The default branch for newly-created repositories is now main

The default branch name for new repositories is now main. To set a different default:

  • For users, on the https://github.com/settings/repositories page
  • For organization owners, on the https://github.com/organizations/YOUR-ORGANIZATION/settings/repository-defaults page
  • For enterprise administrators, on the https://github.com/enterprises/YOUR-ENTERPRISE/settings/member_privileges page

Users, organizations, and enterprises that previously selected a default branch for new repositories are not impacted by this change.

Existing repositories are not impacted by this change. Later this year, you'll be able to rename the default branch for existing repositories for your user, organization, or enterprise account.

This change is one of many changes GitHub is making to support projects and maintainers that want to rename their default branch. To learn more about the changes we're making, see github/renaming.

A moderate security vulnerability has been identified in the GitHub Actions runner that can allow environment variable and path injection in workflows that log untrusted data to STDOUT. This can result in environment variables being introduced or modified without the intention of the workflow author.

To allow us to address this issue while maintaining your ability to set environment variables dynamically, we have introduced a new set of files to manage environment and path updates in workflows.

Patching your actions and workflows

If you are using self-hosted runners make sure they are updated to version 2.273.1 or greater.

Action authors who are using the toolkit should update the @actions/core package to v1.2.6 or greater to get the updated addPath and exportVariable functions.

Action and workflow authors who are setting environment variables via STDOUT should update any usage of the set-env and add-path workflow commands to use the new environment files.

If you need to log untrusted information such as issue titles, bodies, or commit messages to STDOUT, we recommend that you disable command processing before doing so.

As an example, in bash you could do the following:

jobs:
  example-job:
    name: example
    runs-on: ubuntu-latest
    steps:
    - name: log untrusted output
      run: |

        # disable command workflow processing
        echo "::stop-commands::`echo -n ${{ github.token }} | sha256sum | head -c 64`"

        # log untrusted output
        echo "untrusted output"

        # enable workflow command processing
        echo "::`echo -n ${{ github.token }} | sha256sum | head -c 64`::"

In a JavaScript Action:

import {v4 as uuidv4} from 'uuid'

// disable workflow commands
const token = uuidv4()
console.log(`::stop-commands::${token}`)

// log untrusted output
console.log("untrusted output")

// enable workflow commands
console.log(`::${token}::`)

For other languages, you need to generate a suitably random token that changes with each run.

See Stopping and starting workflow commands to learn more.

Starting today, runner version 2.273.5 will begin to warn you if you use the add-path or set-env commands. We are monitoring telemetry for the usage of these commands and plan to fully disable them in the future.

Learn more about CVE-2020-15228

@actions/core npm package

Learn more about the new environment files

For questions please visit the GitHub Actions community forum


You can now fine-tune access to external actions. These updated settings make it easier to achieve your security and compliance goals with GitHub Actions.

  • You can limit external actions to just those created by GitHub, those in the Marketplace that were created by verified authors, or a combination
  • You can optionally list specific external actions. Wildcards, tags, and SHAs enable flexibility and specificity


Learn more about external action policies

For questions please visit the GitHub Actions community forum

To see what's next for GitHub Actions, visit our public roadmap.
