From ecbb38c0bab7471271841a00130588adf7fc2486 Mon Sep 17 00:00:00 2001 From: Ashley Date: Thu, 12 Dec 2024 05:27:14 -0500 Subject: [PATCH 1/2] [Remove Quotes] Removes quotes from links in code-security folder (#53584) Co-authored-by: Ben Ahmady <32935794+subatoi@users.noreply.github.com> --- ...pting-github-advanced-security-at-scale.md | 6 +- ...lign-on-your-rollout-strategy-and-goals.md | 4 +- .../phase-2-preparing-to-enable-at-scale.md | 32 ++++---- .../phase-3-pilot-programs.md | 38 ++++----- .../phase-4-create-internal-documentation.md | 4 +- ...phase-5-rollout-and-scale-code-scanning.md | 22 ++--- ...ase-6-rollout-and-scale-secret-scanning.md | 24 +++--- ...ql-code-scanning-for-compiled-languages.md | 34 ++++---- ...-for-code-scanning-with-codeql-at-scale.md | 8 +- ...guring-advanced-setup-for-code-scanning.md | 34 ++++---- ...g-your-advanced-setup-for-code-scanning.md | 80 +++++++++---------- ...ing-codeql-code-scanning-in-a-container.md | 4 +- ...efault-setup-for-code-scanning-at-scale.md | 32 ++++---- ...iguring-default-setup-for-code-scanning.md | 32 ++++---- ...luating-default-setup-for-code-scanning.md | 10 +-- .../about-integration-with-code-scanning.md | 10 +-- .../sarif-support-for-code-scanning.md | 40 +++++----- .../uploading-a-sarif-file-to-github.md | 38 ++++----- ...e-scanning-with-your-existing-ci-system.md | 18 ++--- .../about-code-scanning-with-codeql.md | 18 ++--- .../about-code-scanning.md | 16 ++-- .../about-code-scanning-alerts.md | 16 ++-- ...ode-scanning-alerts-for-your-repository.md | 22 ++--- .../disabling-autofix-for-code-scanning.md | 4 +- .../fixing-alerts-in-security-campaign.md | 2 +- .../resolving-code-scanning-alerts.md | 18 ++--- .../responsible-use-autofix-code-scanning.md | 18 ++--- ...nning-alerts-in-issues-using-task-lists.md | 10 +-- ...g-code-scanning-alerts-in-pull-requests.md | 32 ++++---- .../about-the-tool-status-page.md | 20 ++--- .../codeql-query-suites.md | 8 +- ...guring-larger-runners-for-default-setup.md | 18 ++--- ...ing-your-configuration-of-default-setup.md | 18 ++--- .../set-code-scanning-merge-protection.md | 14 ++-- .../viewing-code-scanning-logs.md | 14 ++-- .../advanced-security-must-be-enabled.md | 4 +- .../analysis-takes-too-long.md | 14 ++-- .../automatic-build-failed.md | 6 +- .../c-sharp-compiler-unexpectedly-failing.md | 4 +- ...t-enable-codeql-in-a-private-repository.md | 4 +- .../default-setup-fails-with-a-language.md | 4 +- .../enabling-default-setup-takes-too-long.md | 2 +- .../fewer-lines-scanned-than-expected.md | 4 +- .../kotlin-detected-in-no-build.md | 10 +-- .../logs-not-detailed-enough.md | 6 +- .../no-source-code-seen-during-build.md | 10 +-- .../out-of-disk-or-memory.md | 6 +- .../resource-not-accessible.md | 6 +- .../results-different-than-expected.md | 2 +- .../some-languages-not-analyzed.md | 2 +- .../two-codeql-workflows.md | 4 +- .../unclear-what-triggered-a-workflow.md | 4 +- .../unnecessary-step-found.md | 2 +- .../file-too-large.md | 30 +++---- .../ghas-required.md | 2 +- .../missing-token.md | 2 +- .../results-exceed-limit.md | 18 ++--- .../sarif-invalid.md | 4 +- .../about-the-codeql-cli.md | 18 ++--- ...analyzing-your-code-with-codeql-queries.md | 38 ++++----- .../customizing-analysis-with-codeql-packs.md | 16 ++-- ...preparing-your-code-for-codeql-analysis.md | 22 ++--- .../setting-up-the-codeql-cli.md | 10 +-- ...ading-codeql-analysis-results-to-github.md | 24 +++--- .../about-codeql-workspaces.md | 8 +- .../advanced-setup-of-the-codeql-cli.md | 6 +- .../creating-and-working-with-codeql-packs.md | 16 ++-- .../creating-codeql-query-suites.md | 12 +-- .../csv-output.md | 2 +- .../exit-codes.md | 4 +- .../publishing-and-using-codeql-packs.md | 18 ++--- .../query-reference-files.md | 2 +- .../sarif-output.md | 2 +- .../testing-custom-queries.md | 14 ++-- .../testing-query-help-files.md | 8 +- ...sing-custom-queries-with-the-codeql-cli.md | 16 ++-- .../about-codeql-for-vs-code.md | 8 +- .../exploring-data-flow-with-path-queries.md | 8 +- .../installing-codeql-for-vs-code.md | 10 +-- .../managing-codeql-databases.md | 10 +-- ...-with-multi-repository-variant-analysis.md | 14 ++-- .../running-codeql-queries.md | 20 ++--- ...ning-problem-with-controller-repository.md | 2 +- .../configuring-access-to-the-codeql-cli.md | 6 +- .../creating-a-custom-query.md | 2 +- .../customizing-settings.md | 12 +-- .../managing-codeql-packs.md | 4 +- .../setting-up-a-codeql-workspace.md | 4 +- ...emetry-in-codeql-for-visual-studio-code.md | 8 +- .../testing-codeql-queries-in-vs-code.md | 10 +-- .../using-the-codeql-model-editor.md | 8 +- .../about-dependabot-alerts.md | 30 +++---- .../configuring-dependabot-alerts.md | 12 +-- ...ing-notifications-for-dependabot-alerts.md | 18 ++--- .../viewing-and-updating-dependabot-alerts.md | 36 ++++----- .../about-dependabot-auto-triage-rules.md | 10 +-- ...e-rules-to-prioritize-dependabot-alerts.md | 6 +- ...t-rules-to-prioritize-dependabot-alerts.md | 4 +- .../about-dependabot-security-updates.md | 20 ++--- ...configuring-dependabot-security-updates.md | 24 +++--- .../about-dependabot-version-updates.md | 10 +-- ...ion-options-for-the-dependabot.yml-file.md | 28 +++---- .../configuring-dependabot-version-updates.md | 12 +-- .../customizing-dependency-updates.md | 18 ++--- ...ndencies-configured-for-version-updates.md | 4 +- .../supported-ecosystems-and-repositories.md | 4 +- ...ut-dependabot-on-github-actions-runners.md | 24 +++--- ...tomating-dependabot-with-github-actions.md | 22 ++--- ...ss-to-private-registries-for-dependabot.md | 12 +-- ...on-of-private-registries-for-dependabot.md | 38 ++++----- ...your-actions-up-to-date-with-dependabot.md | 14 ++-- ...aging-dependabot-on-self-hosted-runners.md | 18 ++--- ...ng-pull-requests-for-dependency-updates.md | 10 +-- ...-dependabot-access-to-public-registries.md | 38 ++++----- .../troubleshooting-dependabot-errors.md | 34 ++++---- ...leshooting-dependabot-on-github-actions.md | 2 +- ...he-detection-of-vulnerable-dependencies.md | 24 +++--- ...ng-a-security-policy-to-your-repository.md | 10 +-- .../auditing-security-alerts.md | 18 ++--- ...venting-data-leaks-in-your-organization.md | 44 +++++----- .../dependabot-quickstart-guide.md | 34 ++++---- .../github-security-features.md | 32 ++++---- ...ickstart-for-securing-your-organization.md | 38 ++++----- ...quickstart-for-securing-your-repository.md | 34 ++++---- ...ing-ai-powered-generic-secret-detection.md | 2 +- ...m-patterns-with-copilot-secret-scanning.md | 2 +- .../responsible-ai-generic-secrets.md | 2 +- .../responsible-ai-regex-generator.md | 4 +- ...ing-push-protection-for-your-repository.md | 18 ++--- ...ing-secret-scanning-for-your-repository.md | 12 +-- ...ing-validity-checks-for-your-repository.md | 8 +- .../introduction/about-push-protection.md | 30 +++---- .../about-secret-scanning-for-partners.md | 8 +- .../introduction/about-secret-scanning.md | 40 +++++----- .../supported-secret-scanning-patterns.md | 20 ++--- .../about-alerts.md | 20 ++--- .../evaluating-alerts.md | 20 ++--- .../resolving-alerts.md | 12 +-- .../viewing-alerts.md | 16 ++-- .../secret-scanning-partner-program.md | 6 +- .../troubleshooting-secret-scanning.md | 4 +- ...ing-custom-patterns-for-secret-scanning.md | 32 ++++---- .../managing-custom-patterns.md | 6 +- ...ut-delegated-bypass-for-push-protection.md | 4 +- ...ng-delegated-bypass-for-push-protection.md | 18 ++--- ...ging-requests-to-bypass-push-protection.md | 8 +- ...-folders-and-files-from-secret-scanning.md | 2 +- ...cret-scanning-for-non-provider-patterns.md | 4 +- .../push-protection-for-users.md | 8 +- ...h-push-protection-from-the-command-line.md | 16 ++-- ...-with-push-protection-from-the-rest-api.md | 4 +- ...g-with-push-protection-in-the-github-ui.md | 8 +- ...pplying-a-custom-security-configuration.md | 6 +- ...rity-configuration-in-your-organization.md | 4 +- ...security-settings-for-your-organization.md | 22 ++--- ...reating-a-custom-security-configuration.md | 44 +++++----- .../about-security-campaigns.md | 4 +- .../best-practice-fix-alerts-at-scale.md | 6 +- .../creating-tracking-security-campaigns.md | 8 +- ...out-enabling-security-features-at-scale.md | 10 +-- ...ity-configuration-for-your-repositories.md | 4 +- ...eleting-a-custom-security-configuration.md | 2 +- ...ries-from-their-security-configurations.md | 6 +- ...editing-a-custom-security-configuration.md | 4 +- ...g-repositories-with-attachment-failures.md | 4 +- .../interpreting-security-findings.md | 24 +++--- ...-github-advanced-security-license-usage.md | 8 +- ...-using-advanced-setup-for-code-scanning.md | 4 +- ...nough-github-advanced-security-licenses.md | 4 +- ...-disclosure-of-security-vulnerabilities.md | 18 ++--- ...-writing-repository-security-advisories.md | 8 +- ...ately-reported-security-vulnerabilities.md | 4 +- ...tely-reporting-a-security-vulnerability.md | 8 +- .../about-global-security-advisories.md | 8 +- .../about-the-github-advisory-database.md | 12 +-- ...isories-in-the-github-advisory-database.md | 18 ++--- ...isories-in-the-github-advisory-database.md | 10 +-- .../about-repository-security-advisories.md | 16 ++-- ...rator-to-a-repository-security-advisory.md | 10 +-- ...lve-a-repository-security-vulnerability.md | 20 ++--- ...ulnerability-reporting-for-a-repository.md | 2 +- ...erability-reporting-for-an-organization.md | 6 +- ...creating-a-repository-security-advisory.md | 10 +-- ...deleting-a-repository-security-advisory.md | 2 +- .../editing-a-repository-security-advisory.md | 6 +- ...g-the-security-settings-of-a-repository.md | 4 +- ...vels-for-repository-security-advisories.md | 28 +++---- ...blishing-a-repository-security-advisory.md | 14 ++-- ...tor-from-a-repository-security-advisory.md | 4 +- .../about-security-overview.md | 40 +++++----- .../assessing-adoption-code-security.md | 20 ++--- .../assessing-code-security-risk.md | 8 +- ...rity-features-for-multiple-repositories.md | 14 ++-- .../filtering-alerts-in-security-overview.md | 8 +- ...wing-requests-to-bypass-push-protection.md | 6 +- ...viewing-metrics-for-pull-request-alerts.md | 2 +- ...ics-for-secret-scanning-push-protection.md | 6 +- .../viewing-security-insights.md | 20 ++--- .../end-to-end-supply-chain-overview.md | 8 +- .../securing-accounts.md | 36 ++++----- .../securing-builds.md | 14 ++-- .../end-to-end-supply-chain/securing-code.md | 24 +++--- .../about-dependency-review.md | 16 ++-- .../about-supply-chain-security.md | 38 ++++----- .../about-the-dependency-graph.md | 30 +++---- ...pendency-submission-for-your-repository.md | 20 ++--- .../configuring-the-dependency-graph.md | 12 +-- ...onfiguring-the-dependency-review-action.md | 2 +- ...-dependency-review-action-configuration.md | 8 +- ...ency-graph-supported-package-ecosystems.md | 8 +- ...ependency-review-across-an-organization.md | 10 +-- ...loring-the-dependencies-of-a-repository.md | 14 ++-- ...e-bill-of-materials-for-your-repository.md | 2 +- .../troubleshooting-the-dependency-graph.md | 12 +-- .../using-the-dependency-submission-api.md | 14 ++-- 215 files changed, 1505 insertions(+), 1505 deletions(-) diff --git a/content/code-security/adopting-github-advanced-security-at-scale/introduction-to-adopting-github-advanced-security-at-scale.md b/content/code-security/adopting-github-advanced-security-at-scale/introduction-to-adopting-github-advanced-security-at-scale.md index c5e0cf1a7ff8..775ec9f778e3 100644 --- a/content/code-security/adopting-github-advanced-security-at-scale/introduction-to-adopting-github-advanced-security-at-scale.md +++ b/content/code-security/adopting-github-advanced-security-at-scale/introduction-to-adopting-github-advanced-security-at-scale.md @@ -16,7 +16,7 @@ redirect_from: ## About these articles -{% data variables.product.prodname_GH_advanced_security %} (GHAS) helps teams build more secure code faster using integrated tooling such as secret scanning and code scanning using {% data variables.product.prodname_codeql %}. To understand the security features available through {% data variables.product.prodname_GH_advanced_security %}, see "[AUTOTITLE](/get-started/learning-about-github/about-github-advanced-security)." +{% data variables.product.prodname_GH_advanced_security %} (GHAS) helps teams build more secure code faster using integrated tooling such as secret scanning and code scanning using {% data variables.product.prodname_codeql %}. To understand the security features available through {% data variables.product.prodname_GH_advanced_security %}, see [AUTOTITLE](/get-started/learning-about-github/about-github-advanced-security). GHAS is a suite of tools that requires active participation from developers across your enterprise. To realize the best return on your investment, you must learn how to use, apply, and maintain GHAS. @@ -38,11 +38,11 @@ Enabling GHAS across a large organization can be broken down into six core phase ## {% data variables.contact.github_support %} and {% data variables.product.prodname_professional_services %} -If you encounter any issues or have any questions during your implementation, you can search our documentation for solutions or engage with {% data variables.contact.github_support %}. For more information, see "[AUTOTITLE](/support/learning-about-github-support/about-github-support)." +If you encounter any issues or have any questions during your implementation, you can search our documentation for solutions or engage with {% data variables.contact.github_support %}. For more information, see [AUTOTITLE](/support/learning-about-github-support/about-github-support). If you prefer to have guidance throughout the rollout process, {% data variables.product.prodname_professional_services_team %} can partner with you for a successful rollout and implementation of {% data variables.product.prodname_GH_advanced_security %}. We offer a variety of {% data variables.product.prodname_professional_services %} options for guidance and support. We also have training and bootcamps available to help your company to optimize the value of {% data variables.product.prodname_GH_advanced_security %}. Speak with your sales representative for more information about all the {% data variables.product.prodname_professional_services %} options available. For more information, contact {% data variables.contact.contact_enterprise_sales %}. > [!NOTE] -> For the first article in this series, see "[AUTOTITLE](/code-security/adopting-github-advanced-security-at-scale/phase-1-align-on-your-rollout-strategy-and-goals)." +> For the first article in this series, see [AUTOTITLE](/code-security/adopting-github-advanced-security-at-scale/phase-1-align-on-your-rollout-strategy-and-goals). diff --git a/content/code-security/adopting-github-advanced-security-at-scale/phase-1-align-on-your-rollout-strategy-and-goals.md b/content/code-security/adopting-github-advanced-security-at-scale/phase-1-align-on-your-rollout-strategy-and-goals.md index 5ed2ae1fb12a..205eb0e3a8f2 100644 --- a/content/code-security/adopting-github-advanced-security-at-scale/phase-1-align-on-your-rollout-strategy-and-goals.md +++ b/content/code-security/adopting-github-advanced-security-at-scale/phase-1-align-on-your-rollout-strategy-and-goals.md @@ -10,7 +10,7 @@ shortTitle: 1. Align on strategy --- > [!NOTE] -> This article is part of a series on adopting {% data variables.product.prodname_GH_advanced_security %} at scale. For the introduction to this series, see "[AUTOTITLE](/code-security/adopting-github-advanced-security-at-scale/introduction-to-adopting-github-advanced-security-at-scale)." +> This article is part of a series on adopting {% data variables.product.prodname_GH_advanced_security %} at scale. For the introduction to this series, see [AUTOTITLE](/code-security/adopting-github-advanced-security-at-scale/introduction-to-adopting-github-advanced-security-at-scale). ## Set clear goals for your company’s rollout @@ -59,4 +59,4 @@ If your company is interested in custom {% data variables.product.prodname_codeq When {% data variables.product.prodname_code_scanning %} is run from a pull request, the scan will include the full codebase and not just the changes made in the pull request. Scanning the entire codebase is an important step to ensure the change has been reviewed against all interactions in the codebase. > [!NOTE] -> For the next article in this series, see "[AUTOTITLE](/code-security/adopting-github-advanced-security-at-scale/phase-2-preparing-to-enable-at-scale)." +> For the next article in this series, see [AUTOTITLE](/code-security/adopting-github-advanced-security-at-scale/phase-2-preparing-to-enable-at-scale). diff --git a/content/code-security/adopting-github-advanced-security-at-scale/phase-2-preparing-to-enable-at-scale.md b/content/code-security/adopting-github-advanced-security-at-scale/phase-2-preparing-to-enable-at-scale.md index 388b319fdc71..159ed7e8bcc3 100644 --- a/content/code-security/adopting-github-advanced-security-at-scale/phase-2-preparing-to-enable-at-scale.md +++ b/content/code-security/adopting-github-advanced-security-at-scale/phase-2-preparing-to-enable-at-scale.md @@ -10,11 +10,11 @@ shortTitle: 2. Preparation --- > [!NOTE] -> This article is part of a series on adopting {% data variables.product.prodname_GH_advanced_security %} at scale. For the previous article in this series, see "[AUTOTITLE](/code-security/adopting-github-advanced-security-at-scale/phase-1-align-on-your-rollout-strategy-and-goals)." +> This article is part of a series on adopting {% data variables.product.prodname_GH_advanced_security %} at scale. For the previous article in this series, see [AUTOTITLE](/code-security/adopting-github-advanced-security-at-scale/phase-1-align-on-your-rollout-strategy-and-goals). ## Preparing to enable {% data variables.product.prodname_code_scanning %} -{% data reusables.code-scanning.about-code-scanning %} For more information, see "[AUTOTITLE](/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning)." +{% data reusables.code-scanning.about-code-scanning %} For more information, see [AUTOTITLE](/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning). Rolling {% data variables.product.prodname_code_scanning %} out across hundreds of repositories can be difficult, especially when done inefficiently. Following these steps will ensure your rollout is both efficient and successful.{% ifversion default-setup-ghas-enablement %}{% else %} As part of your preparation, you will work with your teams, use automation to collect data about your repositories, and enable {% data variables.product.prodname_code_scanning %}.{% endif %} @@ -26,9 +26,9 @@ Rolling {% data variables.product.prodname_code_scanning %} out across hundreds First, prepare your teams to use {% data variables.product.prodname_code_scanning %}. The more teams that use {% data variables.product.prodname_code_scanning %}, the more data you'll have to drive remediation plans and monitor progress on your rollout.{% ifversion default-setup-ghas-enablement %} For an introduction to {% data variables.product.prodname_code_scanning %}, see: -* "[AUTOTITLE](/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning)" -* "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/about-code-scanning-alerts)" -* "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/assessing-code-scanning-alerts-for-your-repository)" +* [AUTOTITLE](/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning) +* [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/about-code-scanning-alerts) +* [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/assessing-code-scanning-alerts-for-your-repository) {% else %} During this phase, you should focus on leveraging APIs and running internal enablement events.{% endif %} Your core focus should be preparing as many teams to use {% data variables.product.prodname_code_scanning %} as possible. You can also encourage teams to remediate appropriately, but we recommend prioritizing enablement and use of {% data variables.product.prodname_code_scanning %} over fixing issues during this phase. @@ -40,7 +40,7 @@ Your core focus should be preparing as many teams to use {% data variables.produ You can programmatically gather information about the different programming languages used in your repositories and use that data to enable {% data variables.product.prodname_code_scanning %} on all repositories that use the same language, using {% data variables.product.product_name %}'s GraphQL API. > [!NOTE] -> To gather this data without manually running the GraphQL queries described in this article, you can use our publicly available tool. For more information, see the "[ghas-enablement tool](https://github.com/NickLiffen/ghas-enablement)" repository. +> To gather this data without manually running the GraphQL queries described in this article, you can use our publicly available tool. For more information, see the [ghas-enablement tool](https://github.com/NickLiffen/ghas-enablement) repository. If you want to gather information from repositories belonging to multiple organizations in your enterprise, you can use the query below to obtain the names of your organizations and then feed those into repository query. Replace OCTO-ENTERPRISE with your enterprise name. @@ -86,7 +86,7 @@ query { } ``` -For more information about running GraphQL queries, see "[AUTOTITLE](/graphql/guides/forming-calls-with-graphql)." +For more information about running GraphQL queries, see [AUTOTITLE](/graphql/guides/forming-calls-with-graphql). Then, convert the data from the GraphQL query into a readable format, such as a table. @@ -116,7 +116,7 @@ An understanding of which repositories are using which languages will help you i ### Enabling {% data variables.product.prodname_code_scanning %} for your appliance -Before you can proceed with pilot programs and rolling out {% data variables.product.prodname_code_scanning %} across your enterprise, you must first enable {% data variables.product.prodname_code_scanning %} for your appliance. For more information, see "[AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/configuring-code-scanning-for-your-appliance)." +Before you can proceed with pilot programs and rolling out {% data variables.product.prodname_code_scanning %} across your enterprise, you must first enable {% data variables.product.prodname_code_scanning %} for your appliance. For more information, see [AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/configuring-code-scanning-for-your-appliance). {% endif %} @@ -125,9 +125,9 @@ Before you can proceed with pilot programs and rolling out {% data variables.pro > [!NOTE] > When a secret is detected in a repository that has enabled {% data variables.product.prodname_secret_scanning %}, {% data variables.product.prodname_dotcom %} alerts all users with access to security alerts for the repository. {% ifversion ghec %} > -> Secrets found in public repositories using {% data variables.secret-scanning.partner_alerts %} are reported directly to the partner, without creating an alert on {% data variables.product.product_name %}. For details about the supported partner patterns, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)."{% endif %} +> Secrets found in public repositories using {% data variables.secret-scanning.partner_alerts %} are reported directly to the partner, without creating an alert on {% data variables.product.product_name %}. For details about the supported partner patterns, see [AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets).{% endif %} -If a project communicates with an external service, it might use a token or private key for authentication. If you check a secret into a repository, anyone who has read access to the repository can use the secret to access the external service with your privileges. {% data variables.product.prodname_secret_scanning_caps %} will scan your entire Git history on all branches present in your {% data variables.product.prodname_dotcom %} repositories for secrets and alert you or block the push containing the secret. For more information, see "[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning)." +If a project communicates with an external service, it might use a token or private key for authentication. If you check a secret into a repository, anyone who has read access to the repository can use the secret to access the external service with your privileges. {% data variables.product.prodname_secret_scanning_caps %} will scan your entire Git history on all branches present in your {% data variables.product.prodname_dotcom %} repositories for secrets and alert you or block the push containing the secret. For more information, see [AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning). {% ifversion ghec %}{% data variables.secret-scanning.partner_alerts_caps %} runs automatically on public repositories and public npm packages to notify service providers about leaked secrets on {% data variables.product.prodname_dotcom %}. @@ -145,17 +145,17 @@ Enabling {% data variables.product.prodname_secret_scanning %} for all repositor If you are enabling {% data variables.product.prodname_secret_scanning %} on a large organization, be prepared to see a high number of secrets found. Sometimes this comes as a shock to organizations and the alarm is raised. If you would like to turn on {% data variables.product.prodname_secret_scanning %} across all repositories at once, plan for how you will respond to multiple alerts across the organization. -{% data variables.product.prodname_secret_scanning_caps %} can be enabled for individual repositories. For more information, see "[AUTOTITLE](/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository)." {% data variables.product.prodname_secret_scanning_caps %} can also be enabled for all repositories in your organization, as described above. For more information on enabling for all repositories, see "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization)." +{% data variables.product.prodname_secret_scanning_caps %} can be enabled for individual repositories. For more information, see [AUTOTITLE](/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository). {% data variables.product.prodname_secret_scanning_caps %} can also be enabled for all repositories in your organization, as described above. For more information on enabling for all repositories, see [AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization). ### Custom patterns for {% data variables.product.prodname_secret_scanning %} -{% data variables.product.prodname_secret_scanning_caps %} detects a large number of default patterns but can also be configured to detect custom patterns, such as secret formats unique to your infrastructure or used by integrators that {% data variables.product.product_name %}'s {% data variables.product.prodname_secret_scanning %} does not currently detect. For more information about supported secrets for partner patterns, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns)." +{% data variables.product.prodname_secret_scanning_caps %} detects a large number of default patterns but can also be configured to detect custom patterns, such as secret formats unique to your infrastructure or used by integrators that {% data variables.product.product_name %}'s {% data variables.product.prodname_secret_scanning %} does not currently detect. For more information about supported secrets for partner patterns, see [AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns). -As you audit your repositories and speak to security and developer teams, build a list of the secret types that you will later use to configure custom patterns for {% data variables.product.prodname_secret_scanning %}. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning)." +As you audit your repositories and speak to security and developer teams, build a list of the secret types that you will later use to configure custom patterns for {% data variables.product.prodname_secret_scanning %}. For more information, see [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning). ### Push protection for {% data variables.product.prodname_secret_scanning %} -Push protection for organizations and repositories instructs {% data variables.product.prodname_secret_scanning %} to check pushes for supported secrets _before_ secrets are committed to the codebase. For information on which secrets are supported, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)." +Push protection for organizations and repositories instructs {% data variables.product.prodname_secret_scanning %} to check pushes for supported secrets _before_ secrets are committed to the codebase. For information on which secrets are supported, see [AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets). If a secret is detected in a push, that push is blocked. {% data variables.product.prodname_secret_scanning_caps %} lists any secrets it detects so the author can review the secrets and remove them or, if needed, allow those secrets to be pushed. {% data reusables.secret-scanning.push-protection-custom-pattern %} @@ -167,7 +167,7 @@ Before enabling push protection, consider whether you need to create guidance fo Next, familiarize yourself with the different options for managing and monitoring alerts that are the result of a contributor bypassing push protection. -For more information, see "[AUTOTITLE](/code-security/secret-scanning/introduction/about-push-protection)." +For more information, see [AUTOTITLE](/code-security/secret-scanning/introduction/about-push-protection). > [!NOTE] -> For the next article in this series, see "[AUTOTITLE](/code-security/adopting-github-advanced-security-at-scale/phase-3-pilot-programs)." +> For the next article in this series, see [AUTOTITLE](/code-security/adopting-github-advanced-security-at-scale/phase-3-pilot-programs). diff --git a/content/code-security/adopting-github-advanced-security-at-scale/phase-3-pilot-programs.md b/content/code-security/adopting-github-advanced-security-at-scale/phase-3-pilot-programs.md index dcf6aaeb517f..95e4f5c37431 100644 --- a/content/code-security/adopting-github-advanced-security-at-scale/phase-3-pilot-programs.md +++ b/content/code-security/adopting-github-advanced-security-at-scale/phase-3-pilot-programs.md @@ -10,7 +10,7 @@ shortTitle: 3. Pilot programs --- > [!NOTE] -> This article is part of a series on adopting {% data variables.product.prodname_GH_advanced_security %} at scale. For the previous article in this series, see "[AUTOTITLE](/code-security/adopting-github-advanced-security-at-scale/phase-2-preparing-to-enable-at-scale)." +> This article is part of a series on adopting {% data variables.product.prodname_GH_advanced_security %} at scale. For the previous article in this series, see [AUTOTITLE](/code-security/adopting-github-advanced-security-at-scale/phase-2-preparing-to-enable-at-scale). ## About pilot programs @@ -22,7 +22,7 @@ Before you start your pilot projects, we recommend that you schedule some meetin {% ifversion ghes %} -If you haven't already enabled GHAS for your {% data variables.product.prodname_ghe_server %} instance, see "[AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/enabling-github-advanced-security-for-your-enterprise)." +If you haven't already enabled GHAS for your {% data variables.product.prodname_ghe_server %} instance, see [AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/enabling-github-advanced-security-for-your-enterprise). {% endif %} @@ -38,32 +38,32 @@ If you haven't already enabled GHAS for your {% data variables.product.prodname_ {% ifversion ghes %} -To enable {% data variables.product.prodname_code_scanning %} on your {% data variables.product.prodname_ghe_server %} instance, see "[AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/configuring-code-scanning-for-your-appliance)." +To enable {% data variables.product.prodname_code_scanning %} on your {% data variables.product.prodname_ghe_server %} instance, see [AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/configuring-code-scanning-for-your-appliance). {% endif %} {% ifversion default-setup-ghas-enablement %} -You can quickly configure default setup for {% data variables.product.prodname_code_scanning %} across multiple repositories in an organization using security overview. For more information, see "[AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale#configuring-default-setup-for-a-subset-of-repositories-in-an-organization)." +You can quickly configure default setup for {% data variables.product.prodname_code_scanning %} across multiple repositories in an organization using security overview. For more information, see [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale#configuring-default-setup-for-a-subset-of-repositories-in-an-organization). You can also choose to enable {% data variables.product.prodname_code_scanning %} for all repositories in an organization, but we recommend configuring {% data variables.product.prodname_code_scanning %} on a subset of high-impact repositories for your pilot program. {% data reusables.advanced-security.enable-default-setup-first %} {% else %} You can run {% data variables.product.prodname_code_scanning %} on a repository by creating a {% data variables.product.prodname_actions %} workflow to run the [{% data variables.product.prodname_codeql %} action](https://github.com/github/codeql-action/). For more information about {% data variables.product.prodname_actions %}, see: -* "[AUTOTITLE](/actions/learn-github-actions)" -* "[AUTOTITLE](/actions/learn-github-actions/understanding-github-actions)" -* "[AUTOTITLE](/actions/using-workflows/events-that-trigger-workflows)" -* "[AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#filter-pattern-cheat-sheet)" +* [AUTOTITLE](/actions/learn-github-actions) +* [AUTOTITLE](/actions/learn-github-actions/understanding-github-actions) +* [AUTOTITLE](/actions/using-workflows/events-that-trigger-workflows) +* [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#filter-pattern-cheat-sheet) -We recommend enabling {% data variables.product.prodname_code_scanning %} on a repository-by-repository basis as part of your pilot program. For more information, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning)." +We recommend enabling {% data variables.product.prodname_code_scanning %} on a repository-by-repository basis as part of your pilot program. For more information, see [AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning). If you want to enable {% data variables.product.prodname_code_scanning %} for many repositories, you may want to script the process. For an example of a script that opens pull requests to add a {% data variables.product.prodname_actions %} workflow to multiple repositories, see the [`jhutchings1/Create-ActionsPRs`](https://github.com/jhutchings1/Create-ActionsPRs) repository for an example using PowerShell, or [`nickliffen/ghas-enablement`](https://github.com/NickLiffen/ghas-enablement) for teams who do not have PowerShell and instead would like to use NodeJS. -When running initial code scans, you may find that no results are found or that an unusual number of results are returned. You may want to adjust what is flagged in future scans. For more information, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning)." +When running initial code scans, you may find that no results are found or that an unusual number of results are returned. You may want to adjust what is flagged in future scans. For more information, see [AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning). {% endif %} -If your company wants to use other third-party code analysis tools with {% data variables.product.prodname_dotcom %} {% data variables.product.prodname_code_scanning %}, you can use actions to run those tools within {% data variables.product.prodname_dotcom %}. Alternatively, you can upload results, which are generated by third-party tools as SARIF files, to {% data variables.product.prodname_code_scanning %}. For more information, see "[AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning)." +If your company wants to use other third-party code analysis tools with {% data variables.product.prodname_dotcom %} {% data variables.product.prodname_code_scanning %}, you can use actions to run those tools within {% data variables.product.prodname_dotcom %}. Alternatively, you can upload results, which are generated by third-party tools as SARIF files, to {% data variables.product.prodname_code_scanning %}. For more information, see [AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning). ## Piloting {% data variables.product.prodname_secret_scanning %} @@ -71,7 +71,7 @@ If your company wants to use other third-party code analysis tools with {% data {% ifversion ghes %} -To enable secret scanning for your {% data variables.product.prodname_ghe_server %} instance, see "[AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/configuring-secret-scanning-for-your-appliance)." +To enable secret scanning for your {% data variables.product.prodname_ghe_server %} instance, see [AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/configuring-secret-scanning-for-your-appliance). {% endif %} @@ -79,17 +79,17 @@ To enable secret scanning for your {% data variables.product.prodname_ghe_server {% ifversion security-configurations-cloud %} -You need to enable {% data variables.product.prodname_secret_scanning %} and push protection for each pilot project. You can do this with the {% data variables.product.prodname_github_security_configuration %}, or you can create a {% data variables.product.prodname_custom_security_configuration %}. For more information, see "[AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/applying-the-github-recommended-security-configuration-in-your-organization)" and "[AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/creating-a-custom-security-configuration)." +You need to enable {% data variables.product.prodname_secret_scanning %} and push protection for each pilot project. You can do this with the {% data variables.product.prodname_github_security_configuration %}, or you can create a {% data variables.product.prodname_custom_security_configuration %}. For more information, see [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/applying-the-github-recommended-security-configuration-in-your-organization) and [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/creating-a-custom-security-configuration). {% elsif security-configurations-ghes-only %} -You need to enable {% data variables.product.prodname_secret_scanning %} and push protection for each pilot project. You can do this with a {% data variables.product.prodname_security_configuration %}. For more information, see "[AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/creating-a-custom-security-configuration)." +You need to enable {% data variables.product.prodname_secret_scanning %} and push protection for each pilot project. You can do this with a {% data variables.product.prodname_security_configuration %}. For more information, see [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/creating-a-custom-security-configuration). {% endif %} {% else %} -You need to enable {% data variables.product.prodname_secret_scanning %} for each pilot project, either by enabling the feature for each repository or for all repositories in any organizations taking part in the project. For more information, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository)" or "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization)." +You need to enable {% data variables.product.prodname_secret_scanning %} for each pilot project, either by enabling the feature for each repository or for all repositories in any organizations taking part in the project. For more information, see [AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository) or [AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization). Next, enable push protection for each pilot project. @@ -99,13 +99,13 @@ If you plan to configure a link to a resource in the message that's displayed wh {%- ifversion security-overview-push-protection-metrics-page %} -Start to review activity using the push protection metrics page in security overview. For more information, see "[AUTOTITLE](/code-security/security-overview/viewing-metrics-for-secret-scanning-push-protection)." +Start to review activity using the push protection metrics page in security overview. For more information, see [AUTOTITLE](/code-security/security-overview/viewing-metrics-for-secret-scanning-push-protection). {%- endif %} -If you have collated any custom patterns specific to your enterprise, especially any related to the projects piloting {% data variables.product.prodname_secret_scanning %}, you can configure those. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning)." +If you have collated any custom patterns specific to your enterprise, especially any related to the projects piloting {% data variables.product.prodname_secret_scanning %}, you can configure those. For more information, see [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning). -To learn how to view and close alerts for secrets checked into your repository, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning)." +To learn how to view and close alerts for secrets checked into your repository, see [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning). > [!NOTE] -> For the next article in this series, see "[AUTOTITLE](/code-security/adopting-github-advanced-security-at-scale/phase-4-create-internal-documentation)." +> For the next article in this series, see [AUTOTITLE](/code-security/adopting-github-advanced-security-at-scale/phase-4-create-internal-documentation). diff --git a/content/code-security/adopting-github-advanced-security-at-scale/phase-4-create-internal-documentation.md b/content/code-security/adopting-github-advanced-security-at-scale/phase-4-create-internal-documentation.md index ff4a4de30693..88b04445eb93 100644 --- a/content/code-security/adopting-github-advanced-security-at-scale/phase-4-create-internal-documentation.md +++ b/content/code-security/adopting-github-advanced-security-at-scale/phase-4-create-internal-documentation.md @@ -10,7 +10,7 @@ shortTitle: 4. Create internal documentation --- > [!NOTE] -> This article is part of a series on adopting {% data variables.product.prodname_GH_advanced_security %} at scale. For the previous article in this series, see "[AUTOTITLE](/code-security/adopting-github-advanced-security-at-scale/phase-3-pilot-programs)." +> This article is part of a series on adopting {% data variables.product.prodname_GH_advanced_security %} at scale. For the previous article in this series, see [AUTOTITLE](/code-security/adopting-github-advanced-security-at-scale/phase-3-pilot-programs). Before enabling {% data variables.product.prodname_GH_advanced_security %}, you should create internal documentation that defines processes for teams to follow. Everyone needs to know what to do when they receive a security alert, even if the process simply asks the team to apply their best judgment. Documentation will also prevent developers from getting blocked when they have questions. You should put the documentation about GHAS with existing developer-focused documentation, such as your developer portal or custom knowledge base. @@ -21,4 +21,4 @@ If you skip creating internal documentation, your rollout won’t go at your int Education is probably the most crucial part of the rollout as it teaches developers what to do in different situations. You should ensure developers are empowered to maintain the security of their repository and that the security team are authorized to verify both what developers are doing and that it's in the best interest of security. In addition to internal documentation, education can take the form of online sessions, Q&As, etc. > [!NOTE] -> For the next article in this series, see "[AUTOTITLE](/code-security/adopting-github-advanced-security-at-scale/phase-5-rollout-and-scale-code-scanning)." +> For the next article in this series, see [AUTOTITLE](/code-security/adopting-github-advanced-security-at-scale/phase-5-rollout-and-scale-code-scanning). diff --git a/content/code-security/adopting-github-advanced-security-at-scale/phase-5-rollout-and-scale-code-scanning.md b/content/code-security/adopting-github-advanced-security-at-scale/phase-5-rollout-and-scale-code-scanning.md index fc005d69dcc8..645e11c6a71e 100644 --- a/content/code-security/adopting-github-advanced-security-at-scale/phase-5-rollout-and-scale-code-scanning.md +++ b/content/code-security/adopting-github-advanced-security-at-scale/phase-5-rollout-and-scale-code-scanning.md @@ -10,7 +10,7 @@ shortTitle: 5. Rollout code scanning --- > [!NOTE] -> This article is part of a series on adopting {% data variables.product.prodname_GH_advanced_security %} at scale. For the previous article in this series, see "[AUTOTITLE](/code-security/adopting-github-advanced-security-at-scale/phase-4-create-internal-documentation)." +> This article is part of a series on adopting {% data variables.product.prodname_GH_advanced_security %} at scale. For the previous article in this series, see [AUTOTITLE](/code-security/adopting-github-advanced-security-at-scale/phase-4-create-internal-documentation). {% ifversion security-configurations %} @@ -21,15 +21,15 @@ shortTitle: 5. Rollout code scanning ## Enabling code scanning {% ifversion default-setup-ghas-enablement %} -After piloting {% data variables.product.prodname_code_scanning %} and creating internal documentation for best practices, you can enable {% data variables.product.prodname_code_scanning %} across your company. You can configure {% data variables.product.prodname_code_scanning %} default setup for all repositories in an organization from security overview. For more information, see "[AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale#configuring-default-setup-for-all-eligible-repositories-in-an-organization)." +After piloting {% data variables.product.prodname_code_scanning %} and creating internal documentation for best practices, you can enable {% data variables.product.prodname_code_scanning %} across your company. You can configure {% data variables.product.prodname_code_scanning %} default setup for all repositories in an organization from security overview. For more information, see [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale#configuring-default-setup-for-all-eligible-repositories-in-an-organization). {% data reusables.advanced-security.enable-default-setup-first %} {% else %} Using the data you collated in [Phase 2](/code-security/adopting-github-advanced-security-at-scale/phase-2-preparing-to-enable-at-scale), you can begin to enable GHAS and then {% data variables.product.prodname_code_scanning %} on your repositories, one language at a time. The step-by-step process for enabling GHAS should look like this: -1. Enable GHAS on the repository. For more information, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository)." -1. Create a pull request against the repository's default branch with a `codeql-analysis.yml` file containing an example of how to run {% data variables.product.prodname_codeql %} for that language. For more information, see "[AUTOTITLE](/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/creating-a-pull-request)." -1. Create an issue in the repository to explain why a pull request has been raised. The issue you create can contain a link to the previous communication sent to all users, but can also explain what changes the pull request introduces, what next steps the team have to take, what the team's responsibilities are, and how the team should be using {% data variables.product.prodname_code_scanning %}. For more information, see "[AUTOTITLE](/issues/tracking-your-work-with-issues/creating-an-issue)." +1. Enable GHAS on the repository. For more information, see [AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository). +1. Create a pull request against the repository's default branch with a `codeql-analysis.yml` file containing an example of how to run {% data variables.product.prodname_codeql %} for that language. For more information, see [AUTOTITLE](/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/creating-a-pull-request). +1. Create an issue in the repository to explain why a pull request has been raised. The issue you create can contain a link to the previous communication sent to all users, but can also explain what changes the pull request introduces, what next steps the team have to take, what the team's responsibilities are, and how the team should be using {% data variables.product.prodname_code_scanning %}. For more information, see [AUTOTITLE](/issues/tracking-your-work-with-issues/creating-an-issue). There is a publicly available tool that completes the first two steps called the [ghas-enablement tool](https://github.com/NickLiffen/ghas-enablement). You can re-run the ghas-enablement tool in batches of languages where it makes sense. For example, JavaScript, TypeScript, Python, and Go likely have a similar build process and could therefore use a similar {% data variables.product.prodname_codeql %} analysis file. The ghas-enablement tool can also be used for languages such as Java, C, and C++, but due to the varied nature of how these languages build and compile you may need to create more targeted {% data variables.product.prodname_codeql %} analysis files. @@ -46,9 +46,9 @@ You should capture the pull request URLs created by automation, and check each w {% ifversion default-setup-ghas-enablement %} To successfully manage and use {% data variables.product.prodname_code_scanning %} across your company, you should build internal subject matter expertise. For default setup for {% data variables.product.prodname_code_scanning %}, one of the most important areas for subject matter experts (SMEs) to understand is interpreting and fixing {% data variables.product.prodname_code_scanning %} alerts. For more information about {% data variables.product.prodname_code_scanning %} alerts, see: -* "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/about-code-scanning-alerts)" -* "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/assessing-code-scanning-alerts-for-your-repository)" -* "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/resolving-code-scanning-alerts)" +* [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/about-code-scanning-alerts) +* [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/assessing-code-scanning-alerts-for-your-repository) +* [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/resolving-code-scanning-alerts) You'll also need SMEs if you need to use advanced setup for {% data variables.product.prodname_code_scanning %}. These SMEs will need knowledge of {% data variables.product.prodname_code_scanning %} alerts, as well as topics like {% data variables.product.prodname_actions %} and customizing {% data variables.product.prodname_code_scanning %} workflows for particular frameworks. For custom configurations of advanced setup, consider running meetings on complicated topics to scale the knowledge of several SMEs at once. {% else %} @@ -65,15 +65,15 @@ You can use the data you have collected about the distribution of different lang {% ifversion security-overview-org-codeql-pr-alerts %} -For {% data variables.product.prodname_code_scanning %} alerts from {% data variables.product.prodname_codeql %} analysis, you can use security overview to see how {% data variables.product.prodname_codeql %} is performing in pull requests in repositories across your organization, and to identify repositories where you may need to take action. For more information, see "[AUTOTITLE](/code-security/security-overview/viewing-metrics-for-pull-request-alerts)." +For {% data variables.product.prodname_code_scanning %} alerts from {% data variables.product.prodname_codeql %} analysis, you can use security overview to see how {% data variables.product.prodname_codeql %} is performing in pull requests in repositories across your organization, and to identify repositories where you may need to take action. For more information, see [AUTOTITLE](/code-security/security-overview/viewing-metrics-for-pull-request-alerts). {% endif %} {% ifversion copilot-chat-ghas-alerts %} -With a {% data variables.product.prodname_copilot_enterprise %} license, you can also ask {% data variables.product.prodname_copilot_chat %} for help to better understand {% data variables.product.prodname_code_scanning %} alerts in repositories in your organization. For more information, see "[AUTOTITLE](/copilot/using-github-copilot/asking-github-copilot-questions-in-githubcom#asking-questions-about-alerts-from-github-advanced-security-features)." +With a {% data variables.product.prodname_copilot_enterprise %} license, you can also ask {% data variables.product.prodname_copilot_chat %} for help to better understand {% data variables.product.prodname_code_scanning %} alerts in repositories in your organization. For more information, see [AUTOTITLE](/copilot/using-github-copilot/asking-github-copilot-questions-in-githubcom#asking-questions-about-alerts-from-github-advanced-security-features). {% endif %} > [!NOTE] -> For the next article in this series, see "[AUTOTITLE](/code-security/adopting-github-advanced-security-at-scale/phase-6-rollout-and-scale-secret-scanning)." +> For the next article in this series, see [AUTOTITLE](/code-security/adopting-github-advanced-security-at-scale/phase-6-rollout-and-scale-secret-scanning). diff --git a/content/code-security/adopting-github-advanced-security-at-scale/phase-6-rollout-and-scale-secret-scanning.md b/content/code-security/adopting-github-advanced-security-at-scale/phase-6-rollout-and-scale-secret-scanning.md index b75f5e15e965..5429f9dd8ba6 100644 --- a/content/code-security/adopting-github-advanced-security-at-scale/phase-6-rollout-and-scale-secret-scanning.md +++ b/content/code-security/adopting-github-advanced-security-at-scale/phase-6-rollout-and-scale-secret-scanning.md @@ -10,9 +10,9 @@ shortTitle: 6. Rollout secret scanning --- > [!NOTE] -> This article is part of a series on adopting {% data variables.product.prodname_GH_advanced_security %} at scale. For the previous article in this series, see "[AUTOTITLE](/code-security/adopting-github-advanced-security-at-scale/phase-5-rollout-and-scale-code-scanning)." +> This article is part of a series on adopting {% data variables.product.prodname_GH_advanced_security %} at scale. For the previous article in this series, see [AUTOTITLE](/code-security/adopting-github-advanced-security-at-scale/phase-5-rollout-and-scale-code-scanning). -You can enable secret scanning for individual repositories or for all repositories in an organization or enterprise. For more information, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository)", "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization)", or "[AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise)." +You can enable secret scanning for individual repositories or for all repositories in an organization or enterprise. For more information, see [AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository), [AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization), or [AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise). {% ifversion security-configurations %} @@ -24,7 +24,7 @@ This article explains a high-level process focusing on enabling {% data variable {% ifversion copilot-chat-ghas-alerts %} -With a {% data variables.product.prodname_copilot_enterprise %} license, you can also ask {% data variables.product.prodname_copilot_chat %} for help to better understand {% data variables.product.prodname_secret_scanning %} alerts in repositories in your organization. For more information, see "[AUTOTITLE](/copilot/using-github-copilot/asking-github-copilot-questions-in-githubcom#asking-questions-about-alerts-from-github-advanced-security-features)." +With a {% data variables.product.prodname_copilot_enterprise %} license, you can also ask {% data variables.product.prodname_copilot_chat %} for help to better understand {% data variables.product.prodname_secret_scanning %} alerts in repositories in your organization. For more information, see [AUTOTITLE](/copilot/using-github-copilot/asking-github-copilot-questions-in-githubcom#asking-questions-about-alerts-from-github-advanced-security-features). {% endif %} @@ -34,7 +34,7 @@ When you enable {% data variables.product.prodname_secret_scanning %}, you shoul There are a few approaches for tackling newly committed credentials, but one example approach would be: -1. **Notify:** Use webhooks to ensure that any new secret alerts are seen by the right teams as quickly as possible. A webhook fires when a secret alert is either created, resolved, or reopened. You can then parse the webhook payload, and integrate it into any tools you and your team use such Slack, Teams, Splunk, or email. For more information, see "[AUTOTITLE](/webhooks-and-events/webhooks/about-webhooks)" and "[AUTOTITLE](/webhooks-and-events/webhooks/webhook-events-and-payloads#secret_scanning_alert)." +1. **Notify:** Use webhooks to ensure that any new secret alerts are seen by the right teams as quickly as possible. A webhook fires when a secret alert is either created, resolved, or reopened. You can then parse the webhook payload, and integrate it into any tools you and your team use such Slack, Teams, Splunk, or email. For more information, see [AUTOTITLE](/webhooks-and-events/webhooks/about-webhooks) and [AUTOTITLE](/webhooks-and-events/webhooks/webhook-events-and-payloads#secret_scanning_alert). 1. **Follow Up:** Create a high-level remediation process that works for all secret types. For example, you could contact the developer who committed the secret and their technical lead on that project, highlighting the dangers of committing secrets to {% data variables.product.prodname_dotcom %}, and asking the them to revoke, and update the detected secret. > [!NOTE] @@ -49,17 +49,17 @@ Repeat the last two steps for any new secrets leaked. This process encourages de ## 2. Enable push protection -Once you have enabled {% data variables.product.prodname_secret_scanning %}, you should also enable push protection. With push protection, {% data variables.product.prodname_secret_scanning %} checks pushes for supported secrets and blocks pushes to {% data variables.product.prodname_dotcom %} _before_ the secrets are exposed to other users. For information on how to enable push protection, see "[AUTOTITLE](/code-security/secret-scanning/enabling-secret-scanning-features/enabling-push-protection-for-your-repository)." +Once you have enabled {% data variables.product.prodname_secret_scanning %}, you should also enable push protection. With push protection, {% data variables.product.prodname_secret_scanning %} checks pushes for supported secrets and blocks pushes to {% data variables.product.prodname_dotcom %} _before_ the secrets are exposed to other users. For information on how to enable push protection, see [AUTOTITLE](/code-security/secret-scanning/enabling-secret-scanning-features/enabling-push-protection-for-your-repository). Once enabled, you can do the following: -1. **Provide guidance:** Configure a custom link in the message that contributors will see if their push is blocked by {% data variables.product.prodname_secret_scanning %}. The linked resource can provide guidance for contributors on how to resolve the blocked push. For more information, see "[AUTOTITLE](/code-security/secret-scanning/enabling-secret-scanning-features/enabling-push-protection-for-your-repository)." +1. **Provide guidance:** Configure a custom link in the message that contributors will see if their push is blocked by {% data variables.product.prodname_secret_scanning %}. The linked resource can provide guidance for contributors on how to resolve the blocked push. For more information, see [AUTOTITLE](/code-security/secret-scanning/enabling-secret-scanning-features/enabling-push-protection-for-your-repository). -1. **Notify:** Define a webhook that specifically tracks {% data variables.secret-scanning.alerts %} created when someone bypasses push protection by using the alert property `"push_protection_bypassed": true`. Or, use the API to get updates on which {% data variables.secret-scanning.alerts %} were the result of a push protection bypass by filtering the list of results for `"push_protection_bypassed": true`. For more information, see "[AUTOTITLE](/code-security/getting-started/auditing-security-alerts)." +1. **Notify:** Define a webhook that specifically tracks {% data variables.secret-scanning.alerts %} created when someone bypasses push protection by using the alert property `"push_protection_bypassed": true`. Or, use the API to get updates on which {% data variables.secret-scanning.alerts %} were the result of a push protection bypass by filtering the list of results for `"push_protection_bypassed": true`. For more information, see [AUTOTITLE](/code-security/getting-started/auditing-security-alerts). {%- ifversion security-overview-push-protection-metrics-page %} -1. **Monitor:** Use security overview to view metrics on how push protection is performing in repositories across your organization, so you can quickly identify any repositories where you might need to take action. For more information, see "[AUTOTITLE](/enterprise-cloud@latest/code-security/security-overview/viewing-metrics-for-secret-scanning-push-protection)." +1. **Monitor:** Use security overview to view metrics on how push protection is performing in repositories across your organization, so you can quickly identify any repositories where you might need to take action. For more information, see [AUTOTITLE](/enterprise-cloud@latest/code-security/security-overview/viewing-metrics-for-secret-scanning-push-protection). {%- endif %} @@ -78,7 +78,7 @@ Once you have decided on the secret types, you can do the following: 1. When you have created the process that teams will follow for revoking credentials, you can collate information about the types of secrets and other metadata associated with the leaked secrets so you can discern who to communicate the new process to. - You can use security overview to collect this information. For more information about using security overview, see "[AUTOTITLE](/code-security/security-overview/filtering-alerts-in-security-overview)." + You can use security overview to collect this information. For more information about using security overview, see [AUTOTITLE](/code-security/security-overview/filtering-alerts-in-security-overview). Some information you may want to collect includes: @@ -89,7 +89,7 @@ Once you have decided on the secret types, you can do the following: * Maintainers on repository to contact > [!NOTE] - > Use the UI if you have few secrets leaked of that type. If you have hundreds of leaked secrets, use the API to collect information. For more information, see "[AUTOTITLE](/rest/secret-scanning)." + > Use the UI if you have few secrets leaked of that type. If you have hundreds of leaked secrets, use the API to collect information. For more information, see [AUTOTITLE](/rest/secret-scanning). 1. After you collect information about leaked secrets, create a targeted communication plan for the users who maintain the repositories affected by each secret type. You could use email, messaging, or even create GitHub issues in the affected repositories. If you can use APIs provided by these tools to send out the communications in an automated manner, this will make it easier for you to scale across multiple secret types. @@ -97,9 +97,9 @@ Once you have decided on the secret types, you can do the following: You can now expand beyond the five most critical secret types into a more comprehensive list, with an additional focus on education. You can repeat the previous step, remediating previously committed secrets, for the different secret types you have targeted. -You can also include more of the custom patterns collated in the earlier phases and invite security teams and developer teams to submit more patterns, establishing a process for submitting new patterns as new secret types are created. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning)." +You can also include more of the custom patterns collated in the earlier phases and invite security teams and developer teams to submit more patterns, establishing a process for submitting new patterns as new secret types are created. For more information, see [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning). As you continue to build your remediation processes for other secret types, start to create proactive training material that can be shared with all developers of GitHub in your organization. Until this point, a lot of the focus has been reactive. It is an excellent idea to shift focus to being proactive and encourage developers not to push credentials to GitHub in the first place. This can be achieved in multiple ways but creating a short document explaining the risks and reasons would be a great place to start. > [!NOTE] -> This is the final article of a series on adopting {% data variables.product.prodname_GH_advanced_security %} at scale. If you have questions or need support, see the section on {% data variables.contact.github_support %} and {% data variables.product.prodname_professional_services %} in "[AUTOTITLE](/code-security/adopting-github-advanced-security-at-scale/introduction-to-adopting-github-advanced-security-at-scale#github-support-and-professional-services)." +> This is the final article of a series on adopting {% data variables.product.prodname_GH_advanced_security %} at scale. If you have questions or need support, see the section on {% data variables.contact.github_support %} and {% data variables.product.prodname_professional_services %} in [AUTOTITLE](/code-security/adopting-github-advanced-security-at-scale/introduction-to-adopting-github-advanced-security-at-scale#github-support-and-professional-services). diff --git a/content/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages.md b/content/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages.md index d5b19d6e5cba..07d9a53d3ce0 100644 --- a/content/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages.md +++ b/content/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages.md @@ -52,7 +52,7 @@ The basic {% data variables.code-scanning.codeql_workflow %} uses the `autobuild {% ifversion codeql-dependency-caching %} -You can use dependency caching with {% data variables.product.prodname_codeql %} to store dependencies as a {% data variables.product.prodname_actions %} cache instead of downloading them from registries. For more information, see "[About dependency caching for {% data variables.product.prodname_codeql %}](#about-dependency-caching-for-codeql)" later in this article. +You can use dependency caching with {% data variables.product.prodname_codeql %} to store dependencies as a {% data variables.product.prodname_actions %} cache instead of downloading them from registries. For more information, see [About dependency caching for {% data variables.product.prodname_codeql %}](#about-dependency-caching-for-codeql) later in this article. {% endif %} @@ -122,18 +122,18 @@ steps: {% endif %} -For information about the languages, libraries, and frameworks that are supported in the latest version of {% data variables.product.prodname_codeql %}, see "[Supported languages and frameworks](https://codeql.github.com/docs/codeql-overview/supported-languages-and-frameworks)" in the {% data variables.product.prodname_codeql %} documentation. For information about the system requirements for running the latest version of {% data variables.product.prodname_codeql %}, see "[System requirements](https://codeql.github.com/docs/codeql-overview/system-requirements/#additional-software-requirements)" in the {% data variables.product.prodname_codeql %} documentation. +For information about the languages, libraries, and frameworks that are supported in the latest version of {% data variables.product.prodname_codeql %}, see [Supported languages and frameworks](https://codeql.github.com/docs/codeql-overview/supported-languages-and-frameworks) in the {% data variables.product.prodname_codeql %} documentation. For information about the system requirements for running the latest version of {% data variables.product.prodname_codeql %}, see [System requirements](https://codeql.github.com/docs/codeql-overview/system-requirements/#additional-software-requirements) in the {% data variables.product.prodname_codeql %} documentation. {% ifversion codeql-dependency-caching %} ## About dependency caching for {% data variables.product.prodname_codeql %} -You can use dependency caching with {% data variables.product.prodname_codeql %} to store dependencies as a {% data variables.product.prodname_actions %} cache instead of downloading them from registries. This reduces the risk of losing alerts when third party registries don't work well, and may result in a performance improvement for projects that have a large number of dependencies or work with slow registries. To read more about how caching dependencies can speed up workflows, see "[AUTOTITLE](/actions/writing-workflows/choosing-what-your-workflow-does/caching-dependencies-to-speed-up-workflows)." +You can use dependency caching with {% data variables.product.prodname_codeql %} to store dependencies as a {% data variables.product.prodname_actions %} cache instead of downloading them from registries. This reduces the risk of losing alerts when third party registries don't work well, and may result in a performance improvement for projects that have a large number of dependencies or work with slow registries. To read more about how caching dependencies can speed up workflows, see [AUTOTITLE](/actions/writing-workflows/choosing-what-your-workflow-does/caching-dependencies-to-speed-up-workflows). Dependency caching works with all build modes, and is supported by {% data variables.code-scanning.codeql_dependency_caching_languages %}. >[!NOTE] -> Using dependency caching will store {% data variables.product.prodname_codeql %}-specific caches that will be subject to cache quotas for a repository. See "[AUTOTITLE](/actions/writing-workflows/choosing-what-your-workflow-does/caching-dependencies-to-speed-up-workflows#usage-limits-and-eviction-policy)." +> Using dependency caching will store {% data variables.product.prodname_codeql %}-specific caches that will be subject to cache quotas for a repository. See [AUTOTITLE](/actions/writing-workflows/choosing-what-your-workflow-does/caching-dependencies-to-speed-up-workflows#usage-limits-and-eviction-policy). ### Enabling dependency caching for {% data variables.product.prodname_codeql %} @@ -172,7 +172,7 @@ Creating a {% data variables.product.prodname_codeql %} database without a build To use `autobuild` or manual build steps, you can use advanced setup. ->[!NOTE] For Java analysis, if `build-mode` is set to `none` and Kotlin code is found in the repository, the Kotlin code will not be analyzed and a warning will be produced. See "[Building Java and Kotlin](#building-java-and-kotlin)." +>[!NOTE] For Java analysis, if `build-mode` is set to `none` and Kotlin code is found in the repository, the Kotlin code will not be analyzed and a warning will be produced. See [Building Java and Kotlin](#building-java-and-kotlin). {% endif %} @@ -229,9 +229,9 @@ The basic {% data variables.code-scanning.codeql_workflow %} uses the `autobuild ## About specifying build steps manually -You can only specify manual build steps if you have enabled advanced setup, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning#configuring-advanced-setup-for-a-repository)." +You can only specify manual build steps if you have enabled advanced setup, see [AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning#configuring-advanced-setup-for-a-repository). -{% data reusables.code-scanning.autobuild-add-build-steps %} For information on how to edit the workflow file, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#editing-a-code-scanning-workflow)." +{% data reusables.code-scanning.autobuild-add-build-steps %} For information on how to edit the workflow file, see [AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#editing-a-code-scanning-workflow). {% ifversion codeql-no-build %} Update your workflow to define the `build-mode` as `manual`. @@ -268,7 +268,7 @@ When manual building is enabled, uncomment the `run` step in the workflow and ad make release ``` -For more information about the `run` keyword, see "[AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun)." +For more information about the `run` keyword, see [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun). {% ifversion codeql-no-build %} {% elsif ghes %} @@ -288,14 +288,14 @@ For repositories with multiple compiled languages, you can specify language-spec make release ``` -For more information about the `if` conditional, see "[AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsif)." +For more information about the `if` conditional, see [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsif). {% endif %} If you added manual build steps for compiled languages and {% data variables.product.prodname_code_scanning %} is still not working on your repository, contact {% data variables.contact.contact_support %}. ## Autobuild steps for compiled languages -{% ifversion fpt or ghec %}{% data variables.product.prodname_dotcom %}-hosted runners are always run with the software required by `autobuild`.