Merge pull request #34028 from github/repo-sync

Repo sync

content/actions/security-guides/using-githubs-security-features-to-secure-your-use-of-github-actions.md

@@ -61,6 +61,10 @@ For more information about dependency review, see "[AUTOTITLE](/code-security/su
 
 {% data reusables.dependency-review.about-dependency-review-action %}
 
+![Screenshot of a workflow run that uses the dependency review action.](/assets/images/help/graphs/dependency-review-action.png)
+
+{% data reusables.dependency-review.about-dependency-review-action2 %}
+
 ## Keeping the actions in your workflows secure and up to date
 
 {% data reusables.actions.dependabot-version-updates-for-actions %}

content/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review.md

@@ -47,10 +47,16 @@ The dependency review feature becomes available when you enable the dependency g
 
 The action is available for all {% ifversion fpt or ghec %}public repositories, as well as private {% endif %}repositories that have {% data variables.product.prodname_GH_advanced_security %} enabled.
 
+{% data reusables.dependency-review.org-level-enforcement %}
+
 {% data reusables.dependency-review.action-enterprise %}
 
 {% data reusables.dependency-review.about-dependency-review-action %}
 
+![Screenshot of a workflow run that uses the dependency review action.](/assets/images/help/graphs/dependency-review-action.png)
+
+{% data reusables.dependency-review.about-dependency-review-action2 %}
+
 The action uses the dependency review REST API to get the diff of dependency changes between the base commit and head commit. You can use the dependency review API to get the diff of dependency changes, including vulnerability data, between any two commits on a repository. For more information, see "[AUTOTITLE](/rest/dependency-graph/dependency-review)."{% ifversion dependency-review-submission-api %} The action also considers dependencies submitted via the {% data variables.dependency-submission-api.name %}. For more information about the {% data variables.dependency-submission-api.name %}, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api)."
 
 {% data reusables.dependency-review.works-with-submission-api-beta %}

content/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-dependency-review.md

@@ -51,6 +51,8 @@ Dependency review is available when dependency graph is enabled for {% data vari
 
 {% data reusables.dependency-review.dependency-review-action-overview %}
 
+{% data reusables.dependency-review.org-level-enforcement %}
+
 Here is a list of common configuration options.  For more information, and a full list of options, see [Dependency Review](https://github.com/marketplace/actions/dependency-review) on the {% data variables.product.prodname_marketplace %}.
 
 | Option | Required | Usage |

content/code-security/supply-chain-security/understanding-your-software-supply-chain/enforcing-dependency-review-across-an-organization.md

@@ -0,0 +1,45 @@
+---
+title: Enforcing dependency review across an organization
+intro: 'Dependency review lets you catch insecure dependencies before you introduce them to your environment. You can enforce the use of the {% data variables.dependency-review.action_name %} across your organization.'
+product: '{% data reusables.gated-features.dependency-review %}'
+shortTitle: Enforce dependency review
+permissions: 'Organization owners can enforce use of the {% data variables.dependency-review.action_name %} in repositories within their organization.'
+versions:
+  feature: repo-rules
+type: overview
+topics:
+  - Advanced Security
+  - Dependency review
+  - Vulnerabilities
+  - Dependencies
+  - Pull requests
+---
+
+## About dependency review enforcement
+
+{% data reusables.dependency-review.action-enterprise %}
+
+{% data reusables.dependency-review.about-dependency-review-action %} For more information, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review)."
+
+You can enforce the use of the {% data variables.dependency-review.action_name %} in your organization by setting up a repository ruleset that will require the `dependency-review-action` workflow to pass before pull requests can be merged. Repository rulesets are rule settings that allow you to control how users can interact with selected branches and tags in your repositories. For more information, see "[AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets)" and "[Require workflows to pass before merging](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/available-rules-for-rulesets#require-workflows-to-pass-before-merging)."
+
+## Prerequisites
+
+You need to add the {% data variables.dependency-review.action_name %} to one of the repositories in your organization, and configure the action. For more information, see "[Configuring the dependency review action](/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-dependency-review#configuring-the-dependency-review-action)."
+
+## Enforcing dependency review for your organization
+
+{% data reusables.profile.access_org %}
+{% data reusables.profile.org_settings %}
+{% data reusables.organizations.access-ruleset-settings %}
+1. Click **New branch ruleset**.
+1. Set **Enforcement status** to {% octicon "play" aria-hidden="true" %} **Active**.
+1. Optionally, you can target specific repositories in your organization. For more information, see "[Choosing which repositories to target in your organization](/organizations/managing-organization-settings/creating-rulesets-for-repositories-in-your-organization#choosing-which-repositories-to-target-in-your-organization)."
+1. In the "Rules" section, select the "Require workflows to pass before merging" option.
+1. In "Workflow configurations", click **Add workflow**.
+1. In the dialog, select the repository that you added the {% data variables.dependency-review.action_name %} to. For more information, see "[Prerequisites](#prerequisites)."
+1. Select a branch and the workflow file for dependency review in the enhanced dialog.
+
+   ![Screenshot of the Add required workflow dialog. You need to specify a repository, branch, and workflow.](/assets/images/help/repository/add-required-workflow-dialog.png)
+
+1. Click **Create**.

