Enterprise Server 3.15.1
Download GitHub Enterprise Server 3.15.1December 17, 2024
3.15.1: Security fixes
Packages have been updated to the latest security versions.
3.15.1: Bug fixes
On an instance in a cluster configuration,
ghe-repl-promote
failed if the primary node was unavailable.In a high availability configuration, with GitHub Actions, replication would fail on nodes where MSSQL was not configured to run.
The
--no-async
flag was not implemented for theghe-cluster-support-bundle
command, leading to a potentially increased load.Pre-receive hook environments with shared memory enabled could not access shared memory at runtime.
For instances hosted on Azure, if a pre-upgrade check failed due to insufficient user disk size, the Management Console displayed an internal server error.
Preflight checks now recognize the updated 500GB user disk as a recommendation, not a requirement.
The Enterprise Overview page incorrectly displayed a Beta label, even though it is generally available.
After a user made changes to the isolated subdomain setting, some user assets did not display properly.
Customers performing a feature version upgrade to 3.13.6 or 3.14.3 could experience issues with database migrations due to data issues during database conversions.
On an instance with secret scanning enabled, when selecting repositories for a dry run of an enterprise-level custom pattern, searches for full repository names (
ORGANIZATION/REPOSITORY
) did not return results.When adding bypass permissions to a ruleset, the dropdown menu failed to load if one of the suggested actors was an invalid integration.
When creating a pre-receive hook environment, attempts to include an image URL over 255 characters failed with a database error. The maximum length is still 255 characters, but the URL length is now validated before the process starts.
On an instance with GitHub Actions disabled, status check icons on a repositorys commit list failed to render.
Site administrators were unable to use the "Disable repository access" functionality on the site admin dashboard.
Attempting to access the code security settings page for a non-existent enterprise returned a 500 error instead of a 404 error.
Performing a browser back navigation to a pull request now displays up-to-date status checks
The removal rate of issues from Git repositories was slower than necessary.
3.15.1: Changes
When connecting to an appliance via SSH, a notification about upcoming root disk changes displays.
Log output for git maintenance now includes the time taken to complete the maintenance process.
When exporting repositories to blob storage using the migrations REST API endpoint to start an organization migration, the maximum compressed archive size is limited to 90 GB. This is an increase from 30 GB.
Removes the minimum date for the new commit filter bar.
When exporting repositories using the migrations REST API, prior to blob storage upload the tarball is staged in the root volume. For more disk capacity, the tarball will now be staged in the data volume.
3.15.1: Known issues
Admins setting up cluster high availability (HA) may encounter a
spokes
error when runningghe-cluster-repl-status
if a new organization and repositories are created before using theghe-cluster-repl-bootstrap
command. To avoid this issue, complete the cluster HA setup withghe-cluster-repl-bootstrap
before creating new organizations and repositories.During the validation phase of a configuration run, a
No such object
error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start.If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. For more information, see 관리 콘솔에 대한 액세스 문제 해결.
On an instance with the HTTP
X-Forwarded-For
header configured for use behind a load balancer, all client IP addresses in the instance's audit log erroneously appear as 127.0.0.1.In some situations, large
.adoc
files stored in a repository do not render properly in the web UI. The raw contents are still available to view as plaintext.Repositories originally imported using ghe-migrator will not correctly track Advanced Security contributions.
Admin stats REST API endpoints may timeout on appliances with many users or repositories. Retrying the request until data is returned is advised.
When following the steps for Replacing the primary MySQL node, step 14 (running
ghe-cluster-config-apply
) might fail with errors. If this occurs, re-runningghe-cluster-config-apply
is expected to succeed.Running a config apply as part of the steps for Replacing a node in an emergency may fail with errors if the node being replaced is still reachable. If this occurs, shutdown the node and repeat the steps.
If a hotpatch upgrade requires the
haproxy-frontend
service to be restarted, the restart will hang if there are existing long-lived connections, such as browser web sockets or Git operations. No new connections will be accepted for up to 5 minutes. Any existing unfinished connections at this time will be disconnected.When restoring data originally backed up from a 3.13 appliance onto a 3.13 appliance, the elasticsearch indices need to be reindexed before some of the data will show up. This happens via a nightly scheduled job. It can also be forced by running
/usr/local/share/enterprise/ghe-es-search-repair
.An organization-level code scanning configuration page is displayed on instances that do not use GitHub Advanced Security or code scanning.
