Skip to content

Changelog

Subscribe to all Changelog posts via RSS or follow GitHub Changelog on Twitter to stay updated on everything we ship.

~ cd github-changelog
~/github-changelog|main git log main
showing all changes successfully

Secret scanning validity checks are now generally available.

Starting today, validity checks will be included in the ‘GitHub recommended’ setup through code security configurations and will be enabled for any newly attached repositories.

Please note that on July 24, validity checks will also be enabled retroactively for any repositories that had attached the GitHub recommended configuration before July 2, 2024. If you wish to directly manage feature enablement moving forward, we recommend unattaching the recommended configuration and attaching your own custom configuration to those repositories.

Learn more about secret scanning and validity checks

GitHub secret scanning lets you know if your secret is active or inactive with partner validity checks. These checks are run on an ongoing basis for supported providers for any repositories that have enabled the validity check feature; you can also perform on demand validity checks from the alert details page.

Learn how to secure your repositories with secret scanning, participate in the community discussion with feedback, or sign up for a 60 minute feedback session on secret scanning and be compensated for your time.

See more

Starting today, you can enable validity checks for your GitHub organization through security configurations.

You can also more easily enable or disable validity checks at the enterprise level with the ability to enable or disable for all enterprise repos.

If your organization had previously enabled validity checks through the ‘Global Settings’ page, the feature will be migrated to your existing configurations and enabled on repositories they are attached to with no additional effort on your part.

Please note that GitHub is also adding validity checks to the ‘GitHub recommended’ code security configuration. Any organization which has enabled the recommended configuration before today will have validity checks automatically enabled on July 24, 2024. If you wish to directly manage feature enablement, we recommend unattaching the recommended configuration and attaching your own custom configuration to those repositories.

Learn more about secret scanning and validity checks

GitHub secret scanning lets you know if your secret is active or inactive with partner validity checks. These checks are run on an ongoing basis for supported providers for any repositories that have enabled the validity check feature; you can also perform on demand validity checks from the alert details page.

Learn how to secure your repositories with secret scanning or sign up for a 60 minute feedback session on secret scanning and be compensated for your time.

See more

GitHub users can create software bill of material (SBOM) files for their repositories to help them understand its dependencies. SBOMs are a machine-readable inventory of a project’s dependencies and associated information. With this release, we have added copyright attribution data for dependencies in the SBOM.

Learn more about SBOM files and how GitHub helps you secure your software supply chain.

See more

Today’s changelog brings you GraphQL and webhook support for project status updates and project custom field changes directly in the webhook event!

Using GraphQL and webooks with project status updates

Following our release earlier this year for project status updates, you can now interact with project status updates using GraphQL and webhooks. This unlocks new ways to automate how you provide and gather project status update information.

GraphQL

There is a new ProjectV2StatusUpdate GraphQL object to interact with project status updates, so you can view, create, update, and delete status updates.

Below is an example query to create a new project status update.

mutation {
  createProjectV2StatusUpdate(
    input: {projectId: "0123456", body: "We wrapped up our bug bash following the beta rollout. We're back on track for our GA date in August! 🚀", startDate: "2024-06-03", targetDate: "2024-08-09", status: ON_TRACK}
  ) {
    statusUpdate {
      id
      startDate
      targetDate
      body
      bodyHTML
      status
    }
  }
}

Webhooks

Project status updates are included in the new projects_v2_status_update webhook event, so you can understand and be notified when a new project status update is provided.

You must be subscribed to this event from the organization settings page to receive this information.
organization settings for webhook event

Below is an example of a webhook event.

{
    "action": "edited",
    "projects_v2_status_update": {
        "id": 32633,
        "node_id": "PVTSU_lADOBH2n9s4Ajp6VzX95",
        "project_node_id": "PVT_kwDOBH2n9s4Ajp6V",
        "creator": {
          ...
        },
        "body": "We've kicked off this project and are feeling confident in our rollout plan. More updates and demos to come next week!",
        "start_date": "2024-06-24",
        "target_date": "2024-08-16",
        "status": "ON_TRACK",
        "created_at": "2024-06-24T20:27:48Z",
        "updated_at": "2024-06-24T20:30:47Z"
    },
    "changes": {
        "body": {
            "from": "We're still planning this out and are kicking off soon.",
            "to": "We've kicked off this project and are feeling confident in our rollout plan. More updates and demos to come next week!"
        },
        "status": {
            "from": "INACTIVE",
            "to": "ON_TRACK"
        },
        "start_date": {
            "from": null,
            "to": "2024-06-24"
        },
        "target_date": {
            "from": null,
            "to": "2024-08-16"
        }
    },
    "organization": {
        ...
    },
    "sender": {
        ...
    }
}

Using webhooks for project custom field changes

Project custom field changes are now included directly in the project_v2_item webhook event when a project item’s fields are edited, removing the need to send an additional GraphQL query. This gives you the previous and current field values to understand how project fields change over time and how long they have a particular value, allowing you to understand how long an item was In progress before moving to Done status.

