Enterprise Server 3.3 release notes

MEDIUM: Prevents an attack where a server-side request forgery (SSRF) could potentially force the Subversion (SVN) bridge to execute remote code by injecting arbitrary data into Memcached.

MEDIUM: Prevents an attacker from executing Javascript code by exploiting a cross-site scripting (XSS) vulnerability in dropdown UI elements within the GitHub Enterprise Server web interface.

Updates Grafana to version 7.5.16, which addresses various security vulnerabilities including CVE-2020-13379 and CVE-2022-21702.

Packages have been updated to the latest security versions.

Fixed an issue where the files inside the artifact zip archives had permissions of 000 when unpacked using an unzip tool. Now the files will have the permissions set to 644, the same way as it works in GitHub.com.

In some cases, the collectd daemon could consume excess memory.

In some cases, backups of rotated log files could accumulate and consume excess storage.

After an upgrade to a new feature release and subsequent configuration run, Elasticsearch could log excessive exceptions while rebuilding indices.

In some cases where a protected branch required more than one approving review, a pull request could be merged with fewer than the required number of approving reviews.

On instances using LDAP authentication, the authentication prompt for sudo mode incorrectly placed the cursor within the password field by default when text fields for both a username and password were visible.

MEDIUM: Ensures that github.company.com and github-company.com are not evaluated by internal services as identical hostnames, preventing a potential server-side security forgery (SSRF) attack.

LOW: An attacker could access the Management Console with a path traversal attack via HTTP even if external firewall rules blocked HTTP access.

包已更新到最新的安全版本。

In some cases, site administrators were not automatically added as enterprise owners.

After merging a branch into the default branch, the "History" link for a file would still link to the previous branch instead of the target branch.

Creating or updating check runs or check suites could return 500 Internal Server Error if the value for certain fields, like the name, was too long.

包已更新到最新的安全版本。

An internal script to validate hostnames in the GitHub Enterprise Server configuration file would return an error if the hostname string started with a "." (period character).

In HA configurations where the primary node's hostname was longer than 60 characters, MySQL would fail to be configured

The --gateway argument was added to the ghe-setup-network command, to allow passing the gateway address when configuring network settings using the command line.

Image attachments that were deleted would return a 500 Internal Server Error instead of a 404 Not Found error.

The calculation of "maximum committers across entire instance" reported in the site admin dashboard was incorrect.

An incorrect database entry for repository replicas caused database corruption when performing a restore using GitHub Enterprise Server 备份实用程序.

Optimised the inclusion of metrics when generating a cluster support bundle.

In HA configurations where Elasticsearch reported a valid yellow status, changes introduced in a previous fix would block the ghe-repl-stop command and not allow replication to be stopped. Using ghe-repo-stop --force will now force Elasticsearch to stop when the service is in a normal or valid yellow status.

When using ghe-migrator or exporting from GitHub.com, migrations would fail to export pull request attachments.

MEDIUM: A security issue in nginx resolver was identified, where an attacker who could forge UDP packets from the DNS server could cause 1-byte memory overwrite, resulting in worker process crashes or other potentially damaging impacts. The vulnerability has been assigned CVE-2021-23017.

Updated the actions/checkout@v2 and actions/checkout@v3 actions to address new vulnerabilities announced in the Git security enforcement blog post.

包已更新到最新的安全版本。

In some cluster topologies, the ghe-cluster-status command left behind empty directories in /tmp.

SNMP incorrectly logged a high number of Cannot statfs error messages to syslog

For instances configured with SAML authentication and built-in fallback enabled, built-in users would get stuck in a “login” loop when attempting to sign in from the page generated after logging out.

Attempts to view the git fsck output from the /stafftools/repositories/:owner/:repo/disk page would fail with a 500 Internal Server Error.

When using SAML encrypted assertions, some assertions were not correctly marking SSH keys as verified.

Videos uploaded to issue comments would not be rendered properly.

When using the file finder on a repository page, typing the backspace key within the search field would result in search results being listed multiple times and cause rendering problems.

When using GitHub Enterprise Importer to import a repository, some issues would fail to import due to incorrectly configured project timeline events.

When using ghe-migrator, a migration would fail to import video file attachments in issues and pull requests.

The Releases page would return a 500 error when the repository has tags that contain non-ASCII characters. [Updated: 2022-06-10]

In high availability configurations, clarify that the replication overview page in the Management Console only displays the current replication configuration, not the current replication status.

