GitHub Upgrade – 3.4.1

GitHub version 3.4.0 is a feature release which includes a number of qualify-of-life changes. The 3.4.1 patch addresses some bug fixes and security fixes. The dependabot automatic updates feature via GitHub Actions is available in a public beta; however, due to compatibility conflicts with the Global Runners, the feature will not be enabled in the NC State GitHub service until it reaches General Availability.


GitHub Actions reusable workflows in public beta

You can now reuse entire workflows as if they were an action. This feature is available in public beta. Instead of copying and pasting workflow definitions across repositories, you can now reference an existing workflow with a single line of configuration. For more information, see the “GitHub changelog.”

Security Fixes

  • MEDIUM: A path traversal vulnerability was identified in GitHub Enterprise Server Management Console that allowed the bypass of CSRF protections. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.5 and was fixed in versions 3.1.19, 3.2.11, 3.3.6, 3.4.1. This vulnerability was reported via the GitHub Bug Bounty program and has been assigned CVE-2022-23732.
  • MEDIUM: An integer overflow vulnerability was identified in the 1.x branch and the 2.x branch of yajil which leads to subsequent heap memory corruption when dealing with large (~2GB) inputs. This vulnerability was reported internally and has been assigned CVE-2022-24795.
  • Support bundles could include sensitive files if GitHub Actions was enabled.
  • Packages have been updated to the latest security versions.


Administration Changes

  • Users can now choose the number of spaces a tab is equal to, by setting their preferred tab size in the “Appearance” settings of their user account. All code with a tab indent will render using the preferred tab size.
  • The GitHub Connect data connection record now includes a count of the number of active and dormant users and the configured dormancy period.

Notification Changes

  • Organization owners can now unsubscribe from email notifications when new deploy keys are added to repositories belonging to their organizations. For more information, see “Configuring notifications.”
  • Notification emails from newly created issues and pull requests now include (Issue #xx) or (PR #xx) in the email subject, so you can recognize and filter emails that reference these types of issues.

Organization Changes

  • Organizations can now display a file on their profile Overview. For more information, see the “GitHub changelog.”

Repositories changes

  • A “Manage Access” section is now shown on the “Collaborators and teams” page in your repository settings. The new section makes it easier for repository administrators to see and manage who has access to their repository, and the level of access granted to each user. Administrators can now:
    • Search all members, teams and collaborators who have access to the repository.
    • View when members have mixed role assignments, granted to them directly as individuals or indirectly via a team. This is visualized through a new “mixed roles” warning, which displays the highest level role the user is granted if their permission level is higher than their assigned role.
    • Manage access to popular repositories reliably, with page pagination and fewer timeouts when large groups of users have access.
  • GitHub Enterprise Server 3.4 includes improvements to the repository invitation experience, such as notifications for private repository invites, a UI prompt when visiting a private repository you have a pending invitation for, and a banner on a public repository overview page when there is an pending invitation.
  • You can now use single-character prefixes for custom autolinks. Autolink prefixes also now allow .-_+=:/, and # characters, as well as alphanumerics. For more information about custom autolinks, see “Configuring autolinks to reference external resources.”
  • file in the root of a repository is now highlighted in the “About” sidebar on the repository overview page.

Releases changes

  • GitHub Enterprise Server 3.4 includes improvements to the Releases UI, such as automatically generated release notes which display a summary of all the pull requests for a given release. For more information, see the “GitHub changelog.”
  • When a release is published, an avatar list is now displayed at the bottom of the release. Avatars for all user accounts mentioned in the release notes are shown. For more information, see “Managing releases in a repository.”

Markdown changes

  • You can now use the new “Accessibility” settings page to manage your keyboard shortcuts. You can choose to disable keyboard shortcuts that only use single characters like SG C, and . (the period key). For more information, see the “GitHub changelog.”
  • You can now choose to use a fixed-width font in Markdown-enabled fields, like issue comments and pull request descriptions. For more information, see the “GitHub changelog.”
  • You can now paste a URL on selected text to quickly create a Markdown link. This works in all Markdown-enabled fields, such as issue comments and pull request descriptions. For more information, see the “GitHub changelog.”
  • An image URL can now be appended with a theme context, such as #gh-dark-mode-only, to define how the Markdown image is displayed to a viewer. For more information, see the “GitHub changelog.”
  • When creating or editing a gist file with the Markdown (.md) file extension, you can now use the “Preview” or “Preview Changes” tab to display a Markdown rendering of the file contents. For more information, see the “GitHub changelog.”
  • When typing the name of a GitHub user in issues, pull requests and discussions, the @mention suggester now ranks existing participants higher than other GitHub users, so that it’s more likely the user you’re looking for will be listed.
  • Right-to-left languages are now supported natively in Markdown files, issues, pull requests, discussions, and comments.

Issues and pull requests changes

  • The diff setting to hide whitespace changes in the pull request “Files changed” tab is now retained for your user account for that pull request. The setting you have chosen is automatically reapplied if you navigate away from the page and then revisit the “Files changed” tab of the same pull request.
  • When using auto assignment for pull request code reviews, you can now choose to only notify requested team members independently of your auto assignment settings. This setting is useful in scenarios where many users are auto assigned but not all users require notification. For more information, see the “GitHub changelog.”

