Changelog

Subscribe to all Changelog posts via Twitter to stay updated on everything we ship.

~ cd github-changelog
~/github-changelog|main git log main
showing all changes successfully

Delegated alert dismissal for code scanning and secret scanning now available in public preview

Keep control over the security posture of your organization with delegated alert dismissal. With this feature, you can require a review process before alerts are dismissed in code scanning and secret scanning. This helps you manage security risk better, as well as meet audit and compliance requirements.

While this feature adds oversight and control, organizations should carefully balance security needs with development velocity. Things to consider include:

  • Who can close alerts
  • When and how alerts should be closed
  • Who should review and approve dismissal requests.

This feature can be configured and managed at scale using security configurations or at the repository level.

Each dismissal request requires a mandatory comment explaining the rationale, with email notifications sent to both approvers and requesters throughout the process. If rejected, the alert remains open.

People with the organization owner or security manager role can review and approve dismissal requests by default. The state of previously dismissed alerts does not change when enabling this feature.

The dismissal and approval process is visible on the alert timeline, included on the audit log, and accessible through both the REST API and webhooks.

You can enable this feature today for secret scanning in GitHub Enterprise Cloud. It will also be available in version 3.17 of GitHub Enterprise Server.

See more

Introducing GitHub Secret Protection and GitHub Code Security

GitHub Advanced Security: Introducing GitHub Secret Protection and Code Security

At GitHub, we believe that investing in the security of your codebases should be straightforward, cost-effective, and accessible for everyone. Today, we’re announcing changes to pricing plans and availability of GitHub Advanced Security (GHAS), aligning with our ongoing mission to help organizations of all sizes secure their code with the flexibility they seek.

Announcing new pricing plans for GitHub Advanced Security

Starting April 1, 2025, GitHub Advanced Security will be available as two standalone security products: GitHub Secret Protection and GitHub Code Security. In addition, these products will become available to GitHub Team plan customers for the first time.

GitHub Secret Protection

New customers can purchase GitHub Secret Protection, which includes features that help detect and prevent secret leaks (e.g. secret scanning, AI-detected passwords, and push protection for secrets). Secret Protection will be available for $19 per month per active committer, with features including:

  • Push protection, to prevent secret leaks before they happen
  • AI detection with a low rate of false positives, so you can focus on what matters
  • Secret scanning alerts with notifications, to help you catch exposures before they become a problem
  • Custom patterns for secrets, so you can search for sensitive organization-specific information
  • Security overview, which provides insight into distribution of risk across your organization
  • Push protection and alert dismissal enforcement for secrets, which supports governance at enterprise scale

In addition, we’re launching a new scanning feature to help organizations understand their secret leak footprint across their GitHub perimeter. This feature will be free for GitHub Team and Enterprise organizations.

GitHub Code Security

New customers will also be able to purchase Code Security, which detects and fixes vulnerabilities in your code before it reaches production. Code Security will be available for $30 per month per active committer with features including:

  • Copilot Autofix for vulnerabilities in existing code and pull requests for developer-first security management
  • Security campaigns to address security debt at scale
  • Dependabot features for protection against dependency-based vulnerabilities
  • Security overview, which provides insight into distribution of risk across your organization
  • Security findings for third-party tools

Availability for GitHub Team customers

Starting April 1, 2025, customers on the GitHub Team plan can purchase Secret Protection and Code Security. These products will be available through a consumption-based, pay-as-you-go model (i.e., metered billing) to ensure security remains affordable, scalable, and accessible for all customers on GitHub.

Get started today

Existing customers with plans managed with a GitHub or Microsoft sales account team can transition to the new GitHub Advanced Security plans at start time of renewal for renewal dates after April 1, 2025. Please contact your account team for further details. For existing self-serve customers, instructions on how to transition to the new GitHub Advanced Security plans will be announced over the coming months through GitHub’s roadmap and changelog.

GitHub Team customers can choose to purchase Secret Protection or Code Security from their organization settings pages starting April 1, 2025.

See more

Find secrets in your organization with the secret risk assessment

Find secrets in your organization with the secret risk assessment

GitHub is committed to empowering the developer community by helping organizations recognize and address the risks of secret leaks. That’s why we’re launching a new free tool next month which will provide clear insights into their exposure, along with actionable steps to strengthen their security and protect their code.