{% endif %} If you use self-hosted runners for {% data variables.product.prodname_actions %}, you may need to install additional software to use the `autobuild` process. Additionally, if your repository requires a specific version of a build tool, you may need to install it manually. {% ifversion code-scanning-default-setup-self-hosted-310 or default-setup-self-hosted-runners-GHEC %} For self-hosted runners, you should install dependencies directly in the runners themselves. We provide examples of common dependencies for C/C++, C#, and Java in each of the `autobuild` sections of this article for those languages. For more information, see "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners)."{% endif %} +{% ifversion fpt or ghec %}{% data variables.product.prodname_dotcom %}-hosted runners are always run with the software required by `autobuild`.{% endif %} If you use self-hosted runners for {% data variables.product.prodname_actions %}, you may need to install additional software to use the `autobuild` process. Additionally, if your repository requires a specific version of a build tool, you may need to install it manually. {% ifversion code-scanning-default-setup-self-hosted-310 or default-setup-self-hosted-runners-GHEC %} For self-hosted runners, you should install dependencies directly in the runners themselves. We provide examples of common dependencies for C/C++, C#, and Java in each of the `autobuild` sections of this article for those languages. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners).{% endif %} * [Building C/C++](#building-cc) * [Building C#](#building-c) @@ -338,7 +338,7 @@ On Linux and macOS, the `autobuild` step reviews the files present in the reposi #### Runner requirements for C/C++ {% ifversion codeql-cpp-autoinstall-dependencies %} -On Ubuntu Linux runners, `autobuild` may try to automatically install dependencies required by the detected configuration and build steps. By default, this behavior is enabled on {% data variables.product.prodname_dotcom %}-hosted runners and disabled on self-hosted runners. You can enable or disable this feature explicitly by setting `CODEQL_EXTRACTOR_CPP_AUTOINSTALL_DEPENDENCIES` to `true` or `false` in the environment. For more information about defining environment variables, see "[AUTOTITLE](/actions/learn-github-actions/variables#defining-environment-variables-for-a-single-workflow)." +On Ubuntu Linux runners, `autobuild` may try to automatically install dependencies required by the detected configuration and build steps. By default, this behavior is enabled on {% data variables.product.prodname_dotcom %}-hosted runners and disabled on self-hosted runners. You can enable or disable this feature explicitly by setting `CODEQL_EXTRACTOR_CPP_AUTOINSTALL_DEPENDENCIES` to `true` or `false` in the environment. For more information about defining environment variables, see [AUTOTITLE](/actions/learn-github-actions/variables#defining-environment-variables-for-a-single-workflow). {% endif %} For self-hosted runners{% ifversion codeql-cpp-autoinstall-dependencies %}, unless automatic installation of dependencies is enabled{% endif %}, you will likely need to install the `gcc` compiler, and specific projects may also require access to `clang` or `msvc` executables. You will also need to install the build system (for example `msbuild`, `make`, `cmake`, `bazel`) and utilities (such as `python`, `perl`, `lex`, and `yacc`) that your projects depend on. @@ -395,7 +395,7 @@ The {% data variables.product.prodname_codeql %} tracer enables the extraction o #### `/p:MvcBuildViews=true` -When this option is set to `true`, the views in ASP.NET model-view-controller (MVC) projects are precompiled as part of the build process, which can help to catch errors and improve performance. The tracer injects this flag to make sure {% data variables.product.prodname_codeql %} finds and highlights security issues that may involve dataflow through the code generated from these views. For more information, see "[Adding a View to an MVC Application](https://learn.microsoft.com/en-us/aspnet/mvc/overview/getting-started/introduction/adding-a-view)" in Microsoft Learn. +When this option is set to `true`, the views in ASP.NET model-view-controller (MVC) projects are precompiled as part of the build process, which can help to catch errors and improve performance. The tracer injects this flag to make sure {% data variables.product.prodname_codeql %} finds and highlights security issues that may involve dataflow through the code generated from these views. For more information, see [Adding a View to an MVC Application](https://learn.microsoft.com/en-us/aspnet/mvc/overview/getting-started/introduction/adding-a-view) in Microsoft Learn. #### `/p:UseSharedCompilation=false` @@ -405,7 +405,7 @@ Setting this option to `false` disables the use of the shared compilation featur Setting this option to `true` will emit compiler-generated files during the build process. This option causes the compiler to generate additional source files that are used to support features such as improved regular expression support, serialization, and web application view generation. These generated artifacts are typically not written to disk by the compiler, but setting the option to `true` forces writing the files to disk, and so the extractor can process the files. -For some legacy projects, and projects that use `.sqlproj` files, you may see that the injected `/p:EmitCompilerGeneratedFiles=true` property causes unexpected issues with `msbuild`. For information about troubleshooting this, see "[AUTOTITLE](/code-security/code-scanning/troubleshooting-code-scanning/c-sharp-compiler-unexpectedly-failing)." +For some legacy projects, and projects that use `.sqlproj` files, you may see that the injected `/p:EmitCompilerGeneratedFiles=true` property causes unexpected issues with `msbuild`. For information about troubleshooting this, see [AUTOTITLE](/code-security/code-scanning/troubleshooting-code-scanning/c-sharp-compiler-unexpectedly-failing). ### Windows autodetection @@ -487,11 +487,11 @@ Additionally, `vendor` directories are excluded from {% data variables.product.p When you first enable default setup for a repository, if only Java code is detected then the build mode is set to `none`. If Kotlin or a combination of Java and Kotlin code is detected, then the build mode is set to `autobuild`. -If you later add Kotlin code to a repository that uses the `none` build mode, {% data variables.product.prodname_codeql %} analysis reports a warning message explaining that Kotlin is not supported. You will need to disable default setup and re-enable it. When you re-enable default setup, the build mode will change to `autobuild` so that both languages can be analyzed. Alternatively, you can change to an advanced setup. For more information, see "[AUTOTITLE](/code-security/code-scanning/troubleshooting-code-scanning/kotlin-detected-in-no-build)." +If you later add Kotlin code to a repository that uses the `none` build mode, {% data variables.product.prodname_codeql %} analysis reports a warning message explaining that Kotlin is not supported. You will need to disable default setup and re-enable it. When you re-enable default setup, the build mode will change to `autobuild` so that both languages can be analyzed. Alternatively, you can change to an advanced setup. For more information, see [AUTOTITLE](/code-security/code-scanning/troubleshooting-code-scanning/kotlin-detected-in-no-build). ### No build for Java -{% data variables.product.prodname_codeql %} will attempt to run Gradle or Maven to extract accurate dependency information (but not to invoke a build), before creating a database from all Java files present. Every root Maven or Gradle project file (a build script without any build script present in an ancestor directory) is queried for dependency information, and more recent dependency versions are preferred if there is a clash. For information about the runner requirements to run Maven or Gradle, see "[Runner requirements for Java](#runner-requirements-for-java)." +{% data variables.product.prodname_codeql %} will attempt to run Gradle or Maven to extract accurate dependency information (but not to invoke a build), before creating a database from all Java files present. Every root Maven or Gradle project file (a build script without any build script present in an ancestor directory) is queried for dependency information, and more recent dependency versions are preferred if there is a clash. For information about the runner requirements to run Maven or Gradle, see [Runner requirements for Java](#runner-requirements-for-java). #### Accuracy of no build analysis for Java @@ -528,7 +528,7 @@ If you're using self-hosted runners, the required version(s) of Java should be p * If the runner will be used for analyzing repositories that need a single version of Java, then the appropriate JDK version needs to be installed, and needs to be present in the PATH variable (so that `java` and `javac` can be found). -* If the runner will be used for analyzing repositories that need multiple versions of Java, then the appropriate JDK versions need to be installed, and can be specified via the `toolchains.xml` file. This is a configuration file, typically used by Apache Maven, that allows you to specify the location of the tools, the version of the tools, and any additional configuration that is required to use the tools. For more information, see "[Guide to Using Toolchains](https://maven.apache.org/guides/mini/guide-using-toolchains.html)" in the Apache Maven documentation. +* If the runner will be used for analyzing repositories that need multiple versions of Java, then the appropriate JDK versions need to be installed, and can be specified via the `toolchains.xml` file. This is a configuration file, typically used by Apache Maven, that allows you to specify the location of the tools, the version of the tools, and any additional configuration that is required to use the tools. For more information, see [Guide to Using Toolchains](https://maven.apache.org/guides/mini/guide-using-toolchains.html) in the Apache Maven documentation. The following executables will likely be required for a range of Java projects, and should be present in the PATH variable, but they will not be essential in all cases: @@ -553,7 +553,7 @@ Windows runners require `powershell.exe` to be on the `PATH`. The `autobuild` process tries to build the biggest target from an Xcode project or workspace. -Code scanning of Swift code uses macOS runners by default. {% ifversion fpt or ghec %}Since {% data variables.product.company_short %}-hosted macOS runners are more expensive than Linux and Windows runners, we recommend that you build only the code that you want to analyze. For more information about pricing for {% data variables.product.company_short %}-hosted runners, see "[AUTOTITLE](/billing/managing-billing-for-github-actions/about-billing-for-github-actions)."{% endif %} +Code scanning of Swift code uses macOS runners by default. {% ifversion fpt or ghec %}Since {% data variables.product.company_short %}-hosted macOS runners are more expensive than Linux and Windows runners, we recommend that you build only the code that you want to analyze. For more information about pricing for {% data variables.product.company_short %}-hosted runners, see [AUTOTITLE](/billing/managing-billing-for-github-actions/about-billing-for-github-actions).{% endif %} {% data reusables.code-scanning.default-setup-swift-self-hosted-runners %} diff --git a/content/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning-with-codeql-at-scale.md b/content/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning-with-codeql-at-scale.md index d550b79c8e43..8f40423f61e4 100644 --- a/content/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning-with-codeql-at-scale.md +++ b/content/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning-with-codeql-at-scale.md @@ -23,14 +23,14 @@ If you need to configure a highly customizable {% data variables.product.prodnam To enable advanced setup across multiple repositories, you can write a bulk configuration script. To successfully execute the script, {% data variables.product.prodname_actions %} must be enabled for the {% ifversion fpt %}organization{% elsif ghec %}organization or enterprise{% elsif ghes %}site{% endif %}. -Alternatively, if you do not need granular control over the {% data variables.product.prodname_code_scanning %} configuration for many repositories in your organization, you can quickly and easily configure {% data variables.product.prodname_code_scanning %} at scale with default setup. For more information, see "[AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale)." +Alternatively, if you do not need granular control over the {% data variables.product.prodname_code_scanning %} configuration for many repositories in your organization, you can quickly and easily configure {% data variables.product.prodname_code_scanning %} at scale with default setup. For more information, see [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale). ## Using a script to enable advanced setup For repositories that are not eligible for default setup, you can use a bulk configuration script to enable advanced setup across multiple repositories. 1. Identify a group of repositories that can be analyzed using the same {% data variables.product.prodname_code_scanning %} configuration. For example, all repositories that build Java artifacts using the production environment. -1. Create and test a {% data variables.product.prodname_actions %} workflow to call the {% data variables.product.prodname_codeql %} action with the appropriate configuration. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-advanced-setup-for-code-scanning#configuring-advanced-setup-for-code-scanning-with-codeql)." +1. Create and test a {% data variables.product.prodname_actions %} workflow to call the {% data variables.product.prodname_codeql %} action with the appropriate configuration. For more information, see [AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-advanced-setup-for-code-scanning#configuring-advanced-setup-for-code-scanning-with-codeql). 1. Use one of the example scripts or create a custom script to add the workflow to each repository in the group. * PowerShell example: [`jhutchings1/Create-ActionsPRs`](https://github.com/jhutchings1/Create-ActionsPRs) repository * NodeJS example: [`nickliffen/ghas-enablement`](https://github.com/NickLiffen/ghas-enablement) repository @@ -42,8 +42,8 @@ For repositories that are not eligible for default setup, you can use a bulk con {% data reusables.code-scanning.beta-model-packs %} -If your codebase depends on a library or framework that is not recognized by the standard queries in {% data variables.product.prodname_codeql %}, you can extend the {% data variables.product.prodname_codeql %} coverage in your bulk configuration script by specifying published {% data variables.product.prodname_codeql %} model packs. For more information, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#extending-codeql-coverage-with-codeql-model-packs)." +If your codebase depends on a library or framework that is not recognized by the standard queries in {% data variables.product.prodname_codeql %}, you can extend the {% data variables.product.prodname_codeql %} coverage in your bulk configuration script by specifying published {% data variables.product.prodname_codeql %} model packs. For more information, see [AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#extending-codeql-coverage-with-codeql-model-packs). -Alternatively, if you do not need granular control over the {% data variables.product.prodname_code_scanning %} configuration for many repositories in your organization, you can quickly and easily configure model packs with {% data variables.product.prodname_code_scanning %} at scale with default setup. For more information, see "[AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/editing-your-configuration-of-default-setup#extending-codeql-coverage-with-codeql-model-packs-in-default-setup)." +Alternatively, if you do not need granular control over the {% data variables.product.prodname_code_scanning %} configuration for many repositories in your organization, you can quickly and easily configure model packs with {% data variables.product.prodname_code_scanning %} at scale with default setup. For more information, see [AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/editing-your-configuration-of-default-setup#extending-codeql-coverage-with-codeql-model-packs-in-default-setup). {% endif %} diff --git a/content/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning.md b/content/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning.md index fdfb976c6392..dc3557158859 100644 --- a/content/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning.md +++ b/content/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning.md @@ -23,19 +23,19 @@ allowTitleToDifferFromFilename: true ## About advanced setup for {% data variables.product.prodname_code_scanning %} -Advanced setup for {% data variables.product.prodname_code_scanning %} is helpful when you need to customize your {% data variables.product.prodname_code_scanning %}. By creating and editing a workflow file, you can define how to build compiled languages, choose which queries to run, select the languages to scan, use a matrix build, and more. You also have access to all the options for controlling workflows, for example: changing the scan schedule, defining workflow triggers, specifying specialist runners to use. For more information about {% data variables.product.prodname_actions %} workflows, see "[AUTOTITLE](/actions/using-workflows/about-workflows)." +Advanced setup for {% data variables.product.prodname_code_scanning %} is helpful when you need to customize your {% data variables.product.prodname_code_scanning %}. By creating and editing a workflow file, you can define how to build compiled languages, choose which queries to run, select the languages to scan, use a matrix build, and more. You also have access to all the options for controlling workflows, for example: changing the scan schedule, defining workflow triggers, specifying specialist runners to use. For more information about {% data variables.product.prodname_actions %} workflows, see [AUTOTITLE](/actions/using-workflows/about-workflows). {% ifversion fpt or ghec %} -You can also configure {% data variables.product.prodname_code_scanning %} with third-party tools. For more information, see "[Configuring {% data variables.product.prodname_code_scanning %} using third-party actions](#configuring-code-scanning-using-third-party-actions)." +You can also configure {% data variables.product.prodname_code_scanning %} with third-party tools. For more information, see [Configuring {% data variables.product.prodname_code_scanning %} using third-party actions](#configuring-code-scanning-using-third-party-actions). {% else %} -Your site administrator can also make third-party actions available to users for {% data variables.product.prodname_code_scanning %}, by setting up {% data variables.product.prodname_github_connect %}. For more information, see "[AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/configuring-code-scanning-for-your-appliance#configuring-github-connect-to-sync-github-actions)." +Your site administrator can also make third-party actions available to users for {% data variables.product.prodname_code_scanning %}, by setting up {% data variables.product.prodname_github_connect %}. For more information, see [AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/configuring-code-scanning-for-your-appliance#configuring-github-connect-to-sync-github-actions). {% endif %} {% data reusables.code-scanning.about-multiple-configurations-link %} {% data reusables.code-scanning.codeql-action-version-ghes %} -If you do not need a highly customizable {% data variables.product.prodname_code_scanning %} configuration, consider using default setup for {% data variables.product.prodname_code_scanning %}. For more information on eligibility for default setup, see "[AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning#requirements-for-using-default-setup)." +If you do not need a highly customizable {% data variables.product.prodname_code_scanning %} configuration, consider using default setup for {% data variables.product.prodname_code_scanning %}. For more information on eligibility for default setup, see [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning#requirements-for-using-default-setup). ### Prerequisites @@ -47,12 +47,12 @@ Your repository is eligible for advanced setup if it meets these requirements. * {% data variables.product.prodname_GH_advanced_security %} is enabled.{% endif %} {% ifversion ghes %} -If the server on which you are running {% data variables.product.prodname_ghe_server %} is not connected to the internet, your site administrator can enable {% data variables.product.prodname_codeql %} {% data variables.product.prodname_code_scanning %} by making the {% data variables.product.prodname_codeql %} analysis bundle available on the server. For more information, see "[AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/configuring-code-scanning-for-your-appliance#configuring-codeql-analysis-on-a-server-without-internet-access)." +If the server on which you are running {% data variables.product.prodname_ghe_server %} is not connected to the internet, your site administrator can enable {% data variables.product.prodname_codeql %} {% data variables.product.prodname_code_scanning %} by making the {% data variables.product.prodname_codeql %} analysis bundle available on the server. For more information, see [AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/configuring-code-scanning-for-your-appliance#configuring-codeql-analysis-on-a-server-without-internet-access). {% endif %} ## Configuring advanced setup for {% data variables.product.prodname_code_scanning %} with {% data variables.product.prodname_codeql %} -You can customize your {% data variables.product.prodname_codeql %} analysis by creating and editing a workflow file. Selecting advanced setup generates a basic workflow file for you to customize using standard workflow syntax and specifying options for the {% data variables.product.prodname_codeql %} action. See "[AUTOTITLE](/actions/using-workflows/about-workflows)" and "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning)." +You can customize your {% data variables.product.prodname_codeql %} analysis by creating and editing a workflow file. Selecting advanced setup generates a basic workflow file for you to customize using standard workflow syntax and specifying options for the {% data variables.product.prodname_codeql %} action. See [AUTOTITLE](/actions/using-workflows/about-workflows) and [AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning). {% data reusables.code-scanning.billing %} @@ -77,7 +77,7 @@ You can customize your {% data variables.product.prodname_codeql %} analysis by Generally, you can commit the {% data variables.code-scanning.codeql_workflow %} without making any changes to it. However, many of the third-party workflows require additional configuration, so read the comments in the workflow before committing. - For more information, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning)" and "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages)." + For more information, see [AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning) and [AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages). 1. Click **Commit changes...** to display the commit changes form. @@ -89,9 +89,9 @@ You can customize your {% data variables.product.prodname_codeql %} analysis by In the suggested {% data variables.code-scanning.codeql_workflow %}, {% data variables.product.prodname_code_scanning %} is configured to analyze your code each time you either push a change to the default branch or any protected branches, or raise a pull request against the default branch. As a result, {% data variables.product.prodname_code_scanning %} will now commence. -The `on:pull_request` and `on:push` triggers for code scanning are each useful for different purposes. See "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#configuring-frequency)" and "[AUTOTITLE](/actions/using-workflows/triggering-a-workflow)." +The `on:pull_request` and `on:push` triggers for code scanning are each useful for different purposes. See [AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#configuring-frequency) and [AUTOTITLE](/actions/using-workflows/triggering-a-workflow). -For information on bulk enablement, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-advanced-setup-for-code-scanning-with-codeql-at-scale)." +For information on bulk enablement, see [AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-advanced-setup-for-code-scanning-with-codeql-at-scale). {% ifversion fpt or ghec %} @@ -115,21 +115,21 @@ For information on bulk enablement, see "[AUTOTITLE](/code-security/code-scannin ![Screenshot showing a workflow template file open for editing. The "Documentation" button is highlighted with an orange outline.](/assets/images/help/security/actions-workflows-documentation.png) - For more information, see "[AUTOTITLE](/actions/learn-github-actions/using-starter-workflows#choosing-and-using-a-starter-workflow)" and "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning)." + For more information, see [AUTOTITLE](/actions/learn-github-actions/using-starter-workflows#choosing-and-using-a-starter-workflow) and [AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning). {% endif %} ## Next steps -After your workflow runs successfully at least once, you are ready to start examining and resolving {% data variables.product.prodname_code_scanning %} alerts. For more information on {% data variables.product.prodname_code_scanning %} alerts, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/about-code-scanning-alerts)" and "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/assessing-code-scanning-alerts-for-your-repository)." +After your workflow runs successfully at least once, you are ready to start examining and resolving {% data variables.product.prodname_code_scanning %} alerts. For more information on {% data variables.product.prodname_code_scanning %} alerts, see [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/about-code-scanning-alerts) and [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/assessing-code-scanning-alerts-for-your-repository). -Learn how {% data variables.product.prodname_code_scanning %} runs behave as checks on pull requests, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/triaging-code-scanning-alerts-in-pull-requests#about-code-scanning-as-a-pull-request-check)." +Learn how {% data variables.product.prodname_code_scanning %} runs behave as checks on pull requests, see [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/triaging-code-scanning-alerts-in-pull-requests#about-code-scanning-as-a-pull-request-check). -You can find detailed information about your {% data variables.product.prodname_code_scanning %} configuration, including timestamps for each scan and the percentage of files scanned, on the tool status page. For more information, see "[AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/about-the-tool-status-page)." +You can find detailed information about your {% data variables.product.prodname_code_scanning %} configuration, including timestamps for each scan and the percentage of files scanned, on the tool status page. For more information, see [AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/about-the-tool-status-page). ### Further reading -* "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/triaging-code-scanning-alerts-in-pull-requests)." -* "[AUTOTITLE](/account-and-profile/managing-subscriptions-and-notifications-on-github/setting-up-notifications/configuring-notifications#github-actions-notification-options)." -* "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning)." -* "[AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/viewing-code-scanning-logs)." +* [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/triaging-code-scanning-alerts-in-pull-requests). +* [AUTOTITLE](/account-and-profile/managing-subscriptions-and-notifications-on-github/setting-up-notifications/configuring-notifications#github-actions-notification-options). +* [AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning). +* [AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/viewing-code-scanning-logs). diff --git a/content/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning.md b/content/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning.md index 3e8297b1923d..2d465593e3c7 100644 --- a/content/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning.md +++ b/content/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning.md @@ -34,9 +34,9 @@ make sure that you also update the MS short link: https://aka.ms/code-scanning-d ## About {% data variables.product.prodname_code_scanning %} configuration -You can run {% data variables.product.prodname_code_scanning %} on {% data variables.product.product_name %}, using {% data variables.product.prodname_actions %}, or from your continuous integration (CI) system. For more information, see "[AUTOTITLE](/actions/learn-github-actions)" or "[AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/using-code-scanning-with-your-existing-ci-system)." +You can run {% data variables.product.prodname_code_scanning %} on {% data variables.product.product_name %}, using {% data variables.product.prodname_actions %}, or from your continuous integration (CI) system. For more information, see [AUTOTITLE](/actions/learn-github-actions) or [AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/using-code-scanning-with-your-existing-ci-system). -With advanced setup for {% data variables.product.prodname_code_scanning %}, you can customize a {% data variables.product.prodname_code_scanning %} workflow for granular control over your configuration. For more information, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning)." +With advanced setup for {% data variables.product.prodname_code_scanning %}, you can customize a {% data variables.product.prodname_code_scanning %} workflow for granular control over your configuration. For more information, see [AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning). {% data variables.product.prodname_codeql %} analysis is just one type of {% data variables.product.prodname_code_scanning %} you can do in {% data variables.product.prodname_dotcom %}. {% data variables.product.prodname_marketplace %}{% ifversion ghes %} on {% data variables.product.prodname_dotcom_the_website %}{% endif %} contains other {% data variables.product.prodname_code_scanning %} workflows you can use. {% ifversion fpt or ghec %}You can find a selection of these on the "Get started with {% data variables.product.prodname_code_scanning %}" page, which you can access from the **{% octicon "shield" aria-hidden="true" %} Security** tab.{% endif %} The specific examples given in this article relate to the {% data variables.code-scanning.codeql_workflow %} file. @@ -48,7 +48,7 @@ With advanced setup for {% data variables.product.prodname_code_scanning %}, you 1. In the upper right corner of the file view, to open the workflow editor, click {% octicon "pencil" aria-label="Edit file" %}. 1. After you have edited the file, click **Start commit** and complete the "Commit changes" form. You can choose to commit directly to the current branch, or create a new branch and start a pull request. -For more information about editing workflow files, see "[AUTOTITLE](/actions/learn-github-actions)." +For more information about editing workflow files, see [AUTOTITLE](/actions/learn-github-actions). ## Configuring frequency @@ -58,26 +58,26 @@ Scanning code when someone pushes a change, and whenever a pull request is creat ### Scanning on push -By default, the {% data variables.code-scanning.codeql_workflow %} uses the `on:push` event to trigger a code scan on every push to the default branch of the repository and any protected branches. For {% data variables.product.prodname_code_scanning %} to be triggered on a specified branch, the workflow must exist in that branch. For more information, see "[AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#on)." +By default, the {% data variables.code-scanning.codeql_workflow %} uses the `on:push` event to trigger a code scan on every push to the default branch of the repository and any protected branches. For {% data variables.product.prodname_code_scanning %} to be triggered on a specified branch, the workflow must exist in that branch. For more information, see [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#on). -If you scan on push, then the results appear in the **Security** tab for your repository. For more information, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/assessing-code-scanning-alerts-for-your-repository#viewing-the-alerts-for-a-repository)." +If you scan on push, then the results appear in the **Security** tab for your repository. For more information, see [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/assessing-code-scanning-alerts-for-your-repository#viewing-the-alerts-for-a-repository). -Additionally, when an `on:push` scan returns results that can be mapped to an open pull request, these alerts will automatically appear on the pull request in the same places as other pull request alerts. The alerts are identified by comparing the existing analysis of the head of the branch to the analysis for the target branch. For more information on {% data variables.product.prodname_code_scanning %} alerts in pull requests, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/triaging-code-scanning-alerts-in-pull-requests)." +Additionally, when an `on:push` scan returns results that can be mapped to an open pull request, these alerts will automatically appear on the pull request in the same places as other pull request alerts. The alerts are identified by comparing the existing analysis of the head of the branch to the analysis for the target branch. For more information on {% data variables.product.prodname_code_scanning %} alerts in pull requests, see [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/triaging-code-scanning-alerts-in-pull-requests). ### Scanning pull requests -The default {% data variables.code-scanning.codeql_workflow %} uses the `pull_request` event to trigger a code scan on pull requests targeted against the default branch. {% ifversion ghes %}The `pull_request` event is not triggered if the pull request was opened from a private fork.{% else %}If a pull request is from a private fork, the `pull_request` event will only be triggered if you've selected the "Run workflows from fork pull requests" option in the repository settings. For more information, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#enabling-workflows-for-private-repository-forks)."{% endif %} +The default {% data variables.code-scanning.codeql_workflow %} uses the `pull_request` event to trigger a code scan on pull requests targeted against the default branch. {% ifversion ghes %}The `pull_request` event is not triggered if the pull request was opened from a private fork.{% else %}If a pull request is from a private fork, the `pull_request` event will only be triggered if you've selected the "Run workflows from fork pull requests" option in the repository settings. For more information, see [AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#enabling-workflows-for-private-repository-forks).{% endif %} -For more information about the `pull_request` event, see "[AUTOTITLE](/actions/using-workflows/events-that-trigger-workflows#pull_request)." +For more information about the `pull_request` event, see [AUTOTITLE](/actions/using-workflows/events-that-trigger-workflows#pull_request). -If you scan pull requests, then the results appear as alerts in a pull request check. For more information, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/triaging-code-scanning-alerts-in-pull-requests)." +If you scan pull requests, then the results appear as alerts in a pull request check. For more information, see [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/triaging-code-scanning-alerts-in-pull-requests). -Using the `pull_request` trigger, configured to scan the pull request's merge commit rather than the head commit, will produce more efficient and accurate results than scanning the head of the branch on each push. However, if you use a CI/CD system that cannot be configured to trigger on pull requests, you can still use the `on:push` trigger and {% data variables.product.prodname_code_scanning %} will map the results to open pull requests on the branch and add the alerts as annotations on the pull request. For more information, see "[Scanning on push](#scanning-on-push)." +Using the `pull_request` trigger, configured to scan the pull request's merge commit rather than the head commit, will produce more efficient and accurate results than scanning the head of the branch on each push. However, if you use a CI/CD system that cannot be configured to trigger on pull requests, you can still use the `on:push` trigger and {% data variables.product.prodname_code_scanning %} will map the results to open pull requests on the branch and add the alerts as annotations on the pull request. For more information, see [Scanning on push](#scanning-on-push). {% ifversion fpt or ghec %} > [!NOTE] -> If your repository is configured with a merge queue, you need to include the `merge_group` event as an additional trigger for {% data variables.product.prodname_code_scanning %}. This will ensure that pull requests are also scanned when they are added to a merge queue. For more information, see "[AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/configuring-pull-request-merges/managing-a-merge-queue)." +> If your repository is configured with a merge queue, you need to include the `merge_group` event as an additional trigger for {% data variables.product.prodname_code_scanning %}. This will ensure that pull requests are also scanned when they are added to a merge queue. For more information, see [AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/configuring-pull-request-merges/managing-a-merge-queue). {% endif %} @@ -97,13 +97,13 @@ on: ``` > [!NOTE] -> `on:pull_request:paths-ignore` and `on:pull_request:paths` set conditions that determine whether the actions in the workflow will run on a pull request. They don't determine what files will be analyzed when the actions _are_ run. When a pull request contains any files that are not matched by `on:pull_request:paths-ignore` or `on:pull_request:paths`, the workflow runs the actions and scans all of the files changed in the pull request, including those matched by `on:pull_request:paths-ignore` or `on:pull_request:paths`, unless the files have been excluded. For information on how to exclude files from analysis, see "[Specifying directories to scan](#specifying-directories-to-scan)." +> `on:pull_request:paths-ignore` and `on:pull_request:paths` set conditions that determine whether the actions in the workflow will run on a pull request. They don't determine what files will be analyzed when the actions _are_ run. When a pull request contains any files that are not matched by `on:pull_request:paths-ignore` or `on:pull_request:paths`, the workflow runs the actions and scans all of the files changed in the pull request, including those matched by `on:pull_request:paths-ignore` or `on:pull_request:paths`, unless the files have been excluded. For information on how to exclude files from analysis, see [Specifying directories to scan](#specifying-directories-to-scan). -For more information about using `on:pull_request:paths-ignore` and `on:pull_request:paths` to determine when a workflow will run for a pull request, see "[AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#onpushpull_requestpull_request_targetpathspaths-ignore)." +For more information about using `on:pull_request:paths-ignore` and `on:pull_request:paths` to determine when a workflow will run for a pull request, see [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#onpushpull_requestpull_request_targetpathspaths-ignore). ### Scanning on a schedule -If you use the default {% data variables.code-scanning.codeql_workflow %}, the workflow will scan the code in your repository once a week, in addition to the scans triggered by events. To adjust this schedule, edit the `cron` value in the workflow. For more information, see "[AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#onschedule)." +If you use the default {% data variables.code-scanning.codeql_workflow %}, the workflow will scan the code in your repository once a week, in addition to the scans triggered by events. To adjust this schedule, edit the `cron` value in the workflow. For more information, see [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#onschedule). > [!NOTE] > {% data variables.product.prodname_dotcom %} only runs scheduled jobs that are in workflows on the default branch. Changing the schedule in a workflow on any other branch has no effect until you merge the branch into the default branch. @@ -130,7 +130,7 @@ This workflow scans: ## Specifying an operating system > [!NOTE] -> * Code scanning of Swift code uses macOS runners by default. {% ifversion fpt or ghec %}{% data variables.product.company_short %}-hosted macOS runners are more expensive than Linux and Windows runners, so you should consider only scanning the build step. For more information about configuring code scanning for Swift, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#considerations-for-building-swift)." For more information about pricing for {% data variables.product.company_short %}-hosted runners, see "[AUTOTITLE](/billing/managing-billing-for-github-actions/about-billing-for-github-actions)."{% endif %} +> * Code scanning of Swift code uses macOS runners by default. {% ifversion fpt or ghec %}{% data variables.product.company_short %}-hosted macOS runners are more expensive than Linux and Windows runners, so you should consider only scanning the build step. For more information about configuring code scanning for Swift, see [AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#considerations-for-building-swift). For more information about pricing for {% data variables.product.company_short %}-hosted runners, see [AUTOTITLE](/billing/managing-billing-for-github-actions/about-billing-for-github-actions).{% endif %} > > * {% data reusables.code-scanning.default-setup-swift-self-hosted-runners %} @@ -152,11 +152,11 @@ jobs: runs-on: [self-hosted, ubuntu-latest] ``` -{% data variables.product.prodname_codeql %} {% data variables.product.prodname_code_scanning %} supports the latest versions of Ubuntu, Windows, and macOS. Typical values for this setting are therefore: `ubuntu-latest`, `windows-latest`, and `macos-latest`. For more information, see "[AUTOTITLE](/actions/using-jobs/choosing-the-runner-for-a-job)" and "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/using-labels-with-self-hosted-runners)." +{% data variables.product.prodname_codeql %} {% data variables.product.prodname_code_scanning %} supports the latest versions of Ubuntu, Windows, and macOS. Typical values for this setting are therefore: `ubuntu-latest`, `windows-latest`, and `macos-latest`. For more information, see [AUTOTITLE](/actions/using-jobs/choosing-the-runner-for-a-job) and [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/using-labels-with-self-hosted-runners). -{% ifversion ghes %}You must ensure that Git is in the PATH variable on your self-hosted runners.{% else %}If you use a self-hosted runner, you must ensure that Git is in the PATH variable.{% endif %} For more information, see "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners)" and "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/adding-self-hosted-runners)." +{% ifversion ghes %}You must ensure that Git is in the PATH variable on your self-hosted runners.{% else %}If you use a self-hosted runner, you must ensure that Git is in the PATH variable.{% endif %} For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners) and [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/adding-self-hosted-runners). -For recommended specifications (RAM, CPU cores, and disk) for running {% data variables.product.prodname_codeql %} analysis{% ifversion not ghes %} on self-hosted machines{% endif %}, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/recommended-hardware-resources-for-running-codeql)." +For recommended specifications (RAM, CPU cores, and disk) for running {% data variables.product.prodname_codeql %} analysis{% ifversion not ghes %} on self-hosted machines{% endif %}, see [AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/recommended-hardware-resources-for-running-codeql). ## Specifying the location for {% data variables.product.prodname_codeql %} databases @@ -168,7 +168,7 @@ In general, you do not need to worry about where the {% data variables.code-scan db-location: {% raw %}'${{ github.runner_temp }}/my_location'{% endraw %} ``` -The {% data variables.code-scanning.codeql_workflow %} will expect the path provided in `db-location` to be writable, and either not exist, or be an empty directory. When using this parameter in a job running on a self-hosted runner or using a Docker container, it's the responsibility of the user to ensure that the chosen directory is cleared between runs, or that the databases are removed once they are no longer needed. This is not necessary for jobs running on {% data variables.product.prodname_dotcom %}-hosted runners, which obtain a fresh instance and a clean filesystem each time they run. For more information, see "[AUTOTITLE](/actions/using-github-hosted-runners/about-github-hosted-runners)." +The {% data variables.code-scanning.codeql_workflow %} will expect the path provided in `db-location` to be writable, and either not exist, or be an empty directory. When using this parameter in a job running on a self-hosted runner or using a Docker container, it's the responsibility of the user to ensure that the chosen directory is cleared between runs, or that the databases are removed once they are no longer needed. This is not necessary for jobs running on {% data variables.product.prodname_dotcom %}-hosted runners, which obtain a fresh instance and a clean filesystem each time they run. For more information, see [AUTOTITLE](/actions/using-github-hosted-runners/about-github-hosted-runners). If this parameter is not used, the {% data variables.code-scanning.codeql_workflow %} will create databases in a temporary location of its own choice. Currently the default value is {% raw %}`${{ github.runner_temp }}/codeql_databases`{% endraw %}. @@ -182,7 +182,7 @@ If this parameter is not used, the {% data variables.code-scanning.codeql_workfl {% data reusables.code-scanning.codeql-language-identifiers-table %} -The default {% data variables.code-scanning.codeql_workflow %} file contains a matrix called `language` which lists the languages in your repository that are analyzed. {% data variables.product.prodname_codeql %} automatically populates this matrix when you add {% data variables.product.prodname_code_scanning %} to a repository. Using the `language` matrix optimizes {% data variables.product.prodname_codeql %} to run each analysis in parallel. We recommend that all workflows adopt this configuration due to the performance benefits of parallelizing builds. For more information about matrices, see "[AUTOTITLE](/actions/using-jobs/using-a-matrix-for-your-jobs)." +The default {% data variables.code-scanning.codeql_workflow %} file contains a matrix called `language` which lists the languages in your repository that are analyzed. {% data variables.product.prodname_codeql %} automatically populates this matrix when you add {% data variables.product.prodname_code_scanning %} to a repository. Using the `language` matrix optimizes {% data variables.product.prodname_codeql %} to run each analysis in parallel. We recommend that all workflows adopt this configuration due to the performance benefits of parallelizing builds. For more information about matrices, see [AUTOTITLE](/actions/using-jobs/using-a-matrix-for-your-jobs). {% data reusables.code-scanning.specify-language-to-analyze %} @@ -215,13 +215,13 @@ You can use rulesets to prevent pull requests from being merged when one of the {% data reusables.code-scanning.merge-protection-rulesets-conditions %} -For more information, see "[AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/set-code-scanning-merge-protection)." For more general information about rulesets, see "[AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets)." +For more information, see [AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/set-code-scanning-merge-protection). For more general information about rulesets, see [AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets). {% else %} {% data reusables.code-scanning.pull-request-checks %} -You can edit which severity and security severity alert levels cause a check failure. For more information, see "[AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/editing-your-configuration-of-default-setup#defining-the-alert-severities-that-cause-a-check-failure-for-a-pull-request)." +You can edit which severity and security severity alert levels cause a check failure. For more information, see [AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/editing-your-configuration-of-default-setup#defining-the-alert-severities-that-cause-a-check-failure-for-a-pull-request). {% endif %} @@ -245,7 +245,7 @@ If you don't specify a `category` parameter in your workflow, {% data variables. * The `.github/workflows/codeql-analysis.yml` workflow and the `analyze` action will produce the category `.github/workflows/codeql.yml:analyze`. * The `.github/workflows/codeql-analysis.yml` workflow, the `analyze` action, and the `{language: {% ifversion codeql-language-identifiers-311 %}javascript-typescript{% else %}javascript{% endif %}, os: linux}` matrix variables will produce the category `.github/workflows/codeql-analysis.yml:analyze/language:{% ifversion codeql-language-identifiers-311 %}javascript-typescript{% else %}javascript{% endif %}/os:linux`. -The `category` value will appear as the `.automationDetails.id` property in SARIF v2.1.0. For more information, see "[AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning#runautomationdetails-object)." +The `category` value will appear as the `.automationDetails.id` property in SARIF v2.1.0. For more information, see [AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning#runautomationdetails-object). Your specified category will not overwrite the details of the `runAutomationDetails` object in the SARIF file, if included. @@ -253,7 +253,7 @@ Your specified category will not overwrite the details of the `runAutomationDeta ## Extending {% data variables.product.prodname_codeql %} coverage with {% data variables.product.prodname_codeql %} model packs -If your codebase depends on a library or framework that is not recognized by the standard queries in {% data variables.product.prodname_codeql %}, you can extend the {% data variables.product.prodname_codeql %} coverage in your {% data variables.product.prodname_code_scanning %} workflow by specifying published {% data variables.product.prodname_codeql %} model packs. For more information about creating your own model packs, see "[AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-and-working-with-codeql-packs#creating-a-model-pack)." +If your codebase depends on a library or framework that is not recognized by the standard queries in {% data variables.product.prodname_codeql %}, you can extend the {% data variables.product.prodname_codeql %} coverage in your {% data variables.product.prodname_code_scanning %} workflow by specifying published {% data variables.product.prodname_codeql %} model packs. For more information about creating your own model packs, see [AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-and-working-with-codeql-packs#creating-a-model-pack). {% data reusables.code-scanning.beta-model-packs %} @@ -263,7 +263,7 @@ If your codebase depends on a library or framework that is not recognized by the {% endif %} -To add one or more published {% data variables.product.prodname_codeql %} model packs, specify them inside the `with: packs:` entry within the `uses: {% data reusables.actions.action-codeql-action-init %}` section of the workflow. Within `packs` you specify one or more packages to use and, optionally, which version to download. Where you don't specify a version, the latest version is downloaded. If you want to use packages that are not publicly available, you need to set the `GITHUB_TOKEN` environment variable to a secret that has access to the packages. For more information, see "[AUTOTITLE](/actions/security-guides/automatic-token-authentication)" and "[AUTOTITLE](/actions/security-guides/encrypted-secrets)." +To add one or more published {% data variables.product.prodname_codeql %} model packs, specify them inside the `with: packs:` entry within the `uses: {% data reusables.actions.action-codeql-action-init %}` section of the workflow. Within `packs` you specify one or more packages to use and, optionally, which version to download. Where you don't specify a version, the latest version is downloaded. If you want to use packages that are not publicly available, you need to set the `GITHUB_TOKEN` environment variable to a secret that has access to the packages. For more information, see [AUTOTITLE](/actions/security-guides/automatic-token-authentication) and [AUTOTITLE](/actions/security-guides/encrypted-secrets). ``` yaml copy - uses: {% data reusables.actions.action-codeql-action-init %} @@ -283,10 +283,10 @@ In this example, the default queries will be run for Java, as well as the querie ### Using query packs -To add one or more {% data variables.product.prodname_codeql %} query packs, add a `with: packs:` entry within the `uses: {% data reusables.actions.action-codeql-action-init %}` section of the workflow. Within `packs` you specify one or more packages to use and, optionally, which version to download. Where you don't specify a version, the latest version is downloaded. If you want to use packages that are not publicly available, you need to set the `GITHUB_TOKEN` environment variable to a secret that has access to the packages. For more information, see "[AUTOTITLE](/actions/security-guides/automatic-token-authentication)" and "[AUTOTITLE](/actions/security-guides/encrypted-secrets)." +To add one or more {% data variables.product.prodname_codeql %} query packs, add a `with: packs:` entry within the `uses: {% data reusables.actions.action-codeql-action-init %}` section of the workflow. Within `packs` you specify one or more packages to use and, optionally, which version to download. Where you don't specify a version, the latest version is downloaded. If you want to use packages that are not publicly available, you need to set the `GITHUB_TOKEN` environment variable to a secret that has access to the packages. For more information, see [AUTOTITLE](/actions/security-guides/automatic-token-authentication) and [AUTOTITLE](/actions/security-guides/encrypted-secrets). > [!NOTE] -> For workflows that generate {% data variables.product.prodname_codeql %} databases for multiple languages, you must instead specify the {% data variables.product.prodname_codeql %} query packs in a configuration file. For more information, see "[Specifying {% data variables.product.prodname_codeql %} query packs](#specifying-codeql-query-packs)" below. +> For workflows that generate {% data variables.product.prodname_codeql %} databases for multiple languages, you must instead specify the {% data variables.product.prodname_codeql %} query packs in a configuration file. For more information, see [Specifying {% data variables.product.prodname_codeql %} query packs](#specifying-codeql-query-packs) below. In the example below, `scope` is the organization or personal account that published the package. When the workflow runs, the four {% data variables.product.prodname_codeql %} query packs are downloaded from {% data variables.product.product_name %} and the default queries or query suite for each pack run: * The latest version of `pack1` is downloaded and all default queries are run. @@ -304,7 +304,7 @@ In the example below, `scope` is the organization or personal account that publi > [!NOTE] > If you specify a particular version of a query pack to use, beware that the version you specify may eventually become too old to be used efficiently by the default {% data variables.product.prodname_codeql %} engine used by the {% data variables.product.prodname_codeql %} action. To ensure optimal performance, if you need to specify exact query pack versions, you should consider reviewing periodically whether the pinned version of the query pack needs to be moved forward. > -> For more information about pack compatibility, see "[AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/publishing-and-using-codeql-packs#about-codeql-pack-compatibility)." +> For more information about pack compatibility, see [AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/publishing-and-using-codeql-packs#about-codeql-pack-compatibility). ### Downloading {% data variables.product.prodname_codeql %} packs from {% data variables.product.prodname_ghe_server %} @@ -359,7 +359,7 @@ You can also specify query suites in the value of `queries`. Query suites are co ### Working with custom configuration files -If you also use a configuration file for custom settings, any additional packs or queries specified in your workflow are used instead of those specified in the configuration file. If you want to run the combined set of additional packs or queries, prefix the value of `packs` or `queries` in the workflow with the `+` symbol. For more information, see "[Using a custom configuration file](#using-a-custom-configuration-file)." +If you also use a configuration file for custom settings, any additional packs or queries specified in your workflow are used instead of those specified in the configuration file. If you want to run the combined set of additional packs or queries, prefix the value of `packs` or `queries` in the workflow with the `+` symbol. For more information, see [Using a custom configuration file](#using-a-custom-configuration-file). In the following example, the `+` symbol ensures that the specified additional packs and queries are used together with any specified in the referenced configuration file. @@ -465,7 +465,7 @@ queries: - uses: ./query-suites/my-security-queries.qls ``` -Optionally, you can give each array element a name, as shown in the example configuration files below. For more information about additional queries, see "[Running additional queries](#running-additional-queries)" above. +Optionally, you can give each array element a name, as shown in the example configuration files below. For more information about additional queries, see [Running additional queries](#running-additional-queries) above. ### Disabling the default queries @@ -490,15 +490,15 @@ query-filters: id: js/useless-assignment-to-local ``` -To find the id of a query, you can click the alert in the list of alerts in the **Security** tab. This opens the alert details page. The `Rule ID` field contains the query id. For more information about the alert details page, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/about-code-scanning-alerts#about-alert-details)." +To find the id of a query, you can click the alert in the list of alerts in the **Security** tab. This opens the alert details page. The `Rule ID` field contains the query id. For more information about the alert details page, see [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/about-code-scanning-alerts#about-alert-details). > [!TIP] > * The order of the filters is important. The first filter instruction that appears after the instructions about the queries and query packs determines whether the queries are included or excluded by default. > * Subsequent instructions are executed in order and the instructions that appear later in the file take precedence over the earlier instructions. -You can find another example illustrating the use of these filters in the "[Example configuration files](#example-configuration-files)" section. +You can find another example illustrating the use of these filters in the [Example configuration files](#example-configuration-files) section. -For more information about using `exclude` and `include` filters in your custom configuration file, see "[AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-codeql-query-suites#filtering-the-queries-in-a-query-suite)." For information on the query metadata you can filter on, see "[Metadata for CodeQL queries](https://codeql.github.com/docs/writing-codeql-queries/metadata-for-codeql-queries/)." +For more information about using `exclude` and `include` filters in your custom configuration file, see [AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-codeql-query-suites#filtering-the-queries-in-a-query-suite). For information on the query metadata you can filter on, see [Metadata for CodeQL queries](https://codeql.github.com/docs/writing-codeql-queries/metadata-for-codeql-queries/). ### Specifying directories to scan @@ -513,11 +513,11 @@ paths-ignore: ``` > [!NOTE] -> * The `paths` and `paths-ignore` keywords, used in the context of the {% data variables.product.prodname_code_scanning %} configuration file, should not be confused with the same keywords when used for `on..paths` in a workflow. When they are used to modify `on.` in a workflow, they determine whether the actions will be run when someone modifies code in the specified directories. For more information, see "[AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#onpushpull_requestpull_request_targetpathspaths-ignore)." +> * The `paths` and `paths-ignore` keywords, used in the context of the {% data variables.product.prodname_code_scanning %} configuration file, should not be confused with the same keywords when used for `on..paths` in a workflow. When they are used to modify `on.` in a workflow, they determine whether the actions will be run when someone modifies code in the specified directories. For more information, see [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#onpushpull_requestpull_request_targetpathspaths-ignore). > * The filter pattern characters `?`, `+`, `[`, `]`, and `!` are not supported and will be matched literally. > * `**` characters can only be at the start or end of a line, or surrounded by slashes, and you can't mix `**` and other characters. For example, `foo/**`, `**/foo`, and `foo/**/bar` are all allowed syntax, but `**foo` isn't. However you can use single stars along with other characters, as shown in the example. You'll need to quote anything that contains a `*` character. -For analysis where code is built, if you want to limit {% data variables.product.prodname_code_scanning %} to specific directories in your project, you must specify appropriate build steps in the workflow. The commands you need to use to exclude a directory from the build will depend on your build system. For more information, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#adding-build-steps-for-a-compiled-language)." +For analysis where code is built, if you want to limit {% data variables.product.prodname_code_scanning %} to specific directories in your project, you must specify appropriate build steps in the workflow. The commands you need to use to exclude a directory from the build will depend on your build system. For more information, see [AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#adding-build-steps-for-a-compiled-language). You can quickly analyze small portions of a monorepo when you modify code in specific directories. You'll need to both exclude directories in your build steps and use the `paths-ignore` and `paths` keywords for [`on.