GitHub Engineering

Why it matters: This feature addresses self-reflection bias in AI agents by using heterogeneous model families for peer review. It significantly improves accuracy in complex, multi-file coding tasks, helping engineers catch architectural flaws and silent bugs before they compound into major technical debt.

GitHub Copilot CLI's 'Rubber Duck' uses a second, independent model family to review the primary agent's work.
Cross-family review mitigates training biases and blind spots inherent when a single model reviews its own output.
Performance testing on SWE-Bench Pro shows that pairing Claude Sonnet with GPT-5.4 closes nearly 75% of the gap to Claude Opus.
The system activates at high-leverage checkpoints: initial planning, complex code implementation, and test suite creation.
It excels at identifying architectural flaws, silent logic errors, and cross-file dependency conflicts in large repositories.

#mlp #culture

Read original

GitHub EngineeringApr 3, 2026

The uphill climb of making diff lines performant

Why it matters: Optimizing diff rendering is critical for developer productivity at scale. This engineering deep dive shows how reducing per-unit overhead in React components can prevent browser crashes and high input lag when handling massive datasets in the DOM.

GitHub optimized its React-based 'Files changed' tab to handle extreme pull request sizes, targeting high memory usage and interaction latency.
The v1 architecture suffered from excessive overhead, requiring up to 15 DOM elements and 20+ event handlers per single diff line.
Performance bottlenecks included JavaScript heaps exceeding 1GB and DOM node counts surpassing 400,000 in large-scale reviews.
Optimization strategies focused on reducing React component depth, minimizing event handlers, and removing redundant HTML tags like <code>.
The team implemented virtualization to gracefully degrade performance for massive PRs while maintaining native browser behaviors for smaller ones.
Key metrics improved include Interaction to Next Paint (INP) and overall memory pressure across the p95 and p99 percentiles.

#frontend

Read original

GitHub EngineeringApr 1, 2026

Securing the open source supply chain across GitHub

Why it matters: Supply chain attacks are evolving to target CI/CD pipelines. By adopting OIDC-based trusted publishing and rigorous workflow scanning, engineers can eliminate long-lived secrets and protect their projects from automated credential exfiltration and malware propagation.

Attackers are increasingly targeting GitHub Actions workflows to exfiltrate secrets and propagate malicious packages across the open source ecosystem.
Engineers should use CodeQL to review workflow implementations and pin third-party Actions to full-length commit SHAs to prevent unauthorized code execution.
Avoid using pull_request_target triggers and implement strict checks against script injection when referencing user-submitted content.
Replace long-lived secrets with OpenID Connect (OIDC) tokens for 'trusted publishing' to cloud providers and package repositories like npm, PyPI, and RubyGems.
GitHub is scaling automated malware detection for npm, scanning over 30,000 daily package versions to identify and remove malicious code before propagation.
A revamped security roadmap for GitHub Actions and npm is underway to accelerate the rollout of mandatory security features and hardened publishing workflows.

#security

Read original

GitHub EngineeringApr 1, 2026

Run multiple agents at once with /fleet in Copilot CLI

Why it matters: /fleet significantly boosts productivity by moving from sequential to parallel AI-assisted coding. It allows engineers to automate complex, multi-file refactors and documentation tasks simultaneously, drastically reducing the time spent waiting for AI responses on large-scale changes.

The /fleet command introduces an orchestrator that decomposes complex tasks into independent work items for parallel execution by multiple subagents.
The orchestrator manages task dependencies, polling for completion of prerequisite items before dispatching subsequent waves of agents.
Users can optimize parallelization by providing structured prompts that map tasks to specific files, modules, or deliverables.
Supports custom agents defined in .github/agents/, allowing specific models and instructions for different task types like documentation or refactoring.
Includes a non-interactive mode via the --no-ask-user flag for terminal-based automation and CI/CD integration.
Real-time monitoring of background subagent activity is available through the /tasks command.

#mlp #culture

Read original

GitHub EngineeringMar 31, 2026

Agent-driven development in Copilot Applied Science

Why it matters: This article demonstrates how AI agents can automate high-level intellectual toil, not just boilerplate code. It provides a blueprint for agent-first repositories where maintaining clean architecture and documentation becomes the primary driver for massive, automated development velocity.

Automated the analysis of agent trajectories—complex JSON logs of thought processes—using a custom tool called eval-agents.
Leveraged the Copilot SDK and Model Context Protocol (MCP) servers to build agents with access to specialized tools and skills.
Adopted a 'planning before acting' prompting strategy, treating agents like senior engineers through verbose, conversational guidance.
Prioritized architectural health, including frequent refactoring and documentation, as a prerequisite for effective agent-driven contributions.
Shifted from 'trust but verify' to 'blame the process,' focusing on improving system guardrails rather than individual agent outputs.
Achieved high development velocity, creating 11 new agents and 4 skills in three days with a team of five contributors.

