Enterprise Server 3.4 release notes

Packages have been updated to the latest security versions.

During the validation phase of a configuration run, a No such object error may have occurred for the Notebook and Viewscreen services.

When enabling automatic TLS certificate management with Let's Encrypt, the process could fail with the error The certificate is not signed by a trusted certificate authority (CA) or the certificate chain in missing intermediate CA signing certificates.

When a timeout occurs during diff generation, such as when a commit displays an error that the diff is taking too long to generate, the push webhook event will deliver empty diff information. Previously, the push webhook event would fail to be delivered.

高：更新了 Git，现在包含 2.39.1 中的修补程序，解决了 CVE-2022-41903 和 CVE-2022-23521 的问题。

清理支持包和配置日志中的其他机密。

CodeQL 操作的依赖项已更新到最新的安全版本。

包已更新到最新的安全版本。

github（从元数据重命名）、gitauth 和 unicorn 容器服务的 Active workers 和 Queued requests 指标未从 collectd 正确读取，并显示在管理控制台中。

为迁移锁定的存储库将允许在 Web UI 中编辑文件。

git-janitor 命令无法修复过时的 multi-pack-index.lock 文件，导致存储库维护失败。

ghe-support-bundle 和 ghe-cluster-support-bundle 命令已更新为包含 -p/--period 标志，以生成时间受限的支持包。 可以以天和小时为单位指定持续时间，例如：-p 2 hours、-p 1 day 和 -p 2 days 5 hours。

从 ghe-config-apply 开始的配置运行的性能已得到改进。

使用新的根分区升级实例时，使用 ghe-upgrade 选项运行 -t/--target 命令可确保针对目标分区执行最小磁盘存储大小的预检查。

导出帐户数据、备份存储库或执行迁移时，到存储库存档的链接现在将在 1 小时后过期。 以前该存档链接在 5 分钟后过期。

高：在 GitHub Enterprise Server 中发现了允许在生成 GitHub Pages 站点时远程执行代码的路径遍历漏洞。 要利用此漏洞，攻击者需要获得在实例上创建和构建 GitHub Pages 站点的权限。 此漏洞通过 GitHub Bug 赏金计划报告，编号为 CVE-2022-46256。

高：不正确的授权漏洞允许作用域内的用户到服务器令牌升级到存储区的完全管理员访问权限。 攻击者需要具有管理员访问权限的帐户才能安装恶意 GitHub 应用。 此漏洞影响 GitHub Enterprise Server 3.7.0 之前的所有版本。 此漏洞通过 GitHub Bug 赏金计划报告，编号为 CVE-2022-23741。

当站点管理员通过管理 shell (SSH) 从实例主节点运行 ghe-repl-sync-ca-certificates 命令时，该命令仅将 CA 证书从实例主节点复制到单个副本节点。 此命令未将证书复制到所有可用的副本节点。

由于生成了容量值无效的 OVA 文件，在 VMware ESXi 虚拟机监控程序上安装 GitHub Enterprise Server 失败。

当用户使用 API 执行操作时，GitHub Enterprise Server 会强制执行存储库大小配额，即使全局禁用也是如此。

member Webhook 事件不包括作为 changes 字段一部分的 permission 字段的 from 和 to 字段值。

从实例中删除用户帐户后，用户在评论中上传的图像附件在 Web 界面中不再可见。

系统日志中出现调试级消息，这可能会快速消耗实例根存储卷上的空间。

中：更新了 CommonMarker，以解决对 Markdown REST API 的并行请求可能导致无限资源耗尽的情况。 此漏洞编号为 CVE-2022-39209。

中：访问非存储库资源时，GitHub 应用中的作用域内用户到服务器令牌可以绕过 GraphQL API 请求中的授权检查。 此漏洞通过 GitHub Bug 赏金计划报告，编号为 CVE-2022-23739。

中：拉取请求预览链接未正确清理 URL，这使得恶意用户能够在实例 Web UI 中嵌入危险链接。 此漏洞通过 GitHub Bug 赏金计划报告。

中：在 GitHub Enterprise Server 中发现了一个不正确的授权漏洞，该漏洞允许具有读/写访问权限的存储库范围内的令牌在没有工作流范围的情况下修改 GitHub Actions 工作流文件。 “创建或更新文件内容 API”应强制实施工作流范围。 此漏洞通过 GitHub Bug 赏金计划报告，编号为 CVE-2022-46258。

如果将 GitHub Actions 配置为实例的 S3 Blob 存储，则已删除或过期工作流运行中的日志和项目等内容将无限期地保留在 Blob 存储中。 在下次定期运行后台清理作业时，实例将自动删除此内容。

使用 IP 异常列表设置维护模式不会在升级期间持续存在。

GitHub Pages 生成可能会在 AWS 中配置为高可用性的实例上超时。

配置 Dependabot 和警报摘要电子邮件后，实例将向挂起的用户发送摘要电子邮件。

如果用户为多个存储库配置了预接收挂钩，则实例“挂钩”页不会始终显示挂钩的正确状态。

在某些情况下，由于意外的状态检查，用户无法合并拉取请求。

在配置有高可用性的实例上运行 GitHub Enterprise Importer 的迁移后，迁移存储资产的复制无法跟上。

僵尸进程不再在 gitrpcd 容器中累积。

高：将管理控制台的依赖项更新为最新的补丁版本，解决了包括 CVE-2022-30123 和 CVE-2022-29181 在内的安全漏洞。

高：添加了检查，以解决允许未经授权的参与者通过公共存储库访问专用存储库文件的不当缓存密钥漏洞。 此漏洞编号为 CVE-2022-23738。

中：更新了 CommonMarker，以解决对 Markdown REST API 的并行请求可能导致无限资源耗尽的情况。 此漏洞编号为 CVE-2022-39209。

中：将 Redis 更新到了 5.0.14，以解决 CVE-2021-32672 和 CVE-2021-32762 漏洞。

中：更新了 GitHub Actions 运行器以修复允许 GitHub Actions 作业中的环境变量转义变量上下文并直接修改 docker 命令调用的 bug。 有关详细信息，请参阅操作运行器安全公告。

中：在 GitHub Enterprise Server 中发现了一个不当权限管理漏洞，允许具有不当权限的用户通过 API 创建或删除页面。 若要利用此漏洞，需要将攻击者添加到具有写入权限的组织存储库。 此漏洞通过 GitHub Bug 赏金计划报告，编号为 CVE-2022-23737。

