Changelog


With a subscription to Copilot Individual or Copilot Business, you can now access Copilot in GitHub.com, allowing you to:

  • Discover codebases on GitHub effortlessly using powerful natural language code search using Copilot Chat.
  • Streamline development processes by receiving suggestions to resolve build failures and summarizing changes in pull requests.
  • Quickly get up to speed with the help of Copilot through summaries and key takeaways from discussions, issues, pull requests and more.

These features are also now available in GitHub Mobile for all Copilot users.

If you’re enrolled into our recently announced o1 model limited beta, you can experiment with o1-preview and o1-mini directly in GitHub.com. To gain access to o1, please visit the waitlist.

Finally, you can now open Copilot Chat by clicking on the floating Copilot icon in the bottom left corner of the GitHub.com interface.

Join the discussion and let us know what you think on the GitHub Community.

GitHub Enterprise Cloud’s open support for the System for Cross-domain Identity Management (SCIM) specification is now generally available for Enterprise Managed Users (EMUs). This allows administrators to mix and match their preferred choices of SAML and SCIM identity systems, providing the flexibility required to meet access management needs.

This release also includes significant improvements for security and auditing:
– A new reduced personal access token (PAT) scope, scim:enterprise, now lets you grant a least privilege, enterprise-level permission set just for read and write access to GitHub’s EMU SCIM API. Use of the admin:enterprise PAT scope is no longer required or recommended.
– New audit log entries exist for SCIM events to enable debugging of any provisioning failures with SCIM APIs.

Learn more about lifecycle management of Enterprise Managed Users with the SCIM API.

We are excited to introduce the CI/CD Admin role, a pre-defined organization role designed to streamline the management of settings and policies for GitHub Actions.

In March 2024, GitHub announced fine-grained permissions for Actions, which organizations could apply to custom roles. However, organizations are limited to 10 custom roles, and many customers prefer not to use these slots for an all-encompassing CI/CD role that requires ongoing updates as new permissions are added.

With the new CI/CD Admin role, organization owners and teams can now delegate comprehensive CI/CD management to individuals without the need to maintain a custom role. This pre-defined role, maintained by GitHub, includes the following permissions:

  • Actions general settings
  • Organization runners and runner groups
  • Actions secrets
  • Actions variables
  • Network configuration
  • Actions usage metrics

For more details about pre-defined organization roles and the fine-grained permissions included in the CI/CD Admin role, please refer to our documentation.

CodeQL version 2.19.0 has been released and has now been rolled out to code scanning users on GitHub.com. CodeQL is the static analysis engine that powers GitHub code scanning.

Important changes by version include:

  • CodeQL 2.18.2
    • Support for scanning Java codebases without needing a build is generally available.
    • The Python py/cookie-injection query, which finds instances of cookies being constructed from user input, is now part of the main query pack.
    • One new query for Ruby rb/weak-sensitive-data-hashing, to detect cases where sensitive data is hashed using a weak cryptographic hashing algorithm.
  • CodeQL 2.18.3
    • New C# models for local sources from System.IO.Path.GetTempPath and System.Environment.GetFolderPath.
  • CodeQL 2.18.4
    • Support for scanning C# codebases without needing a build is generally available.
    • Support for Go 1.23.
  • CodeQL 2.19.0
    • Support for TypeScript 5.6.
    • One new query for JavaScript js/actions/actions-artifact-leak to detect GitHub Actions artifacts that may leak the GITHUB_TOKEN token.
    • A 13.7% evaluator speed improvement over CodeQL 2.17.0 release.

For a full list of changes, please refer to the complete changelog for versions 2.18.2, 2.18.3, 2.18.4 and 2.19.0.

All new functionality from 2.18.Z releases will be included in GHES 3.15, while functionality from 2.19.0 will be included in GHES 3.16. If you use GHES 3.14 or older, you can upgrade your CodeQL version.

Ubuntu 24 for GitHub-hosted runners is now GA

The Ubuntu 24.04 image for Actions is now generally available. To use Ubuntu 24 directly on your GitHub-hosted runners, update runs-on: in your workflow file to ubuntu-24.04.

jobs:
  build:
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-dotnet@v4
      - name: Build
        run: dotnet build
      - name: Run tests
        run: dotnet test

The Ubuntu 24.04 runner image has different tools and tool versions than Ubuntu 22.04.

ubuntu-latest migration

The ubuntu-latest label will migrate to Ubuntu 24 over the course of the next month, beginning September 23rd and finishing on October 30th. During migration, you can determine if your job has migrated by viewing the “Runner Image” information in the “Set up job” step of your Actions logs.

macOS 15 for GitHub-hosted runners in Public Beta

The macOS 15 image for Actions is now available in public beta. To use macOS 15 directly, update runs-on: in your workflow file to macos-15, macos-15-xlarge, or macos-15-large.

jobs:
  build:
    runs-on: macos-15
    steps:
      - uses: actions/checkout@v4
      - name: Build
        run: swift build
      - name: Run tests
        run: swift test

The macOS 15 runner image has different tools and tool versions than macOS 14.

To view the list of installed software for each image, or report issues, head to the runner-images repository.

Following our change to default customers to use Node20, Node16 will reach end of life in the Actions runner on the 15th of October 2024.

From the 15th of October, we will no longer include Node16 in the Actions runner and customers will no longer be able to use Node16 Actions or operating systems that do not support Node20.

To prevent disruption to your Actions workflows, if you’re an Actions maintainer, update your actions to run on Node20 instead of Node16. If you’re an Actions user, update your workflows with the latest versions of the actions, which run on Node20.

Learn more about Actions configuration settings or using versions for Actions. Join the discussion within GitHub Community.

Starting today, existing GitHub Enterprise customers will begin to transition to the enhanced billing platform.

What is the enhanced billing platform?

The enhanced billing platform is a suite of new features designed to help administrators understand and manage GitHub spend for their enterprise. Benefits of the new platform include:

  • Cost allocation – create cost centers to allocate spend to different Azure subscriptions
  • Spend transparency – view usage for organizations, repositories, products, cost centers, and SKUs by hour, day, month, or year
  • Improved control – set budgets to limit spending and configure alerts to stay informed of budget utilization

View of the usage page of the enhanced billing platform

What to expect

Existing enterprises will gain access to the enhanced billing platform on a rolling basis, and all enterprises will have access by March 2025. You will be informed via email as well as through an in-app banner on the billing page in advance of the transition.

Here are some things to know about the transition:
– Once transitioned, a new Billing & Licensing section will appear in the enterprise account menu.
– Spending limits will be migrated and renamed as budgets in the new billing platform. For more details about budgets, visit “Preventing overspending.”
– While the new billing platform will not visually display historical usage, you will be able to download a usage report to get your pre-transition historical usage.

Other important changes

  • Git Large File Storage will transition from prepaid, quota-based data packs to a usage-based metered billing model. If you use Git Large File Storage today, you’ll receive credits for any unused data packs. For more information, visit “About enhanced billing for Git Large File Storage.”
  • Note: some billing-related APIs will no longer work or will work differently, and the relevant API documentation will be updated to reflect this information. In the coming weeks, there will be a separate changelog post that summarizes these changes. For more information about the billing API, visit “REST API endpoints for enterprise billing.”

Learn more

For more information, visit “Using the enhanced billing platform for enterprises” or join the GitHub Community discussion.

Recent improvements to enterprise repository policy, rulesets, and custom properties now ensure a more consistent, intuitive experience, making it easier for you to navigate and accomplish your tasks efficiently.

  • Enterprise repository policy page has been renamed to “Member privileges” to align the page title with the current URL path, API endpoints and the corresponding organization setting.

Screenshot of member privileges

  • Repository rulesets now support enterprise owners as a bypass actor, ensuring your most privileged roles across your enterprise can bypass rulesets.

Screenshot of ruleset bypass with enterprise owners

Screenshot of additional repository property section

We want to hear from you

Questions or suggestions? Join the conversation in the community discussion.

Headings have been added to GitHub Projects’ board layout.

Each column’s title is now a second level heading, and each card’s title is a third level heading. We hope this update helps make navigation via screen reader easier and more intuitive for this experience.

An example project, placed in board layout. Each column of the board has a unique title, and contains multiple cards that communicate different initiatives. Each card also has a distinct title.

This update affects all GitHub plans, and is part of GitHub’s ongoing commitment to accessibility.

Feedback welcome

You can reach out to us in the GitHub Community discussions. Your feedback is invaluable as we continue on our journey to create an inclusive and accessible environment for all.

You can now view Prevention metrics alongside Detection and Remediation metrics in an enhanced security overview dashboard. This update is available at both the organization and enterprise levels.

New prevention tab on the security overview dashboard

New to the dashboard, the Prevention insights tab highlights CodeQL pull requests alerts and will soon include secret scanning push protection insights. It’s designed to help you shift from merely responding to vulnerabilities to actively preventing them, the ultimate goal in application security. With this dashboard, you and your team can proactively keep vulnerabilities at bay, successfully blocking threats before they ever reach production.

Deep dive into the CodeQL pull request alerts

For a deeper analysis, the new CodeQL pull request alerts report is also available at both the organization and enterprise levels. This report allows you to:

  • Track historical metrics for CodeQL pull request alerts
  • Monitor code as it progresses from feature branches to the default branch
  • Analyze metrics by CodeQL rule, autofix status, and repository

The enhanced dashboard is now generally available on GitHub Enterprise Cloud and will be available in GitHub Enterprise Server 3.16.

Learn more about pull request alerts and join the discussion within the GitHub Community.

You can now join the waitlist for early access to OpenAI o1 for use in GitHub Copilot in Visual Studio Code and GitHub Models. The waitlist is currently available to all Copilot users.

Join the waitlist for access to OpenAI o1 on GitHub.

In Visual Studio Code, you can choose to use o1-preview or o1-mini to power GitHub Copilot Chat in place of the current default model, GPT-4o.

Note: to access this feature, you’ll need to be on VS Code Insiders with the latest pre-release version of the Copilot Chat extension.

Model Picker in Visual Studio Code

In GitHub Models, you can use o1 models both in the playground and via the API. GitHub Models is currently in limited preview and you can sign up for access today.

OpenAI o1 in GitHub Models Playground

Access to these models will roll out progressively while in preview and usage will be rate-limited.

Join the discussion and share feedback with us via Discussions.

GitHub Advanced Security customers using secret scanning can now use the REST API to enable or disable support for non-provider patterns at the enterprise level. This enables you to manage your enterprise settings programmatically.

The following endpoints have been updated:
– Get code security and analysis features for an enterprise: check if non-provider patterns are enabled for the enterprise
– Update code security and analysis features for an enterprise: enable or disable non-provider patterns for all new repositories in an enterprise
– Enable or disable a security feature: enable or disable non-provider patterns for all existing repositories in an enterprise

Non-provider patterns scan for token types from generic providers, like private keys, auth headers, and connection strings.

Learn more about secret scanning and non-provider patterns.

Join the community discussion and share feedback with us in this dedicated community post.

To help you triage and remediate secret leaks more effectively, GitHub secret scanning now indicates if a secret detected in your repository has also leaked publicly with a public leak label on the alert. The alert also indicates if the secret was exposed in other repositories across your organization or enterprise with a multi-repo label.

These labels provide additional understanding into the distribution of an exposed secret, while also making it easier to assess an alert’s risk and urgency. For example, a secret which has a known associated exposure in a public location has a higher likelihood of exploitation. Detection of public leaks is only currently supported for provider-based patterns.

The multi-repo label makes it easier to de-duplicate alerts and is supported for all secret types, including custom patterns. Both indicators apply only for newly created alerts.

In the future, GitHub will surface locations of the known public leak, as well as repository names with duplicate alerts. This metadata will also be surfaced via the REST API and webhooks.

Learn more

Learn more about how to secure your repositories with secret scanning. Let us know what you think by participating in a GitHub community discussion or signing up for a 60 minute feedback session.

A new version of the commit details page is now available in public beta!

This new page, which is enabled by default, lets you quickly understand and navigate the changes in a commit with improvements to filtering, commenting, and keyboard navigation.

Screen shot of the new commit details page that shows the metadata about the commit, a file tree showing the 3 files changed by the commit, diff snippets for each of the changed files, and a floating comment

What’s new 🎉

Here are a few of the noteworthy changes:

  • Floating comments: Code comments float over the diff when selected. To select, click on the commenter’s avatar to the right of the line.
  • Comment counts: To help you identify files with comments, the number of comments for a file now appears in the file tree.
  • Keyboard navigation within diffs: You can now navigate around changed lines in the diff using the up and down keys on your keyboard. A new context menu also makes it easier to comment, copy, and select.
  • Quick view switching: Switching between unified and split views no longer reloads the page.
  • Filter by file extension: Easily filter changed files by file extension in the diff to see the content most relevant to you.
  • Filtered out diffs hidden: When filtering the file tree, diffs are filtered as well, allowing you to reduce distraction and see the files you care about most.

Next steps 📣

To give feedback, ask questions, or report a bug join us in the feedback discussion.

To opt out of the preview, go to the Feature Preview dialog on your profile, select New Commit Details Page, and click Disable.

To learn more about viewing commits, see About commits.

When reviewing code security configurations, you can now more easily filter repositories with new filter options.

The new filters allow you to sort repositories based on the status of specific features or GHAS itself:

  • advanced-security:enabled
  • dependabot-alerts:enabled
  • dependabot-security-updates:enabled
  • code-scanning-alerts:enabled
  • code-scanning-default-setup:enabled
  • code-scanning-pull-request-alerts:enabled
  • secret-scanning-alerts:enabled
  • secret-scanning-push-protection:enabled

Note that :disabled also works for each of the filters above to achieve the inverse.

Additionally, you can filter based on whether or not a repository is eligible for code scanning default setup:
– code-scanning-default-setup:eligible
– code-scanning-default-setup:not-eligible

These filters are available for organizations with GitHub Advanced Security (GHAS) enabled, and are only available in the UI at this time.

Learn more about code security configurations and send us your feedback.

Now you can remediate existing security issues in your public repositories faster with Copilot Autofix for CodeQL alerts. Following our general availability release for all Advanced Security customers, Copilot Autofix for CodeQL alerts is now generally available (GA) for all public repositories, for free.

Powered by GitHub Copilot, this feature provides automatic fixes for vulnerabilities found by CodeQL, both on pull requests and for historical alerts that already exist in a codebase.

Importantly, you stay in full control of your codebase: Copilot Autofix will try and suggest fixes for CodeQL alerts in pull requests, but it’s ultimately up to you to decide whether you wish to accept Copilot’s suggestion wholly, partially, or not at all. The same applies to historical alerts in a codebase: you can request an autofix from Copilot, then review it, and decide whether you want to open a PR with the fix suggestion or commit straight to the affected branch (or neither).

Example of Copilot Autofix generation on the alert page

Copilot Autofix is available for all public repositories that use code scanning CodeQL, and is enabled by default for alerts on PRs. It does not generate additional notifications. If you would like to enable Copilot Autofix on your organization’s private repositories, please have a look at this blog post where we announce Autofix for GitHub Advanced Security.

For more information, see: About Copilot Autofix for CodeQL code scanning. If you have feedback for Copilot Autofix for code scanning, please join the discussion here.

GitHub Advanced Security customers that have enabled delegated bypass rules for push protection can now manage and review their bypass requests at the organization level. The list is located within the Security tab of your organization.

To view and manage requests from this list, you must either be an organization owner, security manager, or have the fine-grained permission to review and manage push protection bypass requests within your organization.

Learn more about secret scanning or delegated bypass. If you have feedback, we would love for you to join the discussion within GitHub Community.

You can now easily track your GitHub contributions right from your Android home screen with the new Contribution Widget for GitHub Mobile.

Add the widget by either long-pressing your home screen or long-pressing the GitHub app icon and selecting the widget option. Whether you’re on the move or just curious about your progress, the Contribution Widget makes it easier than ever to track your contributions.

This widget will be available on the Android GitHub Mobile Beta on September 17th, 2024. Join the beta for early access. The widget will be available to all users September 27th, 2024.

Download or update GitHub Mobile today from the Apple App Store or Google Play Store to get started.


Learn more about GitHub Mobile and share your feedback to help us improve.

GitHub Copilot Extensions are now available in public beta 🚀 to all GitHub Copilot users and open for any developer or organization to create extensions. Alongside, we’re introducing a comprehensive Copilot Extensions Toolkit, designed to equip developers by centralizing the information they need to build quality extensions.

💡 What are Copilot Extensions and how to use them

Copilot Extensions integrate with your favorite dev tools directly into Copilot Chat across Visual Studio, VS Code, and GitHub.com (with support for JetBrains IDE coming soon!). Interact with databases, testing frameworks, deployment tools, and more — all without leaving your flow. For example:
– Docker’s extension can help you generate the right Docker assets for your project
– New Relic’s extension can help instrument your system and onboard with New Relic from within your editor

Docker extension being invoked in chat

Additionally, enterprises and organizations have the ability to build private extensions. Copilot can interact with context from your internal developer tooling, execute workflows, and adhere to your organization’s best practices.

🏁 Getting Started

To use extensions
– If you have access to Copilot through a Copilot Business or Copilot Enterprise subscription, an organization or enterprise owner needs to enable the Copilot Extensions policy for your organization or enterprise.
– Visit the GitHub Marketplace to install extensions.
– Get started with our documentation and start using extensions in Copilot Chat in GitHub.com or in the VS Code and Visual Studio editors.

To build extensions
– Access our documentation and Copilot Extensions Toolkit for tutorials and tools
– Develop your extension, and decide whether you want to keep it private to your organization or submit it to the GitHub Marketplace.
– VS Code extension developers can also add Copilot functionality to their existing VS Code extensions. Learn more here.

Share your experiences to help us improve the platform!
– Join the discussion within the GitHub Community.
– To share feedback on specific extensions, let us know in our Copilot Extensions feedback hub.
– If you’re building extensions, fill out the Extension Developer Survey for detailed feedback and feature requests.

Over the next six months, we will be making the following changes and deprecations to the GitHub Actions service:

Reduction to Webhook rate limit in GitHub Actions
Starting October 1st, 2024 we will be adding a new rate limit of 1,250 requests per 10 seconds per repository for incoming Webhook events for GitHub Actions. After monitoring usage over the past several weeks, we believe that no customers will be impacted by this change, but if you believe you will need to exceed this in the future, please reach out to GitHub support.

Cache v1-v2 deprecation
Starting February 1st, 2025, Actions’ cache storage will move to a new architecture, resulting in the deprecation of v1-v2 of actions/cache. Attempting to use a version of the action after the announced deprecation date will result in a workflow failure. Please note: if you are pinned to a specific version or SHA of the action, your workflows will also fail after February 1st. We strongly encourage you to update your workflows to begin using v3 or v4 of actions/cache as soon as possible.

This deprecation will not impact any existing versions of GitHub Enterprise Server that are currently in use. Cached entries within their retention period will remain accessible from the UI or REST API regardless of the version used to upload. This announcement will also be added to the actions/cache repository.
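
An added example, not part of the original changelog or of GitHub's own tooling: a small Python audit that scans workflow text for actions/cache references, flags v1-v2 tags as deprecated, and marks commit-SHA pins for manual review, since a SHA does not reveal which release it belongs to. The sample workflow, the SHA in it, and the function names are constructed for illustration.

```python
import re

# Matches a `uses:` reference to actions/cache (optionally a sub-action such
# as actions/cache/restore) and captures the ref that follows "@".
USES_RE = re.compile(
    r"""^\s*(?:-\s*)?uses:\s*['"]?actions/cache(?:/[\w-]+)?@([^\s'"#]+)""",
    re.IGNORECASE,
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
TAG_RE = re.compile(r"^v?(\d+)(?:\.\d+)*$")


def classify_ref(ref):
    """Return 'deprecated', 'ok' or 'review' for an actions/cache ref."""
    if SHA_RE.match(ref.lower()):
        # Pinned SHAs of v1-v2 fail after the deprecation date as well, but
        # the release behind a SHA cannot be determined offline.
        return "review"
    tag = TAG_RE.match(ref)
    if not tag:
        return "review"  # branch name or unusual tag
    return "deprecated" if int(tag.group(1)) <= 2 else "ok"


def audit_workflow(text, name="<workflow>"):
    """Return (file, line number, ref, status) for every ref that is not 'ok'."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = USES_RE.match(line)  # commented-out lines do not match
        if match:
            status = classify_ref(match.group(1))
            if status != "ok":
                findings.append((name, lineno, match.group(1), status))
    return findings


# Constructed sample workflow; the 40-character SHA is a placeholder.
SAMPLE = """\
name: ci
on: push
jobs:
  build:
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@v4
      - uses: actions/cache@v2
        with:
          path: ~/.npm
          key: npm-${{ hashFiles('package-lock.json') }}
      - name: Restore
        uses: actions/cache/restore@v4
      - uses: "actions/cache@v1.2.0"  # old pin
      - uses: actions/cache@0123456789abcdef0123456789abcdef01234567
"""

if __name__ == "__main__":
    for file, lineno, ref, status in audit_workflow(SAMPLE, "ci.yml"):
        print(f"{file}:{lineno}: actions/cache@{ref} -> {status}")
```

To audit a repository, pass the contents of each file under .github/workflows to audit_workflow and resolve every "review" finding against the actions/cache release list.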
