Changelog

Subscribe to all Changelog posts via RSS or follow GitHub Changelog on Twitter to stay updated on everything we ship.

~ cd github-changelog
~/github-changelog|main git log main
showing all changes successfully

Private profiles are now generally available

Private profiles (now generally available) enables users to turn their GitHub profile "private", which gives users control over features that share user data across the GitHub platform. When a profile
is private, the following content is hidden from the profile page:

  • Achievements and highlights
  • Activity overview and activity feed
  • Contribution graph
  • Follower and following counts
  • Follow and Sponsor buttons
  • Organization memberships
  • Stars, projects, packages, and sponsoring tabs

To enable this setting, visit https://github.com/settings/profile.
image

Learn more about private profiles. As we continue to release new privacy control features, please share your feedback.

See more

Enterprise members CSV Report Now Available in Public Beta

GitHub Enterprise Cloud enterprise owners may now download an enterprise members CSV report, which is now available as a public beta. This new CSV report provides an extensive list of members associated with their Enterprise Cloud environment, including members synced from a GitHub Enterprise Server instance. To download the report, navigate to the enterprise's people page: https://github.com/enterprises/<enterprise>/people.

To learn more about this report, read our exporting membership information for your enterprise documentation.

See more

Dependabot alerts: page refresh after PR generation, suggest improvements to an advisory, and more!

We’ve been responding to your feedback – here’s a recap of some changes recently made to Dependabot alerts.

  • Dependabot Alerts details pages now auto-magically refresh after PR generation attempts are completed, rather than spinning forever
  • Alerts are more accurately mapped to Dependabot pull requests
  • Labels in the Dependabot Alerts row page now act as filters
  • You can now suggest improvements to an advisory directly from the alert details page (shown below).

Suggest improvements from a Dependabot alert

Let us know of other improvements you’d like to see in our GitHub community discussion page.

See more

Secret scanning alerts now have a timeline and users can add a comment when resolving

GitHub Advanced Security customers can now view a timeline of actions taken on a secret scanning alert, including when a contributor bypassed the push protection on a secret. Users can also now add an optional comment when closing an alert via the UI or the API.

secret-scanning-timeline-comment-on-close

For more information:

See more

More incremental improvements to community contributions

In February 2022, we launched a new feature called community contributions to security advisories. We've continued to iterate on this feature, and recently released more improvements:

  • You're now prompted to add a reason for the change, so your contribution can be reviewed more quickly.
  • You can now submit a contributions without reference links getting reordered in the diff.
  • You can now click through to relevant docs from the advisories page.
  • You can overall enjoy a cleaner UX experience through a handful of other small fixes.

Further reading:

See more

Organization-level APIs for Codespaces

We recently released a set of organization-level APIs (in beta) to enable administrators to programmatically manage their organization-owned codespaces at scale. Today we're releasing support for additional organization-level APIs based on the feedback that you shared with us. With this release, we've added support for the following REST API commands:

  • Manage organization-level codespaces secrets
    • List organization secrets
    • Get an organization public key
    • Get an organization secret
    • Create or update an organization secret
    • Delete an organization secret
    • List selected repositories for an organization secret
    • Set selected repositories for an organization secret
    • Add selected repository to an organization secret
    • Remove selected repository from an organization secret
  • Manage access control for organization-owned codespaces
    • Enable Codespaces for all members of the organization
    • Enable Codespaces for select members of the organization
    • Enable Codespaces for all members and outside collaborators of the organization
    • Disable Codespaces for the organization

Organization-level APIs are in beta for GitHub Team and Enterprise Cloud plans. Here are links to our documentation to get started:

If you have any feedback to help improve this experience, be sure to post it on our discussions forum.

See more

GitHub Actions: Self-hosted runners now support Windows ARM hardware

Actions runner support for Windows ARM hardware, is now in public beta . This provides teams with the capability to run self-hosted Windows workflows in a Windows ARM64 runtime.

