Skip to content

api

Subscribe to all “api” posts via RSS or follow GitHub Changelog on Twitter to stay updated on everything we ship.

~ cd github-changelog
~/github-changelog|main git log main
showing all changes successfully

GitHub Enterprise Cloud administrators may need to review external identity information via the GraphQL API. Historically, this has required a token with the admin:org or admin:enterprise scope. We've taken a "least privilege" mindset in reviewing this flow and have now made this information available via the read:enterprise and read:org scopes for enterprise owner and organization owner actors.

For more information, see the GraphQL API documentation for Enterprise and Organization SAMLIdentity objects.

See more

Organization owners can now automate the approval and auditing of fine-grained personal access tokens (PATs) in their organization using a GitHub app. New APIs and webhook events allow a GitHub app to be notified of new PAT requests in an organization, review the request, and then approve or deny the PAT. They also provide a view of all approved fine-grained PATs for an organization, with the ability to revoke their authorization as well. These APIs and events are part of the ongoing fine-grained PAT public beta that launched last year.

Mermaid diagram indicating how a request from a user triggers a webhook event to an app, who can then review the request and choose to approve it. Later, the application can review all approved PATs, and choose to revoke one, resulting in an email notification to the user who created the PAT.

Details included in the webhook event and API listings include the repositories and permissions requested, the expiration time of the token, and the user's explanation for what they plan to do with the PAT. The personal_access_token_request events are generated when a request is created, approved or denied by an administrator or application, or cancelled by the requesting user.

Only a GitHub app is able to call these APIs, either acting on its own or on behalf of a signed-in organization administrator.
The organization_personal_access_tokens permission is needed to manage the active tokens, while the organization_personal_access_token_requests permission enables the app to recieve webhooks about requests and call the request management APIs.

Organizations must have the personal access token approval flow enabled in order to manage these requests, otherwise fine-grained personal access tokens are automatically approved for the organization (which generates a personal_access_token_request: approved event).

To learn more about these APIs, see "List requests to access organization resources with fine-grained PATs" and the "personal_access_token_request webhook event". To learn more about fine-grained PATs, and how to enable them for your organization, see "Setting a personal access token policy for your organization".

If you have feedback or bugs to report about fine-grained PATs, please let us know in the dedicated feedback discussion.

See more

We are preparing to bring powerful new code search capabilities to GitHub. As part of that effort, on April 10, 2023, we will make several changes to the code search API:

  • Code search rate limits will be separated from the rate limits for other search types. The separate code search category will have a rate limit of 10 requests per minute.
  • We are deprecating support for sorting code search results. Once these changes take effect, all code search results will be sorted by best match.
  • All code search API endpoints will require authentication. This change only affects repository scoped queries, because all other query types already require authentication.

To prepare for these changes, make sure your code handles rate limiting. And if you’re using code search to track changes or find security vulnerabilities in your codebase, consider using webhooks or GitHub Advanced Security.

These changes will take effect in 30 days, on April 10, 2023.

See more

The Custom Repository Roles REST API has moved to general availability, with a breaking change to the path used.
Previously, the API was found at /orgs/{org}/custom_roles – it has been moved to /orgs/{org}/custom-repository-roles. With organization-level custom roles in progress, we found that the custom_roles path was wasn't specific enough and could generate confusion.
The deprecated beta API will be removed from api.github.com in 6 months, on September 7th, 2023.
On GitHub Enterprise Server, the API will be available at its new path in version 3.9. The previous API to list roles was added in GHES 3.4, and will be removed with the next API version.

To learn more about custom repository roles, see "About custom repository roles" and "Custom repository roles REST API".

See more

What’s new?

This feature makes it easier to enable Dependabot alerts and check enablement status across all your repositories at an enterprise level, with updates across both enablement UI and APIs. These updates will ship today for GitHub.com and will ship for GitHub Enterprise Server users in 3.9.

