Merge branch 'main' into patch-3

.devcontainer/devcontainer.json

@@ -22,7 +22,7 @@
 		"davidanson.vscode-markdownlint",
 		"bierner.markdown-preview-github-styles",
 		"streetsidesoftware.code-spell-checker",
-		"hubwriter.open-reusable"
+		"alistairchristie.open-reusables"
 	],
 
 	// Use 'forwardPorts' to make a list of ports inside the container available locally.

.github/CODEOWNERS

@@ -24,7 +24,7 @@ package.json @github/docs-engineering
 /translations/log/ @github/docs-localization @Octomerger
 
 # Site Policy
-/content/github/site-policy/ @github/site-policy-admins
+/content/site-policy/ @github/site-policy-admins
 
 # Content strategy
 /contributing/content-markup-reference.md @github/docs-content-strategy
@@ -32,7 +32,3 @@ package.json @github/docs-engineering
 /contributing/content-model.md @github/docs-content-strategy
 /contributing/content-style-guide.md @github/docs-content-strategy
 /contributing/content-templates.md @github/docs-content-strategy
-
-# Make sure that Octokit maintainers get notified about changes
-# relevant to the Octokit libraries (https://github.com/octokit)
-/content/rest/reference @github/octokit-maintainers

.github/actions-scripts/enterprise-server-issue-templates/release-issue.md

@@ -98,15 +98,18 @@ This file should be automatically updated, but you can also run `script/update-e
 
 ### Before shipping the release branch
 
-- [ ] Add the GHES release notes to `data/release-notes/` and update the versioning frontmatter in `content/admin/release-notes.md` to `enterprise-server: '<=<RELEASE>'`
+- [ ] Add the GHES release notes to `data/release-notes/`.
 - [ ] Add any required smoke tests to the opening post in the megabranch PR.
 
   Usually, we should smoke test any new GHES admin guides, any large features landing in this GHES version for the first time, and the REST and GraphQL API references.
-- [ ] Alert the Neon Squad (formally docs-ecosystem team)  1-2 days before the release to deploy to `github/github`. A PR should already be open in `github/github`, to change `published` to `true` in  `app/api/description/config/releases/ghes-<NEXT RELEASE NUMBER>.yaml`. They will need to:
+- [ ] A few days before shipping, check for broken links. Run `script/check-english-links.js` in a local copy of the megabranch.
+- [ ] [Freeze the repos](https://github.com/github/docs-content/blob/main/docs-content-docs/docs-content-workflows/freezing.md) at least 1-2 days before the release, and post an announcement in Slack so everybody knows. It's helpful to freeze the repos before doing the OpenAPI merges to avoid changes to the megabranch while preparing and deploying.
+- [ ] Alert the Neon Squad (formally docs-ecosystem team)  1-2 days before the release to deploy to `github/github`. A PR should already be open in `github/github`, to change the OpenAPI schema config `published` to `true` in `app/api/description/config/releases/ghes-<NEXT RELEASE NUMBER>.yaml`. They will need to:
   - [ ] Get the required approval from `@github/ecosystem-api-reviewers` then deploy the PR to dotcom. This process generally takes 30-90 minutes.
-  - [ ] Once the PR merges, make sure that the auto-generated PR titled "Update OpenAPI Descriptions" in doc-internal contains both the derefrenced and decorated JSON files for the new GHES release. If everything looks good, merge the "Update OpenAPI Description" PR into the GHES release megabranch. **Note:** Be careful about resolving the conflicts correctly—you may wish to delete the existing OpenAPI files for the release version from the megabranch, so there are no conflicts to resolve and to ensure that the incoming artifacts are the correct ones.
-  - [ ] Add a blocking review to the auto-generated "Update OpenAPI Descriptions" PR in the public REST API description. (Remove this blocking review once the GHES release ships.)
-- [ ] [Freeze the repos](https://github.com/github/docs-content/blob/main/docs-content-docs/docs-content-workflows/freezing.md) at least 1-2 days before the release, and post an announcement in Slack so everybody knows.
+  - [ ] Once the PR merges, make sure that the auto-generated PR titled "Update OpenAPI Descriptions" in doc-internal contains both the dereferenced and decorated JSON files for the new GHES release. If everything looks good, merge the "Update OpenAPI Description" PR into the GHES release megabranch. **Note:** Be careful about resolving the conflicts correctly—you may wish to delete the existing OpenAPI files for the release version from the megabranch (that is, delete the GHES release version `lib/rest/static` decorated and dereferenced JSON files), so there are no conflicts to resolve and to ensure that the incoming artifacts are the correct ones.
+- [ ] Alert the Ecosystem-API team in #ecosystem-api about the pending release freeze and incoming blocking review of OpenAPI updates in the public REST API description (the `rest-api-descriptions` repo). They'll need to block any future "Update OpenAPI Descriptions" PRs in the public REST API description until after the ship.
+  - [ ] Add a blocking review to the auto-generated "Update OpenAPI Descriptions" PR in the public REST API description. (You or they will remove this blocking review once the GHES release ships.)
+
 
 ### 🚢 🛳️ 🚢 Shipping the release branch
 
@@ -114,11 +117,18 @@ This file should be automatically updated, but you can also run `script/update-e
 - [ ] The `github/docs-internal` repo is frozen, and the `Repo Freeze Check / Prevent merging during deployment freezes (pull_request_target)` test is expected to fail.
 
   Use admin permissions to ship the release branch with this failure. Make sure that the merge's commit title does not include anything like `[DO NOT MERGE]`, and remove all the branch's commit details from the merge's commit message except for the co-author list.
-- [ ] Do any required smoke tests listed in the opening post in the megabranch PR.
+- [ ] Do any required smoke tests listed in the opening post in the megabranch PR. You can monitor and check when the production deploy completed by viewing the [`docs-internal` deployments page](https://github.com/github/docs-internal/deployments).
 - [ ] Once smoke tests have passed, you can [unfreeze the repos](https://github.com/github/docs-content/blob/main/docs-content-docs/docs-content-workflows/freezing.md) and post an announcement in Slack.
-- [ ] After unfreezing, push the search index LFS objects for the public `github/docs` repo. The LFS objects were already being pushed for the internal repo after the `sync-english-index-for-<PLAN@RELEASE>` was added to the megabranch. To push the LFS objects, run the [search sync workflow](https://github.com/github/docs-internal/actions/workflows/sync-search-indices.yml). Once you're there, click on `Run workflow` button. A modal will pop up where you can set the following inputs:
-  Branch: The new version megabranch you're working on
-  version: `enterprise-server@<RELEASE>`
-  language: `en`
+- [ ] After unfreezing, the megabranch creator should push the search index LFS objects for the public `github/docs` repo. The LFS objects were already pushed for the internal repo after the `sync-english-index-for-<PLAN@RELEASE>` was added to the megabranch. To push the LFS objects to the public repo:
+  1. First navigate to the [sync search indices workflow](https://github.com/github/docs-internal/actions/workflows/sync-search-indices.yml). 
+  2. Then, to run the workflow with parameters, click on `Run workflow` button. 
+  3. A modal will pop up where you will set the following inputs:
+     - Branch: The new version megabranch you're working on
+     - Version: `enterprise-server@<RELEASE>`
+     - Language: `en`
+  4. Run the job. The workflow job may fail on the first run—so retry the failed job if needed.
+- [ ] After unfreezing, alert the Ecosystem-API team in #ecosystem-api the docs freeze is finished/thawed and the release has shipped. 
+  - [ ] You (or they) can now remove your blocking review on the auto-generated "Update OpenAPI Descriptions" PR in public REST API description (the `rest-api-descriptions` repo). (although it's likely newer PRs have been created since yours with the blocking review, in which case the Ecosystem-API team will close your PR and perform the next step on the most recent PR).
+  - [ ] The Ecosystem-API team will merge the latest auto-generated "Update OpenAPI Descriptions" PR (which will contain the OpenAPI schema config that changed `published` to `true` for the release).
 - [ ] After unfreezing, if there were significant or highlighted GraphQL changes in the release, consider manually running the [GraphQL update workflow](https://github.com/github/docs-internal/actions/workflows/update-graphql-files.yml) to update our GraphQL schemas. By default this workflow only runs once every 24 hours.
 - [ ] After the release, in the `docs-content` repo, add the now live version number to the "Specific GHES version(s)" section in the following files: [`.github/ISSUE_TEMPLATE/release-tier-1-or-2-tracking.yml`](https://github.com/github/docs-content/blob/main/.github/ISSUE_TEMPLATE/release-tier-1-or-2-tracking.yml) and [`.github/ISSUE_TEMPLATE/release-tier-3-or-tier-4.yml`](https://github.com/github/docs-content/blob/main/.github/ISSUE_TEMPLATE/release-tier-3-or-tier-4.yml). When the PR is approved, merge it in. 

.github/actions-scripts/projects.js

@@ -190,7 +190,7 @@ export function generateUpdateProjectNextItemFieldMutation({
     // Strip all non-alphanumeric out of the item ID when creating the mutation ID to avoid a GraphQL parsing error
     // (statistically, this should still give us a unique mutation ID)
     return `
-      set_${fieldID.substr(1)}_item_${item.replaceAll(
+      set_${fieldID.slice(1)}_item_${item.replaceAll(
       /[^a-z0-9]/g,
       ''
     )}: updateProjectNextItemField(input: {

.github/workflows/azure-preview-env-deploy.yml

@@ -53,7 +53,7 @@ jobs:
       # to link a PR to a list of environments later.
       url: ${{ env.APP_URL }}
     env:
-      PR_NUMBER: ${{ github.event.number || github.event.inputs.PR_NUMBER }}
+      PR_NUMBER: ${{ github.event.number || github.event.inputs.PR_NUMBER || github.run_id }}
       COMMIT_REF: ${{ github.event.pull_request.head.sha || github.event.inputs.COMMIT_REF }}
       BRANCH_NAME: ${{ github.head_ref || github.ref_name }}
       IS_INTERNAL_BUILD: ${{ github.repository == 'github/docs-internal' }}
@@ -165,7 +165,7 @@ jobs:
           rsync -rptovR ./user-code/content/./**/*.md ./content
           rsync -rptovR ./user-code/assets/./**/*.png ./assets
           rsync -rptovR ./user-code/data/./**/*.{yml,md} ./data
-          rsync -rptovR ./user-code/components/./**/*.{ts,tsx} ./components
+          rsync -rptovR ./user-code/components/./**/*.{scss,ts,tsx} ./components
           rsync -rptovR --ignore-missing-args ./user-code/lib/./**/*.{js,ts} ./lib
           rsync -rptovR --ignore-missing-args ./user-code/middleware/./**/*.{js,ts} ./middleware
           rsync -rptovR ./user-code/pages/./**/*.tsx ./pages

.github/workflows/browser-test.yml

@@ -59,5 +59,8 @@ jobs:
           path: .next/cache
           key: ${{ runner.os }}-nextjs-${{ hashFiles('package*.json') }}
 
+      - name: Run build script
+        run: npm run build
+
       - name: Run browser-test
         run: npm run browser-test

.github/workflows/crowdin-cleanup.yml

@@ -41,7 +41,7 @@ jobs:
         run: script/i18n/homogenize-frontmatter.js
 
       - name: Check in homogenized files
-        uses: EndBug/add-and-commit@756d9ea820f11931e591eaf57f25e0f5b903d5b2
+        uses: EndBug/add-and-commit@050a66787244b10a4874a2a5f682130263edc192
         with:
           # The arguments for the `git add` command
           add: 'translations'

.github/workflows/openapi-decorate.yml

@@ -54,7 +54,7 @@ jobs:
         run: script/rest/update-files.js --decorate-only
 
       - name: Check in the decorated files
-        uses: EndBug/add-and-commit@756d9ea820f11931e591eaf57f25e0f5b903d5b2
+        uses: EndBug/add-and-commit@050a66787244b10a4874a2a5f682130263edc192
         with:
           # The arguments for the `git add` command
           add: '["lib/rest/static/apps", "lib/rest/static/decorated"]'

.github/workflows/optimize-images.yml

@@ -23,6 +23,10 @@ jobs:
         uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579
         with:
           ref: ${{ github.head_ref }}
+          # Need to specify a PAT here because otherwise GITHUB_TOKEN is used
+          # by default.  Workflows won't trigger in that case because actions
+          # performed with GITHUB_TOKEN don't trigger other workflows.
+          token: ${{ secrets.DOCUBOT_REPO_PAT }}
 
       - name: Check out base ref
         run: git fetch --no-tags --depth=1 origin $GITHUB_BASE_REF

.github/workflows/test.yml

@@ -135,11 +135,6 @@ jobs:
       - name: Run build script
         run: npm run build
 
-      - name: Warm possible disk caching
-        env:
-          NODE_ENV: test
-        run: ./script/warm-before-tests.mjs
-
       - name: Run tests
         env:
           DIFF_FILE: get_diff_files.txt

.github/workflows/triage-unallowed-internal-changes.yml

@@ -39,7 +39,7 @@ jobs:
         id: filter
         with:
           # Base branch used to get changed files
-          base: ${{ github.event.pull_request.base.ref }}
+          base: ${{ github.event.pull_request.base.ref || github.base_ref || github.ref }}
 
           # Enables setting an output in the format in `${FILTER_NAME}_files
           # with the names of the matching files formatted as JSON array

Dockerfile

@@ -89,6 +89,7 @@ COPY --chown=node:node feature-flags.json ./
 COPY --chown=node:node data ./data
 COPY --chown=node:node next.config.js ./
 COPY --chown=node:node server.mjs ./server.mjs
+COPY --chown=node:node start-server.mjs ./start-server.mjs
 
 EXPOSE $PORT
 

LICENSE-CODE

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2020 GitHub
+Copyright 2022 GitHub
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

components/article/ClientSideHighlightJS.tsx

@@ -66,6 +66,10 @@ export default function ClientSideHighlightJS() {
         intersectionObserver.observe(element)
       }
     }
+
+    return () => {
+      intersectionObserver.disconnect()
+    }
   }, [asPath])
 
   return null

components/article/ToolPicker.tsx

@@ -20,6 +20,8 @@ const supportedTools = [
   'vscode',
   'importer_cli',
   'graphql',
+  'powershell',
+  'bash',
 ]
 const toolTitles = {
   webui: 'Web browser',
@@ -30,6 +32,8 @@ const toolTitles = {
   vscode: 'Visual Studio Code',
   importer_cli: 'GitHub Enterprise Importer CLI',
   graphql: 'GraphQL API',
+  powershell: 'PowerShell',
+  bash: 'Bash',
 } as Record<string, string>
 
 // Imperatively modify article content to show only the selected tool

components/page-header/RestBanner.tsx

@@ -7,6 +7,7 @@ const restRepoDisplayPages = [
   'branches',
   'collaborators',
   'commits',
+  'deploy_keys',
   'deployments',
   'pages',
   'releases',
@@ -19,6 +20,7 @@ const restRepoCategoryExceptionsTitles = {
   branches: 'Branches',
   collaborators: 'Collaborators',
   commits: 'Commits',
+  deploy_keys: 'Deploy Keys',
   deployments: 'Deployments',
   pages: 'GitHub Pages',
   releases: 'Releases',

components/rest/CodeBlock.module.scss

@@ -1,8 +1,4 @@
 .codeBlock {
-  pre {
-    margin-bottom: 0;
-    border: 1px solid var(--color-border-default);
-    max-height: 32rem;
-    overflow: auto;
-  }
+  max-height: 32rem;
+  overflow: auto;
 }

components/rest/CodeBlock.tsx

@@ -20,7 +20,7 @@ export function CodeBlock({ verb, headingLang, codeBlock, highlight }: Props) {
   })
 
   return (
-    <div className="code-extra">
+    <div className={headingLang && 'code-extra'}>
       {headingLang && (
         <header className="d-flex flex-justify-between flex-items-center p-2 text-small rounded-top-1 border">
           {headingLang === 'JavaScript' ? (
@@ -41,13 +41,7 @@ export function CodeBlock({ verb, headingLang, codeBlock, highlight }: Props) {
           </Tooltip>
         </header>
       )}
-      <pre
-        className={cx(
-          styles.methodCodeBlock,
-          'd-flex flex-justify-between flex-items-center rounded-1 border'
-        )}
-        data-highlight={highlight}
-      >
+      <pre className={cx(styles.codeBlock, 'rounded-1 border')} data-highlight={highlight}>
         <code>
           {verb && (
             <span className="color-bg-accent-emphasis color-fg-on-emphasis rounded-1 text-uppercase p-1">

components/rest/RestOperation.tsx

@@ -48,6 +48,7 @@ export function RestOperation({ operation }: Props) {
       {previews && (
         <RestPreviewNotice slug={operation.slug} previews={operation['x-github'].previews} />
       )}
+      <RestResponse responses={operation.responses} variant="error" />
     </div>
   )
 }

components/rest/RestReferencePage.tsx

@@ -68,7 +68,8 @@ export const RestReferencePage = ({
     if (
       hash &&
       (pathname.endsWith('/rest/reference/repos') ||
-        pathname.endsWith('/rest/reference/enterprise-admin'))
+        pathname.endsWith('/rest/reference/enterprise-admin') ||
+        pathname.endsWith('/rest/reference/deployments'))
     ) {
       setLoadClientsideRedirectExceptions(true)
     }
@@ -160,9 +161,6 @@ export const RestReferencePage = ({
             {page.introPlainText}
           </Lead>
         )}
-        <div key={`restCategory-introContent`}>
-          <div dangerouslySetInnerHTML={{ __html: introContent }} />
-        </div>
         <div className="my-3 d-flex">
           <div className="pr-3 mt-1">
             <Circle className="color-fg-on-emphasis color-bg-emphasis">
@@ -185,6 +183,9 @@ export const RestReferencePage = ({
             )}
           </div>
         </div>
+        <div key={`restCategory-introContent`}>
+          <div dangerouslySetInnerHTML={{ __html: introContent }} />
+        </div>
         <MarkdownContent>
           {subcategories.map((subcategory, index) => (
             <div key={`restCategory-${index}`}>

components/rest/RestResponse.tsx

@@ -1,14 +1,44 @@
 import { CodeResponse } from './types'
 import { CodeBlock } from './CodeBlock'
+import { useTranslation } from 'components/hooks/useTranslation'
+import { RestResponseTable } from './RestResponseTable'
 
 type Props = {
   responses: Array<CodeResponse>
+  variant?: 'non-error' | 'error'
 }
 
