Changelog

Subscribe to all Changelog posts via RSS or follow GitHub Changelog on Twitter to stay updated on everything we ship.

~ cd github-changelog
~/github-changelog|main git log main
showing all changes successfully

GitHub Actions token integration now generally available in GitHub Models

You can now use the built-in GITHUB_TOKEN from GitHub Actions to authenticate requests to GitHub Models. This simplifies your workflows by integrating AI capabilities directly into your actions, eliminating the need to generate and manage Personal Access Tokens (PATs).

With this update, creating and sharing AI-driven GitHub Actions has never been easier. Add AI to your workflows effortlessly, whether it’s generating issue comments or reviewing pull requests.

Try it out today and streamline your automation with integrated AI.

GitHub Models empowers every developer to effortlessly incorporate AI into their GitHub workflows.

For more details, check out our documentation or join our community discussions.

See more

Secret scanning expands default pattern and push protection support

GitHub regularly updates the default pattern set for secret scanning with new patterns and upgrades of existing patterns, ensuring your repositories have comprehensive detection for different secret types.

The following new patterns were added over the last few months. Secret scanning automatically detects any secrets matching these patterns in your repositories. See the full list of supported secrets in the documentation.

Provider Token Partner User Push protection
Bitrise bitrise_personal_access_token
Bitrise bitrise_workspace_api_token
Buildkite buildkite_user_access_token
LinkedIn linkedin_client_secret
Mailersend mailersend_smtp_password
Naver Cloud navercloud_gov_access_key
Naver Cloud navercloud_gov_access_key_secret
Naver Cloud navercloud_gov_sts
Naver Cloud navercloud_gov_sts_secret
Naver Cloud navercloud_pub_access_key
Naver Cloud navercloud_pub_access_key_secret
Naver Cloud navercloud_pub_sts
Naver Cloud navercloud_pub_sts_secret
Neon neon_api_key
Neon neon_connection_uri
Pangea pangea_token
Planning Center planning_center_oauth_access_token
Planning Center planning_center_oauth_app_secret
Planning Center planning_center_personal_access_token
Ramp ramp_client_id
Ramp ramp_client_secret
Ramp ramp_oauth_token
RunPod runpod_api_key
Sourcegraph sourcegraph_access_token
Sourcegraph sourcegraph_dotcom_user_gateway
Sourcegraph sourcegraph_instance_identifier_access_token
Sourcegraph sourcegraph_license_key_token
Sourcegraph sourcegraph_product_subscription_token

The following existing patterns were upgraded to be included in push protection. When push protection is enabled, secret scanning automatically blocks any pushes that contain a secret matching these patterns.

Provider Token
Atlassian atlassian_jwt
Azure azure_web_pub_sub_connection_string
Azure microsoft_corporate_network_user_credential
Azure azure_app_configuration_connection_string
Beamer API Key beamer_api_key
Checkout.com checkout_test_secret_key
Duffel duffel_test_access_token
Dynatrace dynatrace_internal_token
eBay ebay_sandbox_client_id ebay_sandbox_client_secret
Frame.io frameio_jwt
Google google_oauth_refresh_token
Google google_oauth_access_token
Lob lob_test_api_key
Mailgun mailgun_api_key
Notion notion_oauth_client_secret
Pulumi pulumi_access_token
RubyGems rubygems_api_key
Sentry sentry_integration_token
Sentry sentry_org_auth_token
Sentry sentry_user_app_auth_token
Sentry sentry_user_auth_token
Shopee shopee_open_platform_partner_key
Shopify shopify_app_client_credentials
Shopify shopify_custom_app_access_token
Shopify shopify_partner_api_token
Shopify shopify_private_app_password
Square square_access_token
Square square_production_application_secret
Square square_sandbox_application_secret
SSLMate sslmate_api_key
SSLMate sslmate_cluster_secret
Stripe stripe_test_secret_key
Tableau tableau_personal_access_token
WorkOS workos_staging_api_key
Yandex yandex_dictionary_api_key
Yandex yandex_cloud_api_key

Learn more about securing your repositories with secret scanning.

