Changelog

Subscribe to all Changelog posts via RSS or follow GitHub Changelog on Twitter to stay updated on everything we ship.

~ cd github-changelog
~/github-changelog|main git log main
showing all changes successfully

Category Forms on GitHub Discussions

Maintainers of GitHub repositories can now use Category Forms to create templates for their Discussions, which means that users can start new discussions with all the necessary information already included. We hope this leads to less repetitive back and forth conversation with maintainers, as users are more likely to capture all relevant details in their first Discussion post.

Similar to Issue Forms, maintainers can create a discussion template, which will live in .github/DISCUSSION_TEMPLATE/. Each template will map 1:1 with the available Discussion Categories slugs. For example, the template for the “Announcements” category will be .github/DISCUSSION_TEMPLATE/announcements.yml. Once created, Category Forms in Discussions will be familiar to users who have seen them in issues:

Category Forms example

Learn more about Category Forms
For questions or feedback, please visit our community.

See more

Persona is now a GitHub secret scanning partner

GitHub secret scanning protects users by searching repositories for known types of secrets. By identifying and flagging these secrets, our scans help prevent data leaks and fraud.

We have partnered with Persona to scan for their API keys and help secure our mutual users on all public repositories and private repositories with GitHub Advanced Security. Persona API keys allow users to create, update, and interact with their identity-related data. GitHub will forward API keys found in public repositories to Persona, who will notify affected customers and work with them to rotate their API keys. You can read more information about Persona API keys here.

GitHub Advanced Security customers can also scan for Persona API keys and block them from entering their private and public repositories with push protection.

Learn more about secret scanning
Partner with GitHub on secret scanning

See more

GitHub Actions – Updating the default GITHUB_TOKEN permissions to read-only

Previously, GitHub Actions gets a GITHUB_TOKEN with both read/write permissions by default whenever Actions is enabled on a repository.
As a default, this is too permissive, so to improve security we would like to change the default going forward to a read-only token. You can still flip it to read/write if needed.

This change will not impact any existing enterprises, organizations or repositories. Here is how the defaults are set going forward.

  1. Enterprises: New enterprises will have read-only token.
  2. Organizations owned by Enterprise: New organizations will inherit the permissions from parent enterprise.
  3. Organizations not owned by Enterprise: New organizations will have read-only token.
  4. Repositories owned by organization: New repositories will inherit permissions from parent organization.
  5. Repositories owned by personal account: New repositories will have read-only token.
See more

API requests are available via audit log streaming – Private Beta

GitHub Enterprise Cloud customers can now join a private beta which allows API request events to be streamed as part of their enterprise audit log.

In this private beta, REST API calls against enterprise private repositories can be streamed to one of GitHub's supported streaming endpoints. Further iterations on this feature are planned to expand the API events captured and make this data available via the audit log API.

Many GitHub users leverage GitHub's APIs to extend and customize their GitHub experience. However, use of APIs can create unique security and operational challenges for Enterprises.

With the introduction of targeted audit log streaming API requests, Enterprise owners are now able to:

  • Better understand and analyze API usage targeting their private repositories;
  • Identify and diagnose potentially misconfigured applications or integrations;
  • Troubleshoot API activity targeting private repositories that may be contributing to API rate limiting; and
  • Develop API specific anomaly detection algorithms to identify potentially malicious activity.

Enterprise owners interested in participating in the private beta should reach out to your GitHub account manager or contact our sales team to have this feature enabled for your enterprise. Once enabled, you should begin seeing API request events in your audit log stream. Feedback can be provided at our beta feedback community discussion post.

See more

GitHub Actions: Job summary updates

We are making changes to job summaries and logs in GitHub Actions that will impact customers using self-hosted runners. Over the next six months, customers using self-hosted runners will need to ensure machines have appropriate network access to communicate with the GitHub hosts below so that job summaries and logs emitted from Actions workflows can work as expected.

  • actions-results-receiver-production.githubapp.com
  • productionresultssa*.blob.core.windows.net

After July 31, 2023, if you are using self-hosted runners and have not updated your network access settings to allow the aforementioned hosts, your job summaries and logs may not display correctly.

For more details see
Communication between self-hosted runners and GitHub.

For questions, visit the GitHub Actions community.

To see what's next for Actions, visit our public roadmap.

See more

Audit log streaming to AWS S3 integration with AWS CloudTrail Lake

In January 2022, GitHub announced audit log streaming to AWS is generally available. By streaming the audit log for your enterprise, enterprises benefit from:

  • Data exploration: Examine streamed events using your preferred tool for querying large quantities of data. The stream contains both audit and Git events across the entire enterprise account.
  • Data continuity: Pause the stream for up to seven days without losing any audit data.
  • Data retention: Keep your exported audit logs and Git events data as long as you need to.

