Today we are deprecating the theme picker we introduced in 2012 for GitHub Pages.
While this experience allowed users to preview a theme in the user interface, we are doing this to increase the security of github.com.
You can of course continue to use any Jekyll theme you want with Pages, and publish beautiful sites with a small configuration change.
Reusable workflows can now be called from a matrix and other reusable workflows.
You can now nest up to 4 levels of reusable workflows giving you greater flexibility and better code reuse. Calling a reusable workflow from a matrix allows you to create richer parameterized builds and deployments.
Learn more about nesting reusable workflows.
Learn more about using reusable workflows with the matrix strategy..
For questions and feedback, visit the GitHub Actions community.
Dependabot alerts users can now add an optional comment when dismissing an alert. These comments (maximum 280 characters) are viewable in the alert timeline and via the new dismissComment field in the GraphQL API.
Learn more about Dependabot alerts and the GraphQL API.
This feature is available to repositories enrolled in the Pull Request Merge Queue beta.
A new webhook event and GitHub Actions workflow trigger (merge_group) makes it easier to run required status checks on merge groups created by merge queue. A merge group includes the changes from one or more pull requests and must pass the status checks required by the target branch.
A merge_group webhook event, which currently has one supported action (checks_requested), is sent after a merge group is created and informs receivers, including GitHub Actions, when status checks are needed on the merge group. The event payload includes head_sha, the commit SHA that should be validated and have status reported on using check runs or commit statuses. For GitHub Actions, status is reported automatically at the conclusion of jobs in the triggered workflow.
To trigger a GitHub Actions workflow for a merge group, the merge_group trigger should be used. The following example triggers on individual pull requests and merge groups targeting the main branch:
# Trigger this workflow on individual pull requests and merge groups that target the `main` branch
on:
pull_request:
branches: [ main ]
merge_group:
branches: [ main ]A push event is still sent when a merge group branch is created, and will trigger a GitHub Actions workflow. However, unlike a merge_group event, a push event does not include the target branch of the merge group.
Learn more about using merge queue.
Learn more about the new GitHub Actions merge_group workflow trigger and the merge_group webhook event.
We’ve made a series of improvements to the GitHub Connect license sync feature in addition to the "Sync now" button we recently added in GHES:
saml_name_id and the GitHub Enterprise Cloud email address (for verified domains only) for each user;consumed-licenses: returns the same Consumed License data found in the CSV downloadlicense-sync-status: returns information related to the license sync job statusGitHub secret scanning protects users by searching repositories for known types of secrets. By identifying and flagging these secrets, our scans help prevent data leaks and fraud.
We have partnered with Prefect to scan for their access tokens and help secure our mutual users on public and private repositories. The Prefect service account API keys are not associated with a user and are restricted to a specific tenant, but they are recommended for application and automation use. GitHub will forward access tokens found in public repositories to Prefect, who will immediately email the owner of the leaked key. More information about Prefect API Tokens can be found here.
GitHub Advanced Security customers can also scan for Prefect tokens and block them from entering their private and public repositories with push protection.
You can now create a custom role to bypass branch protections without having to grant the Admin role. Previously, to bypass branch protections you had to be an Admin which provides additional permissions that may not be needed. For tighter control of Admin permissions, you can now craft a custom role that has the Bypass branch protections permission, allowing just the right amount of access.
To enforce branch protections for all Admins and roles with the "Bypass branch protections" permission, enable Do not allow bypassing the above settings in your branch protection rules.
This permission differs from the Push commits to protected branches permission, which allows pushing to a protected branch, but branch protection rules will still apply and could result in a push being denied.
For more information, visit Managing custom repository roles for an organization in the GitHub documentation.
We appreciate feedback on this and other topics in GitHub's public feedback discussions.
Users with 2FA enabled may see false-alert flags in their security log for recovery_code_regenerated events between July 15 and August 11, 2022.
These events were improperly emitted during an upgrade to the 2FA platform. The storage format of the per-user value GitHub uses to generate your recovery codes was updated, causing the watch job to trigger the erroneous recovery_code_regenerated event.
No action is required from impacted users with regards to these events. GitHub has a policy to not delete security log events, even ones generated in error. For this reason, we are adding flags to signal that these events are false-alerts. No recovery codes were regenerated, and your existing saved recovery codes are still valid.
Today’s Changelog brings improved date filtering and the command palette (beta) to Projects!
