable push protection, customers can visit their organization and enterprise's "Code security and analysis" settings in the UI or REST APIs.
Push protection is also available for any custom pattern defined at the repository, organization, and enterprise level. See step 11 under "Defining a custom pattern for a repository" for more details in our documentation.
Actions are coming to your Repositories on GitHub Mobile! Find all your repository's workflows in one convenient place.
Tapping on the new "Actions" row on a Repository now shows you a list of all of the Repository's workflows. Choosing a workflow will show you all of its runs, allowing you to check up on things while on the go. If you want to dig into the details, tapping on a run will lead you into the familiar workflow experience we brought you last year to explore everything from a run's overall status to its individual jobs and even logs.
A run didn't go as planned? No problem. Toggle the new debug-switch when re-running a workflow to see what's going on under the hood, just like you would on GitHub.com.
Read more about GitHub Mobile and share your feedback to help us improve.
Previously, all attached (drag-and-dropped) images and videos on GitHub Issues, Pull Requests, Discussions, and wikis were available to view without authentication if you knew their direct URL. Now, future attachments associated with private repositories can only be viewed after logging in. This doesn’t apply retroactively to existing attachments, which are obfuscated by having a long, unguessable URL.
Email notifications sent from private repositories will no longer display images; each image is replaced by a link to view it on the web. Content inside a Git repository is not affected by this change and has always required authentication for private repositories.
Learn more about attaching files.
Questions or suggestions? Join the conversation in the community discussion.