So, I am a software engineer and I want to download the company's codebase not for any bad reasons just to spend after working hours learning the code base and maybe finish tasks, so I can become better. Mainly because the job market is so tough these days and especially so in the software industry at least it has been for me.

I use my own personal laptop but login to my company using Microsoft windows app and open a new terminal.

I dont really want to login on weekend and learn the codebase as this could make me look bad or give unrealistic expectations in the future. The code is also huge has like 15 projects too so I dont think taking pics of each file would be good. Any tips on how to copy it?

I was thinking to maybe copy it on my external hardrive but maybe they would know about that.

Right now (3.29.2026 10:00 UTC+0), microsoft/WSL and many other repos are under heavy issue spam attack.

Attackers seems to be sending Chinese betting ads. They also add a section of text related to React, which probably means they are trying to do GEO(Generative engine optimization).

Many accounts used in the attack have no public repo and are created on Jan 19th. Some of the account have a dummy repo containing some dummy commit.

Searching for the same pattern reveals that there are exactly 100 bot accounts with similar commit. However, not all of them are sending issues in this incident.

EDIT: Here's a list of the attacked repos.

EDIT: Attack on WSL is now stopped. They started to attack .

Official mail from :

Hi there,

We’re updating how GitHub uses data to improve AI-powered coding tools. From April 24 onward, your interactions with GitHub Copilot—including inputs, outputs, code snippets, and associated context—may be used to train and enhance AI models unless you opt out.

If you previously opted out of the setting allowing GitHub to collect this data for product improvements, your preference has been retained— your choice is preserved, and your data will not be used for training unless you opt in.

This approach aligns with established industry practices and will enable our models to deliver more context-aware AI coding assistance. We have tested this with Microsoft interaction data and have seen meaningful improvements, including increased acceptance rates in multiple languages.

Please review your settings and choose whether your interactions with Copilot can be leveraged for training AI models before this update goes into effect on April 24. To opt out or adjust your settings:

• Go to GitHub Account Settings

• Select Copilot

• Choose whether to allow your data to be used for AI model training

To learn more, please refer to our  and .

Please reach out to our  if you have any questions about this update. Thank you for your continued use of GitHub Copilot.

Sincerely,
The GitHub Team

Edit, thanks to :

Easier steps to disable than their bullshit:

• Go here: 

• Disable it

(Little text fragment link, but if your language is not English, it might not work; in that case just Ctrl-F and search for "Privacy" section)

I was wondering if there is a kids video tutorial for GitHub? My thoughts are that kids could use a selfhosted Gitea to start using GitHub early for a mostly documentation and "social media" platform.

Like first example is creating a repo and readme.md file. Use it like journaling, get them use to markdown and do basic stuff like linking to thing.

From there it could move on to other concepts.

I followed the GitHub Pages custom domain setup guide for my domain, but the configuration is still failing. GitHub Pages shows a DNS check error and says the domain is improperly configured. I’m not sure whether the issue is with my DNS records, domain settings, or something else. Could anyone help me understand what I might be missing?

We recently got started with Github Enterprise Cloud and are trying to figure out what our options are for Authentication Security, particularly for git operations. We currently have an IP Allowlist, but some of the things we would like to use (AWS Code Connections, Github Codespaces, etc) are incompatible with IP Allowlists so we need to work towards removing that allowlist. Naturally, our security team wants adequate security in place of those IP Allowlists, and are concerned about various things including SSH Keys getting inadvertently leaked. I saw that we can set up an SSH Certificate Authority, but it seems as though setting up that SSH CA doesnt actually prevent you from using Unsigned SSH Keys. I see there is an option to Require SSH Certificates, but that limits authentication to signed ssh keys and nothing else (https, PATs, etc would all stop working).

I know there are some options like applying passphrases to SSH keys which helps with the leaked keys issue, but also i dont think that is something we can enforce.

I am curious if anyone else on Github Enterprise Cloud has run into similar issues or what you do to properly secure things.

Hey everyone,

I just noticed that GitHub achievements seem to have disappeared from profiles. I was trying to look at Linus Torvalds' profile, specifically his "Starstruck" achievement using this direct link:

But the achievements tab is just gone. Did I miss an announcement about GitHub deprecating this feature, or is this just a temporary UI bug? Are you guys still seeing achievements on your own profiles?

I'm fairly novice with Github and git, only been using it for a couple years for the most part, and this is first time this has ever happened to me.

Had a fairly popular repo, somebody posted an issue, and I submitted a PR to fix said issue, it was literally like 4 lines of code added and 1 removed. And the owner of this repo, instead of merging it, just closed my PR then shoved the code in himself passing it off as his own code.

I'm a bit disappointed by this but I get it's the reality of opensource.

What do you do in this scenario?

EDIT: I made a professional comment on the closed PR to the maintainer, he replied, but made an excuse with no retribution. It was 4 lines of code, I will go about my day.

I have a GitHub repository where my folders are organized by learning weeks, like week1-..., week2-..., week3-..., and so on. As I keep adding more weeks, I want the most recent week to appear at the top of the repository file list on GitHub, and the oldest week to move downward.

