Enterprise Server 3.5 release notes
Enterprise Server 3.5.19
Download GitHub Enterprise Server 3.5.19 (June 20, 2023)
📣 This is not the latest release of Enterprise Server. Please use the latest release for the latest security, performance, and bug fixes.
3.5.19: Security fixes
MEDIUM: Scoped installation tokens for a GitHub App kept approved permissions after the permissions on the integration installation were downgraded or removed. GitHub has requested CVE ID CVE-2023-23765 for this vulnerability, which was reported via the GitHub Bug Bounty program.
MEDIUM: Updated Git to include fixes from 2.40.1.
If a user's request to the instance's API included authentication credentials within a URL parameter, administrators could see the credentials in JSON within the instance's audit log.
Packages have been updated to the latest security versions.
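The first fix above (CVE-2023-23765) is a permission-drift bug: a token issued to a GitHub App kept permissions the installation no longer had. The script below is an added example, not GitHub's code, of the check an administrator can run against an installation and the tokens minted for it: compare each token's permissions map with the installation's current permissions map and report any scope where the token holds more. The record layouts follow the public REST API (an installation object's "permissions" map, and the "permissions" map returned by POST /app/installations/{id}/access_tokens); the installation id, token ids and values are constructed for this example.

```python
"""Added example, not GitHub's code: flag GitHub App installation tokens whose
permissions exceed what the installation currently grants.

The records below are constructed. Field names follow the REST API (an
installation object's "permissions" map and the "permissions" map in a
POST /app/installations/{id}/access_tokens response); the values are made up."""

# Permission levels the API uses, ordered weakest to strongest. A scope that is
# absent from the installation is treated as "none".
LEVELS = {"none": 0, "read": 1, "write": 2, "admin": 3}


def excess_permissions(installation_perms, token_perms):
    """Return {scope: (allowed, granted)} for every scope where the token holds
    more than the installation currently approves."""
    excess = {}
    for scope, granted in token_perms.items():
        allowed = installation_perms.get(scope, "none")
        if LEVELS.get(granted, 0) > LEVELS.get(allowed, 0):
            excess[scope] = (allowed, granted)
    return excess


def audit_tokens(installation, token_records):
    """Map each token id to its excess permissions; clean tokens are omitted."""
    findings = {}
    for record in token_records:
        excess = excess_permissions(installation["permissions"], record["permissions"])
        if excess:
            findings[record["id"]] = excess
    return findings


# Constructed: the installation after an admin downgraded "contents" to read
# and removed the "issues" permission entirely.
INSTALLATION = {"id": 4242, "permissions": {"contents": "read", "metadata": "read"}}

# Constructed: one token minted before the downgrade, one minted after it.
TOKENS = [
    {"id": "tok-before", "permissions": {"contents": "write", "issues": "write", "metadata": "read"}},
    {"id": "tok-after", "permissions": {"contents": "read", "metadata": "read"}},
]

if __name__ == "__main__":
    for token_id, excess in audit_tokens(INSTALLATION, TOKENS).items():
        for scope, (allowed, granted) in excess.items():
            print(f"{token_id}: {scope} granted={granted} allowed={allowed}")
```

On a patched instance, a token minted after the downgrade should produce no findings. Installation access tokens expire after one hour, so tokens minted before the downgrade age out on their own; a freshly minted token that still shows excess permissions is the signal that the instance has not received this fix.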
3.5.19: Bug fixes
If an administrator updated the instance's TLS certificate using the Management Console API's Set settings endpoint, sending the certificate and key data as a URL query parameter resulted in the data appearing unmasked in system logs.
Determining suggested reviewers on a pull request could time out or be very slow.
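Two of the 3.5.19 items are the same failure mode: a secret placed in a URL query parameter (an API credential in a user's request, or certificate and key data sent to the Management Console's Set settings endpoint) surfaced unmasked in the audit log or system logs. Until an instance is upgraded, the practical defence on the log-collection side is to scrub query parameters before logs are forwarded or stored. The script below is an added example, not part of GitHub Enterprise Server, that redacts sensitive query parameters from URLs found in both plain log lines and JSON log records. The parameter names in SENSITIVE_PARAMS, the key-material markers, and the three sample log lines are all constructed for this example; the release note does not name the parameter the Management Console endpoint uses, so that case is caught by inspecting the decoded parameter value rather than its name.

```python
"""Added example (not GitHub's code): redact secrets carried in URL query
parameters before log lines are forwarded or retained.

Handles two shapes seen in appliance logs: free-text lines containing URLs and
one-JSON-object-per-line records. Parameter names, markers and sample lines
are constructed assumptions, not taken from the product."""

import json
import re
from urllib.parse import unquote, urlsplit, urlunsplit

# Query parameter names treated as secrets (assumption: extend for your logs).
SENSITIVE_PARAMS = {"access_token", "token", "client_secret", "password",
                    "private_key", "key", "certificate", "cert"}

# Markers that identify PEM key or certificate material in a decoded value,
# regardless of the parameter name it was sent under.
KEY_MATERIAL_MARKERS = ("PRIVATE KEY", "BEGIN CERTIFICATE")

# A URL up to whitespace or a quote, excluding trailing sentence punctuation.
URL_RE = re.compile(r"https?://[^\s\"'<>]*[^\s\"'<>.,;)]")

REDACTED = "[REDACTED]"


def redact_query(query):
    """Rewrite a raw query string, keeping non-sensitive pairs byte-for-byte."""
    out = []
    for pair in query.split("&"):
        name, _, value = pair.partition("=")
        if name.lower() in SENSITIVE_PARAMS:
            out.append(f"{name}={REDACTED}")
        elif any(marker in unquote(value) for marker in KEY_MATERIAL_MARKERS):
            out.append(f"{name}={REDACTED}")
        else:
            out.append(pair)
    return "&".join(out)


def redact_url(url):
    parts = urlsplit(url)
    if not parts.query:
        return url
    return urlunsplit(parts._replace(query=redact_query(parts.query)))


def redact_text(text):
    return URL_RE.sub(lambda m: redact_url(m.group(0)), text)


def _walk(value):
    # Recurse through a parsed JSON record and scrub every string value.
    if isinstance(value, str):
        return redact_text(value)
    if isinstance(value, list):
        return [_walk(v) for v in value]
    if isinstance(value, dict):
        return {k: _walk(v) for k, v in value.items()}
    return value


def redact_line(line):
    """Scrub one log line; JSON records are re-serialised after scrubbing."""
    stripped = line.strip()
    if stripped.startswith("{"):
        try:
            return json.dumps(_walk(json.loads(stripped)))
        except ValueError:
            pass  # not valid JSON after all; fall through to text handling
    return redact_text(line)


def redact_lines(lines):
    return [redact_line(line) for line in lines]


# Constructed sample lines: an API call with a token in the query string, a
# JSON audit record carrying a URL, and a Management Console settings call
# whose query parameter holds an (abbreviated) private key.
SAMPLE_LOG = [
    "GET https://ghe.example.com/api/v3/user?access_token=ghp_constructed123&per_page=5 200",
    '{"action":"api.request","actor":"octocat","url":"https://ghe.example.com/api/v3/repos?token=abc&page=2"}',
    "PUT https://ghe.example.com/setup/api/settings?settings=%7B%22key%22%3A%22-----BEGIN%20PRIVATE%20KEY-----%22%7D 204",
]

if __name__ == "__main__":
    for line in redact_lines(SAMPLE_LOG):
        print(line)
```

The non-sensitive pairs are copied without decoding so that a scrubbed line still matches the original for everything except the redacted value. Scrubbing at the collector does not remove the secret from the appliance's own log files; rotating any credential that appeared in a query string is still required.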
3.5.19: Changes
If a configuration run fails due to Elasticsearch errors, ghe-config-apply displays a more actionable error message.
3.5.19: Known issues
Custom firewall rules are removed during the upgrade process.
Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
The GitHub Packages npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.
Actions services need to be restarted after restoring an appliance from a backup taken on a different host.
Hotpatch upgrades to GitHub Enterprise Server 3.5.6 may fail. Upgrades with the full .pkg are unaffected. If the upgrade fails for your instance, work around this issue by connecting to the administrative shell (SSH) and running the following non-interactive command:
echo "grub-pc grub-pc/install_devices_empty boolean true" | sudo debconf-set-selections
If you're unable to upgrade, or if you need further assistance, contact GitHub Support. For more information, see "Creating a support ticket." [Updated: 2022-10-14]
Instances experiencing a high sustained number of concurrent Git requests may experience performance issues. If you suspect that this issue is affecting your instance, contact GitHub Support. For more information, see "Creating a support ticket." [Updated: 2022-12-07]
On an instance in a high-availability configuration, passive replica nodes accept Git client requests and forward the requests to the primary node.
When using an outbound web proxy server, the ghe-btop command may fail in some circumstances with the error "Error querying allocation: Unexpected response code: 401".
If an instance is configured to forward logs to a target server with TLS enabled, certificate authority (CA) bundles that a site administrator uploads using ghe-ssl-ca-certificate-install are not respected, and connections to the server fail.
When running ghe-config-apply, the process may stall with the message "Deployment is running pending automatic promotion".
Enterprise Server 3.5.18
Download GitHub Enterprise Server 3.5.18 (May 30, 2023)
📣 This is not the latest patch release of this release series, and this is not the latest release of Enterprise Server. Please use the latest release for the latest security, performance, and bug fixes.
3.5.18: Security fixes
MEDIUM: Scoped installation tokens for a GitHub App kept approved permissions after the permissions on the integration installation were downgraded or removed. GitHub has requested CVE ID CVE-2023-23765 for this vulnerability, which was reported via the GitHub Bug Bounty program.
Packages have been updated to the latest security versions.
3.5.18: Bug fixes
On an instance in a cluster configuration, when upgrading the MySQL master node, the post-upgrade configuration run would take 600 seconds longer than required due to incorrect detection of unhealthy nodes.
If an instance has tens of thousands of deleted repositories, an upgrade from GitHub Enterprise Server 3.6 or 3.7 can take longer than expected. To decrease the risk of a long-running upgrade, before upgrading, someone with administrative SSH access to the instance can run the ghe-purge-deleted-repositories script. Warning: You cannot restore a purged repository. Use the script with caution. For assistance using the script, contact GitHub Enterprise Support.
If a user clicked the link to share feedback or report bugs for the beta of user lists, the web interface responded with a 404 error.
GitHub Enterprise Server published distribution metrics that cannot be processed by collectd. The metrics included pre_receive.lfsintegrity.dist.referenced_oids, pre_receive.lfsintegrity.dist.unknown_oids, and git.hooks.runtime.
3.5.18: Changes
People with administrative SSH access to an instance can configure the maximum memory usage in gigabytes for Redis using ghe-config redis.max-memory-gb VALUE.
3.5.18: Known issues
Custom firewall rules are removed during the upgrade process.
Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
The GitHub Packages npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.
Actions services need to be restarted after restoring an appliance from a backup taken on a different host.
Hotpatch upgrades to GitHub Enterprise Server 3.5.6 may fail. Upgrades with the full .pkg are unaffected. If the upgrade fails for your instance, work around this issue by connecting to the administrative shell (SSH) and running the following non-interactive command:
echo "grub-pc grub-pc/install_devices_empty boolean true" | sudo debconf-set-selections
If you're unable to upgrade, or if you need further assistance, contact GitHub Support. For more information, see "Creating a support ticket." [Updated: 2022-10-14]
Instances experiencing a high sustained number of concurrent Git requests may experience performance issues. If you suspect that this issue is affecting your instance, contact GitHub Support. For more information, see "Creating a support ticket." [Updated: 2022-12-07]
On an instance in a high-availability configuration, passive replica nodes accept Git client requests and forward the requests to the primary node.
When using an outbound web proxy server, the ghe-btop command may fail in some circumstances with the error "Error querying allocation: Unexpected response code: 401".
If an instance is configured to forward logs to a target server with TLS enabled, certificate authority (CA) bundles that a site administrator uploads using ghe-ssl-ca-certificate-install are not respected, and connections to the server fail.
When running ghe-config-apply, the process may stall with the message "Deployment is running pending automatic promotion".
Enterprise Server 3.5.17
Download GitHub Enterprise Server 3.5.17 (May 09, 2023)
📣 This is not the latest patch release of this release series, and this is not the latest release of Enterprise Server. Please use the latest release for the latest security, performance, and bug fixes.
3.5.17: Security fixes
MEDIUM: Updated Git to include fixes from 2.40.1. For more information, see Git security vulnerabilities announced on the GitHub Blog.
3.5.17: Bug fixes
Users were unable to upload GIF files as attachments within a comment in an issue or pull request.
A site administrator could not bypass a proxy for a top-level domain (TLD) from the instance's exception list or from IANA's registered top-level domains (TLDs).
On some platforms, after someone with administrative SSH access ran ghe-diagnostics, the command's output included a cosmetic SG_IO error.
After restoration of a deleted organization, the organization did not appear in the instance's list of organizations.
When a site administrator used GitHub Enterprise Importer to import data from GitHub Enterprise Cloud, migrations failed during the import of file-level comments. This failure no longer prevents the import from proceeding.
When a site administrator used GitHub Enterprise Importer, import of a repository failed if a project column in the repository contained 2,500 or more archived cards.
The GITHUB_REF_PROTECTED environment variable and the github.ref_protected context were incorrectly set to false when branch protections did exist.
On an instance with a GitHub Advanced Security license that was also configured for a timezone ahead of UTC, the list of secret scanning alerts displayed a "Loading secrets failed" error if a user sorted secrets by date in descending order.
3.5.17: Changes
People with administrative SSH access who generate a support bundle using the ghe-support-bundle or ghe-cluster-support-bundle utilities can specify the period of time to gather data with -p or --period without using spaces or quotes. For example, in addition to '-p 5 days' or -p '4 days 10 hours', -p 5days or -p 4days10hours are valid.
3.5.17: Known issues
Custom firewall rules are removed during the upgrade process.
Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
The GitHub Packages npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.
Actions services need to be restarted after restoring an appliance from a backup taken on a different host.
Hotpatch upgrades to GitHub Enterprise Server 3.5.6 may fail. Upgrades with the full .pkg are unaffected. If the upgrade fails for your instance, work around this issue by connecting to the administrative shell (SSH) and running the following non-interactive command:
echo "grub-pc grub-pc/install_devices_empty boolean true" | sudo debconf-set-selections
If you're unable to upgrade, or if you need further assistance, contact GitHub Support. For more information, see "Creating a support ticket." [Updated: 2022-10-14]
Instances experiencing a high sustained number of concurrent Git requests may experience performance issues. If you suspect that this issue is affecting your instance, contact GitHub Support. For more information, see "Creating a support ticket." [Updated: 2022-12-07]
On an instance in a high-availability configuration, passive replica nodes accept Git client requests and forward the requests to the primary node.
When using an outbound web proxy server, the ghe-btop command may fail in some circumstances with the error "Error querying allocation: Unexpected response code: 401".
If an instance is configured to forward logs to a target server with TLS enabled, certificate authority (CA) bundles that a site administrator uploads using ghe-ssl-ca-certificate-install are not respected, and connections to the server fail.
When running ghe-config-apply, the process may stall with the message "Deployment is running pending automatic promotion".
On an instance with audit log streaming enabled, the driftwood service does not start, preventing the normal operation of audit log streaming. [Updated: 2023-06-06]
Enterprise Server 3.5.16
Download GitHub Enterprise Server 3.5.16 (April 18, 2023)
📣 This is not the latest patch release of this release series, and this is not the latest release of Enterprise Server. Please use the latest release for the latest security, performance, and bug fixes.
3.5.16: Bug fixes
In some cases, graphs on the Management Console's monitor dashboard failed to render.
On an instance with GitHub Connect enabled, if "Users can search GitHub.com" was enabled, issues in private and internal repositories were not included in users search results for GitHub.com.
3.5.16: Changes
To avoid a failure during a configuration run on a cluster, validation of cluster.conf with the ghe-cluster-config-check utility ensures that the consul-datacenter field for each node matches the top-level primary-datacenter field.
If a site administrator provides an invalid configuration for blob storage for GitHub Actions or GitHub Packages on an instance, the preflight checks page displays details and troubleshooting information.
3.5.16: Known issues
Custom firewall rules are removed during the upgrade process.
Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
The GitHub Packages npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.
Actions services need to be restarted after restoring an appliance from a backup taken on a different host.
Hotpatch upgrades to GitHub Enterprise Server 3.5.6 may fail. Upgrades with the full .pkg are unaffected. If the upgrade fails for your instance, work around this issue by connecting to the administrative shell (SSH) and running the following non-interactive command:
echo "grub-pc grub-pc/install_devices_empty boolean true" | sudo debconf-set-selections
If you're unable to upgrade, or if you need further assistance, contact GitHub Support. For more information, see "Creating a support ticket." [Updated: 2022-10-14]
Instances experiencing a high sustained number of concurrent Git requests may experience performance issues. If you suspect that this issue is affecting your instance, contact GitHub Support. For more information, see "Creating a support ticket." [Updated: 2022-12-07]
Enterprise Server 3.5.15
Download GitHub Enterprise Server 3.5.15 (March 23, 2023)
📣 This is not the latest patch release of this release series, and this is not the latest release of Enterprise Server. Please use the latest release for the latest security, performance, and bug fixes.
3.5.15: Security fixes
HIGH: Addressed an improper authentication vulnerability that allowed an unauthorized actor to modify other users' secret gists by authenticating through an SSH certificate authority. This vulnerability was reported via the GitHub Bug Bounty Program and has been assigned CVE-2023-23761. [Updated: 2023-04-07]
MEDIUM: Addressed an incorrect comparison vulnerability that allowed commit smuggling by displaying an incorrect diff. This vulnerability was reported via the GitHub Bug Bounty Program and has been assigned CVE-2023-23762. [Updated: 2023-04-07]
3.5.15: Bug fixes
In the Management Console's monitor dashboard, the Cached Requests and Served Requests graphs, which are retrieved by the git fetch catching command, did not display metrics for the instance.
After a site administrator exempted the @github-actions[bot] user from rate limiting by using the ghe-config app.github.rate-limiting-exempt-users "github-actions[bot]" command, running ghe-config-check caused a "Validation is-valid-characterset failed" warning to appear.
GitHub Actions (actions) and Microsoft SQL (mssql) did not appear in the list of processes within the instance's monitor dashboard.
After an administrator used the /setup/api/start REST API endpoint to upload a license, the configuration run failed with a "Connection refused" error during the migrations phase.
On an instance in a high availability configuration, if an administrator tore down replication from a replica node using ghe-repl-teardown immediately after running ghe-repl-setup, but before ghe-repl-start, an error indicated that the script "cannot launch /usr/local/bin/ghe-single-config-apply - run is locked". ghe-repl-teardown now displays an informational alert and continues the teardown.
On an instance in a cluster configuration, when a site administrator set maintenance mode using ghe-maintenance -s, a "Permission denied" error appeared when the utility tried to access /data/user/common/cluster.conf.
During configuration of high availability, if a site administrator interrupted the ghe-repl-start utility, the utility erroneously reported that replication was configured, and the instance would not perform expected clean-up operations.
When a site administrator used ghe-migrator to migrate data to GitHub Enterprise Server, in some cases, nested team relationships would not persist after teams were imported.
If a repository contained a CODEOWNERS file, pull requests in the repository intermittently failed to display the file's validity or updated code owner information, requiring the user to reload the page.
The CSV reports for all users and all active users, available from the site admin dashboard, did not consider recent access using SSH or personal access tokens.
On an instance with GitHub Connect enabled, if "Users can search GitHub.com" was enabled, users would not see issues in private and internal repositories in search results for GitHub.com.
GitHub Enterprise Server published distribution metrics that cannot be processed by collectd. The metrics included pre_receive.lfsintegrity.dist.referenced_oids, pre_receive.lfsintegrity.dist.unknown_oids, and git.hooks.runtime.
3.5.15: Changes
After an enterprise owner enables Dependabot updates, the instance creates the initial set of updates faster.
On an instance in a cluster configuration, when a site administrator sets maintenance mode on a single cluster node using ghe-maintenance -s, the utility warns the administrator to use ghe-cluster-maintenance -s to set maintenance mode on all of the cluster's nodes. For more information, see "Enabling and scheduling maintenance mode."
When a site administrator configures an outbound web proxy server for GitHub Enterprise Server, the instance now validates top-level domains (TLDs) excluded from the proxy configuration. By default, you can exclude public TLDs that the IANA specifies. Site administrators can specify a list of unregistered TLDs to exclude using ghe-config. The "." prefix is required for any public TLDs. For example, .example.com is valid, but example.com is invalid. For more information, see "Configuring an outbound web proxy server."
To avoid intermittent issues with the success of Git operations on an instance with multiple nodes, GitHub Enterprise Server checks the status of the MySQL container before attempting a SQL query. The timeout duration has also been reduced.
The default path for output from ghe-saml-mapping-csv -d is /data/user/tmp instead of /tmp. For more information, see "Command-line utilities."
3.5.15: Known issues
On a freshly set up GitHub Enterprise Server instance without any users, an attacker could create the first admin user.
Custom firewall rules are removed during the upgrade process.
Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
The GitHub Packages npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.
Actions services need to be restarted after restoring an appliance from a backup taken on a different host.
Hotpatch upgrades to GitHub Enterprise Server 3.5.6 may fail. Upgrades with the full .pkg are unaffected. If the upgrade fails for your instance, work around this issue by connecting to the administrative shell (SSH) and running the following non-interactive command:
echo "grub-pc grub-pc/install_devices_empty boolean true" | sudo debconf-set-selections
If you're unable to upgrade, or if you need further assistance, contact GitHub Support. For more information, see "Creating a support ticket." [Updated: 2022-10-14]
Instances experiencing a high sustained number of concurrent Git requests may experience performance issues. If you suspect that this issue is affecting your instance, contact GitHub Support. For more information, see "Creating a support ticket." [Updated: 2022-12-07]
Enterprise Server 3.5.14
Download GitHub Enterprise Server 3.5.14 (March 02, 2023)
📣 This is not the latest patch release of this release series, and this is not the latest release of Enterprise Server. Please use the latest release for the latest security, performance, and bug fixes.
3.5.14: Security fixes
HIGH: A path traversal vulnerability was identified in GitHub Enterprise Server that allowed remote code execution when building a GitHub Pages site. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the GitHub Enterprise Server instance. This vulnerability was reported via the GitHub Bug Bounty Program and has been assigned CVE-2023-23760. [Updated: 2023-03-10]
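The release note gives the class of the bug (path traversal during a Pages build, reachable by anyone allowed to build a site) but, as is usual for these notes, not the mechanism. The block below is an added example, not the GitHub Enterprise Server fix, of the generic check that closes this class of bug in any build step that writes user-controlled paths: resolve the candidate path against the build root with symlinks followed, and refuse anything that does not stay under the root. The build root is a temporary directory created by the example, and the sample relative paths and the symlink named "escape" are constructed.

```python
"""Added example (not GitHub's code): confine user-controlled paths to a build
root. The temporary root, the "_site" directory and the "escape" symlink are
constructed so the example runs offline."""

import os
import tempfile


def resolve_under_root(root, untrusted_relpath):
    """Return the real absolute path for untrusted_relpath inside root, or raise
    ValueError if the path would land outside root.

    Both sides are passed through realpath so that "..", absolute paths and
    symlinks that point out of the root are all caught by the same comparison."""
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, untrusted_relpath))
    if candidate != root_real and os.path.commonpath([root_real, candidate]) != root_real:
        raise ValueError(f"path escapes build root: {untrusted_relpath!r}")
    return candidate


def is_confined(root, relpath):
    """Boolean form of the check, convenient for filtering a file list."""
    try:
        resolve_under_root(root, relpath)
        return True
    except ValueError:
        return False


def confined_outputs(root, relpaths):
    """Keep only the relative paths that resolve inside root."""
    return [p for p in relpaths if is_confined(root, p)]


# Constructed build root with a symlink that points at the root's parent
# directory, the shape of escape that a plain "..".strip() check misses.
DEMO_ROOT = tempfile.mkdtemp(prefix="pages-build-")
os.makedirs(os.path.join(DEMO_ROOT, "_site"))
try:
    os.symlink(os.path.dirname(DEMO_ROOT), os.path.join(DEMO_ROOT, "_site", "escape"))
    SYMLINK_OK = True
except OSError:  # platforms without symlink support
    SYMLINK_OK = False

# Constructed candidate output paths, as a site generator might produce them.
CANDIDATES = [
    "_site/index.html",
    "_site/../../outside.txt",
    "/etc/passwd",
    "_site/escape/secret.txt",
]

if __name__ == "__main__":
    for path in CANDIDATES:
        print(f"{path!r}: {'ok' if is_confined(DEMO_ROOT, path) else 'REJECTED'}")
```

Checking the string for ".." is not enough: an absolute path contains no "..", and a symlink inside the root can point anywhere. Resolving with realpath before comparing is what makes the check hold for both.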
3.5.14: Bug fixes
When viewing a list of open sessions for the devices logged into a user account, the GitHub Enterprise Server web UI could display an incorrect location.
In the rare case when primary shards for Elasticsearch were located on a replica node, the ghe-repl-stop command would fail with "ERROR: Running migrations".
3.5.14: Known issues
On a freshly set up GitHub Enterprise Server instance without any users, an attacker could create the first admin user.
Custom firewall rules are removed during the upgrade process.
Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
The GitHub Packages npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.
Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.
Actions services need to be restarted after restoring an appliance from a backup taken on a different host.
Hotpatch upgrades to GitHub Enterprise Server 3.5.6 may fail. Upgrades with the full .pkg are unaffected. If the upgrade fails for your instance, work around this issue by connecting to the administrative shell (SSH) and running the following non-interactive command:
echo "grub-pc grub-pc/install_devices_empty boolean true" | sudo debconf-set-selections
If you're unable to upgrade, or if you need further assistance, contact GitHub Support. For more information, see "Creating a support ticket." [Updated: 2022-10-14]
Instances experiencing a high sustained number of concurrent Git requests may experience performance issues. If you suspect that this issue is affecting your instance, contact GitHub Support. For more information, see "Creating a support ticket." [Updated: 2022-12-07]
Enterprise Server 3.5.13
Download GitHub Enterprise Server 3.5.13 (February 16, 2023)
📣 This is not the latest patch release of this release series, and this is not the latest release of Enterprise Server. Please use the latest release for the latest security, performance, and bug fixes.
3.5.13: Security fixes
HIGH: Updated Git to include fixes from 2.39.2, which address CVE-2023-22490 and CVE-2023-23946.
Packages have been updated to the latest security versions.
3.5.13: Bug fixes
When using a VPC endpoint URL as an AWS S3 URL for GitHub Packages, publication and installation of packages failed.
3.5.13: Known issues
On a freshly set up GitHub Enterprise Server instance without any users, an attacker could create the first admin user.
Custom firewall rules are removed during the upgrade process.
Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
The GitHub Packages npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.
Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.
Actions services need to be restarted after restoring an appliance from a backup taken on a different host.
Hotpatch upgrades to GitHub Enterprise Server 3.5.6 may fail. Upgrades with the full .pkg are unaffected. If the upgrade fails for your instance, work around this issue by connecting to the administrative shell (SSH) and running the following non-interactive command:
echo "grub-pc grub-pc/install_devices_empty boolean true" | sudo debconf-set-selections
If you're unable to upgrade, or if you need further assistance, contact GitHub Support. For more information, see "Creating a support ticket." [Updated: 2022-10-14]
Instances experiencing a high sustained number of concurrent Git requests may experience performance issues. If you suspect that this issue is affecting your instance, contact GitHub Support. For more information, see "Creating a support ticket." [Updated: 2022-12-07]
Enterprise Server 3.5.12
Download GitHub Enterprise Server 3.5.12 (February 02, 2023)
📣 This is not the latest patch release of this release series, and this is not the latest release of Enterprise Server. Please use the latest release for the latest security, performance, and bug fixes.
3.5.12: Security fixes
MEDIUM: A code injection vulnerability was identified in GitHub Enterprise Server that allowed setting arbitrary environment variables from a single environment variable value in GitHub Actions when using a Windows based runner due to improper sanitization of null bytes. To exploit this vulnerability, an attacker would need existing permission to control the value of environment variables for use with GitHub Actions. This vulnerability was reported via the GitHub Bug Bounty Program and has been assigned CVE-2023-22381.
Packages have been updated to the latest security versions.
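The CVE-2023-22381 note states the mechanism in one clause: a NUL byte in a single environment variable's value let an attacker set arbitrary additional variables on a Windows runner. The block below is an added example, not the runner's code, that shows why a NUL byte has that effect and what the sanitization check looks like. It assumes the consumer assembles a Windows-style environment block, which is a sequence of NUL-terminated "NAME=value" strings ending in an extra NUL; the variable names and values are constructed.

```python
"""Added example (not GitHub's runner code): how an unsanitised NUL byte in one
environment variable's value smuggles extra variables into a NUL-delimited
environment block, and the check that rejects it.

Assumption: the consumer builds a Windows-style environment block, i.e.
"NAME=value\0NAME=value\0...\0". Names and values are constructed."""


def build_block_naive(env):
    """Vulnerable: copies each value verbatim into the block."""
    return "".join(f"{name}={value}\0" for name, value in env.items()) + "\0"


def parse_block(block):
    """How a consumer reads the block back: split on NUL, stop at the empty entry."""
    result = {}
    for entry in block.split("\0"):
        if entry == "":
            break
        name, _, value = entry.partition("=")
        result[name] = value
    return result


def validate_env_entry(name, value):
    """Reject anything that would be re-interpreted as a delimiter or a new
    entry once the block is serialised."""
    if not name:
        raise ValueError("empty variable name")
    if "=" in name:
        raise ValueError(f"'=' in variable name {name!r}")
    if "\0" in name or "\0" in value:
        raise ValueError(f"NUL byte in variable {name!r}")
    return value


def build_block_safe(env):
    """Hardened: validates every entry before serialising."""
    return "".join(f"{name}={validate_env_entry(name, value)}\0"
                   for name, value in env.items()) + "\0"


def smuggled_variables(env):
    """Names that appear after a round trip through the naive block but were
    never keys of the input, i.e. variables injected via a value."""
    seen = parse_block(build_block_naive(env))
    return [name for name in seen if name not in env]


def rejects(env):
    """True if the hardened builder refuses the input."""
    try:
        build_block_safe(env)
        return False
    except ValueError:
        return True


# Constructed: one attacker-controlled value carrying a NUL and a second
# NAME=value pair after it.
TAINTED_ENV = {"BUILD_ARG": "hello\0PATH=C:\\evil", "CI": "true"}

if __name__ == "__main__":
    print("naive parse:", parse_block(build_block_naive(TAINTED_ENV)))
    print("smuggled:", smuggled_variables(TAINTED_ENV))
    print("hardened builder rejects:", rejects(TAINTED_ENV))
```

The general rule the example illustrates: any value that will be serialised into a delimiter-separated format must be checked for the delimiter itself, not just for characters that look dangerous in the shell. The same reasoning applies to newlines in formats that are line-delimited.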
3.5.12: Bug fixes
During the validation phase of a configuration run, a "No such object" error may have occurred for the Notebook and Viewscreen services.
When enabling automatic TLS certificate management with Let's Encrypt, the process could fail with the error "The certificate is not signed by a trusted certificate authority (CA) or the certificate chain in missing intermediate CA signing certificates".
3.5.12: Changes
When a timeout occurs during diff generation, such as when a commit displays an error that the diff is taking too long to generate, the push webhook event will deliver empty diff information. Previously, the push webhook event would fail to be delivered.
3.5.12: Known issues
On a freshly set up GitHub Enterprise Server instance without any users, an attacker could create the first admin user.
Custom firewall rules are removed during the upgrade process.
Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
The GitHub Packages npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.
Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.
Actions services need to be restarted after restoring an appliance from a backup taken on a different host.
Hotpatch upgrades to GitHub Enterprise Server 3.5.6 may fail. Upgrades with the full .pkg are unaffected. If the upgrade fails for your instance, work around this issue by connecting to the administrative shell (SSH) and running the following non-interactive command:
echo "grub-pc grub-pc/install_devices_empty boolean true" | sudo debconf-set-selections
If you're unable to upgrade, or if you need further assistance, contact GitHub Support. For more information, see "Creating a support ticket." [Updated: 2022-10-14]
Instances experiencing a high sustained number of concurrent Git requests may experience performance issues. If you suspect that this issue is affecting your instance, contact GitHub Support. For more information, see "Creating a support ticket." [Updated: 2022-12-07]
Enterprise Server 3.5.11
Download GitHub Enterprise Server 3.5.11 (January 17, 2023)
📣 This is not the latest patch release of this release series, and this is not the latest release of Enterprise Server. Please use the latest release for the latest security, performance, and bug fixes.
3.5.11: Security fixes
HIGH: Updated Git to include fixes from 2.39.1, which address CVE-2022-41903 and CVE-2022-23521.
3.5.11: Known issues
On a freshly set up GitHub Enterprise Server instance without any users, an attacker could create the first admin user.
Custom firewall rules are removed during the upgrade process.
Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
The GitHub Packages npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.
Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.
Actions services need to be restarted after restoring an appliance from a backup taken on a different host.
Hotpatch upgrades to GitHub Enterprise Server 3.5.6 may fail. Upgrades with the full .pkg are unaffected. If the upgrade fails for your instance, work around this issue by connecting to the administrative shell (SSH) and running the following non-interactive command:
echo "grub-pc grub-pc/install_devices_empty boolean true" | sudo debconf-set-selections
If you're unable to upgrade, or if you need further assistance, contact GitHub Support. For more information, see "Creating a support ticket." [Updated: 2022-10-14]
Instances experiencing a high sustained number of concurrent Git requests may experience performance issues. If you suspect that this issue is affecting your instance, contact GitHub Support. For more information, see "Creating a support ticket." [Updated: 2022-12-07]
Enterprise Server 3.5.10
Download GitHub Enterprise Server 3.5.10 (January 12, 2023)
📣 This is not the latest patch release of this release series, and this is not the latest release of Enterprise Server. Please use the latest release for the latest security, performance, and bug fixes.
3.5.10: Security fixes
Sanitize additional secrets in support bundles and the configuration log.
Dependencies for the CodeQL action have been updated to the latest security versions.
Packages have been updated to the latest security versions.
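The sanitization in this fix, and the 3.5.19 issue where credentials passed as URL parameters were written to the audit log, come down to the same step: redact credential values from log lines before they leave the instance. The following Python is an added example of such a redactor; it is not GitHub's sanitizer. The parameter names, the token prefixes it recognizes, and the sample log lines are constructed for the example.

```python
import re

# Query-string and form parameters whose values are credentials. The list is an
# assumption made for this example, not the parameter set GHES itself redacts.
SENSITIVE_PARAMS = ("access_token", "token", "client_secret", "password", "api_key")

# Each pattern is paired with a replacement; a capture group keeps the label and
# only the secret value is swapped for the placeholder.
_PATTERNS = [
    # ?access_token=... / &password=... / password=... in a form body
    (re.compile(r"\b(" + "|".join(SENSITIVE_PARAMS) + r")=[^&\s\"']+", re.I),
     r"\1=[REDACTED]"),
    # Authorization header, as a raw header line or inside a JSON/dict dump
    (re.compile(r"(authorization[\"']?\s*[:=]\s*[\"']?(?:bearer|basic|token)\s+)[^\s\"']+", re.I),
     r"\1[REDACTED]"),
    # GitHub-style prefixed tokens (ghp_, gho_, ghu_, ghs_, ghr_) wherever they
    # appear, including embedded in a clone URL as user:token@host
    (re.compile(r"\bgh[pousr]_[A-Za-z0-9]{20,}\b"), "[REDACTED]"),
]


def sanitize_line(line: str) -> str:
    """Return the log line with credential values replaced by [REDACTED]."""
    for pattern, replacement in _PATTERNS:
        line = pattern.sub(replacement, line)
    return line


def sanitize_lines(lines):
    """Sanitize an iterable of log lines, e.g. a file going into a support bundle."""
    return [sanitize_line(line) for line in lines]


# Constructed sample lines; the tokens are made-up strings in the shape of real ones.
SAMPLE_LOG = [
    "2023-06-20T10:00:01Z GET /api/v3/user?access_token=ghp_abcdefghijklmnopqrstuvwxyz0123456789 200",
    '2023-06-20T10:00:02Z headers={"authorization": "Bearer ghs_ABCDEFGHIJKLMNOPQRSTUVWXYZ012345"}',
    "2023-06-20T10:00:03Z POST /login password=hunter2&client_secret=s3cr3t&next=/",
    "2023-06-20T10:00:04Z git clone https://x-access-token:ghs_AbCdEfGhIjKlMnOpQrStUvWxYz01@ghes.example/octo/hello.git",
    "2023-06-20T10:00:05Z GET /api/v3/repos/octo/hello 200",
]

if __name__ == "__main__":
    for line in sanitize_lines(SAMPLE_LOG):
        print(line)
```

The order of the patterns matters: the parameter and header rules keep the label so an investigator can still see that a credential was sent, and the bare-token rule catches anything the first two did not label, such as a token embedded in a clone URL.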
3.5.10: Bug fixes
The metrics Active workers and Queued requests for the github (renamed from metadata), gitauth, and unicorn container services weren't correctly read from collectd and displayed in the Management Console.
Dependabot Alert emails would be sent to disabled repositories.
Repositories locked for migration would allow files to be edited in the web UI.
When viewing a pull request's diff for a large file with many lines between changes, it was not possible to expand the view to display all of the changes.
The git-janitor command was unable to fix outdated multi-pack-index.lock files, resulting in the repository failing maintenance.
3.5.10: Changes
The ghe-support-bundle and ghe-cluster-support-bundle commands were updated to include the -p/--period flag to generate a time-constrained support bundle. The duration can be specified in days and hours, for example: -p '2 hours', -p '1 day', -p '2 days 5 hours'.
The performance of configuration runs started with ghe-config-apply has been improved.
When upgrading an instance with a new root partition, running the ghe-upgrade command with the -t/--target option ensures the preflight check for the minimum disk storage size is executed against the target partition.
When exporting account data, backing up a repository, or performing a migration, the link to a repository archive now expires after 1 hour. Previously the archive link expired after 5 minutes.
3.5.10: Known issues
On a freshly set up GitHub Enterprise Server instance without any users, an attacker could create the first admin user.
Custom firewall rules are removed during the upgrade process.
Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
The GitHub Packages npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.
Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.
Actions services need to be restarted after restoring an appliance from a backup taken on a different host.
Hotpatch upgrades to GitHub Enterprise Server 3.5.6 may fail. Upgrades with the full .pkg are unaffected. If the upgrade fails for your instance, work around this issue by connecting to the administrative shell (ssh) and running the following non-interactive command:
echo "grub-pc grub-pc/install_devices_empty boolean true" | sudo debconf-set-selections
If you're unable to upgrade, or if you need further assistance, contact GitHub Support. For more information, see "Creating a support ticket." [Updated: 2022-10-14]
Instances experiencing a high sustained number of concurrent Git requests may experience performance issues. If you suspect that this issue is affecting your instance, contact GitHub Support. For more information, see "Creating a support ticket." [Updated: 2022-12-07]
Enterprise Server 3.5.9
Download GitHub Enterprise Server 3.5.9December 13, 2022
📣 This is not the latest patch release of this release series, and this is not the latest release of Enterprise Server. Please use the latest release for the latest security, performance, and bug fixes.
3.5.9: Security fixes
HIGH: A path traversal vulnerability was identified in GitHub Enterprise Server that allowed remote code execution when building a GitHub Pages site. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the instance. This vulnerability was reported via the GitHub Bug Bounty Program and has been assigned CVE-2022-46256.
HIGH: An incorrect authorization vulnerability allowed a scoped user-to-server token to escalate to full admin access for a repository. An attacker would require an account with admin access to install a malicious GitHub App. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.7.0. This vulnerability was reported via the GitHub Bug Bounty program and has been assigned CVE-2022-23741.
MEDIUM: An information disclosure vulnerability was identified in GitHub Enterprise Server that allowed private repositories to be added to a GitHub Actions runner group via the API by a user who did not have access to those repositories, resulting in the repository names being shown in the UI. To exploit this vulnerability, an attacker would need access to the GHES instance, permissions to modify GitHub Actions runner groups, and successfully guess the obfuscated ID of private repositories. This vulnerability was reported via the GitHub Bug Bounty Program and has been assigned CVE-2022-46257.
3.5.9: Bug fixes
If a GitHub Actions dependency uses a pinned SHA version, Dependabot will no longer mark the dependency as vulnerable.
When a site administrator ran the ghe-repl-sync-ca-certificates command from an instance's primary node via the administrative shell (SSH), the command only replicated CA certificates from the instance's primary node to a single replica node. The command did not replicate the certificates to all available replica nodes.
Installation of GitHub Enterprise Server on the VMware ESXi hypervisor failed due to the generation of an OVA file with an invalid capacity value.
When users performed an operation using the API, GitHub Enterprise Server enforced repository size quotas even when disabled globally.
The member webhook event did not include the from and to field values for the permission field as part of the changes field.
After a user's account was deleted from the instance, image attachments that the user uploaded in comments were no longer visible in the web interface.
In some cases, the page for setting up code scanning would erroneously report that GitHub Actions was not configured for the instance.
If a user uploaded more than one file while creating a new Gist, the user could not delete any files uploaded after the first.
A debug-level message appeared in a system log, which could consume space rapidly on the instance's root storage volume.
3.5.9: Known issues
On a freshly set up GitHub Enterprise Server instance without any users, an attacker could create the first admin user.
Custom firewall rules are removed during the upgrade process.
Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
The GitHub Packages npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.
Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.
Actions services need to be restarted after restoring an appliance from a backup taken on a different host.
Instances experiencing a high sustained number of concurrent Git requests may experience performance issues. If you suspect that this issue is affecting your instance, contact GitHub Support. For more information, see "Creating a support ticket." [Updated: 2022-12-07]
Enterprise Server 3.5.8
Download GitHub Enterprise Server 3.5.8November 22, 2022
📣 This is not the latest patch release of this release series, and this is not the latest release of Enterprise Server. Please use the latest release for the latest security, performance, and bug fixes.
3.5.8: Security fixes
MEDIUM: Updated CommonMarker to address a scenario where parallel requests to the Markdown REST API could result in unbounded resource exhaustion. This vulnerability has been assigned CVE-2022-39209.
MEDIUM: Scoped user-to-server tokens from GitHub Apps could bypass authorization checks in GraphQL API requests when accessing non-repository resources. This vulnerability was reported via the GitHub Bug Bounty Program and has been assigned CVE-2022-23739.
MEDIUM: Pull request preview links did not properly sanitize URLs, allowing a malicious user to embed dangerous links in the instance's web UI. This vulnerability was reported via the GitHub Bug Bounty program.
MEDIUM: An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed a repository-scoped token with read/write access to modify GitHub Actions workflow files without a workflow scope. The "Repository contents" should enforce workflow scope. This vulnerability was reported via the GitHub Bug Bounty program and has been assigned CVE-2022-46258.
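The fix above restores a check that a contents write permission alone is not enough to change a workflow definition, because a workflow runs with the repository's Actions credentials and secrets. The following Python is an added example of that authorization decision, written for this page rather than taken from GitHub's code. The permission labels contents:write and workflows:write are illustrative names chosen for the example, and the path normalization is included so that a crafted path cannot sidestep the directory test.

```python
import posixpath
from dataclasses import dataclass


@dataclass(frozen=True)
class Token:
    """A repository-scoped token. Permission names are illustrative labels
    for this example, not GitHub's exact permission identifiers."""
    permissions: frozenset


def normalize_repo_path(path: str) -> str:
    """Resolve ./, // and .. segments so that a path such as
    'docs/../.github/workflows/ci.yml' is judged by where it really lands."""
    # Anchor at a virtual root so that '..' cannot climb above the repository.
    return posixpath.normpath("/" + path).lstrip("/")


def is_workflow_file(path: str) -> bool:
    """True for files GitHub Actions would execute: .yml/.yaml files directly
    under .github/workflows/ (files in nested directories are not workflows)."""
    directory, name = posixpath.split(normalize_repo_path(path))
    return directory == ".github/workflows" and name.lower().endswith((".yml", ".yaml"))


def authorize_write(token: Token, path: str):
    """Decide whether `token` may create or modify `path`.

    Returns (allowed, reason). The check the fixed bug was missing is the
    second one: contents write access must not be sufficient to touch
    workflow definitions."""
    if "contents:write" not in token.permissions:
        return False, "token lacks write access to repository contents"
    if is_workflow_file(path) and "workflows:write" not in token.permissions:
        return False, "modifying workflow files requires the workflow permission"
    return True, "ok"


if __name__ == "__main__":
    contents_only = Token(frozenset({"contents:write"}))
    with_workflow = Token(frozenset({"contents:write", "workflows:write"}))
    for tok, path in [
        (contents_only, "README.md"),
        (contents_only, ".github/workflows/ci.yml"),
        (contents_only, "docs/../.github/workflows/ci.yml"),
        (with_workflow, ".github/workflows/ci.yml"),
    ]:
        print(sorted(tok.permissions), path, authorize_write(tok, path))
```

The same decision has to be made on every write path (the contents API, the Git push handler, and the web editor); a check that lives in only one of them is the kind of gap this class of bug comes from.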
3.5.8: Bug fixes
Setting the maintenance mode with an IP Exception List would not persist across upgrades.
GitHub Pages builds could time out on instances in AWS that are configured for high availability.
After configuration of Dependabot and alert digest emails, the instance would send digest emails to suspended users.
The audit log timestamp for Dependabot alert events returned the creation date of the alert instead of the timestamp when a user took action on the alert.
When accessing an instance's JavaScript resources from behind a proxy, the browser displayed Cross-Origin Resource Sharing (CORS) errors.
If a user named a status check with leading or trailing spaces, the instance created a duplicate check if another check existed with the same name and no leading or trailing spaces.
If a user configured a pre-receive hook for multiple repositories, the instance's Hooks page would not always display the correct status for the hook.
When an enterprise owner impersonated a user and tried to install a GitHub App, the button to confirm the installation was disabled and could not be clicked.
After running migrations for the GitHub Enterprise Importer on an instance configured for high availability, replication of migration storage assets would not catch up.
Zombie processes no longer accumulate in the gitrpcd container.
3.5.8: Known issues
On a freshly set up GitHub Enterprise Server instance without any users, an attacker could create the first admin user.
Custom firewall rules are removed during the upgrade process.
Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
The GitHub Packages npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.
Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.
Actions services need to be restarted after restoring an appliance from a backup taken on a different host.
Instances experiencing a high sustained number of concurrent Git requests may experience performance issues. If you suspect that this issue is affecting your instance, contact GitHub Support. For more information, see "Creating a support ticket." [Updated: 2022-12-07]
Enterprise Server 3.5.7
Download GitHub Enterprise Server 3.5.7October 25, 2022
📣 This is not the latest patch release of this release series, and this is not the latest release of Enterprise Server. Please use the latest release for the latest security, performance, and bug fixes.
3.5.7: Security fixes
HIGH: Updated dependencies for the Management Console to the latest patch versions, which addresses security vulnerabilities including CVE-2022-30123 and CVE-2022-29181.
HIGH: Added checks to address an improper cache key vulnerability that allowed an unauthorized actor to access private repository files through a public repository. This vulnerability has been assigned CVE-2022-23738.
MEDIUM: Updated CommonMarker to address a scenario where parallel requests to the Markdown REST API could result in unbounded resource exhaustion. This vulnerability has been assigned CVE-2022-39209.
MEDIUM: Updated Redis to 5.0.14 to address CVE-2021-32672 and CVE-2021-32762.
MEDIUM: Updated GitHub Actions runners to fix a bug that allowed environment variables in GitHub Actions jobs to escape the context of the variable and modify the invocation of docker commands directly. For more information, see the Actions Runner security advisory.
MEDIUM: An improper privilege management vulnerability was identified in GitHub Enterprise Server that allowed users with improper privileges to create or delete pages via the API. To exploit this vulnerability, an attacker would need to be added to an organization's repo with write permissions. This vulnerability was reported via the GitHub Bug Bounty program and has been assigned CVE-2022-23737.
LOW: Due to a CSRF vulnerability, a GET request to the instance's site/toggle_site_admin_and_employee_status endpoint could toggle a user's site administrator status without the user's knowledge.
Packages have been updated to the latest security versions.
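The CSRF issue above has the classic shape: a state-changing action reachable by GET, so a link or an image tag on any page the victim visits makes the browser send the request with the victim's session cookie. The following Python is an added example contrasting that shape with a hardened handler; it is a toy, not GitHub's request handling. The endpoint path is the one named in the fix, while the hostname ghes.example, the Request/Session/SiteState classes and the form field name authenticity_token are assumptions made for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

SITE_ORIGIN = "https://ghes.example"  # assumed hostname for the example
TOGGLE_PATH = "/site/toggle_site_admin_and_employee_status"


@dataclass
class Request:
    """The parts of an HTTP request the handlers look at. `user` is the account
    the browser's session cookie authenticated; a cross-site request carries
    that cookie too, which is what makes CSRF work."""
    method: str
    headers: dict
    user: str
    path: str = TOGGLE_PATH
    form: dict = field(default_factory=dict)


@dataclass
class Session:
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class SiteState:
    admins: set = field(default_factory=set)

    def toggle_admin(self, user: str) -> None:
        if user in self.admins:
            self.admins.discard(user)
        else:
            self.admins.add(user)


def vulnerable_handler(req: Request, state: SiteState) -> int:
    """Shape of the fixed bug: any authenticated request to the path, including
    a GET that an <img src=...> on an attacker's page makes the victim's
    browser send, flips the flag. Returns an HTTP status code."""
    if req.path != TOGGLE_PATH:
        return 404
    state.toggle_admin(req.user)
    return 200


def same_origin(url: str) -> bool:
    """Compare scheme and host exactly; a prefix test would accept
    https://ghes.example.attacker.test."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def hardened_handler(req: Request, session: Session, state: SiteState) -> int:
    """Three independent defences: state changes only on POST, the request
    must originate from this site, and it must carry the session's CSRF token."""
    if req.path != TOGGLE_PATH:
        return 404
    if req.method != "POST":
        return 405                      # GET/HEAD must be side-effect free
    source = req.headers.get("Origin") or req.headers.get("Referer", "")
    if not same_origin(source):
        return 403                      # missing or foreign Origin/Referer
    submitted = req.form.get("authenticity_token", "")
    if not hmac.compare_digest(submitted.encode(), session.csrf_token.encode()):
        return 403                      # constant-time compare of the token
    state.toggle_admin(req.user)
    return 200


def demo():
    """Replay a cross-site GET against both handlers; returns both admin sets."""
    cross_site = Request("GET", {"Referer": "https://attacker.test/page"}, user="alice")
    weak, strong = SiteState(), SiteState()
    vulnerable_handler(cross_site, weak)
    hardened_handler(cross_site, Session(), strong)
    return weak.admins, strong.admins


if __name__ == "__main__":
    print(demo())
```

The Origin check and the token check are deliberately both present: the token defends even when a browser strips the Referer, and the origin check catches a token that leaked through some other channel. Setting the session cookie with SameSite=Lax would block the cross-site GET at the browser as well, but the server-side checks are what the audit can verify.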
3.5.7: Bug fixes
After a site administrator made a change that triggered a configuration run, such as disabling GitHub Actions, validation of services would sometimes fail with the message WARNING: Validation encountered a problem.
After a site administrator installed a hotpatch containing changes to web interface assets such as JavaScript files or images, the instance did not serve the new assets.
When a user accessed a renamed repository using Git, the hostname in the Git output incorrectly indicated GitHub.com instead of the instance's hostname.
On instances using LDAP authentication and LDAP sync, sync would fail and print undefined method ord for nil:NilClass in ldap-sync.log.
Addressed a bug in which the endpoint for creating a tag protection state for a repository was returning a 500 error.
Deleted assets and assets scheduled to be purged within a repository, such as LFS files, took too long to be cleaned up.
If a user installed a GitHub App for the user account and then converted the account into an organization, the app was not granted organization permissions.
Missing secret scanning alerts on instance with a GitHub Advanced Security license that was not upgraded directly to GitHub Enterprise Server 3.4 are now visible in the web interface and through the REST API.
In some cases, on an instance with a GitHub Advanced Security license, secret scanning alerts did not include a provider type, and instead indicated that the provider type was "unknown."
3.5.7: Changes
To ensure that site administrators can successfully complete an upgrade, the instance will now execute a preflight check to ensure that the virtual machine meets minimum hardware requirements. The check also verifies Elasticsearch's health. You can review the current requirements for CPU, memory, and storage for GitHub Enterprise Server in the "Minimum requirements" section within each article in "Setting up a GitHub Enterprise Server instance."
3.5.7: Known issues
On a freshly set up GitHub Enterprise Server instance without any users, an attacker could create the first admin user.
Custom firewall rules are removed during the upgrade process.
Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
The GitHub Packages npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.
Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.
Actions services need to be restarted after restoring an appliance from a backup taken on a different host.
GitHub Pages builds may time out on instances in AWS that are configured for high availability. [Updated: 2022-11-28]
Instances experiencing a high sustained number of concurrent Git requests may experience performance issues. If you suspect that this issue is affecting your instance, contact GitHub Support. For more information, see "Creating a support ticket." [Updated: 2022-12-07]
Enterprise Server 3.5.6
Download GitHub Enterprise Server 3.5.6September 21, 2022
📣 This is not the latest patch release of this release series, and this is not the latest release of Enterprise Server. Please use the latest release for the latest security, performance, and bug fixes.
3.5.6: Features
Repository archives for migrations now include an is_archived field.
3.5.6: Security fixes
HIGH: A GitHub App could use a scoped user-to-server token to bypass user authorization logic and escalate privileges.
MEDIUM: The use of a Unicode right-to-left override character in the list of accessible files for a GitHub App could obscure additional files that the app could access.
LOW: Granting a user the ability to bypass branch protections no longer allows the user to bypass the requirement for signature verification.
Packages have been updated to the latest security versions.
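The right-to-left override fix above is a display problem with an authorization consequence: the file list a reviewer approves is rendered by a bidi-aware text engine, so a single U+202E in a name makes the visible order differ from the logical order that Git and the API act on. The following Python is an added example of a check that flags such entries and renders them with the controls made visible; it is not GitHub's code, and the sample file list is constructed for the example.

```python
import unicodedata

# Unicode bidirectional control characters: the explicit embeddings, overrides
# and isolates plus the directional marks. Any of them in a path lets the
# rendered order differ from the logical order that Git and the API use.
BIDI_CONTROLS = frozenset(
    "\u061c"                           # ARABIC LETTER MARK
    "\u200e"                           # LEFT-TO-RIGHT MARK
    "\u200f"                           # RIGHT-TO-LEFT MARK
    "\u202a\u202b\u202c\u202d\u202e"   # LRE, RLE, PDF, LRO, RLO
    "\u2066\u2067\u2068\u2069"         # LRI, RLI, FSI, PDI
)


def find_bidi_controls(text: str):
    """Return (index, 'U+XXXX', unicode name) for each bidi control in text."""
    return [
        (i, f"U+{ord(ch):04X}", unicodedata.name(ch))
        for i, ch in enumerate(text)
        if ch in BIDI_CONTROLS
    ]


def escape_for_display(text: str) -> str:
    """Make the controls visible so what a reviewer sees matches the logical string."""
    return "".join(f"<U+{ord(ch):04X}>" if ch in BIDI_CONTROLS else ch for ch in text)


def audit_file_list(paths):
    """Flag entries in an access list (for example the files a GitHub App is
    granted) whose rendering could hide their real name or extension.
    Returns a list of (original, escaped, findings) for the flagged entries."""
    flagged = []
    for path in paths:
        findings = find_bidi_controls(path)
        if findings:
            flagged.append((path, escape_for_display(path), findings))
    return flagged


# Constructed example list. The third entry is logically "deploy<RLO>gnp.sh",
# a shell script, but a bidi-aware renderer shows it as "deployhs.png".
SAMPLE_FILES = [
    "README.md",
    ".github/workflows/ci.yml",
    "deploy\u202egnp.sh",
]

if __name__ == "__main__":
    for original, escaped, findings in audit_file_list(SAMPLE_FILES):
        print(escaped, findings)
```

Run over a list coming from an API response rather than from a rendered page, since the whole point is that the rendered form is the untrustworthy one. The same check applies to branch names, commit messages and source files, where the Trojan Source class of bugs uses the identical characters.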
3.5.6: Bug fixes
Installation of a TLS certificate failed when the certificate's subject string included UTF-8 characters.
Configuration runs could fail when retry-limit or retry-sleep-duration were manually set by an administrator using ghe-config.
The ghe-find-insecure-git-operations command did not return all insecure Git operations after each invocation.
In some cases, the Management Console's monitor dashboard would not load correctly.
Removed a non-functional link for exporting Management Console monitor graphs as a PNG image.
When sending a support bundle to GitHub Enterprise Support using ghe-support-upload, the -t option would not successfully associate the uploaded bundle with the specified ticket.
In rare cases, an upgrade from GitHub Enterprise Server 3.3 to 3.4 would incorrectly modify how data is stored, resulting in failures during future upgrades. When upgrading directly to this release from 3.3, the failure will not occur.
When using a VPC endpoint URL as an AWS S3 URL for GitHub Packages, publication and installation of packages failed.
Git clones or fetches over SSH could experience data corruption for transfers over 1GB in size.
A link back to the security settings for the instance's enterprise account could render an incorrect view.
After a user deleted or restored packages from the web interface, counts for packages could render incorrectly.
After successful configuration of Dependabot and alert digest emails, the instance would not send digest emails.
After upgrading to GitHub Enterprise Server 3.5, releases would appear to be missing from repositories. This occurred when the required Elasticsearch index migrations had not successfully completed. The releases UI now indicates if it is waiting for the Elasticsearch index migrations to complete, and links to documentation on how to observe status and immediately complete the migration.
Manually disabled GitHub Actions workflows in a repository were re-enabled if the repository received a push containing more than 2048 commits, or if the repository's default branch changed.
When viewing a pull request's diff for a large file with many lines between changes, it was not possible to expand the view to display all of the changes.
If branch protections were enabled, the GITHUB_REF_PROTECTED environment variable and github.ref_protected contexts for GitHub Actions workflow runs were incorrectly set as false.
On instances using GitHub Advanced Security, secret scanning automatically revoked personal access tokens added to public repositories.
Repositories for packages erroneously displayed a "Used by" section.
3.5.6: Known issues
On a freshly set up GitHub Enterprise Server instance without any users, an attacker could create the first admin user.
Custom firewall rules are removed during the upgrade process.
Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
The GitHub Packages npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.
Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.
Actions services need to be restarted after restoring an appliance from a backup taken on a different host.
Hotpatch upgrades to GitHub Enterprise Server 3.5.6 may fail. Upgrades with the full .pkg are unaffected. If the upgrade fails for your instance, work around this issue by connecting to the administrative shell (ssh) and running the following non-interactive command:
echo "grub-pc grub-pc/install_devices_empty boolean true" | sudo debconf-set-selections
If you're unable to upgrade, or if you need further assistance, contact GitHub Support. For more information, see "Creating a support ticket." [Updated: 2022-10-14]
GitHub Pages builds may time out on instances in AWS that are configured for high availability. [Updated: 2022-11-28]
Instances experiencing a high sustained number of concurrent Git requests may experience performance issues. If you suspect that this issue is affecting your instance, contact GitHub Support. For more information, see "Creating a support ticket." [Updated: 2022-12-07]
Enterprise Server 3.5.5
Download GitHub Enterprise Server 3.5.5August 30, 2022
📣 This is not the latest patch release of this release series, and this is not the latest release of Enterprise Server. Please use the latest release for the latest security, performance, and bug fixes.
3.5.5: Bug fixes
After unlocking a repository for temporary access, a site administrator was unable to manage settings for security products in the repository.
Duplicate administrative SSH keys could appear in both the Management Console and the /home/admin/.ssh/authorized_keys file.
The site admin page for individual users at http(s)://HOSTNAME/stafftools/users/USERNAME/admin contained functionality not intended for GitHub Enterprise Server.
In some cases, running ghe-cluster-config-apply could replicate an empty configuration to existing nodes in a cluster.
In some cases, configuration runs started with ghe-config-apply did not complete, or returned a Container count mismatch error.
After updating a self-signed TLS certificate on a GitHub Enterprise Server instance, UI elements on some pages in the web interface did not appear.
The site admin bar at the top of the web interface contained a broken link to the SHA for the currently running version of the application.
In some cases, background tasks could stall due to a library that was used concurrently despite not being thread-safe.
Alerts from secret scanning for GitHub Advanced Security customers were missing in the web UI and REST API if a site administrator did not upgrade directly to GitHub Enterprise Server 3.4. The alerts are now visible.
When a user forked a repository into an organization, a long list of organizations would not render properly.
3.5.5: Changes
Generation of support bundles is faster as a result of parallelized log sanitization. For more information about support bundles, see "Providing data to GitHub Support."
APIs that contain the organization or org route now accept either the organization's slug or ID. Previously, the APIs only accepted slugs, which caused Link headers for GitHub Advanced Security endpoints to be inaccessible. For more information, see "Organizations" in the REST API documentation.
The enterprise audit log now includes more user-generated events, such as project.create. The REST API also returns additional user-generated events, such as repo.create. For more information, see "Accessing the audit log for your enterprise" and "Using the audit log API for your enterprise."
In some cases, cache replicas could reject some Git operations on recently updated repositories. For more information about repository caching, see "About repository caching."
3.5.5: Known issues
On a freshly set up GitHub Enterprise Server instance without any users, an attacker could create the first admin user.
Custom firewall rules are removed during the upgrade process.
Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
The GitHub Packages npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.
Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.
Actions services need to be restarted after restoring an appliance from a backup taken on a different host.
GitHub Pages builds may time out on instances in AWS that are configured for high availability. [Updated: 2022-11-28]
Instances experiencing a high sustained number of concurrent Git requests may experience performance issues. If you suspect that this issue is affecting your instance, contact GitHub Support. For more information, see "Creating a support ticket." [Updated: 2022-12-07]
Enterprise Server 3.5.4
Download GitHub Enterprise Server 3.5.4August 11, 2022
📣 This is not the latest patch release of this release series, and this is not the latest release of Enterprise Server. Please use the latest release for the latest security, performance, and bug fixes.
3.5.4: Security fixes
CRITICAL: GitHub Enterprise Server's Elasticsearch container used a version of OpenJDK 8 that was vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. The vulnerability is tracked as CVE-2022-34169.
HIGH: Previously installed apps on user accounts were automatically granted permission to access an organization on scoped access tokens after the user account was transformed into an organization account. This vulnerability was reported via the GitHub Bug Bounty program.
3.5.4: Bug fixes
In some cases, GitHub Enterprise Server instances on AWS that used the r4.4xlarge instance type would fail to boot.
In some cases, UI elements within a pull request's Files changed tab could overlap.
When a custom dormancy threshold was set for the instance, suspending all dormant users did not reliably respect the threshold. For more information about dormancy, see "Managing dormant users."
When calculating committers for GitHub Advanced Security, it was not possible to specify individual repositories. For more information, see "Site admin dashboard."
In some cases, Elasticsearch's post-upgrade es:upgrade process could crash before completion.
The script for migration to internal repositories failed to convert the visibility for public repositories to internal or private. For more information about the migration, see "Migrating to internal repositories."
Detection of GitHub Actions workflow files for the dependency graph was unavailable in GitHub Enterprise Server 3.5.0, 3.5.1, 3.5.2, and 3.5.3, but is now available in 3.5.4. For more information, see "About the dependency graph."
The ability to reopen dismissed Dependabot alerts was unavailable in GitHub Enterprise Server 3.5.0, 3.5.1, 3.5.2, and 3.5.3, but is now available in 3.5.4. For more information, see "Viewing and updating Dependabot alerts."
The ability to always suggest updates from the base branch to a pull request's HEAD was unavailable in GitHub Enterprise Server 3.5.0, 3.5.1, 3.5.2, and 3.5.3, but is now available in 3.5.4. For more information, see "Managing suggestions to update pull request branches."
The light high contrast theme was unavailable in GitHub Enterprise Server 3.5.0, 3.5.1, 3.5.2, and 3.5.3, but is now available in 3.5.4. For more information, see "Managing your theme settings."
3.5.4: Changes
pre_receive_hook.rejected_push events were not displayed in the enterprise audit log.
3.5.4: Known issues
On a freshly set up GitHub Enterprise Server instance without any users, an attacker could create the first admin user.
Custom firewall rules are removed during the upgrade process.
Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
The GitHub Packages npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.
Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.
Actions services need to be restarted after restoring an appliance from a backup taken on a different host.
In some cases, GitHub Advanced Security customers who upgrade to GitHub Enterprise Server 3.5 may notice that alerts from secret scanning are missing in the web UI and REST API. To ensure the alerts remain visible, do not skip 3.4 as you upgrade to the latest release. To plan an upgrade through 3.4, see the Upgrade assistant.
- To display the missing alerts for all repositories owned by an organization, organization owners can navigate to the organization's Code security and analysis settings, then click Enable all for secret scanning. For more information, see "Managing security and analysis settings for your organization."
- To display the missing alerts for an individual repository, people with admin access to the repository can disable then enable secret scanning for the repository. For more information, see "Managing security and analysis settings for your repository."
A fix is available in the 3.5.5 patch release. [Updated: 2022-09-01]
GitHub Pages builds may time out on instances in AWS that are configured for high availability. [Updated: 2022-11-28]
Instances experiencing a high sustained number of concurrent Git requests may experience performance issues. If you suspect that this issue is affecting your instance, contact GitHub Support. For more information, see "Creating a support ticket." [Updated: 2022-12-07]
Enterprise Server 3.5.3
Download GitHub Enterprise Server 3.5.3July 21, 2022
📣 This is not the latest patch release of this release series, and this is not the latest release of Enterprise Server. Please use the latest release for the latest security, performance, and bug fixes.
3.5.3: Security fixes
MEDIUM: Prevents an attack where a server-side request forgery (SSRF) could potentially force the Subversion (SVN) bridge to execute remote code by injecting arbitrary data into Memcached.
MEDIUM: Prevents an attacker from executing JavaScript code by exploiting a cross-site scripting (XSS) vulnerability in dropdown UI elements within the GitHub Enterprise Server web interface.
Updates Grafana to version 7.5.16, which addresses various security vulnerabilities including CVE-2020-13379 and CVE-2022-21702.
Packages have been updated to the latest security versions.
MEDIUM: A stored XSS vulnerability was identified in GitHub Enterprise Server that allowed the injection of arbitrary attributes. This injection was blocked by GitHub's Content Security Policy (CSP). This vulnerability was reported via the GitHub Bug Bounty program and has been assigned CVE-2022-23733. [Updated: 2022-07-31]
MEDIUM: A vulnerability involving deserialization of untrusted data was identified in GitHub Enterprise Server that could potentially lead to remote code execution on the Subversion (SVN) bridge. To exploit this vulnerability, an attacker would need to gain access via a server-side request forgery (SSRF) that would let an attacker control the data being deserialized. This vulnerability was reported via the GitHub Bug Bounty program and has been assigned CVE-2022-23734.
3.5.3: Bug fixes
In some cases, the collectd daemon could consume excess memory.
In some cases, backups of rotated log files could accumulate and consume excess storage.
After an upgrade to a new feature release and subsequent configuration run, Elasticsearch could log excessive exceptions while rebuilding indices.
In some cases where a protected branch required more than one approving review, a pull request could be merged with fewer than the required number of approving reviews.
The GitHub Enterprise Importer did not correctly migrate settings for projects within repositories.
On instances using LDAP authentication, the authentication prompt for sudo mode incorrectly placed the cursor within the password field by default when text fields for both a username and password were visible.
The site admin dashboard erroneously included an option to export a report listing dormant users.
The Billing API's "Billing" endpoint now returns Link headers to provide information about pagination.
The Billing API's "Billing" endpoint now returns the correct number of total committers.
In the sidebar for an organization's settings, the Archive navigation item contained no children.
VMware vSphere ESXi hypervisor version 7.0 is now supported. [Updated: 2022-09-07]
3.5.3: Changes
The ghe-set-password command-line utility starts required services automatically when the instance is booted in recovery mode.
Metrics for aqueduct background processes are gathered for Collectd forwarding and display in the Management Console.
The location of the database migration and configuration run log, /data/user/common/ghe-config.log, is now displayed on the page that details a migration in progress.
3.5.3: Known issues
On a freshly set up GitHub Enterprise Server instance without any users, an attacker could create the first admin user.
Custom firewall rules are removed during the upgrade process.
Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
The GitHub Packages npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.
Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.
Actions services need to be restarted after restoring an appliance from a backup taken on a different host.
The following features were unavailable for users in GitHub Enterprise Server 3.5.0, 3.5.1, 3.5.2, and 3.5.3. The features are available in 3.5.4 and later. [Updated: 2022-08-16]
- Detection of GitHub Actions workflow files for the dependency graph
- Reopening of dismissed Dependabot alerts
- Enabling the Update branch button for all pull requests in a repository
- Light high contrast theme
In some cases, GitHub Advanced Security customers who upgrade to GitHub Enterprise Server 3.5 may notice that alerts from secret scanning are missing in the web UI and REST API. To ensure the alerts remain visible, do not skip 3.4 as you upgrade to the latest release. To plan an upgrade through 3.4, see the Upgrade assistant.
- To display the missing alerts for all repositories owned by an organization, organization owners can navigate to the organization's Code security and analysis settings, then click Enable all for secret scanning. For more information, see "Managing security and analysis settings for your organization."
- To display the missing alerts for an individual repository, people with admin access to the repository can disable then enable secret scanning for the repository. For more information, see "Managing security and analysis settings for your repository."
A fix is available in the 3.5.5 patch release. [Updated: 2022-09-01]
GitHub Pages builds may time out on instances in AWS that are configured for high availability. [Updated: 2022-11-28]
Instances experiencing a high sustained number of concurrent Git requests may experience performance issues. If you suspect that this issue is affecting your instance, contact GitHub Support. For more information, see "Creating a support ticket." [Updated: 2022-12-07]
Enterprise Server 3.5.2
Download GitHub Enterprise Server 3.5.2 (June 28, 2022)
📣 This is not the latest patch release of this release series, and this is not the latest release of Enterprise Server. Please use the latest release for the latest security, performance, and bug fixes.
3.5.2: Security fixes
MEDIUM: Prevents an attack where an org query string parameter can be specified for a GitHub Enterprise Server URL that then gives access to another organization's active committers.
MEDIUM: Ensures that github.company.com and github-company.com are not evaluated by internal services as identical hostnames, preventing a potential server-side request forgery (SSRF) attack.
LOW: An attacker could access the Management Console with a path traversal attack via HTTP even if external firewall rules blocked HTTP access.
Packages have been updated to the latest security versions.
3.5.2: Bug fixes
Files inside an artifact archive were unable to be opened after decompression due to restrictive permissions.
In some cases, packages pushed to the Container registry were not visible in GitHub Enterprise Server's web UI.
Management Console would appear stuck on the Starting screen after upgrading an under-provisioned instance to GitHub Enterprise Server 3.5.
Redis timeouts no longer halt database migrations while running ghe-config-apply.
Background job processors would get stuck in a partially shut-down state, resulting in certain kinds of background jobs (like code scanning) appearing stuck.
In some cases, site administrators were not automatically added as enterprise owners.
Actions workflows calling other reusable workflows failed to run on a schedule.
Resolving Actions using GitHub Connect failed briefly after changing repository visibility from public to internal.
3.5.2: Changes
Improved the performance of Dependabot Updates when first enabled.
Increase maximum concurrent connections for Actions runners to support the GHES performance target.
The GitHub Pages build and synchronization timeouts are now configurable in the Management Console.
Added environment variable to configure Redis timeouts.
Creating or updating check runs or check suites could return 500 Internal Server Error if the value for certain fields, like the name, was too long.
Improves performance in pull requests' "Files changed" tab when the diff includes many changes.
The Actions repository cache usage policy no longer accepts a maximum value less than 1 for max_repo_cache_size_limit_in_gb.
When deploying cache-server nodes, it is now mandatory to describe the datacenter topology (using the --datacenter argument) for every node in the system. This requirement prevents situations where leaving datacenter membership set to "default" leads to workloads being inappropriately balanced across multiple datacenters.
VMware vSphere ESXi hypervisor version 7.0 is now supported. [Updated: 2022-09-07]
3.5.2: Known issues
On a freshly set up GitHub Enterprise Server instance without any users, an attacker could create the first admin user.
Custom firewall rules are removed during the upgrade process.
Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
The GitHub Packages npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.
Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.
Actions services need to be restarted after restoring an appliance from a backup taken on a different host.
The following features were unavailable for users in GitHub Enterprise Server 3.5.0, 3.5.1, 3.5.2, and 3.5.3. The features are available in 3.5.4 and later. [Updated: 2022-08-16]
- Detection of GitHub Actions workflow files for the dependency graph
- Reopening of dismissed Dependabot alerts
- Enabling the Update branch button for all pull requests in a repository
- Light high contrast theme
In some cases, GitHub Advanced Security customers who upgrade to GitHub Enterprise Server 3.5 may notice that alerts from secret scanning are missing in the web UI and REST API. To ensure the alerts remain visible, do not skip 3.4 as you upgrade to the latest release. To plan an upgrade through 3.4, see the Upgrade assistant.
- To display the missing alerts for all repositories owned by an organization, organization owners can navigate to the organization's Code security and analysis settings, then click Enable all for secret scanning. For more information, see "Managing security and analysis settings for your organization."
- To display the missing alerts for an individual repository, people with admin access to the repository can disable then enable secret scanning for the repository. For more information, see "Managing security and analysis settings for your repository."
A fix is available in the 3.5.5 patch release. [Updated: 2022-09-01]
GitHub Pages builds may time out on instances in AWS that are configured for high availability. [Updated: 2022-11-28]
Instances experiencing a high sustained number of concurrent Git requests may experience performance issues. If you suspect that this issue is affecting your instance, contact GitHub Support. For more information, see "Creating a support ticket." [Updated: 2022-12-07]
Enterprise Server 3.5.1
Download GitHub Enterprise Server 3.5.1 (June 09, 2022)
📣 This is not the latest patch release of this release series, and this is not the latest release of Enterprise Server. Please use the latest release for the latest security, performance, and bug fixes.
3.5.1: Security fixes
Packages have been updated to the latest security versions.
3.5.1: Bug fixes
An internal script to validate hostnames in the GitHub Enterprise Server configuration file would return an error if the hostname string started with a "." (period character).
In HA configurations where the primary node's hostname was longer than 60 characters, MySQL would fail to be configured.
When GitHub Actions was enabled but TLS was disabled on GitHub Enterprise Server 3.4.1 and later, applying a configuration update would fail.
The --gateway argument was added to the ghe-setup-network command, to allow passing the gateway address when configuring network settings using the command line.
The GitHub Advanced Security billing API endpoints were not enabled and accessible.
Image attachments that were deleted would return a 500 Internal Server Error instead of a 404 Not Found error.
In environments configured with a repository cache server, the ghe-repl-status command incorrectly showed gists as being under-replicated.
The "Get a commit" and "Compare two commits" endpoints in the Commit API would return a 500 error if a file path in the diff contained an encoded and escaped unicode character.
The calculation of "maximum committers across entire instance" reported in the site admin dashboard was incorrect.
An incorrect database entry for repository replicas caused database corruption when performing a restore using GitHub Enterprise Server Backup Utilities.
A GitHub App would not be able to subscribe to the secret_scanning_alert_location webhook event on an installation.
The activity timeline for secret scanning alerts wasn't displayed.
Deleted repos were not purged after 90 days.
3.5.1: Changes
Optimised the inclusion of metrics when generating a cluster support bundle.
In HA configurations where Elasticsearch reported a valid yellow status, changes introduced in a previous fix would block the ghe-repl-stop command and not allow replication to be stopped. Using ghe-repl-stop --force will now force Elasticsearch to stop when the service is in a normal or valid yellow status.
VMware vSphere ESXi hypervisor version 7.0 is now supported. [Updated: 2022-09-07]
3.5.1: Known issues
On a freshly set up GitHub Enterprise Server instance without any users, an attacker could create the first admin user.
Custom firewall rules are removed during the upgrade process.
Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
The GitHub Packages npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.
Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.
Actions services need to be restarted after restoring an appliance from a backup taken on a different host.
Deleted repositories will not be purged from disk automatically after the 90-day retention period ends. This issue is resolved in the 3.5.1 release. [Updated: 2022-06-10]
Management Console may appear stuck on the Starting screen after upgrading an under-provisioned instance to GitHub Enterprise Server 3.5. [Updated: 2022-06-20]
The following features were unavailable for users in GitHub Enterprise Server 3.5.0, 3.5.1, 3.5.2, and 3.5.3. The features are available in 3.5.4 and later. [Updated: 2022-08-16]
- Detection of GitHub Actions workflow files for the dependency graph
- Reopening of dismissed Dependabot alerts
- Enabling the Update branch button for all pull requests in a repository
- Light high contrast theme
In some cases, GitHub Advanced Security customers who upgrade to GitHub Enterprise Server 3.5 may notice that alerts from secret scanning are missing in the web UI and REST API. To ensure the alerts remain visible, do not skip 3.4 as you upgrade to the latest release. To plan an upgrade through 3.4, see the Upgrade assistant.
- To display the missing alerts for all repositories owned by an organization, organization owners can navigate to the organization's Code security and analysis settings, then click Enable all for secret scanning. For more information, see "Managing security and analysis settings for your organization."
- To display the missing alerts for an individual repository, people with admin access to the repository can disable then enable secret scanning for the repository. For more information, see "Managing security and analysis settings for your repository."
A fix is available in the 3.5.5 patch release. [Updated: 2022-09-01]
GitHub Pages builds may time out on instances in AWS that are configured for high availability. [Updated: 2022-11-28]
Instances experiencing a high sustained number of concurrent Git requests may experience performance issues. If you suspect that this issue is affecting your instance, contact GitHub Support. For more information, see "Creating a support ticket." [Updated: 2022-12-07]
Enterprise Server 3.5.0
Download GitHub Enterprise Server 3.5.0 (May 31, 2022)
📣 This is not the latest patch release of this release series, and this is not the latest release of Enterprise Server. Please use the latest release for the latest security, performance, and bug fixes.
For upgrade instructions, see "Upgrading GitHub Enterprise Server."
3.5.0: Features
IP exception list for validation testing after maintenance
You can now configure an allow list of IP addresses that can access application services on your GitHub Enterprise Server instance while maintenance mode is enabled. Administrators who visit the instance's web interface from an allowed IP address can validate the instance's functionality post-maintenance and before disabling maintenance mode. For more information, see "Enabling and scheduling maintenance mode."
Custom repository roles are generally available
With custom repository roles, organizations now have more granular control over the repository access permissions they can grant to users. For more information, see "Managing custom repository roles for an organization."
A custom repository role is created by an organization owner, and is available across all repositories in that organization. Each role can be given a custom name and a description. It can be configured from a set of over 40 fine-grained permissions. Once created, repository admins can assign a custom role to any user, team or outside collaborator in their repository.
Custom repository roles can be created, viewed, edited and deleted via the new Repository roles tab in an organization's settings. A maximum of 3 custom roles can be created within an organization.
Custom repository roles are also fully supported in the GitHub Enterprise Server REST APIs. The Organizations API can be used to list all custom repository roles in an organization, and the existing APIs for granting repository access to individuals and teams have been extended to support custom repository roles. For more information, see "Organizations" in the REST API documentation.
GitHub Container registry in public beta
The GitHub Container registry (GHCR) is now available in GitHub Enterprise Server 3.5 as a public beta, offering developers the ability to publish, download, and manage containers. GitHub Packages container support implements the OCI standards for hosting Docker images. For more information, see "GitHub Container registry."
Dependabot updates are generally available
Dependabot version and security updates are now generally available in GitHub Enterprise Server 3.5. All the popular ecosystems and features that work on GitHub.com repositories now can be set up on your GitHub Enterprise Server instance. Dependabot on GitHub Enterprise Server requires GitHub Actions and a pool of self-hosted Dependabot runners, GitHub Connect enabled, and Dependabot enabled by an admin. For more information, see "Setting up Dependabot updates."
Server Statistics in public beta
You can now analyze how your team works, understand the value you get from GitHub Enterprise Server, and help us improve our products by reviewing your instance's usage data and sharing this aggregate data with GitHub. You can use your own tools to analyze your usage over time by downloading your data in a CSV or JSON file or by accessing it using the REST API. To see the list of aggregate metrics collected, see "About Server Statistics." Server Statistics data includes no personal data nor GitHub content, such as code, issues, comments, or pull requests content. For a better understanding of how we store and secure Server Statistics data, see "GitHub Security." For more information about Server Statistics, see "Analyzing how your team works with Server Statistics." This feature is available in public beta.
GitHub Actions rate limiting is now configurable
Site administrators can now enable and configure a rate limit for GitHub Actions. By default, the rate limit is disabled. When workflow jobs cannot immediately be assigned to an available runner, they will wait in a queue until a runner is available. However, if GitHub Actions experiences a sustained high load, the queue can back up faster than it can drain and the performance of the GitHub Enterprise Server instance may degrade. To avoid this, an administrator can configure a rate limit. When the rate limit is exceeded, additional workflow runs will fail immediately rather than being put in the queue. Once the rate has stabilized below the threshold, new runs can be queued again. For more information, see "Configuring rate limits."
OpenID Connect (OIDC) for secure deployments with GitHub Actions
GitHub Actions on GitHub Enterprise Server now supports OIDC for secure deployments to cloud providers, which uses short-lived tokens that are automatically rotated for each deployment. OIDC enables the following functionality.
- Seamless authentication between cloud providers and GitHub Enterprise Server without the need for storing any long-lived cloud secrets on your instance
- Cloud administrators can rely on the security mechanisms of a particular cloud provider to ensure that GitHub Actions workflows have minimal access to cloud resources. There is no duplication of secret management between GitHub Enterprise Server and the cloud.
For more information, see "Security hardening your deployments."
Sharing GitHub Actions within your enterprise is generally available
Support for GitHub Actions in internal repositories is now generally available for organizations on your GitHub Enterprise Server instance. You can innersource automation by sharing actions in internal repositories. You can manage a repository's settings or use the REST API to allow access to workflows in other repositories within the organization or in any organization on the instance. For more information, see "Sharing actions and workflows with your enterprise," "Managing GitHub Actions settings for a repository," and "Actions Permissions" in the REST API documentation.
Cache support for GitHub Actions on GitHub Enterprise Server is now generally available
You can now use dependency caching to speed up your GitHub Actions workflows. To cache dependencies for a job, you can include the actions/cache action to create a cache with a unique key. You can share caches across all workflows in the same repository. These workflows can then restore the cache and run faster.
Actions users can also use our cache APIs to:
- Define the enterprise policy for cache size range allowed per repository.
- Query the cache usage within each repository and monitor if the total size of all caches is reaching the upper limit.
- Increase the maximum cache size for a repository within the allowed enterprise limits, based on the cache requirements of the repository.
- Monitor aggregate cache usage at organization level or at enterprise level.
The external blob storage that is configured within your enterprise account will now be shared across workflow artifacts, logs, and also the caches. For more information, see "Caching dependencies to speed up workflows."
Automatically sign commits made in the web UI
You can now configure GitHub Enterprise Server to automatically sign commits made in the web interface, such as from editing a file or merging a pull request. Signed commits increase confidence that changes come from trusted sources. This feature allows the Require signed commits branch protection setting to block unsigned commits from entering a repository, while allowing entry of signed commits – even those made in the web interface. For more information, see "Configuring web commit signing."
Sync license usage any time
For customers that sync license usage between GitHub Enterprise Server and GitHub Enterprise Cloud automatically using GitHub Connect, you now have the ability to sync your license usage independently of the automatic weekly sync. This feature also reports the status of sync job. For more information, see "Syncing license usage between GitHub Enterprise Server and GitHub Enterprise Cloud."
Reusable workflows for GitHub Actions are generally available
Reusable workflows are now generally available. Reusable workflows help you reduce duplication by enabling you to reuse an entire workflow as if it were an action. With the general availability release, a number of improvements are now available for GitHub Enterprise Server. For more information, see "Reusing workflows."
- You can utilize outputs to pass data from reusable workflows to other jobs in the caller workflow.
- You can pass environment secrets to reusable workflows.
- The audit log includes information about which reusable workflows are used.
- Reusable workflows in the same repository as the calling repository can be referenced with just the path and filename (PATH/FILENAME). The called workflow will be from the same commit as the caller workflow.
Self-hosted runners for GitHub Actions can now disable automatic updates
You now have more control over when your self-hosted runners perform software updates. If you specify the --disableupdate flag to the runner then it will not try to perform an automatic software update if a newer version of the runner is available. This allows you to update the self-hosted runner on your own schedule, and is especially convenient if your self-hosted runner is in a container.
For compatibility with the GitHub Actions service, you will need to manually update your runner within 30 days of a new runner version being available. For instructions on how to install the latest runner version, please see the installation instructions for the latest release in the runner repo.
Secure self-hosted runners for GitHub Actions by limiting workflows
Organization owners can now increase the security of CI/CD workflows on self-hosted runners by choosing which workflows can access a runner group. Previously, any workflow in a repository, such as an issue labeler, could access the self-hosted runners available to an organization. For more information, see "Managing access to self-hosted runners using groups" and the GitHub Blog.
Prevent GitHub Actions from approving pull requests
You can now control whether GitHub Actions can approve pull requests. This feature protects against a user using GitHub Actions to satisfy the "Required approvals" branch protection requirement and merging a change that was not reviewed by another user. To prevent breaking existing workflows, Allow GitHub Actions reviews to count towards required approval is enabled by default. Organization owners can disable the feature in the organization's GitHub Actions settings. For more information, see "Disabling or limiting GitHub Actions for your organization."
Re-run failed or individual GitHub Actions jobs
You can now re-run only failed jobs or an individual job in a GitHub Actions workflow run. For more information, see "Re-running workflows and jobs."
Dependency graph supports GitHub Actions
The dependency graph now detects YAML files for GitHub Actions workflows. GitHub Enterprise Server will display the workflow files within the Insights tab's dependency graph section. Repositories that publish actions will also be able to see the number of repositories that depend on that action from the "Used By" control on the repository homepage. For more information, see "About the dependency graph."
- Note: This feature was unavailable in GitHub Enterprise Server 3.5.0, 3.5.1, 3.5.2, and 3.5.3. The feature is available in 3.5.4 and later. [Updated: 2022-08-16]
Security overview for enterprises in public beta
GitHub Advanced Security customers can now view an overview of security alerts at the enterprise level. The new Security tab at the enterprise level provides a repository-centric view of application security risks, as well as an alert-centric view of all secret scanning alerts. For more information, see "About the security overview."
Security view for organizations is generally available
The overview of security alerts at the organization level is now generally available. GitHub Advanced Security customers can use the security overview to view a repository-centric view of application security risks, or an alert-centric view of all code scanning, Dependabot, and secret scanning alerts for all repositories in an organization. For more information, see "About the security overview."
Code scanning detects more security issues, supports new language versions
Code scanning now detects a larger number of CWEs, and CodeQL code scanning fully supports the standard language features in the following language releases.
- C# 10 / .NET 6
- Python 3.10
- Java 17
- TypeScript 4.5
For more information, see the GitHub Blog.
View code scanning alerts across an organization
GitHub Advanced Security customers can now view code scanning alerts in an organization's Security tab. This view is available to organization owners and members of teams with the security manager role. For more information, see "About the security overview."
Users can now retrieve code scanning alerts for an organization on your GitHub Enterprise Server instance via the REST API. This new API endpoint supplements the existing endpoint for repositories. For more information, see Code Scanning in the REST API documentation.
Secret scanning available as a push protection
GitHub Enterprise Server can now block any pushes where a token is detected with high confidence. Developers can bypass the block by providing details of why the secret needs to be committed via a web UI. For more information, see "Protecting pushes with secret scanning."
Dry runs for custom patterns with secret scanning
GitHub Advanced Security customers can now dry run custom secret scanning patterns at the organization or repository level. Dry runs allow people with owner or admin access to review and hone their patterns before publishing them and generating alerts. You can compose a pattern, then use Save and dry run to retrieve results. The scans typically take just a few seconds, but GitHub Enterprise Server will also notify organization owners or repository admins via email when dry run results are ready. For more information, see "About secret scanning" and "Defining custom patterns for secret scanning."
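As an added illustration (not code from these release notes or from GitHub), the dry run below models what the feature does: a custom pattern assembled from a secret format plus before/after context is run over a set of files, and hits are grouped into one alert per distinct secret with one location per file path and line, which is also the unit the secret_scanning_alert_location webhook described further down reports on. The pattern, the sample file contents and the Alert/Location shapes are all assumptions constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample repository contents (path -> file text); not taken from the release notes.
SAMPLE_FILES = {
    "config/prod.env": (
        "DB_URL=postgres://app:example@db.internal/app\n"
        "ACME_KEY=acme_live_0123456789abcdef\n"
    ),
    "scripts/deploy.sh": (
        "#!/bin/sh\n"
        "export ACME_KEY=acme_live_0123456789abcdef\n"
    ),
    "docs/README.md": "Use acme_test_ffffffffffffffff in CI only; never a live key.\n",
    "src/app.py": "KEY = 'acme_live_fedcba9876543210'\n",
    "src/notes.txt": "Not a key: xacme_live_0123456789abcdef\n",
}


@dataclass(frozen=True)
class Location:
    """One place a secret was seen: file path plus 1-based line number."""
    path: str
    line: int


@dataclass
class Alert:
    """One alert per distinct secret value; every hit adds a Location."""
    secret: str
    locations: list = field(default_factory=list)


def compile_pattern(secret_format, before=r"(?<![A-Za-z0-9_])", after=r"(?![A-Za-z0-9_])"):
    """Assemble the full regex from the secret format and its before/after context.

    The default context requires the secret to stand alone (not glued to other
    identifier characters), which is what keeps 'xacme_live_...' from matching.
    """
    return re.compile(f"{before}({secret_format}){after}")


def dry_run(secret_format, files, **context):
    """Scan every file line by line and return {secret: Alert} without publishing anything."""
    rx = compile_pattern(secret_format, **context)
    alerts = {}
    for path in sorted(files):
        for lineno, text in enumerate(files[path].splitlines(), start=1):
            for m in rx.finditer(text):
                alert = alerts.setdefault(m.group(1), Alert(m.group(1)))
                alert.locations.append(Location(path, lineno))
    return alerts


def redact(secret, keep=4):
    """Show only a short prefix so dry-run output can be reviewed without re-exposing the value."""
    return secret[:keep] + "*" * (len(secret) - keep)


def new_location_paths(previous, current):
    """File paths that newly contain a secret compared with an earlier scan.

    This mirrors the rule that a new location (and webhook event) is created
    for every new file path containing an already-detected secret.
    """
    new = {}
    for secret, alert in current.items():
        seen = {loc.path for loc in previous.get(secret, Alert(secret)).locations}
        fresh = sorted({loc.path for loc in alert.locations} - seen)
        if fresh:
            new[secret] = fresh
    return new


if __name__ == "__main__":
    results = dry_run(r"acme_live_[0-9a-f]{16}", SAMPLE_FILES)
    for secret, alert in results.items():
        print(redact(secret), [(loc.path, loc.line) for loc in alert.locations])
```

Tightening the before/after context is how a pattern author removes false positives such as the test key and the prefixed string before publishing the pattern.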
Secret scanning custom pattern events now in the audit log
The audit log now includes events associated with secret scanning custom patterns. This data helps GitHub Advanced Security customers understand actions taken on their repository-, organization-, or enterprise-level custom patterns for security and compliance audits. For more information, see "Reviewing the audit log for your organization" or "Reviewing audit logs for your enterprise."
Configure permissions for secret scanning with custom repository roles
You can now configure two new permissions for secret scanning when managing custom repository roles.
- View secret scanning results
- Dismiss or reopen secret scanning results
For more information, see "Managing custom repository roles for an organization."
Secret scanning now supports archived repositories
GitHub Advanced Security customers can now enable secret scanning for archived repositories via the UI and API. For more information, see "About secret scanning," "About archived repositories," and "Repositories" in the REST API documentation.
Secret scanning webhooks for alert locations
GitHub Advanced Security customers using secret scanning can now opt to receive a webhook each time a secret is detected in a new location. The secret_scanning_alert_location webhook event includes location details, like the commit SHA, and the associated alert for the detection. A location is created for every new file path containing the detected secret. For more information, see "Webhook events and payloads."
View Dependabot alerts across an organization
GitHub Advanced Security customers can now view Dependabot alerts in an organization's Security tab. This view is available to organization owners and members of teams with the security manager role. For more information, see "About the security overview."
Configure permissions for Dependabot alerts with custom repository roles
You can now configure two new permissions for Dependabot alerts when managing custom repository roles.
- View Dependabot alerts
- Dismiss or reopen Dependabot alerts
For more information, see "Managing custom repository roles for an organization."
Reopen dismissed Dependabot alerts
You can now reopen dismissed Dependabot alerts through the UI page for a closed alert. This does not affect Dependabot pull requests or the GraphQL API. For more information, see "About Dependabot alerts."
- Note: This feature was unavailable in GitHub Enterprise Server 3.5.0, 3.5.1, 3.5.2, and 3.5.3. The feature is available in 3.5.4 and later. [Updated: 2022-08-16]
Pub support for Dependabot version updates is in public beta
Users of Dependabot version updates can now proactively update dependencies for Flutter or Dart projects that use the Pub package manager.
To test version updates on your own Dart or Flutter repository, add the following configuration file in .github/dependabot.yaml. Note the package-ecosystem: "pub" and enable-beta-ecosystems: true flags.
version: 2
enable-beta-ecosystems: true
updates:
  - package-ecosystem: "pub"
    directory: "/"
    schedule:
      interval: "weekly"
See pull request associated with a repository's Dependabot alerts via GraphQL API
The new DependabotUpdate GraphQL object lets you view information about what happens to your repository's security updates. When GitHub Enterprise Server detects that a dependency in your repository is vulnerable, Dependabot will attempt to open a pull request to update that dependency to a non-vulnerable version. You can now see the pull request that fixes the vulnerability. In some cases, Dependabot fails to open a pull request. Previously, the error message that Dependabot generated was only visible in the "Dependabot Alerts" section of the Security tab. Now, if Dependabot runs into an error when trying to open a pull request for a security alert, you can determine the reason using the GraphQL API. For more information, see "Objects" in the GraphQL API documentation.
Access more information about Dependabot alerts via GraphQL API
You can now view fixed alerts from Dependabot with the GraphQL API. You can also access and filter by state, as well as by unique numeric identifier, and you can filter by state on the vulnerability alert object. The following fields now exist for a RepositoryVulnerabilityAlert:
- number
- fixed_at
- fix_reason
- state
For more information, see "Objects" in the GraphQL API documentation.
Git events in the enterprise audit log
The following Git-related events can now appear in the enterprise audit log. If you enable the feature and set an audit log retention period, the new events will be available for search via the UI and API, or export via JSON or CSV.
- git.clone
- git.fetch
- git.push
Due to the large number of Git events logged, we recommend you monitor your instance's file storage and review your related alert configurations. For more information, see "Configuring the audit log for your enterprise."
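Because the new Git events are high volume, a practitioner will usually want to reduce an exported log to per-action counts and per-actor clone breadth before reviewing it. The following script is an added example, not GitHub's tooling; it assumes a JSON-lines export with "action", "actor" and "repo" fields, and the records it reads are constructed.

```python
"""Summarise git.clone / git.fetch / git.push events from a GHES audit log export.

Added example, not GitHub's own code. Assumes one JSON object per line with
at least the fields "action", "actor" and "repo" (an assumption about the
export format); the sample records below are constructed, not real data.
"""
import json
from collections import Counter, defaultdict

# Constructed sample of a JSON-lines audit log export (not real data).
SAMPLE_EXPORT = """\
{"action": "git.clone", "actor": "alice", "repo": "octo-org/api"}
{"action": "git.clone", "actor": "alice", "repo": "octo-org/web"}
{"action": "git.clone", "actor": "alice", "repo": "octo-org/infra"}
{"action": "git.push", "actor": "bob", "repo": "octo-org/api"}
{"action": "git.fetch", "actor": "ci-bot", "repo": "octo-org/api"}
{"action": "repo.create", "actor": "bob", "repo": "octo-org/new"}
"""

# The three Git-related event types introduced in this release.
GIT_EVENTS = {"git.clone", "git.fetch", "git.push"}


def parse_git_events(export_text):
    """Yield only the Git-related events from a JSON-lines export; skip blanks."""
    for line in export_text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if event.get("action") in GIT_EVENTS:
            yield event


def summarise(events):
    """Return (Counter of events per action, {actor: set of repos cloned})."""
    per_action = Counter()
    cloned_repos = defaultdict(set)
    for ev in events:
        per_action[ev["action"]] += 1
        if ev["action"] == "git.clone":
            cloned_repos[ev["actor"]].add(ev["repo"])
    return per_action, cloned_repos


def actors_cloning_many_repos(cloned_repos, threshold):
    """Actors that cloned at least `threshold` distinct repos: a review trigger, not proof of misuse."""
    return sorted(a for a, repos in cloned_repos.items() if len(repos) >= threshold)


if __name__ == "__main__":
    counts, cloned = summarise(parse_git_events(SAMPLE_EXPORT))
    print(dict(counts))
    print("review:", actors_cloning_many_repos(cloned, threshold=3))
```

The threshold is a tuning knob for your own baseline; the point is to key the review off the new event names rather than reading raw entries.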
Improvements to CODEOWNERS
This release includes improvements to CODEOWNERS.
- Syntax errors are now surfaced when viewing a CODEOWNERS file from the web. Previously, when a line in a CODEOWNERS file had a syntax error, the error would be ignored or in some cases cause the entire CODEOWNERS file to not load. GitHub Apps and Actions can access the same list of errors using new REST and GraphQL APIs. For more information, see "Repositories" in the REST API documentation or "Objects" in the GraphQL API documentation.
- After someone creates a new pull request or pushes new changes to a draft pull request, any code owners that will be requested for review are now listed in the pull request under "Reviewers". This feature gives you an early look at who will be requested to review once the pull request is marked ready for review.
- Comments in CODEOWNERS files can now appear at the end of a line, not just on dedicated lines.
For more information, see "About code owners."
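A small local linter makes the two syntax points above concrete: an end-of-line comment must be stripped before parsing, and an owner that is not an @user, @org/team or e-mail address is a syntax error. This is an added example, not GitHub's parser; its checks are an approximation, and the CODEOWNERS content it lints is constructed.

```python
"""Lint a CODEOWNERS file for the kind of syntax errors the web view now surfaces.

Added example, not GitHub's implementation. The owner check (@user, @org/team
or e-mail) is a local approximation of the real rules; the sample file is
constructed. A pattern with no owners is valid: it clears ownership for paths
it matches, so it is returned as an entry, not reported as an error.
"""
import re

# @user, @org/team, or an e-mail address (approximation, assumed here).
OWNER_RE = re.compile(r"^(@[\w.-]+(/[\w.-]+)?|[^\s@]+@[^\s@]+\.[^\s@]+)$")

# Constructed sample: line 3 uses the newly supported end-of-line comment,
# line 4 deliberately has no owners, line 5 has a malformed owner.
SAMPLE_CODEOWNERS = """\
# Default owners
*                @octo-org/maintainers
/docs/           docs@example.com   # end-of-line comment is now allowed
/infra/
/scripts/        ops-team
"""


def strip_comment(line):
    """Drop everything from the first '#' on; a leading '#' comments the whole line."""
    idx = line.find("#")
    return line if idx < 0 else line[:idx]


def lint_codeowners(text):
    """Return (entries, errors).

    entries: [(line_number, pattern, [owners])] for every rule line
    errors:  [(line_number, message)] for lines that would fail to parse
    """
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        body = strip_comment(raw).strip()
        if not body:
            continue  # blank or comment-only line
        parts = body.split()
        pattern, owners = parts[0], parts[1:]
        bad = [o for o in owners if not OWNER_RE.match(o)]
        for owner in bad:
            errors.append((lineno, f"invalid owner {owner!r}"))
        if not bad:
            entries.append((lineno, pattern, owners))
    return entries, errors


if __name__ == "__main__":
    rules, problems = lint_codeowners(SAMPLE_CODEOWNERS)
    for lineno, msg in problems:
        print(f"line {lineno}: {msg}")
```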
More ways to keep a pull request's topic branch up to date
The Update branch button on the pull request page lets you update your pull request's branch with the latest changes from the base branch. This is useful for verifying your changes are compatible with the current version of the base branch before you merge. Two enhancements now give you more ways to keep your branch up-to-date.
- When your pull request's topic branch is out of date with the base branch, you now have the option to update it by rebasing on the latest version of the base branch. Rebasing applies the changes from your branch onto the latest version of the base branch, resulting in a branch with a linear history since no merge commit is created. To update by rebasing, click the drop-down menu next to the Update Branch button, click Update with rebase, and then click Rebase branch. Previously, Update branch performed a traditional merge that always resulted in a merge commit in your pull request branch. This option is still available, but now you have the choice. For more information, see "Keeping your pull request in sync with the base branch."
- A new repository setting allows the Update branch button to always be available when a pull request's topic branch is not up to date with the base branch. Previously, this button was only available when the Require branches to be up to date before merging branch protection setting was enabled. People with admin or maintainer access can manage the Always suggest updating pull request branches setting from the Pull Requests section in repository settings. For more information, see "Managing suggestions to update pull request branches."
- Note: This feature was unavailable in GitHub Enterprise Server 3.5.0, 3.5.1, 3.5.2, and 3.5.3. The feature is available in 3.5.4 and later. [Updated: 2022-08-16]
Configure custom HTTP headers for GitHub Pages sites
You can now configure custom HTTP headers that apply to all GitHub Pages sites served from your GitHub Enterprise Server instance. For more information, see "Configuring GitHub Pages for your enterprise."
Ignore commits in blame view
It's now possible to ignore revisions in the blame view by creating a .git-blame-ignore-revs file in the root of your repository. For more information, see "Viewing a file."
Light high contrast theme is generally available
A light high contrast theme, with greater contrast between foreground and background elements, is now generally available. For more information, see "Managing your theme settings."
- Note: This feature was unavailable in GitHub Enterprise Server 3.5.0, 3.5.1, 3.5.2, and 3.5.3. The feature is available in 3.5.4 and later. [Updated: 2022-08-16]
Tag protection rules
Repository owners can now configure tag protection rules to protect a repository's tags. Once protected by a tag protection rule, tags matching a specified name pattern can only be created and deleted by users with the Maintain or Admin role in the repository. For more information, see "Configuring tag protection rules."
Edit files within pull requests in GitHub Mobile for iOS
In GitHub Mobile for iOS 1.80.0 and later, users can now edit files within a pull request's topic branch. Support for editing files will come to GitHub Mobile for Android in a future release. [Updated: 2022-09-13]
3.5.0: Bug fixes
It is now possible for GitHub Apps to upload release assets.
3.5.0: Changes
Minimum requirements for root storage and memory increased for GitHub Enterprise Server 2.10 and 3.0, and are now enforced as of 3.5.0.
- In version 2.10, the minimum requirement for root storage increased from 80 GB to 200 GB. As of 3.5.0, system preflight checks will fail if the root storage is smaller than 80 GB.
- In version 3.0, the minimum requirement for memory increased from 16 GB to 32 GB. As of 3.5.0, system preflight checks will fail if the system has less than 28 GB of memory.
For more information, see the minimum requirements for each supported deployment platform in "Setting up a GitHub Enterprise Server instance." [Updated: 2022-06-20]
VMware vSphere ESXi hypervisor version 7.0 is now supported. [Updated: 2022-09-07]
To use the device authorization flow for OAuth and GitHub Apps, you must manually enable the feature. This change reduces the likelihood of apps being used in phishing attacks against GitHub Enterprise Server users by ensuring integrators are aware of the risks and make a conscious choice to support this form of authentication. If you own or manage an OAuth App or GitHub App and you want to use the device flow, you can enable it for your app via the app's settings page. The device flow API endpoints will respond with status code 400 to apps that have not enabled this feature. For more information, see "Authorizing OAuth Apps."
The code scanning alert page now always shows the alert status and information for the default branch. There is a new "Affected branches" panel in the sidebar where you can see the status of the alert in other branches. If the alert does not exist in your default branch, the alert page will show the status as "In branch" or "In pull request" for the location where the alert was last seen. This improvement makes it easier to understand the status of alerts which have been introduced into your code base. For more information, see "About code scanning alerts."
The alert list page is not changed and can be filtered by branch. You can use the code scanning API to retrieve more detailed branch information for alerts. For more information, see "Code Scanning" in the REST API documentation.
Code scanning now shows the details of the analysis origin of an alert. If an alert has more than one analysis origin, it is shown in the "Affected branches" sidebar and in the alert timeline. You can hover over the analysis origin icon in the "Affected branches" sidebar to see the alert status in each analysis origin. If an alert only has a single analysis origin, no information about analysis origins is displayed on the alert page. These improvements will make it easier to understand your alerts. In particular, it will help you understand those that have multiple analysis origins. This is especially useful for setups with multiple analysis configurations, such as monorepos. For more information, see "About code scanning alerts."
Lists of repositories owned by a user or organization now have an additional filter option, "Templates", making it easier to find template repositories.
GitHub Enterprise Server can display several common image formats, including PNG, JPG, GIF, PSD, and SVG, and provides several ways to compare differences between versions. Now when reviewing added or changed images in a pull request, previews of those images are shown by default. Previously, you would see a message indicating that binary files could not be shown and you would need to toggle the "Display rich diff" option. For more information, see "Working with non-code files."
New gists are now created with a default branch name of either main or the alternative default branch name defined in your user settings. This matches how other repositories are created on GitHub Enterprise Server. For more information, see "About branches" and "Managing the default branch name for your repositories."
Gists now only show the 30 most recent comments when first displayed. You can click Load earlier comments... to view more. This allows gists that have many comments to appear more quickly. For more information, see "Editing and sharing content with gists."
Settings pages for users, organizations, repositories, and teams have been redesigned, grouping similar settings pages into sections for improved information architecture and discoverability. For more information, see the GitHub changelog.
Focusing or hovering over a label now displays the label description in a tooltip.
Creating and removing repository invitations, whether done through the API or web interface, are now subject to rate limits that may be enabled on your GitHub Enterprise Server instance. For more information about rate limits, see "Configuring rate limits."
MinIO has announced the removal of the MinIO Gateways starting June 1st, 2022. While MinIO Gateway for NAS continues to be one of the supported storage providers for GitHub Actions and GitHub Packages, we recommend moving to MinIO LTS support to receive support and bug fixes from MinIO. For more information, see "Scheduled removal of MinIO Gateway for GCS, Azure, HDFS" in the minio/minio repository.
3.5.0: Deprecations
Change to the format of authentication tokens affects GitHub Connect
GitHub Connect will no longer work after June 3rd for instances running GitHub Enterprise Server 3.1 or older, due to the format of GitHub authentication tokens changing. To continue using GitHub Connect, upgrade to GitHub Enterprise Server 3.2 or later. For more information, see the GitHub Blog. [Updated: 2022-06-14]
CodeQL runner deprecated in favor of CodeQL CLI
The CodeQL runner is deprecated in favor of the CodeQL CLI. GitHub Enterprise Server 3.4 and later no longer include the CodeQL runner. This deprecation only affects users who use CodeQL code scanning in 3rd party CI/CD systems. GitHub Actions users are not affected. GitHub strongly recommends that customers migrate to the CodeQL CLI, which is a feature-complete replacement for the CodeQL runner and has many additional features. For more information, see "Migrating from the CodeQL runner to CodeQL CLI."
Theme picker for GitHub Pages has been removed
The theme picker for GitHub Pages has been removed from the Pages settings. For more information about configuration of themes for GitHub Pages, see "Adding a theme to your GitHub Pages site using Jekyll."
3.5.0: Known issues
On a freshly set up GitHub Enterprise Server instance without any users, an attacker could create the first admin user.
Custom firewall rules are removed during the upgrade process.
Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
The GitHub Packages npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.
Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.
Actions services need to be restarted after restoring an appliance from a backup taken on a different host.
Deleted repositories will not be purged from disk automatically after the 90-day retention period ends. This issue is resolved in the 3.5.1 patch release. [Updated: 2022-06-10]
Management Console may appear stuck on the Starting screen after upgrading an under-provisioned instance to GitHub Enterprise Server 3.5. [Updated: 2022-06-20]
The following features were unavailable for users in GitHub Enterprise Server 3.5.0, 3.5.1, 3.5.2, and 3.5.3. The features are available in 3.5.4 and later. [Updated: 2022-08-16]
- Detection of GitHub Actions workflow files for the dependency graph
- Reopening of dismissed Dependabot alerts
- Enabling the Update branch button for all pull requests in a repository
- Light high contrast theme
In some cases, GitHub Advanced Security customers who upgrade to GitHub Enterprise Server 3.5 may notice that alerts from secret scanning are missing in the web UI and REST API. To ensure the alerts remain visible, do not skip 3.4 as you upgrade to the latest release. To plan an upgrade through 3.4, see the Upgrade assistant.
- To display the missing alerts for all repositories owned by an organization, organization owners can navigate to the organization's Code security and analysis settings, then click Enable all for secret scanning. For more information, see "Managing security and analysis settings for your organization."
- To display the missing alerts for an individual repository, people with admin access to the repository can disable then enable secret scanning for the repository. For more information, see "Managing security and analysis settings for your repository."
A fix is available in the 3.5.5 patch release. [Updated: 2022-09-01]
GitHub Pages builds may time out on instances in AWS that are configured for high availability. [Updated: 2022-11-28]
Instances experiencing a high sustained number of concurrent Git requests may experience performance issues. If you suspect that this issue is affecting your instance, contact GitHub Support. For more information, see "Creating a support ticket." [Updated: 2022-12-07]
3.5.0: Errata
"Encrypted secrets" incorrectly indicated that secrets for GitHub Actions are encrypted in the instance's database. The article has been updated to reflect that secrets are not encrypted on the instance. To encrypt secrets at rest, you must encrypt your instance's block storage device. For more information, refer to the documentation for your hypervisor or cloud service. [Updated: 2023-06-01]