See more

Copilot extension for GitHub Models now requires updated permissions

The Copilot extension for GitHub Models now requires the models:read permission in order to access GitHub Models APIs. Users will need to reauthorize the extension by accepting the new permission via the email notification sent from GitHub.

This change follows our March 18th changelog, which announced that GitHub Apps and fine-grained PATs accessing GitHub Models would require the models:read permission.

If the updated permission is not granted, functionality like @models in chat may stop working.

To learn more about GitHub Models, check out the docs. You can also join our Community discussions.

See more

Windows arm64 hosted runners now available in public preview

Now in public preview, Windows arm64 hosted runners are available for free in public repositories. This runner comes with a Windows 11 Desktop image, fully equipped with all the tooling you need to quickly get started running your workflows. Following the release of linux arm64 hosted runners in January, this now extends to Windows support for the open source-community. These four vCPU runners provide a power-efficient compute layer for your Windows workloads. Arm-native developers can now build, test, and deploy entirely within the arm64 architecture without the need for virtualization on your actions runs.

How to use the runners

To leverage the arm64 hosted runners, add the following labels in your public repository workflow runs:

  • windows-11-arm

Please note that this label will not work in private repositories—the workflow will fail if you add it. All runs in public repositories will adhere to our standard runners usage limits, with maximum concurrencies based on your plan type. While the arm64 runners are in public preview, you may experience longer queue times during peak usage hours.

Images for arm64 larger runners

In partnership with Arm, there is now a Windows 11 desktop arm64 image with preinstalled tools available for all GitHub runner sizes, including both the new free offering and our existing arm64 larger runners. To use the new image on larger runners, you can create a new runner and select the Microsoft Windows 11 Desktop by Arm Limited image in the Images console.

To view the list of installed software, give feedback on the image, or report issues, visit the partner-runner-images repository.

Get started today!

To get started building windows on arm64 for free, simply add the new label to the runs-on syntax in your public actions workflow file. For more information on arm64 runners and how to use them, see our documentation and join the conversation in the Community discussion.

See more

OpenAI GPT-4.1 now available in public preview for GitHub Copilot and GitHub Models

GPT-4.1 release in GitHub Copilot and GitHub Models

OpenAI’s latest model, GPT-4.1, is now available in GitHub Copilot and GitHub Models, bringing OpenAI’s newest model to your coding workflow. This model outperforms GPT-4o across the board, with major gains in coding, instruction following, and long-context understanding. It has a larger context window and features a refreshed knowledge cutoff of June 2024.

OAI has optimized GPT-4.1 for real-world use based on direct developer feedback about: frontend coding, making fewer extraneous edits, following formats reliably, adhering to response structure and ordering, consistent tool usage, and more. This model is a strong default choice for common development tasks that benefit from speed, responsiveness, and general-purpose reasoning.

Copilot

OpenAI GPT-4.1 is rolling out for all Copilot Plans, including Copilot Free. You can access it through the model picker in Visual Studio Code and on github.com chat. To accelerate your workflow, whether you’re debugging, refactoring, modernizing, testing, or just getting started, select “GPT-4.1 (Preview)” to begin using it.

Enabling access

Copilot Enterprise administrators will need to enable access to GPT-4.1 through a new policy in Copilot settings. As an administrator, you can verify availability by checking your individual Copilot settings and confirming the policy for GPT-4.1 is set to enabled. Once enabled, users will see GPT-4.1 in the Copilot Chat model selector in VS Code and on github.com.

To learn more about the models available in Copilot, see our documentation on models and get started with Copilot today.

GitHub Models

GitHub Models users can now harness the power of GPT-4.1 to enhance their AI applications and projects. In the GitHub Models playground, you can experiment with sample prompts, refine your ideas, and iterate as you build. You can also try it alongside other models including those from Cohere, DeepSeek, Meta, and Microsoft.

To learn more about GitHub Models, check out the GitHub Models documentation.

Share your feedback

Join the Community discussion to share feedback and tips.

See more

The Llama 4 herd is now generally available in GitHub Models

Llama 4 release on GitHub Models

The latest AI models from Meta, Llama-4-Scout-17B-16E-Instruct and Llama-4-Maverick-17B-128E-Instruct-FP8, are now available on GitHub Models.

