jprdonnelly/docs
1
0
Fork 0
mirror of synced 2025-12-23 21:07:12 -05:00
Code Issues Projects Releases Wiki Activity

Merge branch 'main' into editorconfig

Browse Source
This commit is contained in:
Chiedo John
2020-11-06 09:19:07 -05:00
committed by GitHub
parent 8542383571 696c08489f
commit 18a55c1c07
6110 changed files with 46027 additions and 9199 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
.github/allowed-actions.js vendored
View File

@@ -4,17 +4,13 @@
// can be added it this list.
module.exports = [
'actions/cache@70655ec8323daeeaa7ef06d7c56e1b9191396cbe',
'actions/cache@d1255ad9362389eac595a9ae406b8e8cb3331f16',
'actions/checkout@a81bbbf8298c0fa03ea29cdc473d45769f953675',
'actions/github-script@5d03ada4b0a753e9460b312e61cc4f8fdeacf163',
'actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45',
'actions/github-script@44b873bc975058192f5279ebe7579496381f575d',
'actions/github-script@626af12fe9a53dc2972b48385e7fe7dec79145c9',
'actions/labeler@5f867a63be70efff62b767459b009290364495eb',
'actions/setup-node@56899e050abffc08c2b3b61f3ec6a79a9dc3223d',
'actions/setup-ruby@5f29a1cd8dfebf420691c4c9a0e832e2fae5a526',
'actions/stale@44f9eae0adddf72dbf3eedfacc999f70afcec1a8',
'actions/cache@d1255ad9362389eac595a9ae406b8e8cb3331f16', //actions/cache@v2.1.2
'actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f', //actions/checkout@v2.3.4
'actions/github-script@626af12fe9a53dc2972b48385e7fe7dec79145c9', //actions/script@v3.0.0
'actions/labeler@5f867a63be70efff62b767459b009290364495eb', //actions/labeler@v2.2.0
'actions/setup-node@56899e050abffc08c2b3b61f3ec6a79a9dc3223d', //actions/setup-node@v1.4.4
'actions/setup-ruby@5f29a1cd8dfebf420691c4c9a0e832e2fae5a526', //actions/setup-ruby@v1.1.2
'actions/stale@af4072615903a8b031f986d25b1ae3bf45ec44d4', //actions/stale@v3.0.13
'crowdin/github-action@fd9429dd63d6c0f8a8cb4b93ad8076990bd6e688',
'dawidd6/action-delete-branch@47743101a121ad657031e6704086271ca81b1911',
'docker://chinthakagodawita/autoupdate-action:v1',

4
.github/workflows/60-days-stale-check.yml vendored
View File

@@ -7,9 +7,9 @@ jobs:
stale:
runs-on: ubuntu-latest
steps:
- uses: actions/stale@44f9eae0adddf72dbf3eedfacc999f70afcec1a8
- uses: actions/stale@af4072615903a8b031f986d25b1ae3bf45ec44d4
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
repo-token: ${{ secrets.GITHUB_TOKEN }}
stale-issue-message: 'This issue is stale because it has been open 60 days with no activity.'
stale-pr-message: 'This PR is stale because it has been open 60 days with no activity.'
days-before-stale: 60

2
.github/workflows/browser-test.yml vendored
View File

@@ -26,7 +26,7 @@ jobs:
# Even if if doesn't do anything
- if: ${{ needs.see_if_should_skip.outputs.should_skip != 'true' }}
name: Checkout
uses: actions/checkout@a81bbbf8298c0fa03ea29cdc473d45769f953675
uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f
- if: ${{ needs.see_if_should_skip.outputs.should_skip != 'true' }}
name: Install

2
.github/workflows/check-all-english-links.yml vendored
View File

@@ -10,7 +10,7 @@ jobs:
if: github.repository == 'github/docs-internal'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@a81bbbf8298c0fa03ea29cdc473d45769f953675
- uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f
- name: npm ci
run: npm ci
- name: npm run build

2
.github/workflows/codeql.yml vendored
View File

@@ -11,7 +11,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@a81bbbf8298c0fa03ea29cdc473d45769f953675
- uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f
- uses: github/codeql-action/init@v1
with:
languages: javascript # comma separated list of values from {go, python, javascript, java, cpp, csharp} (not YET ruby, sorry!)

2
.github/workflows/crowdin.yml vendored
View File

@@ -12,7 +12,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@a81bbbf8298c0fa03ea29cdc473d45769f953675
uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f
- name: Sync
uses: crowdin/github-action@fd9429dd63d6c0f8a8cb4b93ad8076990bd6e688

4
.github/workflows/dry-run-sync-algolia-search-indices.yml vendored
View File

@@ -10,12 +10,12 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: checkout
uses: actions/checkout@a81bbbf8298c0fa03ea29cdc473d45769f953675
uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f
- uses: actions/setup-node@56899e050abffc08c2b3b61f3ec6a79a9dc3223d
with:
node-version: 14.x
- name: cache node modules
uses: actions/cache@70655ec8323daeeaa7ef06d7c56e1b9191396cbe
uses: actions/cache@d1255ad9362389eac595a9ae406b8e8cb3331f16
with:
path: ~/.npm
key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}

6
.github/workflows/first-responder-docs-content.yml vendored
View File

@@ -11,7 +11,7 @@ jobs:
steps:
- name: Check if the event originated from a team member
uses: actions/github-script@44b873bc975058192f5279ebe7579496381f575d
uses: actions/github-script@626af12fe9a53dc2972b48385e7fe7dec79145c9
id: set-result
with:
github-token: ${{secrets.DOCUBOT_FR_PROJECT_BOARD_WORKFLOWS_REPO_ORG_READ_SCOPES}}
@@ -53,12 +53,12 @@ jobs:
first-responder-remove-pr:
name: Remove PR from FR project board
if: github.repository == 'github/docs-internal' && (github.event.label.name == 'docs-content-fr' && github.event.action == 'unlabeled') || github.event.action == 'closed'
if: github.repository == 'github/docs-internal' && ((github.event.label.name == 'docs-content-fr' && github.event.action == 'unlabeled') || github.event.action == 'closed')
runs-on: ubuntu-latest
steps:
- name: Remove card from project
uses: actions/github-script@44b873bc975058192f5279ebe7579496381f575d
uses: actions/github-script@626af12fe9a53dc2972b48385e7fe7dec79145c9
with:
github-token: ${{secrets.DOCUBOT_FR_PROJECT_BOARD_WORKFLOWS_REPO_ORG_READ_SCOPES}}
result-encoding: string

59
.github/workflows/js-lint.yml vendored Normal file
View File

@@ -0,0 +1,59 @@
name: Lint JS
on:
workflow_dispatch:
push:
branches:
- main
pull_request:
branches-ignore:
- translations
jobs:
see_if_should_skip:
runs-on: ubuntu-latest
outputs:
should_skip: ${{ steps.skip_check.outputs.should_skip }}
steps:
- id: skip_check
uses: fkirc/skip-duplicate-actions@36feb0d8d062137530c2e00bd278d138fe191289
with:
cancel_others: 'false'
github_token: ${{ github.token }}
paths: '["**/*.js", "package*.json", ".github/workflows/js-lint.yml"]'
lint:
runs-on: ubuntu-latest
needs: see_if_should_skip
if: ${{ needs.see_if_should_skip.outputs.should_skip != 'true' }}
steps:
- name: Check out repo
uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f
- name: Setup node
uses: actions/setup-node@56899e050abffc08c2b3b61f3ec6a79a9dc3223d
with:
node-version: 14.x
- name: Get npm cache directory
id: npm-cache
run: |
echo "::set-output name=dir::$(npm config get cache)"
- name: Cache node modules
uses: actions/cache@d1255ad9362389eac595a9ae406b8e8cb3331f16
with:
path: ${{ steps.npm-cache.outputs.dir }}
key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
restore-keys: |
${{ runner.os }}-node-
- name: Install dependencies
run: npm ci
- name: Run linter
run: npx standard
- name: Check dependencies
run: npm run check-deps

3
.github/workflows/merged-notification.yml vendored
View File

@@ -1,10 +1,11 @@
name: Merged notification
on:
pull_request_target:
types: ['closed']
jobs:
comment:
if: github.event.repository.private == false && github.event.pull_request.merged && github.event.pull_request.base.ref == github.event.repository.default_branch
if: github.repository == 'github/docs' && github.event.pull_request.merged && github.event.pull_request.base.ref == github.event.repository.default_branch
runs-on: ubuntu-latest
steps:
- uses: actions/github-script@626af12fe9a53dc2972b48385e7fe7dec79145c9

2
.github/workflows/pa11y.yml vendored
View File

@@ -8,7 +8,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Check out repo
uses: actions/checkout@a81bbbf8298c0fa03ea29cdc473d45769f953675
uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f
- name: Get npm cache directory
id: npm-cache

2
.github/workflows/ping-staging-apps.yml vendored
View File

@@ -12,7 +12,7 @@ jobs:
env:
HEROKU_API_TOKEN: ${{ secrets.HEROKU_API_TOKEN }}
steps:
- uses: actions/checkout@a81bbbf8298c0fa03ea29cdc473d45769f953675
- uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f
- name: npm ci
run: npm ci
- name: npm run build

2
.github/workflows/remove-unused-assets.yml vendored
View File

@@ -18,7 +18,7 @@ jobs:
echo 'The repo is currently frozen! Exiting this workflow.'
exit 1 # prevents further steps from running
- name: Checkout
uses: actions/checkout@a81bbbf8298c0fa03ea29cdc473d45769f953675
uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f
- name: npm ci
run: npm ci
- name: Run scripts

2
.github/workflows/repo-sync.yml vendored
View File

@@ -32,7 +32,7 @@ jobs:
steps:
- name: Check out repo
uses: actions/checkout@a81bbbf8298c0fa03ea29cdc473d45769f953675
uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f
- name: Sync repo to branch
uses: repo-sync/github-sync@3832fe8e2be32372e1b3970bbae8e7079edeec88

2
.github/workflows/send-eng-issues-to-backlog.yml vendored
View File

@@ -12,7 +12,7 @@ jobs:
steps:
- name: Add issues with engineering label to project board
if: contains(github.event.issue.labels.*.name, 'engineering') || contains(github.event.issue.labels.*.name, 'design') || contains(github.event.issue.labels.*.name, 'Design')
uses: actions/github-script@44b873bc975058192f5279ebe7579496381f575d
uses: actions/github-script@626af12fe9a53dc2972b48385e7fe7dec79145c9
with:
github-token: ${{ secrets.DOCUBOT_FR_PROJECT_BOARD_WORKFLOWS_REPO_ORG_READ_SCOPES }}
script: |

2
.github/workflows/start-new-engineering-pr-workflow.yml vendored
View File

@@ -12,7 +12,7 @@ jobs:
DRAFT_COLUMN_ID: 10095775
REGULAR_COLUMN_ID: 10095779
steps:
- uses: actions/github-script@44b873bc975058192f5279ebe7579496381f575d
- uses: actions/github-script@626af12fe9a53dc2972b48385e7fe7dec79145c9
continue-on-error: true
with:
github-token: ${{ secrets.DOCUBOT_FR_PROJECT_BOARD_WORKFLOWS_REPO_ORG_READ_SCOPES }}

4
.github/workflows/sync-algolia-search-indices.yml vendored
View File

@@ -13,12 +13,12 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: checkout
uses: actions/checkout@a81bbbf8298c0fa03ea29cdc473d45769f953675
uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f
- uses: actions/setup-node@56899e050abffc08c2b3b61f3ec6a79a9dc3223d
with:
node-version: 14.x
- name: cache node modules
uses: actions/cache@70655ec8323daeeaa7ef06d7c56e1b9191396cbe
uses: actions/cache@d1255ad9362389eac595a9ae406b8e8cb3331f16
with:
path: ~/.npm
key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}

6
.github/workflows/test-translations.yml vendored
View File

@@ -12,7 +12,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Check out repo
uses: actions/checkout@a81bbbf8298c0fa03ea29cdc473d45769f953675
uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f
with:
ref: translations # check out the 'translations' branch
@@ -52,7 +52,7 @@ jobs:
test-group: [content, meta, rendering, routing, unit, links-and-images]
steps:
- name: Check out repo
uses: actions/checkout@a81bbbf8298c0fa03ea29cdc473d45769f953675
uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f
- name: Setup node
uses: actions/setup-node@56899e050abffc08c2b3b61f3ec6a79a9dc3223d
@@ -77,3 +77,5 @@ jobs:
- name: Run tests
run: npx jest tests/${{ matrix.test-group }}/
env:
NODE_OPTIONS: "--max_old_space_size=4096"

4
.github/workflows/test-windows.yml vendored
View File

@@ -19,7 +19,7 @@ jobs:
test-group: [content, meta, rendering, routing, unit, links-and-images]
steps:
- name: Check out repo
uses: actions/checkout@a81bbbf8298c0fa03ea29cdc473d45769f953675
uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f
- name: Setup node
uses: actions/setup-node@56899e050abffc08c2b3b61f3ec6a79a9dc3223d
@@ -47,3 +47,5 @@ jobs:
- name: Run tests
run: npx jest tests/${{ matrix.test-group }}/
env:
NODE_OPTIONS: "--max_old_space_size=4096"

45
.github/workflows/test.yml vendored
View File

@@ -28,48 +28,7 @@ jobs:
cancel_others: 'false'
github_token: ${{ github.token }}
paths: '[".github/workflows/test.yml",".node-version", ".npmrc", "app.json", "content/**", "data/**","lib/**", "Dockerfile", "feature-flags.json", "Gemfile", "Gemfile.lock", "middleware/**", "node_modules/**","package.json", "package-lock.json", "server.js", "tests/**", "translations/**", "Procfile", "webpack.config.js"]'
lint:
needs: see_if_should_skip
runs-on: ubuntu-latest
steps:
# Each of these ifs needs to be repeated at each step to make sure the required check still runs
# Even if if doesn't do anything
- if: ${{ needs.see_if_should_skip.outputs.should_skip != 'true' }}
name: Check out repo
uses: actions/checkout@a81bbbf8298c0fa03ea29cdc473d45769f953675
- if: ${{ needs.see_if_should_skip.outputs.should_skip != 'true' }}
name: Setup node
uses: actions/setup-node@56899e050abffc08c2b3b61f3ec6a79a9dc3223d
with:
node-version: 14.x
- if: ${{ needs.see_if_should_skip.outputs.should_skip != 'true' }}
name: Get npm cache directory
id: npm-cache
run: |
echo "::set-output name=dir::$(npm config get cache)"
- if: ${{ needs.see_if_should_skip.outputs.should_skip != 'true' }}
name: Cache node modules
uses: actions/cache@d1255ad9362389eac595a9ae406b8e8cb3331f16
with:
path: ${{ steps.npm-cache.outputs.dir }}
key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
restore-keys: |
${{ runner.os }}-node-
- if: ${{ needs.see_if_should_skip.outputs.should_skip != 'true' }}
name: Install dependencies
run: npm ci
- if: ${{ needs.see_if_should_skip.outputs.should_skip != 'true' }}
name: Run linter
run: npx standard
- if: ${{ needs.see_if_should_skip.outputs.should_skip != 'true' }}
name: Check dependencies
run: npm run check-deps
test:
needs: see_if_should_skip
runs-on: ubuntu-latest
@@ -82,7 +41,7 @@ jobs:
# Even if if doesn't do anything
- if: ${{ needs.see_if_should_skip.outputs.should_skip != 'true' }}
name: Check out repo
uses: actions/checkout@a81bbbf8298c0fa03ea29cdc473d45769f953675
uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f
- if: ${{ needs.see_if_should_skip.outputs.should_skip != 'true' }}
name: Setup node
@@ -116,6 +75,8 @@ jobs:
- if: ${{ needs.see_if_should_skip.outputs.should_skip != 'true' }}
name: Run tests
run: npx jest tests/${{ matrix.test-group }}/
env:
NODE_OPTIONS: "--max_old_space_size=4096"
- name: Send Slack notification if workflow fails
uses: rtCamp/action-slack-notify@e17352feaf9aee300bf0ebc1dfbf467d80438815

4
.github/workflows/translations.yml vendored
View File

@@ -24,7 +24,7 @@ jobs:
branch: translations
- if: ${{ steps.pr.outputs.number }}
name: Check if already labeled
uses: actions/github-script@5d03ada4b0a753e9460b312e61cc4f8fdeacf163
uses: actions/github-script@626af12fe9a53dc2972b48385e7fe7dec79145c9
id: has-label
with:
script: |
@@ -44,7 +44,7 @@ jobs:
number: ${{ steps.pr.outputs.number }}
- if: ${{ !steps.has-label.outputs.result }}
name: Add automerge label
uses: actions/github-script@5d03ada4b0a753e9460b312e61cc4f8fdeacf163
uses: actions/github-script@626af12fe9a53dc2972b48385e7fe7dec79145c9
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
script: |

4
.github/workflows/triage-issue-comments.yml vendored
View File

@@ -5,12 +5,12 @@ on:
jobs:
triage-issue-comments:
if: github.repository == 'github/docs'
if: github.repository == 'github/docs' && github.event.issue.pull_request == null
runs-on: ubuntu-latest
steps:
- name: Check if the event originated from a team member
uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45
uses: actions/github-script@626af12fe9a53dc2972b48385e7fe7dec79145c9
id: is-internal-contributor
with:
github-token: ${{secrets.GITHUB_TOKEN}}

6
.github/workflows/triage-stale-check.yml vendored
View File

@@ -7,11 +7,11 @@ jobs:
stale:
if: github.repository == 'github/docs'
runs-on: ubuntu-latest
steps:
- uses: actions/stale@44f9eae0adddf72dbf3eedfacc999f70afcec1a8
- uses: actions/stale@af4072615903a8b031f986d25b1ae3bf45ec44d4
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
repo-token: ${{ secrets.GITHUB_TOKEN }}
stale-pr-message: 'This PR is stale because it has been open 7 days with no activity and will be automatically closed in 3 days. To keep this PR open, update the PR by adding a comment or pushing a commit.'
days-before-stale: 7
days-before-close: 10

2
.github/workflows/update-graphql-files.yml vendored
View File

@@ -22,7 +22,7 @@ jobs:
echo 'The repo is currently frozen! Exiting this workflow.'
exit 1 # prevents further steps from running
- name: Checkout
uses: actions/checkout@a81bbbf8298c0fa03ea29cdc473d45769f953675
uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f
- name: Set up Ruby
uses: actions/setup-ruby@5f29a1cd8dfebf420691c4c9a0e832e2fae5a526
with:

6
CONTRIBUTING.md
View File

@@ -45,7 +45,7 @@ When you're done making changes and you'd like to propose them for review, use t
### Your PR is merged!
Congratulations! The whole GitHub community thanks you. :sparkles:
Once your PR is merged, you can be added as a contributor in the [readme](README.md#contributors-).
Once your PR is merged, you will be proudly listed as a contributor in the [contributor chart](https://github.com/github/docs/graphs/contributors).
### Keep contributing as you use GitHub Docs
@@ -89,7 +89,7 @@ A [pull request](https://docs.github.com/en/github/collaborating-with-issues-and
When we merge those changes, they should be deployed to the live site within 24 hours. :earth_africa: To learn more about opening a pull request in this repo, see [Opening a pull request](#opening-a-pull-request) below.
### :question: Support
We are a small team working hard to keep up with the documentation demands of a continously changing product. Unfortunately, we just can't help with support questions in this repository. If you are experiencing a problem with GitHub, unrelated to our documentation, please [contact GitHub Support directly](https://support.github.com/contact). Any issues, discussions, or pull requests opened here requesting support will be given information about how to contact GitHub Support, then closed and locked.
We are a small team working hard to keep up with the documentation demands of a continuously changing product. Unfortunately, we just can't help with support questions in this repository. If you are experiencing a problem with GitHub, unrelated to our documentation, please [contact GitHub Support directly](https://support.github.com/contact). Any issues, discussions, or pull requests opened here requesting support will be given information about how to contact GitHub Support, then closed and locked.
If you're having trouble with your GitHub account, contact [Support](https://support.github.com/contact).
@@ -129,7 +129,7 @@ Here's some information that might be helpful while working on a Docs PR:
- [Variables](/data/variables/README.md) - We use variables the same way we use reusables. Variables are for short strings of reusable text.
- [Liquid](/contribution/liquid-helpers.md) - We use liquid helpers to create different versions of our content.
- [Liquid](/contributing/liquid-helpers.md) - We use liquid helpers to create different versions of our content.
- [Scripts](/script/README.md) - The scripts directory is the home for all of the scripts you can run locally.

2
README.md
View File

@@ -27,7 +27,7 @@ If you've found a problem, you can open an issue using a [template](https://gith
#### Solve an issue
If you have a solution to one of the open issues, you will need to fork the repository and submit a PR using the [template](https://github.com/github/docs/blob/main/CONTRIBUTING.md#pull-request-template) that is visible automatically in the pull request body. For more details about this process, please check out [Getting Started with Contributing](/CONTRIBUTING.md).
If you have a solution to one of the open issues, you will need to fork the repository and submit a PR using the [template](https://github.com/github/docs/blob/main/CONTRIBUTING.md#pull-request-template) that is visible automatically in the pull request body. For more details about this process, please check out [Getting Started with Contributing](/CONTRIBUTING.md).
#### Join us in discussions

BIN
assets/images/actions-log-group.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 4.9 KiB

BIN
assets/images/help/images/comparing-travis-with-actions.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 50 KiB

BIN
assets/images/help/organizations/org-settings-interaction-limits.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 6.4 KiB

After

Width:  |  Height:  |  Size: 9.2 KiB

BIN
assets/images/help/organizations/org-settings-moderation-settings.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 7.8 KiB

BIN
assets/images/help/organizations/organization-temporary-interaction-limits-options.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 82 KiB

After

Width:  |  Height:  |  Size: 68 KiB

BIN
assets/images/help/repository/repo-settings-interaction-limits.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 5.3 KiB

After

Width:  |  Height:  |  Size: 9.9 KiB

BIN
assets/images/help/repository/repo-settings-moderation-settings.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 7.9 KiB

BIN
assets/images/help/repository/temporary-interaction-limits-options.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 79 KiB

After

Width:  |  Height:  |  Size: 63 KiB

BIN
assets/images/help/settings/settings-sidebar-interaction-limits.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 9.4 KiB

BIN
assets/images/help/settings/user-account-temporary-interaction-limits-options.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 61 KiB

6
content/README.md
View File

@@ -166,6 +166,12 @@ featuredLinks:
- Type: `Boolean`. Default is `false`.
- Optional.
### `changelog`
- Purpose: Render a list of changelog items with timestamps on product pages (ex: `layouts/product-landing.html`)
- Type: `Array`, items are objects `{ href: string, title: string, date: 'YYYY-MM-DD' }`
- Optional.
### Escaping single quotes
If you see two single quotes in a row (`''`) in YML frontmatter where you might expect to see one (`'`), this is the YML-preferred way to escape a single quote. From [the YAML spec](https://yaml.org/spec/history/2001-12-10.html):

4
content/actions/guides/building-and-testing-powershell.md
View File

@@ -21,7 +21,7 @@ This guide shows you how to use PowerShell for CI. It describes how to use Peste
You should be familiar with YAML and the syntax for {% data variables.product.prodname_actions %}. For more information, see "[Learn {% data variables.product.prodname_actions %}](/actions/learn-github-actions)."
We recommend that you have a basic understanding of PowerShell and Pester. For more information, see:
- [Getting started with PowerShell](https://docs.microsoft.com/en-us/powershell/scripting/learn/ps101/01-getting-started)
- [Getting started with PowerShell](https://docs.microsoft.com/powershell/scripting/learn/ps101/01-getting-started)
- [Pester](https://pester.dev)
{% data reusables.actions.enterprise-setup-prereq %}
@@ -85,7 +85,7 @@ The table below describes the locations for various PowerShell modules in each {
{% note %}
**Note:** The pre-installed packages (such as Pester) used by {% data variables.product.prodname_dotcom %}-hosted runners are regularly updated, and can introduce signficant changes. As a result, it is recommended that you always specify the required package versions by using `Install-Module` with `-MaximumVersion`.
**Note:** The pre-installed packages (such as Pester) used by {% data variables.product.prodname_dotcom %}-hosted runners are regularly updated, and can introduce significant changes. As a result, it is recommended that you always specify the required package versions by using `Install-Module` with `-MaximumVersion`.
{% endnote %}

6
content/actions/guides/storing-workflow-data-as-artifacts.md
View File

@@ -171,12 +171,12 @@ Jobs that are dependent on a previous job's artifacts must wait for the dependen
Job 1 performs these steps:
- Performs a math calculation and saves the result to a text file called `math-homework.txt`.
- Uses the `upload-artifact` action to upload the `math-homework.txt` file with the name `homework`. The action places the file in a directory named `homework`.
- Uses the `upload-artifact` action to upload the `math-homework.txt` file with the artifact name `homework`.
Job 2 uses the result in the previous job:
- Downloads the `homework` artifact uploaded in the previous job. By default, the `download-artifact` action downloads artifacts to the workspace directory that the step is executing in. You can use the `path` input parameter to specify a different download directory.
- Reads the value in the `homework/math-homework.txt` file, performs a math calculation, and saves the result to `math-homework.txt`.
- Uploads the `math-homework.txt` file. This upload overwrites the previous upload because both of the uploads share the same name.
- Reads the value in the `math-homework.txt` file, performs a math calculation, and saves the result to `math-homework.txt` again, overwriting its contents.
- Uploads the `math-homework.txt` file. This upload overwrites the previously uploaded artifact because they share the same name.
Job 3 displays the result uploaded in the previous job:
- Downloads the `homework` artifact.

