GitHub: Difference between revisions
old incident: restricting accounts of "foreign" users | updated all refs
| Line 11: | Line 11: | ||
==Consumer impact summary== | ==Consumer impact summary== | ||
*'''Privacy:''' GH is owned by [[Microsoft]], raising questions about data usage. GH has recently engaged in aggressive Copilot integration.<ref>https://github.com/features/copilot | *'''Privacy:''' GH is owned by [[Microsoft]], raising questions about data usage. GH has recently engaged in aggressive Copilot integration.<ref>{{cite web |title=GitHub Copilot |url=https://github.com/features/copilot |url-status=live |archive-url=https://megalodon.jp/2026-0326-0304-56/https://github.com:443/features/copilot |archive-date=2026-03-26}}</ref> Many projects such as the Gentoo Linux project, have left GH due to the privacy and security concerns associated with [[Artificial intelligence|AI]].<ref>{{cite web |first=Sourav |last=Rudra |url=https://itsfoss.com/news/gentoo-github-switch-begins/ |date=17 Feb 2026 |url-status=live |title=Gentoo Takes the First Step to Ditch Microsoft Copilot-Infested GitHub |archive-url=https://megalodon.jp/2026-0326-0305-45/https://itsfoss.com:443/news/gentoo-github-switch-begins/ |archive-date=2026-03-26}}</ref><ref>{{cite web |first=George |last=Whittaker |date=19 Feb 2026 |title=Gentoo Charts a New Path: Moving Away from GitHub Toward Codeberg |url=https://www.linuxjournal.com/content/gentoo-charts-new-path-moving-away-github-toward-codeberg |url-status=live |archive-url=https://megalodon.jp/2026-0326-0306-04/https://www.linuxjournal.com:443/content/gentoo-charts-new-path-moving-away-github-toward-codeberg |archive-date=2026-03-26}}</ref><ref>{{Cite web |last=Kelley |first=Andrew |date=2025-11-26 |title=Migrating from GitHub to Codeberg |url=https://ziglang.org/news/migrating-from-github-to-codeberg/ |url-status=live |archive-url=https://web.archive.org/web/20260303052544/https://ziglang.org/news/migrating-from-github-to-codeberg |archive-date=2026-03-03 |access-date=2026-03-16 |website=⚡ Zig Programming Language}}</ref> | ||
*'''Transparency:''' While some tools like [https://cli.github.com/ the <code>gh</code> CLI] are open-source,<ref>{{Cite web |date=3 Oct 2019 |title=GitHub’s official command line tool (source Git repository) |url=https://github.com/cli/cli |url-status=live |access-date=16 Sep 2025 |website=GitHub |archive-url=http://web.archive.org/web/20260128035607/https://github.com/cli/cli |archive-date=28 Jan 2026}}</ref> the platform itself is closed-source. | *'''Transparency:''' While some tools like [https://cli.github.com/ the <code>gh</code> CLI] are open-source,<ref>{{Cite web |date=3 Oct 2019 |title=GitHub’s official command line tool (source Git repository) |url=https://github.com/cli/cli |url-status=live |access-date=16 Sep 2025 |website=GitHub |archive-url=http://web.archive.org/web/20260128035607/https://github.com/cli/cli |archive-date=28 Jan 2026}}</ref> the platform itself is closed-source. | ||
*'''Market control:''' GH is the platform that hosts the most important repositories in the world.{{Citation needed|reason=or is it?|date=2026-05-11}} It's the standard-de-facto for hosting and managing source-code, often overshadowing platforms such as [[wikipedia:Codeberg|Codeberg]] and [[wikipedia:GitLab|GitLab]]. | *'''Market control:''' GH is the platform that hosts the most important repositories in the world.{{Citation needed|reason=or is it?|date=2026-05-11}} It's the standard-de-facto for hosting and managing source-code, often overshadowing platforms such as [[wikipedia:Codeberg|Codeberg]] and [[wikipedia:GitLab|GitLab]]. | ||
*'''Reliability:''' ever since Microsoft acquired it, GH's [[wikipedia:Uptime|uptime]] has degraded.<ref>https://damrnelson.github.io/github-historical-uptime/</ref> Projects such as [https://ghostty.org/ Ghostty] have left GH because of this.<ref>https://mitchellh.com/writing/ghostty-leaving-github</ref> There have been multiple incidents (elaborated in the next section), such as Git-history corruption and security vulnerabilities. GH has apologized and they plan to improve the situation.<ref>https://github.blog/news-insights/company-news/an-update-on-github-availability/</ref> | *'''Reliability:''' ever since Microsoft acquired it, GH's [[wikipedia:Uptime|uptime]] has degraded.<ref>{{cite web |title=GitHub's Historic Uptime |author=damrnelson |url=https://damrnelson.github.io/github-historical-uptime/ |website=[[GitHub]] |url-status=live}}</ref><ref>{{cite web |title=GitHub Uptime |url=https://www.githubstatus.com/uptime |website=GitHub Status |url-status=live}}</ref> Projects such as [https://ghostty.org/ Ghostty] have left GH because of this.<ref>{{cite web |title=Ghostty Is Leaving GitHub |first=Mitchell |last=Hashimoto |url=https://mitchellh.com/writing/ghostty-leaving-github |url-status=live |date=28 Apr 2026 |archive-url=https://web.archive.org/web/20260428194913/https://mitchellh.com/writing/ghostty-leaving-github |archive-date=2026-04-28}}</ref> There have been multiple incidents (elaborated in the next section), such as Git-history corruption and security vulnerabilities. GH has apologized and they plan to improve the situation.<ref>{{cite web |first=Vlad |last=Fedorov |title= An update on GitHub availability |url=https://github.blog/news-insights/company-news/an-update-on-github-availability/ |url-status=live |website=GitHub Blog |archive-url=https://web.archive.org/web/20260428105629/https://github.blog/news-insights/company-news/an-update-on-github-availability/ |archive-date=2026-04-28}}</ref> | ||
==Incidents== | ==Incidents== | ||
=== Restricting accounts of "foreign" users (2019) === | === Restricting accounts of "foreign" users (2019) === | ||
Due to trade sanctions from U.S.A., GH began restricting and even suspending accounts of any user who logged in from an affected country.<ref>https://github.com/tkashkin/GameHub/issues/289</ref> | Due to trade sanctions from U.S.A., GH began restricting and even suspending accounts of any user who logged in from an affected country.<ref>{{cite web |author=tkashkin |title=Project status |url=https://github.com/tkashkin/GameHub/issues/289 |website=GitHub |archive-url=https://web.archive.org/web/20260522230237/https://github.com/tkashkin/GameHub/issues/289 |archive-date=2026-05-22}}</ref> | ||
===Questions about data usage (2024-present)=== | ===Questions about data usage (2024-present)=== | ||
GH does not specifically tell you the data usage for AI with private repositories. This means that it might be using your data to train AI models by Microsoft like Copilot.<ref>{{Cite web |title=What specific data exactly will be send to Copilot? |url=https://github.com/orgs/community/discussions/59630 |access-date=7 September 2025 |website=GitHub |archive-url=http://web.archive.org/web/20250512172426/https://github.com/orgs/community/discussions/59630 |archive-date=12 | GH does not specifically tell you the data usage for AI with private repositories. This means that it might be using your data to train AI models by Microsoft like Copilot.<ref>{{Cite web |author=PeterH-euris |title=What specific data exactly will be send to Copilot? |url=https://github.com/orgs/community/discussions/59630 |access-date=7 September 2025 |website=[[GitHub]] |archive-url=http://web.archive.org/web/20250512172426/https://github.com/orgs/community/discussions/59630 |archive-date=2025-05-12}}</ref> Previously, Copilot exposed vital private repositories from big companies, raising even more concerns.<ref>{{Cite web |first=Antonio |last=Jonathan |title=Copilot AI Exposes Private GitHub Code From Top Companies |url=https://digitalchew.com/2025/02/28/copilot-ai-exposes-private-github-code-from-top-companies/ |website=Digital Chew |url-status=dead |date=28 Feb 2025 |archive-url=http://web.archive.org/web/20250426141755/https://digitalchew.com/2025/02/28/copilot-ai-exposes-private-github-code-from-top-companies/ |archive-date=2025-04-26}}</ref> | ||
This is a list of all consumer-protection incidents this company is involved in. Any incidents not mentioned here can be found in the [[:Category:{{FULLPAGENAME}}|{{PAGENAME}} category]]. | This is a list of all consumer-protection incidents this company is involved in. Any incidents not mentioned here can be found in the [[:Category:{{FULLPAGENAME}}|{{PAGENAME}} category]]. | ||
===Planned fees for self-hosted Action runners (2025-present)=== | ===Planned fees for self-hosted Action runners (2025-present)=== | ||
In December 2025, GH announced a new $0.002 per minute "cloud platform charge" for developers using self-hosted GH Actions runners on private repositories. It was due to take effect on March 1 2026, but seems to be postponed indefinitely. <ref>{{Cite web |title=Coming soon: simpler pricing and a better experience for GitHub Actions |url=https://github.blog/changelog/2025-12-16-coming-soon-simpler-pricing-and-a-better-experience-for-github-actions/ |url-status=live |archive-url=https://megalodon.jp/2026-0326-0307-06/https://github.blog:443/changelog/2025-12-16-coming-soon-simpler-pricing-and-a-better-experience-for-github-actions/ |archive-date=25 Mar 2026 |website=GitHub}}</ref> | In December 2025, GH announced a new $0.002 per minute "cloud platform charge" for developers using self-hosted GH Actions runners on private repositories. It was due to take effect on March 1 2026, but seems to be postponed indefinitely. <ref>{{Cite web |title=Coming soon: simpler pricing and a better experience for GitHub Actions |date=16 Dec 2025 |url=https://github.blog/changelog/2025-12-16-coming-soon-simpler-pricing-and-a-better-experience-for-github-actions/ |url-status=live |archive-url=https://megalodon.jp/2026-0326-0307-06/https://github.blog:443/changelog/2025-12-16-coming-soon-simpler-pricing-and-a-better-experience-for-github-actions/ |archive-date=25 Mar 2026 |website=GitHub}}</ref> | ||
===Whitelisting of email domains on new accounts=== | ===Whitelisting of email domains on new accounts=== | ||
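Review bot: the expanded citations on the right side of this hunk are inconsistent with each other: the Copilot, Gentoo, Zig and Ghostty refs use ISO archive dates (2026-03-26, 2026-03-03, 2026-04-28), while the cli/cli ref keeps "28 Jan 2026" and the Actions-pricing ref uses "25 Mar 2026"; the GameHub issue ref under "Restricting accounts of "foreign" users (2019)" is the only updated ref with no |url-status=. Settle on one |archive-date= style and add |url-status=live to the GameHub ref. Separately, the sentence "This is a list of all consumer-protection incidents this company is involved in. Any incidents not mentioned here can be found in the ... category" sits after the "Questions about data usage (2024-present)" subsection on both sides of the diff; it reads as the introduction to the list and belongs directly under the "==Incidents==" heading, above the first "===" subsection. The "Whitelisting of email domains on new accounts" heading closes the hunk with no body in the visible context, so there is nothing to check there.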
| Line 35: | Line 35: | ||
===Buggy merge queue (2026, April)=== | ===Buggy merge queue (2026, April)=== | ||
On April 23, 2026, [[wikipedia:Distributed_version_control#Pull_requests|pull-requests]] (PRs) merged via merge-queue using the squash merge method produced incorrect merge commits when the merge group contained more than one PR. In affected cases, changes from previously merged PRs and prior commits were inadvertently reverted by subsequent merges.<ref>https://www.githubstatus.com/incidents/zsg1lk7w13cf</ref><ref>https://trunk.io/blog/what-happens-if-a-merge-queue-builds-on-the-wrong-commit</ref> | On April 23, 2026, [[wikipedia:Distributed_version_control#Pull_requests|pull-requests]] (PRs) merged via merge-queue using the squash merge method produced incorrect merge commits when the merge group contained more than one PR. In affected cases, changes from previously merged PRs and prior commits were inadvertently reverted by subsequent merges.<ref>{{cite web |title=Incident with Pull Requests |url=https://www.githubstatus.com/incidents/zsg1lk7w13cf |url-status=live |date=23 Apr 2026 |website=GitHub Status |archive-url=http://web.archive.org/web/20260508093542/https://www.githubstatus.com/incidents/zsg1lk7w13cf |archive-date=2026-05-08}}</ref><ref>{{cite web |first=Phil |last=Vendola |date=24 Apr 2026 |title=What Happens If a Merge Queue Builds on the Wrong Commit |url=https://trunk.io/blog/what-happens-if-a-merge-queue-builds-on-the-wrong-commit |website=Trunk |url-status=live |archive-url=http://web.archive.org/web/20260510195306/https://trunk.io/blog/what-happens-if-a-merge-queue-builds-on-the-wrong-commit |archive-date=2026-05-10}}</ref> | ||
===RCE via <code>git push</code>=== | ===RCE via <code>git push</code>=== | ||
A [[wikipedia:Arbitrary_code_execution|remote code execution vulnerability]] was found that allowed abusing <code>git push</code> commands to read and write data to any <!-- not quite "any", it's more nuanced --> repository hosted by GH, including ''private'' ones.<ref>https://www.wiz.io/blog/github-rce-vulnerability-cve-2026-3854</ref> GH fixed this bug quickly after it was reported to them. | A [[wikipedia:Arbitrary_code_execution|remote code execution vulnerability]] was found that allowed abusing <code>git push</code> commands to read and write data to any <!-- not quite "any", it's more nuanced --> repository hosted by GH, including ''private'' ones.<ref>{{cite web |title=Securing GitHub: Wiz Research uncovers Remote Code Execution in GitHub.com and GitHub Enterprise Server (CVE-2026-3854) |first=Sagi |last=Tzadik |date=28 Apr 2026 |url=https://www.wiz.io/blog/github-rce-vulnerability-cve-2026-3854 |website=WIZ |archive-url=http://web.archive.org/web/20260519143954/https://www.wiz.io/blog/github-rce-vulnerability-cve-2026-3854 |archive-date=2026-05-19}}</ref> GH fixed this bug quickly after it was reported to them. | ||
==Products== | ==Products== | ||
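Review bot: the "RCE via <code>git push</code>" subsection still carries the inline editor comment "not quite "any", it's more nuanced" on both sides of this hunk, so the sentence "read and write data to any repository hosted by GH, including private ones" remains stronger than the editor believed the source supports; with the Wiz ref now expanded (its title names CVE-2026-3854), qualify that sentence to what the cited post actually states and drop the comment, and add the year to the heading as the sibling section "Buggy merge queue (2026, April)" does. The new Wiz ref is also the only one in this hunk without |url-status=, whereas both merge-queue refs (GitHub Status, Trunk) carry |url-status=live.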