We are glad to have you here with us. As the pulse of the open-source community, GitHub is full of new projects, groundbreaking features, and daily collaborative efforts.
We are pleased to have you back for the second edition of our newsletter. Thank you for subscribing and joining us on this exciting journey through the world of GitHub.
This month, we continue to bring you the latest news, updates, and inspiring stories from the GitHub community. Whether you're a beginner or an expert, there's always something new to discover.
As we strive to find the perfect timing for our monthly editions, we appreciate your patience and support. In the meantime, we have a wealth of interesting GitHub news to share.
Remember to share this newsletter with your colleagues and friends, who might benefit from the insights, tips, and inspiration it contains.
Stay tuned, and let's dive into the incredible world of GitHub together!
Sponsors now supports Polar and Buy Me a Coffee as funding platform options
GitHub Sponsors is a way to give back to the open-source repositories that you and your applications depend upon. You can see the tools and open-source packages your organization uses from the Insights tab of the organization. For maintainers it is always helpful to support as many funding platforms as possible, so having even more choice about where to receive that support is genuinely nice! Read more in the GitHub Sponsors documentation.
GitHub secret scanning and push protection enabled by default
Accidentally committing secrets to a repository is amazingly easy and it happens to the best of us (we have been there!). With the tools in GitHub Advanced Security you can keep your repositories from creating new security issues: secret scanning finds credentials that are already in the history, and push protection blocks a push that contains a detected secret before it lands. These tools have been available for free on open-source repos from the start, but not everyone has been using them. To help the community and keep it safe, GitHub has now enabled secret scanning and push protection by default.
Very nice blog post on using GitHub Actions to parse Power Usage Effectiveness (PUE) data for the different Azure regions, which are published as PDFs. In the example the author scrapes the data out of the PDFs and stores it as JSON in their repo for other people to use for free. Very good to see an end-to-end example of the moving parts here!
Great end-to-end blog post on managing GitHub branch protections, starting from branch protection rules and moving on to the new ruleset functionality, which manages those rules at the organization level and gives you a single location for multiple repos! The post even covers using a GitHub App (and why) to work correctly with certain checks and changes.
A new weakness has been reported, this time in the attachments you can add to an issue.
When you create an issue in a repository that you do not own, for example a Microsoft-owned repository, and attach a file, the upload gets a URL that starts with the repository name. You do not even need to submit the issue; the file remains available at the URL that was generated on upload.
Therefore, whenever you share this URL, it looks like it originated from a Microsoft-owned repository, but it is actually an attachment anybody can add: the trusted organization name in the path says nothing about who uploaded the file. Be on the lookout for this type of attachment!
The new rulesets allow fine-grained control of what is possible on your branches. An interesting addition is that you can now disallow certain file extensions: if you do not want PowerPoints polluting your repository, you can enforce this with the new push rules. Another addition is the ability to block certain file paths, for example disallowing changes to workflow files.
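Building the two push rules described above as a request body, as an added example that is not from the newsletter or from GitHub's own code. The rule type names, parameter keys and the `POST /orgs/{org}/rulesets` endpoint are the editor's reading of the rulesets REST API and are assumptions to check against the current docs.

```python
"""Build an organization push ruleset that blocks slide decks and
workflow-file changes. Added example, not from the newsletter or GitHub's
own code. The rule type names and parameter keys are the editor's reading
of the rulesets REST API (POST /orgs/{org}/rulesets) and are assumptions:
check them against the current API docs before sending the request.
"""
import json
import os
import urllib.request

BLOCKED_EXTENSIONS = [".ppt", ".pptx"]      # keep PowerPoints out of git
PROTECTED_PATHS = [".github/workflows/**"]  # no workflow edits via push

def build_push_ruleset(name, extensions=(), paths=(), enforcement="active"):
    """Return the request body for a push ruleset covering all org repos."""
    rules = []
    if extensions:
        rules.append({"type": "file_extension_restriction",
                      "parameters": {"restricted_file_extensions": list(extensions)}})
    if paths:
        rules.append({"type": "file_path_restriction",
                      "parameters": {"restricted_file_paths": list(paths)}})
    if not rules:
        raise ValueError("a push ruleset needs at least one rule")
    return {
        "name": name,
        "target": "push",
        "enforcement": enforcement,
        # "~ALL" selects every repository in the organization (assumed value).
        "conditions": {"repository_name": {"include": ["~ALL"], "exclude": []}},
        "rules": rules,
    }

def create_ruleset(org, token, body):
    """POST the ruleset; needs a token with organization administration rights."""
    req = urllib.request.Request(
        f"https://api.github.com/orgs/{org}/rulesets",
        data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {token}",
                 "Accept": "application/vnd.github+json",
                 "Content-Type": "application/json"},
        method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

if __name__ == "__main__":
    body = build_push_ruleset("no-decks-no-workflow-edits",
                              BLOCKED_EXTENSIONS, PROTECTED_PATHS)
    print(json.dumps(body, indent=2))
    # create_ruleset(os.environ["GH_ORG"], os.environ["GITHUB_TOKEN"], body)
```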
There is now even less of an excuse for not looking at a pull request when you are not behind a PC; the GitHub mobile application allows you to do code reviews on the go!
When you operate in a locked-down environment, with everything behind private networks, it is difficult to use the GitHub-hosted runners. Instead, you need to roll your own agents, which adds maintenance work.
An interesting solution is to use the Azure private networking support, which allows you to host a GitHub-managed runner in your own subnet.
That is not the only change; larger macOS runners and runners with GPUs are also in beta.
The Advanced Security suite has received several updates over the last month. The biggest highlight is a new “Enablement Trend” dashboard at the organization level, which is very helpful during the getting-started phase with GHAS.
Next to that there is a new security configuration option for GHAS that helps during the rollout. Up to now there were only three options during the rollout:
Enable features for new repos only (organization level setting)
Enable GHAS for ALL repos in one go (rather intrusive, and needs extensive training of all developers up front)
Enable features on a per repo basis (slower and fits a team-by-team onboarding plan)
Read more information on the push rules beta in the blog post.
Dependabot scans on GitHub Actions (optional for now)
Dependency scanning has always been a background process that runs on GitHub servers and was hard to find (Insights > Dependency graph > Dependabot for the version update runs). Maintaining a separate background process at GitHub’s scale is also very hard to do. With GitHub Actions being a service that scales massively, and Dependabot already running on Actions runners on Enterprise Server, it makes sense to bring Dependabot to GitHub Actions. This is opt-in initially; in the future every Dependabot run (checking for updates, for example) will be executed on GitHub Actions, making it easier for users to find and offering faster runs. The runs on Actions will NOT count against your Actions minutes, so there is no extra billing. The blog post for this new way of executing can be found via the link.
To enable these scans, go to the repository settings, Code security and analysis, Dependabot on Actions runners.
GitHub Copilot Metrics API now available in public beta
We have been using the metrics API for Copilot for a while now from the private beta, and it is now available for everyone in a public beta! Using this API you can get information about when users last used their Copilot license (to help with billing and potentially revoking the license if needed). Next to that you can retrieve the number of suggestions, the number of lines suggested, and their accepted counterparts. With this you can build up some reporting to indicate usage of GitHub Copilot. This is only informative (and anonymized data, as it sums up to either a team or the entire organization level), and can at least give you hints of how Copilot is being used. Chat sessions and ‘turns’ (how many questions users asked) are available as well. It has some specifics to be aware of: for example, the accepted-suggestion counts only include suggestions that were accepted in full, so if you accept things word by word, they might not be counted. Again, use this information as an indication of usage and to see whether it is growing or slowing down.
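The kind of reporting described above, as an added example that is not part of the newsletter or of GitHub's tooling: it computes an acceptance rate, a week-over-week trend for completions and chat turns, and a list of seats with no recent activity. The field names (`total_suggestions_count`, `total_acceptances_count`, `total_chat_turns`, `last_activity_at`) follow the public-beta usage and seats endpoints as the editor understands them and are assumptions; all input is constructed sample data.

```python
"""Usage trend and seat hygiene over GitHub Copilot metrics. Added example,
not part of the newsletter or of GitHub's tooling. Field names follow the
public-beta usage endpoint (GET /orgs/{org}/copilot/usage) and the seats
endpoint (GET /orgs/{org}/copilot/billing/seats) as the editor understands
them; verify against the API docs. All data below is constructed sample data."""
from datetime import datetime, timedelta, timezone

# Constructed sample: two weeks of daily org-level totals, oldest first.
USAGE = [
    {"day": f"2024-05-{d:02d}", "total_suggestions_count": s,
     "total_acceptances_count": a, "total_chat_turns": t}
    for d, s, a, t in [
        (1, 800, 240, 40), (2, 820, 250, 42), (3, 790, 230, 38),
        (4, 810, 245, 41), (5, 805, 240, 39), (6, 815, 248, 43),
        (7, 800, 241, 40), (8, 900, 300, 55), (9, 920, 310, 58),
        (10, 910, 305, 57), (11, 930, 315, 60), (12, 905, 300, 56),
        (13, 925, 312, 59), (14, 915, 308, 58)]]

# Constructed sample of seat assignments and a constructed "today".
SEATS = [
    {"assignee": {"login": "alice"}, "last_activity_at": "2024-05-13T10:00:00Z"},
    {"assignee": {"login": "bob"}, "last_activity_at": "2024-03-01T09:00:00Z"},
    {"assignee": {"login": "carol"}, "last_activity_at": None}]
NOW = datetime(2024, 5, 15, tzinfo=timezone.utc)

def acceptance_rate(days):
    """Accepted / suggested. Only fully accepted suggestions are counted by
    the API, so word-by-word acceptance pushes this down; an indication only."""
    suggested = sum(d["total_suggestions_count"] for d in days)
    accepted = sum(d["total_acceptances_count"] for d in days)
    return accepted / suggested if suggested else 0.0

def usage_trend(days, window=7):
    """Relative change of the last `window` days versus the `window` before."""
    recent, prior = days[-window:], days[-2 * window:-window]
    trend = {}
    for key in ("total_suggestions_count", "total_chat_turns"):
        before = sum(d[key] for d in prior)
        after = sum(d[key] for d in recent)
        trend[key] = (after - before) / before if before else float("inf")
    return trend

def idle_seats(seats, now, max_idle_days=30):
    """Logins with no activity within max_idle_days (or never): candidates
    for a billing review or license revocation."""
    cutoff = now - timedelta(days=max_idle_days)
    return [s["assignee"]["login"] for s in seats
            if s.get("last_activity_at") is None
            or datetime.fromisoformat(s["last_activity_at"].replace("Z", "+00:00")) < cutoff]
```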
Thanks for reading this edition of the OctoInsider newsletter! If you didn't already, subscribe here to get the next edition straight into your inbox. If you have interesting news for us, let us know! We are always looking for things that are happening in the GitHub ecosystem.
Rob Bos
Rob Bos is a passionate software engineer and open-source enthusiast with a strong focus on GitHub-related projects. With a background in computer science, he has contributed significantly to various repositories and demonstrated expertise in several programming languages.
Michiel van Oudheusden
Michiel van Oudheusden is a seasoned Microsoft .NET developer, consultant, architect, and manager. His passion lies in web applications, cloud systems, and backend development. With a strong focus on Agile methodologies, he has successfully coached Scrum teams and managed product and technology teams.