Skip to main content

Enterprise Server 3.6 release notes

November 22, 2022

📣 This is not the latest release of Enterprise Server. Please use the latest release for the latest security, performance, and bug fixes.

    Security fixes

  • HIGH: Added an extra check to harden against a path traversal bug that could lead to remote code execution in GitHub Pages builds on a GitHub Enterprise Server instance. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the instance. [Updated: 2022-12-02]

  • MEDIUM: Updated CommonMarker to address a scenario where parallel requests to the Markdown REST API could result in unbounded resource exhaustion. This vulnerability has been assigned CVE-2022-39209.

  • MEDIUM: Scoped user-to-server tokens from GitHub Apps could bypass authorization checks in GraphQL API requests when accessing non-repository resources. This vulnerability was reported via the GitHub Bug Bounty Program.

  • MEDIUM: Pull request preview links did not properly sanitize URLs, allowing a malicious user to embed dangerous links in the instances web UI. This vulnerability was reported via the GitHub Bug Bounty program.

  • The Create or update file contents API correctly enforces workflow scope. This vulnerability was reported via the GitHub Bug Bounty program.

    Bug fixes

  • If a GitHub Actions dependency uses a pinned SHA version, Dependabot will no longer mark the dependency as vulnerable.

  • Setting the maintenance mode with an IP Exception List would not persist across upgrades.

  • GitHub Pages builds could time out on instances in AWS that are configured for high availability.

  • Status details for the replication of Git LFS objects to repository cache replica nodes were not visible in the ghe-repl-status output on those nodes.

  • After configuration of Dependabot and alert digest emails, the instance would send digest emails to suspended users.

  • The audit log timestamp for Dependabot alert events returned the creation date of the alert instead of the timestamp when a user took action on the alert.

  • When using the CodeQL action, the runs annotations would include a spurious HttpError: Upload not found error.

  • When accessing an instances JavaScript resources from behind a proxy, the browser displayed Cross-Origin Resource Sharing (CORS) errors.

  • If a user named a status check with leading or trailing spaces, the instance created a duplicate check if another check existed with the same name and no leading or trailing spaces.

  • If a user configured a pre-receive hook for multiple repositories, the instances Hooks page would not always display the correct status for the hook.

  • In some cases, an instance could replace an active repository with a deleted repository.

  • Git LFS objects in a repository with a cache replication policy would not be copied to cache replicas if the total number of objects in the repository exceeded 5,000.

  • After running migrations for the GitHub Enterprise Importer on an instance configured for high availability, replication of migration storage assets would not catch up.

  • Zombie processes no longer accumulate in the gitrpcd container.

    Changes

  • If a site administrator has not yet configured GitHub Actions for the instance, the UI for setting up code scanning will prompt the user to configure GitHub Actions.

  • To diagnose zero-length file problems in Git repositories, which can result from a crash of the instance, site administrators can run the git-crash-fix utility.

    Known issues

  • On a freshly set up GitHub Enterprise Server instance without any users, an attacker could create the first admin user.

  • Custom firewall rules are removed during the upgrade process.

  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.

  • Issues cannot be closed if they contain a permalink to a blob in the same repository, where the blob's file path is longer than 255 characters.

  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

  • The GitHub Packages npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.

  • Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.

  • Actions services need to be restarted after restoring an instance from a backup taken on a different host.

  • In a repository's settings, enabling the option to allow users with read access to create discussions does not enable this functionality.

  • In some cases, users cannot convert existing issues to discussions.

  • Custom patterns for secret scanning have .* as an end delimiter, specifically in the "After secret" field. This delimiter causes inconsistencies in scans for secrets across repositories, and you may notice gaps in a repository's history where no scans completed. Incremental scans may also be impacted. To prevent issues with scans, modify the end of the pattern to remove the .* delimiter.

  • Hotpatch upgrades to GitHub Enterprise Server 3.6.2 may fail. Upgrades with the full .pkg are unaffected. If the upgrade fails for your instance, workaround this issue by connecting to the administrative shell (ssh) and running the following non-interactive command:

    echo "grub-pc grub-pc/install_devices_empty boolean true" | sudo debconf-set-selections
    

    If you're unable to upgrade, or if you need further assistance, contact GitHub Support. For more information, see "Creating a support ticket." [Updated: 2022-10-14]

  • Following an upgrade to GitHub Enterprise Server 3.6 or later, existing inconsistencies in a repository such as broken refs or missing objects, may now be reported as errors like invalid sha1 pointer 0000000000000000000000000000000000000000, Zero-length loose reference file, or Zero-length loose object file. Previously, these indicators of repository corruption may have been silently ignored. GitHub Enterprise Server now uses an updated Git version with more diligent error reporting enabled. For more information, see this upstream commit in the Git project.

