Changelog

GitHub Mobile Code Search

Introducing Global Code Search on GitHub Mobile

Global code search is now available directly from the home screen on GitHub Mobile. This addition enables users to conveniently find code snippets, navigate repositories, and access content directly from the home screen.
With global code search, users can easily locate anything they need while on the go.

Download or update GitHub Mobile today from the Apple App Store or Google Play Store to get started.


Learn more about GitHub Mobile and share your feedback to help us improve.

See more

On December 13, 2023, we released CodeQL Action v3, which runs on the Node.js 20 runtime. CodeQL Action v2 will be deprecated at the same time as GHES 3.11, which is currently scheduled for December 2024.

How does this affect me?

Default setup

Users of code scanning default setup do not need to take any action in order to automatically move to CodeQL Action v3.

Advanced setup

Users of code scanning advanced setup need to change their workflow files in order to start using CodeQL Action v3.

Users of GitHub.com and GitHub Enterprise Server 3.12 (and newer)

All users of GitHub code scanning (which by default uses the CodeQL analysis engine) on GitHub Actions on the following platforms should update their workflow files:

  • GitHub.com (including open source repositories, users of GitHub Teams and GitHub Enterprise Cloud)
  • GitHub Enterprise Server (GHES) 3.12 (and newer)

Users of the above-mentioned platforms should update their CodeQL workflow file(s) to refer to the new v3 version of the CodeQL Action. Note that the upcoming release of GitHub Enterprise Server 3.12 will ship with v3 of the CodeQL Action included.

Users of GitHub Enterprise Server 3.11

While GHES 3.11 does support Node 20 Actions, it does not ship with CodeQL Action v3. Users who want to migrate to v3 on GHES 3.11 should request that their system administrator enables GitHub Connect to download v3 onto GHES before updating their workflow files.

Users of GitHub Enterprise Server 3.10 (and older)

GHES 3.10 (and earlier) does not support running Actions using the Node 20 runtime and is therefore unable to run CodeQL Action v3. Please upgrade to a newer version of GitHub Enterprise Server prior to changing your CodeQL Action workflow files.

Exactly what do I need to change?

To upgrade to CodeQL Action v3, open your CodeQL workflow file(s) in the .github directory of your repository and look for references to:

  • github/codeql-action/init@v2
  • github/codeql-action/autobuild@v2
  • github/codeql-action/analyze@v2
  • github/codeql-action/upload-sarif@v2

These entries need to be replaced with their v3 equivalents:

  • github/codeql-action/init@v3
  • github/codeql-action/autobuild@v3
  • github/codeql-action/analyze@v3
  • github/codeql-action/upload-sarif@v3
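The replacement described above, applied across a repository's workflow files with a dry run by default; this is an added example, not GitHub's own tooling. The `migrate` function, the `--write` flag and the sample workflow are assumptions constructed for illustration. Only the exact `@v2` ref is rewritten, and any other ref that is not v3 (commit-SHA pins, `v2.x.y` tags, branches) is reported for manual review.

```python
import re
import sys
from pathlib import Path

# The four sub-actions listed in the changelog entry.
SUBACTIONS = ("init", "autobuild", "analyze", "upload-sarif")

# Matches "uses: github/codeql-action/<sub>@<ref>", optionally quoted or
# introduced by "- ". Commented-out lines start with "#" and never match.
USES_RE = re.compile(
    r"""^\s*(?:-\s+)?uses:\s*["']?github/codeql-action/"""
    r"(?P<sub>" + "|".join(SUBACTIONS) + r")@(?P<ref>[^\s\"'#]+)"
)

# Constructed sample workflow; the 40-hex ref is a made-up placeholder.
SAMPLE = """\
on: [push]
jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v2
      # - uses: github/codeql-action/autobuild@v2
      - name: Build
        uses: "github/codeql-action/autobuild@v2"  # quoted form
      - uses: github/codeql-action/analyze@0123456789abcdef0123456789abcdef01234567
      - uses: github/codeql-action/upload-sarif@v3
"""

def migrate(text):
    """Rewrite exact @v2 refs to @v3 and return (new_text, changed, manual).

    changed: (line, sub-action) for each rewritten line.
    manual: (line, sub-action, ref) for refs that are neither v2 nor v3.
    """
    out, changed, manual = [], [], []
    for lineno, line in enumerate(text.splitlines(keepends=True), 1):
        m = USES_RE.match(line)
        if m:
            sub, ref = m.group("sub"), m.group("ref")
            if ref == "v2":
                line = line[:m.start("ref")] + "v3" + line[m.end("ref"):]
                changed.append((lineno, sub))
            elif not (ref == "v3" or ref.startswith("v3.")):
                manual.append((lineno, sub, ref))
        out.append(line)
    return "".join(out), changed, manual

def main(argv):
    write = "--write" in argv  # hypothetical flag; default is a dry run
    root = Path(".github/workflows")
    files = sorted(list(root.glob("*.yml")) + list(root.glob("*.yaml")))
    for path in files:
        old = path.read_text(encoding="utf-8")
        new, changed, manual = migrate(old)
        for lineno, sub in changed:
            print(f"{path}:{lineno}: {sub}@v2 -> @v3")
        for lineno, sub, ref in manual:
            print(f"{path}:{lineno}: {sub}@{ref} needs manual review")
        if write and new != old:
            path.write_text(new, encoding="utf-8")
    return 0

if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it from the repository root; a SHA-pinned reference has to be re-pinned by hand to a commit from the v3 line, which the script cannot look up offline.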

Can I use Dependabot to help me with this upgrade?

Yes, you can! For more details on how to configure Dependabot to automatically upgrade your Actions dependencies, please see this page.

What happens in December 2024?

In December 2024, CodeQL Action v2 will be officially deprecated (at the same time as the GHES 3.11 deprecation). At that point, no new updates will be made to CodeQL Action v2, which means that new CodeQL analysis capabilities will only be available to users of CodeQL Action v3. We will keep a close eye on the migration progress across GitHub. If many workflow files still refer to CodeQL Action v2, we might consider scheduling one or more brownout moments later in the year to increase awareness.

See more

GitHub Copilot Chat now generally available for organizations and individuals

Recently, we announced that GitHub Copilot Chat in IDEs is now generally available for both Visual Studio Code and Visual Studio, and is included in all GitHub Copilot plans alongside the original GitHub Copilot productivity-boosting code completion capabilities. It is also available at no cost to verified teachers, students, and maintainers of popular open source projects. As of now, GitHub Copilot Chat is still in private beta for JetBrains IDEs.

If you’ve been using Copilot Chat in public beta or have already provided access to your development team, no additional actions are required. There’s also no need to install any additional extensions; the Copilot Chat extension is bundled together with the Copilot extension.

Enterprise and organization administrators can grant their development teams access to Copilot Chat by enabling the Copilot Chat setting for their users.

Please check out our guide for getting started with Copilot Chat.

Looking forward to hearing about how you’re putting it to use!

Join the discussion within GitHub Community.

See more

The new year brings new features and improvements for Copilot Enterprise! 🎆 These changes are focused on streamlined onboarding and ease of use.

As a reminder, Copilot Enterprise is currently in limited public beta. Enterprises can request access by signing up to the waitlist.

Semantic search can be enabled on any repository

Developers in an enterprise with access to Copilot Enterprise can now enable semantic search on a repository through the click of a button. Once a repository is indexed, Copilot has a much improved understanding of the code base in that repository and can answer questions via Copilot Chat in GitHub.com.

Create docsets to access your company’s critical knowledge

Organizations with documentation hosted in GitHub repos and written in Markdown (.md, .mdx) can now create “docsets” and enable developers in those organizations to access that critical knowledge via Copilot Chat in GitHub.com.

To get started, admins can create a docset, including the repositories that contain Markdown documentation.

Members of the corresponding organization can start to ask questions about the documentation by selecting the docset from Copilot’s “New conversation” UI in GitHub.com.

An organization can have multiple docsets – so, for example, an admin could create a docset for each team with the repositories that are relevant to them.

Introducing Copilot chat for pull request diffs

Developers are now able to ask Copilot Chat questions about diffs on GitHub.com. To see this in action, simply navigate to a diff and use one of the following two entry points:

  1. Select some of the lines in the diff, and click on the icon on the right. You can click “Explain” to ask Copilot to explain those lines.
  2. You can also ask Copilot to chat about an entire file in the diff by clicking on the three dots at the top-right of the file in the diff. Click on “Ask Copilot about this diff” to start chatting about it.

Improved onboarding and discoverability

  • Enterprise admins now have access to improved onboarding as they enable Copilot Enterprise within their enterprise.
  • GitHub Copilot on GitHub.com can now be accessed via the search bar.

See more

The min attribute in Action-Runner-Controller is now updated to enhance system responsiveness and efficiency. Previously, the min attribute was focused on determining the minimum number of runners that the system could scale down to during periods of inactivity. This meant that when there were few to no jobs running, the system would maintain this minimum number of runners, which could be either active or idle.

The new behavior of the min attribute shifts focus to maintaining a minimum number of idle runners at all times. This means that even when there are many jobs in progress, the system will ensure that a certain number of runners are always idle and ready to immediately take on new jobs. This change allows for smoother handling of incoming jobs, reducing wait times and improving overall job processing efficiency.

See more

About a month ago we announced that GitHub's Support Portal will soon require login.

Starting today, you will need to be signed in to your GitHub account to access our Support Portal. If you already have a GitHub account, please sign in as usual when accessing the Support Portal. If you don't have an account or are unable to sign in, we'll guide you through a simple email verification process.

We're excited about this change and confident that it will make your experience with GitHub Support more secure and personalized.

See more

As announced last year, and after two brownouts to raise awareness, GitHub has now removed support for the Subversion protocol on github.com. It will also be disabled in GitHub Enterprise Server 3.13, scheduled for release in June 2024. Please be aware that the GitHub Importer supports migrating Subversion repositories to Git on GitHub.

See more

If you are signed into multiple accounts on GitHub.com, you'll be able to pick between them when you sign in using the device flow. This authentication method is typically used for console applications, like the GitHub CLI and remote use of VS Code.

An account picker showing 3 accounts - one signed in with a green "Continue" button, another signed in with a "Select" option, and a third that's signed out, with a "Sign in" button. Above the picker it reads "Device Activation"

For more information about using multiple accounts, see "Switching between accounts".

See more

GitHub secret scanning protects users by searching repositories for known types of secrets such as tokens and private keys. By identifying and flagging these secrets, our scans help prevent data leaks and fraud.

We have partnered with Canva to scan for their tokens to help secure our mutual users in public repositories. Canva tokens enable users to perform authentication for their Canva Connect API integrations. GitHub will forward any exposed tokens found in public repositories to Canva, who will then rotate the token and notify the user about the leaked token. Read more information about Canva tokens.

GitHub Advanced Security customers can also scan for and block Canva tokens in their private repositories.

See more

GitHub Codespaces will promote the current beta host image configuration to stable on 16 January as part of regular maintenance for hosts. This change includes major version updates to the Docker engine and Docker Compose packages installed on the host as well as several minor version updates. These changes should not impact development container configurations.

If your dev container depends on Docker Compose, please test the beta image to ensure that your dev container does not require changes. For more details about the specific changes, see our documentation regarding host image configurations here. You can test the beta host configuration with your own codespaces by selecting the beta host image in your personal settings.

See more

Use CodeQL threat model settings for Java (beta) to adapt CodeQL's code scanning analysis to detect the most relevant security vulnerabilities in your code.

No two codebases are the same and each is subject to different security risks and threats. Such risks and threats can be captured in a codebase's threat model which, in turn, depends on how the code has been designed and will be deployed. To understand the threat model you need to know what type of data is untrusted and poses a threat to the codebase. Additionally, you need to know how that untrusted (or tainted) data interacts with the application. For example, one codebase might only consider data from remote network requests to be untrusted, whereas another might also consider data from local files to be tainted.

CodeQL can perform security analysis on all such codebases, but it needs to have the right context. It needs the threat model in order to behave slightly differently on different codebases. That way, CodeQL can include (or exclude) the appropriate sources of tainted data during its analysis, and flag up the most relevant security vulnerabilities to developers who work on the code.

CodeQL's default threat model works for the vast majority of codebases. It considers data from remote sources (such as HTTP requests) as tainted. Using new CodeQL threat model settings for Java, you can now optionally mark local sources of data as tainted. This includes data from local files, command-line arguments, environment variables, and databases. You can enable the local threat model option in code scanning to help security teams and developers uncover and fix more potential security vulnerabilities in their code.

CodeQL threat model settings can be configured in repositories running code scanning with CodeQL via default setup in the GitHub UI. Alternatively, you can specify it through advanced setup (in an Actions workflow file).

If your repository is running code scanning default setup on Java code, go to the Code security and analysis settings and click Edit configuration under Code scanning default setup. Here, you can change the threat model to Remote and local sources. For more information, see the documentation on including local sources of tainted data in default setup.

Threat model setting in CodeQL default configuration

If your repository is running code scanning advanced setup on Java code, you can customize the CodeQL threat model by editing the code scanning workflow file. For more information, see the documentation on extending CodeQL coverage with threat models. If you run the CodeQL CLI on the command line or in third-party CI/CD, you can specify a --threat-model when running a code scanning analysis. For more information, see the CodeQL CLI documentation.

CodeQL threat model settings (beta) in code scanning default setup is available on GitHub.com for repositories containing Java code. It will be shipped in GitHub Enterprise Server 3.13.

See more

The public beta Activity Overview of Organization Insights for GitHub Enterprise Cloud will be deprecated on January 5, 2024. Since its initial beta launch in 2019, the amount of data calculation and storage required for these views has proven untenable in its current format and the underlying service will be taken offline later in January. Metrics-specific integrations such as Cauldron are available to read, store, and visualize your organization’s data via the GitHub API, as well as more general-purpose data visualization platforms such as PowerBI or Grafana. The Dependency Insights feature will not be impacted.

See more

Code scanning default setup is now available for self-hosted runners on GitHub.com. To use default setup for code scanning, assign the code-scanning label to your runner. Default setup now uses actions/github-script instead of the GH CLI. If your organization has a policy which limits GitHub Actions, you will need to allow this action in your policy.

Code scanning sees assigned runners when default setup is enabled. As a result, if a runner is assigned to a repository which is already running default setup, you must disable and re-enable default setup to initiate using the runner.

Larger runners are in beta support, with the limitations that you can only define one single larger runner at the org level with the label code-scanning, and Swift analysis is not supported.

For more information, see “Using labels with self-hosted runners.”

Runner with code-scanning label

This is now available on GitHub.com. Self-Hosted runners for default setup are already supported from GitHub Enterprise Server 3.9.

See more

Introducing support for multiple GitHub accounts on a single host within the CLI! Log in with your work and personal accounts to manage your projects, wherever they're happening.

To add multiple accounts in the CLI, use the gh auth login command just as before. Now, instead of replacing your previous account, you will see the addition of a new account under gh auth status. This account will be marked as active, to indicate that gh will use it when communicating with GitHub. Run gh auth switch to change the active account, or gh auth logout to remove an account. Further details can be found in the v2.40.0 release notes.

Install or update the GitHub CLI today from your preferred source.

See more

In early November we announced a set of changes to improve troubleshooting SCIM activity at scale for enterprise managed users. Today, we are making each of those changes generally available. No updates were required during the public beta period. The following restates the beta changes that are now GA.

Enterprise audit log fields:

  • New field external_group.update_display_name: Our logs will now capture and report any changes made to an external group's display name.
  • New field external_group.add_member: When a team member is added to an external group, this action will be audit logged.
  • New field external_group.remove_member: When a team member is removed from an external group, this action will be audit logged.
  • Enhancements to external_group.update and external_identity.update to ensure consistency whenever an external group or identity is updated.

The SSO page for each user also now includes SCIM metadata for that user in addition to existing SAML metadata. Check out what's new by filling in this URL https://github.com/enterprises/your-enterprise/people/username/sso with your enterprise and a valid username.

Team membership synchronization status checks GitHub's understanding of identity groups against the current members of linked teams. This allows us to flag mismatches for administrators related to license allocation or other concerns.

Learn more about external group audit log fields and troubleshooting EMU team memberships.

See more

Today's changelog brings you the general availability (GA) of organization project templates.

🎨 Organization project templates

We've shipped exciting updates that allow you to quickly create, share, and use project templates for your organizations, making it easy to get started with a new project and share inspiration and best practices with others.

🔄 Creating a project template

You can create a project template a few different ways:

  1. Using New template from the "Templates" section found in your organization, team, or repository "Projects" pages
  2. Converting a project to a template by toggling Make template from the project settings page
  3. Making a copy of an existing project or project template

templates section on the Projects index page

Once you set up your project template, any views, fields, workflows, insights, and draft items will be included when using the template or making a copy of it.

With a growing number of project templates within an organization, organization administrators can designate a set of recommended templates from the organization settings page. These will appear as "Recommended" templates when creating a new project, so they are surfaced more prominently to help guide you in the right direction when getting started.

organization recommended templates

Improved experience when creating a project

When you create a new project, you'll notice an improved experience to browse and search across all available templates and choose one to quickly get started. You will find a new set of "Featured" templates provided by GitHub to help you get started depending on your use case for a project, such as the "Team planning" or "Feature release" templates, as well as separate sections for templates from your organization and starting from scratch.

✍️ Tell us what you think!

Join the conversation in the community discussion to share your feedback.

See how to use GitHub for project planning with GitHub Issues, check out what's on the roadmap, and learn more in the documentation.

See more

We listened to your feedback and released new versions (v4) of actions/upload-artifact and actions/download-artifact. While this version of the artifact actions includes up to 10x performance improvements and several new features, there are also key differences from previous versions that may require updates to your workflows.

  • Artifacts will be scoped to a job rather than a workflow. This allows the artifact to become immediately available to download from the API after being uploaded, which was not possible before.
  • Artifacts v4 is not cross-compatible with previous versions. For example, an artifact uploaded using v3 cannot be used with actions/download-artifact@v4.
  • Using upload-artifact@v4 ensures artifacts are immutable, improving performance and protecting objects from corruption, which would often happen with concurrent uploads. Artifacts should be uploaded separately and then downloaded into a single directory using the two new inputs, pattern and merge-multiple, available in download-artifact@v4. These objects can then be re-uploaded as a single artifact.
  • A single job can upload a maximum of 500 artifacts.

Customers will still be able to use v1-v3 of the artifact actions. If you wish to upgrade your workflow to use v4, please carefully consider the impact the aforementioned major version changes will have on your project and any downstream dependencies.

Artifacts v4 is only available to GitHub.com customers today but we will be extending support to GitHub Enterprise Server (GHES) customers in the future.

To learn more about what is included in v4, visit the actions/upload-artifact and actions/download-artifact repositories.

See more

A screenshot of the five available types of Markdown alerts

Alerts are a Markdown extension displayed with distinctive colors and icons to indicate the significance of the content. Five different types of alerts are supported:

  • Note: Useful information that users should know, even when skimming content.
  • Tip: Helpful advice for doing things better or more easily.
  • Important: Key information users need to know to achieve their goal.
  • Warning: Urgent info that needs immediate user attention to avoid problems.
  • Caution: Advises about risks or negative outcomes of certain actions.

Learn more about how to use them within your Markdown content in the documentation.

See more

In the secret scanning list view, you can now apply a filter to display alerts that are the result of having bypassed push protection. This filter can be applied at the repository, organization, and enterprise levels from the sort menu in the list view UI or by adding bypassed:true to the search bar.

See more

CodeQL 2.15.4 is rolling out to users of GitHub code scanning on github.com this week, and all new functionality will also be included in GHES 3.12. Users of GHES 3.11 or older can upgrade their CodeQL version.

Important changes in this release include:

  • Performance improvements on large runners (instances with 8 to 16 vCPUs) lead to a reduction in end-to-end analysis time between 5% and 15%, due to more effective parallelization. Where possible, upgrading to larger instances is recommended for projects that currently use 4 or fewer vCPUs and take more than 10 minutes to analyze.
  • Analysis times for C and C++ code bases of any size are reduced on average by 6%.
  • TypeScript 5.3, Java 21 and Python 3.12 are now supported.
  • We have resolved a problem causing scan timeouts on macOS (the default for Swift analysis). This problem affected up to 10% of scans for some projects. Although timeouts may still occur, they are now expected in less than 0.5% of scans. We are actively addressing the remaining issues.

For a full list of changes, please refer to the complete changelog for version 2.15.4.

See more