1
content/actions/hosting-your-own-runners/about-self-hosted-runners.md
View File

@@ -111,6 +111,7 @@ You must ensure that the machine has the appropriate network access to communica
github.com
api.github.com
*.actions.githubusercontent.com
codeload.github.com
```
If you use an IP address allow list for your {% data variables.product.prodname_dotcom %} organization or enterprise account, you must add your self-hosted runner's IP address to the allow list. For more information, see "[Managing allowed IP addresses for your organization](/github/setting-up-and-managing-organizations-and-teams/managing-allowed-ip-addresses-for-your-organization#using-github-actions-with-an-ip-allow-list)" or "[Enforcing security settings in your enterprise account](/github/setting-up-and-managing-your-enterprise/enforcing-security-settings-in-your-enterprise-account#using-github-actions-with-an-ip-allow-list)".

59
content/actions/index.md
View File

@@ -4,17 +4,30 @@ shortTitle: GitHub Actions
intro: 'Automate, customize, and execute your software development workflows right in your repository with {% data variables.product.prodname_actions %}. You can discover, create, and share actions to perform any job you''d like, including CI/CD, and combine actions in a completely customized workflow.'
introLinks:
quickstart: /actions/quickstart
learn: /actions/learn-github-actions
reference: /actions/reference
featuredLinks:
guides:
- /actions/guides/setting-up-continuous-integration-using-workflow-templates
- /actions/guides/about-packaging-with-github-actions
gettingStarted:
- /actions/managing-workflow-runs
- /actions/hosting-your-own-runners
guide:
- /actions/guides/setting-up-continuous-integration-using-workflow-templates
- /actions/guides/about-packaging-with-github-actions
popular:
- /actions/reference/workflow-syntax-for-github-actions
- /actions/reference/events-that-trigger-workflows
changelog:
- title: Self-Hosted Runner Group Access Changes
date: '2020-10-16'
href: https://github.blog/changelog/2020-10-16-github-actions-self-hosted-runner-group-access-changes/
- title: Ability to change retention days for artifacts and logs
date: '2020-10-08'
href: https://github.blog/changelog/2020-10-08-github-actions-ability-to-change-retention-days-for-artifacts-and-logs
- title: Deprecating set-env and add-path commands
date: '2020-10-01'
href: https://github.blog/changelog/2020-10-01-github-actions-deprecating-set-env-and-add-path-commands
- title: Fine-tune access to external actions
date: '2020-10-01'
href: https://github.blog/changelog/2020-10-01-github-actions-fine-tune-access-to-external-actions
redirect_from:
- /articles/automating-your-workflow-with-github-actions/
- /articles/customizing-your-project-with-github-actions/
@@ -36,44 +49,8 @@ versions:
<!-- {% link_with_intro /hosting-your-own-runners %} -->
<!-- {% link_with_intro /reference %} -->
<!-- Article links -->
<div class="d-lg-flex gutter my-6 py-6">
<div class="col-12 col-lg-4 mb-4 mb-lg-0">
<div class="featured-links-heading pb-4">
<h3 class="f5 text-normal text-mono underline-dashed color-gray-5">{% data ui.toc.guides %}</h3>
</div>
<ul class="list-style-none">
{% for link in featuredLinks.guide %}
<li>{% include featured-link %}</li>
{% endfor %}
</ul>
</div>
<div class="col-12 col-lg-4 mb-4 mb-lg-0">
<div class="featured-links-heading pb-4">
<h3 class="f5 text-normal text-mono underline-dashed color-gray-5">{% data ui.toc.popular_articles %}</h3>
</div>
<ul class="list-style-none">
{% for link in featuredLinks.popular %}
<li>{% include featured-link %}</li>
{% endfor %}
</ul>
</div>
<div class="col-12 col-lg-4 mb-4 mb-lg-0">
<div class="featured-links-heading pb-4">
<h3 class="f5 text-normal text-mono underline-dashed color-gray-5">Manage workflows</h3>
</div>
<ul class="list-style-none">
{% for link in featuredLinks.gettingStarted %}
<li>{% include featured-link %}</li>
{% endfor %}
</ul>
</div>
</div>
<!-- Code examples -->
<div class="mt-6 pt-6">
<div class="my-6 pt-6">
<h2 class="mb-2">More guides</h2>
<div class="d-flex flex-wrap gutter">

3
content/actions/learn-github-actions/index.md
View File

@@ -36,7 +36,8 @@ versions:
{% link_with_intro /managing-complex-workflows %}
{% link_with_intro /sharing-workflows-with-your-organization %}
{% link_with_intro /security-hardening-for-github-actions %}
{% link_with_intro /migrating-from-azure-pipelines-to-github-actions %}
{% link_with_intro /migrating-from-circleci-to-github-actions %}
{% link_with_intro /migrating-from-gitlab-cicd-to-github-actions %}
{% link_with_intro /migrating-from-azure-pipelines-to-github-actions %}
{% link_with_intro /migrating-from-jenkins-to-github-actions %}
{% link_with_intro /migrating-from-travis-ci-to-github-actions %}

6
content/actions/learn-github-actions/managing-complex-workflows.md
View File

@@ -24,12 +24,13 @@ This example action demonstrates how to reference an existing secret as an envir
```yaml
jobs:
example-job:
runs-on: ubuntu-latest
steps:
- name: Retrieve secret
env:
super_secret: ${{ secrets.SUPERSECRET }}
run: |
example-command "$SUPER_SECRET"
example-command "$super_secret"
```
{% endraw %}
@@ -49,6 +50,7 @@ jobs:
- run: ./setup_server.sh
build:
needs: setup
runs-on: ubuntu-latest
steps:
- run: ./build_server.sh
test:
@@ -141,7 +143,7 @@ This example shows how a workflow can use labels to specify the required runner:
```yaml
jobs:
example-job:
runs-on: [self-hosted, linux, x64, gpu]
runs-on: [self-hosted, linux, x64, gpu]
```
For more information, see ["Using labels with self-hosted runners](/actions/hosting-your-own-runners/using-labels-with-self-hosted-runners)."

2
content/actions/learn-github-actions/migrating-from-azure-pipelines-to-github-actions.md
View File

@@ -41,7 +41,7 @@ Jobs and steps in Azure Pipelines are very similar to jobs and steps in {% data
### Migrating script steps
You can run a script or a shell command as a step in a workflow. In Azure Pipelines, script steps can be specified using the `script` key, or with the `bash`, `powershell`, or `pwsh` keys. Scripts can also be specified as an input to the [Bash task](https://docs.microsoft.com/en-us/azure/devops/pipelines/tasks/utility/bash?view=azure-devops) or the [PowerShell task](https://docs.microsoft.com/en-us/azure/devops/pipelines/tasks/utility/powershell?view=azure-devops).
You can run a script or a shell command as a step in a workflow. In Azure Pipelines, script steps can be specified using the `script` key, or with the `bash`, `powershell`, or `pwsh` keys. Scripts can also be specified as an input to the [Bash task](https://docs.microsoft.com/azure/devops/pipelines/tasks/utility/bash?view=azure-devops) or the [PowerShell task](https://docs.microsoft.com/azure/devops/pipelines/tasks/utility/powershell?view=azure-devops).
In {% data variables.product.prodname_actions %}, all scripts are specified using the `run` key. To select a particular shell, you can specify the `shell` key when providing the script. For more information, see "[Workflow syntax for {% data variables.product.prodname_actions %}](/actions/reference/workflow-syntax-for-github-actions#jobsjob_idstepsrun)."

4
content/actions/learn-github-actions/migrating-from-gitlab-cicd-to-github-actions.md
View File

@@ -180,7 +180,7 @@ GitLab CI/CD
deploy_prod:
stage: deploy
script:
- echo "Deply to production server"
- echo "Deploy to production server"
rules:
- if: '$CI_COMMIT_BRANCH == "master"'
```
@@ -194,7 +194,7 @@ jobs:
if: contains( github.ref, 'master')
runs-on: ubuntu-latest
steps:
- run: echo "Deply to production server"
- run: echo "Deploy to production server"
```
{% endraw %}
</td>

30
content/actions/learn-github-actions/migrating-from-jenkins-to-github-actions.md
View File

@@ -232,12 +232,19 @@ Jenkins Pipeline
```yaml
pipeline {
agent none
stages {
stage('Run Tests') {
parallel {
stage('Test On MacOS') {
agent { label "macos" }
agent none
stages {
stage('Run Tests') {
matrix {
axes {
axis {
name: 'PLATFORM'
values: 'macos', 'linux'
}
}
agent { label "${PLATFORM}" }
stages {
stage('test') {
tools { nodejs "node-12" }
steps {
dir("scripts/myapp") {
@@ -246,19 +253,10 @@ pipeline {
}
}
}
stage('Test On Linux') {
agent { label "linux" }
tools { nodejs "node-12" }
steps {
dir("script/myapp") {
sh(script: "npm install -g bats")
sh(script: "bats tests")
}
}
}
}
}
}
}
}
```

410
content/actions/learn-github-actions/migrating-from-travis-ci-to-github-actions.md Normal file
View File

@@ -0,0 +1,410 @@
---
title: Migrating from Travis CI to GitHub Actions
intro: '{% data variables.product.prodname_actions %} and Travis CI share multiple similarities, which helps make it relatively straightforward to migrate to {% data variables.product.prodname_actions %}.'
redirect_from:
- /actions/migrating-to-github-actions/migrating-from-travis-ci-to-github-actions
versions:
free-pro-team: '*'
enterprise-server: '>=2.22'
---
### Introduction
This guide helps you migrate from Travis CI to {% data variables.product.prodname_actions %}. It compares their concepts and syntax, describes the similarities, and demonstrates their different approaches to common tasks.
### Before you start
Before starting your migration to {% data variables.product.prodname_actions %}, it would be useful to become familiar with how it works:
- For a quick example that demonstrates a {% data variables.product.prodname_actions %} job, see "[Quickstart for {% data variables.product.prodname_actions %}](/actions/quickstart)."
- To learn the essential {% data variables.product.prodname_actions %} concepts, see "[Introduction to GitHub Actions](/actions/learn-github-actions/introduction-to-github-actions)."
### Comparing job execution
To give you control over when CI tasks are executed, a {% data variables.product.prodname_actions %} _workflow_ uses _jobs_ that run in parallel by default. Each job contains _steps_ that are executed in a sequence that you define. If you need to run setup and cleanup actions for a job, you can define steps in each job to perform these.
### Key similarities
{% data variables.product.prodname_actions %} and Travis CI share certain similarities, and understanding these ahead of time can help smooth the migration process.
#### Using YAML syntax
Travis CI and {% data variables.product.prodname_actions %} both use YAML to create jobs and workflows, and these files are stored in the code's repository. For more information on how {% data variables.product.prodname_actions %} uses YAML, see ["Creating a workflow file](/actions/learn-github-actions/introduction-to-github-actions#create-an-example-workflow)."
#### Custom environment variables
Travis CI lets you set environment variables and share them between stages. Similarly, {% data variables.product.prodname_actions %} lets you define environment variables for a step, job, or workflow. For more information, see ["Environment variables](/actions/reference/environment-variables)."
#### Default environment variables
Travis CI and {% data variables.product.prodname_actions %} both include default environment variables that you can use in your YAML files. For {% data variables.product.prodname_actions %}, you can see these listed in "[Default environment variables](/actions/reference/environment-variables#default-environment-variables)."
#### Parallel job processing
Travis CI can use `stages` to run jobs in parallel. Similarly, {% data variables.product.prodname_actions %} runs `jobs` in parallel. For more information, see "[Creating dependent jobs](/actions/learn-github-actions/managing-complex-workflows#creating-dependent-jobs)."
#### Status badges
Travis CI and {% data variables.product.prodname_actions %} both support status badges, which let you indicate whether a build is passing or failing.
For more information, see ["Adding a workflow status badge to your repository](/actions/managing-workflow-runs/adding-a-workflow-status-badge)."
#### Using a build matrix
Travis CI and {% data variables.product.prodname_actions %} both support a build matrix, allowing you to perform testing using combinations of operating systems and software packages. For more information, see "[Using a build matrix](/actions/learn-github-actions/managing-complex-workflows#using-a-build-matrix)."
Below is an example comparing the syntax for each system:
<table>
<tr>
<th>
Travis CI
</th>
<th>
{% data variables.product.prodname_actions %}
</th>
</tr>
<tr>
<td class="d-table-cell v-align-top">
{% raw %}
```yaml
matrix:
include:
- rvm: 2.5
- rvm: 2.6.3
```
{% endraw %}
</td>
<td class="d-table-cell v-align-top">
{% raw %}
```yaml
jobs:
build:
strategy:
matrix:
ruby: [2.5, 2.6.3]
```
{% endraw %}
</td>
</tr>
</table>
#### Targeting specific branches
Travis CI and {% data variables.product.prodname_actions %} both allow you to target your CI to a specific branch. For more information, see "[Workflow syntax for GitHub Actions](/actions/reference/workflow-syntax-for-github-actions#onpushpull_requestbranchestags)."
Below is an example of the syntax for each system:
<table>
<tr>
<th>
Travis CI
</th>
<th>
{% data variables.product.prodname_actions %}
</th>
</tr>
<tr>
<td class="d-table-cell v-align-top">
{% raw %}
```yaml
branches:
only:
- main
- 'mona/octocat'
```
{% endraw %}
</td>
<td class="d-table-cell v-align-top">
{% raw %}
```yaml
on:
push:
branches:
- main
- 'mona/octocat'
```
{% endraw %}
</td>
</tr>
</table>
#### Checking out submodules
Travis CI and {% data variables.product.prodname_actions %} both allow you to control whether submodules are included in the repository clone.
Below is an example of the syntax for each system:
<table>
<tr>
<th>
Travis CI
</th>
<th>
{% data variables.product.prodname_actions %}
</th>
</tr>
<tr>
<td class="d-table-cell v-align-top">
{% raw %}
```yaml
git:
submodules: false
```
{% endraw %}
</td>
<td class="d-table-cell v-align-top">
{% raw %}
```yaml
- uses: actions/checkout@v2
with:
submodules: false
```
{% endraw %}
</td>
</tr>
</table>
### Key features in {% data variables.product.prodname_actions %}
When migrating from Travis CI, consider the following key features in {% data variables.product.prodname_actions %}:
#### Storing secrets
{% data variables.product.prodname_actions %} allows you to store secrets and reference them in your jobs. {% data variables.product.prodname_actions %} also includes policies that allow you to limit access to secrets at the repository and organization level. For more information, see "[Encrypted secrets](/actions/reference/encrypted-secrets)."
#### Sharing files between jobs and workflows
{% data variables.product.prodname_actions %} includes integrated support for artifact storage, allowing you to share files between jobs in a workflow. You can also save the resulting files and share them with other workflows. For more information, see "[Sharing data between jobs](/actions/learn-github-actions/essential-features-of-github-actions#sharing-data-between-jobs)."
#### Hosting your own runners
If your jobs require specific hardware or software, {% data variables.product.prodname_actions %} allows you to host your own runners and send your jobs to them for processing. {% data variables.product.prodname_actions %} also lets you use policies to control how these runners are accessed, granting access at the organization or repository level. For more information, see ["Hosting your own runners](/actions/hosting-your-own-runners)."
#### Concurrent jobs and execution time
The concurrent jobs and workflow execution times in {% data variables.product.prodname_actions %} can vary depending on your {% data variables.product.company_short %} plan. For more information, see "[Usage limits, billing, and administration](/actions/reference/usage-limits-billing-and-administration)."
#### Using different languages in {% data variables.product.prodname_actions %}
When working with different languages in {% data variables.product.prodname_actions %}, you can create a step in your job to set up your language dependencies. For more information about working with a particular language, see the specific guide:
- [Building and testing Node.js](/actions/guides/building-and-testing-nodejs)
- [Building and testing PowerShell](/actions/guides/building-and-testing-powershell)
- [Building and testing Python](/actions/guides/building-and-testing-python)
- [Building and testing Java with Maven](/actions/guides/building-and-testing-java-with-maven)
- [Building and testing Java with Gradle](/actions/guides/building-and-testing-java-with-gradle)
- [Building and testing Java with Ant](/actions/guides/building-and-testing-java-with-ant)
### Executing scripts
{% data variables.product.prodname_actions %} can use `run` steps to run scripts or shell commands. To use a particular shell, you can specify the `shell` type when providing the path to the script. For more information, see "[Workflow syntax for {% data variables.product.prodname_actions %}](/actions/reference/workflow-syntax-for-github-actions#jobsjob_idstepsrun)."
For example:
```yaml
steps:
- name: Run build script
run: ./.github/scripts/build.sh
shell: bash
```
### Error handling in {% data variables.product.prodname_actions %}
When migrating to {% data variables.product.prodname_actions %}, there are different approaches to error handling that you might need to be aware of.
#### Script error handling
{% data variables.product.prodname_actions %} stops a job immediately if one of the steps returns an error code. For more information, see "[Workflow syntax for {% data variables.product.prodname_actions %}](/actions/reference/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference)."
#### Job error handling
{% data variables.product.prodname_actions %} uses `if` conditionals to execute jobs or steps in certain situations. For example, you can run a step when another step results in a `failure()`. For more information, see "[Workflow syntax for {% data variables.product.prodname_actions %}](/actions/reference/workflow-syntax-for-github-actions#example-using-status-check-functions)." You can also use [`continue-on-error`](/actions/reference/workflow-syntax-for-github-actions#jobsjob_idcontinue-on-error) to prevent a workflow run from stopping when a job fails.
### Migrating syntax for conditionals and expressions
To run jobs under conditional expressions, Travis CI and {% data variables.product.prodname_actions %} share a similar `if` condition syntax. {% data variables.product.prodname_actions %} lets you use the `if` conditional to prevent a job or step from running unless a condition is met. For more information, see "[Context and expression syntax for {% data variables.product.prodname_actions %}](/actions/reference/context-and-expression-syntax-for-github-actions)."
This example demonstrates how an `if` conditional can control whether a step is executed:
```yaml
jobs:
conditional:
runs-on: ubuntu-latest
steps:
- run: echo "This step runs with str equals 'ABC' and num equals 123"
if: env.str == 'ABC' && env.num == 123
```
### Migrating phases to steps
Where Travis CI uses _phases_ to run _steps_, {% data variables.product.prodname_actions %} has _steps_ which execute _actions_. You can find prebuilt actions in the [{% data variables.product.prodname_marketplace %}](https://github.com/marketplace?type=actions), or you can create your own actions. For more information, see "[Building actions](/actions/building-actions)."
Below is an example of the syntax for each system:
<table>
<tr>
<th>
Travis CI
</th>
<th>
{% data variables.product.prodname_actions %}
</th>
</tr>
<tr>
<td class="d-table-cell v-align-top">
{% raw %}
```yaml
language: python
python:
- "3.7"
script:
- python script.py
```
{% endraw %}
</td>
<td class="d-table-cell v-align-top">
{% raw %}
```yaml
jobs:
run_python:
runs-on: ubuntu-latest
steps:
- uses: actions/setup-python@v2
with:
python-version: '3.7'
architecture: 'x64'
- run: python script.py
```
{% endraw %}
</td>
</tr>
</table>
### Caching dependencies
Travis CI and {% data variables.product.prodname_actions %} let you manually cache dependencies for later reuse. This example demonstrates the cache syntax for each system.
<table>
<tr>
<th>
Travis CI
</th>
<th>
GitHub Actions
</th>
</tr>
<tr>
<td class="d-table-cell v-align-top">
{% raw %}
```yaml
language: node_js
cache: npm
```
{% endraw %}
</td>
<td class="d-table-cell v-align-top">
{% raw %}
```yaml
- name: Cache node modules
uses: actions/cache@v2
with:
path: ~/.npm
key: v1-npm-deps-${{ hashFiles('**/package-lock.json') }}
restore-keys: v1-npm-deps-
```
{% endraw %}
</td>
</tr>
</table>
For more information, see "[Caching dependencies to speed up workflows](/actions/guides/caching-dependencies-to-speed-up-workflows)."
### Examples of common tasks
This section compares how {% data variables.product.prodname_actions %} and Travis CI perform common tasks.
#### Configuring environment variables
You can create custom environment variables in a {% data variables.product.prodname_actions %} job. For example:
<table>
<tr>
<th>
Travis CI
</th>
<th>
{% data variables.product.prodname_actions %} Workflow
</th>
</tr>
<tr>
<td>
```yaml
env:
- MAVEN_PATH="/usr/local/maven"
```
</td>
<td>
```yaml
jobs:
maven-build:
env:
MAVEN_PATH: '/usr/local/maven'
```
</td>
</tr>
</table>
#### Building with Node.js
<table>
<tr>
<th>
Travis CI
</th>
<th>
{% data variables.product.prodname_actions %} Workflow
</th>
</tr>
<tr>
<td>
{% raw %}
```yaml
install:
- npm install
script:
- npm run build
- npm test
```
{% endraw %}
</td>
<td>
{% raw %}
```yaml
name: Node.js CI
on: [push]
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Use Node.js
uses: actions/setup-node@v1
with:
node-version: '12.x'
- run: npm install
- run: npm run build
- run: npm test
```
{% endraw %}
</td>
</tr>
</table>
### Next steps
To continue learning about the main features of {% data variables.product.prodname_actions %}, see "[Learn {% data variables.product.prodname_actions %}](/actions/learn-github-actions)."

4
content/actions/learn-github-actions/security-hardening-for-github-actions.md
View File

@@ -26,7 +26,7 @@ Secrets use [Libsodium sealed boxes](https://libsodium.gitbook.io/doc/public-key
To help prevent accidental disclosure, {% data variables.product.product_name %} uses a mechanism that attempts to redact any secrets that appear in run logs. This redaction looks for exact matches of any configured secrets, as well as common encodings of the values, such as Base64. However, because there are multiple ways a secret value can be transformed, this redaction is not guaranteed. As a result, there are certain proactive steps and good practices you should follow to help ensure secrets are redacted, and to limit other risks associated with secrets:
- **Never use structured data as a secret**
- Unstructured data can cause secret redaction within logs to fail, because redaction largely relies on finding an exact match for the specific secret value. For example, do not use a blob of JSON, XML, or YAML (or similar) to encapsulate a secret value, as this significantly reduces the probability the secrets will be properly redacted. Instead, create individual secrets for each sensitive value.
- Structured data can cause secret redaction within logs to fail, because redaction largely relies on finding an exact match for the specific secret value. For example, do not use a blob of JSON, XML, or YAML (or similar) to encapsulate a secret value, as this significantly reduces the probability the secrets will be properly redacted. Instead, create individual secrets for each sensitive value.
- **Register all secrets used within workflows**
- If a secret is used to generate another sensitive value within a workflow, that generated value should be formally [registered as a secret](https://github.com/actions/toolkit/tree/main/packages/core#setting-a-secret), so that it will be redacted if it ever appears in the logs. For example, if using a private key to generate a signed JWT to access a web API, be sure to register that JWT as a secret or else it wont be redacted if it ever enters the log output.
- Registering secrets applies to any sort of transformation/encoding as well. If your secret is transformed in some way (such as Base64 or URL-encoded), be sure to register the new value as a secret too.
@@ -98,7 +98,7 @@ You should also consider the environment of the self-hosted runner machines:
### Auditing {% data variables.product.prodname_actions %} events
You can use the audit log to monitor administrative tasks in an organization. The audit log records the type of action, when it was run, and which user account perfomed the action.
You can use the audit log to monitor administrative tasks in an organization. The audit log records the type of action, when it was run, and which user account performed the action.
For example, you can use the audit log to track the `action:org.update_actions_secret` event, which tracks changes to organization secrets:
![Audit log entries](/assets/images/help/repository/audit-log-entries.png)

2
content/actions/reference/encrypted-secrets.md
View File

@@ -106,7 +106,7 @@ steps:
```
{% endraw %}
Avoid passing secrets between processes from the command line, whenever possible. Command-line processes may be visible to other users (using the `ps` command) or captured by [security audit events](https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing). To help protect secrets, consider using environment variables, `STDIN`, or other mechanisms supported by the target process.
Avoid passing secrets between processes from the command line, whenever possible. Command-line processes may be visible to other users (using the `ps` command) or captured by [security audit events](https://docs.microsoft.com/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing). To help protect secrets, consider using environment variables, `STDIN`, or other mechanisms supported by the target process.
If you must pass secrets within a command line, then enclose them within the proper quoting rules. Secrets often contain special characters that may unintentionally affect your shell. To escape these special characters, use quoting with your environment variables. For example:

