Merge branch 'main' into not-sentences

.github/actions-scripts/enterprise-server-issue-templates/release-issue.md

@@ -47,13 +47,7 @@ If you aren't comfortable going through the steps alone, sync up with a docs eng
   ```
 
   **Note:** All of the content in this file will be updated when the release notes are created in the megabranch including the filename `PLACEHOLDER.yml`. You can update the date or leave it as-is and wait to update it when the release notes are finalized.
-- [ ] Create the search indices for the new release:
 
-  ```
-  npm run sync-search-ghes-release
-  ```
-
-  Check in the updated `lib/search/cached-index-names.json`.
 - [ ] (Optional) Add a Release Candidate banner:
 
   ```

.github/actions-scripts/openapi-schema-branch.js

@@ -36,7 +36,7 @@ const changedFiles = execSync('git diff --name-only HEAD').toString()
 if (changedFiles !== '') {
   console.log(`These files were changed:\n${changedFiles}`)
   console.log(
-    `🚧⚠️ Your decorated and dereferenced schema files don't match. Ensure you're using decorated and dereferenced schemas from the automatically created pull requests by the 'github-openapi-bot' user. For more information, see 'script/rest/README.md'. 🛑`
+    `🚧⚠️ Your decorated and dereferenced schema files don't match. Ensure you're using decorated and dereferenced schemas from the automatically created pull requests by the 'github-openapi-bot' user. \n\n If this test is failing after updates to the script/rest directory, run script/rest/update-files.js --decorate-only to re-generate the decorated files from the existing dereferenced files and check those in. \n\n If this test is failing after an update to a package, check the changes the new package makes to the decorated files by running script/rest/update-files.js --decorate-only. If the changes are small style changes that don't impact the overall experience, check the updated decorated file in. Otherwise, more work may be needed to be compatible with the updated package. \n\n For more information, see 'script/rest/README.md'. 🛑`
   )
   process.exit(1)
 }

.github/allowed-actions.js

@@ -9,12 +9,14 @@ export default [
   'actions/labeler@5f867a63be70efff62b767459b009290364495eb', // v2.2.0
   'actions/setup-node@38d90ce44d5275ad62cc48384b3d8a58c500bb5f', // v2.2.0
   'actions/stale@9d6f46564a515a9ea11e7762ab3957ee58ca50da', // v3.0.16
+  'actions/upload-artifact@27121b0bdffd731efa15d66772be8dc71245d074', // v2.2.4
   'alex-page/github-project-automation-plus@fdb7991b72040d611e1123d2b75ff10eda9372c9',
   'andymckay/labeler@22d5392de2b725cea4b284df5824125054049d84',
   'crowdin/github-action@fd9429dd63d6c0f8a8cb4b93ad8076990bd6e688',
   'crykn/copy_folder_to_another_repo_action@0282e8b9fef06de92ddcae9fe6cb44df6226646c',
   'cschleiden/actions-linter@caffd707beda4fc6083926a3dff48444bc7c24aa', // uses github-actions-parser v0.23.0
-  'dawidd6/action-delete-branch@47743101a121ad657031e6704086271ca81b1911',
+  'dawidd6/action-delete-branch@47743101a121ad657031e6704086271ca81b1911', // v3.0.2
+  'dawidd6/action-download-artifact@b9571484721e8187f1fd08147b497129f8972c74', // v2.14.0
   'docker://chinthakagodawita/autoupdate-action:v1',
   'dorny/paths-filter@eb75a1edc117d3756a18ef89958ee59f9500ba58',
   'github/codeql-action/analyze@v1',
@@ -34,5 +36,6 @@ export default [
   'repo-sync/pull-request@33777245b1aace1a58c87a29c90321aa7a74bd7d',
   'someimportantcompany/github-actions-slack-message@0b470c14b39da4260ed9e3f9a4f1298a74ccdefd',
   'tjenkinson/gh-action-auto-merge-dependency-updates@4d7756c04d9d999c5968697a621b81c47f533d61',
+  'Bhacaz/checkout-files@c8f01756bfd894ba746d5bf48205e19000b0742b', // v1.0.0
   'EndBug/add-and-commit@2bdc0a61a03738a1d1bda24d566ad0dbe3083d87',
 ]

