Changelog

Subscribe to all Changelog posts via RSS or follow GitHub Changelog on Twitter to stay updated on everything we ship.

~ cd github-changelog
~/github-changelog|main git log main
showing all changes successfully

The organization-level security overview page has been replaced by the risk and coverage views as previously announced and is no longer available. The risk view is designed to help you assess security exposure, and the coverage view is intended to help you manage security feature enablement.

GitHub Enterprise customers can use the new security overview experience today by clicking on an organization's "Security" tab.

Learn more about the new risk and coverage views and send us your feedback

See more

Larger runner workflows using the ubuntu-latest runner label will soon run on Ubuntu-22.04.

Ubuntu-22.04 is now the default version for the ubuntu-latest label for GitHub Actions standard runners workflows. Larger runners will now use the Ubuntu-22.04 as the -latest version starting 15 December 2022.

If you see any issues with your workflows when they are transitioned to Ubuntu-22.04:

  • File an issue in the runner-images repository
  • Switch back to Ubuntu 20.04 by specifying the ubuntu-20.04 runner label. We will continue to support Ubuntu 20.04.

Note that image software between Ubuntu-20.04 and Ubuntu-22.04 differs by the pre-installed and default versions versions of some tools. See the full list.

See more

We've recently released a few minor user experience improvements for our GitHub Security Advisory form:

  • You're no longer required to fill out as many fields in the form before submitting it, so you can publish faster.
  • You now fill out title/description first in the form.
  • You can now access the CVSS Calculator as a top-level attribute, rather than it being the bottom of a dropdown menu.

Further reading:

See more

GitHub organizations can now use the code scanning organization-level API endpoint to retrieve code scanning alerts on public repositories; this no longer requires a GitHub Advanced Security license. This new endpoint supplements the existing repository-level endpoint.

Learn more about the code scanning organization-level REST API.

See more

Dependabot security updates now supports the Pub ecosystem, making it easier for you to fix vulnerable dependencies in your Dart or Flutter apps. With security updates enabled, Dependabot will automatically raise a pull request to update vulnerable Pub dependencies to the latest patched version.

Learn more about Dependabot security updates.

See more

GitHub's audit log allows organization and enterprise admins to quickly review the actions performed by members of their organization or enterprise. For Dependabot alerts, the audit log includes actions such as repository enablement, creation or reintroduction of alerts, dismissal of alerts, and resolving of alerts.

The audit log now supports the following improvements:

  • Dismissal comments, if provided with a Dependabot alert, are now displayed in the audit log
  • The audit log API for Dependabot alerts now supports several new fields: alert_number, ghsa_id, dismiss_reason, and dismiss_comment.
  • Additional minor improvements, including links back to the alert and correct timestamps added to events.

This release is available for organization and enterprise admins (including GHES 3.7 and later).

For more information, view documentation on Dependabot alerts in the GitHub audit log.

See more

The recently enhanced GitHub Enterprise "consumed licenses" report and new "enterprise members" report are now generally available. These reports provide more insight into who has access to an enterprise, what level of access, and whether a license is consumed:

  • Consumed License Report: A breakdown of license usage for your GitHub Enterprise and any synced GitHub Enterprise Server instances;
  • Enterprise Members Report: An extensive list of licensed and non-licensed members associated with your Enterprise Cloud environment, including members synced from a GitHub Enterprise Server instance.

To learn more about these reports and how to access them, read our documents about viewing license usage for GitHub Enterprise and exporting membership information about your enterprise.

See more

Today, we’re introducing calendar-based versioning for the REST API to give API integrators a smooth migration path and plenty of time to update their integrations when we need to make occasional breaking changes to the API.

You can learn more in today’s blog post and on the new “API Versions” page in our docs.

If you’re using the REST API, you don’t need to take any action right now. We’ll get in touch with plenty of notice before we drop support for any old versions.

See more

Starting today, GitHub code scanning includes beta support for analyzing code written in Kotlin, powered by the CodeQL engine.

Kotlin is a key programming language used in the creation of Android mobile applications, and is an increasingly popular choice for new projects, augmenting or even replacing Java. To help organisations and open source developers find potential vulnerabilities in their code, we’ve added Kotlin support (beta) to the CodeQL engine that powers GitHub code scanning. CodeQL now natively supports Kotlin, as well as mixed Java and Kotlin projects. Set up code scanning on your repositories today to receive actionable security alerts right on your pull-requests. To enable Kotlin analysis on a repository, configure the code scanning workflow languages to include java. If you have any feedback or questions, please use this discussion thread or open an issue if you encounter any problems.

Kotlin support is an extension of our existing Java support, and benefits from all of our existing CodeQL queries for Java, for both mobile and server-side applications. We’ve also improved and added a range of mobile-specific queries, covering issues such as handling of Intents, Webview validation problems, fragment injection and more.

CodeQL support for Kotlin has already been used to identify novel real-world vulnerabilities in popular apps, from task management to productivity platforms. You can watch the GitHub Universe talk on how CodeQL was used to identify vulnerabilities like these here.

Kotlin beta support is available by default in GitHub.com code scanning, the CodeQL CLI, and the CodeQL extension for VS Code. GitHub Enterprise Server (GHES) version 3.8 will include this beta release.

See more

You can now filter results from the code scanning REST API based on alert severity. Use the parameter severity to return only code scanning alerts with a specific severity. This is available at the repository and organization level.