`](/actions/using-workflows/workflow-syntax-for-github-actions#onpushpull_requestpull_request_targetpathspaths-ignore) in your workflow. @@ -527,7 +527,7 @@ You can quickly analyze small portions of a monorepo when you modify code in spe ## Specifying configuration details using the `config` input -If you'd prefer to specify additional configuration details in the workflow file, you can use the `config` input of the `init` command of the {% data variables.product.prodname_codeql %} action. The value of this input must be a YAML string that follows the configuration file format documented at "[Using a custom configuration file](#using-a-custom-configuration-file)" above. +If you'd prefer to specify additional configuration details in the workflow file, you can use the `config` input of the `init` command of the {% data variables.product.prodname_codeql %} action. The value of this input must be a YAML string that follows the configuration file format documented at [Using a custom configuration file](#using-a-custom-configuration-file) above. ### Example configuration @@ -551,7 +551,7 @@ You can use the same approach to specify any valid configuration options in the > [!TIP] > You can share one configuration across multiple repositories using {% data variables.product.prodname_actions %} variables. One benefit of this approach is that you can update the configuration in a single place without editing the workflow file. > -> In the following example, `vars.CODEQL_CONF` is a {% data variables.product.prodname_actions %} variable. Its value can be the contents of any valid configuration file. For more information, see "[AUTOTITLE](/actions/learn-github-actions/variables#defining-configuration-variables-for-multiple-workflows)." +> In the following example, `vars.CODEQL_CONF` is a {% data variables.product.prodname_actions %} variable. Its value can be the contents of any valid configuration file. For more information, see [AUTOTITLE](/actions/learn-github-actions/variables#defining-configuration-variables-for-multiple-workflows). > > ```yaml > - uses: {% data reusables.actions.action-codeql-action-init %} @@ -564,14 +564,14 @@ You can use the same approach to specify any valid configuration options in the {% ifversion codeql-no-build %} -For compiled languages, you can decide how the {% data variables.product.prodname_codeql %} action creates a {% data variables.product.prodname_codeql %} database for analysis. For information about the build options available, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages)." +For compiled languages, you can decide how the {% data variables.product.prodname_codeql %} action creates a {% data variables.product.prodname_codeql %} database for analysis. For information about the build options available, see [AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages). {% else %} -For compiled languages, the {% data variables.product.prodname_codeql %} action builds the codebase to create a {% data variables.product.prodname_codeql %} database for analysis. By default, {% data variables.product.prodname_codeql %} uses `autobuild` steps to identify the most likely build method for the codebase. {% data reusables.code-scanning.autobuild-add-build-steps %} For more information about how to configure {% data variables.product.prodname_codeql %} {% data variables.product.prodname_code_scanning %} for compiled languages, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages)." +For compiled languages, the {% data variables.product.prodname_codeql %} action builds the codebase to create a {% data variables.product.prodname_codeql %} database for analysis. By default, {% data variables.product.prodname_codeql %} uses `autobuild` steps to identify the most likely build method for the codebase. {% data reusables.code-scanning.autobuild-add-build-steps %} For more information about how to configure {% data variables.product.prodname_codeql %} {% data variables.product.prodname_code_scanning %} for compiled languages, see [AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages). {% endif %} ## Uploading {% data variables.product.prodname_code_scanning %} data to {% data variables.product.prodname_dotcom %} -{% data variables.product.prodname_dotcom %} can display code analysis data generated externally by a third-party tool. You can upload code analysis data with the `upload-sarif` action. For more information, see "[AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github)." +{% data variables.product.prodname_dotcom %} can display code analysis data generated externally by a third-party tool. You can upload code analysis data with the `upload-sarif` action. For more information, see [AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github). diff --git a/content/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/running-codeql-code-scanning-in-a-container.md b/content/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/running-codeql-code-scanning-in-a-container.md index a9f72a4760f0..9a42cd19caf6 100644 --- a/content/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/running-codeql-code-scanning-in-a-container.md +++ b/content/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/running-codeql-code-scanning-in-a-container.md @@ -28,7 +28,7 @@ topics: If you're configuring {% data variables.product.prodname_code_scanning %} for a compiled language, and you're building the code in a containerized environment, the analysis may fail with the error message "No source code was seen during the build." This indicates that {% data variables.product.prodname_codeql %} was unable to monitor your code as it was compiled. -You must run {% data variables.product.prodname_codeql %} inside the container in which you build your code. This applies whether you are using the {% data variables.product.prodname_codeql_cli %} or {% data variables.product.prodname_actions %}. For the {% data variables.product.prodname_codeql_cli %}, see "[AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/using-code-scanning-with-your-existing-ci-system)" for more information. If you're using {% data variables.product.prodname_actions %}, configure your workflow to run all the actions in the same container. For more information, see "[Example workflow](#example-workflow)." +You must run {% data variables.product.prodname_codeql %} inside the container in which you build your code. This applies whether you are using the {% data variables.product.prodname_codeql_cli %} or {% data variables.product.prodname_actions %}. For the {% data variables.product.prodname_codeql_cli %}, see [AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/using-code-scanning-with-your-existing-ci-system) for more information. If you're using {% data variables.product.prodname_actions %}, configure your workflow to run all the actions in the same container. For more information, see [Example workflow](#example-workflow). > [!NOTE] > {% data reusables.code-scanning.non-glibc-linux-support %} @@ -45,7 +45,7 @@ You may have difficulty running {% data variables.product.prodname_code_scanning {% data reusables.code-scanning.codeql-action-version-ghes %} -This sample workflow uses {% data variables.product.prodname_actions %} to run {% data variables.product.prodname_codeql %} analysis in a containerized environment. The value of `container.image` identifies the container to use. In this example the image is named `codeql-container`, with a tag of `f0f91db`. For more information, see "[AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idcontainer)." +This sample workflow uses {% data variables.product.prodname_actions %} to run {% data variables.product.prodname_codeql %} analysis in a containerized environment. The value of `container.image` identifies the container to use. In this example the image is named `codeql-container`, with a tag of `f0f91db`. For more information, see [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idcontainer). ```yaml name: "{% data variables.product.prodname_codeql %}" diff --git a/content/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale.md b/content/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale.md index cec2d49f25d9..ea2eac01248e 100644 --- a/content/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale.md +++ b/content/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale.md @@ -23,21 +23,21 @@ With default setup for {% data variables.product.prodname_code_scanning %}, you You can enable {% data variables.product.prodname_code_scanning %} for all repositories in your organization that are eligible for default setup. After enabling default setup, the code written in {% data variables.product.prodname_codeql %}-supported languages in repositories in the organization will be scanned: -* On each push to the repository's default branch, or any protected branch. For more information on protected branches, see "[AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches)." +* On each push to the repository's default branch, or any protected branch. For more information on protected branches, see [AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches). * When creating or committing to a pull request based against the repository's default branch, or any protected branch, excluding pull requests from forks.{% ifversion default-setup-scan-on-schedule %} * On a weekly schedule.{% endif %} -For more information, see "[Configuring default setup for all eligible repositories in an organization](#configuring-default-setup-for-all-eligible-repositories-in-an-organization)." +For more information, see [Configuring default setup for all eligible repositories in an organization](#configuring-default-setup-for-all-eligible-repositories-in-an-organization). {% ifversion code-security-multi-repo-enablement %} -You can also use security overview to find a set of repositories in your organization and enable or disable default setup for all of them at the same time. For more information, see "[Configuring default setup for a subset of repositories in an organization](#configuring-default-setup-for-a-subset-of-repositories-in-an-organization)." +You can also use security overview to find a set of repositories in your organization and enable or disable default setup for all of them at the same time. For more information, see [Configuring default setup for a subset of repositories in an organization](#configuring-default-setup-for-a-subset-of-repositories-in-an-organization). {% endif %} -You can also create different default setup configurations for individual repositories. For more information on configuring default setup at the repository level, see "[AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning)." +You can also create different default setup configurations for individual repositories. For more information on configuring default setup at the repository level, see [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning). -For repositories that are not eligible for default setup, you can configure advanced setup at the repository level, or at the organization level using a script. For more information, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning-with-codeql-at-scale)." +For repositories that are not eligible for default setup, you can configure advanced setup at the repository level, or at the organization level using a script. For more information, see [AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning-with-codeql-at-scale). @@ -74,9 +74,9 @@ If the code in a repository changes to include {% ifversion code-scanning-defaul ## Configuring default setup for all eligible repositories in an organization -{% ifversion security-configurations %} You can enable default setup for all eligible repositories in your organization. For more information, see "[AUTOTITLE](/code-security/securing-your-organization/introduction-to-securing-your-organization-at-scale/about-enabling-security-features-at-scale)." +{% ifversion security-configurations %} You can enable default setup for all eligible repositories in your organization. For more information, see [AUTOTITLE](/code-security/securing-your-organization/introduction-to-securing-your-organization-at-scale/about-enabling-security-features-at-scale). {% else %} -Through the "Code security and analysis" page of your organization's settings, you can enable default setup for all eligible repositories in your organization. For more information on repository eligibility, see "[Eligible repositories for {% data variables.product.prodname_codeql %} default setup at scale](#eligible-repositories-default-setup)." +Through the "Code security and analysis" page of your organization's settings, you can enable default setup for all eligible repositories in your organization. For more information on repository eligibility, see [Eligible repositories for {% data variables.product.prodname_codeql %} default setup at scale](#eligible-repositories-default-setup). {% data reusables.code-scanning.beta-org-enable-all %} @@ -84,14 +84,14 @@ Through the "Code security and analysis" page of your organization's settings, y {% data reusables.profile.org_settings %} {% data reusables.organizations.security-and-analysis %} 1. Click **Enable all** next to "{% data variables.product.prodname_code_scanning_caps %}".{% ifversion bulk-code-scanning-query-suite %} -1. In the "Query suites" section of the "Enable {% data variables.product.prodname_code_scanning %} default setup" dialog box displayed, select the query suite your configuration of default setup will run. For more information, see "[AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/codeql-query-suites)." +1. In the "Query suites" section of the "Enable {% data variables.product.prodname_code_scanning %} default setup" dialog box displayed, select the query suite your configuration of default setup will run. For more information, see [AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/codeql-query-suites). 1. To enable your configuration of default setup, click **Enable for eligible repositories**. 1. Optionally, to recommend the "Extended" query suite throughout your organization when enabling default setup, select "Recommend the extended query suite for repositories enabling default setup."{% else %} 1. In the "Enable {% data variables.product.prodname_code_scanning %} for eligible repositories" dialog box displayed, click **Enable for eligible repositories** to enable your configuration of default setup.{% endif %} > [!NOTE] > * {% data reusables.code-scanning.limitation-org-enable-all %} -> * Enabling {% data variables.product.prodname_code_scanning %} for all eligible repositories in an organization will not override existing {% data variables.product.prodname_code_scanning %} configurations. For information on configuring default setup with different settings for specific repositories, see "[AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning){% ifversion code-security-multi-repo-enablement %}" and "[Configuring default setup for a subset of repositories in an organization](#configuring-default-setup-for-a-subset-of-repositories-in-an-organization){% endif %}."{% ifversion default-setup-pre-enablement %} +> * Enabling {% data variables.product.prodname_code_scanning %} for all eligible repositories in an organization will not override existing {% data variables.product.prodname_code_scanning %} configurations. For information on configuring default setup with different settings for specific repositories, see [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning){% ifversion code-security-multi-repo-enablement %} and [Configuring default setup for a subset of repositories in an organization](#configuring-default-setup-for-a-subset-of-repositories-in-an-organization){% endif %}.{% ifversion default-setup-pre-enablement %} > * Enabling default setup for all eligible repositories in an organization includes eligible repositories without {% data variables.product.prodname_codeql %}-supported languages. If a {% data variables.product.prodname_codeql %}-supported language is later added to one of these repositories, default setup will begin scanning that repository and consuming {% data variables.product.prodname_actions %} minutes.{% endif %} {% endif %} @@ -100,7 +100,7 @@ Through the "Code security and analysis" page of your organization's settings, y ### Extending {% data variables.product.prodname_codeql %} coverage in default setup -Through your organization's security settings page, you can extend coverage in default setup using model packs for all eligible repositories in your organization. For more information, see "[AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/editing-your-configuration-of-default-setup#extending-coverage-for-all-repositories-in-an-organization)." +Through your organization's security settings page, you can extend coverage in default setup using model packs for all eligible repositories in your organization. For more information, see [AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/editing-your-configuration-of-default-setup#extending-coverage-for-all-repositories-in-an-organization). {% endif %} {% ifversion code-security-multi-repo-enablement %} @@ -109,11 +109,11 @@ Through your organization's security settings page, you can extend coverage in d {% ifversion security-configurations %} -You can filter for specific repositories you would like to configure default setup for. For more information, see "[AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/applying-a-custom-security-configuration)." +You can filter for specific repositories you would like to configure default setup for. For more information, see [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/applying-a-custom-security-configuration). {% endif %} -Through security overview for your organization, you can find eligible repositories for default setup, then enable default setup across each of those repositories simultaneously. For more information on repository eligibility, see "[Eligible repositories for {% data variables.product.prodname_codeql %} default setup at scale](#eligible-repositories-default-setup)." +Through security overview for your organization, you can find eligible repositories for default setup, then enable default setup across each of those repositories simultaneously. For more information on repository eligibility, see [Eligible repositories for {% data variables.product.prodname_codeql %} default setup at scale](#eligible-repositories-default-setup). ### Finding repositories that are eligible for default setup @@ -144,7 +144,7 @@ Through security overview for your organization, you can find eligible repositor {% ifversion pre-security-configurations %} -You can select all of the displayed repositories, or a subset of them, and enable or disable default setup for {% data variables.product.prodname_code_scanning %} for them all at the same time. For more information, see step 5 of "[Configuring default setup at scale for multiple repositories in an organization](#configuring-default-setup-at-scale-for-multiple-repositories-in-an-organization)." +You can select all of the displayed repositories, or a subset of them, and enable or disable default setup for {% data variables.product.prodname_code_scanning %} for them all at the same time. For more information, see step 5 of [Configuring default setup at scale for multiple repositories in an organization](#configuring-default-setup-at-scale-for-multiple-repositories-in-an-organization). ### Configuring default setup at scale for multiple repositories in an organization @@ -157,7 +157,7 @@ You can select all of the displayed repositories, or a subset of them, and enabl * To enable {% data variables.product.prodname_code_scanning %} for all repositories that match the current search, select the checkbox next to **NUMBER Active**, then click **Select all NUMBER repos**. 1. Click **Security settings** next to **NUMBER selected**. 1. In the side panel, in the "{% data variables.product.prodname_codeql %} Default Setup" section, select **No change**, then click **Enable**.{% ifversion bulk-code-scanning-query-suite %} -1. Optionally, to choose a different query suite than your organization's default query suite, select **Query suite: SUITE NAME**, then click the query suite your configuration of default setup should use. For more information, see "[AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/codeql-query-suites)."{% endif %} +1. Optionally, to choose a different query suite than your organization's default query suite, select **Query suite: SUITE NAME**, then click the query suite your configuration of default setup should use. For more information, see [AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/codeql-query-suites).{% endif %} 1. To confirm the enablement of {% data variables.product.prodname_code_scanning %} for the selected repositories, click **Apply changes NUMBER**. Alternatively, to select or deselect more repositories for {% data variables.product.prodname_code_scanning %} enablement, click {% octicon "x" aria-label="Close" %} to close the panel without applying your changes. > [!NOTE] @@ -170,7 +170,7 @@ You can select all of the displayed repositories, or a subset of them, and enabl ![Screenshot of the "Security coverage" view with the side panel open. The "Apply changes" button is highlighted in a dark orange outline.](/assets/images/help/security-overview/security-coverage-view-multi-repo-side-panel.png) - If you're blocked from enabling {% data variables.product.prodname_code_scanning %} due to an enterprise policy, you will still be able to see the affected repository in the "Security Coverage" view and access the side panel from the **{% octicon "gear" aria-hidden="true" %} Security settings** button. However, you will see a message in the side panel indicating that you cannot enable {% data variables.product.prodname_code_scanning %} for the selected repositories. For more information about enterprise policies, see "[AUTOTITLE](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-code-security-and-analysis-for-your-enterprise)." + If you're blocked from enabling {% data variables.product.prodname_code_scanning %} due to an enterprise policy, you will still be able to see the affected repository in the "Security Coverage" view and access the side panel from the **{% octicon "gear" aria-hidden="true" %} Security settings** button. However, you will see a message in the side panel indicating that you cannot enable {% data variables.product.prodname_code_scanning %} for the selected repositories. For more information about enterprise policies, see [AUTOTITLE](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-code-security-and-analysis-for-your-enterprise). {% endif %} @@ -185,7 +185,7 @@ You can use rulesets to prevent pull requests from being merged when one of the {% data reusables.code-scanning.merge-protection-rulesets-conditions %} -For more information, see "[AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/set-code-scanning-merge-protection#creating-a-merge-protection-ruleset-for-all-repositories-in-an-organization)." For more general information about rulesets, see "[AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets)." +For more information, see [AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/set-code-scanning-merge-protection#creating-a-merge-protection-ruleset-for-all-repositories-in-an-organization). For more general information about rulesets, see [AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets). {% endif %} {% endif %} diff --git a/content/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning.md b/content/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning.md index 099243606867..ed9c87e385ec 100644 --- a/content/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning.md +++ b/content/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning.md @@ -29,7 +29,7 @@ versions: ## About default setup Default setup for {% data variables.product.prodname_code_scanning %} is the quickest, easiest, most low-maintenance way to enable {% data variables.product.prodname_code_scanning %} for your repository. Based on the code in your repository, default setup will automatically create a custom {% data variables.product.prodname_code_scanning %} configuration. After enabling default setup, the code written in {% data variables.product.prodname_codeql %}-supported languages in your repository will be scanned: -* On each push to the repository's default branch, or any protected branch. For more information on protected branches, see "[AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches)." +* On each push to the repository's default branch, or any protected branch. For more information on protected branches, see [AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches). * When creating or committing to a pull request based against the repository's default branch, or any protected branch, excluding pull requests from forks.{% ifversion default-setup-scan-on-schedule %} * On a weekly schedule. @@ -41,9 +41,9 @@ Default setup for {% data variables.product.prodname_code_scanning %} is the qui {% endif %} {% endif %} -You can also enable default setup for multiple or all repositories in an organization at the same time. For information on bulk enablement, see "[AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale)." +You can also enable default setup for multiple or all repositories in an organization at the same time. For information on bulk enablement, see [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale). -If you need more granular control over your {% data variables.product.prodname_code_scanning %} configuration, you should instead configure advanced setup. For more information, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning)." +If you need more granular control over your {% data variables.product.prodname_code_scanning %} configuration, you should instead configure advanced setup. For more information, see [AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning). ### Requirements for using default setup @@ -59,16 +59,16 @@ Your repository is eligible for default setup for {% data variables.product.prod {% ifversion default-setup-pre-enablement %} {% data reusables.code-scanning.default-setup-pre-enablement-explanation %} {% else %} -If your repository includes at least one {% data variables.product.prodname_codeql %}-supported language, you can use default setup even if your repository also includes languages that aren't supported by {% data variables.product.prodname_codeql %}, such as R. Unsupported languages will not be scanned by default setup. For more information on {% data variables.product.prodname_codeql %}-supported languages, see "[AUTOTITLE](/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning-with-codeql#about-codeql)." +If your repository includes at least one {% data variables.product.prodname_codeql %}-supported language, you can use default setup even if your repository also includes languages that aren't supported by {% data variables.product.prodname_codeql %}, such as R. Unsupported languages will not be scanned by default setup. For more information on {% data variables.product.prodname_codeql %}-supported languages, see [AUTOTITLE](/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning-with-codeql#about-codeql). {% endif %} -You can use default setup for all {% data variables.product.prodname_codeql %}-supported languages{% ifversion codeql-swift-advanced-setup %} except Swift{% endif %} for self-hosted runners or {% data variables.product.prodname_dotcom %}-hosted runners. See "[Assigning labels to runners](#assigning-labels-to-runners)", later in this article. +You can use default setup for all {% data variables.product.prodname_codeql %}-supported languages{% ifversion codeql-swift-advanced-setup %} except Swift{% endif %} for self-hosted runners or {% data variables.product.prodname_dotcom %}-hosted runners. See [Assigning labels to runners](#assigning-labels-to-runners), later in this article. {% ifversion codeql-no-build %}Default setup uses the `none` build mode for {% data variables.code-scanning.no_build_support %} and uses the `autobuild` build mode for other compiled languages. You should configure your self-hosted runners to make sure they can run all the necessary commands for C/C++, C#, and Swift analysis. Analysis of JavaScript/TypeScript, Go, Ruby, Python, and Kotlin code does not currently require special configuration.{% else %}Default setup runs the `autobuild` action, so you should configure your self-hosted runners to make sure they can run all the necessary commands for {% data variables.code-scanning.compiled_languages %} analysis. Analysis of JavaScript/TypeScript, Go, Ruby, Python, and Kotlin code does not currently require special configuration.{% endif %} ### Customizing default setup -We recommend that you start using {% data variables.product.prodname_code_scanning %} with default setup. After you've initially configured default setup, you can evaluate {% data variables.product.prodname_code_scanning %} to see how it's working for you. If you find that something isn't working as you expect, you can customize default setup to better meet your code security needs. For more information, see "[AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/evaluating-default-setup-for-code-scanning)." +We recommend that you start using {% data variables.product.prodname_code_scanning %} with default setup. After you've initially configured default setup, you can evaluate {% data variables.product.prodname_code_scanning %} to see how it's working for you. If you find that something isn't working as you expect, you can customize default setup to better meet your code security needs. For more information, see [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/evaluating-default-setup-for-code-scanning). {% ifversion code-scanning-default-setup-recommended-languages %} @@ -121,14 +121,14 @@ When you initially configure default setup for {% data variables.product.prodnam ![Screenshot of the modal for default setup. A button labeled "Default", with an arrow indicating a dropdown menu, is outlined in dark orange.](/assets/images/help/security/default-setup-query-suite-dropdown.png) - If you choose the **Extended** query suite, your {% data variables.product.prodname_code_scanning %} configuration will run lower severity and precision queries in addition to the queries included in the **Default** query suite. For more information on the available query suites, see "[AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/codeql-query-suites)." + If you choose the **Extended** query suite, your {% data variables.product.prodname_code_scanning %} configuration will run lower severity and precision queries in addition to the queries included in the **Default** query suite. For more information on the available query suites, see [AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/codeql-query-suites). > [!NOTE] > If you configure {% data variables.product.prodname_code_scanning %} to use the **Extended** query suite, you may experience a higher rate of false positive alerts. {% ifversion code-scanning-default-setup-customize-labels %} -1. Optionally, to use labeled runners, in the "Runner type" section, select **Standard {% data variables.product.company_short %} runner** {% octicon "triangle-down" aria-hidden="true" %} then select **Labeled runner**. Then, next to "Runner label", enter the label of an existing self-hosted or {% data variables.product.company_short %}-hosted runner. See "[Assigning labels to runners](#assigning-labels-to-runners)", later in this article. +1. Optionally, to use labeled runners, in the "Runner type" section, select **Standard {% data variables.product.company_short %} runner** {% octicon "triangle-down" aria-hidden="true" %} then select **Labeled runner**. Then, next to "Runner label", enter the label of an existing self-hosted or {% data variables.product.company_short %}-hosted runner. See [Assigning labels to runners](#assigning-labels-to-runners), later in this article. {%- endif %} {%- endif %} @@ -144,7 +144,7 @@ When you initially configure default setup for {% data variables.product.prodnam >[!NOTE]{% data variables.product.prodname_code_scanning_caps %} sees assigned runners when default setup is enabled. If a runner is assigned to a repository that is already running default setup, you must disable and re-enable default setup to start using the runner. If you add a runner and want to start using it, you can change the configuration manually without needing to disable and re-enable default setup. -You can also assign self-hosted runners{% ifversion code-scanning-default-setup-customize-labels %} with the default `code-scanning` label, or you can optionally give them custom labels so that individual repositories can use different runners.{% else %}with the `code-scanning` label.{% endif %} For information about assigning labels to self-hosted runners, see "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/using-labels-with-self-hosted-runners)." +You can also assign self-hosted runners{% ifversion code-scanning-default-setup-customize-labels %} with the default `code-scanning` label, or you can optionally give them custom labels so that individual repositories can use different runners.{% else %}with the `code-scanning` label.{% endif %} For information about assigning labels to self-hosted runners, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/using-labels-with-self-hosted-runners). {% ifversion code-scanning-default-setup-customize-labels %} @@ -154,9 +154,9 @@ Specifying custom labels for self-hosted runners is optional. Unless you have a * Run your {% data variables.product.prodname_code_scanning %} analyses on a particular platform (for example, macOS). * Have granular control over the workload for your {% data variables.product.prodname_dotcom %}-hosted runners and self-hosted runners. -Once you've assigned custom labels to self-hosted runners, your repositories can use those runners for {% data variables.product.prodname_code_scanning %} default setup. For more information, see "[Configuring default setup for a repository](#configuring-default-setup-for-a-repository)", earlier in this article. +Once you've assigned custom labels to self-hosted runners, your repositories can use those runners for {% data variables.product.prodname_code_scanning %} default setup. For more information, see [Configuring default setup for a repository](#configuring-default-setup-for-a-repository), earlier in this article. -You can also use {% data variables.product.prodname_security_configurations %} to assign labels to self-hosted runners for {% data variables.product.prodname_code_scanning %}. See "[AUTOTITLE](/code-security/securing-your-organization/meeting-your-specific-security-needs-with-custom-security-configurations/creating-a-custom-security-configuration#creating-a-custom-security-configuration)." +You can also use {% data variables.product.prodname_security_configurations %} to assign labels to self-hosted runners for {% data variables.product.prodname_code_scanning %}. See [AUTOTITLE](/code-security/securing-your-organization/meeting-your-specific-security-needs-with-custom-security-configurations/creating-a-custom-security-configuration#creating-a-custom-security-configuration). {% endif %} @@ -164,16 +164,16 @@ You can also use {% data variables.product.prodname_security_configurations %} t ### Assigning {% data variables.actions.hosted_runners %} -To assign a {% data variables.actions.hosted_runner %}, name the runner `code-scanning`. This will automatically add the `code-scanning` label to the {% data variables.actions.hosted_runner %}. An organization can only have one {% data variables.actions.hosted_runner %} with the `code-scanning` label, and that runner will handle all {% data variables.product.prodname_code_scanning %} jobs from repositories within your organization with access to the runner's group. See "[AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/configuring-larger-runners-for-default-setup#provisioning-organization-level-larger-runners-for-default-setup)." +To assign a {% data variables.actions.hosted_runner %}, name the runner `code-scanning`. This will automatically add the `code-scanning` label to the {% data variables.actions.hosted_runner %}. An organization can only have one {% data variables.actions.hosted_runner %} with the `code-scanning` label, and that runner will handle all {% data variables.product.prodname_code_scanning %} jobs from repositories within your organization with access to the runner's group. See [AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/configuring-larger-runners-for-default-setup#provisioning-organization-level-larger-runners-for-default-setup). {% endif %} ## Next steps -After your configuration runs successfully at least once, you can start examining and resolving {% data variables.product.prodname_code_scanning %} alerts. For more information on {% data variables.product.prodname_code_scanning %} alerts, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/about-code-scanning-alerts)" and "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/assessing-code-scanning-alerts-for-your-repository)." +After your configuration runs successfully at least once, you can start examining and resolving {% data variables.product.prodname_code_scanning %} alerts. For more information on {% data variables.product.prodname_code_scanning %} alerts, see [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/about-code-scanning-alerts) and [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/assessing-code-scanning-alerts-for-your-repository). -After you've configured default setup for {% data variables.product.prodname_code_scanning %}, you can read about evaluating how it's working for you and the next steps you can take to customize it. For more information, see "[AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/evaluating-default-setup-for-code-scanning)." +After you've configured default setup for {% data variables.product.prodname_code_scanning %}, you can read about evaluating how it's working for you and the next steps you can take to customize it. For more information, see [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/evaluating-default-setup-for-code-scanning). -You can find detailed information about your {% data variables.product.prodname_code_scanning %} configuration, including timestamps for each scan and the percentage of files scanned, on the tool status page. For more information, see "[AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/about-the-tool-status-page)." +You can find detailed information about your {% data variables.product.prodname_code_scanning %} configuration, including timestamps for each scan and the percentage of files scanned, on the tool status page. For more information, see [AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/about-the-tool-status-page). -When you configure default setup, you may encounter an error. For information on troubleshooting specific errors, see "[AUTOTITLE](/code-security/code-scanning/troubleshooting-code-scanning)." +When you configure default setup, you may encounter an error. For information on troubleshooting specific errors, see [AUTOTITLE](/code-security/code-scanning/troubleshooting-code-scanning). diff --git a/content/code-security/code-scanning/enabling-code-scanning/evaluating-default-setup-for-code-scanning.md b/content/code-security/code-scanning/enabling-code-scanning/evaluating-default-setup-for-code-scanning.md index 0a6fa6184b9f..6561ce3f96ad 100644 --- a/content/code-security/code-scanning/enabling-code-scanning/evaluating-default-setup-for-code-scanning.md +++ b/content/code-security/code-scanning/enabling-code-scanning/evaluating-default-setup-for-code-scanning.md @@ -17,13 +17,13 @@ When you first start using {% data variables.product.prodname_code_scanning %}, ## Customizing {% data variables.product.prodname_code_scanning %} -When you first configure default setup, or after an initial analysis of your code, you can edit which languages default setup will analyze and the query suite run during analysis. The `default` query suite contains a set of queries that are carefully designed to look for the most relevant security issues, while minimizing false positive results. However, you can use the `security-extended` suite to run additional queries, which have slightly lower precision. For more information on the available query suites, see "[AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/codeql-query-suites)." +When you first configure default setup, or after an initial analysis of your code, you can edit which languages default setup will analyze and the query suite run during analysis. The `default` query suite contains a set of queries that are carefully designed to look for the most relevant security issues, while minimizing false positive results. However, you can use the `security-extended` suite to run additional queries, which have slightly lower precision. For more information on the available query suites, see [AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/codeql-query-suites). -For more information about customizing default setup, see "[AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/editing-your-configuration-of-default-setup)." +For more information about customizing default setup, see [AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/editing-your-configuration-of-default-setup). ### Using advanced setup -If you've found that you still need more granular control over {% data variables.product.prodname_code_scanning %}, you can use advanced setup. Advanced setup requires significantly more effort to configure, customize, and maintain, so we recommend enabling default setup first. For more information about advanced setup, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning)" and "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning)." +If you've found that you still need more granular control over {% data variables.product.prodname_code_scanning %}, you can use advanced setup. Advanced setup requires significantly more effort to configure, customize, and maintain, so we recommend enabling default setup first. For more information about advanced setup, see [AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning) and [AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning). ## Evaluating {% data variables.product.prodname_code_scanning %} with the {% data variables.code-scanning.tool_status_page %} @@ -31,6 +31,6 @@ The {% data variables.code-scanning.tool_status_page %} shows useful information Using the {% data variables.code-scanning.tool_status_page %}, you can download the list of rules that {% data variables.product.prodname_code_scanning %} is checking against, in CSV format. For integrated tools like {% data variables.product.prodname_codeql %}, you can also see more detailed information, including a percentage of files scanned and specific error messages. -If you find that default setup doesn't scan all your files, you may need to customize {% data variables.product.prodname_code_scanning %}. For more information, see "[Customizing code scanning](#customizing-code-scanning)" in this article. Alternatively, or if something else isn't working as you expect, you may find our dedicated troubleshooting documentation useful. For more information, see "[AUTOTITLE](/code-security/code-scanning/troubleshooting-code-scanning)". +If you find that default setup doesn't scan all your files, you may need to customize {% data variables.product.prodname_code_scanning %}. For more information, see [Customizing code scanning](#customizing-code-scanning) in this article. Alternatively, or if something else isn't working as you expect, you may find our dedicated troubleshooting documentation useful. For more information, see [AUTOTITLE](/code-security/code-scanning/troubleshooting-code-scanning). -For more detailed information about the {% data variables.code-scanning.tool_status_page %}, see "[AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/about-the-tool-status-page#viewing-the-tool-status-page-for-a-repository)." +For more detailed information about the {% data variables.code-scanning.tool_status_page %}, see [AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/about-the-tool-status-page#viewing-the-tool-status-page-for-a-repository). diff --git a/content/code-security/code-scanning/integrating-with-code-scanning/about-integration-with-code-scanning.md b/content/code-security/code-scanning/integrating-with-code-scanning/about-integration-with-code-scanning.md index d8a21d0c762e..3da0624ff067 100644 --- a/content/code-security/code-scanning/integrating-with-code-scanning/about-integration-with-code-scanning.md +++ b/content/code-security/code-scanning/integrating-with-code-scanning/about-integration-with-code-scanning.md @@ -24,16 +24,16 @@ topics: {% data reusables.code-scanning.enterprise-enable-code-scanning %} -As an alternative to running {% data variables.product.prodname_code_scanning %} within {% data variables.product.prodname_dotcom %}, you can perform analysis elsewhere, using the CodeQL CLI or another static analysis tool, and then upload the results. For more information, see "[AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/using-code-scanning-with-your-existing-ci-system)." +As an alternative to running {% data variables.product.prodname_code_scanning %} within {% data variables.product.prodname_dotcom %}, you can perform analysis elsewhere, using the CodeQL CLI or another static analysis tool, and then upload the results. For more information, see [AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/using-code-scanning-with-your-existing-ci-system). {% data reusables.code-scanning.about-multiple-configurations-link %} ## Integrations with webhooks -You can use {% data variables.product.prodname_code_scanning %} webhooks to build or configure integrations, such as [{% data variables.product.prodname_github_apps %}](/apps/creating-github-apps/setting-up-a-github-app) or [{% data variables.product.prodname_oauth_apps %}](/apps/oauth-apps/building-oauth-apps), that subscribe to {% data variables.product.prodname_code_scanning %} events in your repository. For example, you could build an integration that creates an issue on {% data variables.product.product_name %} or sends you a Slack notification when a new {% data variables.product.prodname_code_scanning %} alert is added in your repository. For more information, see "[AUTOTITLE](/webhooks)" and "[AUTOTITLE](/webhooks-and-events/webhooks/webhook-events-and-payloads#code_scanning_alert)." +You can use {% data variables.product.prodname_code_scanning %} webhooks to build or configure integrations, such as [{% data variables.product.prodname_github_apps %}](/apps/creating-github-apps/setting-up-a-github-app) or [{% data variables.product.prodname_oauth_apps %}](/apps/oauth-apps/building-oauth-apps), that subscribe to {% data variables.product.prodname_code_scanning %} events in your repository. For example, you could build an integration that creates an issue on {% data variables.product.product_name %} or sends you a Slack notification when a new {% data variables.product.prodname_code_scanning %} alert is added in your repository. For more information, see [AUTOTITLE](/webhooks) and [AUTOTITLE](/webhooks-and-events/webhooks/webhook-events-and-payloads#code_scanning_alert). ## Further reading -* "[AUTOTITLE](/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning)" -* "[AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/using-code-scanning-with-your-existing-ci-system)" -* "[AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning)" +* [AUTOTITLE](/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning) +* [AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/using-code-scanning-with-your-existing-ci-system) +* [AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning) diff --git a/content/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning.md b/content/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning.md index 459fa08933d3..fe9f198906aa 100644 --- a/content/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning.md +++ b/content/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning.md @@ -25,11 +25,11 @@ topics: SARIF (Static Analysis Results Interchange Format) is an [OASIS Standard](https://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html) that defines an output file format. The SARIF standard is used to streamline how static analysis tools share their results. {% data variables.product.prodname_code_scanning_caps %} supports a subset of the SARIF 2.1.0 JSON schema. -To upload a SARIF file from a third-party static code analysis engine, you'll need to ensure that uploaded files use the SARIF 2.1.0 version. {% data variables.product.prodname_dotcom %} will parse the SARIF file and show alerts using the results in your repository as a part of the {% data variables.product.prodname_code_scanning %} experience. For more information, see "[AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github)." For more information about the SARIF 2.1.0 JSON schema, see [`sarif-schema-2.1.0.json`](https://github.com/oasis-tcs/sarif-spec/blob/123e95847b13fbdd4cbe2120fa5e33355d4a042b/Schemata/sarif-schema-2.1.0.json). +To upload a SARIF file from a third-party static code analysis engine, you'll need to ensure that uploaded files use the SARIF 2.1.0 version. {% data variables.product.prodname_dotcom %} will parse the SARIF file and show alerts using the results in your repository as a part of the {% data variables.product.prodname_code_scanning %} experience. For more information, see [AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github). For more information about the SARIF 2.1.0 JSON schema, see [`sarif-schema-2.1.0.json`](https://github.com/oasis-tcs/sarif-spec/blob/123e95847b13fbdd4cbe2120fa5e33355d4a042b/Schemata/sarif-schema-2.1.0.json). -If you're using {% data variables.product.prodname_actions %} with the {% data variables.code-scanning.codeql_workflow %} or using the {% data variables.product.prodname_codeql_cli %}, then the {% data variables.product.prodname_code_scanning %} results will automatically use the supported subset of SARIF 2.1.0. For more information, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning)" or "[AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/using-code-scanning-with-your-existing-ci-system)." +If you're using {% data variables.product.prodname_actions %} with the {% data variables.code-scanning.codeql_workflow %} or using the {% data variables.product.prodname_codeql_cli %}, then the {% data variables.product.prodname_code_scanning %} results will automatically use the supported subset of SARIF 2.1.0. For more information, see [AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning) or [AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/using-code-scanning-with-your-existing-ci-system). -{% data variables.product.prodname_dotcom %} uses properties in the SARIF file to display alerts. For example, the `shortDescription` and `fullDescription` appear at the top of a {% data variables.product.prodname_code_scanning %} alert. The `location` allows {% data variables.product.prodname_dotcom %} to show annotations in your code file. For more information, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/about-code-scanning-alerts)." +{% data variables.product.prodname_dotcom %} uses properties in the SARIF file to display alerts. For example, the `shortDescription` and `fullDescription` appear at the top of a {% data variables.product.prodname_code_scanning %} alert. The `location` allows {% data variables.product.prodname_dotcom %} to show annotations in your code file. For more information, see [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/about-code-scanning-alerts). If you're new to SARIF and want to learn more, see Microsoft's [`SARIF tutorials`](https://github.com/microsoft/sarif-tutorials) repository. @@ -43,11 +43,11 @@ The filepath has to be consistent across the runs to enable a computation of a s ### Including data for fingerprint generation -{% data variables.product.prodname_dotcom %} uses the `partialFingerprints` property in the OASIS standard to detect when two results are logically identical. For more information, see the "[partialFingerprints property](https://docs.oasis-open.org/sarif/sarif/v2.1.0/cs01/sarif-v2.1.0-cs01.html#_Toc16012611)" entry in the OASIS documentation. +{% data variables.product.prodname_dotcom %} uses the `partialFingerprints` property in the OASIS standard to detect when two results are logically identical. For more information, see the [partialFingerprints property](https://docs.oasis-open.org/sarif/sarif/v2.1.0/cs01/sarif-v2.1.0-cs01.html#_Toc16012611) entry in the OASIS documentation. -SARIF files created by the {% data variables.code-scanning.codeql_workflow %}, or using the {% data variables.product.prodname_codeql_cli %} include fingerprint data. If you upload a SARIF file using the `upload-sarif` action and this data is missing, {% data variables.product.prodname_dotcom %} attempts to populate the `partialFingerprints` field from the source files. For more information about uploading results, see "[AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github)." +SARIF files created by the {% data variables.code-scanning.codeql_workflow %}, or using the {% data variables.product.prodname_codeql_cli %} include fingerprint data. If you upload a SARIF file using the `upload-sarif` action and this data is missing, {% data variables.product.prodname_dotcom %} attempts to populate the `partialFingerprints` field from the source files. For more information about uploading results, see [AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github). -If you upload a SARIF file without fingerprint data using the `/code-scanning/sarifs` API endpoint, the {% data variables.product.prodname_code_scanning %} alerts will be processed and displayed, but users may see duplicate alerts. To avoid seeing duplicate alerts, you should calculate fingerprint data and populate the `partialFingerprints` property before you upload the SARIF file. You may find the script that the `upload-sarif` action uses a helpful starting point: https://github.com/github/codeql-action/blob/main/src/fingerprints.ts. For more information about the API, see "[AUTOTITLE](/rest/code-scanning/code-scanning#upload-an-analysis-as-sarif-data)." +If you upload a SARIF file without fingerprint data using the `/code-scanning/sarifs` API endpoint, the {% data variables.product.prodname_code_scanning %} alerts will be processed and displayed, but users may see duplicate alerts. To avoid seeing duplicate alerts, you should calculate fingerprint data and populate the `partialFingerprints` property before you upload the SARIF file. You may find the script that the `upload-sarif` action uses a helpful starting point: https://github.com/github/codeql-action/blob/main/src/fingerprints.ts. For more information about the API, see [AUTOTITLE](/rest/code-scanning/code-scanning#upload-an-analysis-as-sarif-data). ## Understanding rules and results @@ -72,7 +72,7 @@ For display in a pull request check, an alert must meet all the following condit * All the lines of code identified by the alert exist in the pull request diff, including the first line of the alert. * The alert must exist in the lines of code added or edited in the pull request, not lines that were deleted. -The `physicalLocation` object in a submitted SARIF file identifies the lines of code for an alert. For more information, see "[`physicalLocation` object](#physicallocation-object)." +The `physicalLocation` object in a submitted SARIF file identifies the lines of code for an alert. For more information, see [`physicalLocation` object](#physicallocation-object). ### Specifying the root for source files @@ -81,7 +81,7 @@ The `physicalLocation` object in a submitted SARIF file identifies the lines of You can provide the source root for conversion from absolute to relative URIs in one of the following ways. * [`checkout_path`](https://github.com/github/codeql-action/blob/c2c0a2908e95769d01b907f9930050ecb5cf050d/analyze/action.yml#L44-L47) input to the `github/codeql-action/analyze` action -* `checkout_uri` parameter to the SARIF upload API endpoint. For more information, see "[AUTOTITLE](/rest/code-scanning/code-scanning#upload-an-analysis-as-sarif-data)." +* `checkout_uri` parameter to the SARIF upload API endpoint. For more information, see [AUTOTITLE](/rest/code-scanning/code-scanning#upload-an-analysis-as-sarif-data). * [`invocations[0].workingDirectory.uri`](https://docs.oasis-open.org/sarif/sarif/v2.1.0/csprd01/sarif-v2.1.0-csprd01.html#_Toc9244365) property in the `run` object in the SARIF file If you provide a source root, any location of an artifact specified using an absolute URI must use the same URI scheme. If there is a mismatch between the URI scheme for the source root and one or more of the absolute URIs, the upload is rejected. @@ -107,21 +107,21 @@ If the relative URI for a result is matched against a file defined using a symli You can check a SARIF file is compatible with {% data variables.product.prodname_code_scanning %} by testing it against the {% data variables.product.prodname_dotcom %} ingestion rules. For more information, visit the [Microsoft SARIF validator](https://sarifweb.azurewebsites.net/). -For each gzip-compressed SARIF file, SARIF upload supports a maximum size of 10 MB. Any uploads over this limit will be rejected. If your SARIF file is too large because it contains too many results, you should update the configuration to focus on results for the most important rules or queries. For more information, see "[AUTOTITLE](/code-security/code-scanning/troubleshooting-sarif-uploads/file-too-large)." +For each gzip-compressed SARIF file, SARIF upload supports a maximum size of 10 MB. Any uploads over this limit will be rejected. If your SARIF file is too large because it contains too many results, you should update the configuration to focus on results for the most important rules or queries. For more information, see [AUTOTITLE](/code-security/code-scanning/troubleshooting-sarif-uploads/file-too-large). -{% data variables.product.prodname_code_scanning_caps %} supports uploading a maximum number of entries for the data objects in the following table. If any of these objects exceeds its maximum value the SARIF file is rejected. For some objects, there is also an additional limit on the number of values that will be displayed. Whenever possible the most important values are shown. To get the most out of your analysis when it includes data above the supported limits, try to optimize the analysis configuration (for example, for the {% data variables.product.prodname_codeql %} tool, identify and disable the most noisy queries). For more information, see "[AUTOTITLE](/code-security/code-scanning/troubleshooting-sarif-uploads/results-exceed-limit)." +{% data variables.product.prodname_code_scanning_caps %} supports uploading a maximum number of entries for the data objects in the following table. If any of these objects exceeds its maximum value the SARIF file is rejected. For some objects, there is also an additional limit on the number of values that will be displayed. Whenever possible the most important values are shown. To get the most out of your analysis when it includes data above the supported limits, try to optimize the analysis configuration (for example, for the {% data variables.product.prodname_codeql %} tool, identify and disable the most noisy queries). For more information, see [AUTOTITLE](/code-security/code-scanning/troubleshooting-sarif-uploads/results-exceed-limit). {% data reusables.code-scanning.sarif-limits %} -For information about other errors, see "[AUTOTITLE](/code-security/code-scanning/troubleshooting-sarif-uploads)" +For information about other errors, see [AUTOTITLE](/code-security/code-scanning/troubleshooting-sarif-uploads) ## Uploading more than one SARIF file for a commit You can upload multiple SARIF files for the same commit, and display the data from each file as {% data variables.product.prodname_code_scanning %} results. When you upload multiple SARIF files for a commit, you must indicate a "category" for each analysis. The way to specify a category varies according to the analysis method: -* Using the {% data variables.product.prodname_codeql_cli %} directly, pass the `--sarif-category` argument to the `codeql database analyze` command when you generate SARIF files. For more information, see "[AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/about-the-codeql-cli#about-generating-code-scanning-results-with-the-codeql-cli)." +* Using the {% data variables.product.prodname_codeql_cli %} directly, pass the `--sarif-category` argument to the `codeql database analyze` command when you generate SARIF files. For more information, see [AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/about-the-codeql-cli#about-generating-code-scanning-results-with-the-codeql-cli). * Using {% data variables.product.prodname_actions %} with `codeql-action/analyze`, the category is set automatically from the workflow name and any matrix variables (typically, `language`). You can override this by specifying a `category` input for the action, which is useful when you analyze different sections of a monorepo in a single workflow. -* Using {% data variables.product.prodname_actions %} to upload results from other static analysis tools, then you must specify a `category` input if you upload more than one file of results for the same tool in one workflow. For more information, see "[AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github#uploading-a-code-scanning-analysis-with-github-actions)." -* If you are not using either of these approaches, you must specify a unique `runAutomationDetails.id` in each SARIF file to upload. For more information about this property, see "[`runAutomationDetails` object](#runautomationdetails-object)." +* Using {% data variables.product.prodname_actions %} to upload results from other static analysis tools, then you must specify a `category` input if you upload more than one file of results for the same tool in one workflow. For more information, see [AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github#uploading-a-code-scanning-analysis-with-github-actions). +* If you are not using either of these approaches, you must specify a unique `runAutomationDetails.id` in each SARIF file to upload. For more information about this property, see [`runAutomationDetails` object](#runautomationdetails-object). If you upload a second SARIF file for a commit with the same category and from the same tool, the earlier results are overwritten. However, if you try to upload multiple SARIF files for the same tool and category in a single {% data variables.product.prodname_actions %} workflow run, the misconfiguration is detected and the run will fail. @@ -150,7 +150,7 @@ Any valid SARIF 2.1.0 output file can be uploaded, however, {% data variables.pr |----|----|----| | `tool.driver` | {% octicon "check" aria-label="Required" %} | A `toolComponent` object that describes the analysis tool. For more information, see the [`toolComponent` object](#toolcomponent-object). | | `tool.extensions[]` | {% octicon "x" aria-label="Optional" %} | An array of `toolComponent` objects that represent any plugins or extensions used by the tool during analysis. For more information, see the [`toolComponent` object](#toolcomponent-object). | -| `invocation.workingDirectory.uri` | {% octicon "x" aria-label="Optional" %} | This field is used only when `checkout_uri` (SARIF upload API only) or `checkout_path` ({% data variables.product.prodname_actions %} only) are not provided. The value is used to convert absolute URIs used in [`physicalLocation` objects](#physicallocation-object) to relative URIs. For more information, see "[Specifying the root for source files](#specifying-the-root-for-source-files)."| +| `invocation.workingDirectory.uri` | {% octicon "x" aria-label="Optional" %} | This field is used only when `checkout_uri` (SARIF upload API only) or `checkout_path` ({% data variables.product.prodname_actions %} only) are not provided. The value is used to convert absolute URIs used in [`physicalLocation` objects](#physicallocation-object) to relative URIs. For more information, see [Specifying the root for source files](#specifying-the-root-for-source-files).| | `results[]` | {% octicon "check" aria-label="Required" %} | The results of the analysis tool. {% data variables.product.prodname_code_scanning_caps %} displays the results on {% data variables.product.prodname_dotcom %}. For more information, see the [`result` object](#result-object). ### `toolComponent` object @@ -159,12 +159,12 @@ Any valid SARIF 2.1.0 output file can be uploaded, however, {% data variables.pr |----|----|----| | `name` | {% octicon "check" aria-label="Required" %} | The name of the analysis tool. {% data variables.product.prodname_code_scanning_caps %} displays the name on {% data variables.product.prodname_dotcom %} to allow you to filter results by tool. | | `version` | {% octicon "x" aria-label="Optional" %} | The version of the analysis tool. {% data variables.product.prodname_code_scanning_caps %} uses the version number to track when results may have changed due to a tool version change rather than a change in the code being analyzed. If the SARIF file includes the `semanticVersion` field, `version` is not used by {% data variables.product.prodname_code_scanning %}. | -| `semanticVersion` | {% octicon "x" aria-label="Optional" %} | The version of the analysis tool, specified by the Semantic Versioning 2.0 format. {% data variables.product.prodname_code_scanning_caps %} uses the version number to track when results may have changed due to a tool version change rather than a change in the code being analyzed. If the SARIF file includes the `semanticVersion` field, `version` is not used by {% data variables.product.prodname_code_scanning %}. For more information, see "[Semantic Versioning 2.0.0](https://semver.org/)" in the Semantic Versioning documentation. | +| `semanticVersion` | {% octicon "x" aria-label="Optional" %} | The version of the analysis tool, specified by the Semantic Versioning 2.0 format. {% data variables.product.prodname_code_scanning_caps %} uses the version number to track when results may have changed due to a tool version change rather than a change in the code being analyzed. If the SARIF file includes the `semanticVersion` field, `version` is not used by {% data variables.product.prodname_code_scanning %}. For more information, see [Semantic Versioning 2.0.0](https://semver.org/) in the Semantic Versioning documentation. | | `rules[]` | {% octicon "check" aria-label="Required" %} | An array of `reportingDescriptor` objects that represent rules. The analysis tool uses rules to find problems in the code being analyzed. For more information, see the [`reportingDescriptor` object](#reportingdescriptor-object). | ### `reportingDescriptor` object -This is where you store details of the rules that are run during analysis. Information in these objects should change infrequently, typically when you update the tool. For more information, see "[Understanding rules and results](#understanding-rules-and-results)" above. +This is where you store details of the rules that are run during analysis. Information in these objects should change infrequently, typically when you update the tool. For more information, see [Understanding rules and results](#understanding-rules-and-results) above. | Name | Required | Description | |----|----|----| @@ -182,7 +182,7 @@ This is where you store details of the rules that are run during analysis. Infor ### `result` object -Each `result` object contains details for one alert in the codebase. Within the `results` object, you can reference the rule that detected the alert. For more information, see "[Understanding rules and results](#understanding-rules-and-results)" above. +Each `result` object contains details for one alert in the codebase. Within the `results` object, you can reference the rule that detected the alert. For more information, see [Understanding rules and results](#understanding-rules-and-results) above. {% data reusables.code-scanning.upload-sarif-alert-limit %} @@ -194,7 +194,7 @@ Each `result` object contains details for one alert in the codebase. Within the | `level`| {% octicon "x" aria-label="Optional" %} | The severity of the result. This level overrides the default severity defined by the rule. {% data variables.product.prodname_code_scanning_caps %} uses the level to filter results by severity on {% data variables.product.prodname_dotcom %}. | `message.text`| {% octicon "check" aria-label="Required" %} | A message that describes the result. {% data variables.product.prodname_code_scanning_caps %} displays the message text as the title of the result. Only the first sentence of the message will be displayed when visible space is limited. | `locations[]`| {% octicon "check" aria-label="Required" %} | The set of locations where the result was detected up to a maximum of 10. Only one location should be included unless the problem can only be corrected by making a change at every specified location. **Note:** At least one location is required for {% data variables.product.prodname_code_scanning %} to display a result. {% data variables.product.prodname_code_scanning_caps %} will use this property to decide which file to annotate with the result. Only the first value of this array is used. All other values are ignored. -| `partialFingerprints`| {% octicon "check" aria-label="Required" %} | A set of strings used to track the unique identity of the result. {% data variables.product.prodname_code_scanning_caps %} uses `partialFingerprints` to accurately identify which results are the same across commits and branches. {% data variables.product.prodname_code_scanning_caps %} will attempt to use `partialFingerprints` if they exist. If you are uploading third-party SARIF files with the `upload-action`, the action will create `partialFingerprints` for you when they are not included in the SARIF file. For more information, see "[Providing data to track code scanning alerts across runs](#providing-data-to-track-code-scanning-alerts-across-runs)." **Note:** {% data variables.product.prodname_code_scanning_caps %} only uses the `primaryLocationLineHash`. +| `partialFingerprints`| {% octicon "check" aria-label="Required" %} | A set of strings used to track the unique identity of the result. {% data variables.product.prodname_code_scanning_caps %} uses `partialFingerprints` to accurately identify which results are the same across commits and branches. {% data variables.product.prodname_code_scanning_caps %} will attempt to use `partialFingerprints` if they exist. If you are uploading third-party SARIF files with the `upload-action`, the action will create `partialFingerprints` for you when they are not included in the SARIF file. For more information, see [Providing data to track code scanning alerts across runs](#providing-data-to-track-code-scanning-alerts-across-runs). **Note:** {% data variables.product.prodname_code_scanning_caps %} only uses the `primaryLocationLineHash`. | `codeFlows[].threadFlows[].locations[]`| {% octicon "x" aria-label="Optional" %} | An array of `location` objects for a `threadFlow` object, which describes the progress of a program through a thread of execution. A `codeFlow` object describes a pattern of code execution used to detect a result. If code flows are provided, {% data variables.product.prodname_code_scanning %} will expand code flows on {% data variables.product.prodname_dotcom %} for the relevant result. For more information, see the [`location` object](#location-object). | `relatedLocations[]`| {% octicon "x" aria-label="Optional" %} | A set of locations relevant to this result. {% data variables.product.prodname_code_scanning_caps %} will link to related locations when they are embedded in the result message. For more information, see the [`location` object](#location-object). @@ -212,7 +212,7 @@ A location within a programming artifact, such as a file in the repository or a | Name | Required | Description | |----|----|----| -| `artifactLocation.uri`| {% octicon "check" aria-label="Required" %} | A URI indicating the location of an artifact, usually a file either in the repository or generated during a build. For the best results we recommend that this is a relative path from the root of the GitHub repository being analyzed. For example, `src/main.js`. For more information about artifact URIs, see "[Specifying the root for source files](#specifying-the-root-for-source-files)."| +| `artifactLocation.uri`| {% octicon "check" aria-label="Required" %} | A URI indicating the location of an artifact, usually a file either in the repository or generated during a build. For the best results we recommend that this is a relative path from the root of the GitHub repository being analyzed. For example, `src/main.js`. For more information about artifact URIs, see [Specifying the root for source files](#specifying-the-root-for-source-files).