Enterprise Server 3.6.20
Download GitHub Enterprise Server 3.6.20 (released October 24, 2023)
📣 This is not the latest release of Enterprise Server. Please use the latest release for the latest security, performance, and bug fixes.
3.6.20: Security fixes
Packages have been updated to the latest security versions.
3.6.20: Bug fixes
`/var/log/lastlog` was not copied over as a sparse file during `ghe-upgrade`, which could cause problems by consuming additional disk space.
3.6.20: Changes
As a security measure, GitHub Pages does not build sites that contain symbolic links except when using custom GitHub Actions workflows. When the page builder encounters a symbolic link, the build will fail with an error indicating that the symbolic link should be dereferenced. Custom workflows for GitHub Pages are available in GitHub Enterprise Server 3.7 and later.
3.6.20: Known issues
Custom firewall rules are removed during the upgrade process.
Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
In a repository's settings, enabling the option to allow users with read access to create discussions does not enable this functionality.
Custom patterns for secret scanning have `.*` as an end delimiter, specifically in the "After secret" field. This delimiter causes inconsistencies in scans for secrets across repositories, and you may notice gaps in a repository's history where no scans completed. Incremental scans may also be impacted. To prevent issues with scans, modify the end of the pattern to remove the `.*` delimiter.
Following an upgrade to GitHub Enterprise Server 3.6 or later, existing inconsistencies in a repository, such as broken refs or missing objects, may now be reported as errors like `invalid sha1 pointer 0000000000000000000000000000000000000000`, `Zero-length loose reference file`, or `Zero-length loose object file`. Previously, these indicators of repository corruption may have been silently ignored. GitHub Enterprise Server now uses an updated Git version with more diligent error reporting enabled. For more information, see this upstream commit in the Git project. If you suspect a problem like this exists in one of your repositories, contact GitHub Enterprise Support for assistance.
On an instance in a high-availability configuration, passive replica nodes accept Git client requests and forward the requests to the primary node.
If an instance is configured to forward logs to a target server with TLS enabled, certificate authority (CA) bundles that a site administrator uploads using `ghe-ssl-ca-certificate-install` are not respected, and connections to the server fail.
When running `ghe-config-apply`, the process may stall with the message `Deployment is running pending automatic promotion`.
In rare circumstances, a small instance with both high availability and GitHub Actions configured may report that MSSQL replication is unhealthy after many upgrades with full upgrade packages. If you encounter this issue, contact GitHub Support.
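The `.*` delimiter item above is actionable across many custom patterns at once. The following Python is an added example, not GitHub's code: it lints pattern definitions for an "After secret" field ending in `.*`, strips the delimiter (falling back to the default GitHub's custom-pattern documentation gives for that field, `\z|[^0-9A-Za-z]`, which this page does not state), and confirms on constructed input that the corrected pattern still matches a token both mid-line and at end of input. The way the three fields are combined into one expression is an approximation; the scan inconsistencies described above are scanner-side and are not reproduced here.

```python
"""Lint secret scanning custom patterns for a trailing '.*' in the "After secret"
field, and confirm the corrected pattern still matches.
Added example: this is not GitHub's code. The default delimiters below are the
ones GitHub's custom-pattern documentation gives; they are not stated on this page."""
from __future__ import annotations

import re
from dataclasses import dataclass, replace

DEFAULT_BEFORE = r"\A|[^0-9A-Za-z]"  # documented "Before secret" default (assumed)
DEFAULT_AFTER = r"\z|[^0-9A-Za-z]"   # documented "After secret" default (assumed)


@dataclass(frozen=True)
class CustomPattern:
    name: str
    before: str  # "Before secret" field
    secret: str  # "Secret format" field
    after: str   # "After secret" field


def lint_after_delimiter(pattern: CustomPattern) -> list[str]:
    """Flag an "After secret" field that ends in an unbounded '.*'."""
    findings = []
    if pattern.after.rstrip().endswith(".*"):
        findings.append(
            f"{pattern.name}: 'After secret' ends with '.*'; remove it "
            f"(documented default: {DEFAULT_AFTER})"
        )
    return findings


def fix_after_delimiter(pattern: CustomPattern) -> CustomPattern:
    """Strip a trailing '.*'; fall back to the default if nothing is left."""
    after = pattern.after.rstrip()
    if after.endswith(".*"):
        after = after[:-2].rstrip() or DEFAULT_AFTER
    return replace(pattern, after=after)


def compile_pattern(pattern: CustomPattern) -> re.Pattern:
    """Approximate how the three fields combine: the secret is the capture group
    and the delimiters are context. The "After secret" part goes in a lookahead so
    two adjacent secrets do not consume each other's separator. Python's re spells
    end-of-input as \\Z, so the \\z used in GitHub's field is translated."""
    after = pattern.after.replace(r"\z", r"\Z")
    return re.compile(f"(?:{pattern.before})({pattern.secret})(?={after})")


def find_secrets(pattern: CustomPattern, text: str) -> list[str]:
    return [m.group(1) for m in compile_pattern(pattern).finditer(text)]


# Constructed sample input: two fake tokens, one mid-line and one at end of input.
TOKEN_A = "ghp_" + "A" * 36
TOKEN_B = "ghp_" + "B" * 36
SAMPLE = f"export API_TOKEN={TOKEN_A};\ntoken: {TOKEN_B}"

# A pattern with the problematic delimiter, and its corrected form.
BROKEN = CustomPattern("example-token", DEFAULT_BEFORE, r"ghp_[A-Za-z0-9]{36}", r".*")
FIXED = fix_after_delimiter(BROKEN)

if __name__ == "__main__":
    for finding in lint_after_delimiter(BROKEN):
        print("WARN", finding)
    print("corrected After secret:", FIXED.after)
    print("matches with corrected pattern:", find_secrets(FIXED, SAMPLE))
```

One side effect is visible in the lookahead: with `.*` as the delimiter the pattern also accepts a token embedded in a longer alphanumeric run, which the default delimiter rejects, so removing `.*` also makes the pattern more precise.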
Enterprise Server 3.6.19
Download GitHub Enterprise Server 3.6.19 (released September 21, 2023)
📣 This is not the latest patch release of this release series, and this is not the latest release of Enterprise Server. Please use the latest release for the latest security, performance, and bug fixes.
3.6.19: Security fixes
To prevent commits from a detached repository from syncing to prior forks that are now in a separate repository network, GitHub Enterprise Server closes pull requests between repositories during detachment.
Packages have been updated to the latest security versions.
3.6.19: Bug fixes
On an instance in a cluster configuration, the Cluster-Balance daemon would run against jobs not specified in the configuration.
On an instance with a GitHub Advanced Security license and secret scanning enabled, in some cases, custom patterns would erroneously show no results for a dry run.
3.6.19: Changes
When providing data to GitHub Support, GitHub Enterprise Server displays a notice describing how support data is used before uploading the support files.
3.6.19: Known issues
Custom firewall rules are removed during the upgrade process.
Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
In a repository's settings, enabling the option to allow users with read access to create discussions does not enable this functionality.
Custom patterns for secret scanning have `.*` as an end delimiter, specifically in the "After secret" field. This delimiter causes inconsistencies in scans for secrets across repositories, and you may notice gaps in a repository's history where no scans completed. Incremental scans may also be impacted. To prevent issues with scans, modify the end of the pattern to remove the `.*` delimiter.
Following an upgrade to GitHub Enterprise Server 3.6 or later, existing inconsistencies in a repository, such as broken refs or missing objects, may now be reported as errors like `invalid sha1 pointer 0000000000000000000000000000000000000000`, `Zero-length loose reference file`, or `Zero-length loose object file`. Previously, these indicators of repository corruption may have been silently ignored. GitHub Enterprise Server now uses an updated Git version with more diligent error reporting enabled. For more information, see this upstream commit in the Git project. If you suspect a problem like this exists in one of your repositories, contact GitHub Enterprise Support for assistance.
On an instance in a high-availability configuration, passive replica nodes accept Git client requests and forward the requests to the primary node.
If an instance is configured to forward logs to a target server with TLS enabled, certificate authority (CA) bundles that a site administrator uploads using `ghe-ssl-ca-certificate-install` are not respected, and connections to the server fail.
When running `ghe-config-apply`, the process may stall with the message `Deployment is running pending automatic promotion`.
In rare circumstances, a small instance with both high availability and GitHub Actions configured may report that MSSQL replication is unhealthy after many upgrades with full upgrade packages. If you encounter this issue, contact GitHub Support.
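To check a repository for the indicators named in the known issue above before opening a support ticket, the usual tool is `git fsck --full` on the bare repository. The Python below is an added example, not GitHub's tooling: it groups fsck output into the `invalid sha1 pointer` case (null or unresolvable ref targets), missing objects and broken links, and the two "Zero-length" messages quoted on this page. The sample output is constructed; the `invalid sha1 pointer`, `missing`, `broken link` and `dangling` line formats are git's own, while the prefix and path around the "Zero-length" phrases are assumed. Dangling objects are reported as informational only, since they are unreachable but intact.

```python
"""Triage `git fsck --full` output for the corruption indicators listed in the
known issue: refs whose pointer cannot be resolved, missing objects, and
zero-length loose files. Added example; not GitHub's tooling. The page's own
guidance is to contact GitHub Enterprise Support, not to repair in place."""
from __future__ import annotations

import re
from collections import defaultdict

NULL_OID = "0" * 40

# Line shapes. `invalid sha1 pointer`, `missing`, `broken link` and `dangling`
# are git fsck's own formats. The two "Zero-length" phrases are quoted from the
# release notes; the prefix and path around them are assumed.
RULES = [
    ("null_ref", re.compile(rf"^error: (?P<ref>\S+): invalid sha1 pointer (?P<oid>{NULL_OID})$")),
    ("bad_ref", re.compile(r"^error: (?P<ref>\S+): invalid sha1 pointer (?P<oid>[0-9a-f]{40})$")),
    ("missing_object", re.compile(r"^missing (?P<type>blob|tree|commit|tag) (?P<oid>[0-9a-f]{40})$")),
    ("broken_link", re.compile(r"^broken link from\s+(?P<type>\w+) (?P<oid>[0-9a-f]{40})$")),
    ("broken_link_to", re.compile(r"^\s+to\s+(?P<type>\w+) (?P<oid>[0-9a-f]{40})$")),
    ("zero_length_ref", re.compile(r"zero-length loose reference file", re.I)),
    ("zero_length_object", re.compile(r"zero-length loose object file", re.I)),
    ("dangling", re.compile(r"^dangling (?P<type>\w+) (?P<oid>[0-9a-f]{40})$")),
]
INFO_ONLY = {"dangling"}  # unreachable-but-intact objects are not corruption


def classify(line: str) -> tuple[str, re.Match | None]:
    """Return the first rule that matches, or 'unclassified'."""
    for category, rx in RULES:
        m = rx.search(line)
        if m:
            return category, m
    return "unclassified", None


def triage(fsck_output: str) -> dict[str, list[str]]:
    """Group fsck lines by category. Unknown lines are kept for human review."""
    report: dict[str, list[str]] = defaultdict(list)
    for raw in fsck_output.splitlines():
        line = raw.rstrip()
        if line:
            category, _ = classify(line)
            report[category].append(line.strip())
    return dict(report)


def broken_refs(fsck_output: str) -> list[str]:
    """Ref names whose pointer could not be resolved (the `invalid sha1 pointer` case)."""
    refs = []
    for line in fsck_output.splitlines():
        category, m = classify(line.rstrip())
        if category in ("null_ref", "bad_ref"):
            refs.append(m.group("ref"))
    return refs


def needs_support(report: dict[str, list[str]]) -> bool:
    """True if anything other than harmless dangling objects was reported;
    unclassified lines count, because they need a human look."""
    return any(lines for category, lines in report.items() if category not in INFO_ONLY)


# Constructed fsck output (the OIDs are made up).
SAMPLE_FSCK_OUTPUT = f"""\
error: refs/heads/stale-feature: invalid sha1 pointer {NULL_OID}
error: refs/tags/v0.9.0: invalid sha1 pointer 3f786850e387550fdab836ed7e6dc881de23001b
missing blob 89e6c98d92887913cadf06b2adb97f26cde4849b
broken link from    tree 2b297e643c551582f89c68a3ee5d2caa0e5f2f1e
              to    blob 89e6c98d92887913cadf06b2adb97f26cde4849b
dangling commit 5d41402abc4b2a76b9719d911017c592a1c1f3a4
Zero-length loose reference file: refs/heads/empty
Zero-length loose object file: objects/ab/cdef0123456789abcdef0123456789abcdef01
"""

if __name__ == "__main__":
    report = triage(SAMPLE_FSCK_OUTPUT)
    for category, lines in report.items():
        print(f"{category}: {len(lines)}")
    print("broken refs:", broken_refs(SAMPLE_FSCK_OUTPUT))
    print("contact support:", needs_support(report))
```

Run it over `git fsck --full 2>&1` captured from the affected repository; a non-empty result from `broken_refs` or any category outside `dangling` is what the release notes describe, and the next step is the support ticket.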
Enterprise Server 3.6.18
Download GitHub Enterprise Server 3.6.18 (released August 24, 2023)
3.6.18: Security fixes
Packages have been updated to the latest security versions.
An authorization/sensitive information disclosure vulnerability was identified in GitHub Enterprise Server that allowed a fork to retain read access to an upstream repository after the fork's visibility was changed to private. This vulnerability was reported via the GitHub Bug Bounty Program and assigned CVE-2023-23763. [Updated: 2023-09-01]
3.6.18: Bug fixes
If MinIO was configured for external blob storage on an instance with GitHub Actions enabled and MinIO was configured for bucket replication, the instance's credential validation with MinIO would occasionally fail.
syslog-ng configurations for containerized services caused errors for log forwarding services. The configurations have been removed.
When an instance exhausted available memory, in some cases, the system's out-of-memory killer (OOMK) killed the process for `dockerd`, causing Nomad to fail to recover after systemd restarted Docker.
When an administrator used GitHub Enterprise Importer on versions 3.7 and below to migrate repositories from GitHub Enterprise Server, the system backup size would increase after running many migrations due to storage files not being cleaned up.
On an instance with Dependabot alerts enabled, repository creation could fail if an organization owner did not set a primary email address.
3.6.18: Changes
Administrators with SSH access to an instance can view the version of GitHub Enterprise Server on the instance by using the `-v` flag with the `ghe-version` utility.
As a security measure, GitHub Pages does not build sites that contain symbolic links except when using custom GitHub Actions workflows. When the page builder encounters a symbolic link, the build will fail with an error indicating that the symbolic link should be dereferenced. Custom workflows for GitHub Pages are available in GitHub Enterprise Server 3.7 and later.
3.6.18: Known issues
Custom firewall rules are removed during the upgrade process.
Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
In a repository's settings, enabling the option to allow users with read access to create discussions does not enable this functionality.
Custom patterns for secret scanning have `.*` as an end delimiter, specifically in the "After secret" field. This delimiter causes inconsistencies in scans for secrets across repositories, and you may notice gaps in a repository's history where no scans completed. Incremental scans may also be impacted. To prevent issues with scans, modify the end of the pattern to remove the `.*` delimiter.
Following an upgrade to GitHub Enterprise Server 3.6 or later, existing inconsistencies in a repository, such as broken refs or missing objects, may now be reported as errors like `invalid sha1 pointer 0000000000000000000000000000000000000000`, `Zero-length loose reference file`, or `Zero-length loose object file`. Previously, these indicators of repository corruption may have been silently ignored. GitHub Enterprise Server now uses an updated Git version with more diligent error reporting enabled. For more information, see this upstream commit in the Git project. If you suspect a problem like this exists in one of your repositories, contact GitHub Enterprise Support for assistance.
On an instance in a high-availability configuration, passive replica nodes accept Git client requests and forward the requests to the primary node.
If an instance is configured to forward logs to a target server with TLS enabled, certificate authority (CA) bundles that a site administrator uploads using `ghe-ssl-ca-certificate-install` are not respected, and connections to the server fail.
When running `ghe-config-apply`, the process may stall with the message `Deployment is running pending automatic promotion`.
In rare circumstances, a small instance with both high availability and GitHub Actions configured may report that MSSQL replication is unhealthy after many upgrades with full upgrade packages. If you encounter this issue, contact GitHub Support. [Updated: 2023-09-04]
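A way to find files affected by the Git LFS item in the known issues above, as an added example that is not GitHub's or git-lfs's code: it parses `.gitattributes` for `filter=lfs` patterns and reports tracked paths whose blob is not a valid LFS pointer, which is what a web-interface upload produces under this issue. The pointer validation follows the git-lfs pointer spec (`version` line first, remaining keys sorted, `oid sha256:<hex>`, `size`, at most 1024 bytes); the gitattributes matching uses `fnmatch` and is an approximation of Git's rules. The repository snapshot is constructed.

```python
"""Find paths that .gitattributes routes to Git LFS but whose committed content is
the raw file rather than an LFS pointer. Added example; not GitHub's or git-lfs's
code. The pointer format follows the git-lfs spec; gitattributes matching is an
approximation using fnmatch."""
from __future__ import annotations

import fnmatch
import hashlib
import posixpath
import re

POINTER_VERSION = "https://git-lfs.github.com/spec/v1"
POINTER_LINE = re.compile(r"^([a-zA-Z0-9.\-]+) (.+)$")
OID_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def parse_pointer(blob: bytes) -> dict[str, str] | None:
    """Return the pointer's key/value pairs, or None if the blob is not a pointer.
    Spec: at most 1024 bytes, 'version' first, remaining keys sorted, 'oid' and
    'size' required, every line terminated by a single newline."""
    if len(blob) > 1024 or b"\x00" in blob:
        return None
    try:
        text = blob.decode("utf-8")
    except UnicodeDecodeError:
        return None
    if not text.endswith("\n"):
        return None
    fields: dict[str, str] = {}
    for line in text[:-1].split("\n"):
        m = POINTER_LINE.match(line)
        if not m or m.group(1) in fields:
            return None
        fields[m.group(1)] = m.group(2)
    keys = list(fields)
    if not keys or keys[0] != "version" or fields["version"] != POINTER_VERSION:
        return None
    if keys[1:] != sorted(keys[1:]):
        return None
    if not OID_RE.match(fields.get("oid", "")) or not fields.get("size", "").isdigit():
        return None
    return fields


def make_pointer(content: bytes) -> bytes:
    """Build the pointer that should have been committed for `content`."""
    digest = hashlib.sha256(content).hexdigest()
    return f"version {POINTER_VERSION}\noid sha256:{digest}\nsize {len(content)}\n".encode()


def lfs_patterns(gitattributes: str) -> list[str]:
    """Patterns whose attributes include filter=lfs."""
    patterns = []
    for line in gitattributes.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, *attrs = line.split()
        if "filter=lfs" in attrs:
            patterns.append(pattern)
    return patterns


def tracked_by_lfs(path: str, patterns: list[str]) -> bool:
    """Approximate gitattributes matching: a pattern without '/' matches the
    basename anywhere in the tree; one with '/' is matched against the full path."""
    for pat in patterns:
        if "/" in pat:
            if fnmatch.fnmatchcase(path, pat.lstrip("/")):
                return True
        elif fnmatch.fnmatchcase(posixpath.basename(path), pat):
            return True
    return False


def find_raw_lfs_files(tree: dict[str, bytes], gitattributes: str) -> list[str]:
    """Paths that should be LFS pointers but hold raw content."""
    patterns = lfs_patterns(gitattributes)
    return sorted(
        path for path, blob in tree.items()
        if tracked_by_lfs(path, patterns) and parse_pointer(blob) is None
    )


# Constructed repository snapshot: one correct pointer, two raw files that should
# have been pointers, and an untracked file.
GITATTRIBUTES = "*.bin filter=lfs diff=lfs merge=lfs -text\nmodels/*.onnx filter=lfs diff=lfs merge=lfs -text\n"
FIRMWARE = bytes(range(256)) * 8
TREE = {
    ".gitattributes": GITATTRIBUTES.encode(),
    "firmware/boot.bin": make_pointer(FIRMWARE),
    "firmware/app.bin": FIRMWARE,
    "models/net.onnx": b"raw model bytes, not a pointer",
    "README.md": b"# docs\n",
}

if __name__ == "__main__":
    for path in find_raw_lfs_files(TREE, GITATTRIBUTES):
        print("raw content committed where an LFS pointer was expected:", path)
```

To run this against a real repository, populate `tree` from `git ls-tree -r HEAD` and `git cat-file -p <blob>`; any path it lists is a large file now stored in the Git object database rather than in LFS.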
Enterprise Server 3.6.17
Download GitHub Enterprise Server 3.6.17 (released August 10, 2023)
3.6.17: Security fixes
LOW: An incorrect comparison vulnerability was identified in GitHub Enterprise Server that allowed commit smuggling by displaying an incorrect diff in a reopened pull request. To exploit this vulnerability, an attacker would need write access to the repository. This vulnerability was reported via the GitHub Bug Bounty program and was assigned CVE-2023-23766. [Updated: 2023-09-22]
Packages have been updated to the latest security versions.
3.6.17: Bug fixes
On an instance in a high availability configuration, on some platforms, replication could perform poorly over links with very high latency.
On an instance with custom firewall rules defined, a configuration run with `ghe-config-apply` could take longer than expected.
Events related to repository notifications did not appear in the audit log.
A collaborator with the "Set the social preview" permission inherited from the "Read" role couldn't upload the social preview image of a repository.
On an instance in a high availability configuration, existing nodes with out-of-sync repositories prevented new nodes from replicating those repositories.
GitHub Enterprise Server was queuing zip jobs unnecessarily.
On an instance configured to use an outbound web proxy server, an administrator could not exclude private domains in this list from the proxy configuration. [Updated: 2023-11-27]
3.6.17: Changes
The secondary abuse rate limits of the GraphQL API are now configurable in the Management Console.
The description of the `ghe-cluster-balance` command line utility clarifies that it can be used to balance jobs other than `github-unicorn`.
Administrators can display all repositories in a network with `spokesctl` by using the `repositories` subcommand.
3.6.17: Known issues
Custom firewall rules are removed during the upgrade process.
Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
In a repository's settings, enabling the option to allow users with read access to create discussions does not enable this functionality.
Custom patterns for secret scanning have `.*` as an end delimiter, specifically in the "After secret" field. This delimiter causes inconsistencies in scans for secrets across repositories, and you may notice gaps in a repository's history where no scans completed. Incremental scans may also be impacted. To prevent issues with scans, modify the end of the pattern to remove the `.*` delimiter.
Following an upgrade to GitHub Enterprise Server 3.6 or later, existing inconsistencies in a repository, such as broken refs or missing objects, may now be reported as errors like `invalid sha1 pointer 0000000000000000000000000000000000000000`, `Zero-length loose reference file`, or `Zero-length loose object file`. Previously, these indicators of repository corruption may have been silently ignored. GitHub Enterprise Server now uses an updated Git version with more diligent error reporting enabled. For more information, see this upstream commit in the Git project. If you suspect a problem like this exists in one of your repositories, contact GitHub Enterprise Support for assistance.
On an instance in a high-availability configuration, passive replica nodes accept Git client requests and forward the requests to the primary node.
If an instance is configured to forward logs to a target server with TLS enabled, certificate authority (CA) bundles that a site administrator uploads using `ghe-ssl-ca-certificate-install` are not respected, and connections to the server fail.
When running `ghe-config-apply`, the process may stall with the message `Deployment is running pending automatic promotion`.
In rare circumstances, a small instance with both high availability and GitHub Actions configured may report that MSSQL replication is unhealthy after many upgrades with full upgrade packages. If you encounter this issue, contact GitHub Support. [Updated: 2023-08-24]
Enterprise Server 3.6.16
Download GitHub Enterprise Server 3.6.16 (released July 18, 2023)
3.6.16: Security fixes
An attacker with access to the password hash of the root site administrator user for the instance's Management Console could make requests to the password API endpoint from outside of the instance.
Packages have been updated to the latest security versions.
LOW: An incorrect comparison vulnerability was identified in GitHub Enterprise Server that allowed commit smuggling by displaying an incorrect diff in a re-opened Pull Request. To exploit this vulnerability, an attacker would need write access to the repository. This vulnerability was reported via the GitHub Bug Bounty Program and was assigned CVE-2023-23765.
3.6.16: Bug fixes
Customers who use Azure Blob store as the remote blob provider to back GitHub Packages would have validation errors if the `EndpointSuffix` part of their connection string was anything other than `core.windows.net`. Now all valid `EndpointSuffix` values are accepted.
After creation of a blob object from the web UI, pre-receive hook events were missing from the instance's audit log.
On an instance with an outbound web proxy server configured, the proxy interfered with internal operations that used `nomad alloc exec`.
On an instance in a cluster configuration, `ghe-cluster-balance` behaved inconsistently when displaying status or managing jobs with more than one task group.
On an instance configured for LDAP authentication, if the LDAP server sent an empty string for the `sshPublicKey` attribute, LDAP user sync would fail.
On an instance with Dependabot enabled, in some situations, Dependabot alerts were not updated when a user pushed to a repository.
On an instance that was not configured to deliver email notifications using SMTP, background jobs to deliver email were enqueued unnecessarily.
Determining suggested reviewers on a pull request could time out or be very slow.
On an instance with a GitHub Advanced Security license and secret scanning enabled, output from Git for a push blocked by push protection always included an `http://` link.
3.6.16: Changes
On an instance in a cluster configuration, the `ghe-cluster-config-check` command-line utility returns an affirmative message when no warnings or errors are detected: "Configuration validation complete. No errors found."
On an instance with 170 or fewer vCPUs, the default for `app.babeld.threads-max` is 512 instead of 3 times the number of vCPUs. The monitor dashboard also includes metrics within the "Babeld threads" section.
The Management Console displays a warning about unexpected consequences that may result from modification of the instance's hostname after initial configuration.
3.6.16: Known issues
Custom firewall rules are removed during the upgrade process.
Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
Instances experiencing a high sustained number of concurrent Git requests may experience performance issues. If you suspect that this issue is affecting your instance, contact GitHub Support. For more information, see "Creating a support ticket."
In a repository's settings, enabling the option to allow users with read access to create discussions does not enable this functionality.
Custom patterns for secret scanning have `.*` as an end delimiter, specifically in the "After secret" field. This delimiter causes inconsistencies in scans for secrets across repositories, and you may notice gaps in a repository's history where no scans completed. Incremental scans may also be impacted. To prevent issues with scans, modify the end of the pattern to remove the `.*` delimiter.
Following an upgrade to GitHub Enterprise Server 3.6 or later, existing inconsistencies in a repository, such as broken refs or missing objects, may now be reported as errors like `invalid sha1 pointer 0000000000000000000000000000000000000000`, `Zero-length loose reference file`, or `Zero-length loose object file`. Previously, these indicators of repository corruption may have been silently ignored. GitHub Enterprise Server now uses an updated Git version with more diligent error reporting enabled. For more information, see this upstream commit in the Git project. If you suspect a problem like this exists in one of your repositories, contact GitHub Enterprise Support for assistance.
On an instance in a high-availability configuration, passive replica nodes accept Git client requests and forward the requests to the primary node.
If an instance is configured to forward logs to a target server with TLS enabled, certificate authority (CA) bundles that a site administrator uploads using `ghe-ssl-ca-certificate-install` are not respected, and connections to the server fail.
When running `ghe-config-apply`, the process may stall with the message `Deployment is running pending automatic promotion`.
In rare circumstances, a small instance with both high availability and GitHub Actions configured may report that MSSQL replication is unhealthy after many upgrades with full upgrade packages. If you encounter this issue, contact GitHub Support. [Updated: 2023-08-24]
Enterprise Server 3.6.15
Download GitHub Enterprise Server 3.6.15 (released June 20, 2023)
3.6.15: Security fixes
If a user's request to the instance's API included authentication credentials within a URL parameter, administrators could see the credentials in JSON within the instance's audit log.
Packages have been updated to the latest security versions.
3.6.15: Bug fixes
If an administrator updated the instance's TLS certificate using the Management Console API's Set settings endpoint, sending the certificate and key data as a URL query parameter resulted in the data appearing unmasked in system logs.
If an instance had tens of thousands of deleted repositories, an upgrade to GitHub Enterprise Server 3.7 could take longer than expected.
After an enterprise owner set a permanent rate limit for a user's GitHub App at `http(s)://HOSTNAME/stafftools/users/USERNAME/installations`, the instance did not respect the rate limit.
Determining suggested reviewers on a pull request could time out or be very slow.
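The 3.6.15 security fix and the first bug fix above are the same failure class: a credential carried in a URL query parameter reaches a log unmasked. The Python below is an added example of the log-side control, not GitHub's code: before an audit record is written, sensitive query parameters are masked by name, and token- or PEM-shaped values are masked by shape wherever they appear in the record. The parameter names and token prefixes are assumptions to adapt per deployment, and the audit record is constructed. Clients should still send tokens in the `Authorization` header rather than the query string, since a URL is also recorded by proxies and browser history.

```python
"""Redact credentials that arrive in URL query parameters (and PEM key material)
before a request record is written to an audit log. Added example; not GitHub's
code. The parameter-name list and token prefixes are assumptions."""
from __future__ import annotations

import json
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

MASK = "REDACTED"
# Query-string / field names treated as credentials (assumed list).
SENSITIVE_PARAMS = {
    "access_token", "token", "client_secret", "password", "api_key",
    "key", "private_key", "ssl_key", "ssl_certificate", "certificate",
}
# Value shapes masked wherever they appear, even under an innocent name.
TOKEN_RE = re.compile(r"\b(?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9]{36}\b")
PEM_RE = re.compile(r"-----BEGIN [A-Z ]+-----.*?-----END [A-Z ]+-----", re.S)


def redact_text(text: str) -> str:
    """Mask secret-shaped substrings in free text."""
    return TOKEN_RE.sub(MASK, PEM_RE.sub(MASK, text))


def redact_url(url: str) -> str:
    """Mask sensitive query parameters by name, and secret-shaped values by
    shape, leaving scheme, host, path and benign parameters intact."""
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. malformed IPv6 literal; fall back to text masking
        return redact_text(url)
    if not parts.query:
        return redact_text(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    cleaned = [(k, MASK if k.lower() in SENSITIVE_PARAMS else redact_text(v)) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(cleaned)))


def redact_value(value):
    """Walk a decoded JSON structure; mask by field name, then by URL, then by shape."""
    if isinstance(value, dict):
        return {k: MASK if k.lower() in SENSITIVE_PARAMS else redact_value(v) for k, v in value.items()}
    if isinstance(value, list):
        return [redact_value(v) for v in value]
    if isinstance(value, str):
        return redact_url(value) if "?" in value else redact_text(value)
    return value


def redact_audit_line(line: str) -> str:
    """Redact one JSON audit record (one object per line)."""
    return json.dumps(redact_value(json.loads(line)), sort_keys=True)


# Constructed audit record: a token in the query string, a benign query string,
# and a PEM key passed as a parameter.
SAMPLE_ENTRY = {
    "action": "api.request",
    "actor": "octocat",
    "method": "GET",
    "url": "/api/v3/user?access_token=ghp_" + "x" * 36 + "&per_page=50",
    "referer": "https://ghes.example.internal/login?next=%2Fdashboard",
    "params": {
        "ssl_key": "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n-----END PRIVATE KEY-----",
        "hostname": "ghes.example.internal",
    },
}

if __name__ == "__main__":
    print(redact_audit_line(json.dumps(SAMPLE_ENTRY)))
```

Note that `urlencode` re-serialises the benign parameters, so their percent-encoding may change; if byte-exact URLs matter for later correlation, keep the original under a separate hashed field rather than logging it in clear.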
3.6.15: Changes
If a configuration run fails due to Elasticsearch errors, `ghe-config-apply` displays a more actionable error message.
3.6.15: Known issues
Custom firewall rules are removed during the upgrade process.
Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
Instances experiencing a high sustained number of concurrent Git requests may experience performance issues. If you suspect that this issue is affecting your instance, contact GitHub Support. For more information, see "Creating a support ticket."
In a repository's settings, enabling the option to allow users with read access to create discussions does not enable this functionality.
Custom patterns for secret scanning have `.*` as an end delimiter, specifically in the "After secret" field. This delimiter causes inconsistencies in scans for secrets across repositories, and you may notice gaps in a repository's history where no scans completed. Incremental scans may also be impacted. To prevent issues with scans, modify the end of the pattern to remove the `.*` delimiter.
Following an upgrade to GitHub Enterprise Server 3.6 or later, existing inconsistencies in a repository, such as broken refs or missing objects, may now be reported as errors like `invalid sha1 pointer 0000000000000000000000000000000000000000`, `Zero-length loose reference file`, or `Zero-length loose object file`. Previously, these indicators of repository corruption may have been silently ignored. GitHub Enterprise Server now uses an updated Git version with more diligent error reporting enabled. For more information, see this upstream commit in the Git project. If you suspect a problem like this exists in one of your repositories, contact GitHub Enterprise Support for assistance.
On an instance in a high-availability configuration, passive replica nodes accept Git client requests and forward the requests to the primary node.
When using an outbound web proxy server, the `ghe-btop` command may fail in some circumstances with the error "Error querying allocation: Unexpected response code: 401".
If an instance is configured to forward logs to a target server with TLS enabled, certificate authority (CA) bundles that a site administrator uploads using `ghe-ssl-ca-certificate-install` are not respected, and connections to the server fail.
When running `ghe-config-apply`, the process may stall with the message `Deployment is running pending automatic promotion`.
On an instance configured for SAML authentication, when signing in, users may erroneously see an error indicating "User has already been taken." [Updated: 2023-07-18]
In rare circumstances, a small instance with both high availability and GitHub Actions configured may report that MSSQL replication is unhealthy after many upgrades with full upgrade packages. If you encounter this issue, contact GitHub Support. [Updated: 2023-08-24]
Enterprise Server 3.6.14
Download GitHub Enterprise Server 3.6.14 (released May 30, 2023)
3.6.14: Security fixes
MEDIUM: Scoped installation tokens for a GitHub App kept approved permissions after the permissions on the integration installation were downgraded or removed. This vulnerability was reported via the GitHub Bug Bounty program.
Packages have been updated to the latest security versions.
3.6.14: Bug fixes
On an instance in a cluster configuration, when upgrading the MySQL master node, the post-upgrade configuration run would take 600 seconds longer than required due to incorrect detection of unhealthy nodes.
In some situations on an instance with multiple nodes, Git replication failed to fully replicate repositories that had previously been deleted, which resulted in a warning in `ghe-repl-status` output.
If a user clicked the link to share feedback or report bugs for the beta of user lists, the web interface responded with a `404` error.
If an instance had tens of thousands of deleted repositories, an upgrade to GitHub Enterprise Server 3.6 could take longer than expected.
GitHub Enterprise Server published distribution metrics that cannot be processed by collectd. The metrics included `pre_receive.lfsintegrity.dist.referenced_oids`, `pre_receive.lfsintegrity.dist.unknown_oids`, and `git.hooks.runtime`.
3.6.14: Changes
People with administrative SSH access to an instance can configure the maximum memory usage in gigabytes for Redis using `ghe-config redis.max-memory-gb VALUE`.
3.6.14: Known issues
Custom firewall rules are removed during the upgrade process.
Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
Instances experiencing a high sustained number of concurrent Git requests may experience performance issues. If you suspect that this issue is affecting your instance, contact GitHub Support. For more information, see "Creating a support ticket."
In a repository's settings, enabling the option to allow users with read access to create discussions does not enable this functionality.
Custom patterns for secret scanning have `.*` as an end delimiter, specifically in the "After secret" field. This delimiter causes inconsistencies in scans for secrets across repositories, and you may notice gaps in a repository's history where no scans completed. Incremental scans may also be impacted. To prevent issues with scans, modify the end of the pattern to remove the `.*` delimiter.
Following an upgrade to GitHub Enterprise Server 3.6 or later, existing inconsistencies in a repository, such as broken refs or missing objects, may now be reported as errors like `invalid sha1 pointer 0000000000000000000000000000000000000000`, `Zero-length loose reference file`, or `Zero-length loose object file`. Previously, these indicators of repository corruption may have been silently ignored. GitHub Enterprise Server now uses an updated Git version with more diligent error reporting enabled. For more information, see this upstream commit in the Git project. If you suspect a problem like this exists in one of your repositories, contact GitHub Enterprise Support for assistance.
On an instance in a high-availability configuration, passive replica nodes accept Git client requests and forward the requests to the primary node.
When using an outbound web proxy server, the `ghe-btop` command may fail in some circumstances with the error "Error querying allocation: Unexpected response code: 401".
If an instance is configured to forward logs to a target server with TLS enabled, certificate authority (CA) bundles that a site administrator uploads using `ghe-ssl-ca-certificate-install` are not respected, and connections to the server fail.
When running `ghe-config-apply`, the process may stall with the message `Deployment is running pending automatic promotion`.
An upgrade to GitHub Enterprise Server 3.6 or 3.7 from 3.5 or earlier may be long running if a large number of deleted repositories exist. The performance of this upgrade has been improved in 3.6.14 and 3.7.11, however if you have tens of thousands of recently deleted repositories the upgrade could still take multiple hours. Deleted repositories are purged automatically after 90 days, but for a faster upgrade they can be purged manually. If you suspect you have tens of thousands of recently deleted repositories, and you are concerned about a long running upgrade, contact GitHub Enterprise Support for assistance purging deleted repositories. [Updated: 2023-05-30]
On an instance configured for SAML authentication, when signing in, users may erroneously see an error indicating "User has already been taken." [Updated: 2023-07-18]
In rare circumstances, a small instance with both high availability and GitHub Actions configured may report that MSSQL replication is unhealthy after many upgrades with full upgrade packages. If you encounter this issue, contact GitHub Support. [Updated: 2023-08-24]
Enterprise Server 3.6.13
Download GitHub Enterprise Server 3.6.13 (released May 09, 2023)
3.6.13: Security fixes
MEDIUM: Updated Git to include fixes from 2.40.1. For more information, see Git security vulnerabilities announced on the GitHub Blog.
3.6.13: Bug fixes
Users were unable to upload GIF files as attachments within a comment in an issue or pull request.
On an instance in a high availability configuration, a `git push` operation could fail if GitHub Enterprise Server was simultaneously creating the repository on a replica node.
A site administrator could not bypass a proxy for a top-level domain (TLD) from the instance's exception list or IANA's registered top-level domains (TLDs).
On some platforms, after someone with administrative SSH access ran `ghe-diagnostics`, the command's output included a cosmetic `SG_IO` error.
When a site administrator used GitHub Enterprise Importer to import data from GitHub Enterprise Cloud, migrations failed during the import of file-level comments. This failure no longer prevents the import from proceeding.
When a site administrator used GitHub Enterprise Importer, import of a repository failed if a project column in the repository contained 2,500 or more archived cards.
In some situations on an instance with multiple nodes, Git replication failed to fully replicate repositories that had previously been deleted, which resulted in a warning in `ghe-repl-status` output.
Dropped `launch.*` metrics that can't be parsed by statsd, as the resulting statsd errors caused collectd logs to grow rapidly in size.
On an instance with a GitHub Advanced Security license that was also configured for a timezone greater than UTC, the list of secret scanning alerts displayed a "Loading secrets failed" error if a user sorted secrets by date in descending order.
3.6.13: Changes
People with administrative SSH access who generate a support bundle using the `ghe-support-bundle` or `ghe-cluster-support-bundle` utilities can specify the period of time to gather data with `-p` or `--period` without using spaces or quotes. For example, in addition to `'-p 5 days'` or `-p '4 days 10 hours'`, `-p 5days` or `-p 4days10hours` are valid.
3.6.13: Known issues
Custom firewall rules are removed during the upgrade process.
Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
Instances experiencing a high sustained number of concurrent Git requests may experience performance issues. If you suspect that this issue is affecting your instance, contact GitHub Support. For more information, see "Creating a support ticket."
In a repository's settings, enabling the option to allow users with read access to create discussions does not enable this functionality.
Custom patterns for secret scanning have .* as an end delimiter, specifically in the "After secret" field. This delimiter causes inconsistencies in scans for secrets across repositories, and you may notice gaps in a repository's history where no scans completed. Incremental scans may also be impacted. To prevent issues with scans, modify the end of the pattern to remove the .* delimiter.
Following an upgrade to GitHub Enterprise Server 3.6 or later, existing inconsistencies in a repository, such as broken refs or missing objects, may now be reported as errors like invalid sha1 pointer 0000000000000000000000000000000000000000, Zero-length loose reference file, or Zero-length loose object file. Previously, these indicators of repository corruption may have been silently ignored. GitHub Enterprise Server now uses an updated Git version with more diligent error reporting enabled. For more information, see this upstream commit in the Git project. If you suspect a problem like this exists in one of your repositories, contact GitHub Enterprise Support for assistance.
On an instance in a high-availability configuration, passive replica nodes accept Git client requests and forward the requests to the primary node.
When using an outbound web proxy server, the ghe-btop command may fail in some circumstances with the error "Error querying allocation: Unexpected response code: 401".
If an instance is configured to forward logs to a target server with TLS enabled, certificate authority (CA) bundles that a site administrator uploads using ghe-ssl-ca-certificate-install are not respected, and connections to the server fail.
When running ghe-config-apply, the process may stall with the message Deployment is running pending automatic promotion.
An upgrade to GitHub Enterprise Server 3.6 or 3.7 from 3.5 or earlier may be long running if a large number of deleted repositories exist. Deleted repositories are purged automatically after 90 days, but for a faster upgrade they can be purged manually. If you suspect you have thousands of recently deleted repositories, and you are concerned about a long running upgrade, contact GitHub Enterprise Support for assistance purging deleted repositories.
On an instance with audit log streaming enabled, the driftwood service does not start, preventing the normal operation of audit log streaming. [Updated: 2023-06-06]
On an instance configured for SAML authentication, when signing in, users may erroneously see an error indicating "User has already been taken." [Updated: 2023-07-18]
In rare circumstances, a small instance with both high availability and GitHub Actions configured may report that MSSQL replication is unhealthy after many upgrades with full upgrade packages. If you encounter this issue, contact GitHub Support. [Updated: 2023-08-24]
Enterprise Server 3.6.12
Download GitHub Enterprise Server 3.6.12
April 18, 2023
📣 This is not the latest patch release of this release series, and this is not the latest release of Enterprise Server. Please use the latest release for the latest security, performance, and bug fixes.
3.6.12: Bug fixes
Download requests for Git LFS objects did not complete until reporting the final download size, which affected the latency of these requests, particularly on an instance with nodes functioning as repository caches.
In some cases, graphs on the Management Console's monitor dashboard failed to render.
On an instance with GitHub Connect enabled, if "Users can search GitHub.com" was enabled, issues in private and internal repositories were not included in users search results for GitHub.com.
After restoration of a deleted organization, the organization did not appear in the instance's list of organizations.
3.6.12: Changes
To avoid a failure during a configuration run on a cluster, validation of cluster.conf with the ghe-cluster-config-check utility ensures that the consul-datacenter field for each node matches the top-level primary-datacenter field.
If a site administrator provides an invalid configuration for blob storage for GitHub Actions or GitHub Packages on an instance, the preflight checks page displays details and troubleshooting information.
3.6.12: Known issues
Custom firewall rules are removed during the upgrade process.
Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
Instances experiencing a high sustained number of concurrent Git requests may experience performance issues. If you suspect that this issue is affecting your instance, contact GitHub Support. For more information, see "Creating a support ticket."
In a repository's settings, enabling the option to allow users with read access to create discussions does not enable this functionality.
Custom patterns for secret scanning have .* as an end delimiter, specifically in the "After secret" field. This delimiter causes inconsistencies in scans for secrets across repositories, and you may notice gaps in a repository's history where no scans completed. Incremental scans may also be impacted. To prevent issues with scans, modify the end of the pattern to remove the .* delimiter.
Following an upgrade to GitHub Enterprise Server 3.6 or later, existing inconsistencies in a repository, such as broken refs or missing objects, may now be reported as errors like invalid sha1 pointer 0000000000000000000000000000000000000000, Zero-length loose reference file, or Zero-length loose object file. Previously, these indicators of repository corruption may have been silently ignored. GitHub Enterprise Server now uses an updated Git version with more diligent error reporting enabled. For more information, see this upstream commit in the Git project. If you suspect a problem like this exists in one of your repositories, contact GitHub Enterprise Support for assistance.
An upgrade to GitHub Enterprise Server 3.6 or 3.7 from 3.5 or earlier may be long running if a large number of deleted repositories exist. Deleted repositories are purged automatically after 90 days, but for a faster upgrade they can be purged manually. If you suspect you have thousands of recently deleted repositories, and you are concerned about a long running upgrade, contact GitHub Enterprise Support for assistance purging deleted repositories. [Updated: 2023-05-09]
On an instance configured for SAML authentication, when signing in, users may erroneously see an error indicating "User has already been taken." [Updated: 2023-07-18]
In rare circumstances, a small instance with both high availability and GitHub Actions configured may report that MSSQL replication is unhealthy after many upgrades with full upgrade packages. If you encounter this issue, contact GitHub Support. [Updated: 2023-08-24]
Enterprise Server 3.6.11
Download GitHub Enterprise Server 3.6.11
March 23, 2023
📣 This is not the latest patch release of this release series, and this is not the latest release of Enterprise Server. Please use the latest release for the latest security, performance, and bug fixes.
3.6.11: Security fixes
HIGH: Addressed an improper authentication vulnerability that allowed an unauthorized actor to modify other users' secret gists by authenticating through an SSH certificate authority. This vulnerability was reported via the GitHub Bug Bounty Program and has been assigned CVE-2023-23761. [Updated: 2023-04-07]
MEDIUM: Addressed an incorrect comparison vulnerability that allowed commit smuggling by displaying an incorrect diff. This vulnerability was reported via the GitHub Bug Bounty Program and has been assigned CVE-2023-23762. [Updated: 2023-04-07]
3.6.11: Bug fixes
In the Management Console's monitor dashboard, the Cached Requests and Served Requests graphs, which are retrieved by the git fetch catching command, did not display metrics for the instance.
After a site administrator exempted the @github-actions[bot] user from rate limiting by using the ghe-config app.github.rate-limiting-exempt-users "github-actions[bot]" command, running ghe-config-check caused a Validation is-valid-characterset failed warning to appear.
GitHub Actions (actions) and Microsoft SQL (mssql) did not appear in the list of processes within the instance's monitor dashboard.
After an administrator used the /setup/api/start REST API endpoint to upload a license, the configuration run failed with a Connection refused error during the migrations phase.
In some cases, on an instance with a GitHub Advanced Security license and secret scanning enabled, users may have seen a discrepancy between the number of alerts displayed on a repository's "Security" tab and in the sidebar for the "Security" tab.
On an instance in a cluster configuration, when a site administrator set maintenance mode using ghe-maintenance -s, a Permission denied error appeared when the utility tried to access /data/user/common/cluster.conf.
On an instance in a high availability configuration, if an administrator tore down replication from a replica node using ghe-repl-teardown immediately after running ghe-repl-setup, but before ghe-repl-start, an error indicated that the script cannot launch /usr/local/bin/ghe-single-config-apply - run is locked. ghe-repl-teardown now displays an informational alert and continues the teardown.
During configuration of high availability, if a site administrator interrupted the ghe-repl-start utility, the utility erroneously reported that replication was configured, and the instance would not perform expected clean-up operations.
Responses from the /repositories REST API endpoint erroneously included deleted repositories.
When a site administrator used ghe-migrator to migrate data to GitHub Enterprise Server, in some cases, nested team relationships would not persist after teams were imported.
If a repository contained a CODEOWNERS file with check annotations, the pull request's "Files changed" tab returned a 500 error and displayed "Oops, something went wrong" in the "Unchanged files with check annotations" section.
After upgrading an instance with a GitHub Advanced Security license to GitHub Enterprise Server 3.6 or 3.7, creating a repository or viewing the security settings page for an organization or repository could result in a 500 error due to a GitHub Advanced Security backfill job not completing before the upgrade started.
On an instance with GitHub Actions enabled, if a user manually triggered a workflow using the REST API but did not specify values for optional booleans, the API failed to validate the request and returned a 422 error.
The CSV reports for all users and all active users, available from the site admin dashboard, did not consider recent access using SSH or personal access tokens.
On an instance with GitHub Connect enabled, if "Users can search GitHub.com" was enabled, users would not see issues in private and internal repositories in search results for GitHub.com.
GitHub Enterprise Server published distribution metrics that cannot be processed by collectd. The metrics included pre_receive.lfsintegrity.dist.referenced_oids, pre_receive.lfsintegrity.dist.unknown_oids, and git.hooks.runtime.
On an instance with a GitHub Advanced Security license, if code scanning had been used while running GitHub Enterprise Server 3.4 or earlier, a subsequent upgrade from 3.5 to 3.6 or 3.7 could fail when attempting to add a unique index to a database table.
On an instance with GitHub Packages enabled, after users pushed to the Container registry, the instance erroneously responded with a 429 Too Many Requests error in cases when the instance could accommodate the request. The limits have been raised, and users should receive this message less often. [Updated: 2023-05-30]
3.6.11: Changes
After an enterprise owner enables Dependabot updates, the instance creates the initial set of updates faster.
On an instance in a cluster configuration, when a site administrator sets maintenance mode on a single cluster node using ghe-maintenance -s, the utility warns the administrator to use ghe-cluster-maintenance -s to set maintenance mode on all of the cluster's nodes. For more information, see "Enabling and scheduling maintenance mode."
When a site administrator configures an outbound web proxy server for GitHub Enterprise Server, the instance now validates top-level domains (TLDs) excluded from the proxy configuration. By default, you can exclude public TLDs that the IANA specifies. Site administrators can specify a list of unregistered TLDs to exclude using ghe-config. The "." prefix is required for any public TLDs. For example, .example.com is valid, but example.com is invalid. For more information, see "Configuring an outbound web proxy server."
To avoid intermittent issues with the success of Git operations on an instance with multiple nodes, GitHub Enterprise Server checks the status of the MySQL container before attempting a SQL query. The timeout duration has also been reduced.
The default path for output from ghe-saml-mapping-csv -d is /data/user/tmp instead of /tmp. For more information, see "Command-line utilities."
Releases in the 3.6 series of GitHub Enterprise Server are no longer suitable for testing SCIM. To continue using the private beta of SCIM, upgrade your instance to version 3.7.3 or later. For more information, see "Upgrading GitHub Enterprise Server." [Updated: 2023-04-17]
3.6.11: Known issues
On a freshly set up GitHub Enterprise Server instance without any users, an attacker could create the first admin user.
Custom firewall rules are removed during the upgrade process.
Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
Instances experiencing a high sustained number of concurrent Git requests may experience performance issues. If you suspect that this issue is affecting your instance, contact GitHub Support. For more information, see "Creating a support ticket."
In a repository's settings, enabling the option to allow users with read access to create discussions does not enable this functionality.
Custom patterns for secret scanning have .* as an end delimiter, specifically in the "After secret" field. This delimiter causes inconsistencies in scans for secrets across repositories, and you may notice gaps in a repository's history where no scans completed. Incremental scans may also be impacted. To prevent issues with scans, modify the end of the pattern to remove the .* delimiter.
Following an upgrade to GitHub Enterprise Server 3.6 or later, existing inconsistencies in a repository, such as broken refs or missing objects, may now be reported as errors like invalid sha1 pointer 0000000000000000000000000000000000000000, Zero-length loose reference file, or Zero-length loose object file. Previously, these indicators of repository corruption may have been silently ignored. GitHub Enterprise Server now uses an updated Git version with more diligent error reporting enabled. For more information, see this upstream commit in the Git project. If you suspect a problem like this exists in one of your repositories, contact GitHub Enterprise Support for assistance.
An upgrade to GitHub Enterprise Server 3.6 or 3.7 from 3.5 or earlier may be long running if a large number of deleted repositories exist. Deleted repositories are purged automatically after 90 days, but for a faster upgrade they can be purged manually. If you suspect you have thousands of recently deleted repositories, and you are concerned about a long running upgrade, contact GitHub Enterprise Support for assistance purging deleted repositories. [Updated: 2023-05-09]
On an instance configured for SAML authentication, when signing in, users may erroneously see an error indicating "User has already been taken." [Updated: 2023-07-18]
In rare circumstances, a small instance with both high availability and GitHub Actions configured may report that MSSQL replication is unhealthy after many upgrades with full upgrade packages. If you encounter this issue, contact GitHub Support. [Updated: 2023-08-24]
Enterprise Server 3.6.10
Download GitHub Enterprise Server 3.6.10
March 02, 2023
📣 This is not the latest patch release of this release series, and this is not the latest release of Enterprise Server. Please use the latest release for the latest security, performance, and bug fixes.
3.6.10: Security fixes
HIGH: A path traversal vulnerability was identified in GitHub Enterprise Server that allowed remote code execution when building a GitHub Pages site. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the GitHub Enterprise Server instance. This vulnerability was reported via the GitHub Bug Bounty Program and has been assigned CVE-2023-23760. [Updated: 2023-03-10]
3.6.10: Bug fixes
When viewing a list of open sessions for the devices logged into a user account, the GitHub Enterprise Server web UI could display an incorrect location.
In the rare case when primary shards for Elasticsearch were located on a replica node, the ghe-repl-stop command would fail with ERROR: Running migrations.
The settings page for discussions in an organization returned a 500 error after a repository owned by the organization was deleted.
3.6.10: Changes
Releases in the 3.6 series of GitHub Enterprise Server are no longer suitable for testing SCIM. To continue using the private beta of SCIM, upgrade your instance to version 3.7.3 or later. For more information, see "Upgrading GitHub Enterprise Server." [Updated: 2023-04-17]
3.6.10: Known issues
On a freshly set up GitHub Enterprise Server instance without any users, an attacker could create the first admin user.
Custom firewall rules are removed during the upgrade process.
Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.
Actions services need to be restarted after restoring an instance from a backup taken on a different host.
In a repository's settings, enabling the option to allow users with read access to create discussions does not enable this functionality.
Custom patterns for secret scanning have .* as an end delimiter, specifically in the "After secret" field. This delimiter causes inconsistencies in scans for secrets across repositories, and you may notice gaps in a repository's history where no scans completed. Incremental scans may also be impacted. To prevent issues with scans, modify the end of the pattern to remove the .* delimiter.
Following an upgrade to GitHub Enterprise Server 3.6 or later, existing inconsistencies in a repository, such as broken refs or missing objects, may now be reported as errors like invalid sha1 pointer 0000000000000000000000000000000000000000, Zero-length loose reference file, or Zero-length loose object file. Previously, these indicators of repository corruption may have been silently ignored. GitHub Enterprise Server now uses an updated Git version with more diligent error reporting enabled. For more information, see this upstream commit in the Git project. If you suspect a problem like this exists in one of your repositories, contact GitHub Enterprise Support for assistance.
Instances experiencing a high sustained number of concurrent Git requests may experience performance issues. If you suspect that this issue is affecting your instance, contact GitHub Support. For more information, see "Creating a support ticket."
In some cases, while converting an issue to a discussion, the conversion process may hang. In this situation, an enterprise owner can try the following troubleshooting steps to resolve the issue.
- At the end of the stuck discussion's URL, note the discussion's number.
- In the web UI, browse to the repository where the conversion is stuck.
- In the top-right corner of the web UI, click .
- Under "Collaboration", click NUMBER discussions.
- In the list, click the number from step 1.
- Under "Conversion", click Enqueue conversion job.
- Wait a few minutes, then check the issue's status.
If the conversion still hasn't completed, contact GitHub Enterprise Support for assistance.
On instances in a high availability configuration, git push operations may fail in the following situations.
- During creation of the repository on a replica node
- After failure to create the repository on a replica node, before automatic repair of the repository [Updated: 2023-03-17]
An upgrade to GitHub Enterprise Server 3.6 or 3.7 from 3.5 or earlier may be long running if a large number of deleted repositories exist. Deleted repositories are purged automatically after 90 days, but for a faster upgrade they can be purged manually. If you suspect you have thousands of recently deleted repositories, and you are concerned about a long running upgrade, contact GitHub Enterprise Support for assistance purging deleted repositories. [Updated: 2023-05-09]
On an instance configured for SAML authentication, when signing in, users may erroneously see an error indicating "User has already been taken." [Updated: 2023-07-18]
In rare circumstances, a small instance with both high availability and GitHub Actions configured may report that MSSQL replication is unhealthy after many upgrades with full upgrade packages. If you encounter this issue, contact GitHub Support. [Updated: 2023-08-24]
Enterprise Server 3.6.9
Download GitHub Enterprise Server 3.6.9
February 16, 2023
📣 This is not the latest patch release of this release series, and this is not the latest release of Enterprise Server. Please use the latest release for the latest security, performance, and bug fixes.
3.6.9: Security fixes
HIGH: Updated Git to include fixes from 2.39.2, which address CVE-2023-22490 and CVE-2023-23946.
Packages have been updated to the latest security versions.
3.6.9: Bug fixes
When using a VPC endpoint URL as an AWS S3 URL for GitHub Packages, publication and installation of packages failed.
On an instance with a GitHub Advanced Security license, if code scanning had been used while running GitHub Enterprise Server 3.4 or earlier, a subsequent upgrade from 3.5 to 3.6 or 3.7 could fail when attempting to add a unique index to a database table.
3.6.9: Changes
Releases in the 3.6 series of GitHub Enterprise Server are no longer suitable for testing SCIM. To continue using the private beta of SCIM, upgrade your instance to version 3.7.3 or later. For more information, see "Upgrading GitHub Enterprise Server." [Updated: 2023-04-17]
3.6.9: Known issues
On a freshly set up GitHub Enterprise Server instance without any users, an attacker could create the first admin user.
Custom firewall rules are removed during the upgrade process.
Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.
Actions services need to be restarted after restoring an instance from a backup taken on a different host.
In a repository's settings, enabling the option to allow users with read access to create discussions does not enable this functionality.
Custom patterns for secret scanning have .* as an end delimiter, specifically in the "After secret" field. This delimiter causes inconsistencies in scans for secrets across repositories, and you may notice gaps in a repository's history where no scans completed. Incremental scans may also be impacted. To prevent issues with scans, modify the end of the pattern to remove the .* delimiter.
Following an upgrade to GitHub Enterprise Server 3.6 or later, existing inconsistencies in a repository, such as broken refs or missing objects, may now be reported as errors like invalid sha1 pointer 0000000000000000000000000000000000000000, Zero-length loose reference file, or Zero-length loose object file. Previously, these indicators of repository corruption may have been silently ignored. GitHub Enterprise Server now uses an updated Git version with more diligent error reporting enabled. For more information, see this upstream commit in the Git project. If you suspect a problem like this exists in one of your repositories, contact GitHub Enterprise Support for assistance.
Instances experiencing a high sustained number of concurrent Git requests may experience performance issues. If you suspect that this issue is affecting your instance, contact GitHub Support. For more information, see "Creating a support ticket."
In some cases, while converting an issue to a discussion, the conversion process may hang. In this situation, an enterprise owner can try the following troubleshooting steps to resolve the issue.
- At the end of the stuck discussion's URL, note the discussion's number.
- In the web UI, browse to the repository where the conversion is stuck.
- In the top-right corner of the web UI, click .
- Under "Collaboration", click NUMBER discussions.
- In the list, click the number from step 1.
- Under "Conversion", click Enqueue conversion job.
- Wait a few minutes, then check the issue's status.
If the conversion still hasn't completed, contact GitHub Enterprise Support for assistance.
On instances in a high availability configuration, git push operations may fail in the following situations.
- During creation of the repository on a replica node
- After failure to create the repository on a replica node, before automatic repair of the repository [Updated: 2023-03-17]
An upgrade to GitHub Enterprise Server 3.6 or 3.7 from 3.5 or earlier may be long running if a large number of deleted repositories exist. Deleted repositories are purged automatically after 90 days, but for a faster upgrade they can be purged manually. If you suspect you have thousands of recently deleted repositories, and you are concerned about a long running upgrade, contact GitHub Enterprise Support for assistance purging deleted repositories. [Updated: 2023-05-09]
On an instance configured for SAML authentication, when signing in, users may erroneously see an error indicating "User has already been taken." [Updated: 2023-07-18]
In rare circumstances, a small instance with both high availability and GitHub Actions configured may report that MSSQL replication is unhealthy after many upgrades with full upgrade packages. If you encounter this issue, contact GitHub Support. [Updated: 2023-08-24]
Enterprise Server 3.6.8
Download GitHub Enterprise Server 3.6.8
February 02, 2023
📣 This is not the latest patch release of this release series, and this is not the latest release of Enterprise Server. Please use the latest release for the latest security, performance, and bug fixes.
3.6.8: Security fixes
MEDIUM: A code injection vulnerability was identified in GitHub Enterprise Server that allowed setting arbitrary environment variables from a single environment variable value in GitHub Actions when using a Windows based runner due to improper sanitization of null bytes. To exploit this vulnerability, an attacker would need existing permission to control the value of environment variables for use with GitHub Actions. This vulnerability was reported via the GitHub Bug Bounty Program and has been assigned CVE-2023-22381.
Packages have been updated to the latest security versions.
3.6.8: Bug fixes
After a site administrator adjusted the cutoff date for allowing SSH connections with RSA keys using ghe-config app.gitauth.rsa-sha1, the instance would still disallow connections with RSA keys if the connection attempt was signed by the SHA-1 hash function.
During the validation phase of a configuration run, a No such object error may have occurred for the Notebook and Viewscreen services.
When enabling automatic TLS certificate management with Let's Encrypt, the process could fail with the error The certificate is not signed by a trusted certificate authority (CA) or the certificate chain in missing intermediate CA signing certificates.
In some cases, users were unable to convert existing issues to discussions. If an issue is stuck while being converted to a discussion, enterprise owners can review the "Known issues" section below for more information.
3.6.8: Changes
When a timeout occurs during diff generation, such as when a commit displays an error that the diff is taking too long to generate, the push webhook event will deliver empty diff information. Previously, the push webhook event would fail to be delivered.
Releases in the 3.6 series of GitHub Enterprise Server are no longer suitable for testing SCIM. To continue using the private beta of SCIM, upgrade your instance to version 3.7.3 or later. For more information, see "Upgrading GitHub Enterprise Server." [Updated: 2023-04-17]
3.6.8: Known issues
On a freshly set up GitHub Enterprise Server instance without any users, an attacker could create the first admin user.
Custom firewall rules are removed during the upgrade process.
Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.
Actions services need to be restarted after restoring an instance from a backup taken on a different host.
In a repository's settings, enabling the option to allow users with read access to create discussions does not enable this functionality.
Custom patterns for secret scanning have .* as an end delimiter, specifically in the "After secret" field. This delimiter causes inconsistencies in scans for secrets across repositories, and you may notice gaps in a repository's history where no scans completed. Incremental scans may also be impacted. To prevent issues with scans, modify the end of the pattern to remove the .* delimiter.
Following an upgrade to GitHub Enterprise Server 3.6 or later, existing inconsistencies in a repository, such as broken refs or missing objects, may now be reported as errors like invalid sha1 pointer 0000000000000000000000000000000000000000, Zero-length loose reference file, or Zero-length loose object file. Previously, these indicators of repository corruption may have been silently ignored. GitHub Enterprise Server now uses an updated Git version with more diligent error reporting enabled. For more information, see this upstream commit in the Git project. If you suspect a problem like this exists in one of your repositories, contact GitHub Enterprise Support for assistance.
Instances experiencing a high sustained number of concurrent Git requests may experience performance issues. If you suspect that this issue is affecting your instance, contact GitHub Support. For more information, see "Creating a support ticket."
In some cases, while converting an issue to a discussion, the conversion process may hang. In this situation, an enterprise owner can try the following troubleshooting steps to resolve the issue.
- At the end of the stuck discussion's URL, note the discussion's number.
- In the web UI, browse to the repository where the conversion is stuck.
- In the top-right corner of the web UI, click .
- Under "Collaboration", click NUMBER discussions.
- In the list, click the number from step 1.
- Under "Conversion", click Enqueue conversion job.
- Wait a few minutes, then check the issue's status.
If the conversion still hasn't completed, contact GitHub Enterprise Support for assistance.
On instances in a high availability configuration, git push operations may fail in the following situations.
- During creation of the repository on a replica node
- After failure to create the repository on a replica node, before automatic repair of the repository [Updated: 2023-03-17]
An upgrade to GitHub Enterprise Server 3.6 or 3.7 from 3.5 or earlier may be long running if a large number of deleted repositories exist. Deleted repositories are purged automatically after 90 days, but for a faster upgrade they can be purged manually. If you suspect you have thousands of recently deleted repositories, and you are concerned about a long running upgrade, contact GitHub Enterprise Support for assistance purging deleted repositories. [Updated: 2023-05-09]
On an instance configured for SAML authentication, when signing in, users may erroneously see an error indicating "User has already been taken." [Updated: 2023-07-18]
In rare circumstances, a small instance with both high availability and GitHub Actions configured may report that MSSQL replication is unhealthy after many upgrades with full upgrade packages. If you encounter this issue, contact GitHub Support. [Updated: 2023-08-24]
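For the repository corruption errors named above ("Zero-length loose reference file" and "Zero-length loose object file"), the following read-only check over a bare repository's on-disk layout is an added example, not code from GitHub's release notes or tooling; the fixture directory it builds is constructed sample data, and it does not attempt any repair.

```shell
#!/bin/sh
# Added example (not GitHub's own tooling): find zero-length loose refs and
# loose objects in a bare repository directory. Packed refs (packed-refs) and
# pack files (objects/pack) are not loose and are deliberately not inspected.

# Print zero-length loose reference files under the repository directory $1.
zero_length_loose_refs() {
    find "$1/refs" -type f -size 0 2>/dev/null
}

# Print zero-length loose object files under $1: only files directly inside a
# two-hex-digit fan-out directory (objects/ab/...), never objects/pack or info.
zero_length_loose_objects() {
    find "$1/objects" -mindepth 2 -maxdepth 2 -type f -size 0 \
        -path '*/objects/[0-9a-f][0-9a-f]/*' 2>/dev/null
}

# Report both kinds for repository $1. Returns 0 when clean, 1 when any found.
# Paths are word-split here, which is fine for Git's own ref and object names.
check_repo() {
    repo="$1"
    status=0
    for f in $(zero_length_loose_refs "$repo"); do
        echo "Zero-length loose reference file: $f"
        status=1
    done
    for f in $(zero_length_loose_objects "$repo"); do
        echo "Zero-length loose object file: $f"
        status=1
    done
    if [ "$status" -eq 0 ]; then
        echo "$repo: no zero-length loose refs or objects"
    fi
    return "$status"
}

# Build a constructed fixture (sample data, not a real repository) shaped like
# a bare repo: one healthy ref and object, one empty ref, one empty loose
# object, plus an empty pack index and info file that must NOT be reported.
# Prints the fixture directory.
make_corruption_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/refs/heads" "$dir/objects/ab" "$dir/objects/cd" \
             "$dir/objects/pack" "$dir/objects/info"
    # healthy ref: a 40-hex-digit placeholder SHA-1 (constructed value)
    echo "0123456789abcdef0123456789abcdef01234567" > "$dir/refs/heads/main"
    # broken ref: zero-length file
    : > "$dir/refs/heads/broken"
    # healthy loose object (38-hex-digit placeholder name, constructed)
    printf 'x' > "$dir/objects/cd/ef0123456789abcdef0123456789abcdef0123"
    # broken loose object: zero-length file
    : > "$dir/objects/ab/cdef0123456789abcdef0123456789abcdef01"
    # not loose objects, so they must be skipped even though they are empty
    : > "$dir/objects/pack/pack-0000.idx"
    : > "$dir/objects/info/packs"
    echo "$dir"
}

# Stand-alone demonstration against the constructed fixture.
repo=$(make_corruption_fixture)
check_repo "$repo" || echo "$repo: corruption indicators found, see the known issue above"
rm -rf "$repo"
```

Point check_repo at a real bare repository path (for example a repositories/ directory copy taken during a maintenance window) to list the exact files an updated Git would reject; the page's advice to contact GitHub Enterprise Support for the repair itself still stands.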
Enterprise Server 3.6.7
Download GitHub Enterprise Server 3.6.7 (January 17, 2023)
📣 This is not the latest patch release of this release series, and this is not the latest release of Enterprise Server. Please use the latest release for the latest security, performance, and bug fixes.
3.6.7: Security fixes
HIGH: Updated Git to include fixes from 2.39.1, which address CVE-2022-41903 and CVE-2022-23521.
3.6.7: Changes
Releases in the 3.6 series of GitHub Enterprise Server are no longer suitable for testing SCIM. To continue using the private beta of SCIM, upgrade your instance to version 3.7.3 or later. For more information, see "Upgrading GitHub Enterprise Server." [Updated: 2023-04-17]
3.6.7: Known issues
On a freshly set up GitHub Enterprise Server instance without any users, an attacker could create the first admin user.
Custom firewall rules are removed during the upgrade process.
Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.
Actions services need to be restarted after restoring an instance from a backup taken on a different host.
In a repository's settings, enabling the option to allow users with read access to create discussions does not enable this functionality.
In some cases, users cannot convert existing issues to discussions.
Custom patterns for secret scanning have .* as an end delimiter, specifically in the "After secret" field. This delimiter causes inconsistencies in scans for secrets across repositories, and you may notice gaps in a repository's history where no scans completed. Incremental scans may also be impacted. To prevent issues with scans, modify the end of the pattern to remove the .* delimiter.
Following an upgrade to GitHub Enterprise Server 3.6 or later, existing inconsistencies in a repository, such as broken refs or missing objects, may now be reported as errors like "invalid sha1 pointer 0000000000000000000000000000000000000000", "Zero-length loose reference file", or "Zero-length loose object file". Previously, these indicators of repository corruption may have been silently ignored. GitHub Enterprise Server now uses an updated Git version with more diligent error reporting enabled. For more information, see this upstream commit in the Git project. If you suspect a problem like this exists in one of your repositories, contact GitHub Enterprise Support for assistance.
Instances experiencing a high sustained number of concurrent Git requests may experience performance issues. If you suspect that this issue is affecting your instance, contact GitHub Support. For more information, see "Creating a support ticket."
On instances in a high availability configuration, git push operations may fail in the following situations.
- During creation of the repository on a replica node
- After failure to create the repository on a replica node, before automatic repair of the repository [Updated: 2023-03-17]
An upgrade to GitHub Enterprise Server 3.6 or 3.7 from 3.5 or earlier may be long running if a large number of deleted repositories exist. Deleted repositories are purged automatically after 90 days, but for a faster upgrade they can be purged manually. If you suspect you have thousands of recently deleted repositories, and you are concerned about a long running upgrade, contact GitHub Enterprise Support for assistance purging deleted repositories. [Updated: 2023-05-09]
On an instance configured for SAML authentication, when signing in, users may erroneously see an error indicating "User has already been taken." [Updated: 2023-07-18]
In rare circumstances, a small instance with both high availability and GitHub Actions configured may report that MSSQL replication is unhealthy after many upgrades with full upgrade packages. If you encounter this issue, contact GitHub Support. [Updated: 2023-08-24]
Enterprise Server 3.6.6
Download GitHub Enterprise Server 3.6.6 (January 12, 2023)
📣 This is not the latest patch release of this release series, and this is not the latest release of Enterprise Server. Please use the latest release for the latest security, performance, and bug fixes.
3.6.6: Security fixes
Sanitize additional secrets in support bundles and the configuration log.
Dependencies for the CodeQL action have been updated to the latest security versions.
Packages have been updated to the latest security versions.
3.6.6: Bug fixes
The metrics "Active workers" and "Queued requests" for the github (renamed from metadata), gitauth, and unicorn container services weren't correctly read from collectd and displayed in the Management Console.
Dependabot Alert emails would be sent to disabled repositories.
Data migrations could fail when the underlying database table contained only a single record.
When viewing a pull request's diff for a large file with many lines between changes, it was not possible to expand the view to display all of the changes.
The git-janitor command was unable to fix outdated multi-pack-index.lock files, resulting in the repository failing maintenance.
The GITHUB_REF_PROTECTED environment variable and github.ref_protected contexts were incorrectly set as false when branch protections did exist.
Dropped launch.* metrics that can't be parsed by statsd, as the resulting statsd errors caused collectd logs to grow rapidly in size.
When updating custom patterns, the pattern state was immediately set to published.
3.6.6: Changes
Improved the reliability of the real time updates service (Alive) to make it more resilient against network issues with Redis.
The ghe-support-bundle and ghe-cluster-support-bundle commands were updated to include the -p/--period flag to generate a time constrained support bundle. The duration can be specified in days and hours, for example: -p '2 hours', -p '1 day', -p '2 days 5 hours'.
When upgrading an instance with a new root partition, running the ghe-upgrade command with the -t/--target option ensures the preflight check for the minimum disk storage size is executed against the target partition.
The performance of configuration runs started with ghe-config-apply has been improved.
When exporting account data, backing up a repository, or performing a migration, the link to a repository archive now expires after 1 hour. Previously the archive link expired after 5 minutes.
Releases in the 3.6 series of GitHub Enterprise Server are no longer suitable for testing SCIM. To continue using the private beta of SCIM, upgrade your instance to version 3.7.3 or later. For more information, see "Upgrading GitHub Enterprise Server." [Updated: 2023-04-17]
3.6.6: Known issues
On a freshly set up GitHub Enterprise Server instance without any users, an attacker could create the first admin user.
Custom firewall rules are removed during the upgrade process.
Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.
Actions services need to be restarted after restoring an instance from a backup taken on a different host.
In a repository's settings, enabling the option to allow users with read access to create discussions does not enable this functionality.
In some cases, users cannot convert existing issues to discussions.
Custom patterns for secret scanning have .* as an end delimiter, specifically in the "After secret" field. This delimiter causes inconsistencies in scans for secrets across repositories, and you may notice gaps in a repository's history where no scans completed. Incremental scans may also be impacted. To prevent issues with scans, modify the end of the pattern to remove the .* delimiter.
Following an upgrade to GitHub Enterprise Server 3.6 or later, existing inconsistencies in a repository, such as broken refs or missing objects, may now be reported as errors like "invalid sha1 pointer 0000000000000000000000000000000000000000", "Zero-length loose reference file", or "Zero-length loose object file". Previously, these indicators of repository corruption may have been silently ignored. GitHub Enterprise Server now uses an updated Git version with more diligent error reporting enabled. For more information, see this upstream commit in the Git project. If you suspect a problem like this exists in one of your repositories, contact GitHub Enterprise Support for assistance.
Instances experiencing a high sustained number of concurrent Git requests may experience performance issues. If you suspect that this issue is affecting your instance, contact GitHub Support. For more information, see "Creating a support ticket."
On instances in a high availability configuration, git push operations may fail in the following situations.
- During creation of the repository on a replica node
- After failure to create the repository on a replica node, before automatic repair of the repository [Updated: 2023-03-17]
An upgrade to GitHub Enterprise Server 3.6 or 3.7 from 3.5 or earlier may be long running if a large number of deleted repositories exist. Deleted repositories are purged automatically after 90 days, but for a faster upgrade they can be purged manually. If you suspect you have thousands of recently deleted repositories, and you are concerned about a long running upgrade, contact GitHub Enterprise Support for assistance purging deleted repositories. [Updated: 2023-05-09]
On an instance configured for SAML authentication, when signing in, users may erroneously see an error indicating "User has already been taken." [Updated: 2023-07-18]
In rare circumstances, a small instance with both high availability and GitHub Actions configured may report that MSSQL replication is unhealthy after many upgrades with full upgrade packages. If you encounter this issue, contact GitHub Support. [Updated: 2023-08-24]
Enterprise Server 3.6.5
Download GitHub Enterprise Server 3.6.5 (December 13, 2022)
📣 This is not the latest patch release of this release series, and this is not the latest release of Enterprise Server. Please use the latest release for the latest security, performance, and bug fixes.
3.6.5: Security fixes
HIGH: A path traversal vulnerability was identified in GitHub Enterprise Server that allowed remote code execution when building a GitHub Pages site. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the instance. This vulnerability was reported via the GitHub Bug Bounty Program and has been assigned CVE-2022-46256.
HIGH: An incorrect authorization vulnerability allowed a scoped user-to-server token to escalate to full admin access for a repository. An attacker would require an account with admin access to install a malicious GitHub App. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.7.0. This vulnerability was reported via the GitHub Bug Bounty program and has been assigned CVE-2022-23741.
MEDIUM: An information disclosure vulnerability was identified in GitHub Enterprise Server that allowed private repositories to be added to a GitHub Actions runner group via the API by a user who did not have access to those repositories, resulting in the repository names being shown in the UI. To exploit this vulnerability, an attacker would need access to the GHES instance, permissions to modify GitHub Actions runner groups, and successfully guess the obfuscated ID of private repositories. This vulnerability was reported via the GitHub Bug Bounty Program and has been assigned CVE-2022-46257.
3.6.5: Bug fixes
A race condition blocked upgrades to GitHub Enterprise Server 3.6 or later until a site administrator retried the upgrade.
Site administrators were not able to manage security products settings for repositories they had unlocked.
When a site administrator ran the ghe-repl-status command on a cache replica via the administrative shell (SSH), the command incorrectly reported overall Git and Alambic cluster replication status information as if it pertained only to cache replication.
When a site administrator ran the ghe-repl-sync-ca-certificates command from an instance's primary node via the administrative shell (SSH), the command only replicated CA certificates from the instance's primary node to a single replica node. The command did not replicate the certificates to all available replica nodes.
When using repository caching with an instance in a high availability configuration, if a Git client used SSH instead of HTTPS for a repository's remote URL, Git LFS would fetch objects from the instance's primary node instead of the appropriate cache replica node.
Installation of GitHub Enterprise Server on the VMware ESXi hypervisor failed due to the generation of an OVA file with an invalid capacity value.
When users performed an operation using the API, GitHub Enterprise Server enforced repository size quotas even when disabled globally.
If a user uploaded more than one file while creating a new Gist, the user could not delete any files uploaded after the first.
In some cases, searches via the API returned a 500 error.
In some cases, when browsing repositories in the web interface, an erroneous banner indicated that a repository didn't contain a specific undefined path on the current branch.
The member webhook event did not include the from and to field values for the permission field as part of the changes field.
Adding a collaborator to a user-owned fork of a private, organization-owned repository with triage, maintain, or custom access resulted in a 500 error.
In some cases, the page for setting up code scanning would erroneously report that GitHub Actions was not configured for the instance.
After a user's account was deleted from the instance, image attachments that the user uploaded in comments were no longer visible in the web interface.
A debug-level message appeared in a system log, which could consume space rapidly on the instance's root storage volume.
3.6.5: Changes
To avoid failing domain verification due to the 63-character limit enforced by DNS providers for DNS records, the GitHub-generated TXT record to verify domain ownership is now limited to 63 characters.
After an enterprise owner enables Dependabot alerts, GitHub Enterprise Server enqueues the synchronization of advisory data to ensure hourly updates from GitHub.com.
A user's list of recently accessed repositories no longer includes deleted repositories.
Releases in the 3.6 series of GitHub Enterprise Server are no longer suitable for testing SCIM. To continue using the private beta of SCIM, upgrade your instance to version 3.7.3 or later. For more information, see "Upgrading GitHub Enterprise Server." [Updated: 2023-04-17]
3.6.5: Known issues
On a freshly set up GitHub Enterprise Server instance without any users, an attacker could create the first admin user.
Custom firewall rules are removed during the upgrade process.
Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.
Actions services need to be restarted after restoring an instance from a backup taken on a different host.
In a repository's settings, enabling the option to allow users with read access to create discussions does not enable this functionality.
In some cases, users cannot convert existing issues to discussions.
Custom patterns for secret scanning have .* as an end delimiter, specifically in the "After secret" field. This delimiter causes inconsistencies in scans for secrets across repositories, and you may notice gaps in a repository's history where no scans completed. Incremental scans may also be impacted. To prevent issues with scans, modify the end of the pattern to remove the .* delimiter.
Following an upgrade to GitHub Enterprise Server 3.6 or later, existing inconsistencies in a repository, such as broken refs or missing objects, may now be reported as errors like "invalid sha1 pointer 0000000000000000000000000000000000000000", "Zero-length loose reference file", or "Zero-length loose object file". Previously, these indicators of repository corruption may have been silently ignored. GitHub Enterprise Server now uses an updated Git version with more diligent error reporting enabled. For more information, see this upstream commit in the Git project. If you suspect a problem like this exists in one of your repositories, contact GitHub Enterprise Support for assistance.
Instances experiencing a high sustained number of concurrent Git requests may experience performance issues. If you suspect that this issue is affecting your instance, contact GitHub Support. For more information, see "Creating a support ticket."
On instances in a high availability configuration, git push operations may fail in the following situations.
- During creation of the repository on a replica node
- After failure to create the repository on a replica node, before automatic repair of the repository [Updated: 2023-03-17]
An upgrade to GitHub Enterprise Server 3.6 or 3.7 from 3.5 or earlier may be long running if a large number of deleted repositories exist. Deleted repositories are purged automatically after 90 days, but for a faster upgrade they can be purged manually. If you suspect you have thousands of recently deleted repositories, and you are concerned about a long running upgrade, contact GitHub Enterprise Support for assistance purging deleted repositories. [Updated: 2023-05-09]
On an instance configured for SAML authentication, when signing in, users may erroneously see an error indicating "User has already been taken." [Updated: 2023-07-18]
In rare circumstances, a small instance with both high availability and GitHub Actions configured may report that MSSQL replication is unhealthy after many upgrades with full upgrade packages. If you encounter this issue, contact GitHub Support. [Updated: 2023-08-24]
Enterprise Server 3.6.4
Download GitHub Enterprise Server 3.6.4 (November 22, 2022)
📣 This is not the latest patch release of this release series, and this is not the latest release of Enterprise Server. Please use the latest release for the latest security, performance, and bug fixes.
3.6.4: Security fixes
MEDIUM: Updated CommonMarker to address a scenario where parallel requests to the Markdown REST API could result in unbounded resource exhaustion. This vulnerability has been assigned CVE-2022-39209.
MEDIUM: Scoped user-to-server tokens from GitHub Apps could bypass authorization checks in GraphQL API requests when accessing non-repository resources. This vulnerability was reported via the GitHub Bug Bounty Program and has been assigned CVE-2022-23739.
MEDIUM: Pull request preview links did not properly sanitize URLs, allowing a malicious user to embed dangerous links in the instance's web UI. This vulnerability was reported via the GitHub Bug Bounty program.
MEDIUM: An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed a repository-scoped token with read/write access to modify GitHub Actions workflow files without a workflow scope. The "Repository contents" permission should enforce the workflow scope. This vulnerability was reported via the GitHub Bug Bounty program and has been assigned CVE-2022-46258.
3.6.4: Bug fixes
If a GitHub Actions dependency uses a pinned SHA version, Dependabot will no longer mark the dependency as vulnerable.
Setting the maintenance mode with an IP Exception List would not persist across upgrades.
GitHub Pages builds could time out on instances in AWS that are configured for high availability.
Status details for the replication of Git LFS objects to repository cache replica nodes were not visible in the ghe-repl-status output on those nodes.
After configuration of Dependabot and alert digest emails, the instance would send digest emails to suspended users.
The audit log timestamp for Dependabot alert events returned the creation date of the alert instead of the timestamp when a user took action on the alert.
When using the CodeQL action, the run's annotations would include a spurious "HttpError: Upload not found" error.
When accessing an instance's JavaScript resources from behind a proxy, the browser displayed Cross-Origin Resource Sharing (CORS) errors.
If a user named a status check with leading or trailing spaces, the instance created a duplicate check if another check existed with the same name and no leading or trailing spaces.
If a user configured a pre-receive hook for multiple repositories, the instance's Hooks page would not always display the correct status for the hook.
In some cases, an instance could replace an active repository with a deleted repository.
Git LFS objects in a repository with a cache replication policy would not be copied to cache replicas if the total number of objects in the repository exceeded 5,000.
After running migrations for the GitHub Enterprise Importer on an instance configured for high availability, replication of migration storage assets would not catch up.
Zombie processes no longer accumulate in the gitrpcd container.
3.6.4: Changes
If a site administrator has not yet configured GitHub Actions for the instance, the UI for setting up code scanning will prompt the user to configure GitHub Actions.
Releases in the 3.6 series of GitHub Enterprise Server are no longer suitable for testing SCIM. To continue using the private beta of SCIM, upgrade your instance to version 3.7.3 or later. For more information, see "Upgrading GitHub Enterprise Server." [Updated: 2023-04-17]
3.6.4: Known issues
On a freshly set up GitHub Enterprise Server instance without any users, an attacker could create the first admin user.
Custom firewall rules are removed during the upgrade process.
Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.
Actions services need to be restarted after restoring an instance from a backup taken on a different host.
In a repository's settings, enabling the option to allow users with read access to create discussions does not enable this functionality.
In some cases, users cannot convert existing issues to discussions.
Custom patterns for secret scanning have .* as an end delimiter, specifically in the "After secret" field. This delimiter causes inconsistencies in scans for secrets across repositories, and you may notice gaps in a repository's history where no scans completed. Incremental scans may also be impacted. To prevent issues with scans, modify the end of the pattern to remove the .* delimiter.
Following an upgrade to GitHub Enterprise Server 3.6 or later, existing inconsistencies in a repository, such as broken refs or missing objects, may now be reported as errors like "invalid sha1 pointer 0000000000000000000000000000000000000000", "Zero-length loose reference file", or "Zero-length loose object file". Previously, these indicators of repository corruption may have been silently ignored. GitHub Enterprise Server now uses an updated Git version with more diligent error reporting enabled. For more information, see this upstream commit in the Git project. If you suspect a problem like this exists in one of your repositories, contact GitHub Enterprise Support for assistance.
Instances experiencing a high sustained number of concurrent Git requests may experience performance issues. If you suspect that this issue is affecting your instance, contact GitHub Support. For more information, see "Creating a support ticket."
On instances in a high availability configuration, git push operations may fail in the following situations.
- During creation of the repository on a replica node
- After failure to create the repository on a replica node, before automatic repair of the repository [Updated: 2023-03-17]
An upgrade to GitHub Enterprise Server 3.6 or 3.7 from 3.5 or earlier may be long running if a large number of deleted repositories exist. Deleted repositories are purged automatically after 90 days, but for a faster upgrade they can be purged manually. If you suspect you have thousands of recently deleted repositories, and you are concerned about a long running upgrade, contact GitHub Enterprise Support for assistance purging deleted repositories. [Updated: 2023-05-09]
On an instance configured for SAML authentication, when signing in, users may erroneously see an error indicating "User has already been taken." [Updated: 2023-07-18]
In rare circumstances, a small instance with both high availability and GitHub Actions configured may report that MSSQL replication is unhealthy after many upgrades with full upgrade packages. If you encounter this issue, contact GitHub Support. [Updated: 2023-08-24]
Enterprise Server 3.6.3
Download GitHub Enterprise Server 3.6.3 (October 25, 2022)
📣 This is not the latest patch release of this release series, and this is not the latest release of Enterprise Server. Please use the latest release for the latest security, performance, and bug fixes.
3.6.3: Security fixes
HIGH: Updated dependencies for the Management Console to the latest patch versions, which addresses security vulnerabilities including CVE-2022-30123 and CVE-2022-29181.
HIGH: Added checks to address an improper cache key vulnerability that allowed an unauthorized actor to access private repository files through a public repository. This vulnerability has been assigned CVE-2022-23738.
MEDIUM: Updated CommonMarker to address a scenario where parallel requests to the Markdown REST API could result in unbounded resource exhaustion. This vulnerability has been assigned CVE-2022-39209.
MEDIUM: Updated Redis to 5.0.14 to address CVE-2021-32672 and CVE-2021-32762.
MEDIUM: Updated GitHub Actions runners to fix a bug that allowed environment variables in GitHub Actions jobs to escape the context of the variable and modify the invocation of docker commands directly. For more information, see the Actions Runner security advisory.
MEDIUM: An improper privilege management vulnerability was identified in GitHub Enterprise Server that allowed users with improper privileges to create or delete pages via the API. To exploit this vulnerability, an attacker would need to be added to an organization's repo with write permissions. This vulnerability was reported via the GitHub Bug Bounty program and has been assigned CVE-2022-23737.
LOW: Due to a CSRF vulnerability, a GET request to the instance's site/toggle_site_admin_and_employee_status endpoint could toggle a user's site administrator status unknowingly.
Packages have been updated to the latest security versions.
3.6.3: Bug fixes
After a site administrator made a change that triggered a configuration run, such as disabling GitHub Actions, validation of services would sometimes fail with the message "WARNING: Validation encountered a problem".
After a site administrator installed a hotpatch containing changes to web interface assets such as JavaScript files or images, the instance did not serve the new assets.
When a user accessed a renamed repository using Git, the hostname in the Git output incorrectly indicated GitHub.com instead of the instance's hostname.
On instances using LDAP authentication and LDAP sync, sync would fail and print "undefined method ord for nil:NilClass" in ldap-sync.log.
When a user visited links to view history or suggest an improvement to the GitHub Advisory Database, the URLs were incorrect, resulting in a 404 error.
Deleted assets and assets scheduled to be purged within a repository, such as LFS files, took too long to be cleaned up.
On instances configured for high availability, ghe-repl-status incorrectly reported that replication was behind for repositories that users had previously deleted.
If a user installed a GitHub App for the user account and then converted the account into an organization, the app was not granted organization permissions.
Missing secret scanning alerts on an instance with a GitHub Advanced Security license that was not upgraded directly to GitHub Enterprise Server 3.4 are now visible in the web interface and through the REST API.
In some cases, on an instance with a GitHub Advanced Security license, some tokens detected by secret scanning were reported as "unknown tokens."
3.6.3: Changes
To ensure that site administrators can successfully complete an upgrade, the instance will now execute a preflight check to ensure that the virtual machine meets minimum hardware requirements. The check also verifies Elasticsearch's health. You can review the current requirements for CPU, memory, and storage for GitHub Enterprise Server in the "Minimum requirements" section within each article in "Setting up a GitHub Enterprise Server instance."
Releases in the 3.6 series of GitHub Enterprise Server are no longer suitable for testing SCIM. To continue using the private beta of SCIM, upgrade your instance to version 3.7.3 or later. For more information, see "Upgrading GitHub Enterprise Server." [Updated: 2023-04-17]
3.6.3: Known issues
On a freshly set up GitHub Enterprise Server instance without any users, an attacker could create the first admin user.
Custom firewall rules are removed during the upgrade process.
Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.
Actions services need to be restarted after restoring an instance from a backup taken on a different host.
In a repository's settings, enabling the option to allow users with read access to create discussions does not enable this functionality.
In some cases, users cannot convert existing issues to discussions.
Custom patterns for secret scanning have .* as an end delimiter, specifically in the "After secret" field. This delimiter causes inconsistencies in scans for secrets across repositories, and you may notice gaps in a repository's history where no scans completed. Incremental scans may also be impacted. To prevent issues with scans, modify the end of the pattern to remove the .* delimiter.
GitHub Pages builds may time out on instances in AWS that are configured for high availability. [Updated: 2022-11-28]
Instances experiencing a high sustained number of concurrent Git requests may experience performance issues. If you suspect that this issue is affecting your instance, contact GitHub Support. For more information, see "Creating a support ticket."
On instances in a high availability configuration, git push operations may fail in the following situations.
- During creation of the repository on a replica node
- After failure to create the repository on a replica node, before automatic repair of the repository [Updated: 2023-03-17]
An upgrade to GitHub Enterprise Server 3.6 or 3.7 from 3.5 or earlier may be long running if a large number of deleted repositories exist. Deleted repositories are purged automatically after 90 days, but for a faster upgrade they can be purged manually. If you suspect you have thousands of recently deleted repositories, and you are concerned about a long running upgrade, contact GitHub Enterprise Support for assistance purging deleted repositories. [Updated: 2023-05-09]
On an instance configured for SAML authentication, when signing in, users may erroneously see an error indicating "User has already been taken." [Updated: 2023-07-18]
In rare circumstances, a small instance with both high availability and GitHub Actions configured may report that MSSQL replication is unhealthy after many upgrades with full upgrade packages. If you encounter this issue, contact GitHub Support. [Updated: 2023-08-24]
Enterprise Server 3.6.2
Download GitHub Enterprise Server 3.6.2 (September 21, 2022)
📣 This is not the latest patch release of this release series, and this is not the latest release of Enterprise Server. Please use the latest release for the latest security, performance, and bug fixes.
3.6.2: Features
Repository archives for migrations now include an is_archived field.
3.6.2: Security fixes
HIGH: A GitHub App could use a scoped user-to-server token to bypass user authorization logic and escalate privileges.
LOW: Granting a user the ability to bypass branch protections no longer allows the user to bypass the requirement for signature verification.
Packages have been updated to the latest security versions.
3.6.2: Bug fixes
In some cases, collectd could log excessive metrics-related errors in /var/log/collectd.log.
When configuring the external domain name of a repository cache replica node using ghe-repl-node --cache-domain, the command would return an error that prevented Git LFS caching from being enabled.
Installation of a TLS certificate failed when the certificate's subject string included UTF-8 characters.
Configuration runs could fail when retry-limit or retry-sleep-duration were manually set by an administrator using ghe-config.
The option to enable TLS encryption for incoming SMTP connections to an instance was missing from the Management Console.
In some cases, the Management Console's monitor dashboard would not load correctly.
Removed a non-functional link for exporting Management Console monitor graphs as a PNG image.
The ghe-find-insecure-git-operations command did not return all insecure Git operations after each invocation.
When sending a support bundle to GitHub Enterprise Support using ghe-support-upload, the -t option would not successfully associate the uploaded bundle with the specified ticket.
A link back to the security settings for the instance's enterprise account could render an incorrect view.
In rare cases, an upgrade from GitHub Enterprise Server 3.3 to 3.4 would incorrectly modify how data is stored, resulting in failures during future upgrades. When upgrading directly to this release from 3.3, the failure will not occur.
When using a VPC endpoint URL as an AWS S3 URL for GitHub Packages, publication and installation of packages failed.
Git clones or fetches over SSH could experience data corruption for transfers over 1GB in size.
After a user deleted or restored packages from the web interface, counts for packages could render incorrectly.
After successful configuration of Dependabot and alert digest emails, the instance would not send digest emails.
Manually disabled GitHub Actions workflows in a repository were re-enabled if the repository received a push containing more than 2048 commits, or if the repository's default branch changed.
When viewing a pull request's diff for a large file with many lines between changes, it was not possible to expand the view to display all of the changes.
If branch protections were enabled, the GITHUB_REF_PROTECTED environment variable and github.ref_protected contexts for GitHub Actions workflow runs were incorrectly set as false.
Repositories for packages erroneously displayed a "Used by" section.
3.6.2: Changes
Releases in the 3.6 series of GitHub Enterprise Server are no longer suitable for testing SCIM. To continue using the private beta of SCIM, upgrade your instance to version 3.7.3 or later. For more information, see "Upgrading GitHub Enterprise Server." [Updated: 2023-04-17]
3.6.2: Known issues
On a freshly set up GitHub Enterprise Server instance without any users, an attacker could create the first admin user.
Custom firewall rules are removed during the upgrade process.
Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.
Actions services need to be restarted after restoring an instance from a backup taken on a different host.
In a repository's settings, enabling the option to allow users with read access to create discussions does not enable this functionality.
In some cases, users cannot convert existing issues to discussions.
Custom patterns for secret scanning have .* as an end delimiter, specifically in the "After secret" field. This delimiter causes inconsistencies in scans for secrets across repositories, and you may notice gaps in a repository's history where no scans completed. Incremental scans may also be impacted. To prevent issues with scans, modify the end of the pattern to remove the .* delimiter.
After upgrading a replica node to GitHub Enterprise Server 3.6.0 or later and restarting replication, in some situations Git replication may stop progressing and continue to show "WARNING: git replication is behind the primary …". If you encounter this known issue, contact GitHub Support. For more information, see "Creating a support ticket." [Updated: 2022-10-03]
Hotpatch upgrades to GitHub Enterprise Server 3.6.2 may fail. Upgrades with the full .pkg are unaffected. If the upgrade fails for your instance, work around this issue by connecting to the administrative shell (ssh) and running the following non-interactive command:
echo "grub-pc grub-pc/install_devices_empty boolean true" | sudo debconf-set-selections
If you're unable to upgrade, or if you need further assistance, contact GitHub Support. For more information, see "Creating a support ticket." [Updated: 2022-10-14]
GitHub Pages builds may time out on instances in AWS that are configured for high availability. [Updated: 2022-11-28]
Instances experiencing a high sustained number of concurrent Git requests may experience performance issues. If you suspect that this issue is affecting your instance, contact GitHub Support. For more information, see "Creating a support ticket."
On instances in a high availability configuration, git push operations may fail in the following situations.
- During creation of the repository on a replica node
- After failure to create the repository on a replica node, before automatic repair of the repository [Updated: 2023-03-17]
An upgrade to GitHub Enterprise Server 3.6 or 3.7 from 3.5 or earlier may be long running if a large number of deleted repositories exist. Deleted repositories are purged automatically after 90 days, but for a faster upgrade they can be purged manually. If you suspect you have thousands of recently deleted repositories, and you are concerned about a long running upgrade, contact GitHub Enterprise Support for assistance purging deleted repositories. [Updated: 2023-05-09]
On an instance configured for SAML authentication, when signing in, users may erroneously see an error indicating "User has already been taken." [Updated: 2023-07-18]
In rare circumstances, a small instance with both high availability and GitHub Actions configured may report that MSSQL replication is unhealthy after many upgrades with full upgrade packages. If you encounter this issue, contact GitHub Support. [Updated: 2023-08-24]
Enterprise Server 3.6.1
Download GitHub Enterprise Server 3.6.1 (August 30, 2022)
📣 This is not the latest patch release of this release series, and this is not the latest release of Enterprise Server. Please use the latest release for the latest security, performance, and bug fixes.
3.6.1: Bug fixes
After unlocking a repository for temporary access, a site administrator was unable to manage settings for security products in the repository.
Duplicate administrative SSH keys could appear in both the Management Console and the /home/admin/.ssh/authorized_keys file.
The site admin page for individual users at http(s)://HOSTNAME/stafftools/users/USERNAME/admin contained functionality not intended for GitHub Enterprise Server.
In some cases, running ghe-cluster-config-apply could replicate an empty configuration to existing nodes in a cluster.
In some cases, configuration runs started with ghe-config-apply did not complete, or returned a "Container count mismatch" error.
After updating a self-signed TLS certificate on a GitHub Enterprise Server instance, UI elements on some pages in the web interface did not appear.
In some cases, background tasks could stall due to a library that was used concurrently despite not being thread-safe.
The site admin bar at the top of the web interface contained a broken link to the SHA for the currently running version of the application.
Organization owners were unable to set the level of access required to create discussions.
Discussions users were incorrectly directed to the community guidelines for GitHub.com.
In some cases, users were incorrectly instructed to verify their email before creating a discussion.
Alerts from secret scanning for GitHub Advanced Security customers were missing in the web UI and REST API if a site administrator did not upgrade directly to GitHub Enterprise Server 3.4. The alerts are now visible.
3.6.1: Changes
Generation of support bundles is faster as a result of parallelized log sanitization. For more information about support bundles, see "Providing data to GitHub Support."
APIs that contain the organization or org route now accept either the organization's slug or ID. Previously, the APIs only accepted slugs, which caused Link headers for GitHub Advanced Security endpoints to be inaccessible. For more information, see "Organizations" in the REST API documentation.
The enterprise audit log now includes more user-generated events, such as project.create. The REST API also returns additional user-generated events, such as repo.create. For more information, see "Accessing the audit log for your enterprise" and "Using the audit log API for your enterprise."
In some cases, cache replicas could reject some Git operations on recently updated repositories. For more information about repository caching, see "About repository caching."
You can now configure the global announcement banner to be dismissable using the REST API. For more information, see "Customizing user messages for your enterprise."
Releases in the 3.6 series of GitHub Enterprise Server are no longer suitable for testing SCIM. To continue using the private beta of SCIM, upgrade your instance to version 3.7.3 or later. For more information, see "Upgrading GitHub Enterprise Server." [Updated: 2023-04-17]
3.6.1: Known issues
On a freshly set up GitHub Enterprise Server instance without any users, an attacker could create the first admin user.
Custom firewall rules are removed during the upgrade process.
Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.
Actions services need to be restarted after restoring an instance from a backup taken on a different host.
In a repository's settings, enabling the option to allow users with read access to create discussions does not enable this functionality.
In some cases, users cannot convert existing issues to discussions.
Custom patterns for secret scanning have .* as an end delimiter, specifically in the "After secret" field. This delimiter causes inconsistencies in scans for secrets across repositories, and you may notice gaps in a repository's history where no scans completed. Incremental scans may also be impacted. To prevent issues with scans, modify the end of the pattern to remove the .* delimiter.
After upgrading a replica node to GitHub Enterprise Server 3.6.0 or later and restarting replication, in some situations Git replication may stop progressing and continue to show "WARNING: git replication is behind the primary …". If you encounter this known issue, contact GitHub Support. For more information, see "Creating a support ticket." [Updated: 2022-10-03]
GitHub Pages builds may time out on instances in AWS that are configured for high availability. [Updated: 2022-11-28]
Instances experiencing a high sustained number of concurrent Git requests may experience performance issues. If you suspect that this issue is affecting your instance, contact GitHub Support. For more information, see "Creating a support ticket."
On instances in a high availability configuration, git push operations may fail in the following situations.
- During creation of the repository on a replica node
- After failure to create the repository on a replica node, before automatic repair of the repository [Updated: 2023-03-17]
An upgrade to GitHub Enterprise Server 3.6 or 3.7 from 3.5 or earlier may be long running if a large number of deleted repositories exist. Deleted repositories are purged automatically after 90 days, but for a faster upgrade they can be purged manually. If you suspect you have thousands of recently deleted repositories, and you are concerned about a long running upgrade, contact GitHub Enterprise Support for assistance purging deleted repositories. [Updated: 2023-05-09]
On an instance configured for SAML authentication, when signing in, users may erroneously see an error indicating "User has already been taken." [Updated: 2023-07-18]
In rare circumstances, a small instance with both high availability and GitHub Actions configured may report that MSSQL replication is unhealthy after many upgrades with full upgrade packages. If you encounter this issue, contact GitHub Support. [Updated: 2023-08-24]
Enterprise Server 3.6.0
Download GitHub Enterprise Server 3.6.0 (August 16, 2022)
📣 This is not the latest patch release of this release series, and this is not the latest release of Enterprise Server. Please use the latest release for the latest security, performance, and bug fixes.
Note: If your GitHub Enterprise Server instance is running a release candidate build, you can't upgrade with a hotpatch. We recommend that you only run release candidates in a test environment.
For upgrade instructions, see "Upgrading GitHub Enterprise Server."
3.6.0: Features
Infrastructure
Repository caching is generally available. Repository caching increases Git read performance for distributed developers, providing the data locality and convenience of geo-replication without impact on push workflows. With the general availability release, GitHub Enterprise Server caches both Git and Git LFS data. For more information, see "About repository caching."
Instance security
Site administrators can configure a cutoff date for allowing Git operations over SSH that use an RSA key and are signed by the SHA-1 hash function. By default, these connections will fail for RSA keys added to user accounts after the cutoff date of midnight UTC on August 1, 2022. For more information, see Deprecations. [Updated: 2023-01-31]
GitHub Enterprise Server optionally allows the advertisement of an Ed25519 host key. For more information, see "Configuring host keys for your instance."
You can require TLS encryption for incoming SMTP connections to your instance. For more information, see "Configuring email for notifications."
- Note: This feature is unavailable in GitHub Enterprise Server 3.6.0 and 3.6.1. The feature is available in the 3.6.2 release. [Updated: 2022-09-22]
Audit logs
You can stream audit log and Git events for your instance to Amazon S3, Azure Blob Storage, Azure Event Hubs, Google Cloud Storage, or Splunk. Audit log streaming is in public beta and subject to change. Enabling this feature can cause a minor impact on the performance of your GitHub Enterprise Server instance. For more information, see "Streaming the audit log for your enterprise." [Updated: 2023-09-12]
GitHub Connect
Server Statistics is now generally available. Server Statistics collects aggregate usage data from your GitHub Enterprise Server instance, which you can use to better anticipate the needs of your organization, understand how your team works, and show the value you get from GitHub Enterprise Server. For more information, see "About Server Statistics."
Administrator experience
Enterprise owners can join organizations on the instance as a member or owner from the enterprise account's Organizations page. For more information, see "Managing your role in an organization owned by your enterprise."
Enterprise owners can allow users to dismiss the configured global announcement banner. For more information, see "Customizing user messages for your enterprise."
GitHub Advanced Security
Users on an instance with a GitHub Advanced Security license can opt to receive a webhook event that triggers when an organization owner or repository administrator enables or disables a code security or analysis feature. For more information, see the following documentation.
- "Webhook events and payloads" in the webhook documentation
- "Managing security and analysis settings for your organization"
- "Managing security and analysis features for your repository"
Users on an instance with a GitHub Advanced Security license can optionally add a comment when dismissing a code scanning alert in the web UI or via the REST API. Dismissal comments appear in the event timeline. Users can also add or retrieve a dismissal comment via the REST API. For more information, see "Triaging code scanning alerts in pull requests" and "Code Scanning" in the REST API documentation.
On instances with a GitHub Advanced Security license, secret scanning prevents the leak of secrets in the web editor. For more information, see "Protecting pushes with secret scanning."
Enterprise owners and users on an instance with a GitHub Advanced Security license can view secret scanning alerts and bypasses of secret scanning's push protection in the enterprise and organization audit logs, and via the REST API. For more information, see the following documentation.
- "Protecting pushes with secret scanning"
- "Audit log events for your enterprise"
- "Reviewing the audit log for your organization"
- "Secret Scanning" in the REST API documentation
Enterprise owners on an instance with a GitHub Advanced Security license can perform dry runs of custom secret scanning patterns for the enterprise, and all users can perform dry runs when editing a pattern. Dry runs allow you to understand a pattern's impact across the entire instance and hone the pattern before publication and generation of alerts. For more information, see "Defining custom patterns for secret scanning."
Users on an instance with a GitHub Advanced Security license can use sort and direction parameters in the REST API when retrieving secret scanning alerts, and sort based on the alert's created or updated fields. The new parameters are available for the entire instance, or for individual organizations or repositories. For more information, see the following documentation.
- "List secret scanning alerts for an enterprise"
- "List secret scanning alerts for an organization"
- "List secret scanning alerts for a repository"
- "Secret Scanning" in the REST API documentation
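The sort and direction parameters above apply to the enterprise, organization and repository alert-listing endpoints. The following is an added example, not GitHub's own client code: it builds a request URL for each of those three scopes, validates the parameter values the release notes name, and follows pagination through the Link header rather than guessing page numbers. The instance hostname, owner, repository and the sample Link header are constructed for the example.

```python
import re
from urllib.parse import urlencode

# Hypothetical GitHub Enterprise Server instance; the /api/v3 prefix is where
# GHES serves its REST API.
API_BASE = "https://ghes.example.internal/api/v3"

VALID_SORT = ("created", "updated")      # the two sortable alert fields
VALID_DIRECTION = ("asc", "desc")


def alerts_url(scope, sort="created", direction="desc", per_page=100, **path):
    """Build the secret scanning alert listing URL for one scope.

    scope is "enterprise", "org" or "repo"; path carries the route
    segments for that scope (enterprise=..., org=..., or owner=... repo=...).
    """
    if sort not in VALID_SORT:
        raise ValueError(f"sort must be one of {VALID_SORT}, got {sort!r}")
    if direction not in VALID_DIRECTION:
        raise ValueError(f"direction must be one of {VALID_DIRECTION}, got {direction!r}")

    if scope == "enterprise":
        route = f"/enterprises/{path['enterprise']}/secret-scanning/alerts"
    elif scope == "org":
        route = f"/orgs/{path['org']}/secret-scanning/alerts"
    elif scope == "repo":
        route = f"/repos/{path['owner']}/{path['repo']}/secret-scanning/alerts"
    else:
        raise ValueError(f"unknown scope {scope!r}")

    query = urlencode({"sort": sort, "direction": direction, "per_page": per_page})
    return f"{API_BASE}{route}?{query}"


# Link header entries look like: <url>; rel="next", <url>; rel="last"
_LINK_ENTRY = re.compile(r'<([^>]+)>;\s*rel="([^"]+)"')


def parse_link_header(value):
    """Map each rel value ("next", "last", ...) to its URL."""
    return {rel: url for url, rel in _LINK_ENTRY.findall(value or "")}


def next_page(link_header):
    """Return the URL of the next page, or None when the last page was reached."""
    return parse_link_header(link_header).get("next")


# Constructed sample Link header, as an API response for the repo scope might carry.
SAMPLE_LINK_HEADER = (
    '<https://ghes.example.internal/api/v3/repos/acme/app/secret-scanning/alerts'
    '?sort=updated&direction=desc&per_page=100&page=2>; rel="next", '
    '<https://ghes.example.internal/api/v3/repos/acme/app/secret-scanning/alerts'
    '?sort=updated&direction=desc&per_page=100&page=5>; rel="last"'
)


if __name__ == "__main__":
    print(alerts_url("repo", owner="acme", repo="app", sort="updated"))
    print(alerts_url("org", org="acme", sort="created", direction="asc"))
    print("next page:", next_page(SAMPLE_LINK_HEADER))
```

Following the Link header is the robust way to walk all alerts: it works whether a given endpoint paginates by page number or by cursor, and it stops cleanly when no rel="next" entry is present.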
The contents of the github/codeql-go repository have moved to the github/codeql repository, to live alongside similar libraries for all other programming languages supported by CodeQL. The open-source CodeQL queries, libraries, and extractor for analyzing codebases written in the Go programming language with GitHub's CodeQL code analysis tools can now be found in the new location. For more information, including guidance on migrating your existing workflows, see github/codeql-go#741.
Dependabot
Enterprise owners on instances with a GitHub Advanced Security license can see an overview of Dependabot alerts for the entire instance, including a repository-centric view of application security risks, and an alert-centric view of all secret scanning and Dependabot alerts. The views are in beta and subject to change, and alert-centric views for code scanning are planned for a future release of GitHub Enterprise Server. For more information, see "Viewing the security overview."
Users can select multiple Dependabot alerts, then dismiss or reopen the alerts. For example, from the Closed alerts tab, you can select multiple alerts that have been previously dismissed, and then reopen them all at once. For more information, see "About Dependabot alerts."
- Note: This feature is unavailable in GitHub Enterprise Server 3.6.0. The feature is available in GitHub Enterprise Server 3.7.0 and later. [Updated: 2022-10-19]
Dependabot updates @types dependencies alongside corresponding packages in TypeScript projects. Before this change, users would see separate pull requests for a package and the corresponding @types package. This feature is automatically enabled for repositories containing @types packages in the project's devDependencies within the package.json file. You can disable this behavior by setting the ignore field in your dependabot.yml file to @types/*. For more information, see "About Dependabot version updates" and "Configuration options for the dependabot.yml file."
Code security
GitHub Actions can enforce dependency reviews on users' pull requests by scanning for dependencies, and will warn users about associated security vulnerabilities. The dependency-review-action action is supported by a new API endpoint that diffs the dependencies between any two revisions. For more information, see "About dependency review."
The dependency graph detects Cargo.toml and Cargo.lock files for Rust. These files will be displayed in the Dependency graph section of the Insights tab. Users will receive Dependabot alerts and updates for vulnerabilities associated with their Rust dependencies. Package metadata, including mapping packages to repositories, will be added at a later date. For more information, see "About the dependency graph."
If GitHub Connect is enabled for your instance, users can contribute an improvement to a security advisory in the GitHub Advisory Database. To contribute, click Suggest improvements for this vulnerability while viewing an advisory's details. For more information, see the following articles.
- "Managing GitHub Connect"
- "Browsing security vulnerabilities in the GitHub Advisory Database" in the GitHub Enterprise Cloud documentation
- "About GitHub Security Advisories for repositories" in the GitHub Enterprise Cloud documentation
- "Editing security advisories in the GitHub Advisory Database" in the GitHub Enterprise Cloud documentation
GitHub Actions
Within a workflow that calls a reusable workflow, users can pass the secrets to the reusable workflow with secrets: inherit. For more information, see "Reusing workflows."
When using GitHub Actions, to reduce the risk of merging a change that was not reviewed by another person into a protected branch, enterprise owners and repository administrators can prevent Actions from creating pull requests. Organization owners could previously enable this restriction. For more information, see the following articles.
Users can write a single workflow triggered by workflow_dispatch and workflow_call, and use the inputs context to access input values. Previously, workflow_dispatch inputs were in the event payload, which increased difficulty for workflow authors who wanted to write one workflow that was both reusable and manually triggered. For workflows triggered by workflow_dispatch, inputs are still available in the github.event.inputs context to maintain compatibility. For more information, see "Contexts."
To summarize the result of a job, users can generate Markdown and publish the contents as a job summary. For example, after running tests with GitHub Actions, a summary can provide an overview of passed, failed, or skipped tests, potentially reducing the need to review the full log output. For more information, see "Workflow commands for GitHub Actions."
To more easily diagnose job execution failures during a workflow re-run, users can enable debug logging, which outputs information about a job's execution and environment. For more information, see "Re-running workflows and jobs" and "Using workflow run logs."
If you manage self-hosted runners for GitHub Actions, you can ensure a consistent state on the runner itself before and after a workflow run by defining scripts to execute. By using scripts, you no longer need to require that users manually incorporate these steps into workflows. Pre- and post-job scripts are in beta and subject to change. For more information, see "Running scripts before or after a job."
GitHub Packages
Enterprise owners can migrate container images from the GitHub Docker registry to the GitHub Container registry. The Container registry provides the following benefits.
- Improves the sharing of containers within an organization
- Allows the application of granular access permissions
- Permits the anonymous sharing of public container images
- Implements OCI standards for hosting Docker images
The Container registry is in beta and subject to change. For more information, see "Migrating your enterprise to the Container registry from the Docker registry."
Community experience
GitHub Discussions is available for GitHub Enterprise Server. GitHub Discussions provides a central gathering space to ask questions, share ideas, and build connections. For more information, see "GitHub Discussions."
Enterprise owners can configure a policy to control whether people's usernames or full names are displayed within internal or public repositories. For more information, see "Enforcing repository management policies in your enterprise."
Organizations
Users can create member-only READMEs for an organization. For more information, see "Customizing your organization's profile."
Organization owners can pin a repository to an organization's profile directly from the repository via the new Pin repository dropdown. Pinned public repositories appear to all users of your instance, while public, private, and internal repositories are only visible to organization members.
Repositories
While creating a fork, users can customize the fork's name. For more information, see "Fork a repo."
Users can delete a branch that's associated with an open pull request. For more information, see "Creating and deleting branches within your repository."
Repositories with multiple licenses display all of the licenses in the "About" sidebar on the Code tab. For more information, see "Licensing a repository."
Users can require a successful deployment of a branch before anyone can merge the pull request associated with the branch. For more information, see "About protected branches" and "Managing a branch protection rule."
Enterprise owners can prevent organization owners from inviting collaborators to repositories on the instance. For more information, see "Enforcing a policy for inviting collaborators to repositories."
Users can grant exceptions to GitHub Apps for any branch protection rule that supports exceptions. For more information, see "About apps" and "Managing a branch protection rule."
Commits
For public GPG signing keys that are expired or revoked, GitHub Enterprise Server verifies Git commit signatures and shows commits as verified if the user made the commit while the key was still valid. Users can also upload expired or revoked GPG keys. For more information, see "About commit signature verification."
To affirm that a commit complies with the rules and licensing governing a repository, organization owners and repository administrators can now require developers to sign off on commits made through the web interface. For more information, see "Managing the commit signoff policy for your organization" and "Managing the commit signoff policy for your repository."
Pull requests
Using the file tree located in the Files changed tab of a pull request, users can navigate modified files, understand the size and scope of changes, and focus reviews. The file tree appears if a pull request modifies at least two files, and the browser window is sufficiently wide. For more information, see "Reviewing proposed changes in a pull request" and "Filtering files in a pull request."
Users can default to using pull request titles as the commit message for all squash merges. For more information, see "Configuring commit squashing for pull requests."
GitHub Mobile
In GitHub Mobile for iOS 1.80.0 and later, users can edit files within a pull request's topic branch. Support for editing files will come to GitHub Mobile for Android in a future release. [Updated: 2022-09-13]
Releases
When viewing the details for a particular release, users can see the creation date for each release asset. For more information, see "Viewing your repository's releases and tags."
While creating a release with automatically generated release notes, users can see the tag identified as the previous release, then choose to select a different tag to specify as the previous release. For more information, see "Automatically generated release notes."
Markdown
Editing Markdown in the web interface has been improved.
- After a user selects text and pastes a URL, the selected text will become a Markdown link to the pasted URL.
- When a user pastes spreadsheet cells or HTML tables, the resulting text will render as a table.
- When a user copies text containing links, the pasted text will include the link as a Markdown link.
For more information, see "Basic writing and formatting syntax."
When editing a Markdown file in the web interface, clicking the Preview tab will automatically scroll to the place in the preview that you were editing. The scroll location is based on the position of your cursor before you clicked the Preview tab.
3.6.0: Changes
The unencrypted and unauthenticated Git protocol is now disabled by default. If you do not re-enable the protocol after you upgrade to GitHub Enterprise Server 3.6 or later, git:// connections on port 9418 will return the following error.
The unauthenticated git protocol on port 9418 is no longer supported.
If you wish to support the protocol in your environment, you must manually re-enable the feature. For more information, see "Enforcing repository management policies in your enterprise" and the GitHub Blog. [Updated: 2023-01-31]
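Rather than re-enabling the unauthenticated protocol, the usual response to this change is to move clients off git:// remotes. The following is an added example, not part of the release notes or of GitHub's tooling: it parses git remote -v style output, flags remotes that still use the git:// scheme (with or without an explicit :9418 port), and proposes https:// replacements on the same host and path. The hostname and repository paths in the sample are constructed.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample in the format printed by `git remote -v` (hypothetical host).
SAMPLE_REMOTES = """\
origin\tgit://ghes.example.internal/acme/app.git (fetch)
origin\tgit://ghes.example.internal/acme/app.git (push)
upstream\thttps://ghes.example.internal/acme/upstream.git (fetch)
upstream\thttps://ghes.example.internal/acme/upstream.git (push)
mirror\tgit://ghes.example.internal:9418/acme/mirror.git (fetch)
"""


def parse_remotes(text):
    """Map remote name -> URL from `git remote -v` output.

    Fetch and push URLs are normally identical; the first one seen wins.
    """
    remotes = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, url, _kind = line.split()
        remotes.setdefault(name, url)
    return remotes


def is_unauthenticated_git(url):
    """True for git:// URLs, the protocol GHES 3.6 disables by default."""
    return urlsplit(url).scheme == "git"


def to_https(url):
    """Rewrite a git:// URL to https:// on the same host and path.

    The port is dropped on purpose: 9418 is the git-daemon port and does not
    apply to the HTTPS endpoint. An ssh:// rewrite would be equally valid.
    """
    parts = urlsplit(url)
    return urlunsplit(("https", parts.hostname, parts.path, "", ""))


def plan_rewrites(text):
    """Return {remote name: replacement URL} for every git:// remote found."""
    return {
        name: to_https(url)
        for name, url in parse_remotes(text).items()
        if is_unauthenticated_git(url)
    }


def set_url_commands(text):
    """Render the `git remote set-url` commands that apply the plan."""
    return [f"git remote set-url {name} {url}" for name, url in plan_rewrites(text).items()]


if __name__ == "__main__":
    for command in set_url_commands(SAMPLE_REMOTES):
        print(command)
```

Run against real output by piping git remote -v into parse_remotes; the generated set-url commands are printed rather than executed so an administrator can review them first. Credentials for the https:// remotes still need to be provisioned separately (for example via a credential helper), which is exactly the authentication the git:// protocol lacked.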
Interactive elements in the web interface such as links and buttons show a visible outline when focused with a keyboard, to help users find the current position on a page. In addition, when focused, form fields have a higher contrast outline.
VMware vSphere ESXi hypervisor version 7.0 is now supported. [Updated: 2022-09-07]
Releases in the 3.6 series of GitHub Enterprise Server are no longer suitable for testing SCIM. To continue using the private beta of SCIM, upgrade your instance to version 3.7.3 or later. For more information, see "Upgrading GitHub Enterprise Server." [Updated: 2023-04-17]
3.6.0: Known issues
On a freshly set up GitHub Enterprise Server instance without any users, an attacker could create the first admin user.
Custom firewall rules are removed during the upgrade process.
Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.
Actions services need to be restarted after restoring an instance from a backup taken on a different host.
In a repository's settings, enabling the option to allow users with read access to create discussions does not enable this functionality.
In some cases, users cannot convert existing issues to discussions.
Custom patterns for secret scanning have `.*` as an end delimiter, specifically in the "After secret" field. This delimiter causes inconsistencies in scans for secrets across repositories, and you may notice gaps in a repository's history where no scans completed. Incremental scans may also be impacted. To prevent issues with scans, modify the end of the pattern to remove the `.*` delimiter.
In some cases, GitHub Advanced Security customers who upgrade to GitHub Enterprise Server 3.6 may notice that alerts from secret scanning are missing in the web UI and REST API. To ensure the alerts remain visible, do not skip 3.4 as you upgrade to the latest release. To plan an upgrade through 3.4, see the Upgrade assistant.
- To display the missing alerts for all repositories owned by an organization, organization owners can navigate to the organization's Code security and analysis settings, then click Enable all for secret scanning. For more information, see "Managing security and analysis settings for your organization."
- To display the missing alerts for an individual repository, people with admin access to the repository can disable then enable secret scanning for the repository. For more information, see "Managing security and analysis settings for your repository."
A fix is available in the 3.6.1 patch release.
[Updated: 2022-09-01]
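The `.*` "After secret" delimiter in the custom-pattern known issue above has a concrete regex-level effect that is easy to reproduce. The Python below is an added illustration, not GitHub's scanner: it assumes the three fields of a custom pattern are concatenated as before, captured secret, after, and compares a trailing `.*` with a non-consuming boundary on a constructed file. The token format `ghe_` plus 36 alphanumerics and the sample lines are made up for the example.

```python
import re

# Assumed assembly of a custom pattern's three fields; the secret is the captured group.
def build_pattern(before, secret, after):
    return re.compile(f"{before}({secret}){after}")


# Constructed token format: a fixed prefix followed by 36 alphanumerics.
SECRET = r"ghe_[0-9A-Za-z]{36}"
BEFORE = r"(?<![0-9A-Za-z])"       # zero-width: not preceded by an alphanumeric
AFTER_BROKEN = r".*"               # the delimiter the known issue describes
AFTER_FIXED = r"(?![0-9A-Za-z])"   # zero-width: not followed by an alphanumeric

BROKEN = build_pattern(BEFORE, SECRET, AFTER_BROKEN)
FIXED = build_pattern(BEFORE, SECRET, AFTER_FIXED)

# Constructed sample file: two tokens on the first line, one on the second.
TOKEN_A = "ghe_" + "a" * 36
TOKEN_B = "ghe_" + "b" * 36
TOKEN_C = "ghe_" + "c" * 36
SAMPLE = f"export API_A={TOKEN_A} API_B={TOKEN_B}\nother={TOKEN_C}\n"


def scan(pattern, text):
    """Return (secret, whole_match) per hit so the reported span is visible."""
    return [(m.group(1), m.group(0)) for m in pattern.finditer(text)]


def lint_after_secret(after):
    """True when an 'After secret' value ends in an unbounded wildcard."""
    return after.rstrip().endswith(".*")


if __name__ == "__main__":
    for name, pattern in (("broken", BROKEN), ("fixed", FIXED)):
        hits = scan(pattern, SAMPLE)
        print(f"{name}: {len(hits)} hit(s)")
        for secret, span in hits:
            print(f"  secret={secret[:8]}... span_len={len(span)}")
```

With `.*` the first hit on a line swallows everything to the end of that line, so a second secret on the same line is never reported and the matched span is the remainder of the line rather than the secret. A zero-width boundary such as `(?![0-9A-Za-z])` keeps each match to the secret itself and lets adjacent secrets match independently, which is the shape to use after removing the `.*` delimiter as the known issue advises.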
After upgrading a replica node to GitHub Enterprise Server 3.6.0 or later and restarting replication, Git replication may stop progressing and continue to show `WARNING: git replication is behind the primary …`. If you encounter this known issue, contact GitHub Enterprise Support. [Updated: 2022-10-03]
GitHub Pages builds may time out on instances in AWS that are configured for high availability. [Updated: 2022-11-28]
Instances experiencing a high sustained number of concurrent Git requests may experience performance issues. If you suspect that this issue is affecting your instance, contact GitHub Support. For more information, see "Creating a support ticket."
On instances in a high availability configuration, `git push` operations may fail in the following situations.
- During creation of the repository on a replica node
- After failure to create the repository on a replica node, before automatic repair of the repository [Updated: 2023-03-17]
An upgrade to GitHub Enterprise Server 3.6 or 3.7 from 3.5 or earlier may be long running if a large number of deleted repositories exist. Deleted repositories are purged automatically after 90 days, but for a faster upgrade they can be purged manually. If you suspect you have thousands of recently deleted repositories, and you are concerned about a long running upgrade, contact GitHub Enterprise Support for assistance purging deleted repositories. [Updated: 2023-05-09]
On an instance configured for SAML authentication, when signing in, users may erroneously see an error indicating "User has already been taken." [Updated: 2023-07-18]
In rare circumstances, a small instance with both high availability and GitHub Actions configured may report that MSSQL replication is unhealthy after many upgrades with full upgrade packages. If you encounter this issue, contact GitHub Support. [Updated: 2023-08-24]
3.6.0: Deprecations
Changes to supported SSH algorithms
In GitHub Enterprise Server 3.6 and later, GitHub is changing the supported algorithms and hash functions for Git operations over SSH. By default, SSH connections that satisfy both of the following conditions will fail.
- The RSA key was added to a user account on your GitHub Enterprise Server instance after the cutoff date of midnight UTC on August 1, 2022.
- The SSH client signs the connection attempt with the SHA-1 hash function.
You can adjust the cutoff date. For more information, see "Configuring SSH connections to your instance." [Updated: 2023-01-31]
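Both conditions must hold, so the keys worth reviewing are RSA keys added on or after the cutoff; Ed25519 and ECDSA keys are outside the rule, and an affected RSA key does not need to be replaced, because the failing condition is the SHA-1 signature, so a client that signs with rsa-sha2-256 or rsa-sha2-512 (the SHA-2 RSA signature algorithms from RFC 8332) connects with the same key. The Python below is an added example, not from these release notes or from GitHub: it parses OpenSSH public key lines in their wire format to recover the key type and, for RSA, the modulus size, then applies the cutoff to a constructed list of key records. The records, titles, and timestamps are made up, and the key blobs are generated by the script rather than taken from any real instance; how you obtain the records from your own instance is left to you.

```python
import base64
import struct
from datetime import datetime, timezone

# Cutoff stated in the release notes: midnight UTC on August 1, 2022.
CUTOFF = datetime(2022, 8, 1, tzinfo=timezone.utc)


def _read_string(buf, pos):
    """Read one SSH wire-format string: uint32 big-endian length, then that many bytes."""
    (length,) = struct.unpack(">I", buf[pos:pos + 4])
    start = pos + 4
    return buf[start:start + length], start + length


def parse_public_key(key_line):
    """Return (key_type, rsa_modulus_bits or None) for an OpenSSH public key line."""
    fields = key_line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    blob = base64.b64decode(fields[1])
    key_type, pos = _read_string(blob, 0)
    key_type = key_type.decode("ascii")
    if key_type != fields[0]:
        raise ValueError("key type inside blob does not match the line prefix")
    if key_type != "ssh-rsa":
        return key_type, None
    _e, pos = _read_string(blob, pos)   # public exponent (mpint), not needed here
    n, _ = _read_string(blob, pos)      # modulus (mpint), big-endian two's complement
    return key_type, int.from_bytes(n, "big").bit_length()


def triage_keys(records, cutoff=CUTOFF):
    """Return (title, modulus_bits) for RSA keys added on or after the cutoff."""
    affected = []
    for rec in records:
        created = datetime.fromisoformat(rec["created_at"].replace("Z", "+00:00"))
        key_type, bits = parse_public_key(rec["key"])
        if key_type == "ssh-rsa" and created >= cutoff:
            affected.append((rec["title"], bits))
    return affected


# --- constructed test data below; these are not real keys ---
def _encode_string(b):
    return struct.pack(">I", len(b)) + b


def _mpint(value):
    # Unsigned positive mpint: add a leading 0x00 if the high bit would be set.
    return value.to_bytes((value.bit_length() + 8) // 8, "big")


def make_key_line(key_type, *parts):
    """Assemble an OpenSSH public key line from wire-format parts (constructed data)."""
    blob = _encode_string(key_type.encode()) + b"".join(_encode_string(p) for p in parts)
    return f"{key_type} {base64.b64encode(blob).decode()} constructed@example"


RSA_2048 = make_key_line("ssh-rsa", _mpint(65537), _mpint((1 << 2047) | 0x10001))
ED25519 = make_key_line("ssh-ed25519", bytes(32))

SAMPLE_RECORDS = [
    {"title": "laptop-rsa-old", "key": RSA_2048, "created_at": "2021-03-04T10:00:00Z"},
    {"title": "ci-runner-rsa", "key": RSA_2048, "created_at": "2022-09-15T08:30:00Z"},
    {"title": "yubikey-ed25519", "key": ED25519, "created_at": "2022-10-01T12:00:00Z"},
]

if __name__ == "__main__":
    for title, bits in triage_keys(SAMPLE_RECORDS):
        print(f"{title}: RSA-{bits} added after cutoff; client must sign with rsa-sha2-256/512")
```

Only `ci-runner-rsa` is flagged: the older RSA key predates the cutoff and the Ed25519 key is not RSA. For a flagged key the remediation is on the client side, so the next step is to confirm that whatever runs that key (here a CI runner) negotiates an rsa-sha2 signature rather than ssh-rsa, or to move the cutoff as the linked article describes.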
3.6.0: Errata
"Using secrets in GitHub Actions" incorrectly indicated that secrets for GitHub Actions are encrypted in the instance's database. The article has been updated to reflect that secrets are not encrypted on the instance. To encrypt secrets at rest, you must encrypt your instance's block storage device. For more information, refer to the documentation for your hypervisor or cloud service. [Updated: 2023-06-01]
The "Changes" section of these release notes indicated that if a user refreshes the page while creating a new issue or pull request, the assignees, reviewers, labels and projects will all be preserved. This change is not available in GitHub Enterprise Server 3.6, but is available in GitHub Enterprise Server 3.7 and later. [Updated: 2023-09-06]