Enable or disable automated security fixes for a repository

Previously, you could only enable or disable automated security fixes from a repository's security alerts page. We understand that having to do this for a large amount of repositories is not an optimal user experience. We've heard your feedback and are pleased to announce that we have released a new set of endpoints to manage the automated security fixes setting for your repositories.

To access the new endpoints, you must provide a custom media type in the Accept header:

application/vnd.github.london-preview+json

The first endpoint allows you to enable the automated security fixes setting:

PUT /repos/:owner/:repo/automated-security-fixes

The second endpoint allows you to disable the automated security fixes setting:

DELETE /repos/:owner/:repo/automated-security-fixes

During the preview period, we may change aspects of these APIs based on developer feedback. If we do, we will announce the changes here on the developer blog, but we will not provide any advance notice.

If you have any questions or feedback, please let us know!

Perform an "Update branch" on a pull request via the REST API

We are pleased to announce a new API for updating the branch on a pull request, the Update Branch API. Rather than having to manually click a button to update the HEAD of a pull request branch with the latest changes from the base branch, you can now do so with one REST API endpoint call.

Why not just use the Merging API? Good question, and of course you can! The advantage of using this new API is that you only need the pull request number, not the base or head. This could potentially save a few roundtrips to the API and reduce the risk of getting rate limited.

To access the new endpoints, you must provide a custom media type in the Accept header:

application/vnd.github.lydian-preview+json

The update a pull request branch endpoint allows you to update the HEAD of the pull request branch for a pull request.

PUT /repos/:owner/:repo/pulls/:pull_number/update-branch

During the preview period, we may change aspects of these APIs based on developer feedback. If we do, we will announce the changes here on the developer blog, but we will not provide any advance notice.

Feedback welcomed!

Enable or disable vulnerability alerts for a repository

Previously, you could only enable or disable repository vulnerability alerts by checking a box in a repository's settings. We understand that having to do this for a large amount of repositories is not an optimal user experience. We've heard your feedback and are pleased to announce that we have released a new set of endpoints to manage the vulnerability alerts setting for your repositories.

To access the new endpoints, you must provide a custom media type in the Accept header:

application/vnd.github.dorian-preview+json

The first endpoint allows you to enable the vulnerability alerts setting:

PUT /repos/:owner/:repo/vulnerability-alerts

And the second endpoint allows you to disable the vulnerability alerts setting:

DELETE /repos/:owner/:repo/vulnerability-alerts

During the preview period, we may change aspects of these APIs based on developer feedback. If we do, we will announce the changes here on the developer blog, but we will not provide any advance notice.

If you have any questions or feedback, please let us know!

[Updated 06-10-19] You can also check whether repository alerts are enabled or disabled for a repository using a new endpoint.

  GET /repos/:owner/:repo/vulnerability-alerts

New webhook events and actions

Our webhooks team is pleased to announce that we have added some long-awaited webhook events and actions to the list that we support and they will be available today. You'll automatically begin receiving these events if you have a webhook that is subscribed to wildcard events, otherwise you will be able to select the new events from the list in your webhook settings. As always, we continue to recommend listening for the actions in order to future-proof your code.

Here are the new events and actions that we've added:

Event Action Description
DeployKeyEvent created Triggered when a deploy key is added to a repository.
DeployKeyEvent deleted Triggered when a deploy key is removed from a repository.
IssueEvent locked Triggered when an issue is locked.
IssueEvent unlocked Triggered when an issue is unlocked.
MetaEvent deleted Triggered when the hook itself is deleted.
OrganizationEvent renamed Triggered when the organization is renamed.
OrganizationEvent deleted Triggered when the organization is deleted.
PullRequestEvent locked Triggered when a pull request is locked.
PullRequestEvent unlocked Triggered when a pull request is unlocked.
ReleaseEvent created Triggered when a release is created.
ReleaseEvent edited Triggered when a release is edited.
ReleaseEvent deleted Triggered when a release is deleted.
ReleaseEvent prereleased Triggered when a release is prereleased.
ReleaseEvent unpublished Triggered when a release is unpublished.
RepositoryEvent edited Triggered when attributes on a repository (e.g. description, default branch, homepage) are changed.
RepositoryEvent renamed Triggered when a repository is renamed.
RepositoryEvent transferred Triggered when a repository is transferred to a new owner.
StarEvent created Triggered when a star is added to a repository.
StarEvent deleted Triggered when a star is removed from a repository.

