Enterprise Server 3.5 release notes

September 21, 2022

📣 This is not the latest release of Enterprise Server. Use the latest release for the latest security, performance, and bug fixes.

    Features

  • Repository archives for migrations now include an is_archived field.

    Security fixes

  • HIGH: A GitHub App could use a scoped user-to-server token to bypass user authorization logic and escalate privileges.

  • MEDIUM: The use of a Unicode right-to-left override character in the list of accessible files for a GitHub App could obscure additional files that the app could access.

  • LOW: Granting a user the ability to bypass branch protections no longer allows the user to bypass the requirement for signature verification.

  • Packages have been updated to the latest security versions.

    Bug fixes

  • Installation of a TLS certificate failed when the certificate's subject string included UTF-8 characters.

  • Configuration runs could fail when retry-limit or retry-sleep-duration were manually set by an administrator using ghe-config.

  • The ghe-find-insecure-git-operations command did not return all insecure Git operations after each invocation.

  • In some cases, the Management Console's monitor dashboard would not load correctly.

  • Removed a non-functional link for exporting Management Console monitor graphs as a PNG image.

  • When sending a support bundle to GitHub Enterprise Support using ghe-support-upload, the -t option would not successfully associate the uploaded bundle with the specified ticket.

  • In rare cases, an upgrade from GitHub Enterprise Server 3.3 to 3.4 would incorrectly modify how data is stored, resulting in failures during future upgrades. When upgrading directly to this release from 3.3, the failure will not occur.

  • When using a VPC endpoint URL as an AWS S3 URL for GitHub Packages, publication and installation of packages failed.

  • Git clones or fetches over SSH could experience data corruption for transfers over 1GB in size.

  • A link back to the security settings for the instance's enterprise account could render an incorrect view.

  • After a user deleted or restored packages from the web interface, counts for packages could render incorrectly.

  • After successful configuration of Dependabot and alert digest emails, the instance would not send digest emails.

  • After upgrading to GitHub Enterprise Server 3.5, releases would appear to be missing from repositories. This occurred when the required Elasticsearch index migrations had not successfully completed. The releases UI now indicates if it is waiting for the Elasticsearch index migrations to complete, and links to documentation on how to observe status and immediately complete the migration.

  • Manually disabled GitHub Actions workflows in a repository were re-enabled if the repository received a push containing more than 2048 commits, or if the repository's default branch changed.

  • When viewing a pull request's diff for a large file with many lines between changes, it was not possible to expand the view to display all of the changes.

  • If branch protections were enabled, the GITHUB_REF_PROTECTED environment variable and github.ref_protected contexts for GitHub Actions workflow runs were incorrectly set as false.

  • On instances using GitHub Advanced Security, secret scanning automatically revoked personal access tokens added to public repositories.

  • Repositories for packages erroneously displayed a "Used by" section.

    Known issues

  • On a freshly set up GitHub Enterprise Server instance without any users, an attacker could create the first admin user.

  • Custom firewall rules are removed during the upgrade process.

  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.

  • Issues cannot be closed if they contain a permalink to a blob in the same repository, where the blob's file path is longer than 255 characters.

  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

  • The GitHub Packages npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.

  • Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.

  • Actions services need to be restarted after restoring an appliance from a backup taken on a different host.

  • Hotpatch upgrades to GitHub Enterprise Server 3.5.6 may fail. Upgrades with the full .pkg are unaffected. If the upgrade fails for your instance, either run the full .pkg upgrade, or work around the issue by performing the following steps.

    1. SSH into the affected node.

    2. To launch GRUB, run the following command.

      sudo dpkg --configure -a
      
    3. In the first GRUB window, you will see a list of devices. Do not modify the selection. Press the Tab key to highlight <Ok>, then press Return/Enter to accept.

    4. In the second GRUB window, to continue without installing GRUB, use the arrow keys to highlight <Yes>, then press Return/Enter to accept.

    5. After you are returned to the prompt, use ghe-upgrade to start the hotpatch installation again.

    If you're unable to upgrade, or if you need further assistance, contact GitHub Support. For more information, see "Creating a support ticket." [Updated: 2022-09-27]

August 30, 2022

📣 This is not the latest patch release of this release series, and it is not the latest release of Enterprise Server. Use the latest release for the latest security, performance, and bug fixes.

    Bug fixes

  • After unlocking a repository for temporary access, a site administrator could not manage the settings for security products in the repository.

  • Duplicate administrative SSH keys could appear in the Management Console and in the /home/admin/.ssh/authorized_keys file.

  • The site admin page for individual users at http(s)://HOSTNAME/stafftools/users/USERNAME/admin contained functionality not intended for GitHub Enterprise Server.

  • In some cases, running ghe-cluster-config-apply could replicate an empty configuration to existing nodes in a cluster.

  • In some cases, configuration runs started with ghe-config-apply did not complete, or returned a Container count mismatch error.

  • After updating a self-signed TLS certificate on a GitHub Enterprise Server instance, UI elements on some pages of the web interface did not appear.

  • The site admin bar at the top of the web interface contained a broken link to the SHA of the running version of the application.

  • In some cases, background tasks could stall because a library was used concurrently despite not being thread-safe.

  • GitHub Advanced Security secret scanning alerts were not shown in the web UI or the REST API if a site administrator did not upgrade directly to GitHub Enterprise Server 3.4. The alerts are now visible.

  • When a user forked a repository into an organization, the list of organizations did not render correctly.

    Changes

  • Generation of support bundles is faster thanks to parallel log sanitization. For more information about support bundles, see "Providing data to GitHub Support."

  • APIs that contain the organization or org route now accept the organization's slug or ID. Previously, the APIs only accepted slugs, which caused the Link headers of GitHub Advanced Security endpoints to be inaccessible. For more information, see "Organizations" in the REST API documentation.

  • The enterprise audit log now includes more user-generated events, such as project.create. The REST API also returns additional user-generated events, such as repo.create. For more information, see "Accessing the audit log for your enterprise" and "Using the audit log API for your enterprise."

  • In some cases, cached replicas rejected some Git operations on recently updated repositories. For more information about repository caching, see "About repository caching."

    Known issues

  • On a freshly set up GitHub Enterprise Server instance without any users, an attacker could create the first admin user.

  • Custom firewall rules are removed during the upgrade process.

  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.

  • Issues cannot be closed if they contain a permalink to a blob in the same repository, where the blob's file path is longer than 255 characters.

  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

  • The GitHub Packages npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.

  • Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.

  • Actions services need to be restarted after restoring an appliance from a backup taken on a different host.

August 11, 2022

📣 This is not the latest patch release of this release series, and it is not the latest release of Enterprise Server. Use the latest release for the latest security, performance, and bug fixes.

    Security fixes

  • CRITICAL: GitHub Enterprise Server's Elasticsearch container used a version of OpenJDK 8 that was vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. The vulnerability is tracked as CVE-2022-34169.

  • HIGH: Previously installed apps on user accounts were automatically granted permission to access an organization on scoped access tokens after the user account was transformed into an organization account. This vulnerability was reported via the GitHub Bug Bounty program.

    Bug fixes

  • In some cases, GitHub Enterprise Server instances on AWS that used the r4.4xlarge instance type would fail to boot.

  • In some cases, UI elements within a pull request's Files changed tab could overlap.

  • When a custom dormancy threshold was set for the instance, suspending all dormant users did not reliably respect the threshold. For more information about dormancy, see "Managing dormant users."

  • When calculating committers for GitHub Advanced Security, it was not possible to specify individual repositories. For more information, see "Site admin dashboard."

  • In some cases, Elasticsearch's post-upgrade es:upgrade process could crash before completion.

  • The script for migration to internal repositories failed to convert the visibility for public repositories to internal or private. For more information about the migration, see "Migrating to internal repositories."

  • Detection of GitHub Actions workflow files for the dependency graph was unavailable in GitHub Enterprise Server 3.5.0, 3.5.1, 3.5.2, and 3.5.3, but is now available in 3.5.4. For more information, see "About the dependency graph."

  • The ability to reopen dismissed Dependabot alerts was unavailable in GitHub Enterprise Server 3.5.0, 3.5.1, 3.5.2, and 3.5.3, but is now available in 3.5.4. For more information, see "Viewing and updating Dependabot alerts."

  • The ability to always suggest updates from the base branch to a pull request's HEAD was unavailable in GitHub Enterprise Server 3.5.0, 3.5.1, 3.5.2, and 3.5.3, but is now available in 3.5.4. For more information, see "Managing suggestions to update pull request branches."

  • The light high contrast theme was unavailable in GitHub Enterprise Server 3.5.0, 3.5.1, 3.5.2, and 3.5.3, but is now available in 3.5.4. For more information, see "Managing your theme settings."

    Changes

  • pre_receive_hook.rejected_push events were not displayed in the enterprise audit log.

    Known issues

  • On a freshly set up GitHub Enterprise Server instance without any users, an attacker could create the first admin user.

  • Custom firewall rules are removed during the upgrade process.

  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.

  • Issues cannot be closed if they contain a permalink to a blob in the same repository, where the blob's file path is longer than 255 characters.

  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

  • The GitHub Packages npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.

  • Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.

  • Actions services need to be restarted after restoring an appliance from a backup taken on a different host.

  • In some cases, GitHub Advanced Security customers who upgrade to GitHub Enterprise Server 3.5 may notice that secret scanning alerts are missing from the web UI and the REST API. To ensure that alerts remain visible, do not skip version 3.4 when upgrading to the latest version. To plan an upgrade through version 3.4, see the Upgrade assistant.

    A fix is available in patch release 3.5.5. [Updated: 2022-09-01]

July 21, 2022

📣 This is not the latest patch release of this release series, and it is not the latest release of Enterprise Server. Use the latest release for the latest security, performance, and bug fixes.

    Security fixes

  • MEDIUM: Prevents an attack where a server-side request forgery (SSRF) could potentially force the Subversion (SVN) bridge to execute remote code by injecting arbitrary data into Memcached.

  • MEDIUM: Prevents an attacker from executing JavaScript code by exploiting a cross-site scripting (XSS) vulnerability in dropdown UI elements within the GitHub Enterprise Server web interface.

  • Updates Grafana to version 7.5.16, which addresses various security vulnerabilities including CVE-2020-13379 and CVE-2022-21702.

  • Packages have been updated to the latest security versions.

  • MEDIUM: A stored XSS vulnerability was identified in GitHub Enterprise Server that allowed the injection of arbitrary attributes. This injection was blocked by GitHub's Content Security Policy (CSP). This vulnerability was reported via the GitHub Bug Bounty program and has been assigned CVE-2022-23733. [Updated: 2022-07-31]

    Bug fixes

  • In some cases, the collectd daemon could consume excess memory.

  • In some cases, backups of rotated log files could accumulate and consume excess storage.

  • After an upgrade to a new feature release and subsequent configuration run, Elasticsearch could log excessive exceptions while rebuilding indices.

  • In some cases where a protected branch required more than one approving review, a pull request could be merged with fewer than the required number of approving reviews.

  • The GitHub Enterprise Importer did not correctly migrate settings for projects within repositories.

  • On instances using LDAP authentication, the authentication prompt for sudo mode incorrectly placed the cursor within the password field by default when text fields for both a username and password were visible.

  • The site admin dashboard erroneously included an option to export a report listing dormant users.

  • The Billing API's "Get GitHub Advanced Security active committers for an organization" endpoint now returns Link headers to provide information about pagination.

  • The Billing API's "Get GitHub Advanced Security active committers for an organization" endpoint now returns the correct number of total committers.

  • In the sidebar for an organization's settings, the Archive navigation item contained no children.

  • VMware vSphere ESXi hypervisor version 7.0 is now supported. [Updated: 2022-09-07]

    Changes

  • The ghe-set-password command-line utility starts required services automatically when the instance is booted in recovery mode.

  • Metrics for aqueduct background processes are gathered for Collectd forwarding and display in the Management Console.

  • The location of the database migration and configuration run log, /data/user/common/ghe-config.log, is now displayed on the page that details a migration in progress.

    Known issues

  • On a freshly set up GitHub Enterprise Server instance without any users, an attacker could create the first admin user.

  • Custom firewall rules are removed during the upgrade process.

  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.

  • Issues cannot be closed if they contain a permalink to a blob in the same repository, where the blob's file path is longer than 255 characters.

  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

  • The GitHub Packages npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.

  • Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.

  • Actions services need to be restarted after restoring an appliance from a backup taken on a different host.

  • The following features were unavailable for users in GitHub Enterprise Server 3.5.0, 3.5.1, 3.5.2, and 3.5.3. The features are available in 3.5.4 and later. [Updated: 2022-08-16]

    • Detection of GitHub Actions workflow files for the dependency graph
    • Reopening of dismissed Dependabot alerts
    • Enabling the Update branch button for all pull requests in a repository
    • Light high contrast theme

  • In some cases, GitHub Advanced Security customers who upgrade to GitHub Enterprise Server 3.5 may notice that secret scanning alerts are missing from the web UI and the REST API. To ensure that alerts remain visible, do not skip version 3.4 when upgrading to the latest version. To plan an upgrade through version 3.4, see the Upgrade assistant.

    A fix is available in patch release 3.5.5. [Updated: 2022-09-01]

June 28, 2022

📣 This is not the latest patch release of this release series, and it is not the latest release of Enterprise Server. Use the latest release for the latest security, performance, and bug fixes.

    Security fixes

  • MEDIUM: Prevents an attack where an org query string parameter can be specified for a GitHub Enterprise Server URL that then gives access to another organization's active committers.

  • MEDIUM: Ensures that github.company.com and github-company.com are not evaluated by internal services as identical hostnames, preventing a potential server-side request forgery (SSRF) attack.

  • LOW: An attacker could access the Management Console with a path traversal attack via HTTP even if external firewall rules blocked HTTP access.

  • Packages have been updated to the latest security versions.

    Bug fixes

  • Files inside an artifact archive were unable to be opened after decompression due to restrictive permissions.

  • In some cases, packages pushed to the Container registry were not visible in GitHub Enterprise Server's web UI.

  • Management Console would appear stuck on the Starting screen after upgrading an under-provisioned instance to GitHub Enterprise Server 3.5.

  • Redis timeouts no longer halt database migrations while running ghe-config-apply.

  • Background job processors would get stuck in a partially shut-down state, resulting in certain kinds of background jobs (like code scanning) appearing stuck.

  • In some cases, site administrators were not automatically added as enterprise owners.

  • Actions workflows calling other reusable workflows failed to run on a schedule.

  • Resolving Actions using GitHub Connect failed briefly after changing repository visibility from public to internal.

    Changes

  • Improved the performance of Dependabot Updates when first enabled.

  • Increased the maximum number of concurrent connections for Actions runners to support the GHES performance target.

  • The GitHub Pages build and synchronization timeouts are now configurable in the Management Console.

  • Added an environment variable to configure Redis timeouts.

  • Creating or updating check runs or check suites could return 500 Internal Server Error if the value for certain fields, like the name, was too long.

  • Improves performance in pull requests' "Files changed" tab when the diff includes many changes.

  • The Actions repository cache usage policy no longer accepts a maximum value less than 1 for max_repo_cache_size_limit_in_gb.

  • When deploying cache-server nodes, it is now mandatory to describe the datacenter topology (using the --datacenter argument) for every node in the system. This requirement prevents situations where leaving datacenter membership set to "default" leads to workloads being inappropriately balanced across multiple datacenters.

  • VMware vSphere ESXi hypervisor version 7.0 is now supported. [Updated: 2022-09-07]

    Known issues

  • On a freshly set up GitHub Enterprise Server instance without any users, an attacker could create the first admin user.

  • Custom firewall rules are removed during the upgrade process.

  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.

  • Issues cannot be closed if they contain a permalink to a blob in the same repository, where the blob's file path is longer than 255 characters.

  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

  • The GitHub Packages npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.

  • Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.

  • Actions services need to be restarted after restoring an appliance from a backup taken on a different host.

  • The following features were unavailable for users in GitHub Enterprise Server 3.5.0, 3.5.1, 3.5.2, and 3.5.3. The features are available in 3.5.4 and later. [Updated: 2022-08-16]

    • Detection of GitHub Actions workflow files for the dependency graph
    • Reopening of dismissed Dependabot alerts
    • Enabling the Update branch button for all pull requests in a repository
    • Light high contrast theme

  • In some cases, GitHub Advanced Security customers who upgrade to GitHub Enterprise Server 3.5 may notice that secret scanning alerts are missing from the web UI and the REST API. To ensure that alerts remain visible, do not skip version 3.4 when upgrading to the latest version. To plan an upgrade through version 3.4, see the Upgrade assistant.

    A fix is available in patch release 3.5.5. [Updated: 2022-09-01]

June 09, 2022

📣 This is not the latest patch release of this release series, and it is not the latest release of Enterprise Server. Use the latest release for the latest security, performance, and bug fixes.

    Security fixes

  • Packages have been updated to the latest security versions.

    Bug fixes

  • An internal script to validate hostnames in the GitHub Enterprise Server configuration file would return an error if the hostname string started with a "." (period character).

  • In HA configurations where the primary node's hostname was longer than 60 characters, MySQL would fail to be configured.

  • When GitHub Actions was enabled but TLS was disabled on GitHub Enterprise Server 3.4.1 and later, applying a configuration update would fail.

  • The --gateway argument was added to the ghe-setup-network command, to allow passing the gateway address when configuring network settings using the command line.

  • The GitHub Advanced Security billing API endpoints were not enabled and accessible.

  • Image attachments that were deleted would return a 500 Internal Server Error instead of a 404 Not Found error.

  • In environments configured with a repository cache server, the ghe-repl-status command incorrectly showed gists as being under-replicated.

  • The "Get a commit" and "Compare two commits" endpoints in the Commit API would return a 500 error if a file path in the diff contained an encoded and escaped unicode character.

  • The calculation of "maximum committers across entire instance" reported in the site admin dashboard was incorrect.

  • An incorrect database entry for repository replicas caused database corruption when performing a restore using GitHub Enterprise Server Backup Utilities.

  • A GitHub App would not be able to subscribe to the secret_scanning_alert_location webhook event on an installation.

  • The activity timeline for secret scanning alerts wasn't displayed.

  • Deleted repos were not purged after 90 days.

    Changes

  • Optimised the inclusion of metrics when generating a cluster support bundle.

  • In HA configurations where Elasticsearch reported a valid yellow status, changes introduced in a previous fix would block the ghe-repl-stop command and not allow replication to be stopped. Using ghe-repl-stop --force will now force Elasticsearch to stop when the service is in a normal or valid yellow status.

  • VMware vSphere ESXi hypervisor version 7.0 is now supported. [Updated: 2022-09-07]

    Known issues

  • On a freshly set up GitHub Enterprise Server instance without any users, an attacker could create the first admin user.

  • Custom firewall rules are removed during the upgrade process.

  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.

  • Issues cannot be closed if they contain a permalink to a blob in the same repository, where the blob's file path is longer than 255 characters.

  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

  • The GitHub Packages npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.

  • Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.

  • Actions services need to be restarted after restoring an appliance from a backup taken on a different host.

  • Deleted repositories will not be purged from disk automatically after the 90-day retention period ends. This issue is resolved in the 3.5.1 release. [Updated: 2022-06-10]

  • Management Console may appear stuck on the Starting screen after upgrading an under-provisioned instance to GitHub Enterprise Server 3.5. [Updated: 2022-06-20]

  • The following features were unavailable for users in GitHub Enterprise Server 3.5.0, 3.5.1, 3.5.2, and 3.5.3. The features are available in 3.5.4 and later. [Updated: 2022-08-16]

    • Detection of GitHub Actions workflow files for the dependency graph
    • Reopening of dismissed Dependabot alerts
    • Enabling the Update branch button for all pull requests in a repository
    • Light high contrast theme

  • In some cases, GitHub Advanced Security customers who upgrade to GitHub Enterprise Server 3.5 may notice that secret scanning alerts are missing from the web UI and the REST API. To ensure that alerts remain visible, do not skip version 3.4 when upgrading to the latest version. To plan an upgrade through version 3.4, see the Upgrade assistant.

    A fix is available in patch release 3.5.5. [Updated: 2022-09-01]

May 31, 2022

📣 This is not the latest patch release of this release series, and it is not the latest release of Enterprise Server. Use the latest release for the latest security, performance, and bug fixes.

For upgrade instructions, see "Upgrading GitHub Enterprise Server."

    Features

    IP exception list for validation testing after maintenance

  • You can now configure an allow list of IP addresses that can access application services on your GitHub Enterprise Server instance while maintenance mode is enabled. Administrators who visit the instance's web interface from an allowed IP address can validate the instance's functionality post-maintenance and before disabling maintenance mode. For more information, see "Enabling and scheduling maintenance mode."

    Custom repository roles are generally available

  • With custom repository roles, organizations now have more granular control over the repository access permissions they can grant to users. For more information, see "Managing custom repository roles for an organization."

    A custom repository role is created by an organization owner, and is available across all repositories in that organization. Each role can be given a custom name, and a description. It can be configured from a set of over 40 fine grained permissions. Once created, repository admins can assign a custom role to any user, team or outside collaborator in their repository.

    Custom repository roles can be created, viewed, edited and deleted via the new Repository roles tab in an organization's settings. A maximum of 3 custom roles can be created within an organization.

    Custom repository roles are also fully supported in the GitHub Enterprise Server REST APIs. The Organizations API can be used to list all custom repository roles in an organization, and the existing APIs for granting repository access to individuals and teams have been extended to support custom repository roles. For more information, see "Organizations" in the REST API documentation.

    GitHub Container registry in public beta

  • The GitHub Container registry (GHCR) is now available in GitHub Enterprise Server 3.5 as a public beta, offering developers the ability to publish, download, and manage containers. GitHub Packages container support implements the OCI standards for hosting Docker images. For more information, see "GitHub Container registry."

    Dependabot updates are generally available

  • Dependabot version and security updates are now generally available in GitHub Enterprise Server 3.5. All the popular ecosystems and features that work on GitHub.com repositories now can be set up on your GitHub Enterprise Server instance. Dependabot on GitHub Enterprise Server requires GitHub Actions and a pool of self-hosted Dependabot runners, GitHub Connect enabled, and Dependabot enabled by an admin. For more information, see "Setting up Dependabot updates."

    Server Statistics in public beta

  • You can now analyze how your team works, understand the value you get from GitHub Enterprise Server, and help us improve our products by reviewing your instance's usage data and sharing this aggregate data with GitHub. You can use your own tools to analyze your usage over time by downloading your data in a CSV or JSON file or by accessing it using the REST API. To see the list of aggregate metrics collected, see "About Server Statistics." Server Statistics data includes neither personal data nor GitHub content, such as code, issues, comments, or pull request content. For a better understanding of how we store and secure Server Statistics data, see "GitHub Security." For more information about Server Statistics, see "Analyzing how your team works with Server Statistics." This feature is available in public beta.

    GitHub Actions rate limiting is now configurable

  • Site administrators can now enable and configure a rate limit for GitHub Actions. By default, the rate limit is disabled. When workflow jobs cannot immediately be assigned to an available runner, they will wait in a queue until a runner is available. However, if GitHub Actions experiences a sustained high load, the queue can back up faster than it can drain and the performance of the GitHub Enterprise Server instance may degrade. To avoid this, an administrator can configure a rate limit. When the rate limit is exceeded, additional workflow runs will fail immediately rather than being put in the queue. Once the rate has stabilized below the threshold, new runs can be queued again. For more information, see "Configuring rate limits."

    OpenID Connect (OIDC) for secure deployments with GitHub Actions

  • GitHub Actions on GitHub Enterprise Server now supports OIDC for secure deployments to cloud providers, which uses short-lived tokens that are automatically rotated for each deployment. OIDC enables the following functionality.

    • Seamless authentication between cloud providers and GitHub Enterprise Server without the need for storing any long-lived cloud secrets on your instance
    • Cloud administrators can rely on the security mechanisms of a particular cloud provider to ensure that GitHub Actions workflows have minimal access to cloud resources. There is no duplication of secret management between GitHub Enterprise Server and the cloud.

    For more information, see "Security hardening your deployments."
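The security value of OIDC here lies entirely in the trust condition the cloud provider evaluates before exchanging the token for credentials. The following added example (not code from GitHub or from these release notes) models that check over an already signature-verified set of JWT claims, and contrasts a strict `sub` condition with the over-broad `repo:org/*` pattern that would let any repository or pull request in the organization assume the role. The instance hostname ghes.example.com, the org/repo names, the audience value and the sample claims are constructed assumptions; a real verifier must first validate the JWT signature against the issuer's JWKS and check expiry, which is omitted here.

```python
"""Cloud-side trust check for a GitHub Actions OIDC token.

Added example; not code from GitHub or from these release notes. It models
the condition a cloud provider's identity federation evaluates before it
exchanges a GitHub Actions OIDC token for short-lived cloud credentials.
The hostname ghes.example.com, the org/repo names and the sample claims are
constructed assumptions. A real verifier must first validate the JWT
signature against the issuer's JWKS and check exp/nbf; only the claim
policy is shown here.
"""
import fnmatch
from typing import Tuple

# Trust policy an administrator registers with the cloud provider (assumed values).
# `sub` is matched as a glob so one policy can cover several refs if desired.
STRICT_POLICY = {
    "iss": "https://ghes.example.com/_services/token",   # assumed GHES issuer URL
    "aud": "https://ghes.example.com/octo-org",          # assumed audience value
    "sub": "repo:octo-org/octo-repo:ref:refs/heads/main",
}

# The over-broad policy you do not want: any repo in the org, any ref or PR.
LOOSE_POLICY = dict(STRICT_POLICY, sub="repo:octo-org/*")


def token_allowed(claims: dict, policy: dict = STRICT_POLICY) -> Tuple[bool, str]:
    """Return (allowed, reason) for already signature-verified JWT claims."""
    for key in ("iss", "aud"):
        if claims.get(key) != policy[key]:
            return False, f"{key} mismatch: {claims.get(key)!r}"
    sub = claims.get("sub", "")
    if not fnmatch.fnmatchcase(sub, policy["sub"]):
        return False, f"sub {sub!r} not covered by policy"
    return True, "ok"


def _claims(sub, iss=STRICT_POLICY["iss"], aud=STRICT_POLICY["aud"]):
    return {"iss": iss, "aud": aud, "sub": sub}


# Constructed sample claim sets, mirroring the `sub` formats GitHub issues
# (branch ref, pull request) plus a token minted by a different issuer.
SAMPLE_CLAIMS = {
    "main_push": _claims("repo:octo-org/octo-repo:ref:refs/heads/main"),
    "feature_branch": _claims("repo:octo-org/octo-repo:ref:refs/heads/feature"),
    "pull_request": _claims("repo:octo-org/octo-repo:pull_request"),
    "other_repo": _claims("repo:octo-org/other-repo:ref:refs/heads/main"),
    "github_com_issuer": _claims("repo:octo-org/octo-repo:ref:refs/heads/main",
                                 iss="https://token.actions.githubusercontent.com"),
}


def evaluate(policy: dict = STRICT_POLICY) -> dict:
    """Evaluate every sample against a policy; returns name -> allowed."""
    return {name: token_allowed(c, policy)[0] for name, c in SAMPLE_CLAIMS.items()}


if __name__ == "__main__":
    for label, policy in (("strict", STRICT_POLICY), ("loose", LOOSE_POLICY)):
        for name, ok in evaluate(policy).items():
            print(f"{label:6s} {name:18s} {'ALLOW' if ok else 'DENY'}")
```

Under the strict policy only the push to main is accepted; under the loose policy a pull request workflow and an unrelated repository in the same organization are also accepted, which is the privilege boundary the cloud-side `sub` condition is meant to enforce.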

    Sharing GitHub Actions within your enterprise is generally available

  • Support for GitHub Actions in internal repositories is now generally available for organizations on your GitHub Enterprise Server instance. You can innersource automation by sharing actions in internal repositories. You can manage a repository's settings or use the REST API to allow access to workflows in other repositories within the organization or in any organization on the instance. For more information, see "Sharing actions and workflows with your enterprise," "Managing GitHub Actions settings for a repository," and "Actions Permissions" in the REST API documentation.

    Cache support for GitHub Actions on GitHub Enterprise Server is now generally available

  • You can now use dependency caching to speed up your GitHub Actions workflows. To cache dependencies for a job, you can include the actions/cache action to create a cache with a unique key. You can share caches across all workflows in the same repository. These workflows can then restore the cache and run faster.

    Actions users can also use our cache APIs to:

    • Define the enterprise policy for cache size range allowed per repository.
    • Query the cache usage within each repository and monitor if the total size of all caches is reaching the upper limit.
    • Increase the maximum cache size for a repository within the allowed enterprise limits, based on the cache requirements of the repository.
    • Monitor aggregate cache usage at organization level or at enterprise level.

    The external blob storage that is configured within your enterprise account will now be shared across workflow artifacts, logs, and also the caches. For more information, see "Caching dependencies to speed up workflows."

    Automatically sign commits made in the web UI

  • You can now configure GitHub Enterprise Server to automatically sign commits made in the web interface, such as from editing a file or merging a pull request. Signed commits increase confidence that changes come from trusted sources. This feature allows the Require signed commits branch protection setting to block unsigned commits from entering a repository, while allowing entry of signed commits – even those made in the web interface. For more information, see "Configuring web commit signing."

    Sync license usage any time

  • For customers that sync license usage between GitHub Enterprise Server and GitHub Enterprise Cloud automatically using GitHub Connect, you now have the ability to sync your license usage independently of the automatic weekly sync. This feature also reports the status of the sync job. For more information, see "Syncing license usage between GitHub Enterprise Server and GitHub Enterprise Cloud."

    Reusable workflows for GitHub Actions are generally available

  • Reusable workflows are now generally available. Reusable workflows help you reduce duplication by enabling you to reuse an entire workflow as if it were an action. With the general availability release, a number of improvements are now available for GitHub Enterprise Server. For more information, see "Reusing workflows."

    • You can utilize outputs to pass data from reusable workflows to other jobs in the caller workflow.
    • You can pass environment secrets to reusable workflows.
    • The audit log includes information about which reusable workflows are used.
    • Reusable workflows in the same repository as the calling repository can be referenced with just the path and filename (PATH/FILENAME). The called workflow will be from the same commit as the caller workflow.

    Self-hosted runners for GitHub Actions can now disable automatic updates

  • You now have more control over when your self-hosted runners perform software updates. If you specify the --disableupdate flag to the runner, it will not attempt an automatic software update when a newer version of the runner is available. This allows you to update the self-hosted runner on your own schedule, and is especially convenient if your self-hosted runner is in a container.

    For compatibility with the GitHub Actions service, you will need to manually update your runner within 30 days of a new runner version being available. For instructions on how to install the latest runner version, please see the installation instructions for the latest release in the runner repo.

    Secure self-hosted runners for GitHub Actions by limiting workflows

  • Organization owners can now increase the security of CI/CD workflows on self-hosted runners by choosing which workflows can access a runner group. Previously, any workflow in a repository, such as an issue labeler, could access the self-hosted runners available to an organization. For more information, see "Managing access to self-hosted runners using groups" and the GitHub Blog.

    Prevent GitHub Actions from approving pull requests

  • You can now control whether GitHub Actions can approve pull requests. This feature protects against a user using GitHub Actions to satisfy the "Required approvals" branch protection requirement and merging a change that was not reviewed by another user. To prevent breaking existing workflows, Allow GitHub Actions reviews to count towards required approval is enabled by default. Organization owners can disable the feature in the organization's GitHub Actions settings. For more information, see "Disabling or limiting GitHub Actions for your organization."

    Re-run failed or individual GitHub Actions jobs

  • You can now re-run only failed jobs or an individual job in a GitHub Actions workflow run. For more information, see "Re-running workflows and jobs."

    Dependency graph supports GitHub Actions

  • The dependency graph now detects YAML files for GitHub Actions workflows. GitHub Enterprise Server will display the workflow files within the Insights tab's dependency graph section. Repositories that publish actions will also be able to see the number of repositories that depend on that action from the "Used By" control on the repository homepage. For more information, see "About the dependency graph."

    • Note: This feature was unavailable in GitHub Enterprise Server 3.5.0, 3.5.1, 3.5.2, and 3.5.3. The feature is available in 3.5.4 and later. [Updated: 2022-08-16]

    Security overview for enterprises in public beta

  • GitHub Advanced Security customers can now view an overview of security alerts at the enterprise level. The new Security tab at the enterprise level provides a repository-centric view of application security risks, as well as an alert-centric view of all secret scanning alerts. For more information, see "About the security overview."

    Security view for organizations is generally available

  • The overview of security alerts at the organization level is now generally available. GitHub Advanced Security customers can use the security overview to view a repository-centric view of application security risks, or an alert-centric view of all code scanning, Dependabot, and secret scanning alerts for all repositories in an organization. For more information, see "About the security overview."

    Code scanning detects more security issues, supports new language versions

  • Code scanning now detects a larger number of CWEs, and CodeQL code scanning fully supports the standard language features in the following language releases.

    • C# 10 / .NET 6
    • Python 3.10
    • Java 17
    • TypeScript 4.5

    For more information, see the GitHub Blog.

    View code scanning alerts across an organization

  • GitHub Advanced Security customers can now view code scanning alerts in an organization's Security tab. This view is available to organization owners and members of teams with the security manager role. For more information, see "About the security overview."

  • Users can now retrieve code scanning alerts for an organization on your GitHub Enterprise Server instance via the REST API. This new API endpoint supplements the existing endpoint for repositories. For more information, see Code Scanning in the REST API documentation.

    Secret scanning available as a push protection

  • GitHub Enterprise Server can now block any pushes where a token is detected with high confidence. Developers can bypass the block by providing details of why the secret needs to be committed via a web UI. For more information, see "Protecting pushes with secret scanning."

    Dry runs for custom patterns with secret scanning

  • GitHub Advanced Security customers can now dry run custom secret scanning patterns at the organization or repository level. Dry runs allow people with owner or admin access to review and hone their patterns before publishing them and generating alerts. You can compose a pattern, then use Save and dry run to retrieve results. The scans typically take just a few seconds, but GitHub Enterprise Server will also notify organization owners or repository admins via email when dry run results are ready. For more information, see "About secret scanning" and "Defining custom patterns for secret scanning."

    Secret scanning custom pattern events now in the audit log

  • The audit log now includes events associated with secret scanning custom patterns. This data helps GitHub Advanced Security customers understand actions taken on their repository-, organization-, or enterprise-level custom patterns for security and compliance audits. For more information, see "Reviewing the audit log for your organization" or "Reviewing audit logs for your enterprise."

    Configure permissions for secret scanning with custom repository roles

  • You can now configure two new permissions for secret scanning when managing custom repository roles.

    • View secret scanning results
    • Dismiss or reopen secret scanning results

    For more information, see "Managing custom repository roles for an organization."

    Secret scanning now supports archived repositories

  • GitHub Advanced Security customers can now enable secret scanning for archived repositories via the UI and API. For more information, see "About secret scanning," "About archived repositories," and "Repositories" in the REST API documentation.

    Secret scanning webhooks for alert locations

  • GitHub Advanced Security customers using secret scanning can now opt to receive a webhook each time a secret is detected in a new location. The secret_scanning_alert_location webhook event includes location details, like the commit SHA, and the associated alert for the detection. A location is created for every new file path containing the detected secret. For more information, see "Webhook events and payloads."
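A receiver for this event has to authenticate the delivery before it acts on the location details, otherwise anyone who can reach the endpoint can inject fake "secret found" records into a response pipeline. The following added example (not code from GitHub or from these release notes) verifies the X-Hub-Signature-256 header that GitHub sends when a webhook secret is configured, then reduces a `created` location event to the fields a responder needs. The payload is constructed to mirror the event's shape; its field names (location.type, location.details.path, commit_sha, alert.number, alert.secret_type) and the webhook secret are assumptions of the example.

```python
"""Receiver for the secret_scanning_alert_location webhook.

Added example; not code from GitHub or from these release notes. The payload
below is constructed to mirror the event's shape (location.type,
location.details, alert.number, alert.secret_type); its field names are
assumed from that constructed sample. Signature verification uses the
X-Hub-Signature-256 header GitHub sends when a webhook secret is configured:
"sha256=" + hex(HMAC-SHA256(secret, raw body)), compared in constant time
before the body is trusted.
"""
import hashlib
import hmac
import json
from typing import Optional

WEBHOOK_SECRET = b"replace-with-the-webhook-secret"  # assumed value


def sign(body: bytes, secret: bytes = WEBHOOK_SECRET) -> str:
    """Compute the header value GitHub would send for this raw body."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(body: bytes, header: Optional[str],
                     secret: bytes = WEBHOOK_SECRET) -> bool:
    """Constant-time check of X-Hub-Signature-256 against the raw body."""
    if not header or not header.startswith("sha256="):
        return False
    return hmac.compare_digest(sign(body, secret), header)


def summarize_location(payload: dict) -> Optional[dict]:
    """Reduce a 'created' location event to what a responder needs."""
    if payload.get("action") != "created":
        return None
    location = payload["location"]
    details = location.get("details", {})
    alert = payload["alert"]
    return {
        "repo": payload["repository"]["full_name"],
        "alert": alert["number"],
        "secret_type": alert["secret_type"],
        "location_type": location["type"],
        "path": details.get("path"),
        "commit": details.get("commit_sha"),
        "line": details.get("start_line"),
    }


def handle(headers: dict, body: bytes) -> Optional[dict]:
    """Full receive path: reject bad signatures before parsing any JSON."""
    if headers.get("X-GitHub-Event") != "secret_scanning_alert_location":
        return None
    if not verify_signature(body, headers.get("X-Hub-Signature-256")):
        raise PermissionError("webhook signature mismatch")
    return summarize_location(json.loads(body))


# Constructed sample delivery (not a real payload from any instance).
SAMPLE_PAYLOAD = {
    "action": "created",
    "location": {
        "type": "commit",
        "details": {
            "path": "config/settings.py",
            "start_line": 12, "end_line": 12,
            "start_column": 18, "end_column": 58,
            "blob_sha": "3f1a0c9e" + "0" * 32,
            "commit_sha": "9b7d4e21" + "0" * 32,
        },
    },
    "alert": {
        "number": 42,
        "secret_type": "github_personal_access_token",
        "html_url": "https://ghes.example.com/octo-org/octo-repo/security/secret-scanning/42",
    },
    "repository": {"full_name": "octo-org/octo-repo"},
}
SAMPLE_BODY = json.dumps(SAMPLE_PAYLOAD).encode()
SAMPLE_HEADERS = {"X-GitHub-Event": "secret_scanning_alert_location",
                  "X-Hub-Signature-256": sign(SAMPLE_BODY)}

if __name__ == "__main__":
    print(handle(SAMPLE_HEADERS, SAMPLE_BODY))
```

The signature is computed over the raw request bytes, so verify before any JSON parsing or re-serialisation; a single changed byte in the body (as the test below shows) must be rejected.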

    View Dependabot alerts across an organization

  • GitHub Advanced Security customers can now view Dependabot alerts in an organization's Security tab. This view is available to organization owners and members of teams with the security manager role. For more information, see "About the security overview."

    Configure permissions for Dependabot alerts with custom repository roles

  • You can now configure two new permissions for Dependabot alerts when managing custom repository roles.

    • View Dependabot alerts
    • Dismiss or reopen Dependabot alerts

    For more information, see "Managing custom repository roles for an organization."

    Reopen dismissed Dependabot alerts

  • You can now reopen dismissed Dependabot alerts through the UI page for a closed alert. This does not affect Dependabot pull requests or the GraphQL API. For more information, see "About Dependabot alerts."

    • Note: This feature was unavailable in GitHub Enterprise Server 3.5.0, 3.5.1, 3.5.2, and 3.5.3. The feature is available in 3.5.4 and later. [Updated: 2022-08-16]

    Pub support for Dependabot version updates is in public beta

  • Users of Dependabot version updates can now proactively update dependencies for Flutter or Dart projects that use the Pub package manager.

    To test version updates on your own Dart or Flutter repository, add the following configuration file in .github/dependabot.yaml. Note the package-ecosystem: "pub" and enable-beta-ecosystems: true flags.

    version: 2
    enable-beta-ecosystems: true
    updates:
      - package-ecosystem: "pub"
        directory: "/"
        schedule:
          interval: "weekly"
    
    See pull request associated with a repository's Dependabot alerts via GraphQL API

  • The new DependabotUpdate GraphQL object lets you view information about what happens to your repository's security updates. When GitHub Enterprise Server detects that a dependency in your repository is vulnerable, Dependabot will attempt to open a pull request to update that dependency to a non-vulnerable version. You can now see the pull request that fixes the vulnerability. In some cases, Dependabot fails to open a pull request. Previously, the error message that Dependabot generated was only visible in the "Dependabot Alerts" section of the Security tab. Now, if Dependabot runs into an error when trying to open a pull request for a security alert, you can determine the reason using the GraphQL API. For more information, see "Objects" in the GraphQL API documentation.

    Access more information about Dependabot alerts via GraphQL API

  • You can now view fixed alerts from Dependabot with the GraphQL API. You can also filter alerts by state and look up an alert by its unique numeric identifier. The following fields now exist on the RepositoryVulnerabilityAlert object.

    • number
    • fixed_at
    • fix_reason
    • state

    For more information, see "Objects" in the GraphQL API documentation.

    Git events in the enterprise audit log

  • The following Git-related events can now appear in the enterprise audit log. If you enable the feature and set an audit log retention period, the new events will be available for search via the UI and API, or export via JSON or CSV.

    • git.clone
    • git.fetch
    • git.push

    Due to the large number of Git events logged, we recommend you monitor your instance's file storage and review your related alert configurations. For more information, see "Configuring the audit log for your enterprise."
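Because these events are high-volume, the practical questions are how much is being logged and whether any actor is reading an unusual spread of repositories. The following added example (not code from GitHub or from these release notes) works over a JSON export of the audit log, one event object per line: it counts volume per Git action for capacity planning and flags any actor who cloned or fetched a threshold number of distinct repositories within a time window, a simple bulk-exfiltration signal. The field names @timestamp (epoch milliseconds), action, actor, repo and actor_ip are this example's assumptions, and the events are constructed, not real.

```python
"""Volume summary and bulk-clone detection over exported Git audit events.

Added example; not code from GitHub or from these release notes. It reads
a JSON export of the enterprise audit log (one object per line) and, for
the git.clone / git.fetch / git.push events, counts volume per action and
flags any actor who reached a threshold of distinct repositories within a
time window. The field names @timestamp (epoch milliseconds), action,
actor, repo and actor_ip are assumed; the events below are constructed.
"""
import json
from collections import Counter, defaultdict
from typing import Dict, List

GIT_ACTIONS = ("git.clone", "git.fetch", "git.push")


def load_events(export_text: str) -> List[dict]:
    """Parse a JSON export with one event per line, skipping blank lines."""
    return [json.loads(line) for line in export_text.splitlines() if line.strip()]


def action_volume(events: List[dict]) -> Counter:
    """How many of each Git event type were logged (storage planning input)."""
    return Counter(e["action"] for e in events if e.get("action") in GIT_ACTIONS)


def bulk_cloners(events: List[dict], window_s: int = 600,
                 threshold: int = 3) -> Dict[str, List[str]]:
    """Actors who cloned/fetched >= threshold distinct repos within window_s seconds."""
    per_actor = defaultdict(list)
    for e in events:
        if e.get("action") in ("git.clone", "git.fetch"):
            per_actor[e["actor"]].append((e["@timestamp"] / 1000.0, e["repo"]))
    flagged = {}
    for actor, reads in per_actor.items():
        reads.sort()
        for start, _ in reads:  # slide a window that opens at each read
            repos = {repo for ts, repo in reads if start <= ts < start + window_s}
            if len(repos) >= threshold:
                flagged[actor] = sorted(repos)
                break
    return flagged


def _event(offset_s: int, action: str, actor: str, repo: str) -> dict:
    base_ms = 1_663_000_000_000  # constructed base timestamp (ms)
    return {"@timestamp": base_ms + offset_s * 1000, "action": action,
            "actor": actor, "repo": repo, "actor_ip": "203.0.113.7"}


# Constructed export: alice fetches one repo repeatedly and clones another
# much later, mallory clones four repos in eight minutes, bob pushes once.
SAMPLE_EXPORT = "\n".join(json.dumps(e) for e in [
    _event(0,    "git.fetch", "alice",   "octo-org/api"),
    _event(60,   "git.fetch", "alice",   "octo-org/api"),
    _event(120,  "git.fetch", "alice",   "octo-org/api"),
    _event(30,   "git.clone", "mallory", "octo-org/api"),
    _event(150,  "git.clone", "mallory", "octo-org/billing"),
    _event(300,  "git.clone", "mallory", "octo-org/infra"),
    _event(480,  "git.clone", "mallory", "octo-org/secrets-rotator"),
    _event(200,  "git.push",  "bob",     "octo-org/api"),
    _event(5000, "git.clone", "alice",   "octo-org/billing"),
])

if __name__ == "__main__":
    events = load_events(SAMPLE_EXPORT)
    print(dict(action_volume(events)))
    print(bulk_cloners(events))
```

Repeated fetches of the same repository by CI or a developer do not trip the rule; only breadth across repositories does, which is why the window counts distinct repositories rather than raw events.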

    Improvements to CODEOWNERS

  • This release includes improvements to CODEOWNERS.

    • Syntax errors are now surfaced when viewing a CODEOWNERS file from the web. Previously, when a line in a CODEOWNERS file had a syntax error, the error would be ignored or in some cases cause the entire CODEOWNERS file to not load. GitHub Apps and Actions can access the same list of errors using new REST and GraphQL APIs. For more information, see "Repositories" in the REST API documentation or "Objects" in the GraphQL API documentation.
    • After someone creates a new pull request or pushes new changes to a draft pull request, any code owners that will be requested for review are now listed in the pull request under "Reviewers". This feature gives you an early look at who will be requested to review once the pull request is marked ready for review.
    • Comments in CODEOWNERS files can now appear at the end of a line, not just on dedicated lines.

    For more information, see "About code owners."
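A CODEOWNERS file that silently fails to parse is a review-bypass risk, since the owners it names are never requested. The following added example (not GitHub's own parser) validates a file the way the web view now does: it honours the newly allowed end-of-line comments, reports owners that are not a @user, @org/team or email address, and reports pattern syntax CODEOWNERS does not support (a leading `!` negation, a `[...]` character range, an escaped leading `#`). The rule that an inline comment starts at a `#` preceded by whitespace is this example's assumption, and the sample file is constructed.

```python
"""Validator for CODEOWNERS files, including end-of-line comments.

Added example; not GitHub's own parser. It reports the kinds of errors the
web view now surfaces: an owner that is not a @user, @org/team or email,
and pattern syntax CODEOWNERS does not support (a leading '!' negation, a
'[...]' character range, an escaped leading '#'). The rule that a comment
starts at '#' preceded by whitespace is this example's assumption; the
sample file is constructed.
"""
import re
from typing import List, Tuple

OWNER_RE = re.compile(r"^@[\w.-]+(?:/[\w.-]+)?$|^[^\s@]+@[^\s@]+\.[^\s@]+$")
INLINE_COMMENT_RE = re.compile(r"\s+#.*$")

Rule = Tuple[int, str, List[str]]   # (line number, pattern, owners)
Error = Tuple[int, str]             # (line number, message)


def parse_codeowners(text: str) -> Tuple[List[Rule], List[Error]]:
    """Return the parsed rules and a list of syntax errors with line numbers."""
    rules, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                                    # blank or full-line comment
        line = INLINE_COMMENT_RE.sub("", line)          # drop an end-of-line comment
        pattern, *owners = line.split()
        if pattern.startswith("!"):
            errors.append((lineno, "negation with '!' is not supported"))
        if "[" in pattern or "]" in pattern:
            errors.append((lineno, "character ranges with '[...]' are not supported"))
        if pattern.startswith("\\#"):
            errors.append((lineno, "escaping a leading '#' is not supported"))
        for owner in owners:
            if not OWNER_RE.match(owner):
                errors.append((lineno, f"invalid owner {owner!r}"))
        rules.append((lineno, pattern, owners))         # no owners: nobody owns these files
    return rules, errors


# Constructed sample file exercising each case.
SAMPLE = """\
# Fallback owners for everything
*                @octo-org/core          # comments may now follow a rule
/docs/           @octocat docs@example.com
/infra/          octocat                 # missing '@' -> error
!/tmp/           @octocat                # negation -> error
/build/                                  # no owners: nobody owns these files
"""

if __name__ == "__main__":
    rules, errors = parse_codeowners(SAMPLE)
    for lineno, pattern, owners in rules:
        print(f"line {lineno}: {pattern} -> {owners or 'nobody'}")
    for lineno, msg in errors:
        print(f"line {lineno}: ERROR {msg}")
```

Run it as a pre-merge check on changes to CODEOWNERS; a rule with no owners is kept as valid because CODEOWNERS uses it to unset ownership for a path.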

    More ways to keep a pull request's topic branch up to date

  • The Update branch button on the pull request page lets you update your pull request's branch with the latest changes from the base branch. This is useful for verifying your changes are compatible with the current version of the base branch before you merge. Two enhancements now give you more ways to keep your branch up-to-date.

    • When your pull request's topic branch is out of date with the base branch, you now have the option to update it by rebasing on the latest version of the base branch. Rebasing applies the changes from your branch onto the latest version of the base branch, resulting in a branch with a linear history since no merge commit is created. To update by rebasing, click the drop down menu next to the Update Branch button, click Update with rebase, and then click Rebase branch. Previously, Update branch performed a traditional merge that always resulted in a merge commit in your pull request branch. This option is still available, but now you have the choice. For more information, see "Keeping your pull request in sync with the base branch."

    • A new repository setting allows the Update branch button to always be available when a pull request's topic branch is not up to date with the base branch. Previously, this button was only available when the Require branches to be up to date before merging branch protection setting was enabled. People with admin or maintainer access can manage the Always suggest updating pull request branches setting from the Pull Requests section in repository settings. For more information, see "Managing suggestions to update pull request branches."

      • Note: This feature was unavailable in GitHub Enterprise Server 3.5.0, 3.5.1, 3.5.2, and 3.5.3. The feature is available in 3.5.4 and later. [Updated: 2022-08-16]

    Configure custom HTTP headers for GitHub Pages sites

  • You can now configure custom HTTP headers that apply to all GitHub Pages sites served from your GitHub Enterprise Server instance. For more information, see "Configuring GitHub Pages for your enterprise."

    Ignore commits in blame view

  • It's now possible to ignore revisions in the blame view by creating a .git-blame-ignore-revs file in the root of your repository. For more information, see "Viewing a file."

    Light high contrast theme is generally available

  • A light high contrast theme, with greater contrast between foreground and background elements, is now generally available. For more information, see "Managing your theme settings."

    • Note: This feature was unavailable in GitHub Enterprise Server 3.5.0, 3.5.1, 3.5.2, and 3.5.3. The feature is available in 3.5.4 and later. [Updated: 2022-08-16]

    Tag protection rules

  • Repository owners can now configure tag protection rules to protect a repository's tags. Once protected by a tag protection rule, tags matching a specified name pattern can only be created and deleted by users with the Maintain or Admin role in the repository. For more information, see "Configuring tag protection rules."

    Edit files within pull requests in GitHub Mobile for iOS

  • In GitHub Mobile for iOS 1.80.0 and later, users can now edit files within a pull request's topic branch. Support for editing files will come to GitHub Mobile for Android in a future release. [Updated: 2022-09-13]

    Bug fixes

  • It is now possible for GitHub Apps to upload release assets.

    Changes

  • Minimum requirements for root storage and memory increased for GitHub Enterprise Server 2.10 and 3.0, and are now enforced as of 3.5.0.

    • In version 2.10, the minimum requirement for root storage increased from 80 GB to 200 GB. As of 3.5.0, system preflight checks will fail if the root storage is smaller than 80 GB.
    • In version 3.0, the minimum requirement for memory increased from 16 GB to 32 GB. As of 3.5.0, system preflight checks will fail if the system has less than 28 GB of memory.

    For more information, see the minimum requirements for each supported deployment platform in "Setting up a GitHub Enterprise Server instance." [Updated: 2022-06-20]

  • VMware vSphere ESXi hypervisor version 7.0 is now supported. [Updated: 2022-09-07]

  • To use the device authorization flow for OAuth and GitHub Apps, you must manually enable the feature. This change reduces the likelihood of apps being used in phishing attacks against GitHub Enterprise Server users by ensuring integrators are aware of the risks and make a conscious choice to support this form of authentication. If you own or manage an OAuth App or GitHub App and you want to use the device flow, you can enable it for your app via the app's settings page. The device flow API endpoints will respond with status code 400 to apps that have not enabled this feature. For more information, see "Authorizing OAuth Apps."

  • The code scanning alert page now always shows the alert status and information for the default branch. There is a new "Affected branches" panel in the sidebar where you can see the status of the alert in other branches. If the alert does not exist in your default branch, the alert page will show the status as "In branch" or "In pull request" for the location where the alert was last seen. This improvement makes it easier to understand the status of alerts which have been introduced into your code base. For more information, see "About code scanning alerts."

    The alert list page is not changed and can be filtered by branch. You can use the code scanning API to retrieve more detailed branch information for alerts. For more information, see "Code Scanning" in the REST API documentation.

  • Code scanning now shows the details of the analysis origin of an alert. If an alert has more than one analysis origin, it is shown in the "Affected branches" sidebar and in the alert timeline. You can hover over the analysis origin icon in the "Affected branches" sidebar to see the alert status in each analysis origin. If an alert only has a single analysis origin, no information about analysis origins is displayed on the alert page. These improvements will make it easier to understand your alerts. In particular, it will help you understand those that have multiple analysis origins. This is especially useful for setups with multiple analysis configurations, such as monorepos. For more information, see "About code scanning alerts."

  • Lists of repositories owned by a user or organization now have an additional filter option, "Templates", making it easier to find template repositories.

  • GitHub Enterprise Server can display several common image formats, including PNG, JPG, GIF, PSD, and SVG, and provides several ways to compare differences between versions. Now when reviewing added or changed images in a pull request, previews of those images are shown by default. Previously, you would see a message indicating that binary files could not be shown and you would need to toggle the "Display rich diff" option. For more information, see "Working with non-code files."

  • New gists are now created with a default branch name of either main or the alternative default branch name defined in your user settings. This matches how other repositories are created on GitHub Enterprise Server. For more information, see "About branches" and "Managing the default branch name for your repositories."

  • Gists now only show the 30 most recent comments when first displayed. You can click Load earlier comments... to view more. This allows gists that have many comments to appear more quickly. For more information, see "Editing and sharing content with gists."

  • Settings pages for users, organizations, repositories, and teams have been redesigned, grouping similar settings pages into sections for improved information architecture and discoverability. For more information, see the GitHub changelog.

  • Focusing or hovering over a label now displays the label description in a tooltip.

  • Creating and removing repository invitations, whether done through the API or web interface, are now subject to rate limits that may be enabled on your GitHub Enterprise Server instance. For more information about rate limits, see "Configuring rate limits."

  • MinIO has announced the removal of the MinIO Gateways starting June 1st, 2022. While MinIO Gateway for NAS continues to be one of the supported storage providers for GitHub Actions and GitHub Packages, we recommend moving to MinIO LTS support to receive support and bug fixes from MinIO. For more information, see "Scheduled removal of MinIO Gateway for GCS, Azure, HDFS" in the minio/minio repository.

    Known issues

  • On a freshly set up GitHub Enterprise Server instance without any users, an attacker could create the first admin user.

  • Custom firewall rules are removed during the upgrade process.

  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.

  • Issues cannot be closed if they contain a permalink to a blob in the same repository, where the blob's file path is longer than 255 characters.

  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

  • The GitHub Packages npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.

  • Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.

  • Actions services need to be restarted after restoring an appliance from a backup taken on a different host.

  • Deleted repositories will not be purged from disk automatically after the 90-day retention period ends. This issue is resolved in the 3.5.1 patch release. [Updated: 2022-06-10]

  • Management Console may appear stuck on the Starting screen after upgrading an under-provisioned instance to GitHub Enterprise Server 3.5. [Updated: 2022-06-20]

  • The following features were unavailable for users in GitHub Enterprise Server 3.5.0, 3.5.1, 3.5.2, and 3.5.3. The features are available in 3.5.4 and later. [Updated: 2022-08-16]

    • Detection of GitHub Actions workflow files for the dependency graph
    • Reopening of dismissed Dependabot alerts
    • Enabling the Update branch button for all pull requests in a repository
    • Light high contrast theme

  • In some cases, GitHub Advanced Security customers who upgrade to GitHub Enterprise Server 3.5 may observe that secret scanning alerts are missing from the web UI and REST API. To ensure the alerts remain visible, do not skip version 3.4 when upgrading to the latest version. To plan an upgrade through version 3.4, see the Upgrade assistant.

    A fix is available in the 3.5.5 patch release. [Updated: 2022-09-01]