
Changelog


SSH CAs uploaded to GitHub.com after March 27th, or in GHES 3.13 and beyond, can only sign certificates that expire, and they must expire within 366 days of being created.
While certificate expirations are not required by signing tools such as ssh-keygen, we are enforcing this best practice in order to protect against a weakness in how SSH certificates are linked to users.

CAs uploaded before the cutoff date or release will be marked in the UI as being allowed to sign non-expiring certificates:


An “upgrade” option on the CA lets you enforce expiration of signed certificates. Once you’ve validated that you are indeed using a lifetime on your certificates, we recommend upgrading your CAs. This upgrade step is irreversible, and new CAs cannot be downgraded to allow non-expiring certificates.
If a certificate is signed with no expiration, or with too long an expiration, it will be rejected during the SSH connection with the error “The SSH certificate used was issued for a longer period than allowed.”

This change forces the valid_after issuance timestamp to be written to the certificate, which allows GitHub to detect if the user changed their username after the certificate was issued for that username. This prevents a reuse attack vector where the former holder of a username is able to use certificates issued to them to sign in as the new holder of that username.

To learn more about managing SSH CAs, see “Managing your organization’s SSH CAs” and “Managing SSH CAs for your enterprise.” For information on using SSH CAs, see “About SSH CAs.”
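To check your own certificates against the rule described above before upgrading a CA, the following added example (not GitHub's code) parses the validity window straight out of an OpenSSH certificate line (the contents of an `id_*-cert.pub` file) and applies the 366-day bound. The `build_sample_cert` helper constructs an unsigned test blob so the script runs offline; the key id and principal it uses are made up.

```python
import base64
import struct
import time

MAX_LIFETIME = 366 * 24 * 60 * 60    # the upper bound from the announcement, in seconds
NEVER_EXPIRES = 0xFFFFFFFFFFFFFFFF   # OpenSSH's valid_before value for "forever" (no -V given)

# Number of public-key fields that sit between the nonce and the serial, per certificate type
_PUBKEY_FIELDS = {
    "ssh-ed25519-cert-v01@openssh.com": 1,           # pk
    "ssh-rsa-cert-v01@openssh.com": 2,               # e, n
    "ecdsa-sha2-nistp256-cert-v01@openssh.com": 2,   # curve, point
    "ecdsa-sha2-nistp384-cert-v01@openssh.com": 2,
    "ecdsa-sha2-nistp521-cert-v01@openssh.com": 2,
}


def _string(buf, off):
    """Read one SSH 'string' (uint32 big-endian length + bytes) at offset off."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    return buf[off:off + n], off + n


def parse_validity(cert_line):
    """Return (key_id, valid_after, valid_before) from '<type> <base64 blob> [comment]'."""
    cert_type, blob_b64 = cert_line.split()[:2]
    blob = base64.b64decode(blob_b64)
    declared, off = _string(blob, 0)
    if declared.decode() != cert_type:
        raise ValueError("certificate type field does not match the blob")
    _nonce, off = _string(blob, off)
    for _ in range(_PUBKEY_FIELDS[cert_type]):
        _, off = _string(blob, off)
    _serial, _cert_kind = struct.unpack_from(">QI", blob, off)
    off += 12
    key_id, off = _string(blob, off)
    _principals, off = _string(blob, off)
    valid_after, valid_before = struct.unpack_from(">QQ", blob, off)
    return key_id.decode(), valid_after, valid_before


def check_lifetime(valid_after, valid_before, max_lifetime=MAX_LIFETIME):
    """Return None when the window is acceptable, otherwise a human-readable reason."""
    if valid_before == NEVER_EXPIRES:
        return "certificate never expires (signed without a -V validity interval)"
    if valid_before <= valid_after:
        return "valid_before is not after valid_after"
    if valid_before - valid_after > max_lifetime:
        return "lifetime exceeds %d days" % (max_lifetime // 86400)
    return None


def build_sample_cert(valid_after, valid_before, key_id="alice@example.com"):
    """Constructed, unsigned ed25519 certificate blob for exercising the parser.
    Real certificates carry more fields and a CA signature after valid_before;
    parse_validity() never reads past valid_before, so they are omitted here."""
    def s(b):
        return struct.pack(">I", len(b)) + b
    cert_type = b"ssh-ed25519-cert-v01@openssh.com"
    blob = (s(cert_type) + s(b"\x00" * 32) + s(b"\x11" * 32)   # type, nonce, dummy pk
            + struct.pack(">QI", 1, 1)                          # serial, type 1 = user cert
            + s(key_id.encode()) + s(s(b"alice"))               # key id, principals list
            + struct.pack(">QQ", valid_after, valid_before))
    return "%s %s %s" % (cert_type.decode(), base64.b64encode(blob).decode(), key_id)


if __name__ == "__main__":
    now = int(time.time())
    samples = [("30 days", build_sample_cert(now, now + 30 * 86400)),
               ("forever", build_sample_cert(0, NEVER_EXPIRES)),
               ("2 years", build_sample_cert(now, now + 730 * 86400))]
    for label, cert in samples:
        key_id, after, before = parse_validity(cert)
        print(label, key_id, check_lifetime(after, before) or "ok")
```

Point the script at a real certificate by passing the first line of the `-cert.pub` file to `parse_validity`; a window of `0` to `NEVER_EXPIRES` is exactly what `ssh-keygen -s` produces when no `-V` interval is given, and is what the new enforcement rejects.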


Dependabot will now fail gracefully with informative error messages when an unsupported NuGet project type is encountered. If you were using an unsupported project type previously, Dependabot might have failed silently without producing updates. Dependabot is able to process updates to NuGet project files in the .csproj, .vbproj, and .fsproj formats.


Dependency review helps you understand dependency changes and the security impact of these changes at every pull request. We have updated the dependency review action to include information from the OpenSSF Scorecard project into the review, helping you better understand the security posture of the dependencies that you’re using.


Code scanning autofix is now available in public beta for all GitHub Advanced Security customers. Powered by GitHub Copilot, code scanning suggests fixes for JavaScript, TypeScript, Java, and Python alerts found by CodeQL.
This feature empowers developers to reduce the time and effort spent remediating alerts found in pull requests, and helps prevent new vulnerabilities from being introduced into your code base.

Autofix

The feature is automatically enabled on all private repositories for GitHub Advanced Security customers.
When code scanning analysis is performed on pull requests, autofixes will be generated for supported alerts. They include a natural language explanation of the suggested fix, together with a preview of the code suggestion that the developer can accept, edit, or dismiss. In addition to changes to the current file, these code suggestions can include changes to multiple files. Where needed, autofix may also add or modify dependencies.

You can see the total number of autofix suggestions provided for CodeQL alerts in open and closed pull requests in security overview:

Autofixes on the overview dashboard

You can configure code scanning autofix for a repository or organization. You can also use Policies for Code security and analysis to allow autofix for CodeQL code scanning for an enterprise.

Enterprise settings

Code scanning autofix supports, on average, 90% of CodeQL JavaScript, TypeScript, Java, and Python alerts from queries in the Default code scanning suite. Whether a fix is generated for any given alert also depends on the context and location of the alert. In some cases, code scanning won’t display a fix suggestion for an alert if the suggested code change fails syntax tests or safety filtering.

This change is now available to all GitHub Advanced Security customers on GitHub.com. For more information, see About autofix for CodeQL code scanning.

Provide feedback for code scanning autofix here.


You can now monitor enablement trends for all security products within your GitHub organization. This functionality is designed to give you a detailed overview of how your organization is implementing security product coverage.

new tool adoption report

Explore enablement trends for historical insights into the activation status of GitHub security features:
* Dependabot alerts
* Dependabot security updates
* Code scanning
* Secret scanning alerts
* Secret scanning push protection

Historical data is available from January 1, 2024, with the exception of Dependabot security updates data, which is available from January 17, 2024.

To access the enablement trends page, visit security overview at the organization level. You can find security overview by clicking on the “Security” tab.

This feature is now available as a public beta on GitHub Enterprise Cloud and will be available in GitHub Enterprise Server 3.13.

Learn more about security overview and join the discussion within the GitHub Community


Starting today for GitHub Enterprise Cloud and as part of GitHub Enterprise Server version 3.13, enterprise and organization audit log events will include the applicable SAML and SCIM identity data associated with the user. This data provides increased visibility into the identity of the user and enables logs from multiple systems to quickly and easily be linked using a common corporate identity. The SAML identity information will be displayed in the external_identity_nameid field and the SCIM identity data will be displayed in the external_identity_username field within the audit log payloads.

In GitHub Enterprise Cloud Classic, SAML SSO gives organization and enterprise owners a way to control and secure access to resources like repositories, issues, and pull requests. Organization owners can invite GitHub users to join an organization backed by SAML SSO, allowing users to become members of the organization while retaining their existing identity and contributions on GitHub.

If your Enterprise Cloud Classic organization uses SAML SSO, you can use SCIM to add, manage, and remove organization members’ access to your organization. For example, an administrator can deprovision an organization member using SCIM and automatically remove the member from the organization.

To learn more, read our documentation about SAML SSO authentication data in our audit logs.
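The practical use of the two new fields is joining GitHub audit events to other systems on the corporate identity. The added example below (not GitHub's code) does that join over constructed sample events that use the `external_identity_nameid` and `external_identity_username` field names from the announcement; the directory contents, the `@timestamp`/`action`/`actor` values and the one-JSON-object-per-line input format are assumptions for the sake of the demonstration. Events that carry no SAML identity, or a NameID the directory does not know, are reported separately because those are the ones that deserve a second look.

```python
import json

# Constructed sample audit log events (abridged); only the two external_identity_* field
# names come from the announcement, everything else is illustrative.
SAMPLE_NDJSON = """\
{"@timestamp": 1710000000000, "action": "repo.destroy", "actor": "octocat", "external_identity_nameid": "octocat@corp.example", "external_identity_username": "octocat"}
{"@timestamp": 1710000060000, "action": "org.add_member", "actor": "mona", "external_identity_nameid": "mona.l@corp.example", "external_identity_username": "mona.l"}
{"@timestamp": 1710000120000, "action": "repo.create", "actor": "hubot"}
{"@timestamp": 1710000180000, "action": "repo.access", "actor": "ghost", "external_identity_nameid": "ghost@corp.example", "external_identity_username": "ghost"}
"""

# Constructed corporate directory keyed by SAML NameID (the common identity across systems).
DIRECTORY = {
    "octocat@corp.example": {"employee_id": "E1001", "team": "platform"},
    "mona.l@corp.example": {"employee_id": "E1002", "team": "security"},
}


def load_ndjson(text):
    """Parse one JSON object per line, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def link_events(events, directory):
    """Join audit events to directory records via external_identity_nameid.

    Returns (linked, unlinked). Linked events gain an 'identity' dict combining the
    SAML NameID, the SCIM username and the directory record; unlinked events carry a
    'reason' explaining why no corporate identity could be attached."""
    linked, unlinked = [], []
    for ev in events:
        nameid = ev.get("external_identity_nameid")
        if not nameid:
            unlinked.append({**ev, "reason": "no SAML identity in event"})
            continue
        record = directory.get(nameid)
        if record is None:
            unlinked.append({**ev, "reason": "NameID not found in directory"})
            continue
        linked.append({**ev, "identity": {
            "nameid": nameid,
            "scim_username": ev.get("external_identity_username"),
            **record,
        }})
    return linked, unlinked


def summarize(linked, unlinked):
    """Count linked events per team and list actors that could not be linked."""
    per_team = {}
    for ev in linked:
        team = ev["identity"]["team"]
        per_team[team] = per_team.get(team, 0) + 1
    return {"per_team": per_team,
            "unlinked_actors": sorted({ev["actor"] for ev in unlinked})}


if __name__ == "__main__":
    linked, unlinked = link_events(load_ndjson(SAMPLE_NDJSON), DIRECTORY)
    for ev in linked:
        print(ev["action"], "->", ev["identity"]["employee_id"], ev["identity"]["team"])
    for ev in unlinked:
        print(ev["action"], "by", ev["actor"], "UNLINKED:", ev["reason"])
    print(summarize(linked, unlinked))
```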


Previously, if you specified your private registry configuration in the dependabot.yml file and also had a configuration block for that ecosystem using the target-branch key, Dependabot security updates wouldn’t use the private registry information as expected. Starting today, Dependabot uses private registry configurations specified in the dependabot.yml file as expected, even if there is a configuration with target-branch. This ensures that security updates are applied correctly, regardless of your repository’s configuration settings. Note that security updates still do not support the target-branch configuration.

Learn more about configuring private registries for Dependabot in the Dependabot documentation.


Previously, if Dependabot encountered 30 consecutive failures, it would stop running scheduled jobs until manual intervention via updating the dependency graph or manifest file. Dependabot will now pause scheduled jobs after 15 failures. This will give an earlier indication of potential issues while still ensuring that critical security updates will continue to be applied without interruption.

Read more in the Dependabot Docs. 


Precise code navigation is now available for all TypeScript repositories.
Precise code navigation gives more accurate results by only considering the set of classes, functions, and imported definitions that are visible at a given point in your code.

Precise code navigation is powered by the stack graphs framework.
You can read about how we use stack graphs for code navigation and visit the stack graphs definition for TypeScript to learn more.
You can also read more about code navigation for TypeScript and other languages in our documentation.


We’re excited to announce that GitHub is partnering with ORCID. You can now authenticate your ORCID account with your GitHub account, and display your ORCID iD on your public GitHub profile. ORCID provides a persistent unique digital identifier (an ORCID iD) that researchers own and control, and that distinguishes them from every other researcher.

Go to https://github.com/settings/profile to authenticate your ORCID iD.


New customers of GHEC enterprise managed users (EMUs) can now use the SSO and SCIM providers of their choice, separate from one another, for a more flexible approach to user lifecycle management. EMU enterprises will allow all valid SAML 2.0 and SCIM implementations as part of this public beta.

We are progressively rolling out this change to existing enterprises through March 19th. Existing EMU enterprises will see a new opt-in capability to allow writes to the SCIM API for callers other than the partner identity applications currently supported. A personal access token (Classic) with the admin:enterprise scope is required for SCIM writes. While in public beta, we do not recommend that existing customers change their current production identity system.

opt into SCIM API writes

Learn more about provisioning enterprise managed users with the SCIM API. If you have questions about migrating identity providers, please review the updated documentation or contact your account team.


CodeQL is the static analysis engine that powers GitHub code scanning. CodeQL version 2.16.4 has been released and has now been rolled out to code scanning users on GitHub.com.

CodeQL code scanning now supports automatic fix suggestions for Java alerts on pull requests, powered by Copilot. This is automatically enabled for all current autofix preview participants. You can sign up for the preview here and use our public discussion for questions and feedback.

The number of generated autofixes is now also visible in a dedicated security overview tile:

security overview showing a counter of fix suggestions

Furthermore, this release

For a full list of changes, please refer to the complete changelog for version 2.16.4. All new functionality will also be included in GHES 3.13. Users of GHES 3.12 or older can upgrade their CodeQL version.


Secret scanning now helps you more easily define custom patterns with GitHub Copilot.

As of today, you can leverage AI to generate custom patterns without expert knowledge of regular expressions.

Generate a secret scanning custom pattern with AI

What’s changing?

You can create your own custom detectors for secret scanning by using custom patterns. Formatted as regular expressions, these custom patterns can be challenging to write. Secret scanning now supports a pattern generator backed by GitHub Copilot in order to generate regular expressions that match your input.

How do I use the regular expression generator?

When defining a custom pattern, you can select “generate with AI” in order to launch the regular expression generator.

The model returns up to three regular expressions for you to review. You can click on the regular expression to get an AI-generated plain language description of the regular expression. You should still review this input and carefully validate performance of results by performing a dry run across your organization or repository.

Who can use the regular expression generator?

Anyone able to define custom patterns is able to use the regular expression generator. This feature is shipping to public beta today for all GitHub Enterprise Cloud customers with GitHub Advanced Security.

Learn more about the regular expression generator or how to define your own custom patterns.
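Whether the regular expression came from Copilot or was written by hand, the dry run the post recommends is the authoritative check. The added example below (not GitHub's code) is a small offline pre-check that scores candidate patterns against constructed positive and negative samples before you spend a dry run on them: the token format `acme_` plus 32 base62 characters, both candidate patterns and all sample strings are made up for the demonstration. Note that it uses Python's `re`, so it only approximates how the service evaluates a pattern; it is meant to catch obviously over-broad candidates, not to replace the dry run.

```python
import re

# Constructed candidates, as a generator might return them for the prompt
# "tokens that start with acme_ followed by 32 letters or digits".
CANDIDATE_PATTERNS = {
    "candidate-1": r"acme_[A-Za-z0-9]{32}",   # tight: fixed-length body
    "candidate-2": r"acme_\w+",              # over-broad: any identifier after the prefix
}

# Constructed samples. Positives are tokens in the assumed format; negatives are strings
# that share the prefix but are clearly not secrets (identifiers, host names, doc text).
POSITIVE_SAMPLES = [
    "acme_" + "A1b2C3d4" * 4,
    'token = "acme_' + "zZ9" * 10 + 'qq"',
]
NEGATIVE_SAMPLES = [
    "acme_config_loader = import_module('acme_config_loader')",
    "user acme_user_12345 logged in",
    "https://acme_cdn.example/assets/x.png",
]


def evaluate_pattern(pattern, positives, negatives):
    """Count hits on positives (should all match) and on negatives (should be zero)."""
    rx = re.compile(pattern)
    hits = sum(1 for s in positives if rx.search(s))
    false_positives = sum(1 for s in negatives if rx.search(s))
    return {
        "true_positives": hits,
        "missed": len(positives) - hits,
        "false_positives": false_positives,
    }


def rank_candidates(candidates, positives, negatives):
    """Return candidate names ordered best first: no misses, then fewest false positives."""
    scored = {name: evaluate_pattern(p, positives, negatives) for name, p in candidates.items()}
    return sorted(scored, key=lambda n: (scored[n]["missed"], scored[n]["false_positives"], n))


if __name__ == "__main__":
    for name, pattern in CANDIDATE_PATTERNS.items():
        print(name, pattern, evaluate_pattern(pattern, POSITIVE_SAMPLES, NEGATIVE_SAMPLES))
    print("best candidate:", rank_candidates(CANDIDATE_PATTERNS, POSITIVE_SAMPLES, NEGATIVE_SAMPLES)[0])
```

A candidate that matches every positive but also every negative, as `candidate-2` does here, would flood the dry run with noise; that is the kind of result worth catching before reviewing the generator's output in the UI.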


All new public repositories owned by personal accounts will now have secret scanning and push protection enabled by default. Pushes to the repository that include known secrets will be blocked by push protection, and any known secrets that are detected in the repository will generate a secret scanning alert. Secret scanning and push protection can be disabled by the repository administrator after the repository is created.

Existing public repositories are not affected, nor are new public repositories that belong to an organization.


GitHub Copilot Chat in JetBrains IDEs is now generally available

Following our Private Beta, we are thrilled to announce Copilot Chat in JetBrains IDEs is now generally available (GA) for all our Copilot Individual, Business, and Enterprise customers.

Driven by GPT-4, GitHub Copilot Chat provides instant guidance directly within various JetBrains IDEs, such as PyCharm, IntelliJ IDEA, WebStorm, Rider, and more. This contextually-aware tool tailors suggestions to your specific coding tasks and even allows explicitly adding files for reference. It empowers developers to innovate efficiently by assisting with complex concepts, code explanations, unit testing, and many more use cases, all while effortlessly adjusting to your preferred language style.

How to get started?

If you were already using Private Beta:
– No further action is required. You can continue using the chat feature as usual.

If you haven’t enabled Chat and want to use GitHub Copilot Chat in JetBrains IDEs

  • Copilot Individual users: You automatically have access to the chat within JetBrains IDEs.
  • Copilot Business and Enterprise users: Your organization admins will need to grant you access to Copilot Chat in IDEs. Once you have access, please consult our getting started guide.

How to give us your feedback?

We are dedicated to continuous improvement and innovation. Your feedback remains a crucial part of our development process, and we look forward to hearing more about your experiences with GitHub Copilot Chat for JetBrains IDEs. Please use this link to share your feedback or ideas on how to improve the product.

Join the discussion within GitHub Community.


Node16 has been out of support since September 2023. As a result we have started the deprecation process of Node16 for GitHub Actions. We plan to migrate all actions to run on Node20 by Spring 2024.
Following on from our warning in workflows using Node16, we will start enforcing the use of Node20 rather than Node16 on the 13th of May.

If you would like to test this ahead of time, you can set FORCE_JAVASCRIPT_ACTIONS_TO_NODE20=true as an ‘env’ in your workflow or as an environment variable on your runner machine to force the use of Node20 now.

To opt out of this and continue using Node16 while it is still available in the runner, you can set ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION=true as an ‘env’ in your workflow or as an environment variable on your runner machine. This will only work until we upgrade the runner to remove Node16 later in the spring.

Removal of Operating System support for non-Node20 OS versions

To support this change, we will be removing the Action runner support for the following operating systems which do not have official support for Node20:
– Red Hat Enterprise Linux 7
– CentOS 7
– Oracle Linux 7
– Debian 9
– Ubuntu 16.04
– Linux Mint 18
– openSUSE 15
– SUSE Enterprise Linux (SLES) 12 SP2
– Windows 7 64-bit
– Windows 8.1 64-bit

To find out more about our currently supported OS versions, please read our public docs.

What you need to do

For Actions maintainers: Update your actions to run on Node20 instead of Node16 (Actions configuration settings).
For Actions users: Update your workflows with the latest versions of the actions that run on Node20 (Using versions for Actions).


We’re excited to announce the launch of our redesigned Support Portal! Our aim is to enhance your support experience, and we’ve tailored the portal with your needs in mind.

The redesign focuses on increased user-friendliness, accessibility, and intuitive navigation, enabling us to provide you with more personalized content. This ensures you can quickly and easily find the answers you’re looking for.

Whether you have a question, an issue, or a suggestion, our Support Portal is designed to help you get the most out of our products and services.

Explore the new look at https://support.github.com and share your feedback with us!

transition between the old support portal to new


Dependabot security updates help you keep your dependencies secure by opening pull requests when a Dependabot alert is raised. With today’s release, you can now use flexible grouping options in dependabot.yml to control how Dependabot structures its security pull requests to make them more mergeable for you based on your context. Whether you’d like to simply update as many dependencies at once as possible (patterns: '*') or minimize the risk of breaking changes (dependency-type: development or update-types: "patch"), there are grouping options for you.

By specifying applies-to: security-updates in your group rule configuration, you can specify how you would like Dependabot to group your security updates. If you would like Dependabot to group together all possible updates for an ecosystem, you can instead use the UI located in your repository settings to do so. To learn more about this, check out our documentation here.

The available grouping options are:

  • patterns, which will match based on package names
  • dependency-type, which will group based on development or production dependencies, for ecosystems where this is supported, and
  • update-types, which will group based on SemVer level update

Learn more about grouping configuration options here.
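The following dependabot.yml, an added example rather than one from GitHub's documentation, puts the grouping options above together with the private registry and target-branch behaviour described in the earlier "Previously, if you specified your private registry configuration" post. The registry URL, secret name, branch name and group names are placeholders; the keys themselves (registries, target-branch, groups, applies-to, patterns, dependency-type, update-types) are the ones the two posts refer to.

```yaml
version: 2

registries:
  npm-private:                 # placeholder name for an internal npm registry
    type: npm-registry
    url: https://npm.example.internal
    token: ${{ secrets.NPM_REGISTRY_TOKEN }}   # placeholder secret name

updates:
  # Default branch: security updates use the private registry and are grouped
  # so that the resulting pull requests are easy to merge.
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    registries:
      - npm-private
    groups:
      # Lowest-risk security fixes first: patch-level bumps in one pull request.
      security-patches:
        applies-to: security-updates
        update-types: ["patch"]
      # Development-only dependencies (where the ecosystem distinguishes them)
      # can be bumped together without touching what ships to production.
      security-dev-dependencies:
        applies-to: security-updates
        dependency-type: "development"
      # Everything else that is a version update goes into one pull request.
      all-version-updates:
        applies-to: version-updates
        patterns: ["*"]

  # A maintenance branch with target-branch set. Only version updates honour
  # target-branch; security updates keep targeting the default branch, and
  # since this change they still pick up the registry configuration.
  - package-ecosystem: "npm"
    directory: "/"
    target-branch: "release/1.x"
    schedule:
      interval: "daily"
    registries: "*"
```

A group without applies-to defaults to version updates, so security updates are only grouped when a group names them explicitly, as the first two groups do here.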
