Changelog

Subscribe to all Changelog posts via RSS or follow GitHub Changelog on Twitter to stay updated on everything we ship.

~ cd github-changelog
~/github-changelog|main git log main
showing all changes successfully

Announcing TISAX for GitHub

GitHub is now a participant in TISAX with an Assessment Level 2 (AL2) label in the ENX Portal. TISAX is a recognized assessment and exchange mechanism for the German automotive industry, ensuring that companies meet specific information security requirements. It is based on the German Association of the Automotive Industry or Verband de Automobile (VDA) Information Security Assessment (ISA) catalog, which aligns most closely with ISO/IEC 27001.

What does this mean for me as a customer?

For our customers, this participation provides additional assurance that GitHub is a trusted partner in managing and securing their data. It opens new opportunities for customers who require TISAX participation to consider using GitHub Enterprise Cloud products, GitHub Copilot, and GitHub Actions.

Participating in the TISAX program at Assessment Level 2 means that GitHub has demonstrated the ability to adequately protect sensitive information in accordance with industry standards. This assessment level focuses on:

  • Information Security: Implementing robust security measures to prevent unauthorized data access and breaches.
  • Risk Management: Continuously identifying, evaluating, and mitigating potential risks to GitHub’s information systems.

The scope of the TISAX assessment, using the newly released VDA ISA version 6, is the same as the GitHub Information Security Management System (ISMS), which has already been assessed against ISO/IEC 27001:2013. To see the scope, you can review GitHub’s ISO/IEC 27001:2013 certification.

Customers who are interested and registered as TISAX participants with ENX can find the details of GitHub’s assessment via the ENX portal by searching for GitHub, our Assessment ID (APC0RT), or our AL2 scope ID (SY52MN).

If you have any questions or need more information about GitHub’s compliance practices, please visit the GitHub Trust Center.

See more

Repository level Actions Usage Metrics – public preview

Actions Usage Metrics is in public preview for all GitHub Enterprise Cloud customers at the repository level.

Actions Usage Metrics enables you to view data about your Actions workflow runs in your repositories. Launched initially at the Organization level, this dashboard helps teams identify opportunities to optimize pipelines and reduce wasted runtime minutes which, when addressed, can lead to faster runs and increased developer productivity.

To learn more about Actions Usage Metrics, check out our docs or head to our community discussion to ask questions and provide feedback.

See more

Evolving GitHub Issues (Public Beta)

GitHub Issues has been how the world’s best software teams collaborate since it first launched in 2009. Today we are excited to unveil a major evolution of issues and projects, featuring a range of highly requested enhancements including sub-issues, issue types and advanced search for issues. Together, these additions make it easier than ever to break down work, visualize progress, categorize and find just the right issue in GitHub.

These new features are now available in public beta for you to try. To gain access for your organization, please sign up here.

🔗 Break down and nest issues with sub-issues

Sub-issues allow you to break down and organize issues within a parent-child hierarchy. You can create sub-issues from any issue and use their nested structure to track progress and understand remaining work. You can also easily track sub-issues progress within your projects.

Learn more and share feedback on sub-issues.

📁 Organize your work with issue types

Issues types allow you to classify and manage your issues with a shared and consistent language across all repositories in an organization. You can quickly understand the progress of your bug backlog, find all of the high level initiatives teams are working on, and understand the breakdown of work in a project.

Issue types displayed as part of a repo index page

Learn more and share feedback on issue types.

From the repository issues page, you can build advanced searches using the AND and OR keywords and parentheses for nested searches. This allows you to build more complex filters to find the exact set of issues you’re looking for.

A user searches for type bug OR type task

Learn more and share feedback on advanced search for issues.

🎨 Issues UI updates

All these new features are based upon an update to the issues front end, designed to be fast and familiar. This means there are no new UI patterns to slow you down, but we did include a few tweaks to speed you up, including:

  • The issues index page has a new filter bar with autocomplete and syntax highlighting.
  • Creating multiple issues is faster with a ‘create more’ option to quickly get back to the creation screen.
  • Issue form and templates are now presented in alphabetical order based on file name, making it easier for you to set just the right order.
  • Easily share the URL to an issue with a new ‘copy link’ button.
  • On long issues, selecting ‘load more’ will now fetch 150 events instead of 50.

Learn more and share feedback on the updated issues UI.