We’ve improved filters so you can use relative offsets for dates and iterations. Try it out by adding date:@today+7 or iteration:@current+2 to the filter bar.
The command palette is now available in Projects as a beta release and includes project-specific commands.
With this update, the command palette enables users to navigate Repos and Projects and search for Issues and PRs across GitHub directly from Projects.
Quickly access commands related to the project you’re viewing:
Or search and navigate throughout GitHub directly from a project:
Other changes include:
cmd+s/ctrl+s) to save a project viewSee how to use GitHub for project planning with GitHub Issues, check out what’s on the roadmap, and learn more in the docs.
GitHub Packages is being re-platformed, unlocking great capabilities such as fine-grained permissions, org-level publishing and increased performance.
Package registries on the new GitHub Packages architecture, including container registry and npm packages, no longer expose data through the GraphQL API. We recommend using the REST API instead.
In the coming months we will be migrating our other GitHub Package registries to this new architecture deprecating the GraphQL API for those registries as well.
If you have any questions, please contact GitHub Support.
The GitHub Support Portal at support.github.com is now available in 7 new languages – Brazilian Portuguese, Korean, Chinese Simplified, French, German, Spanish, and Japanese. Users with their browser language set to these languages can now view the Support Portal contents in the language of their choice.
GitHub secret scanning protects users by searching repositories for known types of secrets. By identifying and flagging these secrets, our scans help prevent data leaks and fraud.
We have partnered with ReadMe to scan for their API keys and help secure our mutual users on public and private repositories. ReadMe’s API keys allow users to sync OpenAPI and Markdown files to their developer hubs using the rdme GitHub Action, as well as perform other programmatic updates using the ReadMe API. We’ll forward exposed API keys found in public repositories to ReadMe, who will immediately revoke the token and notify the project administrators via email. More information about ReadMe’s API keys can be found here.
GitHub Advanced Security customers can also scan for ReadMe tokens and block them from entering their private and public repositories with push protection.
GitHub Enterprise Server 3.6 is now generally available. With a host of improvements for developers, security and administration teams, this update makes developing secure software easier for everyone.
It brings more than 60 new features, including:
To learn more about GitHub Enterprise Server 3.6, read the release notes, and download it now.
You can now place a support request for an export of your npm data.
Once a request is placed, our support team will review it and initiate an export. You will get an email with a link to download the archive which is valid for 7 days. You must login to your account to download the archive.
Read more in our documentation
GitHub secret scanning protects users by searching repositories for known types of secrets. By identifying and flagging these secrets, our scans help prevent data leaks and fraud.
We have partnered with UNIwise to scan for their access tokens and help secure our mutual users on public and private repositories. The WISEflow API Key allows for institutions to manage key aspects of their license, such as exams and their life cycle. GitHub forwards access tokens found in public repositories to UNIwise, who will immediately disable the API Key and contact the customer. More information about WISEflow API Keys can be found here
GitHub Advanced Security customers can also scan for UNIwise tokens and block them from entering their private and public repositories with push protection.
GitHub Enterprise Cloud customers can elect to participate in a public beta to configure audit log streaming to AWS S3 with OpenID Connect (OIDC). Audit log streaming configured with OIDC eliminates storage of long-lived cloud secrets on GitHub by using short-lived tokens exchanged via REST/JSON message flows for authentication.
For additional information, please follow the instructions for setting up audit log streaming to AWS S3 with OpenID Connect.
Dependabot alerts listed at the organization level are now easier to prioritize with the new "Most Important" sort, which released recently for the repository list view of Dependabot alerts.
Learn more about Dependabot alerts and the Security overview.
You can now specify whether to display images for light or dark themes in Markdown, using the HTML <picture> element in combination with the prefers-color-scheme media feature.
For example:
<picture>
<source media="(prefers-color-scheme: dark)" srcset="https://user-images.githubusercontent.com/25423296/163456776-7f95b81a-f1ed-45f7-b7ab-8fa810d529fa.png">
<img alt="Shows an illustrated sun in light color mode and a moon with stars in dark color mode." src="https://user-images.githubusercontent.com/25423296/163456779-a8556205-d0a5-45e2-ac17-42d089e3c3f8.png">
</picture>GitHub Advanced Security customers can now dry run their secret scanning custom patterns on all repositories within an organization. Previously, admins could only dry run on a maximum of 10 selected repositories.
Learn more about secret scanning
Learn more about defining custom patterns