Enterprise Server 3.7 release notes

On an instance with GitHub Actions enabled, nested calls to reusable workflows within a reusable workflow job with a matrix correctly evaluate contexts within expressions, like strategy: ${{ inputs.strategies }}.

On an instance in a high availability configuration, a git push operation could fail if GitHub Enterprise Server was simultaneously creating the repository on a replica node.

In the Management Console's monitor dashboard, the Cached Requests and Served Requests graphs, which are retrieved by the git fetch catching command, did not display metrics for the instance.

After a site administrator exempted the @github-actions[bot] user from rate limiting by using the ghe-config app.github.rate-limiting-exempt-users "github-actions[bot]" command, running ghe-config-check caused a Validation is-valid-characterset failed warning to appear.

GitHub Actions (actions) and Microsoft SQL (mssql) did not appear in the list of processes within the instances monitor dashboard.

In some cases, graphs on the Management Console's monitor dashboard failed to render.

On an instance in a high availability configuration, if an administrator tore down replication from a replica node using ghe-repl-teardown immediately after running ghe-repl-setup, but before ghe-repl-start, an error indicated that the script cannot launch /usr/local/bin/ghe-single-config-apply - run is locked. ghe-repl-teardown now displays an informational alert and continues the teardown.

After an administrator used the /setup/api/start REST API endpoint to upload a license, the configuration run failed with a Connection refused error during the migrations phase.

On an instance in a cluster configuration, when a site administrator set maintenance mode using ghe-maintenance -s, a Permission denied error appeared when the utility tried to access /data/user/common/cluster.conf.

During configuration of high availability, if a site administrator interrupted the ghe-repl-start utility, the utility erroneously reported that replication was configured, and the instance would not perform expected clean-up operations.

On instances configured to use the private beta of SCIM for GitHub Enterprise Server, users' authentication with SSH keys and personal access tokens failed due to an erroneous requirement for authorization.

After a user imported a repository with push protection enabled, the repository was not immediately visible in the security overview's "Security Coverage" view.

Responses from the /repositories REST API endpoint erroneously included deleted repositories.

When a site administrator used ghe-migrator to migrate data to GitHub Enterprise Server, in some cases, nested team relationships would not persist after teams were imported.

If a repository contained a CODEOWNERS file with check annotations, pull requests "Files changed" tab returned a 500 error and displayed "Oops, something went wrong" in the "Unchanged files with check annotations" section.

On an instance with GitHub Actions enabled, if a user manually triggered a workflow using the REST API but did not specify values for optional booleans, the API failed to validate the request and returned a 422 error.

The CSV reports for all users and all active users, available from the site admin dashboard, did not consider recent access using SSH or personal access tokens.

In some cases on an instance with multiple nodes, GitHub Enterprise Server erroneously stopped writing to replica fileservers, causing repository data to fall out of sync.

GitHub Enterprise Server published distribution metrics that cannot be processed by collectd. The metrics included pre_receive.lfsintegrity.dist.referenced_oids, pre_receive.lfsintegrity.dist.unknown_oids, and git.hooks.runtime.

On an instance with a GitHub Advanced Security license, if code scanning had been used while running GitHub Enterprise Server 3.4 or earlier, a subsequent upgrade from 3.5 to 3.6 or 3.7 could fail when attempting to add a unique index to a database table.

When the dependency submission API received a submission with one or more dependencies without a version, the dependency graph will now correctly report this fact.

To avoid a failure during a configuration run on a cluster, validation of cluster.conf with the ghe-cluster-config-check utility ensures that the consul-datacenter field for each nodes matches the top-level primary-datacenter field.

On an instance in a cluster configuration, when a site administrator sets maintenance mode on a single cluster node using ghe-maintenance -s, the utility warns the administrator to use ghe-cluster-maintenance -s to set maintenance mode on all of the clusters nodes. For more information, see "Enabling and scheduling maintenance mode."

When a site administrator configures an outbound web proxy server for GitHub Enterprise Server, the instance now validates top-level domains (TLDs) excluded from the proxy configuration. By default, you can exclude public TLDs that the IANA specifies. Site administrators can specify a list of unregistered TLDs to exclude using ghe-config. The . prefix is required for any public TLDs. For example, .example.com is valid, but example.com is invalid. For more information, see "Configuring an outbound web proxy server."

To avoid intermittent issues with the success of Git operations on an instance with multiple nodes, GitHub Enterprise Server checks the status of the MySQL container before attempting a SQL query. The timeout duration has also been reduced.

The default path for output from ghe-saml-mapping-csv -d is /data/user/tmp instead of /tmp. For more information, see "Command-line utilities."