低：由于存在 CSRF 漏洞，对实例的 site/toggle_site_admin_and_employee_status 终结点发出的 GET 请求可能会在不知情的情况下切换用户的站点管理员状态。

包已更新到最新的安全版本。

在站点管理员进行会触发配置运行的更改（例如禁用 GitHub Actions）后，服务验证有时会失败并显示消息 WARNING: Validation encountered a problem。

在站点管理员安装了包含对 Web 界面资产（如 JavaScript 文件或图像）的更改的热补丁后，该实例没有提供新资产。

当用户使用 Git 访问重命名的存储库时，Git 输出中的主机名错误地指示 GitHub.com 而不是实例的主机名。

已删除的资产和计划在存储库中清除的资产（如LFS文件）花费的时间太长，无法清理。

如果用户为用户帐户安装了 GitHub 应用，然后将该帐户转换为组织，则不会向该应用授予组织权限。

为确保站点管理员能够成功完成升级，实例现在将执行预检检查以确保虚拟机满足最低硬件要求。 该检查还会验证 Elasticsearch 的运行状况。 你可以在“设置 GitHub Enterprise Server 实例”中每篇文章的“最低要求”部分查看 GitHub Enterprise Server 的当前 CPU、内存和存储要求。

用于迁移的存储库存档现在包含 is_archived 字段。

高：GitHub 应用可以使用作用域内的用户到服务器令牌来绕过用户授权逻辑并提升权限。

中：在 GitHub 应用的可访问文件列表中使用 Unicode 从右到左替代字符可能会遮盖应用可以访问的其他文件。

低：授予用户绕过分支保护的能力不再允许用户绕过签名验证的要求。

包已更新到最新的安全版本。

当证书的主题字符串包含 UTF-8 字符时，TLS 证书安装失败。

当管理员使用 ghe-config 手动设置 retry-limit 或 retry-sleep-duration 时，配置运行可能会失败。

在某些情况下，管理控制台的监视器仪表板无法正确加载。

删除了用于将管理控制台监视器图导出为 PNG 图像的非功能性链接。

ghe-find-insecure-git-operations 命令在每次调用后不会返回所有不安全的 Git 操作。

在极少数情况下，从 GitHub Enterprise Server 3.3 升级到 3.4 会错误地修改数据的存储方式，从而导致将来升级期间失败。 从 3.3 直接升级到此版本时，不会发生失败。

使用 ghe-support-upload 将支持捆绑发送到 GitHub Enterprise 支持时，-t 选项不会成功将上传的捆绑包与指定的票证相关联。

返回到实例企业帐户的安全设置的链接可能会呈现不正确的视图。

通过 SSH 进行 Git 克隆或提取时，如果传输超过 1 GB，则可能会遇到数据损坏。

用户从 Web 界面删除或还原包后，包的计数可能会错误呈现。

成功配置 Dependabot 和警报摘要电子邮件后，实例不会发送摘要电子邮件。

升级到 GitHub Enterprise Server 3.4 后，存储库中似乎缺少版本。 当所需的 Elasticsearch 索引迁移未成功完成时，可能会发生这种情况。 发布 UI 现在指示是否正在等待 Elasticsearch 索引迁移完成，以及链接到有关如何观察状态并立即完成迁移的文档。

如果存储库收到包含超过 2048 个提交的推送，或者存储库的默认分支发生更改，则重新启用在存储库中手动禁用的 GitHub Actions 工作流。

如果启用了分支保护，则 GitHub Actions 工作流运行的 GITHUB_REF_PROTECTED 环境变量和 github.ref_protected 上下文被错误地设置为 false。

将 VPC 终结点 URL 用作 GitHub Packages 的 AWS S3 URL 时，包的发布和安装失败。

向组织添加成员时，SAML SSO 试用邀请出现了错误。

解锁存储库以进行临时访问后，站点管理员无法管理存储库中安全产品的设置。

管理控制台和 /home/admin/.ssh/authorized_keys 文件中可能会出现重复的管理 SSH 密钥。

http(s)://HOSTNAME/stafftools/users/USERNAME/admin 上单个用户的站点管理页面包含不适用于 GitHub Enterprise Server 的功能。

在某些情况下，运行 ghe-cluster-config-apply 可以将空配置复制到群集中的现有节点。

在某些情况下，以 ghe-config-apply 开头的配置运行未完成，或返回 Container count mismatch 错误。

在 GitHub Enterprise Server 实例上更新自签名 TLS 证书后，Web 界面中某些页面上的 UI 元素没有显示。

在某些情况下，尽管不是线程安全的，但由于同时使用的库，可能会导致后台任务停止。

由于并行日志清理，支持包的生成速度更快。 有关支持捆绑包的详细信息，请参阅“向 GitHub 支持提供数据”。

包含 organization 或 org 路由的 API 现在接受组织的数据域或 ID。 以前，API 只接受数据域，这导致 GitHub Advanced Security 终结点的 Link 标头无法访问。 有关详细信息，请参阅 REST API 文档中的“组织”。

企业审核日志现在包含更多用户生成的事件，例如 project.create。 REST API 还返回其他用户生成的事件，例如 repo.create。 有关详细信息，请参阅“在企业中访问审核日志”和“在企业中使用审核日志 API”。

严重：GitHub Enterprise Server 的 Elasticsearch 容器使用的 OpenJDK 8 版本在处理恶意 XSLT 样式表时容易出现整数截断问题。 该漏洞的编号为 CVE-2022-34169。

高：在用户帐户转换为组织帐户后，用户帐户上以前安装的应用程序会自动获得访问作用域内访问令牌上的组织的权限。 此漏洞通过 GitHub Bug 赏金计划报告。

在某些情况下，AWS 上使用 r4.4xlarge 实例类型的 GitHub Enterprise Server 实例将无法启动。

在为 GitHub Advanced Security 计算提交者时，无法指定各个存储库。 有关详细信息，请参阅“站点管理仪表板”。

当为实例设置自定义休眠阈值时，暂停所有休眠用户并不能可靠地遵从阈值。 有关休眠的详细信息，请参阅“管理休眠用户”。

企业审核日志中未显示 pre_receive_hook.rejected_push 事件。

存储库迁移存档和用户帐户存档导出都包括发布反应。

中：防止服务器端请求伪造 (SSRF) 可能通过向 Memcached 注入任意数据来强制 Subversion (SVN) 桥执行远程代码的攻击。

中：通过利用 GitHub Enterprise Server Web 界面中下拉 UI 元素中的跨站脚本 (XSS) 漏洞来防止攻击者执行 Javascript 代码。

