
Merge pull request #15509 from github/repo-sync

repo sync
Octomerger Bot
2022-02-15 15:43:46 -08:00
committed by GitHub
634 changed files with 649569 additions and 2413 deletions


@@ -3,7 +3,8 @@ updates:
- package-ecosystem: npm
directory: '/'
schedule:
interval: monthly
interval: weekly
day: tuesday
open-pull-requests-limit: 20 # default is 5
ignore:
- dependency-name: '*'
@@ -13,7 +14,8 @@ updates:
- package-ecosystem: 'github-actions'
directory: '/'
schedule:
interval: monthly
interval: weekly
day: wednesday
ignore:
- dependency-name: '*'
update-types:
@@ -22,7 +24,8 @@ updates:
- package-ecosystem: 'docker'
directory: '/'
schedule:
interval: monthly
interval: weekly
day: thursday
ignore:
- dependency-name: '*'
update-types:
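Review bot: The three new `day:` keys (tuesday for npm, wednesday for github-actions, thursday for docker) have no comment saying why the ecosystems are staggered, so a later edit could collapse them onto one day without anyone noticing the intent. A one-line comment above the first `schedule:` would cover it, for example `# Weekly, one ecosystem per day so update PRs do not all arrive at once`; that rationale is inferred from the values and should be confirmed by the author. The `ignore` / `update-types` lists continue outside all three hunks, so what each weekly run will actually propose cannot be judged from here.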


@@ -40,7 +40,7 @@ jobs:
name: Update English index for new GHES release
# Skip this check if the event originated from Docubot, to prevent
# infinite runs when Docubot checks in the search indexes in this workflow
if: github.repository == 'github/docs-internal' && github.event.sender.login != 'Docubot'
if: github.repository == 'github/docs-internal' && github.event.sender.login != 'Docubot' && github.actor != 'dependabot[bot]'
runs-on: ubuntu-latest
steps:
- name: checkout
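Review bot: The added `github.actor != 'dependabot[bot]'` clause on this job's `if:` is unexplained, while the comment directly above it still describes only the Docubot exclusion. Extend that comment with the reason, for example `# Also skip Dependabot-triggered runs: they get a read-only token and no repository secrets`; that this is the motivation is inferred and should be confirmed. The same unexplained clause is added to the `first-responder-triage-pr` and `first-responder-remove-pr` jobs in the next file. The job's steps continue outside the hunk.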


@@ -19,7 +19,7 @@ permissions:
jobs:
first-responder-triage-pr:
name: Triage PR to FR project board
if: github.repository == 'github/docs-internal' && github.event.pull_request.draft == false && github.event.action != 'unlabeled' && github.event.action != 'closed'
if: github.repository == 'github/docs-internal' && github.event.pull_request.draft == false && github.event.action != 'unlabeled' && github.event.action != 'closed' && github.actor != 'dependabot[bot]'
runs-on: ubuntu-latest
steps:
@@ -66,7 +66,7 @@ jobs:
first-responder-remove-pr:
name: Remove PR from FR project board
if: github.repository == 'github/docs-internal' && ((github.event.label.name == 'docs-content-fr' && github.event.action == 'unlabeled') || github.event.action == 'closed')
if: github.repository == 'github/docs-internal' && ((github.event.label.name == 'docs-content-fr' && github.event.action == 'unlabeled') || github.event.action == 'closed') && github.actor != 'dependabot[bot]'
runs-on: ubuntu-latest
steps:
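Review bot: Both new guards test `github.actor`, which identifies whoever caused this event, not who opened the pull request. In `first-responder-remove-pr` the `closed` branch therefore still runs when a maintainer closes or merges a Dependabot PR, even though `first-responder-triage-pr` skipped that PR when Dependabot opened it; likewise a maintainer marking a Dependabot PR ready for review passes the triage guard. If the intent is to exclude Dependabot's pull requests rather than Dependabot's events, key on the author instead: `github.event.pull_request.user.login != 'dependabot[bot]'`. Both jobs' steps lie outside the hunks, so whether the removal step is harmless for a PR that was never on the board cannot be seen here.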


@@ -41,7 +41,7 @@ jobs:
run: |
gh pr comment $PR --body "Thanks so much for opening this PR and contributing to GitHub Docs!
- When you're ready for the Docs team to review this PR, request a review by *docs-content* and your PR will be added to the [Docs Content review board](https://github.com/orgs/github/memexes/901?layout=table&groupedBy%5BcolumnId%5D=11024). **Please factor in at least 72 hours for a review, even longer if this is a substantial change.**
- When you're ready for the Docs team to review this PR, add the *ready-for-doc-review* label to your PR to the [Docs Content review board](https://github.com/orgs/github/memexes/901?layout=table&groupedBy%5BcolumnId%5D=11024). **Please factor in at least 72 hours for a review, even longer if this is a substantial change.**
- If this is a major update to the docs, you might want to go back and open an [issue](https://github.com/github/docs-content/issues/new/choose) to ensure we've covered all areas of the docs in these updates. Not doing so may result in delays or inaccurate documentation."
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
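Review bot: The reworded first bullet of the comment body no longer reads as a sentence: "add the *ready-for-doc-review* label to your PR to the [Docs Content review board]" lost the clause that tied the action to the board. Wording such as `add the *ready-for-doc-review* label to your PR and it will be added to the [Docs Content review board](…)` keeps the meaning of the line it replaces. The `run:` step begins above the hunk, so how `$PR` is populated is not visible here.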


@@ -9,6 +9,7 @@ versions:
fpt: '*'
ghae: 'issue-4757-and-5856'
ghec: '*'
ghes: '>=3.5'
type: how_to
topics:
- Workflows


@@ -728,6 +728,8 @@ The `inputs` context contains input properties passed to a reusable workflow. Th
There are no standard properties in the `inputs` context, only those which are defined in the reusable workflow file.
{% data reusables.actions.reusable-workflows-ghes-beta %}
For more information, see "[Reusing workflows](/actions/learn-github-actions/reusing-workflows)".
| Property name | Type | Description |


@@ -73,6 +73,8 @@ In addition to the usage limits, you must ensure that you use {% data variables.
{% ifversion fpt or ghes > 3.3 or ghec %}
## Billing for reusable workflows
{% data reusables.actions.reusable-workflows-ghes-beta %}
If you reuse a workflow, billing is always associated with the caller workflow. Assignment of {% data variables.product.prodname_dotcom %}-hosted runners is always evaluated using only the caller's context. The caller cannot use {% data variables.product.prodname_dotcom %}-hosted runners from the called repository.
For more information see, "[Reusing workflows](/actions/learn-github-actions/reusing-workflows)."


@@ -141,15 +141,6 @@ In this example, the attempted script injection is unsuccessful:
With this approach, the value of the {% raw %}`${{ github.event.issue.title }}`{% endraw %} expression is stored in memory and used as a variable, and doesn't interact with the script generation process. In addition, consider using double quote shell variables to avoid [word splitting](https://github.com/koalaman/shellcheck/wiki/SC2086), but this is [one of many](https://mywiki.wooledge.org/BashPitfalls) general recommendations for writing shell scripts, and is not specific to {% data variables.product.prodname_actions %}.
### Using CodeQL to analyze your code
To help you manage the risk of dangerous patterns as early as possible in the development lifecycle, the {% data variables.product.prodname_dotcom %} Security Lab has developed [CodeQL queries](https://github.com/github/codeql/tree/main/javascript/ql/src/experimental/Security/CWE-094) that repository owners can [integrate](/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#running-additional-queries) into their CI/CD pipelines. For more information, see "[About code scanning](/github/finding-security-vulnerabilities-and-errors-in-your-code/about-code-scanning)."
The scripts currently depend on the CodeQL JavaScript libraries, which means that the analyzed repository must contain at least one JavaScript file and that CodeQL must be [configured to analyze this language](/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed).
- `ExpressionInjection.ql`: Covers the expression injections described in this article, and is considered to be reasonably accurate. However, it doesnt perform data flow tracking between workflow steps.
- `UntrustedCheckout.ql`: This script's results require manual review to determine whether the code from a pull request is actually treated in an unsafe manner. For more information, see "[Keeping your GitHub Actions and workflows secure: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests)" on the {% data variables.product.prodname_dotcom %} Security Lab blog.
### Restricting permissions for tokens
To help mitigate the risk of an exposed token, consider restricting the assigned permissions. For more information, see "[Modifying the permissions for the GITHUB_TOKEN](/actions/reference/authentication-in-a-workflow#modifying-the-permissions-for-the-github_token)."


@@ -16,6 +16,7 @@ topics:
---
{% data reusables.actions.enterprise-beta %}
{% data reusables.actions.reusable-workflows-ghes-beta %}
{% data reusables.actions.enterprise-github-hosted-runners %}
## Overview


@@ -130,6 +130,8 @@ You can use activity types and filters to further control when your workflow wil
{% ifversion fpt or ghes > 3.3 or ghae-issue-4757 or ghec %}
## Defining inputs, outputs, and secrets for reusable workflows
{% data reusables.actions.reusable-workflows-ghes-beta %}
You can define inputs and secrets that a reusable workflow should receive from a calling workflow. You can also specify outputs that a reusable workflow will make available to a calling workflow. For more information, see "[Reusing workflows](/actions/using-workflows/reusing-workflows)."
{% endif %}


@@ -56,6 +56,8 @@ The name of your workflow. {% data variables.product.prodname_dotcom %} displays
{% ifversion fpt or ghes > 3.3 or ghae-issue-4757 or ghec %}
## `on.workflow_call`
{% data reusables.actions.reusable-workflows-ghes-beta %}
Use `on.workflow_call` to define the inputs and outputs for a reusable workflow. You can also map the secrets that are available to the called workflow. For more information on reusable workflows, see "[Reusing workflows](/actions/using-workflows/reusing-workflows)."
### `on.workflow_call.inputs`
@@ -881,6 +883,8 @@ Additional Docker container resource options. For a list of options, see "[`dock
{% ifversion fpt or ghes > 3.3 or ghae-issue-4757 or ghec %}
## `jobs.<job_id>.uses`
{% data reusables.actions.reusable-workflows-ghes-beta %}
The location and version of a reusable workflow file to run as a job. {% ifversion fpt or ghec or ghes > 3.4 or ghae-issue-6000 %}Use one of the following syntaxes:{% endif %}
{% data reusables.actions.reusable-workflow-calling-syntax %}


@@ -0,0 +1,13 @@
---
title: Managing code security for your enterprise
shortTitle: Manage code security
intro: "You can build security into your developers' workflow with features that keep secrets and vulnerabilities out of your codebase, and that maintain your software supply chain."
versions:
ghes: '*'
ghec: '*'
topics:
- Enterprise
children:
- /managing-github-advanced-security-for-your-enterprise
- /managing-supply-chain-security-for-your-enterprise
---


@@ -7,6 +7,7 @@ miniTocMaxHeadingLevel: 3
redirect_from:
- /enterprise/admin/configuration/configuring-code-scanning-for-your-appliance
- /admin/configuration/configuring-code-scanning-for-your-appliance
- /admin/advanced-security/configuring-code-scanning-for-your-appliance
versions:
ghes: '*'
type: how_to


@@ -6,6 +6,7 @@ product: '{% data reusables.gated-features.secret-scanning %}'
miniTocMaxHeadingLevel: 3
redirect_from:
- /admin/configuration/configuring-secret-scanning-for-your-appliance
- /admin/advanced-security/configuring-secret-scanning-for-your-appliance
versions:
ghes: '*'
type: how_to


@@ -2,6 +2,8 @@
title: Deploying GitHub Advanced Security in your enterprise
intro: 'Learn how to plan, prepare, and implement a phased approach for rolling out {% data variables.product.prodname_GH_advanced_security %} (GHAS) in your enterprise.'
product: '{% data reusables.gated-features.advanced-security %}'
redirect_from:
- /admin/advanced-security/deploying-github-advanced-security-in-your-enterprise
miniTocMaxHeadingLevel: 3
versions:
ghes: '*'


@@ -3,6 +3,8 @@ title: Enabling GitHub Advanced Security for your enterprise
shortTitle: Enabling GitHub Advanced Security
intro: 'You can configure {% data variables.product.product_name %} to include {% data variables.product.prodname_GH_advanced_security %}. This provides extra features that help users find and fix security problems in their code.'
product: '{% data reusables.gated-features.ghas %}'
redirect_from:
- /admin/advanced-security/enabling-github-advanced-security-for-your-enterprise
versions:
ghes: '*'
type: how_to
@@ -56,7 +58,7 @@ For guidance on a phased deployment of GitHub Advanced Security, see "[Deploying
- {% data variables.product.prodname_code_scanning_capc %}, see "[Configuring {% data variables.product.prodname_code_scanning %} for your appliance](/admin/advanced-security/configuring-code-scanning-for-your-appliance#prerequisites-for-code-scanning)."
- {% data variables.product.prodname_secret_scanning_caps %}, see "[Configuring {% data variables.product.prodname_secret_scanning %} for your appliance](/admin/advanced-security/configuring-secret-scanning-for-your-appliance#prerequisites-for-secret-scanning)."{% endif %}
- {% data variables.product.prodname_dependabot %}, see "[Enabling the dependency graph and {% data variables.product.prodname_dependabot_alerts %} for your enterprise](/admin/configuration/configuring-github-connect/enabling-the-dependency-graph-and-dependabot-alerts-for-your-enterprise)."
- {% data variables.product.prodname_dependabot %}, see "[Enabling {% data variables.product.prodname_dependabot %} for your enterprise](/admin/configuration/configuring-github-connect/enabling-dependabot-for-your-enterprise)."
## Enabling and disabling {% data variables.product.prodname_GH_advanced_security %} features
@@ -91,7 +93,7 @@ For example, you can enable any {% data variables.product.prodname_GH_advanced_s
```shell
ghe-config app.secret-scanning.enabled true
```
- To enable {% data variables.product.prodname_dependabot %}, enter the following {% ifversion ghes > 3.1 %}command{% else %}commands{% endif %}.
- To enable the dependency graph, enter the following {% ifversion ghes > 3.1 %}command{% else %}commands{% endif %}.
{% ifversion ghes > 3.1 %}```shell
ghe-config app.dependency-graph.enabled true
```
@@ -110,7 +112,7 @@ For example, you can enable any {% data variables.product.prodname_GH_advanced_s
```shell
ghe-config app.secret-scanning.enabled false
```
- To disable {% data variables.product.prodname_dependabot_alerts %}, enter the following {% ifversion ghes > 3.1 %}command{% else %}commands{% endif %}.
- To disable the dependency graph, enter the following {% ifversion ghes > 3.1 %}command{% else %}commands{% endif %}.
{% ifversion ghes > 3.1 %}```shell
ghe-config app.dependency-graph.enabled false
```


@@ -1,11 +1,12 @@
---
title: Managing GitHub Advanced Security for your enterprise
shortTitle: Managing GitHub Advanced Security
intro: 'You can configure {% data variables.product.prodname_advanced_security %} and manage use by your enterprise to suit your organization''s needs.'
shortTitle: GitHub Advanced Security
intro: "You can configure {% data variables.product.prodname_advanced_security %} and manage use by your enterprise to suit your organization's needs."
product: '{% data reusables.gated-features.ghas %}'
redirect_from:
- /enterprise/admin/configuration/configuring-advanced-security-features
- /admin/configuration/configuring-advanced-security-features
- /admin/advanced-security
versions:
ghes: '*'
ghec: '*'


@@ -2,6 +2,8 @@
title: Overview of GitHub Advanced Security deployment
intro: 'Help your company successfully prepare to adopt {% data variables.product.prodname_GH_advanced_security %} (GHAS) by reviewing and understanding these best practices, rollout examples, and our enterprise-tested phased approach.'
product: '{% data variables.product.prodname_GH_advanced_security %} is a set of security features designed to make enterprise code more secure. It is available for {% data variables.product.prodname_ghe_server %} 3.0 or higher, {% data variables.product.prodname_ghe_cloud %}, and open source repositories. To learn more about the features, included in {% data variables.product.prodname_GH_advanced_security %}, see "[About GitHub Advanced Security](/get-started/learning-about-github/about-github-advanced-security)."'
redirect_from:
- /admin/advanced-security/overview-of-github-advanced-security-deployment
miniTocMaxHeadingLevel: 3
versions:
ghes: '*'


@@ -0,0 +1,20 @@
---
title: About supply chain security for your enterprise
intro: 'You can enable features that help your developers understand and update the dependencies their code relies on.'
shortTitle: About supply chain security
permissions: ''
versions:
ghes: '*'
ghae: issue-4864
type: how_to
topics:
- Enterprise
- Security
- Dependency graph
---
You can allow users to identify their projects' dependencies by enabling the dependency graph for {% data variables.product.product_location %}. For more information, see "[Enabling the dependency graph for your enterprise](/admin/code-security/managing-supply-chain-security-for-your-enterprise/enabling-the-dependency-graph-for-your-enterprise)."
You can also allow users on {% data variables.product.product_location %} to find and fix vulnerabilities in their code dependencies by enabling {% data variables.product.prodname_dependabot_alerts %}{% ifversion ghes > 3.2 %} and {% data variables.product.prodname_dependabot_updates %}{% endif %}. For more information, see "[Enabling {% data variables.product.prodname_dependabot %} for your enterprise](/admin/configuration/configuring-github-connect/enabling-dependabot-for-your-enterprise)."
After you enable {% data variables.product.prodname_dependabot_alerts %}, you can view vulnerability data from the {% data variables.product.prodname_advisory_database %} on {% data variables.product.product_location %} and manually sync the data. For more information, see "[Viewing the vulnerability data for your enterprise](/admin/code-security/managing-supply-chain-security-for-your-enterprise/viewing-the-vulnerability-data-for-your-enterprise)."


@@ -0,0 +1,60 @@
---
title: Enabling the dependency graph for your enterprise
intro: "You can allow users to identify their projects' dependencies by enabling the dependency graph."
shortTitle: Enable dependency graph
permissions: 'Site administrators can enable the dependency graph.'
versions:
ghes: '*'
type: how_to
topics:
- Enterprise
- Security
- Dependency graph
---
## About the dependency graph
{% data reusables.dependabot.about-the-dependency-graph %} For more information, see "[About the dependency graph](/github/visualizing-repository-data-with-graphs/about-the-dependency-graph)"
After you enable the dependency graph for your enterprise, you can enable {% data variables.product.prodname_dependabot %} to detect vulnerable dependencies in your repository{% ifversion ghes > 3.2 %} and automatically fix the vulnerabilities{% endif %}. For more information, see "[Enabling {% data variables.product.prodname_dependabot %} for your enterprise](/admin/configuration/configuring-github-connect/enabling-dependabot-for-your-enterprise)."
{% ifversion ghes > 3.1 %}
You can enable the dependency graph via the {% data variables.enterprise.management_console %} or the administrative shell. We recommend using the {% data variables.enterprise.management_console %} unless {% data variables.product.product_location %} uses clustering.
## Enabling the dependency graph via the {% data variables.enterprise.management_console %}
If your {% data variables.product.product_location %} uses clustering, you cannot enable the dependency graph with the {% data variables.enterprise.management_console %} and must use the administrative shell instead. For more information, see "[Enabling the dependency graph via the administrative shell](#enabling-the-dependency-graph-via-the-administrative-shell)."
{% data reusables.enterprise_site_admin_settings.sign-in %}
{% data reusables.enterprise_site_admin_settings.access-settings %}
{% data reusables.enterprise_site_admin_settings.management-console %}
{% data reusables.enterprise_management_console.advanced-security-tab %}
1. Under "Security," click **Dependency graph**.
![Checkbox to enable or disable the dependency graph](/assets/images/enterprise/3.2/management-console/enable-dependency-graph-checkbox.png)
{% data reusables.enterprise_management_console.save-settings %}
1. Click **Visit your instance**.
## Enabling the dependency graph via the administrative shell
{% endif %}{% ifversion ghes < 3.2 %}
## Enabling the dependency graph
{% endif %}
{% data reusables.enterprise_site_admin_settings.sign-in %}
1. In the administrative shell, enable the dependency graph on {% data variables.product.product_location %}:
{% ifversion ghes > 3.1 %}```shell
ghe-config app.dependency-graph.enabled true
```
{% else %}```shell
ghe-config app.github.dependency-graph-enabled true
ghe-config app.github.vulnerability-alerting-and-settings-enabled true
```{% endif %}
{% note %}
**Note**: For more information about enabling access to the administrative shell via SSH, see "[Accessing the administrative shell (SSH)](/enterprise/{{ currentVersion }}/admin/configuration/accessing-the-administrative-shell-ssh)."
{% endnote %}
2. Apply the configuration.
```shell
$ ghe-config-apply
```
3. Return to {% data variables.product.prodname_ghe_server %}.


@@ -0,0 +1,14 @@
---
title: Managing supply chain security for your enterprise
shortTitle: Supply chain security
intro: "You can visualize, maintain, and secure the dependencies in your developers' software supply chain."
versions:
ghes: '*'
ghae: issue-4864
topics:
- Enterprise
children:
- /about-supply-chain-security-for-your-enterprise
- /enabling-the-dependency-graph-for-your-enterprise
- /viewing-the-vulnerability-data-for-your-enterprise
---


@@ -0,0 +1,27 @@
---
title: Viewing the vulnerability data for your enterprise
intro: 'You can view vulnerability data from the {% data variables.product.prodname_advisory_database %} on {% data variables.product.product_location %}.'
shortTitle: View vulnerability data
permissions: 'Site administrators can view vulnerability data on {% data variables.product.product_location %}.'
versions:
ghes: '*'
ghae: issue-4864
type: how_to
topics:
- Enterprise
- Security
- Dependency graph
---
If {% data variables.product.prodname_dependabot_alerts %} are enabled for your enterprise, you can view all vulnerabilities that were downloaded to {% data variables.product.product_location %} from the {% data variables.product.prodname_advisory_database %}.
You can manually sync vulnerability data from {% data variables.product.prodname_dotcom_the_website %} to update the list.
Before you can view vulnerability data, you must enable {% data variables.product.prodname_dependabot_alerts %}. For more information, see "[Enabling {% data variables.product.prodname_dependabot %} for your enterprise](/admin/configuration/configuring-github-connect/enabling-dependabot-for-your-enterprise)."
{% data reusables.enterprise_site_admin_settings.access-settings %}
2. In the left sidebar, click **Vulnerabilities**.
![Vulnerabilities tab in the site admin sidebar](/assets/images/enterprise/business-accounts/vulnerabilities-tab.png)
3. To sync vulnerability data, click **Sync Vulnerabilities now**.
![Sync vulnerabilities now button](/assets/images/enterprise/site-admin-settings/sync-vulnerabilities-button.png)


@@ -29,7 +29,7 @@ After you configure the connection between {% data variables.product.product_loc
Feature | Description | More information |
------- | ----------- | ---------------- |{% ifversion ghes %}
Automatic user license sync | Manage license usage across your {% data variables.product.prodname_enterprise %} deployments by automatically syncing user licenses from {% data variables.product.product_location %} to {% data variables.product.prodname_ghe_cloud %}. | "[Enabling automatic user license sync for your enterprise](/admin/configuration/configuring-github-connect/enabling-automatic-user-license-sync-for-your-enterprise)"{% endif %}{% ifversion ghes or ghae-issue-4864 %}
{% data variables.product.prodname_dependabot_alerts %} | Allow users to find and fix vulnerabilities in code dependencies. | "[Enabling the dependency graph and {% data variables.product.prodname_dependabot_alerts %} for your enterprise](/admin/configuration/configuring-github-connect/enabling-the-dependency-graph-and-dependabot-alerts-for-your-enterprise)"{% endif %}
{% data variables.product.prodname_dependabot %} | Allow users to find and fix vulnerabilities in code dependencies. | "[Enabling {% data variables.product.prodname_dependabot %} for your enterprise](/admin/configuration/configuring-github-connect/enabling-dependabot-for-your-enterprise)"{% endif %}
{% data variables.product.prodname_dotcom_the_website %} actions | Allow users to use actions from {% data variables.product.prodname_dotcom_the_website %} in workflow files. | "[Enabling automatic access to {% data variables.product.prodname_dotcom_the_website %} actions using {% data variables.product.prodname_github_connect %}](/admin/github-actions/managing-access-to-actions-from-githubcom/enabling-automatic-access-to-githubcom-actions-using-github-connect)"
Unified search | Allow users to include repositories on {% data variables.product.prodname_dotcom_the_website %} in their search results when searching from {% data variables.product.product_location %}. | "[Enabling {% data variables.product.prodname_unified_search %} for your enterprise](/admin/configuration/configuring-github-connect/enabling-unified-search-for-your-enterprise)"
Unified contributions | Allow users to include anonymized contribution counts for their work on {% data variables.product.product_location %} in their contribution graphs on {% data variables.product.prodname_dotcom_the_website %}. | "[Enabling {% data variables.product.prodname_unified_contributions %} for your enterprise](/admin/configuration/configuring-github-connect/enabling-unified-contributions-for-your-enterprise)"
@@ -52,7 +52,7 @@ When you enable {% data variables.product.prodname_github_connect %} or specific
{% note %}
**Note:** No repositories, issues, or pull requests are ever transmitted by {% data variables.product.prodname_github_connect %}.
**Note:** No repositories, issues, or pull requests are ever transmitted from {% data variables.product.product_name %} to {% data variables.product.prodname_dotcom_the_website %} by {% data variables.product.prodname_github_connect %}.
{% endnote %}
@@ -61,7 +61,8 @@ Additional data is transmitted if you enable individual features of {% data vari
Feature | Data | Which way does the data flow? | Where is the data used? |
------- | ---- | --------- | ------ |{% ifversion ghes %}
Automatic user license sync | Each {% data variables.product.product_name %} user's user ID and email addresses | From {% data variables.product.product_name %} to {% data variables.product.prodname_ghe_cloud %} | {% data variables.product.prodname_ghe_cloud %} |{% endif %}{% ifversion ghes or ghae-issue-4864 %}
{% data variables.product.prodname_dependabot_alerts %} | Vulnerability alerts | From {% data variables.product.prodname_dotcom_the_website %} to {% data variables.product.product_name %} | {% data variables.product.product_name%} |{% endif %}
{% data variables.product.prodname_dependabot_alerts %} | Vulnerability alerts | From {% data variables.product.prodname_dotcom_the_website %} to {% data variables.product.product_name %} | {% data variables.product.product_name %} |{% endif %}{% if dependabot-updates-github-connect %}
{% data variables.product.prodname_dependabot_updates %} | Dependencies and the metadata for each dependency's repository<br><br>If a dependency is stored in a private repository on {% data variables.product.prodname_dotcom_the_website %}, data will only be transmitted if {% data variables.product.prodname_dependabot %} is configured and authorized to access that repository. | From {% data variables.product.prodname_dotcom_the_website %} to {% data variables.product.product_name %} | {% data variables.product.product_name %} {% endif %}
{% data variables.product.prodname_dotcom_the_website %} actions | Name of action, action (YAML file from {% data variables.product.prodname_marketplace %}) | From {% data variables.product.prodname_dotcom_the_website %} to {% data variables.product.product_name %}<br><br>From {% data variables.product.product_name %} to {% data variables.product.prodname_dotcom_the_website %} | {% data variables.product.product_name %}
Unified search | Search terms, search results | From {% data variables.product.prodname_dotcom_the_website %} to {% data variables.product.product_name %}<br><br>From {% data variables.product.product_name %} to {% data variables.product.prodname_dotcom_the_website %} | {% data variables.product.product_name %} |
Unified contributions | Contribution counts | From {% data variables.product.product_name %} to {% data variables.product.prodname_dotcom_the_website %} | {% data variables.product.prodname_dotcom_the_website %} |


@@ -7,7 +7,7 @@ redirect_from:
- /admin/configuration/enabling-automatic-user-license-sync-between-github-enterprise-server-and-github-enterprise-cloud
- /admin/configuration/managing-connections-between-github-enterprise-server-and-github-enterprise-cloud/enabling-automatic-user-license-sync-between-github-enterprise-server-and-github-enterprise-cloud
- /admin/configuration/managing-connections-between-your-enterprise-accounts/enabling-automatic-user-license-sync-between-github-enterprise-server-and-github-enterprise-cloud
permissions: 'Site administrators for {% data variables.product.prodname_ghe_server %} who are also owners of the connected {% data variables.product.prodname_ghe_cloud %} organization or enterprise account can enable automatic user license synchronization.'
permissions: 'Enterprise owners can enable automatic user license synchronization.'
versions:
ghes: '*'
type: how_to


@@ -0,0 +1,127 @@
---
title: Enabling Dependabot for your enterprise
intro: "You can allow users of {% data variables.product.product_location %} to find and fix vulnerabilities in code dependencies by enabling {% data variables.product.prodname_dependabot_alerts %}{% ifversion ghes > 3.2 %} and {% data variables.product.prodname_dependabot_updates %}{% endif %}."
miniTocMaxHeadingLevel: 3
shortTitle: Dependabot
redirect_from:
- /enterprise/admin/installation/enabling-security-alerts-for-vulnerable-dependencies-on-github-enterprise-server
- /enterprise/admin/configuration/enabling-security-alerts-for-vulnerable-dependencies-on-github-enterprise-server
- /enterprise/admin/configuration/enabling-alerts-for-vulnerable-dependencies-on-github-enterprise-server
- /admin/configuration/enabling-alerts-for-vulnerable-dependencies-on-github-enterprise-server
- /admin/configuration/managing-connections-between-github-enterprise-server-and-github-enterprise-cloud/enabling-alerts-for-vulnerable-dependencies-on-github-enterprise-server
- /admin/configuration/managing-connections-between-your-enterprise-accounts/enabling-alerts-for-vulnerable-dependencies-on-github-enterprise-server
- /admin/configuration/managing-connections-between-your-enterprise-accounts/enabling-the-dependency-graph-and-dependabot-alerts-on-your-enterprise-account
- /admin/configuration/configuring-github-connect/enabling-the-dependency-graph-and-dependabot-alerts-for-your-enterprise
permissions: 'Enterprise owners can enable {% data variables.product.prodname_dependabot %}.'
versions:
ghes: '*'
ghae: issue-4864
type: how_to
topics:
- Enterprise
- Security
- Dependency graph
- Dependabot
---
## About {% data variables.product.prodname_dependabot %} for {% data variables.product.product_name %}
{% data variables.product.prodname_dependabot %} helps users of {% data variables.product.product_location %} find and fix vulnerabilities in their dependencies.{% ifversion ghes > 3.2 %} You can enable {% data variables.product.prodname_dependabot_alerts %} to notify users about vulnerable dependencies and {% data variables.product.prodname_dependabot_updates %} to fix the vulnerabilities and keep dependencies updated to the latest version.
### About {% data variables.product.prodname_dependabot_alerts %}
{% endif %}
{% data reusables.dependabot.dependabot-alerts-beta %}
With {% data variables.product.prodname_dependabot_alerts %}, {% data variables.product.prodname_dotcom %} identifies vulnerable dependencies in repositories and creates alerts on {% data variables.product.product_location %}, using data from the {% data variables.product.prodname_advisory_database %} and the dependency graph service.
{% data reusables.repositories.tracks-vulnerabilities %}
After you enable {% data variables.product.prodname_dependabot_alerts %} for your enterprise, vulnerability data is synced from the {% data variables.product.prodname_advisory_database %} to your instance once every hour. Only {% data variables.product.company_short %}-reviewed advisories are synchronized. {% data reusables.security-advisory.link-browsing-advisory-db %}
You can also choose to manually sync vulnerability data at any time. For more information, see "[Viewing the vulnerability data for your enterprise](/admin/code-security/managing-supply-chain-security-for-your-enterprise/viewing-the-vulnerability-data-for-your-enterprise)."
{% note %}
**Note:** When you enable enable {% data variables.product.prodname_dependabot_alerts %}, no code or information about code from {% data variables.product.product_location %} is uploaded to {% data variables.product.prodname_dotcom_the_website %}.
{% endnote %}
When {% data variables.product.product_location %} receives information about a vulnerability, it identifies repositories in {% data variables.product.product_location %} that use the affected version of the dependency and generates {% data variables.product.prodname_dependabot_alerts %}. You can choose whether or not to notify users automatically about new {% data variables.product.prodname_dependabot_alerts %}.
For repositories with {% data variables.product.prodname_dependabot_alerts %} enabled, scanning is triggered on any push to the default branch that contains a manifest file or lock file. Additionally, when a new vulnerability record is added to {% data variables.product.product_location %}, {% data variables.product.product_name %} scans all existing repositories on {% data variables.product.product_location %} and generates alerts for any repository that is vulnerable. For more information, see "[About alerts for vulnerable dependencies](/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies)."
{% ifversion ghes > 3.2 %}
### About {% data variables.product.prodname_dependabot_updates %}
{% data reusables.dependabot.beta-security-and-version-updates %}
After you enable {% data variables.product.prodname_dependabot_alerts %}, you can choose to enable {% data variables.product.prodname_dependabot_updates %}. When {% data variables.product.prodname_dependabot_updates %} are enabled for {% data variables.product.product_location %}, users can configure repositories so that their dependencies are updated and kept secure automatically.
{% note %}
**Note:** {% data variables.product.prodname_dependabot_updates %} on {% data variables.product.product_name %} requires {% data variables.product.prodname_actions %} with self-hosted runners.
{% endnote %}
With {% data variables.product.prodname_dependabot_updates %}, {% data variables.product.company_short %} automatically creates pull requests to update dependencies in two ways.
- **{% data variables.product.prodname_dependabot_version_updates %}**: Users add a {% data variables.product.prodname_dependabot %} configuration file to the repository to enable {% data variables.product.prodname_dependabot %} to create pull requests when a new version of a tracked dependency is released. For more information, see "[About {% data variables.product.prodname_dependabot_version_updates %}](/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/about-dependabot-version-updates)."
- **{% data variables.product.prodname_dependabot_security_updates %}**: Users toggle a repository setting to enable {% data variables.product.prodname_dependabot %} to create pull requests when {% data variables.product.prodname_dotcom %} detects a vulnerability in one of the dependencies of the dependency graph for the repository. For more information, see "[About alerts for vulnerable dependencies](/code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/about-alerts-for-vulnerable-dependencies)" and "[About {% data variables.product.prodname_dependabot_security_updates %}](/code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/about-dependabot-security-updates)."
{% endif %}
## Enabling {% data variables.product.prodname_dependabot_alerts %}
Before you can enable {% data variables.product.prodname_dependabot_alerts %}:
- You must enable {% data variables.product.prodname_github_connect %}. For more information, see "[Managing {% data variables.product.prodname_github_connect %}](/admin/configuration/configuring-github-connect/managing-github-connect)."{% ifversion ghes %}
- You must enable the dependency graph. For more information, see "[Enabling the dependency graph for your enterprise](/admin/code-security/managing-supply-chain-security-for-your-enterprise/enabling-the-dependency-graph-for-your-enterprise)."{% endif %}
{% data reusables.enterprise-accounts.access-enterprise %}
{%- ifversion ghes < 3.1 %}{% data reusables.enterprise-accounts.settings-tab %}{% endif %}
{% data reusables.enterprise-accounts.github-connect-tab %}
{%- if dependabot-updates-github-connect %}
1. Under "{% data variables.product.prodname_dependabot %}", to the right of "Users can receive vulnerability alerts for open source code dependencies", select the dropdown menu and click **Enabled without notifications**. Optionally, to enable alerts with notifications, click **Enabled with notifications**.
![Screenshot of the dropdown menu to enable scanning repositories for vulnerabilities](/assets/images/enterprise/site-admin-settings/dependabot-alerts-dropdown.png)
{%- else %}
1. Under "Repositories can be scanned for vulnerabilities", select the drop-down menu and click **Enabled without notifications**. Optionally, to enable alerts with notifications, click **Enabled with notifications**.
![Drop-down menu to enable scanning repositories for vulnerabilities](/assets/images/enterprise/site-admin-settings/enable-vulnerability-scanning-in-repositories.png)
{%- endif %}
{% tip %}
**Tip**: We recommend configuring {% data variables.product.prodname_dependabot_alerts %} without notifications for the first few days to avoid an overload of emails. After a few days, you can enable notifications to receive {% data variables.product.prodname_dependabot_alerts %} as usual.
{% endtip %}
{% if dependabot-updates-github-connect %}
## Enabling {% data variables.product.prodname_dependabot_updates %}
After you enable {% data variables.product.prodname_dependabot_alerts %} for your enterprise, you can enable {% data variables.product.prodname_dependabot_updates %}.
{% ifversion ghes %}
Before you enable {% data variables.product.prodname_dependabot_updates %}, you must configure {% data variables.product.product_location %} to use {% data variables.product.prodname_actions %} with self-hosted runners. For more information, see "[Getting started with {% data variables.product.prodname_actions %} for GitHub Enterprise Server](/admin/github-actions/enabling-github-actions-for-github-enterprise-server/getting-started-with-github-actions-for-github-enterprise-server)."
{% data variables.product.prodname_dependabot_updates %} are not supported on {% data variables.product.product_name %} if your enterprise uses clustering or a high-availability configuration.
{% endif %}
{% data reusables.enterprise_site_admin_settings.sign-in %}
{% data reusables.enterprise_site_admin_settings.access-settings %}
{% data reusables.enterprise_site_admin_settings.management-console %}
{% data reusables.enterprise_management_console.advanced-security-tab %}
1. Under "Security", select **{% data variables.product.prodname_dependabot_security_updates %}**.
![Screenshot of the checkbox to enable or disable {% data variables.product.prodname_dependabot_security_updates %}](/assets/images/enterprise/management-console/enable-dependabot-updates.png)
{% data reusables.enterprise_management_console.save-settings %}
1. Click **Visit your instance**.
1. Configure self-hosted runners to create the pull requests that will update dependencies. For more information, see "[Managing self-hosted runners for {% data variables.product.prodname_dependabot_updates %} on your enterprise](/admin/github-actions/enabling-github-actions-for-github-enterprise-server/managing-self-hosted-runners-for-dependabot-updates)."
{% data reusables.enterprise-accounts.access-enterprise %}
{% data reusables.enterprise-accounts.github-connect-tab %}
1. Under "{% data variables.product.prodname_dependabot %}", to the right of "Users can easily upgrade to non-vulnerable open source code dependencies", click **Enable**.
![Screenshot of the dropdown menu to enable updating vulnerable dependencies](/assets/images/enterprise/site-admin-settings/dependabot-updates-button.png)
{% elsif ghes > 3.2 %}
When you enable {% data variables.product.prodname_dependabot_alerts %}, you should consider also setting up {% data variables.product.prodname_actions %} for {% data variables.product.prodname_dependabot_security_updates %}. This feature allows developers to fix vulnerabilities in their dependencies. For more information, see "[Managing self-hosted runners for {% data variables.product.prodname_dependabot_updates %} on your enterprise](/admin/github-actions/enabling-github-actions-for-github-enterprise-server/managing-self-hosted-runners-for-dependabot-updates)."
{% endif %}


@@ -1,130 +0,0 @@
---
title: Enabling the dependency graph and Dependabot alerts for your enterprise
intro: 'You can allow users on {% data variables.product.product_location %} to find and fix vulnerabilities in code dependencies by enabling the dependency graph and {% data variables.product.prodname_dependabot_alerts %}.'
miniTocMaxHeadingLevel: 3
shortTitle: Dependabot
redirect_from:
- /enterprise/admin/installation/enabling-security-alerts-for-vulnerable-dependencies-on-github-enterprise-server
- /enterprise/admin/configuration/enabling-security-alerts-for-vulnerable-dependencies-on-github-enterprise-server
- /enterprise/admin/configuration/enabling-alerts-for-vulnerable-dependencies-on-github-enterprise-server
- /admin/configuration/enabling-alerts-for-vulnerable-dependencies-on-github-enterprise-server
- /admin/configuration/managing-connections-between-github-enterprise-server-and-github-enterprise-cloud/enabling-alerts-for-vulnerable-dependencies-on-github-enterprise-server
- /admin/configuration/managing-connections-between-your-enterprise-accounts/enabling-alerts-for-vulnerable-dependencies-on-github-enterprise-server
- /admin/configuration/managing-connections-between-your-enterprise-accounts/enabling-the-dependency-graph-and-dependabot-alerts-on-your-enterprise-account
permissions: 'Enterprise owners who are also owners of the connected {% data variables.product.prodname_ghe_cloud %} organization or enterprise account can enable the dependency graph and {% data variables.product.prodname_dependabot_alerts %} on {% data variables.product.product_location %}.'
versions:
ghes: '*'
ghae: issue-4864
type: how_to
topics:
- Enterprise
- Security
- Dependency graph
- Dependabot
---
## About alerts for vulnerable dependencies on {% data variables.product.product_location %}
{% data reusables.dependabot.dependabot-alerts-beta %}
{% data variables.product.prodname_dotcom %} identifies vulnerable dependencies in repositories and creates {% data variables.product.prodname_dependabot_alerts %} on {% data variables.product.product_location %}, using:
- Data from the {% data variables.product.prodname_advisory_database %}
- The dependency graph service
For more information about these features, see "[About the dependency graph](/github/visualizing-repository-data-with-graphs/about-the-dependency-graph)" and "[About alerts for vulnerable dependencies](/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies)."
### About synchronization of data from the {% data variables.product.prodname_advisory_database %}
{% data reusables.repositories.tracks-vulnerabilities %}
You can connect {% data variables.product.product_location %} to {% data variables.product.prodname_ghe_cloud %} with {% data variables.product.prodname_github_connect %}. Once connected, vulnerability data is synced from the {% data variables.product.prodname_advisory_database %} to your instance once every hour. You can also choose to manually sync vulnerability data at any time. No code or information about code from {% data variables.product.product_location %} is uploaded to {% data variables.product.prodname_dotcom_the_website %}.
Only {% data variables.product.company_short %}-reviewed advisories are synchronized. {% data reusables.security-advisory.link-browsing-advisory-db %}
### About scanning of repositories with synchronized data from the {% data variables.product.prodname_advisory_database %}
For repositories with {% data variables.product.prodname_dependabot_alerts %} enabled, scanning is triggered on any push to the default branch that contains a manifest file or lock file. Additionally, when a new vulnerability record is added to the instance, {% data variables.product.prodname_ghe_server %} scans all existing repositories in that instance and generates alerts for any repository that is vulnerable. For more information, see "[Detection of vulnerable dependencies](/code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/about-alerts-for-vulnerable-dependencies#detection-of-vulnerable-dependencies)."
### About generation of {% data variables.product.prodname_dependabot_alerts %}
If you enable vulnerability detection, when {% data variables.product.product_location %} receives information about a vulnerability, it identifies repositories in your instance that use the affected version of the dependency and generates {% data variables.product.prodname_dependabot_alerts %}. You can choose whether or not to notify users automatically about new {% data variables.product.prodname_dependabot_alerts %}.
## Enabling the dependency graph and {% data variables.product.prodname_dependabot_alerts %} for vulnerable dependencies on {% data variables.product.product_location %}
### Prerequisites
For {% data variables.product.product_location %} to detect vulnerable dependencies and generate {% data variables.product.prodname_dependabot_alerts %}:
- You must enable {% data variables.product.prodname_github_connect %}. {% ifversion ghae %}This also enables the dependency graph service.{% endif %}{% ifversion ghes or ghae %}For more information, see "[Managing {% data variables.product.prodname_github_connect %}](/admin/configuration/configuring-github-connect/managing-github-connect)."{% endif %}
{% ifversion ghes %}- You must enable the dependency graph service.{% endif %}
- You must enable vulnerability scanning.
{% ifversion ghes %}
{% ifversion ghes > 3.1 %}
You can enable the dependency graph via the {% data variables.enterprise.management_console %} or the administrative shell. We recommend you follow the {% data variables.enterprise.management_console %} route unless {% data variables.product.product_location %} uses clustering.
### Enabling the dependency graph via the {% data variables.enterprise.management_console %}
{% data reusables.enterprise_site_admin_settings.sign-in %}
{% data reusables.enterprise_site_admin_settings.access-settings %}
{% data reusables.enterprise_site_admin_settings.management-console %}
{% data reusables.enterprise_management_console.advanced-security-tab %}
1. Under "Security," click **Dependency graph**.
![Checkbox to enable or disable the dependency graph](/assets/images/enterprise/3.2/management-console/enable-dependency-graph-checkbox.png)
{% data reusables.enterprise_management_console.save-settings %}
1. Click **Visit your instance**.
### Enabling the dependency graph via the administrative shell
{% endif %}{% ifversion ghes < 3.2 %}
### Enabling the dependency graph
{% endif %}
{% data reusables.enterprise_site_admin_settings.sign-in %}
1. In the administrative shell, enable the dependency graph on {% data variables.product.product_location %}:
{% ifversion ghes > 3.1 %}```shell
ghe-config app.dependency-graph.enabled true
```
{% else %}```shell
ghe-config app.github.dependency-graph-enabled true
ghe-config app.github.vulnerability-alerting-and-settings-enabled true
```{% endif %}
{% note %}
**Note**: For more information about enabling access to the administrative shell via SSH, see "[Accessing the administrative shell (SSH)](/enterprise/{{ currentVersion }}/admin/configuration/accessing-the-administrative-shell-ssh)."
{% endnote %}
2. Apply the configuration.
```shell
$ ghe-config-apply
```
3. Return to {% data variables.product.prodname_ghe_server %}.
{% endif %}
### Enabling {% data variables.product.prodname_dependabot_alerts %}
{% ifversion ghes %}
Before enabling {% data variables.product.prodname_dependabot_alerts %} for your instance, you need to enable the dependency graph. For more information, see above.
{% endif %}
{% data reusables.enterprise-accounts.access-enterprise %}
{%- ifversion ghes < 3.1 %}{% data reusables.enterprise-accounts.settings-tab %}{% endif %}
{% data reusables.enterprise-accounts.github-connect-tab %}
1. Under "Repositories can be scanned for vulnerabilities", select the drop-down menu and click **Enabled without notifications**. Optionally, to enable alerts with notifications, click **Enabled with notifications**.
![Drop-down menu to enable scanning repositories for vulnerabilities](/assets/images/enterprise/site-admin-settings/enable-vulnerability-scanning-in-repositories.png)
{% tip %}
**Tip**: We recommend configuring {% data variables.product.prodname_dependabot_alerts %} without notifications for the first few days to avoid an overload of emails. After a few days, you can enable notifications to receive {% data variables.product.prodname_dependabot_alerts %} as usual.
{% endtip %}
{% ifversion fpt or ghec or ghes > 3.2 %}
When you enable {% data variables.product.prodname_dependabot_alerts %}, you should consider also setting up {% data variables.product.prodname_actions %} for {% data variables.product.prodname_dependabot_security_updates %}. This feature allows developers to fix vulnerabilities in their dependencies. For more information, see "[Setting up {% data variables.product.prodname_dependabot %} security and version updates on your enterprise](/admin/github-actions/enabling-github-actions-for-github-enterprise-server/setting-up-dependabot-updates)."
{% endif %}
## Viewing vulnerable dependencies on {% data variables.product.product_location %}
You can view all vulnerabilities in {% data variables.product.product_location %} and manually sync vulnerability data from {% data variables.product.prodname_dotcom_the_website %} to update the list.
{% data reusables.enterprise_site_admin_settings.access-settings %}
2. In the left sidebar, click **Vulnerabilities**.
![Vulnerabilities tab in the site admin sidebar](/assets/images/enterprise/business-accounts/vulnerabilities-tab.png)
3. To sync vulnerability data, click **Sync Vulnerabilities now**.
![Sync vulnerabilities now button](/assets/images/enterprise/site-admin-settings/sync-vulnerabilities-button.png)


@@ -11,7 +11,7 @@ redirect_from:
- /admin/configuration/enabling-unified-contributions-between-github-enterprise-server-and-githubcom
- /admin/configuration/managing-connections-between-github-enterprise-server-and-github-enterprise-cloud/enabling-unified-contributions-between-github-enterprise-server-and-githubcom
- /admin/configuration/managing-connections-between-your-enterprise-accounts/enabling-unified-contributions-between-your-enterprise-account-and-githubcom
permissions: 'Enterprise owners who are also owners of the connected {% data variables.product.prodname_ghe_cloud %} organization or enterprise account can enable unified contributions between {% data variables.product.product_location %} and {% data variables.product.prodname_dotcom_the_website %}.'
permissions: 'Enterprise owners can enable unified contributions between {% data variables.product.product_location %} and {% data variables.product.prodname_dotcom_the_website %}.'
versions:
ghes: '*'
ghae: '*'


@@ -11,7 +11,7 @@ redirect_from:
- /admin/configuration/enabling-unified-search-between-github-enterprise-server-and-githubcom
- /admin/configuration/managing-connections-between-github-enterprise-server-and-github-enterprise-cloud/enabling-unified-search-between-github-enterprise-server-and-githubcom
- /admin/configuration/managing-connections-between-your-enterprise-accounts/enabling-unified-search-between-your-enterprise-account-and-githubcom
permissions: 'Enterprise owners who are also owners of the connected {% data variables.product.prodname_ghe_cloud %} organization or enterprise account can enable unified search between {% data variables.product.product_name %} and {% data variables.product.prodname_dotcom_the_website %}.'
permissions: 'Enterprise owners can enable unified search between {% data variables.product.product_name %} and {% data variables.product.prodname_dotcom_the_website %}.'
versions:
ghes: '*'
ghae: '*'


@@ -20,7 +20,7 @@ children:
- /about-github-connect
- /managing-github-connect
- /enabling-automatic-user-license-sync-for-your-enterprise
- /enabling-the-dependency-graph-and-dependabot-alerts-for-your-enterprise
- /enabling-dependabot-for-your-enterprise
- /enabling-unified-search-for-your-enterprise
- /enabling-unified-contributions-for-your-enterprise
shortTitle: GitHub Connect


@@ -185,3 +185,43 @@ There are three ways to resolve this problem:
1. Return to {% data variables.product.prodname_ghe_server %}.
{% endif %}
{% ifversion ghes > 3.3 %}
<a name="bundled-actions"></a>
## Troubleshooting bundled actions in {% data variables.product.prodname_actions %}
If you receive the following error when installing {% data variables.product.prodname_actions %} in {% data variables.product.prodname_ghe_server %}, you can resolve the problem by installing the official bundled actions and starter workflows.
```shell
A part of the Actions setup had problems and needs an administrator to resolve.
```
To install the official bundled actions and starter workflows within a designated organization in {% data variables.product.prodname_ghe_server %}, follow this procedure.
1. Identify an organization that will store the official bundled actions and starter worflows. You can create a new organization or reuse an existing one.
- To create a new organization, see "[Creating a new organization from scratch](/organizations/collaborating-with-groups-in-organizations/creating-a-new-organization-from-scratch)."
- For assistance with choosing a name for this organization, see "[Reserved Names](/admin/github-actions/getting-started-with-github-actions-for-your-enterprise/getting-started-with-github-actions-for-github-enterprise-server#reserved-names)."
1. Log in to the administrative shell using SSH. For more information, see "[Accessing the administrative shell (SSH)](/admin/configuration/accessing-the-administrative-shell-ssh)."
1. To designate your organization as the location to store the bundled actions, use the `ghe-config` command, replacing `ORGANIZATION` with the name of your organization.
```shell
$ ghe-config app.actions.actions-org ORGANIZATION
```
and:
```shell
$ ghe-config app.actions.github-org ORGANIZATION
```
1. To add the bundled actions to your organization, unset the SHA.
```shell
$ ghe-config --unset 'app.actions.actions-repos-sha1sum'
```
1. Apply the configuration.
```shell
$ ghe-config-apply
```
After you've completed these steps, you can resume configuring {% data variables.product.prodname_actions %} at "[Managing access permissions for GitHub Actions in your enterprise](/admin/github-actions/getting-started-with-github-actions-for-your-enterprise/getting-started-with-github-actions-for-github-enterprise-server#managing-access-permissions-for-github-actions-in-your-enterprise)."
{% endif %}


@@ -9,7 +9,7 @@ children:
- /enabling-github-actions-with-azure-blob-storage
- /enabling-github-actions-with-amazon-s3-storage
- /enabling-github-actions-with-minio-gateway-for-nas-storage
- /setting-up-dependabot-updates
- /managing-self-hosted-runners-for-dependabot-updates
shortTitle: Enable GitHub Actions
---


@@ -1,6 +1,8 @@
---
title: Setting up Dependabot security and version updates on your enterprise
title: Managing self-hosted runners for Dependabot updates on your enterprise
intro: 'You can create dedicated runners for {% data variables.product.product_location %} that {% data variables.product.prodname_dependabot %} uses to create pull requests to help secure and maintain the dependencies used in repositories on your enterprise.'
redirect_from:
- /admin/github-actions/enabling-github-actions-for-github-enterprise-server/setting-up-dependabot-updates
allowTitleToDifferFromFilename: true
miniTocMaxHeadingLevel: 3
versions:
@@ -10,38 +12,31 @@ topics:
- Security
- Dependabot
- Dependencies
shortTitle: Set up Dependabot updates
shortTitle: Dependabot updates
---
{% data reusables.dependabot.beta-security-and-version-updates %}
{% tip %}
## About self-hosted runners for {% data variables.product.prodname_dependabot_updates %}
**Tip**: If {% data variables.product.product_location %} uses clustering, you cannot set up {% data variables.product.prodname_dependabot %} security and version updates as {% data variables.product.prodname_actions %} are not supported in cluster mode.
You can help users of {% data variables.product.product_location %} to create and maintain secure code by setting up {% data variables.product.prodname_dependabot %} security and version updates. With {% data variables.product.prodname_dependabot_updates %}, developers can configure repositories so that their dependencies are updated and kept secure automatically. For more information, see "[Enabling {% data variables.product.prodname_dependabot %} for your enterprise](/admin/configuration/configuring-github-connect/enabling-dependabot-for-your-enterprise)."
{% endtip %}
To use {% data variables.product.prodname_dependabot_updates %} on {% data variables.product.product_location %}, you must configure self-hosted runners to create the pull requests that will update dependencies.
## About {% data variables.product.prodname_dependabot %} updates
## Prerequisites
When you set up {% data variables.product.prodname_dependabot %} security and version updates for {% data variables.product.product_location %}, users can configure repositories so that their dependencies are updated and kept secure automatically. This is an important step in helping developers create and maintain secure code.
{% if dependabot-updates-github-connect %}
Configuring self-hosted runners is only one step in the middle of the process for enabling {% data variables.product.prodname_dependabot_updates %}. There are several steps you must follow before these steps, including configuring {% data variables.product.product_location %} to use {% data variables.product.prodname_actions %} with self-hosted runners. For more information, see "[Enabling {% data variables.product.prodname_dependabot %} for your enterprise](/admin/configuration/configuring-github-connect/enabling-dependabot-for-your-enterprise)."
{% else %}
Before you configure self-hosted runners for {% data variables.product.prodname_dependabot_updates %}, you must:
Users can set up {% data variables.product.prodname_dependabot %} to create pull requests to update their dependencies using two features.
- Configure {% data variables.product.product_location %} to use {% data variables.product.prodname_actions %} with self-hosted runners. For more information, see "[Getting started with {% data variables.product.prodname_actions %} for GitHub Enterprise Server](/admin/github-actions/enabling-github-actions-for-github-enterprise-server/getting-started-with-github-actions-for-github-enterprise-server)."
- Enable {% data variables.product.prodname_dependabot_alerts %} for your enterprise. For more information, see "[Enabling {% data variables.product.prodname_dependabot %} for your enterprise](/admin/configuration/configuring-github-connect/enabling-dependabot-for-your-enterprise)."
{% endif %}
- **{% data variables.product.prodname_dependabot_version_updates %}**: Users add a {% data variables.product.prodname_dependabot %} configuration file to the repository to enable {% data variables.product.prodname_dependabot %} to create pull requests when a new version of a tracked dependency is released. For more information, see "[About {% data variables.product.prodname_dependabot_version_updates %}](/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/about-dependabot-version-updates)."
- **{% data variables.product.prodname_dependabot_security_updates %}**: Users toggle a repository setting to enable {% data variables.product.prodname_dependabot %} to create pull requests when {% data variables.product.prodname_dotcom %} detects a vulnerability in one of the dependencies of the dependency graph for the repository. For more information, see "[About alerts for vulnerable dependencies](/code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/about-alerts-for-vulnerable-dependencies)" and "[About {% data variables.product.prodname_dependabot_security_updates %}](/code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/about-dependabot-security-updates)."
## Configuring self-hosted runners for {% data variables.product.prodname_dependabot_updates %}
## Prerequisites for {% data variables.product.prodname_dependabot %} updates
Both types of {% data variables.product.prodname_dependabot %} update have the following requirements.
- Configure {% data variables.product.product_location %} to use {% data variables.product.prodname_actions %}. For more information, see "[Getting started with {% data variables.product.prodname_actions %} for GitHub Enterprise Server](/admin/github-actions/enabling-github-actions-for-github-enterprise-server/getting-started-with-github-actions-for-github-enterprise-server)."
- Set up one or more {% data variables.product.prodname_actions %} self-hosted runners for {% data variables.product.prodname_dependabot %}. For more information, see "[Setting up self-hosted runners for {% data variables.product.prodname_dependabot %} updates](#setting-up-self-hosted-runners-for-dependabot-updates)" below.
Additionally, {% data variables.product.prodname_dependabot_security_updates %} rely on the dependency graph, vulnerability data from {% data variables.product.prodname_github_connect %}, and {% data variables.product.prodname_dependabot_alerts %}. These features must be enabled on {% data variables.product.product_location %}. For more information, see "[Enabling the dependency graph and {% data variables.product.prodname_dependabot_alerts %} for your enterprise](/admin/configuration/configuring-github-connect/enabling-the-dependency-graph-and-dependabot-alerts-for-your-enterprise)."
## Setting up self-hosted runners for {% data variables.product.prodname_dependabot %} updates
When you have configured {% data variables.product.product_location %} to use {% data variables.product.prodname_actions %}, you need to add self-hosted runners for {% data variables.product.prodname_dependabot %} updates. For more information, see "[Getting started with {% data variables.product.prodname_actions %} for GitHub Enterprise Server](/admin/github-actions/enabling-github-actions-for-github-enterprise-server/getting-started-with-github-actions-for-github-enterprise-server)."
After you configure {% data variables.product.product_location %} to use {% data variables.product.prodname_actions %}, you need to add self-hosted runners for {% data variables.product.prodname_dependabot_updates %}.
### System requirements for {% data variables.product.prodname_dependabot %} runners


@@ -31,7 +31,7 @@ This article explains how site administrators can configure {% data variables.pr
{% data reusables.actions.migrating-enterprise %}
## Review hardware considerations
## Review hardware requirements
{% ifversion ghes = 3.0 %}
@@ -45,7 +45,7 @@ This article explains how site administrators can configure {% data variables.pr
{%- ifversion ghes < 3.2 %}
The CPU and memory resources available to {% data variables.product.product_location %} determine the maximum job throughput for {% data variables.product.prodname_actions %}.
The CPU and memory resources available to {% data variables.product.product_location %} determine the maximum job throughput for {% data variables.product.prodname_actions %}. {% data reusables.actions.minimum-hardware %}
Internal testing at {% data variables.product.company_short %} demonstrated the following maximum throughput for {% data variables.product.prodname_ghe_server %} instances with a range of CPU and memory configurations. You may see different throughput depending on the overall levels of activity on your instance.
@@ -53,7 +53,7 @@ Internal testing at {% data variables.product.company_short %} demonstrated the
{%- ifversion ghes > 3.1 %}
The CPU and memory resources available to {% data variables.product.product_location %} determine the number of jobs that can be run concurrently without performance loss.
The CPU and memory resources available to {% data variables.product.product_location %} determine the number of jobs that can be run concurrently without performance loss. {% data reusables.actions.minimum-hardware %}
The peak quantity of concurrent jobs running without performance loss depends on such factors as job duration, artifact usage, number of repositories running Actions, and how much other work your instance is doing not related to Actions. Internal testing at GitHub demonstrated the following performance targets for GitHub Enterprise Server on a range of CPU and memory configurations:


@@ -71,6 +71,7 @@ Think about how your enterprise can use features of {% data variables.product.pr
{% data reusables.actions.internal-actions-summary %}
{% ifversion ghec or ghes > 3.3 or ghae-issue-4757 %}
{% data reusables.actions.reusable-workflows-ghes-beta %}
With reusable workflows, your team can call one workflow from another workflow, avoiding exact duplication. Reusable workflows promote best practice by helping your team use workflows that are well designed and have already been tested. For more information, see "[Reusing workflows](/actions/learn-github-actions/reusing-workflows)."
{% endif %}


@@ -7,7 +7,7 @@ redirect_from:
- /enterprise/admin/authentication/using-saml
- /admin/authentication/using-saml
- /enterprise/admin/authentication/authenticating-users-for-your-github-enterprise-server-instance/using-saml
intro: 'SAML is an XML-based standard for authentication and authorization. {% data variables.product.prodname_ghe_server %} can act as a service provider (SP) with your internal SAML identity provider (IdP).'
intro: You can configure SAML single sign-on (SSO) for {% data variables.product.product_name %}, which allows users to authenticate through a SAML identity provider (IdP) to access your instance.
versions:
ghes: '*'
type: how_to
@@ -18,12 +18,25 @@ topics:
- Identity
- SSO
---
## About SAML for {% data variables.product.product_name %}
SAML SSO allows people to authenticate and access {% data variables.product.product_location %} through an external system for identity management.
SAML is an XML-based standard for authentication and authorization. When you configure SAML for {% data variables.product.product_location %}, the external system for authentication is called an identity provider (IdP). Your instance acts as a SAML service provider (SP). For more information, see [Security Assertion Markup Language](https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language) on Wikipedia.
{% data reusables.enterprise_user_management.built-in-authentication %}
## Supported SAML services
{% data reusables.saml.saml-supported-idps %}
{% ifversion ghes > 3.3 %}
If your IdP supports encrypted assertions, you can configure encrypted assertions on {% data variables.product.product_name %} for increased security during the authentication process.
{% endif %}
{% data reusables.saml.saml-single-logout-not-supported %}
## Username considerations with SAML
@@ -54,7 +67,7 @@ A mapping is created between the `NameID` and the {% data variables.product.prod
## SAML metadata
Your {% data variables.product.prodname_ghe_server %} instance's service provider metadata is available at `http(s)://[hostname]/saml/metadata`.
The service provider metadata for {% data variables.product.product_location %} is available at `http(s)://[hostname]/saml/metadata`.
To configure your identity provider manually, the Assertion Consumer Service (ACS) URL is `http(s)://[hostname]/saml/consume`. It uses the `urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST` binding.
@@ -86,32 +99,92 @@ To specify more than one value for an attribute, use multiple `<saml2:AttributeV
{% data reusables.enterprise_site_admin_settings.access-settings %}
{% data reusables.enterprise_site_admin_settings.management-console %}
{% data reusables.enterprise_management_console.authentication %}
3. Select **SAML**.
![SAML authentication](/assets/images/enterprise/management-console/auth-select-saml.png)
4. {% data reusables.enterprise_user_management.built-in-authentication-option %} ![Select SAML built-in authentication checkbox](/assets/images/enterprise/management-console/saml-built-in-authentication.png)
5. Optionally, to enable unsolicited response SSO, select **IdP initiated SSO**. By default, {% data variables.product.prodname_ghe_server %} will reply to an unsolicited Identity Provider (IdP) initiated request with an `AuthnRequest` back to the IdP.
![SAML idP SSO](/assets/images/enterprise/management-console/saml-idp-sso.png)
1. Select **SAML**.
![Screenshot of option to enable SAML authentication in management console](/assets/images/enterprise/management-console/auth-select-saml.png)
1. {% data reusables.enterprise_user_management.built-in-authentication-option %}
{% tip %}
![Screenshot of option to enable built-in authentication outside of SAML IdP](/assets/images/enterprise/management-console/saml-built-in-authentication.png)
1. Optionally, to enable unsolicited response SSO, select **IdP initiated SSO**. By default, {% data variables.product.prodname_ghe_server %} will reply to an unsolicited Identity Provider (IdP) initiated request with an `AuthnRequest` back to the IdP.
**Note**: We recommend keeping this value **unselected**. You should enable this feature **only** in the rare instance that your SAML implementation does not support service provider initiated SSO, and when advised by {% data variables.contact.enterprise_support %}.
![Screenshot of option to enable IdP-initiated unsolicited response](/assets/images/enterprise/management-console/saml-idp-sso.png)
{% endtip %}
{% tip %}
5. Select **Disable administrator demotion/promotion** if you **do not** want your SAML provider to determine administrator rights for users on {% data variables.product.product_location %}.
![SAML disable admin configuration](/assets/images/enterprise/management-console/disable-admin-demotion-promotion.png)
6. In the **Single sign-on URL** field, type the HTTP or HTTPS endpoint on your IdP for single sign-on requests. This value is provided by your IdP configuration. If the host is only available from your internal network, you may need to [configure {% data variables.product.product_location %} to use internal nameservers](/enterprise/{{ currentVersion }}/admin/guides/installation/configuring-dns-nameservers/).
![SAML authentication](/assets/images/enterprise/management-console/saml-single-sign-url.png)
7. Optionally, in the **Issuer** field, type your SAML issuer's name. This verifies the authenticity of messages sent to {% data variables.product.product_location %}.
![SAML issuer](/assets/images/enterprise/management-console/saml-issuer.png)
8. In the **Signature Method** and **Digest Method** drop-down menus, choose the hashing algorithm used by your SAML issuer to verify the integrity of the requests from {% data variables.product.product_location %}. Specify the format with the **Name Identifier Format** drop-down menu.
![SAML method](/assets/images/enterprise/management-console/saml-method.png)
9. Under **Verification certificate**, click **Choose File** and choose a certificate to validate SAML responses from the IdP.
![SAML authentication](/assets/images/enterprise/management-console/saml-verification-cert.png)
10. Modify the SAML attribute names to match your IdP if needed, or accept the default names.
![SAML attribute names](/assets/images/enterprise/management-console/saml-attributes.png)
**Note**: We recommend keeping this value **unselected**. You should enable this feature **only** in the rare instance that your SAML implementation does not support service provider initiated SSO, and when advised by {% data variables.contact.enterprise_support %}.
{% ifversion ghes %}
{% endtip %}
1. Select **Disable administrator demotion/promotion** if you **do not** want your SAML provider to determine administrator rights for users on {% data variables.product.product_location %}.
![Screenshot of option to enable option to respect the "administrator" attribute from the IdP to enable or disable administrative rights](/assets/images/enterprise/management-console/disable-admin-demotion-promotion.png)
1. Optionally, to allow {% data variables.product.product_location %} to send and receive encrypted assertions to and from your SAML IdP, select **Require encrypted assertions**. For more information, see "[Enabling encrypted assertions](#enabling-encrypted-assertions)."
![Screenshot of "Enable encrypted assertions" checkbox within management console's "Authentication" section](/assets/images/help/saml/management-console-enable-encrypted-assertions.png)
{% warning %}
**Warning**: Incorrectly configuring encrypted assertions can cause all authentication to {% data variables.product.product_location %} to fail.
- You must ensure that your IdP supports encrypted assertions and that the encryption and key transport methods in the management console match the values configured on your IdP. You must also provide {% data variables.product.product_location %}'s public certificate to your IdP. For more information, see "[Enabling encrypted assertions](#enabling-encrypted-assertions)."
- Before enabling encrypted assertions, {% data variables.product.company_short %} recommends testing encrypted assertions in a staging environment, and confirming that SAML authentication functions as you expect. For more information, see "[Setting up a staging instance](/admin/installation/setting-up-a-github-enterprise-server-instance/setting-up-a-staging-instance)."
{% endwarning %}
1. In the **Single sign-on URL** field, type the HTTP or HTTPS endpoint on your IdP for single sign-on requests. This value is provided by your IdP configuration. If the host is only available from your internal network, you may need to [configure {% data variables.product.product_location %} to use internal nameservers](/enterprise/{{ currentVersion }}/admin/guides/installation/configuring-dns-nameservers/).
![Screenshot of text field for single sign-on URL](/assets/images/enterprise/management-console/saml-single-sign-url.png)
1. Optionally, in the **Issuer** field, type your SAML issuer's name. This verifies the authenticity of messages sent to {% data variables.product.product_location %}.
![Screenshot of text field for SAML issuer URL](/assets/images/enterprise/management-console/saml-issuer.png)
1. In the **Signature Method** and **Digest Method** drop-down menus, choose the hashing algorithm used by your SAML issuer to verify the integrity of the requests from {% data variables.product.product_location %}. Specify the format with the **Name Identifier Format** drop-down menu.
![Screenshot of drop-down menus to select signature and digest method](/assets/images/enterprise/management-console/saml-method.png)
1. Under **Verification certificate**, click **Choose File** and choose a certificate to validate SAML responses from the IdP.
![Screenshot of button for uploading validation certificate from IdP](/assets/images/enterprise/management-console/saml-verification-cert.png)
1. Modify the SAML attribute names to match your IdP if needed, or accept the default names.
![Screenshot of fields for entering additional SAML attributes](/assets/images/enterprise/management-console/saml-attributes.png)
{% ifversion ghes > 3.3 %}
## Enabling encrypted assertions
To enable encrypted assertions, your SAML IdP must also support encrypted assertions. You must provide {% data variables.product.product_location %}'s public certificate to your IdP, and configure encryption settings that match your IdP.
{% warning %}
**Warning**: Incorrectly configuring encrypted assertions can cause all authentication to {% data variables.product.product_location %} to fail. {% data variables.product.company_short %} strongly recommends testing your SAML configuration in a staging environment. For more information about staging instances, see "[Setting up a staging instance](/admin/installation/setting-up-a-github-enterprise-server-instance/setting-up-a-staging-instance)."
{% endwarning %}
1. Configure SAML for {% data variables.product.product_location %}. For more information, see "[Configuring SAML settings](#configuring-saml-settings)."
{% data reusables.enterprise_installation.ssh-into-instance %}
1. Run the following command to output {% data variables.product.product_location %}'s public certificate.
openssl pkcs12 -in /data/user/common/saml-sp.p12 -nokeys -passin pass:
1. In the output, copy the text beginning with `-----BEGIN CERTIFICATE-----` and ending with `-----END CERTIFICATE-----`, and paste the output into a plaintext file.
1. Sign into your SAML IdP as an administrator.
1. In the application for {% data variables.product.product_location %}, enable encrypted assertions.
- Note the encryption method and key transport method.
- Provide the public certificate from step 3.
{% data reusables.enterprise_site_admin_settings.access-settings %}
{% data reusables.enterprise_site_admin_settings.management-console %}
{% data reusables.enterprise_management_console.authentication %}
1. Select **Require encrypted assertions**.
![Screenshot of "Enable encrypted assertions" checkbox within management console's "Authentication" section](/assets/images/help/saml/management-console-enable-encrypted-assertions.png)
1. To the right of "Encryption Method", select the encryption method for your IdP from step 5.
![Screenshot of "Encryption Method" for encrypted assertions](/assets/images/help/saml/management-console-encrypted-assertions-encryption-method.png)
1. To the right of "Key Transport Method", select the key transport method for your IdP from step 5.
![Screenshot of "Key Transport Method" for encrypted assertions](/assets/images/help/saml/management-console-encrypted-assertions-key-transport-method.png)
1. Click **Save settings**.
{% data reusables.enterprise_site_admin_settings.wait-for-configuration-run %}
{% endif %}
## Updating a user's SAML `NameID`
@@ -128,8 +201,6 @@ To specify more than one value for an attribute, use multiple `<saml2:AttributeV
7. Click **Update NameID**.
!["Update NameID" button under updated NameID value within modal](/assets/images/enterprise/site-admin-settings/update-saml-nameid-update.png)
{% endif %}
## Revoking access to {% data variables.product.product_location %}
If you remove a user from your identity provider, you must also manually suspend them. Otherwise, they'll continue to be able to authenticate using access tokens or SSH keys. For more information, see "[Suspending and unsuspending users](/enterprise/admin/guides/user-management/suspending-and-unsuspending-users)".
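Review bot: The added step for **Require encrypted assertions** under "Configuring SAML settings" says it allows the instance "to send and receive encrypted assertions to and from your SAML IdP", which does not match the control it describes. The "About SAML" text in the same section states that the instance acts as the service provider, so it receives assertions rather than sending them, and a checkbox labelled "Require" presumably rejects unencrypted assertions rather than merely permitting encrypted ones, which would fit the warning that a misconfiguration can make all authentication fail. I would word the step as `1. Optionally, to require that assertions from your SAML IdP are encrypted, select **Require encrypted assertions**.` and align the two screenshot alt texts, which call the checkbox "Enable encrypted assertions". Separately, the "from step 3" and "from step 5" references under "Enabling encrypted assertions" depend on how the reusables render in a list numbered with `1.`; the encryption and key transport methods are noted in the step after signing in to the IdP, so "step 5" looks off by one and is worth checking against the rendered page.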


@@ -127,7 +127,7 @@ children:
- /enterprise-management
- /github-actions
- /packages
- /advanced-security
- /code-security
- /guides
- /release-notes
- /all-releases


@@ -102,6 +102,12 @@ You can manually collect and send troubleshooting data to {% data variables.cont
By default, the appliance also offers Secure Shell (SSH) access for both repository access using Git and administrative purposes. For more information, see "[About SSH](/enterprise/user/articles/about-ssh)" and "[Accessing the administrative shell (SSH)](/enterprise/{{ currentVersion }}/admin/installation/accessing-the-administrative-shell-ssh)."
{% ifversion ghes > 3.3 %}
If you configure SAML authentication for {% data variables.product.product_location %}, you can enable encrypted assertions between the instance and your SAML IdP. For more information, see "[Using SAML](/admin/identity-and-access-management/authenticating-users-for-your-github-enterprise-server-instance/using-saml#enabling-encrypted-assertions)."
{% endif %}
### Users and access permissions
{% data variables.product.prodname_ghe_server %} provides three types of accounts.


@@ -29,6 +29,6 @@ children:
- /managing-invoices-for-your-enterprise
- /connecting-an-azure-subscription-to-your-enterprise
- /how-does-upgrading-or-downgrading-affect-the-billing-process
- /one-time-payments-for-customers-in-india
- /discounted-subscriptions-for-github-accounts
---


@@ -0,0 +1,69 @@
---
title: One-time payments for customers in India
intro: "Customers in India who have been impacted by the Reserve Bank of India's recurring payment regulation can now make one-time payments for their GitHub subscriptions and services."
redirect_from:
- /early-access/billing/india-rbi-regulation
versions:
fpt: '*'
ghec: '*'
topics:
- Billing
- Sponsors
- Policy
shortTitle: India one-time payments
---
## About the Reserve Bank of India's recurring payments regulation
A new payments regulation from the Reserve Bank of India (RBI) recently came into effect. This regulation places additional requirements on recurring online transactions and has prevented some {% data variables.product.company_short %} customers in India from making recurring payments. Customers using payment methods issued in India for any recurring transactions on {% data variables.product.product_name %} may find that their payments are declined by their banks or card issuers. For more information, see [the RBI's press release](https://www.rbi.org.in/Scripts/BS_PressReleaseDisplay.aspx?prid=51353).
The regulation applies to all recurring transactions, including:
- {% data variables.product.prodname_dotcom %} plan subscriptions (Pro, Team, Enterprise)
- {% data variables.product.prodname_marketplace %} purchases
- {% data variables.product.prodname_sponsors %} transactions
- Git Large File Storage purchases
- {% data variables.product.prodname_actions %}, {% data variables.product.prodname_registry %}, and {% data variables.product.prodname_codespaces %} consumption
In order to minimize disruption, recurring payments for our affected customers were paused on October 29th, 2021. Paid features and services have remained available to customers impacted by the RBI regulation.
## About one-time payments on {% data variables.product.company_short %}
As we work with our payment gateway provider to meet the new requirements, we are providing a temporary one-time payment option for impacted customers in India. From February 15th 2022, {% data variables.product.company_short %} customers in India who have been affected by the new RBI regulation will be able to make one-time payments on their regular billing cycle cadence.
### For customers on monthly billing
Customers on monthly billing plans will be able to make a one-time payment on the same day their billing cycle usually renews. For example, if you're usually billed on the 7th of each month, you will now be able to make a one-time payment from your account from the 7th of each month. Your first one-time payment will also include any accrued usage from October 2021 onwards.
If you are currently billed monthly, and would like to switch to yearly billing, you can reduce the frequency of your one-time payments. For more information, see "[Changing the duration of your billing cycle](/en/billing/managing-your-github-billing-settings/changing-the-duration-of-your-billing-cycle)."
### For customers on yearly billing
If you are billed yearly, and your renewal date was between October 1st, 2021 and February 14th, 2022, you will be able to make a one-time payment for your annual subscriptions from February 15th. This initial payment will include the prorated outstanding cost of your subscription for the period since your previous billing cycle ended.
If your billing cycle is due to renew after February 15th, we will attempt to take the recurring payment. If the payment attempt is declined, you will then be able to make a one-time payment through your account's billing page.
In the meantime, we are actively working with our payment partners to restore recurring payments for impacted customers. For more information or questions, you can contact [GitHub Support](https://support.github.com/contact).
### Impact to {% data variables.product.prodname_sponsors %}
Existing sponsorships will remain in place during this period and maintainers will continue to be paid out as expected. Payments for the accrued sponsorship amounts from the funding account will be collected at the same time as other accrued charges.
## Making a one-time payment for a GitHub subscription
{% note %}
**Note**: Affected customers will receive an email notification with a link to their billing settings when payment is due. Two further reminder emails will be sent 7 and 14 days later if payment has not been made. After 14 days, paid features and services will be locked until payment is made.
{% endnote %}
{% data reusables.user_settings.access_settings %}
{% data reusables.user_settings.billing_plans %}
3. At the top of the page, click **Pay now**.
![One-time payment pay now button](/assets/images/help/billing/pay-now-button.png)
4. Review your billing and payment information. If you need to make an edit, click **Edit** next to the relevant section. Otherwise, click **Submit payment**.
![One-time payment summary](/assets/images/help/billing/payment-summary.png)
5. Optionally, if you clicked **Edit**, make any necessary changes, and then click **Submit payment**.
![One-time payment edit summary](/assets/images/help/billing/payment-summary-edit.png)
6. Once payment for the current billing cycle has been successfully made, the **Pay now** button on your "Billing & plans" page will be disabled until your next payment is due.
![One-time payment pay now button disabled](/assets/images/help/billing/pay-now-button-disabled.png)


@@ -32,7 +32,7 @@ The first step to securing a repository is to set up who can see and modify your
From the main page of your repository, click **{% octicon "gear" aria-label="The Settings gear" %}Settings**, then scroll down to the "Danger Zone."
- To change who can view your repository, click **Change visibility**. For more information, see "[Setting repository visibility](/github/administering-a-repository/setting-repository-visibility)."{% ifversion fpt or ghec %}
- To change who can view your repository, click **Change visibility**. For more information, see "[Setting repository visibility](/github/administering-a-repository/setting-repository-visibility)."{% ifversion fpt or ghec or ghes > 3.3 or ghae-issue-5974 %}
- To change who can access your repository and adjust permissions, click **Manage access**. For more information, see"[Managing teams and people with access to your repository](/github/administering-a-repository/managing-teams-and-people-with-access-to-your-repository)."{% endif %}
{% ifversion fpt or ghes > 3.0 or ghae or ghec %}


@@ -32,7 +32,7 @@ When {% data variables.product.prodname_dependabot %} detects vulnerable depende
{% ifversion ghes or ghae-issue-4864 %}
By default, if your enterprise owner has configured email for notifications on your enterprise, you will receive {% data variables.product.prodname_dependabot_alerts %} by email.
Enterprise owners can also enable {% data variables.product.prodname_dependabot_alerts %} without notifications. For more information, see "[Enabling the dependency graph and {% data variables.product.prodname_dependabot_alerts %} for your enterprise](/admin/configuration/configuring-github-connect/enabling-the-dependency-graph-and-dependabot-alerts-for-your-enterprise)."
Enterprise owners can also enable {% data variables.product.prodname_dependabot_alerts %} without notifications. For more information, see "[Enabling {% data variables.product.prodname_dependabot %} for your enterprise](/admin/configuration/configuring-github-connect/enabling-dependabot-for-your-enterprise)."
{% endif %}
## Configuring notifications for {% data variables.product.prodname_dependabot_alerts %}


@@ -46,4 +46,4 @@ Dependency review supports the same languages and package management ecosystems
## Enabling dependency review
The dependency review feature becomes available when you enable the dependency graph. {% ifversion fpt or ghec %}For more information, see "[Enabling the dependency graph](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph#enabling-the-dependency-graph)."{% endif %}{% ifversion ghes or ghae %}For more information, see "[Enabling the dependency graph and {% data variables.product.prodname_dependabot_alerts %} for your enterprise](/admin/configuration/configuring-github-connect/enabling-the-dependency-graph-and-dependabot-alerts-for-your-enterprise)."{% endif %}
The dependency review feature becomes available when you enable the dependency graph. {% ifversion fpt or ghec %}For more information, see "[Enabling the dependency graph](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph#enabling-the-dependency-graph)."{% endif %}{% ifversion ghes or ghae %}For more information, see "[Enabling the dependency graph for your enterprise](/admin/code-security/managing-supply-chain-security-for-your-enterprise/enabling-the-dependency-graph-for-your-enterprise)."{% endif %}


@@ -27,10 +27,7 @@ shortTitle: Dependency graph
## About the dependency graph
The dependency graph is a summary of the manifest and lock files stored in a repository. For each repository, it shows{% ifversion fpt or ghec %}:
- Dependencies, the ecosystems and packages it depends on
- Dependents, the repositories and packages that depend on it{% else %} dependencies, that is, the ecosystems and packages it depends on. {% data variables.product.product_name %} does not calculate information about dependents, the repositories and packages that depend on a repository.{% endif %}
{% data reusables.dependabot.about-the-dependency-graph %}
When you push a commit to {% data variables.product.product_name %} that changes or adds a supported manifest or lock file to the default branch, the dependency graph is automatically updated.{% ifversion fpt or ghec %} In addition, the graph is updated when anyone pushes a change to the repository of one of your dependencies.{% endif %} For information on the supported ecosystems and manifest files, see "[Supported package ecosystems](#supported-package-ecosystems)" below.
@@ -65,7 +62,7 @@ You can use the dependency graph to:
{% ifversion fpt or ghec %}To generate a dependency graph, {% data variables.product.product_name %} needs read-only access to the dependency manifest and lock files for a repository. The dependency graph is automatically generated for all public repositories and you can choose to enable it for private repositories. For information about enabling or disabling it for private repositories, see "[Exploring the dependencies of a repository](/github/visualizing-repository-data-with-graphs/exploring-the-dependencies-of-a-repository)."{% endif %}
{% ifversion ghes or ghae %}If the dependency graph is not available in your system, your enterprise owner can enable the dependency graph and {% data variables.product.prodname_dependabot_alerts %}. For more information, see "[Enabling the dependency graph and {% data variables.product.prodname_dependabot_alerts %} for your enterprise](/admin/configuration/configuring-github-connect/enabling-the-dependency-graph-and-dependabot-alerts-for-your-enterprise)."{% endif %}
{% ifversion ghes or ghae %}If the dependency graph is not available in your system, your enterprise owner can enable the dependency graph. For more information, see "[Enabling the dependency graph for your enterprise](/admin/code-security/managing-supply-chain-security-for-your-enterprise/enabling-the-dependency-graph-for-your-enterprise)."{% endif %}
When the dependency graph is first enabled, any manifest and lock files for supported ecosystems are parsed immediately. The graph is usually populated within minutes but this may take longer for repositories with many dependencies. Once enabled, the graph is automatically updated with every push to the repository{% ifversion fpt or ghec %} and every push to other repositories in the graph{% endif %}.


@@ -34,7 +34,7 @@ The dependency graph shows the dependencies{% ifversion fpt or ghec %} and depen
![Dependents tab on the dependency graph page](/assets/images/help/graphs/dependency-graph-dependents-tab.png){% endif %}
{% ifversion ghes or ghae-issue-4864 %}
Enterprise owners can configure the dependency graph at an enterprise level. For more information, see "[Enabling the dependency graph and {% data variables.product.prodname_dependabot_alerts %} for your enterprise](/admin/configuration/configuring-github-connect/enabling-the-dependency-graph-and-dependabot-alerts-for-your-enterprise)."
Enterprise owners can configure the dependency graph at an enterprise level. For more information, see "[Enabling the dependency graph for your enterprise](/admin/code-security/managing-supply-chain-security-for-your-enterprise/enabling-the-dependency-graph-for-your-enterprise)."
{% endif %}
### Dependencies view


@@ -38,16 +38,11 @@ To further support your team's collaboration abilities, you can upgrade to {% da
## Adding outside collaborators to a repository
{% ifversion fpt or ghec or ghes > 3.3 or ghae-issue-5974 %}
You can give outside collaborators access to a repository in your repository settings. For more information, see "[Managing teams and people with access to your repository](/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/managing-teams-and-people-with-access-to-your-repository#inviting-a-team-or-person)."
{% else %}
{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.sidebar-settings %}
{% ifversion fpt or ghec or ghes > 3.4 or ghae-issue-5658 %}
{% data reusables.repositories.click-collaborators-teams %}
{% data reusables.organizations.invite-teams-or-people %}
5. In the search field, start typing the name of person you want to invite, then click a name in the list of matches.
![Search field for typing the name of a person to invite to the repository](/assets/images/help/repository/manage-access-invite-search-field.png)
6. Under "Choose a role", select the permissions to grant to the person, then click **Add NAME to REPOSITORY**.
![Selecting permissions for the person](/assets/images/help/repository/manage-access-invite-choose-role-add.png)
{% else %}
5. In the left sidebar, click **Collaborators & teams**.
![Repository settings sidebar with Collaborators & teams highlighted](/assets/images/help/repository/org-repo-settings-collaborators-and-teams.png)
6. Under "Collaborators", type the name of the person you'd like to give access to the repository, then click **Add collaborator**.


@@ -24,15 +24,15 @@ When you remove a collaborator from a repository in your organization, the colla
{% data reusables.repositories.deleted_forks_from_private_repositories_warning %}
{% ifversion fpt or ghec or ghes > 3.3 or ghae-issue-5974 %}
## Managing an individual's access to an organization repository
You can give a person access to a repository or change a person's level of access to a repository in your repository settings. For more information, see "[Managing teams and people with access to your repository](/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/managing-teams-and-people-with-access-to-your-repository)."
{% else %}
## Giving a person access to a repository
{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.sidebar-settings %}
{% ifversion fpt or ghec or ghes > 3.4 or ghae-issue-5658 %}
{% data reusables.repositories.click-collaborators-teams %}
{% else %}
{% data reusables.repositories.navigate-to-manage-access %}
{% endif %}
{% data reusables.organizations.invite-teams-or-people %}
1. In the search field, start typing the name of the person to invite, then click a name in the list of matches.
![Search field for typing the name of a team or person to invite to the repository](/assets/images/help/repository/manage-access-invite-search-field.png)
@@ -51,7 +51,7 @@ When you remove a collaborator from a repository in your organization, the colla
![Manage access button for a repository](/assets/images/help/organizations/repository-manage-access.png)
7. Review the person's access to a given repository, such as whether they're a collaborator or have access to the repository via team membership.
![Repository access matrix for the user](/assets/images/help/organizations/repository-access-matrix-for-user.png)
{% endif %}
## Further reading
{% ifversion fpt or ghec %}- "[Limiting interactions with your repository](/articles/limiting-interactions-with-your-repository)"{% endif %}


@@ -28,6 +28,9 @@ People with admin access to a repository can manage team access to the repositor
## Giving a team access to a repository
{% ifversion fpt or ghec or ghes > 3.3 or ghae-issue-5974 %}
You can give a team access to a repository or change a team's level of access to a repository in your repository settings. For more information, see "[Managing teams and people with access to your repository](/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/managing-teams-and-people-with-access-to-your-repository#inviting-a-team-or-person)."
{% else %}
{% data reusables.profile.access_org %}
{% data reusables.user_settings.access_org %}
{% data reusables.organizations.specific_team %}
@@ -38,9 +41,18 @@ People with admin access to a repository can manage team access to the repositor
![Repository search field](/assets/images/help/organizations/team-repositories-add.png)
7. Optionally, to the right of the repository name, use the drop-down menu and choose a different permission level for the team.
![Repository access level dropdown](/assets/images/help/organizations/team-repositories-change-permission-level.png)
{% endif %}
## Removing a team's access to a repository
{% ifversion fpt or ghec or ghes > 3.3 or ghae-issue-5974 %}
You can remove a team's access to an organization repository in your repository settings. For more information, see "[Managing teams and people with access to your repository](/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/managing-teams-and-people-with-access-to-your-repository#removing-access-for-a-team-or-person)."
If a team has direct access to a repository, you can remove that team's access to the repository. If a team's access to the repository is inherited from a parent team, you must remove the repository from the parent team in order to remove the repository from child teams.
{% data reusables.repositories.deleted_forks_from_private_repositories_warning %}
{% else %}
You can remove a team's access to a repository if the team has direct access to a repository. If a team's access to the repository is inherited from a parent team, you must remove the repository from the parent team in order to remove the repository from child teams.
{% data reusables.repositories.deleted_forks_from_private_repositories_warning %}
@@ -55,7 +67,7 @@ You can remove a team's access to a repository if the team has direct access to
![Drop-down menu with the option to remove a repository from a team](/assets/images/help/teams/remove-team-repo-dropdown.png)
7. Review the repository or repositories that will be removed from the team, then click **Remove repositories**.
![Modal box with a list of repositories that the team will no longer have access to](/assets/images/help/teams/confirm-remove-team-repos.png)
{% endif %}
## Further reading
- "[Repository roles for an organization](/organizations/managing-access-to-your-organizations-repositories/repository-roles-for-an-organization)"


@@ -60,6 +60,9 @@ If you only want to remove an outside collaborator from certain repositories in
8. To confirm, click **Remove access**.
![Confirm outside collaborator who will be removed from the repository](/assets/images/help/teams/confirm-remove-outside-collaborator-from-a-repository.png)
{% ifversion fpt or ghec or ghes > 3.3 or ghae-issue-5974 %}
You can also remove an outside collaborator from a repository in the access overview in your repository settings. For more information, see "[Managing teams and people with access to your repository](/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/managing-teams-and-people-with-access-to-your-repository#removing-access-for-a-team-or-person)."
{% endif %}
## Further reading
- "[Adding outside collaborators to repositories in your organization](/articles/adding-outside-collaborators-to-repositories-in-your-organization)"


@@ -16,23 +16,20 @@ shortTitle: View people with access
---
Administrators can use this information to help off-board people, gather data for compliance, and other general security checkups.
{% ifversion fpt or ghec or ghes > 3.3 or ghae-issue-5974 %}
![Access management overview](/assets/images/help/repository/manage-access-overview.png)
{% else %}
![Repository people permissions list](/assets/images/help/repository/repository-permissions-list.png)
{% endif %}
## Viewing people with access to your repository
{% ifversion fpt or ghec %}
{% note %}
**Note**: You can also see a combined overview of teams and people with access to your repository. For more information, see "[Managing teams and people with access to your repository](/github/administering-a-repository/managing-teams-and-people-with-access-to-your-repository)."
{% endnote %}
{% endif %}
{% ifversion fpt or ghec or ghes > 3.3 or ghae-issue-5974 %}
You can see a combined overview of teams and people with access to your repository in your repository settings. For more information, see "[Managing teams and people with access to your repository](/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/managing-teams-and-people-with-access-to-your-repository#about-access-management-for-repositories)."
{% else %}
{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.accessing-repository-graphs %}
{% data reusables.repositories.accessing-repository-people %}
{% endif %}
## Exporting a list of people with access to your repository
Owners of organizations on {% data variables.product.prodname_ghe_cloud %} or {% data variables.product.prodname_ghe_server %} can export a CSV list of people who have access to a repository.


@@ -20,6 +20,7 @@ children:
- /setting-permissions-for-deleting-or-transferring-repositories
- /restricting-repository-visibility-changes-in-your-organization
- /managing-the-forking-policy-for-your-organization
- /managing-pull-request-reviews-in-your-organization
- /disabling-or-limiting-github-actions-for-your-organization
- /configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-organization
- /setting-permissions-for-adding-outside-collaborators


@@ -0,0 +1,29 @@
---
title: Managing pull request reviews in your organization
intro: 'You can limit which users can approve or request changes to a pull requests in your organization.'
versions:
feature: pull-request-approval-limit
permissions: Organization owners can limit which users can submit reviews that approve or request changes to a pull request.
topics:
- Organizations
- Pull requests
shortTitle: Manage pull request reviews
---
## About code review limits
By default, in public repositories, any user can submit reviews that approve or request changes to a pull request.
You can limit who is able to approve or request changes to pull requests in public repositories owned by your organization. After you enable code review limits, anyone can comment on pull requests in your public repositories, but only people with explicit access to a repository can approve a pull request or request changes.
You can also enable code review limits for individual repositories. If you enable or limits for your organization, you will override any limits for individual repositories owned by the organization. For more information, see "[Managing pull request reviews in your repository](/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/managing-pull-request-reviews-in-your-repository)."
## Enabling code review limits
{% data reusables.profile.access_org %}
{% data reusables.profile.org_settings %}
{% data reusables.organizations.moderation-settings %}
1. Under "{% octicon "report" aria-label="The report icon" %} Moderation", click **Code review limits**.
![Screenshot of sidebar item for code review limits for organizations](/assets/images/help/organizations/code-review-limits-organizations.png)
1. Review the information on screen. Click **Limit review on all repositories** to limit reviews to those with explicit access, or click **Remove review limits from all repositories** to remove the limits from every public repository in your organization.
![Screenshot of code review limits settings for organizations](/assets/images/help/organizations/code-review-limits-organizations-settings.png)
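Review bot: The third paragraph under "About code review limits" contains a stray word, `If you enable or limits for your organization`; it should read `If you enable limits for your organization`, which is how the repository-level article on this page words it. The frontmatter intro has `to a pull requests`, which should be `to a pull request`. The intro also says the limit applies "in your organization", while the body scopes it to public repositories owned by the organization; saying `in public repositories owned by your organization` in the intro would keep readers from assuming private repositories are affected.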


@@ -99,7 +99,7 @@ You can only choose an additional permission if it's not already included in the
If a person is given different levels of access through different avenues, such as team membership and the base permissions for an organization, the highest access overrides the others. For example, if an organization owner gives an organization member a custom role that uses the "Read" inherited role, and then an organization owner sets the organization's base permission to "Write", then this custom role will have write access, along with any additional permissions included in the custom role.
If a person has been given conflicting access, you'll see a warning on the repository access page. The warning appears with "{% octicon "alert" aria-label="The alert icon" %} Mixed roles" next to the person with the conflicting access. To see the source of the conflicting access, hover over the warning icon or click **Mixed roles**.
{% data reusables.organizations.mixed-roles-warning %}
To resolve conflicting access, you can adjust your organization's base permissions or the team's access, or edit the custom role. For more information, see:
- "[Setting base permissions for an organization](/github/setting-up-and-managing-organizations-and-teams/setting-base-permissions-for-an-organization)"


@@ -127,6 +127,7 @@ Some of the features listed below are limited to organizations using {% data var
| Manage the default branch name (see "[Managing the default branch name for repositories in your organization](/organizations/managing-organization-settings/managing-the-default-branch-name-for-repositories-in-your-organization)") | **X** | | | |
| Manage default labels (see "[Managing default labels for repositories in your organization](/articles/managing-default-labels-for-repositories-in-your-organization)") | **X** | | | |{% ifversion ghec %}
| Enable team synchronization (see "[Managing team synchronization for your organization](/organizations/managing-saml-single-sign-on-for-your-organization/managing-team-synchronization-for-your-organization)" for details) | **X** | | | |{% endif %}
| Manage pull request reviews in the organization (see "[Managing pull request reviews in your organization](/organizations/managing-organization-settings/managing-pull-request-reviews-in-your-organization)") | **X** | | | |
{% elsif ghes > 3.2 or ghae-issue-4999 %}
<!--GHES 3.3+ and eventual GHAE release don't have the extra column for Billing managers, but have security managers-->
@@ -170,7 +171,8 @@ Some of the features listed below are limited to organizations using {% data var
| Convert organization members to [outside collaborators](#outside-collaborators) | **X** | | |
| [View people with access to an organization repository](/articles/viewing-people-with-access-to-your-repository) | **X** | | |
| [Export a list of people with access to an organization repository](/articles/viewing-people-with-access-to-your-repository/#exporting-a-list-of-people-with-access-to-your-repository) | **X** | | |
| Manage default labels (see "[Managing default labels for repositories in your organization](/articles/managing-default-labels-for-repositories-in-your-organization)") | **X** | | |
| Manage default labels (see "[Managing default labels for repositories in your organization](/articles/managing-default-labels-for-repositories-in-your-organization)") | **X** | | |{% if pull-request-approval-limit %}
| Manage pull request reviews in the organization (see "[Managing pull request reviews in your organization](/organizations/managing-organization-settings/managing-pull-request-reviews-in-your-organization)") | **X** | | | |{% endif %}
{% ifversion ghae %}| Manage IP allow lists (see "[Restricting network traffic to your enterprise](/admin/configuration/restricting-network-traffic-to-your-enterprise)") | **X** | | |{% endif %}
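Review bot: The "Manage pull request reviews in the organization" row that appears to be added in the second hunk has one table cell too many. It ends `| **X** | | | |{% endif %}`, while the neighbouring rows in this branch end `| **X** | | |`, and the comment above the table says this version has no Billing managers column. Ending the row with `| **X** | | |{% endif %}` would keep the column count consistent. The matching row in the first hunk has four cells after the description, which agrees with its neighbours there.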


@@ -15,6 +15,7 @@ versions:
topics:
- Pull requests
---
## About pull requests
{% note %}
@@ -31,7 +32,7 @@ After initializing a pull request, you'll see a review page that shows a high-le
Once you've created a pull request, you can push commits from your topic branch to add them to your existing pull request. These commits will appear in chronological order within your pull request and the changes will be visible in the "Files changed" tab.
Other contributors can review your proposed changes, add review comments, contribute to the pull request discussion, and even add commits to the pull request.
Other contributors can review your proposed changes, add review comments, contribute to the pull request discussion, and even add commits to the pull request. {% if pull-request-approval-limit %}{% data reusables.pull_requests.code-review-limits %}{% endif %}
{% ifversion fpt or ghec %}
You can see information about the branch's current deployment status and past deployment activity on the "Conversation" tab. For more information, see "[Viewing deployment activity for a repository](/repositories/viewing-activity-and-data-for-your-repository/viewing-deployment-activity-for-your-repository)."


@@ -19,6 +19,8 @@ shortTitle: About PR reviews
After a pull request is opened, anyone with *read* access can review and comment on the changes it proposes. You can also suggest specific changes to lines of code, which the author can apply directly from the pull request. For more information, see "[Reviewing proposed changes in a pull request](/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/reviewing-proposed-changes-in-a-pull-request)."
{% if pull-request-approval-limit %}{% data reusables.pull_requests.code-review-limits %}{% endif %}
Repository owners and collaborators can request a pull request review from a specific person. Organization members can also request a pull request review from a team with read access to the repository. For more information, see "[Requesting a pull request review](/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/requesting-a-pull-request-review)." {% ifversion fpt or ghae or ghes or ghec %}You can specify a subset of team members to be automatically assigned in the place of the whole team. For more information, see "[Managing code review settings for your team](/organizations/organizing-members-into-teams/managing-code-review-settings-for-your-team)."{% endif %}
Reviews allow for discussion of proposed changes and help ensure that the changes meet the repository's contributing guidelines and other quality standards. You can define which individuals or teams own certain types or areas of code in a CODEOWNERS file. When a pull request modifies code that has a defined owner, that individual or team will automatically be requested as a reviewer. For more information, see "[About code owners](/articles/about-code-owners/)."


@@ -159,7 +159,7 @@ You can only give push access to a protected branch to users, teams, or installe
### Allow force pushes
{% ifversion fpt or ghec %}
{% ifversion fpt or ghec or ghes > 3.3 or ghae-issue-5624 %}
By default, {% data variables.product.product_name %} blocks force pushes on all protected branches. When you enable force pushes to a protected branch, you can choose one of two groups who can force push:
1. Allow everyone with at least write permissions to the repository to force push to the branch, including those with admin permissions.


@@ -50,7 +50,7 @@ When you create a branch rule, the branch you specify doesn't have to exist yet
{% data reusables.repositories.sidebar-settings %}
{% data reusables.repositories.repository-branches %}
{% data reusables.repositories.add-branch-protection-rules %}
{% ifversion fpt or ghec %}
{% ifversion fpt or ghec or ghes > 3.3 or ghae-issue-5506 %}
1. Optionally, enable required pull requests.
- Under "Protect matching branches", select **Require a pull request before merging**.
![Pull request review restriction checkbox](/assets/images/help/repository/PR-reviews-required-updated.png)
@@ -67,7 +67,7 @@ When you create a branch rule, the branch you specify doesn't have to exist yet
![Dismiss stale pull request approvals when new commits are pushed checkbox](/assets/images/help/repository/PR-reviews-required-dismiss-stale.png)
- Optionally, to require review from a code owner when the pull request affects code that has a designated owner, select **Require review from Code Owners**. For more information, see "[About code owners](/github/creating-cloning-and-archiving-repositories/about-code-owners)."
![Require review from code owners](/assets/images/help/repository/PR-review-required-code-owner.png)
{% ifversion fpt or ghec %}
{% ifversion fpt or ghec or ghes > 3.3 or ghae-issue-5611 %}
- Optionally, to allow specific people or teams to push code to the branch without being subject to the pull request rules above, select **Allow specific actors to bypass pull request requirements**. Then, search for and select the people or teams who are allowed to bypass the pull request requirements.
![Allow specific actors to bypass pull request requirements checkbox](/assets/images/help/repository/PR-bypass-requirements.png)
{% endif %}
@@ -106,7 +106,7 @@ When you create a branch rule, the branch you specify doesn't have to exist yet
![Branch restriction search](/assets/images/help/repository/restrict-branch-search.png)
1. Optionally, under "Rules applied to everyone including administrators", select **Allow force pushes**.
![Allow force pushes option](/assets/images/help/repository/allow-force-pushes.png)
{% ifversion fpt or ghec %}
{% ifversion fpt or ghec or ghes > 3.3 or ghae-issue-5624 %}
Then, choose who can force push to the branch.
- Select **Everyone** to allow everyone with at least write permissions to the repository to force push to the branch, including those with admin permissions.
- Select **Specify who can force push** to allow only specific people or teams to force push to the branch. Then, search for and select those people or teams.


@@ -12,10 +12,10 @@ children:
- /setting-repository-visibility
- /managing-teams-and-people-with-access-to-your-repository
- /managing-the-forking-policy-for-your-repository
- /managing-pull-request-reviews-in-your-repository
- /managing-git-lfs-objects-in-archives-of-your-repository
- /enabling-anonymous-git-read-access-for-a-repository
- /about-email-notifications-for-pushes-to-your-repository
- /configuring-autolinks-to-reference-external-resources
shortTitle: Manage repository settings
---


@@ -0,0 +1,30 @@
---
title: Managing pull request reviews in your repository
intro: 'You can limit which users can approve or request changes to a pull requests in a public repository.'
versions:
feature: pull-request-approval-limit
permissions: Repository administrators can limit which users can approve or request changes to a pull request in a public repository.
topics:
- Repositories
- Pull requests
shortTitle: Manage pull request reviews
---
## About code review limits
By default, in public repositories, any user can submit reviews that approve or request changes to a pull request.
You can limit which users are able to submit reviews that approve or request changes to pull requests in your public repository. When you enable code review limits, anyone can comment on pull requests in your public repository, but only people with read access or higher can approve pull requests or request changes.
You can also enable code review limits for an organization. If you enable limits for an organization, you will override any limits for individual repositories owned by the organization. For more information, see "[Managing pull request reviews in your organization](/organizations/managing-organization-settings/managing-pull-request-reviews-in-your-organization)"
## Enabling code review limits
{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.sidebar-settings %}
1. Under **Access**, click **Moderation options**.
![Moderation options repository settings](/assets/images/help/repository/access-settings-repositories.png)
1. Under **Moderation options**, click **Code review limits**.
![Code review limits repositories](/assets/images/help/repository/code-review-limits-repositories.png)
1. Select or deselect **Limit to users explicitly granted read or higher access**.
![Limit review in repository](/assets/images/help/repository/limit-reviews-in-repository.png)
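Review bot: The second paragraph under "About code review limits" says that only people with read access or higher can approve pull requests or request changes, but a public repository is readable by everyone, so the sentence does not say who is excluded. The checkbox in the last step is labelled **Limit to users explicitly granted read or higher access**, and the organization-level article says "explicit access". I would match that wording: `only people who have been explicitly granted read access or higher can approve pull requests or request changes`. The intro also reads `to a pull requests` (should be `to a pull request`), and the sentence linking to the organization article is missing its closing period.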


@@ -9,6 +9,8 @@ redirect_from:
versions:
fpt: '*'
ghec: '*'
ghes: '>3.3'
ghae: 'issue-5974'
topics:
- Repositories
shortTitle: Teams & people
@@ -20,6 +22,8 @@ For each repository that you administer on {% data variables.product.prodname_do
This overview can help you audit access to your repository, onboard or off-board contractors or employees, and effectively respond to security incidents.
{% data reusables.organizations.mixed-roles-warning %}
For more information about repository roles, see "[Permission levels for a user account repository](/github/setting-up-and-managing-your-github-user-account/permission-levels-for-a-user-account-repository)" and "[Repository roles for an organization](/organizations/managing-access-to-your-organizations-repositories/repository-roles-for-an-organization)."
![Access management overview](/assets/images/help/repository/manage-access-overview.png)
@@ -28,15 +32,23 @@ For more information about repository roles, see "[Permission levels for a user
{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.sidebar-settings %}
{% ifversion fpt or ghec or ghes > 3.4 or ghae-issue-5658 %}
{% data reusables.repositories.click-collaborators-teams %}
4. Under "Manage access", in the search field, start typing the name of the team or person you'd like to find.
{% else %}
{% data reusables.repositories.navigate-to-manage-access %}
{% endif %}
1. Under "Manage access", in the search field, start typing the name of the team or person you'd like to find. Optionally, use the dropdown menus to filter your search.
![Search field for filtering list of teams or people with access](/assets/images/help/repository/manage-access-filter.png)
## Changing permissions for a team or person
{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.sidebar-settings %}
{% ifversion fpt or ghec or ghes > 3.4 or ghae-issue-5658 %}
{% data reusables.repositories.click-collaborators-teams %}
{% else %}
{% data reusables.repositories.navigate-to-manage-access %}
{% endif %}
4. Under "Manage access", find the team or person whose role you'd like to change, then select the Role drop-down and click a new role.
![Using the "Role" drop-down to select new permissions for a team or person](/assets/images/help/repository/manage-access-role-drop-down.png)
@@ -44,7 +56,11 @@ For more information about repository roles, see "[Permission levels for a user
{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.sidebar-settings %}
{% ifversion fpt or ghec or ghes > 3.4 or ghae-issue-5658 %}
{% data reusables.repositories.click-collaborators-teams %}
{% else %}
{% data reusables.repositories.navigate-to-manage-access %}
{% endif %}
{% data reusables.organizations.invite-teams-or-people %}
5. In the search field, start typing the name of the team or person to invite, then click a name in the list of matches.
![Search field for typing the name of a team or person to invite to the repository](/assets/images/help/repository/manage-access-invite-search-field.png)
@@ -55,7 +71,11 @@ For more information about repository roles, see "[Permission levels for a user
{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.sidebar-settings %}
{% ifversion fpt or ghec or ghes > 3.4 or ghae-issue-5658 %}
{% data reusables.repositories.click-collaborators-teams %}
{% else %}
{% data reusables.repositories.navigate-to-manage-access %}
{% endif %}
4. Under "Manage access", find the team or person whose access you'd like to remove, then click {% octicon "trash" aria-label="The trash icon" %}.
![trash icon for removing access](/assets/images/help/repository/manage-access-remove.png)


@@ -36,13 +36,12 @@ You can receive notifications when new releases are published in a repository wi
Anyone with read access to a repository can view and compare releases, but only people with write permissions to a repository can manage releases. For more information, see "[Managing releases in a repository](/github/administering-a-repository/managing-releases-in-a-repository)."
{% ifversion fpt or ghec or ghes > 3.3 or ghae-issue-4974 %}
You can manually create release notes while managing a release. Alternatively, you can automatically generate release notes from a default template, or customize your own release notes template. For more information, see "[Automatically generated release notes](/repositories/releasing-projects-on-github/automatically-generated-release-notes)."
People with admin permissions to a repository can choose whether {% data variables.large_files.product_name_long %} ({% data variables.large_files.product_name_short %}) objects are included in the ZIP files and tarballs that {% data variables.product.product_name %} creates for each release. For more information, see "[Managing {% data variables.large_files.product_name_short %} objects in archives of your repository](/github/administering-a-repository/managing-git-lfs-objects-in-archives-of-your-repository)."
{% endif %}
{% ifversion fpt or ghec %}
People with admin permissions to a repository can choose whether {% data variables.large_files.product_name_long %} ({% data variables.large_files.product_name_short %}) objects are included in the ZIP files and tarballs that {% data variables.product.product_name %} creates for each release. For more information, see "[Managing {% data variables.large_files.product_name_short %} objects in archives of your repository](/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/managing-git-lfs-objects-in-archives-of-your-repository)."
If a release fixes a security vulnerability, you should publish a security advisory in your repository. {% data variables.product.prodname_dotcom %} reviews each published security advisory and may use it to send {% data variables.product.prodname_dependabot_alerts %} to affected repositories. For more information, see "[About GitHub Security Advisories](/github/managing-security-vulnerabilities/about-github-security-advisories)."
You can view the **Dependents** tab of the dependency graph to see which repositories and packages depend on code in your repository, and may therefore be affected by a new release. For more information, see "[About the dependency graph](/github/visualizing-repository-data-with-graphs/about-the-dependency-graph)."


@@ -8,6 +8,8 @@ redirect_from:
versions:
fpt: '*'
ghec: '*'
ghes: '>3.3'
ghae: 'issue-6184'
topics:
- API
miniTocMaxHeadingLevel: 3
@@ -27,6 +29,7 @@ The Migrations API is only available to authenticated organization owners. For m
{% if operation.subcategory == 'orgs' %}{% include rest_operation %}{% endif %}
{% endfor %}
{% ifversion fpt or ghec %}
## Source imports
{% data variables.migrations.source_imports_intro %}
@@ -111,7 +114,7 @@ A more detailed example can be seen in this diagram:
{% for operation in currentRestOperations %}
{% if operation.subcategory == 'source-imports' %}{% include rest_operation %}{% endif %}
{% endfor %}
{% endif %}
## User
The User migrations API is only available to authenticated account owners. For more information, see "[Other authentication methods](/rest/overview/other-authentication-methods)."


@@ -0,0 +1,3 @@
versions:
ghes: '>=3.4'
ghae: 'issue-5867'


@@ -0,0 +1,7 @@
# Reference: #5244
# Documentation for moderation setting to limit who can approve or request changes on a PR.
versions:
fpt: '*'
ghec: '*'
ghes: '>3.4'
ghae: 'issue-5244'


@@ -13356,52 +13356,6 @@ enum IdentityProviderConfigurationState {
UNCONFIGURED
}
"""
An import to GitHub
"""
type Import implements Node {
"""
Identifies the date and time when the object was created.
"""
createdAt: DateTime!
"""
The user that created the Import
"""
creator: Actor!
id: ID!
"""
The repositories associated with this Import
"""
repositories(
"""
Returns the elements in the list that come after the specified cursor.
"""
after: String
"""
Returns the elements in the list that come before the specified cursor.
"""
before: String
"""
Returns the first _n_ elements from the list.
"""
first: Int
"""
Returns the last _n_ elements from the list.
"""
last: Int
"""
Ordering options for repository
"""
orderBy: RepositoryOrder = {field: CREATED_AT, direction: ASC}
): RepositoryConnection!
}
"""
Autogenerated input type of ImportProject
"""
@@ -35606,6 +35560,16 @@ input StartRepositoryMigrationInput {
"""
continueOnError: Boolean
"""
The signed URL to access the user-uploaded git archive
"""
gitArchiveUrl: String
"""
The signed URL to access the user-uploaded metadata archive
"""
metadataArchiveUrl: String
"""
The ID of the organization that will own the imported repository.
"""


@@ -14264,52 +14264,6 @@ enum IdentityProviderConfigurationState {
UNCONFIGURED
}
"""
An import to GitHub
"""
type Import implements Node {
"""
Identifies the date and time when the object was created.
"""
createdAt: DateTime!
"""
The user that created the Import
"""
creator: Actor!
id: ID!
"""
The repositories associated with this Import
"""
repositories(
"""
Returns the elements in the list that come after the specified cursor.
"""
after: String
"""
Returns the elements in the list that come before the specified cursor.
"""
before: String
"""
Returns the first _n_ elements from the list.
"""
first: Int
"""
Returns the last _n_ elements from the list.
"""
last: Int
"""
Ordering options for repository
"""
orderBy: RepositoryOrder = {field: CREATED_AT, direction: ASC}
): RepositoryConnection!
}
"""
Autogenerated input type of ImportProject
"""
@@ -40816,6 +40770,16 @@ input StartRepositoryMigrationInput {
"""
continueOnError: Boolean
"""
The signed URL to access the user-uploaded git archive
"""
gitArchiveUrl: String
"""
The signed URL to access the user-uploaded metadata archive
"""
metadataArchiveUrl: String
"""
The ID of the organization that will own the imported repository.
"""


@@ -0,0 +1,122 @@
- title: Access to package version deletion
description: >-
This preview adds support for the DeletePackageVersion mutation which
enables deletion of private package versions.
toggled_by: ':package-deletes-preview'
announcement: null
updates: null
toggled_on:
- Mutation.deletePackageVersion
owning_teams:
- '@github/pe-package-registry'
- title: Deployments
description: >-
This preview adds support for deployments mutations and new deployments
features.
toggled_by: ':flash-preview'
announcement: null
updates: null
toggled_on:
- DeploymentStatus.environment
- Mutation.createDeploymentStatus
- CreateDeploymentStatusInput
- CreateDeploymentStatusPayload
- Mutation.createDeployment
- CreateDeploymentInput
- CreateDeploymentPayload
owning_teams:
- '@github/c2c-actions-service'
- title: >-
MergeInfoPreview - More detailed information about a pull request's merge
state.
description: >-
This preview adds support for accessing fields that provide more detailed
information about a pull request's merge state.
toggled_by: ':merge-info-preview'
announcement: null
updates: null
toggled_on:
- PullRequest.canBeRebased
- PullRequest.mergeStateStatus
owning_teams:
- '@github/pe-pull-requests'
- title: UpdateRefsPreview - Update multiple refs in a single operation.
description: This preview adds support for updating multiple refs in a single operation.
toggled_by: ':update-refs-preview'
announcement: null
updates: null
toggled_on:
- Mutation.updateRefs
- GitRefname
- RefUpdate
- UpdateRefsInput
- UpdateRefsPayload
owning_teams:
- '@github/reponauts'
- title: Project Event Details
description: >-
This preview adds project, project card, and project column details to
project-related issue events.
toggled_by: ':starfox-preview'
announcement: null
updates: null
toggled_on:
- AddedToProjectEvent.project
- AddedToProjectEvent.projectCard
- AddedToProjectEvent.projectColumnName
- ConvertedNoteToIssueEvent.project
- ConvertedNoteToIssueEvent.projectCard
- ConvertedNoteToIssueEvent.projectColumnName
- MovedColumnsInProjectEvent.project
- MovedColumnsInProjectEvent.projectCard
- MovedColumnsInProjectEvent.projectColumnName
- MovedColumnsInProjectEvent.previousProjectColumnName
- RemovedFromProjectEvent.project
- RemovedFromProjectEvent.projectColumnName
owning_teams:
- '@github/github-projects'
- title: Labels Preview
description: >-
This preview adds support for adding, updating, creating and deleting
labels.
toggled_by: ':bane-preview'
announcement: null
updates: null
toggled_on:
- Mutation.createLabel
- CreateLabelPayload
- CreateLabelInput
- Mutation.deleteLabel
- DeleteLabelPayload
- DeleteLabelInput
- Mutation.updateLabel
- UpdateLabelPayload
- UpdateLabelInput
owning_teams:
- '@github/pe-pull-requests'
- title: Import Project
description: This preview adds support for importing projects.
toggled_by: ':slothette-preview'
announcement: null
updates: null
toggled_on:
- Mutation.importProject
owning_teams:
- '@github/pe-issues-projects'
- title: Team Review Assignments Preview
description: >-
This preview adds support for updating the settings for team review
assignment.
toggled_by: ':stone-crop-preview'
announcement: null
updates: null
toggled_on:
- Mutation.updateTeamReviewAssignment
- UpdateTeamReviewAssignmentInput
- TeamReviewAssignmentAlgorithm
- Team.reviewRequestDelegationEnabled
- Team.reviewRequestDelegationAlgorithm
- Team.reviewRequestDelegationMemberCount
- Team.reviewRequestDelegationNotifyTeam
owning_teams:
- '@github/pe-pull-requests'


@@ -0,0 +1,116 @@
---
upcoming_changes:
- location: LegacyMigration.uploadUrlTemplate
description: '`uploadUrlTemplate` will be removed. Use `uploadUrl` instead.'
reason:
'`uploadUrlTemplate` is being removed because it is not a standard URL and
adds an extra user step.'
date: '2019-04-01T00:00:00+00:00'
criticality: breaking
owner: tambling
- location: AssignedEvent.user
description: '`user` will be removed. Use the `assignee` field instead.'
reason: Assignees can now be mannequins.
date: '2020-01-01T00:00:00+00:00'
criticality: breaking
owner: tambling
- location: EnterpriseBillingInfo.availableSeats
description:
'`availableSeats` will be removed. Use EnterpriseBillingInfo.totalAvailableLicenses
instead.'
reason:
'`availableSeats` will be replaced with `totalAvailableLicenses` to provide
more clarity on the value being returned'
date: '2020-01-01T00:00:00+00:00'
criticality: breaking
owner: BlakeWilliams
- location: EnterpriseBillingInfo.seats
description: '`seats` will be removed. Use EnterpriseBillingInfo.totalLicenses instead.'
reason:
'`seats` will be replaced with `totalLicenses` to provide more clarity on
the value being returned'
date: '2020-01-01T00:00:00+00:00'
criticality: breaking
owner: BlakeWilliams
- location: UnassignedEvent.user
description: '`user` will be removed. Use the `assignee` field instead.'
reason: Assignees can now be mannequins.
date: '2020-01-01T00:00:00+00:00'
criticality: breaking
owner: tambling
- location: EnterprisePendingMemberInvitationEdge.isUnlicensed
description: '`isUnlicensed` will be removed.'
reason: All pending members consume a license
date: '2020-07-01T00:00:00+00:00'
criticality: breaking
owner: BrentWheeldon
- location: EnterpriseOwnerInfo.pendingCollaborators
description:
'`pendingCollaborators` will be removed. Use the `pendingCollaboratorInvitations`
field instead.'
reason:
Repository invitations can now be associated with an email, not only an
invitee.
date: '2020-10-01T00:00:00+00:00'
criticality: breaking
owner: jdennes
- location: Issue.timeline
description: '`timeline` will be removed. Use Issue.timelineItems instead.'
reason: '`timeline` will be removed'
date: '2020-10-01T00:00:00+00:00'
criticality: breaking
owner: mikesea
- location: PullRequest.timeline
description: '`timeline` will be removed. Use PullRequest.timelineItems instead.'
reason: '`timeline` will be removed'
date: '2020-10-01T00:00:00+00:00'
criticality: breaking
owner: mikesea
- location: RepositoryInvitationOrderField.INVITEE_LOGIN
description: '`INVITEE_LOGIN` will be removed.'
reason:
'`INVITEE_LOGIN` is no longer a valid field value. Repository invitations
can now be associated with an email, not only an invitee.'
date: '2020-10-01T00:00:00+00:00'
criticality: breaking
owner: jdennes
- location: EnterpriseMemberEdge.isUnlicensed
description: '`isUnlicensed` will be removed.'
reason: All members consume a license
date: '2021-01-01T00:00:00+00:00'
criticality: breaking
owner: BrentWheeldon
- location: EnterpriseOutsideCollaboratorEdge.isUnlicensed
description: '`isUnlicensed` will be removed.'
reason: All outside collaborators consume a license
date: '2021-01-01T00:00:00+00:00'
criticality: breaking
owner: BrentWheeldon
- location: EnterprisePendingCollaboratorEdge.isUnlicensed
description: '`isUnlicensed` will be removed.'
reason: All pending collaborators consume a license
date: '2021-01-01T00:00:00+00:00'
criticality: breaking
owner: BrentWheeldon
- location: MergeStateStatus.DRAFT
description: '`DRAFT` will be removed. Use PullRequest.isDraft instead.'
reason:
DRAFT state will be removed from this enum and `isDraft` should be used
instead
date: '2021-01-01T00:00:00+00:00'
criticality: breaking
owner: nplasterer
- location: PackageType.DOCKER
description: '`DOCKER` will be removed.'
reason:
DOCKER will be removed from this enum as this type will be migrated to only
be used by the Packages REST API.
date: '2021-06-21'
criticality: breaking
owner: reybard
- location: ReactionGroup.users
description: '`users` will be removed. Use the `reactors` field instead.'
reason: Reactors can now be mannequins, bots, and organizations.
date: '2021-10-01T00:00:00+00:00'
criticality: breaking
owner: synthead

File diff suppressed because it is too large Load Diff


@@ -14264,52 +14264,6 @@ enum IdentityProviderConfigurationState {
UNCONFIGURED
}
"""
An import to GitHub
"""
type Import implements Node {
"""
Identifies the date and time when the object was created.
"""
createdAt: DateTime!
"""
The user that created the Import
"""
creator: Actor!
id: ID!
"""
The repositories associated with this Import
"""
repositories(
"""
Returns the elements in the list that come after the specified cursor.
"""
after: String
"""
Returns the elements in the list that come before the specified cursor.
"""
before: String
"""
Returns the first _n_ elements from the list.
"""
first: Int
"""
Returns the last _n_ elements from the list.
"""
last: Int
"""
Ordering options for repository
"""
orderBy: RepositoryOrder = {field: CREATED_AT, direction: ASC}
): RepositoryConnection!
}
"""
Autogenerated input type of ImportProject
"""
@@ -40816,6 +40770,16 @@ input StartRepositoryMigrationInput {
"""
continueOnError: Boolean
"""
The signed URL to access the user-uploaded git archive
"""
gitArchiveUrl: String
"""
The signed URL to access the user-uploaded metadata archive
"""
metadataArchiveUrl: String
"""
The ID of the organization that will own the imported repository.
"""


@@ -0,0 +1,285 @@
date: '2022-03-15'
release_candidate: true
deprecated: false
intro: |
{% note %}
**Note:** If {% data variables.product.product_location %} is running a release candidate build, you can't upgrade with a hotpatch. We recommend only running release candidates on test environments.
{% endnote %}
For upgrade instructions, see "[Upgrading {% data variables.product.prodname_ghe_server %}](/admin/enterprise-management/updating-the-virtual-machine-and-physical-resources/upgrading-github-enterprise-server)."
> This release is dedicated to our colleague and friend John, a Hubber who was always there to help. You will be greatly missed.
>
> **John "Ralph" Wiebalk 19862021**
sections:
features:
- heading: Secret scanning REST API now returns locations
notes:
# https://github.com/github/releases/issues/1642
- |
{% data variables.product.prodname_GH_advanced_security %} customers can now use the REST API to retrieve commit details of secrets detected in private repository scans. The new endpoint returns details of a secret's first detection within a file, including the secret's location and commit SHA. For more information, see "[Secret scanning](/rest/reference/secret-scanning)" in the REST API documentation.
- heading: Export license data of committer-based billing for GitHub Advanced Security
notes:
# https://github.com/github/releases/issues/1757
- |
Enterprise and organization owners can now export their {% data variables.product.prodname_GH_advanced_security %} license usage data to a CSV file. The {% data variables.product.prodname_advanced_security %} billing data can also be retrieved via billing endpoints in the REST API. For more information, see the "[{% data variables.product.prodname_dotcom %} changelog](https://github.blog/changelog/2021-11-11-export-github-advanced-security-license-usage-data/)."
- heading: GitHub Actions reusable workflows in public beta
notes:
# https://github.com/github/releases/issues/1541
- |
You can now reuse entire workflows as if they were an action. This feature is available in public beta. Instead of copying and pasting workflow definitions across repositories, you can now reference an existing workflow with a single line of configuration. For more information, see the "[{% data variables.product.prodname_dotcom %} changelog](https://github.blog/changelog/2021-10-05-github-actions-dry-your-github-actions-configuration-by-reusing-workflows/)."
- heading: Dependabot security and version updates in public beta
notes:
# https://github.com/github/releases/issues/2004
- |
{% data variables.product.prodname_dependabot %} is now available in {% data variables.product.prodname_ghe_server %} 3.4 as a public beta, offering both version updates and security updates for several popular ecosystems. {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_ghe_server %} requires {% data variables.product.prodname_actions %} and a pool of self-hosted runners configured for {% data variables.product.prodname_dependabot %} use. {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_ghe_server %} also requires {% data variables.product.prodname_github_connect %} and {% data variables.product.prodname_dependabot %} to be enabled by an administrator. Beta feedback and suggestions can be shared in the [{% data variables.product.prodname_dependabot %} Feedback GitHub discussion](https://github.com/github/feedback/discussions/categories/dependabot-feedback). For more information and to try the beta, see "[Setting up {% data variables.product.prodname_dependabot %} security and version updates on your enterprise](/admin/github-actions/enabling-github-actions-for-github-enterprise-server/setting-up-dependabot-updates)."
changes:
- heading: Administration Changes
notes:
# https://github.com/github/releases/issues/1657
- Users can now choose the number of spaces a tab is equal to, by setting their preferred tab size in the "Appearance" settings of their user account. All code with a tab indent will render using the preferred tab size.
# https://github.com/github/docs-content/issues/5801
- The {% data variables.product.prodname_github_connect %} data connection record now includes a list of enabled {% data variables.product.prodname_github_connect %} features.
- heading: Performance Changes
notes:
# https://github.com/github/releases/issues/2031
- WireGuard, used to secure communication between {% data variables.product.prodname_ghe_server %} instances in a High Availability configuration, has been migrated to the Kernel implementation.
- heading: Notification Changes
notes:
# https://github.com/github/releases/issues/1801
- Organization owners can now unsubscribe from email notifications when new deploy keys are added to repositories belonging to their organizations. For more information, see "[Configuring notifications](/account-and-profile/managing-subscriptions-and-notifications-on-github/setting-up-notifications/configuring-notifications)."
# https://github.com/github/releases/issues/1714
- 'Notification emails from newly created issues and pull requests now include `(Issue #xx)` or `(PR #xx)` in the email subject, so you can recognize and filter emails that reference these types of issues.'
- heading: Organization Changes
notes:
# https://github.com/github/releases/issues/1509
- Organizations can now display a `README.md` file on their profile Overview. For more information, see the "[{% data variables.product.prodname_dotcom %} changelog](https://github.blog/changelog/2021-09-14-readmes-for-organization-profiles/)."
# https://github.com/github/releases/issues/1883
- Members of organizations can now view a list of their enterprise owners under the organization's "People" tab. The enterprise owners list is also now accessible using the GraphQL API. For more information, see the "[`enterpriseOwners`](/graphql/reference/objects#organization)" field under the Organization object in the GraphQL API documentation.
- heading: Repositories changes
notes:
# https://github.com/github/releases/issues/1944
- |
A "Manage Access" section is now shown on the "Collaborators and teams" page in your repository settings. The new section makes it easier for repository administrators to see and manage who has access to their repository, and the level of access granted to each user. Administrators can now:
* Search all members, teams and collaborators who have access to the repository.
* View when members have mixed role assignments, granted to them directly as individuals or indirectly via a team. This is visualized through a new "mixed roles" warning, which displays the highest level role the user is granted if their permission level is higher than their assigned role.
* Manage access to popular repositories reliably, with page pagination and fewer timeouts when large groups of users have access.
# https://github.com/github/releases/issues/1748
- '{% data variables.product.prodname_ghe_server %} 3.4 includes improvements to the repository invitation experience, such as notifications for private repository invites, a UI prompt when visiting a private repository you have a pending invitation for, and a banner on a public repository overview page when there is an pending invitation.'
# https://github.com/github/releases/issues/1739
- You can now use single-character prefixes for custom autolinks. Autolink prefixes also now allow `.`, `-`, `_`, `+`, `=`, `:`, `/`, and `#` characters, as well as alphanumerics. For more information about custom autolinks, see "[Configuring autolinks to reference external resources](/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/configuring-autolinks-to-reference-external-resources)."
# https://github.com/github/releases/issues/1776
- A `CODE_OF_CONDUCT.md` file in the root of a repository is now highlighted in the "About" sidebar on the repository overview page.
- heading: 'Releases changes'
notes:
# https://github.com/github/releases/issues/1723
- '{% data variables.product.prodname_ghe_server %} 3.4 includes improvements to the Releases UI, such as automatically generated release notes which display a summary of all the pull requests for a given release. For more information, see the "[{% data variables.product.prodname_dotcom %} changelog](https://github.blog/changelog/2021-10-20-improvements-to-github-releases-generally-available/)."'
# https://github.com/github/releases/issues/1606
- When a release is published, an avatar list is now displayed at the bottom of the release. Avatars for all user accounts mentioned in the release notes are shown. For more information, see "[Managing releases in a repository](/repositories/releasing-projects-on-github/managing-releases-in-a-repository)."
- heading: 'Markdown changes'
notes:
# https://github.com/github/releases/issues/1779
- You can now use the new "Accessibility" settings page to manage your keyboard shortcuts. You can choose to disable keyboard shortcuts that only use single characters like <kbd>S</kbd>, <kbd>G</kbd> <kbd>C</kbd>, and <kbd>.</kbd> (the period key). For more information, see the "[{% data variables.product.prodname_dotcom %} changelog](https://github.blog/changelog/2021-11-16-managing-keyboard-shortcuts-using-accessibility-settings/)."
# https://github.com/github/releases/issues/1727
- You can now choose to use a fixed-width font in Markdown-enabled fields, like issue comments and pull request descriptions. For more information, see the "[{% data variables.product.prodname_dotcom %} changelog](https://github.blog/changelog/2021-10-12-fixed-width-font-support-in-markdown-enabled-fields/)."
# https://github.com/github/releases/issues/1761
- You can now paste a URL on selected text to quickly create a Markdown link. This works in all Markdown-enabled fields, such as issue comments and pull request descriptions. For more information, see the "[{% data variables.product.prodname_dotcom %} changelog](https://github.blog/changelog/2021-11-10-linkify-selected-text-on-url-paste/)."
# https://github.com/github/releases/issues/1758
- An image URL can now be appended with a theme context, such as `#gh-dark-mode-only`, to define how the Markdown image is displayed to a viewer. For more information, see the "[{% data variables.product.prodname_dotcom %} changelog](https://github.blog/changelog/2021-11-24-specify-theme-context-for-images-in-markdown/)."
# https://github.com/github/releases/issues/1686
- When creating or editing a gist file with the Markdown (`.md`) file extension, you can now use the "Preview" or "Preview Changes" tab to display a Markdown rendering of the file contents. For more information, see the "[{% data variables.product.prodname_dotcom %} changelog](https://github.blog/changelog/2021-11-17-preview-the-markdown-rendering-of-gists/)."
# https://github.com/github/releases/issues/1754
- When typing the name of a {% data variables.product.prodname_dotcom %} user in issues, pull requests and discussions, the @mention suggester now ranks existing participants higher than other {% data variables.product.prodname_dotcom %} users, so that it's more likely the user you're looking for will be listed.
# https://github.com/github/releases/issues/1636
- Right-to-left languages are now supported natively in Markdown files, issues, pull requests, discussions, and comments.
- heading: 'Issues and pull requests changes'
notes:
# https://github.com/github/releases/issues/1731
- The diff setting to hide whitespace changes in the pull request "Files changed" tab is now retained for your user account for that pull request. The setting you have chosen is automatically reapplied if you navigate away from the page and then revisit the "Files changed" tab of the same pull request.
# https://github.com/github/releases/issues/1663
- When using auto assignment for pull request code reviews, you can now choose to only notify requested team members independently of your auto assignment settings. This setting is useful in scenarios where many users are auto assigned but not all users require notification. For more information, see the "[{% data variables.product.prodname_dotcom %} changelog](https://github.blog/changelog/2021-11-10-team-member-pull-request-review-notifications-can-be-configured-independently-of-auto-assignment/)."
- heading: 'Branches changes'
notes:
# https://github.com/github/releases/issues/1526
- Organization and repository administrators can now trigger webhooks to listen for changes to branch protection rules on their repositories. For more information, see the "[branch_protection_rule](/developers/webhooks-and-events/webhooks/webhook-events-and-payloads#branch_protection_rule)" event in the webhooks events and payloads documentation.
# https://github.com/github/releases/issues/1759
- When configuring protected branches, you can now enforce that a required status check is provided by a specific {% data variables.product.prodname_github_app %}. If a status is then provided by a different application, or by a user via a commit status, merging is prevented. This ensures all changes are validated by the intended application. For more information, see the "[{% data variables.product.prodname_dotcom %} changelog](https://github.blog/changelog/2021-12-01-ensure-required-status-checks-provided-by-the-intended-app/)."
# https://github.com/github/releases/issues/1911
- Only users with administrator permissions are now able to rename protected branches and modify branch protection rules. Previously, with the exception of the default branch, a collaborator could rename a branch and consequently any non-wildcard branch protection rules that applied to that branch were also renamed. For more information, see "[Renaming a branch](/repositories/configuring-branches-and-merges-in-your-repository/managing-branches-in-your-repository/renaming-a-branch)" and "[Managing a branch protection rule](/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/managing-a-branch-protection-rule)."
# https://github.com/github/releases/issues/1845
- Administrators can now allow only specific users and teams to bypass pull request requirements. For more information, see the "[{% data variables.product.prodname_dotcom %} changelog](https://github.blog/changelog/2021-11-19-allow-bypassing-required-pull-requests/)."
# https://github.com/github/releases/issues/1850
- Administrators can now allow only specific users and teams to force push to a repository. For more information, see the "[{% data variables.product.prodname_dotcom %} changelog](https://github.blog/changelog/2021-12-21-specify-who-can-force-push-to-a-repository/)."
# https://github.com/github/releases/issues/1796
- When requiring pull requests for all changes to a protected branch, administrators can now choose if approved reviews are also a requirement. For more information, see the "[{% data variables.product.prodname_dotcom %} changelog](https://github.blog/changelog/2021-11-10-require-pull-requests-without-requiring-reviews/)."
- heading: 'GitHub Actions changes'
notes:
# https://github.com/github/releases/issues/1906
- '{% data variables.product.prodname_actions %} workflows triggered by {% data variables.product.prodname_dependabot %} for the `create`, `deployment`, and `deployment_status` events now always receive a read-only token and no secrets. Similarly, workflows triggered by {% data variables.product.prodname_dependabot %} for the `pull_request_target` event on pull requests where the base ref was created by {% data variables.product.prodname_dependabot %}, now always receive a read-only token and no secrets. These changes are designed to prevent potentially malicious code from executing in a privileged workflow. For more information, see "[Automating {% data variables.product.prodname_dependabot %} with {% data variables.product.prodname_actions %}](/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/automating-dependabot-with-github-actions)."'
# https://github.com/github/releases/issues/1667
- Workflow runs on `push` and `pull_request` events triggered by {% data variables.product.prodname_dependabot %} will now respect the permissions specified in your workflows, allowing you to control how you manage automatic dependency updates. The default token permissions will remain read-only. For more information, see the "[{% data variables.product.prodname_dotcom %} changelog](https://github.blog/changelog/2021-10-06-github-actions-workflows-triggered-by-dependabot-prs-will-respect-permissions-key-in-workflows/)."
# https://github.com/github/releases/issues/1668
- '{% data variables.product.prodname_actions %} workflows triggered by {% data variables.product.prodname_dependabot %} will now be sent the {% data variables.product.prodname_dependabot %} secrets. You can now pull from private package registries in your CI using the same secrets you have configured for {% data variables.product.prodname_dependabot %} to use, improving how {% data variables.product.prodname_actions %} and {% data variables.product.prodname_dependabot %} work together. For more information, see "[Automating {% data variables.product.prodname_dependabot %} with {% data variables.product.prodname_actions %}](/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/automating-dependabot-with-github-actions)."'
# https://github.com/github/releases/issues/1615
- You can now manage runner groups and see the status of your self-hosted runners using new Runners and Runner Groups pages in the UI. The Actions settings page for your repository or organization now shows a summary view of your runners, and allows you to deep dive into a specific runner to edit it or see what job it may be currently running. For more information, see the "[{% data variables.product.prodname_dotcom %} changelog](https://github.blog/changelog/2021-09-20-github-actions-experience-refresh-for-the-management-of-self-hosted-runners/)."
# https://github.com/github/releases/issues/1785
- 'Actions authors can now have their action run in Node.js 16 by specifying [`runs.using` as `node16` in the action''s `action.yml`](/actions/creating-actions/metadata-syntax-for-github-actions#runs-for-javascript-actions). This is in addition to the existing Node.js 12 support; actions can continue to specify `runs.using: node12` to use the Node.js 12 runtime.'
# https://github.com/github/releases/issues/1799
- 'For manually triggered workflows, {% data variables.product.prodname_actions %} now supports the `choice`, `boolean`, and `environment` input types in addition to the default `string` type. For more information, see "[`on.workflow_dispatch.inputs`](/actions/using-workflows/workflow-syntax-for-github-actions#onworkflow_dispatchinputs)."'
# https://github.com/github/releases/issues/1782
- Actions written in YAML, also known as composite actions, now support `if` conditionals. This lets you prevent specific steps from executing unless a condition has been met. Like steps defined in workflows, you can use any supported context and expression to create a conditional.
# https://github.com/github/releases/issues/1919
- The search order behavior for self-hosted runners has now changed, so that the first available matching runner at any level will run the job in all cases. This allows jobs to be sent to self-hosted runners much faster, especially for organizations and enterprises with lots of self-hosted runners. Previously, when running a job that required a self-hosted runner, {% data variables.product.prodname_actions %} would look for self-hosted runners in the repository, organization, and enterprise, in that order.
# https://github.com/github/releases/issues/1753
- Runner labels for {% data variables.product.prodname_actions %} self-hosted runners can now be listed, added and removed using the REST API. For more information about using the new APIs at a repository, organization, or enterprise level, see "[Repositories](/rest/reference/actions#list-labels-for-a-self-hosted-runner-for-a-repository)", "[Organizations](/rest/reference/actions#add-custom-labels-to-a-self-hosted-runner-for-an-organization)", and "[Enterprises](/rest/reference/enterprise-admin#list-labels-for-a-self-hosted-runner-for-an-enterprise)" in the REST API documentation.
- heading: 'Dependabot and Dependency graph changes'
notes:
# https://github.com/github/releases/issues/1520
- Dependency graph now supports detecting Python dependencies in repositories that use the Poetry package manager. Dependencies will be detected from both `pyproject.toml` and `poetry.lock` manifest files.
# https://github.com/github/releases/issues/1921
- When configuring {% data variables.product.prodname_dependabot %} security and version updates on GitHub Enterprise Server, we recommend you also enable {% data variables.product.prodname_dependabot %} in {% data variables.product.prodname_github_connect %}. This will allow {% data variables.product.prodname_dependabot %} to retrieve an updated list of dependencies and vulnerabilities from {% data variables.product.prodname_dotcom_the_website %}, by querying for information such as the changelogs of the public releases of open source code that you depend upon. For more information, see "[Enabling the dependency graph and Dependabot alerts for your enterprise](/admin/configuration/configuring-github-connect/enabling-the-dependency-graph-and-dependabot-alerts-for-your-enterprise)."
# https://github.com/github/releases/issues/1717
- '{% data variables.product.prodname_dependabot_alerts %} alerts can now be dismissed using the GraphQL API. For more information, see the "[dismissRepositoryVulnerabilityAlert](/graphql/reference/mutations#dismissrepositoryvulnerabilityalert)" mutation in the GraphQL API documentation.'
- heading: 'Code scanning and secret scanning changes'
notes:
# https://github.com/github/releases/issues/1802
- The {% data variables.product.prodname_codeql %} CLI now supports including markdown-rendered query help in SARIF files, so that the help text can be viewed in the {% data variables.product.prodname_code_scanning %} UI when the query generates an alert. For more information, see the "[{% data variables.product.prodname_dotcom %} changelog](https://github.blog/changelog/2021-11-23-display-help-text-for-your-custom-codeql-queries-in-code-scanning/)."
# https://github.com/github/releases/issues/1790
- The {% data variables.product.prodname_codeql %} CLI and {% data variables.product.prodname_vscode %} extension now support building databases and analyzing code on machines powered by Apple Silicon, such as Apple M1. For more information, see the "[{% data variables.product.prodname_dotcom %} changelog](https://github.blog/changelog/2021-11-10-codeql-now-supports-apple-silicon-m1/)."
# https://github.com/github/releases/issues/1732
- |
The depth of {% data variables.product.prodname_codeql %}'s analysis has been improved by adding support for more [libraries and frameworks](https://codeql.github.com/docs/codeql-overview/supported-languages-and-frameworks/) from the Python ecosystem. As a result, {% data variables.product.prodname_codeql %} can now detect even more potential sources of untrusted user data, steps through which that data flows, and potentially dangerous sinks where the data could end up. This results in an overall improvement of the quality of {% data variables.product.prodname_code_scanning %} alerts. For more information, see the "[{% data variables.product.prodname_dotcom %} changelog](https://github.blog/changelog/2021-11-24-codeql-code-scanning-now-recognizes-more-python-libraries-and-frameworks/)."
# https://github.com/github/releases/issues/1567
- Code scanning with {% data variables.product.prodname_codeql %} now includes beta support for analyzing code in all common Ruby versions, up to and including 3.02. For more information, see the "[{% data variables.product.prodname_dotcom %} changelog](https://github.blog/changelog/2021-10-27-codeql-code-scanning-adds-beta-support-for-ruby/)."
# https://github.com/github/releases/issues/1764
- |
Several improvements have been made to the {% data variables.product.prodname_code_scanning %} API:
* The `fixed_at` timestamp has been added to alerts. This timestamp is the first time that the alert was not detected in an analysis.
* Alert results can now be sorted using `sort` and `direction` on either `created`, `updated` or `number`. For more information, see "[List code scanning alerts for a repository](/rest/reference/code-scanning#list-code-scanning-alerts-for-a-repository)."
* A `Last-Modified` header has been added to the alerts and alert endpoint response. For more information, see [`Last-Modified`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Last-Modified) in the Mozilla documentation.
* The `relatedLocations` field has been added to the SARIF response when you request a code scanning analysis. The field may contain locations which are not the primary location of the alert. See an example in the [SARIF spec](https://docs.oasis-open.org/sarif/sarif/v2.1.0/cs01/sarif-v2.1.0-cs01.html#_Toc16012616) and for more information see "[Get a code scanning analysis for a repository](/rest/reference/code-scanning#get-a-code-scanning-analysis-for-a-repository)."
* Both `help` and `tags` data have been added to the webhook response alert rule object. For more information, see "[Code scanning alert webhooks events and payloads](/developers/webhooks-and-events/webhooks/webhook-events-and-payloads#code_scanning_alert)."
* Personal access tokens with the `public_repo` scope now have write access for code scanning endpoints on public repos, if the user has permission.
For more information, see "[Code scanning](/rest/reference/code-scanning)" in the REST API documentation.
# https://github.com/github/releases/issues/1943
- '{% data variables.product.prodname_GH_advanced_security %} customers can now use the REST API to retrieve private repository secret scanning results at the enterprise level. The new endpoint supplements the existing repository-level and organization-level endpoints. For more information, see "[Secret scanning](/rest/reference/secret-scanning)" in the REST API documentation.'
# No security/bug fixes for the RC release
# security_fixes:
# - PLACEHOLDER
# bugs:
# - PLACEHOLDER
known_issues:
- On a freshly set up {% data variables.product.prodname_ghe_server %} instance without any users, an attacker could create the first admin user.
- Custom firewall rules are removed during the upgrade process.
- Git LFS tracked files [uploaded through the web interface](https://github.com/blog/2105-upload-files-to-your-repositories) are incorrectly added directly to the repository.
- Issues cannot be closed if they contain a permalink to a blob in the same repository, where the blob's file path is longer than 255 characters.
- When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
- The {% data variables.product.prodname_registry %} npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.
- Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.
deprecations:
- heading: Deprecation of GitHub Enterprise Server 3.0
notes:
- '**{% data variables.product.prodname_ghe_server %} 3.0 was discontinued on February 16, 2022**. This means that no patch releases will be made, even for critical security issues, after this date. For better performance, improved security, and new features, [upgrade to the newest version of {% data variables.product.prodname_ghe_server %}](/enterprise-server@3.4/admin/enterprise-management/upgrading-github-enterprise-server) as soon as possible.'
- heading: Deprecation of GitHub Enterprise Server 3.1
notes:
- '**{% data variables.product.prodname_ghe_server %} 3.1 will be discontinued on June 3, 2022**. This means that no patch releases will be made, even for critical security issues, after this date. For better performance, improved security, and new features, [upgrade to the newest version of {% data variables.product.prodname_ghe_server %}](/enterprise-server@3.4/admin/enterprise-management/upgrading-github-enterprise-server) as soon as possible.'
- heading: Deprecation of XenServer Hypervisor support
notes:
# https://github.com/github/docs-content/issues/4439
- Starting in {% data variables.product.prodname_ghe_server %} 3.3, {% data variables.product.prodname_ghe_server %} on XenServer was deprecated and is no longer supported. Please contact [GitHub Support](https://support.github.com) with questions or concerns.
- heading: Deprecation of the Content Attachments API preview
notes:
#
- Due to low usage, we have deprecated the Content References API preview in {% data variables.product.prodname_ghe_server %} 3.4. The API was previously accessible with the `corsair-preview` header. Users can continue to navigate to external URLs without this API. Any registered usages of the Content References API will no longer receive a webhook notification for URLs from your registered domain(s) and we no longer return valid response codes for attempted updates to existing content attachments.
- heading: Deprecation of the Codes of Conduct API preview
notes:
# https://github.com/github/releases/issues/1708
- 'The Codes of Conduct API preview, which was accessible with the `scarlet-witch-preview` header, is deprecated and no longer accessible in {% data variables.product.prodname_ghe_server %} 3.4. We instead recommend using the "[Get community profile metrics](/rest/reference/repos#get-community-profile-metrics)" endpoint to retrieve information about a repository''s code of conduct. For more information, see the "[Deprecation Notice: Codes of Conduct API preview](https://github.blog/changelog/2021-10-01-deprecating-codes-of-conduct-api-preview/)" in the {% data variables.product.prodname_dotcom %} changelog.'
- heading: Deprecation of OAuth Application API endpoints and API authentication using query parameters
notes:
# https://github.com/github/releases/issues/1316
- |
Starting with {% data variables.product.prodname_ghe_server %} 3.4, the [deprecated version of the OAuth Application API endpoints](https://developer.github.com/changes/2020-02-14-deprecating-oauth-app-endpoint/#endpoints-affected) have been removed. If you encounter 404 error messages on these endpoints, convert your code to the versions of the OAuth Application API that do not have `access_tokens` in the URL. We've also disabled the use of API authentication using query parameters. We instead recommend using [API authentication in the request header](https://developer.github.com/changes/2020-02-10-deprecating-auth-through-query-param/#changes-to-make).
- heading: Deprecation of the CodeQL runner
notes:
# https://github.com/github/releases/issues/1632
- The {% data variables.product.prodname_codeql %} runner is deprecated in {% data variables.product.prodname_ghe_server %} 3.4 and is no longer supported. The deprecation only affects users who use {% data variables.product.prodname_codeql %} code scanning in third party CI/CD systems; {% data variables.product.prodname_actions %} users are not affected. We strongly recommend that customers migrate to the {% data variables.product.prodname_codeql %} CLI, which is a feature-complete replacement for the {% data variables.product.prodname_codeql %} runner. For more information, see the [{% data variables.product.prodname_dotcom %} changelog](https://github.blog/changelog/2021-09-21-codeql-runner-deprecation/).
- heading: Deprecation of custom bit-cache extensions
notes:
# https://github.com/github/releases/issues/1415
- |
Starting in {% data variables.product.prodname_ghe_server %} 3.1, support for {% data variables.product.company_short %}'s proprietary bit-cache extensions began to be phased out. These extensions are deprecated in {% data variables.product.prodname_ghe_server %} 3.3 onwards.
Any repositories that were already present and active on {% data variables.product.product_location %} running version 3.1 or 3.2 will have been automatically updated.
Repositories which were not present and active before upgrading to {% data variables.product.prodname_ghe_server %} 3.3 may not perform optimally until a repository maintenance task is run and has successfully completed.
To start a repository maintenance task manually, browse to `https://<hostname>/stafftools/repositories/<owner>/<repository>/network` for each affected repository and click the Schedule button.
backups:
- '{% data variables.product.prodname_ghe_server %} 3.4 requires at least [GitHub Enterprise Backup Utilities 3.4.0](https://github.com/github/backup-utils) for [Backups and Disaster Recovery](/admin/configuration/configuring-your-enterprise/configuring-backups-on-your-appliance).'


@@ -0,0 +1 @@
{% data variables.product.company_short %} recommends a minimum of 8 vCPU and 64 GB memory to run {% data variables.product.prodname_actions %}.


@@ -0,0 +1,9 @@
{% ifversion ghes = 3.4 %}
{% note %}
**Note**: Reusable workflows are currently in beta and subject to change.
{% endnote %}
{% endif %}


@@ -0,0 +1,4 @@
The dependency graph is a summary of the manifest and lock files stored in a repository. For each repository, it shows{% ifversion fpt or ghec %}:
- Dependencies, the ecosystems and packages it depends on
- Dependents, the repositories and packages that depend on it{% else %} dependencies, that is, the ecosystems and packages it depends on. {% data variables.product.product_name %} does not calculate information about dependents, the repositories and packages that depend on a repository.{% endif %}


@@ -1,9 +1,11 @@
{% ifversion ghes > 3.2 %}
{% note %}
{% if dependabot-updates-github-connect %}
**Note:** {% data variables.product.prodname_dependabot %} security and version updates are currently in public beta and subject to change.
{% else %}
**Note:** {% data variables.product.prodname_dependabot %} security and version updates are currently in private beta and subject to change. To request access to the beta release, [contact your account management team](https://enterprise.github.com/contact).
{% endif %}
{% endnote %}
{% endif %}


@@ -1,3 +1,3 @@
{% ifversion ghes or ghae-issue-4864 %}
The dependency graph and {% data variables.product.prodname_dependabot_alerts %} are configured at an enterprise level by the enterprise owner. For more information, see "[Enabling the dependency graph and {% data variables.product.prodname_dependabot_alerts %} for your enterprise](/admin/configuration/configuring-github-connect/enabling-the-dependency-graph-and-dependabot-alerts-for-your-enterprise)."
The dependency graph and {% data variables.product.prodname_dependabot_alerts %} are configured at an enterprise level by the enterprise owner. For more information, see {% ifversion ghes %}"[Enabling the dependency graph for your enterprise](/admin/code-security/managing-supply-chain-security-for-your-enterprise/enabling-the-dependency-graph-for-your-enterprise)" and {% endif %}"[Enabling {% data variables.product.prodname_dependabot %} for your enterprise](/admin/configuration/configuring-github-connect/enabling-dependabot-for-your-enterprise)."
{% endif %}


@@ -2,7 +2,7 @@
{% note %}
**Note:** Your site administrator must set up {% data variables.product.prodname_dependabot %} updates for {% data variables.product.product_location %} before you can use this feature. For more information, see "[Setting up {% data variables.product.prodname_dependabot %} security and version updates on your enterprise](/admin/github-actions/enabling-github-actions-for-github-enterprise-server/setting-up-dependabot-updates)."
**Note:** Your site administrator must set up {% data variables.product.prodname_dependabot_updates %} for {% data variables.product.product_location %} before you can use this feature. For more information, see "[Enabling {% data variables.product.prodname_dependabot %} for your enterprise](/admin/configuration/configuring-github-connect/enabling-dependabot-for-your-enterprise)."
{% endnote %}


@@ -1 +1 @@
Optionally, select **Allow built-in authentication** to invite users to use built-in authentication if they dont belong to {% data variables.product.product_location %}'s identity provider.
Optionally, to allow people to use built-in authentication if they don't have an account on your IdP, select **Allow built-in authentication**. For more information, see "[Allowing built-in authentication for users outside your identity provider](/admin/identity-and-access-management/authenticating-users-for-your-github-enterprise-server-instance/allowing-built-in-authentication-for-users-outside-your-identity-provider)."


@@ -1 +1 @@
If you want to authenticate users without adding them to your identity provider, you can configure built-in authentication. For more information, see "[Allowing built-in authentication for users outside your identity provider](/enterprise/{{ currentVersion }}/admin/guides/user-management/allowing-built-in-authentication-for-users-outside-your-identity-provider)."
If you want to authenticate some users without adding them to your identity provider, you can configure built-in authentication in addition to SAML SSO. For more information, see "[Allowing built-in authentication for users outside your identity provider](/admin/identity-and-access-management/authenticating-users-for-your-github-enterprise-server-instance/allowing-built-in-authentication-for-users-outside-your-identity-provider)."


@@ -24,3 +24,9 @@ You can use the following syntax to define read or write access for all of the a
```yaml
permissions: read-all|write-all
```
You can use the following syntax to disable permissions for all of the available scopes:
```yaml
permissions: {}
```
