GitHub Changelog

We’ve created a new section in the code scanning alerts page called Development that tracks critical information for alerts such as affected branches, fixes, and associated pull requests. This helps you and your team stay informed about the progress of fixing alerts.

The new development section on the code scanning alert page

You can now easily answer important questions when investigating alerts:

This update empowers teams to streamline their alert resolution process by offering visibility into where and how fixes are being applied.

Learn more about code scanning and Copilot Autofix for CodeQL code scanning.


A warning is now displayed when a file’s contents include hidden Unicode text on github.com. Such text can be interpreted differently than it appears in a user interface. For example, hidden Unicode characters can conceal text inside a file, so the code appears one way to a reviewer but is interpreted another way by a compiler, interpreter, or especially an AI model.

Warning about the presence of hidden Unicode text.

To review a file for which this warning is displayed, open it in an editor that displays hidden Unicode characters, such as Visual Studio Code, which highlights them by default. Then verify that the characters are necessary and are not disguising text that will be interpreted or compiled differently than it appears.

For more information, refer to Pillar Security: Rules File Backdoor and Hiding and Finding Text with Unicode Tags.
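The check an editor or a pre-commit hook performs for this warning can be reproduced locally. The following is an added example (not GitHub's code, and not taken from the references above) that scans a constructed sample file for three families of hidden code points: Unicode tag characters, zero-width characters, and bidirectional override controls. The code point lists are an assumption for this example, not GitHub's detection rule; `decode_tags` additionally recovers the ASCII payload that tag characters can carry, so a reviewer can see what the file actually says to a parser or a model.

```python
import unicodedata
from typing import Dict, List, Optional

# Code point groups that render as nothing (or reorder what is rendered) yet still reach
# a compiler, interpreter or LLM. Constructed for this example; not GitHub's own list.
TAG_LO, TAG_HI = 0xE0000, 0xE007F                        # Unicode tag characters
ZERO_WIDTH = {0x200B, 0x200C, 0x200D, 0x2060, 0xFEFF}    # ZWSP, ZWNJ, ZWJ, word joiner, BOM
BIDI_CONTROLS = {0x202A, 0x202B, 0x202C, 0x202D, 0x202E,  # LRE, RLE, PDF, LRO, RLO
                 0x2066, 0x2067, 0x2068, 0x2069}          # LRI, RLI, FSI, PDI


def classify(cp: int) -> Optional[str]:
    """Return the hidden-text category of a code point, or None if it is ordinary visible text."""
    if TAG_LO <= cp <= TAG_HI:
        return "tag"
    if cp in ZERO_WIDTH:
        return "zero-width"
    if cp in BIDI_CONTROLS:
        return "bidi"
    return None


def find_hidden(text: str) -> List[Dict]:
    """List every hidden code point with its 1-based line/column, category and Unicode name."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for col, ch in enumerate(line, 1):
            kind = classify(ord(ch))
            if kind:
                findings.append({
                    "line": lineno, "col": col, "kind": kind,
                    "codepoint": f"U+{ord(ch):04X}",
                    "name": unicodedata.name(ch, "<unnamed>"),
                })
    return findings


def decode_tags(text: str) -> str:
    """Recover the ASCII payload carried by tag characters (U+E0020..U+E007E map to U+0020..U+007E)."""
    return "".join(chr(ord(ch) - TAG_LO) for ch in text if 0xE0020 <= ord(ch) <= 0xE007E)


def _as_tags(s: str) -> str:
    # Helper used only to build the constructed sample below.
    return "".join(chr(TAG_LO + ord(c)) for c in s)


# Constructed sample file: each line looks harmless in a viewer that does not render these code points.
SAMPLE = (
    "# reviewed, looks fine" + _as_tags("hidden note") + "\n"
    "user = 'admin'\u200b  # zero-width space right after the closing quote\n"
    "x = 1 \u202e# bidi override can make the rest of the line display reversed\n"
)


def report(text: str) -> str:
    """Human-readable summary of what find_hidden and decode_tags see in the text."""
    lines = [f"{f['line']}:{f['col']} {f['codepoint']} {f['kind']:<10} {f['name']}"
             for f in find_hidden(text)]
    payload = decode_tags(text)
    if payload:
        lines.append(f"tag payload: {payload!r}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE))
```

Run it against any file you were warned about (read the file as UTF-8 and pass the text to `report`); a clean file produces no output, and any tag payload is printed on the last line so it can be judged on what it says rather than on how the file looks.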


We’ve introduced new accessibility updates to the GitHub CLI, designed to make terminal workflows more inclusive for all developers. These improvements focus on:

These updates are available in public preview. To start using these features, run gh a11y.

To learn more, check out the GitHub CLI release notes for version 2.72.0.

Have any questions, feedback, or other comments? Share them in our community discussion post.


Back in 2019, we launched draft pull requests, allowing you to clearly tag when a pull request is a work in progress.

Previously, GitHub Free users could only create draft pull requests in public repos. Today, we’re changing that. You can now create draft pull requests in any repository, public or private, completely free of charge, so you can share your work and start collaborating earlier. ⭐

Ready to try it? Just select Create draft pull request when creating a pull request:

Demonstrating how to create a draft pull request

And when your pull request is ready for review, click the Ready for review button at the bottom of your pull request:

A draft pull request with the **Ready for review** button


Phi-4-reasoning and Phi-4-mini-reasoning release on GitHub Models

The latest AI models from Microsoft, Phi-4-reasoning and Phi-4-mini-reasoning, are now available on GitHub Models.

Phi-4-reasoning is a model optimized for advanced reasoning in math, science, and coding. It is ideal for applications such as coding assistance, generative AI research, and knowledge-intensive problem-solving.

Phi-4-mini-reasoning is a lightweight model designed for multi-step mathematical reasoning and logic-intensive tasks, such as formal proof generation, symbolic computation, and advanced word problems. Its efficient design supports educational applications, embedded tutoring, and lightweight mobile systems.

Try, compare, and implement these models in your code for free in the playground (Phi-4-reasoning and Phi-4-mini-reasoning) or through the GitHub API.

To learn more, visit the GitHub Models documentation, and join the community discussions to share feedback and connect with other developers.


Actions Runner Controller (ARC) is a Kubernetes operator that automates the deployment, scaling, and lifecycle management of self-hosted actions runners within a Kubernetes cluster. It enables dynamic provisioning of runners based on workflow demand.

Now available in public preview, Dependabot can execute on self-hosted GitHub Actions runners managed within a Kubernetes cluster via ARC. This enables auto-scaling, workload isolation, and better resource management for Dependabot jobs, ensuring that dependency updates can run efficiently within an organization’s controlled infrastructure while integrating seamlessly with GitHub Actions.

If you’re running self-hosted runners on Kubernetes with ARC (cloud or on-prem), and you’re interested in trying out Dependabot PR creation, we’d love your feedback.


We previously announced that GitHub tasklists will be retired on April 30th. At that point, the ability to reference code scanning alerts from tasklists will be deprecated as well. This means that code scanning alerts will no longer display “tracked by” information that refers to any tasklist referencing the alert.

To learn more about managing code scanning alerts, visit our documentation.

If you have any questions or feedback, please reach out through GitHub Support.


You can now revoke an exposed GitHub personal access token (PAT) you found outside of repositories, even if it’s not yours, to help quickly limit the impact of the exposure and improve the security of the software ecosystem.

If you find classic or fine-grained PATs on GitHub or elsewhere, you can submit a bulk revocation request using the new Credential Revocation REST API. If the API receives a valid token, it automatically revokes the token and logs the revocation in the token owner’s audit log. If the exposed token was granted access to a GitHub organization, it will no longer have access to the organization.

A screenshot of the user's audit log event, titled "oauth_access.revoke".

It also notifies the token owner of the revocation through an email sent to the primary email address associated with the owner’s GitHub user account:

A screenshot of an email titled "Action needed: Personal access token was revoked"

This is an unauthenticated API and is available for all users on github.com. To prevent abuse, it is limited to 60 unauthenticated requests per hour and a maximum of 1000 tokens per API request.

Learn more in our documentation on best practices for revoking exposed tokens.
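The two limits above (60 unauthenticated requests per hour, 1000 tokens per request) shape how a bulk revocation should be planned. The following is an added example, not GitHub's own code or documentation: it pulls token-shaped strings out of a constructed log excerpt, deduplicates them, splits them into batches that respect the per-request cap, refuses to plan more batches than fit in one hour, and builds the POST requests. The endpoint path, the JSON body shape (`{"credentials": [...]}`) and the token regex are assumptions made for this example; confirm them against the REST API documentation before sending anything, and run with `dry_run=True` (the default) until you have.

```python
import json
import re
import urllib.request
from typing import Iterable, List

MAX_TOKENS_PER_REQUEST = 1000   # per-request cap stated in the changelog
MAX_REQUESTS_PER_HOUR = 60      # unauthenticated rate limit stated in the changelog

# Endpoint path is an assumption (not given on the page); confirm against the REST API docs.
REVOKE_URL = "https://api.github.com/credentials/revoke"

# Approximate shapes of classic (ghp_, gho_, ghu_, ghs_, ghr_) and fine-grained (github_pat_)
# tokens; an assumption for this example, so tighten or extend it for your own scanning.
PAT_RE = re.compile(r"\b(?:gh[pousr]_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9_]{22,})\b")


def extract_tokens(text: str) -> List[str]:
    """Unique PAT-shaped strings found in text (log dump, paste, config), in order of first appearance."""
    seen, found = set(), []
    for m in PAT_RE.finditer(text):
        tok = m.group(0)
        if tok not in seen:
            seen.add(tok)
            found.append(tok)
    return found


def batch(tokens: Iterable[str], size: int = MAX_TOKENS_PER_REQUEST) -> List[List[str]]:
    """Split tokens into chunks no larger than the API's per-request limit."""
    toks = list(tokens)
    return [toks[i:i + size] for i in range(0, len(toks), size)]


def build_requests(tokens: Iterable[str]) -> List[urllib.request.Request]:
    """One POST per batch; refuses to plan more requests than one hour's unauthenticated budget allows."""
    batches = batch(tokens)
    if len(batches) > MAX_REQUESTS_PER_HOUR:
        raise ValueError(f"{len(batches)} requests exceed the {MAX_REQUESTS_PER_HOUR}/hour limit; spread them out")
    requests = []
    for chunk in batches:
        body = json.dumps({"credentials": chunk}).encode()   # body shape is an assumption, see lead-in
        requests.append(urllib.request.Request(
            REVOKE_URL, data=body, method="POST",
            headers={"Accept": "application/vnd.github+json",
                     "Content-Type": "application/json",
                     "X-GitHub-Api-Version": "2022-11-28"},
        ))
    return requests


def revoke(tokens: Iterable[str], dry_run: bool = True) -> List[int]:
    """Send the planned requests (or only describe them); returns HTTP status codes, 0 for dry runs."""
    statuses = []
    for req in build_requests(tokens):
        count = len(json.loads(req.data)["credentials"])
        if dry_run:
            print(f"[dry run] POST {req.full_url} with {count} token(s)")
            statuses.append(0)
            continue
        with urllib.request.urlopen(req) as resp:   # no Authorization header: the API is unauthenticated
            statuses.append(resp.status)
    return statuses


# Constructed sample: a pasted log that leaked one classic and one fine-grained token (the
# classic one twice). These values are made up and only match the shape of real tokens.
SAMPLE_LOG = (
    "2025-05-01T10:00:00Z GET /repos/x/y Authorization: token ghp_0123456789abcdefghijklmnopqrstuvwxyz\n"
    "2025-05-01T10:00:01Z retry with ghp_0123456789abcdefghijklmnopqrstuvwxyz\n"
    "2025-05-01T10:00:02Z env GH_TOKEN=github_pat_" + "A" * 22 + "_" + "B" * 59 + "\n"
)

if __name__ == "__main__":
    revoke(extract_tokens(SAMPLE_LOG), dry_run=True)
```

Because the API is unauthenticated, the request carries no credentials of your own; the only things that cross the wire are the tokens you are asking to have revoked, which is why the batches are built from deduplicated input and the hourly cap is enforced before the first request is sent rather than discovered from 429 responses.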


To improve reliability and reduce review assignment conflicts, we’re removing the Dependabot reviewers configuration option on Tuesday, May 27, 2025.

We’re retiring this dependabot.yml configuration option because its functionality overlaps with GitHub code owners. The overlap has caused review assignment conflicts in the past, and maintaining the same functionality in two places is duplicated effort.

Moving forward, we recommend relying solely on code owners for assigning pull request reviewers. You can use a CODEOWNERS file to define individuals or teams responsible for code in a repository. GitHub natively supports code owners, ensuring more consistent and streamlined behavior. This change simplifies your configuration by having all your review requests come from one configuration file.

To get started using code owners today, check out these steps to set up a CODEOWNERS file.


Copilot Edits is now generally available in JetBrains IDEs. This powerful feature lets you refactor, optimize, and iterate on your code faster—across one or multiple files—all from within Copilot Chat.

✨ What’s new

Use Copilot Edits to smoothly make changes in one or multiple files directly from Copilot Chat. To use Copilot Edits, click the Copilot Chat icon in the JetBrains IDE and start a new Edit session.

⚡️ Benefits for developers

🛠 Get involved

We encourage you to try out the latest version of the GitHub Copilot plugin and share your feedback. Your input is invaluable in helping us refine and improve the product.

Encounter a bug or have a feature request? Submit an issue here, we’d love to hear from you!


You can now use the user prompt improvement feature in the GitHub Models playground. This new feature helps transform vague or broad prompts into clearer, more specific, and optimized ones for better model outputs. With just a few clicks, you can refine prompts to improve clarity, add focus, or adjust tone and style to match your needs. By providing specific suggestions—like requesting a particular format or style—you can save time and achieve high-quality, actionable results.

Try it out today and unlock more potential in your AI experimentation!

To learn more about GitHub Models, check out the docs. You can also join our community discussions.


CodeQL is the static analysis engine behind GitHub code scanning, which finds and remediates security issues in your code. We’ve recently released version 2.21.1 of CodeQL. Here’s what’s new and improved in this release.

GitHub Actions

JavaScript/TypeScript

Ruby

For a full list of changes, check out the complete changelog for version 2.21.1. Every new version of CodeQL is automatically deployed to users of GitHub code scanning on github.com. The new functionality in CodeQL 2.21.1 will also be included in GitHub Enterprise Server (GHES) version 3.18. If you’re using an older version of GHES, you can manually upgrade your CodeQL version.


Linking a pull request to an issue makes it easy for collaborators to see that work for the issue is underway. Today, when a linked pull request is merged, the associated issue is automatically closed.

But for many teams, merging a PR doesn’t mean the work is done. There might be QA, validation, or follow-up steps before an issue is truly resolved. With this new repository setting, you can choose whether merging a pull request should automatically close its linked issues.

Repository admins and maintainers can manage this setting under Repository settings > General > Issues. It’s enabled by default to preserve existing behavior.

Shows the repository setting for auto-closing issues

For questions and feedback, join the discussion in GitHub Community.


GitHub Copilot code review now supports C, C++, Kotlin, Swift, and several other popular languages.

With this update, you can receive AI-powered review suggestions for even more code in your pull requests. See the full list of supported languages in our documentation.

Copilot code review now covers over 90% of the file types typically found in pull requests, so more of your code benefits from intelligent insights.

We’ve also improved the quality of suggestions. Copilot code review now surfaces higher-quality, more actionable feedback by better handling of low-confidence and suppressed results. These improvements are especially noticeable in C#, where Copilot now provides more accurate and relevant suggestions with improved version awareness.

In addition, Copilot has improved its ability to understand context. Instead of primarily looking at the file diff in the pull request, it now considers the entire file. This leads to more holistic and relevant review suggestions.

For more details or to join the conversation, visit GitHub Community discussions.


For customers affected by ongoing grace periods who have not opted out, GitHub will automatically update the “enable for new repositories” security configuration setting. This change helps you avoid unexpected billing charges without any manual effort on your part.

Team and Enterprise customers with a configuration applied before April 1, 2025 enabling paid security features for newly created private repositories will see one of the following two changes applied:

Customers who haven’t yet opted out with a representative from GitHub will see these settings enabled on the following dates:

Have questions? Reach out to GitHub for support.


GitHub code scanning now offers enhanced security protection for your GitHub Actions workflow files through CodeQL analysis, which is now generally available. This feature enables you to identify and remediate security vulnerabilities in your Actions workflows through automated code scanning, helping prevent potential security issues before they impact your CI/CD pipeline. CodeQL automatically analyzes your workflows to detect common security vulnerabilities, including missing required permissions, dangerous inputs without proper validation, and script injection vulnerabilities.

During the public preview period, we’ve helped secure over 158,000 repositories, detecting more than 800,000 potential vulnerabilities in Actions workflows, with approximately 15% of these issues being fixed by repository maintainers. This strong adoption demonstrates the value of automated security analysis for CI/CD workflows that use GitHub Actions.

For repositories using code scanning’s default setup, we will now automatically enable Actions workflow analysis when workflow files are detected in the default branch. For repositories using advanced setup, simply add the actions language to your existing configuration to enable this protection.

We’ve also added Copilot autofix functionality for the actions/missing-workflow-permissions query, one of the most frequent findings in Actions workflows. When this vulnerability is detected, you’ll receive automated fix suggestions to implement the principle of least privilege in your workflows, making remediation faster and easier.

To improve analysis quality, we’ve moved the actions/unversioned-immutable-action query to the extended query suite, allowing for more targeted and comprehensive analysis. If you’re using default setup, you can configure your scanning options to include extended queries. For repositories with advanced setup, you can specify this query suite in your CodeQL configuration. You can find more information about this change in the CodeQL release notes for 2.20.6.

Code scanning’s analysis of GitHub Actions workflow files will be available in GitHub Enterprise Server 3.18.

Learn more about configuring code scanning, securing your use of Actions, and vulnerabilities identified with CodeQL.
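Two of the vulnerability classes named above, a workflow with no `permissions` block (the `actions/missing-workflow-permissions` finding) and untrusted event data expanded directly inside a `run:` script, can be illustrated with a small checker. The following is an added example, not CodeQL's query and not GitHub's code: it parses workflow text line by line (deliberately without a YAML dependency), flags both patterns, and ships a constructed vulnerable workflow beside its hardened form, which adds a least-privilege `permissions` block and passes event data through environment variables instead of interpolating it into the shell. The list of untrusted expression contexts is an assumption for this example and is narrower than CodeQL's model.

```python
import re
from typing import Dict, Iterator, List, Tuple

# Expression contexts controlled by anyone who can open an issue or PR or leave a comment.
# Constructed list for this example; CodeQL's own query uses a more complete model.
UNTRUSTED_PREFIXES = (
    "github.event.issue.title", "github.event.issue.body",
    "github.event.pull_request.title", "github.event.pull_request.body",
    "github.event.pull_request.head.ref", "github.event.pull_request.head.label",
    "github.event.comment.body", "github.event.review.body",
    "github.event.review_comment.body", "github.event.head_commit.message",
    "github.event.commits", "github.head_ref",
)
EXPR_RE = re.compile(r"\$\{\{\s*([^}]*?)\s*\}\}")
RUN_RE = re.compile(r"^\s*(?:-\s+)?run:\s*(.*)$")
BLOCK_SCALARS = {"|", ">", "|-", ">-", "|+", ">+"}


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip())


def _run_values(lines: List[str]) -> Iterator[Tuple[int, str]]:
    """Yield (1-based line of the run: key, full script text) for every run: step,
    folding block scalars (run: |) by indentation. Line-based on purpose: no YAML dependency."""
    i = 0
    while i < len(lines):
        m = RUN_RE.match(lines[i])
        if not m:
            i += 1
            continue
        key_line, key_indent = i + 1, lines[i].index("run:")
        value = m.group(1).strip()
        i += 1
        if value in BLOCK_SCALARS:
            body = []
            while i < len(lines) and (not lines[i].strip() or _indent(lines[i]) > key_indent):
                body.append(lines[i])
                i += 1
            value = "\n".join(body)
        yield key_line, value


def check_workflow(text: str) -> List[Dict]:
    """Flag (1) no permissions: block anywhere, so GITHUB_TOKEN keeps its default scopes, and
    (2) untrusted event data interpolated straight into a run: script (shell injection)."""
    lines = text.splitlines()
    findings = []
    if not any(re.match(r"^\s*permissions:", ln) for ln in lines):
        findings.append({"rule": "missing-workflow-permissions", "line": 1,
                         "detail": "add a least-privilege permissions: block at workflow or job level"})
    for lineno, script in _run_values(lines):
        for expr in EXPR_RE.findall(script):
            if expr.startswith(UNTRUSTED_PREFIXES):
                findings.append({"rule": "expression-injection", "line": lineno,
                                 "detail": f"${{{{ {expr} }}}} expands inside a shell script"})
    return findings


# Constructed sample workflows: the first has both problems, the second is the hardened form.
VULNERABLE = """\
name: triage
on:
  issues:
    types: [opened]
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - run: echo "New issue: ${{ github.event.issue.title }}"
      - run: |
          git fetch origin
          echo "${{ github.event.issue.body }}" >> notes.txt
"""

HARDENED = """\
name: triage
on:
  issues:
    types: [opened]
permissions:
  issues: write      # only what the job needs; everything else stays unset
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - env:
          TITLE: ${{ github.event.issue.title }}   # untrusted data enters via env, not the script
          BODY: ${{ github.event.issue.body }}
        run: |
          git fetch origin
          echo "New issue: $TITLE"
          echo "$BODY" >> notes.txt
"""

if __name__ == "__main__":
    for name, wf in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(name, check_workflow(wf) or "clean")
```

The environment-variable indirection is the standard fix: the expression is evaluated by the runner before the shell starts, so the issue text lands in a variable and a quoted `"$TITLE"` is treated as data, whereas `${{ }}` inside `run:` is substituted into the script source before the shell parses it.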


Dependabot users can now schedule custom update frequencies by using cron expressions in schedule.interval in the Dependabot configuration file. This extends the predefined intervals (daily, weekly, and monthly) with a more general and robust option, so you can define custom schedules that meet your specific needs.

For help writing a cron expression, try this tool.

To learn more about using cron expressions to schedule Dependabot updates in the dependabot.yml file, check out GitHub’s Dependabot schedule.interval docs.

To engage with the Dependabot community on the topic of cron-based update scheduling, join the conversation.
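A cron expression is easy to get subtly wrong (a field out of range, a day-of-week alias, the day-of-month/day-of-week interaction), so it is worth checking one locally before committing it to dependabot.yml. The following is an added example, not GitHub's or Dependabot's code: a small evaluator for the standard five-field cron syntax that validates each field, tells you whether a given minute matches, and computes the next run after a given time. It implements the common vixie-cron rules as an assumption; the page does not specify which cron dialect Dependabot accepts, so treat it as a sanity check, not as Dependabot's scheduler.

```python
from datetime import datetime, timedelta
from typing import Set

# Standard 5-field cron: minute hour day-of-month month day-of-week.
# Dependabot's exact dialect is not given on the page; common vixie-cron rules are assumed here.


def _parse_field(field: str, lo: int, hi: int) -> Set[int]:
    """Expand one field ('*', 'a-b', 'a,b,c', '*/n', 'a-b/n', 'a/n') into the set of matching values."""
    values: Set[int] = set()
    for part in field.split(","):
        step = 1
        has_step = "/" in part
        if has_step:
            part, step_text = part.split("/", 1)
            step = int(step_text)
            if step < 1:
                raise ValueError(f"step must be >= 1 in {field!r}")
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            a, b = part.split("-", 1)
            start, end = int(a), int(b)
        else:
            start = int(part)
            end = hi if has_step else start     # '5/15' means 5, 20, 35, ...
        if not lo <= start <= end <= hi:
            raise ValueError(f"{part!r} out of range {lo}-{hi}")
        values.update(range(start, end + 1, step))
    return values


class Cron:
    def __init__(self, expr: str):
        parts = expr.split()
        if len(parts) != 5:
            raise ValueError("expected 5 fields: minute hour day-of-month month day-of-week")
        self.minute = _parse_field(parts[0], 0, 59)
        self.hour = _parse_field(parts[1], 0, 23)
        self.dom = _parse_field(parts[2], 1, 31)
        self.month = _parse_field(parts[3], 1, 12)
        self.dow = {d % 7 for d in _parse_field(parts[4], 0, 7)}   # 7 is an alias for Sunday (0)
        self.dom_restricted = parts[2] != "*"
        self.dow_restricted = parts[4] != "*"

    def matches(self, dt: datetime) -> bool:
        """True if dt (to the minute) satisfies the expression."""
        if dt.minute not in self.minute or dt.hour not in self.hour or dt.month not in self.month:
            return False
        dom_ok = dt.day in self.dom
        dow_ok = (dt.weekday() + 1) % 7 in self.dow      # Python: Monday=0; cron: Sunday=0
        if self.dom_restricted and self.dow_restricted:
            return dom_ok or dow_ok                       # vixie-cron: either restricted field may match
        return dom_ok and dow_ok

    def next_run(self, after: datetime, limit_days: int = 366) -> datetime:
        """First matching minute strictly after `after`, scanning minute by minute."""
        dt = (after + timedelta(minutes=1)).replace(second=0, microsecond=0)
        end = dt + timedelta(days=limit_days)
        while dt < end:
            if self.matches(dt):
                return dt
            dt += timedelta(minutes=1)
        raise ValueError("no run within the search window")


def next_run_iso(expr: str, after_iso: str) -> str:
    """Convenience wrapper over ISO-8601 strings, e.g. next_run_iso('0 9 * * 1-5', '2025-05-03T10:00')."""
    return Cron(expr).next_run(datetime.fromisoformat(after_iso)).isoformat(timespec="minutes")


if __name__ == "__main__":
    # Constructed starting point: Saturday 2025-05-03 10:00
    for expr in ("0 9 * * 1-5", "*/15 * * * *", "30 6 1,15 * *"):
        print(f"{expr:<16} -> {next_run_iso(expr, '2025-05-03T10:00')}")
```

The minute-by-minute scan is intentionally simple: for the update cadences Dependabot is used for (daily, weekdays, twice a month) it returns within a few thousand iterations, and it avoids the off-by-one mistakes that a cleverer field-jumping search tends to introduce around month boundaries.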


This is a follow-up to our previous announcement about npm replication APIs.

The new replication feed APIs are now live. While the legacy feeds will remain available—with limitations and scheduled brownout periods—until May 29, 2025, we strongly encourage all users to begin transitioning to the new APIs as soon as possible.

To access the updated feeds ahead of the deprecation, include the npm-replication-opt-in header with a value of true in your requests. This will route your traffic to the new APIs, bypassing the legacy feeds and avoiding any disruptions during brownout phases.

Please note that starting May 29, 2025, the legacy feeds will be fully deprecated. After this date, all requests to the replication feeds will automatically be served by the new APIs, regardless of header usage.

This change is part of our ongoing efforts to improve the performance and reliability of our services. We appreciate your understanding and cooperation during this transition.

Check out the migration guide and join the discussion in GitHub Community.
