Secret scanning expands default pattern and push protection support

GitHub regularly updates the default pattern set for secret scanning with new patterns and upgrades of existing patterns, ensuring your repositories have comprehensive detection for different secret types.

The following new patterns were added over the last few months. Secret scanning automatically detects any secrets matching these patterns in your repositories. See the full list of supported secrets in the documentation.

| Provider | Token |
| --- | --- |
| Bitrise | bitrise_personal_access_token |
| Bitrise | bitrise_workspace_api_token |
| Buildkite | buildkite_user_access_token |
| LinkedIn | linkedin_client_secret |
| Mailersend | mailersend_smtp_password |
| Naver Cloud | navercloud_gov_access_key |
| Naver Cloud | navercloud_gov_access_key_secret |
| Naver Cloud | navercloud_gov_sts |
| Naver Cloud | navercloud_gov_sts_secret |
| Naver Cloud | navercloud_pub_access_key |
| Naver Cloud | navercloud_pub_access_key_secret |
| Naver Cloud | navercloud_pub_sts |
| Naver Cloud | navercloud_pub_sts_secret |
| Neon | neon_api_key |
| Neon | neon_connection_uri |
| Pangea | pangea_token |
| Planning Center | planning_center_oauth_access_token |
| Planning Center | planning_center_oauth_app_secret |
| Planning Center | planning_center_personal_access_token |
| Ramp | ramp_client_id |
| Ramp | ramp_client_secret |
| Ramp | ramp_oauth_token |
| RunPod | runpod_api_key |
| Sourcegraph | sourcegraph_access_token |
| Sourcegraph | sourcegraph_dotcom_user_gateway |
| Sourcegraph | sourcegraph_instance_identifier_access_token |
| Sourcegraph | sourcegraph_license_key_token |
| Sourcegraph | sourcegraph_product_subscription_token |

The following existing patterns were upgraded to be included in push protection. When push protection is enabled, secret scanning automatically blocks any pushes that contain a secret matching these patterns.

| Provider | Token |
| --- | --- |
| Atlassian | atlassian_jwt |
| Azure | azure_web_pub_sub_connection_string |
| Azure | microsoft_corporate_network_user_credential |
| Azure | azure_app_configuration_connection_string |
| Beamer API Key | beamer_api_key |
| Checkout.com | checkout_test_secret_key |
| Duffel | duffel_test_access_token |
| Dynatrace | dynatrace_internal_token |
| eBay | ebay_sandbox_client_id, ebay_sandbox_client_secret |
| Frame.io | frameio_jwt |
| Google | google_oauth_refresh_token |
| Google | google_oauth_access_token |
| Lob | lob_test_api_key |
| Mailgun | mailgun_api_key |
| Notion | notion_oauth_client_secret |
| Pulumi | pulumi_access_token |
| RubyGems | rubygems_api_key |
| Sentry | sentry_integration_token |
| Sentry | sentry_org_auth_token |
| Sentry | sentry_user_app_auth_token |
| Sentry | sentry_user_auth_token |
| Shopee | shopee_open_platform_partner_key |
| Shopify | shopify_app_client_credentials |
| Shopify | shopify_custom_app_access_token |
| Shopify | shopify_partner_api_token |
| Shopify | shopify_private_app_password |
| Square | square_access_token |
| Square | square_production_application_secret |
| Square | square_sandbox_application_secret |
| SSLMate | sslmate_api_key |
| SSLMate | sslmate_cluster_secret |
| Stripe | stripe_test_secret_key |
| Tableau | tableau_personal_access_token |
| WorkOS | workos_staging_api_key |
| Yandex | yandex_dictionary_api_key |
| Yandex | yandex_cloud_api_key |

Learn more about securing your repositories with secret scanning.

The Copilot extension for GitHub Models now requires the models:read permission in order to access GitHub Models APIs. Users will need to reauthorize the extension by accepting the new permission via the email notification sent from GitHub.

This change follows our March 18 changelog, which announced that GitHub Apps and fine-grained PATs accessing GitHub Models would require the models:read permission.

If the updated permission is not granted, functionality like @models in chat may stop working.

To learn more about GitHub Models, check out the docs. You can also join our Community discussions.


Now in public preview, Windows arm64 hosted runners are available for free in public repositories. This runner comes with a Windows 11 Desktop image, fully equipped with all the tooling you need to quickly get started running your workflows. Following the release of Linux arm64 hosted runners in January, this now extends arm64 support to Windows for the open source community. These four-vCPU runners provide a power-efficient compute layer for your Windows workloads. Arm-native developers can now build, test, and deploy entirely within the arm64 architecture without the need for virtualization on their Actions runs.

How to use the runners

To leverage the arm64 hosted runners, add the following label in your public repository workflow runs:

  • windows-11-arm

Please note that this label will not work in private repositories—the workflow will fail if you add it. All runs in public repositories will adhere to our standard runners usage limits, with maximum concurrencies based on your plan type. While the arm64 runners are in public preview, you may experience longer queue times during peak usage hours.
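A workflow using the label, as an added example that is not part of the original changelog: the job is skipped rather than failed when the repository is private, and the token is limited to read access. The workflow name, job name and step names are illustrative assumptions; only the windows-11-arm label comes from this page.

```yaml
# Added example: everything except the windows-11-arm label is illustrative.
name: windows-arm64-build

on: [push, pull_request]

# Least-privilege token: the job only needs to read the repository.
permissions:
  contents: read

jobs:
  build-arm64:
    # The label fails in private repositories, so skip the job there
    # (for example in a private mirror of a public repository).
    if: ${{ !github.event.repository.private }}
    runs-on: windows-11-arm
    # Bound the job's execution time once it has started.
    timeout-minutes: 30
    steps:
      - uses: actions/checkout@v4
        with:
          # Do not leave the token in the local git config after checkout.
          persist-credentials: false
      - name: Show runner architecture
        shell: pwsh
        run: |
          Write-Host "OS architecture: $([System.Runtime.InteropServices.RuntimeInformation]::OSArchitecture)"
          Write-Host "Process architecture: $env:PROCESSOR_ARCHITECTURE"
```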

Images for arm64 larger runners

In partnership with Arm, there is now a Windows 11 desktop arm64 image with preinstalled tools available for all GitHub runner sizes, including both the new free offering and our existing arm64 larger runners. To use the new image on larger runners, you can create a new runner and select the Microsoft Windows 11 Desktop by Arm Limited image in the Images console.

To view the list of installed software, give feedback on the image, or report issues, visit the partner-runner-images repository.

Get started today!

To get started building for Windows on arm64 for free, simply add the new label to the runs-on syntax in your public Actions workflow file. For more information on arm64 runners and how to use them, see our documentation and join the conversation in the Community discussion.