.github/workflows/check-all-english-links.yml

@@ -39,7 +39,7 @@ jobs:
       # are broken. When an Actions step's exit code is 1, the action run's job status
       # is failure and the run ends. The following steps create an issue for the
       # broken link report only if any links are broken, so `if: ${{ failure() }}`
-      # ensures the steps run desite though the previous step's failure of the job.
+      # ensures the steps run despite the previous step's failure of the job.
       #
       # https://docs.github.com/actions/reference/context-and-expression-syntax-for-github-actions#job-status-check-functions
 

.github/workflows/check-for-spammy-issues.yml

@@ -23,7 +23,7 @@ jobs:
             const repo = 'docs'
 
             const titleWordCount = issue.title.trim().split(' ').length
-            const titleWordCountMin = 2
+            const titleWordCountMin = 3
 
             try {
               await github.teams.getMembershipForUserInOrg({
@@ -35,18 +35,18 @@ jobs:
               // Do not perform this workflow with GitHub employees. This return
               // statement only gets hit if the user is a GitHub employee
               return
-            } catch(err) {
+            } catch (err) {
               // An error will be thrown if the user is not a GitHub employee
               // If a user is not a GitHub employee, we should check to see if title has at least the minimum required number of words in it and if it does, we can exit the workflow
 
-              if(titleWordCount > titleWordCountMin) {
+              if (titleWordCount >= titleWordCountMin) {
                 return
               }
             }
 
             //
             // Assuming the user is not a GitHub employee and the issue title
-            // has the minimum number of words required, proceed.
+            // does not contain the minimum number of words required, proceed.
             //
 
             // Close the issue and add the invalid label
@@ -63,7 +63,7 @@ jobs:
               owner: owner,
               repo: repo,
               issue_number: issue.number,
-              body: "This issue appears to have been opened accidentally. I'm going to close it now, but feel free to open a new issue or ask any questions in [discussions](https://github.com/github/docs/discussions)!"
+              body: `This issue may have been opened accidentally. I'm going to close it now, but feel free to open a new issue with a more descriptive title or ask any questions in [discussions](https://github.com/github/docs/discussions)!`
             });
 
             // Add the issue to the Done column on the triage board

.github/workflows/content-changes-table-comment.yml

@@ -30,7 +30,7 @@ jobs:
           # Returns list of changed files matching each filter
           filters: |
             filterContentDir:
-              - 'content/**'
+              - 'content/**/*'
   filterContentDir:
     needs: PR-Preview-Links
     if: ${{ needs.PR-Preview-Links.outputs.filterContentDir == 'true' }}
@@ -71,20 +71,25 @@ jobs:
               head: context.payload.pull_request.head.sha
             })
 
-            let changedFiles = response.data.files
-              .map(e => e.raw_url)
-              .filter(file => file.includes('/content/'))
+            const files = response.data.files
 
-            let markdownTable = '| **Article in Staging** | **Live Article** | **Source** | **Changes** |\n| ----------- | ----------- | ----------- | ----------- |\n'
-            for (let file of changedFiles) {
-              file = file.split('/content')[1]
-              const fileURL = file.substring(0, file.length-3)
-              const stagingLink = `https://${stagingPrefix}.herokuapp.com${fileURL}`
-              let fileTitle = file.split('/').pop()
-              fileTitle = fileTitle.substring(0, fileTitle.length - 3)
-              const markdownLine = '| [' + fileTitle + '](' + stagingLink + ') | [' + fileTitle + '](https://docs.github.com' + fileURL + ') | | |\n' 
-              markdownTable += markdownLine
-            }
+            let markdownTable = '| **Source** | **Staging** | **Production** | **What Changed** |\n|:----------- |:----------- |:----------- |:----------- |\n'
+
+            files.filter(({ filename }) => filename.startsWith('content/') && !filename.endsWith('/index.md'))
+                 .forEach(file => {
+                   const fileName = file.filename.split('content/')[1]
+                   const sourceUrl = file.blob_url
+                   const fileUrl = fileName.substring(0, fileName.split('.')[0])
+                   const stagingLink = `https://${stagingPrefix}.herokuapp.com/${fileUrl}`
+                   let markdownLine = ''
+                   
+                   if (file.status == 'modified') {
+                     markdownLine = '| [content/' + fileName + '](' + sourceUrl + ') | [Modified](' + stagingLink + ') | [Original](https://docs.github.com/' + fileUrl + ') | | |\n' 
+                   } else if (file.status == 'added') {
+                     markdownLine = '| New file: [content/' + fileName + '](' + sourceUrl + ') | [Modified](' + stagingLink + ') | | | |\n' 
+                   }
+                   markdownTable += markdownLine
+                 })
 
