License sync updates: new Consumed License data, a new License API and license matching improvements (Public Beta)

We’ve made a series of improvements to the GitHub Connect license sync feature in addition to the "Sync now" button we recently added in GHES:

  1. Enterprise administrators can now access a refreshed Consumed License CSV that includes additional data, such as the saml_name_id and the GitHub Enterprise Cloud email address (for verified domains only) for each user;
  2. Enterprise administrators also have access to two new License REST API endpoints:
    a. consumed-licenses: returns the same Consumed License data found in the CSV download
    b. license-sync-status: returns information related to the license sync job status
  3. We improved the license sync matching algorithm for enterprises that use SAML SSO. We now attempt to match Server user accounts against SAML attributes in addition to matching against users' GitHub Enterprise Cloud email addresses. This improvement eliminates the need for enterprise administrators to require users to add their work-related email addresses to their GitHub Enterprise Cloud account.

Learn more about license sync and give us your feedback

Prefect is now a GitHub secret scanning partner

GitHub secret scanning protects users by searching repositories for known types of secrets. By identifying and flagging these secrets, our scans help prevent data leaks and fraud.

We have partnered with Prefect to scan for their access tokens and help secure our mutual users on public and private repositories. The Prefect service account API keys are not associated with a user and are restricted to a specific tenant, but they are recommended for application and automation use. GitHub will forward access tokens found in public repositories to Prefect, who will immediately email the owner of the leaked key. More information about Prefect API Tokens can be found here.

GitHub Advanced Security customers can also scan for Prefect tokens and block them from entering their private and public repositories with push protection.

See more

Bypass branch protections with a new permission

You can now create a custom role to bypass branch protections without having to grant the Admin role. Previously, to bypass branch protections you had to be an Admin which provides additional permissions that may not be needed. For tighter control of Admin permissions, you can now craft a custom role that has the Bypass branch protections permission, allowing just the right amount of access.

Image of Custom roles Inherited from Maintain role that adds the new Bypass branch protections permission

To enforce branch protections for all Admins and roles with the "Bypass branch protections" permission, enable Do not allow bypassing the above settings in your branch protection rules.

Image of checkbox selecting Do not allow bypassing the above settings

This permission differs from the Push commits to protected branches permission, which allows pushing to a protected branch, but branch protection rules will still apply and could result in a push being denied.

For more information, visit Managing custom repository roles for an organization in the GitHub documentation.

We appreciate feedback on this and other topics in GitHub's public feedback discussions.

See more
View all changes