"HIGH: A path traversal vulnerability was identified in GitHub Enterprise Server that allowed remote code execution when building a GitHub Pages site. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the GitHub Enterprise Server instance. This vulnerability was reported via the GitHub Bug Bounty Program and has been assigned CVE-2023-23760.

When viewing a list of open sessions for the devices logged into a user account, the GitHub Enterprise Server web UI could display an incorrect location.

In the rare case when primary shards for Elasticsearch were located on a replica node, the ghe-repl-stop command would fail with ERROR: Running migrations.

HIGH: Updated Git to include fixes from 2.39.2, which address CVE-2023-22490 and CVE-2023-23946.

HIGH: A path traversal vulnerability was identified in GitHub Enterprise Server that allowed arbitrary file reading when building a GitHub Pages site. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the instance. This vulnerability was reported via the GitHub Bug Bounty Program and has been assigned CVE-2023-22380.

Packages have been updated to the latest security versions.

When using a VPC endpoint URL as an AWS S3 URL for GitHub Packages, publication and installation of packages failed.

For instances with both GitHub Connect and automatic access to GitHub.com actions enabled, Dependabot would fail to update actions hosted on GitHub.com.

The CSV file containing details about GitHub Advanced Security contributors could not be downloaded if the instance did not have a GitHub Advanced Security license.

Collectd logs could grow rapidly in size due to the inclusion of kredz.* metrics, which can't be parsed by StatsD and resulted in error messages.

On an instance with a GitHub Advanced Security license, if code scanning had been used while running GitHub Enterprise Server 3.4 or earlier, a subsequent upgrade from 3.5 to 3.6 or 3.7 could fail when attempting to add a unique index to a database table.

After the Dependency submission REST API receives a submission with one or more dependencies without a version, the dependency graph will now correctly report this fact.

MEDIUM: A code injection vulnerability was identified in GitHub Enterprise Server that allowed setting arbitrary environment variables from a single environment variable value in GitHub Actions when using a Windows based runner due to improper sanitization of null bytes. To exploit this vulnerability, an attacker would need existing permission to control the value of environment variables for use with GitHub Actions. This vulnerability was reported via the GitHub Bug Bounty Program and has been assigned CVE-2023-22381.

Packages have been updated to the latest security versions.

After a site administrator adjusted the cutoff date for allowing SSH connections with RSA keys using ghe-config app.gitauth.rsa-sha1, the instance would still disallow connections with RSA keys if the connection attempt was signed by the SHA-1 hash function.

During the validation phase of a configuration run, a No such object error may have occurred for the Notebook and Viewscreen services.

After disabling Dependabot updates, the avatar for Dependabot was displayed as the @ghost user in the Dependabot alert timeline.

In some cases, users could experience a 500 error when viewing the Code security & analysis settings page for an instance with a very high number of active committers.

Some links to contact GitHub Support or view the GitHub Enterprise Server release notes were incorrect.

The additional committers count for GitHub Advanced Security always showed 0.

In some cases, users were unable to convert existing issues to discussions. If an issue is stuck while being converted to a discussion, enterprise owners can review the "Known issues" section below for more information.

HIGH: Updated Git to include fixes from 2.39.1, which address CVE-2022-41903 and CVE-2022-23521.

Sanitize additional secrets in support bundles and the configuration log.

Dependencies for the CodeQL action have been updated to the latest security versions.

Packages have been updated to the latest security versions.

Some services incorrectly connected directly to kafka-lite instead of through its internal proxy. In a cluster environment where web services and job services execute on separate nodes, messages generated from the Insights job service werent delivered to kafka-lite.

The metrics Active workers and Queued requests for github (renamed from metadata), gitauth, and unicorn container services werent correctly read from collectd and displayed in the Management Console.

Dependabot Alert emails would be sent to disabled repositories.

Data migrations could fail when the underlying database table contained only a single record.

Sorting and filtering the list of custom patterns for secret scanning at the organization level did not work correctly.

After upgrading to GitHub Enterprise Server 3.7, viewing the security settings page for an organization or repository could result in a 500 error due to a GitHub Advanced Security backfill job not completing before the upgrade started.

The git-janitorcommand was unable to fix outdated multi-pack-index.lock files, resulting in the repository failing maintenance.

Dropped launch.* metrics that can't be parsed by statsd, as the resulting statsd errors caused collectd logs to grow rapidly in size.

When updating custom patterns, the pattern state was immediately set to published.

Improved the reliability of the real time updates service (Alive) to make it more resilient against network issues with Redis.

