Co-authored-by: Peter Bengtsson <peterbe@github.com> Co-authored-by: Evan Bonsignori <ebonsignori@github.com>
503 lines
45 KiB
YAML
date: '2023-03-07'
release_candidate: false
deprecated: false
intro: |
  For upgrade instructions, see "[AUTOTITLE](/admin/enterprise-management/updating-the-virtual-machine-and-physical-resources/upgrading-github-enterprise-server)."

sections:
  features:
    - heading: Projects beta
      notes:
        # https://github.com/github/docs-content/issues/8857
        - |
          Projects, the flexible tool for planning and tracking work on GitHub Enterprise Server, is now available as a beta. A project is an adaptable spreadsheet that integrates issues and pull requests to help users plan and track work effectively. Users can create and customize multiple views, and each view can filter, sort, and group issues and pull requests. Users can also define custom fields to track the unique metadata for a team or project, allowing customization for any needs or processes. This feature is subject to change. For more information, see "[AUTOTITLE](/issues/planning-and-tracking-with-projects/learning-about-projects/about-projects)."
    - heading: Instance administration
      notes:
        # https://github.com/github/releases/issues/2701
        - |
          Site administrators can improve the security of an instance by creating dedicated user accounts for the Management Console. Only the root site administrator can create user accounts. To control access for the user accounts, assign either the editor or operator role. Operators can manage administrative SSH access for the instance. For more information, see "[Managing access to the Management Console](/admin/configuration/administering-your-instance-from-the-management-console/managing-access-to-the-management-console)."

        # https://github.com/github/releases/issues/2759
        - |
          To establish or comply with internal policies, site administrators can use the Management Console to configure an instance's policy for retention of data related to checks, including checks data generated by GitHub Actions and the Statuses API. Administrators can enable or disable retention, set a custom retention threshold, or set a custom hard-delete threshold.
          For more information, see "[Configuring applications](/admin/configuration/configuring-your-enterprise/configuring-applications)." [Updated: 2023-03-02]

        # https://github.com/github/releases/issues/2814
        - |
          When generating support bundles using the `ghe-support-bundle` command-line utility, site administrators can specify the exact duration to use for collection of data in the bundle. For more information, see "[Command-line utilities](/admin/configuration/configuring-your-enterprise/command-line-utilities#ghe-support-bundle)."
    - heading: Identity and access management
      notes:
        # https://github.com/github/releases/issues/2681
        - |
          Users can review and revoke both browser and GitHub Mobile sessions for a GitHub Enterprise Server instance. For more information, see "[Viewing and managing your sessions](/authentication/keeping-your-account-and-data-secure/viewing-and-managing-your-sessions)."
    - heading: Policies
      notes:
        # https://github.com/github/docs-content/issues/7661
        - |
          Enterprise owners can configure whether repository administrators can enable or disable Dependabot alerts. On instances with a GitHub Advanced Security license, enterprise owners can also set policies to control whether repository administrators can enable GitHub Advanced Security features or secret scanning. For more information, see "[Enforcing policies for code security and analysis for your enterprise](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-code-security-and-analysis-for-your-enterprise)."
    - heading: Audit logs
      notes:
        # https://github.com/github/releases/issues/2665
        - |
          Enterprise and organization owners can support adherence to the principle of least privilege by granting access to audit log endpoints without providing full administrative privileges. To provide this access, {% data variables.product.pat_generic_plural %} and OAuth apps now support the `read:audit_log` scope. For more information, see "[Using the audit log API for your enterprise](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/using-the-audit-log-api-for-your-enterprise)."

        # https://github.com/github/releases/issues/2676
        - |
          Enterprise owners can more easily detect and trace activity associated with authentication tokens by viewing token data in audit log events. For more information, see "[Identifying audit log events performed by an access token](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/identifying-audit-log-events-performed-by-an-access-token)."

        # https://github.com/github/releases/issues/2587
        - |
          Enterprise owners can configure audit log streaming to a Datadog endpoint. For more information, see "[Streaming the audit log for your enterprise](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-streaming-to-datadog)."
    - heading: GitHub Advanced Security
      notes:
        # https://github.com/github/releases/issues/2644
        - |
          Enterprise owners on an instance with a GitHub Advanced Security license can view changes to GitHub Advanced Security, secret scanning, and push protection enablement in the audit log. Organization owners can view changes to custom messages for push protection in the audit log. For more information, see the following documentation.

          - "[`business_secret_scanning` category actions](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#business_secret_scanning-category-actions)," "[`business_secret_scanning_push_protection` category actions](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#business_secret_scanning_push_protection-category-actions)," and "[`business_secret_scanning_push_protection_custom_message` category actions](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#business_secret_scanning_push_protection_custom_message-category-actions)" in "Audit log events for your enterprise"
          - "[Reviewing the audit log for your organization](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#org-category-actions)"

        # https://github.com/github/releases/issues/2647
        - |
          Enterprise owners on an instance with a GitHub Advanced Security license can ensure compliance and simplify the rollout of secret scanning and push protection to all organizations on the instance using the REST API. This endpoint supplements the existing web UI, as well as the endpoints for repositories and organizations. For more information, see "[Code security and analysis](/rest/enterprise-admin/code-security-and-analysis?apiVersion=2022-11-28)" in the REST API documentation.

        # https://github.com/github/releases/issues/2647
        # https://github.com/github/releases/issues/2669
        - |
          Enterprise and organization owners who use secret scanning on an instance with a GitHub Advanced Security license can use the REST API to specify a custom link to display when push protection blocks a push containing a secret. For more information, see "[Code security and analysis](/rest/enterprise-admin/code-security-and-analysis?apiVersion=2022-11-28)" or "[Organizations](/rest/orgs/orgs?apiVersion=2022-11-28#update-an-organization)" in the REST API documentation.

        # https://github.com/github/releases/issues/2386
        - |
          Users on an instance with a GitHub Advanced Security license who dismiss a secret scanning alert can help other users understand the reason for dismissal by providing an optional comment using the web UI or REST API. For more information, see the following documentation.

          - "[Managing alerts from secret scanning](/code-security/secret-scanning/managing-alerts-from-secret-scanning)"
          - "[Secret scanning](/rest/secret-scanning?apiVersion=2022-11-28#update-a-secret-scanning-alert)" in the REST API documentation
        # https://github.com/github/releases/issues/2777
        - |
          Users on an instance with a GitHub Advanced Security license can filter results from the Code Scanning API based on alert severity at either the repository or organization levels. Use the `severity` parameter to return only code scanning alerts with a specific severity. For more information, see "[Code Scanning](/rest/code-scanning?apiVersion=2022-11-28#list-code-scanning-alerts-for-a-repository)" in the REST API documentation.

        # https://github.com/github/releases/issues/2509
        # https://github.com/github/releases/issues/2703
        - |
          Users on an instance with a GitHub Advanced Security license can analyze two additional languages for vulnerabilities and errors using CodeQL code scanning. Support for Ruby is generally available, and support for Kotlin is in beta and subject to change.

          - Ruby analysis can detect more than twice the number of common weaknesses (CWEs) it could detect during beta. A total of 30 rules can identify a range of vulnerabilities, including cross-site scripting (XSS), regular expression denial-of-service (ReDoS), SQL injection, and more. Additional library and framework coverage for Ruby on Rails ensures that web service developers get even more precise results. GitHub Enterprise Server supports all common Ruby versions, up to and including 3.1.
          - Kotlin support is an extension of existing Java support, and benefits from the [existing CodeQL queries for Java](https://codeql.github.com/codeql-query-help/java/), which apply to both mobile and server-side applications. GitHub has also improved and added a range of mobile-specific queries, covering issues such as handling of Intents, WebView validation problems, fragment injection, and more.

          For more information about code scanning, see "[About code scanning with CodeQL](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning-with-codeql)."

        # https://github.com/github/docs-content/issues/8424
        - |
          Users on an instance with a GitHub Advanced Security license who use CodeQL code scanning can customize the build configuration for Go analysis within the GitHub Actions workflow file. Existing CodeQL workflows for Go analysis require no changes, and will continue to be supported. For more information, see "[Configuring the CodeQL workflow for compiled languages](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-the-codeql-workflow-for-compiled-languages#adding-build-steps-for-a-compiled-language)."
    - heading: Dependabot
      notes:
        # https://github.com/github/releases/issues/2738
        # https://github.com/github/releases/issues/2739
        - |
          To improve code security and simplify the process of updating vulnerable dependencies, more users can receive automatic pull requests with dependency updates.

          - GitHub Actions authors can automatically update dependencies within workflow files.
          - Dart or Flutter developers who use Pub can automatically update dependencies within their projects.

          For more information, see "[About Dependabot security updates](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates)."

        # https://github.com/github/releases/issues/2438
        # https://github.com/github/releases/issues/2553
        - |
          Dart and JavaScript developers on an instance with the dependency graph enabled can receive Dependabot alerts for known vulnerabilities within a project's dependencies.

          - For Dart, the dependency graph detects `pubspec.lock` and `pubspec.yaml` files.
          - JavaScript developers who use Node.js and npm can receive alerts for known vulnerabilities within Yarn v2 and v3 manifests. This supplements the existing support for v1 manifests. The dependency graph detects `package.json` and `yarn.lock` files.

          For more information, see the following articles.

          - "[About the dependency graph](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph)"
          - "[Browsing security advisories in the GitHub Advisory Database](/code-security/security-advisories/global-security-advisories/browsing-security-advisories-in-the-github-advisory-database#about-the-github-advisory-database)"
          - "[About Dependabot alerts](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts)"
        # https://github.com/github/releases/issues/2554
        - |
          Python developers who use supported package managers on an instance with the dependency graph enabled can receive Dependabot alerts for dependencies within `pyproject.toml` files that follow the [PEP 621 standard](https://peps.python.org/pep-0621/). For more information, see "[About Dependabot version updates](/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates#supported-repositories-and-ecosystems)."

        # https://github.com/github/releases/issues/2645
        - |
          Python developers who receive Dependabot alerts can reduce the number of version updates when a current dependency requirement is already satisfied by a new version. To configure this behavior, use the `increase-if-necessary` versioning strategy. For more information, see "[Configuration options for the dependabot.yml file](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#versioning-strategy)."

        # https://github.com/github/releases/issues/2591
        - |
          Enterprise owners can retrieve Dependabot alerts for the instance using the REST API. This endpoint is in beta and subject to change. For more information, see "[Dependabot alerts](/rest/dependabot/alerts?apiVersion=2022-11-28)" in the REST API documentation.

        # https://github.com/github/releases/issues/2590
        - |
          Organization owners can retrieve Dependabot alerts for the organization using the REST API. This endpoint is in beta and subject to change. For more information, see "[Dependabot alerts](/rest/dependabot/alerts?apiVersion=2022-11-28)."

        # https://github.com/github/releases/issues/2323
        - |
          Users can programmatically view and act on Dependabot alerts using the REST API. New endpoints to view, list, and update Dependabot alerts are available in beta. These endpoints are subject to change. For more information, see "[Dependabot alerts](/rest/dependabot/alerts?apiVersion=2022-11-28)" in the REST API documentation.
    - heading: Code security
      notes:
        # https://github.com/github/releases/issues/2706
        # https://github.com/github/releases/issues/2768
        # https://github.com/github/releases/issues/2770
        - |
          To increase visibility into security posture and improve risk analysis, users can access coverage and risk views within the security overview. The coverage view shows enablement across repositories, while the risk view surfaces alerts across repositories. Organization owners, security managers, and repository administrators on an instance with a GitHub Advanced Security license can enable security features from the security overview's coverage view. The views replace the "Overview" page, and are in public beta and subject to change. For more information, see "[About the security overview](/code-security/security-overview/about-the-security-overview)."

        # https://github.com/github/releases/issues/2713
        - |
          Contributors can define a repository's security policy by creating a `SECURITY.md` file. To increase the policy's visibility, GitHub Enterprise Server will link to the policy from the repository's {% octicon "code" aria-label="The code icon" %} **Code** tab. For more information, see "[Adding a security policy to your repository](/code-security/getting-started/adding-a-security-policy-to-your-repository)."

        # https://github.com/github/releases/issues/2440
        - |
          The Dependency review API is generally available, and the associated GitHub Action now allows users to reference a local or external configuration file. For more information, see the following documentation.

          - "[Dependency review](/rest/dependency-graph/dependency-review?apiVersion=2022-11-28)" in the REST API documentation
          - "[Configuring dependency review](/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-dependency-review#about-configuring-the-dependency-review-action)"

        # https://github.com/github/releases/issues/2787
        - |
          The GraphQL API provides access to a repository's dependency graph. This feature is in preview and subject to change. For more information, see "[Objects](/graphql/reference/objects#dependencygraphdependency)" in the GraphQL API documentation.
    - heading: GitHub Actions
      notes:
        # https://github.com/github/releases/issues/2730
        - |
          During configuration of storage for GitHub Actions, site administrators can avoid risks associated with the input of sensitive secrets and access keys by using OIDC to connect to object storage providers. GitHub Actions on GitHub Enterprise Server supports OIDC for connections to AWS, Azure, and Google Cloud Platform. This feature is in beta and subject to change. For more information, see "[Enabling GitHub Actions for GitHub Enterprise Server](/admin/github-actions/enabling-github-actions-for-github-enterprise-server)."

        # https://github.com/github/releases/issues/2618
        - |
          To prevent untrusted logging of data from the `save-state` and `set-output` workflow commands, action authors can use environment files for the management of state and output.

          - To use this feature, the runner application must be version 2.297.0 or later. Versions 2.298.2 and later will warn users who use the `save-state` or `set-output` commands. These commands will be fully disabled in a future release.
          - To use the updated `saveState` and `setOutput` functions, workflows using the GitHub Actions Toolkit must call `@actions/core` v1.10.0 or later.

          For more information, see "[Workflow commands for GitHub Actions](/actions/using-workflows/workflow-commands-for-github-actions#environment-files)."

        # https://github.com/github/releases/issues/2293
        - |
          The ability to share actions and reusable workflows from private repositories is generally available. Users can share workflows in a private repository with other private repositories owned by the same organization or user account, or with all private repositories on the instance. For more information, see the following documentation.

          - "[Managing GitHub Actions settings for a repository](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#allowing-access-to-components-in-a-private-repository)"
          - "[GitHub Actions Permissions](/rest/actions/permissions?apiVersion=2022-11-28#get-the-level-of-access-for-workflows-outside-of-the-repository)" in the REST API documentation
        # https://github.com/github/releases/issues/2694
        - |
          Users can improve workflow readability and avoid the need to store non-sensitive configuration data as encrypted secrets by defining configuration variables, which allow reuse across workflows in a repository or organization. This feature is in beta and subject to change. For more information, see "[Variables](/actions/learn-github-actions/variables#defining-configuration-variables-for-multiple-workflows)."

        # https://github.com/github/releases/issues/2517
        - |
          Users can dynamically name workflow runs. `run-name` accepts expressions, and the dynamic name appears in the list of workflow runs. For more information, see "[Workflow syntax for GitHub Actions](/actions/using-workflows/workflow-syntax-for-github-actions#run-name)."

        # https://github.com/github/releases/issues/2616
        - |
          Users can prevent a job from running on a runner outside the intended group by defining the names of the intended runner groups for a workflow within the `runs-on` key.

          ```yaml
          runs-on:
            group: my-group
            labels: [ self-hosted, label-1 ]
          ```

          Additionally, GitHub Enterprise Server will no longer allow the creation of runner groups with identical names at the organization and enterprise level. A warning banner will appear for any runner groups within an organization that share a name with a runner group for the enterprise.
        # https://github.com/github/releases/issues/2693
        - |
          Users can enforce standard CI/CD practices across all of an organization's repositories by defining required workflows. These workflows are triggered as required status checks for all pull requests that target repositories' default branch, which blocks merging until the check passes. This feature is in beta and subject to change. For more information, see "[Required workflows](/actions/using-workflows/required-workflows)."

        # https://github.com/github/releases/issues/2655
        - |
          To enable standardization of OIDC configurations across cloud deployment workflows, organization owners and repository administrators can configure the `subject` claim format within OIDC tokens by defining a custom template. For more information, see "[About security hardening with OpenID Connect](/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#customizing-the-subject-claims-for-an-organization-or-repository)."

        # https://github.com/github/releases/issues/2571
        - |
          To enable more transparency and control over cache usage within repositories, users who cache dependencies and other reused files with `actions/cache` can manage caches from the instance's web UI. For more information, see "[Caching dependencies to speed up workflows](/actions/using-workflows/caching-dependencies-to-speed-up-workflows#managing-caches)."
    - heading: Community experience
      notes:
        # https://github.com/github/releases/issues/2536
        - |
          Users can set expectations surrounding availability by displaying a local timezone within their profiles. People who view the user's profile or hovercard will see the timezone, as well as how many hours behind or ahead they are of the user's local time. For more information, see "[Personalizing your profile](/account-and-profile/setting-up-and-managing-your-github-profile/customizing-your-profile/personalizing-your-profile#setting-your-location-and-time-zone)."
    - heading: GitHub Discussions
      notes:
        # https://github.com/github/releases/issues/2672
        - |
          To improve discoverability, GitHub Discussions features the following improvements.

          - Repository owners can pin discussions to a specific category.
          - Category titles and descriptions are displayed on the category's page.
    - heading: Organizations
      notes:
        # https://github.com/github/releases/issues/2418
        - |
          To manage how organization members fork repositories, organization owners can set a dedicated forking policy for any organization. This policy must be stricter than a forking policy set for the enterprise. For more information, see "[Managing the forking policy for your organization](/organizations/managing-organization-settings/managing-the-forking-policy-for-your-organization)."

        # https://github.com/github/releases/issues/2539
        - |
          Organization owners can improve organization security by preventing outside collaborators from requesting the installation of GitHub and OAuth apps. For more information, see "[Limiting OAuth App and GitHub App access requests](/organizations/managing-organization-settings/limiting-oauth-app-and-github-app-access-requests)."
    - heading: Repositories
      notes:
        # https://github.com/github/releases/issues/2175
        - |
          To avoid providing full administrative access to a repository when unnecessary, repository administrators can create a custom role that allows users to bypass branch protections. To enforce branch protections for all users with administrative access or bypass permissions, administrators can enable **Do not allow bypassing the above settings**. For more information, see "[Managing custom repository roles for an organization](/organizations/managing-peoples-access-to-your-organization-with-roles/managing-custom-repository-roles-for-an-organization#repository)" and "[About protected branches](/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#do-not-allow-bypassing-the-above-settings)."

        # https://github.com/github/releases/issues/2626
        - |
          Repository administrators can ensure the security and stability of branches by locking the branch. For more information, see "[About protected branches](/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#lock-branch)."

        # https://github.com/github/releases/issues/2666
        - |
          In scenarios where someone should review code within a GitHub Actions workflow before the workflow runs, repository administrators can require approval from a user with write access to the repository before a workflow run can be triggered from a private fork. For more information, see "[Managing GitHub Actions settings for a repository](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#enabling-workflows-for-forks-of-private-repositories)."
    - heading: Issues
      notes:
        # https://github.com/github/releases/issues/2018
        - |
          The GraphQL API supports creation and removal of the link between a branch and an issue. For more information, see the following documentation.

          - "[Creating a branch to work on an issue](/issues/tracking-your-work-with-issues/creating-a-branch-for-an-issue)"
          - "[createLinkedBranch](/graphql/reference/mutations#createlinkedbranch)" and "[deleteLinkedBranch](/graphql/reference/mutations#deletelinkedbranch)" in the "Mutations" GraphQL API documentation
          - "[Objects](/graphql/reference/objects#issue)" in the GraphQL API documentation
    - heading: Releases
      notes:
        # https://github.com/github/releases/issues/2584
        - |
          Users can mark a specific release within a repository as the latest release using the web UI, REST API, or GraphQL API. For more information, see the following documentation.

          - "[Managing releases in a repository](/repositories/releasing-projects-on-github/managing-releases-in-a-repository)"
          - "[Releases](/rest/releases/releases?apiVersion=2022-11-28#create-a-release)" in the REST API documentation
          - "[Objects](/graphql/reference/objects#release)" in the GraphQL API documentation
    - heading: Integrations
      notes:
        # https://github.com/github/releases/issues/2625
        - |
          Users can save time and switch context less often by receiving and acting on real-time updates about GitHub Enterprise Server activity directly within Slack or Microsoft Teams. GitHub's integrations for these services are now generally available. For more information, see "[GitHub extensions and integrations](/get-started/customizing-your-github-workflow/exploring-integrations/github-extensions-and-integrations)."
  changes:
    # https://github.com/github/releases/issues/2702
    - |
      When a site administrator runs a command using administrative SSH access, the command is now logged. To help GitHub Support troubleshoot and debug, support bundles include a log containing these commands.

    # https://github.com/github/releases/issues/2538
    - |
      To simplify the discovery of events within enterprise, organization, or user audit logs, the search bar now displays a list of available filters.

    # https://github.com/github/releases/issues/2815
    - |
      Before a site administrator can migrate away from GitHub Enterprise Server using the [GitHub Enterprise Importer CLI](https://github.com/github/gh-gei), the [startRepositoryMigration](/graphql/reference/mutations#startrepositorymigration) GraphQL API, or the [Start an organization migration](/rest/migrations/orgs?apiVersion=2022-11-28#start-an-organization-migration) REST API, the administrator must use the Management Console to configure a blob storage provider for the storage of migration archives. Supported providers include Amazon S3 and Azure Blob Storage. Previously, blob storage was not required and could optionally be configured using `gh gei`. This change adds support for migrations where the Git source or metadata is larger than 1 GB.

    # https://github.com/github/releases/issues/2705
    - |
      To help users on an instance with a GitHub Advanced Security license better understand detected secrets and take action, secret scanning alerts concerning third-party API keys now include a link to the provider's documentation. For more information, see "[About secret scanning](/code-security/secret-scanning/about-secret-scanning)."

    # https://github.com/github/releases/issues/2386
    - |
      Users on an instance with a GitHub Advanced Security license will now see the actions that users took on a secret scanning alert directly within the alert's timeline, including when a contributor bypassed push protection for a secret.

    # https://github.com/github/releases/issues/2387
    - |
      Instances with a GitHub Advanced Security license will regularly run a historical scan to detect newly added secret types on repositories with GitHub Advanced Security and secret scanning enabled. Previously, users needed to manually run a historical scan.

    # https://github.com/github/releases/issues/2640
    - |
      On instances with a GitHub Advanced Security license, to ensure that future releases of GitHub Enterprise Server can always display a preview of a detected secret in the APIs or web UI, the detected secrets are now stored separately from source code. Detected secrets are stored using symmetric encryption. [Updated: 2023-02-15]
    # https://github.com/github/releases/issues/2696
    - |
      When using private registries for Dependabot updates, GitHub Enterprise Server behaves more securely. If a private registry is configured for any of the following ecosystems, the instance will no longer make any package requests to public registries.

      - Bundler
      - Docker
      - Gradle
      - Maven
      - npm
      - NuGet
      - Python
      - Yarn

      For more information, see "[Configuration options for the dependabot.yml file](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#configuration-options-for-private-registries)."

    # https://github.com/github/releases/issues/2750
    - |
      Elixir developers who use [self-hosted Hex repositories](https://hex.pm/docs/self_hosting) can configure a private registry for Dependabot version updates on GitHub Enterprise Server. For more information, see "[Configuration options for the dependabot.yml file](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#configuration-options-for-private-registries)."
# https://github.com/github/releases/issues/2598
|
|
- |
|
|
Dependabot alerts features the following usability improvements.
|
|
|
|
- The page for an alert refreshes automatically after Dependabot attempts to create a pull request for an update.
|
|
- Alerts are more accurately mapped to pull requests from Dependabot updates.
|
|
- To improve the alert for the community, users can suggest improvements to alerts directly in the GitHub Advisory Database.
|
|
|
|
# https://github.com/github/releases/issues/2744
|
|
- |
|
|
Users can more easily mention **@dependabot**. When mentioning users, the Dependabot user account now appears as an autocomplete suggestion.
|
|
|
|
# https://github.com/github/releases/issues/2631
|
|
- |
|
|
In repositories with vulnerable dependencies, Dependabot will no longer display a yellow banner. To notify contributors of vulnerable dependencies, the **Security** tab displays an alert counter.
|
|
|
|
# https://github.com/github/releases/issues/2602
|
|
- |
|
|
If a user forks a repository with an existing Dependabot configuration in `dependabot.yml`, Dependabot updates will be disabled in the fork by default. To enable updates in the fork, the user must visit the repository's code security and analysis settings. For more information, see "[Configuring Dependabot version updates](/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates)."
|
|
|
|
# https://github.com/github/releases/issues/2621
|
|
- |
|
|
Integrators who wish to receive a webhook for Dependabot alerts must use the new `dependabot_alert` webhook. This webhook replaces the `repository_vulnerability_alert` webhook. For more information, see "[Webhook events and payloads](/developers/webhooks-and-events/webhooks/webhook-events-and-payloads#dependabot_alert)."
|
|
|
|
# https://github.com/github/releases/issues/2704
|
|
- |
|
|
To improve readability of GitHub Actions workflows that reference other actions by commit SHA, action authors often write a comment including the corresponding semantic version on the line that calls the action. To save time, pull requests for Dependabot version updates will now automatically update the semantic version in these comments.
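
The convention this note relies on can be checked mechanically. The following is an added example, not GitHub's code: a small linter that classifies each `uses:` reference as pinned to a full commit SHA with a version comment, pinned without one, or left on a mutable tag or branch. The function name `audit_workflow`, the `example-org/*` action names, and the SHAs in the sample are constructed for illustration.

```python
import re

# "uses: owner/repo[/path]@ref  # optional comment"; local "./path" actions have no "@ref".
USES_RE = re.compile(
    r"^\s*(?:-\s*)?uses:\s*(?P<action>[^@\s#]+)@(?P<ref>[^\s#]+)\s*(?:#\s*(?P<comment>.*))?$"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")      # a full commit SHA, not an abbreviation
VERSION_RE = re.compile(r"\bv?\d+(?:\.\d+){0,2}")  # v3, v3.1 or v3.1.0 in the comment

def audit_workflow(text):
    """Return (line number, action, status, version from comment) per pinned reference."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m or m.group("action").startswith("docker://"):
            continue  # not an action reference that carries a Git ref
        version = VERSION_RE.search(m.group("comment") or "")
        if not FULL_SHA_RE.match(m.group("ref")):
            status = "mutable-ref"                # tag or branch: can be moved upstream
        elif version:
            status = "pinned"                     # SHA plus human-readable version
        else:
            status = "pinned-no-version-comment"  # SHA only: nothing for a reviewer to read
        findings.append((lineno, m.group("action"), status,
                         version.group(0) if version else None))
    return findings

# Constructed workflow; the SHAs are placeholders, not real commits.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: example-org/checkout-action@0123456789abcdef0123456789abcdef01234567 # v3.1.0
      - uses: example-org/setup-action@89abcdef0123456789abcdef0123456789abcdef
      - uses: example-org/deploy-action@v2
      - uses: ./.github/actions/local
"""

if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE_WORKFLOW):
        print(finding)
```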
|
|
|
|
# https://github.com/github/releases/issues/2294
|
|
- |
|
|
JavaScript developers who use Node.js, npm, and Dependabot security updates can save time when updating npm projects with transitive dependencies.
|
|
|
|
- Dependabot can update both parent and child dependencies together. Previously, Dependabot would not update transitive dependencies when the parent required an incompatible specific version range, requiring manual upgrades.
|
|
- Dependabot can create pull requests that resolve alerts where an update to a direct dependency would remove the vulnerable transitive dependency from the tree.
|
|
|
|
For more information, see "[About Dependabot security updates](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates)."
|
|
|
|
# https://github.com/github/releases/issues/2700
|
|
- |
|
|
For people who use Dependabot for version updates in the Docker ecosystem, Dependabot will proactively update Docker image tags in Kubernetes manifests. For more information, see "[Configuring Dependabot version updates](/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates)" and "[Configuration options for the dependabot.yml file](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#package-ecosystem)."
|
|
|
|
# https://github.com/github/releases/issues/2461
|
|
- |
|
|
A number of improvements are available to users who contribute to security advisories on GitHub.com, including the following changes.
|
|
|
|
- To ensure faster review, GitHub prompts users to add a reason for the change.
|
|
- To ensure that the contribution matches the user's intent, GitHub will not reorder reference links in the diff.
|
|
|
|
# https://github.com/github/releases/issues/2492
|
|
- |
|
|
GitHub Actions features the following discoverability and accessibility improvements.
|
|
|
|
- The navigation experience for searching workflows and workflow runs is improved.
|
|
- Added structure better represents the hierarchy between caller and called reusable workflows.
|
|
- The mobile browsing experience is more consistent, and supports multiple viewport sizes.
|
|
|
|
# https://github.com/github/releases/issues/2524
|
|
- |
|
|
GitHub Actions workflows will no longer trigger endlessly when using `GITHUB_TOKEN` with `workflow_dispatch` and `repository_dispatch` events. Prior to this change, events triggered by `GITHUB_TOKEN` would not create a new workflow run. For more information, see "[Triggering a workflow](/actions/using-workflows/triggering-a-workflow#triggering-a-workflow-from-a-workflow)."
|
|
|
|
# https://github.com/github/releases/issues/2543
|
|
- |
|
|
For scheduled runs of GitHub Actions workflows, users will see additional information about the repository, organization, and enterprise within the payload for `github.event`.
|
|
|
|
# https://github.com/github/releases/issues/2727
|
|
- |
|
|
Users of GitHub Actions have better insight into the progress of a job when using environment protection rules. The `workflow_job` webhook supports a new `waiting` state whenever a job is awaiting an environment protection rule. Also, when a job refers to an `environment` key in its YAML definition, the `workflow_job` webhook payload will also include a new property, `deployment`. `deployment` contains metadata about the deployment that the check run created. For more information, see "[Using environments for deployment](/actions/deployment/targeting-different-environments/using-environments-for-deployment)."
|
|
|
|
# https://github.com/github/releases/issues/2515
|
|
# https://github.com/github/releases/issues/2743
|
|
- |
|
|
Organization owners can find more meaningful context within audit log events.
|
|
|
|
- `business.sso_response` and `org.sso_response` events appear in the REST API and payloads for audit log streaming.
|
|
- `repo.rename`, `project.rename`, and `protected_branch.update_name` events include the current and past names for the renamed items within the `old_name` field.
|
|
- Events for Dependabot alerts contain `alert_number`, `ghsa_id`, `dismiss_reason`, and `dismiss_comment` fields, in addition to a link back to the alert and an accurate timestamp.
|
|
|
|
# https://github.com/github/releases/issues/2537
|
|
- |
|
|
Users can view a list that contains all of an organization's followers from the organization's profile.
|
|
|
|
# https://github.com/github/releases/issues/2717
|
|
- |
|
|
The banner displayed atop an archived repository in the web UI now includes the repository's archival date.
|
|
|
|
# https://github.com/github/releases/issues/2286
|
|
- |
|
|
The **Conversations** and **Files** tabs in pull requests now load more quickly due to deferred syntax highlighting.
|
|
|
|
# https://github.com/github/releases/issues/2561
|
|
- |
|
|
To provide a more consistent experience between the web UI and users' workstations, and to speed up the process of checking whether users can merge a pull request automatically, GitHub Enterprise Server now uses the `merge-ort` strategy. For more information, see [Merge strategies](https://git-scm.com/docs/merge-strategies#Documentation/merge-strategies.txt-ort) in the Git documentation.
|
|
|
|
# https://github.com/github/releases/issues/2496
|
|
- |
|
|
To improve the display of the initial comment in pull requests that contain one commit, GitHub Enterprise Server now automatically reformats detailed commit messages to adhere to GitHub's Markdown conventions.
|
|
|
|
# https://github.com/github/releases/issues/2511
|
|
- |
|
|
Before squash-merging a pull request, the web UI displays the email address of the commit's author. Previously, the commit author was only displayed when merging with a merge commit.
|
|
|
|
known_issues:
|
|
- |
|
|
{% data reusables.release-notes.upgrade-to-3-9-or-to-3-10-mysql-cannot-start-up %} [Updated: 2023-08-11]
|
|
- |
|
|
{% data reusables.release-notes.enterprise-backup-utils-encryption-keys %} [Updated: 2023-07-31]
|
|
- |
|
|
{% data reusables.release-notes.2023-10-git-push-made-but-not-registered %} [Updated: 2023-10-26]
|
|
- On a freshly set up {% data variables.product.prodname_ghe_server %} instance without any users, an attacker could create the first admin user.
|
|
- Custom firewall rules are removed during the upgrade process.
|
|
- When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
|
|
|
|
- Actions services need to be restarted after restoring an instance from a backup taken on a different host.
|
|
- In a repository's settings, enabling the option to allow users with read access to create discussions does not enable this functionality.
|
|
- During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start.
|
|
- '{% data reusables.release-notes.stuck-discussion-conversion-issue %}'
|
|
- |
|
|
If the root site administrator is locked out of the Management Console after failed login attempts, the account will not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. For more information, see "[AUTOTITLE](/admin/configuration/administering-your-instance-from-the-management-console/troubleshooting-access-to-the-management-console#unlocking-the-root-site-administrator-account)." [Updated: 2023-02-23]
|
|
- '{% data reusables.release-notes.ghe-cluster-config-apply-error %}'
|
|
- |
|
|
After upgrading to GitHub Enterprise Server 3.8.0, commands run via SSH on any of the instance's nodes will not be logged in `/var/log/ssh-console-audit.log`. To resolve this issue, SSH into the affected node and run the following command.
|
|
|
|
```shell
|
|
source /etc/bash.bashrc
|
|
```
|
|
- '{% data reusables.release-notes.git-push-known-issue %} [Updated: 2023-03-17]'
|
|
- '{% data reusables.release-notes.replication-commands-in-maintenance-mode-known-issue %} [Updated: 2023-03-17]'
|
|
- |
|
|
Use of the search API may cause subsequent requests to other interfaces to fail. When this issue occurs, impacted API or web UI users will receive HTTP 5xx responses and this `NoMethodError` exception will be logged:
|
|
|
|
```shell
|
|
NoMethodError (undefined method `starts_with?' for [:ok, "refs/heads/main"]:Array):
|
|
```
|
|
- |
|
|
On an instance with a GitHub Advanced Security license where secret scanning is enabled, excessive logging in `/var/log` may cause user-facing errors and degraded system performance if logs consume all free space on the volume. To prevent this issue from impacting users, monitor free space on your instance's root volume. For more information, see "[Configuring secret scanning for your appliance](/admin/code-security/managing-github-advanced-security-for-your-enterprise/configuring-secret-scanning-for-your-appliance)" and "[Monitoring your appliance](/admin/enterprise-management/monitoring-your-appliance)." If you suspect that this issue is affecting your instance and you need help, [contact GitHub Support](https://support.github.com/contact). [Updated: 2023-05-03]
|
|
- |
|
|
{% data reusables.release-notes.2023-08-mssql-replication-known-issue %} [Updated: 2023-08-24]
|
|
- |
|
|
{% data reusables.release-notes.2023-10-support-bundle-p-flag-not-working %} [Updated: 2023-10-13]
|
|
- |
|
|
{% data reusables.release-notes.scheduled-reminders-unintentional %} [Updated: 2023-10-17]
|
|
- |
|
|
{% data reusables.release-notes.2023-11-aws-system-time %} [Updated: 2023-11-10]
|
|
- |
|
|
{% data reusables.release-notes.2023-12-backup-utils-exit-early-redis %} [Updated: 2023-12-05]
|
|
- |
|
|
{% data reusables.release-notes.2023-12-client-ip-addresses-incorrect-in-audit-log %} [Updated: 2023-12-13]
|
|
|
|
deprecations:
|
|
- heading: Unsecure algorithms disabled for administrative SSH connections
|
|
notes:
|
|
# https://github.com/github/enterprise-releases/issues/3217
|
|
- |
|
|
GitHub has disabled the use of unsecure algorithms for SSH connections to the administrative shell.
|
|
|
|
- heading: Deprecation of the repository_vulnerability_alert webhook
|
|
notes:
|
|
# https://github.com/github/releases/issues/2621
|
|
- |
|
|
For integrators who wish to receive webhooks for Dependabot alerts activity, the `dependabot_alert` webhook replaces the `repository_vulnerability_alert` webhook. For more information, see "[Webhook events and payloads](/developers/webhooks-and-events/webhooks/webhook-events-and-payloads#dependabot_alert)."
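
For integrators migrating a receiver, as described in this note and in the Dependabot note under "changes", the following is an added example, not GitHub's code. It authenticates a delivery with the `X-Hub-Signature-256` HMAC before parsing it, routes on `X-GitHub-Event`, and reports deliveries that still arrive under the replaced event name. The function names and the sample delivery are constructed, and the payload field names (`action`, `alert.number`, `alert.security_advisory.ghsa_id`) are assumed to follow the linked payload reference.

```python
import hashlib
import hmac
import json

CURRENT_EVENT = "dependabot_alert"
LEGACY_EVENT = "repository_vulnerability_alert"

def sign(secret: bytes, body: bytes) -> str:
    """Signature value expected in X-Hub-Signature-256 for this raw body."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()

def handle_delivery(secret: bytes, headers: dict, body: bytes) -> dict:
    """Authenticate one webhook delivery, then route it by event name."""
    hdrs = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    received = hdrs.get("x-hub-signature-256", "")
    # Verify over the raw bytes before parsing; compare in constant time.
    if not hmac.compare_digest(sign(secret, body).encode(), received.encode()):
        return {"status": 401, "result": "bad signature"}
    event = hdrs.get("x-github-event", "")
    if event == LEGACY_EVENT:
        # The hook is still subscribed to the replaced webhook: report it for migration.
        return {"status": 202, "result": "legacy event"}
    if event != CURRENT_EVENT:
        return {"status": 204, "result": "ignored"}
    payload = json.loads(body)
    alert = payload.get("alert", {})
    advisory = alert.get("security_advisory", {})
    return {"status": 200, "result": "alert", "action": payload.get("action"),
            "number": alert.get("number"), "ghsa_id": advisory.get("ghsa_id"),
            "severity": advisory.get("severity")}

# Constructed sample delivery (secret, alert number and advisory id are placeholders).
SAMPLE_SECRET = b"constructed-webhook-secret"
SAMPLE_BODY = json.dumps({
    "action": "created",
    "alert": {"number": 7, "state": "open",
              "security_advisory": {"ghsa_id": "GHSA-xxxx-xxxx-xxxx", "severity": "high"}},
}).encode()
SAMPLE_HEADERS = {"X-GitHub-Event": CURRENT_EVENT,
                  "X-Hub-Signature-256": sign(SAMPLE_SECRET, SAMPLE_BODY)}

if __name__ == "__main__":
    print(handle_delivery(SAMPLE_SECRET, SAMPLE_HEADERS, SAMPLE_BODY))
```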
|
|
|
|
errata:
|
|
- '{% data reusables.release-notes.github-actions-secrets-encryption-docs %} [Updated: 2023-06-01]'
|
|
|
|
# https://github.com/github/releases/issues/2626
|
|
- |
|
|
"[Repositories](#3.8.0-repositories)" incorrectly indicated that repository administrators can require pull request approval by someone other than the last pusher. This feature is unavailable in GitHub Enterprise Server 3.8, and is available in GitHub Enterprise Server 3.10. For more information, see "[AUTOTITLE](/enterprise-server@3.10/admin/release-notes#repositories)." [Updated: 2023-08-07]
|