To expand on this offering, enterprises streaming their audit log to AWS S3 now have the ability to use AWS CloudTrail Lake integration to automatically consolidate and ingest GitHub audit logs into AWS Cloud Trail Lake. AWS CloudTrail Lake is a managed security and audit data lake that allows organizations to aggregate, immutably store, and query events. By deploying this integration in your own AWS account, AWS CloudTrail Lake will capture and provide tools to analyze GitHub audit log events using SQL-based queries.

To learn more, read our documentation on integrating with AWS CloudTrail Lake.

See more

Roadmap in Projects (public beta)

Today we are announcing the public beta of roadmaps in GitHub Projects! 🎉

Last November at GitHub Universe, we announced the private beta for roadmap. With your help and feedback over the last three months, we have shipped many exciting updates making it easier for you to visualize and plan your work over time, understand what is in progress or coming up next, and keep your team and stakeholders up to date.

image

🗺 Creating a roadmap

You can quickly build a roadmap alongside the same table and board views you already know and love.

When creating a roadmap, use existing date or iteration fields in your project to populate your items on the roadmap or create a new field from the Date fields menu. Set the zoom level to Month, Quarter, or Year depending on how granular you need your roadmap to be.

➕ Adding items and dates

Adding roadmap items works just like adding project items in any other view. Use the + Add item to search for or create a new issue, or type to create a draft placeholder. Once you’ve added the item, assign it to a specific date or within an iteration with a single click.

If plans change (which they often do!), you can adjust and move an item directly on the roadmap to reflect the new plan.

🎨 Customizing the view

Customizing your roadmap helps you create a tailored view for you and your teams. Select a group by field to segment and bucket your items by a custom field, such as status or team. This allows you to visually separate your items to understand both how they line up with each other and how long they all are expected to take.

Select a sort by field to further organize your roadmap, and specify a filter so that you only include relevant project items.

Tell us what you think!

We’ve got more improvements planned but we want to hear from you! Be sure to drop a note in the discussion and let us know how we can improve! Check out the documentation for more details.

If you would like to request access for the tasklists private beta to visualize the hierarchy of your items on the roadmap, sign up on the waitlist.

See how to use GitHub for project planning with GitHub Issues, check out what’s on the roadmap, and learn more in the docs.

See more

Git archive checksums may change

We are reverting this change for now. More details to follow.

The default compression for Git archives has recently changed. As result, archives downloaded from GitHub may have different checksums even though the contents are completely unchanged.&lt

GitHub doesn’t guarantee the stability of checksums for automatically generated archives. These are marked with the words “Source code (zip)” and “Source code (tar.gz)” on the Releases tab. If you need to rely on a consistent checksum, you may upload archives directly to GitHub Releases.
These are guaranteed not to change.

See more

GitHub Desktop improves force pushing and fetching along with many great open source contributions

GitHub Desktop 3.1.5 improves support for force pushing and fetching through the newly added Repository menu items as well as supporting pull request notifications on forks. This release also comes with many great contributions (12 changelog entries! ) from our open source contributors.

Force-pushing and Fetching

Previously, a user could only force push after an action such as rebasing. Now, when users find their branch in any diverged state, they can opt to use the force push Repository menu item. For example, a user can force push when commits exist on the remote that they are sure they want to overwrite.

ALT GitHub Desktop repository in a diverged state with Repository menu open showing force push menu item

Similarly, a user may find themselves in a new local branch they are not ready to publish, yet they want to fetch to see if there are any new changes on their main branch they would want to merge in. Instead of having to switch branches, they can use the Repository menu item to fetch those changes.

Notifications for Forks

If you have been enjoying our Pull Request notifications on your repositories, you will be happy to hear that with 3.1.5 those same notifications are supported on forks.

Open Source Contributions

We love the help we get from the open source community, providing many fixes and improvements for everyone to enjoy.

Thank you @angusdev for contributing all these fixes:

  • Hide window instead of hiding the app on macOS
  • The repository change indicator is visible if repository list item is selected and in focus
  • Tooltips are positioned properly if mouse is not moved
  • Tooltips of long commit author emails wrap to multiple lines
  • Clone repository progress bar no longer hidden by repository list
  • Close repository list after creating or adding repositories

Thank you @tsvetilian-ty for adding support for JetBrains Toolbox and JetBrains Fleet editor for Windows.

Thank you @zipperer for adding support for emacs editor.

Thank you @patinthehat for adding support for JetBrains PhpStorm and WebStorm editors

Thank you @daniel-ciaglia for adding support for VSCodium as an external editor.