34
content/actions/reference/events-that-trigger-workflows.md
View File

@@ -100,7 +100,7 @@ You can manually trigger a workflow run using the {% data variables.product.prod
##### Example workflow configuration
This example defines the `name` and `home` inputs and prints them using the `github.event.inputs.name` and `github.event.inputs.home` contexts. If a `name` isn't provided, the default value 'Mona the Octocat' is printed.
This example defines the `name` and `home` inputs and prints them using the `github.event.inputs.name` and `github.event.inputs.home` contexts. If a `home` isn't provided, the default value 'The Octoverse' is printed.
{% raw %}
```yaml
@@ -115,6 +115,7 @@ on:
home:
description: 'location'
required: false
default: 'The Octoverse'
jobs:
say_hello:
@@ -314,6 +315,33 @@ on:
types: [created, deleted]
```
The `issue_comment` event occurs for comments on both issues and pull requests. To determine whether the `issue_comment` event was triggered from an issue or pull request, you can check the event payload for the `issue.pull_request` property and use it as a condition to skip a job.
For example, you can choose to run the `pr_commented` job when comment events occur in a pull request, and the `issue_commented` job when comment events occur in an issue.
```yaml
on: issue_comment
jobs:
pr_commented:
# This job only runs for pull request comments
name: PR comment
if: ${{ github.event.issue.pull_request }}
runs-on: ubuntu-latest
steps:
- run: |
echo "Comment on PR #${{ github.event.issue.number }}"
issue-commented:
# This job only runs for issue comments
name: Issue comment
if: ${{ !github.event.issue.pull_request }}
runs-on: ubuntu-latest
steps:
- run: |
echo "Comment on issue #${{ github.event.issue.number }}"
```
#### `issues`
Runs your workflow anytime the `issues` event occurs. {% data reusables.developer-site.multiple_activity_types %} For information about the REST API, see "[Issues](/v3/issues)."
@@ -655,6 +683,10 @@ on:
{% data reusables.webhooks.workflow_run_desc %}
| Webhook event payload | Activity types | `GITHUB_SHA` | `GITHUB_REF` |
| --------------------- | -------------- | ------------ | -------------|
| [`workflow_run`](/webhooks/event-payloads/#workflow_run) | - n/a | Last commit on default branch | Default branch |
If you need to filter branches from this event, you can use `branches` or `branches-ignore`.
In this example, a workflow is configured to run after the separate “Run Tests” workflow completes.

4
content/actions/reference/specifications-for-github-hosted-runners.md
View File

@@ -29,7 +29,7 @@ You can specify the runner type for each job in a workflow. Each job in a workfl
#### Cloud hosts for {% data variables.product.prodname_dotcom %}-hosted runners
{% data variables.product.prodname_dotcom %} hosts Linux and Windows runners on Standard_DS2_v2 virtual machines in Microsoft Azure with the {% data variables.product.prodname_actions %} runner application installed. The {% data variables.product.prodname_dotcom %}-hosted runner application is a fork of the Azure Pipelines Agent. Inbound ICMP packets are blocked for all Azure virtual machines, so ping or traceroute commands might not work. For more information about the Standard_DS2_v2 machine resources, see "[Dv2 and DSv2-series](https://docs.microsoft.com/en-us/azure/virtual-machines/dv2-dsv2-series#dsv2-series)" in the Microsoft Azure documentation.
{% data variables.product.prodname_dotcom %} hosts Linux and Windows runners on Standard_DS2_v2 virtual machines in Microsoft Azure with the {% data variables.product.prodname_actions %} runner application installed. The {% data variables.product.prodname_dotcom %}-hosted runner application is a fork of the Azure Pipelines Agent. Inbound ICMP packets are blocked for all Azure virtual machines, so ping or traceroute commands might not work. For more information about the Standard_DS2_v2 machine resources, see "[Dv2 and DSv2-series](https://docs.microsoft.com/azure/virtual-machines/dv2-dsv2-series#dsv2-series)" in the Microsoft Azure documentation.
{% data variables.product.prodname_dotcom %} uses [MacStadium](https://www.macstadium.com/) to host the macOS runners.
@@ -37,7 +37,7 @@ You can specify the runner type for each job in a workflow. Each job in a workfl
The Linux and macOS virtual machines both run using passwordless `sudo`. When you need to execute commands or install tools that require more privileges than the current user, you can use `sudo` without needing to provide a password. For more information, see the "[Sudo Manual](https://www.sudo.ws/man/1.8.27/sudo.man.html)."
Windows virtual machines are configured to run as administrators with User Account Control (UAC) disabled. For more information, see "[How User Account Control works](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works)" in the Windows documentation.
Windows virtual machines are configured to run as administrators with User Account Control (UAC) disabled. For more information, see "[How User Account Control works](https://docs.microsoft.com/windows/security/identity-protection/user-account-control/how-user-account-control-works)" in the Windows documentation.
### Supported runners and hardware resources

57
content/actions/reference/workflow-commands-for-github-actions.md
View File

@@ -65,22 +65,22 @@ You can use the `set-output` command in your workflow to set the same value:
The following table shows which toolkit functions are available within a workflow:
| Toolkit function| Equivalent workflow command|
| ------------- | ------------- |
| `core.addPath` | {% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.22" %}Accessible using environment file `GITHUB_PATH`{% else %} `add-path` {% endif %} |
| `core.debug` | `debug` |
| `core.error` | `error` |
| `core.endGroup` | `endgroup` |
| `core.exportVariable` | {% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.22" %}Accessible using environment file `GITHUB_ENV`{% else %} `set-env` {% endif %} |
| `core.getInput` | Accessible using environment variable `INPUT_{NAME}` |
| `core.getState` | Accessible using environment variable `STATE_{NAME}` |
| `core.isDebug` | Accessible using environment variable `RUNNER_DEBUG` |
| `core.saveState` | `save-state` |
| `core.setFailed` | Used as a shortcut for `::error` and `exit 1` |
| `core.setOutput` | `set-output` |
| `core.setSecret` | `add-mask` |
| `core.startGroup` | `group` |
| `core.warning` | `warning file` |
| Toolkit function | Equivalent workflow command |
| ----------------- | ------------- |
| `core.addPath` | {% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.22" %}Accessible using environment file `GITHUB_PATH`{% else %} `add-path` {% endif %} |
| `core.debug` | `debug` |
| `core.error` | `error` |
| `core.endGroup` | `endgroup` |
| `core.exportVariable` | {% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.22" %}Accessible using environment file `GITHUB_ENV`{% else %} `set-env` {% endif %} |
| `core.getInput` | Accessible using environment variable `INPUT_{NAME}` |
| `core.getState` | Accessible using environment variable `STATE_{NAME}` |
| `core.isDebug` | Accessible using environment variable `RUNNER_DEBUG` |
| `core.saveState` | `save-state` |
| `core.setFailed` | Used as a shortcut for `::error` and `exit 1` |
| `core.setOutput` | `set-output` |
| `core.setSecret` | `add-mask` |
| `core.startGroup` | `group` |
| `core.warning` | `warning file` |
{% if currentVersion ver_lt "enterprise-server@2.23" %}
### Setting an environment variable
@@ -160,6 +160,25 @@ Creates an error message and prints the message to the log. You can optionally p
echo "::error file=app.js,line=10,col=15::Something went wrong"
```
### Grouping log lines
```
::group::{title}
::endgroup::
```
Creates an expandable group in the log. To create a group, use the `group` command and specify a `title`. Anything you print to the log between the `group` and `endgroup` commands is nested inside an expandable entry in the log.
#### Example
```bash
echo "::group::My title"
echo "Inside group"
echo "::endgroup::"
```
![Foldable group in workflow run log](/assets/images/actions-log-group.png)
### Masking a value in log
`::add-mask::{value}`
@@ -255,7 +274,8 @@ echo "action_state=yellow" >> $GITHUB_ENV
Running `$action_state` in a future step will now return `yellow`
#### Multline strings
#### Multiline strings
For multiline strings, you may use a delimiter with the following syntax.
```
@@ -264,7 +284,8 @@ For multiline strings, you may use a delimiter with the following syntax.
{delimiter}
```
#### Example
##### Example
In this example, we use `EOF` as a delimiter and set the `JSON_RESPONSE` environment variable to the value of the curl response.
```
steps:

6
content/admin/authentication/configuring-authentication-and-provisioning-for-your-enterprise-using-azure-ad.md
View File

@@ -10,7 +10,7 @@ versions:
### About authentication and user provisioning with Azure AD
Azure Active Directory (Azure AD) is a service from Microsoft that allows you to centrally manage user accounts and access to web applications. For more information, see [What is Azure Active Directory?](https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-whatis) in the Microsoft Docs.
Azure Active Directory (Azure AD) is a service from Microsoft that allows you to centrally manage user accounts and access to web applications. For more information, see [What is Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis) in the Microsoft Docs.
To manage identity and access for {% data variables.product.product_name %}, you can use an Azure AD tenant as a SAML IdP for authentication. You can also configure Azure AD to automatically provision accounts and access with SCIM. This configuration allows you to assign or unassign the {% data variables.product.prodname_ghe_managed %} application for a user account in your Azure AD tenant to automatically create, grant access to, or deactivate a corresponding user account on {% data variables.product.product_name %}.
@@ -18,9 +18,9 @@ For more information about managing identity and access for your enterprise on {
### Prerequisites
To configure authentication and user provisioning for {% data variables.product.product_name %} using Azure AD, you must have an Azure AD account and tenant. For more information, see the [Azure AD website](https://azure.microsoft.com/en-us/free/active-directory) and [Quickstart: Create an Azure Active Directory tenant](https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-create-new-tenant) in the Microsoft Docs.
To configure authentication and user provisioning for {% data variables.product.product_name %} using Azure AD, you must have an Azure AD account and tenant. For more information, see the [Azure AD website](https://azure.microsoft.com/free/active-directory) and [Quickstart: Create an Azure Active Directory tenant](https://docs.microsoft.com/azure/active-directory/develop/quickstart-create-new-tenant) in the Microsoft Docs.
{% data reusables.saml.assert-the-administrator-attribute %} For more information about including the `administrator` attribute in the SAML claim from Azure AD, see [How to: customize claims issued in the SAML token for enterprise applications](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-saml-claims-customization) in the Microsoft Docs.
{% data reusables.saml.assert-the-administrator-attribute %} For more information about including the `administrator` attribute in the SAML claim from Azure AD, see [How to: customize claims issued in the SAML token for enterprise applications](https://docs.microsoft.com/azure/active-directory/develop/active-directory-saml-claims-customization) in the Microsoft Docs.
{% data reusables.saml.create-a-machine-user %}

2
content/admin/authentication/using-saml.md
View File

@@ -29,7 +29,7 @@ Each {% data variables.product.prodname_ghe_server %} username is determined by
The `NameID` element is required even if other attributes are present.
A mapping is created between the `NameID` and the {% data variables.product.prodname_ghe_server %} username, so the `NameID` should be persistent, unique, and not subject to change for the lifecyle of the user.
A mapping is created between the `NameID` and the {% data variables.product.prodname_ghe_server %} username, so the `NameID` should be persistent, unique, and not subject to change for the lifecycle of the user.
{% note %}

20
content/admin/configuration/enabling-alerts-for-vulnerable-dependencies-on-github-enterprise-server.md
View File

@@ -1,11 +1,11 @@
---
title: Enabling alerts for vulnerable dependencies on GitHub Enterprise Server
intro: 'You can connect {% data variables.product.product_location %} to {% data variables.product.prodname_ghe_cloud %} and enable {% if currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot_short %}{% else %}security{% endif %} alerts for vulnerable dependencies in repositories in your instance.'
intro: 'You can connect {% data variables.product.product_location %} to {% data variables.product.prodname_ghe_cloud %} and enable {% if currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot %}{% else %}security{% endif %} alerts for vulnerable dependencies in repositories in your instance.'
redirect_from:
- /enterprise/admin/installation/enabling-security-alerts-for-vulnerable-dependencies-on-github-enterprise-server
- /enterprise/admin/configuration/enabling-security-alerts-for-vulnerable-dependencies-on-github-enterprise-server
- /enterprise/admin/configuration/enabling-alerts-for-vulnerable-dependencies-on-github-enterprise-server
permissions: 'Site administrators for {% data variables.product.prodname_ghe_server %} who are also owners of the connected {% data variables.product.prodname_ghe_cloud %} organization or enterprise account can enable {% if currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot_short %}{% else %}security{% endif %} alerts for vulnerable dependencies on {% data variables.product.prodname_ghe_server %}.'
permissions: 'Site administrators for {% data variables.product.prodname_ghe_server %} who are also owners of the connected {% data variables.product.prodname_ghe_cloud %} organization or enterprise account can enable {% if currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot %}{% else %}security{% endif %} alerts for vulnerable dependencies on {% data variables.product.prodname_ghe_server %}.'
versions:
enterprise-server: '*'
---
@@ -14,11 +14,11 @@ versions:
{% data reusables.repositories.tracks-vulnerabilities %} For more information, see "[About alerts for vulnerable dependencies](/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies)."
You can connect {% data variables.product.product_location %} to {% data variables.product.prodname_dotcom_the_website %}, then sync vulnerability data to your instance and generate {% if currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot_short %}{% else %}security{% endif %} alerts in repositories with a vulnerable dependency.
You can connect {% data variables.product.product_location %} to {% data variables.product.prodname_dotcom_the_website %}, then sync vulnerability data to your instance and generate {% if currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot %}{% else %}security{% endif %} alerts in repositories with a vulnerable dependency.
After connecting {% data variables.product.product_location %} to {% data variables.product.prodname_dotcom_the_website %} and enabling {% if currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot_short %}{% else %}security{% endif %} alerts for vulnerable dependencies, vulnerability data is synced from {% data variables.product.prodname_dotcom_the_website %} to your instance once every hour. You can also choose to manually sync vulnerability data at any time. No code or information about code from {% data variables.product.product_location %} is uploaded to {% data variables.product.prodname_dotcom_the_website %}.
After connecting {% data variables.product.product_location %} to {% data variables.product.prodname_dotcom_the_website %} and enabling {% if currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot %}{% else %}security{% endif %} alerts for vulnerable dependencies, vulnerability data is synced from {% data variables.product.prodname_dotcom_the_website %} to your instance once every hour. You can also choose to manually sync vulnerability data at any time. No code or information about code from {% data variables.product.product_location %} is uploaded to {% data variables.product.prodname_dotcom_the_website %}.
{% if currentVersion ver_gt "enterprise-server@2.21" %}When {% data variables.product.product_location %} receives information about a vulnerability, it will identify repositories in your instance that use the affected version of the dependency and generate {% data variables.product.prodname_dependabot_short %} alerts. You can customize how you receive {% data variables.product.prodname_dependabot_short %} alerts. For more information, see "[Configuring notifications for vulnerable dependencies](/github/managing-security-vulnerabilities/configuring-notifications-for-vulnerable-dependencies/#configuring-notifications-for-github-dependabot-alerts)."
{% if currentVersion ver_gt "enterprise-server@2.21" %}When {% data variables.product.product_location %} receives information about a vulnerability, it will identify repositories in your instance that use the affected version of the dependency and generate {% data variables.product.prodname_dependabot_alerts %}. You can customize how you receive {% data variables.product.prodname_dependabot_alerts %}. For more information, see "[Configuring notifications for vulnerable dependencies](/github/managing-security-vulnerabilities/configuring-notifications-for-vulnerable-dependencies/#configuring-notifications-for-dependabot-alerts)."
{% endif %}
{% if currentVersion == "enterprise-server@2.21" %}When {% data variables.product.product_location %} receives information about a vulnerability, it will identify repositories in your instance that use the affected version of the dependency and generate security alerts. You can customize how you receive security alerts. For more information, see "[Configuring notifications for vulnerable dependencies](/github/managing-security-vulnerabilities/configuring-notifications-for-vulnerable-dependencies/#configuring-notifications-for-security-alerts)."
@@ -28,23 +28,25 @@ After connecting {% data variables.product.product_location %} to {% data variab
{% endif %}
{% if currentVersion ver_gt "enterprise-server@2.21" %}
### Enabling {% data variables.product.prodname_dependabot_short %} alerts for vulnerable dependencies on {% data variables.product.prodname_ghe_server %}
### Enabling {% data variables.product.prodname_dependabot_alerts %} for vulnerable dependencies on {% data variables.product.prodname_ghe_server %}
{% else %}
### Enabling security alerts for vulnerable dependencies on {% data variables.product.prodname_ghe_server %}
{% endif %}
Before enabling {% if currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot_short %}{% else %}security{% endif %} alerts for vulnerable dependencies on {% data variables.product.product_location %}, you must connect {% data variables.product.product_location %} to {% data variables.product.prodname_dotcom_the_website %}. For more information, see "[Connecting {% data variables.product.prodname_ghe_server %} to {% data variables.product.prodname_ghe_cloud %}](/enterprise/{{ currentVersion }}/admin/guides/installation/connecting-github-enterprise-server-to-github-enterprise-cloud)."
Before enabling {% if currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot %}{% else %}security{% endif %} alerts for vulnerable dependencies on {% data variables.product.product_location %}, you must connect {% data variables.product.product_location %} to {% data variables.product.prodname_dotcom_the_website %}. For more information, see "[Connecting {% data variables.product.prodname_ghe_server %} to {% data variables.product.prodname_ghe_cloud %}](/enterprise/{{ currentVersion }}/admin/guides/installation/connecting-github-enterprise-server-to-github-enterprise-cloud)."
{% if currentVersion ver_gt "enterprise-server@2.20" %}
{% if currentVersion ver_gt "enterprise-server@2.21" %}We recommend configuring {% data variables.product.prodname_dependabot_short %} alerts without notifications for the first few days to avoid an overload of emails. After a few days, you can enable notifications to receive {% data variables.product.prodname_dependabot_short %} alerts as usual.{% endif %}
{% if currentVersion ver_gt "enterprise-server@2.21" %}We recommend configuring {% data variables.product.prodname_dependabot_alerts %} without notifications for the first few days to avoid an overload of emails. After a few days, you can enable notifications to receive {% data variables.product.prodname_dependabot_alerts %} as usual.{% endif %}
{% if currentVersion == "enterprise-server@2.21" %}We recommend configuring security alerts without notifications for the first few days to avoid an overload of emails. After a few days, you can enable notifications to receive security alerts as usual.{% endif %}
{% endif %}
{% data reusables.enterprise_site_admin_settings.sign-in %}
1. In the administrative shell, enable the {% if currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot_short %}{% else %}security{% endif %} alerts for vulnerable dependencies on {% data variables.product.product_location %}:
1. In the administrative shell, enable the {% if currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot %}{% else %}security{% endif %} alerts for vulnerable dependencies on {% data variables.product.product_location %}:
``` shell
$ ghe-dep-graph-enable
```

2
content/admin/enterprise-management/upgrading-github-enterprise-server.md
View File

@@ -49,7 +49,7 @@ There are two types of snapshots:
| Platform | Snapshot method | Snapshot documentation URL |
|---|---|---|
| Amazon AWS | Disk | <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-creating-snapshot.html>
| Azure | VM | <https://azure.microsoft.com/en-us/documentation/articles/backup-azure-vms/>
| Azure | VM | <https://docs.microsoft.com/azure/backup/backup-azure-vms-first-look-arm>
| Hyper-V | VM | <https://docs.microsoft.com/windows-server/virtualization/hyper-v/manage/enable-or-disable-checkpoints-in-hyper-v>
| Google Compute Engine | Disk | <https://cloud.google.com/compute/docs/disks/create-snapshots>
| VMware | VM | <https://pubs.vmware.com/vsphere-50/topic/com.vmware.wssdk.pg.doc_50/PG_Ch11_VM_Manage.13.3.html>

2
content/admin/enterprise-support/submitting-a-ticket.md
View File

@@ -58,7 +58,7 @@ After submitting your support request and optional diagnostic information, {% da
{% if currentVersion == "github-ae@latest" %}
### Submitting a ticket using the {% data variables.contact.ae_azure_portal %}
Commercial customers can submit a support request in the {% data variables.contact.contact_ae_portal %}. Government customers should use the [Azure portal for government customers](https://portal.azure.us/#blade/Microsoft_Azure_Support/HelpAndSupportBlade). For more information, see [Create an Azure support request](https://docs.microsoft.com/en-us/azure/azure-portal/supportability/how-to-create-azure-support-request) in the Microsoft documentation.
Commercial customers can submit a support request in the {% data variables.contact.contact_ae_portal %}. Government customers should use the [Azure portal for government customers](https://portal.azure.us/#blade/Microsoft_Azure_Support/HelpAndSupportBlade). For more information, see [Create an Azure support request](https://docs.microsoft.com/azure/azure-portal/supportability/how-to-create-azure-support-request) in the Microsoft documentation.
For urgent issues, to ensure a quick response, after you submit a ticket, please call the support hotline immediately. Your Technical Support Account Manager (TSAM) will provide you with the number to use in your onboarding session.