#mlp #culture

Read original

GitHub EngineeringMar 30, 2026

GitHub for Beginners: Getting started with GitHub security

Why it matters: Security is a shared responsibility; even small projects inherit risks from third-party dependencies. GitHub's integrated tools automate vulnerability detection and remediation, allowing developers to secure their supply chain without significant manual overhead.

GitHub Advanced Security (GHAS) provides a suite of tools including Dependabot, secret scanning, and CodeQL to automate vulnerability detection.
Secret scanning identifies leaked credentials in commits, prompting developers to revoke compromised keys and secure their infrastructure.
Dependabot monitors third-party libraries for known vulnerabilities and automatically generates pull requests for security updates.
Code scanning with CodeQL analyzes source code to find risky patterns and potential exploits during the development lifecycle.
These features are available by default for public repositories and can be enabled via the repository settings under the Security tab.

#security

Read original

GitHub EngineeringMar 26, 2026

What’s coming to our GitHub Actions 2026 security roadmap

Why it matters: CI/CD pipelines are prime targets for supply chain attacks. GitHub's roadmap moves to secure-by-design infrastructure, providing engineers with deterministic dependencies, granular policy controls, and real-time observability to protect sensitive code and credentials.

Introducing workflow-level dependency locking to ensure deterministic, auditable CI/CD runs with cryptographic commit SHA verification.
Transitioning to immutable releases for the Actions ecosystem to prevent malicious code propagation via mutable tags and branches.
Implementing policy-driven execution via GitHub rulesets to centrally manage workflow triggers and allowed event types.
Enhancing credential security with scoped, least-privileged tokens to limit the blast radius of compromised CI environments.
Deploying real-time observability through an optional agent on runners to detect suspicious processes and unauthorized network activity.
Enforcing network boundaries to restrict egress traffic, preventing data exfiltration from CI/CD runners during execution.

#security #sre

Read original

GitHub EngineeringMar 26, 2026

A year of open source vulnerability trends: CVEs, advisories, and malware

Why it matters: This report highlights that while historical vulnerability backlogs are shrinking, new security threats and malware in open source ecosystems are increasing. Engineers must remain vigilant as the volume of new advisories rises, particularly in popular ecosystems like Maven, Go, and npm.

GitHub reviewed 4,101 advisories in 2025, the lowest total since 2021, primarily due to the exhaustion of historical vulnerability backlogs.
Newly reported vulnerabilities actually increased by 19% year-over-year, showing that the rate of new security threats is still rising.
The GitHub Advisory Database now tracks over 24,000 reviewed advisories and has seen a significant surge in malware-related entries.
Maven, Composer, and Go were the most active ecosystems for security advisories in 2025, with Go seeing a 6% increase due to targeted audits.
Malware advisories have reached over 20,000 cumulative entries, highlighting a shift in the threat landscape toward malicious package injections.

#security #data

Read original

GitHub EngineeringMar 25, 2026

Updates to GitHub Copilot interaction data usage policy

Why it matters: This update changes how developer data is handled for AI training. Engineers using individual tiers must decide whether to contribute their code patterns to improve Copilot's accuracy or opt out to maintain privacy, while enterprise users remain protected by default.

Starting April 24, GitHub will use interaction data from Copilot Free, Pro, and Pro+ users for AI model training.
Copilot Business and Enterprise users are exempt from this policy change and their data will not be used for training.
Users can opt out through their GitHub privacy settings, and all previous opt-out preferences will be honored.
Collected data includes code snippets, context, repository structure, file names, and user feedback on suggestions.
Data may be shared with Microsoft but will not be shared with third-party AI model providers.
The initiative aims to improve model accuracy and security pattern suggestions using real-world developer workflows.

#mlp #data #security

Read original

GitHub EngineeringMar 24, 2026

Building AI-powered GitHub issue triage with the Copilot SDK

Why it matters: The Copilot SDK allows engineers to build custom AI tools for specific workflows. This server-side architecture pattern enables secure, scalable integration of LLMs into mobile and web apps, automating high-toil tasks like issue triage while protecting credentials.

The Copilot SDK requires a Node.js runtime and the Copilot CLI to be installed on the system PATH, necessitating a server-side integration for mobile apps.
The SDK follows a strict lifecycle of start, createSession, sendAndWait, disconnect, and stop; failing to clean up sessions causes resource leaks.
Server-side implementation ensures API tokens remain secure and allows for centralized logging and monitoring of AI requests.
The integration uses JSON-RPC to communicate between the SDK and the local Copilot CLI process.
Effective AI summaries are achieved through structured prompt engineering, feeding the model issue titles, descriptions, and labels for context.
Developers can configure specific models like GPT-4 and must handle permission requests using patterns such as approveAll.

#mobile #mlp #security

Read original

Page 6 of 15

Prev 1...4 5 6 7 8...15 Next