Hack week 2025: remove unneeded FBV instances (22) (#54017)
This commit is contained in:
mc
@@ -53,7 +53,7 @@ For more information about installing and using self-hosted runners, see [AUTOTI
|
||||
* Are customizable to your hardware, operating system, software, and security requirements.
|
||||
* Don't need to have a clean instance for every job execution.
|
||||
* Are free to use with {% data variables.product.prodname_actions %}, but you are responsible for the cost of maintaining your runner machines.{% ifversion ghec or ghes %}
|
||||
* Can be organized into groups to restrict access to specific {% ifversion restrict-groups-to-workflows %}workflows, {% endif %}organizations and repositories. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups).{% endif %}
|
||||
* Can be organized into groups to restrict access to specific workflows, organizations, and repositories. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups).{% endif %}
|
||||
|
||||
## Requirements for self-hosted runner machines
|
||||
|
||||
|
||||
@@ -62,7 +62,7 @@ For runner groups in an organization, you can change what repositories in the or
|
||||
{% data reusables.actions.runner-groups-org-navigation %}
|
||||
{% data reusables.actions.changing-repository-access-for-a-runner-group %}
|
||||
|
||||
{% ifversion restrict-groups-to-workflows %}
|
||||
{% ifversion ghec or ghes %}
|
||||
|
||||
## Changing which workflows can access a runner group
|
||||
|
||||
|
||||
@@ -344,7 +344,7 @@ For third-party images, such as the images for ARM-powered runners, you can find
|
||||
|
||||
{% data reusables.actions.disable-selfhosted-runners-crossrefs %}
|
||||
|
||||
When a self-hosted runner is defined at the organization or enterprise level, {% data variables.product.github %} can schedule workflows from multiple repositories onto the same runner. Consequently, a security compromise of these environments can result in a wide impact. To help reduce the scope of a compromise, you can create boundaries by organizing your self-hosted runners into separate groups. You can restrict what {% ifversion restrict-groups-to-workflows %}workflows, {% endif %}organizations and repositories can access runner groups. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups).
|
||||
When a self-hosted runner is defined at the organization or enterprise level, {% data variables.product.github %} can schedule workflows from multiple repositories onto the same runner. Consequently, a security compromise of these environments can result in a wide impact. To help reduce the scope of a compromise, you can create boundaries by organizing your self-hosted runners into separate groups. You can restrict what {% ifversion ghec or ghes %}workflows, {% endif %}organizations and repositories can access runner groups. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups).
|
||||
|
||||
You should also consider the environment of the self-hosted runner machines:
|
||||
* What sensitive information resides on the machine configured as a self-hosted runner? For example, private SSH keys, API access tokens, among others.
|
||||
|
||||
@@ -442,4 +442,4 @@ For information about using the REST API to query the audit log for an organizat
|
||||
|
||||
To continue learning about {% data variables.product.prodname_actions %}, see [AUTOTITLE](/actions/using-workflows/events-that-trigger-workflows).