             function getStagingPrefix (prefix, prNumber, branch) {
               // Added a - in front of prNumber
@@ -102,7 +107,7 @@ jobs:
         with:
           issue-number: ${{ github.event.pull_request.number }}
           comment-author: 'github-actions[bot]'
-          body-includes: '## ⚠️ Automatically generated comment ⚠️'
+          body-includes: '<!-- MODIFIED_CONTENT_LINKING_COMMENT -->'
 
       - name: Update comment
         uses: peter-evans/create-or-update-comment@5221bf4aa615e5c6e95bb142f9673a9c791be2cd
@@ -110,8 +115,9 @@ jobs:
           comment-id: ${{ steps.findComment.outputs.comment-id }}
           issue-number: ${{ github.event.pull_request.number }}
           body: |
-            ## ⚠️ Automatically generated comment ⚠️ 
-            **This comment is automatically generated and will be overwritten the every time changes are committed to this branch.**
+            <!-- MODIFIED_CONTENT_LINKING_COMMENT -->
+            ## Automatically generated comment ℹ️ 
+            **This comment is automatically generated and will be overwritten every time changes are committed to this branch.**
 
             The table contains an overview of files in the `content` directory that have been changed in this pull request. It's provided to make it easy to review your changes on the staging site. Please note that changes to the `data` directory will not show up in this table.
 

.github/workflows/openapi-schema-check.yml

@@ -1,8 +1,16 @@
 name: OpenAPI dev mode check
 
-# **What it does**:
-# **Why we have it**:
-# **Who does it impact**:
+# **What it does**: Checks that the files in lib/rest/static/decorated match
+#   the files in lib/rest/static/dereferenced. Checks that the decorated
+#   schemas in lib/rest/static/decorated are not in development mode.
+#   Development mode schemas have a branch name and development mode tag in the
+#   info.version property.
+# **Why we have it**: To ensure that we aren't every shipping decorated schemas
+#   that are out of sync with the source derefereced schema. To ensure that
+#   decorated schemas generated locally are not published. Locally generated
+#   decorated schemas are pushing up to the remote for staging purposes only.
+# **Who does it impact**: Docs content writers updating REST API docs and
+#   the docs engineering team as maintainers of the scripts and workflows.
 
 on:
   workflow_dispatch:
@@ -12,6 +20,8 @@ on:
   pull_request:
     paths:
       - 'lib/rest/static/**'
+      - 'script/rest/**/*.js'
+      - 'package*.json'
 
 jobs:
   check-schema-versions:

.github/workflows/site-policy-reminder.yml

@@ -10,7 +10,7 @@ on:
 
 jobs:
   run:
-    if: |
+    if: >-
       github.event.label.name == 'Site Policy' &&
       github.repository == 'github/docs-internal'
     runs-on: ubuntu-latest

.github/workflows/site-policy-sync.yml

@@ -22,7 +22,7 @@ on:
 jobs:
   # This workflow contains a single job called "build"
   copy-file:
-    if: |
+    if: >-
       github.event.pull_request.merged == true &&
       github.repository == 'github/docs-internal'
     # The type of runner that the job will run on

