The GitHub Blog

Ever found yourself in a situation where your working directory contains a mix of changes that don't quite fit together? It would be easy to commit it all at once and move on; however, small, focused commits are great for making it easy to review and discuss a branch of work - especially when working on a complex codebase.

But how can you choose which changes to use in a commit?

The newest release of GitHub for Windows supports selecting lines or blocks of changes when creating a commit. Simply click the desired lines in the gutter, create the commit, and leave the other changes for you to continue working on.

For people familiar with the command line, this change is similar to interactive staging using git add -i or git add -p.

Providing well-written documentation helps people understand, make use of, and contribute back to your project, but it's only half of the documentation equation. The underlying system used to serve documentation can make life easier for the people writing it—whether that's just you or the team you work with.

The hardest part about documentation should be deciding which words to use, not configuring tools or figuring out how to deploy updates. Members of the GitHub Documentation Team come from backgrounds where crude XML-based authoring tools and complicated CMSs are the norm. We didn't want to use those tools here so we've spent a good deal of time configuring our own documentation workflow and set-up.

We've talked before about how we use GitHub to build GitHub; here's a look at how we use GitHub Pages to serve our GitHub Help documentation to millions of readers each month.

Our previous setup

A few months ago, we migrated our Help site from a custom-built Rails app to a static Jekyll site hosted on GitHub Pages. Our previous Help site consisted of two separate repositories:

• A Rails application, which was responsible for managing the site, the assets, and the search implementation.
• The actual content, which was just a grouping of Markdown files.

Our Rails app was hosted on a third-party service; as updates were made to the code, we deployed them with Hubot and Chatops, as we do with the rest of GitHub.

Our typical writing workflow looked like this:

• The Documentation Team took note when a new feature was shipping.
• We'd create a new issue to track the feature.
• When we were ready, we'd open a pull request to start iterating on the content.
• When the content was in a good place, we'd @mention the team (@github/docs) and have a peer editor review our words.
• When the feature was ready to ship, we'd merge the pull request. A webhook would fire from the content repository to our hosted Rails app; the webhook's payload updated a database row containing the article's raw Markdown.

Here's an example conversation from @neveret and @bernars showing a bit of our normal editing workflow:

Working with pull requests was fantastic, because it directly matched the GitHub flow we use across the company. And we liked writing in Markdown, because its syntax enabled us to effectively describe new features in no time.

However, our Rails implementation was a fairly complicated setup:

• Our reliance on an external host required dedicated employees on our Engineering, Ops, and Security teams to monitor the site and respond to incidents as they arose.
• Our Documentation team couldn't easily view local changes to the content. Even though we wrote in Markdown, we'd still need to set up a local instance of the Rails app and run a script to import the content into a database, just to see how it would look on the site.
• We were constantly tweaking the Rails server, but noticed that each request a reader made to the site was still slow. The HTML was being generated on-the-fly, requiring calls to the database and constantly iterating on stronger caching strategies.

We knew we could do much better.

Our new setup

When Jekyll 2.0 was released, we saw an opportunity to replace our existing setup with a static site. The new Collections document type lets you define a file structure that matches your needs. In addition, Jekyll 2.0 introduced support for Sass and CoffeeScript assets, which simplifies writing front-end code.

Open source is great because it's, well, open. As we migrated to Jekyll, we made several pull requests to components of Jekyll, making it a better tool for users of GitHub Pages.

Very little of our original workflow has changed. We still write in Markdown and we still open pull requests for an editorial review. When the pull request is merged, the GitHub Pages site is automatically built and deployed within seconds.

Here's a quick rundown on how we're using core Jekyll features and a handful of plugins to implement the help site.

Gems we use

We intentionally rely on core Jekyll code as much as possible, to minimize our reliance on maintaining custom plugins.

Jekyll 2.0 introduced a new plugin type called a Converter that transforms any markup into HTML. This frees the writer up to compose content however she chooses, and Jekyll will just serve the final HTML. For example, you can write your posts in AsciiDoc, if that's your thing.

To that end, we wrote jekyll-html-pipeline, an implementation of our own open-source html-pipeline. This ensures that the content on our Help site looks the same as content everywhere on GitHub. We also wrote our own Markdown filter to provide some syntax extensions that make writing documentation much easier.

