Merge branch 'main' into unwatch-repo

.devcontainer/devcontainer.json

@@ -32,12 +32,6 @@
 	"postCreateCommand": "npm ci && npm run build",
 		 
 	// Comment out connect as root instead. More info: https://aka.ms/vscode-remote/containers/non-root.
-	"remoteUser": "node",
-	
-	// Test restricting low-spec machines
-	"hostRequirements": {
-		"cpus": 8,
-		"memory": "8gb",
-		"storage": "32gb" 
-	}
+	"remoteUser": "node"
+
 }

.github/actions-scripts/fr-add-docs-reviewers-requests.js

@@ -8,88 +8,83 @@ import {
   generateUpdateProjectNextItemFieldMutation,
 } from './projects.js'
 
-async function run() {
-  // Get info about the docs-content review board project
-  // and about open github/github PRs
-  const data = await graphql(
-    `
-      query ($organization: String!, $repo: String!, $projectNumber: Int!, $num_prs: Int!) {
-        organization(login: $organization) {
-          projectNext(number: $projectNumber) {
-            id
-            items(last: 100) {
+async function getAllOpenPRs() {
+  let prsRemaining = true
+  let cursor
+  let prData = []
+  while (prsRemaining) {
+    const data = await graphql(
+      `
+        query ($organization: String!, $repo: String!) {
+          repository(name: $repo, owner: $organization) {
+            pullRequests(last: 100, states: OPEN${cursor ? ` before:"${cursor}"` : ''}) {
+              pageInfo{startCursor, hasPreviousPage},
               nodes {
                 id
-              }
-            }
-            fields(first: 20) {
-              nodes {
-                id
-                name
-                settings
-              }
-            }
-          }
-        }
-        repository(name: $repo, owner: $organization) {
-          pullRequests(last: $num_prs, states: OPEN) {
-            nodes {
-              id
-              isDraft
-              reviewRequests(first: 10) {
-                nodes {
-                  requestedReviewer {
-                    ... on Team {
-                      name
-                    }
-                  }
-                }
-              }
-              labels(first: 5) {
-                nodes {
-                  name
-                }
-              }
-              reviews(first: 10) {
-                nodes {
-                  onBehalfOf(first: 1) {
-                    nodes {
-                      name
-                    }
-                  }
-                }
-              }
-              author {
-                login
+                isDraft
+                reviewRequests(first: 10) {
+                  nodes {
+                    requestedReviewer {
+                      ... on Team {
+                        name
+                      }
+                    }
+                  }
+                }
+                labels(first: 5) {
+                  nodes {
+                    name
+                  }
+                }
+                reviews(first: 10) {
+                  nodes {
+                    onBehalfOf(first: 1) {
+                      nodes {
+                        name
+                      }
+                    }
+                  }
+                }
+                author {
+                  login
+                }
               }
             }
           }
         }
+      `,
+      {
+        organization: process.env.ORGANIZATION,
+        repo: process.env.REPO,
+        headers: {
+          authorization: `token ${process.env.TOKEN}`,
+        },
       }
-    `,
-    {
-      organization: process.env.ORGANIZATION,
-      repo: process.env.REPO,
-      projectNumber: parseInt(process.env.PROJECT_NUMBER),
-      num_prs: parseInt(process.env.NUM_PRS),
-      headers: {
-        authorization: `token ${process.env.TOKEN}`,
-        'GraphQL-Features': 'projects_next_graphql',
-      },
-    }
-  )
+    )
+
+    prsRemaining = data.repository.pullRequests.pageInfo.hasPreviousPage
+    cursor = data.repository.pullRequests.pageInfo.startCursor
+    prData = [...prData, ...data.repository.pullRequests.nodes]
+  }
+
+  return prData
+}
+
+async function run() {
+  // Get info about open github/github PRs
+  const prData = await getAllOpenPRs()
 
   // Get the PRs that are:
   // - not draft
   // - not a train
   // - are requesting a review by docs-reviewers
   // - have not already been reviewed on behalf of docs-reviewers
-  const prs = data.repository.pullRequests.nodes.filter(
+  const prs = prData.filter(
     (pr) =>
       !pr.isDraft &&
       !pr.labels.nodes.find((label) => label.name === 'Deploy train 🚂') &&
       pr.reviewRequests.nodes.find(
-        (requestedReviewers) => requestedReviewers.requestedReviewer.name === process.env.REVIEWER
+        (requestedReviewers) => requestedReviewers.requestedReviewer?.name === process.env.REVIEWER
       ) &&
       !pr.reviews.nodes
         .flatMap((review) => review.onBehalfOf.nodes)
@@ -104,28 +99,60 @@ async function run() {
   const prAuthors = prs.map((pr) => pr.author.login)
   console.log(`PRs found: ${prIDs}`)
 
+  // Get info about the docs-content review board project
+  const projectData = await graphql(
+    `
+      query ($organization: String!, $projectNumber: Int!) {
+        organization(login: $organization) {
+          projectNext(number: $projectNumber) {
+            id
+            items(last: 100) {
+              nodes {
+                id
+              }
+            }
+            fields(first: 100) {
+              nodes {
+                id
+                name
+                settings
+              }
+            }
+          }
+        }
+      }
+    `,
+    {
+      organization: process.env.ORGANIZATION,
+      projectNumber: parseInt(process.env.PROJECT_NUMBER),
+      headers: {
+        authorization: `token ${process.env.TOKEN}`,
+      },
+    }
+  )
+
   // Get the project ID
-  const projectID = data.organization.projectNext.id
+  const projectID = projectData.organization.projectNext.id
 
   // Get the IDs of the last 100 items on the board.
   // Until we have a way to check from a PR whether the PR is in a project,
   // this is how we (roughly) avoid overwriting PRs that are already on the board.
   // If we are overwriting items, query for more items.
-  const existingItemIDs = data.organization.projectNext.items.nodes.map((node) => node.id)
+  const existingItemIDs = projectData.organization.projectNext.items.nodes.map((node) => node.id)
 
   // Get the ID of the fields that we want to populate
-  const datePostedID = findFieldID('Date posted', data)
-  const reviewDueDateID = findFieldID('Review due date', data)
-  const statusID = findFieldID('Status', data)
-  const featureID = findFieldID('Feature', data)
-  const contributorTypeID = findFieldID('Contributor type', data)
-  const sizeTypeID = findFieldID('Size', data)
-  const authorID = findFieldID('Contributor', data)
+  const datePostedID = findFieldID('Date posted', projectData)
+  const reviewDueDateID = findFieldID('Review due date', projectData)
+  const statusID = findFieldID('Status', projectData)
+  const featureID = findFieldID('Feature', projectData)
+  const contributorTypeID = findFieldID('Contributor type', projectData)
+  const sizeTypeID = findFieldID('Size', projectData)
+  const authorID = findFieldID('Contributor', projectData)
 
   // Get the ID of the single select values that we want to set
-  const readyForReviewID = findSingleSelectID('Ready for review', 'Status', data)
-  const hubberTypeID = findSingleSelectID('Hubber or partner', 'Contributor type', data)
-  const docsMemberTypeID = findSingleSelectID('Docs team', 'Contributor type', data)
+  const readyForReviewID = findSingleSelectID('Ready for review', 'Status', projectData)
+  const hubberTypeID = findSingleSelectID('Hubber or partner', 'Contributor type', projectData)
+  const docsMemberTypeID = findSingleSelectID('Docs team', 'Contributor type', projectData)
 
   // Add the PRs to the project
   const itemIDs = await addItemsToProject(prIDs, projectID)

.github/actions-scripts/projects.js

@@ -114,6 +114,29 @@ export async function isDocsTeamMember(login) {
   return teamMembers.includes(login)
 }
 
