Merge branch 'main' into codeowners

.github/workflows/openapi-decorate.yml

@@ -63,6 +63,7 @@ jobs:
           git status
           echo "Deleting the cloned github/rest-api-description repo..."
           rm -rf rest-api-description
+          rm -rf openApiTemp
 
       - name: Create pull request
         env:

content/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise.md

@@ -1093,7 +1093,7 @@ Before you'll see `git` category actions, you must enable Git events in the audi
 {%- ifversion ghes %}
 | `repo.disk_archive`  | A repository was archived on disk. For more information, see "[AUTOTITLE](/repositories/archiving-a-github-repository/archiving-repositories)."
 {%- endif %}
-| `repo.download_zip` | A source code archive of a repository was downloaded as a ZIP file.
+| `repo.download_zip` | A source code archive of a repository was downloaded as a ZIP file. For more information, see "[AUTOTITLE](/repositories/working-with-files/using-files/downloading-source-code-archives)."
 | `repo.pages_cname` | A {% data variables.product.prodname_pages %} custom domain was modified in a repository.
 | `repo.pages_create` | A {% data variables.product.prodname_pages %} site was created.
 | `repo.pages_destroy` | A {% data variables.product.prodname_pages %} site was deleted.

content/apps/creating-github-apps/authenticating-with-a-github-app/authenticating-as-a-github-app-installation.md