Please visit our webhooks documentation to view all of the events and actions that we support, and to get more information on these new ones.

If you have any questions or feedback, please get in touch!

List branches or pull requests for a commit (preview)

We're releasing a couple of REST endpoints that enable you to retrieve additional information from an existing commit.

To access the new endpoints you must provide a custom media type in the Accept header:

application/vnd.github.groot-preview+json

The first endpoint allows you to get the list of branches where the given commit is the HEAD:

GET /repos/:owner/:repo/commits/:commit_sha/branches-where-head

The second one enables you to get a list of pull requests associated with the commit:

GET /repos/:owner/:repo/commits/:commit_sha/pulls

During the preview period, we may change aspects of these APIs based on developer feedback. If we do, we will announce the changes here on the developer blog, but we will not provide any advance notice.

If you have any questions or feedback, please let us know!

Webhook IP addresses are changing

On April 9th, GitHub will begin sending webhooks from the 140.82.112.0/20 range of IP addresses in addition to the older 192.30.252.0/22 range.

We use a large pool of IP's to reach our customers, and we are adding further netblocks to help serve webhooks more reliably. If you have rules in place that only allow GitHub webhooks from our trusted addresses, you will need to update them.

This block of IPs has been in the /meta API endpoint since May 2018, but we wanted to announce this update in case you missed it.

Please contact us if you have any questions.

New response code for notifications marked as "read" in bulk

You can use the /PUT notifications endpoint to mark all notifcations as "read." Similarly, you can use the PUT /repos/:owner/:repo/notifications endpoint to mark all notifications as "read" for a specific repository.

Sometimes, GitHub would time out and return an error when there were too many unread notifications to process in a single request. We've changed both endpoints to trigger a background job that will mark the notifications as "read" asynchronously. If the operation is too expensive for a single request, the endpoint returns a 202 status code with the following response:

{
  "message": "Unread notifications couldn't be marked in a single request. Notifications are being marked as read in the background."
}

After analyzing recent request data and we expect very few requests to trigger a background job. Most requests should return a 205 status code as usual. If you do receive a 202 status code, it will take a short amount of time for all notifications to be marked as "read" in the background job. There is currently no way to check if the job has completed. Instead, we recommend checking the number of unread notifications in separate requests using one of these endpoints:

GET https://api.github.com/notifications?all=false

or

GET https://api.github.com/repos/:owner/:repo/notifications?all=false

Preview enable and disable Pages API endpoints

We're releasing a new Pages API preview that allows you to enable and disable GitHub Pages from the REST v3 API. These add to our existing Pages APIs which allow you to access & update Pages configuration as well as access & create new builds.

To access the enable API or disable API during the preview period, you must provide a custom media type in the Accept header:

   application/vnd.github.switcheroo-preview+json

During the preview period, we may change aspects of these APIs based on developer feedback. If we do, we will announce the changes here on the developer blog, but we will not provide any advance notice.

If you have any questions or feedback, please let us know!

Preview the new Draft Pull Requests API

Draft pull requests are available in public repositories with GitHub Free and GitHub Pro, and in public and private repositories with GitHub Team and GitHub Enterprise Cloud. For more information, see GitHub's billing plans in the GitHub Help documentation.

We're releasing new GraphQL mutations and fields that allow you to handle draft pull requests. We're also showing the draft boolean in REST API responses. When this boolean is true, the pull request is in a draft state, and cannot be merged. For more information about draft pull requests, see "About pull requests" in the GitHub Help documentation.

[Updated 03-22-19] You can also create draft pull requests using a new draft field in the Create a pull request endpoint.

Changes

To access these new API endpoints during the preview period, you must provide a custom media type in the Accept header:

application/vnd.github.shadow-cat-preview+json

During the preview period, we may change aspects of these API endpoints based on developer feedback. If we do, we will announce the changes here on the developer blog, but we will not provide any advance notice.

If you have any questions or feedback, please let us know!

Removing the strict validation preview

As part of our plans for stricter validation in our REST API, we introduced a preview header to test out the changes before the rollout. Stricter validation has been postponed and beginning January 31, 2019, we will no longer support this header:

application/vnd.github.speedy-preview+json

We still believe that stricter validation would have a positive impact on our REST API overall and are looking for alternative ways to introduce it. Stay tuned for future updates.

If you have any questions, please reach out!