The ghe-support-bundle and ghe-cluster-support-bundle commands were updated to include the -p/--period flag to generate a time constrained support bundle. The duration can be specified in days and hours, for example: -p '2 hours', -p '1 day', -p '2 days 5 hours'.

When upgrading an instance with a new root partition, running the ghe-upgrade command with the -t/--target option ensures the preflight check for the minimum disk storage size is executed against the target partition.

The performance of configuration runs started with ghe-config-apply has been improved.

When exporting account data, backing up a repository, or performing a migration, the link to a repository archive now expires after 1 hour. Previously the archive link expired after 5 minutes.

On a freshly set up GitHub Enterprise Server instance without any users, an attacker could create the first admin user.

Custom firewall rules are removed during the upgrade process.

When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

The GitHub Packages npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.

Actions services need to be restarted after restoring an instance from a backup taken on a different host.

In a repository's settings, enabling the option to allow users with read access to create discussions does not enable this functionality.

In some cases, users cannot convert existing issues to discussions.

During the validation phase of a configuration run, a No such object error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start.

Following an upgrade to GitHub Enterprise Server 3.6 or later, existing inconsistencies in a repository such as broken refs or missing objects, may now be reported as errors like invalid sha1 pointer 0000000000000000000000000000000000000000, Zero-length loose reference file, or Zero-length loose object file. Previously, these indicators of repository corruption may have been silently ignored. GitHub Enterprise Server now uses an updated Git version with more diligent error reporting enabled. For more information, see this upstream commit in the Git project.

If you suspect a problem like this exists in one of your repositories, contact GitHub Enterprise Support for assistance.

Instances experiencing a high sustained number of concurrent Git requests may experience performance issues. If you suspect that this issue is affecting your instance, contact GitHub Support. For more information, see "Creating a support ticket." [Updated: 2022-12-07]

On instances in a high availability configuration, git push operations may fail in the following situations. [Updated: 2023-03-17]

• During creation of the repository on a replica node
• After failure to create the repository on a replica node, before automatic repair of the repository

On instances in a high availability configuration, site administrators should only run the ghe-repl-start and ghe-repl-stop commands while the instance is in maintenance mode. For more information, see "Enabling and scheduling maintenance mode" and "About high availability configuration." [Updated: 2023-03-17]

HIGH: A path traversal vulnerability was identified in GitHub Enterprise Server that allowed remote code execution when building a GitHub Pages site. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the instance. This vulnerability was reported via the GitHub Bug Bounty Program and has been assigned CVE-2022-46256.

A race condition blocked upgrades to GitHub Enterprise Server 3.6 or later until a site administrator retried the upgrade.

When a site administrator ran the ghe-repl-status command on a cache replica via the administrative shell (SSH), the command incorrectly reported overall Git and Alambic cluster replication status information as if it pertained only to cache replication.

When a site administrator ran the ghe-repl-sync-ca-certificates command from an instances primary node via the administrative shell (SSH), the command only replicated CA certificates from the instances primary node to a single replica node. The command did not replicate the certificates to all available replica nodes.

In a high availability configuration, after promotion of a replica to be the primary node, a site administrator could not force replication to stop on a secondary replica node using the ghe-repl-stop -f command.

When using repository caching with an instance in a high availability configuration, if a Git client used SSH instead of HTTPS for a repositorys remote URL, Git LFS would fetch objects from the instances primary node instead of the appropriate cache replica node.

Installation of GitHub Enterprise Server on the VMware ESXi hypervisor failed due to the generation of an OVA file with an invalid capacity value.

When users performed an operation using the API, GitHub Enterprise Server enforced repository size quotas even when disabled globally.

In some cases, searches via the API returned a 500 error.

Adding a collaborator to a user-owned fork of a private, organization-owned repository with triage, maintain, or custom access resulted in a 500 error.

In some cases, the page for setting up code scanning would erroneously report that GitHub Actions was not configured for the instance.

Dismissing a Dependabot alert that contained certain characters could result in a 400 error.

After a user's account was deleted from the instance, image attachments that the user uploaded in comments were no longer visible in the web interface.

On an instance that uses SAML for authentication, the Configure SSO dropdown menu appeared erroneously for personal access tokens and SSH keys.

An upgrade from GitHub Enterprise Server 3.5 to 3.7 could fail because the instance had not yet purged deleted repositories.

In a high availability or repository caching configuration, Unicorn services on nodes other than the primary node were unable to send log events to the primary node.

Fixes a bug in which a GHES log file could get filled very quickly and cause the root drive to run out of free space.

When viewing code scanning results for Ruby, an erroneous beta label appeared.