    If you suspect a problem like this exists in one of your repositories, you can run git-crash-fix analyze in the repository on your GitHub Enterprise Server instance. If git-crash-fix analyze reports problems, contact GitHub Enterprise Support for assistance, and include the command output in your support request.

  • Instances experiencing a high sustained number of concurrent Git requests may experience performance issues. If you suspect that this issue is affecting your instance, contact Suporte do GitHub. For more information, see "Creating a support ticket." [Updated: 2022-12-07]

October 25, 2022

📣 This is not the latest patch release of this release series, and this is not the latest release of Enterprise Server. Please use the latest release for the latest security, performance, and bug fixes.

    Security fixes

  • HIGH: Updated dependencies for the Management Console to the latest patch versions, which addresses security vulnerabilities including CVE-2022-30123 and CVE-2022-29181.

  • HIGH: Added checks to address an improper cache key vulnerability that allowed an unauthorized actor to access private repository files through a public repository. This vulnerability has been assigned CVE-2022-23738.

  • MEDIUM: Updated CommonMarker to address a scenario where parallel requests to the Markdown REST API could result in unbounded resource exhaustion. This vulnerability has been assigned CVE-2022-39209.

  • MEDIUM: Updated Redis to 5.0.14 to address CVE-2021-32672 and CVE-2021-32762.

  • MEDIUM: Updated GitHub Actions runners to fix a bug that allowed environment variables in GitHub Actions jobs to escape the context of the variable and modify the invocation of docker commands directly. For more information, see the Actions Runner security advisory.

  • MEDIUM: An improper privilege management vulnerability was identified in GitHub Enterprise Server that allowed users with improper privileges to create or delete pages via the API. To exploit this vulnerability, an attacker would need to be added to an organization's repo with write permissions. This vulnerability was reported via the GitHub Bug Bounty program and has been assigned CVE-2022-23737.

  • LOW: Due to a CSRF vulnerability, a GET request to the instance's site/toggle_site_admin_and_employee_status endpoint could toggle a user's site administrator status unknowingly.

  • Packages have been updated to the latest security versions.

    Bug fixes

  • After a site administrator made a change that triggered a configuration run, such as disabling GitHub Actions, validation of services would sometimes fail with the message WARNING: Validation encountered a problem.

  • After a site administrator installed a hotpatch containing changes to web interface assets such as JavaScript files or images, the instance did not serve the new assets.

  • When a user accessed a renamed repository using Git, the hostname in the Git output incorrectly indicated GitHub.com instead of the instance's hostname.

  • On instances using LDAP authentication and LDAP sync, sync would fail and print undefined method ord for nil:NilClass in ldap-sync.log.

  • When a user visited links to view history or suggest an improvement to the GitHub Advisory Database, the URLs were incorrect, resulting in a 404 error.

  • Deleted assets and assets scheduled to be purged within a repository, such as LFS files, took too long to to be cleaned up.

  • On instances configured for high availability, ghe-repl-status incorrectly reported that replication was behind for repositories that users had previously deleted.

  • If a user installed a GitHub App for the user account and then converted the account into an organization, the app was not granted organization permissions.

  • Missing secret scanning alerts on instance with a GitHub Advanced Security license that was not upgraded directly to GitHub Enterprise Server 3.4 are now visible in the web interface and through the REST API.

  • In some cases, on an instance with a GitHub Advanced Security license, some tokens detected by secret scanning were reported as "unknown tokens."

    Changes

  • To ensure that site administrators can successfully complete an upgrade, the instance will now execute a preflight check to ensure that the virtual machine meets minimum hardware requirements. The check also verifies Elasticsearch's health. You can review the current requirements for CPU, memory, and storage for GitHub Enterprise Server in the "Minimum requirements" section within each article in "Setting up a GitHub Enterprise Server instance."

