Enterprise Server 3.5 release notes

MEDIUM: Scoped installation tokens for a GitHub App kept approved permissions after the permissions on the integration installation were downgraded or removed. GitHub has requested CVE ID CVE-2023-23765 for this vulnerability, which was reported via the GitHub Bug Bounty program.

MEDIUM: Updated Git to include fixes from 2.40.1.

If a user's request to the instance's API included authentication credentials within a URL parameter, administrators could see the credentials in JSON within the instance's audit log.

Packages have been updated to the latest security versions.

If an administrator updated the instance's TLS certificate using the Management Console API's Set settings endpoint, sending the certificate and key data as a URL query parameter resulted in the data appearing unmasked in system logs.

Determining suggested reviewers on a pull request could time out or be very slow.

If a configuration runs fails due to Elasticsearch errors, ghe-config-apply displays a more actionable error message.

MEDIUM: Scoped installation tokens for a GitHub App kept approved permissions after the permissions on the integration installation were downgraded or removed. GitHub has requested CVE ID CVE-2023-23765 for this vulnerability, which was reported via the GitHub Bug Bounty program.

Packages have been updated to the latest security versions.

On an instance in a cluster configuration, when upgrading the MySQL master node, the post-upgrade configuration run would take 600 seconds longer than required due to incorrect detection of unhealthy nodes.

If an instance has tens of thousands of deleted repositories, an upgrade from GitHub Enterprise Server 3.6 or 3.7 can take longer than expected. To decrease the risk of a long-running upgrade, before upgrading, someone with administrative SSH access to the instance can run the ghe-purge-deleted-repositories script. Warning: You cannot restore a purged repository. Use the script with caution. For assistance using the script, contact GitHub Enterprise Support.

If a user clicked the link to share feedback or report bugs for the beta of user lists, the web interface responded with a 404 error.

GitHub Enterprise Server published distribution metrics that cannot be processed by collectd. The metrics included pre_receive.lfsintegrity.dist.referenced_oids, pre_receive.lfsintegrity.dist.unknown_oids, and git.hooks.runtime.

People with administrative SSH access to an instance can configure the maximum memory usage in gigabytes for Redis using ghe-config redis.max-memory-gb VALUE.

MEDIUM: Updated Git to include fixes from 2.40.1. For more information, see Git security vulnerabilities announced on the GitHub Blog.

Users were unable to upload GIF files as attachments within a comment in an issue or pull request.

A site administrator could not bypass a proxy for a top-level domain (TLD) from the instance's exception list or IANAs registered top-level domains (TLDs).

On some platforms, after someone with administrative SSH access ran ghe-diagnostics, the command's output included a cosmetic SG_IO error.

After restoration of a deleted organization, the organization did not appear in the instances list of organizations.

When a site administrator used GitHub Enterprise Importer to import data from GitHub Enterprise Cloud, migrations failed during the import of file-level comments. This failure no longer prevents the import from proceeding.

When a site administrator used GitHub Enterprise Importer, import of a repository failed if a project column in the repository contained 2,500 or more archived cards.

The GITHUB_REF_PROTECTED environment variable and github.ref_protected contexts were incorrectly set as false when branch protections did exist.

On an instance with a GitHub Advanced Security license that was also configured for a timezone greater than UTC, the list of secret scanning alerts displayed a "Loading secrets failed" error if a user sorted secrets by date in descending order.

People with administrative SSH access who generate a support bundle using the ghe-support-bundle or ghe-cluster-support-bundle utilities can specify the period of time to gather data with -p or --period without using spaces or quotes. For example, in addition to '-p 5 days' or -p '4 days 10 hours', -p 5days or -p 4days10hours are valid.

In some cases, graphs on the Management Console's monitor dashboard failed to render.

On an instance with GitHub Connect enabled, if "Users can search GitHub.com" was enabled, issues in private and internal repositories were not included in users search results for GitHub.com.

To avoid a failure during a configuration run on a cluster, validation of cluster.conf with the ghe-cluster-config-check utility ensures that the consul-datacenter field for each node matches the top-level primary-datacenter field.

If a site administrator provides an invalid configuration for blob storage for GitHub Actions or GitHub Packages on an instance, the preflight checks page displays details and troubleshooting information.

HIGH: Addressed an improper authentication vulnerability that allowed an unauthorized actor to modify other users' secret gists by authenticating through an SSH certificate authority. This vulnerability was reported via the GitHub Bug Bounty Program and has been assigned CVE-2023-23761. [Updated: 2023-04-07]

MEDIUM: Addressed an incorrect comparison vulnerability that allowed commit smuggling by displaying an incorrect diff. This vulnerability was reported via the GitHub Bug Bounty Program and has been assigned CVE-2023-23762. [Updated: 2023-04-07]

In the Management Console's monitor dashboard, the Cached Requests and Served Requests graphs, which are retrieved by the git fetch catching command, did not display metrics for the instance.

After a site administrator exempted the @github-actions[bot] user from rate limiting by using the ghe-config app.github.rate-limiting-exempt-users "github-actions[bot]" command, running ghe-config-check caused a Validation is-valid-characterset failed warning to appear.

GitHub Actions (actions) and Microsoft SQL (mssql) did not appear in the list of processes within the instances monitor dashboard.

After an administrator used the /setup/api/start REST API endpoint to upload a license, the configuration run failed with a Connection refused error during the migrations phase.

On an instance in a high availability configuration, if an administrator tore down replication from a replica node using ghe-repl-teardown immediately after running ghe-repl-setup, but before ghe-repl-start, an error indicated that the script cannot launch /usr/local/bin/ghe-single-config-apply - run is locked. ghe-repl-teardown now displays an informational alert and continues the teardown.

On an instance in a cluster configuration, when a site administrator set maintenance mode using ghe-maintenance -s, a Permission denied error appeared when the utility tried to access /data/user/common/cluster.conf.

During configuration of high availability, if a site administrator interrupted the ghe-repl-start utility, the utility erroneously reported that replication was configured, and the instance would not perform expected clean-up operations.

When a site administrator used ghe-migrator to migrate data to GitHub Enterprise Server, in some cases, nested team relationships would not persist after teams were imported.

If a repository contained a CODEOWNERS file, pull requests in the repository intermittently failed to display the files validity or updated code owner information, requiring the user to reload the page.

The CSV reports for all users and all active users, available from the site admin dashboard, did not consider recent access using SSH or personal access tokens.

On an instance with GitHub Connect enabled, if "Users can search GitHub.com" was enabled, users would not see issues in private and internal repositories in search results for GitHub.com.

GitHub Enterprise Server published distribution metrics that cannot be processed by collectd. The metrics included pre_receive.lfsintegrity.dist.referenced_oids, pre_receive.lfsintegrity.dist.unknown_oids, and git.hooks.runtime.

After an enterprise owner enables Dependabot updates, the instance creates the initial set of updates faster.

On an instance in a cluster configuration, when a site administrator sets maintenance mode on a single cluster node using ghe-maintenance -s, the utility warns the administrator to use ghe-cluster-maintenance -s to set maintenance mode on all of the clusters nodes. For more information, see "Enabling and scheduling maintenance mode."

When a site administrator configures an outbound web proxy server for GitHub Enterprise Server, the instance now validates top-level domains (TLDs) excluded from the proxy configuration. By default, you can exclude public TLDs that the IANA specifies. Site administrators can specify a list of unregistered TLDs to exclude using ghe-config. The . prefix is required for any public TLDs. For example, .example.com is valid, but example.com is invalid. For more information, see "Configuring an outbound web proxy server."

To avoid intermittent issues with the success of Git operations on an instance with multiple nodes, GitHub Enterprise Server checks the status of the MySQL container before attempting a SQL query. The timeout duration has also been reduced.

The default path for output from ghe-saml-mapping-csv -d is /data/user/tmp instead of /tmp. For more information, see "Command-line utilities."

HIGH: A path traversal vulnerability was identified in GitHub Enterprise Server that allowed remote code execution when building a GitHub Pages site. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the GitHub Enterprise Server instance. This vulnerability was reported via the GitHub Bug Bounty Program and has been assigned CVE-2023-23760. [Updated: 2023-03-10]

When viewing a list of open sessions for the devices logged into a user account, the GitHub Enterprise Server web UI could display an incorrect location.

In the rare case when primary shards for Elasticsearch were located on a replica node, the ghe-repl-stop command would fail with ERROR: Running migrations.

HIGH: Updated Git to include fixes from 2.39.2, which address CVE-2023-22490 and CVE-2023-23946.

Packages have been updated to the latest security versions.

When using a VPC endpoint URL as an AWS S3 URL for GitHub Packages, publication and installation of packages failed.

MEDIUM: A code injection vulnerability was identified in GitHub Enterprise Server that allowed setting arbitrary environment variables from a single environment variable value in GitHub Actions when using a Windows based runner due to improper sanitization of null bytes. To exploit this vulnerability, an attacker would need existing permission to control the value of environment variables for use with GitHub Actions. This vulnerability was reported via the GitHub Bug Bounty Program and has been assigned CVE-2023-22381.

Packages have been updated to the latest security versions.

During the validation phase of a configuration run, a No such object error may have occurred for the Notebook and Viewscreen services.

When enabling automatic TLS certificate management with Let's Encrypt, the process could fail with the error The certificate is not signed by a trusted certificate authority (CA) or the certificate chain in missing intermediate CA signing certificates.

When a timeout occurs during diff generation, such as when a commit displays an error that the diff is taking too long to generate, the push webhook event will deliver empty diff information. Previously, the push webhook event would fail to be delivered.

HIGH: Updated Git to include fixes from 2.39.1, which address CVE-2022-41903 and CVE-2022-23521.

Sanitize additional secrets in support bundles and the configuration log.

Dependencies for the CodeQL action have been updated to the latest security versions.

Packages have been updated to the latest security versions.

The metrics Active workers and Queued requests for github (renamed from metadata), gitauth, and unicorn container services werent correctly read from collectd and displayed in the Management Console.

Dependabot Alert emails would be sent to disabled repositories.

Repositories locked for migration would allow files to be edited in the web UI.

When viewing a pull requests diff for a large file with many lines between changes, it was not possible to expand the view to display all of the changes.

The git-janitorcommand was unable to fix outdated multi-pack-index.lock files, resulting in the repository failing maintenance.

The ghe-support-bundle and ghe-cluster-support-bundle commands were updated to include the -p/--period flag to generate a time constrained support bundle. The duration can be specified in days and hours, for example: -p '2 hours', -p '1 day', -p '2 days 5 hours'.

The performance of configuration runs started with ghe-config-apply has been improved.

When upgrading an instance with a new root partition, running the ghe-upgrade command with the -t/--target option ensures the preflight check for the minimum disk storage size is executed against the target partition.

When exporting account data, backing up a repository, or performing a migration, the link to a repository archive now expires after 1 hour. Previously the archive link expired after 5 minutes.

HIGH: A path traversal vulnerability was identified in GitHub Enterprise Server that allowed remote code execution when building a GitHub Pages site. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the instance. This vulnerability was reported via the GitHub Bug Bounty Program and has been assigned CVE-2022-46256.

HIGH: An incorrect authorization vulnerability allowed a scoped user-to-server token to escalate to full admin access for a repository. An attacker would require an account with admin access to install a malicious GitHub App. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.7.0. This vulnerability was reported via the GitHub Bug Bounty program and has been assigned CVE-2022-23741.

MEDIUM: An information disclosure vulnerability was identified in GitHub Enterprise Server that allowed private repositories to be added to a GitHub Actions runner group via the API by a user who did not have access to those repositories, resulting in the repository names being shown in the UI. To exploit this vulnerability, an attacker would need access to the GHES instance, permissions to modify GitHub Actions runner groups, and successfully guess the obfuscated ID of private repositories. This vulnerability was reported via the GitHub Bug Bounty Program and has been assigned CVE-2022-46257.

If a GitHub Actions dependency uses a pinned SHA version, Dependabot will no longer mark the dependency as vulnerable.

When a site administrator ran the ghe-repl-sync-ca-certificates command from an instances primary node via the administrative shell (SSH), the command only replicated CA certificates from the instances primary node to a single replica node. The command did not replicate the certificates to all available replica nodes.

Installation of GitHub Enterprise Server on the VMware ESXi hypervisor failed due to the generation of an OVA file with an invalid capacity value.

When users performed an operation using the API, GitHub Enterprise Server enforced repository size quotas even when disabled globally.

The member webhook event did not include the from and to field values for the permission field as part of the changes field.

After a user's account was deleted from the instance, image attachments that the user uploaded in comments were no longer visible in the web interface.

In some cases, the page for setting up code scanning would erroneously report that GitHub Actions was not configured for the instance.

If a user uploaded more than one file while creating a new Gist, the user could not delete any files uploaded after the first.

A debug-level message appeared in a system log, which could consume space rapidly on the instance's root storage volume.

MEDIUM: Updated CommonMarker to address a scenario where parallel requests to the Markdown REST API could result in unbounded resource exhaustion. This vulnerability has been assigned CVE-2022-39209.

MEDIUM: Scoped user-to-server tokens from GitHub Apps could bypass authorization checks in GraphQL API requests when accessing non-repository resources. This vulnerability was reported via the GitHub Bug Bounty Program and has been assigned CVE-2022-23739.

MEDIUM: Pull request preview links did not properly sanitize URLs, allowing a malicious user to embed dangerous links in the instances web UI. This vulnerability was reported via the GitHub Bug Bounty program.

MEDIUM: An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed a repository-scoped token with read/write access to modify GitHub Actions workflow files without a workflow scope. The "Repository contents" should enforce workflow scope. This vulnerability was reported via the GitHub Bug Bounty program and has been assigned CVE-2022-46258.

Setting the maintenance mode with an IP Exception List would not persist across upgrades.

GitHub Pages builds could time out on instances in AWS that are configured for high availability.

After configuration of Dependabot and alert digest emails, the instance would send digest emails to suspended users.

The audit log timestamp for Dependabot alert events returned the creation date of the alert instead of the timestamp when a user took action on the alert.

When accessing an instances JavaScript resources from behind a proxy, the browser displayed Cross-Origin Resource Sharing (CORS) errors.

If a user named a status check with leading or trailing spaces, the instance created a duplicate check if another check existed with the same name and no leading or trailing spaces.

If a user configured a pre-receive hook for multiple repositories, the instances Hooks page would not always display the correct status for the hook.

When an enterprise owner impersonated a user and tried to install a GitHub App, the button to confirm the installation was disabled and could not be clicked.

After running migrations for the GitHub Enterprise Importer on an instance configured for high availability, replication of migration storage assets would not catch up.

Zombie processes no longer accumulate in the gitrpcd container.

HIGH: Updated dependencies for the Management Console to the latest patch versions, which addresses security vulnerabilities including CVE-2022-30123 and CVE-2022-29181.

HIGH: Added checks to address an improper cache key vulnerability that allowed an unauthorized actor to access private repository files through a public repository. This vulnerability has been assigned CVE-2022-23738.

MEDIUM: Updated CommonMarker to address a scenario where parallel requests to the Markdown REST API could result in unbounded resource exhaustion. This vulnerability has been assigned CVE-2022-39209.

MEDIUM: Updated Redis to 5.0.14 to address CVE-2021-32672 and CVE-2021-32762.

MEDIUM: Updated GitHub Actions runners to fix a bug that allowed environment variables in GitHub Actions jobs to escape the context of the variable and modify the invocation of docker commands directly. For more information, see the Actions Runner security advisory.

MEDIUM: An improper privilege management vulnerability was identified in GitHub Enterprise Server that allowed users with improper privileges to create or delete pages via the API. To exploit this vulnerability, an attacker would need to be added to an organization's repo with write permissions. This vulnerability was reported via the GitHub Bug Bounty program and has been assigned CVE-2022-23737.

LOW: Due to a CSRF vulnerability, a GET request to the instance's site/toggle_site_admin_and_employee_status endpoint could toggle a user's site administrator status unknowingly.

Packages have been updated to the latest security versions.

After a site administrator made a change that triggered a configuration run, such as disabling GitHub Actions, validation of services would sometimes fail with the message WARNING: Validation encountered a problem.

After a site administrator installed a hotpatch containing changes to web interface assets such as JavaScript files or images, the instance did not serve the new assets.

When a user accessed a renamed repository using Git, the hostname in the Git output incorrectly indicated GitHub.com instead of the instance's hostname.

On instances using LDAP authentication and LDAP sync, sync would fail and print undefined method ord for nil:NilClass in ldap-sync.log.

Addressed a bug in which the endpoint for creating a tag protection state for a repository was returning a 500 error.

Deleted assets and assets scheduled to be purged within a repository, such as LFS files, took too long to to be cleaned up.

If a user installed a GitHub App for the user account and then converted the account into an organization, the app was not granted organization permissions.

Missing secret scanning alerts on instance with a GitHub Advanced Security license that was not upgraded directly to GitHub Enterprise Server 3.4 are now visible in the web interface and through the REST API.

In some cases, on an instance with a GitHub Advanced Security license, secret scanning alerts did not include a provider type, and instead indicated that the provider type was "unknown."

To ensure that site administrators can successfully complete an upgrade, the instance will now execute a preflight check to ensure that the virtual machine meets minimum hardware requirements. The check also verifies Elasticsearch's health. You can review the current requirements for CPU, memory, and storage for GitHub Enterprise Server in the "Minimum requirements" section within each article in "Setting up a GitHub Enterprise Server instance."

Repository archives for migrations now include an is_archived field.

HIGH: A GitHub App could use a scoped user-to-server token to bypass user authorization logic and escalate privileges.

MEDIUM: The use of a Unicode right-to-left override character in the list of accessible files for a GitHub App could obscure additional files that the app could access.

LOW: Granting a user the ability to bypass branch protections no longer allows the user to bypass the requirement for signature verification.

Packages have been updated to the latest security versions.

Installation of a TLS certificate failed when the certificate's subject string included UTF-8 characters.

Configuration runs could fail when retry-limit or retry-sleep-duration were manually set by an administrator using ghe-config.

The ghe-find-insecure-git-operations command did not return all insecure Git operations after each invocation.

In some cases, the Management Console's monitor dashboard would not load correctly.

Removed a non-functional link for exporting Management Console monitor graphs as a PNG image.

When sending a support bundle to GitHub Enterprise Support using ghe-support-upload, the -t option would not successfully associate the uploaded bundle with the specified ticket.

In rare cases, an upgrade from GitHub Enterprise Server 3.3 to 3.4 would incorrectly modify how data is stored, resulting in failures during future upgrades. When upgrading directly to this release from 3.3, the failure will not occur.

When using a VPC endpoint URL as an AWS S3 URL for GitHub Packages, publication and installation of packages failed.

Git clones or fetches over SSH could experience data corruption for transfers over 1GB in size.

A link back to the security settings for the instance's enterprise account could render an incorrect view.

After a user deleted or restored packages from the web interface, counts for packages could render incorrectly.

After successful configuration of Dependabot and alert digest emails, the instance would not send digest emails.

After upgrading to GitHub Enterprise Server 3.5, releases would appear to be missing from repositories. This occurred when the required Elasticsearch index migrations had not successfully completed. The releases UI now indicates if it is waiting for the Elasticsearch index migrations to complete, and links to documentation on how to observe status and immediately complete the migration.

Manually disabled GitHub Actions workflows in a repository were re-enabled if the repository received a push containing more than 2048 commits, or if the repository's default branch changed.

When viewing a pull request's diff for a large file with many lines between changes, it was not possible to expand the view to display all of the changes.