content/code-security/supply-chain-security/understanding-your-software-supply-chain/index.md

@@ -17,6 +17,7 @@ children:
   - /using-the-dependency-submission-api
   - /about-dependency-review
   - /configuring-dependency-review
+  - /enforcing-dependency-review-across-an-organization
   - /exploring-the-dependencies-of-a-repository
   - /troubleshooting-the-dependency-graph
 ---

data/release-notes/enterprise-server/3-10/15.yml

@@ -1,5 +1,8 @@
-date: '2024-07-10'
+date: '2024-07-19'
 intro: |
+
+  >[!NOTE] Due to a bug that caused hotpatch upgrades to fail for instances on Microsoft Azure, the previous patch release in this series (**3.10.14**) is not available for download. The following release notes include the updates introduced in that release.
+
   {% warning %}
 
   **Warning**: A change to MySQL in GitHub Enterprise Server 3.9 and later may impact the performance of your instance. Before you upgrade, make sure you've read the "[Known issues](#3.10.14-known-issues)" section of these release notes.
@@ -32,6 +35,8 @@ sections:
     - |
       Packages have been updated to the latest security versions.
   bugs:
+    - |
+      When an instance hosted on Azure was upgraded with a hotpatch, the upgrade failed with an `rsync` error.
     - |
       On an instance with GitHub Actions enabled, remote blob storage could fill up with large amounts of data because cleanup jobs were skipped on old hosts.
     - |

data/release-notes/enterprise-server/3-11/13.yml

@@ -1,4 +1,7 @@
-date: '2024-07-10'
+date: '2024-07-19'
+intro: |
+
+     >[!NOTE] Due to a bug that caused hotpatch upgrades to fail for instances on Microsoft Azure, the previous patch release in this series (**3.11.12**) is not available for download. The following release notes include the updates introduced in that release.
 sections:
   security_fixes:
     - |
@@ -24,6 +27,8 @@ sections:
     - |
       Packages have been updated to the latest security versions.
   bugs:
+    - |
+      When an instance hosted on Azure was upgraded with a hotpatch, the upgrade failed with an `rsync` error.
     - |
       On an instance with GitHub Actions enabled, remote blob storage could fill up with large amounts of data because cleanup jobs were skipped on old hosts.
     - |

data/release-notes/enterprise-server/3-12/7.yml

@@ -1,4 +1,7 @@
-date: '2024-07-10'
+date: '2024-07-19'
+intro: |
+
+   >[!NOTE] Due to a bug that caused hotpatch upgrades to fail for instances on Microsoft Azure, the previous patch release in this series (**3.12.6**) is not available for download. The following release notes include the updates introduced in that release.
 sections:
   security_fixes:
     - |
@@ -24,6 +27,8 @@ sections:
     - |
       Packages have been updated to the latest security versions.
   bugs:
+    - |
+      When an instance hosted on Azure was upgraded with a hotpatch, the upgrade failed with an `rsync` error.
     - |
       On an instance with GitHub Actions enabled, remote blob storage could fill up with large amounts of data because cleanup jobs were skipped on old hosts.
     - |