When following the steps for Replacing the primary MySQL node, step 14 (running
ghe-cluster-config-apply
) might fail with errors. If this occurs, re-runningghe-cluster-config-apply
is expected to succeed.In the header bar displayed to site administrators, some icons are not available.
When enabling automatic update checks for the first time in the Management Console, the status is not dynamically reflected until the "Updates" page is reloaded.
When restoring from a backup snapshot, a large number of
mapper_parsing_exception
errors may be displayed.An organization-level code scanning configuration page is displayed on instances that do not use GitHub Advanced Security or code scanning.
When initializing a new GHES cluster, nodes with the
consul-server
role should be added to the cluster before adding additional nodes. Adding all nodes simultaneously creates a race condition between nomad server registration and nomad client registration.
3.15.1: Deprecations
Upcoming deprecation of projects (classic)
Projects (classic) will be removed from GitHub Enterprise Server 3.16 and later. For more information, see Sunset Notice – Projects (classic).
Enterprise Server 3.15.0
Download GitHub Enterprise Server 3.15.0December 03, 2024
📣 Enterprise Server의 최신 패치 릴리스가 아닙니다. 최신 보안, 성능 및 버그 수정을 위해 최신 릴리스를 사용하세요.
For upgrade instructions, see 업그레이드 프로세스 개요.
3.15.0: Features
Instance administration
New installations of GitHub Enterprise Server version 3.15 and upgrades to 3.15 now require a root disk size of at least 400GB. Otherwise, the system will not boot. For more information on how to increase the root disk size in the appliance, see 스토리지 용량 늘리기.
Minimum recommended requirements for vCPUs, memory, root storage, and data storage have been updated. See VMware에 GitHub Enterprise Server 설치.
Audit logs
Organization owners and security managers can monitor changes to the use of security configurations at the organization and repository levels. See 보안 기능의 대규모 사용 정보,"
security_configuration
, andrepository_security_configuration
Code scanning
Users can run CodeQL analysis of C# code without building the project,
build-mode: none
. When you enable code scanning using default setup on a repository, both Java and C# use this mode. Analysis of both languages using this method is generally available. See About build mode None for CodeQL.CodeQL analysis of Swift and Kotlin code is generally available.
This release comes installed with version 2.18.4 of the CodeQL CLI, used in the CodeQL action for code scanning. Significant updates since the default version installed on GitHub Enterprise Server 3.14 include:
- Support for Go 1.23 and TypeScript 5.5
- C# can now use
build-mode: none
, which allows scanning C# code without requiring working builds - Kotlin & Swift support for mobile applications is generally available
- Java
build-mode: none
analyses only report a warning on the tool status page when significant analysis problems are detected - Two new JavaScript queries,
js/functionality-from-untrusted-domain
, have been added to detect usage of scripts from untrusted domains, includingpolyfill.io
content delivery network andjs/insecure-helmet-configuration
to detect instances where important Helmet security features are disabled - The precision of
cpp/iterator-to-expired-container
&cpp/unsafe-strncat
have been increased to high
Secret scanning
Secret scanning for discussions, issues, and pull request titles, bodies, and comments is now generally available. See 비밀 검사 정보.
Users can bypass push protection using the existing
Create a blob
andCreate or update file contents
REST API endpoints. This action can also be performed programmatically using the newCreate a push protection bypass
API endpoint. See the GitHub Blog post.Organization owners can enable the detection of non-provider patterns for their organization using a security configuration. This feature is in public beta and is subject to change. See Enabling detection of non-provider patterns for an organization.
Dependabot
Organization owners, security managers and users with admin access can manage Dependabot auto-triage rules, as well as create custom auto-triage rules. Auto-triage rules are a powerful tool that automatically dismiss Dependabot alerts matching certain criteria. This feature is generally available. See Dependabot 자동 심사 규칙 정보.
GitHub Connect
For enterprises with a deployment of GitHub Enterprise Cloud on GHE.com, automatic license sync is supported from GitHub Enterprise Server to GHE.com.
GitHub Advanced Security
Organization owners and security managers can use a "CodeQL pull request alerts" view in security overview to proactively identify and mitigate security risks at the organization and enterprise level. For example, they can see the most common alerts found in pull requests and see the corresponding remediation rates. See pull request 경고에 대한 메트릭 보기.
