3.0 Release notes

Enterprise Server 3.0.0

Download

February 16, 2021

The minimum infrastructure requirements have increased for GitHub Enterprise Server 3.0+. For more information, see "About minimum requirements for GitHub Enterprise Server 3.0 and later."

Features

GitHub Actions
- GitHub Actions is now generally available on GitHub Enterprise Server 3.0+. Build, test, and deploy your code from GitHub. Submit code reviews, branch management, and issue triaging work the way you want.
  
  This release includes several improvements from the beta of GitHub Actions on GitHub Enterprise Server:
  - Enterprise, organization, and repository admins can create security policies for access to GitHub Actions on GitHub.com.
  - Enterprise, organization, and repository admins can allow public repositories to use self-hosted runners.
  - Enterprise, organization, and repository admins can now allow workflows to run on pull requests raised from forks of private repositories.
  - The workflow_run event is now supported
  - Users now have the ability to disable workflows and enable them at a later date.
  - Workflow logs have been enhanced for a better user experience.
  - Users can now use private images in container jobs and services.
  - The max retention days for artifacts and logs can now be customized.
  - The runner group API now includes labels.
  - You can now create reusable actions using shell scripts with compose run steps.
  - Encrypted secrets for an organization allows you to consolidate secrets across repositories.
  - Workflow templates for an organization streamlines and promotes best practices and consistency across your organization.
  GitHub Actions is not currently supported for enterprises using cluster configurations.
GitHub Packages
- GitHub Package Registry is a package hosting service, natively integrated with GitHub APIs, Actions, and webhooks. Create an end-to-end DevOps workflow that includes your code, continuous integration, and deployment solutions.
  
  Supported storage back ends include AWS S3 and MinIO with support for Azure blob coming in a future release. Please note that the current Docker support will be replaced by a beta of the new GitHub Container Registry in the next release. Please review the updated minimum requirements for your platform before you turn on GitHub Package Registry.
  
  When publishing packages to NuGet, users can now use the --api-key option to pass their authentication token instead of writing it into a file. For more information, see Configuring dotnet CLI for use with GitHub Packages
  
  GitHub Package Registry is not currently supported for enterprises using cluster configurations.
GitHub Mobile beta
- GitHub para dispositivos móveis beta allows you to triage notifications and manage issues and pull requests from your device. You can be simultaneously signed into mobile with one user account on GitHub.com and one user account on GitHub Enterprise Server.
  
  GitHub para dispositivos móveis beta is now available for GitHub Enterprise Server. Sign in with our Android and iOS apps to triage notifications and manage issues and pull requests on the go. Administrators can disable mobile support for their Enterprise using the management console or by running ghe-config app.mobile.enabled false.
Advanced Security Secret Scanning beta
- Secret Scanning beta scans public and private repositories for committed credentials, finds secrets, and notifies the secret provider or admin the moment they are committed into a repository.
  
  Administrators using Segurança Avançada GitHub can enable and configure Segurança Avançada GitHub secret scanning. You can review the updated minimum requirements for your platform before you turn on Segurança Avançada GitHub secret scanning.
Advanced Security Code Scanning
- GitHub Advanced Security code scanning is now generally available on GitHub Enterprise Server. Organizations who have purchased Advanced Security can use this capability to do static analysis security testing against their code, and prevent vulnerabilities from making it to their production code using CodeQL, our semantic analysis engine. For more information, see "Configuring code scanning on your appliance"

Changes

Administration Changes
- The webhook events delivery system has been rearchitected for higher throughput, faster deliveries, and fewer delayed messages. It also uses less CPU and memory in GitHub Enterprise Server 3.0+.
- Organization and Enterprise owners can now see when a team member has been promoted to or demoted from being a team maintainer in the audit log through the new team.promote_maintainer and team.demote_maintainer audit log events. For more information, see "Audited actions."
- Repository maintainers with existing GitHub Pages sites can easily update their prior default branch name.
- Additional hardware resources are required to run GitHub Enterprise Server with any of Actions, Packages or Advanced Security enabled. For more infomation on the minimum required resources for each supported platform, see "Setting up a GitHub Enterprise Server instance."
- Administrators can now publish a message, which all users must accept. This can help to onboard new users and surface other organization-specific information and policies.
Security Changes
- Organization owners can now disable publication of GitHub Pages sites from repositories in the organization. Disabling GitHub Pages for the organization will prevent members from creating new Pages sites but will not unpublish existing sites. For more information, see "Disabling publication of GitHub Pages sites for your organization."
- A datacenter must be explicitly defined on all nodes before enabling an active replica.
- All usage of SSH fingerprints has been switched to use SHA256 fingerprints as they are used with OpenSSH since version 6.8 as well. This applies to the web interface and also the API where fingerprints are returned such as in GraphQL. The fingerprints follow the OpenSSH format.
- SHA-1 and SHA-256 signature headers (two headers) are sent on webhooks.
Developer Changes
- Majority of the services running in GitHub Enterprise Server 3.0+ are now on containers which internally enables GitHub to iterate fast and ship high quality releases
- The webhook events delivery system has been rearchitected for higher throughput, faster deliveries, and fewer delayed messages.
API Changes
- Administrators can now configure and manage the site-wide announcement banner via the REST API. For more information, see the endpoints for "GitHub Enterprise administration."
- A new API endpoint enables the exchange of a user to server token for a user to server token scoped to specific repositories. For more information, see "Apps" in the GitHub REST API documentation.
Default branch renaming
- Enterprise and organization administrators can now set the default branch name for new repositories. Enterprise administrators can also enforce their choice of default branch name across all organizations or allow individual organizations to choose their own.
  
