UPDATE: The 3.1.1 patch has released, so we will be upgrading to 3.1.1 instead of 3.1.0. The 3.1.1 upgrade is a bugfix patch. See the bugfixes section for more details on what this patch fixes.
The 3.1.0 upgrade is a Feature release, with improvements to the Dependabot alerts, Pull Request Auto Merge, and more!
Additionally, this patch appears to have fixed the permissions bug with GitHub Actions, and so we will be enabling Actions for those who have requested access to pilot the feature. If you’d like to have your organization included in the pilot program, please send the organization name in a request to firstname.lastname@example.org.
- Dependabot Improvements
- Users with Dependabot alerts enabled can see which of their repositories are impacted by a given vulnerability by navigating to its entry in the GitHub Advisory Database. This feature is available in public beta. For more information, see “Viewing and updating vulnerable dependencies in your repository.”
- When a vulnerability is added to GitHub Advisory Database, you will no longer receive email and web notifications for Dependabot alerts on low and moderate severity vulnerabilities. These alerts are still accessible from the repository’s Security tab. For more information, see “Viewing and updating vulnerable dependencies in your repository.”
- You can now give people instructions on how to responsibly report security vulnerabilities in your project by adding a
SECURITY.mdfile to your repository’s
.githubfolder. When someone creates an issue in your repository, they will see a link to your project’s security policy. For more information, see “Adding a security policy to your repository.”
- Workflow Visualizations for GitHub Actions
- View and understand complex workflows
- Track progress of workflows in real-time
- Troubleshoot runs quickly by easily accessing logs and jobs metadata
- Monitor progress of deployment jobs and easily access deployment targets
- For more information, see “Using the visualization graph.”
- OAuth 2.0 Device Authorization Grants
- OAuth 2.0 Device Authorization Grant allows any CLI client or developer tool to authenticate using a secondary system with a browser.
- Administrators using OAuth Apps and GitHub Apps can enable and configure OAuth 2.0 Device Authorization Flow, in addition to the existing Web Application Flow.
- Pull Request Automerge
- With auto-merge, pull requests can be set to merge automatically when all merge requirements have been satisfied. This saves users from needing to constantly check the state of their pull requests just to merge them. Auto-merge can be enabled by a user with permission to merge and on pull requests that have unsatisfied merge requirements. For more information, see “Automatically merging a pull request.”
- Filtering for GitHub Mobile
- GitHub for mobile filtering allows you to search for and find issues, pull requests, and discussions from your device. New metadata for issues and pull request list items allow you to filter by assignees, checks status, review states, and comment counts.
- By precomputing checksums, the amount of time a repository is under the lock has reduced dramatically, allowing more write operations to succeed immediately and improving monorepo performance.
- GitHub Actions now supports skipping
pull_requestworkflows by looking for some common keywords in your commit message.
- Check annotations older than four months will be archived.
- SARIF upload support increased to a maximum of 5000 results per upload.
- You can specify multiple callback URLs while configuring a GitHub App. This can be used in services with multiple domains or subdomains. GitHub will always deny authorization if the callback URL from the request is not in the authorization callback URL list.
- The GitHub App file permission has been updated to allow an app developer to specify up to 10 files for read-only or read-write access that their app can request access to.
- When configuring a GitHub App, the authorization callback URL is a required field. Now, we allow the developer to specify multiple callback URLs. This can be used in services with multiple domains or subdomains. GitHub will always deny authorization if the callback URL from the request is not in the authorization callback URL list.
- Delete an entire directory of files, including subdirectories, from your web browser. For more information, see “Deleting a file or directory.”
- Include multiple words after the
#in an issue, discussion, or pull request comment to further narrow your search.
- When you’re writing an issue, pull request, or discussion comment the list syntax for bullets, numbers, and tasks autocompletes after you press
- After upgrading, a mismatch of internal and external timeout values created service unavailability.
- References to the “Dependency graph” and “Dependabot alerts” features were not shown as disabled on some repositories.
- Setting an announcement in the enterprise account settings could result in a 500 Internal Server Error.
- HTTP POST requests to the
/hooksendpoint could fail with a 401 response due to an incorrectly configured
Bug Fixes (3.1.1)
- SVN 1.7 and older clients showed an error when using the
- After upgrading, users experienced reduced availability during heavy usage, because services restarted too frequently. This would occur due to timeout mismatches between the nomad configuration and that of the internal services.
The update will be applied Monday June 14th , 2021 at 5:00PM.
See the complete upgrade notes at GitHub Enterprise: