We’ve enhanced the fullscreen Copilot chat experience on github.com/copilot with a streamlined UI and an even easier way to handle context:
Check out the updates, and let us know what you think using the in-product feedback option.
As of November 6, 2024, Dependabot no longer supports Composer version 1, which has reached its end-of-life. If you continue to use Composer version 1, Dependabot will be unable to create pull requests to update your dependencies. If this affects you, we recommend updating to a supported release of Composer. As of October 2024, the newest supported version of Composer is 2.8, and the long-term supported version is 2.2.
View Composer’s official documentation for more information about supported releases.
If you are using GitHub Enterprise Cloud with EMU and using OpenID Connect (OIDC) SSO, this new feature, currently in public preview, will help enforce IdP-defined IP restrictions to protect all web interactions on GitHub.
Currently, when your enterprise uses OIDC-based SSO and if any of the enterprise members change their IP address, GitHub can validate their access to your enterprise and its resources using your IdP’s Conditional Access Policy (CAP). IdP CAP validations previously covered only non-interactive flows where users authenticate with a personal access token or SSH key.
With this launch, we are now extending these validations to include all interactive web flows. If you already had IdP CAP turned ON previously, you will need to explicitly opt-in into extended protection for web sessions from their enterprise’s “Authentication security” settings. If you enable IdP CAP support after today’s public preview launch, you will get the coverage across web flows by default.
When this feature is generally available, we plan to have both interactive and non-interactive flows protected by the IdP CAP validations for all customers by default and remove the additional step of requiring to opt-in.
Learn more about GitHub’s support for your IdP’s Conditional Access Policy.
We will migrate the ubuntu-latest label to ubuntu 24 starting on December 5, 2024 and ending on January 17, 2025. The ubuntu 24 image has a different set of tools and packages than ubuntu 22. We have made cuts to the list of packages so that we can maintain our SLA for free disk space. This may break your workflows if you depend on certain packages that have been removed. Please review this list to see if you are using any affected packages.
Artifact actions v3 will be closing down by December 5, 2024. To raise awareness of the upcoming removal, we will temporarily fail jobs using v3 of actions/upload-artifact or actions/download-artifact. Builds that are scheduled to run during the brownout periods will fail. The brownouts are scheduled for the following dates and times:
– November 14, 12pm – 1pm EST
– November 21, 9am – 5pm EST
Currently, you can prevent Actions workflows from automatically running on pull requests made from forked repositories. Actions evaluates whether the actor initiating the request is trusted based on the repository’s settings. Effective today, Actions will require validation of both the pull request author and the event actor to determine if a workflow should run from a pull request event originating from a forked repository. For more information on for pull request approvals, see our documentation.
As GitHub continues to invest in availability, GitHub Actions is introducing a new webhook rate limit per repository. Each repository is now limited to 1500 triggered events every 10 seconds. For more details about the new webhook rate limit, please refer to our documentation.
With the upcoming GA of Immutable Actions, Actions will now be stored as packages in the GitHub Container Registry. Please ensure that your self-hosted runner allow lists are updated to accommodate the network traffic. Specifically, you should allow traffic to ghcr.io and *.actions.githubusercontent.com. If you require more specific domains, you can use pkg.actions.githubusercontent.com instead of *.actions.githubusercontent.com.
This update also affects runners in all versions of GitHub Enterprise Server that use the GitHub Connect feature to download actions directly from github.com. Customers are advised to update their self-hosted runner network allow lists accordingly. For further guidance on communication between self-hosted runners and GitHub, please refer to our documentation.
Additionally, our guidance for configuring Azure private networking has been updated to account for the the addional domains. The following IP addresses have been add to the NSG template in our documentation.
– 140.82.121.33/32
– 140.82.121.34/32
– 140.82.113.33/32
– 140.82.113.34/32
– 140.82.112.33/32
– 140.82.112.34/32
– 140.82.114.33/32
– 140.82.114.34/32
– 192.30.255.164/31
– 4.237.22.32/32
– 20.217.135.1/32
– 4.225.11.196/32
– 20.26.156.211/32
Network requests for Copilot are routed based on a user’s Copilot subscription. Requests for Copilot Individual, Copilot Business, and Copilot Enterprise users now route through different endpoints.
This change enables Copilot Business and Copilot Enterprise customers to make sure all Copilot users on their networks are accessing Copilot through their Copilot Business or Copilot Enterprise subscription, and that all Copilot user data is handled according to the terms of their Copilot Business or Copilot Enterprise agreement. In essence, customers will be able to use their network firewall to explicitly allow access to Copilot Business or Copilot Enterprise, and/or block access to Copilot Individual.
