Changelog


You can now revoke an exposed GitHub personal access token (PAT) you found outside of repositories, even if it’s not yours, to help quickly limit the impact of the exposure and improve the security of the software ecosystem.

If you find classic or fine-grained PATs on GitHub or elsewhere, you can submit a bulk revocation request using the new Credential Revocation REST API. If the API receives a valid token, it automatically revokes the token and logs the revocation in the token owner’s audit log. If the exposed token was granted access to a GitHub organization, it will no longer have access to the organization.

A screenshot of the user's audit log event, titled "oauth_access.revoke".

It also notifies the token owner of the revocation through an email sent to the primary email address associated with the owner’s GitHub user account:

A screenshot of an email titled "Action needed: Personal access token was revoked"

This is an unauthenticated API and is available for all users on github.com. To prevent abuse, this API is limited to only 60 unauthenticated requests per hour and a max of 1000 tokens per API request.

Learn more in our documentation on best practices for revoking exposed tokens.
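
A batching client for the revocation flow described in this post, as an added example that is not GitHub's own code. The `POST /credentials/revoke` path and the `credentials` body field are taken from GitHub's REST API documentation rather than this page; the token regex and the sample text are constructed assumptions.

```python
import json
import re
import urllib.request

# Path and body field come from GitHub's REST API docs, not from this page.
REVOKE_URL = "https://api.github.com/credentials/revoke"
MAX_TOKENS_PER_REQUEST = 1000  # per-request cap stated in the post
MAX_REQUESTS_PER_HOUR = 60     # unauthenticated rate limit stated in the post

# Assumed token shapes: classic PATs start "ghp_", fine-grained "github_pat_".
PAT_RE = re.compile(r"\b(?:ghp_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9_]{22,255})\b")

# Constructed sample of leaked text (fake tokens, one duplicate, one non-match).
SAMPLE = "\n".join([
    "export GH_TOKEN=ghp_" + "A" * 36,
    'token: "github_pat_' + "B" * 22 + "_" + "C" * 59 + '"',
    "retry with ghp_" + "A" * 36,
    "not a token: ghp_short",
])


def extract_pats(text):
    """Return unique PAT-shaped strings in first-seen order."""
    return list(dict.fromkeys(m.group(0) for m in PAT_RE.finditer(text)))


def plan_batches(tokens, size=MAX_TOKENS_PER_REQUEST):
    """Split tokens into request-sized batches (at most 1000 each)."""
    return [tokens[i:i + size] for i in range(0, len(tokens), size)]


def hours_needed(batch_count):
    """Hours required to send all batches under the 60 requests/hour limit."""
    return -(-batch_count // MAX_REQUESTS_PER_HOUR)  # ceiling division


def build_request(batch):
    """Build the unauthenticated POST; no Authorization header is sent."""
    if not 1 <= len(batch) <= MAX_TOKENS_PER_REQUEST:
        raise ValueError("batch must hold 1 to 1000 tokens")
    return urllib.request.Request(
        REVOKE_URL,
        data=json.dumps({"credentials": batch}).encode(),
        method="POST",
        headers={"Accept": "application/vnd.github+json",
                 "Content-Type": "application/json"},
    )


def submit(batch, timeout=30):
    """Send one batch and return the HTTP status (needs network access)."""
    with urllib.request.urlopen(build_request(batch), timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    batches = plan_batches(extract_pats(SAMPLE))
    print(f"{len(batches)} request(s), about {hours_needed(len(batches))} hour(s)")
    # submit(batch) sends each batch; it is not called here so the script runs offline.
```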


To improve reliability and reduce review assignment conflicts, we’re removing the Dependabot reviewers configuration option on Tuesday, May 27, 2025.

We’re retiring this dependabot.yml configuration option because the functionality overlaps with GitHub code owners. This has caused issues in the past, and it’s duplicated effort to maintain the same functionality.

Moving forward, we recommend relying solely on code owners for assigning pull request reviewers. You can use a CODEOWNERS file to define individuals or teams responsible for code in a repository. GitHub natively supports code owners, ensuring more consistent and streamlined behavior. This change simplifies your configuration by having all your review requests come from one configuration file.

To get started using code owners today, check out these steps to set up a CODEOWNERS file.


Screenshot of GitHub Copilot Edits interface in JetBrains IDEs.

Copilot Edits is now generally available in JetBrains IDEs. This powerful feature lets you refactor, optimize, and iterate on your code faster—across one or multiple files—all from within Copilot Chat.

✨ What’s new

Use Copilot Edits to smoothly make changes in one or multiple files directly from Copilot Chat. To use Copilot Edits, click the Copilot Chat icon in the JetBrains IDE and start a new Edit session.

⚡️ Benefits for developers

  • Enhanced clarity: See a summary of the affected files and proposed changes.
  • Ability to preview changes: View code diffs directly in your editor and decide whether to accept or discard these changes individually or collectively.
  • Increased productivity: Save time and effort with the help of Copilot Edits, enabling you to focus on more complex tasks.

🛠 Get involved

We encourage you to try out the latest version of the GitHub Copilot plugin and share your feedback. Your input is invaluable in helping us refine and improve the product.

💬 Share your feedback

Encounter a bug or have a feature request? Submit an issue here, we’d love to hear from you!


You can now use the user prompt improvement feature in the GitHub Models playground. This new feature helps transform vague or broad prompts into clearer, more specific, and optimized ones for better model outputs. With just a few clicks, you can refine prompts to improve clarity, add focus, or adjust tone and style to match your needs. By providing specific suggestions—like requesting a particular format or style—you can save time and achieve high-quality, actionable results.

Try it out today and unlock more potential in your AI experimentation!

To learn more about GitHub Models, check out the docs. You can also join our community discussions.


CodeQL is the static analysis engine behind GitHub code scanning, which finds and remediates security issues in your code. We’ve recently released version 2.21.1 of CodeQL. Here’s what’s new and improved in this release.

GitHub Actions

  • This CodeQL release coincides with the general availability of support for analyzing GitHub Actions workflows. Learn more in the dedicated changelog post.
  • We’ve improved alert fix suggestions for the actions/missing-workflow-permissions query, making it easier for you to resolve alerts.

JavaScript/TypeScript

  • We’ve added new detections of sources and sinks in Next.js and DOM element references, improving the detection of XSS issues.
  • We’ve enhanced path injection detection for several additional methods.
  • We’ve fixed an issue where tsconfig.json files containing array literals and trailing commas weren’t correctly extracted.

Ruby

  • We’ve improved the rb/useless-assignment-to-local query, so you’ll see fewer false positives and will get helpful documentation for alerts.
  • The rb/uninitialized-local-variable query now only generates an alert when a variable is used as a method call receiver. This should reduce noise. In addition, new help content is available for this query.
  • Calls to super without explicit arguments now have their implicit arguments generated, resulting in more accurate analysis.

For a full list of changes, check out the complete changelog for version 2.21.1. Every new version of CodeQL is automatically deployed to users of GitHub code scanning on github.com. The new functionality in CodeQL 2.21.1 will also be included in GitHub Enterprise Server (GHES) version 3.18. If you’re using an older version of GHES, you can manually upgrade your CodeQL version.


Linking a pull request to an issue makes it easy for collaborators to see that work for the issue is underway. Today, when a linked pull request is merged, the associated issue is automatically closed.

But for many teams, merging a PR doesn’t mean the work is done. There might be QA, validation, or follow-up steps before an issue is truly resolved. With this new repository setting, you can choose whether merging a pull request should automatically close its linked issues.

Repository admins and maintainers can manage this setting under Repository settings > General > Issues. It’s enabled by default to preserve existing behavior.

Shows the repository setting for auto-closing issues

For questions and feedback, join the discussion in GitHub Community.


GitHub Copilot code review now supports C, C++, Kotlin, Swift, and several other popular languages.

With this update, you can receive AI-powered review suggestions for even more code in your pull requests. See the full list of supported languages in our documentation.

Copilot code review now covers over 90% of the file types typically found in pull requests, so more of your code benefits from intelligent insights.

We’ve also improved the quality of suggestions. Copilot code review now surfaces higher-quality, more actionable feedback by better handling of low-confidence and suppressed results. These improvements are especially noticeable in C#, where Copilot now provides more accurate and relevant suggestions with improved version awareness.

In addition, Copilot has improved its ability to understand context. Instead of primarily looking at the file diff in the pull request, it now considers the entire file. This leads to more holistic and relevant review suggestions.

For more details or to join the conversation, visit GitHub Community discussions.


For customers affected by ongoing grace periods, GitHub will automatically update the “enable for new repositories” security configuration setting for customers who have not opted out. This change helps you avoid unexpected billing charges with no manual effort on your part.

Team and Enterprise customers with a configuration applied before April 1, 2025 enabling paid security features for newly created private repositories will see one of the following two changes applied:

  • Configurations with “enable for new repositories” set to “for all public and private repositories” will be adjusted to “for all public repositories only”.
  • Configurations with “enable for new repositories” set to “for all private repositories” will be adjusted to “for no newly created repositories”.

Customers who haven’t yet opted out with a representative from GitHub will see these settings enabled on the following dates:

  • Team customers will see this change on April 23, 2025.
  • Enterprise customers will see this change on April 28, 2025.

Have questions? Reach out to GitHub for support.


GitHub code scanning now offers enhanced security protection for your GitHub Actions workflow files through CodeQL analysis, which is now generally available. This feature enables you to identify and remediate security vulnerabilities in your Actions workflows through automated code scanning, helping prevent potential security issues before they impact your CI/CD pipeline. CodeQL automatically analyzes your workflows to detect common security vulnerabilities, including missing required permissions, dangerous inputs without proper validation, and script injection vulnerabilities.

During the public preview period, we’ve helped secure over 158,000 repositories, detecting more than 800,000 potential vulnerabilities in Actions workflows, with approximately 15% of these issues being fixed by repository maintainers. This strong adoption demonstrates the value of automated security analysis for CI/CD workflows that use GitHub Actions.

For repositories using code scanning’s default setup, we will now automatically enable Actions workflow analysis when workflow files are detected in the default branch. For repositories using advanced setup, simply add the actions language to your existing configuration to enable this protection.

We’ve also added Copilot autofix functionality for the actions/missing-workflow-permissions query, one of the most frequent findings in Actions workflows. When this vulnerability is detected, you’ll receive automated fix suggestions to implement the principle of least privilege in your workflows, making remediation faster and easier.
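
What an `actions/missing-workflow-permissions` finding and its least-privilege fix look like, as an added example that is not CodeQL's query or GitHub's code. The check is a line-based approximation that assumes space-indented, block-style YAML, and the three workflows are constructed samples.

```python
# Constructed sample: no permissions block, so the job inherits the defaults.
WEAK = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
"""

# Corrected form: the workflow token is limited to read-only repository contents.
HARDENED = """\
name: ci
on: [push]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
"""

# Constructed sample: only one of the two jobs declares its own permissions.
MIXED = """\
name: release
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - run: make test
  publish:
    runs-on: ubuntu-latest
    steps:
      - run: make publish
"""


def jobs_missing_permissions(workflow_text):
    """Names of jobs with no workflow-level or job-level permissions block."""
    in_jobs = False
    job_indent = key_indent = current = None
    jobs = {}  # job name -> declares its own permissions
    for raw in workflow_text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip(" "))
        key = line.strip().split(":", 1)[0]
        if indent == 0:
            if key == "permissions":
                return []  # a workflow-level block applies to every job
            in_jobs = key == "jobs"
            continue
        if not in_jobs:
            continue
        if job_indent is None:
            job_indent = indent  # indentation of job names under "jobs:"
        if indent == job_indent:
            current, key_indent = key, None
            jobs[current] = False
        elif current is not None:
            if key_indent is None:
                key_indent = indent  # indentation of this job's direct keys
            if indent == key_indent and key == "permissions":
                jobs[current] = True
    return [name for name, declared in jobs.items() if not declared]
```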

To improve analysis quality, we’ve moved the actions/unversioned-immutable-action query to the extended query suite, allowing for more targeted and comprehensive analysis. If you’re using default setup, you can configure your scanning options to include extended queries. For repositories with advanced setup, you can specify this query suite in your CodeQL configuration. You can find more information about this change in the CodeQL release notes for 2.20.6.

Code scanning’s analysis of GitHub Actions workflow files will be available in GitHub Enterprise Server 3.18.

Learn more about configuring code scanning, securing your use of Actions, and vulnerabilities identified with CodeQL.


Dependabot users can now schedule custom update frequencies by using cron expressions in schedule.interval in the Dependabot configuration file. This enhances the predefined intervals (daily, weekly, and monthly) and provides a more generic and robust solution. This gives Dependabot users the ability to define custom schedules that meet their specific needs.

For help writing a cron expression, try this tool.

To learn more about using cron expressions to schedule Dependabot updates in the dependabot.yml file, check out GitHub’s Dependabot schedule.interval docs.

To engage with the Dependabot community on the topic of cron-based update scheduling, join the conversation.


This is a follow-up to our previous announcement about npm replication APIs.

The new replication feed APIs are now live. While the legacy feeds will remain available—with limitations and scheduled brownout periods—until May 29, 2025, we strongly encourage all users to begin transitioning to the new APIs as soon as possible.

To access the updated feeds ahead of the deprecation, include the npm-replication-opt-in header with a value of true in your requests. This will route your traffic to the new APIs, bypassing the legacy feeds and avoiding any disruptions during brownout phases.

Please note that starting May 29, 2025, the legacy feeds will be fully deprecated. After this date, all requests to the replication feeds will automatically be served by the new APIs, regardless of header usage.

This change is part of our ongoing efforts to improve the performance and reliability of our services. We appreciate your understanding and cooperation during this transition.

Check out the migration guide and join the discussion in GitHub Community.


What's new in GitHub Mobile

During March and April, GitHub Mobile introduced several updates, including bug fixes, accessibility improvements, and a range of new features to make coding and collaboration on the go more seamless. From selecting the model you prefer when using Copilot, to a new way to search within a file, these updates enhance productivity and keep you connected wherever you are.

What’s new?

Introducing sub-issues on GitHub Mobile

  • Introducing multi-model selection in Copilot Chat on GitHub Mobile. Pick your favorite models such as OpenAI o1 and o3-mini, Anthropic Claude 3.5 Sonnet, and Google Gemini 2.0 from the model picker in Copilot Chat to accelerate your workflow.
  • Introducing sub-issues on GitHub Mobile. Track progress and understand remaining work within a parent-child hierarchy on the go.
  • Issue timelines now include events related to sub-issues.
  • Introduced the “find in file” feature on iOS, enabling users to seamlessly search within files for specific content.

Screenshots: new timeline events related to sub-issues; new “find in file” feature on iOS.

iOS bug fixes:

  • Widgets reflect the accent colour when tinted.
  • Add reactions to the latest release in the Releases view.
  • Inbox swipe actions get dismissed before entering batch selection mode.
  • When closing Copilot Chat, the Copilot button no longer moves vertically.
  • Notifications render with HTML comments stripped out.
  • Fix an error when navigating to a workflow summary view.
  • Assistive technologies, such as VoiceOver, indicate the selected state of label filters.
  • Forking a repository with a duplicate name announces an error for accessibility users.
  • Fork button in the repository view announces the correct accessibility label.
  • Accessibility traits announce correctly for all templates in the template picker when creating an issue.
  • Access legal documents about Copilot in Copilot settings.
  • Copilot Chat view changes its color correctly when the system color theme changes.
  • Text scales more naturally in the fork repository view.
  • Improved keyboard navigation for toggles in the settings view.
  • When using VoiceOver, the triage sheet button in Discussions announces its title.
  • The selected email associates with a merge when merging a pull request, instead of using the default email.
  • Discussion polls showcase all content when larger Dynamic Type sizes are selected.
  • When selecting a preferred model in Copilot fails, the application shows an error message instead of crashing.
  • Pull request numbers display without commas in the pull request widget.
  • Copilot Chat messages render markdown headings, ordered and unordered lists, and bold texts.
  • Deep links to issues and pull requests work for renamed repositories.
  • Markdown bar works well with hardware keyboards.

Android bug fixes:

  • Tabs now render correctly when viewing repository files.
  • The triage sheet in the discussion screen is now navigable using the keyboard.
  • Improved scrolling experience for list of web view items with videos or images.
  • The Floating action button won’t obscure your list’s content anymore.
  • Links to resolved Pull Request discussions now open the resolved conversation.
  • Fixed crash that occurred when navigating to some check summaries in the Workflow screen.
  • Notifications no longer display HTML comments in the body.
  • Pull requests from forked repositories now show the repository owner for both base and head branches.
  • Navigate to the correct file when viewing a diff of a pull request from a forked repository to its parent repository.
  • Selected tabs in the bottom navigation bar now open the expected destination.
  • Improved error handling for contribution widget.
  • Dynamic font size improvements for Discussions buttons.
  • Improved login flow for users experiencing issues with redirects.
  • The bottom sheet closes when assignees are selected again.

Learn more about GitHub Mobile and share your feedback to help us improve.

Join the discussion in GitHub Community.


Screenshot of GitHub Copilot for Xcode adds @workspace and support for Claude 3.7 Sonnet and GPT-4.5.

The GitHub Copilot for Xcode extension now allows you to ask questions about your entire codebase using the @workspace context. Additionally, we have added support for new models, including Claude 3.7 Sonnet and GPT 4.5, to enhance your chat conversations and introduced some UX improvements to boost your productivity.

What’s new ✨

  • @workspace context: By referencing @workspace in Copilot Chat, you can ask questions about your entire codebase. GitHub Copilot will analyze your project’s codebase and provide detailed answers, including references to relevant files and symbols. The @workspace context helps you find the code you’re looking for, understand how functionality is implemented, and much more.
  • New model options: Claude 3.7 Sonnet and GPT 4.5 are now available in the model selector of Copilot Chat. Learn more about the models available in our documentation.

UX improvements & bug fixes ⚡️

This update also includes a few other UX improvements and bug fixes:

  • Simplified Workflow: Open Copilot Chat with a single click from our Copilot for Xcode app, making it easier and faster to access. This helps streamline the development process and reduce time spent navigating various menus.
  • Bug fixes: Notifications for enabling background functionality to address crashes or non-responsive states.

Get involved 🛠

We encourage you to try out the latest version of the GitHub Copilot for Xcode extension and share your feedback. Your input is invaluable in helping us refine and improve the product.

Join the discussion 🚀

Connect with us and other developers in the Copilot for Xcode to share your experiences, ask questions, create issues, and provide feedback.


With delegated alert dismissal for secret scanning alerts, you can require a review process before alerts are dismissed. This helps you better manage your security risk as well as meet audit and compliance requirements.

Managing alert dismissal requests is now available with the REST API, offering flexibility for triage and reviews by integrating with your existing workflows.

Reviewers can retrieve dismissal requests for an organization or repository with the following endpoints:

Reviewers can review a dismissal request with the following endpoint:

Learn more about how to secure your repositories with secret scanning.


Rolled up push events grouping

What’s changing?

As part of our effort to help optimize activity feed load times and reduce timeouts, we’re migrating the organizational feed to a newer infrastructure. This migration from our existing system to an improved infrastructure will enable us to have a more performant experience for all users interacting with the organizational feed.

While this change is primarily back end, with minimal impact to the user experience, organizational feed users may notice a slight change to the UI. In our current experience, push event activity notifications have one line per event, mixed in with other event types in the feed. With this improvement, users can see all push events grouped into one card, sorted in chronological order with the most recent events appearing first.

Push events grouping unfurled

When is the change occurring?

This change will occur on April 21st, 2025 for all users that interact with the organizational feed.

Where can I experience this?

You can see these changes on the organizational feed.


Image of organization custom instructions on github.com

Copilot Chat on github.com now supports organization custom instructions! This feature allows Copilot Enterprise customers to set default instructions for all users in their organization, ensuring a consistent experience across teams.

Getting started

  • Navigate to your organization settings on github.com.
  • Select the Copilot tab.
  • Click Custom Instructions in the left sidebar.
  • Add your custom instructions in the provided text box.

That’s it! Copilot will now apply custom instructions to all chats by members of your organization.

Looking for inspiration? 💡

Here are some suggestions to get you started.

  • Set consistent standards: For questions related to security, always redirect to #ask-security on Slack.
  • Establish information architecture: Always refer to the Primer Knowledge Base when answering questions about frontend theming and components.
  • Steer response style: Never include code blocks in responses.

MAI-DS-R1 GitHub Models

MAI-DS-R1 is now available on GitHub Models.

MAI-DS-R1 is an updated version of DeepSeek-R1, refined by Microsoft AI. It handles complex queries more effectively, works across multiple languages, and provides access to previously restricted information. The model maintains the reasoning strengths of the original while improving reliability.

Try, compare, and implement this model in your code for free in the playground or through the GitHub API. Compare it to other models using side-by-side comparisons in GitHub Models.

To learn more about GitHub Models, check out the docs. You can also join our community discussions.


Share Copilot Chat conversation is in public preview

Sharing a Copilot Chat used to mean screenshots and copy-paste. Now it’s as easy as sending a link. Shared conversations are now available in public preview in immersive chat on github.com.

Sharing Copilot Chats makes it easier to:

  • 🕵 Troubleshoot with teammates—like this chat digging into a React onClick issue.
  • 🧠 Showcase learning workflows with a friend. Here’s an example walking through Python interview prep, step by step.
  • 🤗 Drop useful insights into a pull request review or team chat—like this example that clears up an open team debate.
  • 🎬️ Demo cool Copilot tricks on social—like this one where Copilot asks smart follow-up questions before jumping in.

How sharing works

  • Start a conversation. Once you enter your first prompt, the Share button will appear.
  • Click Share and copy the generated link. Anyone with the link can view the conversation.
  • If the chat includes private repository content or other restricted GitHub data, viewers will need the appropriate permissions to see it.
  • As the conversation continues, recipients will see new messages appear in real time.
  • You can unshare a conversation at any time to revoke access.

Shared conversations are currently in public preview for individual users (not members of organizations or enterprises). We’re actively working on expanding access to all Copilot users soon.

Learn more about sharing Copilot Chat conversations and send us your feedback.


Codespaces will be undergoing global maintenance from 16:30 UTC on Monday, April 21 to 16:30 UTC on Tuesday, April 22. Maintenance will begin in our Europe, Asia, and Australia regions. Once it is complete, maintenance will start in our US regions. Each batch of regions will take approximately three to four hours to complete.

During this time period, users may experience intermittent connectivity issues when creating new Codespaces or accessing existing ones.

To avoid disruptions, ensure that any uncommitted changes are committed and pushed before the maintenance starts. Codespaces with uncommitted changes will remain accessible as usual after the maintenance is complete.