When enabling GitHub Packages, clarify that using a Shared Access Signature (SAS) token as connection string is not currently supported.

Support bundles now include the row count of tables stored in MySQL.

When determining which repository networks to schedule maintenance on, we no longer count the size of unreachable objects.

The run_started_at response field is now included in the Workflow runs API and the workflow_run event webhook payload.

包已更新到最新的安全版本。

从存储库中删除清单文件时，清单不会从存储库的“依赖项关系图”页面中删除。

解决了可能导致检索构件和下载 GitHub Actions 日志存档时出现一致故障的回归问题。在某些情况下，我们停止解析使用“localhost”的内部通信的 URL，而是错误地使用了实例主机名。

在某些情况下，使用升级包升级高可用性对中的节点可能会导致 Elasticsearch 进入不一致的状态。

扩展名为“.backup”的旋转日志文件将累积在包含系统日志的目录中。

在某些群集拓扑中，命令行实用程序“ghe-spokesctl”和“ghe-btop”无法运行。

Elasticsearch 索引可能会在包升级期间复制，因为“elasticsearch-upgrade”服务并行运行多次。

在拉取请求和提交视图中，对于 Git LFS 跟踪的某些文件，将无法加载多差异。

将用户帐户转换为组织时，如果用户帐户是 GitHub Enterprise Server 企业帐户的所有者，则转换后的组织将错误地显示在企业所有者列表中。

当已存在与 OAuth 应用程序 ID 匹配的集成时，使用企业管理 REST API 创建模拟 OAuth 令牌会导致错误。

当检测到的密钥中存在 UTF8 字符时，机密扫描 REST API 将返回“500”响应代码。

存储库缓存服务器可以从非缓存位置提供数据，即使数据在本地缓存位置中可用也是如此。

现在，除了配置日志之外，停止配置应用运行的配置错误也会输出到终端。

尝试缓存大于 Memcached 中允许的最大值的值时，会引发错误，但未报告密钥。

如果您的实例上启用了 GitHub Advanced Security 功能，则在处理存储库贡献的批处理时，后台作业的性能已得到提高。

中：在 GitHub Enterprise Server 管理控制台中发现了一个路径遍历漏洞，该漏洞允许绕过 CSRF 保护。此漏洞影响了 3.5 之前的所有版本的 GitHub Enterprise Server ，并在版本 3.1.19、3.2.11、3.3.6、3.4.1 中得到修复。此漏洞是通过 GitHub Bug Bounty 程序报告的，并已分配 CVE-2022-23732。

中：在 1.x 分支和 'yajil' 的 2.x 分支中发现了一个整数溢出漏洞，该漏洞导致在处理大型 (~2GB) 输入时导致后续堆内存损坏。此漏洞已在内部报告，并已分配 CVE-2022-24795。