Today we enabled enforcement of the user’s subscription on the new endpoints, ensuring only Copilot Business users can connect to Copilot Business endpoints and only Copilot Enterprise users can connect to Copilot Enterprise endpoints.
Announced at GitHub Universe 2024, Claude 3.5 Sonnet is now available to all GitHub Copilot customers. To see Claude 3.5 Sonnet in action in Visual Studio Code check out the video below.
You can start using the new Claude 3.5 Sonnet today via the model selector in Copilot Chat in VS Code and immersive chat on GitHub.com.
Copilot Business and Enterprise organization administrators will need to grant access to Claude 3.5 Sonnet in Copilot via a new policy in Copilot settings. Once enabled, you will see the model selector in VS Code and chat on GitHub.com. You can confirm availability by checking individual Copilot settings and confirming the policy for Claude 3.5 Sonnet is set to enabled.
We’re excited to hear from you! Please use our Community Discussions to provide feedback and share tips with others.
For additional information, check out the docs on Claude 3.5 Sonnet in Copilot.
Now you can better manage and mitigate your security vulnerabilities with a new SAST vulnerabilities summary table, available directly on the security overview dashboard. This feature highlights your top 10 CodeQL and third-party open alerts by count, grouped by vulnerability type.
When prioritizing which alerts to address first, it’s crucial to consider various factors. One significant factor is the number of instances of a vulnerability across your codebase. The more areas of code affected by a vulnerability, the higher the potential risk for exploitation.
To access the new SAST vulnerabilities table, click your profile photo in the top-right corner of GitHub.com and select the organization or enterprise you want to view. For organizations, go to the Security tab and scroll to the bottom of the Detection view on the Overview dashboard. For enterprises, click Code Security in the sidebar, then select Overview and scroll to the bottom of the Detection view.
The SAST vulnerabilities summary is now generally available on GitHub Enterprise Cloud and will be available in GitHub Enterprise Server 3.16.
Learn more about security overview insights and join the discussion within the GitHub Community
Today, Actions Performance Metrics is now in public preview for all users of GitHub Actions. Actions Performance Metrics is an observability UI that gives you insights into your workflow or job performance for your organizations or repositories. To access the feature, on your organization home page, select Insights near the top of the page, and then select ‘Actions Performance Metrics’ on the left side of the page.
Performance metrics can help you answer these commonly asked questions about your Actions workflow runs:
We are also pleased to announce that with today’s release, GitHub Actions Metrics are now available to Free, Pro, and Team plans. Previously, this feature was only available to those on the GitHub Enterprise Cloud plan.
To learn more about GitHub Actions Metrics, check out our public documentation or head to our community discussion to ask questions and provide feedback.
We’re excited to announce the GA release of the GitHub Copilot Metrics API, available to all customers of GitHub Copilot Business and GitHub Copilot Enterprise.
The GitHub Copilot Metrics API is designed to supply you with information about Copilot’s usage within your GitHub enterprise, organizations, and teams. The data from the API is intended to be consumed and combined with your organization’s own data to create greater visibility into how Copilot fits into the bigger picture of your software development cycle. It offers visibility into utilization of individual Copilot features and the volume of daily active users.
The GA release of the Copilot Metrics API introduces a newly revised schema. To ensure that your existing reports are not interrupted, the Beta route will remain online through the end of the calendar year.
You can now access the power of GitHub Copilot to get command suggestions and explanations without leaving the terminal with Terminal Chat in Windows Terminal Canary. This is available for all Copilot Individual, Business, and Enterprise customers.
GitHub Copilot is available in Windows Terminal Canary. Consult the Terminal Chat documentation to learn how to connect Copilot and get started.
If you are a Copilot Business or Enterprise user
We are dedicated to continuous improvement and innovation. Your feedback remains a crucial part of our development process, and we look forward to hearing more about your experiences with GitHub Copilot in Windows Terminal. Please use the Windows Terminal repository to provide feedback or ideas on how to improve the product.
Join our dedicated Community Discussions to discuss this update and share tips with others.
GitHub Copilot Chat in VS Code, Visual Studio, and GitHub.com now supports web search, enabling you to easily chat about recent events, new developments, trends, and technologies. This feature is already available for Copilot Business and Copilot Enterprise.
To get started, first enable the “Copilot Access to Bing” policy in your Copilot Settings.