    Known issues

  • On a freshly set up GitHub Enterprise Server instance without any users, an attacker could create the first admin user.

  • Custom firewall rules are removed during the upgrade process.

  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.

  • Issues cannot be closed if they contain a permalink to a blob in the same repository, where the blob's file path is longer than 255 characters.

  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

  • The GitHub Packages npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.

  • Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.

  • Actions services need to be restarted after restoring an instance from a backup taken on a different host.

  • In a repository's settings, enabling the option to allow users with read access to create discussions does not enable this functionality.

  • In some cases, users cannot convert existing issues to discussions.

  • Custom patterns for secret scanning have .* as an end delimiter, specifically in the "After secret" field. This delimiter causes inconsistencies in scans for secrets across repositories, and you may notice gaps in a repository's history where no scans completed. Incremental scans may also be impacted. To prevent issues with scans, modify the end of the pattern to remove the .* delimiter.

  • Hotpatch upgrades to GitHub Enterprise Server 3.6.2 may fail. Upgrades with the full .pkg are unaffected. If the upgrade fails for your instance, workaround this issue by connecting to the administrative shell (ssh) and running the following non-interactive command:

    echo "grub-pc grub-pc/install_devices_empty boolean true" | sudo debconf-set-selections
    

    If you're unable to upgrade, or if you need further assistance, contact GitHub Support. For more information, see "Creating a support ticket." [Updated: 2022-10-14]

  • GitHub Pages builds may time out on instances in AWS that are configured for high availability. [Updated: 2022-11-28]

  • Instances experiencing a high sustained number of concurrent Git requests may experience performance issues. If you suspect that this issue is affecting your instance, contact Suporte do GitHub. For more information, see "Creating a support ticket." [Updated: 2022-12-07]

September 21, 2022

📣 This is not the latest patch release of this release series, and this is not the latest release of Enterprise Server. Please use the latest release for the latest security, performance, and bug fixes.

    Features

  • Repository archives for migrations now include an is_archived field.

    Security fixes

  • HIGH: A GitHub App could use a scoped user-to-server token to bypass user authorization logic and escalate privileges.

  • LOW: Granting a user the ability to bypass branch protections no longer allows the user to bypass the requirement for signature verification.

  • Packages have been updated to the latest security versions.

    Bug fixes

  • In some cases, collectd could log excessive metrics-related errors in /var/log/collectd.log.

  • When configuring the external domain name of a repository cache replica node using ghe-repl-node --cache-domain, the command would return an error that prevented Git LFS caching from being enabled.

  • Installation of a TLS certificate failed when the certificate's subject string included UTF-8 characters.

  • Configuration runs could fail when retry-limit or retry-sleep-duration were manually set by an administrator using ghe-config.

  • The option to enable TLS encryption for incoming SMTP connections to an instance was missing from the Management Console.

  • In some cases, the Management Console's monitor dashboard would not load correctly.

  • Removed a non-functional link for exporting Management Console monitor graphs as a PNG image.

  • The ghe-find-insecure-git-operations command did not return all insecure Git operations after each invocation.

  • When sending a support bundle to GitHub Enterprise Support using ghe-support-upload, the -t option would not successfully associate the uploaded bundle with the specified ticket.

  • A link back to the security settings for the instance's enterprise account could render an incorrect view.

  • In rare cases, an upgrade from GitHub Enterprise Server 3.3 to 3.4 would incorrectly modify how data is stored, resulting in failures during future upgrades. When upgrading directly to this release from 3.3, the failure will not occur.

  • When using a VPC endpoint URL as an AWS S3 URL for GitHub Packages, publication and installation of packages failed.

  • Git clones or fetches over SSH could experience data corruption for transfers over 1GB in size.

  • After a user deleted or restored packages from the web interface, counts for packages could render incorrectly.

  • After successful configuration of Dependabot and alert digest emails, the instance would not send digest emails.

  • Manually disabled GitHub Actions workflows in a repository were re-enabled if the repository received a push containing more than 2048 commits, or if the repository's default branch changed.

  • When viewing a pull request's diff for a large file with many lines between changes, it was not possible to expand the view to display all of the changes.

  • If branch protections were enabled, the GITHUB_REF_PROTECTED environment variable and github.ref_protected contexts for GitHub Actions workflow runs were incorrectly set as false.

  • Repositories for packages erroneously displayed a "Used by" section.