+// Given a GitHub login, returns a bool indicating
+// whether the login is part of the GitHub org
+export async function isGitHubOrgMember(login) {
+  const data = await graphql(
+    `
+      query {
+        user(login: "${login}") {
+          organization(login: "github"){
+            name
+          }
+        }
+      }
+    `,
+    {
+      headers: {
+        authorization: `token ${process.env.TOKEN}`,
+      },
+    }
+  )
+
+  return Boolean(data.user.organization)
+}
+
 // Formats a date object into the required format for projects
 export function formatDateForProject(date) {
   return date.getFullYear() + '-' + (date.getMonth() + 1) + '-' + date.getDate()
@@ -246,6 +269,7 @@ export default {
   addItemsToProject,
   addItemToProject,
   isDocsTeamMember,
+  isGitHubOrgMember,
   findFieldID,
   findSingleSelectID,
   formatDateForProject,

.github/actions-scripts/ready-for-docs-review.js

@@ -3,6 +3,7 @@ import { graphql } from '@octokit/graphql'
 import {
   addItemToProject,
   isDocsTeamMember,
+  isGitHubOrgMember,
   findFieldID,
   findSingleSelectID,
   generateUpdateProjectNextItemFieldMutation,
@@ -178,9 +179,12 @@ async function run() {
   let contributorType
   if (await isDocsTeamMember(process.env.AUTHOR_LOGIN)) {
     contributorType = docsMemberTypeID
+  } else if (await isGitHubOrgMember(process.env.AUTHOR_LOGIN)) {
+    contributorType = hubberTypeID
   } else if (process.env.REPO === 'github/docs') {
     contributorType = osContributorTypeID
   } else {
+    // use hubber as the fallback so that the PR doesn't get lost on the board
     contributorType = hubberTypeID
   }
 

.github/actions-scripts/staging-undeploy.js

@@ -1,50 +0,0 @@
-#!/usr/bin/env node
-
-import parsePrUrl from '../../script/deployment/parse-pr-url.js'
-import getOctokit from '../../script/helpers/github.js'
-import undeployFromStaging from '../../script/deployment/undeploy-from-staging.js'
-
-const { GITHUB_TOKEN, HEROKU_API_TOKEN } = process.env
-
-// Exit if GitHub Actions PAT is not found
-if (!GITHUB_TOKEN) {
-  throw new Error('You must supply a GITHUB_TOKEN environment variable!')
-}
-
-// Exit if Heroku API token is not found
-if (!HEROKU_API_TOKEN) {
-  throw new Error('You must supply a HEROKU_API_TOKEN environment variable!')
-}
-
-// This helper uses the `GITHUB_TOKEN` implicitly!
-// We're using our usual version of Octokit vs. the provided `github`
-// instance to avoid versioning discrepancies.
-const octokit = getOctokit()
-
-const { RUN_ID, PR_URL } = process.env
-
-if (!RUN_ID) {
-  throw new Error('$RUN_ID not set')
-}
-if (!PR_URL) {
-  throw new Error('$PR_URL not set')
-}
-
-const { owner, repo, pullNumber } = parsePrUrl(PR_URL)
-if (!owner || !repo || !pullNumber) {
-  throw new Error(
-    `'pullRequestUrl' input must match URL format 'https://github.com/github/(docs|docs-internal)/pull/123' but was '${PR_URL}'`
-  )
-}
-
-const { data: pullRequest } = await octokit.pulls.get({
-  owner,
-  repo,
-  pull_number: pullNumber,
-})
-
-await undeployFromStaging({
-  octokit,
-  pullRequest: pullRequest,
-  runId: RUN_ID,
-})

.github/allowed-actions.js

@@ -1,38 +0,0 @@
-// This is an AllowList of GitHub Actions that are approved for use in this project.
-// If a new or existing workflow file is updated to use an action or action version not listed here,
-// CI will fail and the action will need to be audited by the docs engineering team before it
-// can be added it this list.
-
-export default [
-  'actions/cache@c64c572235d810460d0d6876e9c705ad5002b353', // v2.1.6
-  'actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579', // v2.4.0
-  'actions/github-script@2b34a689ec86a68d8ab9478298f91d5401337b7d', // v4.0.2
-  'actions/labeler@5f867a63be70efff62b767459b009290364495eb', // v2.2.0
-  'actions/setup-node@04c56d2f954f1e4c69436aa54cfef261a018f458', // v2.5.0
-  'actions/stale@cdf15f641adb27a71842045a94023bef6945e3aa', // v4.0.0
-  'actions/upload-artifact@27121b0bdffd731efa15d66772be8dc71245d074', // v2.2.4
-  'alex-page/github-project-automation-plus@bb266ff4dde9242060e2d5418e120a133586d488', // v0.8.1
-  'andymckay/labeler@e6c4322d0397f3240f0e7e30a33b5c5df2d39e90', // v1.0.4
-  'cschleiden/actions-linter@caffd707beda4fc6083926a3dff48444bc7c24aa', // uses github-actions-parser v0.23.0
-  'dawidd6/action-delete-branch@47743101a121ad657031e6704086271ca81b1911', // v3.0.2
-  'dawidd6/action-download-artifact@af92a8455a59214b7b932932f2662fdefbd78126', // v2.15.0
-  'dorny/paths-filter@eb75a1edc117d3756a18ef89958ee59f9500ba58',
-  'trilom/file-changes-action@a6ca26c14274c33b15e6499323aac178af06ad4b', // v1.2.4
-  'github/codeql-action/analyze@v1',
-  'github/codeql-action/init@v1',
-  'juliangruber/approve-pull-request-action@c530832d4d346c597332e20e03605aa94fa150a8',
-  'juliangruber/find-pull-request-action@db875662766249c049b2dcd85293892d61cb0b51', // v1.5.0
-  'juliangruber/read-file-action@e0a316da496006ffd19142f0fd594a1783f3b512',
-  'lee-dohm/no-response@9bb0a4b5e6a45046f00353d5de7d90fb8bd773bb',
-  'peter-evans/create-issue-from-file@b4f9ee0a9d4abbfc6986601d9b1a4f8f8e74c77e',
-  'peter-evans/create-or-update-comment@5221bf4aa615e5c6e95bb142f9673a9c791be2cd',
-  'peter-evans/create-pull-request@7380612b49221684fefa025244f2ef4008ae50ad', // v3.10.1
-  'peter-evans/find-comment@d2dae40ed151c634e4189471272b57e76ec19ba8', // v1.3.0
-  'rachmari/actions-add-new-issue-to-column@1a459ef92308ba7c9c9dc2fcdd72f232495574a9',
-  'repo-sync/github-sync@3832fe8e2be32372e1b3970bbae8e7079edeec88',
-  'repo-sync/pull-request@65194d8015be7624d231796ddee1cd52a5023cb3', // v2.6
-  'someimportantcompany/github-actions-slack-message@f8d28715e7b8a4717047d23f48c39827cacad340', // v1.2.2
-  'tjenkinson/gh-action-auto-merge-dependency-updates@c47f6255e06f36e84201ee940466e731ffa6e885', // v1.1.1
-  'Bhacaz/checkout-files@c8f01756bfd894ba746d5bf48205e19000b0742b', // v1.0.0
-  'EndBug/add-and-commit@2bdc0a61a03738a1d1bda24d566ad0dbe3083d87',
-]

.github/workflows/autoupdate-branch.yml

@@ -27,6 +27,12 @@ on:
 permissions:
   contents: read
 
+# This allows a subsequently queued workflow run to take priority over
+# previously queued runs but NOT interrupt currently executing runs
+concurrency:
+  group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}'
+  cancel-in-progress: false
+
 jobs:
   autoupdate:
     if: github.repository == 'github/docs-internal' || github.repository == 'github/docs'

