google · maxffarrell · Mar 12, 2026 · Mar 12, 2026 · Mar 13, 2026 · Mar 13, 2026
diff --git a/example/verifyartifact/main.go b/example/verifyartifact/main.go
@@ -15,7 +15,9 @@ import (
 	"encoding/json"
 	"flag"
 	"fmt"
+	"io"
 	"log"
+	"net/http"
 	"os"
 
 	"github.com/google/go-github/v84/github"
@@ -102,16 +104,25 @@ func main() {
 		log.Fatal(err)
 	}
 
-	var b *bundle.Bundle
 	for _, attestation := range attestations.Attestations {
-		if err := json.Unmarshal(attestation.Bundle, &b); err != nil {
+		resp, err := http.Get(attestation.GetBundleURL())
+		if err != nil {
 			log.Fatal(err)
 		}
-
-		err := runVerification(sev, pb, b)
+		body, err := io.ReadAll(resp.Body)
+		resp.Body.Close()
 		if err != nil {
 			log.Fatal(err)
 		}
+
+		var b *bundle.Bundle
+		if err := json.Unmarshal(body, &b); err != nil {
+			log.Fatal(err)
+		}
+
+		if err := runVerification(sev, pb, b); err != nil {
+			log.Fatal(err)
+		}
 	}
 }
 

diff --git a/github/apps.go b/github/apps.go
@@ -7,6 +7,7 @@ package github
 
 import (
 	"context"
+	"errors"
 	"fmt"
 )
 
@@ -375,7 +376,13 @@ func (s *AppsService) DeleteInstallation(ctx context.Context, id int64) (*Respon
 		return nil, err
 	}
 
-	return s.client.Do(ctx, req, nil)
+	resp, err := s.client.Do(ctx, req, nil)
+	// GitHub returns 202 Accepted for this endpoint; treat it as success.
+	var aerr *AcceptedError
+	if errors.As(err, &aerr) {
+		return resp, nil
+	}
+	return resp, err
 }
 
 // CreateInstallationToken creates a new installation token.

diff --git a/github/apps_test.go b/github/apps_test.go
@@ -381,7 +381,7 @@ func TestAppsService_DeleteInstallation(t *testing.T) {
 
 	mux.HandleFunc("/app/installations/1", func(w http.ResponseWriter, r *http.Request) {
 		testMethod(t, r, "DELETE")
-		w.WriteHeader(http.StatusNoContent)
+		w.WriteHeader(http.StatusAccepted)
 	})
 
 	ctx := t.Context()

diff --git a/github/attestations.go b/github/attestations.go
@@ -5,20 +5,16 @@
 
 package github
 
-import (
-	"encoding/json"
-)
-
 // Attestation represents an artifact attestation associated with a repository.
-// The provided bundle can be used to verify the provenance of artifacts.
+// The provided bundle URL can be used to verify the provenance of artifacts.
 //
 // https://docs.github.com/en/actions/security-for-github-actions/using-artifact-attestations/using-artifact-attestations-to-establish-provenance-for-builds
 type Attestation struct {
-	// The attestation's Sigstore Bundle.
+	// BundleURL is the URL to retrieve the attestation's Sigstore Bundle.
 	// Refer to the sigstore bundle specification for more info:
 	// https://github.com/sigstore/protobuf-specs/blob/main/protos/sigstore_bundle.proto
-	Bundle       json.RawMessage `json:"bundle"`
-	RepositoryID int64           `json:"repository_id"`
+	BundleURL    *string `json:"bundle_url,omitempty"`
+	RepositoryID int64   `json:"repository_id"`
 }
 
 // AttestationsResponse represents a collection of artifact attestations.

diff --git a/github/dependabot_alerts.go b/github/dependabot_alerts.go
@@ -23,6 +23,12 @@ type AdvisoryCVSS struct {
 	VectorString *string  `json:"vector_string,omitempty"`
 }
 
+// AdvisoryCvssSeverities contains CVSS v3 and v4 severity information for a security advisory.
+type AdvisoryCvssSeverities struct {
+	CVSSV3 *AdvisoryCVSS `json:"cvss_v3,omitempty"`
+	CVSSV4 *AdvisoryCVSS `json:"cvss_v4,omitempty"`
+}
+
 // AdvisoryCWEs represent the advisory pertaining to Common Weakness Enumeration.
 type AdvisoryCWEs struct {
 	CWEID *string `json:"cwe_id,omitempty"`
@@ -47,6 +53,7 @@ type DependabotSecurityAdvisory struct {
 	Vulnerabilities []*AdvisoryVulnerability `json:"vulnerabilities,omitempty"`
 	Severity        *string                  `json:"severity,omitempty"`
 	CVSS            *AdvisoryCVSS            `json:"cvss,omitempty"`
+	CVSSSeverities  *AdvisoryCvssSeverities  `json:"cvss_severities,omitempty"`
 	CWEs            []*AdvisoryCWEs          `json:"cwes,omitempty"`
 	EPSS            *AdvisoryEPSS            `json:"epss,omitempty"`
 	Identifiers     []*AdvisoryIdentifier    `json:"identifiers,omitempty"`

diff --git a/github/event_types.go b/github/event_types.go
@@ -120,10 +120,9 @@ type ContentReferenceEvent struct {
 type CreateEvent struct {
 	Ref *string `json:"ref,omitempty"`
 	// RefType is the object that was created. Possible values are: "repository", "branch", "tag".
-	RefType      *string `json:"ref_type,omitempty"`
-	MasterBranch *string `json:"master_branch,omitempty"`
-	Description  *string `json:"description,omitempty"`
-	PusherType   *string `json:"pusher_type,omitempty"`
+	RefType     *string `json:"ref_type,omitempty"`
+	Description *string `json:"description,omitempty"`
+	PusherType  *string `json:"pusher_type,omitempty"`
 
