Merge pull request #20129 from github/repo-sync

repo sync
2025-12-30 03:01:36 -05:00 · 2022-08-24 13:04:16 -04:00
parent cd445e478a 3032431868
commit dfd9d43af1
19 changed files with 115 additions and 3 deletions
--- a/assets/images/help/organizations/secret-scanning-custom-link.png
+++ b/assets/images/help/organizations/secret-scanning-custom-link.png
--- a/assets/images/help/repository/secret-scanning-push-protection-web-ui-commit-blocked-banner-with-link.png
+++ b/assets/images/help/repository/secret-scanning-push-protection-web-ui-commit-blocked-banner-with-link.png
--- a/assets/images/help/repository/secret-scanning-push-protection-web-ui-commit-blocked-banner.png
+++ b/assets/images/help/repository/secret-scanning-push-protection-web-ui-commit-blocked-banner.png
--- a/assets/images/help/repository/secret-scanning-push-protection-with-custom-link.png
+++ b/assets/images/help/repository/secret-scanning-push-protection-with-custom-link.png
--- a/content/code-security/secret-scanning/about-secret-scanning.md
+++ b/content/code-security/secret-scanning/about-secret-scanning.md
@@ -39,7 +39,7 @@ Service providers can partner with {% data variables.product.company_short %} to

 {% ifversion secret-scanning-push-protection %}

-You can also enable {% data variables.product.prodname_secret_scanning %} as a push protection for a repository or an organization. When you enable this feature, {% data variables.product.prodname_secret_scanning %} prevents contributors from pushing code with a detected secret. To proceed, contributors must either remove the secret(s) from the push or, if needed, bypass the protection. For more information, see "[Protecting pushes with {% data variables.product.prodname_secret_scanning %}](/code-security/secret-scanning/protecting-pushes-with-secret-scanning)."
+You can also enable {% data variables.product.prodname_secret_scanning %} as a push protection for a repository or an organization. When you enable this feature, {% data variables.product.prodname_secret_scanning %} prevents contributors from pushing code with a detected secret. To proceed, contributors must either remove the secret(s) from the push or, if needed, bypass the protection. {% ifversion push-protection-custom-link-orgs %}Admins can also specify a custom link that is displayed to the contributor when a push is blocked; the link can contain resources specific to the organization to aid contributors. {% endif %}For more information, see "[Protecting pushes with {% data variables.product.prodname_secret_scanning %}](/code-security/secret-scanning/protecting-pushes-with-secret-scanning)."

 {% endif %}

--- a/content/code-security/secret-scanning/protecting-pushes-with-secret-scanning.md
+++ b/content/code-security/secret-scanning/protecting-pushes-with-secret-scanning.md
@@ -60,8 +60,20 @@ Organization owners, security managers, and repository administrators can enable

 Up to five detected secrets will be displayed at a time on the command line. If a particular secret has already been detected in the repository and an alert already exists, {% data variables.product.prodname_dotcom %} will not block that secret. 

+{% ifversion push-protection-custom-link-orgs %} 
+
+Organization admins can provide a custom link that will be displayed when a push is blocked. This custom link can contain organization-specific resources and advice, such as directions on using a recommended secrets vault or who to contact for questions relating to the blocked secret.
+
+{% ifversion push-protection-custom-link-orgs-beta %}{% data reusables.advanced-security.custom-link-beta %}{% endif %}
+
+![Screenshot showing that a push is blocked when a user attempts to push a secret to a repository](/assets/images/help/repository/secret-scanning-push-protection-with-custom-link.png)
+
+{% else %}
+
 ![Screenshot showing that a push is blocked when a user attempts to push a secret to a repository](/assets/images/help/repository/secret-scanning-push-protection-with-link.png)

+{% endif %}
+
 {% data reusables.secret-scanning.push-protection-remove-secret %} For more information about remediating blocked secrets, see "[Pushing a branch blocked by push protection](/code-security/secret-scanning/pushing-a-branch-blocked-by-push-protection#resolving-a-blocked-push-on-the-command-line)."

 If you confirm a secret is real and that you intend to fix it later, you should aim to remediate the secret as soon as possible. For example, you might revoke the secret and remove the secret from the repository's commit history. Real secrets that have been exposed must be revoked to avoid unauthorized access. You might consider first rotating the secret before revoking it. For more information, see "[Removing sensitive data from a repository](/authentication/keeping-your-account-and-data-secure/removing-sensitive-data-from-a-repository)."
@@ -89,6 +101,14 @@ If {% data variables.product.prodname_dotcom %} blocks a secret that you believe

 {% data variables.product.prodname_dotcom %} will only display one detected secret at a time in the web UI. If a particular secret has already been detected in the repository and an alert already exists, {% data variables.product.prodname_dotcom %} will not block that secret.