Scan your organization for aggregate insights on public leaks, private exposures, and token types.

The secret risk assessment provides insights about secret leak exposures

When will this feature be available?

The secret risk assessment will be available on April 1, 2025 as part of the launch of Secret Protection for GitHub Team and Enterprise plans.

What will this dashboard include?

Available in the ‘Security’ tab, organization and security admins will be able to run a scan in order to understand how their organization is affected by secret leaks and exposures. Once a scan is initiated, GitHub will look for secret leaks and exposures across your organization, returning a collection of insights including:

  • Number of secrets leaked per type
  • Number of publicly visible secrets in your public repositories
  • Number of repositories affected per secret type

No specific secrets will be stored or shared. The scan will be a point-in-time assessment across all public and private repositories. For organizations ready to adopt a continuous monitoring tool, we recommend enabling secret scanning for detection and incident management of specific secrets.

Why are we doing this?

We’re launching this feature to help organizations understand their secret leak footprint across their GitHub perimeter.

GitHub is committed to making a meaningful impact on the developer community by helping organizations recognize their risk from secret leaks. Our goal is to provide clear insights into their exposure and a clear path to stronger security.

Who can use this feature?

This feature will be available for free to organizations with a GitHub Team or Enterprise plan. Organization admins and security managers will be able to run the report and review any results.

To learn more about the launch of GitHub Secret Protection, please refer to GitHub Community — we’re listening.

See more

Improved pull request merge experience is now generally available

The improved merge experience on the pull request page is now generally available! This update is designed to help you better understand the state of your pull request and get it merged faster.

Screenshot of the updated merge box page on the pull request page showing it is approved, a list of status checks (some failing), and a message about not having any merge conflicts.

This experience supports all the usual ways of merging: direct, bypass and merge, auto-merge, and merge queue, and works with rulesets to ensure pull requests meet all the requirements to merge.

What’s new

The new experience is designed to feel familiar, but also improves on the previous experience. Here are some highlights:

  • Checks grouped by status: checks are now grouped by status with failing checks prioritized at the top of the list, making it easier to identify problems that need attention
  • Checks ordered logically: status checks are now ordered using natural ordering to make it easier to find a specific check, especially when the list gets long
  • Improved rule enforcement: errors resulting from failing commit metadata rules (like invalid commit messages) are now reported at the point of merging so they can be corrected
  • Improved accessibility: consistent keyboard navigation, focus management, and landmarks help make the experience more accessible to everyone

Get help

Learn more about merging a pull request.

To suggest a feature, report a problem, or discuss this improved experience, visit the GitHub Community.

See more

Easily distinguish between direct and transitive dependencies for npm packages

npm’s massive ecosystem of open source packages is one of its greatest strengths. But as a security-conscious developer, it can be tough to keep up with vulnerability reporting and updates once your project has more than a handful of dependencies, each of which has its own set of dependent packages. Dependabot notifies you of vulnerabilities and their fixes as they come in. Unfortunately, it’s hard to distinguish actionable alerts about direct dependencies you’ve added to your manifests from those transitive dependencies that were pulled in along the way… until now, that is.

GitHub’s dependency graph now tracks direct and transitive dependencies for npm packages. This helps you triage, prioritize, and remediate your Dependabot alerts. This capability shows up in user-facing features across the site:

  • Dependabot alerts will now contain a direct label if they are associated with a package you’ve directly included in a manifest. You can filter the list of alerts down to only these direct ones with the relationship:direct filter in the search bar.
  • Alerts for transitive dependencies now show transitive path information – the chain of packages which led from your direct dependency to the transitive one which has the vulnerability.
  • A repository’s dependency graph now distinguishes between direct and transitive relationships. Direct dependencies will have a label in the table UI, whereas indirect dependencies have a disclosure menu that shows the transitive path which led to their inclusion.
  • A repository’s SBOM will contain a relationships section that uses the SPDX relationshipType: DEPENDS_ON field to express the tree of package dependencies. Tools like guac.sh can help explore and visualize this tree.
  • The GraphQL API will now return a relationship field with direct, transitive, or unknown values in the DependencyGraphDependency object. See the API documentation for details.

