Merge branch 'main' into clarify-push-event-sha

.github/actions/slack-alert/action.yml

@@ -8,6 +8,14 @@ inputs:
   slack_token:
     description: Slack token
     required: true
+  message:
+    description: The message to send to Slack
+    default: The last '${{ github.workflow }}' run failed. See ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
+    required: false
+  color:
+    description: The color of the Slack message
+    default: failure
+    required: false
 
 runs:
   using: composite
@@ -17,5 +25,5 @@ runs:
       with:
         channel: ${{ inputs.slack_channel_id }}
         bot-token: ${{ inputs.slack_token }}
-        color: failure
-        text: The last '${{ github.workflow }}' run failed. See ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
+        color: ${{ inputs.color }}
+        text: ${{ inputs.message }}

.github/branch_protection_settings/main.json

@@ -39,7 +39,8 @@
       "frame",
       "products",
       "workflows",
-      "lint-code"
+      "lint-code",
+      "secret-scanning",
     ],
     "contexts_url": "https://github.com/gitapi/repos/github/docs-internal/branches/main/protection/required_status_checks/contexts",
     "checks": [
@@ -81,7 +82,8 @@
       { "context": "frame", "app_id": 15368 },
       { "context": "products", "app_id": 15368 },
       { "context": "workflows", "app_id": 15368 },
-      { "context": "lint-code", "app_id": 15368 }
+      { "context": "lint-code", "app_id": 15368 },
+      { "context": "secret-scanning", "app_id": 15368 }
     ]
   },
   "restrictions": {

.github/workflows/alert-changed-branch-protections.yml

@@ -38,10 +38,19 @@ jobs:
         id: compare
         run: |
           # Compare the fetched branch protections with the committed ones
-          git diff --no-index .github/branch_protection_settings/${{ matrix.branch }}.json ${{ matrix.branch }}-actual.json
+          git diff --no-index .github/branch_protection_settings/${{ matrix.branch }}.json ${{ matrix.branch }}-actual.json || echo "diff_failed=true" >> $GITHUB_ENV
+
+      - name: Set failure message
+        if: env.diff_failed == 'true'
+        run: |
+          message="Alert due to changes in branch protections for ${{ matrix.branch }}. Please review the changes and ensure they are intentional. If valid, update the branch protection settings in .github/branch_protection_settings/${{ matrix.branch }}.json to match the diff in this workflow."
+          echo "failure_message=$message" >> $GITHUB_ENV
+          echo "$message"
 
       - uses: ./.github/actions/slack-alert
-        if: ${{ failure() && github.event_name != 'workflow_dispatch' }}
+        if: ${{ env.diff_failed == 'true' && github.event_name != 'workflow_dispatch' }}
         with:
           slack_channel_id: ${{ secrets.DOCS_ALERTS_SLACK_CHANNEL_ID }}
           slack_token: ${{ secrets.SLACK_DOCS_BOT_TOKEN }}
+          message: ${{ env.failure_message }}
+          color: purple

.github/workflows/enterprise-dates.yml

@@ -36,7 +36,7 @@ jobs:
 
       - name: Create pull request
         id: create-pull-request
-        uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c # pin @v6.1.0
+        uses: peter-evans/create-pull-request@6cd32fd93684475c31847837f87bb135d40a2b79 # pin @v7.0.3
         env:
           # Disable pre-commit hooks; they don't play nicely here
           HUSKY: '0'

.github/workflows/sme-review-tracking-issue.yml

@@ -40,6 +40,10 @@ jobs:
 
             ${process.env.URL}
 
+            ### Reason for SME review
+
+            @${context.payload.sender.login} (Optional) _Insert short answer regarding why SME assistance is required to review this contribution_
+
             ### Location SME review was requested
 
             _Insert link to the location SME review was initially requested_

.github/workflows/sync-graphql.yml

@@ -29,7 +29,7 @@ jobs:
           src/graphql/scripts/sync.js
       - name: Create pull request
         id: create-pull-request
-        uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c # pin @v6.1.0
+        uses: peter-evans/create-pull-request@6cd32fd93684475c31847837f87bb135d40a2b79 # pin @v7.0.3
         env:
           # Disable pre-commit hooks; they don't play nicely here
           HUSKY: '0'

