releases.shpreview
GitHub

GitHub

github.comDeveloper Tools
$npx @buildinternet/releases get github

Copilot app usage metrics join API

This release1 featureNew capabilitiesAI-tallied from the release notes

The Copilot usage metrics API now reports GitHub Copilot app activity in enterprise and organization 1-day and 28-day reports, including daily active users, session count, request count, and token usage breakdown.

Read more →

Firewall, setup steps, head-branch instructions for Copilot review

Breaking (minor)This release4 featuresNew capabilitiesAI-tallied from the release notes

Copilot code review now runs behind a configurable firewall by default, reads custom instructions from the head branch of pull requests, and supports custom setup steps via a dedicated copilot-code-review.yml workflow. Also added support for REVIEW.md, GEMINI.md, and CLAUDE.md files, and split organization runner configurations from Copilot cloud agent.

Read more →

Projects filter bar now supports AND/OR

Breaking (minor)This release3 featuresNew capabilitiesAI-tallied from the release notes

GitHub Projects views now support logical AND and OR operators in the filter bar. Pull request items can be filtered by review state using reviews: search filter, and a new 90-day retention policy for deployment statuses is in effect.

Read more →

Copilot on Windows fixed; worktree repos no longer appear missing

This release1 enhancementImprovements to existing features8 fixesBug fixesAI-tallied from the release notes
GitHub Desktop · release-3.6.3

Fixed a Copilot error on Windows, a crash from infinite re-render loop on truncated repo paths, and a worktree bug where repos appeared missing after deleting the linked worktree folder. Also fixed commit message autocomplete, Copilot sessions leaking into VS Code, and repository list scroll jitter.

Read more →

Xcode 27 runner image now in public preview

This release1 featureNew capabilitiesAI-tallied from the release notes

GitHub-hosted macOS runners now support Xcode 27 in public preview, with a new support model where each image is based on a major Xcode version rather than the underlying OS. Only available on arm64 runners; not supported on Intel.

Read more →

VolcEngine keys blocked by default push protection; Resend partnership added

Breaking (minor)This release3 featuresNew capabilities2 enhancementsImprovements to existing featuresAI-tallied from the release notes

Secret scanning now blocks VolcEngine secrets by default with push protection and adds Resend as a secret scanning partner alongside new APIclub and Resend detector types. The secret_scanning_alert webhook now includes a secret_category field, and the public monitoring alert list surfaces insight cards with attribution breakdowns.

Read more →

Copilot usage tracking, MCP trust validation, C++ modernization agent GA

This release4 featuresNew capabilities2 enhancementsImprovements to existing featuresAI-tallied from the release notes

Copilot usage tracking with real-time updates and proactive alerts is now available in Visual Studio, along with trust validation for MCP servers that detects configuration changes at startup. The C++ modernization agent reaches general availability, and next edit suggestions can now propose changes anywhere in the active file.

Read more →

BYOK custom endpoints; plugin management; Claude agent customizations

This release5 featuresNew capabilities1 enhancementImprovements to existing featuresAI-tallied from the release notes

Custom endpoints with API keys are now supported for BYOK, plugin management for customizations is available through the marketplace or source repository, and Claude agent provider customizations are in public preview. Also added local sandboxing, a built-in debugger skill for Copilot CLI, and message re-edit support.

Read more →

AI security detections now appear on PRs

This release1 featureNew capabilitiesAI-tallied from the release notes

GitHub code scanning now surfaces AI-powered security detections directly on pull requests, expanding vulnerability coverage to languages and frameworks beyond those supported by CodeQL. Findings appear labeled with AI, require a GitHub Copilot license, and draw down AI credits during public preview.

Read more →

Version updates now wait 3 days before opening PRs

BreakingThis release1 featureNew capabilitiesAI-tallied from the release notes

Dependabot now waits three days after a new release appears on its registry before opening a version update pull request, protecting against supply chain attacks. Security updates are exempt and still open immediately. Admins can set a different window or opt out entirely via the cooldown option in dependabot.yml.

Read more →

Security review slash command ships in Copilot app

This release1 featureNew capabilitiesAI-tallied from the release notes

The /security-review slash command, now in public preview in the GitHub Copilot app, scans in-flight code changes for vulnerabilities like injection flaws, XSS, and insecure data handling. It returns scored findings and actionable suggestions without leaving the editor, available to all Copilot users during preview.

Read more →

Kotlin 2.4.0 support; JS/TS system prompt injection query

This release4 featuresNew capabilities5 enhancementsImprovements to existing featuresAI-tallied from the release notes
GitHub Changelog · v2.26.0

CodeQL now supports Kotlin up to 2.4.0 and introduces a JavaScript/TypeScript query for system prompt injection targeting untrusted values flowing into AI model system prompts. Also adds Razor page handler parameters as remote flow sources for C# security queries, models for Go log/slog, and prompt injection sinks for additional OpenAI, Anthropic, and Google GenAI SDK APIs.

Read more →

Secret scanning detector types renamed for clarity

This release2 enhancementsImprovements to existing featuresAI-tallied from the release notes

Non-provider patterns are now called generic patterns, and Copilot secret scanning is now AI-detected secrets. Detection behavior is unchanged; all existing documentation links, webhook events, and REST API endpoints continue to work.

Read more →