Changelog

In February 2022, we launched a new feature called community contributions to security advisories. We've continued to iterate on this feature, and recently released more improvements:

  • You're now prompted to add a reason for the change, so your contribution can be reviewed more quickly.
  • You can now submit a contribution without reference links getting reordered in the diff.
  • You can now click through to relevant docs from the advisories page.
  • Overall, you can enjoy a cleaner user experience thanks to a handful of other small fixes.

We recently released a set of organization-level APIs (in beta) to enable administrators to programmatically manage their organization-owned codespaces at scale. Today we're releasing support for additional organization-level APIs based on the feedback that you shared with us. With this release, we've added support for the following REST API commands:

  • Manage organization-level codespaces secrets
    • List organization secrets
    • Get an organization public key
    • Get an organization secret
    • Create or update an organization secret
    • Delete an organization secret
    • List selected repositories for an organization secret
    • Set selected repositories for an organization secret
    • Add selected repository to an organization secret
    • Remove selected repository from an organization secret
  • Manage access control for organization-owned codespaces
    • Enable Codespaces for all members of the organization
    • Enable Codespaces for select members of the organization
    • Enable Codespaces for all members and outside collaborators of the organization
    • Disable Codespaces for the organization

Organization-level APIs are in beta for GitHub Team and Enterprise Cloud plans. Here are links to our documentation to get started:

If you have any feedback to help improve this experience, be sure to post it on our discussions forum.

Actions runner support for Windows ARM hardware is now in public beta. This provides teams with the capability to run self-hosted Windows workflows in a Windows ARM64 runtime.

There are some limitations of the current beta product to be aware of:

  • Windows ARM runners are currently using nodejs's "unofficial" win-arm64 builds
  • Some first party actions will not work until a win-arm64 version of that language is released:
    • setup-node
  • Some first party actions don't support the arm64 architecture:
    • setup-python - issue tracking it here

For additional information on how to set up a self-hosted Windows ARM64 runner, please refer to our documentation. If you have any feedback or questions for Actions self-hosted Windows ARM support, you can submit an issue in the runner repository.

Previously, we announced the ability for enterprise owners to limit where private and internal repository forks can be created. We heard from some customers that they need more granular control over fork permissions for each organization within the enterprise.

Now, we've added the ability for enterprise organization admins to set fork policy at the organization level, further restricting enterprise policy. Forking can be limited to organizations within the enterprise, within the same organization, user accounts and organizations within the enterprise, user accounts, or everywhere. Fork policies cascade from the enterprise policy to organization policy to repository policy. Enterprise policies dictate the policy options available for organizations, i.e. an organization admin can only set a more restrictive forking policy than the enterprise allows.

Today’s Changelog brings numerical field sums, Team linked projects, project migration improvements, and URL pasting preferences!

➕ Display sum of numeric fields

Addressing a top user request, you can now display the sum of a numeric field on the group header in both the table and board layouts.

Select one or multiple numeric fields you would like to display the total for from the view configuration menu to assist with your planning! 📝

Ever wanted to curate the list of projects important to your team? Wouldn’t it be great to ensure your team has access to the projects they need to use all the time? With our latest ship, now you can link projects for quick access on your team pages and we’ll also automatically grant your team read access. Note, you currently need to be a maintainer for the team and a project admin to add it to the team page.

Navigate to the Projects tab for your team to add the projects you need today. 🎉

🚀 Migration improvements

Project Migration now includes archived items! We’ve also fixed several migration states so that your entire team is aware that the project has been transferred. Plan your migration today so that you can leverage all the new features and capabilities Projects has to offer 💖

🖌 Paste URLs formatted or as plain text

Choose your own adventure for URL pasting! Based on your feedback we have made paste preference part of our accessibility settings under your profile. Find it under editor settings to change from pasting as a formatted link (default) to pasting as plain text.

✨ Bug fixes & improvements

Other changes include:

  • Filtering by draft state (is:draft) now applies to open draft pull requests, in addition to draft issues
  • Issue and pull request numbers are now displayed alongside archived item titles
  • Improved condensed keyboard shortcut visuals

See how to use GitHub for project planning with GitHub Issues, check out what’s on the roadmap, and learn more in the docs.

Additional information has been added to the payload of github.event for scheduled runs. Before this change, github.event for scheduled runs would only include the cron schedule. This change adds information about the repository, organization, and enterprise (when available).

For questions, visit the GitHub Actions community.

To see what’s next for Actions, visit our public roadmap.

GitHub secret scanning protects users by searching repositories for known types of secrets. By identifying and flagging these secrets, our scans help prevent data leaks and fraud.

We have partnered with DevCycle to scan for their SDK tokens and help secure our mutual users on public repositories. DevCycle tokens allow users to target and toggle feature flags by environment and platform. GitHub will forward access tokens found in public repositories to DevCycle, who will immediately mark the token as compromised. More information about DevCycle Tokens can be found here.

GitHub Advanced Security customers can also scan for DevCycle tokens and block them from entering their private and public repositories with push protection.

We've made some improvements to audit log search to make it easier to discover events. Since audit log events are found through key:value pairs, we now show you a list of possible options to choose from.

We've also linked to our documentation in the filter dropdown so that you can more easily discover all the possible options for audit log queries.

To learn more about how to query the audit log, check out our documentation, "About search for the enterprise audit log".

You can now display your local timezone on your profile to give others an idea of when to expect responses to pull requests or issues from you. You can opt into this feature by navigating to Settings > Public Profile and checking Display current local time. You can also update this information directly from your profile by clicking 'Edit Profile' under your avatar.

This will display your timezone in the left sidebar of your profile as well as your timezone's current deviation from UTC. When other users see your profile or user hovercard, they'll see your timezone as well as how many hours behind or ahead they are from your local time.

Learn more about personalizing your profile.

Node 12 has been out of support since April 2022. As a result, we have started the deprecation process of Node 12 for GitHub Actions. We plan to migrate all actions to run on Node 16 by Summer 2023. We will monitor the progress of the migration and listen to the community for how things are going before we define a final date.
To raise awareness of the upcoming change, we are adding a warning into workflows which contain Actions running on Node 12. This will come into effect starting on September 27th.

What you need to do
For Actions maintainers: Update your actions to run on Node 16 instead of Node 12 (Actions configuration settings)
For Actions users: Update your workflows with the latest versions of the actions that run on Node 16 (Using versions for Actions)
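
For maintainers who keep several actions in one repository, the check below lists which action metadata files still declare the Node 12 runtime. It is an added example, not GitHub's tooling: the function names and sample files are constructed, and it assumes the runtime is declared on an indented `using:` line in `action.yml` or `action.yaml`.

```shell
#!/bin/sh
# Added example, not GitHub's tooling. Function names and sample files are constructed.

# Print "<runtime><TAB><file>" for each action metadata file under directory $1.
action_runtimes() {
  find "$1" -type f \( -name action.yml -o -name action.yaml \) | sort |
  while IFS= read -r f; do
    # First indented `using:` line; quotes and trailing comments are tolerated.
    rt=$(sed -nE "s/^[[:space:]]+using:[[:space:]]*[\"']?([A-Za-z0-9]+)[\"']?.*/\1/p" "$f" | head -n 1)
    printf '%s\t%s\n' "${rt:-unknown}" "$f"
  done
}

# Only the files that still need the Node 12 to Node 16 change.
node12_actions() {
  action_runtimes "$1" | awk -F '\t' '$1 == "node12" { print $2 }'
}

# Constructed sample tree: one migrated action, two that still run on Node 12.
make_sample() {
  d=$(mktemp -d)
  mkdir -p "$d/old" "$d/new" "$d/quoted"
  printf 'name: old\nruns:\n  using: node12\n  main: index.js\n' > "$d/old/action.yml"
  printf "name: new\nruns:\n  using: 'node16'\n  main: index.js\n" > "$d/new/action.yml"
  printf 'name: quoted\nruns:\n  using: "node12"  # to migrate\n  main: dist/index.js\n' > "$d/quoted/action.yaml"
  printf '%s\n' "$d"
}

sample=$(make_sample)
node12_actions "$sample"
rm -rf "$sample"
```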

We have started creating and storing CodeQL databases for the most popular open-source projects on GitHub.com. If you use CodeQL for security research, you can now obtain these databases easily and directly through the CodeQL extension for Visual Studio Code, which makes it much easier to write and run your own custom CodeQL queries.

Using CodeQL for security research

The CodeQL engine powers GitHub code scanning: it analyses source code and flags up potential security problems (for example, in pull requests). By default, code scanning runs a large set of open source queries that are able to identify the most important and common security problems.

CodeQL is also a powerful tool for variant analysis and other types of security research. CodeQL treats source code as data, and anyone can write custom CodeQL queries to explore a codebase and identify vulnerabilities. Like code search on steroids!

The first step of any CodeQL analysis is extracting the source code into a CodeQL database. This database contains a relational representation of the source code — including elements like the abstract syntax tree, the data flow graph, and the control flow graph. You can create CodeQL databases yourself using the CodeQL CLI, but with the feature we shipped today, it's much quicker to get started: you can download a ready-built CodeQL database from GitHub.com.

Downloading CodeQL databases from GitHub.com in VS Code

To download a CodeQL database for use in the CodeQL extension in VS Code:

  1. Make sure you have set up the CodeQL extension for VS Code. For more information, see Setting up CodeQL in Visual Studio Code.
  2. Open the CodeQL databases view in the extension.
  3. Hover over the sidebar, click the GitHub icon, and specify the owner/repo identifier of the public repository you'd like to analyze.

Once you've downloaded a CodeQL database, you're ready to start your research. Find more information in the CodeQL documentation.

FAQs

How many CodeQL databases are available?

We currently store databases for over 200,000 repositories on GitHub.com. That list is constantly growing and evolving to make sure that it includes the most interesting codebases for security research.

What languages can you download CodeQL databases for?

We create and store databases for all of the languages that we support in CodeQL code scanning. For more information, see About code scanning with CodeQL.

Can I download CodeQL databases outside VS Code?

Yes, you can also download CodeQL databases using the GitHub REST API. For more information, see Downloading databases from GitHub.com in the CodeQL CLI documentation.

Why is there no CodeQL database available for my favourite open source repository?

If there is a repository that you'd like to analyze, but a CodeQL database is not available yet, then you can trigger the creation (and storing) of a database by enabling GitHub code scanning with the CodeQL engine. Alternatively, you could fork the repository and enable code scanning on the fork. For more information, see the code scanning documentation.
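
The REST API download mentioned in the FAQ above can be scripted as follows. This is an added example, not taken from this post: the endpoint path is the code scanning "CodeQL databases" route of the GitHub REST API, while the function names, the `GITHUB_TOKEN` variable, the output file name and the sample repository are assumptions.

```shell
#!/bin/sh
# Added example. Function names, GITHUB_TOKEN and file names are assumptions.
API_ROOT="https://api.github.com"

# Validate "owner/repo" and the language, then print the database endpoint.
codeql_db_url() {
  case "$1" in
    ""|*..*|/*|*/|*/*/*|*[!A-Za-z0-9._/-]*)
      echo "bad repository: $1" >&2; return 1 ;;
    */*) ;;
    *) echo "bad repository: $1" >&2; return 1 ;;
  esac
  case "$2" in
    ""|*[!a-z-]*) echo "bad language: $2" >&2; return 1 ;;
  esac
  printf '%s/repos/%s/code-scanning/codeql/databases/%s\n' "$API_ROOT" "$1" "$2"
}

# Download the zipped database for repository $1 and language $2 to file $3.
download_codeql_db() {
  url=$(codeql_db_url "$1" "$2") || return 1
  out="${3:-codeql-db-$2.zip}"
  [ -n "${GITHUB_TOKEN:-}" ] || { echo "GITHUB_TOKEN is not set" >&2; return 1; }
  # The token is passed through a config read from stdin, so it never shows
  # up in the process list. The API answers with a redirect, hence --location.
  printf 'header = "Authorization: Bearer %s"\n' "$GITHUB_TOKEN" |
    curl --config - --fail --silent --show-error --location \
      -H "Accept: application/zip" -o "$out" "$url"
}

# Constructed sample identifier; prints the endpoint without touching the network.
codeql_db_url octocat/hello-world javascript
# download_codeql_db octocat/hello-world javascript hello-world-js.zip
```

Unzip the downloaded archive and add the resulting folder as a database in the CodeQL extension or pass it to the CodeQL CLI.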

Today, we're adding support for users to create a GitHub Sponsors profile and choose to receive sponsorship payouts via a fiscal host. This will give maintainers more flexibility and choice in how they receive funding. This has already been possible for organizations creating a GitHub Sponsors profile, and that remains unchanged. Users and organizations can still choose to use a Stripe Connect account instead of a fiscal host if they prefer. Learn more about signing up for a GitHub Sponsors profile using a fiscal host.

GitHub Mobile can no longer connect to GitHub Enterprise Server 3.1. To enable connections from GitHub Mobile to GitHub Enterprise Server, a site administrator must upgrade to GitHub Enterprise Server 3.2 or later. Newer versions of GitHub Enterprise Server improve performance, enhance security, and provide new features. For more information, see "GitHub Enterprise Server releases" and "Upgrading GitHub Enterprise Server."


Read more about GitHub Mobile and send us your feedback to help us improve.

A month ago we shared an update about the help.github.com URL. Starting today, help.github.com will start redirecting to GitHub's Support Portal at support.github.com.
Users should continue to use docs.github.com to reach GitHub Docs.

Any links starting with 'help.github.com/' will continue to work as expected.

Enterprise administrators can now choose to redirect signed-out Enterprise Managed Users to their company's single sign-on (SSO) page. This feature is available as a public beta.
By default, enterprises with Managed Users enabled are hidden, showing a 404 error page any time an enterprise resource is visited by a user that isn't already signed in to the enterprise.
If you enable this feature for your enterprise, visitors to resources in your enterprise, org, or user namespaces will immediately be presented with an SSO redirect if not already signed in to your enterprise.
This redirect helps users sign in to the correct account, rather than giving them the impression that the link they were given no longer works.

You can find this setting in the Authentication security section of your Enterprise Settings, below the single sign-on configuration sections.

Read more about this setting in "Automatic redirection for Enterprise Managed Users".