Skip to content

Commit b587ce0

Browse files
authored
Merge pull request #44980 from github/repo-sync
Repo sync
2 parents 4fa5aed + ded7bec commit b587ce0

84 files changed

Lines changed: 224075 additions & 134964 deletions

File tree

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

.github/workflows/line-endings.yml

Lines changed: 45 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,45 @@
1+
name: Line endings
2+
3+
# **What it does**: Fails if any committed file violates the repo's `.gitattributes`
4+
# line-ending rules (for example, CRLF in a file declared `eol=lf`).
5+
# **Why we have it**: `.gitattributes` (`*.md text eol=lf`, `* text=auto`) only
6+
# normalizes line endings during a local `git add`/checkout. A server-side
7+
# squash-merge can commit CRLF blobs that bypass it. A file with mixed line endings
8+
# then shows as permanently "modified" on Linux runners, which breaks PR-creating
9+
# sync workflows that use peter-evans/create-pull-request. See
10+
# github/docs-engineering#6657 and github/docs-engineering#6656.
11+
# **Who does it impact**: Docs engineering, open-source engineering contributors.
12+
13+
on:
14+
workflow_dispatch:
15+
merge_group:
16+
pull_request:
17+
18+
permissions:
19+
contents: read
20+
21+
# This allows a subsequently queued workflow run to interrupt previous runs
22+
concurrency:
23+
group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}'
24+
cancel-in-progress: true
25+
26+
jobs:
27+
line-endings:
28+
if: github.repository == 'github/docs-internal' || github.repository == 'github/docs'
29+
runs-on: ubuntu-latest
30+
steps:
31+
- name: Check out repo
32+
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
33+
34+
- name: Check line endings
35+
# Re-stage every file through the `.gitattributes` filters and fail if any
36+
# committed blob disagrees with them (usually CRLF where LF is required).
37+
run: |
38+
git add --renormalize .
39+
if ! git diff --cached --quiet; then
40+
echo "::error::These files violate .gitattributes line-ending rules (usually CRLF that should be LF):"
41+
git diff --cached --name-only
42+
echo ""
43+
echo "Fix locally with: git add --renormalize . && git commit"
44+
exit 1
45+
fi

.github/workflows/sync-sdk-docs.yml

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -24,7 +24,7 @@ on:
2424
types: [opened, synchronize, reopened]
2525
paths:
2626
- '.github/workflows/sync-sdk-docs.yml'
27-
- 'src/scripts/sync-sdk-docs/**'
27+
- 'src/workflows/sync-sdk-docs/**'
2828

2929
concurrency:
3030
group: sync-sdk-docs-${{ github.event_name }}
@@ -88,7 +88,7 @@ jobs:
8888
8989
- name: Normalize content
9090
run: |
91-
npx tsx src/scripts/sync-sdk-docs/normalize-sdk-docs.ts \
91+
npx tsx src/workflows/sync-sdk-docs/normalize-sdk-docs.ts \
9292
--content-dir content \
9393
--sdk-docs-dir "$SDK_DOCS_TARGET"
9494
@@ -98,7 +98,7 @@ jobs:
9898
run: |
9999
# Puppeteer needs --no-sandbox on GitHub Actions runners
100100
echo '{ "args": ["--no-sandbox", "--disable-setuid-sandbox"] }' > /tmp/puppeteer-config.json
101-
npx tsx src/scripts/sync-sdk-docs/convert-mermaid.ts \
101+
npx tsx src/workflows/sync-sdk-docs/convert-mermaid.ts \
102102
--sdk-docs-dir "$SDK_DOCS_TARGET" \
103103
--assets-dir "$ASSETS_TARGET" \
104104
--repo-root . \

config/moda/secrets/production/secrets.yml

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -14,6 +14,11 @@ secrets:
1414
type: salt
1515
owner: '@github/docs-engineering'
1616
externally_usable: true
17+
DOCS_BOT_APP_CLIENT_ID:
18+
kind: latest_at_deployment_start
19+
type: github_app
20+
owner: '@github/docs-engineering'
21+
externally_usable: true
1722
DOCS_BOT_APP_ID:
1823
kind: latest_at_deployment_start
1924
type: github_app

content/actions/how-tos/manage-runners/use-proxy-servers.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -33,7 +33,7 @@ On Windows machines, the proxy environment variable names are case-insensitive.
3333
{% data reusables.actions.self-hosted-runner-ports-protocols %}
3434

3535
> [!WARNING]
36-
> Self-hosted runners do not support using IP addresses in the `no_proxy` environment variable. If your {% data variables.product.prodname_ghe_server %} instance uses an IP address and you configure `no_proxy` to bypass the proxy for that address, the runner will still fail to connect.
36+
> Self-hosted runners do not support using IP addresses and CIDR ranges in the `no_proxy` environment variable. If your {% data variables.product.prodname_ghe_server %} instance uses an IP address and you configure `no_proxy` to bypass the proxy for that address, the runner will still fail to connect.
3737
> If your {% data variables.product.prodname_ghe_server %} instance is accessed using an IP address and the connection must bypass the proxy, the runner will fail to connect, even if that IP address is listed in `no_proxy`.
3838
3939
### Example configurations

content/admin/managing-github-actions-for-your-enterprise/advanced-configuration-and-troubleshooting/migrating-github-actions-external-storage.md