如果启用了 GitHub Actions ，则支持包可能包含敏感文件。

包已更新到最新的安全版本。

启用 Dependabot 时，一个错误导致一些安全公告暂时读作不再适用。

如果在升级 GitHub Enterprise Server 后存在旧的配置选项，Minio 进程将具有高 CPU 使用率。

显示了管理控制台的隐私设置中启用“TLS 1.0”和“TLS 1.1”的选项，尽管在早期版本中删除了这些协议版本。

在 HA 环境中，首次启用 GitHub Actions msSQL 复制后，配置 MSSQL 复制可能需要额外的手动步骤。

内部配置文件子集在热补丁后更可靠地更新。

“ghe-run-migrations”脚本有时无法正确生成临时证书名称。

在群集环境中，Git LFS 操作可能会因跨多个 Web 节点的内部 API 调用失败而失败。

由于syscall权限不足，使用 gpg --import 的预接收挂钩超时。

在某些群集拓扑中，web 挂钩传递信息不可用。

Elasticsearch 运行状况检查不允许在运行迁移时出现黄色集群状态。

存储库将在 Web UI 中显示一个不起作用的 Discussions（讨论）选项卡。

由于用户将其用户帐户转换为组织而创建的组织不会添加到全局企业帐户中。

删除了指向无法访问的页面的链接。

GitHub Actions 部署图将在呈现挂起的作业时显示错误。

由于大量不必要的后台作业排队，某些实例的 CPU 使用率过高。

尝试同步以前同步的 GPG 密钥时，LDAP 用户同步作业将失败。

从用户拉取请求仪表板跟踪指向拉取请求的链接将导致存储库标头无法加载。

将团队作为审阅者添加到拉取请求中有时会显示该团队中不正确的成员数。

删除团队成员身份 API 端点在尝试删除通过 SCIM 组进行外部管理的成员时将响应错误。

大量休眠用户可能会导致 GitHub Connect 配置失败。

站点管理员 Web UI 中的“功能和测试版注册”页面不可用。

单击站点页脚中的“站点管理模式”链接不会改变状态。

“spokesctl cache-policy rm”命令不再失败，并显示消息“error: failed to delete cache policy（错误：无法删除缓存策略）”。

增加了 Memcached 连接限制，以更好地适应大型集群拓扑。

依赖关系图 API 以前使用静态定义的端口运行。

与集群相关的 Elasticsearch 分片设置的默认分片计数已更新。

在“People（人员）”页面上按组织角色筛选企业成员时，改进了下拉菜单项的文本。

“分类”和“维护”团队角色在存储库迁移期间保留。

改进了企业所有者发出的 Web 请求的性能。

高：在 GitHub 的 markdown 解析器中发现了一个整数溢出漏洞，该漏洞可能导致信息泄漏和 RCE。此漏洞由 Google Project Zero 的 Felix Wilhelm 通过GitHub Bug Bounty 计划报告，并已分配 CVE-2022-24724。

如果高可用性副本的时钟与主副本不同步，则升级有时可能会失败。

2020 年 9 月 1 日之后创建的 OAuth 应用程序无法使用 检查授权 API 端点。

用户可以注册名为“saml”的用户或组织。

包已更新到最新的安全版本。

使用 Azure Blob 存储时，无法验证 GitHub 包存储设置并将其保存在管理控制台中。

Mssql.backup.cadence 配置选项未通过 ghe-config-check，并显示无效的字符集警告。

修复了从 memcached 获取超过 2 个^{^16} 密钥时的 SystemStackError（堆栈太深）。

整个站点中的许多选择菜单呈现不正确且不起作用。

现在可以在没有漏洞数据的情况下启用依赖关系图，从而允许客户查看正在使用的依赖项以及版本。在不启用 GitHub Connect 的情况下启用依赖关系图将不提供漏洞信息。

机密扫描将跳过扫描 ZIP 和其他存档文件的机密。

中：机密扫描 API 调用可能会返回请求范围之外的存储库的警报。

包已更新到最新的安全版本。

在 MySQL 机密轮换后，页面将变得不可用，直到“nginx”被手动重新启动。

启用 GitHub Actions 时，迁移可能会失败。

使用 ISO 8601 日期设置维护计划时，由于时区未转换为 UTC，因此实际计划时间将不匹配。

有关“cloud-config.service”的虚假错误消息将输出到控制台。

使用“ghe-cluster-each”安装热补丁后，版本号将无法正确更新。

Web 挂钩表清理作业可以同时运行，从而导致资源争用并增加作业运行时间。

从主数据库运行时，副本上的“ghe-repl-teardown”不会从 MSSQL 可用性组中删除副本。

将基于电子邮件的通知限制为在已验证或已批准的域上具有电子邮件的用户的功能无法正常工作。

使用 CAS 身份验证并启用“Reactivate suspended users（重新激活挂起的用户）”选项时，不会自动重新激活挂起的用户。

与安全警报设置相关的长时间运行的数据库迁移可能会延迟升级完成。

GitHub Connect 数据连接记录现在包括活动用户数和休眠用户数以及配置的休眠期的计数。

程序包已更新到最新的安全版本。在这些更新中，Log4j 已更新到版本 2.17.1。注意：3.3.1、3.2.6、3.1.14 和 3.0.22 中发布的先前缓解措施足以解决这些版本的 GitHub 企业服务器中 CVE-2021-44228、CVE-2021-45046、CVE-2021-45105 和 CVE-2021-44832 的影响。

清理生成的支持包中的更多机密

现在，具有安全经理角色的团队中的用户将收到有关其监控的存储库的安全警报通知。

一旦达到最大团队数，安全管理器组件将显示不太激进的警告。

当尝试从存储库中删除安全经理团队时，存储库管理访问页面应返回 403。

包已更新到最新的安全版本。

操作自托管运行器在从较旧的 GHES 安装升级后将无法自行更新或运行新作业。

将 MinIO 配置为 GitHub 包的 Blob 存储时，无法验证存储设置。

选择“Force Path Style（强制路径样式）”时，无法验证 GitHub Actions 存储设置并将其保存在管理控制台中。

在设置了维护模式的更新后，操作将保持停止状态。

运行“ghe-config-apply”有时可能会因为“/data/user/tmp/pages”中的权限问题而失败。

管理控制台中的保存按钮无法在较低分辨率的浏览器中滚动访问。

收集的版本升级后，IOPS 和存储流量监控图表未更新。

一些与 web 挂钩相关的作业可能会生成大量日志。

帐单导航项在网站管理页面中可见。

多个文档链接导致“404 未找到”错误。

严重： Log4j 库中的远程执行代码漏洞（标识为 CVE-2021-44228）影响了 3.3.1 之前所有版本的 GitHub Enterprise Server 。Log4j 库用于在 GitHub Enterprise Server 实例上运行的开源服务中。此漏洞已在 GitHub Enterprise Server 版本 3.0.22、3.1.14、3.2.6 和 3.3.1 中修复。更多信息请参阅 GitHub博客上的这篇文章。

2021 年 12 月 17 日更新：此版本的现有修补程序还缓解了在此版本之后发布的 CVE-2021-45046。无需对 GitHub Enterprise Server 进行额外升级即可缓解 CVE-2021-44228 和 CVE-2021-45046。

Organization owners can now grant teams the access to manage security alerts and settings on their repositories. The "security manager" role can be applied to any team and grants the team's members the following access:

• Read access on all repositories in the organization.
• Write access on all security alerts in the organization.
• Access to the organization-level security tab.
• Write access on security settings at the organization level.
• Write access on security settings at the repository level.

For more information, see "Managing security managers in your organization."

GitHub Actions now supports ephemeral (single job) self-hosted runners and a new workflow_job webhook to make autoscaling runners easier.

Ephemeral runners are good for self-managed environments where each job is required to run on a clean image. After a job is run, ephemeral runners are automatically unregistered from 您的 GitHub Enterprise Server 实例, allowing you to perform any post-job management.

You can combine ephemeral runners with the new workflow_job webhook to automatically scale self-hosted runners in response to GitHub Actions job requests.

For more information, see "Autoscaling with self-hosted runners" and "Webhook events and payloads."

A dark high contrast theme, with greater contrast between foreground and background elements, is now available on GitHub Enterprise Server 3.3. This release also includes improvements to the color system across all GitHub themes.

For more information about changing your theme, see "Managing your theme settings."

GitHub Enterprise Server 3.3 includes improvements to the maintenance of repositories, especially for repositories that contain many unreachable objects. Note that the first maintenance cycle after upgrading to GitHub Enterprise Server 3.3 may take longer than usual to complete.

GitHub Enterprise Server 3.3 includes the public beta of a repository cache for geographically-distributed teams and CI infrastructure. The repository cache keeps a read-only copy of your repositories available in additional geographies, which prevents clients from downloading duplicate Git content from your primary instance. For more information, see "About repository caching."

GitHub Enterprise Server 3.3 includes improvements to the user impersonation process. An impersonation session now requires a justification for the impersonation, actions are recorded in the audit log as being performed as an impersonated user, and the user who is impersonated will receive an email notification that they have been impersonated by an enterprise administrator. For more information, see "Impersonating a user."

A new stream processing service has been added to facilitate the growing set of events that are published to the audit log, including events associated with Git and GitHub Actions activity.

The GitHub Connect data connection record now includes a list of enabled GitHub Connect features. [Updated 2021-12-09]

An expiration date can now be set for new and existing personal access tokens. Setting an expiration date on personal access tokens is highly recommended to prevent older tokens from leaking and compromising security. Token owners will receive an email when it's time to renew a token that's about to expire. Tokens that have expired can be regenerated, giving users a duplicate token with the same properties as the original.

When using a personal access token with the GitHub API, a new GitHub-Authentication-Token-Expiration header is included in the response, which indicates the token's expiration date. For more information, see "Creating a personal access token."

Notification emails from discussions now include (Discussion #xx) in the subject, so you can recognize and filter emails that reference discussions.