@@ -0,0 +1,145 @@
+---
+title: Authenticating as a GitHub App installation
+shortTitle: Authenticate as an installation
+intro: You can make your {% data variables.product.prodname_github_app %} authenticate as an installation in order to make API requests that affect resources owned by the account where the app is installed.
+versions:
+  fpt: '*'
+  ghes: '*'
+  ghae: '*'
+  ghec: '*'
+topics:
+  - GitHub Apps
+---
+
+## About authentication as a {% data variables.product.prodname_github_app %} installation
+
+Once your {% data variables.product.prodname_github_app %} is installed on an account, you can make it authenticate as an app installation for API requests. This allows the app to access resources owned by that installation, as long as the app was granted the necessary repository access and permissions. API requests made by an app installation are attributed to the app. For more information about installing GitHub Apps, see "[Installing GitHub Apps](/developers/apps/managing-github-apps/installing-github-apps)."
+
+For example, if you want your app to change the `Status` field of an issue on a project owned by an organization called "octo-org," then you would authenticate as the octo-org installation of your app. The timeline of the issue would state that your app updated the status.
+
+To make an API request as an installation, you must first generate an installation access token. Then, you will send the installation access token in the `Authorization` header of your subsequent API requests. You can also use {% data variables.product.company_short %}'s Octokit SDKs, which can generate an installation access token for you.
+
+API requests that are made by app installations are called "server-to-server requests." If a REST API endpoint works with server-to-server requests, the REST reference documentation for that endpoint will say "Works with {% data variables.product.prodname_github_apps %}." Additionally, your app must have the required permissions to use the endpoint. For more information about the permissions required for REST API endpoints, see "[Permissions required for GitHub Apps](/rest/overview/permissions-required-for-github-apps)."
+
+App installations can also use the GraphQL API. Similar to the REST API, the app must have certain permissions to access objects in the GraphQL API. For GraphQL requests, you should test you app to ensure that your app has the required permissions for the GraphQL queries and mutations that you want to make.
+
+For more information about authenticating as an app on behalf of a user instead of as an app installation, see "[AUTOTITLE](/apps/creating-github-apps/authenticating-with-a-github-app/identifying-and-authorizing-users-for-github-apps)".
+
+## Using an installation access token to authenticate as an app installation
+
+To authenticate as an installation with an installation access token, first use the REST API to generate an installation access token. Then, use that installation access token in the `Authorization` header of a REST API or GraphQL API request. The installation access token will expire after 1 hour.
+
+### Generating an installation access token
+
+{% data reusables.apps.generate-installation-access-token %}
+
+### Authenticating with an installation access token
+
+To authenticate with an installation access token, include it in the `Authorization` header of an API request. The access token will work with both the GraphQL API and the REST API.
+
+Your app must have the required permissions to use the endpoint. For more information about the permissions required for REST API endpoints, see "[Permissions required for GitHub Apps](/rest/overview/permissions-required-for-github-apps)." For GraphQL requests, you should test your app to ensure that it has the required permissions for the GraphQL queries and mutations that you want to make.
+
+In the following example, replace `INSTALLATION_ACCESS_TOKEN` with an installation access token:
+
+```shell
+curl --request GET \
+--url "{% data variables.product.api_url_pre %}meta" \
+--header "Accept: application/vnd.github+json" \
+--header "Authorization: Bearer INSTALLATION_ACCESS_TOKEN"{% ifversion api-date-versioning %}\
+--header "X-GitHub-Api-Version: {{ allVersions[currentVersion].latestApiVersion }}"{% endif %}
+```
+
+## Using the Octokit.js SDK to authenticate as an app installation
+
+You can use {% data variables.product.company_short %}'s Octokit.js SDK to authenticate as an app installation. One advantage of using the SDK to authenticate is that you do not need to generate a JSON web token (JWT) yourself. Additionally, the SDK will take care of regenerating an installation access token for you so you don't need to worry about the one hour expiration.
+
+{% note %}
+
+You must install and import `octokit` in order to use the Octokit.js library. The following example uses import statements in accordance with ES6. For more information about different installation and import methods, see [the Octokit.js README's Usage section](https://github.com/octokit/octokit.js/#usage).
+
+{% endnote %}
+
+### Using Octokit.js to authenticate with an installation ID
+
+1. Get the ID of your app. You can find your app's ID on the settings page for your app. For user-owned apps, the settings page is `https://github.com/settings/apps/APP-SLUG`. For organization-owned apps, the settings page is `https://github.com/organizations/ORGANIZATION/settings/apps/APP-SLUG`. Replace `APP-SLUG` with the slugified name of your app. Replace `ORGANIZATION` with the slugified name of your organization. For example, `https://github.com/organizations/octo-org/settings/apps/octo-app`.
+1. Generate a private key. For more information, see "[AUTOTITLE](/apps/creating-github-apps/authenticating-with-a-github-app/managing-private-keys-for-github-apps)".
+1. Get the ID of the installation that you want to authenticate as.
+
+   If you are responding to a webhook event, the webhook payload will include the installation ID.
+
+   You can also use the REST API to find the ID for an installation of your app. For example, you can get an installation ID with the `GET /users/{username}/installation`, `GET /repos/{owner}/{repo}/installation`, `GET /orgs/{org}/installation`, or `GET /app/installations` endpoints. For more information, see "[AUTOTITLE](/rest/apps/apps)".
+1. Import `App` from `octokit`. Create a new instance of `App`. In the following example, replace `APP_ID` with a reference to your app's ID. Replace `PRIVATE_KEY` with a reference to your app's private key.
+
+   ```javascript{:copy}
+   import { App } from "octokit";
+ 
+   const app = new App({
+     appId: APP_ID,
+     privateKey: PRIVATE_KEY,
+   });
+   ```
+
+1. Use the `getInstallationOctokit` method to create an authenticated `octokit` instance. In the following example, replace `INSTALLATION_ID` with the ID of the installation of your app that you want to authenticate on behalf of.
+
+   ```javascript{:copy}
+   const octokit = await app.getInstallationOctokit(INSTALLATION_ID);
+   ```
+
+1. Use an `octokit` method to make a request to the API.
+
+   Your app must have the required permissions to use the endpoint. For more information about the permissions required for REST API endpoints, see "[Permissions required for GitHub Apps](/rest/overview/permissions-required-for-github-apps)." For GraphQL requests, you should test you app to ensure that your app has the required permissions for the GraphQL queries and mutations that you want to make.
+
+   For example, to make a request to the GraphQL API:
+
+   ```javascript{:copy}
+   await octokit.graphql(`
+     query { 
+       viewer { 
+         login
+       }
+     }
+     `)
+   ```
+
+   For example, to make a request to the REST API:
+
+   ```javascript{:copy}
+   await octokit.request("GET /meta")
+   ```
+
+### Using Octokit.js to authenticate in response to a webhook event
+
+The Octokit.js SDK also passes a pre-authenticated `octokit` instance to webhook event handlers.
+
+1. Get the ID of your app. You can find your app's ID on the settings page for your app. For user-owned apps, the settings page is `https://github.com/settings/apps/APP-SLUG`. For organization-owned apps, the settings page is `https://github.com/organizations/ORGANIZATION/settings/apps/APP-SLUG`. Replace `APP-SLUG` with the slugified name of your app. Replace `ORGANIZATION` with the slugified name of your organization. For example, `https://github.com/organizations/octo-org/settings/apps/octo-app`.
+1. Generate a private key. For more information, see "[AUTOTITLE](/apps/creating-github-apps/authenticating-with-a-github-app/managing-private-keys-for-github-apps)".
+1. Get the webhook secret that you specified in your app's settings.
+1. Import `App` from `octokit`. Create a new instance of `App`. In the following example, replace `APP_ID` with a reference to your app's ID. Replace `PRIVATE_KEY` with a reference to your app's private key. Replace `WEBHOOK_SECRET` with the your app's webhook secret.
+
+   ```javascript{:copy}
+   import { App } from "octokit";
+ 
+   const app = new App({
+     appId: APP_ID,
+     privateKey: PRIVATE_KEY,
+     webhooks: { WEBHOOK_SECRET },
+   });
+   ```
+
+1. Use an `app.webhooks.*` method to handle webhook events. For more information, see [the Octokit.js README's Webhooks section](https://github.com/octokit/octokit.js#webhooks). For example, to create a comment on an issue when the issue is opened:
+
+   ```javascript
+   app.webhooks.on("issues.opened", ({ octokit, payload }) => {
+     await octokit.request("POST /repos/{owner}/{repo}/issues/{issue_number}/comments", {
+         owner: payload.repository.owner.login,
+         repo: payload.repository.name,
+         issue_number: payload.issue.number,
+         body: `This is a bot post in response to this issue being opened.`,
+         {% ifversion api-date-versioning %}
+         headers: {
+           "x-github-api-version": "{{ allVersions[currentVersion].latestApiVersion }}",
+         },{% endif %}
+       }
+     )
+   });
+   ```