|
||||
|
||||
{% ifversion restrict-groups-to-workflows %}You can standardize deployments by creating a self-hosted runner group that can only execute a specific reusable workflow. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups).{% endif %}
|
||||
{% ifversion ghec or ghes %}You can standardize deployments by creating a self-hosted runner group that can only execute a specific reusable workflow. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups).{% endif %}
|
||||
|
||||
@@ -70,7 +70,7 @@ For runner groups in an organization, you can change what repositories in the or
|
||||
{% data reusables.actions.runner-groups-org-navigation %}
|
||||
{% data reusables.actions.changing-repository-access-for-a-runner-group %}
|
||||
|
||||
{% ifversion restrict-groups-to-workflows %}
|
||||
{% ifversion ghec %}
|
||||
|
||||
## Changing which workflows can access a runner group
|
||||
|
||||
|
||||
@@ -47,9 +47,7 @@ If you're connecting to an enterprise on {% data variables.enterprise.data_resid
|
||||
{% data reusables.github-connect.license-sync %}
|
||||
| {% data variables.product.prodname_dependabot %} | Allow users to find and fix vulnerabilities in code dependencies. | [AUTOTITLE](/admin/configuration/configuring-github-connect/enabling-dependabot-for-your-enterprise) |
|
||||
| {% data variables.product.prodname_dotcom_the_website %} actions | Allow users to use actions from {% data variables.product.prodname_dotcom_the_website %} in public workflow files. | [AUTOTITLE](/admin/github-actions/managing-access-to-actions-from-githubcom/enabling-automatic-access-to-githubcom-actions-using-github-connect) |
|
||||
| {% ifversion server-statistics %} |
|
||||
| {% data variables.product.prodname_server_statistics %} | Analyze your own aggregate data from GitHub Enterprise Server, and help us improve GitHub products. | [AUTOTITLE](/admin/configuration/configuring-github-connect/enabling-server-statistics-for-your-enterprise) |
|
||||
| {% endif %} |
|
||||
{% data reusables.github-connect.unified-search %}
|
||||
{% data reusables.github-connect.unified-contributions %}
|
||||
|
||||
@@ -107,9 +105,7 @@ Additional data is transmitted if you enable individual features of {% data vari
|
||||
| {% endif %} |
|
||||
| {% data variables.product.prodname_dependabot_updates %} | Dependencies and the metadata for each dependency's repository<br><br>If a dependency is stored in a private repository on {% data variables.product.prodname_dotcom_the_website %}, data will only be transmitted if {% data variables.product.prodname_dependabot %} is configured and authorized to access that repository. | From {% data variables.product.prodname_dotcom_the_website %} to {% data variables.product.product_name %} | {% data variables.product.product_name %} |
|
||||
| {% data variables.product.prodname_dotcom_the_website %} actions | Name of action, action (YAML file from {% data variables.product.prodname_marketplace %}) | From {% data variables.product.prodname_dotcom_the_website %} to {% data variables.product.product_name %}<br><br>From {% data variables.product.product_name %} to {% data variables.product.prodname_dotcom_the_website %} | {% data variables.product.product_name %} |
|
||||
| {% ifversion server-statistics %} |
|
||||
| {% data variables.product.prodname_server_statistics %} | Aggregate metrics about your usage of {% data variables.product.prodname_ghe_server %}. For the complete list of metrics, see [AUTOTITLE](/admin/monitoring-activity-in-your-enterprise/analyzing-how-your-team-works-with-server-statistics/about-server-statistics#server-statistics-data-collected). | From {% data variables.product.product_name %} to {% data variables.product.prodname_ghe_cloud %} | {% data variables.product.prodname_ghe_cloud %} |
|
||||
| {% endif %} |
|
||||
| Unified search | Search terms, search results | From {% data variables.product.prodname_ghe_cloud %} to {% data variables.product.product_name %}<br><br>From {% data variables.product.product_name %} to {% data variables.product.prodname_ghe_cloud %} | {% data variables.product.product_name %} |
|
||||
| Unified contributions | Contribution counts | From {% data variables.product.product_name %} to {% data variables.product.prodname_ghe_cloud %} | {% data variables.product.prodname_ghe_cloud %} |
|
||||
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
title: Enabling Server Statistics for your enterprise
|
||||
intro: 'You can analyze your own aggregate data from {% data variables.product.prodname_ghe_server %} and help us improve {% data variables.product.company_short %} products by enabling {% data variables.product.prodname_server_statistics %}.'
|
||||
versions:
|
||||
feature: server-statistics
|
||||
ghes: '*'
|
||||
redirect_from:
|
||||
- /early-access/github/analyze-how-your-team-works-with-server-statistics/about-server-statistics/enabling-server-statistics
|
||||
- /admin/configuration/configuring-github-connect/enabling-server-statistics-for-your-enterprise
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
title: About Server Statistics
|
||||
intro: 'You can use {% data variables.product.prodname_server_statistics %} to analyze your own aggregate data from {% data variables.product.prodname_ghe_server %}, and help us improve {% data variables.product.company_short %} products.'