  Existing repositories are unaffected by these settings, and their default branch name will not be changed.
  
  The default branch for newly-created repositories will be set to main in GHES 3.1, unless you opt out by setting the default branch setting at the enterprise level.
  
  This change is one of many changes GitHub is making to support projects and maintainers that want to rename their default branch. To learn more about the changes we're making, see github/renaming.

Bug fixes

Fixes for known issues from Release Candidates
- All known issues from Release Candidate 1 and Release Candidate 2 have been fixed, except those listed in the Known Issues section below.
Fixes for other issues
- Issues with migrations and upgrades to 3.0.0 have been fixed.
- Backup Utilities versioning now works for release candidate versions.
- Generating a support bundle resulted in an error in the orchestrator logs.
- A large restore could result in Redis running out of memory.
- The checkbox to enable GitHub Actions in the Management Console is now visible with any authentication method.
- GitHub Actions could be enabled if the required storage was also configured.
- ghe-repl-status could silently fail if MSSQL replication was not configured.
- The format of several log files have changed, including the addition of a PID for different log types. This does not affect how GitHub Enterprise Support uses support bundles to troubleshoot issues.
- A PATCH request to the webhook configuration API no longer erases the webhook secret.
- Certain types of pre-receive hooks were failing.

Known issues

On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
Custom firewall rules are not maintained during an upgrade.
Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
When maintenance mode is enabled, some services continue to be listed as "active processes". The services identified are expected to run during maintenance mode. If you experience this issue and are unsure, contact Suporte do GitHub Enterprise ou Suporte do GitHub Premium.
When GitHub Actions is enabled, use 'ghe-maintenance -u' to unset maintenance mode.

Deprecations

Deprecation of GitHub Enterprise Server 2.19
- GitHub Enterprise Server 2.19 is deprecated as of November 12, 2020. That means that no patch releases will be made, even for critical security issues, after this date. For better performance, improved security, and new features, upgrade to the newest version of GitHub Enterprise Server as soon as possible.
Deprecation of Legacy GitHub App Webhook Events
- Starting with GitHub Enterprise Server 2.21.0 two legacy GitHub Apps-related webhook events have been deprecated and will be removed in GitHub Enterprise Server 3.2.0. The deprecated events integration_installation and integration_installation_repositories have equivalent events which will be supported. More information is available in the deprecation announcement blog post.
Deprecation of Legacy GitHub Apps Endpoint
- Starting with GitHub Enterprise Server 2.21.0 the legacy GitHub Apps endpoint for creating installation access tokens was deprecated and will be removed in GitHub Enterprise Server 3.2.0. More information is available in the deprecation announcement blog post.
Deprecation of OAuth Application API
- GitHub no longer supports the OAuth application endpoints that contain access_token as a path parameter. We have introduced new endpoints that allow you to securely manage tokens for OAuth Apps by moving access_token to the request body. While deprecated, the endpoints are still accessible in this version. We intend to remove these endpoints on GitHub Enterprise Server 3.4. For more information, see the deprecation announcement blog post.
Deprecation of support for Semiotic
- The service supported a "Find by Symbol" experience in the pull request view that was not widely used.
Deprecation of workflow commands
- GitHub Actions set-env and add-path workflow commands have been deprecated. For more information, see the changelog.

Backups

GitHub Enterprise Server 3.0 requires at least GitHub Enterprise Backup Utilities 3.0.0 for Backups and Disaster Recovery.

