Location via proxy:   [ UP ]  
[Report a bug]   [Manage cookies]                


Subscribe to all Changelog posts via RSS or follow GitHub Changelog on Twitter to stay updated on everything we ship.

β†’ ~ cd github-changelog
β†’ ~/github-changelog|main git log main
showing all changes successfully

You can now filter results from the code scanning REST API based on alert severity. Use the parameter severity to return only code scanning alerts with a specific severity. This is available at the repository and organization level.

This feature is available on GitHub.com, and will also be included in GitHub Enterprise Server (GHES) version 3.8.

Read more about the code scanning API

See more

In a small but frequently requested improvement, GitHub now shows the date that an archived repository was put into read-only mode to indicate it is no longer actively maintained.

Previously, you could see that a repo was in the 'archived' state and probably infer from the commit log when it last saw activity, but the actual date the archiving happened was not surfaced anywhere. Now there's a date included in the "this repo is read-only" banner at the top of the repository view.

New repository banner showing an archived repository and the date on which it was archived

Repositories archived prior to November 9th, 2022, will display a more generic message.

Repository banner showing the generic message that it was archived prior to November 9th, 2022

See more

Dependabot security updates now supports the GitHub Actions ecosystem, making it easier for you to fix vulnerable GitHub Actions dependencies. With security updates enabled, Dependabot will automatically raise a pull request to update vulnerable GitHub Actions used in your workflows to the minimum patched version.

Learn more about Dependabot security updates.

See more

Dependabot expands its existing Hex private registry support beyond Hex organizations by adding support for self-hosted Hex repositories. You can configure your self-hosted Hex package repository as a private registry for use with Dependabot version updates. Special thanks to @sorentwo for their contribution to Dependabot!

Learn more about configuring Dependabot version updates and its supported ecosystems and package managers.

See more

You can now enable and disable the following GitHub security features for a single repository from the organization-level security coverage view:

  • Dependency graph
  • Dependabot alerts
  • Dependabot security updates

If you are a GitHub Advanced Security customer, you can also enable and disable the following features for a single repository:

  • GitHub Advanced Security
  • Secret scanning
  • Push protection

In the future, you'll be able to enable and disable multiple repositories from the coverage view.

enablement panel on coverage view

Learn more about the new coverage view and send us your feedback

Learn more about GitHub Advanced Security

See more

A GitHub Actions workflow run is made up of one or more jobs and each job is associated with a check run. The workflow_job webhook is sent during state transitions of a workflow job. The job state is included in the webhook payload as the action property, which currently takes the values of queued, in_progress, or completed.

With this change, the workflow_job webhook will now support a new waiting state whenever a job is waiting on an environment protection rule, aligning with the waiting state of the corresponding check run. This enables better insight into the progress of a job when using environment protection rules.

In addition, when a job refers to an environment key in its YAML definition, the resulting workflow_job webhook payload will also include a new property, deployment with the metadata about the deployment created by the check run.

Learn more about using environments for deployment Jobs in a Workflow

For questions, visit the GitHub Actions community.

To see what's next for Actions, visit our public roadmap.

See more

As we prepare for next year's 2FA requirement for active contributors on GitHub, we're making improvements to our two-factor setup UI to encourage best practices and ensure new 2FA users have their authentication factors set up correctly from the start.

We now take an opinionated stance on which second factor you should set up first – you'll no longer be asked to choose between SMS or setting up an authenticator app (known as TOTP), and instead see the TOTP setup screen immediately when first setting up 2FA.

If you wish to use SMS when setting up 2FA, you can switch your authentication method via the new option at the bottom. In the future, you'll also find security keys there as an option for initial setup on supported devices and browsers.

For more information, see "Configuring two-factor authentication".

See more

OpenID Connect (OIDC) for authenticating enterprise managed users is now generally available for enterprises using Azure AD.

OIDC allows GitHub to use your identity provider's IP allow list policies to control where PAT and SSH keys can be used to access GitHub from, with granular control down to individuals. Enterprise customers using OIDC can now select whether to use their identity provider's IP allow list policies, or GitHub's built-in allow list feature.



To learn more about OIDC and enterprise managed users, see "Enterprise Managed Users" and "Migrating from SAML to OIDC for Enterprise Managed Users". To learn more about Azure AD's IP allow list functionality, see "Location based Conditional access"

See more

GitHub secret scanning protects users by searching repositories for known types of secrets. By identifying and flagging these secrets, our scans help prevent data leaks and fraud.

We have partnered with Figma to scan for their API tokens and help secure our mutual users on public repositories. Figma API tokens can be used to read and interact with Figma and FigJam files — both through Figma’s own platform and other Figma-integrated applications. GitHub will forward access tokens found in public repositories to Figma, who will will immediately notify token owners. You can read more information about Figma's tokens here.

GitHub Advanced Security customers can also scan for Figma tokens and block them from entering their private and public repositories with push protection.

See more

Hot on the heels of GitHub Universe, we're bringing you simplified project creation and an improved experience for converting drafts into issues in repositories outside the project's organization.

Creating a project from your team or repository index page is now faster than ever! Instead of navigating to the organization page, simply use the dropdown on the Link a project button to select New project. We'll create a project and automatically link it to the team or repository from which it was created.

📤 Convert drafts into issues outside the project organization

Work often spans multiple repositories and even across organization boundaries so we want you to be able to quickly create issues in whichever repository you need, right from projects. That's why we've made it possible to convert a draft issue into an issue in any organization you have access to. When selecting the repository for your issue, type in the organization name ahead of the repository and we'll take care of the rest. We also support the @me operator if you'd like to create the issue in a personal repository.