    Known issues

  • On a freshly set up GitHub Enterprise Server instance without any users, an attacker could create the first admin user.

  • Custom firewall rules are removed during the upgrade process.

  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.

  • Issues cannot be closed if they contain a permalink to a blob in the same repository, where the blob's file path is longer than 255 characters.

  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

  • The GitHub Packages npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.

  • Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.

  • Actions services need to be restarted after restoring an instance from a backup taken on a different host.

  • In a repository's settings, enabling the option to allow users with read access to create discussions does not enable this functionality.

  • In some cases, users cannot convert existing issues to discussions.

  • Custom patterns for secret scanning have .* as an end delimiter, specifically in the "After secret" field. This delimiter causes inconsistencies in scans for secrets across repositories, and you may notice gaps in a repository's history where no scans completed. Incremental scans may also be impacted. To prevent issues with scans, modify the end of the pattern to remove the .* delimiter.

  • After upgrading a replica node to GitHub Enterprise Server 3.6.0 or later and restarting replication, in some situations Git replication may stop progressing and continue to show WARNING: git replication is behind the primary …. If you encounter this known issue contact GitHub Support. For more information, see "Creating a support ticket." [Updated: 2022-10-03]

  • Hotpatch upgrades to GitHub Enterprise Server 3.6.2 may fail. Upgrades with the full .pkg are unaffected. If the upgrade fails for your instance, workaround this issue by connecting to the administrative shell (ssh) and running the following non-interactive command:

    echo "grub-pc grub-pc/install_devices_empty boolean true" | sudo debconf-set-selections
    

    If you're unable to upgrade, or if you need further assistance, contact GitHub Support. For more information, see "Creating a support ticket." [Updated: 2022-10-14]

  • GitHub Pages builds may time out on instances in AWS that are configured for high availability. [Updated: 2022-11-28]

  • Instances experiencing a high sustained number of concurrent Git requests may experience performance issues. If you suspect that this issue is affecting your instance, contact Suporte do GitHub. For more information, see "Creating a support ticket." [Updated: 2022-12-07]

August 30, 2022

📣 This is not the latest patch release of this release series, and this is not the latest release of Enterprise Server. Please use the latest release for the latest security, performance, and bug fixes.

    Bug fixes

  • Após desbloquear um repositório para acesso temporário, o administrador do site não conseguiu gerenciar as configurações dos produtos de segurança no repositório.

  • Chaves SSH administrativas duplicadas podem aparecer tanto no Console de Gerenciamento quanto no arquivo /home/admin/.ssh/authorized_keys.

  • A página de administração do site para usuários individuais em http(s)://HOSTNAME/stafftools/users/USERNAME/admin continha funcionalidades não destinadas ao Servidor do GitHub Enterprise.

  • Em alguns casos, executar ghe-cluster-config-apply pode replicar uma configuração vazia para nós existentes em um cluster.

  • Em alguns casos, as execuções de configuração iniciadas com ghe-config-apply não foram concluídas ou retornaram um erro Incompatibilidade de contagem de contêiner.

  • Depois de atualizar um certificado TLS autoassinado em uma instância de4 servidor do GitHub Enterprise, os elementos da interface do usuário em algumas páginas da interface da Web não apareceram.

  • Em alguns casos, as tarefas em segundo plano podem parar devido a uma biblioteca que foi usada simultaneamente, apesar de não ser thread-safe.

  • A barra de administração do site na parte superior da interface da Web continha um link quebrado para o SHA para a versão do aplicativo em execução no momento.

  • Os proprietários da organização não conseguiram definir o nível de acesso necessário para criar discussões.

  • Os usuários das discussões foram direcionados incorretamente para as diretrizes da comunidade do GitHub.com.

  • Em alguns casos, os usuários foram instruídos incorretamente a verificar seus emails antes de criar uma discussão.

  • Alertas da verificação de segredo para clientes do GitHub Advanced Security estavam ausentes na interface do usuário da Web e na API REST se um administrador do site não atualizasse diretamente para o GitHub Enterprise Server 3.4. Os alertas agora estão visíveis.

    Changes

  • A geração de pacotes de suporte é mais rápida como resultado da sanitização de log paralelizada. Para ver mais informações sobre pacotes de suporte, confira "Como fornecer dados ao suporte do GitHub."