There are some limitations of the current beta product to be aware of:

  • Windows ARM runners are currently using nodejs's "unofficial" win-arm64 builds
  • Some first party actions will not work until a win-arm64 version of that language is released:
    • setup-node
    • Some first party actions don't support the arm64 architecture:
    • setup-python -issue tracking it here

For additional information on how to set up a self-hosted Windows ARM64 runner, please refer to our documentation. If you have any feedback or questions for Actions self-hosted Windows ARM support, you can submit an issue in the runner repository.

See more

Enterprise fork policies for organizations

Previously, we announced the ability for enterprise owners to limit where private and internal repository forks can be created. We heard from some customers that they need a more granular control over fork permissions for each organization within the enterprise.

Now, we've added the ability for enterprise organization admins to set fork policy at the organization level, further restricting enterprise policy. Forking can be limited to organizations within the enterprise, within the same organization, user accounts and organization within the enterprise, user accounts, or everywhere. Fork policies cascade from the enterprise policy to organization policy to repository policy. Enterprise policies dictate the policy options available for organizations, i.e. an organization admin can only set a more restrictive forking policy than the enterprise allows.

Screenshot of organization fork policy settings

See more

The new GitHub Issues – September 27th update

Today’s Changelog brings numerical field sums, Team linked projects, project migration improvements, and URL pasting preferences!

➕ Display sum of numeric fields

Addressing a top user request, you can now display the sum of a numeric field on the group header in both the table and board layouts.

Select one or multiple numeric fields you would like to display the total for from the view configuration menu to assist with your planning! 📝

Ever wanted to curate the list of projects important to your team? Wouldn’t it be great to ensure your team has access to the projects they need to use all the time? With our latest ship, now you can link projects for quick access on your team pages and we’ll also automatically grant your team read access. Note, you currently need to be a maintainer for the team and a project admin to add it to the team page.

Navigate to the Projects tab for your team to add the projects you need today. 🎉

🚀 Migration improvements

Project Migration now includes archived items! We’ve also fixed several migration states so that your entire team is aware that the project has been transfered. Plan your migration today so that you can leverage all the new features and capabilities Projects has to offer 💖

🖌 Paste URLs formatted or as plain text

Choose your own adventure for URL pasting! Based on your feedback we have made paste preference part of our accessibility settings under your profile. Find it under editor settings to change from pasting as a formatted link (default) to pasting as plain text.

setting URL paste behavior

✨ Bug fixes & improvements

Other changes include:

  • Filtering by draft state (is:draft) now applies to open draft pull requests, in addition to draft issues
  • Issue and pull request numbers are now displayed alongside archived item titles
  • Improved condensed keyboard shortcut visuals

See how to use GitHub for project planning with GitHub Issues, check out what’s on the roadmap, and learn more in the docs.

See more

GitHub Actions: Additional information available in github.event payload for scheduled workflow runs

Additional information has been added to the payload of github.event for scheduled runs. Before this change, github.event for scheduled runs would only include the cron schedule. This change adds information about the repository, organization, and enterprise (when available).

For questions, visit the GitHub Actions community.

To see what’s next for Actions, visit our public roadmap.

See more

DevCycle is now a GitHub secret scanning partner

GitHub secret scanning protects users by searching repositories for known types of secrets. By identifying and flagging these secrets, our scans help prevent data leaks and fraud.

We have partnered with DevCycle to scan for their SDK tokens and help secure our mutual users on public repositories. DevCycle tokens allow users to target and toggle feature flags by environment and platform. GitHub will forward access tokens found in public repositories to DevCycle, who will immediately mark the token as compromised. More information about DevCycle Tokens can be found here.

GitHub Advanced Security customers can also scan for DevCycle tokens and block them from entering their private and public repositories with push protection.

See more

Improvements to audit log search

We've made some improvements to audit log search to make it easier to discover events. Since audit log events are found through key:value pairs, we now show you a list of possible options to choose from.
key-value pair dropdown menu available in audit log search

We've also linked to our documentation in the filter dropdown so that you can more easily discover all the possible options for audit log queries.

view advanced search syntax added to audit log filter

To learn more about how to query the audit log, check out our documentation, "About search for the enterprise audit log".

