GitHub Products
All GitHub Release Notes (310)
- Apr 17, 2026
- Date parsed from source:Apr 17, 2026
- First seen by Releasebot:Apr 18, 2026
GitHub Copilot CLI now supports Copilot auto model selection
GitHub releases Copilot auto model selection in GitHub Copilot CLI for all Copilot plans, letting Auto pick efficient models, show the model used, respect admin policies, and switch anytime. It also adds premium request billing based on the selected model with a 10% discount for paid subscribers.
Copilot auto model selection is now generally available in GitHub Copilot CLI for all Copilot plans. With auto, Copilot chooses the most efficient model on your behalf.
How it works
Auto is dynamic, giving you reliable access to your favorite models while mitigating rate limits. It routes to models like GPT-5.4, GPT-5.3-Codex, Sonnet 4.6, and Haiku 4.5 based on your plan and policies. The models auto will route to will change over time.
Transparency: See which model was used directly in the Copilot CLI.
Stay in control: Switch between auto and any specific model at any time.
Respects your policies: Auto honors all administrator model settings.
Premium request use
Premium request use for auto is billed based on the model it selects, which is currently limited to models with 0x to 1x multipliers like those listed above. All paid subscribers get a 10% discount on the model multiplier when using auto. For example, when auto uses a model that has a 1x multiplier, you’ll draw down 0.9 premium requests instead of 1.
Join the discussion within GitHub Community.
The post GitHub Copilot CLI now supports Copilot auto model selection appeared first on The GitHub Blog.
Original source - Apr 17, 2026
- Date parsed from source:Apr 17, 2026
- First seen by Releasebot:Apr 17, 2026
1.0.32-1
Copilot CLI fixes /feedback bundle saving by writing to TEMP when the working directory isn’t writable.
All of your release notes in one feed
Join Releasebot and get updates from GitHub and hundreds of other software products.
- Apr 17, 2026
- Date parsed from source:Apr 17, 2026
- First seen by Releasebot:Apr 17, 2026
- Modified by Releasebot:Apr 18, 2026
1.0.32
Copilot CLI adds smarter session and prompt workflows, including short resume IDs, remote session connect, auto model selection, document attachments, usage warnings, better terminal rendering, and fixes for retries, login, and navigation.
2026-04-17
- Allow short session ID prefixes (7+ hex chars) with --resume and /resume instead of the full ID
- /feedback saves the bundle to TEMP when the working directory is not writable
- Select auto as your model to let Copilot automatically pick the best available model for each session
- Add --print-debug-info flag to display version, terminal capabilities, and environment variables
- Show warnings when approaching 75% and 90% of your weekly usage limit
- Attach supported document files to prompts for the agent to read and reason about
- Add --connect flag to directly connect to a remote session by ID
- copilot login --host now correctly authenticates with GitHub Enterprise Cloud (GHE) instances
- Current date and time in agent context now includes local timezone offset
- Terminal progress indicator stays visible while the agent is thinking
- Status line no longer shows stray Unicode glyphs in terminals like Neovim after /clear
- Rewind works correctly after using /cd to change directories
- Multiline input is preserved when using /plan and plan mode
- Backspace correctly exits shell mode only when the input is empty
- Mouse wheel scrolling works correctly in the /ask dialog
- Rate-limited sessions now pause queued messages and automatically retry instead of dropping them
- Tables render with correct column widths, emoji support, and stable borders during terminal resize
- Rate limit error messages now show specific context based on the type of limit reached
- Session idle timeout is now configurable via --session-idle-timeout; disabled by default
- Skills that exceed the token limit are still discoverable and invocable by name
- Apr 16, 2026
- Date parsed from source:Apr 16, 2026
- First seen by Releasebot:Apr 17, 2026
1.0.31
Copilot CLI fixes prompt frame rendering issues on Windows and Ubuntu terminals.