Search

With the previous Rails site, we were using an ElasticSearch provider that indexed our database and implemented a search system for our Help site.

Now, we use lunr-js to provide a faster client-side search experience. In sifting through our analytics, we found that the vast majority of our users relied on an external search provider to get to our documentation. It didn't make sense, during or after the migration, to expend much energy on a server-side search solution.

Content references

The Docs team really wanted to use "content references," or conrefs, when writing documentation. A conref allows you to write a chunk of text once and reuse it throughout the site. (The idea was borrowed from the DITA standard.)

The old Rails app wouldn't permit us to write reusable content, but now we can with the power of Jekyll's data files. For example, we've defined a file called conrefs.yml, and have a set of key-value strings that look something like this:

repositories:
  create_new:
    1. In the upper-right corner of any page, click {{ octicon-plus Plus symbol }}, and then click **New repository**.
      ![New repository menu](/assets/images/help/repository/repo-create.png)

Our keys are grouped by specificity (repositories.create_new); the values they contain are just plain Markdown ("In the upper-right corner..."). We can now reuse this single step across several pages of content that refer to creating a new repository by writing the appropriate Liquid syntax:

To start the process:

{{ site.data.conrefs.repositories.create_new }}
2. Do something else.
3. You're done!

As GitHub's UI evolves, we might need to change the image or rewrite the directional pointer. With a conref, we only have to make the change in one location, rather than a dozen.

Versioned documentation

Another goal of the move was to be able to provide versioned Help documentation. With the release of Enterprise 2.0.0, we began to provide different content sets for the previous 11.10.340 and the current 2.0 releases. In order to do that, we build the Jekyll site with a special audience flag, and check in the generated HTML as part of our Pages repository.

For example, in our config.yml file, we set a key called audience to 11.10.340. If a feature exists that's available in Enterprise 2.0 but not 11.10.340, we demarcate the section using Liquid tags like this:

{% if site.audience != '11.10.340' %}

This new feature...

{% endif %}

Again, this is just taking advantage of core features in Jekyll; we didn't need to build or maintain any aspect of this.

Testing our site

Just because the site is static doesn't mean that we should avoid test-driven development writing.

Our first line of defense for testing content has always been html-proofer. This tool helps verify that none of our links and images are broken by quickly validating every URL in our built site.

Rubyists are familiar with using Capybara to simulate website interactions in their tests. Would it be crazy to implement a similar idea with our static site? Nope! Our own @bkeepers wrote a blog post four years ago talking about this very problem. With that, we were able to write stronger tests that covered our content and our site behavior. For example, we check that a referenced conref is valid (by looking up the key in the YAML file) or that our JavaScript is functioning properly.

Our Help documentation runs with CI to ensure that nothing broken ever gets in front of our readers:

Speed

As mentioned above, our new Pages implementation is significantly faster than the old Rails app. This is partly because the site is a bunch of static HTML files—nothing is fetched from a database. More significantly, we've already spent a lot of time configuring our Pages servers to be blazing fast for everyone. The same advantages we have, like serving assets off of a CDN, are also available to every GitHub user.

Making GitHub Pages work for you

Documentation teams across GitHub can take advantage of the GitHub Flow, Jekyll 2.0, and GitHub Pages to produce high-quality documentation. The benefits that GitHub Pages provides to our Documentation team is already available to any user running a GitHub Pages site.

With our move to Pages, we didn't rebuild any new components. We spent far less time building anything and more time discussing a workflow that made sense for our team and company. By committing to using the same hosting features we provide to every GitHub user, we were able to provide better documentation, faster. Our internal workflow has made us more productive, and enabled us to provide features we never could before, such as versioned content.

If you have any questions on our setup, past or present, we're happy to help!

To keep GitHub as secure as possible for every user, we will remove RC4 support in our SSL configuration on github.com and in the GitHub API on January 5th 2015.

RC4 has a number of cryptographic weaknesses that may be exploited, impacting the security of your data. More details about these vulnerabilities are listed in the current IETF draft.

If you are using Internet Explorer on Windows XP, you will no longer be able to access github.com once this change takes place. Windows XP only supports outdated SSL ciphers, is no longer supported by Microsoft, and contains a known critical security problem in its SSL implementation.

