Filtering jobs for a workflow run

We are introducing a breaking change to the List jobs for a workflow run endpoint.

The new default behavior will list jobs from the most recent execution of the workflow run. You can specify all with the filter parameter when you want to see all jobs for a particular workflow run, including from old executions of the workflow run.

Please update your code accordingly, and let us know if you have any questions.

Replacing the "Delete reactions" endpoint

We are announcing a new set of "Deleting reactions" endpoints in the Reactions API to replace the existing "Delete reactions" endpoint DELETE /reactions/:reaction_id.

The new endpoints will allow us to scale and support the Reactions API long-term.

Deprecation timeline

The existing "Delete reaction" endpoint deleting a reaction will be disabled a year from now at the earliest on February 1st 2021.

Replacement endpoints

These are the new replacement Reaction API endpoints for deleting reactions:

Deprecating OAuth Application API

As mentioned in this previous blog post, GitHub no longer supports the OAuth application endpoints and have replaced them with a version that moves the access token to the request body for improved security.

This deprecation has not been applied to GitHub Enterprise offerings yet. Please check the latest Enterprise release notes to learn when this deprecation is initiated and which version of GitHub Enterprise Server will have the OAuth Application API removed.

As an alternative to authorizing your app, you can use the web application flow or the device flow. The device flow doesn't require using the client_secret and can be used by headless apps. For more information, see "Authorizing OAuth Apps."

Deprecation timeline

Brownouts

During a brownout, calls to the old version of OAuth application endpoints will temporarily fail. The goal is to trigger alerts (assuming there are any) on our customers' services to help find unmigrated endpoint calls.

The brownouts are scheduled for:

  • March 17, 2021

    • From 07:00 UTC to 10:00 UTC
    • From 16:00 UTC to 19:00 UTC
  • April 14, 2021

    • From 07:00 UTC to 10:00 UTC
    • From 16:00 UTC to 19:00 UTC

Removal date

All calls to the old version of the OAuth application endpoints will return a status code of 404 starting on:

  • May 5, 2021 at 16:00 UTC

Changes to make

Using calls to OAuth Application API

If you're using the version of the OAuth Application API that includes :access_token in the path like:

curl -u my_client_id:my_client_secret -X POST "https://api.github.com/applications/123/tokens/my_access_token"

Instead, you'll need to call the new version that moves :access_token in the request body:

curl -u my_client_id:my_client_secret -X PATCH "https://api.github.com/applications/123/token -d {"access_token": "my_access_token"}"

See the list of OAuth application endpoints below that you'll need to replace with the new endpoints.

Endpoints affected

The following list of OAuth Application endpoints are deprecated and should be replaced with the new corresponding endpoints.

Deprecated Endpoint Deprecated Path New Endpoint New Path
Check an authorization GET /applications/:client_id/tokens/:access_token Check a token POST /applications/:client_id/token
Reset an authorization POST /applications/:client_id/tokens/:access_token Reset a token PATCH /applications/:client_id/token
Revoke app authorization DELETE /applications/:client_id/tokens/:access_token Delete app token DELETE /applications/:client_id/token
Revoke app grant DELETE /applications/:client_id/grants/:access_token Delete app authorization DELETE /applications/:client_id/grant

If you have any questions or feedback, please let us know!

Deprecating OAuth Authorization API

As mentioned in this previous blog post, GitHub has deprecated the OAuth authorization endpoints and recommends that integrators switch to the web application flow to generate access tokens.

Since the OAuth Authorization API requires password authentication, this API will not work once password authentication has been deprecated.

This deprecation has not been applied to GitHub Enterprise offerings, yet. Though, we still recommend GHES customers to make the changes in their applications, if possible. Please check the latest Enterprise release notes to learn when deprecation is initiated and on which GHES version OAuth Authorization API will be removed.