This feature is available on GitHub.com, and will also be included in GitHub Enterprise Server (GHES) version 3.8.

Read more about the code scanning API

See more

In a small but frequently requested improvement, GitHub now shows the date that an archived repository was put into read-only mode to indicate it is no longer actively maintained.

Previously, you could see that a repo was in the 'archived' state and probably infer from the commit log when it last saw activity, but the actual date the archiving happened was not surfaced anywhere. Now there's a date included in the "this repo is read-only" banner at the top of the repository view.

New repository banner showing an archived repository and the date on which it was archived

Repositories archived prior to November 9th, 2022, will display a more generic message.

Repository banner showing the generic message that it was archived prior to November 9th, 2022

See more

Dependabot expands its existing Hex private registry support beyond Hex organizations by adding support for self-hosted Hex repositories. You can configure your self-hosted Hex package repository as a private registry for use with Dependabot version updates. Special thanks to @sorentwo for their contribution to Dependabot!

Learn more about configuring Dependabot version updates and its supported ecosystems and package managers.

See more

You can now enable and disable the following GitHub security features for a single repository from the organization-level security coverage view:

  • Dependency graph
  • Dependabot alerts
  • Dependabot security updates

If you are a GitHub Advanced Security customer, you can also enable and disable the following features for a single repository:

  • GitHub Advanced Security
  • Secret scanning
  • Push protection

In the future, you'll be able to enable and disable multiple repositories from the coverage view.

enablement panel on coverage view

Learn more about the new coverage view and send us your feedback

Learn more about GitHub Advanced Security

See more

A GitHub Actions workflow run is made up of one or more jobs and each job is associated with a check run. The workflow_job webhook is sent during state transitions of a workflow job. The job state is included in the webhook payload as the action property, which currently takes the values of queued, in_progress, or completed.

With this change, the workflow_job webhook will now support a new waiting state whenever a job is waiting on an environment protection rule, aligning with the waiting state of the corresponding check run. This enables better insight into the progress of a job when using environment protection rules.

In addition, when a job refers to an environment key in its YAML definition, the resulting workflow_job webhook payload will also include a new property, deployment with the metadata about the deployment created by the check run.

Learn more about using environments for deployment Jobs in a Workflow

For questions, visit the GitHub Actions community.

To see what's next for Actions, visit our public roadmap.

See more

As we prepare for next year's 2FA requirement for active contributors on GitHub, we're making improvements to our two-factor setup UI to encourage best practices and ensure new 2FA users have their authentication factors set up correctly from the start.

We now take an opinionated stance on which second factor you should set up first – you'll no longer be asked to choose between SMS or setting up an authenticator app (known as TOTP), and instead see the TOTP setup screen immediately when first setting up 2FA.

If you wish to use SMS when setting up 2FA, you can switch your authentication method via the new option at the bottom. In the future, you'll also find security keys there as an option for initial setup on supported devices and browsers.

For more information, see "Configuring two-factor authentication".

See more

OpenID Connect (OIDC) for authenticating enterprise managed users is now generally available for enterprises using Azure AD.

OIDC allows GitHub to use your identity provider's IP allow list policies to control where PAT and SSH keys can be used to access GitHub from, with granular control down to individuals. Enterprise customers using OIDC can now select whether to use their identity provider's IP allow list policies, or GitHub's built-in allow list feature.

image

image

To learn more about OIDC and enterprise managed users, see "Enterprise Managed Users" and "Migrating from SAML to OIDC for Enterprise Managed Users". To learn more about Azure AD's IP allow list functionality, see "Location based Conditional access"

See more

GitHub secret scanning protects users by searching repositories for known types of secrets. By identifying and flagging these secrets, our scans help prevent data leaks and fraud.

We have partnered with Figma to scan for their API tokens and help secure our mutual users on public repositories. Figma API tokens can be used to read and interact with Figma and FigJam files — both through Figma’s own platform and other Figma-integrated applications. GitHub will forward access tokens found in public repositories to Figma, who will will immediately notify token owners. You can read more information about Figma's tokens here.

GitHub Advanced Security customers can also scan for Figma tokens and block them from entering their private and public repositories with push protection.

See more

Hot on the heels of GitHub Universe, we're bringing you simplified project creation and an improved experience for converting drafts into issues in repositories outside the project's organization.

Creating a project from your team or repository index page is now faster than ever! Instead of navigating to the organization page, simply use the dropdown on the Link a project button to select New project. We'll create a project and automatically link it to the team or repository from which it was created.

📤 Convert drafts into issues outside the project organization

Work often spans multiple repositories and even across organization boundaries so we want you to be able to quickly create issues in whichever repository you need, right from projects. That's why we've made it possible to convert a draft issue into an issue in any organization you have access to. When selecting the repository for your issue, type in the organization name ahead of the repository and we'll take care of the rest. We also support the @me operator if you'd like to create the issue in a personal repository.

🚀 Universe recap

If you missed us at Universe 2022, be sure to check out our blog post recapping our recent announcements and sign-up for the Private Betas for tasklists ☑ or roadmap 🗺️!

✨ Bug fixes and improvements

  • Support command + shift + enter to close or reopen an issue from the side panel
  • Respect "paste link as plain text" setting
  • Fixed a bug that allowed users without write access to see UI for restoring from archive

See how to use GitHub for project planning with GitHub Issues, check out what's on the roadmap, and learn more in the docs.

See more