-export function RestResponse({ responses }: Props) {
+export function RestResponse(props: Props) {
+  const { responses, variant = 'non-error' } = props
+  const { t } = useTranslation('products')
+
+  if (!responses || responses.length === 0) {
+    return null
+  }
+
+  const filteredResponses = responses.filter((response) => {
+    const responseCode = parseInt(response.httpStatusCode)
+
+    if (variant === 'error') {
+      return responseCode >= 400
+    } else {
+      return responseCode < 400
+    }
+  })
+
+  if (filteredResponses.length === 0) {
+    return null
+  }
+
+  if (variant === 'error') {
+    return (
+      <RestResponseTable heading={t('rest.reference.error_codes')} responses={filteredResponses} />
+    )
+  }
+
   return (
     <>
-      {responses.map((response: CodeResponse, index: number) => {
+      {filteredResponses.map((response, index) => {
         return (
           <div key={`${response.httpStatusMessage}-${index}}`}>
             <h4 dangerouslySetInnerHTML={{ __html: response.description }} />

components/rest/RestResponseTable.module.scss

@@ -0,0 +1,48 @@
+.restResponseTable {
+  table-layout: fixed !important;
+
+  thead {
+    tr {
+      border-top: none;
+
+      th {
+        border: 0;
+        font-weight: normal;
+      }
+
+      th:first-child {
+        width: 25%;
+      }
+
+      th:nth-child(2) {
+        width: 75%;
+      }
+    }
+  }
+
+  tr:nth-child(2n) {
+    background: none !important;
+  }
+
+  td {
+    padding: 0.75rem 0.5rem !important;
+    border: 0 !important;
+    vertical-align: top;
+    width: 100%;
+  }
+
+  tbody {
+    tr td:first-child {
+      width: 30%;
+      font-weight: bold;
+    }
+
+    tr td:nth-child(2) {
+      width: 70%;
+    }
+
+    table tr td:not(:first-child) {
+      font-weight: normal;
+    }
+  }
+}

components/rest/RestResponseTable.tsx

@@ -0,0 +1,45 @@
+import cx from 'classnames'
+import { CodeResponse } from './types'
+import { useTranslation } from 'components/hooks/useTranslation'
+import styles from './RestResponseTable.module.scss'
+
+type Props = {
+  heading: string
+  responses: Array<CodeResponse>
+}
+
+export function RestResponseTable({ heading, responses }: Props) {
+  const { t } = useTranslation('products')
+
+  return (
+    <>
+      <h4>{heading}</h4>
+      <table className={cx(styles.restResponseTable)}>
+        <thead>
+          <tr className="text-left">
+            <th>{t('rest.reference.http_status_code')}</th>
+            <th>{t('rest.reference.description')}</th>
+          </tr>
+        </thead>
+        <tbody>
+          {responses.map((response, index) => {
+            return (
+              <tr key={`${response.description}-${index}}`}>
+                <td>
+                  <code>{response.httpStatusCode}</code>
+                </td>
+                <td>
+                  {response.description ? (
+                    <div dangerouslySetInnerHTML={{ __html: response.description }} />
+                  ) : (
+                    response.httpStatusMessage
+                  )}
+                </td>
+              </tr>
+            )
+          })}
+        </tbody>
+      </table>
+    </>
+  )
+}

components/ui/ScrollButton/ScrollButton.tsx

@@ -24,8 +24,10 @@ export const ScrollButton = ({ className, ariaLabel }: ScrollButtonPropsT) => {
       },
       { threshold: [0] }
     )
-
     observer.observe(document.getElementsByTagName('h1')[0])
+    return () => {
+      observer.disconnect()
+    }
   }, [])
 
   const onClick = () => {

content/README.md

@@ -228,7 +228,7 @@ defaultPlatform: linux
 ### `defaultTool`
 
 - Purpose: Override the initial tool selection for a page, where tool refers to the application the reader is using to work with GitHub (such as GitHub.com's web UI, the GitHub CLI, or GitHub Desktop) or the GitHub APIs (such as cURL or the GitHub CLI). For more information about the tool selector, see [Markup reference for GitHub Docs](../contributing/content-markup-reference.md#tool-tags). If this frontmatter is omitted, then the tool-specific content matching the GitHub web UI is shown by default. If a user has indicated a tool preference (by clicking on a tool tab), then the user's preference will be applied instead of the default value.
-- Type: `String`, one of: `webui`, `cli`, `desktop`, `curl`, `codespaces`, `vscode`, `importer_cli`, `graphql`.
+- Type: `String`, one of: `webui`, `cli`, `desktop`, `curl`, `codespaces`, `vscode`, `importer_cli`, `graphql`, `powershell`, `bash`.
 - Optional.
 
 ```yaml

content/account-and-profile/managing-subscriptions-and-notifications-on-github/setting-up-notifications/configuring-notifications.md

@@ -134,7 +134,7 @@ Email notifications from {% data variables.product.product_location %} contain t
 | `To` field | This field connects directly to the thread.{% ifversion not ghae %} If you reply to the email, you'll add a new comment to the conversation.{% endif %} |
 | `Cc` address | {% data variables.product.product_name %} will `Cc` you if you're subscribed to a conversation. The second `Cc` email address matches the notification reason. The suffix for these notification reasons is {% data variables.notifications.cc_address %}. The possible notification reasons are: <ul><li>`assign`: You were assigned to an issue or pull request.</li><li>`author`: You created an issue or pull request.</li><li>`ci_activity`: A {% data variables.product.prodname_actions %} workflow run that you triggered was completed.</li><li>`comment`: You commented on an issue or pull request.</li><li>`manual`: There was an update to an issue or pull request you manually subscribed to.</li><li>`mention`: You were mentioned on an issue or pull request.</li><li>`push`: Someone committed to a pull request you're subscribed to.</li><li>`review_requested`: You or a team you're a member of was requested to review a pull request.</li>{% ifversion fpt or ghes or ghae-issue-4864 or ghec %}<li>`security_alert`: {% data variables.product.prodname_dotcom %} detected a vulnerability in a repository you receive alerts for.</li>{% endif %}<li>`state_change`: An issue or pull request you're subscribed to was either closed or opened.</li><li>`subscribed`: There was an update in a repository you're watching.</li><li>`team_mention`: A team you belong to was mentioned on an issue or pull request.</li><li>`your_activity`: You opened, commented on, or closed an issue or pull request.</li></ul> |
 | `mailing list` field | This field identifies the name of the repository and its owner. The format of this address is always `<repository name>.<repository owner>.{% data variables.command_line.backticks %}`. |{% ifversion fpt or ghes or ghae-issue-4864 or ghec %}
-| `X-GitHub-Severity` field | {% data reusables.repositories.security-alerts-x-github-severity %} The possible severity levels are:<ul><li>`low`</li><li>`moderate`</li><li>`high`</li><li>`critical`</li></ul>For more information, see "[About alerts for vulnerable dependencies](/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies)." |{% endif %}
+| `X-GitHub-Severity` field | {% data reusables.repositories.security-alerts-x-github-severity %} The possible severity levels are:<ul><li>`low`</li><li>`moderate`</li><li>`high`</li><li>`critical`</li></ul>For more information, see "[About {% data variables.product.prodname_dependabot_alerts %}](/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies)." |{% endif %}
 
 ## Choosing your notification settings
 

content/account-and-profile/managing-subscriptions-and-notifications-on-github/viewing-and-triaging-notifications/managing-notifications-from-your-inbox.md

@@ -173,7 +173,7 @@ If you use {% data variables.product.prodname_dependabot %} to keep your depende
 - `reason:security_alert` to show notifications for {% data variables.product.prodname_dependabot_alerts %} and security update pull requests.
 - `author:app/dependabot` to show notifications generated by {% data variables.product.prodname_dependabot %}. This includes {% data variables.product.prodname_dependabot_alerts %}, security update pull requests, and version update pull requests.
 
-For more information about {% data variables.product.prodname_dependabot %}, see "[About managing vulnerable dependencies](/github/managing-security-vulnerabilities/about-managing-vulnerable-dependencies)."
+For more information about {% data variables.product.prodname_dependabot %}, see "[About {% data variables.product.prodname_dependabot_alerts %}](/code-security/supply-chain-security/about-alerts-for-vulnerable-dependencies)."
 {% endif %}
 
 {% ifversion ghes < 3.3 or ghae-issue-4864 %}
@@ -182,7 +182,7 @@ If you use {% data variables.product.prodname_dependabot %} to tell you about vu
 - `is:repository_vulnerability_alert` 
 - `reason:security_alert`
 
-For more information about {% data variables.product.prodname_dependabot %}, see "[About alerts for vulnerable dependencies](/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies)."
+For more information about {% data variables.product.prodname_dependabot %}, see "[About {% data variables.product.prodname_dependabot_alerts %}](/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies)."
 {% endif %}
 
 {% endif %}

content/account-and-profile/setting-up-and-managing-your-github-user-account/managing-user-account-settings/about-your-personal-dashboard.md

@@ -40,9 +40,23 @@ You can also find a list of your recently visited repositories, teams, and proje
 
 ## Staying updated with activity from the community
 
-In the "All activity" section of your news feed, you can view updates from repositories you're subscribed to and people you follow. The "All activity" section shows updates from repositories you watch or have starred, and from users you follow.
+{% if for-you-feed %}
+The main section of your dashboard has two activity feeds:
+
+- Following: Activity by people you follow and from repositories you watch.
+- For you: Activity and recommendations based on your {% data variables.product.product_name %} network.
+
+### Following feed
+
+This feed shows activity from repositories and users you have shown a direct interest in, by following a user or watching a repository. For example, you'll see updates when a user you follow:
+
+{% else %}
+In the "All activity" section of your news feed, you can view updates from repositories you watch and users you follow.
 
 You'll see updates in your news feed when a user you follow:
+{% endif %}
+
+
 - Stars a repository.
 - Follows another user.{% ifversion fpt or ghes or ghec %}
 - Creates a public repository.{% endif %}
@@ -51,7 +65,26 @@ You'll see updates in your news feed when a user you follow:
 - Forks a public repository.{% endif %}
 - Publishes a new release.
 
-For more information about starring repositories and following people, see "[Saving repositories with stars](/articles/saving-repositories-with-stars/)" and "[Following people](/articles/following-people)."
+For more information about starring repositories and following people, see "[Following people](/articles/following-people)" and "[Be social](/get-started/quickstart/be-social)."
+
+{% if for-you-feed %}
+### For you feed
+
+{% note %}
+
+**Note:** This new tab is currently in public beta and subject to change. 
+
+{% endnote %}
+
+This feed shows activity and recommendations based on your network on {% data variables.product.product_name %}. It's designed to provide updates that inspire you, keep you up-to-date, and help you find new communities you want to participate in. Your network includes:
+
+- Repositories you have starred
+- Repositories you've contributed to
+- Users you follow or sponsor
+- Users you've collaborated with
+- Organizations you follow
+
+{% endif %}
 
 ## Exploring recommended repositories
 

content/account-and-profile/setting-up-and-managing-your-github-user-account/managing-user-account-settings/managing-security-and-analysis-settings-for-your-user-account.md

@@ -49,5 +49,5 @@ For an overview of repository-level security, see "[Securing your repository](/c
 ## Further reading
 
 - "[About the dependency graph](/github/visualizing-repository-data-with-graphs/about-the-dependency-graph)"
-- "[Managing vulnerabilities in your project's dependencies](/github/managing-security-vulnerabilities/managing-vulnerabilities-in-your-projects-dependencies)"
+- "[About {% data variables.product.prodname_dependabot_alerts %}](/code-security/supply-chain-security/about-alerts-for-vulnerable-dependencies)"
 - "[Keeping your dependencies updated automatically](/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically)"

content/account-and-profile/setting-up-and-managing-your-github-user-account/managing-user-account-settings/permission-levels-for-a-user-account-repository.md

@@ -45,7 +45,7 @@ The repository owner has full control of the repository. In addition to the acti
 | Customize the repository's social media preview | "[Customizing your repository's social media preview](/github/administering-a-repository/customizing-your-repositorys-social-media-preview)" |
 | Create a template from the repository | "[Creating a template repository](/github/creating-cloning-and-archiving-repositories/creating-a-template-repository)" |{% ifversion fpt or ghes or ghae-issue-4864 or ghec %}
 | Control access to {% data variables.product.prodname_dependabot_alerts %} for vulnerable dependencies | "[Managing security and analysis settings for your repository](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#granting-access-to-security-alerts)" |{% endif %}{% ifversion fpt or ghec %}
-| Dismiss {% data variables.product.prodname_dependabot_alerts %} in the repository | "[Viewing and updating vulnerable dependencies in your repository](/github/managing-security-vulnerabilities/viewing-and-updating-vulnerable-dependencies-in-your-repository)" |
+| Dismiss {% data variables.product.prodname_dependabot_alerts %} in the repository | "[Viewing {% data variables.product.prodname_dependabot_alerts %} for vulnerable dependencies](/github/managing-security-vulnerabilities/viewing-and-updating-vulnerable-dependencies-in-your-repository)" |
 | Manage data use for a private repository | "[Managing data use settings for your private repository](/get-started/privacy-on-github/managing-data-use-settings-for-your-private-repository)"|{% endif %}
 | Define code owners for the repository | "[About code owners](/github/creating-cloning-and-archiving-repositories/about-code-owners)" |
 | Archive the repository | "[Archiving repositories](/repositories/archiving-a-github-repository/archiving-repositories)" |{% ifversion fpt or ghec %}

content/actions/hosting-your-own-runners/about-self-hosted-runners.md

@@ -133,16 +133,30 @@ Some extra configuration might be required to use actions from {% data variables
 
 ## Communication between self-hosted runners and {% data variables.product.product_name %}
 
-The self-hosted runner polls {% data variables.product.product_name %} to retrieve application updates and to check if any jobs are queued for processing. The self-hosted runner uses a HTTPS _long poll_ that opens a connection to {% data variables.product.product_name %} for 50 seconds, and if no response is received, it then times out and creates a new long poll. The application must be running on the machine to accept and run {% data variables.product.prodname_actions %} jobs.
+The self-hosted runner connects to {% data variables.product.product_name %} to receive job assignments and to download new versions of the runner application. The self-hosted runner uses an {% ifversion ghes %}HTTP(S){% else %}HTTPS{% endif %} _long poll_ that opens a connection to {% data variables.product.product_name %} for 50 seconds, and if no response is received, it then times out and creates a new long poll. The application must be running on the machine to accept and run {% data variables.product.prodname_actions %} jobs.
 
 {% data reusables.actions.self-hosted-runner-ports-protocols %}
 
-{% data reusables.actions.self-hosted-runner-communications-for-ghae %}
+{% ifversion fpt or ghec %}
+Since the self-hosted runner opens a connection to {% data variables.product.product_location %}, you do not need to allow {% data variables.product.prodname_dotcom %} to make inbound connections to your self-hosted runner.
+{% elsif ghes or ghae %}
+Only an outbound connection from the runner to {% data variables.product.product_location %} is required. There is no need for an inbound connection from {% data variables.product.product_location %} to the runner.
+{%- endif %}
+
+{% ifversion ghes %}
+
+{% data variables.product.product_name %} must accept inbound connections from your runners over {% ifversion ghes %}HTTP(S){% else %}HTTPS{% endif %} at {% data variables.product.product_location %}'s hostname and API subdomain, and your runners must allow outbound connections over {% ifversion ghes %}HTTP(S){% else %}HTTPS{% endif %} to {% data variables.product.product_location %}'s hostname and API subdomain.
+
+{% elsif ghae %}
+
+You must ensure that the self-hosted runner has appropriate network access to communicate with your {% data variables.product.product_name %} URL and its subdomains. For example, if your subdomain for {% data variables.product.product_name %} is `octoghae`, then you will need to allow the self-hosted runner to access `octoghae.githubenterprise.com`, `api.octoghae.githubenterprise.com`, and `codeload.octoghae.githubenterprise.com`.
+
+If you use an IP address allow list, you must add your self-hosted runner's IP address to the allow list. For more information, see "[Managing allowed IP addresses for your organization](/organizations/keeping-your-organization-secure/managing-allowed-ip-addresses-for-your-organization#using-github-actions-with-an-ip-allow-list)."
+
+{% endif %}
 
 {% ifversion fpt or ghec %}
 
-Since the self-hosted runner opens a connection to {% data variables.product.prodname_dotcom %}, you do not need to allow {% data variables.product.prodname_dotcom %} to make inbound connections to your self-hosted runner.
-
 You must ensure that the machine has the appropriate network access to communicate with the {% data variables.product.prodname_dotcom %} hosts listed below. Some hosts are required for essential runner operations, while other hosts are only required for certain functionality.
 
 {% note %}
@@ -191,27 +205,25 @@ If you use an IP address allow list for your {% data variables.product.prodname_
 
 {% else %}
 
-You must ensure that the machine has the appropriate network access to communicate with {% data variables.product.product_location %}.{% ifversion ghes %} Self-hosted runners connect directly to {% data variables.product.product_location %} and do not require any external internet access in order to function. As a result, you can use network routing to direct communication between the self-hosted runner and {% data variables.product.product_location %}. For example, you can assign a private IP address to your self-hosted runner and configure routing to send traffic to {% data variables.product.product_location %}, with no need for traffic to traverse a public network.{% endif %}
+{% ifversion ghes %}Self-hosted runners do not require any external internet access in order to function. As a result, you can use network routing to direct communication between the self-hosted runner and {% data variables.product.product_location %}. For example, you can assign a private IP address to your self-hosted runner and configure routing to send traffic to {% data variables.product.product_location %}, with no need for traffic to traverse a public network.{% endif %}
 
 {% endif %}
 
+{% ifversion ghae %}
+If you use an IP address allow list for your {% data variables.product.prodname_dotcom %} organization or enterprise account, you must add your self-hosted runner's IP address to the allow list. For more information, see "[Managing allowed IP addresses for your organization](/organizations/keeping-your-organization-secure/managing-allowed-ip-addresses-for-your-organization#using-github-actions-with-an-ip-allow-list)."
+{% endif %}
+
 You can also use self-hosted runners with a proxy server. For more information, see "[Using a proxy server with self-hosted runners](/actions/automating-your-workflow-with-github-actions/using-a-proxy-server-with-self-hosted-runners)."
 
 For more information about troubleshooting common network connectivity issues, see "[Monitoring and troubleshooting self-hosted runners](/actions/hosting-your-own-runners/monitoring-and-troubleshooting-self-hosted-runners#troubleshooting-network-connectivity)."
 
-{% ifversion ghes %}
+{% ifversion ghes or ghae %}
 
 ## Communication between self-hosted runners and {% data variables.product.prodname_dotcom_the_website %}
 
-Self-hosted runners do not need to connect to {% data variables.product.prodname_dotcom_the_website %} unless you have [enabled automatic access to {% data variables.product.prodname_dotcom_the_website %} actions using {% data variables.product.prodname_github_connect %}](/admin/github-actions/managing-access-to-actions-from-githubcom/enabling-automatic-access-to-githubcom-actions-using-github-connect).
+Self-hosted runners do not need to connect to {% data variables.product.prodname_dotcom_the_website %} unless you have enabled automatic access to {% data variables.product.prodname_dotcom_the_website %} actions for {% data variables.product.product_location %}. For more information, see "[About using actions in your enterprise](/admin/github-actions/managing-access-to-actions-from-githubcom/about-using-actions-in-your-enterprise)."
 
-If you have enabled automatic access to {% data variables.product.prodname_dotcom_the_website %} actions using {% data variables.product.prodname_github_connect %}, then the self-hosted runner will connect directly to {% data variables.product.prodname_dotcom_the_website %} to download actions.  You must ensure that the machine has the appropriate network access to communicate with the {% data variables.product.prodname_dotcom %} URLs listed below.
-
-{% note %}
-
-**Note:** Some of the domains listed below are configured using `CNAME` records. Some firewalls might require you to add rules recursively for all `CNAME` records. Note that the `CNAME` records might change in the future, and that only the domains listed below will remain constant.
-
-{% endnote %}
+If you have enabled automatic access to {% data variables.product.prodname_dotcom_the_website %} actions, then the self-hosted runner will connect directly to {% data variables.product.prodname_dotcom_the_website %} to download actions. You must ensure that the machine has the appropriate network access to communicate with the {% data variables.product.prodname_dotcom %} URLs listed below. 
 