  • As APIs que contêm a rota organization ou org agora aceitam o slug ou a ID da organização. Anteriormente, as APIs aceitavam apenas slugs, o que fazia com que os cabeçalhos Link dos pontos de extremidade do GitHub Advanced Security ficassem inacessíveis. Para ver mais informações, confira "Organizações" na documentação da API REST.

  • O log de auditoria empresarial agora inclui mais eventos gerados pelo usuário, como project.create. A API REST também retorna eventos adicionais gerados pelo usuário, como repo.create. Para ver mais informações, confira "Como acessar o log de auditoria da sua empresa" e "Como usar a API de log de auditoria da sua empresa."

  • Em alguns casos, as réplicas de cache podem rejeitar algumas operações do Git em repositórios atualizados recentemente. Para ver mais informações sobre o armazenamento em cache do repositório, confira "Sobre o armazenamento em cache do repositório."

  • Agora você pode configurar o banner de anúncio global como dispensável usando a API REST. Para ver mais informações, confira "[Como personalizar mensagens de usuário para sua empresa](/admin/user-management/managing-users-in-your-enterprise/customizing-user-messages-for-your-enterprise#creating-a-global- anúncio-banner)."

    Known issues

  • Em uma instância de GitHub Enterprise Server recém-configurada sem usuários, um invasor pode criar o primeiro usuário administrador.

  • As regras de firewall personalizadas são removidas durante o processo de atualização.

  • Arquivos LFS do Git enviados através da interface da Web são adicionados diretamente ao repositório e de forma incorreta.

  • Os problemas não podem ser fechados se contiverem um permalink para um blob no mesmo repositório, onde o caminho do arquivo de blobs é maior que 255 caracteres.

  • Quando "Usuários podem pesquisar pelo GitHub.com" está habilitado com o GitHub Connect, os problemas em repositórios privados e internos não estão incluídos nos resultados de pesquisa do GitHub.com.

  • O registro npm GitHub Packages não retorna mais um valor temporal em respostas de metadados. Isso foi feito para permitir melhorias substanciais de desempenho. Continuamos a ter todos os dados necessários para retornar um valor temporal como parte da resposta de metadados e continuaremos a retornar esse valor no futuro quando tivermos resolvido os problemas de desempenho existentes.

  • Os limites de recursos que são específicos para processamento de hooks pre-receive podem causar falha em alguns hooks pre-receive.

  • Os serviços de ação devem ser reiniciados após a restauração do dispositivo a partir do backup tomado em um host diferente.

  • Nas configurações de um repositório, habilitar a opção de permitir que usuários com acesso de leitura criem discussões não habilita esta funcionalidade.

  • Em alguns casos, os usuários não podem converter problemas existentes em discussões.

  • Padrões personalizados para verificação de segredo têm .* como um delimitador final, especificamente no campo "Depois do segredo". Esse delimitador causa inconsistências nas verificações de segredos nos repositórios e você pode notar lacunas no histórico de um repositório em que nenhuma verificação foi concluída. As verificações incrementais também podem ser afetadas. Para evitar problemas com verificações, modifique o final do padrão para remover o delimitador .*.

August 16, 2022

📣 This is not the latest patch release of this release series, and this is not the latest release of Enterprise Server. Please use the latest release for the latest security, performance, and bug fixes.

Note: If your GitHub Enterprise Server instance is running a release candidate build, you can't upgrade with a hotpatch. We recommend that you only run release candidates in a test environment.

For upgrade instructions, see "Upgrading GitHub Enterprise Server."

    Features

    Infrastructure

  • Repository caching is generally available. Repository caching increases Git read performance for distributed developers, providing the data locality and convenience of geo-replication without impact on push workflows. With the general availability release, GitHub Enterprise Server caches both Git and Git LFS data. For more information, see "About repository caching."

  • Instance security

  • GitHub has changed the supported algorithms and hash functions for all SSH connections to GitHub Enterprise Server, disabled the unencrypted and unauthenticated Git protocol, and optionally allowed the advertisement of an Ed25519 host key. For more information, see the GitHub Blog and the following articles.

  • You can require TLS encryption for incoming SMTP connections to your instance. For more information, see "Configuring email for notifications."

