| Compatibility Matrix | |||||
|---|---|---|---|---|---|
| Supported GitHub and ADO Git Versions | Supported | Maintained | Deprecated | Support for Acrolinx AI Assistant and Suggestions | Notes |
| Latest versions of GitHub and ADO Git | 5.0.0 | 4.2.7 | 4.2.6 and earlier | -- | JRE 11 or later is required for Acrolinx for GitHub and ADO Git versions 4.2.3 and later. |
Version 5.0.0 (04 August 2025)
With version 5.0.0, we've transitioned from long-lived Personal Access Tokens (PATs) to a more secure GitHub App-based authentication method. This new approach leverages OAuth 2.0, fine-grained permissions, and short-lived tokens.
For github.com users, Acrolinx handles the GitHub App registration process. Simply using the provided third-party install link and enabling the app for your chosen repositories is enough to enable Acrolinx.
This update focuses on improving security and authentication. No functional changes or new use case features are included in this release.
What changed
We've replaced Personal Access Tokens with a secure GitHub App, shifted webhook configuration to the GitHub App level, and added a few essential configuration keys. Here’s what’s new and why it matters:
-
Brand-new GitHub App integration - We've transitioned to a more secure GitHub App-based authentication method. Classic PATs and Fine-Grained PATs are no longer needed.
-
PAT option removed - With the new GitHub App-based authentication leveraging OAuth 2.0, Personal Access Tokens (PATs) and the
gh-tokensetting are no longer needed or supported. PATs won’t work after the upgrade. -
Install the app via a dedicated third-party install link - We've simplified the setup with a unique URL from Acrolinx. Follow it, pick repositories, and start checking.
-
Multi-Organization and User Account Support - The GitHub App can be installed and used across multiple GitHub organizations and user accounts, allowing the Baseline operation and Pull Request checks to run on all enabled repositories.
-
Java 17 baseline - For transparency, note that Acrolinx now requires JRE 17 as the minimum runtime. This is for awareness only, since Acrolinx will host the app in our private cloud.
The table below shows each change and the steps that you need to take to keep everything running smoothly.
Table 1. What changed
|
Change |
Action required |
|---|---|
|
Webhook configuration now at the GitHub App level |
Disable existing Acrolinx webhooks before enabling the GitHubApp. |
|
Baseline mode requirements |
To run the app in baseline mode, ensure that the |
|
Webhook configuration now at the GitHub App level |
Disable existing Acrolinx webhooks before enabling the GitHub App. |
|
Baseline rule |
Install the app in the repo set by |
New configuration
To ensure transparency, the following section provides awareness of what Acrolinx does to host the single-tenant app in our own cloud infrastructure. The Acrolinx SRE team will be in charge of registering the app to work in our cloud.
Note: Customers must provide the allowed-github-logins list to Acrolinx for proper app configuration
Table 2. New configuration
|
Key |
Purpose |
Example |
|---|---|---|
|
|
Path to PEM private key (PKCS #1) downloadedduring app setup. |
|
|
|
Numeric GitHub App ID. |
|
|
|
Required: List of GitHub organizations and user accounts authorized to use the Acrolinx-hosted app instance. Acrolinx must have this list to properly configure your cloud-hosted app for your specific customer environment (case-insensitive). |
|
Installation flow
-
Open the install link from Acrolinx.
-
Click Install and select the repositories you want.
-
Manage or uninstall anytime under Settings › Applications › Installed GitHub Apps › Configure.
Who can install (Customer-Side Only)
The instructions in this section can’t be completed by Acrolinx staff. Only customer-side GitHub administrators with the appropriate permissions can install the app:
-
Organization owners – always.
-
Repository admins – if requested permissions stay within their repos.
-
Other members – GitHub notifies owners for approval.
-
Personal accounts – any GitHub user.
Permissions
Here are the scopes the app touches and why. We've kept access to the bare minimum — just enough to post results, update commit checks, and keep your content safe.