Below is an example of the webhook which includes the previous and current value for single select, text, number, iteration, and date project custom fields using the changes parameter.

"changes": {
    "field_value": {
        "field_node_id": "PVTSSF_lADOBH2n9s4Aje1Izgb1kEs",
        "field_type": "single_select",
        "field_name": "Status",
        "project_number": 18,
        "from": {
            "id": "f75ad846",
            "name": "Todo",
            "color": "GREEN",
            "description": "This item hasn't been started"
        },
        "to": {
            "id": "47fc9ee4",
            "name": "In Progress",
            "color": "YELLOW",
            "description": "This is actively being worked on"
        }
    }
},

Bug fixes and improvements

  • Added the convertProjectV2DraftIssueItemToIssue GraphQL mutation to convert drafts to issues
  • Fixed an error message when resizing columns in the table layout
  • Fixed errors when migrating a classic project to the new Projects experience
  • Fixed a bug where updating an issue in the project side panel didn’t reflect in the project view
  • Fixed the rendering of special characters in a single-select field description from the table layout cell dropdown
  • Fixed a bug where a space could not be added in project chart titles

✍️ Tell us what you think!

Join the conversation in the community discussion to share your feedback.

See how to use GitHub for project planning with GitHub Issues, check out what’s on the roadmap, and learn more in the documentation.

See more

June CE Changelog

Another month, and another exciting set of updates for Copilot Enterprise. Let’s dig in:

Copilot Chat in GitHub.com can now answer questions about your pull requests, discussions, and files.

Catch up on Pull Requests: Copilot can answer questions about a Pull Request and give you an overview of the changes the Pull Request introduces. To learn more, see “Asking questions about a specific pull request” in the GitHub docs.
Try it yourself: Navigate to a Pull Request on GitHub.com, and ask Copilot to Tell me about this Pull Request

Get more out of Discussions Copilot can help you get up to speed quickly by summarizing discussions and discussion comments. In addition, Copilot can identify themes in the discussion and commentary made by different participants aiding you in catching up on context seamlessly. To learn more, see “Asking a question about a specific issue or discussion” in the GitHub docs.
Try it yourself: Navigate to a discussion on GitHub.com, and ask Copilot to Summarize this discussion

Ask about Files and learn about recent changes: Copilot can now tell you about a file or retrieve the most recent changes in the file on any branch. Ask Copilot to tell you what has changed in a file to gain a deeper understanding into your codebase and what’s changing in it. To learn more, see “File details skill” in the GitHub docs.
Try it yourself: Navigate to a file on GitHub.com, and ask Copilot to What's changed in this file recently?

Copilot Enterprise features are now available in Visual Studio Code and Visual Studio

As announced earlier this month, Copilot Enterprise features are now available in Visual Studio Code and in Visual Studio for the first time. (For Visual Studio, you’ll need to be running Visual Studio 17.11 Preview 2 or later.)

Chat with the context of the web in Visual Studio Code and Visual Studio: GitHub Copilot can now search Bing to find information outside of its general knowledge or your codebase. Just mention @GitHub, and Copilot will intelligently decide when to use Bing. Bing search is only available if enabled by an administrator – for more details, see “Enabling GitHub Copilot Enterprise features”.

Get answers from across your entire codebase in Visual Studio: Copilot Chat can now answer questions with understanding of your full repository, not just the tabs you have open. Index your repository on GitHub.com, and then ask a question mentioning @GitHub. You can ask questions like @GitHub Where is device detection implemented?.

Access your Copilot knowledge bases in Visual Studio Code: You can now access your knowledge bases from any Copilot Chat conversation by typing @GitHub #kb, selecting a knowledge base from the list, and then entering your question. Copilot will respond, using the Markdown documentation in your knowledge base as context for its answer.

As always, we welcome any feedback on Copilot Enterprise in the discussion within GitHub Community.

