--- name: GitHub Changelog slug: github-changelog type: feed source_url: https://github.blog/changelog/ organization: GitHub organization_slug: github total_releases: 33 latest_date: 2026-04-17 last_updated: 2026-04-18 tracking_since: 2026-04-08 canonical: https://releases.sh/github/github-changelog organization_url: https://releases.sh/github ---

GitHub shipped broad investments across security workflows, Copilot integrations, and developer experience. Security took center stage with new Code Security risk assessments for organizations, contextual Copilot assistance directly in assessment results, and expanded secret scanning APIs to support delegated workflows. Beyond security, the platform deepened Copilot's reach—the cloud agent graduated from pull request work to research and coding tasks on Mobile, while new merge metrics landed in the usage API. Moderation and navigation received polish too: a Low Quality comment classification option, sortable notifications, and release information now accessible from issue sidebars.

## GitHub Copilot CLI now supports Copilot auto model selection [Copilot auto model selection](https://docs.github.com/copilot/concepts/auto-model-selection) is now generally available in GitHub Copilot CLI for all Copilot plans. With auto, Copilot chooses the most efficient model on your behalf. ## How it works Auto is dynamic, giving you reliable access to your favorite models while mitigating rate limits. It routes to models like GPT-5.4, GPT-5.3-Codex, Sonnet 4.6, and Haiku 4.5 based on your plan and policies. The models auto will route to will change over time. - **Transparency**: See which model was used directly in the Copilot CLI. - **Stay in control**: Switch between auto and any specific model at any time. - **Respects your policies**: Auto honors all administrator model settings. ## Premium request use Premium request use for auto is billed based on the model it selects, which is currently limited to [models with 0x to 1x multipliers](https://docs.github.com/copilot/concepts/billing/copilot-requests#model-multipliers) like those listed above. All paid subscribers get a 10% discount on the model multiplier when using auto. For example, when auto uses a model that has a 1x multiplier, you’ll draw down 0.9 premium requests instead of 1. Join the discussion within [GitHub Community](https://github.com/orgs/community/discussions/categories/announcements). The post [GitHub Copilot CLI now supports Copilot auto model selection](https://github.blog/changelog/2026-04-17-github-copilot-cli-now-supports-copilot-auto-model-selection) appeared first on [The GitHub Blog](https://github.blog). ## Manage agent skills with GitHub CLI Agent skills are reshaping how developers work with AI coding agents. Today we’re launching `gh skill`, a new command in the GitHub CLI that makes it easy to discover, install, manage, and publish agent skills from GitHub repositories. ### What are agent skills? Agent skills are portable sets of instructions, scripts, and resources that teach AI agents how to perform specific tasks. They follow the open [Agent Skills specification](https://agentskills.io), and work across multiple agent hosts including GitHub Copilot, Claude Code, Cursor, Codex, and Gemini CLI among others. With the new `gh skill` command, you can now install agent skills in a single command, right from the GitHub CLI. ### Get started Update the GitHub CLI to version v2.90.0 or later. Then discover and install skills interactively: ``` # Browse skills in a repository and install them interactively gh skill install github/awesome-copilot # Or install a specific skill directly gh skill install github/awesome-copilot documentation-writer # Install a specific version using @tag gh skill install github/awesome-copilot documentation-writer@v1.2.0 # Install at a specific commit SHA gh skill install github/awesome-copilot documentation-writer@abc123def # Discover skills gh skill search mcp-apps ``` Skills are automatically installed to the correct directory for your agent host. You can target a specific agent and scope with flags: ``` gh skill install github/awesome-copilot documentation-writer --agent claude-code --scope user ``` ### Version pinning and supply chain integrity Agent skills are executable instructions that shape how AI agents behave. A skill that changes silently between installs is a supply chain risk. `gh skill` brings the same guarantees you expect from package managers to the skills ecosystem, using primitives GitHub already provides. - **Tags and releases:** Every published release is tied to a git tag. `gh skill publish` offers to enable [immutable releases](https://docs.github.com/repositories/releasing-projects-on-github/about-releases), so release content cannot be altered