You can now find all code scanning alerts associated with your pull request with the new pull request filter on the code scanning alerts page. The pull request checks page shows the alerts introduced in a pull request, but not existing alerts on the pull request branch. The new "View all branch alerts" link on the Checks page takes you to the code scanning alerts page with the specific pull request filter already applied, so you can see all the alerts associated with your pull request. This can be useful to manage lots of alerts, and to see more detailed information for individual alerts. For more information, see "Managing code scanning alerts for your repository."
GitHub Advanced Security now offers an organization-level view of the application security risks detected by code scanning, Dependabot, and secret scanning. The security overview shows the enablement status of security features on each repository, as well as the number of alerts detected.
In addition, the security overview lists all secret scanning alerts at the organization level. Similar views for Dependabot and code scanning alerts are coming in future releases. For more information, see "About the security overview."
Dependency graph is now available on GitHub AE. The dependency graph helps you understand the open source software that you depend on by parsing the dependency manifests checked into repositories. For more information, see "About the dependency graph."
Dependabot alerts can now notify you of vulnerabilities in your dependencies on GitHub AE. You can enable Dependabot alerts by enabling the dependency graph, enabling GitHub Connect, and syncing vulnerabilities from the GitHub Advisory Database. This feature is in beta and subject to change. For more information, see "About alerts for vulnerable dependencies."
After you enable Dependabot alerts, members of your organization will receive notifications any time a new vulnerability that affects their dependencies is added to the GitHub Advisory Database or a vulnerable dependency is added to their manifest. Members can customize notification settings. For more information, see "Configuring notifications for vulnerable dependencies."
Organizations can now grant teams permission to manage security alerts and settings on all their repositories. The "security manager" role can be applied to any team and grants the team's members the following permissions.
Read access on all repositories in the organization
Write access on all security alerts in the organization
Access to the organization-level security tab
Write access on security settings at the organization level
Write access on security settings at the repository level
GitHub AE now supports ephemeral (single job) self-hosted runners and a new workflow_job webhook to make autoscaling runners easier.
Ephemeral runners are good for self-managed environments where each job is required to run on a clean image. After a job is run, GitHub AE automatically unregisteres ephemeral runners, allowing you to perform any post-job management.
You can combine ephemeral runners with the new workflow_job webhook to automatically scale self-hosted runners in response to job requests from GitHub Actions.
You can reduce duplication in your workflows by using composition to reference other actions. Previously, actions written in YAML could only use scripts. For more information, see "Creating a composite action."
Managing self-hosted runners at the enterprise level no longer requires using personal access tokens with the admin:enterprise scope. You can instead use the new manage_runners:enterprise scope to restrict the permissions on your tokens. Tokens with this scope can authenticate to many REST API endpoints to manage your enterprise's self-hosted runners.
You can now use the REST API to programmatically interface with the audit log. While audit log forwarding provides you with the ability to retain and analyze data with your own toolkit and determine patterns over time, the new REST API will help you perform limited analysis on events of note that have happened in recent history. For more information, see "Reviewing the audit log for your organization."
You can now set an expiration date on new and existing personal access tokens. GitHub AE will send you an email when it's time to renew a token that's about to expire. Tokens that have expired can be regenerated, giving you a duplicate token with the same properties as the original. When using a token with the GitHub AE API, you'll see a new header, GitHub-Authentication-Token-Expiration, indicating the token's expiration date. You can use this in scripts, for example to log a warning message as the expiration date approaches. For more information, see "Creating a personal access token" and "Getting started with the REST API."
New settings to manage code review assignment code review assignment help distribute a team's pull request review across the team members so reviews aren't the responsibility of just one or two team members.
Child team members: Limit assignment to only direct members of the team. Previously, team review requests could be assigned to direct members of the team or members of child teams.
Count existing requests: Continue with automatic assignment even if one or more members of the team are already requested. Previously, a team member who was already requested would be counted as one of the team's automatic review requests.
Team review request: Keep a team assigned to review even if one or more members is newly assigned.
You can now use footnote syntax in any Markdown field to reference relevant information without disrupting the flow of your prose. Footnotes are displayed as superscript links. Click a footnote to jump to the reference, displayed in a new section at the bottom of the document. For more information, see "Basic writing and formatting syntax."
You can now toggle between the source view and rendered Markdown view through the web UI by clicking the button to "Display the source diff" at the top of any Markdown file. Previously, you needed to use the blame view to link to specific line numbers in the source of a Markdown file.
You can now add images and videos to Markdown files in gists by pasting them into the Markdown body or selecting them from the dialog at the bottom of the Markdown file. For information about supported file types, see "Attaching files."
GitHub AE now automatically generates a table of contents for Wikis, based on headings.