20
content/admin/installation/installing-github-enterprise-server-on-azure.md
View File

@@ -14,7 +14,7 @@ You can deploy {% data variables.product.prodname_ghe_server %} on global Azure
- {% data reusables.enterprise_installation.software-license %}
- You must have an Azure account capable of provisioning new machines. For more information, see the [Microsoft Azure website](https://azure.microsoft.com).
- Most actions needed to launch your virtual machine (VM) may also be performed using the Azure Portal. However, we recommend installing the Azure command line interface (CLI) for initial setup. Examples using the Azure CLI 2.0 are included below. For more information, see Azure's guide "[Install Azure CLI 2.0](https://docs.microsoft.com/en-us/cli/azure/install-azure-cli?view=azure-cli-latest)."
- Most actions needed to launch your virtual machine (VM) may also be performed using the Azure Portal. However, we recommend installing the Azure command line interface (CLI) for initial setup. Examples using the Azure CLI 2.0 are included below. For more information, see Azure's guide "[Install Azure CLI 2.0](https://docs.microsoft.com/cli/azure/install-azure-cli?view=azure-cli-latest)."
### Hardware considerations
@@ -26,9 +26,9 @@ Before launching {% data variables.product.product_location %} on Azure, you'll
#### Supported VM types and regions
The {% data variables.product.prodname_ghe_server %} appliance requires a premium storage data disk, and is supported on any Azure VM that supports premium storage. For more information, see "[Supported VMs](https://docs.microsoft.com/en-us/azure/storage/common/storage-premium-storage#supported-vms)" in the Azure documentation. For general information about available VMs, see [the Azure virtual machines overview page](http://azure.microsoft.com/en-us/pricing/details/virtual-machines/#Linux).
The {% data variables.product.prodname_ghe_server %} appliance requires a premium storage data disk, and is supported on any Azure VM that supports premium storage. For more information, see "[Supported VMs](https://docs.microsoft.com/azure/storage/common/storage-premium-storage#supported-vms)" in the Azure documentation. For general information about available VMs, see [the Azure virtual machines overview page](https://azure.microsoft.com/pricing/details/virtual-machines/#Linux).
{% data variables.product.prodname_ghe_server %} supports any region that supports your VM type. For more information about the supported regions for each VM, see Azure's "[Products available by region](https://azure.microsoft.com/en-us/regions/services/)."
{% data variables.product.prodname_ghe_server %} supports any region that supports your VM type. For more information about the supported regions for each VM, see Azure's "[Products available by region](https://azure.microsoft.com/regions/services/)."
#### Recommended VM types
@@ -47,20 +47,20 @@ We recommend you use a DS v2 instance type with at least 14 GB of RAM. You can u
{% data reusables.enterprise_installation.create-ghe-instance %}
1. Find the most recent {% data variables.product.prodname_ghe_server %} appliance image. For more information about the `vm image list` command, see "[az vm image list](https://docs.microsoft.com/en-us/cli/azure/vm/image?view=azure-cli-latest#az_vm_image_list)" in the Microsoft documentation.
1. Find the most recent {% data variables.product.prodname_ghe_server %} appliance image. For more information about the `vm image list` command, see "[az vm image list](https://docs.microsoft.com/cli/azure/vm/image?view=azure-cli-latest#az_vm_image_list)" in the Microsoft documentation.
```shell
$ az vm image list --all -f GitHub-Enterprise | grep '"urn":' | sort -V
```
2. Create a new VM using the appliance image you found. For more information, see "[az vm create](https://docs.microsoft.com/en-us/cli/azure/vm?view=azure-cli-latest#az_vm_create)" in the Microsoft documentation.
2. Create a new VM using the appliance image you found. For more information, see "[az vm create](https://docs.microsoft.com/cli/azure/vm?view=azure-cli-latest#az_vm_create)" in the Microsoft documentation.
Pass in options for the name of your VM, the resource group, the size of your VM, the name of your preferred Azure region, the name of the appliance image VM you listed in the previous step, and the storage SKU for premium storage. For more information about resource groups, see "[Resource groups](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-overview#resource-groups)" in the Microsoft documentation.
Pass in options for the name of your VM, the resource group, the size of your VM, the name of your preferred Azure region, the name of the appliance image VM you listed in the previous step, and the storage SKU for premium storage. For more information about resource groups, see "[Resource groups](https://docs.microsoft.com/azure/azure-resource-manager/resource-group-overview#resource-groups)" in the Microsoft documentation.
```shell
$ az vm create -n <em>VM_NAME</em> -g <em>RESOURCE_GROUP</em> --size <em>VM_SIZE</em> -l <em>REGION</em> --image <em>APPLIANCE_IMAGE_NAME</em> --storage-sku Premium_LRS
```
3. Configure the security settings on your VM to open up required ports. For more information, see "[az vm open-port](https://docs.microsoft.com/en-us/cli/azure/vm?view=azure-cli-latest#az_vm_open_port)" in the Microsoft documentation. See the table below for a description of each port to determine what ports you need to open.
3. Configure the security settings on your VM to open up required ports. For more information, see "[az vm open-port](https://docs.microsoft.com/cli/azure/vm?view=azure-cli-latest#az_vm_open_port)" in the Microsoft documentation. See the table below for a description of each port to determine what ports you need to open.
```shell
$ az vm open-port -n <em>VM_NAME</em> -g <em>RESOURCE_GROUP</em> --port <em>PORT_NUMBER</em>
@@ -70,7 +70,7 @@ We recommend you use a DS v2 instance type with at least 14 GB of RAM. You can u
{% data reusables.enterprise_installation.necessary_ports %}
4. Create and attach a new unencrypted data disk to the VM, and configure the size based on your user license count. For more information, see "[az vm disk attach](https://docs.microsoft.com/en-us/cli/azure/vm/disk?view=azure-cli-latest#az_vm_disk_attach)" in the Microsoft documentation.
4. Create and attach a new unencrypted data disk to the VM, and configure the size based on your user license count. For more information, see "[az vm disk attach](https://docs.microsoft.com/cli/azure/vm/disk?view=azure-cli-latest#az_vm_disk_attach)" in the Microsoft documentation.
Pass in options for the name of your VM (for example, `ghe-acme-corp`), the resource group, the premium storage SKU, the size of the disk (for example, `100`), and a name for the resulting VHD.
@@ -86,7 +86,7 @@ We recommend you use a DS v2 instance type with at least 14 GB of RAM. You can u
### Configuring the {% data variables.product.prodname_ghe_server %} virtual machine
1. Before configuring the VM, you must wait for it to enter ReadyRole status. Check the status of the VM with the `vm list` command. For more information, see "[az vm list](https://docs.microsoft.com/en-us/cli/azure/vm?view=azure-cli-latest#az_vm_list)" in the Microsoft documentation.
1. Before configuring the VM, you must wait for it to enter ReadyRole status. Check the status of the VM with the `vm list` command. For more information, see "[az vm list](https://docs.microsoft.com/cli/azure/vm?view=azure-cli-latest#az_vm_list)" in the Microsoft documentation.
```shell
$ az vm list -d -g <em>RESOURCE_GROUP</em> -o table
> Name ResourceGroup PowerState PublicIps Fqdns Location Zones
@@ -96,7 +96,7 @@ We recommend you use a DS v2 instance type with at least 14 GB of RAM. You can u
```
{% note %}
**Note:** Azure does not automatically create a FQDNS entry for the VM. For more information, see Azure's guide on how to "[Create a fully qualified domain name in the Azure portal for a Linux VM](https://docs.microsoft.com/en-us/azure/virtual-machines/linux/portal-create-fqdn)."
**Note:** Azure does not automatically create a FQDNS entry for the VM. For more information, see Azure's guide on how to "[Create a fully qualified domain name in the Azure portal for a Linux VM](https://docs.microsoft.com/azure/virtual-machines/linux/portal-create-fqdn)."
{% endnote %}

12
content/admin/installation/installing-github-enterprise-server-on-hyper-v.md
View File

@@ -12,7 +12,7 @@ versions:
- {% data reusables.enterprise_installation.software-license %}
- You must have Windows Server 2008 through Windows Server 2016, which support Hyper-V.
- Most actions needed to create your virtual machine (VM) may also be performed using the [Hyper-V Manager](https://docs.microsoft.com/en-us/windows-server/virtualization/hyper-v/manage/remotely-manage-hyper-v-hosts). However, we recommend using the Windows PowerShell command-line shell for initial setup. Examples using PowerShell are included below. For more information, see the Microsoft guide "[Getting Started with Windows PowerShell](https://docs.microsoft.com/en-us/powershell/scripting/getting-started/getting-started-with-windows-powershell?view=powershell-5.1)."
- Most actions needed to create your virtual machine (VM) may also be performed using the [Hyper-V Manager](https://docs.microsoft.com/windows-server/virtualization/hyper-v/manage/remotely-manage-hyper-v-hosts). However, we recommend using the Windows PowerShell command-line shell for initial setup. Examples using PowerShell are included below. For more information, see the Microsoft guide "[Getting Started with Windows PowerShell](https://docs.microsoft.com/powershell/scripting/getting-started/getting-started-with-windows-powershell?view=powershell-5.1)."
### Hardware considerations
@@ -30,23 +30,23 @@ versions:
{% data reusables.enterprise_installation.create-ghe-instance %}
1. In PowerShell, create a new Generation 1 virtual machine, configure the size based on your user license count, and attach the {% data variables.product.prodname_ghe_server %} image you downloaded. For more information, see "[New-VM](https://docs.microsoft.com/en-us/powershell/module/hyper-v/new-vm?view=win10-ps)" in the Microsoft documentation.
1. In PowerShell, create a new Generation 1 virtual machine, configure the size based on your user license count, and attach the {% data variables.product.prodname_ghe_server %} image you downloaded. For more information, see "[New-VM](https://docs.microsoft.com/powershell/module/hyper-v/new-vm?view=win10-ps)" in the Microsoft documentation.
```shell
PS C:\> New-VM -Generation 1 -Name <em>VM_NAME</em> -MemoryStartupBytes <em>MEMORY_SIZE</em> -BootDevice VHD -VHDPath <em>PATH_TO_VHD</em>
```
{% data reusables.enterprise_installation.create-attached-storage-volume %} Replace `PATH_TO_DATA_DISK` with the path to the location where you create the disk. For more information, see "[New-VHD](https://docs.microsoft.com/en-us/powershell/module/hyper-v/new-vhd?view=win10-ps)" in the Microsoft documentation.
{% data reusables.enterprise_installation.create-attached-storage-volume %} Replace `PATH_TO_DATA_DISK` with the path to the location where you create the disk. For more information, see "[New-VHD](https://docs.microsoft.com/powershell/module/hyper-v/new-vhd?view=win10-ps)" in the Microsoft documentation.
```shell
PS C:\> New-VHD -Path <em>PATH_TO_DATA_DISK</em> -SizeBytes <em>DISK_SIZE</em>
```
3. Attach the data disk to your instance. For more information, see "[Add-VMHardDiskDrive](https://docs.microsoft.com/en-us/powershell/module/hyper-v/add-vmharddiskdrive?view=win10-ps)" in the Microsoft documentation.
3. Attach the data disk to your instance. For more information, see "[Add-VMHardDiskDrive](https://docs.microsoft.com/powershell/module/hyper-v/add-vmharddiskdrive?view=win10-ps)" in the Microsoft documentation.
```shell
PS C:\> Add-VMHardDiskDrive -VMName <em>VM_NAME</em> -Path <em>PATH_TO_DATA_DISK</em>
```
4. Start the VM. For more information, see "[Start-VM](https://docs.microsoft.com/en-us/powershell/module/hyper-v/start-vm?view=win10-ps)" in the Microsoft documentation.
4. Start the VM. For more information, see "[Start-VM](https://docs.microsoft.com/powershell/module/hyper-v/start-vm?view=win10-ps)" in the Microsoft documentation.
```shell
PS C:\> Start-VM -Name <em>VM_NAME</em>
```
5. Get the IP address of your VM. For more information, see "[Get-VMNetworkAdapter](https://docs.microsoft.com/en-us/powershell/module/hyper-v/get-vmnetworkadapter?view=win10-ps)" in the Microsoft documentation.
5. Get the IP address of your VM. For more information, see "[Get-VMNetworkAdapter](https://docs.microsoft.com/powershell/module/hyper-v/get-vmnetworkadapter?view=win10-ps)" in the Microsoft documentation.
```shell
PS C:\> (Get-VMNetworkAdapter -VMName <em>VM_NAME</em>).IpAddresses
```

2
content/admin/packages/configuring-third-party-storage-for-packages.md
View File

@@ -13,7 +13,7 @@ versions:
{% data variables.product.prodname_registry %} on {% data variables.product.prodname_ghe_server %} uses external blob storage to store your packages. The amount of storage required depends on your usage of {% data variables.product.prodname_registry %}.
At this time, {% data variables.product.prodname_registry %} supports blob storage with Amazon Web Services (AWS) S3. MinIO is also supported, but configuration is not currently implemented in the {% data variables.product.product_name %} interface. You can use MinIO for storage by following the instructions for AWS S3, entering the analagous information for your MinIO configuration.
At this time, {% data variables.product.prodname_registry %} supports blob storage with Amazon Web Services (AWS) S3. MinIO is also supported, but configuration is not currently implemented in the {% data variables.product.product_name %} interface. You can use MinIO for storage by following the instructions for AWS S3, entering the analogous information for your MinIO configuration.
For the best experience, we recommend using a dedicated bucket for {% data variables.product.prodname_registry %}, separate from the bucket you use for {% data variables.product.prodname_actions %} storage.

4
content/admin/user-management/auditing-users-across-your-enterprise.md
View File

@@ -66,9 +66,9 @@ You can only use a {% data variables.product.product_name %} username, not an in
The `org` qualifier limits actions to a specific organization. For example:
* `org:my-org` finds all events that occured for the `my-org` organization.
* `org:my-org` finds all events that occurred for the `my-org` organization.
* `org:my-org action:team` finds all team events performed within the `my-org` organization.
* `-org:my-org` excludes all events that occured for the `my-org` organization.
* `-org:my-org` excludes all events that occurred for the `my-org` organization.
#### Search based on the action performed

5
content/desktop/installing-and-configuring-github-desktop/creating-your-first-repository-using-github-desktop.md
View File

@@ -92,13 +92,8 @@ Now that you've created and published your repository, you're ready to make chan
4. At the bottom of the **Changes** list, enter a commit message. To the right of your profile picture, type a short description of the commit. Since we're changing the _README.md_ file, "Add information about purpose of project" would be a good commit summary. Below the summary, you'll see a "Description" text field where you can type a longer description of the changes in the commit, which is helpful when looking back at the history of a project and understanding why changes were made. Since you're making a basic update of a _README.md_ file, you can skip the description.
![Commit message](/assets/images/help/desktop/getting-started-guide/commit-message.png)
<<<<<<< HEAD
5. Click **Commit to BRANCH NAME**. The commit button shows your current branch so you can be sure to commit to the branch you want.
![Commit to branch](/assets/images/help/desktop/getting-started-guide/click-commit-to-master.png)
=======
5. Click **Commit to master**. The commit button shows your current branch, which in this case is `master`, so that you know which branch you are making a commit to.
![Commit to master](/assets/images/help/desktop/getting-started-guide/click-commit-to-master.png)
>>>>>>> master
6. To push your changes to the remote repository on {% data variables.product.product_name %}, click **Push origin**.
![Push origin](/assets/images/help/desktop/getting-started-guide/push-to-origin.png)
- The **Push origin** button is the same one that you clicked to publish your repository to {% data variables.product.product_name %}. This button changes contextually based on where you are at in the Git workflow. It should now say `Push origin` with a `1` next to it, indicating that there is one commit that has not been pushed up to {% data variables.product.product_name %}.

2
content/developers/apps/creating-ci-tests-with-the-checks-api.md
View File

@@ -836,7 +836,7 @@ Here are a few common problems and some suggested solutions. If you run into any
* **Q:** My app isn't pushing code to GitHub. I don't see the fixes that RuboCop automatically makes!
**A:** Make sure you have **Read & write** permissions for "Repository contents," and that you are cloning the repository with your intallation token. See [Step 2.2. Cloning the repository](#step-22-cloning-the-repository) for details.
**A:** Make sure you have **Read & write** permissions for "Repository contents," and that you are cloning the repository with your installation token. See [Step 2.2. Cloning the repository](#step-22-cloning-the-repository) for details.
* **Q:** I see an error in the `template_server.rb` debug output related to cloning my repository.

2
content/developers/apps/identifying-and-authorizing-users-for-github-apps.md
View File

@@ -662,7 +662,7 @@ While most of your API interaction should occur using your server-to-server inst
* [Create commit signature protection](/v3/repos/branches/#create-commit-signature-protection)
* [Delete commit signature protection](/v3/repos/branches/#delete-commit-signature-protection)
* [Get status checks protection](/v3/repos/branches/#get-status-checks-protection)
* [Update status check potection](/v3/repos/branches/#update-status-check-potection)
* [Update status check protection](/v3/repos/branches/#update-status-check-protection)
* [Remove status check protection](/v3/repos/branches/#remove-status-check-protection)
* [Get all status check contexts](/v3/repos/branches/#get-all-status-check-contexts)
* [Add status check contexts](/v3/repos/branches/#add-status-check-contexts)

2
content/developers/apps/setting-up-your-development-environment-to-create-a-github-app.md
View File

@@ -262,7 +262,7 @@ Before you can use the Octokit.rb library to make API calls, you'll need to init
# Instantiate an Octokit client authenticated as a GitHub App.
# GitHub App authentication requires that you construct a
# JWT (https://jwt.io/introduction/) signed with the app's private key,
# so GitHub can be sure that it came from the app an not altererd by
# so GitHub can be sure that it came from the app an not altered by
# a malicious third party.
def authenticate_app
payload = {

2
content/developers/github-marketplace/rest-endpoints-for-the-github-marketplace-api.md
View File

@@ -1,6 +1,6 @@
---
title: REST endpoints for the GitHub Marketplace API
intro: 'To help manage your app on {% data variables.product.prodname_marketplace %}, use these {% data variables.product.prodname_marketplace %} API endoints.'
intro: 'To help manage your app on {% data variables.product.prodname_marketplace %}, use these {% data variables.product.prodname_marketplace %} API endpoints.'
redirect_from:
- /apps/marketplace/github-marketplace-api-endpoints/
- /apps/marketplace/integrating-with-the-github-marketplace-api/github-marketplace-rest-api-endpoints/

14
content/github/administering-a-repository/about-github-dependabot-version-updates.md → content/github/administering-a-repository/about-dependabot-version-updates.md
View File

@@ -1,8 +1,10 @@
---
title: About GitHub Dependabot version updates
title: About Dependabot version updates
intro: 'You can use {% data variables.product.prodname_dependabot %} to keep the packages you use updated to the latest versions.'
redirect_from:
- /github/administering-a-repository/about-github-dependabot
- /github/administering-a-repository/about-dependabot
- /github/administering-a-repository/about-github-dependabot-version-updates
versions:
free-pro-team: '*'
---
@@ -13,11 +15,11 @@ versions:
{% data variables.product.prodname_dependabot %} takes the effort out of maintaining your dependencies. You can use it to ensure that your repository automatically keeps up with the latest releases of the packages and applications it depends on.
You enable {% data variables.product.prodname_dependabot_version_updates %} by checking a configuration file in to your repository. The configuration file specifies the location of the manifest, or other package definition files, stored in your repository. {% data variables.product.prodname_dependabot_short %} uses this information to check for outdated packages and applications. {% data variables.product.prodname_dependabot_short %} determines if there is a new version of a dependency by looking at the semantic versioning ([semver](https://semver.org/)) of the dependency to decide whether it should update to that version. For certain package managers, {% data variables.product.prodname_dependabot_version_updates %} also supports vendoring. Vendored (or cached) dependencies are dependencies that are checked in to a specific directory in a repository, rather than referenced in a manifest. Vendored dependencies are available at build time even if package servers are unavailable. {% data variables.product.prodname_dependabot_version_updates %} can be configured to check vendored dependencies for new versions and update them if necessary.
You enable {% data variables.product.prodname_dependabot_version_updates %} by checking a configuration file in to your repository. The configuration file specifies the location of the manifest, or other package definition files, stored in your repository. {% data variables.product.prodname_dependabot %} uses this information to check for outdated packages and applications. {% data variables.product.prodname_dependabot %} determines if there is a new version of a dependency by looking at the semantic versioning ([semver](https://semver.org/)) of the dependency to decide whether it should update to that version. For certain package managers, {% data variables.product.prodname_dependabot_version_updates %} also supports vendoring. Vendored (or cached) dependencies are dependencies that are checked in to a specific directory in a repository, rather than referenced in a manifest. Vendored dependencies are available at build time even if package servers are unavailable. {% data variables.product.prodname_dependabot_version_updates %} can be configured to check vendored dependencies for new versions and update them if necessary.
When {% data variables.product.prodname_dependabot_short %} identifies an outdated dependency, it raises a pull request to update the manifest to the latest version of the dependency. For vendored dependencies, {% data variables.product.prodname_dependabot_short %} raises a pull request to directly replace the outdated dependency with the new version. You check that your tests pass, review the changelog and release notes included in the pull request summary, and then merge it. For more information, see "[Enabling and disabling version updates](/github/administering-a-repository/enabling-and-disabling-version-updates)."
When {% data variables.product.prodname_dependabot %} identifies an outdated dependency, it raises a pull request to update the manifest to the latest version of the dependency. For vendored dependencies, {% data variables.product.prodname_dependabot %} raises a pull request to directly replace the outdated dependency with the new version. You check that your tests pass, review the changelog and release notes included in the pull request summary, and then merge it. For more information, see "[Enabling and disabling version updates](/github/administering-a-repository/enabling-and-disabling-version-updates)."
If you enable security updates, {% data variables.product.prodname_dependabot %} also raises pull requests to update vulnerable dependencies. For more information, see "[About {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/about-github-dependabot-security-updates)."
If you enable security updates, {% data variables.product.prodname_dependabot %} also raises pull requests to update vulnerable dependencies. For more information, see "[About {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/about-dependabot-security-updates)."
{% data reusables.dependabot.dependabot-tos %}
@@ -27,7 +29,7 @@ You specify how often to check each ecosystem for new versions in the configurat
{% data reusables.dependabot.initial-updates %}
If you've enabled security updates, you'll sometimes see extra pull requests for security updates. These are triggered by a {% data variables.product.prodname_dependabot_short %} alert for a dependency on your default branch. {% data variables.product.prodname_dependabot %} automatically raises a pull request to update the vulnerable dependency.
If you've enabled security updates, you'll sometimes see extra pull requests for security updates. These are triggered by a {% data variables.product.prodname_dependabot %} alert for a dependency on your default branch. {% data variables.product.prodname_dependabot %} automatically raises a pull request to update the vulnerable dependency.
### Supported repositories and ecosystems

2
content/github/administering-a-repository/about-releases.md
View File

@@ -30,7 +30,7 @@ People with admin permissions to a repository can choose whether {% data variabl
{% endif %}
{% if currentVersion == "free-pro-team@latest" %}
If a release fixes a security vulnerability, you should publish a security advisory in your repository. {% data variables.product.prodname_dotcom %} reviews each published security advisory and may use it to send {% data variables.product.prodname_dependabot_short %} alerts to affected repositories. For more information, see "[About GitHub Security Advisories](/github/managing-security-vulnerabilities/about-github-security-advisories)."
If a release fixes a security vulnerability, you should publish a security advisory in your repository. {% data variables.product.prodname_dotcom %} reviews each published security advisory and may use it to send {% data variables.product.prodname_dependabot_alerts %} to affected repositories. For more information, see "[About GitHub Security Advisories](/github/managing-security-vulnerabilities/about-github-security-advisories)."
You can view the **Dependents** tab of the dependency graph to see which repositories and packages depend on code in your repository, and may therefore be affected by a new release. For more information, see "[About the dependency graph](/github/visualizing-repository-data-with-graphs/about-the-dependency-graph)."
{% endif %}

10
content/github/administering-a-repository/about-securing-your-repository.md
View File

@@ -21,14 +21,14 @@ The first step to securing a repository is to set up who can see and modify your
Privately discuss and fix security vulnerabilities in your repository's code. You can then publish a security advisory to alert your community to the vulnerability and encourage them to upgrade. For more information, see "[About {% data variables.product.prodname_security_advisories %}](/github/managing-security-vulnerabilities/about-github-security-advisories)."
- **{% data variables.product.prodname_dependabot_short %} alerts and security updates**
- **{% data variables.product.prodname_dependabot_alerts %} and security updates**
View alerts about dependencies that are known to contain security vulnerabilities, and choose whether to have pull requests generated automatically to update these dependencies. For more information, see "[About alerts for vulnerable dependencies](/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies)"
and "[About {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/about-github-dependabot-security-updates)."
and "[About {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/about-dependabot-security-updates)."
- **{% data variables.product.prodname_dependabot_short %} version updates**
- **{% data variables.product.prodname_dependabot %} version updates**
Use {% data variables.product.prodname_dependabot %} to automatically raise pull requests to keep your dependencies up-to-date. This helps reduce your exposure to older versions of dependencies. Using newer versions makes it easier to apply patches if security vulnerabilities are discovered, and also makes it easier for {% data variables.product.prodname_dependabot_security_updates %} to successfully raise pull requests to upgrade vulnerable dependencies. For more information, see "[About {% data variables.product.prodname_dependabot_version_updates %}](/github/administering-a-repository/about-github-dependabot-version-updates)."
Use {% data variables.product.prodname_dependabot %} to automatically raise pull requests to keep your dependencies up-to-date. This helps reduce your exposure to older versions of dependencies. Using newer versions makes it easier to apply patches if security vulnerabilities are discovered, and also makes it easier for {% data variables.product.prodname_dependabot_security_updates %} to successfully raise pull requests to upgrade vulnerable dependencies. For more information, see "[About {% data variables.product.prodname_dependabot_version_updates %}](/github/administering-a-repository/about-dependabot-version-updates)."
- **{% data variables.product.prodname_code_scanning_capc %} alerts**
@@ -44,6 +44,6 @@ The first step to securing a repository is to set up who can see and modify your
* Ecosystems and packages that your repository depends on
* Repositories and packages that depend on your repository
You must enable the dependency graph before {% data variables.product.prodname_dotcom %} can generate {% data variables.product.prodname_dependabot_short %} alerts for dependencies with security vulnerabilities.
You must enable the dependency graph before {% data variables.product.prodname_dotcom %} can generate {% data variables.product.prodname_dependabot_alerts %} for dependencies with security vulnerabilities.
You can find the dependency graph on the **Insights** tab for your repository. For more information, see "[About the dependency graph](/github/visualizing-repository-data-with-graphs/about-the-dependency-graph)."

12
content/github/administering-a-repository/configuration-options-for-dependency-updates.md
View File

@@ -12,7 +12,7 @@ versions:
The {% data variables.product.prodname_dependabot %} configuration file, *dependabot.yml*, uses YAML syntax. If you're new to YAML and want to learn more, see "[Learn YAML in five minutes](https://www.codeproject.com/Articles/1214409/Learn-YAML-in-five-minutes)."
You must store this file in the `.github` directory of your repository. When you add or update the *dependabot.yml* file, this triggers an immediate check for version updates. Any options that also affect security updates are used the next time a security alert triggers a pull request with for security update. For more information, see "[Enabling and disabling version updates](/github/administering-a-repository/enabling-and-disabling-version-updates)" and "[Configuring {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/configuring-github-dependabot-security-updates)."
You must store this file in the `.github` directory of your repository. When you add or update the *dependabot.yml* file, this triggers an immediate check for version updates. Any options that also affect security updates are used the next time a security alert triggers a pull request with for security update. For more information, see "[Enabling and disabling version updates](/github/administering-a-repository/enabling-and-disabling-version-updates)" and "[Configuring {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/configuring-dependabot-security-updates)."
### Configuration options for *dependabot.yml*
@@ -56,13 +56,13 @@ In addition, the [`open-pull-requests-limit`](#open-pull-requests-limit) option
Security updates are raised for vulnerable package manifests only on the default branch. When configuration options are set for the same branch (true unless you use `target-branch`), and specify a `package-ecosystem` and `directory` for the vulnerable manifest, then pull requests for security updates use relevant options.
In general, security updates use any configuration options that affect pull requests, for example, adding metadata or changing their behavior. For more information about security updates, see "[Configuring {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/configuring-github-dependabot-security-updates)."
In general, security updates use any configuration options that affect pull requests, for example, adding metadata or changing their behavior. For more information about security updates, see "[Configuring {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/configuring-dependabot-security-updates)."
{% endnote %}
### `package-ecosystem`
**Required** You add one `package-ecosystem` element for each package manager that you want {% data variables.product.prodname_dependabot_short %} to monitor for new versions. The repository must also contain a dependency manifest or lock file for each of these package managers. If you want to enable vendoring for a package manager that supports it, the vendored dependencies must be located in the required directory. For more information, see [`vendor`](#vendor) below.
**Required** You add one `package-ecosystem` element for each package manager that you want {% data variables.product.prodname_dependabot %} to monitor for new versions. The repository must also contain a dependency manifest or lock file for each of these package managers. If you want to enable vendoring for a package manager that supports it, the vendored dependencies must be located in the required directory. For more information, see [`vendor`](#vendor) below.
{% data reusables.dependabot.supported-package-managers %}
@@ -308,7 +308,7 @@ updates:
{% note %}
**Note**: {% data variables.product.prodname_dependabot_version_updates %} can't run version updates for any dependencies in manifests containing private git dependencies or private git registries, even if you add the private dependencies to the `ignore` option of your configuration file. For more information, see "[About {% data variables.product.prodname_dependabot_version_updates %}](/github/administering-a-repository/about-github-dependabot#supported-repositories-and-ecosystems)."
**Note**: {% data variables.product.prodname_dependabot_version_updates %} can't run version updates for any dependencies in manifests containing private git dependencies or private git registries, even if you add the private dependencies to the `ignore` option of your configuration file. For more information, see "[About {% data variables.product.prodname_dependabot_version_updates %}](/github/administering-a-repository/about-dependabot#supported-repositories-and-ecosystems)."
{% endnote %}
@@ -544,7 +544,7 @@ updates:
### `vendor`
Use the `vendor` option to tell {% data variables.product.prodname_dependabot_short %} to vendor dependencies when updating them.
Use the `vendor` option to tell {% data variables.product.prodname_dependabot %} to vendor dependencies when updating them.
```yaml
# Configure version updates for both dependencies defined in manifests and vendored dependencies
@@ -559,7 +559,7 @@ updates:
interval: "weekly"
```
{% data variables.product.prodname_dependabot_short %} only updates the vendored dependencies located in specific directories in a repository.
{% data variables.product.prodname_dependabot %} only updates the vendored dependencies located in specific directories in a repository.
| Package manager | Required file path for vendored dependencies | More information |
|------------------|-------------------------------|--------|

2
content/github/administering-a-repository/customizing-dependency-updates.md
View File

@@ -20,7 +20,7 @@ After you've enabled version updates, you can customize how {% data variables.pr
For more information about the configuration options, see "[Configuration options for dependency updates](/github/administering-a-repository/configuration-options-for-dependency-updates)."
When you update the *dependabot.yml* file in your repository, {% data variables.product.prodname_dependabot %} runs an immediate check with the new configuration. Within minutes you will see an updated list of dependencies on the **{% data variables.product.prodname_dependabot_short %}** tab, this may take longer if the repository has many dependencies. You may also see new pull requests for version updates. For more information, see "[Listing dependencies configured for version updates](/github/administering-a-repository/listing-dependencies-configured-for-version-updates)."
When you update the *dependabot.yml* file in your repository, {% data variables.product.prodname_dependabot %} runs an immediate check with the new configuration. Within minutes you will see an updated list of dependencies on the **{% data variables.product.prodname_dependabot %}** tab, this may take longer if the repository has many dependencies. You may also see new pull requests for version updates. For more information, see "[Listing dependencies configured for version updates](/github/administering-a-repository/listing-dependencies-configured-for-version-updates)."
### Impact of configuration changes on security updates

4
content/github/administering-a-repository/enabling-and-disabling-version-updates.md
View File

@@ -10,7 +10,7 @@ versions:
### About version updates for dependencies
You enable {% data variables.product.prodname_dependabot_version_updates %} by checking a *dependabot.yml* configuration file in to your repository's `.github` directory. {% data variables.product.prodname_dependabot_short %} then raises pull requests to keep the dependencies you configure up-to-date. For each package manager's dependencies that you want to update, you must specify the location of the package manifest files and how often to check for updates to the dependencies listed in those files. For information about enabling security updates, see "[Configuring {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/configuring-github-dependabot-security-updates)."
You enable {% data variables.product.prodname_dependabot_version_updates %} by checking a *dependabot.yml* configuration file in to your repository's `.github` directory. {% data variables.product.prodname_dependabot %} then raises pull requests to keep the dependencies you configure up-to-date. For each package manager's dependencies that you want to update, you must specify the location of the package manifest files and how often to check for updates to the dependencies listed in those files. For information about enabling security updates, see "[Configuring {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/configuring-dependabot-security-updates)."
{% data reusables.dependabot.initial-updates %} For more information, see "[Customizing dependency updates](/github/administering-a-repository/customizing-dependency-updates)."
@@ -72,7 +72,7 @@ On a fork, you also need to explicitly enable {% data variables.product.prodname
### Checking the status of version updates
After you enable version updates, you'll see a new **Dependabot** tab in the dependency graph for the repository. This tab shows which package managers {% data variables.product.prodname_dependabot %} is configured to monitor and when {% data variables.product.prodname_dependabot_short %} last checked for new versions.
After you enable version updates, you'll see a new **Dependabot** tab in the dependency graph for the repository. This tab shows which package managers {% data variables.product.prodname_dependabot %} is configured to monitor and when {% data variables.product.prodname_dependabot %} last checked for new versions.
![Repository Insights tab, Dependency graph, Dependabot tab](/assets/images/help/dependabot/dependabot-tab-view-beta.png)

4
content/github/administering-a-repository/index.md
View File

@@ -91,11 +91,11 @@ versions:
<!-- endif -->
<!-- if currentVersion == "free-pro-team@latest" -->
{% topic_link_in_list /keeping-your-dependencies-updated-automatically %}
{% link_in_list /about-github-dependabot-version-updates %}
{% link_in_list /about-dependabot-version-updates %}
{% link_in_list /enabling-and-disabling-version-updates %}
{% link_in_list /listing-dependencies-configured-for-version-updates %}
{% link_in_list /managing-pull-requests-for-dependency-updates %}
{% link_in_list /customizing-dependency-updates %}
{% link_in_list /configuration-options-for-dependency-updates %}
{% link_in_list /keeping-your-actions-up-to-date-with-github-dependabot %}
{% link_in_list /keeping-your-actions-up-to-date-with-dependabot %}
<!-- endif -->

8
content/github/administering-a-repository/keeping-your-actions-up-to-date-with-github-dependabot.md → content/github/administering-a-repository/keeping-your-actions-up-to-date-with-dependabot.md
View File

@@ -1,6 +1,8 @@
---
title: Keeping your actions up to date with GitHub Dependabot
title: Keeping your actions up to date with Dependabot
intro: 'You can use {% data variables.product.prodname_dependabot %} to keep the actions you use updated to the latest versions.'
redirect_from:
- /github/administering-a-repository/keeping-your-actions-up-to-date-with-github-dependabot
versions:
free-pro-team: '*'
---
@@ -9,7 +11,7 @@ versions:
### About {% data variables.product.prodname_dependabot_version_updates %} for actions
Actions are often updated with bug fixes and new features to make automated processes more reliable, faster, and safer. When you enable {% data variables.product.prodname_dependabot_version_updates %} for {% data variables.product.prodname_actions %}, {% data variables.product.prodname_dependabot %} will help ensure that references to actions in a repository's *workflow.yml* file are kept up to date. For each action in the file, {% data variables.product.prodname_dependabot_short %} checks the action's reference (typically a version number or commit identifier associated with the action) against the latest version. If a more recent version of the action is available, {% data variables.product.prodname_dependabot_short %} will send you a pull request that updates the reference in the workflow file to the latest version. For more information about {% data variables.product.prodname_dependabot_version_updates %}, see "[About {% data variables.product.prodname_dependabot_version_updates %}](/github/administering-a-repository/about-github-dependabot-version-updates)." For more information about configuring workflows for {% data variables.product.prodname_actions %}, see "[Learn {% data variables.product.prodname_actions %}](/actions/learn-github-actions)."
Actions are often updated with bug fixes and new features to make automated processes more reliable, faster, and safer. When you enable {% data variables.product.prodname_dependabot_version_updates %} for {% data variables.product.prodname_actions %}, {% data variables.product.prodname_dependabot %} will help ensure that references to actions in a repository's *workflow.yml* file are kept up to date. For each action in the file, {% data variables.product.prodname_dependabot %} checks the action's reference (typically a version number or commit identifier associated with the action) against the latest version. If a more recent version of the action is available, {% data variables.product.prodname_dependabot %} will send you a pull request that updates the reference in the workflow file to the latest version. For more information about {% data variables.product.prodname_dependabot_version_updates %}, see "[About {% data variables.product.prodname_dependabot_version_updates %}](/github/administering-a-repository/about-dependabot-version-updates)." For more information about configuring workflows for {% data variables.product.prodname_actions %}, see "[Learn {% data variables.product.prodname_actions %}](/actions/learn-github-actions)."
### Enabling {% data variables.product.prodname_dependabot_version_updates %} for actions
@@ -23,7 +25,7 @@ You can also enable {% data variables.product.prodname_dependabot_version_update
#### Example *dependabot.yml* file for {% data variables.product.prodname_actions %}
The example *dependabot.yml* file below configures version updates for {% data variables.product.prodname_actions %}. The `directory` must be set to `"/"` to check for workflow files in `.github/workflows`. The `schedule.interval` is set to `"daily"`. After this file has been checked in or updated, {% data variables.product.prodname_dependabot %} checks for new versions of your actions. {% data variables.product.prodname_dependabot_short %} will raise pull requests for version updates for any outdated actions that it finds. After the initial version updates, {% data variables.product.prodname_dependabot_short %} will continue to check for outdated versions of actions once a day.
The example *dependabot.yml* file below configures version updates for {% data variables.product.prodname_actions %}. The `directory` must be set to `"/"` to check for workflow files in `.github/workflows`. The `schedule.interval` is set to `"daily"`. After this file has been checked in or updated, {% data variables.product.prodname_dependabot %} checks for new versions of your actions. {% data variables.product.prodname_dependabot %} will raise pull requests for version updates for any outdated actions that it finds. After the initial version updates, {% data variables.product.prodname_dependabot %} will continue to check for outdated versions of actions once a day.
```yaml
# Set update schedule for GitHub Actions