Then try it out with Copilot Chat by asking a question that would benefit from web search. Here are some examples:
What's the latest release of node.jsWhat are some recent articles about SAT tokens securing against vulnerabilities in Node?For more information, check out our documentation and join the discussion within the GitHub Community!
With Copilot code review in GitHub.com, you get fast, AI-powered feedback on your code, so you can start iterating while you wait for a human review.
Copilot code review on GitHub.com is launching in public preview today for Copilot Individual, Copilot Business and Copilot Enterprise subscribers. Sign up to the waitlist to request access.
You can request a review on your pull request by picking “Copilot” from the Reviewers menu. Administrators can configure automatic reviews for every pull request using repository rules.
Copilot will review your changes and attach its comments to specific lines of your code, including one-click fixes where possible.
You can jump from these suggestions into the new Copilot Workspace experience in the context of the pull request to refine and validate Copilot’s suggestions. Learn more in the changelog.
Copilot can also review your code in Visual Studio Code before you push; see the changelog for more details.
To learn more about GitHub Copilot Code review, head over to the docs. To ask questions or share feedback, head to our discussion on the GitHub Community.
As a GitHub Enterprise Cloud organization owner, you and your designated users can now use API insights to visualize REST API activity for your entire organization or specific apps and users. This new feature, currently in public preview, helps you understand the sources of your REST API activity and manage against your primary rate limits—giving you visibility into the timeframe, apps, and API endpoints involved.
The API insights feature is available only at the organization level. By default, only organization owners can access it. However, organization owners can grant access to non-owners by creating a custom role at the organization level, assigning the permission named View organization API insights to the custom role, and then assigning the custom role to an organization member or team. See the documentation for managing organization custom roles.
The API insights public preview feature is enabled for all GitHub Enterprise Cloud organizations. To access it on your organization home page, select Insights near the top of the page, and then select REST API on the left side of the page.
Use the Period and Interval drop-downs to choose the range of time displayed in the chart and how granularly to display REST API requests on the chart. These drop-downs also set the time range for the “Total REST requests,” the “Primary-rate-limited requests,” and the Actors table below the chart.
The Actors table displays the GitHub Apps and users that made REST API requests in the current organization within the selected time period. Select a GitHub App to display its REST API activity and any primary-rate-limiting. Select a user to display their personal REST API activity from personal access tokens (PATs) and OAuth apps acting on their behalf.
We welcome your feedback in this community discussion.
Refer to the documentation for API insights for more details about understanding your organization’s REST API activity and investigating primary-rate-limiting.
GitHub Models has entered public preview! GitHub Models provides every GitHub developer with access to top AI models via a playground, API, and more.
Since the announcement of GitHub Models almost three months ago, we’ve shipped a number of enhancements and new models.
New features include:
New surfaces to use models include:
@models in GitHub Copilot Chat.New model ships include:
To learn more about GitHub Models, check out the docs.
Join our Community
Join our dedicated Community Discussions to discuss this update, swap tips, and share feedback.
Copilot Autofix for Dependabot is now available in private preview for TypeScript repositories.
This new feature combines the power of GitHub Copilot with Dependabot, making it easier than ever to automatically fix breaking changes introduced by dependency updates. With Copilot Autofix, you can save time and minimize disruptions by receiving AI-generated fixes to resolve breaking changes caused by dependency upgrades in Dependabot-authored pull requests.
Dependency updates can introduce breaking changes that lead to failing CI tests and deployment delays. Identifying the exact cause of these breaks and implementing the correct fix can require significant time and effort, making it challenging to stay on the most up-to-date and secure version of a dependency.
Dependabot can now leverage the power of Copilot Autofix to analyze dependency updates that fail CI tests and suggest fixes, all within the pull request. Copilot Autofix for Dependabot not only helps keep your dependencies up to date, but also keeps your CI green. Staying up-to-date on dependencies upgrades with breaking changes is now easier and faster than ever.
To sign up for the feature waitlist, fill out the form to express your interest. We’ll notify selected participants as we roll out the feature over the coming weeks.
This feature is available in private preview to GitHub Advanced Security customers on cloud deployments. Starting today, we support TypeScript repos with tests set up in GitHub Actions. As we continue to develop this feature, we will expand coverage for additional languages and testing requirements.
Please keep an eye on future changelogs for more updates as the feature moves to public preview and general availability.
To learn more, please join the waitlist or check out the latest GitHub feature previews.
To hear what others are saying and offer your own take, join the discussion in the GitHub Community.
Security campaigns with Copilot Autofix are now in public preview. Available as part of GitHub Advanced Security, security campaigns rapidly reduce your backlog of application security debt. By using Copilot Autofix to generate contextual explanations and code suggestions for up to 1,000 historical code scanning alerts at a time, security campaigns help developers and security teams collaborate to fix vulnerabilities with speed and confidence.