The user impersonation process is improved. An impersonation session now requires a justification for the impersonation, actions are recorded in the audit log as being performed as an impersonated user, and the user who is impersonated will receive an email notification that they have been impersonated by an enterprise owner. For more information, see "Impersonating a user."
To mitigate insider man-in-the-middle attacks when using actions resolved through GitHub Connect to GitHub.com from GitHub AE, GitHub AE retires the actions namespace (OWNER/NAME) on use. Retiring the namespace prevents that namespace from being created in your enterprise, and ensures all workflows referencing the action will download it from GitHub.com. For more information, see "Enabling automatic access to GitHub.com actions using GitHub Connect."
The audit log now includes additional events for GitHub Actions. GitHub AE now records audit log entries for the following events.
A self-hosted runner is registered or removed.
A self-hosted runner is added to a runner group, or removed from a runner group.
A runner group is created or removed.
A workflow run is created or completed.
A workflow job is prepared. Importantly, this log includes the list of secrets that were provided to the runner.
Code scanning will now map alerts identified in on:push workflows to show up on pull requests, when possible. The alerts shown on the pull request are those identified by comparing the existing analysis of the head of the branch to the analysis for the target branch that you are merging against. Note that if the pull request's merge commit is not used, alerts can be less accurate when compared to the approach that uses on:pull_request triggers. For more information, see "About code scanning with CodeQL."
Some other CI/CD systems can exclusively be configured to trigger a pipeline when code is pushed to a branch, or even exclusively for every commit. Whenever such an analysis pipeline is triggered and results are uploaded to the SARIF API, code scanning will try to match the analysis results to an open pull request. If an open pull request is found, the results will be published as described above. For more information, see "Uploading a SARIF file to GitHub."
The timeline and Reviewers sidebar on the pull request page now indicate if a review request was automatically assigned to one or more team members because that team uses code review assignment.
You can now filter pull request searches to only include pull requests you are directly requested to review by choosing Awaiting review from you. For more information, see "Searching issues and pull requests."
If you specify the exact name of a branch when using the branch selector menu, the result now appears at the top of the list of matching branches. Previously, exact branch name matches could appear at the bottom of the list.
When viewing a branch that has a corresponding open pull request, GitHub AE now links directly to the pull request. Previously, there would be a prompt to contribute using branch comparison or to open a new pull request.
You can now click a button to copy the full raw contents of a file to the clipboard. Previously, you would need to open the raw file, select all, and then copy. To copy the contents of a file, navigate to the file and click in the toolbar. Note that this feature is currently only available in some browsers.
A warning is now displayed when viewing a file that contains bidirectional Unicode text. Bidirectional Unicode text can be interpreted or compiled differently than it appears in a user interface. For example, hidden bidirectional Unicode characters can be used to swap segments of text in a file. For more information about replacing these characters, see the GitHub Changelog.
GitHub AE now includes enhanced support for CITATION.cff files. CITATION.cff files are plain text files with human- and machine-readable citation information. GitHub AE parses this information into convenient formats such as APA and BibTeX that can be copied by others. For more information, see "About CITATION files."
Customers with active or trial subscriptions for GitHub AE can now provision GitHub AE resources from the Azure Portal. Your Azure subscription must be feature-flagged to access GitHub AE resources in the portal. Contact your account manager or GitHub's Sales team to validate your Azure subscription's eligibility. For more information, see "Setting up a trial of GitHub AE."
Self-hosted runners are the default type of runner system on GitHub AE, and are now generally available for GitHub Actions. With self-hosted runners, you can manage your own machines or containers for the execution of GitHub Actions jobs. For more information, see "About self-hosted runners" and "Adding self-hosted runners."
Environments, environment protection rules, and environment secrets are now generally available for GitHub Actions on GitHub AE. For more information, see "Environments."
GitHub Actions can now generate a visual graph of your workflow on every run. With workflow visualization, you can achieve the following.
View and understand complex workflows.
Track progress of workflows in real-time.
Troubleshoot runs quickly by easily accessing logs and jobs metadata.
Monitor progress of deployment jobs and easily access deployment targets.
GitHub Actions now lets you control the permissions granted to the GITHUB_TOKEN secret. The GITHUB_TOKEN is an automatically generated secret that lets you make authenticated calls to the API for GitHub AE in your workflow runs. GitHub Actions generates a new token for each job and expires the token when a job completes. The token has write permissions to a number of API endpoints except in the case of pull requests from forks, which are always read. These new settings allow you to follow a principle of least privilege in your workflows. For more information, see "Authentication in a workflow."
GitHub Actions now supports skipping push and pull_request workflows by looking for some common keywords in your commit message.
GitHub CLI 1.9 and later allows you to work with GitHub Actions in your terminal. For more information, see the GitHub Blog.