.github/workflows/test.yml

@@ -45,6 +45,7 @@ jobs:
           - automated-pipelines
           # - bookmarklets
           - changelogs
+          # - code-scanning
           # - codeql-cli
           - color-schemes
           - content-linter
@@ -65,16 +66,18 @@ jobs:
           - observability
           # - open-source
           - pageinfo
+          - pagelist
           # - pages
           - products
           - redirects
           - release-notes
           - rest
           - search
+          - secret-scanning
           - shielding
-          - tracking
           # - tests
           # - tools
+          - tracking
           - versions
           - webhooks
           - workflows

content/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-user-account-settings/managing-access-to-your-personal-accounts-project-boards.md

@@ -10,9 +10,7 @@ redirect_from:
   - /account-and-profile/setting-up-and-managing-your-github-user-account/managing-user-account-settings/managing-access-to-your-user-accounts-project-boards
   - /account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-personal-account-settings/managing-access-to-your-personal-accounts-project-boards
 versions:
-  fpt: '*'
-  ghes: '*'
-  ghec: '*'
+  feature: projects-v1
 topics:
   - Accounts
 shortTitle: 'Manage {% data variables.projects.projects_v1_boards %} access'

content/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-user-account-settings/permission-levels-for-a-project-board-owned-by-a-personal-account.md

@@ -8,9 +8,7 @@ redirect_from:
   - /account-and-profile/setting-up-and-managing-your-github-user-account/managing-user-account-settings/permission-levels-for-user-owned-project-boards
   - /account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-personal-account-settings/permission-levels-for-a-project-board-owned-by-a-personal-account
 versions:
-  fpt: '*'
-  ghes: '*'
-  ghec: '*'
+  feature: projects-v1
 topics:
   - Accounts
 shortTitle: '{% data variables.projects.projects_v1_board_caps %} permissions'

content/actions/about-github-actions/understanding-github-actions.md

@@ -9,14 +9,14 @@ redirect_from:
   - /actions/learn-github-actions/introduction-to-github-actions
   - /actions/learn-github-actions/understanding-github-actions
   - /actions/learn-github-actions/essential-features-of-github-actions
+  - /articles/getting-started-with-github-actions
 versions:
   fpt: '*'
   ghes: '*'
   ghec: '*'
 type: overview
 topics:
   - Fundamentals
-layout: inline
 ---
 
 {% data reusables.actions.enterprise-github-hosted-runners %}

content/actions/hosting-your-own-runners/managing-self-hosted-runners/using-labels-with-self-hosted-runners.md

@@ -17,7 +17,7 @@ For information on how to use labels to route jobs to specific types of self-hos
 
 {% data reusables.actions.self-hosted-runner-management-permissions-required %}
 
->[!NOTE]Action Runner Controller does not support multiple labels, to find our more please read our [Action Runner Controller documentation](/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/about-actions-runner-controller#using-arc-runners-in-a-workflow)
+>[!NOTE]Actions Runner Controller does not support multiple labels, to find out more please read our [Actions Runner Controller documentation](/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/about-actions-runner-controller#using-arc-runners-in-a-workflow)
 
 ## Creating a custom label
 

content/actions/hosting-your-own-runners/managing-self-hosted-runners/using-self-hosted-runners-in-a-workflow.md

@@ -17,7 +17,7 @@ shortTitle: Use runners in a workflow
 
 You can target self-hosted runners for use in a workflow based on the labels assigned to the runners{% ifversion target-runner-groups %}, or their group membership, or a combination of these{% endif %}.
 
->[!NOTE]Action Runner Controller does not support multiple labels, only the name of the runner can be used in place of a label
+>[!NOTE]Actions Runner Controller does not support multiple labels, only the name of the runner can be used in place of a label
 
 ## About self-hosted runner labels
 

content/actions/managing-workflow-runs-and-deployments/managing-workflow-runs/approving-workflow-runs-from-public-forks.md

@@ -4,6 +4,7 @@ intro: 'When an outside contributor submits a pull request to a public repositor
 versions:
   fpt: '*'
   ghec: '*'
+  ghes: '*'
 shortTitle: Approve public fork runs
 redirect_from:
   - /actions/managing-workflow-runs/approving-workflow-runs-from-public-forks

content/actions/migrating-to-github-actions/manually-migrating-to-github-actions/migrating-from-gitlab-cicd-to-github-actions.md

@@ -125,7 +125,7 @@ Below is an example of the syntax for each system.
 
 ```yaml
 my_job:
-  image: node:10.16-jessie
+  image: node:20-bookworm-slim
 ```
 
 {% endraw %}
@@ -137,7 +137,7 @@ my_job:
 ```yaml
 jobs:
   my_job:
-    container: node:10.16-jessie
+    container: node:20-bookworm-slim
 ```
 
