Merge branch 'main' into patch-1

.github/workflows/codeowners-legal.yml

@@ -20,6 +20,7 @@ on:
 permissions:
   contents: read
   pull-requests: write
+  repository-projects: read
 
 jobs:
   codeowners-legal:
@@ -33,7 +34,7 @@ jobs:
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           # Picking this number is a "best guess". If we make it too large,
-          # the checkout will take potentially unnecessariily long.
+          # the checkout will take potentially unnecessarily long.
           # This reduces the chance that tj-actions/changed-files has to
           # fetch deeper history. But if it needs to, it will.
           fetch-depth: 10
@@ -58,19 +59,14 @@ jobs:
           CHANGED_FILE_PATHS: ${{ steps.changed-files.outputs.all_changed_files }}
           CONTENT_TYPE: 'rai'
 
-      - name: Add Legal team as a reviewer
+      - name: Check for reviewers-legal label, add if missing and request review
         if: steps.checkContentType.outputs.containsContentType == 'true'
         env:
-          # The GH CLI uses a slightly different env name for
-          # the token than the GITHUB_TOKEN used by actions
-          GH_TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           PR: ${{ github.event.pull_request.html_url }}
         run: |
-          has_reviewer=$(
-            gh pr view $PR --json reviews |
-            jq 'any(.reviews[]; select(length > 0))'
-          )
-          if ! $has_reviewer
-          then
+          labels=$(gh pr view ${{ github.event.pull_request.number }} --json labels --jq '.labels[].name')
+          if ! echo "$labels" | grep -q 'reviewers-legal'; then
             gh pr edit $PR --add-reviewer github/legal-product
+            gh pr edit $PR --add-label reviewers-legal
           fi

Dockerfile

@@ -5,22 +5,30 @@
 # --------------------------------------------------------------------------------
 # BASE IMAGE
 # --------------------------------------------------------------------------------
-# To update the sha, run `docker pull node:$VERSION-alpine`
-# look for something like: `Digest: sha256:0123456789abcdef`
-FROM node:22-alpine@sha256:c13b26e7e602ef2f1074aef304ce6e9b7dd284c419b35d89fcf3cc8e44a8def9 AS base
+# To update the sha:
+# https://github.com/github/gh-base-image/pkgs/container/gh-base-image%2Fgh-base-noble
+FROM ghcr.io/github/gh-base-image/gh-base-noble:20250108-185521-gcd4825276 AS base
+
+# Install git for cloning docs-early-access & translations repos
+# Install curl for determining the early access branch
+RUN apt-get -qq update && apt-get -qq install --no-install-recommends git curl
+
+# Install Node.js latest LTS
+# https://github.com/nodejs/release#release-schedule
+# Ubuntu's apt-get install nodejs is _very_ outdated
+RUN curl -sL https://deb.nodesource.com/setup_22.x | bash -
+RUN apt-get install -y nodejs
+RUN node --version
 
 # This directory is owned by the node user
+RUN useradd -ms /bin/bash node
 ARG APP_HOME=/home/node/app
 RUN mkdir -p $APP_HOME && chown -R node:node $APP_HOME
 WORKDIR $APP_HOME
 
 # Switch to root to ensure we have permissions to copy, chmod, and install
 USER root
 
-# Install git for cloning docs-early-access & translations repos
-# Install curl for determining the early access branch
-RUN apk add --no-cache git curl
-
 # Copy in build scripts
 COPY src/deployments/production/build-scripts/*.sh ./build-scripts/
 
@@ -39,12 +47,12 @@ COPY data ./data
 # We use --mount-type=secret to avoid the secret being copied into the image layers for security
 # The secret passed via --secret can only be used in this RUN command
 RUN --mount=type=secret,id=DOCS_BOT_PAT_READPUBLICKEY \
-    # We don't cache because Docker can't know if we need to fetch new content from remote repos
-    echo "Don't cache this step by printing date: $(date)" && \
-    . ./build-scripts/fetch-repos.sh
+  # We don't cache because Docker can't know if we need to fetch new content from remote repos
+  echo "Don't cache this step by printing date: $(date)" && \
+  . ./build-scripts/fetch-repos.sh
 
 # Give node user access to the copied content since we cloned as root
-RUN chown -R node:node $APP_HOME/content 
+RUN chown -R node:node $APP_HOME/content
 RUN chown -R node:node $APP_HOME/assets
 RUN chown -R node:node $APP_HOME/data
 # Give node user access to translations repos
@@ -105,7 +113,7 @@ RUN npm run precompute-pageinfo -- --max-versions 2
 RUN npm prune --production
 
 # --------------------------------------------------------------------------------
-# PRODUCTION IMAGE 
+# PRODUCTION IMAGE
 # --------------------------------------------------------------------------------
 FROM base AS production
 
@@ -140,7 +148,7 @@ COPY --chown=node:node --from=builder $APP_HOME/next.config.js ./
 COPY --chown=node:node --from=builder $APP_HOME/tsconfig.json ./
 
 # - - -
-# Environment variables are set in the Moda 
+# Environment variables are set in the Moda
 # configuration: config/moda/configuration/*/env.yaml
 # - - -
 

content/actions/administering-github-actions/usage-limits-billing-and-administration.md