Table 3. Permissions
|
Scope |
Access |
|---|---|
|
Issues |
Read and Write |
|
Commit statuses |
Read and Write |
|
Contents |
Read and Write |
|
Pull requests |
Read and Write |
Behind the scenes
Under the hood, we've re-engineered the plumbing that powers every check — smarter tokens, tighter access, cleaner PR handling, and built-in rate-limit smarts. Here's a peek at what's humming behind the scenes.
-
Central auth middleware - We've implemented token generation, caching, and auto-refresh, so credentials stay current without manual renewal.
-
Baseline install lookup - We've added a pre-baseline routine that finds the right installation ID for every repo in your list.
-
Refactored PR flow - We've switched pull request processing to authenticate with the repo’s installation ID. We removed static tokens.
-
Stricter access checks - We've wired the app to verify
:allowed-github-loginson every install and PR event, then auto-uninstall on mismatch. -
Rate-limit handler - We’ve added logic that handles GitHub's primary rate limits.
Upgrade to Git Hosting 5.0.0 for stronger security, faster setup, and smoother multi-repository coverage across GitHub.
Previous Versions
Version 4.2.7 (7 March 2025)
Summary
Released 7 March 2027
-
Dropped support for push events - We've dropped support for push events. If you've enabled the processing of push eve, Acrolinx would post a comment on each commit. As of this release version 4.2.7, there’s no need to include “push“ in the
:allowed-event-typesconfiguration option. The integration only processes pull request events. -
Display of Analysis dashboard directly from check results - We've stopped to use a deprecated endpoint to retrieve the Content Analysis dashboard. The integration now retrieves the data directly from the check results.
-
Dependency updates - We've included needed dependence updates to this release.
-
Security vulnerability fixes - We've fixed some security vulnerabilities,
Version 4.2.6 (11 November 2024)
Summary
Released 11 November 2024
This service release comes with dependency updates and vulnerability fixes.
Version 4.2.5 (29 August 2024)
Summary
Released 29 August 2024
This service release gives you access to sample JSON configuration files via the Command Line Interface (CLI) options --sample-json-config and --sample-files. We've also made some dependency updates, fixed some security vulnerabilities, and improved the log messages.
For more information on how to configure the Git Hosting integration using JSON configuration files, visit Format Migration for Configuration Files and Repository Registry.
Version 4.2.4 (22 April 2024)
Summary
Released 22 April 2024
This release, we've made the :file-size-limit configuration option available for pull requests. We've also done some routine maintenance and security fixes.
Learn more about how to use :file-size-limit in Configurations Explained.
Version 4.2.3 (3 November 2023)
Summary
Released 3 November 2023
This service release fixes a bug that affected pull request status information. If an unsupported pull request activity came through, the pull request status would change to `succeeded`.
The GitHub pull request activities that we currently support are:
-
opened -
reopened -
synchronize
Because of the security updates included in this release, you'll need to update to Java 11 in your hosting environment for the webhook.
We've also added more information to the log entries for better monitoring.
Version 4.2.2 (6 July 2023)
Summary
Released 6 July 2023
This service release fixes a bug that popped up when the first file in a pull request wasn't successfully checked. If this was the case, you couldn't see the link to the Content Analysis dashboard in your results. We've also made some security updates.
Version 4.2.1 (12 June 2023)
Summary
Released 12 June 2023
Improvements and fixes to log entries to make it easier to monitor the private beta feature flag within the Acrolinx for GitHub integration.
Version 4.2.0 (15 May 2023)
Summary
Released 15 May 2023
This release, we've added a feature flag that enables Batch Map Style Guides for Markdown files that have been annotated with metadata. As usual, we've also provided security vulnerability fixes as usual.
This feature is currently available as a private beta, so it’s subject to change in future versions.
Platform Support
This release requires:
-
Acrolinx Platform version 2022.02 or later (Private Cloud only)
Improvements
-
Target Batch Mapping Feature Flag - We've added a private beta feature flag that enables Target Batch Mapping for Markdown files via document custom fields. Learn more about how it works.
Version 4.1.x and subsequent service releases
Version 4.1.3
Released 28 April 2023
This version fixes a bug in parallel processing that could cause both the baseline and webhook workers to stop processing.
