3.1 Release notes
May 06, 2021
If your GitHub Enterprise Server instance is running a release candidate build, you can't upgrade with a hotpatch. We recommend only running release candidates on test environments.
GitHub Advanced Security Secret Scanning
Secret Scanning is now generally available on GitHub Enterprise Server 3.1+. Scan public and private repositories for committed credentials, find secrets, and notify the secret provider or admin the moment they are committed into a repository.
This release includes several improvements from the beta of Secret Scanning on GitHub Enterprise Server:
- Expanded our pattern coverage from 24 partners to 37
- Added an API and webhooks
- Added notifications for commit authors when they commit secrets
- Updated the index view to make it easy to triage secrets in bulk
- Reduced the false positive rate on many patterns
Administrators using GitHub Advanced Security can enable and configure GitHub Advanced Security secret scanning. You can review the updated minimum requirements for your platform before you turn on GitHub Advanced Security secret scanning.
GitHub Advanced Security billing improvements
This release includes several improvements to GitHub Advanced Security billing in GitHub Enterprise Server:
- GitHub Advanced Security customers can now view their active committer count and the remaining number of unused committer seats on their organization or enterprise account’s Billing page. If Advanced Security is purchased for an enterprise, administrators can also view the active committer seats which are being used by other organizations within their enterprise. For more information, see "About GitHub Advanced Security licensing" and "Viewing your GitHub Advanced Security usage."
- GitHub Advanced Security customers can now view their active committer count for any Advanced Security enabled repositories on their organization or enterprise account's Billing page. These changes help billing administrators track their usage against how many committer licenses they purchased. For more information see "Managing security and analysis settings for your organization."
Dependabot improvements
This release includes improvements to Dependabot alerts in GitHub Enterprise Server:
- Users with Dependabot alerts enabled can see which of their repositories are impacted by a given vulnerability by navigating to its entry in the GitHub Advisory Database. This feature is available in public beta. For more information, see "Viewing and updating vulnerable dependencies in your repository."
- When a vulnerability is added to GitHub Advisory Database, you will no longer receive email and web notifications for Dependabot alerts on low and moderate severity vulnerabilities. These alerts are still accessible from the repository's Security tab. For more information, see Viewing and updating vulnerable dependencies in your repository.
- You can now give people instructions on how to responsibly report security vulnerabilities in your project by adding a SECURITY.md file to your repository's root, docs, or .github folder. When someone creates an issue in your repository, they will see a link to your project's security policy. For more information, see "Adding a security policy to your repository."
GitHub Actions Workflow Visualization beta
GitHub Actions can now generate a visual graph of your workflow on every run. With workflow visualization, you can:
- View and understand complex workflows
- Track progress of workflows in real-time
- Troubleshoot runs quickly by easily accessing logs and jobs metadata
- Monitor progress of deployment jobs and easily access deployment targets
For more information, see "Using the visualization graph."
OAuth 2.0 Device Authorization Grant
OAuth 2.0 Device Authorization Grant allows any CLI client or developer tool to authenticate by having the user complete the authorization in a browser on a secondary system.
Administrators using OAuth Apps and GitHub Apps can enable and configure OAuth 2.0 Device Authorization Flow, in addition to the existing Web Application Flow. You can review the updated minimum requirements for your platform before you enable OAuth 2.0 Device Authorization Flow.
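The exchange behind the Device Authorization Grant, as an added example that is not part of the original release notes and not GitHub's code: an in-memory model of the RFC 8628 flow (device code request, user approval in a browser, token polling with the authorization_pending, slow_down and expired_token responses). The AuthorizationServer class and the verification URI are constructed stand-ins for the server-side endpoints; the token prefix and client id are made-up sample values.

```python
import secrets
import time

# Grant type identifier defined by RFC 8628 for the token poll.
DEVICE_CODE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"


class AuthorizationServer:
    """Constructed stand-in for the device-code and token endpoints (assumption: not GitHub's implementation)."""

    def __init__(self, clock=time.time, lifetime=900, interval=5):
        self.clock = clock
        self.lifetime = lifetime  # seconds a device code stays valid
        self.interval = interval  # minimum seconds between token polls
        self.pending = {}         # device_code -> authorization record

    def device_authorization(self, client_id, scope):
        """Client step 1: obtain a device code and a short code the user types into a browser."""
        device_code = secrets.token_urlsafe(32)
        user_code = "-".join(secrets.token_hex(2).upper() for _ in range(2))
        self.pending[device_code] = {
            "client_id": client_id, "scope": scope, "user_code": user_code,
            "expires_at": self.clock() + self.lifetime,
            "last_poll": None, "approved": False, "token": None,
        }
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://ghes.example/login/device",  # constructed
                "expires_in": self.lifetime, "interval": self.interval}

    def user_approves(self, user_code):
        """Browser side: the signed-in user enters the user code and approves the request."""
        for rec in self.pending.values():
            if rec["user_code"] == user_code and not rec["approved"]:
                rec["approved"] = True
                rec["token"] = "gho_" + secrets.token_hex(20)  # constructed token shape
                return True
        return False

    def token(self, client_id, device_code, grant_type):
        """Client step 2: poll until the user has approved; errors follow RFC 8628 section 3.5."""
        if grant_type != DEVICE_CODE_GRANT:
            return {"error": "unsupported_grant_type"}
        rec = self.pending.get(device_code)
        if rec is None or rec["client_id"] != client_id:
            return {"error": "invalid_grant"}
        now = self.clock()
        if now > rec["expires_at"]:
            del self.pending[device_code]      # a stale code can never be redeemed
            return {"error": "expired_token"}
        if rec["last_poll"] is not None and now - rec["last_poll"] < self.interval:
            return {"error": "slow_down"}      # client must back off, not retry faster
        rec["last_poll"] = now
        if not rec["approved"]:
            return {"error": "authorization_pending"}
        del self.pending[device_code]          # single use: the code is consumed with the token
        return {"access_token": rec["token"], "token_type": "bearer", "scope": rec["scope"]}


class FakeClock:
    """Deterministic clock so the exchange can be traced without sleeping."""

    def __init__(self, start=1000.0):
        self.t = start

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def run_device_flow(server, clock, client_id="Iv1.example", scope="repo", approve_on_poll=2):
    """Drive the client side: request a code, poll at the advertised interval, stop on a token.

    Returns (list of per-poll outcomes, access token or None)."""
    start = server.device_authorization(client_id, scope)
    outcomes = []
    for poll in range(1, 6):
        clock.advance(start["interval"])       # honour the server's interval
        if poll == approve_on_poll:
            server.user_approves(start["user_code"])  # user finishes in the browser
        resp = server.token(client_id, start["device_code"], DEVICE_CODE_GRANT)
        outcomes.append(resp.get("error", "ok"))
        if "access_token" in resp:
            return outcomes, resp["access_token"]
    return outcomes, None


if __name__ == "__main__":
    clk = FakeClock()
    print(run_device_flow(AuthorizationServer(clock=clk), clk))
```

The design points worth noticing are the ones a reviewer checks on a real device-flow implementation: the device code is single use and bound to the client id that requested it, the server refuses to answer faster than its own interval, and an expired code is discarded rather than left redeemable.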
Pull request auto-merge
With auto-merge, pull requests can be set to merge automatically when all merge requirements have been satisfied. This saves users from needing to constantly check the state of their pull requests just to merge them. Auto-merge can be enabled by a user with permission to merge and on pull requests that have unsatisfied merge requirements. For more information, see "Automatically merging a pull request."
Custom notifications
You can customize the types of notifications you want to receive from individual repositories. For more information, see "Configuring notifications."
Administration Changes
By precomputing checksums, the amount of time a repository is held under the lock has been reduced dramatically, allowing more write operations to succeed immediately and improving monorepo performance.
The latest release of the CodeQL CLI supports uploading analysis results to GitHub. This makes it easier to run code analysis for customers who wish to use CI/CD systems other than GitHub Actions. Previously, such users had to use the separate CodeQL runner, which will continue to be available. For more information, see "About CodeQL code scanning in your CI system."
GitHub Actions now supports skipping push and pull_request workflows by looking for some common keywords in your commit message.
Check annotations older than four months will be archived.
Security Changes
Display of Code Scanning results on a pull request without submitting with a pull request ID is no longer supported. For more information, see "Configuring code scanning" and "Configuring CodeQL code scanning in your CI system."
SARIF upload support increased to a maximum of 5000 results per upload.
Developer Changes
You can specify multiple callback URLs while configuring a GitHub App. This can be used in services with multiple domains or subdomains. GitHub will always deny authorization if the callback URL from the request is not in the authorization callback URL list.
The GitHub App file permission has been updated to allow an app developer to specify up to 10 files for read-only or read-write access that their app can request access to.
CodeQL now supports more libraries and frameworks for a variety of languages (C++, JavaScript, Python, Java, Go). The CodeQL engine can now detect more sources of untrusted user data, which improves the quality and depth of the code scanning alerts. For more information, see "About CodeQL."
When configuring a GitHub App, the authorization callback URL is a required field. Now, we allow the developer to specify multiple callback URLs. This can be used in services with multiple domains or subdomains. GitHub will always deny authorization if the callback URL from the request is not in the authorization callback URL list.
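The security-relevant point in the callback URL change is the last sentence: authorization is denied unless the requested callback is in the registered list. The example below is added here and is not GitHub's code or a reproduction of its matcher; it shows the strict allow-list comparison a defender implements on their own OAuth server, next to the loose prefix check that lets a look-alike host through. The registered URLs are constructed sample values.

```python
from urllib.parse import urlsplit

# Constructed sample allow-list, as a GitHub App or OAuth App developer would register it.
REGISTERED_CALLBACKS = [
    "https://app.example.com/oauth/callback",
    "https://admin.example.com:8443/cb",
]

DEFAULT_PORTS = {"https": 443, "http": 80}


def canonical(url):
    """Normalise only what is safe: scheme/host case and the default port.

    Path and query are compared byte-for-byte (no dot-segment resolution, so
    '/callback/../x' is not '/x'); a fragment makes the URL invalid, as RFC 6749
    forbids fragments in redirection endpoints. Returns None for unusable URLs."""
    try:
        parts = urlsplit(url)
        port = parts.port
    except ValueError:          # malformed port or netloc
        return None
    if parts.scheme.lower() not in DEFAULT_PORTS or not parts.hostname or parts.fragment:
        return None
    scheme = parts.scheme.lower()
    return (scheme, parts.hostname.lower(), port or DEFAULT_PORTS[scheme],
            parts.path or "/", parts.query)


def is_allowed_callback(requested, registered=REGISTERED_CALLBACKS):
    """True only when the requested redirect URL exactly matches one registered URL."""
    target = canonical(requested)
    if target is None:
        return False
    return any(canonical(r) == target for r in registered)


def naive_prefix_match(requested, registered=REGISTERED_CALLBACKS):
    """The comparison to avoid: an origin prefix check accepts look-alike hosts."""
    origins = [urlsplit(r).scheme + "://" + urlsplit(r).hostname for r in registered]
    return any(requested.startswith(o) for o in origins)


if __name__ == "__main__":
    probe = "https://app.example.com.attacker.example/oauth/callback"
    print("strict:", is_allowed_callback(probe), "prefix:", naive_prefix_match(probe))
```

Strict matching is why a userinfo trick such as `https://app.example.com@other.example/...` fails too: urlsplit reports the real host, other.example, and nothing in the list equals it.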
Delete an entire directory of files, including subdirectories, from your web browser. For more information, see "Deleting a file or directory."
Include multiple words after the # in an issue, discussion, or pull request comment to further narrow your search.
When you're writing an issue, pull request, or discussion comment, the list syntax for bullets, numbers, and tasks autocompletes after you press return or enter.
API Changes
The code scanning API allows users to upload data about static analysis security testing results, or export data about alerts. For more information, see the code scanning API reference.
The GitHub Apps API for managing installations has now graduated from an API preview to a generally available API. The preview header is no longer required to access these endpoints.
The GitHub Packages npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.
- A scheduled cleanup job can cause performance to degrade on an instance with a very large check_annotations table.
- On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
- Custom firewall rules are not maintained during an upgrade.
- Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
- Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
- When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
Deprecation of GitHub Enterprise Server 2.20
GitHub Enterprise Server 2.20 was discontinued on March 2, 2021. That means that no patch releases will be made, even for critical security issues, after this date. For better performance, improved security, and new features, upgrade to the newest version of GitHub Enterprise Server as soon as possible.
Deprecation of GitHub Enterprise Server 2.21
GitHub Enterprise Server 2.21 will be discontinued on June 9, 2021. That means that no patch releases will be made, even for critical security issues, after this date. For better performance, improved security, and new features, upgrade to the newest version of GitHub Enterprise Server as soon as possible.
Deprecation of Legacy GitHub App Webhook Events
Starting with GitHub Enterprise Server 2.21.0, two legacy GitHub Apps-related webhook events have been deprecated and will be removed in GitHub Enterprise Server 3.2.0. The deprecated events integration_installation and integration_installation_repositories have equivalent events which will be supported. More information is available in the deprecation announcement blog post.
Deprecation of Legacy GitHub Apps Endpoint
Starting with GitHub Enterprise Server 2.21.0 the legacy GitHub Apps endpoint for creating installation access tokens was deprecated and will be removed in GitHub Enterprise Server 3.2.0. More information is available in the deprecation announcement blog post.
Deprecation of OAuth Application API
GitHub no longer supports the OAuth application endpoints that contain access_token as a path parameter. We have introduced new endpoints that allow you to securely manage tokens for OAuth Apps by moving access_token to the request body. While deprecated, the endpoints are still accessible in this version. We intend to remove these endpoints on GitHub Enterprise Server 3.4. For more information, see the deprecation announcement blog post.
Deprecation of GitHub Actions short SHA support
GitHub Actions will remove support for referencing actions using the shortened version of a git commit SHA. This may cause some workflows in your repository to break. To fix these workflows, you will need to update the action reference to use the full commit SHA. For more information, see "Security hardening for GitHub Actions."
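To find the workflows this deprecation will break before the upgrade, an added example that is not part of the original release notes and not a GitHub tool: it scans the `uses:` lines of a workflow file, classifies each action reference as a full 40-character SHA, a shortened SHA (the form being removed) or a mutable tag/branch, and lists the ones that will stop working. The sample workflow and the action names in it are constructed placeholders.

```python
import re

# Constructed sample workflow. The action names and SHAs are placeholders, not real pins.
SAMPLE_WORKFLOW = """\
name: ci
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: actions/setup-node@0123456
      - uses: "example-org/lint-action@v2"
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.13
      - run: npm test
"""

# Matches a `uses:` value with or without quotes; a trailing `#` starts a YAML comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
SHORT_SHA = re.compile(r"^[0-9a-f]{7,39}$")


def classify_ref(ref):
    """'full-sha' is the only immutable form; a short SHA will be rejected once
    support is removed; anything else (tag, branch) can be moved by the action's owner.
    A tag that happens to be 7 to 39 hex characters is reported as a short SHA, which is
    the safe direction for a pre-upgrade audit."""
    if FULL_SHA.match(ref):
        return "full-sha"
    if SHORT_SHA.match(ref):
        return "short-sha"
    return "mutable"


def audit_action_refs(workflow_text):
    """Return (line_no, uses_value, classification) for every remote action reference.

    A line-based scan rather than a full YAML parse, so it needs no third-party library
    and also works on a file that no longer parses cleanly."""
    findings = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        uses = m.group(1)
        if uses.startswith("./") or uses.startswith("docker://"):
            continue  # local action or container image: no git ref to pin
        if "@" not in uses:
            findings.append((n, uses, "mutable"))  # no ref at all resolves to the default branch
            continue
        _, ref = uses.rsplit("@", 1)
        findings.append((n, uses, classify_ref(ref)))
    return findings


def will_break_on_upgrade(workflow_text):
    """The subset of references that the short-SHA removal will make fail."""
    return [f for f in audit_action_refs(workflow_text) if f[2] == "short-sha"]


if __name__ == "__main__":
    for line_no, uses, kind in audit_action_refs(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {uses} -> {kind}")
```

Run over each file under `.github/workflows/` and fix every `short-sha` finding by replacing the reference with the full commit SHA; the `mutable` findings are not broken by this change but are the ones "Security hardening for GitHub Actions" recommends pinning as well.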
GitHub Enterprise Server 3.1 requires at least GitHub Enterprise Backup Utilities 3.1.0 for Backups and Disaster Recovery.