
Merge branch 'main' into accessibility-keyboard-shortcuts

Sarita Iyer
2021-11-09 13:15:24 -05:00
committed by GitHub
22766 changed files with 626987 additions and 1145381 deletions


@@ -13,6 +13,7 @@ module.exports = {
babelOptions: { configFile: './.babelrc' }, babelOptions: { configFile: './.babelrc' },
sourceType: 'module', sourceType: 'module',
}, },
ignorePatterns: ['tmp/*'],
rules: { rules: {
'import/no-extraneous-dependencies': ['error', { packageDir: '.' }], 'import/no-extraneous-dependencies': ['error', { packageDir: '.' }],
}, },


@@ -25,7 +25,7 @@ Closes [issue link]
### Check off the following: ### Check off the following:
- [ ] I have reviewed my changes in staging (look for "Automatically generated comment" and click **Modified** to view your latest changes). - [ ] I have reviewed my changes in staging (look for "Automatically generated comment" and click **Modified** to view your latest changes).
- [ ] For content changes, I have completed the [self-review checklist](https://github.com/github/docs/blob/main/CONTRIBUTING.md#self-review). - [ ] For content changes, I have completed the [self-review checklist](https://github.com/github/docs/blob/main/contributing/self-review.md#self-review).
### Writer impact (This section is for GitHub staff members only): ### Writer impact (This section is for GitHub staff members only):


@@ -12,8 +12,7 @@ export default [
'actions/upload-artifact@27121b0bdffd731efa15d66772be8dc71245d074', // v2.2.4 'actions/upload-artifact@27121b0bdffd731efa15d66772be8dc71245d074', // v2.2.4
'alex-page/github-project-automation-plus@bb266ff4dde9242060e2d5418e120a133586d488', // v0.8.1 'alex-page/github-project-automation-plus@bb266ff4dde9242060e2d5418e120a133586d488', // v0.8.1
'andymckay/labeler@e6c4322d0397f3240f0e7e30a33b5c5df2d39e90', // v1.0.4 'andymckay/labeler@e6c4322d0397f3240f0e7e30a33b5c5df2d39e90', // v1.0.4
'crowdin/github-action@d7f217268068f1244883a993379d62d816f84f25', // v1.4.0 'crowdin/github-action@d0622816ed4f4744db27d04374b2cef6867f7bed', // v1.4.1
'crykn/copy_folder_to_another_repo_action@0282e8b9fef06de92ddcae9fe6cb44df6226646c',
'cschleiden/actions-linter@caffd707beda4fc6083926a3dff48444bc7c24aa', // uses github-actions-parser v0.23.0 'cschleiden/actions-linter@caffd707beda4fc6083926a3dff48444bc7c24aa', // uses github-actions-parser v0.23.0
'dawidd6/action-delete-branch@47743101a121ad657031e6704086271ca81b1911', // v3.0.2 'dawidd6/action-delete-branch@47743101a121ad657031e6704086271ca81b1911', // v3.0.2
'dawidd6/action-download-artifact@af92a8455a59214b7b932932f2662fdefbd78126', // v2.15.0 'dawidd6/action-download-artifact@af92a8455a59214b7b932932f2662fdefbd78126', // v2.15.0


@@ -9,6 +9,15 @@ on:
branches: branches:
- main - main
pull_request: pull_request:
paths:
- .npmrc
- Dockerfile
- package.json
- package-lock.json
- next.config.js
- tsconfig.json
- next-env.d.ts
- .github/workflows/build-docker-image.yml
env: env:
CI: true CI: true


@@ -27,8 +27,13 @@ jobs:
- name: Remove unwanted git hooks - name: Remove unwanted git hooks
run: rm .git/hooks/post-checkout run: rm .git/hooks/post-checkout
- name: Remove all translations
run: |
git rm -rf --quiet translations/*/content
git rm -rf --quiet translations/*/data
- name: Sync - name: Sync
uses: crowdin/github-action@d7f217268068f1244883a993379d62d816f84f25 uses: crowdin/github-action@d0622816ed4f4744db27d04374b2cef6867f7bed
with: with:
# This option enables the transfer of existing translations in this project to Crowdin. # This option enables the transfer of existing translations in this project to Crowdin.
# We explicitly set this to `false` since we only want to use the downloaded translations managed by Crowdin. # We explicitly set this to `false` since we only want to use the downloaded translations managed by Crowdin.


@@ -33,7 +33,6 @@ jobs:
- name: Run scripts - name: Run scripts
run: | run: |
script/remove-unused-assets.js > results.md script/remove-unused-assets.js > results.md
script/remove-extraneous-translation-files.js
- name: Get script results to use in PR body - name: Get script results to use in PR body
id: results id: results
uses: juliangruber/read-file-action@e0a316da496006ffd19142f0fd594a1783f3b512 uses: juliangruber/read-file-action@e0a316da496006ffd19142f0fd594a1783f3b512


@@ -2,7 +2,7 @@ name: Site policy sync
# **What it does**: Updates our site-policy repo when changes happen to site policy docs. # **What it does**: Updates our site-policy repo when changes happen to site policy docs.
# **Why we have it**: We want keep site-policy repo up to date. # **Why we have it**: We want keep site-policy repo up to date.
# **Who does it impact**: Site-policy team. # **Who does it impact**: site-policy-admins and Developer Policy teams.
# Controls when the action will run. # Controls when the action will run.
on: on:
@@ -14,40 +14,67 @@ on:
- closed - closed
paths: paths:
- 'content/github/site-policy/**' - 'content/github/site-policy/**'
# Allows you to run this workflow manually from the Actions tab
workflow_dispatch: workflow_dispatch:
# A workflow run is made up of one or more jobs that can run sequentially or in parallel
jobs: jobs:
# This workflow contains a single job called "build" sync:
copy-file: name: Get the latest docs
if: >- if: >-
github.event.pull_request.merged == true && github.event.pull_request.merged == true &&
github.repository == 'github/docs-internal' github.repository == 'github/docs-internal'
# The type of runner that the job will run on
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions:
# Steps represent a sequence of tasks that will be executed as part of the job contents: write
pull-requests: write
steps: steps:
# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it - name: checkout docs-internal
- uses: actions/checkout@1e204e9a9253d643386038d443f96446fa156a97 uses: actions/checkout@1e204e9a9253d643386038d443f96446fa156a97
# Sets commit message
- name: custom message
run: |
echo "MESSAGE=${{github.event.pull_request.title}}" >> $GITHUB_ENV
# Pushes to other repo - name: checkout public site-policy
- name: Push folder to another repository uses: actions/checkout@1e204e9a9253d643386038d443f96446fa156a97
uses: crykn/copy_folder_to_another_repo_action@0282e8b9fef06de92ddcae9fe6cb44df6226646c
env:
API_TOKEN_GITHUB: ${{ secrets.API_TOKEN_SITEPOLICY }}
with: with:
source_folder: 'content/github/site-policy' repository: github/site-policy
destination_repo: 'github/site-policy' token: ${{ secrets.API_TOKEN_SITEPOLICY }}
destination_branch: 'main' fetch-depth: ''
destination_branch_create: 'repo-sync' path: public-repo
destination_folder: 'Policies'
user_email: 'site-policy-bot@users.noreply.github.com' - name: Commits internal policies to copy of public repo with descriptive message from triggering PR title
user_name: 'site-policy-bot' run: |
commit_msg: '${{ env.MESSAGE }}' cd public-repo
git config --local user.name 'site-policy-bot'
git config --local user.email 'site-policy-bot@github.com'
rm -rf Policies
cp -r ../content/github/site-policy Policies
git status
git checkout -b automated-sync-$GITHUB_RUN_ID
git add .
PR_TITLE=${{ github.event.pull_request.title }}
[[ ! -z $PR_TITLE ]] && DESCRIPTION="${PR_TITLE}" || DESCRIPTION="Update manually triggered by workflow"
echo "DESCRIPTION=$DESCRIPTION" >> $GITHUB_ENV
git commit -m "$(echo $DESCRIPTION)"
- name: If there are changes to push, create a pull request in the public repo using the gh command line tool, then immediately merge the PR and delete the branch
id: createAndMergePullRequest
env:
GITHUB_TOKEN: ${{ secrets.API_TOKEN_SITEPOLICY }}
run: |
cd public-repo
git config --local user.name 'site-policy-bot'
git config --local user.email 'site-policy-bot@github.com'
DIFF=$(git diff --name-status --summary HEAD^..HEAD)
NUM_FILES_CHANGED=$(git diff --name-only HEAD^..HEAD | wc -l)
[[ $NUM_FILES_CHANGED -ge 2 ]] && TITLE="Sync changes from GitHub Docs" || TITLE=$(echo $DIFF | sed -e 's/^A\s/Added /g;s/^D\s/Deleted /g;s/^C\s/Copied /g;s/^M\s/Modified /g;s/^R100\s/Renamed /g;')
if [[ ! -z $TITLE ]]
then
echo -e "This is an automated pull request to sync changes from GitHub Docs.\n\nDiff summary:\n\n${DIFF}" > msg
git push --set-upstream origin automated-sync-$GITHUB_RUN_ID
PR_URL=$(gh pr create --title "${TITLE}" --body-file msg --head automated-sync-$GITHUB_RUN_ID --base main --repo github/site-policy)
gh pr diff ${PR_URL}
gh pr merge ${PR_URL} --merge --delete-branch
else
echo "No updates to push to the public repo"
fi
- name: Delete remote updates branch if previous step failed
if: failure() && steps.createAndMergePullRequest.outcome == 'failure'
run: git push github/site-policy --delete automated-sync-$GITHUB_RUN_ID
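Review bot: The new `PR_TITLE=${{ github.event.pull_request.title }}` line in the commit step expands the pull request title into the script text before bash runs, so a title containing quotes, `;` or `$(...)` is parsed as shell rather than data, in a job that has checked out `github/site-policy` with `secrets.API_TOKEN_SITEPOLICY`. Pass the title through the environment instead: give that step an `env:` entry `PR_TITLE: ${{ github.event.pull_request.title }}`, build the message with `DESCRIPTION="${PR_TITLE:-Update manually triggered by workflow}"`, and commit with `git commit -m "$DESCRIPTION"`. Separately, the cleanup step `git push github/site-policy --delete automated-sync-$GITHUB_RUN_ID` runs from the workspace root rather than `public-repo` and names `github/site-policy`, which is not a remote configured anywhere in the steps shown; `git -C public-repo push origin --delete automated-sync-$GITHUB_RUN_ID` looks like what was intended. The job-level `if:` still requires `github.event.pull_request.merged == true`, so the `workflow_dispatch` fallback message appears unreachable.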


@@ -101,12 +101,13 @@ jobs:
- name: Delete heavy things we won't need deployed - name: Delete heavy things we won't need deployed
run: | run: |
# Non-WIP translations we don't support yet.
rm -fr translations/de* translations/ru* translations/ko* translations/ru*
# Not needed to run after having been built. # Not needed to run after having been built.
rm -fr .next/cache rm -fr .next/cache
# The dereferenced file is not used in runtime once the
# decorated file has been created from it.
rm -fr lib/rest/static/dereferenced
- name: Create an archive - name: Create an archive
run: | run: |
tar -c --file=app.tar \ tar -c --file=app.tar \


@@ -323,13 +323,17 @@ jobs:
name: pr_build name: pr_build
path: ${{ runner.temp }} path: ${{ runner.temp }}
- name: Extract user-changes to temp directory # For security reasons, only extract the tar from docs-internal
# This allows us to add search indexes and early access content to the build
- if: ${{ github.repository == 'github/docs-internal' }}
name: Extract user-changes to temp directory
run: | run: |
mkdir $RUNNER_TEMP/app mkdir $RUNNER_TEMP/app
tar -x --file=$RUNNER_TEMP/app.tar -C "$RUNNER_TEMP/app/" tar -x --file=$RUNNER_TEMP/app.tar -C "$RUNNER_TEMP/app/"
# Move the LFS content into the temp directory in chunks (destructively) # Move the LFS content into the temp directory in chunks (destructively)
- name: Move the LFS objects - if: ${{ github.repository == 'github/docs-internal' }}
name: Move the LFS objects
run: | run: |
git lfs ls-files --name-only | xargs -n 1 -I {} sh -c 'mkdir -p "$RUNNER_TEMP/app/$(dirname {})"; mv {} "$RUNNER_TEMP/app/$(dirname {})/"' git lfs ls-files --name-only | xargs -n 1 -I {} sh -c 'mkdir -p "$RUNNER_TEMP/app/$(dirname {})"; mv {} "$RUNNER_TEMP/app/$(dirname {})/"'
@@ -341,9 +345,15 @@ jobs:
mv content/early-access "$RUNNER_TEMP/app/content/" mv content/early-access "$RUNNER_TEMP/app/content/"
mv data/early-access "$RUNNER_TEMP/app/data/" mv data/early-access "$RUNNER_TEMP/app/data/"
- name: Create a gzipped archive - if: ${{ github.repository == 'github/docs-internal' }}
name: Create a gzipped archive (docs-internal)
run: tar -cz --file app.tar.gz "$RUNNER_TEMP/app/" run: tar -cz --file app.tar.gz "$RUNNER_TEMP/app/"
# gzip the app.tar from github/docs so we're working with the same format
- if: ${{ github.repository == 'github/docs' }}
name: Create a gzipped archive (docs)
run: gzip -9 < "$RUNNER_TEMP/app.tar" > app.tar.gz
- name: Create a Heroku build source - name: Create a Heroku build source
id: build-source id: build-source
uses: actions/github-script@2b34a689ec86a68d8ab9478298f91d5401337b7d uses: actions/github-script@2b34a689ec86a68d8ab9478298f91d5401337b7d
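Review bot: The `Move the LFS objects` step in the first hunk, now gated to `github/docs-internal`, still substitutes each file name into the `sh -c` string through `{}`, so a tracked path containing quotes, spaces or `$(...)` is parsed as shell code rather than as an argument. Pass the name as a positional parameter instead: `xargs -n 1 -I {} sh -c 'mkdir -p "$RUNNER_TEMP/app/$(dirname "$1")"; mv "$1" "$RUNNER_TEMP/app/$(dirname "$1")/"' _ {}`. The comment `# For security reasons, only extract the tar from docs-internal` would also be more useful if it named the risk (presumably that `app.tar` in github/docs comes from a pull-request build and is untrusted), so the repeated `if:` conditions are not dropped later. The step that moves `content/early-access` starts outside the second hunk, so whether it carries the same condition cannot be checked from here.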


@@ -23,7 +23,17 @@ jobs:
strategy: strategy:
fail-fast: false fail-fast: false
matrix: matrix:
test-group: [content, graphql, meta, rendering, routing, unit, linting] test-group:
[
content,
graphql,
meta,
rendering,
routing,
unit,
linting,
translations,
]
steps: steps:
- name: Check out repo - name: Check out repo
uses: actions/checkout@1e204e9a9253d643386038d443f96446fa156a97 uses: actions/checkout@1e204e9a9253d643386038d443f96446fa156a97


@@ -26,7 +26,17 @@ jobs:
fail-fast: false fail-fast: false
matrix: matrix:
# The same array lives in test-windows.yml, so make any updates there too. # The same array lives in test-windows.yml, so make any updates there too.
test-group: [content, graphql, meta, rendering, routing, unit, linting] test-group:
[
content,
graphql,
meta,
rendering,
routing,
unit,
linting,
translations,
]
steps: steps:
# Each of these ifs needs to be repeated at each step to make sure the required check still runs # Each of these ifs needs to be repeated at each step to make sure the required check still runs
# Even if if doesn't do anything # Even if if doesn't do anything


@@ -0,0 +1,72 @@
name: Copy to REST API issue to docs-content
# **What it does**: Copies an issue in the open source repo to the docs-content repo, comments on and closes the original issue
# **Why we have it**: REST API updates cannot be made in the open source repo. Instead, we copy the issue to an internal issue (we do not transfer so that the issue does not disappear for the contributor) and close the original issue.
# **Who does it impact**: Open source and docs-content maintainers
permissions:
contents: write
on:
issues:
types:
- labeled
jobs:
transfer-issue:
name: Transfer issue
runs-on: ubuntu-latest
if: (github.event.label.name == 'localization ' && github.repository == 'github/docs')
steps:
- name: Check if this run was triggered by a member of the docs team
uses: actions/github-script@2b34a689ec86a68d8ab9478298f91d5401337b7d
id: triggered-by-member
with:
github-token: ${{secrets.DOCUBOT_READORG_REPO_WORKFLOW_SCOPES}}
result-encoding: string
script: |
const triggerer_login = context.payload.sender.login
const teamMembers = await github.request(
`/orgs/github/teams/docs/members?per_page=100`
)
const logins = teamMembers.data.map(member => member.login)
if (logins.includes(triggerer_login)) {
console.log(`This workflow was triggered by ${triggerer_login} (on the docs team).`)
return 'true'
}
console.log(`This workflow was triggered by ${triggerer_login} (not on the docs team), so no action will be taken.`)
return 'false'
- name: Exit if not triggered by a docs team member
if: steps.triggered-by-member.outputs.result == 'false'
run: |
echo Aborting. This workflow must be triggered by a member of the docs team.
exit 1
- name: Create an issue in the localization repo
run: |
new_issue_url="$(gh issue create --title "$ISSUE_TITLE" --body "$ISSUE_BODY" --repo github/localization)"
echo 'NEW_ISSUE='$new_issue_url >> $GITHUB_ENV
env:
GITHUB_TOKEN: ${{secrets.DOCUBOT_READORG_REPO_WORKFLOW_SCOPES}}
ISSUE_TITLE: ${{ github.event.issue.title }}
ISSUE_BODY: ${{ github.event.issue.body }}
- name: Comment on the new issue
run: gh issue comment $NEW_ISSUE --body "This issue was originally opened in the open source repo as $OLD_ISSUE"
env:
GITHUB_TOKEN: ${{secrets.DOCUBOT_READORG_REPO_WORKFLOW_SCOPES}}
NEW_ISSUE: ${{ env.NEW_ISSUE }}
OLD_ISSUE: ${{ github.event.issue.html_url }}
- name: Comment on the old issue
run: gh issue comment $OLD_ISSUE --body "Thank you for opening this issue! Updates to translated content must be made internally. I have copied your issue to an internal issue, so I will close this issue."
env:
GITHUB_TOKEN: ${{secrets.DOCUBOT_READORG_REPO_WORKFLOW_SCOPES}}
OLD_ISSUE: ${{ github.event.issue.html_url }}
- name: Close the old issue
run: gh issue close $OLD_ISSUE
env:
GITHUB_TOKEN: ${{secrets.DOCUBOT_READORG_REPO_WORKFLOW_SCOPES}}
OLD_ISSUE: ${{ github.event.issue.html_url }}
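Review bot: The workflow-level `permissions: contents: write` gives the default `GITHUB_TOKEN` write access to repository contents, yet every step shown authenticates with `secrets.DOCUBOT_READORG_REPO_WORKFLOW_SCOPES` and nothing checks out or pushes; `permissions: {}` would match what these steps use. The job condition compares the label against `'localization '` with a trailing space, which looks like a typo that would keep the job from ever running; confirm the label's exact name. The `name:` and the three header comments still describe copying a REST API issue to docs-content, while the steps create the issue in `github/localization`. The membership check reads a single page of 100 team members, so on a larger docs team some valid triggers would be rejected.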


@@ -8,21 +8,21 @@ Use the table of contents icon <img src="./assets/images/table-of-contents.png"
## Contributing ## Contributing
See [the contributing guide](CONTRIBUTING.md) for detailed instructions of how to get started with our project. See [the contributing guide](CONTRIBUTING.md) for detailed instructions on how to get started with our project.
We accept different [types of contributions](CONTRIBUTING.md/#types-of-contributions-memo), including some that don't require you to write a single line of code. We accept different [types of contributions](https://github.com/github/docs/blob/main/contributing/types-of-contributions.md), including some that don't require you to write a single line of code.
On the GitHub Docs site, you can click the make a contribution button to open a PR for quick fixes like typos, updates, or link fixes. On the GitHub Docs site, you can click the make a contribution button to open a PR(Pull Request) for quick fixes like typos, updates, or link fixes.
<img src="./assets/images/contribution_cta.png" width="400"> <img src="./assets/images/contribution_cta.png" width="400">
For more complex contributions, you can open an issue using the most appropriate [issue template](https://github.com/github/docs/issues/new/choose) to describe the changes you'd like to see. For more complex contributions, you can open an issue using the most appropriate [issue template](https://github.com/github/docs/issues/new/choose) to describe the changes you'd like to see. By this way you can also be a part of Open source contributor's community without even writing a single line of code.
If you're looking for a way to contribute, you can scan through our [existing issues](https://github.com/github/docs/issues) for something to work on. When ready, check out [Getting Started with Contributing](/CONTRIBUTING.md) for detailed instructions. If you're looking for a way to contribute, you can scan through our [existing issues](https://github.com/github/docs/issues) for something to work on. When ready, check out [Getting Started with Contributing](/CONTRIBUTING.md) for detailed instructions.
### Join us in discussions ### Join us in discussions
We use GitHub Discussions to talk about all sorts of topics related to documentation and this site. For example: if you'd like help troubleshooting a PR, have a great new idea, or want to share something amazing you've learned in our docs, join us in [discussions](https://github.com/github/docs/discussions). We use GitHub Discussions to talk about all sorts of topics related to documentation and this site. For example: if you'd like help troubleshooting a PR, have a great new idea, or want to share something amazing you've learned in our docs, join us in the [discussions](https://github.com/github/docs/discussions).
### And that's it! ### And that's it!
@@ -33,6 +33,7 @@ That's how you can easily become a member of the GitHub Documentation community.
## READMEs ## READMEs
In addition to the README you're reading right now, this repo includes other READMEs that describe the purpose of each subdirectory in more detail: In addition to the README you're reading right now, this repo includes other READMEs that describe the purpose of each subdirectory in more detail:
YOu can go through among them for specified details regarding the topics listed below.
- [content/README.md](content/README.md) - [content/README.md](content/README.md)
- [content/graphql/README.md](content/graphql/README.md) - [content/graphql/README.md](content/graphql/README.md)
@@ -54,9 +55,9 @@ In addition to the README you're reading right now, this repo includes other REA
The GitHub product documentation in the assets, content, and data folders are licensed under a [CC-BY license](LICENSE). The GitHub product documentation in the assets, content, and data folders are licensed under a [CC-BY license](LICENSE).
All other code in this repository is licensed under a [MIT license](LICENSE-CODE). All other code in this repository is licensed under the [MIT license](LICENSE-CODE).
When using the GitHub logos, be sure to follow the [GitHub logo guidelines](https://github.com/logos). When you are using the GitHub logos, be sure to follow the [GitHub logo guidelines](https://github.com/logos).
## Thanks :purple_heart: ## Thanks :purple_heart:

Binary file not shown.

After

Width:  |  Height:  |  Size: 26 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 18 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 26 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 152 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 297 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 307 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 98 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 250 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 78 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 39 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 39 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 79 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 67 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 11 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 11 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 22 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 12 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 221 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 188 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 25 KiB

After

Width:  |  Height:  |  Size: 32 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 11 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 33 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 26 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 44 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 58 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 8.7 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 47 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 80 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 6.0 KiB

After

Width:  |  Height:  |  Size: 16 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 49 KiB

After

Width:  |  Height:  |  Size: 110 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 78 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 26 KiB

After

Width:  |  Height:  |  Size: 125 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 18 KiB

After

Width:  |  Height:  |  Size: 79 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 32 KiB

After

Width:  |  Height:  |  Size: 77 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 7.2 KiB

After

Width:  |  Height:  |  Size: 11 KiB


@@ -1,21 +1,24 @@
import Link from 'next/link'
import { useRouter } from 'next/router'
import { MarkGithubIcon } from '@primer/octicons-react' import { MarkGithubIcon } from '@primer/octicons-react'
import { useTranslation } from 'components/hooks/useTranslation' import { useTranslation } from 'components/hooks/useTranslation'
export const SmallFooter = () => { export const SmallFooter = () => {
const router = useRouter()
const { t } = useTranslation('footer') const { t } = useTranslation('footer')
return ( return (
<footer className="container-xl px-3 mt-6 mb-8 px-md-6 position-relative d-flex flex-row-reverse flex-xl-row flex-wrap flex-xl-nowrap flex-justify-center flex-xl-justify-between f6 color-fg-muted"> <footer className="container-xl px-3 mt-6 mb-8 px-md-6 position-relative d-flex flex-row-reverse flex-xl-row flex-wrap flex-xl-nowrap flex-justify-center flex-xl-justify-between f6 color-fg-muted">
<ul className="list-style-none d-flex flex-wrap col-12 col-xl-5 flex-justify-center flex-xl-justify-between mb-2 mb-xl-0"> <ul className="list-style-none d-flex flex-wrap col-12 col-xl-5 flex-justify-center flex-xl-justify-between mb-2 mb-xl-0">
<li className="mr-3 mr-xl-0">&copy; {new Date().getFullYear()} GitHub, Inc.</li> <li className="mr-3 mr-xl-0">&copy; {new Date().getFullYear()} GitHub, Inc.</li>
<li className="mr-3 mr-xl-0"> <li className="mr-3 mr-xl-0">
<a href="https://docs.github.com/en/github/site-policy/github-terms-of-service"> <Link href={`/${router.locale}/github/site-policy/github-terms-of-service`}>
{t('terms')} {t('terms')}
</a> </Link>
</li> </li>
<li className="mr-3 mr-xl-0"> <li className="mr-3 mr-xl-0">
<a href="https://docs.github.com/en/github/site-policy/github-privacy-statement"> <Link href={`/${router.locale}/github/site-policy/github-privacy-statement`}>
{t('privacy')} {t('privacy')}
</a> </Link>
</li> </li>
<li className="mr-3 mr-xl-0"> <li className="mr-3 mr-xl-0">
<a href="https://github.com/security">{t('product.links.security')}</a> <a href="https://github.com/security">{t('product.links.security')}</a>
@@ -24,7 +27,7 @@ export const SmallFooter = () => {
<a href="https://www.githubstatus.com/">{t('support.links.status')}</a> <a href="https://www.githubstatus.com/">{t('support.links.status')}</a>
</li> </li>
<li> <li>
<a href="/">{t('support.links.help')}</a> <Link href={`/${router.locale}`}>{t('support.links.help')}</Link>
</li> </li>
</ul> </ul>
@@ -45,7 +48,7 @@ export const SmallFooter = () => {
<a href="https://github.com/pricing">{t('product.links.pricing')}</a> <a href="https://github.com/pricing">{t('product.links.pricing')}</a>
</li> </li>
<li className="mr-3 mr-xl-0"> <li className="mr-3 mr-xl-0">
<a href="https://docs.github.com">{t('platform.links.developer_api')}</a> <Link href={`/${router.locale}/developers`}>{t('platform.links.developer_api')}</Link>
</li> </li>
<li className="mr-3 mr-xl-0"> <li className="mr-3 mr-xl-0">
<a href="https://services.github.com">{t('support.links.training')}</a> <a href="https://services.github.com">{t('support.links.training')}</a>
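Review bot: The new `Link` hrefs are prefixed by hand with `router.locale`, which Next.js leaves `undefined` when i18n routing is not configured, producing `/undefined/...`; when it is configured, `next/link` adds the locale prefix itself unless `locale={false}` is passed, so the prefix may be applied twice. Other components in this commit import `Link` from `components/Link`; using that wrapper here, or passing `locale={false}`, would keep the footer consistent with them. The component continues outside the hunks, so the remaining anchors were not reviewed.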


@@ -2,6 +2,7 @@ import cx from 'classnames'
import { useRouter } from 'next/router' import { useRouter } from 'next/router'
import { useMainContext } from '../context/MainContext' import { useMainContext } from '../context/MainContext'
import { Link } from 'components/Link' import { Link } from 'components/Link'
import styles from './Header.module.scss'
export type BreadcrumbT = { export type BreadcrumbT = {
title: string title: string
@@ -21,13 +22,16 @@ export const Breadcrumbs = () => {
If these change, please also change If these change, please also change
updating script/search/parse-page-sections-into-records.js. updating script/search/parse-page-sections-into-records.js.
*/ */
<nav data-testid="breadcrumbs" className="f5 breadcrumbs" aria-label="Breadcrumb"> <nav
data-testid="breadcrumbs"
className={cx('f5 breadcrumbs', styles.collapsebreadcrumbs)}
aria-label="Breadcrumb"
>
{Object.values(breadcrumbs).map((breadcrumb, i, arr) => { {Object.values(breadcrumbs).map((breadcrumb, i, arr) => {
if (!breadcrumb) { if (!breadcrumb) {
return null return null
} }
const title = `${breadcrumb.title}`
const title = `${breadcrumb.documentType}: ${breadcrumb.title}`
return [ return [
!breadcrumb.href ? ( !breadcrumb.href ? (
<span data-testid="breadcrumb-title" key={title} title={title} className="px-2"> <span data-testid="breadcrumb-title" key={title} title={title} className="px-2">
@@ -39,19 +43,16 @@ export const Breadcrumbs = () => {
data-testid="breadcrumb-link" data-testid="breadcrumb-link"
href={breadcrumb.href} href={breadcrumb.href}
title={title} title={title}
className={cx( className={cx('pr-3', pathWithLocale === breadcrumb.href && 'color-fg-muted')}
'd-inline-block px-2',
pathWithLocale === breadcrumb.href && 'color-fg-muted'
)}
> >
{breadcrumb.title} {breadcrumb.title}
{i !== arr.length - 1 ? (
<span className="color-fg-muted pl-3" key={`${i}-slash`}>
/
</span>
) : null}
</Link> </Link>
), ),
i !== arr.length - 1 ? (
<span className="color-fg-muted" key={`${i}-slash`}>
/
</span>
) : null,
] ]
})} })}
</nav> </nav>


@@ -1,3 +1,13 @@
.breadcrumbs { .breadcrumbs {
clip-path: inset(-5px -5px -5px 0px); clip-path: inset(-5px -5px -5px 0px);
} }
@media only screen and (max-width: 1750px) {
.collapsebreadcrumbs a:not(:first-child):not(:last-child) {
display: none;
}
}
.header {
display: unset;
}


@@ -41,13 +41,18 @@ export const Header = () => {
return ( return (
<div <div
className={`border-bottom color-border-muted no-print position-sticky top-0 z-3 ${ className={cx(
scroll ? 'color-shadow-medium' : 'color-shadow-small' 'border-bottom d-unset color-border-muted no-print z-3 color-bg-default',
} color-bg-default`} styles.header
)}
> >
{error !== '404' && <HeaderNotifications />} {error !== '404' && <HeaderNotifications />}
<header
<header className={cx('container-xl px-3 px-md-6 pt-3 pb-3 z-3')}> className={cx(
'color-bg-default px-3 px-md-6 pt-3 pb-3 position-sticky top-0 z-3 border-bottom',
scroll && 'color-shadow-small'
)}
>
{/* desktop header */} {/* desktop header */}
<div <div
className="d-none d-lg-flex flex-justify-end flex-items-center" className="d-none d-lg-flex flex-justify-end flex-items-center"


@@ -16,6 +16,26 @@ const SectionToLabelMap: Record<string, string> = {
backups: 'Backups', backups: 'Backups',
} }
const LabelColorMap = {
features: 'color-bg-success-emphasis',
bugs: 'color-bg-attention-emphasis',
known_issues: 'color-bg-accent-emphasis',
security_fixes: 'color-bg-sponsors-emphasis',
changes: 'color-bg-success-emphasis',
deprecations: 'color-bg-done-emphasis',
backups: 'color-bg-severe-emphasis',
}
const HeadingColorMap = {
features: 'color-fg-success',
bugs: 'color-fg-attention',
known_issues: 'color-fg-accent',
security_fixes: 'color-fg-sponsors',
changes: 'color-fg-success',
deprecations: 'color-fg-done',
backups: 'color-fg-severe',
}
type Props = { type Props = {
patch: ReleaseNotePatch patch: ReleaseNotePatch
withReleaseNoteLabel?: boolean withReleaseNoteLabel?: boolean
@@ -25,6 +45,10 @@ export function PatchNotes({ patch, withReleaseNoteLabel }: Props) {
<> <>
{Object.entries(patch.sections).map(([key, sectionItems], i, arr) => { {Object.entries(patch.sections).map(([key, sectionItems], i, arr) => {
const isLast = i === arr.length - 1 const isLast = i === arr.length - 1
const primaryLabelColor =
LabelColorMap[key as keyof typeof LabelColorMap] || LabelColorMap.features
const primaryHeadingColor =
HeadingColorMap[key as keyof typeof HeadingColorMap] || HeadingColorMap.features
return ( return (
<div <div
key={key} key={key}
@@ -36,7 +60,12 @@ export function PatchNotes({ patch, withReleaseNoteLabel }: Props) {
> >
{withReleaseNoteLabel && ( {withReleaseNoteLabel && (
<div className="col-12 col-xl-3 mb-5"> <div className="col-12 col-xl-3 mb-5">
<span className="px-3 py-2 text-small text-bold text-uppercase color-bg-emphasis color-fg-on-emphasis"> <span
className={cx(
'px-3 py-2 color-fg-on-emphasis text-small text-bold text-uppercase',
primaryLabelColor
)}
>
{SectionToLabelMap[key] || 'INVALID SECTION'} {SectionToLabelMap[key] || 'INVALID SECTION'}
</span> </span>
</div> </div>
@@ -52,7 +81,11 @@ export function PatchNotes({ patch, withReleaseNoteLabel }: Props) {
<Fragment key={slug}> <Fragment key={slug}>
<h4 <h4
id={slug} id={slug}
className={cx(styles.sectionHeading, 'text-uppercase text-bold f4')} className={cx(
styles.sectionHeading,
primaryHeadingColor,
'text-uppercase text-bold f4'
)}
> >
<Link href={`#${slug}`} className="color-fg-inherit"> <Link href={`#${slug}`} className="color-fg-inherit">
{item.heading} {item.heading}


@@ -1,3 +1,10 @@
.fadeBottom { .fadeBottom {
background: linear-gradient(to top, var(--color-canvas-default), transparent); background: linear-gradient(to top, var(--color-canvas-default), transparent);
} }
/* Because of the sticky header */
.hashAnchor {
&:target {
scroll-margin-top: 75px;
}
}


@@ -4,6 +4,7 @@ import { ArrowRightIcon } from '@primer/octicons-react'
import { useState } from 'react' import { useState } from 'react'
import { FeaturedTrack } from 'components/context/ProductSubLandingContext' import { FeaturedTrack } from 'components/context/ProductSubLandingContext'
import { TruncateLines } from 'components/ui/TruncateLines' import { TruncateLines } from 'components/ui/TruncateLines'
import slugger from 'github-slugger'
import styles from './LearningTrack.module.scss' import styles from './LearningTrack.module.scss'
type Props = { type Props = {
@@ -17,6 +18,7 @@ export const LearningTrack = ({ track }: Props) => {
setNumVisible(track?.guides?.length || 0) setNumVisible(track?.guides?.length || 0)
} }
const { t } = useTranslation('product_sublanding') const { t } = useTranslation('product_sublanding')
const slug = track?.title ? slugger.slug(track?.title) : ''
return ( return (
<div data-testid="learning-track" className="my-3 px-4 col-12 col-md-6"> <div data-testid="learning-track" className="my-3 px-4 col-12 col-md-6">
@@ -24,7 +26,11 @@ export const LearningTrack = ({ track }: Props) => {
<div className="Box-header color-bg-subtle p-4 d-flex flex-1 flex-items-start flex-wrap"> <div className="Box-header color-bg-subtle p-4 d-flex flex-1 flex-items-start flex-wrap">
<div className="d-flex flex-auto flex-items-start col-8 col-md-12 col-xl-8"> <div className="d-flex flex-auto flex-items-start col-8 col-md-12 col-xl-8">
<div className="my-xl-0 mr-xl-3"> <div className="my-xl-0 mr-xl-3">
<h5 className="mb-3 color-text f3 text-semibold">{track?.title}</h5> <h5 id={slug} className={cx('mb-3 color-text f3 text-semibold', styles.hashAnchor)}>
<a className="color-unset" href={`#${slug}`}>
{track?.title}
</a>
</h5>
<TruncateLines as="p" maxLines={3} className="color-text"> <TruncateLines as="p" maxLines={3} className="color-text">
{track?.description} {track?.description}
</TruncateLines> </TruncateLines>
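Review bot: When `track?.title` is missing, `slug` falls back to `''`, so the new `<h5>` is rendered with `id=""` and its link points at `#`, which jumps to the top of the page instead of the track. Guard both, for example `<h5 id={slug || undefined} ...>`, and render the `<a>` wrapper only when `slug` is non-empty. `slugger.slug(...)` is used here as a stateless helper, so presumably two tracks with the same title would get the same `id`; confirm that titles are unique per page or use a per-render slugger instance that de-duplicates. The component body continues outside the hunks shown.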


@@ -108,7 +108,7 @@ To add a `repo:` filter, you must include the owner of the repository in the que
### Supported `is:` queries ### Supported `is:` queries
To filter notifications for specific activity on {% data variables.product.product_location %}, you can use the `is` query. For example, to only see repository invitation updates, use `is:repository-invitation`{% ifversion not ghae %}, and to only see {% ifversion fpt or ghes or ghec %}{% data variables.product.prodname_dependabot %}{% else %} security{% endif %} alerts, use `is:repository-vulnerability-alert`.{% endif %} To filter notifications for specific activity on {% data variables.product.product_location %}, you can use the `is` query. For example, to only see repository invitation updates, use `is:repository-invitation`{% ifversion not ghae %}, and to only see {% data variables.product.prodname_dependabot %} alerts, use `is:repository-vulnerability-alert`{% endif %}.
- `is:check-suite` - `is:check-suite`
- `is:commit` - `is:commit`
@@ -167,7 +167,7 @@ For example, to see notifications from the octo-org organization, use `org:octo-
{% ifversion fpt or ghes or ghae-issue-4864 or ghec %} {% ifversion fpt or ghes or ghae-issue-4864 or ghec %}
## {% data variables.product.prodname_dependabot %} custom filters ## {% data variables.product.prodname_dependabot %} custom filters
{% ifversion fpt or ghec %} {% ifversion fpt or ghec or ghes > 3.2 %}
If you use {% data variables.product.prodname_dependabot %} to keep your dependencies up-to-date, you can use and save these custom filters: If you use {% data variables.product.prodname_dependabot %} to keep your dependencies up-to-date, you can use and save these custom filters:
- `is:repository_vulnerability_alert` to show notifications for {% data variables.product.prodname_dependabot_alerts %}. - `is:repository_vulnerability_alert` to show notifications for {% data variables.product.prodname_dependabot_alerts %}.
- `reason:security_alert` to show notifications for {% data variables.product.prodname_dependabot_alerts %} and security update pull requests. - `reason:security_alert` to show notifications for {% data variables.product.prodname_dependabot_alerts %} and security update pull requests.
@@ -176,9 +176,9 @@ If you use {% data variables.product.prodname_dependabot %} to keep your depende
For more information about {% data variables.product.prodname_dependabot %}, see "[About managing vulnerable dependencies](/github/managing-security-vulnerabilities/about-managing-vulnerable-dependencies)." For more information about {% data variables.product.prodname_dependabot %}, see "[About managing vulnerable dependencies](/github/managing-security-vulnerabilities/about-managing-vulnerable-dependencies)."
{% endif %} {% endif %}
{% ifversion ghes or ghae-issue-4864 %} {% ifversion ghes < 3.3 or ghae-issue-4864 %}
If you use {% data variables.product.prodname_dependabot %} to keep your dependencies-up-to-date, you can use and save these custom filters to show notifications for {% data variables.product.prodname_dependabot_alerts %}: If you use {% data variables.product.prodname_dependabot %} to tell you about vulnerable dependencies, you can use and save these custom filters to show notifications for {% data variables.product.prodname_dependabot_alerts %}:
- `is:repository_vulnerability_alert` - `is:repository_vulnerability_alert`
- `reason:security_alert` - `reason:security_alert`


@@ -4,6 +4,7 @@ intro: 'You can control features that secure and analyze the code in your projec
versions: versions:
fpt: '*' fpt: '*'
ghec: '*' ghec: '*'
ghes: '>3.2'
topics: topics:
- Accounts - Accounts
redirect_from: redirect_from:
@@ -17,6 +18,8 @@ shortTitle: Manage security & analysis
You can still manage the security and analysis features for individual repositories. For more information, see "[Managing security and analysis settings for your repository](/github/administering-a-repository/managing-security-and-analysis-settings-for-your-repository)." You can still manage the security and analysis features for individual repositories. For more information, see "[Managing security and analysis settings for your repository](/github/administering-a-repository/managing-security-and-analysis-settings-for-your-repository)."
You can also review the security log for all activity on your user account. For more information, see "[Reviewing your security log](/authentication/keeping-your-account-and-data-secure/reviewing-your-security-log)."
{% data reusables.security.some-security-and-analysis-features-are-enabled-by-default %} {% data reusables.security.some-security-and-analysis-features-are-enabled-by-default %}
{% data reusables.security.security-and-analysis-features-enable-read-only %} {% data reusables.security.security-and-analysis-features-enable-read-only %}
@@ -28,11 +31,11 @@ For an overview of repository-level security, see "[Securing your repository](/c
{% data reusables.user_settings.access_settings %} {% data reusables.user_settings.access_settings %}
{% data reusables.user_settings.security-analysis %} {% data reusables.user_settings.security-analysis %}
3. Under "Configure security and analysis features", to the right of the feature, click **Disable all** or **Enable all**. 3. Under "Configure security and analysis features", to the right of the feature, click **Disable all** or **Enable all**.
!["Enable all" or "Disable all" button for "Configure security and analysis" features](/assets/images/help/settings/security-and-analysis-disable-or-enable-all.png) {% ifversion ghes > 3.2 %}!["Enable all" or "Disable all" button for "Configure security and analysis" features](/assets/images/enterprise/3.3/settings/security-and-analysis-disable-or-enable-all.png){% else %}!["Enable all" or "Disable all" button for "Configure security and analysis" features](/assets/images/help/settings/security-and-analysis-disable-or-enable-all.png){% endif %}
6. Optionally, enable the feature by default for new repositories in your organization. 6. Optionally, enable the feature by default for new repositories that you own.
!["Enable by default" option for new repositories](/assets/images/help/settings/security-and-analysis-enable-by-default-in-modal.png) {% ifversion ghes > 3.2 %}!["Enable by default" option for new repositories](/assets/images/enterprise/3.3/settings/security-and-analysis-enable-by-default-in-modal.png){% else %}!["Enable by default" option for new repositories](/assets/images/help/settings/security-and-analysis-enable-by-default-in-modal.png){% endif %}
7. Click **Disable FEATURE** or **Enable FEATURE** to disable or enable the feature for all the repositories you own. 7. Click **Disable FEATURE** or **Enable FEATURE** to disable or enable the feature for all the repositories you own.
![Button to disable or enable feature](/assets/images/help/settings/security-and-analysis-enable-dependency-graph.png) {% ifversion ghes > 3.2 %}![Button to disable or enable feature](/assets/images/enterprise/3.3/settings/security-and-analysis-enable-dependency-graph.png){% else %}![Button to disable or enable feature](/assets/images/help/settings/security-and-analysis-enable-dependency-graph.png){% endif %}
{% data reusables.security.displayed-information %} {% data reusables.security.displayed-information %}
@@ -40,11 +43,11 @@ For an overview of repository-level security, see "[Securing your repository](/c
{% data reusables.user_settings.access_settings %} {% data reusables.user_settings.access_settings %}
{% data reusables.user_settings.security-analysis %} {% data reusables.user_settings.security-analysis %}
3. Under "Configure security and analysis features", to the right of the feature, enable or disable the feature by default for new repositories in your organization. 3. Under "Configure security and analysis features", to the right of the feature, enable or disable the feature by default for new repositories that you own.
![Checkbox for enabling or disabling a feature for new repositories](/assets/images/help/settings/security-and-analysis-enable-or-disable-feature-checkbox.png) {% ifversion ghes > 3.2 %}![Checkbox for enabling or disabling a feature for new repositories](/assets/images/enterprise/3.3/settings/security-and-analysis-enable-or-disable-feature-checkbox.png){% else %}![Checkbox for enabling or disabling a feature for new repositories](/assets/images/help/settings/security-and-analysis-enable-or-disable-feature-checkbox.png){% endif %}
## Further reading ## Further reading
- "[About the dependency graph](/github/visualizing-repository-data-with-graphs/about-the-dependency-graph)" - "[About the dependency graph](/github/visualizing-repository-data-with-graphs/about-the-dependency-graph)"
- "[Managing vulnerabilities in your project's dependencies](/github/managing-security-vulnerabilities/managing-vulnerabilities-in-your-projects-dependencies)" - "[Managing vulnerabilities in your project's dependencies](/github/managing-security-vulnerabilities/managing-vulnerabilities-in-your-projects-dependencies)"
{% ifversion fpt or ghec %}- "[Keeping your dependencies updated automatically](/github/administering-a-repository/keeping-your-dependencies-updated-automatically)"{% endif %} - "[Keeping your dependencies updated automatically](/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically)"


@@ -23,6 +23,7 @@ shortTitle: Merge multiple user accounts
1. [Transfer any repositories](/articles/how-to-transfer-a-repository) from the account you want to delete to the account you want to keep. Issues, pull requests, and wikis are transferred as well. Verify the repositories exist on the account you want to keep. 1. [Transfer any repositories](/articles/how-to-transfer-a-repository) from the account you want to delete to the account you want to keep. Issues, pull requests, and wikis are transferred as well. Verify the repositories exist on the account you want to keep.
2. [Update the remote URLs](/github/getting-started-with-github/managing-remote-repositories) in any local clones of the repositories that were moved. 2. [Update the remote URLs](/github/getting-started-with-github/managing-remote-repositories) in any local clones of the repositories that were moved.
3. [Delete the account](/articles/deleting-your-user-account) you no longer want to use. 3. [Delete the account](/articles/deleting-your-user-account) you no longer want to use.
4. To attribute past commits to the new account, add the email address you used to author the commits to the account you're keeping. For more information, see "[Why are my contributions not showing up on my profile?](/account-and-profile/setting-up-and-managing-your-github-profile/managing-contribution-graphs-on-your-profile/why-are-my-contributions-not-showing-up-on-my-profile#your-local-git-commit-email-isnt-connected-to-your-account)"
## Further reading ## Further reading


@@ -60,7 +60,7 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
strategy: strategy:
matrix: matrix:
python-version: [3.6, 3.7, 3.8, 3.9] python-version: ["3.6", "3.7", "3.8", "3.9"]
steps: steps:
- uses: actions/checkout@v2 - uses: actions/checkout@v2
@@ -119,7 +119,7 @@ jobs:
# You can use PyPy versions in python-version. # You can use PyPy versions in python-version.
# For example, pypy2 and pypy3 # For example, pypy2 and pypy3
matrix: matrix:
python-version: [2.7, 3.6, 3.7, 3.8, 3.9] python-version: ["2.7", "3.6", "3.7", "3.8", "3.9"]
steps: steps:
- uses: actions/checkout@v2 - uses: actions/checkout@v2
@@ -182,12 +182,12 @@ jobs:
strategy: strategy:
matrix: matrix:
os: [ubuntu-latest, macos-latest, windows-latest] os: [ubuntu-latest, macos-latest, windows-latest]
python-version: [3.6, 3.7, 3.8, 3.9, pypy2, pypy3] python-version: ["3.6", "3.7", "3.8", "3.9", pypy2, pypy3]
exclude: exclude:
- os: macos-latest - os: macos-latest
python-version: 3.6 python-version: "3.6"
- os: windows-latest - os: windows-latest
python-version: 3.6 python-version: "3.6"
``` ```
{% endraw %} {% endraw %}
@@ -344,7 +344,7 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
strategy: strategy:
matrix: matrix:
python: [3.7, 3.8, 3.9] python: ["3.7", "3.8", "3.9"]
steps: steps:
- uses: actions/checkout@v2 - uses: actions/checkout@v2
@@ -378,7 +378,7 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
strategy: strategy:
matrix: matrix:
python-version: [3.6, 3.7, 3.8, 3.9] python-version: ["3.6", "3.7", "3.8", "3.9"]
steps: steps:
- uses: actions/checkout@v2 - uses: actions/checkout@v2


@@ -57,7 +57,7 @@ Before you begin, you'll need to create a {% data variables.product.prodname_dot
## Creating a Dockerfile ## Creating a Dockerfile
In your new `hello-world-docker-action` directory, create a new `Dockerfile` file. For more information, see "[Dockerfile support for {% data variables.product.prodname_actions %}](/actions/creating-actions/dockerfile-support-for-github-actions)." In your new `hello-world-docker-action` directory, create a new `Dockerfile` file. Make sure that your filename is capitalized correctly (use a capital `D` but not a capital `f`) if you're having issues. For more information, see "[Dockerfile support for {% data variables.product.prodname_actions %}](/actions/creating-actions/dockerfile-support-for-github-actions)."
**Dockerfile** **Dockerfile**
```Dockerfile{:copy} ```Dockerfile{:copy}


@@ -44,7 +44,7 @@ By default, the validation only includes the audience (`aud`) condition, so you
"Condition": { "Condition": {
"StringEquals": { "StringEquals": {
"token.actions.githubusercontent.com:aud": "https://github.com/octo-org", "token.actions.githubusercontent.com:aud": "https://github.com/octo-org",
"token.actions.githubusercontent.com:sub": "token.actions.githubusercontent.com:sub": "repo:octo-org/octo-repo:ref:refs/heads/octo-branch" "token.actions.githubusercontent.com:sub": "repo:octo-org/octo-repo:ref:refs/heads/octo-branch"
``` ```
## Updating your {% data variables.product.prodname_actions %} workflow ## Updating your {% data variables.product.prodname_actions %} workflow
@@ -96,9 +96,9 @@ jobs:
with: with:
role-to-assume: arn:aws:iam::1234567890:role/example-role role-to-assume: arn:aws:iam::1234567890:role/example-role
role-session-name: samplerolesession role-session-name: samplerolesession
aws-region: ${{ env.AWS_REGION }} aws-region: {% raw %}${{ env.AWS_REGION }}{% endraw %}
# Upload a file to AWS s3 # Upload a file to AWS s3
- name: Copy index.html to s3 - name: Copy index.html to s3
run: | run: |
aws s3 cp ./index.html s3://${{ env.BUCKET_NAME }}/ aws s3 cp ./index.html s3://{% raw %}${{ env.BUCKET_NAME }}{% endraw %}/
``` ```


@@ -33,8 +33,8 @@ This guide gives an overview of how to configure Azure to trust {% data variable
To configure the OIDC identity provider in Azure, you will need to perform the following configuration. For instructions on making these changes, refer to [the Azure documentation](https://docs.microsoft.com/en-us/azure/developer/github/connect-from-azure). To configure the OIDC identity provider in Azure, you will need to perform the following configuration. For instructions on making these changes, refer to [the Azure documentation](https://docs.microsoft.com/en-us/azure/developer/github/connect-from-azure).
1. Create an Active Directory application and a service principal. 1. Create an Azure Active Directory application and a service principal.
2. Add federated credentials for the Active Directory application. 2. Add federated credentials for the Azure Active Directory application.
3. Create {% data variables.product.prodname_dotcom %} secrets for storing Azure configuration. 3. Create {% data variables.product.prodname_dotcom %} secrets for storing Azure configuration.
Additional guidance for configuring the identity provider: Additional guidance for configuring the identity provider:


@@ -23,7 +23,7 @@ You can automatically increase or decrease the number of self-hosted runners in
The following repositories have detailed instructions for setting up these autoscalers: The following repositories have detailed instructions for setting up these autoscalers:
- [actions-runner-controller/actions-runner-controller](https://github.com/actions-runner-controller/actions-runner-controller) - A Kubernetes controller for {% data variables.product.prodname_actions %} self-hosted runnners. - [actions-runner-controller/actions-runner-controller](https://github.com/actions-runner-controller/actions-runner-controller) - A Kubernetes controller for {% data variables.product.prodname_actions %} self-hosted runners.
- [philips-labs/terraform-aws-github-runner](https://github.com/philips-labs/terraform-aws-github-runner) - A Terraform module for scalable {% data variables.product.prodname_actions %} runners on Amazon Web Services. - [philips-labs/terraform-aws-github-runner](https://github.com/philips-labs/terraform-aws-github-runner) - A Terraform module for scalable {% data variables.product.prodname_actions %} runners on Amazon Web Services.
Each solution has certain specifics that may be important to consider: Each solution has certain specifics that may be important to consider:
@@ -77,4 +77,4 @@ To authenticate using a {% data variables.product.prodname_dotcom %} App, it mu
You can register and delete enterprise self-hosted runners using [the API](/rest/reference/enterprise-admin#github-actions). To authenticate to the API, your autoscaling implementation can use an access token. You can register and delete enterprise self-hosted runners using [the API](/rest/reference/enterprise-admin#github-actions). To authenticate to the API, your autoscaling implementation can use an access token.
Your access token will requite the `manage_runners:enterprise` scope. Your access token will require the `manage_runners:enterprise` scope.


@@ -41,6 +41,7 @@ Contexts are a way to access information about workflow runs, runner environment
| `strategy` | `object` | Enables access to the configured strategy parameters and information about the current job. Strategy parameters include `fail-fast`, `job-index`, `job-total`, and `max-parallel`. | | `strategy` | `object` | Enables access to the configured strategy parameters and information about the current job. Strategy parameters include `fail-fast`, `job-index`, `job-total`, and `max-parallel`. |
| `matrix` | `object` | Enables access to the matrix parameters you configured for the current job. For example, if you configure a matrix build with the `os` and `node` versions, the `matrix` context object includes the `os` and `node` versions of the current job. | | `matrix` | `object` | Enables access to the matrix parameters you configured for the current job. For example, if you configure a matrix build with the `os` and `node` versions, the `matrix` context object includes the `os` and `node` versions of the current job. |
| `needs` | `object` | Enables access to the outputs of all jobs that are defined as a dependency of the current job. For more information, see [`needs` context](#needs-context). | | `needs` | `object` | Enables access to the outputs of all jobs that are defined as a dependency of the current job. For more information, see [`needs` context](#needs-context). |
{% ifversion fpt or ghec or ghes > 3.3 or ghae-issue-4757 %}| `inputs` | `object` | Enables access to the inputs of reusable workflow. For more information, see [`inputs` context](#inputs-context). |{% endif %}
As part of an expression, you may access context information using one of two syntaxes. As part of an expression, you may access context information using one of two syntaxes.
- Index syntax: `github['sha']` - Index syntax: `github['sha']`
@@ -74,6 +75,11 @@ The `github` context contains information about the workflow run and the event t
| `github.head_ref` | `string` | The `head_ref` or source branch of the pull request in a workflow run. This property is only available when the event that triggers a workflow run is either `pull_request` or `pull_request_target`. | | `github.head_ref` | `string` | The `head_ref` or source branch of the pull request in a workflow run. This property is only available when the event that triggers a workflow run is either `pull_request` or `pull_request_target`. |
| `github.job` | `string` | The [`job_id`](/actions/reference/workflow-syntax-for-github-actions#jobsjob_id) of the current job. | | `github.job` | `string` | The [`job_id`](/actions/reference/workflow-syntax-for-github-actions#jobsjob_id) of the current job. |
| `github.ref` | `string` | The branch or tag ref that triggered the workflow run. For branches this is the format `refs/heads/<branch_name>`, and for tags it is `refs/tags/<tag_name>`. | | `github.ref` | `string` | The branch or tag ref that triggered the workflow run. For branches this is the format `refs/heads/<branch_name>`, and for tags it is `refs/tags/<tag_name>`. |
{%- ifversion fpt or ghec or ghes > 3.3 or ghae-issue-5338 %}
| `github.ref_name` | `string` | {% data reusables.actions.ref_name-description %} |
| `github.ref_protected` | `string` | {% data reusables.actions.ref_protected-description %} |
| `github.ref_type` | `string` | {% data reusables.actions.ref_type-description %} |
{%- endif %}
| `github.repository` | `string` | The owner and repository name. For example, `Codertocat/Hello-World`. | | `github.repository` | `string` | The owner and repository name. For example, `Codertocat/Hello-World`. |
| `github.repository_owner` | `string` | The repository owner's name. For example, `Codertocat`. | | `github.repository_owner` | `string` | The repository owner's name. For example, `Codertocat`. |
| `github.run_id` | `string` | {% data reusables.github-actions.run_id_description %} | | `github.run_id` | `string` | {% data reusables.github-actions.run_id_description %} |
@@ -148,6 +154,19 @@ The `needs` context contains outputs from all jobs that are defined as a depende
| `needs.<job id>.outputs.<output name>` | `string` | The value of a specific output for a job that the current job depends on. | | `needs.<job id>.outputs.<output name>` | `string` | The value of a specific output for a job that the current job depends on. |
| `needs.<job id>.result` | `string` | The result of a job that the current job depends on. Possible values are `success`, `failure`, `cancelled`, or `skipped`. | | `needs.<job id>.result` | `string` | The result of a job that the current job depends on. Possible values are `success`, `failure`, `cancelled`, or `skipped`. |
{% ifversion fpt or ghec or ghes > 3.3 or ghae-issue-4757 %}
### `inputs` context
The `inputs` context contains information about the inputs of reusable workflow. The inputs are defined in [`workflow_call` event configuration](/actions/learn-github-actions/events-that-trigger-workflows#workflow-reuse-events). These inputs are passed from [`jobs.<job_id>.with`](/actions/learn-github-actions/workflow-syntax-for-github-actions#jobsjob_idwith) in an external workflow.
For more information, see "[Reusing workflows](/actions/learn-github-actions/reusing-workflows)".
| Property name | Type | Description |
|---------------|------|-------------|
| `inputs` | `object` | This context is only available when it is [a reusable workflow](/actions/learn-github-actions/reusing-workflows). |
| `inputs.<name>` | `string` or `number` or `boolean` | Each input value passed from an external workflow. |
{% endif %}
#### Example printing context information to the log file #### Example printing context information to the log file
To inspect the information that is accessible in each context, you can use this workflow file example. To inspect the information that is accessible in each context, you can use this workflow file example.


@@ -68,6 +68,11 @@ We strongly recommend that actions use environment variables to access the files
| `GITHUB_WORKSPACE` | The {% data variables.product.prodname_dotcom %} workspace directory path, initially empty. For example, `/home/runner/work/my-repo-name/my-repo-name`. The [actions/checkout](https://github.com/actions/checkout) action will check out files, by default a copy of your repository, within this directory. | | `GITHUB_WORKSPACE` | The {% data variables.product.prodname_dotcom %} workspace directory path, initially empty. For example, `/home/runner/work/my-repo-name/my-repo-name`. The [actions/checkout](https://github.com/actions/checkout) action will check out files, by default a copy of your repository, within this directory. |
| `GITHUB_SHA` | The commit SHA that triggered the workflow. For example, `ffac537e6cbbf934b08745a378932722df287a53`. | | `GITHUB_SHA` | The commit SHA that triggered the workflow. For example, `ffac537e6cbbf934b08745a378932722df287a53`. |
| `GITHUB_REF` | The branch or tag ref that triggered the workflow. For example, `refs/heads/feature-branch-1`. If neither a branch or tag is available for the event type, the variable will not exist. | | `GITHUB_REF` | The branch or tag ref that triggered the workflow. For example, `refs/heads/feature-branch-1`. If neither a branch or tag is available for the event type, the variable will not exist. |
{%- ifversion fpt or ghec or ghes > 3.3 or ghae-issue-5338 %}
| `GITHUB_REF_NAME` | {% data reusables.actions.ref_name-description %} |
| `GITHUB_REF_PROTECTED` | {% data reusables.actions.ref_protected-description %} |
| `GITHUB_REF_TYPE` | {% data reusables.actions.ref_type-description %} |
{%- endif %}
| `GITHUB_HEAD_REF` | Only set for pull request events. The name of the head branch. | `GITHUB_HEAD_REF` | Only set for pull request events. The name of the head branch.
| `GITHUB_BASE_REF` | Only set for pull request events. The name of the base branch. | `GITHUB_BASE_REF` | Only set for pull request events. The name of the base branch.
| `GITHUB_SERVER_URL`| Returns the URL of the {% data variables.product.product_name %} server. For example: `https://{% data variables.product.product_url %}`. | `GITHUB_SERVER_URL`| Returns the URL of the {% data variables.product.product_name %} server. For example: `https://{% data variables.product.product_url %}`.


@@ -290,15 +290,11 @@ GitHub helps you avoid using third-party software that contains known vulnerabil
|----|----| |----|----|
| Dependabot Alerts | You can track your repository's dependencies and receive Dependabot alerts when your enterprise detects vulnerable dependencies. For more information, see "[About alerts for vulnerable dependencies](/code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/about-alerts-for-vulnerable-dependencies)." | | Dependabot Alerts | You can track your repository's dependencies and receive Dependabot alerts when your enterprise detects vulnerable dependencies. For more information, see "[About alerts for vulnerable dependencies](/code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/about-alerts-for-vulnerable-dependencies)." |
| Dependency Graph | The dependency graph is a summary of the manifest and lock files stored in a repository. It shows you the ecosystems and packages your codebase depends on (its dependencies) and the repositories and packages that depend on your project (its dependents). For more information, see "[About the dependency graph](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph)." |{% ifversion ghes > 3.1 or ghec %} | Dependency Graph | The dependency graph is a summary of the manifest and lock files stored in a repository. It shows you the ecosystems and packages your codebase depends on (its dependencies) and the repositories and packages that depend on your project (its dependents). For more information, see "[About the dependency graph](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph)." |{% ifversion ghes > 3.1 or ghec %}
| Dependency Review | If a pull request contains changes to dependencies, you can view a summary of what has changed and whether there are known vulnerabilities in any of the dependencies. For more information, see "[About dependency review](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review)" or "[Reviewing Dependency Changes in a Pull Request](/github/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/reviewing-dependency-changes-in-a-pull-request)." | {% endif %} {% ifversion ghec %} | Dependency Review | If a pull request contains changes to dependencies, you can view a summary of what has changed and whether there are known vulnerabilities in any of the dependencies. For more information, see "[About dependency review](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review)" or "[Reviewing Dependency Changes in a Pull Request](/github/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/reviewing-dependency-changes-in-a-pull-request)." | {% endif %} {% ifversion ghec or ghes > 3.2 %}
| Dependabot Security Updates | Dependabot can fix vulnerable dependencies for you by raising pull requests with security updates. For more information, see "[About Dependabot security updates](/code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/about-dependabot-security-updates)." | | Dependabot Security Updates | Dependabot can fix vulnerable dependencies for you by raising pull requests with security updates. For more information, see "[About Dependabot security updates](/code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/about-dependabot-security-updates)." |
| Dependabot Version Updates | Dependabot can be used to keep the packages you use updated to the latest versions. For more information, see "[About Dependabot version updates](/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/about-dependabot-version-updates)." | {% endif %} | Dependabot Version Updates | Dependabot can be used to keep the packages you use updated to the latest versions. For more information, see "[About Dependabot version updates](/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/about-dependabot-version-updates)." | {% endif %}
{% note %} {% data reusables.dependabot.beta-security-and-version-updates-onboarding %}
**Note:** Dependabot security updates and version updates are currently only available for {% data variables.product.prodname_ghe_cloud %} and will be available for {% data variables.product.prodname_ghe_server %} as outlined in our [public roadmap](https://github.com/github/roadmap).
{% endnote %}
### Step 8: Establish a remediation process ### Step 8: Establish a remediation process


@@ -110,7 +110,7 @@ For example, you can enable any {% data variables.product.prodname_GH_advanced_s
```shell ```shell
ghe-config app.secret-scanning.enabled false ghe-config app.secret-scanning.enabled false
``` ```
- To disable {% data variables.product.prodname_dependabot %}, enter the following {% ifversion ghes > 3.1 %}command{% else %}commands{% endif %}. - To disable {% data variables.product.prodname_dependabot_alerts %}, enter the following {% ifversion ghes > 3.1 %}command{% else %}commands{% endif %}.
{% ifversion ghes > 3.1 %}```shell {% ifversion ghes > 3.1 %}```shell
ghe-config app.dependency-graph.enabled false ghe-config app.dependency-graph.enabled false
``` ```


@@ -139,7 +139,7 @@ After you enable LDAP sync, a synchronization job will run at the specified time
A synchronization job will also run at the specified time interval to perform the following operations on each team that has been mapped to an LDAP group: A synchronization job will also run at the specified time interval to perform the following operations on each team that has been mapped to an LDAP group:
- If a team's corresponding LDAP group has been removed, remove all members from the team. - If a team's corresponding LDAP group has been removed, remove all members from the team.
- If LDAP member entries have been removed from the LDAP group, remove the corresponding users from the team. If the user loses access to any repositories as a result, delete any private forks the user has of those repositories. - If LDAP member entries have been removed from the LDAP group, remove the corresponding users from the team. If the user is no longer a member of any team in the organization, remove the user from the organization. If the user loses access to any repositories as a result, delete any private forks the user has of those repositories.
- If LDAP member entries have been added to the LDAP group, add the corresponding users to the team. If the user regains access to any repositories as a result, restore any private forks of the repositories that were deleted because the user lost access in the past 90 days. - If LDAP member entries have been added to the LDAP group, add the corresponding users to the team. If the user regains access to any repositories as a result, restore any private forks of the repositories that were deleted because the user lost access in the past 90 days.
{% data reusables.enterprise_user_management.ldap-sync-nested-teams %} {% data reusables.enterprise_user_management.ldap-sync-nested-teams %}


@@ -103,6 +103,8 @@ Before enabling {% data variables.product.prodname_dependabot_alerts %} for your
{% endtip %} {% endtip %}
When you enable {% data variables.product.prodname_dependabot_alerts %}, you should consider also setting up {% data variables.product.prodname_actions %} for {% data variables.product.prodname_dependabot_security_updates %}. This feature allows developers to fix vulnerabilities in their dependencies. For more information, see "[Setting up {% data variables.product.prodname_dependabot %} security and version updates on your enterprise](/admin/github-actions/enabling-github-actions-for-github-enterprise-server/setting-up-dependabot-updates)."
## Viewing vulnerable dependencies on {% data variables.product.product_location %} ## Viewing vulnerable dependencies on {% data variables.product.product_location %}
You can view all vulnerabilities in {% data variables.product.product_location %} and manually sync vulnerability data from {% data variables.product.prodname_dotcom_the_website %} to update the list. You can view all vulnerabilities in {% data variables.product.product_location %} and manually sync vulnerability data from {% data variables.product.prodname_dotcom_the_website %} to update the list.


@@ -0,0 +1,21 @@
---
title: About repository caching
intro: "You can increase the performance of Git read operations for distributed teams and CI farms with repository caching."
versions:
ghes: '>=3.3'
type: overview
topics:
- Enterprise
---
{% data reusables.enterprise.repository-caching-release-phase %}
If you have teams and CI farms located around the world, you may experience reduced performance on your primary {% data variables.product.prodname_ghe_server %} instance. While active geo-replicas can improve the performance of read requests, this comes at the cost of limiting write throughput. To reduce load on your primary instance and improve write throughput performance, you can configure a repository cache, an asynchronous read-only mirror of repositories located near these geographically-distributed clients.
A repository cache eliminates the need for {% data variables.product.product_name %} to transmit the same Git data over a long-haul network link multiple times to serve multiple clients, by serving your repository data close to CI farms and distributed teams. For instance, if your primary instance is in North America and you also have a large presence in Asia, you will benefit from setting up the repository cache in Asia for use by CI runners there.
The repository cache listens to the primary instance, whether that's a single instance or a geo-replicated set of instances, for changes to Git data. CI farms and other read-heavy consumers clone and fetch from the repository cache instead of the primary instance. Changes are propagated across the network, at periodic intervals, once per cache instance rather than once per client. Git data will typically be visible on the repository cache within several minutes after the data is pushed to the primary instance.
You have fine-grained control over which repositories are allowed to sync to the repository cache.
{% data reusables.enterprise.repository-caching-config-summary %} For more information, see "[Configuring a repository cache](/admin/enterprise-management/caching-repositories/configuring-a-repository-cache)."


@@ -0,0 +1,90 @@
---
title: Configuring a repository cache
intro: "You can configure a repository cache by creating a new appliance, connecting the repository cache to your primary appliance, and configuring replication of repository networks to the repository cache."
versions:
ghes: '>=3.3'
type: how_to
topics:
- Enterprise
---
{% data reusables.enterprise.repository-caching-release-phase %}
## About configuration for repository caching
{% data reusables.enterprise.repository-caching-config-summary %} Then, you can set data location policies that govern which repository networks are replicated to the repository cache.
Repository caching is not supported with clustering.
## DNS for repository caches
The primary instance and repository cache should have different DNS names. For example, if your primary instance is at `github.example.com`, you might decide to name a cache `europe-ci.github.example.com` or `github.asia.example.com`.
To have your CI machines fetch from the repository cache instead of the primary instance, you can use Git's `url.<base>.insteadOf` configuration setting. For more information, see [`git-config`](https://git-scm.com/docs/git-config#Documentation/git-config.txt-urlltbasegtinsteadOf) in the Git documentation.
For example, the global `.gitconfig` for the CI machine would include these lines.
```
[url "https://europe-ci.github.example.com/"]
insteadOf = https://github.example.com/
```
Then, when told to fetch `https://github.example.com/myorg/myrepo`, Git will instead fetch from `https://europe-ci.github.example.com/myorg/myrepo`.
## Configuring a repository cache
1. During the beta, you must enable the feature flag for repository caching on your primary {% data variables.product.prodname_ghe_server %} appliance.
```
$ ghe-config cluster.cache-enabled true
```
1. Set up a new {% data variables.product.prodname_ghe_server %} appliance on your desired platform. This appliance will be your repository cache. For more information, see "[Setting up a {% data variables.product.prodname_ghe_server %} instance](/admin/guides/installation/setting-up-a-github-enterprise-server-instance)."
{% data reusables.enterprise_installation.replica-steps %}
1. Connect to the repository cache's IP address using SSH.
```shell
$ ssh -p 122 admin@<em>REPLICA IP</em>
```
{% data reusables.enterprise_installation.generate-replication-key-pair %}
{% data reusables.enterprise_installation.add-ssh-key-to-primary %}
1. To verify the connection to the primary and enable replica mode for the repository cache, run `ghe-repl-setup` again.
```shell
$ ghe-repl-setup <em>PRIMARY IP</em>
```
1. Set a `cache_location` for the repository cache, replacing *CACHE-LOCATION* with an alphanumeric identifier, such as the region where the cache is deployed.
```shell
$ ghe-repl-node --cache <em>CACHE-LOCATION</em>
```
{% data reusables.enterprise_installation.replication-command %}
{% data reusables.enterprise_installation.verify-replication-channel %}
1. To enable replication of repository networks to the repository cache, set a data location policy. For more information, see "[Data location policies](#data-location-policies)."
## Data location policies
You can control data locality by configuring data location policies for your repositories with the `spokesctl cache-policy` command. Data location policies determine which repository networks are replicated on which repository caches. By default, no repository networks will be replicated on any repository caches until a data location policy is configured.
You can configure a policy to replicate all networks with the `--default` flag. For example, this command will create a policy to replicate a single copy of every repository network to the set of repository caches whose `cache_location` is "kansas".
```
$ ghe-spokesctl cache-policy set --default 1 kansas
```
To configure replication for a repository network, specify the repository that is the root of the network. A repository network includes a repository and all of the repository's forks. You cannot replicate part of a network without replicating the whole network.
```
$ ghe-spokesctl cache-policy set <owner/repository> 1 kansas
```
You can override a policy that replicates all networks and exclude specific networks by specifying a replica count of zero for the network. For example, this command specifies that any repository cache in location "kansas" cannot contain any copies of that network.
```
$ ghe-spokesctl cache-policy set <owner/repository> 0 kansas
```
Replica counts greater than one in a given cache location are not supported.


@@ -0,0 +1,13 @@
---
title: Caching repositories
intro: "You can improve performance for your geographically-distributed team with repository caching, which provides read-only mirrors close to your users and CI clients."
versions:
ghes: '>=3.3'
topics:
- Enterprise
children:
- /about-repository-caching
- /configuring-a-repository-cache
---
{% data reusables.enterprise.repository-caching-release-phase %}


@@ -22,7 +22,9 @@ Geo DNS, such as [Amazon's Route 53 service](http://docs.aws.amazon.com/Route53/
## Limitations ## Limitations
Writing requests to the replica requires sending the data to the primary and all replicas. This means that the performance of all writes are limited by the slowest replica, although new geo-replicas can seed the majority of their data from existing co-located geo-replicas, rather than from the primary. Geo-replication will not add capacity to a {% data variables.product.prodname_ghe_server %} instance or solve performance issues related to insufficient CPU or memory resources. If the primary appliance is offline, active replicas will be unable to serve any read or write requests. Writing requests to the replica requires sending the data to the primary and all replicas. This means that the performance of all writes is limited by the slowest replica, although new geo-replicas can seed the majority of their data from existing co-located geo-replicas, rather than from the primary. To reduce the latency and bandwidth caused by distributed teams and large CI farms without impacting write throughput, you can configure repository caching instead. For more information, see "[About repository caching](/admin/enterprise-management/caching-repositories/about-repository-caching)."
Geo-replication will not add capacity to a {% data variables.product.prodname_ghe_server %} instance or solve performance issues related to insufficient CPU or memory resources. If the primary appliance is offline, active replicas will be unable to serve any read or write requests.
{% data reusables.enterprise_installation.replica-limit %} {% data reusables.enterprise_installation.replica-limit %}


@@ -29,6 +29,7 @@ Use a high availability configuration for protection against:
A high availability configuration is not a good solution for: A high availability configuration is not a good solution for:
- **Scaling-out**. While you can distribute traffic geographically using geo-replication, the performance of writes is limited to the speed and availability of the primary appliance. For more information, see "[About geo-replication](/enterprise/{{ currentVersion }}/admin/guides/installation/about-geo-replication/)." - **Scaling-out**. While you can distribute traffic geographically using geo-replication, the performance of writes is limited to the speed and availability of the primary appliance. For more information, see "[About geo-replication](/enterprise/{{ currentVersion }}/admin/guides/installation/about-geo-replication/)."
- **CI/CD load**. If you have a large number of CI clients that are geographically distant from your primary instance, you may benefit from configuring a repository cache. For more information, see "[About repository caching](/admin/enterprise-management/caching-repositories/about-repository-caching)."
- **Backing up your primary appliance**. A high availability replica does not replace off-site backups in your disaster recovery plan. Some forms of data corruption or loss may be replicated immediately from the primary to the replica. To ensure safe rollback to a stable past state, you must perform regular backups with historical snapshots. - **Backing up your primary appliance**. A high availability replica does not replace off-site backups in your disaster recovery plan. Some forms of data corruption or loss may be replicated immediately from the primary to the replica. To ensure safe rollback to a stable past state, you must perform regular backups with historical snapshots.
- **Zero downtime upgrades**. To prevent data loss and split-brain situations in controlled promotion scenarios, place the primary appliance in maintenance mode and wait for all writes to complete before promoting the replica. - **Zero downtime upgrades**. To prevent data loss and split-brain situations in controlled promotion scenarios, place the primary appliance in maintenance mode and wait for all writes to complete before promoting the replica.


@@ -20,30 +20,19 @@ shortTitle: Create HA replica
1. Set up a new {% data variables.product.prodname_ghe_server %} appliance on your desired platform. The replica appliance should mirror the primary appliance's CPU, RAM, and storage settings. We recommend that you install the replica appliance in an independent environment. The underlying hardware, software, and network components should be isolated from those of the primary appliance. If you are a using a cloud provider, use a separate region or zone. For more information, see ["Setting up a {% data variables.product.prodname_ghe_server %} instance"](/enterprise/{{ currentVersion }}/admin/guides/installation/setting-up-a-github-enterprise-server-instance). 1. Set up a new {% data variables.product.prodname_ghe_server %} appliance on your desired platform. The replica appliance should mirror the primary appliance's CPU, RAM, and storage settings. We recommend that you install the replica appliance in an independent environment. The underlying hardware, software, and network components should be isolated from those of the primary appliance. If you are a using a cloud provider, use a separate region or zone. For more information, see ["Setting up a {% data variables.product.prodname_ghe_server %} instance"](/enterprise/{{ currentVersion }}/admin/guides/installation/setting-up-a-github-enterprise-server-instance).
2. In a browser, navigate to the new replica appliance's IP address and upload your {% data variables.product.prodname_enterprise %} license. 2. In a browser, navigate to the new replica appliance's IP address and upload your {% data variables.product.prodname_enterprise %} license.
3. Set an admin password that matches the password on the primary appliance and continue. {% data reusables.enterprise_installation.replica-steps %}
4. Click **Configure as Replica**.
![Installation options with link to configure your new instance as a replica](/assets/images/enterprise/management-console/configure-as-replica.png)
5. Under "Add new SSH key", type your SSH key.
![Add SSH key](/assets/images/enterprise/management-console/add-ssh-key.png)
6. Click **Add key**, then click **Continue**.
6. Connect to the replica appliance's IP address using SSH. 6. Connect to the replica appliance's IP address using SSH.
```shell ```shell
$ ssh -p 122 admin@<em>REPLICA IP</em> $ ssh -p 122 admin@<em>REPLICA IP</em>
``` ```
7. To generate a key pair for replication, use the `ghe-repl-setup` command with the primary appliance's IP address and copy the public key that it returns. {% data reusables.enterprise_installation.generate-replication-key-pair %}
```shell
$ ghe-repl-setup <em>PRIMARY IP</em>
```
{% data reusables.enterprise_installation.add-ssh-key-to-primary %} {% data reusables.enterprise_installation.add-ssh-key-to-primary %}
9. To verify the connection to the primary and enable replica mode for the new replica, run `ghe-repl-setup` again. 9. To verify the connection to the primary and enable replica mode for the new replica, run `ghe-repl-setup` again.
```shell ```shell
$ ghe-repl-setup <em>PRIMARY IP</em> $ ghe-repl-setup <em>PRIMARY IP</em>
``` ```
{% data reusables.enterprise_installation.replication-command %} {% data reusables.enterprise_installation.replication-command %}
11. To verify the status of each datastore's replication channel, use the `ghe-repl-status` command. {% data reusables.enterprise_installation.verify-replication-channel %}
```shell
$ ghe-repl-status
```
## Creating geo-replication replicas ## Creating geo-replication replicas


@@ -12,6 +12,7 @@ children:
- /updating-the-virtual-machine-and-physical-resources - /updating-the-virtual-machine-and-physical-resources
- /configuring-clustering - /configuring-clustering
- /configuring-high-availability - /configuring-high-availability
- /caching-repositories
shortTitle: 'Monitor, manage & update' shortTitle: 'Monitor, manage & update'
--- ---


@@ -148,3 +148,30 @@ If any of these services are at or near 100% CPU utilization, or the memory is n
When running `ghe-config-apply`, if you see output like `Failed to run nomad job '/etc/nomad-jobs/<name>.hcl'`, then the change has likely over-allocated CPU or memory resources. If this happens, edit the configuration files again and lower the allocated CPU or memory, then re-run `ghe-config-apply`. When running `ghe-config-apply`, if you see output like `Failed to run nomad job '/etc/nomad-jobs/<name>.hcl'`, then the change has likely over-allocated CPU or memory resources. If this happens, edit the configuration files again and lower the allocated CPU or memory, then re-run `ghe-config-apply`.
1. After the configuration is applied, run `ghe-actions-check` to verify that the {% data variables.product.prodname_actions %} services are operational. 1. After the configuration is applied, run `ghe-actions-check` to verify that the {% data variables.product.prodname_actions %} services are operational.
## Troubleshooting failures when {% data variables.product.prodname_dependabot %} triggers existing workflows
{% data reusables.dependabot.beta-security-and-version-updates %}
After you set up {% data variables.product.prodname_dependabot %} updates for {% data variables.product.product_location %}, you may see failures when existing workflows are triggered by {% data variables.product.prodname_dependabot %} events.
By default, {% data variables.product.prodname_actions %} workflow runs that are triggered by {% data variables.product.prodname_dependabot %} from `push`, `pull_request`, `pull_request_review`, or `pull_request_review_comment` events are treated as if they were opened from a repository fork. Unlike workflows triggered by other actors, this means they receive a read-only `GITHUB_TOKEN` and do not have access to any secrets that are normally available. This will cause any workflows that attempt to write to the repository to fail when they are triggered by {% data variables.product.prodname_dependabot %}.
There are three ways to resolve this problem:
1. You can update your workflows so that they are no longer triggered by {% data variables.product.prodname_dependabot %} using an expression like: `if: github.actor != 'dependabot[bot]'`. For more information, see "[Expressions](/actions/learn-github-actions/expressions)."
2. You can modify your workflows to use a two-step process that includes `pull_request_target` which does not have these limitations. For more information, see "[Automating {% data variables.product.prodname_dependabot %} with {% data variables.product.prodname_actions %}](/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/automating-dependabot-with-github-actions#responding-to-events)."
3. You can provide workflows triggered by {% data variables.product.prodname_dependabot %} access to secrets and allow the `permissions` term to increase the default scope of the `GITHUB_TOKEN`. For more information, see "[Providing workflows triggered by{% data variables.product.prodname_dependabot %} access to secrets and increased permissions](#providing-workflows-triggered-by-dependabot-access-to-secrets-and-increased-permissions)" below.
### Providing workflows triggered by {% data variables.product.prodname_dependabot %} access to secrets and increased permissions
1. Log in to the administrative shell using SSH. For more information, see "[Accessing the administrative shell (SSH)](/admin/configuration/accessing-the-administrative-shell-ssh)."
1. To remove the limitations on workflows triggered by {% data variables.product.prodname_dependabot %} on {% data variables.product.product_location %}, use the following command.
``` shell
$ ghe-config app.actions.disable-dependabot-enforcement true
```
1. Apply the configuration.
```shell
$ ghe-config-apply
```
1. Return to {% data variables.product.prodname_ghe_server %}.


@@ -10,6 +10,7 @@ children:
- /enabling-github-actions-with-azure-blob-storage - /enabling-github-actions-with-azure-blob-storage
- /enabling-github-actions-with-amazon-s3-storage - /enabling-github-actions-with-amazon-s3-storage
- /enabling-github-actions-with-minio-gateway-for-nas-storage - /enabling-github-actions-with-minio-gateway-for-nas-storage
- /setting-up-dependabot-updates
shortTitle: Enable GitHub Actions shortTitle: Enable GitHub Actions
--- ---


@@ -0,0 +1,77 @@
---
title: Setting up Dependabot security and version updates on your enterprise
intro: 'You can create dedicated runners for {% data variables.product.product_location %} that {% data variables.product.prodname_dependabot %} uses to create pull requests to help secure and maintain the dependencies used in repositories on your enterprise.'
allowTitleToDifferFromFilename: true
miniTocMaxHeadingLevel: 3
versions:
ghes: '> 3.2'
topics:
- Enterprise
- Security
- Dependabot
- Dependencies
shortTitle: Set up Dependabot updates
---
{% data reusables.dependabot.beta-security-and-version-updates %}
{% tip %}
**Tip**: If {% data variables.product.product_location %} uses clustering, you cannot set up {% data variables.product.prodname_dependabot %} security and version updates as {% data variables.product.prodname_actions %} are not supported in cluster mode.
{% endtip %}
## About {% data variables.product.prodname_dependabot %} updates
When you set up {% data variables.product.prodname_dependabot %} security and version updates for {% data variables.product.product_location %}, users can configure repositories so that their dependencies are updated and kept secure automatically. This is an important step in helping developers create and maintain secure code.
Users can set up {% data variables.product.prodname_dependabot %} to create pull requests to update their dependencies using two features.
- **{% data variables.product.prodname_dependabot_version_updates %}**: Users add a {% data variables.product.prodname_dependabot %} configuration file to the repository to enable {% data variables.product.prodname_dependabot %} to create pull requests when a new version of a tracked dependency is released. For more information, see "[About {% data variables.product.prodname_dependabot_version_updates %}](/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/about-dependabot-version-updates)."
- **{% data variables.product.prodname_dependabot_security_updates %}**: Users toggle a repository setting to enable {% data variables.product.prodname_dependabot %} to create pull requests when {% data variables.product.prodname_dotcom %} detects a vulnerability in one of the dependencies of the dependency graph for the repository. For more information, see "[About alerts for vulnerable dependencies](/code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/about-alerts-for-vulnerable-dependencies)" and "[About {% data variables.product.prodname_dependabot_security_updates %}](/code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/about-dependabot-security-updates)."
## Prerequisites for {% data variables.product.prodname_dependabot %} updates
Both types of {% data variables.product.prodname_dependabot %} update have the following requirements.
- Configure {% data variables.product.product_location %} to use {% data variables.product.prodname_actions %}. For more information, see "[Getting started with {% data variables.product.prodname_actions %} for GitHub Enterprise Server](/admin/github-actions/enabling-github-actions-for-github-enterprise-server/getting-started-with-github-actions-for-github-enterprise-server)."
- Set up one or more {% data variables.product.prodname_actions %} self-hosted runners for {% data variables.product.prodname_dependabot %}. For more information, see "[Setting up self-hosted runners for {% data variables.product.prodname_dependabot %} updates](#setting-up-self-hosted-runners-for-dependabot-updates)" below.
Additionally, {% data variables.product.prodname_dependabot_security_updates %} rely on the dependency graph, vulnerability data from {% data variables.product.prodname_github_connect %}, and {% data variables.product.prodname_dependabot_alerts %}. These features must be enabled on {% data variables.product.product_location %}. For more information, see "[Enabling the dependency graph and {% data variables.product.prodname_dependabot %} alerts on your enterprise account](/admin/configuration/managing-connections-between-your-enterprise-accounts/enabling-the-dependency-graph-and-dependabot-alerts-on-your-enterprise-account)."
## Setting up self-hosted runners for {% data variables.product.prodname_dependabot %} updates
When you have configured {% data variables.product.product_location %} to use {% data variables.product.prodname_actions %}, you need to add self-hosted runners for {% data variables.product.prodname_dependabot %} updates. For more information, see "[Getting started with {% data variables.product.prodname_actions %} for GitHub Enterprise Server](/admin/github-actions/enabling-github-actions-for-github-enterprise-server/getting-started-with-github-actions-for-github-enterprise-server)."
### System requirements for {% data variables.product.prodname_dependabot %} runners
Any VM that you use for {% data variables.product.prodname_dependabot %} runners must meet the requirements for self-hosted runners. In addition, they must meet the following requirements.
- Linux operating system
- The following dependencies installed:
- Docker running as the same user as the self-hosted runner application
- Git
The CPU and memory requirements will depend on the number of concurrent runners you deploy on a given VM. As guidance, we have successfully set up 20 runners on a single 2 CPU 8GB machine, but ultimately, your CPU and memory requirements will heavily depend on the repositories being updated. Some ecosystems will require more resources than others.
If you specify more than 14 concurrent runners on a VM, you must also update the Docker `/etc/docker/daemon.json` configuration to increase the default number of networks Docker can create.
```
{
"default-address-pools": [
{"base":"10.10.0.0/16","size":24}
]
}
```
### Network requirements for {% data variables.product.prodname_dependabot %} runners
{% data variables.product.prodname_dependabot %} runners require access to the public internet, {% data variables.product.prodname_dotcom_the_website %}, and any internal registries that will be used in {% data variables.product.prodname_dependabot %} updates. To minimize the risk to your internal network, you should limit access from the Virtual Machine (VM) to your internal network. This reduces the potential for damage to internal systems if a runner were to download a hijacked dependency.
### Adding self-hosted runners for {% data variables.product.prodname_dependabot %} updates
1. Provision self-hosted runners, at the repository, organization, or enterprise account level. For more information, see "[About self-hosted runners](/actions/hosting-your-own-runners/about-self-hosted-runners)" and "[Adding self-hosted runners](/actions/hosting-your-own-runners/adding-self-hosted-runners)."
2. Verify that the self-hosted runners meet the requirements for {% data variables.product.prodname_dependabot %} before assigning a `dependabot` label to each runner you want {% data variables.product.prodname_dependabot %} to use. For more information, see "[Using labels with self-hosted runners](/actions/hosting-your-own-runners/using-labels-with-self-hosted-runners#assigning-a-label-to-a-self-hosted-runner)."
3. Optionally, enable workflows triggered by {% data variables.product.prodname_dependabot %} to use more than read-only permissions and to have access to any secrets that are normally available. For more information, see "[Troubleshooting {% data variables.product.prodname_actions %} for your enterprise](/admin/github-actions/advanced-configuration-and-troubleshooting/troubleshooting-github-actions-for-your-enterprise#enabling-workflows-triggered-by-dependabot-access-to-dependabot-secrets-and-increased-permissions)."


@@ -18,7 +18,6 @@ shortTitle: Use GitHub Connect for actions
{% data reusables.actions.enterprise-beta %} {% data reusables.actions.enterprise-beta %}
{% data reusables.actions.enterprise-github-hosted-runners %} {% data reusables.actions.enterprise-github-hosted-runners %}
{% data reusables.actions.enterprise-github-connect-warning %}
By default, {% data variables.product.prodname_actions %} workflows on {% data variables.product.product_name %} cannot use actions directly from {% data variables.product.prodname_dotcom_the_website %} or [{% data variables.product.prodname_marketplace %}](https://github.com/marketplace?type=actions). By default, {% data variables.product.prodname_actions %} workflows on {% data variables.product.product_name %} cannot use actions directly from {% data variables.product.prodname_dotcom_the_website %} or [{% data variables.product.prodname_marketplace %}](https://github.com/marketplace?type=actions).
@@ -26,6 +25,8 @@ To make all actions from {% data variables.product.prodname_dotcom_the_website %
## Enabling automatic access to all {% data variables.product.prodname_dotcom_the_website %} actions ## Enabling automatic access to all {% data variables.product.prodname_dotcom_the_website %} actions
{% data reusables.actions.enterprise-github-connect-warning %}
Before enabling access to all actions from {% data variables.product.prodname_dotcom_the_website %} on your enterprise instance, you must connect your enterprise to {% data variables.product.prodname_dotcom_the_website %}. For more information, see "[Connecting your enterprise to {% data variables.product.prodname_ghe_cloud %}](/admin/configuration/managing-connections-between-your-enterprise-accounts/connecting-your-enterprise-account-to-github-enterprise-cloud)." Before enabling access to all actions from {% data variables.product.prodname_dotcom_the_website %} on your enterprise instance, you must connect your enterprise to {% data variables.product.prodname_dotcom_the_website %}. For more information, see "[Connecting your enterprise to {% data variables.product.prodname_ghe_cloud %}](/admin/configuration/managing-connections-between-your-enterprise-accounts/connecting-your-enterprise-account-to-github-enterprise-cloud)."
{% data reusables.enterprise-accounts.access-enterprise %} {% data reusables.enterprise-accounts.access-enterprise %}
@@ -41,3 +42,27 @@ Before enabling access to all actions from {% data variables.product.prodname_do
![Drop-down menu to actions from GitHub.com in workflows runs](/assets/images/enterprise/site-admin-settings/enable-marketplace-actions-drop-down.png) ![Drop-down menu to actions from GitHub.com in workflows runs](/assets/images/enterprise/site-admin-settings/enable-marketplace-actions-drop-down.png)
{%- endif %} {%- endif %}
1. {% data reusables.actions.enterprise-limit-actions-use %} 1. {% data reusables.actions.enterprise-limit-actions-use %}
{% ifversion ghes > 3.2 or ghae-issue-4815 %}
## Automatic retirement of namespaces for actions accessed on {% data variables.product.prodname_dotcom_the_website %}
When you enable {% data variables.product.prodname_github_connect %}, users see no change in behavior for existing workflows because {% data variables.product.prodname_actions %} searches {% data variables.product.product_location %} for each action before falling back to {% data variables.product.prodname_dotcom_the_website%}. This ensures that any custom versions of actions your enterprise has created are used in preference to their counterparts on {% data variables.product.prodname_dotcom_the_website%}.
Automatic retirement of namespaces for actions accessed on {% data variables.product.prodname_dotcom_the_website %} blocks the potential for a man-in-the-middle attack by a malicious user with access to {% data variables.product.product_location %}. When an action on {% data variables.product.prodname_dotcom_the_website %} is used for the first time, that namespace is retired in {% data variables.product.product_location %}. This blocks any user creating an organization and repository in your enterprise that matches that organization and repository name on {% data variables.product.prodname_dotcom_the_website %}. This ensures that when a workflow runs, the intended action is always run.
After using an action from {% data variables.product.prodname_dotcom_the_website %}, if you want to create an action in {% data variables.product.product_location %} with the same name, first you need to make the namespace for that organization and repository available.
{% data reusables.enterprise_site_admin_settings.access-settings %}
2. In the left sidebar, under **Site admin** click **Retired namespaces**.
3. Locate the namespace that you want use in {% data variables.product.product_location %} and click **Unretire**.
![Unretire namespace](/assets/images/enterprise/site-admin-settings/unretire-namespace.png)
4. Go to the relevant organization and create a new repository.
{% tip %}
**Tip:** When you unretire a namespace, always create the new repository with that name as soon as possible. If a workflow calls the associated action on {% data variables.product.prodname_dotcom_the_website %} before you create the local repository, the namespace will be retired again. For actions used in workflows that run frequently, you may find that a namespace is retired again before you have time to create the local repository. In this case, you can temporarily disable the relevant workflows until you have created the new repository.
{% endtip %}
{% endif %}


@@ -34,6 +34,14 @@ If your machine has access to both systems at the same time, you can do the sync
The `actions-sync` tool can only download actions from {% data variables.product.prodname_dotcom_the_website %} that are stored in public repositories. The `actions-sync` tool can only download actions from {% data variables.product.prodname_dotcom_the_website %} that are stored in public repositories.
{% ifversion ghes > 3.2 or ghae-issue-4815 %}
{% note %}
**Note:** The `actions-sync` tool is intended for use in systems where {% data variables.product.prodname_github_connect %} is not enabled. If you run the tool on a system with {% data variables.product.prodname_github_connect %} enabled, you may see the error `The repository <repo_name> has been retired and cannot be reused`. This indicates that a workflow has used that action directly on {% data variables.product.prodname_dotcom_the_website %} and the namespace is retired on {% data variables.product.product_location %}. For more information, see "[Automatic retirement of namespaces for actions accessed on {% data variables.product.prodname_dotcom_the_website%}](/admin/github-actions/managing-access-to-actions-from-githubcom/enabling-automatic-access-to-githubcom-actions-using-github-connect#automatic-retirement-of-namespaces-for-actions-accessed-on-githubcom)."
{% endnote %}
{% endif %}
## Prerequisites ## Prerequisites
* Before using the `actions-sync` tool, you must ensure that all destination organizations already exist in your enterprise. The following example demonstrates how to sync actions to an organization named `synced-actions`. For more information, see "[Creating a new organization from scratch](/organizations/collaborating-with-groups-in-organizations/creating-a-new-organization-from-scratch)." * Before using the `actions-sync` tool, you must ensure that all destination organizations already exist in your enterprise. The following example demonstrates how to sync actions to an organization named `synced-actions`. For more information, see "[Creating a new organization from scratch](/organizations/collaborating-with-groups-in-organizations/creating-a-new-organization-from-scratch)."


@@ -47,3 +47,11 @@ Once {% data variables.product.prodname_github_connect %} is configured, you can
![View code link](/assets/images/enterprise/site-admin-settings/exit-admin-page-for-repository.png) ![View code link](/assets/images/enterprise/site-admin-settings/exit-admin-page-for-repository.png)
1. Configure your workflow's YAML to use `actions/checkout@v2`. 1. Configure your workflow's YAML to use `actions/checkout@v2`.
1. Each time your workflow runs, the runner will use the `v2` version of `actions/checkout` from {% data variables.product.prodname_dotcom_the_website %}. 1. Each time your workflow runs, the runner will use the `v2` version of `actions/checkout` from {% data variables.product.prodname_dotcom_the_website %}.
{% ifversion ghes > 3.2 or ghae-issue-4815 %}
{% note %}
**Note:** The first time the `checkout` action is used from {% data variables.product.prodname_dotcom_the_website %}, the `actions/checkout` namespace is automatically retired on {% data variables.product.product_location %}. If you ever want to revert to using a local copy of the action, you first need to remove the namespace from retirement. For more information, see "[Automatic retirement of namespaces for actions accessed on {% data variables.product.prodname_dotcom_the_website%}](/admin/github-actions/managing-access-to-actions-from-githubcom/enabling-automatic-access-to-githubcom-actions-using-github-connect#automatic-retirement-of-namespaces-for-actions-accessed-on-githubcom)."
{% endnote %}
{% endif %}


@@ -19,7 +19,9 @@ shortTitle: Enable Packages with MinIO
- Make sure to configure the bucket you'll want to use in the future. We do not recommend changing your storage after you start using {% data variables.product.prodname_registry %}. - Make sure to configure the bucket you'll want to use in the future. We do not recommend changing your storage after you start using {% data variables.product.prodname_registry %}.
{% endwarning %} {% endwarning %}
## Prerequisites ## Prerequisites
Before you can enable and configure {% data variables.product.prodname_registry %} on {% data variables.product.product_location_enterprise %}, you need to prepare your MinIO storage bucket. To help you quickly set up a MinIO bucket and navigate MinIO's customization options, see the "[Quickstart for configuring your MinIO storage bucket for {% data variables.product.prodname_registry %}](/admin/packages/quickstart-for-configuring-your-minio-storage-bucket-for-github-packages)." Before you can enable and configure {% data variables.product.prodname_registry %} on {% data variables.product.product_location_enterprise %}, you need to prepare your MinIO storage bucket. To help you quickly set up a MinIO bucket and navigate MinIO's customization options, see the "[Quickstart for configuring your MinIO storage bucket for {% data variables.product.prodname_registry %}](/admin/packages/quickstart-for-configuring-your-minio-storage-bucket-for-github-packages)."
Ensure your MinIO external storage access key ID and secret have these permissions: Ensure your MinIO external storage access key ID and secret have these permissions:


@@ -0,0 +1,39 @@
---
title: Impersonating a user
intro: 'You can impersonate users and perform actions on their behalf, for troubleshooting, unblocking, and other legitimate reasons.'
permissions: 'Enterprise owners can impersonate users within their enterprise.'
versions:
ghes: '>3.2'
type: how_to
topics:
- Administrator
- Enterprise
- User account
shortTitle: Impersonate a user
---
## About user impersonation
If you need to temporarily take over a user account, for example when troubleshooting a user problem, or when the user is unavailable and urgent action is required, you can start an impersonation session to act on their behalf.
For each impersonation session, you need to provide a reason for the impersonation. A session is limited to one hour, and you will have the same access as the user being impersonated.
Actions you perform during an impersonation session are recorded as events in the enterprise audit log, as well as the impersonated user's security log. The person being impersonated is sent an email notification when the impersonation session starts. For more information, see "[Audited actions](/admin/user-management/monitoring-activity-in-your-enterprise/audited-actions)" and "[Reviewing your security log](/authentication/keeping-your-account-and-data-secure/reviewing-your-security-log)."
## Impersonating a user
{% data reusables.enterprise_site_admin_settings.access-settings %}
{% data reusables.enterprise_site_admin_settings.search-user %}
{% data reusables.enterprise_site_admin_settings.click-user %}
4. In the top left of the page, click **User info**.
![User info](/assets/images/enterprise/stafftools/user-info.png)
5. Under "Danger Zone", click **Sign in to GitHub as @username**
![Impersonate user](/assets/images/enterprise/stafftools/impersonate.png)
6. Select a reason from the dropdown list. If you select **Other** you will need to provide additional context in the **Notes** section. Click **Begin impersonation** to begin the session.
![Impersonation reason](/assets/images/enterprise/stafftools/impersonation-reason.png)
7. When you are ready to end the impersonation session, click the **Return to your mundane life as username** banner at the top of the page.
![End impersonation](/assets/images/enterprise/stafftools/end-impersonation.png)


@@ -26,6 +26,7 @@ children:
- /viewing-people-in-your-enterprise - /viewing-people-in-your-enterprise
- /viewing-and-managing-a-users-saml-access-to-your-enterprise - /viewing-and-managing-a-users-saml-access-to-your-enterprise
- /auditing-users-across-your-enterprise - /auditing-users-across-your-enterprise
- /impersonating-a-user
- /managing-dormant-users - /managing-dormant-users
- /suspending-and-unsuspending-users - /suspending-and-unsuspending-users
- /placing-a-legal-hold-on-a-user-or-organization - /placing-a-legal-hold-on-a-user-or-organization
@@ -34,4 +35,3 @@ children:
- /rebuilding-contributions-data - /rebuilding-contributions-data
shortTitle: Manage users shortTitle: Manage users
--- ---


@@ -6,8 +6,9 @@ redirect_from:
- /enterprise/admin/articles/determining-whether-a-user-account-is-dormant/ - /enterprise/admin/articles/determining-whether-a-user-account-is-dormant/
- /enterprise/admin/user-management/managing-dormant-users - /enterprise/admin/user-management/managing-dormant-users
- /admin/user-management/managing-dormant-users - /admin/user-management/managing-dormant-users
intro: 'A user account is considered to be dormant if it has not been active for at least a month.{% ifversion ghes %} You may choose to suspend dormant users to free up user licenses.{% endif %}' intro: '{% data reusables.enterprise-accounts.dormant-user-activity-threshold %}'
versions: versions:
ghec: '*'
ghes: '*' ghes: '*'
ghae: '*' ghae: '*'
type: how_to type: how_to
@@ -16,16 +17,12 @@ topics:
- Enterprise - Enterprise
- Licensing - Licensing
--- ---
"Activity" includes, but is not limited to: {% data reusables.enterprise-accounts.dormant-user-activity %}
- Signing in to {% data variables.product.product_name %}.
- Commenting on issues and pull requests.
- Creating, deleting, watching, and starring repositories.
- Pushing commits.{% ifversion ghes or ghae %}
- Accessing resources by using a personal access token or SSH key.{% endif %}
{% ifversion ghes or ghae%}
## Viewing dormant users ## Viewing dormant users
You can view a list of all dormant users who have not been suspended and who are not site administrators. {% data reusables.enterprise-accounts.viewing-dormant-users %}
{% data reusables.enterprise_site_admin_settings.access-settings %} {% data reusables.enterprise_site_admin_settings.access-settings %}
3. In the left sidebar, click **Dormant users**. 3. In the left sidebar, click **Dormant users**.
@@ -47,11 +44,29 @@ You can view a list of all dormant users who have not been suspended and who are
{% data reusables.enterprise_site_admin_settings.dormancy-threshold %} {% data reusables.enterprise_site_admin_settings.dormancy-threshold %}
{% data reusables.enterprise-accounts.access-enterprise %} {% data reusables.enterprise-accounts.access-enterprise %}
{% ifversion ghes or ghae %}
{% data reusables.enterprise-accounts.policies-tab %} {% data reusables.enterprise-accounts.policies-tab %}
{% else %}
{% data reusables.enterprise-accounts.settings-tab %} {% data reusables.enterprise-accounts.settings-tab %}
{% endif %}
{% data reusables.enterprise-accounts.options-tab %} {% data reusables.enterprise-accounts.options-tab %}
4. Under "Dormancy threshold", use the drop-down menu, and click the desired dormancy threshold. 4. Under "Dormancy threshold", use the drop-down menu, and click the desired dormancy threshold.
![The Dormancy threshold drop-down menu](/assets/images/enterprise/site-admin-settings/dormancy-threshold-menu.png) ![The Dormancy threshold drop-down menu](/assets/images/enterprise/site-admin-settings/dormancy-threshold-menu.png)
{% endif %}
{% ifversion ghec %}
{% data reusables.enterprise-accounts.dormant-user-release-phase %}
{% warning %}
**Note:** During the private beta, ongoing improvements to the report download feature may limit its availability.
{% endwarning %}
## Downloading the dormant users report from your enterprise account
{% data reusables.enterprise-accounts.access-enterprise %}
{% data reusables.enterprise-accounts.enterprise-accounts-compliance-tab %}
1. To download your Dormant Users (beta) report as a CSV file, under "Other", click {% octicon "download" aria-label="The Download icon" %} **Download**.
![Download button under "Other" on the Compliance page](/assets/images/help/business-accounts/dormant-users-download-button.png)
{% endif %}


@@ -38,6 +38,10 @@ You can view {% ifversion ghec %}all the {% data variables.product.prodname_ghe_
{% ifversion ghec %}1. Optionally, to view a list of pending invitations, click **_NUMBER_ pending**. {% ifversion ghec %}1. Optionally, to view a list of pending invitations, click **_NUMBER_ pending**.
!["NUMBER pending" button to the right of search and filter options](/assets/images/help/enterprises/members-pending.png){% endif %} !["NUMBER pending" button to the right of search and filter options](/assets/images/help/enterprises/members-pending.png){% endif %}
## Viewing dormant users
You can view a list of all dormant users {% ifversion ghes or ghae %} who have not been suspended and {% endif %}who are not site administrators. {% data reusables.enterprise-accounts.dormant-user-activity-threshold %} For more information, see "[Managing dormant users](/admin/user-management/managing-users-in-your-enterprise/managing-dormant-users)."
## Further reading ## Further reading
- "[Roles in an enterprise](/admin/user-management/managing-users-in-your-enterprise/roles-in-an-enterprise)" - "[Roles in an enterprise](/admin/user-management/managing-users-in-your-enterprise/roles-in-an-enterprise)"


@@ -159,8 +159,9 @@ Action | Description
Action | Description Action | Description
----------------------------- | ----------------------------------------------- ----------------------------- | -----------------------------------------------
`staff.disable_repo` | A site admin disabled access to a repository and all of its forks. `staff.disable_repo` | A site admin disabled access to a repository and all of its forks.
`staff.enable_repo` | A site admin re-enabled access to a repository and all of its forks. `staff.enable_repo` | A site admin re-enabled access to a repository and all of its forks.{% ifversion ghes > 3.2 %}
`staff.fake_login` | A site admin signed into {% data variables.product.product_name %} as another user. `staff.exit_fake_login` | A site admin ended an impersonation session on {% data variables.product.product_name %}.
`staff.fake_login` | A site admin signed into {% data variables.product.product_name %} as another user.{% endif %}
`staff.repo_unlock` | A site admin unlocked (temporarily gained full access to) one of a user's private repositories. `staff.repo_unlock` | A site admin unlocked (temporarily gained full access to) one of a user's private repositories.
`staff.unlock` | A site admin unlocked (temporarily gained full access to) all of a user's private repositories. `staff.unlock` | A site admin unlocked (temporarily gained full access to) all of a user's private repositories.
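Review bot: The `{% ifversion ghes > 3.2 %}` opened at the end of the `staff.enable_repo` row now encloses the existing `staff.fake_login` row as well as the new `staff.exit_fake_login` row, so `staff.fake_login` is no longer listed for any version outside GHES > 3.2. The old side documented that event unconditionally, which suggests it is also emitted on those versions; administrators who search the audit log for impersonation sessions there would lose the event name. If only the exit event is new, close the condition after that row, `staff.exit_fake_login | A site admin ended an impersonation session on {% data variables.product.product_name %}.{% endif %}`, and leave the `staff.fake_login` row ungated as before. Whether earlier releases really record `staff.fake_login` cannot be confirmed from this hunk and should be checked before merging.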


@@ -58,7 +58,7 @@ You can delete unauthorized (or possibly compromised) SSH keys to ensure that an
{% endtip %} {% endtip %}
4. Open Git Bash. If you're using Git Shell, which is included in {% data variables.product.prodname_desktop %}, open Git Shell and skip to step 6. 4. Open Git Bash.
5. {% data reusables.desktop.windows_git_bash_turn_on_ssh_agent %} 5. {% data reusables.desktop.windows_git_bash_turn_on_ssh_agent %}


@@ -49,7 +49,7 @@ Repository administrators can enforce required commit signing on a branch to blo
{% data reusables.identity-and-permissions.verification-status-check %} {% data reusables.identity-and-permissions.verification-status-check %}
{% ifversion fpt or ghec %} {% ifversion fpt or ghec %}
{% data variables.product.product_name %} will automatically use GPG to sign commits you make using the {% data variables.product.product_name %} web interface, except for when you squash and merge a pull request that you are not the author of. Commits signed by {% data variables.product.product_name %} will have a verified status on {% data variables.product.product_name %}. You can verify the signature locally using the public key available at https://github.com/web-flow.gpg. The full fingerprint of the key is `5DE3 E050 9C47 EA3C F04A 42D3 4AEE 18F8 3AFD EB23`. You can optionally choose to have {% data variables.product.product_name %} sign commits you make in {% data variables.product.prodname_codespaces %}. For more information about enabling GPG verification for your codespaces, see "[Managing GPG verification for {% data variables.product.prodname_codespaces %}](/github/developing-online-with-codespaces/managing-gpg-verification-for-codespaces)." {% data variables.product.product_name %} will automatically use GPG to sign commits you make using the {% data variables.product.product_name %} web interface. Commits signed by {% data variables.product.product_name %} will have a verified status on {% data variables.product.product_name %}. You can verify the signature locally using the public key available at https://github.com/web-flow.gpg. The full fingerprint of the key is `5DE3 E050 9C47 EA3C F04A 42D3 4AEE 18F8 3AFD EB23`. You can optionally choose to have {% data variables.product.product_name %} sign commits you make in {% data variables.product.prodname_codespaces %}. For more information about enabling GPG verification for your codespaces, see "[Managing GPG verification for {% data variables.product.prodname_codespaces %}](/github/developing-online-with-codespaces/managing-gpg-verification-for-codespaces)."
{% endif %} {% endif %}
## GPG commit signature verification ## GPG commit signature verification


@@ -22,7 +22,7 @@ The `-K` option is in Apple's standard version of `ssh-add`, which stores the pa
To add your SSH private key to the ssh-agent, you can specify the path to the Apple version of `ssh-add`: To add your SSH private key to the ssh-agent, you can specify the path to the Apple version of `ssh-add`:
```shell ```shell
$ /usr/bin/ssh-add -K ~/.ssh/id_rsa $ /usr/bin/ssh-add -K ~/.ssh/id_ed25519
``` ```
{% note %} {% note %}


@@ -1,6 +1,6 @@
--- ---
title: About billing for GitHub Advanced Security title: About billing for GitHub Advanced Security
intro: 'If you want to use {% data variables.product.prodname_GH_advanced_security %} features{% ifversion fpt or ghec %} in a private or internal repository{% endif %}, you need a license.{% ifversion fpt or ghec %} These features are available free of charge for public repositories on {% data variables.product.prodname_dotcom_the_website %}.{% endif %}' intro: 'If you want to use {% data variables.product.prodname_GH_advanced_security %} features{% ifversion fpt or ghec %} in a private or internal repository{% endif %}, you need a license{% ifversion fpt %} for your enterprise{% endif %}.{% ifversion fpt or ghec %} These features are available free of charge for public repositories on {% data variables.product.prodname_dotcom_the_website %}.{% endif %}'
product: '{% data reusables.gated-features.ghas %}' product: '{% data reusables.gated-features.ghas %}'
redirect_from: redirect_from:
- /admin/advanced-security/about-licensing-for-github-advanced-security - /admin/advanced-security/about-licensing-for-github-advanced-security
@@ -21,9 +21,13 @@ shortTitle: Advanced Security billing
## About billing for {% data variables.product.prodname_GH_advanced_security %} ## About billing for {% data variables.product.prodname_GH_advanced_security %}
{% ifversion fpt or ghec %} {% ifversion fpt %}
If you want to use {% data variables.product.prodname_GH_advanced_security %} features on any repository apart from a public repository on {% data variables.product.prodname_dotcom_the_website %}, you will need a license. For more information about {% data variables.product.prodname_GH_advanced_security %}, see "[About {% data variables.product.prodname_GH_advanced_security %}](/github/getting-started-with-github/about-github-advanced-security)." If you want to use {% data variables.product.prodname_GH_advanced_security %} features on any repository apart from a public repository on {% data variables.product.prodname_dotcom_the_website %}, you will need a {% data variables.product.prodname_GH_advanced_security %} license, available with {% data variables.product.prodname_ghe_cloud %} or {% data variables.product.prodname_ghe_server %}. For more information about {% data variables.product.prodname_GH_advanced_security %}, see "[About {% data variables.product.prodname_GH_advanced_security %}](/github/getting-started-with-github/about-github-advanced-security)."
{% elsif ghec %}
If you want to use {% data variables.product.prodname_GH_advanced_security %} features on any repository apart from a public repository on {% data variables.product.prodname_dotcom_the_website %}, you will need a {% data variables.product.prodname_GH_advanced_security %} license. For more information about {% data variables.product.prodname_GH_advanced_security %}, see "[About {% data variables.product.prodname_GH_advanced_security %}](/github/getting-started-with-github/about-github-advanced-security)."
{% elsif ghes %} {% elsif ghes %}
@@ -57,21 +61,17 @@ For more information on viewing license usage, see "[Viewing your {% data variab
{% endif %} {% endif %}
## Calculating committer spending ## Understanding active committer usage
The following example timeline demonstrates the events during a month that affect billing for {% data variables.product.prodname_GH_advanced_security %} in an enterprise. For each month, you will find events, the total committer count, and the total number of committers that {% data variables.product.company_short %} would bill for. The following example timeline demonstrates how active committer count for {% data variables.product.prodname_GH_advanced_security %} could change over time in an enterprise. For each month, you will find events, along with the resulting committer count.
| Date | Events during the month | Total committer count | Committers billed for the month | | Date | Events during the month | Total committers |
| :- | :- | -: | -: | | :- | :- | -: |
| <nobr>August 1</nobr> | A member of your enterprise enables {% data variables.product.prodname_GH_advanced_security %} for repository **X**. Repository **X** has 50 committers over the past 90 days. | **50** | **50** | | <nobr>April 15</nobr> | A member of your enterprise enables {% data variables.product.prodname_GH_advanced_security %} for repository **X**. Repository **X** has 50 committers over the past 90 days. | **50** |
| <nobr>September 5</nobr> | Developer **A** leaves the team working on repository **X**. Developer **A**'s contributions continue to count for 90 days. | **50** | **50** | | <nobr>May 1</nobr> | Developer **A** leaves the team working on repository **X**. Developer **A**'s contributions continue to count for 90 days. | **50** | **50** |
| <nobr>September 8</nobr> | Developer **B** pushes a commit to repository **X** for the first time. Developer **B**'s usage is pro-rated, because the developer began contributing to repository **X** partway through the month. | <sub>_50 + 1_</sub></br>**51** | <sub>_50 + 0.8_</sub><br/>**50.8** | | <nobr>August 1</nobr> | Developer **A**'s contributions no longer count towards the licences required, because 90 days have passed. | <sub>_50 - 1_</sub></br>**49** |
| October and November | Developer **A**'s contributions to repository **X** continue to count because the contributions were within the past 90 days. {% data variables.product.company_short %} now bills for developer **B** for the entire month because developer **B** now has contributions within the past 90 days. | **51** | **51** | | <nobr>August 15</nobr> | A member of your enterprise enables {% data variables.product.prodname_GH_advanced_security %} for a second repository, repository **Y**. In the last 90 days, a total of 20 developers contributed to that repository. Of those 20 developers, 10 also recently worked on repo **X** and do not require additional licenses. | <sub>_49 + 10_</sub><br/>**59** |
| <nobr>December 4</nobr> | 90 days have passed since developer **A**'s last contribution to repository _X. The 90 days lapsed after December started, so {% data variables.product.company_short %} bills for developer **A** for the entire month. | <sub>_51 - 1_</sub><br/>**50** | <sub></sub><br/>**51** | | <nobr>August 16</nobr> | A member of your enterprise disables {% data variables.product.prodname_GH_advanced_security %} for repository **X**. Of the 49 developers who were working on repository **X**, 10 still also work on repository **Y**, which has a total of 20 developers contributing in the last 90 days. | <sub>_49 - 29_</sub><br/>**20** |
| <nobr>December 11</nobr> | Developer **C** joins the company and pushes a commit to repository **X** for the first time. Developer **C**'s usage is pro-rated at 70% for 21 out of 30 days. | <sub>_50 + 1_</sub><br/>**51** | <sub>_51 + .07_</sub><br/>**51.7** |
| <nobr>January</nobr> | {% data variables.product.company_short %} no longer bills for developer **A**. {% data variables.product.company_short %} bills for developer **C** for the entire month. | **51** | **51** |
| <nobr>February 15</nobr> | A member of your enterprise disables {% data variables.product.prodname_GH_advanced_security %} for repository **X**. The 51 contributors to repository **X** do not work in any other repositories with {% data variables.product.prodname_GH_advanced_security %}. {% data variables.product.company_short %} bills for the developers' usage in repository **X** for February. | <sub>_51 - 51_</sub><br/>**0** | <sub></sub><br/>**51** |
| <nobr>March</nobr> | No repository owned by your enterprise has {% data variables.product.prodname_GH_advanced_security %} enabled. | **0** | **0** |
## Getting the most out of {% data variables.product.prodname_GH_advanced_security %} ## Getting the most out of {% data variables.product.prodname_GH_advanced_security %}


@@ -34,13 +34,16 @@ Make it easy for your users to confidentially report security vulnerabilities th
Privately discuss and fix security vulnerabilities in your repository's code. You can then publish a security advisory to alert your community to the vulnerability and encourage community members to upgrade. For more information, see "[About {% data variables.product.prodname_security_advisories %}](/github/managing-security-vulnerabilities/about-github-security-advisories)." Privately discuss and fix security vulnerabilities in your repository's code. You can then publish a security advisory to alert your community to the vulnerability and encourage community members to upgrade. For more information, see "[About {% data variables.product.prodname_security_advisories %}](/github/managing-security-vulnerabilities/about-github-security-advisories)."
{% endif %}
{% ifversion fpt or ghec or ghes > 3.2 %}
### {% data variables.product.prodname_dependabot_alerts %} and security updates ### {% data variables.product.prodname_dependabot_alerts %} and security updates
View alerts about dependencies that are known to contain security vulnerabilities, and choose whether to have pull requests generated automatically to update these dependencies. For more information, see "[About alerts for vulnerable dependencies](/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies)" View alerts about dependencies that are known to contain security vulnerabilities, and choose whether to have pull requests generated automatically to update these dependencies. For more information, see "[About alerts for vulnerable dependencies](/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies)"
and "[About {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/about-dependabot-security-updates)." and "[About {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/about-dependabot-security-updates)."
{% endif %} {% endif %}
{% ifversion ghes or ghae-issue-4864 %} {% ifversion ghes < 3.3 or ghae-issue-4864 %}
### {% data variables.product.prodname_dependabot_alerts %} ### {% data variables.product.prodname_dependabot_alerts %}
{% data reusables.dependabot.dependabot-alerts-beta %} {% data reusables.dependabot.dependabot-alerts-beta %}
@@ -48,7 +51,7 @@ and "[About {% data variables.product.prodname_dependabot_security_updates %}](/
View alerts about dependencies that are known to contain security vulnerabilities, and manage these alerts. For more information, see "[About alerts for vulnerable dependencies](/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies)." View alerts about dependencies that are known to contain security vulnerabilities, and manage these alerts. For more information, see "[About alerts for vulnerable dependencies](/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies)."
{% endif %} {% endif %}
{% ifversion fpt or ghec %} {% ifversion fpt or ghec or ghes > 3.2 %}
### {% data variables.product.prodname_dependabot %} version updates ### {% data variables.product.prodname_dependabot %} version updates
Use {% data variables.product.prodname_dependabot %} to automatically raise pull requests to keep your dependencies up-to-date. This helps reduce your exposure to older versions of dependencies. Using newer versions makes it easier to apply patches if security vulnerabilities are discovered, and also makes it easier for {% data variables.product.prodname_dependabot_security_updates %} to successfully raise pull requests to upgrade vulnerable dependencies. For more information, see "[About {% data variables.product.prodname_dependabot_version_updates %}](/github/administering-a-repository/about-dependabot-version-updates)." Use {% data variables.product.prodname_dependabot %} to automatically raise pull requests to keep your dependencies up-to-date. This helps reduce your exposure to older versions of dependencies. Using newer versions makes it easier to apply patches if security vulnerabilities are discovered, and also makes it easier for {% data variables.product.prodname_dependabot_security_updates %} to successfully raise pull requests to upgrade vulnerable dependencies. For more information, see "[About {% data variables.product.prodname_dependabot_version_updates %}](/github/administering-a-repository/about-dependabot-version-updates)."


@@ -62,7 +62,7 @@ For more information, see "[About dependency review](/code-security/supply-chain
{% endif %} {% endif %}
{% ifversion fpt or ghec %} {% ifversion fpt or ghec or ghes > 3.2 %}
## Managing {% data variables.product.prodname_dependabot_security_updates %} ## Managing {% data variables.product.prodname_dependabot_security_updates %}
For any repository that uses {% data variables.product.prodname_dependabot_alerts %}, you can enable {% data variables.product.prodname_dependabot_security_updates %} to raise pull requests with security updates when vulnerabilities are detected. You can also enable or disable {% data variables.product.prodname_dependabot_security_updates %} for all repositories across your organization. For any repository that uses {% data variables.product.prodname_dependabot_alerts %}, you can enable {% data variables.product.prodname_dependabot_security_updates %} to raise pull requests with security updates when vulnerabilities are detected. You can also enable or disable {% data variables.product.prodname_dependabot_security_updates %} for all repositories across your organization.
@@ -79,7 +79,7 @@ For more information, see "[About {% data variables.product.prodname_dependabot_
You can enable {% data variables.product.prodname_dependabot %} to automatically raise pull requests to keep your dependencies up-to-date. For more information, see "[About {% data variables.product.prodname_dependabot_version_updates %}](/code-security/supply-chain-security/about-dependabot-version-updates)." You can enable {% data variables.product.prodname_dependabot %} to automatically raise pull requests to keep your dependencies up-to-date. For more information, see "[About {% data variables.product.prodname_dependabot_version_updates %}](/code-security/supply-chain-security/about-dependabot-version-updates)."
To enable {% data variables.product.prodname_dependabot_version_updates %}, you must create a *dependabot.yml* configuration file. For more information, see "[Enabling and disabling version updates](/code-security/supply-chain-security/enabling-and-disabling-version-updates)." To enable {% data variables.product.prodname_dependabot_version_updates %}, you must create a *dependabot.yml* configuration file. For more information, see "[Enabling and disabling {% data variables.product.prodname_dependabot %} version updates](/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/enabling-and-disabling-dependabot-version-updates)."
{% endif %} {% endif %}
@@ -118,7 +118,7 @@ For more information, see "[Managing security and analysis settings for your org
## Next steps ## Next steps
{% ifversion fpt or ghes > 3.1 or ghae-next or ghec %}You can view, filter, and sort security alerts for repositories owned by your organization in the security overview. For more information, see "[About the security overview](/code-security/security-overview/about-the-security-overview)."{% endif %} {% ifversion fpt or ghes > 3.1 or ghae-next or ghec %}You can view, filter, and sort security alerts for repositories owned by your organization in the security overview. For more information, see "[About the security overview](/code-security/security-overview/about-the-security-overview)."{% endif %}
You can view and manage alerts from security features to address dependencies and vulnerabilities in your code. For more information, see {% ifversion fpt or ghes > 2.22 or ghec %} "[Viewing and updating vulnerable dependencies in your repository](/code-security/supply-chain-security/viewing-and-updating-vulnerable-dependencies-in-your-repository),"{% endif %} {% ifversion fpt or ghec %}"[Managing pull requests for dependency updates](/code-security/supply-chain-security/managing-pull-requests-for-dependency-updates)," {% endif %}"[Managing {% data variables.product.prodname_code_scanning %} for your repository](/code-security/secure-coding/managing-code-scanning-alerts-for-your-repository)," and "[Managing alerts from {% data variables.product.prodname_secret_scanning %}](/code-security/secret-security/managing-alerts-from-secret-scanning)." You can view and manage alerts from security features to address dependencies and vulnerabilities in your code. For more information, see {% ifversion fpt or ghes > 2.22 or ghec %} "[Viewing and updating vulnerable dependencies in your repository](/code-security/supply-chain-security/viewing-and-updating-vulnerable-dependencies-in-your-repository),"{% endif %} {% ifversion fpt or ghec or ghes > 3.2 %}"[Managing pull requests for dependency updates](/code-security/supply-chain-security/managing-pull-requests-for-dependency-updates)," {% endif %}"[Managing {% data variables.product.prodname_code_scanning %} for your repository](/code-security/secure-coding/managing-code-scanning-alerts-for-your-repository)," and "[Managing alerts from {% data variables.product.prodname_secret_scanning %}](/code-security/secret-security/managing-alerts-from-secret-scanning)."
{% ifversion fpt or ghec %}If you have a security vulnerability, you can create a security advisory to privately discuss and fix the vulnerability. For more information, see "[About {% data variables.product.prodname_security_advisories %}](/code-security/security-advisories/about-github-security-advisories)" and "[Creating a security advisory](/code-security/security-advisories/creating-a-security-advisory)." {% ifversion fpt or ghec %}If you have a security vulnerability, you can create a security advisory to privately discuss and fix the vulnerability. For more information, see "[About {% data variables.product.prodname_security_advisories %}](/code-security/security-advisories/about-github-security-advisories)" and "[Creating a security advisory](/code-security/security-advisories/creating-a-security-advisory)."
{% endif %} {% endif %}


@@ -91,7 +91,7 @@ For more information, see "[About dependency review](/code-security/supply-chain
{% endif %} {% endif %}
{% ifversion fpt or ghec %} {% ifversion fpt or ghec or ghes > 3.2 %}
## Managing {% data variables.product.prodname_dependabot_security_updates %} ## Managing {% data variables.product.prodname_dependabot_security_updates %}
@@ -107,7 +107,7 @@ For more information, see "[About {% data variables.product.prodname_dependabot_
You can enable {% data variables.product.prodname_dependabot %} to automatically raise pull requests to keep your dependencies up-to-date. For more information, see "[About {% data variables.product.prodname_dependabot_version_updates %}](/code-security/supply-chain-security/about-dependabot-version-updates)." You can enable {% data variables.product.prodname_dependabot %} to automatically raise pull requests to keep your dependencies up-to-date. For more information, see "[About {% data variables.product.prodname_dependabot_version_updates %}](/code-security/supply-chain-security/about-dependabot-version-updates)."
To enable {% data variables.product.prodname_dependabot_version_updates %}, you must create a *dependabot.yml* configuration file. For more information, see "[Enabling and disabling version updates](/code-security/supply-chain-security/enabling-and-disabling-version-updates)." To enable {% data variables.product.prodname_dependabot_version_updates %}, you must create a *dependabot.yml* configuration file. For more information, see "[Enabling and disabling {% data variables.product.prodname_dependabot %} version updates](/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/enabling-and-disabling-dependabot-version-updates)."
{% endif %} {% endif %}
@@ -128,7 +128,7 @@ You can set up {% data variables.product.prodname_code_scanning %} to automatica
4. Next to {% data variables.product.prodname_secret_scanning_caps %}, click **Enable**. 4. Next to {% data variables.product.prodname_secret_scanning_caps %}, click **Enable**.
## Next steps ## Next steps
You can view and manage alerts from security features to address dependencies and vulnerabilities in your code. For more information, see {% ifversion fpt or ghes or ghec %} "[Viewing and updating vulnerable dependencies in your repository](/code-security/supply-chain-security/viewing-and-updating-vulnerable-dependencies-in-your-repository),"{% endif %} {% ifversion fpt or ghec %}"[Managing pull requests for dependency updates](/code-security/supply-chain-security/managing-pull-requests-for-dependency-updates)," {% endif %}"[Managing {% data variables.product.prodname_code_scanning %} for your repository](/code-security/secure-coding/managing-code-scanning-alerts-for-your-repository)," and "[Managing alerts from {% data variables.product.prodname_secret_scanning %}](/code-security/secret-security/managing-alerts-from-secret-scanning)." You can view and manage alerts from security features to address dependencies and vulnerabilities in your code. For more information, see {% ifversion fpt or ghes or ghec %} "[Viewing and updating vulnerable dependencies in your repository](/code-security/supply-chain-security/viewing-and-updating-vulnerable-dependencies-in-your-repository),"{% endif %} {% ifversion fpt or ghec or ghes > 3.2 %}"[Managing pull requests for dependency updates](/code-security/supply-chain-security/managing-pull-requests-for-dependency-updates)," {% endif %}"[Managing {% data variables.product.prodname_code_scanning %} for your repository](/code-security/secure-coding/managing-code-scanning-alerts-for-your-repository)," and "[Managing alerts from {% data variables.product.prodname_secret_scanning %}](/code-security/secret-security/managing-alerts-from-secret-scanning)."
{% ifversion fpt or ghec %}If you have a security vulnerability, you can create a security advisory to privately discuss and fix the vulnerability. For more information, see "[About {% data variables.product.prodname_security_advisories %}](/code-security/security-advisories/about-github-security-advisories)" and "[Creating a security advisory](/code-security/security-advisories/creating-a-security-advisory)." {% ifversion fpt or ghec %}If you have a security vulnerability, you can create a security advisory to privately discuss and fix the vulnerability. For more information, see "[About {% data variables.product.prodname_security_advisories %}](/code-security/security-advisories/about-github-security-advisories)" and "[Creating a security advisory](/code-security/security-advisories/creating-a-security-advisory)."
{% endif %} {% endif %}


@@ -58,7 +58,7 @@ includeGuides:
- /code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/automating-dependabot-with-github-actions - /code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/automating-dependabot-with-github-actions
- /code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates - /code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates
- /code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/customizing-dependency-updates - /code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/customizing-dependency-updates
- /code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/enabling-and-disabling-version-updates - /code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/enabling-and-disabling-dependabot-version-updates
- /code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/keeping-your-actions-up-to-date-with-dependabot - /code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/keeping-your-actions-up-to-date-with-dependabot
- /code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/listing-dependencies-configured-for-version-updates - /code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/listing-dependencies-configured-for-version-updates
- /code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/managing-encrypted-secrets-for-dependabot - /code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/managing-encrypted-secrets-for-dependabot


@@ -12,7 +12,7 @@ featuredLinks:
- '{% ifversion ghes or ghae %}/code-security/secure-coding/automatically-scanning-your-code-for-vulnerabilities-and-errors/setting-up-code-scanning-for-a-repository{% endif%}' - '{% ifversion ghes or ghae %}/code-security/secure-coding/automatically-scanning-your-code-for-vulnerabilities-and-errors/setting-up-code-scanning-for-a-repository{% endif%}'
guideCards: guideCards:
- '{% ifversion fpt %}/code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/configuring-dependabot-security-updates{% endif %}' - '{% ifversion fpt %}/code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/configuring-dependabot-security-updates{% endif %}'
- '{% ifversion fpt %}/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/enabling-and-disabling-version-updates{% endif %}' - '{% ifversion fpt %}/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/enabling-and-disabling-dependabot-version-updates{% endif %}'
- '{% ifversion fpt %}/code-security/secure-coding/automatically-scanning-your-code-for-vulnerabilities-and-errors/setting-up-code-scanning-for-a-repository{% endif %}' - '{% ifversion fpt %}/code-security/secure-coding/automatically-scanning-your-code-for-vulnerabilities-and-errors/setting-up-code-scanning-for-a-repository{% endif %}'
- '{% ifversion ghes %}/code-security/supply-chain-security/understanding-your-software-supply-chain/exploring-the-dependencies-of-a-repository{% endif %}' - '{% ifversion ghes %}/code-security/supply-chain-security/understanding-your-software-supply-chain/exploring-the-dependencies-of-a-repository{% endif %}'
- '{% ifversion ghes %}/code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/configuring-notifications-for-vulnerable-dependencies{% endif %}' - '{% ifversion ghes %}/code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/configuring-notifications-for-vulnerable-dependencies{% endif %}'


@@ -10,6 +10,7 @@ redirect_from:
versions: versions:
fpt: '*' fpt: '*'
ghec: '*' ghec: '*'
ghes: '> 3.2'
type: overview type: overview
topics: topics:
- Dependabot - Dependabot
@@ -19,15 +20,19 @@ topics:
- Pull requests - Pull requests
shortTitle: Dependabot version updates shortTitle: Dependabot version updates
--- ---
{% data reusables.dependabot.beta-security-and-version-updates %}
{% data reusables.dependabot.enterprise-enable-dependabot %}
## About {% data variables.product.prodname_dependabot_version_updates %} ## About {% data variables.product.prodname_dependabot_version_updates %}
{% data variables.product.prodname_dependabot %} takes the effort out of maintaining your dependencies. You can use it to ensure that your repository automatically keeps up with the latest releases of the packages and applications it depends on. {% data variables.product.prodname_dependabot %} takes the effort out of maintaining your dependencies. You can use it to ensure that your repository automatically keeps up with the latest releases of the packages and applications it depends on.
You enable {% data variables.product.prodname_dependabot_version_updates %} by checking a configuration file into your repository. The configuration file specifies the location of the manifest, or of other package definition files, stored in your repository. {% data variables.product.prodname_dependabot %} uses this information to check for outdated packages and applications. {% data variables.product.prodname_dependabot %} determines if there is a new version of a dependency by looking at the semantic versioning ([semver](https://semver.org/)) of the dependency to decide whether it should update to that version. For certain package managers, {% data variables.product.prodname_dependabot_version_updates %} also supports vendoring. Vendored (or cached) dependencies are dependencies that are checked in to a specific directory in a repository rather than referenced in a manifest. Vendored dependencies are available at build time even if package servers are unavailable. {% data variables.product.prodname_dependabot_version_updates %} can be configured to check vendored dependencies for new versions and update them if necessary. You enable {% data variables.product.prodname_dependabot_version_updates %} by checking a configuration file into your repository. The configuration file specifies the location of the manifest, or of other package definition files, stored in your repository. {% data variables.product.prodname_dependabot %} uses this information to check for outdated packages and applications. {% data variables.product.prodname_dependabot %} determines if there is a new version of a dependency by looking at the semantic versioning ([semver](https://semver.org/)) of the dependency to decide whether it should update to that version. For certain package managers, {% data variables.product.prodname_dependabot_version_updates %} also supports vendoring. 
Vendored (or cached) dependencies are dependencies that are checked in to a specific directory in a repository rather than referenced in a manifest. Vendored dependencies are available at build time even if package servers are unavailable. {% data variables.product.prodname_dependabot_version_updates %} can be configured to check vendored dependencies for new versions and update them if necessary.
When {% data variables.product.prodname_dependabot %} identifies an outdated dependency, it raises a pull request to update the manifest to the latest version of the dependency. For vendored dependencies, {% data variables.product.prodname_dependabot %} raises a pull request to replace the outdated dependency with the new version directly. You check that your tests pass, review the changelog and release notes included in the pull request summary, and then merge it. For more information, see "[Enabling and disabling version updates](/github/administering-a-repository/enabling-and-disabling-version-updates)." When {% data variables.product.prodname_dependabot %} identifies an outdated dependency, it raises a pull request to update the manifest to the latest version of the dependency. For vendored dependencies, {% data variables.product.prodname_dependabot %} raises a pull request to replace the outdated dependency with the new version directly. You check that your tests pass, review the changelog and release notes included in the pull request summary, and then merge it. For more information, see "[Enabling and disabling {% data variables.product.prodname_dependabot %} version updates](/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/enabling-and-disabling-dependabot-version-updates)."
If you enable security updates, {% data variables.product.prodname_dependabot %} also raises pull requests to update vulnerable dependencies. For more information, see "[About {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/about-dependabot-security-updates)." If you enable _security updates_, {% data variables.product.prodname_dependabot %} also raises pull requests to update vulnerable dependencies. For more information, see "[About {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/about-dependabot-security-updates)."
{% data reusables.dependabot.pull-request-security-vs-version-updates %} {% data reusables.dependabot.pull-request-security-vs-version-updates %}
@@ -44,8 +49,7 @@ If you've enabled security updates, you'll sometimes see extra pull requests for
## Supported repositories and ecosystems ## Supported repositories and ecosystems
<!-- If you make changes to this feature, update /getting-started-with-github/github-language-support to reflect any changes to supported repositories or ecosystems. --> <!-- If you make changes to this feature, update /getting-started-with-github/github-language-support to reflect any changes to supported repositories or ecosystems. -->
You can configure version updates for repositories that contain a dependency manifest or lock file for one of the supported package managers. For some package managers, you can also configure vendoring for dependencies. For more information, see "[Configuration options for dependency updates](/github/administering-a-repository/configuration-options-for-dependency-updates#vendor)." You can configure version updates for repositories that contain a dependency manifest or lock file for one of the supported package managers. For some package managers, you can also configure vendoring for dependencies. For more information, see "[Configuration options for dependency updates](/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates#vendor)."
{% note %} {% note %}
{% data reusables.dependabot.private-dependencies-note %} {% data reusables.dependabot.private-dependencies-note %}
@@ -56,8 +60,8 @@ You can configure version updates for repositories that contain a dependency man
{% data reusables.dependabot.supported-package-managers %} {% data reusables.dependabot.supported-package-managers %}
If your repository already uses an integration for dependency management, you will need to disable this before enabling {% data variables.product.prodname_dependabot %}. For more information, see "[About integrations](/github/customizing-your-github-workflow/about-integrations)." If your repository already uses an integration for dependency management, you will need to disable this before enabling {% data variables.product.prodname_dependabot %}. {% ifversion fpt or ghec %}For more information, see "[About integrations](/github/customizing-your-github-workflow/about-integrations)."{% endif %}
## About notifications for {% data variables.product.prodname_dependabot %} version updates ## About notifications for {% data variables.product.prodname_dependabot %} version updates
You can filter your notifications on {% data variables.product.company_short %} to show {% data variables.product.prodname_dependabot %} version updates. For more information, see "[Managing notifications from your inbox](/github/managing-subscriptions-and-notifications-on-github/managing-notifications-from-your-inbox#dependabot-custom-filters)." You can filter your notifications on {% data variables.product.company_short %} to show notifications for pull requests created by {% data variables.product.prodname_dependabot %}. For more information, see "[Managing notifications from your inbox](/github/managing-subscriptions-and-notifications-on-github/managing-notifications-from-your-inbox)."


@@ -6,6 +6,7 @@ miniTocMaxHeadingLevel: 3
versions: versions:
fpt: '*' fpt: '*'
ghec: '*' ghec: '*'
ghes: '>3.2'
type: how_to type: how_to
topics: topics:
- Actions - Actions
@@ -18,6 +19,9 @@ topics:
shortTitle: Use Dependabot with actions shortTitle: Use Dependabot with actions
--- ---
{% data reusables.dependabot.beta-security-and-version-updates %}
{% data reusables.dependabot.enterprise-enable-dependabot %}
## About {% data variables.product.prodname_dependabot %} and {% data variables.product.prodname_actions %} ## About {% data variables.product.prodname_dependabot %} and {% data variables.product.prodname_actions %}
{% data variables.product.prodname_dependabot %} creates pull requests to keep your dependencies up to date, and you can use {% data variables.product.prodname_actions %} to perform automated tasks when these pull requests are created. For example, fetch additional artifacts, add labels, run tests, or otherwise modifying the pull request. {% data variables.product.prodname_dependabot %} creates pull requests to keep your dependencies up to date, and you can use {% data variables.product.prodname_actions %} to perform automated tasks when these pull requests are created. For example, fetch additional artifacts, add labels, run tests, or otherwise modifying the pull request.
@@ -33,6 +37,16 @@ For workflows initiated by {% data variables.product.prodname_dependabot %} (`gi
For more information, see ["Keeping your GitHub Actions and workflows secure: Preventing pwn requests"](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/). For more information, see ["Keeping your GitHub Actions and workflows secure: Preventing pwn requests"](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/).
{% ifversion ghes > 3.2 %}
{% note %}
**Note:** Your site administrator can override these restrictions for {% data variables.product.product_location %}. For more information, see "[Troubleshooting {% data variables.product.prodname_actions %} for your enterprise](/admin/github-actions/advanced-configuration-and-troubleshooting/troubleshooting-github-actions-for-your-enterprise#troubleshooting-failures-when-dependabot-triggers-existing-workflows)."
If the restrictions are removed, when a workflow is triggered by {% data variables.product.prodname_dependabot %} it will have access to any secrets that are normally available. In addition, workflows triggered by {% data variables.product.prodname_dependabot %} can use the `permissions` term to increase the default scope of the `GITHUB_TOKEN` from read-only access.
{% endnote %}
{% endif %}
### Handling `pull_request` events ### Handling `pull_request` events
If your workflow needs access to secrets or a `GITHUB_TOKEN` with write permissions, you have two options: using `pull_request_target`, or using two separate workflows. We will detail using `pull_request_target` in this section, and using two workflows below in "[Handling `push` events](#handling-push-events)." If your workflow needs access to secrets or a `GITHUB_TOKEN` with write permissions, you have two options: using `pull_request_target`, or using two separate workflows. We will detail using `pull_request_target` in this section, and using two workflows below in "[Handling `push` events](#handling-push-events)."
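Review bot: The new `{% ifversion ghes > 3.2 %}` note says that a site administrator can override the restrictions, but not what that changes for workflow authors. By the note's own wording, a workflow triggered by {% data variables.product.prodname_dependabot %} then has access to secrets and can raise the `GITHUB_TOKEN` scope through `permissions`. Such a workflow would presumably still run against a dependency update that has not been reviewed yet, which is the situation the "Preventing pwn requests" link just above the note is about. I would add a closing sentence to the note, for example `Before removing the restrictions, check that workflows which run on {% data variables.product.prodname_dependabot %} pull requests do not expose secrets or a write-scoped token to steps that build or execute the updated dependency.` Separately, the front matter in this file writes `ghes: '>3.2'` while the "About version updates" article in the same commit writes `ghes: '> 3.2'`; using one spelling keeps the version ranges easy to search for.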