Deprecation timeline

Removal date

All calls to the OAuth authorization endpoints will return a status code of 404 starting on:

  • November 13, 2020 at 16:00 UTC

Brownouts

During a brownout, calls to the old version of the OAuth Authorization API will temporarily fail. The goal is to trigger alerts (assuming there are any) on our customers' services to help find unmigrated endpoint calls.

The brownouts are scheduled for:

  • September 30, 2020

    • From 07:00 UTC to 10:00 UTC
    • From 16:00 UTC to 19:00 UTC
  • October 28, 2020

    • From 07:00 UTC to 10:00 UTC
    • From 16:00 UTC to 19:00 UTC

Changes to make

Calls to OAuth Authorizations API

If you're making OAuth Authorization API calls to manage your OAuth app's authorizations or to create personal access or OAuth tokens like:

curl -u my_username:my_password -X POST "https://api.github.com/authorizations" -d '{"scopes":["public_repo"], "note":"my token", "client_id":"my_client_id", "client_secret":"my_client_secret"}'

Then you must switch to the web application flow to generate access tokens.

Endpoints affected

The following list of OAuth authorization endpoints are deprecated:

If you have any questions or feedback, please let us know!

Deprecating password authentication

As mentioned in this previous blog post, GitHub no longer supports basic authentication using a username and password. Instead, we recommend using personal access tokens or the web application flow.

This deprecation has not been applied to GitHub Enterprise offerings yet. Please check the latest Enterprise release notes to learn when this deprecation is initiated and which version of GitHub Enterprise Server will have password authentication removed.

Deprecation timeline

Brownouts

During a brownout, password authentication will temporarily fail. The goal is to trigger alerts (assuming there are any) on our customers' services to help find unmigrated endpoint calls.

The brownouts are scheduled for:

  • September 30, 2020

    • From 07:00 UTC to 10:00 UTC
    • From 16:00 UTC to 19:00 UTC
  • October 28, 2020

    • From 07:00 UTC to 10:00 UTC
    • From 16:00 UTC to 19:00 UTC

Removal

All password authentication will return a status code of 401 starting:

  • November 13, 2020 at 16:00 UTC

Changes to make

Using username/password for basic auth

If you're using username and password to make API calls like:

curl -u my_user:my_password https://api.github.com/user/repos

Instead, use a personal access token when testing endpoints or doing local development:

curl -H 'Authorization: token my_access_token' https://api.github.com/user/repos

For OAuth Apps, you should use the web application flow to generate an OAuth token that's also used in the header:

curl -H 'Authorization: token my-oauth-token' https://api.github.com/user/repos

Endpoints affected

All endpoints called using password authentication are affected.

If you have any questions or feedback, please let us know!

Deprecating API authentication through query parameters

As mentioned in this previous blog post, GitHub no longer supports authentication through query parameters. Instead, we recommend users move the authentication in the header.

This deprecation has not been applied to GitHub Enterprise offerings yet. We still recommend GitHub Enterprise customers make changes in their applications if possible. Please check the latest Enterprise release notes to learn when this deprecation is initiated and which version of GitHub Enterprise Server will have authorization through query parameters removed.

Deprecation timeline

Brownouts

During a brownout, authentication using query parameters will temporarily fail. The goal is to trigger alerts (assuming there are any) on our customers' services to help them find unmigrated authentication calls.

The brownouts are scheduled for:

  • March 17, 2021

    • From 07:00 UTC to 10:00 UTC
    • From 16:00 UTC to 19:00 UTC
  • April 14, 2021

    • From 07:00 UTC to 10:00 UTC
    • From 16:00 UTC to 19:00 UTC

Removal date

All authentication using query parameters will return a status code of 401 like all other auth failures starting on:

  • May 5, 2021 at 16:00 UTC

Changes to make

Starting on November 13th, using access_token as a query parameter to access the API (as a user or as a GitHub App) or using client_id/client_secret to make OAuth app unauthenticated calls will be disabled. For examples, see below.

