GitHub Upgrade – 3.0.4

We are finally making the jump to GitHub 3.0! This upgrade will include all features and changes from 3.0.0 through 3.0.4.

This upgrade includes the long-awaited Actions and Packages features!

We will initially be rolling out Actions to a limited number of organizations to pilot the feature. Please send a request to github@help.ncsu.edu if you would like your organization to be granted access to Actions. Be sure to include the name of your organization in your request, as well as a brief description of how you intend to use Actions.

The Packages feature will not be enabled during this upgrade. There are currently no administrative controls which prevent users from completely filling the allocated storage and causing service disruptions. We have asked GitHub to provide these controls so that we can enable the feature, but until such controls are provided we will not be able to enable the Packages feature.

The GitHub for Mobile feature will be available with this upgrade.

The default branch name for new repositories will be updated to main instead of master. Existing repositories will be unaffected by this change. Users and organizations may set their own preference for initial default branch names in the settings menu.

Security Fixes

  • HIGH: An improper access control vulnerability was identified in GitHub Enterprise Server that allowed access tokens generated from a GitHub App’s web authentication flow to read private repository metadata via the REST API without having been granted the appropriate permissions. To exploit this vulnerability, an attacker would need to create a GitHub App on the instance and have a user authorize the application through the web authentication flow. The private repository metadata returned would be limited to repositories owned by the user the token identifies. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.0.4 and was fixed in versions 3.0.4, 2.22.10, 2.21.18. This vulnerability has been assigned CVE-2021-22865 and was reported via the GitHub Bug Bounty Program.
  • Packages have been updated to the latest security versions.

Features

  • GitHub Actions is now generally available on GitHub Enterprise Server 3.0+.
  • GitHub Packages is a package hosting service, natively integrated with GitHub APIs, Actions, and webhooks.
  • GitHub for mobile beta allows you to triage notifications and manage issues and pull requests from your device.

Changes

  • The webhook events delivery system has been rearchitected for higher throughput, faster deliveries, and fewer delayed messages. It also uses less CPU and memory in GitHub Enterprise Server 3.0+.
  • Organization and Enterprise owners can now see when a team member has been promoted to or demoted from being a team maintainer in the audit log through the new team.promote_maintainer and team.demote_maintainer audit log events. For more information, see “Audited actions.”
  • Repository maintainers with existing GitHub Pages sites can easily update their prior default branch name.
  • Organization owners can now disable publication of GitHub Pages sites from repositories in the organization. Disabling GitHub Pages for the organization will prevent members from creating new Pages sites but will not unpublish existing sites. For more information, see “Disabling publication of GitHub Pages sites for your organization.”
  • All SSH fingerprints are now displayed as SHA256 fingerprints, the format OpenSSH has used by default since version 6.8. This applies to the web interface and to the API wherever fingerprints are returned, such as in GraphQL. The fingerprints follow the OpenSSH format.
  • Webhook deliveries now carry two signature headers, one SHA-1 and one SHA-256.
  • A new API endpoint enables the exchange of a user-to-server token for a user-to-server token scoped to specific repositories. For more information, see “Apps” in the GitHub REST API documentation.
  • Enterprise and organization administrators can now set the default branch name for new repositories. Enterprise administrators can also enforce their choice of default branch name across all organizations or allow individual organizations to choose their own.
  • Requests are now satisfied concurrently when multiple users download the same archive, resulting in improved performance.
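The SHA256 fingerprint format mentioned above is simple to reproduce locally, which is useful when comparing a key shown in the web interface or returned by the API against a key in your own authorized_keys or known_hosts file. The following is an added example, not code from the page or from GitHub: it parses an OpenSSH public key line, checks that the declared key type matches the type embedded in the key blob, and computes both the OpenSSH-style SHA256 fingerprint and the legacy colon-separated MD5 form for comparison. The key material is constructed inline (bytes 0..31) and is not a real key.

```python
import base64
import hashlib
from typing import Tuple


def parse_public_key(line: str) -> Tuple[str, bytes]:
    """Split an OpenSSH public key line into (key type, raw key blob).

    The line looks like 'ssh-ed25519 AAAA... optional-comment'. Only the
    base64 blob is fingerprinted; the trailing comment is never hashed.
    """
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    blob = base64.b64decode(b64, validate=True)
    # The blob starts with a length-prefixed copy of the key type; require it
    # to agree with the declared type so a mislabelled key is rejected.
    name_len = int.from_bytes(blob[:4], "big")
    if blob[4:4 + name_len].decode() != key_type:
        raise ValueError("key type inside blob does not match declared type")
    return key_type, blob


def sha256_fingerprint(blob: bytes) -> str:
    """OpenSSH >= 6.8 format: 'SHA256:' + base64 of SHA-256(blob) without '=' padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def md5_fingerprint(blob: bytes) -> str:
    """Legacy pre-6.8 format: 'MD5:' + colon-separated hex of MD5(blob)."""
    hexdigest = hashlib.md5(blob).hexdigest()
    return "MD5:" + ":".join(hexdigest[i:i + 2] for i in range(0, 32, 2))


def fingerprint_line(line: str) -> str:
    """Convenience wrapper: SHA256 fingerprint of a whole public key line."""
    return sha256_fingerprint(parse_public_key(line)[1])


def constructed_key_line(comment: str = "demo@example") -> str:
    """Build a syntactically valid ed25519 public key line from constructed bytes.

    The blob is a length-prefixed type string followed by a length-prefixed
    32-byte public key (here bytes 0..31, which is NOT a real key).
    """
    key_type = b"ssh-ed25519"
    pub = bytes(range(32))
    blob = (len(key_type).to_bytes(4, "big") + key_type
            + len(pub).to_bytes(4, "big") + pub)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


if __name__ == "__main__":
    line = constructed_key_line()
    print(fingerprint_line(line))
    print(md5_fingerprint(parse_public_key(line)[1]))
```

Running the block prints the SHA256 fingerprint followed by the MD5 form; the SHA256 value is 43 base64 characters after the prefix because the trailing '=' is stripped, which is exactly what `ssh-keygen -lf` prints and what the upgraded web interface now shows.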
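Receivers of webhooks should verify the new signature headers before trusting a delivery, and should prefer the SHA-256 header now that it is sent. The following is an added example of such a receiver-side check, not code from the page or from GitHub. It assumes GitHub's documented header convention, `X-Hub-Signature` carrying `sha1=<hex>` and `X-Hub-Signature-256` carrying `sha256=<hex>`, computed as an HMAC of the raw request body with the webhook secret; the secret and payload are constructed values for the demonstration.

```python
import hashlib
import hmac
import json
from typing import Dict, Optional

# Constructed sample values for the demonstration (not from any real instance).
WEBHOOK_SECRET = b"example-webhook-secret"
PAYLOAD = json.dumps({"action": "opened", "number": 42}).encode()

# Header names follow GitHub's documented convention (assumed here).
HEADER_SHA1 = "X-Hub-Signature"
HEADER_SHA256 = "X-Hub-Signature-256"


def sign(secret: bytes, body: bytes, algo: str) -> str:
    """Header value the sender attaches: '<algo>=' + hex HMAC of the raw body."""
    digest = hmac.new(secret, body, getattr(hashlib, algo)).hexdigest()
    return f"{algo}={digest}"


def verify_delivery(headers: Dict[str, str], body: bytes, secret: bytes) -> str:
    """Return which algorithm verified ('sha256' or 'sha1'); raise ValueError otherwise.

    The SHA-256 header is checked first. If it is present but wrong the delivery
    is rejected outright, so a mismatched SHA-256 header can never be "rescued"
    by a weaker SHA-1 header. SHA-1 is accepted only when no SHA-256 header exists.
    """
    lowered = {k.lower(): v for k, v in headers.items()}  # HTTP headers are case-insensitive
    for algo, header in (("sha256", HEADER_SHA256), ("sha1", HEADER_SHA1)):
        presented = lowered.get(header.lower())
        if presented is None:
            continue
        expected = sign(secret, body, algo)
        # Constant-time comparison avoids leaking the expected digest via timing.
        if hmac.compare_digest(presented, expected):
            return algo
        raise ValueError(f"{header} present but does not match the payload")
    raise ValueError("no signature header present")


def delivery_is_valid(headers: Dict[str, str], body: bytes, secret: bytes) -> bool:
    """Boolean form of verify_delivery for callers that do not need the algorithm."""
    try:
        verify_delivery(headers, body, secret)
        return True
    except ValueError:
        return False


def sample_headers(secret: bytes = WEBHOOK_SECRET, body: bytes = PAYLOAD,
                   include_sha256: bool = True) -> Dict[str, str]:
    """Headers a 3.0 delivery carries (both algorithms), or only SHA-1 if requested."""
    headers = {HEADER_SHA1: sign(secret, body, "sha1")}
    if include_sha256:
        headers[HEADER_SHA256] = sign(secret, body, "sha256")
    return headers


if __name__ == "__main__":
    print(verify_delivery(sample_headers(), PAYLOAD, WEBHOOK_SECRET))  # sha256
```

The body passed to the verifier must be the raw bytes as received; re-serialising parsed JSON before hashing will change whitespace or key order and the HMAC will no longer match.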

Bug Fixes

  • A PATCH request to the webhook configuration API no longer erases the webhook secret.
  • HTTP headers in certain responses, such as 304 responses for archives, were not compliant with the HTTP RFCs.
  • When editing a wiki page a user could experience a 500 error when clicking the Save button.
  • An S/MIME signed commit using a certificate with multiple names in the subject alternative name would incorrectly show as “Unverified” in the commit badge.
  • Webhooks configured with a content type of application/x-www-form-urlencoded did not receive query parameters in the POST request body.
  • Resolving merge conflicts in the GUI would fail when custom pre-receive hooks were configured on the repository.
  • Old GitHub Pages builds were not cleaned up, leading to increased disk usage.
  • The label on search results for internal repositories was shown as “Private” instead of “Internal”.

The update will be applied Tuesday, April 13th, 2021 at 5:00 PM.

See the complete upgrade notes at GitHub Enterprise: