The Wayback Machine - https://web.archive.org/web/20250402095728/https://github.blog/changelog/

Changelog


Secret Protection and Code Security here for GitHub Enterprise

At GitHub, we believe that investing in the security of your codebases should be straightforward, affordable, and scalable. Today, we’re rolling out standalone GitHub Advanced Security products for GitHub Enterprise customers. This aligns with our ongoing mission to help organizations of all sizes secure their code with the flexibility they seek.

Getting started as an existing GitHub Advanced Security customer

Existing GitHub Advanced Security customers with subscription-based plans can choose to transition at renewal. Customers with pay-as-you-go, metered-based plans can transition at any time. Please reach out to your GitHub or Microsoft sales account team for details.

Customers on subscription billing can migrate to either a standalone subscription or a standalone metered plan. For pricing details, please contact your account representatives.

How do I right-size enablement for my enterprise?

Customers transitioning before May 2025 can work with their account teams on right-sizing enablement for their enterprise across both Secret Protection and Code Security. All repositories will have both Secret Protection and Code Security enabled at the time of transition, regardless of your contractual plan.

Customers on contractual plans limited to secret scanning features will be able to optionally choose to transition with only Secret Protection enabled (and Code Security disabled) for their enterprise starting in May 2025.

When will the standalone plans be available for Enterprise Server?

Standalone SKUs will be available for Enterprise Server customers starting with GHES 3.17. To use metered billing, GitHub Connect is required.

Getting started as an existing GitHub Advanced Security self-serve customer

For existing self-serve customers, instructions on how to transition to the new GitHub Advanced Security plans will be announced over the next 30 days. You’ll receive an email notification when the new plans are available to your enterprise. Transitioning to the standalone plans will be self-serve and optional.

Getting started for new customers

Starting today, GitHub Enterprise customers without an existing GitHub Advanced Security plan can self-serve purchase both Secret Protection and Code Security. To get started, admins can navigate to Advanced Security under their enterprise, organization, or repository settings. From this page, you can choose to enable and purchase Secret Protection or Code Security features.

Learn more about enabling GitHub Advanced Security for your enterprise.

Trialing GitHub Advanced Security

You can try the new standalone SKUs before committing. Contact your account team for more details. Alternatively, you can get started with a GitHub Enterprise trial.

Talk to someone from GitHub

In addition, Enterprise customers are welcome to reach out to their existing account team or request a demo from someone at GitHub.

Learn more and share feedback

Learn more about Secret Protection and Code Security, or share feedback by joining the discussion in GitHub Community.

See more

Secret risk assessment

GitHub is committed to empowering the developer community by helping organizations recognize and address the risks of secret leaks. That’s why we’re launching a new free tool which will help provide clear insights into your organization’s exposure, along with actionable steps to strengthen your security and protect your code.

Starting today, you can scan your organization for aggregate insights on public leaks, private exposures, and token types.

Find secrets in your organization

What will this dashboard include?

Available in the Security tab, organization and security admins will be able to run a scan to understand how their organization is affected by secret leaks and exposures. Once a scan is initiated, GitHub will look for secret leaks and exposures across your organization, returning a collection of insights including:

  • The number of secrets leaked per type.
  • The number of publicly visible secrets in your public repositories.
  • The number of repositories affected for each secret type.

No specific secrets will be stored or shared.

Once enabled, GitHub will run a point-in-time scan across all public, private, internal, and archived repositories in your organization. Results are static and will not be automatically updated. You’ll also be able to download results as a CSV file.

For organizations ready to adopt a continuous monitoring tool, we recommend enabling secret scanning for detection and incident management of specific secrets. Learn more about GitHub Secret Protection.

Why are we doing this?

GitHub is committed to making a meaningful impact on the developer community by helping organizations recognize their secret leak footprint across their GitHub perimeter. Our goal is to provide clear insights into organizations’ potential secret exposure and a clear path to stronger security.

Who can use this feature?

This feature will be available for free to organizations with a GitHub Team or Enterprise plan. Organization admins and security managers will be able to run the report and review any results. This feature will be available for Enterprise Server starting with GHES 3.18.

Share feedback while the feature is in public preview

This feature is available in public preview and is subject to improvement. Have feedback? Let us know what you think by joining our discussion in GitHub Community — we’re listening.

See more

Here for GitHub Team plans

At GitHub, we believe that investing in the security of your codebase should be accessible for organizations of all sizes.

Starting today, GitHub Team plan customers can purchase GitHub Secret Protection and GitHub Code Security without upgrading your organization to GitHub Enterprise. This makes it easier to secure your codebase with GitHub Advanced Security products.

GitHub Secret Protection

GitHub Team organizations can purchase GitHub Secret Protection, which detects and prevents secret leaks (e.g. secret scanning, AI-detected passwords, and push protection for secrets).

Secret Protection will be available for $19 per month per active committer, with features including:

  • Push protection, to prevent secret leaks before they happen.
  • AI detection with a low rate of false positives, so you can focus on what matters.
  • Secret scanning alerts with notifications, to help you catch exposures before they become a problem.
  • Custom patterns for secrets, so you can search for sensitive, organization-specific information.
  • Security overview, which provides insight into distribution of risk across your organization.
  • Push protection and alert dismissal enforcement for secrets, which supports governance at enterprise scale.

In addition, we’re launching a new scanning feature to help organizations understand their secret leak footprint across their GitHub perimeter. This feature is free for GitHub Team organizations.

GitHub Code Security

GitHub Team organizations will also be able to purchase Code Security, which detects and fixes vulnerabilities in your code before it reaches production.

Code Security will be available for $30 per month per active committer, with features including:

  • Copilot Autofix for vulnerabilities in existing code and pull requests to provide developer-first security management.
  • Security campaigns to address security debt at scale.
  • Dependabot features for protection against dependency-based vulnerabilities.
  • Security overview, which provides insight into the distribution of risk across your organization.
  • Security findings for third-party tools.

Get Started

To get started, admins can navigate to Advanced Security under their organization or repository settings. From this page, you can choose to enable and purchase Secret Protection or Code Security features.

For example, from your organization settings, you can navigate to Security / Advanced Security / Configurations in order to create a new configuration with Secret Protection features enabled. Learn more about enabling GitHub Advanced Security.

In addition, admins can enable Secret Protection features in one click from their organization’s Security tab. Once the secret risk assessment has been run for your organization, you’ll be able to enable Secret Protection in one click from the system banner.

Purchase Secret Protection from your organization's risk assessment

Learn more about Secret Protection and Code Security, or share feedback by joining the discussion in GitHub Community.

See more

We’re rolling out two exciting new features in the latest GitHub Desktop Beta to make your workflow even smoother:

  • Multi-domain support: Do you work across multiple GitHub instances? You can now sign into more than one domain so you can focus more on your code and less on sign-in flows.
  • Filterable changes: Do you find yourself endlessly scrolling through a long list of changed files? Now, you can filter by filename to review your changes faster. This makes it easier to locate and select exactly what you need for your next commit!

Download GitHub Desktop v3.4.19-beta1 today to try out the new features.

See more

Enterprise Cloud Importer (ECI) and the GraphQL endpoints for importing migration data to GitHub Enterprise Cloud (GHEC) from an archive will be closing down today, March 31, 2025. These tools can no longer be used to import repository data into GitHub’s cloud-based products.

Moving forward, we recommend using GitHub Enterprise Importer (GEI) to migrate repositories to GitHub’s cloud-based products. If you are interested in migrating GitLab repositories to GitHub using GEI, please contact our Expert Services team.

For questions and feedback, please join the Community Discussion.

See more

The cvss field for GitHub security advisories in the REST and GraphQL APIs will be deprecated in favor of the new cvss_severities field. cvss will be removed from the REST API on April 1, 2025, and removed from the GraphQL API on October 1, 2025.

Join the discussion within GitHub Community.

See more

Starting on April 28th, 2025, GitHub will implement a new limit of 100,000 on the total number of repositories per owner, for both user accounts and organizations.

We’re committed to keeping our platform safe and secure while delivering the experiences you expect. By capping repository ownership, we’re preventing slowdowns for administrators and protecting the health of our infrastructure, so that all users have a smooth and secure environment. You can find out more about the degraded performance that large accounts can face when exceeding 100,000 repositories in our documentation about repository limits.

Notification process

When an account surpasses 50,000 repositories, a banner noting the approaching limit will appear. Additionally, administrators will receive email notifications, and the audit log will update for every additional 5,000 repositories created.

Temporary exemptions

For accounts at or nearing the 100,000-repository limit, GitHub will provide information on temporary exemptions and offer guidance on reducing repository counts. If you require more than 100,000 repositories, you can distribute ownership across multiple organizations, maintaining seamless operations.

Additional resources

The stale repos action that was launched in 2023 is designed to help organizations identify and report on repositories with no activity.

For further details and guidance on navigating these changes, please visit our documentation.

Or you could join the discussion in GitHub Community.

See more

Header introducing GPT-4o Copilot model

What’s changing

The GPT-4o Copilot model released in preview last month and updated this month now provides code completions for all Copilot users. This model delivers higher quality suggestions and improved latency.

Getting ready

No additional action is required if you’re on the latest version of the GitHub Copilot extension for VS Code, Visual Studio, or JetBrains. If you’re on an older version of the GitHub Copilot extension, the model will roll out to you in the coming days. Updating your extension will ensure quicker access.

Retirement of GPT-3.5 Turbo based model

Over the coming days, your code completion experience will switch to GPT-4o Copilot. The GPT-3.5 Turbo based copilot-codex model, which was the previous model, will no longer be available.

Your feedback

Thank you to the tens of thousands of developers who used this new model in preview. Please continue to share your feedback directly and in the GitHub Community!

See more

Following the release of transitive labeling for npm packages, the same capabilities are now available for Maven packages:

  • Dependabot alerts now contain a direct label if they are associated with a package you’ve directly included. In addition, there’s now a relationship:direct filter in the search bar to only show those alerts caused by your direct dependencies.
  • The direct dependency that led to a package’s inclusion in your dependency graph is visible both in the text of any new Dependabot alerts and the dependency insights page (click the button, then Show options to view it).
  • A repository’s SBOM will contain a relationships section that uses the SPDX relationshipType: DEPENDS_ON field to express the tree of package dependencies. Similarly, the GraphQL API will now return a relationship field with direct, transitive, or unknown values in the DependencyGraphDependency object.
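
The `DEPENDS_ON` relationships described above are enough to reproduce the direct/transitive labels offline and to answer "which direct dependency pulled this package in?". The following is an added example, not GitHub's code: it assumes an SPDX 2.x JSON document (optionally wrapped in a top-level `sbom` key), the package names are constructed, and the function names are hypothetical.

```python
from collections import deque

# Constructed SBOM fragment using SPDX 2.x JSON keys. Package names are made up.
SAMPLE_SBOM = {
    "SPDXID": "SPDXRef-DOCUMENT",
    "packages": [
        {"SPDXID": "SPDXRef-app", "name": "com.example:app"},
        {"SPDXID": "SPDXRef-web", "name": "com.example:web-framework"},
        {"SPDXID": "SPDXRef-json", "name": "com.example:json-parser"},
        {"SPDXID": "SPDXRef-log", "name": "com.example:logging"},
        {"SPDXID": "SPDXRef-orphan", "name": "com.example:orphan-lib"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-app",
         "relationshipType": "DESCRIBES"},
        {"spdxElementId": "SPDXRef-app", "relatedSpdxElement": "SPDXRef-web",
         "relationshipType": "DEPENDS_ON"},
        {"spdxElementId": "SPDXRef-app", "relatedSpdxElement": "SPDXRef-log",
         "relationshipType": "DEPENDS_ON"},
        {"spdxElementId": "SPDXRef-web", "relatedSpdxElement": "SPDXRef-json",
         "relationshipType": "DEPENDS_ON"},
        {"spdxElementId": "SPDXRef-web", "relatedSpdxElement": "SPDXRef-log",
         "relationshipType": "DEPENDS_ON"},
        # A cycle, to show that the traversal terminates on malformed graphs.
        {"spdxElementId": "SPDXRef-json", "relatedSpdxElement": "SPDXRef-web",
         "relationshipType": "DEPENDS_ON"},
    ],
}


def _index(doc):
    """Return (id -> name, DEPENDS_ON edges, ids of the direct dependencies)."""
    sbom = doc.get("sbom", doc)  # assumption: an API response may wrap the document
    names = {p["SPDXID"]: p["name"] for p in sbom.get("packages", [])}
    edges, roots = {}, set()
    for rel in sbom.get("relationships", []):
        src, dst = rel["spdxElementId"], rel["relatedSpdxElement"]
        if rel["relationshipType"] == "DEPENDS_ON":
            edges.setdefault(src, set()).add(dst)
        elif rel["relationshipType"] == "DESCRIBES" and src == sbom.get("SPDXID"):
            roots.add(dst)  # the package the document describes, i.e. the repository
    direct = set()
    for root in roots:
        direct |= edges.get(root, set())
    return names, edges, roots, direct


def _reachable(start, edges):
    """Breadth-first walk over DEPENDS_ON edges; the seen set makes cycles safe."""
    seen, queue = set(), deque([start])
    while queue:
        for nxt in edges.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def classify(doc):
    """Label every non-root package 'direct', 'transitive' or 'unknown'."""
    names, edges, roots, direct = _index(doc)
    reachable = set()
    for dep in direct:
        reachable |= _reachable(dep, edges)
    labels = {}
    for spdx_id, name in names.items():
        if spdx_id in roots:
            continue
        if spdx_id in direct:
            labels[name] = "direct"
        elif spdx_id in reachable:
            labels[name] = "transitive"
        else:
            labels[name] = "unknown"  # declared, but no dependency path leads to it
    return labels


def introduced_by(doc, package_name):
    """Names of the direct dependencies through which package_name is included."""
    names, edges, _roots, direct = _index(doc)
    targets = {i for i, n in names.items() if n == package_name}
    found = set()
    for dep in direct:
        if dep in targets or targets & _reachable(dep, edges):
            found.add(names.get(dep, dep))
    return sorted(found)


if __name__ == "__main__":
    print(classify(SAMPLE_SBOM))
    print(introduced_by(SAMPLE_SBOM, "com.example:json-parser"))
```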

Ability to refresh Dependabot alerts from the list view

In addition to the Maven-specific additions, the Alert Settings menu on Dependabot alert tables now provides a Refresh Dependabot alerts option which will rescan your repository’s manifest files, rebuild its dependency graph, and refresh its open Dependabot alerts.

New 'Refresh Dependabot alerts' option in the Alert Settings menu on the Dependabot alerts page.

Getting started

To get transitive dependency labeling on your repositories, make sure dependency graph is enabled, and either enable Automatic dependency submission on the same settings page or use a dependency submission action. As a beneficial side-effect of this change, other package ecosystems with actions that create transitive dependency trees – such as Go – will also now receive transitive and direct labels.

To see the Dependabot labels, you’ll also need to enable Dependabot alerts.

Join the discussion within GitHub Community.

See more

Enterprise custom properties and enterprise rulesets are now generally available, further improving the governance features for GitHub Enterprise customers.

Enterprise custom properties

With enterprise-level custom properties, you can now enrich your repositories with metadata across your entire enterprise. This ensures consistent properties across organizations without the need for manual synchronization. By sharing a common namespace, enterprise and organization properties prevent confusion when searching or targeting rulesets with properties. If you’re already using custom properties in your organizations, you can also promote those properties to the enterprise.

Learn more about enterprise custom properties in our documentation.

Enterprise rulesets

Enterprise-level rulesets enforce consistent code governance rules, helping ensure thorough reviews of critical repositories with pull requests, requiring actions workflows, protecting important locations from unauthorized pushes, and more. Rule insights and push rule bypasses are also available at the enterprise level, providing complete visibility into the rulesets.

Learn more about enterprise rulesets in our documentation.

We look forward to seeing how you leverage these new capabilities to streamline your workflows and maintain high standards of code governance.

Pull request merge method rule

The new pull request merge method rule is now generally available. It lets you enforce whatever merge method is suitable for your branches, such as ensuring that all changes are squashed when merging to the default branch while rebasing into feature branches. This simplifies your workflows, ensuring consistency across your branches.

The merge method rule is available for rulesets at the repository and organization level. You can use this rule to choose what merge methods are allowed on the targeted branches when merging pull requests from the user interface or APIs. You can choose between merge commit, squash, or rebase.

Learn more in our documentation and join the discussion within the GitHub Community.

See more

Sub-issues on GitHub Mobile

We’ve made it easier to break down and manage your work on the go! You can now create, add, and remove sub-issues seamlessly on GitHub Mobile, keeping everything organized and structured. Stay on top of your tasks with improved sub-issue management, ensuring smoother collaboration and better progress tracking.

See more

Enhance Your Productivity with Copilot Edits in JetBrains IDEs

Copilot Edits support is now released in JetBrains IDEs! This update allows you to quickly refactor, optimize, and iterate more efficiently across multiple files.

What’s new ✨

Use Copilot Edits to smoothly make changes in one or multiple files directly from Copilot Chat. To use Copilot Edits, click the Copilot Chat icon in the JetBrains IDE and start a new Edit session.

Benefits for developers ⚡️

  • Enhanced clarity: Obtain a clear overview of the modifications with a summary of the affected files and the proposed changes.
  • Ability to preview changes: View code diffs directly in your editor and decide whether to accept or discard these changes individually or collectively.
  • Boosted productivity: Save time and effort with the help of Copilot Edits, enabling you to focus on more complex tasks.

Get involved 🛠

We encourage you to try out the latest version of the GitHub Copilot plugin and share your feedback. Your input is invaluable in helping us refine and improve the product.

Join the discussion 🚀

Connect with us and other developers in the GitHub Community to share your experiences, ask questions, and provide feedback.

See more

Decommissioned cache service brownouts

GitHub has migrated customers to a new cache service and will now be shutting down the old service. This process will include brownouts of the old service before turning it off completely on April 15th, 2025. If your Actions workflows are still hitting the old cache service, your workflows may fail during these brownouts.

The brownout dates and times are as follows:

  • April 1, 2025, 3 p.m. – 7 p.m. UTC
  • April 8, 2025, 2 p.m. – 10 p.m. UTC

You may still be using the old service if you’re interacting with the cache in one of the following ways:

  1. Using a third party action (i.e. not actions/cache) or product that uses an actions cache service to perform caching. In this case, you may need to upgrade to the latest version. Examples: mozilla/sccache, Mozilla-Actions/sccache-action, Docker with GitHub Actions as a caching backend
  2. Using a runner version older than 2.320.1
  3. Manually changing (editing or removing) any of the environment variables below:
    • ACTIONS_CACHE_URL
    • ACTIONS_RESULTS_URL
    • ACTIONS_RUNTIME_TOKEN
    • ACTIONS_CACHE_SERVICE_V2
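
A quick way to triage the three conditions listed above across your workflow files, as an added example (not GitHub tooling). The regular expressions, function names and sample workflow are constructed for illustration; `type=gha` is the Docker Buildx cache backend that uses the Actions cache.

```python
import re

MIN_RUNNER = (2, 320, 1)  # the changelog: runners older than 2.320.1 are affected
CACHE_ENV_VARS = (
    "ACTIONS_CACHE_URL",
    "ACTIONS_RESULTS_URL",
    "ACTIONS_RUNTIME_TOKEN",
    "ACTIONS_CACHE_SERVICE_V2",
)
_NAMES = "|".join(CACHE_ENV_VARS)
# Assignment ("NAME:" in an env block, "NAME=" in a script) or removal ("unset NAME").
# The lookbehind skips plain reads such as $NAME or env.NAME.
_ENV_TOUCHED = re.compile(
    rf"(?:\bunset\s+({_NAMES})\b|(?<![$.\w])({_NAMES})\s*[:=])")
_SCCACHE_ACTION = re.compile(r"uses:\s*Mozilla-Actions/sccache-action\b", re.I)
_DOCKER_GHA = re.compile(r"\btype=gha\b")

# Constructed workflow used as sample input.
SAMPLE_WORKFLOW = """\
name: build
on: push
jobs:
  build:
    runs-on: self-hosted
    env:
      ACTIONS_CACHE_URL: https://cache.internal.example/
    steps:
      - uses: actions/cache@v4
      - uses: Mozilla-Actions/sccache-action@v0.0.3
      - run: echo "cache at $ACTIONS_CACHE_URL"
      - run: unset ACTIONS_RUNTIME_TOKEN
      - uses: docker/build-push-action@v6
        with:
          cache-from: type=gha
"""


def runner_is_outdated(version):
    """True when a runner version string is older than 2.320.1."""
    parts = tuple(int(p) for p in version.strip().lstrip("v").split(".")[:3])
    parts += (0,) * (3 - len(parts))  # "2.320" is treated as 2.320.0
    return parts < MIN_RUNNER


def scan_workflow(text):
    """Return (line number, kind, detail) for every line worth reviewing."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        code = line.split("#", 1)[0]  # naive removal of YAML comments
        match = _ENV_TOUCHED.search(code)
        if match:
            findings.append((lineno, "env-override", match.group(1) or match.group(2)))
        if _SCCACHE_ACTION.search(code):
            findings.append((lineno, "third-party-cache", "Mozilla-Actions/sccache-action"))
        if _DOCKER_GHA.search(code):
            findings.append((lineno, "third-party-cache", "docker type=gha"))
    return findings


if __name__ == "__main__":
    for finding in scan_workflow(SAMPLE_WORKFLOW):
        print(finding)
    print("runner 2.319.1 outdated:", runner_is_outdated("2.319.1"))
```

A finding means "review this line", not "this workflow will fail": a third-party action may already be on a version that talks to the new service.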

Modification to deployment permissions

GitHub is modifying how deployment permissions operate. Those with the deployments: read fine-grained permission can currently review, approve, or reject deployments.

As of April 1, 2025, GitHub will require the deployments: write permission to review, approve, or reject a deployment. Please update any impacted fine-grained PATs to provide write access where needed. Impacted customers were contacted via email in early March 2025.

Failure to update your fine-grained PATs by April 1, 2025 will result in the inability to review, approve, or reject deployments.

See more

Mistral Small 3.1 (25.03) release on GitHub Models

Mistral Small 3.1 (25.03) is now available in GitHub Models.

Mistral Small 3.1 (25.03) is a versatile AI model designed to assist with programming, mathematical reasoning, dialogue, and in-depth document comprehension. Equipped with multimodal capabilities, it processes both text and visual inputs, making it suitable for chat-based interactions and instruction-following tasks.

Try, compare, and implement this model in your code for free in the playground or through the GitHub API. Compare it to other models using side-by-side comparisons in GitHub Models.

To learn more about GitHub Models, check out the docs. You can also join our Community discussions.

See more

Issue types can now be managed using the REST API, expanding the ability to automate and incorporate them in your workflows. Check out our documentation on issue types for more details. You can also review the examples below to get started.

Managing issue types for the organization

You can create, update, delete, and list issue types for an organization.

Creating a new issue type:

curl --request POST \
  --url https://api.github.com/orgs/{org}/issue-types \
  --header 'authorization: token <YOUR-TOKEN>' \
  --header 'content-type: application/json' \
  --data '{
      "name": "Initiative",
      "description": "A large body of work that spans a quarter.",
      "color": "orange",
      "is_enabled": true
    }'

Adding an issue type to an issue

You can specify the issue type when creating a new issue, or update it on an existing issue.

Creating a new issue:

curl --request POST \
  --url https://api.github.com/repos/{org}/{repo}/issues \
  --header 'authorization: token <YOUR-TOKEN>' \
  --header 'content-type: application/json' \
  --data '{
      "title": "Error when refreshing the settings page",
      "type": "Bug"
    }'

Updating an issue:

curl --request PATCH \
  --url https://api.github.com/repos/{org}/{repo}/issues/{issue_number} \
  --header 'authorization: token <YOUR-TOKEN>' \
  --header 'content-type: application/json' \
  --data '{
      "type": "bug"
    }'

Searching for issues by issue type

You can search for issues by issue type at the repository or organization level.

Searching within a repository:

curl --request GET \
  --url 'https://api.github.com/repos/{org}/{repo}/issues?type=bug' \
  --header 'authorization: token <YOUR-TOKEN>'

Join the discussion within GitHub Community.

See how to use GitHub for project planning with GitHub Issues, check out what’s on the roadmap, and learn more in the documentation.

See more

Fine-grained Personal Access Tokens (PATs) have been used by millions of users to make tens of billions of API calls over the last two years in public preview. In that time, we’ve added requested features such as management APIs and webhooks, mandatory expiration policies, and usability improvements.

However, feedback has been clear on one item in particular – while fine-grained PATs solve a significant set of challenges in their current state, many organizations cannot fully adopt them due to the lack of support statements and the risk of breaking changes while they’re in public preview. Our goal at GitHub is to ensure that everyone can secure their workflows as best they can, which is why we’re graduating fine-grained PATs to a generally available (GA) state.

Changes with this release

This update brings two major changes to PATs at GitHub. Most notably, fine-grained PATs are now enabled by default for all organizations on GitHub, unless that organization or enterprise explicitly disabled them during the preview. The PAT approval flow is also enabled by default, so developers must request organization owner approval in order to successfully use their fine-grained PAT against their organizations.

We’re also updating the release state for both fine-grained PATs and PAT expiration policies. These features are now fully supported by GitHub and adhere to the same breaking change policies as the rest of the product. While there are some scenarios where fine-grained PATs are not yet supported, your organization should be confident in suggesting, or even requiring, the use of these more secure tokens.

Administrators, auditors, and security teams can also look for improved auditability of PATs – the token_id is now included in all API calls and supported as a built-in filter in the audit logs. With this filter, you can now easily track the use of a token throughout your enterprise or organization.

A screenshot of enterprise audit logs, filtered to a specific token_id
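
Once `token_id` is present on every event, an exported audit log can be pivoted per token to see where and how each one is used. The following is an added example, not GitHub code: it assumes a JSON-lines export whose events carry `@timestamp`, `action`, `actor` and `actor_ip` alongside `token_id` (only `token_id` is named above), and the sample events, thresholds and function names are constructed.

```python
import json
from collections import Counter

# Constructed sample export: one JSON event per line, plus one damaged line.
SAMPLE_LOG = """\
{"@timestamp": 1743400000000, "action": "git.clone", "actor": "build-bot", "actor_ip": "198.51.100.7", "token_id": 4711}
{"@timestamp": 1743400060000, "action": "repo.download_zip", "actor": "build-bot", "actor_ip": "198.51.100.7", "token_id": 4711}
{"@timestamp": 1743403600000, "action": "git.clone", "actor": "alice", "actor_ip": "203.0.113.5", "token_id": 9001}
{"@timestamp": 1743407200000, "action": "git.clone", "actor": "alice", "actor_ip": "203.0.113.77", "token_id": 9001}
{"@timestamp": 1743407300000, "action": "org.add_member", "actor": "carol", "actor_ip": "192.0.2.10"}
<truncated line
{"@timestamp": 1743410800000, "action": "protected_branch.destroy", "actor": "alice", "actor_ip": "192.0.2.44", "token_id": 9001}
"""


def summarize_tokens(lines):
    """Group events by token_id. Returns (summary, number of unparseable lines)."""
    summary, skipped = {}, 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1  # count damaged lines so gaps in coverage stay visible
            continue
        if not isinstance(event, dict) or event.get("token_id") is None:
            continue  # activity that was not performed with a token
        entry = summary.setdefault(event["token_id"], {
            "actors": set(), "ips": set(), "actions": Counter(),
            "first_seen": None, "last_seen": None,
        })
        entry["actors"].add(event.get("actor"))
        if event.get("actor_ip"):
            entry["ips"].add(event["actor_ip"])
        entry["actions"][event.get("action")] += 1
        ts = event.get("@timestamp")
        if ts is not None:
            first, last = entry["first_seen"], entry["last_seen"]
            entry["first_seen"] = ts if first is None else min(first, ts)
            entry["last_seen"] = ts if last is None else max(last, ts)
    return summary, skipped


def flag_tokens(summary, max_ips=2, watch_actions=()):
    """Return {token_id: [reasons]} for tokens that deserve a closer look."""
    flagged = {}
    for token_id, entry in summary.items():
        reasons = []
        if len(entry["ips"]) > max_ips:
            reasons.append(f"many-ips:{len(entry['ips'])}")
        for action in sorted(set(watch_actions) & set(entry["actions"])):
            reasons.append(f"sensitive-action:{action}")
        if reasons:
            flagged[token_id] = reasons
    return flagged


if __name__ == "__main__":
    tokens, damaged = summarize_tokens(SAMPLE_LOG.splitlines())
    print(flag_tokens(tokens, watch_actions={"protected_branch.destroy"}), damaged)
```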

Customers on GHES should expect these changes to arrive in version 3.17.

Feature gaps in fine-grained PATs

There are several scenarios where fine-grained PATs are not a suitable solution at this time. GitHub continues to invest in building more secure access patterns and will implement these capabilities over time. You can track our progress and goals on our public roadmap. The most notable scenarios are:

  • Calling APIs that manage the Enterprise object (e.g. SCIM APIs or creating organizations)
  • Accessing multiple organizations with a single token
  • Contributing to repositories where you’re an outside collaborator or an unaffiliated open source contributor
  • Accessing internal repositories in your enterprise, outside of a targeted organization
  • Calling the Packages and Checks APIs

We’re currently focused on implementing enterprise access for GitHub Apps and fine-grained PATs so that enterprise owners can reduce the over-permissioning of their current automation solutions. After that, we’ll continue to invest in this area with a goal of enabling organizations to eventually disable the use of PATs (Classic) for their resources.

To learn more about fine-grained PATs and how your organization can control them, see our documentation on managing your personal access tokens, and enforcing policies for PATs in your enterprise.

See more

Starting March 29, 2025, fine-grained Personal Access Tokens (PATs) and GitHub Apps accessing the GitHub Models playground will require the models:read permission. If your tokens or GitHub Apps currently do not include the models:read permission, requests to the playground will return an Unauthorized response after this date. Please update your fine-grained PATs and GitHub Apps permissions proactively to avoid disruption.

PAT models permissions

Coarse-grained tokens are unaffected and will continue working without any changes.

To learn more about GitHub Models, check out the docs. You can also join our Community discussions.

See more

Migrations will be undergoing maintenance starting at 21:00 UTC on Tuesday, March 18, 2025, with an expected duration of up to eight hours.

During this maintenance period, users will experience delays importing repositories into GitHub.

Once the maintenance period is complete, all pending imports will automatically proceed.

See more

Developers using upload-artifact and download-artifact in their Actions workflows can now ensure the integrity of their artifacts with the new SHA256 digest. This feature automatically verifies that the artifact uploaded is identical to the one downloaded, providing security for Actions runs and ensuring the artifact remains unchanged.

How it works

Whenever upload-artifact is used, it now computes and stores an output called digest. This is the SHA256 digest of the artifact uploaded during the run.

When download-artifact is used to download that same artifact, it uses the same process to compute a digest for the downloaded file and compares the two digests to validate that they match.

If a mismatch is detected, the run displays a warning in the UI and in the job logs. The workflow won’t fail if the digests don’t match, but this may change in a future release.

Note: This functionality is only available with artifacts v4 or newer. It’s also not currently available on GitHub Enterprise Server.
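
Because a digest mismatch currently only produces a warning, a pipeline that needs a hard stop has to compare digests itself and fail closed. The following is an added example, not code from GitHub or the artifact actions: it assumes the artifact files are on disk and that the digests recorded at upload time are available as a name-to-digest mapping; the function names and the optional `sha256:` prefix handling are assumptions.

```python
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

_HEX64 = re.compile(r"^[0-9a-f]{64}$")


def normalize_digest(value):
    """Return a lowercase 64-character hex digest; a 'sha256:' prefix is accepted."""
    digest = value.strip().lower()
    if digest.startswith("sha256:"):
        digest = digest[len("sha256:"):]
    if not _HEX64.match(digest):
        raise ValueError(f"not a SHA-256 digest: {value!r}")
    return digest


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large artifacts are never held in memory."""
    h = hashlib.sha256()
    with Path(path).open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_artifacts(directory, expected):
    """Compare the files in `directory` with the digests recorded at upload.

    Status per name: 'ok', 'mismatch', 'missing' (recorded but absent),
    'bad-digest' (recorded value is malformed) or 'unexpected' (never recorded).
    """
    directory = Path(directory)
    results = {}
    for name, recorded in expected.items():
        try:
            want = normalize_digest(recorded)
        except ValueError:
            results[name] = "bad-digest"
            continue
        path = directory / name
        if not path.is_file():
            results[name] = "missing"
        elif hmac.compare_digest(sha256_file(path), want):
            results[name] = "ok"
        else:
            results[name] = "mismatch"
    for path in sorted(directory.iterdir()):
        if path.is_file() and path.name not in expected:
            results[path.name] = "unexpected"
    return results


def gate(results):
    """Exit code for the job: 0 only if something was checked and all of it is 'ok'."""
    return 0 if results and all(s == "ok" for s in results.values()) else 1


def demo():
    """Constructed files and digests covering each status."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "app.zip").write_bytes(b"release build")
        (d / "docs.zip").write_bytes(b"tampered docs")
        (d / "extra.zip").write_bytes(b"not recorded")
        expected = {
            "app.zip": "sha256:" + hashlib.sha256(b"release build").hexdigest(),
            "docs.zip": hashlib.sha256(b"original docs").hexdigest().upper(),
            "sbom.zip": hashlib.sha256(b"sbom").hexdigest(),
            "logs.zip": "deadbeef",
        }
        results = verify_artifacts(d, expected)
        return results, gate(results)


if __name__ == "__main__":
    statuses, code = demo()
    print(statuses)
    raise SystemExit(code)
```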

Where can I view the digest?

The digest will appear in the logs of the workflow run under the “upload-artifact” step. It will also appear in the Artifact output that appears in the workflow run UI.

Learn more

To get started using the artifacts actions, view our documentation on storing and sharing data from a workflow.

See more

Inspired by our previous release, working with Copilot Chat on GitHub has become even more seamless. You can instantly preview HTML files, edit files you’ve created, and work on issues right away. Several exciting new capabilities give you more control and flexibility.

What’s new

  • Preview your rendered HTML files directly in the side panel
  • Edit files in the side panel to seamlessly refine and adjust them
  • Generate and preview Mermaid diagrams for fast visualizations, whether they’re flowcharts or sequence diagrams
  • Keep tabs on your issues in the same right side panel, ensuring you can tackle open tasks while discussing them
  • Track issues or pull requests in responses that are rendered in a familiar GitHub style, making working with them easier

In addition, you can enjoy a smoother streaming experience and enhanced rendering of attachments.

Try it out

See the updated experience in action by submitting any of the following example prompts:

Join us as we continue to streamline Copilot Chat, giving you instant previews, flexible editing, and more power right where you need it! Your feedback drives our improvements. Let us know how these new changes enhance your workflow by using the in-product feedback option or sharing your thoughts in the GitHub Community.

See more