    • Note: This feature is unavailable in GitHub Enterprise Server 3.6.0 and 3.6.1. The feature is available in the 3.6.2 release. [Updated: 2022-09-22]
  • Audit logs

  • You can stream audit log and Git events for your instance to Amazon S3, Azure Blob Storage, Azure Event Hubs, Google Cloud Storage, or Splunk. Audit log streaming is in public beta and subject to change. For more information, see "Streaming the audit log for your enterprise."

  • GitHub Connect

  • Server Statistics is now generally available. Server Statistics collects aggregate usage data from your GitHub Enterprise Server instance, which you can use to better anticipate the needs of your organization, understand how your team works, and show the value you get from GitHub Enterprise Server. For more information, see "About Server Statistics."

  • Administrator experience

  • Enterprise owners can join organizations on the instance as a member or owner from the enterprise account's Organizations page. For more information, see "Managing your role in an organization owned by your enterprise."

  • Enterprise owners can allow users to dismiss the configured global announcement banner. For more information, see "Customizing user messages for your enterprise."

  • GitHub Advanced Security

  • Users on an instance with a GitHub Advanced Security license can opt to receive a webhook event that triggers when an organization owner or repository administrator enables or disables a code security or analysis feature. For more information, see the following documentation.

  • Users on an instance with a GitHub Advanced Security license can optionally add a comment when dismissing a code scanning alert in the web UI or via the REST API. Dismissal comments appear in the event timeline. Users can also add or retrieve a dismissal comment via the REST API. For more information, see "Triaging code scanning alerts in pull requests" and "Code Scanning" in the REST API documentation.

  • On instances with a GitHub Advanced Security license, secret scanning prevents the leak of secrets in the web editor. For more information, see "Protecting pushes with secret scanning."

  • Enterprise owners and users on an instance with a GitHub Advanced Security license can view secret scanning alerts and bypasses of secret scanning's push protection in the enterprise and organization audit logs, and via the REST API. For more information, see the following documentation.

  • Enterprise owners on an instance with a GitHub Advanced Security license can perform dry runs of custom secret scanning patterns for the enterprise, and all users can perform dry runs when editing a pattern. Dry runs allow you to understand a pattern's impact across the entire instance and hone the pattern before publication and generation of alerts. For more information, see "Defining custom patterns for secret scanning."

  • Users on an instance with a GitHub Advanced Security license can use sort and direction parameters in the REST API when retrieving secret scanning alerts, and sort based on the alert’s created or updated fields. The new parameters are available for the entire instance, or for individual organizations or repositories. For more information, see the following documentation.

  • The contents of the github/codeql-go repository have moved to the github/codeql repository, to live alongside similar libraries for all other programming languages supported by CodeQL. The open-source CodeQL queries, libraries, and extractor for analyzing codebases written in the Go programming language with GitHub's CodeQL code analysis tools can now be found in the new location. For more information, including guidance on migrating your existing workflows, see github/codeql-go#741.

  • Dependabot

  • Enterprise owners on instances with a GitHub Advanced Security license can see an overview of Dependabot alerts for the entire instance, including a repository-centric view of application security risks, and an alert-centric view of all secret scanning and Dependabot alerts. The views are in beta and subject to change, and alert-centric views for code scanning are planned for a future release of GitHub Enterprise Server. For more information, see "Viewing the security overview."

  • Users can select multiple Dependabot alerts, then dismiss or reopen or dismiss the alerts. For example, from the Closed alerts tab, you can select multiple alerts that have been previously dismissed, and then reopen them all at once. For more information, see "About Dependabot alerts."

    • Note: This feature is unavailable in GitHub Enterprise Server 3.6.0. The feature is available in GitHub Enterprise Server 3.7.0 and later. [Updated: 2022-10-19]
  • Dependabot updates @types dependencies alongside corresponding packages in TypeScript projects. Before this change, users would see separate pull requests for a package and the corresponding @types package. This feature is automatically enabled for repositories containing @types packages in the project's devDependencies within the package.json file. You can disable this behavior by setting the ignore field in your dependabot.yml file to @types/*. For more information, see "About Dependabot version updates" and "Configuration options for the dependabot.yml file."

  • Code security

  • GitHub Actions can enforce dependency reviews on users' pull requests by scanning for dependencies, and will warn users about associated security vulnerabilities. The dependency-review-action action is supported by a new API endpoint that diffs the dependencies between any two revisions. For more information, see "About dependency review."