Lines changed: 22 additions & 22 deletions
Original file line numberDiff line numberDiff line change
@@ -10,11 +10,11 @@ category:
1010
- Enable GitHub features for your enterprise
1111
---
1212

13-
## About migrating {% data variables.product.prodname_actions %} external storage
14-
15-
You can migrate {% data variables.product.prodname_actions %} external storage to a new bucket, account, or region on the same provider when consolidating cloud accounts, meeting residency requirements, or reorganizing storage tenancy.
16-
17-
The migration works because {% data variables.product.prodname_actions %} identifies stored objects by their key (path) within a bucket or container, not by the bucket or account name. As long as you preserve the internal key layout and update your configuration to point at the new location, existing workflow logs and artifacts remain accessible without interruption.
13+
## About migrating {% data variables.product.prodname_actions %} external storage
14+
15+
You can migrate {% data variables.product.prodname_actions %} external storage to a new bucket, account, or region on the same provider when consolidating cloud accounts, meeting residency requirements, or reorganizing storage tenancy.
16+
17+
The migration works because {% data variables.product.prodname_actions %} identifies stored objects by their key (path) within a bucket or container, not by the bucket or account name. As long as you preserve the internal key layout and update your configuration to point at the new location, existing workflow logs and artifacts remain accessible without interruption.
1818

1919
## Considerations
2020

@@ -43,12 +43,12 @@ Before you begin, review the following constraints. Each one shapes the migratio
4343

4444
Before performing the migration against production, rehearse the full procedure on a staging instance. Provision a staging {% data variables.product.prodname_ghe_server %} instance from a recent production backup, point it at a throwaway destination that mirrors the intended production destination, and run every step of this article end to end. For more information, see [AUTOTITLE](/admin/installation/setting-up-a-github-enterprise-server-instance/setting-up-a-staging-instance) and [AUTOTITLE](/admin/managing-github-actions-for-your-enterprise/advanced-configuration-and-troubleshooting/using-a-staging-environment).
4545

46-
A staging rehearsal validates that:
47-
48-
* Provider-side permissions, network access, and policies on the destination are correct.
49-
* The copy tool you have chosen completes successfully against representative data volumes.
50-
* The expected object count and total size match between source and destination.
51-
* Existing workflow run logs and artifacts are retrievable through the UI after cutover.
46+
A staging rehearsal validates that:
47+
48+
* Provider-side permissions, network access, and policies on the destination are correct.
49+
* The copy tool you have chosen completes successfully against representative data volumes.
50+
* The expected object count and total size match between source and destination.
51+
* Existing workflow run logs and artifacts are retrievable through the UI after cutover.
5252

5353
> [!WARNING]
5454
> Your staging instance must use different storage from your production instance. If you do not change the storage configuration, the staging instance may write into your production storage and cause data loss. For more information, see [AUTOTITLE](/admin/managing-github-actions-for-your-enterprise/advanced-configuration-and-troubleshooting/using-a-staging-environment#configuring-storage).
@@ -135,23 +135,23 @@ Work through the following steps in order. {% data variables.product.prodname_ac
135135

136136
If validation fails or you encounter issues after cutover, roll back by pointing {% data variables.location.product_location %} back at the source storage location. The source storage is your known-good copy. Do not copy data from the destination back into the source as part of rollback, because data written to the destination during a failed cutover may be partial or inconsistent, and writing it back into the source risks corrupting your only good copy.
137137

138-
> [!WARNING]
139-
> Rolling back will discard any data written or deleted after the cutover. If validation fails, roll back immediately rather than attempting extended troubleshooting. The longer you wait, the more data is at risk.
140-
141-
If validation fails or you encounter issues:
142-
143-
1. Enable maintenance mode immediately.
144-
1. In the {% data variables.enterprise.management_console %}, restore the original storage configuration values and click **Test storage settings**, then **Save settings**.
145-
1. Disable maintenance mode and re-run the validation steps with the original storage.
146-
147-
After a successful rollback, investigate the failure and plan a new migration attempt.
138+
> [!WARNING]
139+
> Rolling back will discard any data written or deleted after the cutover. If validation fails, roll back immediately rather than attempting extended troubleshooting. The longer you wait, the more data is at risk.
140+
141+
If validation fails or you encounter issues:
142+
143+
1. Enable maintenance mode immediately.
144+
1. In the {% data variables.enterprise.management_console %}, restore the original storage configuration values and click **Test storage settings**, then **Save settings**.
145+
1. Disable maintenance mode and re-run the validation steps with the original storage.
146+
147+
After a successful rollback, investigate the failure and plan a new migration attempt.
148148

149149
## {% data variables.product.prodname_registry %} considerations
150150

151151
You can apply the same migration approach to {% data variables.product.prodname_registry %} external storage, with the following important differences. Read this section in full before migrating storage on an instance that has {% data variables.product.prodname_registry %} enabled.
152152

