Changelog


You can now apply code security configurations to archived repositories. This makes it simpler to roll out configurations without having to filter for archived repos, and ensures features like Dependabot, code scanning, and secret scanning are automatically reapplied if a repo is unarchived.

If a repository has configurations applied and later becomes archived, the settings will persist and still apply.

Note: when a repository is archived, the only security feature that will still run is secret scanning. However, if the repository is ever unarchived, all other features in the applied configuration, such as Dependabot or code scanning, will be reapplied automatically.

This release also adds a new filter to the repository table on the code security configurations UI page, allowing you to filter for archived repositories with archived:true.

Learn more about code security configurations, the REST API and send us your feedback.

See more

A list of the GitHub Copilot Chat updates in the September VS Code release.

In the latest Visual Studio Code release, you will find a suite of enhancements to GitHub Copilot Chat, designed to streamline your coding, debugging, and testing processes.

These features are now available for you to try out in the latest version of Visual Studio Code.

Pick your language model

Sign up for early access to the latest OpenAI o1 models for more precise and efficient coding assistance. Once you have access, you will have the model picker control in Copilot Chat in VS Code. You can then choose which model version to use for your chat conversations.

Screenshot of the language model picker control in Copilot Chat.

Enhanced code quality with GPT-4o

Copilot Inline Chat now uses GPT-4o, giving you faster, more accurate, and higher-quality code and explanations when you use Chat in the editor.

Public code matching in chat

You can allow GitHub Copilot to return code that could match publicly available code on GitHub.com. When this functionality is enabled for your organization subscription or personal subscription, Copilot code completions already provided you with details about the matches that were detected. We now show you these matches for public code in Copilot Chat as well.

If this is enabled for your organization or subscription, you might see a message at the end of the response with a View matches link. If you select the link, an editor opens that shows you the details of the matching code references.

Screenshot of GitHub Chat in VS Code. A red rectangle highlights the end of a response that reads "Similar code found with 2 license types - View matches."

File suggestions in chat

In chat input fields, you can now type # to get file name suggestions and quickly attach them to your prompt as context. This works in chat locations that support file attachments, such as the Chat view, Quick Chat, Inline Chat, and Notebook Chat.

Drag and drop files to add chat context

You can now attach additional files as context for a chat prompt by dragging files or editor tabs from the workbench directly into chat. For Inline Chat, hold Shift and drop a file to add it as context instead of opening it in the editor.

File attachments included in history

When you attach a file or editor selection as relevant context to your chat request, Copilot Chat will include them in the history of follow-on requests so that you can keep referring to them without having to reattach them. Previously, this context was added only for the current request and was not included in the history of follow-on requests.

Chat conversation shows that Copilot keeps track of attached files across multiple prompts.

Inline Chat and completions in Python native REPL

The native REPL editor, used by the Python extension, now supports Copilot Inline Chat and code completions directly in the input box.

Semantic search results (Preview)

Setting: github.copilot.chat.search.semanticTextResults

You can perform an exact search across your files with the Search view. It also now uses Copilot to give search results that are semantically relevant.

This functionality is still in preview and by default, the setting is not enabled. Try it out and let us know what you think!

Fix test failure (Preview)

Setting: github.copilot.chat.fixTestFailure.enabled

New fix test logic now helps you diagnose failing unit tests. This logic is triggered in some scenarios by the /fix slash command, and you can also invoke it directly with the /fixTestFailure slash command. The command is enabled in chat by default but can be disabled via the setting github.copilot.chat.fixTestFailure.enabled.

Automated test setup (Experimental)

Setting: github.copilot.chat.experimental.setupTests.enabled

You can now use an experimental /setupTests slash command to configure the testing setup for your workspace. This command can recommend a testing framework, provide steps to set up and configure it, and suggest a VS Code extension to provide testing integration in VS Code.

When you use the /tests command to generate tests for your code, Copilot Chat can recommend /setupTests and testing extensions if it looks like such an integration has not been set up yet in your workspace.

Start debugging from Chat (Experimental)

Setting: github.copilot.chat.experimental.startDebugging.enabled

You can use the /startDebugging slash command to find or create a launch configuration and start debugging your application. When you use @vscode in Copilot Chat, /startDebugging is now available by default.

A user types /startDebugging flask app port 3000 in the panel chat and is provided with the launch configuration.

Chat in Command Center (Experimental)

Setting: chat.commandCenter.enabled

You can now access chat via the Command Center, which provides access to all relevant chat commands, like starting the different chat experiences or attaching context to your prompt. Note that the Command Center itself needs to be enabled for the chat Command Center entry to show.

Chat Command Center button and the drop-down menu with relevant chat actions.

Custom test generation instructions (Experimental)

Generating tests with Copilot helps you write code that is more robust. With custom instructions you can ensure that the generated tests meet your specific coding style and requirements.

Setting: github.copilot.chat.experimental.testGeneration.instructions

In addition, you can now define instructions for test generation in settings or import them from a file, for example if you always want to use a particular unit testing framework for your tests. Configure the test-generation instructions in the github.copilot.chat.experimental.testGeneration.instructions setting.

✍️ We want your feedback

Try out these new features and share your experiences and feedback in our issues.

See more

You can now report compromised GitHub personal access tokens to GitHub, directly from a secret scanning alert. When you let GitHub know that the secret has been compromised, GitHub will treat the token like a publicly leaked token and revoke it. This change simplifies remediation and makes it more easily actionable.

The token owner will receive an email notification when their token is revoked. As a best practice, you should review any associated token metadata and reach out to the token owner, if possible, before reporting the token. Consider rotating the secret first to prevent breaking workflows.

Learn more

Learn more about how to report a compromised GitHub personal access token. Let us know what you think by participating in a GitHub community discussion or signing up for a 60 minute feedback session.

See more

Now you can find answers to commonly asked questions about GitHub Enterprise Cloud in the GitHub Trust Center, a comprehensive resource for understanding how GitHub meets security, privacy, and compliance standards. Designed with transparency in mind, this resource centralizes key information, empowering you to build on GitHub with complete confidence.

Key Highlights:

  • GitHub Enterprise Cloud FAQ: Addressing common questions on security, compliance, data residency, and privacy practices.
    • Security Practices: Detailed explanations of GitHub’s encryption, access management, and threat detection features.
    • Data Residency: Information on data storage locations and residency options.
    • Compliance and Certifications: Discover compliance standards, such as SOC 2, ISO 27001, and GDPR.
    • Privacy and Data Protection: Insight into GitHub’s approach to handling data in accordance with global privacy laws.

How to Access:

Visit the GitHub Trust Center and explore the GitHub Enterprise Cloud FAQ for all your security, privacy, and compliance queries.

Stay informed by regularly visiting the GitHub Trust Center, where updates are provided to ensure you have the latest insights.

Explore the new GitHub Trust Center today and build with confidence!

See more

GitHub is now a participant in TISAX with an Assessment Level 2 (AL2) label in the ENX Portal. TISAX is a recognized assessment and exchange mechanism for the German automotive industry, ensuring that companies meet specific information security requirements. It is based on the German Association of the Automotive Industry, or Verband der Automobilindustrie (VDA), Information Security Assessment (ISA) catalog, which aligns most closely with ISO/IEC 27001.

What does this mean for me as a customer?

For our customers, this participation provides additional assurance that GitHub is a trusted partner in managing and securing their data. It opens new opportunities for customers who require TISAX participation to consider using GitHub Enterprise Cloud products, GitHub Copilot, and GitHub Actions.

Participating in the TISAX program at Assessment Level 2 means that GitHub has demonstrated the ability to adequately protect sensitive information in accordance with industry standards. This assessment level focuses on:

  • Information Security: Implementing robust security measures to prevent unauthorized data access and breaches.
  • Risk Management: Continuously identifying, evaluating, and mitigating potential risks to GitHub’s information systems.

The scope of the TISAX assessment, using the newly released VDA ISA version 6, is the same as the GitHub Information Security Management System (ISMS), which has already been assessed against ISO/IEC 27001:2013. To see the scope, you can review GitHub’s ISO/IEC 27001:2013 certification.

Customers who are interested and registered as TISAX participants with ENX can find the details of GitHub’s assessment via the ENX portal by searching for GitHub, our Assessment ID (APC0RT), or our AL2 scope ID (SY52MN).

If you have any questions or need more information about GitHub’s compliance practices, please visit the GitHub Trust Center.

See more

Actions Usage Metrics is in public preview for all GitHub Enterprise Cloud customers at the repository level.

Actions Usage Metrics enables you to view data about your Actions workflow runs in your repositories. Launched initially at the Organization level, this dashboard helps teams identify opportunities to optimize pipelines and reduce wasted runtime minutes which, when addressed, can lead to faster runs and increased developer productivity.

To learn more about Actions Usage Metrics, check out our docs or head to our community discussion to ask questions and provide feedback.

See more

GitHub Issues has been how the world’s best software teams collaborate since it first launched in 2009. Today we are excited to unveil a major evolution of issues and projects, featuring a range of highly requested enhancements including sub-issues, issue types and advanced search for issues. Together, these additions make it easier than ever to break down work, visualize progress, categorize and find just the right issue in GitHub.

These new features are now available in public beta for you to try. To gain access for your organization, please sign up here.

🔗 Break down and nest issues with sub-issues

Sub-issues allow you to break down and organize issues within a parent-child hierarchy. You can create sub-issues from any issue and use their nested structure to track progress and understand remaining work. You can also easily track sub-issue progress within your projects.

Learn more and share feedback on sub-issues.

📁 Organize your work with issue types

Issue types allow you to classify and manage your issues with a shared and consistent language across all repositories in an organization. You can quickly understand the progress of your bug backlog, find all of the high level initiatives teams are working on, and understand the breakdown of work in a project.

Issue types displayed as part of a repo index page

Learn more and share feedback on issue types.

From the repository issues page, you can build advanced searches using the AND and OR keywords and parentheses for nested searches. This allows you to build more complex filters to find the exact set of issues you’re looking for.

A user searches for type bug OR type task

Learn more and share feedback on advanced search for issues.

🎨 Issues UI updates

All these new features are based upon an update to the issues front end, designed to be fast and familiar. This means there are no new UI patterns to slow you down, but we did include a few tweaks to speed you up, including:

  • The issues index page has a new filter bar with autocomplete and syntax highlighting.
  • Creating multiple issues is faster with a ‘create more’ option to quickly get back to the creation screen.
  • Issue form and templates are now presented in alphabetical order based on file name, making it easier for you to set just the right order.
  • Easily share the URL to an issue with a new ‘copy link’ button.
  • On long issues, selecting ‘load more’ will now fetch 150 events instead of 50.

Learn more and share feedback on the updated issues UI.

♾️ Increased items in GitHub Projects

Earlier this year, we introduced the private beta of increased project item limits, expanding the capacity from 1,200 to 50,000 items in a project. Today, we’re expanding the audience for these increased limits.

Since the private beta, we’ve added support for slice by, swimlanes, and GraphQL API. We’ve also fixed your top bug reports and made performance improvements.

If you’re a project admin and your project is approaching the item limit without utilizing Insights (our only currently unsupported feature), a banner will appear over your project to notify you.

As this update is on a project by project basis rather than per organization, to join, just click the “Join waitlist” button on eligible projects.

Learn more and share feedback on increased items in projects.

✍️ We want your feedback – join the public beta

Join here and let us know your feedback!

See more

With a subscription to Copilot Individual or Copilot Business, you can now access Copilot in GitHub.com, allowing you to:

  • Discover codebases on GitHub effortlessly using powerful natural language code search using Copilot Chat.
  • Streamline development processes by receiving suggestions to resolve build failures and summarizing changes in pull requests.
  • Quickly get up to speed with the help of Copilot through summaries and key takeaways from discussions, issues, pull requests and more.

These features are also now available in GitHub Mobile for all Copilot users.

If you’re enrolled into our recently announced o1 model limited beta, you can experiment with o1-preview and o1-mini directly in GitHub.com. To gain access to o1, please visit the waitlist.

Finally, you can now open Copilot Chat by clicking on the floating Copilot icon in the bottom left corner of the GitHub.com interface.

Join the discussion and let us know what you think on the GitHub Community.

See more

GitHub Enterprise Cloud’s open support for the System for Cross-domain Identity Management (SCIM) specification is now generally available for Enterprise Managed Users (EMUs). This allows administrators to mix and match their preferred choices of SAML and SCIM identity systems, providing the flexibility required to meet access management needs.

This release also includes significant improvements for security and auditing:
– A new reduced personal access token (PAT) scope, scim:enterprise, now lets you grant a least privilege, enterprise-level permission set just for read and write access to GitHub’s EMU SCIM API. Use of the admin:enterprise PAT scope is no longer required or recommended.
– New audit log entries exist for SCIM events to enable debugging of any provisioning failures with SCIM APIs.

Learn more about lifecycle management of Enterprise Managed Users with the SCIM API.

See more

We are excited to introduce the CI/CD Admin role, a pre-defined organization role designed to streamline the management of settings and policies for GitHub Actions.

In March 2024, GitHub announced fine-grained permissions for Actions, which organizations could apply to custom roles. However, organizations are limited to 10 custom roles, and many customers prefer not to use these slots for an all-encompassing CI/CD role that requires ongoing updates as new permissions are added.

With the new CI/CD Admin role, organization owners and teams can now delegate comprehensive CI/CD management to individuals without the need to maintain a custom role. This pre-defined role, maintained by GitHub, includes the following permissions:

  • Actions general settings
  • Organization runners and runner groups
  • Actions secrets
  • Actions variables
  • Network configuration
  • Actions usage metrics

For more details about pre-defined organization roles and the fine-grained permissions included in the CI/CD Admin role, please refer to our documentation.

See more

CodeQL version 2.19.0 has been released and has now been rolled out to code scanning users on GitHub.com. CodeQL is the static analysis engine that powers GitHub code scanning.

Important changes by version include:

  • CodeQL 2.18.2
    • Support for scanning Java codebases without needing a build is generally available.
    • The Python py/cookie-injection query, which finds instances of cookies being constructed from user input, is now part of the main query pack.
    • One new query for Ruby rb/weak-sensitive-data-hashing, to detect cases where sensitive data is hashed using a weak cryptographic hashing algorithm.
  • CodeQL 2.18.3
    • New C# models for local sources from System.IO.Path.GetTempPath and System.Environment.GetFolderPath.
  • CodeQL 2.18.4
    • Support for scanning C# codebases without needing a build is generally available.
    • Support for Go 1.23.
  • CodeQL 2.19.0
    • Support for TypeScript 5.6.
    • One new query for JavaScript js/actions/actions-artifact-leak to detect GitHub Actions artifacts that may leak the GITHUB_TOKEN token.
    • A 13.7% evaluator speed improvement over CodeQL 2.17.0 release.

For a full list of changes, please refer to the complete changelog for versions 2.18.2, 2.18.3, 2.18.4 and 2.19.0.

All new functionality from 2.18.Z releases will be included in GHES 3.15, while functionality from 2.19.0 will be included in GHES 3.16. If you use GHES 3.14 or older, you can upgrade your CodeQL version.

See more

Ubuntu 24 for GitHub-hosted runners is now GA

The Ubuntu 24.04 image for Actions is now generally available. To use Ubuntu 24 directly on your GitHub-hosted runners, update runs-on: in your workflow file to ubuntu-24.04.

jobs:
  build:
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-dotnet@v4
      - name: Build
        run: dotnet build
      - name: Run tests
        run: dotnet test

The Ubuntu 24.04 runner image has different tools and tool versions than Ubuntu 22.04.

ubuntu-latest migration

The ubuntu-latest label will migrate to Ubuntu 24 over the course of the next month, beginning September 23rd and finishing on October 30th. During migration, you can determine if your job has migrated by viewing the “Runner Image” information in the “Set up job” step of your Actions logs.
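
To see which jobs the ubuntu-latest migration touches, the following added example (not GitHub's code) inventories each job's runs-on value in a workflow file and marks labels that float to a new image. The sample workflow, function names and status words are constructed for illustration, and the parser is a line-based approximation of the common runs-on forms, not a full YAML parser.

```python
import re

# Label the changelog says is moving to a new image; extend as needed.
FLOATING_LABELS = {"ubuntu-latest"}

KEY_RE = re.compile(r"^(\s*)([\w.-]+):\s*(.*?)\s*$")
ITEM_RE = re.compile(r"^\s*-\s*(.+?)\s*$")

# Constructed sample workflow (not taken from a real repository).
SAMPLE_WORKFLOW = """\
name: ci
on: push
jobs:
  build:
    runs-on: ubuntu-latest   # floats to Ubuntu 24 during the migration
    steps:
      - uses: actions/checkout@v4
  test:
    runs-on: ubuntu-24.04
    steps:
      - run: dotnet test
  package:
    runs-on:
      - self-hosted
      - linux
    steps:
      - run: make dist
  matrix-build:
    strategy:
      matrix:
        os: [ubuntu-latest, macos-15]
    runs-on: ${{ matrix.os }}
    steps:
      - run: swift build
"""


def split_labels(value):
    """Turn an inline runs-on value ('a' or '[a, b]') into a list of labels."""
    value = value.strip()
    if value.startswith("[") and value.endswith("]"):
        parts = value[1:-1].split(",")
    else:
        parts = [value]
    return [p.strip().strip("'\"") for p in parts if p.strip()]


def classify(labels):
    """floating: image changes under you; dynamic: set by an expression, review by hand."""
    if not labels:
        return "unknown"
    if any("${{" in label for label in labels):
        return "dynamic"
    if any(label in FLOATING_LABELS for label in labels):
        return "floating"
    return "pinned"


def audit_runs_on(workflow_text):
    """Return (job_id, line_no, labels, status) for every runs-on under jobs:."""
    findings = []
    in_jobs, job_indent, job, pending = False, None, None, None
    for line_no, raw in enumerate(workflow_text.splitlines(), 1):
        line = re.sub(r"\s+#.*$", "", raw)  # drop trailing comments
        if not line.strip():
            continue
        item = ITEM_RE.match(line)
        if pending is not None and item:
            # Block-list form: "runs-on:" followed by "- label" lines.
            pending[2].append(item.group(1).strip("'\""))
            continue
        pending = None
        match = KEY_RE.match(line)
        if not match:
            continue
        indent, key, value = len(match.group(1)), match.group(2), match.group(3)
        if indent == 0:
            in_jobs, job_indent, job = (key == "jobs"), None, None
            continue
        if not in_jobs:
            continue
        if job_indent is None:
            job_indent = indent  # first key under jobs: fixes the job level
        if indent == job_indent:
            job = key
        elif key == "runs-on" and job is not None:
            entry = [job, line_no, split_labels(value)]
            findings.append(entry)
            if not value:
                pending = entry
    return [(j, n, labels, classify(labels)) for j, n, labels in findings]


if __name__ == "__main__":
    for job, line_no, labels, status in audit_runs_on(SAMPLE_WORKFLOW):
        print(f"{status:8} line {line_no:3} job {job}: {', '.join(labels)}")
```

Jobs reported as dynamic take their label from an expression such as a matrix, so the matrix values need to be checked separately for ubuntu-latest.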

macOS 15 for GitHub-hosted runners in Public Beta

The macOS 15 image for Actions is now available in public beta. To use macOS 15 directly, update runs-on: in your workflow file to macos-15, macos-15-xlarge, or macos-15-large.

jobs:
  build:
    runs-on: macos-15
    steps:
      - uses: actions/checkout@v4
      - name: Build
        run: swift build
      - name: Run tests
        run: swift test

The macOS 15 runner image has different tools and tool versions than macOS 14.

To view the list of installed software for each image, or report issues, head to the runner-images repository.

See more

Following our change to default customers to use Node20, Node16 will reach end of life in the Actions runner on November 12, 2024.

From November 12 onward, we will no longer include Node16 in the Actions runner and customers will no longer be able to use Node16 Actions or operating systems that do not support Node20.

To prevent disruption to your Actions workflows, if you’re an Actions maintainer, update your actions to run on Node20 instead of Node16. If you’re an Actions user, update your workflows with latest versions of the actions, which run on Node20.

Learn more about Actions configuration settings or using versions for Actions. Join the discussion within GitHub Community.

See more

Starting today, existing GitHub Enterprise customers will begin to transition to the enhanced billing platform.

What is the enhanced billing platform?

The enhanced billing platform is a suite of new features designed to help administrators understand and manage GitHub spend for their enterprise. Benefits of the new platform include:

  • Cost allocation – create cost centers to allocate spend to different Azure subscriptions
  • Spend transparency – view usage for organizations, repositories, products, cost centers, and SKUs by hour, day, month, or year
  • Improved control – set budgets to limit spending and configure alerts to stay informed of budget utilization

View of the usage page of the enhanced billing platform

What to expect

Existing enterprises will gain access to the enhanced billing platform on a rolling basis, and all enterprises will have access by March 2025. You will be informed via email as well as through an in-app banner on the billing page in advance of the transition.

Here are some things to know about the transition:
– Once transitioned, a new Billing & Licensing section will appear in the enterprise account menu.
– Spending limits will be migrated and renamed as budgets in the new billing platform. For more details about budgets, visit “Preventing overspending.”
– While the new billing platform will not visually display historical usage, you will be able to download a usage report to get your pre-transition historical usage.

Other important changes

  • Git Large File Storage will transition from prepaid, quota-based data packs to a usage-based metered billing model. If you use Git Large File Storage today, you’ll receive credits for any unused data packs. For more information, visit “About enhanced billing for Git Large File Storage.”
  • Note: some billing-related APIs will no longer work or will work differently, and the relevant API documentation will be updated to reflect this information. In the coming weeks, there will be a separate changelog post that summarizes these changes. For more information about the billing API, visit “REST API endpoints for enterprise billing.”

Learn more

For more information, visit “Using the enhanced billing platform for enterprises” or join the GitHub Community discussion.

See more

Recent improvements to enterprise repository policy, rulesets, and custom properties now ensure a more consistent, intuitive experience, making it easier for you to navigate and accomplish your tasks efficiently.

  • Enterprise repository policy page has been renamed to “Member privileges” to align the page title with the current URL path, API endpoints and the corresponding organization setting.

Screenshot of member privileges

  • Repository rulesets now support enterprise owners as a bypass actor, ensuring your most privileged roles across your enterprise can bypass rulesets.

Screenshot of ruleset bypass with enterprise owners

Screenshot of additional repository property section

We want to hear from you

Questions or suggestions? Join the conversation in the community discussion.

See more

Headings have been added to GitHub Projects’ board layout.

Each column’s title is now a second level heading, and each card’s title is a third level heading. We hope this update helps make navigation via screen reader easier and more intuitive for this experience.

An example project, placed in board layout. Each column of the board has a unique title, and contains multiple cards that communicate different initiatives. Each card also has a distinct title.

This update affects all GitHub plans, and is part of GitHub’s ongoing commitment to accessibility.

Feedback welcome

You can reach out to us in the GitHub Community discussions. Your feedback is invaluable as we continue on our journey to create an inclusive and accessible environment for all.

See more

Now, you can view Prevention metrics alongside Detection and Remediation metrics in an enhanced security overview dashboard. This update is available at both the organization and enterprise levels.

New prevention tab on the security overview dashboard

New to the dashboard, the Prevention insights tab highlights CodeQL pull request alerts and will soon include secret scanning push protection insights. It’s designed to help you shift from merely responding to vulnerabilities to actively preventing them, the ultimate goal in application security. With this dashboard, you and your team can proactively keep vulnerabilities at bay, successfully blocking threats before they ever reach production.

Deep dive into the CodeQL pull request alerts

For a deeper analysis, the new CodeQL pull request alerts report is also available at both the organization and enterprise levels. This report allows you to:

  • Track historical metrics for CodeQL pull request alerts
  • Monitor code as it progresses from feature branches to the default branch
  • Analyze metrics by CodeQL rule, autofix status, and repository

The enhanced dashboard is now generally available on GitHub Enterprise Cloud and will be available in GitHub Enterprise Server 3.16.

Learn more about pull request alerts and join the discussion within the GitHub Community.

See more

You can now join the waitlist for early access to OpenAI o1 for use in GitHub Copilot in Visual Studio Code and GitHub Models. The waitlist is currently available to all Copilot users.

Join the waitlist for access to OpenAI o1 on GitHub.

In Visual Studio Code, you can choose to use o1-preview or o1-mini to power GitHub Copilot Chat in place of the current default model, GPT-4o.

Note: to access this feature, you’ll need to be on VS Code Insiders with the latest pre-release version of the Copilot Chat extension.

Model Picker in Visual Studio Code

In GitHub Models, you can use o1 models both in the playground and via the API. GitHub Models is currently in limited preview and you can sign up for access today.

OpenAI o1 in GitHub Models Playground

Access to these models will roll out progressively while in preview and usage will be rate-limited.

Join the discussion and share feedback with us via Discussions.

See more

GitHub Advanced Security customers using secret scanning can now use the REST API to enable or disable support for non-provider patterns at the enterprise level. This enables you to manage your enterprise settings programmatically.

The following endpoints have been updated:

  • Get code security and analysis features for an enterprise: check if non-provider patterns are enabled for the enterprise
  • Update code security and analysis features for an enterprise: enable or disable non-provider patterns for all new repositories in an enterprise
  • Enable or disable a security feature: enable or disable non-provider patterns for all existing repositories in an enterprise

Non-provider patterns scan for token types from generic providers, like private keys, auth headers, and connection strings.

Learn more about secret scanning and non-provider patterns.

Join the community discussion and share feedback with us in this dedicated community post.

See more