| | `region.startLine` | {% octicon "check" aria-label="Required" %} | The line number of the first character in the region. | `region.startColumn` | {% octicon "check" aria-label="Required" %} | The column number of the first character in the region. | `region.endLine` | {% octicon "check" aria-label="Required" %} | The line number of the last character in the region. diff --git a/content/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github.md b/content/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github.md index efe91bf96d1d..0057183bec3b 100644 --- a/content/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github.md +++ b/content/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github.md @@ -29,27 +29,27 @@ topics: ## About SARIF file uploads for {% data variables.product.prodname_code_scanning %} -{% data variables.product.prodname_dotcom %} creates {% data variables.product.prodname_code_scanning %} alerts in a repository using information from Static Analysis Results Interchange Format (SARIF) files. SARIF files can be uploaded to a repository using the API or {% data variables.product.prodname_actions %}. For more information, see "[AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/using-code-scanning-with-your-existing-ci-system)." +{% data variables.product.prodname_dotcom %} creates {% data variables.product.prodname_code_scanning %} alerts in a repository using information from Static Analysis Results Interchange Format (SARIF) files. SARIF files can be uploaded to a repository using the API or {% data variables.product.prodname_actions %}. For more information, see [AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/using-code-scanning-with-your-existing-ci-system). -You can generate SARIF files using many static analysis security testing tools, including {% data variables.product.prodname_codeql %}. The results must use SARIF version 2.1.0. For more information, see "[AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning)." +You can generate SARIF files using many static analysis security testing tools, including {% data variables.product.prodname_codeql %}. The results must use SARIF version 2.1.0. For more information, see [AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning). You can upload the results using {% data variables.product.prodname_actions %}, the {% data variables.product.prodname_code_scanning %} API, or the {% data variables.product.prodname_codeql_cli %}. The best upload method will depend on how you generate the SARIF file, for example, if you use: * {% data variables.product.prodname_actions %} to run the {% data variables.product.prodname_codeql %} action, there is no further action required. The {% data variables.product.prodname_codeql %} action uploads the SARIF file automatically when it completes analysis. * {% data variables.product.prodname_actions %} to run a SARIF-compatible analysis tool, you could update the workflow to include a final step that uploads the results (see below). -* The {% data variables.product.prodname_codeql_cli %} to run {% data variables.product.prodname_code_scanning %} in your CI system, you can use the CLI to upload results to {% data variables.product.prodname_dotcom %} (for more information, see "[AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/using-code-scanning-with-your-existing-ci-system)"). -* A tool that generates results as an artifact outside of your repository, you can use the {% data variables.product.prodname_code_scanning %} API to upload the file (for more information, see "[AUTOTITLE](/rest/code-scanning/code-scanning#upload-an-analysis-as-sarif-data)"). +* The {% data variables.product.prodname_codeql_cli %} to run {% data variables.product.prodname_code_scanning %} in your CI system, you can use the CLI to upload results to {% data variables.product.prodname_dotcom %} (for more information, see [AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/using-code-scanning-with-your-existing-ci-system)). +* A tool that generates results as an artifact outside of your repository, you can use the {% data variables.product.prodname_code_scanning %} API to upload the file (for more information, see [AUTOTITLE](/rest/code-scanning/code-scanning#upload-an-analysis-as-sarif-data)). {% ifversion fpt or ghec %} > [!NOTE] -> For private and internal repositories, {% data variables.product.prodname_code_scanning %} is available when {% data variables.product.prodname_GH_advanced_security %} features are enabled for the repository. If you see the error `Advanced Security must be enabled for this repository to use code scanning`, check that {% data variables.product.prodname_GH_advanced_security %} is enabled. For more information, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository)." +> For private and internal repositories, {% data variables.product.prodname_code_scanning %} is available when {% data variables.product.prodname_GH_advanced_security %} features are enabled for the repository. If you see the error `Advanced Security must be enabled for this repository to use code scanning`, check that {% data variables.product.prodname_GH_advanced_security %} is enabled. For more information, see [AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository). {% endif %} ## Uploading a {% data variables.product.prodname_code_scanning %} analysis with {% data variables.product.prodname_actions %} -To use {% data variables.product.prodname_actions %} to upload a third-party SARIF file to a repository, you'll need a workflow. For more information, see "[AUTOTITLE](/actions/learn-github-actions)." +To use {% data variables.product.prodname_actions %} to upload a third-party SARIF file to a repository, you'll need a workflow. For more information, see [AUTOTITLE](/actions/learn-github-actions). Your workflow will need to use the `upload-sarif` action, which is part of the `github/codeql-action` repository. It has input parameters that you can use to configure the upload. The main input parameters you'll use are: @@ -58,9 +58,9 @@ Your workflow will need to use the `upload-sarif` action, which is part of the ` For more information, see the {% ifversion codeql-action-node16-deprecated %}[`upload-sarif` action](https://github.com/github/codeql-action/tree/v3/upload-sarif){% else %}[`upload-sarif` action](https://github.com/github/codeql-action/tree/v2/upload-sarif){% endif %}. -The `upload-sarif` action can be configured to run when the `push` and `scheduled` event occur. For more information about {% data variables.product.prodname_actions %} events, see "[AUTOTITLE](/actions/using-workflows/events-that-trigger-workflows)." +The `upload-sarif` action can be configured to run when the `push` and `scheduled` event occur. For more information about {% data variables.product.prodname_actions %} events, see [AUTOTITLE](/actions/using-workflows/events-that-trigger-workflows). -If your SARIF file doesn't include `partialFingerprints`, the `upload-sarif` action will calculate the `partialFingerprints` field for you and attempt to prevent duplicate alerts. {% data variables.product.prodname_dotcom %} can only create `partialFingerprints` when the repository contains both the SARIF file and the source code used in the static analysis. For more information about preventing duplicate alerts, see "[AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning#providing-data-to-track-code-scanning-alerts-across-runs)." +If your SARIF file doesn't include `partialFingerprints`, the `upload-sarif` action will calculate the `partialFingerprints` field for you and attempt to prevent duplicate alerts. {% data variables.product.prodname_dotcom %} can only create `partialFingerprints` when the repository contains both the SARIF file and the source code used in the static analysis. For more information about preventing duplicate alerts, see [AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning#providing-data-to-track-code-scanning-alerts-across-runs). {% data reusables.code-scanning.upload-sarif-alert-limit %} @@ -68,11 +68,11 @@ If your SARIF file doesn't include `partialFingerprints`, the `upload-sarif` act You can create a new workflow that uploads SARIF files after you commit them to your repository. This is useful when the SARIF file is generated as an artifact outside of your repository. -This example workflow runs anytime commits are pushed to the repository. The action uses the `partialFingerprints` property to determine if changes have occurred. In addition to running when commits are pushed, the workflow is scheduled to run once per week. For more information, see "[AUTOTITLE](/actions/using-workflows/events-that-trigger-workflows)." +This example workflow runs anytime commits are pushed to the repository. The action uses the `partialFingerprints` property to determine if changes have occurred. In addition to running when commits are pushed, the workflow is scheduled to run once per week. For more information, see [AUTOTITLE](/actions/using-workflows/events-that-trigger-workflows). -This workflow uploads the `results.sarif` file located in the root of the repository. For more information about creating a workflow file, see "[AUTOTITLE](/actions/learn-github-actions)." +This workflow uploads the `results.sarif` file located in the root of the repository. For more information about creating a workflow file, see [AUTOTITLE](/actions/learn-github-actions). -Alternatively, you could modify this workflow to upload a directory of SARIF files. For example, you could place all SARIF files in a directory in the root of your repository called `sarif-output` and set the action's input parameter `sarif_file` to `sarif-output`. Note that if you upload a directory, each SARIF file must include a unique `runAutomationDetails.id` to define the category for the results. For more information, see "[AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning#runautomationdetails-object)." +Alternatively, you could modify this workflow to upload a directory of SARIF files. For example, you could place all SARIF files in a directory in the root of your repository called `sarif-output` and set the action's input parameter `sarif_file` to `sarif-output`. Note that if you upload a directory, each SARIF file must include a unique `runAutomationDetails.id` to define the category for the results. For more information, see [AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning#runautomationdetails-object). ```yaml name: "Upload SARIF" @@ -109,11 +109,11 @@ jobs: ### Example workflow that runs the ESLint analysis tool -If you generate your third-party SARIF file as part of a continuous integration (CI) workflow, you can add the `upload-sarif` action as a step after running your CI tests. If you don't already have a CI workflow, you can create one using a {% data variables.product.prodname_actions %} template. For more information, see the "[AUTOTITLE](/actions/quickstart)." +If you generate your third-party SARIF file as part of a continuous integration (CI) workflow, you can add the `upload-sarif` action as a step after running your CI tests. If you don't already have a CI workflow, you can create one using a {% data variables.product.prodname_actions %} template. For more information, see the [AUTOTITLE](/actions/quickstart). -This example workflow runs anytime commits are pushed to the repository. The action uses the `partialFingerprints` property to determine if changes have occurred. In addition to running when commits are pushed, the workflow is scheduled to run once per week. For more information, see "[AUTOTITLE](/actions/using-workflows/events-that-trigger-workflows)." +This example workflow runs anytime commits are pushed to the repository. The action uses the `partialFingerprints` property to determine if changes have occurred. In addition to running when commits are pushed, the workflow is scheduled to run once per week. For more information, see [AUTOTITLE](/actions/using-workflows/events-that-trigger-workflows). -The workflow shows an example of running the ESLint static analysis tool as a step in a workflow. The `Run ESLint` step runs the ESLint tool and outputs the `results.sarif` file. The workflow then uploads the `results.sarif` file to {% data variables.product.prodname_dotcom %} using the `upload-sarif` action. For more information about creating a workflow file, see "[AUTOTITLE](/actions/learn-github-actions/understanding-github-actions)." +The workflow shows an example of running the ESLint static analysis tool as a step in a workflow. The `Run ESLint` step runs the ESLint tool and outputs the `results.sarif` file. The workflow then uploads the `results.sarif` file to {% data variables.product.prodname_dotcom %} using the `upload-sarif` action. For more information about creating a workflow file, see [AUTOTITLE](/actions/learn-github-actions/understanding-github-actions). ```yaml name: "ESLint analysis" @@ -151,8 +151,8 @@ jobs: ## Further reading -* "[AUTOTITLE](/code-security/code-scanning/troubleshooting-sarif-uploads)" -* "[AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions)" -* "[AUTOTITLE](/actions/monitoring-and-troubleshooting-workflows/viewing-workflow-run-history)" -* "[AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/using-code-scanning-with-your-existing-ci-system)" -* "[AUTOTITLE](/rest/code-scanning/code-scanning#upload-an-analysis-as-sarif-data)" +* [AUTOTITLE](/code-security/code-scanning/troubleshooting-sarif-uploads) +* [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions) +* [AUTOTITLE](/actions/monitoring-and-troubleshooting-workflows/viewing-workflow-run-history) +* [AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/using-code-scanning-with-your-existing-ci-system) +* [AUTOTITLE](/rest/code-scanning/code-scanning#upload-an-analysis-as-sarif-data) diff --git a/content/code-security/code-scanning/integrating-with-code-scanning/using-code-scanning-with-your-existing-ci-system.md b/content/code-security/code-scanning/integrating-with-code-scanning/using-code-scanning-with-your-existing-ci-system.md index 79c8eceaed2d..a29f9a758162 100644 --- a/content/code-security/code-scanning/integrating-with-code-scanning/using-code-scanning-with-your-existing-ci-system.md +++ b/content/code-security/code-scanning/integrating-with-code-scanning/using-code-scanning-with-your-existing-ci-system.md @@ -29,9 +29,9 @@ topics: As an alternative to running {% data variables.product.prodname_code_scanning %} within {% data variables.product.prodname_dotcom %} using {% data variables.product.prodname_actions %}, you can analyze code in an external continuous integration or continuous delivery/deployment (CI/CD) system, then upload the results to {% data variables.product.product_name %}. -You can add the {% data variables.product.prodname_codeql_cli %} to your third-party system, or use another third-party static analysis tool that can produce results as Static Analysis Results Interchange Format (SARIF) 2.1.0 data. For more information about the supported SARIF format, see "[AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning)." +You can add the {% data variables.product.prodname_codeql_cli %} to your third-party system, or use another third-party static analysis tool that can produce results as Static Analysis Results Interchange Format (SARIF) 2.1.0 data. For more information about the supported SARIF format, see [AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning). -The {% data variables.product.prodname_codeql_cli %} is a standalone, command-line tool that you can use to analyze code. For more information, see "[AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/about-the-codeql-cli)." +The {% data variables.product.prodname_codeql_cli %} is a standalone, command-line tool that you can use to analyze code. For more information, see [AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/about-the-codeql-cli). Alerts for {% data variables.product.prodname_code_scanning %} that you generate externally are displayed in the same way as those for {% data variables.product.prodname_code_scanning %} that you generate within {% data variables.product.prodname_dotcom %}. {% data reusables.code-scanning.about-multiple-configurations-link %} @@ -41,7 +41,7 @@ Alerts for {% data variables.product.prodname_code_scanning %} that you generate You will first need to download your analysis tool of choice and set it up with your CI system. -If you are using the {% data variables.product.prodname_codeql_cli %}, you need to make the full contents of the {% data variables.product.prodname_codeql_cli %} bundle available to every CI server that you want to run {% data variables.product.prodname_codeql %} {% data variables.product.prodname_code_scanning %} analysis on. For more information, see "[AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/setting-up-the-codeql-cli)." +If you are using the {% data variables.product.prodname_codeql_cli %}, you need to make the full contents of the {% data variables.product.prodname_codeql_cli %} bundle available to every CI server that you want to run {% data variables.product.prodname_codeql %} {% data variables.product.prodname_code_scanning %} analysis on. For more information, see [AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/setting-up-the-codeql-cli). Once you've made your analysis tool available to servers in your CI system, you're ready to generate data. @@ -51,18 +51,18 @@ To analyze code with the {% data variables.product.prodname_codeql_cli %} or ano You can then complete the steps to analyze your codebase and produce results, which will differ based on the static analysis tool you are using. -If you are using the {% data variables.product.prodname_codeql_cli %}, you will first need to create a {% data variables.product.prodname_codeql %} database from your code, then analyze the database to produce SARIF results. For more information, see "[AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/preparing-your-code-for-codeql-analysis)" and "[AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/analyzing-your-code-with-codeql-queries)." +If you are using the {% data variables.product.prodname_codeql_cli %}, you will first need to create a {% data variables.product.prodname_codeql %} database from your code, then analyze the database to produce SARIF results. For more information, see [AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/preparing-your-code-for-codeql-analysis) and [AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/analyzing-your-code-with-codeql-queries). ## Generating a token for authentication with {% data variables.product.product_name %} -Each CI server needs a {% data variables.product.prodname_github_app %} or {% data variables.product.pat_generic %} to use to upload results to {% data variables.product.product_name %}, whether you are using the {% data variables.product.prodname_codeql_cli %}, the REST API, or another method. You must use an access token or a {% data variables.product.prodname_github_app %} with the `security_events` write permission. If CI servers already use a token with this scope to checkout repositories from {% data variables.product.product_name %}, you could potentially use the same token. Otherwise, you should create a new token with the `security_events` write permission and add this to the CI system's secret store. For information, see "[AUTOTITLE](/apps/creating-github-apps/about-creating-github-apps/about-creating-github-apps)" and "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token)." +Each CI server needs a {% data variables.product.prodname_github_app %} or {% data variables.product.pat_generic %} to use to upload results to {% data variables.product.product_name %}, whether you are using the {% data variables.product.prodname_codeql_cli %}, the REST API, or another method. You must use an access token or a {% data variables.product.prodname_github_app %} with the `security_events` write permission. If CI servers already use a token with this scope to checkout repositories from {% data variables.product.product_name %}, you could potentially use the same token. Otherwise, you should create a new token with the `security_events` write permission and add this to the CI system's secret store. For information, see [AUTOTITLE](/apps/creating-github-apps/about-creating-github-apps/about-creating-github-apps) and [AUTOTITLE](/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token). -For more information on the different methods for uploading results to {% data variables.product.product_name %}, see "[AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github)." +For more information on the different methods for uploading results to {% data variables.product.product_name %}, see [AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github). ## Uploading your results to {% data variables.product.product_name %} -Once you have analyzed your code, produced SARIF results, and ensured you can authenticate with {% data variables.product.product_name %}, you can upload the results to {% data variables.product.product_name %}. For more information on the different methods you can use to upload your results, see "[AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github)." +Once you have analyzed your code, produced SARIF results, and ensured you can authenticate with {% data variables.product.product_name %}, you can upload the results to {% data variables.product.product_name %}. For more information on the different methods you can use to upload your results, see [AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github). -For specific details on uploading your results to {% data variables.product.product_name %} using the {% data variables.product.prodname_codeql_cli %}, see "[AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/uploading-codeql-analysis-results-to-github)." +For specific details on uploading your results to {% data variables.product.product_name %} using the {% data variables.product.prodname_codeql_cli %}, see [AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/uploading-codeql-analysis-results-to-github). -By default, {% data variables.product.prodname_code_scanning %} expects one SARIF results file per analysis for a repository. Consequently, when you upload a second SARIF results file for a commit, it is treated as a replacement for the original set of data. You may want to upload two different SARIF files for one analysis if, for example, your analysis tool generates a different SARIF file for each language it analyzes or each set of rules it uses. If you want to upload more than one set of results for a commit in a repository, you must identify each set of results as a unique set. The way to specify a category for a SARIF upload varies according to the analysis method. For more information, see "[AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning#uploading-more-than-one-sarif-file-for-a-commit)." +By default, {% data variables.product.prodname_code_scanning %} expects one SARIF results file per analysis for a repository. Consequently, when you upload a second SARIF results file for a commit, it is treated as a replacement for the original set of data. You may want to upload two different SARIF files for one analysis if, for example, your analysis tool generates a different SARIF file for each language it analyzes or each set of rules it uses. If you want to upload more than one set of results for a commit in a repository, you must identify each set of results as a unique set. The way to specify a category for a SARIF upload varies according to the analysis method. For more information, see [AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning#uploading-more-than-one-sarif-file-for-a-commit). diff --git a/content/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning-with-codeql.md b/content/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning-with-codeql.md index 7429d7b8c337..b69d87dfa50e 100644 --- a/content/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning-with-codeql.md +++ b/content/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning-with-codeql.md @@ -23,10 +23,10 @@ topics: There are three main ways to use {% data variables.product.prodname_codeql %} analysis for {% data variables.product.prodname_code_scanning %}: -* Use default setup to quickly configure {% data variables.product.prodname_codeql %} analysis for {% data variables.product.prodname_code_scanning %} on your repository. Default setup automatically chooses the languages to analyze, query suite to run, and events that trigger scans. If you prefer, you can manually select the query suite to run and languages to analyze. After you enable {% data variables.product.prodname_codeql %}, {% data variables.product.prodname_actions %} will execute workflow runs to scan your code. For more information, see "[AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning)." -* Use advanced setup to add the {% data variables.product.prodname_codeql %} workflow to your repository. This generates a customizable workflow file which uses the [github/codeql-action](https://github.com/github/codeql-action/) to run the {% data variables.product.prodname_codeql_cli %}. For more information, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning#configuring-advanced-setup-for-code-scanning-with-codeql)." +* Use default setup to quickly configure {% data variables.product.prodname_codeql %} analysis for {% data variables.product.prodname_code_scanning %} on your repository. Default setup automatically chooses the languages to analyze, query suite to run, and events that trigger scans. If you prefer, you can manually select the query suite to run and languages to analyze. After you enable {% data variables.product.prodname_codeql %}, {% data variables.product.prodname_actions %} will execute workflow runs to scan your code. For more information, see [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning). +* Use advanced setup to add the {% data variables.product.prodname_codeql %} workflow to your repository. This generates a customizable workflow file which uses the [github/codeql-action](https://github.com/github/codeql-action/) to run the {% data variables.product.prodname_codeql_cli %}. For more information, see [AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning#configuring-advanced-setup-for-code-scanning-with-codeql). -* Run the {% data variables.product.prodname_codeql_cli %} directly in an external CI system and upload the results to {% data variables.product.github %}. For more information, see "[AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/using-code-scanning-with-your-existing-ci-system)." +* Run the {% data variables.product.prodname_codeql_cli %} directly in an external CI system and upload the results to {% data variables.product.github %}. For more information, see [AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/using-code-scanning-with-your-existing-ci-system). {% ifversion ghes %} @@ -35,7 +35,7 @@ There are three main ways to use {% data variables.product.prodname_codeql %} an {% endif %} -For information about {% data variables.product.prodname_code_scanning %} alerts, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/about-code-scanning-alerts)." +For information about {% data variables.product.prodname_code_scanning %} alerts, see [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/about-code-scanning-alerts). ## About {% data variables.product.prodname_codeql %} @@ -53,17 +53,17 @@ For information about {% data variables.product.prodname_code_scanning %} alerts ## Modeling custom or niche frameworks -{% data variables.product.github %} experts, security researchers, and community contributors write libraries to model the flow of data in popular frameworks and libraries. If you use custom dependencies that aren't modeled, then you can use the {% data variables.product.prodname_codeql %} extension for {% data variables.product.prodname_vscode %} to create models for these dependencies and use them to extend your analysis. For more information, see "[AUTOTITLE](/code-security/codeql-for-vs-code/using-the-advanced-functionality-of-the-codeql-for-vs-code-extension/using-the-codeql-model-editor)." +{% data variables.product.github %} experts, security researchers, and community contributors write libraries to model the flow of data in popular frameworks and libraries. If you use custom dependencies that aren't modeled, then you can use the {% data variables.product.prodname_codeql %} extension for {% data variables.product.prodname_vscode %} to create models for these dependencies and use them to extend your analysis. For more information, see [AUTOTITLE](/code-security/codeql-for-vs-code/using-the-advanced-functionality-of-the-codeql-for-vs-code-extension/using-the-codeql-model-editor). {% endif %} ## {% data variables.product.prodname_codeql %} queries -{% data variables.product.github %} experts, security researchers, and community contributors write and maintain the default {% data variables.product.prodname_codeql %} queries used for {% data variables.product.prodname_code_scanning %}. The queries are regularly updated to improve analysis and reduce any false positive results.{% ifversion ghes %} For details of the queries available in the default and extended packs, see "[Queries included in the default and security-extended query suites](/code-security/code-scanning/managing-your-code-scanning-configuration/codeql-query-suites#queries-included-in-the-default-and-security-extended-query-suites)."{% endif %} +{% data variables.product.github %} experts, security researchers, and community contributors write and maintain the default {% data variables.product.prodname_codeql %} queries used for {% data variables.product.prodname_code_scanning %}. The queries are regularly updated to improve analysis and reduce any false positive results.{% ifversion ghes %} For details of the queries available in the default and extended packs, see [Queries included in the default and security-extended query suites](/code-security/code-scanning/managing-your-code-scanning-configuration/codeql-query-suites#queries-included-in-the-default-and-security-extended-query-suites).{% endif %} ### Writing your own queries -The queries are open source, so you can view and contribute to the queries in the [github/codeql](https://github.com/github/codeql) repository. For more information, see "[About {% data variables.product.prodname_codeql %} queries](https://codeql.github.com/docs/writing-codeql-queries/about-codeql-queries/)" in the {% data variables.product.prodname_codeql %} documentation. +The queries are open source, so you can view and contribute to the queries in the [github/codeql](https://github.com/github/codeql) repository. For more information, see [About {% data variables.product.prodname_codeql %} queries](https://codeql.github.com/docs/writing-codeql-queries/about-codeql-queries/) in the {% data variables.product.prodname_codeql %} documentation. ### Running additional queries @@ -73,6 +73,6 @@ These queries must belong to a published {% data variables.product.prodname_code * When a {% data variables.product.prodname_codeql %} query pack is published to the {% data variables.product.company_short %} {% data variables.product.prodname_container_registry %}, all the transitive dependencies required by the queries and a compilation cache are included in the package. This improves performance and ensures that running the queries in the pack gives identical results every time until you upgrade to a new version of the pack or the CLI. -* {% data variables.product.prodname_codeql %} query packs can be downloaded from multiple {% data variables.product.prodname_dotcom %} container registries. For more information, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#downloading-codeql-packs-from-github-enterprise-server)." +* {% data variables.product.prodname_codeql %} query packs can be downloaded from multiple {% data variables.product.prodname_dotcom %} container registries. For more information, see [AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#downloading-codeql-packs-from-github-enterprise-server). -For more information, see "[AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/customizing-analysis-with-codeql-packs)." +For more information, see [AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/customizing-analysis-with-codeql-packs). diff --git a/content/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning.md b/content/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning.md index 09457357f28e..b9a7f0d3593f 100644 --- a/content/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning.md +++ b/content/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning.md @@ -25,24 +25,24 @@ topics: You can use {% data variables.product.prodname_code_scanning %} to find, triage, and prioritize fixes for existing problems in your code. {% data variables.product.prodname_code_scanning_caps %} also prevents developers from introducing new problems. You can schedule scans for specific days and times, or trigger scans when a specific event occurs in the repository, such as a push. -If {% data variables.product.prodname_code_scanning %} finds a potential vulnerability or error in your code, {% data variables.product.prodname_dotcom %} displays an alert in the repository. After you fix the code that triggered the alert, {% data variables.product.prodname_dotcom %} closes the alert. For more information, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/resolving-code-scanning-alerts)." +If {% data variables.product.prodname_code_scanning %} finds a potential vulnerability or error in your code, {% data variables.product.prodname_dotcom %} displays an alert in the repository. After you fix the code that triggered the alert, {% data variables.product.prodname_dotcom %} closes the alert. For more information, see [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/resolving-code-scanning-alerts). {% ifversion code-scanning-autofix %} -{% data variables.product.prodname_copilot_autofix %} will suggest fixes for alerts from {% data variables.product.prodname_code_scanning %} analysis in private repositories, allowing developers to prevent and reduce vulnerabilities with less effort. For more information, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/responsible-use-autofix-code-scanning)." +{% data variables.product.prodname_copilot_autofix %} will suggest fixes for alerts from {% data variables.product.prodname_code_scanning %} analysis in private repositories, allowing developers to prevent and reduce vulnerabilities with less effort. For more information, see [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/responsible-use-autofix-code-scanning). {% endif %} To monitor results from {% data variables.product.prodname_code_scanning %} across your repositories or your organization, you can use webhooks and the {% data variables.product.prodname_code_scanning %} API. For information about the webhooks for {% data variables.product.prodname_code_scanning %}, see -"[AUTOTITLE](/webhooks-and-events/webhooks/webhook-events-and-payloads#code_scanning_alert)." For information about API endpoints, see "[AUTOTITLE](/rest/code-scanning)." +[AUTOTITLE](/webhooks-and-events/webhooks/webhook-events-and-payloads#code_scanning_alert). For information about API endpoints, see [AUTOTITLE](/rest/code-scanning). -To get started with {% data variables.product.prodname_code_scanning %}, see "[AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning)." +To get started with {% data variables.product.prodname_code_scanning %}, see [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning). {% ifversion fpt or ghec %} ## About billing for {% data variables.product.prodname_code_scanning %} -{% data variables.product.prodname_code_scanning_caps %} uses {% data variables.product.prodname_actions %}, and each run of a {% data variables.product.prodname_code_scanning %} workflow consumes minutes for {% data variables.product.prodname_actions %}. For more information, see "[AUTOTITLE](/billing/managing-billing-for-github-actions/about-billing-for-github-actions)." +{% data variables.product.prodname_code_scanning_caps %} uses {% data variables.product.prodname_actions %}, and each run of a {% data variables.product.prodname_code_scanning %} workflow consumes minutes for {% data variables.product.prodname_actions %}. For more information, see [AUTOTITLE](/billing/managing-billing-for-github-actions/about-billing-for-github-actions). To use {% data variables.product.prodname_code_scanning %} on a private repository, you will also need a license for {% data variables.product.prodname_GH_advanced_security %}. {% data reusables.advanced-security.ghas-trial %} @@ -54,14 +54,14 @@ You can configure {% data variables.product.prodname_code_scanning %} to use the ### About {% data variables.product.prodname_codeql %} analysis -{% data reusables.code-scanning.about-codeql-analysis %} For more information about {% data variables.product.prodname_codeql %}, see "[AUTOTITLE](/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning-with-codeql)." +{% data reusables.code-scanning.about-codeql-analysis %} For more information about {% data variables.product.prodname_codeql %}, see [AUTOTITLE](/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning-with-codeql). ### About third-party {% data variables.product.prodname_code_scanning %} tools {% data reusables.code-scanning.interoperable-with-tools-that-output-sarif %} -You can run third-party analysis tools within {% data variables.product.product_name %} using actions or within an external CI system. For more information, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning#configuring-code-scanning-using-third-party-actions)" or "[AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github)." +You can run third-party analysis tools within {% data variables.product.product_name %} using actions or within an external CI system. For more information, see [AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning#configuring-code-scanning-using-third-party-actions) or [AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github). ## About the {% data variables.code-scanning.tool_status_page %} -The {% data variables.code-scanning.tool_status_page %} shows useful information about all of your code scanning tools. If code scanning is not working as you'd expect, the {% data variables.code-scanning.tool_status_page %} is a good starting point for debugging problems. For more information, see "[AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/about-the-tool-status-page)". +The {% data variables.code-scanning.tool_status_page %} shows useful information about all of your code scanning tools. If code scanning is not working as you'd expect, the {% data variables.code-scanning.tool_status_page %} is a good starting point for debugging problems. For more information, see [AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/about-the-tool-status-page). diff --git a/content/code-security/code-scanning/managing-code-scanning-alerts/about-code-scanning-alerts.md b/content/code-security/code-scanning/managing-code-scanning-alerts/about-code-scanning-alerts.md index 1707d3ece86c..140e60d43a13 100644 --- a/content/code-security/code-scanning/managing-code-scanning-alerts/about-code-scanning-alerts.md +++ b/content/code-security/code-scanning/managing-code-scanning-alerts/about-code-scanning-alerts.md @@ -20,25 +20,25 @@ topics: ## About alerts from {% data variables.product.prodname_code_scanning %} -You can configure {% data variables.product.prodname_code_scanning %} to check the code in a repository using the default {% data variables.product.prodname_codeql %} analysis, a third-party analysis, or multiple types of analysis. When the analysis is complete, the resulting alerts are displayed alongside each other in the security view of the repository. Results from third-party tools or from custom queries may not include all of the properties that you see for alerts detected by {% data variables.product.company_short %}'s default {% data variables.product.prodname_codeql %} analysis. For more information, see "[AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning)" and "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning)." +You can configure {% data variables.product.prodname_code_scanning %} to check the code in a repository using the default {% data variables.product.prodname_codeql %} analysis, a third-party analysis, or multiple types of analysis. When the analysis is complete, the resulting alerts are displayed alongside each other in the security view of the repository. Results from third-party tools or from custom queries may not include all of the properties that you see for alerts detected by {% data variables.product.company_short %}'s default {% data variables.product.prodname_codeql %} analysis. For more information, see [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning) and [AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning). -By default, {% data variables.product.prodname_code_scanning %} analyzes your code periodically on the default branch and during pull requests. For information about managing alerts on a pull request, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/triaging-code-scanning-alerts-in-pull-requests)." +By default, {% data variables.product.prodname_code_scanning %} analyzes your code periodically on the default branch and during pull requests. For information about managing alerts on a pull request, see [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/triaging-code-scanning-alerts-in-pull-requests). {% ifversion code-scanning-autofix %} -You can use {% data variables.product.prodname_copilot_autofix %} to generate fixes automatically for {% data variables.product.prodname_code_scanning %} alerts, including {% data variables.product.prodname_codeql %} alerts. For more information, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/resolving-code-scanning-alerts#generating-suggested-fixes-for-code-scanning-alerts)." +You can use {% data variables.product.prodname_copilot_autofix %} to generate fixes automatically for {% data variables.product.prodname_code_scanning %} alerts, including {% data variables.product.prodname_codeql %} alerts. For more information, see [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/resolving-code-scanning-alerts#generating-suggested-fixes-for-code-scanning-alerts). {% endif %} {% ifversion copilot-chat-ghas-alerts %} -With a {% data variables.product.prodname_copilot_enterprise %} license, you can also ask {% data variables.product.prodname_copilot_chat %} for help to better understand {% data variables.product.prodname_code_scanning %} alerts in repositories in your organization. For more information, see "[AUTOTITLE](/copilot/using-github-copilot/asking-github-copilot-questions-in-githubcom#asking-questions-about-alerts-from-github-advanced-security-features)." +With a {% data variables.product.prodname_copilot_enterprise %} license, you can also ask {% data variables.product.prodname_copilot_chat %} for help to better understand {% data variables.product.prodname_code_scanning %} alerts in repositories in your organization. For more information, see [AUTOTITLE](/copilot/using-github-copilot/asking-github-copilot-questions-in-githubcom#asking-questions-about-alerts-from-github-advanced-security-features). {% endif %} {% ifversion security-overview-org-codeql-pr-alerts %} -For {% data variables.product.prodname_code_scanning %} alerts from {% data variables.product.prodname_codeql %} analysis, you can use security overview to see how {% data variables.product.prodname_codeql %} is performing in pull requests in repositories across your organization, and to identify repositories where you may need to take action. For more information, see "[AUTOTITLE](/code-security/security-overview/viewing-metrics-for-pull-request-alerts)." +For {% data variables.product.prodname_code_scanning %} alerts from {% data variables.product.prodname_codeql %} analysis, you can use security overview to see how {% data variables.product.prodname_codeql %} is performing in pull requests in repositories across your organization, and to identify repositories where you may need to take action. For more information, see [AUTOTITLE](/code-security/security-overview/viewing-metrics-for-pull-request-alerts). {% endif %} @@ -62,7 +62,7 @@ You can run multiple configurations of code analysis on a repository, using diff If you use multiple configurations to analyze a file, any problems detected by the same query are reported as alerts generated by multiple configurations. If an alert exists in more than one configuration, the number of configurations appears next to the branch name in the "Affected branches" section on the right-hand side of the alert page. To view the configurations for an alert, in the "Affected branches" section, click a branch. A "Configurations analyzing" modal appears with the names of each configuration generating the alert for that branch. Below each configuration, you can see when that configuration's alert was last updated. -An alert may display different statuses from different configurations. To update the alert statuses, re-run each out-of-date configuration. Alternatively, you can delete stale configurations from a branch to remove outdated alerts. For more information on deleting stale configurations and alerts, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/resolving-code-scanning-alerts#removing-stale-configurations-and-alerts-from-a-branch)." +An alert may display different statuses from different configurations. To update the alert statuses, re-run each out-of-date configuration. Alternatively, you can delete stale configurations from a branch to remove outdated alerts. For more information on deleting stale configurations and alerts, see [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/resolving-code-scanning-alerts#removing-stale-configurations-and-alerts-from-a-branch). ### About labels for alerts that are not found in application code @@ -107,13 +107,13 @@ You can use rulesets to prevent pull requests from being merged when one of the {% data reusables.code-scanning.merge-protection-rulesets-conditions %} -For more information, see "[AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/set-code-scanning-merge-protection)." For more general information about rulesets, see "[AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets)." +For more information, see [AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/set-code-scanning-merge-protection). For more general information about rulesets, see [AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets). {% else %} {% data reusables.code-scanning.pull-request-checks %} -You can edit which severity and security severity alert levels cause a check failure. For more information, see "[AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/editing-your-configuration-of-default-setup#defining-the-alert-severities-that-cause-a-check-failure-for-a-pull-request)." +You can edit which severity and security severity alert levels cause a check failure. For more information, see [AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/editing-your-configuration-of-default-setup#defining-the-alert-severities-that-cause-a-check-failure-for-a-pull-request). {% endif %} diff --git a/content/code-security/code-scanning/managing-code-scanning-alerts/assessing-code-scanning-alerts-for-your-repository.md b/content/code-security/code-scanning/managing-code-scanning-alerts/assessing-code-scanning-alerts-for-your-repository.md index 6210adb17419..3fc21f3b2f2f 100644 --- a/content/code-security/code-scanning/managing-code-scanning-alerts/assessing-code-scanning-alerts-for-your-repository.md +++ b/content/code-security/code-scanning/managing-code-scanning-alerts/assessing-code-scanning-alerts-for-your-repository.md @@ -15,7 +15,7 @@ topics: - Repositories --- -Anyone with read permission for a repository can see {% data variables.product.prodname_code_scanning %} annotations on pull requests. For more information, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/triaging-code-scanning-alerts-in-pull-requests)." +Anyone with read permission for a repository can see {% data variables.product.prodname_code_scanning %} annotations on pull requests. For more information, see [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/triaging-code-scanning-alerts-in-pull-requests). ## Viewing the alerts for a repository @@ -38,16 +38,16 @@ By default, the {% data variables.product.prodname_code_scanning %} alerts page 1. Alerts from {% data variables.product.prodname_codeql %} analysis include a description of the problem. Click **Show more** for guidance on how to fix your code. -For more information, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/about-code-scanning-alerts)." +For more information, see [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/about-code-scanning-alerts). > [!NOTE] -> You can see information about when {% data variables.product.prodname_code_scanning %} analysis last ran on the tool status page. For more information, see "[AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/about-the-tool-status-page)." +> You can see information about when {% data variables.product.prodname_code_scanning %} analysis last ran on the tool status page. For more information, see [AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/about-the-tool-status-page). {% ifversion copilot-chat-ghas-alerts %} ## Asking {% data variables.product.prodname_copilot_chat %} about {% data variables.product.prodname_code_scanning %} alerts -With a {% data variables.product.prodname_copilot_enterprise %} license, you can ask {% data variables.product.prodname_copilot_chat_short %} for help to better understand security alerts, including {% data variables.product.prodname_code_scanning %} alerts, in repositories in your organization. For more information, see "[AUTOTITLE](/copilot/using-github-copilot/asking-github-copilot-questions-in-githubcom#asking-questions-about-alerts-from-github-advanced-security-features)." +With a {% data variables.product.prodname_copilot_enterprise %} license, you can ask {% data variables.product.prodname_copilot_chat_short %} for help to better understand security alerts, including {% data variables.product.prodname_code_scanning %} alerts, in repositories in your organization. For more information, see [AUTOTITLE](/copilot/using-github-copilot/asking-github-copilot-questions-in-githubcom#asking-questions-about-alerts-from-github-advanced-security-features). {% endif %} @@ -55,7 +55,7 @@ With a {% data variables.product.prodname_copilot_enterprise %} license, you can ## Viewing metrics for {% data variables.product.prodname_codeql %} pull request alerts for an organization -For {% data variables.product.prodname_code_scanning %} alerts from {% data variables.product.prodname_codeql %} analysis, you can use security overview to see how {% data variables.product.prodname_codeql %} is performing in pull requests in repositories where you have write access across your organization, and to identify repositories where you may need to take action. For more information, see "[AUTOTITLE](/code-security/security-overview/viewing-metrics-for-pull-request-alerts)." +For {% data variables.product.prodname_code_scanning %} alerts from {% data variables.product.prodname_codeql %} analysis, you can use security overview to see how {% data variables.product.prodname_codeql %} is performing in pull requests in repositories where you have write access across your organization, and to identify repositories where you may need to take action. For more information, see [AUTOTITLE](/code-security/security-overview/viewing-metrics-for-pull-request-alerts). {% endif %} @@ -75,7 +75,7 @@ You can prefix the `tag` filter with `-` to exclude results with that tag. For e ### Restricting results to application code only -You can use the "Only alerts in application code" filter or `autofilter:true` keyword and value to restrict results to alerts in application code. For more information about the types of code that are automatically labeled as not application code, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/about-code-scanning-alerts#about-labels-for-alerts-that-are-not-found-in-application-code)." +You can use the "Only alerts in application code" filter or `autofilter:true` keyword and value to restrict results to alerts in application code. For more information about the types of code that are automatically labeled as not application code, see [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/about-code-scanning-alerts#about-labels-for-alerts-that-are-not-found-in-application-code). ## Searching {% data variables.product.prodname_code_scanning %} alerts @@ -110,7 +110,7 @@ You can search the list of alerts. This is useful if there is a large number of To quickly create an issue to track the status of a specific {% data variables.product.prodname_code_scanning %} alert, on the {% data variables.product.prodname_code_scanning %} alerts page, click the alert you would like to track. On the detailed page for that alert, click **Create issue**. Customize the autogenerated issue as desired, then click **Submit new issue**. -Alternatively, to track a {% data variables.product.prodname_code_scanning %} alert in an existing issue, add the URL for the alert as a task list item in the issue. For more information about task lists, see "[AUTOTITLE](/get-started/writing-on-github/working-with-advanced-formatting/about-task-lists)." +Alternatively, to track a {% data variables.product.prodname_code_scanning %} alert in an existing issue, add the URL for the alert as a task list item in the issue. For more information about task lists, see [AUTOTITLE](/get-started/writing-on-github/working-with-advanced-formatting/about-task-lists). {% data reusables.code-scanning.alert-tracking-link %} @@ -122,7 +122,7 @@ Alternatively, to track a {% data variables.product.prodname_code_scanning %} al ## Further reading -* "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/resolving-code-scanning-alerts)" -* "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/triaging-code-scanning-alerts-in-pull-requests)" -* "[AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning)" -* "[AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/about-integration-with-code-scanning)" +* [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/resolving-code-scanning-alerts) +* [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/triaging-code-scanning-alerts-in-pull-requests) +* [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning) +* [AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/about-integration-with-code-scanning) diff --git a/content/code-security/code-scanning/managing-code-scanning-alerts/disabling-autofix-for-code-scanning.md b/content/code-security/code-scanning/managing-code-scanning-alerts/disabling-autofix-for-code-scanning.md index 91bec61695c2..62ee2b40a1c8 100644 --- a/content/code-security/code-scanning/managing-code-scanning-alerts/disabling-autofix-for-code-scanning.md +++ b/content/code-security/code-scanning/managing-code-scanning-alerts/disabling-autofix-for-code-scanning.md @@ -16,7 +16,7 @@ topics: ## About disabling {% data variables.product.prodname_copilot_autofix_short %} for {% data variables.product.prodname_code_scanning %} -{% data variables.product.prodname_copilot_autofix %} is a {% data variables.product.prodname_copilot %}-powered expansion of {% data variables.product.prodname_code_scanning %}. It provides users with targeted recommendations to help them fix {% data variables.product.prodname_code_scanning %} alerts (including {% data variables.product.prodname_codeql %} alerts) so they can avoid introducing new security vulnerabilities. To learn more about {% data variables.product.prodname_copilot_autofix_short %} for {% data variables.product.prodname_code_scanning %}, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/responsible-use-autofix-code-scanning)." +{% data variables.product.prodname_copilot_autofix %} is a {% data variables.product.prodname_copilot %}-powered expansion of {% data variables.product.prodname_code_scanning %}. It provides users with targeted recommendations to help them fix {% data variables.product.prodname_code_scanning %} alerts (including {% data variables.product.prodname_codeql %} alerts) so they can avoid introducing new security vulnerabilities. To learn more about {% data variables.product.prodname_copilot_autofix_short %} for {% data variables.product.prodname_code_scanning %}, see [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/responsible-use-autofix-code-scanning). {% data reusables.rai.code-scanning.copilot-autofix-note %} @@ -48,7 +48,7 @@ Note that disabling {% data variables.product.prodname_copilot_autofix_short %} 1. In the "Security" section of the sidebar, click **{% octicon "codescan" aria-hidden="true" %} Code security** then **Global settings**. 1. Under the "{% data variables.product.prodname_code_scanning_caps %}" section, deselect **{% data variables.product.prodname_copilot_autofix_short %}** or **{% data variables.product.prodname_copilot_autofix_short %} for third-party tools**. -For more information about configuring global {% data variables.product.prodname_code_scanning %} settings, see "[AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization#configuring-global-code-scanning-settings)." +For more information about configuring global {% data variables.product.prodname_code_scanning %} settings, see [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization#configuring-global-code-scanning-settings). ## Disabling {% data variables.product.prodname_copilot_autofix_short %} for a repository diff --git a/content/code-security/code-scanning/managing-code-scanning-alerts/fixing-alerts-in-security-campaign.md b/content/code-security/code-scanning/managing-code-scanning-alerts/fixing-alerts-in-security-campaign.md index 5f30adfeedd1..a817e89bc2f0 100644 --- a/content/code-security/code-scanning/managing-code-scanning-alerts/fixing-alerts-in-security-campaign.md +++ b/content/code-security/code-scanning/managing-code-scanning-alerts/fixing-alerts-in-security-campaign.md @@ -71,7 +71,7 @@ If you have access to {% data variables.product.prodname_copilot_chat_short %} t To get the most out of {% data variables.product.prodname_copilot_chat_short %} when you're working on code security, you should consider: -1. Indexing your repositories to give {% data variables.product.prodname_copilot_chat_short %} more context to answer questions about the repository code, see "[AUTOTITLE](/copilot/managing-copilot/managing-github-copilot-in-your-organization/customizing-copilot-for-your-organization/indexing-repositories-for-copilot-chat)." +1. Indexing your repositories to give {% data variables.product.prodname_copilot_chat_short %} more context to answer questions about the repository code, see [AUTOTITLE](/copilot/managing-copilot/managing-github-copilot-in-your-organization/customizing-copilot-for-your-organization/indexing-repositories-for-copilot-chat). 1. Explicitly asking {% data variables.product.prodname_copilot_chat_short %} to use the {% data variables.product.prodname_GH_advanced_security %} skill to answer your questions, for example: "Use the GitHub Advanced Security skill to explain how this alert introduces a vulnerability into the code." {% endif %} diff --git a/content/code-security/code-scanning/managing-code-scanning-alerts/resolving-code-scanning-alerts.md b/content/code-security/code-scanning/managing-code-scanning-alerts/resolving-code-scanning-alerts.md index 5ee3830cfc73..7961a6ea927c 100644 --- a/content/code-security/code-scanning/managing-code-scanning-alerts/resolving-code-scanning-alerts.md +++ b/content/code-security/code-scanning/managing-code-scanning-alerts/resolving-code-scanning-alerts.md @@ -28,7 +28,7 @@ topics: ## Asking {% data variables.product.prodname_copilot_chat %} about {% data variables.product.prodname_code_scanning %} alerts -With a {% data variables.product.prodname_copilot_enterprise %} license, you can ask {% data variables.product.prodname_copilot_chat_short %} for help to better understand security alerts, including {% data variables.product.prodname_code_scanning %} alerts, in repositories in your organization. For more information, see "[AUTOTITLE](/copilot/using-github-copilot/asking-github-copilot-questions-in-githubcom#asking-questions-about-alerts-from-github-advanced-security-features)." +With a {% data variables.product.prodname_copilot_enterprise %} license, you can ask {% data variables.product.prodname_copilot_chat_short %} for help to better understand security alerts, including {% data variables.product.prodname_code_scanning %} alerts, in repositories in your organization. For more information, see [AUTOTITLE](/copilot/using-github-copilot/asking-github-copilot-questions-in-githubcom#asking-questions-about-alerts-from-github-advanced-security-features). {% endif %} @@ -36,7 +36,7 @@ With a {% data variables.product.prodname_copilot_enterprise %} license, you can ## Generating suggested fixes for {% data variables.product.prodname_code_scanning %} alerts -{% data variables.product.prodname_copilot_autofix %} can generate fixes for alerts identified by {% data variables.product.prodname_code_scanning %} analysis. Most {% data variables.product.prodname_codeql %} alert types are supported and also some alerts from third-party tools. For more information, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/responsible-use-autofix-code-scanning)." +{% data variables.product.prodname_copilot_autofix %} can generate fixes for alerts identified by {% data variables.product.prodname_code_scanning %} analysis. Most {% data variables.product.prodname_codeql %} alert types are supported and also some alerts from third-party tools. For more information, see [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/responsible-use-autofix-code-scanning). {% data reusables.rai.code-scanning.copilot-autofix-note %} @@ -54,7 +54,7 @@ For information about the limitations of automatically generated fixes, see "[Li ## Fixing an alert {% ifversion code-scanning-autofix %}manually{% endif %} -Anyone with write permission for a repository can fix an alert by committing a correction to the code. If the repository has {% data variables.product.prodname_code_scanning %} scheduled to run on pull requests, it's best to raise a pull request with your correction. This will trigger {% data variables.product.prodname_code_scanning %} analysis of the changes and test that your fix doesn't introduce any new problems. For more information, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/triaging-code-scanning-alerts-in-pull-requests)." +Anyone with write permission for a repository can fix an alert by committing a correction to the code. If the repository has {% data variables.product.prodname_code_scanning %} scheduled to run on pull requests, it's best to raise a pull request with your correction. This will trigger {% data variables.product.prodname_code_scanning %} analysis of the changes and test that your fix doesn't introduce any new problems. For more information, see [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/triaging-code-scanning-alerts-in-pull-requests). You can use the free text search or the filters to display a subset of alerts and then in turn mark all matching alerts as closed. @@ -65,7 +65,7 @@ Alerts may be fixed in one branch but not in another. You can use the "Branch" f {% data reusables.code-scanning.filter-non-default-branches %} > [!NOTE] -> If you run {% data variables.product.prodname_code_scanning %} using multiple configurations, the same alert will sometimes be generated by more than one configuration. Unless you run all configurations regularly, you may see alerts that are fixed in one configuration but not in another. These stale configurations and alerts can be removed from a branch. For more information, see "[Removing stale configurations and alerts from a branch](#removing-stale-configurations-and-alerts-from-a-branch)." +> If you run {% data variables.product.prodname_code_scanning %} using multiple configurations, the same alert will sometimes be generated by more than one configuration. Unless you run all configurations regularly, you may see alerts that are fixed in one configuration but not in another. These stale configurations and alerts can be removed from a branch. For more information, see [Removing stale configurations and alerts from a branch](#removing-stale-configurations-and-alerts-from-a-branch). ## Dismissing alerts @@ -104,7 +104,7 @@ If you dismiss an alert but later realize that you need to fix the alert, you ca ## Removing stale configurations and alerts from a branch -You may have multiple code scanning configurations on a single repository. When run, multiple configurations can generate the same alert. Additionally, if the configurations are run on different schedules, the alert statuses may become out-of-date for infrequent or stale configurations. For more information on alerts from multiple configurations, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/about-code-scanning-alerts#about-alerts-from-multiple-configurations)." +You may have multiple code scanning configurations on a single repository. When run, multiple configurations can generate the same alert. Additionally, if the configurations are run on different schedules, the alert statuses may become out-of-date for infrequent or stale configurations. For more information on alerts from multiple configurations, see [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/about-code-scanning-alerts#about-alerts-from-multiple-configurations). {% data reusables.repositories.navigate-to-repo %} {% data reusables.repositories.sidebar-security %} @@ -119,7 +119,7 @@ You may have multiple code scanning configurations on a single repository. When 1. Once you have removed any unwanted configurations and confirmed the expected configurations are displayed, click **Save changes**. - If you save your changes after accidentally deleting a configuration, re-run the configuration to update the alert. For more information on re-running configurations that use {% data variables.product.prodname_actions %}, see "[AUTOTITLE](/actions/managing-workflow-runs/re-running-workflows-and-jobs#re-running-all-the-jobs-in-a-workflow)." + If you save your changes after accidentally deleting a configuration, re-run the configuration to update the alert. For more information on re-running configurations that use {% data variables.product.prodname_actions %}, see [AUTOTITLE](/actions/managing-workflow-runs/re-running-workflows-and-jobs#re-running-all-the-jobs-in-a-workflow). > [!NOTE] > * If you remove all {% data variables.product.prodname_code_scanning %} configurations for the default branch of your repository, the default branch will remain in the "Affected branches" sidebar, but it will not be analyzed by any configurations. @@ -127,6 +127,6 @@ You may have multiple code scanning configurations on a single repository. When ## Further reading -* "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/triaging-code-scanning-alerts-in-pull-requests)" -* "[AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning)" -* "[AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/about-integration-with-code-scanning)" +* [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/triaging-code-scanning-alerts-in-pull-requests) +* [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning) +* [AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/about-integration-with-code-scanning) diff --git a/content/code-security/code-scanning/managing-code-scanning-alerts/responsible-use-autofix-code-scanning.md b/content/code-security/code-scanning/managing-code-scanning-alerts/responsible-use-autofix-code-scanning.md index 130c060c8593..47977a79f519 100644 --- a/content/code-security/code-scanning/managing-code-scanning-alerts/responsible-use-autofix-code-scanning.md +++ b/content/code-security/code-scanning/managing-code-scanning-alerts/responsible-use-autofix-code-scanning.md @@ -24,9 +24,9 @@ redirect_from: {% data variables.product.prodname_copilot_autofix_short %} generates potential fixes that are relevant to the existing source code and translates the description and location of an alert into code changes that may fix the alert. {% data variables.product.prodname_copilot_autofix_short %} uses internal {% data variables.product.prodname_copilot %} APIs interfacing with the large language model GPT-4o from OpenAI, which has sufficient generative capabilities to produce both suggested fixes in code and explanatory text for those fixes. -{% data variables.product.prodname_copilot_autofix_short %} is allowed by default and enabled for every repository using {% data variables.product.prodname_codeql %}, but you can choose to opt out and disable {% data variables.product.prodname_copilot_autofix_short %}. To learn how to disable {% data variables.product.prodname_copilot_autofix_short %} at the enterprise, organization and repository levels, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/disabling-autofix-for-code-scanning)." +{% data variables.product.prodname_copilot_autofix_short %} is allowed by default and enabled for every repository using {% data variables.product.prodname_codeql %}, but you can choose to opt out and disable {% data variables.product.prodname_copilot_autofix_short %}. To learn how to disable {% data variables.product.prodname_copilot_autofix_short %} at the enterprise, organization and repository levels, see [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/disabling-autofix-for-code-scanning). -In an organization's security overview dashboard, you can view the total number of code suggestions generated on open and closed pull requests in the organization for a given time period. For more information, see "[AUTOTITLE](/enterprise-cloud@latest/code-security/security-overview/viewing-security-insights#autofix-suggestions)" in the {% data variables.product.prodname_ghe_cloud %} documentation. +In an organization's security overview dashboard, you can view the total number of code suggestions generated on open and closed pull requests in the organization for a given time period. For more information, see [AUTOTITLE](/enterprise-cloud@latest/code-security/security-overview/viewing-security-insights#autofix-suggestions) in the {% data variables.product.prodname_ghe_cloud %} documentation. ## Developer experience @@ -38,7 +38,7 @@ After committing a suggested fix or modified fix, the developer should always ve ## Supported languages for {% data variables.product.prodname_codeql %} {% data variables.product.prodname_code_scanning %} -{% data variables.product.prodname_copilot_autofix_short %} supports fix generation for a subset of queries included in the default and security-extended {% data variables.product.prodname_codeql %} query suites for {% data variables.code-scanning.codeql_autofix_languages %}. For more information on these query suites, see "[AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/codeql-query-suites#built-in-codeql-query-suites)." +{% data variables.product.prodname_copilot_autofix_short %} supports fix generation for a subset of queries included in the default and security-extended {% data variables.product.prodname_codeql %} query suites for {% data variables.code-scanning.codeql_autofix_languages %}. For more information on these query suites, see [AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/codeql-query-suites#built-in-codeql-query-suites). ## Suggestion generation process @@ -54,7 +54,7 @@ When {% data variables.product.prodname_copilot_autofix_short %} is enabled for Any {% data variables.product.prodname_copilot_autofix_short %} suggestions are generated and stored within the {% data variables.product.prodname_code_scanning %} backend. They are displayed as suggestions. No user interaction is needed beyond enabling {% data variables.product.prodname_code_scanning %} on the codebase and creating a pull request. -The process of generating fixes does not gather or utilize any customer data beyond the scope outlined above. Therefore, the use of this feature is governed by the existing terms and conditions associated with {% data variables.product.prodname_GH_advanced_security %}. Moreover, data handled by {% data variables.product.prodname_copilot_autofix_short %} is strictly not employed for LLM training purposes. For more information on {% data variables.product.prodname_GH_advanced_security %} terms and conditions, see "[AUTOTITLE](/free-pro-team@latest/site-policy/github-terms/github-terms-for-additional-products-and-features#advanced-security){% ifversion fpt %}."