content/apps/creating-github-apps/authenticating-with-a-github-app/generating-an-installation-access-token-for-a-github-app.md

@@ -0,0 +1,26 @@
+---
+title: Generating an installation access token for a GitHub App
+shortTitle: Installation access token
+intro: Learn how to generate an installation access token for your {% data variables.product.prodname_github_app %}.
+versions:
+  fpt: '*'
+  ghes: '*'
+  ghae: '*'
+  ghec: '*'
+topics:
+  - GitHub Apps
+---
+
+## About installation access tokens
+
+In order to authenticate as an app installation, you must generate an installation access token. For more information about authenticating as an app installation, see "[Authenticating as a GitHub App installation](/apps/creating-github-apps/authenticating-with-a-github-app/authenticating-as-a-github-app-installation)."
+
+{% note %}
+
+**Note**: Instead of generating an installation access token, you can use {% data variables.product.company_short %}'s Octokit SDKs to authenticate as an app. The SDK will take care of generating an installation access token for you and will regenerate the token once it expires. For more information about authenticating as an app installation, see "[Authenticating as a GitHub App installation](/apps/creating-github-apps/authenticating-with-a-github-app/authenticating-as-a-github-app-installation)."
+
+{% endnote %}
+
+## Generating an installation access token
+
+{% data reusables.apps.generate-installation-access-token %}

content/apps/creating-github-apps/authenticating-with-a-github-app/index.md

@@ -10,9 +10,11 @@ topics:
   - GitHub Apps
 children:
   - /authenticating-with-github-apps
-  - /identifying-and-authorizing-users-for-github-apps
-  - /refreshing-user-to-server-access-tokens
   - /authenticating-as-a-github-app
+  - /authenticating-as-a-github-app-installation
   - /managing-private-keys-for-github-apps
   - /generating-a-json-web-token-jwt-for-a-github-app
+  - /generating-an-installation-access-token-for-a-github-app
+  - /identifying-and-authorizing-users-for-github-apps
+  - /refreshing-user-to-server-access-tokens
 ---