 ```
 github.com
@@ -219,6 +231,13 @@ api.github.com
 codeload.github.com
 ```
 
+{% note %}
+
+**Note:** Some of the domains listed above are configured using `CNAME` records. Some firewalls might require you to add rules recursively for all `CNAME` records. Note that the `CNAME` records might change in the future, and that only the domains listed above will remain constant.
+
+{% endnote %}
+
+
 {% endif %}
 
 ## Self-hosted runner security

content/actions/hosting-your-own-runners/managing-access-to-self-hosted-runners-using-groups.md

@@ -14,7 +14,6 @@ shortTitle: Manage access to runners
 
 {% data reusables.actions.enterprise-beta %}
 {% data reusables.actions.enterprise-github-hosted-runners %}
-{% data reusables.actions.restrict-runner-workflow-beta %}
 
 ## About self-hosted runner groups
 

content/actions/managing-workflow-runs/re-running-workflows-and-jobs.md

@@ -1,6 +1,6 @@
 ---
 title: Re-running workflows and jobs
-intro: You can re-run a workflow run up to 30 days after its initial run.
+intro: You can re-run a workflow run{% if re-run-jobs %}, all failed jobs in a workflow run, or specific jobs in a workflow run{% endif %} up to 30 days after its initial run.
 permissions: People with write permissions to a repository can re-run workflows in the repository.
 miniTocMaxHeadingLevel: 3
 redirect_from:
@@ -15,9 +15,11 @@ versions:
 {% data reusables.actions.enterprise-beta %}
 {% data reusables.actions.enterprise-github-hosted-runners %}
 
-## Re-running all the jobs in a workflow
+## About re-running workflows and jobs
 
-Re-running a workflow uses the same `GITHUB_SHA` (commit SHA) and `GITHUB_REF` (Git ref) of the original event that triggered the workflow run. You can re-run a workflow for up to 30 days after the initial run.
+Re-running a workflow{% if re-run-jobs %} or jobs in a workflow{% endif %} uses the same `GITHUB_SHA` (commit SHA) and `GITHUB_REF` (Git ref) of the original event that triggered the workflow run. You can re-run a workflow{% if re-run-jobs %} or jobs in a workflow{% endif %} for up to 30 days after the initial run.
+
+## Re-running all the jobs in a workflow
 
 {% webui %}
 
@@ -26,7 +28,9 @@ Re-running a workflow uses the same `GITHUB_SHA` (commit SHA) and `GITHUB_REF` (
 {% data reusables.repositories.navigate-to-workflow %}
 {% data reusables.repositories.view-run %}
 {% ifversion fpt or ghes > 3.2 or ghae-issue-4721 or ghec %}
-1. In the upper-right corner of the workflow, use the **Re-run jobs** drop-down menu, and select **Re-run all jobs**
+1. In the upper-right corner of the workflow, use the **Re-run jobs** drop-down menu, and select **Re-run all jobs**.
+
+   If no jobs failed, you will not see the **Re-run jobs** drop-down menu. Instead, click **Re-run all jobs**.
     ![Rerun checks drop-down menu](/assets/images/help/repository/rerun-checks-drop-down.png)
 {% endif %}
 {% ifversion ghes < 3.3 or ghae %}
@@ -54,8 +58,64 @@ gh run watch
 
 {% endcli %}
 
+{% if re-run-jobs %}
+## Re-running failed jobs in a workflow
+
+If any jobs in a workflow run failed, you can re-run just the jobs that failed. When you re-run failed jobs in a workflow, a new workflow run will start for all failed jobs and their dependents. Any outputs for any successful jobs in the previous workflow run will be used for the re-run. Any artifacts that were created in the initial run will be available in the re-run. Any environment protection rules that passed in the previous run will automatically pass in the re-run.
+
+{% webui %}
+
+{% data reusables.repositories.navigate-to-repo %}
+{% data reusables.repositories.actions-tab %}
+{% data reusables.repositories.navigate-to-workflow %}
+{% data reusables.repositories.view-run %}
+1. In the upper-right corner of the workflow, use the **Re-run jobs** drop-down menu, and select **Re-run failed jobs**.
+    ![Re-run failed jobs drop-down menu](/assets/images/help/repository/rerun-failed-jobs-drop-down.png)
+
+{% endwebui %}
+
+{% cli %}
+
+To re-run failed jobs in a workflow run, use the `run rerun` subcommand with the `--failed` flag. Replace `run-id` with the ID of the run for which you want to re-run failed jobs. If you don't specify a `run-id`, {% data variables.product.prodname_cli %} returns an interactive menu for you to choose a recent failed run.
+
+```shell
+gh run rerun <em>run-id</em> --failed
+```
+
+{% endcli %}
+
+## Re-running a specific job in a workflow
+
+When you re-run a specific job in a workflow, a new workflow run will start for the job and any dependents. Any outputs for any other jobs in the previous workflow run will be used for the re-run. Any artifacts that were created in the initial run will be available in the re-run. Any environment protection rules that passed in the previous run will automatically pass in the re-run.
+
+{% webui %}
+
+{% data reusables.repositories.navigate-to-repo %}
+{% data reusables.repositories.actions-tab %}
+{% data reusables.repositories.navigate-to-workflow %}
+{% data reusables.repositories.view-run %}
+1. Next to the job that you want to re-run, click {% octicon "sync" aria-label="The re-run icon" %}.
+   ![Re-run selected job](/assets/images/help/repository/re-run-selected-job.png)
+
+   Alternatively, click on a job to view the log. In the log, click {% octicon "sync" aria-label="The re-run icon" %}.
+   ![Re-run selected job](/assets/images/help/repository/re-run-single-job-from-log.png)
+
+{% endwebui %}
+
+{% cli %}
+
+To re-run a specific job in a workflow run, use the `run rerun` subcommand with the `--job` flag. Replace `job-id` with the ID of the job that you want to re-run.
+
+```shell
+gh run rerun --job <em>job-id</em>
+```
+
+{% endcli %}
+
+{% endif %}
+
 {% ifversion fpt or ghes > 3.2 or ghae-issue-4721 or ghec %}
-### Reviewing previous workflow runs
+## Reviewing previous workflow runs
 
 You can view the results from your previous attempts at running a workflow. You can also view previous workflow runs using the API. For more information, see ["Get a workflow run"](/rest/reference/actions#get-a-workflow-run).
 
@@ -63,8 +123,13 @@ You can view the results from your previous attempts at running a workflow. You
 {% data reusables.repositories.actions-tab %}
 {% data reusables.repositories.navigate-to-workflow %}
 {% data reusables.repositories.view-run %}
+{%- if re-run-jobs %}
+1. Any previous run attempts are shown in the **Latest** drop-down menu.
+   ![Previous run attempts](/assets/images/help/repository/previous-run-attempts.png)
+{%- else %}
 1. Any previous run attempts are shown in the left pane.
     ![Rerun workflow](/assets/images/help/settings/actions-review-workflow-rerun.png)
+{%- endif %}
 1. Click an entry to view its results.
 
 {% endif %}

content/actions/monitoring-and-troubleshooting-workflows/using-workflow-run-logs.md

@@ -63,6 +63,16 @@ You can download the log files from your workflow run. You can also download a w
   ![Download logs drop-down menu](/assets/images/help/repository/download-logs-drop-down-updated-2.png)
   
 
+  {% if re-run-jobs %}
+
+  {% note %}
+
+  **Note**: When you download the log archive for a workflow that was partially re-run, the archive only includes the jobs that were re-run. To get a complete set of logs for jobs that were run from a workflow, you must download the log archives for the previous run attempts that ran the other jobs.
+
+  {% endnote %}
+
+  {% endif %}
+
 ## Deleting logs
 
 You can delete the log files from your workflow run. {% data reusables.repositories.permissions-statement-write %}

content/actions/security-guides/automatic-token-authentication.md

@@ -23,7 +23,7 @@ At the start of each workflow run, {% data variables.product.prodname_dotcom %}
 
 When you enable {% data variables.product.prodname_actions %}, {% data variables.product.prodname_dotcom %} installs a {% data variables.product.prodname_github_app %} on your repository. The `GITHUB_TOKEN` secret is a {% data variables.product.prodname_github_app %} installation access token. You can use the installation access token to authenticate on behalf of the {% data variables.product.prodname_github_app %} installed on your repository. The token's permissions are limited to the repository that contains your workflow. For more information, see "[Permissions for the `GITHUB_TOKEN`](#permissions-for-the-github_token)."
 
-Before each job begins, {% data variables.product.prodname_dotcom %} fetches an installation access token for the job. The token expires when the job is finished.
+Before each job begins, {% data variables.product.prodname_dotcom %} fetches an installation access token for the job. {% data reusables.actions.github-token-expiration %}
 
 The token is also available in the `github.token` context. For more information, see "[Contexts](/actions/learn-github-actions/contexts#github-context)."
 

content/actions/security-guides/encrypted-secrets.md

@@ -227,6 +227,10 @@ steps:
 ```
 {% endraw %}
 
+Secrets cannot be directly referenced in `if:` conditionals. Instead, consider setting secrets as job-level environment variables, then referencing the environment variables to conditionally run steps in the job. For more information, see "[Context availability](/actions/learn-github-actions/contexts#context-availability)" and [`jobs.<job_id>.steps[*].if`](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsif).
+
+If a secret has not been set, the return value of an expression referencing the secret (such as {% raw %}`${{ secrets.SuperSecret }}`{% endraw %} in the example) will be an empty string.
+
 Avoid passing secrets between processes from the command line, whenever possible. Command-line processes may be visible to other users (using the `ps` command) or captured by [security audit events](https://docs.microsoft.com/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing). To help protect secrets, consider using environment variables, `STDIN`, or other mechanisms supported by the target process.
 
 If you must pass secrets within a command line, then enclose them within the proper quoting rules. Secrets often contain special characters that may unintentionally affect your shell. To escape these special characters, use quoting with your environment variables. For example:

content/actions/using-workflows/caching-dependencies-to-speed-up-workflows.md

@@ -234,3 +234,11 @@ For example, if a pull request contains a `feature` branch (the current scope) a
 ## Usage limits and eviction policy
 
 {% data variables.product.prodname_dotcom %} will remove any cache entries that have not been accessed in over 7 days. There is no limit on the number of caches you can store, but the total size of all caches in a repository is limited to 10 GB. If you exceed this limit, {% data variables.product.prodname_dotcom %} will save your cache but will begin evicting caches until the total size is less than 10 GB.
+
+{% if actions-cache-management %}
+
+## Managing caches
+
+You can use the {% data variables.product.product_name %} REST API to manage your caches. At present, you can use the API to see your cache usage, with more functionality expected in future updates. For more information, see the "[Actions](/rest/reference/actions#cache)" REST API documentation.
+
+{% endif %}

content/actions/using-workflows/workflow-commands-for-github-actions.md

@@ -2,6 +2,7 @@
 title: Workflow commands for GitHub Actions
 shortTitle: Workflow commands
 intro: You can use workflow commands when running shell commands in a workflow or in an action's code.
+defaultTool: bash
 redirect_from:
   - /articles/development-tools-for-github-actions
   - /github/automating-your-workflow-with-github-actions/development-tools-for-github-actions
@@ -26,10 +27,24 @@ Actions can communicate with the runner machine to set environment variables, ou
 
 Most workflow commands use the `echo` command in a specific format, while others are invoked by writing to a file. For more information, see ["Environment files".](#environment-files)
 
-``` bash
+### Example
+
+{% bash %}
+
+```bash{:copy}
 echo "::workflow-command parameter1={data},parameter2={data}::{command value}"
 ```
 
+{% endbash %}
+
+{% powershell %}
+
+```pwsh{:copy}
+Write-Output "::workflow-command parameter1={data},parameter2={data}::{command value}"
+```
+
+{% endpowershell %}
+
 {% note %}
 
 **Note:** Workflow command and parameter names are not case-sensitive.
@@ -46,14 +61,18 @@ echo "::workflow-command parameter1={data},parameter2={data}::{command value}"
 
 The [actions/toolkit](https://github.com/actions/toolkit) includes a number of functions that can be executed as workflow commands. Use the `::` syntax to run the workflow commands within your YAML file; these commands are then sent to the runner over `stdout`. For example, instead of using code to set an output, as below:
 
-```javascript
+```javascript{:copy}
 core.setOutput('SELECTED_COLOR', 'green');
 ```
 
+### Example: Setting a value
+
 You can use the `set-output` command in your workflow to set the same value:
 
+{% bash %}
+
 {% raw %}
-``` yaml
+```yaml{:copy}
       - name: Set selected color
         run: echo '::set-output name=SELECTED_COLOR::green'
         id: random-color-generator
@@ -62,6 +81,22 @@ You can use the `set-output` command in your workflow to set the same value:
 ```
 {% endraw %}
 
+{% endbash %}
+
+{% powershell %}
+
+{% raw %}
+```yaml{:copy}
+      - name: Set selected color
+        run: Write-Output "::set-output name=SELECTED_COLOR::green"
+        id: random-color-generator
+      - name: Get color
+        run: Write-Output "The selected color is ${{ steps.random-color-generator.outputs.SELECTED_COLOR }}"
+```
+{% endraw %}
+
+{% endpowershell %}
+
 The following table shows which toolkit functions are available within a workflow:
 
 | Toolkit function | Equivalent workflow command |
@@ -85,186 +120,336 @@ The following table shows which toolkit functions are available within a workflo
 
 ## Setting an output parameter
 
-```
+Sets an action's output parameter.
+
+```{:copy}
 ::set-output name={name}::{value}
 ```
 
-Sets an action's output parameter.
-
 Optionally, you can also declare output parameters in an action's metadata file. For more information, see "[Metadata syntax for {% data variables.product.prodname_actions %}](/articles/metadata-syntax-for-github-actions#outputs-for-docker-container-and-javascript-actions)."
 
-### Example
+### Example: Setting an output parameter
 
-``` bash
+{% bash %}
+
+```bash{:copy}
 echo "::set-output name=action_fruit::strawberry"
 ```
 
-## Setting a debug message
+{% endbash %}
 
+{% powershell %}
+
+```pwsh{:copy}
+Write-Output "::set-output name=action_fruit::strawberry"
 ```
-::debug::{message}
-```
+
+{% endpowershell %}
+
+## Setting a debug message
 
 Prints a debug message to the log. You must create a secret named `ACTIONS_STEP_DEBUG` with the value `true` to see the debug messages set by this command in the log. For more information, see "[Enabling debug logging](/actions/managing-workflow-runs/enabling-debug-logging)."
 
-### Example
+```{:copy}
+::debug::{message}
+```
 
-``` bash
+### Example: Setting a debug message
+
+{% bash %}
+
+```bash{:copy}
 echo "::debug::Set the Octocat variable"
 ```
 
+{% endbash %}
+
+{% powershell %}
+
+```pwsh{:copy}
+Write-Output "::debug::Set the Octocat variable"
+```
+
+{% endpowershell %}
+
 {% ifversion fpt or ghes > 3.2 or ghae-issue-4929 or ghec %}
 
 ## Setting a notice message
 
-```
+Creates a notice message and prints the message to the log. {% data reusables.actions.message-annotation-explanation %}
+
+```{:copy}
 ::notice file={name},line={line},endLine={endLine},title={title}::{message}
 ```
 
-Creates a notice message and prints the message to the log. {% data reusables.actions.message-annotation-explanation %}
-
 {% data reusables.actions.message-parameters %}
 
-### Example
+### Example: Setting a notice message
 
-``` bash
+{% bash %}
+
+```bash{:copy}
 echo "::notice file=app.js,line=1,col=5,endColumn=7::Missing semicolon"
 ```
 
+{% endbash %}
+
+{% powershell %}
+
+```pwsh{:copy}
+Write-Output "::notice file=app.js,line=1,col=5,endColumn=7::Missing semicolon"
+```
+
+{% endpowershell %}
 {% endif %}
 
 ## Setting a warning message
 
-```
+Creates a warning message and prints the message to the log. {% data reusables.actions.message-annotation-explanation %}
+
+```{:copy}
 ::warning file={name},line={line},endLine={endLine},title={title}::{message}
 ```
 
-Creates a warning message and prints the message to the log. {% data reusables.actions.message-annotation-explanation %}
-
 {% data reusables.actions.message-parameters %}
 
-### Example
+### Example: Setting a warning message
 
-``` bash
+{% bash %}
+
+```bash{:copy}
 echo "::warning file=app.js,line=1,col=5,endColumn=7::Missing semicolon"
 ```
+{% endbash %}
+
+{% powershell %}
+
+```pwsh{:copy}
+Write-Output "::warning file=app.js,line=1,col=5,endColumn=7::Missing semicolon"
+```
+
+{% endpowershell %}
 
 ## Setting an error message
 
-```
+Creates an error message and prints the message to the log. {% data reusables.actions.message-annotation-explanation %}
+
+```{:copy}
 ::error file={name},line={line},endLine={endLine},title={title}::{message}
 ```
 
-Creates an error message and prints the message to the log. {% data reusables.actions.message-annotation-explanation %}
-
 {% data reusables.actions.message-parameters %}
 
-### Example
+### Example: Setting an error message
 
-``` bash
+{% bash %}
+
+```bash{:copy}
 echo "::error file=app.js,line=1,col=5,endColumn=7::Missing semicolon"
 ```
 
+{% endbash %}
+
+{% powershell %}
+
+```pwsh{:copy}
+Write-Output "::error file=app.js,line=1,col=5,endColumn=7::Missing semicolon"
+```
+
+{% endpowershell %}
 ## Grouping log lines
 
-```
+Creates an expandable group in the log. To create a group, use the `group` command and specify a `title`. Anything you print to the log between the `group` and `endgroup` commands is nested inside an expandable entry in the log.
+
+```{:copy}
 ::group::{title}
 ::endgroup::
 ```
 
-Creates an expandable group in the log. To create a group, use the `group` command and specify a `title`. Anything you print to the log between the `group` and `endgroup` commands is nested inside an expandable entry in the log.
+### Example: Grouping log lines
 
-### Example
+{% bash %}
 
-```bash
-echo "::group::My title"
-echo "Inside group"
-echo "::endgroup::"
+```yaml{:copy}
+jobs:
+  bash-example:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Group of log lines
+        run: |
+            echo "::group::My title"
+            echo "Inside group"
+            echo "::endgroup::"
 ```
 
+{% endbash %}
+
+{% powershell %}
+
+```yaml{:copy}
+jobs:
+  powershell-example:
+    runs-on: windows-latest
+    steps:
+      - name: Group of log lines
+        run: |
+            Write-Output "::group::My title"
+            Write-Output "Inside group"
+            Write-Output "::endgroup::"
+```
+
+{% endpowershell %}
+
 ![Foldable group in workflow run log](/assets/images/actions-log-group.png)
 
 ## Masking a value in log
 
-```
+```{:copy}
 ::add-mask::{value}
 ```
 
 Masking a value prevents a string or variable from being printed in the log. Each masked word separated by whitespace is replaced with the `*` character. You can use an environment variable or string for the mask's `value`.
 