{% else %} in the Free, Pro, & Team documentation.{% endif %} +The process of generating fixes does not gather or utilize any customer data beyond the scope outlined above. Therefore, the use of this feature is governed by the existing terms and conditions associated with {% data variables.product.prodname_GH_advanced_security %}. Moreover, data handled by {% data variables.product.prodname_copilot_autofix_short %} is strictly not employed for LLM training purposes. For more information on {% data variables.product.prodname_GH_advanced_security %} terms and conditions, see [AUTOTITLE](/free-pro-team@latest/site-policy/github-terms/github-terms-for-additional-products-and-features#advanced-security){% ifversion fpt %}.{% else %} in the Free, Pro, & Team documentation.{% endif %} ## Quality of suggestions @@ -90,7 +90,7 @@ However, each project and codebase is unique, so developers may need to edit a l ## Limitations of suggestions -When you review a suggestion from {% data variables.product.prodname_copilot_autofix_short %}, you must always consider the limitations of AI and edit the changes as needed before you accept the changes. You should also consider updating the CI testing and dependency management for a repository before enabling {% data variables.product.prodname_copilot_autofix_short %} for {% data variables.product.prodname_code_scanning %}. For more information, see "[Mitigating the limitations of suggestions](#mitigating-the-limitations-of-suggestions)." +When you review a suggestion from {% data variables.product.prodname_copilot_autofix_short %}, you must always consider the limitations of AI and edit the changes as needed before you accept the changes. You should also consider updating the CI testing and dependency management for a repository before enabling {% data variables.product.prodname_copilot_autofix_short %} for {% data variables.product.prodname_code_scanning %}. For more information, see [Mitigating the limitations of suggestions](#mitigating-the-limitations-of-suggestions). ### Limitations of code suggestions @@ -119,7 +119,7 @@ It is important to remember that the author of a pull request retains responsibi ## Next steps -* "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/about-code-scanning-alerts)" -* "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/triaging-code-scanning-alerts-in-pull-requests#working-with-autofix-suggestions-for-alerts-on-a-pull-request)" -* "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/resolving-code-scanning-alerts#generating-suggested-fixes-for-code-scanning-alerts) -* "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/disabling-autofix-for-code-scanning)" +* [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/about-code-scanning-alerts) +* [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/triaging-code-scanning-alerts-in-pull-requests#working-with-autofix-suggestions-for-alerts-on-a-pull-request) +* [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/resolving-code-scanning-alerts#generating-suggested-fixes-for-code-scanning-alerts) +* [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/disabling-autofix-for-code-scanning) diff --git a/content/code-security/code-scanning/managing-code-scanning-alerts/tracking-code-scanning-alerts-in-issues-using-task-lists.md b/content/code-security/code-scanning/managing-code-scanning-alerts/tracking-code-scanning-alerts-in-issues-using-task-lists.md index 32da76747c49..365e368c05b8 100644 --- a/content/code-security/code-scanning/managing-code-scanning-alerts/tracking-code-scanning-alerts-in-issues-using-task-lists.md +++ b/content/code-security/code-scanning/managing-code-scanning-alerts/tracking-code-scanning-alerts-in-issues-using-task-lists.md @@ -20,11 +20,11 @@ topics: ## About tracking {% data variables.product.prodname_code_scanning %} alerts in issues -{% data variables.product.prodname_code_scanning_caps %} alerts integrate with task lists in {% data variables.product.prodname_github_issues %} to allow you to prioritize and track alerts with all your development work. To track a {% data variables.product.prodname_code_scanning %} alert in an existing issue, add the URL for the alert as a task list item in the issue. For more information about task lists, see "[AUTOTITLE](/get-started/writing-on-github/working-with-advanced-formatting/about-task-lists)." +{% data variables.product.prodname_code_scanning_caps %} alerts integrate with task lists in {% data variables.product.prodname_github_issues %} to allow you to prioritize and track alerts with all your development work. To track a {% data variables.product.prodname_code_scanning %} alert in an existing issue, add the URL for the alert as a task list item in the issue. For more information about task lists, see [AUTOTITLE](/get-started/writing-on-github/working-with-advanced-formatting/about-task-lists). You can also quickly create a new issue to track an alert: -* From a {% data variables.product.prodname_code_scanning %} alert. For more information, see "[Creating a tracking issue from a {% data variables.product.prodname_code_scanning %} alert](#creating-a-tracking-issue-from-a-code-scanning-alert)." -* From the API. For more information, see "[Creating a tracking issue from the API](#creating-a-tracking-issue-from-the-api)." +* From a {% data variables.product.prodname_code_scanning %} alert. For more information, see [Creating a tracking issue from a {% data variables.product.prodname_code_scanning %} alert](#creating-a-tracking-issue-from-a-code-scanning-alert). +* From the API. For more information, see [Creating a tracking issue from the API](#creating-a-tracking-issue-from-the-api). You can use more than one issue to track the same {% data variables.product.prodname_code_scanning %} alert, and issues can belong to different repositories from the repository where the {% data variables.product.prodname_code_scanning %} alert was found. @@ -59,7 +59,7 @@ Instead of tracking a {% data variables.product.prodname_code_scanning %} alert {% data reusables.repositories.sidebar-security %} {% data reusables.repositories.sidebar-code-scanning-alerts %} {% data reusables.code-scanning.explore-alert %} -1. Optionally, to find the alert to track, you can use the free-text search or the drop-down menus to filter and locate the alert. For more information, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/assessing-code-scanning-alerts-for-your-repository#filtering-code-scanning-alerts)." +1. Optionally, to find the alert to track, you can use the free-text search or the drop-down menus to filter and locate the alert. For more information, see [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/assessing-code-scanning-alerts-for-your-repository#filtering-code-scanning-alerts). 1. Towards the top of the page, on the right side, click **Create issue**. ![Screenshot of a {% data variables.product.prodname_code_scanning %} alert. The "Create issue" button is outlined in dark orange.](/assets/images/help/repository/code-scanning-create-issue-for-alert.png) @@ -77,7 +77,7 @@ Instead of tracking a {% data variables.product.prodname_code_scanning %} alert ### Creating a tracking issue from the API -1. Begin creating an issue through the API. For more information, see "[Create an issue](/rest/issues/issues#create-an-issue)." +1. Begin creating an issue through the API. For more information, see [Create an issue](/rest/issues/issues#create-an-issue). 1. Provide the code scanning link within the body of the issue. You must use the following task list syntax to create the tracked relationship: `- [ ] FULL-URL-TO-THE-CODE-SCANNING-ALERT`. For example, if you add `- [ ] https://github.com/octocat-org/octocat-repo/security/code-scanning/17` to an issue, the issue will track the {% data variables.product.prodname_code_scanning %} alert that has an ID number of 17 in the **Security** tab of the `octocat-repo` repository in the `octocat-org` organization. diff --git a/content/code-security/code-scanning/managing-code-scanning-alerts/triaging-code-scanning-alerts-in-pull-requests.md b/content/code-security/code-scanning/managing-code-scanning-alerts/triaging-code-scanning-alerts-in-pull-requests.md index a537aee8fb5a..3b550147b5b0 100644 --- a/content/code-security/code-scanning/managing-code-scanning-alerts/triaging-code-scanning-alerts-in-pull-requests.md +++ b/content/code-security/code-scanning/managing-code-scanning-alerts/triaging-code-scanning-alerts-in-pull-requests.md @@ -34,23 +34,23 @@ If the lines of code changed in the pull request generate {% data variables.prod * The **Files changed** tab of the pull request > [!NOTE] -> {% data variables.product.prodname_code_scanning_caps %} displays alerts in pull requests only when all the lines of code identified by the alert exist in the pull request diff. For more information, see "[AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning#specifying-the-location-for-source-files)." +> {% data variables.product.prodname_code_scanning_caps %} displays alerts in pull requests only when all the lines of code identified by the alert exist in the pull request diff. For more information, see [AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning#specifying-the-location-for-source-files). {% ifversion code-scanning-autofix %} -{% data variables.product.prodname_copilot_autofix %} will suggest fixes for alerts from {% data variables.product.prodname_code_scanning %} analysis (including {% data variables.product.prodname_codeql %} analysis) in private repositories. For more information on working with suggestions from {% data variables.product.prodname_copilot_autofix_short %} in pull requests, see "[Working with {% data variables.product.prodname_copilot_autofix_short %} suggestions for alerts on a pull request](#working-with-copilot-autofix-suggestions-for-alerts-on-a-pull-request)." +{% data variables.product.prodname_copilot_autofix %} will suggest fixes for alerts from {% data variables.product.prodname_code_scanning %} analysis (including {% data variables.product.prodname_codeql %} analysis) in private repositories. For more information on working with suggestions from {% data variables.product.prodname_copilot_autofix_short %} in pull requests, see [Working with {% data variables.product.prodname_copilot_autofix_short %} suggestions for alerts on a pull request](#working-with-copilot-autofix-suggestions-for-alerts-on-a-pull-request). {% endif %} -If you have write permission for the repository, you can see any existing {% data variables.product.prodname_code_scanning %} alerts on the **Security** tab. For information about repository alerts, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/assessing-code-scanning-alerts-for-your-repository)." +If you have write permission for the repository, you can see any existing {% data variables.product.prodname_code_scanning %} alerts on the **Security** tab. For information about repository alerts, see [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/assessing-code-scanning-alerts-for-your-repository). -In repositories where {% data variables.product.prodname_code_scanning %} is configured to scan each time code is pushed, {% data variables.product.prodname_code_scanning %} will also map the results to any open pull requests and add the alerts as annotations in the same places as other pull request checks. For more information, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#scanning-on-push)." +In repositories where {% data variables.product.prodname_code_scanning %} is configured to scan each time code is pushed, {% data variables.product.prodname_code_scanning %} will also map the results to any open pull requests and add the alerts as annotations in the same places as other pull request checks. For more information, see [AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#scanning-on-push). -If your pull request targets a protected branch that uses {% data variables.product.prodname_code_scanning %}, and the repository owner has configured required status checks, then the "{% data variables.product.prodname_code_scanning_caps %} results" check must pass before you can merge the pull request. For more information, see "[AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-status-checks-before-merging)." +If your pull request targets a protected branch that uses {% data variables.product.prodname_code_scanning %}, and the repository owner has configured required status checks, then the "{% data variables.product.prodname_code_scanning_caps %} results" check must pass before you can merge the pull request. For more information, see [AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-status-checks-before-merging). {% ifversion copilot-chat-ghas-alerts %} -With a {% data variables.product.prodname_copilot_enterprise %} license, you can also ask {% data variables.product.prodname_copilot_chat %} for help to better understand {% data variables.product.prodname_code_scanning %} alerts in repositories in your organization. For more information, see "[AUTOTITLE](/copilot/using-github-copilot/asking-github-copilot-questions-in-githubcom#asking-questions-about-alerts-from-github-advanced-security-features)." +With a {% data variables.product.prodname_copilot_enterprise %} license, you can also ask {% data variables.product.prodname_copilot_chat %} for help to better understand {% data variables.product.prodname_code_scanning %} alerts in repositories in your organization. For more information, see [AUTOTITLE](/copilot/using-github-copilot/asking-github-copilot-questions-in-githubcom#asking-questions-about-alerts-from-github-advanced-security-features). {% endif %} @@ -62,7 +62,7 @@ There are many options for configuring {% data variables.product.prodname_code_s For all configurations of {% data variables.product.prodname_code_scanning %}, the check that contains the results of {% data variables.product.prodname_code_scanning %} is: **{% data variables.product.prodname_code_scanning_caps %} results**. The results for each analysis tool used are shown separately. Any new alerts on lines of code changed in the pull request are shown as annotations. -To see the full set of alerts for the analyzed branch, click **View all branch alerts**. This opens the full alert view where you can filter all the alerts on the branch by type, severity, tag, etc. For more information, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/assessing-code-scanning-alerts-for-your-repository#filtering-and-searching-for-code-scanning-alerts)." +To see the full set of alerts for the analyzed branch, click **View all branch alerts**. This opens the full alert view where you can filter all the alerts on the branch by type, severity, tag, etc. For more information, see [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/assessing-code-scanning-alerts-for-your-repository#filtering-and-searching-for-code-scanning-alerts). ![Screenshot of the {% data variables.product.prodname_code_scanning_caps %} results check on a pull request. The "View all branch alerts" link is highlighted with a dark orange outline.](/assets/images/help/repository/code-scanning-results-check.png) @@ -72,7 +72,7 @@ If the {% data variables.product.prodname_code_scanning %} results check finds a ![Screenshot of the merge box for a pull request. The "Code scanning results / CodeQL" check has "1 new alert including 1 high severity security v..."](/assets/images/help/repository/code-scanning-check-failure.png) -You can override the default behavior in your repository settings, by specifying the level of severities and security severities that will cause a pull request check failure. For more information, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#defining-the-severities-causing-pull-request-check-failure)". +You can override the default behavior in your repository settings, by specifying the level of severities and security severities that will cause a pull request check failure. For more information, see [AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#defining-the-severities-causing-pull-request-check-failure). ### Other {% data variables.product.prodname_code_scanning %} checks @@ -80,7 +80,7 @@ Depending on your configuration, you may see additional checks running on pull r For example, if the repository uses the {% data variables.code-scanning.codeql_workflow %} a **{% data variables.product.prodname_codeql %} / Analyze (LANGUAGE)** check is run for each language before the results check runs. The analysis check may fail if there are configuration problems, or if the pull request breaks the build for a language that the analysis compiles (for example, {% data variables.code-scanning.compiled_languages %}). -As with other pull request checks, you can see full details of the check failure on the **Checks** tab. For more information about configuring and troubleshooting, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning)" or "[AUTOTITLE](/code-security/code-scanning/troubleshooting-code-scanning)." +As with other pull request checks, you can see full details of the check failure on the **Checks** tab. For more information about configuring and troubleshooting, see [AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning) or [AUTOTITLE](/code-security/code-scanning/troubleshooting-code-scanning). ## Viewing an alert on your pull request @@ -90,9 +90,9 @@ You can see any {% data variables.product.prodname_code_scanning %} alerts that You can also view all {% data variables.product.prodname_code_scanning %} alerts that are inside the diff of the changes introduced in the pull request in the **Files changed** tab. -If you add a new code scanning configuration in your pull request, you will see a comment on your pull request directing you to the **Security** tab of the repository so you can view all the alerts on the pull request branch. For more information about viewing the alerts for a repository, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/assessing-code-scanning-alerts-for-your-repository#viewing-the-alerts-for-a-repository)." +If you add a new code scanning configuration in your pull request, you will see a comment on your pull request directing you to the **Security** tab of the repository so you can view all the alerts on the pull request branch. For more information about viewing the alerts for a repository, see [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/assessing-code-scanning-alerts-for-your-repository#viewing-the-alerts-for-a-repository). -If you have write permission for the repository, some annotations contain links with extra context for the alert. In the example above, from {% data variables.product.prodname_codeql %} analysis, you can click **user-provided value** to see where the untrusted data enters the data flow (this is referred to as the source). In this case you can also view the full path from the source to the code that uses the data (the sink) by clicking **Show paths**. This makes it easy to check whether the data is untrusted or if the analysis failed to recognize a data sanitization step between the source and the sink. For information about analyzing data flow using {% data variables.product.prodname_codeql %}, see "[About data flow analysis](https://codeql.github.com/docs/writing-codeql-queries/about-data-flow-analysis/)." +If you have write permission for the repository, some annotations contain links with extra context for the alert. In the example above, from {% data variables.product.prodname_codeql %} analysis, you can click **user-provided value** to see where the untrusted data enters the data flow (this is referred to as the source). In this case you can also view the full path from the source to the code that uses the data (the sink) by clicking **Show paths**. This makes it easy to check whether the data is untrusted or if the analysis failed to recognize a data sanitization step between the source and the sink. For information about analyzing data flow using {% data variables.product.prodname_codeql %}, see [About data flow analysis](https://codeql.github.com/docs/writing-codeql-queries/about-data-flow-analysis/). To see more information about an alert, users with write permission can click the **Show more details** link shown in the annotation. This allows you to see all of the context and metadata provided by the tool in an alert view. In the example below, you can see tags showing the severity, type, and relevant common weakness enumerations (CWEs) for the problem. The view also shows which commit introduced the problem. @@ -106,7 +106,7 @@ In the detailed view for an alert, some {% data variables.product.prodname_code_ You can comment on any {% data variables.product.prodname_code_scanning %} alert that appears in a pull request. Alerts appear as annotations in the **Conversation** tab of a pull request, as part of a pull request review, and also are shown in the **Files changed** tab. -You can choose to require all conversations in a pull request, including those on {% data variables.product.prodname_code_scanning %} alerts, to be resolved before a pull request can be merged. For more information, see "[AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-conversation-resolution-before-merging)." +You can choose to require all conversations in a pull request, including those on {% data variables.product.prodname_code_scanning %} alerts, to be resolved before a pull request can be merged. For more information, see [AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-conversation-resolution-before-merging). ## Fixing an alert on your pull request @@ -124,10 +124,10 @@ Anyone with push access to a pull request can fix a {% data variables.product.pr ### Generating {% data variables.product.prodname_copilot_autofix_short %} suggestions and publishing to a pull request -When {% data variables.product.prodname_copilot_autofix_short %} is enabled for a repository, alerts are displayed in pull requests as normal and information from any alerts found by {% data variables.product.prodname_code_scanning %} is automatically sent to the LLM for processing. When LLM analysis is complete, any results are published as comments on relevant alerts. For more information, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/responsible-use-autofix-code-scanning)." +When {% data variables.product.prodname_copilot_autofix_short %} is enabled for a repository, alerts are displayed in pull requests as normal and information from any alerts found by {% data variables.product.prodname_code_scanning %} is automatically sent to the LLM for processing. When LLM analysis is complete, any results are published as comments on relevant alerts. For more information, see [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/responsible-use-autofix-code-scanning). > [!NOTE] -> * {% data variables.product.prodname_copilot_autofix_short %} supports a subset of {% data variables.product.prodname_codeql %} queries. For information about the availability of {% data variables.product.prodname_copilot_autofix_short %}, see the query tables linked from "[AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/codeql-query-suites#query-lists-for-the-default-query-suites)." +> * {% data variables.product.prodname_copilot_autofix_short %} supports a subset of {% data variables.product.prodname_codeql %} queries. For information about the availability of {% data variables.product.prodname_copilot_autofix_short %}, see the query tables linked from [AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/codeql-query-suites#query-lists-for-the-default-query-suites). > * When analysis is complete, all relevant results are published to the pull request at once. If at least one alert in your pull request has an {% data variables.product.prodname_copilot_autofix_short %} suggestion, you should assume that the LLM has finished identifying potential fixes for your code. > * On alerts generated from queries that are not supported by {% data variables.product.prodname_copilot_autofix_short %}, you will see a note telling you that the query is not supported. If a suggestion for a supported query fails to generate, you will see a note on the alert prompting you to try pushing another commit or to contact support. @@ -137,7 +137,7 @@ Usually, when you suggest changes to a pull request, your comment contains chang ### Assessing and committing an {% data variables.product.prodname_copilot_autofix_short %} suggestion -Each {% data variables.product.prodname_copilot_autofix_short %} suggestion demonstrates a potential solution for a {% data variables.product.prodname_code_scanning %} alert in your codebase. You must assess the suggested changes to determine whether they are a good solution for your codebase and to ensure that they maintain the intended behavior. For information about the limitations of {% data variables.product.prodname_copilot_autofix_short %} suggestions, see "[Limitations of suggestions](/code-security/code-scanning/managing-code-scanning-alerts/responsible-use-autofix-code-scanning#limitations-of-suggestions)" and "[Mitigating the limitations of suggestions](/code-security/code-scanning/managing-code-scanning-alerts/responsible-use-autofix-code-scanning#mitigating-the-limitations-of-suggestions)" in "Responsible use of {% data variables.product.prodname_copilot_autofix_short %} for {% data variables.product.prodname_code_scanning %}." +Each {% data variables.product.prodname_copilot_autofix_short %} suggestion demonstrates a potential solution for a {% data variables.product.prodname_code_scanning %} alert in your codebase. You must assess the suggested changes to determine whether they are a good solution for your codebase and to ensure that they maintain the intended behavior. For information about the limitations of {% data variables.product.prodname_copilot_autofix_short %} suggestions, see [Limitations of suggestions](/code-security/code-scanning/managing-code-scanning-alerts/responsible-use-autofix-code-scanning#limitations-of-suggestions) and [Mitigating the limitations of suggestions](/code-security/code-scanning/managing-code-scanning-alerts/responsible-use-autofix-code-scanning#mitigating-the-limitations-of-suggestions) in "Responsible use of {% data variables.product.prodname_copilot_autofix_short %} for {% data variables.product.prodname_code_scanning %}." 1. Click **Edit** to display the editing options and select your preferred method. * Under **Edit with {% data variables.product.prodname_cli %}**, follow the instructions for checking out the pull request locally and applying the suggested fix. @@ -168,4 +168,4 @@ An alternative way of closing an alert is to dismiss it. You can dismiss an aler {% data reusables.code-scanning.false-positive-fix-codeql %} -For more information about dismissing alerts, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/resolving-code-scanning-alerts#dismissing--alerts)." +For more information about dismissing alerts, see [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/resolving-code-scanning-alerts#dismissing--alerts). diff --git a/content/code-security/code-scanning/managing-your-code-scanning-configuration/about-the-tool-status-page.md b/content/code-security/code-scanning/managing-your-code-scanning-configuration/about-the-tool-status-page.md index a0e2052b18f6..7f777bd81894 100644 --- a/content/code-security/code-scanning/managing-your-code-scanning-configuration/about-the-tool-status-page.md +++ b/content/code-security/code-scanning/managing-your-code-scanning-configuration/about-the-tool-status-page.md @@ -47,7 +47,7 @@ In the {% data variables.code-scanning.tool_status_page %}, you'll see a summary ![Screenshot showing the tool status page, with the CodeQL tool selected.](/assets/images/help/repository/code-scanning-tool-status-page.png) -For integrated tools such as {% data variables.product.prodname_codeql %}, you can see a percentage total of all the files most recently scanned in your repository, organized by programming language. For information about what files are considered to have been scanned by {% data variables.product.prodname_codeql %}, see "[How {% data variables.product.prodname_codeql %} defines scanned files](#how-codeql-defines-scanned-files)." You can also download detailed language reports in CSV format. For more information, see "[Downloading details of the files analyzed](#downloading-details-of-the-files-analyzed)." +For integrated tools such as {% data variables.product.prodname_codeql %}, you can see a percentage total of all the files most recently scanned in your repository, organized by programming language. For information about what files are considered to have been scanned by {% data variables.product.prodname_codeql %}, see [How {% data variables.product.prodname_codeql %} defines scanned files](#how-codeql-defines-scanned-files). You can also download detailed language reports in CSV format. For more information, see [Downloading details of the files analyzed](#downloading-details-of-the-files-analyzed). The three possible tool statuses are: all configurations are working, some configurations need attention, and some configurations are not working. @@ -55,17 +55,17 @@ The three possible tool statuses are: all configurations are working, some confi When you want to see more detailed information for the currently displayed tool, you can select a specific setup under "Setup types". -Under "Configurations" on the left of the screen, you can see information for each analysis run by this setup type, and any relevant error messages. To see detailed information about the most recent analysis run, select a configuration in the sidebar. You can download details of exactly which rules were run in that scan of the code and how many alerts were found by each rule. For more information, see "[Downloading lists of rules used](#downloading-lists-of-rules-used)." +Under "Configurations" on the left of the screen, you can see information for each analysis run by this setup type, and any relevant error messages. To see detailed information about the most recent analysis run, select a configuration in the sidebar. You can download details of exactly which rules were run in that scan of the code and how many alerts were found by each rule. For more information, see [Downloading lists of rules used](#downloading-lists-of-rules-used). ![Screenshot showing detailed information about CodeQL in the tool status page.](/assets/images/help/repository/code-scanning-tool-status-page-detailed.png) -This view will also show error messages. For more information, see "[Debugging using the tool status page](#debugging-using-the-tool-status-page)." +This view will also show error messages. For more information, see [Debugging using the tool status page](#debugging-using-the-tool-status-page). ### How {% data variables.product.prodname_codeql %} defines scanned files -A file is reported as scanned by {% data variables.product.prodname_codeql %} if some of the lines of code in that file were processed. If you're using a standard configuration of the {% data variables.product.prodname_codeql %} action, the scanned files shown in the {% data variables.code-scanning.tool_status_page %} will include source code files for all languages that {% data variables.product.prodname_codeql %} can analyze. If you use advanced setup, you can optionally define which files for interpreted languages should be scanned using the `paths` and `paths-ignore` configuration properties. For more information, see "[AUTOTITLE](/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning-with-codeql)" and "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning)." +A file is reported as scanned by {% data variables.product.prodname_codeql %} if some of the lines of code in that file were processed. If you're using a standard configuration of the {% data variables.product.prodname_codeql %} action, the scanned files shown in the {% data variables.code-scanning.tool_status_page %} will include source code files for all languages that {% data variables.product.prodname_codeql %} can analyze. If you use advanced setup, you can optionally define which files for interpreted languages should be scanned using the `paths` and `paths-ignore` configuration properties. For more information, see [AUTOTITLE](/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning-with-codeql) and [AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning). -For compiled languages, the {% data variables.code-scanning.tool_status_page %} reports files that were present before running autobuild or any manual build steps. This means that files generated during the build process are not shown in the {% data variables.code-scanning.tool_status_page %}. For more information, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#about-autobuild-for-codeql)." +For compiled languages, the {% data variables.code-scanning.tool_status_page %} reports files that were present before running autobuild or any manual build steps. This means that files generated during the build process are not shown in the {% data variables.code-scanning.tool_status_page %}. For more information, see [AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#about-autobuild-for-codeql). The tool status page will calculate the percentage of files that were scanned by {% data variables.product.prodname_codeql %} for each language supported by {% data variables.product.prodname_codeql %}. This percentage respects any files excluded by the `paths` and `paths-ignore` configuration properties. @@ -98,19 +98,19 @@ You can remove stale, duplicate, or unwanted configurations for the default bran To remove a configuration, select the configuration you want to delete. Then click **{% octicon "kebab-horizontal" aria-label="Configuration menu" %}** on the top right of the page, and select **{% octicon "trash" aria-hidden="true" %} Delete configuration**. Once you have read the warning about alerts, to confirm the deletion, click the **Delete** button. > [!NOTE] -> You can only use the {% data variables.code-scanning.tool_status_page %} to remove configurations for the default branch of a repository. For information about removing configurations from non-default branches, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/resolving-code-scanning-alerts#removing-stale-configurations-and-alerts-from-a-branch)." +> You can only use the {% data variables.code-scanning.tool_status_page %} to remove configurations for the default branch of a repository. For information about removing configurations from non-default branches, see [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/resolving-code-scanning-alerts#removing-stale-configurations-and-alerts-from-a-branch). ## Debugging using the {% data variables.code-scanning.tool_status_page %} -If you see that there is a problem with your analysis from the {% data variables.product.prodname_code_scanning %} alerts page, you can use the {% data variables.code-scanning.tool_status_page %} to identify the problem. For integrated tools, you can see specific error messages in the detailed information section, related to specific {% data variables.product.prodname_code_scanning %} tools. These error messages contain information about why the tool may not be performing as expected, and actions you can take. For more information about how to access this section of the {% data variables.code-scanning.tool_status_page %}, see "[Accessing detailed information about tools](#accessing-detailed-information-about-tools)." +If you see that there is a problem with your analysis from the {% data variables.product.prodname_code_scanning %} alerts page, you can use the {% data variables.code-scanning.tool_status_page %} to identify the problem. For integrated tools, you can see specific error messages in the detailed information section, related to specific {% data variables.product.prodname_code_scanning %} tools. These error messages contain information about why the tool may not be performing as expected, and actions you can take. For more information about how to access this section of the {% data variables.code-scanning.tool_status_page %}, see [Accessing detailed information about tools](#accessing-detailed-information-about-tools). For integrated tools such as {% data variables.product.prodname_codeql %}, you can also use file coverage information to improve your analysis. For each language displayed on the {% data variables.code-scanning.tool_status_page %}: * If the language has a high scanned percentage, this shows that code scanning is scanning that language as expected. -* If the language has a low scanned percentage, you may wish to investigate diagnostic output produced by {% data variables.product.prodname_codeql %} for that language: for more information see "[AUTOTITLE](/code-security/code-scanning/troubleshooting-code-scanning/codeql-scanned-fewer-lines-than-expected)." -* If the language has a scanned percentage of zero, you may have source code in your repository written in languages supported by {% data variables.product.prodname_codeql %} but not currently being analyzed with {% data variables.product.prodname_codeql %}. In this case, you may wish to update your setup to start analyzing these additional languages. For more information, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#changing-the-languages-that-are-analyzed)." +* If the language has a low scanned percentage, you may wish to investigate diagnostic output produced by {% data variables.product.prodname_codeql %} for that language: for more information see [AUTOTITLE](/code-security/code-scanning/troubleshooting-code-scanning/codeql-scanned-fewer-lines-than-expected). +* If the language has a scanned percentage of zero, you may have source code in your repository written in languages supported by {% data variables.product.prodname_codeql %} but not currently being analyzed with {% data variables.product.prodname_codeql %}. In this case, you may wish to update your setup to start analyzing these additional languages. For more information, see [AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#changing-the-languages-that-are-analyzed). > [!NOTE] > If you have set up {% data variables.product.prodname_codeql %} using advanced setup and then set up default setup on the same repository, the {% data variables.code-scanning.tool_status_page %} will only show default setup. -For more information, see "[AUTOTITLE](/code-security/code-scanning/troubleshooting-code-scanning)" and "[AUTOTITLE](/code-security/code-scanning/troubleshooting-sarif-uploads)." +For more information, see [AUTOTITLE](/code-security/code-scanning/troubleshooting-code-scanning) and [AUTOTITLE](/code-security/code-scanning/troubleshooting-sarif-uploads). diff --git a/content/code-security/code-scanning/managing-your-code-scanning-configuration/codeql-query-suites.md b/content/code-security/code-scanning/managing-your-code-scanning-configuration/codeql-query-suites.md index c5f50b88b29c..d32a202306c4 100644 --- a/content/code-security/code-scanning/managing-your-code-scanning-configuration/codeql-query-suites.md +++ b/content/code-security/code-scanning/managing-your-code-scanning-configuration/codeql-query-suites.md @@ -23,13 +23,13 @@ With {% data variables.product.prodname_codeql %} {% data variables.product.prod * `default` query suite. * `security-extended` query suite. This suite is referred to as the "Extended" query suite on {% data variables.product.prodname_dotcom %}. -Currently, both the `default` query suite and the `security-extended` query suite are available for default setup for {% data variables.product.prodname_code_scanning %}. {% ifversion bulk-code-scanning-query-suite %}Additionally, organization owners and security managers can recommend a query suite for use with default setup throughout their organization. For more information on configuring default setup for individual repositories, see "[AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning)." For more information on configuring default setup at scale and recommending a query suite, see "[AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale)."{% else %}For more information on default setup, see "[AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning)" and "[AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale)."{% endif %} +Currently, both the `default` query suite and the `security-extended` query suite are available for default setup for {% data variables.product.prodname_code_scanning %}. {% ifversion bulk-code-scanning-query-suite %}Additionally, organization owners and security managers can recommend a query suite for use with default setup throughout their organization. For more information on configuring default setup for individual repositories, see [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning). For more information on configuring default setup at scale and recommending a query suite, see [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale).{% else %}For more information on default setup, see [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning) and [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale).{% endif %} -To use a custom query suite, you must configure advanced setup for {% data variables.product.prodname_codeql %} {% data variables.product.prodname_code_scanning %}. For more information on advanced setups and creating a query suite, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning#configuring-advanced-setup-for-code-scanning-with-codeql)" and "[AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-codeql-query-suites)." +To use a custom query suite, you must configure advanced setup for {% data variables.product.prodname_codeql %} {% data variables.product.prodname_code_scanning %}. For more information on advanced setups and creating a query suite, see [AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning#configuring-advanced-setup-for-code-scanning-with-codeql) and [AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-codeql-query-suites). ## Built-in {% data variables.product.prodname_codeql %} query suites -The built-in {% data variables.product.prodname_codeql %} query suites, `default` and `security-extended`, are created and maintained by {% data variables.product.prodname_dotcom %}. Both of these query suites are available for every {% data variables.product.prodname_codeql %}-supported language. For more information on {% data variables.product.prodname_codeql %}-supported languages, see "[AUTOTITLE](/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning-with-codeql#about-codeql)." +The built-in {% data variables.product.prodname_codeql %} query suites, `default` and `security-extended`, are created and maintained by {% data variables.product.prodname_dotcom %}. Both of these query suites are available for every {% data variables.product.prodname_codeql %}-supported language. For more information on {% data variables.product.prodname_codeql %}-supported languages, see [AUTOTITLE](/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning-with-codeql#about-codeql). ### `default` query suite @@ -51,4 +51,4 @@ For each language, the following article lists which queries are included in the ## Further reading -* "[AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-codeql-query-suites)" +* [AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-codeql-query-suites) diff --git a/content/code-security/code-scanning/managing-your-code-scanning-configuration/configuring-larger-runners-for-default-setup.md b/content/code-security/code-scanning/managing-your-code-scanning-configuration/configuring-larger-runners-for-default-setup.md index 3276cf91b9f0..1bec77e0582a 100644 --- a/content/code-security/code-scanning/managing-your-code-scanning-configuration/configuring-larger-runners-for-default-setup.md +++ b/content/code-security/code-scanning/managing-your-code-scanning-configuration/configuring-larger-runners-for-default-setup.md @@ -15,7 +15,7 @@ topics: ## About {% data variables.actions.hosted_runners %} for default setup -{% data reusables.actions.about-larger-runners %} For more information about {% data variables.actions.hosted_runners %}, see "[AUTOTITLE](/actions/using-github-hosted-runners/about-larger-runners/about-larger-runners)." +{% data reusables.actions.about-larger-runners %} For more information about {% data variables.actions.hosted_runners %}, see [AUTOTITLE](/actions/using-github-hosted-runners/about-larger-runners/about-larger-runners). Consider configuring {% data variables.actions.hosted_runners %} for default setup if: * Your scans with standard {% data variables.product.prodname_dotcom %}-hosted runners are taking too long. @@ -24,25 +24,25 @@ Consider configuring {% data variables.actions.hosted_runners %} for default set > [!WARNING] > Currently, Swift analysis is not available on {% data variables.actions.hosted_runners %} for default setup. Additionally, if your repository has access to a runner with the `code-scanning` label, such as a {% data variables.actions.hosted_runner %} provisioned for default setup, default setup workflows will _only_ use runners labeled `code-scanning`. If you would like to configure default setup on {% data variables.actions.hosted_runners %} _and_ analyze Swift, you have two options: -> * Provision a self-hosted macOS runner with the `code-scanning` label in addition to your {% data variables.actions.hosted_runner %}. For more information, see {% ifversion ghec %}"[AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/configuring-code-scanning-for-your-appliance)."{% else %}"[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/adding-self-hosted-runners#adding-a-self-hosted-runner-to-a-repository)."{% endif %} +> * Provision a self-hosted macOS runner with the `code-scanning` label in addition to your {% data variables.actions.hosted_runner %}. For more information, see {% ifversion ghec %}[AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/configuring-code-scanning-for-your-appliance).{% else %}[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/adding-self-hosted-runners#adding-a-self-hosted-runner-to-a-repository).{% endif %} > * Ensure any repositories containing Swift _do not_ have access to runners with the label `code-scanning`. Default setup workflows for that repository will only use standard runners. {% ifversion ghec %} ## Provisioning enterprise-level {% data variables.actions.hosted_runners %} for default setup -1. Add a {% data variables.actions.hosted_runner %} to your enterprise. For more information, see "[AUTOTITLE](/actions/using-github-hosted-runners/about-larger-runners/managing-larger-runners#adding-a-larger-runner-to-an-enterprise)." +1. Add a {% data variables.actions.hosted_runner %} to your enterprise. For more information, see [AUTOTITLE](/actions/using-github-hosted-runners/about-larger-runners/managing-larger-runners#adding-a-larger-runner-to-an-enterprise). * To add the `code-scanning` label to your {% data variables.actions.hosted_runner %}, name the runner `code-scanning`. An enterprise can only have one {% data variables.actions.hosted_runner %} named `code-scanning`, and that runner will handle all {% data variables.product.prodname_code_scanning %} jobs for all organizations and repositories within your enterprise that: * _Have access_ to the enterprise-level runner, and * _Don't have access_ to an organization-level {% data variables.actions.hosted_runner %} named `code-scanning`. If an organization or repository also has access to an organization-level {% data variables.actions.hosted_runner %} named `code-scanning`, each {% data variables.product.prodname_code_scanning %} job will be randomly assigned to either the organization-level or enterprise-level runner. {% data reusables.actions.org-access-to-github-hosted-runners %} -1. To analyze repositories with default setup, grant the desired repositories access to the runner group your {% data variables.actions.hosted_runner %} is assigned to. For more information, see "[AUTOTITLE](/actions/using-github-hosted-runners/about-larger-runners/managing-larger-runners#allowing-repositories-to-access-larger-runners)." -1. You can now configure default setup for your enterprise, organizations, and repositories, and your {% data variables.actions.hosted_runner %} will automatically pick up {% data variables.product.prodname_code_scanning %} jobs as previously specified. For more information on configuring default setup, see "[AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning)" and "[AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale)." +1. To analyze repositories with default setup, grant the desired repositories access to the runner group your {% data variables.actions.hosted_runner %} is assigned to. For more information, see [AUTOTITLE](/actions/using-github-hosted-runners/about-larger-runners/managing-larger-runners#allowing-repositories-to-access-larger-runners). +1. You can now configure default setup for your enterprise, organizations, and repositories, and your {% data variables.actions.hosted_runner %} will automatically pick up {% data variables.product.prodname_code_scanning %} jobs as previously specified. For more information on configuring default setup, see [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning) and [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale). {% endif %} ## Provisioning organization-level {% data variables.actions.hosted_runners %} for default setup -1. Add a {% data variables.actions.hosted_runner %} to your organization. See "[AUTOTITLE](/actions/using-github-hosted-runners/about-larger-runners/managing-larger-runners#adding-a-larger-runner-to-an-organization)." - * To add a custom label to your {% data variables.actions.hosted_runner %}, give the runner a name that matches that label. You can use this custom label when you configure default setup with {% data variables.actions.hosted_runners %}. For more information, see "[AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning#assigning-labels-to-runners)." -1. By default, all repositories in your organization have access to organization-level runners, meaning every repository can use your {% data variables.actions.hosted_runner %}. For information on granting only select repositories access to a {% data variables.actions.hosted_runner %}, see "[AUTOTITLE](/actions/using-github-hosted-runners/about-larger-runners/managing-larger-runners#allowing-repositories-to-access-larger-runners)." -1. You can now configure default setup for your organization and repositories, and your {% data variables.actions.hosted_runner %} will automatically pick up {% data variables.product.prodname_code_scanning %} jobs. For more information on configuring default setup, see "[AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning)" and "[AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale)." +1. Add a {% data variables.actions.hosted_runner %} to your organization. See [AUTOTITLE](/actions/using-github-hosted-runners/about-larger-runners/managing-larger-runners#adding-a-larger-runner-to-an-organization). + * To add a custom label to your {% data variables.actions.hosted_runner %}, give the runner a name that matches that label. You can use this custom label when you configure default setup with {% data variables.actions.hosted_runners %}. For more information, see [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning#assigning-labels-to-runners). +1. By default, all repositories in your organization have access to organization-level runners, meaning every repository can use your {% data variables.actions.hosted_runner %}. For information on granting only select repositories access to a {% data variables.actions.hosted_runner %}, see [AUTOTITLE](/actions/using-github-hosted-runners/about-larger-runners/managing-larger-runners#allowing-repositories-to-access-larger-runners). +1. You can now configure default setup for your organization and repositories, and your {% data variables.actions.hosted_runner %} will automatically pick up {% data variables.product.prodname_code_scanning %} jobs. For more information on configuring default setup, see [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning) and [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale). diff --git a/content/code-security/code-scanning/managing-your-code-scanning-configuration/editing-your-configuration-of-default-setup.md b/content/code-security/code-scanning/managing-your-code-scanning-configuration/editing-your-configuration-of-default-setup.md index 997abc28bef8..56aa90221b35 100644 --- a/content/code-security/code-scanning/managing-your-code-scanning-configuration/editing-your-configuration-of-default-setup.md +++ b/content/code-security/code-scanning/managing-your-code-scanning-configuration/editing-your-configuration-of-default-setup.md @@ -17,17 +17,17 @@ topics: After running an initial analysis of your code with default setup, you may need to make changes to your configuration to better meet your code security needs. For existing configurations of default setup, you can edit: * Which languages default setup will analyze. -* The query suite run during analysis. For more information on the available query suites, see "[AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/codeql-query-suites)."{% ifversion codeql-threat-models %} -* The threat models ({% data variables.release-phases.public_preview %}) to use for analysis. Your choice of threat model determines which sources of tainted data are treated as a risk to your application. During the {% data variables.release-phases.public_preview %}, threat models are supported only for analysis of {% data variables.code-scanning.code_scanning_threat_model_support %}. For more information about threat models, see "[Including local sources of tainted data in default setup](#including-local-sources-of-tainted-data-in-default-setup)." +* The query suite run during analysis. For more information on the available query suites, see [AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/codeql-query-suites).{% ifversion codeql-threat-models %} +* The threat models ({% data variables.release-phases.public_preview %}) to use for analysis. Your choice of threat model determines which sources of tainted data are treated as a risk to your application. During the {% data variables.release-phases.public_preview %}, threat models are supported only for analysis of {% data variables.code-scanning.code_scanning_threat_model_support %}. For more information about threat models, see [Including local sources of tainted data in default setup](#including-local-sources-of-tainted-data-in-default-setup). {% endif %} {% ifversion codeql-model-packs %} -If your codebase depends on a library or framework that is not recognized by the standard libraries included with {% data variables.product.prodname_codeql %}, you can also extend the {% data variables.product.prodname_codeql %} coverage in default setup using {% data variables.product.prodname_codeql %} model packs. For more information, see "[Extending CodeQL coverage with CodeQL model packs in default setup](#extending-codeql-coverage-with-codeql-model-packs-in-default-setup)." +If your codebase depends on a library or framework that is not recognized by the standard libraries included with {% data variables.product.prodname_codeql %}, you can also extend the {% data variables.product.prodname_codeql %} coverage in default setup using {% data variables.product.prodname_codeql %} model packs. For more information, see [Extending CodeQL coverage with CodeQL model packs in default setup](#extending-codeql-coverage-with-codeql-model-packs-in-default-setup). {% endif %} -If you need to change any other aspects of your {% data variables.product.prodname_code_scanning %} configuration, consider configuring advanced setup. For more information, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning)." +If you need to change any other aspects of your {% data variables.product.prodname_code_scanning %} configuration, consider configuring advanced setup. For more information, see [AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning). ## Customizing your existing configuration of default setup @@ -41,7 +41,7 @@ If you need to change any other aspects of your {% data variables.product.prodna {% ifversion code-scanning-default-setup-customize-labels %} -1. Optionally, to use labeled runners, in the "Runner type" section of the "{% data variables.product.prodname_codeql %} default configuration" modal dialog, select **Standard {% data variables.product.company_short %} runner** {% octicon "triangle-down" aria-hidden="true" %} to open a dropdown menu, then select **Labeled runner**. Then, next to "Runner label", enter the label of an existing self-hosted or {% data variables.product.company_short %}-hosted runner. For more information, see "[AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning#assigning-labels-to-runners)." +1. Optionally, to use labeled runners, in the "Runner type" section of the "{% data variables.product.prodname_codeql %} default configuration" modal dialog, select **Standard {% data variables.product.company_short %} runner** {% octicon "triangle-down" aria-hidden="true" %} to open a dropdown menu, then select **Labeled runner**. Then, next to "Runner label", enter the label of an existing self-hosted or {% data variables.product.company_short %}-hosted runner. For more information, see [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning#assigning-labels-to-runners). {% endif %} @@ -57,7 +57,7 @@ You can use rulesets to prevent pull requests from being merged when one of the {% data reusables.code-scanning.merge-protection-rulesets-conditions %} -For more information, see "[AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/set-code-scanning-merge-protection)." For more general information about rulesets, see "[AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets)." +For more information, see [AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/set-code-scanning-merge-protection). For more general information about rulesets, see [AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets). {% else %} @@ -79,7 +79,7 @@ For more information, see "[AUTOTITLE](/code-security/code-scanning/managing-you If your codebase only considers remote network requests to be potential sources of tainted data, then we recommend using the default threat model. If your codebase considers sources other than network requests to potentially contain tainted data, then you can use threat models to add these additional sources to your {% data variables.product.prodname_codeql %} analysis. During the {% data variables.release-phases.public_preview %}, you can add local sources (for example: command-line arguments, environment variables, file systems, and databases) that your codebase may consider to be additional sources of tainted data. -You can edit the threat model used in a default setup configuration. For more information, see "[Customizing your existing configuration of default setup](#customizing-your-existing-configuration-of-default-setup)." +You can edit the threat model used in a default setup configuration. For more information, see [Customizing your existing configuration of default setup](#customizing-your-existing-configuration-of-default-setup). {% endif %} @@ -93,7 +93,7 @@ If {% ifversion ghec %}your enterprise is hosted on {% data variables.product.pr For default setup, you need to define the models of your additional dependencies in {% data variables.product.prodname_codeql %} model packs. You can extend coverage in default setup with {% data variables.product.prodname_codeql %} model packs for individual repositories, or at scale for all repositories in an organization. -For more information about {% data variables.product.prodname_codeql %} model packs and writing your own, see "[AUTOTITLE](/code-security/codeql-for-vs-code/using-the-advanced-functionality-of-the-codeql-for-vs-code-extension/using-the-codeql-model-editor)." +For more information about {% data variables.product.prodname_codeql %} model packs and writing your own, see [AUTOTITLE](/code-security/codeql-for-vs-code/using-the-advanced-functionality-of-the-codeql-for-vs-code-extension/using-the-codeql-model-editor). ### Extending coverage for a repository @@ -106,7 +106,7 @@ For more information about {% data variables.product.prodname_codeql %} model pa ### Extending coverage for all repositories in an organization >[!NOTE] -> If you extend coverage with {% data variables.product.prodname_codeql %} model packs for all repositories in an organization, the model packs that you specify must be published to the {% ifversion ghes %}container registry associated with the {% data variables.product.prodname_ghe_server %} instance (`https://containers.HOSTNAME`){% else %}{% data variables.product.company_short %} {% data variables.product.prodname_container_registry %}{% endif %} and be accessible to the repositories that run {% data variables.product.prodname_code_scanning %}. For more information, see "[AUTOTITLE](/packages/working-with-a-github-packages-registry/working-with-the-container-registry)." +> If you extend coverage with {% data variables.product.prodname_codeql %} model packs for all repositories in an organization, the model packs that you specify must be published to the {% ifversion ghes %}container registry associated with the {% data variables.product.prodname_ghe_server %} instance (`https://containers.HOSTNAME`){% else %}{% data variables.product.company_short %} {% data variables.product.prodname_container_registry %}{% endif %} and be accessible to the repositories that run {% data variables.product.prodname_code_scanning %}. For more information, see [AUTOTITLE](/packages/working-with-a-github-packages-registry/working-with-the-container-registry). {% data reusables.profile.access_org %} {% data reusables.organizations.org_settings %} diff --git a/content/code-security/code-scanning/managing-your-code-scanning-configuration/set-code-scanning-merge-protection.md b/content/code-security/code-scanning/managing-your-code-scanning-configuration/set-code-scanning-merge-protection.md index 468dd6eed250..ecf04387a003 100644 --- a/content/code-security/code-scanning/managing-your-code-scanning-configuration/set-code-scanning-merge-protection.md +++ b/content/code-security/code-scanning/managing-your-code-scanning-configuration/set-code-scanning-merge-protection.md @@ -15,7 +15,7 @@ topics: ## About using rulesets for {% data variables.product.prodname_code_scanning %} merge protection > [!NOTE] -> * Merge protection with rulesets is not related to status checks. For more information about status checks, see "[AUTOTITLE](/pull-requests/collaborating-with-pull-requests/collaborating-on-repositories-with-code-quality-features/about-status-checks)." +> * Merge protection with rulesets is not related to status checks. For more information about status checks, see [AUTOTITLE](/pull-requests/collaborating-with-pull-requests/collaborating-on-repositories-with-code-quality-features/about-status-checks). > * Merge protection with rulesets will not apply to merge queue groups or {% data variables.product.prodname_dependabot %} pull requests analyzed by default setup. You can use rulesets to prevent pull requests from being merged when one of the following conditions is met: @@ -24,13 +24,13 @@ You can use rulesets to prevent pull requests from being merged when one of the Typically you should use rulesets target long-lived feature branches, where you would like to guarantee that code has been analyzed before pull requests can be merged. -Configuring a {% data variables.product.prodname_code_scanning %} rule will not automatically enable {% data variables.product.prodname_code_scanning %}. For more information about how to enable code scanning, see "[AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning)." +Configuring a {% data variables.product.prodname_code_scanning %} rule will not automatically enable {% data variables.product.prodname_code_scanning %}. For more information about how to enable code scanning, see [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning). -For more information about {% data variables.product.prodname_code_scanning %} alerts, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/about-code-scanning-alerts)." +For more information about {% data variables.product.prodname_code_scanning %} alerts, see [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/about-code-scanning-alerts). You can set merge protection with rulesets at the repository {% ifversion ghec or ghes %}or organization levels{% else %}level{% endif %}, and for repositories configured with either default setup or advanced setup. You can also use the REST API to set merge protection with rulesets. -For more information about rulesets, see "[AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets)." +For more information about rulesets, see [AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets). ## Creating a merge protection ruleset for a repository @@ -42,7 +42,7 @@ For more information about rulesets, see "[AUTOTITLE](/repositories/configuring- {% data reusables.repositories.rulesets-general-step %} {% data reusables.repositories.rulesets-require-code-scanning-results %} -For more information about managing rulesets in a repository, see "[AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/)." +For more information about managing rulesets in a repository, see [AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/). {% ifversion ghec or ghes %} @@ -56,10 +56,10 @@ For more information about managing rulesets in a repository, see "[AUTOTITLE](/ {% data reusables.repositories.rulesets-general-step %} {% data reusables.repositories.rulesets-require-code-scanning-results %} -For more information about managing rulesets for repositories in an organization, see "[AUTOTITLE](/organizations/managing-organization-settings/managing-rulesets-for-repositories-in-your-organization)." +For more information about managing rulesets for repositories in an organization, see [AUTOTITLE](/organizations/managing-organization-settings/managing-rulesets-for-repositories-in-your-organization). {% endif %} ## Creating a merge protection ruleset with the REST API -You can use the REST API to create a ruleset with the `code_scanning` rule, which allows you to define specific tools and set alert thresholds. For more information, see "[AUTOTITLE](/rest/repos/rules?apiVersion=2022-11-28#create-a-repository-ruleset)." +You can use the REST API to create a ruleset with the `code_scanning` rule, which allows you to define specific tools and set alert thresholds. For more information, see [AUTOTITLE](/rest/repos/rules?apiVersion=2022-11-28#create-a-repository-ruleset). diff --git a/content/code-security/code-scanning/managing-your-code-scanning-configuration/viewing-code-scanning-logs.md b/content/code-security/code-scanning/managing-your-code-scanning-configuration/viewing-code-scanning-logs.md index 58d431f731da..9362ffa147a9 100644 --- a/content/code-security/code-scanning/managing-your-code-scanning-configuration/viewing-code-scanning-logs.md +++ b/content/code-security/code-scanning/managing-your-code-scanning-configuration/viewing-code-scanning-logs.md @@ -18,21 +18,21 @@ shortTitle: View code scanning logs ## About your {% data variables.product.prodname_code_scanning %} configuration -You can use a variety of tools to configure {% data variables.product.prodname_code_scanning %} in your repository. For more information, see "[AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning)" and "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning)." +You can use a variety of tools to configure {% data variables.product.prodname_code_scanning %} in your repository. For more information, see [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning) and [AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning). -The log and diagnostic information available to you depends on the method you use for {% data variables.product.prodname_code_scanning %} in your repository. You can check the type of {% data variables.product.prodname_code_scanning %} you're using in the **Security** tab of your repository, by using the **Tool** drop-down menu in the alert list. For more information, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/assessing-code-scanning-alerts-for-your-repository#viewing-the-alerts-for-a-repository)." +The log and diagnostic information available to you depends on the method you use for {% data variables.product.prodname_code_scanning %} in your repository. You can check the type of {% data variables.product.prodname_code_scanning %} you're using in the **Security** tab of your repository, by using the **Tool** drop-down menu in the alert list. For more information, see [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/assessing-code-scanning-alerts-for-your-repository#viewing-the-alerts-for-a-repository). ## About analysis and diagnostic information You can see analysis and diagnostic information for {% data variables.product.prodname_code_scanning %} run using {% data variables.product.prodname_codeql %} analysis on {% data variables.product.prodname_dotcom %}. -Analysis information is shown for the most recent analysis in a header at the top of the list of alerts. For more information, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/assessing-code-scanning-alerts-for-your-repository#viewing-the-alerts-for-a-repository)." +Analysis information is shown for the most recent analysis in a header at the top of the list of alerts. For more information, see [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/assessing-code-scanning-alerts-for-your-repository#viewing-the-alerts-for-a-repository). -Diagnostic information is displayed in the Action workflow logs and consists of summary metrics and extractor diagnostics. For information about accessing {% data variables.product.prodname_code_scanning %} logs on {% data variables.product.prodname_dotcom %}, see "[Viewing the logging output from {% data variables.product.prodname_code_scanning %}](#viewing-the-logging-output-from-code-scanning)" below. +Diagnostic information is displayed in the Action workflow logs and consists of summary metrics and extractor diagnostics. For information about accessing {% data variables.product.prodname_code_scanning %} logs on {% data variables.product.prodname_dotcom %}, see [Viewing the logging output from {% data variables.product.prodname_code_scanning %}](#viewing-the-logging-output-from-code-scanning) below. If you're using the {% data variables.product.prodname_codeql_cli %} outside {% data variables.product.prodname_dotcom %}, you'll see diagnostic information in the output generated during database analysis. This information is also included in the SARIF results file you upload to {% data variables.product.prodname_dotcom %} with the {% data variables.product.prodname_code_scanning %} results. -For information about the {% data variables.product.prodname_codeql_cli %}, see "[AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/analyzing-your-code-with-codeql-queries#viewing-log-and-diagnostic-information)." +For information about the {% data variables.product.prodname_codeql_cli %}, see [AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/analyzing-your-code-with-codeql-queries#viewing-log-and-diagnostic-information). ### About summary metrics @@ -42,7 +42,7 @@ For information about the {% data variables.product.prodname_codeql_cli %}, see {% data reusables.code-scanning.extractor-diagnostics %} -You can see more detailed information about {% data variables.product.prodname_codeql %} extractor errors and warnings that occurred during database creation by enabling debug logging. For more information, see "[AUTOTITLE](/code-security/code-scanning/troubleshooting-code-scanning/logs-are-not-detailed-enough#creating-codeql-debugging-artifacts-by-re-running-jobs-with-debug-logging-enabled)." +You can see more detailed information about {% data variables.product.prodname_codeql %} extractor errors and warnings that occurred during database creation by enabling debug logging. For more information, see [AUTOTITLE](/code-security/code-scanning/troubleshooting-code-scanning/logs-are-not-detailed-enough#creating-codeql-debugging-artifacts-by-re-running-jobs-with-debug-logging-enabled). ## Viewing the logging output from {% data variables.product.prodname_code_scanning %} @@ -69,4 +69,4 @@ After configuring {% data variables.product.prodname_code_scanning %} for your r 1. Optionally, to see more detail about the commit that triggered the workflow run, click the short commit hash. The short commit hash is 7 lowercase characters immediately following the commit author's username. -1. Once all jobs are complete, you can view the details of any {% data variables.product.prodname_code_scanning %} alerts that were identified. For more information, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/assessing-code-scanning-alerts-for-your-repository#viewing-the-alerts-for-a-repository)." +1. Once all jobs are complete, you can view the details of any {% data variables.product.prodname_code_scanning %} alerts that were identified. For more information, see [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/assessing-code-scanning-alerts-for-your-repository#viewing-the-alerts-for-a-repository). diff --git a/content/code-security/code-scanning/troubleshooting-code-scanning/advanced-security-must-be-enabled.md b/content/code-security/code-scanning/troubleshooting-code-scanning/advanced-security-must-be-enabled.md index cf57d472313d..dc78185375ed 100644 --- a/content/code-security/code-scanning/troubleshooting-code-scanning/advanced-security-must-be-enabled.md +++ b/content/code-security/code-scanning/troubleshooting-code-scanning/advanced-security-must-be-enabled.md @@ -28,7 +28,7 @@ This error is reported if you try to run {% data variables.product.prodname_code ## Confirming the cause of the error {% ifversion fpt %} -If you are on a free, pro, or team plan, you can only use {% data variables.product.prodname_code_scanning %} on repositories that are publicly available. To enable {% data variables.product.prodname_code_scanning %} for private or internal repositories, you must upgrade to GitHub Enterprise with {% data variables.product.prodname_GH_advanced_security %} and enable {% data variables.product.prodname_GH_advanced_security %} for the repository. For more information, see "[AUTOTITLE](/get-started/learning-about-github/githubs-products#github-enterprise)" and "[AUTOTITLE](/get-started/learning-about-github/about-github-advanced-security)." +If you are on a free, pro, or team plan, you can only use {% data variables.product.prodname_code_scanning %} on repositories that are publicly available. To enable {% data variables.product.prodname_code_scanning %} for private or internal repositories, you must upgrade to GitHub Enterprise with {% data variables.product.prodname_GH_advanced_security %} and enable {% data variables.product.prodname_GH_advanced_security %} for the repository. For more information, see [AUTOTITLE](/get-started/learning-about-github/githubs-products#github-enterprise) and [AUTOTITLE](/get-started/learning-about-github/about-github-advanced-security). {% else %} @@ -47,7 +47,7 @@ If {% data variables.product.prodname_GH_advanced_security %} is available to yo ### Requesting access to {% data variables.product.prodname_GH_advanced_security %} -1. In the "{% data variables.product.prodname_GH_advanced_security %}" settings, click the enterprise name to display a list of users with access to edit the policy that controls access to {% data variables.product.prodname_GH_advanced_security %}. For more information, see "[AUTOTITLE](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-code-security-and-analysis-for-your-enterprise#enforcing-a-policy-for-the-use-of-github-advanced-security-in-your-enterprises-organizations)." +1. In the "{% data variables.product.prodname_GH_advanced_security %}" settings, click the enterprise name to display a list of users with access to edit the policy that controls access to {% data variables.product.prodname_GH_advanced_security %}. For more information, see [AUTOTITLE](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-code-security-and-analysis-for-your-enterprise#enforcing-a-policy-for-the-use-of-github-advanced-security-in-your-enterprises-organizations). 