+{% ifversion push-protection-custom-link-orgs %} 
+
+Organization admins can provide a custom link that will be displayed when a push is blocked. This custom link can contain resources and advice specific to your organization. For example, the custom link can point to a README file with information about the organization's secret vault, which teams and individuals to escalate questions to, or the organization's approved policy for working with secrets and rewriting commit history.
+
+{% ifversion push-protection-custom-link-orgs-beta %}{% data reusables.advanced-security.custom-link-beta %}{% endif %}
+
+{% endif %}
+
 You can remove the secret from the file using the web UI. Once you remove the secret, the banner at the top of the page will change and tell you that you can now commit your changes.

  ![Screenshot showing commit in web ui allowed after secret fixed](/assets/images/help/repository/secret-scanning-push-protection-web-ui-commit-allowed.png)
--- a/content/code-security/secret-scanning/pushing-a-branch-blocked-by-push-protection.md
+++ b/content/code-security/secret-scanning/pushing-a-branch-blocked-by-push-protection.md
@@ -27,6 +27,14 @@ If {% data variables.product.prodname_dotcom %} blocks a secret that you believe

 {% endtip %}

+{% ifversion push-protection-custom-link-orgs %} 
+
+Organization admins can provide a custom link that will be included in the message from {% data variables.product.product_name %} when your push is blocked. This custom link can contain resources and advice specific to your organization and its policies.
+
+{% ifversion push-protection-custom-link-orgs-beta %}{% data reusables.advanced-security.custom-link-beta %}{% endif %}
+
+{% endif %}
+
 ## Resolving a blocked push on the command line

 {% data reusables.secret-scanning.push-protection-command-line-choice %}
--- a/data/features/push-protection-custom-link-orgs-beta.yml
+++ b/data/features/push-protection-custom-link-orgs-beta.yml
@@ -0,0 +1,8 @@
+# Issue 7299
+# Push protection custom links beta flags
+# See "push-protection-custom-link-orgs" for the feature
+versions:
+  fpt: '*'
+  ghec: '*'
+  ghes: '>=3.7'
+  ghae: 'issue-7299'
--- a/data/features/push-protection-custom-link-orgs.yml
+++ b/data/features/push-protection-custom-link-orgs.yml
@@ -0,0 +1,8 @@
+# Issue 7299
+# Push protection custom links
+# See "push-protection-custom-link-orgs-beta" for the beta flags
+versions:
+  fpt: '*'
+  ghec: '*'
+  ghes: '>=3.7'
+  ghae: 'issue-7299'
--- a/data/graphql/ghae/schema.docs-ghae.graphql
+++ b/data/graphql/ghae/schema.docs-ghae.graphql
@@ -38740,6 +38740,11 @@ input TransferIssueInput {
  """
  clientMutationId: String

+  """
+  Whether to create labels if they don't exist in the target repository (matched by name)
+  """
+  createLabelsIfMissing: Boolean = false
+
  """
  The Node ID of the issue to be transferred
  """
--- a/data/graphql/ghec/schema.docs.graphql
+++ b/data/graphql/ghec/schema.docs.graphql
@@ -47749,6 +47749,11 @@ input TransferIssueInput {
  """
  clientMutationId: String

+  """
+  Whether to create labels if they don't exist in the target repository (matched by name)
+  """
+  createLabelsIfMissing: Boolean = false
+
  """
  The Node ID of the issue to be transferred
  """
--- a/data/graphql/schema.docs.graphql
+++ b/data/graphql/schema.docs.graphql
@@ -47749,6 +47749,11 @@ input TransferIssueInput {
  """
  clientMutationId: String