Enterprise Server 3.0.0.rc2

Release Candidate Download

January 29, 2021

As versões de candidatos devem ser testadas em ambientes que não são de produção. Para obter mais informações sobre o Programa Candidato de Versão, consulte o [Blogue do GitHub](https://github. log/2020-12-03-improving-the-ghes-release-process-release-candidates/) ou "Sobre atualizações de novas versões."

Bug fixes

Correções para problemas conhecidos do Candidato de Versão 1
- Se você desabilitou o GitHub Actions após uma tentativa mal sucedida de configurar o GitHub Actions, você não conseguirá criar o primeiro usuário e usar o dispositivo.
- O evento de log de auditoria "Mensagem obrigatória visualizada" não foi salvo.
- O ghe-config-apply necessário para ser executado em uma réplica durante uma configuração inicial antes que ghe-repl-setup pudesse executar para iniciar a replicação.
- Remover você mesmo como proprietário corporativo retornou 404.
Correções para outros problemas
- Foram corrigidos os problemas com migrações e melhorias para a versão 3.0.0.
- O versionamento do Backup de Utilitários agora funciona para versões de candidato de versões.
- Gerar um pacote de suporte resultou em um erro nos registros de orquestradores.
- Uma grande restauração pode resultar no esgotamento da memória do Redis.
- A caixa de seleção para habilitar o GitHub Actions no Console de Gerenciamento agora é visível com qualquer método de autenticação.
- O GitHub Actions só pode ser habilitado se o armazenamento necessário também estiver configurado.
- O 'ghe-repl-status' pode falhar silenciosamente se a replicação do MSSQL não estiver configurada.

Known issues

Os problemas conhecidos para o Candidato da Versão 1 ainda se aplicam, excluindo as correções de erros listadas.

Enterprise Server 3.0.0.rc1

Release Candidate Download

January 12, 2021

As versões de candidatos devem ser testadas em ambientes que não são de produção. Para obter mais informações sobre o Programa Candidato de Versão, consulte o [Blogue do GitHub](https://github. log/2020-12-03-improving-the-ghes-release-process-release-candidates/) ou "Sobre atualizações de novas versões".

Bug fixes

O formato de vários arquivos de registro foram alterados, incluindo a adição de um PID para diferentes tipos de registro. Isso não afeta como o Suporte GitHub Enterprise usa pacotes de suporte para solucionar problemas.
Uma solicitação de PATCH para a API de configuração de webhook não apaga mais o segredo do webhook.

Known issues

Em uma nova configuração de GitHub Enterprise Server sem qualquer usuário, um invasor pode criar o primeiro usuário administrador.
Candidato de Versão 1 não é compatível com o modo Cluster.
As regras personalizadas de firewall não são mantidas durante uma atualização.
Arquivos rastreados pelo LFS do Git carregados por meio da interface web foram adicionados incorreta e diretamente ao repositório.
Quando "Usuários podem pesquisar pelo GitHub.com" está habilitado com o GitHub Connect, os problemas em repositórios privados e internos não estão incluídos nos resultados de pesquisa do GitHub.com.
Após uma tentativa mal sucedida de configurar ações, se você desabilitar as ações, você não poderá criar o primeiro usuário e usar o aplicativo
O evento de log de auditoria "Mensagem obrigatória visualizada" não está sendo salvo
ghe-config-apply deve ser executado em uma réplica durante a primeira configuração antes de ghe-repl-setup poder ser executado para iniciar a replicação.
Os utilitários de backup podem acionar e-mails desnecessários para administradores
As configurações incorretas de pacotes estão sendo exibidas na página de visualização dos integrantes da organização
Após remover-se como um Proprietário da Empresa, você será redirecionado para uma página 404. A operação é bem-sucedida.
Ocasionalmente, o ghe-config-apply falha com uma mensagem de ERROR: Failure waiting for nomad jobs to apply até que a fila de trabalho do Nomad seja esvaziada. De modo geral, isso exige que um administrador apague /etc/nomad-jobs/queue.
Ao configurar um nó de múltiplas réplicas, o status da réplica pode ser sincronizado incorretamente.
Os clientes que tentarem restaurar um backup 3.0 em uma nova instância não deverão pré-configurar a instância, pois isso pode gerar um estado ruim para logins de usuário. Recomendamos restaurar uma instância nova e não configurada.
Os candidatos da versão 3.0 do GitHub Enterprise Server ainda não estão disponíveis no marketplace do Azure. Para testar a versão de candidatos em ambientes de stage, inicie uma instância 2.21 ou 2.22 e, em seguida, atualize-a com o pacote de atualização do Azure na página de download.
O tamanho da imagem e atualização do pacote aumentou. Os clientes com conexão lenta à internet podem achar que os pacotes demoram mais para serem baixados.