after publication, even by admins. - **Content-addressed change detection:** Each installed skill records the git tree SHA of its source directory. `gh skill update` compares local SHAs against the remote to detect real content changes, not just version bumps. By storing this information in skills [front-matter](https://agentskills.io/specification#frontmatter), versioning and pinning are portable too, so you (or your agent) can copy and paste the skill to different projects without losing the ability to track changes and update it. - **Version pinning:** Lock a skill to a specific tag or commit SHA with `--pin`. Pinned skills are skipped during updates, so you upgrade deliberately, not accidentally. - **Portable provenance via frontmatter:** When `gh skill` installs a skill, it writes tracking metadata (repository, ref, tree SHA) directly into the `SKILL.md` frontmatter. Because provenance data lives inside the skill file itself, it travels with the skill no matter where it ends up. Skills get moved, copied, and reorganized by users, agents, and scripts. ``` # Pin to a release tag gh skill install github/awesome-copilot documentation-writer --pin v1.2.0 # Pin to a commit for maximum reproducibility gh skill install github/awesome-copilot documentation-writer --pin abc123def ``` ### Publish your own skills If you maintain a skills repository, `gh skill publish` validates your skills against the [agentskills.io spec](https://agentskills.io/specification) and checks remote settings like tag protection, secret scanning, and code scanning. These settings are not required, but strongly recommended to improve the supply chain security of your repo. Enabling immutable releases, for example, means even if someone gets control of your repository they cannot change existing releases, so users installing via tag pinning are fully protected. The `publish` command makes it trivial to enable these features. ``` # Validate all skills gh skill publish # Auto-fix metadata issues gh skill publish --fix ``` ## Keep skills up to date `gh skill update` scans all known agent host directories, reads provenance metadata from each installed skill, and checks for upstream changes: ``` # Check for updates interactively gh skill update # Update a specific skill gh skill update git-commit # Update everything without prompting gh skill update --all ``` ## Supported agent hosts Host Install command example GitHub Copilot `gh skill install OWNER/REPOSITORY SKILL` Claude Code `gh skill install OWNER/REPOSITORY SKILL --agent claude-code` Cursor `gh skill install OWNER/REPOSITORY SKILL --agent cursor` Codex `gh skill install OWNER/REPOSITORY SKILL --agent codex` Gemini CLI `gh skill install OWNER/REPOSITORY SKILL --agent gemini` Antigravity `gh skill install OWNER/REPOSITORY SKILL --agent antigravity` ### Learn more - Check out the [Agent Skills specification](https://agentskills.io). - Join the discussion in [GitHub Community](https://github.com/orgs/community/discussions). `gh skill` is launching in public preview and it’s subject to change without notice. Skills are installed at your own discretion. They are not verified by GitHub and may contain prompt injections, hidden instructions, or malicious scripts. We strongly recommend inspecting the content of skills before installation, which can be done via the `gh skill preview` command. Join the [GitHub Community](https://github.com/orgs/community/discussions/categories/announcements). The post [Manage agent skills with GitHub CLI](https://github.blog/changelog/2026-04-16-manage-agent-skills-with-github-cli) appeared first on [The GitHub Blog](https://github.blog). ## Rule insights dashboard and unified filter bar ### Rule insights dashboard GitHub repository rulesets are powerful, but it hasn’t been easy to spot trends like spikes in blocked pushes during an incident or patterns in bypass activity without digging through data in the rule insights page. The new **rule insights dashboard** is now available in your repository’s **Settings > Rules** tab. It gives you a visual, high-level view of rule evaluation activity, including: - Successes, failures, and bypasses over time - The most active bypassers for your rulesets ![GitHub Rule Insights Dashboard screenshot showing rule suites performance with charts and counts for allowed, failed, and bypassed evaluations.](https://github.com/user-attachments/assets/9befa788-af48-4a9c-965f-96264697f4de) Each chart links back to the rule insights page with filters prefilled, so you can quickly drill into specific statuses, bypassers, or time ranges. Whether you’re responding to an incident or auditing bypass activity, the dashboard helps you spot trends at a glance and jump to the details when you need them. ### Unified filter bar for alert dismissal