+  """
+  Whether to create labels if they don't exist in the target repository (matched by name)
+  """
+  createLabelsIfMissing: Boolean = false
+
  """
  The Node ID of the issue to be transferred
  """
--- a/data/reusables/advanced-security/custom-link-beta.md
+++ b/data/reusables/advanced-security/custom-link-beta.md
@@ -0,0 +1,5 @@
+{% note %}
+
+**Note:** The ability to add resource links to blocked push messages is currently in public beta and subject to change.
+
+{% endnote %}
--- a/data/reusables/advanced-security/secret-scanning-push-protection-org.md
+++ b/data/reusables/advanced-security/secret-scanning-push-protection-org.md
@@ -1,3 +1,7 @@
 1. Under "{% data variables.product.prodname_secret_scanning_caps %}", under "Push protection", click **Enable all**.
   ![Screenshot showing how to enable push protection for {% data variables.product.prodname_secret_scanning %} for an organization](/assets/images/help/organizations/secret-scanning-enable-push-protection.png)
-1. Optionally, click "Automatically enable for private repositories added to {% data variables.product.prodname_secret_scanning %}."
+1. Optionally, click "Automatically enable for private repositories added to {% data variables.product.prodname_secret_scanning %}."{% ifversion push-protection-custom-link-orgs %}
+1. Optionally, to include a custom link in the message that members will see when they attempt to push a secret, select **Add a resource link in the CLI and web UI when a commit is blocked**, then type a URL, and click **Save link**.
+   {% ifversion push-protection-custom-link-orgs-beta %}{% indented_data_reference reusables.advanced-security.custom-link-beta spaces=3 %}{% endif %}
+
+   ![Screenshot showing checkbox and text field for enabling a custom link](/assets/images/help/organizations/secret-scanning-custom-link.png){% endif %}
--- a/data/reusables/secret-scanning/push-protection-web-ui-choice.md
+++ b/data/reusables/secret-scanning/push-protection-web-ui-choice.md
@@ -2,5 +2,12 @@ When you use the web UI to attempt to commit a supported secret to a repository

 You will see a banner at the top of the page with information about the secret's location, and the secret will also be underlined in the file so you can easily find it.

+{% ifversion push-protection-custom-link-orgs %}
+
+  ![Screenshot showing commit in web ui blocked because of secret scanning push protection](/assets/images/help/repository/secret-scanning-push-protection-web-ui-commit-blocked-banner-with-link.png)
+
+{% else %}
+
  ![Screenshot showing commit in web ui blocked because of secret scanning push protection](/assets/images/help/repository/secret-scanning-push-protection-web-ui-commit-blocked-banner.png)
-  
+  
+{% endif %}
--- a/lib/graphql/static/changelog.json
+++ b/lib/graphql/static/changelog.json
@@ -1,4 +1,17 @@
 [
+  {
+    "schemaChanges": [
+      {
+        "title": "The GraphQL schema includes these changes:",
+        "changes": [
+          "<p>Input field <code>createLabelsIfMissing</code> was added to input object type <code>TransferIssueInput</code></p>"
+        ]
+      }
+    ],
+    "previewChanges": [],
+    "upcomingChanges": [],
+    "date": "2022-08-24"
+  },
  {
    "schemaChanges": [
      {
--- a/lib/graphql/static/schema-dotcom.json
+++ b/lib/graphql/static/schema-dotcom.json
@@ -87260,6 +87260,14 @@
          "kind": "scalars",
          "href": "/graphql/reference/scalars#string"
        },
+        {
+          "name": "createLabelsIfMissing",
+          "description": "<p>Whether to create labels if they don't exist in the target repository (matched by name).</p>",
+          "type": "Boolean",
+          "id": "boolean",
+          "kind": "scalars",
+          "href": "/graphql/reference/scalars#boolean"
+        },
        {
          "name": "issueId",
          "description": "<p>The Node ID of the issue to be transferred.</p>",
--- a/lib/graphql/static/schema-ghae.json
+++ b/lib/graphql/static/schema-ghae.json
@@ -71048,6 +71048,14 @@
          "kind": "scalars",
          "href": "/graphql/reference/scalars#string"
        },
+        {
+          "name": "createLabelsIfMissing",
+          "description": "<p>Whether to create labels if they don't exist in the target repository (matched by name).</p>",
+          "type": "Boolean",
+          "id": "boolean",
+          "kind": "scalars",
+          "href": "/graphql/reference/scalars#boolean"
+        },
        {
          "name": "issueId",
          "description": "<p>The Node ID of the issue to be transferred.</p>",
--- a/lib/graphql/static/schema-ghec.json
+++ b/lib/graphql/static/schema-ghec.json
@@ -87260,6 +87260,14 @@
          "kind": "scalars",
          "href": "/graphql/reference/scalars#string"
        },
+        {
+          "name": "createLabelsIfMissing",
+          "description": "<p>Whether to create labels if they don't exist in the target repository (matched by name).</p>",
+          "type": "Boolean",
+          "id": "boolean",
+          "kind": "scalars",
+          "href": "/graphql/reference/scalars#boolean"
+        },
        {
          "name": "issueId",
          "description": "<p>The Node ID of the issue to be transferred.</p>",