Changelog


Enterprise owners can now configure whether repository administrators can enable or disable Dependabot alerts.

If you are an owner of an enterprise with GitHub Advanced Security, you can now also set policies that allow or disallow repository administrators to enable or disable:

  • GitHub Advanced Security
  • Secret scanning


Learn more about enterprise policies for code security and send us your feedback


You can now hide individual Achievements.
Navigate to Achievements on your profile sidebar and click on an achievement to get started. Once in the detail view, the eye icon will indicate the current visibility of the achievement. Click on the eye icon to hide the achievement. A hidden achievement is visible only to you.

You can still opt out of Achievements as a whole in your Profile Settings.

For more information, see Changing the visibility of Achievements. If you have any feedback to help us improve Achievements, be sure to post it in our discussions forum.


GitHub Enterprise Cloud customers can now stream their audit log to a Datadog endpoint. Enterprise owners need to be able to use the right tools for their job, whether that be short-term investigation or longer-term threat analysis and prevention. With audit log streaming to Datadog, customers can be assured that:

  • no audit log event will be lost,
  • they may satisfy longer-term data retention goals, and
  • they can analyze GitHub's audit log data using Datadog products.

For GitHub Enterprise Server customers, this feature is planned to come to GHES 3.8.

For additional information, read our documentation about setting up streaming to Datadog.


GitHub Enterprise Cloud customers can now participate in a private beta that displays authentication token data for audit log events. With it, enterprise owners will be able to query their audit logs for activity associated with specific authentication tokens. This leaves enterprise owners better equipped to detect and trace activity associated with compromised authentication tokens, which have the potential to give threat actors access to sensitive private assets.

Enterprise owners interested in participating in the private beta should reach out to their GitHub account manager or contact our sales team to have this feature enabled for their enterprise. Once it is enabled, enterprise owners can find guidance and provide feedback at the "displaying authentication token data in enterprise audit log events" community discussion.


If you are an owner of an enterprise with GitHub Advanced Security, you can now enable secret scanning and push protection across your entire enterprise with only 1 click.

This new enablement setting also allows you to set a default custom link that will appear on a push protection block.


You can now express disinterest in rollup items in the "For you" feed to tailor the feed to your preferences. Get started by selecting "Show less activity like this".

This will prompt you to select more information about your preferences.

For questions and feedback, visit Community Feed Feedback.


API users can now integrate with a new dependabot_alert webhook, which matches the naming and structure of the recently introduced Dependabot alerts REST API. You should use this webhook in place of the existing repository_vulnerability_alert.

What's new

Improvements with the new webhook include:

  • More informative payload, including state and scope of the dependency, dismissal comments, and helpful information about a vulnerability (e.g. CVE ID, summary, description, CWEs, and reference URL).
  • Support for GitHub Apps with the Dependabot alerts read permission.
  • Actions on an alert now include the full set of created, dismissed, reopened, fixed, or reintroduced. See below for descriptions:
    Action         Action definition
    created        GitHub has opened the Dependabot alert
    dismissed      GitHub user dismissed the alert with dismissed_reason and an optional dismissed_comment
    reopened       GitHub user manually reopened the previously-dismissed alert
    fixed          GitHub detected the Dependabot alert is resolved
    reintroduced   GitHub reopened the previously-fixed alert
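
A receiver for the dependabot_alert webhook that routes each of the five actions above, as an added example (not code from GitHub). The route names and sample values are hypothetical; the payload keys follow the Dependabot alerts REST API structure that the entry says the webhook matches.

```python
import hashlib
import hmac
import json

OPEN_ACTIONS = {"created", "reopened", "reintroduced"}  # alert is (again) open


def verify_signature(secret: bytes, body: bytes, header: str) -> bool:
    """Check X-Hub-Signature-256: HMAC-SHA256 of the raw body, hex-encoded."""
    expected = "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected.encode(), (header or "").encode())


def triage(event: str, body: bytes, signature: str, secret: bytes) -> dict:
    """Return a routing decision for one delivery (route names are hypothetical)."""
    if not verify_signature(secret, body, signature):
        return {"route": "reject"}
    if event != "dependabot_alert":  # value of the X-GitHub-Event header
        return {"route": "ignore"}
    payload = json.loads(body)
    action = payload.get("action")
    alert = payload.get("alert") or {}
    advisory = alert.get("security_advisory") or {}
    result = {
        "route": "ignore",
        "action": action,
        "cve": advisory.get("cve_id"),
        "scope": (alert.get("dependency") or {}).get("scope"),
    }
    if action in OPEN_ACTIONS:
        result["route"] = "open-ticket"
    elif action == "fixed":
        result["route"] = "close-ticket"
    elif action == "dismissed":
        # No comment means no recorded justification: send to a human.
        commented = bool((alert.get("dismissed_comment") or "").strip())
        result["route"] = "close-ticket" if commented else "review-dismissal"
        result["reason"] = alert.get("dismissed_reason")
    return result


if __name__ == "__main__":
    secret = b"constructed-secret"  # constructed sample values, not real data
    body = json.dumps({"action": "dismissed", "alert": {
        "dismissed_reason": "tolerable_risk", "dismissed_comment": None,
        "security_advisory": {"cve_id": "CVE-0000-00000"}}}).encode()
    sig = "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()
    print(triage("dependabot_alert", body, sig, secret))
```

Verifying the signature over the raw request bytes, before any JSON parsing, is what keeps an unauthenticated sender from opening or closing tickets.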

Deprecation notice

The repository_vulnerability_alert webhook is being deprecated. In 2023, we plan to remove the existing repository_vulnerability_alert webhook, which is superseded by the dependabot_alert webhook. We will give integrators at least 3 months notice of this removal — keep an eye on the GitHub Changelog in 2023 for more information.

Learn more about the Dependabot alerts webhook in our documentation.


Dart developers will now receive Dependabot alerts for known vulnerabilities on their pubspec dependencies.

The dependency graph supports detecting pubspec.lock and pubspec.yaml files. Dependencies from these files will be displayed within the dependency graph section in the Insights tab.

The Advisory Database includes curated security advisories for vulnerabilities on pubspec packages.


Today, we're releasing updates that will optimize prebuilding codespaces for your repositories. With these updates, as long as there is an active prebuild for a given repository, branch, and devcontainer combination, you will be able to spin up prebuilt codespaces for it, even if the latest prebuild workflow for that branch is failing. This ensures fast codespace creation most of the time, regardless of any breaking changes that may be adversely affecting the latest prebuild update.

Repository admins will have the option to disable this optimization if needed by going to their prebuild configuration page under advanced options.
screenshot to disable prebuild optimization

For more information, see Configuring prebuilds for your repository.

If you have any feedback to help improve this experience, be sure to post it on our discussions forum.


GitHub Desktop 3.1 improves submodule support and now supports multi-commit diffing.

Submodule support in GitHub Desktop just got much better: it now provides a more detailed “diff” when submodules have changes. You will now know whether submodules are just pointing at a different commit or if there are changes within them that you must commit. You can also open the submodule at the click of a button!

Screenshot of GitHub Desktop displaying a submodule diff

You can now also see all the changes across multiple commits by just selecting them. That way, you can be certain about the changes you’re about to push or merge onto another branch, and make sure no unintended changes are included in them.

Screenshot of GitHub Desktop displaying multi-commit diffs

Learn more about GitHub Desktop


The functionality for GitHub Enterprise Cloud customers to configure audit log streaming to AWS S3 with OpenID Connect (OIDC) is now generally available. Audit log streaming configured with OIDC eliminates storage of long-lived cloud secrets on GitHub by using short-lived tokens exchanged via REST/JSON message flows for authentication.

For additional information, please read about setting up audit log streaming to AWS S3 with OpenID Connect.


Actions on GitHub Mobile

Actions are coming to GitHub Mobile! You can now view and manage your pull requests on the go.

Tapping on checks when viewing a pull request now leads to a vastly improved experience, including the ability to view a workflow-run, its jobs and even the logs of completed steps inside.

A run did not go as planned? No problem. GitHub Mobile now supports re-running single jobs, failed jobs as well as entire workflows directly from your mobile device. For checks that are already running, support for cancellation has been added as well.


Read more about GitHub Mobile and send us your feedback to help us improve.


As previously mentioned, starting today, all Sponsors profiles will have custom amounts enabled by default. This means if you have a GitHub Sponsors profile, people can sponsor you for a dollar amount they choose, rather than just the amounts you published. This will simplify setting up Sponsors profiles as well as make it easier for users to make sponsorships.

For maintainers who did not have custom amounts previously enabled, and therefore had no minimum, we set a minimum based on their lowest tier value. If you prefer to change your minimum custom amount, you can do so via the Sponsors dashboard. Learn more about managing sponsorship tiers.

Custom sponsorship amounts settings on the Sponsors dashboard page


GitHub's audit log allows admins to quickly review the actions performed by members of their Enterprise. It includes details such as who performed the action, what the action was, and when it was performed. Admins can export audit log activity for their enterprise as a JSON or CSV file download. Moving forward, customers can expect to see the following enhancements to their audit log exports:

  • Audit log exports will contain the same fields as the REST API and audit log streaming, bringing consistency across these three audit log consumption modalities.
  • actions events will be present in audit log exports.
  • For Enterprises who have enabled the feature to display IP addresses in their enterprise audit logs, IP addresses will be present in audit log exports.
  • Audit log exports will be delivered as a compressed file.
  • Audit log JSON exports will be formatted so that each line of the JSON file contains a single event, rather than a single JSON document with an array containing all the events as array elements.

This feature will be gradually enabled for an increasing percentage of GitHub Enterprise Cloud customers with a goal of 100% enablement by October 28, 2022. Should you encounter a problem with your audit log exports, please reach out to GitHub Support for assistance.
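
Because the rollout is gradual, a script that consumes JSON exports may meet either layout. The reader below accepts both; it is an added example, not GitHub code. It assumes the compressed file is gzip (the entry does not name the compression), and the sample events are constructed.

```python
import gzip
import json
from collections import Counter
from typing import Iterator


def iter_audit_events(raw: bytes) -> Iterator[dict]:
    """Yield events from a JSON audit log export in either layout."""
    if raw[:2] == b"\x1f\x8b":  # gzip magic bytes; gzip itself is an assumption
        raw = gzip.decompress(raw)
    text = raw.decode("utf-8").strip()
    if text.startswith("["):  # earlier layout: one array holding every event
        yield from json.loads(text)
        return
    # Split on "\n" only: str.splitlines() would also break on U+2028/U+2029,
    # which are legal unescaped inside JSON strings.
    for lineno, line in enumerate(text.split("\n"), 1):
        if not line.strip():
            continue  # tolerate blank lines
        try:
            event = json.loads(line)
        except json.JSONDecodeError as exc:
            # A truncated download shows up here as a cut-off last line.
            raise ValueError(f"line {lineno}: incomplete or invalid event") from exc
        yield event


def actions_by_ip(raw: bytes) -> Counter:
    """Count (actor_ip, action) pairs; actor_ip is absent unless IP display is on."""
    return Counter((e.get("actor_ip"), e.get("action")) for e in iter_audit_events(raw))


# Constructed sample events, not real audit data.
EVENTS = [
    {"action": "repo.create", "actor": "octocat", "actor_ip": "192.0.2.10"},
    {"action": "org.add_member", "actor": "octocat", "actor_ip": "192.0.2.10"},
    {"action": "repo.create", "actor": "hubot"},
]
OLD_EXPORT = json.dumps(EVENTS).encode()
NEW_EXPORT = gzip.compress("\n".join(json.dumps(e) for e in EVENTS).encode() + b"\n")

if __name__ == "__main__":
    print(actions_by_ip(NEW_EXPORT))
```

Reading the new layout line by line also means a large export never has to be held in memory as one parsed array.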


macOS 12 became generally available on GitHub-hosted runners in June 2022. Over the next 10 weeks, jobs using the macos-latest runner label will migrate from macOS 11 to 12. During migration, you can determine if your job has migrated by viewing the Runner Image information in the Set up job step of your logs.

Start using GitHub Actions to build and publish apps for the Apple ecosystem by updating your jobs to include runs-on: macos-latest

jobs:
  build:
    runs-on: macos-latest
    steps:
      - uses: actions/checkout@v2
      - name: Build
        run: swift build
      - name: Run tests
        run: swift test

The macOS 12 runner image has different tools and tool versions than macOS 11. See the full list of changed software.

If you spot any issues with your workflows when using macOS 12, please let us know by creating an issue in the runner image repository.


Organization administrators are now able to prevent outside collaborators from requesting the installation of both GitHub and OAuth apps to their organization. The "Allow integration requests from outside collaborators" setting can be found under Organization Settings > Member Privileges > Integration installation requests. This setting is enabled by default, and disabling it prevents outside collaborators from making app installation requests, unless the app has already been approved for use within the organization.


On the app integration page, organizations that do not permit installation requests will be disabled.

disabled OAuth integration installation page

Learn more about outside collaborators permissions in our documentation, "Setting permissions for adding outside collaborators".


Private profiles (now generally available) enable users to turn their GitHub profile "private", which gives users control over features that share user data across the GitHub platform. When a profile is private, the following content is hidden from the profile page:

  • Achievements and highlights
  • Activity overview and activity feed
  • Contribution graph
  • Follower and following counts
  • Follow and Sponsor buttons
  • Organization memberships
  • Stars, projects, packages, and sponsoring tabs

To enable this setting, visit https://github.com/settings/profile.

Learn more about private profiles. As we continue to release new privacy control features, please share your feedback.


GitHub Enterprise Cloud enterprise owners may now download an enterprise members CSV report, which is now available as a public beta. This new CSV report provides an extensive list of members associated with their Enterprise Cloud environment, including members synced from a GitHub Enterprise Server instance. To download the report, navigate to the enterprise's people page: https://github.com/enterprises/<enterprise>/people.

To learn more about this report, read our exporting membership information for your enterprise documentation.


We’ve been responding to your feedback – here’s a recap of some changes recently made to Dependabot alerts.

  • Dependabot Alerts details pages now auto-magically refresh after PR generation attempts are completed, rather than spinning forever
  • Alerts are more accurately mapped to Dependabot pull requests
  • Labels in the Dependabot Alerts row page now act as filters
  • You can now suggest improvements to an advisory directly from the alert details page (shown below).

Suggest improvements from a Dependabot alert

Let us know of other improvements you’d like to see in our GitHub community discussion page.


GitHub Advanced Security customers can now view a timeline of actions taken on a secret scanning alert, including when a contributor bypassed the push protection on a secret. Users can also now add an optional comment when closing an alert via the UI or the API.