We strongly recommend that Windows XP users upgrade to a newer version of Windows. If this is not possible, you will need to use Chrome or Firefox to access GitHub on Windows XP. The git client available at git-scm.com still works on Windows XP.

A critical Git security vulnerability has been announced today, affecting all versions of the official Git client and all related software that interacts with Git repositories, including GitHub for Windows and GitHub for Mac. Because this is a client-side only vulnerability, github.com and GitHub Enterprise are not directly affected.

The vulnerability concerns Git and Git-compatible clients that access Git repositories in a case-insensitive or case-normalizing filesystem. An attacker can craft a malicious Git tree that will cause Git to overwrite its own .git/config file when cloning or checking out a repository, leading to arbitrary command execution in the client machine. Git clients running on OS X (HFS+) or any version of Microsoft Windows (NTFS, FAT) are exploitable through this vulnerability. Linux clients are not affected if they run in a case-sensitive filesystem.

We strongly encourage all users of GitHub and GitHub Enterprise to update their Git clients as soon as possible, and to be particularly careful when cloning or accessing Git repositories hosted on unsafe or untrusted hosts.

Repositories hosted on github.com cannot contain any of the malicious trees that trigger the vulnerability because we now verify and block these trees on push. We have also completed an automated scan of all existing content on github.com to look for malicious content that might have been pushed to our site before this vulnerability was discovered. This work is an extension of the data-quality checks we have always performed on repositories pushed to our servers to protect our users against malformed or malicious Git data.

Updated versions of GitHub for Windows and GitHub for Mac are available for immediate download, and both contain the security fix on the Desktop application itself and on the bundled version of the Git command-line client.

In addition, the following updated versions of Git address this vulnerability:

• The Git core team has announced maintenance releases for all current versions of Git (v1.8.5.6, v1.9.5, v2.0.5, v2.1.4, and v2.2.1).

• Git for Windows (also known as MSysGit) has released maintenance version 1.9.5.

• The two major Git libraries, libgit2 and JGit, have released maintenance versions with the fix. Third party software using these libraries is strongly encouraged to update.

More details on the vulnerability can be found in the official Git mailing list announcement and on the git-blame blog.

Whether you're reviewing project issues from your phone while traveling for business, or trying to find a specific Node.js repository to show a friend at lunch, we want the GitHub.com mobile experience to serve you well.

That's why we've enabled search on mobile devices, making it easier for you to find repositories, developers, and issues all from the palm of your hand using GitHub's powerful search syntax.

Happy searching!

GitHub is joining the LOT Network, an open patent-licensing program designed to reduce patent litigation.

The rising threat of patent trolls

Some claim that software patents are essential to motivate us to innovate. In reality, the patent system suffers from a negative side effect—the patent troll. Patent trolls, or Patent Assertion Entities (PAEs), abuse patents to threaten your projects to the point that you either shut them down or pay the PAE to move along (if you can afford to do so).

As the data shows, trolls have been filing lawsuits in record numbers, and open-source software is far from immune: The Linux Kernel, Git, and many other open source projects have all been accused of patent infringement.

Because of the economics of patent trolling, trolls usually target the most successful and innovative projects, which means those that many in our community contribute to. While we support the public initiatives to change patent policy at a legislative level, many of them have suffered roadblocks. So, while GitHub continues to support those initiatives, we are joining our peers to work together to shield our community from the threat of trolls and offer our users more immediate protection.

How the LOT Network works

LOT ("License on Transfer") is an important step towards incapacitating patent trolls. Here’s how LOT works: when any member of the LOT network sells a patent to a troll, or when a patent troll grabs hold of any member's patent by any other way, every other LOT member immediately receives a license to that patent. As LOT grows and more patents enter its network, fewer will remain for trolls to loot, which will ultimately result with trolls scratching their heads and rethinking the viability of their business model.

Open sourcing the LOT agreement

In addition to joining the network, we are now hosting the LOT agreement as an open source, CC-BY project. This means you can now access the LOT agreement, gain inspiration, and replicate it for use in similar efforts to fight patent trolls. Most importantly, you can make LOT even better and stronger by submitting issues, forking, and creating pull requests with your ideas for modifications.

Join us!

How?