4
content/github/administering-a-repository/listing-dependencies-configured-for-version-updates.md
View File

@@ -9,7 +9,7 @@ versions:
### Viewing dependencies monitored by {% data variables.product.prodname_dependabot %}
After you've enabled version updates, you can confirm that your configuration is correct using the **{% data variables.product.prodname_dependabot_short %}** tab in the dependency graph for the repository. For more information, see "[Enabling and disabling version updates](/github/administering-a-repository/enabling-and-disabling-version-updates)."
After you've enabled version updates, you can confirm that your configuration is correct using the **{% data variables.product.prodname_dependabot %}** tab in the dependency graph for the repository. For more information, see "[Enabling and disabling version updates](/github/administering-a-repository/enabling-and-disabling-version-updates)."
{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.accessing-repository-graphs %}
@@ -22,7 +22,7 @@ If any dependencies are missing, check the log files for errors. If any package
### Viewing {% data variables.product.prodname_dependabot %} log files
1. On the **{% data variables.product.prodname_dependabot_short %}** tab, click **Last checked *TIME* ago** to see the log file that {% data variables.product.prodname_dependabot %} generated during the last check for version updates.
1. On the **{% data variables.product.prodname_dependabot %}** tab, click **Last checked *TIME* ago** to see the log file that {% data variables.product.prodname_dependabot %} generated during the last check for version updates.
![View log file](/assets/images/help/dependabot/last-checked-link.png)
2. Optionally, to rerun the version check, click **Check for updates**.
![Check for updates](/assets/images/help/dependabot/check-for-updates.png)

2
content/github/administering-a-repository/managing-pull-requests-for-dependency-updates.md
View File

@@ -11,7 +11,7 @@ versions:
{% data reusables.dependabot.pull-request-introduction %}
When {% data variables.product.prodname_dependabot %} raises a pull request, you're notified by your chosen method for the repository. Each pull request contains detailed information about the proposed change, taken from the package manager. These pull requests follow the normal checks and tests defined in your repository. In addition, where enough information is available, you'll see a compatibility score. This may also help you decide whether or not to merge the change. For information about this score, see "[About {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/about-github-dependabot-security-updates)."
When {% data variables.product.prodname_dependabot %} raises a pull request, you're notified by your chosen method for the repository. Each pull request contains detailed information about the proposed change, taken from the package manager. These pull requests follow the normal checks and tests defined in your repository. In addition, where enough information is available, you'll see a compatibility score. This may also help you decide whether or not to merge the change. For information about this score, see "[About {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/about-dependabot-security-updates)."
If you have many dependencies to manage, you may want to customize the configuration for each package manager so that pull requests have specific reviewers, assignees, and labels. For more information, see "[Customizing dependency updates](/github/administering-a-repository/customizing-dependency-updates)."