♾️ Increased items in GitHub Projects

Earlier this year, we introduced the private beta of increased project item limits, expanding the capacity from 1,200 to 50,000 items in a project. Today, we’re expanding the audience for these increased limits.

Since the private beta, we’ve added support for slice by, swimlanes, and GraphQL API. We’ve also fixed your top bug reports and made performance improvements.

If you’re a project admin and your project is approaching the item limit without utilizing Insights (our only currently unsupported feature), a banner will appear over your project to notify you.

As this update is on a project by project basis rather than per organization, to join, just click the “Join waitlist” button on eligible projects.

Learn more and share feedback on increased items in projects.

✍️ We want your feedback – join the public beta

Join here and let us know your feedback!

See more

GitHub Copilot now available for Copilot Individual and Copilot Business (Public Beta)

With a subscription to Copilot Individual or Copilot Business, you can now access Copilot in GitHub.com, allowing you to:

  • Discover codebases on GitHub effortlessly using powerful natural language code search using Copilot Chat.
  • Streamline development processes by receiving suggestions to resolve build failures and summarizing changes in pull requests.
  • Quickly get up to speed with the help of Copilot through summaries and key takeaways from discussions, issues, pull requests and more.
    These features are also now available in GitHub Mobile for all Copilot users.

If you’re enrolled into our recently announced o1 model limited beta, you can experiment with o1-preview and o1-mini directly in GitHub.com. To gain access to o1, please visit the waitlist.

Image

Finally, you can now open Copilot Chat by clicking on the floating Copilot icon in the bottom left corner of the GitHub.com interface.
Image

Join the discussion and let us know what you think on the  GitHub Community.

See more

Bring Your Own Identity Provider to Enterprise Managed Users

GitHub Enterprise Cloud’s open support for the System for Cross-domain Identity Management (SCIM) specification is now generally available for Enterprise Managed Users (EMUs). This allows administrators to mix and match their preferred choices of SAML and SCIM identity systems, providing the flexibility required to meet access management needs.

This release also includes significant improvements for security and auditing:
– A new reduced personal access token (PAT) scope, scim:enterprise, now lets you grant a least privilege, enterprise-level permission set just for read and write access to GitHub’s EMU SCIM API. Use of the admin:enterprise PAT scope is no longer required or recommended.
– New audit log entries exist for SCIM events to enable debugging of any provisioning failures with SCIM APIs.

Learn more about lifecycle management of Enterprise Managed Users with the SCIM API.

See more

Introducing “CI/CD Admin” – A New Pre-Defined Organization Role for GitHub Actions

We are excited to introduce the CI/CD Admin role, a pre-defined organization role designed to streamline the management of settings and policies for GitHub Actions.

In March 2024, GitHub announced fine-grained permissions for Actions, which organizations could apply to custom roles. However, organizations are limited to 10 custom roles, and many customers prefer not to use these slots for an all-encompassing CI/CD role that requires ongoing updates as new permissions are added.

With the new CI/CD Admin role, organization owners and teams can now delegate comprehensive CI/CD management to individuals without the need to maintain a custom role. This pre-defined role, maintained by GitHub, includes the following permissions:

  • Actions general settings
  • Organization runners and runner groups
  • Actions secrets
  • Actions variables
  • Network configuration
  • Actions usage metrics

For more details about pre-defined organization roles and the fine-grained permissions included in the CI/CD Admin role, please refer to our documentation.

See more

CodeQL 2.19.0: TypeScript 5.6 and Go 1.23 support, new queries for JavaScript and Ruby

CodeQL version 2.19.0 has been released and has now been rolled out to code scanning users on GitHub.com. CodeQL is the static analysis engine that powers GitHub code scanning.

Important changes by version include:

  • CodeQL 2.18.2
    • Support for scanning Java codebases without needing a build is generally available.
    • The Python py/cookie-injection query, which finds instances of cookies being constructed from user input, is now part of the main query pack.
    • One new query for Ruby rb/weak-sensitive-data-hashing, to detect cases where sensitive data is hashed using a weak cryptographic hashing algorithm.
  • CodeQL 2.18.3
    • New C# models for local sources from System.IO.Path.GetTempPath and System.Environment.GetFolderPath.
  • CodeQL 2.18.4
    • Support for scanning C# codebases without needing a build is generally available.
    • Support for Go 1.23.
  • CodeQL 2.19.0
    • Support for TypeScript 5.6.
    • One new query for JavaScript js/actions/actions-artifact-leak to detect GitHub Actions artifacts that may leak the GITHUB_TOKEN token.
    • A 13.7% evaluator speed improvement over CodeQL 2.17.0 release.