  • The dependency graph detects Cargo.toml and Cargo.lock files for Rust. These files will be displayed in the Dependency graph section of the Insights tab. Users will receive Dependabot alerts and updates for vulnerabilities associated with their Rust dependencies. Package metadata, including mapping packages to repositories, will be added at a later date. For more information, see "About the dependency graph."

  • If GitHub Connect is enabled for your instance, users can contribute an improvement to a security advisory in the GitHub Advisory Database. To contribute, click Suggest improvements for this vulnerability while viewing an advisory's details. For more information, see the following articles.

  • GitHub Actions

  • Within a workflow that calls a reusable workflow, users can pass the secrets to the reusable workflow with secrets: inherit. For more information, see "Reusing workflows."

  • When using GitHub Actions, to reduce the risk of merging a change that was not reviewed by another person into a protected branch, enterprise owners and repository administrators can prevent Actions from creating pull requests. Organization owners could previously enable this restriction. For more information, see the following articles.

  • Users can write a single workflow triggered by workflow_dispatch and workflow_call, and use the inputs context to access input values. Previously, workflow_dispatch inputs were in the event payload, which increased difficulty for workflow authors who wanted to write one workflow that was both reusable and manually triggered. For workflows triggered by workflow_dispatch, inputs are still available in the github.event.inputs context to maintain compatibility. For more information, see "Contexts."

  • To summarize the result of a job, users can generate Markdown and publish the contents as a job summary. For example, after running tests with GitHub Actions, a summary can provide an overview of passed, failed, or skipped tests, potentially reducing the need to review the full log output. For more information, see "Workflow commands for GitHub Actions."

  • To more easily diagnose job execution failures during a workflow re-run, users can enable debug logging, which outputs information about a job's execution and environment. For more information, see "Re-running workflows and jobs" and "Using workflow run logs."

  • If you manage self-hosted runners for GitHub Actions, you can ensure a consistent state on the runner itself before and after a workflow run by defining scripts to execute. By using scripts, you no longer need to require that users manually incorporate these steps into workflows. Pre- and post-job scripts are in beta and subject to change. For more information, see "Running scripts before or after a job."

  • GitHub Packages

  • Enterprise owners can migrate container images from the GitHub Docker registry to the GitHub Container registry. The Container registry provides the following benefits.

    • Improves the sharing of containers within an organization
    • Allows the application of granular access permissions
    • Permits the anonymous sharing of public container images
    • Implements OCI standards for hosting Docker images

    The Container registry is in beta and subject to change. For more information, see "Migrating your enterprise to the Container registry from the Docker registry."

  • Community experience

  • GitHub Discussions is available for GitHub Enterprise Server. GitHub Discussions provides a central gathering space to ask questions, share ideas, and build connections. For more information, see "GitHub Discussions."

  • Enterprise owners can configure a policy to control whether people's usernames or full names are displayed within internal or public repositories. For more information, see "Enforcing repository management policies in your enterprise."

  • Organizations

  • Users can create member-only READMEs for an organization. For more information, see "Customizing your organization's profile."

  • Organization owners can pin a repository to an organization's profile directly from the repository via the new Pin repository dropdown. Pinned public repositories appear to all users of your instance, while public, private, and internal repositories are only visible to organization members.

  • Repositories

  • While creating a fork, users can customize the fork's name. For more information, see "Fork a repo."

  • Users can delete a branch that's associated with an open pull request. For more information, see "Creating and deleting branches within your repository."

  • Repositories with multiple licenses display all of the licenses in the "About" sidebar on the Code tab. For more information, see "Licensing a repository."

  • When a user renames or moves a file to a new directory, if at least half of the file's contents are identical, the commit history indicates that the file was renamed, similar to git log --follow. For more information, see the GitHub Blog.

  • Users can require a successful deployment of a branch before anyone can merge the pull request associated with the branch. For more information, see "About protected branches" and "Managing a branch protection rule."

  • Enterprise owners can prevent organization owners from inviting collaborators to repositories on the instance. For more information, see "Enforcing a policy for inviting collaborators to repositories."

  • Users can grant exceptions to GitHub Apps for any branch protection rule that supports exceptions. For more information, see "About apps" and "Managing a branch protection rule."