You can now specify your own patterns for secret scanning with the beta of custom patterns on GitHub AE. You can specify patterns for repositories, organizations, and your entire enterprise. When you specify a new pattern, secret scanning searches a repository's entire Git history for the pattern, as well as any new commits. For more information, see "Defining custom patterns for secret scanning."
GitHub Connect is now available in beta for GitHub AE. GitHub Connect brings the power of the world's largest open source community to your enterprise. You can allow users to view search results from GitHub.com on GitHub AE, show contribution counts from GitHub AE on GitHub.com, and use GitHub Actions from GitHub.com. For more information, see "Managing connections between your enterprise accounts."
You can now delete any package or package version for GitHub Packages from GitHub AE's web UI. You can also undo the deletion of any package or package version within 30 days. For more information, see "Deleting and restoring a package."
The npm registry for GitHub Packages and GitHub.com no longer returns a time value in metadata responses, providing substantial performance improvements. GitHub will continue returning the time value in the future.
Events for pull requests and pull request reviews are now included in the audit log for both enterprises and organizations. These events help administrators better monitor pull request activity and ensure security and compliance requirements are being met. Events can be viewed from the web UI, exported as CSV or JSON, or accessed via REST API. You can also search the audit log for specific pull request events.
The format of authentication tokens for GitHub AE has changed. The change affects the format of personal access tokens and access tokens for OAuth Apps, as well as user-to-server, server-to-server, and refresh tokens for GitHub Apps. GitHub recommends updating existing tokens as soon as possible to improve security and allow secret scanning to detect the tokens. For more information, see "About authentication to GitHub" and "About secret scanning."
You can now authenticate SSH connections to GitHub AE using a FIDO2 security key by adding an email@example.com SSH key to your account. SSH security keys store secret key material on a separate hardware device that requires verification, such as a tap, to operate. Storing the key on separate hardware and requiring physical interaction for your SSH key offers additional security. Since the key is stored on hardware and is non-extractable, the key can't be read or stolen by software running on the computer. The physical interaction prevents unauthorized use of the key since the security key will not operate until you physically interact with it. For more information, see "Generating a new SSH key and adding it to the ssh-agent."
Git Credential Manager (GCM) Core versions 2.0.452 and later now provide secure credential storage and multi-factor authentication support for GitHub AE. GCM Core with support for GitHub AE is included with Git for Windows versions 2.32 and later. GCM Core is not included with Git for macOS or Linux, but can be installed separately. For more information, see the latest release and installation instructions in the microsoft/Git-Credential-Manager-Core repository.
You can now configure which events you would like to be notified about on GitHub AE. From any repository, select the Watch drop-down, then click Custom. For more information, see "Configuring notifications."
You can now see all pull request review comments in the Files tab for a pull request by selecting the Conversations drop-down. You can also require that all pull request review comments are resolved before anyone merges the pull request. For more information, see "About pull request reviews" and "About protected branches." For more information about management of branch protection settings with the API, see "Branches" in the REST API documentation and "Mutations" in the GraphQL API documentation.
You can now upload video files everywhere you write Markdown on GitHub AE. Share demos, show reproduction steps, and more in issue and pull request comments, as well as in Markdown files within repositories, such as READMEs. For more information, see "Attaching files."
GitHub AE now shows a confirmation dialog when you request a review from a team with more than 100 members, allowing you to prevent unnecessary notifications for large teams.
When an issue or pull request has fewer than 30 possible assignees, the assignees control will list all potential users rather than a limited set of suggestions. This behavior helps people in small organizations to quickly find the right user. For more information about assigning users to issues and pull requests, see "Assigning issues and pull requests to other GitHub users."
You can now include multiple words after the # in a comment for an issue or pull request to further narrow your search. To dismiss the suggestions, press Esc.
To prevent the merge of unexpected changes after you enable auto-merge for a pull request, auto-merge is now disabled automatically when new changes are pushed by a user without write access to the repository. Users without write access can still update the pull request with changes from the base branch when auto-merge is enabled. To prevent a malicious user from using a merge conflict to introduce unexpected changes to the pull request, GitHub AE will disable auto-merge for the pull request if the update causes a merge conflict. For more information about auto-merge, see "Automatically merging a pull request."
People with maintain access can now manage the repository-level "Allow auto-merge" setting. This setting, which is off by default, controls whether auto-merge is available on pull requests in the repository. Previously, only people with admin access could manage this setting. Additionally, this setting can now by controlled using the "Create a repository" and "Update a repository" REST APIs. For more information, see "Managing auto-merge for pull requests in your repository."
The assignees selection for issues and pull requests now supports type ahead searching so you can find users in your organization faster. Additionally, search result rankings have been updated to prefer matches at the start of a person's username or profile name.
When viewing the commit history for a file, you can now click to view the file at the specified time in the repository's history.