After an enterprise owner enables Dependabot alerts, GitHub Enterprise Server enqueues the synchronization of advisory data to ensure hourly updates from GitHub.com.

A user's list of recently accessed repositories no longer includes deleted repositories.

For participants in the private beta of SCIM for GitHub Enterprise Server, custom mappings for SAML user attributes are now supported. Custom mappings allow the use of a value other than NameID as the unique identifying claim during SAML authentication. For more information, see "Configuring user provisioning with SCIM for your enterprise." [Updated: 2023-02-27]

On a freshly set up GitHub Enterprise Server instance without any users, an attacker could create the first admin user.

Custom firewall rules are removed during the upgrade process.

When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

The GitHub Packages npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.

Actions services need to be restarted after restoring an instance from a backup taken on a different host.

In a repository's settings, enabling the option to allow users with read access to create discussions does not enable this functionality.

In some cases, users cannot convert existing issues to discussions.

During the validation phase of a configuration run, a No such object error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start.

Following an upgrade to GitHub Enterprise Server 3.6 or later, existing inconsistencies in a repository such as broken refs or missing objects, may now be reported as errors like invalid sha1 pointer 0000000000000000000000000000000000000000, Zero-length loose reference file, or Zero-length loose object file. Previously, these indicators of repository corruption may have been silently ignored. GitHub Enterprise Server now uses an updated Git version with more diligent error reporting enabled. For more information, see this upstream commit in the Git project.

If you suspect a problem like this exists in one of your repositories, contact GitHub Enterprise Support for assistance.

Instances experiencing a high sustained number of concurrent Git requests may experience performance issues. If you suspect that this issue is affecting your instance, contact GitHub Support. For more information, see "Creating a support ticket." [Updated: 2022-12-07]

When validating domain settings on an instance with TLS and subdomain isolation enabled, the Management Console does not display GitHub Enterprise Server 3.7's two new subdomains, http(s)://notebooks.HOSTNAME and http(s)://viewscreen.HOSTNAME, in the list of domains. [Updated: 2023-01-12]

For participants in the private beta of SCIM for GitHub Enterprise Server, authentication for requests to resources other than the REST API using a personal access token or SSH key may not succeed. A fix will be available in a forthcoming release of GitHub Enterprise Server. [Updated: 2023-02-27]

On instances in a high availability configuration, git push operations may fail in the following situations. [Updated: 2023-03-17]

• During creation of the repository on a replica node
• After failure to create the repository on a replica node, before automatic repair of the repository

On instances in a high availability configuration, site administrators should only run the ghe-repl-start and ghe-repl-stop commands while the instance is in maintenance mode. For more information, see "Enabling and scheduling maintenance mode" and "About high availability configuration." [Updated: 2023-03-17]

HIGH: An improper neutralization of argument delimiters in a command vulnerability was identified in GitHub Enterprise Server that enabled remote code execution. To exploit this vulnerability, an attacker would need permission to create and build GitHub Pages using GitHub Actions. This bug was originally reported via GitHub's Bug Bounty program and assigned CVE-2022-23740. [Updated: 2022-12-02]

HIGH: A check was added within Pages to ensure the working directory is clean before unpacking new content to prevent an arbitrary file overwrite bug. This vulnerability has been assigned CVE-2022-46255.

MEDIUM: Updated CommonMarker to address a scenario where parallel requests to the Markdown REST API could result in unbounded resource exhaustion. This vulnerability has been assigned CVE-2022-39209.

MEDIUM: Scoped user-to-server tokens from GitHub Apps could bypass authorization checks in GraphQL API requests when accessing non-repository resources. This vulnerability was reported via the GitHub Bug Bounty Program and has been assigned CVE-2022-23739.

MEDIUM: Pull request preview links did not properly sanitize URLs, allowing a malicious user to embed dangerous links in the instances web UI. This vulnerability was reported via the GitHub Bug Bounty program.

If a GitHub Actions dependency uses a pinned SHA version, Dependabot will no longer mark the dependency as vulnerable.

Running the ghe-spokesctl command returned a failed to get repo metrics error.

Setting the maintenance mode with an IP Exception List would not persist across upgrades.

GitHub Pages builds could time out on instances in AWS that are configured for high availability.

Status details for the replication of Git LFS objects to repository cache replica nodes were not visible in the ghe-repl-status output on those nodes.

The audit log timestamp for Dependabot alert events returned the creation date of the alert instead of the timestamp when a user took action on the alert.

When accessing an instances JavaScript resources from behind a proxy, the browser displayed Cross-Origin Resource Sharing (CORS) errors.

