Integrators can set an IP allow list for a GitHub App by adding individual IP addresses or address ranges for the hosted service. If an enterprise account or organization has enabled IP allow lists and chosen to allow installed GitHub Apps to configure allowed IPs, then the IP addresses provided for a GitHub App will be inherited by the customers allow lists.
When configuring a GitHub App, the authorization callback URL is a required field. But now we allow the developer to specify multiple callback URLs. This can be used in services with multiple domains or subdomains. GitHub will always deny authorization if the callback URL from the request is not in the authorization callback URL list.
Finally, GitHub Apps can request a permission that allows the app to access a single file in a repository. App developers are encouraged to use this permission rather than requesting access to all files in the repo. Based on feedback from developers, the permission has been updated to allow an app developer to specify up to 10 files for read-only or read-write access that their app can request access to.