For a full list of changes, please refer to the complete changelog for versions 2.18.2, 2.18.3, 2.18.4 and 2.19.0.

All new functionality from 2.18.Z releases will be included in GHES 3.15, while functionality from 2.19.0 will be included in GHES 3.16. If you use GHES 3.14 or older, you can upgrade your CodeQL version.

See more

Actions: new images and ubuntu-latest changes

Ubuntu 24 for GitHub-hosted runners is now GA

The Ubuntu 24.04 image for Actions is now generally available. To use Ubuntu 24 directly on your GitHub-hosted runners update runs-on: in your workflow file to ubuntu-24.04.

jobs:
  build:
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-dotnet@v4
      - name: Build
        run: dotnet build
      - name: Run tests
        run: dotnet test

The Ubuntu 24.04 runner image has different tools and tool versions than Ubuntu 22.04.

ubuntu-latest migration

The ubuntu-latest label will migrate to Ubuntu 24 over the course of the next month, beginning September 23rd and finishing on October 30th. During migration, you can determine if your job has migrated by viewing the “Runner Image” information in the “Set up job” step of your Actions logs.

macOS 15 for GitHub-hosted runners in Public Beta

The macOS 15 image for Actions is now available in public beta. To use macOS 15 directly, update runs-on: in your workflow file to macos-15, macos-15-xlarge, or macos-15-large.

jobs:
  build:
    runs-on: macos-15
    steps:
      - uses: actions/checkout@v4
      - name: Build
        run: swift build
      - name: Run tests
        run: swift test

The macOS 15 runner image has different tools and tool versions than macOS 14.

To view the list of installed software for each image, or report issues, head to the runner-images repository.

See more

End of life for Actions Node16

Following our change to default customers to use Node20, Node16 will reach end of life in the Actions runner on the 15th of October 2024.

From the 15th of October, we will no longer include Node16 in the Actions runner and customers will no longer be able to use Node16 Actions or operating systems that do not support Node20.

To prevent disruption to your Actions workflows, if you’re an Actions maintainer, update your actions to run on Node20 instead of Node16. If you’re an Actions user, update your workflows with latest versions of the actions, which run on Node20.

Learn more about Actions configuration settings or using versions for Actions. Join the discussion within GitHub Community.

See more

Enhanced billing platform for enterprises

Starting today, existing GitHub Enterprise customers will begin to transition to the enhanced billing platform.

What is the enhanced billing platform?

The enhanced billing platform is a suite of new features designed to help administrators understand and manage GitHub spend for their enterprise. Benefits of the new platform include:

  • Cost allocation – create cost centers to allocate spend to different Azure subscriptions
  • Spend transparency – view usage for organizations, repositories, products, cost centers, and SKUs by hour, day, month, or year
  • Improved control – set budgets to limit spending and configure alerts to stay informed of budget utilization

View of the usage page of the enhanced billing platform

What to expect

Existing enterprises will gain access to the enhanced billing platform on a rolling basis, and all enterprises will have access by March 2025. You will be informed via email as well as through an in-app banner on the billing page in advance of the transition .

Here are some things to know about the transition:
– Once transitioned, a new Billing & Licensing section will appear in the enterprise account menu.
Spending limits will be migrated and renamed as budgets in the new billing platform. For more details about budgets, visit “Preventing overspending.”
– While the new billing platform will not visually display historical usage, you will be able to download a usage report to get your pre-transition historical usage.

Other important changes

  • Git Large File Storage will transition from prepaid, quota-based data packs to a usage-based metered billing model. If you use Git Large File Storage today, you’ll receive credits for any unused data packs. For more information, visit “About enhanced billing for Git Large File Storage.”
  • Note: some billing-related APIs will no longer work or will work differently, and the relevant API documentation will be updated to reflect this information. In the coming weeks, there will be a separate changelog post that summarizes these changes. For more information about the billing API, visit “REST API endpoints for enterprise billing.”

Learn more

For more information, visit “Using the enhanced billing platform for enterprises” or join the GitHub Community discussion.