1. Become a LOT project contributor and help us make the agreement tighter and better.
2. Become a LOT member yourself, or lobby to get your company to be one. As more and more of us join, the space for trolls will get narrower and narrower.

So long, Trolls!

Unified and split diffs now feature syntax highlighting, which adds colors to your code to make its meaning and structure clearer. Now you can more easily understand the code that was changed in a commit, pull request, or review comment.

See it in action at dotnet/corefx or your favorite repository.

Since we introduced the Status API, you've been able to improve the quality of your code by including the status of a pull request within the conversation timeline, for every push. Before today, you've only been able to see results from one service. Now you can see all your results at once, from multiple CI systems that test your code against different platforms to simultaneous security testing and code coverage analysis.

You can also see how the status of a pull request has changed over its history by clicking the icons listed next to individual commits.

If you're interested in how to set up your own statuses, take a look at our Status API docs along with this guide to building your own CI service. You can also check out some the services that use the Status API to help you keep your code clean, confirm your tests are passing, and make sure contributors have agreed to your CLA.

Webhooks are now available at the organization level on GitHub.com. Organization webhooks send events for all repositories in an organization. They also include new events for repository creation, team membership, and more.

If you're extending GitHub into your internal systems, organization webhooks save you time by helping you configure integrations across multiple repositories in one place. The addition of organizational-level events, like team membership, open up new possibilties for integrators building applications that work with GitHub.

For all the details, check out our updated webhook developer guide.

We're open-sourcing the components that power task lists on GitHub, including the HTML rendering pipeline filter packaged as a Gem and the JavaScript update behaviors published as a Bower package.

Since the introduction of task lists, we've expanded support to Gist and Markdown files in your repositories, helped the White House move code into the public domain, and enabled waffle.io to integrate seamlessly with your GitHub Issues' task lists.

We can't wait to see what the community builds with them next.

Last month, we released the Octocat figurine, finally taking our mascot into the third dimension. For years, we’ve illustrated her in different themes—from human culture to pop culture—so a figurine seemed like the next logical step.

We all wanted Octocats on our desks, but we were new to the vinyl figurine world. Here’s a look into the journey we took to make this idea a reality.

Sculpting the facial structure

We began with her profile. The Octocat is the sum of two merged animals, but where does one animal begin and the other end? Her tentacles clearly originate from an octopus, but we had to decide which animal traits would define her head shape. She also needed some human characteristics to help round out the feline and cephalopod.

Anthropomorphizing animals is nothing new to character design. It helps us relate to a character through traits we find in our own species. Eyes are common elements to anthropomorphize because of their importance for visual communication. They help to emote and give personality, which is why we felt they would be important to emphasize, considering the size of her eyes in relation to her head.

To make the Octocat relatable, we extended her nose and mouth off her face giving the slight impression of a snout. Her ears and whiskers are important elements of her silhouette so we didn’t alter them. We choose to stretch the Octopus epidermis from her tentacles to her head giving her that smooth texture commonly found in sea creatures. This helps to reduce surface friction while swimming and helps to alleviate the unseemly byproduct of cat fur: hair balls. Here is one of our early concepts:

Solving the tentacle debate

Our next challenge was the tentacle count. Does she have eight tentacles or four legs and a tail? This particular dilemma has long been a point of contention and debate among GitHubbers. In the two dimensional world it was easy to leave this question ambiguously unanswered, but in three dimensions we were finally forced to choose.

Part of the beauty of the Octocat is her paradoxical nature, being a mixture of creatures stuck between worlds. She has been represented as a quadruped, a biped, and a pentaped, but never an octoped. While we absolutely respect the opinion of our eight tentacles favoring friends, with eight she would feel inauthentic, so we chose to stick with five.

With the tentacle count question settled, we focused next on her stance. With any mascot, recognition is paramount. Our goal was to design the figurine so the front view would look as close to the original image as possible. The Octocat is both a land and sea creature. She is quick and limber. Gravity and balance are less challenging under water but when she moves onto dry land these elements prove to be much more difficult. You’ll notice her original stance does not take this into consideration. If we were to keep the exact same tentacle pose from the front but in a position that would support her giant head, it would have to be one of these two choices:

We were not happy of these two options considering how unnatural they felt, so we decided to make a compromise. In the interest of creating a cartoony yet believable organic creature we had to do some repositioning. The end result was a pentagon configuration which would serve as the base of her tentacles. This meant the elasticity of the tentacles would absorb the weight of her large head, giving them a more round organic shape.