Changes to the REST API

Dependabot alerts have been added to existing endpoints:

‘Code security and analysis’ settings

You can also adjust your enablement settings from your enterprise settings page (under ‘code security and analysis’). Options include enable all, disable all, and enable for new repositories for your enterprise.

Enable Dependabot alerts

Learn more about Dependabot alerts

See more

Today’s Changelog brings you updates to workflows, roadmaps, our API and makes cross organization projects a breeze!

➕ Automatically add items from multiple repositories

Last month, we shared the latest automation to help you automatically add relevant items to your project! However, if your project pulls from multiple repositories, this wasn’t enough. Today, we’re shipping the ability to create up to 3 copies of the auto-add workflow.

After configuring and enabling the initial auto-add workflow, open the context menu in the workflow list and select Duplicate workflow to create a new auto-add workflow.

Note Multi-repository auto-add is currently only shipped to Enterprise users

🗺 Reordering roadmap items

Alongside sorting your roadmap items by a field to organize your view, you can now reorder your items by dragging and dropping them in the table. Quickly make adjustments to the ordering of your items or move them to a different group altogether with the new drag-and-drop functionality.

↔️ Add cross-organization issues and pull requests to Projects

We’ve made it easier to use Projects across different organizations, previously this required pasting URLs to a project directly. With this improvement you can:

  • Search within different organizations for issues or pull requests directly from the omnibar. Just hit # followed by the organization name and a / to start searching within that organization.
  • Add items via the existing GraphQL API endpoint, addProjectV2ItemById, which will now accept an Issue or Pull Request from a different organization when adding to a Project.

a user searches for issues across organizations using the syntax org-name/repo-name

📊 Projects GraphQL API improvements

We’ve released new endpoints to our Projects GraphQL API providing the ability to create new projects, create project fields and delete project fields. Check out the docs below to find out more:

  • createProjectV2Field: https://docs.github.com/en/graphql/reference/mutations#createprojectv2field
  • deleteProjectV2Field: https://docs.github.com/en/graphql/reference/mutations#deleteprojectv2field
  • deleteProjectV2: https://docs.github.com/en/graphql/reference/mutations#deleteprojectv2

Bug fixes and improvements

  • Fixed a focus problem which caused the page to ‘jump’ when scrolling immediately after posting an issue comment.
  • Resolved a problem stopping TGZ file uploads working on Safari and Firefox.
  • Fixed file upload failures in Issue Forms when focus was quickly switched between markdown editors.
  • Fixed a bug where closed iterations couldn’t have their dates changed into the future
  • Fixed a minor bug where View tab width was incorrect when zoomed in
  • Fixed a small visual bug for Beta workflows where the pill was off-center

See how to use GitHub for project planning with GitHub issues, check out what’s on the roadmap, and learn more in the docs.

See more

Today’s changelog brings you the addition of colors and descriptions for single-select fields, as well as improvements to both roadmaps and tasklists!

🎨 Single-select field colors and descriptions

Make it easier for your team to scan projects and take action by adding color and descriptions to single select fields. To update a field, go to settings and select the pencil icon next to the custom single-select field you want to update.

🗺 Roadmaps improvements

If plans change and you need to make adjustments to your roadmap, you can now resize and move items between iterations. Drag and drop your items to quickly make your changes when using an iteration as a Date field on your roadmap.

You are also now able to resize the table in a roadmap view to create the space you need, similar to resizing a column in a table view.

Tasklists improvements

Tasklists are currently in private beta but we’re letting folks in as fast as we can. If you haven’t already, be sure to join the waitlist!

We’ve recently shipped the below improvements, so let us know what you think.
– Navigate via the side-panel when grouped by Tracked by
– Open and navigate in the side-panel by clicking the Tracks completion pill
– Automatically update your filter by clicking on the “Tracked by” text in the Tracked by field in board layout

Bug fixes and improvements

  • Leverage copyProjectV2 in the GraphQL API to copy a project
  • Manually reorder items on a sorted table view
  • Edit single-select fields directly from a board column with the new Edit details menu option
  • Auto-save single-select field changes in project settings

See how to use GitHub for project planning with GitHub Issues, check out what’s on the roadmap, and learn more in the docs.

