
Rotating credentials for GitHub.com and new GHES patches

Blog post from GitHub

Post Details

Author: Jacob DePriest
Word Count: 843
Language: English
Summary

GitHub addressed a security vulnerability reported on December 26, 2023, through its Bug Bounty Program, which could have allowed unauthorized access to credentials within a production container. The vulnerability was promptly fixed, and all potentially exposed credentials were rotated as a precaution, despite high confidence that the issue had not been exploited by anyone other than the reporting bug bounty researcher. The vulnerability also affected GitHub Enterprise Server (GHES), but exploiting it there required an authenticated user holding the organization owner role, which substantially limits its exploitability. A patch for affected GHES versions was released on January 16, 2024, and customers are advised to apply it promptly. The credential rotations caused some service disruptions between December 27 and 29, prompting GitHub to improve its rotation procedures to minimize future downtime. Additionally, GitHub rotated its GPG commit signing key and other encryption keys used in GitHub Actions, Codespaces, and Dependabot; this requires action from users who verify commits outside of GitHub or who have cached the old public keys. Users are encouraged to import the new public keys and to push any unverified commits created before January 16, 2024, to their repositories by January 23, 2024. GitHub acknowledged the contributions of security researcher Ngo Wei Lin and encouraged continued participation in its Bug Bounty Program.