A table of Dependabot alerts can now be filtered to show only direct dependencies

We started with npm because it’s the most popular package ecosystem in the known universe, but it’s just the beginning. Over the next few months, package types for other programming languages will also get the transitivity treatment. Up next: Maven packages for Java.

To try this out, you’ll need to make sure the enable Dependabot alerts. If the “Direct” labels aren’t showing up for you immediately, push a commit that updates one of your manifest files, which will trigger an update of the dependency graph.

Join the discussion within GitHub Community.

See more

Introducing metered billing for GitHub Enterprise and GitHub Advanced Security server usage

Scaling your GitHub usage just got easier! We are expanding our pay-as-you-go usage-based billing and licensing reporting interface to include GitHub Enterprise (GHE) and GitHub Advanced Security (GHAS) Server-only usage.

We announced pay-as-you-go billing for GHE and GHAS on August 1, 2024 to give customers flexible self-provisioning and pricing. Since then, enterprise accounts on github.com created on or after that date could generate a GitHub Enterprise Server key for the appropriate license count when license adjustments were needed. This required all users, including Server-only users, to be represented in the enterprise account’s user list on GitHub Enterprise Cloud.

Now, you can track and monitor your Server-only license usage for both Enterprise and Advanced Security as a separate line item on the Billing & Licensing > Licensing page.

Note that it will still be required to add all Server-only users to your GitHub Enterprise Cloud enterprise user list to account for their license usage and generate a license key with the appropriate license count. This update does not change this compliance requirement.

Enterprise Server summary in licensing

For existing customers who already have GHE or GHAS, your plan and existing billing method will remain as-is.

If you are interested in pay-as-you-go usage-based billing and have a GitHub account team, please connect with them to discuss whether switching to this model is an option for you.

Check out our documentation to learn more about usage-based billing for licenses.

See more

JetBrains Copilot code referencing support is generally available

The GitHub Copilot plugin for JetBrains IDEs now includes the ability to view code references, designed to enhance your coding experience and improve productivity.

What’s new ✨

Viewing code references: When GitHub Copilot suggests code that matches public code, you will be notified of this match. Click “View matches” at the end of the response to access the reference information.

Benefits for developers ⚡️

Informed decisions with code suggestions: code referencing allows you to make more informed decisions about whether to use the suggested code.

Get involved 🛠

We encourage you to try out the latest version of the GitHub Copilot plugin and share your feedback. Your input is invaluable in helping us refine and improve the product.

Join the discussion 🚀

Connect with us and other developers in the GitHub Community to share your experiences, ask questions, and provide feedback.

See more

Copilot Workspace: Showing quota limits, issues in dashboard, and UX improvements

Copilot Workspace header

This week, we’ve added an indicator for your daily or hourly quotas, allocated a section of the dashboard to issues assigned to you, and introduced several UX improvements and bug fixes to ensure a smooth development process with Copilot Workspace.

Showing approaching quota limits

As you’re nearing your quota limit, Copilot Workspace will now display a counter so you can keep track of how many tokens you have left, and prioritize your usage accordingly.

quota limits

Issues listed in homepage dashboard

Your recently assigned issues are now listed in the homepage dashboard, providing another jumping point to start developing from!

recently assigned issues in homepage dashboard

UX improvements and bug fixes

  • The session list has been refactored to link directly to pull requests created from a session.
    Screenshot shows list of recent sessions with linked pull requests

  • The sessions index page now maintains scroll position when navigating across sessions.

  • When viewing a new file’s diff, the diff is now highlighted in green.

  • We’ve added an arrow to the current branch name, indicating that it is clickable.

  • You can now select file names in the Plan stage, allowing you to copy them as needed.

  • We fixed the “live preview” button on the run command.

  • We fixed the overlay of the file tree view on small viewports.

  • Light/dark mode is now fixed to match your settings theme.

  • Terminal commands are now correctly disposed of when exiting the command dialogue without saving.

  • There’s improved file name generation to remove excess backtick characters.

  • We fixed a bug where the plan was not being shown in mobile view.

  • The “Revise” button on file headers is now represented by a sparkling pencil icon instead of crosshairs.

  • There’s a new square circle button for stop buttons.

