Enterprise Server 3.13 release notes

Instance administration

• The root navigational experience for enterprise accounts lands all users on an "Enterprise Overview". From this page, enterprise owners can create a README for their enterprise, which will be visible internally to all enterprise members. The "Organization" page still exists and can be accessed from the left sidebar of the enterprise account.

• To improve the pre-flight checks experience, all pre-flight checks run even if one check fails. A consolidated report of the results is shown in the UI.

• The editor role for a Management Console user has been deprecated in the Manage GitHub Enterprise Server API.

• People deploying a GitHub Enterprise Server instance in AWS can now deploy in an environment that uses Instance Metadata Service Version 2 (IMDSv2).

• As part of the upgrade to GitHub Enterprise Server 3.13, Elasticsearch (ES) is upgraded from version 5.6.16 to 8.7.0. Upgrading platform components improves performance and security posture. For important upgrade considerations, see "Preparing for the Elasticsearch upgrade in GitHub Enterprise Server 3.13."

• To improve existing tooling for license handling, the ghe-license script handles all operations regarding the active license. Commands can be performed on new licenses without importing them first. The script allows direct application of the license without a full configuration run and avoids restarting the instance to reduce downtime. See "Utilidades de la ea de comandos."

  Administrators can upload the license to their instance using multiple interfaces, including the Management Console, Manage GHES API, CLI, or SSH. See "Cargar una licencia nueva a GitHub Enterprise Server."

Audit logs

• Enterprise and organization audit log events include the applicable SAML and SCIM identity data associated with the user. This data provides increased visibility into the identity of the user and enables logs from multiple systems to quickly and easily be linked using a common corporate identity. The SAML identity information displays in the external_identity_nameid field and the SCIM identity data displays in the external_identity_username field within the audit log payloads. For more information, see "Revisar el registro de auditoría de tu organización."

GitHub Actions

• For self-hosted GitHub Actions runners on this GitHub Enterprise Server release, the minimum required version of the GitHub Actions Runner application is 2.314.1. See the release notes for this version in the actions/runner repository on GitHub.com. If your instance uses ephemeral self-hosted runners and you've disabled automatic updates, you must upgrade your runners to this version of the Runner application before upgrading your instance to this GitHub Enterprise Server release.

• To ensure Actions runners are truly ephemeral and more secure, execution timeouts on self-hosted jobs are limited to 5 days. If a job reaches this limit, the job is terminated and fails to complete. For more information, see "Acerca de los ejecutores autohospedados."

Repositories

• Users can use repository properties to add meaningful metadata to repositories that simplifies repository classification, enhances discoverability, and seamlessly integrates with rulesets. For more information, see "Administración de propiedades personalizadas para repositorios de la organización."

• Users can browse and view code in a revamped experience for GitHub repositories, providing a tree pane for browsing files, fuzzy search for files, sticky code headers, and more.

• Users can migrate existing tag protection rules into repository rules. For more information, see "Configuración de reglas de protección de etiquetas."

Projects

• Users can post status updates on their projects to share the current status, start date, and target date of the project itself. For more information, see "Uso compartido de actualizaciones project."

• Users can migrate their projects (classic) to the new Projects experience. For more information, see "Migración desde projects (classic)."

Pull requests

• Rebase commits are now created using the merge-ort strategy.

Secret scanning

• In the secret scanning list view, users can apply a filter to display alerts that are the result of having bypassed push protection. For more information, see "Administración de alertas del examen de secretos."

• To increase coverage of secret scanning across an instance, users can enable secret scanning in repositories owned by their personal account. Enterprise owners can disable this feature, or automatically enable it for all new user-owned repositories, in the enterprise settings. See "Administración de las características de GitHub Advanced Security para la empresa."

Code scanning

• Users can enable code scanning on repositories even if they don't contain any code written in the languages currently supported by CodeQL. Default setup will automatically trigger the first scan when a supported language is detected on the default branch. For more information, see "Establecimiento de la configuración predeterminada para el examen del código."

• Users can use CodeQL threat model settings for Java to adapt CodeQL's code scanning analysis to detect the most relevant security vulnerabilities in their code. This feature is in public beta and subject to change. For more information, see "Personalizar la configuración avanzado de el análisis de código."