.github/workflows/browser-test.yml

@@ -22,16 +22,20 @@ on:
 permissions:
   contents: read
 
+# This allows a subsequently queued workflow run to interrupt previous runs
+concurrency:
+  group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}'
+  cancel-in-progress: true
+
 jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      # Each of these ifs needs to be repeated at each step to make sure the required check still runs
-      # Even if if doesn't do anything
       - name: Checkout
         uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579
         with:
           lfs: true
+
       - name: Checkout LFS objects
         run: git lfs checkout
 
@@ -50,13 +54,13 @@ jobs:
         run: npm ci --include=optional
 
       - name: Cache nextjs build
-        uses: actions/cache@c64c572235d810460d0d6876e9c705ad5002b353
+        uses: actions/cache@937d24475381cd9c75ae6db12cb4e79714b926ed
         with:
           path: .next/cache
           key: ${{ runner.os }}-nextjs-${{ hashFiles('package*.json') }}
 
       - name: Cache lib/redirects/.redirects-cache_en_ja.json
-        uses: actions/cache@c64c572235d810460d0d6876e9c705ad5002b353
+        uses: actions/cache@937d24475381cd9c75ae6db12cb4e79714b926ed
         with:
           path: lib/redirects/.redirects-cache_en_ja.json
           key: ${{ runner.os }}-redirects-cache-${{ hashFiles('.github/workflows/browser-test.yml') }}

.github/workflows/check-all-english-links.yml

@@ -35,7 +35,7 @@ jobs:
       - name: npm ci
         run: npm ci
       - name: Cache nextjs build
-        uses: actions/cache@c64c572235d810460d0d6876e9c705ad5002b353
+        uses: actions/cache@937d24475381cd9c75ae6db12cb4e79714b926ed
         with:
           path: .next/cache
           key: ${{ runner.os }}-nextjs-${{ hashFiles('package*.json') }}

.github/workflows/code-lint.yml

@@ -6,9 +6,6 @@ name: Lint code
 
 on:
   workflow_dispatch:
-  push:
-    branches:
-      - main
   pull_request:
     paths:
       - '**.js'
@@ -27,6 +24,11 @@ on:
 permissions:
   contents: read
 
+# This allows a subsequently queued workflow run to interrupt previous runs
+concurrency:
+  group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}'
+  cancel-in-progress: true
+
 jobs:
   lint:
     runs-on: ubuntu-latest

.github/workflows/codeql.yml

@@ -20,14 +20,19 @@ permissions:
   contents: read
   security-events: write
 
+# This allows a subsequently queued workflow run to interrupt previous runs
+concurrency:
+  group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}'
+  cancel-in-progress: true
+
 jobs:
   build:
     if: github.repository == 'github/docs-internal' || github.repository == 'github/docs'
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579
-      - uses: github/codeql-action/init@v1
+      - uses: github/codeql-action/init@5f532563584d71fdef14ee64d17bafb34f751ce5
         with:
           languages: javascript # comma separated list of values from {go, python, javascript, java, cpp, csharp} (not YET ruby, sorry!)
-      - uses: github/codeql-action/analyze@v1
+      - uses: github/codeql-action/analyze@5f532563584d71fdef14ee64d17bafb34f751ce5
         continue-on-error: true

.github/workflows/content-changes-table-comment.yml

@@ -7,12 +7,16 @@ name: Content Changes Table Comment
 on:
   workflow_dispatch:
   pull_request_target:
-    types: [opened, synchronize, reopened]
 
 permissions:
   contents: read
   pull-requests: write
 
+# This allows a subsequently queued workflow run to interrupt previous runs
+concurrency:
+  group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}'
+  cancel-in-progress: true
+
 jobs:
   PR-Preview-Links:
     if: github.event.pull_request.user.login != 'Octomerger'

.github/workflows/create-translation-batch-pr.yml

@@ -166,6 +166,12 @@ jobs:
           script/i18n/report-reset-files.js --report-type=csv --language=${{ matrix.language }} --log-file=/tmp/batch.log > $csvFile
           git add -f $csvFile && git commit -m "Check in ${{ matrix.language }} CSV report" || echo "Nothing to commit"
 
+      - name: Close existing stale batches
+        uses: lee-dohm/close-matching-issues@e9e43aad2fa6f06a058cedfd8fb975fd93b56d8f
+        with:
+          token: ${{ secrets.OCTOMERGER_PAT_WITH_REPO_AND_WORKFLOW_SCOPE }}
+          query: 'type:pr label:translation-batch-${{ matrix.language }}'
+
       - name: Create Pull Request
         env:
           GITHUB_TOKEN: ${{ secrets.DOCUBOT_REPO_PAT }}

.github/workflows/crowdin-cleanup.yml

@@ -13,6 +13,11 @@ on:
 permissions:
   contents: write
 
+# This allows a subsequently queued workflow run to interrupt previous runs
+concurrency:
+  group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}'
+  cancel-in-progress: true
+
 jobs:
   homogenize_frontmatter:
     name: Homogenize frontmatter
@@ -36,7 +41,7 @@ jobs:
         run: script/i18n/homogenize-frontmatter.js
 
       - name: Check in homogenized files
-        uses: EndBug/add-and-commit@2bdc0a61a03738a1d1bda24d566ad0dbe3083d87
+        uses: EndBug/add-and-commit@8c12ff729a98cfbcd3fe38b49f55eceb98a5ec02
         with:
           # The arguments for the `git add` command
           add: 'translations'

.github/workflows/docs-review-collect.yml

@@ -40,6 +40,3 @@ jobs:
           ORGANIZATION: 'github'
           REPO: 'github'
           REVIEWER: 'docs-reviewers'
-          # This is an educated guess of how many PRs are opened in a day on the github/github repo
-          # If we are missing PRs, either increase this number or increase the frequency at which this script is run
-          NUM_PRS: 100

.github/workflows/enterprise-dates.yml

@@ -55,7 +55,7 @@ jobs:
 
       - name: Create pull request
         id: create-pull-request
-        uses: peter-evans/create-pull-request@7380612b49221684fefa025244f2ef4008ae50ad
+        uses: peter-evans/create-pull-request@dcd5fd746d53dd8de555c0f10bca6c35628be47a
         env:
           # Disable pre-commit hooks; they don't play nicely here
           HUSKY: '0'

.github/workflows/enterprise-release-sync-search-index.yml

@@ -29,6 +29,11 @@ on:
 permissions:
   contents: write
 
+# This allows a subsequently queued workflow run to interrupt previous runs
+concurrency:
+  group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}'
+  cancel-in-progress: true
+
 # This workflow requires a label in the format `sync-english-index-for-<PLAN@RELEASE>`
 jobs:
   updateIndices:
@@ -58,7 +63,7 @@ jobs:
         run: $GITHUB_WORKSPACE/.github/actions-scripts/enterprise-search-label.js
 
       - name: Cache nextjs build
-        uses: actions/cache@c64c572235d810460d0d6876e9c705ad5002b353
+        uses: actions/cache@937d24475381cd9c75ae6db12cb4e79714b926ed
         with:
           path: .next/cache
           key: ${{ runner.os }}-nextjs-${{ hashFiles('package*.json') }}

.github/workflows/hubber-contribution-help.yml

@@ -5,7 +5,7 @@ name: Hubber contribution help
 # **Who does it impact**: docs-internal contributors
 
 on:
-  pull_request:
+  pull_request_target:
     types:
       - opened
     paths:

.github/workflows/link-check-all.yml

@@ -16,6 +16,11 @@ permissions:
   # Needed for the 'trilom/file-changes-action' action
   pull-requests: read
 