If branch protections were enabled, the GITHUB_REF_PROTECTED environment variable and github.ref_protected contexts for GitHub Actions workflow runs were incorrectly set as false.

On instances using GitHub Advanced Security, secret scanning automatically revoked personal access tokens added to public repositories.

Repositories for packages erroneously displayed a "Used by" section.

After unlocking a repository for temporary access, a site administrator was unable to manage settings for security products in the repository.

Duplicate administrative SSH keys could appear in both the Management Console and the /home/admin/.ssh/authorized_keys file.

The site admin page for individual users at http(s)://HOSTNAME/stafftools/users/USERNAME/admin contained functionality not intended for GitHub Enterprise Server.

In some cases, running ghe-cluster-config-apply could replicate an empty configuration to existing nodes in a cluster.

In some cases, configuration runs started with ghe-config-apply did not complete, or returned a Container count mismatch error.

After updating a self-signed TLS certificate on a GitHub Enterprise Server instance, UI elements on some pages in the web interface did not appear.

The site admin bar at the top of the web interface contained a broken link to the SHA for the currently running version of the application.

In some cases, background tasks could stall due to a library that was used concurrently despite not being thread-safe.

Alerts from secret scanning for GitHub Advanced Security customers were missing in the web UI and REST API if a site administrator did not upgrade directly to GitHub Enterprise Server 3.4. The alerts are now visible.

When a user forked a repository into an organization, a long list of organizations would not render properly.

Generation of support bundles is faster as a result of parallelized log sanitization. For more information about support bundles, see "Providing data to GitHub Support."

APIs that contain the organization or org route now accept either the organization's slug or ID. Previously, the APIs only accepted slugs, which caused Link headers for GitHub Advanced Security endpoints to be inaccessible. For more information, see "Organizations" in the REST API documentation.

The enterprise audit log now includes more user-generated events, such as project.create. The REST API also returns additional user-generated events, such as repo.create. For more information, see "Accessing the audit log for your enterprise" and "Using the audit log API for your enterprise."

In some cases, cache replicas could reject some Git operations on recently updated repositories. For more information about repository caching, see "About repository caching."

CRITICAL: GitHub Enterprise Server's Elasticsearch container used a version of OpenJDK 8 that was vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. The vulnerability is tracked as CVE-2022-34169.

HIGH: Previously installed apps on user accounts were automatically granted permission to access an organization on scoped access tokens after the user account was transformed into an organization account. This vulnerability was reported via the GitHub Bug Bounty program.

In some cases, GitHub Enterprise Server instances on AWS that used the r4.4xlarge instance type would fail to boot.

In some cases, UI elements within a pull request's Files changed tab could overlap.

When a custom dormancy threshold was set for the instance, suspending all dormant users did not reliably respect the threshold. For more information about dormancy, see "Managing dormant users."

When calculating committers for GitHub Advanced Security, it was not possible to specify individual repositories. For more information, see "Site admin dashboard."

In some cases, Elasticsearch's post-upgrade es:upgrade process could crash before completion.

The script for migration to internal repositories failed to convert the visibility for public repositories to internal or private. For more information about the migration, see "Migrating to internal repositories."

Detection of GitHub Actions workflow files for the dependency graph was unavailable in GitHub Enterprise Server 3.5.0, 3.5.1, 3.5.2, and 3.5.3, but is now available in 3.5.4. For more information, see "About the dependency graph."

The ability to reopen dismissed Dependabot alerts was unavailable in GitHub Enterprise Server 3.5.0, 3.5.1, 3.5.2, and 3.5.3, but is now available in 3.5.4. For more information, see "Viewing and updating Dependabot alerts."

The ability to always suggest updates from the base branch to a pull request's HEAD was unavailable in GitHub Enterprise Server 3.5.0, 3.5.1, 3.5.2, and 3.5.3, but is now available in 3.5.4. For more information, see "Managing suggestions to update pull request branches."

The light high contrast theme was unavailable in GitHub Enterprise Server 3.5.0, 3.5.1, 3.5.2, and 3.5.3, but is now available in 3.5.4. For more information, see "Managing your theme settings."

pre_receive_hook.rejected_push events were not displayed in the enterprise audit log.

MEDIUM: Prevents an attack where a server-side request forgery (SSRF) could potentially force the Subversion (SVN) bridge to execute remote code by injecting arbitrary data into Memcached.

MEDIUM: Prevents an attacker from executing Javascript code by exploiting a cross-site scripting (XSS) vulnerability in dropdown UI elements within the GitHub Enterprise Server web interface.

Updates Grafana to version 7.5.16, which addresses various security vulnerabilities including CVE-2020-13379 and CVE-2022-21702.

Packages have been updated to the latest security versions.

MEDIUM: A stored XSS vulnerability was identified in GitHub Enterprise Server that allowed the injection of arbitrary attributes. This injection was blocked by Github's Content Security Policy (CSP). This vulnerability was reported via the GitHub Bug Bounty program and has been assigned CVE-2022-23733. [Updated: 2022-07-31]

MEDIUM: A vulnerability involving deserialization of untrusted data was identified in GitHub Enterprise Server that could potentially lead to remote code execution on the Subversion (SVN) bridge. To exploit this vulnerability, an attacker would need to gain access via a server-side request forgery (SSRF) that would let an attacker control the data being deserialized. This vulnerability was reported via the GitHub Bug Bounty program and has been assigned CVE-2022-23734.

In some cases, the collectd daemon could consume excess memory.

In some cases, backups of rotated log files could accumulate and consume excess storage.

After an upgrade to a new feature release and subsequent configuration run, Elasticsearch could log excessive exceptions while rebuilding indices.

In some cases where a protected branch required more than one approving review, a pull request could be merged with fewer than the required number of approving reviews.

The GitHub Enterprise Importer did not correctly migrate settings for projects within repositories.

On instances using LDAP authentication, the authentication prompt for sudo mode incorrectly placed the cursor within the password field by default when text fields for both a username and password were visible.

The site admin dashboard erroneously included an option to export a report listing dormant users.

The Billing API's "Billing" endpoint now returns Link headers to provide information about pagination.

The Billing API's "Billing" endpoint now returns the correct number of total committers.

In the sidebar for an organization's settings, the Archive navigation item contained no children.

VMware vSphere ESXi hypervisor version 7.0 is now supported. [Updated: 2022-09-07]

The ghe-set-password command-line utility starts required services automatically when the instance is booted in recovery mode.

Metrics for aqueduct background processes are gathered for Collectd forwarding and display in the Management Console.

The location of the database migration and configuration run log, /data/user/common/ghe-config.log, is now displayed on the page that details a migration in progress.

MEDIUM: Prevents an attack where an org query string parameter can be specified for a GitHub Enterprise Server URL that then gives access to another organization's active committers.