.github/workflows/staging-build-pr.yml

@@ -0,0 +1,89 @@
+name: Staging - Build PR
+
+# **What it does**: Builds PRs before deploying them.
+# **Why we have it**: Because it's not safe to share our deploy secrets with forked repos: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
+# **Who does it impact**: All contributors.
+
+on:
+  pull_request:
+    types:
+      - opened
+      - reopened
+      - synchronize
+      - unlocked
+
+jobs:
+  build:
+    if: ${{ github.repository == 'github/docs-internal' || github.repository == 'github/docs' }}
+    name: Build
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    concurrency:
+      group: staging_${{ github.head_ref }}
+      cancel-in-progress: true
+    steps:
+      - name: Check out repo
+        uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f
+
+      - name: Setup node
+        uses: actions/setup-node@38d90ce44d5275ad62cc48384b3d8a58c500bb5f
+        with:
+          node-version: 16.x
+          cache: npm
+
+      # Required for `npm pkg ...` command support
+      - name: Update to npm@^7.20.0
+        run: npm install --global npm@^7.20.0
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Build
+        run: npm run build
+
+      - name: Remove development-only dependencies
+        run: npm prune --production
+
+      - name: Remove all npm scripts
+        run: npm pkg delete scripts
+
+      - name: Set npm script for Heroku build to noop
+        run: npm set-script heroku-postbuild "echo 'Application was pre-built!'"
+
+      - name: Create an archive
+        run: |
+          tar -cf app.tar \
+            node_modules/ \
+            .next/ \
+            assets/ \
+            content/ \
+            data/ \
+            includes/ \
+            lib/ \
+            middleware/ \
+            translations/ \
+            server.mjs \
+            package*.json \
+            .npmrc \
+            feature-flags.json \
+            next.config.js \
+            app.json \
+            Procfile
+
+      # Upload only the files needed to run this application.
+      # We are not willing to trust the rest (e.g. script/) for the remainder
+      # of the deployment process.
+      - name: Upload build artifact
+        uses: actions/upload-artifact@27121b0bdffd731efa15d66772be8dc71245d074
+        with:
+          name: pr_build
+          path: app.tar
+
+      - name: Send Slack notification if workflow fails
+        uses: someimportantcompany/github-actions-slack-message@0b470c14b39da4260ed9e3f9a4f1298a74ccdefd
+        if: ${{ failure() }}
+        with:
+          channel: ${{ secrets.DOCS_STAGING_DEPLOYMENT_FAILURES_SLACK_CHANNEL_ID }}
+          bot-token: ${{ secrets.SLACK_DOCS_BOT_TOKEN }}
+          color: failure
+          text: Staging build failed for PR ${{ github.event.pull_request.html_url }} at commit ${{ github.sha }}. See https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}

.github/workflows/staging-deploy-pr.yml

@@ -5,96 +5,175 @@ name: Staging - Deploy PR
 # **Who does it impact**: All contributors.
 
 on:
-  pull_request:
+  workflow_run:
+    workflows:
+      - 'Staging - Build PR'
     types:
-      - opened
-      - reopened
-      - synchronize
-      - unlocked
-  workflow_dispatch:
-    inputs:
-      pullRequestUrl:
-        description: 'Pull Request URL'
-        required: true
-        default: 'https://github.com/github/docs/pull/1234'
-      forceRebuild:
-        description: 'Force the Heroku App to be rebuilt from scratch? (true/false)'
-        required: false
-        default: 'false'
+      - completed
+
+env:
+  EARLY_ACCESS_SCRIPT_PATH: script/early-access/clone-for-build.js
+  EARLY_ACCESS_SUPPORT_FILES: script/package.json
+  # In this specific workflow relationship, the `github.event.workflow_run.pull_requests`
+  # array will always contain only 1 item! Specifically, it will contain the PR associated
+  # with the `github.event.workflow_run.head_branch` that triggered the preceding
+  # `pull_request` event that triggered the "Staging - Build PR" workflow.
+  PR_URL: ${{ github.event.workflow_run.repository.html_url }}/pull/${{ github.event.workflow_run.pull_requests[0].number }}
 
 jobs:
-  validate-inputs:
-    if: ${{ github.repository == 'github/docs-internal' || github.repository == 'github/docs' }}
-    name: Validate inputs
+  prepare:
+    if: >-
+      ${{
+        github.event.workflow_run.conclusion == 'success' &&
+        (github.repository == 'github/docs-internal' || github.repository == 'github/docs')
+      }}
     runs-on: ubuntu-latest
-    timeout-minutes: 2
+    timeout-minutes: 5
+    concurrency:
+      group: staging_${{ github.event.workflow_run.head_branch }}
+      cancel-in-progress: true
     outputs:
-      headRef: ${{ steps.validate.outputs.headRef }}
+      source_blob_url: ${{ steps.build-source.outputs.download_url }}
+      check_run_id: ${{ steps.create-check-run.outputs.check_run_id }}
+      check_run_name: ${{ steps.create-check-run.outputs.check_run_name }}
     steps:
-      - if: ${{ github.event_name == 'workflow_dispatch' }}
-        name: Check out repo
-        uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f
-        with:
-          # Enables cloning the Early Access repo later with the relevant PAT
-          persist-credentials: 'false'
+      - name: Dump event context
+        env:
+          GITHUB_EVENT_CONTEXT: ${{ toJSON(github.event) }}
+        run: echo "$GITHUB_EVENT_CONTEXT"
 