+# This allows a subsequently queued workflow run to interrupt previous runs
+concurrency:
+  group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}'
+  cancel-in-progress: true
+
 jobs:
   build:
     runs-on: ${{ fromJSON('["ubuntu-latest", "self-hosted"]')[github.repository == 'github/docs-internal'] }}
@@ -41,7 +46,7 @@ jobs:
           output: ' '
       - name: Insight into changed files
         run: |
-          echo ${{ steps.get_diff_files.outputs.files }}
+          echo "${{ steps.get_diff_files.outputs.files }}"
 
       - name: Link check (warnings, changed files)
         run: |
@@ -51,11 +56,10 @@ jobs:
             --check-anchors \
             --check-images \
             --verbose \
-            ${{ steps.get_diff_files.outputs.files }}
+            "${{ steps.get_diff_files.outputs.files }}"
 
       - name: Link check (critical, all files)
         run: |
-
           ./script/rendered-content-link-checker.mjs \
             --language en \
             --exit \

.github/workflows/link-check-dotcom.yml

@@ -11,6 +11,11 @@ on:
 permissions:
   contents: read
 
+# This allows a subsequently queued workflow run to interrupt previous runs
+concurrency:
+  group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}'
+  cancel-in-progress: true
+
 jobs:
   build:
     runs-on: ${{ fromJSON('["ubuntu-latest", "self-hosted"]')[github.repository == 'github/docs-internal'] }}
@@ -30,7 +35,7 @@ jobs:
         run: npm ci
 
       - name: Cache nextjs build
-        uses: actions/cache@c64c572235d810460d0d6876e9c705ad5002b353
+        uses: actions/cache@937d24475381cd9c75ae6db12cb4e79714b926ed
         with:
           path: .next/cache
           key: ${{ runner.os }}-nextjs-${{ hashFiles('package*.json') }}

.github/workflows/link-check-ghae.yml

@@ -11,6 +11,11 @@ on:
 permissions:
   contents: read
 
+# This allows a subsequently queued workflow run to interrupt previous runs
+concurrency:
+  group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}'
+  cancel-in-progress: true
+
 jobs:
   build:
     runs-on: ${{ fromJSON('["ubuntu-latest", "self-hosted"]')[github.repository == 'github/docs-internal'] }}
@@ -30,7 +35,7 @@ jobs:
         run: npm ci
 
       - name: Cache nextjs build
-        uses: actions/cache@c64c572235d810460d0d6876e9c705ad5002b353
+        uses: actions/cache@937d24475381cd9c75ae6db12cb4e79714b926ed
         with:
           path: .next/cache
           key: ${{ runner.os }}-nextjs-${{ hashFiles('package*.json') }}

.github/workflows/link-check-ghec.yml

@@ -11,6 +11,11 @@ on:
 permissions:
   contents: read
 
+# This allows a subsequently queued workflow run to interrupt previous runs
+concurrency:
+  group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}'
+  cancel-in-progress: true
+
 jobs:
   build:
     runs-on: ${{ fromJSON('["ubuntu-latest", "self-hosted"]')[github.repository == 'github/docs-internal'] }}
@@ -28,7 +33,7 @@ jobs:
         run: npm ci
 
       - name: Cache nextjs build
-        uses: actions/cache@c64c572235d810460d0d6876e9c705ad5002b353
+        uses: actions/cache@937d24475381cd9c75ae6db12cb4e79714b926ed
         with:
           path: .next/cache
           key: ${{ runner.os }}-nextjs-${{ hashFiles('package*.json') }}

.github/workflows/link-check-ghes.yml

@@ -11,6 +11,11 @@ on:
 permissions:
   contents: read
 
+# This allows a subsequently queued workflow run to interrupt previous runs
+concurrency:
+  group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}'
+  cancel-in-progress: true
+
 jobs:
   build:
     runs-on: ${{ fromJSON('["ubuntu-latest", "self-hosted"]')[github.repository == 'github/docs-internal'] }}
@@ -30,7 +35,7 @@ jobs:
         run: npm ci
 
       - name: Cache nextjs build
-        uses: actions/cache@c64c572235d810460d0d6876e9c705ad5002b353
+        uses: actions/cache@937d24475381cd9c75ae6db12cb4e79714b926ed
         with:
           path: .next/cache
           key: ${{ runner.os }}-nextjs-${{ hashFiles('package*.json') }}

.github/workflows/merged-notification.yml

@@ -11,6 +11,7 @@ on:
 
 permissions:
   issues: write
+  pull-requests: write
 
 jobs:
   comment:

.github/workflows/openapi-decorate.yml

@@ -11,6 +11,11 @@ permissions:
   contents: write
   pull-requests: write
 
+# This allows a subsequently queued workflow run to interrupt previous runs
+concurrency:
+  group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}'
+  cancel-in-progress: true
+
 jobs:
   generate-decorated-files:
     if: >-
@@ -41,7 +46,7 @@ jobs:
         run: script/rest/update-files.js --decorate-only
 
       - name: Check in the decorated files
-        uses: EndBug/add-and-commit@2bdc0a61a03738a1d1bda24d566ad0dbe3083d87
+        uses: EndBug/add-and-commit@8c12ff729a98cfbcd3fe38b49f55eceb98a5ec02
         with:
           # The arguments for the `git add` command
           add: 'lib/rest/static/decorated'

.github/workflows/openapi-schema-check.yml

@@ -26,6 +26,11 @@ on:
 permissions:
   contents: read
 
+# This allows a subsequently queued workflow run to interrupt previous runs
+concurrency:
+  group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}'
+  cancel-in-progress: true
+
 jobs:
   check-schema-versions:
     if: ${{ github.repository == 'github/docs-internal' }}

.github/workflows/orphaned-assets-check.yml

@@ -0,0 +1,30 @@
+name: 'Orphaned assets check'
+
+# **What it does**: Checks that there are no files in ./assets/ that aren't mentioned in any source file.
+# **Why we have it**: To avoid orphans into the repo.
+# **Who does it impact**: Docs content.
+
+on:
+  pull_request:
+
+permissions:
+  contents: read
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579
+
+      - name: Setup node
+        uses: actions/setup-node@04c56d2f954f1e4c69436aa54cfef261a018f458
+        with:
+          node-version: 16.13.x
+          cache: npm
+
+      - name: Install
+        run: npm ci
+
+      - name: Check for orphaned assets
+        run: ./script/find-orphaned-assets.mjs --verbose --exit

.github/workflows/pa11y.yml

@@ -30,7 +30,7 @@ jobs:
         run: npm ci --include=optional
 
       - name: Cache nextjs build
-        uses: actions/cache@c64c572235d810460d0d6876e9c705ad5002b353
+        uses: actions/cache@937d24475381cd9c75ae6db12cb4e79714b926ed
         with:
           path: .next/cache
           key: ${{ runner.os }}-nextjs-${{ hashFiles('package*.json') }}

.github/workflows/package-lock-lint.yml

@@ -14,6 +14,11 @@ on:
 permissions:
   contents: read
 
+# This allows a subsequently queued workflow run to interrupt previous runs
+concurrency:
+  group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}'
+  cancel-in-progress: true
+
 jobs:
   lint:
     runs-on: ubuntu-latest