content/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts.md

@@ -147,7 +147,9 @@ For supported languages, {% data variables.product.prodname_dependabot %} detect
 1. View the details for an alert. For more information, see "[Viewing {% data variables.product.prodname_dependabot_alerts %}](#viewing-dependabot-alerts)" (above).
 {% ifversion fpt or ghec or ghes %}
 1. If you have {% data variables.product.prodname_dependabot_security_updates %} enabled, there may be a link to a pull request that will fix the dependency. Alternatively, you can click **Create {% data variables.product.prodname_dependabot %} security update** at the top of the alert details page to create a pull request.
-  ![Create {% data variables.product.prodname_dependabot %} security update button](/assets/images/help/repository/create-dependabot-security-update-button-ungrouped.png)
+
+  ![Screenshot of a {% data variables.product.prodname_dependabot %} alert with the "Create {% data variables.product.prodname_dependabot %} security update" button highlighted with a dark orange outline.](/assets/images/help/repository/create-dependabot-security-update-button-ungrouped.png)
+
 1. Optionally, if you do not use {% data variables.product.prodname_dependabot_security_updates %}, you can use the information on the page to decide which version of the dependency to upgrade to and create a pull request to update the dependency to a secure version.
 {% elsif ghae %}
 1. You can use the information on the page to decide which version of the dependency to upgrade to and create a pull request to the manifest or lock file to a secure version.
@@ -201,12 +203,11 @@ You can view all open alerts, and you can reopen alerts that have been previousl
 1. To just view closed alerts, click **Closed**.
 
    {%- ifversion dependabot-bulk-alerts %}
-   ![Screenshot showing the list of Dependabot alerts with the "Closed" tab highlighted with a dark orange outline.](/assets/images/help/repository/dependabot-alerts-closed-checkbox.png)
-   {%- else %}
-   ![Screenshot showing the list of Dependabot alerts with the "Closed" tab highlighted with a dark orange outline.](/assets/images/help/repository/dependabot-alerts-closed.png)
+   ![Screenshot showing the list of {% data variables.product.prodname_dependabot_alerts %} with the "Closed" tab highlighted with a dark orange outline.](/assets/images/help/repository/dependabot-alerts-closed-checkbox.png)
    {%- endif %}
+
 1. Click the alert that you would like to view or update.
-2. Optionally, if the alert was dismissed and you wish to reopen it, click **Reopen**. Alerts that have already been fixed cannot be reopened.
+1. Optionally, if the alert was dismissed and you wish to reopen it, click **Reopen**. Alerts that have already been fixed cannot be reopened.
 
    {% indented_data_reference reusables.enterprise.3-5-missing-feature spaces=3 %}
    ![Screenshot showing the "Reopen" button](/assets/images/help/repository/reopen-dismissed-alert.png)

