Enterprise Server 3.13 release notes

Instance administration

• The root navigational experience for enterprise accounts lands all users on an "Enterprise Overview". From this page, enterprise owners can create a README for their enterprise, which will be visible internally to all enterprise members. The "Organization" page still exists and can be accessed from the left sidebar of the enterprise account.

• To improve the pre-flight checks experience, all pre-flight checks run even if one check fails. A consolidated report of the results is shown in the UI.

• The editor role for a Management Console user has been deprecated in the Manage GitHub Enterprise Server API.

• People deploying a GitHub Enterprise Server instance in AWS can now deploy in an environment that uses Instance Metadata Service Version 2 (IMDSv2).

• As part of the upgrade to GitHub Enterprise Server 3.13, Elasticsearch (ES) is upgraded from version 5.6.16 to 8.7.0. Upgrading platform components improves performance and security posture. For important upgrade considerations, see "Подготовка к обновлению Elasticsearch в GitHub Enterprise Server 3.13."

• To improve existing tooling for license handling, the ghe-license script handles all operations regarding the active license. Commands can be performed on new licenses without importing them first. The script allows direct application of the license without a full configuration run and avoids restarting the instance to reduce downtime. See "Служебные программы командной строки."

  Administrators can upload the license to their instance using multiple interfaces, including the Management Console, Manage GHES API, CLI, or SSH. See "Отправка новой лицензии в GitHub Enterprise Server."

Audit logs

• Enterprise and organization audit log events include the applicable SAML and SCIM identity data associated with the user. This data provides increased visibility into the identity of the user and enables logs from multiple systems to quickly and easily be linked using a common corporate identity. The SAML identity information displays in the external_identity_nameid field and the SCIM identity data displays in the external_identity_username field within the audit log payloads. For more information, see "Просмотр журнала аудита для вашей организации."

GitHub Actions

• For self-hosted GitHub Actions runners on this GitHub Enterprise Server release, the minimum required version of the GitHub Actions Runner application is 2.314.1. See the release notes for this version in the actions/runner repository on GitHub.com. If your instance uses ephemeral self-hosted runners and you've disabled automatic updates, you must upgrade your runners to this version of the Runner application before upgrading your instance to this GitHub Enterprise Server release.

• To ensure Actions runners are truly ephemeral and more secure, execution timeouts on self-hosted jobs are limited to 5 days. If a job reaches this limit, the job is terminated and fails to complete. For more information, see "О самостоятельно размещенных средствах выполнения."

Repositories

• Users can use repository properties to add meaningful metadata to repositories that simplifies repository classification, enhances discoverability, and seamlessly integrates with rulesets. For more information, see "Управление настраиваемыми свойствами для репозиториев в организации."

• Users can browse and view code in a revamped experience for GitHub repositories, providing a tree pane for browsing files, fuzzy search for files, sticky code headers, and more.

• Users can migrate existing tag protection rules into repository rules. For more information, see "Настройка правил защиты тегов."

Projects

• Users can post status updates on their projects to share the current status, start date, and target date of the project itself. For more information, see "Предоставление общего доступа к обновлениям project."

• Users can migrate their projects (classic) to the new Projects experience. For more information, see "Миграция с projects (classic)."

Pull requests

• Rebase commits are now created using the merge-ort strategy.

Secret scanning

• In the secret scanning list view, users can apply a filter to display alerts that are the result of having bypassed push protection. For more information, see "Управление оповещениями о проверке секретов."

• To increase coverage of secret scanning across an instance, users can enable secret scanning in repositories owned by their personal account. Enterprise owners can disable this feature, or automatically enable it for all new user-owned repositories, in the enterprise settings. See "Управление функциями расширенной безопасности GitHub для вашего предприятия."

Code scanning

• Users can enable code scanning on repositories even if they don’t contain any code written in the languages currently supported by CodeQL. Default setup will automatically trigger the first scan when a supported language is detected on the default branch. For more information, see "Настройка настройки по умолчанию для сканирования кода."

• Users can use CodeQL threat model settings for Java to adapt CodeQL's code scanning analysis to detect the most relevant security vulnerabilities in their code. This feature is in public beta and subject to change. For more information, see "Настройка расширенной настройки для сканирования кода."

• The CodeQL action for code scanning analysis uses version 2.16.5 of the CodeQL CLI by default, an upgrade from 2.15.5 compared to the previous GitHub Enterprise Server feature release. For a detailed list of changes included in each version, see the CodeQL change logs. Significant changes include:

  • Support for Swift 5.9.2, C# 12 / .NET 8, and Go 1.22.
  • Installation of Python dependencies is disabled for all Python scans by default. See the GitHub Blog post.
  • A new python_executable_name option for the Python extractor. This allows you to select a non-default Python executable installed on the system running the scan (such as py.exe on Windows machines). See the changelog in the CodeQL documentation.
  • A fix for CVE-2024-25129, a low-severity data exfiltration vulnerability that could be triggered by processing untrusted databases or CodeQL packs.
  • The code scanning UI now includes partially extracted files. See the GitHub Blog post.
  • 2 new C/C++ queries: cpp/use-of-unique-pointer-after-lifetime-ends and cpp/incorrectly-checked-scanf
  • 6 new Java queries: java/insecure-randomness , java/exec-tainted-environment , java/android/sensitive-text, java/android/sensitive-notification, java/android/insecure-local-authentication, and java/android/insecure-local-key-gen
  • 2 new Swift queries: swift/weak-password-hashing and swift/unsafe-unpacking

Code security

• On the security overview dashboard, users can find detailed insights for the security alerts in an organization or enterprise, including trending data that tracks alert counts and activity over time and snapshot data that reflects the current state of the security landscape. Alerts are displayed for both GitHub's security features and third-party tools. Filters are available for the type and visibility of alerts, date range, repository custom properties, and more. The overview dashboard is in public beta and subject to change. For more information, see "Просмотр аналитических сведений о безопасности."

