Merge branch 'main' into repo-sync

.github/workflows/repo-sync-stalls.yml

@@ -2,7 +2,7 @@ name: Repo Sync Stalls
 on:
   workflow_dispatch:
   schedule:
-    - cron: '*/30 * * * *'
+    - cron: '0 */2 * * *'
 jobs:
   check-freezer:
     name: Check for deployment freezes

content/actions/learn-github-actions/security-hardening-for-github-actions.md

@@ -54,6 +54,8 @@ This means that a compromise of a single action within a workflow can be very si
   **Warning:** The short version of the commit SHA is insecure and should never be used for specifying an action's Git reference. Because of how repository networks work, any user can fork the repository and push a crafted commit to it that collides with the short SHA. This causes subsequent clones at that SHA to fail because it becomes an ambiguous commit. As a result, any workflows that use the shortened SHA will immediately fail.
 
   {% endwarning %}
+
+
 * **Audit the source code of the action**
 
   Ensure that the action is handling the content of your repository and secrets as expected. For example, check that secrets are not sent to unintended hosts, or are not inadvertently logged.
@@ -92,10 +94,14 @@ This list describes the recommended approaches for accessing repository data wit
 
 As a result, self-hosted runners should almost [never be used for public repositories](/actions/hosting-your-own-runners/about-self-hosted-runners#self-hosted-runner-security-with-public-repositories) on {% data variables.product.product_name %}, because any user can open pull requests against the repository and compromise the environment. Similarly, be cautious when using self-hosted runners on private repositories, as anyone who can fork the repository and open a PR (generally those with read-access to the repository) are able to compromise the self-hosted runner environment, including gaining access to secrets and the more privileged `GITHUB_TOKEN` which grants write-access permissions on the repository.
 
+When a self-hosted runner is defined at the organization or enterprise level, {% data variables.product.product_name %} can schedule workflows from multiple repositories onto the same runner. Consequently, a security compromise of these environments can result in a wide impact. To help reduce the scope of a compromise, you can create boundaries by organizing your self-hosted runners into separate groups. For more information, see "[Managing access to self-hosted runners using groups](/actions/hosting-your-own-runners/managing-access-to-self-hosted-runners-using-groups)."
+
 You should also consider the environment of the self-hosted runner machines:
 - What sensitive information resides on the machine configured as a self-hosted runner? For example, private SSH keys, API access tokens, among others. 
 - Does the machine have network access to sensitive services? For example, Azure or AWS metadata services. The amount of sensitive information in this environment should be kept to a minimum, and you should always be mindful that any user capable of invoking workflows has access to this environment.
 
+Some customers might attempt to partially mitigate these risks by implementing systems that automatically destroy the self-hosted runner after each job execution. However, this approach might not be as effective as intended, as there is no way to guarantee that a self-hosted runner only runs one job.
+
 ### Auditing {% data variables.product.prodname_actions %} events
 
 You can use the audit log to monitor administrative tasks in an organization. The audit log records the type of action, when it was run, and which user account performed the action.
@@ -132,5 +138,3 @@ The following tables describe the {% data variables.product.prodname_actions %}
 | `action:org.runner_group_renamed` | Triggered when an organization admin renames a self-hosted runner group. 
 | `action:org.runner_group_runners_added` | Triggered when an organization admin [adds a self-hosted runner to a group](/actions/hosting-your-own-runners/managing-access-to-self-hosted-runners-using-groups#moving-a-self-hosted-runner-to-a-group). 
 | `action:org.runner_group_runners_removed` | Triggered when an organization admin removes a self-hosted runner from a group. 
-
-

data/ui.yml

@@ -66,6 +66,14 @@ contribution_cta:
   button: Make a contribution
   or: Or,
   to_guidelines: learn how to contribute.
+enterprise_releases_list:
+  title: Enterprise Server Releases
+  currently_supported: Currently supported
+  currently_supported_message: See <a href="https://github.com/enterprise">GitHub Enterprise</a> for information about the latest release.
+  deprecated: Deprecated
+  deprecated_message: 'These docs remain available but are no longer maintained:'
+  deprecated_developer: Deprecated on developer.github.com
+  deprecated_developer_message: 'These docs remain available on the legacy <a href="https://developer.github.com">developer site</a> but are no longer maintained:'
 products:
   graphql:
     reference:

includes/article-version-switcher.html

@@ -1,5 +1,5 @@
 {% if page.permalinks and page.permalinks.length > 1 %}
-  <details class="dropdown-withArrow d-inline-block details details-reset mb-4 position-relative close-when-clicked-outside article-versions">
+  <details class="dropdown-withArrow d-inline-block details details-reset mb-1 position-relative close-when-clicked-outside article-versions">
     <summary class="d-flex flex-items-center flex-justify-between f4 h5-mktg btn-outline-mktg btn-mktg p-2">
       <!-- GitHub.com, Enterprise Server 2.16, etc -->
       <span class="d-md-none d-xl-inline-block mr-1">{% data ui.pages.article_version %}</span> {{ allVersions[currentVersion].versionTitle }}
@@ -14,6 +14,7 @@
       >
       {{ allVersions[permalink.pageVersion].versionTitle }}</a>
       {% endfor %}
+      <a class="f6 no-underline text-gray-light pt-1" href="/enterprise-server-releases">See all Enterprise releases</a>
     </div>
   </details>
 {% endif %}

includes/head.html

@@ -1,6 +1,6 @@
 <head>
   <meta charset="utf-8" />
-  <title>{% if error == '404' %}{% data ui.errors.oops %}{% elsif currentVersion == 'homepage' %}GitHub Documentation{% else %}{{ page.fullTitle }}{% endif %}</title>
+  <title>{% if error == '404' %}{% data ui.errors.oops %}{% elsif currentVersion == 'homepage' %}GitHub Documentation{% elsif page.fullTitle %}{{ page.fullTitle }}{% else %}GitHub Documentation{% endif %}</title>
   <meta name="viewport" content="width=device-width, initial-scale=1">{% if page.hidden %}
   <meta name="robots" content="noindex" />{% endif %}
   <meta name="google-site-verification" content="OgdQc0GZfjDI52wDv1bkMT-SLpBUo_h5nn9mI9L22xQ" />