Llama-4-Scout-17B is a 17B parameter Mixture-of-Experts (MOE) model optimized for tasks like summarization, personalization, and reasoning. Its ability to handle extensive context makes it well-suited for tasks that require complex and detailed reasoning.

Llama-4-Maverick-17B is a 17B parameter Mixture-of-Experts (MOE) model designed for high-quality chat, creative writing, and precise image analysis. With its conversational fine-tuning and support for text and image understanding, Maverick is ideal for creating AI assitants and applications.

Try, compare, and implement these models in your code for free in the playground (Llama-4-Scout-17B-16E-Instruct and Llama-4-Maverick-17B-128E-Instruct-FP8) or through the GitHub API.

To learn more about GitHub Models, check out the docs. You can also join our community discussions.

See more

VSCode Copilot agent mode in Codespaces

GitHub Codespaces has introduced a new Agentic AI feature—you can now open a Codespace running VSCode’s Copilot agent mode, directly from a GitHub issue. With a single click, you can go from issue to implementation!

When you’re in a GitHub issue, the right-hand side of the view now displays a Code with Copilot Agent Mode button in the Development section. Clicking this button initializes a new Codespace, opens the Codespace in a new tab, and enables VSCode’s Copilot agent mode, using the issue body as context. Copilot will then get to work on the issue, thoroughly analyzing the codebase and considering dependencies to suggest appropriate file changes. You can then work with Copilot to fine tune your code and make modifications as required.

VSCode Agent Mode in Codespaces is in public preview, and we’ll be iterating on the experience over the upcoming months. Stay tuned for updates!

See more

Copilot Chat users can use the Gemini 2.5 Pro model in public preview

Gemini 2.5 Pro is now available to all GitHub Copilot customers. The latest Gemini model from Google is their most advanced model for complex tasks. It shows strong reasoning and code capabilities. It also leads on common coding, math, and science benchmarks.

Google Gemini 2.5 Pro announcement

Get started today!

Copilot Pro/Pro+ users

You can start using the new Gemini 2.5 Pro model today through the model selectors in Copilot Chat in VS Code and immersive chat on github.com.

Copilot Business or Enterprise users

Copilot Business and Enterprise organization administrators will need to grant access to Gemini 2.5 Pro in Copilot through a new policy in Copilot settings. Once enabled, users will see the model selector in VS Code and chat on github.com. You can confirm the model’s availability by checking individual Copilot settings and confirming the policy for Gemini 2.5 Pro is set to enabled.

Share your feedback

Join the Community discussion to share feedback and tips.

For additional information, check out the docs on Gemini 2.5 Pro in Copilot.

Learn more about the models available in Copilot in our documentation on models and get started with Copilot today.

See more

Removing hardcoded secrets detection from CodeQL

Starting May 30, 2025, CodeQL will no longer generate code scanning alerts for hardcoded secrets. Instead, we recommend using secret scanning to detect hardcoded secrets in your repositories, which has greater precision and recall than CodeQL. Secret scanning is a feature of GitHub Secret Protection.

Learn more about secret scanning, which scans your repositories for over 300 hardcoded secrets and uses Copilot to detect generic passwords. By using this detection instead of CodeQL, all your alerts for hardcoded secrets can be managed in one place.

What’s changing?

We’re disabling CodeQL detection of hardcoded secrets on May 30, 2025. This aligns with the release of CodeQL 2.21.4. We’ll post a follow-up notice to the GitHub changelog when this is complete. Once these checks are disabled, the next time your repository is analyzed using CodeQL, any code scanning alerts for hardcoded secrets will close. These alerts will stay in your historical security alert backlog.

These changes will also be included with GHES 3.18.

The following CodeQL queries will be disabled:

  • js/hardcoded-credentials
  • swift/hardcoded-key
  • swift/constant-password
  • cs/password-in-configuration
  • cs/hardcoded-credentials
  • js/password-in-configuration-file
  • py/hardcoded-credentials
  • go/hardcoded-credentials
  • rb/hardcoded-credentials
  • cs/hardcoded-connection-string-credentials
  • java/password-in-configuration

Why are we doing this?