My ideal visible order would be something like:

week(current_week), ... week10, week9, week8, ... week1

I have a repo primarily focused on helping beginners learn Python and OOP. I open issues as tasks for them to complete, which take time to come up with and write. It's my first relatively-large project and I'm quite proud of it, since I set up the repo and wrote the docs almost completely on my own and put a considerable amount of effort into maintaining community health and providing support (I have only used AI to create a template for some docs since it was my first time writing the Contributing Guidelines, etc.). I have a very strong goal of helping beginners learn and guiding them through code -> PR -> review -> merge workflows.

I would get pull requests completing the tasks, and I always enjoy the process of reviewing the PR and communicating with the contributor. But there have been so many contributors relying so heavily on AI that it's honestly sickening. I understood the need to use AI due to language barriers, but I have had entire modules very clearly written by AI, judging by the language of the docstrings/comments and code format. And I don't really like the use of AI for communication either. I mean, I would rather talk to someone with horrible English than feel like I'm talking to ChatGPT.

And it's not that I just "don't like the feeling of talking to AI instead of a human". AI has so many flaws when used for development (which I'm sure is discussed in-depth in many other posts in different subs). I issue tasks with lots of space for creativity and expansion, but LLMs just don't do that. They do the absolute minimum possible. During code reviews, I would often leave comments ending with "let me know what you think", and those same people never respond to any of those. Absolutely no opinions or "I think this would be better if"s whatsoever.

Then those people would go and hog all the tasks I open and I have to go through the torture of kindly telling them to wait and let others have a chance like they're kindergarteners.

Because of this, I've added rules for AI use in the repo's README, Contrib Guidelines, and CoC, saying that using LLMs solely as a tool is okay, but PRs that rely heavily on AI will be closed. And of course that made absolutely not a sliver of a difference. I can't even be sure if a contributor is using AI to write code. And if so, how do I say it? How embarrassing would it be if they in fact wrote the code themselves?

I don't give a flying fk if you don't sound "professional" enough or if your code isn't correct on first try, I WANT TO WORK WITH A HUMAN. AND REVIEW A HUMAN'S WORK.

I would like to hear y'all's opinions on this and whether you've had the same experience. And also how you would enforce the "minimize AI" rule, or what you would do better in my position.

We use Github at our company. We have an Enterprise account. When we made the switch to Github from Bitbucket years ago, we only had the option to add licenses of packs of 10 and had to email a Github rep to add more licenses. Even if you wanted 1 or 2, they sad they could only do packs of 10 (screaming BS internally but ok fine). We ate it and that is what we did until we suddenly within the last year, we saw that we were able to to add licenses manually as we needed in the Enterprise dashboard. Awesome! We were blissfully adding licenses as we onboarded new hires as we need. It was like any other normal SaaS service licensing model. Amazingly easy.

BUT that option disappeared or was removed from our dashboard recently for no reason. It came and gone without any explanation whatsoever from anyone at Github. Maybe there was a memo we missed, i dunno.

So this last week we had two new hires that needed github licenses. I had forgotten to add the licenses (this is on me and i know my fault) and that is when i found out the option to manually add github enterprise licenses was no longer there and replaced with a "Contact Sales" button. Fine. I contacted our rep and asked for 2 licenses. One day passes, i follow up. He follows up end of day two asking me to approve the adding 2 licenses... arg. YESSS add the 2x licenses i had asked for! Day 3 still no news on the licenses so i follow up and still waiting...

Having to add 10 licenses was hard to swallow when you needed only 1-2 licenses and paying for 8-9 licenses sitting unused until your next hire. This feels like a penny pinching cash grab from a company owned by Microslop.

The practice of having to email someone to get licenses drives me crazy especially when the turn around time is unpredictable.

The fact that the ability to add licenses within the Github Enterprise dashboard existed and was taken away drives me up the wall. I opened a support ticket this this morning and of course; zero replies.

Is this just me or does everyone have to eat this from Github?

Every DevOps engineer knows this loop:

1. Edit workflow YAML

2. Push to GitHub

3. Wait 5 minutes

4. See a cryptic error

5. Repeat

`act` helps run workflows locally but it's missing the one thing that makes debugging useful: the ability to pause and inspect.

So I built ci-debugger.

What makes it different from act:

- `--step` — pause before every step, run them one by one

- `--break-before "step name"` — breakpoint at a specific step

- `--break-on-error` — automatically pause when something fails

- `[D] Shell` — drop into the container at any breakpoint with full env

When you hit a breakpoint:

◆ BREAKPOINT before step Run tests

[C] Continue [S] Skip [D] Shell [I] Inspect [Q] Quit

Press D → you're in bash inside the container. Run commands, inspect files, check env vars → exit → continue.

GitHub:

Still early (v0.1), `uses:` actions beyond `actions/checkout` aren't fully supported yet. Feedback welcome.

I only have one GitHub account that I use for personal projects and work (I know, now I see my mistake). I had a year-long subscription to GitHub Copilot Pro+ that I fully managed myself.

My company recently rolled out Copilot to everyone. As soon as I got access, GitHub automatically cancelled my personal subscription and initiated a prorated refund. No warning, no confirmation. Not even a notification!

That immediately broke my setup. I can’t use the company Copilot license for personal projects because of IP concerns, so now my personal work is blocked until I split accounts, reconfigure everything, and resubscribe.

