Changelog

Subscribe to all Changelog posts via RSS or follow GitHub Changelog on Twitter to stay updated on everything we ship.


The client_id field is now included in all API responses that describe a GitHub App. We are shifting to use the client ID as the primary identifier for an app, as client IDs are globally unique while application IDs and names are not.

Historically GitHub has used the app_name (aka slug) or the app_id (a database ID) to identify applications in our APIs. However, the app name is not immutable and the app ID is not sufficiently globally unique. We are gradually moving all App-related APIs to support the use of the client_id of an application as their primary identifier instead of the name or database ID – this was first seen in our change to support using the client ID to mint JWTs used for installation tokens.

We are making this change to prepare for upcoming features that allow programmatic management of applications in your enterprise. This additional data will make it easier to find the client ID of an application that you are interested in.

For more information about how to get application information, see our REST API documentation.


Now, secret scanning non-provider patterns are included in the GitHub-recommended security configuration. Non-provider patterns have also been automatically enabled for any repositories with the recommended configuration previously attached.

Secret scanning non-provider patterns are generic detectors which help you uncover secrets outside of patterns tied to specific token issuers, like HTTP authentication headers, connection strings, and private keys.

Learn more

Learn more about how to secure your repositories with secret scanning. Let us know what you think by participating in a GitHub community discussion or signing up for a 60 minute feedback session.


To help you triage and remediate secret leaks more effectively, GitHub secret scanning now deduplicates non-provider patterns (generic patterns) against provider patterns.

Secret scanning non-provider patterns are generic detectors that help you uncover secrets outside of patterns tied to specific token issuers, like HTTP authentication headers, connection strings, and private keys.

Note: Custom patterns are not deduplicated, as removing a custom pattern will also delete those alerts. We recommend adjusting your custom patterns to avoid overlap with any GitHub-defined detectors.
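
To illustrate the deduplication described above, this added example (not GitHub's implementation or patterns) runs provider, generic and custom detectors over a constructed snippet, drops generic alerts that overlap a provider alert, and keeps custom-pattern alerts. The `exmpl_` token format, the detector names and the regexes are hypothetical.

```python
import re
from dataclasses import dataclass

# Illustrative detectors only; none of these are GitHub's patterns.
# kind "provider": tied to one issuer (hypothetical `exmpl_` token format)
# kind "generic":  the non-provider categories named in the text
# kind "custom":   an organization-defined pattern
DETECTORS = [
    ("provider", "example_provider_token", re.compile(r"exmpl_[A-Za-z0-9]{24}")),
    ("generic", "http_auth_header",
     re.compile(r"Authorization:\s*Bearer\s+([^\s'\"]+)")),
    ("generic", "connection_string",
     re.compile(r"\w+://[^\s:/@]+:([^\s@]+)@[\w.\-]+")),
    ("generic", "private_key",
     re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----")),
    ("custom", "org_internal_key", re.compile(r"exmpl_[A-Za-z0-9]+")),
]


@dataclass(frozen=True)
class Alert:
    kind: str
    detector: str
    start: int  # span of the secret within the scanned text
    end: int


def scan(text):
    """Run every detector and return one Alert per match."""
    alerts = []
    for kind, name, rx in DETECTORS:
        for m in rx.finditer(text):
            group = 1 if rx.groups else 0  # capture group isolates the secret
            alerts.append(Alert(kind, name, m.start(group), m.end(group)))
    return alerts


def deduplicate(alerts):
    """Drop generic alerts that overlap a provider alert; keep custom ones."""
    provider = [a for a in alerts if a.kind == "provider"]

    def overlaps(a, b):
        return a.start < b.end and b.start < a.end

    return [a for a in alerts if a.kind != "generic"
            or not any(overlaps(a, p) for p in provider)]


# Constructed sample text; every value below is made up.
SAMPLE = (
    "curl -H 'Authorization: Bearer exmpl_A1b2C3d4E5f6G7h8I9j0K1l2' https://api.example.test\n"
    "DATABASE_URL=postgres://app:s3cr3t-pw@db.example.test:5432/app\n"
    "-----BEGIN RSA PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    for alert in deduplicate(scan(SAMPLE)):
        print(alert)
```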

Learn more

Learn more about how to secure your repositories with secret scanning. Let us know what you think by participating in a GitHub community discussion or signing up for a 60 minute feedback session.


You can now enable non-provider patterns (generic patterns) through security configurations at the organization level.

Non-provider patterns will also be included in the GitHub-recommended security configuration on August 23, 2024. At that time, non-provider patterns will be automatically enabled for any repositories with the recommended configuration attached.

Learn more about how to secure your repositories with secret scanning.

Let us know what you think by participating in a GitHub community discussion or signing up for a 60 minute feedback session.


For Anthropic users, GitHub secret scanning now scans for Anthropic tokens to help secure your public repositories. Anthropic tokens enable users to access Claude through the Anthropic API. GitHub will forward any exposed tokens found in public repositories to Anthropic, who will then revoke the compromised tokens and notify the affected users. Read more information about Anthropic tokens.

GitHub secret scanning protects users by searching repositories for known types of secrets such as tokens and private keys. By identifying and flagging these secrets, our scans help prevent data leaks and fraud.

GitHub Advanced Security customers can also scan for and block Anthropic tokens in their private repositories.


GitHub Actions will be making the following deprecations and breaking changes in our runners and services over the next 6 months.

Exclude hidden files by default in Upload Artifact GitHub Actions
From September 2nd, 2024, we will no longer include hidden files and folders as part of the default upload of the v3 and v4 upload-artifact actions. This reduces the risk that credentials are accidentally uploaded into artifacts. Customers who need to continue to upload these files can use a new option, ‘include-hidden-files’, to continue to do so.

Ubuntu 20 & Ubuntu 22 arm64 Images
On September 3rd, 2024, we are deprecating the Ubuntu 22/20 base images for our arm64 hosted runners, as these are not widely used and customers are better served using the new Arm-owned images. At that time all workflows using the Ubuntu 22 or 20 base image on arm64 will begin to fail. To prevent failures, change the image your runner is using by deleting the runner and recreating a runner with the same name. We recommend using the partner images provided by Arm:

  • Ubuntu 24.04 by Arm Limited
  • Ubuntu 22.04 by Arm Limited

.NET6 deprecation in the runner
In October 2024, at the same time as we move to Node20 on the Actions runner, we will be deprecating .NET6 in the Actions runner and moving to .NET8. This is because .NET6 will reach end of life in November 2024. Any customers who are still using operating systems which are reliant on unsupported binaries will need to upgrade prior to this change. The removal of support for .NET6 means the following operating systems will no longer be supported from this time:
– Debian 10
– macOS 11.0
– macOS 10.15

These are in addition to those already marked as unsupported in our changelog for the removal of Node16.

macOS12 runner image
We are beginning the deprecation process for the macOS 12 runner image, which allows us to balance our fleet capacity ahead of our upcoming macOS 15 launch. This image will be fully retired by December 3rd, 2024. We recommend updating workflows to use `macos-14`, `macos-13`, or `macos-latest`.

Unsupported macOS labels
On December 3rd, 2024, we are deprecating some of our older and less used labels which are used for smaller numbers of workflows. The following runner labels will stop working from that time:

  • macos-11.0
  • macos-12-xl
  • macos-13-xl
  • macos-13-xl-arm64
  • macos-latest-xl
  • macos-latest-xl-arm64
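
As an added example (not GitHub's tooling), the following Python script audits a workflow file for the changes listed above: the retiring macOS labels, the deprecated `macos-12` image, and `upload-artifact` v3/v4 steps that either opt back in to hidden files or name a dot-path without the opt-in. The sample workflow, the finding names and the line-based parsing (which assumes a step's `with:` block follows its `uses:` line) are assumptions made for illustration.

```python
import itertools
import re

# Runner labels the changelog says stop working on December 3rd, 2024.
RETIRED_LABELS = {"macos-11.0", "macos-12-xl", "macos-13-xl",
                  "macos-13-xl-arm64", "macos-latest-xl", "macos-latest-xl-arm64"}
DEPRECATED_IMAGES = {"macos-12"}  # image fully retired by December 3rd, 2024
RUNS_ON = re.compile(r"^\s*runs-on:\s*(.+?)\s*(?:#.*)?$")
UPLOAD = re.compile(r"^\s*(?:-\s*)?uses:\s*actions/upload-artifact@v[34]\b")
OPT_IN = re.compile(r"include-hidden-files:\s*['\"]?true", re.I)
HIDDEN = re.compile(r"(?:^|[\s/'\"])\.[A-Za-z0-9_]", re.M)  # `.env`, `dist/.cache`

def step_body(lines, idx):
    """Text after a step's `uses:` line, up to the first less-indented line."""
    key_indent = lines[idx].index("uses:")
    in_step = lambda l: not l.strip() or len(l) - len(l.lstrip()) >= key_indent
    return "\n".join(itertools.takewhile(in_step, lines[idx + 1:]))

def audit_workflow(text):
    """Return (line_number, finding) pairs for one workflow file's text."""
    findings, lines = [], text.splitlines()
    for no, line in enumerate(lines, 1):
        m = RUNS_ON.match(line)
        if m:  # covers both `runs-on: label` and `runs-on: [a, b]`
            for label in re.findall(r"[\w.\-]+", m.group(1).lower()):
                if label in RETIRED_LABELS:
                    findings.append((no, f"retired-label:{label}"))
                elif label in DEPRECATED_IMAGES:
                    findings.append((no, f"deprecated-image:{label}"))
        elif UPLOAD.match(line):
            body = step_body(lines, no - 1)
            if OPT_IN.search(body):  # hidden files uploaded again: check for credentials
                findings.append((no, "hidden-files-opt-in"))
            elif HIDDEN.search(body):  # dot-path requested without the opt-in
                findings.append((no, "hidden-files-skipped"))
    return findings

# Constructed sample workflow, not taken from a real repository.
SAMPLE = """\
jobs:
  build:
    runs-on: macos-12
    steps:
      - name: Upload build
        uses: actions/upload-artifact@v4
        with:
          path: |
            .build-cache/
  package:
    runs-on: macos-13-xl
    steps:
      - uses: actions/upload-artifact@v3
        with:
          path: .
          include-hidden-files: true
"""

if __name__ == "__main__":
    print(audit_workflow(SAMPLE))
```

A `hidden-files-opt-in` finding marks a step to review for credential files in the uploaded path; a `hidden-files-skipped` finding marks a step whose artifact may lose content under the new default.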

You can now track prevention metrics for CodeQL pull request alerts with the new CodeQL pull request alerts report—available at both the organization and enterprise level. These insights empower you to proactively identify and mitigate security risks before they reach your default branch.

Enterprise-level CodeQL pull request alerts report

With this report, you can historically track metrics for CodeQL pull request alerts as code moves from feature branches to the default branch. Gain insights into:

  • Unresolved and merged alerts: Understand what security vulnerabilities made it to the default branch.
  • Fixes (autofix and manual): Track which alerts were addressed before merging.
  • Dismissed alerts: See which alerts were deemed false positive or risk accepted.

Additionally, analyze metrics by CodeQL rule, autofix status, and repository.

Historical data is available starting from May 1, 2024.

To access these reports, click your profile photo in the top-right corner of GitHub.com and select the organization or enterprise you want to view. For organizations, go to the Security tab and find CodeQL pull request alerts in the sidebar. For enterprises, click Code Security in the sidebar, then select CodeQL pull request alerts.

These reports are now generally available on GitHub Enterprise Cloud and will be available in GitHub Enterprise Server 3.15.

Learn more about security overview and join the discussion within the GitHub Community.


You can now exclude non-Git files from being accessed by Copilot, in addition to Git files. This update gives you greater control over the content Copilot can access, ensuring that it will not access files that an organization owner has marked for exclusion, whether the files are part of a Git repository or not.

How to exclude non-Git files

The wildcard scope has expanded to include both files within and outside Git repositories, supporting the exclusion of non-Git files.

Previously

Wildcard rules applied exclusively to files within the Git repository. For example:

"*":
  - /test1 # => Blocks from the root of all git repositories: `/test1`

Now

Wildcard rules apply to files within the Git repository and the filesystem root. For example:

"*":
  - /test1 # => Blocks from the root of all git repositories AND the filesystem root: `/test1`, `/test1`

Note: These changes to our Content Exclusion beta apply to the latest versions of both the VS Code and JetBrains Copilot extensions, covering the code completions and chat features in each.


GitHub secret scanning now detects and alerts you on secrets found in GitHub issues, wikis, discussions, and pull requests.

Secrets, like API keys, passwords, and tokens, can hide in many places. Throughout 2024, we’ve discovered over 100k unique secrets hiding in mediums outside of code. If these leaks aren’t managed correctly, each one of them could pose a substantial risk.

To help protect you from leaked secrets – anywhere within your GitHub perimeter – GitHub provides visibility across all major surfaces. We scan these surfaces for over 200 token formats and work with relevant partners to help protect you from publicly leaked secrets. GitHub also supports generic patterns like RSA private keys and Copilot-detected passwords.

Learn more about how to secure your repositories with secret scanning.

Let us know what you think by participating in a GitHub community discussion or signing up for a 60 minute feedback session.


You can now retrieve the code security configuration applied to a specific repository via the repos endpoint in the REST API. Previously, you could only retrieve all the repositories associated with a configuration rather than the inverse.

Code security configurations help you manage and enforce the enablement of your security features like Dependabot, code scanning, and secret scanning.

To learn more about retrieving code security configurations with our repository REST API endpoint, check out our docs here.


A screenshot showing the adjusted UI elements for the high and dark color contrast themes

The light and dark high contrast themes have been updated to improve readability.

Now:

  • Both themes aim to meet a minimum contrast ratio of 7:1 for all elements, and the secondary or “muted” text and icons appear slightly lighter or darker than the default text, enhancing the visual hierarchy throughout GitHub’s interface.
  • In the light high contrast theme, the global navigation bar appears inset with a darker background color.
  • In the dark high contrast theme, the foreground text over solid backgrounds is now white, and higher contrast borders have been added to all interactive elements.


In this latest release, you can now ask Copilot Chat in GitHub.com questions about failed Actions jobs. With this feature, you can now speed up your pull request review cycle by asking Copilot about build failures to quickly get them resolved. In addition, we’ve added a quality improvement to how Copilot Chat in GitHub.com handles complex questions. This internal improvement will help you get the most out of your Copilot Chat conversations. Both of these features are in beta.

Copilot Chat in GitHub.com now has knowledge of failed Actions jobs

You can now click into a failed job on a pull request and ask Copilot what went wrong.

Open an existing PR and try it yourself:
Tell me why this job failed
Suggest a fix for this error

To learn more, check out our documentation.

Copilot Chat in GitHub.com can now answer complex questions

Copilot Chat can now access context from multiple primitives across pull requests, commits, discussions, issues, code, repos, and more to provide informed responses to more complex questions.

See it live by asking:
How do I get started in this project?
What are all of the open PRs assigned to me?
Who can I talk to about this project?
What changed on this PR?

We’re excited to bring these more advanced Copilot capabilities to customers in beta and would love your feedback!

How to enable these beta features for your enterprise

An enterprise owner can enable beta features using the Copilot policy “Opt in to preview features.”


For more information about policies for Copilot Enterprise, see the documentation.

Join the discussion within the GitHub Community.


We are streamlining the deployment of GitHub’s security products at scale with code security configurations. This functionality simplifies the rollout of GitHub security products by defining collections of security settings and enabling you to apply those settings to groups of repositories. Configurations help you maintain security settings for important features like code scanning, secret scanning, and Dependabot.

As of October 15th, 2024, you will no longer be able to enable or disable GitHub security features for repositories from the organization-level security coverage view.

Learn more about code security configurations and send us your feedback.


Starting in April 2024, GitHub Advanced Security customers using secret scanning have been able to specify which teams or roles have the ability to bypass push protection using a delegated bypass list.

Administrators can now add the maintainer role to this list.


Today, we’ve announced the general availability of Copilot Autofix for CodeQL alerts in GitHub code scanning! Powered by GitHub Copilot, this feature brings automatic fixes for vulnerabilities found by CodeQL into the developer workflow.

Through a deep integration in GitHub pull requests, autofixes help developers to fix vulnerabilities quickly and early in the development process, thereby preventing new vulnerabilities from entering your codebase. Data from our beta programme shows that vulnerabilities with a fix suggestion are fixed 3x faster across all vulnerability types, and even faster for complicated vulnerability types like cross-site scripting (7x faster) and SQL injection (12x faster). For security debt that already exists in your codebases, Copilot Autofix can help you with on-demand autofixes for historical alerts. Copilot Autofix for CodeQL code scanning was previously called “code scanning autofix”, and is now generally available for all GitHub Advanced Security customers on GitHub.com.

As developers start using autofixes, security teams can see an overview of how their organisation adopts autofixes generated by Copilot on their security overview dashboard. This includes detailed information about remediation rates.

For more information, see: About Copilot Autofix for CodeQL code scanning. If you have feedback for Copilot Autofix for code scanning, please join the discussion here.

Example of Copilot Autofix operating on a CodeQL alert in a pull request


Push protection blocks you from pushing secrets to a repository and generates an alert whenever you bypass the block.

Push protection is now supported for the following REST API endpoints:
* Create a blob
* Create or update file contents

If the content of a PUT request to these endpoints includes a secret, the API will respond with a 409 error and provide a link for bypassing push protection, along with a placeholder_id.

There is also a new API endpoint to bypass push protection programmatically, Create a push protection bypass. You or your application can use the placeholder_id from your push protection block in your call to this endpoint.

You need to be the individual or application that initially got blocked to be able to bypass the block successfully.


Secret scanning is now performing a backfill to detect historically existing secrets in GitHub wikis. For repositories with secret scanning enabled, you may notice newly created alerts for these exposed secrets.

Learn how to secure your repositories with secret scanning or sign up for a 60 minute feedback session on secret scanning and be compensated for your time.


Today, we are excited to open our waitlist for all GitHub Copilot users to start using Copilot Extensions!

Join the Copilot Extensions waitlist.

With extensions, you can extend the capabilities of GitHub Copilot Chat and enhance the experience to perform a wide range of actions across third-party tools, services, and data. Create feature flags, check log errors, access API documentation, and even deploy your application to the cloud, all through natural language.

Copilot Extensions are live on the GitHub Marketplace, with extensions from Octopus Deploy, Sentry, New Relic, and many more.

Questions or suggestions? Join the conversation in the community discussion.


New Enhanced Repo Insights Views

We’re thrilled to introduce improvements to Repo Insights! With this update, you’ll find significant enhancements to two of our repository insights views—Contributors and Code Frequency. Both now utilize an SVG-based solution, offering improved focus navigation for precise, point-by-point interaction. You can also hide a series by interacting with the chart legend and view or download the data in both table format and as PNGs. Let’s dive into the details!

Contributors

  • Date Range Filter: While the click-and-drag date range selection was a handy feature, it was also a hidden feature. The new date range filter is always visible and fully navigable by keyboard, making it more accessible and easier to use.
  • Clear Date Range Display: The current date range is now explicitly listed under the heading, giving you a clear and immediate understanding of the data timeframe.

  • Responsive Contributor Cards: Previously locked to a two-column view, contributor cards are now more responsive on small screens, seamlessly wrapping to a single-column layout for a better viewing experience.

Code Frequency

  • Enhanced Axes Differentiation: The two different axes are now distinguished not just by color but also by line style, making it easier to interpret the data at a glance.
  • Detailed Tooltips: Data points are now navigable and display more details in a tooltip. Previously, you could only visually reference data against the axes. Now, you get more information directly from the chart itself.

Explore the new features and let us know what you think! Join the discussion within the GitHub Community.

To revert this update, click on your profile picture in the top right corner of the page, go to the feature preview menu, select “Enhanced Repo Insights Views” and click disable. If you choose to turn this feature off – please let us know why using the link listed above!

 


We’re excited to share that usage metrics for GitHub Organization Teams are now available on the public beta of the GitHub Copilot Metrics API!

What metrics are available for GitHub Organization Teams?

  • Organization Team aggregates are available for teams with five or more Copilot license holders.
  • Teams must belong to the GitHub Organization which provisioned team members’ licenses.
  • The beta of the GitHub Copilot Metrics API is focused on serving metrics for Copilot Chat and code completions that take place in the IDE.
  • Code completion metrics include: Lines of Code Suggested, Lines of Code Accepted, Number of Suggestions, Number of Acceptances, and Active Users, with slices on language and IDE.
  • Copilot Chat metrics include: Number of Chats, Chat Suggestions Accepted, and Active Users. The endpoint does not currently feature slices on language or IDE for Chat metrics.

Documentation and Resources

See the following resources for help getting started:
– API Documentation: Explore the detailed API documentation, including metrics definitions here.
– Learning Pathway: You can find an extended article on measuring the impact of GitHub Copilot here.

Participate in the Public Beta!

Your feedback during this beta phase is invaluable to us. We encourage you to share your experiences, which will be instrumental in refining and enhancing the API as we look forward to the GA release.

Join the discussion within GitHub Community.
