Skip to content

Changelog

Subscribe to all Changelog posts via RSS or follow GitHub Changelog on Twitter to stay updated on everything we ship.

~ cd github-changelog
~/github-changelog|main git log main
showing all changes successfully

CodeQL 2.17.1: AI-powered autofixes for C#, new Ruby queries and more Java models

CodeQL is the static analysis engine that powers GitHub code scanning. CodeQL version 2.17.1 has been released and has now been rolled out to code scanning users on GitHub.com.

CodeQL code scanning now supports automatic fix suggestions for C# alerts on pull requests, powered by Copilot. This is automatically enabled for all private repositories for all GitHub Advanced Security customers. For the first time, autofix covers nearly all security queries for a language, with 49 supported queries for C# from our Default and Extended suites. Use our public discussion for questions and feedback.

Also included in this release:

For a full list of changes, please refer to the complete changelog for version 2.17.1. All new functionality will also be included in GHES 3.13. Users of GHES 3.12 or older can upgrade their CodeQL version.

See more

Enterprise enablement trends for security products (public beta)

For enterprise owners and security managers dedicated to managing security products, we are excited to announce a new capability: you can now gain historical insights into security products enablement trends across your GitHub enterprise. This overview helps you understand how security product coverage is being implemented across your company.

Following our March announcement of the public beta of the enablement trends report for organizations, which allowed monitoring of enablement trends for all security products within your GitHub organization, we’ve expanded this capability to the enterprise level. The addition of an owner filter further simplifies the navigation of metrics for repositories owned by specific organizations.

Enterprise enablement trends report

Explore enablement trends and gain historical insights into the activation status of GitHub security features:
* Dependabot alerts
* Dependabot security updates
* Code scanning
* Secret scanning alerts
* Secret scanning push protection

Historical data is available from January 1, 2024, with the exception of Dependabot security updates data, which is available from January 17, 2024.

To access the enablement trends report, navigate to your enterprise account. In the enterprise account sidebar, click Code Security.

This feature is now available as a public beta on GitHub Enterprise Cloud and will be available in GitHub Enterprise Server 3.14.

Learn more about security overview and join the discussion within the GitHub Community

See more

GitHub Actions – Deployment views across environments (GA)

The new deployment views across environments are now generally available (GA)! 🎉

Previously we have shipped dashboard views to track your deployments using GitHub Actions across various environments.
These views have enabled Developers and DevOps managers to view the full history of deployments in a repository or filter them across environments & workflows to understand their status, duration or address any blockers.

We are now announcing GA for these Deployment Dashboard views along with the following enhancements:

  • Pinning of environments. Ex: You can now “pin” up to 10 of your most critical environments to provide a quick way to view all the deployments rolled out to them.
  • More filters on the views. Ex: You can now drill down to the list of deployments triggered by specific creators with specific deployment statuses and targeting specific environments.

New Deployment views

Learn more about viewing and filtering deployments in your repository through our documentation.

For questions, visit the GitHub Actions community.
To see what’s next for Actions, visit our public roadmap.

See more

GitHub Issues & Projects – Auto-close issue project workflow

Today’s changelog brings you a new workflow to auto-close issues in Projects!

🪄 Auto-close issue project workflow

The auto-close issue workflow allows you to automatically close issues when their project status is changed to “Done” ✅ or any custom status you define (🙅 say goodbye to repetitive clicks).

Implementing the new workflow

For existing projects anyone with write or admin access can enable the new auto-close issue workflow on the workflows page.

For new projects the auto-close issue workflow will be enabled by default.

✍️ Tell us what you think!

Join the conversation in the community discussion to share your feedback.

Bug fixes and improvements

  • Enterprise Managed Users can now use public project templates and copy public projects
  • Changed the behavior to apply a secondary sort field from the view configuration menu and also the table column menu

See how to use GitHub for project planning with GitHub Issues, check out what’s on the roadmap, and learn more in the documentation.

See more

GitHub Copilot Metrics API now available in public beta

We’re excited to announce the public beta of the GitHub Copilot Metrics API, available to all customers of GitHub Copilot Business and GitHub Copilot Enterprise starting today.

The GitHub Copilot Metrics API is designed to supply you with information about Copilot’s usage within your organizations. The data from the API is intended to be consumed and combined with your organization’s own data to create greater visibility into how Copilot fits into the bigger picture of your software development cycle.

What functionality will be included in the Public Beta?