Providing feedback

Please give your feedback in our GitHub Discussion. We’d love to hear your thoughts!

See more

Mobile monthly: February’s general availability and more

What's new in Github Mobile, February update

January and February brought a number of improvements to GitHub Mobile, making it more powerful and flexible. We’re rolling out exciting new features designed to make coding and collaboration easier on the go. From third-party integrations that extend GitHub Copilot’s capabilities to in-chat coding assistance, sub-issues, and refined notification preferences, these updates are designed to boost productivity and keep you connected wherever you are.

What’s new:

Copilot Chat is now available for Free on GitHub Mobile

  • Introducing GitHub Copilot Chat to all users on GitHub Mobile for free. Just tap the Copilot button to start getting answers for coding questions, or chat about issues, pull requests, and repositories wherever you are.
  • Copilot Extensions on GitHub Mobile are generally available. Developers can extend Copilot’s capabilities on the go, integrating third-party tools, automating tasks, and receiving personalized code suggestions.
  • Introducing sub-issues on GitHub Mobile. Track progress and understand remaining work within a parent-child hierarchy on the go.
  • Review your notification preferences: from time to time, we’ll ask that you check in on your notification preferences to ensure that you’re receiving the kinds of notifications you want, at times you want to receive them.
Copilot Extensions Sub-issues
Copilot extensions.png sub-issues.png

iOS bug fixes:

  • Widgets reflect the accent color when tinted.
  • Add reactions to the latest release in the Releases view.
  • Inbox swipe actions get dismissed before entering batch selection mode.
  • In the Explore view, avatars load correctly with transparent background.
  • In the Issue view, remove an extra animation when data loads.
  • Navigate content in the Explore view’s “For You” feed using assistive technologies.
  • Pull request reviews from Copilot code review show the “Copilot” brand name.
  • Clearing a field used for a grouping within a project re-groups content without duplicate group titles.
  • Fixed an issue where the search bar was improperly updated during text input with marked text in Japanese or Chinese input methods.
  • Fixed an issue where pull-to-refresh in discussions failed to refresh data and the loading indicator remained stuck.
  • The pull request widget responds to user specified tints.
  • Issues in archived repositories no longer show update actions.
  • Code vulnerability alerts in Copilot chat are no longer duplicated.
  • Indented code blocks in Copilot chat display within a chat response.
  • Nested lists in markdown content display with less indentation when viewed with larger text sizes.
  • Issue and pull requests display their issue or pull request number when scoped to a single repository.
  • Shortcuts scoped to a single repository will no longer list the repository name for each issue or pull request.

Android bug fixes:

  • Improved scrolling performance for lists where list items contains web views.
  • The correct default commit message now appears when creating a new file in a repository.
  • Improved line wrapping in the Code view.
  • Various sub-issues design tweaks and improvements.
  • Fixed file header appearance in pull request reviews.
  • Pull request reviews now display the correct submission date.
  • Anchor links in markdown files will now scroll to the correct position.
  • The delete branch button will now be shown after closing a pull request.
  • Bots are now mentionable in pull request reviews if they are the author.

Learn more about share your feedback to help us improve.

Join the discussion within GitHub Community.

See more

Java CSRF, Go 1.24 and C# 13 language features support available in CodeQL 2.20.5

CodeQL version 2.20.5 has been released and includes a host of coverage improvements, including extended support for C# 13 and new detection capabilities for Java and GitHub Actions workflow files.

CodeQL is the static analysis engine that powers GitHub code scanning, which finds and remediates security issues in your code.

CodeQL 2.20.5 adds full support for new language features introduced in C# 13 / .NET 9, as well improved coverage for .NET 9. This will improve the detection of alerts and reduce the chance of false negative results.

CodeQL Java analysis is improved with additional support for new analysis capability detects vulnerabilities that occur when using HTTP request types that are not protected against cross site requests by default.

Go analysis has been updated to support Go 1.24, which includes new language features and improvements. This will improve the detection of alerts and reduce the chance of false negative results.

For a full list of changes, please refer to the complete changelog for version manually upgrade your CodeQL version.

See more

Improved code scanning coverage for GitHub Actions (Public Preview)

We recently launched analysis capabilities for GitHub Actions workflow files in public preview.

