
Enterprise Server 3.1 release notes

Enterprise Server 3.1.4

Download

July 27, 2021

  • Packages have been updated to the latest security versions.

  • The counts on packages pages were not being incremented when a package was downloaded.

  • ghe-config-apply would time out, prompt for input, or fail for a customer that had secret scanning enabled and had either disabled or never enabled GitHub Actions on their instance.

  • Log files were not reopened after rotation in some cases leading to high disk space usage on instances with high uptime.

  • Upgrading from an older version of GitHub Enterprise Server could fail due to a missing job in GitHub Actions.

  • Custom pre-receive hooks could lead to an error like error: object directory /data/user/repositories/0/nw/12/34/56/7890/network.git/objects does not exist; check .git/objects/info/alternates.

  • The Pages container build did not support unauthenticated HTTP proxies, which affected every user who relies on an HTTP proxy.

  • A significant number of 503 errors were logged every time a user visited a repository's /settings page if the dependency graph was not enabled.

  • Internal repositories were only returned when a user had affiliations with the repository through a team or through collaborator status, or queried with the ?type=internal parameter.

  • Failed background jobs had unlimited retries which could cause large queue depths.

  • A significant number of 503 errors were being created if the scheduled job to sync vulnerabilities with GitHub.com attempted to run when dependency graph was not enabled and content analysis was enabled.

  • When GitHub Actions is enabled without running regular scheduled backups, the MSSQL transaction log could grow unbounded and can consume all available space on the appliance's data disk, causing a possible outage.

    If you have configured regularly scheduled MSSQL backups, no further action is required. Otherwise, if you previously enabled GitHub Actions, run the following commands after installing this patch.

    ghe-actions-console -s Mps -c 'Update-Service -Force'
    ghe-actions-console -s Token -c 'Update-Service -Force'
    ghe-actions-console -s Actions -c 'Update-Service -Force'
    
  • The logs for babeld now include a cmd field for HTTP ref advertisement requests instead of only including it during the negotiation requests.

  • The GitHub Packages npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.

  • Custom firewall rules are removed during the upgrade process.

  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.

  • Issues cannot be closed if they contain a permalink to a blob in the same repository, where the blob's file path is longer than 255 characters.

  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

Enterprise Server 3.1.3

Download

July 14, 2021

📣 This is not the latest patch release of Enterprise Server. Please use the latest release for the latest security, performance, and bug fixes.

  • HIGH: A path traversal vulnerability was identified in GitHub Enterprise Server that could be exploited when building a GitHub Pages site. User-controlled configuration options used by GitHub Pages were not sufficiently restricted and made it possible to read files on the GitHub Enterprise Server instance. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the GitHub Enterprise Server instance. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.1.3 and has been assigned CVE-2021-22867. This vulnerability was reported via the GitHub Bug Bounty program.

  • Packages have been updated to the latest security versions.

  • SAML expiration date variable was not configurable.

  • Application services would fail their health checks during config apply before they could enter a healthy state.

  • ghe-cluster-config-node-init would fail during cluster setup if HTTP proxy is enabled.

  • Pre-receive hooks could encounter an error Failed to resolve full path of the current executable due to /proc not being mounted on the container.

  • Collectd would not resolve the forwarding destination hostname after the initial startup.

  • The job that purged stale deleted repositories could fail to make progress if some of those repositories were protected from deletion by legal holds.

  • Background jobs were being queued to the spam queue which were not being processed.

  • The preferred merge method would be reset when retrying after a failed PR merge.

  • Git pushes could result in a 500 Internal Server Error during the user reconciliation process on instances using LDAP authentication mode.

  • After upgrading from 3.0.x to 3.1.x, in some cases GitHub Actions would fail with an error: An unexpected error occurred when executing this workflow.

  • Improved the efficiency of config apply by skipping IP allow firewall rules that had not changed, which saved significant time on large clusters.

  • The GitHub Packages npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.

  • Custom firewall rules are removed during the upgrade process.

  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.

  • Issues cannot be closed if they contain a permalink to a blob in the same repository, where the blob's file path is longer than 255 characters.

  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
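The path traversal fixed in 3.1.3 (CVE-2021-22867, the first item in this section) is an instance of a general bug: a path taken from user-controlled site configuration is used to read files without checking that it stays inside the site. The Ruby below is an added example and not GitHub's Pages build code; the config key `include_dir`, the site-root layout, and the helper names are assumptions made for illustration. It shows the trusting form beside a contained form and runs both against a throwaway site root.

```ruby
# Added example, not GitHub's Pages build code. The config key "include_dir"
# and the site_root layout are assumptions for illustration.
require "tmpdir"
require "fileutils"

class PathTraversalError < StandardError; end

# Resolve `relative` against `root` and refuse any result that leaves `root`.
# Absolute paths, "..", and in-root symlinks that point outside are all caught
# because the comparison is made on fully resolved paths.
def resolve_within_root(root, relative)
  root_real = File.realpath(root)
  candidate = File.expand_path(relative.to_s, root_real)
  candidate = File.realpath(candidate) if File.exist?(candidate)
  root_prefix = root_real.end_with?(File::SEPARATOR) ? root_real : root_real + File::SEPARATOR
  unless candidate == root_real || candidate.start_with?(root_prefix)
    raise PathTraversalError, "#{relative.inspect} resolves outside #{root_real}"
  end
  candidate
end

# Vulnerable form: the config value is joined onto the root and trusted as-is,
# so "../../etc/passwd" walks off the site.
def unsafe_include_dir(site_root, config)
  File.join(site_root, config.fetch("include_dir", "_includes"))
end

# Hardened form: the same value must resolve inside the site root.
def safe_include_dir(site_root, config)
  resolve_within_root(site_root, config.fetch("include_dir", "_includes"))
end

# Runs both forms against a temporary site root and reports what each did.
# Returns a hash so the behaviour can be checked programmatically.
def traversal_demo(config)
  Dir.mktmpdir("site") do |site_root|
    FileUtils.mkdir_p(File.join(site_root, "_includes"))
    result = { unsafe: unsafe_include_dir(site_root, config), safe: nil, blocked: false }
    begin
      result[:safe] = safe_include_dir(site_root, config)
    rescue PathTraversalError => e
      result[:blocked] = true
      result[:reason] = e.message
    end
    result[:inside_root] = !result[:safe].nil? && result[:safe].start_with?(File.realpath(site_root))
    result
  end
end
```

The useful property is that every filesystem path derived from configuration goes through one containment function; an allow-list of option names alone does not help when a permitted option carries a hostile value.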

Enterprise Server 3.1.2

Download

June 24, 2021

📣 This is not the latest patch release of Enterprise Server. Please use the latest release for the latest security, performance, and bug fixes.

  • Packages have been updated to the latest security versions.

  • A large number of gauge-dependency-graph-api-dispatch_dispatch metrics could accumulate in the Management Console.

  • The sshd service would sometimes fail to start on instances running on Google Cloud Platform.

  • Old upgrade files would persist on the user disk, sometimes resulting in out of space conditions.

  • gh-migrator displayed an incorrect path to its log output.

  • An export archive would silently fail to import pull requests if they contained review requests from teams not present in the archive.

  • Updated the GitHub Actions runner version in GHES 3.1 to v2.278.0.

  • The GitHub Packages npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.

  • Custom firewall rules are removed during the upgrade process.

  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.

  • Issues cannot be closed if they contain a permalink to a blob in the same repository, where the blob's file path is longer than 255 characters.

  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

  • After upgrading from 3.0.x to 3.1.x, in some cases GitHub Actions can fail with an error: An unexpected error occurred when executing this workflow. To workaround this problem, connect to the administrative shell (ssh) and run:

    ghe-actions-console -s actions -c "Queue-ServiceJob -JobId 4DB1F4CF-19FD-40E0-A253-91288813DE8B"
    

Enterprise Server 3.1.1

Download

June 10, 2021

📣 This is not the latest patch release of Enterprise Server. Please use the latest release for the latest security, performance, and bug fixes.

  • Packages have been updated to the latest security versions.

  • SVN 1.7 and older clients showed an error when using the svn co and svn export commands.

  • Accessing a repository through the administrative shell using ghe-repo <owner>/<reponame> would hang.

  • After upgrading, users experienced reduced availability during heavy usage, because services restarted too frequently. This would occur due to timeout mismatches between the nomad configuration and that of the internal services.

  • In some instances, running ghe-repl-status after setting up GitHub Actions would produce an error and ghe-actions-teardown would fail.

  • ghe-dbconsole would return errors under some circumstances.

  • Import failures of organizations or repositories from non-GitHub sources could produce an undefined method '[]' for nil:NilClass error.

  • GitHub profile names might have changed unintentionally when using SAML authentication, if the GitHub profile name did not match the value of the attribute mapped to the Full name field in the Management Console.

  • Upgrading an instance that had previously run a 2.13 release, but not a 2.14 release, resulted in a database migration error relating to the AddRepositoryIdToCheckRuns data transition.

  • Users of the GraphQL API can query the public field closingIssuesReferences on the PullRequest object. This field retrieves issues that will be automatically closed when the related pull request is merged. This approach will also allow this data to be migrated in future, as part of a higher fidelity migration process.

  • The GitHub Packages npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.

  • Custom firewall rules are removed during the upgrade process.

  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.

  • Issues cannot be closed if they contain a permalink to a blob in the same repository, where the blob's file path is longer than 255 characters.

  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

  • After upgrading from 3.0.x to 3.1.x, in some cases GitHub Actions can fail with an error: An unexpected error occurred when executing this workflow. To workaround this problem, connect to the administrative shell (ssh) and run:

    ghe-actions-console -s actions -c "Queue-ServiceJob -JobId 4DB1F4CF-19FD-40E0-A253-91288813DE8B"
    
  • When a replica node is offline in a high availability configuration, GitHub Enterprise Server may still route GitHub Pages requests to the offline node, reducing the availability of GitHub Pages for users.

Enterprise Server 3.1.0

Download

June 3, 2021

📣 This is not the latest patch release of Enterprise Server. Please use the latest release for the latest security, performance, and bug fixes.

For minimum infrastructure requirements, see "About minimum requirements for GitHub Enterprise Server 3.0 and later."

  • GitHub Advanced Security secret scanning

    • Secret scanning is now generally available on GitHub Enterprise Server 3.1+. Scan public and private repositories for committed credentials, find secrets, and notify the secret provider or admin the moment they are committed to a repository.

      This release includes several improvements from the GitHub Enterprise Server secret scanning beta:

      • Expanded our pattern coverage from 24 partners to 37
      • Added APIs and webhooks
      • Added notifications to commit authors when they commit a secret
      • Updated the index view to make triaging large numbers of secrets easier
      • Reduced the false-positive rate for many patterns

      Admins using GitHub Advanced Security can [enable and configure](/enterprise-server@3.1/admin/configuration/configuring-secret-scanning-for-your-appliance) GitHub Advanced Security secret scanning. Review the updated minimum requirements for your platform before you turn on GitHub Advanced Security secret scanning.

  • GitHub Advanced Security billing improvements

    • This release includes several improvements to GitHub Advanced Security billing on GitHub Enterprise Server:

      • GitHub Advanced Security customers can now view their active committer count and the number of unused committer seats remaining on the billing page of their organization or enterprise account. If Advanced Security was purchased for the enterprise, admins can also view the active committer seats being used by other organizations in their enterprise. For more information, see "About licensing for GitHub Advanced Security" and "Viewing your GitHub Advanced Security usage."
      • GitHub Advanced Security customers can now view the active committer count for any repository with Advanced Security enabled on the billing page of their organization or enterprise account. These changes help billing admins track usage against the number of committer licenses they have purchased. For more information, see "Managing security and analysis settings for your organization."
  • Dependabot improvements

    • This release includes improvements to Dependabot alerts on GitHub Enterprise Server:

      • Users who have enabled Dependabot alerts can see which of their repositories are affected by a given vulnerability by navigating to the entry in the GitHub Advisory Database. This feature is available in public beta. For more information, see "Viewing and updating vulnerable dependencies in your repository."
      • You will no longer receive email and web notifications for Dependabot alerts on low- and medium-severity vulnerabilities. These alerts remain accessible from the repository's Security tab. For more information, see "Viewing and updating vulnerable dependencies in your repository."
      • You can now tell people how to responsibly report security vulnerabilities in your project by adding a SECURITY.md file to your repository's root, docs, or .github folder. When someone creates an issue in your repository, they will see a link to your project's security policy. For more information, see "Adding a security policy to your repository."
  • GitHub Actions workflow visualization beta

    • GitHub Actions can now generate a visual graph of your workflow on every run. With workflow visualization, you can:

      • View and understand complex workflows
      • Track the progress of workflows in real time
      • Troubleshoot runs quickly with easy access to logs and job metadata
      • Monitor the progress of deployment jobs and easily access deployment targets

      For more information, see "Using the visualization graph."

  • OAuth 2.0 Device Authorization Grant

  • Pull request auto-merge

    • With auto-merge, pull requests can be set to merge automatically when all merge requirements have been met. This saves users from having to repeatedly check the status of their pull requests in order to merge them. Auto-merge can be enabled by a user with permission to merge, and on pull requests that do not yet satisfy the merge requirements. For more information, see "Automatically merging a pull request."

  • Custom notifications

    • You can customize the types of notifications you want to receive from individual repositories. For more information, see "Configuring notifications."

  • GitHub Mobile filtering

    • GitHub Mobile filtering lets you search for and find issues, pull requests, and discussions from your device. New metadata on issue and pull request list items lets you filter by assignee, check status, review status, and comment count.

      The GitHub Mobile beta is available for GitHub Enterprise Server. Sign in with our Android and iOS apps to triage notifications and manage issues and pull requests on the go. Admins can disable mobile support for their enterprise using the Management Console or by running ghe-config app.mobile.enabled false. For more information, see "GitHub for mobile."

  • Administration changes

    • The time a repository spends in a locked state has been greatly reduced by precomputing checksums, allowing more write operations to succeed immediately and improving monorepo performance.

    • The latest version of the CodeQL CLI supports uploading analysis results to GitHub. This makes it easier to run code analysis for customers who want to use a CI/CD system other than GitHub Actions. Previously, these users had to use the separate CodeQL runner, which continues to be available. For more information, see "About CodeQL code scanning in your CI system."

    • GitHub Actions now supports skipping push and pull_request workflows by looking for some common keywords in your commit message.

    • Check annotations older than four months are archived.

  • Security changes

  • Developer changes

    • You can specify multiple callback URLs when configuring a GitHub App. This can be used for services with multiple domains or subdomains. GitHub will always deny authorization if the callback URL from the request is not listed as an authorized callback URL.

    • GitHub App file permissions have been updated to allow app developers to specify up to 10 files that their app can request read-only or read/write access to.

    • CodeQL now supports more libraries and frameworks for a variety of languages (C++, JavaScript, Python, [Java](https://github.com/github/codeql/tree/main/java), Go). The CodeQL engine can now detect more sources of untrusted user data, which improves the quality and depth of code scanning alerts. For more information, see "About CodeQL."

    • When configuring a GitHub App, the authorization callback URL is a required field. Now we allow developers to specify multiple callback URLs. This can be used for services with multiple domains or subdomains. GitHub will always deny authorization if the callback URL from the request is not in the list of authorized callback URLs.

    • Delete a directory of files, including subdirectories, from your web browser. For more information, see "Deleting files or a directory."

    • Include multiple words after the # in an issue, discussion, or pull request comment to further narrow your search.

    • When composing an issue, pull request, or discussion comment, list syntax for bullets, numbers, and tasks is auto-completed after you press return or enter.
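The callback URL rule in the developer changes above (deny unless the requested callback is one of the registered ones) is where OAuth redirect attacks are stopped, so the comparison has to be exact rather than a prefix test. The Ruby below is an added example, not GitHub's implementation: it canonicalizes a callback URL to the components that must agree and checks it against the app's registered list. The matching rule (scheme, host, port, path and query must all match; userinfo and fragments are refused) is an assumption chosen to be strict and is not a statement of GitHub's own comparison rules. The registered URLs and hostnames are constructed for the example.

```ruby
# Added example, not GitHub's code. The registered list and hostnames are
# constructed; the strict matching rule is an assumption, not GitHub's rule.
require "uri"

# Reduce a callback URL to the tuple that must match. Returns nil for anything
# that should never be accepted: unparsable input, non-HTTP schemes, userinfo
# ("https://good.example@evil.example/"), or fragments.
def canonical_callback(url)
  u = URI.parse(url.to_s.strip)
  return nil unless u.is_a?(URI::HTTP) && u.host && !u.host.empty?
  return nil if u.userinfo || u.fragment
  path = u.path.empty? ? "/" : u.path
  # Default ports are already filled in by URI, so ":443" and no port agree.
  [u.scheme.downcase, u.host.downcase, u.port, path, u.query]
rescue URI::InvalidURIError
  nil
end

# True only when `requested` canonicalizes to exactly one registered URL.
# Registered entries that fail to canonicalize are ignored, never treated as
# wildcards.
def callback_authorized?(registered, requested)
  want = canonical_callback(requested)
  return false if want.nil?
  registered.any? { |r| canonical_callback(r) == want }
end

# Naive prefix matching, kept only to show what it lets through: a registered
# "https://app.example.com" is a prefix of "https://app.example.com.evil.net/".
def prefix_match_authorized?(registered, requested)
  registered.any? { |r| requested.start_with?(r) }
end

# Constructed sample registration with two callback URLs for one app.
REGISTERED_CALLBACKS = [
  "https://app.example.com/auth/callback",
  "https://app.example.com",
].freeze
```

When the authorization server sends the user to the callback it should use the canonical form it matched, never the raw request string, so that what was checked is what is used.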

  • API changes

    • The code scanning API allows users to upload data about static analysis security testing results, or export data about alerts. For more information, see the code scanning API reference.

    • The GitHub Apps API for managing installations has been promoted from API preview to general availability. The preview header is no longer required to access these endpoints.

  • In some cases, users removed from a team or organization could retain write access to branches of existing open pull requests.

  • Packages have been updated to the latest security versions.

  • Fixes for known issues in release candidates

    • All known issues from Release Candidate 1 have been fixed except those listed in the "Known issues" section.

  • Fixes for other issues

    • On the "Configure Actions and Packages" page of the initial setup process, clicking the "Test domain settings" button did not complete the test.

    • Running ghe-btop failed with an error that the 'babeld' container could not be found.

    • If you changed the automatic failover settings, MySQL could reload and cause downtime.

    • After an upgrade, a mismatch between internal and external timeout values caused services to be unavailable.

    • Expected replication lag in MSSQL generated warnings.

    • The "Configure clustering" link on the Management Console was incorrect.

    • When creating or editing a pre-receive hook, a race condition in the UI meant that, after a repository was selected, the files in that repository sometimes did not populate the file dropdown.

    • When adding an IP address to the allow list using the "Create Whitelist Entry" button, it could still show as locked.

    • References to the Dependency graph and Dependabot alerts features did not show as disabled on some repositories.

    • Setting an announcement in enterprise account settings could cause a 500 Internal Server Error.

    • HTTP POST requests to the /hooks endpoint could fail with a 401 response due to an incorrectly configured hookID.

    • The build-server process failed to clean up processes, leaving them in a defunct state.

    • spokesd created excessive log entries including the phrase "fixing placement skipped".

    • When upgrading Actions, the upgrade could fail if the instance was unable to make requests to itself via its configured hostname.

    • Upgrading from 2.22.x to 3.1.0.rc1 could cause a database migration error related to the BackfillIntegrationApplicationCallbackUrlsTransition data transition.

  • Accessing a repository through the administrative shell using ghe-repo <owner>/<reponame> will hang. As a workaround, use ghe-repo <owner>/<reponame> -c "bash -i" until a fix is provided in the next release.

  • The GitHub Packages npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.

  • Custom firewall rules are not maintained during the upgrade process.

  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.

  • Issues cannot be closed if they contain a permalink to a blob in the same repository, where the blob's file path is longer than 255 characters.

  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

  • Upgrading an instance that had previously run a 2.13 release, but not a 2.14 release, results in a database migration error relating to the AddRepositoryIdToCheckRuns data transition.

  • After upgrading from 3.0.x to 3.1.x, in some cases GitHub Actions can fail with an error: An unexpected error occurred when executing this workflow. To workaround this problem, connect to the administrative shell (ssh) and run:

    ghe-actions-console -s actions -c "Queue-ServiceJob -JobId 4DB1F4CF-19FD-40E0-A253-91288813DE8B"
    
  • When a replica node is offline in a high availability configuration, GitHub Enterprise Server may still route GitHub Pages requests to the offline node, reducing the availability of GitHub Pages for users.

  • Deprecation of GitHub Enterprise Server 2.20

    • **GitHub Enterprise Server 2.20 was discontinued on March 2, 2021**. That means that no patch releases will be made, even for critical security issues, after this date. For better performance, improved security, and new features, upgrade to the newest version of GitHub Enterprise Server as soon as possible.

  • Deprecation of GitHub Enterprise Server 2.21

    • **GitHub Enterprise Server 2.21 was discontinued on June 9, 2021**. That means that no patch releases will be made, even for critical security issues, after this date. For better performance, improved security, and new features, upgrade to the newest version of GitHub Enterprise Server as soon as possible.

  • Deprecation of legacy GitHub App webhook events

    • Starting with GitHub Enterprise Server 2.21.0, two legacy GitHub Apps-related webhook events have been deprecated and will be removed in GitHub Enterprise Server 3.2.0. The deprecated events integration_installation and integration_installation_repositories have corresponding supported events. More information is available in the deprecation announcement blog post.

  • Deprecation of legacy GitHub Apps endpoint

    • Starting with GitHub Enterprise Server 2.21.0, the legacy GitHub Apps endpoint for creating installation access tokens has been deprecated and will be removed in GitHub Enterprise Server 3.2.0. More information is available in the deprecation announcement blog post.

  • Deprecation of OAuth Application API

    • GitHub no longer supports the OAuth application endpoints that contain access_token as a path parameter. We have introduced new endpoints that allow you to securely manage tokens for OAuth applications by moving access_token to the request body. While deprecated, the endpoints are still accessible in this version. We intend to remove these endpoints on GitHub Enterprise Server 3.4. For more information, see the deprecation announcement blog post.

  • Deprecation of GitHub Actions short SHA support

    • GitHub Actions will remove support for referencing actions using the shortened version of a git commit SHA. This may cause some workflows in your repository to break. To fix these workflows, update the action reference to use the full commit SHA. For more information, see "Security hardening for GitHub Actions."
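Finding the workflows that the short SHA deprecation above will break is a matter of scanning every `uses:` line for a ref that is hex but shorter than the 40 characters of a full commit SHA. The Ruby below is an added example, not GitHub's tooling: it walks workflow YAML line by line (so it can report line numbers), skips local `./` actions and `docker://` images, and returns the abbreviated references. The sample workflow text is constructed for the example; the SHAs in it are not real commits.

```ruby
# Added example, not GitHub's tooling. SAMPLE_WORKFLOW is constructed; the
# action names and SHAs in it are illustrative only.

# A step line such as "- uses: owner/repo@ref" or the quoted form; the ref is
# everything up to whitespace, a quote, or a trailing comment.
USES_LINE = /^\s*-?\s*uses:\s*["']?(?<ref>[^"'\s#]+)["']?/

# Returns an array of {line:, uses:, sha:} for every action reference whose ref
# part looks like an abbreviated SHA (4..39 hex chars). A branch or tag that is
# itself all-hex would be reported too; that is a false positive worth a look,
# not a reason to skip the line. Full 40-hex SHAs are left alone.
def short_sha_action_refs(workflow_text)
  findings = []
  workflow_text.each_line.with_index(1) do |line, lineno|
    next unless (m = USES_LINE.match(line))
    ref = m[:ref]
    next if ref.start_with?("./", "docker://")
    action, sha = ref.split("@", 2)
    next if sha.nil?
    next unless sha.match?(/\A[0-9a-f]{4,39}\z/i)
    findings << { line: lineno, uses: action, sha: sha }
  end
  findings
end

# Constructed sample: two abbreviated SHAs, one full SHA, a tag, a local
# action, a docker image, and a run: line that merely contains the word uses.
SAMPLE_WORKFLOW = <<~YAML
  name: ci
  on: [push, pull_request]
  jobs:
    build:
      runs-on: ubuntu-latest
      steps:
        - uses: actions/checkout@a81bbbf   # abbreviated SHA
        - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
        - uses: actions/cache@v3
        - uses: ./.github/actions/local-thing
        - uses: docker://alpine:3.18
        - uses: "octo-org/deploy/subdir@deadbeef1"
        - name: not an action
          run: echo uses: nothing@abc
YAML
```

Each finding names the action and the abbreviated ref; resolving it to the full SHA still requires `git rev-parse` against the action's repository, which is deliberately left out so the scanner runs offline.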

  • Deprecation of XenServer Hypervisor support

    • Beginning in GitHub Enterprise Server 3.1, we will begin discontinuing support for Xen Hypervisor. The complete deprecation is scheduled for GitHub Enterprise Server 3.3, following the standard one year deprecation window.