  • Historical data will be automatically loaded, giving you the ability to overlay data with any previous sources from day one.

  • The endpoint will supply data for the previous 28 days of usage history, on a rolling basis.

  • Data is summarized by day, and is refreshed at day end.

  • Date ranges and pagination are now available.

  • This iteration of the GitHub Copilot Metrics API is focused on serving metrics for Copilot Chat and code completions that take place in the IDE.

  • Code completion metrics: Lines of Code Suggested, Lines of Code Accepted, Number of Suggestions, Number of Acceptances, and Active Users with slices on language, and IDE.

  • Copilot Chat metrics: Number of Chats, Chat Suggestions Accepted, and Active Users. The endpoint does not currently feature slices on language or IDE for Chat metrics.

  • Team-level aggregates for GitHub teams with five or more members are also available.

Documentation and Resources

To help you get started, we have prepared comprehensive documentation and resources:

  • API Documentation: Explore the detailed API documentation, including metrics definitions here.

  • Visualization: You can find an open source tool for consuming and visualizing data from the endpoint here.

  • Metrics Export: Generate a flattened CSV from the endpoint using GitHub Actions here.

  • Learning Pathway: You can find an extended article on measuring the impact of GitHub Copilot here.

Participate in the Public Beta!

Your feedback during this beta phase is invaluable to us. We encourage you to share your experiences, which will be instrumental in refining and enhancing the API as we look toward the future.

Stay tuned for updates and enhancements throughout the beta period. We’re committed to delivering a robust and feature-rich API that meets your needs and expectations.**

See more

Dependabot Updates on Actions for GitHub Enterprise Cloud and Free, Pro, and Teams Users

Starting today, developers using GitHub Enterprise Cloud (GHEC) and Free, Pro, and Teams accounts can enable their repositories and/or organizations to run Dependabot updates as an Actions workflow. With this change, the job that Dependabot runs to generate pull requests will run in GitHub Actions. This is the start of an effort to consolidate Dependabot’s compute platform to Actions, with further migration plans to be announced later.

Who can opt-in?

GHEC, Free, Pro, and Teams administrator users can enable Dependabot on Actions today.

What if I’m on Enterprise Server (GHES)?

GitHub Enterprise Server (GHES) and Proxima users already run Dependabot on Actions; no further steps are required to enable Dependabot on Actions for these users.

Why choose to run Dependabot as an Actions workflow today?

Enabling Dependabot on Actions will yield performance benefits like faster Dependabot runs and increased visibility into errors to manually detect and troubleshoot failed runs. Actions APIs and webhooks will also be able to detect failed runs and perform downstream processing should developers wish to configure this in their CI/CD pipelines. There will be no change or impact to the Dependabot functionality, and there will be no impact to billed Actions minutes (i.e. Dependabot runs are free).

Will this count towards Actions minutes or costs?

This does not count towards GitHub Actions minutes – meaning that using Dependabot continues to be free for everyone. Beginning today, using Dependabot as an Actions workflow is free for everyone and generally available on all repositories.

What’s the next migration phase for Dependabot on Actions?

Over the course of the next year, we are migrating all Dependabot workflows to run on Actions compute infrastructure. You can opt-in today to gain access to these benefits, but they’ll be coming soon to all repos without needing to opt-in as well. We’re excited for faster runs, increased troubleshooting visibility, and other future benefits running Dependabot on Actions will unlock. We’ll be in close contact with those organizations who own repositories with Actions disabled and Dependabot enabled as we kick off the compute infrastructure migration. If you have questions or concerns, please contribute to our community discusson or contact our support team.

How to enable Dependabot on Actions?

GHEC, Free, Pro, and Teams administrator users can enable Dependabot on Actions runners at either the repository or organization level from the Code security and analysis settings pages. For more information, see our documentation on enabling Dependabot on Actions runners.

When will self-hosted runners, larger runners, and actions runner controller (ARC) be supported?

May 2024

When will VNETs be supported?

This work is still in progress; we don’t yet have an estimated date when these will be available.

Can I use Actions workflows and APIs to trigger Dependabot jobs?

Today, Dependabot jobs can only be triggered from the Dependabot UI, and not by Actions workflows or APIs.

If I see a Dependabot job fail in Actions, how can I restart it?

Check out our documentation on re-running a verison updates job or re-running a security updates job.

If I enable Dependabot on Actions, can I later opt-out?

