GitHub Engineering

Why it matters: Legal and policy shifts regarding copyright liability and age assurance directly impact how engineers build, share, and secure software. These updates ensure that neutral infrastructure and security research remain protected from broad regulations that could stifle open-source innovation.

The U.S. Supreme Court's Cox v. Sony decision reinforces that service providers are not automatically liable for user copyright infringement without evidence of intent.
DMCA Section 1201 exemptions remain critical for developers performing security research, interoperability work, and AI safety analysis.
GitHub's 2025 Transparency Report recorded the highest number of DMCA circumvention claims to date, reflecting increased copyright enforcement pressure.
Proposed age assurance laws in the US, Brazil, and Europe may unintentionally impact open-source infrastructure like package managers and operating systems.
GitHub is actively seeking developer input for the 2027 DMCA triennial review to address emerging challenges in AI model inspection and safety research.

#culture #security

Read original

GitHub EngineeringApr 14, 2026

Hack the AI agent: Build agentic AI security skills with the GitHub Secure Code Game

Why it matters: As AI agents move from prototypes to production, they introduce new attack vectors like goal hijacking and tool misuse. This game provides hands-on experience in identifying and mitigating these risks, helping engineers bridge the gap between AI adoption and security readiness.

GitHub launched Season 4 of the Secure Code Game, focusing on the security of autonomous agentic AI systems.
The game features ProdBot, a deliberately vulnerable AI assistant that uses natural language to execute bash commands and browse the web.
Challenges cover critical risks identified in the OWASP Top 10 for Agentic Applications, including goal hijacking and tool misuse.
Players explore vulnerabilities in the Model Context Protocol (MCP), persistent memory poisoning, and multi-agent orchestration.
The curriculum progresses through five levels, teaching engineers how to exploit and then harden AI agents against malicious prompts.

#security #mlp

Read original

GitHub EngineeringApr 14, 2026

How exposed is your code? Find out in minutes—for free

Why it matters: This tool provides immediate visibility into hidden security risks without financial or setup barriers. By identifying vulnerabilities and AI-driven remediation opportunities, engineers can proactively reduce technical debt and secure their codebase before exploits occur.

GitHub has launched a free Code Security Risk Assessment tool that performs a one-click scan on up to 20 active repositories.
The assessment utilizes the CodeQL static analysis engine to identify vulnerabilities without requiring manual configuration or licenses.
A centralized dashboard summarizes findings by severity, language, and specific security rules to help teams prioritize remediation.
The tool integrates with Secret Risk Assessment to provide a unified view of both code vulnerabilities and credential exposure.
Results highlight vulnerabilities eligible for Copilot Autofix, which GitHub claims can resolve security issues nearly twice as fast as manual efforts.

#security #culture

Read original

GitHub EngineeringApr 13, 2026

GitHub for Beginners: Getting started with GitHub Pages

Why it matters: GitHub Pages offers engineers a zero-cost, integrated solution for hosting documentation, portfolios, and static web apps. It simplifies the deployment pipeline by leveraging existing Git workflows and GitHub Actions, removing the overhead of managing external hosting infrastructure.

GitHub Pages provides free, secure hosting for static websites directly from any GitHub repository.
Users can deploy sites using two primary methods: the simple 'Deploy from a branch' option or automated GitHub Actions workflows.
The platform supports modern frameworks like Next.js through pre-configured GitHub Actions templates.
Custom domains can be integrated by configuring DNS records and verifying domain ownership at the profile or organization level.
Security is managed through an 'Enforce HTTPS' setting that provides free SSL certificates for all hosted sites.
Even if a repository is private, the published GitHub Pages site remains public, allowing for easy project sharing.

#frontend #security

Read original

GitHub EngineeringApr 10, 2026

GitHub Copilot CLI for Beginners: Getting started with GitHub Copilot CLI

Why it matters: GitHub Copilot CLI streamlines development by bringing AI-powered code generation and autonomous agents directly into the terminal. This reduces context switching, enabling faster iterative building and automated error correction within the local environment.

GitHub Copilot CLI integrates agentic AI directly into the terminal, allowing for autonomous task execution like building code and running tests.
Installation is performed via npm using 'npm install -g @github/copilot', with support for Homebrew and WinGet package managers.
Users must authenticate using the '/login' command, which connects the client to their Copilot account and the GitHub MCP server.
The CLI requires explicit folder permissions to explore repositories and modify files, which can be granted per session or permanently.
It supports high-level prompts such as requesting project overviews or generating new API endpoints based on existing codebase patterns.
The tool features self-correction capabilities, enabling it to fix errors without manual intervention during iterative development.

#mlp #culture

Read original

GitHub EngineeringApr 9, 2026

GitHub availability report: March 2026

Why it matters: This report highlights how minor configuration errors, cache stampedes, and credential management issues can cause massive service disruptions. It provides a blueprint for improving resilience through killswitches, infrastructure isolation, and automated monitoring of dependencies.