The hardcoded secrets queries in CodeQL are redundant to the capabilities of secret scanning, which can result in duplicate alerts for the same secret. This creates unnecessary effort spent on manual deduplication of secret scanning and code scanning alerts. Secret scanning has superior accuracy and recall for detecting hardcoded secrets and provides additional metadata that’s helpful for remediation.

How do I get started?

Check out this introduction to getting started with GitHub Secret Protection:

Watch this video to learn more about deploying and managing Secret Protection at scale:

See more

GitHub Actions: macOS 15 and Windows 2025 images are now generally available

macOS 15 and Windows 2025 images are now generally available for all GitHub-hosted runners. You can use these images in your workflows on GitHub-hosted standard or larger runners.

Get started today

To use macOS 15 directly, update runs-on: in your workflow file to macos-15, macos-15-xlarge, or macos-15-large.

jobs:
  build:
    runs-on: macos-15
    steps:
      - uses: actions/checkout@v4
      - name: Build
        run: swift build
      - name: Run tests
        run: swift test

To use Windows 2025, you can target the image directly on standard runners using runs-on: windows-2025. For larger runners, create a runner and select Windows Server 2025 in the Images UI console.

The latest tag will migrate to these images later in the year.

Need support?

Keep in mind that the new runner images have different tools and tool versions than previous versions. To view the full list of software or report issues with your workflows when using the images, visit the runner-images repository.

See more

Copilot Chat now supports pasting GitHub URLs as explicit references

An illustration of a GitHub issue link with a purple and blue background. A URL is displayed in a browser bar at the top, with a dark notification box shows below it, all next to the Copilot logo.

Issues, discussions, and pull requests – these are all important pieces of context when building in GitHub. Now, you can reference these within Copilot Chat. Simply paste a link into the chat and Copilot will do the rest!

How it helps you

  • 📂 Multi-repository support: want to compare a pull request from one project with a discussion from another? No problem!
  • 🏷️ Intuitive navigation: maybe you pasted a link, got up to make a coffee, and forgot what you were doing. With chips in the chat context, you don’t need to worry – it will always be clear what you’ve added.
  • ⌨️ Context-building at your fingertips: let Copilot support you and integrate your work by focusing on the specific problems you want to address.

We like to think that GitHub files and Copilot are both great, and they’re even better when they come together. The power of Copilot and the fountain of knowledge in your repositories will collectively help you do amazing things. We know it.

💬 Let us know what you think using the in-product feedback option or pop it into the GitHub Community at any time.

See more

GitHub Actions hosted runner fleet now includes 96 vCPU larger runner

GitHub Actions 96 vCPU larger runners are now generally available. Customers in need of bigger, more powerful machines to run their workloads can use this runner to reduce runtime on their longer GitHub Actions builds.

This runner is an x64 machine and you can use any of our existing GitHub-owned Linux and Windows images on these runners. Our entire advanced feature set works with the new runner: static IPs, network configurations, autoscaling, and runner groups.

What are the machine specs?

  • vCPU: 96
  • RAM: 384 GB
  • SSD: 2040 GiB

Get started today

To get started, create a new, larger runner and choose the 96-core option in the Size console in the UI. Learn more about how to set up larger runners in our documentation. For pricing information on these larger runners see the billing for GitHub Actions page.

See more

Dependabot version updates now support Helm

Developers can now use Dependabot to automatically keep their Helm dependencies up to date. For projects that use Helm as a package manager, Dependabot version updates can now ensure dependencies stay current with the latest releases.

See more

Evolving GitHub Issues and Projects

Announcement of the new issues experience with a screenshot

We continue to improve how teams can plan, track, and manage their work on GitHub. Following our public preview in January, we’re thrilled to announce the general availability of sub-issues, issue types, advanced search, and increased item limits in GitHub Projects 🎉. Here’s a detailed look at how these new capabilities can help transform your workflow.

🏗️ Bring structure to your issues with issue types

Imagine your team is beginning a new feature. The first step is to create a new issue and assign it a Feature issue type to designate it as a larger piece of work.