@@ -45,7 +45,7 @@ There are some limits on {% data variables.product.prodname_actions %} usage whe
 * **Job execution time** - Each job in a workflow can run for up to 6 hours of execution time. If a job reaches this limit, the job is terminated and fails to complete.
 {% data reusables.actions.usage-workflow-run-time %}
 {% data reusables.actions.usage-api-requests %}
-* **Webhook rate limit** - Each repository is limited to 1500 triggered events every 10 seconds.
+* **Webhook rate limit** - Each repository is limited to 1500 events triggering a workflow run every 10 seconds. When the limit is reached, the workflow runs that were supposed to be triggered by the webhook events will be blocked and will not be queued.
 * **Concurrent jobs** - The number of concurrent jobs you can run in your account depends on your {% data variables.product.prodname_dotcom %} plan, as well as the type of runner used. If exceeded, any additional jobs are queued.
 
   **Standard {% data variables.product.prodname_dotcom %}-hosted runners**

content/actions/security-for-github-actions/using-artifact-attestations/enforcing-artifact-attestations-with-a-kubernetes-admission-controller.md

@@ -55,7 +55,7 @@ First, install the Helm chart that deploys the Sigstore Policy Controller:
 helm upgrade policy-controller --install --atomic \
   --create-namespace --namespace artifact-attestations \
   oci://ghcr.io/github/artifact-attestations-helm-charts/policy-controller \
-  --version v0.10.0-github9
+  --version v0.12.0-github10
 ```
 
 This installs the Policy Controller into the `artifact-attestations` namespace. At this point, no policies have been configured, and it will not enforce any attestations.
@@ -139,7 +139,7 @@ To see the full set of options you may configure with the Helm chart, you can ru
 For policy controller options:
 
 ```bash copy
-helm show values oci://ghcr.io/github/artifact-attestations-helm-charts/policy-controller --version v0.10.0-github9
+helm show values oci://ghcr.io/github/artifact-attestations-helm-charts/policy-controller --version v0.12.0-github10
 ```
 
 For trust policy options:

content/admin/enforcing-policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-code-governance.md

@@ -0,0 +1,149 @@
+---
+title: Enforcing code governance in your enterprise with rulesets
+allowTitleToDifferFromFilename: true
+intro: 'You can create a ruleset to target multiple repositories in your enterprise.'
+versions:
+  feature: enterprise-code-rulesets
+permissions: 'Enterprise owners'
+shortTitle: Create rulesets
+type: how_to
+topics:
+  - Enterprise
+  - Policies
+  - Repositories
+  - Security
+---
+
+## Introduction
+
+>[!NOTE] Enterprise code rulesets are currently in public preview and subject to change.
+
+You can create rulesets to control how users can interact with code in repositories across your enterprise. You can:
+
+* Create a **branch or tag ruleset** to control things like who can push commits to a certain branch, how commits must be formatted, or who can delete or rename a tag.
+* Create a **push ruleset** to block pushes to a private or internal repository and the repository's entire fork network. Push rulesets allow you to block pushes based on file extensions, file path lengths, file and folder paths, and file sizes.
+
+To learn more, see [AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets).
+
+## Importing prebuilt rulesets
+
+To import a prebuilt ruleset created by {% data variables.product.company_short %}, see [`github/ruleset-recipes`](https://github.com/github/ruleset-recipes).
+
+{% ifversion repo-rules-management %}
+{% data reusables.repositories.import-a-ruleset-conceptual %} For more information, see "[AUTOTITLE](/organizations/managing-organization-settings/managing-rulesets-for-repositories-in-your-organization#using-ruleset-history)."
+{% endif %}
+
+## How will I define where my ruleset applies?
+
+Rulesets allow you to flexibly target the organizations, repositories, and branches where you want rules to apply.
+
+* To target **organizations**, you can select all, choose from a list, or define a dynamic pattern for organization names using `fnmatch` syntax. For syntax details, see [AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/creating-rulesets-for-a-repository#using-fnmatch-syntax).
+* Within those organizations, you can target all **repositories**, or target a dynamic list by custom property. See [AUTOTITLE](/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization).
+* Within the repositories, you can target certain **branches or tags**: all branches, the default branch, or a dynamic list using `fnmatch` syntax.
+
+When you create a ruleset that targets branches in a repository, repository administrators can no longer rename branches or change the default branch in the targeted repository. They can still create and delete branches if they have the appropriate permissions.
+
+## How can I control the format of commits?
+
+In branch or tag rulesets, you can add a rule that restricts the format of commit metadata such as commit message or author email.
+
+If you select **Must match a given regex pattern restriction**, you can use regular expression syntax to define patterns that the metadata must or must not match. For syntax details and examples, see [AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/creating-rulesets-for-a-repository#using-regular-expressions-for-commit-metadata).
+
+## Using ruleset enforcement statuses
+
+{% data reusables.repositories.rulesets-about-enforcement-statuses %}
+
+## Creating a branch or tag ruleset
+
+{% data reusables.enterprise-accounts.access-enterprise %}
+{% data reusables.enterprise-accounts.policies-tab %}
+1. Under "Policies", click **Code**.
+{% data reusables.repositories.create-ruleset-step %}
+{% data reusables.repositories.rulesets-general-step %}
+
+### Granting bypass permissions for your branch or tag ruleset
+
+You can grant certain roles, teams, or apps bypass permissions as well as the ability to approve bypass requests for your ruleset.
+
+The following are eligible for bypass access:
+* Repository admins, organization owners, and enterprise owners
+* The maintain or write role, or deploy keys.
+
+1. To grant bypass permissions for the ruleset, in the "Bypass list" section, click **Add bypass**.
+
+1. In the "Add bypass" modal dialog that appears, search for the role, team, or app you would like to grant bypass permissions, then select the role, team, or app from the "Suggestions" section and click Add Selected.
+
+{% data reusables.repositories.rulesets-branch-tag-bypass-optional-step %}
+
+### Choosing which organizations to target in your enterprise
+
+Select all organizations, choose a selection of existing organizations, or set a dynamic list by name. If you use {% data variables.product.prodname_emus %}, you can also choose to target all repositories owned by users in your enterprise.
+
+If you set a dynamic list, you'll add one or more naming patterns using `fnmatch` syntax. For example, the string `*open-source` would match any organization with a name that ends with `open-source`. For syntax details, see "[AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/creating-rulesets-for-a-repository#using-fnmatch-syntax)."
+
+### Choosing which repositories to target in your enterprise
+
+Within the selected organizations, you can target all repositories or target a dynamic list by custom property. See [AUTOTITLE](/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization).
+
+### Choosing which branches or tags to target
+
+{% data reusables.repositories.rulesets-target-branches %}
+
+### Selecting branch or tag protections
+
+In the "Branch protections" or "Tag protections" section, select the rules you want to include in the ruleset. When you select a rule, you may be able to enter additional settings for the rule. For more information on the rules, see "[AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/available-rules-for-rulesets)"
+
+### Adding metadata restrictions
+
+{% data reusables.repositories.rulesets-metadata-step %}
+
+### Finalizing your branch or tag ruleset and next steps
+
+{% data reusables.repositories.rulesets-create-and-insights-step %}
+
+{% ifversion push-rulesets %}
+
+## Creating a push ruleset
+
+{% data reusables.repositories.push-rules-fork-network-note %}
+
+You can create a push ruleset for private or internal repositories in your enterprise.
+
+{% data reusables.enterprise-accounts.access-enterprise %}
+1. In the left sidebar, in the "Policies" section, click **Code**.
+1. Click **New ruleset**.
+1. Click **New push ruleset**.
+1. Under "Ruleset name," type a name for the ruleset.
+1. Optionally, to change the default enforcement status, click **Disabled** and select an enforcement status. For more information about enforcement statuses, see [AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets)
+
+### Granting bypass permissions for your push ruleset
+
+>[!NOTE] Bypass permissions for push rulesets that target a repository will be inherited by the entire fork network for this repository. {% data reusables.repositories.rulesets-push-rulesets-bypass-permissions %}
+
+You can grant certain roles, teams, or apps bypass permissions as well as the ability to approve bypass requests for your ruleset. The following are eligible for bypass access:
+
+* Repository admins, organization owners, and enterprise owners
+* The maintain or write role, or deploy keys
+
+1. To grant bypass permissions for the ruleset, in the "Bypass list" section, click **Add bypass**.
+1. In the "Add bypass" modal dialog that appears, search for the role, team, or app you would like to grant bypass permissions, then select the role, team, or app from the "Suggestions" section and click Add Selected.
+
+### Choosing which organizations to target in your enterprise
+
+Select all organizations, choose a selection of existing organizations, or set a dynamic list by name. If you use {% data variables.product.prodname_emus %}, you can also choose to target all repositories owned by users in your enterprise.
+
+If you set a dynamic list, you'll add one or more naming patterns using `fnmatch` syntax. For example, the string `*open-source` would match any organization with a name that ends with `open-source`. For syntax details, see "[AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/creating-rulesets-for-a-repository#using-fnmatch-syntax)."
+
+### Choosing which repositories to target in your enterprise
+
+Within your chosen organizations, you can target all repositories, or target a dynamic list using custom properties. See [AUTOTITLE](/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization).
+
+### Selecting push protections
+
+{% data reusables.repositories.rulesets-push-rules-step %}
+
+### Finalizing your push ruleset and next steps
+
+{% data reusables.repositories.rulesets-create-and-insights-step %}
+
+{% endif %}

content/admin/enforcing-policies/enforcing-policies-for-your-enterprise/index.md

@@ -25,6 +25,8 @@ children:
   - /enforcing-policies-for-github-codespaces-in-your-enterprise
   - /enforcing-policies-for-code-security-and-analysis-for-your-enterprise
   - /enforcing-policies-for-personal-access-tokens-in-your-enterprise
+  - /enforcing-policies-for-code-governance
+  - /managing-policies-for-code-governance
 shortTitle: Enforce policies
 ---