Subscribe to all Changelog posts via RSS or follow GitHub Changelog on Twitter to stay updated on everything we ship.

~ cd github-changelog
~/github-changelog|main git log main
showing all changes successfully

The GitHub Packages npm registry now runs on a new architecture, unlocking great new capabilities:

Publishing packages at organization level with GitHub Packages

Previously, npm packages published to GitHub packages were closely coupled to their repositories. Now packages can be published at an organization level. They can still be linked to a repository at any time, if needed.

Learn more about connecting a repository to a package.

Fine grained permissions for npm packages published to GitHub Packages

You can now configure Actions and Codespaces repository access on the package’s settings page, or invite other users to access the package. Additionally, npm packages published to GitHub packages can still be configured to automatically inherit all permissions from a linked repositories.

Learn more about configuring a package’s access control.

Internal visibility

In addition to public and private, a package’s visibility can now also be set to internal. It is then visible for all members of the GitHub organization.

These new features are now available to all users on

Read more about working with the GitHub npm registry

We appreciate your feedback on these new changes in GitHub’s public community discussions!

See more

GitHub Enterprise Cloud (GHEC) customers can now participate in a public beta enabling audit log streaming to a Datadog endpoint. Joining this beta allows enterprises to continue to satisfy long-term data retention goals and also analyze GitHub audit log data using the tools offered by Datadog.

GHEC administrators interested in participating in the public beta can enable audit log streaming by following the instructions for setting up streaming to Datadog. Customers can provide feedback on their experience at the audit log streaming to Datadog community discussion.

See more

The default code scanning query suites include checks for the most important security vulnerabilities for each supported language, so that any potential problems can be surfaced to developers before they are committed to their repository. However, in some situations a particular check is not relevant for a codebase and you might prefer to not run that CodeQL query. You can now easily exclude queries using code scanning query filters.

Query filters use the same syntax as CodeQL query suites and you can filter on any CodeQL query metadata property. Query filters must be specified in a custom code scanning configuration file, which you refer to from your code scanning analysis workflow file.

In your code scanning workflow file, use the config-file parameter of the init action to specify the path to the configuration file you want to use:

- uses: github/codeql-action/init@v2
    config-file: path/to/config/file.yml

In your configuration file, specify the query filters you want to use. For example, to exclude the Unsafe HTML constructed from library input query from the default code scanning query suite for JavaScript you can specify its id in an exclude block:

name: "My code scanning CodeQL config"

- exclude:
     id: js/html-constructed-from-input

For more information about how to use query filters, see Configuring code scanning in the code scanning documentation.

See more

We've updated the notifications settings page to be more vibrant and easier to understand what changes you're making. Here are some of the updates:

  • Confirmation of which email you'd like to receive notifications at
  • Grouping of your subscriptions and where you receive notifications
  • Grouping of system-related notifications

Learn more here.
An image showing the before and after of notification settings changes. Top of the UI features the ability to choose the default notifications email, with ability to automatically watch repositories and teams just below. From there, a developer can manage their subscriptions for repositories as well as system-related notifications.

See more

GitHub Desktop 3.0.6 brings a slew of community contributions! As an open source project, we are always so grateful to our contributors who make Desktop better for themselves and others. Additionally, we’ve improved the recognition of default branch changes.


  • Add Warp terminal integration for macOS. Thanks @lhvy!
  • Add PyCharm Community Edition support on macOS. Thanks @tsvetilian-ty!
  • Add context menu to the current branch and current repository toolbar. Thanks @uttiya10!


  • Older versions of Sublime Text and SlickEdit are also recognized as external editors. Thanks @vbwx!
  • Fix commit shortcut (Ctrl/Cmd + Enter). Thanks @tsvetilian-ty!
  • Show 'Email' label on the preferences form when user is not signed in. Thanks @andymckay!
  • Fix invalid URL state while the "Clone Repository" modal is open. Thanks @tsvetilian-ty!
  • Fix commit description with three lines overflowing when it shouldn't. Thanks @HeCorr!
  • 'Update from default branch` menu item allows quick merge of upstream. Thanks @uttiya10!
  • Unified diff line gutter context menu items for discard changes no longer enabled when whitespace is hidden.
  • 'Show Whitespace Changes' popover appears as expected on unified diff.
  • On pull or fetch, make sure the default branch is updated to match the repository settings.
  • Fix notifications on Windows 10 builds prior to the Creators Update.