MEDIUM: Ensures that github.company.com and github-company.com are not evaluated by internal services as identical hostnames, preventing a potential server-side security forgery (SSRF) attack.

LOW: An attacker could access the Management Console with a path traversal attack via HTTP even if external firewall rules blocked HTTP access.

Packages have been updated to the latest security versions.

Files inside an artifact archive were unable to be opened after decompression due to restrictive permissions.

In some cases, packages pushed to the Container registry were not visible in GitHub Enterprise Server's web UI.

Management Console would appear stuck on the Starting screen after upgrading an under-provisioned instance to GitHub Enterprise Server 3.5.

Redis timeouts no longer halt database migrations while running ghe-config-apply.

Background job processors would get stuck in a partially shut-down state, resulting in certain kinds of background jobs (like code scanning) appearing stuck.

In some cases, site administrators were not automatically added as enterprise owners.

Actions workflows calling other reusable workflows failed to run on a schedule.

Resolving Actions using GitHub Connect failed briefly after changing repository visibility from public to internal.

Improved the performance of Dependabot Updates when first enabled.

Increase maximum concurrent connections for Actions runners to support the GHES performance target.

The GitHub Pages build and synchronization timeouts are now configurable in the Management Console.

Added environment variable to configure Redis timeouts.

Creating or updating check runs or check suites could return 500 Internal Server Error if the value for certain fields, like the name, was too long.

Improves performance in pull requests' "Files changed" tab when the diff includes many changes.

The Actions repository cache usage policy no longer accepts a maximum value less than 1 for max_repo_cache_size_limit_in_gb.

When deploying cache-server nodes, it is now mandatory to describe the datacenter topology (using the --datacenter argument) for every node in the system. This requirement prevents situations where leaving datacenter membership set to "default" leads to workloads being inappropriately balanced across multiple datacenters.

VMware vSphere ESXi hypervisor version 7.0 is now supported. [Updated: 2022-09-07]

Packages have been updated to the latest security versions.

An internal script to validate hostnames in the GitHub Enterprise Server configuration file would return an error if the hostname string started with a "." (period character).

In HA configurations where the primary node's hostname was longer than 60 characters, MySQL would fail to be configured.

When GitHub Actions was enabled but TLS was disabled on GitHub Enterprise Server 3.4.1 and later, applying a configuration update would fail.

The --gateway argument was added to the ghe-setup-network command, to allow passing the gateway address when configuring network settings using the command line.

The GitHub Advanced Security billing API endpoints were not enabled and accessible.

Image attachments that were deleted would return a 500 Internal Server Error instead of a 404 Not Found error.

In environments configured with a repository cache server, the ghe-repl-status command incorrectly showed gists as being under-replicated.

The "Get a commit" and "Compare two commits" endpoints in the Commit API would return a 500 error if a file path in the diff contained an encoded and escaped unicode character.

The calculation of "maximum committers across entire instance" reported in the site admin dashboard was incorrect.

An incorrect database entry for repository replicas caused database corruption when performing a restore using GitHub Enterprise Server Backup Utilities.

A GitHub App would not be able to subscribe to the secret_scanning_alert_location webhook event on an installation.

The activity timeline for secret scanning alerts wasn't displayed.

Deleted repos were not purged after 90 days.

Optimised the inclusion of metrics when generating a cluster support bundle.

In HA configurations where Elasticsearch reported a valid yellow status, changes introduced in a previous fix would block the ghe-repl-stop command and not allow replication to be stopped. Using ghe-repo-stop --force will now force Elasticsearch to stop when the service is in a normal or valid yellow status.

VMware vSphere ESXi hypervisor version 7.0 is now supported. [Updated: 2022-09-07]

You can now configure an allow list of IP addresses that can access application services on your GitHub Enterprise Server instance while maintenance mode is enabled. Administrators who visit the instance's web interface from an allowed IP address can validate the instance's functionality post-maintenance and before disabling maintenance mode. For more information, see "Enabling and scheduling maintenance mode."

With custom repository roles, organizations now have more granular control over the repository access permissions they can grant to users. For more information, see "Managing custom repository roles for an organization."

A custom repository role is created by an organization owner, and is available across all repositories in that organization. Each role can be given a custom name, and a description. It can be configured from a set of over 40 fine grained permissions. Once created, repository admins can assign a custom role to any user, team or outside collaborator in their repository.

Custom repository roles can be created, viewed, edited and deleted via the new Repository roles tab in an organization's settings. A maximum of 3 custom roles can be created within an organization.

Custom repository roles are also fully supported in the GitHub Enterprise Server REST APIs. The Organizations API can be used to list all custom repository roles in an organization, and the existing APIs for granting repository access to individuals and teams have been extended to support custom repository roles. For more information, see "Organizations" in the REST API documentation.

The GitHub Container registry (GHCR) is now available in GitHub Enterprise Server 3.5 as a public beta, offering developers the ability to publish, download, and manage containers. GitHub Packages container support implements the OCI standards for hosting Docker images. For more information, see "GitHub Container registry."

Dependabot version and security updates are now generally available in GitHub Enterprise Server 3.5. All the popular ecosystems and features that work on GitHub.com repositories now can be set up on your GitHub Enterprise Server instance. Dependabot on GitHub Enterprise Server requires GitHub Actions and a pool of self-hosted Dependabot runners, GitHub Connect enabled, and Dependabot enabled by an admin. For more information, see "Setting up Dependabot updates."

You can now analyze how your team works, understand the value you get from GitHub Enterprise Server, and help us improve our products by reviewing your instance's usage data and sharing this aggregate data with GitHub. You can use your own tools to analyze your usage over time by downloading your data in a CSV or JSON file or by accessing it using the REST API. To see the list of aggregate metrics collected, see "About Server Statistics." Server Statistics data includes no personal data nor GitHub content, such as code, issues, comments, or pull requests content. For a better understanding of how we store and secure Server Statistics data, see "GitHub Security." For more information about Server Statistics, see "Analyzing how your team works with Server Statistics." This feature is available in public beta.

Site administrators can now enable and configure a rate limit for GitHub Actions. By default, the rate limit is disabled. When workflow jobs cannot immediately be assigned to an available runner, they will wait in a queue until a runner is available. However, if GitHub Actions experiences a sustained high load, the queue can back up faster than it can drain and the performance of the GitHub Enterprise Server instance may degrade. To avoid this, an administrator can configure a rate limit. When the rate limit is exceeded, additional workflow runs will fail immediately rather than being put in the queue. Once the rate has stabilized below the threshold, new runs can be queued again. For more information, see "Configuring rate limits."

