Changelog

Subscribe to all Changelog posts via RSS or follow GitHub Changelog on Twitter to stay updated on everything we ship.

~ cd github-changelog
~/github-changelog|main git log main
showing all changes successfully

Using vision input in Copilot Chat with Claude and Gemini is now in public preview

Copilot looking at Claude and Gemini models

You now have more choices when chatting with Copilot about images in VS Code, Visual Studio, and on the immersive mode on github.com. Starting today, you can use the vision capability with the Claude Sonnet 3.5, Claude Sonnet 3.7, Gemini 2.0 Flash, Gemini 2.5 Pro, and GPT-4o models.

Some ideas to get you started:

  • Add screenshots of errors with Copilot to have it interpret the image and suggest solutions for the issue.
  • Share mockups of new designs, and Vision will help you bring them to life.
  • Ask questions about architecture diagrams.

Currently, the supported image types are JPEG/JPG, PNG, GIF, and WEBP.

When using Vision on VS Code and Visual Studio, make sure you have the Copilot Editor Preview Features policy enabled to get access. On github.com, get started simply by selecting a Claude or Gemini model from the model picker.

This feature was previously only available for GPT-4o in VS Code and Visual Studio and on github.com.

To learn more, read the documentation about using Vision in Copilot Chat.

Please share your feedback in our community discussions.

See more

CodeQL support for Java and C# private registries is now generally available

When CodeQL scans repositories with Java and/or C# code that depend on packages in private registries—but don’t include those registry addresses in their Maven, Gradle, or NuGet configuration files—the analysis now uses private registry addresses configured at the organization level. This makes it even easier to roll out CodeQL’s Java and C# analysis at scale.

Last year we enabled CodeQL build-mode: none scans to access private dependencies stored in private registries (e.g. Artifactory) for Java and C# projects. This required the addresses of the private registry to be defined in the project configuration. With this change, projects that relied on configurations defined in the build systems or locations external to the project will be able to use private registries.

This makes your scans more comprehensive, ensuring you receive all important alerts regardless of where your dependencies are stored.

This officially marks the end of the preview phase for CodeQL Java/C# private registry support; this feature is now generally available on GitHub.com. It will also roll out with GitHub Enterprise server version 3.18.

See more

GitHub Copilot Chat for Eclipse is now generally available

GitHub Copilot Chat for Eclipse is now generally available

GitHub Copilot Chat is now generally available for Eclipse! If you’re an Eclipse user, you can take advantage of AI-powered assistance with both code completions and in-editor chat assistance today.

Key features of GitHub Copilot Chat for Eclipse

  • Chat view: Ask Copilot for help with coding tasks directly in the chat view.  To learn more about this, see our documentation.

  • Model Selector for Chat: GitHub Copilot allows you to change the model during a chat. To learn more about this, see our documentation.

  • Slash commands: Use quick commands, like /explain for code explanations.

  • Reference code: Scope chats to specific files for more relevant assistance.

  • ABAP Enablement: GitHub Copilot for Eclipse has introduced enablement for ABAP, allowing users to leverage Copilot’s capabilities while working with ABAP code. GitHub Copilot for Eclipse uses the currently available models described in the documentation, without any specific fine-tuning for ABAP.

Try it out

To access GitHub Copilot Chat for Eclipse, you’ll need a Copilot license.

Once you have a license, follow the steps outlined in the Getting Started guide.

Feedback

Your feedback drives improvements. Let us know what you think using the in-product feedback option, or share your thoughts with the GitHub Community.

Join us on this journey as we continue to enhance GitHub Copilot for Eclipse and deliver a smoother developer workflow!

See more

Upcoming breaking changes and releases for GitHub Actions

We’re introducing new controls for automation workflows, enhancing security and flexibility for teams. Additionally, we’ve released updates to Actions runner controller designed to improve performance, customization, and compatibility with evolving deployment strategies. As part of our commitment to maintaining up-to-date infrastructure, we’re retiring older images and encouraging users to transition to newer, more efficient options.

Copilot events not automatically triggering GitHub Actions workflows is in public preview

Copilot authored events will no longer automatically trigger GitHub Actions workflows – administrators will now need to approve these workflows to run.