With the release of CodeQL 2.20.5, we are expanding the analysis capabilities to detect additional types of security risks associated with Actions workflow files and we have adjusted some of the existing queries.

The analysis coverage is improved with the addition of five new queries that identify additional types of security risks associated with Actions workflow files. The new queries are:

  • actions/envpath-injection/medium detects situations where user-controlled sources (like the text of a GitHub issue) are used to populate the PATH environment variable. This could allow an attacker to alter the execution of system commands.
  • actions/envvar-injection/medium detects situations where environment variables which are not properly sanitized can lead to the injection of additional unwanted variables, using new lines or {delimiters}.
  • actions/code-injection/medium– detects situation where user-controlled input can end up in contexts like run: or script:, leading to malicious code being executed and secrets being leaked.
  • actions/artifact-poisoning/medium detects situations where artifacts are not correctly extracted, stored and verified, which could result in a poisoned artifact being executed, leading to repository compromise.
  • actions/untrusted-checkout/medium detects situations where workflows triggered by events like pull_request_target or issue_comment can execute arbitrary code from untrusted sources, if followed by an explicit checkout.

Because of its lower precision and the large number of alerts it generates, the query default query suite, and all existing alerts for this query will be automatically closed if the security-extended suite is not being used.

Three queries have been removed from the security-extended query suites because they do not produce relevant security alerts. Alerts generated by these queries will be closed automatically.

These changes are now available with the release of CodeQL 2.20.5. For a full list of changes, please refer to the complete changelog for version manually upgrade your CodeQL version.

See more

OpenAI GPT-4.5 in GitHub Copilot now available in public preview

GitHub Copilot GPT-4.5

OpenAI’s latest model, GPT-4.5, is now available in GitHub Copilot Chat to Copilot Enterprise users. GPT-4.5 is a large language model designed with advanced capabilities in intuition, writing style, and broad knowledge. It performs effectively with creative prompts and provides reliable responses to obscure knowledge queries. GPT-4.5 will launch in Visual Studio Code and on github.com for Copilot Enterprise users with a limit of 10 requests every 12 hours per user. In the coming weeks, we’ll be scaling rate limits and extending support to Visual Studio and JetBrains.

GPT 4.5 in the VS Code Model Picker

As model releases have continued to accelerate, we’ve been thinking about how we can sustainably offer advanced AI models like GPT-4.5 to more GitHub users. This includes individual developers who want the most advanced capabilities from day one. Stay tuned for updates.

Enabling access

Copilot Enterprise administrators will need to enable access to GPT-4.5 via a new policy in Copilot settings. As an administrator, you can confirm availability by checking your individual Copilot settings and confirming the policy for GPT-4.5 is set to “enabled”. Once enabled, users will see GPT-4.5 in the Copilot Chat model selector in VS Code and on github.com.

See more

Scheduled Codespaces maintenance

Codespaces will be undergoing maintenance in Europe and Southeast Asia from 17:00 UTC on Friday, February 28 to 02:00 UTC on Saturday, March 1. Maintenance will begin in North Europe at 17:00 UTC on Friday, February 28. Once it is complete, maintenance will start in Southeast Asia, followed by UK South. Each region will take approximately two to three hours to complete.

During this time period, users may experience connectivity issues with new and existing Codespaces.

If you have uncommitted changes you may need during the maintenance window, you should verify they are committed and pushed before maintenance starts. Codespaces with any uncommitted changes will be accessible as usual once maintenance is complete.

See more

Changes and deprecation notice for npm replication APIs

We are making changes to npm replication APIs to optimize performance and availability. As part of this update, certain endpoints will be deprecated as of Thursday, May 29, 2025.

To facilitate a seamless transition, the new endpoints will be available starting Tuesday, March 18, 2025, operating in parallel with the existing endpoints. The existing endpoints will be fully deprecated on Thursday, May 29, 2025.

During the transition period, you may access the new endpoints by including the npm-replication-opt-in header with the value true in your requests. This option will be available from Tuesday, March 18, 2025 until the deprecation date, after which only the new endpoints will be available. Effective Thursday, May 29, 2025, the header will be ignored, and all requests will be directed to the new endpoints by default.

This notice is provided to ensure adequate time for necessary updates to replication implementations. We strongly encourage developers to migrate to the new endpoints as early as possible.

