GitHub Enterprise Cloud administrators can now download and view the latest GitHub SOC 1, Type 2 and SOC 2, Type 2 compliance reports for 2021. These reports can be found under the Compliance settings tab of their enterprise account: https://github.com/enterprises/"your-enterprise"/settings/compliance.
For organizations, these reports can be found under the Organization Security settings tab of their organization: https://github.com/organizations/"your-org"/settings/security.
On February 16, 2022, all non-audit-related npm Advisory APIs will be deprecated. Historically these undocumented APIs have been used to programmatically access advisory data. If you don’t use these APIs, you don’t need to take any action at this time.
Earlier this year, all npm advisory APIs were updated to be powered by the GitHub Advisory Database. As part of this work, we have created a service that converts the GitHub Advisory entries into a format that is compatible with the npm CLI and other tools that rely on our audit APIs that manage POST requests.
All non-audit-related npm Advisory APIs will be deprecated as the data being served from them has been modified from the original source, the GitHub Advisory Database.
We recommend customers who wish to continue utilizing advisory data should switch to the GitHub Security Advisory GraphQL API.
You can now add custom parameters to your sponsorship URL in order to see what links your sponsors are coming to you from. Learn more about formatting your custom URLs and how to export the metadata in the documentation.
You can manage your keyboard shortcuts using the new accessibility settings page.
You can choose to disable "character key shortcuts". This turns off keyboard shortcuts that only use single characters like s, g c, and . (the period key). Shortcuts which make use of modifier keys like command and control are not affected by this setting.
This feature prevents accidental triggering of keyboard shortcuts. This is important for people who use a keyboard and for people who use assistive technologies like voice input.
Windows Server 2022 with Visual Studio 2022 is now generally available on GitHub-hosted runners. To use it now, simply add runs-on: windows-2022 in your workflow file. Otherwise, our recommendation is to use windows-latest, which currently utilizes Windows 2019 but will begin running on Windows 2022 in the near future. This will ensure your workflows are always using a recent OS and removes the need to constantly update workflow files with image versions.
jobs:
build:
runs-on: windows-2022
steps:
- uses: actions/checkout@v2
- uses: actions/setup-dotnet@v1
- name: Build
run: dotnet build
- name: Run tests
run: dotnet testThe Windows Server 2022 runner image has different tools and tool versions than Windows Server 2019.
Read more on available runner images and beta images terms of use in our documentation.
Right-to-left languages are now supported natively in Markdown files, issues, pull requests, discussions, and comments.
Do you think they could be even better? Let us know how we can improve by contributing to our discussion.
On Saturday November 13, 2021 from 7:00PM to 9:00PM PST, GitHub’s billing systems will undergo scheduled maintenance.
During this time period, certain payment functionalities will be unavailable including:
Thank you for your patience as we work to improve our systems.
You can now export your Advanced Security license data to review usage across your business. The CSV data can be downloaded at both enterprise and organization level, and contains: the organization, repository, username, and the user's most recent commit date. This data can be used to answer questions like, "which users are consuming an Advanced Security committer seat?", "which Advanced Security-enabled repos is a user contributing to?", and "how are Advanced Security licenses being consumed across orgs?".
For organizations, download the CSV on the organization billing settings page and security & analysis settings page.
For enterprises, download the CSV on the enterprise licensing settings page.
The Advanced Security billing data can also be retrieved via the billing API. For organization-level data use the /orgs/{org}/settings/billing/advanced-security endpoint, and for enterprise-level data use the /enterprises/{enterprise}/settings/billing/advanced-security endpoint.
This has shipped on GitHub Enterprise Cloud and will be available on GitHub Enterprise Server 3.4.
Read more about viewing your Advanced Security usage, the organization-level billing API, and the enterprise-level billing API.
You can now quickly create a Markdown link in all Markdown-enabled fields, like issue comments and pull request descriptions, by pasting a URL on text that you have previously selected.
Learn more about writing and formatting on GitHub.
The "Only notify requested team members" setting can now be enabled independently of "Enable auto assignment" in the Team's code review settings.
This is useful in scenarios where many users are auto assigned but not all users require notification. For example, when repositories are configured with teams as code owners but contributors know the specific individual to review their pull request. This setting now allows you to require that team for review, but without always notifying the whole team unnecessarily.
Read more about managing code review settings for your team.
You can now specify input types for manually triggered workflows allowing you to provide a better experience to users of your workflow. In addition to the default string type, we now support choice, boolean, and environment.
name: Mixed inputs
on:
workflow_dispatch:
inputs:
name:
type: choice
description: Who to greet
options:
- monalisa
- cschleiden
message:
required: true
use-emoji:
type: boolean
description: Include 🎉🤣 emojis
environment:
type: environment
jobs:
greet:
runs-on: ubuntu-latest
steps:
- name: Send greeting
run: echo "${{ github.event.inputs.message }} ${{ fromJSON('["", "🥳"]')[github.event.inputs.use-emoji == 'true'] }} ${{ github.event.inputs.name }}"Learn more about workflow inputs.