and bypass request pages Building on [the filter bar improvements shipped in February](https://github.blog/changelog/2026-02-17-custom-properties-and-rule-insights-improvements/), we’ve replaced custom dropdowns on several alert management pages with the same unified filter bar component. This affects: - GitHub code scanning alert dismissal requests at the enterprise and organization levels. - GitHub Dependabot alert dismissal requests at the enterprise and organization levels. - GitHub secret scanning alert dismissals at the enterprise and organization levels. - GitHub secret scanning push protection bypass requests at the enterprise, organization, and repository levels. You now get a consistent filtering experience, including support for custom properties, across all of these pages. [Learn more about GitHub repository rulesets](https://docs.github.com/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets). These experiences are available in public preview. The post [Rule insights dashboard and unified filter bar](https://github.blog/changelog/2026-04-16-rule-insights-dashboard-and-unified-filter-bar) appeared first on [The GitHub Blog](https://github.blog). ## Claude Opus 4.7 is generally available **Claude Opus 4.7**, Anthropic’s latest Opus model, is now rolling out on GitHub Copilot. In our early testing, Opus 4.7 delivers stronger multi-step task performance and more reliable agentic execution, building on the coding strategy strengths of its predecessor. It also shows meaningful improvement in long-horizon reasoning and complex, tool-dependent workflows. As part of our efforts to improve service reliability, we are streamlining our model offerings. Over the coming weeks, Opus 4.7 will replace Opus 4.5 and Opus 4.6 in the model picker for Copilot Pro+. We’ve seen strong improvements across our benchmarks, and we’re committed to providing individual users with state-of-the-art models while ensuring a fast, reliable Copilot experience. This model is launching with a **7.5× premium request multiplier** as part of promotional pricing until April 30th. [Video](https://github.com/user-attachments/assets/084e2555-c07b-40d5-841e-9afac5ac823f) ### Availability in GitHub Copilot Claude Opus 4.7 will be available to **Copilot Pro+**, **Business**, and **Enterprise** users. You’ll be able to select the model in the model picker in: - Visual Studio Code - Visual Studio - Copilot CLI - GitHub Copilot Coding Agent - github.com - GitHub Mobile IOS and Android - JetBrains - Xcode - Eclipse Rollout will be gradual. Check back soon if you don’t see it yet. ### Enabling access Copilot Enterprise and Copilot Business plan administrators must enable the Claude Opus 4.7 policy in Copilot settings. ### Learn more To explore all models available in GitHub Copilot, see our [documentation on models](https://docs.github.com/copilot/reference/ai-models/supported-models) and get started with Copilot. ### Share your feedback Join the [GitHub Community](https://github.com/orgs/community/discussions/categories/copilot-conversations) to share your feedback. The post [Claude Opus 4.7 is generally available](https://github.blog/changelog/2026-04-16-claude-opus-4-7-is-generally-available) appeared first on [The GitHub Blog](https://github.blog). ## CodeQL 2.25.2 adds Kotlin 2.3.20 support and other updates CodeQL is the static analysis engine behind [GitHub code scanning](https://docs.github.com/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning-with-codeql), which finds and remediates security issues in your code. We’ve recently released [CodeQL 2.25.2](https://codeql.github.com/docs/codeql-overview/codeql-changelog/codeql-cli-2.25.2/), which brings a new Kotlin version update, various accuracy improvements, and a set of security severity score adjustments across multiple languages. ## Language and framework support **Java/Kotlin** - Kotlin versions up to 2.3.20 are now supported for analysis. - The `java/tainted-arithmetic` query no longer flags arithmetic expressions used directly as an operand of a comparison in `if`-condition bounds-checking patterns, reducing false positives. - The `java/potentially-weak-cryptographic-algorithm` query no longer flags Elliptic Curve algorithms, HMAC-based algorithms, or PBKDF2 key derivation as potentially insecure, reducing false positives for this query. **C/C++** - Reduced false positives in the `cpp/suspicious-add-sizeof`, `cpp/wrong-type-format-argument`, and `cpp/integer-multiplication-cast-to-long` queries. ## Query changes **C#** - The `cs/constant-condition` query has been simplified to produce fewer false positives. As a result, the `cs/constant-comparison` query has been removed, since `cs/constant-condition` now covers those results. ## Security severity updates We’ve