
Enterprise Server 3.5 release notes

Enterprise Server 3.5.0.rc1

Release Candidate

May 10, 2022

Note: If your GitHub Enterprise Server instance is running a release candidate build, you can't upgrade with a hotpatch. We recommend only running release candidates on test environments.

For upgrade instructions, see "Upgrading GitHub Enterprise Server."


  • IP exception list for validation testing after maintenance

  • You can now configure an allow list of IP addresses that can access application services on your GitHub Enterprise Server instance while maintenance mode is enabled. Administrators who visit the instance's web interface from an allowed IP address can validate the instance's functionality post-maintenance and before disabling maintenance mode. For more information, see "Enabling and scheduling maintenance mode."

  • Custom repository roles are generally available

  • With custom repository roles, organizations now have more granular control over the repository access permissions they can grant to users. For more information, see "Managing custom repository roles for an organization."

    A custom repository role is created by an organization owner, and is available across all repositories in that organization. Each role can be given a custom name and a description. It can be configured from a set of over 40 fine-grained permissions. Once created, repository admins can assign a custom role to any user, team or outside collaborator in their repository.

    Custom repository roles can be created, viewed, edited and deleted via the new Repository roles tab in an organization's settings. A maximum of 3 custom roles can be created within an organization.

    Custom repository roles are also fully supported in the GitHub Enterprise Server REST APIs. The Organizations API can be used to list all custom repository roles in an organization, and the existing APIs for granting repository access to individuals and teams have been extended to support custom repository roles. For more information, see "Organizations" in the REST API documentation.

  • GitHub Container registry in public beta

  • The GitHub Container registry (GHCR) is now available in GitHub Enterprise Server 3.5 as a public beta, offering developers the ability to publish, download, and manage containers. GitHub Packages container support implements the OCI standards for hosting Docker images. For more information, see "GitHub Container registry."

  • Dependabot updates are generally available

  • Dependabot version and security updates are now generally available in GitHub Enterprise Server 3.5. All the popular ecosystems and features that work on repositories now can be set up on your GitHub Enterprise Server instance. Dependabot on GitHub Enterprise Server requires GitHub Actions and a pool of self-hosted Dependabot runners, GitHub Connect enabled, and Dependabot enabled by an admin.

    Following on from the public beta release, we will be supporting the use of GitHub Actions runners hosted on a Kubernetes setup.

    For more information, see "Setting up Dependabot updates."

  • Server Statistics in public beta

  • You can now analyze how your team works, understand the value you get from GitHub Enterprise Server, and help us improve our products by reviewing your instance's usage data and sharing this aggregate data with GitHub. You can use your own tools to analyze your usage over time by downloading your data in a CSV or JSON file or by accessing it using the REST API. To see the list of aggregate metrics collected, see "About Server Statistics." Server Statistics data includes no personal data nor GitHub content, such as code, issues, comments, or pull requests content. For a better understanding of how we store and secure Server Statistics data, see "GitHub Security." For more information about Server Statistics, see "Analyzing how your team works with Server Statistics." This feature is available in public beta.

  • GitHub Actions rate limiting is now configurable

  • Site administrators can now enable and configure a rate limit for GitHub Actions. By default, the rate limit is disabled. When workflow jobs cannot immediately be assigned to an available runner, they will wait in a queue until a runner is available. However, if GitHub Actions experiences a sustained high load, the queue can back up faster than it can drain and the performance of the GitHub Enterprise Server instance may degrade. To avoid this, an administrator can configure a rate limit. When the rate limit is exceeded, additional workflow runs will fail immediately rather than being put in the queue. Once the rate has stabilized below the threshold, new runs can be queued again. For more information, see "Configuring rate limits."

  • OpenID Connect (OIDC) for secure deployments with GitHub Actions

  • GitHub Actions on GitHub Enterprise Server now supports OIDC for secure deployments to cloud providers, which uses short-lived tokens that are automatically rotated for each deployment. OIDC enables the following functionality.

    • Seamless authentication between cloud providers and GitHub Enterprise Server without the need for storing any long-lived cloud secrets on your instance
    • Cloud administrators can rely on the security mechanisms of a particular cloud provider to ensure that GitHub Actions workflows have minimal access to cloud resources. There is no duplication of secret management between GitHub Enterprise Server and the cloud.

    For more information, see "Security hardening your deployments."

  • Sharing GitHub Actions within your enterprise is generally available

  • Support for GitHub Actions in internal repositories is now generally available for organizations on your GitHub Enterprise Server instance. You can innersource automation by sharing actions in internal repositories. You can manage a repository's settings or use the REST API to allow access to workflows in other repositories within the organization or in any organization on the instance. For more information, see "Sharing actions and workflows with your enterprise," "Managing GitHub Actions settings for a repository," and "Actions Permissions" in the REST API documentation.

  • Cache support for GitHub Actions on GitHub Enterprise Server is now generally available

  • You can now use dependency caching to speed up your GitHub Actions workflows. To cache dependencies for a job, you can include the actions/cache action to create a cache with a unique key. You can share caches across all workflows in the same repository. These workflows can then restore the cache and run faster.

    Actions users can also use our cache APIs to:

    • Define the enterprise policy for cache size range allowed per repository.
    • Query the cache usage within each repository and monitor if the total size of all caches is reaching the upper limit.
    • Increase the maximum cache size for a repository within the allowed enterprise limits, based on the cache requirements of the repository.
    • Monitor aggregate cache usage at organization level or at enterprise level.

    The external blob storage that is configured within your enterprise account will now be shared across workflow artifacts, logs, and also the caches. For more information, see "Caching dependencies to speed up workflows."

  • Automatically sign commits made in the web UI

  • You can now configure GitHub Enterprise Server to automatically sign commits made in the web interface, such as from editing a file or merging a pull request. Signed commits increase confidence that changes come from trusted sources. This feature allows the Require signed commits branch protection setting to block unsigned commits from entering a repository, while allowing entry of signed commits – even those made in the web interface. For more information, see "Configuring web commit signing."

  • Sync license usage any time

  • For customers who sync license usage between GitHub Enterprise Server and GitHub Enterprise Cloud automatically using GitHub Connect, you now have the ability to sync your license usage independently of the automatic weekly sync. This feature also reports the status of the sync job. For more information, see "Syncing license usage between GitHub Enterprise Server and GitHub Enterprise Cloud."

  • Reusable workflows for GitHub Actions are generally available

  • Reusable workflows are now generally available. Reusable workflows help you reduce duplication by enabling you to reuse an entire workflow as if it were an action. With the general availability release, a number of improvements are now available for GitHub Enterprise Server. For more information, see "Reusing workflows."

    • You can utilize outputs to pass data from reusable workflows to other jobs in the caller workflow.
    • You can pass environment secrets to reusable workflows.
    • The audit log includes information about which reusable workflows are used.
    • Reusable workflows in the same repository as the calling repository can be referenced with just the path and filename (PATH/FILENAME). The called workflow will be from the same commit as the caller workflow.

  • Self-hosted runners for GitHub Actions can now disable automatic updates

  • You now have more control over when your self-hosted runners perform software updates. If you specify the --disableupdate flag to the runner then it will not try to perform an automatic software update if a newer version of the runner is available. This allows you to update the self-hosted runner on your own schedule, and is especially convenient if your self-hosted runner is in a container.

    For compatibility with the GitHub Actions service, you will need to manually update your runner within 30 days of a new runner version being available. For instructions on how to install the latest runner version, please see the installation instructions for the latest release in the runner repo.

  • Secure self-hosted runners for GitHub Actions by limiting workflows

  • Organization owners can now increase the security of CI/CD workflows on self-hosted runners by choosing which workflows can access a runner group. Previously, any workflow in a repository, such as an issue labeler, could access the self-hosted runners available to an organization. For more information, see "Managing access to self-hosted runners using groups" and the GitHub Blog.

  • Prevent GitHub Actions from approving pull requests

  • You can now control whether GitHub Actions can approve pull requests. This feature protects against a user using GitHub Actions to satisfy the "Required approvals" branch protection requirement and merging a change that was not reviewed by another user. To prevent breaking existing workflows, Allow GitHub Actions reviews to count towards required approval is enabled by default. Organization owners can disable the feature in the organization's GitHub Actions settings. For more information, see "Disabling or limiting GitHub Actions for your organization."

  • Re-run failed or individual GitHub Actions jobs

  • You can now re-run only failed jobs or an individual job in a GitHub Actions workflow run. For more information, see "Re-running workflows and jobs."

  • Dependency graph supports GitHub Actions

  • The dependency graph now detects YAML files for GitHub Actions workflows. GitHub Enterprise Server will display the workflow files within the Insights tab's dependency graph section. Repositories that publish actions will also be able to see the number of repositories that depend on that action from the "Used By" control on the repository homepage. For more information, see "About the dependency graph."

  • Security overview for enterprises in public beta

  • GitHub Advanced Security customers can now view an overview of security alerts at the enterprise level. The new Security tab at the enterprise level provides a repository-centric view of application security risks, as well as an alert-centric view of all secret scanning alerts. For more information, see "About the security overview."

  • Security view for organizations is generally available

  • The overview of security alerts at the organization level is now generally available. GitHub Advanced Security customers can use the security overview to view a repository-centric view of application security risks, or an alert-centric view of all code scanning, Dependabot, and secret scanning alerts for all repositories in an organization. For more information, see "About the security overview."

  • Code scanning detects more security issues, supports new language versions

  • Code scanning now detects a larger number of CWEs, and CodeQL code scanning fully supports the standard language features in the following language releases.

    • C# 10 / .NET 6
    • Python 3.10
    • Java 17
    • TypeScript 4.5

    For more information, see the GitHub Blog.

  • View code scanning alerts across an organization

  • GitHub Advanced Security customers can now view code scanning alerts in an organization's Security tab. This view is available to organization owners and members of teams with the security manager role. For more information, see "About the security overview."

  • Users can now retrieve code scanning alerts for an organization on your GitHub Enterprise Server instance via the REST API. This new API endpoint supplements the existing endpoint for repositories. For more information, see Code Scanning in the REST API documentation.

  • Secret scanning available as a push protection

  • GitHub Enterprise Server can now block any pushes where a token is detected with high confidence. Developers can bypass the block by providing details of why the secret needs to be committed via a web UI. For more information, see "Protecting pushes with secret scanning."

  • Dry runs for custom patterns with secret scanning

  • GitHub Advanced Security customers can now dry run custom secret scanning patterns at the organization or repository level. Dry runs allow people with owner or admin access to review and hone their patterns before publishing them and generating alerts. You can compose a pattern, then use Save and dry run to retrieve results. The scans typically take just a few seconds, but GitHub Enterprise Server will also notify organization owners or repository admins via email when dry run results are ready. For more information, see "About secret scanning" and "Defining custom patterns for secret scanning."

  • Secret scanning custom pattern events now in the audit log

  • The audit log now includes events associated with secret scanning custom patterns. This data helps GitHub Advanced Security customers understand actions taken on their repository-, organization-, or enterprise-level custom patterns for security and compliance audits. For more information, see "Reviewing the audit log for your organization" or "Reviewing audit logs for your enterprise."

  • Configure permissions for secret scanning with custom repository roles

  • You can now configure two new permissions for secret scanning when managing custom repository roles.

    • View secret scanning results
    • Dismiss or reopen secret scanning results

    For more information, see "Managing custom repository roles for an organization."

  • Secret scanning now supports archived repositories

  • GitHub Advanced Security customers can now enable secret scanning for archived repositories via the UI and API. For more information, see "About secret scanning," "About archived repositories," and "Repositories" in the REST API documentation.

  • Secret scanning webhooks for alert locations

  • GitHub Advanced Security customers using secret scanning can now opt to receive a webhook each time a secret is detected in a new location. The secret_scanning_alert_location webhook event includes location details, like the commit SHA, and the associated alert for the detection. A location is created for every new file path containing the detected secret. For more information, see "Webhook events and payloads."

  • View Dependabot alerts across an organization

  • GitHub Advanced Security customers can now view Dependabot alerts in an organization's Security tab. This view is available to organization owners and members of teams with the security manager role. For more information, see "About the security overview."

  • Configure permissions for Dependabot alerts with custom repository roles

  • You can now configure two new permissions for Dependabot alerts when managing custom repository roles.

    • View Dependabot alerts
    • Dismiss or reopen Dependabot alerts

    For more information, see "Managing custom repository roles for an organization."

  • Reopen dismissed Dependabot alerts

  • You can now reopen dismissed Dependabot alerts through the UI page for a closed alert. This does not affect Dependabot pull requests or the GraphQL API. For more information, see "About Dependabot alerts."

  • Pub support for Dependabot version updates is in public beta

  • Users of Dependabot version updates can now proactively update dependencies for Flutter or Dart projects that use the Pub package manager.

    To test version updates on your own Dart or Flutter repository, add the following configuration file in .github/dependabot.yaml. Note the package-ecosystem: "pub" and enable-beta-ecosystems: true flags.

    version: 2
    # Opt in to ecosystems that are still in beta, such as pub
    enable-beta-ecosystems: true
    updates:
      - package-ecosystem: "pub"
        directory: "/"
        schedule:
          interval: "weekly"

  • See pull request associated with a repository's Dependabot alerts via GraphQL API

  • The new DependabotUpdate GraphQL object lets you view information about what happens to your repository's security updates. When GitHub Enterprise Server detects that a dependency in your repository is vulnerable, Dependabot will attempt to open a pull request to update that dependency to a non-vulnerable version. You can now see the pull request that fixes the vulnerability. In some cases, Dependabot fails to open a pull request. Previously, the error message that Dependabot generated was only visible in the "Dependabot Alerts" section of the Security tab. Now, if Dependabot runs into an error when trying to open a pull request for a security alert, you can determine the reason using the GraphQL API. For more information, see "Objects" in the GraphQL API documentation.

  • Access more information about Dependabot alerts via GraphQL API

  • You can now view fixed alerts from Dependabot with the GraphQL API. You can also access and filter by state, as well as by unique numeric identifier, and you can filter by state on the vulnerability alert object. The following fields now exist for a RepositoryVulnerabilityAlert.

    • number
    • fixed_at
    • fix_reason
    • state

    For more information, see "Objects" in the GraphQL API documentation.

  • Git events in the enterprise audit log

  • The following Git-related events can now appear in the enterprise audit log. If you enable the feature and set an audit log retention period, the new events will be available for search via the UI and API, or export via JSON or CSV.

    • git.clone
    • git.fetch
    • git.push

    Due to the large number of Git events logged, we recommend you monitor your instance's file storage and review your related alert configurations. For more information, see "Audit log events for your enterprise" and "Monitoring storage."
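
An added example (not from GitHub's documentation) of triaging the new Git events in an exported audit log: it counts `git.clone`, `git.fetch` and `git.push` events and flags actors who clone many distinct repositories within a short window. The field names (`action`, `actor`, `repo`, `@timestamp` as epoch milliseconds), the thresholds and the sample records are assumptions constructed for illustration; check them against your instance's actual export.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Event names taken from the release note above.
GIT_ACTIONS = {"git.clone", "git.fetch", "git.push"}


def load_events(text):
    """Parse an export that is either a JSON array or newline-delimited JSON."""
    text = text.strip()
    if not text:
        return []
    if text.startswith("["):
        return json.loads(text)
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _timestamp(event):
    # Assumption: '@timestamp' holds epoch milliseconds in UTC.
    return datetime.fromtimestamp(event["@timestamp"] / 1000, tz=timezone.utc)


def count_git_events(events):
    """Count Git events per action; useful for sizing audit log storage growth."""
    counts = defaultdict(int)
    for event in events:
        if event.get("action") in GIT_ACTIONS:
            counts[event["action"]] += 1
    return dict(counts)


def bulk_clone_actors(events, window=timedelta(minutes=10), threshold=3):
    """Return {actor: peak distinct repos cloned in any window} for actors
    whose peak reaches the threshold. Events without an actor or repo are skipped."""
    clones_by_actor = defaultdict(list)
    for event in events:
        if event.get("action") == "git.clone" and event.get("actor") and event.get("repo"):
            clones_by_actor[event["actor"]].append((_timestamp(event), event["repo"]))

    flagged = {}
    for actor, clones in clones_by_actor.items():
        clones.sort()
        peak, start = 0, 0
        for end in range(len(clones)):
            # Slide the window start forward until it spans at most `window`.
            while clones[end][0] - clones[start][0] > window:
                start += 1
            distinct = len({repo for _, repo in clones[start:end + 1]})
            peak = max(peak, distinct)
        if peak >= threshold:
            flagged[actor] = peak
    return flagged


# --- Constructed sample data (not real audit log output) ---
T0 = 1652140800000  # arbitrary base time, epoch milliseconds


def _record(action, actor, repo, offset_seconds):
    return json.dumps({"@timestamp": T0 + offset_seconds * 1000,
                       "action": action, "actor": actor, "repo": repo})


SAMPLE_NDJSON = "\n".join([
    _record("git.clone", "alice", "org/a", 0),
    _record("git.clone", "alice", "org/b", 60),
    _record("git.clone", "alice", "org/c", 120),
    _record("git.clone", "alice", "org/d", 180),
    _record("git.clone", "bob", "org/a", 0),      # same repo twice: CI-like pattern
    _record("git.clone", "bob", "org/a", 30),
    _record("git.clone", "bob", "org/b", 3600),   # outside the 10-minute window
    _record("git.clone", None, "org/a", 10),      # no actor recorded: counted, not attributed
    _record("git.fetch", "carol", "org/a", 5),
    _record("git.push", "carol", "org/a", 15),
    _record("repo.create", "carol", "org/e", 20), # non-Git event, ignored
])

if __name__ == "__main__":
    sample_events = load_events(SAMPLE_NDJSON)
    print(count_git_events(sample_events))
    print(bulk_clone_actors(sample_events))
```
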

  • Improvements to CODEOWNERS

  • This release includes improvements to CODEOWNERS.

    • Syntax errors are now surfaced when viewing a CODEOWNERS file from the web. Previously, when a line in a CODEOWNERS file had a syntax error, the error would be ignored or in some cases cause the entire CODEOWNERS file to not load. GitHub Apps and Actions can access the same list of errors using new REST and GraphQL APIs. For more information, see "Repositories" in the REST API documentation or "Objects" in the GraphQL API documentation.
    • After someone creates a new pull request or pushes new changes to a draft pull request, any code owners that will be requested for review are now listed in the pull request under "Reviewers". This feature gives you an early look at who will be requested to review once the pull request is marked ready for review.
    • Comments in CODEOWNERS files can now appear at the end of a line, not just on dedicated lines.

    For more information, see "About code owners."

  • More ways to keep a pull request's topic branch up to date

  • The Update branch button on the pull request page lets you update your pull request's branch with the latest changes from the base branch. This is useful for verifying your changes are compatible with the current version of the base branch before you merge. Two enhancements now give you more ways to keep your branch up-to-date.

    • When your pull request's topic branch is out of date with the base branch, you now have the option to update it by rebasing on the latest version of the base branch. Rebasing applies the changes from your branch onto the latest version of the base branch, resulting in a branch with a linear history since no merge commit is created. To update by rebasing, click the drop down menu next to the Update Branch button, click Update with rebase, and then click Rebase branch. Previously, Update branch performed a traditional merge that always resulted in a merge commit in your pull request branch. This option is still available, but now you have the choice. For more information, see "Keeping your pull request in sync with the base branch."

    • A new repository setting allows the Update branch button to always be available when a pull request's topic branch is not up to date with the base branch. Previously, this button was only available when the Require branches to be up to date before merging branch protection setting was enabled. People with admin or maintainer access can manage the Always suggest updating pull request branches setting from the Pull Requests section in repository settings. For more information, see "Managing suggestions to update pull request branches."

  • Configure custom HTTP headers for GitHub Pages sites

  • You can now configure custom HTTP headers that apply to all GitHub Pages sites served from your GitHub Enterprise Server instance. For more information, see "Configuring GitHub Pages for your enterprise."

  • Ignore commits in blame view

  • It's now possible to ignore revisions in the blame view by creating a .git-blame-ignore-revs file in the root of your repository. For more information, see "Viewing a file."

  • Light high contrast theme is generally available

  • A light high contrast theme, with greater contrast between foreground and background elements, is now generally available. For more information, see "Managing your theme settings."

  • Tag protection rules

  • Repository owners can now configure tag protection rules to protect a repository's tags. Once protected by a tag protection rule, tags matching a specified name pattern can only be created and deleted by users with the Maintain or Admin role in the repository. For more information, see "Configuring tag protection rules."

    Bug fixes

  • It is now possible for GitHub Apps to upload release assets.


  • To use the device authorization flow for OAuth and GitHub Apps, you must manually enable the feature. This change reduces the likelihood of apps being used in phishing attacks against GitHub Enterprise Server users by ensuring integrators are aware of the risks and make a conscious choice to support this form of authentication. If you own or manage an OAuth App or GitHub App and you want to use the device flow, you can enable it for your app via the app's settings page. The device flow API endpoints will respond with status code 400 to apps that have not enabled this feature. For more information, see "Authorizing OAuth Apps."

  • The code scanning alert page now always shows the alert status and information for the default branch. There is a new "Affected branches" panel in the sidebar where you can see the status of the alert in other branches. If the alert does not exist in your default branch, the alert page will show the status as "In branch" or "In pull request" for the location where the alert was last seen. This improvement makes it easier to understand the status of alerts which have been introduced into your code base. For more information, see "About code scanning alerts."

    The alert list page is not changed and can be filtered by branch. You can use the code scanning API to retrieve more detailed branch information for alerts. For more information, see "Code Scanning" in the REST API documentation.

  • Code scanning now shows the details of the analysis origin of an alert. If an alert has more than one analysis origin, it is shown in the "Affected branches" sidebar and in the alert timeline. You can hover over the analysis origin icon in the "Affected branches" sidebar to see the alert status in each analysis origin. If an alert only has a single analysis origin, no information about analysis origins is displayed on the alert page. These improvements will make it easier to understand your alerts. In particular, it will help you understand those that have multiple analysis origins. This is especially useful for setups with multiple analysis configurations, such as monorepos. For more information, see "About code scanning alerts."

  • Lists of repositories owned by a user or organization now have an additional filter option, "Templates", making it easier to find template repositories.

  • GitHub Enterprise Server can display several common image formats, including PNG, JPG, GIF, PSD, and SVG, and provides several ways to compare differences between versions. Now when reviewing added or changed images in a pull request, previews of those images are shown by default. Previously, you would see a message indicating that binary files could not be shown and you would need to toggle the "Display rich diff" option. For more information, see "Working with non-code files."

  • New gists are now created with a default branch name of either main or the alternative default branch name defined in your user settings. This matches how other repositories are created on GitHub Enterprise Server. For more information, see "About branches" and "Managing the default branch name for your repositories."

  • Gists now only show the 30 most recent comments when first displayed. You can click Load earlier comments... to view more. This allows gists that have many comments to appear more quickly. For more information, see "Editing and sharing content with gists."

  • Settings pages for users, organizations, repositories, and teams have been redesigned, grouping similar settings pages into sections for improved information architecture and discoverability. For more information, see the GitHub changelog.

  • Focusing or hovering over a label now displays the label description in a tooltip.

  • Creating and removing repository invitations, whether done through the API or web interface, are now subject to rate limits that may be enabled on your GitHub Enterprise Server instance. For more information about rate limits, see "Configuring rate limits."

  • MinIO has announced the removal of the MinIO Gateways starting June 1st, 2022. While MinIO Gateway for NAS continues to be one of the supported storage providers for GitHub Actions and GitHub Packages, we recommend moving to MinIO LTS support to receive support and bug fixes from MinIO. For more information, see "Scheduled removal of MinIO Gateway for GCS, Azure, HDFS in the minio/minio repository."

    Known issues

  • On a freshly set up GitHub Enterprise Server instance without any users, an attacker could create the first admin user.

  • Custom firewall rules are removed during the upgrade process.

  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.

  • Issues cannot be closed if they contain a permalink to a blob in the same repository, where the blob's file path is longer than 255 characters.

  • When "Users can search" is enabled with GitHub Connect, issues in private and internal repositories are not included in search results.

  • The GitHub Packages npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.

  • Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.

  • Actions services need to be restarted after restoring an appliance from a backup taken on a different host.