Changelog


👋 We just finished releasing the last feature update of the year for Projects. It was relatively light, mainly composed of bug fixes and minor improvements to some of our Private Beta features.

Since this is our last push to production for 2022, we wanted to take the opportunity to reflect on all the improvements shipped during this year – and boy, there were many of them! Along with general availability (GA) of Projects in July, we delivered 210 feature releases 🚀. It’s been a year of listening to what you need to stay focused on code – and delivering on those requests.

Projects 2022 wrapped 210 features

Let's look at some of the highlights:

  • We adapted the Project’s side-panel to keep issues front-and-center. Quickly read and leave comments, edit fields and react to issues and comments without leaving a project view.
  • We simplified bulk adding issues to a project; you can expect to see more in 2023 as we make this process even sleeker. We also know you don’t need closed issues cluttering your views or the labor of manual archiving. GitHub’s solution: automated archiving.
  • Productivity is all about improving micro-actions, so we also shipped branching your code directly from an issue – to get code and context tied together quickly.
  • Want to keep up with changes to your Projects? Projects webhooks transmit events for any action taken on project items within your organization. But we didn’t stop there; the Projects GraphQL API was launched mid-year.
  • We also help you to collaborate with your team from anywhere, anytime. If you haven’t already, join the GitHub Mobile Public Beta and make quick edits to your projects and issues while you’re on the go. For those collaborating in Slack: this year, we enabled you to create, track, and manage your GitHub issues directly from your favorite channel (learn more).

We also did a fair amount of polish and 🐛 bug fixing along the way, as you can see by this chart.

Bug fixes 2022

Our momentum was palpable at Universe 🪐 as we announced initial iterations on tasklists and roadmap. We have started the Private Beta rollout on these features and look forward to your feedback as you use them in the new year.

As the home of all developers, we strive to provide you with planning and tracking experiences that are adaptable, fast, and close to your code. We had a great 2022, and we want to thank you for all your feedback and support. For 2023, we already have an exciting roadmap planned, and the team is energized to bring it to life.

See you all after the Holidays 🎄.


You can now view (GET) the security feature enablement status for all repositories in your organization using the "list organization repositories" endpoint in the REST API for the following security features:

  • GitHub Advanced Security
  • Secret scanning
  • Push protection

Previously, you had to retrieve a list of repos and call the "get a repository" endpoint for each repository ID to accomplish this task.

This change is intended to make it easier to audit enablement status for compliance purposes and for those customers who build external dashboards.

Learn more about the "List organization repositories" REST API and send us your feedback

Learn more about GitHub Advanced Security
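
An added example (not from the original post) of the audit this change enables: it reads one page of a "list organization repositories" response and reports which repositories lack each feature. The `security_and_analysis` field names follow the REST API's repository object and are not stated on this page; the repository names and the sample response are constructed.

```python
import json

# Constructed sample: one page of a "list organization repositories" response,
# trimmed to the fields this audit reads. Repository names are made up.
SAMPLE_PAGE = json.loads("""
[
  {"full_name": "example-org/api", "security_and_analysis": {
      "advanced_security": {"status": "enabled"},
      "secret_scanning": {"status": "enabled"},
      "secret_scanning_push_protection": {"status": "disabled"}}},
  {"full_name": "example-org/docs", "security_and_analysis": {
      "secret_scanning": {"status": "enabled"},
      "secret_scanning_push_protection": {"status": "enabled"}}},
  {"full_name": "example-org/legacy"}
]
""")

FEATURES = ("advanced_security", "secret_scanning", "secret_scanning_push_protection")

def feature_status(repo, feature):
    """Return 'enabled' or 'disabled'; anything absent or unexpected is 'unknown'."""
    block = (repo.get("security_and_analysis") or {}).get(feature) or {}
    status = block.get("status")
    # An absent field is reported as unknown, not disabled, so a visibility
    # gap in the response is not mistaken for a feature that is switched off.
    return status if status in ("enabled", "disabled") else "unknown"

def audit(repos, required=FEATURES):
    """Map each non-compliant repo to the required features that are not enabled."""
    gaps = {}
    for repo in repos:
        missing = [f for f in required if feature_status(repo, f) != "enabled"]
        if missing:
            gaps[repo["full_name"]] = missing
    return gaps

def summary(repos):
    """Count repos per status for each feature, e.g. for a dashboard row."""
    counts = {f: {"enabled": 0, "disabled": 0, "unknown": 0} for f in FEATURES}
    for repo in repos:
        for f in FEATURES:
            counts[f][feature_status(repo, f)] += 1
    return counts

if __name__ == "__main__":
    for name, missing in audit(SAMPLE_PAGE).items():
        print(f"{name}: not enabled -> {', '.join(missing)}")
    print(summary(SAMPLE_PAGE))
```

In a real audit, run `audit` over every page of the response; repositories reported as unknown need a follow-up check rather than being counted as disabled.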


Enterprise and organization administrators can now create personal access tokens (classic) and OAuth apps with the read:audit_log scope to access the Audit Log REST API.

Why is this important? Stolen and compromised credentials are the number one cause of data breaches across the industry. To mitigate the risk of compromised credentials, GitHub recommends adhering to the principle of least privilege which promotes "giving a user account or process only those privileges which are essential to perform its intended function." The new scope will enable access to the audit log endpoints, without requiring full administrative privileges.

This feature is generally available for GitHub Enterprise Cloud customers, and will be released to GitHub Enterprise Server in version 3.8. To learn more, read our documentation on using the audit log API for your enterprise.


GitHub secret scanning protects users by searching repositories for known types of secrets. By identifying and flagging these secrets, our scans help prevent data leaks and fraud.

We have partnered with Tencent Weixin to scan for their tokens and help secure our mutual users on all public repositories and private repositories with GitHub Advanced Security. Tencent Weixin tokens allow users to verify Weixin Official Accounts and Mini Programs developers, obtain sensitive information on business applications, and verify merchant identities.

GitHub will forward access tokens found in public repositories to Tencent Weixin, who will notify affected users. Tencent Weixin encourages users to delete leaked API tokens on GitHub and to create a new token. More information about Tencent Weixin tokens can be found here.

Learn more about secret scanning
Partner with GitHub on secret scanning


Secret scanning alerts for third party API key detections now include a link to relevant documentation provided by the service provider, where available. These links are intended to help users better understand detections and take appropriate action.

The links will appear in the alert view for all repositories with secret scanning enabled. You can enable secret scanning on your public repositories and any private repository with GitHub Advanced Security. If you have feedback on any provided links, please write us a note in our code security discussion.

example alert with provider docs


GitHub Actions hosted runner images are now more secure than ever, with the ability to see exactly what software is pre-installed on the image that was used by the runner during your build. GitHub now attaches a software bill of materials (SBOM) as an asset to each image release for Ubuntu and Windows. Support for Mac runners is targeted for Q1 2023.

In the context of GitHub Actions hosted runners, an SBOM details the software pre-installed on the virtual machine that is running your Actions workflows. This is useful when a vulnerability is detected: you will be able to quickly tell whether you are affected. If you are building artifacts, you can include this SBOM in your bill of materials for a comprehensive list of everything that went into creating your software.

To check out the new files, head over to the runner-images repository release page now or check out our docs for more information.


Previously, GitHub Advanced Security customers could enable push protection for all patterns supported by default.

Now, admins can also enable push protection for any custom pattern defined at the repository or organization level. Push protection for enterprise-level custom patterns will come in January.

blocked custom pattern


Previously, only organizations with GitHub Advanced Security could enable secret scanning's user experience on their repositories. Now, any admin of a public repository on GitHub.com can detect leaked secrets in their repositories with GitHub secret scanning.

The new secret scanning user experience complements the secret scanning partner program, which alerts over 100 service providers if their tokens are exposed in public repositories. You can read more about this change and how secret scanning can protect your contributions in our blog post.


Actions and reusable workflows from private repositories can now be shared with other private repositories within the same organization, user account, or enterprise.
See managing the repository settings and managing the enterprise repository settings to allow access to workflows in other repositories.

We have also added API support to configure the Actions share policy. Refer to API support or API support for Enterprise for more details.

Learn more about Sharing actions and workflows from your private repository, Sharing actions and workflows with your organization, and Sharing Actions and workflows with your enterprise.


Enterprises with GitHub Advanced Security can now enable secret scanning and push protection on all their organizations using a single call to an enterprise-level REST API endpoint.

You can also use the enterprise API to set a default custom link that will appear on a push protection block.

This new endpoint supplements the existing enterprise enablement settings in the UI and the repository-level and organization-level REST API enablement endpoints.


Now admins can transfer and rename a repository at the same time. Before, each action was separate.

In the transfer repository screen, choose “Select one of my organizations”. The “Repository name” field will appear below. You must be an admin on the target organization to rename the repository. Renaming isn’t available if you “Specify an organization or username”.

Optionally change the name the repository will have after transferring. Then complete the transfer!

Learn more about transferring a repository.


GitHub secret scanning protects users by searching repositories for known types of secrets. By identifying and flagging these secrets, our scans help prevent data leaks and fraud.

We have partnered with Telnyx to scan for their tokens and help secure our mutual users on all public repositories and private repositories with GitHub Advanced Security. Telnyx tokens allow users to manage their usage and resources on the Telnyx communications and connectivity platform.

GitHub will forward access tokens found in public repositories to Telnyx, who will immediately reach out to the user and work to swiftly rotate the key. More information about Telnyx tokens can be found here.

GitHub Advanced Security customers can also block Telnyx tokens from entering their private and public repositories with push protection.

Learn more about secret scanning
Learn more about protecting pushes
Partner with GitHub on secret scanning


GitHub Security was recently notified about a caching issue affecting npm. This bug had been present since 2016 and sporadically caused npm maintainers to be re-invited upon removal from packages or organizations. Our Security team investigated potential instances of the issue and believes this bug only occurred if a user was removed, followed shortly by the addition of a different member. This bug affected npm-cli version 6 and above, and was fixed in version 7+.

Out of an abundance of caution, we are recommending all npm users review the maintainers of their projects and organizations for any discrepancies that may be a result of this bug and remove any unexpected members. Please feel free to reach out to us with any additional questions or concerns through the following contact form: https://www.npmjs.com/support.


The GitHub Packages NuGet registry now runs on a new architecture, unlocking great new capabilities:

Publishing packages at organization level with GitHub Packages

Previously, NuGet packages published to GitHub Packages were closely coupled to their repositories. Now packages can be published at an organization level. They can still be linked to a repository at any time, if needed.

Learn more about connecting a repository to a package.

Fine grained permissions for NuGet packages published to GitHub Packages

You can now configure Actions and Codespaces repository access on the package's settings page, or invite other users to access the package. Additionally, NuGet packages published to GitHub Packages can still be configured to automatically inherit all permissions from a linked repository.

Learn more about configuring a package's access control.

Internal visibility

In addition to public and private, a package's visibility can now also be set to internal. It is then visible to all members of the GitHub organization.


These new features are now available to all users on github.com.

Read more about working with the GitHub NuGet registry

We appreciate your feedback on these new changes in GitHub's public community discussions!


We've shipped improvements to the billing pages for GitHub Advanced Security so it is easier for you to see how many licenses you are using.

  • You can now see how enterprises and organizations are using licenses in the summary tiles.
  • You can download a CSV report for each item in the billing table so it is easier to report on license usage.
  • For enterprises, the table is sorted by the number of unique committers in each organization, so it is easy to see where GitHub Advanced Security licenses are used.
  • If an organization chooses to disable GitHub Advanced Security on a repository, the confirmation popup now informs you how this would impact your overall license usage.

Enterprise and Organisation GitHub Advanced Security usage

This is available on the GitHub Advanced Security section on the enterprise's billing settings page enterprise-name/settings/billing and the organization's code security and analysis settings page organization-name/settings/security_analysis.

This has shipped to GitHub.com and will be available in GitHub Enterprise Server 3.9. Learn more about the GitHub Advanced Security billing.


GitHub Advanced Security customers using secret scanning can now view any new secrets exposed in an issue's title, description, or comments within the UI or the REST API. This expanded coverage will also detect and surface secrets matching any custom pattern defined at the repository, organization, or enterprise levels.

We have also expanded the secret scanning partner program. Secret scanning partners will now receive notifications for secrets found in public issues that match their token formats.


We have made a bunch of improvements to our GitHub app in Slack and Microsoft Teams.

Slack

1. Introduced comment capability within Pull request notification cards

We have now added support to add comments on your pull requests directly from the notification card in Slack.

2. Introduced threading for Pull request notifications

Notifications for any pull request will be grouped under a parent card as replies. The parent card always shows the latest status of the PR along with other metadata like title, description, reviewers, labels and checks. Threading gives context, improves collaboration and reduces noise in the channel.

3. Added support to turn on/off threading for Issues and Pull requests

If you do not want to use threading or need some flexibility, we are also rolling out an option to turn on/off threading for issues and pull requests.

For more information, please visit the GitHub app guidance for Slack

Microsoft Teams

1. Improved the create issue functionality

You can now create issues with just a click, right from the place where you interact with your team, i.e. from your channels and personal app.

  • The content of the chat is automatically added into the description along with the link to the MS Teams conversation.
  • The last used repo in the channel will be automatically filled in. However, you can go ahead and change the repo if needed.
  • You can optionally fill in labels, assignees and milestones when you create an issue.
  • Once the issue is created you will receive a confirmation card in the channel where you created the issue.

2. Enhanced the PR notification cards in Channel and Personal App

We made a few UI improvements to the pull request notifications experience in MS Teams.

  • Introduced PR comment capability in GitHub personal app.
  • Made a few updates to the look and feel of the pull request notification card.

For more information, please visit the GitHub app guidance for Microsoft Teams