-      - if: ${{ github.event_name == 'workflow_dispatch' }}
-        name: Setup node
+      - name: Create check run
+        id: create-check-run
+        uses: actions/github-script@2b34a689ec86a68d8ab9478298f91d5401337b7d
+        with:
+          script: |
+            // Create a check run
+            const CHECK_NAME = '${{ github.workflow }} / ${{ github.job }} (${{ github.event_name }})'
+            const { data } = await github.checks.create({
+              name: CHECK_NAME,
+              head_sha: '${{ github.event.workflow_run.head_sha }}',
+              owner: 'github',
+              repo: 'docs-internal',
+              status: 'in_progress',
+              started_at: new Date()
+            })
+            core.setOutput('check_run_id', data.id)
+            core.setOutput('check_run_name', CHECK_NAME)
+
+      - name: Download build artifact
+        uses: dawidd6/action-download-artifact@b9571484721e8187f1fd08147b497129f8972c74
+        with:
+          workflow: ${{ github.event.workflow_run.workflow_id }}
+          run_id: ${{ github.event.workflow_run.id }}
+          name: pr_build
+          path: ./
+
+      - name: Show contents
+        run: ls -l
+
+      - name: Extract the archive
+        run: |
+          tar -xf app.tar -C ./
+          rm app.tar
+
+      - name: Show contents again
+        run: ls -l
+
+      - if: ${{ github.repository == 'github/docs-internal' }}
+        name: Setup node to clone early access
         uses: actions/setup-node@38d90ce44d5275ad62cc48384b3d8a58c500bb5f
         with:
           node-version: 16.x
           cache: npm
 
-      - if: ${{ github.event_name == 'workflow_dispatch' }}
-        name: Install dependencies
-        run: npm ci
+      - if: ${{ github.repository == 'github/docs-internal' }}
+        name: Download the script to clone early access
+        uses: Bhacaz/checkout-files@c8f01756bfd894ba746d5bf48205e19000b0742b
+        with:
+          files: ${{ env.EARLY_ACCESS_SCRIPT_PATH }} ${{ env.EARLY_ACCESS_SUPPORT_FILES }}
+          token: ${{ secrets.GITHUB_TOKEN }}
 
-      - if: ${{ github.event_name == 'workflow_dispatch' }}
-        name: Validate and get head.ref
-        id: validate
+      # Add any dependencies that are needed for this workflow below
+      - if: ${{ github.repository == 'github/docs-internal' }}
+        name: Install temporary development-only dependencies
+        run: npm install --no-save rimraf
+
+      - if: ${{ github.repository == 'github/docs-internal' }}
+        name: Clone early access
+        run: node ${{ env.EARLY_ACCESS_SCRIPT_PATH }}
+        env:
+          DOCUBOT_REPO_PAT: ${{ secrets.DOCUBOT_REPO_PAT }}
+          GIT_BRANCH: ${{ github.event.workflow_run.head_branch }}
+
+      # Remove any dependencies installed for this workflow below
+      - if: ${{ github.repository == 'github/docs-internal' }}
+        name: Remove development-only dependencies
+        run: npm prune --production
+
+      - if: ${{ github.repository == 'github/docs-internal' }}
+        name: Delete the script directory after cloning early access
+        run: rm -rf script/
+
+      - name: Create a gzipped archive
+        run: |
+          touch app.tar.gz
+          tar --exclude=app.tar.gz -czf app.tar.gz ./
+
+      - name: Install Heroku client development-only dependency
+        run: npm install --no-save heroku-client
+
+      - name: Create a Heroku build source
+        id: build-source
         uses: actions/github-script@2b34a689ec86a68d8ab9478298f91d5401337b7d
         env:
-          PR_URL: ${{ github.event.inputs.pullRequestUrl }}
-          FORCE_REBUILD: ${{ github.event.inputs.forceRebuild }}
+          HEROKU_API_TOKEN: ${{ secrets.HEROKU_API_TOKEN }}
         with:
           script: |
-            const parsePrUrl = require('./script/deployment/parse-pr-url')
+            const { owner, repo } = context.repo
 