GitHub Actions on GitHub Enterprise Server now supports OIDC for secure deployments to cloud providers, which uses short-lived tokens that are automatically rotated for each deployment. OIDC enables the following functionality.

• Seamless authentication between cloud providers and GitHub Enterprise Server without the need for storing any long-lived cloud secrets on your instance
• Cloud administrators can rely on the security mechanisms of a particular cloud provider to ensure that GitHub Actions workflows have minimal access to cloud resources. There is no duplication of secret management between GitHub Enterprise Server and the cloud.

For more information, see "Security hardening your deployments."

Support for GitHub Actions in internal repositories is now generally available for organizations on your GitHub Enterprise Server instance. You can innersource automation by sharing actions in internal repositories. You can manage a repository's settings or use the REST API to allow access to workflows in other repositories within the organization or in any organization on the instance. For more information, see "Sharing actions and workflows with your enterprise," "Managing GitHub Actions settings for a repository," and "Actions Permissions" in the REST API documentation.

You can now use dependency caching to speed up your GitHub Actions workflows. To cache dependencies for a job, you can include the actions/cache action to create a cache with a unique key. You can share caches across all workflows in the same repository. These workflows can then restore the cache and run faster.

Actions users can also use our cache APIs to:

• Define the enterprise policy for cache size range allowed per repository.
• Query the cache usage within each repository and monitor if the total size of all caches is reaching the upper limit.
• Increase the maximum cache size for a repository within the allowed enterprise limits, based on the cache requirements of the repository.
• Monitor aggregate cache usage at organization level or at enterprise level.

The external blob storage that is configured within your enterprise account will now be shared across workflow artifacts, logs, and also the caches. For more information, see "Caching dependencies to speed up workflows."

You can now configure GitHub Enterprise Server to automatically sign commits made in the web interface, such as from editing a file or merging a pull request. Signed commits increase confidence that changes come from trusted sources. This feature allows the Require signed commits branch protection setting to block unsigned commits from entering a repository, while allowing entry of signed commits – even those made in the web interface. For more information, see "Configuring web commit signing."

For customers that sync license usage between GitHub Enterprise Server and GitHub Enterprise Cloud automatically using GitHub Connect, you now have the ability to sync your license usage independently of the automatic weekly sync. This feature also reports the status of sync job. For more information, see "Syncing license usage between GitHub Enterprise Server and GitHub Enterprise Cloud."

Reusable workflows are now generally available. Reusable workflows help you reduce duplication by enabling you to reuse an entire workflow as if it were an action. With the general availability release, a number of improvements are now available for GitHub Enterprise Server. For more information, see "Reusing workflows."

• You can utilize outputs to pass data from reusable workflows to other jobs in the caller workflow.
• You can pass environment secrets to reusable workflows.
• The audit log includes information about which reusable workflows are used.
• Reusable workflows in the same repository as the calling repository can be referenced with just the path and filename (PATH/FILENAME). The called workflow will be from the same commit as the caller workflow.

You now have more control over when your self-hosted runners perform software updates. If you specify the --disableupdate flag to the runner then it will not try to perform an automatic software update if a newer version of the runner is available. This allows you to update the self-hosted runner on your own schedule, and is especially convenient if your self-hosted runner is in a container.

For compatibility with the GitHub Actions service, you will need to manually update your runner within 30 days of a new runner version being available. For instructions on how to install the latest runner version, please see the installation instructions for the latest release in the runner repo.

Organization owners can now increase the security of CI/CD workflows on self-hosted runners by choosing which workflows can access a runner group. Previously, any workflow in a repository, such as an issue labeler, could access the self-hosted runners available to an organization. For more information, see "Managing access to self-hosted runners using groups" and the GitHub Blog.

You can now control whether GitHub Actions can approve pull requests. This feature protects against a user using GitHub Actions to satisfy the "Required approvals" branch protection requirement and merging a change that was not reviewed by another user. To prevent breaking existing workflows, Allow GitHub Actions reviews to count towards required approval is enabled by default. Organization owners can disable the feature in the organization's GitHub Actions settings. For more information, see "Disabling or limiting GitHub Actions for your organization."

You can now re-run only failed jobs or an individual job in a GitHub Actions workflow run. For more information, see "Re-running workflows and jobs."

The dependency graph now detects YAML files for GitHub Actions workflows. GitHub Enterprise Server will display the workflow files within the Insights tab's dependency graph section. Repositories that publish actions will also be able to see the number of repositories that depend on that action from the "Used By" control on the repository homepage. For more information, see "About the dependency graph."

• Note: This feature was unavailable in GitHub Enterprise Server 3.5.0, 3.5.1, 3.5.2, and 3.5.3. The feature is available in 3.5.4 and later. [Updated: 2022-08-16]

GitHub Advanced Security customers can now view an overview of security alerts at the enterprise level. The new Security tab at the enterprise level provides a repository-centric view of application security risks, as well as an alert-centric view of all secret scanning alerts. For more information, see "About the security overview."

The overview of security alerts at the organization level is now generally available. GitHub Advanced Security customers can use the security overview to view a repository-centric view of application security risks, or an alert-centric view of all code scanning, Dependabot, and secret scanning alerts for all repositories in an organization. For more information, see "About the security overview."

Code scanning now detects a larger number of CWEs, and CodeQL code scanning fully supports the standard language features in the following language releases.

• C# 10 / .NET 6
• Python 3.10
• Java 17
• TypeScript 4.5

For more information, see the GitHub Blog.

GitHub Advanced Security customers can now view code scanning alerts in an organization's Security tab. This view is available to organization owners and members of teams with the security manager role. For more information, see "About the security overview."

Users can now retrieve code scanning alerts for an organization on your GitHub Enterprise Server instance via the REST API. This new API endpoint supplements the existing endpoint for repositories. For more information, see Code Scanning in the REST API documentation.

GitHub Enterprise Server can now block any pushes where a token is detected with high confidence. Developers can bypass the block by providing details of why the secret needs to be committed via a web UI. For more information, see "Protecting pushes with secret scanning."

GitHub Advanced Security customers can now dry run custom secret scanning patterns at the organization or repository level. Dry runs allow people with owner or admin access to review and hone their patterns before publishing them and generating alerts. You can compose a pattern, then use Save and dry run to retrieve results. The scans typically take just a few seconds, but GitHub Enterprise Server will also notify organization owners or repository admins via email when dry run results are ready. For more information, see "About secret scanning" and "Defining custom patterns for secret scanning."

The audit log now includes events associated with secret scanning custom patterns. This data helps GitHub Advanced Security customers understand actions taken on their repository-, organization-, or enterprise-level custom patterns for security and compliance audits. For more information, see "Reviewing the audit log for your organization" or "Reviewing audit logs for your enterprise."

