[DO NOT MERGE] GitHub Enterprise Server 3.8 release candidate (#34113)

Co-authored-by: Rachael Sewell <rachmari@github.com>
Co-authored-by: Felicity Chapman <felicitymay@github.com>
Co-authored-by: Sarah Edwards <skedwards88@github.com>
Co-authored-by: David Jarzebowski <davidjarzebowski@github.com>
Co-authored-by: Steve Guntrip <stevecat@github.com>
Co-authored-by: Joe Clark <31087804+jc-clark@users.noreply.github.com>
Co-authored-by: Lucas Costi <lucascosti@users.noreply.github.com>
Co-authored-by: Siara <108543037+SiaraMist@users.noreply.github.com>
Co-authored-by: docubot <67483024+docubot@users.noreply.github.com>

content/admin/configuration/administering-your-instance-from-the-management-console/about-the-management-console.md

@@ -0,0 +1,38 @@
+---
+title: About the Management Console
+shortTitle: About
+intro: '{% data reusables.enterprise_site_admin_settings.management-console-overview %}'
+versions:
+  ghes: '*'
+type: overview
+topics:
+  - Administrator
+  - Enterprise
+  - Fundamentals
+  - Networking
+  - Monitoring
+---
+
+## About the {% data variables.enterprise.management_console %}
+
+The {% data variables.enterprise.management_console %} allows you to manage the low-level configuration of  {% data variables.location.product_location %}. For example, you can complete initial setup, manage licensing and low-level settings, configure authentication, schedule maintenance windows, and monitor your instance.
+
+You can always reach the {% data variables.enterprise.management_console %} using {% data variables.location.product_location %}'s IP address, even when the instance is in maintenance mode, or there is a critical application failure or hostname or SSL misconfiguration.
+
+To access the {% data variables.enterprise.management_console %}, {% ifversion enterprise-management-console-multi-user-auth %}you can use the root site administrator password established during initial setup of {% data variables.location.product_location %} or log in as a {% data variables.enterprise.management_console %} user. For more information, see "[Accessing the {% data variables.enterprise.management_console %}](/admin/configuration/administering-your-instance-from-the-management-console/accessing-the-management-console)." {% else %}you must use the administrator password established during initial setup of {% data variables.location.product_location %}. {% endif %}You must also be able to connect to the virtual machine host on port 8443. If you're having trouble reaching the {% data variables.enterprise.management_console %}, please check intermediate firewall and security group configurations.
+
+The {% data variables.enterprise.management_console %} password hash is stored in `/data/user/common/secrets.conf`. If high availability or clustering is configured, the file is automatically synced from the primary node to any additional nodes. Any change to the primary's password will automatically be replicated to all of the instance's nodes. For more information about high availability, see "[About high availability configuration](/admin/enterprise-management/configuring-high-availability/about-high-availability-configuration)."
+
+## Examples of activities in the {% data variables.enterprise.management_console %}
+
+In the {% data variables.enterprise.management_console %}, you can perform administrative tasks for {% data variables.location.product_location %}, including:
+
+- **Initial setup**: Walk through the initial setup process when first launching {% data variables.location.product_location %} by visiting {% data variables.location.product_location %}'s IP address in your browser.
+{%- ifversion enterprise-management-console-multi-user-auth %}
+- **Identity and access management**: Improve the security of {% data variables.location.product_location %} by creating dedicated user accounts for the {% data variables.enterprise.management_console %}. The root site administrator account can control these user accounts' access by assigning either the editor or operator role. For more information, see "[Managing access to the {% data variables.enterprise.management_console %}](/admin/configuration/administering-your-instance-from-the-management-console/managing-access-to-the-management-console)."
+{%- endif %}
+- **Configuring authentication policies for the {% data variables.enterprise.management_console %}**: Set rate limits for login attempts, and the lockout duration if someone exceeds the rate limit. For more information, see "[Managing access to the {% data variables.enterprise.management_console %}](/admin/configuration/administering-your-instance-from-the-management-console/managing-access-to-the-management-console#configuring-rate-limits-for-authentication-to-the-management-console)."
+- **Configuring basic settings for your instance**: Configure DNS, hostname, SSL, user authentication, email, monitoring services, and log forwarding on the Settings page.
+- **Scheduling maintenance windows**: Take {% data variables.location.product_location %} offline while performing maintenance using the {% data variables.enterprise.management_console %} or administrative shell.
+- **Troubleshooting**: Generate a support bundle or view high level diagnostic information.
+- **License management**: View or update your {% data variables.product.prodname_enterprise %} license.

content/admin/configuration/administering-your-instance-from-the-management-console/accessing-the-management-console.md

@@ -0,0 +1,31 @@
+---
+title: Accessing the Management Console
+shortTitle: Access
+intro: 'You can access the {% data variables.enterprise.management_console %} {% ifversion ghes < 3.8 %}using the {% data variables.enterprise.management_console %} password{% elsif enterprise-management-console-multi-user-auth %}as the root site administrator or a {% data variables.enterprise.management_console %} user{% endif %}.'
+versions:
+  ghes: '*'
+type: how_to
+topics:
+  - Enterprise
+  - Authentication
+---
+
+{% data reusables.enterprise_site_admin_settings.management-console-access %}
+
+## Accessing the {% data variables.enterprise.management_console %}
+
+The first time that you access the {% data variables.enterprise.management_console %} for {% data variables.location.product_location %}, you must upload your license file. For more information, see "[Managing your license for {% data variables.product.prodname_enterprise %}](/billing/managing-your-license-for-github-enterprise)."
+
+{% data reusables.enterprise_site_admin_settings.access-settings %}
+{% data reusables.enterprise_site_admin_settings.management-console %}
+{% data reusables.enterprise_management_console.type-management-console-password %}
+{% data reusables.enterprise_management_console.click-continue-authentication %}
+
+## Accessing the {% data variables.enterprise.management_console %} as an unauthenticated user
+
+1. Visit this URL in your browser, replacing `hostname` with your actual {% data variables.product.prodname_ghe_server %} hostname or IP address:
+  ```shell
+  http(s)://HOSTNAME/setup
+  ```
+{% data reusables.enterprise_management_console.type-management-console-password %}
+{% data reusables.enterprise_management_console.click-continue-authentication %}

content/admin/configuration/administering-your-instance-from-the-management-console/index.md

@@ -0,0 +1,27 @@
+---
+title: Administering your instance from the Management Console
+intro: 'You can use the {% data variables.enterprise.management_console %} to perform administrative tasks for {% data variables.location.product_location %}. '
+redirect_from:
+  - /admin/configuration/configuring-your-enterprise/accessing-the-management-console
+  - /enterprise/admin/articles/about-the-management-console
+  - /enterprise/admin/articles/management-console-for-emergency-recovery
+  - /enterprise/admin/articles/web-based-management-console
+  - /enterprise/admin/categories/management-console
+  - /enterprise/admin/articles/accessing-the-management-console
+  - /enterprise/admin/guides/installation/web-based-management-console
+  - /enterprise/admin/installation/accessing-the-management-console
+  - /enterprise/admin/configuration/accessing-the-management-console
+  - /admin/configuration/accessing-the-management-console
+versions:
+  ghes: '*'
+type: how_to
+topics:
+  - Enterprise
+children:
+  - /about-the-management-console
+  - /managing-access-to-the-management-console
+  - /accessing-the-management-console
+  - /troubleshooting-access-to-the-management-console
+shortTitle: Management Console
+---
+

content/admin/configuration/administering-your-instance-from-the-management-console/managing-access-to-the-management-console.md

@@ -0,0 +1,78 @@
+---
+title: Managing access to the Management Console
+shortTitle: Manage access
+intro: '{% ifversion enterprise-management-console-multi-user-auth %}You can increase the security of {% data variables.location.product_location %} by creating or deleting {% data variables.enterprise.management_console %} users. As the root site administrator, you {% else %}You {% endif %}can access the {% data variables.enterprise.management_console %} as well as configure {% data variables.enterprise.management_console %} authentication rate limits.'
+versions:
+  ghes: '*'
+type: how_to
+topics:
+  - Enterprise
+  - Authentication
+  - SSH
+  - User account
+---
+
+{% data reusables.enterprise_site_admin_settings.management-console-access %} For more information about {% data variables.enterprise.management_console %} access, see "[Accessing the {% data variables.enterprise.management_console %}](/admin/configuration/configuring-your-enterprise/accessing-the-management-console)."
+
+{% ifversion enterprise-management-console-multi-user-auth %}
+## Types of {% data variables.enterprise.management_console %} accounts
+
+There are two types of user accounts for the {% data variables.enterprise.management_console %} on a {% data variables.product.product_name %} instance. The root site administrator account authenticates with a password established during the initial setup of {% data variables.location.product_location %}.
+
+The root site administrator can create additional accounts, and assign one of two roles to each.
+
+### Root site administrator
+
+Root site administrators have complete control over the {% data variables.enterprise.management_console %}. They can take every action in the {% data variables.enterprise.management_console %}, including creating and deleting {% data variables.enterprise.management_console %} user accounts.
+
+Only the root site administrator can create and delete {% data variables.enterprise.management_console %} user accounts.
+
+### {% data variables.enterprise.management_console %} user
+
+{% data variables.enterprise.management_console %} users can perform most administrative tasks for {% data variables.location.product_location %}. For heightened security, {% data variables.enterprise.management_console %} users cannot create or delete {% data variables.enterprise.management_console %} user accounts.
+
+Only {% data variables.enterprise.management_console %} users with the operator role can manage SSH keys.
+
+The root site administrator can provision one of two roles for {% data variables.enterprise.management_console %} users:
+
+- **Editor**: A {% data variables.enterprise.management_console %} user with the editor role can perform basic administrative tasks for {% data variables.location.product_location %} in the {% data variables.enterprise.management_console %}. Editors cannot add public SSH keys to the {% data variables.enterprise.management_console %} to grant administrative SSH access to the instance.
+- **Operator**: A {% data variables.enterprise.management_console %} user with the operator role can perform basic administrative tasks for {% data variables.location.product_location %} in the {% data variables.enterprise.management_console %}. Users with the operator role can add SSH keys to the {% data variables.enterprise.management_console %} to grant administrative access to the instance via SSH.
+
+### Creating or deleting a user account for the {% data variables.enterprise.management_console %}
+
+While signed into the {% data variables.enterprise.management_console %} as the root site administrator, you can create new {% data variables.enterprise.management_console %} user accounts.
+
+{% data reusables.enterprise_site_admin_settings.click-user-management %}
+1. Click **Create user**.
+1. Fill in the user's name, username, and email address.
+1. Use the drop-down menu to select the user's role. You may select the editor or operator role.
+1. To finish creating the user account, click **Create**. If email notifications are configured for the instance, the user will automatically receive an invitation email with access instructions for the {% data variables.enterprise.management_console %}. For more information, see "[Inviting new {% data variables.enterprise.management_console %} users](#inviting-new-management-console-users)."
+1. Optionally, to delete a {% data variables.enterprise.management_console %} user account, click {% octicon "trash" aria-label="The trash symbol" %} to the right of any user account you wish to delete. Then confirm deletion.
+
+## Inviting new {% data variables.enterprise.management_console %} users
+
+If you have configured email for notifications for {% data variables.location.product_location %}, new {% data variables.enterprise.management_console %} users will automatically receive an invitation to complete creation of the {% data variables.enterprise.management_console %} user account. For more information, see "[Configuring email for notifications](/admin/configuration/configuring-your-enterprise/configuring-email-for-notifications)."
+
+If you have not configured email notifications for {% data variables.location.product_location %}, you must manually copy the {% data variables.enterprise.management_console %} invitation link and send it to the user. The user must set a password using the link before the user can access the {% data variables.enterprise.management_console %}.
+
+{% data reusables.enterprise_site_admin_settings.sign-in-as-root-administrator %}
+{% data reusables.enterprise_site_admin_settings.click-user-management %}
+1. To copy the invitation link, click {% octicon "link" aria-label="Copy invitation link" %} on any {% data variables.enterprise.management_console %} user account.
+1. Send the invitation link to the {% data variables.enterprise.management_console %} user. The invitation link will lead the user through the final account setup steps.
+
+{% endif %}
+
+{% ifversion enterprise-authentication-rate-limits %}
+## Configuring rate limits for authentication to the {% data variables.enterprise.management_console %}
+
+You can configure the lockout time and login attempt limits for the {% data variables.enterprise.management_console %}. If you configure rate limits, the limits apply to both the root site administrator and any {% data variables.enterprise.management_console %} users.
+
+After you configure rate limits and a user exceeds the limit, the {% data variables.enterprise.management_console %} will remain locked for the duration set by the lockout time. {% data reusables.enterprise_management_console.unlocking-management-console-with-shell %}
+
+{% data reusables.enterprise_site_admin_settings.access-settings %}
+{% data reusables.enterprise_site_admin_settings.management-console %}
+2. Under "Login attempt rate limiting", configure the lockout time and login attempt rate limit or accept the pre-filled default settings.
+![Fields for configuring lockout time and login attempt rate limit](/assets/images/enterprise/management-console/login-attempt-rate-limiting.png)
+{% data reusables.enterprise_management_console.save-settings %}
+
+{% endif %}

content/admin/configuration/administering-your-instance-from-the-management-console/troubleshooting-access-to-the-management-console.md

@@ -0,0 +1,47 @@
+---
+title: Troubleshooting access to the Management Console
+shortTitle: Troubleshoot
+intro: 'You can troubleshoot access problems for the {% data variables.enterprise.management_console %}.'
+versions:
+  ghes: '*'
+type: how_to
+topics:
+  - Enterprise
+  - Authentication
+  - SSH
+  - Troubleshooting
+---
+
+## About problems with {% data variables.enterprise.management_console %} access
+
+If you experience problems accessing the Management Console, you can try the following troubleshooting steps.
+
+## Unlocking the {% data variables.enterprise.management_console %} after failed login attempts
+
+The {% data variables.enterprise.management_console %} locks after {% ifversion enterprise-authentication-rate-limits %}the number of failed login attempts configured by your authentication policies. For more information, see "[Managing access to the Management Console](/admin/configuration/administering-your-instance-from-the-management-console/managing-access-to-the-management-console#configuring-rate-limits-for-authentication-to-the-management-console)."{% else %}ten failed login attempts are made in the span of ten minutes. You must wait for the login screen to automatically unlock before attempting to log in again. The login screen automatically unlocks as soon as the previous ten minute period contains fewer than ten failed login attempts. The counter resets after a successful login occurs.{% endif %}
+
+{% ifversion enterprise-management-console-multi-user-auth %}
+### Unlocking the root site administrator account
+{% endif %}
+
+{% data reusables.enterprise_management_console.unlocking-management-console-with-shell %}
+
+{% ifversion enterprise-management-console-multi-user-auth %}
+### Unlocking a {% data variables.enterprise.management_console %} user account
+
+The root site administrator can unlock access to the {% data variables.enterprise.management_console %} for other user accounts.
+
+{% data reusables.enterprise_site_admin_settings.sign-in-as-root-administrator %}
+{% data reusables.enterprise_site_admin_settings.click-user-management %}
+1. Locked user accounts will appear as "State: blocked". To unblock the user and allow authentication, to the right of the user's details, click {% octicon "law" aria-label="The law icon" %}.
+
+
+{%- endif %}
+
+## Troubleshooting failed connections to the {% data variables.enterprise.management_console %}
+
+If you cannot connect to the {% data variables.enterprise.management_console %} on {% data variables.location.product_location %}, you can review the following information to troubleshoot the problem.
+
+### Error: "Your session has expired" for connections through a load balancer
+
+If you access {% data variables.location.product_location %} through a load balancer and connections to the {% data variables.enterprise.management_console %} fail with a message that your session has expired, you may need to reconfigure your load balancer. For more information, see "[Using {% data variables.product.product_name %} with a load balancer](/admin/configuration/configuring-network-settings/using-github-enterprise-server-with-a-load-balancer#error-your-session-has-expired-for-connections-to-the-management-console)."

content/admin/configuration/configuring-network-settings/using-github-enterprise-server-with-a-load-balancer.md

@@ -86,7 +86,7 @@ If you cannot connect to services on {% data variables.location.product_location
 
 ### Error: "Your session has expired" for connections to the {% data variables.enterprise.management_console %}
 
-If you enable support for the `X-Forwarded-For` header on your instance and load balancer, you may not be able to access your instance's {% data variables.enterprise.management_console %}. For more information about the {% data variables.enterprise.management_console %} and ports required for connections, see "[Accessing the management console](/admin/configuration/configuring-your-enterprise/accessing-the-management-console)" and "[Network ports](/admin/configuration/configuring-network-settings/network-ports)."
+If you enable support for the `X-Forwarded-For` header on your instance and load balancer, you may not be able to access your instance's {% data variables.enterprise.management_console %}. For more information about the {% data variables.enterprise.management_console %} and ports required for connections, see "[Administering your instance from the {% data variables.enterprise.management_console %}](/admin/configuration/administering-your-instance-from-the-management-console)" and "[Network ports](/admin/configuration/configuring-network-settings/network-ports)."
 
 If {% data variables.location.product_location %} indicates that your session has expired when you connect to the {% data variables.enterprise.management_console %} through a load balancer, try one of the following configurations on your load balancer.
 
@@ -97,6 +97,6 @@ For more information, refer to the documentation for your load balancer.
 
 ### Live updates to issues and check runs not working
 
-When {% data variables.location.product_location %} is accessed via a load balancer or reverse proxy, expected live updates, such as new comments on issues and changes in notification badges or check run output, may not display until the page is refreshed. This is most common when the reverse proxy or load balancer is running in a layer 7 mode or does not support the required [websocket](https://developer.mozilla.org/en-US/docs/Web/API/WebSockets_API) protocol. 
+When {% data variables.location.product_location %} is accessed via a load balancer or reverse proxy, expected live updates, such as new comments on issues and changes in notification badges or check run output, may not display until the page is refreshed. This is most common when the reverse proxy or load balancer is running in a layer 7 mode or does not support the required [websocket](https://developer.mozilla.org/en-US/docs/Web/API/WebSockets_API) protocol.
 
 To enable live updates, you may need to reconfigure the load balancer or proxy. For more information, refer to the documentation for your load balancer.

content/admin/configuration/configuring-your-enterprise/about-enterprise-configuration.md

@@ -16,7 +16,7 @@ shortTitle: About configuration
 {% ifversion ghes %}
 {% data reusables.enterprise_site_admin_settings.about-the-site-admin-dashboard %} For more information, see "[Site admin dashboard](/admin/configuration/site-admin-dashboard)."
 
-{% data reusables.enterprise_site_admin_settings.about-the-management-console %} For more information, see "[Accessing the management console](/admin/configuration/accessing-the-management-console)."
+{% data reusables.enterprise_site_admin_settings.management-console-overview %} For more information, see "[Accessing the {% data variables.enterprise.management_console %}](/admin/configuration/accessing-the-management-console)."
 