4
content/github/authenticating-to-github/connecting-with-third-party-applications.md
View File

@@ -55,10 +55,10 @@ There are several types of data that applications can request.
| Type of data | Description |
| --- | --- |
| Commit status | You can grant access for a third-party application to report your commit status. Commit status access allows applications to determine if a build is a successful against a specific commit. Applications won't have access to your code, but they <em>can</em> read and write status information against a specific commit. |
| Deployments | Deployment status access allows applicationss to determine if a deployment is successful against a specific commit for public and private repositories. Applicationss won't have access to your code. |
| Deployments | Deployment status access allows applications to determine if a deployment is successful against a specific commit for public and private repositories. Applications won't have access to your code. |
| Gists | [Gist](https://gist.github.com) access allows applications to read or write to both your public and secret Gists. |
| Hooks | [Webhooks](/webhooks) access allows applications to read or write hook configurations on repositories you manage. |
| Notifications | Notification access allows applicationss to read your {% data variables.product.product_name %} notifications, such as comments on issues and pull requests. However, applications remain unable to access anything in your repositories. |
| Notifications | Notification access allows applications to read your {% data variables.product.product_name %} notifications, such as comments on issues and pull requests. However, applications remain unable to access anything in your repositories. |
| Organizations and teams | Organization and teams access allows apps to access and manage organization and team membership. |
| Personal user data | User data includes information found in your user profile, like your name, e-mail address, and location. |
| Repositories | Repository information includes the names of contributors, the branches you've created, and the actual files within your repository. Applications can request access for either public or private repositories on a user-wide level. |

1
content/github/building-a-strong-community/blocking-a-user-from-your-personal-account.md
View File

@@ -20,6 +20,7 @@ You can block a user in your account settings or from the user's profile. {% dat
When you block a user:
- The user stops following you
- The user stops watching and unpins your repositories
- The user is not able to join any organizations you are an owner of
- The user's stars and issue assignments are removed from your repositories
- The user's forks of your repositories are deleted
- You delete any forks of the user's repositories

1
content/github/building-a-strong-community/index.md
View File

@@ -37,6 +37,7 @@ versions:
{% link_in_list /managing-disruptive-comments %}
{% link_in_list /locking-conversations %}
{% link_in_list /limiting-interactions-in-your-repository %}
{% link_in_list /limiting-interactions-for-your-user-account %}
{% link_in_list /limiting-interactions-in-your-organization %}
{% link_in_list /tracking-changes-in-a-comment %}
{% link_in_list /managing-how-contributors-report-abuse-in-your-organizations-repository %}

27
content/github/building-a-strong-community/limiting-interactions-for-your-user-account.md Normal file
View File

@@ -0,0 +1,27 @@
---
title: Limiting interactions for your user account
intro: 'You can temporarily enforce a period of limited activity for certain users in all public repositories owned by your user account.'
versions:
free-pro-team: '*'
permissions: Anyone can limit interactions for their own user account.
---
### About temporary interaction limits
Limiting interactions for your user account enables temporary interaction limits for all public repositories owned by your user account. {% data reusables.community.interaction-limits-restrictions %}
{% data reusables.community.interaction-limits-duration %} After the duration of your limit passes, users can resume normal activity in your public repositories.
{% data reusables.community.types-of-interaction-limits %}
When you enable user-wide activity limitations, you can't enable or disable interaction limits on individual repositories. For more information on limiting activity for an individual repository, see "[Limiting interactions in your repository](/articles/limiting-interactions-in-your-repository)."
You can also block users. For more information, see "[Blocking a user from your personal account](/github/building-a-strong-community/blocking-a-user-from-your-personal-account)."
### Limiting interactions for your user account
{% data reusables.user_settings.access_settings %}
1. In your user settings sidebar, under "Moderation settings", click **Interaction limits**.
!["Interaction limits" tab in the user settings sidebar](/assets/images/help/settings/settings-sidebar-interaction-limits.png)
{% data reusables.community.set-interaction-limit %}
![Temporary interaction limit options](/assets/images/help/settings/user-account-temporary-interaction-limits-options.png)

30
content/github/building-a-strong-community/limiting-interactions-in-your-organization.md
View File

@@ -1,31 +1,39 @@
---
title: Limiting interactions in your organization
intro: 'Organization owners can temporarily restrict certain users from commenting, opening issues, or creating pull requests in the organization''s public repositories to enforce a period of limited activity.'
intro: 'You can temporarily enforce a period of limited activity for certain users in all public repositories owned by your organization.'
redirect_from:
- /github/setting-up-and-managing-organizations-and-teams/limiting-interactions-in-your-organization
- /articles/limiting-interactions-in-your-organization
versions:
free-pro-team: '*'
permissions: Organization owners can limit interactions in an organization.
---
After 24 hours, users can resume normal activity in your organization's public repositories. When you enable organization-wide activity limitations, you can't enable or disable interaction limits on individual repositories. For more information on per-repository activity limitation, see "[Limiting interactions in your repository](/articles/limiting-interactions-in-your-repository)."
### About temporary interaction limits
{% tip %}
Limiting interactions in your organization enables temporary interaction limits for all public repositories owned by the organization. {% data reusables.community.interaction-limits-restrictions %}
**Tip:** Organization owners can also block users for a specific amount of time. After the block expires, the user is automatically unblocked. For more information, see "[Blocking a user from your organization](/articles/blocking-a-user-from-your-organization)."
{% data reusables.community.interaction-limits-duration %} After the duration of your limit passes, users can resume normal activity in your organization's public repositories.
{% endtip %}
{% data reusables.community.types-of-interaction-limits %}
Members of the organization are not affected by any of the limit types.
When you enable organization-wide activity limitations, you can't enable or disable interaction limits on individual repositories. For more information on limiting activity for an individual repository, see "[Limiting interactions in your repository](/articles/limiting-interactions-in-your-repository)."
Organization owners can also block users for a specific amount of time. After the block expires, the user is automatically unblocked. For more information, see "[Blocking a user from your organization](/articles/blocking-a-user-from-your-organization)."
### Limiting interactions in your organization
{% data reusables.profile.access_profile %}
{% data reusables.profile.access_org %}
{% data reusables.organizations.org_settings %}
4. In your organization's Settings sidebar, click **Interaction limits**.
![Interaction limits in organization settings ](/assets/images/help/organizations/org-settings-interaction-limits.png)
5. Under "Temporary interaction limits", click one or more options.
1. In the organization settings sidebar, click **Moderation settings**.
!["Moderation settings" in the organization settings sidebar](/assets/images/help/organizations/org-settings-moderation-settings.png)
1. Under "Moderation settings", click **Interaction limits**.
!["Interaction limits" in the organization settings sidebar](/assets/images/help/organizations/org-settings-interaction-limits.png)
{% data reusables.community.set-interaction-limit %}
![Temporary interaction limit options](/assets/images/help/organizations/organization-temporary-interaction-limits-options.png)
- **Limit to existing users**: Limits activity for organization users with accounts that are less than 24 hours old who do not have prior contributions and are not collaborators.
- **Limit to prior contributors**: Limits activity for organization users who have not previously contributed and are not collaborators.
- **Limit to repository collaborators**: Limits activity for organization users who do not have write access or are not collaborators.
### Further reading
- "[Reporting abuse or spam](/articles/reporting-abuse-or-spam)"

26
content/github/building-a-strong-community/limiting-interactions-in-your-repository.md
View File

@@ -1,30 +1,34 @@
---
title: Limiting interactions in your repository
intro: 'People with owner or admin access can temporarily restrict certain users from commenting, opening issues, or creating pull requests in your public repository to enforce a period of limited activity.'
intro: 'You can temporarily enforce a period of limited activity for certain users on a public repository.'
redirect_from:
- /articles/limiting-interactions-with-your-repository/
- /articles/limiting-interactions-in-your-repository
versions:
free-pro-team: '*'
permissions: People with admin permissions to a repository can temporarily limit interactions in that repository.
---
After 24 hours, users can resume normal activity in your repository.
### About temporary interaction limits
{% tip %}
{% data reusables.community.interaction-limits-restrictions %}
**Tip:** Organization owners can enable organization-wide activity limitations. If organization-wide activity limitations are enabled, you can't limit activity for individual repositories. For more information, see "[Limiting interactions in your organization](/articles/limiting-interactions-in-your-organization)."
{% data reusables.community.interaction-limits-duration %} After the duration of your limit passes, users can resume normal activity in your repository.
{% endtip %}
{% data reusables.community.types-of-interaction-limits %}
You can also enable activity limitations on all repositories owned by your user account or an organization. If a user-wide or organization-wide limit is enabled, you can't limit activity for individual repositories owned by the account. For more information, see "[Limiting interactions for your user account](/github/building-a-strong-community/limiting-interactions-for-your-user-account)" and "[Limiting interactions in your organization](/github/building-a-strong-community/limiting-interactions-in-your-organization)."
### Limiting interactions in your repository
{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.sidebar-settings %}
3. In your repository's Settings sidebar, click **Interaction limits**.
![Interaction limits in repository settings ](/assets/images/help/repository/repo-settings-interaction-limits.png)
4. Under "Temporary interaction limits", click one or more options:
1. In the left sidebar, click **Moderation settings**.
!["Moderation settings" in repository settings sidebar](/assets/images/help/repository/repo-settings-moderation-settings.png)
1. Under "Moderation settings", click **Interaction limits**.
![Interaction limits in repository settings ](/assets/images/help/repository/repo-settings-interaction-limits.png)
{% data reusables.community.set-interaction-limit %}
![Temporary interaction limit options](/assets/images/help/repository/temporary-interaction-limits-options.png)
- **Limit to existing users**: Limits activity for users with accounts that are less than 24 hours old who do not have prior contributions and are not collaborators.
- **Limit to prior contributors**: Limits activity for users who have not previously contributed and are not collaborators.
- **Limit to repository collaborators**: Limits activity for users who do not have write access or are not collaborators.
### Further reading
- "[Reporting abuse or spam](/articles/reporting-abuse-or-spam)"

4
content/github/collaborating-with-issues-and-pull-requests/about-pull-request-reviews.md
View File

@@ -38,6 +38,10 @@ You can view all of the reviews a pull request has received in the Conversation
{% data reusables.pull_requests.resolving-conversations %}
### Re-requesting a review
{% data reusables.pull_requests.re-request-review %}
### Required reviews
{% data reusables.pull_requests.required-reviews-for-prs-summary %}

4
content/github/collaborating-with-issues-and-pull-requests/incorporating-feedback-in-your-pull-request.md
View File

@@ -29,6 +29,10 @@ Each person who suggested a change included in the commit will be a co-author of
5. Click **Commit changes.**
![Commit changes button](/assets/images/help/pull_requests/commit-changes-button.png)
### Re-requesting a review
{% data reusables.pull_requests.re-request-review %}
### Opening an issue for an out-of-scope suggestion
If someone suggests changes to your pull request and the changes are out of the pull request's scope, you can open a new issue to track the feedback. For more information, see "[Opening an issue from a comment](/github/managing-your-work-on-github/opening-an-issue-from-a-comment)."

5
content/github/developing-online-with-codespaces/configuring-codespaces-for-your-project.md
View File

@@ -61,7 +61,6 @@ You can use configuration keys supported by {% data variables.product.prodname_c
- `settings`
- `extensions`
- `forwardPorts`
- `devPort`
- `postCreateCommand`
#### Docker, Dockerfile, or image settings
@@ -73,13 +72,9 @@ You can use configuration keys supported by {% data variables.product.prodname_c
- `remoteEnv`
- `containerUser`
- `remoteUser`
- `updateRemoteUserUID`
- `mounts`
- `workspaceMount`
- `workspaceFolder`
- `runArgs`
- `overrideCommand`
- `shutdownAction`
- `dockerComposeFile`
For more information about the available settings for `devcontainer.json`, see [devcontainer.json reference](https://aka.ms/vscode-remote/devcontainer.json) in the {% data variables.product.prodname_vscode %} documentation.

2
content/github/developing-online-with-codespaces/personalizing-codespaces-for-your-account.md
View File

@@ -32,7 +32,7 @@ If none of these files are found, then any files or folders in `dotfiles` starti
Any changes to your `dotfiles` repository will apply only to each new codespace, and do not affect any existing codespace.
For more information, see [Personalizing](https://docs.microsoft.com/en-us/visualstudio/online/reference/personalizing) in the {% data variables.product.prodname_vscode %} documentation.
For more information, see [Personalizing](https://docs.microsoft.com/visualstudio/online/reference/personalizing) in the {% data variables.product.prodname_vscode %} documentation.
{% note %}

8
content/github/getting-started-with-github/finding-ways-to-contribute-to-open-source-on-github.md
View File

@@ -32,14 +32,14 @@ Some open-source projects provide mirrors on {% data variables.product.prodname_
Here are a few prominent repositories that are mirrored on {% data variables.product.prodname_dotcom_the_website %}:
- [android](https://github.com/android)
- [Android Open Source Project](https://github.com/aosp-mirror)
- [The Apache Software Foundation](https://github.com/apache)
- [The Chromium Project](https://github.com/chromium)
- [The Eclipse Foundation](https://github.com/eclipse)
- [Eclipse Foundation](https://github.com/eclipse)
- [The FreeBSD Project](https://github.com/freebsd)
- [The Glasgow Haskell Compiler](https://github.com/ghc)
- [Glasgow Haskell Compiler](https://github.com/ghc)
- [GNOME](https://github.com/GNOME)
- [The Linux kernel source tree](https://github.com/torvalds/linux)
- [Linux kernel source tree](https://github.com/torvalds/linux)
- [Qt](https://github.com/qt)
To set up your own mirror, you can configure [a post-receive hook](https://git-scm.com/book/en/Customizing-Git-Git-Hooks) on your official project repository to automatically push commits to a mirror repository on {% data variables.product.product_name %}.

2
content/github/getting-started-with-github/setting-up-a-trial-of-github-enterprise-server.md
View File

@@ -13,7 +13,7 @@ versions:
You can request a 45-day trial to evaluate {% data variables.product.prodname_ghe_server %}. Your trial will be installed as a virtual appliance, with options for on-premises or cloud deployment. For a list of supported visualization platforms, see "[Setting up a GitHub Enterprise Server instance](/enterprise/admin/installation/setting-up-a-github-enterprise-server-instance)."
{% if currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot_short %}{% else %}Security{% endif %} alerts and {% data variables.product.prodname_github_connect %} are not currently available in trials of {% data variables.product.prodname_ghe_server %}. For a demonstration of these features, contact {% data variables.contact.contact_enterprise_sales %}. For more information about these features, see "[About alerts for vulnerable dependencies](/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies)" and "[Connecting {% data variables.product.prodname_ghe_server %} to {% data variables.product.prodname_dotcom_the_website %}](/enterprise/admin/installation/connecting-github-enterprise-server-to-github-enterprise-cloud)."
{% if currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot %}{% else %}Security{% endif %} alerts and {% data variables.product.prodname_github_connect %} are not currently available in trials of {% data variables.product.prodname_ghe_server %}. For a demonstration of these features, contact {% data variables.contact.contact_enterprise_sales %}. For more information about these features, see "[About alerts for vulnerable dependencies](/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies)" and "[Connecting {% data variables.product.prodname_ghe_server %} to {% data variables.product.prodname_dotcom_the_website %}](/enterprise/admin/installation/connecting-github-enterprise-server-to-github-enterprise-cloud)."
Trials are also available for {% data variables.product.prodname_ghe_cloud %}. For more information, see "[Setting up a trial of {% data variables.product.prodname_ghe_cloud %}](/articles/setting-up-a-trial-of-github-enterprise-cloud)."

8
content/github/managing-large-files/removing-files-from-a-repositorys-history.md
View File