At this time, you can opt out of enabling Dependabot on Actions. However, this ability will change within the next year as we consolidate Dependabot’s compute platform to Actions.

What if I don’t want to turn on Actions for my repository or organization? What happens if Actions is disabled in a repository but Dependabot is enabled to run on Actions?

During this opt-in phase of the compute infrastructure migration, if you enable Dependabot on Actions but disable Actions at the repository or organization level, Dependabot will run on the legacy compute infrastructure. Please enable Actions either in your Dependabot-enabled repository or across your organization if you wish to opt in to run Dependabot on Actions.

Read more about Dependabot on GitHub Actions runners.

Join the discussion within GitHub Community.

See more

Push rules public beta

Say goodbye to unwanted files cluttering your repos, like *.jar or *.so. And limit who can make updates to sensitive files like your Actions workflows with the public beta of push rules. 🎉

A glimpse of push rules in action

You can now enable a new type of ruleset that allows you to control pushes to repositories based on file extensions, file path lengths, file and folder paths and file sizes. Push rules don’t require any branch targeting as they apply to every push to the repository, and also apply to all forks of the repo to ensure all pushes to the repository network are protected.

Push rules are now available for private and internal repositories for GitHub Teams, and across organizations for GitHub Enterprise Cloud.

Learn more about push rules in our documentation and join the community discussion to leave feedback.

See more

CodeQL for Visual Studio Code documentation is now on docs.github.com

The CodeQL for Visual Studio Code documentation is now on docs.github.com.

This migrates the content from https://codeql.github.com/docs/codeql-for-visual-studio-code and provides a consistent, single-site experience with improved text, descriptions, images, and navigation.

On May 8, 2024, we’ll begin automatically redirecting from the original codeql.github.com location to the new location.

The source files now exist in Markdown format in the public, open-source docs repository. If you would like to contribute, you can consult and follow the steps listed in the GitHub Docs contributing guide.

See more

Updates to GitHub Importer and the deprecation of the Source Import REST API Endpoint

GitHub Importer is a tool that quickly imports source code repositories, including commits and revision history, to GitHub.com. As part of this release, GitHub Importer has implemented a new method for git source migration that will provide users with improved reliability and more detailed error handling when migrating git source repositories to GitHub. Click here to import your project to GitHub.

As previously communicated, this change comes with the ending of support for the REST API endpoints for source imports. Moving forward, these endpoints will return an error. Users are encouraged to make use of the new import repository page instead.

Lastly, we previously announced that GitHub Importer will no longer support importing Mercurial, Subversion and Team Foundation Version Control (TFVC) repositories. Effective today, we’ve ended support for this functionality due to extremely low levels of usage. Moving from these alternative version control systems to Git is simple thanks to fantastic open source tools – for more details, read our Docs article, “Using the command line to import source code”.

See more

Configure organization-level CodeQL model packs for GitHub code scanning

You can now add organisation-level CodeQL model packs to improve code scanning coverage for your GitHub organization. This ensures that custom libraries and frameworks are recognised by CodeQL.

In most cases, the out-of-the-box CodeQL threat models provide the best coverage for identifying potential vulnerabilities in your GitHub repositories using code scanning. The CodeQL team at GitHub keeps a close eye on the most widely-used open-source libraries and frameworks to ensure CodeQL recognizes untrusted data that enters an application. For cases which cannot be covered by default, such as custom-built or inner-sourced frameworks and libraries, you can create custom CodeQL model packs to help CodeQL detect additional security vulnerabilities in your code.

Configuring CodeQL model packs in the organisation code security and analysis settings

When you configure CodeQL model packs at scale, the packs will be used in every code scanning analysis that uses default setup in the organization. By default, code scanning will download the latest version of each model pack, meaning that the latest changes to the pack (such as adding information about new frameworks) will automatically be included. Alternatively, you can configure specific sets of CodeQL models to use by stating a specific version (or version range). For more information, see Editing your configuration of default setup in the GitHub documentation.

You can use the CodeQL model editor in VS Code to easily create custom CodeQL model packs for libraries and frameworks written in C# and Java/Kotlin. Custom CodeQL model packs are also supported for code written in JavaScript and Ruby and we will be adding support for these and other CodeQL-supported languages in the CodeQL model editor in the future.

This functionality is now available on GitHub.com and will be available in GitHub Enterprise Server 3.14.