content/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories.md

@@ -49,10 +49,12 @@ You can enable {% data variables.secret-scanning.user_alerts %} for any {% ifver
    {% ifversion ghec %}![Enable {% data variables.product.prodname_GH_advanced_security %} for your repository](/assets/images/help/repository/enable-ghas-dotcom.png)
    {% elsif ghes or ghae %}![Enable {% data variables.product.prodname_GH_advanced_security %} for your repository](/assets/images/enterprise/3.1/help/repository/enable-ghas.png){% endif %}
 1. Review the impact of enabling {% data variables.product.prodname_advanced_security %}, then click **Enable {% data variables.product.prodname_GH_advanced_security %} for this repository**.
-1. When you enable {% data variables.product.prodname_advanced_security %}, {% data variables.product.prodname_secret_scanning %} may automatically be enabled for the repository due to the organization's settings. If "{% data variables.product.prodname_secret_scanning_caps %}" is shown with an **Enable** button, you still need to enable {% data variables.product.prodname_secret_scanning %} by clicking **Enable**. If you see a **Disable** button, {% data variables.product.prodname_secret_scanning %} is already enabled.
-   ![Enable {% data variables.product.prodname_secret_scanning %} for your repository](/assets/images/help/repository/enable-secret-scanning-ghec.png){% endif %}{% ifversion fpt %}
-2. Scroll down to the bottom of the page, and click **Enable** for {% data variables.product.prodname_secret_scanning %}. If you see a **Disable** button, it means that {% data variables.product.prodname_secret_scanning %} is already enabled for the repository.
-   ![Enable {% data variables.product.prodname_secret_scanning %} for your repository](/assets/images/help/repository/enable-secret-scanning-alerts-fpt.png){% endif %}
+1. When you enable {% data variables.product.prodname_advanced_security %}, {% data variables.product.prodname_secret_scanning %} may automatically be enabled for the repository due to the organization's settings. If "{% data variables.product.prodname_secret_scanning_caps %}" is shown with an **Enable** button, you still need to enable {% data variables.product.prodname_secret_scanning %} by clicking **Enable**. If you see a **Disable** button, {% data variables.product.prodname_secret_scanning %} is already enabled. 
+   
+   ![Screenshot of the "{% data variables.product.prodname_secret_scanning_caps %}" section of the "Code security and analysis" page, with the "Enable" button highlighted in a dark orange outline.](/assets/images/help/repository/enable-secret-scanning-alerts.png){% endif %}{% ifversion fpt %}
+1. Scroll down to the bottom of the page, and click **Enable** for {% data variables.product.prodname_secret_scanning %}. If you see a **Disable** button, it means that {% data variables.product.prodname_secret_scanning %} is already enabled for the repository. 
+   
+   ![Screenshot of the "{% data variables.product.prodname_secret_scanning_caps %}" section of the "Code security and analysis" page, with the "Enable" button highlighted in a dark orange outline.](/assets/images/help/repository/enable-secret-scanning-alerts.png){% endif %}
 
 {% ifversion secret-scanning-push-protection %}
 1. Optionally, if you want to enable push protection, click **Enable** to the right of "Push protection." {% data reusables.secret-scanning.push-protection-overview %} For more information, see "[AUTOTITLE](/code-security/secret-scanning/protecting-pushes-with-secret-scanning)."

content/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization.md

@@ -684,7 +684,7 @@ For more information, see "[AUTOTITLE](/organizations/managing-organization-sett
 | `create_actions_secret` |Triggered when a {% data variables.product.prodname_actions %} secret is created for a repository. For more information, see "[AUTOTITLE](/actions/security-guides/encrypted-secrets#creating-encrypted-secrets-for-a-repository)."{% endif %}
 | `destroy` | Triggered when [a repository is deleted](/repositories/creating-and-managing-repositories/deleting-a-repository).{% ifversion fpt or ghec %}
 | `disable` | Triggered when a repository is disabled (e.g., for [insufficient funds](/billing/managing-your-github-billing-settings/unlocking-a-locked-account)).{% endif %}
-| `download_zip` | A source code archive of a repository was downloaded as a ZIP file.
+| `download_zip` | A source code archive of a repository was downloaded as a ZIP file.  For more information, see "[AUTOTITLE](/repositories/working-with-files/using-files/downloading-source-code-archives)."
 | `enable` | Triggered when a repository is re-enabled.{% ifversion fpt or ghes or ghec %}
 | `remove_actions_secret` | Triggered when a {% data variables.product.prodname_actions %} secret is removed.{% endif %}
 | `remove_member` | Triggered when a user is [removed from a repository as a collaborator](/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/removing-a-collaborator-from-a-personal-repository).

content/organizations/managing-user-access-to-your-organizations-repositories/setting-base-permissions-for-an-organization.md

@@ -28,6 +28,12 @@ If someone with admin access to an organization's repository grants a member a h
 If you've created a custom repository role with an inherited role that is lower access than your organization's base permissions, any members assigned to that role will default to the organization's base permissions rather than the inherited role. For more information, see "[AUTOTITLE](/organizations/managing-peoples-access-to-your-organization-with-roles/managing-custom-repository-roles-for-an-organization)."
 {% endif %}
 
+{% note %}
+
+**Note:** All changes to base permissions will affect both new and existing members. 
+
+{% endnote %}
+
 ## Setting base permissions
 
