The fine folks at GitHub are back from their holiday break, and they want you to know about it. Last week they released 11 updates to their system, and I suspect one or two of them will catch your eye. Actions had three updates, Advanced Security had two, along with updates to Dependabot, 2FA, Mobile, Issues, Packages, and a feature for enterprise orgs.
Five updates caught my eye, two of which have been on my wishlist for a while.
No Code CodeQL Scanning Config
The first update that caught my eye is a no-code setup for CodeQL scanning of repos that can use GitHub Advanced Security. Currently, the no-code setup works for repos using JavaScript/TypeScript, Python, and Ruby. They say more language support is on the way, too, so don’t worry if those aren’t the languages you use.
If you have a public repo, this is free, and you should turn this on and start checking out the scan results. If you have a private repo, this functionality is only available as an add-on if you are an enterprise org. Also, GitHub Advanced Security costs “call for pricing.”
2FA validation after setup
Next up is Second-factor validation after 2FA setup. 2023 will be the year of 2FA at GitHub: “GitHub will require all users who contribute code on GitHub.com to enable one or more forms of two-factor authentication (2FA) by the end of 2023.” I think we can all learn a lot from how they handle and change 2FA over the next year. Checking in with folks a few weeks after they enable 2FA, while they still have access to the account, and making sure they can still use the 2FA method they selected will probably reduce the number of account lockouts and eventual support tickets.
Dependabot pause if not used for 90 days
Moving on to a change to Dependabot. Dependabot is a great tool available to public and private repos and will help you keep your dependencies up to date or alert you to vulnerabilities in your dependencies, if you let it. Unfortunately, updating dependencies in projects is often feared and put off. Dependabot will now pause after 90 days of not interacting with it. I suspect that many of the PRs opened by Dependabot were not being used, and GitHub is trying to reduce the cost of running Dependabot in places where it wasn’t getting used.
The next two features have been on my wishlist for a while.
Variables in GitHub Actions
GitHub made it easy to store secrets for your actions at a repository or organization level, which is a critical step to keeping things like passwords and tokens out of plain text in repos. Unfortunately, there was no good way to store less sensitive information like a username or an S3 bucket name. Now GitHub supports variables for Actions as a public beta. The section for managing variables is in a tab next to where you edit secrets. If you didn’t see it at first, don’t worry, it took me a few minutes to find it.

Organization-wide Required workflows
Finally, we come to the feature I have longed for ever since my company moved over to GitHub, organization-wide required workflows. It is a public beta, but I can’t wait to use it. The first workflow I will require across multiple repos ensures the team checks all checkboxes on a PR before merging. Also, if anyone from GitHub is reading this, I would love that as an improvement to PRs. Over the past year, there have been a few workflows that I have wanted to add to the repos for the team at work, but I would need to add them in dozens of repos, and that was never going to happen. Are there any workflows you will require across any or all repos?
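As an added illustration of the two features above (this is constructed example code, not from the original post or from GitHub), here is what a required workflow that blocks merging while a PR description still has unchecked task boxes could look like, using an Actions variable for the one non-secret setting it needs. It assumes the file is registered as a required workflow in the organization settings, and the variable name PR_CHECKLIST_DOCS_URL is hypothetical.

```yaml
# Constructed example workflow (not from the original post or GitHub's docs).
# Intended to live in one repository and be registered in the organization's
# required workflows settings (assumed), so it runs on pull requests in every
# repository the organization selects.
name: PR checklist complete

on:
  pull_request:
    # "edited" is included so ticking a box in the description re-runs the check.
    types: [opened, edited, synchronize, reopened]

jobs:
  checklist:
    runs-on: ubuntu-latest
    # The PR body is handed to the script through an environment variable rather
    # than interpolated into the run: block, so Markdown or shell metacharacters
    # in the description cannot change the commands that execute.
    env:
      PR_BODY: ${{ github.event.pull_request.body }}
      # Non-secret configuration comes from an Actions variable (hypothetical
      # name); passwords and tokens would still belong in secrets.*, not vars.*.
      CHECKLIST_DOCS_URL: ${{ vars.PR_CHECKLIST_DOCS_URL }}
    steps:
      - name: Fail if any task-list item is still unchecked
        run: |
          # Count Markdown task items that are not ticked: "- [ ]" or "* [ ]".
          # grep -c exits 1 when nothing matches, so "|| true" keeps the step alive.
          unchecked=$(printf '%s\n' "$PR_BODY" | grep -Ec '^[[:space:]]*[-*] \[ \]' || true)
          if [ "$unchecked" -gt 0 ]; then
            echo "::error::$unchecked checklist item(s) are still unchecked. See ${CHECKLIST_DOCS_URL:-the team checklist}."
            exit 1
          fi
          echo "All checklist items are checked."
```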
There were a lot of other items GitHub released last week, but those are five that caught my attention. I hope you found this list helpful, and if there are more features from GitHub you’d like to learn more about, let me know in the comments.