将 Grafana 更新到版本 7.5.16，该版本解决了各种安全漏洞，包括 CVE-2020-13379 和 CVE-2022-21702。

包已更新到最新的安全版本。

中：在 GitHub Enterprise Server 中发现了一个存储型 XSS 漏洞，该漏洞允许注入任意属性。 此注入被 Github 内容安全策略 (CSP) 阻止。 此漏洞通过 GitHub Bug 赏金计划报告，编号为 CVE-2022-23733。 [更新日期：2022-07-31]

中：GitHub Enterprise Server 中发现了一个涉及反序列化不受信任数据的漏洞，该漏洞可能会导致在 Subversion (SVN) 桥上远程执行代码。 若要利用此漏洞，攻击者需要通过服务器端请求伪造 (SSRF) 获取访问权限，以便攻击者控制被反序列化的数据。 此漏洞通过 GitHub Bug 赏金计划报告，编号为 CVE-2022-23734。

在某些情况下，collectd 守护进程可能会消耗过多内存。

在某些情况下，旋转日志文件备份可能会累积并消耗过多存储。

在升级到新功能版本并运行后续配置之后，Elasticsearch 可能在重新生成索引时记录过多异常。

在某些情况下，受保护的分支需要多个批准的审查，一个拉取请求可以合并少于所需数量的批准审查。

在使用 LDAP 身份验证的实例中，当用户名和密码的文本字段都可见时，sudo 模式的身份验证提示在默认情况下将光标错误地放置在密码字段中。

在某些情况下，计划的 GitHub Actions 工作流可能会被禁用。

计费 API 的“获取组织的 GitHub Advanced Security 活动提交者”终结点现在返回 Link 标头，用于提供有关分页的信息。

计费 API 的“获取组织的 GitHub Advanced Security 活动提交者”终结点现在返回正确的提交者总数。

ghe-set-password 命令行实用程序在以恢复模式启动实例时自动启动所需的服务。

将收集 aqueduct 后台进程指标进行 Collectd 转发并显示在管理控制台中。

数据库迁移和配置运行日志 /data/user/common/ghe-config.log 的位置现在显示在详细描述正在进行的迁移的页面上。

中：防止为 GitHub Enterprise Server URL 指定 org 查询字符串参数，然后访问另一个组织的活动提交者的攻击。

中：确保 github.company.com 和 github-company.com 不会被内部服务评估为相同的主机名，从而防止潜在的服务器端安全性伪造 (SSRF) 攻击。

低：即使外部防火墙规则阻止了 HTTP 访问，攻击者也可以使用路径遍历攻击通过 HTTP 访问管理控制台。

包已更新到最新的安全版本。

由于权限限制，解压缩后无法打开项目存档中的文件。

运行 ghe-config-apply 时，Redis 超时不再停止数据库迁移。

后台作业处理器将陷入部分关闭状态，从而导致某些类型的后台作业（如代码扫描）出现停滞。

在某些情况下，站点管理员未自动添加为企业所有者。

呈现问题可能会影响存储库中筛选机密扫描警报的下拉列表。

首次启用后，改进了 Dependabot 版本更新的性能。

现在可以在管理控制台中配置 GitHub Pages 生成和同步超时。

如果某些字段（如名称）的值过长，则创建或更新检查运行或检查套件可能返回 500 Internal Server Error。

部署缓存服务器节点时，现在必须描述系统中每个节点的数据中心拓扑（使用 --datacenter 参数）。 这一要求可以避免将数据中心成员设置为“默认”导致工作负载跨多个数据中心未合理平衡的情况。

包已更新到最新的安全版本。

如果主机名字符串以“.”开头（句点字符），则 GitHub Enterprise Server 配置文件中用于验证主机名的内部脚本将返回错误。

在主节点的主机名超过 60 个字符的 HA 配置中，MySQL 将无法配置。

当 GitHub Actions 启用，但在 GitHub Enterprise Server 3.4.1 和更高版本上禁用 TLS 时，应用配置更新将失败。

--gateway 参数已添加到 ghe-setup-network 命令，以允许使用命令行配置网络设置时传递网关地址。

GitHub Advanced Security 计费 API 终结点未启用且可访问。

已删除的图像附件将返回 500 Internal Server Error 而不是 404 Not Found 错误。

在配置了存储库缓存服务器的环境下，ghe-repl-status 命令将 Gist 错误显示为迟缓复制。

如果差异中的文件路径包含编码和转义 Unicode 字符，则提交 API 中的“获取提交”和“比较两个提交”终结点将返回 500 错误。

站点管理员仪表板中报告的“跨整个实例的最大提交者”的计算不正确。

使用 GitHub Enterprise Server Backup Utilities 执行还原时，存储库复制的数据库输入不正确导致数据库损坏。

机密扫描警报的活动时间线未显示。

优化了生成群集支持包时包含的指标。

在 Elasticsearch 报告有效的标黄状态的 HA 配置中，之前修复中引入的更改将阻止 ghe-repl-stop 命令，并且不允许停止复制。 当服务处于正常或有效标黄状态时，使用 ghe-repo-stop --force 现将强制 Elasticsearch 停止运行。

中：发现了 nginx 解析器中的一个安全问题，可以从 DNS 服务器伪造 UDP 数据包的攻击者可能导致 1 字节内存覆盖，从而导致工作进程崩溃或其他潜在的破坏性影响。 此漏洞编号为 CVE-2021-23017。

更新了 actions/checkout@v2 和 actions/checkout@v3 操作以解决 Git 安全措施实施博客文章中公布的新漏洞。

包已更新到最新的安全版本。

在某些群集拓扑中，ghe-cluster-status 命令会在 /tmp 中留下空目录。

SNMP 错误地将大量 Cannot statfs 错误消息记录到 syslog。

添加自定义模式并提供非 UTF8 测试字符串时，匹配突出显示不正确。

用户名中带有下划线字符 (_) 的 LDAP 用户现在可以成功登录。

对于配置了 SAML 身份验证和启用内置回退的实例，内置用户在尝试从退出登录后生成的页面登录时会陷入“登录”循环。

使用 Azure 作为标识提供者启用 SAML 加密断言后，登录页面将失败并出现 500 错误。

不遵从字符键快捷方式首选项。

尝试从 /stafftools/repositories/:owner/:repo/disk 页面查看 git fsck 输出将失败并显示 500 Internal Server Error。

