GitHub Upgrade – 3.11.6

On Monday, March 4th at 5PM EST, the GitHub Service Team will take the GitHub Enterprise service offline to apply a high security fix.

The upgrade is expected to take no longer than 1.5 hours to complete. Please follow the NC State Service Portal for any updates or changes related to this maintenance period.

Questions related to this upgrade should be sent to

Security fixes

  • HIGH: On an instance with GitHub Connect enabled and non-default settings for GitHub Connect configured, an attacker could use an enterprise GitHub Actions download token to fetch private repository data. This token is only accessible to users on the GitHub Enterprise Server instance. To fix this vulnerability, the Actions download token will now be a permissionless token. GitHub has requested CVE ID CVE-2024-1908 for this vulnerability, which was reported via the GitHub Bug Bounty program.
  • Packages have been updated to the latest security versions.

Some changes have been omitted for brevity. For an exhaustive list of updates related to this upgrade, please see the GitHub Enterprise Release Notes.