Had my employer not made an announcement, I could have unknowingly used the company plan in personal projects, which raises some uncomfortable questions about data boundaries. They would have had all sorts of metrics on my personal data.

Now I understand that mixing work and personal accounts isn’t ideal. That’s on me. Lesson learned. But overriding a paid personal subscription without any input feels like a major oversight in how GitHub handles personal plans.

Hello guys,

I seek your support. I've received all the finetuned file for a new project and want to upload them to my repository. Though I can't upload an entire folder on my repo and I have too many files to upload them one by one. How do you usually upload an app with all its corresponding folders all within one drag and drop or is there another way to perform what I need.

Thanks in advance!

Regards,

Vincent

Hey everyone,

I’ve been trying to get into open-source contributions, mainly by picking up beginner-friendly issues. The problem is that by the time I take the time to understand the codebase and how things work, the issue often gets closed or taken by someone else.

I’m wondering:

1. How do you deal with this when you're just starting out?

2. Are there better ways to approach contributing instead of chasing small issues?

3. Is it okay to use AI tools (like Claude or Codex) to help understand the codebase and review what I’m doing?

Any advice or tips would be really appreciated

So there's an automated campaign called HackerBot-Claw that's been actively exploiting misconfigured GitHub Actions across public repos. Its been in operation since late February.

The way it works is almost embarrassingly simple. It scans repos for workflows using pull_request_target with write permissions. Then it opens a PR. Your CI runs their code with elevated tokens. They steal the token, bingo they got your repo

Microsoft, DataDog, and Aqua Security's Trivy were all targeted. Trivy itself got fully taken over, releases deleted, malicious artifacts published. Yeah, that’s a security scanning tool compromised through its own CI pipeline!!

The whole thing went from new GitHub account to exploiting Microsoft repos in seven days, all fully automated.

I checked our org's workflows after reading about this and found several doing the exact same pattern. pull_request_target, contents: write, checking out untrusted PR code. Nobody ever reviewed these. They were copy pasted from a tutorial two years ago and no one ever bothered to touch it again.

How are you guys auditing your CI configurations? Because manual review clearly isn't cutting it when the attackers are automated.

ByteTok is a simple byte-level BPE tokenizer implemented in Rust with Python bindings. It provides:

• UTF-8–safe byte-level tokenization

• Trainable BPE with configurable vocabulary size (not all popular tokenizers provide this)

• Parallelized encode/decode pipeline

• Support for user-defined special tokens

• Lightweight, minimal API surface

It is designed for fast preprocessing in NLP and LLM workflows while remaining simple enough for experimentation and research.

I built this because I needed something lightweight and performant for research/experiments without the complexity of large tokenizer frameworks. Reading though the convoluted documentation of sentencepiece with its 100 arguments per function design was especially daunting. I often forget to set a particular argument and end up re-encoding large texts over and over again.

Repository:

Target Audience:

• Researchers experimenting with custom tokenization schemes

• Developers building LLM training pipelines

• People who want a lightweight alternative to large tokenizer frameworks

• Anyone interested in understanding or modifying a BPE implementation

It is suitable for research and small-to-medium production pipelines for developers who want to focus on the byte level without the extra baggage from popular large tokenizer frameworks like sentencepiece ,tiktoken or \HF``.

for some reason my GitHub is fully accessible through browsers, not the GitHub mobile app. is there something I'm missing? is it a common problem? or is it behind. almost 85 commits and people keep telling me it's empty

Hello
I have a problem
I need to run github action on many branches across one repo. Actions must start autmaticly. Unfortunately github allows to cron action only on default branch. So I trigger action on other branches form default branch using api. And it works. Branches use same submodules(other repos) and make some changes on them. So I need to execute actions one by one. I solve that using concurency. But I hit next problem, because github allows to queue only one action, so any other with same label will be cancelled. How can I solve that problem? How can i trigger actions one by one and wait for action finish before execute next. I want to avoid making one big action with multiple jobs.

This is my current action which i run on default branch

name: Azure subscriptions backup


env:
  DEFAULT_BRANCH: 'dev-1.00.1,ppr-1.00.1'


on:
  schedule:
    - cron: "0 13 */3 * *"
  workflow_dispatch:    
    inputs:
      branches:
        description: "List of branches, separeted by comma \",\". e.g. \"dev-1.00.1\". Leave empty for default."
        default: ""


jobs:
  prepare_branches_json:
    runs-on: ubuntu-latest
    outputs:
      matrix: ${{ steps.prepare-branch-json.outputs.matrix }}
    steps:
      - id: prepare-branch-json
        env:
          BRANCHES_INPUT: ${{ github.event.inputs.branches || env.DEFAULT_BRANCH }}
        run: |
          BRANCHES="$BRANCHES_INPUT"
          JSON_ARRAY=$(echo "$BRANCHES" | jq -R -c 'split(",")| map(gsub("^\\s+|\\s+$";""))')
          echo "matrix=$JSON_ARRAY" >> $GITHUB_OUTPUT


  dispatch:
    needs: prepare_branches_json
    runs-on: ubuntu-latest


    strategy:
      matrix:
        branch: ${{ fromJSON(needs.prepare_branches_json.outputs.matrix) }}
    steps:


      - uses: actions/create-github-app-token@3ff1caaa28b64c9cc276ce0a02e2ff584f3900c5
        id: generate-token
        with:
          app-id: ${{ secrets.INFRA_BOT_ID }}
          private-key: ${{ secrets.INFRA_BOT_PRIVATE_KEY }}


      - name: Trigger workflow for branch ${{ matrix.branch }}
        run: |
          curl -X POST \
            -H "Accept: application/vnd.github+json" \
            -H "Authorization: Bearer ${{ steps.generate-token.outputs.token }}" \
            https://api.github.com/repos/${{ github.repository }}/actions/workflows/subscription_settings_backup.yml/dispatches \
            -d "{\"ref\":\"${{ matrix.branch }}\"}"
        env: 
          GH_TOKEN: ${{ steps.generate-token.outputs.token }}

I cancelled my CoPilot Pro+ subscription (39.99 per month) Reason being, I found better value for money switching to Claude Code Max a few weeks ago. More than double the cost of CoPilot Pro but lasts the full month of intensive Opus 4.6 usage - which is very important.

In fact I find with about 50% capacity to spare... You get that much. Whereas I could burn through a month's use of Claude Opus 4.6 on CoPilot Pro in about 5 days and don't even get me started on OpenRouter or the API costs - just insane compared to the Claude Max plan.

Anyway, just as I was about the cancel Copilot the sub unfortunately renewed the same day and not only that, they took an extra $50 up front for premium budgeted use I hadn't even made yet. $90 in total down the toilet, so I got in touch with support - the signs had not been good so far - I asked a tech support question 7 weeks ago and to this day they have given me nothing but total silence.

So I reminded them of the statutory rights in Europe - full subscription refunds (not pro-rata) have to be given within a window, it's the law, they owe me - simple as that. Guess what - weeks of silence again.

Seems they are completely ignoring their users and flouting the law. What's the comeback?

I noticed just recently they had added a tiny, flaky button for automated refund processing - but it only gives you a pro-rata refund, tricks you into accepting less than what the consumer statutory protection gives you... and still no sign of that $50 coming back any time soon.

If you're a heavy Opus 4.6 user (it really is head and shoulders above GPT 5.4 for coding) I would urge you to vote with your feet and go with a Claude Max plan. Kicking Microsoft and their terrible treatment of Github customers where it hurts.

Worst support I have ever experienced from a major company, ever.

I'm currently interning. Does anyone know if on my last day at my company, I manually delete my work github account, then verify the work email on my personal account whilst I still have access to the email, would it attribute the PRs to the open source repos on my personal account?

I'd think it be quite nice to pin those repos on my personal account profile. (Edit: to pin the repos with the star count!)

I believe that I'm a pretty technically capable person. Working on hardware, reading documentation, navigating most UI designs pretty smoothly.

But there's something about how Github is designed that just makes my brain shut off. So often I will go to a page for a project and immediately think "what the hell am I looking at? Where are the download files for this project? What parts do I need?"

Granted I can and do eventually figure it out, but it feels like I go through that whole process every time.

Anybody else?

I've been receiving over one email per second for the last 16 hours from GitHub.com.

Just under 60,000 issues were created on a repo I watch, and GitHub is dutifully pushing out the back log of email notifications to my inbox.

Updating settings in GitHub has no effect, so it seems these issue notifications have been queued and there's nothing I can do to stop it. Awesome.

Anyone else experience this?

The emails are just walls of Chinese text.

I cannot believe how poor GitHub spam prevention is.

Turned on GitHub Advanced Security for our repos last month. Seemed like the responsible grown up move at the time.

Now every PR looks like a Christmas tree. 89 critical CVEs lighting up everywhere. Red badges all over the place. Builds getting blocked. Managers suddenly discovering the word vulnerability and asking questions.

Spent most of last week actually digging through them instead of just panic bumping versions.

And yeah… the breakdown was kinda weird.

47 are buried in dev dependencies that never even make it near production.
24 are in packages we import but the vulnerable code path never gets touched.
12 are sitting in container base layers we inherit but don’t really use.
6 are real problems we actually have to deal with.

So basically 83 out of 89 screaming critical alerts that don’t change anything in reality. Still shows up the same though. Same scary label. Same red badge.

Now I’m stuck in meetings trying to explain why getting to zero CVEs isn’t actually a thing when most of these aren’t exploitable in our setup. Which somehow makes it sound like I’m defending vulnerabilities or something.

I mean maybe I’m missing something. Maybe this is just how security scanning works and everyone quietly deals with the noise. But right now it kinda feels like we turned on a siren that never stops going off.

My coworker and I have encountered this preinstall file in several projects uploaded to GitHub. Upon checking locally, we discovered that we didn't have these files; they were uploaded to GitHub by cloning the latest update and adding the preinstall to the package.json file. We checked the file's contents, and it's an encrypted script. Has anyone else experienced this? Is there a solution?

I’ve always thought of GitHub Actions as harmless build glue, but I recently looked at our workflows more like an attacker would, and it changed how I see them. A workflow isn’t just running tests, it’s also where tokens, permissions, PR context, and sometimes secrets all meet.

The timing for this hit home after StepSecurity wrote up an active campaign where an automated bot hackerbot-claw scanned and exploited GitHub Actions setups in popular repos, getting remote code execution in multiple targets and even pulling a write-scoped GitHub token in at least one case.