 {% endraw %}
@@ -369,7 +369,7 @@ container-job:
     POSTGRES_HOST: postgres
     # The default PostgreSQL port
     POSTGRES_PORT: 5432
-  image: node:10.18-jessie
+  image: node:20-bookworm-slim
   services:
     - postgres
   script:
@@ -391,7 +391,7 @@ container-job:
 jobs:
   container-job:
     runs-on: ubuntu-latest
-    container: node:10.18-jessie
+    container: node:20-bookworm-slim
 
     services:
       postgres:

content/actions/security-for-github-actions/security-hardening-your-deployments/about-security-hardening-with-openid-connect.md

@@ -182,7 +182,7 @@ The subject claim includes the environment name when the job references an envir
 
 You can configure a subject that filters for a specific [environment](/actions/deployment/targeting-different-environments/managing-environments-for-deployment) name. In this example, the workflow run must have originated from a job that has an environment named `Production`, in a repository named `octo-repo` that is owned by the `octo-org` organization:
 
-* Syntax: `repo:<orgName/repoName>:environment:<environmentName>`
+* Syntax: `repo:ORG-NAME/REPO-NAME:environment:ENVIRONMENT-NAME`
 * Example: `repo:octo-org/octo-repo:environment:Production`
 
 #### Filtering for `pull_request` events
@@ -191,7 +191,7 @@ The subject claim includes the `pull_request` string when the workflow is trigge
 
 You can configure a subject that filters for the [`pull_request`](/actions/using-workflows/events-that-trigger-workflows#pull_request) event. In this example, the workflow run must have been triggered by a `pull_request` event in a repository named `octo-repo` that is owned by the `octo-org` organization:
 
-* Syntax: `repo:<orgName/repoName>:pull_request`
+* Syntax: `repo:ORG-NAME/REPO-NAME:pull_request`
 * Example: `repo:octo-org/octo-repo:pull_request`
 
 #### Filtering for a specific branch
@@ -200,7 +200,7 @@ The subject claim includes the branch name of the workflow, but only if the job
 
 You can configure a subject that filters for a specific branch name. In this example, the workflow run must have originated from a branch named `demo-branch`, in a repository named `octo-repo` that is owned by the `octo-org` organization:
 
-* Syntax:  `repo:<orgName/repoName>:ref:refs/heads/branchName`
+* Syntax:  `repo:ORG-NAME/REPO-NAME:ref:refs/heads/BRANCH-NAME`
 * Example: `repo:octo-org/octo-repo:ref:refs/heads/demo-branch`
 
 #### Filtering for a specific tag
@@ -209,7 +209,7 @@ The subject claim includes the tag name of the workflow, but only if the job doe
 
 You can create a subject that filters for specific tag. In this example, the workflow run must have originated with a tag named `demo-tag`, in a repository named `octo-repo` that is owned by the `octo-org` organization:
 
-* Syntax: `repo:<orgName/repoName>:ref:refs/tags/<tagName>`
+* Syntax: `repo:ORG-NAME/REPO-NAME:ref:refs/tags/TAG-NAME`
 * Example: `repo:octo-org/octo-repo:ref:refs/tags/demo-tag`
 
 ### Configuring the subject in your cloud provider
@@ -304,7 +304,7 @@ Customizing the claims results in a new format for the entire `sub` claim, which
 
 {% note %}
 
-**Note**: The `sub` claim uses the shortened form `repo` (for example, `repo:<orgName/repoName>`) instead of `repository` to reference the repository.
+**Note**: The `sub` claim uses the shortened form `repo` (for example, `repo:ORG-NAME/REPO-NAME`) instead of `repository` to reference the repository.
 
 {% endnote %}
 
@@ -368,7 +368,7 @@ The following example template combines the requirement of a specific reusable w
 
 {% data reusables.actions.use-request-body-api %}
 
-This example also demonstrates how to use `"context"` to define your conditions. This is the part that follows the repository in the [default `sub` format](/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#example-subject-claims). For example, when the job references an environment, the context contains: `environment:<environmentName>`.
+This example also demonstrates how to use `"context"` to define your conditions. This is the part that follows the repository in the [default `sub` format](/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#example-subject-claims). For example, when the job references an environment, the context contains: `environment:ENVIRONMENT-NAME`.
 
 ```json
 {
@@ -382,7 +382,7 @@ This example also demonstrates how to use `"context"` to define your conditions.
 
 In your cloud provider's OIDC configuration, configure the `sub` condition to require that claims must include specific values for `repo`, `context`, and `job_workflow_ref`.
 
-This customization template requires that the `sub` uses the following format: `repo:<orgName/repoName>:environment:<environmentName>:job_workflow_ref:<reusableWorkflowPath>`.
+This customization template requires that the `sub` uses the following format: `repo:ORG-NAME/REPO-NAME:environment:ENVIRONMENT-NAME:job_workflow_ref:REUSABLE-WORKFLOW-PATH`.
 For example: `"sub": "repo:octo-org/octo-repo:environment:prod:job_workflow_ref:octo-org/octo-automation/.github/workflows/oidc.yml@refs/heads/main"`
 
 #### Example: Granting access to a specific repository

content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services.md

@@ -72,7 +72,7 @@ Edit the trust policy, adding the `sub` field to the validation conditions. For
 }
 ```
 