-### Example masking a string
+### Example: Masking a string
 
 When you print `"Mona The Octocat"` in the log, you'll see `"***"`.
 
-```bash
+{% bash %}
+
+```bash{:copy}
 echo "::add-mask::Mona The Octocat"
 ```
 
-### Example masking an environment variable
+{% endbash %}
+
+{% powershell %}
+
+```pwsh{:copy}
+Write-Output "::add-mask::Mona The Octocat"
+```
+
+{% endpowershell %}
+
+### Example: Masking an environment variable
 
 When you print the variable `MY_NAME` or the value `"Mona The Octocat"` in the log, you'll see `"***"` instead of `"Mona The Octocat"`.
 
-```bash
-MY_NAME="Mona The Octocat"
-echo "::add-mask::$MY_NAME"
+{% bash %}
+
+```yaml{:copy}
+jobs:
+  bash-example:
+    runs-on: ubuntu-latest
+    env:
+      MY_NAME: "Mona The Octocat"
+    steps:
+      - name: bash-version
+        run: echo "::add-mask::$MY_NAME"
 ```
 
+{% endbash %}
+
+{% powershell %}
+
+```yaml{:copy}
+jobs:
+  powershell-example:
+    runs-on: windows-latest
+    env:
+      MY_NAME: "Mona The Octocat"
+    steps:
+      - name: powershell-version
+        run: Write-Output "::add-mask::$env:MY_NAME"
+```
+
+{% endpowershell %}
+
 ## Stopping and starting workflow commands
 
-`::stop-commands::{endtoken}`
-
 Stops processing any workflow commands. This special command allows you to log anything without accidentally running a workflow command. For example, you could stop logging to output an entire script that has comments.
 
+```{:copy}
+::stop-commands::{endtoken}
+```
+
 To stop the processing of workflow commands, pass a unique token to `stop-commands`. To resume processing workflow commands, pass the same token that you used to stop workflow commands.
 
 {% warning %}
 
-**Warning:** Make sure the token you're using is randomly generated and unique for each run. As demonstrated in the example below, you can generate a unique hash of your `github.token` for each run.
+**Warning:** Make sure the token you're using is randomly generated and unique for each run.
 
 {% endwarning %}
 
-```
+```{:copy}
 ::{endtoken}::
 ```
 
-### Example stopping and starting workflow commands
+### Example: Stopping and starting workflow commands
+
+{% bash %}
 
 {% raw %}
 
-```yaml
+```yaml{:copy}
 jobs:
   workflow-command-job:
     runs-on: ubuntu-latest
     steps:
-      - name: disable workflow commands
+      - name: Disable workflow commands
         run: |
-          echo '::warning:: this is a warning'
-          echo "::stop-commands::`echo -n ${{ github.token }} | sha256sum | head -c 64`"
-          echo '::warning:: this will NOT be a warning'
-          echo "::`echo -n ${{ github.token }} | sha256sum | head -c 64`::"
-          echo '::warning:: this is a warning again'
+          echo '::warning:: This is a warning message, to demonstrate that commands are being processed.'
+          stopMarker=$(uuidgen)
+          echo "::stop-commands::$stopMarker"
+          echo '::warning:: This will NOT be rendered as a warning, because stop-commands has been invoked.'
+          echo "::$stopMarker::"
+          echo '::warning:: This is a warning again, because stop-commands has been turned off.'
+```
+{% endraw %}
+
+{% endbash %}
+
+{% powershell %}
+
+{% raw %}
+```yaml{:copy}
+jobs:
+  workflow-command-job:
+    runs-on: windows-latest
+    steps:
+      - name: Disable workflow commands
+        run: |
+          Write-Output '::warning:: This is a warning message, to demonstrate that commands are being processed.'
+          $stopMarker = New-Guid
+          Write-Output "::stop-commands::$stopMarker"
+          Write-Output '::warning:: This will NOT be rendered as a warning, because stop-commands has been invoked.'
+          Write-Output "::$stopMarker::"
+          Write-Output '::warning:: This is a warning again, because stop-commands has been turned off.'
 ```
 
 {% endraw %}
 
+{% endpowershell %}
+
 ## Echoing command outputs
 
-```
+Enables or disables echoing of workflow commands. For example, if you use the `set-output` command in a workflow, it sets an output parameter but the workflow run's log does not show the command itself. If you enable command echoing, then the log shows the command, such as `::set-output name={name}::{value}`.
+
+```{:copy}
 ::echo::on
 ::echo::off
 ```
 
-Enables or disables echoing of workflow commands. For example, if you use the `set-output` command in a workflow, it sets an output parameter but the workflow run's log does not show the command itself. If you enable command echoing, then the log shows the command, such as `::set-output name={name}::{value}`.
-
 Command echoing is disabled by default. However, a workflow command is echoed if there are any errors processing the command.
 
 The `add-mask`, `debug`, `warning`, and `error` commands do not support echoing because their outputs are already echoed to the log.
 
 You can also enable command echoing globally by turning on step debug logging using the `ACTIONS_STEP_DEBUG` secret. For more information, see "[Enabling debug logging](/actions/managing-workflow-runs/enabling-debug-logging)". In contrast, the `echo` workflow command lets you enable command echoing at a more granular level, rather than enabling it for every workflow in a repository.
 
-### Example toggling command echoing
+### Example: Toggling command echoing
 
-```yaml
+{% bash %}
+
+```yaml{:copy}
 jobs:
   workflow-command-job:
     runs-on: ubuntu-latest
@@ -278,9 +463,29 @@ jobs:
           echo '::set-output name=action_echo::disabled'
 ```
 
-The step above prints the following lines to the log:
+{% endbash %}
 
+{% powershell %}
+
+```yaml{:copy}
+jobs:
+  workflow-command-job:
+    runs-on: windows-latest
+    steps:
+      - name: toggle workflow command echoing
+        run: |
+          write-output "::set-output name=action_echo::disabled"
+          write-output "::echo::on"
+          write-output "::set-output name=action_echo::enabled"
+          write-output "::echo::off"
+          write-output "::set-output name=action_echo::disabled"
 ```
+
+{% endpowershell %}
+
+The example above prints the following lines to the log:
+
+```{:copy}
 ::set-output name=action_echo::enabled
 ::echo::off
 ```
@@ -297,13 +502,13 @@ The `save-state`  command can only be run within an action, and is not available
 
 This example uses JavaScript to run the `save-state` command. The resulting environment variable is named `STATE_processID` with the value of `12345`:
 
-``` javascript
+```javascript{:copy}
 console.log('::save-state name=processID::12345')
 ```
 
 The `STATE_processID` variable is then exclusively available to the cleanup script running under the `main` action. This example runs in `main` and uses JavaScript to display the value assigned to the `STATE_processID` environment variable:
 
-``` javascript
+```javascript{:copy}
 console.log("The running PID from the main action is: " +  process.env.STATE_processID);
 ```
 
@@ -311,37 +516,70 @@ console.log("The running PID from the main action is: " +  process.env.STATE_pro
 
 During the execution of a workflow, the runner generates temporary files that can be used to perform certain actions. The path to these files are exposed via environment variables. You will need to use UTF-8 encoding when writing to these files to ensure proper processing of the commands. Multiple commands can be written to the same file, separated by newlines.
 
-{% warning %}
+{% powershell %}
 
-**Warning:** On Windows, legacy PowerShell (`shell: powershell`) does not use UTF-8 by default.
+{% note %}
 
-When using `shell: powershell`, you must specify UTF-8 encoding. For example:
+**Note:** PowerShell versions 5.1 and below (`shell: powershell`) do not use UTF-8 by default, so you must specify the UTF-8 encoding. For example:
 
-```yaml
+```yaml{:copy}
 jobs:
   legacy-powershell-example:
-    uses: windows-2019
+    runs-on: windows-latest
     steps:
       - shell: powershell
-        run: echo "mypath" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append
+        run: |
+          "mypath" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append
 ```
 
-Alternatively, you can use PowerShell Core (`shell: pwsh`), which defaults to UTF-8.
+PowerShell Core versions 6 and higher (`shell: pwsh`) use UTF-8 by default. For example:
 
-{% endwarning %}
+```yaml{:copy}
+jobs:
+  powershell-core-example:
+    runs-on: windows-latest
+    steps:
+      - shell: pwsh
+        run: |
+          "mypath" >> $env:GITHUB_PATH
+```
+
+{% endnote %}
+
+{% endpowershell %}
 
 ## Setting an environment variable
 
-``` bash
+{% bash %}
+
+```bash{:copy}
 echo "{environment_variable_name}={value}" >> $GITHUB_ENV
 ```
 
+{% endbash %}
+
+{% powershell %}
+
+- Using PowerShell version 6 and higher:
+```pwsh{:copy}
+"{environment_variable_name}={value}" >> $env:GITHUB_ENV
+```
+
+- Using PowerShell version 5.1 and below:
+```powershell{:copy}
+"{environment_variable_name}={value}" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
+```
+
+{% endpowershell %}
+
 You can make an environment variable available to any subsequent steps in a workflow job by defining or updating the environment variable and writing this to the `GITHUB_ENV` environment file. The step that creates or updates the environment variable does not have access to the new value, but all subsequent steps in a job will have access. The names of environment variables are case-sensitive, and you can include punctuation. For more information, see "[Environment variables](/actions/learn-github-actions/environment-variables)."
 
 ### Example
 
+{% bash %}
+
 {% raw %}
-```
+```yaml{:copy}
 steps:
   - name: Set the value
     id: step_one
@@ -354,11 +592,31 @@ steps:
 ```
 {% endraw %}
 
+{% endbash %}
+
+{% powershell %}
+
+{% raw %}
+```yaml{:copy}
+steps:
+  - name: Set the value
+    id: step_one
+    run: |
+      "action_state=yellow" >> $env:GITHUB_ENV
+  - name: Use the value
+    id: step_two
+    run: |
+      Write-Output "${{ env.action_state }}" # This will output 'yellow'
+```
+{% endraw %}
+
+{% endpowershell %}
+
 ### Multiline strings
 
 For multiline strings, you may use a delimiter with the following syntax. 
 
-```
+```{:copy}
 {name}<<{delimiter}
 {value}
 {delimiter}
@@ -366,29 +624,75 @@ For multiline strings, you may use a delimiter with the following syntax.
 
 #### Example
 
-In this example, we use `EOF` as a delimiter and set the `JSON_RESPONSE` environment variable to the value of the curl response.
-```yaml
+This example uses `EOF` as a delimiter, and sets the `JSON_RESPONSE` environment variable to the value of the `curl` response.
+
+{% bash %}
+
+```yaml{:copy}
 steps:
-  - name: Set the value
+  - name: Set the value in bash
     id: step_one
     run: |
       echo 'JSON_RESPONSE<<EOF' >> $GITHUB_ENV
-      curl https://httpbin.org/json >> $GITHUB_ENV
+      curl https://example.lab >> $GITHUB_ENV
       echo 'EOF' >> $GITHUB_ENV
 ```
 
-## Adding a system path
+{% endbash %}
 
-``` bash
-echo "{path}" >> $GITHUB_PATH
+{% powershell %}
+
+```yaml{:copy}
+steps:
+  - name: Set the value in pwsh
+    id: step_one
+    run: |
+      "JSON_RESPONSE<<EOF" >> $env:GITHUB_ENV
+      (Invoke-WebRequest -Uri "https://example.lab").Content >> $env:GITHUB_ENV
+      "EOF" >> $env:GITHUB_ENV
+    shell: pwsh
 ```
 
+{% endpowershell %}
+
+## Adding a system path
+
 Prepends a directory to the system `PATH` variable and automatically makes it available to all subsequent actions in the current job; the currently running action cannot access the updated path variable. To see the currently defined paths for your job, you can use `echo "$PATH"` in a step or an action.
 
+{% bash %}
+
+```bash{:copy}
+echo "{path}" >> $GITHUB_PATH
+```
+{% endbash %}
+
+{% powershell %}
+
+```pwsh{:copy}
+"{path}" >> $env:GITHUB_PATH
+```
+
+{% endpowershell %}
+
 ### Example
 
 This example demonstrates how to add the user `$HOME/.local/bin` directory to `PATH`:
 
-``` bash
+{% bash %}
+
+```bash{:copy}
 echo "$HOME/.local/bin" >> $GITHUB_PATH
 ```
+
+{% endbash %}
+
+
+This example demonstrates how to add the user `$env:HOMEPATH/.local/bin` directory to `PATH`:
+
+{% powershell %}
+
+```pwsh{:copy}
+"$env:HOMEPATH/.local/bin" >> $env:GITHUB_PATH
+```
+
+{% endpowershell %}