See more

GitHub Enterprise Importer’s new git source migrator improves reliability of large repo migrations

GitHub Enterprise Importer (GEI) has implemented a new process for migrating git source data, significantly improving GEI’s reliability when migrating large repositories up to 10 GB with complex git histories. The new git source migrator is now available for all customers using GEI.

The new git source migrator uses the updated IP addresses for GitHub Enterprise Importer announced in October 2023. If you’re using GitHub Enterprise Importer to run migrations and have IP allow lists enabled, you will need to add our new IP range. The IP allow lists that may need to be updated include:

  • The IP allow list on your destination GitHub.com organization or enterprise
  • If you’re running migrations from GitHub.com, the IP allow list on your source GitHub.com organization or enterprise
  • If you’re running migrations from a GitHub Enterprise Server, Bitbucket Server or Bitbucket Data Center instance, the allow list on your configured Azure Blob Storage or Amazon S3 storage account
  • If you’re running migrations from Azure DevOps, the allow list on your Azure DevOps organization

For a full list of our IP ranges and more information, see our documentation on configuring IP allow lists for migrations.

For additional information about GEI, please follow our documentation for using GitHub Enterprise Importer

See more

Secret scanning for historically existing secrets found in GitHub discussions and pull requests

Secret scanning has recently expanded coverage to GitHub discussions and pull requests.

GitHub is now performing a backfill scan, which will detect any historically existing secrets found in GitHub discussions and pull request bodies or comments.

For repositories with secret scanning enabled, if a secret is detected in a discussion or pull request, you will receive a secret scanning alert for it. Public leaks detected in public GitHub discussion or pull requests will also be sent to providers participating in the secret scanning partnership program.

Sign up for a 60 minute feedback session on secret scanning and be compensated for your time.

Learn how to secure your repositories with secret scanning or become a secret scanning partner.

See more

Deprecation of multi-label larger runners

From the 15th of May 2024 we will no longer support multiple labels on larger GitHub Hosted Runners.

In February 2023 we announced that customers could no longer add or manage additional labels on larger runners. Following on from this, we will now be fully deprecating support for multi-labels on larger runners. This means that jobs targeting more than one label or jobs targeting labels that do not match the runners name for GitHub Hosted Larger Runner, after May 15th, will no longer be able to pick up jobs.

We will be running a brown out on the 8th of May between 18:00 and 20:00 UTC, during this time multi label larger runner jobs will fail to start.

To prepare for this change and avoid any disruption, please ensure the runs-on: references only the runner name in your workflows prior to the dates above.

Join the discussion within GitHub Community.

See more

Deprecation notice: v3 of the artifact actions

Starting November 30, 2024, GitHub Actions customers will no longer be able to use v3 of actions/upload-artifact or actions/download-artifact. Customers should update workflows to begin using v4 of the artifact actions as soon as possible. While v4 of the artifact actions improves upload and download speeds by up to 98% and includes several new features, there are key differences from previous versions that may require updates to your workflows. Please see the documentation in the project repositories for guidance on how to migrate your workflows.

The deprecation of v3 will be similar to the previously announced v1 and v2 deprecation plans, which is scheduled to take place on June 30, 2024. Version tags will not be removed from the project repositories, however, attempting to use a version of the actions after the deprecation date will result in a workflow failure. Artifacts within their retention period will remain accessible from the UI or REST API regardless of the version used to upload. This deprecation will not impact any existing versions of GitHub Enterprise Server being used by customers.

This announcement will also be added to actions/upload-artifact and actions/download-artifact. Please visit the documentation to learn more about storing workflow data as artifacts in Actions.

See more

sourceRepositoryUrl is now a required input to the StartRepositoryMigration GraphQL Endpoint

The StartRepositoryMigration GraphQL API endpoint will now require the sourceRepositoryUrl as an input field. While this is a breaking change to the StartRepositoryMigration GraphQL API schema, including this parameter was a de facto requirement already that will now be documented correctly. All StartRepositoryMigration GraphQL requests currently made without this input result in a failed migration. As such, this change should have minimal impact to those using the StartRepositoryMigration GraphQL API endpoint.

See more

Secret scanning changes to detection and validation for Google Cloud Platform, Slack

GitHub secret scanning now supports validity checks for Google Cloud Platform (GCP) account credentials and Slack webhooks. This improvement involves changes to how account credentials for GCP are detected and alerted on.

What’s changing

Secret scanning alerts for Slack webhooks now support validity checks, in addition to previously supported Slack API tokens.