-            // Manually resolve workflow_dispatch inputs
-            const { PR_URL, FORCE_REBUILD } = process.env
-
-            if (!['true', 'false'].includes(FORCE_REBUILD)) {
-              throw new Error(`'forceRebuild' input must be either 'true' or 'false' but was '${FORCE_REBUILD}'`)
+            if (owner !== 'github') {
+              throw new Error(`Repository owner must be 'github' but was: ${owner}`)
+            }
+            if (repo !== 'docs-internal' && repo !== 'docs') {
+              throw new Error(`Repository name must be either 'docs-internal' or 'docs' but was: ${repo}`)
             }
 
-            const { owner, repo, pullNumber } = parsePrUrl(PR_URL)
-            if (!owner || !repo || !pullNumber) {
-              throw new Error(`'pullRequestUrl' input must match URL format 'https://github.com/github/(docs|docs-internal)/pull/123' but was '${PR_URL}'`)
-            }
+            const Heroku = require('heroku-client')
+            const heroku = new Heroku({ token: process.env.HEROKU_API_TOKEN })
 
-            const { data: pullRequest } = await github.pulls.get({
-              owner,
-              repo,
-              pull_number: pullNumber
-            })
+            const { source_blob: sourceBlob } = await heroku.post('/sources')
+            const { put_url: uploadUrl, get_url: downloadUrl } = sourceBlob
 
-            core.setOutput('headRef', pullRequest.head.ref)
+            core.setOutput('upload_url', uploadUrl)
+            core.setOutput('download_url', downloadUrl)
+
+      # See: https://devcenter.heroku.com/articles/build-and-release-using-the-api#sources-endpoint
+      - name: Upload to the Heroku build source
+        run: |
+          curl '${{ steps.build-source.outputs.upload_url }}' \
+            -X PUT \
+            -H 'Content-Type:' \
+            --data-binary @app.tar.gz
+
+      - name: Send Slack notification if workflow fails
+        uses: someimportantcompany/github-actions-slack-message@0b470c14b39da4260ed9e3f9a4f1298a74ccdefd
+        if: ${{ failure() }}
+        with:
+          channel: ${{ secrets.DOCS_STAGING_DEPLOYMENT_FAILURES_SLACK_CHANNEL_ID }}
+          bot-token: ${{ secrets.SLACK_DOCS_BOT_TOKEN }}
+          color: failure
+          text: Staging preparation failed for PR ${{ env.PR_URL }} at commit ${{ github.sha }}. See https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}
 
   deploy:
-    if: ${{ github.repository == 'github/docs-internal' || github.repository == 'github/docs' }}
-    needs: validate-inputs
-    name: Deploy
+    needs: prepare
     runs-on: ubuntu-latest
     timeout-minutes: 10
     concurrency:
-      group: staging_${{ needs.validate-inputs.outputs.headRef || github.head_ref }}
+      group: staging_${{ github.event.workflow_run.head_branch }}
       cancel-in-progress: true
     steps:
-      - name: Check out repo
+      - name: Check out repo's default branch
         uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f
-        with:
-          # Enables cloning the Early Access repo later with the relevant PAT
-          persist-credentials: 'false'
 
       - name: Setup node
         uses: actions/setup-node@38d90ce44d5275ad62cc48384b3d8a58c500bb5f
@@ -105,16 +184,21 @@ jobs:
       - name: Install dependencies
         run: npm ci
 