.github/workflows/prod-build-deploy-azure.yml

@@ -0,0 +1,90 @@
+name: Production (Azure) - Build and Deploy
+
+# **What it does**: Builds and deploys the default branch to production
+# **Why we have it**: To enable us to deploy the latest to production whenever necessary rather than relying on PR merges.
+# **Who does it impact**: All contributors.
+
+on:
+  push:
+    branches:
+      - main
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  deployments: write
+
+# This allows a subsequently queued workflow run to take priority over
+# previously queued runs but NOT interrupt currently executing runs
+concurrency:
+  group: '${{ github.workflow }}'
+  cancel-in-progress: false
+
+jobs:
+  build-and-deploy:
+    if: ${{ github.repository == 'github/docs-internal' }}
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    env:
+      IMAGE_TAG_BASE: ${{ secrets.PROD_REGISTRY_SERVER }}/${{ github.repository }}
+
+    steps:
+      - name: 'Docker login'
+        uses: azure/docker-login@81744f9799e7eaa418697cb168452a2882ae844a
+        with:
+          login-server: ${{ secrets.PROD_REGISTRY_SERVER }}
+          username: ${{ secrets.PROD_REGISTRY_USERNAME }}
+          password: ${{ secrets.PROD_REGISTRY_PASSWORD }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@94ab11c41e45d028884a99163086648e898eed25
+
+      - name: Check out repo
+        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579
+        with:
+          ref: ${{ github.sha }}
+          # To prevent issues with cloning early access content later
+          persist-credentials: 'false'
+          lfs: 'true'
+
+      - name: Check out LFS objects
+        run: git lfs checkout
+
+      - name: Setup node
+        uses: actions/setup-node@04c56d2f954f1e4c69436aa54cfef261a018f458
+        with:
+          node-version: 16.13.x
+          cache: npm
+
+      - name: Clone early access
+        run: npm install dotenv && node script/early-access/clone-for-build.js
+        env:
+          DOCUBOT_REPO_PAT: ${{ secrets.DOCUBOT_REPO_PAT }}
+          GIT_BRANCH: main
+
+      - name: 'Build and push image'
+        uses: docker/build-push-action@a66e35b9cbcf4ad0ea91ffcaf7bbad63ad9e0229
+        with:
+          context: .
+          push: true
+          target: 'production_early_access'
+          tags: ${{ env.IMAGE_TAG_BASE }}:${{ github.sha }}, ${{ env.IMAGE_TAG_BASE }}:production
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      # TODO - enable this when we disable the other production deploy
+      # - name: Purge Fastly edge cache
+      #   env:
+      #     FASTLY_TOKEN: ${{ secrets.FASTLY_TOKEN }}
+      #     FASTLY_SERVICE_ID: ${{ secrets.FASTLY_SERVICE_ID }}
+      #     FASTLY_SURROGATE_KEY: 'every-deployment'
+      #   run: npm install got && .github/actions-scripts/purge-fastly-edge-cache.js
+
+      - name: Send Slack notification if workflow failed
+        uses: someimportantcompany/github-actions-slack-message@f8d28715e7b8a4717047d23f48c39827cacad340
+        if: ${{ failure() }}
+        with:
+          channel: ${{ secrets.DOCS_ALERTS_SLACK_CHANNEL_ID }}
+          bot-token: ${{ secrets.SLACK_DOCS_BOT_TOKEN }}
+          color: failure
+          text: Production deployment (Azure) failed at commit ${{ github.sha }}. See https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}

.github/workflows/prod-build-deploy.yml

@@ -14,9 +14,11 @@ permissions:
   contents: read
   deployments: write
 
+# This allows a subsequently queued workflow run to take priority over
+# previously queued runs but NOT interrupt currently executing runs
 concurrency:
   group: '${{ github.workflow }}'
-  cancel-in-progress: true
+  cancel-in-progress: false
 
 jobs:
   build-and-deploy:
@@ -53,7 +55,7 @@ jobs:
           GIT_BRANCH: main
 
       - name: Cache nextjs build
-        uses: actions/cache@c64c572235d810460d0d6876e9c705ad5002b353
+        uses: actions/cache@937d24475381cd9c75ae6db12cb4e79714b926ed
         with:
           path: .next/cache
           key: ${{ runner.os }}-nextjs-${{ hashFiles('package*.json') }}

.github/workflows/ready-for-doc-review.yml

@@ -5,7 +5,7 @@ name: Ready for docs-content review
 # **Who does it impact**: Writers working in the docs-internal repository
 
 on:
-  pull_request:
+  pull_request_target:
     types: [labeled]
 
 permissions:

.github/workflows/remove-stale-staging-resources.yml

@@ -4,8 +4,9 @@ name: Remove stale staging resources
 # This cleans up any rogue staging applications and environments that outlasted
 # the closure of their corresponding pull requests.
 # **Why we have it**:
-# Staging applications and environments sometimes fail to be destroyed when
-# their corresponding pull request is closed or merged.
+# Staging applications and environments should be destroyed after their
+# corresponding pull request is closed or merged, especially to save money spent
+# on Heroku App staging deployments for closed PRs.
 # **Who does it impact**:
 # Anyone with a closed, spammy, or deleted pull request in docs or docs-internal.
 
@@ -14,8 +15,10 @@ on:
     - cron: '15,45 * * * *' # every thirty minutes at :15 and :45
 
 permissions:
+  actions: read
   contents: read
-  pull-requests: read
+  deployments: write
+  pull-requests: write
 
 jobs:
   remove_stale_staging_apps:
@@ -60,5 +63,7 @@ jobs:
       - name: Run script
         run: script/remove-stale-staging-envs.js
         env:
-          GITHUB_TOKEN: ${{ secrets.DOCS_BOT_FR }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          ELEVATED_TOKEN: ${{ secrets.DOCS_BOT_FR }}
           REPO: ${{ github.repository }}
+          RUN_ID: ${{ github.run_id }}

.github/workflows/remove-unused-assets.yml

@@ -44,7 +44,7 @@ jobs:
       - name: Remove script results file
         run: rm ./results.md
       - name: Create pull request
-        uses: peter-evans/create-pull-request@7380612b49221684fefa025244f2ef4008ae50ad
+        uses: peter-evans/create-pull-request@dcd5fd746d53dd8de555c0f10bca6c35628be47a
         env:
           # Disable pre-commit hooks; they don't play nicely here
           HUSKY: '0'

.github/workflows/repo-sync.yml

@@ -113,7 +113,6 @@ jobs:
         uses: repo-sync/github-sync@3832fe8e2be32372e1b3970bbae8e7079edeec88
         env:
           GITHUB_TOKEN: ${{ secrets.OCTOMERGER_PAT_WITH_REPO_AND_WORKFLOW_SCOPE }}
-          CI: true
         with:
           source_repo: ${{ secrets.SOURCE_REPO }} # https://${access_token}@github.com/github/the-other-repo.git
           source_branch: main
@@ -121,7 +120,6 @@ jobs:
           github_token: ${{ secrets.OCTOMERGER_PAT_WITH_REPO_AND_WORKFLOW_SCOPE }}
 
       - name: Create pull request
-        id: create-pull
         uses: repo-sync/pull-request@65194d8015be7624d231796ddee1cd52a5023cb3
         env:
           GITHUB_TOKEN: ${{ secrets.OCTOMERGER_PAT_WITH_REPO_AND_WORKFLOW_SCOPE }}
@@ -146,13 +144,6 @@ jobs:
           author: Octomerger
           state: open
 
-      - name: Approve pull request
-        if: ${{ steps.find-pull-request.outputs.number }}
-        uses: juliangruber/approve-pull-request-action@c530832d4d346c597332e20e03605aa94fa150a8
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          number: ${{ steps.find-pull-request.outputs.number }}
-
       # Because we get far too much spam ;_;
       - name: Lock conversations
         if: ${{ github.repository == 'github/docs' && steps.find-pull-request.outputs.number }}
@@ -221,8 +212,40 @@ jobs:
               console.log(`Branch is already up-to-date`)
             }
 
