Last week there was an announcement of false alerts flagged in security logs, a prolonged outage, sunset announcements, and a few other updates that mainly impact folks using GitHub Issues, using Advanced Security, or managing enterprise organizations.
Along with all that, Git released 2.39.1 to address a couple of CVEs. The best thing to do is update your version of Git, but if you can’t, GitHub offers some remediation steps until you can upgrade.
GitHub also announced that some audit logs for branch protection rules were flagged as false alerts. The window for false alerts was between January 6th and 11th, and the logs were for protected_branch.policy_override and protected_branch.rejected_ref_update entries. Flagging the logs is an elegant solution to a problem around audit logs. GitHub never deletes audit logs but sometimes writes incorrect logs.
There was also a widespread outage on Thursday, January 19th, that lasted about 5 hours. I felt the impact of that outage as it impacted general Git operations and Actions. What frustrated me about this outage was less the breadth of the outage or the length of it, but rather GitHub posting the same status three times. I have a lot of empathy for the folks who worked this incident, and I know how much this is Monday morning quarterbacking, but seriously, change up the status update.
I look forward to reading about this incident next month when GitHub releases its availability report.
Did you know that GitHub supported SVN endpoints? I did not, but don’t start using them now since GitHub will remove SVN support on January 8th, 2024. Feature debt is real, and I am always excited to hear about companies that decide to sunset a product, except Google. I’m still bitter about Google Reader. GitHub says that less than 0.02% of requests to their Git backend came through the SVN endpoints. I don’t know how much effort went into maintaining SVN support, but take note of this approach. GitHub used data to determine how much a feature was being used and reached out to those who used it to find out what they needed to switch. Removing SVN support was a far longer road than we can see from the outside, but it resulted in new features to help those last few folks migrate all the way to Git.
GitHub also deprecated CodeQL Action v1. They aren’t deleting the action, but I suspect if there is any security vulnerability found for that version, they will. One of the coolest parts of this announcement was that Dependabot could upgrade the workflows to v2 for you. If you haven’t checked out using Dependabot to update your dependencies on a schedule, it’s worth checking out.
Which announcement from GitHub caught your eye this week?