@@ -16,10 +16,6 @@ versions:
{% endwarning %}
### Removing a file that was added in an earlier commit
If you added a file in an earlier commit, you need to remove it from the repository's history. To remove files from the repository's history, you can use the BFG Repo-Cleaner or the `git filter-branch` command. For more information see "[Removing sensitive data from a repository](/github/authenticating-to-github/removing-sensitive-data-from-a-repository)."
### Removing a file added in the most recent unpushed commit
If the file was added with your most recent commit, and you have not pushed to {% data variables.product.product_location %}, you can delete the file and amend the commit:
@@ -43,3 +39,7 @@ If the file was added with your most recent commit, and you have not pushed to {
$ git push
# Push our rewritten, smaller commit
```
### Removing a file that was added in an earlier commit
If you added a file in an earlier commit, you need to remove it from the repository's history. To remove files from the repository's history, you can use the BFG Repo-Cleaner or the `git filter-branch` command. For more information see "[Removing sensitive data from a repository](/github/authenticating-to-github/removing-sensitive-data-from-a-repository)."

12
content/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies.md
View File

@@ -17,7 +17,7 @@ When your code depends on a package that has a security vulnerability, this vuln
### Detection of vulnerable dependencies
{% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot %} detects vulnerable dependencies and sends {% data variables.product.prodname_dependabot_short %} alerts{% else %}{% data variables.product.product_name %} detects vulnerable dependencies and sends security alerts{% endif %} when:
{% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot %} detects vulnerable dependencies and sends {% data variables.product.prodname_dependabot_alerts %}{% else %}{% data variables.product.product_name %} detects vulnerable dependencies and sends security alerts{% endif %} when:
{% if currentVersion == "free-pro-team@latest" %}
- A new vulnerability is added to the {% data variables.product.prodname_advisory_database %}. For more information, see "[Browsing security vulnerabilities in the {% data variables.product.prodname_advisory_database %}](/github/managing-security-vulnerabilities/browsing-security-vulnerabilities-in-the-github-advisory-database)."
@@ -49,11 +49,11 @@ You can also enable or disable {% data variables.product.prodname_dependabot_ale
{% endif %}
{% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.21" %}
When {% data variables.product.product_name %} identifies a vulnerable dependency, we generate a {% data variables.product.prodname_dependabot_short %} alert and display it on the Security tab for the repository. The alert includes a link to the affected file in the project, and information about a fixed version. {% data variables.product.product_name %} also notifies the maintainers of affected repositories about the new alert according to their notification preferences. For more information, see "[Configuring notifications for vulnerable dependencies](/github/managing-security-vulnerabilities/configuring-notifications-for-vulnerable-dependencies)."
When {% data variables.product.product_name %} identifies a vulnerable dependency, we generate a {% data variables.product.prodname_dependabot %} alert and display it on the Security tab for the repository. The alert includes a link to the affected file in the project, and information about a fixed version. {% data variables.product.product_name %} also notifies the maintainers of affected repositories about the new alert according to their notification preferences. For more information, see "[Configuring notifications for vulnerable dependencies](/github/managing-security-vulnerabilities/configuring-notifications-for-vulnerable-dependencies)."
{% endif %}
{% if currentVersion == "free-pro-team@latest" %}
For repositories where {% data variables.product.prodname_dependabot_security_updates %} are enabled, the alert may also contain a link to a pull request to update the manifest or lock file to the minimum version that resolves the vulnerability. For more information, see "[About {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/about-github-dependabot-security-updates)."
For repositories where {% data variables.product.prodname_dependabot_security_updates %} are enabled, the alert may also contain a link to a pull request to update the manifest or lock file to the minimum version that resolves the vulnerability. For more information, see "[About {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/about-dependabot-security-updates)."
{% endif %}
{% if enterpriseServerVersions contains currentVersion and currentVersion ver_lt "enterprise-server@2.22" %}
@@ -66,12 +66,12 @@ When {% data variables.product.product_name %} identifies a vulnerable dependenc
{% endwarning %}
### Access to {% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot_short %}{% else %}security{% endif %} alerts
### Access to {% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot %}{% else %}security{% endif %} alerts
You can see all of the alerts that affect a particular project{% if currentVersion == "free-pro-team@latest" %} on the repository's Security tab or{% endif %} in the repository's dependency graph.{% if currentVersion == "free-pro-team@latest" %} For more information, see "[Viewing and updating vulnerable dependencies in your repository](/articles/viewing-and-updating-vulnerable-dependencies-in-your-repository)."{% endif %}
{% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.21" %}
By default, we notify people with admin permissions in the affected repositories about new {% data variables.product.prodname_dependabot_short %} alerts.{% endif %} {% if currentVersion == "free-pro-team@latest" %}{% data variables.product.product_name %} never publicly discloses identified vulnerabilities for any repository. You can also make {% data variables.product.prodname_dependabot_short %} alerts visible to additional people or teams working repositories that you own or have admin permissions for. For more information, see "[Managing security and analysis settings for your repository](/github/administering-a-repository/managing-security-and-analysis-settings-for-your-repository#granting-access-to-github-dependabot-alerts)."
By default, we notify people with admin permissions in the affected repositories about new {% data variables.product.prodname_dependabot_alerts %}.{% endif %} {% if currentVersion == "free-pro-team@latest" %}{% data variables.product.product_name %} never publicly discloses identified vulnerabilities for any repository. You can also make {% data variables.product.prodname_dependabot_alerts %} visible to additional people or teams working repositories that you own or have admin permissions for. For more information, see "[Managing security and analysis settings for your repository](/github/administering-a-repository/managing-security-and-analysis-settings-for-your-repository#granting-access-to-dependabot-alerts)."
{% endif %}
{% if enterpriseServerVersions contains currentVersion and currentVersion ver_lt "enterprise-server@2.22" %}
@@ -83,6 +83,6 @@ We send security alerts to people with admin permissions in the affected reposit
{% if currentVersion == "free-pro-team@latest" %}
### Further reading
- "[About {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/about-github-dependabot-security-updates)"
- "[About {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/about-dependabot-security-updates)"
- "[Viewing and updating vulnerable dependencies in your repository](/articles/viewing-and-updating-vulnerable-dependencies-in-your-repository)"
- "[Understanding how {% data variables.product.product_name %} uses and protects your data](/categories/understanding-how-github-uses-and-protects-your-data)"{% endif %}

35
content/github/managing-security-vulnerabilities/about-dependabot-security-updates.md Normal file
View File

@@ -0,0 +1,35 @@
---
title: About Dependabot security updates
intro: '{% data variables.product.prodname_dependabot %} can fix vulnerable dependencies for you by raising pull requests with security updates.'
shortTitle: About Dependabot security updates
redirect_from:
- /github/managing-security-vulnerabilities/about-github-dependabot-security-updates
versions:
free-pro-team: '*'
---
### About {% data variables.product.prodname_dependabot_security_updates %}
{% data variables.product.prodname_dependabot_security_updates %} make it easier for you to fix vulnerable dependencies in your repository. If you enable this feature, when a {% data variables.product.prodname_dependabot %} alert is raised for a vulnerable dependency in the dependency graph of your repository, {% data variables.product.prodname_dependabot %} automatically tries to fix it. For more information, see "[About alerts for vulnerable dependencies](/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies)" and "[Configuring {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/configuring-dependabot-security-updates)."
{% data variables.product.prodname_dependabot %} checks whether it's possible to upgrade the vulnerable dependency to a fixed version without disrupting the dependency graph for the repository. Then {% data variables.product.prodname_dependabot %} raises a pull request to update the dependency to the minimum version that includes the patch and links the pull request to the {% data variables.product.prodname_dependabot %} alert, or reports an error on the alert. For more information, see "[Troubleshooting {% data variables.product.prodname_dependabot %} errors](/github/managing-security-vulnerabilities/troubleshooting-dependabot-errors)."
{% note %}
**Note**
The {% data variables.product.prodname_dependabot_security_updates %} feature is available for repositories where you have enabled the dependency graph and {% data variables.product.prodname_dependabot_alerts %}. You will see a {% data variables.product.prodname_dependabot %} alert for every vulnerable dependency identified in your full dependency graph. However, security updates are triggered only for dependencies that are specified in a manifest or lock file. {% data variables.product.prodname_dependabot %} is unable to update an indirect or transitive dependency that is not explicitly defined. For more information, see "[About the dependency graph](/github/visualizing-repository-data-with-graphs/about-the-dependency-graph#dependencies-included)."
{% endnote %}
### About pull requests for security updates
Each pull request contains everything you need to quickly and safely review and merge a proposed fix into your project. This includes information about the vulnerability like release notes, changelog entries, and commit details. Details of which vulnerability a pull request resolves are hidden from anyone who does not have access to {% data variables.product.prodname_dependabot_alerts %} for the repository.
When you merge a pull request that contains a security update, the corresponding {% data variables.product.prodname_dependabot %} alert is marked as resolved for your repository. For more information about {% data variables.product.prodname_dependabot %} pull requests, see "[Managing pull requests for dependency updates](/github/administering-a-repository/managing-pull-requests-for-dependency-updates)."
{% data reusables.dependabot.automated-tests-note %}
### About compatibility scores
{% data variables.product.prodname_dependabot_security_updates %} may include compatibility scores to let you know whether updating a vulnerability could cause breaking changes to your project. These are calculated from CI tests in other public repositories where the same security update has been generated. An update's compatibility score is the percentage of CI runs that passed when updating between specific versions of the dependency.

33
content/github/managing-security-vulnerabilities/about-github-dependabot-security-updates.md
View File

@@ -1,33 +0,0 @@
---
title: About GitHub Dependabot security updates
intro: '{% data variables.product.prodname_dependabot %} can fix vulnerable dependencies for you by raising pull requests with security updates.'
shortTitle: About Dependabot security updates
versions:
free-pro-team: '*'
---
### About {% data variables.product.prodname_dependabot_security_updates %}
{% data variables.product.prodname_dependabot_security_updates %} make it easier for you to fix vulnerable dependencies in your repository. If you enable this feature, when a {% data variables.product.prodname_dependabot_short %} alert is raised for a vulnerable dependency in the dependency graph of your repository, {% data variables.product.prodname_dependabot_short %} automatically tries to fix it. For more information, see "[About alerts for vulnerable dependencies](/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies)" and "[Configuring {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/configuring-github-dependabot-security-updates)."
{% data variables.product.prodname_dependabot %} checks whether it's possible to upgrade the vulnerable dependency to a fixed version without disrupting the dependency graph for the repository. Then {% data variables.product.prodname_dependabot_short %} raises a pull request to update the dependency to the minimum version that includes the patch and links the pull request to the {% data variables.product.prodname_dependabot %} alert, or reports an error on the alert. For more information, see "[Troubleshooting {% data variables.product.prodname_dependabot %} errors](/github/managing-security-vulnerabilities/troubleshooting-github-dependabot-errors)."
{% note %}
**Note**
The {% data variables.product.prodname_dependabot_security_updates %} feature is available for repositories where you have enabled the dependency graph and {% data variables.product.prodname_dependabot_short %} alerts. You will see a {% data variables.product.prodname_dependabot_short %} alert for every vulnerable dependency identified in your full dependency graph. However, security updates are triggered only for dependencies that are specified in a manifest or lock file. {% data variables.product.prodname_dependabot_short %} is unable to update an indirect or transitive dependency that is not explicitly defined. For more information, see "[About the dependency graph](/github/visualizing-repository-data-with-graphs/about-the-dependency-graph#dependencies-included)."
{% endnote %}
### About pull requests for security updates
Each pull request contains everything you need to quickly and safely review and merge a proposed fix into your project. This includes information about the vulnerability like release notes, changelog entries, and commit details. Details of which vulnerability a pull request resolves are hidden from anyone who does not have access to {% data variables.product.prodname_dependabot_short %} alerts for the repository.
When you merge a pull request that contains a security update, the corresponding {% data variables.product.prodname_dependabot_short %} alert is marked as resolved for your repository. For more information about {% data variables.product.prodname_dependabot_short %} pull requests, see "[Managing pull requests for dependency updates](/github/administering-a-repository/managing-pull-requests-for-dependency-updates)."
{% data reusables.dependabot.automated-tests-note %}
### About compatibility scores
{% data variables.product.prodname_dependabot_security_updates %} may include compatibility scores to let you know whether updating a vulnerability could cause breaking changes to your project. These are calculated from CI tests in other public repositories where the same security update has been generated. An update's compatibility score is the percentage of CI runs that passed when updating between specific versions of the dependency.

15
content/github/managing-security-vulnerabilities/configuring-github-dependabot-security-updates.md → content/github/managing-security-vulnerabilities/configuring-dependabot-security-updates.md
View File

@@ -1,20 +1,21 @@
---
title: Configuring GitHub Dependabot security updates
title: Configuring Dependabot security updates
intro: 'You can use {% data variables.product.prodname_dependabot_security_updates %} or manual pull requests to easily update vulnerable dependencies.'
shortTitle: Configuring Dependabot security updates
redirect_from:
- /articles/configuring-automated-security-fixes
- /github/managing-security-vulnerabilities/configuring-automated-security-fixes
- /github/managing-security-vulnerabilities/configuring-automated-security-updates
shortTitle: Configuring Dependabot security updates
- /github/managing-security-vulnerabilities/configuring-github-dependabot-security-updates
versions:
free-pro-team: '*'
---
### About configuring {% data variables.product.prodname_dependabot_security_updates %}
You can enable {% data variables.product.prodname_dependabot_security_updates %} for any repository that uses {% data variables.product.prodname_dependabot_short %} alerts and the dependency graph. For more information, see "[About {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/about-github-dependabot-security-updates)."
You can enable {% data variables.product.prodname_dependabot_security_updates %} for any repository that uses {% data variables.product.prodname_dependabot_alerts %} and the dependency graph. For more information, see "[About {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/about-dependabot-security-updates)."
You can disable {% data variables.product.prodname_dependabot_security_updates %} for an individual repository or for all repositories owned by your user account or organization. For more information, see "[Managing {% data variables.product.prodname_dependabot_security_updates %} for your repositories](#managing-github-dependabot-security-updates-for-your-repositories)" below.
You can disable {% data variables.product.prodname_dependabot_security_updates %} for an individual repository or for all repositories owned by your user account or organization. For more information, see "[Managing {% data variables.product.prodname_dependabot_security_updates %} for your repositories](#managing-dependabot-security-updates-for-your-repositories)" below.
{% data reusables.dependabot.dependabot-tos %}
@@ -24,7 +25,7 @@ You can disable {% data variables.product.prodname_dependabot_security_updates %
{% note %}
**Note**: You can manually enable {% data variables.product.prodname_dependabot_security_updates %}, even if the repository doesn't meet some of the prerequisites below. For example, you can enable {% data variables.product.prodname_dependabot_security_updates %} on a fork, or for a package manager that isn't directly supported by following the instructions in "[Managing {% data variables.product.prodname_dependabot_security_updates %} for your repositories](#managing-github-dependabot-security-updates-for-your-repositories)."
**Note**: You can manually enable {% data variables.product.prodname_dependabot_security_updates %}, even if the repository doesn't meet some of the prerequisites below. For example, you can enable {% data variables.product.prodname_dependabot_security_updates %} on a fork, or for a package manager that isn't directly supported by following the instructions in "[Managing {% data variables.product.prodname_dependabot_security_updates %} for your repositories](#managing-dependabot-security-updates-for-your-repositories)."
{% endnote %}
@@ -34,7 +35,7 @@ You can disable {% data variables.product.prodname_dependabot_security_updates %
| Repository is not archived | "[Archiving repositories](/github/creating-cloning-and-archiving-repositories/archiving-repositories)" |
| Repository is public, or repository is private and you have enabled read-only analysis by {% data variables.product.prodname_dotcom %}, dependency graph, and vulnerability alerts in the repository's settings | "[Managing data use settings for your private repository](/github/understanding-how-github-uses-and-protects-your-data/managing-data-use-settings-for-your-private-repository)." |
| Repository contains dependency manifest file from a package ecosystem that {% data variables.product.prodname_dotcom %} supports | "[Supported package ecosystems](/github/visualizing-repository-data-with-graphs/about-the-dependency-graph#supported-package-ecosystems)" |
| {% data variables.product.prodname_dependabot_security_updates %} are not disabled for the repository | "[Managing {% data variables.product.prodname_dependabot_security_updates %} for your repository](#managing-github-dependabot-security-updates-for-your-repositories)" |
| {% data variables.product.prodname_dependabot_security_updates %} are not disabled for the repository | "[Managing {% data variables.product.prodname_dependabot_security_updates %} for your repository](#managing-dependabot-security-updates-for-your-repositories)" |
| Repository is not already using an integration for dependency management | "[About integrations](/github/customizing-your-github-workflow/about-integrations)" |
If security updates are not enabled for your repository and you don't know why, first try enabling them using the instructions given in the procedural sections below. If security updates are still not working, you can [contact support](https://support.github.com/contact).
@@ -50,7 +51,7 @@ You can also enable or disable {% data variables.product.prodname_dependabot_sec
{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.sidebar-security %}
{% data reusables.repositories.sidebar-dependabot-alerts %}
1. Above the list of alerts, use the drop-down menu and select or unselect **{% data variables.product.prodname_dependabot_short %} security updates**.
1. Above the list of alerts, use the drop-down menu and select or unselect **{% data variables.product.prodname_dependabot %} security updates**.
![Drop-down menu with the option to enable {% data variables.product.prodname_dependabot_security_updates %}](/assets/images/help/repository/enable-dependabot-security-updates-drop-down.png)
### Further reading

12
content/github/managing-security-vulnerabilities/configuring-notifications-for-vulnerable-dependencies.md
View File

@@ -1,7 +1,7 @@
---
title: Configuring notifications for vulnerable dependencies
shortTitle: Configuring notifications
intro: 'Optimize how you receive notifications about {% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot_short %}{% else %}security{% endif %} alerts.'
intro: 'Optimize how you receive notifications about {% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot %}{% else %}security{% endif %} alerts.'
versions:
free-pro-team: '*'
enterprise-server: '>=2.21'
@@ -9,10 +9,10 @@ versions:
### About notifications for vulnerable dependencies
{% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.21" %}When {% data variables.product.prodname_dependabot %} detects vulnerable dependencies in your repositories, we generate a {% data variables.product.prodname_dependabot_short %} alert and display it on the Security tab for the repository. {% data variables.product.product_name %} notifies the maintainers of affected repositories about the new alert according to their notification preferences.{% else %}When {% data variables.product.product_name %} detects vulnerable dependencies in your repositories, it sends security alerts.{% endif %}{% if currentVersion == "free-pro-team@latest" %} {% data variables.product.prodname_dependabot_short %} is enabled by default on all public repositories. For {% data variables.product.prodname_dependabot_alerts %}, by default, you will receive {% data variables.product.prodname_dependabot_alerts %} by email, grouped by the specific vulnerability.
{% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.21" %}When {% data variables.product.prodname_dependabot %} detects vulnerable dependencies in your repositories, we generate a {% data variables.product.prodname_dependabot %} alert and display it on the Security tab for the repository. {% data variables.product.product_name %} notifies the maintainers of affected repositories about the new alert according to their notification preferences.{% else %}When {% data variables.product.product_name %} detects vulnerable dependencies in your repositories, it sends security alerts.{% endif %}{% if currentVersion == "free-pro-team@latest" %} {% data variables.product.prodname_dependabot %} is enabled by default on all public repositories. For {% data variables.product.prodname_dependabot_alerts %}, by default, you will receive {% data variables.product.prodname_dependabot_alerts %} by email, grouped by the specific vulnerability.
{% endif %}
{% if currentVersion == "free-pro-team@latest" %}If you're an organization owner, you can enable or disable {% data variables.product.prodname_dependabot_short %} alerts for all repositories in your organization with one click. You can also set whether the detection of vulnerable dependencies will be enabled or disabled for newly-created repositories. For more information, see "[Managing security and analysis settings for your organization](/github/setting-up-and-managing-organizations-and-teams/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-features-for-new-repositories)."
{% if currentVersion == "free-pro-team@latest" %}If you're an organization owner, you can enable or disable {% data variables.product.prodname_dependabot_alerts %} for all repositories in your organization with one click. You can also set whether the detection of vulnerable dependencies will be enabled or disabled for newly-created repositories. For more information, see "[Managing security and analysis settings for your organization](/github/setting-up-and-managing-organizations-and-teams/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-features-for-new-repositories)."
{% endif %}
{% if enterpriseServerVersions contains currentVersion and currentVersion == "enterprise-server@2.21" %}
@@ -21,7 +21,7 @@ Your site administrator needs to enable security alerts for vulnerable dependenc
{% if enterpriseServerVersions contains currentVersion and currentVersion ver_gt "enterprise-server@2.20" %}
By default, if your site administrator has configured email for notifications on your enterprise, you will receive {% if currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot_alerts %}{% else %}security alerts{% endif %} by email.{% endif %}
{% if currentVersion ver_gt "enterprise-server@2.21" %}Site administrators can also enable {% data variables.product.prodname_dependabot_alerts %} without notifications. For more information, see "[Enabling {% data variables.product.prodname_dependabot_short %} alerts for vulnerable dependencies on {% data variables.product.prodname_ghe_server %}](/enterprise/{{ currentVersion }}/admin/configuration/enabling-alerts-for-vulnerable-dependencies-on-github-enterprise-server)."{% endif %}
{% if currentVersion ver_gt "enterprise-server@2.21" %}Site administrators can also enable {% data variables.product.prodname_dependabot_alerts %} without notifications. For more information, see "[Enabling {% data variables.product.prodname_dependabot_alerts %} for vulnerable dependencies on {% data variables.product.prodname_ghe_server %}](/enterprise/{{ currentVersion }}/admin/configuration/enabling-alerts-for-vulnerable-dependencies-on-github-enterprise-server)."{% endif %}
{% if currentVersion ver_lt "enterprise-server@2.22" %}Site administrators can also enable security alerts without notifications. For more information, see "[Enabling security alerts for vulnerable dependencies on {% data variables.product.prodname_ghe_server %}](/enterprise/{{ currentVersion }}/admin/configuration/enabling-alerts-for-vulnerable-dependencies-on-github-enterprise-server)."{% endif %}
@@ -33,14 +33,14 @@ You can configure notification settings for yourself or your organization from t
{% data reusables.notifications.vulnerable-dependency-notification-options %}
{% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.21" %}
![{% data variables.product.prodname_dependabot_short %} alerts options](/assets/images/help/notifications-v2/dependabot-alerts-options.png)
![{% data variables.product.prodname_dependabot_alerts %} options](/assets/images/help/notifications-v2/dependabot-alerts-options.png)
{% else %}
![Security alerts options](/assets/images/help/notifications-v2/security-alerts-options.png)
{% endif %}
{% note %}
**Note:** You can filter your {% data variables.product.company_short %} inbox notifications to show {% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot_short %}{% else %} security{% endif %} alerts. For more information, see "[Managing notifications from your inbox](/github/managing-subscriptions-and-notifications-on-github/managing-notifications-from-your-inbox#supported-queries-for-custom-filters)."
**Note:** You can filter your {% data variables.product.company_short %} inbox notifications to show {% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot %}{% else %} security{% endif %} alerts. For more information, see "[Managing notifications from your inbox](/github/managing-subscriptions-and-notifications-on-github/managing-notifications-from-your-inbox#supported-queries-for-custom-filters)."
{% endnote %}

6
content/github/managing-security-vulnerabilities/index.md
View File

@@ -30,9 +30,9 @@ versions:
{% link_in_list /about-alerts-for-vulnerable-dependencies %}
{% link_in_list /configuring-notifications-for-vulnerable-dependencies %}
<!-- if currentVersion == "free-pro-team@latest" -->
{% link_in_list /about-github-dependabot-security-updates %}
{% link_in_list /configuring-github-dependabot-security-updates %}
{% link_in_list /about-dependabot-security-updates %}
{% link_in_list /configuring-dependabot-security-updates %}
{% link_in_list /viewing-and-updating-vulnerable-dependencies-in-your-repository %}
{% link_in_list /troubleshooting-the-detection-of-vulnerable-dependencies %}
{% link_in_list /troubleshooting-github-dependabot-errors %}
{% link_in_list /troubleshooting-dependabot-errors %}
<!-- endif -->

84
content/github/managing-security-vulnerabilities/troubleshooting-dependabot-errors.md Normal file
View File

@@ -0,0 +1,84 @@
---
title: Troubleshooting Dependabot errors
intro: 'Sometimes {% data variables.product.prodname_dependabot %} is unable to raise a pull request to update your dependencies. You can review the error and unblock {% data variables.product.prodname_dependabot %}.'
shortTitle: Troubleshooting errors
redirect_from:
- /github/managing-security-vulnerabilities/troubleshooting-github-dependabot-errors
versions:
free-pro-team: '*'
---
{% data reusables.dependabot.beta-note %}
### About {% data variables.product.prodname_dependabot %} errors
{% data reusables.dependabot.pull-request-introduction %}
If anything prevents {% data variables.product.prodname_dependabot %} from raising a pull request, this is reported as an error.
### Investigating errors with {% data variables.product.prodname_dependabot_security_updates %}
When {% data variables.product.prodname_dependabot %} is blocked from creating a pull request to fix a {% data variables.product.prodname_dependabot %} alert, it posts the error message on the alert. The {% data variables.product.prodname_dependabot_alerts %} view shows a list of any alerts that have not been resolved yet. To access the alerts view, click **{% data variables.product.prodname_dependabot_alerts %}** on the **Security** tab for the repository. Where a pull request that will fix the vulnerable dependency has been generated, the alert includes a link to that pull request.
![{% data variables.product.prodname_dependabot_alerts %} view showing a pull request link](/assets/images/help/dependabot/dependabot-alert-pr-link.png)
There are three reasons why an alert may have no pull request link:
1. {% data variables.product.prodname_dependabot_security_updates %} are not enabled for the repository.
1. The alert is for an indirect or transitive dependency that is not explicitly defined in a lock file.
1. An error blocked {% data variables.product.prodname_dependabot %} from creating a pull request.
If an error blocked {% data variables.product.prodname_dependabot %} from creating a pull request, you can display details of the error by clicking the alert.
![{% data variables.product.prodname_dependabot %} alert showing the error that blocked the creation of a pull request](/assets/images/help/dependabot/dependabot-security-update-error.png)
### Investigating errors with {% data variables.product.prodname_dependabot_version_updates %}
When {% data variables.product.prodname_dependabot %} is blocked from creating a pull request to update a dependency in an ecosystem, it posts the error icon on the manifest file. The manifest files that are managed by {% data variables.product.prodname_dependabot %} are listed on the {% data variables.product.prodname_dependabot %} tab. To access this tab, on the **Insights** tab for the repository click **Dependency graph**, and then click the **{% data variables.product.prodname_dependabot %}** tab.
![{% data variables.product.prodname_dependabot %} view showing an error](/assets/images/help/dependabot/dependabot-tab-view-error-beta.png)
To see the log file for any manifest file, click the **Last checked TIME ago** link. When you display the log file for a manifest that's shown with an error symbol (for example, Maven in the screenshot above), any errors are also displayed.
![{% data variables.product.prodname_dependabot %} version update error and log ](/assets/images/help/dependabot/dependabot-version-update-error-beta.png)
### Understanding {% data variables.product.prodname_dependabot %} errors
Pull requests for security updates act to upgrade a vulnerable dependency to the minimum version that includes a fix for the vulnerability. In contrast, pull requests for version updates act to upgrade a dependency to the latest version allowed by the package manifest and {% data variables.product.prodname_dependabot %} configuration files. Consequently, some errors are specific to one type of update.
#### {% data variables.product.prodname_dependabot %} cannot update DEPENDENCY to a non-vulnerable version
**Security updates only.** {% data variables.product.prodname_dependabot %} cannot create a pull request to update the vulnerable dependency to a secure version without breaking other dependencies in the dependency graph for this repository.
Every application that has dependencies has a dependency graph, that is, a directed acyclic graph of every package version that the application directly or indirectly depends on. Every time a dependency is updated, this graph must resolve otherwise the application won't build. When an ecosystem has a deep and complex dependency graph, for example, npm and RubyGems, it is often impossible to upgrade a single dependency without upgrading the whole ecosystem.
The best way to avoid this problem is to stay up to date with the most recently released versions, for example, by enabling version updates. This increases the likelihood that a vulnerability in one dependency can be resolved by a simple upgrade that doesn't break the dependency graph. For more information, see "[Enabling and disabling version updates](/github/administering-a-repository/enabling-and-disabling-version-updates)."
