mirror of synced 2025-12-19 09:57:42 -05:00

Deprecate GHES 3.11

This commit is contained in:
Rachael Sewell
2025-02-20 11:36:42 -08:00
parent 899bb2074f
commit 74e6642840
134 changed files with 94 additions and 917483 deletions

View File

@@ -151,15 +151,8 @@ If you select the "Busy" option, when people @mention your username, assign you
1. In the top right corner of {% data variables.product.prodname_dotcom %}, select your profile photo, then click **{% octicon "smiley" aria-hidden="true" %} Set status** or, if you already have a status set, click your current status.
{% ifversion global-nav-update %}
![Screenshot of the dropdown menu under @octocat's profile picture. A smiley icon and "Set status" are outlined in dark orange.](/assets/images/help/profile/set-status-on-profile-global-nav-update.png)
{% else %}
![Screenshot of the dropdown menu under @octocat's profile picture. A smiley icon and "Set status" are outlined in dark orange.](/assets/images/help/profile/set-status-on-profile.png)
{% endif %}
1. In the "What's happening" field, type a status message.
1. Optionally, to set an emoji status, click {% octicon "smiley" aria-label="Choose an emoji" %}, then click an emoji from the list.
1. Optionally, if you'd like to share that you have limited availability, select "Busy."
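Review bot: with the `{% ifversion global-nav-update %}` / `{% else %}` branches dropped here (and in the dashboard and Activity dashboard hunks later in this commit), the `global-nav-update` flag has no consumer left in these files; if its feature definition file is not deleted in the same commit it should be, otherwise a dead flag lingers and any future `ifversion` that mistypes its name will silently evaluate to false. The kept screenshot line is fine as-is, since both branches used identical alt text.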

View File

@@ -32,15 +32,10 @@ In the "Recent activity" section of your news feed, you can quickly find and fol
## Finding your top repositories and teams
{% ifversion global-nav-update %}
In the global navigation menu, you can access the top repositories and teams you use. To open the menu, select {% octicon "three-bars" aria-label="Open global navigation menu" %} at the top left of any page.
![Screenshot of the navigation bar on {% data variables.product.github %}. The "Open global navigation menu" icon is outlined in dark orange.](/assets/images/help/navigation/global-navigation-menu-icon.png)
{% else %}
In the left sidebar of your dashboard, you can access the top repositories and teams you use.
{% endif %}
The list of top repositories is automatically generated, and can include any repository you have interacted with, whether it's owned directly by your account or not. Interactions include making commits and opening or commenting on issues and pull requests. The list of top repositories cannot be edited, but repositories will drop off the list 1 year after you last interacted with them.
You can also find a list of your recently visited repositories, teams, and projects when you click into the search bar at the top of any page on {% data variables.product.github %}.

View File

@@ -73,30 +73,22 @@ Use a wait timer to delay a job for a specific amount of time after the job is i
{% endif %}
### Deployment branches{% ifversion deployment-protections-tag-patterns %} and tags{% endif %}
### Deployment branches and tags
Use deployment branches{% ifversion deployment-protections-tag-patterns %} and tags{% endif %} to restrict which branches{% ifversion deployment-protections-tag-patterns %} and tags{% endif %} can deploy to the environment. Below are the options for deployment branches{% ifversion deployment-protections-tag-patterns %} and tags{% endif %} for an environment:
Use deployment branches and tags to restrict which branches and tags can deploy to the environment. Below are the options for deployment branches and tags for an environment:
{% ifversion deployment-protections-tag-patterns %}
* **No restriction:** No restriction on which branch or tag can deploy to the environment.
{%- else %}
* **All branches:** All branches in the repository can deploy to the environment.
{%- endif %}
* **Protected branches{% ifversion deployment-protections-tag-patterns %} only{% endif %}:** Only branches with branch protection rules enabled can deploy to the environment. If no branch protection rules are defined for any branch in the repository, then all branches can deploy. For more information about branch protection rules, see [AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches).
* **Protected branches only:** Only branches with branch protection rules enabled can deploy to the environment. If no branch protection rules are defined for any branch in the repository, then all branches can deploy. For more information about branch protection rules, see [AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches).
> [!NOTE]
> Deployment workflow runs triggered by tags with the same name as a protected branch and forks with branches that match the protected branch name cannot deploy to the environment.
* **Selected branches{% ifversion deployment-protections-tag-patterns %} and tags{% endif %}:** Only branches{% ifversion deployment-protections-tag-patterns %} and tags{% endif %} that match your specified name patterns can deploy to the environment.
* **Selected branches and tags:** Only branches and tags that match your specified name patterns can deploy to the environment.
If you specify `releases/*` as a deployment branch{% ifversion deployment-protections-tag-patterns %} or tag{% endif %} rule, only a branch{% ifversion deployment-protections-tag-patterns %} or tag{% endif %} whose name begins with `releases/` can deploy to the environment. (Wildcard characters will not match `/`. To match branches{% ifversion deployment-protections-tag-patterns %} or tags{% endif %} that begin with `release/` and contain an additional single slash, use `release/*/*`.) If you add `main` as a branch rule, a branch named `main` can also deploy to the environment. For more information about syntax options for deployment branches, see the [Ruby `File.fnmatch` documentation](https://ruby-doc.org/core-2.5.1/File.html#method-c-fnmatch).
{% ifversion deployment-protections-tag-patterns %}
If you specify `releases/*` as a deployment branch or tag rule, only a branch or tag whose name begins with `releases/` can deploy to the environment. (Wildcard characters will not match `/`. To match branches or tags that begin with `release/` and contain an additional single slash, use `release/*/*`.) If you add `main` as a branch rule, a branch named `main` can also deploy to the environment. For more information about syntax options for deployment branches, see the [Ruby `File.fnmatch` documentation](https://ruby-doc.org/core-2.5.1/File.html#method-c-fnmatch).
{% data reusables.actions.branch-and-tag-deployment-rules-configuration %}
{% endif %}
{% ifversion fpt %}
> [!NOTE]
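Review bot: the rewritten line beginning `If you specify `releases/*`` keeps an inconsistency from the old text: it says names beginning with `releases/` match, then switches to `release/` and `release/*/*` for the nested-slash case. Since the line is being rewritten anyway, use one prefix throughout (`releases/` and `releases/*/*`). Also confirm that the `> [!NOTE]` beneath the **Protected branches only** bullet is still indented as part of that list item now that the surrounding `{% ifversion %}` lines are gone; a dedented blockquote between bullets splits the list.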
@@ -191,16 +183,14 @@ Variables stored in an environment are only available to workflow jobs that refe
1. Optionally, enable any custom deployment protection rules that have been created with {% data variables.product.prodname_github_apps %}. For more information, see [Custom deployment protection rules](#custom-deployment-protection-rules).
1. Select the custom protection rule you want to enable.
1. Click **Save protection rules**.
1. Optionally, specify what branches{% ifversion deployment-protections-tag-patterns %} and tags{% endif %} can deploy to this environment. For more information, see [Deployment branches{% ifversion deployment-protections-tag-patterns %} and tags{% endif %}](/actions/deployment/targeting-different-environments/managing-environments-for-deployment#deployment-branches{% ifversion deployment-protections-tag-patterns %}-and-tags{% endif %}).
1. Optionally, specify what branches and tags can deploy to this environment. For more information, see [Deployment branches and tags](/actions/deployment/targeting-different-environments/managing-environments-for-deployment#deployment-branches-and-tags).
1. Select the desired option in the **Deployment branches** dropdown.
1. If you chose **Selected branches{% ifversion deployment-protections-tag-patterns %} and tags{% endif %}**, to add a new rule, click **Add deployment branch{% ifversion deployment-protections-tag-patterns %} or tag{% endif %} rule**
{% ifversion deployment-protections-tag-patterns %}1. In the "Ref type" dropdown menu, depending on what rule you want to apply, click **{% octicon "git-branch" aria-hidden="true" %} Branch** or **{% octicon "tag" aria-hidden="true" %} Tag**.{% endif %}
1. Enter the name pattern for the branch{% ifversion deployment-protections-tag-patterns %} or tag{% endif %} that you want to allow.
{% ifversion deployment-protections-tag-patterns %}
1. If you chose **Selected branches and tags**, to add a new rule, click **Add deployment branch or tag rule**
1. In the "Ref type" dropdown menu, depending on what rule you want to apply, click **{% octicon "git-branch" aria-hidden="true" %} Branch** or **{% octicon "tag" aria-hidden="true" %} Tag**.
1. Enter the name pattern for the branch or tag that you want to allow.
{% data reusables.actions.branch-and-tag-deployment-rules-configuration %}
{% endif %}
1. Click **Add rule**.
1. Optionally, add environment secrets. These secrets are only available to workflow jobs that use the environment. Additionally, workflow jobs that use this environment can only access these secrets after any configured rules (for example, required reviewers) pass. For more information, see [Environment secrets](#environment-secrets).
1. Under **Environment secrets**, click **Add Secret**.

View File

@@ -20,7 +20,6 @@ children:
- /sharing-actions-and-workflows-from-your-private-repository
- /sharing-actions-and-workflows-with-your-organization
- /sharing-actions-and-workflows-with-your-enterprise
- /required-workflows
---
{% data reusables.actions.enterprise-github-hosted-runners %}

View File

@@ -1,53 +0,0 @@
---
title: Required workflows
shortTitle: Required workflows
intro: You can specify which workflows will run as required status checks in all repositories or selected repositories in your organization.
versions:
feature: required-workflows-deprecation
permissions: 'Because {% data variables.product.company_short %} no longer supports this feature, this article is only relevant if you are already using required workflows for {% data variables.product.prodname_actions %}.'
type: how_to
topics:
- Workflows
redirect_from:
- /actions/using-workflows/required-workflows
---
{% data reusables.actions.workflows.required-workflow-beta %}
## Overview
You can configure a workflow that must run in repositories in an organization for all pull requests opened against any target branch. Required workflows allow you to implement organization-wide CI/CD policies that apply to current and future repositories. A required workflow is triggered by `pull_request` and `pull_request_target` default events and appears as a required status check, which blocks the ability to merge the pull request until the required workflow succeeds.
Required workflows are not the same as reusable workflows. Reusable workflows can be called by another workflow. Required workflows are enforced on repositories by an organization owner.
## Prerequisites
Before configuring a required workflow, note the following prerequisites:
{% data reusables.actions.workflows.required-workflow-prerequisites %}
## Restrictions and behaviors for the source repository
Note the following restrictions and behaviors for the source repository and workflow:
{% data reusables.actions.workflows.required-workflow-source-notes %}
## Restrictions and behaviors for the target repository
Note the following restrictions and behaviors for the target repositories:
{% data reusables.actions.workflows.required-workflow-target-notes %}
## Viewing workflow runs for required workflows
After a required workflow has run at least once in a repository, you can view its workflow runs in that repository's "Actions" tab. To make changes to what workflows are configured as required in an organization, you must contact an organization owner. To make changes to a required workflow itself, anyone with write permissions for the repository that contains the required workflow can make changes to it.
{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.actions-tab %}
1. In the left sidebar, you can view workflow runs for required workflows under "Required workflows."
![Screenshot of the sidebar on the "Actions" page. The "Required workflows" section lists "Test required workflow" and is outlined in orange.](/assets/images/help/settings/view-required-workflows.png)
## Adding a required workflow to an organization
Organization owners can configure required workflows in their organization. For more information, see [AUTOTITLE](/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#adding-a-required-workflow-to-an-organization).
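Review bot: deleting this page drops its `redirect_from` path `/actions/using-workflows/required-workflows` together with the page's own URL, so both now 404 unless a redirect exception is added; the organization-settings article that the `## Adding a required workflow to an organization` section already links to is the natural target. The `feature: required-workflows-deprecation` key in the front matter also implies a feature file that should go if nothing else references it.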

View File

@@ -339,8 +339,6 @@ on:
types: [created, deleted]
```
{% ifversion merge-queue %}
## `merge_group`
| Webhook event payload | Activity types | `GITHUB_SHA` | `GITHUB_REF` |
@@ -363,8 +361,6 @@ on:
types: [checks_requested]
```
{% endif %}
## `milestone`
| Webhook event payload | Activity types | `GITHUB_SHA` | `GITHUB_REF` |
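Review bot: unwrapping `## merge_group` from `{% ifversion merge-queue %}` ... `{% endif %}` is only correct if every version still built supports merge queues; if that is the case, the `merge-queue` feature file should be removed alongside this change rather than left as an unreferenced flag.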

View File

@@ -1297,13 +1297,6 @@ In this example, `ghe-repl-status -vv` sends verbose status information from a r
During an upgrade to a feature release, this utility displays the status of background jobs on {% data variables.location.product_location %}. If you're running back-to-back upgrades, you should use this utility to check that all background jobs are complete before proceeding with the next upgrade.
{% ifversion ghes < 3.12 %}
> [!NOTE]
> To use `ghe-check-background-upgrade-jobs` with {% data variables.product.prodname_ghe_server %} {{ allVersions[currentVersion].currentRelease }}, your instance must run version {{ allVersions[currentVersion].currentRelease }}.1 or later.
{% endif %}
```shell
ghe-check-background-upgrade-jobs
```

View File

@@ -31,9 +31,9 @@ Some administrative ports are required to configure {% data variables.location.p
| 1194/UDP | VPN | Secure replication network tunnel in high availability configuration. Required to be open for communication between all nodes in the configuration.|
| 123/UDP| NTP | Required for time protocol operation. |
| 161/UDP | SNMP | Required for network monitoring protocol operation. |
| {% ifversion ghes > 3.11 %} |
| |
| 9103/TCP | HTTP | Required for future support of Prometheus scraping. |
| {% endif %} |
| |
## Application ports for end users
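Review bot: the Liquid rows `| {% ifversion ghes > 3.11 %} |` and `| {% endif %} |` were replaced with empty `| |` rows instead of being deleted, which leaves two blank rows in the rendered ports table. Drop both `| |` lines so `9103/TCP` sits directly under `161/UDP`.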

View File

@@ -21,40 +21,20 @@ To enable interactive maps, you must provide authentication credentials for Azur
{% ifversion ghes < 3.13 %}
> [!WARNING]
> Authentication with Azure Maps using an API token is {% data variables.release-phases.retired %} in {% data variables.product.prodname_ghe_server %} {{ allVersions[currentVersion].currentRelease }}.{% ifversion ghes = 3.11 %}1{% endif %} and later. If you upgrade to the latest release of {% data variables.product.prodname_ghe_server %} on an instance already configured to authenticate with an API token, interactive maps will be disabled. You must reconfigure authentication using role-based access control (RBAC) for an application on a Microsoft Entra ID (previously known as Azure AD) tenant. {% data reusables.enterprise.azure-maps-auth-deprecation-link %}
> Authentication with Azure Maps using an API token is {% data variables.release-phases.retired %} in {% data variables.product.prodname_ghe_server %} {{ allVersions[currentVersion].currentRelease }}. and later. If you upgrade to the latest release of {% data variables.product.prodname_ghe_server %} on an instance already configured to authenticate with an API token, interactive maps will be disabled. You must reconfigure authentication using role-based access control (RBAC) for an application on a Microsoft Entra ID (previously known as Azure AD) tenant. {% data reusables.enterprise.azure-maps-auth-deprecation-link %}
{% endif %}
## Prerequisites
{% ifversion ghes < 3.12 %}
The following prerequisites apply if your instance runs {% data variables.product.prodname_ghe_server %} {{ allVersions[currentVersion].currentRelease }}.1 or later.
{% endif %}
* To configure interactive maps for your instance, you must have administrative access to a tenant in Microsoft Entra ID. For more information, contact the administrator for Microsoft resources at your company, or see [Quickstart: Create a new tenant in Microsoft Entra ID](https://learn.microsoft.com/entra/fundamentals/create-new-tenant) on Microsoft Learn.
* You must know the tenant ID for your tenant in Entra ID. For more information, see [Get subscription and tenant IDs in the Azure portal](https://learn.microsoft.com/en-us/azure/azure-portal/get-subscription-tenant-id#find-your-microsoft-entra-tenant) on Microsoft Learn.
* Your instance must be able to access https://login.microsoftonline.com.
{% ifversion ghes < 3.12 %}
If your instance runs {% data variables.product.prodname_ghe_server %} {{ allVersions[currentVersion].currentRelease }}.0, you must provide an API token for Azure Maps instead.
{% data reusables.enterprise.azure-maps-auth-warning %}
{% endif %}
## Generating credentials for Azure Maps
{% ifversion ghes < 3.12 %}
To configure authentication for Azure Maps using RBAC, your instance must run {% data variables.product.prodname_ghe_server %} {{ allVersions[currentVersion].currentRelease }}.1 or later.
{% endif %}
To generate credentials for Azure Maps, you must create an application for your tenant in Entra ID, provide the application access to an Azure Maps account, and configure role-based access control (RBAC).
1. Register a new application on your Entra ID tenant. For more information, see [Quickstart: Register an application with the Microsoft identity platform](https://learn.microsoft.com/entra/identity-platform/quickstart-register-app#register-an-application) on Microsoft Learn.
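Review bot: the rewritten warning reads `{{ allVersions[currentVersion].currentRelease }}. and later`; removing `{% ifversion ghes = 3.11 %}1{% endif %}` left behind the `.` that used to join the patch number, so the page will render "3.12. and later". Delete the stray period. With the `ghes < 3.12` prerequisite paragraphs gone, the remaining `{% ifversion ghes < 3.13 %}` wrapper now only ever matches 3.12; `ghes = 3.12` would make that intent explicit.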
@@ -90,11 +70,11 @@ After you create an application on your Entra ID tenant and generate a secret fo
```
Store the string in a secure location that you can reference in the next step.
1. {% ifversion ghes > 3.11 %}Below the headings, type or paste{% else %}Enter{% endif %} your authentication details for Azure Maps.
1. Below the headings, type or paste your authentication details for Azure Maps.
* If your instance runs {% data variables.product.prodname_ghe_server %} {{ allVersions[currentVersion].currentRelease }}.{% ifversion ghes = 3.11 %}0{% endif %}, below "Azure Maps API Token", type or paste your token.
* If your instance runs {% data variables.product.prodname_ghe_server %} {{ allVersions[currentVersion].currentRelease }}., below "Azure Maps API Token", type or paste your token.
%}
* If your instance runs {% data variables.product.prodname_ghe_server %} {{ allVersions[currentVersion].currentRelease }}.{% ifversion ghes = 3.11 %}1{% endif %} or later, below the headings, type or paste the following information.
* If your instance runs {% data variables.product.prodname_ghe_server %} {{ allVersions[currentVersion].currentRelease }}. or later, below the headings, type or paste the following information.
* Optionally, to change the style of rendered maps, under "Basemap ID", type the ID for the style you'd like to use.
* Under the headings, type or paste your authentication details.
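Review bot: three leftovers of the conditional removal remain in this hunk: the bullet `If your instance runs ... currentRelease }}., below "Azure Maps API Token"` has the same stray `.` as the warning above, the orphan `%}` on its own line is the tail of a removed `{% ifversion %}` tag and will render literally, and the following bullet ends `}}. or later`. More substantively, the API-token bullet described the 3.11.0 behaviour this commit is retiring, so for the versions that remain it is dead text; drop that bullet and the `%}` line, and fold the RBAC fields directly under the `Below the headings, type or paste your authentication details` step.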

View File

@@ -29,7 +29,7 @@ To restore a backup of {% data variables.location.product_location %} with {% da
1. In the {% data variables.enterprise.management_console %}, configure network settings and external storage for {% data variables.product.prodname_actions %} on the destination instance. See [AUTOTITLE](/admin/configuring-settings).
1. After {% data variables.product.prodname_actions %} is configured and enabled, to restore the rest of the data from the backup, use the `ghe-restore` command. For more information, see [AUTOTITLE](/admin/configuration/configuring-your-enterprise/configuring-backups-on-your-appliance#restoring-a-backup).
1. Re-register your self-hosted runners on the destination instance. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/adding-self-hosted-runners).
1. {% ifversion ghes < 3.12 %}Optionally, to{% else %}To{% endif %} ensure that the bundled actions that are pre-installed on your new instance are up to date, enter the following command.
1. To ensure that the bundled actions that are pre-installed on your new instance are up to date, enter the following command.
```shell copy
ghe-config --unset 'app.actions.actions-repos-sha1sum'

View File

@@ -28,15 +28,9 @@ The Activity dashboard provides weekly, monthly, and yearly graphs of the number
## Accessing the Activity dashboard
{% ifversion global-nav-update %}
1. In the top-left corner of any page, select {% octicon "three-bars" aria-label="Open global navigation menu" %}, then click **{% octicon "telescope" aria-hidden="true" %} Explore**.
![Screenshot of the navigation bar on {% data variables.product.github %}. The "Open global navigation menu" icon is outlined in dark orange.](/assets/images/help/navigation/global-navigation-menu-icon.png)
{% else %}
1. At the top of any page, click **Explore**.
![Screenshot of the navigation bar at the top of the web UI for GitHub Enterprise Server. The word "Explore" is highlighted with an orange outline.](/assets/images/enterprise/settings/ent-new-explore.png)
{% endif %}
1. In the upper-right corner of the page, click **{% octicon "pulse" aria-hidden="true" %} Activity**.
1. To view activity over different periods, click **This week**, **This month**, or **This year**.

View File

@@ -16,8 +16,7 @@ redirect_from:
>[!NOTE]
>The ability to defer database seeding{% ifversion ghes < 3.13 %} was added in patch release
{%- ifversion ghes = 3.12 %} 3.12.1{%- endif %}
{%- ifversion ghes = 3.11 %} 3.11.7{%- endif %}
3.12.1
and{% endif %} is available as a {% data variables.release-phases.public_preview %}.
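Review bot: with the `3.11.7` branch removed, the only value left inside `{% ifversion ghes < 3.13 %}` is a bare `3.12.1` on an unquoted line, so the `{%- ifversion %}` whitespace-trimming layout no longer buys anything and the note relies on lazy blockquote continuation. Collapse it onto the `>` line as `{% ifversion ghes = 3.12 %} was added in patch release 3.12.1 and{% endif %} is available as a ...` so the whole note is quoted and readable in source.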

View File

@@ -1,133 +0,0 @@
---
title: Evacuating a cluster node running data services
shortTitle: Evacuating a data node
intro: 'If a node in your {% data variables.product.prodname_ghe_server %} cluster runs services that store distributed data, you can ensure redundancy as you prepare to replace the node by evacuating the node''s data.'
product: '{% data reusables.gated-features.cluster %}'
redirect_from:
- /enterprise/admin/clustering/evacuating-a-cluster-node
- /enterprise/admin/enterprise-management/evacuating-a-cluster-node
- /admin/enterprise-management/evacuating-a-cluster-node
- /admin/enterprise-management/configuring-clustering/evacuating-a-cluster-node
- /admin/enterprise-management/configuring-clustering/evacuating-a-cluster-node-running-data-services
- /admin/monitoring-managing-and-updating-your-instance/configuring-clustering/evacuating-a-cluster-node-running-data-services
versions:
ghes: <=3.11
type: how_to
topics:
- Clustering
- Enterprise
---
## About evacuation of cluster nodes running data services
In a cluster configuration for {% data variables.product.prodname_ghe_server %}, you may need to take an individual node offline. For example, you may need to replace the node's virtual machine (VM). If the node you want to replace operates in the storage tier, {% data variables.product.company_short %} recommends that you first evacuate the node's data services. Evacuation ensures that the remaining nodes contain the minimum expected copies of the data.
For more information about nodes and service tiers for {% data variables.product.prodname_ghe_server %}, see [AUTOTITLE](/admin/enterprise-management/configuring-clustering/about-cluster-nodes).
> [!WARNING]
> * To avoid data loss during replacement of a node, {% data variables.product.company_short %} strongly recommends evacuation of the applicable data services on the node before you take the node offline.
> * To ensure redundancy for any data service on your cluster, copies of data should exist on at least three nodes. For example, when four or more nodes store Git data, during evacuation, evacuated repository data will move from the node you're evacuating to the other three nodes. If you only have three nodes that store data for a service, evacuation of one node could fail and result in under-replicated data.
## Evacuating a cluster node running data services
If you plan to take a node offline and the node runs any of the following roles, evacuate each applicable service before taking the node offline.
| Service | Data |
| :- | :- |
| `git-server` | Repositories |
| `pages-server` | Site builds for {% data variables.product.prodname_pages %} |
| `storage-server` | <ul><li>Data stored in repositories using {% data variables.large_files.product_name_long %}</li><li>Avatar images</li><li>File attachments from comments in the web UI</li><li>Release archives</li></ul> |
{% data reusables.enterprise_clustering.ssh-to-a-node %}
1. To find the UUID of the node to evacuate, run the following command. Replace HOSTNAME with the node's hostname. You'll use the UUID in subsequent commands.
```shell
ghe-config cluster.HOSTNAME.uuid
```
1. For each applicable service on the node, to determine the initial data counts, run the following commands. For each command, replace UUID with the UUID from the previous step.
* `git-server`:
* Command:
```shell
ghe-spokesctl server status git-server-UUID
```
* Relevant output: `NETWORKS`, `GISTS`
* `pages-server`:
* Command:
```shell
echo "select count(*) from pages_replicas where host = 'pages-server-UUID'" | ghe-dbconsole -y
```
* `storage-server`:
* Command:
```shell
ghe-storage evacuation-status storage-server-UUID
```
* Relevant output: `Remaining item(s)`
1. To evacuate an applicable service on the node, run the following commands. For each command, replace UUID with the UUID from the earlier step.
* `git-server`:
* Command (replace REASON FOR EVACUATION with the reason for evacuation):
```shell
ghe-spokesctl server set evacuating git-server-UUID 'REASON FOR EVACUATION'
```
* `pages-server`:
* Command:
```shell
ghe-dpages evacuate pages-server-UUID
```
* `storage-server`:
1. Take the node's service offline by running the following command.
```shell
ghe-storage offline storage-server-UUID
```
1. Evacuate the node by running the following command.
```shell
ghe-storage evacuate storage-server-UUID
```
1. To monitor evacuation of a service while {% data variables.product.prodname_ghe_server %} copies the data, run the following commands. For each command, replace UUID with the UUID from the earlier step.
> [!WARNING]
> Do not shut down the node until evacuation is complete. Evacuation is complete when the data counts reach zero, which means that all data is safely stored on other nodes.
* `git-server`:
```shell
ghe-spokesctl server evac-status git-server-UUID
```
* `pages-server`:
```shell
echo "select count(*) from pages_replicas where host = 'pages-server-UUID'" | ghe-dbconsole -y
```
* `storage-server`:
```shell
ghe-storage evacuation-status storage-server-UUID
```
1. After evacuation completes for the service, shut down the node.
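Review bot: this article carried `versions: ghes: <=3.11`, so removing it with 3.11 is right, but its six `redirect_from` paths and its canonical URL are dropped with no replacement; add a redirect exception (the sibling `replacing-a-cluster-node` page is the natural target, since evacuation was the preparatory step for a replacement) so links from older release notes and bookmarks do not 404.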

View File

@@ -24,7 +24,6 @@ children:
- /monitoring-the-health-of-your-cluster
- /monitoring-the-health-of-your-cluster-nodes-with-node-eligibility-service
- /rebalancing-cluster-workloads
- /evacuating-a-cluster-node-running-data-services
- /replacing-a-cluster-node
- /configuring-high-availability-replication-for-a-cluster
- /initiating-a-failover-to-your-replica-cluster

View File

@@ -52,7 +52,7 @@ While you can use a hotpatch to upgrade to the latest patch release within a fea
To check the status of background jobs, use the `ghe-check-background-upgrade-jobs` utility. If you're running back-to-back upgrades, you must ensure background jobs are complete before proceeding with the following upgrade to a feature release.
{%- ifversion ghes < 3.12 %} To use this utility with {% data variables.product.prodname_ghe_server %} {{ allVersions[currentVersion].currentRelease }}, your instance must run version {{ allVersions[currentVersion].currentRelease }}.1 or later.{% endif %} See [AUTOTITLE](/admin/configuration/configuring-your-enterprise/command-line-utilities#ghe-check-background-upgrade-jobs).
See [AUTOTITLE](/admin/configuration/configuring-your-enterprise/command-line-utilities#ghe-check-background-upgrade-jobs).
To monitor progress of the configuration run, read the output in `/data/user/common/ghe-config.log`. For example, you can tail the log by running the following command:

View File

@@ -29,7 +29,7 @@ topics:
* If youre several versions behind, upgrade {% data variables.location.product_location %} as far forward as possible with each step of your upgrade process. Using the latest version possible on each upgrade allows you to take advantage of performance improvements and bug fixes. For example, you could upgrade from {% data variables.product.prodname_enterprise %} 2.7 to 2.8 to 2.10, but upgrading from {% data variables.product.prodname_enterprise %} 2.7 to 2.9 to 2.10 uses a later version in the second step.
* Use the latest patch release when upgrading. {% data reusables.enterprise_installation.enterprise-download-upgrade-pkg %}
* Use a staging instance to test the upgrade steps. For more information, see [AUTOTITLE](/admin/installation/setting-up-a-github-enterprise-server-instance/setting-up-a-staging-instance).
* When running multiple upgrades, ensure data migrations and upgrade tasks running in the background are fully complete before proceeding to the next feature upgrade. To check the status of these processes, you can use the `ghe-migrations` and `ghe-check-background-upgrade-jobs` command-line utilities. {% ifversion ghes < 3.12 %} To use `ghe-check-background-upgrade-jobs` with {% data variables.product.prodname_ghe_server %} {{ allVersions[currentVersion].currentRelease }}, your instance must run version {{ allVersions[currentVersion].currentRelease }}.1 or later. {% endif %}For more information, see [AUTOTITLE](/admin/configuration/configuring-your-enterprise/command-line-utilities#upgrading-github-enterprise-server).
* When running multiple upgrades, ensure data migrations and upgrade tasks running in the background are fully complete before proceeding to the next feature upgrade. To check the status of these processes, you can use the `ghe-migrations` and `ghe-check-background-upgrade-jobs` command-line utilities. For more information, see [AUTOTITLE](/admin/configuration/configuring-your-enterprise/command-line-utilities#upgrading-github-enterprise-server).
* Take a snapshot before upgrading your virtual machine. For more information, see [AUTOTITLE](/admin/upgrading-your-instance/preparing-to-upgrade/taking-a-snapshot).
* Ensure you have a recent, successful backup of your instance. For more information, see the [{% data variables.product.prodname_enterprise_backup_utilities %} README.md file](https://github.com/github/backup-utils#readme).
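Review bot: while this file is being touched, the unchanged context line above still reads `If youre several versions behind` (missing apostrophe in `you're`), and its example upgrade path `2.7 to 2.8 to 2.10` predates the 3.x series; both are worth fixing in the same pass.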

View File

@@ -28,18 +28,13 @@ In order to use a {% data variables.product.prodname_github_app %} to make authe
1. Install the {% data variables.product.prodname_github_app %} on your user account or organization and grant it access to any repositories that you want your workflow to access. For more information, see [AUTOTITLE](/apps/maintaining-github-apps/installing-github-apps#installing-your-private-github-app-on-your-repository).
1. In your {% data variables.product.prodname_actions %} workflow, create an installation access token, which you can use to make API requests.
{% ifversion ghes < 3.12 %}To do this, you can use a pre-made action as demonstrated in the following example. If you prefer to not use a third party action, you can fork and modify the `tibdex/github-app-token` action, or you can write a script to make your workflow create an installation token manually. For more information, see [AUTOTITLE](/apps/creating-github-apps/authenticating-with-a-github-app/authenticating-as-a-github-app-installation).{% else %}To do this, you can use a {% data variables.product.company_short %}-owned action as demonstrated in the following example. If you prefer to not use this action, you can fork and modify the [`actions/create-github-app-token` action](https://github.com/actions/create-github-app-token), or you can write a script to make your workflow create an installation token manually. For more information, see [AUTOTITLE](/apps/creating-github-apps/authenticating-with-a-github-app/authenticating-as-a-github-app-installation).{% endif %}
To do this, you can use a {% data variables.product.company_short %}-owned action as demonstrated in the following example. If you prefer to not use this action, you can fork and modify the [`actions/create-github-app-token` action](https://github.com/actions/create-github-app-token), or you can write a script to make your workflow create an installation token manually. For more information, see [AUTOTITLE](/apps/creating-github-apps/authenticating-with-a-github-app/authenticating-as-a-github-app-installation).
The following example workflow uses the {% ifversion ghes < 3.12 %}`tibdex/github-app-token`{% else %}`actions/create-github-app-token`{% endif %} action to generate an installation access token. Then, the workflow uses the token to make an API request via the {% data variables.product.prodname_cli %}.
The following example workflow uses the `actions/create-github-app-token` action to generate an installation access token. Then, the workflow uses the token to make an API request via the {% data variables.product.prodname_cli %}.
In the following workflow, replace `APP_ID` with the name of the configuration variable where you stored your app ID. Replace `APP_PRIVATE_KEY` with the name of the secret where you stored your app private key.
```yaml copy
{% ifversion ghes < 3.12 %}
{% data reusables.actions.actions-not-certified-by-github-comment %}
{% data reusables.actions.actions-use-sha-pinning-comment %}
{% endif %}
on:
workflow_dispatch:
jobs:
@@ -48,10 +43,10 @@ jobs:
steps:
- name: Generate a token
id: generate-token
uses: {% ifversion ghes < 3.12 %}tibdex/github-app-token@32691ba7c9e7063bd457bd8f2a5703138591fa58 # v1.9.0{% else %}actions/create-github-app-token@v1{% endif %}
uses: actions/create-github-app-token@v1
with:
{% ifversion ghes < 3.12 %}app_id{% else %}app-id{% endif %}: {% raw %}${{ vars.APP_ID }}{% endraw %}
{% ifversion ghes < 3.12 %}private_key{% else %}private-key{% endif %}: {% raw %}${{ secrets.APP_PRIVATE_KEY }}{% endraw %}
app-id: {% raw %}${{ vars.APP_ID }}{% endraw %}
private-key: {% raw %}${{ secrets.APP_PRIVATE_KEY }}{% endraw %}
- name: Use the token
env:
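Review bot: the surviving `uses: actions/create-github-app-token@v1` line pins by a mutable major-version tag, while the branch being removed pinned the third-party action to a full commit SHA (`tibdex/github-app-token@32691ba7c9e7063bd457bd8f2a5703138591fa58 # v1.9.0`) and the previous hunk drops the `actions-use-sha-pinning-comment` reusable along with it. Since this is now the only rendering of the example, consider either keeping the pinning comment or stating that a major tag is the accepted convention for a GitHub-owned action, so readers of the workflow are not left without any guidance on pinning.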

View File

@@ -97,7 +97,7 @@ You can download a CSV file with {% data variables.product.prodname_GH_advanced_
* The username of the person using the license
* The {% data variables.product.prodname_advanced_security %}-enabled repositories where commits were made
* The organizations{% ifversion secret-scanning-user-owned-repos %}{% ifversion ghec %} and user namespaces for {% data variables.product.prodname_emus %}{% endif %}{% endif %} that people using licenses belong to
* The most recent commit dates{% ifversion ghec or ghes > 3.11 %} and associated email addresses{% endif %}
* The most recent commit dates and associated email addresses
You can use this information for insights into your {% data variables.product.prodname_advanced_security %} usage, such as which members of your enterprise are using an {% data variables.product.prodname_advanced_security %} license or how {% data variables.product.prodname_advanced_security %} licenses are being consumed across your organizations.

View File

@@ -1,6 +1,6 @@
---
title: Connecting an Azure subscription
intro: "You can enable and pay for usage-based billing on {% data variables.location.product_location %} by connecting an Azure subscription."
intro: 'You can enable and pay for usage-based billing on {% data variables.location.product_location %} by connecting an Azure subscription.'
redirect_from:
- /github/setting-up-and-managing-your-enterprise/managing-your-enterprise-account/connecting-an-azure-subscription-to-your-enterprise
- /github/setting-up-and-managing-billing-and-payments-on-github/connecting-an-azure-subscription-to-your-enterprise
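Review bot: the `intro:` edit in this hunk only swaps double quotes for single quotes and is unrelated to the 3.11 deprecation; the value contains no characters that require either quoting style, so it is harmless, but either mention the formatting normalisation in the commit message or leave it out to keep the diff focused on the `versions` change in the next hunk.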
@@ -10,7 +10,7 @@ redirect_from:
versions:
fpt: '*'
ghec: '*'
ghes: '>= 3.12'
ghes: '*'
shortTitle: Connect an Azure subscription
---

View File

@@ -196,7 +196,7 @@ jobs:
strategy:
fail-fast: false
matrix:
language: [{% ifversion codeql-language-identifiers-311 %}'javascript-typescript'{% else %}'javascript'{% endif %}, 'python']
language: ['javascript-typescript', 'python']
```
If your workflow does not contain a matrix called `language`, then {% data variables.product.prodname_codeql %} is configured to run analysis sequentially. If you don't specify languages in the workflow, {% data variables.product.prodname_codeql %} automatically detects, and attempts to analyze, any supported languages in the repository. If you want to choose which languages to analyze, without using a matrix, you can use the `languages` parameter under the `init` action.
@@ -204,7 +204,7 @@ If your workflow does not contain a matrix called `language`, then {% data varia
```yaml copy
- uses: {% data reusables.actions.action-codeql-action-init %}
with:
languages: {% ifversion codeql-language-identifiers-311 %}c-cpp{% else %}cpp{% endif %}, csharp, python
languages: c-cpp, csharp, python
```
## Defining the alert severities that cause a check failure for a pull request
@@ -243,7 +243,7 @@ This parameter is particularly useful if you work with monorepos and have multip
If you don't specify a `category` parameter in your workflow, {% data variables.product.github %} will generate a category name for you, based on the name of the workflow file triggering the action, the action name, and any matrix variables. For example:
* The `.github/workflows/codeql-analysis.yml` workflow and the `analyze` action will produce the category `.github/workflows/codeql.yml:analyze`.
* The `.github/workflows/codeql-analysis.yml` workflow, the `analyze` action, and the `{language: {% ifversion codeql-language-identifiers-311 %}javascript-typescript{% else %}javascript{% endif %}, os: linux}` matrix variables will produce the category `.github/workflows/codeql-analysis.yml:analyze/language:{% ifversion codeql-language-identifiers-311 %}javascript-typescript{% else %}javascript{% endif %}/os:linux`.
* The `.github/workflows/codeql-analysis.yml` workflow, the `analyze` action, and the `{language: javascript-typescript, os: linux}` matrix variables will produce the category `.github/workflows/codeql-analysis.yml:analyze/language:javascript-typescript/os:linux`.
The `category` value will appear as the `<run>.automationDetails.id` property in SARIF v2.1.0. For more information, see [AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning#runautomationdetails-object).

View File

@@ -69,7 +69,7 @@ jobs:
strategy:
fail-fast: false
matrix:
language: [{% ifversion codeql-language-identifiers-311 %}java-kotlin{% else %}java{% endif %}]
language: [java-kotlin]
# Specify the container in which actions will run
container:

View File

@@ -45,7 +45,7 @@ For repositories that are not eligible for default setup, you can configure adva
A repository must meet all the following criteria to be eligible for default setup, otherwise you need to use advanced setup.
* {% ifversion fpt %}{% data variables.product.prodname_code_scanning_caps %}{% else %}Advanced setup for {% data variables.product.prodname_code_scanning %}{% endif %} is not already enabled.
* {% data variables.product.prodname_actions %} are enabled.{% ifversion default-setup-pre-enablement %}{% elsif code-scanning-default-setup-recommended-languages %}
* {% data variables.product.prodname_actions %} are enabled.{% ifversion default-setup-pre-enablement %}
* Uses Go, JavaScript/TypeScript, Python, or Ruby.{% endif %}{% ifversion fpt %}
* Publicly visible.{%- elsif ghec %}
* Publicly visible, or {% data variables.product.prodname_GH_advanced_security %} is enabled.{%- elsif ghes %}
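Review bot: dropping the `{% elsif code-scanning-default-setup-recommended-languages %}` clause changes which branch the following `* Uses Go, JavaScript/TypeScript, Python, or Ruby.{% endif %}` bullet belongs to: it now renders whenever `default-setup-pre-enablement` is true, whereas before it rendered only in the `elsif` branch, so the condition is effectively inverted. If the recommended-languages feature is being retired (the article versioned on that feature is deleted later in this commit), the bullet and its `{% endif %}` should be removed together with the `elsif`, leaving `{% ifversion default-setup-pre-enablement %}` guarding only what it originally guarded. Please check the rendered eligibility list for a pre-enablement version.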
@@ -63,7 +63,7 @@ A repository must meet all the following criteria to be eligible for default set
### About adding languages to an existing default setup configuration
If the code in a repository changes to include {% ifversion code-scanning-default-setup-recommended-languages %}Go, JavaScript/TypeScript, Python, or Ruby,{% else %}a {% data variables.product.prodname_codeql %}-supported language,{% endif %} {% data variables.product.prodname_dotcom %} will automatically update the {% data variables.product.prodname_code_scanning %} configuration to include the new language. If {% data variables.product.prodname_code_scanning %} fails with the new configuration, {% data variables.product.prodname_dotcom %} will resume the previous configuration automatically so the repository does not lose {% data variables.product.prodname_code_scanning %} coverage.
If the code in a repository changes to include a {% data variables.product.prodname_codeql %}-supported language, {% data variables.product.prodname_dotcom %} will automatically update the {% data variables.product.prodname_code_scanning %} configuration to include the new language. If {% data variables.product.prodname_code_scanning %} fails with the new configuration, {% data variables.product.prodname_dotcom %} will resume the previous configuration automatically so the repository does not lose {% data variables.product.prodname_code_scanning %} coverage.
{% ifversion org-private-registry %}

View File

@@ -56,7 +56,7 @@ Your workflow will need to use the `upload-sarif` action, which is part of the `
* `sarif-file`, which configures the file or directory of SARIF files to be uploaded. The directory or file path is relative to the root of the repository.
* `category` (optional), which assigns a category for results in the SARIF file. This enables you to analyze the same commit in multiple ways and review the results using the {% data variables.product.prodname_code_scanning %} views in {% data variables.product.prodname_dotcom %}. For example, you can analyze using multiple tools, and in mono-repos, you can analyze different slices of the repository based on the subset of changed files.
For more information, see the {% ifversion codeql-action-node16-deprecated %}[`upload-sarif` action](https://github.com/github/codeql-action/tree/v3/upload-sarif){% else %}[`upload-sarif` action](https://github.com/github/codeql-action/tree/v2/upload-sarif){% endif %}.
For more information, see the [`upload-sarif` action](https://github.com/github/codeql-action/tree/v3/upload-sarif).
The `upload-sarif` action can be configured to run when the `push` and `scheduled` event occur. For more information about {% data variables.product.prodname_actions %} events, see [AUTOTITLE](/actions/using-workflows/events-that-trigger-workflows).

View File

@@ -1,20 +0,0 @@
---
title: A particular language is causing default setup to fail
shortTitle: Default setup fails with a language
intro: 'When you enable default setup, all languages selected for analysis must be successfully analyzed, or the configuration of default setup will fail.'
allowTitleToDifferFromFilename: true
versions:
feature: code-scanning-default-setup-recommended-languages
redirect_from:
- /code-security/code-scanning/troubleshooting-code-scanning/a-particular-language-is-causing-default-setup-to-fail
---
To enable default setup when a language previously failed, you must reconfigure default setup, deselecting all failing languages for analysis.
1. If default setup fails, navigate to the main page of your repository, then click **{% octicon "gear" aria-hidden="true" %} Settings**.
1. In the "Security" section of the sidebar, click **{% octicon "codescan" aria-hidden="true" %} Code security and analysis**.
1. Navigate to the "{% data variables.product.prodname_code_scanning_caps %}" section. Then, in the error message reading "{% data variables.product.prodname_codeql %} default configuration **failed**", click **failed**.
1. In the "Jobs" section of the workflow run summary for default setup, identify any failing jobs associated with specific languages. These jobs will be labeled **{% octicon "x-circle-fill" aria-hidden="true" %} Analyze (LANGUAGE)**.
1. Once you have determined which language-specific jobs are failing, configure default setup once more and deselect the failing languages for analysis. For more information, see [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning).
Alternatively, if you would like to analyze every language in your repository, you can configure advanced setup for {% data variables.product.prodname_code_scanning %}. For more information, see [AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning).
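Review bot: deleting this article removes its URL and the `redirect_from` entry `/code-security/code-scanning/troubleshooting-code-scanning/a-particular-language-is-causing-default-setup-to-fail` without adding a replacement redirect anywhere in the commit, so inbound links to either path will 404 once this merges. If the content is obsolete, add redirects for both paths to the troubleshooting index whose `children` list is updated in the next file, or to the default-setup configuration article the final step already points at.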

View File

@@ -21,7 +21,6 @@ children:
- /automatic-build-failed
- /c-sharp-compiler-unexpectedly-failing
- /cannot-enable-codeql-in-a-private-repository
- /default-setup-fails-with-a-language
- /enabling-default-setup-takes-too-long
- /extraction-errors-in-the-database
- /fewer-lines-scanned-than-expected
@@ -38,3 +37,4 @@ children:
- /unnecessary-step-found
- /kotlin-detected-in-no-build
---
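Review bot: the header `@@ -38,3 +37,4 @@` shows this second hunk adding one line after the closing `---` of the front matter, although nothing added is visible in the render, so it is presumably a trailing blank line or newline. It is unrelated to removing the child entry, and trailing blank lines are commonly flagged by Markdown linters, so confirm it was intentional.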

View File

@@ -23,7 +23,7 @@ If your workflow fails with `Error: "No source code was seen during the build"`
matrix:
# Override automatic language detection by changing the list below.
# Supported options are listed in a comment in the default workflow.
language: ['go', {% ifversion codeql-language-identifiers-311 %}'javascript-typescript'{% else %}'javascript' {% endif %}]
language: ['go', 'javascript-typescript']
```
For more information, see the workflow extract in [AUTOTITLE](/code-security/code-scanning/troubleshooting-code-scanning/some-languages-were-not-analyzed).

View File

@@ -26,9 +26,9 @@ If you're using advanced setup and your workflow doesn't explicitly specify the
# ...
strategy:
fail-fast: false
matrix: {% ifversion codeql-language-identifiers-311 %}
language: ['csharp', 'c-cpp', 'javascript-typescript'] {% else %}
language: ['csharp', 'cpp', 'javascript'] {% endif %}
matrix:
language: ['csharp', 'c-cpp', 'javascript-typescript']
language: ['csharp', 'cpp', 'javascript']
steps:
# ...
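Review bot: the replacement for the `matrix:` block keeps both `language:` lines, which leaves a duplicate YAML key in the example and reinstates the pre-3.11 identifiers `cpp` and `javascript` that every other hunk in this commit removes. Drop the second line, `language: ['csharp', 'cpp', 'javascript']`, so the matrix has the single entry `language: ['csharp', 'c-cpp', 'javascript-typescript']`; as written, a YAML parser will either reject the duplicate key or silently take the last value, so the rendered example would actually show the old identifiers.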

View File

@@ -90,7 +90,7 @@ This example analyzes a {% data variables.product.prodname_codeql %} database st
```shell
$ codeql database analyze /codeql-dbs/example-repo \
javascript-code-scanning.qls --sarif-category={% ifversion codeql-language-identifiers-311 %}javascript-typescript{% else %}javascript{% endif %} \
javascript-code-scanning.qls --sarif-category=javascript-typescript \
--format={% ifversion fpt or ghec %}sarif-latest{% else %}sarifv2.1.0{% endif %} --output=/temp/example-repo-js.sarif
> Running queries.
@@ -108,7 +108,7 @@ To include file coverage information with your {% data variables.product.prodnam
```shell
$ codeql database analyze /codeql-dbs/example-repo \
javascript-code-scanning.qls --sarif-category={% ifversion codeql-language-identifiers-311 %}javascript-typescript{% else %}javascript{% endif %} \
javascript-code-scanning.qls --sarif-category=javascript-typescript \
--sarif-add-baseline-file-info \ --format={% ifversion fpt or ghec %}sarif-latest{% else %}sarifv2.1.0{% endif %} \
--output=/temp/example-repo-js.sarif
```
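Review bot: unrelated to the identifier change but in the same hunk, the context line `--sarif-add-baseline-file-info \ --format=...` has a line-continuation backslash followed by more text on the same line; a POSIX shell reads `\ ` as an escaped space and joins the two flags into one argument, so the command as shown would fail. Since this hunk already touches the example, move `--format=... \` onto its own continuation line, as the first example on this page does.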
@@ -260,8 +260,6 @@ For more information, see [AUTOTITLE](/code-security/codeql-cli/using-the-advanc
For information about creating custom query suites, see [AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-codeql-query-suites).
{% ifversion codeql-cli-threat-models %}
### Including model packs to add potential sources of tainted data
{% data reusables.code-scanning.beta-threat-models-cli %}
@@ -276,8 +274,6 @@ $ codeql database analyze /codeql-dbs/my-company --format=sarif-latest \
In this example, the relevant queries in the standard query pack `codeql/java-queries` will use the `local` threat model as well as the default threat model for `remote` dataflow sources. You should use the `local` threat model if you consider data from local sources (for example: file systems, command-line arguments, databases, and environment variables) to be potential sources of tainted data for your codebase.
{% endif %}
## Results
You can save analysis results in a number of different formats, including SARIF and CSV.

View File

@@ -71,11 +71,11 @@ You can specify additional options depending on the location of your source file
| Option | Required | Usage |
|--------|:--------:|-----|
| `<database>` | {% octicon "check" aria-label="Required" %} | Specify the name and location of a directory to create for the {% data variables.product.prodname_codeql %} database. The command will fail if you try to overwrite an existing directory. If you also specify `--db-cluster`, this is the parent directory and a subdirectory is created for each language analyzed. |
| {% ifversion codeql-language-identifiers-311 %} |
| |
| <code><span style="white-space: nowrap;">--language</span></code> | {% octicon "check" aria-label="Required" %} | Specify the identifier for the language to create a database for, one of: {% data reusables.code-scanning.codeql-languages-keywords %}. When used with <code><span style="white-space: nowrap;">--db-cluster</span></code>, the option accepts a comma-separated list, or can be specified more than once. |
| {% else %} |
| <code><span style="white-space: nowrap;">--language</span></code> | {% octicon "check" aria-label="Required" %} | Specify the identifier for the language to create a database for, one of: {% data reusables.code-scanning.codeql-languages-keywords %} (use `javascript` to analyze TypeScript code and `java` to analyze Kotlin code). When used with <code><span style="white-space: nowrap;">--db-cluster</span></code>, the option accepts a comma-separated list, or can be specified more than once. |
| {% endif %} |
|
|
| |
| <code><span style="white-space: nowrap;">--command</span></code> | {% octicon "x" aria-label="Optional" %} | **Recommended.** Use to specify the build command or script that invokes the build process for the codebase. Commands are run from the current folder or, where it is defined, from <code><span style="white-space: nowrap;">--source-root</span></code>. Not needed for Python and JavaScript/TypeScript analysis. |
| {% ifversion codeql-no-build %} |
| <code><span style="white-space: nowrap;">--build-mode</span></code> | {% octicon "x" aria-label="Optional" %} | **Recommended.** Use for {% data variables.code-scanning.no_build_support %} when not providing a `--command` to specify whether to create a CodeQL database without a build (`none`) or by attempting to automatically detect a build command (`autobuild`). By default, autobuild detection is used. For a comparison of build modes, see [CodeQL build modes](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#codeql-build-modes). |
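Review bot: replacing the Liquid rows with emptied rows leaves four junk rows (`| |`, `|`, `|`, `| |`) in the options table between the `--language` and `--command` rows. They should be deleted outright rather than emptied: the bare `|` lines are not valid table rows and will render as stray cells or break the table. Note that the `| {% ifversion codeql-no-build %} |` row a few lines below shows the pattern that remains for other feature flags, so only the rows belonging to the removed `codeql-language-identifiers-311` block should go.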
@@ -95,7 +95,7 @@ For full details of all the options you can use when creating databases, see [AU
This example creates a single {% data variables.product.prodname_codeql %} database for the repository checked out at `/checkouts/example-repo`. It uses the JavaScript extractor to create a hierarchical representation of the JavaScript and TypeScript code in the repository. The resulting database is stored in `/codeql-dbs/example-repo`.
```shell
$ codeql database create /codeql-dbs/example-repo --language={% ifversion codeql-language-identifiers-311 %}javascript-typescript{% else %}javascript{% endif %} \
$ codeql database create /codeql-dbs/example-repo --language=javascript-typescript \
--source-root /checkouts/example-repo
> Initializing database at /codeql-dbs/example-repo.
@@ -121,7 +121,7 @@ The resulting databases are stored in `python` and `cpp` subdirectories of `/cod
```shell
$ codeql database create /codeql-dbs/example-repo-multi \
--db-cluster --language python,{% ifversion codeql-language-identifiers-311 %}c-cpp{% else %}cpp{% endif %} \
--db-cluster --language python,c-cpp \
--command make --no-run-unnecessary-builds \
--source-root /checkouts/example-repo-multi
Initializing databases at /codeql-dbs/example-repo-multi.
@@ -154,10 +154,10 @@ The {% data variables.product.prodname_codeql_cli %} includes extractors to crea
### JavaScript and TypeScript
Creating databases for JavaScript requires no additional dependencies, but if the project includes TypeScript files, Node.js 14 or higher must be installed and available on the `PATH` as `node`. In the command line you can specify `--language={% ifversion codeql-language-identifiers-311 %}javascript-typescript{% else %}javascript{% endif %}` to extract both JavaScript and TypeScript files:
Creating databases for JavaScript requires no additional dependencies, but if the project includes TypeScript files, Node.js 14 or higher must be installed and available on the `PATH` as `node`. In the command line you can specify `--language=javascript-typescript` to extract both JavaScript and TypeScript files:
```shell
codeql database create --language={% ifversion codeql-language-identifiers-311 %}javascript-typescript{% else %}javascript{% endif %} --source-root <folder-to-extract> <output-folder>/javascript-database
codeql database create --language=javascript-typescript --source-root <folder-to-extract> <output-folder>/javascript-database
```
Here, we have specified a `--source-root` path, which is the location where database creation is executed, but is not necessarily the checkout root of the codebase.
@@ -228,7 +228,7 @@ The following examples are designed to give you an idea of some of the build com
```shell
# Disable parallel execution via `-j1` or other techniques: https://www.gnu.org/software/make/manual/make.html#Parallel-Execution
codeql database create cpp-database --language={% ifversion codeql-language-identifiers-311 %}c-cpp{% else %}cpp{% endif %} --command=make
codeql database create cpp-database --language=c-cpp --command=make
```
* C# project built using `dotnet build`:
@@ -256,19 +256,19 @@ The following examples are designed to give you an idea of some of the build com
```shell
# Use `--no-daemon` because a build delegated to an existing daemon cannot be detected by CodeQL.
# To ensure isolated builds without caching, add `--no-build-cache` on persistent machines.
codeql database create java-database --language={% ifversion codeql-language-identifiers-311 %}java-kotlin{% else %}java{% endif %} --command='gradle --no-daemon clean test'
codeql database create java-database --language=java-kotlin --command='gradle --no-daemon clean test'
```
* Java project built using Maven:
```shell
codeql database create java-database --language={% ifversion codeql-language-identifiers-311 %}java-kotlin{% else %}java{% endif %} --command='mvn clean install'
codeql database create java-database --language=java-kotlin --command='mvn clean install'
```
* Java project built using Ant:
```shell
codeql database create java-database --language={% ifversion codeql-language-identifiers-311 %}java-kotlin{% else %}java{% endif %} --command='ant -f build.xml'
codeql database create java-database --language=java-kotlin --command='ant -f build.xml'
```
* Swift project built from an Xcode project or workspace. By default, the largest Swift target is built:

View File

@@ -107,7 +107,7 @@ You can create a SARIF file for the failed analysis using [AUTOTITLE](/code-secu
```shell
$ codeql database export-diagnostics codeql-dbs/example-repo \
--sarif-category={% ifversion codeql-language-identifiers-311 %}javascript-typescript{% else %}javascript{% endif %} --format={% ifversion fpt or ghec %}sarif-latest{% else %}sarifv2.1.0{% endif %} \
--sarif-category=javascript-typescript --format={% ifversion fpt or ghec %}sarif-latest{% else %}sarifv2.1.0{% endif %} \
--output=/temp/example-repo-js.sarif
```

View File

@@ -320,7 +320,7 @@ The following properties are supported in `qlpack.yml` files.
* Defines the {% data variables.product.prodname_codeql %} language extractor to use when running the {% data variables.product.prodname_codeql %} tests in the pack. For more information about testing queries, see [AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/testing-custom-queries). For example:
```yaml
extractor: {% ifversion codeql-language-identifiers-311 %}javascript-typescript{% else %}javascript{% endif %}
extractor: javascript-typescript
```
#### `authors`

View File

@@ -76,12 +76,8 @@ When {% data variables.product.github %} identifies a vulnerable dependency, we
{% data reusables.dependabot.dependabot-alert-create-PR %}
{% ifversion dependabot-auto-triage-rules %}
{% data reusables.dependabot.dependabot-alert-rules %}
{% endif %}
> [!WARNING]
> {% data variables.product.github %}'s security features do not claim to catch all vulnerabilities. We actively maintain {% data variables.product.prodname_advisory_database %} and generate alerts with the most up-to-date information. However, we cannot catch everything or tell you about known vulnerabilities within a guaranteed time frame. These features are not substitutes for human review of each dependency for potential vulnerabilities or any other issues, and we recommend consulting with a security service or conducting a thorough dependency review when necessary.

View File

@@ -31,12 +31,8 @@ You can enable or disable {% data variables.product.prodname_dependabot_alerts %
* Your organization{% ifversion dependabot-alerts-enterprise-enablement or ghes %}
* Your enterprise{% endif %}
{% ifversion dependabot-auto-triage-rules %}
{% data reusables.dependabot.dependabot-alert-rules %}
{% endif %}
## Managing {% data variables.product.prodname_dependabot_alerts %} for your personal account
{% ifversion fpt or ghec %}

View File

@@ -43,9 +43,7 @@ You can also audit actions taken in response to {% data variables.product.prodna
## Prioritizing {% data variables.product.prodname_dependabot_alerts %}
{% data variables.product.company_short %} helps you prioritize fixing {% data variables.product.prodname_dependabot_alerts %}. By default, {% data variables.product.prodname_dependabot_alerts %} are sorted by importance. The "Most important" sort order helps you prioritize which {% data variables.product.prodname_dependabot_alerts %} to focus on first. Alerts are ranked based on their potential impact, actionability, and relevance. Our prioritization calculation is constantly being improved and includes factors like CVSS score, dependency scope, and whether vulnerable function calls are found for the alert.
{% ifversion dependabot-auto-triage-rules %}
You can also use {% data variables.dependabot.auto_triage_rules %} to prioritize {% data variables.product.prodname_dependabot_alerts %}. For more information, see “[AUTOTITLE](/code-security/dependabot/dependabot-auto-triage-rules/about-dependabot-auto-triage-rules).”
{% endif %}
{% data reusables.dependabot.dependabot-alerts-filters %}

View File

@@ -36,15 +36,4 @@ After you've enabled version updates, you can confirm that your configuration is
If any dependencies are missing, check the log files for errors. If any package managers are missing, review the configuration file.
{% ifversion dependabot-job-log %}
For information about {% data variables.product.prodname_dependabot %} job logs, see [AUTOTITLE](/code-security/dependabot/troubleshooting-dependabot/viewing-dependabot-job-logs).
{% else %}
## Viewing {% data variables.product.prodname_dependabot %} log files
1. On the **{% data variables.product.prodname_dependabot %}** tab, click **Last checked _TIME_ ago** to see the log file that {% data variables.product.prodname_dependabot %} generated during the last check for version updates.
1. Optionally, to rerun the version check, click **Check for updates**.
{% endif %}

View File

@@ -56,9 +56,7 @@ If an error blocked {% data variables.product.prodname_dependabot %} from creati
## Investigating errors with {% data variables.product.prodname_dependabot_version_updates %}
When {% data variables.product.prodname_dependabot %} is blocked from creating a pull request to update a dependency in an ecosystem, {% ifversion dependabot-job-log %} you can view the job logs list to find out more about the error {% else %} it posts the error icon on the manifest file{% endif %}.
{% ifversion dependabot-job-log %}
When {% data variables.product.prodname_dependabot %} is blocked from creating a pull request to update a dependency in an ecosystem, you can view the job logs list to find out more about the error .
{% data reusables.dependabot.dependabot-jobs-log-access %}
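Review bot: the new sentence at the top of this hunk ends with `find out more about the error .`; the space before the full stop is left over from the whitespace around the removed `{% ifversion dependabot-job-log %}` tags and should be trimmed so the rendered text reads `the error.`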
@@ -68,16 +66,6 @@ To view the full logs files for a particular job, to the right of the log entry
For more information, see [AUTOTITLE](/code-security/dependabot/troubleshooting-dependabot/viewing-dependabot-job-logs).
{% else %}
The manifest files that are managed by {% data variables.product.prodname_dependabot %} are listed on the {% data variables.product.prodname_dependabot %} tab. To access this tab, on the **Insights** tab for the repository click **Dependency graph**, and then click the **{% data variables.product.prodname_dependabot %}** tab.
![Screenshot of the {% data variables.product.prodname_dependabot %} view. An alert icon, and a link, titled "Last checked 10 hours ago", is highlighted with an orange outline.](/assets/images/help/dependabot/dependabot-tab-view-error.png)
To see the logs for any manifest file, click the **Last checked TIME ago** link, and then click **View logs**.
{% endif %}
## Understanding {% data variables.product.prodname_dependabot %} errors
Pull requests for security updates act to upgrade a vulnerable dependency to the minimum version that includes a fix for the vulnerability. In contrast, pull requests for version updates act to upgrade a dependency to the latest version allowed by the package manifest and {% data variables.product.prodname_dependabot %} configuration files. Consequently, some errors are specific to one type of update.

View File

@@ -63,7 +63,7 @@ If {% data variables.product.prodname_dependabot_alerts %} are enabled for a rep
![Screenshot showing the list of Dependabot alerts for the demo repository.](/assets/images/help/repository/dependabot-alerts-list-demo-repo.png)
You can filter {% data variables.product.prodname_dependabot_alerts %} in the list, using a variety of filters or labels. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts#prioritizing-dependabot-alerts).{% ifversion dependabot-auto-triage-rules %} You can also use {% data variables.dependabot.auto_triage_rules %} to filter out false positive alerts or alerts you're not interested in. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-auto-triage-rules/about-dependabot-auto-triage-rules).{% endif %}
You can filter {% data variables.product.prodname_dependabot_alerts %} in the list, using a variety of filters or labels. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts#prioritizing-dependabot-alerts). You can also use {% data variables.dependabot.auto_triage_rules %} to filter out false positive alerts or alerts you're not interested in. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-auto-triage-rules/about-dependabot-auto-triage-rules).
1. Click the "Command Injection in lodash" alert on the `javascript/package-lock.json` file. The details page for the alert will show the following information (note that some information may not apply to all alerts):
* Whether {% data variables.product.prodname_dependabot %} created a pull request that will fix the vulnerability. You can review the suggested security update by clicking **Review security update**.

View File

@@ -30,12 +30,8 @@ Make it easy for your users to confidentially report security vulnerabilities th
View alerts about dependencies that are known to contain security vulnerabilities, and choose whether to have pull requests generated automatically to update these dependencies. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts)
and [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates).
{% ifversion dependabot-auto-triage-rules %}
You can use default {% data variables.dependabot.auto_triage_rules %} curated by {% data variables.product.prodname_dotcom %} to automatically filter out a substantial amount of false positives. {% data reusables.dependabot.dismiss-low-impact-rule %}
{% endif %}
{% data reusables.dependabot.quickstart-link %}
### {% data variables.product.prodname_dependabot_version_updates %}
@@ -122,14 +118,10 @@ Automatically detect security vulnerabilities and coding errors in new or modifi
Automatically detect tokens or credentials that have been checked into a repository. You can view alerts for any secrets that {% data variables.product.company_short %} finds in your code, in the **Security** tab of the repository, so that you know which tokens or credentials to treat as compromised. {% data reusables.secret-scanning.alert-type-links %}
{% ifversion dependabot-auto-triage-rules %}
### {% data variables.dependabot.custom_rules_caps %}
{% data reusables.dependabot.dependabot-custom-rules-ghas %}
{% endif %}
### Dependency review
Show the full impact of changes to dependencies and see details of any vulnerable versions before you merge a pull request. For more information, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review).

View File

@@ -54,12 +54,8 @@ For more information, see [AUTOTITLE](/code-security/supply-chain-security/under
{% data variables.product.prodname_dependabot_alerts %} are generated when {% data variables.product.prodname_dotcom %} identifies a dependency in the dependency graph with a vulnerability. {% ifversion fpt or ghec %}You can enable {% data variables.product.prodname_dependabot_alerts %} for any repository.{% endif %}
{% ifversion dependabot-auto-triage-rules %}
{% data reusables.dependabot.dependabot-alert-rules %}
{% endif %}
{% data reusables.dependabot.quickstart-link %}
{% ifversion fpt or ghec %}

View File

@@ -12,17 +12,10 @@ redirect_from:
## Finding discussions
{% ifversion global-nav-update %}
1. In the top-left corner of {% data variables.product.prodname_dotcom %}, select {% octicon "three-bars" aria-label="Open global navigation menu" %}, then click **{% octicon "comment-discussion" aria-hidden="true" %} Discussions**.
![Screenshot of the navigation bar on {% data variables.product.github %}. The "Open global navigation menu" icon is outlined in dark orange.](/assets/images/help/navigation/global-navigation-menu-icon.png)
{% else %}
1. In the top-right corner of {% data variables.product.prodname_dotcom %}, click your profile photo, then click **Your discussions**.
![Screenshot of the account dropdown on {% data variables.product.github %}. The "Your discussions" option is outlined in dark orange.](/assets/images/help/discussions/your-discussions.png)
{% endif %}
1. Toggle between **Created** and **Commented** to see the discussions you've created or participated in.
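Review bot: the deleted `{% else %}` branch was the only user of `/assets/images/help/discussions/your-discussions.png`; that asset should be removed in the same commit (the 917483-line deletion count suggests images were dropped, but this hunk does not show it). The surviving screenshot keeps the `-global-nav-update.png` suffix, which is now the only variant; renaming is optional but worth doing while the conditional is being collapsed, and the same applies to every other `global-nav-update` hunk in this commit.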
## Further reading

View File

@@ -26,16 +26,8 @@ When you first enable {% data variables.product.prodname_discussions %}, you wil
1. Under your repository name, click {% octicon "gear" aria-label="The gear icon" %}
**Settings**.
{% ifversion global-nav-update %}
![Screenshot of the tabs in a {% data variables.product.company_short %} repository. The "Settings" option is outlined in dark orange.](/assets/images/help/discussions/public-repo-settings-global-nav-update.png)
{% else %}
![Screenshot of the tabs in a {% data variables.product.company_short %} repository. The "Settings" option is outlined in dark orange.](/assets/images/help/discussions/public-repo-settings.png)
{% endif %}
1. Scroll down to the "Features" section and click **Set up discussions**.
![Screenshot of the "Discussions" option in the repository's settings. A green button, labeled "Set up discussions", is outlined in dark orange.](/assets/images/help/discussions/setup-discussions-button.png)

View File

@@ -35,12 +35,8 @@ A {% data variables.product.prodname_GH_advanced_security %} license provides th
* **{% data variables.product.prodname_secret_scanning_caps %}** - Detect secrets, for example keys and tokens, that have been checked into {% ifversion fpt %}private repositories{% else %} the repository{% endif %}. If push protection is enabled, {% data variables.product.prodname_dotcom %} also detects secrets when they are pushed to your repository. {% ifversion secret-scanning-enable-by-default-for-public-repos %}{% data variables.secret-scanning.user_alerts_caps %} and push protection are available and free of charge for all {% ifversion ghec %}user-owned {% endif %}public repositories on {% data variables.product.prodname_dotcom_the_website %}.{% endif %} See [AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning) and [AUTOTITLE](/code-security/secret-scanning/introduction/about-push-protection).
{% ifversion dependabot-auto-triage-rules %}
* **{% data variables.dependabot.custom_rules_caps %}** - {% data reusables.dependabot.dependabot-custom-rules-ghas %}
{% endif %}
* **Dependency review** - Show the full impact of changes to dependencies and see details of any vulnerable versions before you merge a pull request. See [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review).
{% ifversion copilot-chat-ghas-alerts %}

View File

@@ -70,16 +70,8 @@ This diagram shows:
1. Click the **Code** tab of your `hello-world` repository.
1. Above the file list, click the dropdown menu that says **main**.
{% ifversion global-nav-update %}
![Screenshot of the repository page. A dropdown menu, labeled with a branch icon and "main", is highlighted with an orange outline.](/assets/images/help/branches/branch-selection-dropdown-global-nav-update.png)
{% else %}
![Screenshot of the repository page. A dropdown menu, labeled with a branch icon and "main", is highlighted with an orange outline.](/assets/images/help/branches/branch-selection-dropdown.png)
{% endif %}
1. Type a branch name, `readme-edits`, into the text box.
1. Click **Create branch: readme-edits from main**.

View File

@@ -28,16 +28,8 @@ $ git clone https://{% data variables.product.product_url %}/USERNAME/REPOSITORY
You can choose from [several different URLs](/get-started/getting-started-with-git/about-remote-repositories) when cloning a repository. While logged in to {% data variables.product.prodname_dotcom %}, these URLs are available on the main page of the repository when you click **{% octicon "code" aria-hidden="true" %} Code**.
{% ifversion global-nav-update %}
![Screenshot of the main page of a repository. A green "Code" button is outlined in orange and expanded to show the HTTPS URL for the repository.](/assets/images/help/repository/remotes-url-global-nav-update.png)
{% else %}
![Screenshot of the main page of a repository. A green "Code" button is outlined in orange and expanded to show the HTTPS URL for the repository.](/assets/images/help/repository/remotes-url.png)
{% endif %}
When you run `git clone`, the following actions occur:
* A new folder called `repo` is made
* It is initialized as a Git repository

View File

@@ -74,16 +74,8 @@ $ svn commit -m 'Added more_awesome topic branch'
You can confirm that the new branch exists in the repository's branch dropdown:
{% ifversion global-nav-update %}
![Screenshot of the repository page. A dropdown menu, labeled with a branch icon and "main", is highlighted with an orange outline.](/assets/images/help/branches/branch-selection-dropdown-global-nav-update.png)
{% else %}
![Screenshot of the repository page. A dropdown menu, labeled with a branch icon and "main", is highlighted with an orange outline.](/assets/images/help/branches/branch-selection-dropdown.png)
{% endif %}
You can also confirm the new branch via the command line:
```shell

View File

@@ -411,8 +411,6 @@ The footnote will render like this:
> [!NOTE]
> The position of a footnote in your Markdown does not influence where the footnote will be rendered. You can write a footnote right after your reference to the footnote, and the footnote will still render at the bottom of the Markdown. Footnotes are not supported in wikis.
{% ifversion markdown-alerts %}
## Alerts
Alerts are a Markdown extension based on the blockquote syntax that you can use to emphasize critical information. On {% data variables.product.github %}, they are displayed with distinctive colors and icons to indicate the significance of the content.
@@ -442,8 +440,6 @@ Here are the rendered alerts:
![Screenshot of rendered Markdown alerts showing how Note, Tip, Important, Warning, and Caution render with different colored text and icons.](/assets/images/help/writing/alerts-rendered.png)
{% endif %}
## Hiding content with comments
You can tell {% data variables.product.github %} to hide content from the rendered Markdown by placing the content in an HTML comment.

View File

@@ -30,18 +30,10 @@ topics:
{% endif %}
To attach a file to an issue or pull request conversation, drag and drop it into the comment box. Alternatively, you can click {% ifversion attach-to-comment-icon %} {% octicon "paperclip" aria-label="Attach files" %} in the formatting bar above the comment box {% else %}the bar at the bottom of the comment box{% endif %} to browse, select, and add a file from your computer.
{% ifversion attach-to-comment-icon %}
To attach a file to an issue or pull request conversation, drag and drop it into the comment box. Alternatively, you can click {% octicon "paperclip" aria-label="Attach files" %} in the formatting bar above the comment box to browse, select, and add a file from your computer.
![Screenshot of the comment box. The "Attach files" icon is outlined in orange.](/assets/images/help/issues/attach-file-icon.png)
{% else %}
![Screenshot of the comment box. The bar to attach files by dragging and dropping, selecting, or pasting is outlined in dark orange.](/assets/images/help/pull_requests/select-bar.png)
{% endif %}
When you attach a file, it is uploaded immediately to {% data variables.product.github %} and the text field is updated to show the anonymized URL for the file. {% ifversion fpt or ghec %}For more information on anonymized URLs see [AUTOTITLE](/authentication/keeping-your-account-and-data-secure/about-anonymized-urls).{% endif %}
> [!NOTE]

View File

@@ -16,7 +16,7 @@ This API is available for authenticated users, {% data variables.product.prodnam
### Repository.discussions
List the discussions within a repository. If `categoryId` is specified, only results within that category will be returned. {% ifversion answered-fields-for-discussions %}If `answered` is not specified, both answered and unanswered discussions will be returned.{% endif %}
List the discussions within a repository. If `categoryId` is specified, only results within that category will be returned. If `answered` is not specified, both answered and unanswered discussions will be returned.
_Signature:_
@@ -27,9 +27,9 @@ discussions(
first: Int,
last: Int,
categoryId: ID = null,
{%- ifversion answered-fields-for-discussions %}
answered: Boolean = null,
{%- endif %}
orderBy: DiscussionOrder = {field: UPDATED_AT, direction: DESC}
) : Discussion
```
@@ -162,12 +162,12 @@ type Discussion implements Comment & Deletable & Lockable & Node & Reactable & R
"""
activeLockReason: LockReason
{%- ifversion answered-fields-for-discussions %}
"""
Check if this discussion has been answered
"""
isAnswered: Boolean!
{%- endif %}
"""
The comment chosen as this discussion's answer, if any.

View File

@@ -13,13 +13,13 @@ topics:
allowTitleToDifferFromFilename: true
---
{% data reusables.projects.org-templates-release-stage %}
## About templates
You can create a template, or set a project as a template, to share a pre-configured project with other people in your organization which they can then use as the base for their projects.
The projects you mark as templates are shown in the "Create a project" dialog when anyone creates a project in your organization. {% ifversion projects-v2-org-templates-GA-updates %}You can also configure up to six templates to recommend to your organization's members.{% endif %}
The projects you mark as templates are shown in the "Create a project" dialog when anyone creates a project in your organization. You can also configure up to six templates to recommend to your organization's members.
When someone creates a project from a template, the {% data reusables.projects.what-gets-copied %} are copied from the template to the new project. You can find the template that a project used from the project's settings page, under the "Templates" section.
@@ -56,8 +56,6 @@ If you have write or admin permissions for a project in your organization, you c
{% data reusables.projects.project-settings %}
1. In the "Templates" section, click **{% octicon "duplicate" aria-hidden="true" %} Copy as template**.
{% ifversion projects-v2-org-templates-GA-updates %}
## Configuring recommended templates
If you are an organization owner, you can select up to six templates to recommend to your organization's members. These recommended templates are suggested first when an organization member creates a new project.
@@ -87,8 +85,6 @@ You can change the display order of your recommended templates in the "Create pr
![Screenshot of an organization's recommended templates settings. The 'Drag to reorder' handle is highlighted with an orange outline.](/assets/images/help/projects-v2/rec-template-handle.png)
{% endif %}
## Further reading
* [AUTOTITLE](/issues/planning-and-tracking-with-projects/creating-projects/creating-a-project)

View File

@@ -154,7 +154,7 @@ Query parameter | Example
`labels` | `https://github.com/octo-org/octo-repo/issues/new?labels=help+wanted,bug` creates an issue with the labels "help wanted" and "bug".
`milestone` | `https://github.com/octo-org/octo-repo/issues/new?milestone=testing+milestones` creates an issue with the milestone "testing milestones."
`assignees` | `https://github.com/octo-org/octo-repo/issues/new?assignees=octocat` creates an issue and assigns it to @octocat.
`projects` | `https://github.com/octo-org/octo-repo/issues/new?title=Bug+fix&projects=octo-org/1` creates an issue with the title "Bug fix" and adds it to the organization's project 1. {% ifversion projects-v2 and projects-v1 %}{% ifversion projects-in-issue-forms %}{% else %}Only {% data variables.projects.projects_v1_boards %} can currently be specified in URL queries.{% endif %}{% endif %}
`projects` | `https://github.com/octo-org/octo-repo/issues/new?title=Bug+fix&projects=octo-org/1` creates an issue with the title "Bug fix" and adds it to the organization's project 1. {% ifversion projects-v2 and projects-v1 %}{% endif %}
`template` | `https://github.com/octo-org/octo-repo/issues/new?template=issue_template.md` creates an issue with a template in the issue body. The `template` query parameter works with templates stored in an `ISSUE_TEMPLATE` subdirectory within the root, `docs/` or `.github/` directory in a repository. For more information, see [AUTOTITLE](/communities/using-templates-to-encourage-useful-issues-and-pull-requests).
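Review bot: the replacement `projects` row still ends with `{% ifversion projects-v2 and projects-v1 %}{% endif %}`, an empty conditional with no body. Once the inner `projects-in-issue-forms` branch is gone there is nothing to version, so the whole tag pair should be deleted rather than left as a no-op: `... adds it to the organization's project 1.` is all the cell needs.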
{% ifversion fpt or ghec %}

View File

@@ -20,17 +20,10 @@ type: how_to
Your issue and pull request dashboards are available at the top of any page. On each dashboard, you can filter the list to find issues or pull requests you created, that are assigned to you, or in which you're mentioned. You can also find pull requests that you've been asked to review.
{% ifversion global-nav-update %}
1. At the top of any page, click {% octicon "issue-opened" aria-label="Issues" %} to see your issues or {% octicon "git-pull-request" aria-label="Pull requests" %} to see your pull requests.
![Screenshot of the header of any page on {% data variables.product.github %}. The "Pull requests" and "Issues" icons are outlined in dark orange.](/assets/images/help/navigation/issues-and-prs-new-navigation.png)
{% else %}
1. At the top of any page, click **Pull requests** or **Issues**.
![Screenshot of the header of any page on {% data variables.product.prodname_dotcom %}. The "Pull requests" and "Issues" tabs are highlighted with an orange outline.](/assets/images/help/navigation/issues-and-pr-dashboard.png)
{% endif %}
1. Optionally, choose a filter or use the search bar to filter for more specific results. For more information, see [AUTOTITLE](/issues/tracking-your-work-with-issues/filtering-and-searching-issues-and-pull-requests).
## Further reading

View File

@@ -30,12 +30,4 @@ An organization's news feed shows other people's activity on repositories owned
1. Open your {% data reusables.user-settings.personal_dashboard %}.
1. In the upper-left corner of the page, select the dropdown menu that switches account context, then select an organization.
{% ifversion global-nav-update %}
![Screenshot of a user's dashboard page. In the top-left corner, a dropdown menu, labeled with "octocat" and a downwards arrow, is outlined in orange.](/assets/images/help/organizations/account-context-switcher-global-nav-update.png)
{% else %}
![Screenshot of a user's dashboard page. In the top-left corner, a dropdown menu, labeled with "octocat" and a downwards arrow, is outlined in orange.](/assets/images/help/organizations/account-context-switcher.png)
{% endif %}

View File

@@ -82,9 +82,9 @@ To search for specific events, use the `action` qualifier in your query. Actions
| {% ifversion ghec %} |
| `org_credential_authorization` | Contains all activities related to authorizing credentials for use with SAML single sign-on. |
| {% endif %} |
| {% ifversion secret-scanning-validity-check-audit-log %} |
| |
| `org_secret_scanning_automatic_validity_checks` | Contains organization-level activities related to enabling and disabling automatic validity checks for {% data variables.product.prodname_secret_scanning %}. For more information, see [AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#allowing-validity-checks-for-partner-patterns-in-an-organization).
| {% endif %} |
| |
| {% ifversion secret-scanning-audit-log-custom-patterns %} |
| `org_secret_scanning_custom_pattern` | Contains organization-level activities related to {% data variables.product.prodname_secret_scanning %} custom patterns. For more information, see [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning).
| {% endif %} |
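Review bot: the `| {% ifversion secret-scanning-validity-check-audit-log %} |` and `| {% endif %} |` wrapper rows are replaced with literal `| |` rows instead of being deleted, so the table keeps two empty rows around `org_secret_scanning_automatic_validity_checks` for no reason. Drop those two lines outright (the neighbouring `| {% ifversion ghec %} |` rows are the pattern to keep only while a real condition exists). The `repository_secret_scanning_automatic_validity_checks` hunk below has the same leftover `| |` rows.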
@@ -107,9 +107,9 @@ To search for specific events, use the `action` qualifier in your query. Actions
| {% ifversion ghes or ghec %} |
| `repository_secret_scanning` | Contains repository-level activities related to {% data variables.product.prodname_secret_scanning %}. For more information, see [AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning).
| {% endif %} |
| {% ifversion secret-scanning-validity-check-audit-log %} |
| |
| `repository_secret_scanning_automatic_validity_checks` | Contains repository-level activities related to enabling and disabling automatic validity checks for {% data variables.product.prodname_secret_scanning %}. For more information, see [AUTOTITLE](/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository).
| {% endif %} |
| |
| {% ifversion secret-scanning-audit-log-custom-patterns %} |
| `repository_secret_scanning_custom_pattern` | Contains repository-level activities related to {% data variables.product.prodname_secret_scanning %} custom patterns. For more information, see [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning). |
| {% endif %} |

View File

@@ -92,49 +92,6 @@ You can configure this behavior for an organization using the procedure below. M
{% data reusables.actions.workflow-run-approve-link %}
{% endif %}
{% ifversion required-workflows-deprecation %}
## Adding a required workflow to an organization
{% data reusables.actions.workflows.required-workflow-beta %}
You can configure required workflows to run in all or selected repositories in an organization where you are an owner. Required workflows are triggered by `pull_request` and `pull_request_target` default events and must pass before a pull request can be merged. For more information, see [AUTOTITLE](/actions/using-workflows/required-workflows).
### Prerequisites
Before configuring a required workflow, note the following prerequisites:
{% data reusables.actions.workflows.required-workflow-prerequisites %}
### Restrictions and behaviors for the source repository
Note the following restrictions and behaviors for the source repository and workflow:
{% data reusables.actions.workflows.required-workflow-source-notes %}
### Restrictions and behaviors for the target repository
Note the following restrictions and behaviors for the target repositories:
{% data reusables.actions.workflows.required-workflow-target-notes %}
### Configuring a required workflow for your organization
{% data reusables.profile.access_org %}
{% data reusables.profile.org_settings %}
{% data reusables.organizations.settings-sidebar-actions-general %}
1. To the right of "Required Workflows", click **Add workflow**.
1. Under "Required workflow", use the drop-down menu to select the repository that contains the workflow. Then, enter the path to the workflow in the text field. You can reference any branch, tag, or commit SHA from the repository containing the workflow file using the `{path}@{ref}` syntax.
1. Under "Apply to repositories...", use the drop-down menu to select which repositories the required workflow applies to. Select **All repositories** to apply the required workflow to all repositories in your organization, or **Selected repositories** to choose which repositories it will apply to.
1. Optionally, if you chose "Selected repositories", click {% octicon "gear" aria-label="The Gear icon" %} to open the repository selection modal, then use the checkboxes to select the repositories, and click **Apply selection**. You can use filters to narrow down your search.
1. To add the required workflow, click **Add workflow**.
{% endif %}
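Review bot: removing the `## Adding a required workflow to an organization` section also removes this article's references to the reusables `reusables.actions.workflows.required-workflow-beta`, `required-workflow-prerequisites`, `required-workflow-source-notes` and `required-workflow-target-notes`, and the link to `/actions/using-workflows/required-workflows`. Those reusable files and the linked article need to be deleted or redirected in the same commit, or they become orphaned content that a link check will not catch. The `required-workflows-deprecation` flag this section was gated on is the feature file with `ghes: '< 3.12'` deleted further down, so the two hunks must land together.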
## Enabling workflows for private repository forks
{% data reusables.actions.private-repository-forks-overview %}

View File

@@ -26,15 +26,8 @@ If you're an organization owner or you have team maintainer permissions in both
1. In the list of teams, click the name of the team where you'd like to add the child team.
1. At the top of the team page, click **{% octicon "people" aria-hidden="true" %} Teams**.
{% ifversion global-nav-update %}
![Screenshot of the header of a team's page. A tab, labeled with a people icon and "Teams", is outlined in dark orange.](/assets/images/help/teams/teams-tab-global-nav-update.png)
{% else %}
![Screenshot of the header of a team's page. A tab, labeled with a people icon and "Teams", is outlined in dark orange.](/assets/images/help/teams/team-teams-tab.png)
{% endif %}
1. Click **Add a team**.
1. Type the name of the team you'd like to add as a child team, and click the team in the results.
{% data reusables.repositories.changed-repository-access-permissions %}

View File

@@ -87,8 +87,6 @@ Due to [path filtering](/actions/using-workflows/workflow-syntax-for-github-acti
{% data reusables.pull_requests.path-filtering-required-workflows %}
{% ifversion merge-queue %}
### Status checks with {% data variables.product.prodname_actions %} and a Merge queue
You **must** use the `merge_group` event to trigger your {% data variables.product.prodname_actions %} workflow when a pull request is added to a merge queue.
@@ -106,8 +104,6 @@ on:
For more information on the `merge_group` event, see [AUTOTITLE](/actions/using-workflows/events-that-trigger-workflows#merge_group).
{% endif %}
## Required status checks from unexpected sources
It's also possible for a protected branch to require a status check from a specific {% data variables.product.prodname_github_app %}. If you see a message similar to the following, then you should verify that the check listed in the merge box was set by the expected app.

View File

@@ -25,15 +25,9 @@ You can set commit permissions when you first create a pull request from a fork.
1. On {% data variables.product.github %}, navigate to the main page of the upstream repository of your pull request.
1. Under the upstream repository name, click **{% octicon "git-pull-request" aria-hidden="true" %} Pull requests**.
{% ifversion global-nav-update %}
![Screenshot of the main page of a repository. In the horizontal navigation bar, a tab, labeled "Pull requests," is outlined in dark orange.](/assets/images/help/repository/repo-tabs-pull-requests-global-nav-update.png)
{% else %}
![Screenshot of the main page of a repository. In the horizontal navigation bar, a tab, labeled "Pull requests," is outlined in dark orange.](/assets/images/help/repository/repo-tabs-pull-requests.png)
{% endif %}
1. In the list of pull requests, navigate to the pull request that you'd like to allow commits on.
{% data reusables.repositories.allow-maintainers-user-forks %}

View File

@@ -15,8 +15,6 @@ shortTitle: About merge methods
---
{% data reusables.pull_requests.configure_pull_request_merges_intro %} You can enforce one type of merge method, such as commit squashing or rebasing, by only enabling the desired method for your repository.
{% ifversion merge-queue %}
> [!NOTE]
> When using the merge queue, you no longer get to choose the merge method, as this is controlled by the queue. {% data reusables.pull_requests.merge-queue-references %}
{% ifversion repo-rules-merge-type -%}
@@ -24,8 +22,6 @@ shortTitle: About merge methods
> Merge methods set on the repository that conflict with the merge method rule will prevent merging. For example if you do not allow rebase merging for the repository, and the merge rule only allows rebase on a branch, that merge will not be possible. For more information, see [AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/available-rules-for-rulesets#require-a-pull-request-before-merging).
{%- endif %}
{% endif %}
{% data reusables.pull_requests.default_merge_option %}
The default merge method creates a merge commit. You can prevent anyone from pushing merge commits to a protected branch by enforcing a linear commit history. For more information, see [AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-linear-history).

View File

@@ -48,9 +48,7 @@ For each branch protection rule, you can choose to enable or disable the followi
* [Require conversation resolution before merging](#require-conversation-resolution-before-merging)
* [Require signed commits](#require-signed-commits)
* [Require linear history](#require-linear-history)
{% ifversion merge-queue %}
* [Require merge queue](#require-merge-queue)
{% endif %}
* [Require deployments to succeed before merging](#require-deployments-to-succeed-before-merging)
* [Lock branch](#lock-branch)
* [Do not allow bypassing the above settings](#do-not-allow-bypassing-the-above-settings)
@@ -135,8 +133,6 @@ Enforcing a linear commit history prevents collaborators from pushing merge comm
Before you can require a linear commit history, your repository must allow squash merging or rebase merging. For more information, see [AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/configuring-pull-request-merges).
{% ifversion merge-queue %}
### Require merge queue
{% data reusables.pull_requests.merge-queue-overview %}
@@ -144,8 +140,6 @@ Before you can require a linear commit history, your repository must allow squas
{% data reusables.pull_requests.merge-queue-merging-method %}
{% data reusables.pull_requests.merge-queue-references %}
{% endif %}
### Require deployments to succeed before merging
You can require that changes are successfully deployed to specific environments before a branch can be merged. For example, you can use this rule to ensure that changes are successfully deployed to a staging environment before the changes merge to your default branch.

View File

@@ -74,9 +74,7 @@ When you create a branch rule, the branch you specify doesn't have to exist yet
1. Optionally, select **Require conversation resolution before merging**.
1. Optionally, select **Require signed commits**.
1. Optionally, select **Require linear history**.
{%- ifversion merge-queue %}
1. Optionally, to merge pull requests using a merge queue, select **Require merge queue**. {% data reusables.pull_requests.merge-queue-references %}
{%- endif %}
1. Optionally, to choose which environments the changes must be successfully deployed to before merging, select **Require deployments to succeed before merging**, then select the environments.
1. Optionally, make the branch read-only.
* Select **Lock branch**.

View File

@@ -27,14 +27,7 @@ An enterprise owner for {% data variables.product.prodname_ghe_server %} must en
1. Sign in to both your user account on {% data variables.product.prodname_ghe_server %} **and** your user account on {% data variables.product.prodname_ghe_cloud %} ({% data variables.product.prodname_dotcom_the_website %}{% ifversion ghecom-github-connect %} or {% data variables.enterprise.data_residency_site %}{% endif %}).
1. On {% data variables.product.prodname_ghe_server %}, in the upper-right corner of any page, click your profile photo, then click **Settings**.
{% ifversion global-nav-update %}
![Screenshot of a user's account menu on {% data variables.product.prodname_dotcom %}. The menu item "Settings" is outlined in dark orange.](/assets/images/help/settings/userbar-account-settings-global-nav-update.png)
{% else %}
![Screenshot of a user's account menu on {% data variables.product.prodname_dotcom %}. The menu item "Settings" is outlined in dark orange.](/assets/images/help/settings/userbar-account-settings.png)
{% endif %}
{% data reusables.github-connect.github-connect-tab-user-settings %}
{% data reusables.github-connect.connect-dotcom-and-enterprise %}

View File

@@ -68,8 +68,6 @@ You can filter issues and pull requests based on whether they're open or closed
| `is:open` | [**performance is:open is:issue**](https://github.com/search?q=performance+is%3Aopen+is%3Aissue&type=Issues) matches open issues with the word "performance."
| `is:closed` | [**android is:closed**](https://github.com/search?utf8=%E2%9C%93&q=android+is%3Aclosed&type=) matches closed issues and pull requests with the word "android."
{% ifversion merge-queue %}
## Search for pull requests in the merge queue
You can also use the `is` qualifier to find pull requests that are queued to merge.
@@ -78,8 +76,6 @@ You can also use the `is` qualifier to find pull requests that are queued to mer
| --- | --- |
| `is:queued` | [**is:queued**](https://github.com/search?q=is%3Aqueued&type=pullrequests) matches pull requests that are currently queued to merge.
{% endif %}
## Search by the reason an issue was closed
You can filter issues based on the reason given when the issue was closed, using the `reason` qualifier.

View File

@@ -1,5 +0,0 @@
# Eliminate the notion of recommended languages in default setup
# Reference: #11523
versions:
ghes: '>3.8 <3.12'
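Review bot: with 3.11 deprecated, the range `>3.8 <3.12` no longer matches any supported GHES version, so deleting this feature file is the right call. Because the filename is not shown in this hunk, confirm separately that no `{% ifversion %}` tag still names this feature; a conditional pointing at a missing feature definition is a versioning error rather than a silent false.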

View File

@@ -1,4 +0,0 @@
# Issue 10754
# Versioning for deprecating the GitHub Actions required workflows docs
versions:
ghes: '< 3.12'
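Review bot: `ghes: '< 3.12'` only ever matched versions that are now deprecated, so removing the file is consistent. The comment `# Versioning for deprecating the GitHub Actions required workflows docs` ties it to the `{% ifversion required-workflows-deprecation %}` block removed from the organization Actions settings article above; neither hunk should be reverted without the other.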

View File

@@ -1,338 +0,0 @@
date: '2023-11-14'
release_candidate: true
deprecated: true
intro: |
{% note %}
**Note:** Release candidate (RC) builds are intended solely for use in a test environment. If {% data variables.location.product_location %} is running an RC, you cannot upgrade to the general availability (GA) release. You also cannot upgrade with a hotpatch.
{% endnote %}
For upgrade instructions, see [Upgrading {% data variables.product.prodname_ghe_server %}](/admin/enterprise-management/updating-the-virtual-machine-and-physical-resources/upgrading-github-enterprise-server).
sections:
features:
- heading: Instance administration
notes:
# https://github.com/github/releases/issues/3439
- |
Instance administrators can perform administrative tasks using the `gh es` extension for the GitHub CLI. The extension communicates with your instance's management API, so you don't need to SSH into the instance or write a custom application. For more information, see [AUTOTITLE](/admin/administering-your-instance/administering-your-instance-from-the-command-line/administering-your-instance-using-the-github-cli).
- heading: Authentication
notes:
# https://github.com/github/releases/issues/3320
- |
To help users discover the required permissions for calls to a REST API endpoint, GitHub Enterprise Server returns the `X-Accepted-GitHub-Permissions` header for requests to endpoints that use fine-grained permissions, including requests from GitHub Apps. For more information, see the following articles.
- [AUTOTITLE](/rest/overview/troubleshooting#insufficient-permissions-errors)
- [AUTOTITLE](/rest/overview/permissions-required-for-fine-grained-personal-access-tokens)
- [AUTOTITLE](/rest/overview/permissions-required-for-github-apps)
- heading: Audit logs
notes:
# https://github.com/github/releases/issues/3263
- |
The web interface for enterprise, organization, and user audit logs include an expandable view that displays the full audit log payload for each event. Administrators and users can see the same event metadata when searching the audit log in the web interface or via streaming. For more information, see the following articles.
- [AUTOTITLE](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/about-the-audit-log-for-your-enterprise)
- [AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization)
- [AUTOTITLE](/authentication/keeping-your-account-and-data-secure/reviewing-your-security-log)
- heading: GitHub Advanced Security
notes:
# https://github.com/github/releases/issues/3066
- |
On an instance with GitHub Actions enabled, in repositories that use default setup for code scanning, the default setup configuration updates automatically if GitHub detects new languages. Users can view a repository's language configuration for default setup from the repository's "Code security and analysis" settings page. Additionally, users can view information about setup and debug failed languages from the tools status page. For more information, see the following articles.
- [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale#about-adding-languages-to-an-existing-default-setup-configuration)
- [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning)
- [AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-the-tool-status-page)
# https://github.com/github/releases/issues/3258
- |
On an instance with GitHub Actions enabled, default setup for code scanning at the organization level is now generally available. For more information, see [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale) and [AUTOTITLE](/rest/orgs/orgs?apiVersion=2022-11-28#enable-or-disable-a-security-feature-for-an-organization) in the REST API documentation.
# https://github.com/github/releases/issues/3214
- |
On an instance with GitHub Actions enabled, during configuration of default setup for code scanning, users can select either the "Extended" or "Default" query suite for eligible repositories in an organization. For more information, see [AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/built-in-codeql-query-suites) and [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning).
# https://github.com/github/releases/issues/2841
- |
On an instance with GitHub Actions enabled, to better protect active and inactive repositories, GitHub Enterprise Server automatically analyzes repositories that use a default setup for code scanning. The analysis runs on a weekly schedule and uses the most recent version of CodeQL. When configuring code scanning, the fixed time for the weekly scan is randomly chosen. The scan will take place at the same time every week, and the schedule is displayed after the setup is completed, so users can easily see when the next scheduled analysis will occur. The scheduled analysis will be automatically disabled if a repository has no activity for six months. Creation of a pull request or pushes to the repository will re-enable scheduled analysis.
# https://github.com/github/releases/issues/3283
- |
Code scanning default setup is available for Swift analysis with CodeQL. For more information, see [AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning-for-a-repository#configuring-code-scanning-automatically).
# https://github.com/github/releases/issues/3355
- |
CodeQL 2.14.6 and later supports analysis of code written in Go 1.21. For more information, see [Supported languages and frameworks](https://codeql.github.com/docs/codeql-overview/supported-languages-and-frameworks/) in the CodeQL documentation.
# https://github.com/github/releases/issues/3289
- |
With CodeQL model packs for Java, users can improve code scanning results by ensuring that any custom Java libraries and frameworks used by their codebase are recognized by CodeQL. For more information, see the following documentation.
- [AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/editing-your-configuration-of-default-setup#extending-codeql-coverage-with-codeql-model-packs-in-default-setup)
- [AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#extending-codeql-coverage-with-codeql-model-packs)
- [Using the CodeQL model editor](https://codeql.github.com/docs/codeql-for-visual-studio-code/using-the-codeql-model-editor) in the CodeQL documentation
# https://github.com/github/releases/issues/3110
- |
For instances with GitHub Connect configured, code scanning with CodeQL supports Java codebases that use [Project Lombok](https://projectlombok.org/). Previously, code scanning users were able to scan Java applications that contained Lombok code, but all the contents of files containing Lombok code were either skipped or users had to apply a workaround to prepare the applications for scanning. Lombok features will now be automatically scanned without requiring any workaround.
For more information about syncing the required GitHub Actions workflow to scan Lombok code, see [AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/configuring-code-scanning-for-your-appliance#configuring-github-connect-to-sync-github-actions).
# https://github.com/github/releases/issues/2920
- |
Push protection for secret scanning is now generally available. For more information, see [AUTOTITLE](/code-security/secret-scanning/protecting-pushes-with-secret-scanning).
# https://github.com/github/releases/issues/2649
# https://github.com/github/releases/issues/2866
# https://github.com/github/releases/issues/3196
- |
To prevent the leak of tokens where users work outside of code, secret scanning detects tokens in both new and historical issue titles, descriptions, and comments. When a new token type is added to secret scanning, GitHub Enterprise Server scans for matches automatically. This expanded coverage also detects and surfaces secrets that match any custom pattern defined at the repository, organization, or enterprise level. These secrets appear both in the web interface and in queries to the REST API. For more information, see [AUTOTITLE](/code-security/secret-scanning/about-secret-scanning) and [AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning).
# https://github.com/github/releases/issues/2868
- |
Users can view metrics associated with push protection usage across an organization. The overview shows a summary of blocks and bypasses, as well as more granular metrics. For more information, see [AUTOTITLE](/code-security/security-overview/assessing-code-security-risk).
# https://github.com/github/releases/issues/3291
- |
A new REST API endpoint is available for dataflow analysis using custom CodeQL queries. The new endpoint offers additional flexibility, includes improvements that prevent common pitfalls with the old API, and improves the performance of query evaluation by five percent. For more information, see [New dataflow API for writing custom CodeQL queries](https://github.blog/changelog/2023-08-14-new-dataflow-api-for-writing-custom-codeql-queries/) in the GitHub Changelog.
- heading: Dependabot
notes:
# https://github.com/github/releases/issues/2919
- |
For developers who manage Node.js dependencies using the pnpm package manager, pnpm is fully supported by dependency graph, Dependabot alerts, and Dependabot security updates. For more information about securing your supply chain with Dependabot, see [AUTOTITLE](/code-security/dependabot).
# https://github.com/github/releases/issues/3171
- |
Developers can enforce policies related to vulnerabilities and licenses in pull requests for complex ecosystems with transitive dependencies like Gradle and Scala. Dependency review supports dependencies from the dependency submission API. For more information, see the following articles.
- [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#best-practices-for-using-the-dependency-review-api-and-the-dependency-submission-api-together)
- [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review)
- [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api)
# https://github.com/github/releases/issues/3268
# https://github.com/github/releases/issues/3362
# https://github.com/github/releases/issues/3363
# https://github.com/github/releases/issues/3364
- |
To control how Dependabot structures pull requests and improve mergeability, users can implement flexible grouping options in `dependabot.yml`. You can also control Dependabot's behavior for groups using comment commands. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#groups) and [AUTOTITLE](/code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates#managing-dependabot-pull-requests-with-comment-commands).
# https://github.com/github/releases/issues/3270
# https://github.com/github/releases/issues/3271
- |
Dependabot can open pull requests for Swift and Gradle dependencies.
- Users can also configure scheduled updates for Swift dependencies using `dependabot.yml`.
- If users have used the REST API for dependency submission to upload Gradle dependencies to the dependency graph and receive Dependabot alerts for those dependencies, Dependabot will try to open a pull request to resolve security updates enabled for the repository.
For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates).
# https://github.com/github/releases/issues/3287
- |
Responses from REST API endpoints for repositories display whether Dependabot security updates are enabled or disabled. Users can also enable or disable security updates for a repository using the REST API. For more information, see [AUTOTITLE](/rest/repos/repos) in the REST API documentation.
- heading: Code security
notes:
# https://github.com/github/releases/issues/3259
- |
To assess risks to code security and ensure adoption of features to improve code security, the "Security risk" and "Security coverage" pages for organizations and the entire instance are generally available. Additionally, the alert-centric pages for Dependabot, code scanning, and secret scanning are also now generally available. For more information, see [Assessing your code security risk](/code-security/security-overview/assessing-code-security-risk) and [Assessing adoption of code security features](/code-security/security-overview/assessing-adoption-code-security).
# https://github.com/github/releases/issues/3126
- |
Users can take advantage of the [GitHub Advisory Database](https://github.com/advisories) using the REST API. The Advisory Database is a free, open-source list of actionable security advisories and CVEs. API responses include machine-readable mappings to the ecosystem, package name, and affected versions of impacted software. For more information, see [AUTOTITLE](/rest/security-advisories/global-advisories) in the REST API documentation.
- heading: GitHub Actions
notes:
# https://github.com/github/releases/issues/3247
- |
To better navigate, trace, understand, and monitor deployments, users can view and track the full history of deployments in a repository or filter across environments. For more information, see [AUTOTITLE](/actions/deployment/managing-your-deployments/viewing-deployment-history).
# https://github.com/github/releases/issues/3402
- |
Users can improve the security of deployment environments by configuring a branch protection policy to only allow specific branches to deploy to an environment. Additionally, the following security improvements apply to environments.
- GitHub Enterprise Server blocks runs triggered from forks with branch names that match the protected branch's name.
- Tags with the same name as a protected branch cannot deploy to the environments with a branch protection configuration.
For more information, see [AUTOTITLE](/actions/deployment/targeting-different-environments/using-environments-for-deployment#deployment-branches).
# https://github.com/github/releases/issues/3489
- |
On an instance with GitHub Actions enabled and a configuration for deployment environments, administrators for environments can improve the security of deployments by enforcing a review by someone other than the person who triggered the run. This option prevents required reviewers from self-reviewing to trigger workflows. For more information, see [AUTOTITLE](/actions/deployment/targeting-different-environments/using-environments-for-deployment#required-reviewers).
- heading: Organizations
notes:
# https://github.com/github/releases/issues/3465
- |
Organization owners can signal that an organization is no longer actively maintained by archiving the organization. For more information, see [AUTOTITLE](/organizations/managing-organization-settings/archiving-an-organization).
- heading: Repositories
notes:
# https://github.com/github/releases/issues/2926
- |
Users can govern protections for branches and tags in a repository using repository rules. To govern the protections for all of an organization's repositories, users can also enable rulesets for an organization. Contributors to a repository can see which rules apply via the web interface, Git, or the GitHub CLI. For more information, see [AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets).
# https://github.com/github/releases/issues/3081
- |
Users can create new repositories with predefined attributes using query parameters. For example, a user can create a URL that prepopulates information about the repository like the name, description, visibility, and more. For more information, see [AUTOTITLE](/repositories/creating-and-managing-repositories/creating-a-new-repository#creating-a-new-repository-from-a-url-query).
# https://github.com/github/releases/issues/2741
- |
Users can more easily understand changes to a repository using the activity view. For more information, see [AUTOTITLE](/repositories/viewing-activity-and-data-for-your-repository/using-the-activity-view-to-see-changes-to-a-repository).
- heading: Issues
notes:
# https://github.com/github/releases/issues/3324
- |
Users can automatically add a new issue to projects using a custom issue form by defining `projects` in the issue template. For more information, see [AUTOTITLE](/communities/using-templates-to-encourage-useful-issues-and-pull-requests/syntax-for-issue-forms).
- heading: Projects
notes:
# https://github.com/github/releases/issues/3205
- |
Users can review items in a project view broken down by a certain field value. For more information, see [AUTOTITLE](/issues/planning-and-tracking-with-projects/customizing-views-in-your-project/customizing-the-table-layout#slicing-by-field-values).
# https://github.com/github/releases/issues/3205
- |
Users can create charts to visualize current project items, or visualize project items over time. For more information, see [AUTOTITLE](/issues/planning-and-tracking-with-projects/viewing-insights-from-your-project/about-insights-for-projects).
- heading: Accessibility
notes:
# https://github.com/github/releases/issues/3340
- |
To improve the visibility of links with blocks of text in the web interface for GitHub Enterprise Server, users can apply underline styling. For more information, see [AUTOTITLE](/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-user-account-settings/managing-accessibility-settings#managing-the-appearance-of-links).
changes:
# https://github.com/github/releases/issues/3319
- |
The speed of restoration operations with GitHub Enterprise Server Backup Utilities has increased.
# https://github.com/github/releases/issues/3403
- |
Field names for some service logs on GitHub Enterprise Server have changed as part of GitHub's gradual migration to internal semantic conventions for [OpenTelemetry](https://opentelemetry.io/). Additional field names were changed in GitHub Enterprise Server 3.9 and 3.10. If any tooling or processes in your environment rely on specific field names within logs, or log entries in specific files, the following changes may affect you.
- `level` is now `SeverityText`.
- `log_message`, `msg`, or `message` is now `Body`.
- `now` is now `Timestamp`.
- Custom field names such as `gh.repo.id` or `graphql.operation.name` use semantic names.
- Log statements that the instance would previously write to `auth.log`, `ldap.log`, or `ldap-sync.log` now appear in containerized logs for `github-unicorn` if the statement originated from a web request, or in logs for `github-resqued` if the statement originated from a background job. For more information about containerized logs, see [AUTOTITLE](/admin/monitoring-managing-and-updating-your-instance/monitoring-your-appliance/about-system-logs#system-logs-in-the-systemd-journal).
For a full list of mappings, download the OpenTelemetry attribute mapping CSV for GitHub Enterprise Server [3.9](/assets/ghes-3.9-opentelemetry-attribute-mappings.csv), [3.10](/assets/ghes-3.10-opentelemetry-attribute-mappings.csv), and [3.11](/assets/ghes-3.11-opentelemetry-attribute-mappings.csv).
# https://github.com/github/releases/issues/3281
- |
On an instance that uses built-in authentication or LDAP, if two-factor authentication (2FA) is configured for an organization, a user could use a TOTP code multiple times within the code's window of validity during authentication or when entering sudo mode for sensitive actions. To improve security, this reuse is no longer allowed. External systems with a scripted login flow across multiple parallel jobs may stop working as a result of this change.
For more information about 2FA, see the following articles.
- [AUTOTITLE](/admin/managing-accounts-and-repositories/managing-organizations-in-your-enterprise/requiring-two-factor-authentication-for-an-organization)
- [AUTOTITLE](/authentication/keeping-your-account-and-data-secure/sudo-mode)
- [AUTOTITLE](/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication#configuring-two-factor-authentication-using-a-totp-mobile-app)
# https://github.com/github/releases/issues/3327
- |
On an instance with a GitHub Advanced Security license, during analysis of Python projects with code scanning using CodeQL and an advanced setup, GitHub Enterprise Server would automatically install dependencies for the project. Due to improvements to CodeQL, GitHub Enterprise Server no longer needs to fetch these dependencies to analyze a codebase. To improve scan times for Python projects, automatic dependency installation is disabled.
If you configured code scanning with CodeQL via advanced setup to disable dependency installation, GitHub recommends setting `setup-python-dependencies` to `false` for the configuration. For more information, see [AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#analyzing-python-dependencies).
# https://github.com/github/releases/issues/3172
- |
On an instance with Dependabot enabled, due to misconfiguration or incompatible versions, Dependabot jobs for a repository can fail. After 30 failed runs, subsequent scheduled jobs will fail immediately until you trigger a check for updates from the dependency graph, or until you update a manifest file. Jobs for Dependabot security updates will still trigger normally.
# https://github.com/github/releases/issues/3284
- |
On an instance with GitHub Advanced Security, to help users more efficiently review and filter code scanning alerts at scale using the REST API, the `updated_at` field in API responses is improved. The `updated_at` timestamp now represents an alert's most recent state change on the branch that you requested. State changes include an alert being introduced, fixed, dismissed, reopened, or reintroduced. Previously, the `updated_at` timestamp changed frequently, whenever an alert was found in an analysis or the alert state changed. For more information about using the REST API to retrieve code scanning alerts, see [AUTOTITLE](/rest/code-scanning/code-scanning?apiVersion=2022-11-28) in the REST API documentation.
# https://github.com/github/releases/issues/2874
- |
On an instance with Dependabot enabled, the following improvements apply to the repository view for dependency graph, available from the repository's "Insights" tab.
- Users can search by package name from a paginated list of all dependencies.
- Dependency licenses are displayed.
- Dependabot alerts appear for dependencies, sorted by severity, and link to the Dependabot alerts and the Dependabot update pull request where applicable.
For more information about the dependency graph, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph).
# https://github.com/github/releases/issues/3253
- |
After first enabling Dependabot on an instance, GitHub Enterprise Server will no longer send web or email notifications for repositories that are initially populated with Dependabot alerts. This allows you to review the new Dependabot alerts for a repository, organization, or the entire instance without immediately notifying other users of existing alerts.
# https://github.com/github/releases/issues/2603
- |
On an instance with GitHub Actions enabled, workflows that use Node.js 12 will log a warning. Node.js 12 has been end-of-life since [April 2022](https://github.com/nodejs/Release/#end-of-life-releases).
- Workflow authors should update actions to run on Node.js 16 instead of 12. For more information, see [AUTOTITLE](/actions/creating-actions/metadata-syntax-for-github-actions#runs-for-javascript-actions).
- Users with workflows that use Node.js should specify Node.js 16 or later in the workflows using versioned actions. For more information, see [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#example-using-versioned-actions).
# https://github.com/github/releases/issues/3500
- |
On an instance with GitHub Actions enabled and runners using GitHub Actions Runner 2.309.0 or later, users can no longer use `GITHUB_ENV` to set the `NODE_OPTIONS` environment variable in workflows. Workflows that set `NODE_OPTIONS` as an environment variable will now log the following error. For more information, see [AUTOTITLE](/actions/using-workflows/workflow-commands-for-github-actions#setting-an-environment-variable) and the [v2.309.0 release](https://github.com/actions/runner/releases/tag/v2.309.0) in the actions/runner repository on GitHub.com.
```shell
Can't store NODE_OPTIONS output parameter using '$GITHUB_ENV' command.
```
# https://github.com/github/releases/issues/3205
- |
Users can quickly take action on multiple items in a group, or the group itself, using the `•••` button in a table, board, or roadmap.
# https://github.com/github/releases/issues/3219
- |
Users can break out items in a project by workstreams, team members, priorities, or other groupings using a swimlane view. For more information, see [AUTOTITLE](/issues/planning-and-tracking-with-projects/customizing-views-in-your-project/customizing-the-board-layout#grouping-by-field-values).
# https://github.com/github/releases/issues/3262
- |
Users can view view the template used to create a project from a project's settings.
# https://github.com/github/releases/issues/3262
- |
When scrolling through a project, group headers are now sticky.
# https://github.com/github/releases/issues/3262
- |
The colors for single-select fields in a project have been updated, so users see the same colors within the field picker and within project views.
# https://github.com/github/releases/issues/3262
- |
Users create can create issues in a project view that's grouped by repository in the board layout by clicking "Create new issue", or by starting to type the issue's title.
known_issues:
- |
Custom firewall rules are removed during the upgrade process.
- |
During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start.
- |
If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. For more information, see [AUTOTITLE](/admin/configuration/administering-your-instance-from-the-management-console/troubleshooting-access-to-the-management-console#unlocking-the-root-site-administrator-account).
- |
If an instance is configured to forward logs to a target server with TLS enabled, certificate authority (CA) bundles that a site administrator uploads using `ghe-ssl-ca-certificate-install` are not respected, and connections to the server fail.
- |
The `mbind: Operation not permitted` error in the `/var/log/mysql/mysql.err` file can be ignored. MySQL 8 does not gracefully handle when the `CAP_SYS_NICE` capability isn't required, and outputs an error instead of a warning.
- |
On an instance hosted in AWS, system time may lose synchronization with Amazon's servers after an administrator reboots the instance.
- |
On an instance with the HTTP `X-Forwarded-For` header configured for use behind a load balancer, all client IP addresses in the instance's audit log erroneously appear as 127.0.0.1.
- |
{% data reusables.release-notes.large-adoc-files-issue %}
- |
{% data reusables.release-notes.2023-11-cluster-ha-failover-git-push-failure %}
- |
On an instance in a high-availability configuration, passive replica nodes accept Git client requests and forward the requests to the primary node.
- |
On an instance with the HTTP `X-Forwarded-For` header configured for use behind a load balancer, all client IP addresses in the instance's audit log erroneously appear as 127.0.0.1.
- |
{% data reusables.release-notes.2023-10-git-push-made-but-not-registered %}
deprecations:
# https://github.com/github/releases/issues/2605
- heading: Dependabot updates no longer support Python 3.6 or 3.7
notes:
- |
Dependabot updates no longer support Python 3.6 or 3.7, which have reached end-of-life. If a user's code uses these versions, Dependabot will no longer be able to open pull requests in your repository and will log errors. Update to Python 3.8 or later to ensure your code is secure and Dependabot can still run.
Users will continue to receive Dependabot alerts for dependencies with known vulnerabilities. To resolve these alerts, users can manually upgrade the affected package.
For more information about Python releases, see [Status of Python versions](https://devguide.python.org/versions) on the Python website. For more information about supported package managers for Dependabot, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates#supported-repositories-and-ecosystems).
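Review bot: deleting the 3.11 release-candidate notes wholesale is fine for the deprecation, but this file links to `/assets/ghes-3.11-opentelemetry-attribute-mappings.csv` alongside the 3.9 and 3.10 CSVs; if that asset is also removed in this commit, grep the still-published 3.9 and 3.10 release notes for the same link so they do not end up pointing at a deleted file. Note also that `deprecated: true` at the top of this file applies to the RC build only and is not what marks 3.11 as a deprecated version, so the version-level deprecation still has to be recorded in the release metadata.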

View File

@@ -1,374 +0,0 @@
date: '2023-12-05'
release_candidate: false
deprecated: false
intro: |
For upgrade instructions, see [Upgrading {% data variables.product.prodname_ghe_server %}](/admin/enterprise-management/updating-the-virtual-machine-and-physical-resources/upgrading-github-enterprise-server).
sections:
features:
- heading: Instance administration
notes:
# https://github.com/github/releases/issues/3439
- |
Instance administrators can perform administrative tasks using the `gh es` extension for the GitHub CLI. The extension communicates with your instance's management API, so you don't need to SSH into the instance or write a custom application. For more information, see [AUTOTITLE](/admin/administering-your-instance/administering-your-instance-from-the-command-line/administering-your-instance-using-the-github-cli).
- heading: Authentication
notes:
# https://github.com/github/releases/issues/3320
- |
To help users discover the required permissions for calls to a REST API endpoint, GitHub Enterprise Server returns the `X-Accepted-GitHub-Permissions` header for requests to endpoints that use fine-grained permissions, including requests from GitHub Apps. For more information, see the following articles.
- [AUTOTITLE](/rest/overview/troubleshooting#insufficient-permissions-errors)
- [AUTOTITLE](/rest/overview/permissions-required-for-fine-grained-personal-access-tokens)
- [AUTOTITLE](/rest/overview/permissions-required-for-github-apps)
- heading: Audit logs
notes:
# https://github.com/github/releases/issues/3263
- |
The web interface for enterprise, organization, and user audit logs include an expandable view that displays the full audit log payload for each event. Administrators and users can see the same event metadata when searching the audit log in the web interface or via streaming. For more information, see the following articles.
- [AUTOTITLE](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/about-the-audit-log-for-your-enterprise)
- [AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization)
- [AUTOTITLE](/authentication/keeping-your-account-and-data-secure/reviewing-your-security-log)
- heading: GitHub Advanced Security
notes:
# https://github.com/github/releases/issues/3066
- |
On an instance with GitHub Actions enabled, in repositories that use default setup for code scanning, the default setup configuration updates automatically if GitHub detects new languages. Users can view a repository's language configuration for default setup from the repository's "Code security and analysis" settings page. Additionally, users can view information about setup and debug failed languages from the tools status page. For more information, see the following articles.
- [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale#about-adding-languages-to-an-existing-default-setup-configuration)
- [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning)
- [AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-the-tool-status-page)
# https://github.com/github/releases/issues/3258
- |
On an instance with GitHub Actions enabled, default setup for code scanning at the organization level is now generally available. For more information, see [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale) and [AUTOTITLE](/rest/orgs/orgs?apiVersion=2022-11-28#enable-or-disable-a-security-feature-for-an-organization) in the REST API documentation.
# https://github.com/github/releases/issues/3214
- |
On an instance with GitHub Actions enabled, during configuration of default setup for code scanning, users can select either the "Extended" or "Default" query suite for eligible repositories in an organization. For more information, see [AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/built-in-codeql-query-suites) and [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning).
# https://github.com/github/releases/issues/2841
- |
On an instance with GitHub Actions enabled, to better protect active and inactive repositories, GitHub Enterprise Server automatically analyzes repositories that use a default setup for code scanning. The analysis runs on a weekly schedule and uses the most recent version of CodeQL. When configuring code scanning, the fixed time for the weekly scan is randomly chosen. The scan will take place at the same time every week, and the schedule is displayed after the setup is completed, so users can easily see when the next scheduled analysis will occur. The scheduled analysis will be automatically disabled if a repository has no activity for six months. Creation of a pull request or pushes to the repository will re-enable scheduled analysis.
# https://github.com/github/releases/issues/3283
- |
Code scanning default setup is available for Swift analysis with CodeQL. For more information, see [AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning-for-a-repository#configuring-code-scanning-automatically).
# https://github.com/github/releases/issues/3355
- |
CodeQL 2.14.6 and later supports analysis of code written in Go 1.21. For more information, see [Supported languages and frameworks](https://codeql.github.com/docs/codeql-overview/supported-languages-and-frameworks/) in the CodeQL documentation.
# https://github.com/github/releases/issues/3289
- |
With CodeQL model packs for Java, users can improve code scanning results by ensuring that any custom Java libraries and frameworks used by their codebase are recognized by CodeQL. For more information, see the following documentation.
- [AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/editing-your-configuration-of-default-setup#extending-codeql-coverage-with-codeql-model-packs-in-default-setup)
- [AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#extending-codeql-coverage-with-codeql-model-packs)
- [Using the CodeQL model editor](https://codeql.github.com/docs/codeql-for-visual-studio-code/using-the-codeql-model-editor) in the CodeQL documentation
# https://github.com/github/releases/issues/3110
- |
For instances with GitHub Connect configured, code scanning with CodeQL supports Java codebases that use [Project Lombok](https://projectlombok.org/). Previously, code scanning users were able to scan Java applications that contained Lombok code, but all the contents of files containing Lombok code were either skipped or users had to apply a workaround to prepare the applications for scanning. Lombok features will now be automatically scanned without requiring any workaround.
For more information about syncing the required GitHub Actions workflow to scan Lombok code, see [AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/configuring-code-scanning-for-your-appliance#configuring-github-connect-to-sync-github-actions).
# https://github.com/github/releases/issues/2920
- |
Push protection for secret scanning is now generally available. For more information, see [AUTOTITLE](/code-security/secret-scanning/protecting-pushes-with-secret-scanning).
# https://github.com/github/releases/issues/2649
# https://github.com/github/releases/issues/2866
# https://github.com/github/releases/issues/3196
- |
To prevent the leak of tokens where users work outside of code, secret scanning detects tokens in both new and historical issue titles, descriptions, and comments. When a new token type is added to secret scanning, GitHub Enterprise Server scans for matches automatically. This expanded coverage also detects and surfaces secrets that match any custom pattern defined at the repository, organization, or enterprise level. These secrets appear both in the web interface and in queries to the REST API. For more information, see [AUTOTITLE](/code-security/secret-scanning/about-secret-scanning) and [AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning).
# https://github.com/github/releases/issues/2868
- |
Users can view metrics associated with push protection usage across an organization. The overview shows a summary of blocks and bypasses, as well as more granular metrics. For more information, see [AUTOTITLE](/code-security/security-overview/assessing-code-security-risk).
# https://github.com/github/releases/issues/3291
- |
A new REST API endpoint is available for dataflow analysis using custom CodeQL queries. The new endpoint offers additional flexibility, includes improvements that prevent common pitfalls with the old API, and improves the performance of query evaluation by five percent. For more information, see [New dataflow API for writing custom CodeQL queries](https://github.blog/changelog/2023-08-14-new-dataflow-api-for-writing-custom-codeql-queries/) in the GitHub Changelog.
- heading: Dependabot
notes:
# https://github.com/github/releases/issues/2919
- |
For developers who manage Node.js dependencies using the pnpm package manager, pnpm is fully supported by dependency graph, Dependabot alerts, and Dependabot security updates. For more information about securing your supply chain with Dependabot, see [AUTOTITLE](/code-security/dependabot).
# https://github.com/github/releases/issues/3171
- |
Developers can enforce policies related to vulnerabilities and licenses in pull requests for complex ecosystems with transitive dependencies like Gradle and Scala. Dependency review supports dependencies from the dependency submission API. For more information, see the following articles.
- [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#best-practices-for-using-the-dependency-review-api-and-the-dependency-submission-api-together)
- [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review)
- [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api)
# https://github.com/github/releases/issues/3268
# https://github.com/github/releases/issues/3362
# https://github.com/github/releases/issues/3363
# https://github.com/github/releases/issues/3364
- |
To control how Dependabot structures pull requests and improve mergeability, users can implement flexible grouping options in `dependabot.yml`. You can also control Dependabot's behavior for groups using comment commands. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#groups) and [AUTOTITLE](/code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates#managing-dependabot-pull-requests-with-comment-commands).
# https://github.com/github/releases/issues/3270
# https://github.com/github/releases/issues/3271
- |
Dependabot can open pull requests for Swift and Gradle dependencies.
- Users can also configure scheduled updates for Swift dependencies using `dependabot.yml`.
- If users have used the REST API for dependency submission to upload Gradle dependencies to the dependency graph and receive Dependabot alerts for those dependencies, Dependabot will try to open a pull request to resolve security updates enabled for the repository.
For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates).
# https://github.com/github/releases/issues/3287
- |
Responses from REST API endpoints for repositories display whether Dependabot security updates are enabled or disabled. Users can also enable or disable security updates for a repository using the REST API. For more information, see [AUTOTITLE](/rest/repos/repos) in the REST API documentation.
# https://github.com/github/releases/issues/3253
- |
When Dependabot is first enabled, GitHub will not send notifications for all vulnerable dependencies found in the repository, only for new vulnerable dependencies ifentified after Dependabot is enabled. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/configuring-notifications-for-dependabot-alerts).
- heading: Code security
notes:
# https://github.com/github/releases/issues/3259
- |
To assess risks to code security and ensure adoption of features to improve code security, the "Security risk" and "Security coverage" pages for organizations and the entire instance are generally available. Additionally, the alert-centric pages for Dependabot, code scanning, and secret scanning are also now generally available. For more information, see [Assessing your code security risk](/code-security/security-overview/assessing-code-security-risk) and [Assessing adoption of code security features](/code-security/security-overview/assessing-adoption-code-security).
# https://github.com/github/releases/issues/3126
- |
Users can take advantage of the [GitHub Advisory Database](https://github.com/advisories) using the REST API. The Advisory Database is a free, open-source list of actionable security advisories and CVEs. API responses include machine-readable mappings to the ecosystem, package name, and affected versions of impacted software. For more information, see [AUTOTITLE](/rest/security-advisories/global-advisories) in the REST API documentation.
- heading: GitHub Actions
notes:
# Required Actions Runner version
- |
{% data reusables.actions.actions-runner-release-note %} [Updated: 2024-04-25]
# https://github.com/github/releases/issues/3247
- |
To better navigate, trace, understand, and monitor deployments, users can view and track the full history of deployments in a repository or filter across environments. For more information, see [AUTOTITLE](/actions/deployment/managing-your-deployments/viewing-deployment-history).
# https://github.com/github/releases/issues/3402
- |
Users can improve the security of deployment environments by configuring a branch protection policy to only allow specific branches to deploy to an environment. Additionally, the following security improvements apply to environments.
- GitHub Enterprise Server blocks runs triggered from forks with branch names that match the protected branch's name.
- Tags with the same name as a protected branch cannot deploy to the environments with a branch protection configuration.
For more information, see [AUTOTITLE](/actions/deployment/targeting-different-environments/using-environments-for-deployment#deployment-branches).
# https://github.com/github/releases/issues/3489
- |
On an instance with GitHub Actions enabled and a configuration for deployment environments, administrators for environments can improve the security of deployments by enforcing a review by someone other than the person who triggered the run. This option prevents required reviewers from self-reviewing to trigger workflows. For more information, see [AUTOTITLE](/actions/deployment/targeting-different-environments/using-environments-for-deployment#required-reviewers).
- heading: Organizations
notes:
# https://github.com/github/releases/issues/3465
- |
Organization owners can signal that an organization is no longer actively maintained by archiving the organization. For more information, see [AUTOTITLE](/organizations/managing-organization-settings/archiving-an-organization).
- heading: Repositories
notes:
# https://github.com/github/releases/issues/2926
- |
Users can govern protections for branches and tags in a repository using repository rules. To govern the protections for all of an organization's repositories, users can also enable rulesets for an organization. Contributors to a repository can see which rules apply via the web interface, Git, or the GitHub CLI. For more information, see [AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets).
# https://github.com/github/releases/issues/3081
- |
Users can create new repositories with predefined attributes using query parameters. For example, a user can create a URL that prepopulates information about the repository like the name, description, visibility, and more. For more information, see [AUTOTITLE](/repositories/creating-and-managing-repositories/creating-a-new-repository#creating-a-new-repository-from-a-url-query).
# https://github.com/github/releases/issues/2741
- |
Users can more easily understand changes to a repository using the activity view. For more information, see [AUTOTITLE](/repositories/viewing-activity-and-data-for-your-repository/using-the-activity-view-to-see-changes-to-a-repository).
- heading: Issues
notes:
# https://github.com/github/releases/issues/3324
- |
Users can automatically add a new issue to projects using a custom issue form by defining `projects` in the issue template. For more information, see [AUTOTITLE](/communities/using-templates-to-encourage-useful-issues-and-pull-requests/syntax-for-issue-forms).
- heading: Projects
notes:
# https://github.com/github/releases/issues/3205
- |
Users can review items in a project view broken down by a certain field value. For more information, see [AUTOTITLE](/issues/planning-and-tracking-with-projects/customizing-views-in-your-project/customizing-the-table-layout#slicing-by-field-values).
# https://github.com/github/releases/issues/3205
- |
Users can create charts to visualize current project items, or visualize project items over time. For more information, see [AUTOTITLE](/issues/planning-and-tracking-with-projects/viewing-insights-from-your-project/about-insights-for-projects).
- heading: Accessibility
notes:
# https://github.com/github/releases/issues/3340
- |
To improve the visibility of links with blocks of text in the web interface for GitHub Enterprise Server, users can apply underline styling. For more information, see [AUTOTITLE](/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-user-account-settings/managing-accessibility-settings#managing-the-appearance-of-links).
changes:
# https://github.com/github/releases/issues/3319
- |
The speed of restoration operations with GitHub Enterprise Server Backup Utilities has increased.
# https://github.com/github/ghes/issues/6613
- |
Configuration runs now correspond with a unique ID. During the run, the log remains at `/data/user/common/ghe-config.log`. After the run, the instance rotates the log's contents into `/data/user/config-apply/logs/YYYYMMDD/ghe-config.HOSTNAME.ID.log`, where YYYYMMDD is the date of the run, HOSTNAME is the hostname of the node, and ID is the ID of the run. For more information, see [AUTOTITLE](/admin/monitoring-managing-and-updating-your-instance/monitoring-your-instance/about-system-logs#log-files-for-instance-configuration).
# https://github.com/github/releases/issues/3403
- |
Field names for some service logs on GitHub Enterprise Server have changed as part of GitHub's gradual migration to internal semantic conventions for [OpenTelemetry](https://opentelemetry.io/). Additional field names were changed in GitHub Enterprise Server 3.9 and 3.10. If any tooling or processes in your environment rely on specific field names within logs, or log entries in specific files, the following changes may affect you.
- `level` is now `SeverityText`.
- `log_message`, `msg`, or `message` is now `Body`.
- `now` is now `Timestamp`.
- Custom field names such as `gh.repo.id` or `graphql.operation.name` use semantic names.
- Log statements that the instance would previously write to `auth.log`, `ldap.log`, or `ldap-sync.log` now appear in containerized logs for `github-unicorn` if the statement originated from a web request, or in logs for `github-resqued` if the statement originated from a background job. For more information about containerized logs, see [AUTOTITLE](/admin/monitoring-managing-and-updating-your-instance/monitoring-your-appliance/about-system-logs#system-logs-in-the-systemd-journal).
For a full list of mappings, download the OpenTelemetry attribute mapping CSV for GitHub Enterprise Server [3.9](/assets/ghes-3.9-opentelemetry-attribute-mappings.csv), [3.10](/assets/ghes-3.10-opentelemetry-attribute-mappings.csv), and [3.11](/assets/ghes-3.11-opentelemetry-attribute-mappings.csv).
# https://github.com/github/releases/issues/3281
- |
On an instance that uses built-in authentication or LDAP, if two-factor authentication (2FA) is configured for an organization, a user could use a TOTP code multiple times within the code's window of validity during authentication or when entering sudo mode for sensitive actions. To improve security, this reuse is no longer allowed. External systems with a scripted login flow across multiple parallel jobs may stop working as a result of this change.
For more information about 2FA, see the following articles.
- [AUTOTITLE](/admin/managing-accounts-and-repositories/managing-organizations-in-your-enterprise/requiring-two-factor-authentication-for-an-organization)
- [AUTOTITLE](/authentication/keeping-your-account-and-data-secure/sudo-mode)
- [AUTOTITLE](/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication#configuring-two-factor-authentication-using-a-totp-mobile-app)
# https://github.com/github/releases/issues/3327
- |
On an instance with a GitHub Advanced Security license, during analysis of Python projects with code scanning using CodeQL and an advanced setup, GitHub Enterprise Server would automatically install dependencies for the project. Due to improvements to CodeQL, GitHub Enterprise Server no longer needs to fetch these dependencies to analyze a codebase. To improve scan times for Python projects, automatic dependency installation is disabled.
If you configured code scanning with CodeQL via advanced setup to disable dependency installation, GitHub recommends setting `setup-python-dependencies` to `false` for the configuration. For more information, see [AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#analyzing-python-dependencies).
# https://github.com/github/releases/issues/3172
- |
On an instance with Dependabot enabled, due to misconfiguration or incompatible versions, Dependabot jobs for a repository can fail. After 30 failed runs, subsequent scheduled jobs will fail immediately until you trigger a check for updates from the dependency graph, or until you update a manifest file. Jobs for Dependabot security updates will still trigger normally.
# https://github.com/github/releases/issues/3284
- |
On an instance with GitHub Advanced Security, to help users more efficiently review and filter code scanning alerts at scale using the REST API, the `updated_at` field in API responses is improved. The `updated_at` timestamp now represents an alert's most recent state change on the branch that you requested. State changes include an alert being introduced, fixed, dismissed, reopened, or reintroduced. Previously, the `updated_at` timestamp changed frequently, whenever an alert was found in an analysis or the alert state changed. For more information about using the REST API to retrieve code scanning alerts, see [AUTOTITLE](/rest/code-scanning/code-scanning?apiVersion=2022-11-28) in the REST API documentation.
# https://github.com/github/releases/issues/2874
- |
On an instance with Dependabot enabled, the following improvements apply to the repository view for dependency graph, available from the repository's "Insights" tab.
- Users can search by package name from a paginated list of all dependencies.
- Dependency licenses are displayed.
- Dependabot alerts appear for dependencies, sorted by severity, and link to the Dependabot alerts and the Dependabot update pull request where applicable.
For more information about the dependency graph, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph).
# https://github.com/github/releases/issues/3253
- |
After first enabling Dependabot on an instance, GitHub Enterprise Server will no longer send web or email notifications for repositories that are initially populated with Dependabot alerts. This allows you to review the new Dependabot alerts for a repository, organization, or the entire instance without immediately notifying other users of existing alerts.
# https://github.com/github/releases/issues/2603
- |
On an instance with GitHub Actions enabled, workflows that use Node.js 16 or earlier will log a warning. Node.js 16 has been end-of-life since [September 2023](https://github.com/nodejs/Release/#end-of-life-releases).
- Workflow authors should update actions to run on Node.js 20. For more information, see [AUTOTITLE](/actions/creating-actions/metadata-syntax-for-github-actions#runs-for-javascript-actions).
- Users with workflows that use Node.js should specify Node.js 20 or later in the workflows using versioned actions. For more information, see [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#example-using-versioned-actions).
[Updated: 2024-03-05]
# https://github.com/github/releases/issues/3500
- |
On an instance with GitHub Actions enabled and runners using GitHub Actions Runner 2.309.0 or later, users can no longer use `GITHUB_ENV` to set the `NODE_OPTIONS` environment variable in workflows. Workflows that set `NODE_OPTIONS` as an environment variable will now log the following error. For more information, see [AUTOTITLE](/actions/using-workflows/workflow-commands-for-github-actions#setting-an-environment-variable) and the [v2.309.0 release](https://github.com/actions/runner/releases/tag/v2.309.0) in the actions/runner repository on GitHub.com.
```shell
Can't store NODE_OPTIONS output parameter using '$GITHUB_ENV' command.
```
# https://github.com/github/releases/issues/3205
- |
Users can quickly take action on multiple items in a group, or the group itself, using the `•••` button in a table, board, or roadmap.
# https://github.com/github/releases/issues/3219
- |
Users can break out items in a project by workstreams, team members, priorities, or other groupings using a swimlane view. For more information, see [AUTOTITLE](/issues/planning-and-tracking-with-projects/customizing-views-in-your-project/customizing-the-board-layout#grouping-by-field-values).
# https://github.com/github/releases/issues/3262
- |
Users can view view the template used to create a project from a project's settings.
# https://github.com/github/releases/issues/3262
- |
When scrolling through a project, group headers are now sticky.
# https://github.com/github/releases/issues/3262
- |
The colors for single-select fields in a project have been updated, so users see the same colors within the field picker and within project views.
# https://github.com/github/releases/issues/3262
- |
Users create can create issues in a project view that's grouped by repository in the board layout by clicking "Create new issue", or by starting to type the issue's title.
known_issues:
- |
{% data reusables.release-notes.2023-12-ghes-3-11-upgrade-reloading-system-services-error %} [Updated 2023-12-21]
- |
Custom firewall rules are removed during the upgrade process.
- |
During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start.
- |
If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. For more information, see [AUTOTITLE](/admin/configuration/administering-your-instance-from-the-management-console/troubleshooting-access-to-the-management-console#unlocking-the-root-site-administrator-account).
- |
If an instance is configured to forward logs to a target server with TLS enabled, certificate authority (CA) bundles that a site administrator uploads using `ghe-ssl-ca-certificate-install` are not respected, and connections to the server fail.
- |
The `mbind: Operation not permitted` error in the `/var/log/mysql/mysql.err` file can be ignored. MySQL 8 does not gracefully handle when the `CAP_SYS_NICE` capability isn't required, and outputs an error instead of a warning.
- |
On an instance hosted in AWS, system time may lose synchronization with Amazon's servers after an administrator reboots the instance.
- |
{% data reusables.release-notes.large-adoc-files-issue %}
- |
{% data reusables.release-notes.2023-11-cluster-ha-failover-git-push-failure %}
- |
On an instance in a high-availability configuration, passive replica nodes accept Git client requests and forward the requests to the primary node.
- |
{% data reusables.release-notes.2023-12-client-ip-addresses-incorrect-in-audit-log %}
- |
{% data reusables.release-notes.2023-10-git-push-made-but-not-registered %}
- |
{% data reusables.release-notes.2023-12-backup-utils-exit-early-redis %}
- |
{% data reusables.release-notes.2024-01-ha-proxy-out-of-memory %} [Updated 2024-01-23]
- |
{% data reusables.release-notes.2024-03-increased-log-volume-in-syslog %} [Updated: 2024-03-08]
- |
{% data reusables.release-notes.2024-06-possible-frontend-5-minute-outage-during-hotpatch-upgrade %} [Updated: 2024-06-17]
deprecations:
# https://github.com/github/releases/issues/3259
- heading: Enterprise-level security overview is deprecated
notes:
- |
The enterprise-level "Security overview" page is deprecated in favor of the new "Security risk" and "Security coverage" pages. For more information, see [AUTOTITLE](/code-security/security-overview/assessing-code-security-risk) and [AUTOTITLE](/code-security/security-overview/assessing-adoption-code-security).
# https://github.com/github/releases/issues/2605
- heading: Dependabot updates no longer support Python 3.6 or 3.7
notes:
- |
Dependabot updates no longer support Python 3.6 or 3.7, which have reached end-of-life. If a user's code uses these versions, Dependabot will no longer be able to open pull requests in your repository and will log errors. Update to Python 3.8 or later to ensure your code is secure and Dependabot can still run.
Users will continue to receive Dependabot alerts for dependencies with known vulnerabilities. To resolve these alerts, users can manually upgrade the affected package.
For more information about Python releases, see [Status of Python versions](https://devguide.python.org/versions) on the Python website. For more information about supported package managers for Dependabot, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates#supported-repositories-and-ecosystems).
# https://github.com/github/releases/issues/2605
- heading: Upcoming deprecation of team discussions
notes:
- |
GitHub will deprecate team discussions for users in GitHub Enterprise Server 3.13. In GitHub Enterprise Server 3.11, a banner appears atop teams' discussions with information about the deprecation, including a link to tooling to migrate existing team discussions to GitHub Discussions. For more information, see [AUTOTITLE](/organizations/collaborating-with-your-team/about-team-discussions) and [AUTOTITLE](/discussions/collaborating-with-your-community-using-discussions/about-discussions). [Updated: 2024-03-04]
# https://github.com/github/docs-content/issues/14995
- heading: Elasticsearch index `repository-stack` is no longer in use
notes:
- |
The Elasticsearch index `repository-stacks` is no longer in use. [Updated: 2024-06-24]
errata:
- 'The [Changes](/admin/release-notes#3.11.0-changes) section previously indicated that users should update GitHub Actions workflows and actions to run on Node.js 16. Node.js 16 has reached end of life, and users should instead update actions and workflows to run on Node.js 20 or later. [Updated: 2024-03-05]'
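Review bot: Deleting this release-notes file leaves several version-specific references dangling unless they are cleaned up in the same change. The `changes` entry links the asset `/assets/ghes-3.11-opentelemetry-attribute-mappings.csv` (alongside the 3.9 and 3.10 CSVs), and the `known_issues` list pulls in reusables whose names are tied to this release, such as `reusables.release-notes.2023-12-ghes-3-11-upgrade-reloading-system-services-error`; the errata entry also targets the anchor `/admin/release-notes#3.11.0-changes`. Please confirm that the 3.11 CSV asset and any reusable no longer referenced by a surviving release-notes file are removed with this commit (or that a later version's notes still reference them), so the docs build does not ship orphaned assets and includes.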

View File

@@ -1,125 +0,0 @@
date: '2023-12-21'
intro: |
{% warning %}
**Warning**: Hotpatch upgrades from GitHub Enterprise Server version `3.11.0` to `3.11.1` will result in the instance losing network connectivity after a reboot. We have removed the hotpatch upgrade package for the `3.11.1` version of GitHub Enterprise Server to ensure this upgrade path is not executed accidentally. Before you upgrade, please make sure you have read the [Known issues](#3.11.1-known-issues) section of these release notes.
{% endwarning %}
sections:
security_fixes:
- |
**HIGH**: An improper authentication vulnerability was identified in GitHub Enterprise Server that allowed a bypass of private mode by using a specially crafted API request. Private mode is the mechanism that enforces authentication for publicly-scoped resources. For more information, see [AUTOTITLE](/admin/configuration/hardening-security-for-your-enterprise/enabling-private-mode).
This vulnerability would allow unauthenticated attackers to gain access to various types of resources set as public on the instance. To exploit this vulnerability, an attacker would need network access to the GitHub Enterprise Server instance configured in private mode. This vulnerability was reported via the [GitHub Bug Bounty](https://bounty.github.com/) program and assigned [CVE-2023-6847](https://www.cve.org/cverecord?id=CVE-2023-6847).
- |
**HIGH**: A path traversal vulnerability was identified in GitHub Enterprise Server that allowed arbitrary file reading when building a GitHub Pages site. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the GitHub Enterprise Server instance. This vulnerability was reported via the [GitHub Bug Bounty](https://bounty.github.com/) program and assigned [CVE-2023-46645](https://www.cve.org/cverecord?id=CVE-2023-46645).
- |
**MEDIUM**: An attacker could maintain admin access via a race condition when an organization was converted from a user. GitHub has requested CVE ID [CVE-2023-46649](https://www.cve.org/cverecord?id=CVE-2023-46649) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
- |
**MEDIUM**: An insertion of sensitive information into log file in the audit log in GitHub Enterprise Server was identified that that could allow an attacker to gain access to the Management Console. To exploit this, an attacker would need access to the log files for the GitHub Enterprise Server instance, a backup archive created with GitHub Enterprise Server Backup Utilities, or a service which received streamed logs. GitHub has requested CVE ID [CVE-2023-6802](https://www.cve.org/CVERecord?id=CVE-2023-6802) for this vulnerability.
- |
**MEDIUM**: A race condition in GitHub Enterprise Server allowed an outside collaborator to be added while a repository is being transferred. GitHub has requested CVE ID [CVE-2023-6803](https://www.cve.org/cverecord?id=CVE-2023-6803) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
- |
**MEDIUM:** Due to an insufficient entropy vulnerability, an attacker could brute force a user invitation to the Management Console. To exploit this vulnerability, an attacker would have needed knowledge that a user invitation was pending. This vulnerability was reported via the [GitHub Bug Bounty](https://bounty.github.com/) program and assigned [CVE-2023-46648](https://www.cve.org/CVERecord?id=CVE-2023-46648).
- |
**MEDIUM**: An insertion of sensitive information into log file vulnerability was identified in the log files for a GitHub Enterprise Server backend service that could permit an adversary in the middle attack when combined with other phishing techniques. To exploit this, an attacker would need access to the log files for the GitHub Enterprise Server instance, a backup archive created with GitHub Enterprise Server Backup Utilities, or a service which received streamed logs. GitHub has requested CVE ID [CVE-2023-6746](https://www.cve.org/CVERecord?id=CVE-2023-6746) for this vulnerability.
- |
**MEDIUM:** An attacker could maintain admin access to a transferred repository in a race condition by making a GraphQL mutation to alter repository permissions during the transfer. GitHub has requested CVE ID [CVE-2023-6690](https://www.cve.org/CVERecord?id=CVE-2023-6690) for this vulnerability, which reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
- |
**MEDIUM**: Improper privilege management allowed arbitrary workflows to be committed and run using an improperly scoped {% data variables.product.pat_generic %}. To exploit this, a workflow must have already existed in the target repository. GitHub has requested CVE ID [CVE-2023-6804](https://www.cve.org/CVERecord?id=CVE-2023-6804) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
- |
**MEDIUM**: An incorrect authorization vulnerability was identified that allowed issue comments to be updated with an improperly scoped token. This vulnerability did not allow unauthorized access to any repository content as it also required `contents.write` and `issues.read` permissions. This vulnerability was reported via the [GitHub Bug Bounty Program](https://bounty.github.com/) and has been assigned [CVE-2023-51379](https://www.cve.org/CVERecord?id=CVE-2023-51379).
- |
**MEDIUM**: An incorrect authorization vulnerability was identified that allowed issue comments to be read with an improperly scoped token. This vulnerability was reported via the [GitHub Bug Bounty Program](https://bounty.github.com/) and has been assigned [CVE-2023-51380](https://www.cve.org/CVERecord?id=CVE-2023-51380).
- |
**LOW:** To render interactive maps in an instance's web UI using Azure Maps, GitHub Enterprise Server has migrated from use of an unsecure Azure Maps API token to a more secure access token provided by role-based access control (RBAC) in Entra ID. After upgrading to this release, to re-enable interactive maps, an administrator must reconfigure authentication to Azure Maps in the Management Console. For more information, see [AUTOTITLE](/admin/configuration/configuring-user-applications-for-your-enterprise/configuring-interactive-maps).
- |
To address scenarios that could lead to denial of service, HAProxy has been upgraded to version 2.8.4.
- |
Packages have been updated to the latest security versions.
bugs:
- |
In rare cases, on an instance with GitHub Actions enabled, a failed check on a deleted repository could cause upgrades to a new version of GitHub Enterprise Server to fail.
- |
Error messages were not shown when `ghe-config-apply` encountered specific kinds of errors.
- |
In some environments, stale `.backup` log files could accumulate in the system.
- |
On an instance hosted on AWS, when configuring GitHub Packages, virtual-hosted-style AWS S3 URLs would default to path-style URLs if a `region-code` was included. For more information, see [Virtual hosting of buckets](https://docs.aws.amazon.com/AmazonS3/latest/userguide/VirtualHosting.html) in the AWS documentation.
- |
In some cases, when an administrator uploaded a custom TLS certificate, the certificate was not correctly installed on the instance.
- |
Because the `|` character was not permitted, administrators could not add an SMTP username to authenticate with the Azure Communication Service.
- |
In some cases, upgrades to GitHub Enterprise Server 3.11 could fail due to the Consul server failing to start.
- |
Endpoints for the REST API's Manage GitHub Enterprise Server operation returned `internal service error` if `cluster.conf` was not found on the instance.
- |
On an instance with GitHub Actions enabled, an issue with `GH_TOKEN` sometimes prevented GitHub Pages sites from building successfully in workflows.
- |
An administrator could enable GitHub Connect on an instance with a license that does not support GitHub Connect.
- |
On an instance with GitHub Connect enabled, some system users were incorrectly counted as consuming a license following license sync.
- |
A user in the process of being converted into an organization could be added as a collaborator on a repository. This resulted in the new organizations owners unexpectedly receiving access to the repository.
- |
When using `ghe-migrator` to import repositories into GitHub Enterprise Server, the `conflicts` and `audit` subcommands produced an invalid CSV file due to an extra log line appended to the file.
- |
On an instance with a GitHub Advanced Security license and secret scanning enabled, dry runs sometimes incorrectly reported no results for custom patterns.
- |
On an instance with a GitHub Advanced Security license and secret scanning enabled, webhooks for alert locations did not contain information about push protection bypasses.
changes:
- |
On an instance with Dependabot updates enabled, Dependabot relies on the node installation provided by the actions runner instead of dynamically downloading.
- |
To avoid negative effects on disk utilization, `babeld` log files have a maximum size of 15 GB.
- |
When using `ghe-migrator prepare` to import an archive, a missing `schema.json` file results in an `UnsupportedArchive` error rather than an `UnsupportedSchemaVersion` error.
- |
The audit log now tracks all failed password attempts individually. Previously, duplicate failed password attempts in sequence within the same day would be grouped into one failed password attempt, with a `count` field.
- |
On an instance in a cluster configuration, administrators can identify the repository networks or gists that are common across a specified set of storage nodes using the `spokesctl find-on-replicas` command.
known_issues:
- |
{% data reusables.release-notes.2023-12-networking-issue-in-ghes-3-11-1 %} [Updated 2023-12-27]
- |
Custom firewall rules are removed during the upgrade process.
- |
The GitHub Packages npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.
- |
During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start.
- |
If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. For more information, see [AUTOTITLE](/admin/configuration/administering-your-instance-from-the-management-console/troubleshooting-access-to-the-management-console#unlocking-the-root-site-administrator-account).
- |
If an instance is configured to forward logs to a target server with TLS enabled, certificate authority (CA) bundles that a site administrator uploads using `ghe-ssl-ca-certificate-install` are not respected, and connections to the server fail.
- |
The `mbind: Operation not permitted` error in the `/var/log/mysql/mysql.err` file can be ignored. MySQL 8 does not gracefully handle when the `CAP_SYS_NICE` capability isn't required, and outputs an error instead of a warning.
- |
On an instance hosted in AWS, system time may lose synchronization with Amazon's servers after an administrator reboots the instance.
- |
On an instance with the HTTP `X-Forwarded-For` header configured for use behind a load balancer, all client IP addresses in the instance's audit log erroneously appear as 127.0.0.1.
- |
{% data reusables.release-notes.2023-10-git-push-made-but-not-registered %}
- |
{% data reusables.release-notes.large-adoc-files-issue %}
- |
{% data reusables.release-notes.2023-11-cluster-ha-failover-git-push-failure %}
- |
Restoring backups with `ghe-restore` on a GHES cluster will exit prematurely if `redis` has not restarted properly.
- |
{% data reusables.release-notes.2024-01-haproxy-upgrade-causing-increased-errors %} [Updated 2024-01-03]
- |
{% data reusables.release-notes.2024-01-ha-proxy-out-of-memory %} [Updated 2024-01-23]
- |
{% data reusables.release-notes.scheduled-reminders-unintentional %} [Updated: 2024-02-22]
- |
{% data reusables.release-notes.2024-03-increased-log-volume-in-syslog %} [Updated: 2024-03-08]
- |
{% data reusables.release-notes.2024-06-possible-frontend-5-minute-outage-during-hotpatch-upgrade %} [Updated: 2024-06-17]
deprecations:
- heading: Interactive maps in the web UI no longer allow authentication using an Azure Maps API key
notes:
- |
To allow users to render interactive maps in an instance's web UI by writing GeoJSON or TopoJSON syntax, GitHub Enterprise Server previously required a potentially unsecure API key for authentication with Azure Maps. If an administrator previously enabled interactive maps on an instance, the feature is disabled upon upgrade to this release.
To re-enable interactive maps for your instance, you must configure an application on an Entra ID tenant that has access to Azure Maps using role-based access control (RBAC). For more information, see [AUTOTITLE](/admin/configuration/configuring-user-applications-for-your-enterprise/configuring-interactive-maps) and the security fixes for this release.
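Review bot: deleting this file likely orphans the version-specific reusable `{% data reusables.release-notes.2023-12-networking-issue-in-ghes-3-11-1 %}` referenced in known_issues; grep `data/reusables/release-notes/` for remaining references and remove any reusable that no longer has one in the same change, so the data directory does not keep dead entries. The other reusables referenced here (`large-adoc-files-issue`, `2024-01-ha-proxy-out-of-memory`, and so on) are also used by the other files in this diff, so only those with zero references after this commit need removing.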

View File

@@ -1,36 +0,0 @@
date: '2024-05-20'
sections:
security_fixes:
- |
**CRITICAL**: On instances that use SAML single sign-on (SSO) authentication with the optional encrypted assertions feature, an attacker could forge a SAML response to provision and/or gain access to a user with administrator privileges.
Please note that encrypted assertions are not enabled by default. Instances not utilizing SAML SSO or utilizing SAML SSO authentication without encrypted assertions are not impacted. Exploitation of this vulnerability would allow unauthorized access to the instance without requiring prior authentication. GitHub has requested CVE ID [CVE-2024-4985](https://nvd.nist.gov/vuln/detail/CVE-2024-4985) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
For more information, see [AUTOTITLE](/admin/identity-and-access-management/using-saml-for-enterprise-iam/configuring-saml-single-sign-on-for-your-enterprise) and [AUTOTITLE](/admin/identity-and-access-management/using-saml-for-enterprise-iam/enabling-encrypted-assertions).
known_issues:
- |
Custom firewall rules are removed during the upgrade process.
- |
During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start.
- |
If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. For more information, see [AUTOTITLE](/admin/configuration/administering-your-instance-from-the-management-console/troubleshooting-access-to-the-management-console#unlocking-the-root-site-administrator-account).
- |
If an instance is configured to forward logs to a target server with TLS enabled, certificate authority (CA) bundles that a site administrator uploads using `ghe-ssl-ca-certificate-install` are not respected, and connections to the server fail.
- |
The `mbind: Operation not permitted` error in the `/var/log/mysql/mysql.err` file can be ignored. MySQL 8 does not gracefully handle when the `CAP_SYS_NICE` capability isn't required, and outputs an error instead of a warning.
- |
{% data reusables.release-notes.2023-11-aws-system-time %}
- |
On an instance with the HTTP `X-Forwarded-For` header configured for use behind a load balancer, all client IP addresses in the instance's audit log erroneously appear as 127.0.0.1.
- |
{% data reusables.release-notes.2023-10-git-push-made-but-not-registered %}
- |
{% data reusables.release-notes.large-adoc-files-issue %}
- |
{% data reusables.release-notes.2023-12-backup-utils-exit-early-redis %}
- |
{% data reusables.release-notes.2024-01-haproxy-upgrade-causing-increased-errors %}
- |
Repositories originally imported using ghe-migrator will not correctly track Advanced Security contributions.
- |
{% data reusables.release-notes.2024-06-possible-frontend-5-minute-outage-during-hotpatch-upgrade %} [Updated: 2024-06-17]
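Review bot: this hunk removes the only 3.11 release note for CVE-2024-4985 (the CRITICAL SAML encrypted-assertions forgery, "GitHub has requested CVE ID [CVE-2024-4985]..."). Before merging, confirm that the archived copy of the 3.11 docs keeps this page and that its two AUTOTITLE links (configuring-saml-single-sign-on-for-your-enterprise and enabling-encrypted-assertions) still resolve there, since that note is the reference text people use to decide whether an instance with encrypted assertions was affected.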

View File

@@ -1,51 +0,0 @@
date: '2024-06-19'
sections:
security_fixes:
- |
**HIGH**: An attacker with the site administrator role could gain arbitrary code execution capability on the GitHub Enterprise Server appliance when configuring audit log streaming. GitHub has requested CVE ID [CVE-2024-5746](https://www.cve.org/cverecord?id=CVE-2024-5746) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
- |
Packages have been updated to the latest security versions.
bugs:
- |
On an instance with GitHub Actions and External MySQL enabled, a validation step in the config apply could fail.
- |
Users would see an error message from the server while pushing to a gist (the push would still complete).
known_issues:
- |
Custom firewall rules are removed during the upgrade process.
- |
During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start.
- |
If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. For more information, see [AUTOTITLE](/admin/configuration/administering-your-instance-from-the-management-console/troubleshooting-access-to-the-management-console#unlocking-the-root-site-administrator-account).
- |
If an instance is configured to forward logs to a target server with TLS enabled, certificate authority (CA) bundles that a site administrator uploads using `ghe-ssl-ca-certificate-install` are not respected, and connections to the server fail.
- |
The `mbind: Operation not permitted` error in the `/var/log/mysql/mysql.err` file can be ignored. MySQL 8 does not gracefully handle when the `CAP_SYS_NICE` capability isn't required, and outputs an error instead of a warning.
- |
{% data reusables.release-notes.2023-11-aws-system-time %}
- |
On an instance with the HTTP `X-Forwarded-For` header configured for use behind a load balancer, all client IP addresses in the instance's audit log erroneously appear as 127.0.0.1.
- |
{% data reusables.release-notes.2023-10-git-push-made-but-not-registered %}
- |
{% data reusables.release-notes.large-adoc-files-issue %}
- |
{% data reusables.release-notes.2023-11-cluster-ha-failover-git-push-failure %}
- |
{% data reusables.release-notes.2023-12-backup-utils-exit-early-redis %}
- |
{% data reusables.release-notes.2024-01-haproxy-upgrade-causing-increased-errors %}
- |
Repositories originally imported using ghe-migrator will not correctly track Advanced Security contributions.
- |
`ghe-migrations` visualizer is not working due to a known regression. As a results, users will not be able to use `ghe-migrations` to view the status of migrations during an upgrade. Instead you can inspect the log files in `/var/log/dbmigration` to get the status/progress of migrations.
- |
When enabling [log forwarding](/admin/monitoring-activity-in-your-enterprise/exploring-user-activity-in-your-enterprise/log-forwarding#enabling-log-forwarding), specific services logs (babeld and some more) are duplicated.
- |
The reply.[hostname] subdomain is falsely always displaying as having no SSL and DNS record, when testing the domain settings via management console without subdomain isolation.
- |
When log forwarding is enabled, some forwarded log entries may be duplicated.
- |
Admin stats REST API endpoints may timeout on appliances with many users or repositories. Retrying the request until data is returned is advised.
- |
If a hotpatch upgrade requires the `haproxy-frontend` service to be restarted, the restart will hang if there are existing long-lived connections, such as browser web sockets or Git operations. No new connections will be accepted for up to 5 minutes. Any existing unfinished connections at this time will be disconnected.
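Review bot: the known_issues list being removed here carries the same issue twice ("When enabling [log forwarding]... specific services logs (babeld and some more) are duplicated" and "When log forwarding is enabled, some forwarded log entries may be duplicated") along with the typo "As a results". Deleting the file closes that for 3.11, but if these entries were copied forward into the newer versions' release-notes files, they will carry both copies too; worth a quick check of the surviving files so the duplicate is not left behind.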

View File

@@ -1,163 +0,0 @@
date: '2024-07-19'
intro: |
>[!NOTE] Due to a bug that caused hotpatch upgrades to fail for instances on Microsoft Azure, the previous patch release in this series (**3.11.12**) is not available for download. The following release notes include the updates introduced in that release.
sections:
security_fixes:
- |
**HIGH**: An attacker could cause unbounded resource exhaustion on the instance by sending a large payload to the Git server. To mitigate this issue, GitHub has limited the count of "have" and "want" lines for Git read operations. GitHub has requested CVE ID [CVE-2024-5795](https://www.cve.org/cverecord?id=CVE-2024-5795) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com).
- |
**MEDIUM:** An improper privilege management vulnerability allowed users to migrate private repositories without having appropriate scopes defined on the related {% data variables.product.pat_generic %}. GitHub has requested CVE ID [CVE-2024-5566](https://www.cve.org/cverecord?id=CVE-2024-5566) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com).
- |
**MEDIUM:** An attacker could have unauthorized access in a public repository using a suspended GitHub App via a scoped user access token. This was only exploitable in public repositories while private repositories were not impacted. GitHub has requested CVE ID [CVE-2024-5816](https://www.cve.org/cverecord?id=CVE-2024-5816) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com).
- |
**MEDIUM:** An attacker could execute a Cross Site Request Forgery (CSRF) attack to perform write operations on a victim-owned repository in GitHub Enterprise Server by exploiting incorrect request types. A mitigating factor is that the attacker has to be a trusted user and the victim has to visit a tag in the attacker's fork of their own repository. GitHub has requested CVE ID [CVE-2024-5815](https://nvd.nist.gov/vuln/detail/CVE-2024-5815) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
- |
**MEDIUM:** An attacker could disclose the name of a private repository on the GitHub Enterprise Server appliance when the private repository has a deploy key associated to it. GitHub has requested CVE ID [CVE-2024-6395](https://www.cve.org/cverecord?id=CVE-2024-6395) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com).
- |
**LOW:** Instance administrators could see fine-grained {% data variables.product.pat_generic_plural %} in plaintext in the babeld and gitauth logs.
- |
**LOW:** An attacker with read access to a project could use the REST API to view a list of all members in an organization, including members who had made their membership private. This vulnerability was reported via the [GitHub Bug Bounty](https://bounty.github.com/) program.
- |
**LOW:** An attacker could include MathJax syntax in Markdown to bypass GitHubs normal restrictions on CSS properties in Markdown. This vulnerability was reported via the [GitHub Bug Bounty](https://bounty.github.com/) program.
- |
**MEDIUM:** An attacker could disclose sensitive information from a private repository exploiting organization ruleset features. This attack required an organization member to explicitly change the visibility of a dependent repository from private to public. GitHub has requested CVE ID [CVE-2024-6336](https://www.cve.org/cverecord?id=CVE-2024-6336) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com).
- |
**MEDIUM:** An attacker could have unauthorized read access to issue content inside an internal repository via GitHub projects. This attack required attacker access to the corresponding project board. GitHub has requested CVE ID [CVE-2024-5817](https://nvd.nist.gov/vuln/detail/CVE-2024-5817) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
- |
Packages have been updated to the latest security versions.
bugs:
- |
When an instance hosted on Azure was upgraded with a hotpatch, the upgrade failed with an `rsync` error.
- |
On an instance with GitHub Actions enabled, remote blob storage could fill up with large amounts of data because cleanup jobs were skipped on old hosts.
- |
The threshold set by `server_rejoin_age_max` for single-node GHES deployments was too low.
- |
In some cases, commands run in an administrative SSH shell were not written to the audit log.
- |
When an administrator submitted support data to GitHub Support, spokesd keys were incorrectly sanitized.
- |
When log forwarding was enabled, some specific service logs, including babeld, gitauth, unicorn, and resqued, were duplicated.
- |
During the initial boot of an instance, a data disk attached as `/dev/sdb` may not have been recognized as an available disk.
- |
In a high availablity configuration, running `ghe-repl-node` multiple times from a node that did not have replication running had the potential to overwrite the configuration on the primary node.
- |
Configuration history is only generated for instances in a cluster, high availability (HA) cluster, or standalone HA configuration. The current node must be a primary or replica node with replication running.
- |
In some cases, the HAProxy `kill_timeout` setting caused service outages during upgrades or large transactions.
- |
The `ssh-audit-log.sh` script did not effectively log SSH commands, and the `ghe-sanitize-log.psed` script inadequately sanitized password-related logs.
- |
The default MSSQL timeout of 8 seconds sometimes caused issues during administrator activities. The default timeout has been increased to 30 seconds.
- |
For an instance running on Microsoft Azure, the user disk service failed to start because the attached volume could not be found.
- |
Establishing a new GitHub Connect connection could fail with a 500 error.
- |
When using `ghe-migrator` to migrate a repository, the links for pull requests merge commits were not imported.
- |
When a user used the REST API endpoints that returned secret scanning alerts at the repository or organization level with non-cursor-based pagination (for example, without `before` or `after` query parameters), the REST API endpoints for secret scanning returned incorrect `Link` headers.
- |
On certain branch names, the branch info bar was causing frozen string errors.
- |
On instances with SAML authentication configured, users were unable to sign out and became stuck in an infinite SAML SSO loop.
- |
On instances with SCIM enabled, the administrator was unable to view users without an external identity record (for example, because they were provisioned before SCIM was enabled on the instance) in stafftools.
- |
On instances enrolled in the SCIM private beta, built-in authentication users can be added to organizations and teams. Organization owners will no longer see the misleading message that the organization membership is managed by the SAML identity provider when updating organization memberships.
- |
Enterprise owners managed by an identity provider were asked to authenticate within GitHub when performing privileged actions.
- |
On an instance that restricts emails to verified domains, secret scanning emails would sometimes be sent to an unverified domain.
- |
In some cases, on the "Files" tab of a pull request, a comment on the first line did not render.
- |
Some organizations were not recognized as part of an instance's enterprise account.
- |
Some users would encounter an error when navigating to their personal security settings page at `https://HOSTNAME/settings/security`.
- |
The `SpokesSyncCacheReplicaJob` could not initialize in some cases, resulting in an exception when handling the error.
- |
On the "Code scanning" page of a repository, the branch filter did not correctly display all branches.
- |
When including a `.gitignore` or `README.md` file on repository creation failed due to a ruleset or pre-receive hook, no error message displayed.
- |
On an instance with a GitHub Advanced Security license, requests to the `/enterprises/{enterprise}/settings/billing/advanced-security` REST API endpoint could fail due to timeout.
- |
Users viewing the alerts index page experienced inconsistencies in rendering the closed alert state.
- |
Organizations named "C" were incorrectly routed to the GitHub Enterprise Server contact page instead of their organization page.
- |
On an instance with a GitHub Advanced Security license, commits made by users who do not belong to an organization were not counted.
- |
When servers responded with unsupported characters, webhook deliveries were not displayed in the UI.
- |
Chat integrations required frequent reauthentication, as a result of new app installations overwriting previous ones.
- |
On an instance in a cluster configuration, the `ghe-spokesctl ssh` command did not select the correct Nomad container when running a command within a Git repository.
- |
On an instance with a GitHub Advanced Security license, disabling and re-enabling GitHub Advanced Security for an organization resulted in redundant scans of some repositories.
- |
On an instance with a GitHub Advanced Security license, contributions were not tracked on public repositories.
- |
On an instance with a GitHub Advanced Security license, the "adjust configuration" step failed when enabling code scanning with the default setup on self-hosted Windows runners.
- |
Migration of the `issue_edits` table caused intermittent failures during the upgrade to GitHub Enterprise Server version 3.11, resulting in the error message `ActiveRecord::ConcurrentMigrationError: Failed to release advisory lock.` [Updated: 2024-08-14]
changes:
- |
In a high availability configuration, users can only run `ghe-config-apply` or `ghe-cluster-config-apply` on a replica node if replication is already running (from `ghe-repl-start`). If replication isnt running on the node, the user will be instructed to start replication.
- |
Configuration history has been extended. When `ghe-config-apply`, `ghe-cluster-config-apply`, or `ghe-config-archive` is run: `secrets.conf` is captured, a sha256sum for each of the current configuration files is included, the existing patch that is generated includes `secrets.conf`, and an additional sanitized patch that excludes `secrets.conf` is also generated.
- |
The timeout for requests made to the REST API endpoints for secret scanning has been extended.
- |
A more specific error message is shown when a non-provisioned user tried to sign in to an instance with SCIM enabled.
- |
When a user changes a repository's visibility to public, the user is now warned that previous Actions history and logs will become public as well.
- |
A more specific error message is shown when a deprovisioned user attempts signing into an instance with SCIM enabled.
- |
In the audit logs, administrators can see more context for failed user authentication attempts using LDAP.
- |
The system logs provide more context for authentication failures related to multi-factor authentication.
- |
When using the `ghe-webhook-logs` utility, webhook delivery logs can be filtered by event and action. Users can use `ghe-webhook-logs --event issues` to filter by event, or `ghe-webhook-logs --event issues.opened` to filter by event and action.
- |
To avoid excessive log volume and associated disk pressure, requests for `GetCacheKey` are no longer logged. Previously, the high frequency of these requests caused significant log accumulation.
known_issues:
- |
Custom firewall rules are removed during the upgrade process.
- |
During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start.
- |
If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. For more information, see [AUTOTITLE](/admin/configuration/administering-your-instance-from-the-management-console/troubleshooting-access-to-the-management-console#unlocking-the-root-site-administrator-account).
- |
If an instance is configured to forward logs to a target server with TLS enabled, certificate authority (CA) bundles that a site administrator uploads using `ghe-ssl-ca-certificate-install` are not respected, and connections to the server fail.
- |
The `mbind: Operation not permitted` error in the `/var/log/mysql/mysql.err` file can be ignored. MySQL 8 does not gracefully handle when the `CAP_SYS_NICE` capability isn't required, and outputs an error instead of a warning.
- |
{% data reusables.release-notes.2023-11-aws-system-time %}
- |
On an instance with the HTTP `X-Forwarded-For` header configured for use behind a load balancer, all client IP addresses in the instance's audit log erroneously appear as 127.0.0.1.
- |
{% data reusables.release-notes.2023-10-git-push-made-but-not-registered %}
- |
{% data reusables.release-notes.large-adoc-files-issue %}
- |
{% data reusables.release-notes.2023-11-cluster-ha-failover-git-push-failure %}
- |
{% data reusables.release-notes.2023-12-backup-utils-exit-early-redis %}
- |
{% data reusables.release-notes.2024-01-haproxy-upgrade-causing-increased-errors %}
- |
Repositories originally imported using ghe-migrator will not correctly track Advanced Security contributions.
- |
Due to a known regression, operators will not be able to use the `ghe-migrations` visualizer to view the status of migrations during an upgrade. Instead, the operator can inspect the log files in `/var/log/dbmigration` to see the status and progress of migrations.
- |
The reply.[hostname] subdomain is falsely always displaying as having no ssl and dns record, when testing the domain settings via management console **without subdomain isolation**.
- |
_Admin stats REST API endpoints may timeout on appliances with many users or repositories. Retrying the request until data is returned is advised._
- |
If a hotpatch upgrade requires the `haproxy-frontend` service to be restarted, the restart will hang if there are existing long-lived connections, such as browser web sockets or Git operations. No new connections will be accepted for up to 5 minutes. Any existing unfinished connections at this time will be disconnected.
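Review bot: The known_issues list in this hunk depends on six shared `reusables.release-notes.*` data files (the AWS system time, git-push-not-registered, large-adoc-files, cluster HA failover, backup-utils Redis exit and HAProxy upgrade entries); once all 3.11 release notes are removed, verify each reusable is still referenced from a surviving version's notes, and delete any that are not in this same commit rather than leaving orphaned data files behind.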

View File

@@ -1,109 +0,0 @@
date: '2024-08-20'
sections:
features:
- |
Users can view the app state of gists, networks, and wikis in the `spokesctl info` output, enhancing visibility into the status of these elements. Additionally, `spokesctl check` can diagnose and, in most cases, fix empty repository networks, improving network management.
security_fixes:
- |
**CRITICAL:** On GitHub Enterprise Server instances that use SAML single sign-on (SSO) authentication with specific IdPs utilizing publicly exposed signed federation metadata XML, an attacker could forge a SAML response to provision and/or gain access to a user account with site administrator privileges. GitHub has requested CVE ID [CVE-2024-6800](https://www.cve.org/cverecord?id=CVE-2024-6800) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
- |
**MEDIUM:** An attacker could update the `title`, `assignees`, and `labels` of any issue inside a public repository. This was only exploitable inside a public repository, and private/internal repositories were not affected. GitHub has requested CVE ID [CVE-2024-7711](https://www.cve.org/cverecord?id=CVE-2024-7711) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
- |
**MEDIUM:** An attacker could disclose the issue contents from a private repository using a GitHub App with only `contents: read` and `pull requests: write` permissions. This was only exploitable via user access token, and installation access tokens were not impacted. GitHub has requested CVE ID [CVE-2024-6337](https://www.cve.org/cverecord?id=CVE-2024-6337) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
- |
Packages have been updated to the latest security versions.
bugs:
- |
During hotpatching and sometimes when applying configuration changes, a configuration run to upgrade the GitHub Actions service was unnecessarily triggered. The GitHub Actions service will only be upgraded in GitHub Enterprise Server feature releases.
- |
On an instance with GitHub Actions enabled, during a hotpatch upgrade, a race condition could block various upgrade activities.
- |
The `ghe-config-apply` process made an unnecessary number of connections to Redis.
- |
Restarting the `resolvconf` service would not correctly update the contents of `/etc/resolv.conf`.
- |
Instances installed on Google Cloud Platform (GCP) could have their hostname overwritten by GCP when a hotpatch was applied.
- |
The minimum password requirements for Management Console users and the root site administrator required an upper case character when providing a password with a minimum of 8 characters, contradicting the documentation and password hint.
- |
The `ghe-migrations` utility for visualizing migrations did not work due to a regression. Administrators can now run `ghe-migrations` to view the progress and status of `github` migrations, or run `ghe-migrations --all` to view progress on all services.
- |
On an instance with subdomain isolation enabled, configuration runs created subdomains for ChatOps services, such as `slack.HOSTNAME` and `teams.HOSTNAME`, regardless of whether the service was enabled.
- |
On an instance with GitHub Actions enabled, due to an insufficient wait time, MS SQL and MySQL replication could fail with the error message `Failed to start nomad service!`.
- |
Site administrators could not switch maintenance mode directly from "scheduled" to "on," or vice versa.
- |
Some users were unable to delete project views.
- |
When importing using `ghe-migrator`, team URLs containing dots were imported as-is, leading to 404s when attempting to view the imported teams. Dots in imported team URLs are now escaped to dashes.
- |
Due to a regression introduced in a previous patch, for enterprises that use encrypted SAML assertions, SSO attempts failed with a digest mismatch error if the entire SAML response was signed, rather than just the assertions.
- |
Running `go get` for a Golang repository with a directory structure that overlaps with GitHub UI routes failed
- |
The `github-stream-processor` service could get into a state where it would continually fail to process messages with a `TRILOGY_CLOSED_CONNECTION` error.
- |
The wrong help link was displayed when push protection blocked a secret from the CLI.
- |
For repositories with issues disabled, issue links were redirected to pull requests.
- |
In custom pre-receive hooks, the paths stored in environment variables that allow for newly pushed objects to be in a quarantine directory could be incorrectly interpreted as relative to a worktree instead of the Git directory, causing certain commands to fail to read from the repository. The variables now use absolute paths.
- |
A corrupted entry in the Git audit log could cause out of memory errors.
- |
Fixes and improvements for the git core module.
changes:
- |
Actions KPI logs are disabled by default to reduce log size.
- |
Users can set their styling preference for link underlines in the web interface, on their "Accessibility" settings page.
- |
Audit log events related to audit log streaming are available in the enterprise audit log page, and via audit log streaming.
known_issues:
- |
Custom firewall rules are removed during the upgrade process.
- |
During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start.
- |
If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. For more information, see [AUTOTITLE](/admin/configuration/administering-your-instance-from-the-management-console/troubleshooting-access-to-the-management-console#unlocking-the-root-site-administrator-account).
- |
If an instance is configured to forward logs to a target server with TLS enabled, certificate authority (CA) bundles that a site administrator uploads using `ghe-ssl-ca-certificate-install` are not respected, and connections to the server fail.
- |
The `mbind: Operation not permitted` error in the `/var/log/mysql/mysql.err` file can be ignored. MySQL 8 does not gracefully handle when the `CAP_SYS_NICE` capability isn't required, and outputs an error instead of a warning.
- |
{% data reusables.release-notes.2023-11-aws-system-time %}
- |
On an instance with the HTTP `X-Forwarded-For` header configured for use behind a load balancer, all client IP addresses in the instance's audit log erroneously appear as 127.0.0.1.
- |
{% data reusables.release-notes.2023-10-git-push-made-but-not-registered %}
- |
{% data reusables.release-notes.large-adoc-files-issue %}
- |
{% data reusables.release-notes.2023-11-cluster-ha-failover-git-push-failure %}
- |
{% data reusables.release-notes.2023-12-backup-utils-exit-early-redis %}
- |
{% data reusables.release-notes.2024-01-haproxy-upgrade-causing-increased-errors %}
- |
Repositories originally imported using `ghe-migrator` will not correctly track Advanced Security contributions.
- |
Due to a known regression, operators will not be able to use the `ghe-migrations` visualizer to view the status of migrations during an upgrade. Instead, the operator can inspect the log files in `/var/log/dbmigration` to see the status and progress of migrations.
- |
The `reply.HOSTNAME` subdomain is falsely displayed as having no SSL and DNS record, when testing the domain settings via the Management Console without subdomain isolation.
- |
Admin stats REST API endpoints may timeout on appliances with many users or repositories. Retrying the request until data is returned is advised.
- |
If a hotpatch upgrade requires the `haproxy-frontend` service to be restarted, the restart will hang if there are existing long-lived connections, such as browser web sockets or Git operations. No new connections will be accepted for up to 5 minutes. Any existing unfinished connections at this time will be disconnected.
- |
When restoring from a backup snapshot, a large number of `mapper_parsing_exception` errors may be displayed.
- |
Services may respond with a `503` status due to an out of date `haproxy` configuration. This can usually be resolved with a `ghe-config-apply` run.
- |
{% data reusables.release-notes.2024-08-resolvconf-wont-start %}
[Updated: 2024-08-26]
errata:
- |
These release notes previously indicated as a known issue that on GitHub Enterprise Server 3.11.14 when log forwarding is enabled, some forwarded log entries may be duplicated.
The fix for this problem was already included in GitHub Enterprise Server [3.11.13](/admin/release-notes#3.11.13-bugs). [Updated: 2024-09-16]
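Review bot: The security_fixes section of this file is the 3.11-line record of the CVE-2024-6800 (critical SAML response forgery), CVE-2024-7711 and CVE-2024-6337 fixes, and the errata at the end still points at the `#3.11.13-bugs` anchor; before this deletion merges, confirm the deprecated-version archive keeps the page so the CVE cross-references resolve somewhere, and that the 3.11.13 file is removed in the same commit so the anchor is not left dangling on the live site.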

View File

@@ -1,70 +0,0 @@
date: '2024-09-23'
sections:
security_fixes:
- |
**MEDIUM:** An attacker could steal sensitive information by exploiting a Cross-Site Scripting vulnerability in the repository transfer feature. This exploitation would require social engineering. GitHub has requested CVE ID [CVE-2024-8770](https://www.cve.org/cverecord?id=CVE-2024-8770) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
- |
**MEDIUM:** An attacker could push a commit with changes to a workflow using a PAT or OAuth app that lacks the appropriate `workflow` scope by pushing a triple-nested tag pointing at the associated commit. GitHub has requested CVE ID [CVE-2024-8263](https://www.cve.org/cverecord?id=CVE-2024-8263) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
- |
**HIGH:** A GitHub App installed in organizations could upgrade some permissions from read to write access without approval from an organization administrator. An attacker would require an account with administrator access to install a malicious GitHub App. GitHub has requested [CVE ID CVE-2024-8810](https://www.cve.org/cverecord?id=CVE-2024-8810) for this vulnerability, which was reported via the [GitHub Bug Bounty Program](https://bounty.github.com/). [Updated: 2024-11-07]
bugs:
- |
For instances deployed on AWS with IMDSv2 enforced, fallback to private IPs was not successful.
- |
A config apply run may not have been properly applied due to calls being made to Nomad before it was ready to accept connections. When this occurred, the `Error querying agent info: failed querying self endpoint: Get "http://127.0.0.1:4646/v1/agent/self"` error was written to the `/data/user/common/ghe-config.log` file.
- |
`ghe-storage-find` was sometimes unable to identify a data disk.
- |
After upgrading the relevant GHES version, the `resolvconf` service failed to start due to a missing directory.
- |
When configuring a high availability replica and during the database seeding of a MySQL replica node, restarting the nomad service could time out. Consequently, when MySQL replication attempted to start an error was reported, and setting up replication failed.
- |
Placing Nomad jobs would not allow retries in cases when Nomad wasn't available yet.
- |
On an instance in a cluster configuration, the `ghe-cluster-status` command returned an error if a soft-deleted repository had a checksum mismatch.
- |
Some repositories could miss spokes information after restoring in a clustering topology due to unrescued exceptions.
- |
Fixes and improvements for the git core module.
- |
The `CommandPalette` component no longer displays repository information on `404` pages, preventing the leakage of private repository information for users without access.
- |
Custom links to other repositories displayed incorrect breadcrumbs.
- |
When a GitHub App installation had all repositories installed individually, it was not possible to remove the repositories from the selection.
- |
Some custom pattern matches were incorrectly filtered during post-scan filtering. You may want to edit and republish your custom patterns. You can manually republish custom patterns with the following command: `ghe-secret-scanning jobs queue custom-patterns republish --custom-pattern-id=?`. Outdated alerts caused by edits during custom pattern backfills have been fixed in version 3.13 and above.
changes:
- |
For instances deployed on Amazon Web Services (AWS), site administrators can configure regional AWS STS endpoints for OIDC from the Management Console.
known_issues:
- |
Custom firewall rules are removed during the upgrade process.
- |
During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start.
- |
If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. For more information, see [AUTOTITLE](/admin/configuration/administering-your-instance-from-the-management-console/troubleshooting-access-to-the-management-console#unlocking-the-root-site-administrator-account).
- |
The `mbind: Operation not permitted` error in the `/var/log/mysql/mysql.err` file can be ignored. MySQL 8 does not gracefully handle when the `CAP_SYS_NICE` capability isn't required, and outputs an error instead of a warning.
- |
{% data reusables.release-notes.2023-11-aws-system-time %}
- |
On an instance with the HTTP `X-Forwarded-For` header configured for use behind a load balancer, all client IP addresses in the instance's audit log erroneously appear as `127.0.0.1`.
- |
{% data reusables.release-notes.2023-10-git-push-made-but-not-registered %}
- |
{% data reusables.release-notes.large-adoc-files-issue %}
- |
{% data reusables.release-notes.2024-01-haproxy-upgrade-causing-increased-errors %}
- |
Repositories originally imported using ghe-migrator will not correctly track Advanced Security contributions.
- |
The reply.[hostname] subdomain is falsely always displaying as having no ssl and dns record, when testing the domain settings via management console **without subdomain isolation**.
- |
Admin stats REST API endpoints may timeout on appliances with many users or repositories. Retrying the request until data is returned is advised.
- |
{% data reusables.release-notes.2024-06-possible-frontend-5-minute-outage-during-hotpatch-upgrade %}
- |
When restoring from a backup snapshot, a large number of `mapper_parsing_exception` errors may be displayed.
- |
Services may respond with a `503` status due to an out of date `haproxy` configuration. This can usually be resolved with a `ghe-config-apply` run.
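Review bot: Removing this file also removes the only 3.11.15 documentation of an administrator remediation step, the custom-pattern republish command (`ghe-secret-scanning jobs queue custom-patterns republish --custom-pattern-id=?`) in the secret scanning bugs entry, together with the later-amended CVE-2024-8810 entry ([Updated: 2024-11-07]); these are the lines administrators still on 3.11 look up while planning an upgrade, so the deprecation notice should link to the archived copy rather than letting the page drop out of search silently.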

View File

@@ -1,56 +0,0 @@
date: '2024-10-10'
sections:
security_fixes:
- |
**MEDIUM**: Malicious URLs for SVG assets provided information about a victim user who clicked the URL, allowing an attacker to retrieve metadata belonging to the user and use it to generate a convincing phishing page. This required the attacker to upload malicious SVGs and phish a victim user to click the URL for the uploaded asset. GitHub has requested CVE ID [CVE-2024-9539](https://www.cve.org/cverecord?id=CVE-2024-9539). This vulnerability was reported via the [GitHub Bug Bounty](https://bounty.github.com/) program.
- |
**HIGH**: An attacker could bypass SAML single sign-on (SSO) authentication with the optional encrypted assertions feature, allowing unauthorized provisioning of users and access to the instance, by exploiting an improper verification of cryptographic signatures vulnerability in GitHub Enterprise Server. This was a regression introduced as part of follow-up remediation from [CVE-2024-4985](https://www.cve.org/cverecord?id=CVE-2024-4985), which resulted in a new variant of the vulnerability. Please note that encrypted assertions are not enabled by default. Instances not utilizing SAML SSO, or utilizing SAML SSO authentication without encrypted assertions, are not impacted. Additionally, an attacker would require direct network access as well as a signed SAML response or metadata document. GitHub has requested CVE ID [CVE-2024-9487](https://www.cve.org/cverecord?id=CVE-2024-9487). This vulnerability was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
bugs:
- |
HAProxy reloading was failure prone, which could lead to failed Git operations. This reloading process has been replaced with a more resilient Systemd process.
- |
An unhandled nil value when configuring Actions storage with AWS S3 via OIDC configuration in the terminal could cause an error.
- |
On an instance with secret scanning enabled, the custom pattern page would not load because dry run results were tied to a deleted repository.
- |
The "List teams" API endpoint returned duplicate results when paginating.
- |
A model with no URL could cause a `ghe-migrator` import to fail.
- |
Restore could fail when restoring MySQL using backup-utils.
changes:
- |
Pre-receive hook environments can use the `clone3()` system call.
- |
The creation, deletion, or change in visibility of a gist has been added to the audit log.
known_issues:
- |
Custom firewall rules are removed during the upgrade process.
- |
During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start.
- |
If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. For more information, see [AUTOTITLE](/admin/configuration/administering-your-instance-from-the-management-console/troubleshooting-access-to-the-management-console#unlocking-the-root-site-administrator-account).
- |
The `mbind: Operation not permitted` error in the `/var/log/mysql/mysql.err` file can be ignored. MySQL 8 does not gracefully handle when the `CAP_SYS_NICE` capability isn't required, and outputs an error instead of a warning.
- |
{% data reusables.release-notes.2023-11-aws-system-time %}
- |
On an instance with the HTTP `X-Forwarded-For` header configured for use behind a load balancer, all client IP addresses in the instance's audit log erroneously appear as 127.0.0.1.
- |
{% data reusables.release-notes.2023-10-git-push-made-but-not-registered %}
- |
{% data reusables.release-notes.large-adoc-files-issue %}
- |
{% data reusables.release-notes.2024-01-haproxy-upgrade-causing-increased-errors %}
- |
Repositories originally imported using `ghe-migrator` will not correctly track Advanced Security contributions.
- |
The `reply.[hostname]` subdomain is falsely always displaying as having no SSL and DNS record, when testing the domain settings via management console **without subdomain isolation**.
- |
The admin stats REST API endpoints may time out on appliances with many users or repositories. Retrying the request until data is returned is advised.
- |
{% data reusables.release-notes.2024-06-possible-frontend-5-minute-outage-during-hotpatch-upgrade %}
- |
When restoring from a backup snapshot, a large number of `mapper_parsing_exception` errors may be displayed.
- |
Services may respond with a `503` status due to an out of date `haproxy` configuration. This can usually be resolved with a `ghe-config-apply` run.
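Review bot: The HIGH entry for CVE-2024-9487 in this hunk describes it as a regression introduced by the CVE-2024-4985 remediation, and the next deleted file's follow-up hardening entry refers back to CVE-2024-9487 in turn; deleting both 3.11 copies breaks that chain for readers arriving from the CVE record, so verify that the 3.12 and later release notes carry the same pair of entries, or that the CVE page links to the archive URL rather than the live `/admin/release-notes` path.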

View File

@@ -1,62 +0,0 @@
date: '2024-11-07'
sections:
security_fixes:
- |
**HIGH**: An attacker could leak sensitive data from the DOM by injecting malicious input through the `identity` parameter in `querySelector` handling. This allows the attacker to dynamically embed a hidden iframe on the page and exfiltrate data from DOM attributes. To execute the attack, the victim must be logged into GitHub and interact with the attacker controlled malicious webpage containing the hidden iframe. GitHub has requested CVE ID [CVE-2024-10001](https://www.cve.org/cverecord?id=CVE-2024-10001) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/). [Updated: 2025-01-27]
- |
**HIGH**: An attacker could bypass SAML single sign-on (SSO) authentication with the optional encrypted assertions feature, allowing unauthorized provisioning of users and access to the instance, by exploiting an improper verification of cryptographic signatures vulnerability in GitHub Enterprise Server. This is a follow up fix for [CVE-2024-9487](https://www.cve.org/cverecord?id=CVE-2024-9487) to further harden the encrypted assertions feature against this type of attack. Please note that encrypted assertions are not enabled by default. Instances not utilizing SAML SSO, or utilizing SAML SSO authentication without encrypted assertions, are not impacted. Additionally, an attacker would require direct network access as well as a signed SAML response or metadata document to exploit this vulnerability.
- |
**HIGH**: An attacker with Enterprise Administrator access to the GitHub Enterprise Server instance could escalate privileges to SSH root access. This is achieved by exploiting the pre-receive hook environment to bypass symlink checks in the `ghe-firejail` path and execute malicious scripts. GitHub has requested CVE ID [CVE-2024-10007](https://www.cve.org/cverecord?id=CVE-2024-10007) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/). [Updated: 2024-11-07]
bugs:
- |
This error message `mbind: Operation not permitted` was repeatedly showing in the `/var/log/mysql/mysql.err` MySQL logs.
- |
When saving settings in the Management Console, the configuration run would stop if the `enterprise-manage` process was restarted.
- |
A missing configuration value prevented Dependabot from creating group update pull requests.
- |
On an instance with GitHub Actions enabled, some maintenance tasks could fail due to incomplete upgrade steps during previous upgrades to new releases of GitHub Enterprise Server.
- |
The initial setup certificate generation in AWS took longer than expected due to fallback to private IPs. The time for this fallback has been reduced.
- |
If the primary instance was unreachable, running `ghe-repl-stop --force` on a replica would fail during the config apply run.
- |
When restoring from a backup, repositories that had been deleted in the last 90 days were not completely restored.
- |
Restoring Git repositories using `backup-utils` occasionally failed.
- |
Some customers upgrading from 3.11 to 3.13 may experience issues with undecryptable records during the upgrade. This issue has now been resolved. We recommend you read [Undecryptable records](/enterprise-server@3.13/admin/upgrading-your-instance/troubleshooting-upgrades/known-issues-with-upgrades-to-your-instance#undecryptable-records).
changes:
- |
For instances deployed on AWS, the default settings for Chrony NTP synchronization have been aligned with AWS's suggested default configurations.
known_issues:
- |
Custom firewall rules are removed during the upgrade process.
- |
During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start.
- |
If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. See [AUTOTITLE](/admin/configuration/administering-your-instance-from-the-management-console/troubleshooting-access-to-the-management-console#unlocking-the-root-site-administrator-account).
- |
The `mbind: Operation not permitted` error in the `/var/log/mysql/mysql.err` file can be ignored. MySQL 8 does not gracefully handle when the `CAP_SYS_NICE` capability isn't required, and outputs an error instead of a warning.
- |
{% data reusables.release-notes.2023-11-aws-system-time %}
- |
On an instance with the HTTP `X-Forwarded-For` header configured for use behind a load balancer, all client IP addresses in the instance's audit log erroneously appear as 127.0.0.1.
- |
{% data reusables.release-notes.2023-10-git-push-made-but-not-registered %}
- |
{% data reusables.release-notes.large-adoc-files-issue %}
- |
{% data reusables.release-notes.2024-01-haproxy-upgrade-causing-increased-errors %}
- |
Repositories originally imported using `ghe-migrator` will not correctly track GitHub Advanced Security contributions.
- |
The `reply.[HOSTNAME]` subdomain is falsely always displaying as having no SSL and DNS record, when testing the domain settings via the Management Console without subdomain isolation.
- |
Admin stats REST API endpoints may timeout on appliances with many users or repositories. Retrying the request until data is returned is advised.
- |
{% data reusables.release-notes.2024-06-possible-frontend-5-minute-outage-during-hotpatch-upgrade %}
- |
When restoring from a backup snapshot, a large number of `mapper_parsing_exception` errors may be displayed.
- |
Services may respond with a `503` status due to an out of date `haproxy` configuration. This can usually be resolved with a `ghe-config-apply` run.
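Review bot: The CVE-2024-10001 entry at the top of this hunk carries an [Updated: 2025-01-27] marker, so the file was amended only weeks before this deletion; confirm the archived snapshot of the 3.11 notes was taken after that edit, otherwise the archive will preserve the pre-amendment wording. The bugs entry linking to `/enterprise-server@3.13/...#undecryptable-records` needs no action, since it targets a version that survives this commit.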

View File

@@ -1,45 +0,0 @@
date: '2024-12-03'
sections:
security_fixes:
- |
Packages have been updated to the latest security versions.
bugs:
- |
Creating a new comment on a pull request could incorrectly emit a `pull_request_review_comment.edited` webhook event.
- |
In some cases, ambiguous commit OIDs within a repository caused errors when selecting commits to view in a pull request.
known_issues:
- |
Custom firewall rules are removed during the upgrade process.
- |
During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start.
- |
If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. For more information, see [AUTOTITLE](/admin/configuration/administering-your-instance-from-the-management-console/troubleshooting-access-to-the-management-console#unlocking-the-root-site-administrator-account).
- |
The `mbind: Operation not permitted` error in the `/var/log/mysql/mysql.err` file can be ignored. MySQL 8 does not gracefully handle when the `CAP_SYS_NICE` capability isn't required, and outputs an error instead of a warning.
- |
{% data reusables.release-notes.2023-11-aws-system-time %}
- |
On an instance with the HTTP `X-Forwarded-For` header configured for use behind a load balancer, all client IP addresses in the instance's audit log erroneously appear as 127.0.0.1.
- |
{% data reusables.release-notes.2023-10-git-push-made-but-not-registered %}
- |
{% data reusables.release-notes.large-adoc-files-issue %}
- |
{% data reusables.release-notes.2024-01-haproxy-upgrade-causing-increased-errors %}
- |
Repositories originally imported using ghe-migrator will not correctly track Advanced Security contributions.
- |
The `reply.[hostname]` subdomain is falsely always displaying as having no ssl and dns record, when testing the domain settings via management console **without subdomain isolation**. When regenerating the certificates with management console, the `subdomain reply.[hostname]` is missing from the ssl certification.
- |
Admin stats REST API endpoints may timeout on appliances with many users or repositories. Retrying the request until data is returned is advised.
- |
{% data reusables.release-notes.2024-06-possible-frontend-5-minute-outage-during-hotpatch-upgrade %}
- |
When restoring from a backup snapshot, a large number of `mapper_parsing_exception` errors may be displayed.
- |
Services may respond with a `503` status due to an out of date `haproxy` configuration. This can usually be resolved with a `ghe-config-apply` run.
- |
Attempting to stop replications after stopping GitHub Actions on a GitHub Enterprise Server instance would fail, reporting that MSSQL was not responding. The can be avoided by start MSSQL prior to stopping replication `/usr/local/share/enterprise/ghe-nomad-jobs queue /etc/nomad-jobs/mssql/mssql.hcl`
- |
Some customers upgrading from 3.11.x or 3.12.x may experience a bug with the feature "Automatic update checks", filling the root disk with logs causing a system degradation. To prevent this, you can turn off the feature [Enable automatic update check](/admin/upgrading-your-instance/preparing-to-upgrade/enabling-automatic-update-checks#enabling-automatic-update-checks) in the management console.
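Review bot: The last two known_issues in this hunk concern leaving 3.11 rather than running it: the MSSQL replication-stop workaround (`/usr/local/share/enterprise/ghe-nomad-jobs queue /etc/nomad-jobs/mssql/mssql.hcl`) and the "Automatic update checks" log growth that hits customers upgrading from 3.11.x or 3.12.x. Deprecating 3.11 does not retire those customers' upgrade path, so both entries should remain on the upgrade known-issues page or in the 3.12/3.13 notes before this file goes; if the MSSQL entry is carried over, fix its wording ("The can be avoided by start MSSQL") in the surviving copy.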

View File

@@ -1,52 +0,0 @@
date: '2024-12-17'
sections:
security_fixes:
- |
Packages have been updated to the latest security versions.
bugs:
- |
The audit log cluster rebalance script incorrectly proceeded before all shards were ready. This caused the script to exit before the necessary data was available, potentially leading to issues with the audit log migration.
- |
For instances hosted on Azure, if a pre-upgrade check failed due to insufficient user disk size, the Management Console displayed an internal server error.
- |
Pull request synchronization—the process keeping pull requests up to date with the latest commits to a branch—sometimes failed to retry if the initial synchronization process failed.
- |
When creating a pre-receive hook environment, attempts to include an image URL over 255 characters failed with a database error. The maximum length is still 255 characters, but the URL length is now validated before the process starts.
- |
Performing a browser back navigation to a pull request now displays up-to-date status checks.
- |
Subversion services were non-functional in some cases.
changes:
- |
Pull request merges are handled more efficiently, allowing more Git objects to be created before timeout. Additionally, loose objects created by merges that time out are now discarded, limiting the accumulation of these objects.
known_issues:
- |
Custom firewall rules are removed during the upgrade process.
- |
During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start.
- |
If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. For more information, see [AUTOTITLE](/admin/configuration/administering-your-instance-from-the-management-console/troubleshooting-access-to-the-management-console#unlocking-the-root-site-administrator-account).
- |
The `mbind: Operation not permitted` error in the `/var/log/mysql/mysql.err` file can be ignored. MySQL 8 does not gracefully handle when the `CAP_SYS_NICE` capability isn't required, and outputs an error instead of a warning.
- |
{% data reusables.release-notes.2023-11-aws-system-time %}
- |
On an instance with the HTTP `X-Forwarded-For` header configured for use behind a load balancer, all client IP addresses in the instance's audit log erroneously appear as 127.0.0.1.
- |
{% data reusables.release-notes.2023-10-git-push-made-but-not-registered %}
- |
{% data reusables.release-notes.large-adoc-files-issue %}
- |
{% data reusables.release-notes.2024-01-haproxy-upgrade-causing-increased-errors %}
- |
Repositories originally imported using ghe-migrator will not correctly track Advanced Security contributions.
- |
The `reply.[hostname]` subdomain is falsely always displaying as having no ssl and dns record, when testing the domain settings via management console **without subdomain isolation**. When regenerating the certificates with management console, the `subdomain reply.[hostname]` is missing from the ssl certification.
- |
Admin stats REST API endpoints may timeout on appliances with many users or repositories. Retrying the request until data is returned is advised.
- |
{% data reusables.release-notes.2024-06-possible-frontend-5-minute-outage-during-hotpatch-upgrade %}
- |
When restoring from a backup snapshot, a large number of `mapper_parsing_exception` errors may be displayed.
- |
Some customers upgrading from 3.11.x or 3.12.x may experience a bug with the feature "Automatic update checks", filling the root disk with logs causing a system degradation. To prevent this, you can turn off the feature [Enable automatic update check](/admin/upgrading-your-instance/preparing-to-upgrade/enabling-automatic-update-checks#enabling-automatic-update-checks) in the management console.
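Review bot: this block pulls in five `{% data reusables.release-notes.* %}` includes (`2023-11-aws-system-time`, `2023-10-git-push-made-but-not-registered`, `large-adoc-files-issue`, `2024-01-haproxy-upgrade-causing-increased-errors`, `2024-06-possible-frontend-5-minute-outage-during-hotpatch-upgrade`), and every other 3.11.x file deleted in this commit references the same set. Any reusable whose last consumer goes away here should be removed in the same change rather than left orphaned under `data/reusables/release-notes/`; a quick grep for each name across the remaining release-note files before merging will show which ones still have a consumer.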

View File

@@ -1,40 +0,0 @@
date: '2023-12-27'
sections:
bugs:
- When an instance is upgraded with a hotpatch, the instance may lose network connectivity after a reboot.
known_issues:
- |
Custom firewall rules are removed during the upgrade process.
- |
During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start.
- |
If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. For more information, see [AUTOTITLE](/admin/configuration/administering-your-instance-from-the-management-console/troubleshooting-access-to-the-management-console#unlocking-the-root-site-administrator-account).
- |
If an instance is configured to forward logs to a target server with TLS enabled, certificate authority (CA) bundles that a site administrator uploads using `ghe-ssl-ca-certificate-install` are not respected, and connections to the server fail.
- |
The `mbind: Operation not permitted` error in the `/var/log/mysql/mysql.err` file can be ignored. MySQL 8 does not gracefully handle when the `CAP_SYS_NICE` capability isn't required, and outputs an error instead of a warning.
- |
On an instance hosted in AWS, system time may lose synchronization with Amazon's servers after an administrator reboots the instance.
- |
On an instance with the HTTP `X-Forwarded-For` header configured for use behind a load balancer, all client IP addresses in the instance's audit log erroneously appear as 127.0.0.1.
- |
{% data reusables.release-notes.2023-10-git-push-made-but-not-registered %}
- |
{% data reusables.release-notes.large-adoc-files-issue %}
- |
{% data reusables.release-notes.2023-11-cluster-ha-failover-git-push-failure %}
- |
Restoring backups with `ghe-restore` on a GHES cluster will exit prematurely if `redis` has not restarted properly.
- |
{% data reusables.release-notes.2024-01-haproxy-upgrade-causing-increased-errors %} [Updated 2024-01-03]
- |
{% data reusables.release-notes.2024-01-ha-proxy-out-of-memory %} [Updated 2024-01-23]
- |
{% data reusables.release-notes.scheduled-reminders-unintentional %} [Updated: 2024-02-22]
- |
{% data reusables.release-notes.2024-03-increased-log-volume-in-syslog %} [Updated: 2024-03-08]
- |
{% data reusables.release-notes.2024-06-possible-frontend-5-minute-outage-during-hotpatch-upgrade %} [Updated: 2024-06-17]
errata:
- |
[Known issues](/admin/release-notes#3.11.2-known-issues) incorrectly indicated that an upgrade to GitHub Enterprise Server 3.11 may fail. This issue does not impact GitHub Enterprise Server instances when upgrading to version 3.11.1 or later. [Updated: 2024-01-26]
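Review bot: the errata entry links to `/admin/release-notes#3.11.2-known-issues`, an anchor that disappears together with these notes, so run the docs link check after this deletion to catch any surviving page that still points at a `#3.11.x-...` anchor. The same entry also says the 3.11 upgrade failure "does not impact ... version 3.11.1 or later", which is the last statement a 3.11.0 admin would read before upgrading; confirm the deprecated notes remain reachable wherever deprecated versions are archived before the live page drops them.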

View File

@@ -1,60 +0,0 @@
date: '2024-01-16'
sections:
security_fixes:
- |
**HIGH**: An attacker with access to a Management Console user account with the editor role could escalate privileges through a command injection vulnerability in the Management Console. GitHub has requested CVE ID [CVE-2024-0507](https://www.cve.org/cverecord?id=CVE-2024-0507) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
- |
**HIGH**: An attacker could leverage an unsafe reflection vulnerability in GitHub Enterprise Server (GHES) that could lead to reflection injection. This vulnerability could lead to the execution of user-controlled methods and remote code execution. To exploit this bug, an actor would need to be logged into an account on the GHES instance with the [organization owner role](/enterprise-server@latest/organizations/managing-peoples-access-to-your-organization-with-roles/roles-in-an-organization#organization-owners). GitHub has requested CVE ID [CVE-2024-0200](https://www.cve.org/cverecord?id=CVE-2024-0200) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
- |
Packages have been updated to the latest security versions.
bugs:
- Support for authenticating to GitHub Enterprise Server using GitHub CLI OAuth App with a device code was unintentionally disabled.
- During periods of high load, users would see intermittent interruptions to services when upstream services failed internal health checks.
- On an instance in a high availability configuration, site administrators using the Manage GitHub Enterprise Server API may have seen a status of `UNKNOWN` for the MSSQL service.
- Hotpatch upgrades from GitHub Enterprise Server version `3.11.0` to `3.11.1` resulted in the instance losing network connectivity after a reboot.
- On an instance with GitHub Actions enabled, some maintenance tasks could fail due to incomplete upgrade steps during previous upgrades to new releases of GitHub Enterprise Server.
- Deleting a repository would enqueue unnecessary background jobs that would never complete.
- When creating a new custom pattern for secret scanning, the "More options" section of the custom pattern form automatically collapsed when a user entered an invalid regex in the post processing expressions (before/after secret match or additional secret requirements).
- On an instance with a GitHub Advanced Security license and secret scanning enabled, users could experience a `500` error when viewing a secret scanning alert page in cases where the alerted commits belonged to the user and one or more commits could not be found.
- Members of an enterprise were incorrectly allowed access to the REST API endpoints for Enterprise licensing.
- On an instance that uses SAML for authentication, an upgrade from GitHub Enterprise Server 3.7 to 3.9 could result in user login failures due to an outdated gem dependency.
- Under rare circumstances, a repository could become unavailable due to a temporary file being left behind after a Git process was unexpectedly interrupted (for example, due to a power outage).
- On an instance with GitHub Advanced Security enabled, a suspended user would consume a license for GitHub Advanced Security.
changes:
- To avoid leaking secrets, the logging of all parameters is disabled for Management Console events in enterprise audit logs.
- The branch protection setting to require PR approval of the most recent reviewable push is included in exports from `ghe-migrator` or the Organization Migrations API.
known_issues:
- |
Custom firewall rules are removed during the upgrade process.
- |
During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start.
- |
If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. For more information, see [AUTOTITLE](/admin/configuration/administering-your-instance-from-the-management-console/troubleshooting-access-to-the-management-console#unlocking-the-root-site-administrator-account).
- |
If an instance is configured to forward logs to a target server with TLS enabled, certificate authority (CA) bundles that a site administrator uploads using `ghe-ssl-ca-certificate-install` are not respected, and connections to the server fail.
- |
The `mbind: Operation not permitted` error in the `/var/log/mysql/mysql.err` file can be ignored. MySQL 8 does not gracefully handle when the `CAP_SYS_NICE` capability isn't required, and outputs an error instead of a warning.
- |
On an instance hosted in AWS, system time may lose synchronization with Amazon's servers after an administrator reboots the instance.
- |
On an instance with the HTTP `X-Forwarded-For` header configured for use behind a load balancer, all client IP addresses in the instance's audit log erroneously appear as 127.0.0.1.
- |
{% data reusables.release-notes.2023-10-git-push-made-but-not-registered %}
- |
{% data reusables.release-notes.large-adoc-files-issue %}
- |
{% data reusables.release-notes.2023-11-cluster-ha-failover-git-push-failure %}
- |
Restoring backups with `ghe-restore` on a GHES cluster will exit prematurely if `redis` has not restarted properly.
- |
{% data reusables.release-notes.2024-01-haproxy-upgrade-causing-increased-errors %}
- |
Pre-receive hooks which utilize `git rev-list` fail with an `fatal: Invalid revision range` error message.
- |
{% data reusables.release-notes.2024-01-ha-proxy-out-of-memory %} [Updated 2024-01-23]
- |
{% data reusables.release-notes.scheduled-reminders-unintentional %} [Updated: 2024-02-22]
- |
{% data reusables.release-notes.2024-03-increased-log-volume-in-syslog %} [Updated: 2024-03-08]
- |
{% data reusables.release-notes.2024-06-possible-frontend-5-minute-outage-during-hotpatch-upgrade %} [Updated: 2024-06-17]
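Review bot: this file is the 3.11 record of two HIGH fixes, CVE-2024-0507 (Management Console command injection from the editor role) and CVE-2024-0200 (unsafe reflection reachable by an organization owner, leading to remote code execution); deleting it is expected for a deprecation, but an admin still on 3.11.1 loses the in-docs reason to move to 3.11.2, and only the cve.org links in these two entries remain as pointers. Confirm the archived copy of the 3.11 notes carries these entries before merging. Minor and moot once deleted: the `bugs` and `changes` items in this file use inline `- text` scalars while every other 3.11.x file uses `- |` block scalars.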

View File

@@ -1,42 +0,0 @@
date: '2024-01-30'
sections:
bugs:
- |
The instance incorrectly wrote the output for multiple workloads to `/var/log/syslog.log`.
- |
During periods of high traffic, interruptions in service occurred due to insufficient resource allocations for internal components.
- |
When starting up an instance using NVME storage in a cloud other than AWS, the attached data disk was not properly detected.
known_issues:
- |
Custom firewall rules are removed during the upgrade process.
- |
During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start.
- |
If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. For more information, see [AUTOTITLE](/admin/configuration/administering-your-instance-from-the-management-console/troubleshooting-access-to-the-management-console#unlocking-the-root-site-administrator-account).
- |
If an instance is configured to forward logs to a target server with TLS enabled, certificate authority (CA) bundles that a site administrator uploads using `ghe-ssl-ca-certificate-install` are not respected, and connections to the server fail.
- |
The `mbind: Operation not permitted` error in the `/var/log/mysql/mysql.err` file can be ignored. MySQL 8 does not gracefully handle when the `CAP_SYS_NICE` capability isn't required, and outputs an error instead of a warning.
- |
{% data reusables.release-notes.2023-11-aws-system-time %}
- |
On an instance with the HTTP `X-Forwarded-For` header configured for use behind a load balancer, all client IP addresses in the instance's audit log erroneously appear as 127.0.0.1.
- |
{% data reusables.release-notes.2023-10-git-push-made-but-not-registered %}
- |
{% data reusables.release-notes.large-adoc-files-issue %}
- |
{% data reusables.release-notes.2023-11-cluster-ha-failover-git-push-failure %}
- |
Restoring backups with `ghe-restore` on a GHES cluster will exit prematurely if `redis` has not restarted properly.
- |
{% data reusables.release-notes.2024-01-haproxy-upgrade-causing-increased-errors %}
- |
Pre-receive hooks which utilize `git rev-list` fail with an `fatal: Invalid revision range` error message.
- |
{% data reusables.release-notes.2024-02-pages-deployment-error %} [Updated: 2024-03-07]
- |
{% data reusables.release-notes.2024-03-increased-log-volume-in-syslog %} [Updated: 2024-03-08]
- |
{% data reusables.release-notes.2024-06-possible-frontend-5-minute-outage-during-hotpatch-upgrade %} [Updated: 2024-06-17]

View File

@@ -1,76 +0,0 @@
date: '2024-02-13'
sections:
security_fixes:
- |
**HIGH:** An attacker could gain unauthorized read permission to files by deploying arbitrary symbolic links to a GitHub Pages site with a specially crafted artifact tarball. GitHub has requested CVE ID [CVE-2024-1082](https://www.cve.org/cverecord?id=CVE-2024-1082) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
- |
**HIGH:** An attacker with an editor role in the Management Console could gain admin SSH access to the appliance by command injection when configuring SAML settings. GitHub has requested CVE ID [CVE-2024-1372](https://www.cve.org/cverecord?id=CVE-2024-1372) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
- |
**HIGH:** An attacker with an editor role in the Management Console could gain admin SSH access to the appliance by command injection when setting an HTTP proxy. GitHub has requested CVE ID [CVE-2024-1359](https://www.cve.org/cverecord?id=CVE-2024-1359) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
- |
**HIGH:** An attacker with an editor role in the Management Console could gain admin SSH access to the appliance by command injection into nomad templates when configuring SMTP options. GitHub has requested CVE ID [CVE-2024-1378](https://www.cve.org/cverecord?id=CVE-2024-1378) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
- |
**HIGH:** An attacker with an editor role in the Management Console could gain admin SSH access to the appliance by command injection in the `actions-console` docker container while setting a service URL. GitHub has requested CVE ID [CVE-2024-1355](https://www.cve.org/cverecord?id=CVE-2024-1355) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
- |
**HIGH:** An attacker with an editor role in the Management Console could gain admin SSH access to the appliance by command injection in the `syslog-ng` configuration file. GitHub has requested CVE ID [CVE-2024-1354](https://www.cve.org/cverecord?id=CVE-2024-1354) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
- |
**HIGH:** An attacker with an editor role in the Management Console could gain admin SSH access to the appliance by command injection when setting the username and password for `collectd` configurations. GitHub has requested CVE ID [CVE-2024-1369](https://www.cve.org/cverecord?id=CVE-2024-1369) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
- |
**HIGH:** An attacker with an editor role in the Management Console could gain admin SSH access to the appliance by command injection into nomad templates when configuring audit log forwarding. GitHub has requested CVE ID [CVE-2024-1374](https://www.cve.org/cverecord?id=CVE-2024-1374) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
- |
**HIGH:** An attacker could create new branches in public repositories, and run arbitrary GitHub Actions workflows with permissions from the GITHUB_TOKEN. GitHub has requested CVE ID [CVE-2024-1482](https://www.cve.org/cverecord?id=CVE-2024-1482) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
- |
**MEDIUM:** An attacker could make changes to a user account by taking advantage of a Cross-site Scripting vulnerability in the tag name pattern field in the tag protections UI. Exploitation of this vulnerability required user interaction with malicious javascript on a website along with further social engineering. GitHub has requested CVE ID [CVE-2024-1084](https://www.cve.org/cverecord?id=CVE-2024-1084) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
- |
**LOW:** An attacker could decrypt the user section of the enterprise user license list JSON file by using an exposed private key. This vulnerability was reported via the [GitHub Bug Bounty](https://bounty.github.com/) program.
- |
Packages have been updated to the latest security versions.
bugs:
- |
On startup, Elasticsearch logged an innocuous JMX MBeans registration error.
- |
Hunk headers in C# files did not correctly display changed functions.
- |
On an instance with a GitHub Advanced Security license, the code scanning "Tools" status page incorrectly displayed an **Add tool** button when Actions was disabled.
- |
When using `ghe-migrator` to import repositories, issue and pull request attachments imported but failed to render in the UI.
- |
A change to the way GitHub handles pushes caused custom pre-receive hooks to fail when inspecting the newly-pushed content.
- |
When restoring a deleted repository, some metadata associated with the repository, such as packages or project items, did not properly restore.
- |
During Git data server maintenance, a process that was ran on unsupported GitHub Enterprise Server topologies created a significant amount of system logs but did not perform any repair work.
changes:
- |
The default 30 second webhook delivery HTTP timeout can be configured.
known_issues:
- |
Custom firewall rules are removed during the upgrade process.
- |
During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start.
- |
If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. For more information, see [AUTOTITLE](/admin/configuration/administering-your-instance-from-the-management-console/troubleshooting-access-to-the-management-console#unlocking-the-root-site-administrator-account).
- |
If an instance is configured to forward logs to a target server with TLS enabled, certificate authority (CA) bundles that a site administrator uploads using `ghe-ssl-ca-certificate-install` are not respected, and connections to the server fail.
- |
The `mbind: Operation not permitted` error in the `/var/log/mysql/mysql.err` file can be ignored. MySQL 8 does not gracefully handle when the `CAP_SYS_NICE` capability isn't required, and outputs an error instead of a warning.
- |
{% data reusables.release-notes.2023-11-aws-system-time %}
- |
On an instance with the HTTP `X-Forwarded-For` header configured for use behind a load balancer, all client IP addresses in the instance's audit log erroneously appear as 127.0.0.1.
- |
{% data reusables.release-notes.2023-10-git-push-made-but-not-registered %}
- |
{% data reusables.release-notes.large-adoc-files-issue %}
- |
{% data reusables.release-notes.2023-11-cluster-ha-failover-git-push-failure %}
- |
{% data reusables.release-notes.2023-12-backup-utils-exit-early-redis %}
- |
{% data reusables.release-notes.2024-01-haproxy-upgrade-causing-increased-errors %}
- |
{% data reusables.release-notes.2024-02-pages-deployment-error %} [Updated: 2024-03-07]
- |
{% data reusables.release-notes.2024-03-increased-log-volume-in-syslog %} [Updated: 2024-03-08]
- |
{% data reusables.release-notes.2024-06-possible-frontend-5-minute-outage-during-hotpatch-upgrade %} [Updated: 2024-06-17]
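Review bot: the LOW entry about decrypting the user section of the enterprise user license list with an exposed private key is the only security fix in this block without a CVE ID, while the seven Management Console command-injection entries, the Pages symlink read (CVE-2024-1082), the GITHUB_TOKEN workflow entry (CVE-2024-1482) and the tag-protection XSS (CVE-2024-1084) all carry one. Nothing to change in this deletion, but if the same entry was copied into the notes for still-supported versions it should get its identifier there so the fix stays traceable after this copy is gone.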

View File

@@ -1,42 +0,0 @@
date: '2024-02-29'
sections:
security_fixes:
- |
**HIGH**: On an instance with GitHub Connect enabled and non-default settings for GitHub Connect configured, an attacker could use an enterprise GitHub Actions download token to fetch private repository data. This token is only accessible to users on the GitHub Enterprise Server instance. To fix this vulnerability, the Actions download token will now be a permissionless token. GitHub has requested CVE ID [CVE-2024-1908](https://www.cve.org/cverecord?id=CVE-2024-1908) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
- |
Packages have been updated to the latest security versions.
bugs:
- |
Redundant messages caused increased log volumes in `/var/log/syslog`.
changes:
- |
For instances deployed on Google Cloud Platform, GitHubs public images include support for Google Virtual NIC (gVNIC) by default. Previously, to use gVNIC, an administrator needed to use the `--guest-os-features=gvnic` flag when creating the instance.
known_issues:
- |
Custom firewall rules are removed during the upgrade process.
- |
During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start.
- |
If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. For more information, see [AUTOTITLE](/admin/configuration/administering-your-instance-from-the-management-console/troubleshooting-access-to-the-management-console#unlocking-the-root-site-administrator-account).
- |
If an instance is configured to forward logs to a target server with TLS enabled, certificate authority (CA) bundles that a site administrator uploads using `ghe-ssl-ca-certificate-install` are not respected, and connections to the server fail.
- |
The `mbind: Operation not permitted` error in the `/var/log/mysql/mysql.err` file can be ignored. MySQL 8 does not gracefully handle when the `CAP_SYS_NICE` capability isn't required, and outputs an error instead of a warning.
- |
{% data reusables.release-notes.2023-11-aws-system-time %}
- |
On an instance with the HTTP `X-Forwarded-For` header configured for use behind a load balancer, all client IP addresses in the instance's audit log erroneously appear as 127.0.0.1.
- |
{% data reusables.release-notes.2023-10-git-push-made-but-not-registered %}
- |
{% data reusables.release-notes.large-adoc-files-issue %}
- |
{% data reusables.release-notes.2023-11-cluster-ha-failover-git-push-failure %}
- |
{% data reusables.release-notes.2023-12-backup-utils-exit-early-redis %}
- |
{% data reusables.release-notes.2024-01-haproxy-upgrade-causing-increased-errors %}
- |
{% data reusables.release-notes.2024-02-pages-deployment-error %}
- |
{% data reusables.release-notes.2024-06-possible-frontend-5-minute-outage-during-hotpatch-upgrade %} [Updated: 2024-06-17]

View File

@@ -1,94 +0,0 @@
date: '2024-03-20'
sections:
security_fixes:
- |
**HIGH:** An attacker with an Administrator role in GitHub Enterprise Server could gain SSH root access via remote code execution. GitHub has requested CVE ID [CVE-2024-2469](https://www.cve.org/cverecord?id=CVE-2024-2469) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
- |
**HIGH:** An attacker with an editor role in the Management Console could gain SSH access to the instance by command injection when configuring GeoJSON settings. GitHub has requested CVE ID [CVE-2024-2443](https://www.cve.org/cverecord?id=CVE-2024-2443) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
- |
Packages have been updated to the latest security versions.
bugs:
- |
In some cases, storage initialization on a new instance launch could cause EBS-backed data volumes to not be detected correctly.
- |
Administrators could initiate an SSH audit that unknowingly unverified all SSH keys.
- |
Attributes used to debug LDAP issues were not included in system logs.
- |
On an instance in a high availability or cluster configuration, configuring `fluent-bit` on a primary node returned an empty `primary_host` value.
- |
On an instance in a cluster configuration with many nodes, requests to the REST API for managing GitHub Enterprise Server would exceed the instances HTTP timeouts.
- |
Redundant messages caused an increase in the volume of events logged in `/var/log/syslog`.
- |
On an instance in a cluster configuration with high availability enabled, the `ghe-spokesctl` command failed when run on a replica node.
- |
If an administrator lost SSH access to an instance, authentication from the hypervisor console using the password for the root site administrator would fail.
- |
On an instance with GitHub Actions enabled, GitHub Actions workflows that deployed GitHub Pages sites failed with the following error: `Error: Deployment failed, try again later.`
- |
On an instance in a cluster configuration, Jupyter notebooks did not render correctly.
- |
Some API endpoints for projects did not properly filter target repositories based on the users access.
- |
On an instance with a GitHub Advanced Security license, some searches for secret scanning alerts resulted in a `500` error.
- |
When an administrator set a policy to require two-factor authentication (2FA) for an enterprise, a message incorrectly indicated that users without 2FA enabled on their account would be removed from the enterprise. These users will be removed from repositories and organizations in the enterprise, but not from the enterprise itself.
- |
On an instance with a GitHub Advanced Security license, viewing a secret scanning alert as a user without the security manager role would return a `500` error if the alert was generated from a Git tag instead of a normal commit.
- |
When using GitHub Enterprise Importer to import repositories, `ghost` users in archive metadata files would cause an error when generating a list of migration conflicts using `ghe-migrator conflicts`.
- |
After an administrator ran `ghe-saml-mapping-csv`, the output did not include the corresponding SQL query.
- |
On an instance with a GitHub Advanced Security license, the security overview did not display updated alert counts for code scanning immediately after the completion of analysis.
- |
During a configuration run prompted by the delayed restart of the `notebooks` service, a container validation warning appeared in system logs.
- |
On an instance in a cluster configuration, rebuilds of GitHub Pages sites failed if no replicas of the GitHub Pages data were available (for example, on a newly restored cluster).
- |
In some cases, manual repository maintenance using `ghe-spokesctl` would fail with the following error: `panic: runtime error: invalid memory address or nil pointer dereference`.
- |
On an instance with a GitHub Advanced Security license, the speed of migration for code scanning analyses is increased during an upgrade from GitHub Enterprise Server 3.10 or earlier.
- |
On an instance with a GitHub Advanced Security license, in some cases, weekly scheduled runs for code scanning's default setup might not occur.
changes:
- |
Gists can be deleted using the **Purge Gist** button on the Deleted Gists page in Staff Tools.
- |
People deploying a GitHub Enterprise Server instance in AWS can now deploy in an environment that uses Instance Metadata Service Version 2 (IMDSv2).
- |
On an instance with a GitHub Advanced Security license, in some cases, when a user deleted a custom pattern for secret scanning, GitHub Enterprise Server failed to close or delete the patterns alerts.
- |
On an instance in a cluster configuration, MySQL replica nodes can be configured to skip database seeding. For more information, see [AUTOTITLE](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/deferring-database-seeding).
- |
The payload for the `push` webhook event is now limited to 2,048 commits. If there are more than 2,048 commits in a push, the payload for the push webhook will not contain serialized diff information for each commit. If you need to fetch commit information, you can use the Commits endpoints of the REST API. For more information, see [AUTOTITLE](/webhooks/webhook-events-and-payloads#push) and [AUTOTITLE](/rest/commits).
- |
Organizations using projects (classic) returned an error log about a soon-to-be deprecated MySQL feature when viewing a project.
known_issues:
- |
Custom firewall rules are removed during the upgrade process.
- |
During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start.
- |
If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. For more information, see [AUTOTITLE](/admin/configuration/administering-your-instance-from-the-management-console/troubleshooting-access-to-the-management-console#unlocking-the-root-site-administrator-account).
- |
If an instance is configured to forward logs to a target server with TLS enabled, certificate authority (CA) bundles that a site administrator uploads using `ghe-ssl-ca-certificate-install` are not respected, and connections to the server fail.
- |
The `mbind: Operation not permitted` error in the `/var/log/mysql/mysql.err` file can be ignored. MySQL 8 does not gracefully handle when the `CAP_SYS_NICE` capability isn't required, and outputs an error instead of a warning.
- |
{% data reusables.release-notes.2023-11-aws-system-time %}
- |
On an instance with the HTTP `X-Forwarded-For` header configured for use behind a load balancer, all client IP addresses in the instance's audit log erroneously appear as 127.0.0.1.
- |
{% data reusables.release-notes.2023-10-git-push-made-but-not-registered %}
- |
{% data reusables.release-notes.large-adoc-files-issue %}
- |
{% data reusables.release-notes.2023-11-cluster-ha-failover-git-push-failure %}
- |
{% data reusables.release-notes.2023-12-backup-utils-exit-early-redis %}
- |
{% data reusables.release-notes.2024-01-haproxy-upgrade-causing-increased-errors %}
- |
{% data reusables.release-notes.2024-06-possible-frontend-5-minute-outage-during-hotpatch-upgrade %} [Updated: 2024-06-17]
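Review bot: two items under `changes` in this block are bug fixes (the secret-scanning entry "failed to close or delete the patterns alerts" and the projects (classic) MySQL error-log entry), and one item under `bugs` is a performance change (the code scanning migration speed entry), so the sections are misfiled; three possessives have also lost their apostrophes (`instances HTTP timeouts`, `users access`, `patterns alerts`). Since this file is being deleted, act on this only where the same entries were carried forward into notes for supported versions.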

View File

@@ -1,88 +0,0 @@
date: '2024-04-18'
sections:
security_fixes:
- |
**HIGH**: An attacker with the editor role in the Management Console could gain administrative SSH access to the appliance by command injection when configuring the chat integration. GitHub has requested CVE ID [CVE-2024-3646](https://www.cve.org/cverecord?id=CVE-2024-3646) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/). The editor role has been deprecated. For more information, see the "Changes" section of these release notes.
- |
**HIGH**: An attacker with an editor role in the Management Console could gain SSH access to the instance by command injection when configuring Artifact & Logs and Migrations Storage. GitHub has requested CVE ID [CVE-2024-3684](https://nvd.nist.gov/vuln/detail/CVE-2024-3684) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
- |
**MEDIUM**: An attacker with a deploy key for an organization-owned repository could bypass a ruleset that specified organization administrators as bypass actors. Exploitation would require an attacker to already have access to a valid deploy key for a repository. GitHub has requested CVE ID [CVE-2024-3470](https://nvd.nist.gov/vuln/detail/CVE-2023-3470) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
- |
**MEDIUM**: An attacker could maintain admin access to a detached repository in a race condition by making a GraphQL mutation to alter repository permissions while the repository is detached. GitHub has requested CVE ID [CVE-2024-2440](https://nvd.nist.gov/vuln/detail/CVE-2024-2440) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
- |
A GraphQL endpoint was disabled as part of a previous security fix, causing projects auto-add workflow and inline issue creation errors. To resolve these errors, a security patch was applied that allows for the affected GraphQL endpoint to be re-enabled.
- |
Packages have been updated to the latest security versions.
bugs:
- |
When configuring audit log streaming to Datadog or Splunk on an instance with custom CA certificates, the connection failed with the error `There was an error trying to connect`.
- |
Disk usage, utilization, and latency for data devices could render incorrectly in Grafana.
- |
On an instance in a cluster configuration with high availability replication enabled, Git operations for existing repositories would fail after failover to the replica cluster.
- |
On an instance in a cluster configuration, former primary nodes were able to access the newly promoted nodes after failover. The `ghe-cluster-failover` command has been updated to block access from the old cluster, and four new command-line utilities have been introduced to manually block IP addresses: `ghe-cluster-block-ips`, `ghe-cluster-block-ip`, `ghe-cluster-unblock-ips`, and `ghe-cluster-unblock-ip`. For more information, see [AUTOTITLE](/admin/administering-your-instance/administering-your-instance-from-the-command-line/command-line-utilities#ghe-cluster-failover). [Updated: 2024-05-01]
- |
A Redis job had a memory limit that was too low in some cases, leading the process to run out of memory.
- |
The `ghe-update-check` command did not clean up .tmp files in `/var/lib/ghe-updates/`, which could lead to full disk issues.
- |
On an instance that failed a configuration run, when attempting to repeat the restore step of a backup, the audit log restore step returned error lines even though audit logs were being fully restored.
- |
In some cases, Treelights timeouts caused pull requests to return a 500 error.
- |
Some search indices in Stafftools failed to load.
- |
The web UI presented inapplicable fine-grained permissions for assignment to custom repository roles. The permissions were also displayed as implicitly included in certain base roles.
- |
Unauthenticated requests to the REST APIs `/search/code` endpoint returned erroneous rate-limit values.
- |
The profile settings for organizations displayed a warning about profile images that does not apply to organizations on a GitHub Enterprise Server instance.
- |
On some pages that listed users on an instance, the web UI erroneously rendered checkboxes to the right of users details.
- |
Administrators could get a 500 error when trying to access the "File storage" section of the site admin dashboard.
- |
Setting a maintenance message failed if the message contained a multibyte character.
- |
On an instance where user avatars had been deleted directly from the database, an identicon avatar was not correctly displayed for affected users, and administrators may have observed a relatively high number of application exceptions.
- |
On an instance with repository caching configured, adding new repositories to a cache node sometimes failed.
- |
On an instance with a GitHub Advanced Security license, after enabling secret scanning for the first time for an organization or the instance, the historical backfills for alerts in existing repositories issues did not appear.
- |
On an instance with a GitHub Advanced Security license, metrics for custom patterns alerts incorrectly included tokens in ignored locations.
- |
On an instance with code scanning enabled, on the tool status page for code scanning, outdated upload errors were still displayed after a successful upload.
changes:
- |
On an instance hosted on Azure, administrators can set and reset SSH keys and passwords via the Azure Agent.
- |
As a result of a security vulnerability, the editor role for a Management Console user has been deprecated. For details, see the "Security fixes" section of these release notes. Existing users with the editor role will be unable to log in to the Management Console, and should contact their site administrator requesting that access be reinstated by updating the user to the operator role if appropriate.
known_issues:
- |
Custom firewall rules are removed during the upgrade process.
- |
During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start.
- |
If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. For more information, see [AUTOTITLE](/admin/configuration/administering-your-instance-from-the-management-console/troubleshooting-access-to-the-management-console#unlocking-the-root-site-administrator-account).
- |
If an instance is configured to forward logs to a target server with TLS enabled, certificate authority (CA) bundles that a site administrator uploads using `ghe-ssl-ca-certificate-install` are not respected, and connections to the server fail.
- |
The `mbind: Operation not permitted` error in the `/var/log/mysql/mysql.err` file can be ignored. MySQL 8 does not gracefully handle when the `CAP_SYS_NICE` capability isn't required, and outputs an error instead of a warning.
- |
{% data reusables.release-notes.2023-11-aws-system-time %}
- |
On an instance with the HTTP `X-Forwarded-For` header configured for use behind a load balancer, all client IP addresses in the instance's audit log erroneously appear as 127.0.0.1.
- |
{% data reusables.release-notes.2023-10-git-push-made-but-not-registered %}
- |
{% data reusables.release-notes.large-adoc-files-issue %}
- |
{% data reusables.release-notes.2023-12-backup-utils-exit-early-redis %}
- |
{% data reusables.release-notes.2024-01-haproxy-upgrade-causing-increased-errors %}
- |
Repositories originally imported using ghe-migrator will not correctly track Advanced Security contributions.
- |
{% data reusables.release-notes.2024-06-possible-frontend-5-minute-outage-during-hotpatch-upgrade %} [Updated: 2024-06-17]
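Review bot: the CVE-2024-3470 entry in the security_fixes section links to `https://nvd.nist.gov/vuln/detail/CVE-2023-3470`, a different identifier from the one in the link text, and the CVE-2024-3646 and CVE-2024-3684 entries link to different sources (cve.org versus nvd.nist.gov). The file is being deleted, so this only matters if the content is carried into an archive; in that case point the 3470 link at CVE-2024-3470 and use one CVE source consistently.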

View File

@@ -1,60 +0,0 @@
date: '2024-05-08'
sections:
security_fixes:
- |
Firewall port 9199, which linked to a static maintenance page used when enabling maintenance mode with an IP exception list, was opened unnecessarily.
- |
As a result of a security vulnerability, the editor role for a Management Console user has been deprecated in the Manage GitHub Enterprise Server API.
- |
Packages have been updated to the latest security versions.
bugs:
- |
Running `ghe-repl-node -d` did not validate value length in order to prevent values longer than 20 characters.
- |
On an instance in a cluster configuration with high availability enabled, `ghe-repl-setup` did not successfully complete on a replica due to a missing key.
- |
For an instance in a cluster configuration, during the migration phase of a configuration run, the process of copying configuration updates to all nodes would fail.
- |
An LDAP-related error message was incorrectly displayed at the enterprise and organization levels.
- |
On an instance with Dependabot enabled, a misconfiguration caused jobs to be added to the `hydro_update_rule_override_for_repository_visibility_change_event` queue but not processed.
- |
An incorrect job queue mapping caused the `hydro_advanced_security_archived_status_changed` queue to constantly grow.
- |
External collaborators with read-only access were able to run workflows on their pull requests from private forks without approval.
- |
On an instance with a GitHub Advanced Security license, custom pattern matches were incorrectly filtered during post-scan filtering.
changes:
- |
To aid in understanding the CPU/memory utilization of secret scanning processes, the binary names of nomad workers were updated to differentiate between the different types of secret scanning jobs.
- |
A more specific error message is shown when the `ghe-repl-node` command is run on an instance not configured for high availability.
- |
The SCIM private beta has resumed with support from GitHub engineering in GitHub Enterprise Server version 3.11 and later. Site administrators can provision users and groups on a GitHub Enterprise Server instance automatically with SCIM. SCIM for GitHub Enterprise Server is in private beta and subject to change. For more information, see [AUTOTITLE](/admin/identity-and-access-management/using-saml-for-enterprise-iam/configuring-user-provisioning-with-scim-for-your-enterprise) and [AUTOTITLE](/rest/enterprise-admin/scim) in the REST API documentation.
known_issues:
- |
Custom firewall rules are removed during the upgrade process.
- |
During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start.
- |
If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. For more information, see [AUTOTITLE](/admin/configuration/administering-your-instance-from-the-management-console/troubleshooting-access-to-the-management-console#unlocking-the-root-site-administrator-account).
- |
If an instance is configured to forward logs to a target server with TLS enabled, certificate authority (CA) bundles that a site administrator uploads using `ghe-ssl-ca-certificate-install` are not respected, and connections to the server fail.
- |
The `mbind: Operation not permitted` error in the `/var/log/mysql/mysql.err` file can be ignored. MySQL 8 does not gracefully handle when the `CAP_SYS_NICE` capability isn't required, and outputs an error instead of a warning.
- |
{% data reusables.release-notes.2023-11-aws-system-time %}
- |
On an instance with the HTTP `X-Forwarded-For` header configured for use behind a load balancer, all client IP addresses in the instance's audit log erroneously appear as 127.0.0.1.
- |
{% data reusables.release-notes.2023-10-git-push-made-but-not-registered %}
- |
{% data reusables.release-notes.large-adoc-files-issue %}
- |
{% data reusables.release-notes.2023-12-backup-utils-exit-early-redis %}
- |
{% data reusables.release-notes.2024-01-haproxy-upgrade-causing-increased-errors %}
- |
Repositories originally imported using ghe-migrator will not correctly track Advanced Security contributions.
- |
{% data reusables.release-notes.2024-06-possible-frontend-5-minute-outage-during-hotpatch-upgrade %} [Updated: 2024-06-17]
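Review bot: `ghe-migrator` in the last known_issues entry is plain text, unlike `ghe-repl-node`, `ghe-repl-setup` and the other command names in this file, which are in code formatting. If this release note is preserved anywhere after the deletion, write it as `ghe-migrator` for consistency; otherwise the removal is in line with dropping the 3.11 series.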

View File

@@ -1 +1 @@
github/codeql-action/analyze{% ifversion codeql-action-node16-deprecated %}@v3{% else %}@v2{% endif %}
github/codeql-action/analyze@v3
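Review bot: dropping the `{% ifversion codeql-action-node16-deprecated %}` branch in favour of `@v3` is only correct if every version that remains after 3.11 is deprecated has that feature enabled; the autobuild, init and upload-sarif reusables below receive the same edit. Check that the `codeql-action-node16-deprecated` feature definition and any remaining references to it are removed in the same change, otherwise a dead feature flag lingers in the versioning data.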

View File

@@ -1 +1 @@
github/codeql-action/autobuild{% ifversion codeql-action-node16-deprecated %}@v3{% else %}@v2{% endif %}
github/codeql-action/autobuild@v3

View File

@@ -1 +1 @@
github/codeql-action/init{% ifversion codeql-action-node16-deprecated %}@v3{% else %}@v2{% endif %}
github/codeql-action/init@v3

View File

@@ -1 +1 @@
github/codeql-action/upload-sarif{% ifversion codeql-action-node16-deprecated %}@v3{% else %}@v2{% endif %}
github/codeql-action/upload-sarif@v3

View File

@@ -14,9 +14,9 @@
| {% endif %} |
| `business_advanced_security` | Contains activities related to {% data variables.product.prodname_GH_advanced_security %} in an enterprise. |
| `business_secret_scanning` | Contains activities related to {% data variables.product.prodname_secret_scanning %} in an enterprise. |
| {% ifversion secret-scanning-validity-check-audit-log %} |
| |
| `business_secret_scanning_automatic_validity_checks` | Contains activities related to enabling or disabling automatic validity checks for {% data variables.product.prodname_secret_scanning %} in an enterprise. |
| {% endif %} |
| |
| {% ifversion secret-scanning-audit-log-custom-patterns %} |
| `business_secret_scanning_custom_pattern` | Contains activities related to custom patterns for {% data variables.product.prodname_secret_scanning %} in an enterprise. |
| {% endif %} |
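Review bot: the `{% ifversion secret-scanning-validity-check-audit-log %}` and matching `{% endif %}` rows around the `business_secret_scanning_automatic_validity_checks` entry look to be replaced by `| |` lines, which render as empty rows in the Markdown table rather than vanishing; the @@ -85 hunk (`org_secret_scanning_automatic_validity_checks`) and the @@ -130 hunk (`repository_secret_scanning_automatic_validity_checks`) make the same substitution. Delete the conditional lines outright in all three tables instead of leaving blank rows behind.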
@@ -85,9 +85,9 @@
| {% ifversion ghec or ghes %} |
| `org_credential_authorization` | Contains activities related to authorizing credentials for use with SAML single sign-on. |
| {% endif %} |
| {% ifversion secret-scanning-validity-check-audit-log %} |
| |
| `org_secret_scanning_automatic_validity_checks` | Contains activities related to enabling or disabling automatic validity checks for {% data variables.product.prodname_secret_scanning %} in an organization. For more information, see [AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#allowing-validity-checks-for-partner-patterns-in-an-organization). |
| {% endif %} |
| |
| {% ifversion secret-scanning-audit-log-custom-patterns %} |
| `org_secret_scanning_custom_pattern` | Contains activities related to custom patterns for {% data variables.product.prodname_secret_scanning %} in an organization. For more information, see [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning). |
| {% endif %} |
@@ -130,9 +130,9 @@
| {% ifversion ghec or ghes %} |
| `repository_secret_scanning` | Contains repository-level activities related to {% data variables.product.prodname_secret_scanning %}. For more information, see [AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning). |
| {% endif %} |
| {% ifversion secret-scanning-validity-check-audit-log %} |
| |
| `repository_secret_scanning_automatic_validity_checks` | Contains activities related to enabling or disabling automatic validity checks for {% data variables.product.prodname_secret_scanning %} in a repository. For more information, see [AUTOTITLE](/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository). |
| {% endif %} |
| |
| {% ifversion secret-scanning-audit-log-custom-patterns %} |
| `repository_secret_scanning_custom_pattern` | Contains activities related to {% data variables.product.prodname_secret_scanning %} custom patterns in a repository. For more information, see [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning). |
| {% endif %} |

View File

@@ -1,6 +1,3 @@
{% ifversion codeql-cli-threat-models %}
> [!NOTE]
> Threat models are currently in {% data variables.release-phases.public_preview %} and subject to change. During the {% data variables.release-phases.public_preview %}, threat models are supported only by analysis for {% data variables.code-scanning.code_scanning_threat_model_support %}.
{% endif %}
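Review bot: removing `{% ifversion codeql-cli-threat-models %}` makes this public preview note render unconditionally, so it now also appears for the oldest version still documented. Confirm threat-model support exists in every remaining version and that `codeql-cli-threat-models` is cleaned out of the feature data; the note's own wording ("currently in public preview") is version-neutral and can stay as written.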

View File

@@ -1,4 +1,3 @@
{% ifversion codeql-language-identifiers-311 %}
| Language | Identifier | Optional alternative identifiers (if any)
|------------------|------------------- | ---------------
@@ -18,18 +17,3 @@
> [!NOTE]
> If you specify one of the alternative identifiers, this is equivalent to using the standard language identifier. For example, specifying `javascript` instead of `javascript-typescript` will not exclude analysis of TypeScript code. You can do this in an advanced setup workflow with the `--paths-ignore` option. For more information, see [AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#specifying-directories-to-scan).
{% else %}
| Language | Identifier
|------------------|-------------------
| C/C++ | `cpp`
| C# | `csharp`
| Go | `go`
| Java/Kotlin | `java`
| JavaScript/TypeScript | `javascript`
| Python | `python`
| Ruby | `ruby`
| Swift | `swift`
{% endif %}
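Review bot: deleting the `{% else %}` table removes the only place that listed the legacy identifiers `cpp`, `java` and `javascript`. The retained table's "Optional alternative identifiers (if any)" column and the note at line 17 are now the sole carriers of that mapping, so check that each legacy name appears there as an alternative; otherwise readers migrating older workflows lose the correspondence to `c-cpp`, `java-kotlin` and `javascript-typescript`.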

View File

@@ -11,7 +11,7 @@
> [!NOTE]
>
> * Use {% ifversion codeql-language-identifiers-311 %}`java-kotlin`{% else %}`java`{% endif %} to analyze code written in Java, Kotlin or both.
> * Use {% ifversion codeql-language-identifiers-311 %}`javascript-typescript`{% else %}`javascript`{% endif %} to analyze code written in JavaScript, TypeScript or both.
> * Use `java-kotlin` to analyze code written in Java, Kotlin or both.
> * Use `javascript-typescript` to analyze code written in JavaScript, TypeScript or both.
For more information, see the documentation on the {% data variables.product.prodname_codeql %} website: [Supported languages and frameworks](https://codeql.github.com/docs/codeql-overview/supported-languages-and-frameworks/).

View File

@@ -1 +1 @@
{% ifversion codeql-language-identifiers-311 %}`c-cpp`, `csharp`, `go`, `java-kotlin`, `javascript-typescript`, `python`, `ruby`, and `swift`{% else %}`cpp`, `csharp`, `go`, `java`, `javascript`, `python`, `ruby`, and `swift`{% endif %}
`c-cpp`, `csharp`, `go`, `java-kotlin`, `javascript-typescript`, `python`, `ruby`, and `swift`

View File

@@ -4,6 +4,6 @@ The following `qlpack.yml` file states that `my-github-user/my-query-tests` depe
name: my-github-user/my-query-tests
dependencies:
my-github-user/my-custom-queries: ^1.2.3
extractor: {% ifversion codeql-language-identifiers-311 %}java-kotlin{% else %}java{% endif %}
extractor: java-kotlin
tests: .
```

View File

@@ -1,6 +1,3 @@
{% ifversion dependabot-auto-triage-rules %}
> [!NOTE]
> When {% data variables.product.prodname_dependabot_security_updates %} are enabled for a repository, {% data variables.product.prodname_dependabot %} will automatically try to open pull requests to resolve **every** open {% data variables.product.prodname_dependabot %} alert that has an available patch. If you prefer to customize which alerts {% data variables.product.prodname_dependabot %} opens pull requests for, you should leave {% data variables.product.prodname_dependabot_security_updates %} **disabled** and create an auto-triage rule. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-auto-triage-rules/customizing-auto-triage-rules-to-prioritize-dependabot-alerts).
{% endif %}
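Review bot: with `{% ifversion dependabot-auto-triage-rules %}` gone, this note renders for every version that still ships these docs. It instructs readers to leave security updates disabled and create an auto-triage rule, which is misleading advice on any version where auto-triage rules are not available, so verify the feature is present in every remaining version before making the note unconditional.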

View File

@@ -1 +1 @@
Sometimes, due to a misconfiguration or an incompatible version, you might see that a {% data variables.product.prodname_dependabot %} run has failed. After {% ifversion dependabot-updates-failure-15-skip-schedule %}15 {% elsif ghes < 3.13 %}30 {% endif %}failed runs, {% data variables.product.prodname_dependabot_version_updates %} will skip subsequent scheduled runs until you manually trigger a check for updates from the dependency graph{% ifversion dependabot-updates-deprecate-rerun-failed-jobs %}{% else %}, or you update the manifest file{% endif %}. {% data variables.product.prodname_dependabot_security_updates %} will still run as usual.
Sometimes, due to a misconfiguration or an incompatible version, you might see that a {% data variables.product.prodname_dependabot %} run has failed. After {% ifversion dependabot-updates-failure-15-skip-schedule %}15 {% elsif ghes < 3.13 %}30 {% endif %}failed runs, {% data variables.product.prodname_dependabot_version_updates %} will skip subsequent scheduled runs until you manually trigger a check for updates from the dependency graph. {% data variables.product.prodname_dependabot_security_updates %} will still run as usual.
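Review bot: the retained liquid `{% ifversion dependabot-updates-failure-15-skip-schedule %}15 {% elsif ghes < 3.13 %}30 {% endif %}` has no `else` branch, so on any version where neither condition holds the sentence renders as "After failed runs" with the number missing; with 3.11 gone, the `ghes < 3.13` branch now covers 3.12 only. Either add an `else` or confirm that the feature flag covers every version at or above 3.13.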

View File

@@ -1,11 +1,3 @@
1. Under your repository or organization name, click **{% octicon "comment-discussion" aria-hidden="true" %} Discussions**.
{% ifversion global-nav-update %}
![Screenshot of the tabs in a {% data variables.product.company_short %} repository. The "Discussions" option is outlined in dark orange.](/assets/images/help/discussions/repository-discussions-tab-global-nav-update.png)
{% else %}
![Screenshot of the tabs in a {% data variables.product.company_short %} repository. The "Discussions" option is outlined in dark orange.](/assets/images/help/discussions/repository-discussions-tab.png)
{% endif %}
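Review bot: the hunk header (-1,11 +1,3) shows the `{% ifversion global-nav-update %}` / `{% else %}` pair collapsed to a single screenshot, but the rendered diff does not show which of the two image paths survives. Confirm the retained path is `repository-discussions-tab-global-nav-update.png` and that the now-unreferenced `repository-discussions-tab.png` is deleted from `/assets/images/help/discussions/`; the org-settings and public-repo-settings hunks below need the same check.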

View File

@@ -2,16 +2,8 @@
1. Under your organization name, click {% octicon "gear" aria-label="The gear icon" %}
**Settings**.
{% ifversion global-nav-update %}
![Screenshot of the tabs in an organization's profile. The "Settings" tab is outlined in dark orange.](/assets/images/help/discussions/org-settings-global-nav-update.png)
{% else %}
![Screenshot of the tabs in an organization's profile. The "Settings" tab is outlined in dark orange.](/assets/images/help/discussions/org-settings.png)
{% endif %}
1. Under "Discussions", select **Enable discussions for this organization**.
1. Use the dropdown menu to select a repository to use as the source repository for your organization discussions.
1. Click **Save**.

View File

@@ -4,14 +4,6 @@ You can enable or disable {% data variables.product.prodname_discussions %} for
1. Under your repository name, click {% octicon "gear" aria-label="The gear icon" %}
**Settings**.
{% ifversion global-nav-update %}
![Screenshot of the tabs in a {% data variables.product.company_short %} repository. The "Settings" option is outlined in dark orange.](/assets/images/help/discussions/public-repo-settings-global-nav-update.png)
{% else %}
![Screenshot of the tabs in a {% data variables.product.company_short %} repository. The "Settings" option is outlined in dark orange.](/assets/images/help/discussions/public-repo-settings.png)
{% endif %}
1. Scroll down to the "Features" section and select **Discussions**.

View File

@@ -1 +1 @@
For more information, see the [Deprecations](/admin/release-notes#{{ allVersions[currentVersion].currentRelease }}.{% ifversion ghes = 3.10 %}4{% elsif ghes = 3.11 %}1{% endif %}-deprecations) section in the release notes.
For more information, see the [Deprecations](/admin/release-notes#{{ allVersions[currentVersion].currentRelease }}.-deprecations) section in the release notes.
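Review bot: once the `{% ifversion ghes = 3.10 %}4{% elsif ghes = 3.11 %}1{% endif %}` fragment is removed, the link target becomes `/admin/release-notes#{{ allVersions[currentVersion].currentRelease }}.-deprecations`, so the anchor renders with a dangling dot and no patch number (for example `3.12.-deprecations`) and will not resolve to any heading. Since both versions the reusable covered are now deprecated, either supply the patch-release number for each remaining version or remove the reusable together with its call sites.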

Some files were not shown because too many files have changed in this diff.