Changelog

The new Scheduled Reminders UI

We made significant enhancements to the scheduled reminders experience in the GitHub app for Microsoft Teams.

  • We have introduced a first-class UI to configure your pending pull request reminders. As part of this UI, we added a number of advanced controls that help you fine-tune your reminders.
  • We relaxed the administrator requirement to configure reminders. Now, any contributor can schedule reminders in MS Teams for the repositories they have access to.

This will ensure you get reminders for the pull requests that need your attention and there is no unnecessary noise in the channel.
Learn more about schedule reminders here.

Issue card updates

We made a few more improvements to the issue notifications experience.

  • Introduced issue comment and close/reopen capabilities in the GitHub personal app.
  • Made a few updates to the look and feel of the GitHub issue notification card.

For more information visit the GitHub app guidance for Microsoft Teams.

We've made exciting design improvements to GitHub Actions to promote better discoverability and accessibility. The improvements include:

  • An improved navigation experience that makes it easier to search workflows and workflow runs.
  • Added structure to better represent the hierarchy between caller and called reusable workflows.
  • A better mobile experience that is more consistent and supports multiple viewports.

For questions or to share your feedback, visit the GitHub Actions community.

On September 5, 2022, we reverted a recent change to our indirect pull request merge logic that was causing some pull requests to be incorrectly marked as merged. This could happen if a pull request's head branch was force pushed and resulted in the pull request showing no new commits compared to the base branch. The original change went live on August 1, 2022 and caused confusion about why some pull requests were marked as merged by a contributor who did not have the necessary permissions. It also had the side effect of removing the "first time contributor" flag from these contributors even though the repository maintainers had not accepted a contribution from them. Depending on repository settings, this could have allowed first time contributors to run GitHub Actions workflows based on their branches.

At no point were users able to push changes or merge pull requests in repositories to which they did not have appropriate authorization. After the change was reverted, GitHub conducted an investigation into any bypasses of the "first time contributor" flag and found no evidence of abuse.

GitHub now supports using the -latest image label on your larger hosted runners. With the -latest label developers can be sure that their workflows use the latest available GA image in GitHub Actions.

In general the -latest tag is used for the latest OS image version that is GA. You can find more information about the different image versions in our runner-images repository.

Interested in learning more about larger hosted runners? Read the announcement here or sign up for the beta here.

Now more than ever flexibility is not only needed for how we work, but where we work. Stay connected and up to date on your work with GitHub Projects on GitHub Mobile, now in public beta. This marks the first milestone to bring GitHub Projects to your hands, so that you can track issues and projects from anywhere at any time. We would love for you to try it out on iOS TestFlight or Google Play (Beta) and give us your early feedback.

Let’s take a look at what you can do.

Access GitHub Projects

With GitHub Projects on GitHub Mobile you can quickly access the projects you need through a repository, organization, or your own user profile.

Switch Views

You can view items as they’ve been configured and grouped and easily switch views on your projects to find what you need. Just tap on the title bar on top to pick a view from the pull-down menu. Project tables are rendered in a list layout for a simplified experience that still conveys all the necessary information you need for planning and tracking on the go. With collapsible buckets you can hide and reveal information as you wish for a better overview when you plan for a feature or track a sprint.

Custom fields and quick actions

All your custom fields, such as status, category, priority, and iteration, are rendered as glanceable metadata pills in the list. Long-press on a project item to quickly edit these fields, delete the item, or preview its content so you can keep everything up to date and organized. Want to leave a comment on a specific issue? Simply tap on the preview and write a message in the issue detail view.

Tell us what you think

GitHub Projects on GitHub Mobile is available today from Google Play (Beta) or iOS TestFlight.

There’s a lot more to come, and we’re excited to keep you updated as we make GitHub Projects on Mobile even better. In the meantime, we want to hear from you. Leave us your thoughts in GitHub Mobile Discussions, by tapping Share Feedback in your app profile, or reviewing our app in the Play Store or iOS App store.

To prevent untrusted logged data from using the save-state and set-output workflow commands without the workflow author's intent, we have introduced a new set of environment files to manage state and output.

Patching your actions and workflows

If you are using self-hosted runners, make sure they are updated to version 2.297.0 or greater.

Action authors who are using the toolkit should update the @actions/core package to v1.10.0 or greater to get the updated saveState and setOutput functions.

Action and workflow authors who are using save-state or set-output via stdout should update to use the new environment files.

Starting today, runner version 2.298.2 will begin to warn you if you use the save-state or set-output commands via stdout. We are monitoring telemetry for the usage of these commands and plan to fully disable them in the future.
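As an added example (not GitHub's code), here is the migration for a shell `run:` step: the deprecated stdout commands next to helpers that append to the environment files. `GITHUB_OUTPUT` and `GITHUB_STATE` are the variables GitHub Actions uses to name those files (this page does not name them); the helper names, the name check and the sample values are constructed for illustration.

```shell
#!/bin/sh
# Deprecated forms, parsed from stdout, so any logged line can trigger them:
#   echo "::set-output name=version::$version"
#   echo "::save-state name=pid::$pid"
# Replacement: append to the files named by GITHUB_OUTPUT and GITHUB_STATE.

# write_kv FILE NAME VALUE (hypothetical helper): append one entry.
write_kv() {
  file=$1 name=$2 value=$3
  # Conservative name check chosen for this example: no '=', '<' or spaces.
  case $name in
    ''|*[!A-Za-z0-9_-]*) echo "invalid name: $name" >&2; return 1 ;;
  esac
  nl='
'
  case $value in
    *"$nl"*)
      # Multi-line value: name<<DELIM, the lines, then DELIM on its own line.
      # A random delimiter keeps untrusted content from ending the block early.
      delim="ghadelim_$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')"
      case $value in *"$delim"*) return 1 ;; esac
      printf '%s<<%s\n%s\n%s\n' "$name" "$delim" "$value" "$delim" >> "$file"
      ;;
    *)
      printf '%s=%s\n' "$name" "$value" >> "$file"
      ;;
  esac
}

set_output() {
  [ -n "${GITHUB_OUTPUT:-}" ] || { echo "GITHUB_OUTPUT is not set" >&2; return 1; }
  write_kv "$GITHUB_OUTPUT" "$1" "$2"
}

save_state() {
  [ -n "${GITHUB_STATE:-}" ] || { echo "GITHUB_STATE is not set" >&2; return 1; }
  write_kv "$GITHUB_STATE" "$1" "$2"
}

# Usage in a run: step (constructed values):
#   set_output version "1.4.2"
#   set_output notes "$(git log -1 --format=%B)"
```

A value that itself contains text such as `::set-output name=admin::true` is stored as plain data in the file and is never written to stdout as a command.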

Previously, the original publisher of a package in GitHub Packages had the owner attribute, which granted them admin privileges for the package. The current package admin role has the exact same privileges.

As of today the two roles with identical privileges are being merged and the admin role can be used as the ultimate authority. By default, both the original publisher and the organization owner will have admin privileges on that package.

In addition to uploading and downloading a package, admins can manage a package, read and write package metadata and grant package permissions.

As part of this change, the owner badge is no longer shown next to the package publisher's username.

Learn more about permissions for packages

Enterprise owners can now configure whether repository administrators can enable or disable Dependabot alerts.

If you are an owner of an enterprise with GitHub Advanced Security, you can now also set policies to allow or disallow repository administrators access to enablement for:

  • GitHub Advanced Security
  • Secret scanning

Learn more about enterprise policies for code security and send us your feedback

You can now hide individual Achievements.
Navigate to Achievements on your profile sidebar and click on an achievement to get started. Once in the detail view, the eye icon will indicate the current visibility of the achievement. Click on the eye icon to hide the achievement. When hidden, they are only visible to you.

You can still opt out of Achievements as a whole in your Profile Settings.

For more information, see Changing the visibility of Achievements. If you have any feedback to help us improve Achievements, be sure to post it in our discussions forum.

GitHub Enterprise Cloud customers can now stream their audit log to a Datadog endpoint. Enterprise owners need to be able to use the right tools for their job, whether that be short-term investigation or longer-term threat analysis and prevention. With audit log streaming to Datadog, customers can be assured that:

  • no audit log event will be lost,
  • they may satisfy longer-term data retention goals, and
  • they can analyze GitHub's audit log data using Datadog products.

For GitHub Enterprise Server customers, this feature is planned to come to GHES 3.8.

For additional information, read our documentation about setting up streaming to Datadog.

GitHub Enterprise Cloud customers can now participate in a private beta enabling authentication token data to display for audit log events. In doing so, enterprise owners will be able to query their audit logs for activity associated with specific authentication tokens. With the introduction of this feature, enterprise owners will be better equipped to detect and trace activity associated with corrupt authentication tokens, which have the potential to provide threat actors access to sensitive private assets.

Enterprise owners interested in participating in the private beta should reach out to their GitHub account manager or contact our sales team to have this feature enabled for their enterprise. Once enabled, enterprise owners can find guidance and provide feedback at the displaying authentication token data in enterprise audit log events community discussion.

If you are an owner of an enterprise with GitHub Advanced Security, you can now enable secret scanning and push protection across your entire enterprise with only 1 click.

This new enablement setting also allows you to set a default custom link that will appear on a push protection block.

API users can now integrate with a new dependabot_alert webhook, which matches the naming and structure of the recently introduced Dependabot alerts REST API. You should use this webhook in place of the existing repository_vulnerability_alert.

What's new

Improvements with the new webhook include:

  • More informative payload, including state and scope of the dependency, dismissal comments, and helpful information about a vulnerability (e.g. CVE ID, summary, description, CWEs, and reference URL).
  • Support for GitHub Apps with the Dependabot alerts read permission.
  • Actions on an alert now include the full set of created, dismissed, reopened, fixed, or reintroduced. See below for descriptions:
    Action        Action definition
    created       GitHub has opened the Dependabot alert
    dismissed     GitHub user dismissed the alert with dismissed_reason and an optional dismissed_comment
    reopened      GitHub user manually reopened the previously-dismissed alert
    fixed         GitHub detected the Dependabot alert is resolved
    reintroduced  GitHub reopened the previously-fixed alert

Deprecation notice

The repository_vulnerability_alert webhook is being deprecated. In 2023, we plan to remove the existing repository_vulnerability_alert webhook, which is superseded by the dependabot_alert webhook. We will give integrators at least 3 months notice of this removal — keep an eye on the GitHub Changelog in 2023 for more information.

Learn more about the Dependabot alerts webhook in our documentation.

Dart developers will now receive Dependabot alerts for known vulnerabilities on their pubspec dependencies.

The dependency graph supports detecting pubspec.lock and pubspec.yaml files. Dependencies from these files will be displayed within the dependency graph section in the Insights tab.

The Advisory Database includes curated security advisories for vulnerabilities on pubspec packages.

Learn more about:

Today, we're releasing updates that will optimize prebuilding codespaces for your repositories. With these updates, as long as there is an active prebuild for a given repository, branch, and devcontainer combination, you will be able to spin up prebuilt codespaces for it, even if the latest prebuild workflow for that branch is failing. This ensures fast codespace creation most of the time, regardless of any breaking changes that may be adversely affecting the latest prebuild update.

Repository admins will have the option to disable this optimization if needed by going to their prebuild configuration page under advanced options.

For more information, see Configuring prebuilds for your repository.

If you have any feedback to help improve this experience, be sure to post it on our discussions forum.

GitHub Desktop 3.1 improves submodule support and now supports multi-commit diffing.

Submodule support in GitHub Desktop just got much better: it now provides a more detailed “diff” when submodules have changes. You will now know whether submodules are just pointing at a different commit or if there are changes within them that you must commit. You can also open the submodule at the click of a button!

You can now also see all the changes across multiple commits by just selecting them. That way, you can be certain about the changes you’re about to push or merge onto another branch, and make sure no unintended changes are included in them.

Learn more about GitHub Desktop

The functionality for GitHub Enterprise Cloud customers to configure audit log streaming to AWS S3 with OpenID Connect (OIDC) is now generally available. Audit log streaming configured with OIDC eliminates storage of long-lived cloud secrets on GitHub by using short-lived tokens exchanged via REST/JSON message flows for authentication.

For additional information, please read about setting up audit log streaming to AWS S3 with OpenID Connect.

Actions on GitHub Mobile

Actions are coming to GitHub Mobile! You can now view and manage your pull requests on the go.

Tapping on checks when viewing a pull request now leads to a vastly improved experience, including the ability to view a workflow-run, its jobs and even the logs of completed steps inside.

A run did not go as planned? No problem. GitHub Mobile now supports re-running single jobs, failed jobs as well as entire workflows directly from your mobile device. For checks that are already running, support for cancellation has been added as well.


Read more about GitHub Mobile and send us your feedback to help us improve.

As previously mentioned, starting today, all Sponsors profiles will have custom amounts enabled by default. This means if you have a GitHub Sponsors profile, people can sponsor you for a dollar amount they choose, rather than just the amounts you published. This will simplify setting up Sponsors profiles as well as make it easier for users to make sponsorships.

For maintainers who did not have custom amounts previously enabled, and therefore had no minimum, we set a minimum based on their lowest tier value. If you prefer to change your minimum custom amount, you can do so via the Sponsors dashboard. Learn more about managing sponsorship tiers.