Public repositories now have a Public label next to their names like private and internal repositories. This change makes it easier to identify public repositories and avoid accidentally committing private code.

If you specify the exact name of a branch when using the branch selector menu, the result now appears at the top of the list of matching branches. Previously, exact branch name matches could appear at the bottom of the list.

When viewing a branch that has a corresponding open pull request, GitHub Enterprise Server now links directly to the pull request. Previously, there would be a prompt to contribute using branch comparison or to open a new pull request.

You can now click a button to copy the full raw contents of a file to the clipboard. Previously, you would need to open the raw file, select all, and then copy. To copy the contents of a file, navigate to the file and click in the toolbar. Note that this feature is currently only available in some browsers.

When creating a new release, you can now select or create the tag using a dropdown selector, rather than specifying the tag in a text field. For more information, see "Managing releases in a repository."

A warning is now displayed when viewing a file that contains bidirectional Unicode text. Bidirectional Unicode text can be interpreted or compiled differently than it appears in a user interface. For example, hidden bidirectional Unicode characters can be used to swap segments of text in a file. For more information about replacing these characters, see the GitHub changelog.

You can now use CITATION.cff files to let others know how you would like them to cite your work. CITATION.cff files are plain text files with human- and machine-readable citation information. GitHub Enterprise Server parses this information into common citation formats such as APA and BibTeX. For more information, see "About CITATION files."

You can use new keyboard shortcuts for quotes and lists in Markdown files, issues, pull requests, and comments.

• To add quotes, use cmd shift . on Mac, or ctrl shift . on Windows and Linux.
• To add an ordered list, use cmd shift 7 on Mac, or ctrl shift 7 on Windows and Linux.
• To add an unordered list, use cmd shift 8 on Mac, or ctrl shift 8 on Windows and Linux.

See "Keyboard shortcuts" for a full list of available shortcuts.

You can now use footnote syntax in any Markdown field. Footnotes are displayed as superscript links that you can click to jump to the referenced information, which is displayed in a new section at the bottom of the document. For more information about the syntax, see "Basic writing and formatting syntax."

When viewing Markdown files, you can now click in the toolbar to view the source of a Markdown file. Previously, you needed to use the blame view to link to specific line numbers in the source of a Markdown file.

You can now add images and videos to Markdown files in gists by pasting them into the Markdown body or selecting them from the dialog at the bottom of the Markdown file. For information about supported file types, see "Attaching files."

GitHub Enterprise Server now automatically generates a table of contents for Wikis, based on headings.

When dragging and dropping files into a Markdown editor, such as images and videos, GitHub Enterprise Server now uses the mouse pointer location instead of the cursor location when placing the file.

You can now search issues by label using a logical OR operator. To filter issues using logical OR, use the comma syntax. For example, label:"good first issue","bug" will list all issues with a label of good first issue or bug. For more information, see "Filtering and searching issues and pull requests."

Improvements have been made to help teams manage code review assignments. You can now:

• Limit assignment to only direct members of the team.
• Continue with automatic assignment even if one or more members of the team are already requested.
• Keep a team assigned to review even if one or more members is newly assigned.

The timeline and reviewers sidebar on the pull request page now indicate if a review request was automatically assigned to one or more team members.

For more information, see the GitHub changelog.

You can now filter pull request searches to only include pull requests you are directly requested to review.

Filtered files in pull requests are now completely hidden from view, and are no longer shown as collapsed in the "Files Changed" tab. The "File Filter" menu has also been simplified. For more information, see "Filtering files in a pull request."

You can now create "composite actions" which combine multiple workflow steps into one action, and includes the ability to reference other actions. This makes it easier to reduce duplication in workflows. Previously, an action could only use scripts in its YAML definition. For more information, see "Creating a composite action."

Managing self-hosted runners at the enterprise level no longer requires using personal access tokens with the admin:enterprise scope. You can instead use the new manage_runners:enterprise scope to restrict the permissions on your tokens. Tokens with this scope can authenticate to many REST API endpoints to manage your enterprise's self-hosted runners.

The audit log now includes additional events for GitHub Actions. Audit log entries are now recorded for the following events:

• A self-hosted runner is registered or removed.
• A self-hosted runner is added to a runner group, or removed from a runner group.
• A runner group is created or removed.
• A workflow run is created or completed.
• A workflow job is prepared. Importantly, this log includes the list of secrets that were provided to the runner.