• The CodeQL action for code scanning analysis uses version 2.16.5 of the CodeQL CLI by default, an upgrade from 2.15.5 compared to the previous GitHub Enterprise Server feature release. For a detailed list of changes included in each version, see the CodeQL change logs. Significant changes include:

  • Support for Swift 5.9.2, C# 12 / .NET 8, and Go 1.22.
  • Installation of Python dependencies is disabled for all Python scans by default. See the GitHub Blog post.
  • A new python_executable_name option for the Python extractor. This allows you to select a non-default Python executable installed on the system running the scan (such as py.exe on Windows machines). See the changelog in the CodeQL documentation.
  • A fix for CVE-2024-25129, a low-severity data exfiltration vulnerability that could be triggered by processing untrusted databases or CodeQL packs.
  • The code scanning UI now includes partially extracted files. See the GitHub Blog post.
  • 2 new C/C++ queries: cpp/use-of-unique-pointer-after-lifetime-ends and cpp/incorrectly-checked-scanf
  • 6 new Java queries: java/insecure-randomness , java/exec-tainted-environment , java/android/sensitive-text, java/android/sensitive-notification, java/android/insecure-local-authentication, and java/android/insecure-local-key-gen
  • 2 new Swift queries: swift/weak-password-hashing and swift/unsafe-unpacking

Code security

• On the security overview dashboard, users can find detailed insights for the security alerts in an organization or enterprise, including trending data that tracks alert counts and activity over time and snapshot data that reflects the current state of the security landscape. Alerts are displayed for both GitHub's security features and third-party tools. Filters are available for the type and visibility of alerts, date range, repository custom properties, and more. The overview dashboard is in public beta and subject to change. For more information, see "Visualización de información de seguridad."

• Users can view trending data for the enablement of security features in an organization. In security overview for an organization, the "Enablement trends" view shows historical data for the activation of security features including Dependabot updates, code scanning alerts, and secret scanning alerts. This feature is in public beta and subject to change. For more information, see "Evaluación de la adopción de características de seguridad de código."

• For users who use devcontainer.json files to define development containers for repositories, Dependabot version updates can keep "features" defined for the dev container up to date. Once configured in dependabot.yml, Dependabot will open pull requests on a specified schedule to update the listed features to the latest version. Dependabot security updates for dev containers are not currently supported. For more information, see "Acerca de las actualizaciones a la versión del Dependabot."

Authentication

• For enterprises or organizations that use an SSH certificate authority (CA) to provide SSH certificates to members, to protect against a security risk involving user renames, new SSH CAs that are uploaded to a GitHub Enterprise Server 3.13 instance can only be used to sign certificates that are set to expire. For new CAs, you must use the -V parameter with ssh-keygen to generate a certificate with a valid-after claim.

  The valid-after claim allows GitHub to validate that the user named in the SSH certificate hasn't been renamed since the certificate was signed. CAs uploaded prior to version 3.13 are exempt from this requirement and can be used to sign certificates that do not expire. However, when you've ensured that your certificate signing process uses the -V flag, GitHub encourages you to upgrade existing certificates to enforce the expiration requirement. For more information, see "Administrar las autoridades de certificación SSH de tu organización" or "Requerir las políticas para los ajustes de seguridad en tu empresa."

TCP port 9103 is opened for future administrative features related to support for Prometheus scraping. The port has been open since GitHub Enterprise Server 3.12, but this change wasn't communicated at the time release notes for version 3.12 were first published.

Upcoming change: In version 3.14 and later of GitHub Enterprise Server, for instances with GitHub Actions and GitHub Connect enabled, self-hosted runners that download actions from GitHub.com via GitHub Connect will need to allow access to the following new hosts.

• ghcr.io
• *.actions.githubusercontent.com

You can make this change to your firewall rules on version 3.13, or on a previous version of GitHub Enterprise Server. For a smooth upgrade to version 3.14, we recommend you make changes to your firewall rules now, as failing to do so will result in your runners being unable to download certain actions in version 3.14 and later.

The "Create a reference" REST API endpoint is restricted from accepting POSTs from users and apps that only have permission to read and write packages. Previously, this endpoint accepted updates to both tags and branches.

To ensure security updates are applied correctly regardless of your repository's configuration settings, Dependabot uses private registry configurations specified in the dependabot.yml file as expected, even if there is a configuration with target-branch. Security updates still do not support target-branch configuration. For more information, see "Configuración del acceso a registros privados para Dependabot."

Custom firewall rules are removed during the upgrade process.

During the validation phase of a configuration run, a No such object error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start.

If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. For more information, see "Solución de problemas de acceso a la Consola de administración."

On an instance with the HTTP X-Forwarded-For header configured for use behind a load balancer, all client IP addresses in the instance's audit log erroneously appear as 127.0.0.1.

On an instance in a cluster configuration, restoration of a backup using ghe-restore will exit prematurely if Redis has not restarted properly.

When enabling log forwarding, specific service logs, including babeld, are duplicated. For more information, see "Redireccionamiento de registro."

As part of sunsetting Subversion compatibility, Subversion support is now disabled by default. Subversion can be re-enabled in the 3.13 release series by setting app.svnbridge.enabled = true. In 3.14, subversion support will be permanently removed. For more information, see Sunsetting Subversion support on the GitHub blog.

The Manage GHES API reached feature parity with the Management Console API in GHES 3.12. As a result, we will deprecate the Management Console API in GitHub Enterprise Server 3.14. For information about updating tooling that relies on the Management Console API, see "Puntos de conexión de API de REST para la consola de administración."