 {% data reusables.enterprise_site_admin_settings.about-ssh-access %} For more information, see "[Accessing the administrative shell (SSH)](/admin/configuration/accessing-the-administrative-shell-ssh)."
 {% endif %}

content/admin/configuration/configuring-your-enterprise/accessing-the-management-console.md

@@ -1,80 +0,0 @@
----
-title: Accessing the management console
-intro: '{% data reusables.enterprise_site_admin_settings.about-the-management-console %}'
-redirect_from:
-  - /enterprise/admin/articles/about-the-management-console
-  - /enterprise/admin/articles/management-console-for-emergency-recovery
-  - /enterprise/admin/articles/web-based-management-console
-  - /enterprise/admin/categories/management-console
-  - /enterprise/admin/articles/accessing-the-management-console
-  - /enterprise/admin/guides/installation/web-based-management-console
-  - /enterprise/admin/installation/accessing-the-management-console
-  - /enterprise/admin/configuration/accessing-the-management-console
-  - /admin/configuration/accessing-the-management-console
-versions:
-  ghes: '*'
-type: how_to
-topics:
-  - Enterprise
-  - Fundamentals
-shortTitle: Access the management console
----
-## About the {% data variables.enterprise.management_console %}
-
-Use the {% data variables.enterprise.management_console %} for basic administrative activities:
-- **Initial setup**: Walk through the initial setup process when first launching {% data variables.location.product_location %} by visiting {% data variables.location.product_location %}'s IP address in your browser.
-- **Configuring authentication policies for the {% data variables.enterprise.management_console %}**: Set rate limits for login attempts, and the lockout duration if someone exceeds the rate limit. 
-- **Configuring basic settings for your instance**: Configure DNS, hostname, SSL, user authentication, email, monitoring services, and log forwarding on the Settings page.
-- **Scheduling maintenance windows**: Take {% data variables.location.product_location %} offline while performing maintenance using the {% data variables.enterprise.management_console %} or administrative shell.
-- **Troubleshooting**: Generate a support bundle or view high level diagnostic information.
-- **License management**: View or update your {% data variables.product.prodname_enterprise %} license.
-
-You can always reach the {% data variables.enterprise.management_console %} using {% data variables.location.product_location %}'s IP address, even when the instance is in maintenance mode, or there is a critical application failure or hostname or SSL misconfiguration.
-
-To access the {% data variables.enterprise.management_console %}, you must use the administrator password established during initial setup of {% data variables.location.product_location %}. You must also be able to connect to the virtual machine host on port 8443. If you're having trouble reaching the {% data variables.enterprise.management_console %}, please check intermediate firewall and security group configurations. 
-
-The {% data variables.enterprise.management_console %} password hash is stored in `/data/user/common/secrets.conf`, and that file is automatically synced from the primary appliance to any high-availability replicas. Any change to the primary's password will automatically be replicated to high-availability replicas. For more information about high availability, see "[About high availability configuration](/admin/enterprise-management/configuring-high-availability/about-high-availability-configuration)."
-
-## Accessing the {% data variables.enterprise.management_console %} as a site administrator
-
-The first time that you access the {% data variables.enterprise.management_console %} as a site administrator, you must upload your {% data variables.product.prodname_enterprise %} license file to authenticate into the app. For more information, see "[Managing your license for {% data variables.product.prodname_enterprise %}](/billing/managing-your-license-for-github-enterprise)."
-
-{% data reusables.enterprise_site_admin_settings.access-settings %}
-{% data reusables.enterprise_site_admin_settings.management-console %}
-{% data reusables.enterprise_management_console.type-management-console-password %}
-
-## Accessing the {% data variables.enterprise.management_console %} as an unauthenticated user
-
-1. Visit this URL in your browser, replacing `hostname` with your actual {% data variables.product.prodname_ghe_server %} hostname or IP address:
-  ```shell
-  http(s)://HOSTNAME/setup
-  ```
-{% data reusables.enterprise_management_console.type-management-console-password %}
-
-{% ifversion enterprise-authentication-rate-limits %}
-## Configuring rate limits for authentication to the {% data variables.enterprise.management_console %}
-
-You can configure the lockout time and login attempt limits for the {% data variables.enterprise.management_console %}. If a user exceeds the login attempt limit, the {% data variables.enterprise.management_console %} will remain locked for the duration set by the lockout time. {% data reusables.enterprise_management_console.unlocking-management-console-with-shell %}
-
-
-{% data reusables.enterprise_site_admin_settings.access-settings %}
-{% data reusables.enterprise_site_admin_settings.management-console %}
-2. Under "Login attempt rate limiting", configure the lockout time and login attempt rate limit or accept the pre-filled default settings.
-![Fields for configuring lockout time and login attempt rate limit](/assets/images/enterprise/management-console/login-attempt-rate-limiting.png)
-{% data reusables.enterprise_management_console.save-settings %}
-
-{% endif %}
-
-## Unlocking the {% data variables.enterprise.management_console %} after failed login attempts
-
-The {% data variables.enterprise.management_console %} locks after {% ifversion enterprise-authentication-rate-limits %}the number of failed login attempts configured by your authentication policies. For more information, see "[Configuring authentication policy rate limits](/admin/configuration/configuring-your-enterprise/configuring-rate-limits#configuring-authentication-policy-rate-limits)".{% else %}ten failed login attempts are made in the span of ten minutes. You must wait for the login screen to automatically unlock before attempting to log in again. The login screen automatically unlocks as soon as the previous ten minute period contains fewer than ten failed login attempts. The counter resets after a successful login occurs.{% endif %}
-
-{% data reusables.enterprise_management_console.unlocking-management-console-with-shell %}
-
-## Troubleshooting failed connections to the {% data variables.enterprise.management_console %}
-
-If you cannot connect to the {% data variables.enterprise.management_console %} on {% data variables.location.product_location %}, you can review the following information to troubleshoot the problem.
-
-### Error: "Your session has expired" for connections through a load balancer
-
-If you access {% data variables.location.product_location %} through a load balancer and connections to the {% data variables.enterprise.management_console %} fail with a message that your session has expired, you may need to reconfigure your load balancer. For more information, see "[Using {% data variables.product.product_name %} with a load balancer](/admin/configuration/configuring-network-settings/using-github-enterprise-server-with-a-load-balancer#error-your-session-has-expired-for-connections-to-the-management-console)."

content/admin/configuration/configuring-your-enterprise/command-line-utilities.md

@@ -580,9 +580,28 @@ To create a standard bundle:
 $ ssh -p 122 admin@HOSTNAME -- 'ghe-cluster-support-bundle -o' > cluster-support-bundle.tgz
 ```
 
+{% ifversion specify-period-for-support-bundle %}
+
+To create a standard bundle including data from the last 3 hours:
+```shell
+$ ssh -p 122 admin@HOSTNAME -- "ghe-cluster-support-bundle -p '3 hours' -o" > support-bundle.tgz
+```
+
+To create a standard bundle including data from the last 2 days:
+```shell
+$ ssh -p 122 admin@HOSTNAME -- "ghe-cluster-support-bundle -p '2 days' -o" > support-bundle.tgz
+```
+
+To create a standard bundle including data from the last 4 days and 8 hours:
+```shell
+$ ssh -p 122 admin@HOSTNAME -- "ghe-cluster-support-bundle -p '4 days 8 hours' -o" > support-bundle.tgz
+```
+
+{% endif %}
+
 To create an extended bundle:
 ```shell
-$ ssh -p 122 admin@HOSTNAME -- 'ghe-cluster-support-bundle -x -o' > cluster-support-bundle.tgz
+$ ssh -p 122 admin@HOSTNAME -- ghe-cluster-support-bundle -x -o' > cluster-support-bundle.tgz
 ```
 
 To send a bundle to {% data variables.contact.github_support %}:
@@ -722,6 +741,14 @@ This utility tests the blob storage configuration for {% data variables.product.
 
 For more information about the configuration of {% data variables.product.prodname_actions %}, see "[Getting started with {% data variables.product.prodname_actions %} for {% data variables.product.product_name %}](/admin/github-actions/getting-started-with-github-actions-for-your-enterprise/getting-started-with-github-actions-for-github-enterprise-server)."
 
+{% ifversion ghes-actions-storage-oidc %}
+{% note %}
+
+**Note:** This utility only works with configurations that use a credentials-based connection to the storage provider. It does not work with OpenID Connect (OIDC) configurations.
+
+{% endnote %}
+{% endif %}
+
 ```shell
 ghe-actions-precheck -p [PROVIDER] -cs ["CONNECTION-STRING"]
 ```
@@ -813,6 +840,25 @@ To create a standard bundle:
 $ ssh -p 122 admin@HOSTNAME -- 'ghe-support-bundle -o' > support-bundle.tgz
 ```
 
+{% ifversion specify-period-for-support-bundle %}
+
+To create a standard bundle including data from the last 3 hours:
+```shell
+$ ssh -p 122 admin@HOSTNAME -- "ghe-support-bundle -p '3 hours' -o" > support-bundle.tgz
+```
+
+To create a standard bundle including data from the last 2 days:
+```shell
+$ ssh -p 122 admin@HOSTNAME -- "ghe-support-bundle -p '2 days' -o" > support-bundle.tgz
+```
+
+To create a standard bundle including data from the last 4 days and 8 hours:
+```shell
+$ ssh -p 122 admin@HOSTNAME -- "ghe-support-bundle -p '4 days 8 hours' -o" > support-bundle.tgz
+```
+
+{% endif %}
+
 To create an extended bundle:
 ```shell
 $ ssh -p 122 admin@HOSTNAME -- 'ghe-support-bundle -x -o' > support-bundle.tgz

content/admin/configuration/configuring-your-enterprise/configuring-rate-limits.md

@@ -21,7 +21,7 @@ To prevent excessive use of resources on {% data variables.location.product_loca
 
 Implement rate limits carefully and communicate frequently with your users as you tune the limits. To avoid interrupting your users' work, {% data variables.product.company_short %} recommends that you start with permissive rate limits, and gradually tune the limits to suit your environment.
 
-You can also configure rate limits for authentication attempts to the {% data variables.enterprise.management_console %}. For more information, see "[Accessing the management console](/admin/configuration/configuring-your-enterprise/accessing-the-management-console#configuring-rate-limits-for-authentication-to-the-management-console)."
+You can also configure rate limits for authentication attempts to the {% data variables.enterprise.management_console %}. For more information, see "[Managing access to the {% data variables.enterprise.management_console %}](/admin/configuration/administering-your-instance-from-the-management-console/managing-access-to-the-management-console#configuring-rate-limits-for-authentication-to-the-management-console)."
 
 ## Enabling rate limits for the {% data variables.product.prodname_enterprise_api %}
 
@@ -94,7 +94,7 @@ To avoid this performance degradation, you can configure a rate limit for {% dat
 
 An appropriate rate limit protects {% data variables.location.product_location %} from abnormal usage of {% data variables.product.prodname_actions %} without interfering with day-to-day operations. The exact threshold depends on your instance's available resources and overall load profile. For more information about the hardware requirements for {% data variables.product.prodname_actions %}, see "[Getting started with {% data variables.product.prodname_actions %} for {% data variables.product.product_name %}](/admin/github-actions/getting-started-with-github-actions-for-your-enterprise/getting-started-with-github-actions-for-github-enterprise-server#review-hardware-requirements)."
 
-By default, the rate limit for {% data variables.product.prodname_actions %} is disabled. Because {% data variables.product.product_name %} can handle temporary spikes in usage without performance degradation, this rate limit is intended to protect against sustained high load. We recommend leaving the rate limit disabled unless you are experiencing performance problems. In some cases, {% data variables.contact.github_support %} may recommend that you enable a rate limit for {% data variables.product.prodname_actions %}. 
+By default, the rate limit for {% data variables.product.prodname_actions %} is disabled. Because {% data variables.product.product_name %} can handle temporary spikes in usage without performance degradation, this rate limit is intended to protect against sustained high load. We recommend leaving the rate limit disabled unless you are experiencing performance problems. In some cases, {% data variables.contact.github_support %} may recommend that you enable a rate limit for {% data variables.product.prodname_actions %}.
 
 ### Enabling or disabling rate limits for {% data variables.product.prodname_actions %}
 

content/admin/configuration/configuring-your-enterprise/index.md

@@ -18,7 +18,6 @@ children:
   - /about-enterprise-configuration
   - /deploying-github-ae
   - /initializing-github-ae
-  - /accessing-the-management-console
   - /accessing-the-administrative-shell-ssh
   - /enabling-and-scheduling-maintenance-mode
   - /configuring-backups-on-your-appliance

content/admin/configuration/index.md

@@ -11,6 +11,7 @@ versions:
 topics:
   - Enterprise
 children:
+  - /administering-your-instance-from-the-management-console
   - /configuring-your-enterprise
   - /configuring-network-settings
   - /configuring-github-connect

content/admin/enterprise-management/configuring-high-availability/about-high-availability-configuration.md

@@ -14,7 +14,7 @@ topics:
   - Infrastructure
 shortTitle: About HA configuration
 ---
-When you configure high availability, there is an automated setup of one-way, asynchronous replication of all datastores (Git repositories, MySQL, Redis, and Elasticsearch) from the primary to the replica appliance. Most {% data variables.product.prodname_ghe_server %} configuration settings are also replicated, including the {% data variables.enterprise.management_console %} password. For more information, see "[Accessing the management console](/admin/configuration/configuring-your-enterprise/accessing-the-management-console)."
+When you configure high availability, there is an automated setup of one-way, asynchronous replication of all datastores (Git repositories, MySQL, Redis, and Elasticsearch) from the primary to the replica appliance. Most {% data variables.product.prodname_ghe_server %} configuration settings are also replicated, including the {% data variables.enterprise.management_console %} password. For more information, see "[Administering your instance from the {% data variables.enterprise.management_console %}](/admin/configuration/administering-your-instance-from-the-management-console)."
 
 {% data variables.product.prodname_ghe_server %} supports an active/passive configuration, where the replica appliance runs as a standby with database services running in replication mode but application services stopped.
 

content/admin/github-actions/enabling-github-actions-for-github-enterprise-server/enabling-github-actions-with-amazon-s3-storage.md

@@ -13,10 +13,17 @@ topics:
 redirect_from:
   - /admin/github-actions/enabling-github-actions-with-amazon-s3-storage
 shortTitle: Amazon S3 storage
+miniTocMaxHeadingLevel: 3
 ---
 
 {% data reusables.actions.enterprise-storage-about %}
 
+{% ifversion ghes-actions-storage-oidc %}
+{% data reusables.actions.enterprise-storage-about-oidc %}
+
+{% data reusables.actions.ghes-storage-oidc-beta-note %}
+{% endif %}
+
 ## Prerequisites
 
 {% note %}
@@ -29,25 +36,149 @@ shortTitle: Amazon S3 storage
 
 Before enabling {% data variables.product.prodname_actions %}, make sure you have completed the following steps:
 
-* Create your Amazon S3 bucket for storing data generated by workflow runs. {% indented_data_reference reusables.actions.enterprise-s3-permission spaces=2 %}
-  
+* Create your Amazon S3 bucket for storing data generated by workflow runs.
 {% data reusables.actions.enterprise-common-prereqs %}
+{% data reusables.actions.enterprise-oidc-prereqs %}
 
-## Enabling {% data variables.product.prodname_actions %} with Amazon S3 storage
+{% ifversion ghes-actions-storage-oidc %}
+## Enabling {% data variables.product.prodname_actions %} with Amazon S3 using OIDC (recommended)
+
+{% data reusables.actions.ghes-storage-oidc-beta-note %}
+
+To configure {% data variables.product.prodname_ghe_server %} to use OIDC with an Amazon S3 bucket, you must first create an Amazon OIDC provider, then create an Identity and Access Management (IAM) role, and finally configure {% data variables.product.prodname_ghe_server %} to use the provider and role to access your S3 bucket.
+
+### 1. Create an Amazon OIDC provider
+
+1. Get the thumbprint for {% data variables.location.product_location_enterprise %}.
+   1. Use the following OpenSSL command to get the SHA1 thumbprint for {% data variables.location.product_location_enterprise %}, replacing `HOSTNAME` with the public hostname for {% data variables.location.product_location_enterprise %}
+
+      ```shell{:copy}
+      openssl s_client -connect HOSTNAME:443 < /dev/null 2>/dev/null | openssl x509 -fingerprint -noout -sha1 -in /dev/stdin
+      ```
+
+      For example:
+
+      ```shell
+      openssl s_client -connect my-ghes-host.example.com:443 < /dev/null 2>/dev/null | openssl x509 -fingerprint -noout -sha1 -in /dev/stdin
+      ```
+
+      The command returns a thumbprint in the following format:
+
+      ```
+      SHA1 Fingerprint=AB:12:34:56:78:90:AB:CD:EF:12:34:56:78:90:AB:CD:EF:12:34:56
+      ```
+   1. Remove the colons (`:`) from the thumbprint value, and save the value to use later.
+
+      For example, the thumbprint for the value returned in the previous step is:
+
+      ```
+      AB1234567890ABCDEF1234567890ABCDEF123456
+      ```
+1. Using the AWS CLI, use the following command to create an OIDC provider for {% data variables.location.product_location_enterprise %}. Replace `HOSTNAME` with the public hostname for {% data variables.location.product_location_enterprise %}, and `THUMBPRINT` with the thumbprint value from the previous step.
+
+   ```shell{:copy}
+   aws iam create-open-id-connect-provider \
+     --url https://HOSTNAME/_services/token \
+     --client-id-list "sts.amazonaws.com" \
+     --thumbprint-list "THUMBPRINT"
+   ```
+
+   For example:
+
+   ```shell{:copy}
+   aws iam create-open-id-connect-provider \
+     --url https://my-ghes-host.example.com/_services/token \
+     --client-id-list "sts.amazonaws.com" \
+     --thumbprint-list "AB1234567890ABCDEF1234567890ABCDEF123456"
+   ```
+
+   For more information on installing the AWS CLI, see the [Amazon documentation](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html).
+
+   {% warning %}
+
+   **Warning:** If the certificate for {% data variables.location.product_location_enterprise %} changes in the future, you must update the thumbprint value in the Amazon OIDC provider for the OIDC trust to continue to work.
+
+   {% endwarning %}
+
+### 2. Create an IAM role
+
+1. Open the AWS Console, and navigate to the Identity and Access Management (IAM) service.
+1. In the left menu, under "Access management", click **Roles**, then click **Create Role**.
+1. On the "Select trusted entity" page, enter the following options:
+   * For "Trusted entity type", click **Web identity**.
+   * For "Identity provider", use the **Choose provider** drop-down menu and select the OIDC provider you created in the previous steps. It should be named `HOSTNAME/_services/token`, where `HOSTNAME` is the public hostname for {% data variables.location.product_location_enterprise %}.
+   * For "Audience", select `sts.amazonaws.com`.
+1. Click **Next**.
+1. On the "Add permissions" page, use the filter to find and select the  `AmazonS3FullAccess` policy.
+1. Click **Next**.
+1. On the "Name, review, and create" page, enter a name for the role, and click **Create role**.
+1. On the IAM "Roles" page, select the role you just created.
+1. Under "Summary", note the ARN value for the role, as this is needed later.
+1. Click the **Trust relationships** tab, then click **Edit trust policy**.
+1. Edit the trust policy to add a new `sub` claim. The value for `Condition` must match the following example, replacing `HOSTNAME` with the public hostname for {% data variables.location.product_location_enterprise %}:
+
+   ```json
+   ...
+   "Condition": {
+     "StringEquals": {
+       "HOSTNAME/_services/token:aud": "sts.amazonaws.com",
+       "HOSTNAME/_services/token:sub": "HOSTNAME"
+     }
+   }
+   ...
+   ```
+
+   For example:
+
+   ```json
+   ...
+   "Condition": {
+     "StringEquals": {
+       "my-ghes-host.example.com/_services/token:aud": "sts.amazonaws.com",
+       "my-ghes-host.example.com/_services/token:sub": "my-ghes-host.example.com"
+     }
+   }
+   ...
+   ```
+1. Click **Update policy**.
+
+### 3. Configure {% data variables.product.prodname_ghe_server %} to connect to Amazon S3 using OIDC
 
 {% data reusables.enterprise_site_admin_settings.access-settings %}
 {% data reusables.enterprise_site_admin_settings.management-console %}
 {% data reusables.enterprise_management_console.actions %}
 {% data reusables.actions.enterprise-enable-checkbox %}
+{% data reusables.actions.enterprise-s3-storage-setup %}
+1. Under "Authentication", select **OpenID Connect (OIDC)**, and enter the values for your storage:
+   * **AWS S3 Bucket**: The name of your S3 bucket.
+   * **AWS Role**: The ARN for the role you created in the previous procedures. For example, `arn:aws:iam::123456789:role/my-role-name`.
+   * **AWS Region**: The AWS region for your bucket. For example, `us-east-1`.
+{% data reusables.enterprise_management_console.test-storage-button %}
+{% data reusables.enterprise_management_console.save-settings %}
+
+{% endif %}
+
+## Enabling {% data variables.product.prodname_actions %} with Amazon S3 storage{% ifversion ghes-actions-storage-oidc %} using access keys{% endif %}
+
+1. Using the AWS Console or CLI, create an access key for your storage bucket. {% indented_data_reference reusables.actions.enterprise-s3-permission spaces=3 %}
+
+   For more information on managing AWS access keys, see the "[AWS Identity and Access Management Documentation](https://docs.aws.amazon.com/iam/index.html)."
+{% data reusables.enterprise_site_admin_settings.access-settings %}
+{% data reusables.enterprise_site_admin_settings.management-console %}
+{% data reusables.enterprise_management_console.actions %}
+{% data reusables.actions.enterprise-enable-checkbox %}
+{%- ifversion ghes-actions-storage-oidc %}
+{% data reusables.actions.enterprise-s3-storage-setup %}
+1. Under "Authentication", select **Credentials-based**, and enter your storage bucket's details:
+
+{% indented_data_reference reusables.actions.enterprise-s3-storage-credential-fields spaces=3 %}
+{%- else %}
 1. Under "Artifact & Log Storage", select **Amazon S3**, and enter your storage bucket's details:
 
-   * **AWS Service URL**: The service URL for your bucket. For example, if your S3 bucket was created in the `us-west-2` region, this value should be `https://s3.us-west-2.amazonaws.com`.
-
-     For more information, see "[AWS service endpoints](https://docs.aws.amazon.com/general/latest/gr/rande.html)" in the AWS documentation.
-   * **AWS S3 Bucket**: The name of your S3 bucket.
-   * **AWS S3 Access Key** and **AWS S3 Secret Key**: The AWS access key ID and secret key for your bucket. For more information on managing AWS access keys, see the "[AWS Identity and Access Management Documentation](https://docs.aws.amazon.com/iam/index.html)."
+{% indented_data_reference reusables.actions.enterprise-s3-storage-credential-fields spaces=3 %}
 
    ![Radio button for selecting Amazon S3 Storage and fields for S3 configuration](/assets/images/enterprise/management-console/actions-aws-s3-storage.png)
+{%- endif %}
 {% data reusables.enterprise_management_console.test-storage-button %}
 {% data reusables.enterprise_management_console.save-settings %}
 

content/admin/github-actions/enabling-github-actions-for-github-enterprise-server/enabling-github-actions-with-azure-blob-storage.md

@@ -13,10 +13,17 @@ topics:
 redirect_from:
   - /admin/github-actions/enabling-github-actions-with-azure-blob-storage
 shortTitle: Azure Blob storage
+miniTocMaxHeadingLevel: 3
 ---
 
 {% data reusables.actions.enterprise-storage-about %}
 
+{% ifversion ghes-actions-storage-oidc %}
+{% data reusables.actions.enterprise-storage-about-oidc %}
+
+{% data reusables.actions.ghes-storage-oidc-beta-note %}
+{% endif %}
+
 ## Prerequisites
 
 Before enabling {% data variables.product.prodname_actions %}, make sure you have completed the following steps:
@@ -33,16 +40,83 @@ Before enabling {% data variables.product.prodname_actions %}, make sure you hav
 
   For more information on Azure storage account types and performance tiers, see the [Azure documentation](https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview?toc=/azure/storage/blobs/toc.json#types-of-storage-accounts).
 {% data reusables.actions.enterprise-common-prereqs %}
+{% data reusables.actions.enterprise-oidc-prereqs %}
 
-## Enabling {% data variables.product.prodname_actions %} with Azure Blob storage
+{% ifversion ghes-actions-storage-oidc %}
+## Enabling {% data variables.product.prodname_actions %} with Azure Blob storage using OIDC (recommended)
+
+{% data reusables.actions.ghes-storage-oidc-beta-note %}
+
+To configure {% data variables.product.prodname_ghe_server %} to use OIDC with an Azure storage account, you must first register an Azure Active Directory application with OIDC credentials, then configure your storage account, and finally configure {% data variables.product.prodname_ghe_server %} to access the storage container using the Azure Active Directory application.
+
+### 1. Register an Azure Active Directory application
+
+1. Log in to the Azure portal.
+1. Register a new application in Azure Active Directory. For more information, see [Register an application](https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app#register-an-application) in the Azure documentation.
+1. In your Azure application, under "Essentials", take note of the values for "Application (client) ID" and "Directory (tenant) ID". These values are used later.
+
+   ![Azure portal showing the Active Directory app "Essentials" section](/assets/images/azure/azure-aad-app-storage-ids.png)
+1. In your Azure application, under "Manage", click **Certificates & secrets**, select the **Federated credentials** tab, then click **Add credential**.
+
+   ![Azure portal showing the Active Directory app "certificates & secrets" page](/assets/images/azure/azure-federated-credential.png)
+1. Enter the following details for the credential:
+   1. For "Federated credential scenario", select **Other issuer**.
+   1. For "Issuer", enter `https://HOSTNAME/_services/token`, where `HOSTNAME` is the public hostname for {% data variables.location.product_location_enterprise %}. For example, `https://my-ghes-host.example.com/_services/token`.
+   1. For "Subject identifier", enter the public hostname for {% data variables.location.product_location_enterprise %}. For example, `my-ghes-host.example.com`.
+
+      {% note %}
+
+      **Note:** The subject identifier must only have the hostname of {% data variables.location.product_location_enterprise %}, and _must not_ include the protocol.
+
+      {% endnote %}
+   1. For "Name", enter a name for the credential.
+   1. Click **Add**.
+
+### 2. Configure your storage account
+
+1. In the Azure portal, navigate to your storage account.
+1. Click **Access Control (IAM)**, then click **Add**, and select **Add role assignment**.
+1. For the role, select "Storage Blob Data Owner", then click **Next**.
+1. For members, click **Select members**, and then search for and select the name of the Azure application you created earlier. Click **Select**.
+1. Click **Review + assign**, review the role assignment, then click **Review + assign** again.
+1. In the left menu, under "Settings", click **Endpoints**.
+1. Under "Blob service", take note of the value for "Blob service", specifically the blob endpoint suffix. This is the value after `https://<storageaccountname>.blob`. It is typically `core.windows.net`, but might vary depending on your Azure region or account type.
+
+   For example, if your blob service URL is `https://my-storage-account.blob.core.windows.net`, the blob endpoint suffix is `core.windows.net`.
+
+   Note your storage account name and blob endpoint suffix, as these values are used later.
+
+### 3. Configuring {% data variables.product.prodname_ghe_server %} to connect to Azure using OIDC
 
 {% data reusables.enterprise_site_admin_settings.access-settings %}
 {% data reusables.enterprise_site_admin_settings.management-console %}
 {% data reusables.enterprise_management_console.actions %}
 {% data reusables.actions.enterprise-enable-checkbox %}
+{% data reusables.actions.enterprise-azure-storage-setup %}
+1. Under "Authentication", select **OpenID Connect (OIDC)**, and enter the values for your storage that you noted down in the previous procedures:
+   * Azure tenant ID
+   * Azure client ID
+   * Azure storage account name
+   * Azure blob endpoint suffix
+{% data reusables.enterprise_management_console.test-storage-button %}
+{% data reusables.enterprise_management_console.save-settings %}
+
+{% endif %}
+
+## Enabling {% data variables.product.prodname_actions %} with Azure Blob storage{% ifversion ghes-actions-storage-oidc %} using a connection string{% endif %}
+
+{% data reusables.enterprise_site_admin_settings.access-settings %}
+{% data reusables.enterprise_site_admin_settings.management-console %}
+{% data reusables.enterprise_management_console.actions %}
+{% data reusables.actions.enterprise-enable-checkbox %}
+{%- ifversion ghes-actions-storage-oidc %}
+{% data reusables.actions.enterprise-azure-storage-setup %}
+1. Under "Authentication", select **Credentials-based**, and enter your Azure storage account's connection string. For more information on getting the connection string for your storage account, see the [Azure documentation](https://docs.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage?tabs=azure-portal#view-account-access-keys).
+{%- else %}
 1. Under "Artifact & Log Storage", select **Azure Blob Storage**, and enter your Azure storage account's connection string. For more information on getting the connection string for your storage account, see the [Azure documentation](https://docs.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage?tabs=azure-portal#view-account-access-keys).
 
    ![Radio button for selecting Azure Blob Storage and the Connection string field](/assets/images/enterprise/management-console/actions-azure-storage.png)
+{%- endif %}
 {% data reusables.enterprise_management_console.test-storage-button %}
 {% data reusables.enterprise_management_console.save-settings %}
 

content/admin/github-actions/enabling-github-actions-for-github-enterprise-server/enabling-github-actions-with-google-cloud-storage.md

@@ -11,6 +11,7 @@ topics:
   - Infrastructure
   - Storage
 shortTitle: Google Cloud Storage
+miniTocMaxHeadingLevel: 3
 ---
 
 {% note %}
@@ -21,39 +22,149 @@ shortTitle: Google Cloud Storage
 
 {% data reusables.actions.enterprise-storage-about %}
 
+{% ifversion ghes-actions-storage-oidc %}
+{% data reusables.actions.enterprise-storage-about-oidc %}
+
+{% data reusables.actions.ghes-storage-oidc-beta-note %}
+{% endif %}
+
 ## Prerequisites
 
 Before enabling {% data variables.product.prodname_actions %}, make sure you have completed the following steps:
 
 * Create your Google Cloud Storage bucket for storing data generated by workflow runs.
-* Create a Google Cloud service account that can access the bucket, and create a Hash-based Message Authentication Code (HMAC) key for the service account. For more information, see "[Manage HMAC keys for service accounts](https://cloud.google.com/storage/docs/authentication/managing-hmackeys)" in the Google Cloud documentation.
-
-  The service account must have the following [Identity and Access Management (IAM) permissions](https://cloud.google.com/storage/docs/access-control/iam-permissions) for the bucket:
-
-  * `storage.objects.create`
-  * `storage.objects.get`
-  * `storage.objects.list`
-  * `storage.objects.update`
-  * `storage.objects.delete`
-  * `storage.multipartUploads.create`
-  * `storage.multipartUploads.abort`
-  * `storage.multipartUploads.listParts`
-  * `storage.multipartUploads.list`
 {% data reusables.actions.enterprise-common-prereqs %}
+{% data reusables.actions.enterprise-oidc-prereqs %}
 
-## Enabling {% data variables.product.prodname_actions %} with Google Cloud Storage
+{% ifversion ghes-actions-storage-oidc %}
+## Enabling {% data variables.product.prodname_actions %} with Google Cloud Storage using OIDC (recommended)
+
+{% data reusables.actions.ghes-storage-oidc-beta-note %}
+
+To configure {% data variables.product.prodname_ghe_server %} to use OIDC with Google Cloud Storage, you must first create a Google Cloud service account, then create a Google Cloud identity pool and identity provider, and finally configure {% data variables.product.prodname_ghe_server %} to use the provider and service account to access your Google Cloud Storage bucket.
+
+### 1. Create a service account
+
+1. Create a service account that can access your bucket using OIDC. For more information, see [Creating and managing service accounts](https://cloud.google.com/iam/docs/creating-managing-service-accounts) in the Google Cloud documentation.
+
+   When creating the service account, ensure that you do the following:
+
+   * Enable the IAM API as described at the start of [Creating and managing service accounts](https://cloud.google.com/iam/docs/creating-managing-service-accounts).
+   * Add the following roles to the service account:
+     * Service Account Token Creator
+     * Storage Object Admin
+1. After creating the service account, note its email address, as it is need later. The service account email address is in the format `SERVICE-ACCOUNT-NAME@PROJECT-NAME.iam.gserviceaccount.com`.
+
+### 2. Create an identity pool and identity provider
+
+1. In the Google Cloud console, go to the [New workload provider and pool](https://console.cloud.google.com/iam-admin/workload-identity-pools/create) page.
+1. Under "Create an identity pool", enter a name for the identity pool, and click **Continue**.
+1. Under "Add a provider to pool":
+
+   !["Add a provider to pool" screen when setting a new identity pool in Google Cloud Platform](/assets/images/enterprise/management-console/actions-gcp-idp-setup-1.png)
+
+   1. For "Select a provider", select **OpenID Connect (OIDC)**.
+   1. For "Provider name", enter a name for the provider.
+   1. For "Issuer (URL)", enter the following URL, replacing `HOSTNAME` with the public hostname for {% data variables.location.product_location_enterprise %}:
+
+      ```
+      https://HOSTNAME/_services/token
+      ```
+
+      For example:
+
+      ```
+      https://my-ghes-host.example.com/_services/token
+      ```
+    1. Under "Audiences", leave **Default audience** selected, but note the identity provider URL, as it is needed later. The identity provider URL is in the format `https://iam.googleapis.com/projects/PROJECT-NUMBER/locations/global/workloadIdentityPools/POOL-NAME/providers/PROVIDER-NAME`.
+    1. Click **Continue**.
+1. Under "Configure provider attributes":
+
+   !["Configure provider attributes" screen when setting a new identity pool and provider in Google Cloud Platform](/assets/images/enterprise/management-console/actions-gcp-idp-setup-2.png)
+
+   1. For the "OIDC 1" mapping, enter `assertion.sub`.
+   1. Under "Attribute Conditions", click **Add condition**.
+   1. For "Condition CEL", enter the following condition, replacing `HOSTNAME` with the public hostname for {% data variables.location.product_location_enterprise %}:
+
+      ```
+      google.subject == "HOSTNAME"
+      ```
+
+      For example:
+
+      ```
+      google.subject == "my-ghes-host.example.com"
+      ```
+
+      {% note %}
+
+      **Note:** The hostname of {% data variables.location.product_location_enterprise %} used here _must not_ include the protocol.
+
+      {% endnote %}
+   1. Click **Save**.
+1. After creating the identity pool, at the top of the identity pool's page, click **Grant access**.
+
+   !["Grant access to service account" screen when modifying an identity pool in Google Cloud Platform](/assets/images/enterprise/management-console/actions-gcp-idp-setup-3.png)
+
+   1. Under "Select service account", select the service account that you created in the previous procedure.
+   1. Under "Select principals (identities that can access the service account)", select **Only identities matching the filter**.
+   1. For "Attribute name", select **subject**.
+   1. For "Attribute value", enter your {% data variables.product.prodname_ghe_server %} hostname, without the protocol. For example, `my-ghes-host.example.com`.
+   1. Click **Save**.
+   1. You can dismiss the "Configure your application" dialog, as the configuration file is not needed.
+
+### 3. Configure {% data variables.product.prodname_ghe_server %} to connect to Google Cloud Storage using OIDC
 
 {% data reusables.enterprise_site_admin_settings.access-settings %}
 {% data reusables.enterprise_site_admin_settings.management-console %}
 {% data reusables.enterprise_management_console.actions %}
 {% data reusables.actions.enterprise-enable-checkbox %}
+{% data reusables.actions.enterprise-gcp-storage-setup %}
+1. Under "Authentication", select **OpenID Connect (OIDC)**, and enter the values for your storage:
+   * **Service URL**: The service URL for your bucket. This is usually `https://storage.googleapis.com`.
+   * **Bucket name**: The name of your bucket.
+   * **Workload Identity Provider ID**: The identity provider ID for your identity pool.
+
+     This is in the format `projects/PROJECT-NUMBER/locations/global/workloadIdentityPools/POOL-NAME/providers/PROVIDER-NAME`. Note that you must remove the `https://iam.googleapis.com/` prefix from the value noted in the previous procedure.
+
+     For example, `projects/1234567890/locations/global/workloadIdentityPools/my-pool/providers/my-provider`.
+   * **Service account**: The service account email address that you noted in the previous procedure. For example, `ghes-oidc-service-account@my-project.iam.gserviceaccount.com`.
+{% data reusables.enterprise_management_console.test-storage-button %}
+{% data reusables.enterprise_management_console.save-settings %}
+
+{% endif %}
+
+## Enabling {% data variables.product.prodname_actions %} with Google Cloud Storage{% ifversion ghes-actions-storage-oidc %} using a HMAC key{% endif %}
+
+1. Create a Google Cloud service account that can access the bucket, and create a Hash-based Message Authentication Code (HMAC) key for the service account. For more information, see "[Manage HMAC keys for service accounts](https://cloud.google.com/storage/docs/authentication/managing-hmackeys)" in the Google Cloud documentation.
+
+   The service account must have the following [Identity and Access Management (IAM) permissions](https://cloud.google.com/storage/docs/access-control/iam-permissions) for the bucket:
+
+   * `storage.objects.create`
+   * `storage.objects.get`
+   * `storage.objects.list`
+   * `storage.objects.update`
+   * `storage.objects.delete`
+   * `storage.multipartUploads.create`
+   * `storage.multipartUploads.abort`
+   * `storage.multipartUploads.listParts`
+   * `storage.multipartUploads.list`
+{% data reusables.enterprise_site_admin_settings.access-settings %}
+{% data reusables.enterprise_site_admin_settings.management-console %}
+{% data reusables.enterprise_management_console.actions %}
+{% data reusables.actions.enterprise-enable-checkbox %}
+{%- ifversion ghes-actions-storage-oidc %}
+{% data reusables.actions.enterprise-gcp-storage-setup %}
+1. Under "Authentication", select **Credentials-based**, and enter your storage bucket's details:
+
+{% indented_data_reference reusables.actions.enterprise-gcp-storage-credential-fields spaces=3 %}
+{%- else %}
 1. Under "Artifact & Log Storage", select **Google Cloud Storage**, and enter your bucket's details:
 
-   * **Service URL**: The service URL for your bucket. This is usually `https://storage.googleapis.com`.
-   * **Bucket Name**: The name of your bucket.
-   * **HMAC Access Id** and **HMAC Secret**: The Google Cloud access ID and secret for your storage account. For more information, see "[Manage HMAC keys for service accounts](https://cloud.google.com/storage/docs/authentication/managing-hmackeys)" in the Google Cloud documentation.
+{% indented_data_reference reusables.actions.enterprise-gcp-storage-credential-fields spaces=3 %}
 
    ![Radio button for selecting Google Cloud Storage and fields for configuration](/assets/images/enterprise/management-console/actions-google-cloud-storage.png)
+{%- endif %}
 {% data reusables.enterprise_management_console.test-storage-button %}
 {% data reusables.enterprise_management_console.save-settings %}
 

content/admin/github-actions/enabling-github-actions-for-github-enterprise-server/enabling-github-actions-with-minio-storage.md

@@ -35,13 +35,24 @@ Before enabling {% data variables.product.prodname_actions %}, make sure you hav
 {% data reusables.enterprise_site_admin_settings.management-console %}
 {% data reusables.enterprise_management_console.actions %}
 {% data reusables.actions.enterprise-enable-checkbox %}
+{%- ifversion ghes-actions-storage-oidc %}
+{% data reusables.actions.enterprise-s3-storage-setup %}
+1. Under "Authentication", select **Credentials-based**, and enter your storage bucket's details:
+
+   {% note %}
+
+   **Note:** For MinIO, you cannot use OpenID Connect (OIDC) authentication. You must use credentials-based authentication.
+
+   {% endnote %}
+
+{% indented_data_reference reusables.actions.enterprise-minio-storage-credential-fields spaces=3 %}
+{%- else %}
 1. Under "Artifact & Log Storage", select **Amazon S3**, and enter your storage bucket's details:
 
-   * **AWS Service URL**: The URL to your MinIO service. For example, `https://my-minio.example:9000`.
-   * **AWS S3 Bucket**: The name of your S3 bucket.
-   * **AWS S3 Access Key** and **AWS S3 Secret Key**: The `MINIO_ACCESS_KEY` and `MINIO_SECRET_KEY` used for your MinIO instance.
+{% indented_data_reference reusables.actions.enterprise-minio-storage-credential-fields spaces=3 %}
 
    ![Radio button for selecting Amazon S3 Storage and fields for MinIO configuration](/assets/images/enterprise/management-console/actions-minio-s3-storage.png)
+{% endif %}
 1. Under "Artifact & Log Storage", select **Force path style**.
 
    ![Checkbox to Force path style](/assets/images/enterprise/management-console/actions-minio-force-path-style.png)

content/admin/guides.md

@@ -147,5 +147,9 @@ includeGuides:
   - /admin/user-management/suspending-and-unsuspending-users
   - /admin/overview/creating-an-enterprise-account
   - /admin/user-management/managing-organizations-in-your-enterprise/restoring-a-deleted-organization
+  - /admin/configuration/administering-your-instance-from-the-management-console/about-the-management-console
+  - /admin/configuration/administering-your-instance-from-the-management-console/managing-access-to-the-management-console
+  - /admin/configuration/administering-your-instance-from-the-management-console/accessing-the-management-console
+  - /admin/configuration/administering-your-instance-from-the-management-console/troubleshooting-access-to-the-management-console
 ---
 

content/admin/identity-and-access-management/using-saml-for-enterprise-iam/configuring-saml-single-sign-on-for-your-enterprise.md

@@ -29,7 +29,7 @@ redirect_from:
 
 {% ifversion ghec %}
 
-{% data reusables.saml.dotcom-saml-explanation %} 
+{% data reusables.saml.dotcom-saml-explanation %}
 
 {% data reusables.saml.saml-accounts %}
 
@@ -101,7 +101,7 @@ For more detailed information about how to enable SAML using Okta, see "[Configu
 
 ## Configuring SAML SSO
 
-You can enable or disable SAML authentication for {% data variables.location.product_location %}, or you can edit an existing configuration. You can view and edit authentication settings for {% data variables.product.product_name %} in the management console. For more information, see "[Accessing the management console](/admin/configuration/configuring-your-enterprise/accessing-the-management-console)."
+You can enable or disable SAML authentication for {% data variables.location.product_location %}, or you can edit an existing configuration. You can view and edit authentication settings for {% data variables.product.product_name %} in the {% data variables.enterprise.management_console %}. For more information, see "[Administering your instance from the {% data variables.enterprise.management_console %}](/admin/configuration/administering-your-instance-from-the-management-console)."
 
 {% note %}
 
@@ -113,7 +113,7 @@ You can enable or disable SAML authentication for {% data variables.location.pro
 {% data reusables.enterprise_site_admin_settings.management-console %}
 {% data reusables.enterprise_management_console.authentication %}
 1. Select **SAML**.
-   
+
    ![Screenshot of option to enable SAML authentication in management console](/assets/images/enterprise/management-console/auth-select-saml.png)
 1. {% data reusables.enterprise_user_management.built-in-authentication-option %}
 
@@ -177,7 +177,7 @@ If the details for your IdP change, you'll need to edit the SAML SSO configurati
 
 **Note**: {% data reusables.saml.contact-support-if-your-idp-is-unavailable %}
 
-{% endnote %} 
+{% endnote %}
 
 {% data reusables.enterprise-accounts.access-enterprise %}
 {% data reusables.enterprise-accounts.settings-tab %}

content/admin/identity-and-access-management/using-saml-for-enterprise-iam/saml-configuration-reference.md

@@ -73,7 +73,7 @@ The SP metadata for your enterprise on {% data variables.product.product_name %}
 
 ## SAML attributes
 
-The following SAML attributes are available for {% data variables.product.product_name %}.{% ifversion ghes %} You can change the attribute names in the management console, with the exception of the `administrator` attribute. For more information, see "[Accessing the management console](/admin/configuration/configuring-your-enterprise/accessing-the-management-console)."{% endif %}
+The following SAML attributes are available for {% data variables.product.product_name %}.{% ifversion ghes %} You can change the attribute names in the {% data variables.enterprise.management_console %}, with the exception of the `administrator` attribute. For more information, see "[Administering your instance from the {% data variables.enterprise.management_console %}](/admin/configuration/administering-your-instance-from-the-management-console)."{% endif %}
 
 | Name | Required? | Description |
 | :- | :- | :- |
@@ -103,7 +103,7 @@ To specify more than one value for an attribute, use multiple `<saml2:AttributeV
 
 - Your IdP must provide the `<Destination>` element on the root response document and match the ACS URL only when the root response document is signed. If your IdP signs the assertion, {% data variables.product.product_name %} will ignore the assertion.
 - Your IdP must always provide the `<Audience>` element as part of the `<AudienceRestriction>` element. The value must match your `EntityId` for {% data variables.product.product_name %}.{% ifversion ghes or ghae %} This value is the URL where you access {% data variables.location.product_location %}, such as {% ifversion ghes %}`http(s)://HOSTNAME`{% elsif ghae %}`https://SUBDOMAIN.githubenterprise.com`, `https://SUBDOMAIN.github.us`, or `https://SUBDOMAIN.ghe.com`{% endif %}.{% endif %}
-  
+
   {%- ifversion ghec %}
   - If you configure SAML for an organization, this value is `https://github.com/orgs/ORGANIZATION`.
   - If you configure SAML for an enterprise, this URL is `https://github.com/enterprises/ENTERPRISE`.

content/admin/installation/setting-up-a-github-enterprise-server-instance/setting-up-a-staging-instance.md

@@ -140,7 +140,7 @@ To access the staging instance using the same hostname, update your local hosts
 
 {% endnote %}
 
-Then, review the staging instance's configuration in the {% data variables.enterprise.management_console %}. For more information, see "[Accessing the  {% data variables.enterprise.management_console %}](/admin/configuration/configuring-your-enterprise/accessing-the-management-console)."
+Then, review the staging instance's configuration in the {% data variables.enterprise.management_console %}. For more information, see "[Administering your instance from the {% data variables.enterprise.management_console %}](/admin/configuration/administering-your-instance-from-the-management-console)."
 
 {% warning %}
 

content/communities/using-templates-to-encourage-useful-issues-and-pull-requests/syntax-for-githubs-form-schema.md

@@ -4,6 +4,7 @@ intro: 'You can use {% data variables.product.company_short %}''s form schema to
 versions:
   fpt: '*'
   ghec: '*'
+  ghes: '> 3.7'
 miniTocMaxHeadingLevel: 3
 topics:
   - Community

content/get-started/customizing-your-github-workflow/exploring-integrations/github-extensions-and-integrations.md

@@ -1,6 +1,6 @@
 ---
 title: GitHub extensions and integrations
-intro: 'Use {% data variables.product.product_name %} extensions to work seamlessly in {% data variables.product.product_name %} repositories within third-party applications.'
+intro: 'Use {% data variables.product.prodname_dotcom %} extensions to work seamlessly in repositories on {% data variables.location.product_location %} within third-party applications.'
 redirect_from:
   - /articles/about-github-extensions-for-third-party-applications
   - /articles/github-extensions-and-integrations
@@ -9,8 +9,12 @@ redirect_from:
 versions:
   fpt: '*'
   ghec: '*'
+  ghes: '>3.7'
 shortTitle: Extensions & integrations
 ---
+
+{% ifversion fpt or ghec %}
+
 ## Editor tools
 
 You can connect to {% data variables.product.product_name %} repositories within third-party editor tools such as Unity and {% data variables.product.prodname_vs %}.
@@ -35,18 +39,44 @@ You can integrate your personal or organization account on {% data variables.loc
 
 You can integrate Jira Cloud with your personal or organization account to scan commits and pull requests, creating relevant metadata and hyperlinks in any mentioned Jira issues. For more information, visit the [Jira integration app](https://github.com/marketplace/jira-software-github) in the marketplace.
 
+{% endif %}
+
+{% ifversion slack-and-team-integrations %}
+
 ## Team communication tools
 
-You can integrate your personal or organization account on {% data variables.location.product_location %} with third-party team communication tools, such as Slack or Microsoft Teams.
+You can integrate your {% ifversion fpt or ghec %}personal{% elsif ghes %}user{% endif %} or organization account on {% data variables.location.product_location %} with third-party team communication tools, such as Slack or Microsoft Teams.
 
 ### Slack and {% data variables.product.product_name %} integration
 
-The Slack + {% data variables.product.prodname_dotcom %} app lets you subscribe to your repositories or organizations and get realtime updates about issues, pull requests, commits, discussions, releases, deployment reviews and deployment statuses. You can also perform activities like opening and closing issues, and you can see detailed references to issues and pull requests without leaving Slack. The app will also ping you personally in Slack if you are mentioned as part of any {% data variables.product.prodname_dotcom %} notifications that you receive in your channels or personal chats.
+The Slack + {% data variables.product.prodname_dotcom %} app lets you subscribe to your repositories or organizations and get real-time updates about activity for the following features on {% data variables.location.product_location %}.
+
+- Issues
+- Pull requests
+- Commits
+- Discussions
+- Releases
+- {% data variables.product.prodname_actions %}
+- Deployments
+
+You can also open and close issues, comment on your issues and pull requests, approve deployments, and see detailed references to issues and pull requests without leaving Slack. The app will also ping you personally on Slack if you are mentioned as part of any {% data variables.product.prodname_dotcom %} notifications that you receive in your channels or personal chats.
 
 The Slack + {% data variables.product.prodname_dotcom %} app is also compatible with [Slack Enterprise Grid](https://slack.com/intl/en-in/help/articles/360000281563-Manage-apps-on-Enterprise-Grid). For more information, visit the [Slack + {% data variables.product.prodname_dotcom %} app](https://github.com/marketplace/slack-github) in the marketplace.
 
 ### Microsoft Teams and {% data variables.product.product_name %} integration
 
-The {% data variables.product.prodname_dotcom %} for Teams app lets you subscribe to your repositories or organizations and get realtime updates about issues, pull requests, commits, discussions, releases, deployment reviews and deployment statuses. You can also perform activities like opening and closing issues, commenting on your issues and pull requests, and you can see detailed references to issues and pull requests without leaving Microsoft Teams. The app will also ping you personally in Teams if you are mentioned as part of any {% data variables.product.prodname_dotcom %} notifications that you receive in your channels or personal chats.
+The {% data variables.product.prodname_dotcom %} for Teams app lets you subscribe to your repositories or organizations and get real-time updates about activity for the following features on {% data variables.location.product_location %}.
+
+- Issues
+- Pull requests
+- Commits
+- Discussions
+- Releases
+- {% data variables.product.prodname_actions %}
+- Deployments
+
+You can also open and close issues, comment on your issues and pull requests, approve deployments, and see detailed references to issues and pull requests without leaving Microsoft Teams. The app will also ping you personally on Teams if you are mentioned as part of any {% data variables.product.prodname_dotcom %} notifications that you receive in your channels or personal chats.
 
 For more information, visit the [{% data variables.product.prodname_dotcom %} for Teams app](https://appsource.microsoft.com/en-us/product/office/WA200002077) in Microsoft AppSource.
+
+{% endif %}

content/get-started/onboarding/getting-started-with-github-enterprise-server.md

@@ -17,17 +17,17 @@ This guide will walk you through setting up, configuring and managing {% data va
 For more information about {% data variables.product.product_name %}, see "[About {% data variables.product.prodname_ghe_server %}](/admin/overview/about-github-enterprise-server)."
 
 ## Part 1: Installing {% data variables.product.product_name %}
-To get started with {% data variables.product.product_name %}, you will need to create your enterprise account, install the instance, use the Management Console for initial setup, configure your instance, and manage billing. 
+To get started with {% data variables.product.product_name %}, you will need to create your enterprise account, install the instance, use the {% data variables.enterprise.management_console %} for initial setup, configure your instance, and manage billing.
 ### 1. Creating your enterprise account
 Before you install {% data variables.product.product_name %}, you can create an enterprise account on {% data variables.product.prodname_dotcom_the_website %} by contacting [{% data variables.product.prodname_dotcom %}'s Sales team](https://enterprise.github.com/contact). An enterprise account on {% data variables.product.prodname_dotcom_the_website %} is useful for billing and for shared features with {% data variables.product.prodname_dotcom_the_website %} via {% data variables.product.prodname_github_connect %}.  For more information, see "[About enterprise accounts](/admin/overview/about-enterprise-accounts)."
 ### 2. Installing {% data variables.product.product_name %}
 To get started with {% data variables.product.product_name %}, you will need to install the appliance on a virtualization platform of your choice. For more information, see "[Setting up a {% data variables.product.prodname_ghe_server %} instance](/admin/installation/setting-up-a-github-enterprise-server-instance)."
 
-### 3. Using the Management Console
-You will use the Management Console to walk through the initial setup process when first launching {% data variables.location.product_location %}. You can also use the  Management Console to manage instance settings such as the license, domain, authentication, and TLS. For more information, see "[Accessing the management console](/admin/configuration/configuring-your-enterprise/accessing-the-management-console)."
+### 3. Using the {% data variables.enterprise.management_console %}
+You will use the {% data variables.enterprise.management_console %} to walk through the initial setup process when first launching {% data variables.location.product_location %}. You can also use the  {% data variables.enterprise.management_console %} to manage instance settings such as the license, domain, authentication, and TLS. For more information, see "[Administering your instance from the {% data variables.enterprise.management_console %}](/admin/configuration/administering-your-instance-from-the-management-console)."
 
 ### 4. Configuring {% data variables.location.product_location %}
-In addition to the Management Console, you can use the site admin dashboard and the administrative shell (SSH) to manage {% data variables.location.product_location %}. For example, you can configure applications and rate limits, view reports, use command-line utilities. For more information, see "[Configuring your enterprise](/admin/configuration/configuring-your-enterprise)."
+In addition to the {% data variables.enterprise.management_console %}, you can use the site admin dashboard and the administrative shell (SSH) to manage {% data variables.location.product_location %}. For example, you can configure applications and rate limits, view reports, use command-line utilities. For more information, see "[Configuring your enterprise](/admin/configuration/configuring-your-enterprise)."
 
 You can use the default network settings used by {% data variables.product.product_name %} via the dynamic host configuration protocol (DHCP), or you can also configure the network settings using the virtual machine console. You can also configure a proxy server or firewall rules. For more information, see "[Configuring network settings](/admin/configuration/configuring-network-settings)."
 
@@ -98,7 +98,7 @@ You can build integrations with the {% ifversion fpt or ghec %}{% data variables
 
 For more information on enabling and configuring {% data variables.product.prodname_actions %} on {% data variables.product.product_name %}, see "[Getting started with {% data variables.product.prodname_actions %} for {% data variables.product.prodname_ghe_server %}](/admin/github-actions/enabling-github-actions-for-github-enterprise-server/getting-started-with-github-actions-for-github-enterprise-server)."
 
-### 4. Publishing and managing {% data variables.product.prodname_registry %} 
+### 4. Publishing and managing {% data variables.product.prodname_registry %}
 {% data reusables.getting-started.packages %}
 
 For more information on enabling and configuring {% data variables.product.prodname_registry %} for {% data variables.location.product_location %}, see "[Getting started with {% data variables.product.prodname_registry %} for your enterprise](/admin/packages/getting-started-with-github-packages-for-your-enterprise)."

content/issues/planning-and-tracking-with-projects/automating-your-project/using-the-api-to-manage-projects.md

@@ -767,7 +767,10 @@ gh api graphql -f query='
 ```
 {% endcli %}
 