content/actions/using-workflows/workflow-syntax-for-github-actions.md

@@ -342,6 +342,31 @@ steps:
     uses: actions/heroku@1.0.0
 ```
 
+#### Example: Using secrets
+
+Secrets cannot be directly referenced in `if:` conditionals. Instead, consider setting secrets as job-level environment variables, then referencing the environment variables to conditionally run steps in the job.
+
+If a secret has not been set, the return value of an expression referencing the secret (such as {% raw %}`${{ secrets.SuperSecret }}`{% endraw %} in the example) will be an empty string.
+
+{% raw %}
+```yaml
+name: Run a step if a secret has been set
+on: push
+jobs:
+  my-jobname:
+    runs-on: ubuntu-latest
+    env:
+      super_secret: ${{ secrets.SuperSecret }}
+    steps:
+      - if: ${{ env.super_secret != '' }}
+        run: echo 'This step will only run if the secret has a value set.'
+      - if: ${{ env.super_secret == '' }}
+        run: echo 'This step will only run if the secret does not have a value set.'
+```
+{% endraw %}
+
+For more information, see "[Context availability](/actions/learn-github-actions/contexts#context-availability)" and "[Encrypted secrets](/actions/security-guides/encrypted-secrets)."
+
 ### `jobs.<job_id>.steps[*].name`
 
 A name for your step to display on {% data variables.product.prodname_dotcom %}.
@@ -714,6 +739,12 @@ The maximum number of minutes to let a job run before {% data variables.product.
 
 If the timeout exceeds the job execution time limit for the runner, the job will be canceled when the execution time limit is met instead. For more information about job execution time limits, see {% ifversion fpt or ghec or ghes %}"[Usage limits and billing](/actions/reference/usage-limits-billing-and-administration#usage-limits)" for {% data variables.product.prodname_dotcom %}-hosted runners and {% endif %}"[About self-hosted runners](/actions/hosting-your-own-runners/about-self-hosted-runners/#usage-limits){% ifversion fpt or ghec or ghes %}" for self-hosted runner usage limits.{% elsif ghae %}."{% endif %}
 
+{% note %}
+
+**Note:** {% data reusables.actions.github-token-expiration %} For self-hosted runners, the token may be the limiting factor if the job timeout is greater than 24 hours. For more information on the `GITHUB_TOKEN`, see "[About the `GITHUB_TOKEN` secret](/actions/security-guides/automatic-token-authentication#about-the-github_token-secret)."
+
+{% endnote %}
+
 ## `jobs.<job_id>.strategy`
 
 {% data reusables.actions.jobs.section-using-a-build-matrix-for-your-jobs-strategy %}

content/admin/code-security/managing-github-advanced-security-for-your-enterprise/deploying-github-advanced-security-in-your-enterprise.md

@@ -290,7 +290,7 @@ GitHub helps you avoid using third-party software that contains known vulnerabil
 
 | Dependency Management Tool | Description |
 |----|----|
-| Dependabot Alerts | You can track your repository's dependencies and receive Dependabot alerts when your enterprise detects vulnerable dependencies. For more information, see "[About alerts for vulnerable dependencies](/code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/about-alerts-for-vulnerable-dependencies)." |
+| Dependabot Alerts | You can track your repository's dependencies and receive Dependabot alerts when your enterprise detects vulnerable dependencies. For more information, see "[About {% data variables.product.prodname_dependabot_alerts %}](/code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/about-alerts-for-vulnerable-dependencies)." |
 | Dependency Graph | The dependency graph is a summary of the manifest and lock files stored in a repository. It shows you the ecosystems and packages your codebase depends on (its dependencies) and the repositories and packages that depend on your project (its dependents). For more information, see "[About the dependency graph](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph)." |{% ifversion ghes > 3.1 or ghec %}
 | Dependency Review | If a pull request contains changes to dependencies, you can view a summary of what has changed and whether there are known vulnerabilities in any of the dependencies. For more information, see "[About dependency review](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review)" or  "[Reviewing Dependency Changes in a Pull Request](/github/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/reviewing-dependency-changes-in-a-pull-request)." | {% endif %} {% ifversion ghec or ghes > 3.2 %}
 | Dependabot Security Updates | Dependabot can fix vulnerable dependencies for you by raising pull requests with security updates. For more information, see "[About Dependabot security updates](/code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/about-dependabot-security-updates)." |

content/admin/configuration/configuring-github-connect/enabling-dependabot-for-your-enterprise.md

@@ -49,7 +49,7 @@ You can also choose to manually sync vulnerability data at any time. For more in
 
 When {% data variables.product.product_location %} receives information about a vulnerability, it identifies repositories in  {% data variables.product.product_location %} that use the affected version of the dependency and generates {% data variables.product.prodname_dependabot_alerts %}. You can choose whether or not to notify users automatically about new {% data variables.product.prodname_dependabot_alerts %}. 
 
-For repositories with {% data variables.product.prodname_dependabot_alerts %} enabled, scanning is triggered on any push to the default branch that contains a manifest file or lock file. Additionally, when a new vulnerability record is added to {% data variables.product.product_location %}, {% data variables.product.product_name %} scans all existing repositories on {% data variables.product.product_location %} and generates alerts for any repository that is vulnerable. For more information, see "[About alerts for vulnerable dependencies](/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies)."
+For repositories with {% data variables.product.prodname_dependabot_alerts %} enabled, scanning is triggered on any push to the default branch that contains a manifest file or lock file. Additionally, when a new vulnerability record is added to {% data variables.product.product_location %}, {% data variables.product.product_name %} scans all existing repositories on {% data variables.product.product_location %} and generates alerts for any repository that is vulnerable. For more information, see "[About {% data variables.product.prodname_dependabot_alerts %}](/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies)."
 
 {% ifversion ghes > 3.2 %}
 ### About {% data variables.product.prodname_dependabot_updates %}
@@ -67,7 +67,7 @@ After you enable {% data variables.product.prodname_dependabot_alerts %}, you ca
 With {% data variables.product.prodname_dependabot_updates %}, {% data variables.product.company_short %} automatically creates pull requests to update dependencies in two ways.
 
 - **{% data variables.product.prodname_dependabot_version_updates %}**: Users add a {% data variables.product.prodname_dependabot %} configuration file to the repository to enable {% data variables.product.prodname_dependabot %} to create pull requests when a new version of a tracked dependency is released. For more information, see "[About {% data variables.product.prodname_dependabot_version_updates %}](/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/about-dependabot-version-updates)."
-- **{% data variables.product.prodname_dependabot_security_updates %}**: Users toggle a repository setting to enable {% data variables.product.prodname_dependabot %} to create pull requests when {% data variables.product.prodname_dotcom %} detects a vulnerability in one of the dependencies of the dependency graph for the repository. For more information, see "[About alerts for vulnerable dependencies](/code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/about-alerts-for-vulnerable-dependencies)" and "[About {% data variables.product.prodname_dependabot_security_updates %}](/code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/about-dependabot-security-updates)."
+- **{% data variables.product.prodname_dependabot_security_updates %}**: Users toggle a repository setting to enable {% data variables.product.prodname_dependabot %} to create pull requests when {% data variables.product.prodname_dotcom %} detects a vulnerability in one of the dependencies of the dependency graph for the repository. For more information, see "[About {% data variables.product.prodname_dependabot_alerts %}](/code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/about-alerts-for-vulnerable-dependencies)" and "[About {% data variables.product.prodname_dependabot_security_updates %}](/code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/about-dependabot-security-updates)."
 {% endif %}
 
 ## Enabling {% data variables.product.prodname_dependabot_alerts %}

content/admin/configuration/configuring-network-settings/configuring-a-hostname.md

@@ -16,7 +16,11 @@ topics:
 ---
 If you configure a hostname instead of a hard-coded IP address, you will be able to change the physical hardware that {% data variables.product.product_location %} runs on without affecting users or client software.
 
-The hostname setting in the {% data variables.enterprise.management_console %} should be set to an appropriate fully qualified domain name (FQDN) which is resolvable on the internet or within your internal network. For example, your hostname setting could be `github.companyname.com.` We also recommend enabling subdomain isolation for the chosen hostname to mitigate several cross-site scripting style vulnerabilities. For more information on hostname settings, see [Section 2.1 of the HTTP RFC](https://tools.ietf.org/html/rfc1123#section-2).
+The hostname setting in the {% data variables.enterprise.management_console %} should be set to an appropriate fully qualified domain name (FQDN) which is resolvable on the internet or within your internal network. For example, your hostname setting could be `github.companyname.com.` Web and API requests will automatically redirect to the hostname configured in the {% data variables.enterprise.management_console %}.
+
+After you configure a hostname, you can enable subdomain isolation to further increase the security of {% data variables.product.product_location %}. For more information, see "[Enabling subdomain isolation](/enterprise/{{ currentVersion }}/admin/guides/installation/enabling-subdomain-isolation/)."
+
+For more information on the supported hostname types, see [Section 2.1 of the HTTP RFC](https://tools.ietf.org/html/rfc1123#section-2).
 
 {% data reusables.enterprise_installation.changing-hostname-not-supported %}
 
@@ -30,4 +34,4 @@ The hostname setting in the {% data variables.enterprise.management_console %} s
 {% data reusables.enterprise_management_console.test-domain-settings-failure %}
 {% data reusables.enterprise_management_console.save-settings %}
 
-After you configure a hostname, we recommend that you enable subdomain isolation for {% data variables.product.product_location %}. For more information, see "[Enabling subdomain isolation](/enterprise/{{ currentVersion }}/admin/guides/installation/enabling-subdomain-isolation/)."
+To help mitigate various cross-site scripting vulnerabilities, we recommend that you enable subdomain isolation for {% data variables.product.product_location %} after you configure a hostname. For more information, see "[Enabling subdomain isolation](/enterprise/{{ currentVersion }}/admin/guides/installation/enabling-subdomain-isolation/)."

content/admin/configuration/configuring-network-settings/network-ports.md

@@ -25,7 +25,7 @@ Some administrative ports are required to configure {% data variables.product.pr
 | Port | Service | Description |
 |---|---|---|
 | 8443 | HTTPS | Secure web-based {% data variables.enterprise.management_console %}. Required for basic installation and configuration. |
-| 8080 | HTTP | Plain-text web-based {% data variables.enterprise.management_console %}. Not required unless SSL is disabled manually. |
+| 8080 | HTTP | Plain-text web-based {% data variables.enterprise.management_console %}. Not required unless TLS is disabled manually. |
 | 122 | SSH | Shell access for {% data variables.product.product_location %}. Required to be open to incoming connections between all nodes in a high availability configuration. The default SSH port (22) is dedicated to Git and SSH application network traffic. |
 | 1194/UDP | VPN | Secure replication network tunnel in high availability configuration. Required to be open for communication between all nodes in the configuration.|
 | 123/UDP| NTP | Required for time protocol operation. |
@@ -38,7 +38,7 @@ Application ports provide web application and Git access for end users.
 | Port | Service | Description |
 |---|---|---|
 | 443 | HTTPS | Access to the web application and Git over HTTPS. |
-| 80 | HTTP | Access to the web application. All requests are redirected to the HTTPS port when SSL is enabled. |
+| 80 | HTTP | Access to the web application. All requests are redirected to the HTTPS port if TLS is configured. |
 | 22 | SSH | Access to Git over SSH. Supports clone, fetch, and push operations to public and private repositories. |
 | 9418 | Git | Git protocol port supports clone and fetch operations to public repositories with unencrypted network communication. {% data reusables.enterprise_installation.when-9418-necessary %} |
 
@@ -51,3 +51,18 @@ Email ports must be accessible directly or via relay for inbound email support f
 | Port | Service | Description |
 |---|---|---|
 | 25 | SMTP | Support for SMTP with encryption (STARTTLS). |
+
+## {% data variables.product.prodname_actions %} ports
+
+{% data variables.product.prodname_actions %} ports must be accessible for self-hosted runners to connect to {% data variables.product.product_location %}. For more information, see "[About self-hosted runners](/actions/hosting-your-own-runners/about-self-hosted-runners#communication-between-self-hosted-runners-and-github-enterprise-server)."
+
+| Port | Service | Description |
+|---|---|---|
+| 443 | HTTPS | Self-hosted runners connect to {% data variables.product.product_location %} to receive job assignments and to download new versions of the runner application. Required if TLS is configured.
+| 80 | HTTP | Self-hosted runners connect to {% data variables.product.product_location %} to receive job assignments and to download new versions of the runner application. Required if TLS is not configured.
+
+If you enable automatic access to {% data variables.product.prodname_dotcom_the_website %} actions, {% data variables.product.prodname_actions %} will always search for an action on {% data variables.product.product_location %} first, via these ports, before checking {% data variables.product.prodname_dotcom_the_website %}. For more information, see "[Enabling automatic access to {% data variables.product.prodname_dotcom_the_website %} actions using {% data variables.product.prodname_github_connect %}](/admin/github-actions/managing-access-to-actions-from-githubcom/enabling-automatic-access-to-githubcom-actions-using-github-connect#about-resolution-for-actions-using-github-connect)."
+
+## Further reading
+
+- "[Configuring TLS](/admin/configuration/configuring-network-settings/configuring-tls)"

content/admin/configuration/configuring-your-enterprise/about-enterprise-configuration.md

@@ -22,6 +22,8 @@ shortTitle: About configuration
 {% endif %}
 
 {% ifversion ghae %}
+To get started with {% data variables.product.product_name %}, you first need to deploy {% data variables.product.product_name %}. For more information, see "[Deploying {% data variables.product.product_name %}](/admin/configuration/configuring-your-enterprise/deploying-github-ae)."
+
 The first time you access your enterprise, you will complete an initial configuration to get {% data variables.product.product_name %} ready to use. The initial configuration includes connecting your enterprise with an identity provider (IdP), authenticating with SAML SSO, configuring policies for repositories and organizations in your enterprise, and configuring SMTP for outbound email. For more information, see "[Initializing {% data variables.product.prodname_ghe_managed %}](/admin/configuration/initializing-github-ae)."
 
 Later, you can use the site admin dashboard and enterprise settings to further configure your enterprise, manage users, organizations and repositories, and set policies that reduce risk and increase quality. 

content/admin/configuration/configuring-your-enterprise/deploying-github-ae.md

@@ -0,0 +1,68 @@
+---
+title: Deploying GitHub AE
+intro: 'You can deploy {% data variables.product.product_name %} to an available Azure region.'
+versions:
+  ghae: '*'
+topics:
+  - Accounts
+  - Enterprise
+type: how_to
+shortTitle: Deploy GitHub AE
+redirect_from:
+  - /get-started/signing-up-for-github/setting-up-a-trial-of-github-ae
+---
+
+## About deployment of {% data variables.product.product_name %}
+
+{% data reusables.github-ae.github-ae-enables-you %} For more information, see "[About {% data variables.product.prodname_ghe_managed %}](/admin/overview/about-github-ae)."
+
+After you purchase or start a trial of {% data variables.product.product_name %}, you can deploy {% data variables.product.product_name %} to an available Azure region. This guide refers to the Azure resource that contains the deployment of {% data variables.product.product_name %} as the {% data variables.product.product_name %} account. You'll use the Azure portal at [https://portal.azure.com](https://portal.azure.com) to deploy the {% data variables.product.product_name %} account.
+
+## Prerequisites
+
+- Before you can deploy {% data variables.product.product_name %}, you must request access from your {% data variables.product.company_short %} account team. {% data variables.product.company_short %} will enable deployment of {% data variables.product.product_name %} for your Azure subscription. If you haven't already purchased {% data variables.product.product_name %}, you can contact {% data variables.contact.contact_enterprise_sales %} to check your eligibility for a trial.
+
+- You must have permission to perform the `/register/action` operation for the resource provider in Azure. The permission is included in the `Contributor` and `Owner` roles. For more information, see [Azure resource providers and types](https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/resource-providers-and-types#register-resource-provider) in the Microsoft documentation.
+
+## Deploying {% data variables.product.product_name %} with the {% data variables.actions.azure_portal %}
+
+The {% data variables.actions.azure_portal %} allows you to deploy the {% data variables.product.product_name %} account in your Azure resource group.
+
+1. Click one of the following two links to begin deployment of {% data variables.product.product_name %}. The link you should click depends on the Azure cloud where you plan to deploy {% data variables.product.product_name %}. For more information about Azure Government, see [What is Azure Government?](https://docs.microsoft.com/en-us/azure/azure-government/documentation-government-welcome) in the Microsoft documentation.
+   
+   - [Deploy {% data variables.product.product_name %} to Azure Commercial](https://aka.ms/create-github-ae-instance)
+   - [Deploy {% data variables.product.product_name %} to Azure Government](https://aka.ms/create-github-ae-instance-gov)
+1. To begin the process of adding a new {% data variables.product.product_name %} account, click **Create GitHub AE account**.
+1. Complete the "Project details" and "Instance details" fields.
+    ![{% data variables.actions.azure_portal %} search result](/assets/images/azure/github-ae-azure-portal-form.png)
+    - **Account name:** The hostname for your enterprise
+    - **Administrator username:** A username for the initial enterprise owner that will be created in {% data variables.product.product_name %}
+    - **Administrator email:** The email address that will receive the login information
+1. To review a summary of the proposed changes, click **Review + create**.
+1. After the validation process has completed, click **Create**.
+
+The email address you entered above will receive instructions on how to access your enterprise. After you have access, you can get started by following the initial setup steps. For more information, see "[Initializing {% data variables.product.product_name %}](/admin/configuration/initializing-github-ae)."
+
+{% note %}
+
+**Note:** Software updates for your {% data variables.product.product_name %} deployment are performed by {% data variables.product.prodname_dotcom %}. For more information, see "[About upgrades to new releases](/admin/overview/about-upgrades-to-new-releases)."
+
+{% endnote %}
+
+## Navigating to your enterprise
+
+You can use the {% data variables.actions.azure_portal %} to navigate to your {% data variables.product.product_name %} deployment. The resulting list includes all the {% data variables.product.product_name %} deployments in your Azure region.
+
+1. On the {% data variables.actions.azure_portal %}, in the left panel, click **All resources**.
+1. From the available filters, click **All types**, then deselect **Select all** and select **GitHub AE**:
+    ![{% data variables.actions.azure_portal %} search result](/assets/images/azure/github-ae-azure-portal-type-filter.png)
+
+## Next steps
+
+- Once your deployment has been provisioned, the next step is to initialize {% data variables.product.product_name %}. For more information, see "[Initializing {% data variables.product.product_name %}](/github-ae@latest/admin/configuration/configuring-your-enterprise/initializing-github-ae)."
+- If you're trying {% data variables.product.product_name %}, you can upgrade to a full license at any time during the trial period by contacting contact {% data variables.contact.contact_enterprise_sales %}. If you haven't upgraded by the last day of your trial, then the deployment is automatically deleted. If you need more time to evaluate {% data variables.product.product_name %}, contact {% data variables.contact.contact_enterprise_sales %} to request an extension.
+
+## Further reading 
+
+- "[Enabling {% data variables.product.prodname_advanced_security %} features on {% data variables.product.product_name %}](/github/getting-started-with-github/about-github-advanced-security#enabling-advanced-security-features-on-github-ae)"
+- "[{% data variables.product.product_name %} release notes](/github-ae@latest/admin/overview/github-ae-release-notes)" 

content/admin/configuration/configuring-your-enterprise/index.md

@@ -16,6 +16,7 @@ topics:
   - Enterprise
 children:
   - /about-enterprise-configuration
+  - /deploying-github-ae
   - /initializing-github-ae
   - /accessing-the-management-console
   - /accessing-the-administrative-shell-ssh

content/admin/enterprise-management/configuring-high-availability/initiating-a-failover-to-your-replica-appliance.md

@@ -18,25 +18,32 @@ The time required to failover depends on how long it takes to manually promote t
 
 {% data reusables.enterprise_installation.promoting-a-replica %}
 
-1. To allow replication to finish before you switch appliances, put the primary appliance into maintenance mode:
-    - To use the management console, see "[Enabling and scheduling maintenance mode](/enterprise/admin/guides/installation/enabling-and-scheduling-maintenance-mode/)"
-    - You can also use the `ghe-maintenance -s` command.
-      ```shell
-      $ ghe-maintenance -s
-      ```
-2.  When the number of active Git operations, MySQL queries, and Resque jobs reaches zero, wait 30 seconds. 
+1. If the primary appliance is available, to allow replication to finish before you switch appliances, on the primary appliance, put the primary appliance into maintenance mode.
 
-    {% note %}
+    - Put the appliance into maintenance mode.
 
-    **Note:** Nomad will always have jobs running, even in maintenance mode, so you can safely ignore these jobs.
+       - To use the management console, see "[Enabling and scheduling maintenance mode](/enterprise/admin/guides/installation/enabling-and-scheduling-maintenance-mode/)"
+
+       - You can also use the `ghe-maintenance -s` command.