1. Follow your company's policy for requesting access to additional features. ### Enabling {% data variables.product.prodname_GH_advanced_security %} diff --git a/content/code-security/code-scanning/troubleshooting-code-scanning/analysis-takes-too-long.md b/content/code-security/code-scanning/troubleshooting-code-scanning/analysis-takes-too-long.md index 4236223d19a1..0ca7fad654b7 100644 --- a/content/code-security/code-scanning/troubleshooting-code-scanning/analysis-takes-too-long.md +++ b/content/code-security/code-scanning/troubleshooting-code-scanning/analysis-takes-too-long.md @@ -19,21 +19,21 @@ There are several approaches you can try to reduce the build time in a {% data v {% ifversion fpt or ghec %} -If you're using {% data variables.product.company_short %}-hosted runners for your {% data variables.product.prodname_code_scanning %} analysis, consider upgrading to {% data variables.actions.hosted_runners %}. These are {% data variables.product.company_short %}-hosted runners with more RAM, CPU, and disk space than standard runners. For more information about {% data variables.actions.hosted_runners %} and {% data variables.product.prodname_code_scanning %}, see "[AUTOTITLE](/actions/using-github-hosted-runners/about-larger-runners)" and "[AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/configuring-larger-runners-for-default-setup)." +If you're using {% data variables.product.company_short %}-hosted runners for your {% data variables.product.prodname_code_scanning %} analysis, consider upgrading to {% data variables.actions.hosted_runners %}. These are {% data variables.product.company_short %}-hosted runners with more RAM, CPU, and disk space than standard runners. For more information about {% data variables.actions.hosted_runners %} and {% data variables.product.prodname_code_scanning %}, see [AUTOTITLE](/actions/using-github-hosted-runners/about-larger-runners) and [AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/configuring-larger-runners-for-default-setup). -If you're using self-hosted runners to run {% data variables.product.prodname_code_scanning %} analysis, you can increase the memory or the number of cores on those runners. If you're using {% data variables.product.prodname_codeql %} with advanced setup for your analysis, review the recommended hardware resources for {% data variables.product.prodname_codeql %} to make sure your self-hosted runners meet those requirements. For more information, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/recommended-hardware-resources-for-running-codeql)." +If you're using self-hosted runners to run {% data variables.product.prodname_code_scanning %} analysis, you can increase the memory or the number of cores on those runners. If you're using {% data variables.product.prodname_codeql %} with advanced setup for your analysis, review the recommended hardware resources for {% data variables.product.prodname_codeql %} to make sure your self-hosted runners meet those requirements. For more information, see [AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/recommended-hardware-resources-for-running-codeql). {% elsif ghes %} -You can increase the memory or disk space available on your runners. If you're using {% data variables.product.prodname_codeql %} for your {% data variables.product.prodname_code_scanning %} analysis, you can review the recommended hardware resources for {% data variables.product.prodname_codeql %} to make sure your runners meet those requirements. For more information, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/recommended-hardware-resources-for-running-codeql)." +You can increase the memory or disk space available on your runners. If you're using {% data variables.product.prodname_codeql %} for your {% data variables.product.prodname_code_scanning %} analysis, you can review the recommended hardware resources for {% data variables.product.prodname_codeql %} to make sure your runners meet those requirements. For more information, see [AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/recommended-hardware-resources-for-running-codeql). {% endif %} ## Use matrix builds to parallelize the analysis -To speed up analysis of workflows that involve multiple jobs, you can modify your workflow to use a matrix. For more information, see "[AUTOTITLE](/actions/using-jobs/using-a-matrix-for-your-jobs)." +To speed up analysis of workflows that involve multiple jobs, you can modify your workflow to use a matrix. For more information, see [AUTOTITLE](/actions/using-jobs/using-a-matrix-for-your-jobs). -The default {% data variables.code-scanning.codeql_workflow %} uses a matrix of languages, which causes the analysis of each language to run in parallel. However, if you're using {% data variables.product.prodname_codeql %} with advanced setup and you have specified the languages you want to analyze directly in the "Initialize CodeQL" step, analysis of each language will happen sequentially. In this configuration, you can speed up your analysis by modifying your advanced setup workflow to use a matrix. For an example, see the workflow extract in "[AUTOTITLE](/code-security/code-scanning/troubleshooting-code-scanning/some-languages-were-not-analyzed)." +The default {% data variables.code-scanning.codeql_workflow %} uses a matrix of languages, which causes the analysis of each language to run in parallel. However, if you're using {% data variables.product.prodname_codeql %} with advanced setup and you have specified the languages you want to analyze directly in the "Initialize CodeQL" step, analysis of each language will happen sequentially. In this configuration, you can speed up your analysis by modifying your advanced setup workflow to use a matrix. For an example, see the workflow extract in [AUTOTITLE](/code-security/code-scanning/troubleshooting-code-scanning/some-languages-were-not-analyzed). ## Reduce the amount of code being analyzed in a single workflow @@ -45,7 +45,7 @@ If you split your {% data variables.product.prodname_codeql %} analysis into mul ## Run only during a `schedule` event -You may find that your analysis is slow during `push` or `pull_request` events. If so, you can set your analysis to only trigger on the `schedule` event. If you're using {% data variables.product.prodname_codeql %} for your {% data variables.product.prodname_code_scanning %} analysis, you can configure this with an advanced setup workflow, but not in default setup. For more information, see "[AUTOTITLE](/actions/learn-github-actions/understanding-github-actions#events)." +You may find that your analysis is slow during `push` or `pull_request` events. If so, you can set your analysis to only trigger on the `schedule` event. If you're using {% data variables.product.prodname_codeql %} for your {% data variables.product.prodname_code_scanning %} analysis, you can configure this with an advanced setup workflow, but not in default setup. For more information, see [AUTOTITLE](/actions/learn-github-actions/understanding-github-actions#events). ## Check which queries or rules the workflow runs @@ -53,4 +53,4 @@ Another option to reduce analysis time is to run only the queries or rules that In {% data variables.product.prodname_codeql %}, there are two main query suites available for each language. If you have optimized the {% data variables.product.prodname_codeql %} database build and the process is still too long, you could reduce the number of queries you run. The default query suite is run automatically: it provides the best possible compromise between quality and speed. -If you're using {% data variables.product.prodname_codeql %} with advanced setup, you may be running extra queries or query suites in addition to the default queries. Check whether the workflow defines an additional query suite or additional queries to run using the `queries` element. You can experiment with disabling the additional query suite or queries. For more information, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#using-queries-in-ql-packs)." +If you're using {% data variables.product.prodname_codeql %} with advanced setup, you may be running extra queries or query suites in addition to the default queries. Check whether the workflow defines an additional query suite or additional queries to run using the `queries` element. You can experiment with disabling the additional query suite or queries. For more information, see [AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#using-queries-in-ql-packs). diff --git a/content/code-security/code-scanning/troubleshooting-code-scanning/automatic-build-failed.md b/content/code-security/code-scanning/troubleshooting-code-scanning/automatic-build-failed.md index 74cdd58ecc24..9414d05398d3 100644 --- a/content/code-security/code-scanning/troubleshooting-code-scanning/automatic-build-failed.md +++ b/content/code-security/code-scanning/troubleshooting-code-scanning/automatic-build-failed.md @@ -17,6 +17,6 @@ If an automatic build of code for a compiled language within your project fails, ## Further reading -* "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning)."{% ifversion codeql-no-build %} -* "[CodeQL build modes](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#codeql-build-modes)"{% elsif ghes %} -* "[Adding build steps for a compiled language](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#adding-build-steps-for-a-compiled-language)."{% endif %} +* [AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning).{% ifversion codeql-no-build %} +* [CodeQL build modes](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#codeql-build-modes){% elsif ghes %} +* [Adding build steps for a compiled language](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#adding-build-steps-for-a-compiled-language).{% endif %} diff --git a/content/code-security/code-scanning/troubleshooting-code-scanning/c-sharp-compiler-unexpectedly-failing.md b/content/code-security/code-scanning/troubleshooting-code-scanning/c-sharp-compiler-unexpectedly-failing.md index 75329811bae0..a77b97db3768 100644 --- a/content/code-security/code-scanning/troubleshooting-code-scanning/c-sharp-compiler-unexpectedly-failing.md +++ b/content/code-security/code-scanning/troubleshooting-code-scanning/c-sharp-compiler-unexpectedly-failing.md @@ -11,7 +11,7 @@ versions: ## About these errors -The {% data variables.product.prodname_codeql %} tracer injects some flags into the C# compiler invocation to ensure every component is built and included in the {% data variables.product.prodname_codeql %} database, which may cause your C# code to build differently to what you expect during {% data variables.product.prodname_codeql %} analysis. See "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages)." +The {% data variables.product.prodname_codeql %} tracer injects some flags into the C# compiler invocation to ensure every component is built and included in the {% data variables.product.prodname_codeql %} database, which may cause your C# code to build differently to what you expect during {% data variables.product.prodname_codeql %} analysis. See [AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages). `/p:EmitCompilerGeneratedFiles=true` is one of the injected properties, and emits compiler-generated files during the build process. This option causes the compiler to generate additional files that are used to support features such as improved regular expression support, serialization, and web application view generation. These generated artifacts are typically not written to disk by the compiler, but setting the option to `true` forces writing the files to disk, and so the extractor can process the files. @@ -23,4 +23,4 @@ If you have set the "treat warnings as errors" flag, then `msbuild` will produce ## Fixing the problem -You should add the `` element to the application's project file. For more information, see "[Understanding the project file](https://learn.microsoft.com/en-us/aspnet/web-forms/overview/deployment/web-deployment-in-the-enterprise/understanding-the-project-file)" in Microsoft Learn. +You should add the `` element to the application's project file. For more information, see [Understanding the project file](https://learn.microsoft.com/en-us/aspnet/web-forms/overview/deployment/web-deployment-in-the-enterprise/understanding-the-project-file) in Microsoft Learn. diff --git a/content/code-security/code-scanning/troubleshooting-code-scanning/cannot-enable-codeql-in-a-private-repository.md b/content/code-security/code-scanning/troubleshooting-code-scanning/cannot-enable-codeql-in-a-private-repository.md index 840a8e9ecb18..008d3d9b8d32 100644 --- a/content/code-security/code-scanning/troubleshooting-code-scanning/cannot-enable-codeql-in-a-private-repository.md +++ b/content/code-security/code-scanning/troubleshooting-code-scanning/cannot-enable-codeql-in-a-private-repository.md @@ -14,7 +14,7 @@ versions: --- {% ifversion fpt %} -If you are on a free, pro, or team plan, you can only use {% data variables.product.prodname_code_scanning %} on repositories that are publicly available. To enable {% data variables.product.prodname_code_scanning %} for private or internal repositories, you must upgrade to GitHub Enterprise with {% data variables.product.prodname_GH_advanced_security %} and enable {% data variables.product.prodname_GH_advanced_security %} for the repository. For more information, see "[AUTOTITLE](/get-started/learning-about-github/githubs-products#github-enterprise)" and "[AUTOTITLE](/get-started/learning-about-github/about-github-advanced-security)." +If you are on a free, pro, or team plan, you can only use {% data variables.product.prodname_code_scanning %} on repositories that are publicly available. To enable {% data variables.product.prodname_code_scanning %} for private or internal repositories, you must upgrade to GitHub Enterprise with {% data variables.product.prodname_GH_advanced_security %} and enable {% data variables.product.prodname_GH_advanced_security %} for the repository. For more information, see [AUTOTITLE](/get-started/learning-about-github/githubs-products#github-enterprise) and [AUTOTITLE](/get-started/learning-about-github/about-github-advanced-security). {% else %} @@ -31,7 +31,7 @@ If you are on a free, pro, or team plan, you can only use {% data variables.prod ### Requesting access to {% data variables.product.prodname_GH_advanced_security %} -1. In the "{% data variables.product.prodname_GH_advanced_security %}" settings, click the enterprise name to display a list of users with access to edit the policy that controls access to {% data variables.product.prodname_GH_advanced_security %}. For more information, see "[AUTOTITLE](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-code-security-and-analysis-for-your-enterprise#enforcing-a-policy-for-the-use-of-github-advanced-security-in-your-enterprises-organizations)." +1. In the "{% data variables.product.prodname_GH_advanced_security %}" settings, click the enterprise name to display a list of users with access to edit the policy that controls access to {% data variables.product.prodname_GH_advanced_security %}. For more information, see [AUTOTITLE](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-code-security-and-analysis-for-your-enterprise#enforcing-a-policy-for-the-use-of-github-advanced-security-in-your-enterprises-organizations). 1. Follow your company's policy for requesting access to additional features. ### Enabling {% data variables.product.prodname_GH_advanced_security %} diff --git a/content/code-security/code-scanning/troubleshooting-code-scanning/default-setup-fails-with-a-language.md b/content/code-security/code-scanning/troubleshooting-code-scanning/default-setup-fails-with-a-language.md index 20c8d2154aee..ab9964ca1335 100644 --- a/content/code-security/code-scanning/troubleshooting-code-scanning/default-setup-fails-with-a-language.md +++ b/content/code-security/code-scanning/troubleshooting-code-scanning/default-setup-fails-with-a-language.md @@ -15,6 +15,6 @@ To enable default setup when a language previously failed, you must reconfigure 1. In the "Security" section of the sidebar, click **{% octicon "codescan" aria-hidden="true" %} Code security and analysis**. 1. Navigate to the "{% data variables.product.prodname_code_scanning_caps %}" section. Then, in the error message reading "{% data variables.product.prodname_codeql %} default configuration **failed**", click **failed**. 1. In the "Jobs" section of the workflow run summary for default setup, identify any failing jobs associated with specific languages. These jobs will be labeled **{% octicon "x-circle-fill" aria-hidden="true" %} Analyze (LANGUAGE)**. -1. Once you have determined which language-specific jobs are failing, configure default setup once more and deselect the failing languages for analysis. For more information, see "[AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning)." +1. Once you have determined which language-specific jobs are failing, configure default setup once more and deselect the failing languages for analysis. For more information, see [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning). - Alternatively, if you would like to analyze every language in your repository, you can configure advanced setup for {% data variables.product.prodname_code_scanning %}. For more information, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning)." + Alternatively, if you would like to analyze every language in your repository, you can configure advanced setup for {% data variables.product.prodname_code_scanning %}. For more information, see [AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning). diff --git a/content/code-security/code-scanning/troubleshooting-code-scanning/enabling-default-setup-takes-too-long.md b/content/code-security/code-scanning/troubleshooting-code-scanning/enabling-default-setup-takes-too-long.md index ab1142aae181..4282df46ce52 100644 --- a/content/code-security/code-scanning/troubleshooting-code-scanning/enabling-default-setup-takes-too-long.md +++ b/content/code-security/code-scanning/troubleshooting-code-scanning/enabling-default-setup-takes-too-long.md @@ -13,4 +13,4 @@ When you enable default setup, a workflow is triggered with the automatically ge You can check on the progress of the test run for default setup on the **Actions** tab. If the run is taking too long, try canceling the workflow run and restarting the configuration process. -To restart your configuration, navigate to the main page of your repository, then click **{% octicon "play" aria-hidden="true" %} Actions**. Click the **{% data variables.product.prodname_codeql %}** workflow run that's in progress, then click **Cancel workflow**. Once {% octicon "stop" aria-label="cancelled" %} appears beside the workflow run name, navigate back to the {% ifversion code-security-wording-only %}**Code security**{% else %}**Code security and analysis**{% endif %} settings and re-enable default setup. If default setup continues to stall, please contact {% data variables.contact.contact_support %} or try enabling advanced setup. For more information, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning)." +To restart your configuration, navigate to the main page of your repository, then click **{% octicon "play" aria-hidden="true" %} Actions**. Click the **{% data variables.product.prodname_codeql %}** workflow run that's in progress, then click **Cancel workflow**. Once {% octicon "stop" aria-label="cancelled" %} appears beside the workflow run name, navigate back to the {% ifversion code-security-wording-only %}**Code security**{% else %}**Code security and analysis**{% endif %} settings and re-enable default setup. If default setup continues to stall, please contact {% data variables.contact.contact_support %} or try enabling advanced setup. For more information, see [AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning). diff --git a/content/code-security/code-scanning/troubleshooting-code-scanning/fewer-lines-scanned-than-expected.md b/content/code-security/code-scanning/troubleshooting-code-scanning/fewer-lines-scanned-than-expected.md index f778bda4412b..4c4a4d7f2b8f 100644 --- a/content/code-security/code-scanning/troubleshooting-code-scanning/fewer-lines-scanned-than-expected.md +++ b/content/code-security/code-scanning/troubleshooting-code-scanning/fewer-lines-scanned-than-expected.md @@ -24,7 +24,7 @@ If your {% data variables.product.prodname_codeql %} analysis scans fewer lines ## {% ifversion codeql-no-build %}Change to a `manual` build process{% elsif ghes %}Replace the `autobuild` step{% endif %} Replace the `autobuild` process with the same build commands you would use in production. This makes sure that {% data variables.product.prodname_codeql %} knows exactly how to compile all of the source files you want to scan. -For more information about defining build steps, see {% ifversion codeql-no-build %}"[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#using-build-mode-manual-and-specifying-build-steps){% elsif ghes %}"[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#adding-build-steps-for-a-compiled-language){% endif %}." +For more information about defining build steps, see {% ifversion codeql-no-build %}[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#using-build-mode-manual-and-specifying-build-steps){% elsif ghes %}[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#adding-build-steps-for-a-compiled-language){% endif %}. ## Inspect the copy of the source files in the {% data variables.product.prodname_codeql %} database @@ -37,6 +37,6 @@ You may be able to understand why some source files haven't been analyzed by ins debug: true ``` -This uploads the database as an actions artifact that you can download to your local machine. For more information, see "[AUTOTITLE](/actions/using-workflows/storing-workflow-data-as-artifacts)." +This uploads the database as an actions artifact that you can download to your local machine. For more information, see [AUTOTITLE](/actions/using-workflows/storing-workflow-data-as-artifacts). The artifact will contain an archived copy of the source files scanned by {% data variables.product.prodname_codeql %} called _src.zip_. If you compare the source code files in the repository and the files in _src.zip_, you can see which types of file are missing. Once you know what types of file are not being analyzed, it is easier to understand how you may need to change the workflow for {% data variables.product.prodname_codeql %} analysis. diff --git a/content/code-security/code-scanning/troubleshooting-code-scanning/kotlin-detected-in-no-build.md b/content/code-security/code-scanning/troubleshooting-code-scanning/kotlin-detected-in-no-build.md index cc8ac3566194..ca0c7c65b316 100644 --- a/content/code-security/code-scanning/troubleshooting-code-scanning/kotlin-detected-in-no-build.md +++ b/content/code-security/code-scanning/troubleshooting-code-scanning/kotlin-detected-in-no-build.md @@ -38,13 +38,13 @@ If you want to update the analysis to also include Kotlin files, then {% data va 1. Wait until the Kotlin code is merged into the default branch for the repository. 1. Disable and then re-enable default setup on the "Settings" page for your repository. -This will trigger a new analysis using automatic build detection. See "[AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning)" and "[Building Java and Kotlin](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#building-java-and-kotlin)." +This will trigger a new analysis using automatic build detection. See [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning) and [Building Java and Kotlin](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#building-java-and-kotlin). If the automatic build detection fails, you will need to use advanced setup with the correct build commands for the project to analyze both languages. ### {% data variables.product.prodname_code_scanning_caps %} advanced setup -If you already use advanced setup, you can edit the {% data variables.product.prodname_codeql %} workflow and change the build mode for `java-kotlin` from `none` to either `autobuild` to automatically build your project, or `manual` to specify your own build steps. "[Building Java and Kotlin](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#building-java-and-kotlin)." +If you already use advanced setup, you can edit the {% data variables.product.prodname_codeql %} workflow and change the build mode for `java-kotlin` from `none` to either `autobuild` to automatically build your project, or `manual` to specify your own build steps. [Building Java and Kotlin](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#building-java-and-kotlin). If you need to convert from default setup to advanced setup, you need enable advanced setup on the on the "Settings" page for your repository and create a {% data variables.product.prodname_codeql %} workflow. Then you can define a `manual` build mode for `java-kotlin` and define the build commands for the project. @@ -54,7 +54,7 @@ Update your calls to run the {% data variables.product.prodname_codeql_cli %} fo ## Further reading -* "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning)" +* [AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning) * "[Building Java and Kotlin](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#building-java-and-kotlin){% ifversion codeql-no-build %} -* "[CodeQL build modes](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#codeql-build-modes)"{% elsif ghes %} -* "[Adding build steps for a compiled language](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#adding-build-steps-for-a-compiled-language)"{% endif %} +* [CodeQL build modes](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#codeql-build-modes){% elsif ghes %} +* [Adding build steps for a compiled language](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#adding-build-steps-for-a-compiled-language){% endif %} diff --git a/content/code-security/code-scanning/troubleshooting-code-scanning/logs-not-detailed-enough.md b/content/code-security/code-scanning/troubleshooting-code-scanning/logs-not-detailed-enough.md index 3e33b62cc479..ed004eccd3e8 100644 --- a/content/code-security/code-scanning/troubleshooting-code-scanning/logs-not-detailed-enough.md +++ b/content/code-security/code-scanning/troubleshooting-code-scanning/logs-not-detailed-enough.md @@ -15,18 +15,18 @@ If your logs are not detailed enough, there are several steps you can take to ma ## Enable step debug logging -You can enable step debug logging in {% data variables.product.prodname_actions %} to increase the verbosity of a job's logs during and after a job's execution. For more information, see "[AUTOTITLE](/actions/monitoring-and-troubleshooting-workflows/enabling-debug-logging#enabling-step-debug-logging)." +You can enable step debug logging in {% data variables.product.prodname_actions %} to increase the verbosity of a job's logs during and after a job's execution. For more information, see [AUTOTITLE](/actions/monitoring-and-troubleshooting-workflows/enabling-debug-logging#enabling-step-debug-logging). ## Creating {% data variables.product.prodname_codeql %} debugging artifacts You can obtain artifacts to help you debug {% data variables.product.prodname_codeql %}. -The debug artifacts will be uploaded to the workflow run as an artifact named `debug-artifacts`. The data contains the {% data variables.product.prodname_codeql %} logs, {% data variables.product.prodname_codeql %} database(s), extracted source code files, and any SARIF file(s) produced by the workflow. For more information about downloading {% data variables.product.prodname_codeql %} artifacts, see "[AUTOTITLE](/actions/managing-workflow-runs/downloading-workflow-artifacts)." +The debug artifacts will be uploaded to the workflow run as an artifact named `debug-artifacts`. The data contains the {% data variables.product.prodname_codeql %} logs, {% data variables.product.prodname_codeql %} database(s), extracted source code files, and any SARIF file(s) produced by the workflow. For more information about downloading {% data variables.product.prodname_codeql %} artifacts, see [AUTOTITLE](/actions/managing-workflow-runs/downloading-workflow-artifacts). These artifacts will help you debug problems with {% data variables.product.prodname_codeql %} {% data variables.product.prodname_code_scanning %}. If you contact GitHub support, they might ask for this data. ### Creating {% data variables.product.prodname_codeql %} debugging artifacts by re-running jobs with debug logging enabled -You can create {% data variables.product.prodname_codeql %} debugging artifacts by enabling debug logging and re-running the jobs. For more information about re-running {% data variables.product.prodname_actions %} workflows and jobs, see "[AUTOTITLE](/actions/managing-workflow-runs/re-running-workflows-and-jobs)." +You can create {% data variables.product.prodname_codeql %} debugging artifacts by enabling debug logging and re-running the jobs. For more information about re-running {% data variables.product.prodname_actions %} workflows and jobs, see [AUTOTITLE](/actions/managing-workflow-runs/re-running-workflows-and-jobs). You need to ensure that you select **Enable debug logging**. This option enables runner diagnostic logging and step debug logging for the run. You'll then be able to download `debug-artifacts` to investigate further. You do not need to modify the workflow file when creating {% data variables.product.prodname_codeql %} debugging artifacts by re-running jobs. diff --git a/content/code-security/code-scanning/troubleshooting-code-scanning/no-source-code-seen-during-build.md b/content/code-security/code-scanning/troubleshooting-code-scanning/no-source-code-seen-during-build.md index a0121acafe7c..c2dcabf8ef2e 100644 --- a/content/code-security/code-scanning/troubleshooting-code-scanning/no-source-code-seen-during-build.md +++ b/content/code-security/code-scanning/troubleshooting-code-scanning/no-source-code-seen-during-build.md @@ -13,7 +13,7 @@ versions: If your workflow fails with `Error: "No source code was seen during the build"` or `The process '/opt/hostedtoolcache/CodeQL/0.0.0-20200630/x64/codeql/codeql' failed with exit code 32`, this indicates that {% data variables.product.prodname_codeql %} was unable to monitor your code. There are six possible reasons for this: -1. _No supported languages:_ The repository may not contain source code that is written in languages supported by {% data variables.product.prodname_codeql %}. Check the list of supported languages and, if this is the case, remove the {% data variables.product.prodname_codeql %} workflow. For more information, see "[AUTOTITLE](/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning-with-codeql#about-codeql)." +1. _No supported languages:_ The repository may not contain source code that is written in languages supported by {% data variables.product.prodname_codeql %}. Check the list of supported languages and, if this is the case, remove the {% data variables.product.prodname_codeql %} workflow. For more information, see [AUTOTITLE](/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning-with-codeql#about-codeql). 1. _No analyzable code of the detected languages:_ Automatic language detection identified a supported language, but there is no analyzable code of that language in the repository. A typical example is when our language detection service finds a file associated with a particular programming language like a `.h`, or `.gyp` file, but no corresponding executable code is present in the repository. To solve the problem, you can manually define the languages you want to analyze by updating the list of languages in the `language` matrix. For example, the following configuration will analyze only Go, and JavaScript. @@ -26,9 +26,9 @@ If your workflow fails with `Error: "No source code was seen during the build"` language: ['go', {% ifversion codeql-language-identifiers-311 %}'javascript-typescript'{% else %}'javascript' {% endif %}] ``` - For more information, see the workflow extract in "[AUTOTITLE](/code-security/code-scanning/troubleshooting-code-scanning/some-languages-were-not-analyzed)". + For more information, see the workflow extract in [AUTOTITLE](/code-security/code-scanning/troubleshooting-code-scanning/some-languages-were-not-analyzed). -1. _Compilation of a compiled language failed:_ Your {% data variables.product.prodname_code_scanning %} workflow tries to compile a compiled language (C, C++, C#, Go, or Java), but the code was not compiled. {% ifversion codeql-no-build %}When a workflow specifies `build-mode: autobuild` for a language or contains an `autobuild` step,{% elsif ghes %}By default, the {% data variables.product.prodname_codeql %} analysis workflow contains an `autobuild` step and{% endif %} {% data variables.product.prodname_codeql %} makes a best effort to detect a suitable build method and build your code. The `autobuild` process may not succeed in building your code, depending on your specific build environment. Compilation may also fail if you have removed the `autobuild` step and did not include build steps manually. For more information about defining build steps, see {% ifversion codeql-no-build %}"[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#using-build-mode-manual-and-specifying-build-steps){% elsif ghes %}"[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#adding-build-steps-for-a-compiled-language){% endif %}." +1. _Compilation of a compiled language failed:_ Your {% data variables.product.prodname_code_scanning %} workflow tries to compile a compiled language (C, C++, C#, Go, or Java), but the code was not compiled. {% ifversion codeql-no-build %}When a workflow specifies `build-mode: autobuild` for a language or contains an `autobuild` step,{% elsif ghes %}By default, the {% data variables.product.prodname_codeql %} analysis workflow contains an `autobuild` step and{% endif %} {% data variables.product.prodname_codeql %} makes a best effort to detect a suitable build method and build your code. The `autobuild` process may not succeed in building your code, depending on your specific build environment. Compilation may also fail if you have removed the `autobuild` step and did not include build steps manually. For more information about defining build steps, see {% ifversion codeql-no-build %}[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#using-build-mode-manual-and-specifying-build-steps){% elsif ghes %}[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#adding-build-steps-for-a-compiled-language){% endif %}. 1. _Cached components not detected:_ Your workflow builds a compiled language (C, C++, C#, Go, or Java) to create a {% data variables.product.prodname_codeql %} database for analysis, but portions of your build are cached to improve performance (most likely to occur with build systems like Gradle or Bazel). Since {% data variables.product.prodname_codeql %} observes the activity of the compiler to understand the data flows in a repository, {% data variables.product.prodname_codeql %} requires a complete build to take place in order to perform analysis. @@ -36,10 +36,10 @@ If your workflow fails with `Error: "No source code was seen during the build"` 1. _Compilation not detected by {% data variables.product.prodname_codeql %}:_ Your compiled code (in C, C++, C#, Go, or Java) was compiled successfully, but {% data variables.product.prodname_codeql %} was unable to detect the compiler invocations. The most common causes are: - * Running your build process in a separate container to {% data variables.product.prodname_codeql %}. For more information, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/running-codeql-code-scanning-in-a-container)." + * Running your build process in a separate container to {% data variables.product.prodname_codeql %}. For more information, see [AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/running-codeql-code-scanning-in-a-container). * Building using a distributed build system external to GitHub Actions, using a daemon process. * {% data variables.product.prodname_codeql %} isn't aware of the specific compiler you are using. If you encounter another problem with your specific compiler or configuration, contact {% data variables.contact.contact_support %}. -For more information about specifying build steps, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#adding-build-steps-for-a-compiled-language)." +For more information about specifying build steps, see [AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#adding-build-steps-for-a-compiled-language). diff --git a/content/code-security/code-scanning/troubleshooting-code-scanning/out-of-disk-or-memory.md b/content/code-security/code-scanning/troubleshooting-code-scanning/out-of-disk-or-memory.md index f49a03173c40..25047ffa4632 100644 --- a/content/code-security/code-scanning/troubleshooting-code-scanning/out-of-disk-or-memory.md +++ b/content/code-security/code-scanning/troubleshooting-code-scanning/out-of-disk-or-memory.md @@ -25,7 +25,7 @@ You may see these errors when running {% data variables.product.prodname_code_sc ## Confirming the cause of the problem -You can review the recommended hardware resources for running {% data variables.product.prodname_codeql %} to make sure the runners that you use for {% data variables.product.prodname_code_scanning %} meet those requirements. For more information, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/recommended-hardware-resources-for-running-codeql)." +You can review the recommended hardware resources for running {% data variables.product.prodname_codeql %} to make sure the runners that you use for {% data variables.product.prodname_code_scanning %} meet those requirements. For more information, see [AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/recommended-hardware-resources-for-running-codeql). ## Fixing the problem @@ -37,7 +37,7 @@ You may need to increase the memory or disk space available on the runners used If the runners you're using don't meet the recommended hardware requirements, consider using either {% data variables.actions.hosted_runners %} or self-hosted runners. -{% data variables.actions.hosted_runner_caps %}s are {% data variables.product.company_short %}-hosted runners with more RAM, CPU, and disk space than standard runners. These runners have the runner application and other tools preinstalled. For more information about {% data variables.actions.hosted_runners %} and {% data variables.product.prodname_code_scanning %}, see "[AUTOTITLE](/actions/using-github-hosted-runners/about-larger-runners)" and "[AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/configuring-larger-runners-for-default-setup)." +{% data variables.actions.hosted_runner_caps %}s are {% data variables.product.company_short %}-hosted runners with more RAM, CPU, and disk space than standard runners. These runners have the runner application and other tools preinstalled. For more information about {% data variables.actions.hosted_runners %} and {% data variables.product.prodname_code_scanning %}, see [AUTOTITLE](/actions/using-github-hosted-runners/about-larger-runners) and [AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/configuring-larger-runners-for-default-setup). -Self-hosted runners offer more control of hardware, operating system, and software tools than {% data variables.product.company_short %}-hosted runners can provide. For more information, see "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners)." +Self-hosted runners offer more control of hardware, operating system, and software tools than {% data variables.product.company_short %}-hosted runners can provide. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners). {% endif %} diff --git a/content/code-security/code-scanning/troubleshooting-code-scanning/resource-not-accessible.md b/content/code-security/code-scanning/troubleshooting-code-scanning/resource-not-accessible.md index b3dbcec8b8f4..1be196225fe9 100644 --- a/content/code-security/code-scanning/troubleshooting-code-scanning/resource-not-accessible.md +++ b/content/code-security/code-scanning/troubleshooting-code-scanning/resource-not-accessible.md @@ -11,7 +11,7 @@ redirect_from: --- >[!NOTE] ->This troubleshooting article is _only_ relevant if you're seeing this error with {% data variables.product.prodname_dependabot %}. If you see this error with other {% data variables.product.company_short %} products and have difficulty troubleshooting it, you can contact {% data variables.contact.github_support %}. For more information, see "[AUTOTITLE](/support/contacting-github-support)." +>This troubleshooting article is _only_ relevant if you're seeing this error with {% data variables.product.prodname_dependabot %}. If you see this error with other {% data variables.product.company_short %} products and have difficulty troubleshooting it, you can contact {% data variables.contact.github_support %}. For more information, see [AUTOTITLE](/support/contacting-github-support). ## About this error @@ -51,7 +51,7 @@ on: pull_request: ``` -For more information about editing the {% data variables.product.prodname_codeql %} workflow file, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#editing-a-code-scanning-workflow)." +For more information about editing the {% data variables.product.prodname_codeql %} workflow file, see [AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#editing-a-code-scanning-workflow). ### Analysis still failing on the default branch @@ -60,4 +60,4 @@ If the {% data variables.code-scanning.codeql_workflow %} still fails on a commi * whether {% data variables.product.prodname_dependabot %} authored the commit * whether the pull request that includes the commit has been merged using `@dependabot squash and merge` -This type of merge commit is authored by {% data variables.product.prodname_dependabot %} and therefore, any workflows running on the commit will have read-only permissions. If you enabled {% data variables.product.prodname_code_scanning %} and {% data variables.product.prodname_dependabot %} security updates or version updates on your repository, we recommend you avoid using the {% data variables.product.prodname_dependabot %} `@dependabot squash and merge` command. Instead, you can enable auto-merge for your repository. This means that pull requests will be automatically merged when all required reviews are met and status checks have passed. For more information about enabling auto-merge, see "[AUTOTITLE](/pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/automatically-merging-a-pull-request#enabling-auto-merge)." +This type of merge commit is authored by {% data variables.product.prodname_dependabot %} and therefore, any workflows running on the commit will have read-only permissions. If you enabled {% data variables.product.prodname_code_scanning %} and {% data variables.product.prodname_dependabot %} security updates or version updates on your repository, we recommend you avoid using the {% data variables.product.prodname_dependabot %} `@dependabot squash and merge` command. Instead, you can enable auto-merge for your repository. This means that pull requests will be automatically merged when all required reviews are met and status checks have passed. For more information about enabling auto-merge, see [AUTOTITLE](/pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/automatically-merging-a-pull-request#enabling-auto-merge). diff --git a/content/code-security/code-scanning/troubleshooting-code-scanning/results-different-than-expected.md b/content/code-security/code-scanning/troubleshooting-code-scanning/results-different-than-expected.md index de7964084175..2e2dd30abcd4 100644 --- a/content/code-security/code-scanning/troubleshooting-code-scanning/results-different-than-expected.md +++ b/content/code-security/code-scanning/troubleshooting-code-scanning/results-different-than-expected.md @@ -15,6 +15,6 @@ If your {% data variables.product.prodname_code_scanning %} results are differen To check if default setup is enabled, navigate to the main page of the repository, then click **{% octicon "gear" aria-hidden="true" %} Settings**. In the "Security" section of the sidebar, click **{% octicon "codescan" aria-hidden="true" %} {% ifversion code-security-wording-only %}Code security{% else %}Code security and analysis{% endif %}**. In the "{% data variables.product.prodname_code_scanning_caps %}" section of the page, next to "{% data variables.product.prodname_codeql %} analysis", click {% octicon "kebab-horizontal" aria-label="Menu" %}. If there is a **{% octicon "workflow" aria-hidden="true" %} Switch to advanced** option, you are currently using default setup. -If you want to return to using advanced setup and get {% data variables.product.prodname_code_scanning %} results from your custom workflow file, click **{% octicon "stop" aria-hidden="true" %} Disable {% data variables.product.prodname_codeql %}** to disable default setup. Then you should re-enable your pre-existing workflows to start triggering and uploading results from advanced setup. For more information, see "[AUTOTITLE](/actions/managing-workflow-runs/disabling-and-enabling-a-workflow)" and "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning)." +If you want to return to using advanced setup and get {% data variables.product.prodname_code_scanning %} results from your custom workflow file, click **{% octicon "stop" aria-hidden="true" %} Disable {% data variables.product.prodname_codeql %}** to disable default setup. Then you should re-enable your pre-existing workflows to start triggering and uploading results from advanced setup. For more information, see [AUTOTITLE](/actions/managing-workflow-runs/disabling-and-enabling-a-workflow) and [AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning). {% data reusables.code-scanning.troubleshooting-multiple-configurations %} diff --git a/content/code-security/code-scanning/troubleshooting-code-scanning/some-languages-not-analyzed.md b/content/code-security/code-scanning/troubleshooting-code-scanning/some-languages-not-analyzed.md index e8cb68ac53ac..de497e1cdff1 100644 --- a/content/code-security/code-scanning/troubleshooting-code-scanning/some-languages-not-analyzed.md +++ b/content/code-security/code-scanning/troubleshooting-code-scanning/some-languages-not-analyzed.md @@ -38,4 +38,4 @@ If you're using advanced setup and your workflow doesn't explicitly specify the languages: {% raw %}${{ matrix.language }}{% endraw %} ``` - For more information about editing the workflow, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning)." + For more information about editing the workflow, see [AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning). diff --git a/content/code-security/code-scanning/troubleshooting-code-scanning/two-codeql-workflows.md b/content/code-security/code-scanning/troubleshooting-code-scanning/two-codeql-workflows.md index 1c3e218edf1e..7fd41f4e0b02 100644 --- a/content/code-security/code-scanning/troubleshooting-code-scanning/two-codeql-workflows.md +++ b/content/code-security/code-scanning/troubleshooting-code-scanning/two-codeql-workflows.md @@ -10,8 +10,8 @@ versions: {% data reusables.code-scanning.codeql-action-version-ghes %} -Default setup overrides existing {% data variables.product.prodname_codeql %} setups by disabling any existing {% data variables.product.prodname_codeql %} workflows, and blocking any {% data variables.product.prodname_codeql %} analysis API uploads. This behavior stops you using {% data variables.product.prodname_actions %} minutes to run workflows for {% data variables.product.prodname_codeql %} advanced setup when only the results from default setup will be used. For more information about switching between advanced and default setups, see "[AUTOTITLE](/code-security/code-scanning/troubleshooting-code-scanning/results-are-different-than-expected)." +Default setup overrides existing {% data variables.product.prodname_codeql %} setups by disabling any existing {% data variables.product.prodname_codeql %} workflows, and blocking any {% data variables.product.prodname_codeql %} analysis API uploads. This behavior stops you using {% data variables.product.prodname_actions %} minutes to run workflows for {% data variables.product.prodname_codeql %} advanced setup when only the results from default setup will be used. For more information about switching between advanced and default setups, see [AUTOTITLE](/code-security/code-scanning/troubleshooting-code-scanning/results-are-different-than-expected). -Optionally, if you are certain you no longer need the pre-existing workflow file, you can delete the file from your repository. For more information, see "[AUTOTITLE](/repositories/working-with-files/managing-files/deleting-files-in-a-repository)." +Optionally, if you are certain you no longer need the pre-existing workflow file, you can delete the file from your repository. For more information, see [AUTOTITLE](/repositories/working-with-files/managing-files/deleting-files-in-a-repository). {% data reusables.code-scanning.troubleshooting-multiple-configurations %} diff --git a/content/code-security/code-scanning/troubleshooting-code-scanning/unclear-what-triggered-a-workflow.md b/content/code-security/code-scanning/troubleshooting-code-scanning/unclear-what-triggered-a-workflow.md index f7bac48779be..71ec314ac42c 100644 --- a/content/code-security/code-scanning/troubleshooting-code-scanning/unclear-what-triggered-a-workflow.md +++ b/content/code-security/code-scanning/troubleshooting-code-scanning/unclear-what-triggered-a-workflow.md @@ -11,6 +11,6 @@ redirect_from: - /code-security/code-scanning/troubleshooting-code-scanning/unclear-what-triggered-a-workflow-run --- -The {% data variables.code-scanning.tool_status_page %} shows you how well {% data variables.product.prodname_code_scanning %} tools are working for a repository, when files in the repository were first scanned and most recently scanned, and when scans are scheduled. For integrated tools like {% data variables.product.prodname_codeql %}, you can also see more detailed information, including a percentage of files scanned and specific error messages. For more information about the {% data variables.code-scanning.tool_status_page %}, see "[AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/about-the-tool-status-page)." +The {% data variables.code-scanning.tool_status_page %} shows you how well {% data variables.product.prodname_code_scanning %} tools are working for a repository, when files in the repository were first scanned and most recently scanned, and when scans are scheduled. For integrated tools like {% data variables.product.prodname_codeql %}, you can also see more detailed information, including a percentage of files scanned and specific error messages. For more information about the {% data variables.code-scanning.tool_status_page %}, see [AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/about-the-tool-status-page). -You can also view the logging output from {% data variables.product.prodname_code_scanning %} runs using {% data variables.product.prodname_actions %} ({% data variables.product.prodname_codeql %} or third-party). For more information, see "[AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/viewing-code-scanning-logs#viewing-the-logging-output-from-code-scanning)." +You can also view the logging output from {% data variables.product.prodname_code_scanning %} runs using {% data variables.product.prodname_actions %} ({% data variables.product.prodname_codeql %} or third-party). For more information, see [AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/viewing-code-scanning-logs#viewing-the-logging-output-from-code-scanning). diff --git a/content/code-security/code-scanning/troubleshooting-code-scanning/unnecessary-step-found.md b/content/code-security/code-scanning/troubleshooting-code-scanning/unnecessary-step-found.md index b9e4f6fa3313..015173768f81 100644 --- a/content/code-security/code-scanning/troubleshooting-code-scanning/unnecessary-step-found.md +++ b/content/code-security/code-scanning/troubleshooting-code-scanning/unnecessary-step-found.md @@ -51,4 +51,4 @@ Remove the lines from the {% data variables.product.prodname_codeql %} workflow. # ... ``` -For more information about editing the {% data variables.product.prodname_codeql %} workflow file, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#editing-a-code-scanning-workflow)." +For more information about editing the {% data variables.product.prodname_codeql %} workflow file, see [AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#editing-a-code-scanning-workflow). diff --git a/content/code-security/code-scanning/troubleshooting-sarif-uploads/file-too-large.md b/content/code-security/code-scanning/troubleshooting-sarif-uploads/file-too-large.md index ec3c15d51af7..aa5a6976dee0 100644 --- a/content/code-security/code-scanning/troubleshooting-sarif-uploads/file-too-large.md +++ b/content/code-security/code-scanning/troubleshooting-sarif-uploads/file-too-large.md @@ -30,7 +30,7 @@ A fatal error occurred: SARIF file is too large One of these errors is reported if a process attempts to upload a SARIF file that is larger than the maximum size of 10 MB. {% data variables.product.prodname_code_scanning_caps %} does not accept files above this size. There are several different ways to reduce the number of results generated for upload to {% data variables.product.prodname_code_scanning %}. -You could see this error for SARIF files generated by {% data variables.product.prodname_codeql %} or by third-party analysis tools. For information about the limits on uploads, see {% data variables.product.prodname_code_scanning %}, see "[AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning#validating-your-sarif-file)." +You could see this error for SARIF files generated by {% data variables.product.prodname_codeql %} or by third-party analysis tools. For information about the limits on uploads, see {% data variables.product.prodname_code_scanning %}, see [AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning#validating-your-sarif-file). ## Confirming the cause of the error @@ -49,19 +49,19 @@ If the file wasn't compressed using gzip, try compressing the file before rerunn If you have too many results, you should configure analysis to analyze only the most important code. - * For interpreted languages, check if the repository contains many tests, demos, or vendored dependencies where fixing alerts is a lower priority. Try excluding this code from analysis. For more information, see "[Excluding code from analysis for interpreted languages](#excluding-code-from-analysis-for-interpreted-languages)." - * For compiled languages, check if the build process generates more than one variant of the code (for example, targets for multiple operating environments or architectures). Try analyzing just one variant of the code initially. For more information, see "[Optimizing the build command](#optimizing-the-build-command)." + * For interpreted languages, check if the repository contains many tests, demos, or vendored dependencies where fixing alerts is a lower priority. Try excluding this code from analysis. For more information, see [Excluding code from analysis for interpreted languages](#excluding-code-from-analysis-for-interpreted-languages). + * For compiled languages, check if the build process generates more than one variant of the code (for example, targets for multiple operating environments or architectures). Try analyzing just one variant of the code initially. For more information, see [Optimizing the build command](#optimizing-the-build-command). ### Number of queries run -If you still have too many results, check how many queries you are using to analyze the code. Try running fewer queries. You can reintroduce additional queries when the initial alerts are fixed. For example, for {% data variables.product.prodname_codeql %} analysis you could run just the default suite of queries. For more information, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#using-queries-in-ql-packs)." +If you still have too many results, check how many queries you are using to analyze the code. Try running fewer queries. You can reintroduce additional queries when the initial alerts are fixed. For example, for {% data variables.product.prodname_codeql %} analysis you could run just the default suite of queries. For more information, see [AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#using-queries-in-ql-packs). ### Number of results found by queries Sometimes a single query reports many results because the codebase has a specific coding style, or because the analysis does not understand a particular library. You can review the results file in a SARIF viewer to see the distribution of results. For example, https://microsoft.github.io/sarif-web-component/. - * Check if the results are dominated by alerts identified by a single query. Try excluding that query from analysis. You can reintroduce it when other alerts are fixed. For more information about {% data variables.product.prodname_codeql %} query configuration, see "[Excluding a query from analysis](#excluding-a-query-from-analysis)." - * Check if there are dataflow queries with many deep paths. Try omitting dataflow paths from the output. For more information about {% data variables.product.prodname_codeql %} analysis configuration, see "[Omitting dataflow paths from the output](#omitting-dataflow-paths-from-the-output)." + * Check if the results are dominated by alerts identified by a single query. Try excluding that query from analysis. You can reintroduce it when other alerts are fixed. For more information about {% data variables.product.prodname_codeql %} query configuration, see [Excluding a query from analysis](#excluding-a-query-from-analysis). + * Check if there are dataflow queries with many deep paths. Try omitting dataflow paths from the output. For more information about {% data variables.product.prodname_codeql %} analysis configuration, see [Omitting dataflow paths from the output](#omitting-dataflow-paths-from-the-output). ## Fixing the problem @@ -71,29 +71,29 @@ The following options are listed in order of complexity. You need to revise the Excluding non-production code from analysis is a simple way to reduce the size of the results file. -* {% data variables.product.prodname_codeql %} advanced setup for {% data variables.product.prodname_code_scanning %}: use `paths` and `paths-ignore` in the workflow file to specify what code to analyze. For more information, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#specifying-directories-to-scan)." -* {% data variables.product.prodname_codeql_cli %} `database create`: create a YAML configuration file for code scanning using the same syntax to define which code to analyze. Update the `database create` command to call this configuration file using the `--codescanning-config` option. For more information, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#specifying-directories-to-scan)." +* {% data variables.product.prodname_codeql %} advanced setup for {% data variables.product.prodname_code_scanning %}: use `paths` and `paths-ignore` in the workflow file to specify what code to analyze. For more information, see [AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#specifying-directories-to-scan). +* {% data variables.product.prodname_codeql_cli %} `database create`: create a YAML configuration file for code scanning using the same syntax to define which code to analyze. Update the `database create` command to call this configuration file using the `--codescanning-config` option. For more information, see [AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#specifying-directories-to-scan). ### Optimizing the build command Using a build command that compiles only one variant is a simple way to reduce the size of the results file. -* {% data variables.product.prodname_codeql %} advanced setup for {% data variables.product.prodname_code_scanning %}: update the workflow file to specify your chosen build command. For more information, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#adding-build-steps-for-a-compiled-language)." -* {% data variables.product.prodname_codeql_cli %} `database create`: specify your chosen build command either by calling the `database create` command with the `--command` option, or by defining the build command in a YAML configuration file for code scanning and calling the file using the `--codescanning-config` option. For more information, see "[AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/preparing-your-code-for-codeql-analysis#specifying-build-commands)." +* {% data variables.product.prodname_codeql %} advanced setup for {% data variables.product.prodname_code_scanning %}: update the workflow file to specify your chosen build command. For more information, see [AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#adding-build-steps-for-a-compiled-language). +* {% data variables.product.prodname_codeql_cli %} `database create`: specify your chosen build command either by calling the `database create` command with the `--command` option, or by defining the build command in a YAML configuration file for code scanning and calling the file using the `--codescanning-config` option. For more information, see [AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/preparing-your-code-for-codeql-analysis#specifying-build-commands). ### Defining the query suite to run You may already be running only the default security queries, but it is worth checking. -* {% data variables.product.prodname_codeql %} advanced setup for {% data variables.product.prodname_code_scanning %}: check the workflow file for the `queries` keyword. If it is not present, then only the default query suite is run. If it is present, it defines which queries to run. Try commenting out this line of the workflow file. For more information, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#using-queries-in-ql-packs)." -* {% data