See more

Starting today, you can now perform on demand validity checks for NuGet API keys and supported Azure connection strings. These checks will also continue to run on an ongoing basis.

GitHub secret scanning lets you know if your secret is active or inactive with partner validity checks. These checks are run on an ongoing basis for supported providers for any repositories that have enabled the validity check feature; you can also perform on demand validity checks from the alert details page.

Learn how to secure your repositories with secret scanning or sign up for a 60 minute feedback session on secret scanning and be compensated for your time.

See more

Auto-triage rules help you reduce alert and pull request fatigue, while better managing your alerts at scale.

With Dependabot auto-triage rules, you can create your own custom rules to control how Dependabot ignores alerts with auto-dismissal, snoozes and reopens alerts, and generates pull requests to fix alerts – so you can focus on the alerts that matter, without worrying about the alerts that don’t.

Rules can be created with the following alert attributes:
– CVE ID
– CWE
– Dependency scope (devDependency or runtime)
– Ecosystem
– GHSA ID
– Manifest path (for repository-level rules only)
– Package name
– Patch availability
– Severity

For more information and how to use this feature, please refer to our documentation.

See more

GitHub Artifact Attestations is generally available

We’re thrilled to announce the general availability of GitHub Artifact Attestations! Artifact Attestations allow you to guarantee the integrity of artifacts built inside GitHub Actions by creating and verifying signed attestations. With this release, you can now easily verify these artifacts before you deploy them in your Kubernetes cluster. Powered by Sigstore, Artifact Attestations help you secure your software’s supply chain by creating an unforgeable link between artifacts and their build process.

“Over the past nine months, Trail of Bits has worked closely with GitHub to make Homebrew one of the earliest public adopters of Artifact Attestations. Software, and especially open source software, is more complicated and interconnected than ever, and we believe strongly that GitHub’s new Artifact Attestations feature is a huge and necessary step towards addressing the problem of complex, opaque, software supply chains.” – William Woodruff, Engineering Director, Trail of Bits

“Using Artifact Attestations, we finished a project in under a week that we originally scoped out for months to complete.” – Mike Place, Director of Software Engineering at Elastic

Adding provenance to a GitHub Actions workflow is simple! You just need to invoke the new attest-build-provenance Action with the path to your artifact:

permissions:
  id-token: write
  contents: read
  attestations: write

#
# (build your artifact)
#

- name: Generate artifact attestation
  uses: actions/attest-build-provenance@v1
  with:
    subject-path: 'PATH/TO/ARTIFACT'

Then verify it with our CLI tool:

gh attestation verify PATH/TO/ARTIFACT -o myorganization

Enhance your SDLC’s security with a Kubernetes admission controller

With general availability we are also releasing a new way to build a Kubernetes admission controller that can validate attestations directly within your Kubernetes clusters. This means that only properly attested artifacts can be deployed, adding an extra layer of security and compliance to your software development lifecycle (SDLC). By integrating Artifact Attestations into your GitHub Actions workflows, you enhance the security of your development and deployment processes, protecting against supply chain attacks and unauthorized modifications.

Setting up an admission controller for GitHub Artifact Attestations involves deploying the Sigstore Policy Controller, adding a TrustRoot and ClusterImagePolicy to your cluster, and enforcing those policies on a per-namespace basis. Quickly deploy your own admission controller using our Helm charts.

Learn more about the Kubernetes admission controller

Get Started

To start using the new features, check out our documentation and watch the video below for a step-by-step guide on integrating artifact attestations into your workflows. This feature supports both public and private repositories, making it easier than ever to secure your projects.

Integrate GitHub Artifact Attestations into your workflows today, and add meaningful security to your SDLC. Please join the discussion in the GitHub Community and share your feedback with us.

See more

Dependabot version updates requires developers to configure and check in a dependabot.yml file. In the past, it was challenging for administrators to configure a dependabot.yml that works for all repositories without per-repo customization. With this change, you can now specify multiple directories of dependency manifests using the directories key. Directories can be configured with wildcards or globbing to make targeting easier as well. This will simplify the process of creating configurations and allow greater flexibility for developers who wish to customize their behavior.

To learn more, visit our dependabot.yml configuration documentation for the directories key.

See more

Developers can now run their Actions workflows using Ubuntu 24.04 on the GitHub-Hosted arm64 runners that are currently in public beta.
To get started using Ubuntu 24.04, create an arm64 runner in your organization/enterprise, and select the “Ubuntu 24.04 by Arm Limited” partner image. Then update the runs-on syntax in your GitHub Actions workflow file to match that runner name. To learn more about how to set-up arm64 hosted runners, you can check out the documentation.