+         ```shell
+         $ ghe-maintenance -s
+         ```
+
+   - When the number of active Git operations, MySQL queries, and Resque jobs reaches zero, wait 30 seconds. 
+
+      {% note %}
+
+      **Note:** Nomad will always have jobs running, even in maintenance mode, so you can safely ignore these jobs.
     
-    {% endnote %}
+      {% endnote %}
 
-3. To verify all replication channels report `OK`, use the `ghe-repl-status -vv` command.
-  ```shell
-  $ ghe-repl-status -vv
-  ```
-4. To stop replication and promote the replica appliance to primary status, use the `ghe-repl-promote` command. This will also automatically put the primary node in maintenance node if it’s reachable.
+   - To verify all replication channels report `OK`, use the `ghe-repl-status -vv` command.
+
+      ```shell
+      $ ghe-repl-status -vv
+      ```
+
+4. On the replica appliance, to stop replication and promote the replica appliance to primary status, use the `ghe-repl-promote` command. This will also automatically put the primary node in maintenance node if it’s reachable.
   ```shell
   $ ghe-repl-promote
   ```

content/admin/github-actions/getting-started-with-github-actions-for-your-enterprise/about-github-actions-for-enterprises.md

@@ -33,7 +33,7 @@ topics:
 
 {% data variables.product.prodname_actions %} helps your team work faster at scale. When large repositories start using {% data variables.product.prodname_actions %}, teams merge significantly more pull requests per day, and the pull requests are merged significantly faster. For more information, see "[Writing and shipping code faster](https://octoverse.github.com/writing-code-faster/#scale-through-automation)" in the State of the Octoverse.
 
-You can create your own unique automations, or you can use and adapt workflows from our ecosystem of over 10,000 actions built by industry leaders and the open source community. For more information, see "[Finding and customizing actions](/actions/learn-github-actions/finding-and-customizing-actions)."
+You can create your own unique automations, or you can use and adapt workflows from our ecosystem of over 10,000 actions built by industry leaders and the open source community. {% ifversion ghec %}For more information, see "[Finding and customizing actions](/actions/learn-github-actions/finding-and-customizing-actions)."{% else %}You can restrict your developers to using actions that exist on {% data variables.product.product_location %}, or you can allow your developers to access actions on {% data variables.product.prodname_dotcom_the_website %}. For more information, see "[About using actions in your enterprise](/admin/github-actions/managing-access-to-actions-from-githubcom/about-using-actions-in-your-enterprise)."{% endif %}
 
 {% data variables.product.prodname_actions %} is developer friendly, because it's integrated directly into the familiar {% data variables.product.product_name %} experience.
 

content/admin/github-actions/managing-access-to-actions-from-githubcom/about-using-actions-in-your-enterprise.md

@@ -13,7 +13,7 @@ type: overview
 topics:
   - Actions
   - Enterprise
-shortTitle: Add actions in your enterprise
+shortTitle: About actions in your enterprise
 ---
 
 {% data reusables.actions.enterprise-beta %}
@@ -23,13 +23,24 @@ shortTitle: Add actions in your enterprise
 
 {% data variables.product.prodname_actions %} workflows can use _actions_, which are individual tasks that you can combine to create jobs and customize your workflow. You can create your own actions, or use and customize actions shared by the {% data variables.product.prodname_dotcom %} community.
 
-{% data reusables.actions.enterprise-no-internet-actions %}
+{% data reusables.actions.enterprise-no-internet-actions %} You can restrict your developers to using actions that are stored on {% data variables.product.product_location %}, which includes most official {% data variables.product.company_short %}-authored actions, as well as any actions your developers create. Alternatively, to allow your developers to benefit from the full ecosystem of actions built by industry leaders and the open source community, you can configure access to other actions from {% data variables.product.prodname_dotcom_the_website %}. 
+
+We recommend allowing automatic access to all actions from {% data variables.product.prodname_dotcom_the_website %}. {% ifversion ghes %}However, this does require {% data variables.product.product_name %} to make outbound connections to {% data variables.product.prodname_dotcom_the_website %}. If you don't want to allow these connections, or{% else %}If{% endif %} you want to have greater control over which actions are used on your enterprise, you can manually sync specific actions from {% data variables.product.prodname_dotcom_the_website %}.
 
 ## Official actions bundled with your enterprise instance
 
 {% data reusables.actions.actions-bundled-with-ghes %}
 
-The bundled official actions include `actions/checkout`, `actions/upload-artifact`, `actions/download-artifact`, `actions/labeler`, and various `actions/setup-` actions, among others. To see all the official actions included on your enterprise instance, browse to the `actions` organization on your instance: <code>https://<em>HOSTNAME</em>/actions</code>.
+The bundled official actions include the following, among others.
+- `actions/checkout`
+- `actions/upload-artifact`
+- `actions/download-artifact`
+- `actions/labeler`
+- Various `actions/setup-` actions
+
+To see all the official actions included on your enterprise instance, browse to the `actions` organization on your instance: <code>https://<em>HOSTNAME</em>/actions</code>.
+
+There is no connection required between {% data variables.product.product_location %} and {% data variables.product.prodname_dotcom_the_website %} to use these actions.
 
 Each action is a repository in the `actions` organization, and each action repository includes the necessary tags, branches, and commit SHAs that your workflows can use to reference the action. For information on how to update the bundled official actions, see "[Using the latest version of the official bundled actions](/admin/github-actions/using-the-latest-version-of-the-official-bundled-actions)."
 
@@ -43,14 +54,21 @@ Each action is a repository in the `actions` organization, and each action repos
 
 ## Configuring access to actions on {% data variables.product.prodname_dotcom_the_website %}
 
-{% ifversion ghes %}
-Before you can configure access to actions on {% data variables.product.prodname_dotcom_the_website %}, you must configure {% data variables.product.product_location %} to use {% data variables.product.prodname_actions %}. For more information, see "[Getting started with {% data variables.product.prodname_actions %} for GitHub Enterprise Server](/admin/github-actions/enabling-github-actions-for-github-enterprise-server/getting-started-with-github-actions-for-github-enterprise-server)."
-{% endif %}
-
 {% data reusables.actions.access-actions-on-dotcom %}
 
 The recommended approach is to enable automatic access to all actions from {% data variables.product.prodname_dotcom_the_website %}. You can do this by using {% data variables.product.prodname_github_connect %} to integrate {% data variables.product.product_name %} with {% data variables.product.prodname_ghe_cloud %}. For more information, see "[Enabling automatic access to {% data variables.product.prodname_dotcom_the_website %} actions using {% data variables.product.prodname_github_connect %}](/enterprise/admin/github-actions/enabling-automatic-access-to-githubcom-actions-using-github-connect)". 
 
+{% ifversion ghes %}
+{% note %}
+
+**Note:** Before you can configure access to actions on {% data variables.product.prodname_dotcom_the_website %}, you must configure {% data variables.product.product_location %} to use {% data variables.product.prodname_actions %}. For more information, see "[Getting started with {% data variables.product.prodname_actions %} for GitHub Enterprise Server](/admin/github-actions/enabling-github-actions-for-github-enterprise-server/getting-started-with-github-actions-for-github-enterprise-server)."
+
+
+{% endnote %}
+{% endif %}
+
+{% data reusables.actions.self-hosted-runner-networking-to-dotcom %}
+
 {% data reusables.actions.enterprise-limit-actions-use %}
 
-Alternatively, if you want stricter control over which actions are allowed in your enterprise, you can manually download and sync actions onto your enterprise instance using the `actions-sync` tool. For more information, see "[Manually syncing actions from {% data variables.product.prodname_dotcom_the_website %}](/enterprise/admin/github-actions/manually-syncing-actions-from-githubcom)."
+Alternatively, if you want stricter control over which actions are allowed in your enterprise, or you do not want to allow outbound connections to {% data variables.product.prodname_dotcom_the_website %}, you can manually download and sync actions onto your enterprise instance using the `actions-sync` tool. For more information, see "[Manually syncing actions from {% data variables.product.prodname_dotcom_the_website %}](/enterprise/admin/github-actions/manually-syncing-actions-from-githubcom)."

content/admin/github-actions/managing-access-to-actions-from-githubcom/enabling-automatic-access-to-githubcom-actions-using-github-connect.md

@@ -21,11 +21,18 @@ shortTitle: Use GitHub Connect for actions
 
 ## About automatic access to {% data variables.product.prodname_dotcom_the_website %} actions
 
-By default, {% data variables.product.prodname_actions %} workflows on {% data variables.product.product_name %} cannot use actions directly from {% data variables.product.prodname_dotcom_the_website %} or [{% data variables.product.prodname_marketplace %}](https://github.com/marketplace?type=actions).
+By default, {% data variables.product.prodname_actions %} workflows on {% data variables.product.product_name %} cannot use actions directly from {% data variables.product.prodname_dotcom_the_website %} or [{% data variables.product.prodname_marketplace %}](https://github.com/marketplace?type=actions). To make all actions from {% data variables.product.prodname_dotcom_the_website %} available on your enterprise instance, you can use {% data variables.product.prodname_github_connect %} to integrate {% data variables.product.product_name %} with {% data variables.product.prodname_ghe_cloud %}. 
 
-To make all actions from {% data variables.product.prodname_dotcom_the_website %} available on your enterprise instance, you can use {% data variables.product.prodname_github_connect %} to integrate {% data variables.product.product_name %} with {% data variables.product.prodname_ghe_cloud %}. For other ways of accessing actions from {% data variables.product.prodname_dotcom_the_website %}, see "[About using actions in your enterprise](/admin/github-actions/about-using-actions-in-your-enterprise)."
+{% data reusables.actions.self-hosted-runner-networking-to-dotcom %}
 
-To use actions from {% data variables.product.prodname_dotcom_the_website %}, your self-hosted runners must be able to download public actions from `api.github.com`.
+Alternatively, if you want stricter control over which actions are allowed in your enterprise, you can manually download and sync actions onto your enterprise instance using the `actions-sync` tool. For more information, see "[Manually syncing actions from {% data variables.product.prodname_dotcom_the_website %}](/enterprise/admin/github-actions/manually-syncing-actions-from-githubcom)."
+
+## About resolution for actions using {% data variables.product.prodname_github_connect %}
+
+{% data reusables.actions.github-connect-resolution %}
+
+If a user has already created an organization and repository in your enterprise that matches an organization and repository name on {% data variables.product.prodname_dotcom_the_website %}, the repository on your enterprise will be used instead of the {% data variables.product.prodname_dotcom_the_website %} repository. {% ifversion ghes < 3.3 or ghae %}A malicious user could take advantage of this behavior to run code as part of a workflow{% else %}For more information, see "[Automatic retirement of namespaces for actions accessed on {% data variables.product.prodname_dotcom_the_website%}](#automatic-retirement-of-namespaces-for-actions-accessed-on-githubcom)."
+{% endif %}
 
 ## Enabling automatic access to all {% data variables.product.prodname_dotcom_the_website %} actions
 
@@ -33,8 +40,6 @@ Before enabling access to all actions from {% data variables.product.prodname_do
 - Configure {% data variables.product.product_location %} to use {% data variables.product.prodname_actions %}. For more information, see "[Getting started with {% data variables.product.prodname_actions %} for GitHub Enterprise Server](/admin/github-actions/enabling-github-actions-for-github-enterprise-server/getting-started-with-github-actions-for-github-enterprise-server)."
 - Enable{% else %} enable{% endif %} {% data variables.product.prodname_github_connect %}. For more information, see "[Managing {% data variables.product.prodname_github_connect %}](/admin/configuration/configuring-github-connect/managing-github-connect)."
 
-{% data reusables.actions.enterprise-github-connect-warning %}
-
 {% data reusables.enterprise-accounts.access-enterprise %}
 {% data reusables.enterprise-accounts.github-connect-tab %}
 1. Under "Users can utilize actions from GitHub.com in workflow runs", use the drop-down menu and select **Enabled**.

content/admin/identity-and-access-management/authenticating-users-for-your-github-enterprise-server-instance/using-saml.md

@@ -54,7 +54,7 @@ A mapping is created between the `NameID` and the {% data variables.product.prod
 
 {% note %}
 
-**Note**: If the `NameID` for a user does change on the IdP, the user will see an error message when they try to sign in to your {% data variables.product.prodname_ghe_server %} instance. {% ifversion ghes %}To restore the user's access, you'll need to update the user account's `NameID` mapping. For more information, see "[Updating a user's SAML `NameID`](#updating-a-users-saml-nameid)."{% else %} For more information, see "[Error: 'Another user already owns the account'](#error-another-user-already-owns-the-account)."{% endif %}
+**Note**: If the `NameID` for a user does change on the IdP, the user will see an error message when they try to sign into {% data variables.product.product_location %}. To restore the user's access, you'll need to update the user account's `NameID` mapping. For more information, see "[Updating a user's SAML `NameID`](#updating-a-users-saml-nameid)."
 
 {% endnote %}
 
@@ -96,6 +96,14 @@ To specify more than one value for an attribute, use multiple `<saml2:AttributeV
 
 ## Configuring SAML settings
 
+You can enable or disable SAML authentication for {% data variables.product.product_location %}, or you can edit an existing configuration. You can view and edit authentication settings for {% data variables.product.product_name %} in the {% data variables.enterprise.management_console %}. For more information, see "[Accessing the management console](/admin/configuration/configuring-your-enterprise/accessing-the-management-console)."
+
+{% note %}
+
+**Note**: {% data reusables.enterprise.test-in-staging %}
+
+{% endnote %}
+
 {% data reusables.enterprise_site_admin_settings.access-settings %}
 {% data reusables.enterprise_site_admin_settings.management-console %}
 {% data reusables.enterprise_management_console.authentication %}
@@ -118,19 +126,11 @@ To specify more than one value for an attribute, use multiple `<saml2:AttributeV
 1. Select **Disable administrator demotion/promotion** if you **do not** want your SAML provider to determine administrator rights for users on {% data variables.product.product_location %}.
 
    ![Screenshot of option to enable option to respect the "administrator" attribute from the IdP to enable or disable administrative rights](/assets/images/enterprise/management-console/disable-admin-demotion-promotion.png)
-1. Optionally, to allow {% data variables.product.product_location %} to send and receive encrypted assertions to and from your SAML IdP, select **Require encrypted assertions**. For more information, see "[Enabling encrypted assertions](#enabling-encrypted-assertions)."
+{%- ifversion ghes > 3.3 %}
+1. Optionally, to allow {% data variables.product.product_location %} to receive encrypted assertions from your SAML IdP, select **Require encrypted assertions**. You must ensure that your IdP supports encrypted assertions and that the encryption and key transport methods in the management console match the values configured on your IdP. You must also provide {% data variables.product.product_location %}'s public certificate to your IdP. For more information, see "[Enabling encrypted assertions](#enabling-encrypted-assertions)."
 
    ![Screenshot of "Enable encrypted assertions" checkbox within management console's "Authentication" section](/assets/images/help/saml/management-console-enable-encrypted-assertions.png)
-
-   {% warning %}
-
-   **Warning**: Incorrectly configuring encrypted assertions can cause all authentication to {% data variables.product.product_location %} to fail.
-
-   - You must ensure that your IdP supports encrypted assertions and that the encryption and key transport methods in the management console match the values configured on your IdP. You must also provide {% data variables.product.product_location %}'s public certificate to your IdP. For more information, see "[Enabling encrypted assertions](#enabling-encrypted-assertions)."
-
-   - Before enabling encrypted assertions, {% data variables.product.company_short %} recommends testing encrypted assertions in a staging environment, and confirming that SAML authentication functions as you expect. For more information, see "[Setting up a staging instance](/admin/installation/setting-up-a-github-enterprise-server-instance/setting-up-a-staging-instance)."
-
-   {% endwarning %}
+{%- endif %}
 1. In the **Single sign-on URL** field, type the HTTP or HTTPS endpoint on your IdP for single sign-on requests. This value is provided by your IdP configuration. If the host is only available from your internal network, you may need to [configure {% data variables.product.product_location %} to use internal nameservers](/enterprise/{{ currentVersion }}/admin/guides/installation/configuring-dns-nameservers/).
 
    ![Screenshot of text field for single sign-on URL](/assets/images/enterprise/management-console/saml-single-sign-url.png)
@@ -153,37 +153,38 @@ To specify more than one value for an attribute, use multiple `<saml2:AttributeV
 
 To enable encrypted assertions, your SAML IdP must also support encrypted assertions. You must provide {% data variables.product.product_location %}'s public certificate to your IdP, and configure encryption settings that match your IdP.
 
-{% warning %}
+{% note %}
 
-**Warning**: Incorrectly configuring encrypted assertions can cause all authentication to {% data variables.product.product_location %} to fail. {% data variables.product.company_short %} strongly recommends testing your SAML configuration in a staging environment. For more information about staging instances, see "[Setting up a staging instance](/admin/installation/setting-up-a-github-enterprise-server-instance/setting-up-a-staging-instance)."
+**Note**: {% data reusables.enterprise.test-in-staging %}
 
-{% endwarning %}
+{% endnote %}
 
-1. Configure SAML for {% data variables.product.product_location %}. For more information, see "[Configuring SAML settings](#configuring-saml-settings)."
-{% data reusables.enterprise_installation.ssh-into-instance %}
-1. Run the following command to output {% data variables.product.product_location %}'s public certificate.
-
-        openssl pkcs12 -in /data/user/common/saml-sp.p12 -nokeys -passin pass:
-1. In the output, copy the text beginning with `-----BEGIN CERTIFICATE-----` and ending with `-----END CERTIFICATE-----`, and paste the output into a plaintext file.
-1. Sign into your SAML IdP as an administrator.
-1. In the application for {% data variables.product.product_location %}, enable encrypted assertions.
-   - Note the encryption method and key transport method.
-   - Provide the public certificate from step 3.
+1. Optionally, enable SAML debugging. SAML debugging records verbose entries in {% data variables.product.product_name %}'s authentication log, and may help you troubleshoot failed authentication attempts. For more information, see "[Configuring SAML debugging](#configuring-saml-debugging)."
 {% data reusables.enterprise_site_admin_settings.access-settings %}
 {% data reusables.enterprise_site_admin_settings.management-console %}
 {% data reusables.enterprise_management_console.authentication %}
 1. Select **Require encrypted assertions**.
 
    ![Screenshot of "Enable encrypted assertions" checkbox within management console's "Authentication" section](/assets/images/help/saml/management-console-enable-encrypted-assertions.png)
-1. To the right of "Encryption Method", select the encryption method for your IdP from step 5.
+1. To the right of "Encryption Certificate", click **Download** to save a copy of {% data variables.product.product_location %}'s public certificate on your local machine.
+
+   ![Screenshot of "Download" button for public certificate for encrypted assertions](/assets/images/help/saml/management-console-encrypted-assertions-download-certificate.png)
+1. Sign into your SAML IdP as an administrator.
+1. In the application for {% data variables.product.product_location %}, enable encrypted assertions.
+   - Note the encryption method and key transport method.
+   - Provide the public certificate you downloaded in step 7.
+1. Return to the management console on {% data variables.product.product_location %}.
+1. To the right of "Encryption Method", select the encryption method for your IdP from step 9.
 
    ![Screenshot of "Encryption Method" for encrypted assertions](/assets/images/help/saml/management-console-encrypted-assertions-encryption-method.png)
-1. To the right of "Key Transport Method", select the key transport method for your IdP from step 5.
+1. To the right of "Key Transport Method", select the key transport method for your IdP from step 9.
 
    ![Screenshot of "Key Transport Method" for encrypted assertions](/assets/images/help/saml/management-console-encrypted-assertions-key-transport-method.png)
 1. Click **Save settings**.
 {% data reusables.enterprise_site_admin_settings.wait-for-configuration-run %}
 
+If you enabled SAML debugging to test authentication with encrypted assertions, disable SAML debugging when you're done testing. For more information, see "[Configuring SAML debugging](#configuring-saml-debugging)."
+
 {% endif %}
 
 ## Updating a user's SAML `NameID`
@@ -245,11 +246,11 @@ When the user signs in again, {% data variables.product.prodname_ghe_server %} c
 
 > Another user already owns the account. Please have your administrator check the authentication log.
 
-The message typically indicates that the person's username or email address has changed on the IdP. {% ifversion ghes %}Ensure that the `NameID` mapping for the user account on {% data variables.product.prodname_ghe_server %} matches the user's `NameID` on your IdP. For more information, see "[Updating a user's SAML `NameID`](#updating-a-users-saml-nameid)."{% else %}For help updating the `NameID` mapping, contact {% data variables.contact.contact_ent_support %}.{% endif %}
+The message typically indicates that the person's username or email address has changed on the IdP. Ensure that the `NameID` mapping for the user account on {% data variables.product.prodname_ghe_server %} matches the user's `NameID` on your IdP. For more information, see "[Updating a user's SAML `NameID`](#updating-a-users-saml-nameid)."
 
 ### Error: Recipient in SAML response was blank or not valid
 
-If the `Recipient` does not match the ACS URL for your {% data variables.product.prodname_ghe_server %} instance, one of the following two error messages will appear in the authentication log when a user attempts to authenticate.
+If the `Recipient` does not match the ACS URL for {% data variables.product.product_location %}, one of the following two error messages will appear in the authentication log when a user attempts to authenticate.
 
