Merge branch 'main' into patch-1

.github/PULL_REQUEST_TEMPLATE.md

@@ -4,9 +4,9 @@ Thank you for contributing to this project! You must fill out the information be
 
 ### Why:
 
-Closes [issue link]
+Closes ISSUE
 
-<!-- If there's an existing issue for your change, please link to it in the brackets above.
+<!-- If there's an existing issue for your change, please replace ISSUE above with a link to the issue.
 If there's _not_ an existing issue, please open one first to make it more likely that this update will be accepted: https://github.com/github/docs/issues/new/choose. -->
 
 ### What's being changed (if available, include any code snippets, screenshots, or gifs):

content/actions/creating-actions/about-custom-actions.md

@@ -33,7 +33,7 @@ Actions can run directly on a machine or in a Docker container. You can define a
 
 ## Types of actions
 
-You can build Docker container and JavaScript actions. Actions require a metadata file to define the inputs, outputs and main entrypoint for your action. The metadata filename must be either `action.yml` or `action.yaml`. For more information, see "[Metadata syntax for {% data variables.product.prodname_actions %}](/articles/metadata-syntax-for-github-actions)."
+You can build Docker container, JavaScript, and composite actions. Actions require a metadata file to define the inputs, outputs and main entrypoint for your action. The metadata filename must be either `action.yml` or `action.yaml`. For more information, see "[Metadata syntax for {% data variables.product.prodname_actions %}](/articles/metadata-syntax-for-github-actions)."
 
 | Type | Operating system |
 | ---- | ------------------- |

content/admin/configuration/configuring-github-connect/enabling-server-statistics-for-your-enterprise.md

@@ -14,7 +14,7 @@ shortTitle: Server Statistics
 
 {% data variables.product.prodname_server_statistics %} collects aggregate usage data from {% data variables.location.product_location %}, which you can use to better anticipate the needs of your organization, understand how your team works, and show the value you get from {% data variables.product.prodname_ghe_server %}. 
 
-{% data variables.product.prodname_server_statistics %} only collects certain aggregate metrics on repositories, issues, pull requests, and other features.{% data variables.product.prodname_dotcom %} content, such as code, issues, comments, or pull request content, is not collected. For more information, see "[About {% data variables.product.prodname_server_statistics %}](/admin/monitoring-activity-in-your-enterprise/analyzing-how-your-team-works-with-server-statistics/about-server-statistics)."
+{% data variables.product.prodname_server_statistics %} only collects certain aggregate metrics on repositories, issues, pull requests, and other features. {% data variables.product.prodname_dotcom %} content, such as code, issues, comments, or pull request content, is not collected. For more information, see "[About {% data variables.product.prodname_server_statistics %}](/admin/monitoring-activity-in-your-enterprise/analyzing-how-your-team-works-with-server-statistics/about-server-statistics)."
 
 By enabling {% data variables.product.prodname_server_statistics %}, you are also helping to improve {% data variables.product.company_short %}. The aggregated data you will provide helps us understand how our customers are using {% data variables.product.prodname_dotcom %}, and make better and more informed product decisions, ultimately benefiting you.
 

content/admin/configuration/configuring-your-enterprise/restricting-network-traffic-to-your-enterprise-with-an-ip-allow-list.md

@@ -25,7 +25,7 @@ By default, authorized users can access your enterprise from any IP address. You
 
 {% ifversion ghec %}
 
-If your enterprise uses {% data variables.product.prodname_emus %} with OIDC, you can choose whether to use {% data variables.product.company_short %}'s IP allow list feature or to use the allow list restrictions for your identity provider (IdP). If your enterprise does not use {% data variables.product.prodname_emus %} with OIDC, you can use {% data variables.product.company_short %}'s allow list feature. 
+If your enterprise uses {% data variables.product.prodname_emus %} with Azure AD and OIDC, you can choose whether to use {% data variables.product.company_short %}'s IP allow list feature or to use the allow list restrictions for your identity provider (IdP). If your enterprise does not use {% data variables.product.prodname_emus %} with Azure and OIDC, you can use {% data variables.product.company_short %}'s allow list feature. 
 
 {% elsif ghae %}
 
@@ -47,7 +47,7 @@ You can use {% data variables.product.company_short %}'s IP allow list to contro
 
 ## About your IdP's allow list
 
-If you are using {% data variables.product.prodname_emus %} with OIDC, you can use your IdP's allow list. 
+If you are using {% data variables.product.prodname_emus %} with Azure AD and OIDC, you can use your IdP's allow list.
 
 Using your IdP's allow list deactivates the {% data variables.product.company_short %} IP allow list configurations for all organizations in your enterprise and deactivates the GraphQL APIs for enabling and managing IP allow lists. 
 