Code scanning detection engines such as GitHub’s CodeQL are incredibly effective at automatically notifying developers about potential security vulnerabilities in their code in the form of code scanning alerts. Most developers fix these vulnerabilities with the help of Copilot Autofix when they’re flagged pull requests. However, in situations where these alerts aren’t remediated in a timely manner, security debt can build up and pose a serious risk to deployed applications. Using security campaigns, security teams and developers can easily collaborate to remediate and eradicate security debt at scale, with the help of Copilot Autofix.
A security campaign on GitHub can contain a large number of code scanning alerts, prioritized by your security team to be fixed within a chosen timeframe. When a campaign is created, Copilot Autofix automatically suggests fixes for all supported alerts, and developers who are most familiar with the code are notified. From there, they can review the fixes, open pull requests, and remediate the security debt.
Security teams can monitor the progress of the campaign and track the number of alerts that have been fixed. Using security campaigns, security and developer teams work together with Copilot Autofix to remove security debt in targeted efforts aimed at maximizing impact by focusing on the alerts that matter.
Security campaigns are available for users of GitHub Advanced Security on GitHub Enterprise Cloud. For more information about security campaigns, see About security campaigns in the GitHub documentation.
If you have any feedback on security campaigns: join the discussion in the GitHub Community.
We are excited to announce that GitHub Copilot for Xcode is now available in public preview. This is a major milestone in our ongoing mission to make Copilot an essential tool for developers across a wide variety of platforms. Now, Apple developers can enjoy the same intelligent coding assistance, seamlessly integrated into their favorite IDE. With this public beta, Xcode users can boost productivity, speed up development, and enhance their overall coding experience using Copilot. We’re excited to bring the power of Copilot to even more developers, empowering them to innovate and build faster.
You need to have a Copilot license to get access to Copilot for Xcode. All Copilot individual, business, and enterprise users have access to the public beta. To install the extension, simply follow the steps outlined in our getting started guide.
To provide feedback or report issues, please open an issue on GitHub at https://github.com/github/CopilotForXcode/issues. If you’re experiencing a similar problem, please check existing issues and add a comment to share your experience or ask questions.
Connect with other developers, share tips, and discuss other updates to Copilot in our dedicated Copilot Community Discussions.
With GitHub Copilot code review in Visual Studio Code, you can now get fast, AI-powered feedback on your code as you write it, or request a review of all your changes before you push.
There are two ways to use Copilot code review in VS Code:
Copilot’s feedback shows up as comments in the editor, attached to lines of your code. Where possible, the comments include actionable code suggestions, which you can apply in one click.
To learn more about Copilot code review, head to the docs.
Copilot Autofix now supports fix suggestions for problems detected by ESLint, a partner code scanning tool. Autofixes are available both in pull requests and for historical alerts.
ESLint is the first partner tool supported by Copilot Autofix. Support for additional partner tools, such as JFrog SAST and Black Duck’s Polaris™ platform powered by Coverity®, will be announced by future changelogs when available. To opt out of fix suggestions for third-party tools, you can disable this feature from the code scanning settings page.
In order for Copilot Autofix to pick up ESLint alerts, you need to enable ESLint as a code scanning tool in the target repository. For reference, you can select an updated starter workflow when setting up a new GitHub Actions workflow in your repository. You can use both ESLint scanning and the CodeQL analysis in the same repository.
For more information, see: Responsible use of Copilot Autofix for code scanning. If you have feedback for Copilot Autofix for code scanning, please join the discussion here.
GitHub Copilot Extensions are now available in public preview for GitHub Mobile!
With Copilot Extensions, you can extend GitHub Copilot’s capabilities on the go with GitHub Mobile. Use extensions to query third-party tools or private data in natural language.
How to join the preview program:
• On iOS: Install TestFlight and follow the prompts to join the GitHub Mobile beta program.
• On Android: Become a beta tester on Google Play and follow the prompts to download the beta version of GitHub Mobile.
You can also build your own private extensions for internal use or publish extensions to the GitHub Marketplace. For more info, see our docs on building Copilot Extensions.
Notice: We have temporarily rolled back support for GitHub Copilot Extensions on JetBrains IDEs to perform maintenance. Extensions are not currently supported on JetBrains, but we’re working to restore access as soon as possible. Further updates will be posted to the GitHub Changelog.
Learn more about GitHub Mobile and share your feedback to help us improve.