Changelog

Subscribe to all Changelog posts via RSS or follow GitHub Changelog on Twitter to stay updated on everything we ship.

~ cd github-changelog
~/github-changelog|main git log main
showing all changes successfully

Repository updates July 31st 2024

We’re excited to bring an updated repository list view experience and the ruleset merge queue rule to general availability, as well as an update to the status check and workflow rules.

Finding repositories in your organization is now easier

With the introduction of custom properties earlier this year we wanted to make it easier to find repositories across your organization. With the new organization repository view and advanced filtering you find repositories based on common parameters like visibility and language, but also custom properties, size, license and a host of additional values.

Screenshot of repository list view filtered by visibility, archived status and a custom property showing a list of 64 repositories.

Repository Rules updates

Repository ruleset merge queue rule is now generally available

In addition to being able to manage your merge queue via rules, you can now see all the pull requests that merged in the same group along with the checks needed for the queue with rule insights.

Screenshot of repository rule merge queue options with default configurations.

Learn more about merge queues in our documentation and repository rules REST API

Avoid required status checks and required workflows when creating branches

Applying status check and actions workflow rules to newly created branches has been a point of friction in rulesets. When creating a new branch will fail unless you add bypass actors or create an intermediate unprotected branch. To alleviate this friction there is a new option available prevent checks and workflows from running on new branches.

Screenshot of require status check rule with the new "Do not require status checks on creation" option enabled

Learn more about status check rules and required workflows rules in our documentation.

Join the discussion within GitHub Community.

See more

Run workflows set as workflow_dispatch manually

Workflow dispatch screenshot on GitHub Mobile

Developers can now manually run workflows set with workflow_dispatch directly from the Workflow view (Repository -> Actions -> Workflows) on GitHub Mobile. This addition provides developers with greater flexibility and control over their workflows, enabling them to trigger workflows manually while on the go using GitHub Mobile. Whether they are away from their desks, traveling, or simply need to run a workflow quickly, this feature ensures developers can manage their projects efficiently from anywhere.

Join the discussion within GitHub Community.

See more

Copilot Chat in GitHub Mobile can answer questions about a specific repository, file and more

An image showing an outline of a phone with a list of GitHub Copilot prompts

Copilot Chat in GitHub Mobile just got smarter!

Copilot now has improved contextual awareness, allowing you to ask questions about the specific file or repository you are currently viewing.

Developers with a Copilot Enterprise license are also able to ask Copilot Chat for information about open issues, pull requests, and discussions.

This enhancement makes it easier than ever to get the assistance you need, exactly when you need it, all on the go.

Download or update GitHub Mobile today from the Apple App Store or Google Play Store to get started.

Learn more about GitHub Mobile and share your feedback to help us improve.

See more

Keyboard Navigation Improvements for Hovercards

Keyboard Navigation Improvements for Hovercards

We are excited to announce new keyboard behavior for navigating and dismissing hovercards without the need for a mouse! This enhancement is designed to make our platform more user-friendly for everyone, particularly those who rely on keyboard navigation.

How It Works

When you focus on a link with a hovercard, you can now press Alt + Up to make the hovercard appear and move focus inside it. This ensures that you can interact with the hovercard content without leaving your keyboard. Focus is trapped within the hovercard, similar to how it would be in a dialog box. To dismiss the hovercard and restore focus to the link, press Esc.

Customizable Settings

In response to both community and internal feedback, we have also introduced a new user setting that allows you to disable all hovercards. This option can be found under Accessibility Settings.

Send us Feedback

You can reach out to us at GitHub Community. Your feedback is invaluable as we strive to create an inclusive and accessible environment for all users.

See more

Automatically submit your Maven transitive dependencies to the dependency graph

To create a comprehensive model of the dependencies in a Maven project, it is essential to understand the the transitive dependencies that are resolved at build-time. This feature automatically performs build-time resolution of Maven dependencies and submits them to the dependency graph. This improves visibility into your project’s composition by including both the direct and transitive dependencies in your repository’s dependency graph and Dependabot alerts.

When you enable this feature, GitHub will monitor changes to the pom.xml file in the root of all branches of the repository, discover the dependencies referenced in this file, and automatically submit details about them to the dependency graph. This feature requires GitHub Actions, and it is compatible with both GitHub-hosted or self-hosted runners.

See the documentation to learn more about how to enable automatic dependency submission to help you secure your software supply chain.

See more

CodeQL 2.18.1: Kotlin & Swift mobile support is generally available, TypeScript 5.5 support, C# build-mode: none public beta

CodeQL is the static analysis engine that powers GitHub code scanning. CodeQL version 2.18.1 has been released and has now been rolled out to code scanning users on GitHub.com.

Important changes by version include:

For a full list of changes, please refer to the complete changelog for versions 2.17.6, 2.18.0, and 2.18.1. All new functionality will be included in GHES 3.15. Users of GHES 3.14 or older can upgrade their CodeQL version.

See more

Copilot Enterprise Mixed Licensing beta

Today, we’re introducing the beta for Copilot Enterprise Mixed Licensing within an enterprise. This grants GitHub Enterprise Cloud customers greater flexibility in selecting the best Copilot plans for their needs. Now, you can set a Copilot plan at the organization level instead of at the enterprise level.

Try it out now

To update an organization’s Copilot plan, an Enterprise Admin should navigate to Copilot Settings for the enterprise and select the desired plan via the dropdown menu for each organization.

Enterprise Mixed Licensing Dropdown Menu

Learn more about Copilot Enterprise Mixed Licensing in our documentation here and let us know what you think via Discussions.

See more

Validation on package name when submitting a new GitHub security advisory (GHSA)

To make it easier to submit security advisories, GitHub now validates package names.

When submitting a new GHSA (GitHub Security Advisory) in a repository, the user is prompted to enter the ecosystem (e.g. npm, maven) and package name (e.g. webpack, lodash). Now, when they enter the name, there will be a validation message at the bottom of the form to confirm whether or not the package name they entered has been found in the ecosystem they specified.

To learn more about submitting advisories to our Advisory Database, check out our documentation here.

See more

Actions Usage Metrics is generally available

Actions Usage Metrics is now generally available for all GitHub Enterprise Cloud customers. Actions Usage Metrics enables you to view data about your Actions workflow runs throughout your organization. You can use this data to identify opportunities to optimize your pipelines and reduce wasted runtime minutes which, when addressed, can lead to faster runs and increased developer productivity. Actions Usage Metrics breaks down the utilization of workflows, jobs, source repositories, and operating systems for GitHub hosted runners and self-hosted runners. All of this data is available in the UI and can be exported and shared as a .csv file if you wish to integrate your usage data with internal or third party tools.

Actions Usage Metrics screen shot!

To learn more about Actions Usage Metrics, check out our docs or head to our community discussion to ask questions and provide feedback.

See more

Deprecation of enum field “detached” from the “get repositories associated with a code security configuration” endpoint

The enum field indicating a ‘detached’ status will be deprecated from the ‘Get repositories associated with a code security configuration’ endpoint.

The endpoint itself will remain.

We will replace the ‘detached’ status with a ‘removed’ status. We will also add an additional status of ‘removed_by_enterprise’ to indicate situations where enterprise level settings changes have caused an organization-level code security configuration to be removed from a repository.

This change ensures that the code security configurations API is more inline with the status filters in the UI.

See more

GitHub Private Mirrors App – Public Beta

Today, we’re releasing a beta version of an open source GitHub App that manages private mirrors of public upstream repositories. The Private Mirrors App (PMA) enables organizations with regulatory or policy code review requirements to conduct their reviews in private, before contributing changes upstream. The app manages the lifecycle and synchronization of these private mirrors and automatically configures rulesets to manage PRs made to the mirrors.

The main benefits of working on private mirrors through PMA are:

  • Branch protection rules can enforce PR reviews by people on particular teams to ensure proper signoffs
  • If commits include code/keys/docs that should not be made public, there’s the opportunity to remove them and squash merge without leaking history
  • Initial development can happen inside an Enterprise Managed Users (EMU) organization, whose users ordinarily can’t interact with public GitHub repos. Once the app syncs a change, the public fork and upstream PR use normal github.com identities.

If this is interesting to you, check out the Private Mirrors App repo. If you’ve got questions or feedback, feel free to file an issue in the repostitory or join the conversation in the GitHub Community Discussions.

See more

Copilot text completion for pull request descriptions beta

Enhance your pull request workflow: Copilot pull request text completion now in beta

Copilot text completion for pull request descriptions is now available to all Copilot Enterprise customers. After typing just a few characters, Copilot will suggest completions to finish your sentences, leveraging the context of the PR and linked issues to ensure highly accurate and relevant suggestions.

This feature is currently in beta. An enterprise or organization admin must enable beta features using the “Opt in to preview features” Copilot policy to access text completion.

animation of getting Copilot help writing a pull request description

How to enable text completion for your Enterprise

An enterprise admin can enable beta features using the Copilot policy.

screen grab of enterprise policy for enabling preview Copilot Enterprise features

For more information about policies for Copilot Enterprise, see the documentation.

Users can control the feature

This feature is on by default if you have a Copilot Enterprise seat and your organization has the “Opt in to preview features” policy enabled. Additionally, individual users have the ability to easily disable and reenable completions based on their personal preferences.

screen grab of user controlling text completion using the copilot menu in the pull request description

Learn more

To learn more, check the documentation for Copilot pull request text completion. This beta feature is subject to GitHub’s preview terms.

As always, we welcome any feedback on Copilot Enterprise in the discussion within GitHub Community.

See more

Enable secret scanning for non-provider patterns on repositories with the REST API

GitHub Advanced Security customers using secret scanning can now use the REST API to enable or disable support for non-provider patterns at the repository level.

Non-provider patterns scans for token types from generic providers, like private keys, auth headers, and connection strings.

See more

Deprecation of API endpoint to enable or disable a security feature for an organization

Code security configurations were made generally available on July 10th, 2024. This experience replaces our old settings experience and its API.

If you are currently using the REST API endpoint to enable or disable a security feature for an organization, this endpoint is now considered deprecated.

It will continue to work for an additional year in the current version of the REST API before being removed in July of 2025. However, users should note this will conflict with the settings assigned in code security configurations if the configuration is unenforced. This may result in a code security configuration being unintentionally removed from a repository.

The endpoint will be removed entirely in the next version of the REST API.

To change the security settings for repositories, you can use the code security configurations UI, the configurations API, or the unaffected enterprise-level security settings.

Send us your feedback!.

See more

Security overview dashboards, secret scanning metrics and enablement trends reports are now generally available

Today, we’re excited to announce the general availability of our new organization and enterprise-level security overview dashboards, alongside enhanced secret scanning metrics and the enablement trends reports. These features are designed to provide comprehensive insights, improved prioritization, and advanced filtering options to streamline your security improvements.

Code security insights

Organization-level overview dashboard on the security tab

Our new security overview dashboard, available at both the organization and enterprise levels, integrates security into the core of the development lifecycle. This empowers you to proactively identify and address vulnerabilities. Key features include:

  • Track security improvements: Monitor trends over time by age, severity, and security tool, simplifying prioritization with top 10 lists focused on repositories and advisories.
  • Autofix impact: Understand how autofix, powered by GitHub Copilot, is influencing your enterprise’s security remediation efforts.
  • Advanced filtering: Customize data focus with filters by attributes such as team, repository metadata (i.e., custom repository properties), and security tool-specific filters:
    • Dependabot: Filter by ecosystem, package, and dependency scope.
    • CodeQL/Third-Party: Filter by specific rules.
    • Secret Scanning: Filter by secret type, provider, push protection status, and validity.

Organization-level enablement trends report

Monitor the enablement trends of all security tools with detailed insights into the activation status of Dependabot alerts, Dependabot security updates, code scanning, secret scanning alerts, and secret scanning push protection, giving you at-a-glance oversight of your security coverage.

Push protection insights for secret scanning

Organization-level secret scanning metrics page

Gain insights into how push protection is functioning throughout your enterprise. Monitor the number of pushes containing secrets that have been successfully blocked, as well as instances where push protection was bypassed. Detailed insights by secret type, repository, and reasons for bypassing are also available.

To access these features, navigate to your profile photo in the top-right corner of GitHub.com and select the organization or enterprise you wish to view. For organizations, click on the Security tab. For enterprises, click Code Security in the enterprise account sidebar.

These features are generally available on GitHub.com today and will be generally available in GitHub Enterprise Server 3.14.

Learn more about the security overview dashboard, the secret scanning metrics report and the enablement trends report

See more

Code security configurations are supported in the audit log

GitHub Enterprise Cloud customers can now see code security configurations data in audit log events.

Code security configurations simplify the rollout of GitHub security products at scale by defining collections of security settings and helping you apply those settings to groups of repositories. Configurations help you change the settings for important features like code scanning, secret scanning, and Dependabot.

With the addition of configurations data in the audit log, organization and enterprise owners have easy visibility into why the settings on certain repositories may have changed.

Audit log events now include:
– Name of the configuration applied to a repository
– When the configuration application fails
– When a configuration is removed from a repository
– When configurations are created, updated, or deleted
– When configurations become enforced
– When the default configuration for new repositories changes

Code security configurations are now available in public beta on GitHub.com and will be available in GitHub Enterprise Server 3.15. You can learn more about code security configurations or send us your feedback.

See more

Code security configurations API now includes validity checks, enforcement, and removal

The REST API now supports the following code security configuration actions for organizations:
Detach configurations from repositories
Enforce configurations
Enable validity checks for secret scanning in a configuration

The API is now available on GitHub Enterprise Cloud and will be available in GitHub Enterprise Server 3.15.0. You can learn more about security configurations, the REST API, or send us your feedback.

See more

Secret scanning detects generic passwords with AI (public beta)

Secret scanning now detects generic passwords using AI. Passwords are difficult to find with custom patterns — the AI-powered detection offers greater precision for unstructured credentials that can cause security breaches if exposed.

Passwords found in git content will create a secret scanning alert in a separate tab from regular alerts. Passwords will not be detected in non-git content, like GitHub Issues or pull requests, and are not included in push protection. Password detection is backed by the Copilot API and is available for all repositories with a GitHub Advanced Security license. You do not need a Copilot license to enable generic secret detection.

To start detecting passwords, select “Use AI detection to find additional secrets” within your code security and analysis settings at the repository level, or the code security global settings at the organization level.

See more

Filter repositories by configuration attachment failure reason in the code security configurations UI

Organization owners and security managers can now filter the table of repositories on the code security configurations settings page by configuration attachment failure reason.

This is useful when you’ve attempted to attach a code security configuration to many repositories at the same time, and some have failed. The reason for the failure is also now listed in the row with the repository name.

Use the search bar to filter by failure-reason: and then insert one of the following options:
actions_disabled – When you are attempting to rollout default setup for code scanning, but the repository does not have Actions enabled on it.
code_scanning – When you are attempting to rollout default setup for code scanning, but the repository already has advanced setup for code scanning.
enterprise_policy – When the enterprise does not permit GitHub Advanced Security to be enabled in this organization.
not_enough_licenses – When enabling advanced security on these repositories would exceed your seat allowance.
not_purchased – When you are attempting to rollout a configuration with GitHub Advanced Security features, but GitHub Advanced Security has not been purchased.
unknown – When something unexpected occurred.

Learn more about code security configurations, the configurations REST API, or send us your feedback.

See more
View more changes