GitHub-hosted runner images deprecation notice: Docker Compose v1

Docker Compose v1 has been deprecated as of July 2023. All customers utilizing Compose v1 on GitHub-hosted runners are encouraged to migrate to Compose v2. Per GitHub’s support policy we will remove this tool from our GitHub managed runner images effective July 9, 2024.

To avoid breaking changes, customers will need to update their Actions workflow files from using docker-compose to docker compose. After July 9, workflows will begin to fail that are using the previous syntax. Customers are advised to review the migration instructions to ensure they are making all the changes required.

For more information on GitHub managed images, see the runner-images repository.

Use CodeQL threat model settings for C# (beta) to adapt CodeQL’s code scanning analysis to detect the most relevant security vulnerabilities in your code.

CodeQL’s default threat model works for the vast majority of codebases. It considers data from remote sources (such as HTTP requests) as tainted. We previously released CodeQL threat model settings for Java to allow you to optionally mark local sources of data (such as data from local files, command-line arguments, environment variables, and databases) as tainted in order to help security teams and developers uncover and fix more potential security vulnerabilities in their code. CodeQL threat model settings are now available for C#, meaning that you can now enable similar local sources of taint in your code scanning analysis of code wriitten in C#.

If your repository is running code scanning default setup on C# or Java code, go to the Code security and analysis settings and click Edit configuration under Code scanning default setup. Here, you can change the threat model to Remote and local sources. For more information, see the documentation on including local sources of tainted data in default setup.

Threat model setting in CodeQL default configuration

If your repository is running code scanning advanced setup on C# or Java code, you can customize the CodeQL threat model by editing the code scanning workflow file. For more information, see the documentation on extending CodeQL coverage with threat models. If you run the CodeQL CLI on the command-line or in third party CI/CD, you can specify a --threat-model when running a code scanning analysis. For more information see the CodeQL CLI documentation.

As part of this work, we made changes to some of the queries included in the default code scanning suite for C# to better align with local and remote threat model settings. As a result you may see slightly fewer alerts when using the default threat model for remote sources. For more information about which queries are impacted, see the changelog for CodeQL 2.17.0.

CodeQL threat model settings (beta) in code scanning default setup is available on GitHub.com for repositories containing Java and C# code. Support for configuring threat model settings for C# will be shipped in GitHub Enterprise Server 3.14. Users of GHES 3.12 or older can also upgrade the version of CodeQL used in code scanning.

See more

PR review improvements

We’ve got some exciting news to share! We’ve been closely listening to your feedback, and one common challenge many of you faced was reviewing, and submitting your pull request reviews on GitHub Mobile. We heard you loud and clear, and today, we’re thrilled to announce that approving PRs is now easier than ever before!

With our latest update, we made it easier to start, continue, and submit your code reviews on the go.

Now, whether you’re on the train, grabbing a coffee, or simply away from your desk, you can effortlessly contribute to your projects and keep the momentum going.

Download or update GitHub Mobile today from the Apple App Store or Google Play Store to get started.


Learn more about GitHub Mobile and share your feedback to help us improve.

See more