You can now configure two new permissions for secret scanning when managing custom repository roles.

• View secret scanning results
• Dismiss or reopen secret scanning results

For more information, see "Managing custom repository roles for an organization."

GitHub Advanced Security customers can now enable secret scanning for archived repositories via the UI and API. For more information, see "About secret scanning," "About archived repositories," and "Repositories" in the REST API documentation.

GitHub Advanced Security customers using secret scanning can now opt to receive a webhook each time a secret is detected in a new location. The secret_scanning_alert_location webhook event includes location details, like the commit SHA, and the associated alert for the detection. A location is created for every new file path containing the detected secret. For more information, see "Webhook events and payloads."

GitHub Advanced Security customers can now view Dependabot alerts in in an organization's Security tab. This view is available to organization owners and members of teams with the security manager role. For more information, see "About the security overview."

You can now configure two new permissions for Dependabot alerts when managing custom repository roles.

• View Dependabot alerts
• Dismiss or reopen Dependabot alerts

For more information, see "Managing custom repository roles for an organization."

You can now reopen dismissed Dependabot alerts through the UI page for a closed alert. This does not affect Dependabot pull requests or the GraphQL API. For more information, see "About Dependabot alerts."

• Note: This feature was unavailable in GitHub Enterprise Server 3.5.0, 3.5.1, 3.5.2, and 3.5.3. The feature is available in 3.5.4 and later. [Updated: 2022-08-16]

Users of Dependabot version updates can now proactively update dependencies for Flutter or Dart projects that use the Pub package manager.

To test version updates on your own Dart or Flutter repository, add the following configuration file in .github/dependabot.yaml. Note the package-ecosystem: "pub" and enable-beta-ecosystems: true flags.

version: 2
enable-beta-ecosystems: true
updates:
  - package-ecosystem: "pub"
    directory: "/"
    schedule:
      interval: "weekly"

The new DependabotUpdate GraphQL object lets you view information about what happens to your repository's security updates. When GitHub Enterprise Server detects that a dependency in your repository is vulnerable, Dependabot will attempt to open a pull request to update that dependency to a non-vulnerable version. You can now see the pull request that fixes the vulnerability. In some cases, Dependabot fails to open a pull request. Previously, the error message that Dependabot generated was only visible in the "Dependabot Alerts" section of the Security tab. Now, if Dependabot runs into an error when trying to open a pull request for a security alert, you can determine the reason using the GraphQL API. For more information, see "Objects" in the GraphQL API documentation.

You can now view fixed alerts from Dependabot with the GraphQL API. You can also access and filter by state, as well as by unique numeric identifier, and you can filter by state on the vulnerability alert object. The following fields now exist for a RepositoryVulnerabilityAlert.

• number
• fixed_at
• fix_reason
• state

For more information, see "Objects" in the GraphQL API documentation.

The following Git-related events can now appear in the enterprise audit log. If you enable the feature and set an audit log retention period, the new events will be available for search via the UI and API, or export via JSON or CSV.

• git.clone
• git.fetch
• git.push

Due to the large number of Git events logged, we recommend you monitor your instance's file storage and review your related alert configurations. For more information, see "Configuring the audit log for your enterprise."

This release includes improvements to CODEOWNERS.

• Syntax errors are now surfaced when viewing a CODEOWNERS file from the web. Previously, when a line in a CODEOWNERS file had a syntax error, the error would be ignored or in some cases cause the entire CODEOWNERS file to not load. GitHub Apps and Actions can access the same list of errors using new REST and GraphQL APIs. For more information, see "Repositories" in the REST API documentation or "Objects" in the GraphQL API documentation.
• After someone creates a new pull request or pushes new changes to a draft pull request, any code owners that will be requested for review are now listed in the pull request under "Reviewers". This feature gives you an early look at who will be requested to review once the pull request is marked ready for review.
• Comments in CODEOWNERS files can now appear at the end of a line, not just on dedicated lines.

For more information, see "About code owners."

The Update branch button on the pull request page lets you update your pull request's branch with the latest changes from the base branch. This is useful for verifying your changes are compatible with the current version of the base branch before you merge. Two enhancements now give you more ways to keep your branch up-to-date.

• When your pull request's topic branch is out of date with the base branch, you now have the option to update it by rebasing on the latest version of the base branch. Rebasing applies the changes from your branch onto the latest version of the base branch, resulting in a branch with a linear history since no merge commit is created. To update by rebasing, click the drop down menu next to the Update Branch button, click Update with rebase, and then click Rebase branch. Previously, Update branch performed a traditional merge that always resulted in a merge commit in your pull request branch. This option is still available, but now you have the choice. For more information, see "Keeping your pull request in sync with the base branch."

• A new repository setting allows the Update branch button to always be available when a pull request's topic branch is not up to date with the base branch. Previously, this button was only available when the Require branches to be up to date before merging branch protection setting was enabled. People with admin or maintainer access can manage the Always suggest updating pull request branches setting from the Pull Requests section in repository settings. For more information, see "Managing suggestions to update pull request branches."

  • Note: This feature was unavailable in GitHub Enterprise Server 3.5.0, 3.5.1, 3.5.2, and 3.5.3. The feature is available in 3.5.4 and later. [Updated: 2022-08-16]

You can now configure custom HTTP headers that apply to all GitHub Pages sites served from your GitHub Enterprise Server instance. For more information, see "Configuring GitHub Pages for your enterprise."

It's now possible to ignore revisions in the blame view by creating a .git-blame-ignore-revs file in the root of your repository. For more information, see "Viewing a file."

A light high contrast theme, with greater contrast between foreground and background elements, is now generally available. For more information, see "Managing your theme settings."

• Note: This feature was unavailable in GitHub Enterprise Server 3.5.0, 3.5.1, 3.5.2, and 3.5.3. The feature is available in 3.5.4 and later. [Updated: 2022-08-16]

Repository owners can now configure tag protection rules to protect a repository's tags. Once protected by a tag protection rule, tags matching a specified name pattern can only be created and deleted by users with the Maintain or Admin role in the repository. For more information, see "Configuring tag protection rules."

In GitHub Mobile for iOS 1.80.0 and later, users can now edit files within a pull request's topic branch. Support for editing files will come to GitHub Mobile for Android in a future release. [Updated: 2022-09-13]

It is now possible for GitHub Apps to upload release assets.

Minimum requirements for root storage and memory increased for GitHub Enterprise Server 2.10 and 3.0, and are now enforced as of 3.5.0.