For more information, see "Security hardening for GitHub Actions."

GitHub Enterprise Server 3.3 contains performance improvements for job concurrency with GitHub Actions. For more information about the new performance targets for a range of CPU and memory configurations, see "Getting started with GitHub Actions for GitHub Enterprise Server."

To mitigate insider man in the middle attacks when using actions resolved through GitHub Connect to GitHub.com from GitHub Enterprise Server, the actions namespace (owner/name) is retired on use. Retiring the namespace prevents that namespace from being created on your GitHub Enterprise Server instance, and ensures all workflows referencing the action will download it from GitHub.com.

When a repository is deleted, any associated package files are now immediately deleted from your GitHub Packages external storage.

Dependency review is out of beta and is now generally available for GitHub Advanced Security customers. Dependency review provides an easy-to-understand view of dependency changes and their security impact in the "Files changed" tab of pull requests. It informs you of which dependencies were added, removed, or updated, along with vulnerability information. For more information, see "Reviewing dependency changes in a pull request."

Dependabot is now available as a private beta, offering both version updates and security updates for several popular ecosystems. Dependabot on GitHub Enterprise Server requires GitHub Actions and a pool of self-hosted runners configured for Dependabot use. Dependabot on GitHub Enterprise Server also requires GitHub Connect to be enabled. To learn more and sign up for the beta, contact the GitHub Sales team.

The depth of CodeQL's analysis has been improved by adding support for more libraries and frameworks and increasing the coverage of our existing library and framework models. JavaScript analysis now supports most common templating languages, and Java now covers more than three times the endpoints of previous CodeQL versions. As a result, CodeQL can now detect even more potential sources of untrusted user data, steps through which that data flows, and potentially dangerous sinks where the data could end up. This results in an overall improvement of the quality of 代码扫描 alerts.

CodeQL now supports scanning standard language features in Java 16, such as records and pattern matching. CodeQL is able to analyze code written in Java version 7 through 16. For more information about supported languages and frameworks, see the CodeQL documentation.

Improvements have been made to the 代码扫描 on:push trigger when code is pushed to a pull request. If an on:push scan returns results that are associated with a pull request, 代码扫描 will now show these alerts on the pull request.

Some other CI/CD systems can be exclusively configured to trigger a pipeline when code is pushed to a branch, or even exclusively for every commit. Whenever such an analysis pipeline is triggered and results are uploaded to the SARIF API, 代码扫描 will also try to match the analysis results to an open pull request. If an open pull request is found, the results will be published as described above. For more information, see the GitHub changelog.

You can now use the new pull request filter on the 代码扫描 alerts page to find all the 代码扫描 alerts associated with a pull request. A new "View all branch alerts" link on the pull request "Checks" tab allows you to directly view 代码扫描 alerts with the specific pull request filter already applied. For more information, see the GitHub changelog.

User defined patterns for 秘密扫描 is out of beta and is now generally available for GitHub Advanced Security customers. Also new in this release is the ability to edit custom patterns defined at the repository, organization, and enterprise levels. After editing and saving a pattern, 秘密扫描 searches for matches both in a repository's entire Git history and in any new commits. Editing a pattern will close alerts previously associated with the pattern if they no longer match the updated version. Other improvements, such as dry-runs, are planned in future releases. For more information, see "Defining custom patterns for secret scanning."

Most REST API previews have graduated and are now an official part of the API. Preview headers are no longer required for most REST API endpoints, but will still function as expected if you specify a graduated preview in the Accept header of a request. For previews that still require specifying the preview in the Accept header of a request, see "API previews."

You can now use the REST API to configure custom autolinks to external resources. The REST API now provides beta GET/POST/DELETE endpoints which you can use to view, add, or delete custom autolinks associated with a repository. For more information, see "Autolinks."

You can now use the REST API to sync a forked repository with its upstream repository. For more information, see "Branches" in the REST API documentation.

Enterprise administrators on GitHub Enterprise Server can now use the REST API to enable or disable Git LFS for a repository. For more information, see "Repositories."

You can now use the REST API to query the audit log for an enterprise. While audit log forwarding provides the ability to retain and analyze data with your own toolkit and determine patterns over time, the new endpoint can help you perform limited analysis on recent events. For more information, see "GitHub Enterprise administration" in the REST API documentation.