This new image is provided by Arm and is not maintained by GitHub. If you spot any issues with your workflows when using Ubuntu 24.04, or if you have feedback on the software installed on the image, you can provide feedback in the partner-runner-images repository.

See more

Since the initial beta release of the Copilot User Management API, we’ve heard feedback that obtaining the full set of Copilot seats and their associated activity status has been cumbersome. Many enterprise admins did not have the necessary “write” permissions and needed to iterate over multiple organizations’ data due to the lack of an enterprise endpoint.

With today’s update, we’ve added a centralized enterprise endpoint for listing Copilot seats and associated metadata across the enterprise. We have also updated the necessary scope to read:enterprise. Now, all enterprise admins can quickly gather their enterprise’s Copilot seats details with just one API request!

Likewise, for existing, non-destructive endpoints on the User Management API, we have updated all minimum permission requirements to read from write.

Check out our updated documentation to learn more and try it out today! You can share your feedback with us in this discussion.

See more

CodeQL, the static analysis engine that powers GitHub code scanning, can now analyze C# projects without needing a build. This public beta capability enables organizations to more easily roll out CodeQL at scale. Previously, CodeQL required a working build to analyze C# projects. By removing that requirement, our large-scale testing has shown that CodeQL can be successfully enabled for over 90% of C# repos without manual intervention.
This new way of analyzing C# codebases is now enabled by default for all code scanning users on GitHub.com. CodeQL CLI users can enable this feature using the build-mode: none flag, starting with version 2.17.6.

Repositories with an existing code scanning setup, default or advanced, will not experience any changes. If code scanning is working for you today it will continue to work as-is, and there is no need to change your configuration.

  • Repositories using code scanning default setup will automatically benefit from this new analysis approach.
  • Repositories using advanced setup for code scanning via workflow files will have the option to choose a build-mode. The default value for newly configured C# repositories will be build-mode: none.
  • CodeQL CLI users will not experience any change in the default behaviour, for compatibility with existing workflows. Users that want to enable this feature can now use the --build-mode none option. Generally, you should set the --build-mode option when using the CLI to make it easier to debug and persist the configuration should default behaviour change at any point in the future.

The new mechanism for scanning C# is available on GitHub.com and will be available with CodeQL CLI 2.17.6. While in public beta, this feature will not be available on GitHub Enterprise Server for default setup or advanced setup for code scanning. As we continue to work on scanning C# projects without the need for working builds, send us your feedback.

See more

You can now use the REST API to create and manage code security configurations, as well as attach them to repositories at scale.

The API supports the following code security configuration actions for organizations:
– Create, get, update, and delete configurations
– Set and retrieve default configurations
– List all configurations
– Attach configurations to repositories

The API is now available as a public beta on GitHub Enterprise Cloud and will be available in GitHub Enterprise Server 3.15.0. You can learn more about security configurations, the REST API, or send us your feedback.

See more

GitHub is committed to a secure software ecosystem and requires most developers who contribute code on GitHub.com to enable one or more forms of two-factor authentication (2FA).To ensure that all users stay up to date with their account security configurations, we are now improving the checkup experience using various global banners that guide users to review and update their settings on a more regular basis.

These banners replace the security checkup interstitials that were previously displayed every 3 months for 2FA users. Each banner calls out the specific security configuration that needs attention (ex: user only having a single verified email), and will also include a quick link to the corresponding settings page to modify the required settings.

To learn more about the 2FA program, see our April 2024 blog post about how GitHub is securing millions of developers using 2FA, as well as the “About the mandatory 2FA program” documentation.

See more

Starting September 3, 2024 enterprise customers who currently have a single organization without an enterprise account will be automatically upgraded into an enterprise account at no additional cost. An enterprise account will be created for you, and your organization will become the first member organization.

In April 2023, we introduced enterprise accounts for all new enterprise customers. We outlined our plans to assist existing customers with a single organization in obtaining an enterprise account. Enterprise accounts provide a unified experience granting access to all the latest and most robust features within the platform.

What is an enterprise account?

Enterprise accounts represent the top-most layer of the GitHub Enterprise management hierarchy, allowing enterprise owners to manage and scale their GitHub environments. Essentially, the enterprise account sits above organizations and serves as the primary interface for enterprise owners.

Benefits of an enterprise account:

Timeline & Next Steps:

If you have a GitHub Enterprise Cloud account without an enterprise account:

  • Voluntary Upgrade (Now – September 3rd, 2024): Administrators can proactively upgrade their existing account to an enterprise account via the Billing and Plans page under the account’s settings.
  • Automatic Upgrade (Starting September 3rd, 2024): If an upgrade was not completed during the voluntary phase, the account will be assigned a scheduled upgrade date. We’ll notify administrators two weeks prior to this date.
  • Seamless Transition: On the scheduled upgrade date, if not yet upgraded, the account will seamlessly transition and be nested under a new assigned enterprise account.

  • The new enterprise account name will match the organization name or as close as possible if the name is already taken, and customers may choose to rename after the upgrade.

  • There will be no change in ownership, all of the existing owners will remain the owners of the new enterprise account. The organization’s URL will not change, so existing usage of the repos or organization URL will not be impacted.
  • The existing configuration such as SAML SSO, PATs, policies, and application integrations should remain with the organization, unless there’s an override at the enterprise account.
See more

CodeQL is the static analysis engine that powers GitHub code scanning. CodeQL version 2.17.5 has been released and has now been rolled out to code scanning users on GitHub.com.

CodeQL code scanning now supports automatic fix suggestions for C/C++ alerts, powered by Copilot. This is automatically enabled for all private repositories for all GitHub Advanced Security customers. Autofix covers all security queries for C/C++ from our Default suite. Use our public discussion for questions and feedback.

Also included in this release:
– C/C++ now supports adding models for sources, sinks and summaries in data extension files, making it easier to expand support to new libraries.
– Python adds support for opml library and C/C++ adds partial support for Boost.Asio network library.
– All the CodeQL CLI commands that produce SARIF will output a minified version to reduce size.

For a full list of changes, please refer to the complete changelog for version 2.17.5. All new functionality will also be included in GHES 3.14. Users of GHES 3.13 or older can upgrade their CodeQL version.

See more

The GitHub Enterprise Server 3.13 release is generally available

GitHub Enterprise Server 3.13 gives customers more fine-grained control over deployment requirements and enhanced security controls. Here are a few highlights:

  • We are introducing a new feature for repositories called custom properties, a major enhancement to how repositories are managed and classified across GitHub organizations. Properties offer a flexible way to add meaningful metadata to your repositories that simplifies repository classification, enhances discoverability, and seamlessly integrates with rulesets. Check out the demo! For more information, see custom properties for repositories.
  • Elasticsearch will be upgraded from version 5 to version 8, when the appliance is upgraded to 3.13. Elasticsearch powers all search experiences in GHES including code search and audit logs. Upgrading ES5 to ES8 allows the platform to take advantage of better performance and improved security posture in ES8. For more information regarding what to expect during ES8 upgrade, see Preparing for Elasticsearch upgrade in GHES 3.13.
  • Enterprise and organization audit log events now include the applicable SAML and SCIM identity data associated with the user. For more information, see Reviewing the audit log for your organization.
  • Developers who use devcontainer.json files to define their development containers will now be able to use Dependabot version updates to keep their dependencies in the container up-to-date. Once configured in dependabot.yml, Dependabot will open PRs on a specified schedule to update the listed dependencies to latest.
  • Pull Requests rebases are now faster! Under the hood, rebase commits now use the merge-ort. Rebases that timed out for large repositories before are now a lot more likely to be successful.
  • Using Project Status Updates, you can now provide high level details on the status, timing, and progress of your project, directly from the project! This makes it easy to know and share with others how your work is progressing, any risks, and a history of when and why something changed, all in the same place where you’re tracking your work.

Read more about GitHub Enterprise Server 3.13 in the release notes,
or download it now.

If you have any issues upgrading your GitHub Enterprise Server Appliance to version 3.13, or problems using new features, please contact our Support team.

Please join us on GitHub Community to share your feedback or ask any questions about the new features!

See more

Secret scanning’s delegated bypass for push protection allows you to specify which teams or roles have the ability to bypass push protection, and requires everyone else to submit a request to bypass. These requests are reviewed by designated approvers.

A new webhook event, bypass_request_secret_scanning, is now created when:
* bypass requests are created or cancelled
* bypass responses are submitted or dismissed
* bypass requests are completed

Delegated bypass for push protection is available for GitHub Advanced Security customers on Enterprise Cloud, and will be available on GitHub Enterprise Server 3.14.

See more