The approval mechanism is the same as approving runs from forks. This means that a run requiring approval will be given the action_required conclusion before any jobs are started. Users with write access in the UI or actions:write fine-grained access through the API can approve any action_required run. Any triggered workflow runs associated with the same PR in the action_required state will show up in the PR merge box for approval.

If a run is not approved after 30 days, it will be deleted.

Join the discussion within GitHub Community.

Windows Server 2019 is closing down

We’re beginning the process of closing down the Windows server 2019 hosted runner image, following our N-1 OS support policy. This image will be fully retired by June 30, 2025. We recommend updating workflows use windows-2022 or windows-2025.

To raise awareness of the upcoming removal, we’ll temporarily fail jobs using the windows-2019 label starting in June 2025. The brownouts will occur on the following dates and times:

  • June 3 13:00 – 21:00 UTC
  • June 10 13:00-21:00 UTC
  • June 17 13:00-21:00 UTC
  • June 24 13:00-21:00 UTC

Actions runner controller release 0.11.0

The latest ARC release (0.11.0) includes two major product enhancements and numerous quality-of-life improvements.

Customers can now set custom annotations and resources, enabling them to use deployment methods like ArgoCD and Helm.

In addition, ARC customers experienced performance issues due to high cardinality metrics, particularly around labels such as runner name, ID, job workflow ref, and others. This significantly impacted resource consumption in Prometheus instances. With this release, customers can now configure metrics, enabling them to choose elements relevant to their reporting strategy.

All included changes in this release can be found in the release notes.

Updates to the network allow list for Azure private networking

GitHub previously reported the network communication requirements for Azure private networks as they relate to the upcoming release of immutable actions. Please use the IPs listed in the NSG template within our documentation, as previous changelog communications contained overlapping CIDR ranges.

See more

CodeQL 2.21.0 supports TypeScript 5.8 and expands language coverage

CodeQL version 2.21.0 has been released and includes TypeScript 5.8 support, a new Java query to detect exposed Spring Boot actuators, and support for new JavaScript libraries.

TypeScript 5.8 support

CodeQL can now analyze code written in TypeScript version 5.8, helping you find and automatically remediate security issues in the latest TypeScript projects, all without additional configuration.

Improved Java analysis

The community-contributed query java/spring-boot-exposed-actuators by @ggolawski has been promoted out of experimental status and is now included in the default code scanning query pack. This query helps you identify publicly accessible Spring Boot actuators, preventing unintended information disclosure.

Expanded JavaScript framework coverage

We’ve extended our JavaScript analysis to include popular modern frameworks and libraries:

  • Apollo Server: Added support for analyzing data coming from GraphQL when using @apollo/server.
  • React Relay: Added analysis support for React applications using the react-relay library.
  • SAP ecosystem: Added CodeQL support for analysis of SAP packages, including @sap/hana-client, @sap/hdbext, and hdb.
  • TanStack: Added support for analyzing applications using the @tanstack/angular-query-experimental package.

For a full list of changes, please refer to the complete changelog for version 2.21.0. Every new version of CodeQL is automatically deployed to users of GitHub code scanning on github.com. The new functionality in CodeQL 2.21.0 will also be included in GitHub Enterprise Server (GHES) version 3.18. If you use an older version of GHES, you can manually upgrade your CodeQL version.

See more

Sunset notice for automatic watching of repositories and teams

Highlight of the automatic watching section within Notification Settings

On May 18, 2025, we’re deprecating the automatic watching of repositories and teams. We’re making this change in order to:

  • Reduce notification noise: You’ll receive fewer unexpected notifications, especially when joining large organizations with many repositories.
  • Improve efficiency: You’ll be able to focus on the notifications that matter most, without unnecessary subscriptions.
  • Minimize confusion: You won’t have automatic watching behavior that some users found unclear or overwhelming.

Existing repository subscriptions created through auto-watching will not be impacted. Users will remain subscribed to repositories or teams they were previously watching.

To review or adjust your current repository subscriptions, visit the Watching section. For more detailed notification preferences, head to Notification Settings.