layouts/enterprise-server-releases.html

@@ -0,0 +1,64 @@
+<!doctype html>
+<html lang="{{currentLanguage}}">
+  {% include head %}
+
+  <body class="d-lg-flex">
+    {% include sidebar %}
+
+    <main class="width-full">
+      <main class="container-xl px-3 px-md-6 my-4 my-lg-4 d-xl-flex">
+        <article class="markdown-body width-full">
+          <div class="d-lg-flex flex-justify-between"></div>
+
+          <div class="mt-2 article-grid-container">
+
+          <div class="article-grid-head">
+            <div class="d-flex flex-items-baseline flex-justify-between mt-3">
+              <h1 class="border-bottom-0">{% data ui.enterprise_releases_list.title %}</h1>
+            </div>
+          </div>
+          <div class="article-grid-toc border-bottom border-xl-0 pb-4 mb-5 pb-xl-0 mb-xl-0">
+            <div class="article-grid-toc-content">
+              {% if miniTocItems.size > 1 %}
+              <h3 id="in-this-article" class="f5 mb-2"><a class="link-gray-dark" href="#in-this-article">{% data ui.pages.miniToc %}</a></h3>
+              <ul class="list-style-none pl-0 f5 mb-0">
+                {% for item in miniTocItems %}
+                <li class="ml-{{ item.indentationLevel | times: 3 }} mb-2 lh-condensed">{{ item.contents }}</li>
+                {% endfor %}
+              </ul>
+              {% endif %}
+            </div>
+          </div>
+          <div id="article-contents" class="article-grid-body">
+            <h2 id="currently-supported"><a href="#currently-supported">{% data ui.enterprise_releases_list.currently_supported %}</a></h2>
+            <p>{% data ui.enterprise_releases_list.currently_supported_message %}</p>
+            <ul>
+            {% for version in enterpriseServerReleases.supported %}
+            <li><a href="/{{currentLanguage}}/enterprise-server@{{version}}">Enterprise Server {{version}}</a></li>
+            {% endfor %}
+            </ul>
+            <h2 id="deprecated"><a href="#deprecated">{% data ui.enterprise_releases_list.deprecated %}</a></h2>
+            <p>{% data ui.enterprise_releases_list.deprecated_message %}</p>
+            <ul>
+            {% for version in enterpriseServerReleases.deprecatedReleasesWithNewFormat %}
+            <li><a href="/{{currentLanguage}}/enterprise-server@{{version}}">Enterprise Server {{version}}</a></li>
+            {% endfor %}
+            {% for version in enterpriseServerReleases.deprecatedReleasesWithLegacyFormat %}
+            <li><a href="/{{currentLanguage}}/enterprise/{{version}}">Enterprise Server {{version}}</a></li>
+            {% endfor %}
+            </ul>
+            <h2 id="deprecated-on-developer.github.com"><a href="#deprecated-on-developer.github.com">{% data ui.enterprise_releases_list.deprecated_developer %}</a></h2>
+            <p>{% data ui.enterprise_releases_list.deprecated_developer_message %}</p>
+            {% for version in enterpriseServerReleases.deprecatedReleasesOnDeveloperSite %}
+            <li><a href="https://developer.github.com/enterprise/{{version}}">Enterprise Server {{version}}</a></li>
+            {% endfor %}
+            {% include support %}
+            {% include small-footer %}
+          </div>
+          </div>
+        </article>
+      </main>
+
+    </main>
+  </body>
+</html>

lib/enterprise-server-releases.js

@@ -44,6 +44,9 @@ const lastVersionWithoutStubbedRedirectFiles = '2.17'
 // last version using paths like /enterprise/<release>/<user>/<product>/<category>/<article>
 // instead of /enterprise-server@<release>/<product>/<category>/<article>
 const lastReleaseWithLegacyFormat = '2.18'
+const deprecatedReleasesWithLegacyFormat = deprecated.filter(version => versionSatisfiesRange(version, '<=2.18'))
+const deprecatedReleasesWithNewFormat = deprecated.filter(version => versionSatisfiesRange(version, '>2.18'))
+const deprecatedReleasesOnDeveloperSite = deprecated.filter(version => versionSatisfiesRange(version, '<=2.16'))
 
 module.exports = {
   supported,
@@ -57,5 +60,8 @@ module.exports = {
   dates,
   firstVersionDeprecatedOnNewSite,
   lastVersionWithoutStubbedRedirectFiles,
-  lastReleaseWithLegacyFormat
+  lastReleaseWithLegacyFormat,
+  deprecatedReleasesWithLegacyFormat,
+  deprecatedReleasesWithNewFormat,
+  deprecatedReleasesOnDeveloperSite
 }

middleware/enterprise-server-releases.js

@@ -0,0 +1,13 @@
+const { liquid } = require('../lib/render-content')
+const layouts = require('../lib/layouts')
+const getMiniTocItems = require('../lib/get-mini-toc-items')
+
+module.exports = async (req, res, next) => {
+  if (!req.path.endsWith('/enterprise-server-releases')) return next()
+
+  const html = await liquid.parseAndRender(layouts['enterprise-server-releases'], req.context)
+
+  req.context.miniTocItems = getMiniTocItems(html)
+
+  return res.send(await liquid.parseAndRender(layouts['enterprise-server-releases'], req.context))
+}

middleware/index.js

@@ -74,6 +74,7 @@ module.exports = function (app) {
   app.use(require('./contextualizers/webhooks'))
   app.use(require('./breadcrumbs'))
   app.use(require('./early-access-breadcrumbs'))
+  app.use(require('./enterprise-server-releases'))
   app.use(require('./dev-toc'))
   app.use(require('./featured-links'))