|
||||
versions:
|
||||
feature: server-statistics
|
||||
ghes: '*'
|
||||
permissions: 'Enterprise owners can enable {% data variables.product.prodname_server_statistics %}.'
|
||||
redirect_from:
|
||||
- /early-access/github/analyze-how-your-team-works-with-server-statistics/about-server-statistics
|
||||
|
||||
@@ -3,7 +3,7 @@ title: Exporting Server Statistics
|
||||
shortTitle: Export Server Statistics
|
||||
intro: 'You can use your own tools to analyze your {% data variables.product.prodname_ghe_server %} usage over time by downloading your {% data variables.product.prodname_server_statistics %} metrics in a CSV or JSON file.'
|
||||
versions:
|
||||
feature: server-statistics
|
||||
ghes: '*'
|
||||
redirect_from:
|
||||
- /early-access/github/analyze-how-your-team-works-with-server-statistics/exploring-server-statistics
|
||||
---
|
||||
|
||||
@@ -3,7 +3,7 @@ title: Analyzing how your team works with Server Statistics
|
||||
shortTitle: Server Statistics
|
||||
intro: 'To analyze how your team works, understand the value you get from {% data variables.product.prodname_ghe_server %}, and help us improve our products, you can use {% data variables.product.prodname_server_statistics %} to review your usage data for {% data variables.product.prodname_ghe_server %} and share this aggregate data with {% data variables.product.company_short %}.'
|
||||
versions:
|
||||
feature: server-statistics
|
||||
ghes: '*'
|
||||
children:
|
||||
- /about-server-statistics
|
||||
- /exporting-server-statistics
|
||||
|
||||
@@ -3,7 +3,7 @@ title: Requesting Server Statistics using the REST API
|
||||
shortTitle: Server Statistics and REST API
|
||||
intro: 'You can use your own tools to analyze your {% data variables.product.prodname_ghe_server %} usage over time by requesting the {% data variables.product.prodname_server_statistics %} metrics collected using the REST API.'
|
||||
versions:
|
||||
feature: server-statistics
|
||||
ghes: '*'
|
||||
redirect_from:
|
||||
- /early-access/github/analyze-how-your-team-works-with-server-statistics/requesting-server-statistics-using-the-rest-api
|
||||
---
|
||||
|
||||
@@ -58,8 +58,8 @@ To set up the audit log stream, follow the instructions for your provider:
|
||||
|
||||
* [Amazon S3](#setting-up-streaming-to-amazon-s3)
|
||||
* [Azure Blob Storage](#setting-up-streaming-to-azure-blob-storage)
|
||||
* [Azure Event Hubs](#setting-up-streaming-to-azure-event-hubs){% ifversion streaming-datadog %}
|
||||
* [Datadog](#setting-up-streaming-to-datadog){% endif %}
|
||||
* [Azure Event Hubs](#setting-up-streaming-to-azure-event-hubs)
|
||||
* [Datadog](#setting-up-streaming-to-datadog)
|
||||
* [Google Cloud Storage](#setting-up-streaming-to-google-cloud-storage)
|
||||
* [Splunk](#setting-up-streaming-to-splunk)
|
||||
|
||||
@@ -230,8 +230,6 @@ From {% data variables.product.prodname_dotcom %}:
|
||||
1. Click **Check endpoint** to verify that {% data variables.product.prodname_dotcom %} can connect and write to the Azure Events Hub endpoint.
|
||||
{% data reusables.enterprise.verify-audit-log-streaming-endpoint %}
|
||||
|
||||
{% ifversion streaming-datadog %}
|
||||
|
||||
### Setting up streaming to Datadog
|
||||
|
||||
To set up streaming to Datadog, create a client token or an API key in Datadog, then configure audit log streaming in {% data variables.product.product_name %} using the token for authentication. You do not need to create a bucket or other storage container in Datadog.
|
||||
@@ -247,7 +245,6 @@ After you set up streaming to Datadog, you can see your audit log data by filter
|
||||
1. To verify that {% data variables.product.prodname_dotcom %} can connect and write to the Datadog endpoint, click **Check endpoint**.
|
||||
{% data reusables.enterprise.verify-audit-log-streaming-endpoint %}
|
||||
1. After a few minutes, confirm that audit log data appears on the **Logs** tab in Datadog. If it doesn't appear, confirm that your token and site are correct in {% data variables.product.prodname_dotcom %}.
|
||||
{% endif %}
|
||||
|
||||
### Setting up streaming to Google Cloud Storage
|
||||
|
||||
@@ -298,9 +295,7 @@ To stream audit logs to Splunk's HTTP Event Collector (HEC) endpoint, make sure
|
||||
|
||||
Pause the stream to perform maintenance on the receiving application without losing audit data. Audit logs are stored for up to seven days on {% data variables.product.github %} and are then exported when you unpause the stream.
|
||||
|
||||
{% ifversion streaming-datadog %}
|
||||
Datadog only accepts logs from up to 18 hours in the past. If you pause a stream to a Datadog endpoint for more than 18 hours, you risk losing logs that Datadog won't accept after you resume streaming.
|
||||
{% endif %}
|
||||
|
||||
{% data reusables.enterprise.navigate-to-log-streaming-tab %}
|
||||
1. To the right of your configured stream, click **Pause stream**.
|
||||
|
||||
@@ -178,11 +178,9 @@ You can enable branch restrictions in public repositories owned by a {% data var
|
||||
|
||||
When you enable branch restrictions, only users, teams, or apps that have been given permission can push to the protected branch. You can view and edit the users, teams, or apps with push access to a protected branch in the protected branch's settings. When status checks are required, the people, teams, and apps that have permission to push to a protected branch will still be prevented from merging into the branch when the required checks fail. People, teams, and apps that have permission to push to a protected branch will still need to create a pull request when pull requests are required.
|
||||
|
||||
{% ifversion restrict-pushes-create-branch %}
|
||||
Optionally, you can apply the same restrictions to the creation of branches that match the rule. For example, if you create a rule that only allows a certain team to push to any branches that contain the word `release`, only members of that team would be able to create a new branch that contains the word `release`.
|
||||
{% endif %}
|
||||
|
||||
You can only give push access to a protected branch, or give permission to create a matching branch, to users, teams, or installed {% data variables.product.prodname_github_apps %} with write access to a repository. People and apps with admin permissions to a repository are always able to push to a protected branch{% ifversion restrict-pushes-create-branch %} or create a matching branch{% endif %}.
|
||||
You can only give push access to a protected branch, or give permission to create a matching branch, to users, teams, or installed {% data variables.product.prodname_github_apps %} with write access to a repository. People and apps with admin permissions to a repository are always able to push to a protected branch or create a matching branch.
|
||||
|
||||
### Allow force pushes
|
||||
|
||||
|
||||
@@ -92,9 +92,7 @@ When you create a branch rule, the branch you specify doesn't have to exist yet
|
||||
1. Optionally, select **Do not allow bypassing the above settings**.
|
||||
1. Optionally,{% ifversion fpt or ghec %} in public repositories owned by a {% data variables.product.prodname_free_user %} organization and in all repositories owned by an organization using {% data variables.product.prodname_team %} or {% data variables.product.prodname_ghe_cloud %},{% endif %} enable branch restrictions.
|
||||
* Select **Restrict who can push to matching branches**.
|
||||
{%- ifversion restrict-pushes-create-branch %}
|
||||
* Optionally, to also restrict the creation of matching branches, select **Restrict pushes that create matching branches**.
|
||||
{%- endif %}
|
||||
* In the search field, search for and select the people, teams, or apps who will have permission to push to the protected branch or create a matching branch.
