EMU OIDC CAP support is now enhanced to protect web sessions [Public Preview]

If you are using GitHub Enterprise Cloud with EMU and using OpenID Connect (OIDC) SSO, this new feature, currently in public preview, will help enforce IdP-defined IP restrictions to protect all web interactions on GitHub.

Currently, when your enterprise uses OIDC-based SSO and if any of the enterprise members change their IP address, GitHub can validate their access to your enterprise and its resources using your IdP’s Conditional Access Policy (CAP). IdP CAP validations previously covered only non-interactive flows where users authenticate with a personal access token or SSH key.

With this launch, we are now extending these validations to include all interactive web flows. If you already had IdP CAP turned ON previously, you will need to explicitly opt-in into extended protection for web sessions from their enterprise’s “Authentication security” settings. If you enable IdP CAP support after today’s public preview launch, you will get the coverage across web flows by default.

When this feature is generally available, we plan to have both interactive and non-interactive flows protected by the IdP CAP validations for all customers by default and remove the additional step of requiring to opt-in.

Learn more about GitHub’s support for your IdP’s Conditional Access Policy.

Notice of breaking changes for GitHub Actions

Ubuntu-latest upcoming breaking changes

We will migrate the ubuntu-latest label to ubuntu 24 starting on December 5, 2024 and ending on January 17, 2025. The ubuntu 24 image has a different set of tools and packages than ubuntu 22. We have made cuts to the list of packages so that we can maintain our SLA for free disk space. This may break your workflows if you depend on certain packages that have been removed. Please review this list to see if you are using any affected packages.

Artifacts v3 brownouts

Artifact actions v3 will be closing down by December 5, 2024. To raise awareness of the upcoming removal, we will temporarily fail jobs using v3 of actions/upload-artifact or actions/download-artifact. Builds that are scheduled to run during the brownout periods will fail. The brownouts are scheduled for the following dates and times:
– November 14, 9am – 10am EST
– November 21, 9am – 5pm EST

Changes to workflow validation for pull requests originating from forked repositories

Currently, you can prevent Actions workflows from automatically running on pull requests made from forked repositories. Actions evaluates whether the actor initiating the request is trusted based on the repository’s settings. Effective today, Actions will require validation of both the pull request author and the event actor to determine if a workflow should run from a pull request event originating from a forked repository. For more information on for pull request approvals, see our documentation.

New webhook rate limit

As GitHub continues to invest in availability, GitHub Actions is introducing a new webhook rate limit per repository. Each repository is now limited to 1500 triggered events every 10 seconds. For more details about the new webhook rate limit, please refer to our documentation.

Updates to the network allow list for self-hosted runners and Azure private networking

With the upcoming GA of Immutable Actions, Actions will now be stored as packages in the GitHub Container Registry. Please ensure that your self-hosted runner allow lists are updated to accommodate the network traffic. Specifically, you should allow traffic to ghcr.io and *.actions.githubusercontent.com. If you require more specific domains, you can use pkg.actions.githubusercontent.com instead of *.actions.githubusercontent.com.

This update also affects runners in all versions of GitHub Enterprise Server that use the GitHub Connect feature to download actions directly from github.com. Customers are advised to update their self-hosted runner network allow lists accordingly. For further guidance on communication between self-hosted runners and GitHub, please refer to our documentation.

Additionally, our guidance for configuring Azure private networking has been updated to account for the the addional domains. The following IP addresses have been add to the NSG template in our documentation.
– 140.82.121.33/32
– 140.82.121.34/32
– 140.82.113.33/32
– 140.82.113.34/32
– 140.82.112.33/32
– 140.82.112.34/32
– 140.82.114.33/32
– 140.82.114.34/32
– 192.30.255.164/31
– 4.237.22.32/32
– 20.217.135.1/32
– 4.225.11.196/32
– 20.26.156.211/32

See more

Copilot subscription-based network routing is now enforced

Network requests for Copilot are routed based on a user’s Copilot subscription. Requests for Copilot Individual, Copilot Business, and Copilot Enterprise users now route through different endpoints.

This change enables Copilot Business and Copilot Enterprise customers to make sure all Copilot users on their networks are accessing Copilot through their Copilot Business or Copilot Enterprise subscription, and that all Copilot user data is handled according to the terms of their Copilot Business or Copilot Enterprise agreement. In essence, customers will be able to use their network firewall to explicitly allow access to Copilot Business or Copilot Enterprise, and/or block access to Copilot Individual.

Today we enabled enforcement of the user’s subscription on the new endpoints, ensuring only Copilot Business users can connect to Copilot Business endpoints and only Copilot Enterprise users can connect to Copilot Enterprise endpoints.

Read more about subscription-based network routing here.

See more
View all changes