
Enterprise Server 3.3 release notes

September 21, 2022

📣 This is not the latest release of Enterprise Server. Use the latest release for the latest security, performance, and bug fixes.

    Security fixes

  • HIGH: A GitHub App could use a scoped user-to-server token to bypass user authorization logic and escalate privileges.

  • MEDIUM: The use of a Unicode right-to-left override character in the list of accessible files for a GitHub App could obscure additional files that the app could access.

  • Packages have been updated to the latest security versions.
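As an added illustration of the MEDIUM item above (editor-added example code, not part of these release notes or of GitHub's own code): a small Python check that flags Unicode bidirectional control characters, U+202E RIGHT-TO-LEFT OVERRIDE among them, in file paths before they are rendered in a list, and escapes them so a reviewer sees the real character rather than its rendering effect. The sample paths and the `audit_paths` helper are constructed for the example.

```python
import unicodedata

# Unicode bidirectional (bidi) control characters. U+202E is the
# RIGHT-TO-LEFT OVERRIDE referenced in the fix above; the others can
# equally change the order in which a rendered string appears on screen.
BIDI_CONTROLS = frozenset(
    "\u202A\u202B\u202C\u202D\u202E"  # embeddings, overrides, pop directional formatting
    "\u2066\u2067\u2068\u2069"        # isolates
    "\u200E\u200F\u061C"              # LRM, RLM, ALM
)


def find_bidi_controls(text):
    """Return (index, "U+XXXX", unicode name) for every bidi control
    character in text; an empty list means the string is clean."""
    return [
        (i, f"U+{ord(ch):04X}", unicodedata.name(ch))
        for i, ch in enumerate(text)
        if ch in BIDI_CONTROLS
    ]


def escape_bidi_controls(text):
    """Replace each bidi control with a visible <U+XXXX> token so that a
    reviewer or a log reader sees the character instead of its effect."""
    return "".join(
        f"<U+{ord(ch):04X}>" if ch in BIDI_CONTROLS else ch for ch in text
    )


def audit_paths(paths):
    """Check a list of file paths (for example the files an app declares
    access to) and report the ones containing bidi controls, escaped."""
    findings = []
    for path in paths:
        hits = find_bidi_controls(path)
        if hits:
            findings.append({"path": escape_bidi_controls(path), "controls": hits})
    return findings


if __name__ == "__main__":
    # Constructed sample: the third entry embeds U+202E, so a renderer that
    # honours bidi controls displays the rest of that line reversed.
    sample = ["README.md", "src/app.py", "notes\u202Etxt.sh"]
    for finding in audit_paths(sample):
        print(finding["path"], finding["controls"])
```

The check is deliberately character-based rather than regex-based so it also catches the isolate and mark characters, which are not overrides but still affect display order; run it on any user-supplied string that will be shown in a list or diff.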

    Bug fixes

  • Installation of a TLS certificate failed when the certificate's subject string included UTF-8 characters.

  • Configuration runs could fail when retry-limit or retry-sleep-duration were manually set by an administrator using ghe-config.

  • In some cases, the Management Console's monitor dashboard would not load correctly.

  • Removed a non-functional link for exporting Management Console monitor graphs as a PNG image.

  • When sending a support bundle to GitHub Enterprise Support using ghe-support-upload, the -t option would not successfully associate the uploaded bundle with the specified ticket.

  • A link back to the security settings for the instance's enterprise account could render an incorrect view.

  • Git clones or fetches over SSH could experience data corruption for transfers over 1GB in size.

  • After a user deleted or restored packages from the web interface, counts for packages could render incorrectly.

  • After successful configuration of Dependabot and alert digest emails, the instance would not send digest emails.

  • Manually disabled GitHub Actions workflows in a repository were re-enabled if the repository received a push containing more than 2048 commits, or if the repository's default branch changed.

  • When using a VPC endpoint URL as an AWS S3 URL for GitHub Packages, publication and installation of packages failed.

    Known issues

  • After upgrading to GitHub Enterprise Server 3.3, GitHub Actions may fail to start automatically. To resolve this issue, connect to the appliance via SSH and run the ghe-actions-start command.

  • On a freshly set up GitHub Enterprise Server instance without any users, an attacker could create the first admin user.

  • Custom firewall rules are removed during the upgrade process.

  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.

  • Issues cannot be closed if they contain a permalink to a blob in the same repository, where the blob's file path is longer than 255 characters.

  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

  • The GitHub Packages npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.

  • Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.

  • GitHub Actions storage settings cannot be validated and saved in the Management Console when "Force Path Style" is selected, and must instead be configured with the ghe-actions-precheck command line utility.

  • In some cases, GitHub Advanced Security customers who upgrade to GitHub Enterprise Server 3.5 or later may notice that alerts from secret scanning are missing in the web UI and REST API. To ensure the alerts remain visible, do not skip 3.4 when you upgrade from an earlier release to 3.5 or later. A fix is available in the 3.5.5 and 3.6.1 patch releases.

    To plan an upgrade through 3.4, see the Upgrade assistant. [Updated: 2022-09-01]

August 30, 2022


    Bug fixes

  • After unlocking a repository for temporary access, site administrators were unable to manage the settings for security products in the repository.

  • Duplicate administrative SSH keys could appear in both the Management Console and the /home/admin/.ssh/authorized_keys file.

  • In some cases, running ghe-cluster-config-apply could replicate an empty configuration to existing nodes in the cluster.

  • In some cases, configuration runs started with ghe-config-apply did not complete, or returned a Container count mismatch error.

  • After updating a self-signed TLS certificate on a GitHub Enterprise Server instance, UI elements on some pages in the web interface did not appear.

  • In some cases, background tasks could stall because a library that is not thread-safe was used concurrently.

    Changes

  • Generation of support bundles is faster as a result of parallelized log sanitization. For more information about support bundles, see "Providing data to GitHub Support."

  • The enterprise audit log now includes more user-generated events, such as project.create. The REST API also returns additional user-generated events, such as repo.create. For more information, see "[Accessing the audit log for your enterprise](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/accessing-the-audit-log-for-your-enterprise)" and "[Using the audit log API for your enterprise](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/using-the-audit-log-api-for-your-enterprise#querying-the-audit-log-rest-api)."

    Known issues

  • After upgrading to GitHub Enterprise Server 3.3, GitHub Actions may fail to start automatically. To resolve this issue, connect to the appliance via SSH and run the ghe-actions-start command.

  • On a freshly set up GitHub Enterprise Server instance without any users, an attacker could create the first admin user.

  • Custom firewall rules are removed during the upgrade process.

  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.

  • Issues cannot be closed if they contain a permalink to a blob in the same repository, where the blob's file path is longer than 255 characters.

  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

  • The GitHub Packages npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.

  • Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.

  • GitHub Actions storage settings cannot be validated and saved in the Management Console when "Force Path Style" is selected, and must instead be configured with the ghe-actions-precheck command line utility.

  • In some cases, GitHub Advanced Security customers who upgrade to GitHub Enterprise Server 3.5 or later may notice that alerts from secret scanning are missing in the web UI and REST API. To ensure the alerts remain visible, do not skip 3.4 when you upgrade from an earlier release to 3.5 or later. A fix is available in the 3.5.5 and 3.6.1 patch releases.

    To plan an upgrade through 3.4, see the Upgrade assistant. [Updated: 2022-09-01]

August 11, 2022


    Security fixes

  • CRITICAL: GitHub Enterprise Server's Elasticsearch container used a version of OpenJDK 8 that was vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. The vulnerability is tracked as CVE-2022-34169.

  • HIGH: Previously installed apps on user accounts were automatically granted permission to access an organization on scoped access tokens after the user account was transformed into an organization account. This vulnerability was reported via the GitHub Bug Bounty program.

    Bug fixes

  • When a custom dormancy threshold was set for the instance, suspending all dormant users did not reliably respect the threshold. For more information about dormancy, see "Managing dormant users."

    Known issues

  • After upgrading to GitHub Enterprise Server 3.3, GitHub Actions may fail to start automatically. To resolve this issue, connect to the appliance via SSH and run the ghe-actions-start command.

  • On a freshly set up GitHub Enterprise Server instance without any users, an attacker could create the first admin user.

  • Custom firewall rules are removed during the upgrade process.

  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.

  • Issues cannot be closed if they contain a permalink to a blob in the same repository, where the blob's file path is longer than 255 characters.

  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

  • The GitHub Packages npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.

  • Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.

  • GitHub Actions storage settings cannot be validated and saved in the Management Console when "Force Path Style" is selected, and must instead be configured with the ghe-actions-precheck command line utility.

  • In some cases, GitHub Advanced Security customers who upgrade to GitHub Enterprise Server 3.5 or later may notice that alerts from secret scanning are missing in the web UI and REST API. To ensure the alerts remain visible, do not skip 3.4 when you upgrade from an earlier release to 3.5 or later. A fix is available in the 3.5.5 and 3.6.1 patch releases.

    To plan an upgrade through 3.4, see the Upgrade assistant. [Updated: 2022-09-01]

July 21, 2022


    Security fixes

  • MEDIUM: Prevented a server-side request forgery (SSRF) attack that could force the Subversion (SVN) bridge to execute remote code by injecting arbitrary data into Memcached.

  • MEDIUM: Prevented an attacker from executing JavaScript code by exploiting a cross-site scripting (XSS) vulnerability in dropdown UI elements within the GitHub Enterprise Server web interface.

  • Updated Grafana to version 7.5.16, which addresses various security vulnerabilities, including CVE-2020-13379 and CVE-2022-21702.

  • Packages have been updated to the latest security versions.

  • MEDIUM: A stored XSS vulnerability was identified in GitHub Enterprise Server that allowed the injection of arbitrary attributes. This injection was blocked by GitHub's Content Security Policy (CSP). This vulnerability was reported via the GitHub Bug Bounty program and has been assigned CVE-2022-23733. [Updated: 2022-07-31]

    Bug fixes

  • Fixed an issue where file permissions in a project's zip archive were 000 when extracted with an unzip tool. The permissions on these files are now set to 644, as they are on GitHub.com.

  • In some cases, the collectd daemon could consume excessive memory.

  • In some cases, backups of rotated log files could accumulate and consume excessive storage.

  • After upgrading to a new feature release and running a subsequent configuration, Elasticsearch could log excessive exceptions while rebuilding indices.

  • In some cases where a protected branch required more than one approving review, a pull request could be merged with fewer than the required number of approving reviews.

  • On instances using LDAP authentication, the authentication prompt for sudo mode incorrectly placed the cursor in the password field by default when both the username and password text fields were visible.

    Changes

  • The ghe-set-password command line utility starts the required services automatically when the instance is booted in recovery mode.

  • Metrics for the aqueduct background processes are collected for collectd forwarding and displayed in the Management Console.

  • The location of the database migration and configuration run log, /data/user/common/ghe-config.log, is now shown on the page that details an in-progress migration.

    Known issues

  • After upgrading to GitHub Enterprise Server 3.3, GitHub Actions may fail to start automatically. To resolve this issue, connect to the appliance via SSH and run the ghe-actions-start command.

  • On a freshly set up GitHub Enterprise Server instance without any users, an attacker could create the first admin user.

  • Custom firewall rules are removed during the upgrade process.

  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.

  • Issues cannot be closed if they contain a permalink to a blob in the same repository, where the blob's file path is longer than 255 characters.

  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

  • The GitHub Packages npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.

  • Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.

  • GitHub Actions storage settings cannot be validated and saved in the Management Console when "Force Path Style" is selected, and must instead be configured with the ghe-actions-precheck command line utility.

  • In some cases, GitHub Advanced Security customers who upgrade to GitHub Enterprise Server 3.5 or later may notice that alerts from secret scanning are missing in the web UI and REST API. To ensure the alerts remain visible, do not skip 3.4 when you upgrade from an earlier release to 3.5 or later. A fix is available in the 3.5.5 and 3.6.1 patch releases.

    To plan an upgrade through 3.4, see the Upgrade assistant. [Updated: 2022-09-01]

June 28, 2022


    Security fixes

  • MEDIUM: Ensured that github.company.com and github-company.com are not evaluated by internal services as the same hostname, preventing a potential server-side request forgery (SSRF) attack.

  • LOW: An attacker could access the Management Console over HTTP using a path traversal attack, even when external firewall rules blocked HTTP access.

  • Packages have been updated to the latest security versions.

    Bug fixes

  • In some cases, site administrators were not automatically added as enterprise owners.

  • After merging a branch into the default branch, the "History" link for a file still pointed to the previous branch instead of the target branch.

    Changes

  • Creating or updating check runs or check suites could return a "500 Internal Server Error" if the value of certain fields, such as the name, was too long.

    Known issues

  • After upgrading to GitHub Enterprise Server 3.3, GitHub Actions may fail to start automatically. To resolve this issue, connect to the appliance via SSH and run the ghe-actions-start command.

  • On a freshly set up GitHub Enterprise Server instance without any users, an attacker could create the first admin user.

  • Custom firewall rules are removed during the upgrade process.

  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.

  • Issues cannot be closed if they contain a permalink to a blob in the same repository, where the blob's file path is longer than 255 characters.

  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

  • The GitHub Packages npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.

  • Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.

  • GitHub Actions storage settings cannot be validated and saved in the Management Console when "Force Path Style" is selected, and must instead be configured with the ghe-actions-precheck command line utility.

  • In some cases, GitHub Advanced Security customers who upgrade to GitHub Enterprise Server 3.5 or later may notice that alerts from secret scanning are missing in the web UI and REST API. To ensure the alerts remain visible, do not skip 3.4 when you upgrade from an earlier release to 3.5 or later. A fix is available in the 3.5.5 and 3.6.1 patch releases.

    To plan an upgrade through 3.4, see the Upgrade assistant. [Updated: 2022-09-01]

June 09, 2022


    Security fixes

  • Packages have been updated to the latest security versions.

    Bug fixes

  • The internal script used to validate hostnames in the GitHub Enterprise Server configuration file would return an error if the hostname string began with a "." (period character).

  • In HA configurations where the primary node's hostname was longer than 60 characters, MySQL would fail to be configured.

  • The --gateway argument was added to the ghe-setup-network command, to allow the gateway address to be passed when configuring network settings from the command line.

  • Deleted image attachments would return a 500 Internal Server Error instead of a 404 Not Found error.

  • The calculation of "maximum committers across entire instance" reported in the site admin dashboard was incorrect.

  • An incorrect database entry for repository replicas caused database corruption when performing a restore using GitHub Enterprise Server Backup Utilities.

    Changes

  • Optimized the metrics included when generating a cluster support bundle.

  • In HA configurations where Elasticsearch reported a valid yellow status, changes introduced in a previous fix would block the ghe-repl-stop command and not allow replication to be stopped. Using ghe-repl-stop --force will now force Elasticsearch to stop when the service is in a normal or valid yellow status.

  • When using ghe-migrator or exporting from GitHub.com, migrations would fail to export pull request attachments.

    Known issues

  • After upgrading to GitHub Enterprise Server 3.3, GitHub Actions may fail to start automatically. To resolve this issue, connect to the appliance via SSH and run the ghe-actions-start command.

  • On a freshly set up GitHub Enterprise Server instance without any users, an attacker could create the first admin user.

  • Custom firewall rules are removed during the upgrade process.

  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.

  • Issues cannot be closed if they contain a permalink to a blob in the same repository, where the blob's file path is longer than 255 characters.

  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

  • The GitHub Packages npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.

  • Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.

  • GitHub Actions storage settings cannot be validated and saved in the Management Console when "Force Path Style" is selected, and must instead be configured with the ghe-actions-precheck command line utility.

  • In some cases, GitHub Advanced Security customers who upgrade to GitHub Enterprise Server 3.5 or later may notice that alerts from secret scanning are missing in the web UI and REST API. To ensure the alerts remain visible, do not skip 3.4 when you upgrade from an earlier release to 3.5 or later. A fix is available in the 3.5.5 and 3.6.1 patch releases.

    To plan an upgrade through 3.4, see the Upgrade assistant. [Updated: 2022-09-01]

May 17, 2022


    Security fixes

  • MEDIUM: A security issue was identified in the nginx resolver, where an attacker who could forge UDP packets from the DNS server could cause a 1-byte memory overwrite, resulting in worker process crashes or other potentially damaging impact. The vulnerability has been assigned CVE-2021-23017.

  • Updated the actions/checkout@v2 and actions/checkout@v3 actions to address the new vulnerabilities announced in the Git security enforcement blog post.

  • Packages have been updated to the latest security versions.

    Bug fixes

  • In some cluster topologies, the ghe-cluster-status command left empty directories in /tmp.

  • SNMP incorrectly logged a high number of Cannot statfs error messages to syslog.

  • For instances configured with SAML authentication and built-in fallback enabled, built-in users would get stuck in a "login" loop when attempting to log in from the page generated after logging out.

  • Attempting to view the git fsck output from the /stafftools/repositories/:owner/:repo/disk page would fail with a "500 Internal Server Error".

  • When using SAML encrypted assertions, some assertions did not correctly mark SSH keys as verified.

  • Videos uploaded to issue comments would not be rendered properly.

  • When using the file finder on a repository page, typing backspace in the search field would list search results multiple times and cause rendering problems.

  • When importing a repository with GitHub Enterprise Importer, some issues would fail to import due to incorrectly configured project timeline events.

  • When using ghe-migrator, migrations would fail to import video file attachments in issues and pull requests.

  • The Releases page would return a 500 error when the repository had tags containing non-ASCII characters. [Updated: 2022-06-10]

    Changes

  • In high availability configurations, clarified that the replication overview page in the Management Console only displays the current replication configuration, not the current replication status.

  • When enabling GitHub Packages, clarified that using a Shared Access Signature (SAS) token as a connection string is not currently supported.

  • Support bundles now include the row count of tables stored in MySQL.

  • When determining which repository networks to schedule maintenance on, we no longer count the size of unreachable objects.

  • The run_started_at response field is now included in the workflow runs API and the workflow_run event webhook payload.

    Known issues

  • After upgrading to GitHub Enterprise Server 3.3, GitHub Actions may fail to start automatically. To resolve this issue, connect to the appliance via SSH and run the ghe-actions-start command.

  • On a freshly set up GitHub Enterprise Server instance without any users, an attacker could create the first admin user.

  • Custom firewall rules are removed during the upgrade process.

  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.

  • Issues cannot be closed if they contain a permalink to a blob in the same repository, where the blob's file path is longer than 255 characters.

  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

  • The GitHub Packages npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value once we have solved the existing performance issues.

  • Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.

  • GitHub Actions storage settings cannot be validated and saved in the Management Console when "Force Path Style" is selected, and must instead be configured with the ghe-actions-precheck command line utility.

  • In some cases, GitHub Advanced Security customers who upgrade to GitHub Enterprise Server 3.5 or later may notice that alerts from secret scanning are missing in the web UI and REST API. To ensure the alerts remain visible, do not skip 3.4 when you upgrade from an earlier release to 3.5 or later. A fix is available in the 3.5.5 and 3.6.1 patch releases.

    To plan an upgrade through 3.4, see the Upgrade assistant. [Updated: 2022-09-01]

April 20, 2022


    Security fixes

  • Packages have been updated to the latest security versions.

    Bug fixes

  • Removing a manifest file from a repository did not remove the manifest from the repository's "Dependency graph" page.

  • Addressed a regression that could cause retrieving build artifacts and downloading log archives for GitHub Actions to consistently fail. In some cases, we stopped resolving URLs for internal communication that used localhost and instead incorrectly used the instance hostname.

  • In some cases, using the upgrade package to upgrade a node in a high availability pair could cause Elasticsearch to enter an inconsistent state.

  • Rotated log files with a .backup extension would accumulate in the directories containing system logs.

  • In some cluster topologies, the command line utilities ghe-spokesctl and ghe-btop failed to run.

  • Elasticsearch indices could be duplicated during a package upgrade, because the elasticsearch-upgrade service ran multiple times in parallel.

  • In the pull request and commit views, rich diffs would fail to load for some files tracked by Git LFS.

  • When converting a user account into an organization account, if the user account was an owner of the GitHub Enterprise Server enterprise account, the converted organization would not be displayed correctly in the enterprise owners list.

  • Creating an impersonation OAuth token using the Enterprise Administration REST API resulted in an error when an integration matching the OAuth application ID already existed.

  • The secret scanning REST API would return a 500 response code when UTF8 characters were present in a detected secret.

  • Repository cache servers could serve data from non-cache locations even when the data was available in the local cache location.

    Changes

  • Configuration errors that halt a config apply run are now output to the terminal in addition to the configuration log.

  • When attempting to cache a value larger than the maximum allowed in Memcached, an error is raised but the key is not reported.

  • If GitHub Advanced Security features are enabled on the instance, the performance of background jobs has improved when processing batches of repository contributions.

    Known issues

  • After upgrading to GitHub Enterprise Server 3.3, GitHub Actions may fail to start automatically. To resolve this issue, connect to the appliance via SSH and run the ghe-actions-start command.

  • On a freshly set up GitHub Enterprise Server instance without any users, an attacker could create the first admin user.

  • Custom firewall rules are removed during the upgrade process.

  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.

  • Issues cannot be closed if they contain a permalink to a blob in the same repository, where the blob's file path is longer than 255 characters.

  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

  • The GitHub Packages npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.

  • Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.

  • GitHub Actions storage settings cannot be validated and saved in the Management Console when "Force Path Style" is selected, and must instead be configured with the ghe-actions-precheck command line utility.

  • GitHub Enterprise Server 3.3 instances installed on Azure and provisioned with more than 32 CPU cores would fail to boot due to a bug in the current Linux kernel. [Updated: 2022-04-08]

  • In some cases, GitHub Advanced Security customers who upgrade to GitHub Enterprise Server 3.5 or later may notice that alerts from secret scanning are missing in the web UI and REST API. To ensure the alerts remain visible, do not skip 3.4 when you upgrade from an earlier release to 3.5 or later. A fix is available in the 3.5.5 and 3.6.1 patch releases.

    To plan an upgrade through 3.4, see the Upgrade assistant. [Updated: 2022-09-01]

April 04, 2022


    Security fixes

  • MEDIUM: A path traversal vulnerability was identified in the GitHub Enterprise Server Management Console that allowed CSRF protections to be bypassed. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.5 and was fixed in versions 3.1.19, 3.2.11, 3.3.6, and 3.4.1. The vulnerability was reported via the GitHub Bug Bounty program and has been assigned CVE-2022-23732.

  • MEDIUM: An integer overflow vulnerability was identified in the 1.x branch and the 2.x branch of yajl that leads to subsequent heap memory corruption when dealing with large (~2GB) inputs. This vulnerability was reported internally and has been assigned CVE-2022-24795.

  • Support bundles could include sensitive files if GitHub Actions was enabled.

  • Packages have been updated to the latest security versions.

    Bug fixes

  • An error caused some security advisories to temporarily read as no longer applicable when Dependabot was enabled.

  • Minio processes would have high CPU usage if an old configuration option was present after upgrading GitHub Enterprise Server.

  • The options to enable TLS 1.0 and TLS 1.1 in the Management Console's "Privacy" settings were shown, although those protocol versions were removed in an earlier release.

  • In an HA environment, configuring MSSQL replication could require additional manual steps after enabling GitHub Actions for the first time.

  • A subset of internal configuration files are updated more reliably after a hotpatch.

  • The ghe-run-migrations script would sometimes fail to generate temporary certificate names correctly.

  • In a cluster environment, Git LFS operations could fail because of failed internal API calls spanning multiple web nodes.

  • Pre-receive hooks that used gpg --import timed out due to insufficient syscall privileges.

  • Webhook delivery information was not available in some cluster topologies.

  • Elasticsearch health checks would not allow a yellow cluster status when running migrations.

  • Repositories would display a non-functional Discussions tab in the web UI.

  • Organizations created as a result of a user converting their user account into an organization account were not added to the global enterprise account.

  • A link to an inaccessible page was removed.

  • The GitHub Actions deployment graph would display an error when rendering a pending job.

  • Some instances experienced high CPU usage due to large numbers of unnecessary background jobs being queued.

  • The LDAP user sync job would fail when trying to sync GPG keys that had been synced previously.

  • Following a pull request link from a user's pull request dashboard would result in the repository header failing to load.

  • Adding a team as a reviewer to a pull request would sometimes show an incorrect number of members for the team.

  • The Remove team membership API endpoint would respond with an error when attempting to remove a member externally managed via a SCIM group.

  • A large number of dormant users could cause a GitHub Connect configuration to fail.

  • The "Feature & beta enrollments" page in the site admin web UI was not functioning properly.

  • The "Site admin mode" link in the site footer did not change state when clicked.

  • The spokesctl cache-policy rm command no longer fails with the message error: failed to delete cache policy.

    Changes

  • Memcached connection limits were increased to better accommodate large cluster topologies.

  • The Dependency Graph API previously ran with a statically defined port.

  • The default shard counts for cluster-related Elasticsearch shard settings have been updated.

  • When filtering enterprise members by organization role on the "People" page, the text for dropdown menu items has been improved.

  • The "Triage" and "Maintain" team roles are preserved during repository migrations.

  • The performance of web requests made by enterprise owners has been improved.

    Known issues

  • After upgrading to GitHub Enterprise Server 3.3, GitHub Actions may fail to start automatically. To resolve this issue, connect to the appliance via SSH and run the ghe-actions-start command.

  • On a freshly set up GitHub Enterprise Server instance without any users, an attacker could create the first admin user.

  • Custom firewall rules are removed during the upgrade process.

  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.

  • Issues cannot be closed if they contain a permalink to a blob in the same repository, where the blob's file path is longer than 255 characters.

  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

  • The GitHub Packages npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.

  • Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.

  • GitHub Actions storage settings cannot be validated and saved in the Management Console when "Force Path Style" is selected, and must instead be configured with the ghe-actions-precheck command line utility.

  • GitHub Enterprise Server 3.3 instances installed on Azure and provisioned with more than 32 CPU cores would fail to boot due to a bug in the current Linux kernel. [Updated: 2022-04-08]

  • In some cases, GitHub Advanced Security customers who upgrade to GitHub Enterprise Server 3.5 or later may notice that alerts from secret scanning are missing in the web UI and REST API. To ensure the alerts remain visible, do not skip 3.4 when you upgrade from an earlier release to 3.5 or later. A fix is available in the 3.5.5 and 3.6.1 patch releases.

    To plan an upgrade through 3.4, see the Upgrade assistant. [Updated: 2022-09-01]

March 01, 2022


    Security fixes

  • HIGH: An integer overflow vulnerability was identified in GitHub's Markdown parser that could lead to information leakage and RCE. This vulnerability was reported by Felix Wilhelm of Google Project Zero via the GitHub Bug Bounty program and has been assigned CVE-2022-24724.

    Bug fixes

  • Upgrades could sometimes fail if a high availability replica's clock was out of sync with the primary.

  • OAuth applications created after September 1, 2020 were unable to use the Check an authorization API endpoint.

    Known issues

  • After upgrading to GitHub Enterprise Server 3.3, GitHub Actions may fail to start automatically. To resolve this issue, connect to the appliance via SSH and run the ghe-actions-start command.

  • On a freshly set up GitHub Enterprise Server instance without any users, an attacker could create the first admin user.

  • Custom firewall rules are removed during the upgrade process.

  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.

  • Issues cannot be closed if they contain a permalink to a blob in the same repository, where the blob's file path is longer than 255 characters.

  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

  • The GitHub Packages npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.

  • Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.

  • GitHub Actions storage settings cannot be validated and saved in the Management Console when "Force Path Style" is selected, and must instead be configured with the ghe-actions-precheck command line utility.

  • GitHub Enterprise Server 3.3 instances installed on Azure and provisioned with more than 32 CPU cores would fail to boot due to a bug in the current Linux kernel. [Updated: 2022-04-08]

  • In some cases, GitHub Advanced Security customers who upgrade to GitHub Enterprise Server 3.5 or later may notice that alerts from secret scanning are missing in the web UI and REST API. To ensure the alerts remain visible, do not skip 3.4 when you upgrade from an earlier release to 3.5 or later. A fix is available in the 3.5.5 and 3.6.1 patch releases.

    To plan an upgrade through 3.4, see the Upgrade assistant. [Updated: 2022-09-01]

February 17, 2022


    Security fixes

  • Users could register a user or organization named "saml".

  • Packages have been updated to the latest security versions.

    Bug fixes

  • GitHub Packages storage settings could not be validated and saved in the Management Console when Azure Blob Storage was used.

  • The ghe-config-check for the mssql.backup.cadence configuration option failed with an invalid character set warning.

  • Fixed a SystemStackError (stack too deep) when fetching more than 2^16 keys from memcached.

  • Many select menus across the site rendered incorrectly and were not functional.

    Changes

  • The dependency graph can now be enabled without vulnerability data, allowing customers to see which dependencies and versions are in use. Enabling the dependency graph without enabling GitHub Connect will not provide vulnerability information.

  • Secret scanning will skip scanning ZIP and other archive files for secrets.

    Known issues

  • After upgrading to GitHub Enterprise Server 3.3, GitHub Actions may fail to start automatically. To resolve this issue, connect to the appliance via SSH and run the ghe-actions-start command.

  • On a freshly set up GitHub Enterprise Server instance without any users, an attacker could create the first admin user.

  • Custom firewall rules are removed during the upgrade process.

  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.

  • Issues cannot be closed if they contain a permalink to a blob in the same repository, where the blob's file path is longer than 255 characters.

  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

  • The GitHub Packages npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.

  • Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.

  • GitHub Actions storage settings cannot be validated and saved in the Management Console when "Force Path Style" is selected, and must instead be configured with the ghe-actions-precheck command line utility.

  • GitHub Enterprise Server 3.3 instances installed on Azure and provisioned with more than 32 CPU cores would fail to boot due to a bug in the current Linux kernel. [Updated: 2022-04-08]

  • In some cases, GitHub Advanced Security customers who upgrade to GitHub Enterprise Server 3.5 or later may notice that alerts from secret scanning are missing in the web UI and REST API. To ensure the alerts remain visible, do not skip 3.4 when you upgrade from an earlier release to 3.5 or later. A fix is available in the 3.5.5 and 3.6.1 patch releases.

    To plan an upgrade through 3.4, see the Upgrade assistant. [Updated: 2022-09-01]

February 01, 2022


    Security fixes

  • The secret scanning API could return alerts for repositories outside the scope of the request.

  • Packages have been updated to the latest security versions.

    Bug fixes

  • Pages would become unavailable following a MySQL secret rotation, until nginx was manually restarted.

  • Migrations could fail if GitHub Actions was enabled.

  • When setting a maintenance schedule with an ISO 8601 date, the actual scheduled time would not match because the time zone was not converted to UTC.

  • Spurious error messages about cloud-config.service would be output to the console.

  • The version number would not update correctly after installing a hotpatch using ghe-cluster-each.

  • Webhook table cleanup jobs could run simultaneously, causing resource contention and increased job runtimes.

  • When run from the primary node, ghe-repl-teardown on a replica node would not remove the replica node from the MSSQL availability group.

  • The following feature did not work properly: restricting email-based notifications to users with an email on a verified or approved domain.

  • When using CAS authentication with the "Reactivate suspended users" option enabled, suspended users were not automatically reactivated.

  • Long-running database migrations related to the "Security alerts" setting could delay upgrade completion.

    Changes

  • GitHub Connect data connection records now include a count of active and dormant users and the configured dormancy period.

    Known issues

  • After upgrading to GitHub Enterprise Server 3.3, GitHub Actions may fail to start automatically. To resolve this issue, connect to the appliance via SSH and run the ghe-actions-start command.

  • On a freshly set up GitHub Enterprise Server instance without any users, an attacker could create the first admin user.

  • Custom firewall rules are removed during the upgrade process.

  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.

  • Issues cannot be closed if they contain a permalink to a blob in the same repository, where the blob's file path is longer than 255 characters.

  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

  • The GitHub Packages npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.

  • Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.

  • GitHub Actions storage settings cannot be validated and saved in the Management Console when "Force Path Style" is selected, and must instead be configured with the ghe-actions-precheck command line utility.

  • GitHub Enterprise Server 3.3 instances installed on Azure and provisioned with more than 32 CPU cores would fail to boot due to a bug in the current Linux kernel. [Updated: 2022-04-08]

  • In some cases, GitHub Advanced Security customers who upgrade to GitHub Enterprise Server 3.5 or later may notice that alerts from secret scanning are missing in the web UI and REST API. To ensure the alerts remain visible, do not skip 3.4 when you upgrade from an earlier release to 3.5 or later. A fix is available in the 3.5.5 and 3.6.1 patch releases.

    To plan an upgrade through 3.4, see the Upgrade assistant. [Updated: 2022-09-01]

January 18, 2022


    Security fixes

  • Packages have been updated to the latest security versions. Among these updates, Log4j has been updated to version 2.17.1. Note: the mitigations previously released in 3.3.1, 3.2.6, 3.1.14, and 3.0.22 are sufficient to address the impact of CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, and CVE-2021-44832 in these versions of GitHub Enterprise Server.

  • Sanitize more secrets in generated support bundles.

  • Users in teams with the security manager role will now receive notifications about security alerts on repositories they are watching.

  • The security manager component displays a less aggressive warning when the maximum number of teams has been reached.

  • The repository admin access page should return a 403 when attempting to remove a security manager team from the repository.

  • Packages have been updated to the latest security versions.

    Bug fixes

  • Actions self-hosted runners would fail to self-update or run new jobs after upgrading from an older GHES installation.

  • Storage settings could not be validated when configuring MinIO as blob storage for GitHub Packages.

  • GitHub Actions storage settings could not be validated and saved in the Management Console when "Force Path Style" was selected.

  • Actions would remain stopped after an update with maintenance mode set.

  • Running ghe-config-apply could sometimes fail due to permission issues in /data/user/tmp/pages.

  • The Save button in the Management Console could not be reached by scrolling in browsers at lower resolutions.

  • IOPS and storage traffic monitoring graphs did not update after the collectd version upgrade.

  • Some webhook-related jobs could generate a large amount of logs.

  • The billing navigation item was visible in the site admin pages.

  • Multiple documentation links resulted in "404 Not Found" errors.

    Known issues

  • After upgrading to GitHub Enterprise Server 3.3, GitHub Actions may fail to start automatically. To resolve this issue, connect to the appliance via SSH and run the ghe-actions-start command.

  • On a freshly set up GitHub Enterprise Server instance without any users, an attacker could create the first admin user.

  • Custom firewall rules are removed during the upgrade process.

  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.

  • Issues cannot be closed if they contain a permalink to a blob in the same repository, where the blob's file path is longer than 255 characters.

  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

  • The GitHub Packages npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.

  • Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.

  • GitHub Actions storage settings cannot be validated and saved in the Management Console when "Force Path Style" is selected, and must instead be configured with the ghe-actions-precheck command line utility.

  • GitHub Enterprise Server 3.3 instances installed on Azure and provisioned with more than 32 CPU cores would fail to boot due to a bug in the current Linux kernel. [Updated: 2022-04-08]

  • In some cases, GitHub Advanced Security customers who upgrade to GitHub Enterprise Server 3.5 or later may notice that alerts from secret scanning are missing in the web UI and REST API. To ensure the alerts remain visible, do not skip 3.4 when you upgrade from an earlier release to 3.5 or later. A fix is available in the 3.5.5 and 3.6.1 patch releases.

    To plan an upgrade through 3.4, see the Upgrade assistant. [Updated: 2022-09-01]

December 13, 2021


    Security fixes

  • CRITICAL: A remote code execution vulnerability in the Log4j library, identified as CVE-2021-44228, affected all versions of GitHub Enterprise Server prior to 3.3.1. The Log4j library is used in an open source service running on the GitHub Enterprise Server instance. This vulnerability was fixed in GitHub Enterprise Server versions 3.0.22, 3.1.14, 3.2.6, and 3.3.1. For more information, see the GitHub blog post.

  • Updated December 17, 2021: The fixes in this release also mitigate CVE-2021-45046, which was published after this release. No additional upgrade of GitHub Enterprise Server is necessary to mitigate both CVE-2021-44228 and CVE-2021-45046.

    Known issues

  • After upgrading to GitHub Enterprise Server 3.3, GitHub Actions may fail to start automatically. To resolve this issue, connect to the appliance via SSH and run the ghe-actions-start command.

  • On a freshly set up GitHub Enterprise Server instance without any users, an attacker could create the first admin user.

  • Custom firewall rules are removed during the upgrade process.

  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.

  • Issues cannot be closed if they contain a permalink to a blob in the same repository, where the blob's file path is longer than 255 characters.

  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

  • The GitHub Packages npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.

  • Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.

  • GitHub Actions storage settings cannot be validated and saved in the Management Console when "Force Path Style" is selected, and must instead be configured with the ghe-actions-precheck command line utility.

  • GitHub Enterprise Server 3.3 instances installed on Azure and provisioned with more than 32 CPU cores would fail to boot due to a bug in the current Linux kernel. [Updated: 2022-04-08]

  • In some cases, GitHub Advanced Security customers who upgrade to GitHub Enterprise Server 3.5 or later may notice that alerts from secret scanning are missing in the web UI and REST API. To ensure the alerts remain visible, do not skip 3.4 when you upgrade from an earlier release to 3.5 or later. A fix is available in the 3.5.5 and 3.6.1 patch releases.

    To plan an upgrade through 3.4, see the Upgrade assistant. [Updated: 2022-09-01]

December 07, 2021


For upgrade instructions, see "Upgrading GitHub Enterprise Server."

Note: We are aware of an issue where GitHub Actions may fail to start automatically following the upgrade to GitHub Enterprise Server 3.3. To resolve, connect to the appliance via SSH and run the ghe-actions-start command.

    Features

    Security Manager role

  • Organization owners can now grant teams the access to manage security alerts and settings on their repositories. The "security manager" role can be applied to any team and grants the team's members the following access:

    • Read access on all repositories in the organization.
    • Write access on all security alerts in the organization.
    • Access to the organization-level security tab.
    • Write access on security settings at the organization level.
    • Write access on security settings at the repository level.

    The security manager role is available as a public beta and subject to change. For more information, see "Managing security managers in your organization." [Updated 2022-07-29]

    Ephemeral self-hosted runners for GitHub Actions & new webhooks for auto-scaling

  • GitHub Actions now supports ephemeral (single job) self-hosted runners and a new workflow_job webhook to make autoscaling runners easier.

    Ephemeral runners are good for self-managed environments where each job is required to run on a clean image. After a job is run, ephemeral runners are automatically unregistered from your GitHub Enterprise Server instance, allowing you to perform any post-job management.

    You can combine ephemeral runners with the new workflow_job webhook to automatically scale self-hosted runners in response to GitHub Actions job requests.

    For more information, see "Autoscaling with self-hosted runners" and "Webhook events and payloads."
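As an added example (not code from the page or from GitHub), a minimal receiver for the workflow_job webhook: it verifies the delivery's X-Hub-Signature-256 header before parsing anything, then maps `queued` to "provision one ephemeral runner with these labels" and `completed` to "tear down the host the runner just left". The secret and the payloads are constructed; the actual provisioning (registering the runner with the `--ephemeral` option) is left to the caller.

```python
import hashlib
import hmac
import json

# Constructed secret for this example; use the secret configured on the webhook in practice.
WEBHOOK_SECRET = b"constructed-example-secret"


def sign(secret: bytes, body: bytes) -> str:
    """Compute the value GitHub sends in X-Hub-Signature-256 for a delivery body."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, body: bytes, signature_header: str) -> bool:
    """Constant-time check of the signature header against the raw (unparsed) body."""
    if not signature_header.startswith("sha256="):
        return False
    return hmac.compare_digest(sign(secret, body), signature_header)


def scaling_decision(event_name: str, payload: dict):
    """Map one workflow_job delivery to an autoscaling action.

    queued    -> provision one ephemeral runner carrying the job's labels
    completed -> the ephemeral runner has already unregistered itself; tear down its host
    """
    if event_name != "workflow_job":
        return ("ignore", None)
    job = payload["workflow_job"]
    if payload["action"] == "queued":
        return ("provision_ephemeral_runner", sorted(job["labels"]))
    if payload["action"] == "completed":
        return ("teardown_host", job.get("runner_name"))
    return ("ignore", None)


def process_delivery(headers: dict, body: bytes):
    """Reject unsigned or tampered deliveries before any JSON is parsed."""
    if not verify_signature(WEBHOOK_SECRET, body, headers.get("X-Hub-Signature-256", "")):
        return ("reject", None)
    return scaling_decision(headers.get("X-GitHub-Event", ""), json.loads(body))


# Constructed sample deliveries, trimmed to the fields used above.
QUEUED_BODY = json.dumps({
    "action": "queued",
    "workflow_job": {"id": 1, "labels": ["self-hosted", "linux", "x64"], "runner_name": None},
}).encode()
COMPLETED_BODY = json.dumps({
    "action": "completed",
    "workflow_job": {"id": 1, "labels": ["self-hosted", "linux", "x64"], "runner_name": "eph-01"},
}).encode()


def sample_headers(body: bytes) -> dict:
    return {"X-GitHub-Event": "workflow_job", "X-Hub-Signature-256": sign(WEBHOOK_SECRET, body)}


if __name__ == "__main__":
    print(process_delivery(sample_headers(QUEUED_BODY), QUEUED_BODY))
    print(process_delivery(sample_headers(COMPLETED_BODY), COMPLETED_BODY))
    # A body altered in transit no longer matches its signature and is rejected.
    print(process_delivery(sample_headers(QUEUED_BODY), QUEUED_BODY + b" "))
```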

  • Dark high contrast theme

  • A dark high contrast theme, with greater contrast between foreground and background elements, is now available on GitHub Enterprise Server 3.3. This release also includes improvements to the color system across all GitHub themes.

    Animated image of switching between dark default theme and dark high contrast on the appearance settings page

    For more information about changing your theme, see "Managing your theme settings."

    Changes

    Administration Changes

  • GitHub Enterprise Server 3.3 includes improvements to the maintenance of repositories, especially for repositories that contain many unreachable objects. Note that the first maintenance cycle after upgrading to GitHub Enterprise Server 3.3 may take longer than usual to complete.

  • GitHub Enterprise Server 3.3 includes the public beta of a repository cache for geographically distributed teams and CI infrastructure. The repository cache keeps a read-only copy of your repositories available in additional geographies, which prevents clients from downloading duplicate Git content from your primary instance. For more information, see "About repository caching."

  • GitHub Enterprise Server 3.3 includes improvements to the user impersonation process. An impersonation session now requires a justification for the impersonation, actions are recorded in the audit log as being performed as an impersonated user, and the user who is impersonated will receive an email notification that they have been impersonated by an enterprise administrator. For more information, see "Impersonating a user."

  • A new stream processing service has been added to facilitate the growing set of events that are published to the audit log, including events associated with Git and GitHub Actions activity.

  • The GitHub Connect data connection record now includes a list of enabled GitHub Connect features. [Updated 2021-12-09]

  • Token Changes

  • An expiration date can now be set for new and existing personal access tokens. Setting an expiration date on personal access tokens is highly recommended to prevent older tokens from leaking and compromising security. Token owners will receive an email when it's time to renew a token that's about to expire. Tokens that have expired can be regenerated, giving users a duplicate token with the same properties as the original.

    When using a personal access token with the GitHub API, a new GitHub-Authentication-Token-Expiration header is included in the response, which indicates the token's expiration date. For more information, see "Creating a personal access token."

  • Notifications changes

  • Notification emails from discussions now include (Discussion #xx) in the subject, so you can recognize and filter emails that reference discussions.

  • Repositories changes

  • Public repositories now have a Public label next to their names like private and internal repositories. This change makes it easier to identify public repositories and avoid accidentally committing private code.

  • If you specify the exact name of a branch when using the branch selector menu, the result now appears at the top of the list of matching branches. Previously, exact branch name matches could appear at the bottom of the list.

  • When viewing a branch that has a corresponding open pull request, GitHub Enterprise Server now links directly to the pull request. Previously, there would be a prompt to contribute using branch comparison or to open a new pull request.

  • You can now click a button to copy the full raw contents of a file to the clipboard. Previously, you would need to open the raw file, select all, and then copy. To copy the contents of a file, navigate to the file and click in the toolbar. Note that this feature is currently only available in some browsers.

  • When creating a new release, you can now select or create the tag using a dropdown selector, rather than specifying the tag in a text field. For more information, see "Managing releases in a repository."

  • A warning is now displayed when viewing a file that contains bidirectional Unicode text. Bidirectional Unicode text can be interpreted or compiled differently than it appears in a user interface. For example, hidden bidirectional Unicode characters can be used to swap segments of text in a file. For more information about replacing these characters, see the GitHub changelog.
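As an added example (not the page's or GitHub's own implementation of the warning), a small scanner that reports every Unicode bidirectional control character in a text with its line and column, and an escaping helper that shows the stored character order rather than the rendered one; useful as a pre-receive or CI check. The sample inputs are constructed.

```python
# Unicode bidirectional formatting characters: embeddings, overrides and isolates,
# plus the characters that terminate them.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF",
    "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}


def find_bidi_controls(text: str):
    """Return (line, column, name) for each bidi control character, both 1-based."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in BIDI_CONTROLS:
                hits.append((lineno, col, BIDI_CONTROLS[ch]))
    return hits


def visible_form(line: str) -> str:
    """Escape bidi controls so the stored order of the characters, not the rendered order, is shown."""
    return "".join(f"\\u{ord(ch):04x}" if ch in BIDI_CONTROLS else ch for ch in line)


def scan_file(path: str):
    """Scan one file; undecodable bytes are replaced so a binary-ish file does not abort the scan."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_bidi_controls(fh.read())


# Constructed samples. In SAMPLE a right-to-left override follows the string literal, so the
# remainder of the line renders reversed while the bytes stay in this order.
SAMPLE = 'token = "abc\u202e"  # displayed order differs from stored order\n'
CLEAN = 'token = "abc"  # nothing hidden here\n'
MULTI = "a\n\u2066b\u2069\n"

if __name__ == "__main__":
    for lineno, col, name in find_bidi_controls(SAMPLE):
        print(f"line {lineno} col {col}: {name}")
        print("  " + visible_form(SAMPLE.splitlines()[lineno - 1]))
```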

  • You can now use CITATION.cff files to let others know how you would like them to cite your work. CITATION.cff files are plain text files with human- and machine-readable citation information. GitHub Enterprise Server parses this information into common citation formats such as APA and BibTeX. For more information, see "About CITATION files."

  • Markdown changes

  • You can use new keyboard shortcuts for quotes and lists in Markdown files, issues, pull requests, and comments.

    • To add quotes, use cmd shift . on Mac, or ctrl shift . on Windows and Linux.
    • To add an ordered list, use cmd shift 7 on Mac, or ctrl shift 7 on Windows and Linux.
    • To add an unordered list, use cmd shift 8 on Mac, or ctrl shift 8 on Windows and Linux.

    See "Keyboard shortcuts" for a full list of available shortcuts.

  • You can now use footnote syntax in any Markdown field. Footnotes are displayed as superscript links that you can click to jump to the referenced information, which is displayed in a new section at the bottom of the document. For more information about the syntax, see "Basic writing and formatting syntax."

  • When viewing Markdown files, you can now click in the toolbar to view the source of a Markdown file. Previously, you needed to use the blame view to link to specific line numbers in the source of a Markdown file.

  • You can now add images and videos to Markdown files in gists by pasting them into the Markdown body or selecting them from the dialog at the bottom of the Markdown file. For information about supported file types, see "Attaching files."

  • GitHub Enterprise Server now automatically generates a table of contents for Wikis, based on headings.

  • When dragging and dropping files into a Markdown editor, such as images and videos, GitHub Enterprise Server now uses the mouse pointer location instead of the cursor location when placing the file.

  • Issues and pull requests changes

  • You can now search issues by label using a logical OR operator. To filter issues using logical OR, use the comma syntax. For example, label:"good first issue","bug" will list all issues with a label of good first issue or bug. For more information, see "Filtering and searching issues and pull requests."

  • Improvements have been made to help teams manage code review assignments. You can now:

    • Limit assignment to only direct members of the team.
    • Continue with automatic assignment even if one or more members of the team are already requested.
    • Keep a team assigned to review even if one or more members are newly assigned.

    The timeline and reviewers sidebar on the pull request page now indicate if a review request was automatically assigned to one or more team members.

    For more information, see the GitHub changelog.

  • You can now filter pull request searches to only include pull requests you are directly requested to review.

  • Filtered files in pull requests are now completely hidden from view, and are no longer shown as collapsed in the "Files Changed" tab. The "File Filter" menu has also been simplified. For more information, see "Filtering files in a pull request."

  • GitHub Actions changes

  • You can now create "composite actions" which combine multiple workflow steps into one action, and include the ability to reference other actions. This makes it easier to reduce duplication in workflows. Previously, an action could only use scripts in its YAML definition. For more information, see "Creating a composite action."

  • Managing self-hosted runners at the enterprise level no longer requires using personal access tokens with the admin:enterprise scope. You can instead use the new manage_runners:enterprise scope to restrict the permissions on your tokens. Tokens with this scope can authenticate to many REST API endpoints to manage your enterprise's self-hosted runners.

  • The audit log now includes additional events for GitHub Actions. Audit log entries are now recorded for the following events:

    • A self-hosted runner is registered or removed.
    • A self-hosted runner is added to a runner group, or removed from a runner group.
    • A runner group is created or removed.
    • A workflow run is created or completed.
    • A workflow job is prepared. Importantly, this log includes the list of secrets that were provided to the runner.

    For more information, see "Security hardening for GitHub Actions."

  • GitHub Enterprise Server 3.3 contains performance improvements for job concurrency with GitHub Actions. For more information about the new performance targets for a range of CPU and memory configurations, see "Getting started with GitHub Actions for GitHub Enterprise Server."

  • To mitigate insider man-in-the-middle attacks when using actions resolved through GitHub Connect to GitHub.com from GitHub Enterprise Server, the actions namespace (owner/name) is retired on use. Retiring the namespace prevents that namespace from being created on your GitHub Enterprise Server instance, and ensures all workflows referencing the action will download it from GitHub.com.

  • GitHub Packages changes

  • When a repository is deleted, any associated package files are now immediately deleted from your GitHub Packages external storage.

  • Dependabot and Dependency graph changes

  • Dependency review is out of beta and is now generally available for GitHub Advanced Security customers. Dependency review provides an easy-to-understand view of dependency changes and their security impact in the "Files changed" tab of pull requests. It informs you of which dependencies were added, removed, or updated, along with vulnerability information. For more information, see "Reviewing dependency changes in a pull request."

  • Dependabot is now available as a private beta, offering both version updates and security updates for several popular ecosystems. Dependabot on GitHub Enterprise Server requires GitHub Actions and a pool of self-hosted runners configured for Dependabot use. Dependabot on GitHub Enterprise Server also requires GitHub Connect to be enabled. To learn more and sign up for the beta, contact the GitHub Sales team.

  • Code scanning and secret scanning changes

  • The depth of CodeQL's analysis has been improved by adding support for more libraries and frameworks and increasing the coverage of our existing library and framework models. JavaScript analysis now supports most common templating languages, and Java now covers more than three times the endpoints of previous CodeQL versions. As a result, CodeQL can now detect even more potential sources of untrusted user data, steps through which that data flows, and potentially dangerous sinks where the data could end up. This results in an overall improvement of the quality of code scanning alerts.

  • CodeQL now supports scanning standard language features in Java 16, such as records and pattern matching. CodeQL is able to analyze code written in Java version 7 through 16. For more information about supported languages and frameworks, see the CodeQL documentation.

  • Improvements have been made to the code scanning on:push trigger when code is pushed to a pull request. If an on:push scan returns results that are associated with a pull request, code scanning will now show these alerts on the pull request.

    Some other CI/CD systems can be exclusively configured to trigger a pipeline when code is pushed to a branch, or even exclusively for every commit. Whenever such an analysis pipeline is triggered and results are uploaded to the SARIF API, code scanning will also try to match the analysis results to an open pull request. If an open pull request is found, the results will be published as described above. For more information, see the GitHub changelog.

  • You can now use the new pull request filter on the code scanning alerts page to find all the code scanning alerts associated with a pull request. A new "View all branch alerts" link on the pull request "Checks" tab allows you to directly view code scanning alerts with the specific pull request filter already applied. For more information, see the GitHub changelog.

  • User-defined patterns for secret scanning are out of beta and are now generally available for GitHub Advanced Security customers. Also new in this release is the ability to edit custom patterns defined at the repository, organization, and enterprise levels. After editing and saving a pattern, secret scanning searches for matches both in a repository's entire Git history and in any new commits. Editing a pattern will close alerts previously associated with the pattern if they no longer match the updated version. Other improvements, such as dry runs, are planned in future releases. For more information, see "Defining custom patterns for secret scanning."

  • API and webhook changes

  • Most REST API previews have graduated and are now an official part of the API. Preview headers are no longer required for most REST API endpoints, but will still function as expected if you specify a graduated preview in the Accept header of a request. For previews that still require specifying the preview in the Accept header of a request, see "API previews."

  • You can now use the REST API to configure custom autolinks to external resources. The REST API now provides beta GET/POST/DELETE endpoints which you can use to view, add, or delete custom autolinks associated with a repository. For more information, see "Autolinks."

  • You can now use the REST API to sync a forked repository with its upstream repository. For more information, see "Branches" in the REST API documentation.

  • Enterprise administrators on GitHub Enterprise Server can now use the REST API to enable or disable Git LFS for a repository. For more information, see "Repositories."

  • You can now use the REST API to query the audit log for an enterprise. While audit log forwarding provides the ability to retain and analyze data with your own toolkit and determine patterns over time, the new endpoint can help you perform limited analysis on recent events. For more information, see "GitHub Enterprise administration" in the REST API documentation.

  • GitHub App user-to-server API requests can now read public resources using the REST API. This includes, for example, the ability to list a public repository's issues and pull requests, and to access a public repository's comments and content.

  • When creating or updating a repository, you can now configure whether forking is allowed using the REST and GraphQL APIs. Previously, APIs for creating and updating repositories didn't include the fields allow_forking (REST) or forkingAllowed (GraphQL). For more information, see "Repositories" in the REST API documentation and "Repositories" in the GraphQL API documentation.

  • A new GraphQL mutation createCommitOnBranch makes it easier to add, update, and delete files in a branch of a repository. Compared to the REST API, you do not need to manually create blobs and trees before creating the commit. This allows you to add, update, or delete multiple files in a single API call.

    Commits authored using the new API are automatically GPG signed and are marked as verified in the GitHub Enterprise Server UI. GitHub Apps can use the mutation to author commits directly or on behalf of users.
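As an added example (not the page's or GitHub's own code), a helper that assembles the variables for a createCommitOnBranch call: file contents are base64-encoded as the input type requires, and expectedHeadOid pins the branch tip so a concurrent push makes the mutation fail rather than silently committing on top of changes the caller never saw. The repository name, branch and head OID are placeholders.

```python
import base64
import json

# GraphQL document sent together with the variables built below.
CREATE_COMMIT_ON_BRANCH = """
mutation ($input: CreateCommitOnBranchInput!) {
  createCommitOnBranch(input: $input) {
    commit { oid url }
  }
}
"""


def build_commit_input(repo: str, branch: str, head_oid: str, headline: str,
                       additions=None, deletions=None) -> dict:
    """Build a CreateCommitOnBranchInput.

    additions: {path: bytes} to add or overwrite; deletions: [path] to remove.
    Contents go in as base64 (the API takes Base64String, not raw text), and
    expectedHeadOid must equal the branch tip the caller last observed.
    """
    return {
        "branch": {"repositoryNameWithOwner": repo, "branchName": branch},
        "expectedHeadOid": head_oid,
        "message": {"headline": headline},
        "fileChanges": {
            "additions": [
                {"path": path, "contents": base64.b64encode(content).decode("ascii")}
                for path, content in (additions or {}).items()
            ],
            "deletions": [{"path": path} for path in (deletions or [])],
        },
    }


def request_body(commit_input: dict) -> str:
    """JSON body for a POST to the instance's /api/graphql endpoint; one call covers every file change."""
    return json.dumps({"query": CREATE_COMMIT_ON_BRANCH, "variables": {"input": commit_input}})


def decoded_additions(commit_input: dict) -> dict:
    """Reverse the encoding, e.g. to log exactly what an automation is about to commit."""
    return {a["path"]: base64.b64decode(a["contents"])
            for a in commit_input["fileChanges"]["additions"]}


# Constructed sample; the OID is a placeholder, not a real commit.
PLACEHOLDER_HEAD_OID = "0" * 40
SAMPLE_INPUT = build_commit_input(
    "example-org/example-repo", "main", PLACEHOLDER_HEAD_OID,
    "Replace legacy CI configuration",
    additions={".github/workflows/ci.yml": b"name: ci\non: push\n"},
    deletions=["old-ci.yml"],
)

if __name__ == "__main__":
    print(request_body(SAMPLE_INPUT))
```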

  • When a new tag is created, the push webhook payload now always includes a head_commit object that contains the data of the commit that the new tag points to. As a result, the head_commit object will always contain the commit data of the payload's after commit.

  • Performance Changes

  • Page loads and jobs are now significantly faster for repositories with many Git refs.

    Known issues

  • After upgrading to GitHub Enterprise Server 3.3, GitHub Actions may fail to start automatically. To resolve this issue, connect to the appliance via SSH and run the ghe-actions-start command.

  • On a freshly set up GitHub Enterprise Server instance without any users, an attacker could create the first admin user.

  • Custom firewall rules are removed during the upgrade process.

  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.

  • Issues cannot be closed if they contain a permalink to a blob in the same repository, where the blob's file path is longer than 255 characters.

  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

  • The GitHub Packages npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.

  • Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.

  • GitHub Actions storage settings cannot be validated and saved in the Management Console when "Force Path Style" is selected, and must instead be configured with the ghe-actions-precheck command line utility.

  • GitHub Enterprise Server 3.3 instances installed on Azure and provisioned with 32+ CPU cores would fail to launch, due to a bug present in the current Linux kernel. [Updated: 2022-04-08]

  • In some cases, GitHub Advanced Security customers who upgrade to GitHub Enterprise Server 3.5 or later may notice that alerts from secret scanning are missing in the web UI and REST API. To ensure the alerts remain visible, do not skip 3.4 when you upgrade from an earlier release to 3.5 or later. A fix is available in the 3.5.5 and 3.6.1 patch releases.

    To plan an upgrade through 3.4, see the Upgrade assistant. [Updated: 2022-09-01]