+{% ifversion projects-v2-webhooks %}
 
 ## Using webhooks
 
 You can use webhooks to subscribe to events taking place in your project. For example, when an item is edited, {% data variables.product.product_name %} can send a HTTP POST payload to the webhook's configured URL which can trigger automation on your server. For more information about webhooks, see "[About webhooks](/developers/webhooks-and-events/webhooks/about-webhooks)." To learn more about the `projects_v2_item` webhook event, see "[Webhook events and payloads](/developers/webhooks-and-events/webhooks/webhook-events-and-payloads#projects_v2_item)."
+
+{% endif %}

content/issues/planning-and-tracking-with-projects/automating-your-project/using-the-built-in-automations.md

@@ -4,7 +4,7 @@ shortTitle: Using built-in automations
 intro: You can use built-in workflows to automate your projects.
 miniTocMaxHeadingLevel: 3
 versions:
-  feature: projects-v2
+  feature: projects-v2-workflows
 type: tutorial
 topics:
   - Projects

content/issues/planning-and-tracking-with-projects/creating-projects/migrating-from-projects-classic.md

@@ -3,7 +3,7 @@ title: 'Migrating from {% data variables.product.prodname_projects_v1 %}'
 intro: 'You can migrate your {% data variables.projects.projects_v1_board %} to the new {% data variables.product.prodname_projects_v2 %} experience.'
 miniTocMaxHeadingLevel: 3
 versions:
-  feature: projects-v2
+  feature: projects-v2-migration
 redirect_from:
   - /issues/trying-out-the-new-projects-experience/migrating-your-project
 type: tutorial

content/issues/planning-and-tracking-with-projects/customizing-views-in-your-project/filtering-projects.md

@@ -22,8 +22,12 @@ In board layout, you can click on item data to filter for items with that value.
 
 Using multiple filters will act as a logical AND filter. For example, `label:bug status:"In progress"` will return items with the `bug` label and the "In progress" status. You can also provide multiple values for the same field to act as a logical OR filter. For example, `label:bug,support` will return items with either the `bug` or `support` labels. {% data variables.product.prodname_projects_v2 %} does not currently support logical OR filters across multiple fields.
 
+{% ifversion projects-v2-insights %}
+
 The same filters are available for charts you create using insights for {% data variables.product.prodname_projects_v2 %}, allowing you to filter the data used to create your charts. For more information, see "[Using insights with projects](/issues/planning-and-tracking-with-projects/viewing-insights-from-your-project/about-insights-for-projects)."
 
+{% endif %}
+
 When you filter a view and then add an item, the filtered metadata will be applied to new item. For example, if you're filtering by `status:"In progress"` and you add an item, the new item will have its status set to "In progress."
 
 You can use filters to produce views for very specific purposes. For example, you could use `assignee:@me status:todo last-updated:5days` to create a view of all work assigned to the current user, with the "todo" status, that hasn't been updated in the last five days. You could create a triage view by using a negative filter, such as `no:label no:assignee repo:octocat/game`, which would show items without a label and without an assignee that are located in the `octocat/game` repository.
@@ -204,6 +208,8 @@ You can filter by specific text fields or use a general text filter across all t
 | <code><em>TEXT</em></code>     | **API** will show items with "API" in the title or any other text field.
 | <code>field:<em>TEXT</em> TEXT | **label:bug rendering** will show items with the "bug" label and with "rendering" in the title or any other text field.
 
+{% ifversion projects-v2-wildcard-text-filtering %}
+
 You can also use a <code>&ast;</code> as a wildcard.
 
 | Qualifier  | Example
@@ -211,3 +217,5 @@ You can also use a <code>&ast;</code> as a wildcard.
 | <code>field:&ast;<em>TEXT</em>&ast;    | **label:&ast;bug&ast;** will show items with a label that contains the word "bug."
 | <code>field:<em>TEXT</em>&ast;         | **title:API&ast;** will show items with a title that begins with "API."
 | <code>field:&ast;<em>TEXT</em>         | **label:&ast;support** will show items with a label that ends with "support."
+
+{% endif %}

content/issues/planning-and-tracking-with-projects/index.md

@@ -21,3 +21,4 @@ redirect_from:
   - /issues/trying-out-the-new-projects-experience
 ---
 
+{% data reusables.projects.projects-beta %}

content/issues/planning-and-tracking-with-projects/learning-about-projects/about-projects.md

@@ -12,9 +12,11 @@ topics:
   - Projects
 ---
 
+{% data reusables.projects.projects-beta %}
+
 ## About {% data variables.product.prodname_projects_v2 %}
 
-A project is an adaptable spreadsheet that integrates with your issues and pull requests on {% data variables.product.company_short %} to help you plan and track your work effectively. You can create and customize multiple views by filtering, sorting, grouping your issues and pull requests, adding custom fields to track metadata specific to your team, and visualize work with configurable charts. Rather than enforcing a specific methodology, a project provides flexible features you can customize to your team’s needs and processes.
+A project is an adaptable spreadsheet that integrates with your issues and pull requests on {% data variables.product.company_short %} to help you plan and track your work effectively. You can create and customize multiple views by filtering, sorting, grouping your issues and pull requests,{% ifversion projects-v2-insights %} visualize work with configurable charts,{% endif %} and add custom fields to track metadata specific to your team. Rather than enforcing a specific methodology, a project provides flexible features you can customize to your team’s needs and processes.
 
 ### Staying up-to-date
 
@@ -32,9 +34,9 @@ You can use custom fields to add metadata to your issues, pull requests, and dra
 
 ### Automating your projects
 
-There are a number of ways you can add automation to your project. Built-in workflows allow you to automatically set fields when items are added or changed{% ifversion projects-v2-auto-archive %}, and you can also configure your project to automatically archive items when they meet certain criteria{% ifversion projects-v2-auto-add %} and automatically add items from a repository when they match set criteria{% endif %}{% endif %}. For more information, see "[Using the built-in automations](/issues/planning-and-tracking-with-projects/automating-your-project/using-the-built-in-automations)."
+{% ifversion projects-v2-workflows %}There are a number of ways you can add automation to your project. Built-in workflows allow you to automatically set fields when items are added or changed{% ifversion projects-v2-auto-archive %}, and you can also configure your project to automatically archive items when they meet certain criteria{% ifversion projects-v2-auto-add %} and automatically add items from a repository when they match set criteria{% endif %}{% endif %}. For more information, see "[Using the built-in automations](/issues/planning-and-tracking-with-projects/automating-your-project/using-the-built-in-automations)."{% endif %}
 
-You can also use the GraphQL API and {% data variables.product.prodname_actions %} to take even greater control of your project. For more information, see "[Using the API to manage Projects](/issues/planning-and-tracking-with-projects/automating-your-project/using-the-api-to-manage-projects)" and "[Automating Projects using Actions](/issues/planning-and-tracking-with-projects/automating-your-project/automating-projects-using-actions)."
+You can {% ifversion projects-v2-workflows %}also{% endif %} use the GraphQL API and {% data variables.product.prodname_actions %} to take {% ifversion projects-v2-workflows %}even greater{% endif %} control of your project. For more information, see "[Using the API to manage Projects](/issues/planning-and-tracking-with-projects/automating-your-project/using-the-api-to-manage-projects)" and "[Automating Projects using Actions](/issues/planning-and-tracking-with-projects/automating-your-project/automating-projects-using-actions)."
 
 {% ifversion projects-v2-tasklists %}
 

content/issues/planning-and-tracking-with-projects/learning-about-projects/best-practices-for-projects.md

@@ -62,13 +62,16 @@ To prevent information from getting out of sync, maintain a single source of tru
 
 You can automate tasks to spend less time on busy work and more time on the project itself. The less you need to remember to do manually, the more likely your project will stay up to date.
 
+{% ifversion projects-v2-workflows %}
+
 {% data variables.product.prodname_projects_v2 %} offers built-in workflows. For example, when an issue is closed, you can automatically set the status to "Done." {% ifversion projects-v2-auto-archive %}You can also configure built-in workflows to automatically archive items when they meet certain criteria{% ifversion projects-v2-auto-add %} and to automatically add items from a repository when they match a filter{% endif %}.{% endif %}
 
-Additionally, {% data variables.product.prodname_actions %} and the GraphQL API enable you to automate routine project management tasks. For example, to keep track of pull requests awaiting review, you can create a workflow that adds a pull request to a project and sets the status to "needs review"; this process can be automatically triggered when a pull request is marked as "ready for review."
+Additionally, {%endif %}{% data variables.product.prodname_actions %} and the GraphQL API enable you to automate routine project management tasks. For example, to keep track of pull requests awaiting review, you can create a workflow that adds a pull request to a project and sets the status to "needs review"; this process can be automatically triggered when a pull request is marked as "ready for review."
 
+{% ifversion projects-v2-workflows %}
 - For more information about the built-in workflows, see "[Using the built-in automations](/issues/planning-and-tracking-with-projects/automating-your-project/using-the-built-in-automations)."{% ifversion projects-v2-auto-archive %}
 - For more information about automatically archiving items, see "[Archiving items automatically](/issues/planning-and-tracking-with-projects/automating-your-project/archiving-items-automatically)."{% endif %}{% ifversion projects-v2-auto-add %}
-- For more information about automatically adding items, see "[Adding items automatically](/issues/planning-and-tracking-with-projects/automating-your-project/adding-items-automatically)."{% endif %}
+- For more information about automatically adding items, see "[Adding items automatically](/issues/planning-and-tracking-with-projects/automating-your-project/adding-items-automatically)."{% endif %}{% endif %}
 - For an example workflow, see "[Automating {% data variables.product.prodname_projects_v2 %} using Actions](/issues/planning-and-tracking-with-projects/automating-your-project/automating-projects-using-actions)."
 - For more information about the API, see "[Using the API to manage {% data variables.product.prodname_projects_v2 %}](/issues/planning-and-tracking-with-projects/automating-your-project/using-the-api-to-manage-projects)."
 - For more information about {% data variables.product.prodname_actions %}, see ["{% data variables.product.prodname_actions %}](/actions)."

content/issues/planning-and-tracking-with-projects/learning-about-projects/quickstart-for-projects.md

@@ -144,6 +144,8 @@ To indicate the purpose of the view, give it a descriptive name.
 
 ![Example priorities](/assets/images/help/projects/project-view-switch.gif)
 
+{% ifversion projects-v2-workflows %}
+
 ## Configure built-in automation
 
 {% ifversion projects-v2-auto-add %}
@@ -188,6 +190,8 @@ Finally, add a built in workflow to set the status to **Todo** when an item is a
 1. Click the **Disabled** toggle to enable the workflow.
   ![Screenshot showing the "enable" control for a workflow](/assets/images/help/projects-v2/workflow-enable.png)
 
+{% endif %}
+
 ## Further reading
 
 - "[Adding items to your project](/issues/planning-and-tracking-with-projects/managing-items-in-your-project/adding-items-to-your-project)"

content/issues/planning-and-tracking-with-projects/viewing-insights-from-your-project/about-insights-for-projects.md

@@ -3,7 +3,7 @@ title: 'About insights for {% data variables.product.prodname_projects_v2 %}'
 intro: You can view and customize charts that are built from your project's data.
 miniTocMaxHeadingLevel: 3
 versions:
-  feature: projects-v2
+  feature: projects-v2-insights
 redirect_from:
   - /issues/trying-out-the-new-projects-experience/using-insights-with-projects
 type: tutorial

content/issues/planning-and-tracking-with-projects/viewing-insights-from-your-project/configuring-charts.md

@@ -3,7 +3,7 @@ title: Configuring charts
 intro: Learn how to configure your charts and filter data from your project.
 miniTocMaxHeadingLevel: 3
 versions:
-  feature: projects-v2
+  feature: projects-v2-insights
 type: tutorial
 product: '{% data reusables.gated-features.historical-insights-for-projects %}'
 permissions: '{% data reusables.projects.insights-permissions %}'

content/issues/planning-and-tracking-with-projects/viewing-insights-from-your-project/creating-charts.md

@@ -3,7 +3,7 @@ title: Creating charts
 intro: Learn how to create new charts to save your configurations.
 miniTocMaxHeadingLevel: 3
 versions:
-  feature: projects-v2
+  feature: projects-v2-insights
 type: tutorial
 product: '{% data reusables.gated-features.historical-insights-for-projects %}'
 permissions: '{% data reusables.projects.insights-permissions %}'

content/issues/planning-and-tracking-with-projects/viewing-insights-from-your-project/index.md

@@ -3,7 +3,7 @@ title: 'Viewing insights from your {% data variables.projects.project_v2 %}'
 shortTitle: Viewing insights
 intro: You can use insights to visualize your projects by creating and sharing charts built from your project's data.
 versions:
-  feature: projects-v2
+  feature: projects-v2-insights
 topics:
   - Issues
   - Projects
@@ -14,4 +14,3 @@ children:
   - /configuring-charts
 allowTitleToDifferFromFilename: true
 ---
-

content/organizations/managing-organization-settings/disabling-insights-for-projects-in-your-organization.md

@@ -2,7 +2,7 @@
 title: 'Disabling insights for {% data variables.projects.projects_v2 %} in your organization'
 intro: 'Organization owners can turn off insights for {% data variables.product.prodname_projects_v2 %} in their organization.'
 versions:
-  feature: projects-v2
+  feature: projects-v2-insights
 product: '{% data reusables.gated-features.historical-insights-for-projects %}'
 topics:
   - Projects

content/rest/announcement-banners/index.md

@@ -3,8 +3,8 @@ title: Announcement Banners
 intro: 'The Announcement Banners API enables you to view, create, and remove an announcement banner for your enterprise or organization.'
 versions:
   ghec: '*'
-  ghes: '>=3.9'
-  ghae: '>=3.9'
+  ghes: '>=3.8'
+  ghae: '>=3.8'
 miniTocMaxHeadingLevel: 3
 children:
   - /enterprises

content/rest/announcement-banners/organizations.md

@@ -4,8 +4,8 @@ shortTitle: Organization
 intro: 'The Organization Announcement Banners API allows you to get, set, and remove the announcement banner for your organization.'
 versions:
   ghec: '*'
-  ghes: '>=3.9'
-  ghae: '>=3.9'
+  ghes: '>=3.8'
+  ghae: '>=3.8'
 miniTocMaxHeadingLevel: 3
 allowTitleToDifferFromFilename: true
 ---

content/rest/overview/endpoints-available-for-fine-grained-personal-access-tokens.md

@@ -274,6 +274,8 @@ shortTitle: '{% data variables.product.pat_v2_caps %}-enabled endpoints'
 - [`GET /codes_of_conduct`](/rest/codes-of-conduct#get-all-codes-of-conduct)
 - [`GET /codes_of_conduct/{key}`](/rest/codes-of-conduct#get-a-code-of-conduct)
 
+{% ifversion fpt or ghec %}
+
 ## codespaces
 
 - [`GET /orgs/{org}/codespaces`](/rest/codespaces#list-in-organization)
@@ -324,6 +326,8 @@ shortTitle: '{% data variables.product.pat_v2_caps %}-enabled endpoints'
 - [`POST /user/codespaces/{codespace_name}/start`](/rest/codespaces#start-a-codespace-for-the-authenticated-user)
 - [`POST /user/codespaces/{codespace_name}/stop`](/rest/codespaces#stop-a-codespace-for-the-authenticated-user)
 
+{% endif %}
+
 ## collaborators
 
 - [`GET /repos/{owner}/{repo}/collaborators`](/rest/collaborators/collaborators#list-repository-collaborators)
@@ -464,6 +468,8 @@ shortTitle: '{% data variables.product.pat_v2_caps %}-enabled endpoints'
 - [`GET /gitignore/templates`](/rest/gitignore#get-all-gitignore-templates)
 - [`GET /gitignore/templates/{name}`](/rest/gitignore#get-a-gitignore-template)
 
+{% ifversion fpt or ghec %}
+
 ## interactions
 
 - [`GET /orgs/{org}/interaction-limits`](/rest/interactions#get-interaction-restrictions-for-an-organization)
@@ -476,6 +482,8 @@ shortTitle: '{% data variables.product.pat_v2_caps %}-enabled endpoints'
 - [`PUT /user/interaction-limits`](/rest/interactions#set-interaction-restrictions-for-your-public-repositories)
 - [`DELETE /user/interaction-limits`](/rest/interactions#remove-interaction-restrictions-from-your-public-repositories)
 
+{% endif %}
+
 ## issues
 
 - [`GET /issues`](/rest/issues#list-issues-assigned-to-the-authenticated-user)
@@ -544,12 +552,12 @@ shortTitle: '{% data variables.product.pat_v2_caps %}-enabled endpoints'
 - [`GET /repos/{owner}/{repo}/stats/commit_activity`](/rest/metrics/statistics#get-the-last-year-of-commit-activity)
 - [`GET /repos/{owner}/{repo}/stats/contributors`](/rest/metrics/statistics#get-all-contributor-commit-activity)
 - [`GET /repos/{owner}/{repo}/stats/participation`](/rest/metrics/statistics#get-the-weekly-commit-count)
-- [`GET /repos/{owner}/{repo}/stats/punch_card`](/rest/metrics/statistics#get-the-hourly-commit-count-for-each-day)
-- [`GET /repos/{owner}/{repo}/community/profile`](/rest/metrics/community#get-community-profile-metrics)
-- [`GET /repos/{owner}/{repo}/traffic/clones`](/rest/metrics/traffic#get-repository-clones)
-- [`GET /repos/{owner}/{repo}/traffic/popular/paths`](/rest/metrics/traffic#get-top-referral-paths)
-- [`GET /repos/{owner}/{repo}/traffic/popular/referrers`](/rest/metrics/traffic#get-top-referral-sources)
-- [`GET /repos/{owner}/{repo}/traffic/views`](/rest/metrics/traffic#get-page-views)
+- [`GET /repos/{owner}/{repo}/stats/punch_card`](/rest/metrics/statistics#get-the-hourly-commit-count-for-each-day){% ifversion fpt or ghec %}
+- [`GET /repos/{owner}/{repo}/community/profile`](/rest/metrics/community#get-community-profile-metrics){% endif %}{% ifversion fpt or ghec %}
+- [`GET /repos/{owner}/{repo}/traffic/clones`](/rest/metrics/traffic#get-repository-clones){% endif %}{% ifversion fpt or ghec %}
+- [`GET /repos/{owner}/{repo}/traffic/popular/paths`](/rest/metrics/traffic#get-top-referral-paths){% endif %}{% ifversion fpt or ghec %}
+- [`GET /repos/{owner}/{repo}/traffic/popular/referrers`](/rest/metrics/traffic#get-top-referral-sources){% endif %}{% ifversion fpt or ghec %}
+- [`GET /repos/{owner}/{repo}/traffic/views`](/rest/metrics/traffic#get-page-views){% endif %}
 
 ## migrations
 
@@ -618,23 +626,28 @@ shortTitle: '{% data variables.product.pat_v2_caps %}-enabled endpoints'
 - [`DELETE /orgs/{org}/invitations/{invitation_id}`](/rest/orgs#cancel-an-organization-invitation)
 - [`GET /orgs/{org}/invitations/{invitation_id}/teams`](/rest/orgs#list-organization-invitation-teams)
 
+{% ifversion fpt or ghec %}
+
 ## packages
 
-- [`GET /orgs/{org}/packages`](/rest/packages#list-packages-for-an-organization)
-- [`GET /orgs/{org}/packages/{package_type}/{package_name}`](/rest/packages#get-a-package-for-an-organization)
-- [`DELETE /orgs/{org}/packages/{package_type}/{package_name}`](/rest/packages#delete-a-package-for-an-organization)
-- [`GET /orgs/{org}/packages/{package_type}/{package_name}/versions`](/rest/packages#get-all-package-versions-for-a-package-owned-by-an-organization)
-- [`GET /orgs/{org}/packages/{package_type}/{package_name}/versions/{package_version_id}`](/rest/packages#get-a-package-version-for-an-organization)
-- [`GET /user/packages`](/rest/packages#list-packages-for-the-authenticated-user)
-- [`GET /user/packages/{package_type}/{package_name}`](/rest/packages#get-a-package-for-the-authenticated-user)
-- [`DELETE /user/packages/{package_type}/{package_name}`](/rest/packages#delete-a-package-for-the-authenticated-user)
-- [`GET /user/packages/{package_type}/{package_name}/versions`](/rest/packages#get-all-package-versions-for-a-package-owned-by-the-authenticated-user)
-- [`GET /user/packages/{package_type}/{package_name}/versions/{package_version_id}`](/rest/packages#get-a-package-version-for-the-authenticated-user)
-- [`GET /users/{username}/packages`](/rest/packages#list-packages-for-user)
-- [`GET /users/{username}/packages/{package_type}/{package_name}`](/rest/packages#get-a-package-for-a-user)
-- [`DELETE /users/{username}/packages/{package_type}/{package_name}`](/rest/packages#delete-a-package-for-a-user)
-- [`GET /users/{username}/packages/{package_type}/{package_name}/versions`](/rest/packages#get-all-package-versions-for-a-package-owned-by-a-user)
-- [`GET /users/{username}/packages/{package_type}/{package_name}/versions/{package_version_id}`](/rest/packages#get-a-package-version-for-a-user)
+{% ifversion fpt or ghec %}
+- [`GET /orgs/{org}/packages`](/rest/packages#list-packages-for-an-organization){% endif %}{% ifversion fpt or ghec %}
+- [`GET /orgs/{org}/packages/{package_type}/{package_name}`](/rest/packages#get-a-package-for-an-organization){% endif %}{% ifversion fpt or ghec %}
+- [`DELETE /orgs/{org}/packages/{package_type}/{package_name}`](/rest/packages#delete-a-package-for-an-organization){% endif %}{% ifversion fpt or ghec %}
+- [`GET /orgs/{org}/packages/{package_type}/{package_name}/versions`](/rest/packages#get-all-package-versions-for-a-package-owned-by-an-organization){% endif %}{% ifversion fpt or ghec %}
+- [`GET /orgs/{org}/packages/{package_type}/{package_name}/versions/{package_version_id}`](/rest/packages#get-a-package-version-for-an-organization){% endif %}{% ifversion fpt or ghec %}
+- [`GET /user/packages`](/rest/packages#list-packages-for-the-authenticated-user){% endif %}{% ifversion fpt or ghec %}
+- [`GET /user/packages/{package_type}/{package_name}`](/rest/packages#get-a-package-for-the-authenticated-user){% endif %}{% ifversion fpt or ghec %}
+- [`DELETE /user/packages/{package_type}/{package_name}`](/rest/packages#delete-a-package-for-the-authenticated-user){% endif %}{% ifversion fpt or ghec %}
+- [`GET /user/packages/{package_type}/{package_name}/versions`](/rest/packages#get-all-package-versions-for-a-package-owned-by-the-authenticated-user){% endif %}{% ifversion fpt or ghec %}
+- [`GET /user/packages/{package_type}/{package_name}/versions/{package_version_id}`](/rest/packages#get-a-package-version-for-the-authenticated-user){% endif %}{% ifversion fpt or ghec %}
+- [`GET /users/{username}/packages`](/rest/packages#list-packages-for-user){% endif %}{% ifversion fpt or ghec %}
+- [`GET /users/{username}/packages/{package_type}/{package_name}`](/rest/packages#get-a-package-for-a-user){% endif %}{% ifversion fpt or ghec %}
+- [`DELETE /users/{username}/packages/{package_type}/{package_name}`](/rest/packages#delete-a-package-for-a-user){% endif %}{% ifversion fpt or ghec %}
+- [`GET /users/{username}/packages/{package_type}/{package_name}/versions`](/rest/packages#get-all-package-versions-for-a-package-owned-by-a-user){% endif %}{% ifversion fpt or ghec %}
+- [`GET /users/{username}/packages/{package_type}/{package_name}/versions/{package_version_id}`](/rest/packages#get-a-package-version-for-a-user){% endif %}
+
+{% endif %}
 
 ## pages
 

content/rest/overview/permissions-required-for-fine-grained-personal-access-tokens.md

@@ -618,6 +618,8 @@ When you create a {% data variables.product.pat_v2 %}, you grant it a set of per
 
 {% ifversion fpt or ghec %}
 
+{% ifversion fpt or ghec %}
+
 ## Organization codespaces
 
 {% ifversion fpt or ghec %}- [`GET /orgs/{org}/codespaces`](/rest/codespaces#list-in-organization) (read){% endif %}
@@ -647,6 +649,8 @@ When you create a {% data variables.product.pat_v2 %}, you grant it a set of per
 
 {% ifversion ghec %}
 
+{% endif %}
+
 ## Organization custom roles
 
 {% ifversion ghec %}- [`GET /organizations/{organization_id}/custom_roles`](/rest/orgs#list-custom-repository-roles-in-an-organization) (read){% endif %}

content/support/contacting-github-support/providing-data-to-github-support.md

@@ -4,6 +4,7 @@ intro: 'Since {% data variables.contact.github_support %} doesn''t have access t
 shortTitle: Providing data
 versions:
   ghes: '*'
+permissions: Site administrators and enterprise owners can provide data to {% data variables.contact.github_support %}.
 redirect_from:
   - /enterprise/admin/guides/installation/troubleshooting
   - /enterprise/admin/articles/support-bundles
@@ -17,9 +18,13 @@ topics:
 
 ## About diagnostic files and support bundles
 
-{% data variables.contact.github_support %} may ask you to provide additional data in the form of sanitized log files. There are three types of log file you may be asked to provide.
+To help you troubleshoot issues with a {% data variables.product.prodname_ghe_server %} instance in your environment, {% data variables.contact.github_support %} may request one or more types of data.
 
-Diagnostic files contain information about a {% data variables.product.prodname_ghe_server %} instance's settings and environment, support bundles contain diagnostics and logs from the past two days, and extended support bundles also contain diagnostics and logs but from the past seven days.
+| Data | File format | Description |
+| :- | :- | :- |
+| Diagnostic file | Plaintext | Contains information about the instance's settings and environment. |
+| Support bundle | Archive | Contains a diagnostics file and sanitized log files from the past two days{% ifversion specify-period-for-support-bundle %} by default{% endif %}. |
+| Extended support bundle | Archive | Contains a diagnostics file and sanitized log files from the past seven days. |
 
 ## About log file sanitization
 
@@ -41,7 +46,7 @@ Authentication tokens, keys, and secrets are removed from log files in the follo
 
 ## Creating and sharing diagnostic files
 
-Diagnostic files are an overview of a {% data variables.product.prodname_ghe_server %} instance's settings and environment that contains:
+Diagnostic files are an overview of a {% data variables.product.prodname_ghe_server %} instance's settings and environment that contain:
 
 - Client license information, including company name, expiration date, and number of user licenses
 - Version numbers and SHAs
@@ -56,7 +61,7 @@ You can download the diagnostics for your instance from the {% data variables.en
 
 ### Creating a diagnostic file from the {% data variables.enterprise.management_console %}
 
-You can use this method if you don't have your SSH key readily available.
+You can create a diagnostic file from the {% data variables.enterprise.management_console %} if you don't currently have SSH access.
 
 {% data reusables.enterprise_site_admin_settings.access-settings %}
 {% data reusables.enterprise_site_admin_settings.management-console %}
@@ -91,7 +96,7 @@ After you submit your support request, we may ask you to share a support bundle
 
 For more information, see "[About the audit log for your enterprise](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/about-the-audit-log-for-your-enterprise)."
 
-Support bundles include logs from the past two days. To get logs from the past seven days, you can download an extended support bundle. For more information, see "[Creating and sharing extended support bundles](#creating-and-sharing-extended-support-bundles)."
+Support bundles include logs from the past two days{% ifversion specify-period-for-support-bundle %} by default. You can specify an exact duration in hours or days{% endif %}. To provide logs from the past seven days, you can download an extended support bundle. For more information, see "[Creating and sharing extended support bundles](#creating-and-sharing-extended-support-bundles)."
 
 {% tip %}
 
@@ -152,7 +157,7 @@ You can directly upload a support bundle to our server if:
 
 ## Creating and sharing extended support bundles
 
-Support bundles include logs from the past two days, while _extended_ support bundles include logs from the past seven days. If the events that {% data variables.contact.github_support %} is investigating occurred more than two days ago, we may ask you to share an extended support bundle. You will need SSH access to download an extended bundle - you cannot download an extended bundle from the {% data variables.enterprise.management_console %}.
+Support bundles include logs from the past two days{% ifversion specify-period-for-support-bundle %} by default{% endif %}, while _extended_ support bundles include logs from the past seven days. If the events that {% data variables.contact.github_support %} is investigating occurred more than two days ago, we may ask you to share an extended support bundle. You will need SSH access to download an extended bundle - you cannot download an extended bundle from the {% data variables.enterprise.management_console %}.
 
 To prevent bundles from becoming too large, bundles only contain logs that haven't been rotated and compressed. Log rotation on {% data variables.product.prodname_ghe_server %} happens at various frequencies (daily or weekly) for different log files, depending on how large we expect the logs to be.
 

data/features/bypass-branch-protections.yml

@@ -3,5 +3,5 @@
 versions:
   fpt: '*'
   ghec: '*'
-  ghes: '>=3.7'
+  ghes: '>= 3.8'
   ghae: '>= 3.8'

data/features/custom-repo-role-api.yml

@@ -2,5 +2,5 @@
 # Custom Repo Roles Management API
 versions:
   ghec: '*'
-  ghes: '>=3.8'
-  ghae: '>= 3.8'
+  ghes: '>=3.9'
+  ghae: '>=3.9'

data/features/dependabot-PEP621-support.yml

@@ -5,4 +5,3 @@ versions:
   fpt: '*'
   ghec: '*'
   ghes: '>= 3.8'
-  ghae: '>= 3.8'

data/features/dependabot-security-updates-unlock-transitive-dependencies.yml

@@ -2,4 +2,4 @@
 versions:
   fpt: '*'
   ghec: '*'
-  ghes: '>=3.7'
+  ghes: '>=3.8'

data/features/dependency-review-action-fail-on-scopes.yml

@@ -3,5 +3,5 @@
 versions:
   fpt: '*'
   ghec: '*'
-  ghes: '> 3.8'
-  ghae: '> 3.8'
+  ghes: '> 3.7'
+  ghae: '> 3.7'

data/features/device-and-settings-management-page.yml

@@ -4,4 +4,3 @@ versions:
   fpt: '*'
   ghec: '*'
   ghes: '>=3.8'
-  ghae: '>= 3.8'

data/features/discussions-category-specific-pins.yml

@@ -4,4 +4,3 @@ versions:
   fpt: '*'
   ghec: '*'
   ghes: '>=3.8'
-  ghae: '>=3.8'

data/features/enterprise-management-console-multi-user-auth.yml

@@ -0,0 +1,4 @@
+# Reference: #8546
+# Documentation for multi-user authentication for the Management Console
+versions:
+  ghes: '>=3.8'

data/features/ghes-actions-storage-oidc.yml

@@ -0,0 +1,4 @@
+# Reference: #8607.
+# OIDC for Actions external storage on GHES
+versions:
+  ghes: '>=3.8'

data/features/org-owners-limit-forks-creation.yml

@@ -2,5 +2,5 @@
 # Org owners can limit where forks can be created.
 versions:
   ghec: '*'
-  ghes: '>=3.7'
-  ghae: '>=3.7'
+  ghes: '>=3.8'
+  ghae: '>=3.8'

data/features/projects-v2-add-to-team.yml

@@ -2,4 +2,3 @@
 versions:
   fpt: '*'
   ghec: '*'
-  ghes: '>=3.8'

data/features/projects-v2-auto-archive.yml

@@ -3,5 +3,3 @@
 versions:
   fpt: '*'
   ghec: '*'
-  ghes: '>=3.8'
-  ghae: '>=3.8'

data/features/projects-v2-column-visibility.yml

@@ -2,4 +2,3 @@
 versions:
   fpt: '*'
   ghec: '*'
-  ghes: '>=3.8'

data/features/projects-v2-insights.yml

@@ -0,0 +1,4 @@
+# Insights for Projects
+versions:
+  fpt: '*'
+  ghec: '*'

data/features/projects-v2-migration.yml

@@ -0,0 +1,4 @@
+# Migrating from classic projects
+versions:
+  fpt: '*'
+  ghec: '*'

data/features/projects-v2-webhooks.yml

@@ -0,0 +1,4 @@
+# Webhooks for Projects
+versions:
+  fpt: '*'
+  ghec: '*'

data/features/projects-v2-wildcard-text-filtering.yml

@@ -0,0 +1,4 @@
+# *ildcard text filtering for Projects
+versions:
+  fpt: '*'
+  ghec: '*'

data/features/projects-v2-workflows.yml

@@ -0,0 +1,4 @@
+# Built-in workflows for Projects
+versions:
+  fpt: '*'
+  ghec: '*'

data/features/projects-v2.yml

@@ -3,3 +3,4 @@
 versions:
   fpt: '*'
   ghec: '*'
+  ghes: '>=3.8'

data/features/security-overview-single-repo-enablement.yml

@@ -1,6 +1,6 @@
 # Reference: #8765.
 # Documentation for the single-repo enablement panel for security overview coverage view
 versions:
-  ghes: '> 3.8'
-  ghae: '> 3.8'
+  ghes: '> 3.7'
+  ghae: '> 3.7'
   ghec: '*'

data/features/slack-and-team-integrations.yml

@@ -0,0 +1,6 @@
+# Reference: #8287
+# Slack and Teams integrations (now available for GHES)
+versions:
+  fpt: '*'
+  ghec: '*'
+  ghes: '>= 3.8'