How to migrate?

To assist with migration, we have detailed documentation in our replication API migration community discussion, outlining alternative approaches for deprecated endpoints when available. This is the go-to place for questions and discussions.

Additional support for migration

If you have further questions or need additional assistance, please reach out to our support team.

See more

Manage push protection bypass requests for secret scanning with the REST API

Push protection for secret scanning blocks any push that contains a secret. By default, this block can be bypassed, which results in a secret scanning alert in the repository. Delegated bypass controls let you choose who is allowed to bypass push protection, and contributors without permissions to bypass must submit a request for approval by the listed reviewers. These controls can reduce the risk of secrets being accidentally exposed in your codebase.

Managing bypass requests is now available with the REST API, offering flexibility for triaging and reviewing by integrating with your existing workflows.

Reviewers can retrieve bypass requests for an organization or repository with the following endpoints:

See more

It is easier to track your progress with fixed code scanning CodeQL security alerts on the Security Overview page

Now it is easier to see how many of your historical CodeQL alerts received autofix suggestions and how many of those alerts were resolved across all the repositories in your organization.

Historical alerts are those found in your default and protected branches, indicating potential existing security issues in your code. You can stay informed about the progress of historical alert resolution and expediting this process as it is essential for accurately assessing your security risks.

The new “Alerts fixed with autofix suggestions” tile on the Security Overview provides you with the total number of fixed vulnerabilities compared to the total suggested autofixes for existing alerts. This will help you stay informed about the security trends in your organization.

Learn more about security overview.

To leave feedback for Copilot Autofix for code scanning, join the discussion.

See more

Phi-4-mini-instruct and Phi-4-multimodal-instruct are now available in GitHub Models (GA)

Phi-4-mini-instruct and Phi-4-multimodal-instruct models release
The latest AI models from Phi, 4-mini-instruct and 4-multimodal-instruct, are now available in GitHub Models.

Phi-4-mini-instruct is a 3.8B parameter lightweight model designed for chat-completion prompts and strong reasoning, particularly in math and logic. Its efficiency makes it well-suited for memory- and compute-constrained environments.

Phi-4-multimodal-instruct is a 5.6B parameter multimodal model that excels at generating text outputs from various inputs including text, images, and audio. This model demonstrates strength in reasoning across multiple modalities.

GitHub Models makes it easy for every developer to build AI features and products on GitHub.

Try, compare, and implement these models in your code for free in the playground (API.

To learn more about GitHub Models, community discussions.

See more

Increased items in GitHub Projects now in public preview

Following our opt-in preview last October, we’re excited to expand item limits for all projects — increasing from 1,200 to 50,000 items per project.

Since the last release, we’ve added support for project insights and mobile, addressed your top bug reports, and delivered key performance improvements.

We’re rolling out increased limits incrementally over the next week. If you see the Increased items preview pill in your project, you’re now in the preview.

Insights for all

With this release, we’re also making project insights fully accessible to all plans—removing paid gating entirely. All plans now have access to both current state and historical charts in public and private repositories, with no feature restrictions. Learn more about insights for projects.

For questions and feedback, join the discussion within the GitHub Community.

See more

Copilot secret scanning can be enabled through code security configurations

Copilot secret scanning, which scans for passwords using AI, offers greater precision for detecting unstructured credentials that can cause security breaches if exposed.

You can now use code security configurations to enable Copilot secret scanning across your enterprise or organization, allowing you to control which repositories are detecting passwords at scale.

Copilot secret scanning is available for all repositories with a GitHub Advanced Security license. You do not need a Copilot license. To give you control over how AI is used across your repositories, Copilot secret scanning is not included in the GitHub Recommended configuration.

Learn more about protecting your repositories with generic secret detection.

See more
View more changes

Follow Lee on X/Twitter - Father, Husband, Serial builder creating AI, crypto, games & web tools. We are friends :) AI Will Come To Life!

Check out: eBank.nz (Art Generator) | Netwrck.com (AI Tools) | Text-Generator.io (AI API) | BitBank.nz (Crypto AI) | ReadingTime (Kids Reading) | RewordGame | BigMultiplayerChess | WebFiddle | How.nz | Helix AI Assistant