Consistency is key when managing multiple repositories within an organization. Issue types provide a standardized way to classify and manage your issues. With a shared language across all repositories, you can quickly gauge the progress of your bug backlog, identify high-level initiatives, and understand the breakdown of work in any project. Imagine you’re viewing the index page of a repository, and all issues are clearly categorized by type. Or you’re using project insights, and it’s easy to understand the type of work your team’s been spending their time on. This clarity makes it easier to prioritize tasks and effectively allocate effort.

Want to implement issue types in your organization? Learn more about issue types.

🔨 Break it down with sub-issues

Once you’ve created your feature issue, it’s time to break it down into smaller, manageable pieces of work using sub-issues. This lets you traverse the hierarchy of issues, helping you track progress and understand the remaining work at a glance.

Sub-issues provide a nested structure that integrates seamlessly with your projects, giving you a visual representation of progress. Whether you’re coordinating a team or working solo, sub-issues ensure nothing falls through the cracks.

Curious to see how sub-issues can help streamline your workflow? Learn more about sub-issues.

As work progresses, finding the exact issues you need can be simplified with advanced search.

Using AND, OR, and parentheses for nested searches, you can build complex filters to pinpoint the exact set of issues you’re looking for from the repository or the global issues dashboard. For example, you can search for issues related to your feature with the query is:issue type:Bug OR type:Feature. This helps you quickly and efficiently find the next issue to pick up.

Ready to refine your searches? Learn more about advanced search.

📈 Expanding project limits

All your issues can also be laid out in a GitHub Project. We’ve listened to your feedback that you want space for more issues in your projects, so we’ve expanded the limits from 1,200 to a huge 50,000 items per project! 🎉

With today’s general availability announcement, we’ll be removing the opt-out option in the coming weeks. Moving forward, we’ll also make increased limits your default mode.

✨ Enhancements to the GitHub Issues UI

We’ve also updated the GitHub Issues UI to make it faster and more intuitive. These updates are designed to enhance your experience without introducing new patterns that could slow you down. Some key improvements include:

  • A new filter bar with autocomplete and syntax highlighting on the repository and issues dashboard pages.
  • A create more option for faster issue creation, allowing you to quickly return to the creation screen.
  • An alphabetical ordering of issue forms and templates based on file name, helping you find and set the right order.
  • A copy link button for easily sharing the URL of an issue.
  • An increased load more event count from 50 to 150 on long issues.

👀 Your feedback matters

We value your thoughts and feedback. Join the conversation to share your experiences and suggestions.

Explore how GitHub Issues and Projects can enhance your project planning, check out our roadmap, and dive deeper into the features in our documentation.

Thank you for being a part of our journey to improve GitHub Issues and Projects. We can’t wait to see what you build next! 🎉

See more

Push rule delegated bypass and custom property regex support are generally available and repository policy delegated bypass is in preview

Push rules are great for maintaining the integrity of your codebase by preventing unauthorized changes to critical files such as actions workflows. However, they can sometimes slow down the development process. With delegated bypass, developers can easily request exceptions to these push rules. This process is reviewed and audited within GitHub, helping to ensure that every exception is properly documented and approved.

We are also bringing a preview of the delegated bypass flow to repository policies. This provides additional reviews when deleting repositories as well as visibility changes to prevent accidents and help ensure good governance.

Finally we’re also introducing regex support for custom properties.

Push rule delegated bypass

Unlock efficiency with our push rule delegated bypass. Now, developers can:

  • Request push rule exceptions directly within GitHub.
  • Ensure every request is reviewed and audited for maximum transparency.
  • Receive notifications via email for real-time updates on approval status.

Learn more about push rule delegated bypass in the documentation.

Repository policy delegated bypass in preview

Extend the delegated bypass functionality to your repository policies. This feature is designed to:

  • Offer additional reviews for critical actions such as deleting repositories or changing visibility settings.
  • Prevent accidental changes that could compromise your project.
  • Submit bypass requests directly from the repository’s danger zone.

Learn more about repository policy delegated bypass in the documentation.

Custom properties regular expression matching

When using Text types for custom properties you can require new values to match a regular expression pattern, like an email address.