  • Add ability to skip staggered release to ensure the latest version is downloaded.

Learn more about GitHub Desktop

See more

GitHub Advanced Security customers using secret scanning can now specify a custom link that will show in the error message when push protection detects and blocks a potential secret. Admins can use the custom link to provide their developers with a point of reference on best practices with secrets.

Learn more about protecting pushes with secret scanning.

Custom link displayed in a push protection error message

See more

We updated the web UI to make keeping forks in sync with their upstream repositories more intuitive. "Fetch upstream" has been renamed to "Sync fork," which better describes the button's behavior. If the sync causes a conflict, the web UI prompts users to contribute their changes to the upstream, discard their changes, or resolve the conflict.

Image of sync fork button

Read more about branches.

Read more about working with forks.

See more

OpenID Connect (OIDC) support in GitHub Actions is now enhanced to support secure cloud deployments at scale.

Org & repo admins can use the new OIDC API support to:

  • enable a standard OIDC configuration across their cloud deployment workflows by customizing the subject claim format.
  • ensure additional compliance & security for their OIDC based deployments by appending the issuer url with their enterprise slug
  • configure advanced OIDC policies by using the additional OIDC token claims like repository_id and repo_visibility.

Learn more about Security hardening your GitHub Workflows using OpenID Connect.

See more

In May we shipped a setting for including the pull request title in the default commit message presented to users when squash merging a pull request. We just shipped more options for customizing the default commit message, including using the pull request's description! You can also now customize the default commit messages for merge commit merges. The goal is more predictable, consistent, and useful commit messages for your pull requests, which translate to a more useful Git commit history.

How it works

From repository settings, a maintainer or admin can choose the default format for commit messages produced when merging pull requests:

This selection is used to form a default commit message that gets presented to users on the pull request page when merging a pull request. For example, assume Default to pull request title and description is selected and a user clicks to merge a pull request with this description:

The default commit message will include the pull request's title and description:

The user can then accept this commit message or make changes before merging.


For merge commit merging:

  • Default message: pull request number and head branch on the first line; pull request title on the third line
  • Pull request title: pull request title and number on the first line
  • Pull request title and description: pull request title and number on the first line; pull request description starting on the third line

For squash merging:

  • Default message: commit title and commit message (if the pull request contains a single commit), or the pull request title and number and list of commits (if the pull request contains multiple commits)
  • Pull request title: pull request title and number on the first line
  • Pull request title and commit details: pull request title and number on the first line; commit message (if a single commit) or list of commits (if multiple commits)
  • Pull request title and description: pull request title and number on the first line; pull request description starting on the third line

Additional details

If no message is provided when merging a pull request using the REST API or GraphQL mutation, a default commit message will be formed based on the selected message format and merge method.

The default message format can be managed using the Create a repository or Update a repository REST APIs. See the merge_commit_title, merge_commit_message, and squash_merge_commit_title, squash_merge_commit_message parameters.


We want to hear from you! Tell us what you think and how we can make it better:

Learn more

Learn more about configuring merge commit merging and configuring squash merging.

See more

With this update, organization admins can manage billing settings for codespaces that are created for organization controlled repositories. Admins can choose to opt-in to the organization covering the bill for GitHub Codespaces, enable Codespaces access only for select members of the organization, allow for all organization members, or also include outside collaborators. See the screenshot below, and documentation for Enabling GitHub Codespaces for your organization for more details.

Organization Settings Billing UI

Note: The functionality of this interface remains the same. The label was updated to "Billing" where it used to be labeled "User permissions" to increase clarity. There are no changes required to your settings as a result of this update.

Any GitHub user who can clone a repository and has access to Codespaces will be able to create a codespace for it. To manage who can clone a repository in your Organization see Managing teams and people with access to your repository.

See more

GitHub now supports SSH commit verification, so you can sign commits and tags locally using a self-generated SSH public key, which will give others confidence about the origin of a change you have made. If a commit or tag has an SSH signature that is cryptographically verifiable, GitHub makes the commit or tag "Verified" or "Partially Verified."