Code security
Organization owners and security managers can simplify the rollout of GitHub security products at scale with security configurations. They can define collections of security settings, save them as a custom configuration, and apply them across groups of repositories. Security configurations can be enforced using policies to stop repositories making any changes to the enablement of security features. See 보안 기능의 대규모 사용 정보.
Organization owners and security managers can create, apply, enforce, and monitor security configurations programmatically using REST API calls and audit logs. See 구성 and
security_configuration
.
GitHub Actions
For self-hosted GitHub Actions runners on this GitHub Enterprise Server release, the minimum required version of the GitHub Actions Runner application is 2.319.1. See the release notes for this version in the
actions/runner
repository. If your instance uses ephemeral self-hosted runners and you've disabled automatic updates, you must upgrade your runners to this version of the Runner application before upgrading your instance to this GitHub Enterprise Server release.
GitHub Packages
Package managers benefit from improved performance as the npm registry no longer includes README content in package version metadata, reducing the size of package packuments (metadata manifest). This change enhances registry and npm CLI efficiency.
Repositories
Users can use new property types when creating a custom property:
Multi select
andTrue/False
.Users can gain deeper insights into contributors and code frequency with enhanced focus navigation, and a new table format for viewing and downloading data.
Users can require that merges must be performed with a merge queue at the repository level. For more information about merge queues, see 병합 큐와 끌어오기 요청 병합.
Admins can enforce status checks and workflow runs on existing refs while allowing the creation of new refs.
Organization members can use the new repository view and advanced filters to find repositories by visibility, language, custom properties, size, license, and more.
Projects
Users can interact with project status updates programmatically using the
ProjectV2StatusUpdate
GraphQL object and theprojects_v2_status_update
webhook event. See GitHub Issues & Projects on the GitHub Blog.For better accessibility, swimlanes and card titles have heading elements attached to them.
Project custom field changes are included directly in the project_v2_item webhook event when a project item's fields are edited, allowing users to understand how project fields change over time and how long they have a particular value.
Accessibility
Users can navigate and dismiss hovercards using keyboard shortcuts, enhancing accessibility. Additionally, a new setting allows users to disable all hovercards.
Math equations are rendered with standardized MathML, replacing custom HTML MathJax to enhance accessibility and security. While most users will see minimal changes, slight differences in font and alignment may occur.
The light and dark high contrast themes have been updated to improve readability.
Integrations and extensions
The
client_id
field is included in all API responses that describe a GitHub App. This is part of a shift to use the client ID as the primary identifier for an app. See Client IDs are now included in App API responses on the GitHub Blog.When users go through the device code flow for an OAuth app, such as the GitHub CLI, they are prompted to use an account picker if they have multiple accounts.
3.15.0: Changes
The API endpoint for listing custom deployment rule integrations for an environment (
GET /repos/{owner}/{repo}/environments/{environment_name}/deployment_protection_rules/apps
) requires "Administration" repository permissions (read) for fine-grained tokens. Previously, the token required "Actions" repository permissions (read).Pushes that update over 5,000 branches no longer trigger webhooks or GitHub Actions workflows.
Organization owners and security managers will see a new organization-level code security settings UI. In the organization settings sidebar, the Code security and analysis option has been replaced by an expanding Code security option. This contains new Configurations and Global settings options. See 보안 기능의 대규모 사용 정보.
3.15.0: Known issues
An organization-level code scanning configuration page is displayed on instances that do not use GitHub Advanced Security or code scanning.
When initializing a new GHES cluster, nodes with the
consul-server
role should be added to the cluster before adding additional nodes. Adding all nodes simultaneously creates a race condition between nomad server registration and nomad client registration.Attempting to stop replications after stopping GitHub Actions on a GHES instance would fail, reporting that MSSQL was not responding. This can be avoided by starting MSSQL prior to stopping replication by running
/usr/local/share/enterprise/ghe-nomad-jobs queue /etc/nomad-jobs/mssql/mssql.hcl
.Admins setting up cluster high availability (HA) may encounter a
spokes
error when runningghe-cluster-repl-status
if a new organization and repositories are created before using theghe-cluster-repl-bootstrap
command. To avoid this issue, complete the cluster HA setup withghe-cluster-repl-bootstrap
before creating new organizations and repositories.During the validation phase of a configuration run, a
No such object
error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start.If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. See 관리 콘솔에 대한 액세스 문제 해결.