data/features/specify-period-for-support-bundle.yml

@@ -0,0 +1,4 @@
+# Reference: github/docs-content#8986
+# Specify a period for log collection in a GHES support bundle
+versions:
+  ghes: '>3.7'

data/features/token-audit-log.yml

@@ -1,2 +1,4 @@
 versions:
   ghec: '*'
+  ghes: '>3.7'
+  ghae: '>3.7'

data/graphql/ghes-3.8/graphql_previews.enterprise.yml

@@ -0,0 +1,138 @@
+- title: Access to package version deletion
+  description: >-
+    This preview adds support for the DeletePackageVersion mutation which
+    enables deletion of private package versions.
+  toggled_by: ':package-deletes-preview'
+  announcement: null
+  updates: null
+  toggled_on:
+    - Mutation.deletePackageVersion
+  owning_teams:
+    - '@github/pe-package-registry'
+- title: Deployments
+  description: >-
+    This preview adds support for deployments mutations and new deployments
+    features.
+  toggled_by: ':flash-preview'
+  announcement: null
+  updates: null
+  toggled_on:
+    - DeploymentStatus.environment
+    - Mutation.createDeploymentStatus
+    - CreateDeploymentStatusInput
+    - CreateDeploymentStatusPayload
+    - Mutation.createDeployment
+    - CreateDeploymentInput
+    - CreateDeploymentPayload
+  owning_teams:
+    - '@github/c2c-actions-service'
+- title: >-
+    MergeInfoPreview - More detailed information about a pull request's merge
+    state.
+  description: >-
+    This preview adds support for accessing fields that provide more detailed
+    information about a pull request's merge state.
+  toggled_by: ':merge-info-preview'
+  announcement: null
+  updates: null
+  toggled_on:
+    - PullRequest.canBeRebased
+    - PullRequest.mergeStateStatus
+  owning_teams:
+    - '@github/pe-pull-requests'
+- title: UpdateRefsPreview - Update multiple refs in a single operation.
+  description: This preview adds support for updating multiple refs in a single operation.
+  toggled_by: ':update-refs-preview'
+  announcement: null
+  updates: null
+  toggled_on:
+    - Mutation.updateRefs
+    - GitRefname
+    - RefUpdate
+    - UpdateRefsInput
+    - UpdateRefsPayload
+  owning_teams:
+    - '@github/reponauts'
+- title: Access to a Repository's Dependency Graph
+  description: This preview adds support for reading a dependency graph for a repository.
+  toggled_by: ':hawkgirl-preview'
+  announcement: null
+  updates: null
+  toggled_on:
+    - DependencyGraphManifest
+    - Repository.dependencyGraphManifests
+    - DependencyGraphManifestEdge
+    - DependencyGraphManifestConnection
+    - DependencyGraphDependency
+    - DependencyGraphDependencyEdge
+    - DependencyGraphDependencyConnection
+    - DependencyGraphPackageRelease.dependencies
+  owning_teams:
+    - '@github/dependency-graph'
+- title: Project Event Details
+  description: >-
+    This preview adds project, project card, and project column details to
+    project-related issue events.
+  toggled_by: ':starfox-preview'
+  announcement: null
+  updates: null
+  toggled_on:
+    - AddedToProjectEvent.project
+    - AddedToProjectEvent.projectCard
+    - AddedToProjectEvent.projectColumnName
+    - ConvertedNoteToIssueEvent.project
+    - ConvertedNoteToIssueEvent.projectCard
+    - ConvertedNoteToIssueEvent.projectColumnName
+    - MovedColumnsInProjectEvent.project
+    - MovedColumnsInProjectEvent.projectCard
+    - MovedColumnsInProjectEvent.projectColumnName
+    - MovedColumnsInProjectEvent.previousProjectColumnName
+    - RemovedFromProjectEvent.project
+    - RemovedFromProjectEvent.projectColumnName
+  owning_teams:
+    - '@github/github-projects'
+- title: Labels Preview
+  description: >-
+    This preview adds support for adding, updating, creating and deleting
+    labels.
+  toggled_by: ':bane-preview'
+  announcement: null
+  updates: null
+  toggled_on:
+    - Mutation.createLabel
+    - CreateLabelPayload
+    - CreateLabelInput
+    - Mutation.deleteLabel
+    - DeleteLabelPayload
+    - DeleteLabelInput
+    - Mutation.updateLabel
+    - UpdateLabelPayload
+    - UpdateLabelInput
+  owning_teams:
+    - '@github/pe-pull-requests'
+- title: Import Project
+  description: This preview adds support for importing projects.
+  toggled_by: ':slothette-preview'
+  announcement: null
+  updates: null
+  toggled_on:
+    - Mutation.importProject
+  owning_teams:
+    - '@github/pe-issues-projects'
+- title: Team Review Assignments Preview
+  description: >-
+    This preview adds support for updating the settings for team review
+    assignment.
+  toggled_by: ':stone-crop-preview'
+  announcement: null
+  updates: null
+  toggled_on:
+    - Mutation.updateTeamReviewAssignment
+    - UpdateTeamReviewAssignmentInput
+    - TeamReviewAssignmentAlgorithm
+    - Team.reviewRequestDelegationEnabled
+    - Team.reviewRequestDelegationAlgorithm
+    - Team.reviewRequestDelegationMemberCount
+    - Team.reviewRequestDelegationNotifyTeam
+  owning_teams:
+    - '@github/pe-pull-requests'

data/graphql/ghes-3.8/graphql_upcoming_changes.public-enterprise.yml

@@ -0,0 +1,283 @@
+---
+upcoming_changes:
+  - location: LegacyMigration.uploadUrlTemplate
+    description: '`uploadUrlTemplate` will be removed. Use `uploadUrl` instead.'
+    reason:
+      '`uploadUrlTemplate` is being removed because it is not a standard URL and
+      adds an extra user step.'
+    date: '2019-04-01T00:00:00+00:00'
+    criticality: breaking
+    owner: tambling
+  - location: AssignedEvent.user
+    description: '`user` will be removed. Use the `assignee` field instead.'
+    reason: Assignees can now be mannequins.
+    date: '2020-01-01T00:00:00+00:00'
+    criticality: breaking
+    owner: tambling
+  - location: UnassignedEvent.user
+    description: '`user` will be removed. Use the `assignee` field instead.'
+    reason: Assignees can now be mannequins.
+    date: '2020-01-01T00:00:00+00:00'
+    criticality: breaking
+    owner: tambling
+  - location: Issue.timeline
+    description: '`timeline` will be removed. Use Issue.timelineItems instead.'
+    reason: '`timeline` will be removed'
+    date: '2020-10-01T00:00:00+00:00'
+    criticality: breaking
+    owner: mikesea
+  - location: PullRequest.timeline
+    description: '`timeline` will be removed. Use PullRequest.timelineItems instead.'
+    reason: '`timeline` will be removed'
+    date: '2020-10-01T00:00:00+00:00'
+    criticality: breaking
+    owner: mikesea
+  - location: MergeStateStatus.DRAFT
+    description: '`DRAFT` will be removed. Use PullRequest.isDraft instead.'
+    reason:
+      DRAFT state will be removed from this enum and `isDraft` should be used
+      instead
+    date: '2021-01-01T00:00:00+00:00'
+    criticality: breaking
+    owner: nplasterer
+  - location: PackageType.DOCKER
+    description: '`DOCKER` will be removed.'
+    reason:
+      DOCKER will be removed from this enum as this type will be migrated to only
+      be used by the Packages REST API.
+    date: '2021-06-21'
+    criticality: breaking
+    owner: reybard
+  - location: ReactionGroup.users
+    description: '`users` will be removed. Use the `reactors` field instead.'
+    reason: Reactors can now be mannequins, bots, and organizations.
+    date: '2021-10-01T00:00:00+00:00'
+    criticality: breaking
+    owner: synthead
+  - location: AddPullRequestToMergeQueueInput.branch
+    description: '`branch` will be removed.'
+    reason:
+      PRs are added to the merge queue for the base branch, the `branch` argument
+      is now a no-op
+    date: '2022-07-01T00:00:00+00:00'
+    criticality: breaking
+    owner: jhunschejones
+  - location: DependencyGraphDependency.packageLabel
+    description:
+      '`packageLabel` will be removed. Use normalized `packageName` field
+      instead.'
+    reason: '`packageLabel` will be removed.'
+    date: '2022-10-01T00:00:00+00:00'
+    criticality: breaking
+    owner: github/dependency_graph
+  - location: RemovePullRequestFromMergeQueueInput.branch
+    description: '`branch` will be removed.'
+    reason:
+      PRs are removed from the merge queue for the base branch, the `branch` argument
+      is now a no-op
+    date: '2022-10-01T00:00:00+00:00'
+    criticality: breaking
+    owner: jhunschejones
+  - location: RepositoryVulnerabilityAlert.fixReason
+    description: '`fixReason` will be removed.'
+    reason:
+      The `fixReason` field is being removed. You can still use `fixedAt` and
+      `dismissReason`.
+    date: '2022-10-01T00:00:00+00:00'
+    criticality: breaking
+    owner: jamestran201
+  - location: Commit.changedFiles
+    description: '`changedFiles` will be removed. Use `changedFilesIfAvailable` instead.'
+    reason: '`changedFiles` will be removed.'
+    date: '2023-01-01T00:00:00+00:00'
+    criticality: breaking
+    owner: adamshwert
+  - location: ProjectNextFieldType.ASSIGNEES
+    description:
+      '`ASSIGNEES` will be removed. Follow the ProjectV2 guide at https://github.blog/changelog/2022-06-23-the-new-github-issues-june-23rd-update/,
+      to find a suitable replacement.'
+    reason:
+      The `ProjectNext` API is deprecated in favour of the more capable `ProjectV2`
+      API.
+    date: '2023-01-01T00:00:00+00:00'
+    criticality: breaking
+    owner: lukewar
+  - location: ProjectNextFieldType.DATE
+    description:
+      '`DATE` will be removed. Follow the ProjectV2 guide at https://github.blog/changelog/2022-06-23-the-new-github-issues-june-23rd-update/,
+      to find a suitable replacement.'
+    reason:
+      The `ProjectNext` API is deprecated in favour of the more capable `ProjectV2`
+      API.
+    date: '2023-01-01T00:00:00+00:00'
+    criticality: breaking
+    owner: lukewar
+  - location: ProjectNextFieldType.ITERATION
+    description:
+      '`ITERATION` will be removed. Follow the ProjectV2 guide at https://github.blog/changelog/2022-06-23-the-new-github-issues-june-23rd-update/,
+      to find a suitable replacement.'
+    reason:
+      The `ProjectNext` API is deprecated in favour of the more capable `ProjectV2`
+      API.
+    date: '2023-01-01T00:00:00+00:00'
+    criticality: breaking
+    owner: lukewar
+  - location: ProjectNextFieldType.LABELS
+    description:
+      '`LABELS` will be removed. Follow the ProjectV2 guide at https://github.blog/changelog/2022-06-23-the-new-github-issues-june-23rd-update/,
+      to find a suitable replacement.'
+    reason:
+      The `ProjectNext` API is deprecated in favour of the more capable `ProjectV2`
+      API.
+    date: '2023-01-01T00:00:00+00:00'
+    criticality: breaking
+    owner: lukewar
+  - location: ProjectNextFieldType.LINKED_PULL_REQUESTS
+    description:
+      '`LINKED_PULL_REQUESTS` will be removed. Follow the ProjectV2 guide
+      at https://github.blog/changelog/2022-06-23-the-new-github-issues-june-23rd-update/,
+      to find a suitable replacement.'
+    reason:
+      The `ProjectNext` API is deprecated in favour of the more capable `ProjectV2`
+      API.
+    date: '2023-01-01T00:00:00+00:00'
+    criticality: breaking
+    owner: lukewar
+  - location: ProjectNextFieldType.MILESTONE
+    description:
+      '`MILESTONE` will be removed. Follow the ProjectV2 guide at https://github.blog/changelog/2022-06-23-the-new-github-issues-june-23rd-update/,
+      to find a suitable replacement.'
+    reason:
+      The `ProjectNext` API is deprecated in favour of the more capable `ProjectV2`
+      API.
+    date: '2023-01-01T00:00:00+00:00'
+    criticality: breaking
+    owner: lukewar
+  - location: ProjectNextFieldType.NUMBER
+    description:
+      '`NUMBER` will be removed. Follow the ProjectV2 guide at https://github.blog/changelog/2022-06-23-the-new-github-issues-june-23rd-update/,
+      to find a suitable replacement.'
+    reason:
+      The `ProjectNext` API is deprecated in favour of the more capable `ProjectV2`
+      API.
+    date: '2023-01-01T00:00:00+00:00'
+    criticality: breaking
+    owner: lukewar
+  - location: ProjectNextFieldType.REPOSITORY
+    description:
+      '`REPOSITORY` will be removed. Follow the ProjectV2 guide at https://github.blog/changelog/2022-06-23-the-new-github-issues-june-23rd-update/,
+      to find a suitable replacement.'
+    reason:
+      The `ProjectNext` API is deprecated in favour of the more capable `ProjectV2`
+      API.
+    date: '2023-01-01T00:00:00+00:00'
+    criticality: breaking
+    owner: lukewar
+  - location: ProjectNextFieldType.REVIEWERS
+    description:
+      '`REVIEWERS` will be removed. Follow the ProjectV2 guide at https://github.blog/changelog/2022-06-23-the-new-github-issues-june-23rd-update/,
+      to find a suitable replacement.'
+    reason:
+      The `ProjectNext` API is deprecated in favour of the more capable `ProjectV2`
+      API.
+    date: '2023-01-01T00:00:00+00:00'
+    criticality: breaking
+    owner: lukewar
+  - location: ProjectNextFieldType.SINGLE_SELECT
+    description:
+      '`SINGLE_SELECT` will be removed. Follow the ProjectV2 guide at https://github.blog/changelog/2022-06-23-the-new-github-issues-june-23rd-update/,
+      to find a suitable replacement.'
+    reason:
+      The `ProjectNext` API is deprecated in favour of the more capable `ProjectV2`
+      API.
+    date: '2023-01-01T00:00:00+00:00'
+    criticality: breaking
+    owner: lukewar
+  - location: ProjectNextFieldType.TEXT
+    description:
+      '`TEXT` will be removed. Follow the ProjectV2 guide at https://github.blog/changelog/2022-06-23-the-new-github-issues-june-23rd-update/,
+      to find a suitable replacement.'
+    reason:
+      The `ProjectNext` API is deprecated in favour of the more capable `ProjectV2`
+      API.
+    date: '2023-01-01T00:00:00+00:00'
+    criticality: breaking
+    owner: lukewar
+  - location: ProjectNextFieldType.TITLE
+    description:
+      '`TITLE` will be removed. Follow the ProjectV2 guide at https://github.blog/changelog/2022-06-23-the-new-github-issues-june-23rd-update/,
+      to find a suitable replacement.'
+    reason:
+      The `ProjectNext` API is deprecated in favour of the more capable `ProjectV2`
+      API.
+    date: '2023-01-01T00:00:00+00:00'
+    criticality: breaking
+    owner: lukewar
+  - location: ProjectNextFieldType.TRACKED_BY
+    description:
+      '`TRACKED_BY` will be removed. Follow the ProjectV2 guide at https://github.blog/changelog/2022-06-23-the-new-github-issues-june-23rd-update/,
+      to find a suitable replacement.'
+    reason:
+      The `ProjectNext` API is deprecated in favour of the more capable `ProjectV2`
+      API.
+    date: '2023-01-01T00:00:00+00:00'
+    criticality: breaking
+    owner: lukewar
+  - location: ProjectNextFieldType.TRACKS
+    description:
+      '`TRACKS` will be removed. Follow the ProjectV2 guide at https://github.blog/changelog/2022-06-23-the-new-github-issues-june-23rd-update/,
+      to find a suitable replacement.'
+    reason:
+      The `ProjectNext` API is deprecated in favour of the more capable `ProjectV2`
+      API.
+    date: '2023-01-01T00:00:00+00:00'
+    criticality: breaking
+    owner: lukewar
+  - location: ProjectV2View.visibleFields
+    description:
+      '`visibleFields` will be removed. Check out the `ProjectV2View#fields`
+      API as an example for the more capable alternative.'
+    reason:
+      The `ProjectV2View#visibleFields` API is deprecated in favour of the more
+      capable `ProjectV2View#fields` API.
+    date: '2023-01-01T00:00:00+00:00'
+    criticality: breaking
+    owner: mattruggio
+  - location: ProjectV2View.groupBy
+    description:
+      '`groupBy` will be removed. Check out the `ProjectV2View#group_by_fields`
+      API as an example for the more capable alternative.'
+    reason:
+      The `ProjectV2View#order_by` API is deprecated in favour of the more capable
+      `ProjectV2View#group_by_field` API.
+    date: '2023-04-01T00:00:00+00:00'
+    criticality: breaking
+    owner: alcere
+  - location: ProjectV2View.sortBy
+    description:
+      '`sortBy` will be removed. Check out the `ProjectV2View#sort_by_fields`
+      API as an example for the more capable alternative.'
+    reason:
+      The `ProjectV2View#sort_by` API is deprecated in favour of the more capable
+      `ProjectV2View#sort_by_fields` API.
+    date: '2023-04-01T00:00:00+00:00'
+    criticality: breaking
+    owner: traumverloren
+  - location: ProjectV2View.verticalGroupBy
+    description:
+      '`verticalGroupBy` will be removed. Check out the `ProjectV2View#vertical_group_by_fields`
+      API as an example for the more capable alternative.'
+    reason:
+      The `ProjectV2View#vertical_group_by` API is deprecated in favour of the
+      more capable `ProjectV2View#vertical_group_by_fields` API.
+    date: '2023-04-01T00:00:00+00:00'
+    criticality: breaking
+    owner: traumverloren
+  - location: Repository.squashPrTitleUsedAsDefault
+    description:
+      '`squashPrTitleUsedAsDefault` will be removed. Use `Repository.squashMergeCommitTitle`
+      instead.'
+    reason: '`squashPrTitleUsedAsDefault` will be removed.'
+    date: '2023-04-01T00:00:00+00:00'
+    criticality: breaking
+    owner: github/pull_requests

data/release-notes/enterprise-server/3-7/0-rc1.yml

@@ -29,7 +29,7 @@ sections:
       notes:
         # https://github.com/github/releases/issues/2344
         - |
-          Azure Maps replaces MapBox for rendering GeoJSON files as graphical maps. Administrators can enable map rendering and provide an Azure Maps token in the Management Console. For more information, see "[Accessing the management console](/admin/configuration/configuring-your-enterprise/accessing-the-management-console)."
+          Azure Maps replaces MapBox for rendering GeoJSON files as graphical maps. Administrators can enable map rendering and provide an Azure Maps token in the Management Console. For more information, see "[Administering your instance from the Management Console](/admin/configuration/administering-your-instance-from-the-management-console)."
 
     - heading: Authentication
       notes:
@@ -148,7 +148,7 @@ sections:
         # https://github.com/github/releases/issues/2307
         - |
           Users can take advantage of the following improvements to the [GitHub Advisory Database](https://github.com/advisories).
-          
+
           - The database displays advisories for for Elixir, Erlang's Hex package manager, and more.
           - Users can find malware advisories by searching for `type:malware`.
           - The database displays advisories for GitHub Actions vulnerabilities.
@@ -185,9 +185,9 @@ sections:
         # https://github.com/github/releases/issues/2325
         - |
           To support secure cloud deployments at scale, organization owners and repository administrators can complete the following tasks with the OpenID Connect REST API. For more information, see "[GitHub Actions OIDC](/rest/actions/oidc)" in the REST API documentation
-          
+
           - Enable a standard OpenID Connect configuration across cloud deployment workflows by customizing the `subject` claim format.
-          - Ensure additional compliance and security for OpenID Connect deployments by appending the `issuer` URL with the enterprise's slug. 
+          - Ensure additional compliance and security for OpenID Connect deployments by appending the `issuer` URL with the enterprise's slug.
           - Configure advanced OpenID Connect policies by using additional OpenID Connect token claims like `repository_id` and `repo_visibility`.
 
           For more information, see "[About security hardening with OpenID Connect](/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#understanding-the-oidc-token)."
@@ -197,7 +197,7 @@ sections:
           GitHub Actions users who use dependency caching to speed up workflows can now use the GitHub Actions Cache REST API to accomplish the following tasks.
 
           - List all caches within a repository and sort by metadata.
-          - Delete a corrupt or stale cache entry. 
+          - Delete a corrupt or stale cache entry.
           For more information, see "[Caching dependencies to speed up workflows](/actions/using-workflows/caching-dependencies-to-speed-up-workflows#managing-caches)" and "[GitHub Actions Cache](/rest/actions/cache)" in the REST API documentation.
 
         # https://github.com/github/docs-content/issues/7689
@@ -243,7 +243,7 @@ sections:
         # https://github.com/github/releases/issues/2406
         - |
           Improvements have been made to the creation and management of forks.
-          
+
           - When forking a repository, users can choose to only include the repository's default branch in the fork.
           - Users can use a repository's' **Fork** button to see existing forks of the repository.
           - The **Fetch upstream** button has been renamed to **Sync fork** to better describe the button's behavior. If the sync causes a conflict, the web UI prompts the user to contribute changes to the parent repository, discard changes, or resolve the conflict.
@@ -300,7 +300,7 @@ sections:
 
   changes:
     - Secret scanning no longer supports custom patterns that use `.*` as an end delimiter in the "After secret" field, as the pattern syntax would cause scan problems and inconsistencies.
-  
+
     # https://github.com/github/releases/issues/2535
     - When creating a new release, users can now submit the form using <kbd>Ctrl</kbd> + <kbd>Enter</kbd> in macOS, or <kbd>Ctrl</kbd> + <kbd>Enter</kbd> in Windows or Linux.
 

data/release-notes/enterprise-server/3-7/0.yml

@@ -24,7 +24,7 @@ sections:
       notes:
         # https://github.com/github/releases/issues/2344
         - |
-          Azure Maps replaces MapBox for rendering GeoJSON files as graphical maps. Administrators can enable map rendering and provide an Azure Maps token in the Management Console. For more information, see "[Accessing the management console](/admin/configuration/configuring-your-enterprise/accessing-the-management-console)."
+          Azure Maps replaces MapBox for rendering GeoJSON files as graphical maps. Administrators can enable map rendering and provide an Azure Maps token in the Management Console. For more information, see "[Administering your instance from the Management Console](/admin/configuration/administering-your-instance-from-the-management-console)."
 
