Mobile monthly: February’s general availability and more

What's New in Mobile

January and February brought a number of improvements to GitHub Mobile, making it more powerful and flexible. We’re rolling out exciting new features designed to make coding and collaboration easier on the go. From third-party integrations that extend GitHub Copilot’s capabilities to in-chat coding assistance, sub-issues, and refined notification preferences, these updates are designed to boost productivity and keep you connected wherever you are.

What’s new:

Copilot Chat is now available for Free on GitHub Mobile

  • Introducing GitHub Copilot Chat to all users on GitHub Mobile for free. Just tap the Copilot button to start getting answers for coding questions, or chat about issues, pull requests, and repositories wherever you are.
  • Copilot Extensions on GitHub Mobile are generally available. Developers can extend Copilot’s capabilities on the go, integrating third-party tools, automating tasks, and receiving personalized code suggestions.
  • Introducing sub-issues on GitHub Mobile. Track progress and understand remaining work within a parent-child hierarchy on the go.
  • Review your notification preferences: from time to time, we’ll ask that you check in on your notification preferences to ensure that you’re receiving the kinds of notifications you want, at times you want to receive them.

iOS bug fixes:

  • Widgets reflect the accent color when tinted.
  • Add reactions to the latest release in the Releases view.
  • Inbox swipe actions get dismissed before entering batch selection mode.
  • In the Explore view, avatars load correctly with transparent background.
  • In the Issue view, remove an extra animation when data loads.
  • Navigate content in the Explore view’s “For You” feed using assistive technologies.
  • Pull request reviews from Copilot code review show the “Copilot” brand name.
  • Clearing a field used for a grouping within a project re-groups content without duplicate group titles.
  • Fixed an issue where the search bar was improperly updated during text input with marked text in Japanese or Chinese input methods.
  • Fixed an issue where pull-to-refresh in discussions failed to refresh data and the loading indicator remained stuck.
  • The pull request widget responds to user-specified tints.
  • Issues in archived repositories no longer show update actions.
  • Code vulnerability alerts in Copilot chat are no longer duplicated.
  • Indented code blocks in Copilot chat display within a chat response.
  • Nested lists in markdown content display with less indentation when viewed with larger text sizes.
  • Issues and pull requests display their issue or pull request number when scoped to a single repository.
  • Shortcuts scoped to a single repository will no longer list the repository name for each issue or pull request.

Android bug fixes:

  • Improved scrolling performance for lists where list items contain web views.
  • The correct default commit message now appears when creating a new file in a repository.
  • Improved line wrapping in the Code view.
  • Various sub-issues design tweaks and improvements.
  • Fixed file header appearance in pull request reviews.
  • Pull request reviews now display the correct submission date.
  • Anchor links in markdown files will now scroll to the correct position.
  • The delete branch button will now be shown after closing a pull request.
  • Bots are now mentionable in pull request reviews if they are the author.

Learn more about GitHub Mobile and share your feedback to help us improve.

Join the discussion within GitHub Community.

CodeQL version 2.20.5 has been released and includes a host of coverage improvements, including extended support for C# 13 and new detection capabilities for Java and GitHub Actions workflow files.

CodeQL is the static analysis engine that powers GitHub code scanning, which finds and remediates security issues in your code.

CodeQL 2.20.5 adds full support for new language features introduced in C# 13 / .NET 9, as well as improved coverage for .NET 9. This will improve the detection of alerts and reduce the chance of false negative results.

CodeQL Java analysis is improved with additional support for Cross Site Request Forgery (CSRF). The new analysis capability detects vulnerabilities that occur when using HTTP request types that are not protected against cross site requests by default.

Go analysis has been updated to support Go 1.24, which includes new language features and improvements. This will improve the detection of alerts and reduce the chance of false negative results.

For a full list of changes, please refer to the complete changelog for version 2.20.5. Every new version of CodeQL is automatically deployed to users of GitHub code scanning on GitHub.com. The new functionality in CodeQL 2.20.5 will also be included in GitHub Enterprise Server (GHES) version 3.17. If you use an older version of GHES, you can manually upgrade your CodeQL version.


We recently launched analysis capabilities for GitHub Actions workflow files in public preview.

With the release of CodeQL 2.20.5, we are expanding the analysis capabilities to detect additional types of security risks associated with Actions workflow files and we have adjusted some of the existing queries.

The analysis coverage is improved with the addition of five new queries that identify additional types of security risks associated with Actions workflow files. The new queries are:

  • actions/envpath-injection/medium detects situations where user-controlled sources (like the text of a GitHub issue) are used to populate the PATH environment variable. This could allow an attacker to alter the execution of system commands.
  • actions/envvar-injection/medium detects situations where environment variables which are not properly sanitized can lead to the injection of additional unwanted variables, using new lines or {delimiters}.
  • actions/code-injection/medium detects situations where user-controlled input can end up in contexts like run: or script:, leading to malicious code being executed and secrets being leaked.
  • actions/artifact-poisoning/medium detects situations where artifacts are not correctly extracted, stored and verified, which could result in a poisoned artifact being executed, leading to repository compromise.
  • actions/untrusted-checkout/medium detects situations where workflows triggered by events like pull_request_target or issue_comment can execute arbitrary code from untrusted sources, if followed by an explicit checkout.
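
Two of the risks listed above (code injection through run: and environment variable injection), shown as a constructed workflow with the risky pattern beside a hardened form. This is an added example, not taken from the changelog or from CodeQL's own material; the workflow, job and step names and the ISSUE_BODY variable are assumptions.

```yaml
# Constructed workflow for illustration; not from a real repository.
name: issue-triage-example
on:
  issues:
    types: [opened]
permissions:
  contents: read

jobs:
  flagged:
    runs-on: ubuntu-latest
    steps:
      # code-injection pattern: the expression is expanded into the script
      # text before the shell starts, so the issue title is parsed as shell.
      - name: Log title (unsafe)
        run: echo "title=${{ github.event.issue.title }}"

      # envvar-injection pattern: the body may contain newlines, and each
      # extra line written to GITHUB_ENV defines another variable for
      # later steps. ISSUE_BODY is a hypothetical variable name.
      - name: Export body (unsafe)
        env:
          BODY: ${{ github.event.issue.body }}
        run: echo "ISSUE_BODY=$BODY" >> "$GITHUB_ENV"

  hardened:
    runs-on: ubuntu-latest
    steps:
      # Pass the value through env and quote it: the shell sees data only.
      - name: Log title
        env:
          TITLE: ${{ github.event.issue.title }}
        run: printf 'title=%s\n' "$TITLE"

      # Collapse the value to one line before writing it to GITHUB_ENV.
      - name: Export body
        env:
          BODY: ${{ github.event.issue.body }}
        run: |
          clean=$(printf '%s' "$BODY" | tr -d '\r\n')
          printf 'ISSUE_BODY=%s\n' "$clean" >> "$GITHUB_ENV"
```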

Because of its lower precision and the large number of alerts it generates, the query actions/unpinned-tag has been moved to the security-extended query suite from the default query suite, and all existing alerts for this query will be automatically closed if the security-extended suite is not being used.

Three queries have been removed from the default and security-extended query suites because they do not produce relevant security alerts. Alerts generated by these queries will be closed automatically.

These changes are now available with the release of CodeQL 2.20.5. For a full list of changes, please refer to the complete changelog for version 2.20.5. Every new version of CodeQL is automatically deployed to users of GitHub code scanning on GitHub.com. The new functionality in CodeQL 2.20.5 will also be included in GitHub Enterprise Server (GHES) version 3.17. If you use an older version of GHES, you can manually upgrade your CodeQL version.