See more

Updates to repository enterprise policy, ruleset and custom properties

Recent improvements to enterprise repository policy, rulesets, and custom properties now ensure a more consistent, intuitive experience, making it easier for you to navigate and accomplish your tasks efficiently.

  • Enterprise repository policy page has been renamed to “Member privileges” to align the page title with the current URL path, API endpoints and the corresponding organization setting.

Screenshot of member privileges

  • Repository rulesets now support enterprise owners as a bypass actor, ensuring your most privileged roles across your enterprise can bypass rulesets.

Screenshot of ruleset bypass with enterprise owners

Screenshot of additional repository property section

We want to hear from you

Questions or suggestions? Join the conversation in the community discussion.

See more

Heading elements have been added to Project board views to improve screen reader page navigation

Headings have been added to GitHub Projects’ board layout.

Each column’s title is now a second level heading, and each card’s title is a third level heading. We hope this update helps make navigation via screen reader easier and more intuitive for this experience.

An example project, placed in board layout. Each column of the board has a unique title, and contains multiple cards that communicate different initiatives. Each card also has a distinct title.

This update affects all GitHub plans, and is part of GitHub’s ongoing commitment to accessibility.

Feedback welcome

You can reach out to us in the GitHub Community discussions. Your feedback is invaluable as we continue on our journey to create an inclusive and accessible environment for all.

See more

Enhanced security overview dashboard – detection, remediation, and prevention at the forefront

Now, you can view Prevention metrics alongside Detection and Remediation metrics and in an enhanced security overview dashboard. This update is available at both the organization and enterprise levels.

New prevention tab on the security overview dashboard

New to the dashboard, the Prevention insights tab highlights CodeQL pull requests alerts and will soon include secret scanning push protection insights. It’s designed to help you shift from merely responding to vulnerabilities to actively preventing them, the ultimate goal in application security. With this dashboard, you and your team can proactively keep vulnerabilities at bay, successfully blocking threats before they ever reach production.

Deep dive into the CodeQL pull request alerts

For a deeper analysis, the new CodeQL pull request alerts report is also available at both the organization and enterprise levels. This report allows you to:

  • Track historical metrics for CodeQL pull request alerts
  • Monitor code as it progresses from feature branches to the default branch
  • Analyze metrics by CodeQL rule, autofix status, and repository

The enhanced dashboard is now generally available on GitHub Enterprise Cloud and will be available in GitHub Enterprise Server 3.16.

Learn more about pull request alerts and join the discussion within the GitHub Community

See more

Sign up for OpenAI o1 access on GitHub

You can now join the waitlist for early access to OpenAI o1 for use in GitHub Copilot in Visual Studio Code and GitHub Models. The waitlist is currently available to all Copilot users.

Join the waitlist for access to OpenAI o1 on GitHub.

In Visual Studio Code, you can choose to use o1-preview or o1-mini to power GitHub Copilot Chat in place of the current default model, GPT-4o.

Note: to access this feature, you’ll need to be on VS Code Insiders with the latest pre-release version of the Copilot Chat extension.

Model Picker in Visual Studio Code

In GitHub Models, you can use o1 models both in the playground and via the API. GitHub Models is currently in limited preview and you can sign up for access today.

OpenAI o1 in GitHub Models Playground

Access to these models will roll out progressively while in preview and usage will be rate-limited.

Join the discussion and share feedback with us via Discussions.

See more

Enable secret scanning for non-provider patterns for enterprises with the REST API

GitHub Advanced Security customers using secret scanning can now use the REST API to enable or disable support for non-provider patterns at the enterprise level. This enables you to manage your enterprise settings programatically.

The following endpoints have been updated:
Get code security and analysis features for an enterprise: check if non-provider patterns are enabled for the enterprise
Update code security and analysis features for an enterprise: enable or disable non-provider patterns for all new repositories in an enterprise
Enable or disable a security feature: enable or disable non-provider patterns for all existing repositories in an enterprise

Non-provider patterns scans for token types from generic providers, like private keys, auth headers, and connection strings.

Learn more about secret scanning and non-provider patterns.

Join the community discussion and share feedback with us in this dedicated community post.

See more

Secret scanning indicates known public leaks and duplicate alerts for private exposures (public beta)

To help you triage and remediate secret leaks more effectively, GitHub secret scanning now indicates if a secret detected in your repository has also leaked publicly with a public leak label on the alert. The alert also indicates if the secret was exposed in other repositories across your organization or enterprise with a multi-repo label.