Perfecting the final product

With our design in place, we received our first samples. From here, it took a series of small adjustments to get us to production.

Designing the right package

Packaging was just as important to us as the figurine itself; we wanted the box to be emblematic of its precious cargo. We tried our a wide variety of concepts from shipping containers to Octocat head shaped boxes:

In the end, we found that simplicity was the best option:

The end result

The final product is an Octocat figurine we’re really excited about. Huge thanks to all the amazing people at Dead Zebra who helped us along the way.

We hope you enjoy her as much as we do.

Microsoft announced at their Connect event last week that they will be open sourcing much of the .NET technology stack, as well as moving development of these technologies over to GitHub.

And within hours of the announcement contributions were already being accepted!

You can browse and search the projects that Microsoft has made public on GitHub over on their landing page.

This isn't the first team from Microsoft to join us on GitHub - the Microsoft Azure, Microsoft Open Tech, TypeScript and ASP.NET teams are already on GitHub, collaborating in the open with the community.

If you're one of the 6 million developers building applications using .NET, this is your chance to contribute to the future direction of your development stack. Check out the GitHub help site or GitHub Guides to learn more about contributing to open source.

After we introduced the merge button on mobile, we heard from many of you that you'd love to be able to delete merged branches on your phone too. Now you can!

Happy branching!

This week we will be conducting a "brownout" of all misconfigured GitHub Pages sites. If your GitHub Pages site's DNS is pointed at an out-of-date IP address, we will intermittently serve a warning page in place of your site's content. We will update our status site before we do so, and normal functionality will resume at the conclusion of the brownout.

If you use a custom domain with GitHub Pages, please verify that your domain's DNS settings are properly configured to point to the most up-to-date GitHub IP addresses. This will ensure that your site remains available this week and continues to remain available after December 1st, 2014.

For information on how to tell if your site is affected and what to do to fix it, see the original GitHub Pages Legacy IP Deprecation announcement or the setting up a custom domain with GitHub Pages documentation.

Of course, if you have any questions, we're here to help.

Today we're releasing the fastest and most flexible version of GitHub Enterprise ever, including high availability and disaster recovery options, dramatically improved LDAP and SAML integration, major improvements to features like code review and project management, and support for deploying on Amazon Web Services.

We're proud to share this release with you not just because it's our finest work yet, but because it represents a major milestone in our mission to change the way the world builds software together.

Over seven million people and hundreds of thousands of organizations are working together on over 17 million repositories on github.com, but that only begins to scratch the surface. With this release of GitHub Enterprise we're making social coding available to anyone who wants to host code in their AWS-powered cloud, while also shipping a better product experience for the thousands of administrators and developers already using GitHub Enterprise daily.

When GitHub launched in 2008, it was all about sharing. You could quickly sign up for an account and share your open source with the world, or, purchase private repositories and control precisely who has access to your source code. But our goal wasn't workflow or collaboration - it was making it easy to share your git repositories with others.

As GitHub grew we saw the power in working together. This led us to create Organizations in 2010: group accounts which allow open source projects, non-profits, schools, governments, companies, and teams of all kinds to create a presence on GitHub and more easily build software together. Our focus expanded from simply publishing git repositories to helping people build software together.

People quickly created thousands of Organization accounts, but the feedback from larger organizations was resounding: they loved features like Pull Requests, yet many wanted data isolation for their code and support for enterprise-level features such as integration with their authentication system. This led us to create GitHub Enterprise, a VM-based on-premises version of GitHub we released in November 2011.

In the three years since that release, we've seen GitHub Enterprise change the way entire companies build software together. We've witnessed cultures evolve, companies thrive, and developers rave about how GitHub has changed their workflow. But we've also spent countless hours talking to our customers about how we can improve, and we've taken that feedback seriously.

Today's release is the culmination of months of hard work to make GitHub Enterprise more accessible to more people and even better for our current customers. Whether you're hacking on open source on github.com or coding the next version of your company's Android app using GitHub Enterprise, our goal is to help you build better software.

We hope you love this release as much as we do.