  • Commits

  • For public GPG signing keys that are expired or revoked, GitHub Enterprise Server verifies Git commit signatures and show commits as verified if the user made the commit while the key was still valid. Users can also upload expired or revoked GPG keys. For more information, see "About commit signature verification."

  • To affirm that a commit complies with the rules and licensing governing a repository, organization owners and repository administrators can now require developers to sign off on commits made through the web interface. For more information, see "Managing the commit signoff policy for your organization" and "Managing the commit signoff policy for your repository."

  • Pull requests

  • Using the file tree located in the Files changed tab of a pull request, users can navigate modified files, understand the size and scope of changes, and focus reviews. The file tree appears if a pull request modifies at least two files, and the browser window is sufficiently wide. For more information, see "Reviewing proposed changes in a pull request" and "Filtering files in a pull request."

  • Users can default to using pull requests titles as the commit message for all squash merges. For more information, see "Configuring commit squashing for pull requests."

  • GitHub Mobile

  • In GitHub Mobile for iOS 1.80.0 and later, users can edit files within a pull request's topic branch. Support for editing files will come to GitHub Mobile for Android in a future release. [Updated: 2022-09-13]

  • Releases

  • When viewing the details for a particular release, users can see the creation date for each release asset. For more information, see "Viewing your repository's releases and tags."

  • While creating a release with automatically generated release notes, users can see the tag identified as the previous release, then choose to select a different tag to specify as the previous release. For more information, see "Automatically generated release notes."

  • Markdown

  • Editing Markdown in the web interface has been improved.

    • After a user selects text and pastes a URL, the selected text will become a Markdown link to the pasted URL.
    • When a user pastes spreadsheet cells or HTML tables, the resulting text will render as a table.
    • When a user copies text containing links, the pasted text will include the link as a Markdown link.

    For more information, see "Basic writing and formatting syntax."

  • When editing a Markdown file in the web interface, clicking the Preview tab will automatically scroll to the place in the preview that you were editing. The scroll location is based on the position of your cursor before you clicked the Preview tab.

    Changes

  • Interactive elements in the web interface such as links and buttons show a visible outline when focused with a keyboard, to help users find the current position on a page. In addition, when focused, form fields have a higher contrast outline.

  • If a user refreshes the page while creating a new issue or pull request, the assignees, reviewers, labels and projects will all be preserved.

  • VMware vSphere ESXi hypervisor version 7.0 is now supported. [Updated: 2022-09-07]

    Known issues

  • On a freshly set up GitHub Enterprise Server instance without any users, an attacker could create the first admin user.

  • Custom firewall rules are removed during the upgrade process.

  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.

  • Issues cannot be closed if they contain a permalink to a blob in the same repository, where the blob's file path is longer than 255 characters.

  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

  • The GitHub Packages npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.

  • Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.

  • Actions services need to be restarted after restoring an instance from a backup taken on a different host.

  • In a repository's settings, enabling the option to allow users with read access to create discussions does not enable this functionality.

  • In some cases, users cannot convert existing issues to discussions.

  • Custom patterns for secret scanning have .* as an end delimiter, specifically in the "After secret" field. This delimiter causes inconsistencies in scans for secrets across repositories, and you may notice gaps in a repository's history where no scans completed. Incremental scans may also be impacted. To prevent issues with scans, modify the end of the pattern to remove the .* delimiter.

  • In some cases, GitHub Advanced Security customers who upgrade to GitHub Enterprise Server 3.6 may notice that alerts from secret scanning are missing in the web UI and REST API. To ensure the alerts remain visible, do not skip 3.4 as you upgrade to the latest release. To plan an upgrade through 3.4, see the Upgrade assistant.

    A fix is available in the 3.6.1 patch release. [Updated: 2022-09-01]

  • After upgrading a replica node to GitHub Enterprise Server 3.6.0 or later and restarting replication, Git replication may stop progressing and continue to show WARNING: git replication is behind the primary …. If you encounter this known issue, contact Suporte do GitHub Enterprise. [Updated: 2022-10-03]

  • GitHub Pages builds may time out on instances in AWS that are configured for high availability. [Updated: 2022-11-28]

  • Instances experiencing a high sustained number of concurrent Git requests may experience performance issues. If you suspect that this issue is affecting your instance, contact Suporte do GitHub. For more information, see "Creating a support ticket." [Updated: 2022-12-07]