New translation batch for cn (#25090)
* Add crowdin translations
* Run script/i18n/homogenize-frontmatter.js
* Run script/i18n/lint-translation-files.js --check parsing
* Run script/i18n/lint-translation-files.js --check rendering
* run script/i18n/reset-files-with-broken-liquid-tags.js --language=cn
* run script/i18n/reset-known-broken-translation-files.js
* Check in cn CSV report

Co-authored-by: Mike Surowiec <mikesurowiec@users.noreply.github.com>
@@ -121,6 +121,7 @@ translations/zh-CN/content/education/explore-the-benefits-of-teaching-and-learni
translations/zh-CN/content/education/explore-the-benefits-of-teaching-and-learning-with-github-education/use-github-for-your-schoolwork/why-wasnt-my-application-for-a-student-developer-pack-approved.md,broken liquid tags
translations/zh-CN/content/education/manage-coursework-with-github-classroom/integrate-github-classroom-with-an-ide/about-using-makecode-arcade-with-github-classroom.md,broken liquid tags
translations/zh-CN/content/education/manage-coursework-with-github-classroom/learn-with-github-classroom/view-autograding-results.md,broken liquid tags
translations/zh-CN/content/get-started/customizing-your-github-workflow/exploring-integrations/about-github-marketplace.md,broken liquid tags
translations/zh-CN/content/get-started/getting-started-with-git/updating-credentials-from-the-macos-keychain.md,broken liquid tags
translations/zh-CN/content/get-started/importing-your-projects-to-github/importing-source-code-to-github/adding-an-existing-project-to-github-using-the-command-line.md,broken liquid tags
translations/zh-CN/content/get-started/learning-about-github/about-github-advanced-security.md,broken liquid tags
@@ -131,9 +132,7 @@ translations/zh-CN/content/get-started/quickstart/github-flow.md,broken liquid t
translations/zh-CN/content/get-started/using-git/dealing-with-non-fast-forward-errors.md,broken liquid tags
translations/zh-CN/content/get-started/using-github/github-mobile.md,broken liquid tags
translations/zh-CN/content/get-started/writing-on-github/editing-and-sharing-content-with-gists/creating-gists.md,broken liquid tags
translations/zh-CN/content/github/customizing-your-github-workflow/exploring-integrations/about-github-marketplace.md,broken liquid tags
translations/zh-CN/content/issues/using-labels-and-milestones-to-track-work/managing-labels.md,broken liquid tags
translations/zh-CN/content/organizations/keeping-your-organization-secure/reviewing-the-audit-log-for-your-organization.md,Listed in localization-support#489
translations/zh-CN/content/organizations/managing-organization-settings/managing-the-default-branch-name-for-repositories-in-your-organization.md,broken liquid tags
translations/zh-CN/content/organizations/managing-organization-settings/managing-the-publication-of-github-pages-sites-for-your-organization.md,Listed in localization-support#489
translations/zh-CN/content/organizations/organizing-members-into-teams/about-teams.md,broken liquid tags

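Review bot: the two entries marked `Listed in localization-support#489` (the organization audit-log article and the GitHub Pages publication-settings article) sit among the `broken liquid tags` entries that `reset-files-with-broken-liquid-tags.js` reverts to English, and both are security-relevant organization-settings pages that zh-CN readers will now see in English. The reason column is the only record of why each file was reverted, so it would help to state here (or in the PR description) which of the two reset scripts handled those two rows, since `reset-known-broken-translation-files.js` is also run in this batch.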
@@ -46,7 +46,7 @@ To follow-up on notifications, you might consider the question "What was I block

例如,您可以决定按照以下顺序采取后续行动:

- 分配给您的议题和拉取请求。 立即关闭您可以关闭的任何议题或拉取请求,并添加更新。 需要时,保存通知供以后查看。
- 查看已保存的收件箱中的通知,尤其是未读更新。 如果帖子不再相关,请取消选中 {% octicon "bookmark" aria-label="The bookmark icon" %} 以从保存的收件箱中删除通知并取消保存它。
- 查看已保存的收件箱中的通知,尤其是未读更新。 If the thread is no longer relevant, deselect {% octicon "bookmark" aria-label="The bookmark icon" %} to remove the notification from the saved inbox and unsave it.

## 管理低优先级通知

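Review bot: the new bullet is half translated: its first sentence stays Chinese while the remainder is the English source, and the `{% octicon "bookmark" aria-label="The bookmark icon" %}` tag is byte-for-byte identical in the removed and added lines, so this tag is not what triggered the reset. Either keep the full previous translation of the bullet or reset the whole bullet to English; a list item that switches language mid-sentence is worse for readers than either option.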
@@ -28,7 +28,7 @@ For more information about how contributions are calculated, see "[Managing cont
{% note %}

**Notes:**
- The connection between your accounts is governed by <a href="/articles/github-privacy-statement/" class="dotcom-only">GitHub's Privacy Statement</a> and users enabling the connection agree to the <a href="/articles/github-terms-of-service/" class="dotcom-only">GitHub's Terms of Service</a>.
- The connection between your accounts is governed by [GitHub's Privacy Statement](/free-pro-team@latest/github/site-policy/github-privacy-statement/) and users enabling the connection agree to the [GitHub's Terms of Service](/free-pro-team@latest/github/site-policy/github-terms-of-service).

- Before you can connect your {% ifversion fpt or ghec %}{% data variables.product.prodname_enterprise %}{% else %}{% data variables.product.product_name %}{% endif %} profile to your {% data variables.product.prodname_dotcom_the_website %} profile, your enterprise owner must enable {% data variables.product.prodname_github_connect %} and enable contribution sharing between the environments. For more information, contact your enterprise owner.

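Review bot: the removed anchors carried `class="dotcom-only"`, which hid them outside GitHub.com, while the replacement markdown links have no such gate and point at `/free-pro-team@latest/...` paths. This note lives in a GitHub Connect article that renders on GHES and GHAE, so confirm that showing the Privacy Statement and Terms of Service links on those versions, linking out to the dotcom paths, is the intended behaviour of the English source rather than a side effect of the reset.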
@@ -7,7 +7,7 @@ redirect_from:
- /articles/inviting-collaborators-to-a-personal-repository
- /github/setting-up-and-managing-your-github-user-account/inviting-collaborators-to-a-personal-repository
- /github/setting-up-and-managing-your-github-user-account/managing-access-to-your-personal-repositories/inviting-collaborators-to-a-personal-repository
product: '{% ifversion fpt %}{% data reusables.gated-features.user-repo-collaborators %}{% endif %}'
product: '{% data reusables.gated-features.user-repo-collaborators %}'
versions:
fpt: '*'
ghes: '*'
@@ -38,8 +38,8 @@ If you're a member of an {% data variables.product.prodname_emu_enterprise %}, y
1. 您邀请成为协作者的人员需提供用户名。{% ifversion fpt or ghec %} 如果他们还没有用户名,他们可以注册 {% data variables.product.prodname_dotcom %} 更多信息请参阅“[注册新 {% data variables.product.prodname_dotcom %} 帐户](/articles/signing-up-for-a-new-github-account)”。{% endif %}
{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.sidebar-settings %}
{% ifversion fpt or ghec %}
{% data reusables.repositories.navigate-to-manage-access %}
{% ifversion fpt or ghec or ghes > 3.3 or ghae-issue-5658%}
{% data reusables.repositories.click-collaborators-teams %}
1. 单击 **Invite a collaborator(邀请协作者)**。 
2. 在搜索字段中,开始键入您想邀请的人员的姓名,然后单击匹配列表中的姓名。 
3. 单击 **Add NAME to REPOSITORY(添加姓名到仓库)**。 

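Review bot: `{% ifversion fpt or ghec or ghes > 3.3 or ghae-issue-5658%}` is missing the space before `%}`; the same tag in the removing-a-collaborator file in this batch reads `ghae-issue-5658 %}`. Liquid tolerates the missing space, but since this commit exists to reset files with broken Liquid tags, normalising the spacing here keeps the two files consistent and avoids the tag being flagged on the next lint run.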
@@ -30,8 +30,8 @@ shortTitle: 删除协作者

{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.sidebar-settings %}
{% ifversion fpt or ghec %}
{% data reusables.repositories.navigate-to-manage-access %}
{% ifversion fpt or ghec or ghes > 3.3 or ghae-issue-5658 %}
{% data reusables.repositories.click-collaborators-teams %}
4. 在要要删除的协作者的右侧,单击 {% octicon "trash" aria-label="The trash icon" %}。 
{% else %}
3. 在左侧边栏中,单击 **Collaborators & teams(协作者和团队)**。 

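Review bot: step 4 has a doubled character, `在要要删除的协作者的右侧`; it should read `在要删除的协作者的右侧`. Fix it in Crowdin rather than only in this file, otherwise the next translation batch reintroduces it.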
@@ -9,7 +9,6 @@ redirect_from:
- /articles/removing-yourself-from-a-collaborators-repository
- /github/setting-up-and-managing-your-github-user-account/removing-yourself-from-a-collaborators-repository
- /github/setting-up-and-managing-your-github-user-account/managing-access-to-your-personal-repositories/removing-yourself-from-a-collaborators-repository
product: '{% data reusables.gated-features.user-repo-collaborators %}'
versions:
fpt: '*'
ghes: '*'
@@ -22,6 +21,10 @@ shortTitle: 删除自己
---

{% data reusables.user_settings.access_settings %}
{% ifversion fpt or ghec or ghes > 3.3 or ghae-issue-5658 %}
2. In the "Code, planning, and automation" section of the sidebar, click **{% octicon "repo" aria-label="The repo icon" %} Repositories**.
{% else %}
2. 在左侧边栏中,单击 **Repositories(仓库)**。 
{% endif %}
3. 在您要离开的仓库旁边,单击 **Leave(离开)**。 
4. 仔细阅读警告,然后单击“I understand, leave this repository(我已了解,离开此仓库)”。 

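Review bot: the added `ifversion` branch is English while its `else` sibling is Chinese, so the page reads in a different language depending on the version selected. Both steps describe the same click in a different sidebar location, so the translation can be derived from the existing branch, for example `2. 在侧边栏的“Code, planning, and automation(代码、规划和自动化)”部分中,单击 **{% octicon "repo" aria-label="The repo icon" %} Repositories(仓库)**。`.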
@@ -13,12 +13,12 @@ shortTitle: 将 Jira 与项目集成

{% data reusables.user_settings.access_settings %}
{% data reusables.user_settings.developer_settings %}
3. 在左侧边栏中,单击 **{% data variables.product.prodname_oauth_apps %}**。 
3. 单击 **Register a new application(注册新应用程序)**。
4. 在 **Application name(应用程序名称)**下输入 "Jira"。
5. 在 **Homepage URL(主页 URL)**下,输入 Jira 实例的完整 URL。
6. 在 **Authorization callback URL(授权回叫 URL)**下,输入 Jira 实例的完整 URL。
7. 单击 **Register application(注册应用程序)**。 
{% data reusables.user-settings.oauth_apps %}
1. 单击 **Register a new application(注册新应用程序)**。
2. 在 **Application name(应用程序名称)**下输入 "Jira"。
3. 在 **Homepage URL(主页 URL)**下,输入 Jira 实例的完整 URL。
4. 在 **Authorization callback URL(授权回叫 URL)**下,输入 Jira 实例的完整 URL。
5. 单击 **Register application(注册应用程序)**。 
8. 在 **Developer applications(开发者应用程序)**下,记下 "Client ID"(客户 ID)和 "Client Secret"(客户端密钥)值。 
{% data reusables.user_settings.jira_help_docs %}

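Review bot: the list is renumbered 1 to 5 after `{% data reusables.user-settings.oauth_apps %}`, but the final step still carries the old number `8.`, so the rendered list jumps from 5 to 8; renumber it `6.` (or use `1.` for every item and let Markdown number them). In that same step, `"Client ID"(客户 ID)` and `"Client Secret"(客户端密钥)` translate "client" inconsistently; `客户端 ID` matches the second term and the meaning (an OAuth client, not a customer).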
@@ -14,5 +14,5 @@ shortTitle: Managing your tab size
If you feel that tabbed indentation in code rendered on {% data variables.product.product_name %} takes up too much, or too little space, you can change this in your settings.

{% data reusables.user_settings.access_settings %}
1. 在用户设置侧边栏中,单击 **Appearance(外观)**。 
1. In the left sidebar, click **{% octicon "paintbrush" aria-label="The paintbrush icon" %} Appearance**.
2. Under "Tab size preference", select the drop-down menu and choose your preference. 

@@ -26,8 +26,7 @@ shortTitle: 管理预定提醒

{% data reusables.user_settings.access_settings %}
{% data reusables.reminders.scheduled-reminders %}

3. 在要预定提醒的组织旁边,单击 **Edit(编辑)**。 
1. 在要预定提醒的组织旁边,单击 **Edit(编辑)**。 
{% data reusables.reminders.add-reminder %}
{% data reusables.reminders.authorize-slack %}
{% data reusables.reminders.days-dropdown %}
@@ -41,16 +40,14 @@ shortTitle: 管理预定提醒
## 管理用户帐户的预定提醒
{% data reusables.user_settings.access_settings %}
{% data reusables.reminders.scheduled-reminders %}

3. 在要编辑预定提醒的组织旁边,单击 **Edit(编辑)**。 
1. 在要编辑预定提醒的组织旁边,单击 **Edit(编辑)**。 
{% data reusables.reminders.edit-page %}
{% data reusables.reminders.update-buttons %}

## 删除用户帐户的预定提醒
{% data reusables.user_settings.access_settings %}
{% data reusables.reminders.scheduled-reminders %}

3. 在要删除提醒的组织旁边,单击 **Edit(编辑)**。 
1. 在要删除提醒的组织旁边,单击 **Edit(编辑)**。 
{% data reusables.reminders.delete %}

## 延伸阅读

@@ -88,7 +88,7 @@ If you are caching the package managers listed below, consider using the respect
### `cache` 操作的输入参数

- `key`:**必要** 保存缓存时创建的键,以及用于搜索缓存的键。 可以是变量、上下文值、静态字符串和函数的任何组合。 密钥最大长度为 512 个字符,密钥长度超过最大长度将导致操作失败。
- `path`:**必要** 运行器上缓存或还原的文件路径。 路径可以是绝对路径或相对于工作目录的路径。
- `path`:**必要** 运行器上缓存或还原的文件路径。 The path can be an absolute path or relative to the workspace directory.
- 路径可以是目录或单个文件,并且支持 glob 模式。
- 使用 `cache` 操作的 `v2`,可以指定单个路径,也可以在单独的行上添加多个路径。 例如:
```

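Review bot: the `key` bullet switches terminology mid-sentence: it first renders `key` as `键` and then as `密钥` (`密钥最大长度为 512 个字符`), and `密钥` means a cryptographic secret key, which the cache key is not; use `键` throughout the bullet. The reset `path` bullet also changes "working directory" (`工作目录`) to "workspace directory"; when it is retranslated, keep that distinction (`工作区目录`), since the two directories are not the same thing.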
@@ -238,7 +238,7 @@ jobs:

## 嵌入代码

下面的示例安装 `rubocop` 并用它来嵌入所有文件。 更多信息请参阅 [Rubocop](https://github.com/rubocop-hq/rubocop)。 您可以[配置 Rubocop](https://docs.rubocop.org/rubocop/configuration.html) 来决定特定的嵌入规则。
下面的示例安装 `rubocop` 并用它来嵌入所有文件。 For more information, see [RuboCop](https://github.com/rubocop-hq/rubocop). 您可以[配置 Rubocop](https://docs.rubocop.org/rubocop/configuration.html) 来决定特定的嵌入规则。

```yaml
{% data reusables.actions.actions-not-certified-by-github-comment %}

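Review bot: `嵌入` (embed) is a mistranslation of "lint" in the heading `## 嵌入代码`, in `用它来嵌入所有文件` and in `特定的嵌入规则`; the English source is about linting with RuboCop, so `检查` / `代码检查` (or keeping the term `lint`) is the right rendering. Note also that the reset replaced only the middle sentence, leaving a Chinese, English, Chinese paragraph; either reset the whole paragraph or fix the translation in Crowdin.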
@@ -84,7 +84,9 @@ Before you begin, you'll create a repository on {% ifversion ghae %}{% data vari
- id: random-number-generator
run: echo "::set-output name=random-id::$(echo $RANDOM)"
shell: bash
- run: ${{ github.action_path }}/goodbye.sh
- run: echo "${{ github.action_path }}" >> $GITHUB_PATH
shell: bash
- run: goodbye.sh
shell: bash
```
{% endraw %}

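Review bot: the replacement steps change what the example teaches. `echo "${{ github.action_path }}" >> $GITHUB_PATH` adds the action's directory to `PATH` for every later step in the job, not only for the following `goodbye.sh` step, whereas the removed `- run: ${{ github.action_path }}/goodbye.sh` invoked the script by absolute path with no side effect on the rest of the job. If the intent is to show the `$GITHUB_PATH` mechanism, the surrounding text should say that the change persists for the remaining steps; if the intent is only to run the script, the absolute-path form is the safer example.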
@@ -47,6 +47,8 @@ Docker 操作必须由默认 Docker 用户 (root) 运行。 不要在 `Dockerfil

Docker `ENTRYPOINT` 指令有 _shell_ 形式和 _exec_ 形式。 Docker `ENTRYPOINT` 文档建议使用 _exec_ 形式的 `ENTRYPOINT` 指令。 有关 _exec_ 和 _shell_ 形式的更多信息,请参阅 Docker 文档中的 [ENTRYPOINT 参考](https://docs.docker.com/engine/reference/builder/#entrypoint)。

You should not use `WORKDIR` to specify your entrypoint in your Dockerfile. Instead, you should use an absolute path. For more information, see [WORKDIR](#workdir).

如果您配置容器使用 _exec_ 形式的 `ENTRYPOINT` 指令,在操作元数据文件中配置的 `args` 不会在命令 shell 中运行。 如果操作的 `args` 包含环境变量,不会替换该变量。 例如,使用以下 _exec_ 格式将不会打印存储在 `$GITHUB_SHA` 中的值, 但会打印 `"$GITHUB_SHA"`。

```dockerfile

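Review bot: the added `WORKDIR` paragraph is English in a zh-CN file and links to `#workdir`, an anchor derived from the English heading. Check that the heading of that section in this translated file still produces the `workdir` slug; if it has been translated, the new link is dead on the Chinese page even though it works in the English source.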
@@ -13,6 +13,7 @@ versions:
ghae: '*'
ghec: '*'
type: reference
miniTocMaxHeadingLevel: 4
---

{% data reusables.actions.enterprise-beta %}
@@ -20,7 +21,7 @@ type: reference

## 关于 {% data variables.product.prodname_actions %} 的 YAML 语法

Docker 和 JavaScript 操作需要元数据文件。 元数据文件名必须是 `action.yml` 或 `action.yaml`。 元数据文件中的数据定义操作的输入、输出和主要进入点。
All actions require a metadata file. 元数据文件名必须是 `action.yml` 或 `action.yaml`。 The data in the metadata file defines the inputs, outputs, and runs configuration for your action.

操作元数据文件使用 YAML 语法。 如果您是 YAML 的新用户,请参阅“[五分钟了解 YAML](https://www.codeproject.com/Articles/1214409/Learn-YAML-in-five-minutes)”。

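Review bot: the reset sentence corrects the claim, not just the wording: the old Chinese line said only Docker and JavaScript actions need a metadata file, whereas the source says all actions, composite actions included, do, and that the file defines the `runs` configuration rather than a "main entry point" (`主要进入点`). The retranslation should preserve both corrections (`所有操作都需要元数据文件` and `runs 配置`) rather than restore the old text from translation memory.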
@@ -40,7 +41,7 @@ Docker 和 JavaScript 操作需要元数据文件。 元数据文件名必须是

**可选** 输入参数用于指定操作在运行时预期使用的数据。 {% data variables.product.prodname_dotcom %} 将输入参数存储为环境变量。 大写的输入 ID 在运行时转换为小写。 建议使用小写输入 ID。

### 示例
### Example: Specifying inputs

此示例配置两个输入:numOctocats 和 octocatEyeColor。 numOctocats 输入不是必要的,默认值为 '1'。 octocatEyeColor 输入是必要的,没有默认值。 使用此操作的工作流程文件必须使用 `with` 关键词来设置 octocatEyeColor 的输入值。 有关 `with` 语法的更多信息,请参阅“[{% data variables.product.prodname_actions %} 的工作流程语法](/articles/workflow-syntax-for-github-actions/#jobsjob_idstepswith)”。

@@ -83,13 +84,13 @@ inputs:

**可选** 如果使用输入参数,此 `string` 将记录为警告消息。 您可以使用此警告通知用户输入已被弃用,并提及任何其他替代方式。

## `outputs`
## `outputs` for Docker container and JavaScript actions

**可选** 输出参数允许您声明操作所设置的数据。 稍后在工作流程中运行的操作可以使用以前运行操作中的输出数据集。 例如,如果有操作执行两个输入的相加 (x + y = z),则该操作可能输出总和 (z),用作其他操作的输入。

如果不在操作元数据文件中声明输出,您仍然可以设置输出并在工作流程中使用它们。 有关在操作中设置输出的更多信息,请参阅“[{% data variables.product.prodname_actions %} 的工作流程命令](/actions/reference/workflow-commands-for-github-actions/#setting-an-output-parameter)”。

### 示例
### Example: Declaring outputs for Docker container and JavaScript actions

```yaml
outputs:
@@ -107,17 +108,11 @@ outputs:

## 用于复合操作的 `outputs`

**可选** `outputs` 使用与 `outputs.<output_id>` 及 `outputs.<output_id>.description` 相同的参数(请参阅“用于 {% data variables.product.prodname_actions %}</a> 的
**Optional** `outputs` use the same parameters as `outputs.<output_id>` and `outputs.<output_id>.description` (see "[`outputs` for Docker container and JavaScript actions](#outputs-for-docker-container-and-javascript-actions)"), but also includes the `value` token.

`outputs`”),但也包括 `value` 令牌。</p>

### 示例
### Example: Declaring outputs for composite actions

{% raw %}

```yaml
outputs:
random-number:
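Review bot: the removed lines were visibly corrupted (a stray `</a>` in the middle of the sentence and a trailing `</p>`), so resetting them is right. The new English line, however, links to `#outputs-for-docker-container-and-javascript-actions`, which only resolves while the earlier heading stays as `## `outputs` for Docker container and JavaScript actions`; the heading of this section (`## 用于复合操作的 `outputs``) is still Chinese, so when the headings are translated the link target must be updated in the same change or it breaks.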
@@ -130,35 +125,23 @@ runs:
run: echo "::set-output name=random-id::$(echo $RANDOM)"
shell: bash
```

{% endraw %}

### `outputs.<output_id>.value`

**必要** 输出参数将会映射到的值。 您可以使用上下文将此设置为 `string` 或表达式。 例如,您可以使用 `steps` 上下文将输出的 `value` 设置为步骤的输出值。

有关如何使用上下文语法的更多信息,请参阅“[上下文](/actions/learn-github-actions/contexts)”。

## `runs`

**Required** Specifies whether this is a JavaScript action, a composite action or a Docker action and how the action is executed.

**Required** Specifies whether this is a JavaScript action, a composite action, or a Docker container action and how the action is executed.

## 用于 JavaScript 操作的 `runs`

**Required** Configures the path to the action's code and the runtime used to execute the code.

### Example using Node.js {% ifversion fpt or ghes > 3.3 or ghae-issue-5504 or ghec %}v16{% else %}v12{% endif %}

### Example: Using Node.js {% ifversion fpt or ghes > 3.3 or ghae-issue-5504 or ghec %}v16{% else %}v12{% endif %}

```yaml
runs:

@@ -166,32 +149,23 @@ runs:
main: 'main.js'
```

### `runs.using`

**Required** The runtime used to execute the code specified in [`main`](#runsmain).
**Required** The runtime used to execute the code specified in [`main`](#runsmain).

- Use `node12` for Node.js v12.{% ifversion fpt or ghes > 3.3 or ghae-issue-5504 or ghec %}
- Use `node16` for Node.js v16.{% endif %}

### `runs.main`

**必要** 包含操作代码的文件。 The runtime specified in [`using`](#runsusing) executes this file.

### `runs.pre`

### `pre`

**可选** 允许您在 `main:` 操作开始之前,在作业开始时运行脚本。 例如,您可以使用 `pre:` 运行基本要求设置脚本。 The runtime specified with the [`using`](#runsusing) syntax will execute this file. `pre:` 操作始终默认运行,但您可以使用 [`pre-if`](#pre-if) 覆盖该设置。
**可选** 允许您在 `main:` 操作开始之前,在作业开始时运行脚本。 例如,您可以使用 `pre:` 运行基本要求设置脚本。 The runtime specified with the [`using`](#runsusing) syntax will execute this file. The `pre:` action always runs by default but you can override this using [`runs.pre-if`](#runspre-if).

在此示例中,`pre:` 操作运行名为 `setup.js` 的脚本:

```yaml
runs:
using: {% ifversion fpt or ghes > 3.3 or ghae-issue-5504 or ghec %}'node16'{% else %}'node12'{% endif %}

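Review bot: the hunk shows both `### runs.pre` and `### pre` for the same section, while the sibling headings in this file move to the prefixed form (`### runs.using`, `### runs.main`) and the new sentence links to `[runs.pre-if](#runspre-if)`. Whichever line survives should be `### runs.pre`, so the heading set and the anchors stay consistent; the same applies to the `pre-entrypoint` and `post-entrypoint` headings later in this file.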
@@ -200,10 +174,7 @@ runs:
post: 'cleanup.js'
```

### `pre-if`
### `runs.pre-if`

**可选** 允许您定义 `pre:` 操作执行的条件。 `pre:` 操作仅在满足 `pre-if` 中的条件后运行。 如果未设置,则 `pre-if` 默认使用 `always()`。 In `pre-if`, status check functions evaluate against the job's status, not the action's own status.

@@ -211,24 +182,17 @@ runs:

在此示例中,`cleanup.js` 仅在基于 Linux 的运行器上运行:

```yaml
pre: 'cleanup.js'
pre-if: runner.os == 'linux'
```

### `post`
### `runs.post`

**可选** 允许您在 `main:` 操作完成后,在作业结束时运行脚本。 例如,您可以使用 `post:` 终止某些进程或删除不需要的文件。 The runtime specified with the [`using`](#runsusing) syntax will execute this file.

在此示例中,`post:` 操作会运行名为 `cleanup.js` 的脚本:

```yaml
runs:
using: {% ifversion fpt or ghes > 3.3 or ghae-issue-5504 or ghec %}'node16'{% else %}'node12'{% endif %}

@@ -236,70 +200,44 @@ runs:
post: 'cleanup.js'
```

`post:` 操作始终默认运行,但您可以使用 `post-if` 覆盖该设置。

### `post-if`
### `runs.post-if`

**可选** 允许您定义 `post:` 操作执行的条件。 `post:` 操作仅在满足 `post-if` 中的条件后运行。 如果未设置,则 `post-if` 默认使用 `always()`。 In `post-if`, status check functions evaluate against the job's status, not the action's own status.

例如,此 `cleanup.js` 仅在基于 Linux 的运行器上运行:

```yaml
post: 'cleanup.js'
post-if: runner.os == 'linux'
```

## 用于复合操作的 `runs`

**Required** Configures the path to the composite action.

### `runs.using`

**Required** You must set this value to `'composite'`.

### `runs.steps`

{% ifversion fpt or ghes > 3.2 or ghae-issue-4853 or ghec %}

**必要** 您计划在此操作中的步骤。 这些步骤可以是 `run` 步骤或 `uses` 步骤。

**必要** 您计划在此操作中的步骤。 这些步骤可以是 `run` 步骤或 `uses` 步骤。
{% else %}

**必要** 您计划在此操作中的步骤。

**必要** 您计划在此操作中的步骤。
{% endif %}

#### `runs.steps[*].run`

{% ifversion fpt or ghes > 3.2 or ghae-issue-4853 or ghec %}

**可选** 您想要运行的命令。 这可以是内联的,也可以是操作仓库中的脚本:

**可选** 您想要运行的命令。 这可以是内联的,也可以是操作仓库中的脚本:
{% else %}

**必要** 您想要运行的命令。 这可以是内联的,也可以是操作仓库中的脚本:

**必要** 您想要运行的命令。 这可以是内联的,也可以是操作仓库中的脚本:
{% endif %}

{% raw %}

```yaml
runs:
using: "composite"

@@ -307,14 +245,10 @@ runs:
- run: ${{ github.action_path }}/test/script.sh
shell: bash
```

{% endraw %}

或者,您也可以使用 `$GITHUB_ACTION_PATH`:

```yaml
runs:
using: "composite"

@@ -323,26 +257,17 @@ runs:
shell: bash
```

更多信息请参阅“[`github context`](/actions/reference/context-and-expression-syntax-for-github-actions#github-context)”。

#### `runs.steps[*].shell`

{% ifversion fpt or ghes > 3.2 or ghae-issue-4853 or ghec %}

**可选** 您想要在其中运行命令的 shell。 您可以使用[这里](/actions/reference/workflow-syntax-for-github-actions#jobsjob_idstepsshell)列出的任何 shell。 如果设置了 `run`,则必填。

**可选** 您想要在其中运行命令的 shell。 您可以使用[这里](/actions/reference/workflow-syntax-for-github-actions#jobsjob_idstepsshell)列出的任何 shell。 如果设置了 `run`,则必填。
{% else %}

**必要** 您想要在其中运行命令的 shell。 您可以使用[这里](/actions/reference/workflow-syntax-for-github-actions#jobsjob_idstepsshell)列出的任何 shell。 如果设置了 `run`,则必填。

**必要** 您想要在其中运行命令的 shell。 您可以使用[这里](/actions/reference/workflow-syntax-for-github-actions#jobsjob_idstepsshell)列出的任何 shell。 如果设置了 `run`,则必填。
{% endif %}

{% ifversion fpt or ghes > 3.3 or ghae-issue-5504 or ghec %}
#### `runs.steps[*].if`

**Optional** You can use the `if` conditional to prevent a step from running unless a condition is met. 您可以使用任何支持上下文和表达式来创建条件。

@@ -351,9 +276,7 @@ runs:

**示例:使用上下文**

此步骤仅在事件类型为 `pull_request` 并且事件操作为 `unassigned` 时运行。

此步骤仅在事件类型为 `pull_request` 并且事件操作为 `unassigned` 时运行。

```yaml
steps:
@@ -361,13 +284,10 @@ steps:
if: {% raw %}${{ github.event_name == 'pull_request' && github.event.action == 'unassigned' }}{% endraw %}
```

**示例:使用状态检查功能**

The `my backup step` only runs when the previous step of a composite action fails. For more information, see "[Expressions](/actions/learn-github-actions/expressions#job-status-check-functions)."

```yaml
steps:
- name: My first step

@@ -376,49 +296,36 @@ steps:
if: {% raw %}${{ failure() }}{% endraw %}
uses: actions/heroku@1.0.0
```

{% endif %}

#### `runs.steps[*].name`

**可选** 复合步骤的名称。

#### `runs.steps[*].id`

**可选** 步骤的唯一标识符。 您可以使用 `id` 引用上下文中的步骤。 更多信息请参阅“[上下文](/actions/learn-github-actions/contexts)”。

#### `runs.steps[*].env`

**可选** 设置环境变量的 `map` 仅用于该步骤。 If you want to modify the environment variable stored in the workflow, use `echo "{name}={value}" >> $GITHUB_ENV` in a composite step.

#### `runs.steps[*].working-directory`

**可选** 指定命令在其中运行的工作目录。

{% ifversion fpt or ghes > 3.2 or ghae-issue-4853 or ghec %}

#### `runs.steps[*].uses`

**可选** 选择作为作业步骤一部分运行的操作。 操作是一种可重复使用的代码单位。 您可以使用工作流程所在仓库中、公共仓库中或[发布 Docker 容器映像](https://hub.docker.com/)中定义的操作。

强烈建议指定 Git ref、SHA 或 Docker 标记编号来包含所用操作的版本。 如果不指定版本,在操作所有者发布更新时可能会中断您的工作流程或造成非预期的行为。

- 使用已发行操作版本的 SHA 对于稳定性和安全性是最安全的。
- 使用特定主要操作版本可在保持兼容性的同时接收关键修复和安全补丁。 还可确保您的工作流程继续工作。
- 使用操作的默认分支可能很方便,但如果有人新发布具有突破性更改的主要版本,您的工作流程可能会中断。

有些操作要求必须通过 [`with`](/actions/reference/workflow-syntax-for-github-actions#jobsjob_idstepswith) 关键词设置输入。 请查阅操作的自述文件,确定所需的输入。

```yaml
runs:
using: "composite"

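Review bot: the prose in this hunk tells readers that pinning an action to a released SHA is the safest choice for stability and security, but the `uses:` examples in the same section use a version tag (`actions/heroku@1.0.0`) and a mutable image tag (`docker://alpine:3.8`). At least one example should show the SHA-pinned form the text recommends, otherwise readers copy the tag form. Separately, the `runs.steps[*].env` sentence about `echo "{name}={value}" >> $GITHUB_ENV` is still English and describes a change that outlives the step, which is worth keeping visible when it is retranslated.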
@@ -441,15 +348,10 @@ runs:
- uses: docker://alpine:3.8
```

#### `runs.steps[*].with`

**可选** 输入参数的 `map` 由操作定义。 每个输入参数都是一个键/值对。 输入参数被设置为环境变量。 该变量的前缀为 INPUT_,并转换为大写。

```yaml
runs:
using: "composite"

@@ -461,21 +363,13 @@ runs:
middle_name: The
last_name: Octocat
```

{% endif %}

## `runs` for Docker container actions

**Required** Configures the image used for the Docker container action.

## 用于 Docker 操作的 `runs`

**必要** 配置用于 Docker 操作的图像。

### 在仓库中使用 Dockerfile 的示例

### Example: Using a Dockerfile in your repository

```yaml
runs:

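Review bot: `配置用于 Docker 操作的图像` renders "image" as `图像` (a picture), while the `runs.image` description later in this file uses `映像` for the Docker image; use `映像` here as well. The hunk also shows both the English `## `runs` for Docker container actions` heading with its description and the Chinese heading with its description; if both pairs survive, the section is duplicated on the rendered page.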
@@ -483,12 +377,7 @@ runs:
image: 'Dockerfile'
```

### 使用公共 Docker 注册表容器的示例

### Example: Using public Docker registry container

```yaml
runs:

@@ -496,25 +385,18 @@ runs:
image: 'docker://debian:stretch-slim'
```

### `runs.using`

**必要** 必须将此值设置为 `'docker'`。

### `runs.pre-entrypoint`

### `pre-entrypoint`

**可选** 允许您在 `entrypoint` 操作开始之前运行脚本。 例如,您可以使用 `pre-entrypoint:` 运行基本要求设置脚本。 {% data variables.product.prodname_actions %} 使用 `docker run` 启动此操作,并在使用同一基本映像的新容器中运行脚本。 这意味着运行时状态与主 `entrypoint` 容器不同,并且必须在任一工作空间中访问所需的任何状态,`HOME` 或作为 `STATE_` 变量。 `pre-entrypoint:` 操作始终默认运行,但您可以使用 [`pre-if`](#pre-if) 覆盖该设置。
**可选** 允许您在 `entrypoint` 操作开始之前运行脚本。 例如,您可以使用 `pre-entrypoint:` 运行基本要求设置脚本。 {% data variables.product.prodname_actions %} 使用 `docker run` 启动此操作,并在使用同一基本映像的新容器中运行脚本。 这意味着运行时状态与主 `entrypoint` 容器不同,并且必须在任一工作空间中访问所需的任何状态,`HOME` 或作为 `STATE_` 变量。 The `pre-entrypoint:` action always runs by default but you can override this using [`runs.pre-if`](#runspre-if).

The runtime specified with the [`using`](#runsusing) syntax will execute this file.

在此示例中,`pre-entrypoint:` 操作会运行名为 `setup.sh` 的脚本:

```yaml
runs:
using: 'docker'

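Review bot: in both the removed and the added paragraph the state-passing sentence is garbled: `必须在任一工作空间中访问所需的任何状态,`HOME` 或作为 `STATE_` 变量` reads as "must access any state in either workspace, HOME, or as a STATE_ variable". The source means that any state the script needs has to be reached through the workspace, `HOME`, or a `STATE_` variable; `所需的任何状态都必须通过工作空间、`HOME` 或 `STATE_` 变量来访问` carries that meaning. This is the sentence that explains why `pre-entrypoint` cannot rely on the main container's runtime state, so it is worth fixing in Crowdin.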
@@ -525,34 +407,23 @@ runs:
entrypoint: 'main.sh'
```

### `runs.image`

**必要** 要用作容器来运行操作的 Docker 映像。 值可以是 Docker 基本映像名称、仓库中的本地 `Dockerfile`、Docker Hub 中的公共映像或另一个注册表。 要引用仓库本地的 `Dockerfile`,文件必须命名为 `Dockerfile`,并且您必须使用操作元数据文件的相对路径。 `Docker` 应用程序将执行此文件。

### `runs.env`

**可选** 指定要在容器环境中设置的环境变量的键/值映射。

### `runs.entrypoint`

**可选** 覆盖 `Dockerfile` 中的 Docker `ENTRYPOINT`,或在未指定时设置它。 当 `Dockerfile` 未指定 `ENTRYPOINT` 或者您想要覆盖 `ENTRYPOINT` 指令时使用 `entrypoint`。 如果您省略 `entrypoint`,您在 Docker `ENTRYPOINT` 指令中指定的命令将执行。 Docker `ENTRYPOINT` 指令有 _shell_ 形式和 _exec_ 形式。 Docker `ENTRYPOINT` 文档建议使用 _exec_ 形式的 `ENTRYPOINT` 指令。

有关 `entrypoint` 如何执行的更多信息,请参阅“[Dockerfile 对 {% data variables.product.prodname_actions %} 的支持](/actions/creating-actions/dockerfile-support-for-github-actions/#entrypoint)”。

### `post-entrypoint`

**可选** 允许您在 `runs.entrypoint` 操作完成后运行清理脚本。 {% data variables.product.prodname_actions %} 使用 `docker run` 来启动此操作。 因为 {% data variables.product.prodname_actions %} 使用同一基本映像在新容器内运行脚本,所以运行时状态与主 `entrypoint` 容器不同。 您可以在任一工作空间中访问所需的任何状态,`HOME` 或作为 `STATE_` 变量。 `post-entrypoint:` 操作始终默认运行,但您可以使用 [`post-if`](#post-if) 覆盖该设置。

**可选** 允许您在 `runs.entrypoint` 操作完成后运行清理脚本。 {% data variables.product.prodname_actions %} 使用 `docker run` 来启动此操作。 因为 {% data variables.product.prodname_actions %} 使用同一基本映像在新容器内运行脚本,所以运行时状态与主 `entrypoint` 容器不同。 您可以在任一工作空间中访问所需的任何状态,`HOME` 或作为 `STATE_` 变量。 The `post-entrypoint:` action always runs by default but you can override this using [`runs.post-if`](#runspost-if).

```yaml
runs:

@@ -564,9 +435,6 @@ runs:
post-entrypoint: 'cleanup.sh'
```

### `runs.args`

**可选** 定义 Docker 容器输入的字符串数组。 输入可包含硬编码的字符串。 {% data variables.product.prodname_dotcom %} 在容器启动时将 `args` 传递到容器的 `ENTRYPOINT`。

@@ -579,13 +447,9 @@ runs:

有关将 `CMD` 指令与 {% data variables.product.prodname_actions %} 一起使用的更多信息,请参阅“[Dockerfile 对 {% data variables.product.prodname_actions %} 的支持](/actions/creating-actions/dockerfile-support-for-github-actions/#cmd)”。

#### 示例
#### Example: Defining arguments for the Docker container

{% raw %}

```yaml
runs:
using: 'docker'
@@ -595,21 +459,13 @@ runs:
- 'foo'
- 'bar'
```

{% endraw %}

## `branding`

您可以使用颜色和 [Feather](https://feathericons.com/) 图标创建徽章,以个性化和识别操作。 徽章显示在 [{% data variables.product.prodname_marketplace %}](https://github.com/marketplace?type=actions) 中的操作名称旁边。

### 示例

### Example: Configuring branding for an action

```yaml
branding:

@@ -617,18 +473,18 @@ branding:
color: 'green'
```

### `branding.color`

徽章的背景颜色。 可以是以下之一:`white`、`yellow`、`blue`、`green`、`orange`、`red`、`purple` 或 `gray-dark`。

### `branding.icon`

要使用的 [Feather](https://feathericons.com/) 图标的名称。
要使用的 [Feather](https://feathericons.com/) 图标的名称。 <!--
This table should match the icon list in `app/models/repository_actions/icons.rb` in the internal github repo.
This table does not match the latest version the feather library.
(Brand icons are omitted, and our supported list is not necessarily up-to-date with the latest version of the feather icon library.)
To support a new icon, update `app/models/repository_actions/icons.rb` and add the svg to `/static/images/icons/feather` in the internal github repo.
-->

<table>
<tr>

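Review bot: the added HTML comment names internal repository paths (`app/models/repository_actions/icons.rb`, `/static/images/icons/feather`). It is not rendered, but this translation file lives in a public repository, so the comment discloses internal code layout to anyone reading the source, and it is maintainer guidance rather than reader content. It belongs in the English source (or the contributing docs) only, not duplicated into every translation by the reset script.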
@@ -29,7 +29,7 @@ By updating your workflows to use OIDC tokens, you can adopt the following good

- **No cloud secrets**: You won't need to duplicate your cloud credentials as long-lived {% data variables.product.prodname_dotcom %} secrets. Instead, you can configure the OIDC trust on your cloud provider, and then update your workflows to request a short-lived access token from the cloud provider through OIDC.
- **Authentication and authorization management**: You have more granular control over how workflows can use credentials, using your cloud provider's authentication (authN) and authorization (authZ) tools to control access to cloud resources.
- **Rotating credentials**: With OIDC, your cloud provider issues a short-lived access token that is only valid for a single workflow run, and then automatically expires.
- **Rotating credentials**: With OIDC, your cloud provider issues a short-lived access token that is only valid for a single job, and then automatically expires.

### Getting started with OIDC

@@ -38,7 +38,7 @@ The following diagram gives an overview of how {% data variables.product.prodnam
|
||||

|
||||
|
||||
1. In your cloud provider, create an OIDC trust between your cloud role and your {% data variables.product.prodname_dotcom %} workflow(s) that need access to the cloud.
2. Every time your {% data variables.product.prodname_actions %} workflow job runs, {% data variables.product.prodname_dotcom %}'s OIDC Provider auto-generates an OIDC token. This token contains multiple claims to establish a security-hardened and verifiable identity about the specific workflow that is trying to authenticate.
2. Every time your job runs, {% data variables.product.prodname_dotcom %}'s OIDC Provider auto-generates an OIDC token. This token contains multiple claims to establish a security-hardened and verifiable identity about the specific workflow that is trying to authenticate.
3. You could include a step or action in your job to request this token from {% data variables.product.prodname_dotcom %}'s OIDC provider, and present it to the cloud provider.
4. Once the cloud provider successfully validates the claims presented in the token, it then provides a short-lived cloud access token that is available only for the duration of the job.
@@ -51,7 +51,7 @@ When you configure your cloud to trust {% data variables.product.prodname_dotcom
### Understanding the OIDC token
Each workflow run requests an OIDC token from {% data variables.product.prodname_dotcom %}'s OIDC provider, which responds with an automatically generated JSON web token (JWT) that is unique for each workflow job where it is generated. During a workflow run, the OIDC token is presented to the cloud provider. To validate the token, the cloud provider checks if the OIDC token's subject and other claims are a match for the conditions that were preconfigured on the cloud role's OIDC trust definition.
Each job requests an OIDC token from {% data variables.product.prodname_dotcom %}'s OIDC provider, which responds with an automatically generated JSON web token (JWT) that is unique for each workflow job where it is generated. When the job runs, the OIDC token is presented to the cloud provider. To validate the token, the cloud provider checks if the OIDC token's subject and other claims are a match for the conditions that were preconfigured on the cloud role's OIDC trust definition.
The following example OIDC token uses a subject (`sub`) that references a job environment named `prod` in the `octo-org/octo-repo` repository.
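Review bot: with the subject changed from "Each workflow run requests" to "Each job requests", the trailing clause "that is unique for each workflow job where it is generated" is now redundant; "a JSON web token (JWT) unique to that job" says the same thing. "checks if the OIDC token's subject and other claims are a match for the conditions" also reads more cleanly as "checks that the subject and other claims match the conditions". The change from "During a workflow run" to "When the job runs" is correct, since the token's lifetime is the job, not the run.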
@@ -147,7 +147,7 @@ In addition, your cloud provider could allow you to assign a role to the access
### 示例
The following examples demonstrate how to use "Subject" as a condition. The [subject](https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims) uses information from the workflow run's [`job` context](/actions/learn-github-actions/contexts#job-context), and instructs your cloud provider that access token requests may only be granted for requests from workflows running in specific branches, environments. The following sections describe some common subjects you can use.
The following examples demonstrate how to use "Subject" as a condition. The [subject](https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims) uses information from the [`job` context](/actions/learn-github-actions/contexts#job-context), and instructs your cloud provider that access token requests may only be granted for requests from workflows running in specific branches, environments. The following sections describe some common subjects you can use.
#### Filtering for a specific environment
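Review bot: "workflows running in specific branches, environments" (present in both the old and new line) is missing a conjunction; suggest "specific branches or environments". The in-scope edit, dropping "the workflow run's" before the `job` context link, is fine because the link already identifies the context.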
@@ -217,6 +217,10 @@ You could also use a `curl` command to request the JWT, using the following envi
curl -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=api://AzureADTokenExchange"
```
### Adding permissions settings
{% data reusables.actions.oidc-permissions-token %}
## Updating your workflows for OIDC
You can now update your YAML workflows to use OIDC access tokens instead of secrets. Popular cloud providers have published their official login actions that make it easy for you to get started with OIDC. For more information about updating your workflows, see the cloud-specific guides listed below in "[Enabling OpenID Connect for your cloud provider](#enabling-openid-connect-for-your-cloud-provider)."
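Review bot: the added `### Adding permissions settings` section consists only of `{% data reusables.actions.oidc-permissions-token %}`; in this zh-CN file, verify that a translated copy of that reusable is part of the batch or that the build falls back to the English one, otherwise the heading renders with nothing under it. The rendering check named in the commit message should catch a missing reusable, so a green run of that script is the evidence to look for.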
@@ -56,14 +56,7 @@ To update your workflows for OIDC, you will need to make two changes to your YAM
### Adding permissions settings
The workflow will require a `permissions` setting with a defined [`id-token`](/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token) value. If you only need to fetch an OIDC token for a single job, then this permission can be set within that job. 例如:
```yaml{:copy}
permissions:
id-token: write
```
You may need to specify additional permissions here, depending on your workflow's requirements.
{% data reusables.actions.oidc-permissions-token %}
### Requesting the access token
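Review bot: the inline `permissions: id-token: write` block and the sentence "You may need to specify additional permissions here" are replaced by `{% data reusables.actions.oidc-permissions-token %}`; make sure the reusable keeps the guidance from the sentence that stays at the top of the section, that the permission "can be set within that job" when only one job needs the token. A workflow-level `id-token: write` lets every job in the workflow mint an identity token, so the job-scoped form is the least-privilege default the docs should keep showing. The mixed "then this permission can be set within that job. 例如:" line is a partially translated remnant that the reset will pick up.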
@@ -93,7 +86,7 @@ jobs:
- name: Git clone the repository
uses: actions/checkout@v2
- name: configure aws credentials
uses: aws-actions/configure-aws-credentials@master
uses: aws-actions/configure-aws-credentials@v1
with:
role-to-assume: arn:aws:iam::1234567890:role/example-role
role-session-name: samplerolesession
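Review bot: the sample ARN `arn:aws:iam::1234567890:role/example-role` in the unchanged context line has a 10-digit account ID; AWS account IDs are 12 digits, so a reader copying the pattern produces an invalid ARN. Suggest a 12-digit placeholder such as `123456789012`. The in-scope change from `aws-actions/configure-aws-credentials@master` to `@v1` is the right direction for a third-party action used to obtain cloud credentials; a tag can still be moved by the action's maintainers, so readers who need a reproducible pin can reference the full commit SHA instead.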
@@ -50,14 +50,7 @@ To update your workflows for OIDC, you will need to make two changes to your YAM
### Adding permissions settings
The workflow will require a `permissions` setting with a defined [`id-token`](/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token) value. If you only need to fetch an OIDC token for a single job, then this permission can be set within that job. 例如:
```yaml{:copy}
permissions:
id-token: write
```
You may need to specify additional permissions here, depending on your workflow's requirements.
{% data reusables.actions.oidc-permissions-token %}
### Requesting the access token
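Review bot: same edit as in the AWS OIDC guide earlier in this patch (inline `permissions` block and "You may need to specify additional permissions" sentence replaced by `{% data reusables.actions.oidc-permissions-token %}`); the same check applies, that the reusable preserves the job-level `id-token: write` guidance from the sentence kept above it.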
@@ -37,14 +37,7 @@ If your cloud provider doesn't yet offer an official action, you can update your
### Adding permissions settings
The workflow will require a `permissions` setting with a defined [`id-token`](/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token) value. If you only need to fetch an OIDC token for a single job, then this permission can be set within that job. 例如:
```yaml{:copy}
permissions:
id-token: write
```
You may need to specify additional permissions here, depending on your workflow's requirements.
{% data reusables.actions.oidc-permissions-token %}
### Using official actions
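Review bot: same reusable substitution as in the earlier OIDC guides in this patch; this hunk sits under "If your cloud provider doesn't yet offer an official action", where readers write the token request themselves, so it is the one place the job-scoped `id-token: write` guidance matters most. Confirm the reusable carries it.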
@@ -49,14 +49,7 @@ To update your workflows for OIDC, you will need to make two changes to your YAM
### Adding permissions settings
The workflow will require a `permissions` setting with a defined [`id-token`](/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token) value. If you only need to fetch an OIDC token for a single job, then this permission can be set within that job. 例如:
```yaml{:copy}
permissions:
id-token: write
```
You may need to specify additional permissions here, depending on your workflow's requirements.
{% data reusables.actions.oidc-permissions-token %}
### Requesting the access token
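Review bot: same reusable substitution as in the earlier OIDC guides in this patch; the same check on the job-level `id-token: write` guidance applies here.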
@@ -54,14 +54,7 @@ This example demonstrates how to use OIDC with the official action to request a
### Adding permissions settings
The workflow will require a `permissions` setting with a defined [`id-token`](/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token) value. If you only need to fetch an OIDC token for a single job, then this permission can be set within that job. 例如:
```yaml{:copy}
permissions:
id-token: write
```
You may need to specify additional permissions here, depending on your workflow's requirements.
{% data reusables.actions.oidc-permissions-token %}
### Requesting the access token
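Review bot: same reusable substitution as in the earlier OIDC guides in this patch; the same check on the job-level `id-token: write` guidance applies here.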
@@ -44,7 +44,7 @@ For more information about installing and using self-hosted runners, see "[Addin
- Use free minutes on your {% data variables.product.prodname_dotcom %} plan, with per-minute rates applied after surpassing the free minutes.
**Self-hosted runners:**{% endif %}
- Receive automatic updates for the self-hosted runner application only. You are responsible for updating the operating system and all other software.
- Receive automatic updates for the self-hosted runner application only{% ifversion fpt or ghec or ghes > 3.2 %}, though you may disable automatic updates of the runner. For more information about controlling runner software updates on self-hosted runners, see "[Autoscaling with self-hosted runners](/actions/hosting-your-own-runners/autoscaling-with-self-hosted-runners#controlling-runner-software-updates-on-self-hosted-runners)."{% else %}.{% endif %} You are responsible for updating the operating system and all other software.
- Can use cloud services or local machines that you already pay for.
- Are customizable to your hardware, operating system, software, and security requirements.
- Don't need to have a clean instance for every job execution.
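Review bot: the new text is gated on `fpt or ghec or ghes > 3.2`, but the section it links to, `## Controlling runner software updates on self-hosted runners` in the autoscaling page later in this patch, carries no matching `ifversion` in the visible hunk; either gate that section the same way or confirm `--disableupdate` is meant to be documented for every version there. The `{% else %}.{% endif %}` that supplies the sentence's full stop is correct but fragile under translation, so a translator comment on that line would help.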
@@ -55,7 +55,7 @@ For more information about installing and using self-hosted runners, see "[Addin
You can use any machine as a self-hosted runner as long at it meets these requirements:
* You can install and run the self-hosted runner application on the machine. For more information, see "[Supported architectures and operating systems for self-hosted runners](#supported-architectures-and-operating-systems-for-self-hosted-runners)."
* The machine can communicate with {% data variables.product.prodname_actions %}. For more information, see "[Communication between self-hosted runners and {% data variables.product.prodname_dotcom %}](#communication-between-self-hosted-runners-and-github)."
* The machine can communicate with {% data variables.product.prodname_actions %}. For more information, see "[Communication between self-hosted runners and {% data variables.product.product_name %}](#communication-requirements)."
* The machine has enough hardware resources for the type of workflows you plan to run. The self-hosted runner application itself only requires minimal resources.
* If you want to run workflows that use Docker container actions or service containers, you must use a Linux machine and Docker must be installed.
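Review bot: the unchanged context line "as long at it meets these requirements" has a typo for "as long as"; out of scope for the anchor change but cheap to fix in the same commit. The in-scope change, pointing at `#communication-requirements` instead of the heading-derived slug, is the right fix because the heading text contains `{% data variables.product.product_name %}` and its generated slug therefore differs between products.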
@@ -125,6 +125,8 @@ Some extra configuration might be required to use actions from {% data variables
{% endif %}
<a name="communication-requirements"></a>
## Communication between self-hosted runners and {% data variables.product.product_name %}
The self-hosted runner polls {% data variables.product.product_name %} to retrieve application updates and to check if any jobs are queued for processing. The self-hosted runner uses a HTTPS _long poll_ that opens a connection to {% data variables.product.product_name %} for 50 seconds, and if no response is received, it then times out and creates a new long poll. The application must be running on the machine to accept and run {% data variables.product.prodname_actions %} jobs.
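Review bot: `<a name="communication-requirements"></a>` gives the section a stable link target, which is needed because the heading is built from `product_name`; prefer `id="communication-requirements"` on the element, since the `name` attribute on `<a>` is obsolete in HTML5 and `id` is what fragment links resolve against. In the unchanged paragraph, "uses a HTTPS _long poll_" should be "an HTTPS long poll".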
@@ -27,12 +27,12 @@ The following repositories have detailed instructions for setting up these autos
Each solution has certain specifics that may be important to consider:
| **功能** | **actions-runner-controller** | **terraform-aws-github-runner** |
|:------------------------------ |:---------------------------------------------------------------------------------- |:--------------------------------------------------------------------- |
| Runtime | Kubernetes | Linux and Windows VMs |
| Supported Clouds | Azure, Amazon Web Services, Google Cloud Platform, on-premises | Amazon Web Services |
| Where runners can be scaled | Enterprise, organization, and repository levels. By runner label and runner group. | Organization and repository levels. By runner label and runner group. |
| Pull-based autoscaling support | 是 | 否 |
| **功能** | **actions-runner-controller** | **terraform-aws-github-runner** |
|:--------------------------- |:---------------------------------------------------------------------------------- |:--------------------------------------------------------------------- |
| Runtime | Kubernetes | Linux and Windows VMs |
| Supported Clouds | Azure, Amazon Web Services, Google Cloud Platform, on-premises | Amazon Web Services |
| Where runners can be scaled | Enterprise, organization, and repository levels. By runner label and runner group. | Organization and repository levels. By runner label and runner group. |
| How runners can be scaled | Webhook events, Scheduled, Pull-based | Webhook events, Scheduled (org-level runners only) |
## Using ephemeral runners for autoscaling
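Review bot: replacing the "Pull-based autoscaling support | 是 | 否" row with "How runners can be scaled | Webhook events, Scheduled, Pull-based | Webhook events, Scheduled (org-level runners only)" keeps the pull-based distinction (listed only under actions-runner-controller) and adds the webhook and scheduled modes, so no information is lost. The new row is English in this translated file while the header row stays `**功能**`; expected until Crowdin picks it up, but worth knowing the table is mixed-language meanwhile.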
@@ -42,8 +42,8 @@ This approach allows you to manage your runners as ephemeral systems, since you
To add an ephemeral runner to your environment, include the `--ephemeral` parameter when registering your runner using `config.sh`. 例如:
```
$ ./config.sh --url https://github.com/octo-org --token example-token --ephemeral
```shell
./config.sh --url https://github.com/octo-org --token example-token --ephemeral
```
The {% data variables.product.prodname_actions %} service will then automatically de-register the runner after it has processed one job. You can then create your own automation that wipes the runner after it has been de-registered.
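Review bot: dropping the `$ ` prompt and tagging the fence `shell` makes the `./config.sh --url https://github.com/octo-org --token example-token --ephemeral` line copyable, which is an improvement; the fences elsewhere in this patch that are meant to be copied use `yaml{:copy}`, so `shell{:copy}` would be consistent here. `example-token` stands in for the runner registration token, which is short-lived by design, so a placeholder is the right thing to show.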
@@ -54,6 +54,28 @@ The {% data variables.product.prodname_actions %} service will then automaticall
{% endnote %}
## Controlling runner software updates on self-hosted runners
By default, self-hosted runners will automatically perform a software update whenever a new version of the runner software is available. If you use ephemeral runners in containers then this can lead to repeated software updates when a new runner version is released. Turning off automatic updates allows you to update the runner version on the container image directly on your own schedule.
If you want to turn off automatic software updates and install software updates yourself, you can specify the `--disableupdate` parameter when starting the runner. 例如:
```shell
./run.sh --disableupdate
```
If you disable automatic updates, you must still update your runner version regularly. New functionality in {% data variables.product.prodname_actions %} requires changes in both the {% data variables.product.prodname_actions %} service _and_ the runner software. The runner may not be able to correctly process jobs that take advantage of new features in {% data variables.product.prodname_actions %} without a software update.
If you disable automatic updates, you will be required to update your runner version within 30 days of a new version being made available. You may want to subscribe to notifications for releases in the [`actions/runner` repository](https://github.com/actions/runner/releases). 更多信息请参阅“[配置通知](/account-and-profile/managing-subscriptions-and-notifications-on-github/setting-up-notifications/configuring-notifications#about-custom-notifications)”。
For instructions on how to install the latest runner version, see the installation instructions for [the latest release](https://github.com/actions/runner/releases).
{% note %}
**Note:** If you do not perform a software update within 30 days, the {% data variables.product.prodname_actions %} service will not queue jobs to your runner. In addition, if a critical security update is required, the {% data variables.product.prodname_actions %} service will not queue jobs to your runner until it has been updated.
{% endnote %}
## Using webhooks for autoscaling
You can create your own autoscaling environment by using payloads received from the [`workflow_job`](/developers/webhooks-and-events/webhooks/webhook-events-and-payloads#workflow_job) webhook. This webhook is available at the repository, organization, and enterprise levels, and the payload for this event contains an `action` key that corresponds to the stages of a workflow job's life-cycle; for example when jobs are `queued`, `in_progress`, and `completed`. You must then create your own scaling automation in response to these webhook payloads.
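Review bot: two consecutive paragraphs both open with "If you disable automatic updates," (the second one adds the 30-day requirement); merging them reads better. The `{% note %}` that the service stops queuing jobs to a runner missing a critical security update is the operational point of this section and would be more visible placed directly after the `./run.sh --disableupdate` example rather than after the release-notification link. The sentence ending in "更多信息请参阅“[配置通知](...)”。" mixes an English paragraph with a translated tail, which is expected for a reset file.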
@@ -33,6 +33,38 @@ shortTitle: Monitor & troubleshoot
* **Active**: The runner is currently executing a job.
* **Offline**: The runner is not connected to {% data variables.product.product_name %}. This could be because the machine is offline, the self-hosted runner application is not running on the machine, or the self-hosted runner application cannot communicate with {% data variables.product.product_name %}.
## Checking self-hosted runner network connectivity
You can use the self-hosted runner application's `run` script with the `--check` parameter to check that a self-hosted runner can access all required network services on {% data variables.product.product_location %}.
In addition to `--check`, you must provide two arguments to the script:
* `--url` with the URL to your {% data variables.product.company_short %} repository, organization, or enterprise. For example, `--url https://github.com/octo-org/octo-repo`.
* `--pat` with the value of a personal access token, which must have the `workflow` scope. For example, `--pat ghp_abcd1234`. For more information, see "[Creating a personal access token](/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token)."
For example:
{% mac %}
{% data reusables.github-actions.self-hosted-runner-check-mac-linux %}
{% endmac %}
{% linux %}
{% data reusables.github-actions.self-hosted-runner-check-mac-linux %}
{% endlinux %}
{% windows %}
```shell
run.cmd --check --url <em>https://github.com/octo-org/octo-repo</em> --pat <em>ghp_abcd1234</em>
```
{% endwindows %}
The script tests each service, and outputs either a `PASS` or `FAIL` for each one. If you have any failing checks, you can see more details on the problem in the log file for the check. The log files are located in the `_diag` directory where you installed the runner application, and the path of the log file for each check is shown in the console output of the script.
If you have any failing checks, you should also verify that your self-hosted runner machine meets all the communication requirements. For more information, see "[About self-hosted runners](/actions/hosting-your-own-runners/about-self-hosted-runners#communication-requirements)."
## Reviewing the self-hosted runner application log files
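Review bot: `--pat ghp_abcd1234` passes a `workflow`-scoped personal access token as a command-line argument, so it lands in the shell history file and is visible to other local users in process listings while `run --check` executes; a sentence recommending a token created for this check and revoked afterwards would fit next to the `--pat` bullet. The `<em>` tags inside the `shell` fence follow the docs convention for placeholders and the same `self-hosted-runner-check-mac-linux` reusable serves both the `{% mac %}` and `{% linux %}` branches, so both are fine as written.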
@@ -32,7 +32,6 @@ featuredLinks:
- title: GitHub Actions in action – Karan MV
href: 'https://www.youtube-nocookie.com/embed/4SWO0Pc76CU'
videosHeading: GitHub Universe 2021 videos
examples_source: data/product-examples/actions/code-examples.yml
product_video: 'https://www.youtube-nocookie.com/embed/cP0I9w2coGU'
redirect_from:
- /articles/automating-your-workflow-with-github-actions
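Review bot: removing `examples_source: data/product-examples/actions/code-examples.yml` from the landing-page front matter drops whatever panel is rendered from that file; confirm the removal is intentional for the translated page and mirrors the English source rather than being a side effect of the reset script.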
@@ -393,7 +393,7 @@ The `steps` context contains information about the steps in the current job that
| 属性名称 | 类型 | 描述 |
| --------------------------------------------------- | ----- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| `steps` | `对象` | 此上下文针对作业中的每个步骤而改变。 您可以从作业中的任何步骤访问此上下文。 This object contains all the properties listed below. |
| `steps.<step_id>.outputs` | `对象` | 为步骤定义的输出集。 更多信息请参阅“[{% data variables.product.prodname_actions %} 的元数据语法](/articles/metadata-syntax-for-github-actions#outputs)”。 |
| `steps.<step_id>.outputs` | `对象` | 为步骤定义的输出集。 For more information, see "[Metadata syntax for {% data variables.product.prodname_actions %}](/articles/metadata-syntax-for-github-actions#outputs-for-docker-container-and-javascript-actions)." |
| `steps.<step_id>.conclusion` | `字符串` | 在 [`continue-on-error`](/actions/reference/workflow-syntax-for-github-actions#jobsjob_idstepscontinue-on-error) 应用之后完成的步骤的结果。 可能的值包括 `success`、`failure`、`cancelled` 或 `skipped`。 当 `continue-on-error` 步骤失败时,`outcome` 为 `failure`,但最终的 `conclusion` 为 `success`。 |
| `steps.<step_id>.outcome` | `字符串` | 在 [`continue-on-error`](/actions/reference/workflow-syntax-for-github-actions#jobsjob_idstepscontinue-on-error) 应用之前完成的步骤的结果。 可能的值包括 `success`、`failure`、`cancelled` 或 `skipped`。 当 `continue-on-error` 步骤失败时,`outcome` 为 `failure`,但最终的 `conclusion` 为 `success`。 |
| `steps.<step_id>.outputs.<output_name>` | `字符串` | 特定输出的值。 |
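Review bot: the `steps.<step_id>.outputs` row's anchor changes from `#outputs` to `#outputs-for-docker-container-and-javascript-actions`, matching the same rename in the Jenkins migration table later in this patch. The replacement row is English while its neighbours are translated, which is expected for a reset; the `conclusion` and `outcome` rows around it are untouched and still consistent with each other.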
@@ -268,9 +268,15 @@ jobs:
`hashFiles('**/package-lock.json', '**/Gemfile.lock')`
{% ifversion fpt or ghes > 3.3 or ghae-issue-5504 or ghec %}
## 状态检查函数
您可以使用以下状态检查函数作为 `if` 条件中的表达式。 除非您包含其中一个函数,否则 `success()` 的默认状态检查将会应用。 For more information about `if` conditionals, see "[Workflow syntax for GitHub Actions](/articles/workflow-syntax-for-github-actions/#jobsjob_idif)" and "[Metadata syntax for GitHub Composite Actions](/actions/creating-actions/metadata-syntax-for-github-actions/#runsstepsif)".
{% else %}
## Check Functions
您可以使用以下状态检查函数作为 `if` 条件中的表达式。 除非您包含其中一个函数,否则 `success()` 的默认状态检查将会应用。 For more information about `if` conditionals, see "[Workflow syntax for GitHub Actions](/articles/workflow-syntax-for-github-actions/#jobsjob_idif)".
{% endif %}
### success
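Review bot: the two branches use different headings, `## 状态检查函数` under `{% ifversion fpt or ghes > 3.3 or ghae-issue-5504 or ghec %}` and `## Check Functions` under `{% else %}`, so the generated anchors differ and any link to `#status-check-functions` breaks on the `else` versions. Use one heading for both and keep only the differing paragraph (the extra composite-action sentence) inside the conditional.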
@@ -318,6 +324,7 @@ steps:
if: {% raw %}${{ failure() }}{% endraw %}
```
{% ifversion fpt or ghes > 3.3 or ghae-issue-5504 or ghec %}
### Evaluate Status Explicitly
Instead of using one of the methods above, you can evaluate the status of the job or composite action that is executing the step directly:
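Review bot: `### Evaluate Status Explicitly` is title case while the headings elsewhere in this patch use sentence case (`### Adding permissions settings`, `### Requesting the access token`); suggest `### Evaluate status explicitly`. The `ifversion` opened here is closed by the `{% endif %}` in the next hunk, so the pairing is intact.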
@@ -343,6 +350,7 @@ steps:
```
This is the same as using `if: failure()` in a composite action step.
{% endif %}
## 对象过滤器
@@ -47,6 +47,8 @@ topics:
You can add an action to your workflow by referencing the action in your workflow file.
You can view the actions referenced in your {% data variables.product.prodname_actions %} workflows as dependencies in the dependency graph of the repository containing your workflows. For more information, see “[About the dependency graph](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph).”
### Adding an action from {% data variables.product.prodname_marketplace %}
操作的列表页包括操作的版本以及使用操作所需的工作流程语法。 为使工作流程在操作有更新时也保持稳定,您可以在工作流程文件中指定 Git 或 Docker 标记号以引用所用操作的版本。
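Review bot: the added sentence wraps the link title in curly quotes (“[About the dependency graph](...)”) whereas the rest of this batch uses straight quotes (for example `see "[Autoscaling with self-hosted runners](...)."`); use straight quotes. Surfacing referenced actions in the dependency graph is a useful supply-chain detail, so the sentence itself belongs here.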
@@ -255,3 +255,8 @@ To understand how billing works for {% data variables.product.prodname_actions %
## 联系支持
{% data reusables.github-actions.contacting-support %}
## 延伸阅读
{% ifversion ghec or ghes or ghae %}
- "[About {% data variables.product.prodname_actions %} for enterprises](/admin/github-actions/getting-started-with-github-actions-for-your-enterprise/about-github-actions-for-enterprises)"{% endif %}
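Review bot: `## 延伸阅读` is added outside the `{% ifversion ghec or ghes or ghae %}` block while its only list item is inside it, so on GitHub.com (`fpt`) the heading renders with nothing under it. Move the heading inside the conditional, or add an `fpt` item.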
@@ -18,16 +18,23 @@ shortTitle: 工作流程计费和限制
## 关于 {% data variables.product.prodname_actions %} 的计费
{% data reusables.repositories.about-github-actions %} For more information, see "[Understanding {% data variables.product.prodname_actions %}](/actions/learn-github-actions/understanding-github-actions){% ifversion fpt %}."{% elsif ghes or ghec %}" and "[About {% data variables.product.prodname_actions %} for enterprises](/admin/github-actions/getting-started-with-github-actions-for-your-enterprise/about-github-actions-for-enterprises)."{% endif %}
{% ifversion fpt or ghec %}
{% data reusables.github-actions.actions-billing %} 更多信息请参阅“[关于 {% data variables.product.prodname_actions %} 的计费](/billing/managing-billing-for-github-actions/about-billing-for-github-actions)”。
{% else %}
GitHub Actions usage is free for {% data variables.product.prodname_ghe_server %}s that use self-hosted runners.
GitHub Actions usage is free for {% data variables.product.prodname_ghe_server %} instances that use self-hosted runners. 更多信息请参阅“[关于自托管运行器](/actions/hosting-your-own-runners/about-self-hosted-runners)”。
{% endif %}
{% ifversion fpt or ghec %}
## 可用性
{% data variables.product.prodname_actions %} is available on all {% data variables.product.prodname_dotcom %} products, but {% data variables.product.prodname_actions %} is not available for private repositories owned by accounts using legacy per-repository plans. {% data reusables.gated-features.more-info %}
{% endif %}
## 使用限制
{% ifversion fpt or ghec %}
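Review bot: `{% ifversion fpt %}."{% elsif ghes or ghec %}" and "[About ...]"{% endif %}` has no branch for `ghae`, so on GitHub AE the sentence "For more information, see "[Understanding ...](...)" ends without its closing quote and full stop. Add an `{% else %}."` branch or fold `ghae` into the first condition. The change from "{% data variables.product.prodname_ghe_server %}s that use self-hosted runners" to "... instances that use self-hosted runners" correctly repairs the pluralised variable.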
@@ -63,7 +63,7 @@ Jenkins 使用指令来管理 _Declarative Pipelines_。 这些指令定义工
| --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| [`environment`](https://jenkins.io/doc/book/pipeline/syntax/#environment) | [`jobs.<job_id>.env`](/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#env) <br> [`jobs.<job_id>.steps[*].env`](/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idstepsenv) |
| [`options`](https://jenkins.io/doc/book/pipeline/syntax/#parameters) | [`jobs.<job_id>.strategy`](/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idstrategy) <br> [`jobs.<job_id>.strategy.fail-fast`](/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idstrategyfail-fast) <br> [`jobs.<job_id>.timeout-minutes`](/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idtimeout-minutes) |
| [`parameters`](https://jenkins.io/doc/book/pipeline/syntax/#parameters) | [`inputs`](/actions/creating-actions/metadata-syntax-for-github-actions#inputs) <br> [`outputs`](/actions/creating-actions/metadata-syntax-for-github-actions#outputs) |
| [`parameters`](https://jenkins.io/doc/book/pipeline/syntax/#parameters) | [`inputs`](/actions/creating-actions/metadata-syntax-for-github-actions#inputs) <br> [`outputs`](/actions/creating-actions/metadata-syntax-for-github-actions#outputs-for-docker-container-and-javascript-actions) |
| [`triggers`](https://jenkins.io/doc/book/pipeline/syntax/#triggers) | [`on`](/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#on) <br> [`on.<event_name>.types`](/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#onevent_nametypes) <br> [<code>on.<push\>.<branches\|tags></code>](/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#onpushbranchestagsbranches-ignoretags-ignore) <br> [<code>on.<pull_request\>.<branches\></code>](/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#onpull_requestpull_request_targetbranchesbranches-ignore) <br> [<code>on.<push\|pull_request>.paths</code>](/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#onpushpull_requestpull_request_targetpathspaths-ignore) |
| [`triggers { upstreamprojects() }`](https://jenkins.io/doc/book/pipeline/syntax/#triggers) | [`jobs.<job_id>.needs`](/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idneeds) |
| [Jenkins cron syntax](https://jenkins.io/doc/book/pipeline/syntax/#cron-syntax) | [`on.schedule`](/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#onschedule) |
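Review bot: in the unchanged `options` row, the Jenkins link points to `https://jenkins.io/doc/book/pipeline/syntax/#parameters` rather than `#options`; out of scope for this anchor rename but worth fixing while the table is open. The in-scope change to `#outputs-for-docker-container-and-javascript-actions` matches the contexts table edit earlier in this patch.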
@@ -80,20 +80,20 @@ jobs:
{% ifversion fpt or ghes > 3.1 or ghae or ghec %}
下表显示默认情况下授予 `GITHUB_TOKEN` 的权限。 People with admin permissions to an {% ifversion not ghes %}enterprise, organization, or repository,{% else %}organization or repository{% endif %} can set the default permissions to be either permissive or restricted. For information on how to set the default permissions for the `GITHUB_TOKEN` for your enterprise, organization, or repository, see "[Enforcing policies for {% data variables.product.prodname_actions %} in your enterprise](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-github-actions-policies-for-your-enterprise#enforcing-a-policy-for-workflow-permissions-in-your-enterprise)," "[Disabling or limiting {% data variables.product.prodname_actions %} for your organization](/github/setting-up-and-managing-organizations-and-teams/disabling-or-limiting-github-actions-for-your-organization#setting-the-permissions-of-the-github_token-for-your-organization)," or "[Managing {% data variables.product.prodname_actions %} settings for a repository](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#setting-the-permissions-of-the-github_token-for-your-repository)."
| 作用域 | 默认访问<br>(允许) | 默认访问<br>(限制) | 复刻的仓库的最大访问权限<br> |
| ------------------- | ------------------ | ------------------ | ---------------------- |
| 操作 | 读/写 | 无 | 读取 |
|
||||
| 检查 | 读/写 | 无 | 读取 |
|
||||
| 内容 | 读/写 | 读取 | 读取 |
|
||||
| 部署 | 读/写 | 无 | 读取 |
|
||||
| id-token | 读/写 | 无 | 读取 |
|
||||
| 议题 | 读/写 | 无 | 读取 |
|
||||
| 元数据 | 读取 | 读取 | 读取 |
|
||||
| 包 | 读/写 | 无 | 读取 |
|
||||
| pull-requests | 读/写 | 无 | 读取 |
|
||||
| repository-projects | 读/写 | 无 | 读取 |
|
||||
| security-events | 读/写 | 无 | 读取 |
|
||||
| 状态 | 读/写 | 无 | 读取 |
|
||||
| 作用域 | 默认访问<br>(允许) | 默认访问<br>(限制) | 复刻的仓库的最大访问权限<br> |
|
||||
| -------- | ------------------ | ------------------ | ---------------------- |
|
||||
| 操作 | 读/写 | 无 | 读取 |
|
||||
| 检查 | 读/写 | 无 | 读取 |
|
||||
| 内容 | 读/写 | 读取 | 读取 |
|
||||
| 部署 | 读/写 | 无 | 读取 |
|
||||
| id-token | 读/写 | 无 | 读取 |
|
||||
| 议题 | 读/写 | 无 | 读取 |
|
||||
| 元数据 | 读取 | 读取 | 读取 |
|
||||
| 包 | 读/写 | 无 | 读取 |
|
||||
{%- ifversion fpt or ghec or ghes > 3.2 or ghae-issue-6187 %}
|
||||
| pages | read/write | none | read |
|
||||
{%- endif %}
|
||||
| pull-requests | read/write | none | read | | repository-projects | read/write | none | read | | security-events | read/write | none | read | | statuses | read/write | none | read |
|
||||
{% else %}
|
||||
| 作用域 | 访问类型 | 通过复刻的仓库访问 |
|
||||
| ------------------- | ---- | --------- |
|
||||
|
||||
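Review bot: the last row line of the new table runs the `pull-requests`, `repository-projects`, `security-events` and `statuses` rows together on one line (`| pull-requests | read/write | none | read | | repository-projects | ...`), which markdown renders as a single row with extra cells instead of four rows; split it back into four lines, one per scope, like the rows above it. The `pages` row and those four are also left in English (`read/write`, `none`, `read`) while the rest of the translated table uses `读/写`, `无`, `读取`, so the `GITHUB_TOKEN` permissions table will render in two languages.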
@@ -354,3 +354,50 @@ steps:
run: cat $HOME/secrets/my_secret.json
```
{% endraw %}


## Storing Base64 binary blobs as secrets

You can use Base64 encoding to store small binary blobs as secrets. You can then reference the secret in your workflow and decode it for use on the runner. For the size limits, see ["Limits for secrets"](/actions/security-guides/encrypted-secrets#limits-for-secrets).

{% note %}

**Note**: Note that Base64 only converts binary to text, and is not a substitute for actual encryption.

{% endnote %}

1. Use `base64` to encode your file into a Base64 string. 例如:

```
$ base64 -i cert.der -o cert.base64
```

1. Create a secret that contains the Base64 string. 例如:

```
$ gh secret set CERTIFICATE_BASE64 < cert.base64
✓ Set secret CERTIFICATE_BASE64 for octocat/octorepo
```

1. To access the Base64 string from your runner, pipe the secret to `base64 --decode`. 例如:

```yaml
name: Retrieve Base64 secret
on:
push:
branches: [ octo-branch ]
jobs:
decode-secret:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Retrieve the secret and decode it to a file
env:
{% raw %}CERTIFICATE_BASE64: ${{ secrets.CERTIFICATE_BASE64 }}{% endraw %}
run: |
echo $CERTIFICATE_BASE64 | base64 --decode > cert.der
- name: Show certificate information
run: |
openssl x509 -in cert.der -inform DER -text -noout
```


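Review bot: `base64 -i cert.der -o cert.base64` in the first step uses the macOS `base64` flags; GNU coreutils `base64` (Ubuntu runners and most Linux shells) has no `-o` option and reads `-i` as `--ignore-garbage`, so `base64 cert.der > cert.base64` works on both. In the workflow step, `echo $CERTIFICATE_BASE64` is unquoted: GNU `base64` wraps its output every 76 columns, and if those line breaks were stored in the secret, word splitting turns them into spaces that `base64 --decode` rejects as invalid input, so quote it: `echo "$CERTIFICATE_BASE64" | base64 --decode > cert.der`. Smaller points: the callout reads `**Note**: Note that ...` (double "Note"), and the three list items mix an English sentence with the translated `例如:`.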
@@ -16,193 +16,9 @@ versions:
shortTitle: 触发工作流程的事件
---

{% data reusables.actions.enterprise-beta %}
{% data reusables.actions.enterprise-github-hosted-runners %}
## About events that trigger workflows

## About workflow triggers

Workflow triggers are events that cause a workflow to run. These events can be:

- Events that occur in your workflow's repository
- Events that occur outside of {% data variables.product.product_name %} and trigger a `repository_dispatch` event on {% data variables.product.product_name %}
- Scheduled times
- Manual

For example, you can configure your workflow to run when a push is made to the default branch of your repository, when a release is created, or when an issue is opened.

Workflow triggers are defined with the `on` key. 更多信息请参阅“[{% data variables.product.prodname_actions %} 的工作流程语法](/articles/workflow-syntax-for-github-actions#on)”。

以下步骤将触发工作流程运行:

1. An event occurs on your repository. The event has an associated commit SHA and Git ref.
1. {% data variables.product.product_name %} searches the `.github/workflows` directory in your repository for workflow files that are present in the associated commit SHA or Git ref of the event.

1. A workflow run is triggered for any workflows that have `on:` values that match the triggering event. Some events also require the workflow file to be present on the default branch of the repository in order to run.

Each workflow run will use the version of the workflow that is present in the associated commit SHA or Git ref of the event. 当工作流程运行时,{% data variables.product.product_name %} 会在运行器环境中设置 `GITHUB_SHA`(提交 SHA)和 `GITHUB_REF`(Git 引用)环境变量。 更多信息请参阅“[使用环境变量](/actions/automating-your-workflow-with-github-actions/using-environment-variables)”。

### Triggering a workflow from a workflow

{% data reusables.github-actions.actions-do-not-trigger-workflows %} 更多信息请参阅“[使用 GITHUB_TOKEN 验证身份](/actions/configuring-and-managing-workflows/authenticating-with-the-github_token)”。

If you do want to trigger a workflow from within a workflow run, you can use a personal access token instead of `GITHUB_TOKEN` to trigger events that require a token. 您需要创建个人访问令牌并将其存储为密码。 为了最大限度地降低 {% data variables.product.prodname_actions %} 使用成本,请确保不要创建递归或意外的工作流程。 For more information about creating a personal access token, see "[Creating a personal access token](/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token)." For more information about storing a personal access token as a secret, see "[Creating and storing encrypted secrets](/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets)."

For example, the following workflow uses a personal access token (stored as a secret called `MY_TOKEN`) to add a label to an issue via {% data variables.product.prodname_cli %}. Any workflows that run when a label is added will run once this step is performed.

```yaml
on:
issues:
types:
- opened

jobs:
label_issue:
runs-on: ubuntu-latest
steps:
- env:
GITHUB_TOKEN: {% raw %}${{ secrets.MY_TOKEN }}{% endraw %}
ISSUE_URL: {% raw %}${{ github.event.issue.html_url }}{% endraw %}
run: |
gh issue edit $ISSUE_URL --add-label "triage"
```

Conversely, the following workflow uses `GITHUB_TOKEN` to add a label to an issue. It will not trigger any workflows that run when a label is added.

```yaml
on:
issues:
types:
- opened

jobs:
label_issue:
runs-on: ubuntu-latest
steps:
- env:
GITHUB_TOKEN: {% raw %}${{ secrets.GITHUB_TOKEN }}{% endraw %}
ISSUE_URL: {% raw %}${{ github.event.issue.html_url }}{% endraw %}
run: |
gh issue edit $ISSUE_URL --add-label "triage"
```

## Using events to trigger workflows

Use the `on` key to specify what events trigger your workflow. For more information about events you can use, see "[Available events](#available-events)" below.

{% data reusables.github-actions.actions-on-examples %}

## Using event information

Information about the event that triggered a workflow run is available in the `github.event` context. The properties in the `github.event` context depend on the type of event that triggered the workflow. For example, a workflow triggered when an issue is labeled would have information about the issue and label.

### Viewing all properties of an event

Reference the webhook event documentation for common properties and example payloads. 更多信息请参阅“[web 挂钩事件和有效负载](/developers/webhooks-and-events/webhooks/webhook-events-and-payloads)”。

You can also print the entire `github.event` context to see what properties are available for the event that triggered your workflow:

```yaml
jobs:
print_context:
runs-on: ubuntu-latest
steps:
- env:
EVENT_CONTEXT: {% raw %}${{ toJSON(github.event) }}{% endraw %}
run: |
echo $EVENT_CONTEXT
```

### Accessing and using event properties

You can use the `github.event` context in your workflow. For example, the following workflow runs when a pull request that changes `package*.json`, `.github/CODEOWNERS`, or `.github/workflows/**` is opened. If the pull request author (`github.event.pull_request.user.login`) is not `octobot` or `dependabot[bot]`, then the workflow uses the {% data variables.product.prodname_cli %} to label and comment on the pull request (`github.event.pull_request.number`).

```yaml
on:
pull_request:
types:
- opened
paths:
- '.github/workflows/**'
- '.github/CODEOWNERS'
- 'package*.json'

jobs:
triage:
if: >-
github.event.pull_request.user.login != 'octobot' &&
github.event.pull_request.user.login != 'dependabot[bot]'
runs-on: ubuntu-latest
steps:
- name: "Comment about changes we can't accept"
env:
GITHUB_TOKEN: {% raw %}${{ secrets.GITHUB_TOKEN }}{% endraw %}
PR: {% raw %}${{ github.event.pull_request.html_url }}{% endraw %}
run: |
gh pr edit $PR --add-label 'invalid'
gh pr comment $PR --body 'It looks like you edited `package*.json`, `.github/CODEOWNERS`, or `.github/workflows/**`. We do not allow contributions to these files. Please review our [contributing guidelines](https://github.com/octo-org/octo-repo/blob/main/CONTRIBUTING.md) for what contributions are accepted.'
```

For more information about contexts, see "[Contexts](/actions/learn-github-actions/contexts)." For more information about event payloads, see "[Webhook events and payloads](/developers/webhooks-and-events/webhooks/webhook-events-and-payloads)."

## Further controlling how your workflow will run

If you want more granular control than events, event activity types, or event filters provide, you can use conditionals{% ifversion fpt or ghae or ghes > 3.1 or ghec %} and environments{% endif %} to control whether individual jobs or steps in your workflow will run.

### Using conditionals

You can use conditionals to further control whether jobs or steps in your workflow will run. For example, if you want the workflow to run when a specific label is added to an issue, you can trigger on the `issues labeled` event activity type and use a conditional to check what label triggered the workflow. The following workflow will run when any label is added to an issue in the workflow's repository, but the `run_if_label_matches` job will only execute if the label is named `bug`.

```yaml
on:
issues:
types:
- labeled

jobs:
run_if_label_matches:
if: github.event.label.name == 'bug'
runs-on: ubuntu-latest
steps:
- run: echo 'The label was bug'
```

For more information, see "[Expressions](/actions/learn-github-actions/expressions)."

{% ifversion fpt or ghae or ghes > 3.1 or ghec %}
### Using environments to manually trigger workflow jobs

If you want to manually trigger a specific job in a workflow, you can use an environment that requires approval from a specific team or user. First, configure an environment with required reviewers. For more information, see "[Using environments for deployment](/actions/deployment/targeting-different-environments/using-environments-for-deployment)." Then, reference the environment name in a job in your workflow using the `environment:` key. Any job referencing the environment will not run until at least one reviewer approves the job.

For example, the following workflow will run whenever there is a push to main. The `build` job will always run. The `publish` job will only run after the `build` job successfully completes (due to `needs: [build]`) and after all of the rules (including required reviewers) for the environment called `production` pass (due to `environment: production`).

```yaml
on:
push:
branches:
- main

jobs:
build:
runs-on: ubuntu-latest
steps:
- name: build
echo 'building'

publish:
needs: [build]
runs-on: ubuntu-latest
environment: production
steps:
- name: publish
echo 'publishing'
```

{% note %}

{% data reusables.gated-features.environments %}

{% endnote %}
{% endif %}
Workflow triggers are events that cause a workflow to run. For more information about how to use workflow triggers, see "[Triggering a workflow](/actions/using-workflows/triggering-a-workflow)."

## Available events

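Review bot: the removed environments example has `- name: build` followed directly by `echo 'building'` (and likewise `- name: publish` / `echo 'publishing'`) with no `run:` key, which is not valid step syntax; since this section is being moved rather than fixed, check that the copy in the destination file gets `run: echo 'building'` and `run: echo 'publishing'`. On the added side, the heading becomes `## About events that trigger workflows` while the one-paragraph summary that replaces the section still opens with the `About workflow triggers` definition (`Workflow triggers are events that cause a workflow to run.`); confirm that matches the English source.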
@@ -794,7 +610,7 @@ jobs:

#### Running your workflow based on the head or base branch of a pull request

You can use the `branches` or `branches-ignore` filter to configure your workflow to only run on pull requests that target specific branches. For more information, see "[Workflow syntax for GitHub Actions](/actions/learn-github-actions/workflow-syntax-for-github-actions#onpull_requestpull_request_targetbranchesbranches-ignore)."
You can use the `branches` or `branches-ignore` filter to configure your workflow to only run on pull requests that target specific branches. 更多信息请参阅“[GitHub Actions 的工作流程语法](/actions/learn-github-actions/workflow-syntax-for-github-actions#onpull_requestpull_request_targetbranchesbranches-ignore)”。

For example, this workflow will run when someone opens a pull request that targets a branch whose name starts with `releases/`:

@@ -841,7 +657,7 @@ jobs:

#### Running your workflow based on files changed in a pull request

You can also configure your workflow to run when a pull request changes specific files. For more information, see "[Workflow syntax for GitHub Actions](/actions/learn-github-actions/workflow-syntax-for-github-actions#onpushpull_requestpull_request_targetpathspaths-ignore)."
You can also configure your workflow to run when a pull request changes specific files. 更多信息请参阅“[GitHub Actions 的工作流程语法](/actions/learn-github-actions/workflow-syntax-for-github-actions#onpushpull_requestpull_request_targetpathspaths-ignore)”。

For example, this workflow will run when a pull request includes a change to a JavaScript file (`.js`):

@@ -978,7 +794,7 @@ on:

#### Running your workflow based on the head or base branch of a pull request

You can use the `branches` or `branches-ignore` filter to configure your workflow to only run on pull requests that target specific branches. For more information, see "[Workflow syntax for GitHub Actions](/actions/learn-github-actions/workflow-syntax-for-github-actions#onpull_requestpull_request_targetbranchesbranches-ignore)."
You can use the `branches` or `branches-ignore` filter to configure your workflow to only run on pull requests that target specific branches. 更多信息请参阅“[GitHub Actions 的工作流程语法](/actions/learn-github-actions/workflow-syntax-for-github-actions#onpull_requestpull_request_targetbranchesbranches-ignore)”。

For example, this workflow will run when someone opens a pull request that targets a branch whose name starts with `releases/`:

@@ -1025,7 +841,7 @@ jobs:

#### Running your workflow based on files changed in a pull request

You can use the `paths` or `paths-ignore` filter to configure your workflow to run when a pull request changes specific files. For more information, see "[Workflow syntax for GitHub Actions](/actions/learn-github-actions/workflow-syntax-for-github-actions#onpushpull_requestpull_request_targetpathspaths-ignore)."
You can use the `paths` or `paths-ignore` filter to configure your workflow to run when a pull request changes specific files. 更多信息请参阅“[GitHub Actions 的工作流程语法](/actions/learn-github-actions/workflow-syntax-for-github-actions#onpushpull_requestpull_request_targetpathspaths-ignore)”。

For example, this workflow will run when a pull request includes a change to a JavaScript file (`.js`):

@@ -1082,7 +898,7 @@ on:

#### Running your workflow only when a push to specific branches occurs

You can use the `branches` or `branches-ignore` filter to configure your workflow to only run when specific branches are pushed. For more information, see "[Workflow syntax for GitHub Actions](/actions/learn-github-actions/workflow-syntax-for-github-actions#onpushbranchestagsbranches-ignoretags-ignore)."
You can use the `branches` or `branches-ignore` filter to configure your workflow to only run when specific branches are pushed. 更多信息请参阅“[GitHub Actions 的工作流程语法](/actions/learn-github-actions/workflow-syntax-for-github-actions#onpushbranchestagsbranches-ignoretags-ignore)”。

For example, this workflow will run when someone pushes to `main` or to a branch that starts with `releases/`.

@@ -1113,7 +929,7 @@ on:

#### Running your workflow only when a push of specific tags occurs

You can use the `tags` or `tags-ignore` filter to configure your workflow to only run when specific tags or are pushed. For more information, see "[Workflow syntax for GitHub Actions](/actions/learn-github-actions/workflow-syntax-for-github-actions#onpushbranchestagsbranches-ignoretags-ignore)."
You can use the `tags` or `tags-ignore` filter to configure your workflow to only run when specific tags or are pushed. 更多信息请参阅“[GitHub Actions 的工作流程语法](/actions/learn-github-actions/workflow-syntax-for-github-actions#onpushbranchestagsbranches-ignoretags-ignore)”。

For example, this workflow will run when someone pushes a tag that starts with `v1.`.

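Review bot: both the old and the new line keep the stray `or` in `only run when specific tags or are pushed`; the English half should read `only run when specific tags are pushed`, and the fix belongs in the English source so the next translation pass picks it up rather than re-importing the typo.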
@@ -1126,7 +942,7 @@ on:

#### Running your workflow only when a push affects specific files

You can use the `paths` or `paths-ignore` filter to configure your workflow to run when a push to specific files occurs. For more information, see "[Workflow syntax for GitHub Actions](/actions/learn-github-actions/workflow-syntax-for-github-actions#onpushpull_requestpull_request_targetpathspaths-ignore)."
You can use the `paths` or `paths-ignore` filter to configure your workflow to run when a push to specific files occurs. 更多信息请参阅“[GitHub Actions 的工作流程语法](/actions/learn-github-actions/workflow-syntax-for-github-actions#onpushpull_requestpull_request_targetpathspaths-ignore)”。

For example, this workflow will run when someone pushes a change to a JavaScript file (`.js`):

@@ -1168,7 +984,7 @@ on:

{% data reusables.github-actions.branch-requirement %}

Runs your workflow when activity related to {% data variables.product.prodname_registry %} occurs in your repository. For more information, see "[{% data variables.product.prodname_registry %} Documentation](/packages)."
Runs your workflow when activity related to {% data variables.product.prodname_registry %} occurs in your repository. 更多信息请参阅“[{% data variables.product.prodname_registry %} 文档](/packages)”。

例如,您可以在软件包为 `published` 时运行工作流程。

@@ -1220,7 +1036,7 @@ on:

{% data reusables.github-actions.branch-requirement %}

You can use the {% data variables.product.product_name %} API to trigger a webhook event called [`repository_dispatch`](/developers/webhooks-and-events/webhooks/webhook-events-and-payloads/#repository_dispatch) when you want to trigger a workflow for activity that happens outside of {% data variables.product.product_name %}. 更多信息请参阅“[创建仓库调度事件](/rest/reference/repos#create-a-repository-dispatch-event)”。
当您想要触发在 {% data variables.product.product_name %} 外发生的活动的工作流程时,可以使用 {% data variables.product.product_name %} API 触发名为 [`repository_dispatch`](/developers/webhooks-and-events/webhooks/webhook-events-and-payloads/#repository_dispatch) 的 web 挂钩事件。 更多信息请参阅“[创建仓库调度事件](/rest/reference/repos#create-a-repository-dispatch-event)”。

When you make a request to create a `repository_dispatch` event, you must specify an `event_type` to describe the activity type. By default, all `repository_dispatch` activity types trigger a workflow to run. You can use the `types` keyword to limit your workflow to run when a specific `event_type` value is sent in the `repository_dispatch` webhook payload.

@@ -1371,7 +1187,7 @@ on:
| --------------------------- | ---- | --------------------------- | --------------------------- |
| Same as the caller workflow | n/a | Same as the caller workflow | Same as the caller workflow |

`workflow_call` is used to indicate that a workflow can be called by another workflow. When a workflow is triggered with the `workflow_call` event, the event playload in the called workflow is the same event payload from the calling workflow. For more information see, "[Reusing workflows](/actions/learn-github-actions/reusing-workflows)."
`workflow_call` is used to indicate that a workflow can be called by another workflow. When a workflow is triggered with the `workflow_call` event, the event payload in the called workflow is the same event payload from the calling workflow. For more information see, "[Reusing workflows](/actions/learn-github-actions/reusing-workflows)."

The example below only runs the workflow when it's called from another workflow:


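Review bot: the `playload` to `payload` correction is right; the same sentence still carries the misplaced comma in `For more information see, "[Reusing workflows]...`, which every other paragraph on the page writes as `For more information, see`, so it is worth fixing in the same pass.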
@@ -34,6 +34,8 @@ If you reuse a workflow from a different repository, any actions in the called w

When a reusable workflow is triggered by a caller workflow, the `github` context is always associated with the caller workflow. The called workflow is automatically granted access to `github.token` and `secrets.GITHUB_TOKEN`. For more information about the `github` context, see "[Context and expression syntax for GitHub Actions](/actions/reference/context-and-expression-syntax-for-github-actions#github-context)."

You can view the reused workflows referenced in your {% data variables.product.prodname_actions %} workflows as dependencies in the dependency graph of the repository containing your workflows. For more information, see “[About the dependency graph](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph).”

### Reusable workflows and starter workflows

Starter workflows allow everyone in your organization who has permission to create workflows to do so more quickly and easily. When people create a new workflow, they can choose a starter workflow and some or all of the work of writing the workflow will be done for them. Within a starter workflow, you can also reference reusable workflows to make it easy for people to benefit from reusing centrally managed workflow code. If you use a tag or branch name when referencing the reusable workflow, you can ensure that everyone who reuses that workflow will always be using the same YAML code. However, if you reference a reusable workflow by a tag or branch, be sure that you can trust that version of the workflow. For more information, see "[Security hardening for {% data variables.product.prodname_actions %}](/actions/security-guides/security-hardening-for-github-actions#reusing-third-party-workflows)."
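Review bot: the added paragraph wraps the link title in curly quotes (“…”) where the surrounding paragraphs use straight quotes; keep the house style. The placement itself is good: the next paragraph's warning about trusting a tag- or branch-referenced reusable workflow describes exactly the dependency that the graph now makes visible.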
@@ -110,7 +112,7 @@ You can define inputs and secrets, which can be passed from the caller workflow
runs-on: ubuntu-latest
environment: production
steps:
- uses: ./.github/actions/my-action@v1
- uses: ./.github/actions/my-action
with:
username: ${{ inputs.username }}
token: ${{ secrets.envPAT }}
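Review bot: dropping `@v1` is the right fix, since an action referenced by a local path (`./.github/actions/my-action`) runs from the checked-out tree and cannot take an `@ref`; a side benefit is that it is implicitly pinned to the commit under test rather than to a movable tag. It also means the step depends on the repository having been checked out earlier in the job: in the visible context `steps:` opens directly with this `uses:` line, so unless an `actions/checkout` step precedes it, the path will not exist on the runner.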
@@ -151,7 +153,7 @@ jobs:
name: Pass input and secrets to my-action
runs-on: ubuntu-latest
steps:
- uses: ./.github/actions/my-action@v1
- uses: ./.github/actions/my-action
with:
username: ${{ inputs.username }}
token: ${{ secrets.token }}

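Review bot: same fix as the previous hunk; here too the step list begins directly with the local `uses:` line, so the job needs an `actions/checkout` step before it for `./.github/actions/my-action` to resolve on the runner.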
@@ -12,36 +12,242 @@ topics:
|
||||
- Workflows
|
||||
- CI
|
||||
- CD
|
||||
miniTocMaxHeadingLevel: 4
|
||||
miniTocMaxHeadingLevel: 3
|
||||
---
|
||||
|
||||
{% data reusables.actions.enterprise-beta %}
|
||||
{% data reusables.actions.enterprise-github-hosted-runners %}
|
||||
|
||||
## 概览
|
||||
## About workflow triggers
|
||||
|
||||
{% data reusables.actions.workflows.section-triggering-a-workflow %}
|
||||
Workflow triggers are events that cause a workflow to run. These events can be:
|
||||
|
||||
## Defining event types
|
||||
- Events that occur in your workflow's repository
|
||||
- Events that occur outside of {% data variables.product.product_name %} and trigger a `repository_dispatch` event on {% data variables.product.product_name %}
|
||||
- Scheduled times
|
||||
- Manual
|
||||
|
||||
{% data reusables.actions.workflows.section-triggering-a-workflow-types %}
|
||||
For example, you can configure your workflow to run when a push is made to the default branch of your repository, when a release is created, or when an issue is opened.
|
||||
|
||||
## 定向特定分支
|
||||
Workflow triggers are defined with the `on` key. 更多信息请参阅“[{% data variables.product.prodname_actions %} 的工作流程语法](/articles/workflow-syntax-for-github-actions#on)”。
|
||||
|
||||
以下步骤将触发工作流程运行:
|
||||
|
||||
1. An event occurs on your repository. The event has an associated commit SHA and Git ref.
|
||||
1. {% data variables.product.product_name %} searches the `.github/workflows` directory in your repository for workflow files that are present in the associated commit SHA or Git ref of the event.
|
||||
1. A workflow run is triggered for any workflows that have `on:` values that match the triggering event. Some events also require the workflow file to be present on the default branch of the repository in order to run.
|
||||
|
||||
Each workflow run will use the version of the workflow that is present in the associated commit SHA or Git ref of the event. 当工作流程运行时,{% data variables.product.product_name %} 会在运行器环境中设置 `GITHUB_SHA`(提交 SHA)和 `GITHUB_REF`(Git 引用)环境变量。 更多信息请参阅“[使用环境变量](/actions/automating-your-workflow-with-github-actions/using-environment-variables)”。
|
||||
|
||||
### Triggering a workflow from a workflow
|
||||
|
||||
{% data reusables.github-actions.actions-do-not-trigger-workflows %} 更多信息请参阅“[使用 GITHUB_TOKEN 验证身份](/actions/configuring-and-managing-workflows/authenticating-with-the-github_token)”。
|
||||
|
||||
If you do want to trigger a workflow from within a workflow run, you can use a personal access token instead of `GITHUB_TOKEN` to trigger events that require a token. 您需要创建个人访问令牌并将其存储为密码。 为了最大限度地降低 {% data variables.product.prodname_actions %} 使用成本,请确保不要创建递归或意外的工作流程。 For more information about creating a personal access token, see "[Creating a personal access token](/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token)." For more information about storing a personal access token as a secret, see "[Creating and storing encrypted secrets](/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets)."
|
||||
|
||||
For example, the following workflow uses a personal access token (stored as a secret called `MY_TOKEN`) to add a label to an issue via {% data variables.product.prodname_cli %}. Any workflows that run when a label is added will run once this step is performed.
|
||||
|
||||
```yaml
|
||||
on:
|
||||
issues:
|
||||
types:
|
||||
- opened
|
||||
|
||||
jobs:
|
||||
label_issue:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- env:
|
||||
GITHUB_TOKEN: {% raw %}${{ secrets.MY_TOKEN }}{% endraw %}
|
||||
ISSUE_URL: {% raw %}${{ github.event.issue.html_url }}{% endraw %}
|
||||
run: |
|
||||
gh issue edit $ISSUE_URL --add-label "triage"
|
||||
```
|
||||
|
||||
Conversely, the following workflow uses `GITHUB_TOKEN` to add a label to an issue. It will not trigger any workflows that run when a label is added.
|
||||
|
||||
```yaml
|
||||
on:
|
||||
issues:
|
||||
types:
|
||||
- opened
|
||||
|
||||
jobs:
|
||||
label_issue:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- env:
|
||||
GITHUB_TOKEN: {% raw %}${{ secrets.GITHUB_TOKEN }}{% endraw %}
|
||||
ISSUE_URL: {% raw %}${{ github.event.issue.html_url }}{% endraw %}
|
||||
run: |
|
||||
gh issue edit $ISSUE_URL --add-label "triage"
|
||||
```
|
||||
|
||||
## Using events to trigger workflows
|
||||
|
||||
Use the `on` key to specify what events trigger your workflow. For more information about events you can use, see "[Events that trigger workflows](/actions/using-workflows/events-that-trigger-workflows)."
|
||||
|
||||
### Using a single event
|
||||
|
||||
{% data reusables.github-actions.on-single-example %}
|
||||
|
||||
### Using multiple events
|
||||
|
||||
{% data reusables.github-actions.on-multiple-example %}
|
||||
|
||||
### Using activity types and filters with multiple events
|
||||
|
||||
You can use activity types and filters to further control when your workflow will run. For more information, see [Using event activity types](#using-event-activity-types) and [Using filters](#using-filters). {% data reusables.github-actions.actions-multiple-types %}
|
||||
|
||||
## Using event activity types
|
||||
|
||||
{% data reusables.github-actions.actions-activity-types %}
|
||||
|
||||
## Using filters
|
||||
|
||||
{% data reusables.github-actions.actions-filters %}
|
||||
|
||||
### Using filters to target specific branches for pull request events
|
||||
|
||||
{% data reusables.actions.workflows.section-triggering-a-workflow-branches %}
|
||||
|
||||
## Running on specific branches or tags
|
||||
### Using filters to target specific branches or tags for push events
|
||||
|
||||
{% data reusables.actions.workflows.section-run-on-specific-branches-or-tags %}
|
||||
|
||||
## Specifying which branches the workflow can run on
|
||||
|
||||
{% data reusables.actions.workflows.section-specifying-branches %}
|
||||
|
||||
## Using specific file paths
|
||||
### Using filters to target specific paths for pull request or push events
|
||||
|
||||
{% data reusables.actions.workflows.section-triggering-a-workflow-paths %}
|
||||
|
||||
## Using a schedule
|
||||
### Using filters to target specific branches for workflow run events
|
||||
|
||||
{% data reusables.actions.workflows.section-triggering-a-workflow-schedule %}
|
||||
{% data reusables.actions.workflows.section-specifying-branches %}
|
||||
|
||||
## Defining inputs for manually triggered workflows
|
||||
|
||||
{% data reusables.github-actions.workflow-dispatch-inputs %}
|
||||
|
||||
{% ifversion fpt or ghes > 3.3 or ghae-issue-4757 or ghec %}
|
||||
## Defining inputs, outputs, and secrets for reusable workflows
|
||||
|
||||
You can define inputs and secrets that a reusable workflow should receive from a calling workflow. You can also specify outputs that a reusable workflow will make available to a calling workflow. For more information, see "[Reusing workflows](/actions/using-workflows/reusing-workflows)."
|
||||
|
||||
{% endif %}
|
||||
|
||||
## Using event information
|
||||
|
||||
Information about the event that triggered a workflow run is available in the `github.event` context. The properties in the `github.event` context depend on the type of event that triggered the workflow. For example, a workflow triggered when an issue is labeled would have information about the issue and label.
|
||||
|
||||
### Viewing all properties of an event
Reference the webhook event documentation for common properties and example payloads. For more information, see "[Webhook events and payloads](/developers/webhooks-and-events/webhooks/webhook-events-and-payloads)."
You can also print the entire `github.event` context to see what properties are available for the event that triggered your workflow:
```yaml
jobs:
print_context:
runs-on: ubuntu-latest
steps:
- env:
EVENT_CONTEXT: {% raw %}${{ toJSON(github.event) }}{% endraw %}
run: |
echo $EVENT_CONTEXT
```
### Accessing and using event properties
You can use the `github.event` context in your workflow. For example, the following workflow runs when a pull request that changes `package*.json`, `.github/CODEOWNERS`, or `.github/workflows/**` is opened. If the pull request author (`github.event.pull_request.user.login`) is not `octobot` or `dependabot[bot]`, then the workflow uses the {% data variables.product.prodname_cli %} to label and comment on the pull request (`github.event.pull_request.number`).
```yaml
on:
pull_request:
types:
- opened
paths:
- '.github/workflows/**'
- '.github/CODEOWNERS'
- 'package*.json'
jobs:
triage:
if: >-
github.event.pull_request.user.login != 'octobot' &&
github.event.pull_request.user.login != 'dependabot[bot]'
runs-on: ubuntu-latest
steps:
- name: "Comment about changes we can't accept"
env:
GITHUB_TOKEN: {% raw %}${{ secrets.GITHUB_TOKEN }}{% endraw %}
PR: {% raw %}${{ github.event.pull_request.html_url }}{% endraw %}
run: |
gh pr edit $PR --add-label 'invalid'
gh pr comment $PR --body 'It looks like you edited `package*.json`, `.github/CODEOWNERS`, or `.github/workflows/**`. We do not allow contributions to these files. Please review our [contributing guidelines](https://github.com/octo-org/octo-repo/blob/main/CONTRIBUTING.md) for what contributions are accepted.'
```
For more information about contexts, see "[Contexts](/actions/learn-github-actions/contexts)." For more information about event payloads, see "[Webhook events and payloads](/developers/webhooks-and-events/webhooks/webhook-events-and-payloads)."
## Further controlling how your workflow will run
If you want more granular control than events, event activity types, or event filters provide, you can use conditionals{% ifversion fpt or ghae or ghes > 3.1 or ghec %} and environments{% endif %} to control whether individual jobs or steps in your workflow will run.
### Using conditionals
You can use conditionals to further control whether jobs or steps in your workflow will run. For example, if you want the workflow to run when a specific label is added to an issue, you can trigger on the `issues labeled` event activity type and use a conditional to check what label triggered the workflow. The following workflow will run when any label is added to an issue in the workflow's repository, but the `run_if_label_matches` job will only execute if the label is named `bug`.
```yaml
on:
issues:
types:
- labeled
jobs:
run_if_label_matches:
if: github.event.label.name == 'bug'
runs-on: ubuntu-latest
steps:
- run: echo 'The label was bug'
```
For more information, see "[Expressions](/actions/learn-github-actions/expressions)."
{% ifversion fpt or ghae or ghes > 3.1 or ghec %}
### Using environments to manually trigger workflow jobs
If you want to manually trigger a specific job in a workflow, you can use an environment that requires approval from a specific team or user. First, configure an environment with required reviewers. For more information, see "[Using environments for deployment](/actions/deployment/targeting-different-environments/using-environments-for-deployment)." Then, reference the environment name in a job in your workflow using the `environment:` key. Any job referencing the environment will not run until at least one reviewer approves the job.
For example, the following workflow will run whenever there is a push to main. The `build` job will always run. The `publish` job will only run after the `build` job successfully completes (due to `needs: [build]`) and after all of the rules (including required reviewers) for the environment called `production` pass (due to `environment: production`).
```yaml
on:
push:
branches:
- main
jobs:
build:
runs-on: ubuntu-latest
steps:
- name: build
echo 'building'
publish:
needs: [build]
runs-on: ubuntu-latest
environment: production
steps:
- name: publish
echo 'publishing'
```
{% note %}
{% data reusables.gated-features.environments %}
{% endnote %}
{% endif %}
## Available events
For a full list of available events, see "[Events that trigger workflows](/actions/using-workflows/events-that-trigger-workflows)."
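Review bot: the `build` job's step `- name: build` followed by `echo 'building'` (and the same shape in `- name: publish` / `echo 'publishing'`) has no `run:` key, so the step is not valid workflow syntax; the shell line should read `run: echo 'building'`. Separately, under "## Using a schedule" the sub-heading "### Using filters to target specific branches for workflow run events" does not describe the schedule reusable that follows it, and `section-specifying-branches` is included there a second time after already appearing under "## Specifying which branches the workflow can run on". The `print_context` example does the right thing by passing `toJSON(github.event)` through an `env:` variable instead of interpolating it into the `run:` script; quoting the expansion (`echo "$EVENT_CONTEXT"`) would additionally keep the shell from word-splitting the payload.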
@@ -92,7 +92,7 @@ core.setOutput('SELECTED_COLOR', 'green');
设置操作的输出参数。
(可选)您也可以在操作的元数据文件中声明输出参数。 更多信息请参阅“[{% data variables.product.prodname_actions %} 的元数据语法](/articles/metadata-syntax-for-github-actions#outputs)”。
(可选)您也可以在操作的元数据文件中声明输出参数。 For more information, see "[Metadata syntax for {% data variables.product.prodname_actions %}](/articles/metadata-syntax-for-github-actions#outputs-for-docker-container-and-javascript-actions)."
### 示例
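Review bot: the replacement line keeps the first sentence in Chinese and the second ("For more information, see ...") in English, so the paragraph is now half-translated; the only substantive change is the anchor moving from `#outputs` to `#outputs-for-docker-container-and-javascript-actions`, and the sentence around it should be in one language.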
@@ -292,7 +292,7 @@ Only the second `set-output` and `echo` workflow commands are included in the lo
您可以使用 `save-state` 命令来创建环境变量,以便与工作流程的 `pre:` 或 `post:` 操作共享。 例如,您可以使用 `pre:` 操作创建文件,将该文件位置传给 `main:` 操作,然后使用 `post:` 操作删除文件。 或者,您可以使用 `main:` 操作创建文件,将该文件位置传给 `post:` 操作,然后使用 `post:` 操作删除文件。
如果您有多个 `pre:` 或 `post:` 操作,则只能访问使用了 `save-state` 的操作中的已保存值。 有关 `post:` 操作的更多信息,请参阅“[{% data variables.product.prodname_actions %} 的元数据语法](/actions/creating-actions/metadata-syntax-for-github-actions#post)”。
如果您有多个 `pre:` 或 `post:` 操作,则只能访问使用了 `save-state` 的操作中的已保存值。 有关 `post:` 操作的更多信息,请参阅“[{% data variables.product.prodname_actions %} 的元数据语法](/actions/creating-actions/metadata-syntax-for-github-actions#runspost)”。
`save-state` 命令只能在操作内运行,并且对 YAML 文件不可用。 保存的值将作为环境值存储,带 `STATE_` 前缀。
@@ -149,7 +149,7 @@ jobs:
steps:
- name: Pass the received secret to an action
uses: ./.github/actions/my-action@v1
uses: ./.github/actions/my-action
with:
token: ${{ secrets.access-token }}
```
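Review bot: dropping `@v1` from `uses: ./.github/actions/my-action@v1` is the right fix, since an action referenced by a relative path in the same repository is taken from the checked-out commit and cannot carry a version ref; the example still hands the secret to the action through `with: token: ${{ secrets.access-token }}` rather than a `run:` line, which is the pattern to keep.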
@@ -171,42 +171,7 @@ A boolean specifying whether the secret must be supplied.
## `on.workflow_dispatch.inputs`
When using the `workflow_dispatch` event, you can optionally specify inputs that are passed to the workflow.
触发的工作流程接收 `github.event.input` 上下文中的输入。 更多信息请参阅“[上下文](/actions/learn-github-actions/contexts#github-context)”。
### 示例
```yaml
on:
workflow_dispatch:
inputs:
logLevel:
description: 'Log level'
required: true
default: 'warning' {% ifversion fpt or ghec or ghes > 3.3 or ghae-issue-5511 %}
type: choice
options:
- info
- warning
- debug {% endif %}
tags:
description: 'Test scenario tags'
required: false {% ifversion fpt or ghec or ghes > 3.3 or ghae-issue-5511 %}
type: boolean
environment:
description: 'Environment to run tests against'
type: environment
required: true {% endif %}
jobs:
print-tag:
runs-on: ubuntu-latest
steps:
- name: Print the input tag to STDOUT
run: echo {% raw %} The tag is ${{ github.event.inputs.tag }} {% endraw %}
```
{% data reusables.github-actions.workflow-dispatch-inputs %}
{% ifversion fpt or ghes > 3.1 or ghae or ghec %}
## `权限`
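Review bot: replacing the inline example with `{% data reusables.github-actions.workflow-dispatch-inputs %}` fixes two problems visible in the removed lines: the example printed `${{ github.event.inputs.tag }}` directly inside a `run:` line, which is the expression-in-script pattern that lets a user-supplied input alter the shell command (an `env:` variable is the safe way to pass it), and it declared an input named `tags` while reading `inputs.tag`. The surviving context sentence still says `github.event.input` (singular) where the context is `github.event.inputs`.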
@@ -1008,7 +973,7 @@ For more information about branch, tag, and path filter syntax, see "[`on.<push>
| `'**'` | 匹配所有分支和标记名称。 这是不使用 `branches` or `tags` 过滤器时的默认行为。 | `all/the/branches`<br/><br/>`every/tag` |
| `'*feature'` | `*` 字符是 YAML 中的特殊字符。 当模式以 `*` 开头时,您必须使用引号。 | `mona-feature`<br/><br/>`feature`<br/><br/>`ver-10-feature` |
| `v2*` | 匹配以 `v2` 开头的分支和标记名称。 | `v2`<br/><br/>`v2.0`<br/><br/>`v2.9` |
| `v[12].[0-9]+.[0-9]+` | 将所有语义版本控制分支和标记与主要版本 1 或 2 匹配 | `v1.10.1`<br/><br/>`v2.0.0` |
| `v[12].[0-9]+.[0-9]+` | 将所有语义版本控制分支和标记与主要版本 1 或 2 匹配. | `v1.10.1`<br/><br/>`v2.0.0` |
### 匹配文件路径的模式
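Review bot: the changed `v[12].[0-9]+.[0-9]+` row only appends an ASCII period after `匹配`, which is inconsistent with the other rows in the table (they end with the Chinese full stop `。` or no terminal punctuation); use `。` or drop the period.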
@@ -38,6 +38,8 @@ topics:
## 上传自定义 TLS 证书
{% data reusables.enterprise_site_admin_settings.tls-downtime %}
{% data reusables.enterprise_site_admin_settings.access-settings %}
{% data reusables.enterprise_site_admin_settings.management-console %}
{% data reusables.enterprise_management_console.privacy %}
@@ -67,6 +69,8 @@ Let's Encrypt 是公共证书颁发机构,他们使用 ACME 协议颁发受浏
{% data reusables.enterprise_installation.lets-encrypt-prerequisites %}
{% data reusables.enterprise_site_admin_settings.tls-downtime %}
{% data reusables.enterprise_site_admin_settings.access-settings %}
{% data reusables.enterprise_site_admin_settings.management-console %}
{% data reusables.enterprise_management_console.privacy %}
@@ -136,5 +136,5 @@ $ ghe-restore -c 169.154.1.1
{% endnote %}
You can use these additional options with `ghe-restore` command:
- The `-c` flag overwrites the settings, certificate, and license data on the target host even if it is already configured. Omit this flag if you are setting up a staging instance for testing purposes and you wish to retain the existing configuration on the target. For more information, see the "Using using backup and restore commands" section of the [{% data variables.product.prodname_enterprise_backup_utilities %} README](https://github.com/github/backup-utils#using-the-backup-and-restore-commands).
- The `-c` flag overwrites the settings, certificate, and license data on the target host even if it is already configured. Omit this flag if you are setting up a staging instance for testing purposes and you wish to retain the existing configuration on the target. For more information, see the "Using backup and restore commands" section of the [{% data variables.product.prodname_enterprise_backup_utilities %} README](https://github.com/github/backup-utils#using-the-backup-and-restore-commands).
- The `-s` flag allows you to select a different backup snapshot.
@@ -88,8 +88,7 @@ settings to allow incoming emails](#configuring-dns-and-firewall-settings-to-all
4. If the test email fails, [troubleshoot your email settings](#troubleshooting-email-delivery).
5. When the test email succeeds, at the bottom of the page, click **Save settings**.

6. Wait for the configuration run to complete.

{% data reusables.enterprise_site_admin_settings.wait-for-configuration-run %}
## Configuring DNS and firewall settings to allow incoming emails
@@ -47,7 +47,7 @@ topics:
## 使用 `ghe-export-graphs` 导出 collectd 数据
命令行工具 `ghe-export-graphs` 将导出 `collectd` 存储在 RRD 数据库中的数据。 此命令会将数据转换为 XML 格式并导出到一个 tarball (.tgz) 中。
命令行工具 `ghe-export-graphs` 将导出 `collectd` 存储在 RRD 数据库中的数据。 This command turns the data into XML and exports it into a single tarball (`.tgz`).
此文件的主要用途是为 {% data variables.contact.contact_ent_support %} 团队提供关于 VM 性能的数据(无需下载整个支持包), 不应包含在常规备份导出范围中,也没有对应的导入文件。 如果您联系 {% data variables.contact.contact_ent_support %},我们可能会要求您提供此数据,以便协助故障排查。
@@ -52,9 +52,11 @@ If you use Docker container actions or service containers in your workflows, you
If these settings aren't correctly configured, you might receive errors like `Resource unexpectedly moved to https://<IP_ADDRESS>` when setting or changing your {% data variables.product.prodname_actions %} configuration.
## Runners not connecting to {% data variables.product.prodname_ghe_server %} after changing the hostname
## Runners not connecting to {% data variables.product.prodname_ghe_server %} with a new hostname
If you change the hostname of {% data variables.product.product_location %}, self-hosted runners will be unable to connect to the old hostname, and will not execute any jobs.
{% data reusables.enterprise_installation.changing-hostname-not-supported %}
If you deploy {% data variables.product.prodname_ghe_server %} in your environment with a new hostname and the old hostname no longer resolves to your instance, self-hosted runners will be unable to connect to the old hostname, and will not execute any jobs.
You will need to update the configuration of your self-hosted runners to use the new hostname for {% data variables.product.product_location %}. Each self-hosted runner will require one of the following procedures:
@@ -0,0 +1,42 @@
---
title: About GitHub Actions for enterprises
shortTitle: 关于 GitHub Actions
intro: '{% data variables.product.prodname_actions %} can improve developer productivity by automating your enterprise''s software development cycle.'
versions:
ghec: '*'
ghes: '*'
ghae: '*'
type: overview
topics:
- Actions
- Enterprise
---
With {% data variables.product.prodname_actions %}, you can improve developer productivity by automating every phase of your enterprise's software development workflow.
| 任务 | 更多信息 |
| --------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Automatically test and build your application | "[关于持续集成](/actions/automating-builds-and-tests/about-continuous-integration)" |
| Deploy your application | "[About continuous deployment](/actions/deployment/about-deployments/about-continuous-deployment)" |
| Automatically and securely package code into artifacts and containers | "[About packaging with {% data variables.product.prodname_actions %}](/actions/publishing-packages/about-packaging-with-github-actions)" |
| Automate your project management tasks | "[Using {% data variables.product.prodname_actions %} for project management](/actions/managing-issues-and-pull-requests/using-github-actions-for-project-management)" |
{% data variables.product.prodname_actions %} helps your team work faster at scale. When large repositories start using {% data variables.product.prodname_actions %}, teams merge significantly more pull requests per day, and the pull requests are merged significantly faster. For more information, see "[Writing and shipping code faster](https://octoverse.github.com/writing-code-faster/#scale-through-automation)" in the State of the Octoverse.
{% data variables.product.prodname_actions %} also provides greater control over deployments. For example, you can use environments to require approval for a job to proceed, restrict which branches can trigger a workflow, or limit access to secrets.{% ifversion ghec or ghae-issue-4856 %} If your workflows need to access resources from a cloud provider that supports OpenID Connect (OIDC), you can configure your workflows to authenticate directly to the cloud provider. This will allow you to stop storing credentials as long-lived secrets and provide other security benefits. For more information, see "[About security hardening with OpenID Connect](/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect)."{% endif %}
{% data variables.product.prodname_actions %} is developer friendly, because it's integrated directly into the familiar {% data variables.product.product_name %} experience.
You can create your own unique automations, or you can use and adapt workflows from our ecosystem of over 10,000 actions built by industry leaders and the open source community. 更多信息请参阅“[查找和自定义操作](/actions/learn-github-actions/finding-and-customizing-actions)”。
{% ifversion ghec %}You can enjoy the convenience of {% data variables.product.company_short %}-hosted runners, which are maintained and upgraded by {% data variables.product.company_short %}, or you{% else %}You{% endif %} can control your own private CI/CD infrastructure by using self-hosted runners. Self-hosted runners allow you to determine the exact environment and resources that complete your builds, testing, and deployments, without exposing your software development cycle to the internet. For more information, see {% ifversion ghec %}"[About {% data variables.product.company_short %}-hosted runners](/actions/using-github-hosted-runners/about-github-hosted-runners)" and{% endif %} "[About self-hosted runners](/actions/hosting-your-own-runners/about-self-hosted-runners)."
{% data variables.product.prodname_actions %} also includes tools to govern your enterprise's software development cycle and meet compliance obligations. 更多信息请参阅“[在企业中执行 {% data variables.product.prodname_actions %} 的策略](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise)”。
To learn more about how you can successfully adopt {% data variables.product.prodname_actions %} for your enterprise, follow the "[Adopt {% data variables.product.prodname_actions %} for your enterprise](/admin/guides#adopt-github-actions-for-your-enterprise)" learning path.
## 延伸阅读
- "[Understanding {% data variables.product.prodname_actions %}](/actions/learn-github-actions/understanding-github-actions)"{% ifversion ghec %}
- "[About billing for {% data variables.product.prodname_actions %}](/billing/managing-billing-for-github-actions/about-billing-for-github-actions)"{% endif %}
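Review bot: this new file is only partly translated: `title` is English while `shortTitle` is Chinese, the table header row is Chinese while every data row is English, and the "更多信息请参阅" references at the end of the "You can create your own unique automations" and "also includes tools to govern" paragraphs, plus the "## 延伸阅读" heading, are Chinese inside otherwise English text. If the file is meant to ship in the reset English state, those fragments should be reverted too; if it is meant to be translated, the English sentences should be. The OIDC sentence is worth keeping as written, since it presents direct cloud-provider authentication as the replacement for long-lived stored secrets.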
@@ -9,6 +9,7 @@ topics:
- Enterprise
- Actions
children:
- /about-github-actions-for-enterprises
- /introducing-github-actions-to-your-enterprise
- /migrating-your-enterprise-to-github-actions
- /getting-started-with-github-actions-for-github-enterprise-cloud
@@ -14,7 +14,7 @@ topics:
## About {% data variables.product.prodname_actions %} for enterprises
{% data reusables.actions.about-actions %} With {% data variables.product.prodname_actions %}, your enterprise can automate, customize, and execute your software development workflows like testing and deployments. For more information about the basics of {% data variables.product.prodname_actions %}, see "[Understanding {% data variables.product.prodname_actions %}](/actions/learn-github-actions/understanding-github-actions)."
{% data reusables.actions.about-actions %} With {% data variables.product.prodname_actions %}, your enterprise can automate, customize, and execute your software development workflows like testing and deployments. For more information, see "[About {% data variables.product.prodname_actions %} for enterprises](/admin/github-actions/getting-started-with-github-actions-for-your-enterprise/about-github-actions-for-enterprises)."

@@ -178,7 +178,7 @@ topics:
{% data reusables.enterprise_site_admin_settings.sign-in %}
{% data reusables.enterprise_site_admin_settings.access-settings %}
3. 在左侧边栏中,单击 **LDAP users**。 
4. 要搜索用户,请输入完整或部分用户名,然后单击 **Search**。 现有用户将显示在搜索结果中。 如果用户不存在,请单击 **Create** 以配置新用户帐户。 
4. 要搜索用户,请输入完整或部分用户名,然后单击 **Search**。 现有用户将显示在搜索结果中。 如果用户不存在,请单击 **Create** 以配置新用户帐户。 
## 更新 LDAP 帐户
@@ -47,6 +47,7 @@ redirect_from:
| -------------------------------------------- |:--------------------------------------------------------------:|:-------------------------------------------------------------:|
| Active Directory Federation Services (AD FS) | {% octicon "check-circle-fill" aria-label= "The check icon" %} | |
| Azure Active Directory (Azure AD) | {% octicon "check-circle-fill" aria-label="The check icon" %} | {% octicon "check-circle-fill" aria-label="The check icon" %}
| Okta | {% octicon "check-circle-fill" aria-label="The check icon" %} | {% octicon "check-circle-fill" aria-label="The check icon" %}
| OneLogin | {% octicon "check-circle-fill" aria-label="The check icon" %} | |
| PingOne | {% octicon "check-circle-fill" aria-label="The check icon" %} | |
| Shibboleth | {% octicon "check-circle-fill" aria-label="The check icon" %} | |
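Review bot: the AD FS row has a stray space in `aria-label= "The check icon"` that the other rows do not, and the Azure AD and Okta rows are missing the closing `|` at the end of the row; align all rows with the OneLogin/PingOne/Shibboleth form so the identity provider table renders consistently.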
@@ -15,8 +15,6 @@ redirect_from:
- /admin/authentication/managing-identity-and-access-for-your-enterprise/switching-your-saml-configuration-from-an-organization-to-an-enterprise-account
---
{% data reusables.enterprise-accounts.emu-saml-note %}
## 关于企业帐户的 SAML 单点登录
{% data reusables.saml.dotcom-saml-explanation %} {% data reusables.saml.about-saml-enterprise-accounts %}
@@ -97,12 +97,14 @@ featuredLinks:
- '{% ifversion ghes %}/admin/installation{% endif %}'
- '{% ifversion ghae %}/admin/identity-and-access-management/configuring-authentication-and-provisioning-for-your-enterprise-using-azure-ad{% endif %}'
- '{% ifversion ghae %}/admin/overview/about-upgrades-to-new-releases{% endif %}'
- '{% ifversion ghae %}/get-started/signing-up-for-github/setting-up-a-trial-of-github-ae{% endif %}'
- '{% ifversion ghes %}/billing/managing-your-license-for-github-enterprise{% endif %}'
- '{% ifversion ghes %}/admin/configuration/command-line-utilities{% endif %}'
- '{% ifversion ghec %}/admin/configuration/configuring-your-enterprise/verifying-or-approving-a-domain-for-your-enterprise{% endif %}'
- '{% ifversion ghec %}/admin/user-management/managing-organizations-in-your-enterprise/viewing-the-audit-logs-for-organizations-in-your-enterprise{% endif %}'
- '{% ifversion ghec %}/admin/user-management/monitoring-activity-in-your-enterprise/managing-global-webhooks{% endif %}'
- '{% ifversion ghec %}/billing/managing-your-license-for-github-enterprise/using-visual-studio-subscription-with-github-enterprise/setting-up-visual-studio-subscription-with-github-enterprise{% endif %}'
- /admin/configuration/configuring-github-connect/managing-github-connect
- /admin/enterprise-support/about-github-enterprise-support
videos:
- title: "GitHub in the Enterprise – Maya Ross"
@@ -40,12 +40,12 @@ shortTitle: 在 Azure 上安装
{% data reusables.enterprise_installation.create-ghe-instance %}
1. 找到最新的 {% data variables.product.prodname_ghe_server %} 设备映像。 更多关于 `vm image list` 命令的信息,请参阅 Microsoft 文档中的“[az vm image list](https://docs.microsoft.com/cli/azure/vm/image?view=azure-cli-latest#az_vm_image_list)”。
1. 找到最新的 {% data variables.product.prodname_ghe_server %} 设备映像。 For more information about the `vm image list` command, see "[`az vm image list`](https://docs.microsoft.com/cli/azure/vm/image?view=azure-cli-latest#az_vm_image_list)" in the Microsoft documentation.
```shell
$ az vm image list --all -f GitHub-Enterprise | grep '"urn":' | sort -V
```
2. 使用找到的设备映像创建新的 VM。 更多信息请参阅 Microsoft 文档中的“[az vm 创建](https://docs.microsoft.com/cli/azure/vm?view=azure-cli-latest#az_vm_create)”。
2. 使用找到的设备映像创建新的 VM。 For more information, see "[`az vm create`](https://docs.microsoft.com/cli/azure/vm?view=azure-cli-latest#az_vm_create)" in the Microsoft documentation.
传入以下选项:VM 名称、资源组、VM 大小、首选 Azure 地区名称、上一步中列出的设备映像 VM 的名称,以及用于高级存储的存储 SKU。 更多关于资源组的信息,请参阅 Microsoft 文档中的“[资源组](https://docs.microsoft.com/azure/azure-resource-manager/resource-group-overview#resource-groups)”。
@@ -53,7 +53,7 @@ shortTitle: 在 Azure 上安装
$ az vm create -n <em>VM_NAME</em> -g <em>RESOURCE_GROUP</em> --size <em>VM_SIZE</em> -l <em>REGION</em> --image <em>APPLIANCE_IMAGE_NAME</em> --storage-sku Premium_LRS
```
3. 在 VM 上配置安全设置,以打开所需端口。 更多信息请参阅 Microsoft 文档中的 "[az vm open-port](https://docs.microsoft.com/cli/azure/vm?view=azure-cli-latest#az_vm_open_port)"。 请参阅下表中对每个端口的说明,以确定需要打开的端口。
3. 在 VM 上配置安全设置,以打开所需端口。 For more information, see "[`az vm open-port`](https://docs.microsoft.com/cli/azure/vm?view=azure-cli-latest#az_vm_open_port)" in the Microsoft documentation. 请参阅下表中对每个端口的说明,以确定需要打开的端口。
```shell
$ az vm open-port -n <em>VM_NAME</em> -g <em>RESOURCE_GROUP</em> --port <em>PORT_NUMBER</em>
@@ -63,7 +63,7 @@ shortTitle: 在 Azure 上安装
{% data reusables.enterprise_installation.necessary_ports %}
4. Create and attach a new managed data disk to the VM, and configure the size based on your license count. All Azure managed disks created since June 10, 2017 are encrypted at rest by default with Storage Service Encryption (SSE). For more information about the `az vm disk attach` command, see "[az vm disk attach](https://docs.microsoft.com/cli/azure/vm/disk?view=azure-cli-latest#az_vm_disk_attach)" in the Microsoft documentation.
4. 创建新的未加密数据磁盘并将其附加至 VM,然后根据用户许可数配置大小。 For more information, see "[`az vm disk attach`](https://docs.microsoft.com/cli/azure/vm/disk?view=azure-cli-latest#az_vm_disk_attach)" in the Microsoft documentation.
传入以下选项:VM 名称(例如 `ghe-acme-corp`)、资源组、高级存储 SKU、磁盘大小(例如 `100`)以及生成的 VHD 的名称。
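Review bot: the two versions of step 4 disagree on encryption: the Chinese line describes the disk as 新的未加密数据磁盘 (a new unencrypted data disk), while the English line says to attach a managed data disk and states that Azure managed disks created since June 10, 2017 are encrypted at rest by default with Storage Service Encryption (SSE). Whichever line is kept, the translation should not tell administrators that the disk holding instance data is unencrypted; the following line's 生成的 VHD 的名称 (name of the generated VHD) also belongs to the older unmanaged-disk wording and should be checked against the managed-disk version of the step.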
@@ -79,7 +79,7 @@ shortTitle: 在 Azure 上安装
## 配置 {% data variables.product.prodname_ghe_server %} 虚拟机
1. 在配置 VM 之前,您必须等待其进入 ReadyRole 状态。 使用 `vm list` 命令检查 VM 的状态。 更多信息请参阅 Microsoft 文档中的“[az vm 列表](https://docs.microsoft.com/cli/azure/vm?view=azure-cli-latest#az_vm_list)”。
1. 在配置 VM 之前,您必须等待其进入 ReadyRole 状态。 使用 `vm list` 命令检查 VM 的状态。 For more information, see "[`az vm list`](https://docs.microsoft.com/cli/azure/vm?view=azure-cli-latest#az_vm_list)" in the Microsoft documentation.
```shell
$ az vm list -d -g <em>RESOURCE_GROUP</em> -o table
> Name ResourceGroup PowerState PublicIps Fqdns Location Zones
@@ -0,0 +1,31 @@
---
title: Accessing compliance reports for your enterprise
intro: 'You can access {% data variables.product.company_short %}''s compliance reports, such as our SOC reports and Cloud Security Alliance CAIQ self-assessment (CSA CAIQ), for your enterprise.'
versions:
ghec: '*'
type: how_to
topics:
- Accounts
- Enterprise
- Fundamentals
permissions: Enterprise owners can access compliance reports for the enterprise.
shortTitle: Access compliance reports
---
## About {% data variables.product.company_short %}'s compliance reports
You can access {% data variables.product.company_short %}'s compliance reports in your enterprise settings.
{% data reusables.security.compliance-report-list %}
## Accessing compliance reports for your enterprise
{% data reusables.enterprise-accounts.access-enterprise %}
{% data reusables.enterprise-accounts.enterprise-accounts-compliance-tab %}
1. Under "Resources", to the right of the report you want to access, click {% octicon "download" aria-label="The Download icon" %} **Download** or {% octicon "link-external" aria-label="The external link icon" %} **View**.
{% data reusables.security.compliance-report-screenshot %}
## 延伸阅读
- "[Accessing compliance reports for your organization](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/accessing-compliance-reports-for-your-organization)"
@@ -15,6 +15,7 @@ children:
- /system-overview
- /about-the-github-enterprise-api
- /creating-an-enterprise-account
- /accessing-compliance-reports-for-your-enterprise
---
如需了解更多信息或购买 {% data variables.product.prodname_enterprise %},请参阅 [{% data variables.product.prodname_enterprise %}](https://github.com/enterprise)。
@@ -100,6 +100,10 @@ You can enforce policies to control how {% data variables.product.prodname_actio
{% data reusables.github-actions.private-repository-forks-overview %}
If a policy is enabled for an enterprise, the policy can be selectively disabled in individual organizations or repositories. If a policy is disabled for an enterprise, individual organizations or repositories cannot enable it.
{% data reusables.github-actions.private-repository-forks-options %}
{% data reusables.enterprise-accounts.access-enterprise %}
{% data reusables.enterprise-accounts.policies-tab %}
{% data reusables.enterprise-accounts.actions-tab %}
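Review bot: the added sentence "If a policy is enabled for an enterprise, the policy can be selectively disabled in individual organizations or repositories. If a policy is disabled for an enterprise, individual organizations or repositories cannot enable it." never names the policy it refers to; since the surrounding reusables (`private-repository-forks-overview`, `private-repository-forks-options`) concern running workflows from fork pull requests in private repositories, say so explicitly, so readers understand that an enterprise-level disable is a hard ceiling that organizations and repositories cannot loosen.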
@@ -146,9 +146,8 @@ You can use a SSH certificate authorities (CA) to allow members of any organizat
{% data reusables.organizations.delete-ssh-ca %}
{% ifversion ghec or ghae %}
## 延伸阅读
- "[About identity and access management for your enterprise](/admin/authentication/managing-identity-and-access-for-your-enterprise/about-identity-and-access-management-for-your-enterprise)"
- "[About identity and access management for your enterprise](/admin/authentication/managing-identity-and-access-for-your-enterprise/about-identity-and-access-management-for-your-enterprise)"{% ifversion ghec %}
- "[Accessing compliance reports for your enterprise](/admin/overview/accessing-compliance-reports-for-your-enterprise)"{% endif %}
{% endif %}
@@ -90,6 +90,9 @@ The `$GITHUB_VIA` variable is available in the pre-receive hook environment when
| <pre>git refs delete api</pre> | Deletion of a ref via the API | "[Git database](/rest/reference/git#delete-a-reference)" in the REST API documentation |
| <pre>git refs update api</pre> | Update of a ref via the API | "[Git database](/rest/reference/git#update-a-reference)" in the REST API documentation |
| <pre>git repo contents api</pre> | Change to a file's contents via the API | "[Create or update file contents](/rest/reference/repos#create-or-update-file-contents)" in the REST API documentation |
{%- ifversion ghes > 3.0 %}
| `merge ` | Merge of a pull request using auto-merge | "[Automatically merging a pull request](/pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/automatically-merging-a-pull-request)" |
{%- endif %}
| <pre>merge base into head</pre> | Update of the topic branch from the base branch when the base branch requires strict status checks (via **Update branch** in a pull request, for example) | "[About protected branches](/github/administering-a-repository/about-protected-branches#require-status-checks-before-merging)" |
| <pre>pull request branch delete button</pre> | Deletion of a topic branch from a pull request in the web interface | "[Deleting and restoring branches in a pull request](/github/administering-a-repository/deleting-and-restoring-branches-in-a-pull-request#deleting-a-branch-used-for-a-pull-request)" |
|
||||
| <pre>pull request branch undo button</pre> | Restoration of a topic branch from a pull request in the web interface | "[Deleting and restoring branches in a pull request](/github/administering-a-repository/deleting-and-restoring-branches-in-a-pull-request#restoring-a-deleted-branch)" |
|
||||
|
||||
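Review bot: the `merge ` row in the `$GITHUB_VIA` table is inconsistent with its neighbours: every other value is wrapped in `<pre>…</pre>`, while this one uses backticks and carries a trailing space inside the code span. Suggest `| <pre>merge</pre> | Merge of a pull request using auto-merge | …` so it renders like `merge base into head` below it and copies cleanly into a pre-receive hook that compares `$GITHUB_VIA` against the documented value.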
@@ -9,6 +9,7 @@ redirect_from:
intro: '创建团队后,组织管理员可以将用户从 {% data variables.product.product_location %} 添加到团队并决定他们可以访问哪些仓库。'
versions:
ghes: '*'
ghae: '*'
type: how_to
topics:
- Access management
@@ -30,8 +31,12 @@ topics:
{% data reusables.organizations.invite_to_team %}
{% data reusables.organizations.review-team-repository-access %}

{% ifversion ghes %}

## 将团队映射到 LDAP 组(例如,使用 LDAP 同步进行用户身份验证)

{% data reusables.enterprise_management_console.badge_indicator %}

要将新成员添加到已同步至 LDAP 组的团队,请将用户添加为 LDAP 组的成员,或者联系您的 LDAP 管理员。

{% endif %}

@@ -7,6 +7,7 @@ redirect_from:
- /admin/user-management/continuous-integration-using-jenkins
versions:
ghes: '*'
ghae: '*'
type: reference
topics:
- CI

@@ -6,6 +6,7 @@ redirect_from:
- /admin/user-management/creating-teams
versions:
ghes: '*'
ghae: '*'
type: how_to
topics:
- Access management
@@ -32,6 +33,8 @@ A prudent combination of teams is a powerful way to control repository access. F
{% data reusables.organizations.create-team-choose-parent %}
{% data reusables.organizations.create_team %}

{% ifversion ghes %}

## Creating teams with LDAP Sync enabled

Instances using LDAP for user authentication can use LDAP Sync to manage a team's members. Setting the group's **Distinguished Name** (DN) in the **LDAP group** field will map a team to an LDAP group on your LDAP server. If you use LDAP Sync to manage a team's members, you won't be able to manage your team within {% data variables.product.product_location %}. The mapped team will sync its members in the background and periodically at the interval configured when LDAP Sync is enabled. For more information, see "[Enabling LDAP Sync](/enterprise/admin/authentication/using-ldap#enabling-ldap-sync)."
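Review bot: the added "Creating teams with LDAP Sync enabled" heading and paragraph are untranslated English in a zh-CN file whose surrounding steps are translated reusables. If Crowdin has no string for it yet this will be picked up later, but the sentence that LDAP-mapped teams cannot be managed within the product and sync their members from the LDAP group in the background is the access-control point of the section, so it should not ship half-translated for long.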
@@ -60,3 +63,5 @@ You must be a site admin and an organization owner to create a team with LDAP sy
{% data reusables.organizations.team_visibility %}
{% data reusables.organizations.create-team-choose-parent %}
{% data reusables.organizations.create_team %}

{% endif %}
@@ -1,6 +1,6 @@
---
title: 使用 Jira 管理项目
intro: '您可以将 Jira 与 {% data variables.product.prodname_enterprise %} 集成以进行项目管理。'
intro: '您可以将 Jira 与 {% data variables.product.product_name %} 集成以进行项目管理。'
redirect_from:
- /enterprise/admin/guides/installation/project-management-using-jira
- /enterprise/admin/articles/project-management-using-jira
@@ -10,6 +10,7 @@ redirect_from:
- /admin/user-management/managing-projects-using-jira
versions:
ghes: '*'
ghae: '*'
type: how_to
topics:
- Enterprise

@@ -6,6 +6,7 @@ redirect_from:
- /admin/user-management/removing-users-from-teams-and-organizations
versions:
ghes: '*'
ghae: '*'
type: how_to
topics:
- Access management
@@ -25,6 +26,8 @@ shortTitle: 删除用户成员资格

## 移除团队成员

{% ifversion ghes %}

{% warning %}

**注**:{% data reusables.enterprise_management_console.badge_indicator %}
@@ -33,6 +36,8 @@ shortTitle: 删除用户成员资格

{% endwarning %}

{% endif %}

{% data reusables.profile.access_org %}
{% data reusables.user_settings.access_org %}
{% data reusables.organizations.specific_team %}

@@ -15,7 +15,7 @@ shortTitle: 管理支持权利

拥有企业帐户支持权限的人员可以使用支持门户打开、查看和评论与企业帐户相关的支持事件单。

企业所有人和帐单管理员自动拥有支持权利。 企业所有者可以向企业帐户拥有的组织成员添加支持权利。
企业所有人和帐单管理员自动拥有支持权利。 Enterprise owners can add support entitlements to up to 20 additional members of organizations owned by their enterprise account.

## 向企业成员添加支持权利


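Review bot: the new paragraph line mixes languages: its first sentence is translated (企业所有人和帐单管理员自动拥有支持权利。) but the second, which carries the new fact that enterprise owners can add support entitlements to up to 20 additional members, is untranslated English. The Chinese line it replaces states no limit at all, so the "20" is exactly the part a reader of the Chinese page must not miss; flag it for translation rather than leaving the sentence half English.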
@@ -26,7 +26,7 @@ topics:
{% ifversion ghes %}
## 系统事件

所有经过审核的系统事件(包括所有推送和拉取)都会记录到 `/var/log/github/audit.log` 中。 日志每 24 小时自动轮换一次,并会保留七天。
All audited system events are logged to `/var/log/github/audit.log`. 日志每 24 小时自动轮换一次,并会保留七天。

支持包中包含系统日志。 更多信息请参阅“[向 {% data variables.product.prodname_dotcom %} Support 提供数据](/admin/enterprise-support/providing-data-to-github-support)”。


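Review bot: the new English sentence "All audited system events are logged to `/var/log/github/audit.log`." drops the parenthetical that the Chinese line above it still carries (包括所有推送和拉取, that is, including all pushes and pulls), and the second half of the line stays Chinese. Confirm that the English source really removed the push/pull clause before the translation is regenerated; the retention statement (rotation every 24 hours, kept for seven days) is unchanged between the two lines.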
@@ -8,6 +8,7 @@ redirect_from:
- /github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line
- /github/authenticating-to-github/creating-a-personal-access-token
- /github/authenticating-to-github/keeping-your-account-and-data-secure/creating-a-personal-access-token
- /github/extending-github/git-automation-with-oauth-tokens
versions:
fpt: '*'
ghes: '*'

@@ -18,7 +18,11 @@ shortTitle: 部署密钥

{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.sidebar-settings %}
{% ifversion fpt or ghec or ghes > 3.3 or ghae-issue-5658 %}
3. In the "Security" section of the sidebar, click **{% octicon "key" aria-label="The key icon" %} Deploy keys**.
{% else %}
3. 在左侧边栏中,单击 **Deploy keys(部署密钥)**。 
{% endif %}
4. 在 Deploy keys(部署密钥)页面中,记下与您的帐户关联的部署密钥。 对于您无法识别或已过期的密钥,请单击 **Delete(删除)**。 如果有您要保留的有效部署密钥,请单击 **Approve(批准)**。 

更多信息请参阅“[管理部署密钥](/guides/managing-deploy-keys)”。

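Review bot: step 3 in the `{% ifversion fpt or ghec or ghes > 3.3 or ghae-issue-5658 %}` branch is untranslated English while the `{% else %}` branch and step 4 are Chinese, so readers on the newer versions get a mixed-language procedure on a page about reviewing and deleting unrecognised deploy keys. Flag the new step for translation so the branch matches the rest of the list.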
@@ -22,12 +22,10 @@ shortTitle: 安全日志
安全日志列出了过去 90 天内执行的所有操作。

{% data reusables.user_settings.access_settings %}
{% ifversion fpt or ghae or ghes or ghec %}
2. 在用户设置侧边栏中,单击 **Security log(安全日志)**。 
{% ifversion fpt or ghec or ghes > 3.3 or ghae-issue-5658 %}
1. In the "Archives" section of the sidebar, click **{% octicon "log" aria-label="The log icon" %} Security log**.
{% else %}
{% data reusables.user_settings.security %}
3. 在“Security history(安全历史记录)”下,将显示您的日志。 
4. 单击条目以查看有关该事件的更多信息。 
1. 在用户设置侧边栏中,单击 **Security log(安全日志)**。 
{% endif %}

{% ifversion fpt or ghae or ghes or ghec %}

@@ -33,7 +33,7 @@ $ ssh -T -p 443 git@ssh.github.com

如果您能在端口 443 上通过 SSH 连接到 `git@ssh.{% data variables.command_line.backticks %}`,则可以覆盖您的 SSH 设置以强制与 {% data variables.product.product_location %} 的任何连接均通过该服务器和端口运行。

要在您的 ssh 配置中设置此项,编辑位于 `~/.ssh/config` 的文件,添加以下部分:
To set this in your SSH confifguration file, edit the file at `~/.ssh/config`, and add this section:

```
Host {% data variables.command_line.codeblock %}

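Review bot: typo in the new English line: "SSH confifguration file" should read "SSH configuration file". The line also sits beside its Chinese counterpart (要在您的 ssh 配置中设置此项…), so the Chinese page will show the same instruction twice until the translated string is updated.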
@@ -37,6 +37,10 @@ If you want to view an overview of your subscription and usage for {% data varia

## 查看企业帐户的订阅和使用情况

You can view the subscription and usage for your enterprise and download a file with license details.

{% data reusables.billing.license-statuses %}

{% data reusables.enterprise-accounts.access-enterprise %}
{% data reusables.enterprise-accounts.settings-tab %}
{% data reusables.enterprise-accounts.license-tab %}

@@ -36,7 +36,7 @@ topics:
{% data reusables.user_settings.access_settings %}
1. 在页面顶部用户名的右侧,单击 **Switch to another account(切换到另一个帐户)**。 
1. 开始键入要切换到的帐户名称,然后单击帐户的名称。 
1. 在左侧边栏中,单击 **Billing & plans(计费和方案)**。 
1. In the left sidebar, click **{% octicon "credit-card" aria-label="The credit card icon" %} Billing and plans**.

## 延伸阅读


@@ -30,6 +30,10 @@ You can view license usage for {% data variables.product.prodname_ghe_server %}

## Viewing license usage on {% ifversion ghec %}{% data variables.product.prodname_dotcom_the_website %}{% elsif ghes %}{% data variables.product.product_location %}{% endif %}

You can view the license usage for your enterprise and download a file with license details.

{% data reusables.billing.license-statuses %}

{% ifversion ghec %}

{% data reusables.enterprise-accounts.access-enterprise-on-dotcom %}

@@ -0,0 +1,119 @@
---
title: About code scanning alerts
intro: Learn about the different types of code scanning alerts and the information that helps you understand the problem each alert highlights.
product: '{% data reusables.gated-features.code-scanning %}'
versions:
fpt: '*'
ghes: '*'
ghae: '*'
ghec: '*'
type: overview
topics:
- Advanced Security
- Code scanning
- CodeQL
---

{% data reusables.code-scanning.beta %}
{% data reusables.code-scanning.enterprise-enable-code-scanning %}

## 关于 {% data variables.product.prodname_code_scanning %} 中的警报

您可以设置 {% data variables.product.prodname_code_scanning %},以使用默认 {% data variables.product.prodname_codeql %} 分析、第三方分析或多种类型的分析来检查仓库中的代码。 分析完成后,生成的警报将并排显示在仓库的安全视图中。 第三方工具或自定义查询的结果可能不包括您在 {% data variables.product.company_short %} 的默认 {% data variables.product.prodname_codeql %} 分析所检测的警报中看到的所有属性。 更多信息请参阅“[为仓库设置 {% data variables.product.prodname_code_scanning %}](/code-security/secure-coding/setting-up-code-scanning-for-a-repository)”。

默认情况下, {% data variables.product.prodname_code_scanning %} 定期在默认分支和拉取请求中分析您的代码。 有关管理拉取请求中的警报的更多信息,请参阅“[对拉取请求中的 {% data variables.product.prodname_code_scanning %} 警报分类](/code-security/secure-coding/triaging-code-scanning-alerts-in-pull-requests)”。

## About alert details

每个警报都会高亮显示代码的问题以及识别该问题的工具名称。 You can see the line of code that triggered the alert, as well as properties of the alert, such as the alert severity{% ifversion fpt or ghes > 3.1 or ghae or ghec %}, security severity,{% endif %} and the nature of the problem. 警报还会告知该问题第一次被引入的时间。 对于由 {% data variables.product.prodname_codeql %} 分析确定的警报,您还会看到如何解决问题的信息。



If you set up {% data variables.product.prodname_code_scanning %} using {% data variables.product.prodname_codeql %}, you can also find data-flow problems in your code. 数据流分析将查找代码中的潜在安全问题,例如:不安全地使用数据、将危险参数传递给函数以及泄漏敏感信息。

当 {% data variables.product.prodname_code_scanning %} 报告数据流警报时,{% data variables.product.prodname_dotcom %} 将显示数据在代码中如何移动。 {% data variables.product.prodname_code_scanning_capc %} 可用于识别泄露敏感信息的代码区域,以及可能成为恶意用户攻击切入点的代码区域。

### About severity levels

Alert severity levels may be `Error`, `Warning`, or `Note`.

If {% data variables.product.prodname_code_scanning %} is enabled as a pull request check, the check will fail if it detects any results with a severity of `error`. {% ifversion fpt or ghes > 3.1 or ghae or ghec %}You can specify which severity level of code scanning alerts causes a check failure. For more information, see "[Defining the severities causing pull request check failure](/code-security/secure-coding/configuring-code-scanning#defining-the-severities-causing-pull-request-check-failure)."{% endif %}

{% ifversion fpt or ghes > 3.1 or ghae or ghec %}
### About security severity levels

{% data variables.product.prodname_code_scanning_capc %} displays security severity levels for alerts that are generated by security queries. Security severity levels can be `Critical`, `High`, `Medium`, or `Low`.

To calculate the security severity of an alert, we use Common Vulnerability Scoring System (CVSS) data. CVSS is an open framework for communicating the characteristics and severity of software vulnerabilities, and is commonly used by other security products to score alerts. For more information about how severity levels are calculated, see [this blog post](https://github.blog/changelog/2021-07-19-codeql-code-scanning-new-severity-levels-for-security-alerts/).

By default, any {% data variables.product.prodname_code_scanning %} results with a security severity of `Critical` or `High` will cause a check failure. You can specify which security severity level for {% data variables.product.prodname_code_scanning %} results should cause a check failure. For more information, see "[Defining the severities causing pull request check failure](/code-security/secure-coding/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#defining-the-severities-causing-pull-request-check-failure)."{% endif %}

### About labels for alerts that are not found in application code

{% data variables.product.product_name %} assigns a category label to alerts that are not found in application code. The label relates to the location of the alert.

- **Generated**: Code generated by the build process
- **Test**: Test code
- **Library**: Library or third-party code
- **Documentation**: Documentation

{% data variables.product.prodname_code_scanning_capc %} categorizes files by file path. You cannot manually categorize source files.

Here is an example from the {% data variables.product.prodname_code_scanning %} alert list of an alert marked as occurring in library code.



On the alert page, you can see that the filepath is marked as library code (`Library` label).



{% if codeql-ml-queries %}

## About experimental alerts

{% data reusables.code-scanning.beta-codeql-ml-queries %}

In repositories that run {% data variables.product.prodname_code_scanning %} using the {% data variables.product.prodname_codeql %} action, you may see some alerts that are marked as experimental. These are alerts that were found using a machine learning model to extend the capabilities of an existing {% data variables.product.prodname_codeql %} query.



### Benefits of using machine learning models to extend queries

Queries that use machine learning models are capable of finding vulnerabilities in code that was written using frameworks and libraries that the original query writer did not include.

Each of the security queries for {% data variables.product.prodname_codeql %} identifies code that's vulnerable to a specific type of attack. Security researchers write the queries and include the most common frameworks and libraries. So each existing query finds vulnerable uses of common frameworks and libraries. However, developers use many different frameworks and libraries, and a manually maintained query cannot include them all. Consequently, manually maintained queries do not provide coverage for all frameworks and libraries.

{% data variables.product.prodname_codeql %} uses a machine learning model to extend an existing security query to cover a wider range of frameworks and libraries. The machine learning model is trained to detect problems in code it's never seen before. Queries that use the model will find results for frameworks and libraries that are not described in the original query.

### Alerts identified using machine learning

Alerts found using a machine learning model are tagged as "Experimental alerts" to show that the technology is under active development. These alerts have a higher rate of false positive results than the queries they are based on. The machine learning model will improve based on user actions such as marking a poor result as a false positive or fixing a good result.



## Enabling experimental alerts

The default {% data variables.product.prodname_codeql %} query suites do not include any queries that use machine learning to generate experimental alerts. To run machine learning queries during {% data variables.product.prodname_code_scanning %} you need to run the additional queries contained in one of the following query suites.

{% data reusables.code-scanning.codeql-query-suites %}

When you update your workflow to run an additional query suite this will increase the analysis time.

``` yaml
- uses: github/codeql-action/init@v1
with:
# Run extended queries including queries using machine learning
queries: security-extended
```

更多信息请参阅“[配置代码扫描](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs)”。

## Disabling experimental alerts

The simplest way to disable queries that use machine learning to generate experimental alerts is to stop running the `security-extended` or `security-and-quality` query suite. In the example above, you would comment out the `queries` line. If you need to continue to run the `security-extended` or `security-and-quality` suite and the machine learning queries are causing problems, then you can open a ticket with [{% data variables.product.company_short %} support](https://support.github.com/contact) with the following details.

- Ticket title: "{% data variables.product.prodname_code_scanning %}: removal from experimental alerts beta"
- Specify details of the repositories or organizations that are affected
- Request an escalation to engineering

{% endif %}
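Review bot: severity casing is inconsistent inside the new file: "Alert severity levels may be `Error`, `Warning`, or `Note`" is followed by "the check will fail if it detects any results with a severity of `error`", so a reader comparing against the repository setting cannot tell whether these are the same value. Pick one casing for the `Error`/`Warning`/`Note` levels and use it throughout, as the `Critical`/`High` security-severity paragraph already does. Two smaller points: the workflow fence opens as ` ``` yaml ` with a space before the language tag (` ```yaml ` is the usual form), and the title and intro are untranslated while the first two sections are Chinese.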
@@ -43,7 +43,7 @@ There are two main ways to use {% data variables.product.prodname_codeql %} anal

## About {% data variables.product.prodname_codeql %} queries

{% data variables.product.company_short %} experts, security researchers, and community contributors write and maintain the default {% data variables.product.prodname_codeql %} queries used for {% data variables.product.prodname_code_scanning %}. The queries are regularly updated to improve analysis and reduce any false positive results. The queries are open source, so you can view and contribute to the queries in the [`github/codeql`](https://github.com/github/codeql) repository. 更多信息请参阅 GitHub Security Lab 网站上的 [{% data variables.product.prodname_codeql %}](https://securitylab.github.com/tools/codeql)。 You can also write your own queries. For more information, see "[About {% data variables.product.prodname_codeql %} queries](https://codeql.github.com/docs/writing-codeql-queries/about-codeql-queries/)" in the {% data variables.product.prodname_codeql %} documentation.
{% data variables.product.company_short %} experts, security researchers, and community contributors write and maintain the default {% data variables.product.prodname_codeql %} queries used for {% data variables.product.prodname_code_scanning %}. The queries are regularly updated to improve analysis and reduce any false positive results. The queries are open source, so you can view and contribute to the queries in the [`github/codeql`](https://github.com/github/codeql) repository. 更多信息请参阅 {% data variables.product.prodname_codeql %} 网站上的 [{% data variables.product.prodname_codeql %}](https://codeql.github.com/)。 You can also write your own queries. For more information, see "[About {% data variables.product.prodname_codeql %} queries](https://codeql.github.com/docs/writing-codeql-queries/about-codeql-queries/)" in the {% data variables.product.prodname_codeql %} documentation.

You can run additional queries as part of your code scanning analysis.


@@ -18,7 +18,6 @@ topics:
- Code scanning
---

<!--For this article in earlier GHES versions, see /content/github/finding-security-vulnerabilities-and-errors-in-your-code-->

{% data reusables.code-scanning.beta %}
{% data reusables.code-scanning.enterprise-enable-code-scanning %}

@@ -24,7 +24,7 @@ topics:
- Python
shortTitle: Configure code scanning
---
<!--For this article in earlier GHES versions, see /content/github/finding-security-vulnerabilities-and-errors-in-your-code-->


{% data reusables.code-scanning.beta %}
{% data reusables.code-scanning.enterprise-enable-code-scanning-actions %}
@@ -89,7 +89,7 @@ If you scan pull requests, then the results appear as alerts in a pull request c
{% ifversion fpt or ghes > 3.1 or ghae or ghec %}
### Defining the severities causing pull request check failure

By default, only alerts with the severity level of `Error`{% ifversion fpt or ghes > 3.1 or ghae or ghec %} or security severity level of `Critical` or `High`{% endif %} will cause a pull request check failure, and a check will still succeed with alerts of lower severities. You can change the levels of alert severities{% ifversion fpt or ghes > 3.1 or ghae or ghec %} and of security severities{% endif %} that will cause a pull request check failure in your repository settings. For more information about severity levels, see "[Managing code scanning alerts for your repository](/code-security/secure-coding/automatically-scanning-your-code-for-vulnerabilities-and-errors/managing-code-scanning-alerts-for-your-repository#about-alerts-details)."
By default, only alerts with the severity level of `Error`{% ifversion fpt or ghes > 3.1 or ghae or ghec %} or security severity level of `Critical` or `High`{% endif %} will cause a pull request check failure, and a check will still succeed with alerts of lower severities. You can change the levels of alert severities{% ifversion fpt or ghes > 3.1 or ghae or ghec %} and of security severities{% endif %} that will cause a pull request check failure in your repository settings. For more information about severity levels, see "[About code scanning alerts](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning-alerts#about-alert-details)."

{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.sidebar-settings %}
@@ -351,7 +351,7 @@ To add one or more queries, add a `with: queries:` entry within the `uses: githu

You can also specify query suites in the value of `queries`. Query suites are collections of queries, usually grouped by purpose or language.

{% data reusables.code-scanning.codeql-query-suites %}
{% data reusables.code-scanning.codeql-query-suites-explanation %}

{% if codeql-packs %}
### Working with custom configuration files

@@ -26,7 +26,7 @@ topics:
- C#
- Java
---
<!--For this article in earlier GHES versions, see /content/github/finding-security-vulnerabilities-and-errors-in-your-code-->


{% data reusables.code-scanning.beta %}
{% data reusables.code-scanning.enterprise-enable-code-scanning-actions %}

@@ -16,6 +16,7 @@ topics:
- Code scanning
children:
- /about-code-scanning
- /about-code-scanning-alerts
- /triaging-code-scanning-alerts-in-pull-requests
- /setting-up-code-scanning-for-a-repository
- /managing-code-scanning-alerts-for-your-repository
@@ -28,4 +29,4 @@ children:
- /running-codeql-code-scanning-in-a-container
- /viewing-code-scanning-logs
---
<!--For this article in earlier GHES versions, see /content/github/finding-security-vulnerabilities-and-errors-in-your-code-->


@@ -23,62 +23,9 @@ topics:
- Alerts
- Repositories
---
<!--For this article in earlier GHES versions, see /content/github/finding-security-vulnerabilities-and-errors-in-your-code-->

{% data reusables.code-scanning.beta %}

## About alerts from {% data variables.product.prodname_code_scanning %}

You can set up {% data variables.product.prodname_code_scanning %} to check the code in a repository using the default {% data variables.product.prodname_codeql %} analysis, a third-party analysis, or multiple types of analysis. When the analysis is complete, the resulting alerts are displayed alongside each other in the security view of the repository. Results from third-party tools or from custom queries may not include all of the properties that you see for alerts detected by {% data variables.product.company_short %}'s default {% data variables.product.prodname_codeql %} analysis. For more information, see "[Setting up {% data variables.product.prodname_code_scanning %} for a repository](/code-security/secure-coding/setting-up-code-scanning-for-a-repository)."

By default, {% data variables.product.prodname_code_scanning %} analyzes your code periodically on the default branch and during pull requests. For information about managing alerts on a pull request, see "[Triaging {% data variables.product.prodname_code_scanning %} alerts in pull requests](/code-security/secure-coding/triaging-code-scanning-alerts-in-pull-requests)."

{% data reusables.code-scanning.upload-sarif-alert-limit %}

## About alerts details

Each alert highlights a problem with the code and the name of the tool that identified it. You can see the line of code that triggered the alert, as well as properties of the alert, such as the severity{% ifversion fpt or ghes > 3.1 or ghae or ghec %}, security severity,{% endif %} and the nature of the problem. Alerts also tell you when the issue was first introduced. For alerts identified by {% data variables.product.prodname_codeql %} analysis, you will also see information on how to fix the problem.



If you set up {% data variables.product.prodname_code_scanning %} using {% data variables.product.prodname_codeql %}, this can also detect data-flow problems in your code. Data-flow analysis finds potential security issues in code, such as: using data insecurely, passing dangerous arguments to functions, and leaking sensitive information.

When {% data variables.product.prodname_code_scanning %} reports data-flow alerts, {% data variables.product.prodname_dotcom %} shows you how data moves through the code. {% data variables.product.prodname_code_scanning_capc %} allows you to identify the areas of your code that leak sensitive information, and that could be the entry point for attacks by malicious users.

### About severity levels

Alert severity levels may be `Error`, `Warning`, or `Note`.

By default, any code scanning results with a severity of `error` will cause check failure. {% ifversion fpt or ghes > 3.1 or ghae or ghec %}You can specify the severity level at which pull requests that trigger code scanning alerts should fail. For more information, see "[Defining the severities causing pull request check failure](/code-security/secure-coding/configuring-code-scanning#defining-the-severities-causing-pull-request-check-failure)."{% endif %}

{% ifversion fpt or ghes > 3.1 or ghae or ghec %}
### About security severity levels

{% data variables.product.prodname_code_scanning_capc %} displays security severity levels for alerts that are generated by security queries. Security severity levels can be `Critical`, `High`, `Medium`, or `Low`.

To calculate the security severity of an alert, we use Common Vulnerability Scoring System (CVSS) data. CVSS is an open framework for communicating the characteristics and severity of software vulnerabilities, and is commonly used by other security products to score alerts. For more information about how severity levels are calculated, see [the blog post](https://github.blog/changelog/2021-07-19-codeql-code-scanning-new-severity-levels-for-security-alerts/).

By default, any code scanning results with a security severity of `Critical` or `High` will cause a check failure. You can specify which security severity level for code scanning results should cause a check failure. For more information, see "[Defining the severities causing pull request check failure](/code-security/secure-coding/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#defining-the-severities-causing-pull-request-check-failure)."{% endif %}

### About labels for alerts that are not found in application code

{% data variables.product.product_name %} assigns a category label to alerts that are not found in application code. The label relates to the location of the alert.

- **Generated**: Code generated by the build process
- **Test**: Test code
- **Library**: Library or third-party code
- **Documentation**: Documentation

{% data variables.product.prodname_code_scanning_capc %} categorizes files by file path. You cannot manually categorize source files.

Here is an example from the {% data variables.product.prodname_code_scanning %} alert list of an alert marked as occuring in library code.



On the alert page, you can see that the filepath is marked as library code (`Library` label).



## Viewing the alerts for a repository

Anyone with read permission for a repository can see {% data variables.product.prodname_code_scanning %} annotations on pull requests. For more information, see "[Triaging {% data variables.product.prodname_code_scanning %} alerts in pull requests](/code-security/secure-coding/triaging-code-scanning-alerts-in-pull-requests)."
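Review bot: `{% data reusables.code-scanning.upload-sarif-alert-limit %}` is inside the block being removed from this article, but it does not appear anywhere in the new about-code-scanning-alerts file added earlier in this commit, even though that file otherwise reproduces the "About alerts from code scanning" and "About alerts details" sections moved out of here. Either re-add the reusable to the new article or confirm the SARIF upload alert limit is documented elsewhere after the move; its name suggests a cap that users uploading third-party results need to know about.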
@@ -104,6 +51,8 @@ By default, the code scanning alerts page is filtered to show alerts for the def
1. Alerts from {% data variables.product.prodname_codeql %} analysis include a description of the problem. Click **Show more** for guidance on how to fix your code.


For more information, see "[About {% data variables.product.prodname_code_scanning %} alerts](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning-alerts)."

{% ifversion fpt or ghes > 3.1 or ghae or ghec %}
{% note %}

@@ -133,7 +82,7 @@ If you enter multiple filters, the view will show alerts matching _all_ these fi

{% ifversion fpt or ghes > 3.3 or ghec %}

You can prefix the `tag` filter with `-` to exclude results with that tag. For example, `-tag:style` only shows alerts that do not have the `style` tag.
You can prefix the `tag` filter with `-` to exclude results with that tag. For example, `-tag:style` only shows alerts that do not have the `style` tag{% if codeql-ml-queries %} and `-tag:experimental` will omit all experimental alerts. For more information, see "[About {% data variables.product.prodname_code_scanning %} alerts](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning-alerts#about-experimental-alerts)."{% else %}.{% endif %}

{% endif %}

@@ -177,7 +126,7 @@ You can search the list of alerts. This is useful if there is a large number of

{% endif %}

{% ifversion fpt or ghes > 3.3 or ghae-issue-5036 %}
{% if code-scanning-task-lists %}
## Tracking {% data variables.product.prodname_code_scanning %} alerts in issues

{% data reusables.code-scanning.beta-alert-tracking-in-issues %}

@@ -23,7 +23,6 @@ topics:
|
||||
- Java
|
||||
---
|
||||
|
||||
<!--For this article in earlier GHES versions, see /content/github/finding-security-vulnerabilities-and-errors-in-your-code-->
{% data reusables.code-scanning.beta %}
{% data reusables.code-scanning.deprecation-codeql-runner %}
@@ -5,9 +5,7 @@ intro: You can add code scanning alerts to issues using task lists. This makes i
product: '{% data reusables.gated-features.code-scanning %}'
permissions: 'If you have write permission to a repository you can track {% data variables.product.prodname_code_scanning %} alerts in issues using task lists.'
versions:
fpt: '*'
ghes: '> 3.3'
ghae: issue-5036
feature: code-scanning-task-lists
type: how_to
topics:
- Advanced Security
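Review bot: `fpt: '*'`, `ghes: '> 3.3'` and `ghae: issue-5036` are all removed in favour of `feature: code-scanning-task-lists` (the hunk goes from 9 to 7 lines, so the fpt entry is dropped too); if the feature file does not list fpt, the article disappears from GitHub.com. Confirm the feature file reproduces all three ranges and, since the old list had no ghec entry, that it does not add ghec unintentionally.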
@@ -22,7 +22,6 @@ topics:
- Repositories
---
<!--For this article in earlier GHES versions, see /content/github/finding-security-vulnerabilities-and-errors-in-your-code-->
{% data reusables.code-scanning.beta %}


@@ -26,7 +26,7 @@ topics:
- C#
- Java
---
<!--For this article in earlier GHES versions, see /content/github/finding-security-vulnerabilities-and-errors-in-your-code-->


{% data reusables.code-scanning.beta %}
{% data reusables.code-scanning.not-available %}
@@ -192,6 +192,19 @@ If you split your analysis into multiple workflows as described above, we still
If your analysis is still too slow to be run during `push` or `pull_request` events, then you may want to only trigger analysis on the `schedule` event. For more information, see "[Events](/actions/learn-github-actions/introduction-to-github-actions#events)."
### Check which query suites the workflow runs
By default, there are three main query suites available for each language. If you have optimized the CodeQL database build and the process is still too long, you could reduce the number of queries you run. The default query suite is run automatically; it contains the fastest security queries with the lowest rates of false positive results.
You may be running extra queries or query suites in addition to the default queries. Check whether the workflow defines an additional query suite or additional queries to run using the `queries` element. You can experiment with disabling the additional query suite or queries. For more information, see "[Configuring {% data variables.product.prodname_code_scanning %}](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs)."
{% if codeql-ml-queries %}
{% note %}
**Note:** If you run the `security-extended` or `security-and-quality` query suite for JavaScript, then some queries use experimental technology. For more information, see "[About code scanning alerts](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning-alerts#about-experimental-alerts)."
{% endnote %}
{% endif %}
{% ifversion fpt or ghec %}
## Results differ between analysis platforms


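Review bot: the new `### Check which query suites the workflow runs` section tells readers to disable extra query suites or queries to cut run time but never states the cost. The same paragraph describes the default suite as the fastest security queries with the lowest false-positive rate, which means `security-extended` and `security-and-quality` are where the lower-confidence findings live, and removing them removes those findings. Add one sentence that this trades detection coverage for speed, and point to the `schedule` trigger mentioned two paragraphs earlier as the way to keep the heavier suites without slowing down `push` and `pull_request` runs. The experimental-technology note is correctly wrapped in `{% if codeql-ml-queries %}`.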
@@ -22,4 +22,3 @@ children:
- /using-codeql-code-scanning-with-your-existing-ci-system
---
<!--For this article in earlier GHES versions, see /content/github/finding-security-vulnerabilities-and-errors-in-your-code-->
@@ -19,7 +19,7 @@ topics:
- Webhooks
- Integration
---
<!--For this article in earlier GHES versions, see /content/github/finding-security-vulnerabilities-and-errors-in-your-code-->


{% data reusables.code-scanning.beta %}
{% data reusables.code-scanning.enterprise-enable-code-scanning %}
@@ -22,4 +22,3 @@ children:
- /sarif-support-for-code-scanning
---
<!--For this article in earlier GHES versions, see /content/github/finding-security-vulnerabilities-and-errors-in-your-code-->
@@ -21,7 +21,7 @@ topics:
- Integration
- SARIF
---
<!--For this article in earlier GHES versions, see /content/github/finding-security-vulnerabilities-and-errors-in-your-code-->


{% data reusables.code-scanning.beta %}
{% data reusables.code-scanning.deprecation-codeql-runner %}
@@ -24,7 +24,7 @@ topics:
- CI
- SARIF
---
<!--For this article in earlier GHES versions, see /content/github/finding-security-vulnerabilities-and-errors-in-your-code-->


{% data reusables.code-scanning.beta %}
{% data reusables.code-scanning.enterprise-enable-code-scanning %}
@@ -166,7 +166,7 @@ codeql database analyze <database> --format=<format> \
| Option | Required | Usage |
|--------|:--------:|-----|
| `<database>` | {% octicon "check-circle-fill" aria-label="Required" %} | Specify the path for the directory that contains the {% data variables.product.prodname_codeql %} database to analyze. |
| `<packs,queries>` | | Specify {% data variables.product.prodname_codeql %} packs or queries to run. To run the standard queries used for {% data variables.product.prodname_code_scanning %}, omit this parameter. To see the other query suites included in the {% data variables.product.prodname_codeql_cli %} bundle, look in `/<extraction-root>/codeql/qlpacks/codeql-<language>/codeql-suites`. For information about creating your own query suite, see [Creating CodeQL query suites](https://codeql.github.com/docs/codeql-cli/creating-codeql-query-suites/) in the documentation for the {% data variables.product.prodname_codeql_cli %}.
| `<packs,queries>` | | Specify {% data variables.product.prodname_codeql %} packs or queries to run. To run the standard queries used for {% data variables.product.prodname_code_scanning %}, omit this parameter. To see the other query suites included in the {% data variables.product.prodname_codeql_cli %} bundle, look in `/<extraction-root>/qlpacks/codeql/<language>-queries/codeql-suites`. For information about creating your own query suite, see [Creating CodeQL query suites](https://codeql.github.com/docs/codeql-cli/creating-codeql-query-suites/) in the documentation for the {% data variables.product.prodname_codeql_cli %}.
| <nobr>`--format`</nobr> | {% octicon "check-circle-fill" aria-label="Required" %} | Specify the format for the results file generated by the command. For upload to {% data variables.product.company_short %} this should be: {% ifversion fpt or ghae or ghec %}`sarif-latest`{% else %}`sarifv2.1.0`{% endif %}. For more information, see "[SARIF support for {% data variables.product.prodname_code_scanning %}](/code-security/secure-coding/sarif-support-for-code-scanning)."
| <nobr>`--output`</nobr> | {% octicon "check-circle-fill" aria-label="Required" %} | Specify where to save the SARIF results file.{% ifversion fpt or ghes > 3.1 or ghae or ghec %}
| <nobr>`--sarif-category`<nobr> | {% octicon "question" aria-label="Required with multiple results sets" %} | Optional for single database analysis. Required to define the language when you analyze multiple databases for a single commit in a repository. Specify a category to include in the SARIF results file for this analysis. A category is used to distinguish multiple analyses for the same tool and commit, but performed on different languages or different parts of the code.|{% endif %}{% ifversion fpt or ghes > 3.3 or ghae or ghec %}
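Review bot: the context row `| <nobr>`--sarif-category`<nobr> |` opens a second `<nobr>` where a closing `</nobr>` is intended, unlike the `--format` and `--output` rows above it; since this hunk already edits the table, fix it here rather than shipping the unbalanced tag. The path change to `/<extraction-root>/qlpacks/codeql/<language>-queries/codeql-suites` follows the `codeql/<language>-queries` pack naming, but readers on an older CLI bundle will still find the previous `codeql-<language>` layout that this line used to document, so consider naming the CLI version that introduced the new layout.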
@@ -29,7 +29,6 @@ topics:
- Java
---
<!--For this article in earlier GHES versions, see /content/github/finding-security-vulnerabilities-and-errors-in-your-code-->
{% data reusables.code-scanning.deprecation-codeql-runner %}
{% data reusables.code-scanning.beta %}
@@ -84,7 +83,7 @@ $ /path/to-runner/codeql-runner-linux init --languages cpp,java
{% data reusables.code-scanning.run-additional-queries %}
{% data reusables.code-scanning.codeql-query-suites %}
{% data reusables.code-scanning.codeql-query-suites-explanation %}
要添加一个或多个查询,请将逗号分隔的路径列表传递给 `init` 命令的 `--queries` 标志。 您也可以在配置文件中指定额外查询。


@@ -28,4 +28,3 @@ children:
- /migrating-from-the-codeql-runner-to-codeql-cli
---
<!--For this article in earlier GHES versions, see /content/github/finding-security-vulnerabilities-and-errors-in-your-code-->
@@ -50,7 +50,7 @@ These examples assume that the source code has been checked out to the current w
These examples also assume that the {% data variables.product.prodname_codeql_cli %} is placed on the current PATH.
In these examples, a {% data variables.product.prodname_dotcom %} token with suitable scopes is stored in the `$TOKEN` environment variable and passed to the example commands via stdin, or is stored in the `$GITHUB_TOKEN` environment variable.
In these examples, a {% data variables.product.prodname_dotcom %} token with suitable scopes is stored in the `$TOKEN` environment variable and passed to the example commands via `stdin`, or is stored in the `$GITHUB_TOKEN` environment variable.
The ref name and commit SHA being checked out and analyzed in these examples are known during the workflow. For a branch, use `refs/heads/BRANCH-NAME` as the ref. For the head commit of a pull request, use `refs/pulls/NUMBER/head`. For a {% data variables.product.prodname_dotcom %}-generated merge commit of a pull request, use `refs/pulls/NUMBER/merge`. The examples below all use `refs/heads/main`. If you use a different branch name, you must modify the sample code.


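Review bot: code-formatting `stdin` is fine, but since this sentence is being edited it is the natural place to say why the examples pipe `$TOKEN` on `stdin` rather than passing it as a command-line argument: a value read from `stdin` does not appear in process listings or shell history, whereas an argument does, and `$GITHUB_TOKEN` set in the environment is inherited by every child process the CI job spawns. One clause to that effect would turn a formatting fix into the security guidance readers of this page actually need.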
@@ -25,7 +25,7 @@ topics:
- CI
- SARIF
---
<!--For this article in earlier GHES versions, see /content/github/finding-security-vulnerabilities-and-errors-in-your-code-->
<!--UI-LINK: When GitHub Enterprise Server <=3.0 doesn't have GitHub Actions set up, the Security > Code scanning alerts view links to this article.-->
{% data reusables.code-scanning.deprecation-codeql-runner %}
@@ -24,7 +24,6 @@ topics:
- CI
---
<!--For this article in earlier GHES versions, see /content/github/finding-security-vulnerabilities-and-errors-in-your-code-->
{% data reusables.code-scanning.deprecation-codeql-runner %}
{% data reusables.code-scanning.beta %}
@@ -139,3 +139,9 @@ You can view and manage alerts from security features to address dependencies an
{% ifversion fpt or ghec %}If you have a security vulnerability, you can create a security advisory to privately discuss and fix the vulnerability. For more information, see "[About {% data variables.product.prodname_security_advisories %}](/code-security/security-advisories/about-github-security-advisories)" and "[Creating a security advisory](/code-security/security-advisories/creating-a-security-advisory)."
{% endif %}
{% ifversion ghec %}
## Further reading
"[Accessing compliance reports for your organization](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/accessing-compliance-reports-for-your-organization)"
{% endif %}
@@ -30,6 +30,7 @@ includeGuides:
- /code-security/secret-scanning/secret-scanning-partners
- /code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/tracking-code-scanning-alerts-in-issues-using-task-lists
- /code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning
- /code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning-alerts
- /code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning
- /code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-the-codeql-workflow-for-compiled-languages
- /code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/managing-code-scanning-alerts-for-your-repository
@@ -15,6 +15,8 @@ topics:
- Security overview
- Advanced Security
- Alerts
- Dependabot
- Dependencies
- Organizations
- Teams
shortTitle: About security overview
@@ -26,7 +28,7 @@ shortTitle: About security overview
您可以使用安全概述来简要了解组织的安全状态,或识别需要干预的问题仓库。
- 在组织级别,安全概述显示组织拥有的仓库的聚合和仓库特定安全信息。
- 在组织级别,安全概述显示组织拥有的仓库的聚合和仓库特定安全信息。 You can also filter information per security feature.
- 在团队级别,安全概述显示团队拥有管理权限的仓库特定安全信息。 For more information, see "[Managing team access to an organization repository](/organizations/managing-access-to-your-organizations-repositories/managing-team-access-to-an-organization-repository)."
- At the repository-level, the security overview shows which security features are enabled for the repository, and offers the option to configure any available security features not currently in use.
@@ -40,7 +42,7 @@ The application security team at your company can use the security overview for
在安全概述中,您可以查看、排序和筛选警报,以了解组织和特定仓库中的安全风险。 The security summary is highly interactive, allowing you to investigate specific categories of information, based on qualifiers like alert risk level, alert type, and feature enablement. You can also apply multiple filters to focus on narrower areas of interest. 例如,您可以识别具有大量 {% data variables.product.prodname_dependabot_alerts %} 的私有仓库或者没有 {% data variables.product.prodname_code_scanning %} 警报的仓库。 For more information, see "[Filtering alerts in the security overview](/code-security/security-overview/filtering-alerts-in-the-security-overview)."
{% ifversion ghec or ghes > 3.4 %}
{% if security-overview-views %}
In the security overview, at both the organization and repository level, there are dedicated views for specific security features, such as secret scanning alerts and code scanning alerts. You can use these views to limit your analysis to a specific set of alerts, and narrow the results further with a range of filters specific to each view. For example, in the secret scanning alert view, you can use the `Secret type` filter to view only secret scanning alerts for a specific secret, like a GitHub Personal Access Token. At the repository level, you can use the security overview to assess the specific repository's current security status, and configure any additional security features not yet in use on the repository.


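Review bot: `{% ifversion ghec or ghes > 3.4 %}` becomes `{% if security-overview-views %}` here and again in the filtering and viewing articles later in this diff, so the `security-overview-views` feature file must encode ghec and ghes > 3.4; the closing `{% endif %}` for each is outside the hunk and unchanged. The same commit adds `ghae: issue-...` entries to the `versions` of those two articles, so decide explicitly whether the feature-specific views should also be gated on for GHAE, rather than letting the feature file and the frontmatter drift apart.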
@@ -5,6 +5,7 @@ permissions: Organization owners and security managers can access the security o
product: '{% data reusables.gated-features.security-center %}'
versions:
fpt: '*'
ghae: issue-4554
ghes: '>3.1'
ghec: '*'
type: how_to
@@ -99,7 +100,7 @@ Available in the organization-level overview.
| ------------------------- | ----------------------- |
| <code>topic:<em>TOPIC-NAME</em></code> | 显示分类为 *TOPIC-NAME* 的仓库。 |
{% ifversion ghec or ghes > 3.4 %}
{% if security-overview-views %}
## Filter by severity
@@ -121,16 +122,16 @@ Available in the code scanning alert views. All code scanning alerts have one of
Available in the secret scanning alert views.
| 限定符 | 描述 |
| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| `secret-type:SERVICE_PROVIDER` | Displays alerts for the specified secret and provider. For more information, see "[{% data variables.product.prodname_secret_scanning_caps %} partners](/code-security/secret-scanning/secret-scanning-partners) |
| `secret-type:CUSTOM-PATTERN` | Displays alerts for secrets matching the specified custom pattern. |
| {% ifversion not fpt %}For more information, see "[Defining custom patterns for secret scanning](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning)."{% endif %} | |
| 限定符 | 描述 |
| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `secret-type:SERVICE_PROVIDER` | Displays alerts for the specified secret and provider. For more information, see "[{% data variables.product.prodname_secret_scanning_caps %} partners](/code-security/secret-scanning/secret-scanning-partners)." |
| `secret-type:CUSTOM-PATTERN` | Displays alerts for secrets matching the specified custom pattern. |
| {% ifversion not fpt %}For more information, see "[Defining custom patterns for secret scanning](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning)."{% endif %} | |
## Filter by provider
Available in the secret scanning alert views.
| 限定符 | 描述 |
| ------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `provider:PROVIDER_NAME` | Displays alerts for all secrets issues by the specified provider. For more information, see "[{% data variables.product.prodname_secret_scanning_caps %} partners](/code-security/secret-scanning/secret-scanning-partners) |
| 限定符 | 描述 |
| ------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `provider:PROVIDER_NAME` | Displays alerts for all secrets issues by the specified provider. For more information, see "[{% data variables.product.prodname_secret_scanning_caps %} partners](/code-security/secret-scanning/secret-scanning-partners)." |
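Review bot: both tables are only fixed for the missing `."` after the partner link, and two defects on the same rows survive. In the `Filter by provider` table, `Displays alerts for all secrets issues by the specified provider` should read `issued`. In the `secret-type` table the third row, `| {% ifversion not fpt %}For more information, ...{% endif %} | |`, is a sentence masquerading as a table row with an empty qualifier cell; move it into the description cell of the `secret-type:CUSTOM-PATTERN` row, where the `{% ifversion not fpt %}` wrapper still works and the table stays two columns wide on fpt instead of rendering an empty row.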
@@ -5,6 +5,7 @@ permissions: Organization owners and security managers can access the security o
product: '{% data reusables.gated-features.security-center %}'
versions:
fpt: '*'
ghae: issue-5503
ghes: '>3.1'
ghec: '*'
type: how_to
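Review bot: this article receives `ghae: issue-5503` while the sibling security-overview article earlier in this diff (the other `@@ -5,6 +5,7` hunk, for filtering alerts) receives `ghae: issue-4554`, with `ghes: '>3.1'` and `ghec: '*'` identical in both. If both pages are enabled by the same GHAE feature the two values should match; confirm the split is intentional before the GHAE build quietly shows one page without the other.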
@@ -25,8 +26,8 @@ shortTitle: View the security overview
{% data reusables.organizations.security-overview %}
1. 要查看有关警报类型的汇总信息,请单击 **Show more(显示更多)**。 
{% data reusables.organizations.filter-security-overview %}
{% ifversion ghec or ghes > 3.4 %}
{% if security-overview-views %}
1. Alternatively and optionally, use the sidebar on the left to filter information per security feature. On each page, you can use filters that are specific to each feature to fine-tune your search. 
## Viewing alerts across your organization


@@ -16,7 +16,7 @@ topics:
- Repositories
- Dependencies
- Pull requests
shortTitle: Use Dependabot with actions
shortTitle: Use Dependabot with Actions
---
{% data reusables.dependabot.beta-security-and-version-updates %}
@@ -27,7 +27,9 @@ shortTitle: 配置选项
{% data variables.product.prodname_dependabot %} 配置文件 *dependabot.yml* 使用 YAML 语法。 如果您是 YAML 的新用户并想要了解更多信息,请参阅“[五分钟了解 YAML](https://www.codeproject.com/Articles/1214409/Learn-YAML-in-five-minutes)”。
必须将此文件存储在仓库的 `.github` 目录中。 添加或更新 *dependabot.yml* 文件时,这将触发对版本更新的立即检查。 下次安全警报触发安全更新的拉取请求时将使用所有同时影响安全更新的选项。 For more information, see "[Enabling and disabling {% data variables.product.prodname_dependabot %} version updates](/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/enabling-and-disabling-dependabot-version-updates)" and "[Configuring {% data variables.product.prodname_dependabot_security_updates %}](/code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/configuring-dependabot-security-updates)."
必须将此文件存储在仓库的 `.github` 目录中。 添加或更新 *dependabot.yml* 文件时,这将触发对版本更新的立即检查。 For more information and an example, see "[Enabling and disabling {% data variables.product.prodname_dependabot %} version updates](/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/enabling-and-disabling-dependabot-version-updates#enabling-dependabot-version-updates)."
下次安全警报触发安全更新的拉取请求时将使用所有同时影响安全更新的选项。 For more information, see "[Configuring {% data variables.product.prodname_dependabot_security_updates %}](/code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/configuring-dependabot-security-updates)."
*dependabot.yml* 文件有两个必需的顶级密钥:`version` 和 `updates`。 您可以选择性包括一个顶级`注册表`键。 该文件必须以 `version: 2` 开头。
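Review bot: splitting the paragraph is fine, but the unchanged context line below it, `*dependabot.yml* 文件有两个必需的顶级密钥:`version` 和 `updates`。 您可以选择性包括一个顶级`注册表`键。`, carries two translation defects this file should not ship with: `密钥` (a secret key) is used for a YAML key, where `键` is meant, and the configuration key name `registries` has been translated to `注册表` inside backticks, so a reader who copies the literal writes a key Dependabot does not recognise. Code identifiers inside backticks must stay untranslated, as `version` and `updates` on the same line already are.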
@@ -75,7 +77,7 @@ shortTitle: 配置选项
仅对默认分支上有漏洞的包清单提出安全更新。 如果为同一分支设置配置选项(不使用 `target-branch` 时为 true),并为有漏洞的清单指定 `package-ecosystem` 和 `directory`,则安全更新的拉取请求使用相关选项。
一般而言,安全更新会使用影响拉取请求的任何配置选项,例如添加元数据或改变其行为。 For more information about security updates, see "[Configuring {% data variables.product.prodname_dependabot_security_updates %}](/code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/configuring-dependabot-security-updates)."
一般而言,安全更新会使用影响拉取请求的任何配置选项,例如添加元数据或改变其行为。 有关安全更新的更多信息,请参阅“[配置 {% data variables.product.prodname_dependabot_security_updates %}](/code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/configuring-dependabot-security-updates)”。
{% endnote %}
@@ -168,7 +170,7 @@ updates:
{% note %}
**注意**:`时间表` 定义 {% data variables.product.prodname_dependabot %} 尝试更新的时间。 但是,这不是您可收到拉取请求的唯一时间。 更新可基于 `dependabot.yml` 文件的更改、更新失败后清单文件的更改或 {% data variables.product.prodname_dependabot_security_updates %} 触发。 For more information, see "[Frequency of {% data variables.product.prodname_dependabot %} pull requests](/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/about-dependabot-version-updates#frequency-of-dependabot-pull-requests)" and "[About {% data variables.product.prodname_dependabot_security_updates %}](/code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/about-dependabot-security-updates)."
**注意**:`时间表` 定义 {% data variables.product.prodname_dependabot %} 尝试更新的时间。 但是,这不是您可收到拉取请求的唯一时间。 更新可基于 `dependabot.yml` 文件的更改、更新失败后清单文件的更改或 {% data variables.product.prodname_dependabot_security_updates %} 触发。 更多信息请参阅“[{% data variables.product.prodname_dependabot %} 拉取请求的频率](/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/about-dependabot-version-updates#frequency-of-dependabot-pull-requests)”和“[关于 {% data variables.product.prodname_dependabot_security_updates %}](/code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/about-dependabot-security-updates)”。
{% endnote %}
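Review bot: in both the old and the new `**注意**` line the option name `schedule` is rendered as `时间表` inside backticks; the key in `dependabot.yml` is literally `schedule`, so the identifier must stay in English while the surrounding explanation is translated. The retranslated cross-references in the new line are otherwise correct.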
@@ -305,7 +307,7 @@ updates:
您可以搜索仓库中是否有 `"@dependabot ignore" in:comments`,以检查仓库是否存储了 `ignore` 首选项。 如果您希望取消忽略以这种方式忽略的依赖项,请重新打开拉取请求。
For more information about the `@dependabot ignore` commands, see "[Managing pull requests for dependency updates](/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/managing-pull-requests-for-dependency-updates#managing-dependabot-pull-requests-with-comment-commands)."
有关 `@dependabot ignore` 命令的更多信息,请参阅“[管理依赖关系更新的拉取请求](/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/managing-pull-requests-for-dependency-updates#managing-dependabot-pull-requests-with-comment-commands)”。
#### 指定要忽略的依赖项和版本
@@ -489,9 +491,9 @@ updates:
### `registries`
要允许 {% data variables.product.prodname_dependabot %} 在执行版本更新时访问私人包注册表,您必须在相关的 `updates` 配置中包括 `registries` 设置。 您可以通过将 `registrations` 设置为 `"*"` 来允许使用所有定义的注册表。 或者,您可以列出更新可以使用的注册表。 要执行此操作,请使用 _dependabot.yml_ 文件的顶层 `registries` 部分定义的注册表。
要允许 {% data variables.product.prodname_dependabot %} 在执行版本更新时访问私人包注册表,您必须在相关的 `updates` 配置中包括 `registries` 设置。 您可以通过将 `registrations` 设置为 `"*"` 来允许使用所有定义的注册表。 或者,您可以列出更新可以使用的注册表。 要执行此操作,请使用 _dependabot.yml_ 文件的顶层 `registries` 部分定义的注册表。 For more information, see "[Configuration options for private registries](#configuration-options-for-private-registries)" below.
要允许 {% data variables.product.prodname_dependabot %} 使用 `bundler`、`mix` 和 `pip` 包管理器来更新私人注册表中的依赖项,您可以选择允许外部代码执行。 更多信息请参阅 [`insecure-external-code-execution`](#insecure-external-code-execution)。
要允许 {% data variables.product.prodname_dependabot %} 使用 `bundler`、`mix` 和 `pip` 包管理器来更新私人注册表中的依赖项,您可以选择允许外部代码执行。 For more information, see [`insecure-external-code-execution`](#insecure-external-code-execution) above.
```yaml
# Allow {% data variables.product.prodname_dependabot %} to use one of the two defined private registries
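Review bot: both versions of the `registries` paragraph tell readers to set `registrations` to `"*"`, but the key under `updates` is `registries`, as the `### `registries`` heading and the following sentence say; fix the identifier, since this is the line people copy into their config. Re-pointing the `insecure-external-code-execution` link from `below` to `above` and adding the cross-reference to `Configuration options for private registries` are both correct. While here, the sentence on allowing external code execution for `bundler`, `mix` and `pip` would benefit from one clause saying what the name already implies: code fetched from that registry runs inside the update job, so enable it only for registries you control rather than together with `registries: "*"`.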
@@ -52,4 +52,4 @@ Dependabot Preview 已直接植入 {% data variables.product.prodname_dotcom %}
如果使用私人注册表,则必须将现有的 Dependabot Preview 密钥添加到仓库或组织的“ Dependabot 密钥”中。 更多信息请参阅“[管理 Dependabot 的加密密码](/code-security/supply-chain-security/managing-encrypted-secrets-for-dependabot)”。
如果您在迁移方面有任何问题或需要帮助,您可以在 [dependabot/dependabot-core](https://github.com/dependabot/dependabot-core/issues/new?assignees=%40dependabot%2Fpreview-migration-reviewers&labels=E%3A+preview-migration&template=migration-issue.md&title=) 仓库中查看或打开议题。
If you have any questions or need help migrating, you can view or open issues in the [`dependabot/dependabot-core`](https://github.com/dependabot/dependabot-core/issues/new?assignees=%40dependabot%2Fpreview-migration-reviewers&labels=E%3A+preview-migration&template=migration-issue.md&title=) repository.
@@ -38,7 +38,7 @@ redirect_from:
有时,您可能只想更新清单中一个依赖项的版本并生成拉取请求。 但是,如果此直接依赖项的更新版本也更新了依赖项,则拉取请求的更改可能超过您的预期。 每个清单和锁定文件的依赖项审查提供了一种简单的方法来查看更改的内容,以及任何新的依赖项版本是否包含已知的漏洞。
通过检查拉取请求中的依赖项审查并更改被标记为有漏洞的任何依赖项,可以避免将漏洞添加到项目中。 有关依赖项审查工作的更多信息,请参阅“[审查拉取请求中的依赖项更改](/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/incorporating-feedback-in-your-pull-request)”。
通过检查拉取请求中的依赖项审查并更改被标记为有漏洞的任何依赖项,可以避免将漏洞添加到项目中。 For more information about how dependency review works, see "[Reviewing dependency changes in a pull request](/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/reviewing-dependency-changes-in-a-pull-request)."
{% data variables.product.prodname_dependabot_alerts %} 将会查找依赖项中存在的漏洞,但避免引入潜在问题比在以后修复它们要好得多。 有关 {% data variables.product.prodname_dependabot_alerts %} 的更多信息,请参阅“[关于有漏洞依赖项的警报](/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies#dependabot-alerts-for-vulnerable-dependencies)”。


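Review bot: the corrected link now targets `reviewing-dependency-changes-in-a-pull-request` instead of the unrelated `incorporating-feedback-in-your-pull-request` article, which is the right fix. The unchanged last line still links `关于有漏洞依赖项的警报` through the legacy `/github/managing-security-vulnerabilities/...` path while every other link touched in this diff uses `/code-security/...`; update it to the current path so the page does not depend on a redirect staying in place.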