In addition, secret scanning now also alerts on complete GCP service account credential objects which include the fully matched private key, private key ID, and certificate URLs. These alerts support validity checks. As part of this change, you will no longer receive alerts for GCP private key IDs.

About validity checks

Validity checks indicate if the leaked credentials are active and could still be exploited. If you’ve previously enabled validation checks for a given repository, GitHub will now automatically check validity for alerts on supported token types.

Validity checks are available for repositories with GitHub Advanced Security on Enterprise Cloud. You can enable the feature at the enterprise, organization, or repository level from the “Code security and analysis” settings page by checking the option to “automatically verify if a secret is valid by sending it to the relevant partner.”

Share feedback

Sign up for a 60 minute feedback session on secret scanning and be compensated for your time.

Learn more about secret scanning or our supported patterns for validity checks.

See more

GitHub Native IP Allow List expands to EMU User Namespaces – Private Beta

Enterprise owners of GitHub Enterprise Cloud with Enterprise Managed Users (EMUs) can now participate in a private beta introducing GitHub’s native IP allow list configuration to cover user namespaces. This feature will limit access to enterprise-managed user namespaces to the owning enterprise’s IP allow list. Access through the web UI, git protocol, and API are all filtered by the IP allow list. All credentials, including personal access tokens, app tokens, and SSH keys, are covered by this policy.

To enroll in this private beta and make this feature available for your enterprise, reach out to your GitHub Account Manager or contact our sales team.

See more

CodeQL 2.17.0: Support for Java 22, Swift 5.10, TS 5.4, C# 12

CodeQL is the static analysis engine that powers GitHub code scanning. CodeQL version 2.17.0 has been released and has now been rolled out to code scanning users on GitHub.com.

Important changes in this release include:

For a full list of changes, please refer to the complete changelog for version 2.17.0. All new functionality will also be included in GHES 3.13. Users of GHES 3.12 or older can upgrade their CodeQL version.

See more

GitHub-hosted runner images deprecation notice: Docker Compose v1

Docker Compose v1 has been deprecated as of July 2023. All customers utilizing Compose v1 on GitHub-hosted runners are encouraged to migrate to Compose v2. Per GitHub’s support policy we will remove this tool from our GitHub managed runner images effective July 9, 2024.

To avoid breaking changes, customers will need to update their Actions workflow files from using docker-compose to docker compose. After July 9, workflows will begin to fail that are using the previous syntax. Customers are advised to review the migration instructions to ensure they are making all the changes required.

For more information on GitHub managed images, see the runner-images repository.

See more

CodeQL threat model settings are now available for C# (beta)

Use CodeQL threat model settings for C# (beta) to adapt CodeQL’s code scanning analysis to detect the most relevant security vulnerabilities in your code.

CodeQL’s default threat model works for the vast majority of codebases. It considers data from remote sources (such as HTTP requests) as tainted. We previously released CodeQL threat model settings for Java to allow you to optionally mark local sources of data (such as data from local files, command-line arguments, environment variables, and databases) as tainted in order to help security teams and developers uncover and fix more potential security vulnerabilities in their code. CodeQL threat model settings are now available for C#, meaning that you can now enable similar local sources of taint in your code scanning analysis of code wriitten in C#.

If your repository is running code scanning default setup on C# or Java code, go to the Code security and analysis settings and click Edit configuration under Code scanning default setup. Here, you can change the threat model to Remote and local sources. For more information, see the documentation on including local sources of tainted data in default setup.

Threat model setting in CodeQL default configuration

If your repository is running code scanning advanced setup on C# or Java code, you can customize the CodeQL threat model by editing the code scanning workflow file. For more information, see the documentation on extending CodeQL coverage with threat models. If you run the CodeQL CLI on the command-line or in third party CI/CD, you can specify a --threat-model when running a code scanning analysis. For more information see the CodeQL CLI documentation.

As part of this work, we made changes to some of the queries included in the default code scanning suite for C# to better align with local and remote threat model settings. As a result you may see slightly fewer alerts when using the default threat model for remote sources. For more information about which queries are impacted, see the changelog for CodeQL 2.17.0.

CodeQL threat model settings (beta) in code scanning default setup is available on GitHub.com for repositories containing Java and C# code. Support for configuring threat model settings for C# will be shipped in GitHub Enterprise Server 3.14. Users of GHES 3.12 or older can also upgrade the version of CodeQL used in code scanning.

See more
View more changes