2026-04-16
Prompt frame no longer causes rendering issues on Windows and Ubuntu terminals
Original source - Apr 16, 2026
- Date parsed from source:Apr 16, 2026
- First seen by Releasebot:Apr 17, 2026
1.0.30
Copilot CLI improves with a new /statusline command for customizing the status bar, better plugin and skill discovery, fixed image paste support, and clearer /undo feedback when rewind is unavailable.
2026-04-16
- Feedback form links to the correct GitHub repository
- /undo shows an explanatory message when rewind is unavailable (e.g., not in a git repository or no commits yet)
- Plugin skills and commands are correctly discovered when using skills.discover
- Add /statusline command (with /footer alias) to customize which items appear in the status bar (directory, branch, effort, context window, quota)
- Remove --list-env flag that logged loaded plugins, agents, skills, and MCP servers in prompt mode
- Image paste from clipboard works again after regression in bracketed paste handling
- Both Ctrl+V and Meta+V trigger image paste on all platforms
- Apr 16, 2026
- Date parsed from source:Apr 16, 2026
- First seen by Releasebot:Apr 17, 2026
1.0.29
Copilot CLI adds Remote MCP server config defaults, a new --list-env flag for prompt mode, and support for Claude Opus 4.7. It also improves terminal behavior, session env handling, repo owner detection, and Windows crash recovery.
2026-04-16
- Remote MCP server config now allows omitting the type field, defaulting to http
- Blinking cursor maintains stable width so text does not shift during blink
- Add --list-env flag to log loaded plugins, agents, skills, and MCP servers when running in prompt mode, helping verify environment configuration in CI pipelines
- Add support for Claude Opus 4.7
- Shell commands and MCP servers now receive COPILOT_AGENT_SESSION_ID as an environment variable
- Agent correctly identifies repository owner from git remote URL rather than local username
- Terminal state correctly restored after a crash exit on Windows
- Apr 16, 2026
- Date parsed from source:Apr 16, 2026
- First seen by Releasebot:Apr 16, 2026
- Modified by Releasebot:Apr 18, 2026
Manage agent skills with GitHub CLI
GitHub launches gh skill in GitHub CLI, making it easier to discover, install, manage, update, and publish agent skills from repositories. It adds version pinning, provenance tracking, and supply chain safeguards for skills across major AI agent hosts.
What are agent skills?
Agent skills are reshaping how developers work with AI coding agents. Today we’re launching gh skill, a new command in the GitHub CLI that makes it easy to discover, install, manage, and publish agent skills from GitHub repositories.
Agent skills are portable sets of instructions, scripts, and resources that teach AI agents how to perform specific tasks. They follow the open Agent Skills specification, and work across multiple agent hosts including GitHub Copilot, Claude Code, Cursor, Codex, and Gemini CLI among others.
With the new gh skill command, you can now install agent skills in a single command, right from the GitHub CLI.
Get started
Update the GitHub CLI to version v2.90.0 or later.
Then discover and install skills interactively:
# Browse skills in a repository and install them interactively gh skill install github/awesome-copilot # Or install a specific skill directly gh skill install github/awesome-copilot documentation-writer # Install a specific version using @tag gh skill install github/awesome-copilot [email protected] # Install at a specific commit SHA gh skill install github/awesome-copilot documentation-writer@abc123def # Discover skills gh skill search mcp-appsSkills are automatically installed to the correct directory for your agent host. You can target a specific agent and scope with flags:
gh skill install github/awesome-copilot documentation-writer --agent claude-code --scope userVersion pinning and supply chain integrity
Agent skills are executable instructions that shape how AI agents behave. A skill that changes silently between installs is a supply chain risk. gh skill brings the same guarantees you expect from package managers to the skills ecosystem, using primitives GitHub already provides.
Tags and releases: Every published release is tied to a git tag. gh skill publish offers to enable immutable releases, so release content cannot be altered after publication, even by admins.
Content-addressed change detection: Each installed skill records the git tree SHA of its source directory. gh skill update compares local SHAs against the remote to detect real content changes, not just version bumps. By storing this information in skills front-matter, versioning and pinning are portable too, so you (or your agent) can copy and paste the skill to different projects without losing the ability to track changes and update it.