If a user named a status check with leading or trailing spaces, the instance created a duplicate check if another check existed with the same name and no leading or trailing spaces.

If a user configured a pre-receive hook for multiple repositories, the instances Hooks page would not always display the correct status for the hook.

In some cases, an instance could replace an active repository with a deleted repository.

Git LFS objects in a repository with a cache replication policy would not be copied to cache replicas if the total number of objects in the repository exceeded 5,000.

After running migrations for the GitHub Enterprise Importer on an instance configured for high availability, replication of migration storage assets would not catch up.

Zombie processes no longer accumulate in the gitrpcd container.

On an instance with GitHub Packages configured, package upload and installation could fail for customers using a VPC endpoint URL for AWS S3 blob storage.

In some cases, after upgrading to GitHub Enterprise Server 3.7.0, users may encounter Internal Server Error or 500 errors when initiating Git operations over SSH or HTTPS.

If a site administrator has not yet configured GitHub Actions for the instance, the UI for setting up code scanning will prompt the user to configure GitHub Actions.

To avoid failing domain verification due to the 63-character limit enforced by DNS providers for DNS records, the GitHub-generated TXT record to verify domain ownership is now limited to 63 characters.

On a freshly set up GitHub Enterprise Server instance without any users, an attacker could create the first admin user.

Custom firewall rules are removed during the upgrade process.

When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

The GitHub Packages npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.

Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.

Actions services need to be restarted after restoring an instance from a backup taken on a different host.

In a repository's settings, enabling the option to allow users with read access to create discussions does not enable this functionality.

In some cases, users cannot convert existing issues to discussions.

During the validation phase of a configuration run, a No such object error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start.

Following an upgrade to GitHub Enterprise Server 3.6 or later, existing inconsistencies in a repository such as broken refs or missing objects, may now be reported as errors like invalid sha1 pointer 0000000000000000000000000000000000000000, Zero-length loose reference file, or Zero-length loose object file. Previously, these indicators of repository corruption may have been silently ignored. GitHub Enterprise Server now uses an updated Git version with more diligent error reporting enabled. For more information, see this upstream commit in the Git project.

If you suspect a problem like this exists in one of your repositories, contact GitHub Enterprise Support for assistance.

Instances experiencing a high sustained number of concurrent Git requests may experience performance issues. If you suspect that this issue is affecting your instance, contact GitHub Support. For more information, see "Creating a support ticket." [Updated: 2022-12-07]

When validating domain settings on an instance with TLS and subdomain isolation enabled, the Management Console does not display GitHub Enterprise Server 3.7's two new subdomains, http(s)://notebooks.HOSTNAME and http(s)://viewscreen.HOSTNAME, in the list of domains. [Updated: 2023-01-12]

On instances in a high availability configuration, git push operations may fail in the following situations. [Updated: 2023-03-17]

• During creation of the repository on a replica node
• After failure to create the repository on a replica node, before automatic repair of the repository

On instances in a high availability configuration, site administrators should only run the ghe-repl-start and ghe-repl-stop commands while the instance is in maintenance mode. For more information, see "Enabling and scheduling maintenance mode" and "About high availability configuration." [Updated: 2023-03-17]

To increase the security of the Management Console, site administrators can configure the rate limit for sign-in attempts, as well as the lockout duration after exceeding the rate limit. For more information, see "Configuring rate limits."

The minimum password requirements for the Management Console are more stringent.

Attempts to authenticate to the Management Console and changes made by a site administrator within the Management Console are written to a log file in /var/log/enterprise-manage/audit.log.

Azure Maps replaces MapBox for rendering GeoJSON files as graphical maps. Administrators can enable map rendering and provide an Azure Maps token in the Management Console. For more information, see "Administering your instance from the Management Console."

Users can verify commits using an SSH public key. For more information, see "About commit signature verification."

Site administrators can provision users and groups on a GitHub Enterprise Server instance automatically with SCIM. SCIM for GitHub Enterprise Server is in private beta and subject to change. For more information, see "Configuring user provisioning with SCIM for your enterprise" and "SCIM" in the REST API documentation.

Users on an instance with a GitHub Advanced Security license can view and comment on code scanning alerts in their repository within a pull request's Conversation tab. If the Require conversation resolution before merging branch protection rule is enabled for the repository, all comments on these code scanning alerts must be resolved before a user merges the pull request. For more information, see "About code scanning," "About pull request reviews," and "About protected branches."

To simplify the rollout of secret scanning for instances with dozens, hundreds, or even thousands of organizations, enterprise owners on an instance with a GitHub Advanced Security license can enable secret scanning and push protection for the instance using the web interface. For more information, see "Managing GitHub Advanced Security features for your enterprise."