 ```
 Recipient in the SAML response must not be blank.
@@ -259,7 +260,7 @@ Recipient in the SAML response must not be blank.
 Recipient in the SAML response was not valid.
 ```
 
-Ensure that you set the value for `Recipient` on your IdP to the full ACS URL for your {% data variables.product.prodname_ghe_server %} instance. For example, `https://ghe.corp.example.com/saml/consume`.
+Ensure that you set the value for `Recipient` on your IdP to the full ACS URL for {% data variables.product.product_location %}. For example, `https://ghe.corp.example.com/saml/consume`.
 
 ### Error: "SAML Response is not signed or has been modified"
 
@@ -279,4 +280,40 @@ If the IdP's response has a missing or incorrect value for `Audience`, the follo
 Audience is invalid. Audience attribute does not match https://<em>YOUR-INSTANCE-URL</em>
 ```
 
-Ensure that you set the value for `Audience` on your IdP to the `EntityId` for your {% data variables.product.prodname_ghe_server %} instance, which is the full URL to your {% data variables.product.prodname_ghe_server %} instance. For example, `https://ghe.corp.example.com`.
+Ensure that you set the value for `Audience` on your IdP to the `EntityId` for {% data variables.product.product_location %}, which is the full URL to {% data variables.product.product_location %}. For example, `https://ghe.corp.example.com`.
+
+### Configuring SAML debugging
+
+You can configure {% data variables.product.product_name %} to write verbose debug logs to _/var/log/github/auth.log_ for every SAML authentication attempt. You may be able to troubleshoot failed authentication attempts with this extra output.
+
+{% warning %}
+
+**Warnings**:
+
+- Only enable SAML debugging temporarily, and disable debugging immediately after you finish troubleshooting. If you leave debugging enabled, the size of your log may increase much faster than usual, which can negatively impact the performance of {% data variables.product.product_name %}.
+- Test new authentication settings for {% data variables.product.product_location %} in a staging environment before you apply the settings in your production environment. For more information, see "[Setting up a staging instance](/admin/installation/setting-up-a-github-enterprise-server-instance/setting-up-a-staging-instance)."
+
+{% endwarning %}
+
+{% data reusables.enterprise-accounts.access-enterprise %}
+{% data reusables.enterprise-accounts.policies-tab %}
+{% data reusables.enterprise-accounts.options-tab %}
+1. Under "SAML debugging", select the drop-down and click **Enabled**.
+
+   ![Screenshot of drop-down to enable SAML debugging](/assets/images/enterprise/site-admin-settings/site-admin-saml-debugging-enabled.png)
+
+1. Attempt to sign into {% data variables.product.product_location %} through your SAML IdP.
+
+1. Review the debug output in _/var/log/github/auth.log_ on {% data variables.product.product_location %}.
+
+1. When you're done troubleshooting, select the drop-down and click **Disabled**.
+
+   ![Screenshot of drop-down to disable SAML debugging](/assets/images/enterprise/site-admin-settings/site-admin-saml-debugging-disabled.png)
+
+### Decoding responses in _auth.log_
+
+Some output in _auth.log_ may be Base64-encoded. You can access the administrative shell and use the `base64` utility on {% data variables.product.product_location %} to decode these responses. For more information, see "[Accessing the administrative shell (SSH)](/admin/configuration/configuring-your-enterprise/accessing-the-administrative-shell-ssh)."
+
+```shell
+$ base64 --decode <em>ENCODED OUTPUT</em>
+```

content/admin/index.md

@@ -96,7 +96,7 @@ featuredLinks:
     - '{% ifversion ghae %}/admin/identity-and-access-management/configuring-authentication-and-provisioning-for-your-enterprise-using-azure-ad{% endif %}'
     - '{% ifversion ghae %}/billing/managing-billing-for-your-github-account/about-billing-for-your-enterprise{% endif %}'
     - '{% ifversion ghae %}/admin/overview/about-upgrades-to-new-releases{% endif %}'
-    - '{% ifversion ghae %}/get-started/signing-up-for-github/setting-up-a-trial-of-github-ae{% endif %}'
+    - '{% ifversion ghae %}/admin/configuration/configuring-your-enterprise/deploying-github-ae{% endif %}'
     - '{% ifversion ghes %}/billing/managing-your-license-for-github-enterprise{% endif %}'
     - '{% ifversion ghes %}/admin/configuration/command-line-utilities{% endif %}'
     - '{% ifversion ghec %}/admin/configuration/configuring-your-enterprise/verifying-or-approving-a-domain-for-your-enterprise{% endif %}'

content/admin/user-management/migrating-data-to-and-from-your-enterprise/about-migrations.md

@@ -24,7 +24,7 @@ There are three types of migrations you can perform:
 
 In a migration, everything revolves around a repository. Most data associated with a repository can be migrated. For example, a repository within an organization will migrate the repository *and* the organization, as well as any users, teams, issues, and pull requests associated with the repository.
 
-The items in the table below can be migrated with a repository. Any items not shown in the list of migrated data can not be migrated.
+The items in the table below can be migrated with a repository. Any items not shown in the list of migrated data can not be migrated, including {% data variables.large_files.product_name_short %} assets.
 
 {% data reusables.enterprise_migrations.fork-persistence %}
 

content/authentication/connecting-to-github-with-ssh/checking-for-existing-ssh-keys.md

@@ -25,7 +25,7 @@ shortTitle: Check for existing SSH key
   # Lists the files in your .ssh directory, if they exist
   ```
 
-3. Check the directory listing to see if you already have a public SSH key. By default, the {% ifversion ghae %}filename of a supported public key for {% data variables.product.product_name %} is *id_rsa.pub*.{% elsif fpt or ghes %}filenames of supported public keys for {% data variables.product.product_name %} are one of the following.
+3. Check the directory listing to see if you already have a public SSH key. By default, the {% ifversion ghae %}filename of a supported public key for {% data variables.product.product_name %} is *id_rsa.pub*.{% else %}filenames of supported public keys for {% data variables.product.product_name %} are one of the following.
     - *id_rsa.pub*
     - *id_ecdsa.pub*
     - *id_ed25519.pub*{% endif %}

content/authentication/troubleshooting-ssh/using-ssh-over-the-https-port.md

@@ -32,7 +32,7 @@ If that worked, great! If not, you may need to [follow our troubleshooting guide
 
 If you are able to SSH into `git@ssh.{% data variables.command_line.backticks %}` over port 443, you can override your SSH settings to force any connection to {% data variables.product.product_location %} to run through that server and port.
 
-To set this in your SSH confifguration file, edit the file at `~/.ssh/config`, and add this section:
+To set this in your SSH configuration file, edit the file at `~/.ssh/config`, and add this section:
 
 ```
 Host {% data variables.command_line.codeblock %}

content/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning-alerts.md

@@ -27,7 +27,15 @@ By default, {% data variables.product.prodname_code_scanning %} analyzes your co
 
 Each alert highlights a problem with the code and the name of the tool that identified it. You can see the line of code that triggered the alert, as well as properties of the alert, such as the alert severity{% ifversion fpt or ghes > 3.1 or ghae or ghec %}, security severity,{% endif %} and the nature of the problem. Alerts also tell you when the issue was first introduced. For alerts identified by {% data variables.product.prodname_codeql %} analysis, you will also see information on how to fix the problem.
 
+{% ifversion fpt or ghec or ghes > 3.4 or ghae-issue-6249 %}
+{% data reusables.code-scanning.alert-default-branch %}
+{% endif %}
+
+{% ifversion fpt or ghec or ghes > 3.4 or ghae-issue-6249 %}
 ![Example alert from {% data variables.product.prodname_code_scanning %}](/assets/images/help/repository/code-scanning-alert.png)
+{% else %}
+![Example alert from {% data variables.product.prodname_code_scanning %}](/assets/images/enterprise/3.4/repository/code-scanning-alert.png)
+{% endif %}
 
 If you set up {% data variables.product.prodname_code_scanning %} using {% data variables.product.prodname_codeql %}, you can also find data-flow problems in your code. Data-flow analysis finds potential security issues in code, such as: using data insecurely, passing dangerous arguments to functions, and leaking sensitive information.
 

content/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/managing-code-scanning-alerts-for-your-repository.md

@@ -46,9 +46,16 @@ By default, the code scanning alerts page is filtered to show alerts for the def
 {% else %}
    ![List of alerts from {% data variables.product.prodname_code_scanning %}](/assets/images/enterprise/3.1/help/repository/code-scanning-click-alert.png)
 {% endif %}
+{% ifversion fpt or ghec or ghes > 3.4 or ghae-issue-6249 %}
+     {% data reusables.code-scanning.alert-default-branch %}
+     ![The "Affected branches" section in an alert](/assets/images/help/repository/code-scanning-affected-branches.png){% endif %}
 1. Optionally, if the alert highlights a problem with data flow, click **Show paths** to display the path from the data source to the sink where it's used.
+  {% ifversion fpt or ghec or ghes > 3.4 or ghae-issue-6249 %}
    ![The "Show paths" link on an alert](/assets/images/help/repository/code-scanning-show-paths.png)
-1. Alerts from {% data variables.product.prodname_codeql %} analysis include a description of the problem. Click **Show more** for guidance on how to fix your code.
+   {% else %}
+   ![The "Show paths" link on an alert](/assets/images/enterprise/3.4/repository/code-scanning-show-paths.png)
+   {% endif %}
+2. Alerts from {% data variables.product.prodname_codeql %} analysis include a description of the problem. Click **Show more** for guidance on how to fix your code.
    ![Details for an alert](/assets/images/help/repository/code-scanning-alert-details.png)
 
 For more information, see "[About {% data variables.product.prodname_code_scanning %} alerts](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning-alerts)."
@@ -80,6 +87,10 @@ The benefit of using keyword filters is that only values with results are shown
 
 If you enter multiple filters, the view will show alerts matching _all_ these filters. For example, `is:closed severity:high branch:main` will only display closed high-severity alerts that are present on the `main` branch. The exception is filters relating to refs (`ref`, `branch` and `pr`): `is:open branch:main branch:next` will show you open alerts from both the `main` branch and the `next` branch.
 
+{% ifversion fpt or ghec or ghes > 3.4 or ghae-issue-6249 %}
+{% data reusables.code-scanning.filter-non-default-branches %}
+{% endif %}
+
 {% ifversion fpt or ghes > 3.3 or ghec %}
 
 You can prefix the `tag` filter with `-` to exclude results with that tag. For example, `-tag:style` only shows alerts that do not have the `style` tag{% if codeql-ml-queries %} and `-tag:experimental` will omit all experimental alerts. For more information, see "[About {% data variables.product.prodname_code_scanning %} alerts](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning-alerts#about-experimental-alerts)."{% else %}.{% endif %}
@@ -96,10 +107,12 @@ You can use the "Only alerts in application code" filter or `autofilter:true` ke
 
 You can search the list of alerts. This is useful if there is a large number of alerts in your repository, or if you don't know the exact name for an alert for example. {% data variables.product.product_name %} performs the free text search across:
 - The name of the alert
-- The alert description
 - The alert details (this also includes the information hidden from view by default in the **Show more** collapsible section)
-
+ {% ifversion fpt or ghec or ghes > 3.4 or ghae-issue-6249 %}
  ![The alert information used in searches](/assets/images/help/repository/code-scanning-free-text-search-areas.png)
+ {% else %}
+ ![The alert information used in searches](/assets/images/enterprise/3.4/repository/code-scanning-free-text-search-areas.png)
+ {% endif %}
 
 | Supported search | Syntax example | Results |
 | ---- | ---- | ---- |
@@ -113,7 +126,7 @@ You can search the list of alerts. This is useful if there is a large number of
 
 **Tips:** 
 - The multiple word search is equivalent to an OR search.
-- The AND search will return results where the search terms are found _anywhere_, in any order in the alert name, description, or details.
+- The AND search will return results where the search terms are found _anywhere_, in any order in the alert name or details.
 
 {% endtip %}
 
@@ -143,7 +156,7 @@ If you have write permission for a repository, you can view fixed alerts by view
 
 You can use{% ifversion fpt or ghes > 3.1 or ghae or ghec %} the free text search or{% endif %} the filters to display a subset of alerts and then in turn mark all matching alerts as closed. 
 
-Alerts may be fixed in one branch but not in another. You can use the "Branch" drop-down menu, on the summary of alerts, to check whether an alert is fixed in a particular branch.
+Alerts may be fixed in one branch but not in another. You can use the "Branch" filter, on the summary of alerts, to check whether an alert is fixed in a particular branch.
 
 {% ifversion fpt or ghes > 3.1 or ghae or ghec %}
 ![Filtering alerts by branch](/assets/images/help/repository/code-scanning-branch-filter.png)
@@ -151,6 +164,9 @@ Alerts may be fixed in one branch but not in another. You can use the "Branch" d
 ![Filtering alerts by branch](/assets/images/enterprise/3.1/help/repository/code-scanning-branch-filter.png)
 {% endif %}
 
+{% ifversion fpt or ghec or ghes > 3.4 or ghae-issue-6249 %}
+{% data reusables.code-scanning.filter-non-default-branches %}
+{% endif %}
 ## Dismissing or deleting alerts
 
 There are two ways of closing an alert. You can fix the problem in the code, or you can dismiss the alert. Alternatively, if you have admin permissions for the repository, you can delete alerts. Deleting alerts is useful in situations where you have set up a {% data variables.product.prodname_code_scanning %} tool and then decided to remove it, or where you have configured {% data variables.product.prodname_codeql %} analysis with a larger set of queries than you want to continue using, and you've then removed some queries from the tool. In both cases, deleting alerts allows you to clean up your {% data variables.product.prodname_code_scanning %} results. You can delete alerts from the summary list within the **Security** tab.

content/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/tracking-code-scanning-alerts-in-issues-using-task-lists.md

@@ -39,7 +39,11 @@ You can use more than one issue to track the same {% data variables.product.prod
 
 - A "tracked in" section will also show in the corresponding alert page. 
 
+  {% ifversion fpt or ghec or ghes > 3.4 or ghae-issue-6249 %}
   ![Tracked in section on code scanning alert page](/assets/images/help/repository/code-scanning-alert-tracked-in-pill.png)
+  {% else %}
+  ![Tracked in section on code scanning alert page](/assets/images/enterprise/3.4/repository/code-scanning-alert-tracked-in-pill.png)
+  {% endif %}
 
 - On the tracking issue, {% data variables.product.prodname_dotcom %} displays a security badge icon in the task list and on the hovercard. 
   
@@ -65,7 +69,11 @@ The status of the tracked alert won't change if you change the checkbox state of
 1. Optionally, to find the alert to track, you can use the free-text search or the drop-down menus to filter and locate the alert. For more information, see "[Managing code scanning alerts for your repository](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/managing-code-scanning-alerts-for-your-repository#filtering-code-scanning-alerts)."
 {% endif %}
 1. Towards the top of the page, on the right side, click **Create issue**. 
+   {% ifversion fpt or ghec or ghes > 3.4 or ghae-issue-6249 %}
    ![Create a tracking issue for the code scanning alert](/assets/images/help/repository/code-scanning-create-issue-for-alert.png)
+   {% else %}
+   ![Create a tracking issue for the code scanning alert](/assets/images/enterprise/3.4/repository/code-scanning-create-issue-for-alert.png)
+   {% endif %}
    {% data variables.product.prodname_dotcom %} automatically creates an issue to track the alert and adds the alert as a task list item.
    {% data variables.product.prodname_dotcom %} prepopulates the issue:
    - The title contains the name of the {% data variables.product.prodname_code_scanning %} alert.

content/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/triaging-code-scanning-alerts-in-pull-requests.md

@@ -74,10 +74,17 @@ If you have write permission for the repository, some annotations contain links
 
 To see more information about an alert, users with write permission can click the **Show more details** link shown in the annotation. This allows you to see all of the context and metadata provided by the tool in an alert view. In the example below, you can see tags showing the severity, type, and relevant common weakness enumerations (CWEs) for the problem. The view also shows which commit introduced the problem.
 
+{% ifversion fpt or ghec or ghes > 3.4 or ghae-issue-6249 %}
+{% data reusables.code-scanning.alert-default-branch %}
+{% endif %}
+
 In the detailed view for an alert, some {% data variables.product.prodname_code_scanning %} tools, like {% data variables.product.prodname_codeql %} analysis, also include a description of the problem and a **Show more** link for guidance on how to fix your code.
 
+{% ifversion fpt or ghec or ghes > 3.4 or ghae-issue-6249 %}
 ![Alert description and link to show more information](/assets/images/help/repository/code-scanning-pr-alert.png)
-
+{% else %}
+![Alert description and link to show more information](/assets/images/enterprise/3.4/repository/code-scanning-pr-alert.png)
+{% endif %}
 ## Fixing an alert on your pull request
 
 Anyone with push access to a pull request can fix a {% data variables.product.prodname_code_scanning %} alert that's identified on that pull request. If you commit changes to the pull request this triggers a new run of the pull request checks. If your changes fix the problem, the alert is closed and the annotation removed.

content/code-security/dependabot/dependabot-alerts/about-dependabot-alerts.md

@@ -1,11 +1,12 @@
 ---
-title: About alerts for vulnerable dependencies
+title: About Dependabot alerts
 intro: '{% data variables.product.product_name %} sends {% data variables.product.prodname_dependabot_alerts %} when we detect vulnerabilities affecting your repository.'
 redirect_from:
   - /articles/about-security-alerts-for-vulnerable-dependencies
   - /github/managing-security-vulnerabilities/about-security-alerts-for-vulnerable-dependencies
   - /github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies
   - /code-security/supply-chain-security/about-alerts-for-vulnerable-dependencies
+  - /code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/about-alerts-for-vulnerable-dependencies
 versions:
   fpt: '*'
   ghes: '*'
@@ -81,7 +82,7 @@ For repositories where {% data variables.product.prodname_dependabot_security_up
 
 ## Access to  {% data variables.product.prodname_dependabot_alerts %}
 
-You can see all of the alerts that affect a particular project{% ifversion fpt or ghec %} on the repository's Security tab or{% endif %} in the repository's dependency graph. For more information, see "[Viewing and updating vulnerable dependencies in your repository](/github/managing-security-vulnerabilities/viewing-and-updating-vulnerable-dependencies-in-your-repository)."
+You can see all of the alerts that affect a particular project{% ifversion fpt or ghec %} on the repository's Security tab or{% endif %} in the repository's dependency graph. For more information, see "[Viewing {% data variables.product.prodname_dependabot_alerts %} for vulnerable dependencies](/github/managing-security-vulnerabilities/viewing-and-updating-vulnerable-dependencies-in-your-repository)."
 
 By default, we notify people with admin permissions in the affected repositories about new {% data variables.product.prodname_dependabot_alerts %}. {% ifversion fpt or ghec %}{% data variables.product.product_name %} never publicly discloses identified vulnerabilities for any repository. You can also make {% data variables.product.prodname_dependabot_alerts %} visible to additional people or teams working repositories that you own or have admin permissions for. For more information, see "[Managing security and analysis settings for your repository](/github/administering-a-repository/managing-security-and-analysis-settings-for-your-repository#granting-access-to-security-alerts)."
 {% endif %}
@@ -95,5 +96,5 @@ You can also see all the {% data variables.product.prodname_dependabot_alerts %}
 ## Further reading
 
 - "[About {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/about-dependabot-security-updates)"
-- "[Viewing and updating vulnerable dependencies in your repository](/articles/viewing-and-updating-vulnerable-dependencies-in-your-repository)"{% endif %}
+- "[Viewing {% data variables.product.prodname_dependabot_alerts %} for vulnerable dependencies](/articles/viewing-and-updating-vulnerable-dependencies-in-your-repository)"{% endif %}
 {% ifversion fpt or ghec %}- "[Privacy on {% data variables.product.prodname_dotcom %}](/get-started/privacy-on-github)"{% endif %}

content/code-security/dependabot/dependabot-alerts/browsing-security-vulnerabilities-in-the-github-advisory-database.md

@@ -6,6 +6,7 @@ miniTocMaxHeadingLevel: 3
 redirect_from:
   - /github/managing-security-vulnerabilities/browsing-security-vulnerabilities-in-the-github-advisory-database
   - /code-security/supply-chain-security/browsing-security-vulnerabilities-in-the-github-advisory-database
+  - /code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/browsing-security-vulnerabilities-in-the-github-advisory-database
 versions:
   fpt: '*'
   ghec: '*'
@@ -35,7 +36,7 @@ The {% data variables.product.prodname_advisory_database %} contains a list of k
 
 We carefully review each advisory for validity. Each {% data variables.product.company_short %}-reviewed advisory has a full description, and contains both ecosystem and package information.
 