使用 SAML 加密断言时，某些断言未正确将 SSH 密钥标记为已验证。

上传到问题评论的视频将无法正确呈现。

使用 GitHub Enterprise Importer 导入存储库时，由于项目时间线事件配置不正确，某些问题将无法导入。

使用 ghe-migrator 时，迁移将无法在问题和拉取请求中导入视频文件附件。

当存储库具有包含非 ASCII 字符的标记时，发布页面将返回 500 错误。 [更新日期：2022-06-10]

迁移依赖项关系图数据时，升级有时会失败。 [更新日期：2022-06-30]

在高可用性配置中，阐明管理控制台中的复制概述页面仅显示当前复制配置，而不是当前复制状态。

依赖项关系图的 Nomad 分配超时已增加，以确保升级后迁移可以完成。

启用 GitHub Packages 时，阐明当前不支持使用共享访问签名 (SAS) 令牌作为连接字符串。

支持包现在包括存储在 MySQL 中的表的行数。

在确定要在哪些存储库网络上计划维护时，我们不再计入无法访问对象的大小。

run_started_at 响应字段现在包含在工作流运行 API 和 workflow_run 事件 Webhook 有效负载中。

Packages have been updated to the latest security versions.

Resolved a regression that could lead to consistent failures to retrieve artifacts and download log archives for GitHub Actions. In some circumstances we stopped resolving URLs for internal communications that used localhost, and instead incorrectly used the instance hostname.

When a manifest file was deleted from a repository, the manifest would not be removed from the repository's "Dependency graph" page.

Upgrading the nodes in a high availability pair with an upgrade package could cause Elasticsearch to enter an inconsistent state in some cases.

Rotated log files with the extension .backup would accumulate in directories containing system logs.

In some cluster topologies, the command line utilities ghe-spokesctl and ghe-btop failed to run.

Elasticsearch indices could be duplicated during a package upgrade, due to an elasticsearch-upgrade service running multiple times in parallel.

Repository cache servers could serve data from non-cache locations even when the data was available in the local cache location.

When converting a user account to an organization, if the user account was an owner of the GitHub Enterprise Server enterprise account, the converted organization would incorrectly appear in the enterprise owner list.

The /stafftools/users/ip_addresses/:address page responded with a 500 Internal Server Error when attempting to display the page for an IPv6 address.

Creating an impersonation OAuth token using the Enterprise Administration REST API resulted in an error when an integration matching the OAuth Application ID already existed.

Added support for replica domain names that are more than 63 characters.

Configuration errors that halt a config apply run are now output to the terminal in addition to the configuration log.

If GitHub Advanced Security features are enabled on your instance, the performance of background jobs has improved when processing batches for repository contributions.

On a freshly set up GitHub Enterprise Server instance without any users, an attacker could create the first admin user.

Custom firewall rules are removed during the upgrade process.

Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.

Issues cannot be closed if they contain a permalink to a blob in the same repository, where the blob's file path is longer than 255 characters.

When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

The GitHub Packages npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.

Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.

After registering a self-hosted runner with the --ephemeral parameter on more than one level (for example, both enterprise and organization), the runner may get stuck in an idle state and require re-registration. [Updated: 2022-06-17]

After upgrading to GitHub Enterprise Server 3.4, releases may appear to be missing from repositories. This can occur when the required Elasticsearch index migrations have not successfully completed.

在某些情况下，升级到 GitHub Enterprise Server 3.5 或更高版本的 GitHub Advanced Security 客户可能会注意到 Web UI 和 REST API 中缺少来自机密扫描的警报。 若要确保警报保持可见，请勿在从早期版本升级到 3.5 或更高版本时跳过 3.4。 3.5.5 和 3.6.1 补丁版本中提供了修补程序。

若要计划到 3.4 的升级，请参阅升级助手。 [更新日期：2022-09-01]

GitHub Pages builds may time out on instances in AWS that are configured for high availability. [Updated: 2022-11-28]

GitHub Enterprise Server 3.0 was discontinued on February 16, 2022. This means that no patch releases will be made, even for critical security issues, after this date. For better performance, improved security, and new features, upgrade to the newest version of GitHub Enterprise Server as soon as possible.

GitHub Enterprise Server 3.1 will be discontinued on June 3, 2022. This means that no patch releases will be made, even for critical security issues, after this date. For better performance, improved security, and new features, upgrade to the newest version of GitHub Enterprise Server as soon as possible.

Starting in GitHub Enterprise Server 3.3, GitHub Enterprise Server on XenServer was deprecated and is no longer supported. Please contact GitHub Support with questions or concerns.

Due to low usage, we have deprecated the Content References API preview in GitHub Enterprise Server 3.4. The API was previously accessible with the corsair-preview header. Users can continue to navigate to external URLs without this API. Any registered usages of the Content References API will no longer receive a webhook notification for URLs from your registered domain(s) and we no longer return valid response codes for attempted updates to existing content attachments.

The Codes of Conduct API preview, which was accessible with the scarlet-witch-preview header, is deprecated and no longer accessible in GitHub Enterprise Server 3.4. We instead recommend using the "Get community profile metrics" endpoint to retrieve information about a repository's code of conduct. For more information, see the "Deprecation Notice: Codes of Conduct API preview" in the GitHub changelog.

Starting with GitHub Enterprise Server 3.4, the deprecated version of the OAuth Application API endpoints have been removed. If you encounter 404 error messages on these endpoints, convert your code to the versions of the OAuth Application API that do not have access_tokens in the URL. We've also disabled the use of API authentication using query parameters. We instead recommend using API authentication in the request header.

The CodeQL runner is deprecated in GitHub Enterprise Server 3.4 and is no longer supported. The deprecation only affects users who use CodeQL code scanning in third party CI/CD systems; GitHub Actions users are not affected. We strongly recommend that customers migrate to the CodeQL CLI, which is a feature-complete replacement for the CodeQL runner. For more information, see the GitHub changelog.

Starting in GitHub Enterprise Server 3.1, support for GitHub's proprietary bit-cache extensions began to be phased out. These extensions are deprecated in GitHub Enterprise Server 3.3 onwards.

Any repositories that were already present and active on 你的 GitHub Enterprise Server 实例 running version 3.1 or 3.2 will have been automatically updated.

Repositories which were not present and active before upgrading to GitHub Enterprise Server 3.3 may not perform optimally until a repository maintenance task is run and has successfully completed.