If you already use an SSH key to authenticate with GitHub, you can now upload the same or a different key pair’s public key to use it as a signing key. There is no limit to the number of signing keys you can add to your account. For more information, visit SSH Commit Verification in the GitHub documentation.


See more

Reusable workflows can now be called from a matrix and other reusable workflows.

You can now nest up to 4 levels of reusable workflows giving you greater flexibility and better code reuse. Calling a reusable workflow from a matrix allows you to create richer parameterized builds and deployments.

Learn more about nesting reusable workflows.

Learn more about using reusable workflows with the matrix strategy..

For questions and feedback, visit the GitHub Actions community.

See more

This feature is available to repositories enrolled in the Pull Request Merge Queue beta.

A new webhook event and GitHub Actions workflow trigger (merge_group) makes it easier to run required status checks on merge groups created by merge queue. A merge group includes the changes from one or more pull requests and must pass the status checks required by the target branch.

A merge_group webhook event, which currently has one supported action (checks_requested), is sent after a merge group is created and informs receivers, including GitHub Actions, when status checks are needed on the merge group. The event payload includes head_sha, the commit SHA that should be validated and have status reported on using check runs or commit statuses. For GitHub Actions, status is reported automatically at the conclusion of jobs in the triggered workflow.

To trigger a GitHub Actions workflow for a merge group, the merge_group trigger should be used. The following example triggers on individual pull requests and merge groups targeting the main branch:

# Trigger this workflow on individual pull requests and merge groups that target the `main` branch
    branches: [ main ]
    branches: [ main ]

A push event is still sent when a merge group branch is created, and will trigger a GitHub Actions workflow. However, unlike a merge_group event, a push event does not include the target branch of the merge group.

Learn more about using merge queue.

Learn more about the new GitHub Actions merge_group workflow trigger and the merge_group webhook event.

See more

We’ve made a series of improvements to the GitHub Connect license sync feature in addition to the "Sync now" button we recently added in GHES:

  1. Enterprise administrators can now access a refreshed Consumed License CSV that includes additional data, such as the saml_name_id and the GitHub Enterprise Cloud email address (for verified domains only) for each user;
  2. Enterprise administrators also have access to two new License REST API endpoints:
    a. consumed-licenses: returns the same Consumed License data found in the CSV download
    b. license-sync-status: returns information related to the license sync job status
  3. We improved the license sync matching algorithm for enterprises that use SAML SSO. We now attempt to match Server user accounts against SAML attributes in addition to matching against users' GitHub Enterprise Cloud email addresses. This improvement eliminates the need for enterprise administrators to require users to add their work-related email addresses to their GitHub Enterprise Cloud account.

Learn more about license sync and give us your feedback

See more

GitHub secret scanning protects users by searching repositories for known types of secrets. By identifying and flagging these secrets, our scans help prevent data leaks and fraud.

We have partnered with Prefect to scan for their access tokens and help secure our mutual users on public and private repositories. The Prefect service account API keys are not associated with a user and are restricted to a specific tenant, but they are recommended for application and automation use. GitHub will forward access tokens found in public repositories to Prefect, who will immediately email the owner of the leaked key. More information about Prefect API Tokens can be found here.

GitHub Advanced Security customers can also scan for Prefect tokens and block them from entering their private and public repositories with push protection.

See more

You can now create a custom role to bypass branch protections without having to grant the Admin role. Previously, to bypass branch protections you had to be an Admin which provides additional permissions that may not be needed. For tighter control of Admin permissions, you can now craft a custom role that has the Bypass branch protections permission, allowing just the right amount of access.

Image of Custom roles Inherited from Maintain role that adds the new Bypass branch protections permission

To enforce branch protections for all Admins and roles with the "Bypass branch protections" permission, enable Do not allow bypassing the above settings in your branch protection rules.

Image of checkbox selecting Do not allow bypassing the above settings

This permission differs from the Push commits to protected branches permission, which allows pushing to a protected branch, but branch protection rules will still apply and could result in a push being denied.

For more information, visit Managing custom repository roles for an organization in the GitHub documentation.

We appreciate feedback on this and other topics in GitHub's public feedback discussions.

See more