Changelog


You can now require approval from a user with write permissions to the repository before a workflow run can be triggered from a private fork. This can be useful for some inner source scenarios, where you want to ensure that the code is reviewed before it is run.


Learn more about enabling workflows for forks of private repositories
For questions, visit the GitHub Actions community.
To see what's next for Actions, visit our public roadmap.


The dependency review API is now generally available.

The Dependency Review GitHub Action now allows you to reference a local or external configuration file. There are also new configuration options:

  • fail-on-scopes: contains a list of strings representing the build environments you want to support (development, runtime, unknown). The action will fail on pull requests that introduce vulnerabilities in the scopes that match the list.
  • allow-ghsas: contains a list of GitHub Security Advisory IDs that can be skipped during detection.
  • license-check and vulnerability-check: boolean options that allow you to disable either one of the checks.

Learn more about the dependency graph and dependency review


As part of the ongoing initiative to deprecate legacy global IDs, you will begin to see deprecation warnings for GraphQL node queries using the legacy ID format.

The deprecation warnings will look like this:

{
  "data": {
    "node": {
      "login": "ahoglund"
    }
  },
  "extensions": {
    "warnings": [
      {
        "type": "DEPRECATION",
        "message": "The id MDQ6VXNlcjM0MDczMDM= is deprecated. Update your cache to use the next_global_id from the data payload.",
        "data": {
          "next_global_id": "U_kgDOADP9xw"
        },
        "link": "https://docs.github.com"
      }
    ]
  }
}

This will not impact the data portion of the payload. We recommend using these deprecation warnings along with the X-Github-Next-Global-ID header to begin migrating any of your caches that contain legacy IDs. More information on how to migrate can be found in our last update as well as in the GitHub documentation.

If you have any concerns about the rollout of this change impacting your usage of the GitHub GraphQL API, please contact us and include any relevant information, so that we can better assist you.
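A sketch of the cache migration described above, as an added example that is not GitHub's own code: it reads the deprecation warnings from a response shaped like the one shown and re-keys a local cache from legacy IDs to `next_global_id`. The function names and the cache layout (a dict keyed by node ID) are assumptions; the sample response is copied from the payload above.

```python
import re

# Pulls the legacy id out of the warning message format shown in the post.
_LEGACY_ID_RE = re.compile(r"The id (\S+) is deprecated")


def extract_id_migrations(response: dict) -> dict:
    """Return {legacy_id: next_global_id} from a response's deprecation warnings."""
    migrations = {}
    warnings = (response.get("extensions") or {}).get("warnings") or []
    for warning in warnings:
        if warning.get("type") != "DEPRECATION":
            continue  # ignore any other warning types
        match = _LEGACY_ID_RE.search(warning.get("message", ""))
        next_id = (warning.get("data") or {}).get("next_global_id")
        if match and next_id:
            migrations[match.group(1)] = next_id
    return migrations


def migrate_cache(cache: dict, migrations: dict) -> list:
    """Re-key cache entries in place; return the legacy ids that were handled."""
    moved = []
    for legacy_id, next_id in migrations.items():
        if legacy_id not in cache:
            continue
        if next_id in cache:
            # An entry already exists under the new id: drop the stale legacy key.
            del cache[legacy_id]
        else:
            cache[next_id] = cache.pop(legacy_id)
        moved.append(legacy_id)
    return moved


# Response body as shown in the changelog post.
SAMPLE_RESPONSE = {
    "data": {"node": {"login": "ahoglund"}},
    "extensions": {
        "warnings": [
            {
                "type": "DEPRECATION",
                "message": "The id MDQ6VXNlcjM0MDczMDM= is deprecated. "
                           "Update your cache to use the next_global_id "
                           "from the data payload.",
                "data": {"next_global_id": "U_kgDOADP9xw"},
                "link": "https://docs.github.com",
            }
        ]
    },
}

if __name__ == "__main__":
    cache = {"MDQ6VXNlcjM0MDczMDM=": {"login": "ahoglund"}}  # constructed cache
    print(migrate_cache(cache, extract_id_migrations(SAMPLE_RESPONSE)), cache)
```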


Security overview’s new risk and coverage views provide greater visibility into your security posture and risk analysis.

Each new view offers a refreshed design with several key improvements, including insights and dynamic filtering.

Coverage view

The coverage view gives visibility into enablement across all repositories. On the coverage view, you can:

  • See counts and percentages of repositories with GitHub security features enabled or disabled, which update when you apply filters
  • Track enablement for additional security features, including secret scanning push protection, Dependabot security updates, and code scanning pull request alerts.


Risk view

The coverage view is complemented by a new risk view that gives visibility into all alerts across these repositories.
On the risk view, you can:

  • See counts and percentages of repositories with security vulnerabilities, which also update when you apply filters
  • See open alerts segmented by severity for both Dependabot and code scanning.


Both views are now available as a public beta. In the coming weeks, we will deprecate the overview in favor of these two new views.

Learn more about the new risk and coverage views and send us your feedback


GitHub's code navigation features jump to definition and find all references are now available for all Rust projects on GitHub.

When you view a Rust file on github.com, you can click on the name of a function, module, or macro to see its definition and its references within that repository. We use the tree-sitter library to find definitions and call sites in your code.

Learn more about code navigation for Rust and other languages in the GitHub documentation: Navigating code on GitHub.

Also, check out the tree-sitter library to learn how support for different languages is implemented.


Cross-repo code navigation is now available for all Python repositories. When showing the definition of a function or method, we now include definitions from other repositories, and from the Python standard library.

Cross-repo code navigation is powered by the stack graphs framework and by the Dependency Graph. You can read about how we use stack graphs for code navigation and visit the stack-graphs repo to learn more. You can also read more about code navigation for Python and other languages in our documentation.


The npm CLI v9 is now generally available! As of today, running npm i -g npm will install the latest version (v9.1.1). Details on the major breaking changes, features and bug fixes of v9 can be found in our last changelog post.

A huge shout out to all of the contributors who helped make this release possible and who continue to make npm awesome.

Learn more about v9.1.1 in the release notes. You can also find references to previous releases in the project's CHANGELOG.md.


Understanding code is one of the most important parts of software development. Developers need to be able to quickly search, navigate, and understand their code to do their best work. That’s why we have dramatically upgraded the code search and browsing experience on GitHub with an all-new code search and code view beta that we’re excited to announce today!

You can access the new features by joining the waitlist.

A better way to search code

We’ve developed a new code search engine at GitHub completely from scratch, capable of finding relevant results with incredible speed. The all-new code search engine supports powerful features, like regular expressions, Boolean expressions, qualifiers, symbol search, and more!

We’ve also totally redesigned the search input, adding powerful capabilities like suggestions and completions as you type.

Screenshot of our redesigned search input

And the new search results UI allows you to slice and dice your results.

Screenshot of the search results page

These improvements replace the 2021 technology preview for GitHub code search at cs.github.com.

The all-new code browsing experience

This is the revamped code viewing experience for GitHub repositories. This experience has several new features including a tree pane for browsing files, symbol search, fuzzy search for files, sticky code headers, and much more! We’ve designed this code viewing experience to provide a generational jump in code browsing and viewing on GitHub.

Screenshot of the redesigned code browser

Starting with the new tree pane on the left, you can explore repository folders and files without changing pages or losing context. You can also search files within the repository, making it easier than ever to find the right file.

Screenshot of left tree pane

Moving on to the right-side symbols pane, you can simply click on a symbol in code, such as a function name, to view its definition and references across files.

Screenshot of symbols pane

In addition to symbol navigation, we revamped find-in-file and bound it to CMD/CTRL+F to be even better than before.

Along with the overhauled code view, we updated the blame view. You can toggle the blame view from the code view to keep context and view a file’s history.

Lastly, we reworked the file editing experience! Now you can edit a file without losing context, and we’ve made it easy to open a file in github.dev or GitHub Desktop.

There are so many features that couldn’t be listed here and we can’t wait for you to discover them! Over the next weeks we’ll ship many improvements that focus on accessibility and integrating feedback from the community.

Join the beta waitlist

We are eager for you to try the new code search and code view beta! Join the waitlist to get access.

This project is a major update to GitHub’s user experience that was made possible by the feedback you provided. Help make the experience even better by sharing your latest feedback here.


GitHub Enterprise and organization owners will have improved visibility into authentication activity with the addition of authentication token data to audit log events. Stolen and compromised credentials are the number one cause of data breaches across the industry, and now enterprise and organization owners can query their audit logs for activity associated with a specific authentication token. They will be better equipped to detect and trace activity associated with compromised authentication tokens. This feature is generally available for GitHub Enterprise Cloud customers, and will be released to GitHub Enterprise Server as part of GHES 3.8.

To learn more, read our documentation on identifying audit log events performed by an access token.
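An incident-response sketch of tracing one token through exported audit log events, added here as an example and not taken from GitHub's code. It assumes that events carry a `hashed_token` field holding the base64-encoded SHA-256 digest of the token, as GitHub's audit log documentation describes (this page does not show the format); the event field names, the function names and the sample events are assumptions constructed for illustration.

```python
import base64
import hashlib
from collections import Counter


def hashed_token_value(token: str) -> str:
    """Base64 of the token's SHA-256 digest (assumed audit log representation)."""
    digest = hashlib.sha256(token.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def token_activity(events: list, token: str) -> dict:
    """Summarise every exported audit log event attributed to one token."""
    wanted = hashed_token_value(token)
    hits = [e for e in events if e.get("hashed_token") == wanted]
    hits.sort(key=lambda e: e.get("@timestamp", 0))
    return {
        "hashed_token": wanted,
        "event_count": len(hits),
        "actions": dict(Counter(e.get("action", "unknown") for e in hits)),
        "actors": sorted({e.get("actor", "unknown") for e in hits}),
        "first_seen": hits[0].get("@timestamp") if hits else None,
        "last_seen": hits[-1].get("@timestamp") if hits else None,
    }


# Constructed sample data: the token strings are placeholders, not credentials.
SUSPECT_TOKEN = "constructed-example-token-not-real"
OTHER_TOKEN = "another-constructed-token"

SAMPLE_EVENTS = [
    {"@timestamp": 1668000300000, "action": "repo.download_zip",
     "actor": "octocat", "hashed_token": hashed_token_value(SUSPECT_TOKEN)},
    {"@timestamp": 1668000000000, "action": "git.clone",
     "actor": "octocat", "hashed_token": hashed_token_value(SUSPECT_TOKEN)},
    {"@timestamp": 1668000100000, "action": "git.clone",
     "actor": "hubot", "hashed_token": hashed_token_value(OTHER_TOKEN)},
    # Event with no token attached (for example, a web session action).
    {"@timestamp": 1668000200000, "action": "org.update_member",
     "actor": "octocat"},
]

if __name__ == "__main__":
    print(token_activity(SAMPLE_EVENTS, SUSPECT_TOKEN))
```

Hashing the token locally means the audit export can be searched without the plaintext credential leaving the responder's machine.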


Open source maintainers can now opt-in to private vulnerability reporting, a dedicated communications channel where the community can disclose security issues directly to you on GitHub.

You can see reports sent to you under the new "Needs triage" status on your advisories list:
Screen Shot of Advisories tab

If the report is accepted, it becomes a draft security advisory. The reporter remains involved unless explicitly removed, so you can collaborate on phrasing the resulting draft advisory or fixing the issue in a private fork.


GitHub Codespaces with included free usage is now rolling out to all GitHub Free and Pro accounts. Over the coming days you'll see a new option under the green "Code" button (where you are used to getting the info you need to clone a repository) that enables you to spin up and manage cloud based development environments that free you from the pain and hassle of setting up and maintaining local configurations. Until now, only Teams and Enterprise managed GitHub Organization members had access to Codespaces.

With this update, GitHub will provide each Free plan account 120 core hours, or 60 hours of run time for a 2 core codespace, plus 15 GB of storage to use each month. Pro accounts get 180 core hours and 20 GB storage per month. You can see how much included usage is remaining for your account during the current billing period on your billing page. If you use up all of your included usage, it is easy to set up a spending limit and keep working. For more details see "About billing for GitHub Codespaces."

We hope that everyone will take Codespaces for a spin, and come join us in the community discussion space to tell us your story!


This changelog only applies if you participated in the beta program for Codespaces for Individuals.

Today marks the start of the rollout of Codespaces for Free and Pro accounts, and thus the end of the beta for Individuals. Unfortunately, this also ends unlimited free use of Codespaces.

The good news is that this marks the beginning of much broader collaboration with more people who can now take advantage of included free compute and storage. All Free and Pro GitHub accounts receive a generous amount of free included usage each month.

Note that the default spending limit for GitHub Codespaces is $0. So even if you already have a payment method configured with GitHub, you will not automatically be billed unless you change your spending limit.

The rollout will take place over several days, so these changes will affect you in the coming days. For more details see "About billing for GitHub Codespaces."

For those who participated, a heartfelt THANK YOU for all the feedback that has been instrumental to our getting to this milestone.
We hope that you'll continue to enjoy Codespaces, and come join us in the community discussion space to tell us your story!


GitHub now supports the use of GitHub Codespaces with JetBrains IDEs via the JetBrains Gateway. After downloading the JetBrains Gateway and installing the GitHub Codespaces plugin, users will be able to connect to their codespaces with the JetBrains IDE of their choice.


Once connected, users can leverage the full power of JetBrains' IDEs in the cloud: fast, accurate code completion; integrated run and debug configurations; and unparalleled code navigation tools. Rather than needing to install each IDE on a developer machine, using GitHub Codespaces with JetBrains IDEs enables the use of any JetBrains IDEs in the cloud.


The beta supports connectivity to a codespace, private port forwarding, and a fully featured code editing experience in the following IDEs:

  • IntelliJ IDEA
  • PyCharm
  • WebStorm
  • GoLand
  • RubyMine
  • PHPStorm

Additional IDE support, codespace management tools (e.g. creation, deletion, changing the machine type), and better support for Development Container creation will be added as the beta progresses.

In order to connect to a codespace via the JetBrains Gateway, users will need the following:

Check out the documentation to learn more and get started.
For feedback or questions, create an issue in this repository and we will get back to you.


GitHub is excited to announce support for using GitHub Codespaces with JupyterLab. JupyterLab is the next-generation user interface for Project Jupyter offering all the familiar building blocks of the classic Jupyter Notebook (notebook, terminal, text editor, file browser, rich outputs, etc.) in a flexible and powerful user interface.

JupyterLab in a Codespace

Using GitHub Codespaces with JupyterLab combines the delightful notebook editing, data exploration, and narrative building experiences of JupyterLab with the power, standardization, and simplicity of a codespace.

You can open any codespace in JupyterLab via the repository page or the GitHub CLI:

open in JupyterLab examples

You can also set JupyterLab as your preferred editor, enabling single click access to codespaces via JupyterLab:

set JupyterLab as default editor

JupyterLab support is even more powerful when combined with GPU-powered codespaces. Though GPU access is not yet generally available, you can request early access here.

Click here to learn more about GitHub Codespaces support for Machine Learning and AI, or jump straight into our template repository and try it out!


We recently released organization-level API support that enables administrators to programmatically manage their organization-owned codespaces at scale. Today we're announcing that these APIs are generally available.

With organization APIs providing a wide range of management operations, organizations can seamlessly integrate GitHub Codespaces into their existing workflows to automate and manage their development processes at scale.

Organization-level APIs are generally available to GitHub Team and Enterprise Cloud plans. Here is a link to our documentation to get started:


Codespace Templates

GitHub Codespaces with included free usage is now rolling out to all GitHub Free and Pro accounts. We've added experiences to quickly start new projects in a codespace using many of the frameworks you know and love. These templates are a prebuilt development environment all boxed up to work with one click, without the need to configure your development environment.

Codespace templates come with a pre-configured devcontainer. Using a forwarded port you can see your running web application. The configuration of the devcontainer enables the necessary files to be open by default, run the services necessary, and preview the output of the application in your web editor.

Do you want to start developing in Codespaces, but you're unsure what framework to start with? Use the Blank Template to jump right into a brand new codespace! We've also included a set of starter templates for you on the Codespaces index page. You can even make your own template for developers to use by creating your own repository template! By creating your own codespace template from a repo template, you can create a one-click, prebuilt development environment for others to use your projects.

We hope you take Codespace Templates out for a spin, and join us in the community discussion space to share your templates and collaborate with us!


Last year, we launched Ruby analysis support in beta for GitHub code scanning. Today, we're announcing the general availability of this feature — covering even more vulnerabilities in Ruby code.

Ruby is part of the top 10 most popular languages on GitHub today. In the past year alone, code scanning (powered by the CodeQL engine) helped Ruby developers resolve more than 4,000 security issues. Set up code scanning on your repositories today and receive actionable security alerts right on your pull-requests.

Since shipping in beta, our Ruby analysis has more than doubled the number of common weaknesses (CWEs) that it can detect. A total of 30 rules check your code for a range of vulnerabilities, including cross-site scripting (XSS), regular expression denial-of-service (ReDoS), SQL injection, and more. Additional library and framework coverage for Ruby-on-Rails ensures that web service developers get even more precise results. We currently support all common Ruby versions, up to and including 3.1. Check out the documentation for more details on compatibility.

Ruby support is available by default in GitHub.com code scanning, the CodeQL CLI, and the CodeQL extension for VS Code. GitHub Enterprise Server (GHES) version 3.4 shipped with Ruby (beta) support, and GHES 3.8 will include this GA release.


Workflows using the ubuntu-latest runner label will soon run on Ubuntu-22.04.

Ubuntu 22.04 became generally available on GitHub-hosted runners in August 2022. Now Ubuntu-22.04 is ready to be the default version for the ubuntu-latest label in GitHub Actions workflows. This change will be rolled out over a period of 8 weeks beginning on October 1, 2022.

If you see any issues with your workflows when they are transitioned to Ubuntu-22.04:

  • File an issue in the runner-images repository
  • Switch back to Ubuntu 20.04 by specifying the ubuntu-20.04 runner label. We will continue to support Ubuntu 20.04.

Note that image software between Ubuntu-20.04 and Ubuntu-22.04 differs by the pre-installed and default versions of some tools. See the full list.


GitHub Enterprise Server 3.7 is now generally available. This release continues our trend of bringing new features to GitHub Enterprise Server (GHES) in record numbers. Beyond the numbers, the features in GHES 3.7 not only enable developers to build world class software every day, but also provide administrators with the tools needed to reliably run GitHub at scale.

We're making more than 70 features available, including:

  • Reusable workflows and new support for Google Cloud Storage, making it easier to build with GitHub Actions at scale.
  • Security Overview dashboard to give all security teams a single view of code risk.
  • An improved management console to keep your instance more secure than ever with automated user onboarding and offboarding.
  • New forking and repository policies, so adopting innersource best practices is easier, all while balancing auditability and project maintenance in the long term.
  • Code scanning alerts are now more collaborative and part of the flow for GitHub Advanced Security customers.

To learn more about GitHub Enterprise Server 3.7, read the release notes, and download it now.


Dependabot helps you keep your dependencies up-to-date with Dependabot version updates. These pull requests are configured via a dependabot.yml file.

Starting today, if you fork a repository with an existing dependabot.yml, version updates will be disabled by default. To enable Dependabot pull requests based on this configuration, you can click “enable” from your forked repository’s “Code security and analysis” settings page.

After enabling Dependabot version updates, you will also be able to disable them with a single click from this settings page.

Dependabot version updates

Learn more about configuring Dependabot version updates.