|
||||
1. Optionally, under "Rules applied to everyone including administrators", select **Allow force pushes**.
|
||||
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
To control access to runners at the organization{% ifversion ghec or ghes %} and/or enterprise levels, enterprise and organization owners can use runner groups.{% else %} level, organizations using the {% data variables.product.prodname_team %} plan can use runner groups.{% endif %} Runner groups are used to collect sets of runners and create a security boundary around them.
|
||||
|
||||
When you grant access to a runner group, you can see the runner group listed in the organization's runner settings. Optionally, you can assign additional granular repository{% ifversion restrict-groups-to-workflows %} and workflow{% endif %} access policies to the runner group.
|
||||
When you grant access to a runner group, you can see the runner group listed in the organization's runner settings. Optionally, you can assign additional granular repository{% ifversion ghec or ghes %} and workflow{% endif %} access policies to the runner group.
|
||||
|
||||
When new runners are created, they are automatically assigned to the default group unless otherwise specified. Runners can only be in one group at a time. You can move runners from one runner group to another. For more information, see [Moving a runner to a group](#moving-a-runner-to-a-group).
|
||||
|
||||
|
||||
@@ -7,7 +7,7 @@ Always include a security admonition above this procedure. This is either one of
|
||||
|
||||
{% endcomment %}
|
||||
|
||||
Enterprises can add their runners to groups for access management. Enterprises can create groups of runners that are accessible to specific organizations in the enterprise account{% ifversion restrict-groups-to-workflows %} or to specific workflows{% endif %}. Organization owners can then assign additional granular repository{% ifversion restrict-groups-to-workflows %} or workflow{% endif %} access policies to the enterprise runner groups. For information about how to create a runner group with the REST API, see the enterprise endpoints in the [{% data variables.product.prodname_actions %} REST API](/rest/actions#self-hosted-runner-groups).
|
||||
Enterprises can add their runners to groups for access management. Enterprises can create groups of runners that are accessible to specific organizations in the enterprise account{% ifversion ghec or ghes %} or to specific workflows{% endif %}. Organization owners can then assign additional granular repository{% ifversion ghec or ghes %} or workflow{% endif %} access policies to the enterprise runner groups. For information about how to create a runner group with the REST API, see the enterprise endpoints in the [{% data variables.product.prodname_actions %} REST API](/rest/actions#self-hosted-runner-groups).
|
||||
|
||||
If no group is specified during the registration process, runners are automatically added to a default group. You can later move the runner from the default group to a custom group. For more information, see [Moving a runner to a group](#moving-a-runner-to-a-group).
|
||||
|
||||
|
||||
@@ -8,7 +8,7 @@ Always include a security admonition above this procedure. This is either one of
|
||||
{% endcomment %}
|
||||
|
||||
> [!NOTE]
|
||||
> When creating a runner group, you must choose a policy that defines which repositories{% ifversion restrict-groups-to-workflows %} and workflows{% endif %} have access to the runner group. To change which repositories and workflows can access the runner group, organization owners{% ifversion custom-org-roles %} and users with the “Manage organization runners and runner groups” permission{% endif %} can set a policy for the organization. For more information, see [AUTOTITLE](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#disabling-repository-level-self-hosted-runners).
|
||||
> When creating a runner group, you must choose a policy that defines which repositories{% ifversion ghec or ghes %} and workflows{% endif %} have access to the runner group. To change which repositories and workflows can access the runner group, organization owners{% ifversion custom-org-roles %} and users with the “Manage organization runners and runner groups” permission{% endif %} can set a policy for the organization. For more information, see [AUTOTITLE](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#disabling-repository-level-self-hosted-runners).