Version pinning: Lock a skill to a specific tag or commit SHA with --pin. Pinned skills are skipped during updates, so you upgrade deliberately, not accidentally.
Portable provenance via frontmatter: When gh skill installs a skill, it writes tracking metadata (repository, ref, tree SHA) directly into the SKILL.md frontmatter. Because provenance data lives inside the skill file itself, it travels with the skill no matter where it ends up. Skills get moved, copied, and reorganized by users, agents, and scripts.
# Pin to a release tag gh skill install github/awesome-copilot documentation-writer --pin v1.2.0 # Pin to a commit for maximum reproducibility gh skill install github/awesome-copilot documentation-writer --pin abc123defPublish your own skills
If you maintain a skills repository, gh skill publish validates your skills against the agentskills.io spec and checks remote settings like tag protection, secret scanning, and code scanning. These settings are not required, but strongly recommended to improve the supply chain security of your repo.
Enabling immutable releases, for example, means even if someone gets control of your repository they cannot change existing releases, so users installing via tag pinning are fully protected. The publish command makes it trivial to enable these features.
# Validate all skills gh skill publish # Auto-fix metadata issues gh skill publish --fixKeep skills up to date
gh skill update scans all known agent host directories, reads provenance metadata from each installed skill, and checks for upstream changes:
# Check for updates interactively gh skill update # Update a specific skill gh skill update git-commit # Update everything without prompting gh skill update --allSupported agent hosts
Host
Install command exampleGitHub Copilot
gh skill install OWNER/REPOSITORY SKILLClaude Code
gh skill install OWNER/REPOSITORY SKILL --agent claude-codeCursor
gh skill install OWNER/REPOSITORY SKILL --agent cursorCodex
gh skill install OWNER/REPOSITORY SKILL --agent codexGemini CLI
gh skill install OWNER/REPOSITORY SKILL --agent geminiAntigravity
gh skill install OWNER/REPOSITORY SKILL --agent antigravityLearn more
Check out the Agent Skills specification.
Join the discussion in GitHub Community.
Visit the gh_skill documentation.
Run gh skill --help to see all available commands.
gh skill is launching in public preview and it’s subject to change without notice.
Editor’s note (April 17, 2026): Added additional options for learning more.
Skills are installed at your own discretion. They are not verified by GitHub and may contain prompt injections, hidden instructions, or malicious scripts. We strongly recommend inspecting the content of skills before installation, which can be done via the gh skill preview command.
Join the GitHub Community.
The post Manage agent skills with GitHub CLI appeared first on The GitHub Blog.
Original source - Apr 16, 2026
- Date parsed from source:Apr 16, 2026
- First seen by Releasebot:Apr 16, 2026
Rule insights dashboard and unified filter bar
GitHub adds a new rule insights dashboard and a unified filter bar for alert dismissal and bypass request pages, giving repository admins a clearer view of rule activity, trends, and consistent filtering across security workflows in public preview.
Rule insights dashboard
GitHub repository rulesets are powerful, but it hasn’t been easy to spot trends like spikes in blocked pushes during an incident or patterns in bypass activity without digging through data in the rule insights page.
The new rule insights dashboard is now available in your repository’s Settings > Rules tab. It gives you a visual, high-level view of rule evaluation activity, including:
- Successes, failures, and bypasses over time
- The most active bypassers for your rulesets
Each chart links back to the rule insights page with filters prefilled, so you can quickly drill into specific statuses, bypassers, or time ranges.
Whether you’re responding to an incident or auditing bypass activity, the dashboard helps you spot trends at a glance and jump to the details when you need them.
Unified filter bar for alert dismissal and bypass request pages
Building on the filter bar improvements shipped in February, we’ve replaced custom dropdowns on several alert management pages with the same unified filter bar component. This affects:
- GitHub code scanning alert dismissal requests at the enterprise and organization levels.
- GitHub Dependabot alert dismissal requests at the enterprise and organization levels.
- GitHub secret scanning alert dismissals at the enterprise and organization levels.
- GitHub secret scanning push protection bypass requests at the enterprise, organization, and repository levels.
