Deprecate 3.13 (#56623)
@@ -16,12 +16,8 @@ In some cases, you may need to use multiple accounts on {% data variables.produc
You cannot use a {% data variables.enterprise.prodname_managed_user %} to contribute to public projects on {% data variables.location.product_location %}, so you must contribute to those resources using your personal account. For more information, see [About {% data variables.product.prodname_emus %}]({% ifversion fpt %}/enterprise-cloud@latest{% endif %}/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/about-enterprise-managed-users#abilities-and-restrictions-of-managed-user-accounts){% ifversion fpt %} in the {% data variables.product.prodname_ghe_cloud %} documentation.{% elsif ghec %}.{% endif %}
{% ifversion account-switcher %}
If you need to use multiple accounts, you can stay signed in to your accounts and switch between them. For example, switching between a personal account and a service account. For more information, see [AUTOTITLE](/authentication/keeping-your-account-and-data-secure/switching-between-accounts).
{% endif %}
If you want to use one workstation to contribute from both accounts, you can simplify contribution with Git by using a mixture of protocols to access repository data, or by using credentials on a per-repository basis.
> [!WARNING]
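Review bot: "For example, switching between a personal account and a service account." in the account-switcher paragraph is a sentence fragment now that it stands unconditionally; fold it into the preceding sentence, e.g. "you can stay signed in to your accounts and switch between them, for example between a personal account and a service account."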
@@ -32,16 +32,16 @@ By default, the deployments page shows currently active deployments from select
1. In the right-hand sidebar of the home page of your repository, click **Deployments**.
1. Once you are on the "Deployments" page, you can view the following information about your deployment history.
* **To view recent deployments for a specific environment**, in the "Environments" section of the left sidebar, click an environment.{% ifversion deployment-dashboard-filter %}
* **To pin an environment to the top of the deployment history list**, repository administrators can click {% octicon "pin" aria-label="Pin environment" %} to the right of the environment. You can pin up to ten environments.{% endif %}
* **To view recent deployments for a specific environment**, in the "Environments" section of the left sidebar, click an environment.
* **To pin an environment to the top of the deployment history list**, repository administrators can click {% octicon "pin" aria-label="Pin environment" %} to the right of the environment. You can pin up to ten environments.
* **To view the commit that triggered a deployment**, in the deployment history list, click the commit message for the deployment you want to view.
>[!NOTE]Deployments from commits that originate from a fork outside of the repository will not show links to the source pull request and branch related to each deployment. For more information about forks, see [AUTOTITLE](/pull-requests/collaborating-with-pull-requests/working-with-forks/about-forks).
* **To view the URL for a deployment**, to the right of the commit message in the deployment history list, click {% octicon "link-external" aria-label="Navigate to deployment URL" %}.
* **To navigate to the workflow run logs associated with a deployment**, to the right of the commit message in the deployment history list, click {% octicon "kebab-horizontal" aria-label="View logs" %}, then click **View logs**.{% ifversion deployment-dashboard-filter %}
* **To navigate to the workflow run logs associated with a deployment**, to the right of the commit message in the deployment history list, click {% octicon "kebab-horizontal" aria-label="View logs" %}, then click **View logs**.
1. Optionally, to filter the deployment history list, create a filter.
1. Click on the **{% octicon "filter" aria-hidden="true" aria-label="filter" %} Filter** button.
1. Click **{% octicon "plus" aria-hidden="true" aria-label="plus" %} Add a filter**.
1. Choose a qualifier you would like to filter the deployment history by.
1. Depending on the qualifier you chose, fill out information in the "Operator" and "Value" columns.
1. Optionally, click **{% octicon "plus" aria-hidden="true" aria-label="plus" %} Add a filter** to add another filter.
1. Click **Apply**.{% endif %}
1. Click **Apply**.
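Review bot: The callout under "To view the commit that triggered a deployment" reads `>[!NOTE]Deployments from commits ...` on a single line, which does not match the two-line `> [!WARNING]` / `> [!NOTE]` form used everywhere else in this commit; if the source really has it on one line, split it into `> [!NOTE]` followed by `> Deployments from commits ...` so the callout renders. This is untouched context, so a follow-up is fine.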
@@ -288,8 +288,10 @@ ghe-reactivate-admin-login
### ghe-saml-mapping-csv
{% ifversion scim-for-ghes-ga %}
> [!NOTE]
> This utility does not work with configurations that use SAML with SCIM provisioning. For the SCIM version of this tool, please refer to [`ghe-scim-identities-csv` utility](#ghe-scim-identities-csv).
{% endif %}
This utility allows administrators to output or update the SAML `NameID` mappings for users on an instance. The utility can output a CSV file that lists all existing mappings. You can also update mappings for users on your instance by editing the resulting file, then using the utility to assign new mappings from the file.
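Review bot: The added SCIM note says "please refer to [`ghe-scim-identities-csv` utility](#ghe-scim-identities-csv)"; the rest of this commit uses a plain "see" and keeps link text to the command name, so "see [`ghe-scim-identities-csv`](#ghe-scim-identities-csv)" would match house style. The cross-reference itself is the right addition, since the note makes clear `ghe-saml-mapping-csv` must not be used to edit `NameID` mappings on SCIM-provisioned instances.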
@@ -1072,8 +1074,6 @@ This utility completely disables replication on an existing replica node, removi
ghe-repl-teardown
```
{% ifversion ghes > 3.13 %}
### ghe-repl-stop-all
This utility disables replication of all datastores on all replica nodes. Run this utility from the primary node before upgrading replicas. For more information, see [AUTOTITLE](/admin/upgrading-your-instance/performing-an-upgrade/upgrading-with-an-upgrade-package).
@@ -1081,7 +1081,6 @@ This utility disables replication of all datastores on all replica nodes. Run th
### ghe-repl-start-all
This utility begins replication of all datastores on all replica nodes. Run this utility from the primary node after upgrading replicas. For more information, see [AUTOTITLE](/admin/upgrading-your-instance/performing-an-upgrade/upgrading-with-an-upgrade-package).
{% endif %}
## Import and export
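Review bot: The `{% endif %}` dropped after the `ghe-repl-start-all` paragraph is the close of the `{% ifversion ghes > 3.13 %}` dropped in the previous hunk (just before `### ghe-repl-stop-all`); the two removals only work as a pair, and an unmatched Liquid tag fails the page build, so run the Liquid lint on command-line-utilities.md before merge.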
@@ -149,7 +149,7 @@ To apply the configuration from the {% data variables.enterprise.management_cons
You may want to power off a staging instance to save costs and power it back on when needed.
An instance can stay offline for {% ifversion ghes < 3.14 %}60 days as of the latest patch release of this version, increased from 7 days{% else %}60 days{% endif %}.
An instance can stay offline for 60 days.
If you bring the instance back online within the allowed offline time period, {% data variables.product.prodname_ghe_server %} instantiates successfully. If the instance stays offline for longer than the allowed period, {% data variables.product.prodname_ghe_server %} fails to instantiate successfully, and an error message with the text `server has been offline for more than the configured server_rejoin_age_max` may appear in the system logs. See [AUTOTITLE](/admin/monitoring-and-managing-your-instance/monitoring-your-instance/about-system-logs).
@@ -44,7 +44,7 @@ Before suspending site administrators, you must demote them to regular users. Se
If you use certain external authentication features, you cannot manage user suspension from the site admin dashboard or command line:
* If LDAP Sync is enabled for {% data variables.location.product_location %}, users are automatically suspended based on the scenarios that are described in [AUTOTITLE](/admin/identity-and-access-management/using-ldap-for-enterprise-iam/using-ldap#enabling-ldap-sync).
* If SCIM provisioning is enabled, SCIM-provisioned users must be suspended or unsuspended through your identity provider.{% ifversion scim-for-ghes-public-beta %} See [AUTOTITLE](/admin/managing-iam/provisioning-user-accounts-with-scim/provisioning-users-and-groups-with-scim-using-the-rest-api#provisioning-users-with-the-rest-api).{% endif %}
* If SCIM provisioning is enabled, SCIM-provisioned users must be suspended or unsuspended through your identity provider. See [AUTOTITLE](/admin/managing-iam/provisioning-user-accounts-with-scim/provisioning-users-and-groups-with-scim-using-the-rest-api#provisioning-users-with-the-rest-api).
## Viewing suspended users in the site admin dashboard
@@ -90,7 +90,7 @@ You can create a custom message that suspended users will see when attempting to
{% data reusables.enterprise-accounts.access-enterprise %}
{% data reusables.enterprise-accounts.settings-tab %}
{% data reusables.enterprise-accounts.messages-tab %}
1. To the right of "Suspended user page", click **Add message**.
1. To the right of "Suspended user page," click **Add message**.

1. In the "Suspend user message" field, type your message. You can type Markdown, or use the Markdown toolbar to style your message.
@@ -33,20 +33,14 @@ For more information, see [AUTOTITLE](/admin/managing-iam/provisioning-user-acco
## Prerequisites
{% ifversion scim-for-ghes-public-beta %}
The general prerequisites for using SCIM on {% data variables.product.prodname_ghe_server %} apply. See the "Prerequisites" section in [AUTOTITLE](/admin/managing-iam/provisioning-user-accounts-with-scim/configuring-scim-provisioning-for-users#prerequisites).
In addition:
* To configure SCIM, you must have completed **steps 1 to 4** in [AUTOTITLE](/admin/managing-iam/provisioning-user-accounts-with-scim/configuring-scim-provisioning-for-users).
* You will need the {% data variables.product.pat_v1 %} created for the setup user to authenticate requests from Entra ID.
{% else %}
* {% data reusables.saml.ghes-you-must-configure-saml-sso %}
* {% data reusables.saml.create-a-machine-user %}
{% endif %}
* To configure authentication and user provisioning using Entra ID, you must have an Entra ID account and tenant. For more information, see the [Entra ID website](https://www.microsoft.com/en-us/security/business/identity-access/microsoft-entra-id) and [Quickstart: Set up a tenant](https://learn.microsoft.com/entra/identity-platform/quickstart-create-new-tenant) in the Microsoft Docs.
{% ifversion scim-for-ghes-public-beta %}
* To configure authentication and user provisioning using Entra ID, you must have an Entra ID account and tenant. For more information, see the [Entra ID website](https://www.microsoft.com/en-us/security/business/identity-access/microsoft-entra-id) and [Quickstart: Set up a tenant](https://learn.microsoft.com/entra/identity-platform/quickstart-create-new-tenant) in the Microsoft Docs.
## 1. Configure SAML
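Review bot: The prerequisite bullet "To configure authentication and user provisioning using Entra ID ..." appears twice in this hunk with identical visible text; if the second copy differs only in whitespace that is fine, but confirm the rendered prerequisites list shows it once. Dropping the `{% else %}` branch also drops the `ghes-you-must-configure-saml-sso` and `create-a-machine-user` reusables; SAML setup is still covered by "## 1. Configure SAML" and the "steps 1 to 4" link, so no gap there.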
@@ -90,20 +84,3 @@ Before starting this section, ensure you have followed steps **1 to 4** in [AUTO
1. To provision your EntraID users to your {% data variables.product.prodname_ghe_server %} appliance, Click **Start provisioning**.
When you have finished configuring SCIM, you may want to disable some SAML settings you enabled for the configuration process. See [AUTOTITLE](/admin/managing-iam/provisioning-user-accounts-with-scim/configuring-scim-provisioning-for-users#6-disable-optional-settings).
{% else %}
## Configuring authentication and user provisioning with Entra ID
1. Configure SAML SSO for {% data variables.location.product_location %}. For more information, see [AUTOTITLE](/admin/identity-and-access-management/using-saml-for-enterprise-iam/configuring-saml-single-sign-on-for-your-enterprise#configuring-saml-sso).
1. Configure user provisioning with SCIM for your instance. For more information, see [AUTOTITLE](/admin/identity-and-access-management/using-saml-for-enterprise-iam/configuring-user-provisioning-with-scim-for-your-enterprise).
## Managing enterprise owners
The steps to make a person an enterprise owner depend on whether you only use SAML or also use SCIM. For more information about enterprise owners, see [AUTOTITLE](/admin/user-management/managing-users-in-your-enterprise/roles-in-an-enterprise).
If you configured provisioning, to grant the user enterprise ownership in {% data variables.product.github %}, assign the enterprise owner role to the user in Entra ID.
If you did not configure provisioning, to grant the user enterprise ownership in {% data variables.product.github %}, include the `administrator` attribute in the SAML assertion for the user account on the IdP, with the value of `true`. For more information about including the `administrator` attribute in the SAML claim from Entra ID, see [How to: customize claims issued in the SAML token for enterprise applications](https://docs.microsoft.com/azure/active-directory/develop/active-directory-saml-claims-customization) in the Microsoft Docs.
{% endif %}
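Review bot: Removing the `{% else %}` branch deletes the whole "Managing enterprise owners" section, including the instruction to grant enterprise ownership by sending the `administrator` attribute with value `true` in the SAML assertion when provisioning is not configured. That is privileged-role assignment, so confirm that the surviving path (assign the enterprise owner role in Entra ID) or the linked configuring-scim-provisioning-for-users page still documents how owners are granted, and that the SAML-attribute route is intentionally unsupported on 3.14 and later rather than silently undocumented. Minor, on the kept step above: "EntraID" should be "Entra ID" and "Click" should be lowercase mid-sentence.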
@@ -1,8 +1,8 @@
---
title: '{% ifversion scim-for-ghes-public-beta %}About{% else %}Configuring{% endif %} user provisioning with SCIM on GitHub Enterprise Server'
shortTitle: '{% ifversion scim-for-ghes-public-beta %}About SCIM provisioning{% else %}Configure SCIM user provisioning{% endif %}'
intro: '{% ifversion scim-for-ghes-public-beta %}Learn about{% else %}Get started with{% endif %} managing the lifecycle of user accounts with SCIM on {% data variables.location.product_location %}.'
permissions: '{% ifversion scim-for-ghes-public-beta %}{% else %}Site administrators{% endif %}'
title: 'About user provisioning with SCIM on GitHub Enterprise Server'
shortTitle: 'About SCIM provisioning'
intro: 'Learn about managing the lifecycle of user accounts with SCIM on {% data variables.location.product_location %}.'
permissions: ''
versions:
ghes: '*'
allowTitleToDifferFromFilename: true
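Review bot: `permissions: ''` leaves an empty frontmatter value; the old non-beta branch said "Site administrators" and the beta branch rendered nothing. If the frontmatter schema allows omitting `permissions`, drop the key rather than keep an empty string; if the page is still site-admin-only on 3.14 and later, keep "Site administrators" so readers know the role needed.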
@@ -29,12 +29,10 @@ If you use SAML single sign-on (SSO) for {% data variables.location.product_loca
If you do not configure user provisioning with SCIM, your IdP will not communicate with {% data variables.product.prodname_ghe_server %} automatically when you assign or unassign the application to a user. Without SCIM, {% data variables.product.prodname_ghe_server %} creates a user account using SAML Just-in-Time (JIT) provisioning the first time someone navigates to {% data variables.product.prodname_ghe_server %} and signs in by authenticating through your IdP.
To configure provisioning for your enterprise, you must enable provisioning on {% data variables.product.prodname_ghe_server %}, then {% ifversion scim-for-ghes-public-beta %}either {% endif %}install and configure a provisioning application on your IdP{% ifversion scim-for-ghes-public-beta %}, or configure SCIM provisioning manually using {% data variables.product.company_short %}'s REST API endpoints for SCIM{% endif %}.
To configure provisioning for your enterprise, you must enable provisioning on {% data variables.product.prodname_ghe_server %}, then either install and configure a provisioning application on your IdP, or configure SCIM provisioning manually using {% data variables.product.company_short %}'s REST API endpoints for SCIM.
## Supported identity providers
{% ifversion scim-for-ghes-public-beta %}
{% data reusables.enterprise_user_management.emu-paved-path-iam-integrations %}
### Partner identity providers
@@ -55,12 +53,6 @@ If you cannot use a single partner IdP for both authentication and provisioning,
* Provide **authentication using SAML**, adhering to SAML 2.0 specification
* Provide **user lifecycle management using SCIM**, adhering to the SCIM 2.0 specification and communicating with {% data variables.product.company_short %}'s REST API (see [AUTOTITLE](/admin/identity-and-access-management/provisioning-user-accounts-for-enterprise-managed-users/provisioning-users-with-scim-using-the-rest-api))
{% else %}
During the {% data variables.release-phases.private_preview %}, your account team will provide documentation for the configuration of SCIM for {% data variables.product.prodname_ghe_server %} on a supported IdP.
{% endif %}
## How will I manage user lifecycles with SCIM?
{% data reusables.enterprise_user_management.scim-manages-user-lifecycle %}
@@ -99,8 +91,6 @@ After an IdP administrator grants a person access to {% data variables.location.
* Additionally, for Entra ID, {% data variables.product.prodname_ghe_server %} compares the object identifier from the SAML request with an existing SCIM external ID.
* If your environment does not use `NameID` to uniquely identify users, a site administrator can configure custom user attributes for the instance. {% data variables.product.prodname_ghe_server %} will respect this mapping when SCIM is configured. For more information about mapping user attributes, see [AUTOTITLE](/admin/identity-and-access-management/using-saml-for-enterprise-iam/configuring-saml-single-sign-on-for-your-enterprise#configuring-saml-sso).
{% ifversion scim-for-ghes-public-beta %}
## How is SCIM disabled?
For more information on the different ways that SCIM can be disabled, see [AUTOTITLE](/admin/managing-iam/provisioning-user-accounts-with-scim/disabling-scim-provisioning-for-users).
@@ -113,50 +103,3 @@ To get started with SCIM, you will:
1. Configure settings in your IdP.
* If you're using a partner IdP for authentication and provisioning, you'll follow a guide for your IdP.
* Otherwise, you'll set up a SCIM integration with the REST API, as described in [AUTOTITLE](/admin/managing-iam/provisioning-user-accounts-with-scim/provisioning-users-and-groups-with-scim-using-the-rest-api).
{% else %}
## Prerequisites
* {% data reusables.saml.ghes-you-must-configure-saml-sso %}
* You must allow built-in authentication for users who don't have an account on your IdP. For more information, see [AUTOTITLE](/admin/identity-and-access-management/managing-iam-for-your-enterprise/allowing-built-in-authentication-for-users-outside-your-provider).
* Your IdP must support making SCIM calls to a Service Provider (SP).
* You must have administrative access on your IdP to configure the application for user provisioning for {% data variables.product.prodname_ghe_server %}.
## Enabling user provisioning for your enterprise
To perform provisioning actions on your instance, you will create a built-in user account and promote the account to an enterprise owner.
After you enable SCIM on a {% data variables.product.prodname_ghe_server %} instance, all user accounts are suspended. The built-in user account will continue to perform provisioning actions. After you grant a user access to your instance from your IdP, the IdP will communicate with the instance using SCIM to unsuspend the user's account.
1. Create a built-in user account to perform provisioning actions on your instance. For more information, see [AUTOTITLE](/admin/identity-and-access-management/managing-iam-for-your-enterprise/allowing-built-in-authentication-for-users-outside-your-provider#inviting-users-outside-your-provider-to-authenticate-to-your-instance).
1. Promote the dedicated user account to an enterprise owner. For more information, see [AUTOTITLE](/admin/user-management/managing-users-in-your-enterprise/inviting-people-to-manage-your-enterprise#adding-an-enterprise-administrator-to-your-enterprise-account).
1. Sign into your instance as the new enterprise owner.
1. Create a {% data variables.product.pat_v1 %} with **admin:enterprise** scope. Do not specify an expiration date for the {% data variables.product.pat_v1 %}. For more information, see [AUTOTITLE](/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token).
> [!WARNING]
> Ensure that you don't specify an expiration date for the {% data variables.product.pat_v1 %}. If you specify an expiration date, SCIM will no longer function after the expiration date passes.
> [!NOTE]
> You'll need this {% data variables.product.pat_generic %} to test the SCIM configuration, and to configure the application for SCIM on your IdP. Store the token securely in a password manager until you need the token again later in these instructions.
{% data reusables.enterprise_installation.ssh-into-instance %}
1. To enable SCIM, run the commands provided to you by your account manager on {% data variables.contact.contact_enterprise_sales %}.
{% data reusables.enterprise_site_admin_settings.wait-for-configuration-run %}
1. To validate that SCIM is operational, run the following commands. Replace _PAT FROM STEP 3_ and _YOUR INSTANCE'S HOSTNAME_ with actual values.
```shell
$ GHES_PAT="PAT FROM STEP 3"
$ GHES_HOSTNAME="YOUR INSTANCE'S HOSTNAME"
$ curl --location --request GET 'https://$GHES_HOSTNAME/api/v3/scim/v2/Users' \
--header 'Content-Type: application/scim' \
--header 'Authorization: Bearer $GHES_PAT'
```
The command should return an empty array.
1. Configure user provisioning in the application for {% data variables.product.prodname_ghe_server %} on your IdP. To request documentation for a supported IdP, contact your account manager on {% data variables.contact.contact_enterprise_sales %}. If your IdP is unsupported, you must create the application and configure SCIM manually.
{% endif %}
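Review bot: The removed non-beta section was the only place in this file that spelled out handling of the provisioning credential: a {% data variables.product.pat_v1 %} with `admin:enterprise` scope, no expiration date, stored in a password manager, and validated with a GET on `/api/v3/scim/v2/Users`. The kept beta branch only says "Configure settings in your IdP" and links to the REST API page, so check that configuring-scim-provisioning-for-users (the "steps 1 to 4" it points at) still carries the scope, no-expiry and token-storage guidance; a long-lived enterprise-admin token deserves that text somewhere. As an aside, the deleted curl example would not have worked as written: `$GHES_HOSTNAME` and `$GHES_PAT` sit inside single quotes and never expand, and the SCIM media type is `application/scim+json`; no fix needed here since the block is going, but correct both if the snippet lives on elsewhere.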
@@ -24,12 +24,8 @@ shortTitle: Configure built-in authentication
By default, {% data variables.product.prodname_ghe_server %} uses built-in authentication. Each person creates a user account on {% data variables.location.product_location %} from an invitation or by signing up, and then authenticates with the credentials for the account to access your instance. Your {% data variables.product.prodname_ghe_server %} instance stores the authentication information for the account.
{% ifversion passkeys %}
By default, users can use passkeys for built-in authentication, but you can disable passkeys for your instance. See [AUTOTITLE](/admin/managing-iam/using-built-in-authentication/disabling-passkeys-for-your-instance).
{% endif %}
You can prevent unauthenticated people from creating new user accounts on your instance. For more information, see [AUTOTITLE](/admin/identity-and-access-management/using-built-in-authentication/disabling-unauthenticated-sign-ups).
{% data reusables.enterprise_user_management.alternatively-enable-external-authentication %}
@@ -39,7 +35,7 @@ You can prevent unauthenticated people from creating new user accounts on your i
{% data reusables.enterprise_site_admin_settings.access-settings %}
{% data reusables.enterprise_site_admin_settings.management-console %}
{% data reusables.enterprise_management_console.authentication %}
1. Under "Authentication", select **Built in authentication**.
1. Under "Authentication," select **Built in authentication**.
{% data reusables.enterprise_user_management.two_factor_auth_header %}
{% data reusables.enterprise_user_management.2fa_is_available %}
@@ -1,9 +1,9 @@
---
title: Disabling passkeys for your instance
intro: 'Learn how to disable passkeys for all users on your instance.'
permissions: 'Site administrators'
intro: Learn how to disable passkeys for all users on your instance.
permissions: Site administrators
versions:
ghes: '>=3.14'
ghes: '*'
type: how_to
topics:
- Accounts
@@ -73,10 +73,10 @@ You can schedule rebalancing of jobs on your cluster by setting and applying con
ghe-config app.cluster-rebalance.enabled true
```
1. Optionally, you can override the default schedule by defining a {% ifversion ghes > 3.13 %}[Systemd.time expression](https://www.freedesktop.org/software/systemd/man/latest/systemd.time.html){% else %}cron expression{% endif %}. For example, run the following command to balance jobs daily.
1. Optionally, you can override the default schedule by defining a [Systemd.time expression](https://www.freedesktop.org/software/systemd/man/latest/systemd.time.html). For example, run the following command to balance jobs daily.
```shell copy
ghe-config app.cluster-rebalance.schedule {% ifversion ghes > 3.13 %}'daily'{% else %}'0 0 * * *'{% endif %}
ghe-config app.cluster-rebalance.schedule 'daily'
```
{% data reusables.enterprise.apply-configuration %}
@@ -68,7 +68,6 @@ Root storage refers to the total size of your instance's root disk. The availabl
> [!WARNING]
> Before increasing the root partition size, you must put your instance in maintenance mode. For more information, see [AUTOTITLE](/admin/configuration/configuring-your-enterprise/enabling-and-scheduling-maintenance-mode).
{% ifversion ghes > 3.13 %}
Before resizing the root partition, determine whether the appliance has a GUID partition table.
On instances created from GHES releases 3.14 and later, follow the instructions for [Increasing the root partition size on a GUID partition table](#increasing-the-root-partition-size-on-a-guid-partition-table).
@@ -81,13 +80,9 @@ To verify the partition table type, run the following command. The result should
sudo lsblk -no pttype $(findmnt -no source /)
```
{% endif %}
1. Attach a new disk to your {% data variables.product.prodname_ghe_server %} appliance.
1. Run the `lsblk` command to identify the new disk's device name.
{% ifversion ghes > 3.13 %}
### Increasing the root partition size on a GUID partition table
1. Back up your existing EFI boot partition:
@@ -143,8 +138,6 @@ If your appliance is configured for high-availability or geo-replication, rememb
### Increasing the root partition size on a legacy partition table
{% endif %}
1. Run the `parted` command to format the disk, substituting your device name for `/dev/xvdg`:
```shell
@@ -4,7 +4,7 @@ intro: 'New installs of {% data variables.product.prodname_ghe_server %} 3.14 or
redirect_from:
- /admin/monitoring-managing-and-updating-your-instance/updating-the-virtual-machine-and-physical-resources/using-generation-2-virtual-machines
versions:
ghes: '>3.13'
ghes: '*'
type: reference
topics:
- Enterprise
@@ -102,8 +102,6 @@ To align secret detection with internal security policies and more effectively p
{% endif %}
{% ifversion push-protection-delegated-bypass %}
## Setting up an approval process for sensitive actions
You may want to set up an approval process for better control over who in your enterprise can perform sensitive actions. An approval process helps mitigate the risk of unauthorized or malicious changes, and can provide a record of who used the bypass and why, ensuring that all actions are traceable and accountable.
@@ -116,8 +114,6 @@ Approval processes are available for:
{% endif %}
{% endif %}
## Identifying security vulnerabilities and errors
Many industries have regulations that require regular security assessments and vulnerability management. **{% data variables.product.prodname_code_scanning_caps %}** helps ensure compliance with industry standards by identifying and mitigating security risks in your code, such as insecure patterns.
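Review bot: Two `{% endif %}` tags sit back to back at the top of this hunk, just before "## Identifying security vulnerabilities and errors"; one closes the `{% ifversion push-protection-delegated-bypass %}` dropped in the previous hunk and must go with it, the other closes an outer block and must stay. The lost +/- markers make it hard to confirm which one was removed from the rendered view, so a Liquid nesting lint on this file is the quick way to make sure the approval-process section still renders for every supported version.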
@@ -27,7 +27,7 @@ The root filesystem is included in the distributed machine image. It contains th
The root storage volume is split into two equally-sized partitions. One of the partitions will be mounted as the root filesystem (`/`). The other partition is only mounted during upgrades and rollbacks of upgrades as `/mnt/upgrade`, to facilitate easier rollbacks if necessary. For example, if a {% ifversion ghes > 3.14 %}400GB root volume is allocated, there will be 200GB allocated to the root filesystem and 200GB{% else %}200GB root volume is allocated, there will be 100GB allocated to the root filesystem and 100GB{% endif %} reserved for the upgrades and rollbacks.
{% ifversion ghes > 3.13 %}In new installations of 3.14 and later, the root storage volume is split into four partitions. Two small partitions are for the supported boot modes (BIOS and UEFI), and the other two equally large partitions are for the {% data variables.product.prodname_ghe_server %} primary, and upgrades and rollbacks.{% endif %}
In new installations of 3.14 and later, the root storage volume is split into four partitions. Two small partitions are for the supported boot modes (BIOS and UEFI), and the other two equally large partitions are for the {% data variables.product.prodname_ghe_server %} primary, and upgrades and rollbacks.
The root filesystem contains files that store the following information. This list is not exhaustive.
@@ -78,7 +78,7 @@ To upgrade an instance that comprises multiple nodes using an upgrade package, y
1. On the primary node, enable maintenance mode and wait for all active processes to complete. See [AUTOTITLE](/admin/configuration/configuring-your-enterprise/enabling-and-scheduling-maintenance-mode).
{% data reusables.enterprise_installation.replica-ssh %}
1. To stop replication on all nodes, run `ghe-repl-stop` on each node.{% ifversion ghes > 3.13 %} Alternatively, if there are multiple replicas, run `ghe-repl-stop-all` on the primary node instead, which will stop replication in a single run.{% endif %}
1. To stop replication on all nodes, run `ghe-repl-stop` on each node. Alternatively, if there are multiple replicas, run `ghe-repl-stop-all` on the primary node instead, which will stop replication in a single run.
1. To upgrade the primary node, follow the instructions in [Upgrading a standalone instance using an upgrade package](#upgrading-a-standalone-instance-using-an-upgrade-package).
### Upgrading additional nodes with an upgrade package
@@ -86,7 +86,7 @@ To upgrade an instance that comprises multiple nodes using an upgrade package, y
1. Upgrade the node by following the instructions in [Upgrading a standalone instance using an upgrade package](#upgrading-a-standalone-instance-using-an-upgrade-package).
{% data reusables.enterprise_installation.replica-ssh %}
{% data reusables.enterprise_installation.replica-verify %}
{% data reusables.enterprise_installation.start-replication %}{% ifversion ghes > 3.13 %} Alternatively, if there are multiple replicas, run `ghe-repl-start-all` on the primary node instead, which will start replications in a single run.{% endif %}
{% data reusables.enterprise_installation.start-replication %} Alternatively, if there are multiple replicas, run `ghe-repl-start-all` on the primary node instead, which will start replications in a single run.
{% data reusables.enterprise_installation.replication-status %} {% data reusables.enterprise_installation.replication-status-upgrade %}
|
||||
{% data reusables.enterprise_installation.multiple-node-repeat-upgrade-process %}
|
||||
{% data reusables.enterprise_installation.disable-maintenance-mode-after-replica-upgrade %}
|
||||
|
||||
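Review bot: "which will start replications in a single run" on the `start-replication` line should read "start replication" (uncountable), matching the `ghe-repl-stop-all` sentence earlier in this file. Also, with the `{% ifversion ghes > 3.13 %}` guard removed, the `ghe-repl-start-all` sentence now renders for every supported version, which is only correct if 3.13 is dropped from the supported versions list in this same change.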
@@ -64,7 +64,7 @@ If undecryptable records are detected, you will be prompted whether you want to
|
||||
If you have any questions during the upgrade, you can reach out to {% data variables.contact.github_support %}. Once you have had the time and opportunity to understand the impact, you can retrigger the upgrade.
|
||||
{% endif %}
|
||||
|
||||
{% ifversion ghes > 3.13 and ghes < 3.17 %}
|
||||
{% ifversion ghes < 3.17 %}
|
||||
|
||||
## Upgrading from 3.14 to 3.16.0
|
||||
|
||||
|
||||
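Review bot: dropping `ghes > 3.13 and` from the condition on the `{% ifversion ghes < 3.17 %}` line is only safe if 3.13 is no longer in the supported versions list; otherwise `ghes < 3.17` now matches 3.13 and shows the "Upgrading from 3.14 to 3.16.0" section to readers it cannot apply to. Worth confirming the versions file change is part of this commit.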
@@ -19,9 +19,9 @@ If your instance is configured for high availability and your primary node upgra
|
||||
|
||||
## Rolling back a patch release
|
||||
|
||||
To roll back a patch release, use the `ghe-upgrade` command with the `--allow-patch-rollback` switch. Before rolling back, replication must be temporarily stopped by running `ghe-repl-stop` on all replica nodes{% ifversion ghes > 3.13 %}, or `ghe-repl-stop-all` on the primary node{% endif %}. {% data reusables.enterprise_installation.command-line-utilities-ghe-upgrade-rollback %}
|
||||
To roll back a patch release, use the `ghe-upgrade` command with the `--allow-patch-rollback` switch. Before rolling back, replication must be temporarily stopped by running `ghe-repl-stop` on all replica nodes, or `ghe-repl-stop-all` on the primary node. {% data reusables.enterprise_installation.command-line-utilities-ghe-upgrade-rollback %}
|
||||
|
||||
After the rollback is complete, restart replication by running `ghe-repl-start` on all nodes{% ifversion ghes > 3.13 %}, or `ghe-repl-start-all` on the primary node{% endif %}. See [AUTOTITLE](/admin/configuration/configuring-your-enterprise/command-line-utilities#ghe-upgrade).
|
||||
After the rollback is complete, restart replication by running `ghe-repl-start` on all nodes, or `ghe-repl-start-all` on the primary node. See [AUTOTITLE](/admin/configuration/configuring-your-enterprise/command-line-utilities#ghe-upgrade).
|
||||
|
||||
## Rolling back a feature release
|
||||
|
||||
|
||||
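Review bot: the stop and start sentences are asymmetric: replication is stopped "on all replica nodes" with `ghe-repl-stop`, but restarted "on all nodes" with `ghe-repl-start`. If `ghe-repl-start` is only run on replicas, the restart sentence should say "on all replica nodes" so the two instructions match; the `ghe-repl-start-all` alternative on the primary reads correctly as written.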
@@ -20,7 +20,7 @@ Your JWT must be signed using the `RS256` algorithm and must contain the followi
|
||||
|---|---|---|
|
||||
|`iat`| Issued At | The time that the JWT was created. To protect against clock drift, we recommend that you set this 60 seconds in the past and ensure that your server's date and time is set accurately (for example, by using the Network Time Protocol). |
|
||||
|`exp`| Expires At | The expiration time of the JWT, after which it can't be used to request an installation token. The time must be no more than 10 minutes into the future. |
|
||||
|`iss`| Issuer | The {% ifversion client-id-for-app %}client ID or {% endif %}application ID of your {% data variables.product.prodname_github_app %}. This value is used to find the right public key to verify the signature of the JWT. You can find your app's ID{% ifversion client-id-for-app %}s{% endif %} on the settings page for your {% data variables.product.prodname_github_app %}.{% ifversion client-id-for-app %} Use of the client ID is recommended.{% endif %} For more information about navigating to the settings page for your {% data variables.product.prodname_github_app %}, see [AUTOTITLE](/apps/maintaining-github-apps/modifying-a-github-app-registration#navigating-to-your-github-app-settings).|
|
||||
|`iss`| Issuer | The client ID or application ID of your {% data variables.product.prodname_github_app %}. This value is used to find the right public key to verify the signature of the JWT. You can find your app's IDs on the settings page for your {% data variables.product.prodname_github_app %}. Use of the client ID is recommended. For more information about navigating to the settings page for your {% data variables.product.prodname_github_app %}, see [AUTOTITLE](/apps/maintaining-github-apps/modifying-a-github-app-registration#navigating-to-your-github-app-settings).|
|
||||
|`alg`| Message authentication code algorithm | This should be `RS256` since your JWT must be signed using the `RS256` algorithm. |
|
||||
|
||||
To use a JWT, pass it in the `Authorization` header of an API request. For example:
|
||||
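Review bot: the `alg` row labels RS256 a "Message authentication code algorithm", but RS256 is an RSA signature algorithm, not a MAC, and `alg` is a JOSE header parameter rather than a payload claim like `iat`, `exp` and `iss`; suggest "Signature algorithm" and a short note that it belongs in the JWT header. Not part of the 3.13 cleanup, but the `iss` row of this table is being edited here anyway.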
@@ -47,7 +47,7 @@ Most programming languages have a package that can generate a JWT. In all cases,
|
||||
> [!NOTE]
|
||||
> You must run `gem install jwt` to install the `jwt` package in order to use this script.
|
||||
|
||||
In the following example, replace `YOUR_PATH_TO_PEM` with the file path where your private key is stored. Replace {% ifversion client-id-for-app %}`YOUR_CLIENT_ID`{% else %}`YOUR_APP_ID`{% endif %} with the ID of your app. Make sure to enclose the values for `YOUR_PATH_TO_PEM` and {% ifversion client-id-for-app %}`YOUR_CLIENT_ID`{% else %}`YOUR_APP_ID`{% endif %} in double quotes.
|
||||
In the following example, replace `YOUR_PATH_TO_PEM` with the file path where your private key is stored. Replace `YOUR_CLIENT_ID` with the ID of your app. Make sure to enclose the values for `YOUR_PATH_TO_PEM` and `YOUR_CLIENT_ID` in double quotes.
|
||||
|
||||
```ruby
|
||||
require 'openssl'
|
||||
@@ -63,11 +63,10 @@ payload = {
|
||||
iat: Time.now.to_i - 60,
|
||||
# JWT expiration time (10 minute maximum)
|
||||
exp: Time.now.to_i + (10 * 60),
|
||||
{% ifversion client-id-for-app %}
|
||||
|
||||
# {% data variables.product.prodname_github_app %}'s client ID
|
||||
iss: "YOUR_CLIENT_ID"{% else %}
|
||||
# {% data variables.product.prodname_github_app %}'s app ID
|
||||
iss: "YOUR_APP_ID"{% endif %}
|
||||
iss: "YOUR_CLIENT_ID"
|
||||
|
||||
}
|
||||
|
||||
jwt = JWT.encode(payload, private_key, "RS256")
|
||||
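Review bot: with the `{% else %}` branch removed, the rendered hunk makes it hard to tell whether the `# ...'s client ID` comment line survives above `iss: "YOUR_CLIENT_ID"`; please keep it, so the Ruby example stays consistent with the Python example, which keeps `# Get the Client ID` beside its `client_id` handling.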
@@ -93,19 +92,12 @@ if len(sys.argv) > 1:
|
||||
else:
|
||||
pem = input("Enter path of private PEM file: ")
|
||||
|
||||
{% ifversion client-id-for-app %}
|
||||
# Get the Client ID
|
||||
if len(sys.argv) > 2:
|
||||
client_id = sys.argv[2]
|
||||
else:
|
||||
client_id = input("Enter your Client ID: ")
|
||||
{% else %}
|
||||
# Get the App ID
|
||||
if len(sys.argv) > 2:
|
||||
app_id = sys.argv[2]
|
||||
else:
|
||||
app_id = input("Enter your APP ID: ")
|
||||
{% endif %}
|
||||
|
||||
|
||||
# Open PEM
|
||||
with open(pem, 'rb') as pem_file:
|
||||
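Review bot: now that the `app_id` branch is gone, nothing else in the script may reference `app_id`; the payload hunk in this same file uses `client_id`, which is consistent, but grep the whole script. Removing the `{% ifversion %}`, `{% else %}` and `{% endif %}` lines also appears to leave several consecutive blank lines between the `client_id = input(...)` block and `# Open PEM`; collapse them to one.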
@@ -116,11 +108,10 @@ payload = {
|
||||
'iat': int(time.time()),
|
||||
# JWT expiration time (10 minutes maximum)
|
||||
'exp': int(time.time()) + 600,
|
||||
{% ifversion client-id-for-app %}
|
||||
|
||||
# {% data variables.product.prodname_github_app %}'s client ID
|
||||
'iss': client_id{% else %}
|
||||
# {% data variables.product.prodname_github_app %}'s app ID
|
||||
'iss': app_id{% endif %}
|
||||
'iss': client_id
|
||||
|
||||
}
|
||||
|
||||
# Create JWT
|
||||
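Review bot: `'iat': int(time.time())` does not back-date the issued-at claim, while the claims table in this file recommends setting `iat` 60 seconds in the past to tolerate clock drift and the Ruby example uses `Time.now.to_i - 60`; suggest `'iat': int(time.time()) - 60` so the examples agree.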
@@ -134,17 +125,14 @@ This script will prompt you for the file path where your private key is stored a
|
||||
### Example: Using Bash to generate a JWT
|
||||
|
||||
> [!NOTE]
|
||||
> You must pass your {% ifversion client-id-for-app %}Client ID{% else %}App ID{% endif %} and the file path where your private key is stored as arguments when running this script.
|
||||
> You must pass your Client ID and the file path where your private key is stored as arguments when running this script.
|
||||
|
||||
```bash copy
|
||||
#!/usr/bin/env bash
|
||||
|
||||
set -o pipefail
|
||||
{% ifversion client-id-for-app %}
|
||||
client_id=$1 # Client ID as first argument
|
||||
{% else %}
|
||||
app_id=$1 # App ID as first argument
|
||||
{% endif %}
|
||||
|
||||
pem=$( cat $2 ) # file path of the private key as second argument
|
||||
|
||||
now=$(date +%s)
|
||||
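Review bot: `pem=$( cat $2 )` leaves `$2` unquoted, so a key path containing spaces is word-split; write `pem=$( cat "$2" )`. The script also keeps going when `$1` or `$2` is missing (`set -o pipefail` alone does not abort on errors), so a guard after the `set` line such as `[ $# -eq 2 ] || { echo "usage: $0 CLIENT_ID KEY_PATH" >&2; exit 1; }` would fail clearly instead of signing a token with an empty `client_id`.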
@@ -163,7 +151,7 @@ header=$( echo -n "${header_json}" | b64enc )
|
||||
payload_json="{
|
||||
\"iat\":${iat},
|
||||
\"exp\":${exp},
|
||||
{% ifversion client-id-for-app %}\"iss\":\"${client_id}\"{% else %}\"iss\":\"${app_id}\"{% endif %}
|
||||
\"iss\":\"${client_id}\"
|
||||
}"
|
||||
# Payload encode
|
||||
payload=$( echo -n "${payload_json}" | b64enc )
|
||||
@@ -182,16 +170,13 @@ printf '%s\n' "JWT: $JWT"
|
||||
|
||||
### Example: Using PowerShell to generate a JWT
|
||||
|
||||
In the following example, replace `YOUR_PATH_TO_PEM` with the file path where your private key is stored. Replace {% ifversion client-id-for-app %}`YOUR_CLIENT_ID`{% else %}`YOUR_APP_ID`{% endif %} with the ID of your app. Make sure to enclose the values for `YOUR_PATH_TO_PEM` in double quotes.
|
||||
In the following example, replace `YOUR_PATH_TO_PEM` with the file path where your private key is stored. Replace `YOUR_CLIENT_ID` with the ID of your app. Make sure to enclose the values for `YOUR_PATH_TO_PEM` in double quotes.
|
||||
|
||||
```powershell copy
|
||||
#!/usr/bin/env pwsh
|
||||
|
||||
{% ifversion client-id-for-app %}
|
||||
$client_id = YOUR_CLIENT_ID
|
||||
{% else %}
|
||||
$app_id = YOUR_APP_ID
|
||||
{% endif %}
|
||||
|
||||
$private_key_path = "YOUR_PATH_TO_PEM"
|
||||
|
||||
$header = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes((ConvertTo-Json -InputObject @{
|
||||
@@ -202,7 +187,7 @@ $header = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes((Conve
|
||||
$payload = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes((ConvertTo-Json -InputObject @{
|
||||
iat = [System.DateTimeOffset]::UtcNow.AddSeconds(-10).ToUnixTimeSeconds()
|
||||
exp = [System.DateTimeOffset]::UtcNow.AddMinutes(10).ToUnixTimeSeconds()
|
||||
{% ifversion client-id-for-app %} iss = $client_id {% else %} iss = $app_id {% endif %}
|
||||
iss = $client_id
|
||||
}))).TrimEnd('=').Replace('+', '-').Replace('/', '_');
|
||||
|
||||
$rsa = [System.Security.Cryptography.RSA]::Create()
|
||||
|
||||
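Review bot: `$client_id = YOUR_CLIENT_ID` must be quoted: PowerShell parses an unquoted bare word as a command to run, so this only worked for the numeric `YOUR_APP_ID` placeholder it replaces, and a string client ID needs `$client_id = "YOUR_CLIENT_ID"`. The prose above the block should then also say to enclose `YOUR_CLIENT_ID` in double quotes, as the Ruby prose in this file already does. Separately, `AddSeconds(-10)` for `iat` disagrees with the 60 seconds recommended in the claims table.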
@@ -46,7 +46,7 @@ If your app runs in the browser, you should use the web application flow to gene
|
||||
`code_challenge_method` | `string` | Strongly recommended | Used to secure the authentication flow with PKCE (Proof Key for Code Exchange). Required if `code_challenge` is included. Must be `S256` - the `plain` code challenge method is not supported.{% endif %}
|
||||
`login` | `string` | Optional | When specified, the web application flow will prompt users with a specific account they can use for signing in and authorizing your app.
|
||||
`allow_signup` | `boolean` | Optional | Whether unauthenticated users will be offered an option to sign up for {% data variables.product.prodname_dotcom %} during the OAuth flow. The default is `true`. Use `false` when a policy prohibits signups.
|
||||
{% ifversion oauth_account_picker %} `prompt` | `string` | Optional | Forces the account picker to appear if set to `select_account`. The account picker will also appear if the application has a non-HTTP redirect URI or if the user has multiple accounts signed in. {% endif %}
|
||||
`prompt` | `string` | Optional | Forces the account picker to appear if set to `select_account`. The account picker will also appear if the application has a non-HTTP redirect URI or if the user has multiple accounts signed in.
|
||||
|
||||
1. If the user accepts your authorization request, {% data variables.product.company_short %} will redirect the user to one of the callback URLs in your app settings, and provide a `code` query parameter you can use in the next step to create a user access token. If you specified `redirect_uri` in the previous step, that callback URL will be used. Otherwise, the first callback URL on your app's settings page will be used.
|
||||
|
||||
|
||||
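Review bot: the `prompt` row is now unconditional, but the `{% endif %}` at the end of the `code_challenge_method` row still needs its opening `{% ifversion %}` (presumably the PKCE guard above this hunk); check that removing `oauth_account_picker` did not take that opening tag with it. Also, `allow_signup` is typed `boolean` here but `string` in the token-endpoint table further down this file; pick one.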
@@ -69,9 +69,7 @@ This endpoint takes the following input parameters.
|
||||
| `code_challenge_method` | `string` | Strongly recommended | Used to secure the authentication flow with PKCE (Proof Key for Code Exchange). Required if `code_challenge` is included. Must be `S256` - the `plain` code challenge method is not supported.
|
||||
| {% endif %} |
|
||||
| `allow_signup`|`string` | Optional | Whether or not unauthenticated users will be offered an option to sign up for GitHub during the OAuth flow. The default is `true`. Use `false` when a policy prohibits signups. |
|
||||
| {% ifversion oauth_account_picker %} |
|
||||
| `prompt` | `string` | Optional | Forces the account picker to appear if set to `select_account`. The account picker will also appear if the application has a non-HTTP redirect URI or if the user has multiple accounts signed in. |
|
||||
| {% endif %} |
|
||||
|
||||
{% ifversion not pkce_support %}The PKCE (Proof Key for Code Exchange) parameters `code_challenge` and `code_challenge_method` are not supported at this time. {% endif %}CORS pre-flight requests (OPTIONS) are not supported at this time.
|
||||
|
||||
|
||||
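Review bot: two `| {% endif %} |` rows are visible and only one `| {% ifversion oauth_account_picker %} |` row is going away; make sure the `{% endif %}` that paired with `oauth_account_picker` is the one deleted and the one closing the PKCE block above `allow_signup` stays, or the table will render a stray tag. Minor: "Whether or not unauthenticated users" can be "Whether unauthenticated users", as in the other table.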
@@ -3,7 +3,9 @@ title: About passkeys
|
||||
intro: 'Passkeys allow you to sign in safely and easily, without requiring a password and two-factor authentication.'
|
||||
permissions: '{% ifversion fpt or ghec %}Personal account owners who manage their own credentials{% endif %}'
|
||||
versions:
|
||||
feature: passkeys
|
||||
fpt: '*'
|
||||
ghec: '*'
|
||||
ghes: '*'
|
||||
shortTitle: About passkeys
|
||||
---
|
||||
|
||||
|
||||
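Review bot: replacing `feature: passkeys` with `fpt: '*'`, `ghec: '*'`, `ghes: '*'` makes the article visible on every supported GHES version, but the `permissions` line still reads `{% ifversion fpt or ghec %}...{% endif %}`, so GHES readers get an empty permissions string; either drop the condition or add GHES wording. Also confirm the `passkeys` feature file is removed in this commit so no stale `{% ifversion passkeys %}` guards remain elsewhere.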
@@ -3,7 +3,9 @@ title: Managing your passkeys
|
||||
intro: 'You may be prompted to register a passkey during sign-in, or you can choose to register a new passkey in your account settings. For 2FA users, you can upgrade existing eligible security keys into passkeys.'
|
||||
permissions: '{% ifversion fpt or ghec%}Personal account owners who manage their own credentials{% endif %}'
|
||||
versions:
|
||||
feature: passkeys
|
||||
fpt: '*'
|
||||
ghec: '*'
|
||||
ghes: '*'
|
||||
type: how_to
|
||||
shortTitle: Manage your passkeys
|
||||
---
|
||||
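Review bot: `{% ifversion fpt or ghec%}` on the `permissions` line is missing the space before `%}`; the equivalent line in the About passkeys frontmatter has `ghec %}`. The same empty-permissions-on-GHES concern applies here now that `ghes: '*'` is set.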
@@ -34,7 +36,7 @@ Before starting the upgrade procedure, make sure that you are using the device t
|
||||
{% data reusables.user-settings.security %}
|
||||
{% data reusables.passkeys.add-passkey-settings-page %}
|
||||
1. If prompted, authenticate with your password, or use another existing authentication method.
|
||||
1. Under “Configure passwordless authentication”, under "Upgrade your security key registration to a passkey", review the information that confirms the name of the security key to be upgraded, then click **Upgrade to passkey**.
|
||||
1. Under “Configure passwordless authentication”, under "Upgrade your security key registration to a passkey," review the information that confirms the name of the security key to be upgraded, then click **Upgrade to passkey**.
|
||||
1. At the prompt, follow the steps outlined by the passkey provider.
|
||||
{% data reusables.passkeys.passkey-success-done %}
|
||||
|
||||
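Review bot: the edited step mixes curly quotes around “Configure passwordless authentication” with straight quotes around "Upgrade your security key registration to a passkey,"; use straight quotes for both while the line is being touched. Moving the comma inside the closing quote is fine.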
@@ -49,7 +51,7 @@ Before starting the upgrade procedure, make sure that you are using the device t
|
||||
|
||||
Many passkeys support syncing, where your passkey is backed up by the provider's account system (iCloud, Google account, password manager, etc.). If you ever lose your device, you can recover your synced passkeys by signing in to your passkey provider.
|
||||
|
||||
In some cases, your passkey may be "device-bound", which means the passkey cannot be synced and is not backed up to the cloud. For example, you can register FIDO2 hardware security keys (such as a YubiKey) as a passkey, but that passkey will not be synced. If your passkey is device-bound, and you lose or wipe the device, the passkey cannot be recovered. If you are only using device-bound passkeys, it is a best practice to register passkeys on at least two different devices, in case you lose access to one.
|
||||
In some cases, your passkey may be "device-bound," which means the passkey cannot be synced and is not backed up to the cloud. For example, you can register FIDO2 hardware security keys (such as a YubiKey) as a passkey, but that passkey will not be synced. If your passkey is device-bound, and you lose or wipe the device, the passkey cannot be recovered. If you are only using device-bound passkeys, it is a best practice to register passkeys on at least two different devices, in case you lose access to one.
|
||||
|
||||
You can see which of your passkeys are synced, and which are device-bound, under "Passkeys" in your account security settings. Synced passkeys will include a blue `Synced` label next to their name.
|
||||
|
||||
|
||||
@@ -3,7 +3,9 @@ title: Signing in with a passkey
|
||||
intro: 'You can use a passkey to sign in safely and easily to {% data variables.product.prodname_dotcom %} in your browser, without requiring a password and two-factor authentication. You can also sign in using a passkey on a nearby device.'
|
||||
permissions: '{% ifversion fpt or ghec%}Personal account owners who manage their own credentials{% endif %}'
|
||||
versions:
|
||||
feature: passkeys
|
||||
fpt: '*'
|
||||
ghec: '*'
|
||||
ghes: '*'
|
||||
type: how_to
|
||||
shortTitle: Sign in with a passkey
|
||||
---
|
||||
|
||||
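Review bot: same two points as the Managing passkeys frontmatter: `{% ifversion fpt or ghec%}` lacks the space before `%}`, and `permissions` renders empty on GHES now that the article is versioned with `ghes: '*'`.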
@@ -20,7 +20,7 @@ To keep your account secure, you must authenticate before you can access certain
|
||||
You can access your resources in {% data variables.product.github %} in a variety of ways: in the browser, via {% data variables.product.prodname_desktop %} or another desktop application, with the API, or via the command line. Each way of accessing {% data variables.product.github %} supports different modes of authentication.
|
||||
{%- ifversion not fpt %}
|
||||
* Your identity provider (IdP){% endif %}
|
||||
* Username and password with two-factor authentication{% ifversion passkeys %}, or a passkey{% endif %}
|
||||
* Username and password with two-factor authentication, or a passkey
|
||||
* {% data variables.product.pat_generic_caps %}
|
||||
* SSH key
|
||||
|
||||
@@ -30,7 +30,7 @@ You can access your resources in {% data variables.product.github %} in a variet
|
||||
|
||||
If you're a member of an {% data variables.enterprise.prodname_emu_enterprise %}, you will authenticate to {% data variables.product.github %} in your browser using your IdP. For more information, see [AUTOTITLE](/enterprise-cloud@latest/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/about-enterprise-managed-users#authenticating-as-a-managed-user){% ifversion fpt %} in the {% data variables.product.prodname_ghe_cloud %} documentation.{% else %}.{% endif %}
|
||||
|
||||
If you're not a member of an {% data variables.enterprise.prodname_emu_enterprise %}, you will authenticate using your {% data variables.product.prodname_dotcom %} username and password{% ifversion passkeys %}, or a passkey{% endif %}. You may also use two-factor authentication and SAML single sign-on, which can be required by organization and enterprise owners.
|
||||
If you're not a member of an {% data variables.enterprise.prodname_emu_enterprise %}, you will authenticate using your {% data variables.product.prodname_dotcom %} username and password, or a passkey. You may also use two-factor authentication and SAML single sign-on, which can be required by organization and enterprise owners.
|
||||
|
||||
{% else %}
|
||||
|
||||
@@ -42,12 +42,8 @@ You can authenticate to {% data variables.product.github %} in your browser in a
|
||||
{% data reusables.two_fa.mandatory-2fa-contributors-2023 %}
|
||||
{% endif %}
|
||||
|
||||
{% ifversion account-switcher %}
|
||||
|
||||
If you need to use multiple accounts on {% data variables.location.product_location %}, such as a personal account and a service account, you can quickly switch between your accounts without always needing to reauthenticate each time. For more information, see [AUTOTITLE](/authentication/keeping-your-account-and-data-secure/switching-between-accounts).
|
||||
|
||||
{% endif %}
|
||||
|
||||
* **Username and password only**
|
||||
* You'll create a password when you create your account on {% data variables.product.github %}. We recommend that you use a password manager to generate a random and unique password. For more information, see [AUTOTITLE](/authentication/keeping-your-account-and-data-secure/creating-a-strong-password).{% ifversion fpt or ghec %}
|
||||
* If you have not enabled 2FA, {% data variables.product.github %} may ask for additional verification when you first sign in from a new or unrecognized device, such as a new browser profile, a browser where the cookies have been deleted, or a new computer. For more information, see [AUTOTITLE](/authentication/keeping-your-account-and-data-secure/verifying-new-devices-when-signing-in).{% endif %}
|
||||
@@ -62,9 +58,9 @@ If you need to use multiple accounts on {% data variables.location.product_locat
|
||||
> [!NOTE]
|
||||
> {% data reusables.two_fa.unlink-email-address %}
|
||||
|
||||
{% endif %}{% ifversion passkeys %}
|
||||
{% endif %}
|
||||
* **Passkey**
|
||||
* You can add a passkey to your account to enable a secure, passwordless login. Passkeys satisfy both password and 2FA requirements, so you can complete your sign in with a single step. See [AUTOTITLE](/authentication/authenticating-with-a-passkey/about-passkeys).{% endif %}
|
||||
* You can add a passkey to your account to enable a secure, passwordless login. Passkeys satisfy both password and 2FA requirements, so you can complete your sign in with a single step. See [AUTOTITLE](/authentication/authenticating-with-a-passkey/about-passkeys).
|
||||
|
||||
{% ifversion ghes %}
|
||||
* **External authentication**
|
||||
|
||||
@@ -22,8 +22,8 @@ You must choose or generate a password for your account on {% data variables.pro
|
||||
To keep your account secure, we recommend you follow these best practices:
|
||||
* Use a password manager to generate a password of at least 15 characters.
|
||||
* Generate a unique password for {% data variables.product.github %}. If you use your {% data variables.product.github %} password elsewhere and that service is compromised, then attackers or other malicious actors could use that information to access your account.
|
||||
* Configure two-factor authentication for your personal account. For more information, see [AUTOTITLE](/authentication/securing-your-account-with-two-factor-authentication-2fa/about-two-factor-authentication).{% ifversion passkeys %}
|
||||
* {% data reusables.passkeys.add-passkey-option %}{% endif %}
|
||||
* Configure two-factor authentication for your personal account. For more information, see [AUTOTITLE](/authentication/securing-your-account-with-two-factor-authentication-2fa/about-two-factor-authentication).
|
||||
* {% data reusables.passkeys.add-passkey-option %}
|
||||
* Never share your password, even with a potential collaborator. Each person should use their own personal account on {% data variables.product.github %}. For more information on ways to collaborate, see: [AUTOTITLE](/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/inviting-collaborators-to-a-personal-repository), [AUTOTITLE](/pull-requests/collaborating-with-pull-requests/getting-started/about-collaborative-development-models), or [AUTOTITLE](/organizations/collaborating-with-groups-in-organizations).
|
||||
|
||||
{% data reusables.repositories.blocked-passwords %}
|
||||
|
||||
@@ -19,8 +19,7 @@ shortTitle: Unauthorized access
|
||||
After changing your password, you should perform these actions to make sure that your account is secure:
|
||||
|
||||
* Enable two-factor authentication on your account so that access requires more than just a password. For more information, see [AUTOTITLE](/authentication/securing-your-account-with-two-factor-authentication-2fa/about-two-factor-authentication).
|
||||
{%- ifversion passkeys %}
|
||||
* Add a passkey to your account to enable a secure, passwordless login. Passkeys are phishing-resistant, and they don't require memorization or active management. See [AUTOTITLE](/authentication/authenticating-with-a-passkey/about-passkeys).{% endif %}
|
||||
* Add a passkey to your account to enable a secure, passwordless login. Passkeys are phishing-resistant, and they don't require memorization or active management. See [AUTOTITLE](/authentication/authenticating-with-a-passkey/about-passkeys).
|
||||
* Review your SSH keys, deploy keys, and authorized OAuth apps and GitHub Apps and revoke unauthorized or unfamiliar access in your SSH and Applications settings. For more information, see [AUTOTITLE](/authentication/keeping-your-account-and-data-secure/reviewing-your-ssh-keys), [AUTOTITLE](/authentication/keeping-your-account-and-data-secure/reviewing-your-deploy-keys), [AUTOTITLE](/apps/oauth-apps/using-oauth-apps/reviewing-your-authorized-oauth-apps), and [AUTOTITLE](/apps/using-github-apps/reviewing-your-authorized-integrations).
|
||||
{% ifversion fpt or ghec %}
|
||||
* Verify all your email addresses. If an attacker added their email address to your account, it could allow them to force an unintended password reset. For more information, see [AUTOTITLE](/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-email-preferences/verifying-your-email-address).
|
||||
|
||||
@@ -41,9 +41,7 @@ The events listed in your security log are triggered by your actions. Actions ar
|
||||
| {% endif %} |
|
||||
| `oauth_access` | Contains all activities related to OAuth access tokens. |
|
||||
| `oauth_authorization` | Contains all activities related to authorizing {% data variables.product.prodname_oauth_apps %}. For more information, see [AUTOTITLE](/apps/oauth-apps/using-oauth-apps/authorizing-oauth-apps). |
|
||||
| {% ifversion passkeys %} |
|
||||
| `passkey` | Contains activities related to your passkeys. See [AUTOTITLE](/authentication/authenticating-with-a-passkey/about-passkeys). |
|
||||
| {% endif %} |
|
||||
| {% ifversion fpt or ghec %} |
|
||||
| `payment_method` | Contains all activities related to paying for your {% data variables.product.prodname_dotcom %} subscription.
|
||||
| {% endif %} |
|
||||
|
||||
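Review bot: the `payment_method` row is missing its trailing `|`, unlike every other row in this table. Since the `| {% ifversion passkeys %} |` and `| {% endif %} |` wrapper rows around the `passkey` row are being removed here, also check that each remaining `| {% endif %} |` row still has a matching opening row.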
@@ -42,11 +42,10 @@ After you authenticate to perform a sensitive action, your session is temporaril
|
||||
|
||||
## Confirming access for sudo mode
|
||||
|
||||
To confirm access for sudo mode, you can authenticate with your password. Optionally, you can use a different authentication method, like {% ifversion passkeys %}a passkey, {% endif %}{% ifversion fpt or ghec %}a security key, {% data variables.product.prodname_mobile %}, or a 2FA code{% elsif ghes %}a security key or a 2FA code{% endif %}.
|
||||
To confirm access for sudo mode, you can authenticate with your password. Optionally, you can use a different authentication method, like a passkey, {% ifversion fpt or ghec %}a security key, {% data variables.product.prodname_mobile %}, or a 2FA code{% elsif ghes %}a security key or a 2FA code{% endif %}.
|
||||
|
||||
{%- ifversion passkeys %}
|
||||
* [Confirming access using a passkey](#confirming-access-using-a-passkey)
|
||||
{%- endif %}
|
||||
|
||||
* [Confirming access using a security key](#confirming-access-using-a-security-key)
|
||||
{%- ifversion fpt or ghec %}
|
||||
* [Confirming access using GitHub Mobile](#confirming-access-using-github-mobile)
|
||||
@@ -54,12 +53,9 @@ To confirm access for sudo mode, you can authenticate with your password. Option
|
||||
* [Confirming access using a 2FA code](#confirming-access-using-a-2fa-code)
|
||||
* [Confirming access using your password](#confirming-access-using-your-password)
|
||||
|
||||
{% ifversion passkeys %}
|
||||
|
||||
### Confirming access using a passkey
|
||||
|
||||
You must have a passkey registered to your account to confirm access to your account for sudo mode using a passkey. See [AUTOTITLE](/authentication/authenticating-with-a-passkey/about-passkeys).
|
||||
{% endif %}
|
||||
|
||||
### Confirming access using a security key
|
||||
|
||||
|
||||
@@ -1,9 +1,11 @@
|
||||
---
|
||||
title: 'Switching between accounts'
|
||||
title: Switching between accounts
|
||||
intro: 'Learn how to switch between multiple {% ifversion fpt or ghec %}{% data variables.product.prodname_dotcom %} accounts and {% data variables.enterprise.prodname_managed_users %}{% else %}accounts{% endif %}.'
|
||||
allowTitleToDifferFromFilename: true
|
||||
versions:
|
||||
feature: account-switcher
|
||||
fpt: '*'
|
||||
ghec: '*'
|
||||
ghes: '*'
|
||||
type: overview
|
||||
topics:
|
||||
- Identity
|
||||
@@ -38,7 +40,7 @@ When you have added accounts to the account switcher, you can quickly change bet
|
||||
1. In the menu, click **{% octicon "arrow-switch" aria-hidden="true" aria-label="arrow-switch" %} Switch account**.
|
||||
1. In the submenu, click on the account that you want to switch to.
|
||||
|
||||

|
||||

|
||||
|
||||
## Removing accounts from the account switcher
|
||||
|
||||
|
||||
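Review bot: the two screenshot lines in this hunk read identically, so the change must be whitespace or a character the rendering hides; if it is a whitespace-only change, drop it from this commit, and if the alt text or image path really changed, the diff should show that difference.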
@@ -22,9 +22,7 @@ For {% data variables.product.github %}, the second form of authentication is a
|
||||
|
||||
{% data reusables.two_fa.after-2fa-add-security-key %}
|
||||
|
||||
{% ifversion passkeys %}
|
||||
{% data reusables.passkeys.after-2fa-optional-add-passkey %} See [AUTOTITLE](/authentication/authenticating-with-a-passkey/about-passkeys).
|
||||
{% endif %}
|
||||
|
||||
{% ifversion fpt or ghec %}
|
||||
You can also use {% data variables.product.prodname_mobile %} for 2FA after configuring a TOTP mobile app or text messages. {% data variables.product.prodname_mobile %} uses public-key cryptography to secure your account, allowing you to use any mobile device that you've used to sign in to {% data variables.product.prodname_mobile %} as your second factor.
|
||||
|
||||
@@ -50,14 +50,10 @@ If you've set up a security key on your account, and your browser supports secur
|
||||
1. To trigger the security key prompt from your operating system, select "Use security key."
|
||||
1. Select the appropriate option in the prompt. Depending on your security key configuration, you may type a PIN, complete a biometric prompt, or use a physical security key.
|
||||
|
||||
{% ifversion passkeys %}
|
||||
|
||||
### Using a passkey
|
||||
|
||||
If you have enabled 2FA, and you have added a passkey to your account, you can use the passkey to sign in. Since passkeys satisfy both password and 2FA requirements, you can complete your sign in with a single step. See [AUTOTITLE](/authentication/authenticating-with-a-passkey/about-passkeys).
|
||||
|
||||
{% endif %}
|
||||
|
||||
{% ifversion fpt or ghec %}
|
||||
|
||||
### Receiving a text message
|
||||
|
||||
@@ -37,14 +37,18 @@ If you're a member of an {% data variables.enterprise.prodname_emu_enterprise %}
|
||||
{% endif %}
|
||||
|
||||
{% ifversion ghes < 3.17 %}
|
||||
|
||||
> [!WARNING]
|
||||
> * If you're a member or outside collaborator to a private repository of an organization that requires 2FA, you must leave the organization before you can disable 2FA.
|
||||
> * If you disable 2FA, you will automatically lose access to the organization and any private forks you have of the organization's private repositories. To regain access to the organization and your forks, re-enable 2FA and contact an organization owner.
|
||||
|
||||
{% else %}
|
||||
|
||||
> [!WARNING]
|
||||
> * If you're an outside collaborator to a private repository of an organization that requires 2FA, you must leave the organization before you can disable 2FA.
|
||||
> * If you're a member{% ifversion fpt or ghec %} or billing manager{% endif %} of an organization that requires 2FA, you will be unable to access that organization's resources while you have 2FA disabled.
|
||||
> * If you disable 2FA, you will automatically lose access to the organization. To regain access to the organization, if you're a member{% ifversion fpt or ghec %} or billing manager{% endif %}, you must re-enable 2FA. If you're an outside collaborator, you will also lose access to any private forks you have of the organization's private repositories after disabling 2FA, and must re-enable 2FA and contact an organization owner to have access restored.
|
||||
|
||||
{% endif %}
|
||||
|
||||
> [!NOTE]
|
||||
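Review bot: in the `{% else %}` branch, the second and third bullets overlap for members: "you will be unable to access that organization's resources while you have 2FA disabled" and "If you disable 2FA, you will automatically lose access to the organization" say the same thing. Consider one bullet per audience (member or billing manager, then outside collaborator). Note also that `{% else %}` now covers fpt and ghec as well as GHES 3.17 and later, which looks intended but is worth a second look.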
@@ -55,7 +59,7 @@ If you're a member of an {% data variables.enterprise.prodname_emu_enterprise %}
A time-based one-time password (TOTP) application automatically generates an authentication code that changes after a certain period of time. These apps can be downloaded to your phone or desktop. We recommend using cloud-based TOTP apps. {% data variables.product.prodname_dotcom %} is app-agnostic when it comes to TOTP apps, so you have the freedom to choose any TOTP app you prefer. Just search for `TOTP app` in your browser to find various options. You can also refine your search by adding keywords like `free` or `open source` to match your preferences.

> [!TIP]
> To configure authentication via TOTP on multiple devices, during setup, scan the QR code using each device at the same time or save the "setup key", which is the TOTP secret. If 2FA is already enabled and you want to add another device, you must re-configure your TOTP app from your security settings.
> To configure authentication via TOTP on multiple devices, during setup, scan the QR code using each device at the same time or save the "setup key," which is the TOTP secret. If 2FA is already enabled and you want to add another device, you must re-configure your TOTP app from your security settings.

1. Download a TOTP app of your choice to your phone or desktop.
{% data reusables.user-settings.access_settings %}
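Review bot: the tip tells readers to "save the setup key, which is the TOTP secret" without saying how to handle it; since that key is the long-lived shared secret from which every code is derived, a sentence that it must be stored with the same care as the account password (not in a screenshot or plain-text note) would complete the guidance. Separately, the only change to the line is moving the comma inside the closing quote of "setup key," which is a literal UI label; for quoted UI strings, punctuation outside the quotes avoids suggesting the label itself contains the comma. The same punctuation move recurs in the later hunks of this diff.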
@@ -87,8 +91,6 @@ If you're unable to configure a TOTP app, you can also register your phone numbe

{% endif %}

{% ifversion passkeys %}

## Configuring two-factor authentication using a passkey

{% data reusables.passkeys.about-passkeys %} See [AUTOTITLE](/authentication/authenticating-with-a-passkey/about-passkeys).
@@ -99,31 +101,21 @@ If you're unable to configure a TOTP app, you can also register your phone numbe
1. You must have already configured 2FA via a TOTP mobile app{% ifversion fpt or ghec %} or via SMS{% endif %}.
{% data reusables.passkeys.adding-a-passkey %}

{% endif %}

## Configuring two-factor authentication using a security key

{% ifversion passkeys %}

Not all FIDO authenticators can be used as passkeys, but you can still register those authenticators as security keys. Security keys are also WebAuthn credentials, but unlike passkeys they don't require user validation. Since security keys only need to verify user presence, they only count as a second factor and must be used in conjunction with your password.

{% else %}

On most devices and browsers, you can use a physical security key over USB or NFC. Most browsers can use the fingerprint reader, facial recognition, or password/PIN on your device as a security key as well.

{% endif %}

Registering a security key for your account is available after enabling 2FA with a TOTP application{% ifversion fpt or ghec %} or a text message{% endif %}. If you lose your security key, you'll still be able to use your phone's code to sign in.

1. You must have already configured 2FA via a TOTP mobile app{% ifversion fpt or ghec %} or via SMS{% endif %}.
1. Ensure that you have a WebAuthn compatible security key inserted into your device.
{% data reusables.user-settings.access_settings %}
{% data reusables.user-settings.security %}
1. Next to "Security keys", click **Add**.
1. Next to "Security keys," click **Add**.



1. Under "Security keys", click **Register new security key**.
1. Under "Security keys," click **Register new security key**.
1. Type a nickname for the security key, then click **Add**.
1. Following your security key's documentation, activate your security key.
1. Confirm that you've downloaded and can access your recovery codes. If you haven't already, or if you'd like to generate another set of codes, download your codes and save them in a safe place. For more information, see [AUTOTITLE](/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication-recovery-methods#downloading-your-two-factor-authentication-recovery-codes).

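Review bot: "unlike passkeys they don't require user validation" in the `{% ifversion passkeys %}` paragraph uses a term WebAuthn does not define; the specification's name for the PIN or biometric check that passkeys perform is "user verification", and the same paragraph already uses the matching term "user presence" for what a security key proves, so changing "validation" to "verification" makes the presence/verification contrast exact. This is worth doing while the surrounding conditional is being edited.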
@@ -34,17 +34,13 @@ Use one of your recovery codes to automatically regain entry into your account.
> [!NOTE]
> If you do not know your password, you can use a recovery code after requesting a new password. See [AUTOTITLE](/authentication/keeping-your-account-and-data-secure/updating-your-github-access-credentials#requesting-a-new-password).

1. Under "Having problems?", click **Use a recovery code{% ifversion fpt or ghec %} or begin 2FA account recovery{% endif %}**.
1. Under "Having problems?," click **Use a recovery code{% ifversion fpt or ghec %} or begin 2FA account recovery{% endif %}**.
1. Type one of your recovery codes, then click **Verify**.

{% ifversion passkeys %}

## Authenticating with a passkey

If you have added a passkey to your account, you can use your passkey to automatically regain access to your account. Passkeys satisfy both password and 2FA requirements, so you don't need to know your password in order to recover your account. See [AUTOTITLE](/authentication/authenticating-with-a-passkey/about-passkeys).

{% endif %}

## Authenticating with a security key

If you configured two-factor authentication using a security key, you can use your security key as a secondary authentication method to automatically regain access to your account. For more information, see [AUTOTITLE](/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication#configuring-two-factor-authentication-using-a-security-key).
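Review bot: "Having problems?," places a comma directly after the question mark inside the quotes; the link label is `Having problems?`, so the comma belongs outside the closing quote or can simply be dropped, since "Under "Having problems?" click ..." reads correctly without it.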
@@ -72,11 +68,11 @@ You can use your two-factor authentication credentials or two-factor authenticat
> [!WARNING]
> {% data reusables.accounts.you-must-know-your-password %}

1. Under "Having problems?", click **Use a recovery code or begin 2FA account recovery**.
1. Under "Locked out?", click **Try 2FA account recovery, or unlink your account email address(es)**.
1. Under "Having problems?," click **Use a recovery code or begin 2FA account recovery**.
1. Under "Locked out?," click **Try 2FA account recovery, or unlink your account email address(es)**.
1. Click **I understand, get started** to request a reset of your authentication settings.
1. Click **Send one-time password** to send a one-time password to all eligible addresses associated with your account. Only verified emails are eligible for account recovery. If you've restricted password resets to your primary and/or backup addresses, these addresses are the only addresses eligible for account recovery.
1. Under "One-time password", type the temporary password from the recovery email {% data variables.product.prodname_dotcom %} sent, then click **Verify email address**.
1. Under "One-time password," type the temporary password from the recovery email {% data variables.product.prodname_dotcom %} sent, then click **Verify email address**.
1. {% data reusables.accounts.alternative-authentication %}
{% data reusables.accounts.alternative-authentication-note %}
1. {% data reusables.accounts.support-request-recovery %}
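Review bot: the **Send one-time password** step says the code goes to "all eligible addresses" and only then defines eligibility across two sentences; stating the two cases up front (if password resets are restricted to primary and/or backup addresses, only those receive the code; otherwise every verified address does) would make the recovery blast radius explicit for readers deciding whether to enable that restriction before they need it.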
@@ -95,7 +91,7 @@ If you have lost access to your two-factor authentication credentials and your r

{% data reusables.accounts.request-password-reset-link %}

1. On {% data variables.product.prodname_dotcom %}, you will be prompted for your 2FA credentials. Under "Having problems?", click **Start a 2FA recovery request or unlink your account email address(es)**.
1. On {% data variables.product.prodname_dotcom %}, you will be prompted for your 2FA credentials. Under "Having problems?," click **Start a 2FA recovery request or unlink your account email address(es)**.
1. To complete your recovery request, you'll need to verify an alternative authentication factor.
{% data reusables.accounts.alternative-authentication %}
{% data reusables.accounts.alternative-authentication-note %}

@@ -1,11 +1,13 @@
---
title: Adding a sales tax certificate
intro: If you're a customer in the United States with a {% data variables.product.company_short %} Customer Agreement and you're exempt from sales tax, you can upload a certificate to ensure the correct sales tax amount is calculated.
intro: 'If you''re a customer in the United States with a {% data variables.product.company_short %} Customer Agreement and you''re exempt from sales tax, you can upload a certificate to ensure the correct sales tax amount is calculated.'
redirect_from:
- /billing/managing-your-github-billing-settings/adding-a-sales-tax-certificate
- /billing/using-the-billing-platform/adding-a-sales-tax-certificate
versions:
feature: us-sales-tax
fpt: '*'
ghec: '*'
ghes: '*'
type: how_to
topics:
- Organizations
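Review bot: replacing `feature: us-sales-tax` with explicit `fpt: '*'`, `ghec: '*'` and `ghes: '*'` changes the page's version gating from whatever the feature definition expressed to every supported version; confirm the feature only ever excluded releases up to 3.13, otherwise the article now appears on GHES releases where the "Sales Tax" upload described below is absent (the body still wraps the enterprise steps in `{% ifversion ghec or ghes %}`, so the page-level gate is the only thing hiding it elsewhere). The re-quoted `intro` with doubled apostrophes (`you''re`) is the correct single-quoted YAML form.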
@@ -29,12 +31,13 @@ You can upload a sales tax exemption certificate to your organization account if

> [!NOTE]
> This option is not available for accounts that use the {% data variables.product.company_short %} Standard Terms of Service. For information about updating your organization, see [AUTOTITLE](/organizations/managing-organization-settings/upgrading-to-the-github-customer-agreement).

{% endif %}

{% data reusables.organizations.billing-settings %}
1. In the sidebar, under **{% octicon "credit-card" aria-hidden="true" aria-label="credit-card" %} Billing and licensing**, click **Payment information**.
1. Review your "Billing information" and update any incorrect data. You must ensure that the address fields are correct and that the "City" and "Postal/Zip code" fields are accepted. If there is any missing information or any errors are reported, the option to upload a sales tax certificate is hidden.
1. At the bottom of the page in the "Additional information" section next to "Sales Tax", click **Upload certificate**, and select the certificate file you want to upload. If "Sales Tax" is missing, check that your billing information defines your country as "United States of America".
1. At the bottom of the page in the "Additional information" section next to "Sales Tax," click **Upload certificate**, and select the certificate file you want to upload. If "Sales Tax" is missing, check that your billing information defines your country as "United States of America."
1. To remove a sales tax certificate, click {% octicon "trash" aria-label="Delete sales tax certificate" %} next to the certificate you want to remove.

{% ifversion ghec or ghes %}
@@ -47,7 +50,7 @@ Enterprise owners and billing managers can upload a sales tax exemption certific
{% data reusables.enterprise-accounts.billing-tab %}
1. In the sidebar, under **{% octicon "credit-card" aria-hidden="true" aria-label="credit-card" %} Billing and licensing**, click **Payment information**.
1. Review your "Billing information" and update any incorrect data. You must ensure that the address fields are correct and that the "City" and "Postal/Zip code" fields are accepted. If there is any missing information or any errors are reported, the option to upload a sales tax certificate is hidden.
1. At the bottom of the page, next to "Sales Tax", click **Upload certificate**, and select the certificate file you want to upload. If "Sales Tax" is missing, check that your billing information defines your country as "United States of America".
1. At the bottom of the page, next to "Sales Tax," click **Upload certificate**, and select the certificate file you want to upload. If "Sales Tax" is missing, check that your billing information defines your country as "United States of America."
1. To remove a sales tax certificate, click {% octicon "trash" aria-label="Delete sales tax certificate" %} next to the certificate you want to remove.

{% endif %}

@@ -34,30 +34,16 @@ topics:

## About the {% data variables.code-scanning.codeql_workflow %} and compiled languages

{% data variables.product.prodname_code_scanning_caps %} works by running queries against one or more {% data variables.product.prodname_codeql %} databases. Each database contains a representation of the code in a single language in your repository. For the compiled languages {% data variables.code-scanning.compiled_languages %}, the process of populating this database {% ifversion codeql-no-build %}often{% endif %} involves building the code and extracting data.

{% ifversion codeql-no-build %}
{% data variables.product.prodname_code_scanning_caps %} works by running queries against one or more {% data variables.product.prodname_codeql %} databases. Each database contains a representation of the code in a single language in your repository. For the compiled languages {% data variables.code-scanning.compiled_languages %}, the process of populating this database often involves building the code and extracting data.

When you enable {% data variables.product.prodname_code_scanning %}, both default and advanced setup generate a {% data variables.product.prodname_codeql %} database for analysis using the simplest method available. For {% data variables.code-scanning.no_build_support %}, the {% data variables.product.prodname_codeql %} database is generated directly from the codebase without requiring a build (`none` build mode). For other compiled languages, {% data variables.product.prodname_codeql %} builds the codebase using the `autobuild` build mode. Alternatively, you can use the `manual` build mode to specify explicit build commands to analyze only the files that are built by these custom commands.

{% elsif ghes %}

If you enable default setup, the `autobuild` action will be used to build your code, as part of your automatically configured {% data variables.code-scanning.codeql_workflow %}. If you enable advanced setup, the basic {% data variables.code-scanning.codeql_workflow %} uses `autobuild`. Alternatively, you can disable `autobuild` and instead specify explicit build commands to analyze only the files that are built by these custom commands.

{% else %}

The basic {% data variables.code-scanning.codeql_workflow %} uses the `autobuild` action to build your code. Alternatively, you can disable `autobuild` and instead specify explicit build commands to analyze only the files that are built by these custom commands.

{% endif %}

{% ifversion codeql-dependency-caching %}

You can use dependency caching with {% data variables.product.prodname_codeql %} to store dependencies as a {% data variables.product.prodname_actions %} cache instead of downloading them from registries. For more information, see [About dependency caching for {% data variables.product.prodname_codeql %}](#about-dependency-caching-for-codeql) later in this article.

{% endif %}

{% ifversion codeql-no-build %}

## {% data variables.product.prodname_codeql %} build modes

The {% data variables.product.prodname_codeql %} action supports three different build modes for compiled languages:
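Review bot: the opening paragraph of "About the CodeQL workflow and compiled languages" appears twice in this hunk, once with the inline `{% ifversion codeql-no-build %}often{% endif %}` and once with a plain "often" inside a `{% ifversion codeql-no-build %}` block that is followed by `{% elsif ghes %}` and `{% else %}` branches. If `codeql-no-build` is true on every version that remains supported after 3.13 is dropped, those two branches can never render and the wrapper, the branches and the inline conditional should all go in this change; confirm the `{% elsif ghes %}` and `{% else %}` lines here are the ones being removed rather than kept, since the `## CodeQL build modes` heading at the end of the hunk is still gated on the same feature.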
@@ -120,8 +106,6 @@ steps:
exit 1
```

{% endif %}

For information about the languages, libraries, and frameworks that are supported in the latest version of {% data variables.product.prodname_codeql %}, see [Supported languages and frameworks](https://codeql.github.com/docs/codeql-overview/supported-languages-and-frameworks) in the {% data variables.product.prodname_codeql %} documentation. For information about the system requirements for running the latest version of {% data variables.product.prodname_codeql %}, see [System requirements](https://codeql.github.com/docs/codeql-overview/system-requirements/#additional-software-requirements) in the {% data variables.product.prodname_codeql %} documentation.

{% ifversion codeql-dependency-caching %}
@@ -159,8 +143,6 @@ For example, the following settings would enable dependency caching for the {% d

{% endif %}

{% ifversion codeql-no-build %}

## About build mode None for {% data variables.product.prodname_codeql %}

For {% data variables.code-scanning.no_build_support %}, {% data variables.product.prodname_codeql %} creates a database without requiring a build when you enable default setup for {% data variables.product.prodname_code_scanning %} unless the repository also includes Kotlin code. If a repository contains Kotlin code in addition to Java code, default setup is enabled with the autobuild process because Kotlin analysis requires a build.
@@ -174,18 +156,14 @@ To use `autobuild` or manual build steps, you can use advanced setup.

>[!NOTE] For Java analysis, if `build-mode` is set to `none` and Kotlin code is found in the repository, the Kotlin code will not be analyzed and a warning will be produced. See [Building Java and Kotlin](#building-java-and-kotlin).

{% endif %}

## About Autobuild for {% data variables.product.prodname_codeql %}

The {% data variables.product.prodname_codeql %} action uses `autobuild` to analyze compiled languages in the following cases.

* Default setup is enabled{% ifversion codeql-no-build %} and the language does not support `none` build (supported for {% data variables.code-scanning.no_build_support %}).
* Advanced setup is enabled and the workflow specifies `build-mode: autobuild`{% endif %}.
* Default setup is enabled and the language does not support `none` build (supported for {% data variables.code-scanning.no_build_support %}).
* Advanced setup is enabled and the workflow specifies `build-mode: autobuild`.
* Advanced setup is enabled and the workflow has an Autobuild step for the language using the `autobuild` action (`{% data reusables.actions.action-codeql-action-autobuild %}`).

{% ifversion codeql-no-build %}

### Example using the `build-mode` option

```yaml
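Review bot: `>[!NOTE] For Java analysis, ...` puts the alert marker and its text on one line; the alert syntax used correctly elsewhere in this diff is `> [!NOTE]` alone on the first line of the blockquote followed by `> text`, so as written this line renders as an ordinary blockquote with a literal "[!NOTE]" instead of a note callout. Since the Kotlin-not-analyzed warning is the security-relevant caveat of build mode `none`, it is worth fixing while the `{% endif %}` that follows it is being touched. The two bullet pairs below it are the old and new forms of the same list, with the `{% ifversion codeql-no-build %}` span removed.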
@@ -210,12 +188,6 @@ steps:

### Example using the Autobuild step

{% elsif ghes < 3.14 %}

The basic {% data variables.code-scanning.codeql_workflow %} uses the `autobuild` action to build your code.

{% endif %}

```yaml
# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
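Review bot: dropping the `{% elsif ghes < 3.14 %}` branch is correct, because with 3.13 deprecated that condition can never be true; the "### Example using the Autobuild step" heading before it is still inside the `{% ifversion codeql-no-build %}` block opened above the `build-mode` example, so check that the `{% endif %}` kept here closes that block and that the `Initialize CodeQL` YAML example that follows is intended to render on every version.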
@@ -233,7 +205,6 @@ You can only specify manual build steps if you have enabled advanced setup, see

{% data reusables.code-scanning.autobuild-add-build-steps %} For information on how to edit the workflow file, see [AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#editing-a-code-scanning-workflow).

{% ifversion codeql-no-build %}
Update your workflow to define the `build-mode` as `manual`.

```yaml
@@ -250,8 +221,6 @@ Update your workflow to define the `build-mode` as `manual`.

Alternatively, update your workflow to comment out the "Autobuild" step.

{% endif %}

```yaml
# Autobuild attempts to build any compiled languages.
# - name: Autobuild
@@ -270,26 +239,7 @@ When manual building is enabled, uncomment the `run` step in the workflow and ad

For more information about the `run` keyword, see [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun).

{% ifversion codeql-no-build %}<!-- For "no-build" this is covered earlier in the article under "About CodeQL build modes". -->
{% elsif ghes %}

### Specifying build commands for multiple languages

For repositories with multiple compiled languages, you can specify language-specific build commands. For example, if your repository contains C/C++, C# and Java, you might want to provide manual build steps for one language (here Java). This specifies build steps for Java while still using `autobuild` for C/C++ and C#.

```yaml
- if: matrix.language == 'c-cpp' || matrix.language == 'csharp'
name: Autobuild
uses: {% data reusables.actions.action-codeql-action-autobuild %}
- if: matrix.language == 'java-kotlin'
name: Build Java
run: |
make bootstrap
make release
```

For more information about the `if` conditional, see [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsif).
{% endif %}
<!-- For "no-build" this is covered earlier in the article under "About CodeQL build modes". -->

If you added manual build steps for compiled languages and {% data variables.product.prodname_code_scanning %} is still not working on your repository, contact {% data variables.contact.contact_support %}.

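Review bot: the `{% elsif ghes %}` section "Specifying build commands for multiple languages" being removed is the only place in this file that shows per-language conditional steps (`if: matrix.language == 'java-kotlin'` with its own `run`, and `autobuild` for `c-cpp` and `csharp`); the surviving HTML comment says this is covered under "About CodeQL build modes", but that section explains the three modes rather than the mixed case of `manual` for one language and `autobuild` for the rest. Confirm the mixed-matrix example exists there before deleting it, or move this YAML into that section instead of dropping it.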
@@ -308,7 +258,7 @@ If you added manual build steps for compiled languages and {% data variables.pro

## Building C/C++

{% ifversion codeql-no-build %}{% data variables.product.prodname_codeql %} supports build modes {% ifversion codeql-no-build-c-cpp %}`none`, {% endif %}`autobuild` or `manual` for C/C++ code.
{% data variables.product.prodname_codeql %} supports build modes {% ifversion codeql-no-build-c-cpp %}`none`, {% endif %}`autobuild` or `manual` for C/C++ code.

{% ifversion codeql-no-build-c-cpp %}

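Review bot: the `{% ifversion codeql-no-build %}` opened at the start of the C/C++ sentence is closed by the `{% endif %}` on the "### Autobuild summary for C/C++" heading in the next hunk, so the two removals must land together or the Liquid will fail to parse; the inner `{% ifversion codeql-no-build-c-cpp %}` / `{% endif %}` pair around `none` stays, which is right because `none` support is still gated per language. The same open-here, close-on-the-heading pattern repeats for Go, Java and Swift further down, while the C# line carries both tags on one line and is self-contained.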
@@ -318,7 +268,7 @@ When you enable default setup for a repository that contains C/C++ code, the bui

{% endif %}

### Autobuild summary for C/C++{% endif %}
### Autobuild summary for C/C++

| Supported system type | System name |
|----|----|
@@ -354,7 +304,7 @@ Windows runners require `powershell.exe` to be on the `PATH`.

## Building C#

{% ifversion codeql-no-build %}{% data variables.product.prodname_codeql %} supports build modes {% ifversion codeql-no-build-csharp %}`none`, {% endif %}`autobuild` or `manual` for C# code.{% endif %}
{% data variables.product.prodname_codeql %} supports build modes {% ifversion codeql-no-build-csharp %}`none`, {% endif %}`autobuild` or `manual` for C# code.

{% ifversion codeql-no-build-csharp %}

@@ -453,9 +403,9 @@ For some legacy projects, and projects that use `.sqlproj` files, you may see th

## Building Go

{% ifversion codeql-no-build %}{% data variables.product.prodname_codeql %} supports build modes `autobuild` or `manual` for Go code.
{% data variables.product.prodname_codeql %} supports build modes `autobuild` or `manual` for Go code.

### Autobuild summary for Go{% endif %}
### Autobuild summary for Go

| Supported system type | System name |
|----|----|
@@ -482,7 +432,7 @@ Additionally, `vendor` directories are excluded from {% data variables.product.p

## Building Java and Kotlin

{% ifversion codeql-no-build %}{% data variables.product.prodname_codeql %} supports the following build modes.
{% data variables.product.prodname_codeql %} supports the following build modes.

* Java: `none`, `autobuild`, or `manual`
* Kotlin: `autobuild` or `manual`
@@ -511,7 +461,7 @@ You can ensure a more accurate analysis by taking the following steps:
* Check whether more than one version of the JDK API is required by different source Java files. When multiple versions are seen, {% data variables.product.prodname_codeql %} will use the highest version required by any build script. This may mean that some files that require a lower version of the JDK will be partially analyzed. For example, if some files require JDK 8 but a JDK 17 requirement is found in one or more build scripts, {% data variables.product.prodname_codeql %} will use JDK 17. Any files that require JDK 8 and could not be built using JDK 17 will be partially analyzed.
* Avoid colliding class names (for example, multiple files defining `org.myproject.Test`), otherwise this may cause missing method call targets, which has an impact on dataflow analysis.

### Autobuild summary for Java{% endif %}
### Autobuild summary for Java

| Supported system type | System name |
|----|----|
@@ -546,9 +496,9 @@ Windows runners require `powershell.exe` to be on the `PATH`.

## Building Swift

{% ifversion codeql-no-build %}{% data variables.product.prodname_codeql %} supports build modes `autobuild` or `manual` for Swift code.
{% data variables.product.prodname_codeql %} supports build modes `autobuild` or `manual` for Swift code.

### Autobuild summary for Swift{% endif %}
### Autobuild summary for Swift

| Supported system type | System name |
|----|----|

@@ -37,8 +37,6 @@ For repositories that are not eligible for default setup, you can use a bulk con
* NodeJS example: [`nickliffen/ghas-enablement`](https://github.com/NickLiffen/ghas-enablement) repository
* PowerShell example: [`jhutchings1/Create-ActionsPRs`](https://github.com/jhutchings1/Create-ActionsPRs) repository

{% ifversion codeql-model-packs-org %}

### Extending {% data variables.product.prodname_codeql %} coverage with model packs

{% data reusables.code-scanning.beta-model-packs %}
@@ -46,5 +44,3 @@ For repositories that are not eligible for default setup, you can use a bulk con
If your codebase depends on a library or framework that is not recognized by the standard queries in {% data variables.product.prodname_codeql %}, you can extend the {% data variables.product.prodname_codeql %} coverage in your bulk configuration script by specifying published {% data variables.product.prodname_codeql %} model packs. For more information, see [AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#extending-codeql-coverage-with-codeql-model-packs).

Alternatively, if you do not need granular control over the {% data variables.product.prodname_code_scanning %} configuration for many repositories in your organization, you can quickly and easily configure model packs with {% data variables.product.prodname_code_scanning %} at scale with default setup. For more information, see [AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/editing-your-configuration-of-default-setup#extending-codeql-coverage-with-codeql-model-packs-in-default-setup).

{% endif %}

@@ -212,22 +212,12 @@ If your workflow does not contain a matrix called `language`, then {% data varia

## Defining the alert severities that cause a check failure for a pull request

{% ifversion code-scanning-merge-protection-rulesets %}

You can use rulesets to prevent pull requests from being merged when one of the following conditions is met:

{% data reusables.code-scanning.merge-protection-rulesets-conditions %}

For more information, see [AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/set-code-scanning-merge-protection). For more general information about rulesets, see [AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets).

{% else %}

{% data reusables.code-scanning.pull-request-checks %}

You can edit which severity and security severity alert levels cause a check failure. For more information, see [AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/editing-your-configuration-of-default-setup#defining-the-alert-severities-that-cause-a-check-failure-for-a-pull-request).

{% endif %}

## Configuring a category for the analysis

Use `category` to distinguish between multiple analyses for the same tool and commit, but performed on different languages or different parts of the code. The category you specify in your workflow will be included in the SARIF results file.
@@ -493,7 +483,7 @@ For more information about using `exclude` and `include` filters in your custom

### Specifying directories to scan

When codebases are analyzed without building the code, you can restrict {% data variables.product.prodname_code_scanning %} to files in specific directories by adding a `paths` array to the configuration file. You can also exclude the files in specific directories from analysis by adding a `paths-ignore` array. You can use this option when you run the {% data variables.product.prodname_codeql %} actions on an interpreted language (Python, Ruby, and JavaScript/TypeScript){% ifversion codeql-no-build %} or when you analyze a compiled language without building the code (currently supported for {% data variables.code-scanning.no_build_support %}){% endif %}.
When codebases are analyzed without building the code, you can restrict {% data variables.product.prodname_code_scanning %} to files in specific directories by adding a `paths` array to the configuration file. You can also exclude the files in specific directories from analysis by adding a `paths-ignore` array. You can use this option when you run the {% data variables.product.prodname_codeql %} actions on an interpreted language (Python, Ruby, and JavaScript/TypeScript) or when you analyze a compiled language without building the code (currently supported for {% data variables.code-scanning.no_build_support %}).

``` yaml copy
paths:
@@ -553,16 +543,8 @@ You can use the same approach to specify any valid configuration options in the
|
||||
|
||||
## Configuring {% data variables.product.prodname_code_scanning %} for compiled languages
|
||||
|
||||
{% ifversion codeql-no-build %}
|
||||
|
||||
For compiled languages, you can decide how the {% data variables.product.prodname_codeql %} action creates a {% data variables.product.prodname_codeql %} database for analysis. For information about the build options available, see [AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages).
|
||||
|
||||
{% else %}
|
||||
|
||||
For compiled languages, the {% data variables.product.prodname_codeql %} action builds the codebase to create a {% data variables.product.prodname_codeql %} database for analysis. By default, {% data variables.product.prodname_codeql %} uses `autobuild` steps to identify the most likely build method for the codebase. {% data reusables.code-scanning.autobuild-add-build-steps %} For more information about how to configure {% data variables.product.prodname_codeql %} {% data variables.product.prodname_code_scanning %} for compiled languages, see [AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages).
|
||||
|
||||
{% endif %}
|
||||
|
||||
## Uploading {% data variables.product.prodname_code_scanning %} data to {% data variables.product.prodname_dotcom %}
{% data variables.product.prodname_dotcom %} can display code analysis data generated externally by a third-party tool. You can upload code analysis data with the `upload-sarif` action. For more information, see [AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github).
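Review bot: dropping the `{% else %}` branch removes the only visible reference to `{% data reusables.code-scanning.autobuild-add-build-steps %}`; check whether that reusable is still used anywhere else and delete it in this PR if not, so the deprecation does not leave an orphaned reusable behind.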
@@ -78,7 +78,7 @@ Through the "{% data variables.product.UI_advanced_security %}" page of your org
{% data reusables.profile.access_org %}
{% data reusables.profile.org_settings %}
{% data reusables.organizations.security-and-analysis %}
1. Click **Enable all** next to "{% data variables.product.prodname_code_scanning_caps %}".
1. Click **Enable all** next to "{% data variables.product.prodname_code_scanning_caps %}."
1. In the "Query suites" section of the "Enable {% data variables.product.prodname_code_scanning %} default setup" dialog box displayed, select the query suite your configuration of default setup will run. For more information, see [AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/codeql-query-suites).
1. To enable your configuration of default setup, click **Enable for eligible repositories**.
1. Optionally, to recommend the "Extended" query suite throughout your organization when enabling default setup, select "Recommend the extended query suite for repositories enabling default setup."
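Review bot: the only change in this hunk is moving the period inside the closing quote in the `Click **Enable all**` step, a punctuation style fix unrelated to deprecating 3.13; call it out in the PR description or keep it in a separate style commit so the deprecation diff stays easy to review. Minor: in the following step, `the "Enable ... default setup" dialog box displayed` reads better as `the "Enable ... default setup" dialog box that is displayed`.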
@@ -90,12 +90,9 @@ Through the "{% data variables.product.UI_advanced_security %}" page of your org
{% endif %}
{% ifversion codeql-model-packs-org %}
### Extending {% data variables.product.prodname_codeql %} coverage in default setup
Through your organization's security settings page, you can extend coverage in default setup using model packs for all eligible repositories in your organization. For more information, see [AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/editing-your-configuration-of-default-setup#extending-coverage-for-all-repositories-in-an-organization).
{% endif %}
## Configuring default setup for a subset of repositories in an organization
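Review bot: with the `{% ifversion codeql-model-packs-org %}` wrapper removed around `### Extending ... coverage in default setup`, the `codeql-model-packs-org` flag is no longer needed in this file; confirm every other use of it is removed in the same PR (or that it is still needed elsewhere) before deleting its feature definition, and check that the `{% endif %}` at the top of the hunk still pairs with an opening tag that survives the change.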
@@ -116,7 +113,7 @@ Through security overview for your organization, you can find eligible repositor
{% data reusables.security-overview.security-overview-coverage-view %}
1. In the search bar, enter one of the following queries:
{%- ifversion ghes > 3.12 %}
{%- ifversion ghes %}
- `code-scanning-default-setup:eligible is:public` shows repositories that have languages suitable for default setup and are eligible because they are visible to the public.
- `code-scanning-default-setup:eligible advanced-security:enabled` shows private or internal repositories that have languages suitable for default setup and are eligible because they have {% data variables.product.prodname_GHAS %} enabled.
- `code-scanning-default-setup:eligible is:private,internal advanced-security:not-enabled` shows private or internal repositories that have languages suitable for default setup but do not have {% data variables.product.prodname_GHAS %} enabled. Once you enable {% data variables.product.prodname_GHAS %} for these repositories, they can also be added to default setup.
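Review bot: replacing `{%- ifversion ghes > 3.12 %}` with `{%- ifversion ghes %}` is only equivalent if no GHES version at or below 3.12 is still built after this deprecation; if any is, the two variants of the search-query list collapse incorrectly for it. Style: this list uses `-` bullets while the other lists in this diff use `*`; align on `*`.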
@@ -145,7 +142,8 @@ You can select all of the displayed repositories, or a subset of them, and enabl
1. To confirm the enablement of {% data variables.product.prodname_code_scanning %} for the selected repositories, click **Apply changes NUMBER**. Alternatively, to select or deselect more repositories for {% data variables.product.prodname_code_scanning %} enablement, click {% octicon "x" aria-label="Close" %} to close the panel without applying your changes.
> [!NOTE]
{%- ifversion ghes > 3.12 %}
{%- ifversion ghes %}
> * Enabling {% data variables.product.prodname_code_scanning %} for multiple repositories in an organization using security overview will override any existing {% data variables.product.prodname_code_scanning %} configurations for the selected repositories, including any previous query suite selections and workflows for advanced setups.
> * You can enable default setup for eligible repositories that do not contain {% data variables.product.prodname_codeql %}-supported languages. If a {% data variables.product.prodname_codeql %}-supported language is later added to one of these repositories, default setup will begin scanning that repository and consuming {% data variables.product.prodname_actions %} minutes.
{%- else %}
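Review bot: inside the `> [!NOTE]` callout, the `{%- ifversion ghes %}` line and the blank line after it are not `>`-prefixed, so the `> *` items are separated from the `> [!NOTE]` marker by non-quoted lines; verify the callout still renders as one block, since the `{%-` whitespace control trims whitespace before the tag but does nothing about the blank line after it. The `{%- else %}` at the end of the hunk relies on an `{% endif %}` outside this hunk; confirm it is still there.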
@@ -158,7 +156,6 @@ You can select all of the displayed repositories, or a subset of them, and enabl
{% endif %}
{% ifversion code-scanning-merge-protection-rulesets %}
{% ifversion ghes or ghec %}
## Configuring merge protection for all repositories in an organization
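Review bot: `{% ifversion code-scanning-merge-protection-rulesets %}` is replaced with the literal `{% ifversion ghes or ghec %}`, which drops fpt from this section; the frontmatter hunk for the merge-protection article later in this diff versions that article for `fpt`, `ghec` and `ghes`, so confirm the fpt exclusion of the organization-level section is intentional rather than an artifact of inlining the flag, and say why in the PR description.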
@@ -170,4 +167,3 @@ You can use rulesets to prevent pull requests from being merged when one of the
For more information, see [AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/set-code-scanning-merge-protection#creating-a-merge-protection-ruleset-for-all-repositories-in-an-organization). For more general information about rulesets, see [AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets).
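Review bot: one of the two `{% endif %}` tags is removed here; after the earlier hunk turned `{% ifversion code-scanning-merge-protection-rulesets %}` into `{% ifversion ghes or ghec %}`, the surviving `{% endif %}` must now close `{% ifversion ghes or ghec %}`, so run the Liquid tag lint on this file to confirm open and close tags still balance.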
{% endif %}
{% endif %}
@@ -50,7 +50,7 @@ Your repository is eligible for default setup for {% data variables.product.prod
You can use default setup for all {% data variables.product.prodname_codeql %}-supported languages for self-hosted runners or {% data variables.product.prodname_dotcom %}-hosted runners. See [Assigning labels to runners](#assigning-labels-to-runners), later in this article.
{% ifversion codeql-no-build %}Default setup uses the `none` build mode for {% data variables.code-scanning.no_build_support %} and uses the `autobuild` build mode for other compiled languages. You should configure your self-hosted runners to make sure they can run all the necessary commands for C/C++, C#, and Swift analysis. Analysis of JavaScript/TypeScript, Go, Ruby, Python, and Kotlin code does not currently require special configuration.{% else %}Default setup runs the `autobuild` action, so you should configure your self-hosted runners to make sure they can run all the necessary commands for {% data variables.code-scanning.compiled_languages %} analysis. Analysis of JavaScript/TypeScript, Go, Ruby, Python, and Kotlin code does not currently require special configuration.{% endif %}
Default setup uses the `none` build mode for {% data variables.code-scanning.no_build_support %} and uses the `autobuild` build mode for other compiled languages. You should configure your self-hosted runners to make sure they can run all the necessary commands for C/C++, C#, and Swift analysis. Analysis of JavaScript/TypeScript, Go, Ruby, Python, and Kotlin code does not currently require special configuration.
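Review bot: the new unconditional paragraph hardcodes `C/C++, C#, and Swift` as the languages whose self-hosted runners need build tooling, while the `none` build mode list still comes from `{% data variables.code-scanning.no_build_support %}`; the removed `{% else %}` branch used `{% data variables.code-scanning.compiled_languages %}` for this, so consider a variable for the autobuild list as well, otherwise the two lists will drift apart when language support changes. Minor: `make sure they can run` tightens to `can run`.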
### Customizing default setup
@@ -113,22 +113,12 @@ When an alert has a security severity level, {% data variables.product.prodname_
### Pull request check failures for {% data variables.product.prodname_code_scanning %} alerts
{% ifversion code-scanning-merge-protection-rulesets %}
You can use rulesets to prevent pull requests from being merged when one of the following conditions is met:
{% data reusables.code-scanning.merge-protection-rulesets-conditions %}
For more information, see [AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/set-code-scanning-merge-protection). For more general information about rulesets, see [AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets).
{% else %}
{% data reusables.code-scanning.pull-request-checks %}
You can edit which severity and security severity alert levels cause a check failure. For more information, see [AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/editing-your-configuration-of-default-setup#defining-the-alert-severities-that-cause-a-check-failure-for-a-pull-request).
{% endif %}
### Calculation of security severity levels
When a security query is added to the {% data variables.product.prodname_codeql %} Default or Extended query suite, the {% data variables.product.prodname_codeql %} engineering team calculates the security severity as follows.
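Review bot: the removed `{% else %}` branch was a caller of `{% data reusables.code-scanning.pull-request-checks %}`, and the same branch is removed again in the editing-your-configuration hunk further down; check whether that reusable has any remaining callers before deleting it. The surviving text still links to `#defining-the-alert-severities-that-cause-a-check-failure-for-a-pull-request`, which only holds as long as that heading keeps its name.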
@@ -36,7 +36,7 @@ If you need to change any other aspects of your {% data variables.product.prodna
{% ifversion code-scanning-default-setup-customize-labels %}
1. Optionally, to use labeled runners, in the "Runner type" section of the "{% data variables.product.prodname_codeql %} default configuration" modal dialog, select **Standard {% data variables.product.company_short %} runner** {% octicon "triangle-down" aria-hidden="true" aria-label="triangle-down" %} to open a dropdown menu, then select **Labeled runner**. Then, next to "Runner label", enter the label of an existing self-hosted or {% data variables.product.company_short %}-hosted runner. For more information, see [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning#assigning-labels-to-runners).
1. Optionally, to use labeled runners, in the "Runner type" section of the "{% data variables.product.prodname_codeql %} default configuration" modal dialog, select **Standard {% data variables.product.company_short %} runner** {% octicon "triangle-down" aria-hidden="true" aria-label="triangle-down" %} to open a dropdown menu, then select **Labeled runner**. Then, next to "Runner label," enter the label of an existing self-hosted or {% data variables.product.company_short %}-hosted runner. For more information, see [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning#assigning-labels-to-runners).
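Review bot: beyond the comma-inside-quotes change (`"Runner label,"`), the octicon in this step carries both `aria-hidden="true"` and `aria-label="triangle-down"`; `aria-hidden` removes the element from the accessibility tree, so the label is never announced. Keep only one: `aria-label` if the icon is meaningful on its own, or `aria-hidden` since the adjacent `**Standard ... runner**` text already names the control.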
{% endif %}
@@ -46,26 +46,12 @@ If you need to change any other aspects of your {% data variables.product.prodna
## Defining the alert severities that cause a check failure for a pull request
{% ifversion code-scanning-merge-protection-rulesets %}
You can use rulesets to prevent pull requests from being merged when one of the following conditions is met:
{% data reusables.code-scanning.merge-protection-rulesets-conditions %}
For more information, see [AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/set-code-scanning-merge-protection). For more general information about rulesets, see [AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets).
{% else %}
{% data reusables.code-scanning.pull-request-checks %}
{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.sidebar-settings %}
{% data reusables.repositories.navigate-to-code-security-and-analysis %}
1. Under "{% data variables.product.prodname_code_scanning_caps %}", to the right of "Check Failure", use the drop-down menu to select the level of severity you would like to cause a pull request check failure.
{% endif %}
## Including local sources of tainted data in default setup
{% data reusables.code-scanning.beta-threat-models %}
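Review bot: after the `{% else %}` branch is removed, the `## Defining the alert severities that cause a check failure for a pull request` section no longer contains the repository-settings procedure (the `"Check Failure"` drop-down step is gone) and only points to rulesets; retitle the heading to match what it now covers, and before renaming it check for incoming links to `#defining-the-alert-severities-that-cause-a-check-failure-for-a-pull-request` (one appears in the default-setup hunk earlier in this diff).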
@@ -90,8 +76,6 @@ For more information about {% data variables.product.prodname_codeql %} model pa
1. The model packs will be automatically detected and used in your {% data variables.product.prodname_code_scanning %} analysis.
1. If you later change your configuration to use advanced setup, any model packs in the `.github/codeql/extensions` directory will still be recognized and used.
{% ifversion codeql-model-packs-org %}
### Extending coverage for all repositories in an organization
>[!NOTE]
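Review bot: `>[!NOTE]` is missing the space after `>` that the other callouts in this diff use (`> [!NOTE]`); normalize it so the alert syntax is consistent and the linter does not flag it. The `{% ifversion codeql-model-packs-org %}` wrapper removed here is the counterpart of the one removed in the organization-settings hunk, so both files drop the flag together.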
@@ -105,11 +89,9 @@ For more information about {% data variables.product.prodname_codeql %} model pa
1. Click **{% data variables.product.UI_advanced_security %}**.
{% endif %}
1. Find the "{% data variables.product.prodname_code_scanning_caps %}" section.
1. Next to "Expand {% data variables.product.prodname_codeql %} analysis", click **Configure**.
1. Next to "Expand {% data variables.product.prodname_codeql %} analysis," click **Configure**.
1. Enter references to the published model packs you want to use, one per line, then click **Save**.

1. The model packs will be automatically detected and used when {% data variables.product.prodname_code_scanning %} runs on any repository in the organization with default setup enabled.
{% endif %}
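Review bot: the last `1.` item in this list (`The model packs will be automatically detected and used...`) is an outcome, not a step the reader performs; move it out of the numbered list as a closing sentence. The lone `{% endif %}` right after `Click **Advanced Security**` closes a conditional opened before this hunk; confirm it is unrelated to the `codeql-model-packs-org` flag whose trailing `{% endif %}` is the one being removed.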
@@ -5,7 +5,9 @@ intro: 'You can use rulesets to set {% data variables.product.prodname_code_scan
permissions: '{% data reusables.permissions.security-org-enable %}'
product: '{% data reusables.gated-features.code-scanning %}'
versions:
feature: code-scanning-merge-protection-rulesets
fpt: '*'
ghec: '*'
ghes: '*'
type: how_to
topics:
- Code scanning
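Review bot: replacing `feature: code-scanning-merge-protection-rulesets` with `fpt: '*'`, `ghec: '*'` and `ghes: '*'` makes this article visible on fpt, but the body hunks earlier in this diff wrap the organization-level merge-protection section in `{% ifversion ghes or ghec %}`; make sure the fpt rendering of this article does not link readers to an organization section they cannot see, and remove the now-unused feature definition once no other file references it.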
@@ -13,10 +13,9 @@ redirect_from:
{% data reusables.code-scanning.codeql-action-version-ghes %}
If an automatic build of code for a compiled language within your project fails, you can try {% ifversion codeql-no-build %}changing to the `manual` build mode or {% endif %}removing the `autobuild` step from your {% data variables.product.prodname_code_scanning %} workflow and adding specific build steps. If you're not already using advanced setup, you'll need to enable it first to create a workflow you can edit.
If an automatic build of code for a compiled language within your project fails, you can try changing to the `manual` build mode or removing the `autobuild` step from your {% data variables.product.prodname_code_scanning %} workflow and adding specific build steps. If you're not already using advanced setup, you'll need to enable it first to create a workflow you can edit.
## Further reading
* [AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning).{% ifversion codeql-no-build %}
* [CodeQL build modes](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#codeql-build-modes){% elsif ghes %}
* [Adding build steps for a compiled language](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#adding-build-steps-for-a-compiled-language).{% endif %}
* [AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning).
* [CodeQL build modes](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#codeql-build-modes)
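Review bot: the Further reading list ends up with inconsistent punctuation: the `[AUTOTITLE](...)` item keeps a trailing period while the `[CodeQL build modes](...)` item has none; drop the period so it matches the other Further reading lists in this diff, which use none.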
@@ -13,18 +13,18 @@ redirect_from:
## About analysis of compiled languages
{% ifversion codeql-no-build %}When compiled languages are analyzed using the `autobuild` or `manual` build mode,{% elsif ghes %}For compiled languages like {% data variables.code-scanning.compiled_languages %},{% endif %} {% data variables.product.prodname_codeql %} only scans files that are built during the analysis. Therefore the number of lines of code scanned will be lower than expected if some of the source code isn't compiled correctly. This can happen for several reasons:
When compiled languages are analyzed using the `autobuild` or `manual` build mode, {% data variables.product.prodname_codeql %} only scans files that are built during the analysis. Therefore the number of lines of code scanned will be lower than expected if some of the source code isn't compiled correctly. This can happen for several reasons:
1. The {% data variables.product.prodname_codeql %} `autobuild` feature uses heuristics to build the code in a repository. However, sometimes this approach results in an incomplete analysis of a repository. For example, when multiple `build.sh` commands exist in a single repository, the analysis may not be complete since the `autobuild` step will only execute one of the commands, and therefore some source files may not be compiled.
1. Some compilers do not work with {% data variables.product.prodname_codeql %} and can cause issues while analyzing the code. For example, most vendor-specific C compilers will not be recognized by {% data variables.product.prodname_codeql %}. C code will need to be compiled with a recognized compiler (for example GCC, Clang or MSVC) in order to be analyzed.
If your {% data variables.product.prodname_codeql %} analysis scans fewer lines of code than expected, you can try {% ifversion codeql-no-build %}changing the build mode to `manual` and specifying build commands if your workflow specifies a build mode, {% endif %} replacing the `autobuild` step with build commands if your workflow contains an `autobuild` step, or inspecting the copy of the source files in the {% data variables.product.prodname_codeql %} database.
If your {% data variables.product.prodname_codeql %} analysis scans fewer lines of code than expected, you can try changing the build mode to `manual` and specifying build commands if your workflow specifies a build mode, replacing the `autobuild` step with build commands if your workflow contains an `autobuild` step, or inspecting the copy of the source files in the {% data variables.product.prodname_codeql %} database.
## {% ifversion codeql-no-build %}Change to a `manual` build process{% elsif ghes %}Replace the `autobuild` step{% endif %}
## Change to a `manual` build process
Replace the `autobuild` process with the same build commands you would use in production. This makes sure that {% data variables.product.prodname_codeql %} knows exactly how to compile all of the source files you want to scan.
For more information about defining build steps, see {% ifversion codeql-no-build %}[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#using-build-mode-manual-and-specifying-build-steps){% elsif ghes %}[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#adding-build-steps-for-a-compiled-language){% endif %}.
For more information about defining build steps, see [AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#using-build-mode-manual-and-specifying-build-steps).
## Inspect the copy of the source files in the {% data variables.product.prodname_codeql %} database
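Review bot: the heading is now `## Change to a `manual` build process`, but the body still opens with `Replace the `autobuild` process with the same build commands you would use in production`, which describes the old autobuild-step replacement rather than setting `build-mode: manual`; reword the first sentence to cover both paths, for example `Set the build mode to `manual`, or replace the `autobuild` step, and supply the same build commands you would use in production.` Minor: `Therefore the number of lines` needs a comma after `Therefore`.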
@@ -4,7 +4,9 @@ shortTitle: Kotlin detected in no build
allowTitleToDifferFromFilename: true
intro: '{% data variables.product.prodname_codeql %} databases can be created for Java without building the code, but Kotlin files are excluded unless the code is built.'
versions:
feature: codeql-no-build
fpt: '*'
ghec: '*'
ghes: '*'
---
## About this warning
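Review bot: `feature: codeql-no-build` is replaced by `fpt: '*'`, `ghec: '*'`, `ghes: '*'`, which is consistent with the body hunks removing the `{% ifversion codeql-no-build %}` conditionals; since this flag is referenced in many files in this diff, grep for any remaining `codeql-no-build` usage before deleting the feature definition, otherwise any page still gated on it will fail to build.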
@@ -55,6 +57,5 @@ Update your calls to run the {% data variables.product.prodname_codeql_cli %} fo
## Further reading
* [AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning)
* [Building Java and Kotlin](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#building-java-and-kotlin){% ifversion codeql-no-build %}
* [CodeQL build modes](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#codeql-build-modes){% elsif ghes %}
* [Adding build steps for a compiled language](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#adding-build-steps-for-a-compiled-language){% endif %}
* [Building Java and Kotlin](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#building-java-and-kotlin)
* [CodeQL build modes](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#codeql-build-modes)
@@ -28,7 +28,7 @@ If your workflow fails with `Error: "No source code was seen during the build"`
For more information, see the workflow extract in [AUTOTITLE](/code-security/code-scanning/troubleshooting-code-scanning/some-languages-were-not-analyzed).
1. _Compilation of a compiled language failed:_ Your {% data variables.product.prodname_code_scanning %} workflow tries to compile a compiled language (C, C++, C#, Go, or Java), but the code was not compiled. {% ifversion codeql-no-build %}When a workflow specifies `build-mode: autobuild` for a language or contains an `autobuild` step,{% elsif ghes %}By default, the {% data variables.product.prodname_codeql %} analysis workflow contains an `autobuild` step and{% endif %} {% data variables.product.prodname_codeql %} makes a best effort to detect a suitable build method and build your code. The `autobuild` process may not succeed in building your code, depending on your specific build environment. Compilation may also fail if you have removed the `autobuild` step and did not include build steps manually. For more information about defining build steps, see {% ifversion codeql-no-build %}[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#using-build-mode-manual-and-specifying-build-steps){% elsif ghes %}[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#adding-build-steps-for-a-compiled-language){% endif %}.
1. _Compilation of a compiled language failed:_ Your {% data variables.product.prodname_code_scanning %} workflow tries to compile a compiled language (C, C++, C#, Go, or Java), but the code was not compiled. When a workflow specifies `build-mode: autobuild` for a language or contains an `autobuild` step, {% data variables.product.prodname_codeql %} makes a best effort to detect a suitable build method and build your code. The `autobuild` process may not succeed in building your code, depending on your specific build environment. Compilation may also fail if you have removed the `autobuild` step and did not include build steps manually. For more information about defining build steps, see [AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#using-build-mode-manual-and-specifying-build-steps).
1. _Cached components not detected:_ Your workflow builds a compiled language (C, C++, C#, Go, or Java) to create a {% data variables.product.prodname_codeql %} database for analysis, but portions of your build are cached to improve performance (most likely to occur with build systems like Gradle or Bazel). Since {% data variables.product.prodname_codeql %} observes the activity of the compiler to understand the data flows in a repository, {% data variables.product.prodname_codeql %} requires a complete build to take place in order to perform analysis.
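Review bot: the `Compilation of a compiled language failed` item hardcodes `(C, C++, C#, Go, or Java)` in both the old and new text, while the CLI hunk further down uses `{% data variables.code-scanning.compiled_languages %}`; switch to the variable so the list cannot drift (the same hardcoded list appears in the `Cached components not detected` item). Grammar: `if you have removed the `autobuild` step and did not include build steps manually` mixes tenses; `and have not added build steps manually` reads better.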
@@ -73,9 +73,7 @@ You can specify additional options depending on the location of your source file
| `<database>` | {% octicon "check" aria-label="Required" %} | Specify the name and location of a directory to create for the {% data variables.product.prodname_codeql %} database. The command will fail if you try to overwrite an existing directory. If you also specify `--db-cluster`, this is the parent directory and a subdirectory is created for each language analyzed. |
| <code><span style="white-space: nowrap;">--language</span></code> | {% octicon "check" aria-label="Required" %} | Specify the identifier for the language to create a database for, one of: {% data reusables.code-scanning.codeql-languages-keywords %}. When used with <code><span style="white-space: nowrap;">--db-cluster</span></code>, the option accepts a comma-separated list, or can be specified more than once. |
| <code><span style="white-space: nowrap;">--command</span></code> | {% octicon "x" aria-label="Optional" %} | **Recommended.** Use to specify the build command or script that invokes the build process for the codebase. Commands are run from the current folder or, where it is defined, from <code><span style="white-space: nowrap;">--source-root</span></code>. Not needed for Python and JavaScript/TypeScript analysis. |
| {% ifversion codeql-no-build %} |
| <code><span style="white-space: nowrap;">--build-mode</span></code> | {% octicon "x" aria-label="Optional" %} | **Recommended.** Use for {% data variables.code-scanning.no_build_support %} when not providing a `--command` to specify whether to create a CodeQL database without a build (`none`) or by attempting to automatically detect a build command (`autobuild`). By default, autobuild detection is used. For a comparison of build modes, see [CodeQL build modes](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#codeql-build-modes). |
| {% endif %} |
| <code><span style="white-space: nowrap;">--db-cluster</span></code> | {% octicon "x" aria-label="Optional" %} | Use in multi-language codebases to generate one database for each language specified by <code><span style="white-space: nowrap;">--language</span></code>. |
| <code><span style="white-space: nowrap;">--no-run-unnecessary-builds</span></code> | {% octicon "x" aria-label="Optional" %} | **Recommended.** Use to suppress the build command for languages where the {% data variables.product.prodname_codeql_cli %} does not need to monitor the build (for example, Python and JavaScript/TypeScript). |
| <code><span style="white-space: nowrap;">--source-root</span></code> | {% octicon "x" aria-label="Optional" %} | Use if you run the CLI outside the checkout root of the repository. By default, the `database create` command assumes that the current directory is the root directory for the source files, use this option to specify a different location. |
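Review bot: the `--source-root` description in this hunk is a comma splice (`...assumes that the current directory is the root directory for the source files, use this option to specify a different location`); split it with a period before `Use this option`. Removing the `| {% ifversion codeql-no-build %} |` and `| {% endif %} |` rows leaves `--build-mode` unconditional, which matches the frontmatter changes elsewhere in this diff. Style: `<database>` is the only argument not wrapped in the `white-space: nowrap` span; wrap it or drop the spans for consistency.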
@@ -187,21 +185,19 @@ Here, we have specified a `--source-root` path, which is the location where data
## Creating databases for compiled languages
For {% ifversion codeql-no-build %}most{% endif %} compiled languages, {% data variables.product.prodname_codeql %} needs to invoke the required build system to generate a database, therefore the build method must be available to the CLI. This approach creates databases that include generated code. {% data variables.product.prodname_codeql %} has two methods for building codebases:
For most compiled languages, {% data variables.product.prodname_codeql %} needs to invoke the required build system to generate a database, therefore the build method must be available to the CLI. This approach creates databases that include generated code. {% data variables.product.prodname_codeql %} has two methods for building codebases:
* [Automatic build detection (autobuild)](#automatically-detecting-the-build-system)
* [User-specified build commands](/code-security/codeql-cli/getting-started-with-the-codeql-cli/preparing-your-code-for-codeql-analysis#specifying-build-commands)
{% ifversion codeql-no-build %}
In addition, for {% data variables.code-scanning.no_build_support %}, there is an option to generate a database without building the code. This is particularly useful when you want to enable {% data variables.product.prodname_code_scanning %} for many repositories. For more information, see [CodeQL build modes](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#codeql-build-modes).
{% endif %}
### Automatically detecting the build system
The {% data variables.product.prodname_codeql_cli %} includes autobuilders for {% data variables.code-scanning.compiled_languages %} code. {% data variables.product.prodname_codeql %} autobuilders allow you to build projects for compiled languages without specifying any build commands. When an autobuilder is invoked, {% data variables.product.prodname_codeql %} examines the source for evidence of a build system and attempts to run the optimal set of commands required to extract a database. For more information, see [AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#about-autobuild).
An autobuilder is invoked automatically when you execute `codeql database create` for a compiled language if you don’t include a
`--command` option{% ifversion codeql-no-build %} or set `--build-mode none`{% endif %}. For example, for a Swift codebase, you could simply run:
`--command` option or set `--build-mode none`. For example, for a Swift codebase, you could simply run:
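Review bot: with the `{% ifversion codeql-no-build %}` wrapper gone, the `In addition, for ... there is an option to generate a database without building the code` paragraph is permanent, so fold it into the preceding bullet list as a third method (for example `* Build mode `none` (no build) for {% data variables.code-scanning.no_build_support %}`) instead of stating `two methods for building codebases` and then adding an `In addition` exception. Minor: the sentence split across `if you don’t include a` / ``--command` option or set `--build-mode none`` uses a curly apostrophe in `don’t`; use a straight one to match the rest of the file.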
```shell
codeql database create --language=swift <output-folder>/swift-database
@@ -70,8 +70,6 @@ When you merge a pull request that contains a security update, the corresponding
{% data reusables.dependabot.automated-tests-note %}
{% ifversion dependabot-grouped-security-updates-config %}
## About grouped security updates
To further reduce the number of pull requests you may be seeing, you can enable grouped security updates to group sets of dependencies together (per package ecosystem). {% data variables.product.prodname_dependabot %} then raises a single pull request to update as many vulnerable dependencies as possible in the group to secure versions at the same time.
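Review bot: `To further reduce the number of pull requests you may be seeing` is wordy; `To further reduce the number of pull requests` says the same. The `{% ifversion dependabot-grouped-security-updates-config %}` removed here has its `{% endif %}` removed in the next hunk, so the pair is consistent.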
@@ -83,8 +81,6 @@ For security updates, {% data variables.product.prodname_dependabot %} will only
For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates#grouping-dependabot-updates-into-a-single-pull-request).
{% endif %}
{% ifversion fpt or ghec %}
## About compatibility scores
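Review bot: the `{% endif %}` removed here must be the close of `{% ifversion dependabot-grouped-security-updates-config %}` from the previous hunk and not of an enclosing block; the `{% ifversion fpt or ghec %}` that follows opens a fresh block, so the surrounding structure should be unchanged, but run the Liquid tag lint on this file to confirm.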
@@ -57,9 +57,7 @@ You can also enable or disable {% data variables.product.prodname_dependabot_sec
{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.sidebar-settings %}
{% data reusables.repositories.navigate-to-code-security-and-analysis %}
1. To the right of "{% data variables.product.prodname_dependabot %} security updates", click **Enable** to enable the feature or **Disable** to disable it. {% ifversion fpt or ghec %}For public repositories, the button is disabled if the feature is always enabled.{% endif %}
{% ifversion dependabot-grouped-security-updates-config %}
1. To the right of "{% data variables.product.prodname_dependabot %} security updates," click **Enable** to enable the feature or **Disable** to disable it. {% ifversion fpt or ghec %}For public repositories, the button is disabled if the feature is always enabled.{% endif %}
|
||||
|
||||
## Grouping {% data variables.product.prodname_dependabot_security_updates %} into a single pull request
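Review bot: two unrelated edits are folded into the step line here: the `{% ifversion dependabot-grouped-security-updates-config %}` opener is dropped, and the comma in `"… security updates",` moves inside the closing quote. The punctuation change recurs in several later hunks of this change and is fine, but it is worth naming in the description so reviewers do not look for a functional difference between the two otherwise identical step lines.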

@@ -82,7 +80,7 @@ Repository administrators can enable or disable grouped security updates for the
{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.sidebar-settings %}
{% data reusables.repositories.navigate-to-code-security-and-analysis %}
1. Under "{% ifversion ghas-products %}{% data variables.product.prodname_dependabot %}{% else %}{% data variables.product.UI_advanced_security %}{% endif %}", to the right of "Grouped security updates", click **Enable** to enable the feature or **Disable** to disable it.
1. Under "{% ifversion ghas-products %}{% data variables.product.prodname_dependabot %}{% else %}{% data variables.product.UI_advanced_security %}{% endif %}," to the right of "Grouped security updates," click **Enable** to enable the feature or **Disable** to disable it.

### Enabling or disabling grouped {% data variables.product.prodname_dependabot_security_updates %} for an organization

@@ -95,21 +93,18 @@ Organization owners can enable or disable grouped security updates for all repos
{% data reusables.profile.access_org %}
{% data reusables.profile.org_settings %}
{% data reusables.organizations.security-and-analysis %}
1. Under "{% data variables.product.UI_advanced_security %}", to the right of "Grouped security updates", click **Disable all** or **Enable all**.
1. Under "{% data variables.product.UI_advanced_security %}," to the right of "Grouped security updates," click **Disable all** or **Enable all**.
1. Optionally, to enable grouped {% data variables.product.prodname_dependabot_security_updates %} for new repositories in your organization, select **Automatically enable for new repositories**.

{% endif %}
{% endif %}

## Overriding the default behavior with a configuration file

You can override the default behavior of {% data variables.product.prodname_dependabot_security_updates %} by adding a `dependabot.yml` file to your repository. {% ifversion dependabot-grouped-security-updates-config %}With a `dependabot.yml` file, you can have more granular control of grouping, and override the default behavior of {% data variables.product.prodname_dependabot_security_updates %} settings.{% endif %}
You can override the default behavior of {% data variables.product.prodname_dependabot_security_updates %} by adding a `dependabot.yml` file to your repository. With a `dependabot.yml` file, you can have more granular control of grouping, and override the default behavior of {% data variables.product.prodname_dependabot_security_updates %} settings.

{% ifversion dependabot-grouped-security-updates-config %}
Use the `groups` option with the `applies-to: security-updates` key to create sets of dependencies (per package manager), so that {% data variables.product.prodname_dependabot %} opens a single pull request to update multiple dependencies at the same time. You can define groups by package name (the `patterns` and `exclude-patterns` keys), dependency type (`dependency-type` key), and SemVer (the `update-types` key).

{% data reusables.dependabot.dependabot-version-updates-groups-match-first %}
{% endif %}

If you only require _security_ updates and want to exclude _version_ updates, you can set `open-pull-requests-limit` to `0` in order to prevent version updates for a given `package-ecosystem`.
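Review bot: two consecutive `{% endif %}` lines follow the "Optionally, to enable grouped…" step, and only one opener is removed in this change set (the `{% ifversion dependabot-grouped-security-updates-config %}` before the Grouping section in the earlier hunk). Please confirm the surviving `{% endif %}` still pairs with an opener above this hunk, and that the `{% ifversion … %}` / `{% endif %}` around the `groups` paragraph and the `dependabot-version-updates-groups-match-first` reusable is removed as a pair rather than leaving a stray close.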

@@ -120,7 +115,7 @@ For more information about the configuration options available for security upda
# - Has a private registry
# - Ignores lodash dependency
# - Disables version-updates
{% ifversion dependabot-grouped-security-updates-config %}# - Defines a group by package name, for security updates for golang dependencies{%- endif %}
# - Defines a group by package name, for security updates for golang dependencies

version: 2
registries:
@@ -140,12 +135,12 @@ updates:
open-pull-requests-limit: 0
registries:
- example
{% ifversion dependabot-grouped-security-updates-config %}- package-ecosystem: "gomod"
- package-ecosystem: "gomod"
groups:
golang:
applies-to: security-updates
patterns:
- "golang.org*"{% endif %}
- "golang.org*"
```

> [!NOTE]
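Review bot: with the Liquid tags gone from `- package-ecosystem: "gomod"` and `- "golang.org*"`, the `{%- endif %}` whitespace control that previously trimmed trailing whitespace is gone too. The rendered diff does not show indentation, so please check the final YAML keeps the gomod item at the same list level as the preceding `package-ecosystem` entry under `updates:`; a mis-indented item silently merges into the previous mapping instead of defining a second ecosystem, and the example would then stop demonstrating a security-only group.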

@@ -34,16 +34,12 @@ If you haven't yet configured a `dependabot.yml` file for your repository and yo

You can then consider what your needs and priorities are for security updates, and apply a combination of the customization options outlined below.

{% ifversion dependabot-grouped-security-updates-config %}

## Prioritizing meaningful updates

To create a more **targeted review process** that prioritizes meaningful updates, use `groups` to combine security updates for multiple dependencies into a single pull request.

For detailed guidance, see [Prioritizing meaningful updates](/code-security/dependabot/dependabot-version-updates/optimizing-pr-creation-version-updates#prioritizing-meaningful-updates).

{% endif %}

{% ifversion dependabot-reviewers-deprecation %}

## Automatically adding reviewers
@@ -92,8 +88,8 @@ For detailed guidance, see [Changing the separator in the pull request branch na
In this example, the `dependabot.yml` file:
* Uses a private registry for updates to npm dependencies.
* Disables version updates for dependencies, so that any customizations apply to security updates only.
* Is customized so that {% data variables.product.prodname_dependabot %} applies custom labels to the pull requests and automatically adds {% ifversion ghes < 3.19 %}reviewers and {% endif %}assignees.{% ifversion dependabot-grouped-security-updates-config %}
* Groups security updates for golang dependencies into a single pull request.{% endif %}
* Is customized so that {% data variables.product.prodname_dependabot %} applies custom labels to the pull requests and automatically adds {% ifversion ghes < 3.19 %}reviewers and {% endif %}assignees.
* Groups security updates for golang dependencies into a single pull request.

{% ifversion dependabot-reviewers-deprecation %}
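Review bot: the example's bullet list and YAML are duplicated under the `{% ifversion dependabot-reviewers-deprecation %}` and `{% else %}` branches, which is why the same `gomod` group block has to be un-gated in four separate hunks below (the comment header and the YAML body, once per branch). Consider moving the shared group snippet into a reusable so the next flag cleanup touches one place and the two copies cannot drift.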

@@ -103,7 +99,7 @@ In this example, the `dependabot.yml` file:
# - Ignores lodash dependency
# - Disables version-updates
# - Applies custom labels
{% ifversion dependabot-grouped-security-updates-config %}# - Group security updates for golang dependencies into a single pull request{%- endif %}
# - Group security updates for golang dependencies into a single pull request

version: 2
registries:
@@ -132,14 +128,14 @@ updates:
# Raise all npm pull requests for security updates with assignees
assignees:
- "user-name"
{% ifversion dependabot-grouped-security-updates-config %}- package-ecosystem: "gomod"
- package-ecosystem: "gomod"
groups:
# Group security updates for golang dependencies
# into a single pull request
golang:
applies-to: security-updates
patterns:
- "golang.org*"{% endif %}
- "golang.org*"
```

{% else %}
@@ -151,7 +147,7 @@ updates:
# - Disables version-updates
# - Applies custom labels
# - Adds reviewers and assignees
{% ifversion dependabot-grouped-security-updates-config %}# - Group security updates for golang dependencies into a single pull request{%- endif %}
# - Group security updates for golang dependencies into a single pull request

version: 2
registries:
@@ -184,14 +180,14 @@ updates:
# Raise all npm pull requests for security updates with assignees
assignees:
- "user-name"
{% ifversion dependabot-grouped-security-updates-config %}- package-ecosystem: "gomod"
- package-ecosystem: "gomod"
groups:
# Group security updates for golang dependencies
# into a single pull request
golang:
applies-to: security-updates
patterns:
- "golang.org*"{% endif %}
- "golang.org*"
```

{% endif %}
@@ -199,10 +195,10 @@ updates:
## Example 2: configuration for version updates and security updates

In this example, the `dependabot.yml` file:
* Is customized so that {% data variables.product.prodname_dependabot %} adds reviewers and custom labels to both version updates and security updates.{% ifversion dependabot-grouped-security-updates-config %}
* Is customized so that {% data variables.product.prodname_dependabot %} adds reviewers and custom labels to both version updates and security updates.
* Uses the `groups` customization option to create two groups ("`angular`" and "`production-dependencies`") in order to group multiple updates into single pull requests.
* Specifies that the `groups` customization for `angular` applies to security updates only.
* Specifies that the `groups` customization for `production-dependencies` applies to version updates only.{% endif %}
* Specifies that the `groups` customization for `production-dependencies` applies to version updates only.

```yaml copy
version: 2
@@ -219,7 +215,7 @@ updates:
# Raise all npm pull requests for security and version updates with reviewers
reviewers:
- "my-org/team-name"
- "octocat"{% ifversion dependabot-grouped-security-updates-config %}
- "octocat"
groups:
angular:
# Group security updates for Angular dependencies into a single pull request
@@ -229,7 +225,7 @@ updates:
production-dependencies:
# Group version updates for dependencies of type "production" into a single pull request
applies-to: version-updates
dependency-type: "production"{%- endif %}
dependency-type: "production"
```

## Further reading

@@ -66,7 +66,7 @@ You enable {% data variables.product.prodname_dependabot_version_updates %} by c
1. For each package manager, use:

* `package-ecosystem` to specify the package manager. For more information about the supported package managers, see [`package-ecosystem`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#package-ecosystem).
* {% ifversion dependabot-updates-multidirectory-support %}`directories` or {% endif %}`directory` to specify the location of multiple manifest or other definition files.{% ifversion dependabot-updates-multidirectory-support %} For more information, see [Defining multiple locations for manifest files](/code-security/dependabot/dependabot-version-updates/controlling-dependencies-updated#defining-multiple-locations-for-manifest-files).{% endif %}
* `directories` or `directory` to specify the location of multiple manifest or other definition files. For more information, see [Defining multiple locations for manifest files](/code-security/dependabot/dependabot-version-updates/controlling-dependencies-updated#defining-multiple-locations-for-manifest-files).
* `schedule.interval` to specify how often to check for new versions.

{% data reusables.dependabot.check-in-dependabot-yml %}
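Review bot: the un-gated bullet now reads "`directories` or `directory` to specify the location of multiple manifest or other definition files", which is awkward because `directory` names a single location. Since the line is being rewritten anyway, suggest "`directory` or `directories` to specify where the manifest or other definition files are located" so the sentence covers both keys.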
@@ -117,13 +117,13 @@ On a fork, you also need to explicitly enable {% data variables.product.prodname
{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.sidebar-settings %}
{% data reusables.repositories.navigate-to-code-security-and-analysis %}
1. Under "{% ifversion ghas-products %}{% data variables.product.prodname_dependabot %}{% else %}{% data variables.product.UI_advanced_security %}{% endif %}", to the right of "{% data variables.product.prodname_dependabot_version_updates %}", click **Enable** to allow {% data variables.product.prodname_dependabot %} to initiate version updates.
1. Under "{% ifversion ghas-products %}{% data variables.product.prodname_dependabot %}{% else %}{% data variables.product.UI_advanced_security %}{% endif %}," to the right of "{% data variables.product.prodname_dependabot_version_updates %}," click **Enable** to allow {% data variables.product.prodname_dependabot %} to initiate version updates.

## Checking the status of version updates

After you enable version updates, the **Dependabot** tab in the dependency graph for the repository is populated. This tab shows which package managers {% data variables.product.prodname_dependabot %} is configured to monitor and when {% data variables.product.prodname_dependabot %} last checked for new versions.




For information, see [AUTOTITLE](/code-security/dependabot/troubleshooting-dependabot/listing-dependencies-configured-for-version-updates).


@@ -21,8 +21,6 @@ You can customize your {% data variables.product.prodname_dependabot %} configur

This article collates customization options you may find useful.

{% ifversion dependabot-updates-multidirectory-support %}

## Defining multiple locations for manifest files

If you want to enable {% data variables.product.prodname_dependabot_version_updates %} for manifest files stored in more than one location, you can use `directories` in place of `directory`. For example, this configuration sets two different update schedules for manifest files stored in different directories.
@@ -79,16 +77,14 @@ updates:
interval: "weekly"
```

{% endif %}

## Ignoring specific dependencies

If you are not ready to adopt changes from certain dependencies in your project, you can configure {% data variables.product.prodname_dependabot %} to ignore those dependencies when it opens pull requests for version updates{% ifversion dependabot-grouped-security-updates-config %} and security updates{% endif %}. You can do this using one of the following methods.
If you are not ready to adopt changes from certain dependencies in your project, you can configure {% data variables.product.prodname_dependabot %} to ignore those dependencies when it opens pull requests for version updates and security updates. You can do this using one of the following methods.

* Configure the `ignore` option for the dependency in your `dependabot.yml` file.
* **You can use this to ignore updates for specific dependencies, versions, and types of updates.**
* For more information, see `ignore` in [AUTOTITLE](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#ignore--).
* Use `@dependabot ignore` comment commands on a {% data variables.product.prodname_dependabot %} pull request for version updates{% ifversion dependabot-grouped-security-updates-config %} and security updates{% endif %}.
* Use `@dependabot ignore` comment commands on a {% data variables.product.prodname_dependabot %} pull request for version updates and security updates.
* **You can use comment commands to ignore updates for specific dependencies and versions.**
* For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates#managing-dependabot-pull-requests-with-comment-commands).

@@ -122,20 +118,13 @@ Here are some examples showing how `ignore` can be used to customize which depen

If you want to un-ignore a dependency or ignore condition, you can delete the ignore conditions from the `dependabot.yml` file or reopen the pull request.

For pull requests for grouped {% ifversion dependabot-grouped-security-updates-config %}{% else %}version {% endif %}updates, you can also use `@dependabot unignore` comment commands. The `@dependabot unignore` comment commands enable you to do the following by commenting on a {% data variables.product.prodname_dependabot %} pull request:
For pull requests for grouped updates, you can also use `@dependabot unignore` comment commands. The `@dependabot unignore` comment commands enable you to do the following by commenting on a {% data variables.product.prodname_dependabot %} pull request:

* Un-ignore a specific ignore condition
* Un-ignore a specific dependency
* Un-ignore all ignore conditions for all dependencies in a {% data variables.product.prodname_dependabot %} pull request

{% ifversion dependabot-grouped-security-updates-config %}{% else %}

> [!NOTE]
> The `@dependabot unignore` comment commands only work on pull requests for grouped version updates.

{% endif %}

For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates#managing-dependabot-pull-requests-for-grouped-{% ifversion dependabot-grouped-security-updates-config %}{% else %}version-{% endif %}updates-with-comment-commands).
For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates#managing-dependabot-pull-requests-for-grouped-updates-with-comment-commands).

## Allowing specific dependencies to be updated
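Review bot: the link target becomes `#managing-dependabot-pull-requests-for-grouped-updates-with-comment-commands` unconditionally; that anchor only resolves if the heading in managing-pull-requests-for-dependency-updates has also lost the "version" wording for every remaining version (the old `{% else %}` branch pointed at `…-grouped-version-updates-…`). Please confirm the heading text there, since a link checker is the only thing that will catch a dangling anchor after the flag is gone.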


@@ -62,8 +62,7 @@ You can use `groups` to consolidate updates for multiple dependencies into a sin

You must configure groups per individual package ecosystem, then you can create multiple groups per package ecosystem using a combination of criteria:

{% ifversion dependabot-grouped-security-updates-config %}
* {% data variables.product.prodname_dependabot %} update type: `applies-to`{% endif %}
* {% data variables.product.prodname_dependabot %} update type: `applies-to`
* Type of dependency: `dependency-type`.
* Dependency name: `patterns` and `exclude-patterns`
* Semantic versioning levels: `update-types`
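Review bot: punctuation in the criteria list is inconsistent: "Type of dependency: `dependency-type`." ends with a period while the `applies-to`, `patterns` and `update-types` bullets do not. Since the `applies-to` bullet is being rewritten in this hunk, drop the stray period on the `dependency-type` line (or add one to all four) in the same change.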

@@ -97,9 +97,9 @@ By following these practices, you can significantly reduce the risk posed by out

* **{% data variables.product.prodname_dependabot_security_updates %}**: Automatically opens pull requests to update vulnerable dependencies to versions that do not have known vulnerabilities. This allows you to quickly review and merge fixes. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates).

* **{% data variables.product.prodname_dependabot_version_updates %}**: Can also be configured to automatically open pull requests to update your dependencies to their latest versions regularly, ensuring you are always using current packages. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates).{% ifversion dependabot-grouped-security-updates-config %}
* **{% data variables.product.prodname_dependabot_version_updates %}**: Can also be configured to automatically open pull requests to update your dependencies to their latest versions regularly, ensuring you are always using current packages. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates).

* **Grouped updates**: Makes it easier to review and deploy pull requests for {% data variables.product.prodname_dependabot_updates %} by grouping several updates into a single pull request, see [About grouped security updates](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates#about-grouped-security-updates) and examples in [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/optimizing-pr-creation-version-updates#reducing-the-volume-of-dependabot-pull-requests){% endif %}
* **Grouped updates**: Makes it easier to review and deploy pull requests for {% data variables.product.prodname_dependabot_updates %} by grouping several updates into a single pull request, see [About grouped security updates](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates#about-grouped-security-updates) and examples in [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/optimizing-pr-creation-version-updates#reducing-the-volume-of-dependabot-pull-requests)

**Security Advisories**{% ifversion fpt or ghec %}
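Review bot: the "Grouped updates" bullet is the only one in this list without a closing period, and "into a single pull request, see [About grouped security updates]…" is a comma splice. As the line is already being touched to drop `{% endif %}`, suggest "…into a single pull request. See [About grouped security updates]… and the examples in [AUTOTITLE]…" so the three bullets read alike.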


@@ -44,7 +44,7 @@ For more information about troubleshooting when running {% data variables.produc

When {% data variables.product.prodname_dependabot %} is blocked from creating a pull request to fix a {% data variables.product.prodname_dependabot %} alert, it posts the error message on the alert. The {% data variables.product.prodname_dependabot_alerts %} view shows a list of any alerts that have not been resolved yet. To access the alerts view, click **{% data variables.product.prodname_dependabot_alerts %}** on the **Security** tab for the repository. Where a pull request that will fix the vulnerable dependency has been generated, the alert includes a link to that pull request.




There are several reasons why an alert may have no pull request link:

@@ -62,7 +62,7 @@ When {% data variables.product.prodname_dependabot %} is blocked from creating a

To view the full logs files for a particular job, to the right of the log entry you are interested in, click **view logs**.




For more information, see [AUTOTITLE](/code-security/dependabot/troubleshooting-dependabot/viewing-dependabot-job-logs).

@@ -159,9 +159,9 @@ To allow {% data variables.product.prodname_dependabot %} to update the dependen

### {% data variables.product.prodname_dependabot %} fails to group a set of dependencies into a single pull request for {% data variables.product.prodname_dependabot_version_updates %}

{% ifversion dependabot-grouped-security-updates-config %}The [`groups`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#groups) configuration settings in the `dependabot.yml` file can apply to version updates and security updates. Use the `applies-to` key to specify where (version updates or security updates) a set of grouping rules is applied.
The [`groups`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#groups) configuration settings in the `dependabot.yml` file can apply to version updates and security updates. Use the `applies-to` key to specify where (version updates or security updates) a set of grouping rules is applied.

{% data reusables.dependabot.dependabot-grouped-updates-applies-to %}{% else %}{% data reusables.dependabot.dependabot-version-updates-groups-supported %}{% endif %}
{% data reusables.dependabot.dependabot-grouped-updates-applies-to %}

When you configure grouped version updates, you must configure groups per package ecosystem. To debug the problem, we recommend you look at the logs. For information about accessing the logs for a manifest, see [Investigating errors with {% data variables.product.prodname_dependabot_version_updates %}](#investigating-errors-with-dependabot-version-updates) above.
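Review bot: dropping the `{% else %}` branch leaves `{% data reusables.dependabot.dependabot-version-updates-groups-supported %}` with no remaining use in this file. If it is not referenced from any other page, delete the reusable in the same change; a reusable that nothing includes is easy to edit by mistake later in the belief that it still renders somewhere.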

@@ -187,8 +187,6 @@ You need to ensure that configuration settings don't cancel each other, and upda

For more information on how to configure groups for {% data variables.product.prodname_dependabot_version_updates %}, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#groups).

{% ifversion dependabot-grouped-security-updates-config %}

### {% data variables.product.prodname_dependabot %} fails to group a set of dependencies into a single pull request for {% data variables.product.prodname_dependabot_security_updates %}

The [`groups`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#groups) configuration settings in the `dependabot.yml` file can apply to version updates and security updates. Use the `applies-to` key to specify where (version updates or security updates) a set of grouping rules is applied. Check you have grouping configured to apply to security updates. If the `applies-to` key is absent from a set of grouping rules in your configuration, any group rules will by default only apply to version updates.
@@ -204,13 +202,11 @@ For grouped security updates, {% data variables.product.prodname_dependabot %} u

For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates#about-grouped-security-updates) and [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/customizing-dependabot-security-prs).

{% endif %}

### {% data variables.product.prodname_dependabot %} fails to update one of the dependencies in a grouped pull request

{% ifversion dependabot-grouped-security-updates-config %}There are different troubleshooting techniques you can use for failed version updates and failed security updates.
There are different troubleshooting techniques you can use for failed version updates and failed security updates.

#### Handling failures in grouped version updates{% endif %}
#### Handling failures in grouped version updates

**Version updates only.** {% data variables.product.prodname_dependabot %} will show the failed update in your logs, as well as in the job summary at the end of your logs. You should use the `@dependabot recreate` comment on the pull request to build the group again. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates#managing-dependabot-pull-requests-with-comment-commands).
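Review bot: now that "#### Handling failures in grouped version updates" always renders, the paragraph directly beneath it opening with "**Version updates only.**" repeats the subheading; the same applies to "**Security updates only.**" under the sibling subheading in the next hunk. The bold markers made sense when the subheadings were gated, so consider dropping both here rather than leaving them for a later cleanup.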

@@ -220,16 +216,12 @@ If the dependency still fails to update, there may be a problem with the depende

{% data reusables.dependabot.dependabot-ignore-dependencies %}

{% ifversion dependabot-grouped-security-updates-config %}

#### Handling failures in grouped security updates

**Security updates only.** If a grouped pull request for security updates fails or is unable to be merged, we recommend you manually open pull requests to bump the versions of breaking changes. When you manually update a package that is included in a grouped pull request, {% data variables.product.prodname_dependabot %} will rebase the pull request so it does not include the manually updated package.

{% data reusables.dependabot.dependabot-ignore-dependencies %}

{% endif %}

### Continuous integration (CI) fails on my grouped pull request

**Version updates only.** If the failure is due to a single dependency, you should use the `exclude-patterns` configuration so that the dependency is excluded from the group. {% data variables.product.prodname_dependabot %} will then raise a separate pull request to update the dependency.

@@ -157,8 +157,7 @@ updates:

Examples of how to configure access to the private registries supported by {% data variables.product.prodname_dependabot %}.

{% ifversion dependabot-updates-cargo-private-registry-support %}
* [`cargo-registry`](#cargo-registry){% endif %}
* [`cargo-registry`](#cargo-registry)
* [`composer-repository`](#composer-repository)
* [`docker-registry`](#docker-registry)
* [`git`](#git)
@@ -172,8 +171,6 @@ Examples of how to configure access to the private registries supported by {% da
* [`rubygems-server`](#rubygems-server)
* [`terraform-registry`](#terraform-registry)

{% ifversion dependabot-updates-cargo-private-registry-support %}

### `cargo-registry`

The `cargo-registry` type supports a token.
@@ -182,8 +179,6 @@ The `cargo-registry` type supports a token.

{% data reusables.dependabot.cargo-private-registry-config-example %}

{% endif %}

### `composer-repository`

The `composer-repository` type supports username and password. {% data reusables.dependabot.password-definition %}

@@ -40,7 +40,7 @@ You must store this file in the `.github` directory of your repository in the de
| `version` | Top level| {% data variables.product.prodname_dependabot %} configuration syntax to use. Always: `2`.|
| `updates` | Top level| Section where you define each `package-ecosystem` to update.|
| [`package-ecosystem`](#package-ecosystem-) | Under `updates` | Define a package manager to update. |
| {% ifversion dependabot-updates-multidirectory-support %}[`directories` or `directory`](#directories-or-directory--){% else %}[`directory`](#directory--){% endif %} | Under each `package-ecosystem` entry | Define the location of the manifest or other definition files to update. |
| [`directories` or `directory`](#directories-or-directory--) | Under each `package-ecosystem` entry | Define the location of the manifest or other definition files to update. |
| [`schedule.interval`](#schedule-) | Under each `package-ecosystem` entry | Define whether to look for version updates: `daily`, `weekly`, or `monthly`. |

Optionally, you can also include a top-level `registries` key to define access details for private registries, see [Top-level `registries` key](#top-level-registries-key).
@@ -146,7 +146,7 @@ When `commit-message` is defined:
| `include` | Follow the commit message prefix with additional information. |

> [!TIP]
> When pull requests are raised for grouped updates, the branch name and pull request title are defined by the group `IDENTIFIER`, see {% ifversion dependabot-grouped-security-updates-config %}[`groups`](#groups--){% else %}[`groups`](#groups-){% endif %}.
> When pull requests are raised for grouped updates, the branch name and pull request title are defined by the group `IDENTIFIER`, see [`groups`](#groups--).

### `prefix`
|
||||
|
||||
@@ -167,50 +167,43 @@ Supported by: `bundler`, `composer`, `mix`, `maven`, `npm`, and `pip`.
* Supports only the value `scope`
* When defined any prefix is followed by the type of dependencies updated in the commit: `deps` or `deps-dev`.

## {% ifversion dependabot-updates-multidirectory-support %}`directories` or {% endif %}`directory` {% octicon "versions" aria-label="Version updates" height="24" %} {% octicon "shield-check" aria-label="Security updates" height="24" %}
## `directories` or `directory` {% octicon "versions" aria-label="Version updates" height="24" %} {% octicon "shield-check" aria-label="Security updates" height="24" %}

**Required option**. Use to define the location of the package manifests for each package manager (for example, the _package.json_ or _Gemfile_). Without this information {% data variables.product.prodname_dependabot %} cannot create pull requests for version updates. For examples, see {% ifversion dependabot-updates-multidirectory-support %}[Defining multiple locations for manifest files](/code-security/dependabot/dependabot-version-updates/controlling-dependencies-updated#defining-multiple-locations-for-manifest-files){% else %}[Example dependabot.yml file](/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates#example-dependabotyml-file){% endif %}.
**Required option**. Use to define the location of the package manifests for each package manager (for example, the _package.json_ or _Gemfile_). Without this information {% data variables.product.prodname_dependabot %} cannot create pull requests for version updates. For examples, see [Defining multiple locations for manifest files](/code-security/dependabot/dependabot-version-updates/controlling-dependencies-updated#defining-multiple-locations-for-manifest-files).

{% ifversion dependabot-updates-multidirectory-support %}
* Use `directory` to define a single directory of manifests.
* Use `directories` to define a list of multiple directories of manifests.
* Define directories relative to the root of the repository for most package managers.{% else %}
* Define the directory relative to the root of the repository for most package managers.{% endif %}
* Define directories relative to the root of the repository for most package managers.

* For {% data variables.product.prodname_actions %}, use the value `/`. {% data variables.product.prodname_dependabot %} will search the `/.github/workflows` directory, as well as the `action.yml/action.yaml` file from the root directory.

If you need to use more than one block in the configuration file to define updates for a single target branch of an ecosystem, you must ensure that all values are unique and there is no overlap in directories defined.

{% ifversion dependabot-updates-multidirectory-support %}

> [!NOTE]
> The `directories` key supports globbing and the wildcard character `*`. These features are not supported by the `directory` key.

{% endif %}

## `enable-beta-ecosystems` {% octicon "versions" aria-label="Version updates only" height="24" %}

Not currently in use.

## `groups` {% ifversion dependabot-grouped-security-updates-config %}{% octicon "versions" aria-label="Version updates" height="24" %} {% octicon "shield-check" aria-label="Security updates" height="24" %}{% else %}{% octicon "versions" aria-label="Version updates only" height="24" %}{% endif %}
## `groups` {% octicon "versions" aria-label="Version updates" height="24" %} {% octicon "shield-check" aria-label="Security updates" height="24" %}

Define rules to create one or more sets of dependencies managed by a package manager, to group updates into fewer, targeted pull requests. For examples, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/optimizing-pr-creation-version-updates).

{% data variables.product.prodname_dependabot %} default behavior:

* Open a single pull request for each dependency that needs to be updated to a newer version for version updates{% ifversion dependabot-grouped-security-updates-config %} and for security updates{% endif %}.
* Open a single pull request for each dependency that needs to be updated to a newer version for version updates and for security updates.

When `groups` is used to define rules:

* All {% ifversion dependabot-grouped-security-updates-config %}{% else %}version {% endif %}updates for dependencies that match a rule are combined in a single pull request.
* All updates for dependencies that match a rule are combined in a single pull request.
* If a dependency matches more than one rule, it's included in the first group that it matches.
* Any outdated dependencies that do not match a rule are updated in individual pull requests.

Parameters | Purpose |
-------|-------------|
| `IDENTIFIER` | Define an identifier for the group to use in branch names and pull request titles. This must start and end with a letter, and can contain letters, pipes `\|`, underscores `_`, or hyphens `-`. |
| {% ifversion dependabot-grouped-security-updates-config %} |
| `applies-to` | Specify which type of update the group applies to. When undefined, defaults to version updates. Supported values: `version-updates` or `security-updates`. |
| {% endif %} |
| `dependency-type` | Limit the group to a type. Supported values: `development` or `production`. |
| `patterns` | Define one or more patterns to include dependencies with matching names. |
| `exclude-patterns` | Define one or more patterns to exclude dependencies from the group. |
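Review bot: removing the `{% ifversion dependabot-updates-multidirectory-support %}` / `{% endif %}` wrapper around the `directories` NOTE leaves behind the blank lines that used to pad each tag on both sides; check that the resulting source does not end up with two consecutive blank lines between the "If you need to use more than one block" paragraph and `> [!NOTE]`. Unrelated to the change but visible in the same hunk: the `groups` parameter table opens with `Parameters | Purpose |` and `-------|-------------|` while every body row starts with a leading `|`; adding the leading pipe to the two header rows would make the table consistent with the `| Registry `type` |` table later in this commit.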
@@ -436,7 +429,7 @@ Package manager | YAML value | Supported versions |
| Gradle | `gradle` | Not applicable |
| Maven | `maven` | Not applicable |
| npm | `npm` | v7, v8, v9 |
| NuGet | `nuget` | {% ifversion fpt or ghec or ghes > 3.14 %}<=6.12.0{% elsif ghes = 3.14 or ghes = 3.13 %}<= 6.8.0 {% endif %} |
| NuGet | `nuget` | {% ifversion fpt or ghec or ghes > 3.14 %}<=6.12.0{% endif %} |
| pip| `pip` | v21.1.2 |
| pip-compile | `pip` | 6.1.0 |
| pipenv | `pip` | <= 2021-05-29 |
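Review bot: the new NuGet cell `{% ifversion fpt or ghec or ghes > 3.14 %}<=6.12.0{% endif %}` drops the whole `{% elsif ghes = 3.14 or ghes = 3.13 %}<= 6.8.0 {% endif %}` branch, but only 3.13 is being deprecated; on GHES 3.14 the "Supported versions" cell for NuGet now renders empty instead of `<= 6.8.0`. Suggest keeping the 3.14 case, e.g. `{% ifversion fpt or ghec or ghes > 3.14 %}<=6.12.0{% elsif ghes = 3.14 %}<= 6.8.0{% endif %}`, or, if 3.14 now ships the same NuGet support, an unconditional `<=6.12.0` so the row can never be blank. The stray trailing space inside the old `<= 6.8.0 ` value could be dropped at the same time.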
@@ -716,8 +709,8 @@ Specify authentication details that {% data variables.product.prodname_dependabo
> [!NOTE]
> Private registries behind firewalls on private networks are supported for the following ecosystems:
>
> * Bundler{% ifversion dependabot-updates-cargo-private-registry-support %}
> * Cargo{% endif %}
> * Bundler
> * Cargo
> * Docker
> * Gradle
> * Maven
@@ -766,9 +759,7 @@ The parameters used to provide authentication details for access to a private re

| Registry `type` | Required authentication parameters |
|--|--|
| {% ifversion dependabot-updates-cargo-private-registry-support %} |
| `cargo-registry` | `token` |
| {% endif %} |
| `composer-repository` | `username` and `password` |
| `docker-registry` | `username` and `password` |
| `git` | `username` and `password` |

@@ -30,8 +30,8 @@ You'll find detailed guidance for the setup of the following package managers:

{% ifversion dependabot-bun-support %}
* [Bun](#bun){% endif %}
* [Bundler](#bundler){% ifversion dependabot-updates-cargo-private-registry-support %}
* [Cargo](#cargo){% endif %}
* [Bundler](#bundler)
* [Cargo](#cargo)
* [Docker](#docker){% ifversion dependabot-docker-compose-support %}
* [Docker Compose](#docker-compose){% endif %}
* [Gradle](#gradle){% ifversion dependabot-helm-support %}
@@ -103,8 +103,6 @@ registries:

{% data reusables.dependabot.access-private-dependencies-link %}

{% ifversion dependabot-updates-cargo-private-registry-support %}

### Cargo

Cargo supports username, password and token-based authentication. For more information, see `cargo-registry` in [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#cargo-registry).
@@ -113,8 +111,6 @@ The snippet below shows a `dependabot.yml` file configuration that uses a token.

{% data reusables.dependabot.cargo-private-registry-config-example %}

{% endif %}

### Docker

Docker supports using a username and password for registries. For more information, see `docker-registry` in [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#docker-registry).

@@ -30,7 +30,7 @@ shortTitle: Manage Dependabot PRs
When {% data variables.product.prodname_dependabot %} raises a pull request, you're notified by your chosen method for the repository. Each pull request contains detailed information about the proposed change, taken from the package manager. These pull requests follow the normal checks and tests defined in your repository.
{% ifversion fpt or ghec %}In addition, where enough information is available, you'll see a compatibility score. This may also help you decide whether or not to merge the change. For information about this score, see [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates).{% endif %}

If you have many dependencies to manage, you may want to customize the configuration for each package manager so that pull requests have specific reviewers, assignees, and labels. You may also want to group sets of dependencies together, so that multiple dependencies are updated in a single pull request. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/customizing-dependabot-prs){% ifversion dependabot-grouped-security-updates-config %} and [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates#grouping-dependabot-updates-into-a-single-pull-request).{% else %} and [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates#grouping-dependabot-security-updates-into-a-single-pull-request).{% endif %}
If you have many dependencies to manage, you may want to customize the configuration for each package manager so that pull requests have specific reviewers, assignees, and labels. You may also want to group sets of dependencies together, so that multiple dependencies are updated in a single pull request. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/customizing-dependabot-prs) and [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates#grouping-dependabot-updates-into-a-single-pull-request).

> [!NOTE]
> If you don't interact with {% data variables.product.prodname_dependabot %} pull requests for a repository during a 90-day time period, {% data variables.product.prodname_dependabot %} considers your repository as inactive, and will automatically pause {% data variables.product.prodname_dependabot_updates %}. For more information about inactivity criteria, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates#about-automatic-deactivation-of-dependabot-updates) and [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates#about-automatic-deactivation-of-dependabot-updates).
@@ -76,8 +76,6 @@ If you run any of the commands for ignoring dependencies or versions, {% data va

For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#ignore).

{% ifversion dependabot-grouped-security-updates-config %}

### Managing {% data variables.product.prodname_dependabot %} pull requests for grouped updates with comment commands

In {% data variables.product.prodname_dependabot %} pull requests for grouped version updates and security updates, you can use comment commands to ignore and un-ignore updates for specific dependencies and versions. You can use any of the following commands to manage ignore conditions for grouped updates.
@@ -92,25 +90,3 @@ In {% data variables.product.prodname_dependabot %} pull requests for grouped ve

> [!TIP]
> When you want to un-ignore a specific ignore condition, use the `@dependabot show DEPENDENCY_NAME ignore conditions` command to quickly check what ignore conditions a dependency currently has.

{% else %}

### Managing {% data variables.product.prodname_dependabot %} pull requests for grouped version updates with comment commands

In {% data variables.product.prodname_dependabot %} pull requests for grouped version updates, you can use comment commands to ignore and un-ignore updates for specific dependencies and versions. You can use any of the following commands to manage ignore conditions for grouped version updates.

> [!NOTE]
> The following comment commands do not work for grouped {% data variables.product.prodname_dependabot_security_updates %}.

* `@dependabot ignore DEPENDENCY_NAME` closes the pull request and prevents {% data variables.product.prodname_dependabot %} from updating this dependency.
* `@dependabot ignore DEPENDENCY_NAME major version` closes the pull request and prevents {% data variables.product.prodname_dependabot %} from updating this dependency's major version.
* `@dependabot ignore DEPENDENCY_NAME minor version` closes the pull request and prevents {% data variables.product.prodname_dependabot %} from updating this dependency's minor version.
* `@dependabot ignore DEPENDENCY_NAME patch version` closes the pull request and prevents {% data variables.product.prodname_dependabot %} from updating this dependency's patch version.
* `@dependabot unignore *` closes the current pull request, clears all `ignore` conditions stored for all dependencies in the group, then opens a new pull request.
* `@dependabot unignore DEPENDENCY_NAME` closes the current pull request, clears all `ignore` conditions stored for the dependency, then opens a new pull request that includes available version updates for the specified dependency. For example, `@dependabot unignore lodash` would open a new pull request that includes version updates for the Lodash dependency.
* `@dependabot unignore DEPENDENCY_NAME IGNORE_CONDITION` closes the current pull request, clears the stored `ignore` condition, then opens a new pull request that includes available version updates for the specified ignore condition. For example, `@dependabot unignore express [< 1.9, > 1.8.0]` would open a new pull request that includes version updates for Express between versions 1.8.0 and 1.9.0.

> [!TIP]
> When you want to un-ignore a specific ignore condition, use the `@dependabot show DEPENDENCY_NAME ignore conditions` command to quickly check what ignore conditions a dependency currently has.

{% endif %}

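Review bot: the removed `{% else %}` branch carried the NOTE `The following comment commands do not work for grouped {% data variables.product.prodname_dependabot_security_updates %}`, and the retained section intro (previous hunk) now states without qualification that the commands apply to `grouped version updates and security updates`. Confirm that every version still supported after this deprecation, GHES 3.14 included, honours the `@dependabot ignore` / `unignore` commands on grouped security update pull requests; if any does not, readers there lose the only warning that the commands are silently ignored, and the NOTE should be kept behind a version condition rather than deleted.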
@@ -162,14 +162,10 @@ Push protection proactively scans your code, and any repository contributors' co

{% data reusables.advanced-security.available-for-public-repos %}

{% ifversion push-protection-delegated-bypass %}

### Delegated bypass for push protection

Delegated bypass for push protection lets you control which individuals, roles and teams can bypass push protection, and implements a review and approval cycle for pushes containing secrets. For more information, see [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection).

{% endif %}

### Custom patterns

You can define custom patterns to identify secrets that are not detected by the default patterns supported by {% data variables.product.prodname_secret_scanning %}, such as patterns that are internal to your organization. For more information, see [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning).

@@ -30,7 +30,7 @@ Push protection helps you avoid the risks associated with exposed secrets, like
You can enable push protection:

* At repository/organization level, if you are a repository administrator or an organization owner. You will see alerts in the **Security** tab of your repository when a contributor to the repository bypasses push protection.
* For your account on {% data variables.product.prodname_dotcom %}, as a user. This type of push protection is referred to as "push protection for users". It protects you from pushing secrets to _any_ public repository on {% data variables.product.prodname_dotcom %}, but no alerts are generated.
* For your account on {% data variables.product.prodname_dotcom %}, as a user. This type of push protection is referred to as "push protection for users." It protects you from pushing secrets to _any_ public repository on {% data variables.product.prodname_dotcom %}, but no alerts are generated.

{% endif %}

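Review bot: the only change in this hunk is moving the period inside the closing quotation mark (`"push protection for users."`), and several later hunks in this commit do the same; these punctuation-only edits have nothing to do with deprecating 3.13 and would be easier to review, bisect and revert in a separate commit. Nothing here changes which versions see the bullet list: the trailing `{% endif %}` closes an `{% ifversion %}` that opens outside the hunk.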
@@ -60,7 +60,7 @@ By default, anyone with write access to the repository can choose to bypass push

{% data reusables.secret-scanning.bypass-reasons-and-alerts %}

{% ifversion push-protection-delegated-bypass %} If you want greater control over which contributors can bypass push protection and which pushes containing secrets should be allowed, you can enable delegated bypass for push protection. Delegated bypass lets you configure a designated group of reviewers to oversee and manage requests to bypass push protection from contributors pushing to the repository. For more information, see [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection).{% endif %}
If you want greater control over which contributors can bypass push protection and which pushes containing secrets should be allowed, you can enable delegated bypass for push protection. Delegated bypass lets you configure a designated group of reviewers to oversee and manage requests to bypass push protection from contributors pushing to the repository. For more information, see [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection).

{% ifversion secret-scanning-push-protection-content-endpoints %}You can also bypass push protection using the REST API. For more information, see [AUTOTITLE](/rest/secret-scanning/secret-scanning?apiVersion=2022-11-28#create-a-push-protection-bypass).{% endif %}

@@ -76,7 +76,7 @@ By default, anyone with write access to the repository can choose to bypass push

* **Ability to detect custom patterns:** Organizations can define custom patterns for detecting secrets unique to their environment. This customization ensures that push Protection can effectively identify and block even non-standard secrets.

{% ifversion push-protection-delegated-bypass %}* **Delegated bypass for flexibility:** For cases where false positives occur or when certain patterns are necessary, the delegated bypass feature allows designated users to approve specific pushes. This provides flexibility without compromising overall security.{% endif %}
* **Delegated bypass for flexibility:** For cases where false positives occur or when certain patterns are necessary, the delegated bypass feature allows designated users to approve specific pushes. This provides flexibility without compromising overall security.

{% ifversion secret-scanning-push-protection-for-users %}

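Review bot: unrelated to the change but in this hunk's context, `push Protection` in the `**Ability to detect custom patterns:**` bullet capitalizes "Protection" inconsistently with `push protection` everywhere else in the file, including the `**Delegated bypass for flexibility:**` bullet being made unconditional directly below it; worth lowercasing while the file is being touched.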
@@ -100,18 +100,14 @@ Customize which secret patterns are included in push protection at the enterpris

Define custom patterns that push protection can use to identify secrets and block pushes containing these secrets. For more information, see [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning).

{% ifversion push-protection-delegated-bypass %}

### Configure delegated bypass

Define contributors who can bypass push protection and add an approval process for other contributors. For more information, see [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection).

{% endif %}

## Further reading

* [AUTOTITLE](/code-security/secret-scanning/enabling-secret-scanning-features/enabling-push-protection-for-your-repository)
* [AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line)
* [AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui)
* [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning){% ifversion push-protection-delegated-bypass %}
* [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection){% endif %}
* [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning)
* [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection)

@@ -1,9 +1,11 @@
---
title: About delegated bypass for push protection
intro: 'You can control which teams or roles have the ability to bypass push protection in your organization or repository.'
intro: You can control which teams or roles have the ability to bypass push protection in your organization or repository.
product: '{% data reusables.gated-features.delegated-bypass %}'
versions:
feature: push-protection-delegated-bypass
fpt: '*'
ghec: '*'
ghes: '*'
type: overview
topics:
- Secret scanning

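Review bot: replacing `feature: push-protection-delegated-bypass` under `versions:` with explicit `fpt: '*'`, `ghec: '*'` and `ghes: '*'` is the right consequence of the feature being available on every remaining version, but it leaves the `push-protection-delegated-bypass` feature definition referenced only by `{% ifversion %}` tags, and the ones visible in this commit are all being removed; the feature file itself and any references outside the files shown here (reusables, other articles) should go in the same change so the next GHES deprecation does not trip over a dangling feature. Dropping the quotes on `intro:` is safe for this value, which contains neither `: ` nor ` #` and does not start with a YAML indicator character.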
@@ -3,7 +3,9 @@ title: Enabling delegated bypass for push protection
intro: 'You can use delegated bypass for your organization or repository to control who can push commits that contain secrets identified by {% data variables.product.prodname_secret_scanning %}.'
permissions: '{% data reusables.permissions.delegated-bypass %}'
versions:
feature: push-protection-delegated-bypass
fpt: '*'
ghec: '*'
ghes: '*'
type: how_to
topics:
- Secret scanning
@@ -32,13 +34,13 @@ When you enable this feature, you will create a bypass list of roles and teams w
{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.sidebar-settings %}
{% data reusables.repositories.navigate-to-code-security-and-analysis %}{% ifversion ghas-products %}
1. Under "{% data variables.product.prodname_secret_protection %}", ensure that push protection is enabled for the repository.{% else %}
1. Under "{% data variables.product.prodname_secret_protection %}," ensure that push protection is enabled for the repository.{% else %}
{% data reusables.repositories.navigate-to-ghas-settings %}{% endif %}
1. Under "Push protection", to the right of "Who can bypass push protection for {% data variables.product.prodname_secret_scanning %}", select the dropdown menu, then click **Specific roles or teams**.
1. Under "Bypass list", click **Add role or team**.
1. Under "Push protection," to the right of "Who can bypass push protection for {% data variables.product.prodname_secret_scanning %}," select the dropdown menu, then click **Specific roles or teams**.
1. Under "Bypass list," click **Add role or team**.

> [!NOTE]
> When you add roles or teams to the "bypass list", these users will be granted the ability to bypass push protection, and they can also review and manage the requests from all other contributors to bypass push protection.
> When you add roles or teams to the "bypass list," these users will be granted the ability to bypass push protection, and they can also review and manage the requests from all other contributors to bypass push protection.
>
> You can't add secret teams to the bypass list.

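Review bot: the NOTE is only being repunctuated here, but since it is being edited anyway it could say more plainly that the bypass list is a privileged role rather than a convenience list: by its own wording, members both bypass push protection for their own pushes and `review and manage the requests from all other contributors`. One sentence recommending that the list be kept to the smallest set of roles or teams that genuinely needs it would make the least-privilege implication explicit for administrators working through these steps.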
@@ -51,8 +53,8 @@ When you enable this feature, you will create a bypass list of roles and teams w
You must configure delegated bypass for your organization using a custom security configuration. You can then apply the security configuration to all (or selected) repositories in your organization.

1. Create a new custom security configuration, or edit an existing one. See [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/creating-a-custom-security-configuration#creating-a-custom-security-configuration).
1. When defining the custom security configuration, under "{% data variables.product.prodname_secret_scanning_caps %}", ensure that {% ifversion ghas-products %}"Push protection" is set to **Enabled**{% else %}the dropdown menus for "Alerts" and "Push protection" are set to **Enabled**{% endif %}.
1. Under "Push protection", to the right of "Bypass privileges", select the dropdown menu, then click **Specific actors**.
1. When defining the custom security configuration, under "{% data variables.product.prodname_secret_scanning_caps %}," ensure that {% ifversion ghas-products %}"Push protection" is set to **Enabled**{% else %}the dropdown menus for "Alerts" and "Push protection" are set to **Enabled**{% endif %}.
1. Under "Push protection," to the right of "Bypass privileges," select the dropdown menu, then click **Specific actors**.

> [!NOTE]
> When you assign bypass privileges to selected actors, these organization members are granted the ability to bypass push protection, and they also review and manage the requests from all other contributors to bypass push protection.
@@ -79,8 +81,8 @@ To learn more about security configurations, see [AUTOTITLE](/code-security/secu
{% data reusables.organizations.security-and-analysis %}
{% data reusables.repositories.navigate-to-ghas-settings %}
{% endif %}
1. Under "Push protection", to the right of "Who can bypass push protection for {% data variables.product.prodname_secret_scanning %}", select the dropdown menu, then click **Specific roles or teams**.
1. Under "Bypass list", click **Add role or team**.
1. Under "Push protection," to the right of "Who can bypass push protection for {% data variables.product.prodname_secret_scanning %}," select the dropdown menu, then click **Specific roles or teams**.
1. Under "Bypass list," click **Add role or team**.
1. In the dialog box, select the roles and teams that you want to add to the bypass list, then click **Add selected**.

{% endif %}

@@ -3,7 +3,9 @@ title: Managing requests to bypass push protection
intro: 'As a member of the bypass list for an organization or repository, you can review bypass requests from other members of the organization or repository.'
permissions: '{% data reusables.permissions.delegated-bypass-list %}'
versions:
feature: push-protection-delegated-bypass
fpt: '*'
ghec: '*'
ghes: '*'
type: how_to
topics:
- Secret scanning

@@ -24,7 +24,7 @@ When you attempt to push a supported secret from the command line to a repositor
You should either:

* **Remove** the secret from your branch. For more information, see [Resolving a blocked push](#resolving-a-blocked-push).
* **Follow a provided URL** {% ifversion push-protection-delegated-bypass %}to see what options are available to you{% endif %} to allow the push. For more information, see [Bypassing push protection](#bypassing-push-protection){% ifversion push-protection-delegated-bypass %} and [Requesting bypass privileges](#requesting-bypass-privileges){% endif %}.
* **Follow a provided URL** to see what options are available to you to allow the push. For more information, see [Bypassing push protection](#bypassing-push-protection) and [Requesting bypass privileges](#requesting-bypass-privileges).

Up to five detected secrets will be displayed at a time on the command line. If a particular secret has already been detected in the repository and an alert already exists, {% data variables.product.prodname_dotcom %} will not block that secret.

@@ -119,13 +119,13 @@ You can also remove the secret if the secret appears in an earlier commit in the

## Bypassing push protection

If {% data variables.product.prodname_dotcom %} blocks a secret that you believe is safe to push, you {% ifversion push-protection-delegated-bypass %}may be able to {% else %}can {% endif %}bypass the block by specifying a reason for allowing the secret to be pushed.
If {% data variables.product.prodname_dotcom %} blocks a secret that you believe is safe to push, you may be able to bypass the block by specifying a reason for allowing the secret to be pushed.

{% data reusables.secret-scanning.push-protection-allow-secrets-alerts %}

{% data reusables.secret-scanning.push-protection-allow-email %}

If you don't see the option to bypass the block, the repository administrator or organization owner has configured tighter controls around push protection. Instead, you should remove the secret from the commit{% ifversion push-protection-delegated-bypass %}, or submit a request for "bypass privileges" in order to push the blocked secret. For more information, see [Requesting bypass privileges](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line#requesting-bypass-privileges){% endif %}.
If you don't see the option to bypass the block, the repository administrator or organization owner has configured tighter controls around push protection. Instead, you should remove the secret from the commit, or submit a request for "bypass privileges" in order to push the blocked secret. For more information, see [Requesting bypass privileges](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line#requesting-bypass-privileges).

{% data reusables.secret-scanning.push-protection-visit-URL %}
{% data reusables.secret-scanning.push-protection-choose-allow-secret-options %}
@@ -133,8 +133,6 @@ If you don't see the option to bypass the block, the repository administrator or
1. Click **Allow me to push this secret**.
1. Reattempt the push on the command line within three hours. If you have not pushed within three hours, you will need to repeat this process.

{% ifversion push-protection-delegated-bypass %}

## Requesting bypass privileges

{% data reusables.secret-scanning.push-protection-delegate-bypass-beta-note %}
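Review bot: with the `{% ifversion push-protection-delegated-bypass %}` guard removed from around `## Requesting bypass privileges`, the section is now shown on every version, yet the first line under the heading is still `{% data reusables.secret-scanning.push-protection-delegate-bypass-beta-note %}`. Check whether that beta note is still accurate for a feature whose frontmatter in this same commit declares `fpt: '*'`, `ghec: '*'` and `ghes: '*'`, and drop the reusable here (and wherever else it is included) if delegated bypass is no longer in beta.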
@@ -154,8 +152,6 @@ If your request is approved, you can push the commit (or commits) containing the

If your request is denied, you will need to remove the secret from all commits containing the secret before pushing again. For information on how to remove a blocked secret, see [Resolving a blocked push](#resolving-a-blocked-push).

{% endif %}

## Further reading

* [AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui){% ifversion secret-scanning-push-protection-content-endpoints %}

@@ -19,18 +19,14 @@ topics:
|
||||
|
||||
When you {% ifversion push-protection-delegated-bypass-file-upload-support %}upload, create, {% else %}create {% endif %}or edit files from the {% data variables.product.prodname_dotcom %} UI, push protection prevents you from accidentally committing secrets to a repository by blocking commits containing supported secrets.
{% ifversion push-protection-block-uploads %}
{% data variables.product.prodname_dotcom %} will also block the commit if you attempt to upload files containing supported secrets.
{% data reusables.secret-scanning.push-protection-web-UI-uploads-beta %}
{% endif %}
You should either:
* **Remove** the secret from the commit. For more information, see [Resolving a blocked commit](#resolving-a-blocked-commit).
* **Review** the instructions in the dialog box {% ifversion push-protection-delegated-bypass %}to see what options are available to you{% endif %} to allow the push. For more information, see [Bypassing push protection](#bypassing-push-protection){% ifversion push-protection-delegated-bypass %} and [Requesting bypass privileges](#requesting-bypass-privileges){% endif %}.
* **Review** the instructions in the dialog box to see what options are available to you to allow the push. For more information, see [Bypassing push protection](#bypassing-push-protection) and [Requesting bypass privileges](#requesting-bypass-privileges).
{% data variables.product.prodname_dotcom %} will only display one detected secret at a time in the web UI. If a particular secret has already been detected in the repository and an alert already exists, {% data variables.product.prodname_dotcom %} will not block that secret.
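Review bot: the "Review" bullet loses its `push-protection-delegated-bypass` conditionals, but the opening paragraph still carries `{% ifversion push-protection-delegated-bypass-file-upload-support %}upload, create, {% else %}create {% endif %}`; if file-upload support is likewise present in every remaining version, that conditional should be unwrapped in the same pass rather than left for the next deprecation. Also verify that the `{% ifversion push-protection-block-uploads %}` wrapper and its `{% endif %}` around the upload paragraph are either both kept or both dropped; the hunk counts (18 to 14) suggest more than the one visible bullet changed here.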
@@ -46,7 +42,7 @@ To resolve a blocked commit in the web UI, you need to remove the secret from th
## Bypassing push protection
If {% data variables.product.prodname_dotcom %} blocks a secret that you believe is safe to commit, you {% ifversion push-protection-delegated-bypass %}may be able to {% else %}can {% endif %}bypass the block by specifying a reason for allowing the secret.
If {% data variables.product.prodname_dotcom %} blocks a secret that you believe is safe to commit, you may be able to bypass the block by specifying a reason for allowing the secret.
{% data reusables.secret-scanning.push-protection-allow-secrets-alerts %}
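Review bot: the surviving wording is the delegated-bypass branch ("you may be able to bypass the block"), which is the right one to keep now that the "Requesting bypass privileges" section becomes unconditional in the later hunks; a plain "you can bypass" would overstate what a user without bypass privileges can do.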
@@ -57,14 +53,8 @@ If {% data variables.product.prodname_dotcom %} blocks a secret that you believe
{% data reusables.secret-scanning.push-protection-public-repos-bypass %}
1. Click **Allow secret**.
{% ifversion push-protection-delegated-bypass %}
If you don't see the option to bypass the block, the repository administrator or organization owner has configured tighter controls around push protection. Instead, you should remove the secret from the commit, or submit a request for "bypass privileges" in order to push the blocked secret. For more information, see [Requesting bypass privileges](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui#requesting-bypass-privileges).
{% endif %}
{% ifversion push-protection-delegated-bypass %}
## Requesting bypass privileges
{% data reusables.secret-scanning.push-protection-delegate-bypass-beta-note %}
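Review bot: three tags go here: the `{% ifversion push-protection-delegated-bypass %}` before the "If you don't see the option" paragraph, its `{% endif %}`, and the second `{% ifversion push-protection-delegated-bypass %}` before `## Requesting bypass privileges`. The close for that second one is only removed in the next hunk, so the page builds only with both hunks applied. Keeping the "If you don't see the option" paragraph unconditional is correct, since the option can be missing because an admin tightened push protection regardless of version. As on the command-line page, `push-protection-delegate-bypass-beta-note` survives and should be re-checked for accuracy.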
@@ -85,8 +75,6 @@ If your request is approved, you can commit the changes containing the secret to
If your request is denied, you will need to remove the secret from the file before you can commit your changes.
{% endif %}
## Further reading
* [AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line){% ifversion secret-scanning-push-protection-content-endpoints %}
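Review bot: this `{% endif %}` is the close for the `## Requesting bypass privileges` conditional removed in the previous hunk; fine as long as the two hunks ship together, otherwise the Liquid is unbalanced and the page fails to render for every version.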
@@ -36,7 +36,7 @@ You can use security overview to see which repositories and teams have already e
You can download a CSV file of the data displayed on the "Security coverage" page. This data file can be used for efforts like security research and in-depth data analysis, and can integrate easily with external datasets. For more information, see [AUTOTITLE](/code-security/security-overview/exporting-data-from-security-overview).
{% endif %}
You can use the "Enablement trends" view to see enablement status and enablement status trends over time for {% data variables.product.prodname_dependabot %}, {% data variables.product.prodname_code_scanning %}, or {% data variables.product.prodname_secret_scanning %} for repositories in an organization{% ifversion security-overview-enterprise-enablement-report %}, or across organizations in an enterprise{% endif %}. For each of these features, you can view a graph visualizing the percentage of repositories that have the feature enabled, as well as a detailed table with enablement percentages for different points in time. For more information, see [Viewing enablement trends for an organization](#viewing-enablement-trends-for-an-organization){% ifversion security-overview-enterprise-enablement-report %} and [Viewing enablement trends for an enterprise](#viewing-enablement-trends-for-an-enterprise){% endif %}.
You can use the "Enablement trends" view to see enablement status and enablement status trends over time for {% data variables.product.prodname_dependabot %}, {% data variables.product.prodname_code_scanning %}, or {% data variables.product.prodname_secret_scanning %} for repositories in an organization, or across organizations in an enterprise. For each of these features, you can view a graph visualizing the percentage of repositories that have the feature enabled, as well as a detailed table with enablement percentages for different points in time. For more information, see [Viewing enablement trends for an organization](#viewing-enablement-trends-for-an-organization) and [Viewing enablement trends for an enterprise](#viewing-enablement-trends-for-an-enterprise).
## Viewing the enablement of security features for an organization
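Review bot: the "Enablement trends" paragraph drops `security-overview-enterprise-enablement-report` and now links unconditionally to "Viewing enablement trends for an enterprise", so the enterprise section's own `{% ifversion %}` wrapper must be removed too or the link dangles on versions where the section is hidden; the later hunks do that. The `{% endif %}` retained just above the CSV paragraph closes an earlier block and is unrelated.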
@@ -86,16 +86,14 @@ You can view data to assess the enablement status and enablement status trends o
{% data reusables.organizations.navigate-to-org %}
{% data reusables.organizations.security-overview %}
1. In the sidebar, under "Metrics", click **{% octicon "meter" aria-hidden="true" aria-label="meter" %} Enablement trends**.
1. Click on one of the tabs for "{% data variables.product.prodname_dependabot %}", "{% data variables.product.prodname_code_scanning_caps %}", or "{% data variables.product.prodname_secret_scanning_caps %}" to view enablement trends and the percentage of repositories in your organization with that feature enabled. This data is displayed as a graph and a detailed table.
1. In the sidebar, under "Metrics," click **{% octicon "meter" aria-hidden="true" aria-label="meter" %} Enablement trends**.
1. Click on one of the tabs for "{% data variables.product.prodname_dependabot %}," "{% data variables.product.prodname_code_scanning_caps %}," or "{% data variables.product.prodname_secret_scanning_caps %}" to view enablement trends and the percentage of repositories in your organization with that feature enabled. This data is displayed as a graph and a detailed table.
1. Optionally, use the options at the top of the "Enablement trends" view page to filter the group of repositories you want to see enablement trends for.
* Use the date picker to set the time range that you want to view enablement trends for.
* Click in the search box to add further filters on the enablement trends displayed. The filters you can apply are the same as those for the "Overview" dashboard view. For more information, see [AUTOTITLE](/code-security/security-overview/filtering-alerts-in-security-overview).

{% ifversion security-overview-enterprise-enablement-report %}
## Viewing enablement trends for an enterprise
{% ifversion ghes < 3.15 %}
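Review bot: two unrelated changes are mixed in this hunk: the comma-inside-quotes rewrite of the "Metrics" and tab bullets, and the removal of `{% ifversion security-overview-enterprise-enablement-report %}` before `## Viewing enablement trends for an enterprise`. The `{% ifversion ghes < 3.15 %}` immediately after that heading is correctly left alone, because 3.14 remains a supported version after this deprecation. The punctuation moves are a style change that would be easier to review in their own commit.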
@@ -109,15 +107,13 @@ You can view data to assess the enablement status and enablement status trends o
{% ifversion ghes %}{% data reusables.enterprise-accounts.access-enterprise-ghes %}{% else %}{% data reusables.enterprise-accounts.access-enterprise-on-dotcom %}{% endif %}
{% data reusables.code-scanning.click-code-security-enterprise %}
1. To display the "Enablement trends" view, in the sidebar, click **Enablement trends**.
1. Click on one of the tabs for "{% data variables.product.prodname_dependabot %}", "{% data variables.product.prodname_code_scanning_caps %}", or "{% data variables.product.prodname_secret_scanning_caps %}" to view enablement trends and the percentage of repositories across organizations in your enterprise with that feature enabled. This data is displayed as a graph and a detailed table.
1. Click on one of the tabs for "{% data variables.product.prodname_dependabot %}," "{% data variables.product.prodname_code_scanning_caps %}," or "{% data variables.product.prodname_secret_scanning_caps %}" to view enablement trends and the percentage of repositories across organizations in your enterprise with that feature enabled. This data is displayed as a graph and a detailed table.
1. Optionally, use the options at the top of the "Enablement trends" view page to filter the group of repositories you want to see enablement trends for.
* Use the date picker to set the time range that you want to view enablement trends for.
* Click in the search box to add further filters on the enablement trends displayed. For more information, see [AUTOTITLE](/code-security/security-overview/filtering-alerts-in-security-overview).
>[!TIP] You can use the `owner:` filter in the search field to filter the data by organization. For more information, see [AUTOTITLE](/code-security/security-overview/filtering-alerts-in-security-overview).
{% endif %}
## Interpreting and acting on the enablement data
Some security features can and should be enabled on all repositories. For example, {% data variables.secret-scanning.alerts %} and push protection reduce the risk of a security leak no matter what information is stored in the repository. If you see repositories that don't already use these features, you should either enable them or discuss an enablement plan with the team who owns the repository. For information on enabling features for a whole organization, see {% ifversion security-configurations %}[AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization){% else %}[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization){% endif %}.
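Review bot: the `{% endif %}` dropped after the `owner:` tip must be the close of the `security-overview-enterprise-enablement-report` block removed in the previous hunk, not the close of the `{% ifversion ghes < 3.15 %}` opened right after the section heading, whose own `{% endif %}` sits outside this hunk's context. Removing the wrong one leaves the `ghes < 3.15` block unterminated and breaks the build for every version, so verify the pairing before merging.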
@@ -43,7 +43,7 @@ All security views have features to help you define filters. These provide an ea
* **Interactive search text box.** When you click in the search box and press the keyboard "Space" key, a pop-up text box shows the filter options available in that view. You can use the mouse or keyboard arrow keys to select the options you want in the text box before pressing the keyboard "Return" key to add the filter. Supported for all views.
* **Dropdown selectors and toggles.** Shown at the end of the "Search text box" or in the header of the data table. As you choose the data to view, the filters shown in the search text box are updated accordingly. Supported on the alert views.
* **Advanced filters dialog.** When you click the **{% octicon "filter" aria-hidden="true" aria-label="filter" %} Filter** button, you can use dropdown lists to select the "Qualifier", "Operator", and "Values" for each filter. Supported on the "Overview" and metric views.
* **Advanced filters dialog.** When you click the **{% octicon "filter" aria-hidden="true" aria-label="filter" %} Filter** button, you can use dropdown lists to select the "Qualifier," "Operator," and "Values" for each filter. Supported on the "Overview" and metric views.
## Repository name, visibility, and status filters
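Review bot: punctuation-only change (commas moved inside the closing quotes of "Qualifier," and "Operator,"), unrelated to deprecating 3.13; harmless, but it inflates the diff of a version-removal commit and would be clearer in a dedicated style pass.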
@@ -135,15 +135,13 @@ In the "Risk" view, you can filter repositories by the number of alerts they hav
## Alert type and property filters
You can filter the "Overview" view by the type{% ifversion security-overview-3-14-overview %} and property{% endif %} of alerts. Use the `tool` qualifier to display only data for alerts generated by a specific tool{% ifversion security-overview-3-14-overview %} or type of tool{% endif %}.
You can filter the "Overview" view by the type and property of alerts. Use the `tool` qualifier to display only data for alerts generated by a specific tool or type of tool.
* `tool:codeql` to show data only for {% data variables.product.prodname_code_scanning %} alerts generated using {% data variables.product.prodname_codeql %}.
* `tool:dependabot` to show data only for {% data variables.product.prodname_dependabot_alerts %}.
* `tool:secret-scanning` to show data only for {% data variables.secret-scanning.alerts %}.{% ifversion security-overview-3-14-overview %}
* `tool:secret-scanning` to show data only for {% data variables.secret-scanning.alerts %}.
* `tool:github` or `tool:third-party` to show data for all types of alerts generated by {% data variables.product.prodname_dotcom %} tools or by third-party tools.
* `tool:TOOL-NAME` to show data for all alerts generated by a third-party tool for {% data variables.product.prodname_code_scanning %}.{% endif %}
{% ifversion security-overview-3-14-overview %}
* `tool:TOOL-NAME` to show data for all alerts generated by a third-party tool for {% data variables.product.prodname_code_scanning %}.
You can also filter the "Overview" view by properties of alerts.
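Review bot: the `{% endif %}` trailing the `tool:TOOL-NAME` bullet and the `{% ifversion security-overview-3-14-overview %}` opened immediately after it cancelled each other out, so dropping both is equivalent to dropping the single conditional at the top of the section; the remaining close is removed in the next hunk. After this change the `tool:TOOL-NAME` bullet appears once and the "type and property" wording is unconditional, which matches the now-unconditional property table that follows.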
@@ -160,8 +158,6 @@ You can also filter the "Overview" view by properties of alerts.
| `severity` | Display data only for alerts of a specific severity (`critical`, `high`, `medium`, or `low`).
| `third-party.rule`| Display data only for {% data variables.product.prodname_code_scanning %} identified by a specific rule for a tool developed by a third party. For example, `third-party.rule:CVE-2021-26291-maven-artifact` shows only results for the `CVE-2021-26291-maven-artifact` rule of a third-party {% data variables.product.prodname_code_scanning %} tool.
{% endif %}
### {% data variables.product.prodname_dependabot %} alert view filters
You can filter the view to show {% data variables.product.prodname_dependabot_alerts %} that are ready to fix or where additional information about exposure is available. You can click any result to see full details of the alert.
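Review bot: this `{% endif %}` closes the `security-overview-3-14-overview` block around the alert-property table; its removal completes the pair from the previous hunk and leaves the `severity` and `third-party.rule` rows unconditional, which is the intent.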
@@ -20,11 +20,7 @@ redirect_from:
allowTitleToDifferFromFilename: true
---
{% ifversion ghes < 3.14 %}
{% data reusables.security-overview.beta-overview-dashboard %}
{% endif %}
## {% ifversion security-overview-dashboard-enterprise %}About security insights{% else %} About organization-level security insights{% endif %}
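Review bot: the whole `{% ifversion ghes < 3.14 %}` block with `{% data reusables.security-overview.beta-overview-dashboard %}` goes, which is right once 3.14 is the oldest supported release; check whether that reusable is referenced anywhere else and delete its data file if not, so the beta wording does not linger as dead content that a later edit could accidentally re-include.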
@@ -106,7 +102,7 @@ Keep in mind that the overview page tracks changes over time for security alert
Some metrics in the security overview dashboard include a trend indicator, which shows the percentage gain or loss for the chosen time period relative to previous period. For example, when you select a week with 10 alerts, if the previous week had 20 alerts, the trend indicator reports that the metric has dropped by 50%. If the average age of the open alerts is 15 days, and for the previous period it was 5 days, the trend indicator reports that the metric has risen by 200%.
>[!NOTE]
> The number of alerts shown on the security overview dashboard may not match the number of {% data variables.product.prodname_code_scanning %} alerts. The security overview dashboard focuses on the security landscape of your organization, and only includes alerts with a security severity ("Critical", "High", "Medium", or "Low"), but {% data variables.product.prodname_codeql %} and third-party tools may separately produce non-security alerts with a level of "Error", "Warning", or "Note". For more information about alert severity and security severity levels in {% data variables.product.prodname_code_scanning %}, see [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/about-code-scanning-alerts#about-alert-severity-and-security-severity-levels).
> The number of alerts shown on the security overview dashboard may not match the number of {% data variables.product.prodname_code_scanning %} alerts. The security overview dashboard focuses on the security landscape of your organization, and only includes alerts with a security severity ("Critical," "High," "Medium," or "Low"), but {% data variables.product.prodname_codeql %} and third-party tools may separately produce non-security alerts with a level of "Error," "Warning," or "Note." For more information about alert severity and security severity levels in {% data variables.product.prodname_code_scanning %}, see [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/about-code-scanning-alerts#about-alert-severity-and-security-severity-levels).
### Detection tab
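Review bot: punctuation only. Separately, this NOTE is repeated almost verbatim further down the same file, where the copy says "security posture" instead of "security landscape" and drops "non-security" before "alerts"; the two have already drifted, so a single reusable would keep them consistent.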
@@ -148,7 +144,7 @@ For more information on {% data variables.product.prodname_secret_scanning %} pu
#### Impact analysis table
The impact analysis table has separate tabs showing data for: "Repositories", "Advisories", and "SAST vulnerabilities".
The impact analysis table has separate tabs showing data for: "Repositories," "Advisories," and "SAST vulnerabilities."
* The "Repositories" tab shows the top 10 repositories with the most open alerts at the end of the chosen time period, ranked by the total number of open alerts. For each repository, the total number of open alerts is shown alongside a breakdown by severity.
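Review bot: punctuation only. The "Impact analysis table" sentence is duplicated lower in the file with a shorter tab list ("Repositories" and "Advisories" without "SAST vulnerabilities"), so the two copies are intentionally different and should not be merged into one reusable without checking which view each describes.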
@@ -177,7 +173,7 @@ The age of each closed alert is calculated by subtracting the date the alert was
#### Net resolve rate
The "Net resolve rate" metric is the rate at which alerts are being closed. This metric is similar to measuring "developer velocity", reflecting the speed and efficiency with which alerts are resolved.
The "Net resolve rate" metric is the rate at which alerts are being closed. This metric is similar to measuring "developer velocity," reflecting the speed and efficiency with which alerts are resolved.
The rate is calculated by dividing the number of alerts that were closed and remained closed during the chosen time period, by the number of alerts created during the time period.
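Review bot: punctuation only ("developer velocity,"). The same sentence and the rate definition below it appear again under a second "Net resolve rate" heading later in the file; keep the two in sync or fold them into a reusable.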
@@ -235,7 +231,7 @@ The "Pull request alerts fixed with autofix suggestions" metric shows the ratio
Some metrics in the security overview dashboard include a trend indicator, which shows the percentage gain or loss for the chosen time period relative to previous period. For example, when you select a week with 10 alerts, if the previous week had 20 alerts, the trend indicator reports that the metric has dropped by 50%. If the average age of the open alerts is 15 days, and for the previous period it was 5 days, the trend indicator reports that the metric has risen by 200%.
>[!NOTE]
> The number of alerts shown on the security overview dashboard may not match the number of {% data variables.product.prodname_code_scanning %} alerts. The security overview dashboard focuses on the security posture of your organization, and only includes alerts with a security severity ("Critical", "High", "Medium", or "Low"), but {% data variables.product.prodname_codeql %} and third-party tools may separately produce alerts with a level of "Error", "Warning", or "Note". For more information about alert severity and security severity levels in {% data variables.product.prodname_code_scanning %}, see [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/about-code-scanning-alerts#about-alert-severity-and-security-severity-levels).
> The number of alerts shown on the security overview dashboard may not match the number of {% data variables.product.prodname_code_scanning %} alerts. The security overview dashboard focuses on the security posture of your organization, and only includes alerts with a security severity ("Critical," "High," "Medium," or "Low"), but {% data variables.product.prodname_codeql %} and third-party tools may separately produce alerts with a level of "Error," "Warning," or "Note." For more information about alert severity and security severity levels in {% data variables.product.prodname_code_scanning %}, see [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/about-code-scanning-alerts#about-alert-severity-and-security-severity-levels).
### Alert trends graph
@@ -277,7 +273,7 @@ The age of each closed alert is calculated by subtracting the date the alert was
### Net resolve rate
The "Net resolve rate" metric is the rate at which alerts are being closed. This metric is similar to measuring "developer velocity", reflecting the speed and efficiency with which alerts are resolved.
The "Net resolve rate" metric is the rate at which alerts are being closed. This metric is similar to measuring "developer velocity," reflecting the speed and efficiency with which alerts are resolved.
The rate is calculated by dividing the number of alerts that were closed and remained closed during the chosen time period, by the number of alerts created during the time period.
@@ -303,7 +299,7 @@ Green bars represent the number of new alerts created during the segmented time
### Impact analysis table
The impact analysis table has separate tabs showing data for: "Repositories" and "Advisories".
The impact analysis table has separate tabs showing data for: "Repositories" and "Advisories."
* The "Repositories" tab shows the top 10 repositories with the most open alerts at the end of the chosen time period, ranked by the total number of open alerts. For each repository, the total number of open alerts is shown alongside a breakdown by severity.
@@ -57,7 +57,7 @@ The best way to improve the security of {% ifversion fpt %}your personal account
As a best practice, to ensure both security and reliable access to your account, you should always have at least two second-factor credentials registered on your account. Extra credentials ensures that even if you lose access to one credential, you won't be locked out of your account.{% ifversion fpt or ghec %}
Additionally, you should prefer{% ifversion passkeys %} passkeys and{% endif %} security keys over authenticator apps (called TOTP apps) and avoid use of SMS whenever possible. Both SMS-based 2FA and TOTP apps are vulnerable to phishing, and do not provide the same level of protection as {% ifversion passkeys %}passkeys and {% endif %}security keys. SMS is no longer recommended under the [NIST 800-63B](https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-63b.pdf) digital identity guidelines.
Additionally, you should prefer passkeys and security keys over authenticator apps (called TOTP apps) and avoid use of SMS whenever possible. Both SMS-based 2FA and TOTP apps are vulnerable to phishing, and do not provide the same level of protection as passkeys and security keys. SMS is no longer recommended under the [NIST 800-63B](https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-63b.pdf) digital identity guidelines.
{% endif %}{% ifversion mandatory-2fa-dotcom-contributors %}{% ifversion ghec %}
If service accounts in your organization have been selected for 2FA enrollment by {% data variables.product.prodname_dotcom %}, their tokens and keys will continue to work after the deadline without interruption. Only access to {% data variables.product.prodname_dotcom %} through the website UI will be blocked until the account has enabled 2FA. We recommend setting up TOTP as the second factor for service accounts, and storing the TOTP secret exposed during setup in your company's shared password manager, with access to the secrets controlled through SSO.
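Review bot: dropping `{% ifversion passkeys %}` here is safe but changes nothing for GHES readers: the paragraph sits inside the `{% ifversion fpt or ghec %}` opened at the end of the preceding line and closed by the `{% endif %}` that starts the line after it. The recommendation itself (passkeys and security keys over TOTP, SMS discouraged per NIST 800-63B) is unchanged and still correct.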
@@ -99,9 +99,7 @@ The table below summarizes the availability of {% data variables.product.prodnam
| Copilot secret scanning | {% octicon "x" aria-label="No" %} | {% octicon "x" aria-label="No" %} | {% octicon "check" aria-label="Yes" %} |
|{% endif %}|
| Custom patterns | {% octicon "x" aria-label="No" %} | {% octicon "x" aria-label="No" %} | {% octicon "check" aria-label="Yes" %} |
|{% ifversion push-protection-delegated-bypass %}|
| Delegated bypass for push protection | {% octicon "x" aria-label="No" %} | {% octicon "x" aria-label="No" %} | {% octicon "check" aria-label="Yes" %} |
|{% endif %}|
| Security overview | {% octicon "x" aria-label="No" %} | {% octicon "x" aria-label="No" %} | {% octicon "check" aria-label="Yes" %} |
{% endrowheaders %}
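Review bot: removing the `|{% ifversion push-protection-delegated-bypass %}|` and `|{% endif %}|` rows around "Delegated bypass for push protection" is consistent with the push-protection pages above; the `|{% endif %}|` row kept above "Custom patterns" closes a conditional opened outside this hunk and must stay. Worth a render check that no empty table row is left where the Liquid rows used to be.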
@@ -21,7 +21,7 @@ Some {% data variables.product.prodname_dotcom %} products have features that ar
## Core languages supported by {% data variables.product.prodname_dotcom %} features
Core languages for {% data variables.product.prodname_dotcom %} features include C, C++, C#, Go, Java, JavaScript,{% ifversion kotlin-supported-language %} Kotlin,{% endif %} PHP, Python, Ruby,{% ifversion dependabot-updates-cargo-private-registry-support %} Rust,{% endif %} Scala, and TypeScript. For features that support package managers, the currently supported package managers are included in the table with their relevant languages.
Core languages for {% data variables.product.prodname_dotcom %} features include C, C++, C#, Go, Java, JavaScript,{% ifversion kotlin-supported-language %} Kotlin,{% endif %} PHP, Python, Ruby, Rust, Scala, and TypeScript. For features that support package managers, the currently supported package managers are included in the table with their relevant languages.
Some features are supported for additional languages or package managers. If you want to know whether another language is supported for a feature or to request support for a language, visit {% data variables.contact.community_support_forum %}.
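Review bot: `{% ifversion dependabot-updates-cargo-private-registry-support %} Rust,{% endif %}` becomes a plain "Rust," while `{% ifversion kotlin-supported-language %} Kotlin,{% endif %}` is kept. If the Kotlin flag was also gated only on a version dropped by this deprecation, it should be unwrapped in the same pass; if it genuinely still excludes a supported version, a comment in its feature file saying why would save the next deprecation from re-checking.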
@@ -52,7 +52,7 @@ The administrator of your {% data variables.product.prodname_ghe_server %} insta
Two-factor authentication, or 2FA, is an extra layer of security used when logging into websites or apps. We strongly urge you to configure 2FA for the safety of your account. For more information, see [AUTOTITLE](/authentication/securing-your-account-with-two-factor-authentication-2fa/about-two-factor-authentication).
{% ifversion passkeys %}Optionally, after you have configured 2FA, add a passkey to your account to enable a secure, passwordless login. See [AUTOTITLE](/authentication/authenticating-with-a-passkey/managing-your-passkeys).{% endif %}
Optionally, after you have configured 2FA, add a passkey to your account to enable a secure, passwordless login. See [AUTOTITLE](/authentication/authenticating-with-a-passkey/managing-your-passkeys).
### {% ifversion fpt or ghec %}5.{% elsif ghes %}3.{% endif %} Viewing your {% data variables.product.github %} profile and contribution graph
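Review bot: the passkey sentence is unwrapped from `{% ifversion passkeys %}`, consistent with the 2FA page above; the numbered heading below still switches between "5." for fpt/ghec and "3." for ghes, which is unaffected and correct.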
@@ -18,7 +18,7 @@ topics:
{% endif %}
{% data variables.product.prodname_projects_v2 %} includes built-in workflows that you can use to update the **Status** of items based on certain events. For example, you can automatically set the status to **Todo** when an item is added to your project{% ifversion projects-v2-auto-close %}, close issues when the issue's status in your project is changed,{% endif %} or set the status to **Done** when an issue is closed.
{% data variables.product.prodname_projects_v2 %} includes built-in workflows that you can use to update the **Status** of items based on certain events. For example, you can automatically set the status to **Todo** when an item is added to your project, close issues when the issue's status in your project is changed, or set the status to **Done** when an issue is closed.
When your project initializes, two workflows are enabled by default: When issues or pull requests in your project are closed, their status is set to **Done**, and when pull requests in your project are merged, their status is set to **Done**.
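Review bot: the `projects-v2-auto-close` phrase ("close issues when the issue's status in your project is changed") is unwrapped; the `{% endif %}` shown just above closes a different block and is correct to keep. The "two workflows are enabled by default" sentence below is unchanged.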
@@ -29,7 +29,7 @@ You can also configure workflows to automatically archive items when they meet s
You can enable or disable the built-in workflows for your project.
{% data reusables.projects.access-workflows %}
1. Under "Default workflows", click on the workflow that you want to edit.
1. Under "Default workflows," click on the workflow that you want to edit.
1. In the top right, click **Edit**.

@@ -1,11 +1,11 @@
---
title: Creating rulesets for repositories in your organization
intro: 'You can create a ruleset to target multiple repositories in your organization.'
intro: You can create a ruleset to target multiple repositories in your organization.
versions:
fpt: '*'
ghec: '*'
ghes: '>= 3.13'
permissions: 'Organization owners can create rulesets at the organization level.'
ghes: '*'
permissions: Organization owners can create rulesets at the organization level.
topics:
- Organizations
shortTitle: Create rulesets
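Review bot: `ghes: '>= 3.13'` to `ghes: '*'` is the actual deprecation change and is correct. Unquoting `intro:` and `permissions:` is an unrelated YAML style change, and the "Using organization roles" hunk further down does the opposite (it re-quotes the intro with single quotes); pick one frontmatter convention for the whole commit rather than mixing both.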
@@ -4,8 +4,8 @@ intro: 'You can edit, monitor, and delete existing rulesets to alter how people
versions:
fpt: '*'
ghec: '*'
ghes: '>= 3.13'
permissions: 'Organization owners and users with the "Manage organization ref update rules and rulesets" permission can manage rulesets at the organization level.'
ghes: '*'
permissions: Organization owners and users with the "Manage organization ref update rules and rulesets" permission can manage rulesets at the organization level.
topics:
- Organizations
shortTitle: Manage rulesets
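Review bot: same `'>= 3.13'` to `'*'` change, fine. The unquoted `permissions:` value now contains embedded double quotes ("Manage organization ref update rules and rulesets"); that is still a valid plain scalar because the value does not begin with a quote and contains no `: ` sequence, but it is exactly the kind of line that breaks on a later wording edit, so keeping the outer single quotes would be the safer choice.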
@@ -1,10 +1,10 @@
---
title: Using organization roles
intro: "Learn how to{% ifversion org-pre-defined-roles %} view organization role permissions and{% endif %} manage organization role assignments."
intro: 'Learn how to{% ifversion org-pre-defined-roles %} view organization role permissions and{% endif %} manage organization role assignments.'
versions:
fpt: '*'
ghec: '*'
ghes: '>=3.14'
ghes: '*'
topics:
- Organizations
- Access management
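Review bot: `ghes: '>=3.14'` to `'*'` is correct, since 3.14 becomes the floor once 3.13 is deprecated, but the intro still carries `{% ifversion org-pre-defined-roles %}`; if that flag existed only to exclude 3.13 it is dead after this commit and should be unwrapped here with its feature file removed. The double-to-single quote swap on `intro:` is cosmetic and contradicts the unquoting done in the rulesets frontmatter above.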
@@ -18,7 +18,7 @@ topics:
shortTitle: Create a GitHub Pages site
---
{% data reusables.pages.org-owners-can-restrict-pages-creation %}
## Creating a repository for your site
@@ -51,11 +51,11 @@ shortTitle: Create a GitHub Pages site
{% data reusables.repositories.sidebar-settings %}
{% data reusables.pages.sidebar-pages %}
{%- ifversion ghec %}
1. Optionally, if you're publishing a project site from a private or internal repository, choose the visibility for your site. Under "{% data variables.product.prodname_pages %}", select the visibility dropdown menu, then select public or private.
1. Optionally, if you're publishing a project site from a private or internal repository, choose the visibility for your site. Under "{% data variables.product.prodname_pages %}," select the visibility dropdown menu, then select public or private.
|
||||

|
||||
{% indented_data_reference reusables.pages.privately-publish-ghec-only spaces=3 %}
|
||||
{%- endif %}
|
||||
1. To see your published site, under "{% data variables.product.prodname_pages %}", click **{% octicon "link-external" aria-hidden="true" aria-label="link-external" %} Visit site**.
|
||||
1. To see your published site, under "{% data variables.product.prodname_pages %}," click **{% octicon "link-external" aria-hidden="true" aria-label="link-external" %} Visit site**.
|
||||
|
||||
{% data reusables.pages.twenty-minutes-to-publish %}
|
||||
{% data reusables.pages.admin-must-push %}
|
||||
|
||||
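Review bot: moving the comma inside the closing quotation mark in both numbered steps (`"{% data variables.product.prodname_pages %}," select`) follows American punctuation and is fine, but it is unrelated to the 3.13 deprecation; consider keeping punctuation-only edits in a separate commit so the version-related changes are easier to audit.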
@@ -15,7 +15,7 @@ topics:
|
||||
shortTitle: Create site with Jekyll
|
||||
---
|
||||
|
||||
{% data reusables.pages.org-owners-can-restrict-pages-creation %}
|
||||
|
||||
|
||||
## Prerequisites
|
||||
|
||||
|
||||
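Review bot: same whitespace issue as on the Pages creation page: after `{% data reusables.pages.org-owners-can-restrict-pages-creation %}` the new side shows two consecutive blank lines before `## Prerequisites`; delete one so the file passes the multiple-blank-lines lint rule.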
@@ -35,8 +35,8 @@ You can use protected branches to prevent pull requests from being merged into i
|
||||
Working alongside protected branches, rulesets let you enforce policies across your repository, such as requiring status checks or workflows to pass before a pull request can be merged.
|
||||
|
||||
Rulesets are especially useful for maintaining repository security when combined with other automated security checks. For example:
|
||||
* You can use rulesets to enforce the dependency review action, a workflow that blocks pull requests that are introducing vulnerable dependencies into your codebase. See [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/enforcing-dependency-review-across-an-organization). {% ifversion code-scanning-merge-protection-rulesets %}
|
||||
* If your repository is configured with {% data variables.product.prodname_code_scanning %}, you can use rulesets to set {% data variables.product.prodname_code_scanning %} merge protection, which prevents pull requests from being merged if there is a {% data variables.product.prodname_code_scanning %} alert of a certain severity, or if a {% data variables.product.prodname_code_scanning %} analysis is still in progress. See [AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/set-code-scanning-merge-protection).{% endif %}
|
||||
* You can use rulesets to enforce the dependency review action, a workflow that blocks pull requests that are introducing vulnerable dependencies into your codebase. See [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/enforcing-dependency-review-across-an-organization).
|
||||
* If your repository is configured with {% data variables.product.prodname_code_scanning %}, you can use rulesets to set {% data variables.product.prodname_code_scanning %} merge protection, which prevents pull requests from being merged if there is a {% data variables.product.prodname_code_scanning %} alert of a certain severity, or if a {% data variables.product.prodname_code_scanning %} analysis is still in progress. See [AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/set-code-scanning-merge-protection).
|
||||
|
||||
{% ifversion push-rulesets %}
|
||||
|
||||
|
||||
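Review bot: removing `{% ifversion code-scanning-merge-protection-rulesets %}` ... `{% endif %}` around the second bullet makes the code scanning merge protection bullet render on every version, which is right only if that feature flag now covers fpt, ghec and every remaining GHES release. The same flag is also dropped from the rulesets reference page in this commit; if no references remain, delete the flag's feature data file so an unused feature flag does not linger. Also note the old first bullet ended with a trailing space before the Liquid opener (`organization). {% ifversion`); the new line ends cleanly at the period, good.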
@@ -15,7 +15,7 @@ Leaked secrets can pose serious security risks to your repository and your suppl
|
||||
If the repository you're contributing to on {% data variables.product.github %} is secured by push protection, you'll encounter a push protection block whenever you:
|
||||
|
||||
* **Push commits** containing recognized secrets **from the command line** to the remote repository.
|
||||
* **Commit changes** {% ifversion push-protection-block-uploads %}or upload files {% endif %}containing recognized secrets to a repository in the **{% data variables.product.github %} UI**. {% ifversion secret-scanning-push-protection-content-endpoints %}
|
||||
* **Commit changes** or upload files containing recognized secrets to a repository in the **{% data variables.product.github %} UI**. {% ifversion secret-scanning-push-protection-content-endpoints %}
|
||||
* **Make certain requests** containing recognized secrets in **the REST API**.{% endif %}
|
||||
|
||||
## Resolving a push protection block
|
||||
|
||||
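Review bot: dropping the `push-protection-block-uploads` conditional means "or upload files" is now shown on every version; that matches the wrapper removal on the "Uploading files" page later in this commit, so if no `{% ifversion push-protection-block-uploads %}` references remain anywhere, delete that feature flag's data file too. The `{% ifversion secret-scanning-push-protection-content-endpoints %}` opener at the end of the second bullet and its `{% endif %}` on the third are unchanged and still balanced.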
@@ -142,7 +142,7 @@ You can use the commit status API to allow external services to mark commits wit
|
||||
|
||||
After enabling required status checks, all required status checks must pass before collaborators can merge changes into the branch or tag. {% ifversion repo-rules-ignorecheck %} Optionally, you can select "Do not require status checks on creation" if you wish to allow branch creation regardless of the status check result. {% endif %}
|
||||
|
||||
Any person or integration with write permissions to a repository can set the state of any status check in the repository, but in some cases you may only want to accept a status check from a specific {% data variables.product.prodname_github_app %}. When you add a required status check rule, you can select an app as the expected source of status updates. The app must be installed in the repository with the `statuses:write` permission, must have recently submitted a check run, and must be associated with a pre-existing required status check in the ruleset. If the status is set by any other person or integration, merging won't be allowed. If you select "any source", you can still manually verify the author of each status, listed in the merge box.
|
||||
Any person or integration with write permissions to a repository can set the state of any status check in the repository, but in some cases you may only want to accept a status check from a specific {% data variables.product.prodname_github_app %}. When you add a required status check rule, you can select an app as the expected source of status updates. The app must be installed in the repository with the `statuses:write` permission, must have recently submitted a check run, and must be associated with a pre-existing required status check in the ruleset. If the status is set by any other person or integration, merging won't be allowed. If you select "any source," you can still manually verify the author of each status, listed in the merge box.
|
||||
|
||||
To troubleshoot issues with configuring status checks in rulesets, see [AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/troubleshooting-rules#troubleshooting-required-status-checks).
|
||||
|
||||
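Review bot: the only change here is the comma moving inside the quotation mark (`"any source,"`), a punctuation fix unrelated to the deprecation; fine to keep, but it belongs in a separate style commit. The `{% ifversion repo-rules-ignorecheck %}` conditional in the preceding paragraph is untouched, so verify it still differentiates versions after this commit.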
@@ -162,8 +162,6 @@ You can think of required status checks as being either "loose" or "strict." The
|
||||
|
||||
For status check troubleshooting information, see [AUTOTITLE](/pull-requests/collaborating-with-pull-requests/collaborating-on-repositories-with-code-quality-features/troubleshooting-required-status-checks).
|
||||
|
||||
{% ifversion code-scanning-merge-protection-rulesets %}
|
||||
|
||||
## Set {% data variables.product.prodname_code_scanning %} merge protection
|
||||
|
||||
If your repositories are configured with {% data variables.product.prodname_code_scanning %}, you can use rulesets to prevent pull requests from being merged when one of the following conditions is met:
|
||||
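Review bot: removing the `{% ifversion code-scanning-merge-protection-rulesets %}` opener makes the `## Set {% data variables.product.prodname_code_scanning %} merge protection` section unconditional; the matching `{% endif %}` must go too, and it does in the next hunk (`-172,8 +170,6`), so the Liquid stays balanced. This assumes code scanning merge protection in rulesets exists on every remaining GHES version; if the flag was introduced after 3.14, the conditional must stay.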
@@ -172,8 +170,6 @@ If your repositories are configured with {% data variables.product.prodname_code
|
||||
|
||||
For more information, see [AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/set-code-scanning-merge-protection). For more general information about {% data variables.product.prodname_code_scanning %}, see [AUTOTITLE](/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning).
|
||||
|
||||
{% endif %}
|
||||
|
||||
## Block force pushes
|
||||
|
||||
You can prevent users from force pushing to the targeted branches or tags. This rule is enabled by default.
|
||||
|
||||
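Review bot: this hunk drops the `{% endif %}` that closed the `{% ifversion code-scanning-merge-protection-rulesets %}` removed in the previous hunk, so the pair is removed together and the Liquid remains balanced; the surrounding `## Block force pushes` section is unaffected.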
@@ -33,14 +33,10 @@ You can upload multiple files to {% data variables.product.github %} at the same
|
||||
|
||||
{% endif %}
|
||||
|
||||
{% ifversion push-protection-block-uploads %}
|
||||
|
||||
Your repository may be secured by push protection. With push protection, {% data variables.product.prodname_dotcom %} will block uploading a file to the repository if the file contains a supported secret, such as a token. You should remove the secret from the file before attempting to upload the file again. For more information, see [AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui) and [AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui#resolving-a-blocked-commit).
|
||||
|
||||
{% data reusables.secret-scanning.push-protection-web-UI-uploads-beta %}
|
||||
|
||||
{% endif %}
|
||||
|
||||
> [!WARNING]
|
||||
> Use Git to push files to your repository if you need to apply the logic in your `.gitattributes` file. For example, automatic conversion of line endings. Uploading a file through the {% data variables.product.github %} web interface will ignore `.gitattributes`.
|
||||
|
||||
|
||||
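Review bot: after removing the `{% ifversion push-protection-block-uploads %}` / `{% endif %}` wrapper, `{% data reusables.secret-scanning.push-protection-web-UI-uploads-beta %}` now renders unconditionally on every version; if push protection for uploads is no longer in beta on any supported version, that reusable is stale and should be removed in the same change rather than left unconditional.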
@@ -5,7 +5,7 @@ intro: Use the REST API to interact with organization roles.
|
||||
versions: # DO NOT MANUALLY EDIT. CHANGES WILL BE OVERWRITTEN BY A 🤖
|
||||
fpt: '*'
|
||||
ghec: '*'
|
||||
ghes: '>=3.14'
|
||||
ghes: '*'
|
||||
topics:
|
||||
- API
|
||||
autogenerated: rest
|
||||
|
||||
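Review bot: this `versions` block is marked `# DO NOT MANUALLY EDIT. CHANGES WILL BE OVERWRITTEN BY A 🤖`, so changing `ghes: '>=3.14'` to `ghes: '*'` by hand will be reverted by the next REST pipeline run unless the generator has already been updated to emit `'*'`; confirm the pipeline produces the same output, or let the bot make this edit.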
@@ -1,188 +0,0 @@
|
||||
date: '2024-05-16'
|
||||
release_candidate: true
|
||||
deprecated: true
|
||||
intro: |
|
||||
|
||||
> [!NOTE] Release candidate (RC) builds are intended solely for use in a test environment. Do not install an RC in a production environment.
|
||||
>
|
||||
> Do not upgrade to an RC from a supported, earlier version.
|
||||
>
|
||||
> If {% data variables.location.product_location %} is running an RC, you cannot upgrade to the general availability (GA) release. You also cannot upgrade with a hotpatch.
|
||||
|
||||
For upgrade instructions, see [Upgrading {% data variables.product.prodname_ghe_server %}](/admin/enterprise-management/updating-the-virtual-machine-and-physical-resources/upgrading-github-enterprise-server).
|
||||
sections:
|
||||
# Remove section heading if the section contains no notes.
|
||||
|
||||
features:
|
||||
# Remove a sub-section heading if the heading contains no notes. If sections
|
||||
# that regularly recur are missing, add placeholders to this template.
|
||||
|
||||
- heading: Instance administration
|
||||
notes:
|
||||
# https://github.com/github/releases/issues/3816
|
||||
- |
|
||||
The root navigational experience for enterprise accounts lands all users on an "Enterprise Overview". From this page, enterprise owners can create a README for their enterprise, which will be visible internally to all enterprise members. The "Organization" page still exists and can be accessed from the left sidebar of the enterprise account.
|
||||
# https://github.com/github/releases/issues/3842
|
||||
- |
|
||||
To improve the pre-flight checks experience, all pre-flight checks run even if one check fails. A consolidated report of the results is shown in the UI.
|
||||
# https://github.com/github/releases/issues/3870
|
||||
- |
|
||||
The editor role for a Management Console user has been deprecated in the Manage GitHub Enterprise Server API.
|
||||
# https://github.com/github/releases/issues/3765
|
||||
- |
|
||||
People deploying a GitHub Enterprise Server instance in AWS can now deploy in an environment that uses Instance Metadata Service Version 2 (IMDSv2).
|
||||
# https://github.com/github/releases/issues/3887
|
||||
- |
|
||||
As part of the upgrade to GitHub Enterprise Server 3.13, Elasticsearch (ES) is upgraded from version 5.6.16 to 8.7.0. Upgrading platform components improves performance and security posture. For important upgrade considerations, see [AUTOTITLE](/admin/monitoring-managing-and-updating-your-instance/updating-the-virtual-machine-and-physical-resources/preparing-for-the-elasticsearch-upgrade).
|
||||
# https://github.com/github/releases/issues/3776
|
||||
- |
|
||||
To improve existing tooling for license handling, the `ghe-license` script handles all operations regarding the active license. Commands can be performed on new licenses without importing them first. The script allows direct application of the license without a full configuration run and avoids restarting the instance to reduce downtime. See [AUTOTITLE](/admin/administering-your-instance/administering-your-instance-from-the-command-line/command-line-utilities#ghe-license).
|
||||
|
||||
Administrators can upload the license to their instance using multiple interfaces, including the Management Console, Manage GHES API, CLI, or SSH. See [AUTOTITLE](/billing/managing-your-license-for-github-enterprise/uploading-a-new-license-to-github-enterprise-server).
|
||||
|
||||
- heading: Audit logs
|
||||
notes:
|
||||
# https://github.com/github/releases/issues/3724
|
||||
- |
|
||||
Enterprise and organization audit log events include the applicable SAML and SCIM identity data associated with the user. This data provides increased visibility into the identity of the user and enables logs from multiple systems to quickly and easily be linked using a common corporate identity. The SAML identity information displays in the `external_identity_nameid` field and the SCIM identity data displays in the `external_identity_username` field within the audit log payloads. For more information, see [AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization).
|
||||
|
||||
|
||||
- heading: GitHub Actions
|
||||
notes:
|
||||
# Required Actions Runner version
|
||||
- |
|
||||
{% data reusables.actions.actions-runner-release-note %}
|
||||
# https://github.com/github/releases/issues/3822
|
||||
- |
|
||||
To ensure Actions runners are truly ephemeral and more secure, execution timeouts on self-hosted jobs are limited to 5 days. If a job reaches this limit, the job is terminated and fails to complete. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners#usage-limits).
|
||||
|
||||
- heading: Repositories
|
||||
notes:
|
||||
# https://github.com/github/releases/issues/2992
|
||||
- |
|
||||
Users can use repository properties to add meaningful metadata to repositories that simplifies repository classification, enhances discoverability, and seamlessly integrates with rulesets. For more information, see [AUTOTITLE](/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization).
|
||||
# https://github.com/github/releases/issues/3849
|
||||
- |
|
||||
Users can browse and view code in a revamped experience for GitHub repositories, providing a tree pane for browsing files, fuzzy search for files, sticky code headers, and more.
|
||||
# https://github.com/github/releases/issues/3550
|
||||
- |
|
||||
Users can migrate existing tag protection rules into repository rules. For more information, see [AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/configuring-tag-protection-rules#importing-tag-protection-rules-to-repository-rulesets).
|
||||
|
||||
- heading: Projects
|
||||
notes:
|
||||
# https://github.com/github/releases/issues/3606
|
||||
- |
|
||||
Users can post status updates on their projects to share the current status, start date, and target date of the project itself. For more information, see [AUTOTITLE](/issues/planning-and-tracking-with-projects/learning-about-projects/sharing-project-updates).
|
||||
# https://github.com/github/releases/issues/3878
|
||||
- |
|
||||
Users can migrate their projects (classic) to the new Projects experience. For more information, see [AUTOTITLE](/issues/planning-and-tracking-with-projects/creating-projects/migrating-from-projects-classic).
|
||||
|
||||
- heading: Pull requests
|
||||
notes:
|
||||
# https://github.com/github/releases/issues/3867
|
||||
- |
|
||||
Rebase commits are now created using the merge-ort strategy.
|
||||
|
||||
- heading: Secret scanning
|
||||
notes:
|
||||
# https://github.com/github/releases/issues/3566
|
||||
- |
|
||||
In the secret scanning list view, users can apply a filter to display alerts that are the result of having bypassed push protection. For more information, see [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning).
|
||||
# https://github.com/github/releases/issues/3180
|
||||
- |
|
||||
To increase coverage of secret scanning across an instance, users can enable secret scanning in repositories owned by their personal account. Enterprise owners can disable this feature, or automatically enable it for all new user-owned repositories, in the enterprise settings. See [AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise).
|
||||
|
||||
- heading: Code scanning
|
||||
notes:
|
||||
# https://github.com/github/releases/issues/3526
|
||||
- |
|
||||
Users can enable code scanning on repositories even if they don't contain any code written in the [languages currently supported by CodeQL](https://codeql.github.com/docs/codeql-overview/supported-languages-and-frameworks/). Default setup will automatically trigger the first scan when a supported language is detected on the default branch. For more information, see [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning).
|
||||
# https://github.com/github/releases/issues/3545
|
||||
- |
|
||||
Users can use CodeQL threat model settings for Java to adapt CodeQL's code scanning analysis to detect the most relevant security vulnerabilities in their code. This feature is in public beta and subject to change. For more information, see [AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning).
|
||||
# https://github.com/github/releases/issues/3771
|
||||
# https://github.com/github/releases/issues/3807
|
||||
# https://github.com/github/releases/issues/3818
|
||||
# https://github.com/github/releases/issues/3864
|
||||
# https://github.com/github/releases/issues/3894
|
||||
- |
|
||||
The {% data variables.product.prodname_codeql %} action for code scanning analysis uses version 2.16.5 of the {% data variables.product.prodname_codeql_cli %} by default, an upgrade from 2.15.5 compared to the previous {% data variables.product.prodname_ghe_server %} feature release. For a detailed list of changes included in each version, see the [{% data variables.product.prodname_codeql %} change logs](https://codeql.github.com/docs/codeql-overview/codeql-changelog/).
|
||||
Significant changes include:
|
||||
* Support for Swift 5.9.2, C# 12 / .NET 8, and Go 1.22.
|
||||
* Installation of Python dependencies is disabled for all Python scans by default. See the [GitHub Blog post](https://github.blog/changelog/2023-07-12-code-scanning-with-codeql-no-longer-installs-python-dependencies-automatically-for-new-users/).
|
||||
* A new `python_executable_name` option for the Python extractor. This allows you to select a non-default Python executable installed on the system running the scan (such as `py.exe` on Windows machines). See the [changelog in the CodeQL documentation](https://codeql.github.com/docs/codeql-overview/codeql-changelog/codeql-cli-2.16.3/#new-features).
|
||||
* A fix for [CVE-2024-25129](https://github.com/github/codeql-cli-binaries/security/advisories/GHSA-gf8p-v3g3-3wph), a low-severity data exfiltration vulnerability that could be triggered by processing untrusted databases or CodeQL packs.
|
||||
* The code scanning UI now includes partially extracted files. See the [GitHub Blog post](https://github.blog/changelog/2024-01-23-codeql-2-16-python-dependency-installation-disabled-new-queries-and-bug-fixes/#:~:text=The%20measure%20of,the%20near%20future.).
|
||||
* 2 new C/C++ queries: `cpp/use-of-unique-pointer-after-lifetime-ends` and `cpp/incorrectly-checked-scanf`
|
||||
* 6 new Java queries: `java/insecure-randomness` , `java/exec-tainted-environment` , `java/android/sensitive-text`, `java/android/sensitive-notification`, `java/android/insecure-local-authentication`, and `java/android/insecure-local-key-gen`
|
||||
* 2 new Swift queries: `swift/weak-password-hashing` and `swift/unsafe-unpacking`
|
||||
|
||||
- heading: Code security
|
||||
notes:
|
||||
# https://github.com/github/releases/issues/3333
|
||||
# https://github.com/github/releases/issues/3778
|
||||
# https://github.com/github/releases/issues/3779
|
||||
- |
|
||||
On the security overview dashboard, users can find detailed insights for the security alerts in an organization or enterprise, including trending data that tracks alert counts and activity over time and snapshot data that reflects the current state of the security landscape. Alerts are displayed for both GitHub's security features and third-party tools. Filters are available for the type and visibility of alerts, date range, repository custom properties, and more. The overview dashboard is in public beta and subject to change. For more information, see [AUTOTITLE](/code-security/security-overview/viewing-security-insights).
|
||||
# https://github.com/github/releases/issues/3782
|
||||
- |
|
||||
Users can view trending data for the enablement of security features in an organization. In security overview for an organization, the "Enablement trends" view shows historical data for the activation of security features including Dependabot updates, code scanning alerts, and secret scanning alerts. This feature is in public beta and subject to change. For more information, see [AUTOTITLE](/code-security/security-overview/assessing-adoption-code-security#viewing-enablement-trends-for-an-organization-beta).
|
||||
# https://github.com/github/releases/issues/3712
|
||||
- |
|
||||
For users who use `devcontainer.json` files to define development containers for repositories, Dependabot version updates can keep "features" defined for the dev container up to date. Once configured in `dependabot.yml`, Dependabot will open pull requests on a specified schedule to update the listed features to the latest version. Dependabot security updates for dev containers are not currently supported. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates#dev-containers).
|
||||
|
||||
- heading: Authentication
|
||||
notes:
|
||||
# https://github.com/github/releases/issues/2473
|
||||
- |
|
||||
For enterprises or organizations that use an SSH certificate authority (CA) to provide SSH certificates to members, to protect against a security risk involving user renames, new SSH CAs that are uploaded to a GitHub Enterprise Server 3.13 instance can only be used to sign certificates that are set to expire. For new CAs, you must use the `-V` parameter with `ssh-keygen` to generate a certificate with a `valid-after` claim.
|
||||
|
||||
The `valid-after` claim allows GitHub to validate that the user named in the SSH certificate hasn't been renamed since the certificate was signed. CAs uploaded prior to version 3.13 are exempt from this requirement and can be used to sign certificates that do not expire. However, when you've ensured that your certificate signing process uses the `-V` flag, GitHub encourages you to upgrade existing certificates to enforce the expiration requirement. For more information, see [AUTOTITLE](/organizations/managing-git-access-to-your-organizations-repositories/managing-your-organizations-ssh-certificate-authorities#upgrading-an-ssh-certificate-authority) or [AUTOTITLE](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-security-settings-in-your-enterprise#upgrading-an-ssh-certificate-authority).
|
||||
|
||||
changes:
|
||||
# https://github.com/github/releases/issues/3971
|
||||
- |
|
||||
TCP port 9103 is opened for future administrative features related to support for Prometheus scraping. The port has been open since GitHub Enterprise Server 3.12, but this change wasn't communicated at the time release notes for version 3.12 were first published.
|
||||
# https://github.com/github/releases/issues/3940
|
||||
- |
|
||||
**Upcoming change:** In version 3.14 and later of GitHub Enterprise Server, for instances with GitHub Actions and GitHub Connect enabled, self-hosted runners that download actions from GitHub.com via GitHub Connect will need to allow access to the following new hosts.
|
||||
|
||||
* `ghcr.io`
|
||||
* `*.actions.githubusercontent.com`
|
||||
|
||||
You can make this change to your firewall rules on version 3.13, or on a previous version of GitHub Enterprise Server. For a smooth upgrade to version 3.14, we recommend you make changes to your firewall rules now, as failing to do so will result in your runners being unable to download certain actions in version 3.14 and later.
|
||||
# https://github.com/github/releases/issues/3443
|
||||
- |
|
||||
The "Create a reference" REST API endpoint is restricted from accepting POSTs from users and apps that only have permission to read and write packages. Previously, this endpoint accepted updates to both tags and branches.
|
||||
# https://github.com/github/releases/issues/3850
|
||||
- |
|
||||
To ensure security updates are applied correctly regardless of your repository's configuration settings, Dependabot uses private registry configurations specified in the `dependabot.yml` file as expected, even if there is a configuration with `target-branch`. Security updates still do not support `target-branch` configuration. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot).
|
||||
|
||||
known_issues:
|
||||
# INCLUDE NOTES FOR RELEASE FROM "GHES Release Note Tracking" PROJECT'S "Known Issues" TAB
|
||||
- |
|
||||
Custom firewall rules are removed during the upgrade process.
|
||||
- |
|
||||
During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start.
|
||||
- |
|
||||
If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. For more information, see [AUTOTITLE](/admin/configuration/administering-your-instance-from-the-management-console/troubleshooting-access-to-the-management-console#unlocking-the-root-site-administrator-account).
|
||||
- |
|
||||
On an instance with the HTTP `X-Forwarded-For` header configured for use behind a load balancer, all client IP addresses in the instance's audit log erroneously appear as 127.0.0.1.
|
||||
- |
|
||||
{% data reusables.release-notes.2023-12-backup-utils-exit-early-redis %}
|
||||
- |
|
||||
When enabling log forwarding, specific service logs, including babeld, are duplicated. For more information, see [AUTOTITLE](/admin/monitoring-activity-in-your-enterprise/exploring-user-activity-in-your-enterprise/log-forwarding#enabling-log-forwarding).
|
||||
- |
|
||||
{% data reusables.release-notes.2024-06-possible-frontend-5-minute-outage-during-hotpatch-upgrade %} [Updated: 2024-06-17]
|
||||
- |
|
||||
{% data reusables.release-notes.2024-11-ghe-repl-promote-primary-down %}
|
||||
|
||||
[Updated: 2024-11-29]
|
||||
|
||||
deprecations:
|
||||
# https://github.com/github/releases/issues/2732
|
||||
- |
|
||||
As part of sunsetting Subversion compatibility, Subversion support is now disabled by default. Subversion can be re-enabled in the 3.13 release series by setting `app.svnbridge.enabled = true`. In 3.14, subversion support will be permanently removed. For more information, see [Sunsetting Subversion support](https://github.blog/2023-01-20-sunsetting-subversion-support/) on the GitHub blog.
|
||||
# https://github.com/github/releases/issues/3859
|
||||
- |
|
||||
The Manage GHES API reached feature parity with the Management Console API in GHES 3.12. As a result, we will deprecate the Management Console API in GitHub Enterprise Server 3.15. For information about updating tooling that relies on the Management Console API, see [AUTOTITLE](/rest/enterprise-admin/management-console).
|
||||
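Review bot: this deletes the 3.13 release candidate notes outright. The file records security-relevant history (the `ghe-license` handling changes, the `valid-after` requirement for newly uploaded SSH CAs with `ssh-keygen -V`, the CodeQL CLI bump that included the fix for CVE-2024-25129, and the firewall hosts `ghcr.io` and `*.actions.githubusercontent.com` required from 3.14). Confirm the deprecated-version archive already contains a copy before merging, so those notes remain reachable, and check that no remaining page links to this release note by its 3.13 path.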
@@ -1,213 +0,0 @@
|
||||
date: '2024-06-18'
|
||||
release_candidate: false
|
||||
deprecated: false
|
||||
intro: |
|
||||
>[!NOTE] An upgrade to Elasticsearch in version 3.13 may affect performance on your instance. See [AUTOTITLE](/admin/monitoring-managing-and-updating-your-instance/updating-the-virtual-machine-and-physical-resources/preparing-for-the-elasticsearch-upgrade).
|
||||
|
||||
For upgrade instructions, see [Upgrading {% data variables.product.prodname_ghe_server %}](/admin/enterprise-management/updating-the-virtual-machine-and-physical-resources/upgrading-github-enterprise-server).
|
||||
|
||||
sections:
|
||||
# Remove section heading if the section contains no notes.
|
||||
|
||||
features:
|
||||
# Remove a sub-section heading if the heading contains no notes. If sections
|
||||
# that regularly recur are missing, add placeholders to this template.
|
||||
|
||||
- heading: Instance administration
|
||||
notes:
|
||||
# https://github.com/github/releases/issues/3816
|
||||
- |
|
||||
The root navigational experience for enterprise accounts lands all users on an "Enterprise Overview". From this page, enterprise owners can create a README for their enterprise, which will be visible internally to all enterprise members. The "Organization" page still exists and can be accessed from the left sidebar of the enterprise account.
|
||||
# https://github.com/github/releases/issues/3842
- |
To improve the pre-flight checks experience, all pre-flight checks run even if one check fails. A consolidated report of the results is shown in the UI.
# https://github.com/github/releases/issues/3870
- |
The editor role for a Management Console user has been deprecated in the Manage GitHub Enterprise Server API.
# https://github.com/github/releases/issues/3765
- |
People deploying a GitHub Enterprise Server instance in AWS can now deploy in an environment that uses Instance Metadata Service Version 2 (IMDSv2).
# https://github.com/github/releases/issues/3887
- |
As part of the upgrade to GitHub Enterprise Server 3.13, Elasticsearch (ES) is upgraded from version 5.6.16 to 8.7.0. Upgrading platform components improves performance and security posture. For important upgrade considerations, see [AUTOTITLE](/admin/monitoring-managing-and-updating-your-instance/updating-the-virtual-machine-and-physical-resources/preparing-for-the-elasticsearch-upgrade).
# https://github.com/github/releases/issues/3776
- |
To improve existing tooling for license handling, the `ghe-license` script handles all operations regarding the active license. Commands can be performed on new licenses without importing them first. The script allows direct application of the license without a full configuration run and avoids restarting the instance to reduce downtime. See [AUTOTITLE](/admin/administering-your-instance/administering-your-instance-from-the-command-line/command-line-utilities#ghe-license).

Administrators can upload the license to their instance using multiple interfaces, including the Management Console, Manage GHES API, CLI, or SSH. See [AUTOTITLE](/billing/managing-your-license-for-github-enterprise/uploading-a-new-license-to-github-enterprise-server).

- heading: Audit logs
notes:
# https://github.com/github/releases/issues/3724
- |
Enterprise and organization audit log events include the applicable SAML and SCIM identity data associated with the user. This data provides increased visibility into the identity of the user and enables logs from multiple systems to quickly and easily be linked using a common corporate identity. The SAML identity information displays in the `external_identity_nameid` field and the SCIM identity data displays in the `external_identity_username` field within the audit log payloads. For more information, see [AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization).

- heading: GitHub Actions
notes:
# Required Actions Runner version
- |
{% data reusables.actions.actions-runner-release-note %}
# https://github.com/github/releases/issues/3822
- |
To ensure Actions runners are truly ephemeral and more secure, execution timeouts on self-hosted jobs are limited to 5 days. If a job reaches this limit, the job is terminated and fails to complete. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners#usage-limits).

- heading: Repositories
notes:
# https://github.com/github/releases/issues/2992
- |
Users can use repository properties to add meaningful metadata to repositories that simplifies repository classification, enhances discoverability, and seamlessly integrates with rulesets. For more information, see [AUTOTITLE](/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization).
# https://github.com/github/releases/issues/3849
- |
Users can browse and view code in a revamped experience for GitHub repositories, providing a tree pane for browsing files, fuzzy search for files, sticky code headers, and more.
# https://github.com/github/releases/issues/3550
- |
Users can migrate existing tag protection rules into repository rules. For more information, see [AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/configuring-tag-protection-rules#importing-tag-protection-rules-to-repository-rulesets).

- heading: Projects
notes:
# https://github.com/github/releases/issues/3606
- |
Users can post status updates on their projects to share the current status, start date, and target date of the project itself. For more information, see [AUTOTITLE](/issues/planning-and-tracking-with-projects/learning-about-projects/sharing-project-updates).
# https://github.com/github/releases/issues/3878
- |
Users can migrate their projects (classic) to the new Projects experience. For more information, see [AUTOTITLE](/issues/planning-and-tracking-with-projects/creating-projects/migrating-from-projects-classic).

- heading: Pull requests
notes:
# https://github.com/github/releases/issues/3867
- |
Rebase commits are now created using the merge-ort strategy.

- heading: Secret scanning
notes:
# https://github.com/github/releases/issues/3566
- |
In the secret scanning list view, users can apply a filter to display alerts that are the result of having bypassed push protection. For more information, see [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning).
# https://github.com/github/releases/issues/3180
- |
To increase coverage of secret scanning across an instance, users can enable secret scanning in repositories owned by their personal account. Enterprise owners can disable this feature, or automatically enable it for all new user-owned repositories, in the enterprise settings. See [AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise).

- heading: Code scanning
notes:
# https://github.com/github/releases/issues/3526
- |
Users can enable code scanning on repositories even if they don’t contain any code written in the [languages currently supported by CodeQL](https://codeql.github.com/docs/codeql-overview/supported-languages-and-frameworks/). Default setup will automatically trigger the first scan when a supported language is detected on the default branch. For more information, see [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning).
# https://github.com/github/releases/issues/3545
- |
Users can use CodeQL threat model settings for Java to adapt CodeQL's code scanning analysis to detect the most relevant security vulnerabilities in their code. This feature is in public beta and subject to change. For more information, see [AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning).
# https://github.com/github/releases/issues/3771
- |
The {% data variables.product.prodname_codeql %} action for code scanning analysis uses version 2.16.5 of the {% data variables.product.prodname_codeql_cli %} by default, an upgrade from 2.15.5 compared to the previous {% data variables.product.prodname_ghe_server %} feature release. For a detailed list of changes included in each version, see the [{% data variables.product.prodname_codeql %} change logs](https://codeql.github.com/docs/codeql-overview/codeql-changelog/).
Significant changes include:
* Support for Swift 5.9.2, C# 12 / .NET 8, and Go 1.22.
* Installation of Python dependencies is disabled for all Python scans by default. See the [GitHub Blog post](https://github.blog/changelog/2023-07-12-code-scanning-with-codeql-no-longer-installs-python-dependencies-automatically-for-new-users/).
* A new `python_executable_name` option for the Python extractor. This allows you to select a non-default Python executable installed on the system running the scan (such as `py.exe` on Windows machines). See the [changelog in the CodeQL documentation](https://codeql.github.com/docs/codeql-overview/codeql-changelog/codeql-cli-2.16.3/#new-features).
* A fix for [CVE-2024-25129](https://github.com/github/codeql-cli-binaries/security/advisories/GHSA-gf8p-v3g3-3wph), a low-severity data exfiltration vulnerability that could be triggered by processing untrusted databases or CodeQL packs.
* The code scanning UI now includes partially extracted files. See the [GitHub Blog post](https://github.blog/changelog/2024-01-23-codeql-2-16-python-dependency-installation-disabled-new-queries-and-bug-fixes/#:~:text=The%20measure%20of,the%20near%20future.).
* 2 new C/C++ queries: `cpp/use-of-unique-pointer-after-lifetime-ends` and `cpp/incorrectly-checked-scanf`
* 6 new Java queries: `java/insecure-randomness` , `java/exec-tainted-environment` , `java/android/sensitive-text`, `java/android/sensitive-notification`, `java/android/insecure-local-authentication`, and `java/android/insecure-local-key-gen`
* 2 new Swift queries: `swift/weak-password-hashing` and `swift/unsafe-unpacking`
- heading: Code security
notes:
# https://github.com/github/releases/issues/3333
# https://github.com/github/releases/issues/3778
# https://github.com/github/releases/issues/3779
- |
On the security overview dashboard, users can find detailed insights for the security alerts in an organization or enterprise, including trending data that tracks alert counts and activity over time and snapshot data that reflects the current state of the security landscape. Alerts are displayed for both GitHub's security features and third-party tools. Filters are available for the type and visibility of alerts, date range, repository custom properties, and more. The overview dashboard is in public beta and subject to change. For more information, see [AUTOTITLE](/code-security/security-overview/viewing-security-insights).
# https://github.com/github/releases/issues/3782
- |
Users can view trending data for the enablement of security features in an organization. In security overview for an organization, the "Enablement trends" view shows historical data for the activation of security features including Dependabot updates, code scanning alerts, and secret scanning alerts. This feature is in public beta and subject to change. For more information, see [AUTOTITLE](/code-security/security-overview/assessing-adoption-code-security#viewing-enablement-trends-for-an-organization-beta).
# https://github.com/github/releases/issues/3712
- |
For users who use `devcontainer.json` files to define development containers for repositories, Dependabot version updates can keep "features" defined for the dev container up to date. Once configured in `dependabot.yml`, Dependabot will open pull requests on a specified schedule to update the listed features to the latest version. Dependabot security updates for dev containers are not currently supported. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates#dev-containers).

- heading: Authentication
notes:
# https://github.com/github/releases/issues/2473
- |
For enterprises or organizations that use an SSH certificate authority (CA) to provide SSH certificates to members, to protect against a security risk involving user renames, new SSH CAs that are uploaded to a GitHub Enterprise Server 3.13 instance can only be used to sign certificates that are set to expire. For new CAs, you must use the `-V` parameter with `ssh-keygen` to generate a certificate with a `valid-after` claim.

The `valid-after` claim allows GitHub to validate that the user named in the SSH certificate hasn't been renamed since the certificate was signed. CAs uploaded prior to version 3.13 are exempt from this requirement and can be used to sign certificates that do not expire. However, when you've ensured that your certificate signing process uses the `-V` flag, GitHub encourages you to upgrade existing certificates to enforce the expiration requirement. For more information, see [AUTOTITLE](/organizations/managing-git-access-to-your-organizations-repositories/managing-your-organizations-ssh-certificate-authorities#upgrading-an-ssh-certificate-authority) or [AUTOTITLE](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-security-settings-in-your-enterprise#upgrading-an-ssh-certificate-authority).

changes:
# https://github.com/github/releases/issues/3971
- |
TCP port 9103 is opened for future administrative features related to support for Prometheus scraping. The port has been open since GitHub Enterprise Server 3.12, but this change wasn't communicated at the time release notes for version 3.12 were first published.
# https://github.com/github/releases/issues/3940
- |
**Upcoming change:** In version 3.14 and later of GitHub Enterprise Server, for instances with GitHub Actions and GitHub Connect enabled, self-hosted runners that download actions from GitHub.com via GitHub Connect will need to allow access to the following new hosts.

* `ghcr.io`
* `*.actions.githubusercontent.com`

Please update the outbound firewall rules on your self-hosted runners to allow requests to these services. You can make this change on version 3.13, or on a previous version of GitHub Enterprise Server. For a smooth upgrade to version 3.14, we recommend you make changes to your firewall rules now, as failing to do so will result in your runners being unable to download certain actions in version 3.14 and later.
# https://github.com/github/releases/issues/3443
- |
The "Create a reference" REST API endpoint is restricted from accepting POSTs from users and apps that only have permission to read and write packages. Previously, this endpoint accepted updates to both tags and branches.
# https://github.com/github/releases/issues/3850
- |
To ensure security updates are applied correctly regardless of your repository's configuration settings, Dependabot uses private registry configurations specified in the `dependabot.yml` file as expected, even if there is a configuration with `target-branch`. Security updates still do not support `target-branch` configuration. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot).

known_issues:
# INCLUDE NOTES FOR RELEASE FROM "GHES Release Note Tracking" PROJECT'S "Known Issues" TAB
- |
Custom firewall rules are removed during the upgrade process.
- |
During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start.
- |
If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. For more information, see [AUTOTITLE](/admin/configuration/administering-your-instance-from-the-management-console/troubleshooting-access-to-the-management-console#unlocking-the-root-site-administrator-account).
- |
On an instance with the HTTP `X-Forwarded-For` header configured for use behind a load balancer, all client IP addresses in the instance's audit log erroneously appear as 127.0.0.1.
- |
{% data reusables.release-notes.2023-12-backup-utils-exit-early-redis %}
- |
When enabling log forwarding, specific service logs, including babeld, are duplicated. For more information, see [AUTOTITLE](/admin/monitoring-activity-in-your-enterprise/exploring-user-activity-in-your-enterprise/log-forwarding#enabling-log-forwarding).
- |
Repositories originally imported using `ghe-migrator` do not correctly track committers for GitHub Advanced Security billing.
- |
When log forwarding is enabled, some forwarded log entries may be duplicated.
- |
Due to a known regression, operators will not be able to use the `ghe-migrations` visualizer to view the status of migrations during an upgrade. Instead, the operator can inspect the log files in `/var/log/dbmigration` to see the status and progress of migrations.
- |
`TokenScanningServiceMetricsApiError` errors may appear after the upgrade.
- |
The log entry `irb: warn: can't alias delete from irb_delete` may appear during creation and upload of support bundles.
- |
The admin stats REST API endpoints may time out on appliances with many users or repositories. Retrying the request until data is returned is advised.
- |
When following the steps for [Replacing the primary MySQL node](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-the-primary-mysql-node), step 14 (running `ghe-cluster-config-apply`) might fail with errors. If this occurs, re-running `ghe-cluster-config-apply` is expected to succeed.
- |
Running `ghe-cluster-config-apply` as part of the steps for [Replacing a node in an emergency](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-a-node-in-an-emergency) might fail with errors if the node being replaced has not first been turned off. If this occurs, turn the node off and repeat the steps.
- |
For an instance in a cluster configuration and with GitHub Actions enabled, restoring a cluster from backup requires targeting the primary DB node.
- |
Memory utilization may increase after the upgrade. During periods of high traffic, interruptions in service may occur due to insufficient memory allocations for internal components.
- |
Following an upgrade, Elasticsearch search migrations are sometimes incorrectly reported as failing in the audit log, even though the migrations completed successfully. [Updated: 2024-08-02]
- |
Images embedded in wiki pages may stop rendering shortly after being published. [Updated: 2024-10-16]
- |
{% data reusables.release-notes.2024-11-ghe-repl-promote-primary-down %}

[Updated: 2024-11-29]
- |
{% data reusables.release-notes.2025-03-03-elasticsearch-data-loss %}

[Updated: 2025-03-12]

deprecations:
# https://github.com/github/releases/issues/2732
- |
As part of sunsetting Subversion compatibility, Subversion support is now disabled by default. Subversion can be re-enabled in the 3.13 release series by setting `app.svnbridge.enabled = true`. In 3.14, subversion support will be permanently removed. For more information, see [Sunsetting Subversion support](https://github.blog/2023-01-20-sunsetting-subversion-support/) on the GitHub blog.
# https://github.com/github/releases/issues/3859
- |
The Manage GHES API reached feature parity with the Management Console API in GHES 3.12. As a result, we will remove the Management Console API in GitHub Enterprise Server 3.15. For information about updating tooling that relies on the Management Console API, see [AUTOTITLE](/rest/enterprise-admin/management-console).
# https://github.com/github/releases/issues/3794
- |
From November 19, 2024, references to v1 and v2 of artifacts actions in GitHub Actions will not resolve. GitHub deprecated v1 and v2 of actions/upload-artifact, actions/download-artifact, and related npm packages on June 30, 2024. You can read more about this deprecation on the [GitHub Blog](https://github.blog/changelog/2024-02-13-deprecation-notice-v1-and-v2-of-the-artifact-actions/). GitHub Enterprise Server instances configured to use GitHub Connect to download these actions will need to store cached copies locally for workflows to continue working. If your local copy of these actions has been removed, use [GitHub Actions Sync](https://github.com/actions/actions-sync) to manually re-download the actions. [Updated: 2024-18-20]
# https://github.com/github/releases/issues/3794
- |
The deprecated v1 and v2 versions of artifacts actions will be removed from GitHub Enterprise Server 3.15 onwards. Users should update their workflows to use v3 or later versions of artifacts actions. [Updated: 2024-18-20]
errata:
- 'The [Deprecations](/admin/release-notes#3.13.0-deprecations) section previously indicated that the Management Console API would be deprecated in GitHub Enterprise Server 3.14. Instead, the Management Console API will be removed in GitHub Enterprise Server 3.15. [Updated: 2024-07-08]'
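Review bot: the errata entry at the bottom of this hunk links to `/admin/release-notes#3.13.0-deprecations`, an anchor that disappears together with this file, so grep the docs for remaining inbound links to 3.13 release-note anchors before merging. Within the visible diff this file is also the only user of `reusables.release-notes.2023-12-backup-utils-exit-early-redis` and `reusables.release-notes.2024-11-ghe-repl-promote-primary-down`; if no surviving version's notes reference them, remove those reusables in the same change rather than leaving them orphaned.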
@@ -1,62 +0,0 @@
date: '2025-01-21'
sections:
security_fixes:
- |
**HIGH:** An attacker could forge a SAML response to provision and/or gain access to an account with administrator privileges for GitHub Enterprise Server instances that use SAML single sign-on authentication. Instances not utilizing SAML single sign-on or where the attacker is not already an existing user are not impacted. Exploitation of this vulnerability would allow for signature spoofing by improper validation. GitHub has requested CVE ID [CVE-2025-23369](https://www.cve.org/cverecord?id=CVE-2025-23369) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
- |
Packages have been updated to the latest security versions.
bugs:
- |
Restore failed silently on incremental MySQL backups.
- |
On an instance with GitHub Actions enabled, a configuration run could hang if the blob storage was inaccessible.
- |
Site administrators using `ghe-config-apply` saw `rm cannot remove DIRECTORY` errors. Old log directories are now removed without reporting errors.
- |
After an initial reboot, the appliance sometimes altered the ownership permissions of `gitmon` directories. As a result, the Management Console could hang at the "Starting" phase.
- |
The view for a repository's "top contributors" failed to render when when it received invalid parameters.
- |
Repository archive exports failed when the archive was more than 5 GiB.
- |
The SAML SSO and SCIM identity of the user (actor) who performed the action, `external_identity_nameid`, was omitted from the metadata for audit log entries.
- |
If you unarchived a repository with secret scanning enabled and then enabled GitHub Advanced Security, the feature settings were incorrectly reported by security overview. Secret scanning was shown as disabled.
- |
`ghe-migrator` imports could fail due to attachments with invalid model types.
changes:
- |
To avoid service disruption, the bundled action `actions/setup-dotnet` uses new .NET CDN URLs. See https://github.com/dotnet/core/issues/9671.
- |
To avoid unnecessary error messages when users attempt to create a ruleset in evaluate mode in a repository that is user owned, we removed the evaluate mode option on the ruleset.
- |
Log output for git maintenance now includes the time taken to complete the maintenance process.
known_issues:
- |
During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start.
- |
If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. For more information, see "[AUTOTITLE](/admin/configuration/administering-your-instance-from-the-management-console/troubleshooting-access-to-the-management-console#unlocking-the-root-site-administrator-account)."
- |
On an instance with the HTTP `X-Forwarded-For` header configured for use behind a load balancer, all client IP addresses in the instance's audit log erroneously appear as 127.0.0.1.
- |
For an instance in a cluster configuration and with GitHub Actions enabled, restoring a cluster from backup requires targeting the primary DB node.
- |
When following the steps for [Replacing the primary MySQL node](/enterprise-server@3.12/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-the-primary-mysql-node), step 14 (running `ghe-cluster-config-apply`) might fail with errors. If this occurs, re-running `ghe-cluster-config-apply` is expected to succeed.
- |
Running a config apply as part of the steps for [Replacing a node in an emergency](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-a-node-in-an-emergency) may fail with errors if the node being replaced is still reachable. If this occurs, shutdown the node and repeat the steps.
- |
{% data reusables.release-notes.2024-06-possible-frontend-5-minute-outage-during-hotpatch-upgrade %}
- |
When restoring data originally backed up from a 3.13 appliance onto a 3.13 appliance, the elasticsearch indices need to be reindexed before some of the data will show up. This happens via a nightly scheduled job. It can also be forced by running `/usr/local/share/enterprise/ghe-es-search-repair`.
- |
When restoring from a backup snapshot, a large number of `mapper_parsing_exception` errors may be displayed.
- |
{% data reusables.release-notes.2025-03-03-elasticsearch-data-loss %}

[Updated: 2025-03-12]

errata:
- |
These release notes previously indicated as a known issue that on GitHub Enterprise Server 3.13.10, repositories originally imported using `ghe-migrator` will not correctly track Advanced Security contributions.

The fix for this problem was already included in GitHub Enterprise Server [3.12](/admin/release-notes#3.12.0-bugs). [Updated: 2025-04-11]
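Review bot: this hunk is the only record in the diff of the fix for CVE-2025-23369 (rated HIGH: a forged SAML response could provision or take over an administrator account on SAML-SSO instances). Removing the 3.13.10 notes is consistent with retiring the series, but confirm that a surviving release-notes page or the CVE record still states which releases closed it, since administrators still on 3.13 builds rely on that mapping to prioritize the upgrade. The errata at the end of the hunk also cites `/admin/release-notes#3.12.0-bugs`; that anchor only keeps resolving if the 3.12 notes are not removed in a follow-up.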
@@ -1,74 +0,0 @@
date: '2025-02-18'
intro: |
{% warning %}

**Warning**: For instances installed on Google Cloud Platform (GCP), hotpatches to GitHub Enterprise Server version `3.13.11` will result in errors being reported in the upgrade log. We recommend hotpatching to a newer 3.13 version instead. [Updated: 2025-03-11]

{% endwarning %}
sections:
security_fixes:
- |
**HIGH**: An attacker could access environment variables in the debug artifacts uploaded by the CodeQL action after a failed code scanning workflow run. This includes any secrets that were exposed to the workflow as environment variables. The attacker requires read access to the repository to access the debug artifact. Users who do not have debug logging enabled are unaffected. The impact to GitHub Enterprise Server users is limited to internal actors. To mitigate this issue, GitHub no longer logs the complete environment by default. GitHub has requested [CVE-2025-24362](https://www.cve.org/CVERecord?id=CVE-2025-24362) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
- |
Packages have been updated to the latest security versions.
bugs:
- |
In some cluster configurations, it was not possible to enable GitHub Advanced Security in bulk.
- |
In certain cases, on an instance in a cluster configuration, secret scanning would fail to run due to misconfiguration of a Kafka service.
- |
In an instance in a high-availability or cluster configuration, administrators who updated the instance's license did not see the change reflected on the "Licenses" page in the UI.
- |
Audit log indices from 2018 could occasionally fail to be created when migrating to Elasticsearch 8.
- |
Attachment records were not created when JWT tokens were included in user asset URLs on issues.
- |
The relative date for commits was sometimes incorrectly displayed in the web UI.
- |
In cluster environments, API rate limits were calculated using the cluster node IP address instead of the client IP address. This could lead to incorrect rate limiting and the wrong IP address being recorded in audit log entries.
- |
Users were unable to open issues where the events timeline contained references to projects that were not moved over during a migration. Instead, the `500` error page was displayed.
- |
Certain search terms for repositories and wikis did not return all valid results.
- |
In some cluster configurations, secret scanning failed to run normally due to connection failures.
changes:
- |
Log files on the appliance root disk are compressed immediately upon daily rotation instead of after a 24 hour delay. You can revert to the previous `delaycompress` behavior by signing in as an SSH admin user, setting `ghe-config logrotate.delaycompress true` and then running `ghe-config-apply`.
- |
The CodeQL action has been updated to v3.28.6 to enable uploading artifacts in debug mode without logging the complete environment when running CodeQL CLI v2.20.3+.
- |
The `ghe-live-migrations --init-target` command fails with a descriptive error message if the specified upgrade path is not supported.
known_issues:
- |
{% data reusables.release-notes.2025-02-gcp-hotpatch-bug %} [Updated: 2025-03-11]
- |
During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start.
- |
If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. For more information, see "[AUTOTITLE](/admin/configuration/administering-your-instance-from-the-management-console/troubleshooting-access-to-the-management-console#unlocking-the-root-site-administrator-account)."
- |
On an instance with the HTTP `X-Forwarded-For` header configured for use behind a load balancer, all client IP addresses in the instance's audit log erroneously appear as 127.0.0.1.
- |
For an instance in a cluster configuration and with GitHub Actions enabled, restoring a cluster from backup requires targeting the primary DB node.
- |
When following the steps for [Replacing the primary MySQL node](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-the-primary-mysql-node), step 14 (running `ghe-cluster-config-apply`) might fail with errors. If this occurs, re-running `ghe-cluster-config-apply` is expected to succeed.
- |
Running a config apply as part of the steps for [Replacing a node in an emergency](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-a-node-in-an-emergency) may fail with errors if the node being replaced is still reachable. If this occurs, shutdown the node and repeat the steps.
- |
{% data reusables.release-notes.2024-06-possible-frontend-5-minute-outage-during-hotpatch-upgrade %}
- |
When restoring data originally backed up from a 3.13 appliance onto a 3.13 appliance, the elasticsearch indices need to be reindexed before some of the data will show up. This happens via a nightly scheduled job. It can also be forced by running `/usr/local/share/enterprise/ghe-es-search-repair`.
- |
When restoring from a backup snapshot, a large number of `mapper_parsing_exception` errors may be displayed.
- |
{% data reusables.release-notes.2025-03-03-elasticsearch-data-loss %}

[Updated: 2025-03-12]
errata:
- |
The warning and known issues section have been updated to accurately reflect that instances installed on GCP will face issues while hotpatching to 3.13.11. Previously, the warning and known issue indicated that customers would face issues either while upgrading or hotpatching to version 3.13.11. [Updated: 2025-03-11]
- |
These release notes previously indicated as a known issue that on GitHub Enterprise Server 3.13.11, repositories originally imported using `ghe-migrator` will not correctly track Advanced Security contributions.

The fix for this problem was already included in GitHub Enterprise Server [3.12](/admin/release-notes#3.12.0-bugs). [Updated: 2025-04-11]

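Review bot: the `{% warning %}` intro and the first known-issues entry (`reusables.release-notes.2025-02-gcp-hotpatch-bug`) both describe the same GCP hotpatch problem for 3.13.11; once this file is gone, check whether any other version's notes still use that reusable and delete it alongside if not. This hunk is also the only place in the diff that records CVE-2025-24362 (environment variables, including workflow secrets, exposed in CodeQL action debug artifacts) together with the mitigating CodeQL action update to v3.28.6 in the changes section; make sure the surviving notes keep that fix-to-version mapping so readers can verify their pinned CodeQL action is past the affected version.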
@@ -1,60 +0,0 @@
date: '2025-03-04'
sections:
features:
- |
Running {% data variables.product.prodname_ghe_server %} on the VMware ESXi 8.0 hypervisor is supported. If your installation is on VMware ESXi 7.x or earlier versions, you can now use the ESXi 8.0 hypervisor. [Updated: 2025-04-03]
security_fixes:
- |
Permissions and ownership of `/etc/ssh/sshd_config` are enforced so that the `root` identity is the only one able to read or write to the file.
- |
Packages have been updated to the latest security versions.
bugs:
- |
Some instances with self-signed certificates encountered duplicated IP and DNS entries in their certificate.
- |
During an upgrade, encrypted record diagnostics would incorrectly flag 2FA records without associated users as undecryptable, causing misleading or unactionable error messages. In addition, in a high-availability or cluster configuration, encrypted record diagnostics were run unnecessarily on nodes other than the MySQL primary, and the resulting prompt from these diagnostics did not honor the `-y` flag.
- |
An issue with the webhook delivery system could cause missing commits on pull requests and stop GitHub Actions workflows from running reliably on certain triggers. A database replication delay in the webhook delivery system has been removed.
- |
When a pre-receive hook blocked users from making a commit in the UI, the error message did not display any `echo` messages specified in the pre-receive hook script.
- |
When users requested large amounts of data from certain API endpoints, such as [List organization repositories](/rest/repos/repos#list-organization-repositories), they sometimes received a `500` error.
- |
Domain entries could fail to load in the "Verified & Approves Domains" section of the site admin dashboard if one or more authoritative nameservers for the affected domain was unreachable or unresponsive.
- |
Some packages failed to install when a hotpatch was applied to instances hosted on Google Cloud Platform.
changes:
- |
The `ghe-check-disk-usage` command has been updated to provide more valuable insights into troubleshooting disk space issues on the root and data disks.
|
||||
- |
|
||||
A graph for visualizing the status of repository maintenance has been added to the management console.
|
||||
known_issues:
|
||||
- |
|
||||
During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start.
|
||||
- |
|
||||
If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. For more information, see "[AUTOTITLE](/admin/configuration/administering-your-instance-from-the-management-console/troubleshooting-access-to-the-management-console#unlocking-the-root-site-administrator-account)."
|
||||
- |
|
||||
On an instance with the HTTP `X-Forwarded-For` header configured for use behind a load balancer, all client IP addresses in the instance's audit log erroneously appear as 127.0.0.1.
|
||||
- |
|
||||
For an instance in a cluster configuration and with GitHub Actions enabled, restoring a cluster from backup requires targeting the primary DB node.
|
||||
- |
|
||||
When following the steps for [Replacing the primary MySQL node](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-the-primary-mysql-node), step 14 (running `ghe-cluster-config-apply`) might fail with errors. If this occurs, re-running `ghe-cluster-config-apply` is expected to succeed.
|
||||
- |
|
||||
Running a config apply as part of the steps for [Replacing a node in an emergency](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-a-node-in-an-emergency) may fail with errors if the node being replaced is still reachable. If this occurs, shutdown the node and repeat the steps.
|
||||
- |
|
||||
{% data reusables.release-notes.2024-06-possible-frontend-5-minute-outage-during-hotpatch-upgrade %}
|
||||
- |
|
||||
When restoring data originally backed up from a 3.13 or greater appliance version, the elasticsearch indices need to be reindexed before some of the data will show up. This happens via a nightly scheduled job. It can also be forced by running `/usr/local/share/enterprise/ghe-es-search-repair`.
|
||||
- |
|
||||
When restoring from a backup snapshot, a large number of `mapper_parsing_exception` errors may be displayed.
|
||||
- |
|
||||
{% data reusables.release-notes.2025-03-03-elasticsearch-data-loss %}
|
||||
|
||||
[Updated: 2025-03-19]
|
||||
- |
|
||||
After a restore, existing outside collaborators are unable to be added to repositories in a new organization. This issue can be resolved by running `/usr/local/share/enterprise/ghe-es-search-repair` on the appliance.
|
||||
- |
|
||||
After a geo-replica is promoted to be a primary by running `ghe-repl-promote`, the actions workflow of a repository does not have any suggested workflows.
|
||||
errata:
|
||||
- |
|
||||
The release notes previously did not mention VMware ESXi 8.0 support. [Updated: 2025-04-02]
|
||||
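Review bot: Nothing to fix in a straight deletion, but if these notes are being archived rather than dropped, the `features` entry and the `errata` entry for ESXi 8.0 support carry different update stamps (`[Updated: 2025-04-03]` versus `[Updated: 2025-04-02]`) for the same correction; keep the errata date as the canonical one so the archived copy is internally consistent.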
@@ -1,48 +0,0 @@
|
||||
date: '2025-03-25'
|
||||
sections:
|
||||
security_fixes:
|
||||
- |
|
||||
Packages have been updated to the latest security versions.
|
||||
bugs:
|
||||
- |
|
||||
The `ghe-upgrade` command returned a zero exit code despite encountering errors.
|
||||
- |
|
||||
When performing an upgrade with an upgrade package, the process did not terminate when an invalid target partition was provided with the `-t` flag.
|
||||
- |
|
||||
Users could not use the `/manage/v1/config/apply` API endpoint to trigger the first configuration run on an instance.
|
||||
- |
|
||||
Restoring from a backup did not always apply the latest data from GitHub Actions. All GitHub Actions data is now restored with a backup.
|
||||
- |
|
||||
For instances in a high availability configuration, Elasticsearch indices were deleted on failover and when `ghe-repl-teardown REPLICA_HOSTNAME` was run from the primary instance. All indices are recoverable except audit log indices, whose source of truth is Elasticsearch itself.
|
||||
- |
|
||||
In Azure environments, running `ghe-single-config-apply` or `ghe-repl-setup` resulted in "Permission denied" errors during the pre-flight check.
|
||||
- |
|
||||
For appliances in a high availability configuration, Elasticsearch indices were deleted either on failover, or when running `ghe-repl-teardown <REPLICA_HOSTNAME>` from the primary instance.
|
||||
changes:
|
||||
- |
|
||||
Elasticsearch shards are excluded from the replica node when stopping replication via `ghe-repl-stop`. To prevent Elasticsearch from being stopped before all shards have been removed, Elasticsearch is polled until the shard count on the replica node is zero instead of waiting for a maximum timeout of 30 seconds.
|
||||
- |
|
||||
Update the bundled `actions/setup-dotnet` with the latest versions from https://github.com/actions/setup-dotnet.
|
||||
known_issues:
|
||||
- |
|
||||
During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start.
|
||||
- |
|
||||
If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. For more information, see "[AUTOTITLE](/admin/configuration/administering-your-instance-from-the-management-console/troubleshooting-access-to-the-management-console#unlocking-the-root-site-administrator-account)."
|
||||
- |
|
||||
On an instance with the HTTP `X-Forwarded-For` header configured for use behind a load balancer, all client IP addresses in the instance's audit log erroneously appear as 127.0.0.1.
|
||||
- |
|
||||
For an instance in a cluster configuration and with GitHub Actions enabled, restoring a cluster from backup requires targeting the primary DB node.
|
||||
- |
|
||||
When following the steps for [Replacing the primary MySQL node](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-the-primary-mysql-node), step 14 (running `ghe-cluster-config-apply`) might fail with errors. If this occurs, re-running `ghe-cluster-config-apply` is expected to succeed.
|
||||
- |
|
||||
Running a config apply as part of the steps for [Replacing a node in an emergency](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-a-node-in-an-emergency) may fail with errors if the node being replaced is still reachable. If this occurs, shutdown the node and repeat the steps.
|
||||
- |
|
||||
{% data reusables.release-notes.2024-06-possible-frontend-5-minute-outage-during-hotpatch-upgrade %}
|
||||
- |
|
||||
When restoring data originally backed up from a 3.13 or greater appliance version, the Elasticsearch indices need to be reindexed before some of the data will show up. This happens via a nightly scheduled job. It can also be forced by running `/usr/local/share/enterprise/ghe-es-search-repair`.
|
||||
- |
|
||||
When restoring from a backup snapshot, a large number of `mapper_parsing_exception` errors may be displayed.
|
||||
- |
|
||||
After a restore, existing outside collaborators cannot be added to repositories in a new organization. This issue can be resolved by running `/usr/local/share/enterprise/ghe-es-search-repair` on the appliance.
|
||||
- |
|
||||
After a geo-replica is promoted to be a primary by running `ghe-repl-promote`, the actions workflow of a repository does not have any suggested workflows.
|
||||
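Review bot: The `bugs` list in this file records the same fix twice: `For instances in a high availability configuration, Elasticsearch indices were deleted on failover and when ghe-repl-teardown REPLICA_HOSTNAME was run from the primary instance.` and, five entries later, `For appliances in a high availability configuration, Elasticsearch indices were deleted either on failover, or when running ghe-repl-teardown <REPLICA_HOSTNAME> from the primary instance.` Moot once the file is removed, but if the content is migrated anywhere, keep only the first entry, which also states that audit log indices are not recoverable because Elasticsearch is their source of truth.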
@@ -1,42 +0,0 @@
|
||||
date: '2025-04-17'
|
||||
sections:
|
||||
security_fixes:
|
||||
- |
|
||||
**MEDIUM:** An attacker could view private repository names, which the signed-in user is not authorized to see, in the GitHub Advanced Security Overview. This was due to a missing authorization check and occurred when filtering with _only_ `archived:`. GitHub has requested CVE ID [CVE-2025-3124](https://www.cve.org/CVERecord?id=CVE-2025-3124) for this vulnerability.
|
||||
bugs:
|
||||
- |
|
||||
In the commit author filter dropdown on the commit history page for a repository, users could not search for a specific author (such as `foo`) if their search query had already returned a similar username (such as `foobar`).
|
||||
- |
|
||||
Various repository content API endpoints were unable to parse revisions containing invalid UTF-8 byte sequences, triggering `500 Internal Server Error` responses.
|
||||
- |
|
||||
The "Get allowed actions and reusable workflows" APIs for enterprises, organizations, and repositories did not include the `verified_allowed` response field.
|
||||
changes:
|
||||
- |
|
||||
Upgrading using a hot patch package will fail if the Elasticsearch status is not green. To help prevent post-upgrade problems when the Elasticsearch status is red, usually in a high-availability configuration, a check has been added.
|
||||
- |
|
||||
Merging a pull request using the "Rebase and merge" option is now limited to 100 commits. If you have a pull request with more than 100 commits, you need to either create a merge commit, or squash and merge, or split the commits up into multiple pull requests.
|
||||
known_issues:
|
||||
- |
|
||||
During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start.
|
||||
- |
|
||||
If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. For more information, see "[AUTOTITLE](/admin/configuration/administering-your-instance-from-the-management-console/troubleshooting-access-to-the-management-console#unlocking-the-root-site-administrator-account)."
|
||||
- |
|
||||
On an instance with the HTTP `X-Forwarded-For` header configured for use behind a load balancer, all client IP addresses in the instance's audit log erroneously appear as 127.0.0.1.
|
||||
- |
|
||||
For an instance in a cluster configuration and with GitHub Actions enabled, restoring a cluster from backup requires targeting the primary DB node.
|
||||
- |
|
||||
When following the steps for [Replacing the primary MySQL node](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-the-primary-mysql-node), step 14 (running `ghe-cluster-config-apply`) might fail with errors. If this occurs, re-running `ghe-cluster-config-apply` is expected to succeed.
|
||||
- |
|
||||
Running a config apply as part of the steps for [Replacing a node in an emergency](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-a-node-in-an-emergency) may fail with errors if the node being replaced is still reachable. If this occurs, shutdown the node and repeat the steps.
|
||||
- |
|
||||
{% data reusables.release-notes.2024-06-possible-frontend-5-minute-outage-during-hotpatch-upgrade %}
|
||||
- |
|
||||
When restoring data originally backed up from a 3.13 or greater appliance version, the Elasticsearch indices need to be reindexed before some of the data will show up. This happens via a nightly scheduled job. It can also be forced by running `/usr/local/share/enterprise/ghe-es-search-repair`.
|
||||
- |
|
||||
When restoring from a backup snapshot, a large number of `mapper_parsing_exception` errors may be displayed.
|
||||
- |
|
||||
Services may respond with a `503` status due to an out of date `haproxy` configuration. This can usually be resolved with a `ghe-config-apply` run.
|
||||
- |
|
||||
After a restore, existing outside collaborators cannot be added to repositories in a new organization. This issue can be resolved by running `/usr/local/share/enterprise/ghe-es-search-repair` on the appliance.
|
||||
- |
|
||||
After a geo-replica is promoted to be a primary by running `ghe-repl-promote`, the actions workflow of a repository does not have any suggested workflows.
|
||||
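Review bot: The `known_issues` entry `Services may respond with a 503 status due to an out of date haproxy configuration. This can usually be resolved with a ghe-config-apply run.` appears in this file but is absent from the `known_issues` list of the next release in the series below, and no `bugs` entry there records it as fixed; if any of these notes are preserved, carry the known issue forward or document the fix, since administrators use the list to decide whether a `503` after upgrade is expected.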
@@ -1,73 +0,0 @@
|
||||
date: '2025-05-27'
|
||||
sections:
|
||||
security_fixes:
|
||||
- |
|
||||
**MEDIUM:** An attacker could inject HTML in the instances web UI because the web commit dialog did not properly sanitize repository rule violation messages. This vulnerability was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
|
||||
- |
|
||||
Packages have been updated to the latest security versions.
|
||||
bugs:
|
||||
- |
|
||||
Ephemeral runner registrations for GitHub Actions were not fully cleaned up after deletion.
|
||||
- |
|
||||
For instances in a high availability configuration, because there was no Nomad job for the `aqueduct-lite` service on replica nodes, generating a support bundle from the command line on a replica would result in the error `ERROR: Failed to get elastomer index build progress` being incorrectly reported.
|
||||
- |
|
||||
A pre-receive hook could fail due to blocked system calls.
|
||||
- |
|
||||
After updating the TLS certificate from the Management Console, users encountered 502 errors when creating releases and uploading artifacts. Running `ghe-config-apply` did not resolve the issue, as the alambic service required a manual restart.
|
||||
- |
|
||||
The sidebar menu did not display on the "Retired namespaces" page on the site admin dashboard.
|
||||
- |
|
||||
Site administrators could encounter a failure to load domain entries in the "Verified & Approved Domains" section of the site admin dashboard when one or more authoritative nameservers for the affected domain were unreachable or unresponsive due to inefficient DNS queries.
|
||||
- |
|
||||
Images embedded in Markdown tables did not display correctly.
|
||||
- |
|
||||
Deleted discussions could potentially prevent a repository from being exported using the export API or `ghe-migrator`.
|
||||
- |
|
||||
During an import, missing assignee models caused incomplete imports of issues, pull requests, and their dependent models.
|
||||
- |
|
||||
When the GitHub Enterprise Server application attempted to create an Elasticsearch index that already existed but lacked a routing configuration, the operation failed. This resulted in a state where the index appeared to exist, but the application could not write documents to it.
|
||||
- |
|
||||
Enterprise customers in very large organizations experienced performance issues with the GitHub API when making multiple API requests to retrieve Dependabot alerts for their enterprise.
|
||||
- |
|
||||
In some cases, a file in the code view would appear as JSON instead of HTML.
|
||||
- |
|
||||
Instances using Azure for migration API storage without a proxy configured could not export migration archives because the system incorrectly attempted to route requests through a proxy.
|
||||
- |
|
||||
When administrators downloaded large Advanced Security committer CSV files, the operation would fail due to insufficient timeout settings. The timeout duration has been increased to ensure successful downloads.
|
||||
- |
|
||||
Actions workflows were not able to access up to 1,000 organization variables when the total size of all variables was under 10 MB.
|
||||
- |
|
||||
Secret scanning alerts would sometimes incorrectly identify the location of a secret in a file after a custom pattern was edited.
|
||||
changes:
|
||||
- |
|
||||
Support tools now redact proxy credentials from their outputs in the admin terminal during connectivity checks.
|
||||
- |
|
||||
Live updates to the GitHub site were sometimes blocked by per-IP address rate limits, especially in environments where users accessed a GitHub Enterprise Server instance through a proxy.
|
||||
- |
|
||||
Merging a pull request using the "Rebase and merge" option is now limited to 100 commits. If you have a pull request with more than 100 commits, you can create a merge commit, or squash and merge, or split the commits into multiple pull requests.
|
||||
closing_down:
|
||||
- |
|
||||
Microsoft Exchange Online is retiring SMTP basic authentication in September 2025. If your GitHub Enterprise Server instance uses this method to send email, delivery may fail after the retirement date. Microsoft recommends switching to a supported alternative. As another option, you may consider using an SMTP OAuth proxy such as [email-oauth2-proxy](https://github.com/simonrob/email-oauth2-proxy), though this is not officially supported. For details and configuration guidance, see the [Microsoft announcement](https://techcommunity.microsoft.com/blog/exchange/exchange-online-to-retire-basic-auth-for-client-submission-smtp-auth/4114750) and the proxy’s [documentation](https://github.com/simonrob/email-oauth2-proxy/blob/main/emailproxy.config).
|
||||
known_issues:
|
||||
- |
|
||||
During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start.
|
||||
- |
|
||||
If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. For more information, see [AUTOTITLE](/admin/configuration/administering-your-instance-from-the-management-console/troubleshooting-access-to-the-management-console#unlocking-the-root-site-administrator-account).
|
||||
- |
|
||||
On an instance with the HTTP `X-Forwarded-For` header configured for use behind a load balancer, all client IP addresses in the instance's audit log erroneously appear as 127.0.0.1.
|
||||
- |
|
||||
For an instance in a cluster configuration and with GitHub Actions enabled, restoring a cluster from backup requires targeting the primary DB node.
|
||||
- |
|
||||
When following instructions for [Replacing the primary MySQL node](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-the-primary-mysql-node), the step that includes running `ghe-cluster-config-apply` might fail with errors. If this occurs, re-running `ghe-cluster-config-apply` is expected to succeed.
|
||||
- |
|
||||
Running `ghe-cluster-config-apply` as part of the steps for [Replacing a node in an emergency](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-a-node-in-an-emergency) may fail with errors if the node being replaced is still reachable. If this occurs, shutdown the node and repeat the steps.
|
||||
- |
|
||||
{% data reusables.release-notes.2024-06-possible-frontend-5-minute-outage-during-hotpatch-upgrade %}
|
||||
- |
|
||||
When restoring data originally backed up from a 3.13 or greater appliance version, the Elasticsearch indices need to be reindexed before some of the data will show up. This happens via a nightly scheduled job. The reindexing can also be forced by running `/usr/local/share/enterprise/ghe-es-search-repair`.
|
||||
- |
|
||||
When restoring from a backup snapshot, a large number of `mapper_parsing_exception` errors may be displayed.
|
||||
- |
|
||||
After a restore, existing outside collaborators cannot be added to repositories in a new organization. This issue can be resolved by running `/usr/local/share/enterprise/ghe-es-search-repair` on the appliance.
|
||||
- |
|
||||
After a geo-replica is promoted to be a primary by running `ghe-repl-promote`, the actions workflow of a repository does not have any suggested workflows.
|
||||
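Review bot: The `closing_down` entry about Microsoft Exchange Online retiring SMTP basic authentication in September 2025 is time-sensitive and not specific to 3.13 (it affects any instance that sends email with that method), so confirm the same entry exists in the release notes of the supported series before this copy is removed; otherwise the deprecation silently drops the only notice that outbound email may stop working after the retirement date.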
@@ -1,46 +0,0 @@
|
||||
date: '2025-06-18'
|
||||
sections:
|
||||
security_fixes:
|
||||
- |
|
||||
**HIGH:** An attacker could execute arbitrary code, potentially leading to privilege escalation and system compromise, by exploiting the pre-receive hook functionality to bind to dynamically allocated ports that become temporarily available (for example, during a hot patch upgrade). This vulnerability is only exploitable under specific operational conditions, such as during the hot patching process, and requires either site administrator permissions or a user with privileges to modify repositories containing pre-receive hooks. The initial fix for this issue was found to be incomplete, leaving the vulnerability exploitable in some cases. GitHub has requested CVE ID: [CVE-2025-3509](https://www.cve.org/CVERecord?id=CVE-2025-3509) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
|
||||
- |
|
||||
Packages have been updated to the latest security versions.
|
||||
bugs:
|
||||
- |
|
||||
On an instance with GitHub Actions configured to connect to Azure OIDC storage through a proxy, Actions logs and artifacts would not be properly stored.
|
||||
- |
|
||||
Site administrators and auditors reviewing audit logs saw the `mc_actor` field was empty when a user signed out, because audit logging occurred after the user was removed from session state.
|
||||
- |
|
||||
During hotpatching, site administrators could encounter issues with the kernel partition table not updating correctly when running `ghe-partition-setup`. These users had to manually intervene in order to complete the upgrade process.
|
||||
- |
|
||||
Users of GitHub Actions could not view or manage Actions artifacts and logs if the global AWS STS endpoint was unavailable, because Actions did not use the configured regional STS endpoint.
|
||||
- |
|
||||
If an Enterprise Managed User (EMU) pushed to their personal repository with both secret scanning and push protection enabled, the custom patterns defined at enterprise level were not being applied during the push protection scan.
|
||||
- |
|
||||
In some situations, the kafka-lite service could cause client timeouts when processing consumer group membership sessions and expirations. [Updated: 2025-07-14]
|
||||
changes:
|
||||
- |
|
||||
Site administrators can now set rate limits for the WebSockets controller used for live updates, with `ghe-config app.github.web-sockets-rate-limit`. For more information, see [Controlling the rate for the live update service](/admin/configuring-settings/configuring-user-applications-for-your-enterprise/configuring-rate-limits#controlling-the-rate-for-the-live-update-service).
|
||||
known_issues:
|
||||
- |
|
||||
During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start.
|
||||
- |
|
||||
If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. For more information, see "[AUTOTITLE](/admin/configuration/administering-your-instance-from-the-management-console/troubleshooting-access-to-the-management-console#unlocking-the-root-site-administrator-account)."
|
||||
- |
|
||||
On an instance with the HTTP `X-Forwarded-For` header configured for use behind a load balancer, all client IP addresses in the instance's audit log erroneously appear as 127.0.0.1.
|
||||
- |
|
||||
For an instance in a cluster configuration and with GitHub Actions enabled, restoring a cluster from backup requires targeting the primary DB node.
|
||||
- |
|
||||
When following the steps for [Replacing the primary MySQL node](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-the-primary-mysql-node), step 14 (running `ghe-cluster-config-apply`) might fail with errors. If this occurs, re-running `ghe-cluster-config-apply` is expected to succeed.
|
||||
- |
|
||||
Running a config apply as part of the steps for [Replacing a node in an emergency](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-a-node-in-an-emergency) may fail with errors if the node being replaced is still reachable. If this occurs, shutdown the node and repeat the steps.
|
||||
- |
|
||||
{% data reusables.release-notes.2024-06-possible-frontend-5-minute-outage-during-hotpatch-upgrade %}
|
||||
- |
|
||||
When restoring data originally backed up from a 3.13 or greater appliance version, the Elasticsearch indices need to be reindexed before some of the data will show up. This happens via a nightly scheduled job. It can also be forced by running `/usr/local/share/enterprise/ghe-es-search-repair`.
|
||||
- |
|
||||
When restoring from a backup snapshot, a large number of `mapper_parsing_exception` errors may be displayed.
|
||||
- |
|
||||
After a restore, existing outside collaborators cannot be added to repositories in a new organization. This issue can be resolved by running `/usr/local/share/enterprise/ghe-es-search-repair` on the appliance.
|
||||
- |
|
||||
After a geo-replica is promoted to be a primary by running `ghe-repl-promote`, the actions workflow of a repository does not have any suggested workflows.
|
||||
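Review bot: The **HIGH** entry for [CVE-2025-3509](https://www.cve.org/CVERecord?id=CVE-2025-3509) states that `The initial fix for this issue was found to be incomplete, leaving the vulnerability exploitable in some cases`, so this file is the record of which 3.13 patch shipped the complete fix; before dropping it, confirm the supported series' notes carry the same entry so that an administrator auditing a fleet can still tell which build closed the pre-receive hook port-binding issue.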
@@ -1,181 +0,0 @@
|
||||
date: '2024-07-19'
|
||||
intro: |
|
||||
|
||||
>[!NOTE] Due to a bug that caused hotpatch upgrades to fail for instances on Microsoft Azure, the previous patch release in this series (**3.13.1**) is not available for download. The following release notes include the updates introduced in that release.
|
||||
sections:
|
||||
security_fixes:
|
||||
- |
|
||||
**HIGH**: An attacker could cause unbounded resource exhaustion on the instance by sending a large payload to the Git server. To mitigate this issue, GitHub has limited the count of "have" and "want" lines for Git read operations. GitHub has requested CVE ID [CVE-2024-5795](https://www.cve.org/cverecord?id=CVE-2024-5795) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com).
|
||||
- |
|
||||
**MEDIUM:** An improper privilege management vulnerability allowed users to migrate private repositories without having appropriate scopes defined on the related {% data variables.product.pat_generic %}. GitHub has requested CVE ID [CVE-2024-5566](https://www.cve.org/cverecord?id=CVE-2024-5566) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com).
|
||||
- |
|
||||
**MEDIUM:** An attacker could have unauthorized access in a public repository using a suspended GitHub App via a scoped user access token. This was only exploitable in public repositories while private repositories were not impacted. GitHub has requested CVE ID [CVE-2024-5816](https://www.cve.org/cverecord?id=CVE-2024-5816) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com).
|
||||
- |
|
||||
**MEDIUM:** An attacker could execute a Cross Site Request Forgery (CSRF) attack to perform write operations on a victim-owned repository in GitHub Enterprise Server by exploiting incorrect request types. A mitigating factor is that the attacker has to be a trusted user and the victim has to visit a tag in the attacker's fork of their own repository. GitHub has requested CVE ID [CVE-2024-5815](https://nvd.nist.gov/vuln/detail/CVE-2024-5815) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
|
||||
- |
|
||||
**MEDIUM:** An attacker could disclose the name of a private repository on the GitHub Enterprise Server appliance when the private repository has a deploy key associated to it. GitHub has requested CVE ID [CVE-2024-6395](https://www.cve.org/cverecord?id=CVE-2024-6395) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com).
|
||||
- |
|
||||
**LOW:** Instance administrators could see fine-grained {% data variables.product.pat_generic_plural %} in plaintext in the babeld and gitauth logs.
|
||||
- |
|
||||
**LOW:** An attacker with read access to a project could use the REST API to view a list of all members in an organization, including members who had made their membership private. This vulnerability was reported via the [GitHub Bug Bounty](https://bounty.github.com/) program.
|
||||
- |
|
||||
**LOW:** An attacker could include MathJax syntax in Markdown to bypass GitHubs normal restrictions on CSS properties in Markdown. This vulnerability was reported via the [GitHub Bug Bounty](https://bounty.github.com/) program.
|
||||
- |
|
||||
**MEDIUM:** An attacker could have unauthorized read access to issue content inside an internal repository via GitHub projects. This attack required attacker access to the corresponding project board. GitHub has requested CVE ID [CVE-2024-5817](https://nvd.nist.gov/vuln/detail/CVE-2024-5817) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
|
||||
- |
|
||||
**MEDIUM**: An attacker could gain unauthorized access to secret scanning alert data because the [REST API secret scanning endpoint](/rest/secret-scanning/secret-scanning?apiVersion=2022-11-28) did not properly verify whether the user account has the business owner role. Only organization members can exploit this vulnerability, requiring a {% data variables.product.pat_generic %} (PAT) with `repo` or `security_events` scopes, limiting exposure to internal actors. Exploitation also required secret scanning to be enabled on user-owned repositories. GitHub has requested CVE ID [CVE-2024-10824](https://www.cve.org/CVERecord?id=CVE-2024-10824) for this vulnerability. [Updated: 2024-11-07]
- |
An attacker could access previously executed private required workflows by changing the repository visibility from private to public. This occurred despite the repositories with the required workflows remaining private. This vulnerability was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
- |
Packages have been updated to the latest security versions.
bugs:
- |
When an instance hosted on Azure was upgraded with a hotpatch, the upgrade failed with an `rsync` error.
- |
On an instance with GitHub Actions enabled, remote blob storage could fill up with large amounts of data because cleanup jobs were skipped on old hosts.
- |
The `ghe-cluster-repl-status` command could be run on instance configurations other than high-availability clusters, resulting in an incorrect or incomplete status.
- |
The threshold set by `server_rejoin_age_max` for single-node GHES deployments was too low.
- |
On an instance in a cluster configuration, former primary nodes were able to access the newly promoted nodes after failover.
- |
In some cases, commands run in an administrative SSH shell were not written to the audit log.
- |
When an administrator submitted support data to GitHub Support, spokesd keys were incorrectly sanitized.
- |
When log forwarding was enabled, some specific service logs, including babeld, gitauth, unicorn, and resqued, were duplicated.
- |
During the initial boot of an instance, a data disk attached as `/dev/sdb` may not have been recognized as an available disk.
- |
In a high availablity configuration, running `ghe-repl-node` multiple times from a node that didnt have replication running had the potential to overwrite the configuration on the primary node.
- |
Configuration history is only generated for instances in a cluster, high availability (HA) cluster, or standalone HA configuration. The current node must be a primary or replica node with replication running.
- |
In some cases, the HAProxy `kill_timeout` setting caused service outages during upgrades or large transactions.
- |
The `ssh-audit-log.sh` script did not effectively log SSH commands, and the `ghe-sanitize-log.psed` script inadequately sanitized password-related logs.
- |
For an instance running on Microsoft Azure, the user disk service failed to start because the attached volume could not be found.
- |
When analyzing a repository with code scanning, the extractor logs only contained warnings and errors for some languages.
- |
The `GitHub Desktop` option in the `Open with...` edit menu was not shown unless `github.dev` was also enabled.
- |
When transferring a repository, the required properties for one organization continued to be displayed even after a user chose a different owner.
- |
Establishing a new GitHub Connect connection could fail with a 500 error.
- |
When using `ghe-migrator` to migrate a repository, the links for pull requests merge commits were not imported.
- |
When a user used the REST API endpoints that returned secret scanning alerts at the repository or organization level with non-cursor-based pagination (for example, without `before` or `after` query parameters), the REST API endpoints for secret scanning returned incorrect `Link` headers.
- |
On certain branch names, the branch info bar was causing frozen string errors.
- |
On instances with SAML authentication configured, users were unable to sign out and became stuck in an infinite SAML SSO loop.
- |
On instances with SCIM enabled, the administrator was unable to view users without an external identity record (for example, because they were provisioned before SCIM was enabled on the instance) in stafftools.
- |
On instances enrolled in the SCIM private beta, built-in authentication users can be added to organizations and teams. Organization owners will no longer see the misleading message that the organization membership is managed by the SAML identity provider when updating organization memberships.
- |
Enterprise owners managed by an identity provider were asked to authenticate within GitHub when performing privileged actions.
- |
On an instance that restricts emails to verified domains, secret scanning emails would sometimes be sent to an unverified domain.
- |
In some cases, on the "Files" tab of a pull request, a comment on the first line did not render.
- |
Some organizations were not recognized as part of an instance's enterprise account.
- |
Some users would encounter an error when navigating to their personal security settings page at `https://HOSTNAME/settings/security`.
- |
The `SpokesSyncCacheReplicaJob` could not initialize in some cases, resulting in an exception when handling the error.
- |
In the sidebar menu that is displayed when a user clicks their profile picture, users who are not enterprise owners saw an "Enterprise settings" option, linking to the main page of an enterprise. This option is now labeled "Your enterprise".
- |
On the "Code scanning" page of a repository, the branch filter did not correctly display all branches.
- |
The video player did not load a video that was uploaded to an issue.
- |
The warning message `irb: warn: cant alias delete from irb_delete` would appear during Support Bundle creation and upload.
- |
When including a `.gitignore` or `README.md` file on repository creation failed due to a ruleset or pre-receive hook, no error message displayed.
- |
On an instance with a GitHub Advanced Security license, requests to the `/enterprises/{enterprise}/settings/billing/advanced-security` REST API endpoint could fail due to timeout.
- |
The global enterprise overview page contained a "Give feedback" link that was only intended for GitHub Enterprise Cloud.
- |
Organizations named "C" were incorrectly routed to the GitHub Enterprise Server contact page instead of their organization page.
- |
On an instance with a GitHub Advanced Security license, commits made by users who do not belong to an organization were not counted.
- |
Due to a regression, adding `../` when editing a files name did not result in the file being moved up a directory level.
- |
When servers responded with unsupported characters, webhook deliveries were not displayed in the UI.
- |
Chat integrations required frequent reauthentication, as a result of new app installations overwriting previous ones.
- |
On an instance in a cluster configuration, the `ghe-spokesctl ssh` command did not select the correct Nomad container when running a command within a git repository.
- |
On an instance with a GitHub Advanced Security license, contributions were not tracked on public repositories.
- |
The "Adjust configuration" step failed when enabling code scanning with default setup on self-hosted Windows runners.
- |
Migration of the `issue_edits` table caused intermittent failures during the upgrade to GitHub Enterprise Server version 3.13, resulting in the error message `ActiveRecord::ConcurrentMigrationError: Failed to release advisory lock.` [Updated: 2024-08-14]
changes:
- |
In a high availability configuration, users can only run `ghe-config-apply` or `ghe-cluster-config-apply` on a replica node if replication is already running (from `ghe-repl-start`). If replication isnt running on the node, the user will be instructed to start replication.
- |
Configuration history has been extended. When `ghe-config-apply`, `ghe-cluster-config-apply`, or `ghe-config-archive` is run: `secrets.conf` is captured, a sha256sum for each of the current configuration files is included, the existing patch that is generated includes `secrets.conf`, and an additional sanitized patch that excludes `secrets.conf` is also generated.
- |
The timeout for requests made to the REST API endpoints for secret scanning has been extended.
- |
A more specific error message is shown when a non-provisioned user tried to sign in to an instance with SCIM enabled.
- |
A more specific error message is shown when a deprovisioned user attempts signing into an instance with SCIM enabled.
- |
In the audit logs, administrators can see more context for failed user authentication attempts using LDAP.
- |
The system logs provide more context for authentication failures related to multi-factor authentication.
- |
When using the `ghe-webhook-logs` utility, webhook delivery logs can be filtered by event and action. Users can use `ghe-webhook-logs --event issues` to filter by event, or `ghe-webhook-logs --event issues.opened` to filter by event and action.
- |
To avoid excessive log volume and associated disk pressure, requests for `GetCacheKey` are no longer logged. Previously, the high frequency of these requests caused significant log accumulation.
known_issues:
- |
When restoring data originally backed up from a 3.13 appliance onto a 3.13 appliance, the Elasticsearch indices need to be reindexed before some data will appear. This happens via a nightly scheduled job. It can also be forced by running `/usr/local/share/enterprise/ghe-es-search-repair`.
- |
Custom firewall rules are removed during the upgrade process.
- |
During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start.
- |
If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. For more information, see [AUTOTITLE](/admin/configuration/administering-your-instance-from-the-management-console/troubleshooting-access-to-the-management-console#unlocking-the-root-site-administrator-account).
- |
On an instance with the HTTP `X-Forwarded-For` header configured for use behind a load balancer, all client IP addresses in the instance's audit log erroneously appear as 127.0.0.1.
- |
Repositories originally imported using ghe-migrator will not correctly track Advanced Security contributions.
- |
Due to a known regression, operators will not be able to use the `ghe-migrations` visualizer to view the status of migrations during an upgrade. Instead, the operator can inspect the log files in `/var/log/dbmigration` to see the status and progress of migrations.
- |
For an instance in a cluster configuration and with GitHub Actions enabled, restoring a cluster from backup requires targeting the primary DB node.
- |
`TokenScanningServiceMetricsApiError` errors may appear after the upgrade.
- |
When following the steps for [Replacing the primary MySQL node](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-the-primary-mysql-node), step 14 (running `ghe-cluster-config-apply`) might fail with errors. If this occurs, re-running `ghe-cluster-config-apply` is expected to succeed.
- |
Memory utilization may increase after the upgrade. During periods of high traffic, interruptions in service may occur due to insufficient memory allocations for internal components.
- |
Running a config apply as part of the steps for [Replacing a node in an emergency](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-a-node-in-an-emergency) may fail with errors if the node being replaced is still reachable. If this occurs, shutdown the node and repeat the steps.
- |
If a hotpatch upgrade requires the `haproxy-frontend` service to be restarted, the restart will hang if there are existing long-lived connections, such as browser web sockets or Git operations. No new connections will be accepted for up to 5 minutes. Any existing unfinished connections at this time will be disconnected.
- |
Following an upgrade, Elasticsearch search migrations are sometimes incorrectly reported as failing in the audit log, even though the migrations completed successfully. [Updated: 2024-08-02]
- |
Images embedded in wiki pages may stop rendering shortly after being published. [Updated: 2024-10-16]
- |
{% data reusables.release-notes.2024-11-ghe-repl-promote-primary-down %}
[Updated: 2024-11-29]
- |
{% data reusables.release-notes.2025-03-03-elasticsearch-data-loss %}
[Updated: 2025-03-12]
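Review bot: this hunk removes the only in-repo mapping from CVE-2024-6395, CVE-2024-5817 and CVE-2024-10824 to the 3.13 patch release that fixed them, and with it the MEDIUM secret scanning authorization issue that depends on a PAT with `repo` or `security_events` scope. Before merging the deprecation, confirm the archived 3.13 documentation build still serves these release notes so that administrators of remaining 3.13 instances can still resolve a CVE to its fixed version, and check that `reusables.release-notes.2024-11-ghe-repl-promote-primary-down` and `reusables.release-notes.2025-03-03-elasticsearch-data-loss` are still referenced by newer release notes, otherwise remove the orphaned reusable files in the same change.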
@@ -1,142 +0,0 @@
date: '2024-08-20'
sections:
features:
- |
Users can view the app state of gists, networks, and wikis in the `spokesctl info` output, enhancing visibility into the status of these elements. Additionally, `spokesctl check` can diagnose and, in most cases, fix empty repository networks, improving network management.
security_fixes:
- |
**CRITICAL:** On GitHub Enterprise Server instances that use SAML single sign-on (SSO) authentication with specific IdPs utilizing publicly exposed signed federation metadata XML, an attacker could forge a SAML response to provision and/or gain access to a user account with site administrator privileges. GitHub has requested CVE ID [CVE-2024-6800](https://www.cve.org/cverecord?id=CVE-2024-6800) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
- |
**MEDIUM:** An attacker could update the `title`, `assignees`, and `labels` of any issue inside a public repository. This was only exploitable inside a public repository, and private/internal repositories were not affected. GitHub has requested CVE ID [CVE-2024-7711](https://www.cve.org/cverecord?id=CVE-2024-7711) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
- |
**MEDIUM:** An attacker could disclose the issue contents from a private repository using a GitHub App with only `contents: read` and `pull requests: write` permissions. This was only exploitable via user access token, and installation access tokens were not impacted. GitHub has requested CVE ID [CVE-2024-6337](https://www.cve.org/cverecord?id=CVE-2024-6337) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
- |
Packages have been updated to the latest security versions.
bugs:
- |
During hotpatching and sometimes when applying configuration changes, a configuration run to upgrade the GitHub Actions service was unnecessarily triggered. The GitHub Actions service will only be upgraded in GitHub Enterprise Server feature releases.
- |
On an instance with GitHub Actions enabled, during a hotpatch upgrade, a race condition could block various upgrade activities.
- |
The `ghe-config-apply` process made an unnecessary number of connections to Redis.
- |
Upgrading the Dependency Graph sometimes failed due to outdated data from `go.sum` manifests.
- |
Restarting the `resolvconf` service would not correctly update the contents of `/etc/resolv.conf`.
- |
The configuration log at `/data/user/common/ghe-config.log` was no longer rotated to `/data/user/config-apply/logs/` after each config apply run. This was because a regular expression failed to match after timestamps were added to the config apply log.
- |
Empty lines were inserted into the configuration log at `/data/user/common/ghe-config.log`.
- |
Instances installed on Google Cloud Platform (GCP) could have their hostname overwritten by GCP when a hotpatch was applied.
- |
The minimum password requirements for Management Console users and the root site administrator required an upper case character when providing a password with a minimum of 8 characters, contradicting the documentation and password hint.
- |
The `ghe-migrations` utility for visualizing migrations did not work due to a regression. Administrators can now run `ghe-migrations` to view the progress and status of `github` migrations, or run `ghe-migrations --all` to view progress on all services.
- |
On an instance with subdomain isolation enabled, configuration runs created subdomains for ChatOps services, such as `slack.HOSTNAME` and `teams.HOSTNAME`, regardless of whether the service was enabled.
- |
Audit log data migration failed on instances using a legacy Elasticsearch data directory.
- |
When clicking the help link under the Authentication header in enterprise-manage, the user would be redirected to `/admin/managing-accounts-and-repositories` instead of `/admin/managing-iam/understanding-iam-for-enterprises/about-identity-and-access-management`.
- |
During support bundle generation or when running `ghe-diagnostics`, filesystem usage for the Elasticsearch data directory was not be included.
- |
On an instance with GitHub Actions enabled, due to an insufficient wait time, MS SQL and MySQL replication could fail with the error message `Failed to start nomad service!`.
- |
Site administrators could not switch maintenance mode directly from "scheduled" to "on," or vice versa.
- |
Some users were unable to delete project views.
- |
On the repository settings page for GitHub Pages, users saw an option to upgrade to GitHub Enterprise to use GitHub Pages with private visibility.
- |
When importing using `ghe-migrator`, team URLs containing dots were imported as-is, leading to 404s when attempting to view the imported teams. Dots in imported team URLs are now escaped to dashes.
- |
In the file tree on the "Files changed" tab of a pull request, users could not collapse or expand directories.
- |
Due to a regression introduced in a previous patch, for enterprises that use encrypted SAML assertions, SSO attempts failed with a digest mismatch error if the entire SAML response was signed, rather than just the assertions.
- |
Administrators sometimes saw an error message when visiting the administrative search page.
- |
On an instance with subdomain isolation enabled, images served from a subdomain or external source did not render correctly in issues opened in the Projects side panel.
- |
Running `go get` for a Golang repository with a directory structure that overlaps with GitHub UI routes failed
- |
The wrong help link was displayed when push protection blocked a secret from the CLI.
- |
Embedded images in wiki pages were broken.
- |
For repositories with issues disabled, issue links were redirected to pull requests.
- |
In custom pre-receive hooks, the paths stored in environment variables that allow for newly pushed objects to be in a quarantine directory could be incorrectly interpreted as relative to a worktree instead of the Git directory, causing certain commands to fail to read from the repository. The variables now use absolute paths.
- |
A corrupted entry in the Git audit log could cause out of memory errors.
- |
Fixes and improvements for the git core module.
- |
When enabling GitHub Advanced Security for an organization, active committers in other organizations were not accounted for.
- |
Following an upgrade, Elasticsearch search migrations are sometimes incorrectly reported as failing in the audit log, even though the migrations completed successfully. [Updated: 2024-09-27]
changes:
- |
Actions KPI logs are disabled by default to reduce log size.
- |
When running `ghe-support-bundle`, the support bundle includes the Elasticsearch config.
- |
In the site admin dashboard, administrators have more granular options for the maximum object size in repositories.
- |
Users can set their styling preference for link underlines in the web interface, on their "Accessibility" settings page.
- |
Audit log events related to audit log streaming are available in the enterprise audit log page, and via audit log streaming.
known_issues:
- |
During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start.
- |
If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. For more information, see [AUTOTITLE](/admin/configuration/administering-your-instance-from-the-management-console/troubleshooting-access-to-the-management-console#unlocking-the-root-site-administrator-account).
- |
On an instance with the HTTP `X-Forwarded-For` header configured for use behind a load balancer, all client IP addresses in the instance's audit log erroneously appear as 127.0.0.1.
- |
Repositories originally imported using `ghe-migrator` will not correctly track Advanced Security contributions.
- |
Due to a known regression, operators will not be able to use the `ghe-migrations` visualizer to view the status of migrations during an upgrade. Instead, the operator can inspect the log files in `/var/log/dbmigration` to see the status and progress of migrations.
- |
For an instance in a cluster configuration and with GitHub Actions enabled, restoring a cluster from backup requires targeting the primary DB node.
- |
`TokenScanningServiceMetricsApiError` errors may appear after the upgrade.
- |
When following the steps for [Replacing the primary MySQL node](/enterprise-server@3.12/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-the-primary-mysql-node), step 14 (running `ghe-cluster-config-apply`) might fail with errors. If this occurs, re-running `ghe-cluster-config-apply` is expected to succeed.
- |
Memory utilization may increase after the upgrade. During periods of high traffic, interruptions in service may occur due to insufficient memory allocations for internal components.
- |
Running a `config apply` as part of the steps for [Replacing a node in an emergency](/enterprise-server@3.12/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-a-node-in-an-emergency) may fail with errors if the node being replaced is still reachable. If this occurs, shutdown the node and repeat the steps.
- |
Including `../` when editing a file name does not move the file up a directory level.
- |
If a hotpatch upgrade requires the `haproxy-frontend` service to be restarted, the restart will hang if there are existing long-lived connections, such as browser web sockets or Git operations. No new connections will be accepted for up to 5 minutes. Any existing unfinished connections at this time will be disconnected.
- |
When restoring data originally backed up from a 3.13 appliance onto a 3.13 appliance, the elasticsearch indices need to be reindexed before some of the data will show up. This happens via a nightly scheduled job. It can also be forced by running `/usr/local/share/enterprise/ghe-es-search-repair`.
- |
The global search bar does not have suggestions enabled due to the redesigned navigation and pending new search experience.
- |
When restoring from a backup snapshot, a large number of `mapper_parsing_exception` errors may be displayed.
- |
Services may respond with a `503` status due to an out of date `haproxy` configuration. This can usually be resolved with a `ghe-config-apply` run.
- |
Instance setup in AWS with IMDSv2 enforced fails if no public IP is present.
- |
{% data reusables.release-notes.2024-08-resolvconf-wont-start %}
[Updated: 2024-08-26]
- |
{% data reusables.release-notes.2024-11-ghe-repl-promote-primary-down %}
[Updated: 2024-11-29]
- |
{% data reusables.release-notes.2025-03-03-elasticsearch-data-loss %}
[Updated: 2025-03-12]
errata:
- |
These release notes previously indicated as a known issue that on GitHub Enterprise Server 3.13.3 when log forwarding is enabled, some forwarded log entries may be duplicated.
The fix for this problem was already included in GitHub Enterprise Server [3.13.2](/admin/release-notes#3.13.2-bugs). [Updated: 2024-09-16]
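Review bot: the errata entry at the end of this hunk links to `[3.13.2](/admin/release-notes#3.13.2-bugs)`, and the known issues link to `/enterprise-server@3.12/admin/...`; once the 3.13 notes are deleted, the `#3.13.2-bugs` anchor no longer exists on the versioned release-notes page, so run the repo link checker against the remaining versions to make sure nothing else still points at 3.13 anchors. This hunk also removes the CRITICAL SAML response forgery advisory (CVE-2024-6800) with its IdP precondition (publicly exposed signed federation metadata XML), which is exactly the kind of note an operator of a not-yet-upgraded instance needs; confirm the deprecation archive keeps it reachable and that `reusables.release-notes.2024-08-resolvconf-wont-start` is not left orphaned.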
@@ -1,92 +0,0 @@
date: '2024-09-23'
sections:
security_fixes:
- |
**MEDIUM:** An attacker could steal sensitive information by exploiting a Cross-Site Scripting vulnerability in the repository transfer feature. This exploitation would require social engineering. GitHub has requested CVE ID [CVE-2024-8770](https://www.cve.org/cverecord?id=CVE-2024-8770) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
- |
**MEDIUM:** An attacker could push a commit with changes to a workflow using a PAT or OAuth app that lacks the appropriate `workflow` scope by pushing a triple-nested tag pointing at the associated commit. GitHub has requested CVE ID [CVE-2024-8263](https://www.cve.org/cverecord?id=CVE-2024-8263) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
- |
**HIGH:** A GitHub App installed in organizations could upgrade some permissions from read to write access without approval from an organization administrator. An attacker would require an account with administrator access to install a malicious GitHub App. GitHub has requested [CVE ID CVE-2024-8810](https://www.cve.org/cverecord?id=CVE-2024-8810) for this vulnerability, which was reported via the [GitHub Bug Bounty Program](https://bounty.github.com/). [Updated: 2024-11-07]
bugs:
- |
For instances deployed on AWS with IMDSv2 enforced, fallback to private IPs was not successful.
- |
A config apply run may not have been properly applied due to calls being made to Nomad before it was ready to accept connections. When this occurred, the `Error querying agent info: failed querying self endpoint: Get "http://127.0.0.1:4646/v1/agent/self"` error was written to the `/data/user/common/ghe-config.log` file.
- |
`ghe-storage-find` was sometimes unable to identify a data disk.
- |
Replication could be stuck in an loop running `ghe-repl-start` because `GHE_REPL_SSH_RETRY_COUNT` was set to 60 by default for the whole scope of `ghe-repl-start` which will retry config apply (up to 60 times).
- |
After upgrading the relevant GHES version, the `resolvconf` service failed to start due to a missing directory.
- |
When configuring a high availability replica and during the database seeding of a MySQL replica node, restarting the nomad service could time out. Consequently, when MySQL replication attempted to start an error was reported, and setting up replication failed.
- |
Some pre-receive hooks using the `faccessat2` system call, such as those using Alpine Linux as the base, failed unexpectedly.
- |
Placing Nomad jobs would not allow retries in cases when Nomad wasn't available yet.
- |
A repeated error message concerning connectivity to port 6002 was emitted to the system logs when Actions was enabled.
- |
On an instance in a cluster configuration, the `ghe-cluster-status` command returned an error if a soft-deleted repository had a checksum mismatch.
- |
Some repositories could miss spokes information after restoring in a clustering topology due to unrescued exceptions.
- |
In organizations with a large number of repositories, when an administrator used repository properties to target repositories in an organization ruleset, the ruleset index page timed out.
- |
After a user created a Projects Insights chart with time as the X-axis, the chart became hidden and inaccessible.
- |
The `CommandPalette` component no longer displays repository information on `404` pages, preventing the leakage of private repository information for users without access.
- |
A bug introduced in 3.12 which prevented the search input in the global navigation from displaying a dropdown of search suggestions has been fixed. The search input functionality prior to 3.12 has been restored, and users are once again able to see and submit suggested search queries, including scope suggestions.
- |
Custom links to other repositories displayed incorrect breadcrumbs.
- |
Some custom pattern matches were incorrectly filtered during post-scan filtering and outdated alerts were sometimes published. You may want to edit and republish your custom patterns. You can manually republish custom patterns with the following command: `ghe-secret-scanning jobs queue custom-patterns republish --custom-pattern-id=?`.
- |
On an instance with secret scanning enabled, a banner indicated that secret scanning was running on pull request comments and discussions. This feature is not available in this version of GitHub Enterprise Server.
- |
Memory utilization would sometimes exceed levels comparable to GitHub Enterprise Server 3.12.
- |
Some custom pattern matches were incorrectly filtered during post-scan filtering and outdated alerts were sometimes published. You may want to edit and republish your custom patterns. You can manually republish custom patterns with the following command: `ghe-secret-scanning jobs queue custom-patterns republish --custom-pattern-id=?.`
changes:
- |
For instances deployed on Amazon Web Services (AWS), site administrators can configure regional AWS STS endpoints for OIDC from the Management Console.
known_issues:
- |
During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start.
- |
If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. For more information, see [AUTOTITLE](/admin/configuration/administering-your-instance-from-the-management-console/troubleshooting-access-to-the-management-console#unlocking-the-root-site-administrator-account).
- |
On an instance with the HTTP `X-Forwarded-For` header configured for use behind a load balancer, all client IP addresses in the instance's audit log erroneously appear as `127.0.0.1`.
|
||||
- |
|
||||
For an instance in a cluster configuration and with GitHub Actions enabled, restoring a cluster from backup requires targeting the primary DB node.
|
||||
- |
|
||||
When following the steps for [Replacing the primary MySQL node](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-the-primary-mysql-node), step 14 (running `ghe-cluster-config-apply`) might fail with errors. If this occurs, re-running `ghe-cluster-config-apply` is expected to succeed.
|
||||
- |
|
||||
Running a config apply as part of the steps for [Replacing a node in an emergency](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-a-node-in-an-emergency) may fail with errors if the node being replaced is still reachable. If this occurs, shutdown the node and repeat the steps.
|
||||
- |
|
||||
{% data reusables.release-notes.2024-06-possible-frontend-5-minute-outage-during-hotpatch-upgrade %}
|
||||
- |
|
||||
When restoring data originally backed up from a 3.13 appliance onto a 3.13 appliance, the elasticsearch indices need to be reindexed before some of the data will show up. This happens via a nightly scheduled job. It can also be forced by running `/usr/local/share/enterprise/ghe-es-search-repair`.
|
||||
- |
|
||||
When restoring from a backup snapshot, a large number of `mapper_parsing_exception` errors may be displayed.
|
||||
- |
|
||||
Services may respond with a `503` status due to an out of date `haproxy` configuration. This can usually be resolved with a `ghe-config-apply` run.
|
||||
- |
|
||||
For customers using Secret Scanning, internal jobs were created and not worked that could contribute to performance issues.
|
||||
- |
|
||||
{% data reusables.release-notes.2024-11-ghe-repl-promote-primary-down %}
|
||||
|
||||
[Updated: 2024-11-29]
|
||||
- |
|
||||
{% data reusables.release-notes.2025-03-03-elasticsearch-data-loss %}
|
||||
|
||||
[Updated: 2025-03-12]
|
||||
|
||||
errata:
|
||||
- |
|
||||
The [Known issues](/admin/release-notes#3.13.4-known-issues) section previously indicated that `Instance setup in AWS with IMDSv2 enforced fails if no public IP is present` is still an issue. The issue is resolved and is documented in the [Bug fixes](/admin/release-notes#3.13.4-bugs) section. [Updated: 2024-09-30]
|
||||
- |
|
||||
These release notes previously indicated as a known issue that on GitHub Enterprise Server 3.13.4, repositories originally imported using `ghe-migrator` will not correctly track Advanced Security contributions.
|
||||
|
||||
The fix for this problem was already included in GitHub Enterprise Server [3.12](/admin/release-notes#3.12.0-bugs). [Updated: 2025-04-11]
|
||||
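Review bot: the errata entries at the end of this hunk link to in-page anchors such as `/admin/release-notes#3.13.4-known-issues` and `/admin/release-notes#3.13.4-bugs`, and other pages may link to `#3.13.x-*` anchors the same way; deleting the 3.13 notes removes those targets. Grep the remaining content for `release-notes#3.13` links and either repoint them at the deprecated-version archive or drop them, so the deprecation does not leave dangling anchors.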
@@ -1,71 +0,0 @@
|
||||
date: '2024-10-10'
|
||||
sections:
|
||||
security_fixes:
|
||||
- |
|
||||
**MEDIUM**: Malicious URLs for SVG assets provided information about a victim user who clicked the URL, allowing an attacker to retrieve metadata belonging to the user and use it to generate a convincing phishing page. This required the attacker to upload malicious SVGs and phish a victim user to click the URL for the uploaded asset. GitHub has requested CVE ID [CVE-2024-9539](https://www.cve.org/cverecord?id=CVE-2024-9539). This vulnerability was reported via the [GitHub Bug Bounty](https://bounty.github.com/) program.
|
||||
- |
|
||||
**HIGH**: An attacker could bypass SAML single sign-on (SSO) authentication with the optional encrypted assertions feature, allowing unauthorized provisioning of users and access to the instance, by exploiting an improper verification of cryptographic signatures vulnerability in GitHub Enterprise Server. This was a regression introduced as part of follow-up remediation from [CVE-2024-4985](https://www.cve.org/cverecord?id=CVE-2024-4985), which resulted in a new variant of the vulnerability. Please note that encrypted assertions are not enabled by default. Instances not utilizing SAML SSO, or utilizing SAML SSO authentication without encrypted assertions, are not impacted. Additionally, an attacker would require direct network access as well as a signed SAML response or metadata document. GitHub has requested CVE ID [CVE-2024-9487](https://www.cve.org/cverecord?id=CVE-2024-9487). This vulnerability was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
|
||||
bugs:
|
||||
- |
|
||||
HAProxy reloading was failure prone, which could lead to failed Git operations. This reloading process has been replaced with a more resilient Systemd process.
|
||||
- |
|
||||
On an instance with secret scanning enabled, internal jobs were created and not processed, which could contribute to performance issues.
|
||||
- |
|
||||
This error message `mbind: Operation not permitted` was repeatedly showing in the `/var/log/mysql/mysql.err` MySQL logs.
|
||||
- |
|
||||
The backup of audit log could take longer after upgrading to Elasticsearch 8.
|
||||
- |
|
||||
An unhandled nil value when configuring Actions storage with AWS S3 via OIDC configuration in the terminal could cause an error.
|
||||
- |
|
||||
Users were unable to sign out from gist pages.
|
||||
- |
|
||||
On an instance with secret scanning enabled, the custom pattern page would not load because dry run results were tied to a deleted repository.
|
||||
- |
|
||||
The "List teams" API endpoint returning duplicate results when paginating.
|
||||
- |
|
||||
A model with no URL could cause a `ghe-migrator` import to fail.
|
||||
- |
|
||||
Restore could fail when restoring MySQL using backup-utils.
|
||||
- |
|
||||
The help documentation for the Actions Workflow editor was not loading correctly. [Updated: 2025-02-18]
|
||||
changes:
|
||||
- |
|
||||
The `ghe-remove-node` command will display the log file location when running in quiet mode.
|
||||
- |
|
||||
Pre-receive hook environments can use the `clone3()` system call.
|
||||
- |
|
||||
The creation, deletion, or change in visibility of a gist has been added to the audit log.
|
||||
known_issues:
|
||||
- |
|
||||
During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start.
|
||||
- |
|
||||
If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. For more information, see [AUTOTITLE](/admin/configuration/administering-your-instance-from-the-management-console/troubleshooting-access-to-the-management-console#unlocking-the-root-site-administrator-account).
|
||||
- |
|
||||
On an instance with the HTTP `X-Forwarded-For` header configured for use behind a load balancer, all client IP addresses in the instance's audit log erroneously appear as 127.0.0.1.
|
||||
- |
|
||||
For an instance in a cluster configuration and with GitHub Actions enabled, restoring a cluster from backup requires targeting the primary DB node.
|
||||
- |
|
||||
When following the steps for [Replacing the primary MySQL node](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-the-primary-mysql-node), step 14 (running `ghe-cluster-config-apply`) might fail with errors. If this occurs, re-running `ghe-cluster-config-apply` is expected to succeed.
|
||||
- |
|
||||
Running a config apply as part of the steps for [Replacing a node in an emergency](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-a-node-in-an-emergency) may fail with errors if the node being replaced is still reachable. If this occurs, shutdown the node and repeat the steps.
|
||||
- |
|
||||
{% data reusables.release-notes.2024-06-possible-frontend-5-minute-outage-during-hotpatch-upgrade %}
|
||||
- |
|
||||
When restoring data originally backed up from a 3.13 appliance onto a 3.13 appliance, the elasticsearch indices need to be reindexed before some of the data will show up. This happens via a nightly scheduled job. It can also be forced by running `/usr/local/share/enterprise/ghe-es-search-repair`.
|
||||
- |
|
||||
When restoring from a backup snapshot, a large number of `mapper_parsing_exception` errors may be displayed.
|
||||
- |
|
||||
{% data reusables.release-notes.2024-11-ghe-repl-promote-primary-down %}
|
||||
|
||||
[Updated: 2024-11-29]
|
||||
- |
|
||||
{% data reusables.release-notes.2025-03-03-elasticsearch-data-loss %}
|
||||
|
||||
[Updated: 2025-03-12]
|
||||
|
||||
errata:
|
||||
- |
|
||||
These release notes previously indicated as a known issue that on GitHub Enterprise Server 3.13.5, repositories originally imported using `ghe-migrator` will not correctly track Advanced Security contributions.
|
||||
|
||||
The fix for this problem was already included in GitHub Enterprise Server [3.12](/admin/release-notes#3.12.0-bugs). [Updated: 2025-04-11]
|
||||
|
||||
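Review bot: this hunk removes the `security_fixes` entries for CVE-2024-9539 and CVE-2024-9487 (the SAML encrypted-assertions signature-verification bypass), which are the docs' published record of which 3.13 patch remediated each CVE. Before this lands, confirm the deprecated-version snapshot of these release notes is already published and reachable, since the CVE records point at the release notes for remediation details. The errata at the end of the hunk also states the `ghe-migrator` fix lives in 3.12 and links to `#3.12.0-bugs`; that anchor needs to survive in the notes that remain.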
@@ -1,76 +0,0 @@
|
||||
date: '2024-11-07'
|
||||
sections:
|
||||
security_fixes:
|
||||
- |
|
||||
Elasticsearch packages have been updated to the latest security versions.
|
||||
- |
|
||||
**HIGH**: An attacker could bypass SAML single sign-on (SSO) authentication with the optional encrypted assertions feature, allowing unauthorized provisioning of users and access to the instance, by exploiting an improper verification of cryptographic signatures vulnerability in GitHub Enterprise Server. This is a follow up fix for [CVE-2024-9487](https://www.cve.org/cverecord?id=CVE-2024-9487) to further harden the encrypted assertions feature against this type of attack. Please note that encrypted assertions are not enabled by default. Instances not utilizing SAML SSO, or utilizing SAML SSO authentication without encrypted assertions, are not impacted. Additionally, an attacker would require direct network access as well as a signed SAML response or metadata document to exploit this vulnerability.
|
||||
- |
|
||||
**HIGH**: An attacker with Enterprise Administrator access to the GitHub Enterprise Server instance could escalate privileges to SSH root access. This is achieved by exploiting the pre-receive hook environment to bypass symlink checks in the `ghe-firejail` path and execute malicious scripts. GitHub has requested CVE ID [CVE-2024-10007](https://www.cve.org/cverecord?id=CVE-2024-10007) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/). [Updated: 2024-11-07]
|
||||
- |
|
||||
**HIGH**: An attacker could leak sensitive data from the DOM by injecting malicious input through the `identity` parameter in `querySelector` handling. This allows the attacker to dynamically embed a hidden iframe on the page and exfiltrate data from DOM attributes. To execute the attack, the victim must be logged into GitHub and interact with the attacker controlled malicious webpage containing the hidden iframe. GitHub has requested CVE ID [CVE-2024-10001](https://www.cve.org/cverecord?id=CVE-2024-10001) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/). [Updated: 2025-01-27]
|
||||
bugs:
|
||||
- |
|
||||
A missing configuration value prevented Dependabot from creating group update pull requests.
|
||||
- |
|
||||
When saving settings in the Management Console, the configuration run would stop if the `enterprise-manage` process was restarted.
|
||||
- |
|
||||
On an instance with GitHub Actions enabled, some maintenance tasks could fail due to incomplete upgrade steps during previous upgrades to new releases of GitHub Enterprise Server.
|
||||
- |
|
||||
The initial setup certificate generation in AWS took longer than expected due to fallback to private IPs. The time for this fallback has been reduced.
|
||||
- |
|
||||
The `ghe-support-bundle` generation would fail when the `aqueduct-lite` service is down.
|
||||
- |
|
||||
If the primary instance was unreachable, running `ghe-repl-stop --force` on a replica would fail during the config apply run.
|
||||
- |
|
||||
For instances that use the mandatory message feature logging in to certain URLs may have caused a 500 error.
|
||||
- |
|
||||
When restoring from a backup, repositories that had been deleted in the last 90 days were not completely restored.
|
||||
- |
|
||||
Restoring Git repositories using backup-utils occasionally failed.
|
||||
- |
|
||||
Enterprise installations experienced unpredictable repository search results due to the default 4,000 repository limit. A relaxed repository filter mode, which includes all single-tenant organization repositories and bypasses the limit, has been introduced. Administrators can enable this mode using `ghe-config app.github.enterprise-repo-search-filter-enabled true && ghe-config-apply`.
|
||||
- |
|
||||
Organizations were limited to using 100 Actions organization variables instead of 1,000.
|
||||
- |
|
||||
Running `config-apply` became stuck under certain circumstances due to a misconfiguration with Packages and Elasticsearch.
|
||||
- |
|
||||
Some customers upgrading to 3.13 may experience issues with undecryptable records during the upgrade. This issue has now been resolved. We recommend you read [Undecryptable records](/admin/upgrading-your-instance/troubleshooting-upgrades/known-issues-with-upgrades-to-your-instance#undecryptable-records).
|
||||
changes:
|
||||
- |
|
||||
When connecting to an appliance via SSH, a notification about upcoming root disk changes displays.
|
||||
known_issues:
|
||||
- |
|
||||
During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start.
|
||||
- |
|
||||
If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. See [AUTOTITLE](/admin/configuration/administering-your-instance-from-the-management-console/troubleshooting-access-to-the-management-console#unlocking-the-root-site-administrator-account).
|
||||
- |
|
||||
On an instance with the HTTP `X-Forwarded-For` header configured for use behind a load balancer, all client IP addresses in the instance's audit log erroneously appear as 127.0.0.1.
|
||||
- |
|
||||
For an instance in a cluster configuration and with GitHub Actions enabled, restoring a cluster from backup requires targeting the primary DB node.
|
||||
- |
|
||||
When following the steps for [Replacing the primary MySQL node](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-the-primary-mysql-node), step 14 (running `ghe-cluster-config-apply`) might fail with errors. If this occurs, re-running `ghe-cluster-config-apply` is expected to succeed.
|
||||
- |
|
||||
Running a `config apply` as part of the steps for [Replacing a node in an emergency](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-a-node-in-an-emergency) may fail with errors if the node being replaced is still reachable. If this occurs, shutdown the node and repeat the steps.
|
||||
- |
|
||||
{% data reusables.release-notes.2024-06-possible-frontend-5-minute-outage-during-hotpatch-upgrade %}
|
||||
- |
|
||||
When restoring data originally backed up from a 3.13 appliance onto a 3.13 appliance, the elasticsearch indices need to be reindexed before some of the data will show up. This happens via a nightly scheduled job. It can also be forced by running `/usr/local/share/enterprise/ghe-es-search-repair`.
|
||||
- |
|
||||
When restoring from a backup snapshot, a large number of `mapper_parsing_exception` errors may be displayed.
|
||||
- |
|
||||
Customers doing feature version upgrade to 3.13.6 may experience issues with database migrations due to data issues during database conversions. [Added: 2024-11-08]
|
||||
- |
|
||||
{% data reusables.release-notes.2024-11-ghe-repl-promote-primary-down %}
|
||||
|
||||
[Updated: 2024-11-29]
|
||||
- |
|
||||
{% data reusables.release-notes.2025-03-03-elasticsearch-data-loss %}
|
||||
|
||||
[Updated: 2025-03-12]
|
||||
|
||||
errata:
|
||||
- |
|
||||
These release notes previously indicated as a known issue that on GitHub Enterprise Server 3.13.6, repositories originally imported using `ghe-migrator` will not correctly track Advanced Security contributions.
|
||||
|
||||
The fix for this problem was already included in GitHub Enterprise Server [3.12](/admin/release-notes#3.12.0-bugs). [Updated: 2025-04-11]
|
||||
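Review bot: the `known_issues` list in this hunk pulls three shared reusables (`reusables.release-notes.2024-06-possible-frontend-5-minute-outage-during-hotpatch-upgrade`, `reusables.release-notes.2024-11-ghe-repl-promote-primary-down` and `reusables.release-notes.2025-03-03-elasticsearch-data-loss`), and removing the 3.13 files changes which versions still reference them. The diff is truncated, so it is not visible here whether the reusables themselves are being dropped; if they are, verify no 3.14 or later release note still includes them, and if they are kept, check they are not now orphaned.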
@@ -1,40 +0,0 @@
|
||||
date: '2024-11-12'
|
||||
sections:
|
||||
bugs:
|
||||
- |
|
||||
Customers performing a feature version upgrade to 3.13.6 or 3.14.3 may experience issues with database migrations due to data issues during database conversions.
|
||||
known_issues:
|
||||
- |
|
||||
During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start.
|
||||
- |
|
||||
If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. For more information, see [AUTOTITLE](/admin/configuration/administering-your-instance-from-the-management-console/troubleshooting-access-to-the-management-console#unlocking-the-root-site-administrator-account).
|
||||
- |
|
||||
On an instance with the HTTP `X-Forwarded-For` header configured for use behind a load balancer, all client IP addresses in the instance's audit log erroneously appear as 127.0.0.1.
|
||||
- |
|
||||
For an instance in a cluster configuration and with GitHub Actions enabled, restoring a cluster from backup requires targeting the primary DB node.
|
||||
- |
|
||||
When following the steps for [Replacing the primary MySQL node](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-the-primary-mysql-node), step 14 (running `ghe-cluster-config-apply`) might fail with errors. If this occurs, re-running `ghe-cluster-config-apply` is expected to succeed.
|
||||
- |
|
||||
Running a config apply as part of the steps for [Replacing a node in an emergency](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-a-node-in-an-emergency) may fail with errors if the node being replaced is still reachable. If this occurs, shutdown the node and repeat the steps.
|
||||
- |
|
||||
{% data reusables.release-notes.2024-06-possible-frontend-5-minute-outage-during-hotpatch-upgrade %}
|
||||
- |
|
||||
When restoring data originally backed up from a 3.13 appliance onto a 3.13 appliance, the elasticsearch indices need to be reindexed before some of the data will show up. This happens via a nightly scheduled job. It can also be forced by running `/usr/local/share/enterprise/ghe-es-search-repair`.
|
||||
- |
|
||||
When restoring from a backup snapshot, a large number of `mapper_parsing_exception` errors may be displayed.
|
||||
- |
|
||||
Attempting to stop replications after stopping GitHub Actions on a GHES instanstance would fail, reporting that MSSQL was not responding. The can be avoided by start MSSQL prior to stopping replication `/usr/local/share/enterprise/ghe-nomad-jobs queue /etc/nomad-jobs/mssql/mssql.hcl`.
|
||||
- |
|
||||
{% data reusables.release-notes.2024-11-ghe-repl-promote-primary-down %}
|
||||
|
||||
[Updated: 2024-11-29]
|
||||
- |
|
||||
{% data reusables.release-notes.2025-03-03-elasticsearch-data-loss %}
|
||||
|
||||
[Updated: 2025-03-12]
|
||||
|
||||
errata:
|
||||
- |
|
||||
These release notes previously indicated as a known issue that on GitHub Enterprise Server 3.13.6, repositories originally imported using `ghe-migrator` will not correctly track Advanced Security contributions.
|
||||
|
||||
The fix for this problem was already included in GitHub Enterprise Server [3.12](/admin/release-notes#3.12.0-bugs). [Updated: 2025-04-11]
|
||||
@@ -1,41 +0,0 @@
|
||||
date: '2024-12-03'
|
||||
sections:
|
||||
security_fixes:
|
||||
- |
|
||||
**LOW**: Instance administrators could see tokens used to authenticate against gitauth in plaintext in`/var/log/github-audit.log`.
|
||||
- |
|
||||
Packages have been updated to the latest security versions.
|
||||
bugs:
|
||||
- |
|
||||
Pull request review requests for teams were sometimes not assigned to users correctly, because of a limit on manual review requests.
|
||||
known_issues:
|
||||
- |
|
||||
During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start.
|
||||
- |
|
||||
If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. For more information, see [AUTOTITLE](/admin/configuration/administering-your-instance-from-the-management-console/troubleshooting-access-to-the-management-console#unlocking-the-root-site-administrator-account).
|
||||
- |
|
||||
On an instance with the HTTP `X-Forwarded-For` header configured for use behind a load balancer, all client IP addresses in the instance's audit log erroneously appear as 127.0.0.1.
|
||||
- |
|
||||
For an instance in a cluster configuration and with GitHub Actions enabled, restoring a cluster from backup requires targeting the primary DB node.
|
||||
- |
|
||||
When following the steps for [Replacing the primary MySQL node](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-the-primary-mysql-node), step 14 (running `ghe-cluster-config-apply`) might fail with errors. If this occurs, re-running `ghe-cluster-config-apply` is expected to succeed.
|
||||
- |
|
||||
Running a config apply as part of the steps for [Replacing a node in an emergency](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-a-node-in-an-emergency) may fail with errors if the node being replaced is still reachable. If this occurs, shutdown the node and repeat the steps.
|
||||
- |
|
||||
{% data reusables.release-notes.2024-06-possible-frontend-5-minute-outage-during-hotpatch-upgrade %}
|
||||
- |
|
||||
When restoring data originally backed up from a 3.13 appliance onto a 3.13 appliance, the elasticsearch indices need to be reindexed before some of the data will show up. This happens via a nightly scheduled job. It can also be forced by running `/usr/local/share/enterprise/ghe-es-search-repair`.
|
||||
- |
|
||||
When restoring from a backup snapshot, a large number of `mapper_parsing_exception` errors may be displayed.
|
||||
- |
|
||||
Attempting to stop replications after stopping GitHub Actions on a GitHub Enterprise Server instance would fail, reporting that MSSQL was not responding. The can be avoided by start MSSQL prior to stopping replication `/usr/local/share/enterprise/ghe-nomad-jobs queue /etc/nomad-jobs/mssql/mssql.hcl`
|
||||
- |
|
||||
{% data reusables.release-notes.2025-03-03-elasticsearch-data-loss %}
|
||||
|
||||
[Updated: 2025-03-12]
|
||||
|
||||
errata:
|
||||
- |
|
||||
These release notes previously indicated as a known issue that on GitHub Enterprise Server 3.13.8, repositories originally imported using `ghe-migrator` will not correctly track Advanced Security contributions.
|
||||
|
||||
The fix for this problem was already included in GitHub Enterprise Server [3.12](/admin/release-notes#3.12.0-bugs). [Updated: 2025-04-11]
|
||||
Some files were not shown because too many files have changed in this diff.