See more

The actions and reusable workflows from private repositories can now be shared with other private repositories within the same organization, user account, or enterprise.
See managing the repository settings and managing the enterprise repository settings to allow access to workflows in other repositories.

We have also added the API support to configure Actions share policy. Refer to API support or API support for Enterprise for more details.

Learn more about Sharing actions and workflows from your private repository, Sharing actions and workflows with your organization, and Sharing Actions and workflows with your enterprise.

See more

Today, we’re introducing calendar-based versioning for the REST API to give API integrators a smooth migration path and plenty of time to update their integrations when we need to make occasional breaking changes to the API.

You can learn more in today’s blog post and on the new “API Versions” page in our docs.

If you’re using the REST API, you don’t need to take any action right now. We’ll get in touch with plenty of notice before we drop support for any old versions.

See more

Recently, GitHub added webhooks to our OpenAPI schema. Now, Webhook events and payloads in the GitHub documentation is built from the OpenAPI schema. The schema-generated documentation is more accurate and comprehensive and includes the payload structure for each event and action type.

Currently, the new webhook docs are available for the Free/Pro/Team and GitHub Enterprise Cloud plans. GitHub Enterprise Server and GitHub AE will get the new docs with the next version release.

Do you have ideas for improvement? Open a documentation issue to let us know.

See more

As part of the ongoing initiative to deprecate legacy global IDs, you will begin to see deprecation warnings for GraphQL node queries using the legacy ID format.

The deprecation warnings will look like this:

{
  "data": {
    "node": {
      "login": "ahoglund",
    }
  },
  "extensions": {
    "warnings": [
      {
        "type": "DEPRECATION",
        "message": "The id MDQ6VXNlcjM0MDczMDM= is deprecated. Update your cache to use the next_global_id from the data payload.",
        "data": {
          "next_global_id": "U_kgDOADP9xw"
        },
        "link": "https://docs.github.com"
      }
    ]
  }
}

This will not impact the data portion of the payload. We recommend using these deprecation warnings along with the X-Github-Next-Global-ID to begin migrating any of your caches that contain legacy IDs. More information on how to migrate can be found in our last update as well as in the GitHub documentation.

If you have any concerns about the rollout of this change impacting your usage of the GitHub GraphQL API, please contact us and include any relevant information, so that we can better assist you.

See more

We recently released organization-level API support that enables administrators to programmatically manage their organization-owned codespaces at scale. Today we're announcing that these APIs are generally available.

With organization APIs providing a wide range of management operations, organizations can seamlessly integrate GitHub Codespaces into their existing workflows to automate and manage their development processes at scale.

Organization-level APIs are generally available to GitHub Team and Enterprise Cloud plans. Here is a link to our documentation to get started:

See more

Organization administrators can now filter fine-grained personal access tokens (PATs) by their permissions in the organization settings UI. Both pending token requests and active tokens can be filtered by permission, such as issues_write and members_read.

image

After setting a filter, only tokens with that permission will be shown in the table.

To learn more about fine-grained PATs, see "Reviewing fine-grained personal access tokens" and "Managing requests for fine-grained personal access tokens".

See more

You can now retrieve all your Dependabot alerts at the GitHub enterprise level via the REST API. This new API endpoint supplements the recently introduced Dependabot alerts REST API, Dependabot alerts org-level REST API, and Dependabot alerts webhook.

For more information, see Dependabot alerts in the REST API reference or learn more about Dependabot alerts in our documentation.

See more

You can now retrieve all your Dependabot alerts at the GitHub organization level via the REST API. This new API endpoint supplements the recently introduced Dependabot alerts REST API and Dependabot alerts webhook.

This API is available on GitHub.com starting today and will also be available to GitHub Enterprise Server (GHES) users starting with version 3.8.

For more information, see Dependabot alerts in the REST API reference or learn more about Dependabot alerts in our documentation.

See more