#### {% data variables.product.prodname_dependabot %} cannot update to the required version as there is already an open pull request for the latest version
**Security updates only.** {% data variables.product.prodname_dependabot %} will not create a pull request to update the vulnerable dependency to a secure version because there is already an open pull request to update this dependency. You will see this error when a vulnerability is detected in a single dependency and there's already an open pull request to update the dependency to the latest version.
There are two options: you can review the open pull request and merge it as soon as you are confident that the change is safe, or close that pull request and trigger a new security update pull request. For more information, see "[Triggering a {% data variables.product.prodname_dependabot %} pull request manually](#triggering-a-dependabot-pull-request-manually)."
#### {% data variables.product.prodname_dependabot %} timed out during its update
{% data variables.product.prodname_dependabot %} took longer than the maximum time allowed to assess the update required and prepare a pull request. This error is usually seen only for large repositories with many manifest files, for example, npm or yarn monorepo projects with hundreds of *package.json* files. Updates to the Composer ecosystem also take longer to assess and may time out.
This error is difficult to address. If a version update times out, you could specify the most important dependencies to update using the `allow` parameter or, alternatively, use the `ignore` parameter to exclude some dependencies from updates. Updating your configuration might allow {% data variables.product.prodname_dependabot %} to review the version update and generate the pull request in the time available.
If a security update times out, you can reduce the chances of this happening by keeping the dependencies updated, for example, by enabling version updates. For more information, see "[Enabling and disabling version updates](/github/administering-a-repository/enabling-and-disabling-version-updates)."
#### {% data variables.product.prodname_dependabot %} cannot open any more pull requests
There's a limit on the number of open pull requests {% data variables.product.prodname_dependabot %} will generate. When this limit is reached, no new pull requests are opened and this error is reported. The best way to resolve this error is to review and merge some of the open pull requests.
There are separate limits for security and version update pull requests, so that open version update pull requests cannot block the creation of a security update pull request. The limit for security update pull requests is 10. By default, the limit for version updates is 5 but you can change this using the `open-pull-requests-limit` parameter in the configuration file. For more information, see "[Configuration options for dependency updates](/github/administering-a-repository/configuration-options-for-dependency-updates#open-pull-requests-limit)."
The best way to resolve this error is to merge or close some of the existing pull requests and trigger a new pull request manually. For more information, see "[Triggering a {% data variables.product.prodname_dependabot %} pull request manually](#triggering-a-dependabot-pull-request-manually)."
### Triggering a {% data variables.product.prodname_dependabot %} pull request manually
If you unblock {% data variables.product.prodname_dependabot %}, you can manually trigger a fresh attempt to create a pull request.
- **Security updates**—display the {% data variables.product.prodname_dependabot %} alert that shows the error you have fixed and click **Create {% data variables.product.prodname_dependabot %} security update**.
- **Version updates**—display the log file for the manifest that shows the error that you have fixed and click **Check for updates**.

82
content/github/managing-security-vulnerabilities/troubleshooting-github-dependabot-errors.md
View File

@@ -1,82 +0,0 @@
---
title: Troubleshooting GitHub Dependabot errors
intro: 'Sometimes {% data variables.product.prodname_dependabot %} is unable to raise a pull request to update your dependencies. You can review the error and unblock {% data variables.product.prodname_dependabot_short %}.'
shortTitle: Troubleshooting errors
versions:
free-pro-team: '*'
---
{% data reusables.dependabot.beta-note %}
### About {% data variables.product.prodname_dependabot %} errors
{% data reusables.dependabot.pull-request-introduction %}
If anything prevents {% data variables.product.prodname_dependabot_short %} from raising a pull request, this is reported as an error.
### Investigating errors with {% data variables.product.prodname_dependabot_security_updates %}
When {% data variables.product.prodname_dependabot_short %} is blocked from creating a pull request to fix a {% data variables.product.prodname_dependabot_short %} alert, it posts the error message on the alert. The {% data variables.product.prodname_dependabot_short %} alerts view shows a list of any alerts that have not been resolved yet. To access the alerts view, click **{% data variables.product.prodname_dependabot_short %} alerts** on the **Security** tab for the repository. Where a pull request that will fix the vulnerable dependency has been generated, the alert includes a link to that pull request.
![{% data variables.product.prodname_dependabot_short %} alerts view showing a pull request link](/assets/images/help/dependabot/dependabot-alert-pr-link.png)
There are three reasons why an alert may have no pull request link:
1. {% data variables.product.prodname_dependabot_security_updates %} are not enabled for the repository.
1. The alert is for an indirect or transitive dependency that is not explicitly defined in a lock file.
1. An error blocked {% data variables.product.prodname_dependabot_short %} from creating a pull request.
If an error blocked {% data variables.product.prodname_dependabot_short %} from creating a pull request, you can display details of the error by clicking the alert.
![{% data variables.product.prodname_dependabot_short %} alert showing the error that blocked the creation of a pull request](/assets/images/help/dependabot/dependabot-security-update-error.png)
### Investigating errors with {% data variables.product.prodname_dependabot_version_updates %}
When {% data variables.product.prodname_dependabot_short %} is blocked from creating a pull request to update a dependency in an ecosystem, it posts the error icon on the manifest file. The manifest files that are managed by {% data variables.product.prodname_dependabot_short %} are listed on the {% data variables.product.prodname_dependabot_short %} tab. To access this tab, on the **Insights** tab for the repository click **Dependency graph**, and then click the **{% data variables.product.prodname_dependabot_short %}** tab.
![{% data variables.product.prodname_dependabot_short %} view showing an error](/assets/images/help/dependabot/dependabot-tab-view-error-beta.png)
To see the log file for any manifest file, click the **Last checked TIME ago** link. When you display the log file for a manifest that's shown with an error symbol (for example, Maven in the screenshot above), any errors are also displayed.
![{% data variables.product.prodname_dependabot_short %} version update error and log ](/assets/images/help/dependabot/dependabot-version-update-error-beta.png)
### Understanding {% data variables.product.prodname_dependabot_short %} errors
Pull requests for security updates act to upgrade a vulnerable dependency to the minimum version that includes a fix for the vulnerability. In contrast, pull requests for version updates act to upgrade a dependency to the latest version allowed by the package manifest and {% data variables.product.prodname_dependabot_short %} configuration files. Consequently, some errors are specific to one type of update.
#### {% data variables.product.prodname_dependabot_short %} cannot update DEPENDENCY to a non-vulnerable version
**Security updates only.** {% data variables.product.prodname_dependabot_short %} cannot create a pull request to update the vulnerable dependency to a secure version without breaking other dependencies in the dependency graph for this repository.
Every application that has dependencies has a dependency graph, that is, a directed acyclic graph of every package version that the application directly or indirectly depends on. Every time a dependency is updated, this graph must resolve otherwise the application won't build. When an ecosystem has a deep and complex dependency graph, for example, npm and RubyGems, it is often impossible to upgrade a single dependency without upgrading the whole ecosystem.
The best way to avoid this problem is to stay up to date with the most recently released versions, for example, by enabling version updates. This increases the likelihood that a vulnerability in one dependency can be resolved by a simple upgrade that doesn't break the dependency graph. For more information, see "[Enabling and disabling version updates](/github/administering-a-repository/enabling-and-disabling-version-updates)."
#### {% data variables.product.prodname_dependabot_short %} cannot update to the required version as there is already an open pull request for the latest version
**Security updates only.** {% data variables.product.prodname_dependabot_short %} will not create a pull request to update the vulnerable dependency to a secure version because there is already an open pull request to update this dependency. You will see this error when a vulnerability is detected in a single dependency and there's already an open pull request to update the dependency to the latest version.
There are two options: you can review the open pull request and merge it as soon as you are confident that the change is safe, or close that pull request and trigger a new security update pull request. For more information, see "[Triggering a {% data variables.product.prodname_dependabot_short %} pull request manually](#triggering-a-dependabot-pull-request-manually)."
#### {% data variables.product.prodname_dependabot_short %} timed out during its update
{% data variables.product.prodname_dependabot_short %} took longer than the maximum time allowed to assess the update required and prepare a pull request. This error is usually seen only for large repositories with many manifest files, for example, npm or yarn monorepo projects with hundreds of *package.json* files. Updates to the Composer ecosystem also take longer to assess and may time out.
This error is difficult to address. If a version update times out, you could specify the most important dependencies to update using the `allow` parameter or, alternatively, use the `ignore` parameter to exclude some dependencies from updates. Updating your configuration might allow {% data variables.product.prodname_dependabot_short %} to review the version update and generate the pull request in the time available.
If a security update times out, you can reduce the chances of this happening by keeping the dependencies updated, for example, by enabling version updates. For more information, see "[Enabling and disabling version updates](/github/administering-a-repository/enabling-and-disabling-version-updates)."
#### {% data variables.product.prodname_dependabot_short %} cannot open any more pull requests
There's a limit on the number of open pull requests {% data variables.product.prodname_dependabot_short %} will generate. When this limit is reached, no new pull requests are opened and this error is reported. The best way to resolve this error is to review and merge some of the open pull requests.
There are separate limits for security and version update pull requests, so that open version update pull requests cannot block the creation of a security update pull request. The limit for security update pull requests is 10. By default, the limit for version updates is 5 but you can change this using the `open-pull-requests-limit` parameter in the configuration file. For more information, see "[Configuration options for dependency updates](/github/administering-a-repository/configuration-options-for-dependency-updates#open-pull-requests-limit)."
The best way to resolve this error is to merge or close some of the existing pull requests and trigger a new pull request manually. For more information, see "[Triggering a {% data variables.product.prodname_dependabot_short %} pull request manually](#triggering-a-dependabot-pull-request-manually)."
### Triggering a {% data variables.product.prodname_dependabot_short %} pull request manually
If you unblock {% data variables.product.prodname_dependabot_short %}, you can manually trigger a fresh attempt to create a pull request.
- **Security updates**—display the {% data variables.product.prodname_dependabot_short %} alert that shows the error you have fixed and click **Create {% data variables.product.prodname_dependabot_short %} security update**.
- **Version updates**—display the log file for the manifest that shows the error that you have fixed and click **Check for updates**.

32
content/github/managing-security-vulnerabilities/troubleshooting-the-detection-of-vulnerable-dependencies.md
View File

@@ -14,14 +14,14 @@ The results of dependency detection reported by {% data variables.product.produc
* {% data variables.product.prodname_advisory_database %} is one of the data sources that {% data variables.product.prodname_dotcom %} uses to identify vulnerable dependencies. It's a free, curated database of vulnerability information for common package ecosystems on {% data variables.product.prodname_dotcom %}. It includes both data reported directly to {% data variables.product.prodname_dotcom %} from {% data variables.product.prodname_security_advisories %}, as well as official feeds and community sources. This data is reviewed and curated by {% data variables.product.prodname_dotcom %} to ensure that false or unactionable information is not shared with the development community. For more information, see "[Browsing security vulnerabilities in the {% data variables.product.prodname_advisory_database %}](/github/managing-security-vulnerabilities/browsing-security-vulnerabilities-in-the-github-advisory-database)" and "[About {% data variables.product.prodname_security_advisories %}](/github/managing-security-vulnerabilities/about-github-security-advisories)."
* The dependency graph parses all known package manifest files in a users repository. For example, for npm it will parse the _package-lock.json_ file. It constructs a graph of all of the repositorys dependencies and public dependents. This happens when you enable the dependency graph and when anyone pushes to the default branch, and it includes commits that makes changes to a supported manifest format. For more information, see "[About the dependency graph](/github/visualizing-repository-data-with-graphs/about-the-dependency-graph)."
* {% data variables.product.prodname_dependabot_short %} scans any push, to the default branch, that contains a manifest file. When a new vulnerability record is added, it scans all existing repositories and generates an alert for each vulnerable repository. {% data variables.product.prodname_dependabot_short %} alerts are aggregated at the repository level, rather than creating one alert per vulnerability. For more information, see "[About alerts for vulnerable dependencies](/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies)."
* {% data variables.product.prodname_dependabot_security_updates %} are triggered when you receive an alert about a vulnerable dependency in your repository. Where possible, {% data variables.product.prodname_dependabot_short %} creates a pull request in your repository to upgrade the vulnerable dependency to the minimum possible secure version needed to avoid the vulnerability. For more information, see "[About {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/about-github-dependabot-security-updates)" and "[Troubleshooting {% data variables.product.prodname_dependabot %} errors](/github/managing-security-vulnerabilities/troubleshooting-github-dependabot-errors)."
* {% data variables.product.prodname_dependabot %} scans any push, to the default branch, that contains a manifest file. When a new vulnerability record is added, it scans all existing repositories and generates an alert for each vulnerable repository. {% data variables.product.prodname_dependabot_alerts %} are aggregated at the repository level, rather than creating one alert per vulnerability. For more information, see "[About alerts for vulnerable dependencies](/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies)."
* {% data variables.product.prodname_dependabot_security_updates %} are triggered when you receive an alert about a vulnerable dependency in your repository. Where possible, {% data variables.product.prodname_dependabot %} creates a pull request in your repository to upgrade the vulnerable dependency to the minimum possible secure version needed to avoid the vulnerability. For more information, see "[About {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/about-dependabot-security-updates)" and "[Troubleshooting {% data variables.product.prodname_dependabot %} errors](/github/managing-security-vulnerabilities/troubleshooting-dependabot-errors)."
{% data variables.product.prodname_dependabot_short %} doesn't scan repositories for vulnerable dependencies on a schedule, but rather when something changes. For example, a scan is triggered when a new dependency is added ({% data variables.product.prodname_dotcom %} checks for this on every push), or when a new vulnerability is discovered and added to the advisory database.
{% data variables.product.prodname_dependabot %} doesn't scan repositories for vulnerable dependencies on a schedule, but rather when something changes. For example, a scan is triggered when a new dependency is added ({% data variables.product.prodname_dotcom %} checks for this on every push), or when a new vulnerability is discovered and added to the advisory database.
### Why don't I get vulnerability alerts for some ecosystems?
{% data variables.product.prodname_dotcom %} limits its support for vulnerability alerts to a set of ecosystems where we can provide high-quality, actionable data. Curated vulnerabilities in the {% data variables.product.prodname_advisory_database %}, the dependency graph, {% data variables.product.prodname_dependabot_short %} alerts, and {% data variables.product.prodname_dependabot_short %} security updates are provided for several ecosystems, including Javas Maven, JavaScripts npm and Yarn, .NETs NuGet, Pythons pip, Ruby's RubyGems, and PHPs Composer. We'll continue to add support for more ecosystems over time. For an overview of the package ecosystems that we support, see "[About the dependency graph](/github/visualizing-repository-data-with-graphs/about-the-dependency-graph#supported-package-ecosystems)."
{% data variables.product.prodname_dotcom %} limits its support for vulnerability alerts to a set of ecosystems where we can provide high-quality, actionable data. Curated vulnerabilities in the {% data variables.product.prodname_advisory_database %}, the dependency graph, {% data variables.product.prodname_dependabot_alerts %}, and {% data variables.product.prodname_dependabot %} security updates are provided for several ecosystems, including Javas Maven, JavaScripts npm and Yarn, .NETs NuGet, Pythons pip, Ruby's RubyGems, and PHPs Composer. We'll continue to add support for more ecosystems over time. For an overview of the package ecosystems that we support, see "[About the dependency graph](/github/visualizing-repository-data-with-graphs/about-the-dependency-graph#supported-package-ecosystems)."
It's worth noting that [{% data variables.product.prodname_dotcom %} Security Advisories](/github/managing-security-vulnerabilities/about-github-security-advisories) may exist for other ecosystems. The information in a security advisory is provided by the maintainers of a particular repository. This data is not curated in the same way as information for the supported ecosystems.
@@ -31,7 +31,7 @@ It's worth noting that [{% data variables.product.prodname_dotcom %} Security Ad
The dependency graph includes information on dependencies that are explicitly declared in your environment. That is, dependencies that are specified in a manifest or a lockfile. The dependency graph generally also includes transitive dependencies, even when they aren't specified in a lockfile, by looking at the dependencies of the dependencies in a manifest file.
{% data variables.product.prodname_dependabot_short %} alerts advise you about dependencies you should update, including transitive dependencies, where the version can be determined from a manifest or a lockfile. {% data variables.product.prodname_dependabot_short %} security updates only suggests a change where it can directly "fix" the dependency, that is, when these are:
{% data variables.product.prodname_dependabot_alerts %} advise you about dependencies you should update, including transitive dependencies, where the version can be determined from a manifest or a lockfile. {% data variables.product.prodname_dependabot %} security updates only suggests a change where it can directly "fix" the dependency, that is, when these are:
* Direct dependencies explicitly declared in a manifest or lockfile
* Transitive dependencies declared in a lockfile
@@ -51,21 +51,21 @@ Yes, the dependency graph has two categories of limits:
1. **Processing limits**
These affect the dependency graph displayed within {% data variables.product.prodname_dotcom %} and also prevent {% data variables.product.prodname_dependabot_short %} alerts being created.
These affect the dependency graph displayed within {% data variables.product.prodname_dotcom %} and also prevent {% data variables.product.prodname_dependabot_alerts %} being created.
Manifests over 0.5 MB in size are only processed for enterprise accounts. For other accounts, manifests over 0.5 MB are ignored and will not create {% data variables.product.prodname_dependabot_short %} alerts.
Manifests over 0.5 MB in size are only processed for enterprise accounts. For other accounts, manifests over 0.5 MB are ignored and will not create {% data variables.product.prodname_dependabot_alerts %}.
By default, {% data variables.product.prodname_dotcom %} will not process more than 20 manifests per repository. {% data variables.product.prodname_dependabot_short %} alerts are not be created for manifests beyond this limit. If you need to increase the limit, contact {% data variables.contact.contact_support %}.
By default, {% data variables.product.prodname_dotcom %} will not process more than 20 manifests per repository. {% data variables.product.prodname_dependabot_alerts %} are not be created for manifests beyond this limit. If you need to increase the limit, contact {% data variables.contact.contact_support %}.
2. **Visualization limits**
These affect what's displayed in the dependency graph within {% data variables.product.prodname_dotcom %}. However, they don't affect the {% data variables.product.prodname_dependabot_short %} alerts that are created.
These affect what's displayed in the dependency graph within {% data variables.product.prodname_dotcom %}. However, they don't affect the {% data variables.product.prodname_dependabot_alerts %} that are created.
The Dependencies view of the dependency graph for a repository only displays 100 manifests. Typically this is adequate as it is significantly higher than the processing limit described above. In situations where the processing limit is over 100, {% data variables.product.prodname_dependabot_short %} alerts are still created for any manifests that are not shown within {% data variables.product.prodname_dotcom %}.
The Dependencies view of the dependency graph for a repository only displays 100 manifests. Typically this is adequate as it is significantly higher than the processing limit described above. In situations where the processing limit is over 100, {% data variables.product.prodname_dependabot_alerts %} are still created for any manifests that are not shown within {% data variables.product.prodname_dotcom %}.
**Check**: Is the missing dependency in a manifest file that's over 0.5 MB, or in a repository with a large number of manifests?
### Does {% data variables.product.prodname_dependabot_short %} generate alerts for vulnerabilities that have been known for many years?
### Does {% data variables.product.prodname_dependabot %} generate alerts for vulnerabilities that have been known for many years?
The {% data variables.product.prodname_advisory_database %} was launched in November 2019, and initially back-filled to include vulnerability information for the supported ecosystems, starting from 2017. When adding CVEs to the database, we prioritize curating newer CVEs, and CVEs affecting newer versions of software.
@@ -77,19 +77,19 @@ Some information on older vulnerabilities is available, especially where these C
Some third-party tools use uncurated CVE data that isn't checked or filtered by a human. This means that CVEs with tagging or severity errors, or other quality issues, will cause more frequent, more noisy, and less useful alerts.
Since {% data variables.product.prodname_dependabot_short %} uses curated data in the {% data variables.product.prodname_advisory_database %}, the volume of alerts may be lower, but the alerts you do receive will be accurate and relevant.
Since {% data variables.product.prodname_dependabot %} uses curated data in the {% data variables.product.prodname_advisory_database %}, the volume of alerts may be lower, but the alerts you do receive will be accurate and relevant.
### Does each dependency vulnerability generate a separate alert?
When a dependency has multiple vulnerabilities, only one aggregated alert is generated for that dependency, instead of one alert per vulnerability.
The {% data variables.product.prodname_dependabot_short %} alerts count in {% data variables.product.prodname_dotcom %} shows a total for the number of alerts, that is, the number of dependencies with vulnerabilities, not the number of vulnerabilities.
The {% data variables.product.prodname_dependabot_alerts %} count in {% data variables.product.prodname_dotcom %} shows a total for the number of alerts, that is, the number of dependencies with vulnerabilities, not the number of vulnerabilities.
![{% data variables.product.prodname_dependabot_short %} alerts view](/assets/images/help/repository/dependabot-alerts-view.png)
![{% data variables.product.prodname_dependabot_alerts %} view](/assets/images/help/repository/dependabot-alerts-view.png)
When you click to display the alert details, you can see how many vulnerabilities are included in the alert.
![Multiple vulnerabilities for a {% data variables.product.prodname_dependabot_short %} alert](/assets/images/help/repository/dependabot-vulnerabilities-number.png)
![Multiple vulnerabilities for a {% data variables.product.prodname_dependabot %} alert](/assets/images/help/repository/dependabot-vulnerabilities-number.png)
**Check**: If there is a discrepancy in the totals you are seeing, check that you are not comparing alert numbers with vulnerability numbers.
@@ -98,4 +98,4 @@ When you click to display the alert details, you can see how many vulnerabilitie
- "[About alerts for vulnerable dependencies](/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies)"
- "[Viewing and updating vulnerable dependencies in your repository](/github/managing-security-vulnerabilities/viewing-and-updating-vulnerable-dependencies-in-your-repository)"
- "[Managing security and analysis settings for your repository](/github/administering-a-repository/managing-security-and-analysis-settings-for-your-repository)"
- "[Troubleshooting {% data variables.product.prodname_dependabot %} errors](/github/managing-security-vulnerabilities/troubleshooting-github-dependabot-errors)"
- "[Troubleshooting {% data variables.product.prodname_dependabot %} errors](/github/managing-security-vulnerabilities/troubleshooting-dependabot-errors)"

14
content/github/managing-security-vulnerabilities/viewing-and-updating-vulnerable-dependencies-in-your-repository.md
View File

@@ -10,11 +10,11 @@ versions:
---
Your repository's {% data variables.product.prodname_dependabot %} alerts tab lists all open and closed {% data variables.product.prodname_dependabot_alerts %} and corresponding {% data variables.product.prodname_dependabot_security_updates %}. You can sort the list of alerts using the drop-down menu, and you can click into specific alerts for more details. For more information, see "[About alerts for vulnerable dependencies](/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies)."
You can enable automatic security updates for any repository that uses {% data variables.product.prodname_dependabot_alerts %} and the dependency graph. For more information, see "[About {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/about-github-dependabot-security-updates)."
You can enable automatic security updates for any repository that uses {% data variables.product.prodname_dependabot_alerts %} and the dependency graph. For more information, see "[About {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/about-dependabot-security-updates)."
### About updates for vulnerable dependencies in your repository
{% data variables.product.product_name %} generates {% data variables.product.prodname_dependabot_alerts %} when we detect vulnerabilities affecting your repository. For repositories where {% data variables.product.prodname_dependabot_security_updates %} are enabled, when {% data variables.product.product_name %} detects a vulnerable dependency {% data variables.product.prodname_dependabot_short %} creates a pull request to fix it. The pull request will upgrade the dependency to the minimum possible secure version needed to avoid the vulnerability.
{% data variables.product.product_name %} generates {% data variables.product.prodname_dependabot_alerts %} when we detect vulnerabilities affecting your repository. For repositories where {% data variables.product.prodname_dependabot_security_updates %} are enabled, when {% data variables.product.product_name %} detects a vulnerable dependency {% data variables.product.prodname_dependabot %} creates a pull request to fix it. The pull request will upgrade the dependency to the minimum possible secure version needed to avoid the vulnerability.
### Viewing and updating vulnerable dependencies
@@ -24,16 +24,16 @@ You can enable automatic security updates for any repository that uses {% data v
1. Click the alert you'd like to view.
![Alert selected in list of alerts](/assets/images/help/graphs/click-alert-in-alerts-list.png)
1. Review the details of the vulnerability and, if available, the pull request containing the automated security update.
1. Optionally, if there isn't already a {% data variables.product.prodname_dependabot_security_updates %} update for the alert, to create a pull request to resolve the vulnerability, click **Create {% data variables.product.prodname_dependabot_short %} security update**.
![Create {% data variables.product.prodname_dependabot_short %} security update button](/assets/images/help/repository/create-dependabot-security-update-button.png)
1. When you're ready to update your dependency and resolve the vulnerability, merge the pull request. Each pull request raised by {% data variables.product.prodname_dependabot_short %} includes information on commands you can use to control {% data variables.product.prodname_dependabot_short %}. For more information, see "[Managing pull requests for dependency updates](/github/administering-a-repository/managing-pull-requests-for-dependency-updates#managing-github-dependabot-pull-requests-with-comment-commands)."
1. Optionally, if there isn't already a {% data variables.product.prodname_dependabot_security_updates %} update for the alert, to create a pull request to resolve the vulnerability, click **Create {% data variables.product.prodname_dependabot %} security update**.
![Create {% data variables.product.prodname_dependabot %} security update button](/assets/images/help/repository/create-dependabot-security-update-button.png)
1. When you're ready to update your dependency and resolve the vulnerability, merge the pull request. Each pull request raised by {% data variables.product.prodname_dependabot %} includes information on commands you can use to control {% data variables.product.prodname_dependabot %}. For more information, see "[Managing pull requests for dependency updates](/github/administering-a-repository/managing-pull-requests-for-dependency-updates#managing-dependabot-pull-requests-with-comment-commands)."
1. Optionally, if the alert is being fixed, if it's incorrect, or located in unused code, use the "Dismiss" drop-down, and click a reason for dismissing the alert.
![Choosing reason for dismissing the alert via the "Dismiss" drop-down](/assets/images/help/repository/dependabot-alert-dismiss-drop-down.png)
### Further reading
- "[About alerts for vulnerable dependencies](/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies)"
- "[Configuring {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/configuring-github-dependabot-security-updates)"
- "[Configuring {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/configuring-dependabot-security-updates)"
- "[Managing security and analysis settings for your repository](/github/administering-a-repository/managing-security-and-analysis-settings-for-your-repository)"
- "[Troubleshooting the detection of vulnerable dependencies](/github/managing-security-vulnerabilities/troubleshooting-the-detection-of-vulnerable-dependencies)"
- "[Troubleshooting {% data variables.product.prodname_dependabot %} errors](/github/managing-security-vulnerabilities/troubleshooting-github-dependabot-errors)"
- "[Troubleshooting {% data variables.product.prodname_dependabot %} errors](/github/managing-security-vulnerabilities/troubleshooting-dependabot-errors)"

2
content/github/managing-subscriptions-and-notifications-on-github/configuring-notifications.md
View File

@@ -121,7 +121,7 @@ Email notifications from {% data variables.product.product_name %} contain the f
3. On the notifications settings page, choose how you receive notifications when:
- There are updates in repositories or team discussions you're watching or in a conversation you're participating in. For more information, see "[About participating and watching notifications](#about-participating-and-watching-notifications)."
- You gain access to a new repository or you've joined a new team. For more information, see "[Automatic watching](#automatic-watching)."{% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.21" %}
- There are new {% data variables.product.prodname_dependabot_alerts %} in your repository. For more information, see "[{% data variables.product.prodname_dependabot_alerts %} notification options](#github-dependabot-alerts-notification-options)." {% endif %}{% if currentVersion == "enterprise-server@2.21" %}
- There are new {% data variables.product.prodname_dependabot_alerts %} in your repository. For more information, see "[{% data variables.product.prodname_dependabot_alerts %} notification options](#dependabot-alerts-notification-options)." {% endif %}{% if currentVersion == "enterprise-server@2.21" %}
- There are new security alerts in your repository. For more information, see "[Security alert notification options](#security-alert-notification-options)." {% endif %} {% if currentVersion == "free-pro-team@latest" %}
- There are workflow runs updates on repositories set up with {% data variables.product.prodname_actions %}. For more information, see "[{% data variables.product.prodname_actions %} notification options](#github-actions-notification-options)."{% endif %}

Some files were not shown because too many files have changed in this diff Show More