|
||||
|
||||
All organizations have a single default runner group. {% ifversion fpt %}Organization owners using the {% data variables.product.prodname_team %} plan{% else %}Organization owners{% ifversion custom-org-roles %} and users with the "Manage organization runners and runner groups" permission{% endif %}{% endif %} can create additional organization-level runner groups. {% ifversion custom-org-roles %}For more information about custom organization roles, see [AUTOTITLE](/organizations/managing-peoples-access-to-your-organization-with-roles/about-custom-organization-roles).{% endif %}
|
||||
|
||||
@@ -22,5 +22,5 @@ For information about how to create a runner group with the REST API, see [AUTOT
|
||||
1. In the "Runner groups" section, click **New runner group**.
|
||||
1. Enter a name for your runner group.
|
||||
{% data reusables.actions.runner-group-assign-policy-repo %}
|
||||
{% data reusables.actions.runner-group-assign-policy-workflow %}{%- ifversion restrict-groups-to-workflows %} Organization-owned runner groups cannot access workflows from a different organization in the enterprise; instead, you must create an enterprise-owned runner group.{% endif %}
|
||||
{% data reusables.actions.runner-group-assign-policy-workflow %}{%- ifversion ghec or ghes %} Organization-owned runner groups cannot access workflows from a different organization in the enterprise; instead, you must create an enterprise-owned runner group.{% endif %}
|
||||
{% data reusables.actions.create-runner-group %}
|
||||
|
||||
@@ -20,7 +20,6 @@ permissions:
|
||||
id-token: write # This is required for requesting the JWT
|
||||
```
|
||||
|
||||
{% ifversion restricted-permissions-oidc %}
|
||||
You may need to specify additional permissions here, depending on your workflow's requirements.
|
||||
|
||||
For reusable workflows that are owned by the same user, organization, or enterprise as the caller workflow, the OIDC token generated in the reusable workflow can be accessed from the caller's context.
|
||||
@@ -28,4 +27,3 @@ For reusable workflows outside your enterprise or organization, the `permissions
|
||||
This ensures that the OIDC token generated in the reusable workflow is only allowed to be consumed in the caller workflows when intended.
|
||||
|
||||
For more information, see [AUTOTITLE](/actions/using-workflows/reusing-workflows).
|
||||
{% endif %}
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
{%- ifversion restrict-groups-to-workflows %}
|
||||
{%- ifversion ghec or ghes %}
|
||||
1. Assign a policy for workflow access.
|
||||
|
||||
You can configure a runner group to be accessible to a specific list of workflows, or to all workflows. This setting can't be overridden if you are configuring an organization's runner group that was shared by an enterprise. If you specify what workflow can access the runner group, you must use the full path to the workflow, including the repository name and owner, and you must pin the workflow to a branch, tag, or full SHA. For example: `octo-org/octo-repo/.github/workflows/build.yml@v2, octo-org/octo-repo/.github/workflows/deploy.yml@d6dc6c96df4f32fa27b039f2084f576ed2c5c2a5, monalisa/octo-test/.github/workflows/test.yml@main`.
|
||||
|
||||
@@ -3,4 +3,4 @@
|
||||
> [!NOTE]
|
||||
> When you require SSH certificates, users will not be able to authenticate to access the organization's repositories over HTTPS or with an unsigned SSH key{% ifversion ghes %}.{% elsif ghec %}, regardless of whether the SSH key is authorized for an organization that requires authentication through an external identity system.{% endif %}
|
||||
>
|
||||
> The requirement does not apply to authorized {% data variables.product.prodname_github_apps %} {% ifversion ssh-cert-policy-allow-u2s-tokens %}(including user-to-server tokens){% endif %}, deploy keys, or to {% data variables.product.prodname_dotcom %} features such as {% data variables.product.prodname_actions %}{% ifversion fpt or ghec %} and {% data variables.product.prodname_codespaces %}{% endif %}, which are trusted environments within the {% data variables.product.prodname_dotcom %} ecosystem.
|
||||
> The requirement does not apply to authorized {% data variables.product.prodname_github_apps %} (including user-to-server tokens), deploy keys, or to {% data variables.product.prodname_dotcom %} features such as {% data variables.product.prodname_actions %}{% ifversion fpt or ghec %} and {% data variables.product.prodname_codespaces %}{% endif %}, which are trusted environments within the {% data variables.product.prodname_dotcom %} ecosystem.
|
||||
|
||||
Reference in New Issue
Block a user