data/release-notes/enterprise-server/3-13/2.yml

@@ -1,4 +1,7 @@
-date: '2024-07-10'
+date: '2024-07-19'
+intro: |
+
+    >[!NOTE] Due to a bug that caused hotpatch upgrades to fail for instances on Microsoft Azure, the previous patch release in this series (**3.13.1**) is not available for download. The following release notes include the updates introduced in that release.
 sections:
   security_fixes:
     - |
@@ -26,6 +29,8 @@ sections:
     - |
       Packages have been updated to the latest security versions.
   bugs:
+    - |
+      When an instance hosted on Azure was upgraded with a hotpatch, the upgrade failed with an `rsync` error.
     - |
       On an instance with GitHub Actions enabled, remote blob storage could fill up with large amounts of data because cleanup jobs were skipped on old hosts.
     - |
@@ -135,7 +140,7 @@ sections:
       To avoid excessive log volume and associated disk pressure, requests for `GetCacheKey` are no longer logged. Previously, the high frequency of these requests caused significant log accumulation.
   known_issues:
     - |
-      TODO: Add finalized release note for https://github.com/github/ghes/issues/9451.
+      When restoring data originally backed up from a 3.13 appliance onto a 3.13 appliance, the Elasticsearch indices need to be reindexed before some data will appear. This happens via a nightly scheduled job. It can also be forced by running `/usr/local/share/enterprise/ghe-es-search-repair`.
     - |
       Custom firewall rules are removed during the upgrade process.
     - |

data/release-notes/enterprise-server/3-9/18.yml

@@ -1,5 +1,8 @@
-date: '2024-07-10'
+date: '2024-07-19'
 intro: |
+
+  >[!NOTE] Due to a bug that caused hotpatch upgrades to fail for instances on Microsoft Azure, the previous patch release in this series (**3.9.17**) is not available for download. The following release notes include the updates introduced in that release.
+
   {% warning %}
 
   **Warning**: A change to MySQL in GitHub Enterprise Server 3.9 and later may impact the performance of your instance. Before you upgrade, make sure you've read the "[Known issues](#3.9.17-known-issues)" section of these release notes.
@@ -26,6 +29,8 @@ sections:
     - |
       Firewall port 9199, which linked to a static maintenance page used when enabling maintenance mode with an IP exception list, was opened unnecessarily.
   bugs:
+    - |
+      When an instance hosted on Azure was upgraded with a hotpatch, the upgrade failed with an `rsync` error.
     - |
       On an instance with GitHub Actions enabled, remote blob storage could fill up with large amounts of data because cleanup jobs were skipped on old hosts.
     - |

data/reusables/dependency-review/about-dependency-review-action.md

@@ -1,5 +1 @@
 You can use the [`dependency-review-action`](https://github.com/actions/dependency-review-action) in your repository to enforce dependency reviews on your pull requests. The action scans for vulnerable versions of dependencies introduced by package version changes in pull requests, and warns you about the associated security vulnerabilities. This gives you better visibility of what's changing in a pull request, and helps prevent vulnerabilities being added to your repository.
-
-![Screenshot of a workflow run that uses the Dependency review action.](/assets/images/help/graphs/dependency-review-action.png)
-
-By default, the {% data variables.dependency-review.action_name %} check will fail if it discovers any vulnerable packages. A failed check blocks a pull request from being merged when the repository owner requires the dependency review check to pass. For more information, see "[AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-status-checks-before-merging)."

data/reusables/dependency-review/about-dependency-review-action2.md

@@ -0,0 +1 @@
+By default, the {% data variables.dependency-review.action_name %} check will fail if it discovers any vulnerable packages. A failed check blocks a pull request from being merged when the repository owner requires the dependency review check to pass. For more information, see "[AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-status-checks-before-merging)."

data/reusables/dependency-review/org-level-enforcement.md

@@ -0,0 +1,5 @@
+{% ifversion repo-rules %}
+
+Organization owners can roll out dependency review at scale by enforcing the use of the {% data variables.dependency-review.action_name %} across repositories in the organization. This involves the use of repository rulesets for which you'll set the {% data variables.dependency-review.action_name %} as a required workflow, which means that pull requests can only be merged once the workflow passes all the required checks. For more information, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/enforcing-dependency-review-across-an-organization)."
+
+{% endif %}