For questions, visit the GitHub Actions community.
To see what's next for Actions, visit our public roadmap.
GitHub Enterprise Cloud standalone organizations paying by invoice may now update to an enterprise account via a self-service flow.
Organization owners may navigate to the organization's billing page and click "Upgrade to Enterprise Account" to begin. There are no changes to licensing agreement or payment terms. In the new enterprise account, every organization owner will be granted the enterprise owner role.
Enterprise accounts allow you to create new organizations, manage policies and users, and provide a single point to manage and view multiple organizations. Enterprise accounts also grant access to features like audit log streaming, enterprise verified domains, and enable cross-organization collaboration via internal repositories.
Learn more about upgrading to an enterprise account.
We’ve improved the depth of CodeQL's analysis by adding support for more libraries and frameworks and increasing the coverage of our existing library and framework models. JavaScript analysis now supports most common templating languages, and Java now covers more than three times the endpoints of previous CodeQL versions. As a result, CodeQL can now detect even more potential sources of untrusted user data, steps through which that data flows, and potentially dangerous sinks in which this data could end up. This results in an overall improvement of the quality of the code scanning alerts.
We carefully choose and prioritize the libraries and frameworks supported by CodeQL based on their popularity and through user feedback. These improvements are now available to users of CodeQL code scanning on GitHub.com, and will also be available in the next release of GitHub Enterprise Server (3.3).
Java
We've improved coverage for the following libraries:
JavaScript
We've added support for the following templating languages:
Learn more about CodeQL and code scanning.
Developers and security researchers using the CodeQL CLI and VS Code extension can now build databases and analyze code on machines powered by Apple Silicon (e.g. Apple M1).
In order to use the CodeQL CLI and/or the VS Code extension on Apple Silicon, please make sure to install the Xcode command-line developer tools and Rosetta 2.
For detailed instructions on how to set up the CLI on supported platforms, please refer to the CodeQL CLI guide.
Learn more about CodeQL and code scanning.
You can now require that all changes to a protected branch are made using a pull request, but without requiring reviews. This can be useful when you want to use pull requests for tracking purposes or to simplify your continuous integration (CI) configuration, but don't want to gate merging on review.
Previously, you could create a branch protection rule that required pull requests with approving reviews before commits could be merged into a branch. When pull requests were required, approving reviews were also required. This didn’t meet the needs of users who wanted to require pull requests for tracking purposes or CI validation, but who didn’t want their ability to merge to be gated by approving reviews.
Now, requiring pull requests and requiring approving reviews are separate options of protecting a branch. For example, you can now require pull requests without requiring reviews, or with requiring approving reviews. This flexibility lets you choose what is best for you and your branches.
For more information, visit Managing a branch protection rule.
Code scanning alerts now integrate with GitHub Issues task lists to make it easy to prioritize and track your alerts with all your development work.
You can use the task list feature in markdown to track a code scanning alert in an issue. When you add a code scanning alert to a task list in an issue, a "tracked in" pill will show on the corresponding alert page. The code scanning alerts page also shows which alerts are tracked in issues.
You can also create a new issue from a code scanning alert, which automatically adds the code scanning alert to a task list in the new issue.
This feature has now shipped in beta for all users on GitHub.com.
Learn more about tracking code scanning alerts in Issues using task lists.
We made three improvements to the repository invite experience, so you can start contributing faster:
GitHub secret scanning helps protect users by searching repositories for known types of secrets. By flagging leaked secrets, our scans can prevent data leaks and prevent the fraudulent use of accidentally committed secrets.
We have partnered with Meta to scan for their access tokens and help keep our mutual users secure. Our scan currently covers Facebook user access tokens and page access tokens. These tokens provide permissions to APIs that read, write, or modify the data belonging to a Facebook user or page.
We'll forward access tokens found in public repositories to Meta. Meta will then automatically invalidate tokens that have a valid session and notify app developers.
We continue to welcome new partners for public repo secret scanning. GitHub Advanced Security customers can also scan their private repositories for leaked secrets.
The GitHub Enterprise Server 3.3 Release Candidate is available. This release contains a broad range of features and enhancements across the platform including GitHub Actions, Security, and a host of helpful productivity improvements.
Read the blog post to discover the highlights in this release, or dive into the full GitHub Enterprise Server 3.3 release notes.
Release Candidates are a way for you to try the latest features at the earliest time, and they help us gather feedback early to ensure the release works in your environment. They should be tested on non-production environments.
Actions written in YAML, also known as composite actions, now support if conditionals. This lets you prevent specific steps from executing unless a condition has been met. Like steps defined in workflows, you can use any supported context and expression to create a conditional.
Learn more about actions written in YAML.
For questions, visit the GitHub Actions community