
Updated pull request auto-merge behavior for users without write access

To prevent unexpected changes from potentially slipping in after auto-merge is enabled on a pull request, auto-merge is now disabled automatically when new changes are pushed by a user without write access to the repository.

Note: users without write access can still update their pull requests to bring in changes from the base branch without having auto-merge disabled, but auto-merge will be disabled if the update results in merge conflicts that have to be resolved. This prevents merge conflicts from being deliberately used as a way to introduce code that hasn't been fully reviewed by the people with write access to the project.

Learn more about automatically merging pull requests when all merge requirements have been met.

GitHub and the Python Package Index (PyPI) are collaborating to help protect you from leaked PyPI API tokens.

From today, GitHub will scan every commit to a public repository for exposed PyPI API tokens. We will forward any tokens we find to PyPI, who will automatically disable them and notify their owners. The end-to-end process takes just a few seconds.

PyPI is just the latest GitHub secret scanning integrator – since 2018 GitHub has collaborated with 35 token issuers to help keep their customers safe. We continue to welcome new integrators for public repo secret scanning. In addition, GitHub Advanced Security customers can now also scan their private repositories for leaked secrets.

We'd like to thank Joachim Jablon for his work on PyPI that made this collaboration possible.
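
A local check in the same spirit as the scanning described above, as an added example that is not GitHub's or PyPI's code: it reports PyPI API tokens found on added lines of a unified diff, redacting each token in the report. The token pattern, the names `scan_diff` and `redact`, and the sample diff are assumptions of this example.

```python
import re

# Assumption: a PyPI API token is "pypi-" plus a base64url macaroon whose first
# bytes encode the location "pypi.org"; the minimum body length is a heuristic.
PYPI_TOKEN_RE = re.compile(r"pypi-AgEIcHlwaS5vcmc[A-Za-z0-9_-]{50,}")
HUNK_RE = re.compile(r"@@ -\d+(?:,(\d+))? \+(\d+)(?:,(\d+))? @@")

def redact(token):  # keep enough to identify the token without re-leaking it
    return token[:12] + "..." + token[-4:]

def scan_diff(diff_text):
    """Return (path, new_line_number, redacted_token) for tokens on added lines."""
    findings, path, old_left, new_left, new_line = [], None, 0, 0, 0
    for line in diff_text.splitlines():
        if old_left > 0 or new_left > 0:      # inside a hunk body
            if line.startswith("+"):
                for tok in PYPI_TOKEN_RE.findall(line[1:]):
                    findings.append((path, new_line, redact(tok)))
                new_line += 1
                new_left -= 1
            elif line.startswith("-"):        # removed line: old file only
                old_left -= 1
            elif not line.startswith("\\"):   # context line (skip "\ No newline")
                new_line += 1
                old_left -= 1
                new_left -= 1
        elif line.startswith("+++ "):         # file header, only outside hunks
            path = line[4:].removeprefix("b/")
        elif (m := HUNK_RE.match(line)):
            old_left = int(m.group(1) or 1)   # an omitted count means 1
            new_line = int(m.group(2))
            new_left = int(m.group(3) or 1)
    return findings

# Constructed sample: a fake token (not a valid credential) added to .pypirc.
FAKE_TOKEN = "pypi-AgEIcHlwaS5vcmc" + "EXAMPLE" * 10
SAMPLE_DIFF = "\n".join([
    "--- a/.pypirc",
    "+++ b/.pypirc",
    "@@ -1,2 +1,3 @@",
    " [pypi]",
    " username = __token__",
    "+password = " + FAKE_TOKEN,
])

if __name__ == "__main__":
    for path, lineno, shown in scan_diff(SAMPLE_DIFF):
        print(f"{path}:{lineno}: possible PyPI API token {shown}")
```

Only added lines are reported, so a commit that removes a token does not raise a finding, although the token remains in history and still needs to be revoked.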
