Skip to content

Changelog

Subscribe to all Changelog posts via RSS or follow GitHub Changelog on Twitter to stay updated on everything we ship.

~ cd github-changelog
~/github-changelog|main git log main
showing all changes successfully

GitHub Enterprise Server 3.1 is available as a release candidate

GitHub Enterprise Server 3.1 is available now as a release candidate.

The latest version of GitHub Enterprise Server brings a host of features to help teams focus on the work that matters most. That includes:

  • GitHub Actions workflow visualizations – track and troubleshoot complex workflows at a glance
  • Automerge pull requests – automatically merge a pull request the moment it’s ready
  • Repository performance optimization – for large, busy repositories

Customers using GitHub Advanced Security will now benefit from the general availability of secret scanning, and support for more libraries and frameworks with code scanning than ever before.

For more information, see the full GitHub Enterprise Server 3.1 RC blog post.

See more

Sync an out of date branch of a fork from the web

You can now use the web UI to synchronize an out of date branch of a fork with its upstream branch. If there are no merge conflicts between the branches, the fork's branch is updated either by fast-forwarding or by merging from the upstream's branch. If there are conflicts, you will be prompted to open a pull request to resolve.

Fetch upstream up to date, no conflict, and conflict flows

See more

Repository level notification controls for security alerts

We are implementing a change to the default notification settings for security alerts. Previously, if you had permission to view security alerts in a repository, you would receive notifications for that repository as long as your settings allowed for security alert notifications. Starting today, we are moving to a model where you must opt-in to security alert notifications by watching the repository. You will be notified as long as you select All Activity or configure Custom to include Security alerts. You will have 30 days to opt-in to these security alert notifications, or you will stop receiving them.

If you want to continue to receive security alert notifications for all of the repositories that you currently receive them for, you can find a migration experience at the bottom of the watching page. Click Subscribe to security alerts to easily opt-in.

Watching control with new security alerts setting

See more

Brownout Notice: API Authentication via Query Parameters, and the OAuth Applications API for 12 hours

As previously communicated, on May 5th, 2021 we will be conducting the first scheduled brownout for API Authentication via Query Parameters and the OAuth Applications API. If you are passing credentials via query or path parameters, we will intermittently respond with client errors.

OAuth Application API

Please refer to this blog post on migrating to the replacement endpoints.

Brownouts

  • May 5, 2021: For 12 hours starting at 14:00 UTC
  • June 9, 2021: For 24 hours starting at 14:00 UTC

Removal

  • August 11 2021 at 14:00 UTC

Authentication via Query Parameters

Please refer to this blog post for authentication via headers.

Brownouts

  • May 5, 2021: For 12 hours starting at 14:00 UTC
  • June 9, 2021: For 24 hours starting at 14:00 UTC
  • August 11, 2021: For 48 hours starting at 14:00 UTC

Removal

  • September 8 2021 at 14:00 UTC

Please check the latest Enterprise release notes to learn in which version these functionalities will be removed.

See more

GitHub Actions : Ubuntu 16.04 LTS virtual environment will be removed on September 20, 2021

As part of our ongoing efforts to keep the hosted actions runners updated and secure, the Ubuntu 16.04 LTS virtual environment will be removed from GitHub Actions on September 20, 2021. For workflows using ubuntu-16.04, you will need to update your workflow files to run on ubuntu-latest which will run on the Ubuntu 20.04 LTS environment instead.

To help make sure all affected customers are aware of this change, we will temporarily suspend workflows on Ubuntu 16.04 LTS environment for two short 'brownout' periods ahead of the final removal. Builds that are scheduled to run during the brownout periods will fail. Therefore it is recommended that you should plan to move to a supported version of Ubuntu before September 6, 2021. The brownouts are scheduled for the following dates and times:

  • September 6, 2021 5:00pm UTC – 10:00pm UTC
  • September 14, 2021 5:00pm UTC – 10:00pm UTC

You can learn more about our software and image guidelines for GitHub-hosted runners in the virtual environment repository. Please contact support if you experience any issues due to this change.

See more

Flag unsigned commits with vigilant mode

To improve security and confidence in the authenticity of your contributions, you can flag commits and tags on GitHub.com that are attributed to you but not signed by you. With vigilant mode enabled (now available in beta), unsigned commits attributed to you are flagged with an Unverified badge. This can alert you and others to potential issues with authenticity.

The author and committer of a Git commit can easily be spoofed. For example, someone can push a commit that claims to be from you, but isn’t. Like showing a passport, committers can increase trust in their commits by signing them with a GPG or S/MIME key. And now, when you enable vigilant mode, commits will be flagged if they’re attributed to you but not signed by you. This raises attention if someone tries to spoof your identity as a committer or author. With vigilant mode enabled, all of your commits and tags are marked with one of three verification statuses: Verified, Partially verified, or Unverified.

Commits and tags are marked with one of three verification statuses

Try it yourself! First, check out how to automatically sign your commits. Then, enable vigilant mode in your account settings:

Vigilant mode in GitHub.com personal account settings

Be sure to enable vigilant mode after you start signing your commits and tags. Once you enable it, any unsigned commits or tags that you push to GitHub.com will be marked "Unverified," including past commits.

Learn more about vigilant mode.

See more

Pull request events now included in the audit log

Pull request and review-related events are now included in the audit log at both the enterprise and organization levels. This helps administrators better monitor pull request activity and ensure security and compliance requirements are being met.

