Changelog

Commenting directly on a file in a pull request (not just a specific line) is now available in public beta! 🎉

With this capability you can now comment on deleted, binary (including images), and renamed files in a pull request. You can also comment generally about a changed code file without having to attach the comment to a specific line.

How it works

To comment on any file in a pull request, click the Comment on this file button in the header of the file (next to the Viewed checkbox):

Comments on files appear in the Files Changed and Conversation tabs and can be replied to and resolved like regular review comments.

Tell us what you think

This feature is currently in public beta, with GitHub Mobile and API support coming soon.

Join the discussion and let us know what you think!

See more

Projects on GitHub Mobile

Projects on GitHub Mobile are now available for iOS and Android! Find the projects you're working on through a repository, organization, or from your user profile. You can also easily change views in a project to browse your issues and pull requests grouped and organized just as you like.

Custom fields and metadata, such as status, category, priority, and iteration, are displayed as an easy-to-read list within a project item. Simply tap on the list to edit the fields, or long-press on a project item for further actions like closing it or previewing its content.

Update your GitHub Mobile apps today from the Android Google Play or iOS App Store.


Read more about GitHub Mobile and send us your feedback to help us improve.

See more

GitHub organization owners can now opt in to a public beta to display organization members' IP addresses in audit log events. When enabled, IP addresses will be displayed for all audit log events performed by organization members on organization assets other than public repositories, which will be treated differently due to privacy obligations.

The inclusion of IP addresses in audit logs helps software developers and administrators protect their systems and data from potential threats and improve their overall security posture by providing the source of an action or event within a system or network. This information is crucial for troubleshooting issues or investigating security incidents. IP addresses are often used in forensic investigations to trace the origin of cyberattacks, unauthorized access, or other malicious activities.

For additional information and instructions for enabling this feature, read about displaying IP addresses in the audit log for your organization.
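The kind of triage this data enables, as an added example that is not GitHub's code: it reads a constructed JSON-lines audit log export and lists events whose source address falls outside trusted ranges, keeping events with no address separate. The field names (`actor`, `action`, `actor_ip`), the sample events and the trusted CIDR are assumptions.

```python
import ipaddress
import json

# Constructed sample export, one JSON event per line. Field names are assumed.
SAMPLE = """\
{"actor": "alice", "action": "repo.create", "actor_ip": "192.0.2.10"}
{"actor": "alice", "action": "org.add_member", "actor_ip": "203.0.113.77"}
{"actor": "bob", "action": "repo.create", "actor_ip": "192.0.2.44"}
{"actor": "bob", "action": "repo.create"}
"""

TRUSTED = ["192.0.2.0/24"]  # hypothetical corporate egress range


def triage(export, trusted_cidrs):
    """Split events into (outside trusted ranges, carrying no IP at all)."""
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    outside, no_ip = [], []
    for line in export.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        ip = event.get("actor_ip")
        if not ip:
            # Some events carry no address (the entry above says activity on
            # public repositories is treated differently); do not treat the
            # absence of an IP as trusted, report it separately.
            no_ip.append(event)
            continue
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in nets):
            outside.append((event["actor"], event["action"], ip))
    return outside, no_ip


if __name__ == "__main__":
    flagged, missing = triage(SAMPLE, TRUSTED)
    for actor, action, ip in flagged:
        print(f"review: {actor} performed {action} from {ip}")
    print(f"{len(missing)} event(s) had no IP address recorded")
```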

See more

We are preparing to bring powerful new code search capabilities to GitHub. As part of that effort, on April 10, 2023, we will make several changes to the code search API:

  • Code search rate limits will be separated from the rate limits for other search types. The separate code search category will have a rate limit of 10 requests per minute.
  • We are deprecating support for sorting code search results. Once these changes take effect, all code search results will be sorted by best match.
  • All code search API endpoints will require authentication. This change only affects repository scoped queries, because all other query types already require authentication.

To prepare for these changes, make sure your code handles rate limiting. And if you’re using code search to track changes or find security vulnerabilities in your codebase, consider using webhooks or GitHub Advanced Security.

These changes will take effect in 30 days, on April 10, 2023.
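One way to prepare a client for the separate code search limit, as an added example that is not GitHub's code: a client-side sliding window that stays under 10 requests per minute, plus a function that decides how long to pause after a rate-limited response. It assumes the server signals limits with 403 or 429 and the `retry-after`, `x-ratelimit-remaining` and `x-ratelimit-reset` headers; the class name, function name and fallback backoff values are hypothetical.

```python
from collections import deque

CODE_SEARCH_LIMIT = 10    # requests per window, from the changelog entry
WINDOW_SECONDS = 60.0


class CodeSearchThrottle:
    """Client-side sliding window that stays under 10 requests per minute."""

    def __init__(self, limit=CODE_SEARCH_LIMIT, window=WINDOW_SECONDS):
        self.limit = limit
        self.window = window
        self.sent = deque()  # timestamps of requests still inside the window

    def delay_before_next(self, now):
        """Seconds to wait before another request may be sent at time `now`."""
        while self.sent and now - self.sent[0] >= self.window:
            self.sent.popleft()
        if len(self.sent) < self.limit:
            return 0.0
        return self.window - (now - self.sent[0])

    def record(self, now):
        """Note that a request was sent at time `now`."""
        self.sent.append(now)


def server_backoff(status, headers, now, attempt=0):
    """Seconds to pause after a response, honouring rate-limit headers."""
    h = {k.lower(): v for k, v in headers.items()}
    if status not in (403, 429):
        return 0.0
    if "retry-after" in h:                       # server names the wait
        return float(h["retry-after"])
    if h.get("x-ratelimit-remaining") == "0":    # quota for this window is spent
        return max(0.0, float(h.get("x-ratelimit-reset", now)) - now)
    return min(60.0 * 2 ** attempt, 900.0)       # no hint: back off exponentially
```

In a real client, call `delay_before_next(time.time())` and sleep before each code search request, then pass the response status and headers to `server_backoff` before retrying.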

See more

Code scanning configurations can now be deleted from the code scanning alert page. This could be used to delete stale configurations causing alerts to remain open, or delete old configurations which are no longer used.

Code scanning can be configured to use different tools, target different languages, or even analyze different parts of the codebase in the same repository. In certain circumstances more than one of these configurations may produce the same alert. However, if one of the configurations is no longer used and becomes 'stale' you may find that the alert is fixed in one configuration but not in the stale configuration, which is potentially confusing. Today we are releasing a new feature that allows you to easily delete stale configurations which cause alerts to remain open after they've been fixed.

In the code scanning alert page, the counter in the 'Affected branches' sidebar shows the number of configurations for the branch. Click a branch to view the configuration details, and delete configurations as required. A configuration is deleted for a branch, so may have an impact on the status of other alerts on the same branch. When a configuration is deleted, a timeline entry is recorded on the alert, and repositories in an organization also record an audit log entry. If a configuration is deleted by mistake, re-run the analysis to update the alert and reinstate the configuration.

Read more about removing stale code scanning configurations and alerts.

See more

Today, we are adding a couple of new improvements to required workflows in GitHub Actions.

  • Blocking direct push: Direct pushes are now blocked on branches of the repositories where required workflows are enforced. To push to a branch where required workflows are enforced at the organizational level, create a pull request to make the necessary changes. If you want to allow direct pushes for a particular repository, you must remove the repository as a target from respective required workflows.

  • Ability to configure required workflows from refs: Required workflows can now be referenced using any branch, tag, or commit SHA from the repository containing the workflow file, during its configuration. This helps you to freeze your required workflow file to a fully validated golden version and gives you the flexibility to move to latest version after testing it thoroughly. The branch, tag, or commit can be specified in the workflow path text field similar to how it is specified for actions within a workflow yaml.

Link to Documentation

Note: Required workflows is currently in beta.

See more

Today's Changelog brings you auto-add and auto-archive workflows for all users to make managing your project a breeze, and tasklists improvements!

🤖 Automatically add and archive project items

We previously announced the public beta of the auto-archive workflow and the auto-add workflow for Enterprise users, and today we are excited to share these are now available to everyone!

From the Workflows page in your project, configure the filter criteria for when you want to automatically archive items from your project via Auto-archive items, as well as automatically adding items from a repository to your project via Auto-add to project.

Note: Multi-repository auto-add workflows are only available to Team and Enterprise users.

✅ Tasklist improvements

As part of our ongoing Private Beta for Tasklists, we continue to ship weekly improvements! We're letting in new organizations regularly; sign yours up here.

🟣 See completion pills for issues

Issues in your tasklist now have completion pills which indicate whether or not they have children, making it easier to understand how close your tasklist is to completion.

✏️ Edit issue metadata directly from the tasklist

Quickly make edits to assignees, labels and projects straight from a tasklist.

🐞 Tasklist bug fixes and improvements

  • Fixed a bug where labels and assignee meta-data took a very long time to be reflected on tasklists
  • Better support for issue deletion and transfer of issues within tasklists
  • Fixed a visual bug with tasklist drag-and-drop
  • Fixed a bug where long task titles broke tasklists
  • Fixed a bug where empty tasks broke tasklists

Bug fixes and improvements

  • Fixed misaligned field pills on board items
  • Fixed misaligned board columns when grouped by an iteration field
  • Fixed a bug where closed projects were included in the project count

See how to use GitHub for project planning with GitHub Issues, check out what's on the roadmap, and learn more in the docs.

See more

Today we have released multi-repository variant analysis for CodeQL in public beta to help the OSS security community power up their research with CodeQL.

CodeQL is the static code analysis engine that powers GitHub code scanning. Out of the box, CodeQL is able to find many different types of security vulnerability and flag them up in pull requests.

But one of CodeQL’s superpowers is its versatility and customizability: you can use it to find virtually any pattern in source code. As such, it’s a great tool for finding new types of vulnerabilities – once you’ve identified an interesting pattern, model it as a CodeQL query, and then run it against your repository to find all occurrences of that pattern! But most vulnerabilities are relevant to many codebases. Wouldn’t it be amazing if you could easily run your query against many repos at the same time? Well, now you can with multi-repository variant analysis — which we’ve just shipped in public beta!

This new feature will allow security researchers to run CodeQL analyses against large numbers of repos, straight from the CodeQL extension for VS Code, making it possible to identify new types of security vulnerabilities in the most popular open-source codebases.

Check out the CodeQL for VS Code documentation to learn how to get started with multi-repository variant analysis. We'd also love to hear your feedback on this GitHub community discussion.

See more

Starting on March 08, 2023, GitHub Enterprise customers using 2-core GitHub-hosted Linux and Windows runners will have the job concurrency on Windows/Linux increased from 180 to 500.

Enterprise customers need to make no changes to take advantage of this increased concurrency. If you require higher concurrency on 2-Core GitHub-hosted Linux and Windows runners than 500, please reach out to GitHub support.

See more

Many users use our Slack integration to know what’s new in their repo’s Discussion. However, for large repos, these notifications can get overwhelming. Today, we’re introducing the ability to subscribe to specific Discussion categories in Slack. By default, when users subscribe to a Discussion, they subscribe to all categories. With the new command, we’re introducing a way to add category filters:

/github subscribe <org_name>/<repo_name> discussions:{category:"<category1>","<category2>"}

Users can also unsubscribe a Slack channel from previously set category filters with a similar command:

/github unsubscribe <org_name>/<repo_name> discussions:{category:"<category1>"}

Note: By default, if no category filters were added, the app will subscribe to all categories in the Discussion. Similarly, if you remove all category filters, the app will return to its default state of being subscribed to all categories. To unsubscribe from Discussions entirely, users can continue to use the unsubscribe command on Discussions, as shown below:

/github unsubscribe <org_name>/<repo_name> discussions

See more

GitHub Enterprise Server 3.8 is generally available

GitHub Enterprise Server 3.8 brings new capabilities to help companies build and deliver secure software. We've added over 100 features, and here are a few highlights:

  • GitHub Projects, the adaptable and flexible tool for planning and tracking work on GitHub, is now available on Enterprise Server as a public beta.
  • GitHub Actions supports organization-wide required workflows. You can define mandated workflows to run during the lifecycle of a repository’s pipeline.
  • Code scanning now supports Kotlin. We are launching a public beta for support of Kotlin, with this support enabled for all new code scanning users and any existing users that have already configured a Java analysis.
  • The Management Console now supports multiple users. We are introducing a multi-user concept with a user management interface to the Management Console to allow admins to invite new users with different types of access roles.

To learn more about GitHub Enterprise Server 3.8, read the release notes, and download it now.

See more

You can now designate different types of credits to users who contribute to GitHub security advisories.

These new credit types mirror those in the CVE 5.0 schema:

  • finder
  • reporter
  • analyst
  • coordinator
  • remediation developer
  • remediation reviewer
  • remediation verifier
  • tool
  • sponsor
  • other

Going forward, GitHub will automatically apply the reporter credit type to anyone credited after submitting a private vulnerability report and the analyst type to anyone credited after submitting an edit to the global Advisory Database. We've also retroactively applied those labels to previously credited individuals who took those actions.

See more

The Custom Repository Roles REST API has moved to general availability, with a breaking change to the path used.
Previously, the API was found at /orgs/{org}/custom_roles – it has been moved to /orgs/{org}/custom-repository-roles. With organization-level custom roles in progress, we found that the custom_roles path wasn't specific enough and could generate confusion.
The deprecated beta API will be removed from api.github.com in 6 months, on September 7th, 2023.
On GitHub Enterprise Server, the API will be available at its new path in version 3.9. The previous API to list roles was added in GHES 3.4, and will be removed with the next API version.

To learn more about custom repository roles, see "About custom repository roles" and "Custom repository roles REST API".

See more

Dependency graph no longer ingests go.sum files for Go repositories, and Dependabot no longer alerts on vulnerabilities for dependencies found in go.sum files. Dependencies previously ingested from go.sum files have been removed from the dependency graph for all repositories on github.com.

go.sum files are not lock files but a log of all packages downloaded by Go when building a project. They may include multiple versions of a dependency, which may result in false positive Dependabot alerts for a vulnerable version that isn't actually used in the project.

Dependency graph continues to support go.mod files, the recommended format for Go projects. Use Go 1.17 or higher to ensure your go.mod file is a comprehensive view of all direct and transitive dependencies.

Learn more about the dependency graph
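The difference between the two files, as an added example that is not GitHub's or Dependabot's code: it parses a constructed go.mod and go.sum and reports the versions that go.sum logs but go.mod does not select, which are the entries that could raise a false positive alert. The module names, versions and placeholder hashes are constructed sample data, and the function names are hypothetical.

```python
# Constructed sample files; hashes are placeholders, not real checksums.
GO_MOD = """\
module example.com/app

go 1.17

require (
    golang.org/x/text v0.3.8
    github.com/pkg/errors v0.9.1 // indirect
)
"""
GO_SUM = """\
golang.org/x/text v0.3.0/go.mod h1:PLACEHOLDER=
golang.org/x/text v0.3.7 h1:PLACEHOLDER=
golang.org/x/text v0.3.8 h1:PLACEHOLDER=
golang.org/x/text v0.3.8/go.mod h1:PLACEHOLDER=
github.com/pkg/errors v0.9.1 h1:PLACEHOLDER=
"""


def parse_go_mod(text):
    """Return {module: version} from require directives (block or one-line)."""
    required, in_block = {}, False
    for raw in text.splitlines():
        line = raw.split("//", 1)[0].strip()   # drop trailing comments
        if line == "require (":
            in_block = True
        elif line == ")":
            in_block = False
        elif in_block or line.startswith("require "):
            parts = line.replace("require ", "", 1).split()
            if len(parts) == 2:
                required[parts[0]] = parts[1]
    return required


def parse_go_sum(text):
    """Return {module: {versions}}; a '/go.mod' suffix marks a go.mod-only hash."""
    seen = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            seen.setdefault(parts[0], set()).add(parts[1].split("/go.mod")[0])
    return seen


def unselected_versions(go_mod, go_sum):
    """Versions logged in go.sum that go.mod does not select for the build."""
    selected = parse_go_mod(go_mod)
    extra = {m: sorted(v - {selected.get(m)}) for m, v in parse_go_sum(go_sum).items()}
    return {m: v for m, v in extra.items() if v}
```

On the sample, `unselected_versions(GO_MOD, GO_SUM)` lists two older `golang.org/x/text` versions that appear only in go.sum, while the build uses v0.3.8.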

See more

We are excited to announce the launch of GitHub Octernships! Students represent the next generation of developers, and GitHub Education is here to nurture this talent and equip them with the skills they need to drive future software innovation.

GitHub Octernships is initially starting for students in 10 countries, including India, Singapore, Indonesia, Malaysia, Vietnam, Philippines, Thailand, Mexico, Nigeria, and Colombia, and will gradually expand to more regions over time.

To apply, you need to be verified on Global Campus, be an active contributor on GitHub, and keep an eye out for new projects that we’ll be posting on Octernships all year round.

Check out the blog to learn more. These changes will be gradually rolling out over the next few days. If you have any questions or feedback, connect with us in the Octernships Discussion.

Not yet verified? What are you waiting for? Join GitHub Global Campus.

See more

We are changing how you receive notifications of secret scanning alerts. Previously, to receive secret scanning alert notifications, you had to watch a repository with "All activity" or "Security alerts" and enable Dependabot email alerts.

Beginning March 16, here are the steps you need to take to continue to receive notifications from secret scanning:

  1. (No change required) Watch repositories of interest by choosing "All activity" or "Security alerts". This helps you choose what events GitHub will notify you about.
  2. (Action needed) In your user notification settings, choose "Email" in the "Watching" section. This tells GitHub how to notify you. Secret scanning only supports email notifications at this time.

See more