See more

OpenAI GPT-4.1-mini and GPT-4.1-nano are now generally available in GitHub Models

GPT-4.1-mini and GPT-4.1-nano release on GitHub Models

Alongside the launch of GPT-4.1 in GitHub Models, we’re introducing GPT-4.1-mini and GPT-4.1-nano—lightweight variants of OpenAI’s latest model. Designed for high performance with lower cost and latency, these models are ideal for real-time applications and workloads that involve parallel or chained model calls.

Both inherit the core strengths of the GPT-4.1 series, including enhanced coding capabilities, improved instruction following, long-context understanding, and multimodal support (text and image). With features like parallel function calling and structured output generation, GitHub Models users can now choose the right-sized model for their specific needs—whether building chatbots, coding copilots, or AI-powered agents.

  • GPT-4.1-mini: Combines strong general-purpose reasoning with low cost and latency, supporting both text and vision use cases.

  • GPT-4.1-nano: Offers even lower cost and latency, ideal for lightweight tasks and high-frequency usage at scale.

Try, compare, and implement these models in your code for free in the playground (GPT-4.1-mini and GPT-4.1-nano) or through the GitHub API.

To learn more, visit the GitHub Models documentation, and join the community discussions to share feedback and connect with other developers.

See more

GitHub Actions token integration now generally available in GitHub Models

You can now use the built-in GITHUB_TOKEN from GitHub Actions to authenticate requests to GitHub Models. This simplifies your workflows by integrating AI capabilities directly into your actions, eliminating the need to generate and manage Personal Access Tokens (PATs).

With this update, creating and sharing AI-driven GitHub Actions has never been easier. Add AI to your workflows effortlessly, whether it’s generating issue comments or reviewing pull requests.

Try it out today and streamline your automation with integrated AI.

GitHub Models empowers every developer to effortlessly incorporate AI into their GitHub workflows.

For more details, check out our documentation or join our community discussions.

See more

Secret scanning expands default pattern and push protection support

GitHub regularly updates the default pattern set for secret scanning with new patterns and upgrades of existing patterns, ensuring your repositories have comprehensive detection for different secret types.

The following new patterns were added over the last few months. Secret scanning automatically detects any secrets matching these patterns in your repositories. See the full list of supported secrets in the documentation.

Provider Token Partner User Push protection
Bitrise bitrise_personal_access_token
Bitrise bitrise_workspace_api_token
Buildkite buildkite_user_access_token
LinkedIn linkedin_client_secret
Mailersend mailersend_smtp_password
Naver Cloud navercloud_gov_access_key
Naver Cloud navercloud_gov_access_key_secret
Naver Cloud navercloud_gov_sts
Naver Cloud navercloud_gov_sts_secret
Naver Cloud navercloud_pub_access_key
Naver Cloud navercloud_pub_access_key_secret
Naver Cloud navercloud_pub_sts
Naver Cloud navercloud_pub_sts_secret
Neon neon_api_key
Neon neon_connection_uri
Pangea pangea_token
Planning Center planning_center_oauth_access_token
Planning Center planning_center_oauth_app_secret
Planning Center planning_center_personal_access_token
Ramp ramp_client_id
Ramp ramp_client_secret
Ramp ramp_oauth_token
RunPod runpod_api_key
Sourcegraph sourcegraph_access_token
Sourcegraph sourcegraph_dotcom_user_gateway
Sourcegraph sourcegraph_instance_identifier_access_token
Sourcegraph sourcegraph_license_key_token
Sourcegraph sourcegraph_product_subscription_token

The following existing patterns were upgraded to be included in push protection. When push protection is enabled, secret scanning automatically blocks any pushes that contain a secret matching these patterns.

