Changelog

Up until today, the GitHub Advisory Database has only published advisories that have been curated and approved by our Security Lab team.

This approach meant users sometimes couldn't find advisories in our database when searching, so the Advisory Database now has a separate section of listings for unreviewed advisories. These will be auto-published from the National Vulnerability Database feed.

If you search for a term like "WordPress plugin," you can now see listings that are both GitHub reviewed and unreviewed. If you'd like to filter for only reviewed advisories, add type:reviewed to your query. Alternatively, you can enter your query and then click the "All reviewed" button on the left-hand sidebar.

Dependabot alerts will continue to only be generated for GitHub Reviewed advisories in order to preserve their curated level of quality.

Now, only admins can rename branches that are protected by branch protection rules.

GitHub allows repository collaborators to rename every branch in a repository, with the exception of the default branch.
When a collaborator renames a branch, any non-wildcard branch protection rules that apply to that branch are also changed to match the branch's new name.
Because only admins can modify branch protection rules, renaming of a protected branch is now limited to admin users.

For more information, visit Renaming a branch and Managing a branch protection rule.

GitHub upgraded its OpenAPI description to the OpenAPI Specification (OAS) 3.1.

Upgrading to OAS 3.1 will enable us to add GitHub Webhooks to the description, simplify the description of nullable schemas, and reduce the description size by removing duplicate nullable reference schemas.

The GitHub OpenAPI description contains more than 600 operations exposed in our API. For visual exploration of the API, you can load the description as a Postman Collection. Programmatically, the description can be used to generate mock servers, test suites, and bindings for languages not supported by Octokit.

The description is provided in two formats. The bundled version is preferred for most use cases as it makes use of OpenAPI components for reuse and readability. For tooling that doesn't support inline references to components, we also provide a fully dereferenced version.

We are currently still publishing the 3.0 version of the description, which is now generally available in the latest release. The 3.1 version of the description is being published in parallel and can be found in the descriptions-next folder in the github/rest-api-description repository. More information about GitHub's OpenAPI description can also be found in our documentation.

Following our last update, we have a number of exciting updates and improvements being released today for the new projects experience.

🔗 Stay in sync with linked pull requests

Linked pull requests, one of the top requested features, is our latest field type for both the table and board layouts, so you can now easily see what work is in progress.

  • Open the new field menu or the command palette to add the field linked pull requests to any of your existing views.
  • On the table this will display as a new column.
  • Or on the board this will display embedded in the card.
  • Learn more about linking issues and pull requests.

📝 Shape your draft issues

We have added multiple improvements for draft issues. You can now:

  • Add assignees ✨.
  • Include a markdown body.
  • View and edit the content in our new side-panel.

Then easily convert your draft to an issue in your chosen repository when you are ready.

🐇 Access your projects through your repository

To bring your projects closer to your code, you can now curate a list of projects useful to your team under the projects tab in any repository. Projects are still created and owned by the organization or user but are now much faster to access.

  • Open the projects tab in a repository.
  • Hit the add projects button to search for a project under the same organization or user account as the repository.

✨ Bug fixes & improvements

Other changes include:

  • Group by is now enabled for both assignees and repositories ✨.
  • Iterations have a new filter option to always return the @current iteration.
  • Bug fix for certain Japanese characters in the omnibar.
  • The current iteration now includes the current label when in group by.
  • Date ranges for iterations are included in the board layout.
  • Bug fix – sort by assignee will now be in alphabetical order, regardless of case.

See how to use GitHub for project planning with GitHub Issues, check out what’s on the roadmap, and learn more in the docs.

Until now, Codespaces have been limited to specific users or all members of an organization, which, while great for day-to-day software development, didn't allow everyone in an organization to participate. That's why we're so happy to announce that as of today, you can invite outside collaborators to access Codespaces.

Outside collaborators expand Codespaces to use cases like interviewing, training, and teaching, where you can easily add outside collaborators to specific repositories within your organization (or, in certain cases, give each collaborator their own repository). Start by granting "All members and outside collaborators" access to Codespaces, then invite collaborators to the repositories you want them to use Codespaces in.

For more information, see "Enabling Codespaces for your organization."

In the latest update to our GitHub-hosted runners virtual environments, Node.js 16 has become the default version of node and npm 8 has become the default version of npm.

To select the version of Node.js that you use for your projects, we encourage you to use the setup-node action.

For questions, visit the GitHub Actions community.

To see what's next for Actions, visit our public roadmap.

We have released improvements to the code scanning API:

  • We've added the fixed_at timestamp to alerts. It records the first time that the alert was not detected in an analysis. You can use this data to better understand when code scanning alerts are being fixed.
  • We've enabled sorting of alert results using the sort and direction parameters, on either created, updated or number. Use this to see the alerts that are most important to you first. For more information, see List code scanning alerts for a repository.
  • We've added a Last-Modified header to the alerts and alert endpoint response. For more information, see Last-Modified in the Mozilla documentation.
  • We've added relatedLocations to the SARIF response when you request a code scanning analysis. The field may contain locations which are not the primary location of the alert. See an example in the SARIF spec and read about getting a code scanning analysis for a repository.
  • We've added help and tags data to the webhook response alert rule object. For more information, see Code scanning alert webhooks events and payloads.
  • PATs with the public_repo scope now have write access for code scanning endpoints on public repos, if the user has permission. This is a bug fix and is now in line with the documentation.

For more information, see Code scanning in the API reference.
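As an added example (not GitHub's code), the sketch below uses the new fixed_at timestamp together with created_at to measure time-to-fix per rule, and lists open alerts oldest first, the order that sort=created with direction=asc requests. The alert records are constructed samples carrying only the fields used, and the function names are hypothetical.

```python
import json
from datetime import datetime
from statistics import median

# Constructed sample, shaped like items from "List code scanning alerts for a
# repository"; only the fields used below are included.
SAMPLE_ALERTS = json.loads("""[
 {"number": 1, "state": "fixed", "rule": {"id": "js/sql-injection"},
  "created_at": "2021-11-01T00:00:00Z", "fixed_at": "2021-11-03T00:00:00Z"},
 {"number": 2, "state": "fixed", "rule": {"id": "js/sql-injection"},
  "created_at": "2021-11-05T00:00:00Z", "fixed_at": "2021-11-11T00:00:00Z"},
 {"number": 3, "state": "open", "rule": {"id": "js/xss"},
  "created_at": "2021-11-10T12:00:00Z", "fixed_at": null},
 {"number": 4, "state": "fixed", "rule": {"id": "js/xss"},
  "created_at": "2021-11-02T00:00:00Z", "fixed_at": "2021-11-02T12:00:00Z"},
 {"number": 5, "state": "open", "rule": {"id": "py/path-injection"},
  "created_at": "2021-10-20T00:00:00Z", "fixed_at": null}
]""")

def parse_ts(value):
    """Parse a UTC timestamp such as 2021-11-01T00:00:00Z; null stays None."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ") if value else None

def median_days_to_fix(alerts):
    """Median days from created_at to fixed_at per rule id; unfixed alerts are skipped."""
    per_rule = {}
    for alert in alerts:
        created = parse_ts(alert.get("created_at"))
        fixed = parse_ts(alert.get("fixed_at"))
        if created is None or fixed is None or fixed < created:
            continue  # still open, or inconsistent timestamps
        days = (fixed - created).total_seconds() / 86400
        per_rule.setdefault(alert["rule"]["id"], []).append(days)
    return {rule: round(median(days), 2) for rule, days in per_rule.items()}

def oldest_open(alerts, now):
    """(number, age in whole days) for open alerts, oldest first."""
    open_alerts = [a for a in alerts if a["state"] == "open"]
    open_alerts.sort(key=lambda a: parse_ts(a["created_at"]))
    return [(a["number"], (now - parse_ts(a["created_at"])).days) for a in open_alerts]

if __name__ == "__main__":
    print(median_days_to_fix(SAMPLE_ALERTS))
    print(oldest_open(SAMPLE_ALERTS, datetime(2021, 12, 1)))
```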

Starting 12-09-2021, GitHub Actions workflows triggered by Dependabot for the create, deployment, and deployment_status events will always receive a read-only token and no secrets.

Starting 12-09-2021, GitHub Actions workflows triggered by Dependabot for the pull_request_target event on pull requests where the base ref was created by Dependabot will always receive a read-only token and no secrets.

Both changes are designed to prevent potentially malicious code from executing in a privileged workflow.
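One way to find workflows these restrictions can affect, as an added example that is not GitHub's tooling: a heuristic scan of a workflow file for the listed events, for secrets other than GITHUB_TOKEN, and for requested write scopes. The workflow text, the secret name and the function names are constructed for illustration, and the `on:` parsing is a best-effort reading without a YAML parser.

```python
import re

# Events named in the entry above. The workflow is constructed; SLACK_WEBHOOK is made up.
RESTRICTED_EVENTS = {"create", "deployment", "deployment_status", "pull_request_target"}
SAMPLE_WORKFLOW = """\
on:
  pull_request_target:
    types: [opened]
permissions:
  pull-requests: write
jobs:
  notify:
    runs-on: ubuntu-latest
    steps:
      - run: ./notify.sh
        env:
          TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SLACK: ${{ secrets.SLACK_WEBHOOK }}
"""

def trigger_events(text):
    """Best-effort read of the top-level `on:` key (heuristic, no YAML parser)."""
    events = set()
    lines = [l for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    for i, line in enumerate(lines):
        m = re.match(r"""^["']?on["']?\s*:(.*)$""", line)
        if not m:
            continue
        inline = m.group(1).split("#")[0].strip()
        if inline:  # `on: push` or `on: [push, create]`
            events.update(e.strip(" '\"") for e in inline.strip("[]").split(",") if e.strip())
            continue
        indent = None
        for child in lines[i + 1:]:
            depth = len(child) - len(child.lstrip())
            if depth == 0:
                break  # reached the next top-level key
            indent = depth if indent is None else indent
            if depth == indent:  # direct children of `on:` are event names
                events.add(child.strip().lstrip("- ").split(":")[0].strip())
    return events

def audit(text):
    """What a Dependabot-triggered run could lose, or None if no listed event is used."""
    hit = trigger_events(text) & RESTRICTED_EVENTS
    secrets = set(re.findall(r"secrets\.([A-Za-z_]\w*)", text)) - {"GITHUB_TOKEN"}
    writes = set(re.findall(r"^[ \t]+([a-z-]+):[ \t]*write[ \t]*$", text, re.M))
    found = {"events": sorted(hit), "secrets": sorted(secrets), "write_scopes": sorted(writes)}
    return found if hit else None
```

A non-None result marks a workflow to review: under these rules a Dependabot-triggered run gets none of the listed secrets, and its token cannot use the listed write scopes.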

Learn more about using Actions and Dependabot together.

For questions, visit the GitHub Actions community.

To see what's next for Actions, visit our public roadmap.

GitHub Enterprise Server 3.3 is Generally Available!

GitHub Enterprise Server 3.3 is now generally available for all customers. There are three exciting new betas to explore, dozens of productivity enhancements, and performance improvements for CI/CD.

For more information about GitHub Enterprise Server 3.3, read the blog post and release notes or download it today. Alternatively, enjoy this ten-minute overview presentation.

Are you using the latest GitHub Enterprise Server version? Use the Upgrade Assistant to find the upgrade path from your current version of GitHub Enterprise Server to your desired version.

We have added support for sigstore container signing to the default GitHub Actions starter workflow for publishing container images. New workflows on public repositories will use this by default. If you have an existing workflow, you will need to update your workflow to take advantage of this capability.

For more information, please read the announcement on the GitHub Blog.

GitHub secret scanning protects users by searching repositories for known types of secrets. By identifying and flagging these secrets, our scans may prevent data leaks and any fraud associated with exposed data.

We have partnered with Typeform to scan for their access tokens and help secure our mutual users. Typeform API tokens allow Typeform users to create forms, retrieve responses, and configure webhooks. More information about Typeform API tokens can be found here.

We’ll forward access tokens found in public repositories to Typeform, who will verify and automatically disable the token. Typeform will then notify the user with the detection details (token name, where it was detected, and the token scopes).

We continue to welcome new partners for public repo secret scanning. GitHub Advanced Security customers can also scan their private repositories for leaked secrets.

By default, Codespaces time out after 30 minutes of inactivity. We’ve heard from many users that they want to extend this up to an entire workday. You can now set a default idle timeout for your codespaces from five minutes to four hours, as well as override the idle timeout for an individual codespace using the gh CLI.

For more information, see “Setting your timeout period for Codespaces”.

We’re consistently expanding the capabilities of projects (boards & tables) on GitHub, and we’ve got a handful of exciting updates and improvements launching today.

💫 View your boards by any field

When you are in the board layout, you can now pick any single select or iteration field to use for columns.

  • Open the view settings menu and select column field.
  • Choose any of the available single select or iteration type fields.
  • Drag and drop your items to update your selected field.

✅ Set fields to items added under a filter

No more disappearing items. When you add an item to a view with a filter, those fields will now automatically be set.

👋 See your team

With our new presence indicators, we continue to evolve the real-time experience in projects: you can see who on your team is making updates to the same projects you are. Presence indicators are currently only enabled for organization-owned private projects.

✨ Bug fixes & improvements

Other changes include:

  • Clicking into the filter bar will now automatically add a space.
  • Bug fix where previous iterations would not display in the board layout.
  • Fixed an overflow issue with long view names.
  • Added the ability to filter by type, to switch between users or teams under the manage access settings page.

See how to use GitHub for project planning with GitHub Issues, check out what’s on the roadmap, and learn more in the docs.

Dotfiles are a common way to specify custom, user-specific behavior for applications (like Vim or Emacs) and shells on your codespaces. Previously, if enabled, dotfiles stored in a user's public dotfiles repository would be used for this configuration. With this change, any user-owned repo, including private repos, can be used to install dotfiles into your codespaces.

For more information, see "Dotfiles".

GitHub Advanced Security customers can now use the GitHub REST API to retrieve commit details of secrets detected in private repository scans. Now available on cloud, the new endpoint will surface details of a secret's first detection within a file, including the secret's location and commit SHA.

Learn more about the secret scanning REST API.
Learn more about private repository scanning with Advanced Security.