GitHub App user-to-server API requests can now read public resources using the REST API. This includes, for example, the ability to list a public repository's issues and pull requests, and to access a public repository's comments and content.

When creating or updating a repository, you can now configure whether forking is allowed using the REST and GraphQL APIs. Previously, APIs for creating and updating repositories didn't include the fields allow_forking (REST) or forkingAllowed (GraphQL). For more information, see "Repositories" in the REST API documentation and "Repositories" in the GraphQL API documentation.

A new GraphQL mutation createCommitOnBranch makes it easier to add, update, and delete files in a branch of a repository. Compared to the REST API, you do not need to manually create blobs and trees before creating the commit. This allows you to add, update, or delete multiple files in a single API call.

Commits authored using the new API are automatically GPG signed and are marked as verified in the GitHub Enterprise Server UI. GitHub Apps can use the mutation to author commits directly or on behalf of users.

When a new tag is created, the push webhook payload now always includes a head_commit object that contains the data of the commit that the new tag points to. As a result, the head_commit object will always contain the commit data of the payload's after commit.

Page loads and jobs are now significantly faster for repositories with many Git refs.

After upgrading to GitHub Enterprise Server 3.3, GitHub Actions may fail to start automatically. To resolve this issue, connect to the appliance via SSH and run the ghe-actions-start command.

On a freshly set up GitHub Enterprise Server instance without any users, an attacker could create the first admin user.

Custom firewall rules are removed during the upgrade process.

Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.

Issues cannot be closed if they contain a permalink to a blob in the same repository, where the blob's file path is longer than 255 characters.

When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

The GitHub Packages npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.

Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.

GitHub Actions storage settings cannot be validated and saved in the 管理控制台 when "Force Path Style" is selected, and must instead be configured with the ghe-actions-precheck command line utility.

GitHub Enterprise Server 3.3 instances installed on Azure and provisioned with 32+ CPU cores would fail to launch, due to a bug present in the current Linux kernel. [Updated: 2022-04-08]

GitHub Enterprise Server 2.22 was discontinued on September 23, 2021. This means that no patch releases will be made, even for critical security issues, after this date. For better performance, improved security, and new features, upgrade to the newest version of GitHub Enterprise Server as soon as possible.

GitHub Enterprise Server 3.0 will be discontinued on February 16, 2022. This means that no patch releases will be made, even for critical security issues, after this date. For better performance, improved security, and new features, upgrade to the newest version of GitHub Enterprise Server as soon as possible.

Starting with GitHub Enterprise Server 3.3, GitHub Enterprise Server on XenServer is deprecated and is no longer supported. Please contact GitHub Support with questions or concerns.

To prevent accidental logging or exposure of access_tokens, we discourage the use of OAuth Application API endpoints and the use of API authentication using query parameters. View the following posts to see the proposed replacements:

• Replacement OAuth Application API endpoints
• Replacement authentication using headers instead of query param

These endpoints and authentication route are planned to be removed from GitHub Enterprise Server in GitHub Enterprise Server 3.4.

The CodeQL runner is being deprecated. GitHub Enterprise Server 3.3 will be the final release series that supports the CodeQL runner. Starting with GitHub Enterprise Server 3.4, the CodeQL runner will be removed and no longer supported. The CodeQL CLI version 2.6.2 or greater is a feature-complete replacement for the CodeQL runner. For more information, see the GitHub changelog.

Starting in GitHub Enterprise Server 3.1, support for GitHub's proprietary bit-cache extensions began to be phased out. These extensions are now deprecated in GitHub Enterprise Server 3.3.

Any repositories that were already present and active on 您的 GitHub Enterprise Server 实例 running version 3.1 or 3.2 will have been automatically updated.

Repositories which were not present and active before upgrading to GitHub Enterprise Server 3.3 may not perform optimally until a repository maintenance task is run and has successfully completed.

To start a repository maintenance task manually, browse to https://<hostname>/stafftools/repositories/<owner>/<repository>/network for each affected repository and click the Schedule button.

GitHub Connect will no longer work after June 3rd for instances running GitHub Enterprise Server 3.1 or older, due to the format of GitHub authentication tokens changing. To continue using GitHub Connect, upgrade to GitHub Enterprise Server 3.2 or later. For more information, see the GitHub Blog. [Updated: 2022-06-14]