Changelog

Subscribe to all Changelog posts via RSS or follow GitHub Changelog on Twitter to stay updated on everything we ship.

~ cd github-changelog
~/github-changelog|main git log main
showing all changes successfully

Notice of upcoming deprecations and changes in GitHub Actions services

Over the next six months, we will be making the following changes and deprecations to the GitHub Actions service:

Reduction to Webhook rate limit in GitHub Actions
Starting October 1st, 2024 we will be adding a new rate limit of 1,250 requests per 10 seconds per repository for incoming Webhook events for GitHub Actions. After monitoring usage over the past several weeks, we believe that no customers will be impacted by this change, but if you believe you will need to exceed this in the future, please reach out to GitHub support.

Cache v1-v2 deprecation
Starting February 1st, 2025, Actions’ cache storage will move to a new architecture, resulting in the deprecation of v1-v2 of actions/cache. Attempting to use a version of the action after the announced deprecation date will result in a workflow failure. Please note: if you are pinned to a specific version or SHA of the action, your workflows will also fail after February 1st. We strongly encourage you to update your workflows to begin using v3 or v4 of actions/cache as soon as possible.

This deprecation will not impact any existing versions of GitHub Enterprise Server that are currently in use. Cached entries within their retention period will remain accessible from the UI or REST API regardless of the version used to upload. This announcement will also be added to the actions/cache repository.

See more

CSV exports for the CodeQL pull request alerts report

New Export CSV button highlighted on the CodeQL pull request alerts report

You can now export data from the CodeQL pull request alerts report in CSV format, enabling you to analyze prevention and autofix metrics offline or archive the data for future use. This functionality is available at both the organization and enterprise levels. Exports will respect all filters applied, allowing you to focus on the specific data most relevant to your needs. You can download all data where you have an appropriate level of access.

Learn more about tracking metrics on CodeQL pull request alerts and join the discussion within the GitHub Community.

See more

What’s New in Mobile, September Update

Edit profile status on Android

Recent Highlights: Update your Profile status on Android, plus enhanced accessibility and project search on both iOS and Android

You can now update your Profile status directly from GitHub Mobile on Android. On both iOS and Android, you will find improvements in large accessibility sizes, better content descriptions and keyboard navigation, with particular focus on the “Request Reviewers” and “Merge Options” screens.

Android (NEW) iOS
Android-UpdateStatus iOS-UpdateStatus

iOS

  • Project pickers for a repository shows projects owned by the repository owner.
  • Moving an item from one project group to another updates the title of the group.
  • You are now prompted to confirm dismissal before dismissing any input forms.
  • Tapping on links to issue and pull request comments now scrolls to the destination comments.
  • Improved support for large accessibility sizes throughout the app. This includes user profiles, account lists, pull request review line numbers, repository headers, the Explore view, code review view, comment author usernames, and the edit “My Work” view.
  • You can now iterate through reviewer information in the pull request view using assistive technologies such as VoiceOver.
  • You can now dismiss user status update, repository watch settings or the edit “My Work” view using the Escape key on a connected hardware keyboard.
  • Code lines in code search scale with accessibility font sizes.
  • On iPad, Markdown keyboard controls no longer appear outside of their container.
  • Improved accessibility when editing project field values for issues or pull requests.
  • Merge buttons on pull requests indicate to assistive technologies when not enabled.
  • Merge options appear as a button to assistive technologies.
  • Selected merge option announced as selective for assistive technologies.
  • The markdown formatting bar no longer overlaps with the text on iPad.
  • Fixed accessibility label to correctly distinguish between issue and pull request on share button.