To start a repository maintenance task manually, browse to https://<hostname>/stafftools/repositories/<owner>/<repository>/network for each affected repository and click the Schedule button.

The theme picker for GitHub Pages has been removed from the Pages settings. For more information about configuration of themes for GitHub Pages, see "Adding a theme to your GitHub Pages site using Jekyll."

中：在 GitHub Enterprise Server 管理控制台中发现了一个允许绕过 CSRF 保护的路径遍历漏洞。 此漏洞影响 3.5 之前的所有 GitHub Enterprise Server 版本，并在 3.1.19、3.2.11、3.3.6 和 3.4.1 中得到了修复。 此漏洞通过 GitHub Bug 赏金计划报告，编号为 CVE-2022-23732。

中：在 yajil 的 1.x 分支和 2.x 分支中发现了一个整数溢出漏洞，在处理大型 (~2GB) 输入时，该漏洞会导致随后出现堆内存损坏。 此漏洞是内部报告的，编号为 CVE-2022-24795。

如果启用了 GitHub Actions，支持包可能包含敏感文件。

包已更新到最新的安全版本。

如果使用复合操作，工作流运行可能无法完成。

启用 Dependabot 时，一个错误导致某些安全公告暂时读取为不再适用。

如果升级 GitHub Enterprise Server 后存在旧配置选项，Minio 进程的 CPU 使用率会很高。

显示了用于在管理控制台的“隐私”设置中启用 TLS 1.0 和 TLS 1.1 的选项，尽管在早期版本中移除了这些协议版本。

在 HA 环境中，首次启用 GitHub Actions 后，可能需要执行额外的手动步骤才能配置 MSSQL 复制。

经过热补丁，内部配置文件的子集更新会更可靠。

ghe-run-migrations 脚本有时无法正确生成临时证书名称。

由于 syscall 权限不足，使用 gpg --import 的预接收挂钩超时。

在某些群集拓扑中，Webhook 交付信息不可用。

GitHub Actions 部署图在呈现待处理作业时会显示错误。

运行迁移时，Elasticsearch 运行状况检查不允许出现黄色群集状态。

使用迁移 API 时，未处理排队的导出作业。

存储库将在 Web UI 中显示非功能性讨论选项卡。

由于用户将其用户帐户转换为组织帐户而创建的组织未添加到全局企业帐户中。

尝试同步之前已同步的 GPG 密钥时，LDAP 用户同步作业会失败。

指向无法访问页面的链接已被删除。

由于大量不必要的后台作业排队，一些实例遇到了高 CPU 使用率。

空存储库未正确同步到缓存服务器。

将团队添加为拉取请求的审阅者时，有时会显示不正确的团队成员数量。

尝试删除通过 SCIM 组外部管理的成员时，删除团队成员资格 API 终结点将响应错误。

大量休眠用户可能会导致 GitHub Connect 配置失败。

站点管理员 Web UI 中的“功能和 beta 版本注册”页面无法正确使用。

单击站点页脚中的“站点管理员模式”链接时，其状态未发生更改。

使用 ghe-migrator 或从 GitHub.com 导出时，导出将不包含拉取请求附件。

增加了 Memcached 连接上限，可更好地适应大型群集拓扑。

依赖项关系图 API 以前使用静态定义的端口运行。

已更新与群集相关的 Elasticsearch 分片设置的默认分片计数。

迁移 API 现在生成存储库的导出。

在“人员”页面上按组织角色筛选企业成员时，改进了下拉菜单项的文本。

“会审”和“维护”团队角色在存储库迁移期间保留。

企业所有者提出的 Web 请求的性能已得到改进。

在新建的没有任何用户的 GitHub Enterprise Server 实例上，攻击者可以创建第一个管理员用户。

自定义防火墙规则在升级过程中被删除。

通过 Web 界面上传的 Git LFS 跟踪文件被错误地直接添加到存储库。

如果问题包含文件路径长于 255 个字符的同一存储库中 blob 的永久链接，则问题无法关闭。

对 GitHub Connect 启用“用户可以搜索 GitHub.com”后，专用和内部存储库中的问题不包括在 GitHub.com 搜索结果中。

GitHub Packages npm 注册表不再在元数据响应中返回时间值。 这样可以大幅改善性能。 我们继续拥有将时间值作为元数据响应的一部分返回所需的所有数据，并将在以后解决现有性能问题后恢复返回该值。

特定于处理预接收挂钩的资源限制可能导致部分预接收挂钩失败。

在多个级别（例如，企业和组织）使用 --ephemeral 参数注册自承载运行器后，运行器可能会陷入空闲状态并需要重新注册。 [更新时间：2022-06-17]

在 GitHub Enterprise Server 3.4.0 和 3.4.1 中使用 SAML 加密断言时，SPSSODescriptor 中的新 XML 属性 WantAssertionsEncrypted 包含 SAML 元数据的无效属性。 使用此 SAML 元数据终结点的 IdP 在验证 SAML 元数据 XML 模式时可能会遇到错误。 修复程序将在下一个修补程序版本中提供。 [更新时间：2022-04-11]

若要解决此问题，可以执行以下两个操作之一。

• WantAssertionsEncrypted 属性的 SAML 元数据的静态副本来重新配置 IdP。
• 复制 SAML 元数据，删除 WantAssertionsEncrypted 属性，将其托管在 Web 服务器上，然后重新配置 IdP 以指向该 URL。

在某些情况下，升级到 GitHub Enterprise Server 3.5 或更高版本的 GitHub Advanced Security 客户可能会注意到 Web UI 和 REST API 中缺少来自机密扫描的警报。 若要确保警报保持可见，请勿在从早期版本升级到 3.5 或更高版本时跳过 3.4。 3.5.5 和 3.6.1 补丁版本中提供了修补程序。

若要计划到 3.4 的升级，请参阅升级助手。 [更新日期：2022-09-01]

GitHub Pages 构建可能会在 AWS 中配置为高可用性的实例上超时。 [更新时间：2022-11-28]

GitHub Enterprise Server 3.0 已于 2022 年 2 月 16 日停用。 这意味着，在此日期之后，即使针对重大安全问题，也不会发布补丁。 为了获得更好的性能、更高的安全性和新功能，请尽快升级到最新版本的 GitHub Enterprise Server。

GitHub Enterprise Server 3.1 将于 2022 年 6 月 3 日停用。 这意味着，在此日期之后，即使针对重大安全问题，也不会发布补丁。 为了获得更好的性能、更高的安全性和新功能，请尽快升级到最新版本的 GitHub Enterprise Server。