What surprised me in our own sweep wasn’t a single huge gotcha, it was how easy it is for risky stuff to accumulate quietly: workflows that never set explicit permissions, pull_request_target used without realizing the trust implications, comment-triggered “/run” workflows that assume people will behave, and secrets that are visible in more places than they need to be because nobody has a clean inventory.

How do others here handle this across an org? Do you mostly rely on repo maintainers and PR review, or something else?

hi every one i lost access to my authenticator app because i changed my mobile phone and i lost the codes text file because i changed my pc too and i want to login to my professional account and please i need help asap and if i cant login again will unlinking the account from the email give me the right again to have the student developer pack ?

and thanks a lot for your help

In the recent trivy incident we saw spammed with hundreds of comments, some of which were from seemingly legitimate GitHub accounts (e.g. having a public LinkedIn account linked to their GitHub profile etc). What should we make of this?

1. All of those accounts are fake accounts and malicious actors have just gone to great lengths to make them appear legitimate?

2. Those GitHub users have themselves been compromised through some prior phishing/trojan attack etc, so that malicious actors can post spam on their behalf and without their knowledge?

3. There is some kind of exploit in the GitHub API itself which allows malicious actors to post comments "as" someone else?

Hi everyone,

As a SysOps/DevOps, I've seen too many 'zip spoofing' and supply chain attacks lately. I spent the last few months building Wisec (wisec.io), a 1-line integration for GitHub Actions that adds immutable provenance to your builds.

Why I chose this stack:

• IPFS: To store build evidence and signatures in a decentralized, tamper-proof way. No more trusting a single SaaS database.

• ED25519: For lightweight, high-security cryptographic signatures of every artifact.

I'm looking for some 'brutal' technical feedback from this community.

It's free for solo devs/startups. What do you think about using IPFS for build integrity?"

While browsing around on GitHub, I occasionally stumble across repositories that are. completely unexpected. Not just unusual projects, but things that make you stop and wonder why someone built this in the first place. What is the weirdest repository you have ever come across on GitHub? What did it do?

Hey everyone, I'm in a bit of a loop here and need some help.

I recently formatted my PC, and when I tried to log back into GitHub, it asked for my 2FA. The problem is: my GitHub Mobile app (which I use for authentication) somehow logged me out spontaneously.

• I have my email access.

• I have my password.

• I do not have my recovery codes (lost them during the format).

I've tried everything in the official documentation, but it always leads me back to the 2FA prompt. I also couldn't find a direct support email. Is there any way to recover the account through email verification or a support ticket that actually works?

Any advice is appreciated. Thanks!

Hello, I have a project that is on GitHub and I want to deploy it but it's not really finished yet. I want to somehow have a branch that is tied to the server that updates when I push to it. Where should I start?

What is the best way (if it's possible) to from a basic backlog issue have a codebase conversation and create contextualized good plans?

My idea is to write better plans in visual interface, replicating features using copilot at .com + actions.

why don't do it with claude code/codex cli:
- separate enviroments, reduce the amount of docs in the repo, now my repos have more .md files than code
- have plans persiting in gh, and nurture the backlogs from different enviroments (mobile, web, etc)
- reduce dependency from openai/claude due their unstable tokens policies

I've created a working desktop app start for a program, but I need help getting the code on GitHub. I need a human to walk me through it, because google and YouTube isn't cutting it. I tried uploading from online, but dont know how to keep the format the same. I tried the desktop app, but it tells me the files are too big. I tried uploading from in my code editor, but it loads forever and cancels. Please help me.

Thanks!

Copilot Chat won't work, I can never interact with the chat. The chat bubble doesnt show up, I have options for the extension but not the chat request via >. And Control Shift I or what not doesnt do anything either. For all purposes it seems extensive is installed but never activates.

I've dug through a lot steps over several hours. I can use the agents and switch between them fine, but not Copilot itself. I see one of the two apps required is now obsolete and they tell you to use the just the one.

Andoird does not support Passkeys over NFC (only USB).
I'd like to keep using my Yubikeys as passkeys for github on PCs, but be able to use it "only" as second factor via NFC on other devices without USB.

I can't figure out a way to register a key as both on Github. I can register it for one but when I try the second then I get an error during registration. I tried on Windows and Android. The order also doesn't matter. There seems to be a check if any key for is already registered on the yubikey and if so then the process fails?

Is there a way around this? Or must I fall back to using it as 2FA only if I want to use it via NFC on some devices?

SportsFlux aggregates live sports data into one browser dashboard.

As the project grows, I’m reorganizing the repo to keep frontend, backend, and data layers clearly separated.

What repo structures have worked well for medium-sized web apps?

Is anyone using GitHub Issues + Actions to asynchronously build context and execution plans interactively (e.g. issue → context discovery → clarifying questions → plan generation), as an alternative to Linear or tools like Traycer?

what is going on.. can't find them on any account.

Action don't set env vars when running dependabot jobs. security reasons for sure.

From past hour face this error message:
Failed to queue workflow run. Please try again.

anyone have an idea?

I was commiting a change using the web frontend. I got the message "Copilot is thinking" and Microsofts Servers put some useless strings into the subject and as commit message.

I never activated that thing.

How can I turn it off? Beside I don't need it, it waste energy and CO2.

