So many features, so little time

One of the things that constantly amazes me about GitHub is just how much stuff they release. Now I know that GitHub has many engineers and different product areas to work on, but last week they announced 13 changes. And they didn’t release anything on Monday!
Looking at this with my engineer hat on, GitHub gives us a great view of what “ship, then iterate” looks like. They tend to release public betas of new features to get feedback from actual system users and eventually promote them to GA, or Generally Available. A lot of their changes are also minor changes.
I remain fascinated with their work on improving 2FA as they move to require it for anyone who contributes code. I remember working at a company with quarterly releases where we would batch together 3-4 months’ worth of changes from devs and release them all at once. This release cadence was jarring for the user and also prone to bugs. Instead, GitHub is releasing a bunch of small stand-alone features as they are ready. This approach gives them faster feedback on each feature, makes the whole rollback process a lot easier, and makes it easier for most users to adapt to the changes.

But enough talk about their engineering process; let’s look at those 13 changes.

Dependabot just got even easier to enable across your enterprise. Enterprises exist as an entity over multiple organizations. A pattern I’ve seen some companies follow is to have one organization dedicated to their open source/public repositories and another to their closed source/private repos. This segregation offers a ton of value and peace of mind. Previously you could enable Dependabot at the repo and organization level, but being able to do this at the enterprise level is nice, especially if you ever roll out a new organization.

Secret Scanning is now generally available on all public repos. You can also enable this for all your public repos from your account’s code security and analysis settings. This functionality already existed for organizations, but seeing this as an easy feature for individuals is terrific.

The GitHub profile now allows you to specify your pronouns. When you hover over a user’s profile picture and sometimes their name, you see their profile details which now include their pronouns if they specified them.

As a paid team or enterprise, you can now enroll in a public beta for access to a 12-core x64 macOS runner for GitHub Actions. At the moment, the per-minute runner costs are:

  • $0.32 per minute for the 12-core macOS
  • $0.08 for a 3-core macOS
  • $0.256 for a 64-core Linux
  • $0.512 for a 64-core Windows

GitHub Actions Importer is now Generally Available. The importer is an extension for the GitHub CLI. It supports importing workflows from:

  • Azure DevOps
  • CircleCI
  • GitLab
  • Jenkins
  • Travis CI

Initially, I was intrigued by the ability to create extensions for gh, but this is the first one I’ve seen that looks truly useful. I hope we start seeing more extensions like this from the community and GitHub. In fact, GitHub released another extension for gh this week, but I’ll get to that in a moment.

You can now try rich diffs for Jupyter Notebooks in PRs. You can enable this under Feature preview, one of the few places you can’t deep link to in GitHub. This feature is another excellent example of how GitHub ships then iterates. There was a private beta for this feature; if you were part of it, you might need to re-enable it. Also, it does not allow you to make comments in the rich preview for the moment. I know that in the past, many places I’ve worked would have held back a feature until it was “perfect,” but this way, GitHub is getting it out faster to those who care about it.

GitHub admins can now bypass environment protection rules in GitHub Actions. It is possible to disable this, but by default, admins can skip those rules. This bypass is for a break-glass scenario when the normal approver is unavailable. I was initially skeptical about this, but then I realized I had previously added the admin group to environments to create this very option. I haven’t looked at the audit logs, but I’m betting this will make it easier to check when an admin bypassed the standard process rather than my current strategy, which looks like a normal approval.

The Projects team seems to take a slightly different approach from the other teams and gives weekly updates on what they release. It is great to see an example of a company providing a team the autonomy to do what works for them rather than trying to force every team into the same pattern. The new GitHub Projects has more improvements. Also, continuing the theme of extensions to the GitHub CLI, Projects now has an extension.

I’m sure at some point, you’ve heard someone go on a moralistic rant about the importance of accessibility in what we create. GitHub is walking the talk and has made many accessibility improvements to the contribution graph. It is now keyboard navigable and more screen reader friendly.

The 2FA improvements keep coming. You can now enable both SMS and TOTP as a second factor at the same time. This has removed SMS as a fallback method since it is now a first-class second factor.

GitHub Desktop got some love, and you can now preview PRs. I’ve been using GitKraken for years, but I’ll give GitHub Desktop another try.

And last but not least, there were some changes to GitHub Advanced Security. You can now control code scanning for all repos in an organization from the Security Coverage page. This is a public beta, and currently it only supports JavaScript, Python, and Ruby, but more languages will come. Also, notifications for secret scanning are moving to an opt-in model; you’ll need to make changes before March 16th if you wish to continue receiving notifications.

There was certainly a lot of stuff released last week by GitHub. What feature are you most excited about?