     - heading: Authentication
       notes:

data/release-notes/enterprise-server/3-8/0-rc1.yml

@@ -0,0 +1,479 @@
+date: '2023-02-07'
+release_candidate: true
+deprecated: false
+intro: |
+  {% note %}
+
+  **Note:** If {% data variables.location.product_location %} is running a release candidate build, you can't upgrade with a hotpatch. We recommend that you only run release candidates in a test environment.
+
+  {% endnote %}
+
+  For upgrade instructions, see "[Upgrading {% data variables.product.prodname_ghe_server %}](/admin/enterprise-management/updating-the-virtual-machine-and-physical-resources/upgrading-github-enterprise-server)."
+
+sections:
+  features:
+    - heading: Projects beta
+      notes:
+        # https://github.com/github/docs-content/issues/8857
+        - |
+          Projects, the flexible tool for planning and tracking work on GitHub Enterprise Server, is now available as a beta. A project is an adaptable spreadsheet that integrates issues and pull requests to help users plan and track work effectively. Users can create and customize multiple views, and each view can filter, sort, and group issues and pull requests. Users can also define custom fields to track the unique metadata for a team or project, allowing customization for any needs or processes. This feature is subject to change. For more information, see "[About Projects](/issues/planning-and-tracking-with-projects/learning-about-projects/about-projects)."
+
+    - heading: REST API versioning
+      notes:
+        # https://github.com/github/releases/issues/2022
+        - |
+          To provide API integrators a smooth migration path and time to update integrations after GitHub makes occasional breaking changes, the REST API now uses calendar-based versioning. GitHub Enterprise Server 3.8 provides version 2022-11-28 of the REST API. For more information, see "[API Versions](/rest/overview/api-versions?apiVersion=2022-11-28)" in the REST API documentation.
+
+          If you currently use the REST API, requests that do not specify a version will default to the calendar version included with this release of GitHub Enterprise Server. No action is required at this time. GitHub will provide advance notice before removing support for old versions.
+
+    - heading: Instance administration
+      notes:
+        # https://github.com/github/releases/issues/2701
+        - |
+          Site administrators can improve the security of an instance by creating dedicated user accounts for the Management Console. Only the root site administrator can create user accounts. To control access for the user accounts, assign either the editor or operator role. Operators can manage administrative SSH access for the instance. For more information, see "[Managing access to the Management Console](/admin/configuration/administering-your-instance-from-the-management-console/managing-access-to-the-management-console)."
+
+        # https://github.com/github/releases/issues/2759
+        - |
+          To establish or comply with internal policies, site administrators can use the Management Console to configure an instance's policy for retention of data related to checks, including checks data generated by GitHub Actions and the Statuses API. Administrators can enable or disable retention, set a custom retention threshold, or set a custom hard-delete threshold.
+
+        # https://github.com/github/releases/issues/2814
+        - |
+          When generating support bundles using the `ghe-support-bundle` command-line utility, site administrators can specify the exact duration to use for collection of data in the bundle. For more information, see "[Command-line utilities](/admin/configuration/configuring-your-enterprise/command-line-utilities#ghe-support-bundle)."
+
+    - heading: Identity and access management
+      notes:
+        # https://github.com/github/releases/issues/2681
+        - |
+          Users can review and revoke both browser and GitHub Mobile sessions for a GitHub Enterprise Server instance. For more information, see "[Viewing and managing your sessions](/authentication/keeping-your-account-and-data-secure/viewing-and-managing-your-sessions)."
+
+    - heading: Policies
+      notes:
+        # https://github.com/github/docs-content/issues/7661
+        - |
+          Enterprise owners can configure whether repository administrators can enable or disable Dependabot alerts. On instances with a GitHub Advanced Security license, enterprise owners can also set policies to control whether repository administrators can enable GitHub Advanced Security features or secret scanning. For more information, see "[Enforcing policies for code security and analysis for your enterprise](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-code-security-and-analysis-for-your-enterprise)."
+
+    - heading: Audit logs
+      notes:
+        # https://github.com/github/releases/issues/2665
+        - |
+          Enterprise and organization owners can support adherance to the principle of least privilege by granting access to audit log endpoints without providing full administrative privileges. To provide this access, personal access tokens and OAuth apps now support the `read:audit_log` scope. For more information, see "[Using the audit log API for your enterprise](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/using-the-audit-log-api-for-your-enterprise)."
+
+        # https://github.com/github/releases/issues/2676
+        - |
+          Enterprise owners can more easily detect and trace activity associated with authentication tokens by viewing token data in audit log events. For more information, see "[Identifying audit log events performed by an access token](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/identifying-audit-log-events-performed-by-an-access-token)."
+
+        # https://github.com/github/releases/issues/2587
+        - |
+          Enterprise owners can configure audit log streaming to a Datadog endpoint. For more information, see "[Streaming the audit log for your enterprise](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-streaming-to-datadog)."
+
+    - heading: GitHub Advanced Security
+      notes:
+        # https://github.com/github/releases/issues/2644
+        - |
+          Enterprise owners on an instance with a GitHub Advanced Security license can view changes to GitHub Advanced Security, secret scanning, and push protection enablement in the audit log. Organization owners can view changes to custom messages for push protection in the audit log. For more information, see the following documentation.
+
+          - "[`business_secret_scanning` category actions](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#business_secret_scanning-category-actions)," "[`business_secret_scanning_push_protection` category actions](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#business_secret_scanning_push_protection-category-actions)," and "[`business_secret_scanning_push_protection_custom_message` category actions](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#business_secret_scanning_push_protection_custom_message-category-actions)" in "Audit log events for your enterprise"
+          - "[Reviewing the audit log for your organization](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#org-category-actions)"
+
+        # https://github.com/github/releases/issues/2647
+        - |
+          Enterprise owners on an instance with a GitHub Advanced Security license can ensure compliance and simplify the rollout of secret scanning and push protection to all organizations on the instance using the REST API. This endpoint supplements the existing web UI, as well as the endpoints for repositories and organizations. For more information, see "[Code security and analysis](/rest/enterprise-admin/code-security-and-analysis?apiVersion=2022-11-28)" in the REST API documentation.
+
+        # https://github.com/github/releases/issues/2647
+        # https://github.com/github/releases/issues/2669
+        - |
+          Enterprise and organization owners who use secret scanning on an instance with a GitHub Advanced Security license can use the REST API to specify a custom link to display when push protection blocks a push containing a secret. For more information, see "[Code security and analysis](/rest/enterprise-admin/code-security-and-analysis?apiVersion=2022-11-28)" or "[Organizations](/rest/orgs/orgs?apiVersion=2022-11-28#update-an-organization)" in the REST API documentation.
+
+        # https://github.com/github/releases/issues/2386
+        - |
+          Users on an instance with a GitHub Advanced Security license who dismiss a secret scanning alert can help other users understand the reason for dismissal by providing an optional comment using the web UI or REST API. For more information, see the following documentation.
+
+          - "[Managing alerts from secret scanning](/code-security/secret-scanning/managing-alerts-from-secret-scanning)"
+          - "[Secret scanning](/rest/secret-scanning?apiVersion=2022-11-28#update-a-secret-scanning-alert)" in the REST API documentation
+
+        # https://github.com/github/releases/issues/2777
+        - |
+          Users on an instance with a GitHub Advanced Security license can filter results from the Code Scanning API based on alert severity at either the repository or organization levels. Use the `severity` parameter to return only code scanning alerts with a specific severity. For more information, see "[Code Scanning](/rest/code-scanning?apiVersion=2022-11-28#list-code-scanning-alerts-for-a-repository)" in the REST API documentation.
+
+        # https://github.com/github/releases/issues/2509
+        # https://github.com/github/releases/issues/2703
+        - |
+          Users on an instance with a GitHub Advanced Security license can analyze two additional languages for vulnerabilities and errors using CodeQL code scanning. Support for Ruby is generally available, and support for Kotlin is in beta and subject to change.
+
+          - Ruby analysis can detect more than twice the number of common weaknesses (CWEs) it could detect during beta. A total of 30 rules can identify a range of vulnerabilities, including cross-site scripting (XSS), regular expression denial-of-service (ReDoS), SQL injection, and more. Additional library and framework coverage for Ruby-on-Rails ensures that web service developers get even more precise results. GitHub Enterprise Server supports all common Ruby versions, up to and including 3.1.
+          - Kotlin support is an extension of existing Java support, and benefits from the [existing CodeQL queries for Java](https://codeql.github.com/codeql-query-help/java/), which apply to both mobile and server-side applications. GitHub has also improved and added a range of mobile-specific queries, covering issues such as handling of Intents, Webview validation problems, fragment injection, and more.
+
+          For more information about code scanning, see "[About code scanning with CodeQL](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning-with-codeql)."
+
+        # https://github.com/github/docs-content/issues/8424
+        - |
+          Users on an instance with a GitHub Advanced Security license who use CodeQL code scanning can customize the build configuration for Go analysis within the GitHub Actions workflow file. Existing CodeQL workflows for Go analysis require no changes, and will continue to be supported. For more information, see "[Configuring the CodeQL workflow for compiled languages](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-the-codeql-workflow-for-compiled-languages#adding-build-steps-for-a-compiled-language)."
+
+    - heading: Dependabot
+      notes:
+        # https://github.com/github/releases/issues/2738
+        # https://github.com/github/releases/issues/2739
+        - |
+          To improve code security and simplify the process of updating vulnerable dependencies, more users can receive automatic pull requests with dependency updates.
+          
+          - GitHub Actions authors can automatically update dependencies within workflow files.
+          - Dart or Flutter developers who use Pub can automatically update dependencies within their projects.
+          
+          For more information, see "[About Dependabot security updates](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates)."
+
+        # https://github.com/github/releases/issues/2438
+        # https://github.com/github/releases/issues/2553
+        - |
+          Dart and JavaScript developers on an instance with the dependency graph enabled can receive Dependabot alerts for known vulnerabilities within a project's dependencies.
+          
+          - For Dart, the dependency graph detects `pubspec.lock` and `pubspec.yaml` files.
+          - JavaScript developers who use Node.js and npm can receive alerts for known vulnerabilities within Yarn v2 and v3 manifests. This supplements the existing support for v1 manifests. The dependency graph detects `package.json`, and `yarn.lock` files.
+          
+          For more information, see the following articles.
+
+          - "[About the dependency graph](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph)"
+          - "[Browsing security advisories in the GitHub Advisory Database](/code-security/security-advisories/global-security-advisories/browsing-security-advisories-in-the-github-advisory-database#about-the-github-advisory-database)"
+          - "[About Dependabot alerts](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts)"
+
+        # https://github.com/github/releases/issues/2554
+        - |
+          Python developers who use supported package managers on an instance with the dependency graph enabled can receive Dependabot alerts for dependencies within `pyproject.toml` files that follow the [PEP 621 standard](https://peps.python.org/pep-0621/). For more information, see "[About Dependabot version updates](/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates#supported-repositories-and-ecosystems)."
+
+        # https://github.com/github/releases/issues/2645
+        - |
+          Python developers who receive Dependabot alerts can reduce the number of version updates when a current dependency requirement is already satisfied by a new version. To configure this behavior, use the `increase-if-necessary` versioning strategy. For more information, see "[Configuration options for the dependabot.yml file](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#versioning-strategy)."
+
+        # https://github.com/github/releases/issues/2591
+        - |
+          Enterprise owners can retrieve Dependabot alerts for the instance using the REST API. This endpoint is in beta and subject to change. For more information, see "[Dependabot alerts](/rest/dependabot/alerts?apiVersion=2022-11-28)" in the REST API documentation.
+
+        # https://github.com/github/releases/issues/2590
+        - |
+          Organization owners can retrieve Dependabot alerts for the organization using the REST API. This endpoint is in beta and subject to change. For more information, see "[Dependabot alerts](/rest/dependabot/alerts?apiVersion=2022-11-28)."
+
+        # https://github.com/github/releases/issues/2323
+        - |
+          Users can programmatically view and act on Dependabot alerts using the REST API. New endpoints to view, list, and update Dependabot alerts are available in beta. These endpoints are subject to change. For more information, see "[Dependabot alerts](/rest/dependabot/alerts?apiVersion=2022-11-28)" in the REST API documentation.
+
+    - heading: Code security
+      notes:
+        # https://github.com/github/releases/issues/2706
+        # https://github.com/github/releases/issues/2768
+        # https://github.com/github/releases/issues/2770
+        - |
+          To increase visibility into security posture and improve risk analysis, users can access coverage and risk views within the security overview. The coverage view shows enablement across repositories, while the risk view surfaces alerts across repositories. Organization owners, security managers, and repository administrators on an instance with a GitHub Advanced Security license can enable security features from the security overview's coverage view. The views replace the "Overview" page, and are in public beta and subject to change. For more information, see "[About the security overview](/code-security/security-overview/about-the-security-overview)."
+
+        # https://github.com/github/releases/issues/2713
+        - |
+          Contributors can define a repository's security policy by creating a `SECURITY.md` file. To increase the policy's visibility, GitHub Enterprise Server will link to the policy from the repository's {% octicon "code" aria-label="The code icon" %} **Code** tab. For more information, see "[Adding a security policy to your repository](/code-security/getting-started/adding-a-security-policy-to-your-repository)."
+
+        # https://github.com/github/releases/issues/2440
+        - |
+          The Dependency review API is generally available, and the associated GitHub Action now allows users to reference a local or external configuration file. For more information, see the following documentation.
+
+          - "[Dependency review](/rest/dependency-graph/dependency-review?apiVersion=2022-11-28)" in the REST API documentation
+          - "[Configuring dependency review](/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-dependency-review#about-configuring-the-dependency-review-action)"
+
+        # https://github.com/github/releases/issues/2787
+        - |
+          The GraphQL API provides access to a repository's dependency graph. This feature is in preview and subject to change. For more information, see "[Objects](/graphql/reference/objects#dependencygraphdependency)" in the GraphQL API documentation.
+
+    - heading: GitHub Actions
+      notes:
+        # https://github.com/github/releases/issues/2730
+        - |
+          During configuration of storage for GitHub Actions, site administrators can avoid risks associated with the input of sensitive secrets and access keys by using OIDC to connect to object storage providers. GitHub Actions on GitHub Enterprise Server supports OIDC for connections to AWS, Azure, and Google Cloud Platform. This feature is in beta and subject to change. For more information, see "[Enabling GitHub Actions for GitHub Enterprise Server](/admin/github-actions/enabling-github-actions-for-github-enterprise-server)."
+
+        # https://github.com/github/releases/issues/2618
+        - |
+          To prevent untrusted logging of data from the `set-state` and `set-output` workflow commands, action authors can use environment files for the management of state and output.
+
+          - To use this feature, the runner application must be version 2.297.0 or later. Versions 2.298.2 and later will warn users who use the `save-state` or `set-output` commands. These commands will be fully disabled in a future release.
+          - To use the updated `saveState` and `setOutput` functions, workflows using the GitHub Actions Toolkit must call `@actions/core` v1.10.0 or later.
+
+          For more information, see "[Workflow commands for GitHub Actions](/actions/using-workflows/workflow-commands-for-github-actions#environment-files)."
+
+        # https://github.com/github/releases/issues/2293
+        - |
+          The ability to share actions and reusable workflows from private repositories is generally available. Users can share workflows in a private repository with other private repositories owned by the same organization or user account, or with all private repositories on the instance. For more information, see the following documentation.
+
+          - "[Managing GitHub Actions settings for a repository](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#allowing-access-to-components-in-a-private-repository)"
+          - "[GitHub Actions Permissions](/rest/actions/permissions?apiVersion=2022-11-28#get-the-level-of-access-for-workflows-outside-of-the-repository)" in the REST API documentation
+
+        # https://github.com/github/releases/issues/2694
+        - |
+          Users can improve workflow readability and avoid the need to store non-sensitive configuration data as encrypted secrets by defining configuration variables, which allow reuse across workflows in a repository or organization. This feature is in beta and subject to change. For more information, see "[Variables](/actions/learn-github-actions/variables#defining-configuration-variables-for-multiple-workflows)."
+
+        # https://github.com/github/releases/issues/2517
+        - |
+          Users can dynamically name workflow runs. `run-name` accepts expressions, and the dynamic name appears in the list of workflow runs. For more information, see "[Workflow syntax for GitHub Actions](/actions/using-workflows/workflow-syntax-for-github-actions#run-name)."
+
+        # https://github.com/github/releases/issues/2616
+        - |
+          Users can prevent a job from running on a runner outside the intended group by defining the names of the intended runner groups for a workflow within the `runs-on` key.
+
+          ```yaml
+          runs-on:
+            group: my-group
+            labels: [ self-hosted, label-1 ]
+          ```
+
+          Additionally, GitHub Enterprise Server will no longer allow the creation of runner groups with identical names at the organization and enterprise level. A warning banner will appear for any runner groups within an organization that share a name with a runner group for the enterprise.
+
+        # https://github.com/github/releases/issues/2693
+        - |
+          Users can enforce standard CI/CD practices across all of an organization's repositories by defining required workflows. These workflows are triggered as required status checks for all pull requests that target repositories' default branch, which blocks merging until the check passes. This feature is in beta and subject to change. For more information, see "[Required workflows](/actions/using-workflows/required-workflows)."
+
+        # https://github.com/github/releases/issues/2655
+        - |
+          To enable standardization of OIDC configurations across cloud deployment workflows, organization owners and repository administrators can configure the `subject` claim format within OIDC tokens by defining a custom template. For more information, see "[About security hardening with OpenID Connect](/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#customizing-the-subject-claims-for-an-organization-or-repository)."
+
+        # https://github.com/github/releases/issues/2571
+        - |
+          To enable more transparency and control over cache usage within repositories, users who cache dependencies and other reused files with `actions/cache` can manage caches from the instance's web UI. For more information, see "[Caching dependencies to speed up workflows](/actions/using-workflows/caching-dependencies-to-speed-up-workflows#managing-caches)."
+
+    - heading: Community experience
+      notes:
+        # https://github.com/github/releases/issues/2536
+        - |
+          Users can set expectations surrounding availability by displaying a local timezone within their profiles. People who view the user's profile or hovercard will see the timezone, as well as how many hours behind or ahead they are of the user's local time. For more information, see "[Personalizing your profile](/account-and-profile/setting-up-and-managing-your-github-profile/customizing-your-profile/personalizing-your-profile#setting-your-location-and-time-zone)."
+
+    - heading: GitHub Discussions
+      notes:
+        # https://github.com/github/releases/issues/2672
+        - |
+          To improve discoverability, GitHub Discussions features the following improvements.
+
+          - Repository owners can pin discussions to a specific category.
+          - Category titles and descriptions are displayed on the category's page.
+
+    - heading: Organizations
+      notes:
+        # https://github.com/github/releases/issues/2418
+        - |
+          To manage how organization members fork repositories, organization owners can set a dedicated forking policy for any organization. This policy must be stricter than an a forking policy set for the enterprise. For more information, see "[Managing the forking policy for your organization](/organizations/managing-organization-settings/managing-the-forking-policy-for-your-organization)."
+
+        # https://github.com/github/releases/issues/2539
+        - |
+          Organization owners can improve organization security by preventing outside collaborators from requesting the installation of GitHub and OAuth apps. For more information, see "[Limiting OAuth App and GitHub App access requests](/organizations/managing-organization-settings/limiting-oauth-app-and-github-app-access-requests)."
+
+    - heading: Repositories
+      notes:
+        # https://github.com/github/releases/issues/2175
+        - |
+          To avoid providing full administrative access to a repository when unnecessary, repository administrators can create a custom role that allows users to bypass branch protections. To enforce branch protections for all users with administrative access or bypass permissions, administrators can enable **Do not allow bypassing the above settings**. For more information, see "[Managing custom repository roles for an organization](/organizations/managing-peoples-access-to-your-organization-with-roles/managing-custom-repository-roles-for-an-organization#repository)" and "[About protected branches](/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches#do-not-allow-bypassing-the-above-settings)."
+
+        # https://github.com/github/releases/issues/2610
+        # https://github.com/github/releases/issues/2626
+        - |
+          Repository administrators can ensure the security and stability of branches by requiring pull request approval by someone other than the last pusher, or by locking the branch. For more information, see "[About protected branches](/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches#about-branch-protection-settings)."
+
+        # https://github.com/github/releases/issues/2666
+        - |
+          In scenarios where someone should review code within a GitHub Actions workflow before the workflow runs, repository administrators can require approval from a user with write access to the repository before a workflow run can be triggered from a private fork. For more information, see "[Managing GitHub Actions settings for a repository](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#enabling-workflows-for-forks-of-private-repositories)."
+
+    - heading: Issues
+      notes:
+        # https://github.com/github/releases/issues/2018
+        - |
+          The GraphQL API supports creation and removal of the link between a branch and an issue. For more information, see the following documentation.
+
+          - "[Creating a branch to work on an issue](/issues/tracking-your-work-with-issues/creating-a-branch-for-an-issue)"
+          - "[createLinkedBranch](/graphql/reference/mutations#createlinkedbranch)" and "[deleteLinkedBranch](/graphql/reference/mutations#deletelinkedbranch)" in the "Mutations" GraphQL API documentation
+          - "[Objects](/graphql/reference/objects#issue)" in the GraphQL API documentation
+
+    - heading: Pull requests
+      notes:
+        # https://github.com/github/releases/issues/2511
+        - |
+          Users with multiple email addresses associated with their accounts can better ensure that Git commits created by squash-merging are associated with the correct email address. When merging the pull request, a drop-down menu will appear, allowing the user to select the email address to use as the commit's author.
+
+    - heading: Releases
+      notes:
+        # https://github.com/github/releases/issues/2584
+        - |
+          Users can mark a specific release within a repository as the latest release using the web UI, REST API, or GraphQL API. For more information, see the following documentation.
+
+          - "[Managing releases in a repository](/repositories/releasing-projects-on-github/managing-releases-in-a-repository)"
+          - "[Releases](/rest/releases/releases?apiVersion=2022-11-28#create-a-release)" in the REST API documentation
+          - "[Objects](/graphql/reference/objects#release)" in the GraphQL API documentation
+
+    - heading: Integrations
+      notes:
+        # https://github.com/github/releases/issues/2625
+        - |
+          Users can save time and switch context less often by receiving and acting on real-time updates about GitHub Enterprise Server activity directly within Slack or Microsoft Teams. GitHub's integrations for these services are now generally available. For more information, see "[About integrations](/get-started/customizing-your-github-workflow/exploring-integrations/about-integrations)."
+
+  changes:
+    # https://github.com/github/releases/issues/2702
+    - |
+      When a site administrator runs a command using administrative SSH access, the command is now logged. To help GitHub Support troubleshoot and debug, support bundles include a log containing these commands.
+      
+    # https://github.com/github/releases/issues/2538
+    - |
+      To simplify the discovery of events within enterprise, organization, or user audit logs, the search bar now displays a list of available filters.
+
+    # https://github.com/github/releases/issues/2815
+    - |
+      Before a site administrator can migrate away from GitHub Enterprise Server using the [GitHub Enterprise Importer CLI](https://github.com/github/gh-gei), the [startRepositoryMigration](/graphql/reference/mutations#startrepositorymigration) GraphQL API, or the [Start an organization migration](/rest/migrations/orgs?apiVersion=2022-11-28#start-an-organization-migration) REST API, the administrator must use the Management Console to configure a blob storage provider for the storage of migration archives. Supported provides include Amazon S3 and Azure Blob Storage. Previously, blob storage was not required and could optionally be configured using `gh gei`. This change adds support for migrations where the Git source or metadata is larger than 1 GB.
+
+    # https://github.com/github/releases/issues/2705
+    - |
+      To help users on an instance with a GitHub Advanced Security license better understand detected secrets and take action, secret scanning alerts concerning third-party API keys now include a link to the provider's documentation. For more information, see "[About secret scanning](/code-security/secret-scanning/about-secret-scanning)."
+
+    # https://github.com/github/releases/issues/2386
+    - |
+      Users on an instance with a GitHub Advanced Security license will now see the actions that users took on a secret scanning alert directly within the alert's timeline, including when a contributor bypassed push protection for a secret.
+
+    # https://github.com/github/releases/issues/2387
+    - |
+      Instances with a GitHub Advanced Security license will regularly run a historical scan to detect newly added secret types on repositories with GitHub Advanced Security and secret scanning enabled. Previously, users needed to manually run a historical scan.
+
+    # https://github.com/github/releases/issues/2640
+    - |
+      On instances with a GitHub Advanced Security license, to ensure that secret scanning can always display a preview of a detected secret in the APIs or web UI, the detected secrets are now stored separately from source code. Detected secrets are stored using symmetric encryption.
+
+    # https://github.com/github/releases/issues/2696
+    - |
+      When using private registries for Dependabot updates, GitHub Enterprise Server behaves more securely. If a private registry is configured for any of the following ecosystems, the instance will no longer make any package requests to public registries.
+
+      - Bundler
+      - Docker
+      - Gradle
+      - Maven
+      - npm
+      - Nuget
+      - Python
+      - Yarn
+
+      For more information, see "[Configuration options for the dependabot.yml file](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#configuration-options-for-private-registries)."
+
+    # https://github.com/github/releases/issues/2750
+    - |
+      Elixir developers who use [self-hosted Hex repositories](https://hex.pm/docs/self_hosting) can configure a private registry for Dependabot version updates on GitHub Enterprise Server. For more information, see "[Configuration options for the dependabot.yml file](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#configuration-options-for-private-registries)."
+
+    # https://github.com/github/releases/issues/2598
+    - |
+      Dependabot alerts features the following usability improvements.
+
+      - The page for an alert refreshes automatically after Dependabot attempts to create a pull request for an update.
+      - Alerts are more accurately mapped to pull requests from Dependabot updates.
+      - To improve the alert for the community, users can suggest improvements to alerts directly in the GitHub Advisory Database.
+
+    # https://github.com/github/releases/issues/2744
+    - |
+      Users can more easily mention **@dependabot**. When mentioning users, the Dependabot user account now appears as an autocomplete suggestion.
+
+    # https://github.com/github/releases/issues/2631
+    - |
+      In repositories with vulnerable dependencies, Dependabot will no longer display a yellow banner. To notify contributors of vulnerable dependencies, the **Security** tab displays an alert counter.
+
+    # https://github.com/github/releases/issues/2602
+    - |
+      If a user forks a repository with an existing Dependabot configuration in `dependabot.yml`, Dependabot updates will be disabled in the fork by default. To enable updates in the fork, the user must visit the repository's code security and analysis settings. For more information, see "[Configuring Dependabot version updates](/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates)."
+
+    # https://github.com/github/releases/issues/2621
+    - |
+      Integrators who wish to receive a webhook for Dependabot alerts must use the new `dependabot_alert` webhook. This webhook replaces the `repository_vulnerability_alert` webhook. For more information, see "[Webhook events and payloads](/developers/webhooks-and-events/webhooks/webhook-events-and-payloads#dependabot_alert)."
+
+    # https://github.com/github/releases/issues/2704
+    - |
+      To improve readability of GitHub Actions workflows that reference other actions by commit SHA, action authors often write a comment including the corresponding semantic version on the line that calls the action. To save time, pull requests for Dependabot version updates will now automatically update the semantic version in these comments.
+
+    # https://github.com/github/releases/issues/2294
+    - |
+      JavaScript developers who use Node.js, npm, and Dependabot security updates can save time when updating npm projects with transitive dependencies.
+
+      - Dependabot can update both parent and child dependencies together. Previously, Dependabot would not update transitive dependencies when the parent required an incompatible specific version range, requiring manual upgrades.
+      - Dependabot can create pull requests that resolve alerts where an update to a direct dependency would remove the vulnerable transitive dependency from the tree.
+
+      For more information, see "[About Dependabot security updates](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates)."
+
+    # https://github.com/github/releases/issues/2700
+    - |
+      For people who use Dependabot for version updates in the Docker ecosystem, Dependabot will proactively update Docker image tags in Kubernetes manifests. For more information, see "[Configuring Dependabot version updates](/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates)" and "[Configuration options for the dependabot.yml file](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#package-ecosystem)."
+
+    # https://github.com/github/releases/issues/2461
+    - |
+      A number of improvements are available to users who contribute to security advisories on GitHub.com, including the following changes.
+
+      - To ensure faster review, GitHub prompts users to add a reason for the change.
+      - To ensure that the contribution matches the user's intent, GitHub will not reorder reference links in the diff.
+
+    # https://github.com/github/releases/issues/2492
+    - |
+      GitHub Actions features the following discoverability and accessibility improvements.
+
+      - The navigation experience for searching workflows and workflow runs is improved.
+      - Added structure better represents the hierarchy between caller and called reusable workflows.
+      - The mobile browsing experience is more consistent, and supports multiple viewport sizes.
+
+    # https://github.com/github/releases/issues/2524
+    - |
+      GitHub Actions workflows will no longer trigger endlessly when using `GITHUB_TOKEN` with `workflow_dispatch` and `repository_dispatch` events. Prior to this change, events triggered by `GITHUB_TOKEN` would not create a new workflow run. For more information, see "[Triggering a workflow](/actions/using-workflows/triggering-a-workflow#triggering-a-workflow-from-a-workflow)."
+
+    # https://github.com/github/releases/issues/2543
+    - |
+      For scheduled runs of GitHub Actions workflows, users will see additional information about the repository, organization, and enterprise within the payload for `github.event`.
+
+    # https://github.com/github/releases/issues/2727
+    - |
+      Users of GitHub Actions have better insight into the progress of a job when using environment protection rules. The `workflow_job` webhook supports a new `waiting` state whenever a job is awaiting an environment protection rule. Also, when a job refers to an `environment` key in its YAML definition, the `workflow_job` webhook payload will also include a new property, `deployment`. `deployment` contains metadata about the deployment that the check run created. For more information, see "[Using environments for deployment](/actions/deployment/targeting-different-environments/using-environments-for-deployment)."
+
+    # https://github.com/github/releases/issues/2515
+    # https://github.com/github/releases/issues/2743
+    - |
+      Organization owners can find more meaningful context within audit log events.
+
+      - `business.sso_response` and `org.sso_response` events appear in the REST API and payloads for audit log streaming.
+      - `repo.rename`, `project.rename`, and `protected_branch.update_name` events include the current and past names for these renamed within the `old_name` field.
+      - Events for Dependabot alerts contain `alert_number`, `ghsa_id`, `dismiss_reason`, and `dismiss_comment` fields, in addition to a link back to the alert and an accurate timestamp.
+
+    # https://github.com/github/releases/issues/2537
+    - |
+      Users can view a list that contains all of an organization's followers from the organization's profile.
+
+    # https://github.com/github/releases/issues/2717
+    - |
+      The banner displayed atop an archived repository in the web UI now includes the repository's archival date.
+
+    # https://github.com/github/releases/issues/2286
+    - |
+      The **Conversations** and **Files** tabs in pull requests now load more quickly due to deferred syntax highlighting.
+
+    # https://github.com/github/releases/issues/2561
+    - |
+      To provide a more consistent experience between the web UI and users' workstations, and to speed up the process of checking whether users can merge a pull request automatically, GitHub Enterprise Server now uses the `merge-ort` strategy. For more information, see [Merge strategies](https://git-scm.com/docs/merge-strategies#Documentation/merge-strategies.txt-ort) in the Git documentation.
+
+    # https://github.com/github/releases/issues/2496
+    - |
+      To improve the display of the initial comment in pull requests that contain one commit, GitHub Enterprise Server now automatically reformats detailed commit messages to adhere to GitHub's Markdown conventions.
+
+    # https://github.com/github/releases/issues/2511
+    - |
+      When squash-merging a pull request, the author of the Git commit is displayed before merging. Previously, the commit author was only displayed when merging with a merge commit.
+
+  known_issues:
+    - On a freshly set up {% data variables.product.prodname_ghe_server %} instance without any users, an attacker could create the first admin user.
+    - Custom firewall rules are removed during the upgrade process.
+    - Git LFS tracked files [uploaded through the web interface](https://github.com/blog/2105-upload-files-to-your-repositories) are incorrectly added directly to the repository.
+    - Issues cannot be closed if they contain a permalink to a blob in the same repository, where the blob's file path is longer than 255 characters.
+    - When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
+    - The {% data variables.product.prodname_registry %} npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.
+    - Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.
+    - Actions services need to be restarted after restoring an instance from a backup taken on a different host.
+    - In a repository's settings, enabling the option to allow users with read access to create discussions does not enable this functionality.
+    - During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start.
+
+  deprecations:
+    - heading: Unsecure algorithms disabled for administrative SSH connections
+      notes:
+        # https://github.com/github/enterprise-releases/issues/3217
+        - |
+          GitHub has disabled the use of unsecure algorithms for SSH connections to the administrative shell.
+
+    - heading: Deprecation of the `repository_vulnerability_alert` webhook
+      notes:
+        # https://github.com/github/releases/issues/2621
+        - |
+          For integrators who wish to receive webhooks for Dependabot alerts activity, the `dependabot_alert` webhook replaces the `repository_vulnerability_alert` webhook. For more information, see "[Webhook events and payloads](/developers/webhooks-and-events/webhooks/webhook-events-and-payloads#dependabot_alert)."