• In version 2.10, the minimum requirement for root storage increased from 80 GB to 200 GB. As of 3.5.0, system preflight checks will fail if the root storage is smaller than 80 GB.
• In version 3.0, the minimum requirement for memory increased from 16 GB to 32 GB. As of 3.5.0, system preflight checks will fail if the system has less than 28 GB of memory.

For more information, see the minimum requirements for each supported deployment platform in "Setting up a GitHub Enterprise Server instance." [Updated: 2022-06-20]

VMware vSphere ESXi hypervisor version 7.0 is now supported. [Updated: 2022-09-07]

To use the device authorization flow for OAuth and GitHub Apps, you must manually enable the feature. This change reduces the likelihood of apps being used in phishing attacks against GitHub Enterprise Server users by ensuring integrators are aware of the risks and make a conscious choice to support this form of authentication. If you own or manage an OAuth App or GitHub App and you want to use the device flow, you can enable it for your app via the app's settings page. The device flow API endpoints will respond with status code 400 to apps that have not enabled this feature. For more information, see "Authorizing OAuth Apps."

The code scanning alert page now always shows the alert status and information for the default branch. There is a new "Affected branches" panel in the sidebar where you can see the status of the alert in other branches. If the alert does not exist in your default branch, the alert page will show the status as "In branch" or "In pull request" for the location where the alert was last seen. This improvement makes it easier to understand the status of alerts which have been introduced into your code base. For more information, see "About code scanning alerts."

The alert list page is not changed and can be filtered by branch. You can use the code scanning API to retrieve more detailed branch information for alerts. For more information, see "Code Scanning" in the REST API documentation.

Code scanning now shows the details of the analysis origin of an alert. If an alert has more than one analysis origin, it is shown in the "Affected branches" sidebar and in the alert timeline. You can hover over the analysis origin icon in the "Affected branches" sidebar to see the alert status in each analysis origin. If an alert only has a single analysis origin, no information about analysis origins is displayed on the alert page. These improvements will make it easier to understand your alerts. In particular, it will help you understand those that have multiple analysis origins. This is especially useful for setups with multiple analysis configurations, such as monorepos. For more information, see "About code scanning alerts."

Lists of repositories owned by a user or organization now have an additional filter option, "Templates", making it easier to find template repositories.

GitHub Enterprise Server can display several common image formats, including PNG, JPG, GIF, PSD, and SVG, and provides several ways to compare differences between versions. Now when reviewing added or changed images in a pull request, previews of those images are shown by default. Previously, you would see a message indicating that binary files could not be shown and you would need to toggle the "Display rich diff" option. For more information, see "Working with non-code files."

New gists are now created with a default branch name of either main or the alternative default branch name defined in your user settings. This matches how other repositories are created on GitHub Enterprise Server. For more information, see "About branches" and "Managing the default branch name for your repositories."

Gists now only show the 30 most recent comments when first displayed. You can click Load earlier comments... to view more. This allows gists that have many comments to appear more quickly. For more information, see "Editing and sharing content with gists."

Settings pages for users, organizations, repositories, and teams have been redesigned, grouping similar settings pages into sections for improved information architecture and discoverability. For more information, see the GitHub changelog.

Focusing or hovering over a label now displays the label description in a tooltip.

Creating and removing repository invitations, whether done through the API or web interface, are now subject to rate limits that may be enabled on your GitHub Enterprise Server instance. For more information about rate limits, see "Configuring rate limits."

MinIO has announced the removal of the MinIO Gateways starting June 1st, 2022. While MinIO Gateway for NAS continues to be one of the supported storage providers for Github Actions and Github Packages, we recommend moving to MinIO LTS support to avail support and bug fixes from MinIO. For more information about rate limits, see "Scheduled removal of MinIO Gateway for GCS, Azure, HDFS in the minio/minio repository."

GitHub Connect will no longer work after June 3rd for instances running GitHub Enterprise Server 3.1 or older, due to the format of GitHub authentication tokens changing. To continue using GitHub Connect, upgrade to GitHub Enterprise Server 3.2 or later. For more information, see the GitHub Blog. [Updated: 2022-06-14]

The CodeQL runner is deprecated in favor of the CodeQL CLI. GitHub Enterprise Server 3.4 and later no longer include the CodeQL runner. This deprecation only affects users who use CodeQL code scanning in 3rd party CI/CD systems. GitHub Actions users are not affected. GitHub strongly recommends that customers migrate to the CodeQL CLI, which is a feature-complete replacement for the CodeQL runner and has many additional features. For more information, see "Migrating from the CodeQL runner to CodeQL CLI."

The theme picker for GitHub Pages has been removed from the Pages settings. For more information about configuration of themes for GitHub Pages, see "Adding a theme to your GitHub Pages site using Jekyll."

On a freshly set up GitHub Enterprise Server instance without any users, an attacker could create the first admin user.

Custom firewall rules are removed during the upgrade process.

Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.

When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

The GitHub Packages npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.

Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.

Actions services need to be restarted after restoring an appliance from a backup taken on a different host.

Deleted repositories will not be purged from disk automatically after the 90-day retention period ends. This issue is resolved in the 3.5.1 patch release. [Updated: 2022-06-10]

Management Console may appear stuck on the Starting screen after upgrading an under-provisioned instance to GitHub Enterprise Server 3.5. [Updated: 2022-06-20]

The following features were unavailable for users in GitHub Enterprise Server 3.5.0, 3.5.1, 3.5.2, and 3.5.3. The features are available in 3.5.4 and later. [Updated: 2022-08-16]

• Detection of GitHub Actions workflow files for the dependency graph
• Reopening of dismissed Dependabot alerts
• Enabling the Update branch button for all pull requests in a repository
• Light high contrast theme

In some cases, GitHub Advanced Security customers who upgrade to GitHub Enterprise Server 3.5 may notice that alerts from secret scanning are missing in the web UI and REST API. To ensure the alerts remain visible, do not skip 3.4 as you upgrade to the latest release. To plan an upgrade through 3.4, see the Upgrade assistant.

• To display the missing alerts for all repositories owned by an organization, organization owners can navigate to the organization's Code security and analysis settings, then click Enable all for secret scanning. For more information, see "Managing security and analysis settings for your organization."
• To display the missing alerts for an individual repository, people with admin access to the repository can disable then enable secret scanning for the repository. For more information, see "Managing security and analysis settings for your repository."

A fix is available in the 3.5.5 patch release. [Updated: 2022-09-01]

GitHub Pages builds may time out on instances in AWS that are configured for high availability. [Updated: 2022-11-28]

Instances experiencing a high sustained number of concurrent Git requests may experience performance issues. If you suspect that this issue is affecting your instance, contact GitHub Support. For more information, see "Creating a support ticket." [Updated: 2022-12-07]