GitHub is now protecting users of CloudBees from accidental leaks of their API tokens. Token scanning scans all incoming commits in public repositories. If potential tokens are discovered, it sends them to partners for verification, and potential action, including contacting the token owner and/or revoking the token on the server-side.
Web Authentication (WebAuthn) security keys
GitHub now supports the WebAuthn standard for authentication. A broad array of security keys can be used across most major browsers (Apple will add support in Fall 2019). The following is supported: external hardware security keys, Android phones, Chrome with TouchID, iOS Brave with the Yubico 5Ci key, facial recognition or PIN with Windows Hello, as well as any new authenticators platform owners release in the future. No additional action is required for users with existing U2F hardware security keys.
When publishing a package in GitHub Package Registry, a release and corresponding tag will no longer be created. When publishing a package with a version corresponding to an existing tag and release, the package is automatically associated with that release.
Support for using the GitHub Actions `GITHUB_TOKEN` to access packages in GitHub Package Registry has also been extended to NuGet packages. You can now publish and consume NuGet packages from Actions by adding `GITHUB_TOKEN` to your NuGet.config file as a password.