Provider Token
Atlassian atlassian_jwt
Azure azure_web_pub_sub_connection_string
Azure microsoft_corporate_network_user_credential
Azure azure_app_configuration_connection_string
Beamer API Key beamer_api_key
Checkout.com checkout_test_secret_key
Duffel duffel_test_access_token
Dynatrace dynatrace_internal_token
eBay ebay_sandbox_client_id ebay_sandbox_client_secret
Frame.io frameio_jwt
Google google_oauth_refresh_token
Google google_oauth_access_token
Lob lob_test_api_key
Mailgun mailgun_api_key
Notion notion_oauth_client_secret
Pulumi pulumi_access_token
RubyGems rubygems_api_key
Sentry sentry_integration_token
Sentry sentry_org_auth_token
Sentry sentry_user_app_auth_token
Sentry sentry_user_auth_token
Shopee shopee_open_platform_partner_key
Shopify shopify_app_client_credentials
Shopify shopify_custom_app_access_token
Shopify shopify_partner_api_token
Shopify shopify_private_app_password
Square square_access_token
Square square_production_application_secret
Square square_sandbox_application_secret
SSLMate sslmate_api_key
SSLMate sslmate_cluster_secret
Stripe stripe_test_secret_key
Tableau tableau_personal_access_token
WorkOS workos_staging_api_key
Yandex yandex_dictionary_api_key
Yandex yandex_cloud_api_key

Learn more about securing your repositories with secret scanning.

See more

Copilot extension for GitHub Models now requires updated permissions

The Copilot extension for GitHub Models now requires the models:read permission in order to access GitHub Models APIs. Users will need to reauthorize the extension by accepting the new permission via the email notification sent from GitHub.

This change follows our March 18 changelog, which announced that GitHub Apps and fine-grained PATs accessing GitHub Models would require the models:read permission.

If the updated permission is not granted, functionality like @models in chat may stop working.

To learn more about GitHub Models, check out the docs. You can also join our Community discussions.

See more

Windows arm64 hosted runners now available in public preview

Now in public preview, Windows arm64 hosted runners are available for free in public repositories. This runner comes with a Windows 11 Desktop image, fully equipped with all the tooling you need to quickly get started running your workflows. Following the release of linux arm64 hosted runners in January, this now extends to Windows support for the open source-community. These four vCPU runners provide a power-efficient compute layer for your Windows workloads. Arm-native developers can now build, test, and deploy entirely within the arm64 architecture without the need for virtualization on your actions runs.

How to use the runners

To leverage the arm64 hosted runners, add the following labels in your public repository workflow runs:

  • windows-11-arm

Please note that this label will not work in private repositories—the workflow will fail if you add it. All runs in public repositories will adhere to our standard runners usage limits, with maximum concurrencies based on your plan type. While the arm64 runners are in public preview, you may experience longer queue times during peak usage hours.

Images for arm64 larger runners

In partnership with Arm, there is now a Windows 11 desktop arm64 image with preinstalled tools available for all GitHub runner sizes, including both the new free offering and our existing arm64 larger runners. To use the new image on larger runners, you can create a new runner and select the Microsoft Windows 11 Desktop by Arm Limited image in the Images console.

To view the list of installed software, give feedback on the image, or report issues, visit the partner-runner-images repository.

Get started today!

To get started building windows on arm64 for free, simply add the new label to the runs-on syntax in your public actions workflow file. For more information on arm64 runners and how to use them, see our documentation and join the conversation in the Community discussion.

See more

OpenAI GPT-4.1 now available in public preview for GitHub Copilot and GitHub Models

GPT-4.1 release in GitHub Copilot and GitHub Models

OpenAI’s latest model, GPT-4.1, is now available in GitHub Copilot and GitHub Models, bringing OpenAI’s newest model to your coding workflow. This model outperforms GPT-4o across the board, with major gains in coding, instruction following, and long-context understanding. It has a larger context window and features a refreshed knowledge cutoff of June 2024.

OAI has optimized GPT-4.1 for real-world use based on direct developer feedback about: frontend coding, making fewer extraneous edits, following formats reliably, adhering to response structure and ordering, consistent tool usage, and more. This model is a strong default choice for common development tasks that benefit from speed, responsiveness, and general-purpose reasoning.

Copilot

OpenAI GPT-4.1 is rolling out for all Copilot Plans, including Copilot Free. You can access it through the model picker in Visual Studio Code and on github.com chat. To accelerate your workflow, whether you’re debugging, refactoring, modernizing, testing, or just getting started, select “GPT-4.1 (Preview)” to begin using it.

Enabling access

Copilot Enterprise administrators will need to enable access to GPT-4.1 through a new policy in Copilot settings. As an administrator, you can verify availability by checking your individual Copilot settings and confirming the policy for GPT-4.1 is set to enabled. Once enabled, users will see GPT-4.1 in the Copilot Chat model selector in VS Code and on github.com.