-      - name: Enable GitHub auto-merge
+      - name: Check pull request file count after updating
         if: ${{ steps.find-pull-request.outputs.number }}
+        uses: actions/github-script@2b34a689ec86a68d8ab9478298f91d5401337b7d
+        id: pr-files
+        env:
+          PR_NUMBER: ${{ steps.find-pull-request.outputs.number }}
+        with:
+          github-token: ${{ secrets.OCTOMERGER_PAT_WITH_REPO_AND_WORKFLOW_SCOPE }}
+          result-encoding: string
+          script: |
+            const { data: prFiles } = await github.pulls.listFiles({
+              ...context.repo,
+              pull_number: process.env.PR_NUMBER,
+            })
+            core.setOutput('count', (prFiles && prFiles.length || 0).toString())
+
+      # Sometimes after updating the branch, there aren't any remaining files changed.
+      # If not, we should close the PR instead of merging it and triggering deployments.
+      - name: Close the pull request if no files remain
+        if: ${{ steps.find-pull-request.outputs.number && steps.pr-files.outputs.count == '0' }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          gh pr close ${{ steps.find-pull-request.outputs.number }} --repo $GITHUB_REPOSITORY
+
+      - name: Approve pull request
+        if: ${{ steps.find-pull-request.outputs.number && steps.pr-files.outputs.count != '0' }}
+        uses: juliangruber/approve-pull-request-action@c530832d4d346c597332e20e03605aa94fa150a8
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          number: ${{ steps.find-pull-request.outputs.number }}
+
+      - name: Enable GitHub auto-merge
+        if: ${{ steps.find-pull-request.outputs.number && steps.pr-files.outputs.count != '0' }}
         env:
           GITHUB_TOKEN: ${{ secrets.OCTOMERGER_PAT_WITH_REPO_AND_WORKFLOW_SCOPE }}
           AUTOMERGE_PR_NUMBER: ${{ steps.find-pull-request.outputs.number }}

.github/workflows/staging-build-and-deploy-pr.yml

@@ -6,16 +6,16 @@ name: Staging - Build and Deploy PR (fast and private-only)
 
 # This whole workflow is only guaranteed to be secure in the *private
 # repo* and because we repo-sync these files over the to the public one,
-# IT'S CRUCIALLY IMPORTANT THAT THIS WORKFLOW IS ONLY ENABLED IN docs-internal!
+# IT'S IMPORTANT THAT THIS WORKFLOW IS ONLY ENABLED IN docs-internal!
 
 on:
-  # Ideally, we'd like to use 'pull_request' because we can more easily
-  # test changes to this workflow without relying on merges to 'main'.
-  # But this is guaranteed to be safer and won't have the problem of
-  # necessary secrets not being available.
-  # Perhaps some day when we're confident this workflow will always
-  # work in a regular PR, we can switch to that.
-  pull_request_target:
+  # The advantage of 'pull_request' over 'pull_request_target' is that we
+  # can make changes to this file and test them in a pull request, instead
+  # of relying on landing it in 'main' first.
+  # From a security point of view, its arguably safer this way because
+  # unlike 'pull_request_target', these only have secrets if the pull
+  # request creator has permission to access secrets.
+  pull_request:
 
 permissions:
   actions: read
@@ -24,12 +24,9 @@ permissions:
   pull-requests: read
   statuses: write
 
-# This allows one Build workflow run to interrupt another
-# These are different from the concurrency in that here it checks if the
-# whole workflow runs again. The "inner concurrency" is used for
-# undeployments to cleaning up resources.
+# This allows a subsequently queued workflow run to interrupt previous runs
 concurrency:
-  group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label }}'
+  group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}'
   cancel-in-progress: true
 
 jobs:
@@ -44,11 +41,7 @@ jobs:
     runs-on: self-hosted
 
     timeout-minutes: 5
-    # This interrupts Build, Deploy, and pre-write Undeploy workflow runs in
-    # progress for this PR branch.
-    concurrency:
-      group: 'PR Staging @ ${{ github.event.pull_request.head.label }}'
-      cancel-in-progress: true
+
     steps:
       - name: Check out repo
         uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579
@@ -71,7 +64,7 @@ jobs:
         run: npm ci
 
       - name: Cache nextjs build
-        uses: actions/cache@c64c572235d810460d0d6876e9c705ad5002b353
+        uses: actions/cache@937d24475381cd9c75ae6db12cb4e79714b926ed
         with:
           path: .next/cache
           key: ${{ runner.os }}-nextjs-${{ hashFiles('package*.json') }}
@@ -85,15 +78,6 @@ jobs:
           DOCUBOT_REPO_PAT: ${{ secrets.DOCUBOT_REPO_PAT }}
           GIT_BRANCH: ${{ github.event.pull_request.head.sha }}
 
-      - name: Check that the PR isn't blocking deploys
-        # We can't use ${{...}} on this if statement because of this bug
-        # https://github.com/cschleiden/actions-linter/issues/114
-        if: github.event_name == 'pull_request' && contains(github.event.pull_request.labels.*.name, 'automated-block-deploy')
-        run: |
-          echo "The PR appears to have the label 'automated-block-deploy'"
-          echo "Will not proceed to deploy the PR."
-          exit 2
-
       - name: Create a Heroku build source
         id: build-source
         uses: actions/github-script@2b34a689ec86a68d8ab9478298f91d5401337b7d

.github/workflows/staging-build-pr.yml

@@ -8,17 +8,16 @@ name: Staging - Build PR
 
 on:
   pull_request:
-    types:
-      - opened
-      - reopened
-      - synchronize
 
 permissions:
   contents: read
 
-# This allows one Build workflow run to interrupt another
+# This allows a subsequently queued workflow run to interrupt previous runs
+# These are different from the concurrency in that here it checks if the
+# whole workflow runs again. The "inner concurrency" is used for
+# undeployments to cleaning up resources.
 concurrency:
-  group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label }}'
+  group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}'
   cancel-in-progress: true
 
 jobs:
@@ -28,10 +27,9 @@ jobs:
 
     runs-on: ${{ fromJSON('["ubuntu-latest", "self-hosted"]')[github.repository == 'github/docs-internal'] }}
     timeout-minutes: 5
-    # This interrupts Build, Deploy, and pre-write Undeploy workflow runs in
-    # progress for this PR branch.
+    # This interrupts Build and Deploy workflow runs in progress for this PR branch.
     concurrency:
-      group: 'PR Staging @ ${{ github.event.pull_request.head.label }}'
+      group: 'PR Staging @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}'
       cancel-in-progress: true
     steps:
       - name: Check out repo
@@ -84,7 +82,7 @@ jobs:
         run: npm ci
 
       - name: Cache nextjs build
-        uses: actions/cache@c64c572235d810460d0d6876e9c705ad5002b353
+        uses: actions/cache@937d24475381cd9c75ae6db12cb4e79714b926ed
         with:
           path: .next/cache
           key: ${{ runner.os }}-nextjs-${{ hashFiles('package*.json') }}
@@ -131,7 +129,7 @@ jobs:
       # We are not willing to trust the rest (e.g. script/) for the remainder
       # of the deployment process.
       - name: Upload build artifact
-        uses: actions/upload-artifact@27121b0bdffd731efa15d66772be8dc71245d074
+        uses: actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2
         with:
           name: pr_build
           path: app.tar

.github/workflows/staging-deploy-pr.yml

@@ -198,68 +198,12 @@ jobs:
           color: failure
           text: Staging build failed for PR ${{ needs.pr-metadata.outputs.url }} at commit ${{ needs.pr-metadata.outputs.head_sha }}. See ${{ env.BUILD_ACTIONS_RUN_LOG }}. This run was ${{ env.ACTIONS_RUN_LOG }}.
 