@@ -124,7 +124,11 @@ To ensure seamless use of the OIDC CAP while still applying the policy to user-t
 
 ## Using your identity provider's allow list
 
-You can use your IdP's allow list if you use {% data variables.product.prodname_emus %} with OIDC.
+{% note %}
+
+**Note:** Using your IdP's allow list is only supported for {% data variables.product.prodname_emus %} with Azure AD and OIDC. 
+
+{% endnote %}
 
 {% data reusables.profile.access_org %}
 {% data reusables.profile.org_settings %}

data/release-notes/enterprise-server/3-3/15.yml

@@ -12,6 +12,8 @@ sections:
     - |
       **MEDIUM**: Updated Redis to 5.0.14 to address [CVE-2021-32672](https://nvd.nist.gov/vuln/detail/CVE-2021-32672) and [CVE-2021-32762](https://nvd.nist.gov/vuln/detail/CVE-2021-32762).
     - |
+      **MEDIUM**: An improper privilege management vulnerability was identified in GitHub Enterprise Server that allowed users with improper privileges to create or delete pages via the API. To exploit this vulnerability, an attacker would need to be added to an organization's repo with write permissions. This vulnerability was reported via the GitHub Bug Bounty program and has been assigned [CVE-2022-23737](https://www.cve.org/CVERecord?id=CVE-2022-23737).
+    - |    
       **LOW**: Due to a CSRF vulnerability, a `GET` request to the instance's `site/toggle_site_admin_and_employee_status` endpoint could toggle a user's site administrator status unknowingly.
     - Packages have been updated to the latest security versions. 
   bugs:

data/release-notes/enterprise-server/3-4/10.yml

@@ -12,6 +12,8 @@ sections:
     - |
       **MEDIUM**: Updated GitHub Actions runners to fix a bug that allowed environment variables in GitHub Actions jobs to escape the context of the variable and modify the invocation of `docker` commands directly. For more information, see the [Actions Runner security advisory](https://github.com/actions/runner/security/advisories/GHSA-2c6m-6gqh-6qg3).
     - |
+      **MEDIUM**: An improper privilege management vulnerability was identified in GitHub Enterprise Server that allowed users with improper privileges to create or delete pages via the API. To exploit this vulnerability, an attacker would need to be added to an organization's repo with write permissions. This vulnerability was reported via the GitHub Bug Bounty program and has been assigned [CVE-2022-23737](https://www.cve.org/CVERecord?id=CVE-2022-23737).
+    - |  
       **LOW**: Due to a CSRF vulnerability, a `GET` request to the instance's `site/toggle_site_admin_and_employee_status` endpoint could toggle a user's site administrator status unknowingly.
     - Packages have been updated to the latest security versions. 
   bugs:

data/release-notes/enterprise-server/3-5/7.yml

@@ -12,6 +12,8 @@ sections:
     - |
       **MEDIUM**: Updated GitHub Actions runners to fix a bug that allowed environment variables in GitHub Actions jobs to escape the context of the variable and modify the invocation of `docker` commands directly. For more information, see the [Actions Runner security advisory](https://github.com/actions/runner/security/advisories/GHSA-2c6m-6gqh-6qg3).
     - |
+      **MEDIUM**: An improper privilege management vulnerability was identified in GitHub Enterprise Server that allowed users with improper privileges to create or delete pages via the API. To exploit this vulnerability, an attacker would need to be added to an organization's repo with write permissions. This vulnerability was reported via the GitHub Bug Bounty program and has been assigned [CVE-2022-23737](https://www.cve.org/CVERecord?id=CVE-2022-23737).
+    - |  
       **LOW**: Due to a CSRF vulnerability, a `GET` request to the instance's `site/toggle_site_admin_and_employee_status` endpoint could toggle a user's site administrator status unknowingly.
     - Packages have been updated to the latest security versions. 
   bugs:
@@ -45,4 +47,4 @@ sections:
     - Actions services need to be restarted after restoring an appliance from a backup taken on a different host.
     - '{% data reusables.release-notes.2022-09-hotpatch-issue %}'
     - |
-      GitHub Pages builds may time out on instances in AWS that are configured for high availability. [Updated: 2022-11-28]
+      GitHub Pages builds may time out on instances in AWS that are configured for high availability. [Updated: 2022-11-28]

data/release-notes/enterprise-server/3-6/3.yml

@@ -12,6 +12,8 @@ sections:
     - |
       **MEDIUM**: Updated GitHub Actions runners to fix a bug that allowed environment variables in GitHub Actions jobs to escape the context of the variable and modify the invocation of `docker` commands directly. For more information, see the [Actions Runner security advisory](https://github.com/actions/runner/security/advisories/GHSA-2c6m-6gqh-6qg3).
     - |
+      **MEDIUM**: An improper privilege management vulnerability was identified in GitHub Enterprise Server that allowed users with improper privileges to create or delete pages via the API. To exploit this vulnerability, an attacker would need to be added to an organization's repo with write permissions. This vulnerability was reported via the GitHub Bug Bounty program and has been assigned [CVE-2022-23737](https://www.cve.org/CVERecord?id=CVE-2022-23737).
+    - |  
       **LOW**: Due to a CSRF vulnerability, a `GET` request to the instance's `site/toggle_site_admin_and_employee_status` endpoint could toggle a user's site administrator status unknowingly.
     - Packages have been updated to the latest security versions. 
   bugs:
@@ -52,4 +54,4 @@ sections:
     - Custom patterns for secret scanning have `.*` as an end delimiter, specifically in the "After secret" field. This delimiter causes inconsistencies in scans for secrets across repositories, and you may notice gaps in a repository's history where no scans completed. Incremental scans may also be impacted. To prevent issues with scans, modify the end of the pattern to remove the `.*` delimiter.
     - '{% data reusables.release-notes.2022-09-hotpatch-issue %}'
     - |
-      GitHub Pages builds may time out on instances in AWS that are configured for high availability. [Updated: 2022-11-28]
+      GitHub Pages builds may time out on instances in AWS that are configured for high availability. [Updated: 2022-11-28]