So I have this website and never used GitHub, I run the site by myself and don’t even have users yet, but how would I know if I need GitHub? Just asking because someone said I should use it…. My site is a social network platform for users and AI agents for helping each other make a living online. Any help would….. help lol

Hi everyone,

I’m currently unable to sign in to my GitHub account because I lost access to my authenticator app and I also don’t have my recovery codes anymore, passkey as well.

I still know my account password and I am the legitimate owner of the account. I have already submitted an account recovery request to GitHub support, but I wanted to ask here if anyone has experienced something similar and how long the recovery process usually takes.

If anyone has gone through this situation before or has any advice on what else I can do to recover my account, I would really appreciate your help.

Thanks in advance!

GitHub quietly lets Copilot train on your code. Here's how to turn it off.

Most people don't know this setting exists.

By default, GitHub can use your code activity and data to improve their AI models. That includes Copilot suggestions, your editor interactions, and potentially more depending on how they interpret "data."

It's opt-out, not opt-in.

Here's how to disable it:

1. Go to

2. Look for "Allow GitHub to use my data for AI model training"

3. Turn it off

Takes 10 seconds. Probably worth doing before you forget.

Not saying GitHub is doing anything malicious with it. But if you're working on client code, proprietary projects, or anything you'd rather keep private, it's a reasonable thing to turn off. You probably didn't agree to this knowingly, and most people have no idea it's on by default.

Pass it along if you think others should know.

Hello!
I'm facing a problem with my GitHub Actions workflow. I have two steps at the end that are not being executed properly: one fails, and the other depends on it. Here's the failing part of my workflow:

     - name: Deploy docker-compose to VPS
        if: github.event_name != 'pull_request'
        uses: appleboy/scp-action@master
        with:
          host: ${{ secrets.VPS_HOST }}
          username: ${{ secrets.VPS_USER }}
          key: ${{ secrets.VPS_DEPLOY_USER_KEY }}
          port: ${{ secrets.VPS_SSH_PORT }}
          source: "docker-compose.yml"
          target: "${{ secrets.VPS_DEPLOY_PATH }}/"

      - name: Run deploy commands on VPS
        if: github.event_name != 'pull_request'
        uses: appleboy/ssh-action@v0.1.7
        with:
          host: ${{ secrets.VPS_HOST }}
          username: ${{ secrets.VPS_USER }}
          key: ${{ secrets.VPS_DEPLOY_USER_KEY }}
          port: ${{ secrets.VPS_SSH_PORT }}
          script: |
            set -e
            cd ${{ secrets.VPS_DEPLOY_PATH }}

            echo "${{ secrets.GITHUB_VPS_PAT }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin

            docker pull ghcr.io/${{ github.repository }}:latest

            docker compose down
            docker compose up -d

The workflow is triggered on push to main and the rest of the workflow is working as expected:

name: Build, Push and Deploy

on:
  push:
    branches:
      - main
  pull_request:
    branches:
      - main

permissions:
  contents: read
  packages: write

jobs:
  build:
    runs-on: ubuntu-latest

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Login to GHCR
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Build and push Docker image
        uses: docker/build-push-action@v5
        with:
          context: .
          push: ${{ github.event_name != 'pull_request' }}
          tags: |
            ghcr.io/${{ github.repository }}:latest
            ghcr.io/${{ github.repository }}:${{ github.sha }}
        
      - name: Sanity check Docker image
        run: |
          docker rm -f sanity-test || true
          docker run --name sanity-test --env-file .env.dev -d \
            ghcr.io/${{ github.repository }}:latest
          sleep 5
          docker logs sanity-test
          docker rm -f sanity-test

I have set the following secrets:

I checked their values, the key is set with the private SSH key, and it is complete (with the "-----BEGIN OPENSSH PRIVATE KEY-----" and "-----END OPENSSH PRIVATE KEY-----"), in fact, I copied the key to a file and it worked locally:

The error is the following:

I made sure to have defined the same user, host, ssh key and port. Locally, it works, but in the workflow, the step "Deploy docker-compose to VPS" fails. What can I do to solve this?

Notes:

• I'm using Hostinger's VPS

• The SSH key does not have a password

Hello guys! Hope you're doing well. We configure and run our GitHub runners on a VM that is accessible to anyone on our team. The command used by our team includes a PAT token. One of my teammates has set it up as an environment variable, but it could still be accessed. Since PAT tokens are very sensitive, I would like to know how this can be handled securely. I would really appreciate advice from someone experienced. Thanks!

I made my repo public as it needed to be for my teachers to view it, and after changing that and nothing else, i cant make commits any longer. the changes appear in the GUI, but the "commit to mybranch" is always greyed out, despite making both a title for the commit and a description.

Cant find anything online, please help

This came up when I was searching about my product on ChatGPT, trying to understand what it thinks about my platform. So the part where it formed a doubtful or negative opinion about my product included insights from GitHub. Out of which two specific points were:

1. One of the repositories that we archived around two years ago was showing up as technical debt.

2. We have a lot of open Dependabot alerts or PRs which are created automatically, which we try to resolve probably once every couple of months since it is mostly related to upgrading of libraries.

In general, my question is: how frequently should I resolve the Dependabot PRs considering the frontend of my product is open sourced?