-If you use a workflow with an environment, the `sub` field must reference the environment name: `repo:OWNER/REPOSITORY:environment:NAME`. For more information, see "[AUTOTITLE](/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#understanding-the-oidc-token)."
+If you use a workflow with an environment, the `sub` field must reference the environment name: `repo:ORG-NAME/REPO-NAME:environment:ENVIRONMENT-NAME`. For more information, see "[AUTOTITLE](/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#understanding-the-oidc-token)."
 
 {% data reusables.actions.oidc-deployment-protection-rules %}
 
@@ -124,9 +124,9 @@ To update your workflows for OIDC, you will need to make two changes to your YAM
 
 The `aws-actions/configure-aws-credentials` action receives a JWT from the {% data variables.product.prodname_dotcom %} OIDC provider, and then requests an access token from AWS. For more information, see the AWS [documentation](https://github.com/aws-actions/configure-aws-credentials).
 
-* `<example-bucket-name>`: Add the name of your S3 bucket here.
-* `<role-to-assume>`: Replace the example with your AWS role.
-* `<example-aws-region>`: Add the name of your AWS region here.
+* `BUCKET-NAME`: Replace this with the name of your S3 bucket.
+* `AWS-REGION`: Replace this with the name of your AWS region.
+* `ROLE-TO-ASSUME`: Replace this with your AWS role. For example, `arn:aws:iam::1234567890:role/example-role`
 
 ```yaml copy
 # Sample workflow to access AWS resources when workflow is tied to branch
@@ -135,8 +135,8 @@ name: AWS example workflow
 on:
   push
 env:
-  BUCKET_NAME : "<example-bucket-name>"
-  AWS_REGION : "<example-aws-region>"
+  BUCKET_NAME : "BUCKET-NAME"
+  AWS_REGION : "AWS-REGION"
 # permission can be added at job level or workflow level
 permissions:
   id-token: write   # This is required for requesting the JWT
@@ -150,7 +150,7 @@ jobs:
       - name: configure aws credentials
         uses: aws-actions/configure-aws-credentials@v3
         with:
-          role-to-assume: arn:aws:iam::1234567890:role/example-role
+          role-to-assume: ROLE-TO-ASSUME
           role-session-name: samplerolesession
           aws-region: {% raw %}${{ env.AWS_REGION }}{% endraw %}
       # Upload a file to AWS s3

content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-google-cloud-platform.md

@@ -59,9 +59,8 @@ The `google-github-actions/auth` action receives a JWT from the {% data variable
 
 This example has a job called `Get_OIDC_ID_token` that uses actions to request a list of services from GCP.
 
-* `<example-workload-identity-provider>`: Replace this with the path to your identity provider in GCP. For example, `projects/<example-project-id>/locations/global/workloadIdentityPools/<name-of-pool>/providers/<name-of-provider>`
-* `<example-service-account>`: Replace this with the name of your service account in GCP.
-* `<project-id>`: Replace this with the ID of your GCP project.
+* `WORKLOAD-IDENTITY-PROVIDER`: Replace this with the path to your identity provider in GCP. For example, `projects/example-project-id/locations/global/workloadIdentityPools/name-of-pool/providers/name-of-provider`
+* `SERVICE-ACCOUNT`: Replace this with the name of your service account in GCP.
 
 This action exchanges a {% data variables.product.prodname_dotcom %} OIDC token for a Google Cloud access token, using [Workload Identity Federation](https://cloud.google.com/iam/docs/workload-identity-federation).
 
@@ -86,8 +85,8 @@ jobs:
       uses: 'google-github-actions/auth@v0.3.1'
       with:
           create_credentials_file: 'true'
-          workload_identity_provider: '<example-workload-identity-provider>'
-          service_account: '<example-service-account>'
+          workload_identity_provider: 'WORKLOAD-IDENTITY-PROVIDER'
+          service_account: 'SERVICE-ACCOUNT'
     - id: 'gcloud'
       name: 'gcloud'
       run: |-