 {% data reusables.profile.access_org %}

content/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/managing-git-lfs-objects-in-archives-of-your-repository.md

@@ -14,7 +14,7 @@ redirect_from:
 ---
 ## About {% data variables.large_files.product_name_short %} objects in archives
 
-{% data variables.product.product_name %} creates source code archives of your repository in the form of ZIP files and tarballs. People can download these archives on the main page of your repository or as release assets. By default, {% data variables.large_files.product_name_short %} objects are not included in these archives, only the pointer files to these objects. To improve the usability of archives for your repository, you can choose to include the {% data variables.large_files.product_name_short %} objects instead. To be included, the {% data variables.large_files.product_name_short %} objects must be covered by tracking rules in a *.gitattributes* file that has been committed to the repository.
+{% data variables.product.product_name %} creates [source code archives](/repositories/working-with-files/using-files/downloading-source-code-archives) of your repository in the form of ZIP files and tarballs. People can download these archives on the main page of your repository or as release assets. By default, {% data variables.large_files.product_name_short %} objects are not included in these archives, only the pointer files to these objects. To improve the usability of archives for your repository, you can choose to include the {% data variables.large_files.product_name_short %} objects instead. To be included, the {% data variables.large_files.product_name_short %} objects must be covered by tracking rules in a *.gitattributes* file that has been committed to the repository.
 
 If you choose to include {% data variables.large_files.product_name_short %} objects in archives of your repository, every download of those archives will count towards bandwidth usage for your account. Each account receives {% data variables.large_files.initial_bandwidth_quota %} per month of bandwidth for free, and you can pay for additional usage. For more information, see "[AUTOTITLE](/repositories/working-with-files/managing-large-files/about-storage-and-bandwidth-usage)" and "[AUTOTITLE](/billing/managing-billing-for-git-large-file-storage)."
 

content/repositories/working-with-files/managing-large-files/about-storage-and-bandwidth-usage.md

@@ -24,7 +24,7 @@ For example:
 - If {% data variables.product.prodname_actions %} downloads a 500 MB file that is tracked with LFS, it will use 500 MB of the repository owner's allotted bandwidth.
 
 {% ifversion fpt or ghec %}
-If {% data variables.large_files.product_name_long %} ({% data variables.large_files.product_name_short %}) objects are included in source code archives for your repository, downloads of those archives will count towards bandwidth usage for the repository. For more information, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/managing-git-lfs-objects-in-archives-of-your-repository)."
+If {% data variables.large_files.product_name_long %} ({% data variables.large_files.product_name_short %}) objects are included in [source code archives](/repositories/working-with-files/using-files/downloading-source-code-archives) for your repository, downloads of those archives will count towards bandwidth usage for the repository. For more information, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/managing-git-lfs-objects-in-archives-of-your-repository)."
 {% endif %}
 
 {% tip %}

content/repositories/working-with-files/using-files/downloading-source-code-archives.md

