GitHub Upgrade – 3.5.2

This upgrade includes all features, changes, bug fixes and security fixes from the 3.5.0 release forward. This version brings more than 60 new features, with an emphasis on new capabilities for GitHub Advanced Security.

Release 3.5 also includes GitHub Container Registry and Dependabot updates, but both require additional testing and setup before they can be rolled out to campus.

These release notes are not exhaustive. To see all of the changes included in this update, view the official release notes for 3.5.0-3.5.2.

This update will be applied on July 11th at 5 PM EST, during which time the GitHub Enterprise service will be unavailable. Downtime is expected to be no more than an hour. Future updates regarding this maintenance period will be made on the NC State Service Portal.

Security Fixes

  • MEDIUM: Prevents an attack where an org query string parameter can be specified for a GitHub Enterprise Server URL that then gives access to another organization’s active committers.
  • MEDIUM: Ensures that github.company.com and github-company.com are not evaluated by internal services as identical hostnames, preventing a potential server-side request forgery (SSRF) attack.
  • LOW: Fixes an issue where an attacker could access the Management Console with a path traversal attack via HTTP even if external firewall rules blocked HTTP access.
  • Packages have been updated to the latest security versions.
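As an added illustration (not part of these release notes and not GitHub's code) of the hostname-confusion class behind the second fix: one common way two such hostnames end up compared as equal, assumed here rather than taken from the fix itself, is a check built from an unescaped pattern, shown beside a normalized exact-match comparison. The hostname github.company.com is the placeholder used in the note above.

```python
import re
from urllib.parse import urlsplit

# Placeholder hostname from the release note, not a real deployment.
INTERNAL_HOST = "github.company.com"


def is_internal_host_naive(url: str) -> bool:
    """Flawed check (assumed failure mode): the hostname is used as a regex
    without escaping, so '.' matches any character and the match is not
    anchored at the end. 'github-company.com' and
    'github.company.com.evil.example' are both accepted."""
    host = urlsplit(url).hostname or ""
    return re.match(INTERNAL_HOST, host, re.IGNORECASE) is not None


def normalize_hostname(host: str) -> str:
    """Canonical form for comparison: lower-case, no trailing dot, and the
    IDNA (punycode) wire form so Unicode lookalike spellings of the same
    name compare by the bytes that would actually be resolved."""
    host = host.strip().rstrip(".").lower()
    return host.encode("idna").decode("ascii")


def is_internal_host(url: str) -> bool:
    """Hardened check: parse the URL, normalize the hostname, and require
    exact equality. No pattern matching, so a hyphen or an extra label
    cannot be mistaken for the internal host."""
    host = urlsplit(url).hostname
    if host is None:
        return False
    return normalize_hostname(host) == normalize_hostname(INTERNAL_HOST)


if __name__ == "__main__":
    # Constructed sample URLs: an internal one and two lookalikes.
    for sample in ("https://github.company.com/api",
                   "https://github-company.com/org",
                   "https://github.company.com.evil.example/"):
        print(f"{sample:45} naive={is_internal_host_naive(sample)!s:5} "
              f"hardened={is_internal_host(sample)}")
```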

Features

  • GitHub Actions
    • Reusable workflows are now generally available. Reusable workflows help you reduce duplication by enabling you to reuse an entire workflow as if it were an action.
    • GitHub Actions enables customers to cache intermediate outputs and dependencies for their workflows, which is an effective way to make jobs faster.
    • Restrict self-hosted runner groups to specific workflows
    • Self-hosted runners can now disable automatic updates
  • GitHub Advanced Security
    • Prevent secret leaks with secret scanning push protection
    • Quantify your security risk with security overview org-level view (Generally Available) and enterprise-level view (Public Beta)
    • Secret scanning supports organization-level and repository-level dry runs
    • CodeQL detects more security issues, supports new language versions

Changes

  • To use the device authorization flow for OAuth and GitHub Apps, you must manually enable the feature. This change reduces the likelihood of apps being used in phishing attacks against GitHub Enterprise Server users by ensuring integrators are aware of the risks and make a conscious choice to support this form of authentication. If you own or manage an OAuth App or GitHub App and you want to use the device flow, you can enable it for your app via the app’s settings page. The device flow API endpoints will respond with status code 400 to apps that have not enabled this feature. For more information, see “Authorizing OAuth Apps.”
  • The code scanning alert page now always shows the alert status and information for the default branch. There is a new “Affected branches” panel in the sidebar where you can see the status of the alert in other branches. If the alert does not exist in your default branch, the alert page will show the status as “In branch” or “In pull request” for the location where the alert was last seen. This improvement makes it easier to understand the status of alerts that have been introduced into your code base. For more information, see “About code scanning alerts.” The alert list page is not changed and can be filtered by branch. You can use the code scanning API to retrieve more detailed branch information for alerts. For more information, see “Code Scanning” in the REST API documentation.
  • Code scanning now shows the details of the analysis origin of an alert. If an alert has more than one analysis origin, it is shown in the “Affected branches” sidebar and in the alert timeline. You can hover over the analysis origin icon in the “Affected branches” sidebar to see the alert status in each analysis origin. If an alert only has a single analysis origin, no information about analysis origins is displayed on the alert page. These improvements will make it easier to understand your alerts. In particular, it will help you understand those that have multiple analysis origins. This is especially useful for setups with multiple analysis configurations, such as monorepos. For more information, see “About code scanning alerts.”
  • Lists of repositories owned by a user or organization now have an additional filter option, “Templates”, making it easier to find template repositories.
  • GitHub Enterprise Server can display several common image formats, including PNG, JPG, GIF, PSD, and SVG, and provides several ways to compare differences between versions. Now when reviewing added or changed images in a pull request, previews of those images are shown by default. Previously, you would see a message indicating that binary files could not be shown and you would need to toggle the “Display rich diff” option. For more information, see “Working with non-code files.”
  • New gists are now created with a default branch name of either main or the alternative default branch name defined in your user settings. This matches how other repositories are created on GitHub Enterprise Server. For more information, see “About branches” and “Managing the default branch name for your repositories.”
  • Gists now only show the 30 most recent comments when first displayed. You can click Load earlier comments… to view more. This allows gists that have many comments to appear more quickly. For more information, see “Editing and sharing content with gists.”
  • Settings pages for users, organizations, repositories, and teams have been redesigned, grouping similar settings pages into sections for improved information architecture and discoverability. For more information, see the GitHub changelog.
  • Focusing or hovering over a label now displays the label description in a tooltip.
  • Creating and removing repository invitations, whether done through the API or web interface, are now subject to rate limits that may be enabled on your GitHub Enterprise Server instance. For more information about rate limits, see “Configuring rate limits.”
  • MinIO has announced the removal of the MinIO Gateways starting June 1st, 2022. While MinIO Gateway for NAS continues to be one of the supported storage providers for GitHub Actions and GitHub Packages, we recommend moving to MinIO LTS support to receive support and bug fixes from MinIO. For more information, see “Scheduled removal of MinIO Gateway for GCS, Azure, HDFS” in the minio/minio repository.

Bug Fixes

  • Files inside an artifact archive could not be opened after decompression due to restrictive permissions.
  • In some cases, packages pushed to the Container registry were not visible in GitHub Enterprise Server’s web UI.
  • Actions workflows calling other reusable workflows failed to run on a schedule.
  • Resolving Actions using GitHub Connect failed briefly after changing repository visibility from public to internal.