Android

  • You can now personalize and update the status in your Profile.
  • You can now quickly return to the top of the screen by double tapping the icon of the active tab in the navigation bar.
  • Improved search results when searching in projects.
  • Improved error messages in the check log screen.
  • A new date picker makes it easier to read the dates using a device configured with a large font.
  • The Files Changed screen now has better content descriptions.
  • Merge option buttons are now more accessible with large fonts.
  • Accessibility improvements in the Pull Request “Request Reviewers” and “Merge Options” screens.
  • Accessibility improvements to keyboard navigation and reset all filters button.
  • Fixed a bug that prevented you from dispatching a workflow with no prior runs.
  • Fixed a crash when prompting for biometrics.
  • Fixed a bug where you could not add starred repositories to Lists in landscape.
  • Fixed a crash opening the Triage sheet (i) in the issue and pull request screens.
See more

GitHub security advisories support CVSS 4.0

GitHub security advisories now support the new CVSS 4.0 schema. CVSS, or the Common Vulnerability Scoring System, is an industry standard maintained by FIRST. The CVSS 4.0 standard adds new metrics for a more thorough assessment of the risk of a particular vulnerability.

When creating a repository security advisory, you can now calculate either a CVSS 4.0 or 3.1 base score and view this data on the published global advisory, related Dependabot alerts, and through the API.

Learn more about CVSS scores and GitHub security advisories and the GitHub Advisory Database.

See more

Inline Chat is now available in GitHub Copilot in JetBrains

You can now interact with GitHub Copilot directly within your active code file with Inline Chat for GitHub Copilot in JetBrains! This new feature is designed to enhance your coding experience by integrating interactive assistance directly within your code editor.

To start using it, ensure you have the GitHub Copilot plugin version 1.5.21.6667 or above installed in your JetBrains IDEs.

How to get started?

  1. Open Your File: Begin by opening the file you want to work on.
  2. Place Your Cursor: Position your cursor on the specific line or code block you want to discuss.
  3. Use the Shortcut: To access GitHub Copilot’s inline chat feature, press Shift+Ctrl+I (Mac) or Shift+Ctrl+G (Windows). Alternatively, right-click and choose “GitHub Copilot > Copilot: Inline Chat”. You can also simply click on the Copilot icon that appears when you select a line or section of code

How Inline Chat enhances your coding experience

  • Enhanced Workflow: Keep your focus on coding while receiving suggestions directly within the editor.
  • Contextual Awareness: Provide Copilot with specific code snippets for more relevant recommendations.
  • Focused Interaction: Enjoy a streamlined experience without the need for frequent context switching.

When to use Inline Chat

  • Refactoring: Request alternative methods to achieve the same functionality with cleaner, more maintainable code.
  • Testing: Get help generating unit tests for specific sections of your code.
  • Code Improvement: Seek assistance with restructuring complex logic, renaming variables, or adding comments for better readability.
  • Vulnerability Assessment: Consult Copilot about potential vulnerabilities, but remember to use established security tools for a comprehensive evaluation.
  • Performance Optimization: Obtain suggestions for improving your code’s efficiency.

How Inline Chat differs from Side Panel Chat

While both Inline Chat and Side Panel Chat allow interaction with Copilot, Inline Chat provides a more focused experience by integrating conversations directly with your active file. The Side Panel Chat, on the other hand, offers a dedicated space for broader discussions and tracking past interactions.

Start leveraging the power of Inline Chat in JetBrains Copilot today and make your coding experience more seamless and efficient!

Join the discussion within GitHub Community.

See more

GitHub CLI renews GPG signing key for Linux packages

The GPG key used to verify GitHub CLI Debian and RedHat packages expired on Friday, September 6. If you have installed gh via our official package repositories, we ask that you update your keyring to the new key to continue verifying GitHub CLI releases.

Please refer to this documentation for instructions on how to do so with your respective package manager.

For reference, a note on this was also included in the CLI v2.56.0 release notes, published earlier this week.

See more

Copilot Chat in GitHub.com is now aware of common support scenarios and GitHub’s documentation

Copilot Chat in GitHub.com is now trained on common support scenarios and GitHub’s documentation to provide you the most up to date context to help you resolve common issues that may arise when using GitHub.

Here are some examples of questions you can now ask:
Can I use Copilot knowledge bases with Copilot Individual?
How do I configure SSH?
A job is stuck in a post-build clean up step and it refuses to cancel or timeout. How do I stop it?

For more information, check out our documentation or join the discussion within GitHub Community.

See more

Push Rules are now generally available, and updates to custom properties

You can now restrict pushes into your private and internal repositories and their forks, with push rules – a new type of ruleset. Push rules enable you to limit updates to sensitive files like actions workflows, and help to enforce code hygiene by keeping unwanted objects out of your repositories.

In addition, organization owners can now allow repository property values to be set when repositories are created. This ensures appropriate rules are enforced from the moment of creation and improves discoverability of new repositories.

Push Rules

Organization and repository owners can now configure rules that govern what changes can be pushed to their repository, by attributes of the files changed – including their paths, extensions and sizes.

Screenshot showing the list of new push rules with options configured

Available push rules

  • Restrict file paths
    • This rule allows you to define files or file paths that cannot be pushed to. An example of when you might use this is if you wanted to limit changes to your Actions workflows in .github/workflows/**/*
  • Restrict file path length
    • You can limit the path length of folder and file names.
  • Restrict file extensions
    • You can keep binaries out of your repositories using this rule. By adding a list of extensions, you can exclude exe jar and more from entering the repository.
  • Restrict file size
    • Limit the size of files allowed to be pushed. Note: current GitHub limits are still enforced.

Push rules are available on GitHub Team plans for private repositories, and coverage extends to not just the repository, but also all forks of that repository. Additionally, GitHub Enterprise Cloud customers can set push rules on internal repositories and across organizations with custom repository properties. You can also access rule insights to see how push rules are applied across your repositories.

Additional details

  • Delegated bypass for push rules, currently in beta, allows your development teams to stay compliant with internal policies and keep a clean git history. Developers can easily request exceptions to push rules, that are reviewed and audited all within GitHub.
  • To ensure best performance push rules are designed to handle up to 1000 reference updates for branches and tags per push.

For more information, see the Push Rule documentation and to get started you can visit the ruleset-recipes repository to import an example push ruleset.

Custom properties

Organization owners can now allow their users to set custom properties during repository creation. Previously, this was only available to repository administrators or those with permissions to edit custom repository properties. By selecting Allow repository actors to set this property for your custom property, you can ensure repositories have properties attached from the start.

Screenshot of new repo being set up with a custom repository property

We want to hear from you

Questions or suggestions? Join the conversation in the community discussion.

See more

GitHub Desktop 3.4.4 – Introducing Custom Editor and Shell Integration

GitHub Desktop now allows you to open your repositories with any editor or shell, even if it’s not on the list of supported integrations. Supercharge your integrations with advanced configurations including specifying command line arguments.

Demonstrating adding a custom editor via the new integrations setting

Accessibility Improvements

  • Fixed: The “Open a Pull Request” and “About” dialog’s headings are announced via NVDA – #19107
  • Fixed: The branch selection popover in the “Open a Pull Request” dialog does not close on filter clearing – #19106
  • Fixed: The contrast ratio of icon in the diff file warnings is at least 3:1 – #19097
  • Fixed: The “Push Local Changes” confirmation dialog uses “alertdialog” role such that screen readers announce entire dialog contents – #19098
  • Fixed: Emoji’s provide descriptions for screen readers – #19101
  • Fixed: Stop improper announcement of \”dialog\” role on the autocompletion suggestions popover – #19114
  • Improved: Screen readers announces when users expand context in a diff – #19128
  • Improved: The squash dialog provides visual input labels – #19100
  • Improved: The search inputs across the app provide visual labeling in the form of a search icon – #19103

Community Contributions

  • Added: The external editor Cursor is supported on macOS – #17462. Thanks @bjorntechCarl!
  • Added: The external editor JetBrains RustRover is supported – #18802. Thanks @Radd-Sma!

Download GitHub Desktop

See more

Larger context window, improved test generation, and more in VS Code’s Copilot Chat

VS Code August recent updates

Since last month’s upgrade to GPT-4o, we now increased the available Chat context, so you can reference larger files and have longer chat conversations with GitHub Copilot Chat in VS Code. Additionally, you can now click Attach Context in Inline and Quick Chat to add more relevant context to your queries.

This month’s release also brings the following improvements to Copilot Chat in VS Code:

  • Easily generate tests using the Generate Tests using Copilot action or the /tests slash command. Copilot will now update and append tests to existing files or create a new test file if none exists. Learn more.

  • Revisit previous chat sessions with the Show Chats button. Sessions now have AI-generated names and can be manually renamed. Entries are sorted by the date of the last request and grouped by date buckets. Learn more.

  • Provide specifics on unsatisfactory Chat responses by selecting the Thumbs down button. A dropdown with detailed options helps you pick a problem type or report it as an issue to us, helping us improve Copilot. Learn more.

  • Code Actions now have clearer names: Generate Tests using Copilot and Generate Documentation using Copilot. Just place the cursor on an identifier and choose the action. Learn more.

Experimental New Features

Experimental settings are available in VS Code to gather your feedback and influence the future development of Copilot. Share your thoughts in our issues.

Check out the full release notes for VS Code’s August release (version 1.93) for more details and to learn more about the features in this release.

See more

Lower permissions for GitHub Enterprise Cloud Team Sync for Microsoft Entra ID

You can now use GitHub Enterprise Cloud Team Sync for Microsoft Entra ID with a new lower permission, GroupMember.Read.All, to sync group state into GitHub.

The new permission provides the least privileged permissions needed in order to access data and function correctly. New installations will request the new permission while existing installations will continue to work without interruption.

Administrators who wish to reduce the permissions of their existing installation can reinstall the application, or use the App Role Assignments API to modify the permissions of their existing service.

Learn more about team synchronization.

See more

Deprecation notice: Dependabot dropping support for Bundler v1

As of October 7, 2024, Dependabot will no longer support Bundler version 1, which has reached its end-of-life. If you continue to use Bundler version 1, there’s a risk that Dependabot will not create pull requests to update dependencies. If this affects you, we recommend updating to a supported release of Bundler. As of September 2024, the newest supported version of Bundler is 2.5. View Bundler’s official support policies for more information about supported releases.

See more

Pull request commits page refresh (public beta)

The pull request commits page has been refreshed to improve performance, improve consistency with other pages, and to make the experience more accessible!

Screenshot of the updated PR commits page showing a list of commits for a PR

To minimize disruptions, the capabilities of the classic commits page have been maintained, with a few exceptions: you can now use arrow keys to navigate the list of commits (instead of j and k) and focus indicators have been improved for better visual distinction.

Opt out

To switch back to the classic commits page, disable the “New Pull Request Commits Experience” feature preview (learn more).

Feedback

To provide feedback, ask questions, learn about known issues, visit the GitHub Community feedback discussion!

See more

Copilot Chat in GitHub.com is now contextually aware of GitHub Advanced Security alerts

You can now use Copilot Chat in GitHub.com to search across GitHub to find and learn more about GitHub Advanced Security Alerts from code scanning, secret scanning, and Dependabot. This change helps you to better understand and seamlessly fix security alerts in your pull request. ✨

Try it yourself by asking questions like:
– How would I fix this alert?
– How many alerts do I have on this PR?
– What class is this code scanning alert referencing?
– What library is affected by this Dependabot alert?
– What security alerts do I have in this repository?

Learn more about asking questions in Copilot Chat on GitHub.com or about GitHub Advanced Security.

See more

Enterprise audit logs can be streamed to two endpoints (private beta)

You can now stream your Enterprise’s audit log to two of GitHub’s supported streaming endpoints.

This update allows you as an Enterprise owner to easily employ your choice of tools for log storage and analysis. When managing your Enterprise, you may need to employ multiple tools to ensure compliance and maintain a strong security posture. This can involve different teams, requiring different levels of access, employing different technology to accomplish their objectives in supporting your Enterprise’s security and compliance requirements. By streaming your audit logs to two endpoints, you can employ multiple log storage and analysis tools without the need for a complex log routing architecture or deal with increased latency.

Interested in signing up? Please reach out to your GitHub account manager or contact our sales team to have this feature enabled for your Enterprise. Once enabled, you can follow our documents setting up audit log streaming to set up a second stream.

See more

GitHub Actions: arm64 Linux and Windows runners are now generally available

Arm64 Linux and Windows GitHub-hosted runners for Actions are now generally available. This new addition to our suite of hosted runners provides power, performance & sustainability improvements for all your Actions jobs. Arm64 runners are available to customers on our Team and Enterprise Cloud plans.

“We switched to the GitHub arm64 runners from a custom, self-managed setup on AWS Graviton instances. Switching to GitHub runners has saved us over 75% on our monthly fees and removed all the management overhead, which is particularly important given we’re a seed stage startup. The ARM runners have significantly improved build times from over 30 minutes on x86 runners to around 4 minutes on ARM. This allows us to iterate on pull requests much faster, and run the build process for ARM and x86 in parallel as part of the same GitHub Actions workflow, simplifying the process of getting code to production for our development team.” -David Mytton, Founder, Arcjet

Head over to the GitHub blog to read more about the benefits of arm64 runners and how to get started.

See more

Add repository permissions to custom organization roles

You can now add repository permissions to custom organization roles, granting a specific level of access to all the repositories in your organization.

This builds on the release of organization-wide permission grants in GitHub’s pre-defined organization roles. These updates enable admins to easily scale access management across large teams and organizations.

Creating a custom organization role using the new repository permissions. The role is based on the Write base role, and adds 3 permissions - delete issues, request solo merge, and update repo properties

Using repository permissions in organization roles

Organization roles do not have to contain organization permissions (i.e. read_org_audit_log) in order to include a repository role and permissions (i.e. close_issue). This lets you create your own versions of the pre-defined organization base roles like Write or Triage, assigning those roles to everyone in your organization to ensure a set standard of access that matches your requirements.

A popular use case is to create elevated roles for your on-call rotation. For instance, a role based on Write with the “Jump the merge queue” and “Request a solo merge” repository permissions added so that your on-call team can get that fixed quickly. Using the APIs you can automate assignment of this role to your current on-call, granting them those elevated permissions as a break-glass or shift-based privilege.

Managing repository access

Both the UI for organization role creation and the REST API have been updated to support repository permissions.

In addition, we’ve updated the repository access management page to distinguish between access granted by the repository owner to a user or team versus organization-wide grants made by the organization owner. This helps explain how a user got access to a specific repository.

The new repository collaborators view, showing the organization based access.

For more information, see GitHub’s documentation as well as the REST API methods for automating role creation and assignment.

See more

Unkey is now a GitHub secret scanning partner

For Unkey users, GitHub secret scanning now scans for Unkey tokens to help secure your public repositories. Unkey’s Root API Key enables users to create and manage Unkey resources including APIs, API keys, global rate limiting, and access controls. GitHub will forward any exposed tokens found in public repositories to Unkey, who will then revoke the compromised tokens and notify the affected users. Read more information about Unkey tokens.

GitHub secret scanning protects users by searching repositories for known types of secrets such as tokens and private keys. By identifying and flagging these secrets, our scans help prevent data leaks and fraud.

GitHub Advanced Security customers can also scan for and block Unkey tokens in their private repositories.

See more

Secret scanning fine-grained permissions for bypasses

You can now grant fine-grained permissions to review and manage push protection bypass requests within your organization.

Anyone with this permission will have the ability to approve and manage the list of bypass requests. You can still also grant these permissions by adding roles or teams to the “Bypass list” in your code security and analysis settings.

Next month, GitHub will be removing custom role support from the bypass list along with this change. To avoid disruption, existing custom roles that were added as bypass reviewers previously will be granted the fine grained permissions to review and manage bypass requests.

Delegated bypasses for secret scanning push protection allow organizations and repositories to control who can push commits that contain secrets. Developers can request approval from authorized users to push a blocked secret.

Learn more

Learn more about how to secure your repositories with secret scanning. Let us know what you think by participating in the dedicated GitHub community discussion or signing up for a 60 minute feedback session.

See more

What’s New in GitHub Sponsors

View all your organization’s Sponsors activity in one place.

It’s now easier for organizations to view GitHub Sponsors related activities in one place. From the Sponsors dashboard you can view your current and past sponsorships, create bulk sponsorships, and view your dependencies. You can search for a specific project or export all of your dependencies to easily find maintainers to sponsor.

Learn more about the Sponsors dashboard.

Share Sponsorships on Social Media

Maintainers and sponsors can share and celebrate sponsorships on social media with a click of a button. Maintainers can connect with their sponsors and share their goals.

Learn more about sharing on social.

See more
View more changes