Version 4.1.2
Released 20 March 2023
This small service release fixes a bug that caused the baseline to enter an infinite loop.
Version 4.1.1
Released 6 March 2023
Small release for maintenance and code refactoring.
Version 4.1.0
Released 16 February 2023
This is an important release with two new features that reduce errors in checks and in configuring files. We also updated our libraries to resolve a couple of high CVEs.
Platform Support
This release requires the following:
-
Acrolinx Platform version 2021.12 or later (Private Cloud only)
Improvements
Retry Mechanism for All HTTP Calls Made Towards Acrolinx, GitHub, and Azure DevOps GitThis release extends the implementation of retry mechanisms consistently for all HTTP calls. Previously, this was implemented only for those calls that often fail according to your observations.
The mechanism is used in all calls made to the Acrolinx API and the respective APIs of the Git Hosting providers that we support, namely GitHub and Azure DevOps Git. The mechanism performs retries upon receiving HTTP responses with status codes that indicate temporary unavailability of the servers and thus it increases the likelihood of successful responses. This results in reduced impact of the unavailability of the servers and increased reliability in the communication between the integration and the above mentioned platforms.
EDN to JSON Format Migration for Configuration Files and Repository RegistryThe Acrolinx for Git Hosting integration is now able to read its configuration and remote repository registry from JSON files. All three types of configuration files: the user-specific local configuration file, the global configuration file, and the repository level configuration file and the repository registry can be specified in both EDN and JSON, with JSON being the format that takes precedence.
How the remote configuration files and the repository registry are read
If the integration detects a JSON file, it reads the remote configuration from that file and it ignores the EDN configuration file. The remote EDN configuration is read if and only if there’s no JSON file present in the repository.
The above reading rules and format precedence apply to the repository registry file as well. We have provided support for both reading and writing of the repo state from and to the JSON repository registry file.
Support for JSON comments
The JSON format doesn’t support comments, however, we have provided support for comments as objects and key value pairs where the comment object name or key name starts with two forward slashes (//).
For example:
{ "//comment001": "A comment",
":foo0": [{"//comment0001": "A comment inside an array"},
"foo"],
":foo1": {
"//comment001": "Yet another comment",
":foo2": "foo2"
}
}
When the files are read, the comments are ignored. For future compatibility, we recommend the comment keys to be unique.
Naming convention for the configuration options
Note that the naming convention for the configuration options hasn’t changed, so when you specify the configuration options in your JSON files, make sure they start with a colon (:).
Naming convention for the configuration files
You need to make sure that the user-specific local configuration file ends in a .json extension. The file names are as follows:
-
Global configuration file name:
global-config.json -
Repository-level configuration file name:
acrolinx-config.json -
Repository registry file name:
repositories.json.
Bug Fixes
The Following Security Vulnerabilities Were Resolved|
Dependency (version) |
CVSS Rating |
CVE |
Found in |
|---|---|---|---|
|
org.eclipse.jetty/jetty-client ( 9.4.44.v20210927) |
LOW HIGH |
CVE-2022-2047 CVE-2022-2048 |
o.github.atomisthq/jibbit > com.cognitect.aws/api > com.cognitect/http-client |
|
com.github.jnr:jnr-posix (3.0.53) |
HIGH |
CVE-2014-4043 |
com.unbounce:clojure-dogstatsd-client@0.7.0 > com.datadoghq:java-dogstatsd-client@2.11.0 > com.github.jnr:jnr-unixsocket@0.27 > com.github.jnr:jnr-posix@3.0.53 |
Version 4.0.0 (28 December 2022)
Summary
Released 28 December 2022
This is a huge release jam packed with new features and bug fixes. Oh, and you might have noticed the new name! Read on to see all the exciting things we’ve added in this release.
Platform Support
This release requires the following:
-
Acrolinx Platform version 2021.12 or later (Private Cloud only)
We have dropped support for the following:
-
GitHub 2.0.x, 3.1.1, 3.2.0, 3.3.0, 3.4.0, and 3.5.0.