 	// The following fields are only populated by Webhook events.
 	Repo         *Repository   `json:"repository,omitempty"`
@@ -1416,15 +1415,13 @@ type PushEventRepository struct {
 	WatchersCount    *int           `json:"watchers_count,omitempty"`
 	Language         *string        `json:"language,omitempty"`
 	HasIssues        *bool          `json:"has_issues,omitempty"`
-	HasDownloads     *bool          `json:"has_downloads,omitempty"`
 	HasWiki          *bool          `json:"has_wiki,omitempty"`
 	HasPages         *bool          `json:"has_pages,omitempty"`
 	ForksCount       *int           `json:"forks_count,omitempty"`
 	Archived         *bool          `json:"archived,omitempty"`
 	Disabled         *bool          `json:"disabled,omitempty"`
 	OpenIssuesCount  *int           `json:"open_issues_count,omitempty"`
 	DefaultBranch    *string        `json:"default_branch,omitempty"`
-	MasterBranch     *string        `json:"master_branch,omitempty"`
 	Organization     *string        `json:"organization,omitempty"`
 	URL              *string        `json:"url,omitempty"`
 	ArchiveURL       *string        `json:"archive_url,omitempty"`
@@ -1887,6 +1884,7 @@ type WorkflowRunEvent struct {
 // GitHub API docs: https://docs.github.com/developers/webhooks-and-events/webhooks/webhook-events-and-payloads#security_advisory
 type SecurityAdvisory struct {
 	CVSS               *AdvisoryCVSS                 `json:"cvss,omitempty"`
+	CVSSSeverities     *AdvisoryCvssSeverities       `json:"cvss_severities,omitempty"`
 	CWEs               []*AdvisoryCWEs               `json:"cwes,omitempty"`
 	GHSAID             *string                       `json:"ghsa_id,omitempty"`
 	Summary            *string                       `json:"summary,omitempty"`

diff --git a/github/event_types_test.go b/github/event_types_test.go
@@ -13482,11 +13482,10 @@ func TestCreateEvent_Marshal(t *testing.T) {
 	testJSONMarshal(t, &CreateEvent{}, "{}")
 
 	r := &CreateEvent{
-		Ref:          Ptr("r"),
-		RefType:      Ptr("rt"),
-		MasterBranch: Ptr("mb"),
-		Description:  Ptr("d"),
-		PusherType:   Ptr("pt"),
+		Ref:         Ptr("r"),
+		RefType:     Ptr("rt"),
+		Description: Ptr("d"),
+		PusherType:  Ptr("pt"),
 		Repo: &Repository{
 			ID:   Ptr(int64(1)),
 			URL:  Ptr("s"),
@@ -13600,7 +13599,6 @@ func TestCreateEvent_Marshal(t *testing.T) {
 	want := `{
 		"ref": "r",
 		"ref_type": "rt",
-		"master_branch": "mb",
 		"description": "d",
 		"pusher_type": "pt",
 		"repository": {
@@ -15533,15 +15531,13 @@ func TestPushEventRepository_Marshal(t *testing.T) {
 		WatchersCount:   Ptr(1),
 		Language:        Ptr("l"),
 		HasIssues:       Ptr(true),
-		HasDownloads:    Ptr(true),
 		HasWiki:         Ptr(true),
 		HasPages:        Ptr(true),
 		ForksCount:      Ptr(1),
 		Archived:        Ptr(true),
 		Disabled:        Ptr(true),
 		OpenIssuesCount: Ptr(1),
 		DefaultBranch:   Ptr("d"),
-		MasterBranch:    Ptr("m"),
 		Organization:    Ptr("o"),
 		URL:             Ptr("u"),
 		ArchiveURL:      Ptr("a"),
@@ -15589,15 +15585,13 @@ func TestPushEventRepository_Marshal(t *testing.T) {
 		"watchers_count": 1,
 		"language": "l",
 		"has_issues": true,
-		"has_downloads": true,
 		"has_wiki": true,
 		"has_pages": true,
 		"forks_count": 1,
 		"archived": true,
 		"disabled": true,
 		"open_issues_count": 1,
 		"default_branch": "d",
-		"master_branch": "m",
 		"organization": "o",
 		"url": "u",
 		"archive_url": "a",
@@ -18627,7 +18621,6 @@ func TestCodeScanningAlertEvent_Marshal(t *testing.T) {
 			HasWiki:          Ptr(true),
 			HasPages:         Ptr(true),
 			HasProjects:      Ptr(true),
-			HasDownloads:     Ptr(true),
 			URL:              Ptr("a"),
 			ArchiveURL:       Ptr("a"),
 			AssigneesURL:     Ptr("a"),
@@ -18812,7 +18805,6 @@ func TestCodeScanningAlertEvent_Marshal(t *testing.T) {
 		  "watchers_count": 0,
 		  "has_issues": true,
 		  "has_projects": true,
-		  "has_downloads": true,
 		  "has_wiki": true,
 		  "has_pages": true,
 		  "forks_count": 0,