从 GitHub Enterprise Server 3.3 开始，XenServer 上的 GitHub Enterprise Server 已弃用且不再受支持。 如果有任何疑问或顾虑，请联系 GitHub 支持。

由于使用率低，我们已在 GitHub Enterprise Server 3.4 中弃用了内容引用 API 预览版。 以前可通过 corsair-preview 标头访问 API。 用户可以在没有此 API 的情况下继续导航到外部 URL。 内容引用 API 的任何注册使用将不再收到来自注册域的 URL 的 Webhook 通知，并且我们不再返回有效的响应代码来尝试更新现有内容附件。

可通过 scarlet-witch-preview 标头访问的行为准则 API 预览版已弃用，并且在 GitHub Enterprise Server 3.4 中不再可访问。 我们建议使用“获取社区配置文件指标”终结点来检索有关存储库行为准则的信息。 有关详细信息，请参阅 GitHub 更改日志中的“弃用通知：行为准则 API 预览版”。

从 GitHub Enterprise Server 3.4 开始，OAuth 应用程序 API 终结点的弃用版本已删除。 如果在这些终结点上遇到 404 错误消息，请将代码转换为 URL 中没有 access_tokens 的 OAuth 应用程序 API 版本。 我们还禁用了使用查询参数的 API 身份验证。 我们建议使用请求标头中的 API 身份验证。

CodeQL 运行器在 GitHub Enterprise Server 3.4 中已弃用且不再受支持。 弃用仅影响在第三方 CI/CD 系统中使用 CodeQL 代码扫描的用户；GitHub Actions 用户不受影响。 我们强烈建议客户迁移到 CodeQL CLI，它是 CodeQL 运行器功能完善的替代项。 有关详细信息，请参阅 GitHub 更改日志。

从 GitHub Enterprise Server 3.1 开始，对 GitHub 的专有位缓存扩展的支持开始逐步停止。这些扩展在 GitHub Enterprise Server 3.3 及更高版本中已弃用。

运行版本 3.1 或 3.2 的 你的 GitHub Enterprise Server 实例 上已经存在并处于活动状态的任何存储库都将自动更新。

存储库维护任务运行并成功完成后，在升级到 GitHub Enterprise Server 3.3 之前不存在且处于活动状态的存储库才能够以最佳方式执行。

若要手动启动存储库维护任务，请浏览到每个受影响的存储库的 https://<hostname>/stafftools/repositories/<owner>/<repository>/network，然后单击计划按钮。

GitHub Advanced Security customers can now use the REST API to retrieve commit details of secrets detected in private repository scans. The new endpoint returns details of a secret's first detection within a file, including the secret's location and commit SHA. For more information, see "Secret scanning" in the REST API documentation.

Enterprise and organization owners can now export their GitHub Advanced Security license usage data to a CSV file. The Advanced Security billing data can also be retrieved via billing endpoints in the REST API. For more information, see the "GitHub changelog."

You can now reuse entire workflows as if they were an action. This feature is available in public beta. Instead of copying and pasting workflow definitions across repositories, you can now reference an existing workflow with a single line of configuration. For more information, see the "GitHub changelog."

Dependabot is now available in GitHub Enterprise Server 3.4 as a public beta, offering both version updates and security updates for several popular ecosystems. Dependabot on GitHub Enterprise Server requires GitHub Actions and a pool of self-hosted runners configured for Dependabot use. Dependabot on GitHub Enterprise Server also requires GitHub Connect and Dependabot to be enabled by an administrator. Beta feedback and suggestions can be shared in the Dependabot Feedback GitHub discussion. For more information and to try the beta, see "Setting up Dependabot security and version updates on your enterprise."

If you use SAML authentication for GitHub Enterprise Server, you can now configure encrypted assertions from your IdP to improve security. Encrypted assertions add an additional layer of encryption when your IdP transmits information to 你的 GitHub Enterprise Server 实例. For more information, see "Using SAML."

In GitHub Mobile for iOS 1.80.0 and later, users can now edit files within a pull request's topic branch. Support for editing files will come to GitHub Mobile for Android in a future release. [Updated: 2022-09-13]

Users can now choose the number of spaces a tab is equal to, by setting their preferred tab size in the "Appearance" settings of their user account. All code with a tab indent will render using the preferred tab size.

The GitHub Connect data connection record now includes a count of the number of active and dormant users and the configured dormancy period.

You can now give users access to enterprise-specific links by adding custom footers to GitHub Enterprise Server. For more information, see "Configuring custom footers."

WireGuard, used to secure communication between GitHub Enterprise Server instances in a High Availability configuration, has been migrated to the Kernel implementation.

Organization owners can now unsubscribe from email notifications when new deploy keys are added to repositories belonging to their organizations. For more information, see "Configuring notifications."

Notification emails from newly created issues and pull requests now include (Issue #xx) or (PR #xx) in the email subject, so you can recognize and filter emails that reference these types of issues.

Organizations can now display a README.md file on their profile Overview. For more information, see the "GitHub changelog."

Members of organizations can now view a list of their enterprise owners under the organization's "People" tab. The enterprise owners list is also now accessible using the GraphQL API. For more information, see the "enterpriseOwners" field under the Organization object in the GraphQL API documentation.

A "Manage Access" section is now shown on the "Collaborators and teams" page in your repository settings. The new section makes it easier for repository administrators to see and manage who has access to their repository, and the level of access granted to each user. Administrators can now:

• Search all members, teams and collaborators who have access to the repository.
• View when members have mixed role assignments, granted to them directly as individuals or indirectly via a team. This is visualized through a new "mixed roles" warning, which displays the highest level role the user is granted if their permission level is higher than their assigned role.
• Manage access to popular repositories reliably, with page pagination and fewer timeouts when large groups of users have access.

GitHub Enterprise Server 3.4 includes improvements to the repository invitation experience, such as notifications for private repository invites, a UI prompt when visiting a private repository you have a pending invitation for, and a banner on a public repository overview page when there is an pending invitation.

You can now use single-character prefixes for custom autolinks. Autolink prefixes also now allow ., -, _, +, =, :, /, and # characters, as well as alphanumerics. For more information about custom autolinks, see "Configuring autolinks to reference external resources."

A CODE_OF_CONDUCT.md file in the root of a repository is now highlighted in the "About" sidebar on the repository overview page.