Like I have 3 stars on my projects but how do I get tons like other projects?

I'm trying to use LFS to store a game project I'm working on, but (from what I can understand) LFS needs an existing repo with the file type already in it in order to start tracking the file type. Is there some way to save it as a local repo just for the sake of reference, so I can actually track the larger file size?

Hey,

Wanted to get some feedback from other githubers.

I decided to try out github copilot for a relatively straightforward issue I was having on a blazor server page.

We have a drop down of courses that an instructor is qualified to teach, we ask them to pick a date when they ran a course. We do some simple logic to make sure the date is within the time frame of their certificate, if it is they can proceed.

The problem is some people are complaining that even after selecting a course and date within their qualification time, the guard is still showing and not allowing them to proceed.

I asked the github agent to examine why it might be happening.

Well after a short novella (16,000 word discussion with itself), it has diagnosed an early return. I think the blazor page in total only has 300-400 lines of code.

Is this level of verbosity normal? It would actually encourage me not to use the agent service again, cause ain't nobody got time to be reading all that rambling....

Is this a common experience?

Hey please forgive me if this is an obvious or stupid question, I don't know a ton about all the inner workings here

I have a project I'm working on solo but between two machines. I use Github desktop to push all my changes at the end of a session, then pull em to the other computer next session. Easy, works great, very simple.

I'M LOOKING for a way to do the same on my phone - pull the files to my phone, edit in whatever app (a lot of the project is just text based), and then push back directly from my phone. I have the Github android app but cannot see any way to get the files onto my device. Does anyone have tips here?

(PS - anyone know of a good python editor for android? I'm using a zfold so i have a lot of screen real estate to work with)

so i built DevTrack. it's basically a personal operating system for developers.

it does this:

1. dashboard with your total coding hours, active skills, projects, and a 30-day chart

2. skills tracker : add what you're learning, set a target level, log hours, see progress

3. project board: track stuff from planning to done, add notes, link github repos

4. daily activity logs what you worked on, how long, tags

5. Github integration: connects your username, shows repos, commit chart, recent activity

6. streaks and badges keeps you consistent

i built it because i wanted something like this for myself and couldn't find anything that wasn't overengineered or behind a paywall.

it's free.

link:

If you have any ideas to add feel free to contribute -

Is the feed not loading for anyone else aswell?

This feels like a temporary band-aid or worse. As a maintainer, I am fed up with AI slop PRs.  might be good for a project in the short term but will hurt the community long term.

1. If every major repo requires you to be "vouched", how do beginners start? We’re forcing people to contribute to "starter repos" they don't care about just to earn "cred" for the projects they actually want to contribute. Bad actors will find ways to farm "vouch" status, while serious contributors who just don’t want to jump through hoops will simply walk away. This is doing reverse filtering.

2. The Filter is at the wrong level. Vouching should be at the PR level, not the User level. I thought this was obvious?

If a project has enough traction to be drowning in PRs, it has enough of a community to scale its review process. If a mojaority of your contributers are not willing to contribute to the review pipeline, then its also a good thing because clearly these are the ones that are low effort slop coders and these PRs can be filtered out.

But moving towards an identity-based scoring system like vouch feels like a massive step backward and very dangerous. Am I missing something? Has anyone actually used Vouch and gotten good results?

Edit: using github's student pack

It used to be right next to the add co-authors button. Where did it go?

Issue: Repository History Diverged After git filter-repo and Partial Force Push

What Happened

I accidentally committed a .npmrc file containing secrets and pushed it via a PR. To remove the secret from the repository history, I used git filter-repo to completely strip the file from all commits.

Commands Used

git filter-repo --path .npmrc --invert-paths
git push origin --force --all
git push origin --force --tags
What Went Wrong
git filter-repo rewrote the entire commit history, since each commit depends on its parent SHA.
I then force-pushed all branches to the remote.

However:

The main branch has branch protection enabled, so the force push to main was rejected.
As a result:
main retains the original commit history.
All other branches were rewritten with new commit SHAs.

This caused main and all other branches to diverge completely, with Git only recognizing the initial commit as a common ancestor.

Current Impact

All branches (except main) now show:

“This branch is ~5k+commits ahead and ~5k+ commits behind main.”

This is not actual work difference — it’s due to rewritten history.
Active PRs now show thousands of commits in the diff, making them unusable.
Important Notes
main and other importatn branches are intact and working correctly.
No actual code is lost:
Changes already merged into main are safe.
Other changes can be recovered from rewritten branches if needed.
What I Need Help With
What is the best way to recover from this situation?

### Guidelines

- [X] I have read the above statement and can confirm my post is relevant to the GitHub feature areas [Issues](https://docs.github.com/en/issues/tracking-your-work-with-issues/about-issues) and/or [Projects](https://docs.github.com/en/issues/planning-and-tracking-with-projects/learning-about-projects/about-projects).

Hi ,

I'm facing a frustrating situation: the username I wanted on GitHub is already taken by an account that appears to have been inactive for almost 5 years.

I was wondering what options are available in this kind of case. Is there an official procedure to request a username from an inactive account, or any acceptable strategies for reclaiming it?

I've considered contacting GitHub support or leaving a polite message on one of their old repositories, but I'm not sure if that's recommended.

Has anyone dealt with a similar situation? Any advice or experiences would be greatly appreciated.