@@ -0,0 +1,74 @@
+---
+title: Downloading source code archives
+intro: 'You can download a snapshot of the code in your repository.'
+versions:
+  fpt: '*'
+  ghes: '*'
+  ghae: '*'
+  ghec: '*'
+topics:
+  - Repositories
+shortTitle: Source code archives
+---
+## Overview of source code archives
+
+You can download a snapshot of any branch, tag, or specific commit from {% data variables.location.product_location %}. These snapshots are generated by the [`git archive` command](https://git-scm.com/docs/git-archive) in one of two formats: tarball or zipball. Snapshots don't contain the entire repository history. If you want the entire history, you can clone the repository. For more information, see "[AUTOTITLE](/repositories/creating-and-managing-repositories/cloning-a-repository)."
+
+## Downloading source code archives
+
+You can download the source code archives in three ways.
+
+### Downloading source code archives from the repository view
+
+{% data reusables.repositories.navigate-to-repo %}
+1. Above the list of files, click {% octicon "download" aria-label="The download icon" %} **Code**.
+
+   !["Code" button](/assets/images/help/repository/code-button.png)
+
+1. Click {% octicon "file-zip" aria-label="The ZIP icon" %} **Download ZIP**.
+
+### Downloading source code archives from a release
+
+{% data reusables.repositories.navigate-to-repo %}
+{% data reusables.repositories.releases %}
+1. Scroll down to the "Assets" section of the release.
+1. To download the source code, click {% octicon "file-zip" aria-label="The ZIP icon" %} **Source code (zip)** or {% octicon "file-zip" aria-label="The ZIP icon" %} **Source code (tar.gz)**.
+
+### Downloading source code archives from a tag
+
+{% data reusables.repositories.navigate-to-repo %}
+{% data reusables.repositories.releases %}
+1. At the top of the Releases page, click **Tags**.
+1. To download the source code, click {% octicon "file-zip" aria-label="The ZIP icon" %} **zip** or {% octicon "file-zip" aria-label="The ZIP icon" %} **tar.gz**.
+
+   ![Screenshot of the "Tags" page of a repository. The zip and tar.gz options are outlined in dark orange.](/assets/images/help/repository/tags-download-zip-targz.png)
+
+## Source code archive URLs
+
+Source code archives are available at specific URLs for each repository. For example, consider the repository `github/codeql`. There are different URLs for downloading a branch, a tag, or a specific commit ID.
+
+| Type of archive | Example | URL     |
+|-----------------|---------|---------|
+| Branch          | `main`  | [https://github.com/github/codeql/archive/refs/**heads/main**.tar.gz](https://github.com/github/codeql/archive/refs/heads/main.tar.gz) |
+| Tag             | `codeql-cli/latest` | [https://github.com/github/codeql/archive/refs/**tags/codeql-cli/latest**.zip](https://github.com/github/codeql/archive/refs/tags/codeql-cli/latest.zip)  |
+| Commit          | `aef66c4` | [https://github.com/github/codeql/archive/**aef66c462abe817e33aad91d97aa782a1e2ad2c7**.zip](https://github.com/github/codeql/archive/aef66c462abe817e33aad91d97aa782a1e2ad2c7.zip) |
+
+{% note %}
+
+**Note**: You can use either `.zip` or `.tar.gz` in the URLs above to request a zipball or tarball respectively.
+
+{% endnote %}
+
+## Stability of source code archives
+
+Source code archives are generated on request, cached for a while, and then deleted. If the same archive is requested again in the future, it'll be regenerated. It's important to understand what guarantees {% data variables.product.company_short %} makes about source code archives.
+
+* An archive of a commit ID will always have the same file contents whenever it's requested, assuming the commit ID is still in the repository.
+* Because branches and tags can move to different commit IDs, future downloads of an archive may have different contents than previously downloaded archives of the same branch or tag. Assuming the branch or tag still points at the same commit ID, it will have the same file contents.
+* The exact compression settings used to generate a zipball or tarball may change over time. The extracted contents won't change if the branch or tag doesn't change, but the outer compressed archive may have a different byte layout. {% data variables.product.company_short %} will give at least six months' notice before changing compression settings.
+
+If you rely on stability of source code archives for reproducibility (ensuring you always get identical files inside the archive), we recommend using the [archives REST API](/rest/repos/contents#download-a-repository-archive-tar) with a commit ID for `:ref`. Using the commit ID ensures you'll always get the same file contents inside the archive and you’ll be immune to repositories rewriting tags or moving branch heads.
+
+If you rely on stability of archives for security (for example: to ensure you don't attempt to unzip a maliciously-crafted file), we recommend using releases instead of using source downloads. For more information, see "[AUTOTITLE](/repositories/releasing-projects-on-github/about-releases)."
+
+You can use something like [this third-party {% data variables.product.company_short %} action](https://github.com/softprops/action-gh-release) to create and push these files as part of your release process. The [Release Assets REST API](/rest/releases/assets#get-a-release-asset) can later be used to retrieve them.

