diff --git a/content/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners.md b/content/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners.md index 47469217c7..434bd6a936 100644 --- a/content/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners.md +++ b/content/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners.md @@ -28,11 +28,10 @@ You can add self-hosted runners at various levels in the management hierarchy: {% data reusables.actions.self-hosted-runner-architecture %} {% data reusables.actions.runner-app-open-source %} When a new version is released, the runner application automatically updates itself when a job is assigned to the runner, or within a week of release if the runner hasn't been assigned any jobs. {% ifversion ghes %} -{% note %} -**Note:** {% data reusables.actions.upgrade-runners-before-upgrade-ghes %} +> [!NOTE] +> {% data reusables.actions.upgrade-runners-before-upgrade-ghes %} -{% endnote %} {% endif %} {% data reusables.actions.self-hosted-runner-auto-removal %} 
@@ -157,63 +156,9 @@ You must ensure that the machine has the appropriate network access with at leas You can use the REST API to get meta information about {% data variables.product.company_short %}, including the IP addresses of {% data variables.product.company_short %} services. For more information about the domains and IP addresses used, see "[AUTOTITLE](/rest/meta/meta)." -{% note %} +{% data reusables.actions.domain-name-cname-recursive-firewall-rules %} -**Note:** Some of the domains listed below are configured using `CNAME` records. Some firewalls might require you to add rules recursively for all `CNAME` records. Note that the `CNAME` records might change in the future, and that only the domains listed below will remain constant. - -{% endnote %} - -**Needed for essential operations:** - -```shell copy -github.com -api.github.com -*.actions.githubusercontent.com -``` - -**Needed for downloading actions:** - -```shell copy -codeload.github.com -ghcr.io -*.actions.githubusercontent.com -``` - -**Needed for uploading/downloading job summaries, logs, workflow artifacts, and caches:** - -```shell copy -results-receiver.actions.githubusercontent.com -*.blob.core.windows.net -``` - -**Needed for runner version updates:** - -```shell copy -objects.githubusercontent.com -objects-origin.githubusercontent.com -github-releases.githubusercontent.com -github-registry-files.githubusercontent.com -``` - -**Needed for retrieving OIDC tokens:** - -```shell copy -*.actions.githubusercontent.com -``` - -**Needed for downloading or publishing packages or containers to {% data variables.product.prodname_dotcom %} Packages:** - -```shell copy -*.pkg.github.com -ghcr.io -``` - -**Needed for {% data variables.large_files.product_name_long %}** - -```shell copy -github-cloud.githubusercontent.com -github-cloud.s3.amazonaws.com -``` +{% data reusables.actions.runner-essential-communications %} In addition, your workflow may require access to other network resources. 
@@ -245,11 +190,7 @@ ghcr.io *.actions.githubusercontent.com ``` -{% note %} - -**Note:** Some of the domains listed above are configured using `CNAME` records. Some firewalls might require you to add rules recursively for all `CNAME` records. Note that the `CNAME` records might change in the future, and that only the domains listed above will remain constant. - -{% endnote %} +{% data reusables.actions.domain-name-cname-recursive-firewall-rules %} {% endif %} diff --git a/content/actions/using-github-hosted-runners/about-github-hosted-runners/about-github-hosted-runners.md b/content/actions/using-github-hosted-runners/about-github-hosted-runners/about-github-hosted-runners.md index f7445b9f6c..f4335c17f0 100644 --- a/content/actions/using-github-hosted-runners/about-github-hosted-runners/about-github-hosted-runners.md +++ b/content/actions/using-github-hosted-runners/about-github-hosted-runners/about-github-hosted-runners.md @@ -32,11 +32,8 @@ Using {% data variables.product.prodname_dotcom %}-hosted runners requires netwo {% ifversion github-hosted-runners-emus-entitlements %} -{% note %} - -**Note:** {% data reusables.actions.entitlement-minutes-emus %} For more information, see "[AUTOTITLE](/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/about-enterprise-managed-users)." - -{% endnote %} +> [!NOTE] +> {% data reusables.actions.entitlement-minutes-emus %} For more information, see "[AUTOTITLE](/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/about-enterprise-managed-users)." {% endif %} 
@@ -122,11 +119,8 @@ While the job runs, the logs and output can be viewed in the {% data variables.p {% data variables.product.prodname_dotcom %}-hosted Linux runners support hardware acceleration for Android SDK tools, which makes running Android tests much faster and consumes fewer minutes. For more information on Android hardware acceleration, see [Configure hardware acceleration for the Android Emulator](https://developer.android.com/studio/run/emulator-acceleration) in the Android Developers documentation. -{% note %} - -**Note:** The `-latest` runner images are the latest stable images that {% data variables.product.prodname_dotcom %} provides, and might not be the most recent version of the operating system available from the operating system vendor. - -{% endnote %} +> [!NOTE] +> The `-latest` runner images are the latest stable images that {% data variables.product.prodname_dotcom %} provides, and might not be the most recent version of the operating system available from the operating system vendor. {% warning %} 
@@ -208,6 +202,16 @@ Since there are so many IP address ranges for {% data variables.product.prodname The list of {% data variables.product.prodname_actions %} IP addresses returned by the API is updated once a week. +## Communication requirements for {% data variables.product.prodname_dotcom %}-hosted runners and {% data variables.product.product_name %} + +A {% data variables.product.prodname_dotcom %}-hosted runner must establish connections to {% data variables.product.prodname_dotcom %}-owned endpoints to perform essential communication operations. In addition, your runner may require access to additional networks that you specify or utilize within an action. + +To ensure proper communications for {% data variables.product.prodname_dotcom %}-hosted runners between networks within your configuration, ensure that the following communications are allowed. + +{% data reusables.actions.domain-name-cname-recursive-firewall-rules %} + +{% data reusables.actions.runner-essential-communications %} + ## The `etc/hosts` file {% data reusables.actions.runners-etc-hosts-file %} diff --git a/content/code-security/code-scanning/managing-your-code-scanning-configuration/set-code-scanning-merge-protection.md b/content/code-security/code-scanning/managing-your-code-scanning-configuration/set-code-scanning-merge-protection.md index 8b1922ff8d..c5a001e8f1 100644 --- a/content/code-security/code-scanning/managing-your-code-scanning-configuration/set-code-scanning-merge-protection.md +++ b/content/code-security/code-scanning/managing-your-code-scanning-configuration/set-code-scanning-merge-protection.md 
@@ -19,6 +19,7 @@ topics: - This feature is currently in beta and subject to change. - Merge protection with rulesets is not related to status checks. For more information about status checks, see "[AUTOTITLE](/pull-requests/collaborating-with-pull-requests/collaborating-on-repositories-with-code-quality-features/about-status-checks)." +- Merge protection with rulesets will not apply to merge queue groups or {% data variables.product.prodname_dependabot %} pull requests analyzed by default setup. {% endnote %} diff --git a/data/reusables/actions/domain-name-cname-recursive-firewall-rules.md b/data/reusables/actions/domain-name-cname-recursive-firewall-rules.md new file mode 100644 index 0000000000..7a96cd7717 --- /dev/null +++ b/data/reusables/actions/domain-name-cname-recursive-firewall-rules.md @@ -0,0 +1,2 @@ +> [!NOTE] +> Some of the domains listed are configured using `CNAME` records. Some firewalls might require you to add rules recursively for all `CNAME` records. Note that the `CNAME` records might change in the future, and that only the domains listed will remain constant. diff --git a/data/reusables/actions/runner-essential-communications.md b/data/reusables/actions/runner-essential-communications.md new file mode 100644 index 0000000000..f1864f450b --- /dev/null +++ b/data/reusables/actions/runner-essential-communications.md 
@@ -0,0 +1,51 @@ +**Needed for essential operations:** + +```shell copy +github.com +api.github.com +*.actions.githubusercontent.com +``` + +**Needed for downloading actions:** + +```shell copy +codeload.github.com +ghcr.io +*.actions.githubusercontent.com +``` + +**Needed for uploading/downloading job summaries, logs, workflow artifacts, and caches:** + +```shell copy +results-receiver.actions.githubusercontent.com +*.blob.core.windows.net +``` + +**Needed for runner version updates:** + +```shell copy +objects.githubusercontent.com +objects-origin.githubusercontent.com +github-releases.githubusercontent.com +github-registry-files.githubusercontent.com +``` + +**Needed for retrieving OIDC tokens:** + +```shell copy +*.actions.githubusercontent.com +``` + +**Needed for downloading or publishing packages or containers to {% data variables.product.prodname_dotcom %} Packages:** + +```shell copy +*.pkg.github.com +ghcr.io +``` + +**Needed for {% data variables.large_files.product_name_long %}** + +```shell copy +github-cloud.githubusercontent.com +github-cloud.s3.amazonaws.com +```
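Review bot: In `about-self-hosted-runners.md` (hunk `@@ -28,11 +28,10 @@`), the new alert body is only `> {% data reusables.actions.upgrade-runners-before-upgrade-ghes %}`, so the `>` prefix covers the first line of whatever the reusable expands to. If that reusable ever contains a line break or a second paragraph, the rest falls outside the note. Please confirm it is a single line, and check the same for `> {% data reusables.actions.entitlement-minutes-emus %}` in `about-github-hosted-runners.md` (hunk `@@ -32,11 +32,8 @@`).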
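Review bot: In `about-github-hosted-runners.md` (hunk `@@ -122,11 +119,8 @@`), the `-latest` note is converted to `> [!NOTE]`, but the `{% warning %}` block that starts on the next context line keeps the old Liquid tag syntax, so two adjacent callouts now use different styles. Convert the warning in the same change, or say in the commit message that it is left for a follow-up.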
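Review bot: The new "Communication requirements" section in `about-github-hosted-runners.md` (hunk `@@ -208,6 +202,16 @@`) does not say where the reader is expected to allow these connections: "between networks within your configuration" leaves it unclear which firewall or network the rules belong to when the runner is hosted by GitHub. State the scenario this section is for. Also confirm that every group in the shared `runner-essential-communications` reusable applies to GitHub-hosted runners, for example "Needed for runner version updates", which the self-hosted page ties to the runner application updating itself. On wording, "To ensure ... ensure that" repeats the verb and "utilize" can be "use".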
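Review bot: In `set-code-scanning-merge-protection.md` (hunk `@@ -19,6 +19,7 @@`), the added bullet is ambiguous about its scope: "analyzed by default setup" can be read as qualifying only the Dependabot pull requests or both those and merge queue groups. Because this bullet describes where merge protection is not enforced, readers need the exact boundary, so split it into two clauses or two bullets. "will not apply" also reads better as "does not apply" to match the present tense of the bullets above. The surrounding `{% endnote %}` block is left in the old syntax while the other files in this change move to `> [!NOTE]`.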
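Review bot: In the new `data/reusables/actions/domain-name-cname-recursive-firewall-rules.md`, the note says the `CNAME` records might change but gives the reader nothing to act on. Firewall rules built from the resolved `CNAME` targets go stale when that happens, so it would help to say that rules should be keyed on the listed domains where the firewall supports it, and that recursively added rules need to be re-checked. "Note that" is also redundant inside a `[!NOTE]` alert.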
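Review bot: In the new `data/reusables/actions/runner-essential-communications.md`, the `*.blob.core.windows.net` entry under "uploading/downloading job summaries, logs, workflow artifacts, and caches" is a wildcard over the whole Azure Blob Storage namespace, not only storage accounts owned by GitHub, so an egress allowlist copied from this block permits traffic to any storage account. Now that the list is shared by both runner pages, add a sentence saying so, so that readers who filter egress know this rule is broader than the other entries. Separately, the last heading, `**Needed for {% data variables.large_files.product_name_long %}**`, is missing the trailing colon that the other six headings have, and the `shell copy` fences hold hostnames rather than shell commands.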