🚀 Universe recap

If you missed us at Universe 2022, be sure to check out our blog post recapping our recent announcements and sign-up for the Private Betas for tasklists ☑ or roadmap 🗺️!

✨ Bug fixes and improvements

  • Support command + shift + enter to close or reopen an issue from the side panel
  • Respect "paste link as plain text" setting
  • Fixed a bug that allowed users without write access to see UI for restoring from archive

See how to use GitHub for project planning with GitHub Issues, check out what's on the roadmap, and learn more in the docs.

See more

GitHub Enterprise Cloud administrators can now download and view the latest GitHub SOC 1, Type 2 and SOC 2, Type 2 compliance reports for 2022.

To learn more, please review our documentation on how to access compliance reports for your enterprise or for your organization.

See more

GitHub secret scanning protects users by searching repositories for known types of secrets. By identifying and flagging these secrets, our scans help prevent data leaks and fraud.

We have partnered with LocalStack to scan for their API key tokens and help secure our mutual users on public repositories. LocalStack's tokens allow for activation of the advanced LocalStack features for their Pro/Team/Enterprise products. GitHub will forward access tokens found in public repositories to LocalStack, who will immediately notify users and revoke any compromised tokens. You can read more information about LocalStack's tokens here.

GitHub Advanced Security customers can also scan for LocalStack tokens and block them from entering their private and public repositories with push protection.

See more

Dependabot version updates now proactively updates Docker image tags in Kubernetes manifests.

When specifying the Docker ecosystem in dependabot.yml include an entry for each directory where a Kubernetes manifest which references Docker image tags is located. Kubernetes manifests can be either Kubernetes Deployment YAML files or Helm charts. Dependabot will parse the unrendered version of the manifest in order to keep your Docker image tags updated.

Learn more about configuring Dependabot version updates.

See more

You can now review and manage your browser and GitHub Mobile sessions using the new Sessions tab in your user settings. This new tab includes all of your signed-in web sessions, as well as each GitHub Mobile app your account is signed into. You can revoke each web and mobile session individually. For mobile sessions, this signs you out of the GitHub Mobile app on that device, and disables that application for use as a second factor. The new Sessions tab replaces the web sessions view that was present under Password and authentication.


This new settings page is generally available for GitHub.com users now, and will be released to GitHub Enterprise Server as part of GHES 3.8.

To learn more, see "Viewing and managing your sessions".

See more

We’ve launched a public preview of GitHub Actions Importer, which helps you forecast, plan, and automate migrations from your current CI/CD tool to GitHub Actions.

Doing individual migrations is relatively easy in isolation. However, for those that have a large and established CI/CD footprint, having tooling available to assist with migrations is key to their ability to adopt Actions at scale. In the time that we’ve been developing and using GitHub Actions Importer in its private preview form, we’ve encountered numerous customers that have thousands of pipelines—even in excess of 15K—in their legacy environments that need to be migrated. GitHub Actions Importer is designed to help when manual migration is not feasible, such as when users have a large number of teams that depend on hundreds or thousands of workflows.

Sign up here to request access to the public preview. Once you've been added, you will receive an email at the address registered on your GitHub account with instructions for getting started.

To learn more, see Automating migrations with GitHub Actions Importer and the announcement post on the GitHub blog.

See more

Whether you invite a user to an organization via the API or via our user interface, we are bringing enhancements to make this experience better. From today, you can:

  • search for a user via a verified email address both within the API and on an organization’s “People” pages;
  • utilize the API to assign more than one enterprise member at a time to additional organizations within your enterprise;
  • view additional user information provided within the enterprise and organization “People” invitation pages.

To learn more, read about inviting users in an organization.

See more

Recently, GitHub added webhooks to our OpenAPI schema. Now, Webhook events and payloads in the GitHub documentation is built from the OpenAPI schema. The schema-generated documentation is more accurate and comprehensive and includes the payload structure for each event and action type.

Currently, the new webhook docs are available for the Free/Pro/Team and GitHub Enterprise Cloud plans. GitHub Enterprise Server and GitHub AE will get the new docs with the next version release.

Do you have ideas for improvement? Open a documentation issue to let us know.

See more

We've launched a limited public beta of a new feature in the GitHub CLI: webhook forwarding.

Webhook forwarding makes it easy to test your webhooks integration in your local environment without having to worry about port forwarding.

All it takes to start receiving webhooks locally is one simple command:

gh webhook forward --repo monalisa/hello-world --events issues,pull_request --url http://localhost:4000/webhooks

With webhook forwarding, you can iterate quickly on your integration without having to deploy your code to a test environment.

To request access to the beta program, post in our GitHub Community discussion. We add new beta users on a regular basis. Once you've been added, you will receive an email at the address registered on your GitHub account.

For more details on this new feature, head over to the docs – see "Receiving webhooks with the GitHub CLI".

See more

Dependabot is a friendly co-developer supporting millions of repositories, but previously wasn't included in mention suggestions.

Starting today, you can more easily mention Dependabot, thanks to autocomplete.

Dependabot Autocomplete

See more

Banner announcing edit files in pull requests feature for GitHub for iOS

Introducing file editing from repositories on GitHub for iOS! Commit changes to code within your repo, create new branches and put up a new pull request to land those quick changes on-the-go!

File editing for pull requests and Browse Code on GitHub for Android is coming soon.

See more