153153
* **OpenID Connect is not available for {% data variables.product.prodname_registry %}.** {% data variables.product.prodname_registry %} only supports credentials-based authentication for external storage. The authentication-method constraint in this article still applies: keep the authentication method unchanged during migration.
154-
* **{% data variables.product.prodname_registry %} is more sensitive to timing mismatches.** When packages are published during the migration window, the system creates both new storage objects and database records. To prevent inconsistency, keep maintenance mode enabled continuously from the start of the final delta sync through successful validation of the new configuration.
154+
* **{% data variables.product.prodname_registry %} is more sensitive to timing mismatches.** When packages are published during the migration window, the system creates both new storage objects and database records. To prevent inconsistency, keep maintenance mode enabled continuously from the start of the final delta sync through successful validation of the new configuration.
155155
* **Update both configurations together if the same provider serves both products.** If you have configured {% data variables.product.prodname_actions %} and {% data variables.product.prodname_registry %} to use the same provider type and you are migrating both, plan the cutover as a single maintenance window and update both configurations before disabling maintenance mode.
156156
* **For cross-provider migrations of {% data variables.product.prodname_registry %} storage, contact {% data variables.contact.contact_ent_support %}.** Cross-provider moves are not covered here.
157157

content/code-security/concepts/supply-chain-security/index.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -10,6 +10,7 @@ redirect_from:
1010
- /code-security/supply-chain-security/understanding-your-software-supply-chain
1111
children:
1212
- supply-chain-security
13+
- open-source-license-compliance
1314
- best-practices-for-maintaining-dependencies
1415
- dependency-graph
1516
- dependency-graph-data
Lines changed: 60 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,60 @@
1+
---
2+
title: About open source license compliance
3+
shortTitle: Open Source license compliance
4+
intro: Define and enforce license policy for dependencies in your repositories with open source license compliance.
5+
product: 'Organizations owned by an enterprise account with {% data variables.product.prodname_GH_code_security %} enabled'
6+
versions:
7+
feature: open-source-license-compliance
8+
contentType: concepts
9+
category:
10+
- Secure your dependencies
11+
---
12+
13+
{% data reusables.code-security.open-source-license-compliance-public-preview-note %}
14+
15+
## Overview
16+
17+
Open source license compliance helps you **track dependency licenses** and **enforce policy** for the open source software in your supply chain. You can use license compliance to reduce legal and operational risk, catching nonconforming dependencies **before** changes are merged.
18+
19+
## How license policy works
20+
21+
You can define an enterprise or organization policy that controls which licenses dependencies are allowed to use.
22+
23+
You can specify licenses from either a built-in list or, if a license is not listed, by manually adding a SPDX license identifier.
24+
25+
Your policy is applied at the enterprise, organization, and repository scope. You can also add package or license exceptions when an **Enterprise Open Source License Manager** approves requests.
26+
27+
License evaluation uses dependency data from your repositories, including transitive dependencies detected in the dependency graph.
28+
29+
## How pull request enforcement works
30+
31+
Open source license compliance is enforced through branch rulesets. When a pull request changes package manifests, {% data variables.product.github %} compares dependency changes between the base and pull request branches, evaluates detected licenses against policy, and reports violations.
32+
33+
If there is a ruleset in **Active** mode which uses the "Requires license compliance results before merging" condition, pull requests that introduce noncompliant dependencies are blocked until violations are resolved. An **Evaluate** mode ruleset with that condition will run license checks and annotate the pull request, but not block merges.
34+
35+
Additionally, a [branch protection rule](/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule) that requires comment resolution before merging will track annotations from license checks, so even alerts generated by **Evaluate** rulesets will be subject to the protection.
36+
37+
## Where results appear
38+
39+
If a dependency's license isn't in your policy, findings will appear in pull request annotations. The annotations do not automatically generate an exception request, because the developer could decide to modify their code to avoid the noncompliant dependency. If they do want to use the dependency, {% data variables.product.github %} will prompt the developer for more information, then send the closure request to the Enterprise Open Source License Managers, who have permission to modify the policy.
40+
41+
For Enterprise Open Source License Managers, pending exception requests are available in enterprise security views and sent as email notifications.
42+
43+
## Scope and governance model
44+
45+
You can create policy at enterprise scope for a common baseline, then layer repository-specific exceptions where needed.
46+
47+
For large enterprises, a common pattern is:
48+
49+
* Define broad policy centrally
50+
* Assign the Enterprise Open Source License Manager role to policy reviewers
51+
* Use a repository custom property to classify repositories as inactive, evaluate, or active
52+
* Use rulesets that target the custom property values to control enforcement mode by repository
53+
54+
Developers with write access can view the effective policy and exceptions for a repository from the repository's license policy settings page.
55+
56+
## Next steps
57+
58+
To get started, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-license-policies).
59+
60+
For more information about rulesets, see [AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets).

content/code-security/how-tos/secure-your-supply-chain/index.md

Lines changed: 0 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -17,4 +17,3 @@ children:
1717
- secure-your-dependencies
1818
- manage-your-dependency-security
1919
- establish-provenance-and-integrity
20-
---

0 commit comments

Comments
 (0)