data/reusables/actions/enterprise-azure-storage-setup.md

@@ -0,0 +1 @@
+1. Under "Artifact & Log Storage", next to "Azure Blob Storage", click **Setup**.

data/reusables/actions/enterprise-enable-checkbox.md

@@ -1,2 +1,3 @@
 1. Select **Enable GitHub Actions**.
-  ![Checkbox to Enable GitHub Actions](/assets/images/enterprise/management-console/enable-github-actions.png)
+
+   ![Checkbox to Enable GitHub Actions](/assets/images/enterprise/management-console/enable-github-actions.png)

data/reusables/actions/enterprise-gcp-storage-credential-fields.md

@@ -0,0 +1,3 @@
+* **Service URL**: The service URL for your bucket. This is usually `https://storage.googleapis.com`.
+* **Bucket Name**: The name of your bucket.
+* **HMAC Access Id** and **HMAC Secret**: The Google Cloud access ID and secret for your storage account. For more information, see "[Manage HMAC keys for service accounts](https://cloud.google.com/storage/docs/authentication/managing-hmackeys)" in the Google Cloud documentation.

data/reusables/actions/enterprise-gcp-storage-setup.md

@@ -0,0 +1 @@
+1. Under "Artifact & Log Storage", next to "Google Cloud Storage", click **Setup**.

data/reusables/actions/enterprise-minio-storage-credential-fields.md

@@ -0,0 +1,3 @@
+* **AWS Service URL**: The URL to your MinIO service. For example, `https://my-minio.example:9000`.
+* **AWS S3 Bucket**: The name of your S3 bucket.
+* **AWS S3 Access Key** and **AWS S3 Secret Key**: The `MINIO_ACCESS_KEY` and `MINIO_SECRET_KEY` used for your MinIO instance.

data/reusables/actions/enterprise-oidc-prereqs.md

@@ -0,0 +1,10 @@
+{% ifversion ghes-actions-storage-oidc %}
+* If you are using OIDC for the connection to your storage provider, you must expose the following OIDC token service URLs on {% data variables.location.product_location_enterprise %} to the public internet:
+
+  ```
+  https://<HOSTNAME>/_services/token/.well-known/openid-configuration
+  https://<HOSTNAME>/_services/token/.well-known/jwks
+  ```
+
+  This ensures that the storage provider can contact {% data variables.location.product_location_enterprise %} for authentication.
+{%- endif %}

data/reusables/actions/enterprise-postinstall-nextsteps.md

@@ -1,3 +1,3 @@
-### Next steps
+## Next steps
 
 After the configuration run has successfully completed, {% data variables.product.prodname_actions %} will be enabled on {% data variables.location.product_location %}. For your next steps, such as managing {% data variables.product.prodname_actions %} access permissions and adding self-hosted runners, return to "[Getting started with {% data variables.product.prodname_actions %} for {% data variables.product.prodname_ghe_server %}](/admin/github-actions/getting-started-with-github-actions-for-github-enterprise-server#enabling-github-actions-with-your-storage-provider)."

data/reusables/actions/enterprise-s3-storage-credential-fields.md

@@ -0,0 +1,5 @@
+* **AWS Service URL**: The service URL for your bucket. For example, if your S3 bucket was created in the `us-west-2` region, this value should be `https://s3.us-west-2.amazonaws.com`.
+
+  For more information, see "[AWS service endpoints](https://docs.aws.amazon.com/general/latest/gr/rande.html)" in the AWS documentation.
+* **AWS S3 Bucket**: The name of your S3 bucket.
+* **AWS S3 Access Key** and **AWS S3 Secret Key**: The AWS access key ID and secret key for your bucket.

data/reusables/actions/enterprise-s3-storage-setup.md

@@ -0,0 +1 @@
+1. Under "Artifact & Log Storage", next to "Amazon S3", click **Setup**.

data/reusables/actions/enterprise-storage-about-oidc.md

@@ -0,0 +1,6 @@
+There are two options for configuring {% data variables.product.prodname_ghe_server %} to connect to your external storage provider:
+
+* OpenID Connect (OIDC)
+* Traditional credentials-based authentication using secrets
+
+We recommend using OIDC where possible, as you won't need create or manage sensitive and long-lived credential secrets for your storage provider, and risk them being exposed. After defining a trust with OIDC, your cloud storage provider automatically issues short-lived access tokens to {% data variables.location.product_location_enterprise %}, which automatically expire.

data/reusables/actions/ghes-storage-oidc-beta-note.md

@@ -0,0 +1,5 @@
+{% note %}
+
+**Note:** Using OIDC to connect to an external storage provider is in beta and subject to change.
+
+{% endnote %}

data/reusables/actions/jobs/section-choosing-the-runner-for-a-job.md

@@ -48,7 +48,9 @@ For more information, see "[About self-hosted runners](/github/automating-your-w
 
 You can use `runs-on` to target runner groups, so that the job will execute on any runner that is a member of that group. For more granular control, you can also combine runner groups with labels.
 
+{% ifversion fpt or ghec %}
 Runner groups can only have [{% data variables.actions.hosted_runner %}s](/actions/using-github-hosted-runners/using-larger-runners) or [self-hosted runners](/actions/hosting-your-own-runners) as members.
+{% endif %}
 
 #### Example: Using groups to control where jobs are run
 

data/reusables/enterprise_management_console/click-continue-authentication.md

@@ -0,0 +1 @@
+1. Click **Continue**.

data/reusables/enterprise_management_console/type-management-console-password.md

@@ -1,2 +1,6 @@
+{%- ifversion enterprise-management-console-multi-user-auth %}
+1. If you have created multiple {% data variables.enterprise.management_console %} user accounts, select **Root site admin** or **{% data variables.enterprise.management_console %} user**. For more information about {% data variables.enterprise.management_console %} user accounts see, "[Managing access to the {% data variables.enterprise.management_console %}](/admin/configuration/administering-your-instance-from-the-management-console/managing-access-to-the-management-console)."
+1. Type your {% data variables.enterprise.management_console %} credentials. Then click **Continue**.
+{%- else %}
 1. If prompted, type your {% data variables.enterprise.management_console %} password.
-  ![{% data variables.enterprise.management_console %} unlock screen](/assets/images/enterprise/management-console/unlock-password.png)
+{%- endif %}

data/reusables/enterprise_management_console/unlocking-management-console-with-shell.md

@@ -1 +1 @@
-To immediately unlock the {% data variables.enterprise.management_console %}, use the `ghe-reactivate-admin-login` command via the administrative shell. For more information, see "[Command line utilities](/enterprise/admin/guides/installation/command-line-utilities#ghe-reactivate-admin-login)" and "[Accessing the administrative shell (SSH)](/enterprise/admin/guides/installation/accessing-the-administrative-shell-ssh/)."
+To immediately unlock access to the {% data variables.enterprise.management_console %}{% ifversion enterprise-management-console-multi-user-auth %} by the root site administrator{% endif %}, use the `ghe-reactivate-admin-login` command via the administrative shell. For more information, see "[Command line utilities](/enterprise/admin/guides/installation/command-line-utilities#ghe-reactivate-admin-login)" and "[Accessing the administrative shell (SSH)](/enterprise/admin/guides/installation/accessing-the-administrative-shell-ssh/)."

data/reusables/enterprise_site_admin_settings/about-the-management-console.md

@@ -1 +0,0 @@
-You can use the {% data variables.enterprise.management_console %} to manage virtual appliance settings such as the domain, authentication, and SSL.

data/reusables/enterprise_site_admin_settings/access-settings.md

@@ -1,7 +1,2 @@
 1. From an administrative account on {% data variables.product.product_name %}, in the upper-right corner of any page, click {% octicon "rocket" aria-label="The rocket ship" %}.
-
-   ![Screenshot of the rocket ship icon for accessing site admin settings](/assets/images/enterprise/site-admin-settings/access-new-settings.png)
-
 1. If you're not already on the "Site admin" page, in the upper-left corner, click **Site admin**.
-
-   ![Screenshot of "Site admin" link](/assets/images/enterprise/site-admin-settings/site-admin-link.png)

data/reusables/enterprise_site_admin_settings/click-user-management.md

@@ -0,0 +1 @@
+1. In the top navigation bar, click **User Management**.

data/reusables/enterprise_site_admin_settings/management-console-access.md

@@ -0,0 +1,5 @@
+## About access to the {% data variables.enterprise.management_console %}
+
+{% data reusables.enterprise_site_admin_settings.management-console-overview %} For more information, see "[About the {% data variables.enterprise.management_console %}](/admin/configuration/administering-your-instance-from-the-management-console/about-the-management-console)."
+
+You can access the {% data variables.enterprise.management_console %}{% ifversion enterprise-management-console-multi-user-auth %} as the root site administrator or a {% data variables.enterprise.management_console %} user{% elsif ghes < 3.8 %} using the {% data variables.enterprise.management_console %} password{% endif %}. An administrator created the {% ifversion enterprise-management-console-multi-user-auth %}root site administrator {% endif %}password during the initial setup process for {% data variables.location.product_location %}.

data/reusables/enterprise_site_admin_settings/management-console-overview.md

@@ -0,0 +1 @@
+From the {% data variables.enterprise.management_console %}, you can initialize, configure, and monitor {% data variables.location.product_location %}.

data/reusables/enterprise_site_admin_settings/management-console.md

@@ -1,2 +1 @@
 1. In the left sidebar, click **{% data variables.enterprise.management_console %}**.
-![{% data variables.enterprise.management_console %} tab in the left sidebar](/assets/images/enterprise/management-console/management-console-tab.png)