Changelog


Currently, you are able to query back up to 90 days worth of events from data tables you have access to when reviewing or utilizing specific events features: Events API (including push events), Atom feed, /timeline, or /dashboard-feed. On January 30th, 2025, we will be modifying the window of data retention for these features from 90 days to 30 days.

Why are we making changes?

We are making this change to help GitHub continue to scale for all our users, while continuing to provide existing customers of these features with the ability to still query and view recent important event information.

Which APIs will be impacted in this change?

The relevant APIs that will be affected are:
– /events : List public events
– /networks/{owner}/{repo}/events : List public events for a network of repositories
– /orgs/{org}/events : List public organization events
– /repos/{owner}/{repo}/events : List repository events
– /users/{username}/events : List events for the authenticated user
– /users/{username}/events/orgs/{org} : List organization events for the authenticated user
– /users/{username}/events/public : List public events for a user
– /users/{username}/received_events : List events received by the authenticated user
– /users/{username}/received_events/public : List public events received by a user
– /feeds : Get feeds

When can you expect the changes to occur?

On January 30th, 2025, we will be reducing the window that can be queried across those specified events features from 90 days to 30 days. In advance of that, we will test this change for 24 hours on December 3rd, 2024.

Additional support

As part of this change, we are adding an additional event (DiscussionEvent) as a new EventType for the Events API. This will allow you to query for an event related to Discussions that was not previously available.

We recommend leveraging a workflow that uses weekly or daily exports if you require further historical access.
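The export workflow recommended above, sketched as an added example (not GitHub's code): each scheduled run merges the events it fetched into a local archive, de-duplicates by event `id`, and reports whether the run overlapped the previous one or whether the archive has already fallen outside the 30-day window. The function names and the sample events are constructed for illustration; the API fetch itself is left out so the block runs offline.

```python
import json
from datetime import datetime, timedelta, timezone

# Queryable window after the change described above (30 days, down from 90).
RETENTION = timedelta(days=30)


def parse_ts(value):
    """Parse an Events API `created_at` value (ISO 8601, UTC, trailing Z)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def merge_export(archive, batch, now):
    """Merge one export run into `archive` (dict: event id -> event).

    Returns a report with:
      added         - number of events not seen before
      contiguous    - True if the batch overlaps the archive (or the archive
                      was empty), so nothing was skipped between runs
      beyond_window - True if the newest archived event is older than the
                      retention window, so anything missed is unrecoverable
    """
    newest_archived = max(
        (parse_ts(e["created_at"]) for e in archive.values()), default=None
    )
    overlap = any(e["id"] in archive for e in batch)
    added = 0
    for event in batch:
        if event["id"] not in archive:
            archive[event["id"]] = event
            added += 1
    return {
        "added": added,
        "contiguous": newest_archived is None or overlap,
        "beyond_window": newest_archived is not None
        and newest_archived < now - RETENTION,
    }


def to_jsonl(archive):
    """Serialize oldest-first, one event per line, for append-only storage."""
    ordered = sorted(archive.values(), key=lambda e: (e["created_at"], e["id"]))
    return "\n".join(json.dumps(e, sort_keys=True) for e in ordered)


def demo():
    # Constructed sample events (not real data); only the fields used here.
    archive = {}
    run1 = [
        {"id": "1002", "type": "PushEvent", "created_at": "2025-02-02T09:00:00Z"},
        {"id": "1001", "type": "DiscussionEvent", "created_at": "2025-02-01T09:00:00Z"},
    ]
    run2 = [  # overlaps run1 on id 1002
        {"id": "1003", "type": "PushEvent", "created_at": "2025-02-05T09:00:00Z"},
        {"id": "1002", "type": "PushEvent", "created_at": "2025-02-02T09:00:00Z"},
    ]
    run3 = [  # exports skipped for weeks: no overlap, archive older than window
        {"id": "1010", "type": "PushEvent", "created_at": "2025-03-20T09:00:00Z"},
    ]
    reports = [
        merge_export(archive, run1, parse_ts("2025-02-02T12:00:00Z")),
        merge_export(archive, run2, parse_ts("2025-02-06T12:00:00Z")),
        merge_export(archive, run3, parse_ts("2025-03-21T12:00:00Z")),
    ]
    return archive, reports


if __name__ == "__main__":
    archive, reports = demo()
    for report in reports:
        print(report)
    print(to_jsonl(archive))
```

A run that reports `contiguous: False` together with `beyond_window: True` marks a gap in the archive that can no longer be backfilled from the API.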

Where can I learn more?

If you have concerns, comments, or feedback, please join us in this Discussion in the GitHub Community.


GitHub Apps are now subject to a limit of 25 private keys per application and can create scoped tokens with access to more repositories. These changes support safer key management and access practices in your applications.

25 key limit for GitHub Apps

There is now a limit (25) on the number of private keys a GitHub App can have registered at one time. 99.99%+ of apps are below this limit – the ones above this limit will be unable to create more keys until they have deleted all but 24 of their keys.

Use of multiple keys for zero-downtime key rotation is encouraged. However, sharing keys among multiple parties is not recommended, and an unlimited number of keys leads developers toward that practice. This new limit should help app developers look for safe alternatives earlier in the development lifecycle.

See our documentation on GitHub App key management for more details and best practices.

No limit on repositories for permissions-scoped tokens

In February 2024, GitHub placed a limit on the complexity of the scoped tokens that apps could request. Now, part of this limit no longer applies. Apps can now be installed on any number of repositories in an organization and request a scoped token for all those repositories. The limitation on tokens that request a subset of both permissions and tokens remains.

To learn about scoped tokens, and how they can improve the least-privilege access of your App’s tokens, see our GitHub App authentication documentation.


Enterprises can now broadly roll out two-factor authentication (2FA) to all members of their organization through an enhanced 2FA enrollment experience in GitHub. With this update, non-compliant users will no longer be removed from organizations when an organization begins enforcing 2FA.

2FA will be enforced via conditional access policies, which means members who have not yet enabled 2FA will continue to have their organization membership, but be blocked from visiting any organization resources until they enable 2FA.

This lets organizations roll out 2FA enrollment more broadly without disrupting the membership status of members who have yet to enable 2FA. It also lets members without elevated privileges enable or disable 2FA on their accounts without losing organization membership.

Learn more about how GitHub is securing developer accounts using 2FA, and why we’re urging more organizations to join us in these efforts.


Screenshot showing the empty state of the new Copilot immersive experience with a number of suggestions on how to get started and a message in the input that reads - Who contribute to those files - with a repository and two files selected for context.

We’ve enhanced the fullscreen Copilot chat experience on github.com/copilot with a streamlined UI and an even easier way to handle context:

  • Effortlessly see and navigate previous conversations with a new collapsible sidebar
  • Dynamically set and remove repository context to suit your workflow
  • Manage all your resources seamlessly in a unified attachment menu

These updates are available in preview for Copilot Business and Copilot Individual users. Check out the updates, and let us know what you think using the in-product feedback option.


As of November 6, 2024, Dependabot no longer supports Composer version 1, which has reached its end-of-life. If you continue to use Composer version 1, Dependabot will be unable to create pull requests to update your dependencies. If this affects you, we recommend updating to a supported release of Composer. As of October 2024, the newest supported version of Composer is 2.8, and the long-term supported version is 2.2.

View Composer’s official documentation for more information about supported releases.


If you are using GitHub Enterprise Cloud with EMU and using OpenID Connect (OIDC) SSO, this new feature, currently in public preview, will help enforce IdP-defined IP restrictions to protect all web interactions on GitHub.

Currently, when your enterprise uses OIDC-based SSO and if any of the enterprise members change their IP address, GitHub can validate their access to your enterprise and its resources using your IdP’s Conditional Access Policy (CAP). IdP CAP validations previously covered only non-interactive flows where users authenticate with a personal access token or SSH key.

With this launch, we are now extending these validations to include all interactive web flows. If you already had IdP CAP turned on, you will need to explicitly opt in to extended protection for web sessions from your enterprise’s “Authentication security” settings. If you enable IdP CAP support after today’s public preview launch, you will get the coverage across web flows by default.

When this feature is generally available, we plan to have both interactive and non-interactive flows protected by the IdP CAP validations for all customers by default and remove the additional opt-in step.

Learn more about GitHub’s support for your IdP’s Conditional Access Policy.


Ubuntu-latest upcoming breaking changes

We will migrate the ubuntu-latest label to ubuntu 24 starting on December 5, 2024 and ending on January 17, 2025. The ubuntu 24 image has a different set of tools and packages than ubuntu 22. We have made cuts to the list of packages so that we can maintain our SLA for free disk space. This may break your workflows if you depend on certain packages that have been removed. Please review this list to see if you are using any affected packages.

Artifacts v3 brownouts

Artifact actions v3 will be closing down by December 5, 2024. To raise awareness of the upcoming removal, we will temporarily fail jobs using v3 of actions/upload-artifact or actions/download-artifact. Builds that are scheduled to run during the brownout periods will fail. The brownouts are scheduled for the following dates and times:
– November 14, 12pm – 1pm EST
– November 21, 9am – 5pm EST

Changes to workflow validation for pull requests originating from forked repositories

Currently, you can prevent Actions workflows from automatically running on pull requests made from forked repositories. Actions evaluates whether the actor initiating the request is trusted based on the repository’s settings. Effective today, Actions will require validation of both the pull request author and the event actor to determine if a workflow should run from a pull request event originating from a forked repository. For more information on pull request approvals, see our documentation.

New webhook rate limit

As GitHub continues to invest in availability, GitHub Actions is introducing a new webhook rate limit per repository. Each repository is now limited to 1500 triggered events every 10 seconds. For more details about the new webhook rate limit, please refer to our documentation.

Updates to the network allow list for self-hosted runners and Azure private networking

With the upcoming GA of Immutable Actions, Actions will now be stored as packages in the GitHub Container Registry. Please ensure that your self-hosted runner allow lists are updated to accommodate the network traffic. Specifically, you should allow traffic to ghcr.io and *.actions.githubusercontent.com. If you require more specific domains, you can use pkg.actions.githubusercontent.com instead of *.actions.githubusercontent.com.

This update also affects runners in all versions of GitHub Enterprise Server that use the GitHub Connect feature to download actions directly from github.com. Customers are advised to update their self-hosted runner network allow lists accordingly. For further guidance on communication between self-hosted runners and GitHub, please refer to our documentation.

Additionally, our guidance for configuring Azure private networking has been updated to account for the additional domains, and new IP addresses have been added to the NSG template in our documentation.


Network requests for Copilot are routed based on a user’s Copilot subscription. Requests for Copilot Individual, Copilot Business, and Copilot Enterprise users now route through different endpoints.

This change enables Copilot Business and Copilot Enterprise customers to make sure all Copilot users on their networks are accessing Copilot through their Copilot Business or Copilot Enterprise subscription, and that all Copilot user data is handled according to the terms of their Copilot Business or Copilot Enterprise agreement. In essence, customers will be able to use their network firewall to explicitly allow access to Copilot Business or Copilot Enterprise, and/or block access to Copilot Individual.

Today we enabled enforcement of the user’s subscription on the new endpoints, ensuring only Copilot Business users can connect to Copilot Business endpoints and only Copilot Enterprise users can connect to Copilot Enterprise endpoints.

Read more about subscription-based network routing here.


Claude 3.5 Sonnet is now available in public preview

Announced at GitHub Universe 2024, Claude 3.5 Sonnet is now available to all GitHub Copilot customers. To see Claude 3.5 Sonnet in action in Visual Studio Code check out the video below.

Copilot Individual users

You can start using the new Claude 3.5 Sonnet today via the model selector in Copilot Chat in VS Code and immersive chat on GitHub.com.

Copilot Business or Enterprise users

Copilot Business and Enterprise organization administrators will need to grant access to Claude 3.5 Sonnet in Copilot via a new policy in Copilot settings. Once enabled, you will see the model selector in VS Code and chat on GitHub.com. You can confirm availability by checking individual Copilot settings and confirming the policy for Claude 3.5 Sonnet is set to enabled.

Share your feedback

We’re excited to hear from you! Please use our Community Discussions to provide feedback and share tips with others.

For additional information, check out the docs on Claude 3.5 Sonnet in Copilot.


Now you can better manage and mitigate your security vulnerabilities with a new SAST vulnerabilities summary table, available directly on the security overview dashboard. This feature highlights your top 10 CodeQL and third-party open alerts by count, grouped by vulnerability type.

The SAST vulnerabilities table on the Detection tab of the overview dashboard

When prioritizing which alerts to address first, it’s crucial to consider various factors. One significant factor is the number of instances of a vulnerability across your codebase. The more areas of code affected by a vulnerability, the higher the potential risk for exploitation.

To access the new SAST vulnerabilities table, click your profile photo in the top-right corner of GitHub.com and select the organization or enterprise you want to view. For organizations, go to the Security tab and scroll to the bottom of the Detection view on the Overview dashboard. For enterprises, click Code Security in the sidebar, then select Overview and scroll to the bottom of the Detection view.

The SAST vulnerabilities summary is now generally available on GitHub Enterprise Cloud and will be available in GitHub Enterprise Server 3.16.

Learn more about security overview insights and join the discussion within the GitHub Community


Today, Actions Performance Metrics is now in public preview for all users of GitHub Actions. Actions Performance Metrics is an observability UI that gives you insights into your workflow or job performance for your organizations or repositories. To access the feature, on your organization home page, select Insights near the top of the page, and then select ‘Actions Performance Metrics’ on the left side of the page.

Performance metrics can help you answer these commonly asked questions about your Actions workflow runs:

  • How long does it take for my workflows or jobs to complete?
  • How long are my workflows or jobs waiting to run?
  • Which of my workflows or jobs are consistently failing?
  • Where are my longest running workflows or jobs originating from?

Actions Performance metrics dashboard job view

GitHub Actions Metrics for Free, Pro, and Team plans

We are also pleased to announce that with today’s release, GitHub Actions Metrics are now available to Free, Pro, and Team plans. Previously, this feature was only available to those on the GitHub Enterprise Cloud plan.

To learn more about GitHub Actions Metrics, check out our public documentation or head to our community discussion to ask questions and provide feedback.


We’re excited to announce the GA release of the GitHub Copilot Metrics API, available to all customers of GitHub Copilot Business and GitHub Copilot Enterprise.

What is the Copilot Metrics API?

The GitHub Copilot Metrics API is designed to supply you with information about Copilot’s usage within your GitHub enterprise, organizations, and teams. The data from the API is intended to be consumed and combined with your organization’s own data to create greater visibility into how Copilot fits into the bigger picture of your software development cycle. It offers visibility into utilization of individual Copilot features and the volume of daily active users.

What’s included in the GA release?

  • New metrics for Pull Request summaries.
  • New metrics for Copilot Chat in GitHub.com.
  • Improved clarity for code completions and Copilot Chat in IDE metrics.
  • Daily summary of total engaged users.
  • Built in support for slicing data on custom models, arriving shortly after release.
  • Aggregation by GitHub enterprise, organization, and team.
  • Up to 28 days of history is available.
  • Metrics are loaded end of day UTC, and are summarized by day.
  • Terminology alignment with the User Management API.

Will my current reporting be impacted?

The GA release of the Copilot Metrics API introduces a newly revised schema. To ensure that your existing reports are not interrupted, the Beta route will remain online through the end of the calendar year.

Documentation and Resources

  • Docs: Explore detailed API documentation, including schema and metrics definitions here.
  • Questions or suggestions? Join the community conversation.

GitHub Copilot in Windows Terminal


You can now access the power of GitHub Copilot to get command suggestions and explanations without leaving the terminal with Terminal Chat in Windows Terminal Canary. This is available for all Copilot Individual, Business, and Enterprise customers.

Get started today!

GitHub Copilot is available in Windows Terminal Canary. Consult the Terminal Chat documentation to learn how to connect Copilot and get started.

If you are a Copilot Business or Enterprise user

Share your feedback

We are dedicated to continuous improvement and innovation. Your feedback remains a crucial part of our development process, and we look forward to hearing more about your experiences with GitHub Copilot in Windows Terminal. Please use the Windows Terminal repository to provide feedback or ideas on how to improve the product.

Join Our Community

Join our dedicated Community Discussions to discuss this update and share tips with others.


GitHub Copilot Chat in VS Code, Visual Studio, and GitHub.com now supports web search, enabling you to easily chat about recent events, new developments, trends, and technologies. This feature is already available for Copilot Business and Copilot Enterprise.

To get started, first enable the “Copilot Access to Bing” policy in your Copilot Settings.

Then try it out with Copilot Chat by asking a question that would benefit from web search. Here are some examples:

  • What's the latest release of node.js
  • What are some recent articles about SAT tokens securing against vulnerabilities in Node?

For more information, check out our documentation and join the discussion within the GitHub Community!



With Copilot code review in GitHub.com, you get fast, AI-powered feedback on your code, so you can start iterating while you wait for a human review.

Copilot code review on GitHub.com is launching in public preview today for Copilot Individual, Copilot Business and Copilot Enterprise subscribers. Sign up to the waitlist to request access.

You can request a review on your pull request by picking “Copilot” from the Reviewers menu. Administrators can configure automatic reviews for every pull request using repository rules.

Screenshot of requesting a review from Copilot

Copilot will review your changes and attach its comments to specific lines of your code, including one-click fixes where possible.

Screenshot of committing a suggestion from Copilot

You can jump from these suggestions into the new Copilot Workspace experience in the context of the pull request to refine and validate Copilot’s suggestions. Learn more in the changelog.

Copilot can also review your code in Visual Studio Code before you push; see the changelog for more details.

To learn more about GitHub Copilot Code review, head over to the docs. To ask questions or share feedback, head to our discussion on the GitHub Community.


As a GitHub Enterprise Cloud organization owner, you and your designated users can now use API insights to visualize REST API activity for your entire organization or specific apps and users. This new feature, currently in public preview, helps you understand the sources of your REST API activity and manage against your primary rate limits—giving you visibility into the timeframe, apps, and API endpoints involved.

Who can access it

The API insights feature is available only at the organization level. By default, only organization owners can access it. However, organization owners can grant access to non-owners by creating a custom role at the organization level, assigning the permission named View organization API insights to the custom role, and then assigning the custom role to an organization member or team. See the documentation for managing organization custom roles.

Where to find it

The API insights public preview feature is enabled for all GitHub Enterprise Cloud organizations. To access it on your organization home page, select Insights near the top of the page, and then select REST API on the left side of the page.

An image of an organization homepage where selecting Insights and then REST API will navigate to the new API insights feature.

How to use it

Use the Period and Interval drop-downs to choose the range of time displayed in the chart and how granularly to display REST API requests on the chart. These drop-downs also set the time range for the “Total REST requests,” the “Primary-rate-limited requests,” and the Actors table below the chart.

An image of the API insights feature page showing the Period drop-down expanded for selecting the time period of REST API activity to include.

The Actors table displays the GitHub Apps and users that made REST API requests in the current organization within the selected time period. Select a GitHub App to display its REST API activity and any primary-rate-limiting. Select a user to display their personal REST API activity from personal access tokens (PATs) and OAuth apps acting on their behalf.

An image of the API insights feature page showing a table of actors, including GitHub Apps and users, that created REST API activity in the selected time period.

Tell us what you think

We welcome your feedback in this community discussion.

Refer to the documentation for API insights for more details about understanding your organization’s REST API activity and investigating primary-rate-limiting.


GitHub Models has entered public preview! GitHub Models provides every GitHub developer with access to top AI models via a playground, API, and more.

GitHub Models product screenshot showing the model playground

Since the announcement of GitHub Models almost three months ago, we’ve shipped a number of enhancements and new models.

New features include:

  • Side-by-side comparisons – Compare the output of two models as they respond to the same prompt in real time.
  • Model presets – Save prompts, parameters, and messages to use later or share with a friend.
  • Multimodal support – Provide images in the playground to models that support multimodal capabilities.
  • Streamlined deployment process – Quickly move your application from development to production with an Azure production key.

New surfaces to use models include:

  • Models CLI extension – Use any model from the command line by extending the GitHub CLI with `gh extension install https://github.com/github/gh-models`.
  • Models Copilot extension – Install the GitHub Models Copilot Extension and call GitHub Models with @models in GitHub Copilot Chat.
  • Azure AI Toolkit for VS Code – Access GitHub Models in VS Code with the pre-release of Azure AI Toolkit, available on the VS Code Marketplace.

New model ships include:

To learn more about GitHub Models, check out the docs.

Join our Community

Join our dedicated Community Discussions to discuss this update, swap tips, and share feedback.


Copilot Autofix for Dependabot is now available in private preview for TypeScript repositories.

This new feature combines the power of GitHub Copilot with Dependabot, making it easier than ever to automatically fix breaking changes introduced by dependency updates. With Copilot Autofix, you can save time and minimize disruptions by receiving AI-generated fixes to resolve breaking changes caused by dependency upgrades in Dependabot-authored pull requests.

Why Copilot Autofix for Dependabot?

Dependency updates can introduce breaking changes that lead to failing CI tests and deployment delays. Identifying the exact cause of these breaks and implementing the correct fix can require significant time and effort, making it challenging to stay on the most up-to-date and secure version of a dependency.

Dependabot can now leverage the power of Copilot Autofix to analyze dependency updates that fail CI tests and suggest fixes, all within the pull request. Copilot Autofix for Dependabot not only helps keep your dependencies up to date, but also keeps your CI green. Staying up to date on dependency upgrades with breaking changes is now easier and faster than ever.

How to join the private preview

To sign up for the feature waitlist, fill out the form to express your interest. We’ll notify selected participants as we roll out the feature over the coming weeks.

This feature is available in private preview to GitHub Advanced Security customers on cloud deployments. Starting today, we support TypeScript repos with tests set up in GitHub Actions. As we continue to develop this feature, we will expand coverage for additional languages and testing requirements.

Learn more

Please keep an eye on future changelogs for more updates as the feature moves to public preview and general availability.

To learn more, please join the waitlist or check out the latest GitHub feature previews.

To hear what others are saying and offer your own take, join the discussion in the GitHub Community.


Security campaigns with Copilot Autofix are now in public preview. Available as part of GitHub Advanced Security, security campaigns rapidly reduce your backlog of application security debt. By using Copilot Autofix to generate contextual explanations and code suggestions for up to 1,000 historical code scanning alerts at a time, security campaigns help developers and security teams collaborate to fix vulnerabilities with speed and confidence.

Code scanning detection engines such as GitHub’s CodeQL are incredibly effective at automatically notifying developers about potential security vulnerabilities in their code in the form of code scanning alerts. Most developers fix these vulnerabilities with the help of Copilot Autofix when they’re flagged in pull requests. However, in situations where these alerts aren’t remediated in a timely manner, security debt can build up and pose a serious risk to deployed applications. Using security campaigns, security teams and developers can easily collaborate to remediate and eradicate security debt at scale, with the help of Copilot Autofix.

A security campaign on GitHub can contain a large number of code scanning alerts, prioritized by your security team to be fixed within a chosen timeframe. When a campaign is created, Copilot Autofix automatically suggests fixes for all supported alerts, and developers who are most familiar with the code are notified. From there, they can review the fixes, open pull requests, and remediate the security debt.

Security teams can monitor the progress of the campaign and track the number of alerts that have been fixed. Using security campaigns, security and developer teams work together with Copilot Autofix to remove security debt in targeted efforts aimed at maximizing impact by focusing on the alerts that matter.

Organization-level view of a security campaign to remediate SQL injection alerts

Security campaigns are available for users of GitHub Advanced Security on GitHub Enterprise Cloud. For more information about security campaigns, see About security campaigns in the GitHub documentation.

If you have any feedback on security campaigns: join the discussion in the GitHub Community.


GitHub Copilot code completion in Xcode

We are excited to announce that GitHub Copilot for Xcode is now available in public preview. This is a major milestone in our ongoing mission to make Copilot an essential tool for developers across a wide variety of platforms. Now, Apple developers can enjoy the same intelligent coding assistance, seamlessly integrated into their favorite IDE. With this public beta, Xcode users can boost productivity, speed up development, and enhance their overall coding experience using Copilot. We’re excited to bring the power of Copilot to even more developers, empowering them to innovate and build faster.

Key features of GitHub Copilot for Xcode:

  • Code completions: Copilot is now seamlessly embedded within Xcode, providing real-time code suggestions as you type.
  • Multi-language support: GitHub Copilot for Xcode supports multiple programming languages commonly used in the Apple ecosystem, including Swift and Objective-C. This broad language support ensures that all developers, regardless of their preferred language, can benefit from Copilot’s intelligent assistance.
  • Multiline suggestions: By default, you’ll see a single-line suggestion, but if multiple-line suggestions are available, you can access them by holding the Option key and pressing Option + Tab to accept the full suggestion.
  • Content filtering: Copilot includes advanced filters to screen out harmful or inappropriate content from its suggestions. This ensures that all code recommendations adhere to professional standards and contribute to a safe, respectful coding environment.
  • Block suggestions matching public code: You have the option to activate our duplicate detection filter that blocks suggestions matching public code on GitHub.

Video of code completion in Xcode

How to get started

You need to have a Copilot license to get access to Copilot for Xcode. All Copilot individual, business, and enterprise users have access to the public beta. To install the extension, simply follow the steps outlined in our getting started guide.

Feedback

To provide feedback or report issues, please open an issue on GitHub at https://github.com/github/CopilotForXcode/issues. If you’re experiencing a similar problem, please check existing issues and add a comment to share your experience or ask questions.

Join the Community

Connect with other developers, share tips, and discuss other updates to Copilot in our dedicated Copilot Community Discussions.