You can now use the web UI to synchronize an out-of-date branch for a fork with the fork's upstream branch. If there are no merge conflicts between the branches, GitHub AE updates your branch either by fast-forwarding or by merging from upstream. If there are conflicts, GitHub AE will prompt you to open pull request to resolve the conflicts. For more information, see "Syncing a fork."
You can now sort the repositories on a user or organization profile by star count.
The Repositories REST API's "compare two commits" endpoint, which returns a list of commits reachable from one commit or branch, but unreachable from another, now supports pagination. The API can also now return the results for comparisons over 250 commits. For more information, see the "Commits" REST API documentation and "Traversing with pagination."
When you define a submodule in your enterprise with a relative path, the submodule is now clickable in the web UI. Clicking the submodule in the web UI will take you to the linked repository. Previously, only submodules with absolute URLs were clickable. Relative paths for repositories with the same owner that follow the pattern ../REPOSITORY or relative paths for repositories with a different owner that follow the pattern ../OWNER/REPOSITORY are supported. For more information about working with submodules, see Working with submodules on the GitHub Blog.
By precomputing checksums, the amount of time a repository is under lock has reduced dramatically, allowing more write operations to succeed immediately and improving monorepo performance.
Dark and dark dimmed themes are now available for the web UI. GitHub AE will match your system preferences when you haven't set theme preferences in GitHub AE. You can also customize the themes that are active during day and night. For more information, see "Managing your theme settings."
Markdown files in your repositories now automatically generate a table of contents in the header the file has two or more headings. The table of contents is interactive and links to the corresponding section. All six Markdown heading levels are supported. For more information, see "About READMEs."
code markup is now supported in titles for issues and pull requests. Text within backticks (`) will appear rendered in a fixed-width font anywhere the issue or pull request title appears in the web UI for GitHub AE.
While editing Markdown in files, issues, pull requests, or comments, you can now use a keyboard shortcut to insert a code block. The keyboard shortcut is command + E on a Mac or Ctrl + E on other devices. For more information, see "Basic writing and formatting syntax."
You can append ?plain=1 to the URL for any Markdown file to display the file without rendering and with line numbers. You can use the plain view to link other users to specific lines. For example, appending ?plain=1#L52 will highlight line 52 of a plain text Markdown file. For more information, "Creating a permanent link to a code snippet."
API requests to create an installation access token now respect IP allow lists for an enterprise or organization. Any API requests made with an installation access token for a GitHub App installed on your organization already respect IP allow lists. This feature does not currently consider any Azure network security group (NSG) rules that GitHub Support has configured for your enterprise. For more information, see "Restricting network traffic to your enterprise," "Managing allowed IP addresses for your organization," and "Apps" in the REST API documentation.
Please note that when GitHub Actions is enabled during this upgrade, two organizations named "GitHub Actions" (@actions and @github) will appear in your enterprise. These organizations are required by GitHub Actions. Users named @ghost and @actions appear as the actors for creation of these organizations in the audit log.
GitHub Packages is a package hosting service, natively integrated with GitHub Actions, APIs, and webhooks. Create an end-to-end DevOps workflow that includes your code, continuous integration, and deployment solutions. During this beta, GitHub Packages is offered free of charge to GitHub AE customers.
GitHub Advanced Security is available in beta and includes both code scanning and secret scanning. During this beta, GitHub Advanced Security features are being offered free of charge to GitHub AE customers. Repository and organization administrators can opt-in to use GitHub Advanced Security in the Security and Analysis tab under settings.
Customers using SCIM (System for Cross-domain Identity Management) can now sync security groups in Azure Active Directory with GitHub teams. Once a team has been linked to a security group, membership will be automatically updated in GitHub AE when a user is added or removed from their assigned security group.
GitHub IP allow lists provide the ability to filter traffic from administrator-specified IP ranges, defined by CIDR notation. The allow list is defined at the enterprise or organization account level in Security > Settings. All traffic that attempts to reach resources within the enterprise account and organizations are filtered by the IP allow lists. This functionality is provided in addition to the ability to request network security group changes that filter traffic to the entirety of the GHAE tenant.
When configuring a GitHub App, the authorization callback URL is a required field. Now we will permit the integrator to specify multiple callback URLs. GitHub AE denies authorization if the callback URL from the request is not listed.
A new API endpoint enables the exchange of a user to server token for a user to server token scoped to specific repositories.
Enterprise and organization owners can now set the default branch name for new repositories. Enterprise owners can also enforce their choice of default branch name across all organizations or allow individual organizations to choose their own.
Existing repositories are unaffected by these settings, and their default branch name will not be changed.
This change is one of many changes GitHub is making to support projects and maintainers that want to rename their default branch. To learn more, see github/renaming.