A bug in a cache-reduction deployment triggered a global cache recalculation, causing replication delays and high failure rates for API and Git operations.
Misconfigured Redis load balancers during infrastructure updates led to significant delays and failures in GitHub Actions workflow runs.
Authentication failures between the Copilot Coding Agent and its datastore caused near-total service outages, requiring manual credential rotation.
An upstream dependency failure disrupted GitHub event notifications for Microsoft Teams integrations.
GitHub is implementing architectural changes, including moving caching to dedicated hosts and adding killswitches to prevent cascading failures.
Improved automation and alerting are being developed to catch load balancer misconfigurations and credential lifecycle events before user impact.

#sre #dist

Read original

GitHub EngineeringApr 8, 2026

GitHub Universe is back: We want you to take the stage

Why it matters: GitHub Universe is a premier event for engineers to showcase technical achievements and learn about the latest in AI-driven development and security. It offers a unique opportunity to influence the community and discover tools that accelerate the software development lifecycle.

GitHub Universe returns to San Francisco on October 28–29, focusing on developer learning and technical innovation.
The Call for Sessions is open until May 1, inviting engineers to submit proposals on their builds and lessons learned.
Past highlights include deep dives into advanced Git features like sparse checkouts, partial clones, and reflog rescues.
Technical themes emphasize CI/CD automation using GitHub Actions and AI-assisted security with Copilot.
The event showcases creative ways to teach complex topics, such as using roleplay to explain Kubernetes security and clusters.
A major focus remains on improving Developer Experience (DevEx) and accelerating the path from idea to shipped product.

#culture #security #frontend

Read original

GitHub EngineeringApr 6, 2026

GitHub Copilot CLI combines model families for a second opinion

Why it matters: This feature addresses self-reflection bias in AI agents by using heterogeneous model families for peer review. It significantly improves accuracy in complex, multi-file coding tasks, helping engineers catch architectural flaws and silent bugs before they compound into major technical debt.

GitHub Copilot CLI's 'Rubber Duck' uses a second, independent model family to review the primary agent's work.
Cross-family review mitigates training biases and blind spots inherent when a single model reviews its own output.
Performance testing on SWE-Bench Pro shows that pairing Claude Sonnet with GPT-5.4 closes nearly 75% of the gap to Claude Opus.
The system activates at high-leverage checkpoints: initial planning, complex code implementation, and test suite creation.
It excels at identifying architectural flaws, silent logic errors, and cross-file dependency conflicts in large repositories.

#mlp #culture

Read original

GitHub EngineeringApr 3, 2026

The uphill climb of making diff lines performant

Why it matters: Optimizing diff rendering is critical for developer productivity at scale. This engineering deep dive shows how reducing per-unit overhead in React components can prevent browser crashes and high input lag when handling massive datasets in the DOM.

GitHub optimized its React-based 'Files changed' tab to handle extreme pull request sizes, targeting high memory usage and interaction latency.
The v1 architecture suffered from excessive overhead, requiring up to 15 DOM elements and 20+ event handlers per single diff line.
Performance bottlenecks included JavaScript heaps exceeding 1GB and DOM node counts surpassing 400,000 in large-scale reviews.
Optimization strategies focused on reducing React component depth, minimizing event handlers, and removing redundant HTML tags like <code>.
The team implemented virtualization to gracefully degrade performance for massive PRs while maintaining native browser behaviors for smaller ones.
Key metrics improved include Interaction to Next Paint (INP) and overall memory pressure across the p95 and p99 percentiles.

#frontend

Read original

GitHub EngineeringApr 1, 2026

Securing the open source supply chain across GitHub

Why it matters: Supply chain attacks are evolving to target CI/CD pipelines. By adopting OIDC-based trusted publishing and rigorous workflow scanning, engineers can eliminate long-lived secrets and protect their projects from automated credential exfiltration and malware propagation.

Attackers are increasingly targeting GitHub Actions workflows to exfiltrate secrets and propagate malicious packages across the open source ecosystem.
Engineers should use CodeQL to review workflow implementations and pin third-party Actions to full-length commit SHAs to prevent unauthorized code execution.
Avoid using pull_request_target triggers and implement strict checks against script injection when referencing user-submitted content.
Replace long-lived secrets with OpenID Connect (OIDC) tokens for 'trusted publishing' to cloud providers and package repositories like npm, PyPI, and RubyGems.
GitHub is scaling automated malware detection for npm, scanning over 30,000 daily package versions to identify and remove malicious code before propagation.
A revamped security roadmap for GitHub Actions and npm is underway to accelerate the rollout of mandatory security features and hardened publishing workflows.

#security

Read original

Page 2 of 11

Prev 1 2 3 4...11 Next