Organization owners on an instance with a GitHub Advanced Security license can perform a dry run of custom patterns for secret scanning for all repositories within an organization. For more information, see "Defining custom patterns for secret scanning."

If a site administrator has enabled email notifications for an instance with a GitHub Advanced Security license, users who watch a repository's secret scanning alerts will receive an email notification when a contributor bypasses a secret blocked by push protection. Previously, notifications were not sent if the secret was marked as a false positive or used in tests. For more information, see "Protecting pushes with secret scanning" and "Configuring email for notifications."

To ease the management of dozens or hundreds of custom patterns for secret scanning, users, organization owners, or enterprise owners on an instance with a GitHub Advanced Security license can sort and filter the list of patterns for a repository, organization, or the entire instance. For more information, see "Defining custom patterns for secret scanning."

Users on an instance with a GitHub Advanced Security license who protect pushes with secret scanning can specify a custom link that will display in the error message when push protection detects and blocks a potential secret. For more information, see "Protecting pushes with secret scanning."

Users can publish CodeQL packs to the Container registry. For more information, see Creating and working with CodeQL packs in the CodeQL CLI documentation.

Users on an instance with a GitHub Advanced Security license can use CodeQL packs with code scanning, including packs that are published to the instance's GitHub Container registry. For more information, see "Configuring code scanning" and Publishing and using CodeQL packs" in the CodeQL CLI documentation.

Users on an instance with a GitHub Advanced Security license can exclude unnecessary CodeQL queries for code scanning by using query filters. For more information, see "Configuring code scanning."

Enterprise owners on an instance with a GitHub Advanced Security license can retrieve code scanning results for the entire instance using the REST API. The new endpoint supplements the existing endpoints for repositories and organizations. For more information, see "Code Scanning" in the REST API documentation.

Organization owners on an instance with a GitHub Advanced Security license can retrieve the enablement status or configure the automatic enablement of the following features using the REST API.

• GitHub Advanced Security
• Secret scanning
• Push protection

For more information, see "Organizations" in the REST API documentation.

Users on an instance with a GitHub Advanced Security license can use cursors to paginate secret scanning alert results retrieved with the REST API's organization and repository endpoints. For more information, see "Secret scanning" in the REST API documentation.

The security overview for the instance includes information about Dependabot. For more information, see "Viewing the security overview."

Users can see more information about the activity associated with a Dependabot alert. Within the details for a Dependabot alert, users can see a timeline of events, such as when the alert was opened, fixed, or reopened. Events will also show additional metadata when available, like relevant pull requests. For more information, see "About Dependabot alerts."

Users' Dependabot alerts are sorted by importance by default. Importance considers CVSS as the primary factor, as well as potential risk, relevancy, and ease of fixing the vulnerability. The calculation will improve over time.

Users can sort Dependabot alerts by the scope of the dependency, either runtime or development.

Users can optionally add a comment when dismissing a Dependabot alert. Dismissal comments appear in the event timeline and within the dismissComment field in the GraphQL API's RepositoryVulnerabilityAlert object. For more information about the GraphQL API, see "Objects" in the GraphQL API documentation.

Users can select multiple Dependabot alerts, then dismiss or reopen the alerts. For example, from the Closed alerts tab, you can select multiple alerts that have been previously dismissed, and then reopen them all at once.

Organization owners on an instance can retrieve the enablement status or configure the automatic enablement of the following features for dependency management using the REST API.

• Dependency graph
• Dependabot alerts
• Dependabot security updates

For more information, see "Organizations" in the REST API documentation.

Enterprise owners, organization owners, and security managers can access a centralized view of risk across the entire instance. The view also includes an alert-centric view of all code scanning, secret scanning, and Dependabot alerts. Enterprise owners can view alerts for organizations that they are owners of. Organization owners and security managers can view repositories and alerts for the organizations that they have full access to. For more information, see "About the security overview."

Organization owners can manage teams of security managers using the REST API. For more information, see "Security Managers" in the REST API documentation.

Users can take advantage of the following improvements to the GitHub Advisory Database.

• The database displays advisories for for Elixir, Erlang's Hex package manager, and more.
• Users can find malware advisories by searching for type:malware.
• The database displays advisories for GitHub Actions vulnerabilities.

For more information, see "Browsing security advisories in the GitHub Advisory Database."

Users can populate a repository's dependency graph by submitting the dependencies for the repository using the REST API. The dependency graph powers Dependabot alerts and Dependabot security updates. For more information, see "Using the Dependency submission API."

