At GitHub Universe in San Francisco, GitHub announced a number of new tools to help developers make their workflows more effective, including Actions, Suggested Changes, Security Alerts for .NET and Java, and more.
GitHub Actions, announced in limited public beta, allow developers to build sophisticated workflows by connecting basic steps that are packaged in Docker containers and run on GitHub’s servers. For example, an action workflow could build a Node project, run its tests, then package and publish it on NPM, or deploy it somewhere. Actions can be shared with the GitHub community, thus enabling the creation of an Action library that developers will hopefully be able to reuse easily.
(Image from GitHub blog)
Suggested Changes make it possible for a project’s collaborators to suggest code changes to pull requests. PR authors can then easily accept those suggestions, as well as amend them if necessary. Code suggestions are created as inline comments, which are not a new feature, of course; what is new is the possibility for those inline comments to include code that can be merged into the PR with one click. Suggested Changes are available in public beta.
A number of other new features focus on improving code security. These include Token Scanning for public repositories, which aims to prevent developers from inadvertently sharing their tokens and cryptographic keys when pushing to a public repo. GitHub will now scan your repos every time you push a commit, looking for tokens issued by the major service providers, including AWS, Azure, Google, GitHub, and others. If a token or key is found, GitHub notifies the issuing service provider so they can revoke the token or get in touch with the developer. On a related note, GitHub Actions seem to provide a solution to the problem of how to store a token for CI integration or automated testing in a public repository without it becoming public. In conversation with InfoQ, a GitHub spokesperson confirmed this is the case.
Another security-related feature is Security Vulnerability Alerts for .NET and Java. GitHub Security Vulnerability Alerts notify repo admins when vulnerabilities from the Common Vulnerabilities and Exposures (CVE) list are detected in their repositories. Security alerts were previously available for Ruby, JavaScript, and Python and now also support .NET and Java.
Related to this, GitHub now provides a new Security Advisory API, which gives developers access to the database of security vulnerabilities that GitHub aggregates from various web sources and that powers all of its security-related features. The GitHub Security Advisory API is available in preview through the GitHub GraphQL API.
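As an added illustration (not code from the article or from GitHub), the snippet below shows how a project could use the Security Advisory API through GraphQL to check one dependency version against the vulnerable version ranges GitHub reports. It assumes the `securityVulnerabilities` query shape of the API preview; the package name, GHSA ids and response data are constructed placeholders.

```python
"""Check a dependency version against GitHub Security Advisory API results.
Added example, not code from the article or from GitHub. Assumes the GraphQL
`securityVulnerabilities` query shape of the API preview; sample data is constructed."""
import operator
import re

# POST to https://api.github.com/graphql with an "Authorization: bearer <token>" header;
# variables e.g. {"ecosystem": "NUGET", "package": "Example.Package"} (placeholder name).
ADVISORY_QUERY = """
query($ecosystem: SecurityAdvisoryEcosystem!, $package: String!) {
  securityVulnerabilities(first: 50, ecosystem: $ecosystem, package: $package) {
    nodes { vulnerableVersionRange firstPatchedVersion { identifier }
            advisory { ghsaId severity } }
  }
}"""

_OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt,
        ">=": operator.ge, "=": operator.eq}

def _ver(text):
    return tuple(int(p) for p in re.findall(r"\d+", text))  # "1.2.3" -> (1, 2, 3)

def in_range(version, version_range):
    """True if `version` satisfies every comma-separated clause, e.g. '>= 1.0, < 1.2'."""
    v = _ver(version)
    for clause in version_range.split(","):
        m = re.fullmatch(r"\s*(<=|>=|<|>|=)\s*(\S+)\s*", clause)
        if not m:
            raise ValueError(f"unparseable range clause: {clause!r}")
        op, bound = m.group(1), _ver(m.group(2))
        width = max(len(v), len(bound))  # zero-pad so 1.2 compares equal to 1.2.0
        if not _OPS[op](v + (0,) * (width - len(v)), bound + (0,) * (width - len(bound))):
            return False
    return True

def affected(version, response):
    """(ghsaId, severity, first patched version) for each vulnerability whose range matches."""
    hits = []
    for node in response["data"]["securityVulnerabilities"]["nodes"]:
        if in_range(version, node["vulnerableVersionRange"]):
            patched = (node.get("firstPatchedVersion") or {}).get("identifier")
            hits.append((node["advisory"]["ghsaId"], node["advisory"]["severity"], patched))
    return hits

# Constructed response in the shape the query returns; the GHSA ids are placeholders.
SAMPLE_RESPONSE = {"data": {"securityVulnerabilities": {"nodes": [
    {"vulnerableVersionRange": ">= 2.0.0, < 2.4.1", "firstPatchedVersion": {"identifier": "2.4.1"},
     "advisory": {"ghsaId": "GHSA-xxxx-xxxx-0001", "severity": "HIGH"}},
    {"vulnerableVersionRange": "< 1.9.0", "firstPatchedVersion": {"identifier": "1.9.0"},
     "advisory": {"ghsaId": "GHSA-xxxx-xxxx-0002", "severity": "MODERATE"}}]}}}
```

Pre-release tags are ignored by the simple version comparison, so a real check should use a proper version library for the ecosystem in question.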
As a final note, GitHub is now introducing a new unified business identity, which allows developers to take credit for their work under different Business Cloud accounts.