Events now included in the audit log:

  • A pull request is created, merged, closed, reopened, converted to draft, or marked ready for review
  • A review is requested or a request is removed
  • A review comment is added, updated, or deleted
  • A review is submitted, dismissed, or deleted

Events can be viewed from the web UI, exported as CSV or JSON, or accessed via REST API. You can also search the audit log for specific pull request events. For example action:pull_request filters for events directly on a pull request, action:pull_request.merge shows just merge events, and action:pull_request_review shows review events.

Learn more about audit log and available pull request actions

See more

GitHub Actions: Control permissions for GITHUB_TOKEN

GitHub Actions now lets you control the permissions granted to the GITHUB_TOKEN secret.

The GITHUB_TOKEN is an automatically generated secret that lets you make authenticated calls to the GitHub API in your workflow runs. Actions generates a new token for each job and expires the token when a job completes. The token has write permissions to a number of API endpoints except in the case of pull requests from forks which are always read. These new settings allow you to follow a principle of least privilege in your workflows.

Setting permissions in the workflow

A new permissions key supported at the workflow and job level enables you to specify which permissions you want for the token. Any permission that is absent from the list will be set to none.

permissions:
  actions: read|write|none
  checks: read|write|none
  contents: read|write|none
  deployments: read|write|none
  issues: read|write|none
  packages: read|write|none
  pull-requests: read|write|none
  repository-projects: read|write|none
  security-events: read|write|none
  statuses: read|write|none

Pull requests from public forks are still considered a special case and will receive a read token regardless of these settings.

Setting the default permissions for the organization or repository

A new admin setting lets you set the default permissions for the token in your organization or repository.

You can choose between two options:

  • Read/write for all scopes (current default)
  • Read repo contents

Setting the default to contents:read is sufficient for any workflows that simply need to clone and build. If you need additional permissions you will need to specify those in your workflow yaml.

image

Learn more about setting the token permissions

For questions, visit the GitHub Actions community

To see what’s next for Actions, visit our public roadmap

See more

Sunsetting API Authentication via Query Parameters, and the OAuth Applications API

In February 2020, to strengthen the security of our API, we deprecated API Authentication via Query Parameters and the OAuth Application API to avoid unintentional logging of in-transit access tokens. In the coming months, we'll be removing these endpoints and authentication flow according to the following schedule:

OAuth Application API

Please refer to this blog post on migrating to the replacement endpoints.

Brownouts

  • May 5, 2021: For 12 hours starting at 14:00 UTC
  • June 9, 2021: For 24 hours starting at 14:00 UTC

Removal

  • August 11 2021 at 14:00 UTC

Authentication via Query Parameters

Please refer to this blog post for authentication via headers.

Brownouts

  • May 5, 2021: For 12 hours starting at 14:00 UTC
  • June 9, 2021: For 24 hours starting at 14:00 UTC
  • August 11, 2021: For 48 hours starting at 14:00 UTC

Removal

  • September 8 2021 at 14:00 UTC

Please check the latest Enterprise release notes to learn in which version these functionalities will be removed.

See more

Deprecation notice: GitHub Jobs site

Update: As of March 21, 2024, https://jobs.github.com/ has been sunset.

Today we are announcing the deprecation of GitHub Jobs and, on August 19th, will sunset the site entirely. Over the past year, we've seen that most of the positions listed on GitHub Jobs are already posted elsewhere, and most developers who use GitHub are looking elsewhere. To best serve the GitHub developer community, we will be sunsetting the site.

The deprecation and shutdown of GitHub Jobs will follow this timeline:

  • April 19, 2021: Every page on GitHub Jobs will display a banner indicating the deprecation and shutdown dates and linking to this post.
  • May 19, 2021: New job postings will no longer be accepted by GitHub Jobs.
  • June 9-10, June 29 – July 1, July 20-22, August 2-6: The JSON and Atom APIs will brownout so they will return only an error message indicating the deprecation and shutdown dates and linking to this post.
  • August 19, 2021: https://jobs.github.com/ will redirect to this blog post.
  • March 21, 2024: https://jobs.github.com/ has been sunset.
See more

GitHub Actions: Limit workflow run or job concurrency

GitHub Actions now supports a concurrency key at both the workflow and job level that will ensure that only a single run or job is in progress.

There are a number of scenarios where you only want a single instance of a particular workflow or job running at any given time. For example: if you have a deployment to your production environment ensuring that only a single deployment is happening at any given time and that you are always deploying the latest code can be important. The concurrency key can be any string or an expression using the github context. When a job or run starts it first checks to see if anything is currently holding on to the concurrency group specified. If not, it will start. If there is a lock on the group, the job or run will be marked as pending and will only start after the blocking job or run completes.

Learn more about concurrency groups in GitHub Actions

For questions, visit the GitHub Actions community

To see what's next for Actions, visit our public roadmap

See more

New badge for developers who contributed to the Mars 2020 Helicopter mission

Developers who contributed to the specific versions of projects and libraries used by NASA’s Jet Propulsion Laboratory to put the Ingenuity helicopter into the Martian atmosphere will receive a new badge on their profile to commemorate their contributions to this historic achievement in planetary exploration.

See the list of repositories and versions which qualify a user for getting the badge here.

See more
View more changes