GitHub Enterprise Server 3.4 includes improvements to the Releases UI, such as automatically generated release notes which display a summary of all the pull requests for a given release. For more information, see the "GitHub changelog."

When a release is published, an avatar list is now displayed at the bottom of the release. Avatars for all user accounts mentioned in the release notes are shown. For more information, see "Managing releases in a repository."

You can now use the new "Accessibility" settings page to manage your keyboard shortcuts. You can choose to disable keyboard shortcuts that only use single characters like S, G C, and . (the period key). For more information, see the "GitHub changelog."

You can now choose to use a fixed-width font in Markdown-enabled fields, like issue comments and pull request descriptions. For more information, see the "GitHub changelog."

You can now paste a URL on selected text to quickly create a Markdown link. This works in all Markdown-enabled fields, such as issue comments and pull request descriptions. For more information, see the "GitHub changelog."

An image URL can now be appended with a theme context, such as #gh-dark-mode-only, to define how the Markdown image is displayed to a viewer. For more information, see the "GitHub changelog."

When creating or editing a gist file with the Markdown (.md) file extension, you can now use the "Preview" or "Preview Changes" tab to display a Markdown rendering of the file contents. For more information, see the "GitHub changelog."

When typing the name of a GitHub user in issues, pull requests and discussions, the @mention suggester now ranks existing participants higher than other GitHub users, so that it's more likely the user you're looking for will be listed.

Right-to-left languages are now supported natively in Markdown files, issues, pull requests, discussions, and comments.

The diff setting to hide whitespace changes in the pull request "Files changed" tab is now retained for your user account for that pull request. The setting you have chosen is automatically reapplied if you navigate away from the page and then revisit the "Files changed" tab of the same pull request.

When using auto assignment for pull request code reviews, you can now choose to only notify requested team members independently of your auto assignment settings. This setting is useful in scenarios where many users are auto assigned but not all users require notification. For more information, see the "GitHub changelog."

Organization and repository administrators can now trigger webhooks to listen for changes to branch protection rules on their repositories. For more information, see the "branch_protection_rule" event in the webhooks events and payloads documentation.

When configuring protected branches, you can now enforce that a required status check is provided by a specific GitHub App. If a status is then provided by a different application, or by a user via a commit status, merging is prevented. This ensures all changes are validated by the intended application. For more information, see the "GitHub changelog."

Only users with administrator permissions are now able to rename protected branches and modify branch protection rules. Previously, with the exception of the default branch, a collaborator could rename a branch and consequently any non-wildcard branch protection rules that applied to that branch were also renamed. For more information, see "Renaming a branch" and "Managing a branch protection rule."

Administrators can now allow only specific users and teams to bypass pull request requirements. For more information, see the "GitHub changelog."

Administrators can now allow only specific users and teams to force push to a repository. For more information, see the "GitHub changelog."

When requiring pull requests for all changes to a protected branch, administrators can now choose if approved reviews are also a requirement. For more information, see the "GitHub changelog."

GitHub Actions workflows triggered by Dependabot for the create, deployment, and deployment_status events now always receive a read-only token and no secrets. Similarly, workflows triggered by Dependabot for the pull_request_target event on pull requests where the base ref was created by Dependabot, now always receive a read-only token and no secrets. These changes are designed to prevent potentially malicious code from executing in a privileged workflow. For more information, see "Automating Dependabot with GitHub Actions."

Workflow runs on push and pull_request events triggered by Dependabot will now respect the permissions specified in your workflows, allowing you to control how you manage automatic dependency updates. The default token permissions will remain read-only. For more information, see the "GitHub changelog."

GitHub Actions workflows triggered by Dependabot will now be sent the Dependabot secrets. You can now pull from private package registries in your CI using the same secrets you have configured for Dependabot to use, improving how GitHub Actions and Dependabot work together. For more information, see "Automating Dependabot with GitHub Actions."

You can now manage runner groups and see the status of your self-hosted runners using new Runners and Runner Groups pages in the UI. The Actions settings page for your repository or organization now shows a summary view of your runners, and allows you to deep dive into a specific runner to edit it or see what job it may be currently running. For more information, see the "GitHub changelog."

Actions authors can now have their action run in Node.js 16 by specifying runs.using as node16 in the action's action.yml. This is in addition to the existing Node.js 12 support; actions can continue to specify runs.using: node12 to use the Node.js 12 runtime.

For manually triggered workflows, GitHub Actions now supports the choice, boolean, and environment input types in addition to the default string type. For more information, see "on.workflow_dispatch.inputs."

Actions written in YAML, also known as composite actions, now support if conditionals. This lets you prevent specific steps from executing unless a condition has been met. Like steps defined in workflows, you can use any supported context and expression to create a conditional.

The search order behavior for self-hosted runners has now changed, so that the first available matching runner at any level will run the job in all cases. This allows jobs to be sent to self-hosted runners much faster, especially for organizations and enterprises with lots of self-hosted runners. Previously, when running a job that required a self-hosted runner, GitHub Actions would look for self-hosted runners in the repository, organization, and enterprise, in that order.

Runner labels for GitHub Actions self-hosted runners can now be listed, added and removed using the REST API. For more information about using the new APIs at a repository, organization, or enterprise level, see "Repositories", "Organizations", and "Enterprises" in the REST API documentation.

Dependency graph now supports detecting Python dependencies in repositories that use the Poetry package manager. Dependencies will be detected from both pyproject.toml and poetry.lock manifest files.

When configuring Dependabot security and version updates on GitHub Enterprise Server, we recommend you also enable Dependabot in GitHub Connect. This will allow Dependabot to retrieve an updated list of dependencies and vulnerabilities from GitHub.com, by querying for information such as the changelogs of the public releases of open source code that you depend upon. For more information, see "Enabling the dependency graph and Dependabot alerts for your enterprise."

Dependabot alerts alerts can now be dismissed using the GraphQL API. For more information, see the "dismissRepositoryVulnerabilityAlert" mutation in the GraphQL API documentation.

The CodeQL CLI now supports including markdown-rendered query help in SARIF files, so that the help text can be viewed in the code scanning UI when the query generates an alert. For more information, see the "GitHub changelog."

The CodeQL CLI and Visual Studio Code extension now support building databases and analyzing code on machines powered by Apple Silicon, such as Apple M1. For more information, see the "GitHub changelog."

The depth of CodeQL's analysis has been improved by adding support for more libraries and frameworks from the Python ecosystem. As a result, CodeQL can now detect even more potential sources of untrusted user data, steps through which that data flows, and potentially dangerous sinks where the data could end up. This results in an overall improvement of the quality of code scanning alerts. For more information, see the "GitHub changelog."

