Git 2.3 has been released

The Git developers have just released a major new version of the Git command-line utility, Git 2.3.0.

As usual, this release contains many improvements, performance enhancements, and bug fixes. Full details about what's included can be found in the Git 2.3.0 release notes, but here's a look at what we consider to be the coolest new features in this release.

Push to deploy

One way to deploy a Git-based web project is to keep a checked-out working copy on your server. When a new version is ready, you log into the server and run git pull to fetch and deploy the new changes. While this technique has some disadvantages (see below), it is very easy to set up and use, especially if your project consists mostly of static content.

With Git 2.3, this technique has become even more convenient. Now you can push changes directly to the repository on your server. Provided no local modifications have been made on the server, any changes to the server's current branch will be checked out automatically. Instant deploy!

To use this feature, you have to first enable it in the Git repository on your server by running

$ git config receive.denyCurrentBranch updateInstead

When shouldn't you use push-to-deploy?

Deploying by pushing to a Git repository is quick and convenient, but it is not for everybody. For example:

  • Your server will contain a .git directory containing the entire history of your project. You probably want to make extra sure that it cannot be served to users!
  • During deploys, it will be possible for users momentarily to encounter the site in an inconsistent state, with some files at the old version and others at the new version, or even half-written files. If this is a problem for your project, push-to-deploy is probably not for you.
  • If your project needs a "build" step, then you will have to set that up explicitly, perhaps via githooks.
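The behaviour described in this section, as an added example that is not part of the original post: a throwaway "server" repository with `receive.denyCurrentBranch updateInstead` accepts a push while its working tree is clean, refuses one after a file has been edited on the server, and ends up with a `.git` directory inside the deployed tree. The repository names (`dev`, `server`), the branch name `main` and the file contents are constructed for the demo, which assumes Git 2.3 or later and runs entirely in a temporary directory.

```shell
#!/bin/sh
# Added example: push-to-deploy with receive.denyCurrentBranch=updateInstead.
# Repository names, branch name and file contents are constructed for the demo.

push_to_deploy_demo() {
    work=$(mktemp -d) || return 1
    result=$(
        cd "$work" || exit 1
        # Isolate the demo from the caller's Git configuration and identity.
        HOME=$work; GIT_CONFIG_NOSYSTEM=1
        GIT_AUTHOR_NAME=demo; GIT_AUTHOR_EMAIL=demo@example.invalid
        GIT_COMMITTER_NAME=demo; GIT_COMMITTER_EMAIL=demo@example.invalid
        export HOME GIT_CONFIG_NOSYSTEM GIT_AUTHOR_NAME GIT_AUTHOR_EMAIL \
               GIT_COMMITTER_NAME GIT_COMMITTER_EMAIL

        # Developer repository holding the first version of the site.
        git init -q dev
        git -C dev symbolic-ref HEAD refs/heads/main
        echo v1 > dev/index.html
        git -C dev add index.html
        git -C dev commit -q -m 'v1'

        # "Server": a non-bare clone whose working tree plays the web root.
        git clone -q dev server
        git -C server config receive.denyCurrentBranch updateInstead

        # Case 1: the server's working tree is clean, so the push is checked out.
        echo v2.0 > dev/index.html
        git -C dev commit -q -a -m 'v2'
        git -C dev push -q ../server main >/dev/null 2>&1
        deployed=$(cat server/index.html)

        # Case 2: a file was edited directly on the server; the push is refused
        # and the local edit is left untouched.
        echo hotfix-on-server > server/index.html
        echo v3.0.0 > dev/index.html
        git -C dev commit -q -a -m 'v3'
        if git -C dev push -q ../server main >/dev/null 2>&1; then
            dirty=accepted
        else
            dirty=refused
        fi
        kept=$(cat server/index.html)

        # Caveat from the list above: the deployed tree carries the full history.
        if [ -d server/.git ]; then gitdir=yes; else gitdir=no; fi

        echo "deployed=$deployed dirty_push=$dirty kept=$kept gitdir_in_webroot=$gitdir"
    )
    status=$?
    rm -rf "$work"
    printf '%s\n' "$result"
    return $status
}

push_to_deploy_demo
```

The last field is the reason to deny requests for `/.git` in the web server configuration, or to serve a subdirectory of the working tree rather than its top level.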

See how this feature was implemented

Faster cloning by borrowing objects from existing clones

Cloning a remote repository can involve transferring a lot of data over the network. But if you already have another local clone of the same repository, it probably already has most of the history that the new clone will need. Now it is easy to use those local objects rather than transferring them again:

$ git clone --reference ../oldclone --dissociate https://github.com/gitster/git.git

The new --dissociate option tells Git to copy any objects it can from local repository ../oldclone, retrieving the remainder from the remote repository. Afterwards, the two clones remain independent; either one can be deleted without impacting the other (unlike when --reference is used without --dissociate).

See how this feature was implemented

More conservative default behavior for git push

If you run git push without arguments, Git now uses the more conservative simple behavior as the default. This means that Git refuses to push anything unless you have defined an "upstream" branch for your current branch and the upstream branch has the same name as your current branch. For example:

$ git config branch.autosetupmerge true
$ git checkout -b experimental origin/master
Branch experimental set up to track remote branch master from origin.
Switched to a new branch 'experimental'
$ git commit -a -m 'Experimental changes'
[experimental 43ca356] Experimental changes
$ git push
fatal: The upstream branch of your current branch does not match
the name of your current branch.  To push to the upstream branch
on the remote, use

    git push origin HEAD:master

To push to the branch of the same name on the remote, use

    git push origin experimental

$

The new default behavior is meant to help users avoid pushing changes to the wrong branch by accident. In the case above, the experimental branch started out tracking master, but the user probably wanted to push the experimental branch to a new remote branch called experimental. So the correct command would be git push origin experimental.

The default behavior can be changed by configuring push.default. If you want to go back to the version 1.x behavior, set it to matching:

$ git config --global push.default matching

See how this feature was implemented

More flexible ssh invocation

Git knows how to connect to a remote host via the SSH protocol, but sometimes you need to tweak exactly how it makes the connection. If so, you can now use a new environment variable, GIT_SSH_COMMAND, to specify the command (including arguments) or even an arbitrary snippet of shell code that Git should use to connect to the remote host. For example, if you need to use a different SSH identity file when connecting to a Git server, you could enter

$ GIT_SSH_COMMAND='ssh -i git_id' git clone host:repo.git

See how this feature was implemented

The credential subsystem is now friendlier to scripting

When Git needs a password (e.g., to connect to a remote repository over HTTP), it uses the credential subsystem to query any helpers (like the OS X Keychain helper), and then finally prompts the user on the terminal. When Git is run from an automated process like a cron job, there is usually no terminal available and Git will skip the prompt. However, if there is a terminal available, Git may hang forever, waiting for the user to type something. Scripts which do not expect user input can now set GIT_TERMINAL_PROMPT=0 in the environment to avoid this behavior.

See how this feature was implemented

Other

Some other useful tidbits:

  • Now Git is cleverer about not rewriting paths in the working tree unnecessarily when checking out particular commits. This will help reduce the amount of redundant work done during software builds and reduce the time that incomplete files are present on the filesystem (especially helpful if you are using push-to-deploy). See how this feature was implemented
  • Now git branch -d supports a --force/-f option, which can be used to delete a branch even if it hasn't been merged yet. Similarly, git branch -m supports --force/-f, which allows a branch to be renamed even if the new name is already in use. This change makes these commands more consistent with the many other Git commands that support --force/-f. See how these features were implemented

Additional resources

Don't forget: an important Git security vulnerability was fixed last December. If you haven't upgraded your Git client since then, we recommend that you do so as soon as possible. The new release, 2.3.0, includes the security fix, as do the maintenance releases 1.8.5.6, 1.9.5, 2.0.5, and 2.1.4, which were released in December.

Keeping GitHub OAuth Tokens Safe

While making your source code available in a public GitHub repository is awesome, it's important to be sure you don't accidentally commit your passwords, secrets, or anything else that other people shouldn't know.

Starting today you can commit more confidently, knowing that we will email you if you push one of your OAuth Access Tokens to any public repository with a git push command. As an extra bonus, we'll also revoke your token so it can't be used to perform any unauthorized actions on your behalf.

For more tips on keeping your account secure, see "Keeping your SSH keys and application access tokens safe" in GitHub Help.

Get ready for GitHub Universe, October 1-2 in San Francisco

GitHub is planning a conference like we've never planned before. Get ready for GitHub Universe – part festival, part conference, all for anyone who cares about making great software. From independent developers to large teams, open source to commercial apps and services: we're bringing together every part of the community to discuss how to design, build, and ship software.

Join us and over a thousand GitHub fans for two days of amazing community, industry-leading speakers, in-depth training, immersive activities, and the latest GitHub announcements.

Mark your calendar!

  • When: October 1-2, 2015
  • Where: Pier 70, San Francisco, CA

Stay in the know!

Between now and October, we'll be rolling out updates here on the GitHub blog and over on the GitHub Universe conference website. You can also sign up to get updates about the conference, including notifications when tickets go on sale and ongoing news about speakers and activities.

:rocket:

Patchwork Melbourne

We're excited to announce a Patchwork hack night on Tuesday, February 10th 2015, co-hosted with our friends at Xero in Melbourne.

No coding experience needed

Patchwork is a hands-on workshop for learning Git and GitHub. Join us for a night of hacking and snacking and make some new friends while you're at it!

Forks you don't eat with? Branches not made of wood?

Newcomers to Git and GitHub: you'll leave with a merged Pull Request, a square on your contributions graph, and confidence to get more involved in the open source community.

Mentors: if you've ever had a Pull Request merged, now is your chance to share the love and help someone else create magic.

Learning is better together

@michaeltwofish, @rachelmyers, @Foggybtmgirl, and I, along with other GitHub staff and local community mentors, will be on hand to walk you through the Hello World tutorial, answer your questions, help you create your first open source project and achieve your first merged Pull Request.

We'll begin with a story about getting started in programming, spend time on the tutorial in small groups, and then close things out with lightning talks from some people in the community.

Details:

  • For: Git and GitHub beginners.
  • When? Tuesday, February 10th 2015, 6pm to 9pm
  • Where? Xero, 1/6 Elizabeth Street, Hawthorn VIC 3122, Australia
  • RSVP:
    • Want to learn Git and GitHub? RSVP as an attendee.
    • Want to help guide future open source maintainers and contributors? RSVP as a mentor.

Once registered, you'll receive an email the day before the event with details about the tutorial.

This is a free event. Food and refreshments will be provided.

The Dodgeball Tournament Returns!

The GitHub Charity Dodgeball tournament is back, and better than ever.

Details

Where? SoMa Recreation Center, 270 6th Street, San Francisco, CA

When? Sunday, March 22, 1:00pm until 6:30pm

  • 1:00 to 1:30 - Sign in and warm up
  • 1:30 to 4:30 - Round Robin Tournament play
  • 4:45 to 6:00 - Single Elimination Round
  • 6:00 to 6:30 - Awards ceremony
  • 7:00 to 10:00 - After-party at GitHub HQ (88 Colin P Kelly Jr. Street, San Francisco).

Why? In 2013, 20 teams joined us to compete on the dodgeball court, all in the name of charity. Heroku prevailed for the second time and brought home the Octotrophy, but the real champions are those who received some of the $58,000 we raised!

We're headed back to SoMa Recreation Center and we're devoted to making this year's tournament the best yet. The buy-in to enter is $3,000, and all funds will be split among the charities.

How? We'll be using the World Dodgeball Society's rules for our 2015 tournament. Teams will need 10 players on court during gameplay, but can have up to 15 members per team to allow for player substitutions. Teams must have at most a 3:1 ratio of men to women.

Who? We will all be playing for four local charities. Donations are managed by Bright Funds.

  • Build: BUILD's mission is to use entrepreneurship to excite and propel disengaged, low-income students through high school to college success. In 2002, BUILD became a key player in school districts when it went into local high schools and began offering its entrepreneurship curriculum as a daily, credited class. By working closely with the partner schools and their teachers, BUILD began supplementing students' traditional education with the real-life experience of running their own small businesses.

  • SF Public Library: The SF Library system is pretty amazing. Not only are they one mega, open source of information and learning in the sense of lending books, music, etc., but they also have all kinds of other programs to support the community. It is also one of the few places people can go and use computers for free. Finally, it often doubles as a safe space for at-risk youth and the homeless population.

  • Second Harvest Food Bank: Collects and distributes more than 1 million pounds of food throughout the Bay Area EACH WEEK. They are feeding thousands of families, many of which are struggling to pay high local rents, etc.

  • Glide: Glide provides many kinds of services to anyone who needs them, from shelter, to healthcare, to overcoming violence.

Sign up here!

Questions? Send them to dodgeball@github.com

New Baby One-Pieces and Kid Tees in the Shop

Young and future coders rejoice! We've just merged a pull request for new baby one-pieces and kid tees.

Grab yours in the GitHub Shop

GitHub Security Bug Bounty program turns one

It's already been a year since we launched the GitHub Security Bug Bounty, and, thanks to bug reports from researchers across the globe, 73 previously unknown security vulnerabilities in our applications have been identified and fixed.

Bugs squashed

Of 1,920 submissions in the past year, 869 warranted further review, helping us to identify and fix vulnerabilities fitting nine of the OWASP top 10 vulnerability classifications. 33 unique researchers earned a cumulative $50,100 for the 57 medium to high risk vulnerabilities they reported.

Bounty submissions per week

We also saw some incredibly involved and creative vulnerabilities reported.

Our top submitter, @adob, reported a persistent DOM-based cross-site scripting vulnerability, relying on a previously unknown Chrome browser bug that allowed our Content Security Policy to be bypassed.

Our second most prolific submitter, @joernchen, reported a complex vulnerability in the communication between two of our backend services that could allow an attacker to set arbitrary environment variables. He followed that up by finding a way to achieve arbitrary remote command execution by setting the right environment variables.

New year, higher payouts

To kick off our Bug Bounty Program's second year, we're doubling the maximum bounty payout, from $5000 to $10000. If you've found a vulnerability that you'd like to submit to the GitHub security team for review, send us the details, including the steps required to reproduce the bug. You can also follow @GitHubSecurity for ongoing updates about the program.

Thanks to everyone who made the first year of our Bug Bounty a success. Happy hunting in 2015!

Patchwork Cape Town

We're excited to let you know that the next installment of our Patchwork hack night will be happening on Wednesday, February 4, 2015 at iXperience. :tada:

No coding experience needed

Patchwork is a hands-on workshop for learning Git and GitHub. Join us for a night of hacking and snacking, and make some new friends while you're at it!

Forks you don't eat with? Branches not made of wood?

Newcomers to Git and GitHub, you'll be creating your own open source project. You will leave with a merged Pull Request, a square on your contributions graph, and confidence to get more involved in the open source community.

Mentors, if you've ever had a Pull Request merged, now's your chance to share those warm fuzzies and help someone else get started on their journey.

Learning is better together

GitHubbers @alysonla, @sachinr, and @shayfrendt, as well as local community mentors, will be on hand to answer your questions and help you create your first open source project and achieve your first merged Pull Request.

We'll kick the event off with a GitHubber talking about how they got started in programming, then we'll break into small groups and work on the Hello World tutorial guide, and a community member will close things out with a lightning talk on their experience in open source.

If you have questions about the command line, GUIs, or anything Git and GitHub-related, we're here to help.

Details:

  • For: Git and GitHub beginners.
  • When: Wednesday, February 4, 6:30-9:00pm.
  • Where: iXperience, 19 Park Road, Gardens, Cape Town, 8001
  • RSVP:
    • Want to learn Git and GitHub? RSVP as an attendee.
    • Want to help guide future open source maintainers and contributors? RSVP as a mentor.

Food and refreshments will be available.

Mentors, you'll receive an email a few days before the event with details about what to expect and the curriculum. We'll be teaching Git concepts and making a Pull Request using the GitHub Flow and Hello World tutorial guide.

GitHub Town Hall: Open Source and Academia

Next week we're hosting another GitHub Town Hall on academia and open source in partnership with the eScience Institute at University of Washington.

Software plays a vital role in much of academic research and yet its development and maintenance is often not seen as a creditable research activity. In light of this challenge, our speakers will discuss the role of software in academia today, how institutions must adapt to support software tools and their producers, and what universities can learn from the open source community. We hope you'll join us!

The Facts:

If you're not able to attend the Town Hall in person, we will have a live stream available. We'll share the link here and on Twitter next week before the event starts.

UPDATE: Live stream at https://live-stream.github.com/

The Panelists:

Git Merge returns April 8-9th in Paris

Git will be 10 years old in April, and we're bringing back Git Merge to celebrate. Mark your calendars for April 8-9th to be a part of the only Git user conference of its kind.

Hosted at La Gaîté lyrique in Paris' 3rd arrondissement, Git Merge will feature sessions on using Git, scaling Git, and developing on Git from core Git maintainers.

La Gaîté lyrique

Tickets, session details, and hotel information will be available soon. Follow @github on Twitter for updates, or add your email to the list at git-merge.com and we'll let you know as soon as tickets are on sale.

Et voilà!

How to write the perfect pull request

As a company grows, people and projects change. To continue to nurture the culture we want at GitHub, we've found it useful to remind ourselves what we aim for when we communicate. We recently introduced these guidelines to help us be our best selves when we collaborate on pull requests.

Approach to writing a Pull Request

  • Include the purpose of this Pull Request. For example:
    This is a spike to explore…
    This simplifies the display of…
    This fixes handling of…
  • Consider providing an overview of why the work is taking place (with any relevant links); don’t assume familiarity with the history.
  • Remember that anyone in the company could be reading this Pull Request, so the content and tone may inform people other than those taking part, now or later.
  • Be explicit about what feedback you want, if any: a quick pair of :eyes: on the code, discussion on the technical approach, critique on design, a review of copy.
  • Be explicit about when you want feedback. If the Pull Request is a work in progress, say so. A prefix of “[WIP]” in the title is a simple, common pattern to indicate that state.
  • @mention individuals that you specifically want to involve in the discussion, and mention why. (“/cc @jesseplusplus for clarification on this logic”)
  • @mention teams that you want to involve in the discussion, and mention why. (“/cc @github/security, any concerns with this approach?”)

Offering feedback

  • Familiarize yourself with the context of the issue, and reasons why this Pull Request exists.
  • If you disagree strongly, consider giving it a few minutes before responding; think before you react.
  • Ask, don’t tell. (“What do you think about trying…?” rather than “Don’t do…”)
  • Explain your reasons why code should be changed. (Not in line with the style guide? A personal preference?)
  • Offer ways to simplify or improve code.
  • Avoid using derogatory terms, like “stupid”, when referring to the work someone has produced.
  • Be humble. (“I’m not sure, let’s try…”)
  • Avoid hyperbole. (“NEVER do…”)
  • Aim to develop professional skills, group knowledge and product quality, through group critique.
  • Be aware of negative bias with online communication. (If content is neutral, we assume the tone is negative.) Can you use positive language as opposed to neutral?
  • Use emoji to clarify tone. Compare “:sparkles: :sparkles: Looks good :+1: :sparkles: :sparkles:” to “Looks good.”

Responding to feedback

  • Consider leading with an expression of appreciation, especially when feedback has been mixed.
  • Ask for clarification. ("I don’t understand, can you clarify?")
  • Offer clarification; explain the decisions you made to reach the solution in question.
  • Try to respond to every comment.
  • Link to any follow up commits or Pull Requests. (“Good call! Done in 1682851”)
  • If there is growing confusion or debate, ask yourself if the written word is still the best form of communication. Talk (virtually) face-to-face, then mutually consider posting a follow-up to summarize any offline discussion (useful for others who may be following along, now or later).

These guidelines were inspired partly by Thoughtbot's code review guide.

Our guidelines suit the way we work, and the culture we want to nurture. We hope you find them useful too.

Happy communicating!

Announcing GitHub Enterprise 2.1.0

It's a new year and we couldn't think of a better way to start it off than with a new release of GitHub Enterprise. We've included a number of highly-requested features, along with some of the best stuff recently shipped on GitHub.com - all to give developers and admins the best tools to build and ship software at work.

Let's talk about some of the features you'll find in this release.

Automate user and team management with LDAP Sync

Many of you have told us that you want it to be easier to use GitHub Enterprise with LDAP, especially for organizations managing lots of users. With this release, GitHub Enterprise integrates with your LDAP directory more deeply than ever before, automating identity and access management for your organization. This means you can provision and deprovision user accounts in GitHub Enterprise directly from LDAP with user sync, and automatically grant users access to repositories with team sync. While we were at it, we also improved LDAP performance across the board, increasing reliability and throughput.

Deploy GitHub Enterprise on OpenStack KVM

One of our goals with last year's rebuild of GitHub Enterprise was to make it available in more of the environments where you want to run it, whether you're managing your infrastructure on servers you own or on an internal cloud-based platform. That's why we're excited to announce that with this release, GitHub Enterprise is available on OpenStack KVM, in addition to Amazon Web Services and VMware. If your tech stack is built on KVM, you can now easily set up GitHub Enterprise and integrate with other parts of your internal system.

Audit all user actions across your instance

The Organization Audit Log that shipped with the November release of GitHub Enterprise has now been expanded to the instance level, giving administrators a skimmable and searchable record of every action performed across GitHub Enterprise in the past 90 days. Events like repository creation, team deletion, the addition of webhooks, and more are surfaced in a running log, along with information about who performed the action and when it occurred. These events can be filtered for deeper analysis, and you can create a wide range of custom search queries to make sure you're always aware of what's taking place on your instance.

Monitor the performance of GitHub Enterprise

If you're administering GitHub Enterprise, you should be able to identify whether your instance is performing correctly and quickly locate what's wrong when it isn't. With the new Instance Monitoring Dashboard, you now can. With data displayed for things like data disk usage, memory, CPUs, and more, you'll be able to answer questions like:

  • Are my users experiencing errors?
  • Are things fast or slow for my users?
  • What is a typical traffic pattern? What is abnormal?
  • Should I upgrade CPU, memory, or IO to improve the performance of my instance?
  • When should I plan to increase my disk space given my current growth rate?

Even more betterness

GitHub Enterprise 2.1.0 also includes:

To see the full list of features and bug fixes, check out the release notes for GitHub Enterprise 2.1.0.

Take 2.1.0 for a spin

If you're an existing GitHub Enterprise customer, you can download the latest release from the GitHub Enterprise website. If you want to give GitHub Enterprise a try, start a 45-day free trial on OpenStack KVM, AWS, or VMware.

Organization-approved applications

Applications integrate with GitHub to help you and your team build, test, and deploy software. But not all apps are created equal. By adopting a list of approved applications, organization admins can better manage which apps can be given access to their organization's data.

Approve trusted applications

If you're administering an organization on GitHub.com, you can set up a whitelist of trusted third-party applications.

With this protection in place, all applications need your explicit approval before they can access your organization's resources. You can grant access to your favorite continuous integration service (for example), while ignoring other applications that you may not trust or need.

Request your favorite tools

If you're a member of an organization and have a third-party application that you want to use, simply ask your organization's admins to approve access. They can then review the requested application to decide whether it should have access to your organization's data.

For more information on setting up a list of approved applications for your organization, be sure to check out the docs.

If you develop an app that integrates with GitHub, check out the Developer Blog for our latest recommendations on working with organizations and their data.

Create Pull Requests with GitHub for Mac

Pull requests are fantastic. We use them every day to review and discuss code, documentation, and designs. Now you can create pull requests without leaving the warm embrace of GitHub for Mac.

Create pull requests

We've also made forks easier to work with. Forked repositories now automatically fetch their upstream repository, and its branches can be checked out or merged. No more futzing with the command line or multiple remotes!

Check out the upstream's branch

Download GitHub for Mac and start sending pull requests!

Quick Pull Requests

Starting conversations around changes is what pull requests and GitHub Flow are all about, so we’re excited to introduce a powerful shortcut that gets you there even faster.

When using your browser to edit a file on GitHub.com, the web-based commit composer lets you quickly propose a change to a new branch and then immediately open a pull request for discussion and review:

Selecting the new branch option to open a quick pull request

Reducing the time it takes to open a pull request lowers the contribution barrier, and having this workflow available entirely within the browser makes collaboration more approachable for people with all technical skill levels.

To learn how GitHub Flow works, and whether it might be a good workflow to use on your projects, check out our guide on Understanding GitHub Flow.