content/repositories/working-with-files/using-files/index.md

@@ -10,6 +10,7 @@ children:
   - /navigating-code-on-github
   - /viewing-a-file
   - /getting-permanent-links-to-files
+  - /downloading-source-code-archives
   - /working-with-non-code-files
 ---
 

data/reusables/apps/generate-installation-access-token.md

@@ -0,0 +1,31 @@
+1. Generate a JSON web token (JWT) for your app. For more information, see "[AUTOTITLE](/apps/creating-github-apps/authenticating-with-a-github-app/generating-a-json-web-token-jwt-for-a-github-app)".
+1. Get the ID of the installation that you want to authenticate as.
+
+   If you are responding to a webhook event, the webhook payload will include the installation ID.
+
+   You can also use the REST API to find the ID for an installation of your app. For example, you can get an installation ID with the `GET /users/{username}/installation`, `GET /repos/{owner}/{repo}/installation`, `GET /orgs/{org}/installation`, or `GET /app/installations` endpoints. For more information, see "[AUTOTITLE](/rest/apps/apps)".
+1. Send a REST API `POST` request to `/app/installations/INSTALLATION_ID/access_tokens`. Include your JSON web token in the `Authorization` header of your request. Replace `INSTALLATION_ID` with the ID of the installation that you want to authenticate as.
+
+   For example, send this curl request. Replace `INSTALLATION_ID` with the ID of the installation and `JWT` with your JSON web token:
+
+   ```shell
+   curl --request POST \
+   --url "{% data variables.product.api_url_pre %}app/installations/INSTALLATION_ID/access_tokens" \
+   --header "Accept: application/vnd.github+json" \
+   --header "Authorization: Bearer JWT"{% ifversion api-date-versioning %}\
+   --header "X-GitHub-Api-Version: {{ allVersions[currentVersion].latestApiVersion }}"{% endif %}
+   ```
+
+   Optionally, you can use the `repositories` or `repository_ids` body parameters to specify individual repositories that the installation access token can access. If you don't use `repositories` or `repository_ids` to grant access to specific repositories, the installation access token will have access to all repositories that the installation was granted access to. The installation access token cannot be granted access to repositories that the installation was not granted access to.
+
+   Optionally, use the `permissions` body parameter to specify the permissions that the installation access token should have. If `permissions` is not specified, the installation access token will have all of the permissions that were granted to the app. The installation access token cannot be granted permissions that the app was not granted.
+
+   The response will include an installation access token, the time that the token expires, the permissions that the token has, and the repositories that the token can access. The installation access token will expire after 1 hour.
+
+   For more information about this endpoint, see "[AUTOTITLE](/rest/apps/apps)".
+
+   {% note %}
+
+   **Note:** {% data reusables.getting-started.bearer-vs-token %}
+
+   {% endnote %}

data/reusables/large_files/can-include-lfs-objects-archives.md

@@ -1,3 +1,3 @@
 {% ifversion fpt or ghec %}
-You can choose whether {% data variables.large_files.product_name_short %} objects are included in source code archives, such as ZIP files and tarballs, that {% data variables.product.product_name %} creates for your repository. For more information, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/managing-git-lfs-objects-in-archives-of-your-repository)."
+You can choose whether {% data variables.large_files.product_name_short %} objects are included in [source code archives](/repositories/working-with-files/using-files/downloading-source-code-archives), such as ZIP files and tarballs, that {% data variables.product.product_name %} creates for your repository. For more information, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/managing-git-lfs-objects-in-archives-of-your-repository)."
 {% endif %}

src/graphql/scripts/utils/process-previews.js

@@ -7,8 +7,10 @@ const inputOrPayload = /(Input|Payload)$/m
 export default function processPreviews(previews) {
   // clean up raw yml data
   previews.forEach((preview) => {
-    // remove any extra info that follows a hyphen
-    preview.title = sentenceCase(preview.title.replace(/ -.+/, '')).replace('it hub', 'itHub') // fix overcorrected `git hub` from sentenceCasing
+    preview.title = sentenceCase(preview.title)
+      .replace(/ -.+/, '') // remove any extra info that follows a hyphen
+      .replace('it hub', 'itHub') // fix overcorrected `git hub` from sentenceCasing
+      .replace(' s ', "'s ") // sentenceCase replaces apostrophes with spaces
 
     // Add `preview` to the end of titles if needed
     preview.title = preview.title.endsWith('preview') ? preview.title : `${preview.title} preview`