You now get a consistent filtering experience, including support for custom properties, across all of these pages.
Learn more about GitHub repository rulesets.
These experiences are available in public preview.
The post Rule insights dashboard and unified filter bar appeared first on The GitHub Blog.
Original source - Apr 16, 2026
- Date parsed from source:Apr 16, 2026
- First seen by Releasebot:Apr 16, 2026
Claude Opus 4.7 is generally available
GitHub adds Claude Opus 4.7 to GitHub Copilot, bringing stronger multi-step task performance, better agentic execution, and improved long-horizon reasoning for complex workflows. It rolls out gradually to Pro+, Business, and Enterprise users across major Copilot surfaces.
Claude Opus 4.7, Anthropic’s latest Opus model, is now rolling out on GitHub Copilot. In our early testing, Opus 4.7 delivers stronger multi-step task performance and more reliable agentic execution, building on the coding strategy strengths of its predecessor. It also shows meaningful improvement in long-horizon reasoning and complex, tool-dependent workflows.
As part of our efforts to improve service reliability, we are streamlining our model offerings. Over the coming weeks, Opus 4.7 will replace Opus 4.5 and Opus 4.6 in the model picker for Copilot Pro+. We’ve seen strong improvements across our benchmarks, and we’re committed to providing individual users with state-of-the-art models while ensuring a fast, reliable Copilot experience.
This model is launching with a 7.5× premium request multiplier as part of promotional pricing until April 30th.
Availability in GitHub Copilot
Claude Opus 4.7 will be available to Copilot Pro+, Business, and Enterprise users.
You’ll be able to select the model in the model picker in:
- Visual Studio Code
- Visual Studio
- Copilot CLI
- GitHub Copilot Cloud Agent
- github.com
- GitHub Mobile IOS and Android
- JetBrains
- Xcode
- Eclipse
Rollout will be gradual. Check back soon if you don’t see it yet.
Enabling access
Copilot Enterprise and Copilot Business plan administrators must enable the Claude Opus 4.7 policy in Copilot settings.
Learn more
To explore all models available in GitHub Copilot, see our documentation on models and get started with Copilot.
Share your feedback
Join the GitHub Community to share your feedback.
The post Claude Opus 4.7 is generally available appeared first on The GitHub Blog.
Original source - Apr 16, 2026
- Date parsed from source:Apr 16, 2026
- First seen by Releasebot:Apr 16, 2026
- Modified by Releasebot:Apr 17, 2026
1.0.28
Copilot CLI adds a set of usability and reliability improvements, including clearer permission prompts, cleaner editor errors, simpler picker navigation, terminal title opt-out support, refreshed instructions and skills, and fixes for Azure, submodules, and agent notifications.
2026-04-16
- Permission prompts show correct repository path when working inside git submodules
- Background agent completion notifications are not sent redundantly when read_agent is already waiting for the result
- MCP migration hint now links to documentation with platform-specific instructions instead of embedding shell commands inline
- Azure resource IDs no longer trigger false path security warnings when running az CLI commands
- Rewind picker navigation simplified to arrow keys and Enter, removing the confusing 1-9 quick-select shortcut
- A clear error message is displayed when the configured editor cannot be launched
- Mascot plays a short blink sequence on startup instead of blinking continuously
- Connect to CLI remote control sessions from the —resume picker
- Support COPILOT_DISABLE_TERMINAL_TITLE environment variable to opt out of terminal title updates
- Custom instructions and skills refresh from disk after /clear or /new
- Apr 15, 2026
- Date parsed from source:Apr 15, 2026
- First seen by Releasebot:Apr 16, 2026
CodeQL 2.25.2 adds Kotlin 2.3.20 support and other updates
GitHub releases CodeQL 2.25.2 with Kotlin 2.3.20 support, accuracy improvements that reduce false positives, and security severity score updates across multiple languages to better reflect log injection and XSS impact.
CodeQL is the static analysis engine behind GitHub code scanning, which finds and remediates security issues in your code. We’ve recently released CodeQL 2.25.2, which brings a new Kotlin version update, various accuracy improvements, and a set of security severity score adjustments across multiple languages.
