Changelog

Previously, if you specified your private registry configuration in the dependabot.yml file and also had a configuration block for that ecosystem using the target-branch key, Dependabot security updates wouldn’t use the private registry information as expected. Starting today, Dependabot uses private registry configurations specified in the dependabot.yml file as expected, even if there is a configuration block with target-branch. This ensures that security updates are applied correctly, regardless of your repository’s configuration settings. Note that security updates still do not support target-branch configuration.

Learn more about configuring private registries for Dependabot in the Dependabot documentation.
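
The layout the entry describes, as an added example that is not from the changelog post: a private registry declared at the top level and referenced from an update block that also sets target-branch. The registry name, URL and secret name are placeholders.

```yaml
# dependabot.yml (added example; registry name, URL and secret are placeholders)
version: 2

registries:
  npm-internal:                                   # hypothetical registry name
    type: npm-registry
    url: https://npm.example.internal             # placeholder URL
    token: ${{ secrets.NPM_INTERNAL_TOKEN }}      # placeholder repository secret

updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    registries:
      - npm-internal        # version updates AND security updates now resolve through this registry
    target-branch: "develop"
    # target-branch only affects version updates: security update PRs still target
    # the default branch, but they no longer lose the registry credentials above.
```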

Previously, if Dependabot encountered 30 consecutive failures, it would stop running scheduled jobs until manual intervention via updating the dependency graph or manifest file. Dependabot will now pause scheduled jobs after 15 failures. This will give an earlier indication of potential issues while still ensuring that critical security updates will continue to be applied without interruption.

Read more in the Dependabot Docs. 

Precise code navigation is now available for all TypeScript repositories.
Precise code navigation gives more accurate results by only considering the set of classes, functions, and imported definitions that are visible at a given point in your code.

Precise code navigation is powered by the stack graphs framework.
You can read about how we use stack graphs for code navigation and visit the stack graphs definition for TypeScript to learn more.
You can also read more about code navigation for TypeScript and other languages in our documentation.

We’re excited to announce that GitHub is partnering with ORCID. You can now authenticate your ORCID account with your GitHub account, and display your ORCID iD on your public GitHub profile. ORCID provides a persistent unique digital identifier (an ORCID iD) that researchers own and control, and that distinguishes them from every other researcher.

Go to https://github.com/settings/profile to authenticate your ORCID iD.

New customers of GHEC enterprise managed users (EMUs) can now use the SSO and SCIM providers of their choice, separate from one another, for a more flexible approach to user lifecycle management. EMU enterprises will allow all valid SAML 2.0 and SCIM implementations as part of this public beta.

We are progressively rolling out this change to existing enterprises through March 19th. Existing EMU enterprises will see a new opt-in capability to allow writes to the SCIM API for callers other than the partner identity applications currently supported. A personal access token (Classic) with the admin:enterprise scope is required for SCIM writes. While in public beta, we do not recommend that existing customers change their current production identity system.

opt into SCIM API writes

Learn more about provisioning enterprise managed users with the SCIM API. If you have questions about migrating identity providers, please review the updated documentation or contact your account team.

CodeQL is the static analysis engine that powers GitHub code scanning. CodeQL version 2.16.4 has been released and has now been rolled out to code scanning users on GitHub.com.

CodeQL code scanning now supports automatic fix suggestions for Java alerts on pull requests, powered by Copilot. This is automatically enabled for all current autofix preview participants. You can sign up for the preview here and use our public discussion for questions and feedback.

The number of generated autofixes is now also visible in a dedicated security overview tile:

security overview showing a counter of fix suggestions

Furthermore, this release

For a full list of changes, please refer to the complete changelog for version 2.16.4. All new functionality will also be included in GHES 3.13. Users of GHES 3.12 or older can upgrade their CodeQL version.

Secret scanning now helps you more easily define custom patterns with GitHub Copilot.

As of today, you can leverage AI to generate custom patterns without expert knowledge of regular expressions.

Generate a secret scanning custom pattern with AI

What’s changing?

You can create your own custom detectors for secret scanning by using custom patterns. Formatted as regular expressions, these custom patterns can be challenging to write. Secret scanning now supports a pattern generator backed by GitHub Copilot in order to generate regular expressions that match your input.

How do I use the regular expression generator?

When defining a custom pattern, you can select “generate with AI” in order to launch the regular expression generator.

The model returns up to three regular expressions for you to review. You can click on the regular expression to get an AI-generated plain language description of the regular expression. You should still review this input and carefully validate performance of results by performing a dry run across your organization or repository.

Who can use the regular expression generator?

Anyone able to define custom patterns is able to use the regular expression generator. This feature is shipping to public beta today for all GitHub Enterprise Cloud customers with GitHub Advanced Security.

Learn more about the regular expression generator or how to define your own custom patterns.

All new public repositories owned by personal accounts will now have secret scanning and push protection enabled by default. Pushes to the repository that include known secrets will be blocked by push protection, and any known secrets that are detected in the repository will generate a secret scanning alert. Secret scanning and push protection can be disabled by the repository administrator after the repository is created.

Existing public repositories are not affected, nor are new public repositories that belong to an organization.

GitHub Copilot Chat in JetBrains IDEs is now generally available

Following our Private Beta, we are thrilled to announce Copilot Chat in JetBrains IDEs is now generally available (GA) for all our Copilot Individual, Business, and Enterprise customers.

Driven by GPT-4, GitHub Copilot Chat provides instant guidance directly within various JetBrains IDEs, such as PyCharm, IntelliJ IDEA, WebStorm, Rider, and more. This contextually-aware tool tailors suggestions to your specific coding tasks and even allows explicitly adding files for reference. It empowers developers to innovate efficiently by assisting with complex concepts, code explanations, unit testing, and many more use cases, all while effortlessly adjusting to your preferred language style.

How to get started?

If you were already using Private Beta:
– No further action is required. You can continue using the chat feature as usual.

If you haven’t enabled Chat and want to use GitHub Copilot Chat in JetBrains IDEs:

  • Copilot Individual users: You automatically have access to the chat within JetBrains IDEs.
  • Copilot Business and Enterprise users: Your organization admins will need to grant you access to Copilot chat in IDEs. Once you have access, please consult our getting started guide.

How to give us your feedback?

We are dedicated to continuous improvement and innovation. Your feedback remains a crucial part of our development process, and we look forward to hearing more about your experiences with GitHub Copilot Chat for JetBrains IDEs. Please use this link to share your feedback or ideas on how to improve the product.

Join the discussion within GitHub Community.

Node16 has been out of support since September 2023. As a result we have started the deprecation process of Node16 for GitHub Actions. We plan to migrate all actions to run on Node20 by Spring 2024.
Following on from our warning in workflows using Node16 we will start enforcing the use of Node20 rather than Node16 on the 13th of May.

If you would like to test this ahead of time, you can set
FORCE_JAVASCRIPT_ACTIONS_TO_NODE20=true
as an ‘env’ in your workflow or as an environment variable on your runner machine to force the use of Node20 now.

To opt out of this and continue using Node16 while it is still available in the runner, you can set ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION=true
as an ‘env’ in your workflow or as an environment variable on your runner machine. This will only work until we upgrade the runner to remove Node16 later in the spring.

Removal of Operating System support for non-Node20 OS versions

To support this change, we will be removing the Action runner support for the following operating systems which do not have official support for Node20:
– Red Hat Enterprise Linux 7
– CentOS 7
– Oracle Linux 7
– Debian 9
– Ubuntu 16.04
– Linux Mint 18
– openSUSE 15
– SUSE Enterprise Linux (SLES) 12 SP2
– Windows 7 64-bit
– Windows 8.1 64-bit

To find out more about our currently supported OS versions, please read our public docs.

What you need to do

For Actions maintainers: Update your actions to run on Node20 instead of Node16 (Actions configuration settings).
For Actions users: Update your workflows to the latest versions of the actions, which run on Node20 (Using versions for Actions).
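
Both halves of the migration above in one place, as an added example that is not from the changelog post: a workflow that forces Node20 early using the env setting the post names, and the runs block of a JavaScript action switched from node16 to node20. The workflow, action and file names are placeholders; the actions/checkout@v4 reference is an assumption about a real action that already runs on Node20.

```yaml
# .github/workflows/ci.yml (added example; job and step contents are placeholders)
name: ci
on: [push, pull_request]

env:
  # Opt in ahead of the 13th of May enforcement so Node16-only actions fail here,
  # in CI, rather than on the day the runner stops honouring Node16.
  FORCE_JAVASCRIPT_ACTIONS_TO_NODE20: true

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4     # assumption: v4 of this action targets Node20
      - run: echo "building on a Node20-only runner configuration"

---
# action.yml of a JavaScript action you maintain (added example; name is a placeholder)
name: "my-node-action"
description: "Example action migrated from Node16 to Node20"
runs:
  using: "node20"      # previously: "node16"
  main: "dist/index.js"
```

Leaving `using: "node16"` in place only keeps working while ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION=true is set and Node16 still ships in the runner, so the action.yml change is the one that lasts.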

We’re excited to announce the launch of our redesigned Support Portal! Our aim is to enhance your support experience, and we’ve tailored the portal with your needs in mind.

The redesign focuses on increased user-friendliness, accessibility, and intuitive navigation, enabling us to provide you with more personalized content. This ensures you can quickly and easily find the answers you’re looking for.

Whether you have a question, an issue, or a suggestion, our Support Portal is designed to help you get the most out of our products and services.

Explore the new look at https://support.github.com and share your feedback with us!

transition between the old support portal to new

Dependabot security updates help you keep your dependencies secure by opening pull requests when a Dependabot alert is raised. With today’s release, you can now use flexible grouping options in dependabot.yml to control how Dependabot structures its security pull requests to make them more mergeable for you based on your context. Whether you’d like to simply update as many dependencies at once as possible (patterns: '*') or minimize the risk of breaking changes (dependency-type: development or update-types: "patch"), there are grouping options for you.

By specifying applies-to: security-updates in your group rule configuration, you can specify how you would like Dependabot to group your security updates. If you would like Dependabot to group together all possible updates for an ecosystem, you can instead use the UI located in your repository settings to do so. To learn more about this, check out our documentation here.

The available grouping options are:

  • patterns, which will match based on package names
  • dependency-type, which will group based on development or production dependencies, for ecosystems where this is supported, and
  • update-types, which will group based on SemVer level update

Learn more about grouping configuration options here.
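
The three grouping options combined into one security-update policy, as an added example that is not from the changelog post: one group that bundles every fixable alert, kept separate from a version-update group that only takes low-risk patches to development dependencies. Group names are placeholders.

```yaml
# dependabot.yml (added example; group names are placeholders)
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    groups:
      # Security updates: one PR per ecosystem containing every alert fix,
      # so a single merge clears the backlog (patterns: "*").
      security-fixes:
        applies-to: security-updates
        patterns:
          - "*"

      # Version updates: only SemVer patch bumps to dev dependencies are
      # batched, which keeps breaking-change risk out of the grouped PR.
      dev-patches:
        applies-to: version-updates
        dependency-type: "development"
        update-types:
          - "patch"

      # Production dependencies get minor and patch bumps grouped separately;
      # major bumps fall outside the group and arrive as individual PRs.
      prod-minor-and-patch:
        applies-to: version-updates
        dependency-type: "production"
        update-types:
          - "minor"
          - "patch"
```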

We’ve enhanced Custom Organization Roles by adding fine-grained permissions for GitHub Actions. Now, with Enterprise Cloud plans, organization owners can assign members and teams specific permissions for managing various aspects of Actions, including:

  • Actions general settings
  • Organization runners and runner groups
  • Actions secrets
  • Actions variables

These additional settings allow organization owners to delegate CI/CD automation management responsibilities to individuals or teams without granting access to any other organization owner privileges.

Please refer to our documentation for more detail about GitHub Actions fine-grained permissions with Custom Organization Roles.

GitHub Enterprise Server 3.12 is generally available

GitHub Enterprise Server 3.12 is now generally available and gives customers more fine-grained control over deployment requirements, as well as enhanced security controls. Here are a few highlights:

  • Restrict your deployment rollouts to select tag patterns in Actions Environments.
  • Enforce which Actions workflows must pass with organization-wide repository rulesets.
  • Scale your security strategy with Dependabot Alert Rules. This public beta allows customers to choose how to respond to Dependabot alerts automatically by setting up custom auto-triage rules in their repository or organization.
  • Automate pull request merges using Merge Queues. Previously developers needed to manually update their pull requests prior to merging, to ensure their changes wouldn’t break the main branch. These updates would initiate a round of continuous integration checks that needed to pass before a pull request could be merged. But with merge queues, this process is automated by ensuring each pull request queued for merging is tested with other pull requests queued ahead of it.
  • Enhance the security of your code with a public beta of Secret Scanning for non-provider patterns, and an update to Code Scanning’s default setup to support all CodeQL languages.
  • GitHub Project templates are available at the organization level, allowing customers to share out and learn best practices in how to set up and use projects to plan and track their work.
  • Updated global navigation to make using and finding information better, as well as improve accessibility and performance.
  • Highlight text in markdown files with accessibility aspects in mind with the alerts markdown extension, which gives you five levels to use (note, tip, important, warning, and caution).

Read more about GitHub Enterprise Server 3.12 in the release notes, or download it now.
If you have any feedback or questions, please contact our Support team.

CodeQL is the static analysis engine that powers GitHub code scanning. CodeQL version 2.16.3 has been released and has now been rolled out to code scanning users on GitHub.com.

Important changes in this release include:

  • CodeQL code scanning now supports AI-powered automatic fix suggestions for Python alerts on pull requests. This is automatically enabled for all current autofix preview participants.
  • A new option has been added to the Python extractor: python_executable_name. This allows you to select a non-default Python executable installed on the system running the scan (e.g. py.exe on Windows machines).
  • A fix for CVE-2024-25129, a low-severity data exfiltration vulnerability that could be triggered by processing untrusted databases or CodeQL packs.
  • Two new queries:
  • The sinks of queries java/path-injection and java/path-injection-local have been reworked to reduce the number of false positives.

For a full list of changes, please refer to the complete changelog for version 2.16.3. All new functionality will also be included in GHES 3.13. Users of GHES 3.12 or older can upgrade their CodeQL version.

We’ve started the rollout for enabling push protection on all free user accounts on GitHub. This automatically protects you from accidentally committing secrets to public repositories, regardless of whether the repository itself has secret scanning enabled.

If a secret is detected in any push to a public repository, your push will be blocked. You will have the option to remove the secret from your commits or, if you deem the secret safe, bypass the block.

It might take a week or two for this change to apply to your account; you can verify the status and opt in early in your code security and analysis settings. Once enabled, you also have the option to opt out. Disabling push protection may cause secrets to be accidentally leaked.