  • Test your regex pattern against sample values from the new property creation screen.
  • Supports the RE2 syntax, for more information see the syntax guide.

Join the discussion and share your feedback, questions, and thoughts within our GitHub Community discussion.

See more

DeepSeek-V3-0324 is now generally available in GitHub Models

DeepSeek-V3-0324 release on GitHub Models

DeepSeek-V3-0324 is now available on GitHub Models.

DeepSeek-V3-0324 is a 671B parameter Mixture-of-Experts (MoE) model that builds notable updates on top of its predecessor, DeepSeek-V3. These include enhanced reasoning capabilities and improved function calling accuracy. This model also excels in Chinese writing proficiency and includes advanced search capabilities for Chinese.

Note: DeepSeek-V3 will be deprecated on Friday, April 11th, 2025. We recommend transitioning to DeepSeek-V3-0324 to take full advantage of its enhanced features.

Try, compare, and implement this model in your code for free in the playground or through the GitHub API. Compare it to other models using side-by-side comparisons in GitHub Models.

To learn more about GitHub Models, check out the docs. You can also join our community discussions.

See more

Reload responses with other Copilot models on github.com

Image of Copilot next to a model selection menu

The immersive mode of Copilot Chat now gives you more choices when reloading your responses.

What’s new?

You can now easily regenerate Copilot responses using a different model. Simply click the retry button underneath Copilot’s response. Copilot will process the same prompt by your chosen model while maintaining all previous conversation context. You can also view previous responses and compare model output.

How it helps you

  • 🧩 Stuck on a complex problem? Switch to a more powerful model for deeper reasoning.
  • Need a quick response? Reload with a faster model when speed matters.
  • 💻 Working with code? Switch to a model optimized for programming.
  • 🎨 Fine-tuning creative work? Try different models to explore alternative approaches.

This feature is perfect for when you need a different perspective or more specialized capabilities. Seamlessly blend the strengths of various models into a single conversation. Enjoy more intelligence, more flexibility, and more control – all while staying in the flow.

💬 Let us know what you think using the in-product feedback option or pop it into the GitHub Community at any time.

See more

Security campaigns are now generally available to help address security debt at scale

Security campaigns are now generally available

Security campaigns with Copilot Autofix are now generally available. As part of GitHub Code Security, you can use security campaigns to prioritize and rapidly reduce your backlog of application security debt. Copilot Autofix generates contextual explanations and fixes for historical code scanning alerts in a security campaign, which help developers and security teams collaborate to fix vulnerabilities with speed and confidence.

With the help of GitHub’s CodeQL and Copilot Autofix, it has never been easier to prevent new vulnerabilities from being added to your code. However, if you don’t address vulnerabilities discovered in already-merged code, security debt can build up and pose a serious risk to deployed applications.

A security campaign on GitHub can contain a large number of code scanning alerts, prioritized by your security team to be fixed within a chosen timeframe. When a campaign is created, Copilot Autofix automatically suggests fixes, and developers who are most familiar with the code are notified. From there, they can review the fixes, open pull requests, and remediate security debt. Security teams can monitor the progress of the campaign and track the number of fixed alerts. Using security campaigns, security and developer teams work together with Copilot Autofix to remove security debt in targeted efforts aimed at maximizing impact by focusing on the alerts that matter.

Starting today, you can also access these new features to plan and manage security campaigns more effectively:

  • Draft security campaigns: Security managers can now iterate on the scope of campaigns and save them as draft campaigns before making them available to developers. With draft campaigns, security managers can ensure that the highest priority alerts are included before the work goes live.
  • Automated GitHub issues: Security managers can optionally create GitHub issues in repositories that have alerts included in the campaign. These issues are created and automatically updated as the campaign progresses and can be used by teams to track, manage, and discuss campaign-related work.
  • Organization-level security campaign statistics: Security managers can now view aggregated statistics showing the progress across all currently-active and past campaigns.

Security campaigns are available for users of GitHub Code Security on GitHub Enterprise Cloud. For more information about security campaigns, see About security campaigns in the GitHub documentation.

If you have any feedback on security campaigns, join the discussion in GitHub Community.

See more
View more changes