-  check-pr-before-prepare:
-    needs: pr-metadata
-    if: >-
-      ${{
-        needs.pr-metadata.outputs.number != '0' &&
-        github.event.workflow_run.conclusion == 'success'
-      }}
-    runs-on: ubuntu-latest
-    # This timeout should match or exceed the value of the timeout for Undeploy
-    timeout-minutes: 5
-    # This interrupts Build, Deploy, and pre-write Undeploy workflow runs in
-    # progress for this PR branch.
-    concurrency:
-      group: 'PR Staging @ ${{ needs.pr-metadata.outputs.head_label }}'
-      cancel-in-progress: true
-    outputs:
-      pull_request_state: ${{ steps.check-pr.outputs.state }}
-    steps:
-      - name: Check pull request state
-        id: check-pr
-        uses: actions/github-script@2b34a689ec86a68d8ab9478298f91d5401337b7d
-        env:
-          PR_NUMBER: ${{ needs.pr-metadata.outputs.number }}
-        with:
-          script: |
-            // Equivalent of the 'await-sleep' module without the install
-            const sleep = ms => new Promise(resolve => setTimeout(resolve, ms))
-
-            const blockingLabel = 'automated-block-deploy'
-            const { owner, repo } = context.repo
-            const startTime = Date.now()
-
-            let pullRequest = {}
-            let blocked = true
-
-            // Keep polling the PR until the blocking label has been removed
-            while (blocked) {
-              const { data: pr } = await github.pulls.get({
-                owner,
-                repo,
-                pull_number: process.env.PR_NUMBER
-              })
-
-              blocked = pr.labels.some(({ name }) => name === blockingLabel)
-              if (blocked) {
-                console.warn(`WARNING! PR currently has blocking label "${blockingLabel}" (after ${Date.now() - startTime} ms). Will check again soon...`)
-                await sleep(15000) // Wait 15 seconds and check again
-              } else {
-                console.log(`PR was unblocked (after ${Date.now() - startTime} ms)!`)
-                pullRequest = pr
-              }
-            }
-
-            core.setOutput('state', pullRequest.state)
-
   prepare-for-deploy:
-    needs: [pr-metadata, check-pr-before-prepare]
-    if: ${{ needs.check-pr-before-prepare.outputs.pull_request_state == 'open' }}
+    needs: pr-metadata
+    if: ${{ needs.pr-metadata.outputs.state == 'open' }}
     runs-on: ubuntu-latest
     timeout-minutes: 5
-    # This interrupts Build, Deploy, and pre-write Undeploy workflow runs in
-    # progress for this PR branch.
+    # This interrupts Build and Deploy workflow runs in progress for this PR branch.
     concurrency:
       group: 'PR Staging @ ${{ needs.pr-metadata.outputs.head_label }}'
       cancel-in-progress: true
@@ -395,8 +339,7 @@ jobs:
     needs: [pr-metadata, prepare-for-deploy]
     runs-on: ubuntu-latest
     timeout-minutes: 1
-    # This interrupts Build, Deploy, and pre-write Undeploy workflow runs in
-    # progress for this PR branch.
+    # This interrupts Build and Deploy workflow runs in progress for this PR branch.
     concurrency:
       group: 'PR Staging @ ${{ needs.pr-metadata.outputs.head_label }}'
       cancel-in-progress: true
@@ -423,8 +366,7 @@ jobs:
     if: ${{ needs.check-pr-before-deploy.outputs.pull_request_state == 'open' }}
     runs-on: ubuntu-latest
     timeout-minutes: 10
-    # This interrupts Build, Deploy, and pre-write Undeploy workflow runs in
-    # progress for this PR branch.
+    # This interrupts Build and Deploy workflow runs in progress for this PR branch.
     concurrency:
       group: 'PR Staging @ ${{ needs.pr-metadata.outputs.head_label }}'
       cancel-in-progress: true

.github/workflows/staging-undeploy-pr.yml

@@ -1,93 +0,0 @@
-name: Staging - Undeploy PR
-
-# **What it does**: To undeploy PRs from a Heroku staging environment, i.e. destroy the Heroku App.
-# **Why we have it**: To save money spent on deployments for closed PRs.
-# **Who does it impact**: All contributors.
-
-on:
-  pull_request_target:
-    types:
-      - closed
-
-permissions:
-  contents: read
-  deployments: write
-  pull-requests: write
-
-# This prevents one Undeploy workflow run from interrupting another
-concurrency:
-  group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label }}'
-  cancel-in-progress: false
-
-jobs:
-  debug:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Dump full context for debugging
-        env:
-          GITHUB_CONTEXT: ${{ toJSON(github) }}
-        run: echo "$GITHUB_CONTEXT"
-
-  cancel-jobs-before-undeploy:
-    if: ${{ github.repository == 'github/docs-internal' || github.repository == 'github/docs' }}
-    runs-on: ubuntu-latest
-    # This interrupts Build and Deploy workflow runs in progress for this PR
-    # branch. However, it does so with an intentionally short, independent job
-    # so that the following `undeploy` job cannot be cancelled once started!
-    concurrency:
-      group: 'PR Staging @ ${{ github.event.pull_request.head.label }}'
-      cancel-in-progress: true
-    steps:
-      - name: Cancelling other deployments via concurrency configuration
-        run: |
-          echo 'Cancelling other deployment runs (if any)...'
-
-  undeploy:
-    needs: cancel-jobs-before-undeploy
-    if: ${{ github.repository == 'github/docs-internal' || github.repository == 'github/docs' }}
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    # IMPORTANT: Intentionally OMIT a `concurrency` configuration from this job!
-    steps:
-      - name: Add a label to the PR to block deployment during undeployment
-        uses: andymckay/labeler@e6c4322d0397f3240f0e7e30a33b5c5df2d39e90
-        with:
-          add-labels: 'automated-block-deploy'
-
-      - name: Check out repo's default branch
-        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579
-        with:
-          # For enhanced security: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
-          persist-credentials: 'false'
-
-      - name: Setup node
-        uses: actions/setup-node@04c56d2f954f1e4c69436aa54cfef261a018f458
-        with:
-          node-version: 16.13.x
-          cache: npm
-
-      - name: Install dependencies
-        run: npm ci
-
-      - name: Undeploy
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          HEROKU_API_TOKEN: ${{ secrets.HEROKU_API_TOKEN }}
-          RUN_ID: ${{ github.run_id }}
-          PR_URL: ${{ github.event.pull_request.html_url }}
-        run: .github/actions-scripts/staging-undeploy.js
-
-      - if: ${{ always() }}
-        name: Remove the label from the PR to unblock deployment
-        uses: andymckay/labeler@e6c4322d0397f3240f0e7e30a33b5c5df2d39e90
-        with:
-          remove-labels: 'automated-block-deploy'
-
-      - name: Send Slack notification if workflow failed
-        uses: someimportantcompany/github-actions-slack-message@f8d28715e7b8a4717047d23f48c39827cacad340
-        if: ${{ failure() }}
-        with:
-          channel: ${{ secrets.DOCS_STAGING_DEPLOYMENT_FAILURES_SLACK_CHANNEL_ID }}
-          bot-token: ${{ secrets.SLACK_DOCS_BOT_TOKEN }}
-          color: failure
-          text: Staging undeployment failed for PR ${{ github.event.pull_request.html_url }} at commit ${{ github.head_sha }}. See https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}.