On an instance with the HTTP
X-Forwarded-For
header configured for use behind a load balancer, all client IP addresses in the instance's audit log erroneously appear as 127.0.0.1.In some situations, large
.adoc
files stored in a repository do not render properly in the web UI. The raw contents are still available to view as plaintext.Repositories originally imported using
ghe-migrator
will not correctly track GitHub Advanced Security contributions.Admin stats REST API endpoints may timeout on appliances with many users or repositories. Retrying the request until data is returned is advised.
When following the steps for Replacing the primary MySQL node, step 14 (running
ghe-cluster-config-apply
) might fail with errors. If this occurs, re-runningghe-cluster-config-apply
is expected to succeed.Running a
config apply
as part of the steps for Replacing a node in an emergency may fail with errors if the node being replaced is still reachable. If this occurs, shutdown the node and repeat the steps.If a hotpatch upgrade requires the
haproxy-frontend
service to be restarted, the restart will hang if there are existing long-lived connections, such as browser web sockets or Git operations. No new connections will be accepted for up to 5 minutes. Any existing unfinished connections at this time will be disconnected.When restoring data originally backed up from a 3.13 appliance onto a 3.13 appliance, the Elasticsearch indices need to be reindexed before some of the data will show up. This happens via a nightly scheduled job. It can also be forced by running
/usr/local/share/enterprise/ghe-es-search-repair
.An organization-level code scanning configuration page is displayed on instances that do not use GitHub Advanced Security or code scanning.
In the header bar displayed to site administrators, some icons are not available.
When enabling automatic update checks for the first time in the Management Console, the status is not dynamically reflected until the "Updates" page is reloaded.
When restoring from a backup snapshot, a large number of
mapper_parsing_exception
errors may be displayed.Services may respond with a
503
status due to an out of datehaproxy
configuration. This can usually be resolved with aghe-config-apply
run.Customers doing feature version upgrade to 3.14.3 may experience issues with database migrations due to data issues during database conversions.
When operating in a high availability configuration, running
ghe-repl-promote
on a replica node will fail if the original primary cannot be reached by the replica node. This is because theghe-repl-promote
script attempts to decommission all Elasticsearch nodes other than the promoted node, however these requests are made to the original primary node which is no longer reachable. The error message written to the terminal will be similar to:Maintenance mode has been enabled for active replica <REPLICA_HOSTNAME> {"message": "No server is currently available to service your request. Sorry about that. Please try resubmitting your request and contact your local GitHub Enterprise site administrator if the problem persists."} jq: error (at :3): Cannot index string with string "node"
If this occurs, workaround this issue by running the following command — this changes the
ghe-repl-promote
script in place:sudo sed -i.bak -e '/for node_hostname in/i if ! $forced; then' -e '/^ done/a fi' /usr/local/bin/ghe-repl-promote
Then re-run the updated
ghe-repl-promote
script.On Azure instances, a failed pre-upgrade check due to insufficient user disk size can result in the Management Console displaying an
Internal Server Error
. To restore access to the Management Console, runsudo rm /var/log/preflight-check-report.json
to remove the file. If enabled, theautomatic update checks
need to be disabled from the Management Console until user disk size is increased to minimum 500 GB. To increase the user disk size, see 스토리지 용량 늘리기.
3.15.0: Closing down
In GitHub Enterprise Server 3.16, tag protection rules will be migrated to a ruleset and the tag protection rule feature will no longer be available.
In GitHub Enterprise Server 3.16, the
/explore
functionality, including theActivity
andTrending
pages, will be removed.We are closing down the API endpoints and parameters that complemented the old organization-level code security settings UI experience. These have been replaced by a new API for security configurations. See 구성.
The following things are scheduled for removal in GitHub Enterprise Server 3.16.
- Closing down: The GET response for security product status in an organization: Get an organization is deprecated. This attribute will return inaccurate information.
- Closing down: The PATCH functionality for security products to set a default status for new repos in an organization: Update an organization is deprecated. The PATCH operation will be ignored.
- Closing down: The POST endpoint to enable or disable a security feature for all repositories in an organization: Enable or disable a security feature for an organization is deprecated. Using the POST operation may result in a code security configuration being unintentionally removed from a repository.
3.15.0: Retired
The Management Console API has been removed. The Manage GHES API reached feature parity with the Management Console API in GitHub Enterprise Server version 3.12. For information about the Manage GHES API, see GitHub Enterprise Server를 관리하기 위한 REST API 엔드포인트.
The option to "copy Storage settings from Actions" in the Management Console ("GitHub Packages" > "Packages Storage Settings") has been removed.