Common uses of access_token as a query param include:

Using access_token as a query param

If you're currently making an API call similar to

curl "https://api.github.com/user/repos?access_token=my_access_token"

Instead, you should send the token in the header:

curl -H 'Authorization: token my_access_token' https://api.github.com/user/repos

For details on how to generate a token, see "Creating a personal access token."

For details on how to set the token, see these guidelines.

Using client_id/client_secret as a query param

If you're using an OAuth app's client_id and client_secret to make unauthenticated calls with a higher rate limit similar to

curl "https://api.github.com/user/repos?client_id=my_client_id&client_secret=my_secret_id"

Instead, you should use the following format:

curl -u my_client_id:my_client_secret https://api.github.com/user/repos

Endpoints affected

All requests to endpoints that use the above style of authentication are affected.

If you have any questions or feedback, please let us know!

Automatically marking old incomplete check runs as `stale`

If a check run is in an incomplete state for more than 14 days, GitHub will automatically change the check run's conclusion to stale. The new stale state will be denoted with the symbol and behaves similarly to the timed_out and canceled conclusions. When GitHub marks a check run as stale, a check run webhook event is triggered.

This will prevent old incomplete check runs from stopping apps that rely on the completed check suite event to trigger a flow.

Only GitHub can mark check runs as stale. For more information about possible conclusions of a check run, see the conclusion parameter.

This new behavior will go into effect after February 26th, 2020. All incomplete check runs older than 14 days will be marked stale. This feature will roll out slowly over a couple of days.

Actions API

GitHub Actions is available with GitHub Free, GitHub Pro, GitHub Free for organizations, GitHub Team, GitHub Enterprise Cloud, and GitHub One. GitHub Actions is not available for private repositories owned by accounts using legacy per-repository plans. For more information, see GitHub's products in the GitHub Help documentation.

UPDATE (2020-02-19): The Actions API now includes the new List artifacts for a repository endpoint.

UPDATE (2020-02-18): The Actions API for workflow runs will replace check_suite_id with check_suite_url in responses to better adhere to API conventions.

The Actions API enables you to manage GitHub Actions using the REST API. This includes the management of Secrets and Self-hosted runners.

The following endpoints in the Actions API are available for you to use:

During the public beta period, we may change aspects of these APIs based on developer feedback. If we do, we will announce the changes here on the developer blog, but we will not provide any advance notice.

If you have any questions or feedback, please let us know!

Creating a repository dispatch event now official part of GitHub API

The "Creating a repository dispatch event" endpoint no longer requires the everest preview.

 application/vnd.github.everest-preview+json

For more information about this endpoint, see the "Create a repository dispatch event."

Thanks again to everyone that tried out these API features during the preview period.

Moving the teams API

We are announcing a new set of endpoints in the Teams API. The new endpoints will allow us to scale and support the Teams API long-term.

The Team APIs will be moving from a top-level path under /teams/:team_id to a scoped path under the organization that owns the team with a path like /organizations/:org_id/team/:team_id. In this move we also are adding support to making these APIs available under a named path as well with /orgs/:org/teams/:team_slug.

Deprecation timeline

The existing API endpoints will be disabled a year from now at the earliest on February 1st 2021.

What changes to make

If you're already using an API endpoint under /teams/:team_id, the easiest way to update your code is to switch to the /organizations/:org_id/team/:team_id endpoint. If you're unsure what org_id to use, you can find it by retrieving the current team under /teams/:team_id. You'll find the org_id inside the organization hash as the id field in the response.

Note: The endpoint routes using organization and team id use the singular team. The plural form of the route already exists. For example, /organizations/:org_id/teams/:team_slug.

Endpoints affected

These endpoints are being deprecated:

These are the new replacement team API endpoints:

As mentioned, these new replacement team API endpoints are available both as /orgs/:org/teams/:team_slug for name based access, and as /organizations/:org_id/team/:team_id for id based access.

If you have any questions or feedback, please let us know!