Changelog


We continue our momentum with new capabilities for administrators and many improvements to Chat in our Visual Studio Code and Visual Studio extensions.

🤖 Automate GitHub Copilot access for your organization with User Management API (beta)

Note: This API is in Beta and is subject to change based on feedback.

Since the availability of GitHub Copilot for Business, we’ve heard feedback that assigning GitHub Copilot licenses to large sets of users through the UI can be tedious and time-consuming, particularly if you need to leverage Teams for your permissions management. Additionally, there has yet to be a way to routinely collect a list of stale users and revoke their access – forcing admins to spend precious time reviewing page after page of users’ last activity date and individually pruning access.

With the new User Management API for Copilot for Business, admins can list all Copilot-enabled organization members with their details and add/remove access for individuals and teams. This allows them to automate access at scale, fitting the company’s process and needs.

Check out our documentation to try it out today and leave feedback for us in our Discussion post!

✍️ New Create commands in Visual Studio Code 1.80

To help you create projects and notebooks and search for text in your workspace, we have introduced preview-only slash commands in the Chat view.

Note: To get access to the Chat view, inline chat, and slash commands (for example, /search and /createWorkspace), sign up for the GitHub Copilot chat waitlist and install the Pre-Release version of the GitHub Copilot extension.

Create workspaces

You can ask Copilot to create workspaces for popular project types with the /createWorkspace slash command. Copilot will first generate a directory structure for your request.


You can then use the Create Workspace button to create and open the project directory as a new workspace.

Create notebooks

You can ask Copilot to create Jupyter notebooks based on your requirements with the /createNotebook slash command. Copilot will generate an outline of the notebook based on your needs.

You can then use the Create Notebook command to create the notebook and fill in the code cells based on the suggested outline.

Visual Studio extension improvements

  • Better support for other programming languages – We have improved the quality of the results of questions for XAML, Blazor, C++, etc.
  • Save & Restore chat history – This prevents the user from losing the discussion/chat whenever they close Visual Studio. It is now persisted and restored.
  • Clear chat history – added the ability to clear the chat history so context from previous conversations is not considered in the prompt and answer by Copilot.
  • Multiline prompt box – We improved the prompt input to allow users to ask more extended questions easily.
  • Streaming support for displaying content in the Chat tool window – We have added streaming support to all chat experiences.
  • Specific insertions for test generation – Test generation sometimes requires insertion into separate files or projects. We now support special handling through action buttons in the chat window.
  • Quality of life updates – better context, UI refresh, and error messages throughout the Chat experiences.

Context-aware actions shown based on embeddings

We are introducing context-aware actions like documentation, explanation, and generating tests. These actions take the existing inline context and craft specific intents to provide an optimal and magical experience on those tasks.


Analyze method with GitHub Copilot in CPU usage tool

When triggered, Copilot Chat will explain why the issue occurred and suggest a fix. These show up in the diagnostics experience. These require using preview versions of Visual Studio.


To learn more about Copilot and take full advantage of all of its power, visit our YouTube Copilot playlist. To sign up, see our Copilot features page.


Codespaces is updating the domain used for forwarded ports

Starting in August, Codespaces will be updating web client port forwarding to improve security, reliability, and performance for users. As part of this update, the URL for forwarded ports will change from https://*.preview.app.github.dev to https://*.app.github.dev.

To prepare for this change, replace any hardcoded references to preview.app.github.dev in your code with the GITHUB_CODESPACES_PORT_FORWARDING_DOMAIN environment variable by July 31 to avoid any disruptions. The environment variable value will be updated from preview.app.github.dev to app.github.dev when the migration completes. Learn more about environment variables here.
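An added example, not GitHub's code, of the replacement described above: it flags remaining hardcoded references and builds the forwarded-port origin from environment variables, so an exact-match origin allow-list keeps working across the migration. The `<codespace name>-<port>.<domain>` host layout, the function names and the sample values are assumptions made for this illustration.

```python
import os
import re
from urllib.parse import urlsplit

# The literal the changelog asks you to stop hardcoding.
HARDCODED = re.compile(r"preview\.app\.github\.dev")

# Constructed sample of a config file that still pins the old domain.
SAMPLE_CONFIG = """\
API_PORT=3000
ALLOWED_ORIGIN=https://octo-space-abc123-3000.preview.app.github.dev
LOG_LEVEL=debug
"""


def find_hardcoded(text):
    """Return (line_number, line) pairs that still hardcode the old domain."""
    return [(n, line.strip())
            for n, line in enumerate(text.splitlines(), 1)
            if HARDCODED.search(line)]


def forwarded_origin(port, env=os.environ):
    """Origin of a forwarded port, built only from Codespaces variables."""
    name = env["CODESPACE_NAME"]
    domain = env["GITHUB_CODESPACES_PORT_FORWARDING_DOMAIN"]
    return f"https://{name}-{int(port)}.{domain}"


def is_own_origin(origin, port, env=os.environ):
    """Exact-match check for an Origin header or redirect target.

    Comparing the parsed hostname (never a substring or suffix) rejects
    lookalikes such as 'https://x-3000.app.github.dev.example.net'.
    """
    want = urlsplit(forwarded_origin(port, env))
    try:
        got = urlsplit(origin)
        got_port = got.port          # raises ValueError on a malformed port
    except ValueError:
        return False
    return (got.scheme == "https"
            and got.hostname == want.hostname
            and got_port in (None, 443))


if __name__ == "__main__":
    for lineno, line in find_hardcoded(SAMPLE_CONFIG):
        print(f"hardcoded domain on line {lineno}: {line}")
```
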


Today's Changelog brings you sorting improvements, the ability to select a template or form when creating a new issue from your project, and the ability to add a new option to a single-select field from the side panel!

🗄 Improvements to sorting fields

You can now sort items in a view using two different fields. Select Sort by in the view menu and select a primary sort field, and then hold down Alt (Option on macOS) to select the secondary sort field.

Accessing issue templates in Projects

When creating a new issue directly from a project, you can now choose an issue template or form to apply.

Simply use the + button in the project omnibar and select Create new issue to get started.

image shows a number of options for different issue templates and forms

Adding a new single-select field option from the side panel

We've updated the side panel so that you can add a new option when editing a single-select field. Start typing and you'll be prompted to add a new option if the text doesn't match an existing option.

Bug fixes and improvements

  • Items can now be dragged into collapsed groups in the roadmap layout
  • Empty cells can now be copied and pasted in the table layout
  • Export view data now includes the URL for issues and pull requests
  • Emojis now render in the browser tab title
  • Fixed a bug where you could not copy and paste Assignee information outside of a project
  • Fixed a bug where you could not use Tab to navigate Assignee values on board items
  • Your classic project link now has a working URL after completing migration

See how to use GitHub for project planning with GitHub Issues, check out what's on the roadmap, and learn more in the docs.


Swiftly add content to new issues on GitHub Mobile

Introducing a new way of adding metadata while creating issues on GitHub Mobile

We are excited to enhance the Issue creation experience for GitHub Mobile by introducing a comprehensive Property Bar. This feature allows you to conveniently add assignees, labels, milestones, and projects while creating Issues on GitHub Mobile.

This powerful addition ensures that you have the necessary tools at your fingertips to create your issues with all relevant metadata even quicker than before.

Read more about GitHub Mobile and send us your feedback to help us improve.


GitHub Actions – OpenID Connect (OIDC) integration with AWS is now optimized to avoid pinning any intermediary certificate thumbprints.

While configuring GitHub as an OIDC IdP (identity provider), AWS now secures communication by trusting GitHub Actions' trusted root certificate authorities (CAs) instead of using a certificate thumbprint to verify GitHub's IdP server certificate.
This addresses and avoids any issues caused by pinning certificate thumbprints while authenticating from GitHub to AWS using OIDC. No action is needed for GitHub customers.

Learn more about using OIDC with GitHub Actions.


In April, we announced that GitHub Enterprise Cloud customers could join a public beta for streaming API request events as part of their enterprise audit log. As part of that release, REST API calls against an enterprise's private and internal repositories could be streamed to one of GitHub's supported streaming endpoints.

However, we've discovered the need to expand our API call coverage against private and internal repositories in order to capture other security-significant API routes. Additionally, we've determined that several API routes targeting internal and private repositories generate significant event volumes with little auditing or security value. To address these concerns, we partnered with GitHub's security team to define a set of auditing- and security-significant controllers to serve as the basis for the public beta. These adjustments to the beta should increase signal and decrease the noise generated by the API request events being streamed.

Note: hashed_token and token_id have been redacted for security reasons.

Enterprise owners interested in the public beta can still follow the instructions in our docs for enabling audit log streaming of API requests. We welcome feedback on the changes made to this feature on our beta feedback community discussion post.


Today we are announcing the general availability of pull request merge queue! 🎉

Merge queue helps increase velocity in software delivery by automating pull request merges into your busiest branches.

Before merge queue, developers would often need to update their pull request branches prior to merging to ensure their changes wouldn't break the main branch because of incompatibilities with pull requests already merged. Each of these updates caused a new round of continuous integration (CI) checks that would have to finish before the developer could attempt to merge. Merge queue automates this process by ensuring each pull request queued for merging is tested with any other pull requests queued ahead of it.

Merge queue is available on private and public repos on the GitHub Enterprise Cloud plan and all public repos owned by organizations.

Check out this video demo of how merge queue works.

Updates

Over the last few months, we've been busy fixing bugs and responding to feedback. As part of the general availability, we're announcing the following updates:

  • New: A merge_group webhook event with an action of destroyed is now published when a merge group is destroyed for any reason, including when it's merged or invalidated because a pull request is removed from the queue.
  • Fixed: The before and created properties of the push webhook event published when a temporary branch is created by the queue are now set to reflect that a branch was created.
  • Changed: Jumping to the front of the queue is now only available to admins by default in repos on GitHub Enterprise, but can be granted to individual users and teams using a custom repository role. Previously, any user with write access could jump the queue, but admins did not have a way to limit access to it or grant it to users without write access.
  • Fixed: A pull_request.dequeued webhook event is now consistently published whenever a pull request is removed from the queue for any reason, including when it has been merged by the queue.

Learn more

For more on how to get started with merge queue, check out details on our blog!

A special thanks

A huge shout out and thank you to our customers in the community that participated in the public beta of this feature. Your input will help teams prevent traffic jams on their busiest branches! Hooray!


Passkeys are a replacement for passwords when signing in, providing higher security, ease-of-use, and loss-protection. They're now available on GitHub.com as a public beta – see this blog post for more information.

This public beta is open to all users with a password, regardless of whether you use 2FA. To get started, enable passkeys as a feature preview.

By using passkeys, you no longer need to enter a password, or even your username, when you sign in – nor do you need to perform 2FA, if you have 2FA enabled on your account. That's because passkeys validate your identity, as well as possession of a device, so they count as two authentication factors in one.

Once enrolled, you can register a brand new passkey and upgrade many security keys to a passkey. If you're enrolled in the preview, the next time you use an eligible security key you'll be asked to upgrade it.
Screenshot of the security key upgrade prompt, asking the user if they'd like to upgrade a security key called 'fingerprint' to a passkey.

To learn more, check out this blog post about passkeys, as well as "About passkeys" in our documentation. If you have any feedback, please drop us a note in our public discussion – we're excited for this advance in account security, and would love to understand how we can make it better for you.


When analyzing a Python project with code scanning using CodeQL through advanced setup, we would try to automatically install dependencies for the project. Over the past months and years, we've made significant improvements to the Python analysis, which means CodeQL no longer needs to fetch these dependencies in order to analyze a codebase.

Therefore, starting now, we have disabled automatic dependency installation for new users of CodeQL for Python. This should improve scan times for Python projects, while having minimal impact on results. Code scanning users that have already set up CodeQL to scan at least one Python project will not see any changes to newly configured repos: the new behaviour only applies to those with no prior Python projects set up. We encourage existing users that configured code scanning with CodeQL via advanced setup to disable dependency installation by setting setup-python-dependencies: false as described in documentation.

Users of GitHub Enterprise Server (GHES) will benefit from this change starting with version 3.11. We plan to deprecate all dependency installation (including for existing users) by the end of 2024.


npm will now check the linked source commit and repository when you view a package's provenance information on npmjs.com. If the linked source commit or repository cannot be found, an error displays at the top of the page and alongside the provenance information to let you know that provenance for this package can no longer be established. This can happen when a repository is deleted or made private.

Note: In future releases, publishing a public package with provenance from a private source repository will not be allowed.

Read more about viewing npm provenance and publishing with provenance.


Today we are making further improvements to granular access tokens in npm.

Highlights of this update are:

  • Custom Expiration Times: You can now create granular access tokens with custom expiration times, allowing for durations that span multiple years.
  • Increased Token Limit: We have expanded the maximum limit for granular access token creation to 1000. This enables maintainers with a large number of packages to secure their publishing workflows more efficiently.

We recommend using granular access tokens with least privileges (for example one token per package) for automating your publishing and org management activities.

Read more about creating granular access tokens here.


We have added over 17.5 million new package licenses to our database, expanding the license coverage for packages that appear in dependency graph, dependency insights, dependency review, and a repository's software bill of materials (SBOM). Package licenses dictate how a package can be used, making them an essential aspect of compliance when working with open source software.

These licenses are sourced from ClearlyDefined, a curated data store for open source licenses.


A total redesign of GitHub’s code search and navigation was released to all logged-in GitHub users in May. Starting today, the new redesigned code navigation experience, including a file tree and symbols pane, will be available to anyone browsing anonymously on GitHub.com. To access the new code search experience, and make full use of the symbol navigation, create an account or log in to GitHub.com.


GitHub secret scanning protects users by searching repositories for known types of secrets. By identifying and flagging these secrets, our scans help prevent data leaks and fraud.

We have partnered with Workato to scan for their API tokens and help secure our mutual users on public repositories. Workato Developer API tokens allow users to effectively manage their Workato workspaces programmatically and reduce administrative overhead as they onboard teams from across their organisation. GitHub will forward access tokens found in public repositories to Workato, which will then notify the user about the leaked token. You can read more information about Workato's tokens here.

All users can scan for and block Workato's tokens from entering their public repositories for free with push protection. GitHub Advanced Security customers can also scan for and block Workato tokens in their private repositories.


The 2023 updates to our ISO/IEC 27001:2013 certificate can be downloaded now. In addition, we have completed the processes for ISO/IEC 27701:2019 (PII Processor), ISO/IEC 27018:2019, and CSA STAR certifications. Those certificates can also be downloaded now.

  • For enterprises, administrators may download this report by navigating to the Compliance tab of the enterprise account: https://github.com/enterprises/"your-enterprise"/settings/compliance.
  • For organizations, owners may find these reports under Security > Compliance settings tab of their organization: https://github.com/organizations/"your-org"/settings/compliance.

For detailed guidance on accessing these reports, read our compliance documentation for organizations and enterprises.

Check out the GitHub blog for more information.


With GHES 3.9, you and your organization can better manage your Dependabot alerts thanks to more granular enablement controls. You can now enable Dependabot alerts at the repository, organization, and enterprise level, rather than having to enable Dependabot alerts across an entire enterprise at once.

This release also adds support for "automatically enable for new repositories" at the organization and enterprise levels.

Enterprise admins still need to opt in to Dependabot alerts via GitHub Connect, which approves outbound calls for advisories to sync.

Learn more about changes for GHES 3.9 for Dependabot.


After we released Swift in beta on June 1st, we are now adding support for the long-awaited Swift 5.8.1 and Xcode 14.3.1. This release also brings better support for Swift 5.x on Linux, which now supports versions up to and including 5.8.1.

Swift 5.8.1 support is available starting with CodeQL version 2.13.5. Code scanning users on GitHub.com will automatically benefit from the latest CodeQL version, while those on GitHub Enterprise Server can update using these guidelines. Security researchers can set up the CodeQL CLI and VS Code extension by following these instructions.

While our Swift analysis support remains in public beta, we welcome your input. If you have any feedback or questions about the Swift beta, consider joining our community in the #codeql-swift-beta channel in the GitHub Security Lab Slack.


GitHub provides Enterprise customers with the ability to programmatically retrieve enterprise and organization audit log events in near real-time using the audit log API. A high-quality audit log is an essential tool used by enterprises to ensure compliance, maintain security, investigate issues, and promote accountability. To support these objectives, the audit log API needs to be highly reliable, consistently available, and extremely scalable.

Recognizing the audit log API's importance as a data source to enterprises, each audit log API endpoint will impose a rate limit of 15 queries per minute per enterprise or org starting August 1st, 2023. Based on a thorough analysis of event generation data, we are confident that the new rate limit will continue to support customers in accessing near real-time data via the audit log API. Additionally, query cost is a crucial consideration, and in the future, the audit log may impose further rate limiting for high-cost queries that place significant strain on our data stores.

What can you do to prepare for these changes? First, programs or integrations querying the audit log API should be adjusted to query at a maximum frequency of 15 queries per minute. Additionally, applications querying the audit log API should be updated to be capable of honoring HTTP 429 responses, enabling them to dynamically adjust to the back-pressure exerted by our systems. Alternatively, enterprises seeking access to near real-time data should consider streaming their enterprise audit log.
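The two adjustments above, client-side pacing to 15 queries per minute and backing off on HTTP 429, sketched as an added example (not GitHub's code). The `fetch` transport, the use of a `Retry-After` header when one is present, and the simulated responses are assumptions for this illustration.

```python
import time
from collections import deque


class AuditLogPoller:
    """Paces calls to one audit log endpoint and backs off on HTTP 429."""

    def __init__(self, fetch, limit=15, window=60.0,
                 clock=time.monotonic, sleep=time.sleep, max_retries=5):
        self.fetch = fetch      # hypothetical transport: () -> (status, headers, body)
        self.limit, self.window = limit, window
        self.clock, self.sleep = clock, sleep
        self.max_retries = max_retries
        self.sent = deque()     # send times still inside the sliding window

    def wait_for_slot(self):
        """Block until one more request keeps us within limit per window."""
        while True:
            now = self.clock()
            while self.sent and now - self.sent[0] >= self.window:
                self.sent.popleft()
            if len(self.sent) < self.limit:
                self.sent.append(now)
                return now
            self.sleep(self.window - (now - self.sent[0]))

    def query(self):
        """One logical query; retried requests also consume local budget."""
        for attempt in range(self.max_retries + 1):
            self.wait_for_slot()
            status, headers, body = self.fetch()
            if status != 429:
                return status, body
            # Assumption: use Retry-After when the server sends it,
            # otherwise fall back to capped exponential backoff.
            hint = headers.get("Retry-After")
            self.sleep(float(hint) if hint else min(60.0, 2.0 ** attempt))
        raise RuntimeError("audit log endpoint still returning 429")


def simulate(queries=20, throttle_on_call=3):
    """Constructed run on a fake clock: call number N is answered with 429."""
    state = {"t": 0.0, "calls": 0}
    sleeps = []

    def clock():
        return state["t"]

    def sleep(seconds):
        sleeps.append(seconds)
        state["t"] += seconds

    def fetch():
        state["calls"] += 1
        if state["calls"] == throttle_on_call:
            return 429, {"Retry-After": "7"}, ""
        return 200, {}, "[]"

    poller = AuditLogPoller(fetch, clock=clock, sleep=sleep)
    statuses = [poller.query()[0] for _ in range(queries)]
    return statuses, sleeps, state["calls"]


if __name__ == "__main__":
    print(simulate())
```

In the simulated run the poller waits 7 seconds after the 429, then pauses twice more so that no 60-second window ever contains more than 15 requests.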