src/audit-logs/data/fpt/organization.json

@@ -1534,6 +1534,21 @@
     "description": "Push protection for secret scanning was enabled for all new repositories in the organization.",
     "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations"
   },
+  {
+    "action": "org.security_center_export_coverage",
+    "description": "A CSV export was requested on the Coverage page.",
+    "docs_reference_links": "N/A"
+  },
+  {
+    "action": "org.security_center_export_overview_dashboard",
+    "description": "A CSV export was requested on the Overview Dashboard page.",
+    "docs_reference_links": "N/A"
+  },
+  {
+    "action": "org.security_center_export_risk",
+    "description": "A CSV export was requested on the Risk page.",
+    "docs_reference_links": "N/A"
+  },
   {
     "action": "org.self_hosted_runner_offline",
     "description": "The runner application was stopped. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.",

src/audit-logs/data/fpt/user.json

@@ -669,6 +669,21 @@
     "description": "A member was removed from an organization, either manually or due to a two-factor authentication requirement.",
     "docs_reference_links": "N/A"
   },
+  {
+    "action": "org.security_center_export_coverage",
+    "description": "A CSV export was requested on the Coverage page.",
+    "docs_reference_links": "N/A"
+  },
+  {
+    "action": "org.security_center_export_overview_dashboard",
+    "description": "A CSV export was requested on the Overview Dashboard page.",
+    "docs_reference_links": "N/A"
+  },
+  {
+    "action": "org.security_center_export_risk",
+    "description": "A CSV export was requested on the Risk page.",
+    "docs_reference_links": "N/A"
+  },
   {
     "action": "org.set_actions_fork_pr_approvals_policy",
     "description": "The setting for requiring approvals for workflows from public forks was changed for an organization.",

src/audit-logs/data/ghec/enterprise.json

@@ -494,6 +494,11 @@
     "description": "Secret scanning was enabled for new repositories in your enterprise.",
     "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise"
   },
+  {
+    "action": "business_secret_scanning_generic_secrets.disabled",
+    "description": "Generic secrets have been disabled at the business level",
+    "docs_reference_links": "N/A"
+  },
   {
     "action": "business_secret_scanning_generic_secrets.enabled",
     "description": "Generic secrets have been enabled at the business level",

src/audit-logs/data/ghec/organization.json

@@ -1534,6 +1534,21 @@
     "description": "Push protection for secret scanning was enabled for all new repositories in the organization.",
     "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations"
   },
+  {
+    "action": "org.security_center_export_coverage",
+    "description": "A CSV export was requested on the Coverage page.",
+    "docs_reference_links": "N/A"
+  },
+  {
+    "action": "org.security_center_export_overview_dashboard",
+    "description": "A CSV export was requested on the Overview Dashboard page.",
+    "docs_reference_links": "N/A"
+  },
+  {
+    "action": "org.security_center_export_risk",
+    "description": "A CSV export was requested on the Risk page.",
+    "docs_reference_links": "N/A"
+  },
   {
     "action": "org.self_hosted_runner_offline",
     "description": "The runner application was stopped. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.",

src/audit-logs/data/ghec/user.json

@@ -669,6 +669,21 @@
     "description": "A member was removed from an organization, either manually or due to a two-factor authentication requirement.",
     "docs_reference_links": "N/A"
   },
+  {
+    "action": "org.security_center_export_coverage",
+    "description": "A CSV export was requested on the Coverage page.",
+    "docs_reference_links": "N/A"
+  },
+  {
+    "action": "org.security_center_export_overview_dashboard",
+    "description": "A CSV export was requested on the Overview Dashboard page.",
+    "docs_reference_links": "N/A"
+  },
+  {
+    "action": "org.security_center_export_risk",
+    "description": "A CSV export was requested on the Risk page.",
+    "docs_reference_links": "N/A"
+  },
   {
     "action": "org.set_actions_fork_pr_approvals_policy",
     "description": "The setting for requiring approvals for workflows from public forks was changed for an organization.",

src/audit-logs/data/ghes-3.10/enterprise.json

@@ -39,6 +39,26 @@
     "description": "A workflow run artifact was manually deleted.",
     "docs_reference_links": "N/A"
   },
+  {
+    "action": "audit_log_streaming.check",
+    "description": "A manual check of the endpoint configured for audit log streaming was performed.",
+    "docs_reference_links": "N/A"
+  },
+  {
+    "action": "audit_log_streaming.create",
+    "description": "An endpoint was added for audit log streaming.",
+    "docs_reference_links": "N/A"
+  },
+  {
+    "action": "audit_log_streaming.destroy",
+    "description": "An audit log streaming endpoint was deleted.",
+    "docs_reference_links": "N/A"
+  },
+  {
+    "action": "audit_log_streaming.update",
+    "description": "An endpoint configuration was updated for audit log streaming, such as the stream was paused, enabled, or disabled.",
+    "docs_reference_links": "N/A"
+  },
   {
     "action": "billing.change_billing_type",
     "description": "The way the account pays for GitHub was changed.",