updated `@security-severity` scores across several languages to better align log injection and XSS queries with their actual impact: - **C/C++**: `cpp/cgi-xss` increased from medium (6.1) to high (7.8). - **C#**: `cs/log-forging` reduced from high (7.8) to medium (6.1); `cs/web/xss` increased from medium (6.1) to high (7.8). - **Go**: `go/log-injection` reduced from high (7.8) to medium (6.1); `go/html-template-escaping-bypass-xss`, `go/reflected-xss`, and `go/stored-xss` increased from medium (6.1) to high (7.8). - **Java/Kotlin**: `java/log-injection` reduced from high (7.8) to medium (6.1); `java/android/webview-addjavascriptinterface`, `java/android/websettings-javascript-enabled`, and `java/xss` increased from medium (6.1) to high (7.8). - **Python**: `py/log-injection` reduced from high (7.8) to medium (6.1); `py/jinja2/autoescape-false` and `py/reflective-xss` increased from medium (6.1) to high (7.8). - **Ruby**: `rb/log-injection` reduced from high (7.8) to medium (6.1); `rb/reflected-xss`, `rb/stored-xss`, and `rb/html-constructed-from-input` increased from medium (6.1) to high (7.8). - **Swift**: `swift/unsafe-webview-fetch` increased from medium (6.1) to high (7.8). - **Rust**: `rust/log-injection` increased from low (2.6) to medium (6.1); `rust/xss` increased from medium (6.1) to high (7.8). For a full list of changes, please refer to the complete [changelog for version 2.25.2](https://codeql.github.com/docs/codeql-overview/codeql-changelog/codeql-cli-2.25.2/). Every new version of CodeQL is automatically deployed to users of GitHub code scanning on github.com. The new functionality in CodeQL 2.25.2 will also be included in a future GitHub Enterprise Server (GHES) release. If you use an older version of GHES, you can [manually upgrade your CodeQL version](https://docs.github.com/enterprise-server@3.20/admin/managing-code-security/managing-github-advanced-security-for-your-enterprise/configuring-code-scanning-for-your-appliance#configuring-codeql-analysis-on-a-server-without-internet-access). The post [CodeQL 2.25.2 adds Kotlin 2.3.20 support and other updates](https://github.blog/changelog/2026-04-15-codeql-2-25-2-adds-kotlin-2-3-20-support-and-other-updates) appeared first on [The GitHub Blog](https://github.blog). ## Enable Copilot cloud agent via custom properties You can now selectively enable GitHub Copilot cloud agent (CCA) access on a per-organization basis. Previously, enterprise admins and AI managers could only enable the agent everywhere, disable it everywhere,… The post [Enable Copilot cloud agent via custom properties](https://github.blog/changelog/2026-04-15-enable-copilot-cloud-agent-via-custom-properties) appeared first on [The GitHub Blog](https://github.blog). ## OIDC support for Dependabot and code scanning Dependabot and code scanning now support OpenID Connect (OIDC) authentication for private registries configured at the organization level, eliminating the need to store long-lived credentials as repository secrets. What’s new… The post [OIDC support for Dependabot and code scanning](https://github.blog/changelog/2026-04-14-oidc-support-for-dependabot-and-code-scanning) appeared first on [The GitHub Blog](https://github.blog). ## Deployment context in repository properties and alerts Artifact and deployment context now appears in two new places: repository properties and security alert pages. Repository properties: deployable and deployed Two new built-in repository properties—deployable and deployed—are now available.… The post [Deployment context in repository properties and alerts](https://github.blog/changelog/2026-04-14-deployment-context-in-repository-properties-and-alerts) appeared first on [The GitHub Blog](https://github.blog). ## Link code scanning alerts to GitHub Issues You can now link code scanning alerts to GitHub Issues, bringing security remediation into your existing planning and tracking workflows. This functionality is in public preview. With this update, you… The post [Link code scanning alerts to GitHub Issues](https://github.blog/changelog/2026-04-14-link-code-scanning-alerts-to-github-issues) appeared first on [The GitHub Blog](https://github.blog). ## Dependabot and code scanning: Org-level private registries It’s now easier to configure Dependabot and code scanning for organizations that rely on multiple internal package feeds. Previously, organization-level settings only allowed a single private registry configuration per ecosystem… The post [Dependabot and code scanning: Org-level private registries](https://github.blog/changelog/2026-04-14-dependabot-and-code-scanning-org-level-private-registries) appeared first on [The GitHub Blog](https://github.blog). ## Secret scanning pattern updates and product improvements This week, we’re rolling out