.github/workflows/sync-search-indices.yml

@@ -65,7 +65,7 @@ jobs:
         run: npm ci
 
       - name: Cache nextjs build
-        uses: actions/cache@c64c572235d810460d0d6876e9c705ad5002b353
+        uses: actions/cache@937d24475381cd9c75ae6db12cb4e79714b926ed
         with:
           path: .next/cache
           key: ${{ runner.os }}-nextjs-${{ hashFiles('package*.json') }}

.github/workflows/sync-search-pr.yml

@@ -16,6 +16,11 @@ on:
 permissions:
   contents: read
 
+# This allows a subsequently queued workflow run to interrupt previous runs
+concurrency:
+  group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}'
+  cancel-in-progress: true
+
 jobs:
   lint:
     runs-on: ubuntu-latest
@@ -33,7 +38,7 @@ jobs:
         run: npm ci
 
       - name: Cache nextjs build
-        uses: actions/cache@c64c572235d810460d0d6876e9c705ad5002b353
+        uses: actions/cache@937d24475381cd9c75ae6db12cb4e79714b926ed
         with:
           path: .next/cache
           key: ${{ runner.os }}-nextjs-${{ hashFiles('package*.json') }}

.github/workflows/test-windows.yml

@@ -15,8 +15,10 @@ on:
 permissions:
   contents: read
 
-env:
-  CI: true
+# This allows a subsequently queued workflow run to interrupt previous runs
+concurrency:
+  group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}'
+  cancel-in-progress: true
 
 jobs:
   test:
@@ -54,7 +56,7 @@ jobs:
         run: npm ci
 
       - name: Cache nextjs build
-        uses: actions/cache@c64c572235d810460d0d6876e9c705ad5002b353
+        uses: actions/cache@937d24475381cd9c75ae6db12cb4e79714b926ed
         with:
           path: .next/cache
           key: ${{ runner.os }}-nextjs-${{ hashFiles('package*.json') }}

.github/workflows/test.yml

@@ -15,8 +15,10 @@ permissions:
   # Needed for the 'trilom/file-changes-action' action
   pull-requests: read
 
-env:
-  CI: true
+# This allows a subsequently queued workflow run to interrupt previous runs
+concurrency:
+  group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}'
+  cancel-in-progress: true
 
 jobs:
   test:
@@ -80,7 +82,7 @@ jobs:
           GIT_BRANCH: ${{ github.head_ref || github.ref }}
 
       - name: Cache nextjs build
-        uses: actions/cache@c64c572235d810460d0d6876e9c705ad5002b353
+        uses: actions/cache@937d24475381cd9c75ae6db12cb4e79714b926ed
         with:
           path: .next/cache
           key: ${{ runner.os }}-nextjs-${{ hashFiles('package*.json') }}

.github/workflows/triage-unallowed-contributions.yml

@@ -21,7 +21,7 @@ on:
       - 'lib/search/indexes/**'
       - 'package*.json'
       - 'Procfile'
-      - 'scripts/**'
+      - 'script/**'
       - 'translations/**'
 
 permissions:

.github/workflows/triage-unallowed-internal-changes.yml

@@ -17,6 +17,11 @@ permissions:
   # This is needed by dorny/paths-filter
   pull-requests: read
 
+# This allows a subsequently queued workflow run to interrupt previous runs
+concurrency:
+  group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}'
+  cancel-in-progress: true
+
 jobs:
   check-internal-changes:
     if: github.repository == 'github/docs-internal' && github.event.pull_request.user.login != 'Octomerger'

.github/workflows/update-graphql-files.yml

@@ -48,7 +48,7 @@ jobs:
           script/graphql/update-files.js
       - name: Create pull request
         id: create-pull-request
-        uses: peter-evans/create-pull-request@7380612b49221684fefa025244f2ef4008ae50ad
+        uses: peter-evans/create-pull-request@dcd5fd746d53dd8de555c0f10bca6c35628be47a
         env:
           # Disable pre-commit hooks; they don't play nicely here
           HUSKY: '0'

.github/workflows/workflow-lint.yml

@@ -6,12 +6,6 @@ name: Lint workflows
 
 on:
   workflow_dispatch:
-  push:
-    branches:
-      - main
-    paths:
-      - '.github/workflows/*.yml'
-      - '.github/workflows/*.yaml'
   pull_request:
     paths:
       - '.github/workflows/*.yml'
@@ -20,6 +14,11 @@ on:
 permissions:
   contents: read
 
+# This allows a subsequently queued workflow run to interrupt previous runs
+concurrency:
+  group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}'
+  cancel-in-progress: true
+
 jobs:
   lint:
     if: ${{ github.repository == 'github/docs-internal' }}

Dockerfile

@@ -5,7 +5,7 @@
 # --------------------------------------------------------------------------------
 # BASE IMAGE
 # --------------------------------------------------------------------------------
-FROM node:16.2.0-alpine as base
+FROM node:16-alpine as base
 
 RUN apk add --no-cache make g++ git
 
@@ -17,11 +17,15 @@ WORKDIR /usr/src/docs
 # ---------------
 FROM base as all_deps
 
-COPY package*.json ./
 COPY .npmrc ./
+COPY package*.json ./
 
 RUN npm ci
 
+# This the appropriate necessary extra for node:16-alpine
+# Other options are https://www.npmjs.com/search?q=%40next%2Fswc
+RUN npm i @next/swc-linux-x64-musl --no-save
+
 
 # ---------------
 # PROD DEPS
@@ -36,14 +40,12 @@ RUN npm prune --production
 # ---------------
 FROM all_deps as builder
 
-ENV NODE_ENV production
-
 COPY stylesheets ./stylesheets
 COPY pages ./pages
 COPY components ./components
 COPY lib ./lib
 
-# one part of the build relies on this content file to pull all-products
+# One part of the build relies on this content file to pull all-products
 COPY content/index.md ./content/index.md
 
 COPY next.config.js ./next.config.js
@@ -56,7 +58,7 @@ RUN npm run build
 # MAIN IMAGE
 # --------------------------------------------------------------------------------
 
-FROM node:16.2.0-alpine as production
+FROM node:16-alpine as production
 
 # Let's make our home
 WORKDIR /usr/src/docs
@@ -76,24 +78,28 @@ COPY --chown=node:node --from=builder /usr/src/docs/.next /usr/src/docs/.next
 # We should always be running in production mode
 ENV NODE_ENV production
 
-# Hide iframes, add warnings to external links
-ENV AIRGAP true
+# Whether to hide iframes, add warnings to external links
+ENV AIRGAP false
 
-# Copy only what's needed to run the server
-COPY --chown=node:node assets ./assets
-COPY --chown=node:node content ./content
-COPY --chown=node:node data ./data
-COPY --chown=node:node includes ./includes
-COPY --chown=node:node lib ./lib
-COPY --chown=node:node middleware ./middleware
-COPY --chown=node:node translations ./translations
-COPY --chown=node:node server.mjs ./server.mjs
-COPY --chown=node:node package*.json ./
-COPY --chown=node:node feature-flags.json ./
-COPY --chown=node:node next.config.js ./
+# By default we typically don't want to run in clustered mode
+ENV WEB_CONCURRENCY 1
 
 # This makes sure server.mjs always picks up the preferred port
-ENV PORT=4000
+ENV PORT 4000
+
+# Copy only what's needed to run the server
+COPY --chown=node:node package.json ./
+COPY --chown=node:node assets ./assets
+COPY --chown=node:node includes ./includes
+COPY --chown=node:node translations ./translations
+COPY --chown=node:node content ./content
+COPY --chown=node:node lib ./lib
+COPY --chown=node:node middleware ./middleware
+COPY --chown=node:node feature-flags.json ./
+COPY --chown=node:node data ./data
+COPY --chown=node:node next.config.js ./
+COPY --chown=node:node server.mjs ./server.mjs
+
 EXPOSE $PORT
 
 CMD ["node", "server.mjs"]