Code scanning with CodeQL now includes beta support for analyzing code in all common Ruby versions, up to and including 3.02. For more information, see the "GitHub changelog."

Several improvements have been made to the code scanning API:

• The fixed_at timestamp has been added to alerts. This timestamp is the first time that the alert was not detected in an analysis.
• Alert results can now be sorted using sort and direction on either created, updated or number. For more information, see "List code scanning alerts for a repository."
• A Last-Modified header has been added to the alerts and alert endpoint response. For more information, see Last-Modified in the Mozilla documentation.
• The relatedLocations field has been added to the SARIF response when you request a code scanning analysis. The field may contain locations which are not the primary location of the alert. See an example in the SARIF spec and for more information see "Get a code scanning analysis for a repository."
• Both help and tags data have been added to the webhook response alert rule object. For more information, see "Code scanning alert webhooks events and payloads."
• Personal access tokens with the public_repo scope now have write access for code scanning endpoints on public repos, if the user has permission.

For more information, see "Code scanning" in the REST API documentation.

GitHub Advanced Security customers can now use the REST API to retrieve private repository secret scanning results at the enterprise level. The new endpoint supplements the existing repository-level and organization-level endpoints. For more information, see "Secret scanning" in the REST API documentation.

Support for GitHub Mobile is now enabled by default for new GitHub Enterprise Server instances. If you have not explicitly disabled or enabled GitHub Mobile, GitHub Mobile will be enabled when you upgrade to GitHub Enterprise Server 3.4.0 or later. If you previously disabled or enabled GitHub Mobile for your instance, your preference will be preserved upon upgrade. For more information, see "Managing GitHub Mobile for your enterprise."

On a freshly set up GitHub Enterprise Server instance without any users, an attacker could create the first admin user.

Custom firewall rules are removed during the upgrade process.

Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.

Issues cannot be closed if they contain a permalink to a blob in the same repository, where the blob's file path is longer than 255 characters.

When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

The GitHub Packages npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.

Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.

Actions services needs to be restarted after restoring appliance from backup taken on a different host.

After registering a self-hosted runner with the --ephemeral parameter on more than one level (for example, both enterprise and organization), the runner may get stuck in an idle state and require re-registration. [Updated: 2022-06-17]

When using SAML encrypted assertions with GitHub Enterprise Server 3.4.0 and 3.4.1, a new XML attribute WantAssertionsEncrypted in the SPSSODescriptor contains an invalid attribute for SAML metadata. IdPs that consume this SAML metadata endpoint may encounter errors when validating the SAML metadata XML schema. A fix will be available in the next patch release. [Updated: 2022-04-11]

To work around this problem, you can take one of the two following actions.

• Reconfigure the IdP by uploading a static copy of the SAML metadata without the WantAssertionsEncrypted attribute.
• Copy the SAML metadata, remove WantAssertionsEncrypted attribute, host it on a web server, and reconfigure the IdP to point to that URL.

在某些情况下，升级到 GitHub Enterprise Server 3.5 或更高版本的 GitHub Advanced Security 客户可能会注意到 Web UI 和 REST API 中缺少来自机密扫描的警报。 若要确保警报保持可见，请勿在从早期版本升级到 3.5 或更高版本时跳过 3.4。 3.5.5 和 3.6.1 补丁版本中提供了修补程序。

若要计划到 3.4 的升级，请参阅升级助手。 [更新日期：2022-09-01]

GitHub Pages builds may time out on instances in AWS that are configured for high availability. [Updated: 2022-11-28]

GitHub Enterprise Server 3.0 was discontinued on February 16, 2022. This means that no patch releases will be made, even for critical security issues, after this date. For better performance, improved security, and new features, upgrade to the newest version of GitHub Enterprise Server as soon as possible.

GitHub Enterprise Server 3.1 will be discontinued on June 3, 2022. This means that no patch releases will be made, even for critical security issues, after this date. For better performance, improved security, and new features, upgrade to the newest version of GitHub Enterprise Server as soon as possible.

Starting in GitHub Enterprise Server 3.3, GitHub Enterprise Server on XenServer was deprecated and is no longer supported. Please contact GitHub Support with questions or concerns.

Due to low usage, we have deprecated the Content References API preview in GitHub Enterprise Server 3.4. The API was previously accessible with the corsair-preview header. Users can continue to navigate to external URLs without this API. Any registered usages of the Content References API will no longer receive a webhook notification for URLs from your registered domain(s) and we no longer return valid response codes for attempted updates to existing content attachments.

The Codes of Conduct API preview, which was accessible with the scarlet-witch-preview header, is deprecated and no longer accessible in GitHub Enterprise Server 3.4. We instead recommend using the "Get community profile metrics" endpoint to retrieve information about a repository's code of conduct. For more information, see the "Deprecation Notice: Codes of Conduct API preview" in the GitHub changelog.

Starting with GitHub Enterprise Server 3.4, the deprecated version of the OAuth Application API endpoints have been removed. If you encounter 404 error messages on these endpoints, convert your code to the versions of the OAuth Application API that do not have access_tokens in the URL. We've also disabled the use of API authentication using query parameters. We instead recommend using API authentication in the request header.

The CodeQL runner is deprecated in GitHub Enterprise Server 3.4 and is no longer supported. The deprecation only affects users who use CodeQL code scanning in third party CI/CD systems; GitHub Actions users are not affected. We strongly recommend that customers migrate to the CodeQL CLI, which is a feature-complete replacement for the CodeQL runner. For more information, see the GitHub changelog.

Starting in GitHub Enterprise Server 3.1, support for GitHub's proprietary bit-cache extensions began to be phased out. These extensions are deprecated in GitHub Enterprise Server 3.3 onwards.

Any repositories that were already present and active on 你的 GitHub Enterprise Server 实例 running version 3.1 or 3.2 will have been automatically updated.

Repositories which were not present and active before upgrading to GitHub Enterprise Server 3.3 may not perform optimally until a repository maintenance task is run and has successfully completed.

To start a repository maintenance task manually, browse to https://<hostname>/stafftools/repositories/<owner>/<repository>/network for each affected repository and click the Schedule button.

GitHub Connect will no longer work after June 3rd for instances running GitHub Enterprise Server 3.1 or older, due to the format of GitHub authentication tokens changing. For more information, see the GitHub changelog. [Updated: 2022-06-14]