src/audit-logs/data/ghes-3.11/enterprise.json

@@ -39,6 +39,26 @@
     "description": "A workflow run artifact was manually deleted.",
     "docs_reference_links": "N/A"
   },
+  {
+    "action": "audit_log_streaming.check",
+    "description": "A manual check of the endpoint configured for audit log streaming was performed.",
+    "docs_reference_links": "N/A"
+  },
+  {
+    "action": "audit_log_streaming.create",
+    "description": "An endpoint was added for audit log streaming.",
+    "docs_reference_links": "N/A"
+  },
+  {
+    "action": "audit_log_streaming.destroy",
+    "description": "An audit log streaming endpoint was deleted.",
+    "docs_reference_links": "N/A"
+  },
+  {
+    "action": "audit_log_streaming.update",
+    "description": "An endpoint configuration was updated for audit log streaming, such as the stream was paused, enabled, or disabled.",
+    "docs_reference_links": "N/A"
+  },
   {
     "action": "billing.change_billing_type",
     "description": "The way the account pays for GitHub was changed.",

src/audit-logs/data/ghes-3.12/enterprise.json

@@ -39,6 +39,26 @@
     "description": "A workflow run artifact was manually deleted.",
     "docs_reference_links": "N/A"
   },
+  {
+    "action": "audit_log_streaming.check",
+    "description": "A manual check of the endpoint configured for audit log streaming was performed.",
+    "docs_reference_links": "N/A"
+  },
+  {
+    "action": "audit_log_streaming.create",
+    "description": "An endpoint was added for audit log streaming.",
+    "docs_reference_links": "N/A"
+  },
+  {
+    "action": "audit_log_streaming.destroy",
+    "description": "An audit log streaming endpoint was deleted.",
+    "docs_reference_links": "N/A"
+  },
+  {
+    "action": "audit_log_streaming.update",
+    "description": "An endpoint configuration was updated for audit log streaming, such as the stream was paused, enabled, or disabled.",
+    "docs_reference_links": "N/A"
+  },
   {
     "action": "billing.change_billing_type",
     "description": "The way the account pays for GitHub was changed.",

src/audit-logs/data/ghes-3.13/enterprise.json

@@ -39,6 +39,26 @@
     "description": "A workflow run artifact was manually deleted.",
     "docs_reference_links": "N/A"
   },
+  {
+    "action": "audit_log_streaming.check",
+    "description": "A manual check of the endpoint configured for audit log streaming was performed.",
+    "docs_reference_links": "N/A"
+  },
+  {
+    "action": "audit_log_streaming.create",
+    "description": "An endpoint was added for audit log streaming.",
+    "docs_reference_links": "N/A"
+  },
+  {
+    "action": "audit_log_streaming.destroy",
+    "description": "An audit log streaming endpoint was deleted.",
+    "docs_reference_links": "N/A"
+  },
+  {
+    "action": "audit_log_streaming.update",
+    "description": "An endpoint configuration was updated for audit log streaming, such as the stream was paused, enabled, or disabled.",
+    "docs_reference_links": "N/A"
+  },
   {
     "action": "billing.change_billing_type",
     "description": "The way the account pays for GitHub was changed.",

src/audit-logs/lib/config.json

@@ -3,5 +3,5 @@
     "apiOnlyEvents": "This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.",
     "apiRequestEvent": "This event is only available via audit log streaming."
   },
-  "sha": "2c44efa5301a678da66dfc2ef6646642ddfc3c1e"
+  "sha": "ade3f07f6be41a3c708b0a7e1d1afc565309f1aa"
 }

src/secret-scanning/lib/config.json

@@ -1,3 +1,3 @@
 {
-  "sha": "44240be9486b0bffa65fbc451b37ae3775858699"
+  "sha": "d9929cf86fbe567f045f18e66b874cc451447db9"
 }