Branches changes

  • Organization and repository administrators can now trigger webhooks to listen for changes to branch protection rules on their repositories. For more information, see the “branch_protection_rule” event in the webhooks events and payloads documentation.
  • When configuring protected branches, you can now enforce that a required status check is provided by a specific GitHub App. If a status is then provided by a different application, or by a user via a commit status, merging is prevented. This ensures all changes are validated by the intended application. For more information, see the “GitHub changelog.”
  • Only users with administrator permissions are now able to rename protected branches and modify branch protection rules. Previously, with the exception of the default branch, a collaborator could rename a branch and consequently any non-wildcard branch protection rules that applied to that branch were also renamed. For more information, see “Renaming a branch” and “Managing a branch protection rule.”
  • Administrators can now allow only specific users and teams to bypass pull request requirements. For more information, see the “GitHub changelog.”
  • Administrators can now allow only specific users and teams to force push to a repository. For more information, see the “GitHub changelog.”
  • When requiring pull requests for all changes to a protected branch, administrators can now choose if approved reviews are also a requirement. For more information, see the “GitHub changelog.”

GitHub Actions changes

  • GitHub Actions workflows triggered by Dependabot for the createdeployment, and deployment_status events now always receive a read-only token and no secrets. Similarly, workflows triggered by Dependabot for the pull_request_target event on pull requests where the base ref was created by Dependabot, now always receive a read-only token and no secrets. These changes are designed to prevent potentially malicious code from executing in a privileged workflow. For more information, see “Automating Dependabot with GitHub Actions.”
  • Workflow runs on push and pull_request events triggered by Dependabot will now respect the permissions specified in your workflows, allowing you to control how you manage automatic dependency updates. The default token permissions will remain read-only. For more information, see the “GitHub changelog.”
  • GitHub Actions workflows triggered by Dependabot will now be sent the Dependabot secrets. You can now pull from private package registries in your CI using the same secrets you have configured for Dependabot to use, improving how GitHub Actions and Dependabot work together. For more information, see “Automating Dependabot with GitHub Actions.”
  • You can now manage runner groups and see the status of your self-hosted runners using new Runners and Runner Groups pages in the UI. The Actions settings page for your repository or organization now shows a summary view of your runners, and allows you to deep dive into a specific runner to edit it or see what job it may be currently running. For more information, see the “GitHub changelog.”
  • Actions authors can now have their action run in Node.js 16 by specifying runs.using as node16 in the action’s action.yml. This is in addition to the existing Node.js 12 support; actions can continue to specify runs.using: node12 to use the Node.js 12 runtime.
  • For manually triggered workflows, GitHub Actions now supports the choiceboolean, and environment input types in addition to the default string type. For more information, see “on.workflow_dispatch.inputs.”
  • Actions written in YAML, also known as composite actions, now support if conditionals. This lets you prevent specific steps from executing unless a condition has been met. Like steps defined in workflows, you can use any supported context and expression to create a conditional.
  • The search order behavior for self-hosted runners has now changed, so that the first available matching runner at any level will run the job in all cases. This allows jobs to be sent to self-hosted runners much faster, especially for organizations and enterprises with lots of self-hosted runners. Previously, when running a job that required a self-hosted runner, GitHub Actions would look for self-hosted runners in the repository, organization, and enterprise, in that order.
  • Runner labels for GitHub Actions self-hosted runners can now be listed, added and removed using the REST API. For more information about using the new APIs at a repository, organization, or enterprise level, see “Repositories“, “Organizations“, and “Enterprises” in the REST API documentation.

Dependabot and Dependency graph changes

  • Dependency graph now supports detecting Python dependencies in repositories that use the Poetry package manager. Dependencies will be detected from both pyproject.toml and poetry.lock manifest files.
  • Dependabot alerts alerts can now be dismissed using the GraphQL API. For more information, see the “dismissRepositoryVulnerabilityAlert” mutation in the GraphQL API documentation.

Mobile changes

Support for GitHub Mobile is now enabled by default for new GitHub Enterprise Server instances. If you have not explicitly disabled or enabled GitHub Mobile, GitHub Mobile will be enabled when you upgrade to GitHub Enterprise Server 3.4.0 or later. If you previously disabled or enabled GitHub Mobile for your instance, your preference will be preserved upon upgrade. For more information, see “Managing GitHub Mobile for your enterprise.”

Bug Fixes

  • A workflow run may not complete if it uses composite-actions.
  • When enabling Dependabot, an error caused some security advisories to temporarily read as no-longer applicable.
  • The GitHub Actions deployment graph would display an error when rendering a pending job.
  • Repositories would display a non-functional Discussions tab in the web UI.
  • Organizations created as a result of a user transforming their user account into an organization were not added to the global enterprise account.
  • Links to inaccessible pages were removed.
  • Some instances experienced high CPU usage due to large amounts unnecessary background jobs being queued.
  • Adding a team as a reviewer to a pull request would sometimes show the incorrect number of members on that team.
  • A large number of dormant users could cause a GitHub Connect configuration to fail.

The update will be applied Monday April 18, 2022 at 5:30 PM.

See the complete upgrade notes on the GitHub Enterprise site: