This version of GitHub Enterprise will be discontinued on 2022-09-28. No patches will be released, even for critical security issues. For better performance, improved security, and new features, upgrade to the latest version of GitHub Enterprise. For help with upgrading, contact GitHub Enterprise Support.

Enterprise Server 3.2 release notes

August 11, 2022

📣 This is not the latest version of Enterprise Server. Use the latest version for the latest security, performance, and bug fixes.

    Security fixes

  • CRITICAL: GitHub Enterprise Server's Elasticsearch container used a version of OpenJDK 8 that was vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. The vulnerability is tracked as CVE-2022-34169.

  • HIGH: Previously installed apps on user accounts were automatically granted permission to access an organization on scoped access tokens after the user account was transformed into an organization account. This vulnerability was reported via the GitHub Bug Bounty program.

    Bug fixes

  • When a custom dormancy threshold was set for the instance, suspending all dormant users did not reliably respect the threshold. For more information about dormancy, see "Managing dormant users."

July 21, 2022

📣 This is not the latest patch release of this release series, and it is not the latest version of Enterprise Server. Use the latest version for the latest security, performance, and bug fixes.

    Security fixes

  • MEDIUM: Prevents an attack where a server-side request forgery (SSRF) could potentially force the Subversion (SVN) bridge to execute remote code by injecting arbitrary data into Memcached.

  • Updates Grafana to version 7.5.16, which addresses various security vulnerabilities including CVE-2020-13379 and CVE-2022-21702.

  • Packages have been updated to the latest security versions.

    Bug fixes

  • Fixed an issue where the files inside the artifact zip archives had permissions of 000 when unpacked using an unzip tool. Now the files will have the permissions set to 644, the same way as it works in GitHub.com.

  • In some cases, the collectd daemon could consume excess memory.

  • In some cases, backups of rotated log files could accumulate and consume excess storage.

  • After an upgrade to a new feature release and subsequent configuration run, Elasticsearch could log excessive exceptions while rebuilding indices.

  • In some cases where a protected branch required more than one approving review, a pull request could be merged with fewer than the required number of approving reviews.

  • On instances using LDAP authentication, the authentication prompt for sudo mode incorrectly placed the cursor within the password field by default when text fields for both a username and password were visible.

    Changes

  • The ghe-set-password command-line utility starts required services automatically when the instance is booted in recovery mode.

  • Metrics for aqueduct background processes are gathered for Collectd forwarding and display in the Management Console.

  • The location of the database migration and configuration run log, /data/user/common/ghe-config.log, is now displayed on the page that details a migration in progress.

    Known issues

  • On a freshly set up GitHub Enterprise Server instance without any users, an attacker could create the first admin user.

  • Custom firewall rules are removed during the upgrade process.

  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.

  • Issues cannot be closed if they contain a permalink to a blob in the same repository, where the blob's file path is longer than 255 characters.

  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

  • The GitHub Packages npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.

  • Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.

  • In some cases, GitHub Advanced Security customers who upgrade to GitHub Enterprise Server 3.5 or later may notice that alerts from secret scanning are missing in the web UI and REST API. To ensure the alerts remain visible, do not skip 3.4 when you upgrade from an earlier release to 3.5 or later. A fix for 3.5 and later will be available in an upcoming patch release.

    To plan an upgrade through 3.4, see the Upgrade assistant. [Updated: 2022-08-16]

June 28, 2022

    Security fixes

  • MEDIUM: Ensures that github.company.com and github-company.com are not evaluated by internal services as identical hostnames, preventing a potential server-side request forgery (SSRF) attack.

  • LOW: An attacker could access the Management Console with a path traversal attack via HTTP even if external firewall rules blocked HTTP access.

  • Packages have been updated to the latest security versions.

    Bug fixes

  • In some cases, site administrators were not automatically added as enterprise owners.

  • After merging a branch into the default branch, the "History" link for a file would still link to the previous branch instead of the target branch.

    Changes

  • Creating or updating check runs or check suites could return 500 Internal Server Error if the value for certain fields, like the name, was too long.

    Known issues

  • On a freshly set up GitHub Enterprise Server instance without any users, an attacker could create the first admin user.

  • Custom firewall rules are removed during the upgrade process.

  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.

  • Issues cannot be closed if they contain a permalink to a blob in the same repository, where the blob's file path is longer than 255 characters.

  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

  • The GitHub Packages npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.

  • Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.

  • In some cases, GitHub Advanced Security customers who upgrade to GitHub Enterprise Server 3.5 or later may notice that alerts from secret scanning are missing in the web UI and REST API. To ensure the alerts remain visible, do not skip 3.4 when you upgrade from an earlier release to 3.5 or later. A fix for 3.5 and later will be available in an upcoming patch release.

    To plan an upgrade through 3.4, see the Upgrade assistant. [Updated: 2022-08-16]

June 09, 2022

    Security fixes

  • Packages have been updated to the latest security versions.

    Bug fixes

  • An internal script to validate hostnames in the GitHub Enterprise Server configuration file would return an error if the hostname string started with a "." (period character).

  • In HA configurations where the primary node's hostname was longer than 60 characters, MySQL would fail to be configured.

  • The --gateway argument was added to the ghe-setup-network command, to allow passing the gateway address when configuring network settings using the command line.

  • Image attachments that were deleted would return a 500 Internal Server Error instead of a 404 Not Found error.

  • The calculation of "maximum committers across entire instance" reported in the site admin dashboard was incorrect.

  • An incorrect database entry for repository replicas caused database corruption when performing a restore using GitHub Enterprise Server Backup Utilities.

    Changes

  • Optimised the inclusion of metrics when generating a cluster support bundle.

  • In HA configurations where Elasticsearch reported a valid yellow status, changes introduced in a previous fix would block the ghe-repl-stop command and not allow replication to be stopped. Using ghe-repl-stop --force will now force Elasticsearch to stop when the service is in a normal or valid yellow status.

    Known issues

  • On a freshly set up GitHub Enterprise Server instance without any users, an attacker could create the first admin user.

  • Custom firewall rules are removed during the upgrade process.

  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.

  • Issues cannot be closed if they contain a permalink to a blob in the same repository, where the blob's file path is longer than 255 characters.

  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

  • The GitHub Packages npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.

  • Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.

  • In some cases, GitHub Advanced Security customers who upgrade to GitHub Enterprise Server 3.5 or later may notice that alerts from secret scanning are missing in the web UI and REST API. To ensure the alerts remain visible, do not skip 3.4 when you upgrade from an earlier release to 3.5 or later. A fix for 3.5 and later will be available in an upcoming patch release.

    To plan an upgrade through 3.4, see the Upgrade assistant. [Updated: 2022-08-16]

May 17, 2022

    Security fixes

  • MEDIUM: A security issue in nginx resolver was identified, where an attacker who could forge UDP packets from the DNS server could cause 1-byte memory overwrite, resulting in worker process crashes or other potentially damaging impacts. The vulnerability has been assigned CVE-2021-23017.

  • Updated the actions/checkout@v2 and actions/checkout@v3 actions to address new vulnerabilities announced in the Git security enforcement blog post.

  • Packages have been updated to the latest security versions.

    Bug fixes

  • In some cluster topologies, the ghe-cluster-status command left behind empty directories in /tmp.

  • SNMP incorrectly logged a high number of Cannot statfs error messages to syslog.

  • For instances configured with SAML authentication and built-in fallback enabled, built-in users would get stuck in a “login” loop when attempting to sign in from the page generated after logging out.

  • Videos uploaded to issue comments would not be rendered properly.

  • When using SAML encrypted assertions, some assertions were not correctly marking SSH keys as verified.

  • When using ghe-migrator, a migration would fail to import video file attachments in issues and pull requests.

  • The Releases page would return a 500 error when the repository has tags that contain non-ASCII characters. [Updated: 2022-06-10]

    Changes

  • In high availability configurations, clarify that the replication overview page in the Management Console only displays the current replication configuration, not the current replication status.

  • When enabling GitHub Packages, clarify that using a Shared Access Signature (SAS) token as connection string is not currently supported.

  • Support bundles now include the row count of tables stored in MySQL.

  • Dependency Graph can now be enabled without vulnerability data, allowing you to see what dependencies are in use and at what versions. Enabling Dependency Graph without enabling GitHub Connect will not provide vulnerability information.

    Known issues

  • On a freshly set up GitHub Enterprise Server instance without any users, an attacker could create the first admin user.

  • Custom firewall rules are removed during the upgrade process.

  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.

  • Issues cannot be closed if they contain a permalink to a blob in the same repository, where the blob's file path is longer than 255 characters.

  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

  • The GitHub Packages npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.

  • Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.

  • In some cases, GitHub Advanced Security customers who upgrade to GitHub Enterprise Server 3.5 or later may notice that alerts from secret scanning are missing in the web UI and REST API. To ensure the alerts remain visible, do not skip 3.4 when you upgrade from an earlier release to 3.5 or later. A fix for 3.5 and later will be available in an upcoming patch release.

    To plan an upgrade through 3.4, see the Upgrade assistant. [Updated: 2022-08-16]

April 20, 2022

    Security fixes

  • Packages have been updated to the latest security versions.

    Bug fixes

  • Upgrading the nodes in a high availability pair with an upgrade package could cause Elasticsearch to enter an inconsistent state in some cases.

  • In some cluster topologies, the command line utilities ghe-spokesctl and ghe-btop failed to run.

  • Elasticsearch indices could be duplicated during a package upgrade, due to an elasticsearch-upgrade service running multiple times in parallel.

  • When converting a user account to an organization, if the user account was an owner of the GitHub Enterprise Server enterprise account, the converted organization would incorrectly appear in the enterprise owner list.

  • Creating an impersonation OAuth token using the Enterprise Administration REST API worked incorrectly when an integration matching the OAuth Application ID already existed.

    Changes

  • Configuration errors that halt a config apply run are now output to the terminal in addition to the configuration log.

  • When attempting to cache a value larger than the maximum allowed in Memcached, an error was raised however the key was not reported.

  • The CodeQL starter workflow no longer errors even if the default token permissions for GitHub Actions are not used.

  • If GitHub Advanced Security features are enabled on your instance, the performance of background jobs has improved when processing batches for repository contributions.

    Known issues

  • On a freshly set up GitHub Enterprise Server instance without any users, an attacker could create the first admin user.

  • Custom firewall rules are removed during the upgrade process.

  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.

  • Issues cannot be closed if they contain a permalink to a blob in the same repository, where the blob's file path is longer than 255 characters.

  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

  • The GitHub Packages npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.

  • Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.

  • In some cases, GitHub Advanced Security customers who upgrade to GitHub Enterprise Server 3.5 or later may notice that alerts from secret scanning are missing in the web UI and REST API. To ensure the alerts remain visible, do not skip 3.4 when you upgrade from an earlier release to 3.5 or later. A fix for 3.5 and later will be available in an upcoming patch release.

    To plan an upgrade through 3.4, see the Upgrade assistant. [Updated: 2022-08-16]

April 04, 2022

    Security fixes

  • MEDIUM: A path traversal vulnerability was identified in the GitHub Enterprise Server Management Console that allowed the bypass of CSRF protections. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.5 and was fixed in versions 3.1.19, 3.2.11, 3.3.6, and 3.4.1. This vulnerability was reported via the GitHub Bug Bounty program and has been assigned CVE-2022-23732.

  • MEDIUM: An integer overflow vulnerability was identified in the 1.x and 2.x branches of yajl that leads to subsequent heap memory corruption when dealing with large (~2GB) inputs. This vulnerability was reported internally and has been assigned CVE-2022-24795.

  • Support bundles could include sensitive files if GitHub Actions was enabled.

  • Packages have been updated to the latest security versions.

    Bug fixes

  • The Minio process would have high CPU usage if an old configuration option was present after upgrading GitHub Enterprise Server.

  • The options to enable "TLS 1.0" and "TLS 1.1" in the Privacy settings of the Management Console were displayed, although those protocol versions had been removed in an earlier release.

  • In an HA environment, configuring MSSQL replication could require additional manual steps after enabling GitHub Actions for the first time.

  • A subset of internal configuration files are more reliably updated after a hotpatch.

  • The ghe-run-migrations script would sometimes fail to generate temporary certificate names correctly.

  • In a cluster environment, Git LFS operations could fail because internal API calls that spanned multiple web nodes failed.

  • Pre-receive hooks that used gpg --import timed out due to insufficient syscall privileges.

  • Webhook delivery information was not available in some cluster topologies.

  • In HA configurations, tearing down a replica would fail if GitHub Actions had previously been enabled.

  • Elasticsearch health checks would not allow a yellow cluster status when running migrations.

  • Organizations created as a result of a user converting their user account into an organization were not added to the global enterprise account.

  • When using ghe-migrator or exporting from GitHub.com, long-running exports would fail if data was deleted during the export process.

  • The GitHub Actions deployment graph would display an error when rendering a pending job.

  • Removed links to inaccessible pages.

  • Navigating away from a comparison of two commits in the web UI would persist the diff in other pages.

  • Adding a team as a reviewer to a pull request would sometimes show the incorrect number of members on that team.

  • The remove team membership API endpoint would respond with an error when attempting to remove a member externally managed by a SCIM group.

  • A large number of dormant users could cause a GitHub Connect configuration to fail.

  • The "Feature & beta enrollments" page in the site admin web UI was unavailable.

  • Clicking the "Site admin mode" link in the site footer would not change the state.

  • The spokesctl cache-policy rm command no longer fails with the message "error: failed to delete cache policy".

    Changes

  • Increased the Memcached connection limit to better accommodate large cluster topologies.

  • The Dependency Graph API previously ran with a statically defined port.

  • The default shard counts for cluster-related Elasticsearch shard settings have been updated.

  • The "Triage" and "Maintain" team roles are preserved during repository migrations.

  • Improved the performance of web requests made by enterprise owners.

    Known issues

  • On a freshly set up GitHub Enterprise Server instance without any users, an attacker could create the first admin user.

  • Custom firewall rules are removed during the upgrade process.

  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.

  • Issues cannot be closed if they contain a permalink to a blob in the same repository, where the blob's file path is longer than 255 characters.

  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

  • The GitHub Packages npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.

  • Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.

  • In some cases, GitHub Advanced Security customers who upgrade to GitHub Enterprise Server 3.5 or later may notice that alerts from secret scanning are missing in the web UI and REST API. To ensure the alerts remain visible, do not skip 3.4 when you upgrade from an earlier release to 3.5 or later. A fix for 3.5 and later will be available in an upcoming patch release.

    To plan an upgrade through 3.4, see the Upgrade assistant. [Updated: 2022-08-16]

March 01, 2022

    Security fixes

  • HIGH: An integer overflow vulnerability was identified in GitHub's markdown parser that could potentially lead to information leakage and RCE. This vulnerability was reported via the GitHub Bug Bounty program by Felix Wilhelm of Google Project Zero and has been assigned CVE-2022-24724.

    Bug fixes

  • Upgrades could sometimes fail if a high availability replica's clock was out of sync with the primary.

  • OAuth applications created after September 1, 2020 were unable to use the Check an Authorization API endpoint.

    Known issues

  • On a freshly set up GitHub Enterprise Server instance without any users, an attacker could create the first admin user.

  • Custom firewall rules are removed during the upgrade process.

  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.

  • Issues cannot be closed if they contain a permalink to a blob in the same repository, where the blob's file path is longer than 255 characters.

  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

  • The GitHub Packages npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.

  • Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.

  • In some cases, GitHub Advanced Security customers who upgrade to GitHub Enterprise Server 3.5 or later may notice that alerts from secret scanning are missing in the web UI and REST API. To ensure the alerts remain visible, do not skip 3.4 when you upgrade from an earlier release to 3.5 or later. A fix for 3.5 and later will be available in an upcoming patch release.

    To plan an upgrade through 3.4, see the Upgrade assistant. [Updated: 2022-08-16]

February 17, 2022

    Security fixes

  • Users could register a user or organization named "saml".

  • Packages have been updated to the latest security versions.

    Bug fixes

  • GitHub Packages storage settings could not be validated and saved in the Management Console when Azure Blob Storage was used.

  • The mssql.backup.cadence config option failed ghe-config-check with an invalid charset warning.

  • Fixed a SystemStackError (stack too deep) when getting more than 2^16 keys from memcached.

    Changes

  • Secret scanning will skip scanning ZIP and other archive files for secrets.

    Known issues

  • On a freshly set up GitHub Enterprise Server instance without any users, an attacker could create the first admin user.

  • Custom firewall rules are removed during the upgrade process.

  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.

  • Issues cannot be closed if they contain a permalink to a blob in the same repository, where the blob's file path is longer than 255 characters.

  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

  • The GitHub Packages npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.

  • Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.

  • In some cases, GitHub Advanced Security customers who upgrade to GitHub Enterprise Server 3.5 or later may notice that alerts from secret scanning are missing in the web UI and REST API. To ensure the alerts remain visible, do not skip 3.4 when you upgrade from an earlier release to 3.5 or later. A fix for 3.5 and later will be available in an upcoming patch release.

    To plan an upgrade through 3.4, see the Upgrade assistant. [Updated: 2022-08-16]

February 01, 2022

    Security fixes

  • Packages have been updated to the latest security versions.

    Bug fixes

  • Pages would become unavailable following a MySQL secret rotation until nginx was manually restarted.

  • Migrations could fail when GitHub Actions was enabled.

  • When setting a maintenance schedule with an ISO 8601 date, the actual scheduled time would not match because the time zone was not converted to UTC.

  • Spurious error messages pertaining to cloud-config.service would be output to the console.

  • The version number would not update correctly after installing a hotpatch using ghe-cluster-each.

  • Webhook table cleanup jobs could run concurrently, causing resource contention and increasing job run time.

  • When run from the primary, ghe-repl-teardown on a replica would not remove the replica from the MSSQL availability group.

  • When using CAS authentication with the "Reactivate suspended users" option enabled, suspended users were not automatically reactivated.

  • The feature to limit email-based notifications to users with emails on verified or approved domains did not work properly.

  • A long-running database migration related to security alert settings could delay upgrade completion.

    Changes

  • GitHub Connect data connection records now include a count of active and dormant users and the configured dormancy period.

    Known issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.

  • Custom firewall rules are removed during the upgrade process.

  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.

  • Issues cannot be closed if they contain a permalink to a blob in the same repository, where the blob's file path is longer than 255 characters.

  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

  • The GitHub Packages npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.

  • Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.

  • In some cases, GitHub Advanced Security customers who upgrade to GitHub Enterprise Server 3.5 or later may notice that alerts from secret scanning are missing in the web UI and REST API. To ensure the alerts remain visible, do not skip 3.4 when you upgrade from an earlier release to 3.5 or later. A fix for 3.5 and later will be available in an upcoming patch release.

    To plan an upgrade through 3.4, see the Upgrade assistant. [Updated: 2022-08-16]

January 18, 2022

    Security fixes

  • Packages have been updated to the latest security versions. Among these updates, Log4j has been updated to version 2.17.1. Note: the previous mitigations released in 3.3.1, 3.2.6, 3.1.14, and 3.0.22 are sufficient to address the impact of CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, and CVE-2021-44832 in these versions of GitHub Enterprise Server.

  • Sanitize more secrets in the generated support bundles.

  • Packages have been updated to the latest security versions.

    Bug fixes

  • Actions self-hosted runners would fail to self-update or run new jobs after upgrading from an older GHES installation.

  • Storage settings could not be validated when configuring MinIO as blob storage for GitHub Packages.

  • Running ghe-config-apply could sometimes fail because of permission issues in /data/user/tmp/pages.

  • The save button in the Management Console could not be reached by scrolling in lower-resolution browsers.

  • IOPS and storage traffic monitoring graphs did not update after the collectd version upgrade.

  • Some webhook-related jobs could generate a large amount of logs.

  • Multiple documentation links resulted in a "404 Not Found" error.

    Known issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.

  • Custom firewall rules are removed during the upgrade process.

  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.

  • Issues cannot be closed if they contain a permalink to a blob in the same repository, where the blob's file path is longer than 255 characters.

  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

  • The GitHub Packages npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.

  • Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.

  • In some cases, GitHub Advanced Security customers who upgrade to GitHub Enterprise Server 3.5 or later may notice that alerts from secret scanning are missing in the web UI and REST API. To ensure the alerts remain visible, do not skip 3.4 when you upgrade from an earlier release to 3.5 or later. A fix for 3.5 and later will be available in an upcoming patch release.

    To plan an upgrade through 3.4, see the Upgrade assistant. [Updated: 2022-08-16]

December 13, 2021

    Security fixes

  • CRITICAL: A remote code execution vulnerability in the Log4j library, identified as CVE-2021-44228, affected all versions of GitHub Enterprise Server prior to 3.3.1. The Log4j library is used in an open source service running on the GitHub Enterprise Server instance. This vulnerability was fixed in GitHub Enterprise Server versions 3.0.22, 3.1.14, 3.2.6, and 3.3.1. For more information, see this post on the GitHub Blog.

  • Updated December 17, 2021: The fixes in place for this release also mitigate CVE-2021-45046, which was published after this release. No additional upgrade of GitHub Enterprise Server is needed to mitigate both CVE-2021-44228 and CVE-2021-45046.

    Known issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.

  • Custom firewall rules are removed during the upgrade process.

  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.

  • Issues cannot be closed if they contain a permalink to a blob in the same repository, where the blob's file path is longer than 255 characters.

  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

  • The GitHub Packages npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.

  • Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.

  • In some cases, GitHub Advanced Security customers who upgrade to GitHub Enterprise Server 3.5 or later may notice that alerts from secret scanning are missing in the web UI and REST API. To ensure the alerts remain visible, do not skip 3.4 when you upgrade from an earlier release to 3.5 or later. A fix for 3.5 and later will be available in an upcoming patch release.

    To plan an upgrade through 3.4, see the Upgrade assistant. [Updated: 2022-08-16]

December 07, 2021

    Security fixes

  • Support bundles could include sensitive files if they met a specific set of conditions.

  • A UI misrepresentation vulnerability was identified in GitHub Enterprise Server that allowed more permissions to be granted during a GitHub App's user-authorization web flow than were displayed to the user during approval. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.3 and was fixed in versions 3.2.5, 3.1.13, and 3.0.21. This vulnerability was reported via the GitHub Bug Bounty program and has been assigned CVE-2021-41598.

  • A remote code execution vulnerability was identified in GitHub Enterprise Server that could be exploited when building a GitHub Pages site. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.3 and was fixed in versions 3.0.21, 3.1.13, and 3.2.5. This vulnerability was reported via the GitHub Bug Bounty program and has been assigned CVE-2021-41599. Updated February 17, 2022.

    Bug fixes

  • In some cases, ghe-support-bundle would report an unexpected message "MS SQL container not found" if Actions was not enabled.

  • Running ghe-config-apply could sometimes fail because of permission issues in /data/user/tmp/pages.

  • A misconfiguration in the Management Console caused scheduling errors.

  • Docker would keep log files open after log rotation.

  • Migrations could get stuck due to incorrect handling of blob_path values that were not UTF-8 compatible.

  • GraphQL requests did not set the GITHUB_USER_IP variable in the pre-receive hook environment.

  • Pagination links on organization audit logs did not preserve query parameters.

  • Duplicate hashes could occur during a hotpatch if the transform ran multiple times.

    Changes

  • Clarified the instructions for the Actions path style in the documentation.

  • Updated the support contact URL to use the current support site, support.github.com.

  • Additional troubleshooting is provided when running ghe-mssql-diagnostic.

    Known issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.

  • Custom firewall rules are removed during the upgrade process.

  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.

  • Issues cannot be closed if they contain a permalink to a blob in the same repository, where the blob's file path is longer than 255 characters.

  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

  • The GitHub Packages npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.

  • Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.

  • In some cases, GitHub Advanced Security customers who upgrade to GitHub Enterprise Server 3.5 or later may notice that alerts from secret scanning are missing in the web UI and REST API. To ensure the alerts remain visible, do not skip 3.4 when you upgrade from an earlier release to 3.5 or later. A fix for 3.5 and later will be available in an upcoming patch release.

    To plan an upgrade through 3.4, see the Upgrade assistant. [Updated: 2022-08-16]

November 23, 2021

Downloads have been disabled due to a major bug affecting multiple customers. A fix will be available in the next patch release.

    Security fixes

  • Packages have been updated to the latest security versions.

    Bug fixes

  • Running ghe-repl-start or ghe-repl-status would sometimes return errors connecting to the database when GitHub Actions was enabled.

  • Pre-receive hooks could fail due to an undefined PATH.

  • Running ghe-repl-setup would return the error "cannot create directory /data/user/elasticsearch: File exists" if the instance had previously been configured as a replica.

  • Running ghe-support-bundle returned the error "integer expression expected".

  • After setting up a high availability replica, ghe-repl-status included the error "unexpected unclosed action in command" in its output.

  • In large cluster environments, the authentication backend could be unavailable on a subset of frontend nodes.

  • Some critical services could be unavailable on backend nodes in a GHES cluster.

  • The repository permissions for a user returned by the /repos API did not return the full list.

  • In some cases, the childTeams connection on the Team object in the GraphQL schema produced incorrect results.

  • In high availability configurations, repository maintenance would always show as failed in stafftools, even when it succeeded.

  • User-defined patterns did not detect secrets in files such as package.json or yarn.lock.

    Changes

  • The additional outer layer of gzip compression applied when creating a cluster support bundle with ghe-cluster-support-bundle is now turned off by default. This outer compression can optionally be applied with the ghe-cluster-support-bundle -c command line option.

  • We have added extra text to the Management Console to remind users that the mobile app collects data to improve the experience.

  • GitHub Connect data connection records now include a list of enabled GitHub Connect features. [Updated: 2021-12-09]

    Known issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.

  • Custom firewall rules are removed during the upgrade process.

  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.

  • Issues cannot be closed if they contain a permalink to a blob in the same repository, where the blob's file path is longer than 255 characters.

  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

  • The GitHub Packages npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.

  • Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.

  • In some cases, GitHub Advanced Security customers who upgrade to GitHub Enterprise Server 3.5 or later may notice that alerts from secret scanning are missing in the web UI and REST API. To ensure the alerts remain visible, do not skip 3.4 when you upgrade from an earlier release to 3.5 or later. A fix for 3.5 and later will be available in an upcoming patch release.

    To plan an upgrade through 3.4, see the Upgrade assistant. [Updated: 2022-08-16]

November 09, 2021

    Security fixes

  • A path traversal vulnerability was identified in GitHub Pages builds on GitHub Enterprise Server that could allow an attacker to read system files. To exploit this vulnerability, an attacker needed permission to create and build a GitHub Pages site on the GitHub Enterprise Server instance. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.3, and was fixed in versions 3.0.19, 3.1.11, and 3.2.3. This vulnerability was reported through the GitHub Bug Bounty program and has been assigned CVE-2021-22870.

  • Packages have been updated to the latest security versions.

    Bug fixes

  • Some Git operations failed after upgrading a GitHub Enterprise Server 3.x cluster because of the HAProxy configuration.

  • Unicorn worker counts might have been set incorrectly in clustering mode.

  • Resqued worker counts might have been set incorrectly in clustering mode.

  • If Ubuntu's Uncomplicated Firewall (UFW) status was inactive, a client could not clearly see it in the logs.

  • Upgrading from GitHub Enterprise Server 2.x to 3.x failed when there were UTF8 characters in an LDAP configuration.

  • Some pages and Git-related background jobs might not run in cluster mode with certain cluster configurations.

  • The documentation link for Server Statistics was broken.

  • When a new tag was created, the push webhook payload did not display a correct head_commit object. Now, when a new tag is created, the push webhook payload always includes a head_commit object that contains the data of the commit that the new tag points to. As a result, the head_commit object will always contain the commit data of the payload's after commit.

  • The enterprise audit log page would not display audit events for secret scanning.

  • There was an insufficient job timeout for replica repairs.

  • A repository's releases page would return a 500 error when viewing releases.

  • Users were not warned about potentially dangerous bidirectional unicode characters when viewing files. For more information, see "Warning about bidirectional Unicode text" on the GitHub Blog.

  • Hookshot Go sent distribution type metrics that Collectd could not handle, which caused a ballooning of parsing errors.

  • Public repositories displayed unexpected results from secret scanning with a type of Unknown Token.

    Changes

  • Kafka configuration improvements have been added. When deleting repositories, package files are now immediately deleted from storage account to free up space. DestroyDeletedPackageVersionsJob now deletes package files from storage account for stale packages along with metadata records.

    Known issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.

  • Custom firewall rules are removed during the upgrade process.

  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.

  • Issues cannot be closed if they contain a permalink to a blob in the same repository, where the blob's file path is longer than 255 characters.

  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

  • The GitHub Packages npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.

  • Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.

  • In some cases, GitHub Advanced Security customers who upgrade to GitHub Enterprise Server 3.5 or later may notice that alerts from secret scanning are missing in the web UI and REST API. To ensure the alerts remain visible, do not skip 3.4 when you upgrade from an earlier release to 3.5 or later. A fix for 3.5 and later will be available in an upcoming patch release.

    To plan an upgrade through 3.4, see the Upgrade assistant. [Updated: 2022-08-16]

October 28, 2021

📣 This is not the latest patch release of this release series, and it is not the latest release of Enterprise Server. Please use the latest release for the latest security, performance, and bug fixes.

    Security fixes

  • Plaintext passwords could end up in certain log files.

  • Several known weak SSH public keys have been added to a deny list and can no longer be registered. In addition, versions of GitKraken known to generate weak SSH keys (7.6.x, 7.7.x, and 8.0.0) have been blocked from registering new public keys.

  • Packages have been updated to the latest security versions.

    Bug fixes

  • Restores of an Enterprise Server in cluster mode could fail if Orchestrator was unhealthy.

  • Codespaces links were displayed in organization settings.

  • Several parts of the application were unavailable for users who are owners of multiple organizations.

  • Fixed links to https://docs.github.com.

    Changes

  • Browse and job performance optimizations for repositories with many references.

    Known issues

  • The /releases page displays a 500 error after saving a new release in a repository. A fix for this issue is expected to ship in 3.2.3.

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.

  • Custom firewall rules are removed during the upgrade process.

  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.

  • Issues cannot be closed if they contain a permalink to a blob in the same repository, where the blob's file path is longer than 255 characters.

  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

  • The GitHub Packages npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.

  • Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.

  • In some cases, GitHub Advanced Security customers who upgrade to GitHub Enterprise Server 3.5 or later may notice that alerts from secret scanning are missing in the web UI and REST API. To ensure the alerts remain visible, do not skip 3.4 when you upgrade from an earlier release to 3.5 or later. A fix for 3.5 and later will be available in an upcoming patch release.

    To plan an upgrade through 3.4, see the Upgrade assistant. [Updated: 2022-08-16]

October 12, 2021

📣 This is not the latest patch release of this release series, and it is not the latest release of Enterprise Server. Please use the latest release for the latest security, performance, and bug fixes.

    Security fixes

  • Packages have been updated to the latest security versions.

    Bug fixes

  • Custom pre-receive hooks could fail due to overly restrictive virtual memory or CPU time limits.

  • Dependency graph settings may have been incorrectly applied in a GitHub Enterprise Server cluster configuration.

  • Attempting to wipe all existing configuration settings with ghe-cleanup-settings failed to restart the Management Console service.

  • During replication teardown via ghe-repl-teardown, Memcached failed to restart.

  • During periods of high load, users received HTTP 503 status codes when upstream services failed their internal health checks.

  • The pre-receive hook environment was prohibited from calling the cat command via BusyBox on Alpine.

  • Failover from a primary cluster datacenter to a secondary cluster datacenter succeeded, but the subsequent failback to the original primary cluster datacenter failed to promote Elasticsearch indices.

  • The "Import teams" button on an organization's "Teams" page returned an HTTP 404.

  • Using the API to disable secret scanning correctly disabled the property, but incorrectly returned an HTTP 422 and an error message.

  • In some cases, GitHub Enterprise administrators attempting to view the "Dormant users" page received a "502 Bad Gateway" or "504 Gateway Timeout" response.

  • In some high-load situations, performance was negatively impacted by an increase in the number of SynchronizePullRequestJob jobs.

  • User-defined patterns created for secret scanning continued to be scanned even after being deleted.

    Changes

  • GitHub Apps now set the secret scanning feature on repositories consistently with the API.

    Known issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.

  • Custom firewall rules are removed during the upgrade process.

  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.

  • Issues cannot be closed if they contain a permalink to a blob in the same repository, where the blob's file path is longer than 255 characters.

  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

  • The GitHub Packages npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.

  • Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.

  • In some cases, GitHub Advanced Security customers who upgrade to GitHub Enterprise Server 3.5 or later may notice that alerts from secret scanning are missing in the web UI and REST API. To ensure the alerts remain visible, do not skip 3.4 when you upgrade from an earlier release to 3.5 or later. A fix for 3.5 and later will be available in an upcoming patch release.

    To plan an upgrade through 3.4, see the Upgrade assistant. [Updated: 2022-08-16]

September 28, 2021

📣 This is not the latest patch release of this release series, and it is not the latest release of Enterprise Server. Please use the latest release for the latest security, performance, and bug fixes.

For upgrade instructions, see "Upgrading GitHub Enterprise Server."

    Features

    Custom patterns for secret scanning

  • GitHub Advanced Security customers can now specify custom patterns for secret scanning. When a new pattern is specified, secret scanning searches a repository's entire Git history for the pattern, as well as any new commits.

    User defined patterns are in beta for GitHub Enterprise Server 3.2. They can be defined at the repository, organization, and enterprise levels. For more information, see "Defining custom patterns for secret scanning."

    Security overview for Advanced Security (beta)

  • GitHub Advanced Security customers now have an organization-level view of the application security risks detected by code scanning, Dependabot, and secret scanning. The security overview shows the enablement status of security features on each repository, as well as the number of alerts detected.

    In addition, the security overview lists all secret scanning alerts at the organization level. Similar views for Dependabot and code scanning alerts are coming in future releases. For more information, see "About the security overview."

    Screenshot of security overview

    Dependency review (beta)

  • GitHub Advanced Security customers can now see a rich diff of the dependencies changed in a pull request. Dependency review provides an easy-to-understand view of dependency changes and their security impact in the "Files changed" tab of pull requests. It informs you of which dependencies were added, removed, or updated, along with vulnerability information for these dependencies. For more information, see "Reviewing dependency changes in a pull request."

    GitHub Actions environments

  • Environments, environment protection rules, and environment secrets are now generally available for GitHub Actions on GitHub Enterprise Server. For more information, see "Environments."

    Environment protection rules

    SSH authentication with security keys

  • SSH authentication using a FIDO2 security key is now supported when you add a sk-ecdsa-sha2-nistp256@openssh.com or sk-ssh-ed25519@openssh.com SSH key to your account. SSH security keys store secret key material on a separate hardware device that requires verification, such as a tap, to operate. For more information, see "Generating a new SSH key and adding it to the ssh-agent."

    Dark and dark dimmed themes

  • Dark and dark dimmed themes are now available for the web UI. GitHub Enterprise Server will match your system preferences when you haven't set theme preferences in GitHub Enterprise Server. You can also choose which themes are active during the day and night. For more information, see "Managing your theme settings."

    Dark and dark dimmed themes

    Approving unverified domains for email notifications

  • Domains that are not able to be verified can now be approved for email notification routing. Enterprise and organization owners will be able to approve domains and immediately augment their email notification restriction policy, allowing notifications to be sent to collaborators, consultants, acquisitions, or other partners. For more information, see "Verifying or approving a domain for your enterprise" and "Restricting email notifications for your enterprise."

    Git Credential Manager (GCM) secure credential storage and multi-factor authentication support

  • Git Credential Manager (GCM) versions 2.0.452 and later now provide security-hardened credential storage and multi-factor authentication support for GitHub Enterprise Server.

    GCM with support for GitHub Enterprise Server is included with Git for Windows versions 2.32 and later. GCM is not included with Git for macOS or Linux, but can be installed separately. For more information, see the latest release and installation instructions in the GitCredentialManager/git-credential-manager repository.

    Changes

    Administration Changes

  • A 'User Agent Referrer Policy' setting has been added to the enterprise settings. This allows an admin to set a stricter Referrer-Policy to hide the hostname of a GitHub Enterprise Server installation from external sites. The setting is disabled by default and is tracked by audit log events for staff and enterprise owners when enabled or disabled. For more information, see "Configuring Referrer Policy for your enterprise."

  • The MySQL health check was changed to use mysqladmin ping instead of TCP checks, which removes some unnecessary noise in the MySQL error log. Also, Orchestrator failover checks were improved to prevent unnecessary MySQL failovers when applying cluster config changes.

  • The Resque service, which supports background job processing, has been replaced with Aqueduct Lite. This change makes the job system easier to manage and should not affect the user experience. For the new administration and debugging commands for Aqueduct, see "Command-line utilities."

    Token Changes

  • The format of authentication tokens for GitHub Enterprise Server has changed. The change affects the format of personal access tokens and access tokens for OAuth Apps, as well as user-to-server, server-to-server, and refresh tokens for GitHub Apps.

    The different token types now have unique identifiable prefixes, which allows secret scanning to detect the tokens so that you can mitigate the impact of someone accidentally committing a token to a repository. GitHub recommends updating existing tokens as soon as possible. For more information, see "About authentication to GitHub" and "About secret scanning."
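
    The prefixed format is what makes a committed token cheap to spot before it reaches the server. As an added example (not GitHub's code and not part of these release notes), the Python check below scans text such as a staged diff for the prefixed token shapes and reports each hit redacted. The prefix letters come from GitHub's public announcement of the new token format rather than from this page; the 36-character minimum body length, the redaction scheme and the sample snippet are assumptions of this example.

```python
from __future__ import annotations

import re
from typing import NamedTuple

# Token type prefixes introduced with the new format. Source: GitHub's public
# announcement of the token format, not this release note. The body after the
# prefix is base62 (A-Z, a-z, 0-9).
TOKEN_PREFIXES = {
    "ghp_": "personal access token",
    "gho_": "OAuth access token",
    "ghu_": "GitHub App user-to-server token",
    "ghs_": "GitHub App server-to-server token",
    "ghr_": "GitHub App refresh token",
}

# Prefix followed by at least 36 base62 characters (assumed minimum; refresh
# tokens are longer, so no upper bound is enforced). Detection is by prefix and
# shape only; the checksum embedded in the token body is not validated here.
TOKEN_RE = re.compile(r"\b(gh[pousr]_)([A-Za-z0-9]{36,})\b")


class Finding(NamedTuple):
    line_no: int
    token_type: str
    redacted: str


def find_tokens(text: str) -> list[Finding]:
    """Return one Finding per prefixed token, never echoing the full secret."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in TOKEN_RE.finditer(line):
            prefix, body = m.group(1), m.group(2)
            # Keep the prefix and the last four characters so the finding can
            # be matched against the real token by its owner without logging it.
            redacted = prefix + "*" * (len(body) - 4) + body[-4:]
            findings.append(Finding(line_no, TOKEN_PREFIXES[prefix], redacted))
    return findings


def redact(text: str) -> str:
    """Mask every token body in place, e.g. before the text is written to a log."""
    return TOKEN_RE.sub(lambda m: m.group(1) + "*" * len(m.group(2)), text)


# Constructed sample: a config snippet about to be committed. Both tokens are
# fake (alphabet / repeated digits) and are not real credentials.
FAKE_PAT = "ghp_" + "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
FAKE_OAUTH = "gho_" + "0" * 34 + "ab"
SAMPLE = f"""\
[remote "origin"]
    url = https://x-access-token:{FAKE_PAT}@ghe.example.com/org/repo.git
export OAUTH={FAKE_OAUTH}
# legacy 40-hex token without a prefix (not matched by this check):
export OLD=0123456789abcdef0123456789abcdef01234567
"""

if __name__ == "__main__":
    for f in find_tokens(SAMPLE):
        print(f"line {f.line_no}: {f.token_type} {f.redacted}")
```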

    Repositories changes

  • Repositories on user profiles and organization profiles now support sorting by star count.

  • When viewing the commit history of a single file, you can now click to view that file at the selected point in history.

  • When a submodule is defined with a relative path in your GitHub Enterprise Server instance, the submodule is now clickable in the web UI. Clicking the submodule in the web UI will take you to the linked repository. Previously, only submodules with absolute URLs were clickable. This is supported for relative paths for repositories with the same owner that follow the pattern ../REPOSITORY or relative paths for repositories with a different owner that follow the pattern ../OWNER/REPOSITORY. For more information about working with submodules, see Working with submodules on the GitHub Blog.

  • The web UI can now be used to synchronize an out-of-date branch of a fork with the fork's upstream branch. If there are no merge conflicts between the branches, the branch is updated either by fast-forwarding or by merging from upstream. If there are conflicts, you will be prompted to create a pull request to resolve the conflicts. For more information, see "Syncing a fork."

    Markdown changes

  • The markdown editor used when creating or editing a release in a repository now has a text-editing toolbar. For more information, see "Managing releases in a repository."

  • Uploading video files is now supported everywhere you write Markdown on GitHub Enterprise Server. Share demos, reproduction steps, and more in your issue and pull request comments, as well as in Markdown files within repositories, such as READMEs. For more information, see "Attaching files."

  • Markdown files will now automatically generate a table of contents in the header when there are 2 or more headings. The table of contents is interactive and links to the selected section. All 6 Markdown heading levels are supported.

  • There is a new keyboard shortcut, cmd+e on macOS or ctrl+e on Windows, to insert codeblocks in Markdown files, issues, pull requests, and comments.

  • Appending ?plain=1 to the URL for any Markdown file will now display the file without rendering and with line numbers. The plain view can be used to link other users to specific lines. For example, appending ?plain=1#L52 will highlight line 52 of a plain text Markdown file. For more information, see "Creating a permanent link to a code snippet."

    Issues and pull requests changes

  • With the latest version of Octicons, the states of issues and pull requests are now more visually distinct so you can scan their status more easily. For more information, see the GitHub Blog.

  • A new "Require conversation resolution before merging" branch protection rule and "Conversations" menu is now available. Easily discover your pull request comments from the "Files changed" tab, and require that all your pull request conversations are resolved before merging. For more information, see "About pull request reviews" and "About protected branches."

  • To prevent the merge of unexpected changes after auto-merge is enabled for a pull request, auto-merge is now disabled automatically when new changes are pushed by a user without write access to the repository. Users without write access can still update the pull request with changes from the base branch when auto-merge is enabled. To prevent a malicious user from using a merge conflict to introduce unexpected changes to the pull request, auto-merge for the pull request is disabled if the update causes a merge conflict. For more information about auto-merge, see "Automatically merging a pull request."

  • People with maintain permissions can now manage the repository-level "Allow auto-merge" setting. This setting, which is off by default, controls whether auto-merge is available on pull requests in the repository. Previously, only people with admin permissions could manage this setting. Additionally, this setting can now be controlled using the "Create a repository" and "Update a repository" REST APIs. For more information, see "Managing auto-merge for pull requests in your repository."

  • The assignees selection for issues and pull requests now supports type ahead searching so you can find users in your organization faster. Additionally, search result rankings have been updated to prefer matches at the start of a person's username or profile name.

  • When a review is requested from a team of more than 100 people, developers are now shown a confirmation dialog box in order to prevent unnecessary notifications for large teams.

  • Back-tick code blocks are now supported in issue titles, pull request titles, and in any place issue and pull request titles are referenced in GitHub Enterprise Server.

  • Events for pull requests and pull request reviews are now included in the audit log for both enterprises and organizations. These events help admins better monitor pull request activity and help ensure security and compliance requirements are being met. Events can be viewed from the web UI, exported as CSV or JSON, or accessed via REST API. You can also search the audit log for specific pull request events. For more information, see "Reviewing the audit log for your organization."

    Branches changes

  • The default branch name for new repositories is now main. Existing repositories are not impacted by this change. If users, organization owners, or enterprise owners have previously specified a default branch for new repositories, they are also not impacted.

    If you want to set a different default branch name, you can do so in the user, organization, or enterprise settings.

  • Branches, including the default branch, can now be renamed using the GitHub Enterprise Server web UI. When a branch is renamed, any open pull requests and draft releases targeting the renamed branch will be retargeted automatically, and branch protection rules that explicitly reference the renamed branch will be updated.

    Admin permissions are required to rename the default branch, but write permissions are sufficient to rename other branches.

    To help make the change as seamless as possible for users:

    • A notice is shown to contributors, maintainers, and admins on the repository homepage with instructions for updating their local repository.
    • Web requests to the old branch will be redirected.
    • A "moved permanently" HTTP response will be returned to REST API calls.
    • An informational message is displayed to Git command line users that push to the old branch.

    For more information, see "Renaming a branch."

    GitHub Actions changes

  • GitHub Actions now lets you control the permissions granted to the GITHUB_TOKEN secret. The GITHUB_TOKEN is an automatically generated secret that lets you make authenticated calls to the API for GitHub Enterprise Server in your workflow runs. GitHub Actions generates a new token for each job and expires the token when the job completes. The token usually has write permissions to a number of API endpoints, except in the case of pull requests from forks, which are always read-only. These new settings allow you to follow the principle of least privilege in your workflows. For more information, see "Authentication in a workflow."

  • GitHub CLI 1.9 and later allows you to work with GitHub Actions in your terminal. For more information, see the GitHub changelog.

  • The audit log now includes events associated with GitHub Actions workflow runs. This data provides administrators with a greatly expanded data set for security and compliance audits. For more information, see "Reviewing the audit log for your organization."

  • GitHub Enterprise Server 3.2 contains performance improvements for job concurrency with GitHub Actions. For more information about the new performance targets for a range of CPU and memory configurations, see "Getting started with GitHub Actions for GitHub Enterprise Server."

    • The "Maximum Concurrency" values were modified to reflect our most up to date performance testing. [Updated: 2021-12-07]

  • The GitHub Actions Runner application in GitHub Enterprise Server 3.2 has been updated to v2.279.0.

    GitHub Packages changes

  • Any package or package version for GitHub Packages can now be deleted from GitHub Enterprise Server's web UI. You can also undo the deletion of any package or package version within 30 days. For more information, see "Deleting and restoring a package".

    Dependabot and Dependency graph changes

  • The dependency graph can now be enabled using the Management Console, rather than needing to run a command in the administrative shell. For more information, see "Enabling alerts for vulnerable dependencies GitHub Enterprise Server."

  • Notifications for multiple Dependabot alerts are now grouped together if they're discovered at the same time. This significantly reduces the volume of Dependabot alert notifications that users receive. For more information, see the GitHub changelog.

  • Dependency graph and Dependabot alerts now support Go modules. GitHub Enterprise Server analyzes a repository's go.mod files to understand the repository's dependencies. Along with security advisories, the dependency graph provides the information needed to alert developers to vulnerable dependencies. For more information about enabling the dependency graph on private repositories, see "Securing your repository."

  • The default notification settings for security alerts have changed. Previously, if you had permission to view security alerts in a repository, you would receive notifications for that repository as long as your settings allowed for security alert notifications. Now, you must opt in to security alert notifications by watching the repository. You will be notified if you select All Activity or configure Custom to include Security alerts. All existing repositories will be automatically migrated to these new settings and you will continue to receive notifications; however, any new repositories will require opting in by watching the repository. For more information, see "Configuring notifications for Dependabot alerts" and "Managing alerts from secret scanning."

    Code scanning and secret scanning changes

  • Code scanning with CodeQL now generates diagnostic information for all supported languages. This helps check the state of the created database to understand the status and quality of the performed analysis. The diagnostic information is available starting in version 2.5.6 of the CodeQL CLI. You can see the detailed diagnostic information in the GitHub Actions logs for CodeQL. For more information, see "Viewing code scanning logs."

  • Code scanning with the CodeQL CLI now supports analyzing several languages during a single build. This makes it easier to run code analysis when using CI/CD systems other than GitHub Actions. The new mode of the codeql database create command is available starting in version 2.5.6 of the CodeQL CLI. For more information about setting this up, see "Installing CodeQL CLI in your CI system."

  • Code scanning alerts from all enabled tools are now shown in one consolidated list, so that you can easily prioritize across all alerts. You can view alerts from a specific tool by using the "Tool" filter, and the "Rule" and "Tag" filters will dynamically update based on your "Tool" selection.

  • Code scanning with CodeQL now includes beta support for analyzing C++20 code. This is only available when building codebases with GCC on Linux. C++20 modules are not supported yet.

  • The depth of CodeQL's analysis has been improved by adding support for more libraries and frameworks and increasing the coverage of our existing library and framework models for several languages (C++, JavaScript, Python, and Java). As a result, CodeQL can now detect even more potential sources of untrusted user data, review the steps through which that data flows, and identify potentially dangerous sinks in which this data could end up. This results in an overall improvement of the quality of the code scanning alerts. For more information, see the GitHub changelog.

  • Code scanning now shows security-severity levels for CodeQL security alerts. You can configure which security-severity levels will cause a check failure for a pull request. The severity level of security alerts can be critical, high, medium, or low. By default, any code scanning alerts with a security-severity of critical or high will cause a pull request check failure.

    Additionally, you can now also configure which severity levels will cause a pull request check to fail for non-security alerts. You can configure this behavior at the repository level, and define whether alerts with the severity error, warning, or note will cause a pull request check to fail. By default, non-security code scanning alerts with a severity of error will cause a pull request check failure.

    For more information see "Defining which alert severity levels cause pull request check failure."

    List of code scanning alerts with security levels

  • Improvements to the branch filter for code scanning alerts make it clearer which code scanning alerts are being displayed on the alerts page. By default, code scanning alerts are filtered to show alerts for the default branch of the repository only. You can use the branch filter to display the alerts on any of the non-default branches. Any branch filter that has been applied is shown in the search bar.

    The search syntax has also been simplified to branch:<branch name>. This syntax can be used multiple times in the search bar to filter on multiple branches. The previous syntax, ref:refs/heads/<branch name>, is still supported, so any saved URLs will continue to work.

  • Free text search is now available for code scanning alerts. You can search code scanning results to quickly find specific alerts without having to know exact search terms. The search is applied across the alert's name, description, and help text. The syntax is:

    • A single word returns all matches.
    • Multiple search words return matches to either word.
    • Words in double quotes return exact matches.
    • The keyword 'AND' returns matches to multiple words.
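
    The four rules above are enough to write a small matcher, which is a handy way to check what a saved search will and will not return. The Python below is an added example, not GitHub's implementation: it parses the syntax into OR-groups of AND-terms and applies them across an alert's name, description and help text. Precedence (AND binding tighter than the implicit OR), case-insensitive matching for bare words, verbatim matching for quoted phrases, and the sample alerts are all assumptions of this example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    """One code scanning alert; the free-text search covers these three fields."""
    name: str
    description: str
    help_text: str

    def text(self) -> str:
        return " ".join((self.name, self.description, self.help_text))


# Either a double-quoted phrase (group 1) or a bare whitespace-delimited word (group 2).
QUERY_TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')


def parse_query(query: str) -> list[list[tuple[str, str]]]:
    """Parse the search syntax into OR-groups of AND-terms.

    Whitespace-separated terms match either term (OR); the keyword AND joins the
    terms before and after it into one group that must match entirely. AND is
    taken to bind tighter than the implicit OR (assumption: the release note
    does not state precedence). Terms are ("word", text) or ("phrase", text).
    """
    groups: list[list[tuple[str, str]]] = []
    join_with_previous = False
    for quoted, bare in QUERY_TOKEN_RE.findall(query):
        if bare == "AND":
            join_with_previous = bool(groups)  # a leading AND has nothing to join
            continue
        term = ("word", bare.lower()) if bare else ("phrase", quoted)
        if not term[1]:
            continue  # empty quotes contribute nothing
        if join_with_previous:
            groups[-1].append(term)
            join_with_previous = False
        else:
            groups.append([term])
    return groups


def term_matches(term: tuple[str, str], alert: Alert) -> bool:
    kind, text = term
    if kind == "phrase":
        # Quoted text must appear verbatim (case and spacing preserved).
        return text in alert.text()
    # A bare word matches case-insensitively anywhere in the searchable text.
    return text in alert.text().lower()


def search(alerts: list[Alert], query: str) -> list[Alert]:
    """An alert is returned when every term of at least one group matches it."""
    groups = parse_query(query)
    if not groups:
        return list(alerts)
    return [a for a in alerts if any(all(term_matches(t, a) for t in g) for g in groups)]


def names(alerts: list[Alert]) -> list[str]:
    return [a.name for a in alerts]


# Constructed sample alerts (names modelled on CodeQL rules; the text is made up).
ALERTS = [
    Alert("SQL query built from user-controlled sources",
          "Building a SQL query from user-controlled sources is vulnerable to insertion of malicious SQL code.",
          "Use parameterized queries instead of string concatenation."),
    Alert("Reflected cross-site scripting",
          "Writing user input directly to an HTTP response allows for a cross-site scripting vulnerability.",
          "HTML-encode user input before writing it to the page."),
    Alert("Uncontrolled data used in path expression",
          "Accessing paths influenced by users can allow an attacker to reach unexpected resources.",
          "Validate the path against an allow list."),
    Alert("Log injection",
          "Building log entries from user-controlled data is vulnerable to insertion of forged log entries.",
          "Sanitize log input."),
]

if __name__ == "__main__":
    for q in ("sql", "sql scripting", '"user-controlled sources"', "user AND log"):
        print(f"{q!r:32} -> {names(search(ALERTS, q))}")
```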

  • Secret scanning added patterns for 23 new service providers. For the updated list of supported secrets, see "About secret scanning."

    API Changes

  • Pagination support has been added to the Repositories REST API's "compare two commits" endpoint, which returns a list of commits reachable from one commit or branch, but unreachable from another. The API can also now return the results for comparisons over 250 commits. For more information, see the "Commits" REST API documentation and "Traversing with pagination."

  • The REST API can now be used to programmatically resend or check the status of webhooks. For more information, see "Repositories," "Organizations," and "Apps" in the REST API documentation.

  • Improvements have been made to the code scanning and GitHub Advanced Security APIs:

    • The code scanning API now returns the CodeQL query version used for an analysis. This can be used to reproduce results or confirm that an analysis used the latest query. For more information, see "Code scanning" in the REST API documentation.
    • Admin users can now use the REST API to enable or disable GitHub Advanced Security for repositories, using the security_and_analysis object on repos/{org}/{repo}. In addition, admin users can check whether Advanced Security is currently enabled for a repository by using a GET /repos/{owner}/{repo} request. These changes help you manage Advanced Security repository access at scale. For more information, see "Repositories" in the REST API documentation.

    Known issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.

  • Custom firewall rules are removed during the upgrade process.

  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.

  • Issues cannot be closed if they contain a permalink to a blob in the same repository, where the blob's file path is longer than 255 characters.

  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

  • The GitHub Packages npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.

  • Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.

  • In some cases, GitHub Advanced Security customers who upgrade to GitHub Enterprise Server 3.5 or later may notice that alerts from secret scanning are missing in the web UI and REST API. To ensure the alerts remain visible, do not skip 3.4 when you upgrade from an earlier release to 3.5 or later. A fix for 3.5 and later will be available in an upcoming patch release.

    To plan an upgrade through 3.4, see the Upgrade assistant. [Updated: 2022-08-16]