Major Features in GHES 3.20 Release Candidate
Immutable Releases & Supply Chain Protection
GitHub releases now support immutability, preventing release assets from being added, modified, or deleted after publication. The release tag is also protected from being moved or deleted. This new capability helps organizations protect distributed artifacts from supply chain attacks, an increasingly critical concern in software delivery.
Enhanced Secret Scanning at Enterprise Scale
Secret scanning receives multiple improvements:
- Validity checks indicate whether secrets are still active, helping teams prioritize remediation efforts
- Delegated bypass controls can now be managed at the enterprise level, giving admins fine-grained control over push protection policies
- Default coverage expansion blocks additional secret types by default, reducing credential leak risks during pushes
- Alert assignment support enables collaboration on secret remediation
- New and improved detectors for various secret types
Enterprise Governance & Team Management
Enterprise owners can now create and manage enterprise teams to simplify governance across their organization. This includes:
- Assignment of enterprise teams to organizations via API or UI
- Creation and assignment of custom enterprise roles
- Enterprise teams can be added to ruleset bypass lists
- Organization and repository owners can assign roles to enterprise teams within their scope
Backup Service Now Generally Available
The backup service, previously in public preview, reaches general availability. This managed, built-in service provides organizations with an alternative to traditional GHES backup utilities and eliminates the need for a separate backup host. Note that the separate backup-utils utility will be retired starting in version 3.22.
New Enterprise Security Manager Role
GitHub Advanced Security users gain access to the Enterprise Security Manager role, designed for simplified security policy and alert management across enterprises. This role is supported for enterprises with up to 15,000 organizations and is currently in public preview.
Improved Pull Request Merge Experience
The enhanced merge experience is now generally available, featuring grouped and naturally sorted status checks, with failing checks listed first. Merge-time errors provide clearer guidance on what needs fixing, and improved accessibility includes consistent keyboard navigation and landmarks.
Action Items
- Download and test the 3.20 release candidate in your environment
- Review updated release notes for complete feature details
- Plan for backup-utils migration to the new backup service before version 3.22
- Contact GitHub support with feedback on the RC