+      - name: Install one-off development-only dependencies
+        run: npm install --no-save --include=optional esm
+
       - name: Deploy
+        id: deploy
         uses: actions/github-script@2b34a689ec86a68d8ab9478298f91d5401337b7d
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           HEROKU_API_TOKEN: ${{ secrets.HEROKU_API_TOKEN }}
-          DOCUBOT_REPO_PAT: ${{ secrets.DOCUBOT_REPO_PAT }}
           HYDRO_ENDPOINT: ${{ secrets.HYDRO_ENDPOINT }}
           HYDRO_SECRET: ${{ secrets.HYDRO_SECRET }}
-          PR_URL: ${{ github.event.inputs.pullRequestUrl }}
-          FORCE_REBUILD: ${{ github.event.inputs.forceRebuild }}
+          PR_URL: ${{ env.PR_URL }}
+          SOURCE_BLOB_URL: ${{ needs.prepare.outputs.source_blob_url }}
+          CHECK_RUN_ID: ${{ needs.prepare.outputs.check_run_id }}
+          CHECK_RUN_NAME: '${{ needs.prepare.outputs.check_run_name }}'
         with:
           script: |
             const { GITHUB_TOKEN, HEROKU_API_TOKEN } = process.env
@@ -129,9 +213,13 @@ jobs:
               throw new Error('You must supply a HEROKU_API_TOKEN environment variable!')
             }
 
-            const parsePrUrl = require('./script/deployment/parse-pr-url')
-            const getOctokit = require('./script/helpers/github')
-            const deployToStaging = require('./script/deployment/deploy-to-staging')
+            // Workaround to allow us to load ESM files with `require(...)`
+            const esm = require('esm')
+            require = esm({})
+
+            const { default: parsePrUrl } = require('./script/deployment/parse-pr-url')
+            const { default: getOctokit } = require('./script/helpers/github')
+            const { default: deployToStaging } = require('./script/deployment/deploy-to-staging')
 
             // This helper uses the `GITHUB_TOKEN` implicitly!
             // We're using our usual version of Octokit vs. the provided `github`
@@ -139,37 +227,75 @@ jobs:
             const octokit = getOctokit()
 
             try {
-              let pullRequest = null
-              let forceRebuild = false
-
-              // Manually resolve workflow_dispatch inputs
-              if (context.eventName === 'workflow_dispatch') {
-                const { PR_URL, FORCE_REBUILD } = process.env
-
-                forceRebuild = FORCE_REBUILD === 'true'
-
-                const { owner, repo, pullNumber } = parsePrUrl(PR_URL)
-                if (!owner || !repo || !pullNumber) {
-                  throw new Error(`'pullRequestUrl' input must match URL format 'https://github.com/github/(docs|docs-internal)/pull/123' but was '${PR_URL}'`)
-                }
-
-                const { data: pr } = await octokit.pulls.get({
-                  owner,
-                  repo,
-                  pull_number: pullNumber
-                })
-                pullRequest = pr
+              const { PR_URL, SOURCE_BLOB_URL, CHECK_RUN_ID, CHECK_RUN_NAME } = process.env
+              const { owner, repo, pullNumber } = parsePrUrl(PR_URL)
+              if (!owner || !repo || !pullNumber) {
+                throw new Error(`'pullRequestUrl' input must match URL format 'https://github.com/github/(docs|docs-internal)/pull/123' but was '${PR_URL}'`)
               }
 
+              const { data: pullRequest } = await octokit.pulls.get({
+                owner,
+                repo,
+                pull_number: pullNumber
+              })
+
               await deployToStaging({
-                herokuToken: HEROKU_API_TOKEN,
                 octokit,
-                pullRequest: pullRequest || context.payload.pull_request,
-                forceRebuild,
+                pullRequest,
+                forceRebuild: false,
+                // These parameters will ONLY be set by Actions
+                sourceBlobUrl: SOURCE_BLOB_URL,
                 runId: context.runId
               })
+
+              await octokit.checks.update({
+                owner: 'github',
+                repo: 'docs-internal',
+                conclusion: 'success',
+                status: 'completed',
+                name: CHECK_RUN_NAME,
+                check_run_id: CHECK_RUN_ID,
+                output: {
+                  title: 'Successfully deployed to staging',
+                  summary: 'Success',
+                  text: 'Succeeded! 🚀\n\nSee full logs: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}'
+                },
+                completed_at: new Date()
+              })
             } catch (error) {
+              await octokit.checks.update({
+                owner: 'github',
+                repo: 'docs-internal',
+                conclusion: 'failure',
+                status: 'completed',
+                name: CHECK_RUN_NAME,
+                check_run_id: CHECK_RUN_ID,
+                output: {
+                  title: `Failed to deploy to staging: ${error.message}`,
+                  summary: error.message,
+                  text: 'Failed! 🚫\n\nSee full logs: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}'
+                }
+                completed_at: new Date()
+              })
               console.error(`Failed to deploy to staging: ${error.message}`)
               console.error(error)
               throw error
             }
+
+      - name: Mark the deployment as inactive if timed out
+        if: ${{ steps.deploy.outcome == 'cancelled' }}
+        uses: actions/github-script@2b34a689ec86a68d8ab9478298f91d5401337b7d
+        with:
+          script: |
+            // TODO: Find the relevant deployment
+            // TODO: Create a new deployment status for it as "inactive"
+            return 'TODO'
+
+      - name: Send Slack notification if workflow fails
+        uses: someimportantcompany/github-actions-slack-message@0b470c14b39da4260ed9e3f9a4f1298a74ccdefd
+        if: ${{ failure() }}
+        with:
+          channel: ${{ secrets.DOCS_STAGING_DEPLOYMENT_FAILURES_SLACK_CHANNEL_ID }}
+          bot-token: ${{ secrets.SLACK_DOCS_BOT_TOKEN }}
+          color: failure
+          text: Staging deployment failed for PR ${{ env.PR_URL }} at commit ${{ github.sha }}. See https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}