These labels provide additional understanding into the distribution of an exposed secret, while also making it easier to assess an alert’s risk and urgency. For example, a secret which has a known associated exposure in a public location has a higher likelihood of exploitation. Detection of public leaks is only currently supported for provider-based patterns.

The multi-repo label makes it easier to de-duplicate alerts and is supported for all secret types, including custom patterns. Both indicators apply only for newly created alerts.

In the future, GitHub will surface locations of the known public leak, as well as repository names with duplicate alerts. This metadata will also be surfaced via the REST API and webhooks.

Learn more

Learn more about how to secure your repositories with secret scanning. Let us know what you think by participating in a GitHub community discussion or signing up for a 60 minute feedback session.

See more

New commit details page (public beta)

A new version of the commit details page is now available in public beta!

This new page, which is enabled by default, lets you quickly understand and navigate the changes in a commit with improvements to filtering, commenting, and keyboard navigation.

Screen shot of the new commit details page that shows the metadata about the commit, a file tree showing the 3 files changed by the commit, diff snippets for each of the changed files, and a floating comment

What’s new 🎉

Here are a few of the noteworthy changes:

  • Floating comments: Code comments float over the diff when selected. To select, click on the commenter’s avatar to the right of the line.
  • Comment counts: To help you identify files with comments, the number of comments for a file now appears in the file tree.
  • Keyboard navigation within diffs: You can now navigate around changed lines in the diff using the up and down keys on your keyboard. A new context menu also makes it easier to comment, copy, and select.
  • Quick view switching: Switching between unified and split views no longer reloads the page.
  • Filter by file extension: Easily filter changed files by file extension in the diff to see the content most relevant to you.
  • Filtered out diffs hidden: When filtering the file tree, diffs are filtered as well, allowing you to reduce distraction and see the files you care about most.

Next steps 📣

To give feedback, ask questions, or report a bug join us in the feedback discussion.

To opt out of the preview, go the Feature Preview dialog on your profile, select New Commit Details Page, and click Disable.

To learn more about viewing commits, see About commits.

See more

New advanced filters for code security configurations

When reviewing code security configurations, you can now more easily filter repositories with new filter options.

The new filters allow you to sort repositories based on the status of specific features or GHAS itself:

  • advanced-security:enabled
  • dependabot-alerts:enabled
  • dependabot-security-updates:enabled
  • code-scanning-alerts:enabled
  • code-scanning-default-setup:enabled
  • code-scanning-pull-request-alerts:enabled
  • secret-scanning-alerts:enabled
  • secret-scanning-push-protection:enabled

Note that :disabled also works for each of the filters above to achieve the inverse.

Additionally, you can filter based on whether or not a repository is eligible for code scanning default setup:
– code-scanning-default-setup:eligible
– code-scanning-default-setup:not-eligible

These filters are available for organizations with GitHub Advanced Security (GHAS) enabled, and are only available in the UI at this time.

Learn more about code security configurations and send us your feedback.

See more

Now available for free on all public repositories: Copilot Autofix for CodeQL code scanning alerts

Now you can remediate existing security issues in your public repositories faster with Copilot Autofix for CodeQL alerts. Following our general availability release for all Advanced Security customers, Copilot Autofix for CodeQL alerts is now generally available (GA) for all public repositories, for free.

Powered by GitHub Copilot, this feature provides automatic fixes for vulnerabilities found by CodeQL, both on pull requests and for historical alerts that already exist in a codebase.

Importantly, you stay in full control of your codebase: Copilot Autofix will try and suggest fixes for CodeQL alerts in pull requests, but it’s ultimately up to you to decide whether you wish to accept Copilot’s suggestion wholly, partially, or not at all. The same applies to historical alerts in a codebase: you can request an autofix from Copilot, then review it, and decide whether you want to open a PR with the fix suggestion or commit straight to the affected branch (or neither).

Example of Copilot Autofix generation on the alert page

Copilot Autofix is available for all public repositories that use code scanning CodeQL, and is enabled by default for alerts on PRs. It does not generate additional notifications. If you would like to enable Copilot Autofix on your organization’s private repositories, please have a look at this blog post where we announce Autofix for GitHub Advanced Security.

For more information, see: About Copilot Autofix for CodeQL code scanning. If you have feedback for Copilot Autofix for code scanning, please join the discussion here.

See more
View more changes