Changelog

As part of our ongoing efforts to improve flexibility and control for managing the security manager role, we are retiring the security manager API and replacing it with the more robust organization roles API, which provides expanded functionality for managing roles in an organization, including security managers.

Endpoints Affected

The following security manager endpoints will be retired in 12 months:

  • GET /orgs/{org}/security-managers/teams
  • PUT /orgs/{org}/security-managers/teams/{team_slug}
  • DELETE /orgs/{org}/security-managers/teams/{team_slug}

After this period, these endpoints will no longer be available. Instead, you can use the organization roles API to perform the same actions and much more.

Retirement Timeline

  • GitHub.com: 2025-12-31
  • GitHub Enterprise Server: Version 3.20

Replacements

The organization roles API offers enhanced capabilities for managing roles across an organization. Use the following endpoints as replacements:

  • GET /orgs/{org}/roles
  • GET /orgs/{org}/roles/{role_id}/teams
  • PUT /orgs/{org}/roles/{role_id}/teams/{team_slug}
  • DELETE /orgs/{org}/roles/{role_id}/teams/{team_slug}

You can start transitioning to the organization roles API today on GitHub.com. For GitHub Enterprise Server users, the organization roles API will support the security manager role starting in version 3.16.
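
The endpoint mapping above, as an added example (not GitHub's own code): a helper that rewrites calls to the retired endpoints into their organization roles API equivalents. It assumes the role is listed under the name `security_manager` in the `roles` array returned by GET /orgs/{org}/roles; the role id, organization and team names in the sample are constructed.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Retired paths from the changelog entry; the team slug is absent for the
# list call and present for PUT/DELETE. The prefix keeps a GHES "/api/v3".
_RETIRED = re.compile(
    r"^(?P<prefix>.*)/orgs/(?P<org>[^/]+)/security-managers/teams"
    r"(?:/(?P<team_slug>[^/]+))?$"
)
# (HTTP method, has team slug) combinations the retired API defined.
_RETIRED_CALLS = {("GET", False), ("PUT", True), ("DELETE", True)}

# Constructed sample of a GET /orgs/{org}/roles response body.
SAMPLE_ROLES = {
    "total_count": 2,
    "roles": [
        {"id": 101, "name": "all_repo_read"},
        {"id": 138, "name": "security_manager"},
    ],
}


def find_role_id(roles_response, role_name="security_manager"):
    """Return the id of the named role (the role name is an assumption)."""
    for role in roles_response.get("roles", []):
        if role.get("name") == role_name:
            return role["id"]
    raise LookupError(f"role {role_name!r} not found in organization roles")


def translate(method, url, role_id):
    """Map a retired call to (method, new_url); None if it is not retired."""
    parts = urlsplit(url)
    match = _RETIRED.match(parts.path)
    if match is None:
        return None
    slug = match.group("team_slug")
    if (method.upper(), slug is not None) not in _RETIRED_CALLS:
        return None
    path = f"{match.group('prefix')}/orgs/{match.group('org')}/roles/{role_id}/teams"
    if slug is not None:
        path += f"/{slug}"
    # Scheme, host and query string are carried over unchanged.
    return method.upper(), urlunsplit(parts._replace(path=path))


if __name__ == "__main__":
    role_id = find_role_id(SAMPLE_ROLES)
    for method, url in [
        ("GET", "/orgs/acme/security-managers/teams"),
        ("PUT", "https://api.github.com/orgs/acme/security-managers/teams/appsec"),
        ("DELETE", "https://ghe.example.com/api/v3/orgs/acme/security-managers/teams/appsec"),
        ("GET", "/orgs/acme/teams"),
    ]:
        print(method, url, "->", translate(method, url, role_id))
```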

Learn more about the organization roles API and send us your feedback

We’re excited to announce that persistent commit signature verification is now generally available! This powerful feature ensures that commit signatures are verified once at the time of the push and remain permanently verified within their respective repository’s network.

With persistent commit signature verification, commit signatures retain their verified status even if signing keys are rotated, revoked, or contributors leave the organization. You can view verification timestamps by hovering over the Verified badge on GitHub or by accessing the verified_at field through the REST API.

A badge tooltip displaying the date when the signature was first verified.

This feature brings long-term reliability to your commit history, offering a consistent solution for managing commit signatures over time. New commits have had persistent records since the public preview launch. Existing commits progressively gain persistent records during their next verification, such as when viewing the Verified badge on GitHub or retrieving the commit via the REST API.

Learn more about commit signature verification and join the conversation in the GitHub Community.

Reviewers can now add comments to push protection bypass requests in secret scanning. These comments help provide context, explaining the reasoning behind approving or denying a request. Requesters gain clarity on why their request was denied, and other reviewers can better understand why a request was approved or denied.

The comment is included in the response email sent to the requester, as well as in the timeline of the resulting alert, the API, the audit log, and webhook responses.

screenshot of an alert that has bypassed push protection, with a reviewer comment in the timeline

Learn more about how to secure your repositories with secret scanning and push protection bypass controls.

The metrics overview for CodeQL pull request alerts now includes enhanced tracking and reporting mechanisms, resulting in greater accuracy and more CodeQL pull request alerts and Copilot Autofixes displayed on the dashboard.

These changes retroactively affect the dashboard numbers, allowing you to effectively monitor your organization’s security posture.

With these insights, you can proactively identify and address security risks before they reach your default branch. The metrics overview for CodeQL pull request alerts helps you understand how effectively CodeQL prevents vulnerabilities in your organization. You can use these metrics to easily identify the repositories where action is needed to mitigate security risks.

The change is now generally available on GitHub Enterprise Cloud.

Learn more about security overview and code scanning.

context passing example

GitHub Copilot Extensions can now access local context in your editor and github.com to provide you with richer and more tailored responses.

As a developer, you can benefit from context passing when interacting with extensions. Passing context to extensions will continue to maintain security through permission controls set by your administrators and content exclusion rules.

Available contexts by development environment

Local context is not passed to extensions by default.

Requirements for developers

  • Access to GitHub Copilot Extensions
  • Admin authorization to install on organization-owned repos

Requirements for builders

  • Explicit requests to receive editor context, configured in your GitHub app settings
  • Update your APIs to handle new reference types and account for certain references only being available in certain contexts

Connect with our community in our Discussion Forum, or relay your feedback here.

Bring your GitHub contributions to life with the new GitHub Skyline CLI extension – visualize, customize, and 3D print your journey in open source, all from the command line!

🛠️ Features

  • Binary STL generation: Turn your contribution data into 3D-printed works of art.
  • Customizable year selection: Show off a single year or flex with multi-year masterpieces.
  • Automatic authentication: Uses your GitHub credentials or specify another user.
  • ASCII art previews: See your contribution skyline before it’s immortalized IRL.

💻 Quick Start

If you already have GitHub CLI installed, installation is as easy as:

gh extension install github/gh-skyline

Generate a skyline:

gh skyline --year 2024

Generate a skyline for a specific user and year range:

gh skyline --user chrisreddington --year 2014-2024

Start printing your GitHub journey in 3D glory. Your desk, your shelf, and your ego will thank you 😎

An example of a 3D Printed GitHub Skyline

🌟 Did you know: If you don’t have a 3D printer, you can upload STL files to GitHub and see them rendered directly in your browser:

Share your virtual | IRL skylines with #GitHubSkyline on social or in the community discussion – we can’t wait to see your creations!

As you may have seen in Discord a few weeks ago, Copilot Workspace is graduating! It is a very exciting time, and also a time of change. So before getting into the product changes from this week, we want to highlight a few logistical changes, because everyone loves logistics 💪

Changelog location: All future Copilot Workspace changelogs will be posted here, rather than in the user manual repository. Since you’re already reading this week’s changelog here, you’re ahead of the curve. Great work!

How to provide feedback: We are also transitioning from the current Discord to a GitHub Discussion as the primary place for feedback and discussions around Copilot Workspace. We will still be available in Discord, but posting in the discussion will ensure we see your feedback sooner.

Okay, now onto the product updates for this week! 🎉

Image Preview Support

Building on recent improvements to file and image support, you can now preview images directly in the Workspace editor. Selecting an image from the file tree will now display a full preview of the image, letting you open a preview tab directly within the editor.

copilot workspace with a rendered image in the open tab

Simplifying the Experience

Since our last changes dropped we have invested time into streamlining the Workspace experience, saving you clicks, headaches, and frustration.

Reducing Action Button Clicks

We updated the primary action button such that secondary actions available in the dropdown no longer require a second click of the primary button – when you select an action it will immediately take effect.

the copilot workspace primary action button dropdown

Consolidating the Plan Action Buttons

We have also consolidated plan action buttons like Regenerate and Add File to a kebab menu.

Before:
the previous copilot workspace planning experience

After:
the updated planning experience with actions under a kebab menu

VS Code Extension Updates

  • Stale View Fix: Resolved an issue where stale view states were retained in certain views.
  • Push to Branch / PR Creation Fix: Fixed failures when merging into an existing branch with updates to the same files.
  • Binary Detection Fix: Addressed a false positive issue where folders were incorrectly flagged as binary after session syncing stopped.
  • Enhanced Session List: Sessions now appear earlier in their lifecycle in the session list, supporting the new brainstorming feature in VS Code.
  • Error Message Visibility: Resolved cases where certain error messages did not display.

Copilot Chat on GitHub.com, GitHub Mobile, the GitHub CLI, as well as officially supported IDEs now have a 64k token window available when working with OpenAI GPT-4o. With this change, customers working with large files and repositories should expect improved responses from Copilot. This change helps Copilot retrieve more information when executing skills to provide contextually relevant responses.

There is no action required on your part to benefit from this upgrade; it is automatically available for all GitHub Copilot users. For more information, check out our documentation and join the discussion within the GitHub Copilot Community.

Hungry for more? – 128k token window for VS Code Insiders

If you’re using GitHub Copilot with Visual Studio Code Insiders, you have access to an even larger 128k context window – the maximum supported by OpenAI GPT-4o. Download the Insiders build to try it out.

Starting today, you can now view runner labels in the Jobs tab of your Actions metrics. You can filter by the runner label to view runner specific metrics and answer questions such as:
– “What is the average queue time for my runner?”
– “Which repositories are using my runner?”
– “Which jobs are using the ubuntu-latest label?”

Performance metrics screen with runner label filter applied

To access the feature, on your organization home page, select Insights near the top of the page, and then select ‘Actions Performance Metrics’ on the left side of the page.
To learn more about GitHub Actions Metrics, check out our public documentation or head to our community discussion to ask questions and provide feedback.

GitHub Models now supports the ability to retrieve structured JSON responses from models, making it easier to integrate AI outputs into applications and workflows.

While this functionality was already available via our API, this update adds it to the UI.

JSON Response in GitHub Models Playground

Supported models include OpenAI (except for o1-mini and o1-preview) and Mistral models.

To learn more about GitHub Models, check out the docs. You can also join our dedicated community discussion to discuss this update, swap tips, and share feedback.

We are pleased to announce that our most recent SOC reports (1, 2, and 3) are available now and include GitHub Enterprise Cloud for github.com with all new regions like the EU, as well as Copilot Business and Enterprise. These reports are applicable for the 6-month period April 1, 2024 to September 30, 2024 and are available on the GitHub Enterprise Trust Center for our customers.

This represents a significant milestone for GitHub and our customers for multiple reasons:
– Copilot Business and Enterprise are now gaining coverage of control operating effectiveness over the period represented by a Type II report (as opposed to the point-in-time reports represented by the previous Type I reports issued Spring 2024)
– Coverage for Enterprises hosted in either dotcom or the newly launched EU region.
– Future regions launched for GitHub Enterprise Cloud will also be compliant.

These efforts and the culminating SOC 2 Type II reports represent GitHub’s ongoing commitment to provide secure products to our customers, which continues to provide developers the assurance to build software better, together.

Looking forward, bridge letters will be coming mid-January 2025 for the gap period representing October through December 2024. Additionally, the next round of SOC reports covering October 1, 2024 to March 31, 2025 will be available to customers in June 2025.

What’s Changing

On January 30, 2025, the actions/upload-artifact and actions/download-artifact actions will be deprecated and no longer supported. These actions are being replaced with v4 versions, offering improved performance and new features.

What You Need to Do

If your GitHub Pages site is using a custom Actions workflow to deploy, it must be updated to use:

For detailed instructions and examples, see: Using custom workflows with GitHub Pages.

Key Details

  • Applies to GitHub.com only: This change does not affect GitHub Enterprise Server (GHES).
  • Deadline: Update your workflows before January 30, 2025 to avoid deployment failures.

Ubuntu-latest upcoming breaking changes

We will migrate the ubuntu-latest label to ubuntu 24 starting on December 5, 2024 and ending on January 17, 2025. The ubuntu 24 image has a different set of tools and packages than ubuntu 22. We have made cuts to the list of packages so that we can maintain our SLA for free disk space. This may break your workflows if you depend on certain packages that have been removed. Please review this list to see if you are using any affected packages.

Ubuntu 20 image is closing down

We are beginning the process of closing down the Ubuntu 20 hosted runner image, following our N-1 OS support policy. This image will be fully retired by April 1, 2025. We recommend updating workflows to use ubuntu-22.04, or ubuntu-24.04.

Artifacts v3 brownouts

Artifact actions v3 will be closing down by January 30th, 2025. To raise awareness of the upcoming removal, we will temporarily fail jobs using v3 of actions/upload-artifact or actions/download-artifact. Builds that are scheduled to run during the brownout periods will fail. The brownouts are scheduled for the following dates and times:

  • January 9th 5pm – 6pm UTC
  • January 16th 3pm – 7pm UTC
  • January 23rd 2pm – 10pm UTC

actions/cache v1-v2 and actions/toolkit cache package closing down

Starting February 1st, 2025, Actions’ cache storage will move to a new architecture. As a result, we are closing down v1-v2 of actions/cache. In conjunction, all previous versions of the @actions/cache package (prior to 4.0.0) in actions/toolkit will be closing down. The action and cache package will be fully retired on March 1st.

If users run workflows that call the retired versions after March 1st, 2025, the workflows will fail. Announcements have been posted in the actions/cache and actions/toolkit repositories with additional information on the migration. Note that this does not affect GitHub Enterprise Server customers; you can continue to use all versions without failure.

Brownouts:
To raise awareness of the upcoming deprecation, we have scheduled brownouts for the following dates/times. Builds that are scheduled to run during the brownout periods will fail.

  • February 4, 5pm – 6pm UTC
  • February 11, 3pm – 7pm UTC
  • February 18, 2pm – 10pm UTC
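
A way to find workflows affected by the dates above, as an added example (not GitHub tooling): a line-based scanner that flags the action versions and runner labels named in this notice. It also reads the version from a trailing comment on a SHA-pinned action, which is a common convention and an assumption here; the sample workflow and its commit SHA are constructed.

```python
import re

# Versions and labels named in the notice above, with the dates given there.
ACTION_RULES = {
    "actions/upload-artifact": ({3}, "artifact actions v3 close down by January 30, 2025"),
    "actions/download-artifact": ({3}, "artifact actions v3 close down by January 30, 2025"),
    "actions/cache": ({1, 2}, "actions/cache v1-v2 fully retired on March 1, 2025"),
}
RUNNER_RULES = {
    "ubuntu-20.04": "Ubuntu 20 image fully retired by April 1, 2025",
    "ubuntu-latest": "label migrates to ubuntu 24 by January 17, 2025; check removed packages",
}

USES = re.compile(
    r"^\s*-?\s*uses:\s*['\"]?(?P<action>actions/[\w-]+)(?:/[^@\s'\"]*)?"
    r"@(?P<ref>[^\s'\"#]+)['\"]?(?:\s*#\s*(?P<comment>\S+))?"
)
# Only literal runs-on labels are seen; matrix expressions are not expanded.
RUNS_ON = re.compile(r"^\s*runs-on:\s*(?P<labels>[^#]+)")

# Constructed workflow; the 40-hex SHA is a placeholder, not a real commit.
SAMPLE = """\
jobs:
  build:
    runs-on: ubuntu-20.04
    steps:
      - uses: actions/checkout@v4
      - uses: actions/cache@v2
      - uses: actions/upload-artifact@0123456789abcdef0123456789abcdef01234567 # v3.1.3
      - uses: actions/download-artifact@v4
  test:
    runs-on: [self-hosted, ubuntu-latest]
    steps:
      - uses: actions/download-artifact@main
"""


def major_version(ref, comment):
    """Major version of a ref; for a 40-hex SHA pin, use the trailing comment."""
    if re.fullmatch(r"[0-9a-fA-F]{40}", ref):
        ref = comment or ""
    match = re.match(r"v?(\d+)(?:\.|$)", ref)
    return int(match.group(1)) if match else None


def scan(workflow_text):
    """Return (line_number, item, note) for each affected reference."""
    findings = []
    for number, line in enumerate(workflow_text.splitlines(), start=1):
        uses = USES.match(line)
        if uses and uses.group("action") in ACTION_RULES:
            versions, note = ACTION_RULES[uses.group("action")]
            major = major_version(uses.group("ref"), uses.group("comment"))
            if major in versions:
                findings.append((number, f"{uses.group('action')}@v{major}", note))
            elif major is None:
                # Branch refs and uncommented SHA pins need a manual look.
                findings.append((number, uses.group("action"),
                                 "version not determinable; check manually"))
        runs_on = RUNS_ON.match(line)
        if runs_on:
            for label in re.findall(r"[\w.-]+", runs_on.group("labels")):
                if label in RUNNER_RULES:
                    findings.append((number, label, RUNNER_RULES[label]))
    return findings


if __name__ == "__main__":
    for number, item, note in scan(SAMPLE):
        print(f"line {number}: {item}: {note}")
```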

Updates to the network allow list for self-hosted runners and Azure private networking

With the upcoming GA of Immutable Actions, Actions will now be stored as packages in the GitHub Container Registry. Please ensure that your self-hosted runner allow lists are updated to accommodate the network traffic. Specifically, you should allow traffic to pkg.actions.githubusercontent.com to ensure Immutable Actions can be downloaded successfully and jobs don’t fail during setup. If you already allow *.actions.githubusercontent.com, which is listed as a required domain, then no action is necessary. Traffic will also be required to ghcr.io for publishing new versions of an Immutable Action in the future, which will be available with the GA release.

This update also affects runners in all versions of GitHub Enterprise Server that use the GitHub Connect feature to download actions directly from github.com. Customers are advised to update their self-hosted runner network allow lists accordingly. For further guidance on communication between self-hosted runners and GitHub, please refer to our documentation.
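
A check for the allow-list requirement described above, as an added example (not GitHub tooling): it reports which entry of a proxy or firewall allow list covers each host named in this notice. The `*.` wildcard semantics (subdomains only, never the parent domain) are an assumption about the filtering device, and the sample entries in the demo are constructed.

```python
from urllib.parse import urlsplit

# Hosts named in the notice above and what the runner needs each one for.
REQUIRED_HOSTS = {
    "pkg.actions.githubusercontent.com": "download Immutable Actions during job setup",
    "ghcr.io": "publish new versions of an Immutable Action",
}


def normalise(entry):
    """Reduce an allow-list entry (host, host:port or URL) to a host pattern."""
    entry = entry.strip().lower()
    if "://" in entry:
        entry = urlsplit(entry).netloc
    host = entry.split("/", 1)[0].split(":", 1)[0]
    return host.rstrip(".")


def covers(pattern, host):
    """Exact match, or a '*.' wildcard that matches subdomains only."""
    if pattern.startswith("*."):
        # Keep the leading dot in the suffix so a look-alike such as
        # 'xactions.githubusercontent.com' does not satisfy the wildcard.
        return host.endswith(pattern[1:])
    return pattern == host


def check_allow_list(entries):
    """Map each required host to the entry that covers it, or None if blocked."""
    patterns = [(normalise(entry), entry) for entry in entries]
    return {
        host: next((raw for pattern, raw in patterns if covers(pattern, host)), None)
        for host in REQUIRED_HOSTS
    }


if __name__ == "__main__":
    # Constructed allow list: the wildcard covers the download host,
    # but nothing covers ghcr.io yet.
    allow_list = ["github.com", "https://*.actions.githubusercontent.com:443/"]
    for host, entry in check_allow_list(allow_list).items():
        status = f"covered by {entry}" if entry else "NOT ALLOWED"
        print(f"{host} ({REQUIRED_HOSTS[host]}): {status}")
```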

Additionally, our guidance for configuring Azure private networking has been updated to account for the new domains. The following IP addresses have been added to the NSG template in our documentation.

Upcoming breaking image changes

For a full list of this month’s breaking changes to our hosted runner images, please see our announcement page.

A screenshot of the GitHub dashboard showing the new Copilot input at the top, ready for users to write a prompt.

We know how much easier it is when you can find everything you’re looking for, right where you’ve landed. That’s why we’ve brought GitHub Copilot over to your GitHub dashboard, making it easier than ever to harness the power of AI-assisted coding in the place you already call home.

You can now ask Copilot anything you like using the input at the top of github.com, either by selecting one of our example prompts or by typing your own words. Doing so will open the immersive GitHub Copilot chat experience, where you can continue your conversation with Copilot.

Copilot on the dashboard is available to all users with access to Copilot chat on github.com.

See more

GitHub Copilot plugin now available for JetBrains IDEs version 2024.3

The GitHub Copilot plugin for JetBrains IDEs now fully supports version 2024.3 for your favorite IDEs, including IntelliJ IDEA, PyCharm, and more! This update allows you to take advantage of the latest features and improvements in your development environment, making your coding experience even more seamless and efficient.

What’s new ✨

  • Full compatibility: Use GitHub Copilot with the latest version of JetBrains IDEs.
  • Enhanced authentication: Enjoy a more efficient and secure authentication process.

Benefits for developers ⚡️

  • Stay updated: Leverage the newest features and enhancements in your preferred JetBrains IDE.
  • Improved security: Benefit from a streamlined and secure authentication process.
  • Seamless integration: Experience better compatibility and performance with your development tools.

Get Involved 🛠

If you use version 2024.3 of a JetBrains IDE, we encourage you to try the updated GitHub Copilot plugin and share your feedback. Your input is invaluable in helping us refine and improve the product.

Join the Discussion 🚀

Connect with us and other developers in the GitHub Community Discussion to share your experiences, ask questions, and provide feedback.

Repository rules now allow you to enforce which merge methods are available when merging pull requests into a specified branch. The merge method rule is available for rulesets at the repository, organization and enterprise level, allowing you to choose between merge commit, squash, or rebase so that only the selected merge methods are allowed on the targeted branches across the user interface and APIs.

Screenshot of merge type rule selection

Learn more in the documentation and join the discussion within GitHub Community.

Artifact Attestations now supports attesting multiple subjects simultaneously. When the attest-build-provenance or attest-sbom actions create multiple attestations, a single attestation is created with references to each of the supplied subjects, rather than generating separate attestations for each artifact. This reduces the number of attestations that you need to create and manage. We published these changes as new versions of the respective actions. Please update your workflows to reference the new versions in order to leverage the new functionality.

Learn more about using Artifact Attestations to establish provenance for builds

We are excited to announce the launch of new governance at scale features for enterprise accounts in public preview. This preview includes enterprise custom repository properties, enterprise repository policies and enterprise rulesets to help enterprise administrators manage more at greater scale.

Check out this video on managing your repositories at scale across the enterprise and learn more below.

Enterprise custom properties

Enterprise customers can now enrich repositories with metadata and govern protections for branches, pushes, and tags across your entire enterprise using repository custom properties and rulesets.

Enterprise custom properties screenshot

With custom properties available at the enterprise level, you can ensure consistent properties across organizations without manual synchronization and de-duplication. Enterprise and organization properties share a common namespace to prevent confusion when searching or targeting rulesets with properties.

To learn more about enterprise custom properties, head over to the docs.

Enterprise rulesets

Enterprise rulesets screenshot

Enterprise-level rulesets enforce consistent code governance rules to ensure thorough reviews of critical repositories with pull requests, and protect important locations from unauthorized pushes. Rule insights and push rule bypasses are also available at the enterprise level, providing complete visibility into the rulesets.

Enterprise repository policy

We are also introducing repository policies, which allow you to effectively manage repository lifecycle events such as deletions and visibility from the enterprise level. Enterprise administrators can target enterprise policies over repositories in organizations, as well as repositories homed under personal namespaces for any company using enterprise managed users.

Enterprise repository policy screenshot

Repository policies extend the ruleset framework to help you govern repositories beyond the code itself. These policies manage lifecycle events, enhancing the security, compliance and resilience of your repositories. You can enable repository policies per organization, and the preview launches with five policies:
– Restrict visibility
– Restrict creations
– Restrict deletions
– Restrict transfers
– Restrict names

To learn more about enterprise repository policy, head over to the docs.

Feedback

To ask questions or share feedback, join our discussion in the GitHub Community.

Enterprise and organization-level audit log events are now created when a code scanning alert is created, fixed, dismissed, reopened, or appears in a new branch:

  • code_scanning.alert_created – a code scanning alert was seen for the first time;
  • code_scanning.alert_appeared_in_branch – an existing code scanning alert appeared in a branch;
  • code_scanning.alert_closed_became_fixed – a code scanning alert was fixed;
  • code_scanning.alert_reappeared – a code scanning alert that was previously fixed reappeared;
  • code_scanning.alert_closed_by_user – a code scanning alert was manually dismissed;
  • code_scanning.alert_reopened_by_user – a code scanning alert that was previously dismissed was reopened.

The new functionality, which will be included in GHES 3.17, provides more insight into the history of a code scanning alert for easier troubleshooting and analysis.
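
The alert history these events make available, as an added example (not GitHub's code): it replays an audit log export in JSON lines form and reports alerts that reappeared after a fix or are currently dismissed by a user. The `action`, `actor`, `repo` and `@timestamp` fields follow the audit log export format; `alert_number` is an assumed field name, and the log lines are constructed.

```python
import json

PREFIX = "code_scanning."
# State an alert is in after each event; None leaves the state unchanged.
NEXT_STATE = {
    "alert_created": "open",
    "alert_appeared_in_branch": None,
    "alert_closed_became_fixed": "fixed",
    "alert_reappeared": "open",
    "alert_closed_by_user": "dismissed",
    "alert_reopened_by_user": "open",
}

# Constructed export, deliberately out of order and with an unrelated event.
SAMPLE_LOG = """\
{"@timestamp": 3000, "action": "code_scanning.alert_reappeared", "repo": "acme/api", "alert_number": 7}
{"@timestamp": 1000, "action": "code_scanning.alert_created", "repo": "acme/api", "alert_number": 7}
{"@timestamp": 2000, "action": "code_scanning.alert_closed_became_fixed", "repo": "acme/api", "alert_number": 7}
{"@timestamp": 1500, "action": "code_scanning.alert_created", "repo": "acme/web", "alert_number": 3}
{"@timestamp": 2500, "action": "code_scanning.alert_closed_by_user", "actor": "dev-a", "repo": "acme/web", "alert_number": 3}
{"@timestamp": 4000, "action": "code_scanning.alert_created", "repo": "acme/web", "alert_number": 4}
{"@timestamp": 4100, "action": "code_scanning.alert_closed_by_user", "actor": "dev-b", "repo": "acme/web", "alert_number": 4}
{"@timestamp": 4200, "action": "code_scanning.alert_reopened_by_user", "actor": "sec-lead", "repo": "acme/web", "alert_number": 4}
{"@timestamp": 4300, "action": "repo.create", "actor": "dev-a", "repo": "acme/new"}
"""


def replay(log_text):
    """Rebuild per-alert state from code scanning audit events, oldest first."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        action = event.get("action", "")
        if action.startswith(PREFIX) and action[len(PREFIX):] in NEXT_STATE:
            events.append(event)
    events.sort(key=lambda event: event["@timestamp"])

    alerts = {}
    for event in events:
        name = event["action"][len(PREFIX):]
        key = (event["repo"], event["alert_number"])
        alert = alerts.setdefault(
            key, {"state": None, "regressions": 0, "dismissed_by": None})
        if NEXT_STATE[name]:
            alert["state"] = NEXT_STATE[name]
        if name == "alert_reappeared":
            alert["regressions"] += 1          # fixed earlier, now back
        elif name == "alert_closed_by_user":
            alert["dismissed_by"] = event.get("actor")
        elif name == "alert_reopened_by_user":
            alert["dismissed_by"] = None
    return alerts


def needs_review(alerts):
    """Alerts that regressed at least once or are currently dismissed by a user."""
    return sorted(key for key, alert in alerts.items()
                  if alert["regressions"] or alert["state"] == "dismissed")


if __name__ == "__main__":
    state = replay(SAMPLE_LOG)
    for key in needs_review(state):
        print(key, state[key])
```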

For more information:

To help you better understand the state of your pull request and get it merged faster, the merge experience on the pull request page has been improved! This experience is currently in public preview.

Screen shot of the updated merge box page on the pull request page showing that 1 review is required, a list of status checks (some failing), and a message about not having any merge conflicts.

What’s new

We’ve maintained the familiar look of the existing merge experience while incorporating several usability improvements:

  • Checks grouped by status: checks are now grouped by status with failing checks prioritized at the top of the list, making it easier to identify issues that need attention
  • Checks ordered alphabetically: status checks are now ordered alphabetically to make it easier to find a specific check
  • Commit metadata validation: errors from failing commit metadata rules (like non-compliant commit messages) can now be corrected and retried
  • Improved accessibility: consistent keyboard navigation, focus management, and landmarks help make the experience more accessible to everyone

For a more complete list of changes visit the feedback discussion.

This improved experience is rolling out gradually and is turned off by default. Once it becomes available to you, a Try the new merge experience link will appear below the merge box on the pull request page:

Click it to switch to the improved experience. A link is also available for easily switching back to the existing experience. You can also toggle the experience via the feature preview dialog.

Known issues

As this experience is in public preview, you may run into some bugs and missing features (let us know when you do). Some of the known issues include:

  • Actions workflows requiring approval cannot be approved currently
  • Changing the commit author email when merging is not currently supported

For a more complete list of known issues visit the feedback discussion.

Feedback

We want to hear from you! To provide feedback, ask questions, and see a list of known issues, visit the GitHub Community improved merge box discussion!