To learn more about the models available in Copilot, see our documentation on models and get started with Copilot today.

GitHub Models

GitHub Models users can now harness the power of GPT-4.1 to enhance their AI applications and projects. In the GitHub Models playground, you can experiment with sample prompts, refine your ideas, and iterate as you build. You can also try it alongside other models including those from Cohere, DeepSeek, Meta, and Microsoft.

To learn more about GitHub Models, check out the GitHub Models documentation.

Share your feedback

Join the Community discussion to share feedback and tips.

See more

The Llama 4 herd is now generally available in GitHub Models

Llama 4 release on GitHub Models

The latest AI models from Meta, Llama-4-Scout-17B-16E-Instruct and Llama-4-Maverick-17B-128E-Instruct-FP8, are now available on GitHub Models.

Llama-4-Scout-17B is a 17B parameter Mixture-of-Experts (MOE) model optimized for tasks like summarization, personalization, and reasoning. Its ability to handle extensive context makes it well-suited for tasks that require complex and detailed reasoning.

Llama-4-Maverick-17B is a 17B parameter Mixture-of-Experts (MOE) model designed for high-quality chat, creative writing, and precise image analysis. With its conversational fine-tuning and support for text and image understanding, Maverick is ideal for creating AI assitants and applications.

Try, compare, and implement these models in your code for free in the playground (Llama-4-Scout-17B-16E-Instruct and Llama-4-Maverick-17B-128E-Instruct-FP8) or through the GitHub API.

To learn more about GitHub Models, check out the docs. You can also join our community discussions.

See more

VSCode Copilot agent mode in Codespaces

GitHub Codespaces has introduced a new Agentic AI feature—you can now open a Codespace running VSCode’s Copilot agent mode, directly from a GitHub issue. With a single click, you can go from issue to implementation!

When you’re in a GitHub issue, the right-hand side of the view now displays a Code with Copilot Agent Mode button in the Development section. Clicking this button initializes a new Codespace, opens the Codespace in a new tab, and enables VSCode’s Copilot agent mode, using the issue body as context. Copilot will then get to work on the issue, thoroughly analyzing the codebase and considering dependencies to suggest appropriate file changes. You can then work with Copilot to fine tune your code and make modifications as required.

VSCode Agent Mode in Codespaces is in public preview, and we’ll be iterating on the experience over the upcoming months. Stay tuned for updates!

See more

Copilot Chat users can use the Gemini 2.5 Pro model in public preview

Gemini 2.5 Pro is now available to all GitHub Copilot customers. The latest Gemini model from Google is their most advanced model for complex tasks. It shows strong reasoning and code capabilities. It also leads on common coding, math, and science benchmarks.

Google Gemini 2.5 Pro announcement

Get started today!

Copilot Pro/Pro+ users

You can start using the new Gemini 2.5 Pro model today through the model selectors in Copilot Chat in VS Code and immersive chat on github.com.

Copilot Business or Enterprise users

Copilot Business and Enterprise organization administrators will need to grant access to Gemini 2.5 Pro in Copilot through a new policy in Copilot settings. Once enabled, users will see the model selector in VS Code and chat on github.com. You can confirm the model’s availability by checking individual Copilot settings and confirming the policy for Gemini 2.5 Pro is set to enabled.

Share your feedback

Join the Community discussion to share feedback and tips.

For additional information, check out the docs on Gemini 2.5 Pro in Copilot.

Learn more about the models available in Copilot in our documentation on models and get started with Copilot today.

See more

Removing hardcoded secrets detection from CodeQL

Starting May 30, 2025, CodeQL will no longer generate code scanning alerts for hardcoded secrets. Instead, we recommend using secret scanning to detect hardcoded secrets in your repositories, which has greater precision and recall than CodeQL. Secret scanning is a feature of GitHub Secret Protection.

Learn more about secret scanning, which scans your repositories for over 300 hardcoded secrets and uses Copilot to detect generic passwords. By using this detection instead of CodeQL, all your alerts for hardcoded secrets can be managed in one place.