Thank you in advance for your help.

There's something missing from all of the instructions that I've found. When I push to my own repo, I get a message that passwords are no longer accepted. Apparently I have to create a PAT (through GitHub) or an SSH (ssh-keygen) and use that in place of the password. I still get the password error message when I try to do git push. (Side Note: The bureaucrats they've put in charge of vetting StackOverflow questions deemed this 'too vague' to allowed. I guess I won't be using StackOverflow much any more.)

The instructions are missing something. I have no idea what I'm looking for. Does anyone know the correct instructions?

Thank you in advance.

For several years, Baserow was one of the top 10 most-starred open-source projects on .

When we started building Baserow, GitLab felt like the natural choice. It aligned well with our values, GitLab itself is open source, and our team already had experience with it, so it became our main platform for issues, merge requests, CI pipelines, and releases.

In November 2025, we moved our primary development to . The GitLab repository still exists, but now is a read-only mirror.

We didn’t move because GitLab was missing features. It worked well for us for years. The main reason was discoverability.

GitHub is where most development happens today. Most developers already have GitHub accounts, their tooling is built around GitHub, and their workflows assume GitHub. We felt that not being there as our main platform could limit how easily developers discover Baserow or contribute to the project.

The scale difference between the platforms is huge:

• The most starred project on GitLab (GitLab itself) has around 7k stars

• The most starred project on GitHub (freeCodeCamp) has 438k+ stars

We noticed this ourselves after the move. Baserow received more than 1,000 stars on GitHub in about three months. On GitLab, reaching the same number usually took us well over a year.

Even our community and suggested the move in our forum. That discussion continued for almost two years and eventually led us to make the switch.

In November 2025, we moved Baserow’s primary development from GitLab to GitHub. The migration itself took a lot more work than just flipping a switch.

The first step was moving our existing GitHub mirror repository. For a long time, it lived under my personal account as bram2w/baserow, because it originally existed only as a mirror of the GitLab project. As part of the migration, we moved it to baserow/baserow so it could become the project’s official home.

We also had to rebuild our CI pipeline from scratch. This ended up being by far the biggest part of the migration work. GitHub Actions works differently enough that there wasn’t a simple one-to-one migration path. We had to rethink and rebuild it in a way that fit GitHub’s actions model. That took quite a bit of time, but it also gave us the opportunity to clean things up along the way.

• Before:

• After:

For issues and open merge requests, we used a slightly modified version of to handle the migration. Before doing that on the real repository, we first tested the whole process on an empty repository to make sure everything behaved as expected. That gave us more confidence before making the final move.

Once everything was ready, we were able to officially switch the project over. On GitLab, we updated the repository wherever possible to clearly explain that it had become a read-only mirror and that primary development now happens on GitHub.

After the migration was complete, we still had to figure out how to collaborate on GitHub. On GitLab, we had labels like: “In progress”, “Ready for review”, etc. After a brainstorm session with the development team we decided to adopt the native features from GitHub ().

What we like about GitHub so far:

1. We’ve already seen more community contributions since the move, although some of them look AI-generated and don’t include much explanation.

2. GitHub Actions are flexible. Several developers on the team mentioned this quickly. The workers tend to have better specs than what we previously used, and pipelines run noticeably faster.

3. The ecosystem. We also noticed that third-party integrations usually support GitHub first. Tools like GitLens work well with GitHub, and we have access to tools like Copilot during reviews.

4. GitHub feels faster. Pages load quickly, navigation is responsive, and large repositories are easy to browse. Developers often jump between many issues and pull requests, and that speed actually makes a difference in day-to-day work.

Things we don’t like about GitHub:

1. The code review experience on GitHub can feel clunky:

   • you can’t complete a review (approve, request changes, etc.) without switching back to the main code view of the pull request

   • it’s harder to start conversations based on comments in a pull request

   • it’s not always obvious who is currently reviewing a pull request

   • if you follow a strict code review process, GitHub doesn’t give a clear overview of the review progress

2. UI organization. GitHub is fast, but the interface can feel disorganized at times:

   • comments in pull requests can be collapsed together, which makes searching for a specific comment difficult

   • reversed commit order compared to GitLab

Some small but useful GitLab features we are especially missing:

• GitLab allowed “merge when CI passes”, while in GitHub we often have to come back and merge manually

• easier conversation threads during code reviews

• GitLab had a clear indicator showing how far a branch was behind the target branch

• in GitLab, naming a branch with an issue number automatically links them

If we were starting today, we would probably begin on GitHub. At the same time, after working with GitLab for many years, we clearly see that both platforms still have things that could be improved, and there are areas where they could learn from each other.

We hope this post helps if you’re deciding where to start an open-source project, or if you’re considering a similar move.

Today, community reach is often a stronger factor than functionality or values. That’s something we realized along the way.

If you’re curious, you can now find Baserow on GitHub:

Hey so I have been using Copilot for a couple of months from the education package, but with GH removing access to Anthropics models I wanted to see what claude did. First I thought I would need an Antrhopic account, but it turns out claude just works without one? Even in agent sessions. Does anyone understand the differences?

Also I would be curious if someone understands which models are available in copilot pro teacher, as I should have been upgraded to teacher status, but can still only see outdated codex models.