several improvements to our detection coverage, APIs, and workflows. These improvements strengthen our continued investment in the developer experience of our secret scanning features. Built… The post [Secret scanning pattern updates and product improvements](https://github.blog/changelog/2026-04-14-secret-scanning-pattern-updates-and-product-improvements) appeared first on [The GitHub Blog](https://github.blog). ## SBOM exports are now computed asynchronously Software Bill of Materials (SBOM) exports from repository pages and new API endpoints are now asynchronous operations. Previously, navigating to a repository’s dependency graph page and clicking the Export SBOM… The post [SBOM exports are now computed asynchronously](https://github.blog/changelog/2026-04-14-sbom-exports-are-now-computed-asynchronously) appeared first on [The GitHub Blog](https://github.blog). ## Model selection for Claude and Codex agents on github.com Model selection is now available for the Claude and Codex third-party coding agents on github.com. Just like Copilot cloud agent, you can now select a model when kicking off a… The post [Model selection for Claude and Codex agents on github.com](https://github.blog/changelog/2026-04-14-model-selection-for-claude-and-codex-agents-on-github-com) appeared first on [The GitHub Blog](https://github.blog). ## GitHub Code Quality: Improvements to standard findings in public preview We’ve updated the GitHub Code Quality experience to make it easier to navigate and triage findings across your repository. GitHub Code Quality standard findings help you detect potential reliability and… The post [GitHub Code Quality: Improvements to standard findings in public preview](https://github.blog/changelog/2026-04-14-github-code-quality-improvements-to-standard-findings-in-public-preview) appeared first on [The GitHub Blog](https://github.blog). ## Copilot data residency in US + EU and FedRAMP compliance now available GitHub Copilot now supports data residency for US and EU regions, ensuring all inference processing and associated data stay within your designated geography. For US government customers, all model hosts… The post [Copilot data residency in US + EU and FedRAMP compliance now available](https://github.blog/changelog/2026-04-13-copilot-data-residency-in-us-eu-and-fedramp-compliance-now-available) appeared first on [The GitHub Blog](https://github.blog). ## Fix merge conflicts in three clicks with Copilot cloud agent You can now fix merge conflicts in three clicks with the new Fix with Copilot button on github.com, powered by Copilot cloud agent. Click the button, and a comment is… The post [Fix merge conflicts in three clicks with Copilot cloud agent](https://github.blog/changelog/2026-04-13-fix-merge-conflicts-in-three-clicks-with-copilot-cloud-agent) appeared first on [The GitHub Blog](https://github.blog). ## Remote control CLI sessions on web and mobile in public preview The Copilot CLI is no longer a purely local experience. Today we’re launching copilot --remote: With remote capabilities, you can now monitor and steer a running CLI session directly from… The post [Remote control CLI sessions on web and mobile in public preview](https://github.blog/changelog/2026-04-13-remote-control-cli-sessions-on-web-and-mobile-in-public-preview) appeared first on [The GitHub Blog](https://github.blog). ## Enforcing new limits and retiring Opus 4.6 Fast from Copilot Pro+ As GitHub Copilot continues to rapidly grow, we continue to observe an increase in patterns of high concurrency and intense usage. While we understand this can be driven by legitimate… The post [Enforcing new limits and retiring Opus 4.6 Fast from Copilot Pro+](https://github.blog/changelog/2026-04-10-enforcing-new-limits-and-retiring-opus-4-6-fast-from-copilot-pro) appeared first on [The GitHub Blog](https://github.blog). ## Copilot usage metrics now aggregate Copilot cloud agent active user counts Note: We’ve recently renamed Copilot coding agent to Copilot cloud agent. We will be updating our data schema for all existing coding agent fields to reflect this change in the… The post [Copilot usage metrics now aggregate Copilot cloud agent active user counts](https://github.blog/changelog/2026-04-10-copilot-usage-metrics-now-aggregate-copilot-cloud-agent-active-user-counts) appeared first on [The GitHub Blog](https://github.blog). ## Pausing new GitHub Copilot Pro trials As GitHub Copilot continues to grow, we’ve seen a significant rise in abuse of our free trial system. To protect the experience and integrity of the platform for legitimate developers,… The post [Pausing new GitHub Copilot Pro trials](https://github.blog/changelog/2026-04-10-pausing-new-github-copilot-pro-trials) appeared first on [The GitHub Blog](https://github.blog).