• Users can view trending data for the enablement of security features in an organization. In security overview for an organization, the "Enablement trends" view shows historical data for the activation of security features including Dependabot updates, code scanning alerts, and secret scanning alerts. This feature is in public beta and subject to change. For more information, see "Оценка внедрения функций безопасности кода."

• For users who use devcontainer.json files to define development containers for repositories, Dependabot version updates can keep "features" defined for the dev container up to date. Once configured in dependabot.yml, Dependabot will open pull requests on a specified schedule to update the listed features to the latest version. Dependabot security updates for dev containers are not currently supported. For more information, see "Сведения об обновлениях версий Dependabot."

Authentication

• For enterprises or organizations that use an SSH certificate authority (CA) to provide SSH certificates to members, to protect against a security risk involving user renames, new SSH CAs that are uploaded to a GitHub Enterprise Server 3.13 instance can only be used to sign certificates that are set to expire. For new CAs, you must use the -V parameter with ssh-keygen to generate a certificate with a valid-after claim.

  The valid-after claim allows GitHub to validate that the user named in the SSH certificate hasn't been renamed since the certificate was signed. CAs uploaded prior to version 3.13 are exempt from this requirement and can be used to sign certificates that do not expire. However, when you've ensured that your certificate signing process uses the -V flag, GitHub encourages you to upgrade existing certificates to enforce the expiration requirement. For more information, see "Управление центрами сертификации SSH в вашей организации" or "Применение политик для параметров безопасности в вашем предприятии."

TCP port 9103 is opened for future administrative features related to support for Prometheus scraping. The port has been open since GitHub Enterprise Server 3.12, but this change wasn't communicated at the time release notes for version 3.12 were first published.

Upcoming change: In version 3.14 and later of GitHub Enterprise Server, for instances with GitHub Actions and GitHub Connect enabled, self-hosted runners that download actions from GitHub.com via GitHub Connect will need to allow access to the following new hosts.

• ghcr.io
• *.actions.githubusercontent.com

Please update the outbound firewall rules on your self-hosted runners to allow requests to these services. You can make this change on version 3.13, or on a previous version of GitHub Enterprise Server. For a smooth upgrade to version 3.14, we recommend you make changes to your firewall rules now, as failing to do so will result in your runners being unable to download certain actions in version 3.14 and later.

The "Create a reference" REST API endpoint is restricted from accepting POSTs from users and apps that only have permission to read and write packages. Previously, this endpoint accepted updates to both tags and branches.

To ensure security updates are applied correctly regardless of your repository's configuration settings, Dependabot uses private registry configurations specified in the dependabot.yml file as expected, even if there is a configuration with target-branch. Security updates still do not support target-branch configuration. For more information, see "Настройка доступа к частным реестрам для Dependabot."

Custom firewall rules are removed during the upgrade process.

During the validation phase of a configuration run, a No such object error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start.

If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. For more information, see "Устранение неполадок с доступом к консоли управления."

On an instance with the HTTP X-Forwarded-For header configured for use behind a load balancer, all client IP addresses in the instance's audit log erroneously appear as 127.0.0.1.

On an instance in a cluster configuration, restoration of a backup using ghe-restore will exit prematurely if Redis has not restarted properly.

When enabling log forwarding, specific service logs, including babeld, are duplicated. For more information, see "Пересылка журналов."

Repositories originally imported using ghe-migrator do not correctly track committers for GitHub Advanced Security billing.

When log forwarding is enabled, some forwarded log entries may be duplicated.

Due to a known regression, operators will not be able to use the ghe-migrations visualizer to view the status of migrations during an upgrade. Instead, the operator can inspect the log files in /var/log/dbmigration to see the status and progress of migrations.

TokenScanningServiceMetricsApiError errors may appear after the upgrade.

The log entry irb: warn: can't alias delete from irb_delete may appear during creation and upload of support bundles.

The admin stats REST API endpoints may time out on appliances with many users or repositories. Retrying the request until data is returned is advised.

When following the steps for "Replacing the primary MySQL node," step 14 (running ghe-cluster-config-apply) might fail with errors. If this occurs, re-running ghe-cluster-config-apply is expected to succeed.

Running ghe-cluster-config-apply as part of the steps for "Replacing a node in an emergency" might fail with errors if the node being replaced has not first been turned off. If this occurs, turn the node off and repeat the steps.

For an instance in a cluster configuration and with GitHub Actions enabled, restoring a cluster from backup requires targeting the primary DB node.

Memory utilization may increase after the upgrade. During periods of high traffic, interruptions in service may occur due to insufficient memory allocations for internal components.

As part of sunsetting Subversion compatibility, Subversion support is now disabled by default. Subversion can be re-enabled in the 3.13 release series by setting app.svnbridge.enabled = true. In 3.14, subversion support will be permanently removed. For more information, see Sunsetting Subversion support on the GitHub blog.

The Manage GHES API reached feature parity with the Management Console API in GHES 3.12. As a result, we will deprecate the Management Console API in GitHub Enterprise Server 3.14. For information about updating tooling that relies on the Management Console API, see "Конечные точки REST API для консоли управления."