GitHub Actions supports Google Cloud Storage as a storage provider for logs, artifacts, and caches. For more information, see "Enabling GitHub Actions with Google Cloud Storage."

GitHub Actions users who use dependency caching to speed up workflows can now use the GitHub CLI to manage the GitHub Actions cache for a repository. To manage caches using the GitHub CLI, install the gh-actions-cache extension. For more information, see the gh-actions-cache documentation.

Workflow re-runs in GitHub Actions use the actor who initially triggered the workflow for privilege evaluation. The actor who triggered the re-run will continue to be displayed in the UI, and can be accessed in a workflow via the triggering_actor field in the github context. For more information, see "Re-running workflows and jobs" and "Contexts."

Users can call reusable workflows from a matrix or other reusable workflows. For more information, see "Reusing workflows."

When querying GitHub Actions for artifacts, the REST API returns information about the run and branch that produced the artifact. For more information, see "GitHub Actions Artifacts" in the REST API documentation.

To support secure cloud deployments at scale, organization owners and repository administrators can complete the following tasks with the OpenID Connect REST API. For more information, see "GitHub Actions OIDC" in the REST API documentation

• Enable a standard OpenID Connect configuration across cloud deployment workflows by customizing the subject claim format.
• Ensure additional compliance and security for OpenID Connect deployments by appending the issuer URL with the enterprise's slug.
• Configure advanced OpenID Connect policies by using additional OpenID Connect token claims like repository_id and repo_visibility.

For more information, see "About security hardening with OpenID Connect."

GitHub Actions users who use dependency caching to speed up workflows can now use the GitHub Actions Cache REST API to accomplish the following tasks.

• List all caches within a repository and sort by metadata.
• Delete a corrupt or stale cache entry. For more information, see "Caching dependencies to speed up workflows" and "GitHub Actions Cache" in the REST API documentation.

If a non-ephemeral self-hosted GitHub Actions runner does not communicate with the GitHub Enterprise Server instance for more than 14 days, the instance will automatically remove the runner. If an ephemeral self-hosted runner does not communicate with the instance for more than one day, the instance will automatically remove the runner. Previously, GitHub Enterprise Server removed runners after 30 days. For more information, see "About self-hosted runners."

GitHub Actions can run self-hosted macOS workflows in a macOS ARM64 runtime with runner support for Apple silicon, such as the M1 or M2 chip. For more information, see "Using self-hosted runners in a workflow."

Users can deploy a GitHub Pages site directly from a repository using GitHub Actions, without configuration of a publishing source. Using GitHub Actions provides control over the authoring framework and version, as well as more control over the publishing process with features like deployment gates. For more information, see "Configuring a publishing source for your GitHub Pages site."

Enterprise owners can prevent users from creating repositories owned by their user accounts. For more information, see "Enforcing repository management policies in your enterprise."

Enterprise owners can control where users can fork repositories. Forking can be limited to preset combinations of organizations, the same organization as the parent repository, user accounts, or everywhere. For more information, see "Enforcing repository management policies in your enterprise."

Repository administrators can block potentially destructive pushes by limiting the number of branches and tags that can be updated by a single push. By default, there is no limit to the number of branches and tags that can be updated in a single push. For more information, see "Managing the push policy for your repository."

Users can further customize the default commit message when squash-merging a pull request. For more information, see "Configuring commit merging for pull requests" and "Configuring commit squashing for pull requests."

Users can create a branch from a repository's Branches overview page by clicking the New branch button. For more information, see "Creating and deleting branches within your repository."

When a user renames or moves a file to a new directory, if at least half of the file's contents are identical, the commit history indicates that the file was renamed, similar to git log --follow. For more information, see the GitHub Blog. [Updated: 2023-02-10]

Improvements have been made to the creation and management of forks.

• When forking a repository, users can choose to only include the repository's default branch in the fork.
• Users can use a repository's' Fork button to see existing forks of the repository.
• The Fetch upstream button has been renamed to Sync fork to better describe the button's behavior. If the sync causes a conflict, the web UI prompts the user to contribute changes to the parent repository, discard changes, or resolve the conflict.
• To address situations where people work within one organization and don't want to fork a repository to a different organization or user account, users can fork a repository to the same organization as the parent repository.
• Users can fork an internal repository to another organization and the fork will retain internal visibility. When forking an internal repository, users can choose which organization should own the fork.

For more information, see "Fork a repo."

Repository administrators can block the creation of branches that match a configured name pattern with the Restrict pushes that create matching branches branch protection rule. For example, if a repository's default branch changes from master to main, a repository administrator can prevent any subsequent creation or push of the master branch. For more information, see "About protected branches" and "Managing a branch protection rule."