Language and framework support
Java/Kotlin
Kotlin versions up to 2.3.20 are now supported for analysis.
The java/tainted-arithmetic query no longer flags arithmetic expressions used directly as an operand of a comparison in if-condition bounds-checking patterns, reducing false positives.
The java/potentially-weak-cryptographic-algorithm query no longer flags Elliptic Curve algorithms, HMAC-based algorithms, or PBKDF2 key derivation as potentially insecure, reducing false positives for this query.
C/C++
Reduced false positives in the cpp/suspicious-add-sizeof, cpp/wrong-type-format-argument, and cpp/integer-multiplication-cast-to-long queries.
Query changes
C#
The cs/constant-condition query has been simplified to produce fewer false positives. As a result, the cs/constant-comparison query has been removed, since cs/constant-condition now covers those results.
Security severity updates
We’ve updated @security-severity scores across several languages to better align log injection and XSS queries with their actual impact:
C/C++: cpp/cgi-xss increased from medium (6.1) to high (7.8).
C#: cs/log-forging reduced from high (7.8) to medium (6.1); cs/web/xss increased from medium (6.1) to high (7.8).
Go: go/log-injection reduced from high (7.8) to medium (6.1); go/html-template-escaping-bypass-xss, go/reflected-xss, and go/stored-xss increased from medium (6.1) to high (7.8).
Java/Kotlin: java/log-injection reduced from high (7.8) to medium (6.1); java/android/webview-addjavascriptinterface, java/android/websettings-javascript-enabled, and java/xss increased from medium (6.1) to high (7.8).
Python: py/log-injection reduced from high (7.8) to medium (6.1); py/jinja2/autoescape-false and py/reflective-xss increased from medium (6.1) to high (7.8).
Ruby: rb/log-injection reduced from high (7.8) to medium (6.1); rb/reflected-xss, rb/stored-xss, and rb/html-constructed-from-input increased from medium (6.1) to high (7.8).
Swift: swift/unsafe-webview-fetch increased from medium (6.1) to high (7.8).
Rust: rust/log-injection increased from low (2.6) to medium (6.1); rust/xss increased from medium (6.1) to high (7.8).
For a full list of changes, please refer to the complete changelog for version 2.25.2. Every new version of CodeQL is automatically deployed to users of GitHub code scanning on github.com. The new functionality in CodeQL 2.25.2 will also be included in a future GitHub Enterprise Server (GHES) release. If you use an older version of GHES, you can manually upgrade your CodeQL version.
The post CodeQL 2.25.2 adds Kotlin 2.3.20 support and other updates appeared first on The GitHub Blog.
Original source - Apr 15, 2026
- Date parsed from source:Apr 15, 2026
- First seen by Releasebot:Apr 16, 2026
Enable Copilot cloud agent via custom properties
GitHub adds per-organization control for Copilot cloud agent access, letting enterprise admins selectively enable CCA for chosen organizations through custom properties, new API endpoints, or the AI Controls page to pilot and expand access more flexibly.
You can now selectively enable GitHub Copilot cloud agent (CCA) access on a per-organization basis. Previously, enterprise admins and AI managers could only enable the agent everywhere, disable it everywhere, or let each organization decide. With this release, you can selectively enable CCA for specific organizations, individually or by using organization custom properties. You can manage this policy setting using the new API endpoints or directly in the AI Controls page.
Please note that using custom properties to enable CCA is evaluated once at the time of configuration. Organizations will not be automatically enabled or disabled for CCA if the custom property is added, removed, or modified later.
This new capability provides the flexibility to pilot CCA with select teams, progressively expand access, and manage adoption at your own pace.
New API endpoints to manage CCA
You can use three new API endpoints to manage CCA:
- PUT: Set the policy state: decided by organization, enabled everywhere, disabled everywhere, or enabled for selected organizations.
- POST: Add organizations to the CCA enabled list.
- DELETE: Disable CCA for organizations.
To learn more, visit our REST API documentation.