-If you enable {% data variables.product.prodname_dependabot_alerts %} for your repositories, you are automatically notified when a new {% data variables.product.company_short %}-reviewed advisory affects packages you depend on. For more information, see "[About alerts for vulnerable dependencies](/code-security/supply-chain-security/about-alerts-for-vulnerable-dependencies)."
+If you enable {% data variables.product.prodname_dependabot_alerts %} for your repositories, you are automatically notified when a new {% data variables.product.company_short %}-reviewed advisory affects packages you depend on. For more information, see "[About {% data variables.product.prodname_dependabot_alerts %}](/code-security/supply-chain-security/about-alerts-for-vulnerable-dependencies)."
 
 ### About unreviewed advisories
 
@@ -107,7 +108,7 @@ You can search the database, and use qualifiers to narrow your search. For examp
 
 ## Viewing your vulnerable repositories
 
-For any {% data variables.product.company_short %}-reviewed advisory in the {% data variables.product.prodname_advisory_database %}, you can see which of your repositories are affected by that security vulnerability. To see a vulnerable repository, you must have access to {% data variables.product.prodname_dependabot_alerts %} for that repository. For more information, see "[About alerts for vulnerable dependencies](/code-security/supply-chain-security/about-alerts-for-vulnerable-dependencies#access-to-dependabot-alerts)."
+For any {% data variables.product.company_short %}-reviewed advisory in the {% data variables.product.prodname_advisory_database %}, you can see which of your repositories are affected by that security vulnerability. To see a vulnerable repository, you must have access to {% data variables.product.prodname_dependabot_alerts %} for that repository. For more information, see "[About {% data variables.product.prodname_dependabot_alerts %}](/code-security/supply-chain-security/about-alerts-for-vulnerable-dependencies#access-to-dependabot-alerts)."
 
 1. Navigate to https://github.com/advisories.
 2. Click an advisory.

content/code-security/dependabot/dependabot-alerts/configuring-notifications-for-dependabot-alerts.md

@@ -1,10 +1,11 @@
 ---
-title: Configuring notifications for vulnerable dependencies
-shortTitle: Configuring notifications
+title: Configuring notifications for Dependabot alerts
+shortTitle: Configure notifications
 intro: 'Optimize how you receive notifications about  {% data variables.product.prodname_dependabot_alerts %}.'
 redirect_from:
   - /github/managing-security-vulnerabilities/configuring-notifications-for-vulnerable-dependencies
   - /code-security/supply-chain-security/configuring-notifications-for-vulnerable-dependencies
+  - /code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/configuring-notifications-for-vulnerable-dependencies
 versions:
   fpt: '*'
   ghes: '*'
@@ -58,7 +59,7 @@ You can configure notification settings for yourself or your organization from t
 
 ## How to reduce the noise from notifications for vulnerable dependencies
 
-If you are concerned about receiving too many notifications for {% data variables.product.prodname_dependabot_alerts %}, we recommend you opt into the weekly email digest, or turn off notifications while keeping {% data variables.product.prodname_dependabot_alerts %} enabled. You can still navigate to see your {% data variables.product.prodname_dependabot_alerts %} in your repository's Security tab. For more information, see "[Viewing and updating vulnerable dependencies in your repository](/github/managing-security-vulnerabilities/viewing-and-updating-vulnerable-dependencies-in-your-repository)."
+If you are concerned about receiving too many notifications for {% data variables.product.prodname_dependabot_alerts %}, we recommend you opt into the weekly email digest, or turn off notifications while keeping {% data variables.product.prodname_dependabot_alerts %} enabled. You can still navigate to see your {% data variables.product.prodname_dependabot_alerts %} in your repository's Security tab. For more information, see "[Viewing {% data variables.product.prodname_dependabot_alerts %} for vulnerable dependencies](/github/managing-security-vulnerabilities/viewing-and-updating-vulnerable-dependencies-in-your-repository)."
 
 ## Further reading
 

content/code-security/dependabot/dependabot-alerts/editing-security-advisories-in-the-github-advisory-database.md

@@ -3,6 +3,7 @@ title: Editing security advisories in the GitHub Advisory Database
 intro: 'You can submit improvements to any advisory published in the {% data variables.product.prodname_advisory_database %}.'
 redirect_from:
   - /code-security/security-advisories/editing-security-advisories-in-the-github-advisory-database
+  - /code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/editing-security-advisories-in-the-github-advisory-database
 versions:
   fpt: '*'
   ghec: '*'

content/code-security/dependabot/dependabot-alerts/index.md

@@ -0,0 +1,24 @@
+---
+title: Identifying vulnerabilities in your project's dependencies with Dependabot alerts
+shortTitle: Dependabot alerts
+intro: '{% data variables.product.prodname_dependabot %} generates {% data variables.product.prodname_dependabot_alerts %} when known vulnerabilites are detected in dependencies that your project uses.'
+allowTitleToDifferFromFilename: true
+versions:
+  fpt: '*'
+  ghes: '*'
+  ghae: issue-4864
+  ghec: '*'
+topics:
+  - Dependabot
+  - Alerts
+  - Vulnerabilities
+  - Repositories
+  - Dependencies
+children:
+  - /browsing-security-vulnerabilities-in-the-github-advisory-database
+  - /editing-security-advisories-in-the-github-advisory-database
+  - /about-dependabot-alerts
+  - /viewing-and-updating-dependabot-alerts
+  - /configuring-notifications-for-dependabot-alerts
+---
+

content/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts.md

@@ -1,12 +1,13 @@
 ---
-title: Viewing and updating vulnerable dependencies in your repository
+title: Viewing and updating Dependabot alerts
 intro: 'If {% data variables.product.product_name %} discovers vulnerable dependencies in your project, you can view them on the Dependabot alerts tab of your repository. Then, you can update your project to resolve or dismiss the vulnerability.'
 redirect_from:
   - /articles/viewing-and-updating-vulnerable-dependencies-in-your-repository
   - /github/managing-security-vulnerabilities/viewing-and-updating-vulnerable-dependencies-in-your-repository
   - /code-security/supply-chain-security/viewing-and-updating-vulnerable-dependencies-in-your-repository
+  - /code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/viewing-and-updating-vulnerable-dependencies-in-your-repository
 permissions: Repository administrators and organization owners can view and update dependencies.
-shortTitle: View vulnerable dependencies
+shortTitle: View Dependabot alerts
 versions:
   fpt: '*'
   ghes: '*'
@@ -25,7 +26,7 @@ topics:
 {% data reusables.dependabot.beta-security-and-version-updates %}
 {% data reusables.dependabot.enterprise-enable-dependabot %}
 
-Your repository's {% data variables.product.prodname_dependabot_alerts %} tab lists all open and closed {% data variables.product.prodname_dependabot_alerts %}{% ifversion fpt or ghec or ghes > 3.2 %} and corresponding {% data variables.product.prodname_dependabot_security_updates %}{% endif %}. You can{% ifversion fpt or ghec or ghes > 3.4 or ghae-issue-5638 %} filter alerts by package, ecosystem, or manifest. You can also{% endif %} sort the list of alerts, and you can click into specific alerts for more details. For more information, see "[About alerts for vulnerable dependencies](/code-security/supply-chain-security/about-alerts-for-vulnerable-dependencies)."
+Your repository's {% data variables.product.prodname_dependabot_alerts %} tab lists all open and closed {% data variables.product.prodname_dependabot_alerts %}{% ifversion fpt or ghec or ghes > 3.2 %} and corresponding {% data variables.product.prodname_dependabot_security_updates %}{% endif %}. You can{% ifversion fpt or ghec or ghes > 3.4 or ghae-issue-5638 %} filter alerts by package, ecosystem, or manifest. You can also{% endif %} sort the list of alerts, and you can click into specific alerts for more details. For more information, see "[About {% data variables.product.prodname_dependabot_alerts %}](/code-security/supply-chain-security/about-alerts-for-vulnerable-dependencies)."
 
 {% ifversion fpt or ghec or ghes > 3.2 %}
 You can enable automatic security updates for any repository that uses {% data variables.product.prodname_dependabot_alerts %} and the dependency graph. For more information, see "[About {% data variables.product.prodname_dependabot_security_updates %}](/code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/about-dependabot-security-updates)."
@@ -112,7 +113,7 @@ Each {% data variables.product.prodname_dependabot %} alert has a unique numeric
 
 ## Further reading
 
-- "[About alerts for vulnerable dependencies](/code-security/supply-chain-security/about-alerts-for-vulnerable-dependencies)"{% ifversion fpt or ghec or ghes > 3.2 %}
+- "[About {% data variables.product.prodname_dependabot_alerts %}](/code-security/supply-chain-security/about-alerts-for-vulnerable-dependencies)"{% ifversion fpt or ghec or ghes > 3.2 %}
 - "[Configuring {% data variables.product.prodname_dependabot_security_updates %}](/code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/configuring-dependabot-security-updates)"{% endif %}
 - "[Managing security and analysis settings for your repository](/github/administering-a-repository/managing-security-and-analysis-settings-for-your-repository)"
 - "[Troubleshooting the detection of vulnerable dependencies](/code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/troubleshooting-the-detection-of-vulnerable-dependencies)"{% ifversion fpt or ghec or ghes > 3.2 %}

content/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates.md

@@ -6,6 +6,7 @@ redirect_from:
   - /github/managing-security-vulnerabilities/about-github-dependabot-security-updates
   - /github/managing-security-vulnerabilities/about-dependabot-security-updates
   - /code-security/supply-chain-security/about-dependabot-security-updates
+  - /code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/about-dependabot-security-updates
 versions:
   fpt: '*'
   ghec: '*'
@@ -27,7 +28,7 @@ topics:
 
 ## About {% data variables.product.prodname_dependabot_security_updates %}
 
-{% data variables.product.prodname_dependabot_security_updates %} make it easier for you to fix vulnerable dependencies in your repository. If you enable this feature, when a {% data variables.product.prodname_dependabot %} alert is raised for a vulnerable dependency in the dependency graph of your repository, {% data variables.product.prodname_dependabot %} automatically tries to fix it. For more information, see "[About alerts for vulnerable dependencies](/code-security/supply-chain-security/about-alerts-for-vulnerable-dependencies)" and "[Configuring {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/configuring-dependabot-security-updates)."
+{% data variables.product.prodname_dependabot_security_updates %} make it easier for you to fix vulnerable dependencies in your repository. If you enable this feature, when a {% data variables.product.prodname_dependabot %} alert is raised for a vulnerable dependency in the dependency graph of your repository, {% data variables.product.prodname_dependabot %} automatically tries to fix it. For more information, see "[About {% data variables.product.prodname_dependabot_alerts %}](/code-security/supply-chain-security/about-alerts-for-vulnerable-dependencies)" and "[Configuring {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/configuring-dependabot-security-updates)."
 
 {% data variables.product.prodname_dotcom %} may send  {% data variables.product.prodname_dependabot_alerts %} to repositories affected by a vulnerability disclosed by a recently published {% data variables.product.prodname_dotcom %} security advisory. {% data reusables.security-advisory.link-browsing-advisory-db %}
 

content/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates.md

@@ -9,6 +9,7 @@ redirect_from:
   - /github/managing-security-vulnerabilities/configuring-github-dependabot-security-updates
   - /github/managing-security-vulnerabilities/configuring-dependabot-security-updates
   - /code-security/supply-chain-security/configuring-dependabot-security-updates
+  - /code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/configuring-dependabot-security-updates
 versions:
   fpt: '*'
   ghec: '*'
@@ -37,7 +38,7 @@ You can disable {% data variables.product.prodname_dependabot_security_updates %
 
 ## Supported repositories
 
-{% data variables.product.prodname_dotcom %} automatically enables {% data variables.product.prodname_dependabot_security_updates %} for every repository that meets these prerequisites. 
+{% data variables.product.prodname_dotcom %} automatically enables {% data variables.product.prodname_dependabot_security_updates %} for every repository that meets these prerequisites.
 
 {% note %}
 
@@ -59,7 +60,7 @@ If security updates are not enabled for your repository and you don't know why,
 
 You can enable or disable {% data variables.product.prodname_dependabot_security_updates %} for an individual repository (see below).
 
-You can also enable or disable {% data variables.product.prodname_dependabot_security_updates %} for all repositories owned by your user account or organization. For more information, see "[Managing security and analysis settings for your user account](/github/setting-up-and-managing-your-github-user-account/managing-security-and-analysis-settings-for-your-user-account)" or "[Managing security and analysis settings for your organization](/organizations/keeping-your-organization-secure/managing-security-and-analysis-settings-for-your-organization)." 
+You can also enable or disable {% data variables.product.prodname_dependabot_security_updates %} for all repositories owned by your user account or organization. For more information, see "[Managing security and analysis settings for your user account](/github/setting-up-and-managing-your-github-user-account/managing-security-and-analysis-settings-for-your-user-account)" or "[Managing security and analysis settings for your organization](/organizations/keeping-your-organization-secure/managing-security-and-analysis-settings-for-your-organization)."
 
 {% data variables.product.prodname_dependabot_security_updates %} require specific repository settings. For more information, see "[Supported repositories](#supported-repositories)."
 
@@ -68,12 +69,12 @@ You can also enable or disable {% data variables.product.prodname_dependabot_sec
 {% data reusables.repositories.navigate-to-repo %}
 {% data reusables.repositories.sidebar-settings %}
 {% data reusables.repositories.navigate-to-security-and-analysis %}
-1. Under "Code security and analysis", to the right of "{% data variables.product.prodname_dependabot %} security updates", click **Enable** or **Disable**.
+1. Under "Code security and analysis", to the right of "{% data variables.product.prodname_dependabot %} security updates", click **Enable** to enable the feature or **Disable** to disable it. {% ifversion fpt or ghec %}For public repositories, the button is disabled if the feature is always enabled.{% endif %}
   {% ifversion fpt or ghec %}!["Code security and analysis" section with button to enable {% data variables.product.prodname_dependabot_security_updates %}](/assets/images/help/repository/enable-dependabot-security-updates-button.png){% else %}!["Code security and analysis" section with button to enable {% data variables.product.prodname_dependabot_security_updates %}](/assets/images/enterprise/3.3/repository/security-and-analysis-disable-or-enable-ghes.png){% endif %}
 
 
 ## Further reading
 
-- "[About alerts for vulnerable dependencies](/code-security/supply-chain-security/about-alerts-for-vulnerable-dependencies)"{% ifversion fpt or ghec %}
+- "[About {% data variables.product.prodname_dependabot_alerts %}](/code-security/supply-chain-security/about-alerts-for-vulnerable-dependencies)"{% ifversion fpt or ghec %}
 - "[Managing data use settings for your private repository](/get-started/privacy-on-github/managing-data-use-settings-for-your-private-repository)"{% endif %}
 - "[Supported package ecosystems](/github/visualizing-repository-data-with-graphs/about-the-dependency-graph#supported-package-ecosystems)"

content/code-security/dependabot/dependabot-security-updates/index.md

@@ -0,0 +1,20 @@
+---
+title: Automatically updating dependencies with known vulnerabilities with Dependabot security updates
+intro: '{% data variables.product.prodname_dependabot %} can help you fix vulnerable dependencies by automatically raising pull requests to update dependencies to secure versions.'
+allowTitleToDifferFromFilename: true
+versions:
+  fpt: '*'
+  ghec: '*'
+  ghes: '>3.2'
+topics:
+  - Repositories
+  - Dependabot
+  - Security updates
+  - Dependencies
+  - Pull requests
+shortTitle: Dependabot security updates
+children:
+  - /about-dependabot-security-updates
+  - /configuring-dependabot-security-updates
+---
+

content/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates.md

@@ -8,6 +8,7 @@ redirect_from:
   - /github/administering-a-repository/about-dependabot-version-updates
   - /code-security/supply-chain-security/about-dependabot-version-updates
   - /code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/upgrading-from-dependabotcom-to-github-native-dependabot
+  - /code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/about-dependabot-version-updates
 versions:
   fpt: '*'
   ghec: '*'
@@ -31,7 +32,7 @@ shortTitle: Dependabot version updates
 
 You enable {% data variables.product.prodname_dependabot_version_updates %} by checking a configuration file into your repository. The configuration file specifies the location of the manifest, or of other package definition files, stored in your repository. {% data variables.product.prodname_dependabot %} uses this information to check for outdated packages and applications. {% data variables.product.prodname_dependabot %} determines if there is a new version of a dependency by looking at the semantic versioning ([semver](https://semver.org/)) of the dependency to decide whether it should update to that version. For certain package managers, {% data variables.product.prodname_dependabot_version_updates %} also supports vendoring. Vendored (or cached) dependencies are dependencies that are checked in to a specific directory in a repository rather than referenced in a manifest. Vendored dependencies are available at build time even if package servers are unavailable. {% data variables.product.prodname_dependabot_version_updates %} can be configured to check vendored dependencies for new versions and update them if necessary. 
 
-When {% data variables.product.prodname_dependabot %} identifies an outdated dependency, it raises a pull request to update the manifest to the latest version of the dependency. For vendored dependencies, {% data variables.product.prodname_dependabot %} raises a pull request to replace the outdated dependency with the new version directly. You check that your tests pass, review the changelog and release notes included in the pull request summary, and then merge it. For more information, see "[Enabling and disabling {% data variables.product.prodname_dependabot %} version updates](/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/enabling-and-disabling-dependabot-version-updates)."
+When {% data variables.product.prodname_dependabot %} identifies an outdated dependency, it raises a pull request to update the manifest to the latest version of the dependency. For vendored dependencies, {% data variables.product.prodname_dependabot %} raises a pull request to replace the outdated dependency with the new version directly. You check that your tests pass, review the changelog and release notes included in the pull request summary, and then merge it. For more information, see "[Configuring {% data variables.product.prodname_dependabot %} version updates](/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/enabling-and-disabling-dependabot-version-updates)."
 
 If you enable _security updates_, {% data variables.product.prodname_dependabot %} also raises pull requests to update vulnerable dependencies. For more information, see "[About {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/about-dependabot-security-updates)."
 
@@ -50,7 +51,7 @@ If you've enabled security updates, you'll sometimes see extra pull requests for
 ## Supported repositories and ecosystems
 <!-- If you make changes to this feature, update /getting-started-with-github/github-language-support to reflect any changes to supported repositories or ecosystems. -->
 
-You can configure version updates for repositories that contain a dependency manifest or lock file for one of the supported package managers. For some package managers, you can also configure vendoring for dependencies. For more information, see "[Configuration options for dependency updates](/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates#vendor)."
+You can configure version updates for repositories that contain a dependency manifest or lock file for one of the supported package managers. For some package managers, you can also configure vendoring for dependencies. For more information, see "[Configuration options for the dependabot.yml file](/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates#vendor)."
 {% note %}
 
 {% data reusables.dependabot.private-dependencies-note %}