Users can create files with geoJSON, topoJSON, and STL diagrams and render the diagrams in the web interface. For more information, see "Working with non-code files."

Users can create autolink references using either alphanumeric or numeric identifiers. For more information, see "Configuring autolinks to reference external resources autolinks."

Users can customize exclusions in the file finder like vendor/ and build/ by using linguist attributes in a .gitattributes file. For more information, see "Finding files on GitHub" and "Customizing how changed files appear on GitHub."

Users can browse the files modified in an individual commit using the tree view. For more information, see "About commits."

Users can manually link existing branches or pull requests to an issue from the "Development" section in the issue's sidebar. For more information, see "Linking a pull request to an issue."

Users can use Mermaid syntax when writing Markdown, which displays a diagram when rendering the Markdown. For more information, see "Creating diagrams."

Users can write mathematical expressions using fenced code blocks with the math syntax in addition to the existing delimiters. $$ is not required with this method. For more information, see "Writing mathematical expressions."

• Note: This feature is unavailable in GitHub Enterprise Server 3.7. The feature will be available in an upcoming release. [Updated: 2022-11-16]

Users can render maps directly in Markdown using fenced code blocks with the geojson or topojson syntax, and embed STL 3D renders using stl syntax. For more information, see "Creating diagrams."

In Markdown, users can write LaTeX-style syntax to render math expressions inline using $ delimiters, or in blocks using $$ delimiters. For more information, see "Writing mathematical expressions."

To improve stability, the service for rendering GeoJSON, Jupyter Notebook, PDF, PSD, SVG, SolidWorks, and other binary formats has been replaced.

If TLS and subdomain isolation are configured for your instance and your certificate is not a wildcard certificate, you must generate a new certificate that includes the additional subdomains for these services, notebooks.HOSTNAME and viewscreen.HOSTNAME. For more information, see "Enabling subdomain isolation." [Updated: 2022-12-02]

Secret scanning no longer supports custom patterns that use .* as an end delimiter in the "After secret" field, as the pattern syntax would cause scan problems and inconsistencies.

When creating a new release, users can now submit the form using Ctrl + Enter in macOS, or Ctrl + Enter in Windows or Linux.

The Wiki tab in a repository only appears when a wiki exists. Previously, the tab always appeared.

Rendered wikis display mathematical expressions and Mermaid diagrams.

The size of the search field for user, organization, and enterprise audit logs has increased.

On a freshly set up GitHub Enterprise Server instance without any users, an attacker could create the first admin user.

Custom firewall rules are removed during the upgrade process.

When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

The GitHub Packages npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.

Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.

Actions services need to be restarted after restoring an instance from a backup taken on a different host.

In a repository's settings, enabling the option to allow users with read access to create discussions does not enable this functionality.

In some cases, users cannot convert existing issues to discussions.

During the validation phase of a configuration run, a No such object error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start.

In some cases after upgrading to GitHub Enterprise Server 3.7.0, users may encounter Internal Server Error or 500 errors when initiating git operations over SSH or HTTPS. Example:

git push origin master
Total 0 (delta 0), reused 0 (delta 0)
remote: Internal Server Error
To ghes.hostname.com:User/repo.git
! [remote rejected]       master -> master (Internal Server Error)

If these are encountered, please contact GitHub Enterprise Support with a support bundle. The known temporary workaround at this time is to restart the github-gitauth service with the commands below:

nomad stop github-gitauth
nomad run /etc/nomad-jobs/github/gitauth.hcl
nomad status github-gitauth

We are currently investigating a permanent fix for a future hot patch [Updated: 2022-11-24].

Instances experiencing a high sustained number of concurrent Git requests may experience performance issues. If you suspect that this issue is affecting your instance, contact GitHub Support. For more information, see "Creating a support ticket." [Updated: 2022-12-07]

When validating domain settings on an instance with TLS and subdomain isolation enabled, the Management Console does not display GitHub Enterprise Server 3.7's two new subdomains, http(s)://notebooks.HOSTNAME and http(s)://viewscreen.HOSTNAME, in the list of domains. [Updated: 2023-01-12]

On instances in a high availability configuration, git push operations may fail in the following situations. [Updated: 2023-03-17]

• During creation of the repository on a replica node
• After failure to create the repository on a replica node, before automatic repair of the repository

On instances in a high availability configuration, site administrators should only run the ghe-repl-start and ghe-repl-stop commands while the instance is in maintenance mode. For more information, see "Enabling and scheduling maintenance mode" and "About high availability configuration." [Updated: 2023-03-17]