Manage CCA for organizations from the AI controls page
In the AI Controls settings page, you can now create policies that selectively enable CCA for a subset of your organizations. No action is required to preserve your current policy.
You’ll find the new policy management on the AI Controls page under “Agent” → “Copilot Cloud Agent” → “Enabled for selected organizations”.
To learn more, visit our documentation about managing CCA in an enterprise.
Join the discussion within GitHub Community.
The post Enable Copilot cloud agent via custom properties appeared first on The GitHub Blog.
Original source - Apr 15, 2026
- Date parsed from source:Apr 15, 2026
- First seen by Releasebot:Apr 15, 2026
1.0.27
Copilot CLI adds clearer trial pause messages, helpful typing hints, clipboard fixes, /ask, and plugin catalog refresh updates.
2026-04-15
Show a clear message when Copilot Pro trial is paused instead of a generic policy error
Status bar shows @files and #issues hints while typing, and /help hint when the slash command picker is open
Clipboard copy on WSL no longer leaks an invisible BOM character into pasted text
Add /ask command to ask a quick question without affecting conversation history
Add copilot plugin marketplace update command to refresh plugin catalogs
Original source - Apr 14, 2026
- Date parsed from source:Apr 14, 2026
- First seen by Releasebot:Apr 15, 2026
OIDC support for Dependabot and code scanning
GitHub adds organization-level OIDC support for Dependabot and code scanning, making private registry access easier to manage with short-lived credentials instead of long-lived secrets. The feature is generally available on github.com and ships in GitHub Enterprise Server 3.22.
Dependabot and code scanning now support OpenID Connect (OIDC) authentication for private registries configured at the organization level, eliminating the need to store long-lived credentials as repository secrets.
What’s new
Organization administrators can configure OIDC-based credentials for private registries across their organization. With OIDC-based authentication, you can dynamically obtain short-lived credentials from your cloud identity provider, just like GitHub Actions workflows using OIDC federation. This builds on earlier support for OIDC authentication in repository-level dependabot.yml configuration files and extends it to the organization level, so you can centrally manage registry access for all repositories in your org.
Supported registries
- AWS CodeArtifact
- Azure DevOps Artifacts
- JFrog Artifactory
Within the next four weeks, we will add support for Cloudsmith and Google Artifact Registry.
This feature is now generally available on github.com and will ship in GitHub Enterprise Server 3.22.
Learn more about configuring OIDC for Dependabot and code scanning at the organization level. You can also join the community discussion.
The post OIDC support for Dependabot and code scanning appeared first on The GitHub Blog.
Original source - Apr 14, 2026
- Date parsed from source:Apr 14, 2026
- First seen by Releasebot:Apr 15, 2026
Deployment context in repository properties and alerts
GitHub adds deployment context to repository properties and security alerts, with new built-in deployable and deployed properties plus runtime risk context in Dependabot and code scanning alerts to improve filtering, policy enforcement, and alert triage.
Artifact and deployment context now appears in two new places: repository properties and security alert pages.
Repository properties: deployable and deployed
Two new built-in repository properties—deployable and deployed—are now available. These properties reflect existing artifact and deployment metadata, so you don’t need to manually maintain lists of which repositories are actively deployed.
You can use these properties to:
- Filter repositories in your organization based on deployment context.
- Apply rulesets, branch protections, and compliance policies automatically to repositories based on deployment context.
- Keep policy enforcement accurate as deployment state changes over time.
Runtime risk context in security alerts
Dependabot and GitHub code scanning alert pages now show runtime risk context directly on the alert. When you open an alert, you’ll see additional runtime context for the affected artifact.
This context helps your security team:
- Triage alerts based on actual runtime context, rather than treating every alert as equally urgent.
- Quickly identify which vulnerabilities exist in services that are at higher risk.
- Reduce time spent manually cross-referencing environment and exposure data.
Both features are now generally available. To learn more, see:
- Associate artifacts with production context.
- Search repositories based on deployment context.
The post Deployment context in repository properties and alerts appeared first on The GitHub Blog.
Original source