.github/workflows/staging-undeploy-pr.yml

@@ -5,7 +5,7 @@ name: Staging - Undeploy PR
 # **Who does it impact**: All contributors.
 
 on:
-  pull_request:
+  pull_request_target:
     types:
       - closed
       - locked
@@ -20,10 +20,10 @@ jobs:
       group: staging_${{ github.head_ref }}
       cancel-in-progress: true
     steps:
-      - name: Check out repo
+      - name: Check out repo's default branch
         uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f
         with:
-          # Enables cloning the Early Access repo later with the relevant PAT
+          # For enhanced security: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
           persist-credentials: 'false'
 
       - name: Setup node
@@ -35,6 +35,9 @@ jobs:
       - name: Install dependencies
         run: npm ci
 
+      - name: Install one-off development-only dependencies
+        run: npm install --no-save --include=optional esm
+
       - name: Undeploy
         uses: actions/github-script@2b34a689ec86a68d8ab9478298f91d5401337b7d
         env:
@@ -54,8 +57,12 @@ jobs:
               throw new Error('You must supply a HEROKU_API_TOKEN environment variable!')
             }
 
-            const getOctokit = require('./script/helpers/github')
-            const undeployFromStaging = require('./script/deployment/undeploy-from-staging')
+            // Workaround to allow us to load ESM files with `require(...)`
+            const esm = require('esm')
+            require = esm({})
+
+            const { default: getOctokit } = require('./script/helpers/github')
+            const { default: undeployFromStaging } = require('./script/deployment/undeploy-from-staging')
 
             // This helper uses the `GITHUB_TOKEN` implicitly!
             // We're using our usual version of Octokit vs. the provided `github`
@@ -64,7 +71,6 @@ jobs:
 
             try {
               await undeployFromStaging({
-                herokuToken: HEROKU_API_TOKEN,
                 octokit,
                 pullRequest: context.payload.pull_request,
                 runId: context.runId

.github/workflows/sync-search-indices.yml

@@ -22,7 +22,7 @@ name: Sync search indexes
 on:
   workflow_dispatch:
   schedule:
-    - cron: '53 0/4 * * *' # Run every four hours at 53 minutes past the hour
+    - cron: '53 0/8 * * *' # Run every eight hours at 53 minutes past the hour
 
 jobs:
   updateIndexes:

.github/workflows/workflow-lint.yml

@@ -28,4 +28,4 @@ jobs:
       - name: Run linter
         uses: cschleiden/actions-linter@caffd707beda4fc6083926a3dff48444bc7c24aa
         with:
-          workflows: '[".github/workflows/*.yml", ".github/workflows/*.yaml", "!.github/workflows/remove-from-fr-board.yaml"]'
+          workflows: '[".github/workflows/*.yml", ".github/workflows/*.yaml", "!.github/workflows/remove-from-fr-board.yaml", "!.github/workflows/staging-deploy-pr.yml"]'

Dockerfile

@@ -18,6 +18,7 @@ WORKDIR /usr/src/docs
 FROM base as all_deps
 
 COPY package*.json ./
+COPY .npmrc ./
 
 RUN npm ci