Improvements
New Name, Same FunctionalityThe GitHub and the Azure DevOps Git integrations now have a common source code base. They’ll now be available as two different git service providers under one integration, the newly released Git Hosting 4.0 integration. Upon installing the integration, you can configure which integration you want installed.
Updated Configuration OptionThis is a breaking change.
The configuration option :secret is now called :gh-secret. Please change your main config file accordingly.
Most configuration options are now supported for Azure DevOps Git pull request processing. See the end of the release notes for more details.
Decreased the Event Queue Delay from 10 Seconds to 0.1 SecondsBecause of significant improvements of the GitHub cloud system (the git service itself), we’ve been able to drastically decrease the event queue delay from 10 to 0.1 seconds! In practice, it means that the comments and status are now posted to the git hosting service (GitHub or Azure DevOps) up to 10 seconds faster.
ACROLINX_LOGGING_TARGET Option RemovedThis is a breaking change.
The environment variable ACROLINX_LOGGING_TARGET that was used to redirect the log output to the standard output has been removed due to a change in the logback library.
We recommend the following approach:
Inside the JAR, the file logback-stdout.xml can be used to redirect the log output. It is on the classpath and can be used as follows:
java -Dlogback.configurationFile=logback-stdout.xml -jar JARFILE ...
This will redirect the log output to standard output.
The file logback-stdout.xml was already included in the JARs of the versions Acrolinx for GitHub 3.6.0 and Acrolinx for Azure DevOps 1.1.0. You don't need to synchronize any deployment script changes with the integration upgrade.
The user interface of the Git Hosting integration has been removed. The main reason is that all the information provided via the former user interface is now available via command line options and the log system. This means that we can spend more time on new features, rather than maintaining an old, unused one!
Bug Fixes
Sensitive Headers May Have Been Printed to the LogsWith Azure DevOps 1.1, the persistent session ID returned by the Azure DevOps system was printed in some log entries. This has been fixed at the level of the exception system (HTTP headers aren't anymore printed to the log output in those exceptional cases).
Acrolinx Ignored Files When Config Option:allowed-filename-matches Was a String
A bug has been fixed for the configuration option :allowed-filename-matches . Previously when the value of this configuration option was a string (not a vector of strings), the integration wouldn’t check any files. The configuration option now works as designed.
Important Information
Current differences between GitHub and Azure DevOps support:
-
The Azure DevOps Git mode supports only pull request events processing.
-
The configuration option
:ignored-senderscan mean different things based on differences in the APIs of those services:-
GitHub: username
-
Azure DevOps: email address
-
-
The configuration option
:use-skip-labelrefers to the pull request label in GitHub and to the pull request tag in Azure DevOps (different terminology between the git service providers). -
The configuration option
:allow-merges-from-defaultisn’t yet supported on Azure DevOps Git.
Version 3.6.0 (19 October 2022)
Summary
Released 19 October 2022
This release, we've improved the way that Acrolinx checks your files. We've also taken care of a couple of vulnerabilities in third-party libraries. That said, we recommend that you update to this version of Acrolinx for Git Hosting.
Platform Support
Acrolinx for Git Hosting version 3.6.0 requires the following:
-
Acrolinx Platform version 2021.03 or later.
Improvements
Improved Processing of Pull Request EventsIn the past, you could send pull requests to the Acrolinx Platform in parallel, but they were processed sequentially. This meant that the average number of files in each pull request affected the processing time. We've improved this!
Acrolinx now processes incoming pull requests as quickly as possible and in parallel. With this improvement, the Acrolinx can make full use of all active language servers. Acrolinx will send as many files to the Acrolinx Platform as possible, but no more than what you configure for :acrolinx-parallel-workers. Read more about this in Configurations.
You can now send the JAR log output to the standard output. To do this, set the environment variable ACROLINX_LOGGING_TARGET to the value stdout. Learn more in our article Logging and Monitoring.
We found a couple of vulnerabilities in the third-party libraries that we use. That's why we've updated the library to a version where the vulnerabilities no longer exist. Time to do your part – go ahead and update your Acrolinx integration!
For more details, see the National Vulnerability Database.