See more

Local timezones available on profiles

You can now display your local timezone on your profile to give others an idea of when to expect responses to pull requests or issues from you. You can opt into this feature by navigating to Settings > Public Profile and checking Display current local time. You can also update this information directly from your profile by clicking 'Edit Profile' under your avatar.
local timezone setting

This will display your timezone in the left sidebar of your profile as well as your timezone's current deviation from UTC. When other users see your profile or user hovercard, they'll see your timezone as well as how many hours behind or ahead they are from your local time.
local timezone display on profile

Learn more about personalizing your profile.

See more

GitHub Actions: All Actions will begin running on Node16 instead of Node12

Node 12 has been out of support since April 2022, as a result we have started the deprecation process of Node 12 for GitHub Actions. We plan to migrate all actions to run on Node16 by Summer 2023. We will monitor the progress of the migration and listen to the community for how things are going before we define a final date.
To raise awareness of the upcoming change, we are adding a warning into workflows which contain Actions running on Node 12. This will come into effect starting on September 27th.

What you need to do
For Actions maintainers: Update your actions to run on Node 16 instead of Node 12 (Actions configuration settings)
For Actions users: Update your workflows with latest versions of the actions which runs on Node 16 (Using versions for Actions)

See more

CodeQL for VS Code: download CodeQL databases from GitHub.com

We have started creating and storing CodeQL databases for the most popular open-source projects on GitHub.com. If you use CodeQL for security research, you can now obtain these databases easily and directly through the CodeQL extension for Visual Studio Code, which makes it much easier to write and run your own custom CodeQL queries.

Using CodeQL for security research

The CodeQL engine powers GitHub code scanning: it analyses source code and flags up potential security problems (for example, in pull requests). By default, code scanning runs a large set of open source queries that are able to identify the most important and common security problems.

CodeQL is also a powerful tool for variant analysis and other types of security research. CodeQL treats source code as data, and anyone can write custom CodeQL queries to explore a codebase and identify vulnerabilities. Like code search on steroids!

The first step of any CodeQL analysis is extracting the source code into a CodeQL database. This database contains a relational representation of the source code — including elements like the abstract syntax tree, the data flow graph, and the control flow graph. You can create CodeQL databases yourself using the CodeQL CLI, but with the feature we shipped today, it's much quicker to get started: you can download a ready-built CodeQL database from GitHub.com.

Downloading CodeQL databases from GitHub.com in VS Code

To download a CodeQL database for use in the CodeQL extension in VS Code:

  1. Make sure you have set up the CodeQL extension for VS Code. For more information, see Setting up CodeQL in Visual Studio Code.
  2. Open the CodeQL databases view in the extension.
  3. Hover over the sidebar, click the GitHub icon, and specify the owner/repo identifier of the public repository you'd like to analyze.

    image

Once you've downloaded a CodeQL database, you're ready to start your research. Find more information in the CodeQL documentation.

FAQs

How many CodeQL databases are available?

We currently store databases for over 200,000 repositories on GitHub.com. That list is constantly growing and evolving to make sure that it includes the most interesting codebases for security research.

What languages are can you download CodeQL databases for?

We create and store databases for all of the languages that we support in CodeQL code scanning. For more information, see About code scanning with CodeQL.

Can I download CodeQL databases outside VS Code?

Yes, you can also download CodeQL databases using the GitHub REST API. For more information, see Downloading databases from GitHub.com in the CodeQL CLI documentation.

Why is there no CodeQL codebase available for my favourite open source repository?

If there is a repository that you'd like to analyze, but a CodeQL database is not available yet, then you can trigger the creation (and storing) of a database by enabling GitHub code scanning with the CodeQL engine. Alternatively, you could fork the repository and enable code scanning on the fork. For more information, see the code scanning documentation.

See more

GitHub Sponsors: Fiscal host support for user accounts

Today, we're adding support for users to create a GitHub Sponsors profile and choose to receive sponsorship payouts via a fiscal host. This will give maintainers more flexibility and choice in how they receive funding. This has already been possible for organizations creating a GitHub Sponsors profile, and that remains unchanged. Users and organizations can still choose to use a Stripe Connect account instead of a fiscal host if they prefer. Learn more about signing up for a GitHub Sponsors profile using a fiscal host.

See more
View more changes