Thank you @Shivareddy-Aluri for adding the ability to copy tag names from the commit list.

Thank you @j-f1 for improving the the diff view by adding highlighting to Arduino's .ino files as C++ source.

Learn more about GitHub Desktop here.

See more

GitHub Projects – January 26th update

This week, we’ve shipped a new experience for creating issues directly from Projects, improved sorting by custom fields across all layouts, and fixed a few bugs.

📝 Create issues in a snap with the new issue creation dialog

Create new issues quickly and easily by clicking the + icon on the omnibar and selecting Create new issue. Add labels, select a milestone, and assign to a teammate without ever leaving your project.

🗂 Sorting by field values on the board layout

Sort by field values on the board layout to easily organize your work items within your board columns. Select a sorting field from the view configuration menu to reorder items within each column, and move your items freely between columns while still maintaining the sorted order.

✅ Tasklists (Private Beta) improvements & bug fixes

Tasklists is currently in Private Beta but we’re letting folks in as fast as we can, join the waitlist!

We’ve recently shipped a major refactor to tasklists, so bear with us and help us by reporting problems you run into!

🐛Tasklists bug fixes

  • Fixed a bug where transferring Issues broke tasklists
  • Stopped inserting superfluous newlines around tasklists
  • Stopped showing duplicate labels on tasklists

✨ Tasklists enhancements

  • Edit history now reflects the changes made to the tasklists in Markdown
  • Tasklists preserve inserted Markdown instead of callously disposing of all “non-tasks”
  • Support for bold, italicize, strike text out, link and code formatting
  • Ability to @ mention people in tasks
See more

Enable private vulnerabilty reporting organization-wide

Organization admins and security managers can now enable private vulnerability reporting for all public repositories within an organization at once.

With this enhancement, you no longer have to enable the feature for each repository individually.

Find this option under your organization's "Settings" tab under "Code security and analysis".

Private vulnerability reporting

See more

Dependabot alerts prettified link and hovercard

Starting today, when linking to a Dependabot alert in an issue and or pull requests, anyone with permissions to view the alert will see a rich Dependabot alert mention, with detailed hovercard and a prettified link with the title of the alert.

Card details include:

  • Alert title, repository, and description
  • Date that the alert was opened
  • Alert severity and status (fixed, dismissed, or open).

Dependabot alerts - prettified links and hovercard example

Learn more about Dependabot alerts

See more

Twilio Segment is now a GitHub secret scanning partner

GitHub secret scanning protects users by searching repositories for known types of secrets. By identifying and flagging these secrets, our scans help prevent data leaks and fraud.

We have partnered with Twilio Segment to scan for their tokens and help secure our mutual users on all public repositories, and private repositories with GitHub Advanced Security. Twilio Segment tokens allow users to programmatically manage their workspaces. GitHub will forward access tokens found in public repositories to Twilio Segment, who will immediately revoke the token and notify workspace owners. You can learn more about Twilio Segment tokens here.

GitHub Advanced Security customers can also block Twilio Segment tokens from entering their private and public repositories with push protection.

Learn more about secret scanning
Partner with GitHub on secret scanning

See more

Add notes when blocking users

gif of adding note to blocked user

You can now add a note to describe why the blocking of a user took place, to provide projects and teams with the context around privacy and safety decisions. Notes on blocked users at the organization level will be visible to the owners and moderators of that organization. Notes on blocked users from your personal account will be visible just to you.

See more

Secret scanning users can now see the validity of detected GitHub tokens

Secret scanning users can now view the validity of detected GitHub tokens by clicking into the related alert's UI page. The alert page will tell you whether the GitHub token is still active and able to be used.

Secret scanning alerts are available for free on public repositories and as part of GitHub Advanced Security on private repositories.

See more

The crates.io registry is now a GitHub secret scanning integrator

GitHub, the Rust Foundation, and the Rust Project are collaborating to help protect you from leaked crates.io keys.

From today, GitHub will scan every commit to a public repository for exposed crates.io keys. We will forward any tokens we find to crates.io, who will automatically disable the tokens and notify their owners. The end-to-end process takes only a few seconds.

Crates.io is the latest GitHub secret scanning integrator; since 2018, GitHub has partnered with over 100 token issuers to help keep our mutual customers safe. We continue to welcome new partners for public repository secret scanning. In addition, GitHub Advanced Security customers can scan their private repositories for leaked secrets.

We’d like to thank the crates.io team, the staff at the Rust Foundation, and the work from AWS’ Dan Gardner on this GitHub pull request that made our collaboration with Rust possible.

Learn more about secret scanning
Partner with GitHub on secret scanning

See more
View more changes