What’s changing?

We’re disabling CodeQL detection of hardcoded secrets on May 30, 2025. This aligns with the release of CodeQL 2.21.4. We’ll post a follow-up notice to the GitHub changelog when this is complete. Once these checks are disabled, the next time your repository is analyzed using CodeQL, any code scanning alerts for hardcoded secrets will close. These alerts will stay in your historical security alert backlog.

These changes will also be included with GHES 3.18.

The following CodeQL queries will be disabled:

  • js/hardcoded-credentials
  • swift/hardcoded-key
  • swift/constant-password
  • cs/password-in-configuration
  • cs/hardcoded-credentials
  • js/password-in-configuration-file
  • py/hardcoded-credentials
  • go/hardcoded-credentials
  • rb/hardcoded-credentials
  • cs/hardcoded-connection-string-credentials
  • java/password-in-configuration

Why are we doing this?

The hardcoded secrets queries in CodeQL are redundant to the capabilities of secret scanning, which can result in duplicate alerts for the same secret. This creates unnecessary effort spent on manual deduplication of secret scanning and code scanning alerts. Secret scanning has superior accuracy and recall for detecting hardcoded secrets and provides additional metadata that’s helpful for remediation.

How do I get started?

Check out this introduction to getting started with GitHub Secret Protection:

Watch this video to learn more about deploying and managing Secret Protection at scale:

See more

GitHub Actions: macOS 15 and Windows 2025 images are now generally available

macOS 15 and Windows 2025 images are now generally available for all GitHub-hosted runners. You can use these images in your workflows on GitHub-hosted standard or larger runners.

Get started today

To use macOS 15 directly, update runs-on: in your workflow file to macos-15, macos-15-xlarge, or macos-15-large.

jobs:
  build:
    runs-on: macos-15
    steps:
      - uses: actions/checkout@v4
      - name: Build
        run: swift build
      - name: Run tests
        run: swift test

To use Windows 2025, you can target the image directly on standard runners using runs-on: windows-2025. For larger runners, create a runner and select Windows Server 2025 in the Images UI console.

The latest tag will migrate to these images later in the year.

Need support?

Keep in mind that the new runner images have different tools and tool versions than previous versions. To view the full list of software or report issues with your workflows when using the images, visit the runner-images repository.

See more

Copilot Chat now supports pasting GitHub URLs as explicit references

An illustration of a GitHub issue link with a purple and blue background. A URL is displayed in a browser bar at the top, with a dark notification box shows below it, all next to the Copilot logo.

Issues, discussions, and pull requests – these are all important pieces of context when building in GitHub. Now, you can reference these within Copilot Chat. Simply paste a link into the chat and Copilot will do the rest!

How it helps you

  • 📂 Multi-repository support: want to compare a pull request from one project with a discussion from another? No problem!
  • 🏷️ Intuitive navigation: maybe you pasted a link, got up to make a coffee, and forgot what you were doing. With chips in the chat context, you don’t need to worry – it will always be clear what you’ve added.
  • ⌨️ Context-building at your fingertips: let Copilot support you and integrate your work by focusing on the specific problems you want to address.

We like to think that GitHub files and Copilot are both great, and they’re even better when they come together. The power of Copilot and the fountain of knowledge in your repositories will collectively help you do amazing things. We know it.

💬 Let us know what you think using the in-product feedback option or pop it into the GitHub Community at any time.

See more

GitHub Actions hosted runner fleet now includes 96 vCPU larger runner

GitHub Actions 96 vCPU larger runners are now generally available. Customers in need of bigger, more powerful machines to run their workloads can use this runner to reduce runtime on their longer GitHub Actions builds.

This runner is an x64 machine and you can use any of our existing GitHub-owned Linux and Windows images on these runners. Our entire advanced feature set works with the new runner: static IPs, network configurations, autoscaling, and runner groups.

What are the machine specs?

  • vCPU: 96
  • RAM: 384 GB
  • SSD: 2040 GiB

Get started today

To get started, create a new, larger runner and choose the 96-core option in the Size console in the UI. Learn more about how to set up larger runners in our documentation. For pricing information on these larger runners see the billing for GitHub Actions page.

See more
View more changes