variables.product.prodname_codeql_cli %} `database analyze`: check the database analysis command for any paths that specify queries, query suites, or query packs. If none are present, then only the default query suite is run. If any are present, they define which queries to run, you can try removing them from the call. For more information, see "[AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/analyzing-your-code-with-codeql-queries#running-a-codeql-query-pack)." +* {% data variables.product.prodname_codeql %} advanced setup for {% data variables.product.prodname_code_scanning %}: check the workflow file for the `queries` keyword. If it is not present, then only the default query suite is run. If it is present, it defines which queries to run. Try commenting out this line of the workflow file. For more information, see [AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#using-queries-in-ql-packs). +* {% data variables.product.prodname_codeql_cli %} `database analyze`: check the database analysis command for any paths that specify queries, query suites, or query packs. If none are present, then only the default query suite is run. If any are present, they define which queries to run, you can try removing them from the call. For more information, see [AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/analyzing-your-code-with-codeql-queries#running-a-codeql-query-pack). ### Excluding a query from analysis If the results are dominated by the results for a single rule, excluding the rule from the analysis may be the best solution. -* {% data variables.product.prodname_codeql %} advanced setup for {% data variables.product.prodname_code_scanning %}: use the `query-filters` keyword to exclude one or more queries from analysis. For more information, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#excluding-specific-queries-from-analysis)." -* {% data variables.product.prodname_codeql_cli %} `database analyze`: update the database analysis command to exclude one or more queries from analysis. For more information, see "[AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/analyzing-your-code-with-codeql-queries#running-a-subset-of-queries-in-a-codeql-pack)." +* {% data variables.product.prodname_codeql %} advanced setup for {% data variables.product.prodname_code_scanning %}: use the `query-filters` keyword to exclude one or more queries from analysis. For more information, see [AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#excluding-specific-queries-from-analysis). +* {% data variables.product.prodname_codeql_cli %} `database analyze`: update the database analysis command to exclude one or more queries from analysis. For more information, see [AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/analyzing-your-code-with-codeql-queries#running-a-subset-of-queries-in-a-codeql-pack). Alternatively, you can use a tool like the [filter-sarif](https://github.com/advanced-security/filter-sarif) action to rewrite the SARIF file to exclude specific detections via an exclusion pattern. @@ -105,4 +105,4 @@ If there are many deep code paths highlighted in the SARIF results, you can redu ## Further reading -* "[AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning)" +* [AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning) diff --git a/content/code-security/code-scanning/troubleshooting-sarif-uploads/ghas-required.md b/content/code-security/code-scanning/troubleshooting-sarif-uploads/ghas-required.md index 2bca384d6a10..3c9bbea3cd87 100644 --- a/content/code-security/code-scanning/troubleshooting-sarif-uploads/ghas-required.md +++ b/content/code-security/code-scanning/troubleshooting-sarif-uploads/ghas-required.md @@ -29,4 +29,4 @@ This error is reported if a process attempts to upload a SARIF file to a reposit You will only see this error for SARIF files that contain results created using {% data variables.product.prodname_codeql %}{% ifversion fpt or ghec %} and for uploads to repositories with private or internal visibility. {% data variables.product.prodname_GH_advanced_security %} is enabled by default for all public repositories{% endif %}. -For information on how to confirm this error and fix the problem, see "[AUTOTITLE](/code-security/code-scanning/troubleshooting-code-scanning/advanced-security-must-be-enabled)." +For information on how to confirm this error and fix the problem, see [AUTOTITLE](/code-security/code-scanning/troubleshooting-code-scanning/advanced-security-must-be-enabled). diff --git a/content/code-security/code-scanning/troubleshooting-sarif-uploads/missing-token.md b/content/code-security/code-scanning/troubleshooting-sarif-uploads/missing-token.md index ccbdbf4be5bf..80c7951c63ef 100644 --- a/content/code-security/code-scanning/troubleshooting-sarif-uploads/missing-token.md +++ b/content/code-security/code-scanning/troubleshooting-sarif-uploads/missing-token.md @@ -33,4 +33,4 @@ You could see this error for SARIF files created using any tool and uploaded usi ## Fixing the problem -Create a new {% data variables.product.pat_generic %} or {% data variables.product.prodname_github_app %} with the correct permission. For more information see, "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens)", or "[AUTOTITLE](/apps/creating-github-apps/authenticating-with-a-github-app/authenticating-as-a-github-app)" and "[AUTOTITLE](/apps/creating-github-apps/about-creating-github-apps/deciding-when-to-build-a-github-app)." +Create a new {% data variables.product.pat_generic %} or {% data variables.product.prodname_github_app %} with the correct permission. For more information see, [AUTOTITLE](/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens), or [AUTOTITLE](/apps/creating-github-apps/authenticating-with-a-github-app/authenticating-as-a-github-app) and [AUTOTITLE](/apps/creating-github-apps/about-creating-github-apps/deciding-when-to-build-a-github-app). diff --git a/content/code-security/code-scanning/troubleshooting-sarif-uploads/results-exceed-limit.md b/content/code-security/code-scanning/troubleshooting-sarif-uploads/results-exceed-limit.md index 41dd0bd80e21..a1b4c8505f1d 100644 --- a/content/code-security/code-scanning/troubleshooting-sarif-uploads/results-exceed-limit.md +++ b/content/code-security/code-scanning/troubleshooting-sarif-uploads/results-exceed-limit.md @@ -47,7 +47,7 @@ You could see these errors for SARIF files generated by {% data variables.produc {% data reusables.code-scanning.sarif-limits %} -For information about validating your SARIF file, see "[AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning#validating-your-sarif-file)." +For information about validating your SARIF file, see [AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning#validating-your-sarif-file). ## Fixing soft limit errors @@ -55,7 +55,7 @@ When soft limits are exceeded, {% data variables.product.prodname_code_scanning ## Fixing "Analysis SARIF file rejected due to results limits" -There are many considerations and potential solutions for reducing the number of results included in a SARIF results file. For guidance, see "[AUTOTITLE](/code-security/code-scanning/troubleshooting-sarif-uploads/file-too-large)." +There are many considerations and potential solutions for reducing the number of results included in a SARIF results file. For guidance, see [AUTOTITLE](/code-security/code-scanning/troubleshooting-sarif-uploads/file-too-large). ## Fixing "Alert(s) in SARIF file exceeded thread flow location limits" @@ -65,28 +65,28 @@ You can configure the analysis to limit the number of dataflow paths included in ## Fixing "Analysis SARIF file rejected due to run limits" -The simplest approach is generate a new SARIF file for each run and upload each file separately. You add a "category" to each results and this enables {% data variables.product.prodname_code_scanning %} to store and display the results appropriately. For more information, see "[AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning#uploading-more-than-one-sarif-file-for-a-commit)." +The simplest approach is generate a new SARIF file for each run and upload each file separately. You add a "category" to each results and this enables {% data variables.product.prodname_code_scanning %} to store and display the results appropriately. For more information, see [AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning#uploading-more-than-one-sarif-file-for-a-commit). ## Fixing "Analysis SARIF file rejected due to rule limits" There are two possible approaches here. -1. Reduce the number of rules you use to analyze the code. For more information, see "[Defining the query suite to run](/code-security/code-scanning/troubleshooting-sarif-uploads/file-too-large#defining-the-query-suite-to-run)" and "[Excluding a query from analysis](/code-security/code-scanning/troubleshooting-sarif-uploads/file-too-large#excluding-a-query-from-analysis)" in "SARIF results file too large." -1. Run the analysis twice, each time with a different set of rules, and upload both results files to {% data variables.product.prodname_code_scanning %}. For more information, see "[AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning#uploading-more-than-one-sarif-file-for-a-commit)." +1. Reduce the number of rules you use to analyze the code. For more information, see [Defining the query suite to run](/code-security/code-scanning/troubleshooting-sarif-uploads/file-too-large#defining-the-query-suite-to-run) and [Excluding a query from analysis](/code-security/code-scanning/troubleshooting-sarif-uploads/file-too-large#excluding-a-query-from-analysis) in "SARIF results file too large." +1. Run the analysis twice, each time with a different set of rules, and upload both results files to {% data variables.product.prodname_code_scanning %}. For more information, see [AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning#uploading-more-than-one-sarif-file-for-a-commit). ## Fixing "Analysis SARIF file rejected due to extension limits" -The simplest approach is to create a separate SARIF file each time you run the tool and upload each file separately. You may also need to contact the maintainer of the tool. For more information, see "[AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning#uploading-more-than-one-sarif-file-for-a-commit)." +The simplest approach is to create a separate SARIF file each time you run the tool and upload each file separately. You may also need to contact the maintainer of the tool. For more information, see [AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning#uploading-more-than-one-sarif-file-for-a-commit). -{% data variables.product.prodname_codeql %} analysis should not generate this error. If you see this error while using the {% data variables.product.prodname_codeql %} action or {% data variables.product.prodname_codeql_cli %}, you should contact {% data variables.contact.github_support %} to let us know. For more information, see "[AUTOTITLE](/support/contacting-github-support)." +{% data variables.product.prodname_codeql %} analysis should not generate this error. If you see this error while using the {% data variables.product.prodname_codeql %} action or {% data variables.product.prodname_codeql_cli %}, you should contact {% data variables.contact.github_support %} to let us know. For more information, see [AUTOTITLE](/support/contacting-github-support). ## Fixing "Analysis SARIF file rejected due to location limit" -The best way to resolve this problem is usually to identify the query that reports too many locations and exclude it from analysis. For information on how to do this, see "[AUTOTITLE](/code-security/code-scanning/troubleshooting-sarif-uploads/file-too-large#excluding-a-query-from-analysis)." +The best way to resolve this problem is usually to identify the query that reports too many locations and exclude it from analysis. For information on how to do this, see [AUTOTITLE](/code-security/code-scanning/troubleshooting-sarif-uploads/file-too-large#excluding-a-query-from-analysis). ## Fixing "Analysis SARIF file rejected due to rule tag limits" -You need to update the SARIF file or the generator so that the array of tags reported for each `reportingDescriptor` object is fewer than 10. For more information, see `properties.tags[]` in "[AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning#reportingdescriptor-object)." +You need to update the SARIF file or the generator so that the array of tags reported for each `reportingDescriptor` object is fewer than 10. For more information, see `properties.tags[]` in [AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning#reportingdescriptor-object). ## Fixing "Repository is at risk of exceeding the alert limit" & "All analysis uploads blocked due to alert limit" diff --git a/content/code-security/code-scanning/troubleshooting-sarif-uploads/sarif-invalid.md b/content/code-security/code-scanning/troubleshooting-sarif-uploads/sarif-invalid.md index 4243eb892576..24f668112f4b 100644 --- a/content/code-security/code-scanning/troubleshooting-sarif-uploads/sarif-invalid.md +++ b/content/code-security/code-scanning/troubleshooting-sarif-uploads/sarif-invalid.md @@ -32,8 +32,8 @@ You are unlikely to see this error when using {% data variables.product.prodname ## Confirming the cause of the error -You can investigate the underlying cause of the error by looking at the log for the workflow run that uploaded the analysis and by checking the SARIF file in a validator. For more information, see "[AUTOTITLE](/actions/monitoring-and-troubleshooting-workflows/using-workflow-run-logs)" and visit the [Microsoft SARIF validator](https://sarifweb.azurewebsites.net/). +You can investigate the underlying cause of the error by looking at the log for the workflow run that uploaded the analysis and by checking the SARIF file in a validator. For more information, see [AUTOTITLE](/actions/monitoring-and-troubleshooting-workflows/using-workflow-run-logs) and visit the [Microsoft SARIF validator](https://sarifweb.azurewebsites.net/). ## Fixing the problem -After you identify the invalid parts of the SARIF file, you may be able to resolve smaller issues manually, but you may need to talk to the maintainers of the tool. For information about validation and the format supported by {% data variables.product.prodname_code_scanning %}, see "[AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning)." +After you identify the invalid parts of the SARIF file, you may be able to resolve smaller issues manually, but you may need to talk to the maintainers of the tool. For information about validation and the format supported by {% data variables.product.prodname_code_scanning %}, see [AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning). diff --git a/content/code-security/codeql-cli/getting-started-with-the-codeql-cli/about-the-codeql-cli.md b/content/code-security/codeql-cli/getting-started-with-the-codeql-cli/about-the-codeql-cli.md index 2247afd76641..dc92537ce0e1 100644 --- a/content/code-security/codeql-cli/getting-started-with-the-codeql-cli/about-the-codeql-cli.md +++ b/content/code-security/codeql-cli/getting-started-with-the-codeql-cli/about-the-codeql-cli.md @@ -25,7 +25,7 @@ redirect_from: --- Software developers and security researchers can secure their code -using {% data variables.product.prodname_codeql %} analysis. For more information about {% data variables.product.prodname_codeql %}, see "[AUTOTITLE](/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning-with-codeql#about-codeql)." +using {% data variables.product.prodname_codeql %} analysis. For more information about {% data variables.product.prodname_codeql %}, see [AUTOTITLE](/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning-with-codeql#about-codeql). {% data reusables.code-scanning.what-is-codeql-cli %} @@ -43,27 +43,27 @@ The {% data variables.product.prodname_codeql_cli %} can analyze: * Codebases written in a mixture of languages. For information about setting up the {% data variables.product.prodname_codeql_cli %}, see -"[AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/setting-up-the-codeql-cli)." +[AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/setting-up-the-codeql-cli). ## About using the {% data variables.product.prodname_codeql_cli %} for {% data variables.product.prodname_code_scanning %} -You can use the {% data variables.product.prodname_codeql_cli %} to run {% data variables.product.prodname_code_scanning %} on code that you're processing in a third-party continuous integration (CI) system. {% data reusables.code-scanning.about-code-scanning %} For an overview of using code scanning with external CI systems, see "[AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/using-code-scanning-with-your-existing-ci-system)." For recommended specifications (RAM, CPU cores, and disk) for running {% data variables.product.prodname_codeql %} analysis, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/recommended-hardware-resources-for-running-codeql)." +You can use the {% data variables.product.prodname_codeql_cli %} to run {% data variables.product.prodname_code_scanning %} on code that you're processing in a third-party continuous integration (CI) system. {% data reusables.code-scanning.about-code-scanning %} For an overview of using code scanning with external CI systems, see [AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/using-code-scanning-with-your-existing-ci-system). For recommended specifications (RAM, CPU cores, and disk) for running {% data variables.product.prodname_codeql %} analysis, see [AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/recommended-hardware-resources-for-running-codeql). -Alternatively, you can use {% data variables.product.prodname_actions %} or Azure DevOps pipelines to scan code using the {% data variables.product.prodname_codeql_cli %}. For more information, see "[AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning)" or [Configure {% data variables.product.prodname_ghas_azdo %}](https://learn.microsoft.com/en-us/azure/devops/repos/security/configure-github-advanced-security-features) in Microsoft Learn. +Alternatively, you can use {% data variables.product.prodname_actions %} or Azure DevOps pipelines to scan code using the {% data variables.product.prodname_codeql_cli %}. For more information, see [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning) or [Configure {% data variables.product.prodname_ghas_azdo %}](https://learn.microsoft.com/en-us/azure/devops/repos/security/configure-github-advanced-security-features) in Microsoft Learn. -For an overview of all the options for using {% data variables.product.prodname_codeql %} analysis for code scanning, see "[AUTOTITLE](/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning-with-codeql)." +For an overview of all the options for using {% data variables.product.prodname_codeql %} analysis for code scanning, see [AUTOTITLE](/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning-with-codeql). {% data reusables.code-scanning.licensing-note %} ## About generating code scanning results with the {% data variables.product.prodname_codeql_cli %} -If you choose to run the {% data variables.product.prodname_codeql_cli %} directly, you first have to install the {% data variables.product.prodname_codeql_cli %} locally. If you are planning to use the {% data variables.product.prodname_codeql_cli %} with an external CI system, you need to make the {% data variables.product.prodname_codeql_cli %} available to servers in your CI system. For more information, see "[AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/setting-up-the-codeql-cli)." +If you choose to run the {% data variables.product.prodname_codeql_cli %} directly, you first have to install the {% data variables.product.prodname_codeql_cli %} locally. If you are planning to use the {% data variables.product.prodname_codeql_cli %} with an external CI system, you need to make the {% data variables.product.prodname_codeql_cli %} available to servers in your CI system. For more information, see [AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/setting-up-the-codeql-cli). Once the {% data variables.product.prodname_codeql_cli %} is set up, you can use three different commands to generate results and upload them to {% data variables.product.product_name %}: -1. `database create` to create a {% data variables.product.prodname_codeql %} database to represent the hierarchical structure of each supported programming language in the repository. For more information, see "[AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/preparing-your-code-for-codeql-analysis)." -1. `database analyze` to run queries to analyze each {% data variables.product.prodname_codeql %} database and summarize the results in a SARIF file. For more information, see "[AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/analyzing-your-code-with-codeql-queries)." -1. `github upload-results` to upload the resulting SARIF files to {% data variables.product.product_name %} where the results are matched to a branch or pull request and displayed as {% data variables.product.prodname_code_scanning %} alerts. For more information, see "[AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/uploading-codeql-analysis-results-to-github)." +1. `database create` to create a {% data variables.product.prodname_codeql %} database to represent the hierarchical structure of each supported programming language in the repository. For more information, see [AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/preparing-your-code-for-codeql-analysis). +1. `database analyze` to run queries to analyze each {% data variables.product.prodname_codeql %} database and summarize the results in a SARIF file. For more information, see [AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/analyzing-your-code-with-codeql-queries). +1. `github upload-results` to upload the resulting SARIF files to {% data variables.product.product_name %} where the results are matched to a branch or pull request and displayed as {% data variables.product.prodname_code_scanning %} alerts. For more information, see [AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/uploading-codeql-analysis-results-to-github). {% data reusables.code-scanning.upload-sarif-ghas %} diff --git a/content/code-security/codeql-cli/getting-started-with-the-codeql-cli/analyzing-your-code-with-codeql-queries.md b/content/code-security/codeql-cli/getting-started-with-the-codeql-cli/analyzing-your-code-with-codeql-queries.md index 4b218336d2eb..0ab008c51268 100644 --- a/content/code-security/codeql-cli/getting-started-with-the-codeql-cli/analyzing-your-code-with-codeql-queries.md +++ b/content/code-security/codeql-cli/getting-started-with-the-codeql-cli/analyzing-your-code-with-codeql-queries.md @@ -62,16 +62,16 @@ You must specify ``, `--format`, and `--output`. You can specify addit |--------|:--------:|-----| | `` | {% octicon "check" aria-label="Required" %} | Specify the path for the directory that contains the {% data variables.product.prodname_codeql %} database to analyze. | | `` | {% octicon "x" aria-label="Optional" %} | Specify {% data variables.product.prodname_codeql %} packs or queries to run. To run the standard queries used for {% data variables.product.prodname_code_scanning %}, omit this parameter. To see the other query suites included in the {% data variables.product.prodname_codeql_cli %} bundle, look in `//qlpacks/codeql/-queries/codeql-suites`. For information about creating your own query suite, see [AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-codeql-query-suites) in the documentation for the {% data variables.product.prodname_codeql_cli %}. | -| --format | {% octicon "check" aria-label="Required" %} | Specify the format for the results file generated during analysis. A number of different formats are supported, including CSV, [SARIF](https://codeql.github.com/docs/codeql-overview/codeql-glossary/#sarif-file), and graph formats. For upload to {% data variables.product.company_short %} this should be: {% ifversion fpt or ghec %}`sarif-latest`{% else %}`sarifv2.1.0`{% endif %}. For more information, see "[AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning)." | +| --format | {% octicon "check" aria-label="Required" %} | Specify the format for the results file generated during analysis. A number of different formats are supported, including CSV, [SARIF](https://codeql.github.com/docs/codeql-overview/codeql-glossary/#sarif-file), and graph formats. For upload to {% data variables.product.company_short %} this should be: {% ifversion fpt or ghec %}`sarif-latest`{% else %}`sarifv2.1.0`{% endif %}. For more information, see [AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning). | | --output | {% octicon "check" aria-label="Required" %} | Specify the location where you want to save the SARIF results file, including the desired filename with the `.sarif` extension. | | --sarif-category | {% octicon "question" aria-label="Required with multiple results sets" %} | Optional for single database analysis. Required to define the language when you analyze multiple databases for a single commit in a repository.

Specify a category to include in the SARIF results file for this analysis. A category is used to distinguish multiple analyses for the same tool and commit, but performed on different languages or different parts of the code. | -| --sarif-add-baseline-file-info | {% octicon "x" aria-label="Optional" %} | **Recommended.** Use to submit file coverage information to the {% data variables.code-scanning.tool_status_page %}. For more information, see "[AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/about-the-tool-status-page#how-codeql-defines-scanned-files)." | -| --sarif-include-query-help | {% octicon "x" aria-label="Optional" %} | Specify whether to include query help in the SARIF output. One of: `always`: Include query help for all queries. `custom_queries_only` (default): Include query help only for custom queries, that is, queries in query packs which are not of the form `codeql/-queries`. `never`: Do not include query help for any queries. Any query help for custom queries included in the SARIF output will be displayed in any code scanning alerts for the query. For more information, see "[AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/using-custom-queries-with-the-codeql-cli#including-query-help-for-custom-codeql-queries-in-sarif-files)." | -| `` | {% octicon "x" aria-label="Optional" %} | Use if you want to include {% data variables.product.prodname_codeql %} query packs in your analysis. For more information, see "[Downloading and using {% data variables.product.prodname_codeql %} packs](/code-security/codeql-cli/getting-started-with-the-codeql-cli/customizing-analysis-with-codeql-packs#downloading-and-using-codeql-query-packs)." | +| --sarif-add-baseline-file-info | {% octicon "x" aria-label="Optional" %} | **Recommended.** Use to submit file coverage information to the {% data variables.code-scanning.tool_status_page %}. For more information, see [AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/about-the-tool-status-page#how-codeql-defines-scanned-files). | +| --sarif-include-query-help | {% octicon "x" aria-label="Optional" %} | Specify whether to include query help in the SARIF output. One of: `always`: Include query help for all queries. `custom_queries_only` (default): Include query help only for custom queries, that is, queries in query packs which are not of the form `codeql/-queries`. `never`: Do not include query help for any queries. Any query help for custom queries included in the SARIF output will be displayed in any code scanning alerts for the query. For more information, see [AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/using-custom-queries-with-the-codeql-cli#including-query-help-for-custom-codeql-queries-in-sarif-files). | +| `` | {% octicon "x" aria-label="Optional" %} | Use if you want to include {% data variables.product.prodname_codeql %} query packs in your analysis. For more information, see [Downloading and using {% data variables.product.prodname_codeql %} packs](/code-security/codeql-cli/getting-started-with-the-codeql-cli/customizing-analysis-with-codeql-packs#downloading-and-using-codeql-query-packs). | | --download | {% octicon "x" aria-label="Optional" %} | Use if some of your {% data variables.product.prodname_codeql %} query packs are not yet on disk and need to be downloaded before running queries. | | --threads | {% octicon "x" aria-label="Optional" %} | Use if you want to use more than one thread to run queries. The default value is `1`. You can specify more threads to speed up query execution. To set the number of threads to the number of logical processors, specify `0`. | | --verbose | {% octicon "x" aria-label="Optional" %} | Use to get more detailed information about the analysis process and diagnostic data from the database creation process. | -| --threat-model | {% octicon "x" aria-label="Optional" %} | ({% data variables.release-phases.public_preview_caps %}) Use to add threat models to configure additional sources in your {% data variables.product.prodname_codeql %} analysis. During the {% data variables.release-phases.public_preview %}, threat models are supported only by Java analysis. For more information, see "[AUTOTITLE](/code-security/codeql-cli/codeql-cli-manual/database-analyze#--threat-modelname)." | +| --threat-model | {% octicon "x" aria-label="Optional" %} | ({% data variables.release-phases.public_preview_caps %}) Use to add threat models to configure additional sources in your {% data variables.product.prodname_codeql %} analysis. During the {% data variables.release-phases.public_preview %}, threat models are supported only by Java analysis. For more information, see [AUTOTITLE](/code-security/codeql-cli/codeql-cli-manual/database-analyze#--threat-modelname). | > [!NOTE] > **Upgrading databases** @@ -82,7 +82,7 @@ that your database needs to be upgraded when you run `database analyze`. > > For databases that were created by {% data variables.product.prodname_codeql_cli %} v2.3.4 or later, the CLI will implicitly run any required upgrades. Explicitly running the upgrade command is not necessary. -For full details of all the options you can use when analyzing databases, see "[AUTOTITLE](/code-security/codeql-cli/codeql-cli-manual/database-analyze)." +For full details of all the options you can use when analyzing databases, see [AUTOTITLE](/code-security/codeql-cli/codeql-cli-manual/database-analyze). ### Basic example of analyzing a {% data variables.product.prodname_codeql %} database @@ -102,7 +102,7 @@ $ codeql database analyze /codeql-dbs/example-repo \ ### Adding file coverage information to your results for monitoring -You can optionally submit file coverage information to {% data variables.product.product_name %} for display on the {% data variables.code-scanning.tool_status_page %} for {% data variables.product.prodname_code_scanning %}. For more information about file coverage information, see "[AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/about-the-tool-status-page#how-codeql-defines-scanned-files)." +You can optionally submit file coverage information to {% data variables.product.product_name %} for display on the {% data variables.code-scanning.tool_status_page %} for {% data variables.product.prodname_code_scanning %}. For more information about file coverage information, see [AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/about-the-tool-status-page#how-codeql-defines-scanned-files). To include file coverage information with your {% data variables.product.prodname_code_scanning %} results, add the `--sarif-add-baseline-file-info` flag to the `codeql database analyze` invocation in your CI system, for example: @@ -125,7 +125,7 @@ To run an existing {% data variables.product.prodname_codeql %} query pack from codeql database analyze microsoft/coding-standards@1.0.0 github/security-queries --format=sarifv2.1.0 --output=query-results.sarif --download ``` -This command runs the default query suite of two {% data variables.product.prodname_codeql %} query packs: `microsoft/coding-standards` version 1.0.0 and the latest version of `github/security-queries` on the specified database. For further information about default suites, see "[AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/publishing-and-using-codeql-packs)." +This command runs the default query suite of two {% data variables.product.prodname_codeql %} query packs: `microsoft/coding-standards` version 1.0.0 and the latest version of `github/security-queries` on the specified database. For further information about default suites, see [AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/publishing-and-using-codeql-packs). The `--download` flag is optional. Using it will ensure the query pack is downloaded if it isn’t yet available locally. @@ -153,7 +153,7 @@ codeql database analyze ../ql/javascript/ql/src/Declaratio You can also run your own custom queries with the `database analyze` command. For more information about preparing your queries to use with the {% data variables.product.prodname_codeql_cli %}, -see "[AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/using-custom-queries-with-the-codeql-cli)." +see [AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/using-custom-queries-with-the-codeql-cli). ### Running all queries in a directory @@ -249,16 +249,16 @@ codeql database analyze codeql/cpp-queries:codeql-suites/cpp-code ``` This command downloads the `codeql/cpp-queries` {% data variables.product.prodname_codeql %} query pack, runs the analysis, and generates a file in the SARIF version 2.1.0 format that is supported by all versions of {% data variables.product.prodname_dotcom %}. This file can be uploaded to {% data variables.product.prodname_dotcom %} by executing `codeql github upload-results` or the code scanning API. -For more information, see "[AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/uploading-codeql-analysis-results-to-github)" -or "[AUTOTITLE](/rest/code-scanning)". +For more information, see [AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/uploading-codeql-analysis-results-to-github) +or [AUTOTITLE](/rest/code-scanning). {% data variables.product.prodname_codeql %} query suites are `.qls` files that use directives to select queries to run based on certain metadata properties. The standard {% data variables.product.prodname_codeql %} packs have metadata that specify the location of the query suites used by code scanning, so the {% data variables.product.prodname_codeql_cli %} knows where to find these suite files automatically, and you don’t have to specify the full path on the command line. -For more information, see "[AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-codeql-query-suites)." +For more information, see [AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-codeql-query-suites). -For information about creating custom query suites, see "[AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-codeql-query-suites)." +For information about creating custom query suites, see [AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-codeql-query-suites). {% ifversion codeql-cli-threat-models %} @@ -266,7 +266,7 @@ For information about creating custom query suites, see "[AUTOTITLE](/code-secur {% data reusables.code-scanning.beta-threat-models-cli %} -You can configure threat models in a {% data variables.product.prodname_code_scanning %} analysis. For more information, see "[Threat models for Java and Kotlin](https://codeql.github.com/docs/codeql-language-guides/customizing-library-models-for-java-and-kotlin/#threat-models)" and "[Threat models for C#](https://codeql.github.com/docs/codeql-language-guides/customizing-library-models-for-csharp/#threat-models)" in the {% data variables.product.prodname_codeql %} documentation. +You can configure threat models in a {% data variables.product.prodname_code_scanning %} analysis. For more information, see [Threat models for Java and Kotlin](https://codeql.github.com/docs/codeql-language-guides/customizing-library-models-for-java-and-kotlin/#threat-models) and [Threat models for C#](https://codeql.github.com/docs/codeql-language-guides/customizing-library-models-for-csharp/#threat-models) in the {% data variables.product.prodname_codeql %} documentation. ```shell $ codeql database analyze /codeql-dbs/my-company --format=sarif-latest \ @@ -282,9 +282,9 @@ In this example, the relevant queries in the standard query pack `codeql/java-qu You can save analysis results in a number of different formats, including SARIF and CSV. -The SARIF format is designed to represent the output of a broad range of static analysis tools. For more information, see "[AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/sarif-output)." +The SARIF format is designed to represent the output of a broad range of static analysis tools. For more information, see [AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/sarif-output). -For more information about what the results look like in CSV format, see "[AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/csv-output)." +For more information about what the results look like in CSV format, see [AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/csv-output). Results files can be integrated into your own code-review or debugging infrastructure. For example, SARIF file output can be used to highlight alerts in the correct location in your source code using a SARIF viewer plugin for your IDE. @@ -292,10 +292,10 @@ Results files can be integrated into your own code-review or debugging infrastru When you analyze a {% data variables.product.prodname_codeql %} database using a {% data variables.product.prodname_code_scanning %} query suite, in addition to generating detailed information about alerts, the CLI reports diagnostic data from the database generation step and summary metrics. If you choose to generate SARIF output, the additional data is also included in the SARIF file. For repositories with few alerts, you may find this information useful for determining if there are genuinely few problems in the code, or if there were errors generating the {% data variables.product.prodname_codeql %} database. For more detailed output from `codeql database analyze`, use the `--verbose` option. -For more information about the type of diagnostic information available, see "[AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/viewing-code-scanning-logs#about-analysis-and-diagnostic-information)". +For more information about the type of diagnostic information available, see [AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/viewing-code-scanning-logs#about-analysis-and-diagnostic-information). -You can choose to export and upload diagnostic information to {% data variables.product.product_name %} even if a {% data variables.product.prodname_codeql %} analysis fails. For more information, see "[AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/uploading-codeql-analysis-results-to-github#uploading-diagnostic-information-to-github-if-the-analysis-fails)." +You can choose to export and upload diagnostic information to {% data variables.product.product_name %} even if a {% data variables.product.prodname_codeql %} analysis fails. For more information, see [AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/uploading-codeql-analysis-results-to-github#uploading-diagnostic-information-to-github-if-the-analysis-fails). ## Next steps -* To learn how to upload your {% data variables.product.prodname_codeql %} analysis results to {% data variables.product.product_name %}, see "[AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/uploading-codeql-analysis-results-to-github)." +* To learn how to upload your {% data variables.product.prodname_codeql %} analysis results to {% data variables.product.product_name %}, see [AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/uploading-codeql-analysis-results-to-github). diff --git a/content/code-security/codeql-cli/getting-started-with-the-codeql-cli/customizing-analysis-with-codeql-packs.md b/content/code-security/codeql-cli/getting-started-with-the-codeql-cli/customizing-analysis-with-codeql-packs.md index bf2ce1cea8e4..ca6dedd13122 100644 --- a/content/code-security/codeql-cli/getting-started-with-the-codeql-cli/customizing-analysis-with-codeql-packs.md +++ b/content/code-security/codeql-cli/getting-started-with-the-codeql-cli/customizing-analysis-with-codeql-packs.md @@ -28,7 +28,7 @@ There are{% ifversion codeql-model-packs %} three{% else %} two{% endif %} types * Library packs are designed to be used by query packs (or other library packs) and do not contain queries themselves. The libraries are not compiled separately.{% ifversion codeql-model-packs %} -* Model packs can be used to expand {% data variables.product.prodname_code_scanning %} analysis to recognize libraries and frameworks that are not supported by default. Model packs are currently in {% data variables.release-phases.public_preview %} and subject to change. During the {% data variables.release-phases.public_preview %}, model packs are available for {% data variables.code-scanning.codeql_model_packs_support %} analysis. For more information about creating your own model packs, see "[AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-and-working-with-codeql-packs#creating-a-codeql-model-pack)." +* Model packs can be used to expand {% data variables.product.prodname_code_scanning %} analysis to recognize libraries and frameworks that are not supported by default. Model packs are currently in {% data variables.release-phases.public_preview %} and subject to change. During the {% data variables.release-phases.public_preview %}, model packs are available for {% data variables.code-scanning.codeql_model_packs_support %} analysis. For more information about creating your own model packs, see [AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-and-working-with-codeql-packs#creating-a-codeql-model-pack). {% endif %} @@ -43,15 +43,15 @@ The standard {% data variables.product.prodname_codeql %} packs for all supporte * `codeql/ruby-queries` * `codeql/swift-queries` -You can also use the {% data variables.product.prodname_codeql_cli %} to create your own {% data variables.product.prodname_codeql %} packs, add dependencies to packs, and install or update dependencies. For more information, see "[AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-and-working-with-codeql-packs#creating-and-working-with-codeql-packs)." +You can also use the {% data variables.product.prodname_codeql_cli %} to create your own {% data variables.product.prodname_codeql %} packs, add dependencies to packs, and install or update dependencies. For more information, see [AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-and-working-with-codeql-packs#creating-and-working-with-codeql-packs). -You can publish {% data variables.product.prodname_codeql %} packs that you have created, using the {% data variables.product.prodname_codeql_cli %}. For more information on publishing and downloading {% data variables.product.prodname_codeql %} packs, see "[AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/publishing-and-using-codeql-packs)." +You can publish {% data variables.product.prodname_codeql %} packs that you have created, using the {% data variables.product.prodname_codeql_cli %}. For more information on publishing and downloading {% data variables.product.prodname_codeql %} packs, see [AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/publishing-and-using-codeql-packs). ## Downloading and using {% data variables.product.prodname_codeql %} query packs -The {% data variables.product.prodname_codeql_cli %} bundle includes queries that are maintained by {% data variables.product.company_short %} experts, security researchers, and community contributors. If you want to run queries developed by other organizations, {% data variables.product.prodname_codeql %} query packs provide an efficient and reliable way to download and run queries{% ifversion codeql-model-packs %}, while model packs ({% data variables.release-phases.public_preview %}) can be used to expand {% data variables.product.prodname_code_scanning %} analysis to recognize libraries and frameworks that are not supported by default{% endif %}. For more information about query packs, see "[AUTOTITLE](/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning-with-codeql#about-codeql-queries)." {% ifversion codeql-model-packs %} For information about writing your own model packs, see "[AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-and-working-with-codeql-packs#creating-a-model-pack)."{% endif %} +The {% data variables.product.prodname_codeql_cli %} bundle includes queries that are maintained by {% data variables.product.company_short %} experts, security researchers, and community contributors. If you want to run queries developed by other organizations, {% data variables.product.prodname_codeql %} query packs provide an efficient and reliable way to download and run queries{% ifversion codeql-model-packs %}, while model packs ({% data variables.release-phases.public_preview %}) can be used to expand {% data variables.product.prodname_code_scanning %} analysis to recognize libraries and frameworks that are not supported by default{% endif %}. For more information about query packs, see [AUTOTITLE](/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning-with-codeql#about-codeql-queries). {% ifversion codeql-model-packs %} For information about writing your own model packs, see [AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-and-working-with-codeql-packs#creating-a-model-pack).{% endif %} -Before you can use a {% data variables.product.prodname_codeql %} query pack to analyze a database, you must download any packages you require from the {% data variables.product.company_short %} {% data variables.product.prodname_container_registry %}. This can be done either by using the `--download` flag as part of the `codeql database analyze` command, or running `codeql pack download`. If a package is not publicly available, you will need to use a {% data variables.product.prodname_github_app %} or {% data variables.product.pat_generic %} to authenticate. For more information and an example, see "[AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/uploading-codeql-analysis-results-to-github#uploading-results-to-github)." +Before you can use a {% data variables.product.prodname_codeql %} query pack to analyze a database, you must download any packages you require from the {% data variables.product.company_short %} {% data variables.product.prodname_container_registry %}. This can be done either by using the `--download` flag as part of the `codeql database analyze` command, or running `codeql pack download`. If a package is not publicly available, you will need to use a {% data variables.product.prodname_github_app %} or {% data variables.product.pat_generic %} to authenticate. For more information and an example, see [AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/uploading-codeql-analysis-results-to-github#uploading-results-to-github). | Option | Required | Usage | |--------|:--------:|-----| @@ -61,7 +61,7 @@ Before you can use a {% data variables.product.prodname_codeql %} query pack to > [!NOTE] > If you specify a particular version of a query pack to use, be aware that the version you specify may eventually become too old for the latest version of {% data variables.product.prodname_codeql %} to make efficient use of. To ensure optimal performance, if you need to specify exact query pack versions, you should reevaluate which versions you pin to whenever you upgrade the {% data variables.product.prodname_codeql_cli %} you're using. > -> For more information about pack compatibility, see "[AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/publishing-and-using-codeql-packs#about-codeql-pack-compatibility)." +> For more information about pack compatibility, see [AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/publishing-and-using-codeql-packs#about-codeql-pack-compatibility). ### Basic example of downloading and using query packs @@ -103,7 +103,7 @@ echo $OCTO-ORG_ACCESS_TOKEN | codeql pack download --command | {% octicon "x" aria-label="Optional" %} | **Recommended.** Use to specify the build command or script that invokes the build process for the codebase. Commands are run from the current folder or, where it is defined, from --source-root. Not needed for Python and JavaScript/TypeScript analysis. | | {% ifversion codeql-no-build %} | -| --build-mode | {% octicon "x" aria-label="Optional" %} | **Recommended.** Use for {% data variables.code-scanning.no_build_support %} when not providing a `--command` to specify whether to create a CodeQL database without a build (`none`) or by attempting to automatically detect a build command (`autobuild`). By default, autobuild detection is used. For a comparison of build modes, see "[CodeQL build modes](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#codeql-build-modes)." | +| --build-mode | {% octicon "x" aria-label="Optional" %} | **Recommended.** Use for {% data variables.code-scanning.no_build_support %} when not providing a `--command` to specify whether to create a CodeQL database without a build (`none`) or by attempting to automatically detect a build command (`autobuild`). By default, autobuild detection is used. For a comparison of build modes, see [CodeQL build modes](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#codeql-build-modes). | | {% endif %} | | --db-cluster | {% octicon "x" aria-label="Optional" %} | Use in multi-language codebases to generate one database for each language specified by --language. | | --no-run-unnecessary-builds | {% octicon "x" aria-label="Optional" %} | **Recommended.** Use to suppress the build command for languages where the {% data variables.product.prodname_codeql_cli %} does not need to monitor the build (for example, Python and JavaScript/TypeScript). | | --source-root | {% octicon "x" aria-label="Optional" %} | Use if you run the CLI outside the checkout root of the repository. By default, the `database create` command assumes that the current directory is the root directory for the source files, use this option to specify a different location. | -| --codescanning-config | {% octicon "x" aria-label="Optional" %} | Advanced. Use if you have a configuration file that specifies how to create the {% data variables.product.prodname_codeql %} databases and what queries to run in later steps. For more information, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#using-a-custom-configuration-file)" and "[AUTOTITLE](/code-security/codeql-cli/codeql-cli-manual/database-create#--codescanning-configfile)." | +| --codescanning-config | {% octicon "x" aria-label="Optional" %} | Advanced. Use if you have a configuration file that specifies how to create the {% data variables.product.prodname_codeql %} databases and what queries to run in later steps. For more information, see [AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#using-a-custom-configuration-file) and [AUTOTITLE](/code-security/codeql-cli/codeql-cli-manual/database-create#--codescanning-configfile). | You can specify extractor options to customize the behavior of extractors that create {% data variables.product.prodname_codeql %} databases. For more information, see -"[AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/extractor-options)." +[AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/extractor-options). -For full details of all the options you can use when creating databases, see "[AUTOTITLE](/code-security/codeql-cli/codeql-cli-manual/database-create)." +For full details of all the options you can use when creating databases, see [AUTOTITLE](/code-security/codeql-cli/codeql-cli-manual/database-create). ### Single language example @@ -193,16 +193,16 @@ Here, we have specified a `--source-root` path, which is the location where data For {% ifversion codeql-no-build %}most{% endif %} compiled languages, {% data variables.product.prodname_codeql %} needs to invoke the required build system to generate a database, therefore the build method must be available to the CLI. This approach creates databases that include generated code. {% data variables.product.prodname_codeql %} has two methods for building codebases: -* "[Automatic build detection (autobuild)](#automatically-detecting-the-build-system)" -* "[User-specified build commands](/code-security/codeql-cli/getting-started-with-the-codeql-cli/preparing-your-code-for-codeql-analysis#specifying-build-commands)" +* [Automatic build detection (autobuild)](#automatically-detecting-the-build-system) +* [User-specified build commands](/code-security/codeql-cli/getting-started-with-the-codeql-cli/preparing-your-code-for-codeql-analysis#specifying-build-commands) {% ifversion codeql-no-build %} -In addition, for {% data variables.code-scanning.no_build_support %}, there is an option to generate a database without building the code. This is particularly useful when you want to enable {% data variables.product.prodname_code_scanning %} for many repositories. For more information, see "[CodeQL build modes](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#codeql-build-modes)." +In addition, for {% data variables.code-scanning.no_build_support %}, there is an option to generate a database without building the code. This is particularly useful when you want to enable {% data variables.product.prodname_code_scanning %} for many repositories. For more information, see [CodeQL build modes](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#codeql-build-modes). {% endif %} ### Automatically detecting the build system -The {% data variables.product.prodname_codeql_cli %} includes autobuilders for {% data variables.code-scanning.compiled_languages %} code. {% data variables.product.prodname_codeql %} autobuilders allow you to build projects for compiled languages without specifying any build commands. When an autobuilder is invoked, {% data variables.product.prodname_codeql %} examines the source for evidence of a build system and attempts to run the optimal set of commands required to extract a database. For more information, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#about-autobuild)." +The {% data variables.product.prodname_codeql_cli %} includes autobuilders for {% data variables.code-scanning.compiled_languages %} code. {% data variables.product.prodname_codeql %} autobuilders allow you to build projects for compiled languages without specifying any build commands. When an autobuilder is invoked, {% data variables.product.prodname_codeql %} examines the source for evidence of a build system and attempts to run the optimal set of commands required to extract a database. For more information, see [AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#about-autobuild). An autobuilder is invoked automatically when you execute `codeql database create` for a compiled language if you don’t include a `--command` option{% ifversion codeql-no-build %} or set `--build-mode none`{% endif %}. For example, for a C/C++ codebase, you could simply run: @@ -450,4 +450,4 @@ steps: ## Next steps -* To learn how to use the {% data variables.product.prodname_codeql_cli %} to analyze the database you created from your code, see "[AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/analyzing-your-code-with-codeql-queries)." +* To learn how to use the {% data variables.product.prodname_codeql_cli %} to analyze the database you created from your code, see [AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/analyzing-your-code-with-codeql-queries). diff --git a/content/code-security/codeql-cli/getting-started-with-the-codeql-cli/setting-up-the-codeql-cli.md b/content/code-security/codeql-cli/getting-started-with-the-codeql-cli/setting-up-the-codeql-cli.md index 82585e7feeed..19deb6e71f96 100644 --- a/content/code-security/codeql-cli/getting-started-with-the-codeql-cli/setting-up-the-codeql-cli.md +++ b/content/code-security/codeql-cli/getting-started-with-the-codeql-cli/setting-up-the-codeql-cli.md @@ -28,9 +28,9 @@ the tools, queries, and libraries required to create and analyze databases. The {% data variables.product.prodname_codeql_cli %} can be set up to support many different use cases and directory structures. To get started quickly, we recommend adopting a relatively simple setup, as outlined in the steps below. -If you plan to use the {% data variables.product.prodname_codeql_cli %} for security research or to test or contribute queries, you may want a more advanced setup of {% data variables.product.prodname_codeql_cli %}. For more information, see "[AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/advanced-setup-of-the-codeql-cli)." +If you plan to use the {% data variables.product.prodname_codeql_cli %} for security research or to test or contribute queries, you may want a more advanced setup of {% data variables.product.prodname_codeql_cli %}. For more information, see [AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/advanced-setup-of-the-codeql-cli). -If you are setting up the {% data variables.product.prodname_codeql_cli %} in your CI system, you need to make the full contents of the {% data variables.product.prodname_codeql_cli %} bundle available to every CI server that you want to run {% data variables.product.prodname_codeql %} {% data variables.product.prodname_code_scanning %} analysis on. For example, you might configure each server to copy the bundle from a central, internal location and extract it. Alternatively, you could use the REST API to get the bundle directly from {% data variables.product.prodname_dotcom %}, ensuring that you benefit from the latest improvements to queries. For more information, see "[AUTOTITLE](/rest/releases)" in the REST API documentation. +If you are setting up the {% data variables.product.prodname_codeql_cli %} in your CI system, you need to make the full contents of the {% data variables.product.prodname_codeql_cli %} bundle available to every CI server that you want to run {% data variables.product.prodname_codeql %} {% data variables.product.prodname_code_scanning %} analysis on. For example, you might configure each server to copy the bundle from a central, internal location and extract it. Alternatively, you could use the REST API to get the bundle directly from {% data variables.product.prodname_dotcom %}, ensuring that you benefit from the latest improvements to queries. For more information, see [AUTOTITLE](/rest/releases) in the REST API documentation. If you are using macOS on Apple Silicon (for example, Apple M1), ensure that the [Xcode command-line developer tools](https://developer.apple.com/downloads/index.action) and [Rosetta 2](https://support.apple.com/en-us/HT211861) are installed. @@ -51,7 +51,7 @@ Extract the {% data variables.product.prodname_codeql_cli %} tar archive to a di {% data reusables.codeql-cli.launch-codeql %} > [!NOTE] -> If you add `codeql` to your `PATH`, it can be accessed by {% data variables.product.prodname_codeql %} for {% data variables.product.prodname_vscode %} to compile and run queries. For more information about configuring {% data variables.product.prodname_vscode_shortname %} to access the {% data variables.product.prodname_codeql_cli %}, see "[AUTOTITLE](/code-security/codeql-for-vs-code/using-the-advanced-functionality-of-the-codeql-for-vs-code-extension/configuring-access-to-the-codeql-cli)." +> If you add `codeql` to your `PATH`, it can be accessed by {% data variables.product.prodname_codeql %} for {% data variables.product.prodname_vscode %} to compile and run queries. For more information about configuring {% data variables.product.prodname_vscode_shortname %} to access the {% data variables.product.prodname_codeql_cli %}, see [AUTOTITLE](/code-security/codeql-for-vs-code/using-the-advanced-functionality-of-the-codeql-for-vs-code-extension/configuring-access-to-the-codeql-cli). ## Testing the {% data variables.product.prodname_codeql_cli %} configuration @@ -86,7 +86,7 @@ You should check that the output contains the expected languages and also that t You can also run `codeql resolve languages` to show which languages are available for database creation. This will list the languages supported by default in your {% data variables.product.prodname_codeql_cli %} package. -Optionally, you can download some CodeQL packs containing pre-compiled queries you would like to run. For more information, see "[AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/customizing-analysis-with-codeql-packs)." +Optionally, you can download some CodeQL packs containing pre-compiled queries you would like to run. For more information, see [AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/customizing-analysis-with-codeql-packs). The `codeql resolve packs` command is useful for diagnosing problems when the {% data variables.product.prodname_codeql_cli %} is unable to locate query packs that you expect to be available for analysis. @@ -94,4 +94,4 @@ The `codeql resolve packs` command is useful for diagnosing problems when the {% ## Next steps -To learn how to prepare your code to be analyzed by the {% data variables.product.prodname_codeql_cli %}, see "[AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/preparing-your-code-for-codeql-analysis)." +To learn how to prepare your code to be analyzed by the {% data variables.product.prodname_codeql_cli %}, see [AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/preparing-your-code-for-codeql-analysis). diff --git a/content/code-security/codeql-cli/getting-started-with-the-codeql-cli/uploading-codeql-analysis-results-to-github.md b/content/code-security/codeql-cli/getting-started-with-the-codeql-cli/uploading-codeql-analysis-results-to-github.md index 2fc0ad7400cb..7645051a3870 100644 --- a/content/code-security/codeql-cli/getting-started-with-the-codeql-cli/uploading-codeql-analysis-results-to-github.md +++ b/content/code-security/codeql-cli/getting-started-with-the-codeql-cli/uploading-codeql-analysis-results-to-github.md @@ -16,11 +16,11 @@ topics: ## About SARIF output -{% data variables.product.prodname_dotcom %} creates {% data variables.product.prodname_code_scanning %} alerts in a repository using information from Static Analysis Results Interchange Format (SARIF) files. SARIF is designed to represent the output of a broad range of static analysis tools, and there are many features in the SARIF specification that are considered "optional". The results must use SARIF version 2.1.0. For more information, see "[AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning)." +{% data variables.product.prodname_dotcom %} creates {% data variables.product.prodname_code_scanning %} alerts in a repository using information from Static Analysis Results Interchange Format (SARIF) files. SARIF is designed to represent the output of a broad range of static analysis tools, and there are many features in the SARIF specification that are considered "optional". The results must use SARIF version 2.1.0. For more information, see [AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning). -After analyzing a {% data variables.product.prodname_codeql %} database using the {% data variables.product.prodname_codeql_cli %}, you will have a SARIF file that contains the results. For more information, see "[AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/analyzing-your-code-with-codeql-queries)." You can then use the {% data variables.product.prodname_codeql_cli %} to upload results to {% data variables.product.prodname_dotcom %}. +After analyzing a {% data variables.product.prodname_codeql %} database using the {% data variables.product.prodname_codeql_cli %}, you will have a SARIF file that contains the results. For more information, see [AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/analyzing-your-code-with-codeql-queries). You can then use the {% data variables.product.prodname_codeql_cli %} to upload results to {% data variables.product.prodname_dotcom %}. -If you used a method other than the {% data variables.product.prodname_codeql_cli %} to generate results, you can use other upload methods. For more information, see "[AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github)." +If you used a method other than the {% data variables.product.prodname_codeql_cli %} to generate results, you can use other upload methods. For more information, see [AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github). {% data reusables.code-scanning.upload-sarif-ghas %} @@ -31,9 +31,9 @@ Before you can upload your results to {% data variables.product.product_name %}, * **{% data variables.product.pat_v1_caps %}** requires "{% data variables.product.prodname_code_scanning_caps %} alerts" **Read and write** access for the required repositories. * **{% data variables.product.pat_v2_caps %}** requires "repo" **security_events** access. -For more information, see "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token)." +For more information, see [AUTOTITLE](/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token). -If you have installed the {% data variables.product.prodname_codeql_cli %} in a third-party CI system to create results to display in {% data variables.product.prodname_dotcom %} as code scanning alerts, you can use a {% data variables.product.prodname_github_app %} or {% data variables.product.pat_generic %} to upload results to {% data variables.product.product_name %}. For more information, see "[AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/using-code-scanning-with-your-existing-ci-system#generating-a-token-for-authentication-with-github)." +If you have installed the {% data variables.product.prodname_codeql_cli %} in a third-party CI system to create results to display in {% data variables.product.prodname_dotcom %} as code scanning alerts, you can use a {% data variables.product.prodname_github_app %} or {% data variables.product.pat_generic %} to upload results to {% data variables.product.product_name %}. For more information, see [AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/using-code-scanning-with-your-existing-ci-system#generating-a-token-for-authentication-with-github). ## Uploading results to {% data variables.product.product_name %} @@ -65,7 +65,7 @@ codeql github upload-results \ | Option | Required | Usage | | ------ | :------: | ----- | -| --repository | {% octicon "check" aria-label="Required" %} | Specify the _OWNER/NAME_ of the repository to upload data to. The owner must be an organization within an enterprise that has a license for {% data variables.product.prodname_GH_advanced_security %} and {% data variables.product.prodname_GH_advanced_security %} must be enabled for the repository{% ifversion fpt or ghec %}, unless the repository is public{% endif %}. For more information, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository)." | +| --repository | {% octicon "check" aria-label="Required" %} | Specify the _OWNER/NAME_ of the repository to upload data to. The owner must be an organization within an enterprise that has a license for {% data variables.product.prodname_GH_advanced_security %} and {% data variables.product.prodname_GH_advanced_security %} must be enabled for the repository{% ifversion fpt or ghec %}, unless the repository is public{% endif %}. For more information, see [AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository). | | --ref | {% octicon "check" aria-label="Required" %} | Specify the name of the `ref` you checked out and analyzed so that the results can be matched to the correct code. For a branch use: `refs/heads/BRANCH-NAME`, for the head commit of a pull request use `refs/pull/NUMBER/head`, or for the {% data variables.product.prodname_dotcom %}-generated merge commit of a pull request use `refs/pull/NUMBER/merge`. | | --commit | {% octicon "check" aria-label="Required" %} | Specify the full SHA of the commit you analyzed. | | --sarif | {% octicon "check" aria-label="Required" %} | Specify the SARIF file to load. | @@ -74,10 +74,10 @@ codeql github upload-results \ | {% endif %} | | --github-auth-stdin | {% octicon "x" aria-label="Optional" %} | Pass the CLI the {% data variables.product.prodname_github_app %} or {% data variables.product.pat_generic %} created for authentication with {% data variables.product.company_short %}'s REST API from your secret store via standard input. This is not needed if the command has access to a `GITHUB_TOKEN` environment variable set with this token. | -For more information, see "[AUTOTITLE](/code-security/codeql-cli/codeql-cli-manual/github-upload-results)." +For more information, see [AUTOTITLE](/code-security/codeql-cli/codeql-cli-manual/github-upload-results). > [!NOTE] -> If you analyzed more than one {% data variables.product.prodname_codeql %} database for a single commit, you must have specified a SARIF category for each set of results generated by this command. When you upload the results to {% data variables.product.product_name %}, {% data variables.product.prodname_code_scanning %} uses this category to store the results for each language separately. If you forget to do this, each upload overwrites the previous results. For more information, see "[AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/analyzing-your-code-with-codeql-queries#running-codeql-database-analyze)." +> If you analyzed more than one {% data variables.product.prodname_codeql %} database for a single commit, you must have specified a SARIF category for each set of results generated by this command. When you upload the results to {% data variables.product.product_name %}, {% data variables.product.prodname_code_scanning %} uses this category to store the results for each language separately. If you forget to do this, each upload overwrites the previous results. For more information, see [AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/analyzing-your-code-with-codeql-queries#running-codeql-database-analyze). ### Basic example of uploading results to {% data variables.product.product_name %} @@ -91,11 +91,11 @@ codeql github upload-results \ {% endif %} ``` -There is no output from this command unless the upload was unsuccessful. The command prompt returns when the upload is complete and data processing has begun. On smaller codebases, you should be able to explore the {% data variables.product.prodname_code_scanning %} alerts in {% data variables.product.product_name %} shortly afterward. You can see alerts directly in the pull request or on the **Security** tab for branches, depending on the code you checked out. For more information, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/triaging-code-scanning-alerts-in-pull-requests)" and "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/assessing-code-scanning-alerts-for-your-repository)." +There is no output from this command unless the upload was unsuccessful. The command prompt returns when the upload is complete and data processing has begun. On smaller codebases, you should be able to explore the {% data variables.product.prodname_code_scanning %} alerts in {% data variables.product.product_name %} shortly afterward. You can see alerts directly in the pull request or on the **Security** tab for branches, depending on the code you checked out. For more information, see [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/triaging-code-scanning-alerts-in-pull-requests) and [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/assessing-code-scanning-alerts-for-your-repository). ## Uploading diagnostic information to {% data variables.product.product_name %} if the analysis fails -When {% data variables.product.prodname_codeql_cli %} finishes analyzing a database successfully, it gathers diagnostic information such as file coverage, warnings, and errors, and includes it in the SARIF file with the results. When you upload the SARIF file to {% data variables.product.company_short %} the diagnostic information is displayed on the {% data variables.product.prodname_code_scanning %} {% data variables.code-scanning.tool_status_page %} for the repository to make it easy to see how well {% data variables.product.prodname_codeql %} is working and debug any problems. For more information, see "[AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/about-the-tool-status-page)." +When {% data variables.product.prodname_codeql_cli %} finishes analyzing a database successfully, it gathers diagnostic information such as file coverage, warnings, and errors, and includes it in the SARIF file with the results. When you upload the SARIF file to {% data variables.product.company_short %} the diagnostic information is displayed on the {% data variables.product.prodname_code_scanning %} {% data variables.code-scanning.tool_status_page %} for the repository to make it easy to see how well {% data variables.product.prodname_codeql %} is working and debug any problems. For more information, see [AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/about-the-tool-status-page). However, if `codeql database analyze` fails for any reason there is no SARIF file to upload to {% data variables.product.company_short %} and no diagnostic information to show on the {% data variables.product.prodname_code_scanning %} {% data variables.code-scanning.tool_status_page %} for the repository. This makes it difficult for users to troubleshoot analysis unless they have access to log files in your CI system. @@ -103,7 +103,7 @@ We recommend that you configure your CI workflow to export and upload diagnostic ### Exporting diagnostic information if the analysis fails -You can create a SARIF file for the failed analysis using "[AUTOTITLE](/code-security/codeql-cli/codeql-cli-manual/database-export-diagnostics)", for example: +You can create a SARIF file for the failed analysis using [AUTOTITLE](/code-security/codeql-cli/codeql-cli-manual/database-export-diagnostics), for example: ```shell $ codeql database export-diagnostics codeql-dbs/example-repo \ @@ -115,7 +115,7 @@ This SARIF file will contain diagnostic information for the failed analysis, inc ### Uploading diagnostic information if the analysis fails -You can make this diagnostic information available on the {% data variables.code-scanning.tool_status_page %} by uploading the SARIF file to {% data variables.product.product_name %} using "[AUTOTITLE](/code-security/codeql-cli/codeql-cli-manual/github-upload-results)", for example: +You can make this diagnostic information available on the {% data variables.code-scanning.tool_status_page %} by uploading the SARIF file to {% data variables.product.product_name %} using [AUTOTITLE](/code-security/codeql-cli/codeql-cli-manual/github-upload-results), for example: ```shell codeql github upload-results \ diff --git a/content/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/about-codeql-workspaces.md b/content/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/about-codeql-workspaces.md index 81761611ad5b..a2a49177d6de 100644 --- a/content/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/about-codeql-workspaces.md +++ b/content/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/about-codeql-workspaces.md @@ -19,7 +19,7 @@ redirect_from: {% data reusables.code-scanning.codeql-action-version-ghes %} -You use a {% data variables.product.prodname_codeql %} workspace when you want to group multiple {% data variables.product.prodname_codeql %} packs together. A typical use case for a {% data variables.product.prodname_codeql %} workspace is to develop a set of {% data variables.product.prodname_codeql %} library and query packs that are mutually dependent. For more information on {% data variables.product.prodname_codeql %} packs, see "[AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/customizing-analysis-with-codeql-packs)." +You use a {% data variables.product.prodname_codeql %} workspace when you want to group multiple {% data variables.product.prodname_codeql %} packs together. A typical use case for a {% data variables.product.prodname_codeql %} workspace is to develop a set of {% data variables.product.prodname_codeql %} library and query packs that are mutually dependent. For more information on {% data variables.product.prodname_codeql %} packs, see [AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/customizing-analysis-with-codeql-packs). The main benefit of a {% data variables.product.prodname_codeql %} workspace is that it makes it easier for you to develop and maintain multiple {% data variables.product.prodname_codeql %} packs. When you use a {% data variables.product.prodname_codeql %} workspace, all the {% data variables.product.prodname_codeql %} packs in the workspace are available as _source dependencies_ for each other when you run a {% data variables.product.prodname_codeql %} command that resolves queries. This makes it easier to develop, maintain, and publish multiple, related {% data variables.product.prodname_codeql %} packs. @@ -33,9 +33,9 @@ A {% data variables.product.prodname_codeql %} workspace is defined by a `codeql * The `ignore` block contains a list of glob patterns that define {% data variables.product.prodname_codeql %} packs that are not available in the workspace. -* The `registries` block contains a list of GHES URLs and package patterns that control which container registry is used for publishing {% data variables.product.prodname_codeql %} packs. For more information, see "[AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/publishing-and-using-codeql-packs#working-with-codeql-packs-on-ghes)." +* The `registries` block contains a list of GHES URLs and package patterns that control which container registry is used for publishing {% data variables.product.prodname_codeql %} packs. For more information, see [AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/publishing-and-using-codeql-packs#working-with-codeql-packs-on-ghes). -Each entry in the `provide` or `ignore` section must map to the location of a `qlpack.yml` file. All glob patterns are defined relative to the directory that contains the workspace file. For a list of patterns accepted in this file, see "[@actions/glob](https://github.com/actions/toolkit/tree/main/packages/glob#patterns)." +Each entry in the `provide` or `ignore` section must map to the location of a `qlpack.yml` file. All glob patterns are defined relative to the directory that contains the workspace file. For a list of patterns accepted in this file, see [@actions/glob](https://github.com/actions/toolkit/tree/main/packages/glob#patterns). For example, the following `codeql-workspace.yml` file defines a workspace that contains all the {% data variables.product.prodname_codeql %} packs recursively found in the `codeql-packs` directory, except for the packs in the `experimental` directory. The `registries` block specifies that `codeql/\*` packs should be downloaded from `https://ghcr.io/v2/`, which is {% data variables.product.prodname_dotcom %}’s default container registry. All other packs should be downloaded from and published to the registry at `GHE_HOSTNAME`. @@ -67,7 +67,7 @@ This is particularly useful in the following situations: ## {% data variables.product.prodname_codeql %} workspaces and query resolution -All {% data variables.product.prodname_codeql %} packs in a workspace are available as source dependencies for each other when you run any {% data variables.product.prodname_codeql %} command that resolves queries or packs. For example, when you run `codeql pack install` in a pack directory in a workspace, any dependency that can be found in the workspace will be used instead of downloading that dependency to the package cache and adding it to the `codeql-pack.lock.yml` file. For more information, see "[AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-and-working-with-codeql-packs#adding-and-installing-dependencies)." +All {% data variables.product.prodname_codeql %} packs in a workspace are available as source dependencies for each other when you run any {% data variables.product.prodname_codeql %} command that resolves queries or packs. For example, when you run `codeql pack install` in a pack directory in a workspace, any dependency that can be found in the workspace will be used instead of downloading that dependency to the package cache and adding it to the `codeql-pack.lock.yml` file. For more information, see [AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-and-working-with-codeql-packs#adding-and-installing-dependencies). Similarly, when you publish a {% data variables.product.prodname_codeql %} query pack to the {% data variables.product.prodname_dotcom %} container registry using `codeql pack publish` the command will always use the dependencies from the workspace instead of using dependencies found in the local package cache. diff --git a/content/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/advanced-setup-of-the-codeql-cli.md b/content/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/advanced-setup-of-the-codeql-cli.md index 236f0d4ccbbf..a8c4f3c2db5d 100644 --- a/content/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/advanced-setup-of-the-codeql-cli.md +++ b/content/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/advanced-setup-of-the-codeql-cli.md @@ -20,7 +20,7 @@ If you plan to use {% data variables.product.prodname_codeql %} for more than ju * If you want to use the latest {% data variables.product.prodname_codeql %} features to generate code scanning alerts for a codebase, but also want to analyze another codebase that is only compatible with a specific version of the {% data variables.product.prodname_codeql_cli %}, you may want to install multiple versions of the {% data variables.product.prodname_codeql_cli %}. * If you are researching or developing queries, you may want to download interesting or unique databases from {% data variables.product.prodname_dotcom_the_website %}. -For information on the most simple setup of the {% data variables.product.prodname_codeql_cli %}, see "[AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/setting-up-the-codeql-cli)." +For information on the most simple setup of the {% data variables.product.prodname_codeql_cli %}, see [AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/setting-up-the-codeql-cli). ## Checking out the {% data variables.product.prodname_codeql %} source code directly @@ -55,7 +55,7 @@ clone and rename the repository in a single step by running Within this repository, the queries and libraries are organized into {% data variables.product.prodname_codeql %} packs. Along with the queries themselves, {% data variables.product.prodname_codeql %} packs contain important metadata that tells the {% data variables.product.prodname_codeql_cli %} how to process the query files. For more information, -see "[AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-and-working-with-codeql-packs)." +see [AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-and-working-with-codeql-packs). > [!NOTE] > There are different versions of the {% data variables.product.prodname_codeql %} queries available for different users. Check out the correct version for your use case: @@ -93,7 +93,7 @@ If you want to use the latest {% data variables.product.prodname_codeql %} featu {% data variables.product.github %} stores {% data variables.product.prodname_codeql %} databases for over 200,000 repositories on {% data variables.product.prodname_dotcom_the_website %}, which you can download using the REST API. The list of repositories is constantly growing and evolving to make sure that it includes the most interesting codebases for security research. -You can also analyze databases from {% data variables.product.prodname_dotcom_the_website %} using the {% data variables.product.prodname_codeql %} for {% data variables.product.prodname_vscode_shortname %} extension. For more information, see "[AUTOTITLE](/code-security/codeql-for-vs-code/getting-started-with-codeql-for-vs-code/running-codeql-queries)." +You can also analyze databases from {% data variables.product.prodname_dotcom_the_website %} using the {% data variables.product.prodname_codeql %} for {% data variables.product.prodname_vscode_shortname %} extension. For more information, see [AUTOTITLE](/code-security/codeql-for-vs-code/getting-started-with-codeql-for-vs-code/running-codeql-queries). You can check if a repository has any {% data variables.product.prodname_codeql %} databases available for download using the `/repos///code-scanning/codeql/databases` endpoint. For example, to check for {% data variables.product.prodname_codeql %} databases using the [{% data variables.product.prodname_cli %}](https://cli.github.com/manual/gh_api) you would run: diff --git a/content/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-and-working-with-codeql-packs.md b/content/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-and-working-with-codeql-packs.md index 5b43ee284c8d..1965228125eb 100644 --- a/content/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-and-working-with-codeql-packs.md +++ b/content/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-and-working-with-codeql-packs.md @@ -27,11 +27,11 @@ There are{% ifversion codeql-model-packs %} three{% else %} two{% endif %} types * Library packs are designed to be used by query packs (or other library packs) and do not contain queries themselves. The libraries are not compiled separately.{% ifversion codeql-model-packs %} -* Model packs can be used to expand {% data variables.product.prodname_code_scanning %} analysis to include dependencies that are not supported by default. Model packs are currently in {% data variables.release-phases.public_preview %} and subject to change. During the {% data variables.release-phases.public_preview %}, model packs are available for {% data variables.code-scanning.codeql_model_packs_support %} analysis. For more information about creating your own model packs, see "[Creating a {% data variables.product.prodname_codeql %} model pack](#creating-a-codeql-model-pack)."{% endif %} +* Model packs can be used to expand {% data variables.product.prodname_code_scanning %} analysis to include dependencies that are not supported by default. Model packs are currently in {% data variables.release-phases.public_preview %} and subject to change. During the {% data variables.release-phases.public_preview %}, model packs are available for {% data variables.code-scanning.codeql_model_packs_support %} analysis. For more information about creating your own model packs, see [Creating a {% data variables.product.prodname_codeql %} model pack](#creating-a-codeql-model-pack).{% endif %} -You can use the `pack` command in the {% data variables.product.prodname_codeql_cli %} to create {% data variables.product.prodname_codeql %} packs, add dependencies to packs, and install or update dependencies. You can also publish and download {% data variables.product.prodname_codeql %} packs using the `pack` command. For more information, see "[AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/publishing-and-using-codeql-packs)." +You can use the `pack` command in the {% data variables.product.prodname_codeql_cli %} to create {% data variables.product.prodname_codeql %} packs, add dependencies to packs, and install or update dependencies. You can also publish and download {% data variables.product.prodname_codeql %} packs using the `pack` command. For more information, see [AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/publishing-and-using-codeql-packs). -For more information about compatibility between published query packs and different {% data variables.product.prodname_codeql %} releases, see "[AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/publishing-and-using-codeql-packs#about-codeql-pack-compatibility)." +For more information about compatibility between published query packs and different {% data variables.product.prodname_codeql %} releases, see [AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/publishing-and-using-codeql-packs#about-codeql-pack-compatibility). The standard {% data variables.product.prodname_codeql %} packages for all supported languages are published in the [{% data variables.product.prodname_container_registry %}](https://github.com/orgs/codeql/packages). The [{% data variables.product.prodname_codeql %} repository](https://github.com/github/codeql) contains source files for the standard {% data variables.product.prodname_codeql %} packs for all supported languages. The core query packs, which are included in the {% data variables.product.prodname_codeql %} CLI bundle, but you can otherwise download, are: @@ -76,7 +76,7 @@ The `codeql pack init` command creates the directory structure and configuration {% data reusables.code-scanning.beta-model-packs %} -Model packs can be used to expand {% data variables.product.prodname_code_scanning %} analysis to recognize libraries and frameworks that are not supported by default. Model packs use data extensions, which are implemented as YAML and describe how to add data for new dependencies. When a model pack is specified, the data extensions in that pack will be added to the {% data variables.product.prodname_code_scanning %} analysis automatically. For more information about {% data variables.product.prodname_codeql %} model packs and data extensions, see "[AUTOTITLE](/code-security/codeql-for-vs-code/using-the-advanced-functionality-of-the-codeql-for-vs-code-extension/using-the-codeql-model-editor)." +Model packs can be used to expand {% data variables.product.prodname_code_scanning %} analysis to recognize libraries and frameworks that are not supported by default. Model packs use data extensions, which are implemented as YAML and describe how to add data for new dependencies. When a model pack is specified, the data extensions in that pack will be added to the {% data variables.product.prodname_code_scanning %} analysis automatically. For more information about {% data variables.product.prodname_codeql %} model packs and data extensions, see [AUTOTITLE](/code-security/codeql-for-vs-code/using-the-advanced-functionality-of-the-codeql-for-vs-code-extension/using-the-codeql-model-editor). A model pack is a {% data variables.product.prodname_codeql %} pack with the following characteristics in the `qlpack.yml` file: @@ -97,9 +97,9 @@ dataExtensions: - models/**/*.yml ``` -In this example, the model pack will inject all the data extensions in `models/**/` into a `codeql/java-all` query pack that is at a version from `1.2.3` up to and including `1.3.0`, and a `codeql/util` query pack that is at a version from `4.5.6` up to and including `4.6.0`. For more information, see "[Using semantic versioning](https://docs.npmjs.com/about-semantic-versioning#using-semantic-versioning-to-specify-update-types-your-package-can-accept)" in the npm documentation and the "[Semantic versioning specification](https://semver.org/)." +In this example, the model pack will inject all the data extensions in `models/**/` into a `codeql/java-all` query pack that is at a version from `1.2.3` up to and including `1.3.0`, and a `codeql/util` query pack that is at a version from `4.5.6` up to and including `4.6.0`. For more information, see [Using semantic versioning](https://docs.npmjs.com/about-semantic-versioning#using-semantic-versioning-to-specify-update-types-your-package-can-accept) in the npm documentation and the [Semantic versioning specification](https://semver.org/). -Once you've created a model pack, you can publish it in the same way as other {% data variables.product.prodname_codeql %} packs. For more information, see "[AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/publishing-and-using-codeql-packs)." You can then use published model packs in a {% data variables.product.prodname_code_scanning %} analysis with the `--model-packs` option. For more information, see "[AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/customizing-analysis-with-codeql-packs#using-model-packs-to-analyze-calls-to-custom-dependencies)." +Once you've created a model pack, you can publish it in the same way as other {% data variables.product.prodname_codeql %} packs. For more information, see [AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/publishing-and-using-codeql-packs). You can then use published model packs in a {% data variables.product.prodname_code_scanning %} analysis with the `--model-packs` option. For more information, see [AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/customizing-analysis-with-codeql-packs#using-model-packs-to-analyze-calls-to-custom-dependencies). {% endif %} @@ -127,8 +127,8 @@ codeql pack install This command downloads all dependencies to the shared cache on the local disk. > [!NOTE] -> * Running the `codeql pack add` and `codeql pack install` commands will generate or update the `codeql-pack.lock.yml` file. This file should be checked-in to version control. The `codeql-pack.lock.yml` file contains the precise version numbers used by the pack. For more information, see "[About codeql-pack.lock.yml files](/code-security/codeql-cli/getting-started-with-the-codeql-cli/customizing-analysis-with-codeql-packs##about-codeql-packlockyml-files)." -> * By default `codeql pack install` will install dependencies from the {% data variables.product.prodname_container_registry %} on {% data variables.product.prodname_dotcom_the_website %}. You can install dependencies from a {% data variables.product.prodname_ghe_server %} {% data variables.product.prodname_container_registry %} by creating a `qlconfig.yml` file. For more information, see "[AUTOTITLE](/enterprise-server@latest/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/publishing-and-using-codeql-packs)" in the {% data variables.product.prodname_ghe_server %} documentation. +> * Running the `codeql pack add` and `codeql pack install` commands will generate or update the `codeql-pack.lock.yml` file. This file should be checked-in to version control. The `codeql-pack.lock.yml` file contains the precise version numbers used by the pack. For more information, see [About codeql-pack.lock.yml files](/code-security/codeql-cli/getting-started-with-the-codeql-cli/customizing-analysis-with-codeql-packs##about-codeql-packlockyml-files). +> * By default `codeql pack install` will install dependencies from the {% data variables.product.prodname_container_registry %} on {% data variables.product.prodname_dotcom_the_website %}. You can install dependencies from a {% data variables.product.prodname_ghe_server %} {% data variables.product.prodname_container_registry %} by creating a `qlconfig.yml` file. For more information, see [AUTOTITLE](/enterprise-server@latest/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/publishing-and-using-codeql-packs) in the {% data variables.product.prodname_ghe_server %} documentation. ## Customizing a downloaded {% data variables.product.prodname_codeql %} pack diff --git a/content/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-codeql-query-suites.md b/content/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-codeql-query-suites.md index 54f485a44eb3..75db41d1229f 100644 --- a/content/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-codeql-query-suites.md +++ b/content/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-codeql-query-suites.md @@ -30,7 +30,7 @@ they appear in the query suite definition. After all the instructions in the suite definition have been executed, the result is a set of selected queries. > [!NOTE] -> Any custom queries that you want to add to a query suite must be in a "[{% data variables.product.prodname_codeql %} pack](/code-security/codeql-cli/getting-started-with-the-codeql-cli/customizing-analysis-with-codeql-packs)" and contain the correct query metadata. For more information, see "[Using custom queries with the {% data variables.product.prodname_codeql_cli %}](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/using-custom-queries-with-the-codeql-cli)." +> Any custom queries that you want to add to a query suite must be in a [{% data variables.product.prodname_codeql %} pack](/code-security/codeql-cli/getting-started-with-the-codeql-cli/customizing-analysis-with-codeql-packs) and contain the correct query metadata. For more information, see [Using custom queries with the {% data variables.product.prodname_codeql_cli %}](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/using-custom-queries-with-the-codeql-cli). ## Locating queries to add to a query suite @@ -132,7 +132,7 @@ regular expressions. When there is more than one metadata key, each key must be The standard metadata keys available to match on are: `description`, `id`, `kind`, `name`, `tags`, `precision`, and `problem.severity`. For more information about query metadata properties, see -"[Metadata for {% data variables.product.prodname_codeql %} queries](https://codeql.github.com/docs/writing-codeql-queries/metadata-for-codeql-queries/#metadata-for-codeql-queries)." +[Metadata for {% data variables.product.prodname_codeql %} queries](https://codeql.github.com/docs/writing-codeql-queries/metadata-for-codeql-queries/#metadata-for-codeql-queries). In addition to metadata tags, the keys in the constraint block can also be: @@ -239,7 +239,7 @@ use: ``` > [!NOTE] -> You can use the `codeql resolve queries /path/to/suite.qls` command to see which queries are selected by a query suite definition. For more information, see "[AUTOTITLE](/code-security/codeql-cli/codeql-cli-manual/resolve-queries)." +> You can use the `codeql resolve queries /path/to/suite.qls` command to see which queries are selected by a query suite definition. For more information, see [AUTOTITLE](/code-security/codeql-cli/codeql-cli-manual/resolve-queries). ## Reusing existing query suite definitions @@ -365,7 +365,7 @@ instruction: ## Saving a query suite Save your query suite in a file with a `.qls` extension and add it to a {% data variables.product.prodname_codeql %} -pack. For more information, see "[AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/customizing-analysis-with-codeql-packs#custom-codeql-packs)." +pack. For more information, see [AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/customizing-analysis-with-codeql-packs#custom-codeql-packs). ## Using query suites with {% data variables.product.prodname_codeql %} @@ -373,8 +373,8 @@ You can specify query suites on the command line for any command that accepts `.qls` files. For example, you can compile the queries selected by a suite definition using `query compile`, or use the queries in an analysis using `database analyze`. For more information about analyzing {% data variables.product.prodname_codeql %} databases, see -"[AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/analyzing-your-code-with-codeql-queries)." +[AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/analyzing-your-code-with-codeql-queries). ## Further reading -* "[{% data variables.product.prodname_codeql %} queries](https://codeql.github.com/docs/writing-codeql-queries/codeql-queries/#codeql-queries)" +* [{% data variables.product.prodname_codeql %} queries](https://codeql.github.com/docs/writing-codeql-queries/codeql-queries/#codeql-queries) diff --git a/content/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/csv-output.md b/content/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/csv-output.md index 0776af792025..04e94114d7de 100644 --- a/content/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/csv-output.md +++ b/content/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/csv-output.md @@ -15,7 +15,7 @@ topics: ## About CSV output -You can save analysis results from the {% data variables.product.prodname_codeql_cli %} in a number of different formats, including SARIF and CSV. We do generally recommend SARIF because it is a standard output for static analysis tools and easier to parse. You can also upload SARIF files to {% data variables.product.product_name %}. However, CSV format may be useful if you need to further process the analysis results using your own tools. For more information on selecting a file format for your analysis results, see "[AUTOTITLE](/code-security/codeql-cli/codeql-cli-manual/database-analyze)." +You can save analysis results from the {% data variables.product.prodname_codeql_cli %} in a number of different formats, including SARIF and CSV. We do generally recommend SARIF because it is a standard output for static analysis tools and easier to parse. You can also upload SARIF files to {% data variables.product.product_name %}. However, CSV format may be useful if you need to further process the analysis results using your own tools. For more information on selecting a file format for your analysis results, see [AUTOTITLE](/code-security/codeql-cli/codeql-cli-manual/database-analyze). For more information about the SARIF format, see [AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/sarif-output). diff --git a/content/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/exit-codes.md b/content/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/exit-codes.md index 41ee61c75c68..886afde02790 100644 --- a/content/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/exit-codes.md +++ b/content/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/exit-codes.md @@ -28,7 +28,7 @@ Success, normal termination. The command successfully determined that the answer to your question is "no". -This exit code is only used by a few commands, such as "[AUTOTITLE](/code-security/codeql-cli/codeql-cli-manual/test-run)", "[AUTOTITLE](/code-security/codeql-cli/codeql-cli-manual/dataset-check)", "[AUTOTITLE](/code-security/codeql-cli/codeql-cli-manual/query-format)",and "[AUTOTITLE](/code-security/codeql-cli/codeql-cli-manual/resolve-extractor)." +This exit code is only used by a few commands, such as [AUTOTITLE](/code-security/codeql-cli/codeql-cli-manual/test-run), [AUTOTITLE](/code-security/codeql-cli/codeql-cli-manual/dataset-check), [AUTOTITLE](/code-security/codeql-cli/codeql-cli-manual/query-format),and [AUTOTITLE](/code-security/codeql-cli/codeql-cli-manual/resolve-extractor). For more details, see the documentation for those commands. ## 2 @@ -46,7 +46,7 @@ In this case, the launcher can’t start the Java code for the {% data variables ## 32 -The extractor didn’t find any code to analyze when running "[AUTOTITLE](/code-security/codeql-cli/codeql-cli-manual/database-create)" or "[AUTOTITLE](/code-security/codeql-cli/codeql-cli-manual/database-finalize)." +The extractor didn’t find any code to analyze when running [AUTOTITLE](/code-security/codeql-cli/codeql-cli-manual/database-create) or [AUTOTITLE](/code-security/codeql-cli/codeql-cli-manual/database-finalize). ## 33 diff --git a/content/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/publishing-and-using-codeql-packs.md b/content/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/publishing-and-using-codeql-packs.md index 0674c522c59d..ceaad9b38c79 100644 --- a/content/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/publishing-and-using-codeql-packs.md +++ b/content/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/publishing-and-using-codeql-packs.md @@ -39,7 +39,7 @@ registries: The {% data variables.product.prodname_codeql_cli %} will determine which registry to use for a given package name by finding the first item in the `registries` list with a `packages` property that matches that package name. This means that you’ll generally want to define the most specific package name patterns first. The `packages` property may be a single package name, a glob pattern, or a YAML list of package names and glob patterns. -The `registries` list can also be placed inside a `codeql-workspace.yml` file. Doing so will allow you to define the registries to be used within a specific workspace, so that it can be shared amongst other {% data variables.product.prodname_codeql %} users of the workspace. The `registries` list in `codeql-workspace.yml` will be merged with and take precedence over the list in the global `qlconfig.yml`. For more information about `codeql-workspace.yml`, see "[AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/about-codeql-workspaces#about-codeql-workspaces)." +The `registries` list can also be placed inside a `codeql-workspace.yml` file. Doing so will allow you to define the registries to be used within a specific workspace, so that it can be shared amongst other {% data variables.product.prodname_codeql %} users of the workspace. The `registries` list in `codeql-workspace.yml` will be merged with and take precedence over the list in the global `qlconfig.yml`. For more information about `codeql-workspace.yml`, see [AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/about-codeql-workspaces#about-codeql-workspaces). You can now use `codeql pack publish`, `codeql pack download`, and `codeql database analyze` to manage packs on {% data variables.enterprise.gh_enterprise %}. @@ -116,7 +116,7 @@ codeql pack publish The published package will be displayed in the packages section of {% data variables.product.prodname_dotcom %} organization specified by the scope in the `qlpack.yml` file. > [!NOTE] -> If you're publishing model packs to the {% data variables.product.prodname_dotcom %} {% data variables.product.prodname_container_registry %} in order to extend coverage to all repositories in an organization as part of a default setup configuration, then you need to ensure that repositories running code scanning can access those model packs. For more information, see "[AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/editing-your-configuration-of-default-setup)" and "[AUTOTITLE](/packages/learn-github-packages/configuring-a-packages-access-control-and-visibility)." +> If you're publishing model packs to the {% data variables.product.prodname_dotcom %} {% data variables.product.prodname_container_registry %} in order to extend coverage to all repositories in an organization as part of a default setup configuration, then you need to ensure that repositories running code scanning can access those model packs. For more information, see [AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/editing-your-configuration-of-default-setup) and [AUTOTITLE](/packages/learn-github-packages/configuring-a-packages-access-control-and-visibility). ## Running `codeql pack download /` @@ -162,7 +162,7 @@ codeql analyze / / ``` > [!NOTE] -> The `codeql pack download` command stores the pack it downloads in an internal location that is not intended for local modification. Unexpected (and hard to troubleshoot) behavior may result if the pack is modified after downloading. For more information about customizing packs, see "[AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-and-working-with-codeql-packs)." +> The `codeql pack download` command stores the pack it downloads in an internal location that is not intended for local modification. Unexpected (and hard to troubleshoot) behavior may result if the pack is modified after downloading. For more information about customizing packs, see [AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-and-working-with-codeql-packs). ## About {% data variables.product.prodname_codeql %} pack compatibility @@ -247,7 +247,7 @@ The following properties are supported in `qlpack.yml` files. If you are unsure or it does not matter which version should be used, then you can use `"*"`, which indicates that any version of this dependency is compatible with this pack. In practice, this will usually resolve to the highest published version of the dependency. - There is a special version placeholder, `${workspace}`, which indicates that this {% data variables.product.prodname_codeql %} pack depends on whatever version of the dependency is in the same workspace. For more information, see "[AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/about-codeql-workspaces#using-workspace-as-a-version-range-in-qlpackyml-files)." + There is a special version placeholder, `${workspace}`, which indicates that this {% data variables.product.prodname_codeql %} pack depends on whatever version of the dependency is in the same workspace. For more information, see [AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/about-codeql-workspaces#using-workspace-as-a-version-range-in-qlpackyml-files). #### `defaultSuiteFile` @@ -323,7 +323,7 @@ The following properties are supported in `qlpack.yml` files. #### `extractor` * Required by all packs containing {% data variables.product.prodname_codeql %} tests. -* Defines the {% data variables.product.prodname_codeql %} language extractor to use when running the {% data variables.product.prodname_codeql %} tests in the pack. For more information about testing queries, see "[AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/testing-custom-queries)." For example: +* Defines the {% data variables.product.prodname_codeql %} language extractor to use when running the {% data variables.product.prodname_codeql %} tests in the pack. For more information about testing queries, see [AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/testing-custom-queries). For example: ```yaml extractor: {% ifversion codeql-language-identifiers-311 %}javascript-typescript{% else %}javascript{% endif %} @@ -417,13 +417,13 @@ dependencies: version: 1.2.4 ``` -The `codeql/cpp-all` dependency is locked to version 0.1.4. The `my-user/my-lib` dependency is locked to version 0.2.4. The `my-user/transitive-dependency`, which is a transitive dependency and is not specified in the `qlpack.yml` file, is locked to version 1.2.4. The `other-dependency/from-source` is absent from the lock file since it is resolved from source. This dependency must be available in the same {% data variables.product.prodname_codeql %} workspace as the pack. For more information about {% data variables.product.prodname_codeql %} workspaces and resolving dependencies from source, see "[AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/about-codeql-workspaces)." +The `codeql/cpp-all` dependency is locked to version 0.1.4. The `my-user/my-lib` dependency is locked to version 0.2.4. The `my-user/transitive-dependency`, which is a transitive dependency and is not specified in the `qlpack.yml` file, is locked to version 1.2.4. The `other-dependency/from-source` is absent from the lock file since it is resolved from source. This dependency must be available in the same {% data variables.product.prodname_codeql %} workspace as the pack. For more information about {% data variables.product.prodname_codeql %} workspaces and resolving dependencies from source, see [AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/about-codeql-workspaces). In most cases, the `codeql-pack.lock.yml` file is only relevant for query packs since library packs are non-executable and usually do not need their transitive dependencies to be fixed. The exception to this is for library packs that contain tests. In this case, the `codeql-pack.lock.yml` file is used to ensure that the tests are always run with the same versions of dependencies to avoid spurious failures when there are mismatched dependencies. ## Examples of custom {% data variables.product.prodname_codeql %} packs -When you write custom queries or tests, you should save them in custom {% data variables.product.prodname_codeql %} packs. For simplicity, try to organize each pack logically. For more information, see "[AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-and-working-with-codeql-packs#codeql-pack-structure)." Save files for queries and tests in separate packs and, where possible, organize custom packs into specific folders for each target language. This is particularly useful if you intend to publish your {% data variables.product.prodname_codeql %} packs so they can be shared with others or used in code scanning. For more information, see "[AUTOTITLE](/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning-with-codeql)." +When you write custom queries or tests, you should save them in custom {% data variables.product.prodname_codeql %} packs. For simplicity, try to organize each pack logically. For more information, see [AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-and-working-with-codeql-packs#codeql-pack-structure). Save files for queries and tests in separate packs and, where possible, organize custom packs into specific folders for each target language. This is particularly useful if you intend to publish your {% data variables.product.prodname_codeql %} packs so they can be shared with others or used in code scanning. For more information, see [AUTOTITLE](/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning-with-codeql). ### {% data variables.product.prodname_codeql %} packs for custom libraries @@ -463,7 +463,7 @@ databases. You may also wish to specify the `tests` property. {% data reusables.codeql-cli.test-qlpack %} -For more information about running tests, see "[AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/testing-custom-queries)." +For more information about running tests, see [AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/testing-custom-queries). ## Examples of {% data variables.product.prodname_codeql %} packs in the {% data variables.product.prodname_codeql %} repository @@ -515,7 +515,7 @@ defaultSuiteFile: codeql-suites/cpp-code-scanning.qls Some extra notes on the following properties: -* `dependencies`: This query pack depends on `codeql/cpp-all` and `codeql/suite-helpers`. Since these dependencies are resolved from source, it does not matter what version of the {% data variables.product.prodname_codeql %} pack they are compatible with. For more information about resolving dependencies from source, see "[Source Dependencies](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/about-codeql-workspaces#source-dependencies)." +* `dependencies`: This query pack depends on `codeql/cpp-all` and `codeql/suite-helpers`. Since these dependencies are resolved from source, it does not matter what version of the {% data variables.product.prodname_codeql %} pack they are compatible with. For more information about resolving dependencies from source, see [Source Dependencies](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/about-codeql-workspaces#source-dependencies). * `suites`: Indicates the directory containing "well-known" query suites. diff --git a/content/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/query-reference-files.md b/content/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/query-reference-files.md index b16ada3d58a3..644f6c78bca7 100644 --- a/content/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/query-reference-files.md +++ b/content/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/query-reference-files.md @@ -58,4 +58,4 @@ to the `codeql/javascript-queries` {% data variables.product.prodname_codeql %} AngularJS/DeadAngularJSEventListener.ql ``` -For another example, see "[AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/testing-custom-queries)." +For another example, see [AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/testing-custom-queries). diff --git a/content/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/sarif-output.md b/content/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/sarif-output.md index 2cbddbf6b20c..aa7c8fac0c90 100644 --- a/content/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/sarif-output.md +++ b/content/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/sarif-output.md @@ -19,7 +19,7 @@ redirect_from: ## About SARIF output SARIF is designed to represent the output of a broad range of static analysis tools, and there are many features in the SARIF specification that are -considered "optional". This document details the output produced when using the format type `sarifv2.1.0`, which corresponds to the SARIF v2.1.0.csd1 specification. For more information on selecting a file format for your analysis results, see "[AUTOTITLE](/code-security/codeql-cli/codeql-cli-manual/database-analyze)." +considered "optional". This document details the output produced when using the format type `sarifv2.1.0`, which corresponds to the SARIF v2.1.0.csd1 specification. For more information on selecting a file format for your analysis results, see [AUTOTITLE](/code-security/codeql-cli/codeql-cli-manual/database-analyze). ## SARIF specification and schema diff --git a/content/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/testing-custom-queries.md b/content/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/testing-custom-queries.md index df278e4784f5..11e6ebbaa6e1 100644 --- a/content/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/testing-custom-queries.md +++ b/content/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/testing-custom-queries.md @@ -41,7 +41,7 @@ extractor: The `dependencies` value specifies the {% data variables.product.prodname_codeql %} packs containing queries to test. Typically, these packs will be resolved from source, and so it is not necessary -to specify a fixed version of the pack. The `extractor` defines which language the CLI will use to create test databases from the code files stored in this {% data variables.product.prodname_codeql %} pack. For more information, see "[AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/customizing-analysis-with-codeql-packs)." +to specify a fixed version of the pack. The `extractor` defines which language the CLI will use to create test databases from the code files stored in this {% data variables.product.prodname_codeql %} pack. For more information, see [AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/customizing-analysis-with-codeql-packs). You may find it useful to look at the way query tests are organized in the [{% data variables.product.prodname_codeql %} repository](https://github.com/github/codeql). Each language has a `src` directory, `ql//ql/src`, that contains libraries and queries for analyzing codebases. Alongside the `src` directory, there is a `test` directory with tests for these libraries and queries. @@ -64,7 +64,7 @@ This will generate a `codeql-pack.lock.yml` file that specifies all of the trans For each query you want to test, you should create a sub-directory in the test {% data variables.product.prodname_codeql %} pack. Then add the following files to the subdirectory before you run the test command: -* A query reference file (`.qlref` file) defining the location of the query to test. The location is defined relative to the root of the {% data variables.product.prodname_codeql %} pack that contains the query. Usually, this is a {% data variables.product.prodname_codeql %} pack specified in the `dependencies` block of the test pack. For more information, see "[AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/query-reference-files)." +* A query reference file (`.qlref` file) defining the location of the query to test. The location is defined relative to the root of the {% data variables.product.prodname_codeql %} pack that contains the query. Usually, this is a {% data variables.product.prodname_codeql %} pack specified in the `dependencies` block of the test pack. For more information, see [AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/query-reference-files). You do not need to add a query reference file if the query you want to test is stored in the test directory, but it is generally good practice to store queries separately from tests. The only exception is unit tests for QL libraries, which tend to be stored in test packs, separate from queries that generate alerts or paths. @@ -100,7 +100,7 @@ You can also specify: * `--threads:` optionally, the number of threads to use when running queries. The default option is `1`. You can specify more threads to speed up query execution. Specifying `0` matches the number of threads to the number of logical processors. -For full details of all the options you can use when testing queries, see "[AUTOTITLE](/code-security/codeql-cli/codeql-cli-manual/test-run)." +For full details of all the options you can use when testing queries, see [AUTOTITLE](/code-security/codeql-cli/codeql-cli-manual/test-run). ## Example @@ -135,7 +135,7 @@ other custom queries. For example, `custom-queries/java/queries/EmptyThen.ql`. codeql/java-queries: "*" ``` - For more information about {% data variables.product.prodname_codeql %} packs, see "[AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/customizing-analysis-with-codeql-packs)." + For more information about {% data variables.product.prodname_codeql %} packs, see [AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/customizing-analysis-with-codeql-packs). 1. Create a {% data variables.product.prodname_codeql %} pack for your Java tests by adding a `qlpack.yml` file with the following contents to `custom-queries/java/tests`, updating the `dependencies` to match the name of your {% data variables.product.prodname_codeql %} pack of custom queries: @@ -188,7 +188,7 @@ When the test runs, it: `codeql test run --search-path=java java/tests/EmptyThen` - For information about saving the search path as part of your configuration, see "[AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/specifying-command-options-in-a-codeql-configuration-file)." + For information about saving the search path as part of your configuration, see [AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/specifying-command-options-in-a-codeql-configuration-file). 1. Executes the test by running the query and generating an `EmptyThen.actual` results file. @@ -224,9 +224,9 @@ This information may be sufficient to debug trivial test failures. For failures that are harder to debug, you can import `EmptyThen.testproj` into {% data variables.product.prodname_codeql %} for {% data variables.product.prodname_vscode_shortname %}, execute `EmptyThen.ql`, and view the results in the -`Test.java` example code. For more information, see "[AUTOTITLE](/code-security/codeql-for-vs-code/getting-started-with-codeql-for-vs-code/managing-codeql-databases#choosing-a-database-to-analyze)." +`Test.java` example code. For more information, see [AUTOTITLE](/code-security/codeql-for-vs-code/getting-started-with-codeql-for-vs-code/managing-codeql-databases#choosing-a-database-to-analyze). ## Further reading * [{% data variables.product.prodname_codeql %} queries](https://codeql.github.com/docs/writing-codeql-queries/codeql-queries/#codeql-queries) -* "[AUTOTITLE](/code-security/codeql-for-vs-code/using-the-advanced-functionality-of-the-codeql-for-vs-code-extension/testing-codeql-queries-in-vs-code)." +* [AUTOTITLE](/code-security/codeql-for-vs-code/using-the-advanced-functionality-of-the-codeql-for-vs-code-extension/testing-codeql-queries-in-vs-code). diff --git a/content/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/testing-query-help-files.md b/content/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/testing-query-help-files.md index b3db92660a84..27f3f98512d4 100644 --- a/content/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/testing-query-help-files.md +++ b/content/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/testing-query-help-files.md @@ -24,7 +24,7 @@ Test query help files by rendering them as Markdown to ensure they are valid bef Query help is documentation that accompanies a query to explain how the query works, as well as providing information about the potential problem that the query identifies. It is good practice to write query help for all new queries. For more information, see [Contributing to {% data variables.product.prodname_codeql %}](https://github.com/github/codeql/blob/main/CONTRIBUTING.md) in the {% data variables.product.prodname_codeql %} repository. The {% data variables.product.prodname_codeql_cli %} includes a command to test query help and render the content as markdown, so that you can easily preview the content in your IDE. Use the command to validate query help files before uploading them to the {% data variables.product.prodname_codeql %} repository or sharing them with other users. From {% data variables.product.prodname_codeql_cli %} 2.7.1 onwards, you can also include the markdown-rendered query help in SARIF files -generated during {% data variables.product.prodname_codeql %} analyses so that the query help can be displayed in the code scanning UI. For more information, see "[AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/analyzing-your-code-with-codeql-queries)." +generated during {% data variables.product.prodname_codeql %} analyses so that the query help can be displayed in the code scanning UI. For more information, see [AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/analyzing-your-code-with-codeql-queries). ## Prerequisites @@ -48,7 +48,7 @@ The `--output` option defines a file path where the rendered query help will be * For directories containing `.qhelp` files or a query suites defining one or more `.qhelp` files, you must specify an `--output` directory. Filenames within the output directory will be derived from the `.qhelp` file names. * For single `.qhelp` or `.ql` files, you may specify an `--output` option. If you don’t specify an output path, the rendered query help is written to `stdout`. -For full details of all the options you can use when testing query help files, see "[AUTOTITLE](/code-security/codeql-cli/codeql-cli-manual/generate-query-help)." +For full details of all the options you can use when testing query help files, see [AUTOTITLE](/code-security/codeql-cli/codeql-cli-manual/generate-query-help). ## Results @@ -60,8 +60,8 @@ By default, the {% data variables.product.prodname_codeql_cli %} will print a wa * Any `.qhelp` files specified in the command don’t have the same base name as an accompanying `.ql` file * Any `.ql` files specified in the command don’t have the same base name as an accompanying `.qhelp` file -You can tell the {% data variables.product.prodname_codeql_cli %} how to handle these warnings by including a `--warnings` option in your command. For more information, see "[AUTOTITLE](/code-security/codeql-cli/codeql-cli-manual/generate-query-help#--warningsmode)." +You can tell the {% data variables.product.prodname_codeql_cli %} how to handle these warnings by including a `--warnings` option in your command. For more information, see [AUTOTITLE](/code-security/codeql-cli/codeql-cli-manual/generate-query-help#--warningsmode). ## Further reading -* "[Query help files](https://codeql.github.com/docs/writing-codeql-queries/query-help-files/#query-help-files)" +* [Query help files](https://codeql.github.com/docs/writing-codeql-queries/query-help-files/#query-help-files) diff --git a/content/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/using-custom-queries-with-the-codeql-cli.md b/content/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/using-custom-queries-with-the-codeql-cli.md index 8f47129b6a9c..e1414f268f59 100644 --- a/content/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/using-custom-queries-with-the-codeql-cli.md +++ b/content/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/using-custom-queries-with-the-codeql-cli.md @@ -29,7 +29,7 @@ This topic is specifically about writing queries to use with the [AUTOTITLE](/co ## Writing a valid query -Before running a custom analysis you need to write a valid query, and save it in a file with a `.ql` extension. There is extensive documentation available to help you write queries. For more information, see "[{% data variables.product.prodname_codeql %} queries](https://codeql.github.com/docs/writing-codeql-queries/codeql-queries/#codeql-queries)." +Before running a custom analysis you need to write a valid query, and save it in a file with a `.ql` extension. There is extensive documentation available to help you write queries. For more information, see [{% data variables.product.prodname_codeql %} queries](https://codeql.github.com/docs/writing-codeql-queries/codeql-queries/#codeql-queries). ## Including query metadata @@ -41,20 +41,20 @@ When running queries with the `database analyze` command, you must include the f * Query type (`@kind`): identifies the query as a simple alert (`@kind problem`), an alert documented by a sequence of code locations (`@kind path-problem`), for extractor troubleshooting (`@kind diagnostic`), or a summary metric (`@kind metric` and `@tags summary`). -For more information about these metadata properties, see "[Metadata for {% data variables.product.prodname_codeql %} queries](https://codeql.github.com/docs/writing-codeql-queries/metadata-for-codeql-queries/#metadata-for-codeql-queries)" and the [Query metadata style guide](https://github.com/github/codeql/blob/main/docs/query-metadata-style-guide.md). +For more information about these metadata properties, see [Metadata for {% data variables.product.prodname_codeql %} queries](https://codeql.github.com/docs/writing-codeql-queries/metadata-for-codeql-queries/#metadata-for-codeql-queries) and the [Query metadata style guide](https://github.com/github/codeql/blob/main/docs/query-metadata-style-guide.md). > [!NOTE] -> Metadata requirements may differ if you want to use your query with other applications. For more information, see "[Metadata for {% data variables.product.prodname_codeql %} queries](https://codeql.github.com/docs/writing-codeql-queries/metadata-for-codeql-queries/#metadata-for-codeql-queries)." +> Metadata requirements may differ if you want to use your query with other applications. For more information, see [Metadata for {% data variables.product.prodname_codeql %} queries](https://codeql.github.com/docs/writing-codeql-queries/metadata-for-codeql-queries/#metadata-for-codeql-queries). ## Packaging custom QL queries -When you write your own queries with the intention to share them with others, you should save them in a custom {% data variables.product.prodname_codeql %} pack. You can publish the pack as a {% data variables.product.prodname_codeql %} pack to {% data variables.product.prodname_registry %} - the {% data variables.product.prodname_dotcom %} {% data variables.product.prodname_container_registry %}. For more information, see "[AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/customizing-analysis-with-codeql-packs)." +When you write your own queries with the intention to share them with others, you should save them in a custom {% data variables.product.prodname_codeql %} pack. You can publish the pack as a {% data variables.product.prodname_codeql %} pack to {% data variables.product.prodname_registry %} - the {% data variables.product.prodname_dotcom %} {% data variables.product.prodname_container_registry %}. For more information, see [AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/customizing-analysis-with-codeql-packs). {% data variables.product.prodname_codeql %} packs organize the files used in {% data variables.product.prodname_codeql %} analysis and can store queries, library files, query suites, and important metadata. Their root directory must contain a file named `qlpack.yml`. Your custom queries should be saved in the {% data variables.product.prodname_codeql %} pack root, or its subdirectories. -For each {% data variables.product.prodname_codeql %} pack, the `qlpack.yml` file includes information that tells the {% data variables.product.prodname_codeql_cli %} how to compile the queries, which other {% data variables.product.prodname_codeql %} packs and libraries the pack depends on, and where to find query suite definitions. For more information about what to include in this file, see "[AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/customizing-analysis-with-codeql-packs#codeqlpack-yml-properties)." +For each {% data variables.product.prodname_codeql %} pack, the `qlpack.yml` file includes information that tells the {% data variables.product.prodname_codeql_cli %} how to compile the queries, which other {% data variables.product.prodname_codeql %} packs and libraries the pack depends on, and where to find query suite definitions. For more information about what to include in this file, see [AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/customizing-analysis-with-codeql-packs#codeqlpack-yml-properties). ## Including query help for custom {% data variables.product.prodname_codeql %} queries in SARIF files @@ -72,8 +72,8 @@ corresponding query. Alternatively, for consistency with the standard {% data va you can write query help in the `.qhelp` format. Query help written in `.qhelp` files can’t be included in SARIF files, and they can’t be processed by code scanning so must be converted to markdown before running -the analysis. For more information, see "[Query help files](https://codeql.github.com/docs/writing-codeql-queries/query-help-files/#query-help-files)" -and "[AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/testing-query-help-files)." +the analysis. For more information, see [Query help files](https://codeql.github.com/docs/writing-codeql-queries/query-help-files/#query-help-files) +and [AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/testing-query-help-files). ## Contributing to the {% data variables.product.prodname_codeql %} repository @@ -83,4 +83,4 @@ If you would like to share your query with other {% data variables.product.prodn ## Further reading -* "[{% data variables.product.prodname_codeql %} queries](https://codeql.github.com/docs/writing-codeql-queries/codeql-queries/#codeql-queries)" +* [{% data variables.product.prodname_codeql %} queries](https://codeql.github.com/docs/writing-codeql-queries/codeql-queries/#codeql-queries) diff --git a/content/code-security/codeql-for-vs-code/getting-started-with-codeql-for-vs-code/about-codeql-for-vs-code.md b/content/code-security/codeql-for-vs-code/getting-started-with-codeql-for-vs-code/about-codeql-for-vs-code.md index da7e73b023c4..a3ec762123dc 100644 --- a/content/code-security/codeql-for-vs-code/getting-started-with-codeql-for-vs-code/about-codeql-for-vs-code.md +++ b/content/code-security/codeql-for-vs-code/getting-started-with-codeql-for-vs-code/about-codeql-for-vs-code.md @@ -18,7 +18,7 @@ redirect_from: ## About {% data variables.product.prodname_codeql %} for {% data variables.product.prodname_vscode %} -You can run {% data variables.product.prodname_codeql %} queries on databases generated from source code, in order to find errors and security vulnerabilities in a codebase. For more information about {% data variables.product.prodname_codeql %} {% data variables.product.prodname_code_scanning %}, see "[AUTOTITLE](/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning-with-codeql)." +You can run {% data variables.product.prodname_codeql %} queries on databases generated from source code, in order to find errors and security vulnerabilities in a codebase. For more information about {% data variables.product.prodname_codeql %} {% data variables.product.prodname_code_scanning %}, see [AUTOTITLE](/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning-with-codeql). With the {% data variables.product.prodname_codeql %} for {% data variables.product.prodname_vscode %} extension, you can: @@ -47,14 +47,14 @@ You can also use the {% data variables.product.prodname_vscode_shortname %} **Fo ### The {% data variables.product.prodname_vscode_command_palette_shortname %} -You can run commands for the {% data variables.product.prodname_codeql %} for {% data variables.product.prodname_vscode %} extension from the {% data variables.product.prodname_vscode_command_palette_shortname %}. For more information about the {% data variables.product.prodname_vscode_command_palette_shortname %}, see "[User Interface](https://code.visualstudio.com/docs/getstarted/userinterface#_command-palette)" in the {% data variables.product.prodname_vscode_shortname %} documentation. +You can run commands for the {% data variables.product.prodname_codeql %} for {% data variables.product.prodname_vscode %} extension from the {% data variables.product.prodname_vscode_command_palette_shortname %}. For more information about the {% data variables.product.prodname_vscode_command_palette_shortname %}, see [User Interface](https://code.visualstudio.com/docs/getstarted/userinterface#_command-palette) in the {% data variables.product.prodname_vscode_shortname %} documentation. ## Data and telemetry -If you specifically opt in to permit {% data variables.product.prodname_dotcom %} to do so, {% data variables.product.prodname_dotcom %} will collect usage data and metrics for the purposes of helping the core developers to improve the {% data variables.product.prodname_codeql %} for {% data variables.product.prodname_vscode %} extension. For more information, see "[AUTOTITLE](/code-security/codeql-for-vs-code/using-the-advanced-functionality-of-the-codeql-for-vs-code-extension/telemetry-in-codeql-for-visual-studio-code)." +If you specifically opt in to permit {% data variables.product.prodname_dotcom %} to do so, {% data variables.product.prodname_dotcom %} will collect usage data and metrics for the purposes of helping the core developers to improve the {% data variables.product.prodname_codeql %} for {% data variables.product.prodname_vscode %} extension. For more information, see [AUTOTITLE](/code-security/codeql-for-vs-code/using-the-advanced-functionality-of-the-codeql-for-vs-code-extension/telemetry-in-codeql-for-visual-studio-code). {% data reusables.code-scanning.codeql-license %} ## Next steps -To learn about how to install the {% data variables.product.prodname_codeql %} for {% data variables.product.prodname_vscode %} extension, see "[AUTOTITLE](/code-security/codeql-for-vs-code/getting-started-with-codeql-for-vs-code/installing-codeql-for-vs-code)." +To learn about how to install the {% data variables.product.prodname_codeql %} for {% data variables.product.prodname_vscode %} extension, see [AUTOTITLE](/code-security/codeql-for-vs-code/getting-started-with-codeql-for-vs-code/installing-codeql-for-vs-code). diff --git a/content/code-security/codeql-for-vs-code/getting-started-with-codeql-for-vs-code/exploring-data-flow-with-path-queries.md b/content/code-security/codeql-for-vs-code/getting-started-with-codeql-for-vs-code/exploring-data-flow-with-path-queries.md index 16950909355f..533274a7c0cd 100644 --- a/content/code-security/codeql-for-vs-code/getting-started-with-codeql-for-vs-code/exploring-data-flow-with-path-queries.md +++ b/content/code-security/codeql-for-vs-code/getting-started-with-codeql-for-vs-code/exploring-data-flow-with-path-queries.md @@ -19,9 +19,9 @@ redirect_from: A path query is a {% data variables.product.prodname_codeql %} query with the property `@kind path-problem`. You can find a number of these in the standard {% data variables.product.prodname_codeql %} libraries. -You can run the standard {% data variables.product.prodname_codeql %} path queries to identify security vulnerabilities and manually look through the results. For more information about how {% data variables.product.prodname_codeql %} tracks data flow, see "[About data flow analysis](https://codeql.github.com/docs/writing-codeql-queries/about-data-flow-analysis/)" in the {% data variables.product.prodname_codeql %} documentation. +You can run the standard {% data variables.product.prodname_codeql %} path queries to identify security vulnerabilities and manually look through the results. For more information about how {% data variables.product.prodname_codeql %} tracks data flow, see [About data flow analysis](https://codeql.github.com/docs/writing-codeql-queries/about-data-flow-analysis/) in the {% data variables.product.prodname_codeql %} documentation. -Once you're familiar with data flow analysis and existing queries, you can write your own path queries in {% data variables.product.prodname_codeql %}. For more information, see "[Next steps](#next-steps)." +Once you're familiar with data flow analysis and existing queries, you can write your own path queries in {% data variables.product.prodname_codeql %}. For more information, see [Next steps](#next-steps). ## Running path queries in {% data variables.product.prodname_vscode_shortname %} locally @@ -35,8 +35,8 @@ Once you're familiar with data flow analysis and existing queries, you can write {% ifversion codeql-vs-code-mrva %} -When you are ready to run a path query at scale, you can use the "Variant Analysis Repositories" view to run the query against up to 1,000 repositories on {% data variables.product.prodname_dotcom_the_website %}. For more information, see "[AUTOTITLE](/code-security/codeql-for-vs-code/getting-started-with-codeql-for-vs-code/running-codeql-queries-at-scale-with-multi-repository-variant-analysis)." +When you are ready to run a path query at scale, you can use the "Variant Analysis Repositories" view to run the query against up to 1,000 repositories on {% data variables.product.prodname_dotcom_the_website %}. For more information, see [AUTOTITLE](/code-security/codeql-for-vs-code/getting-started-with-codeql-for-vs-code/running-codeql-queries-at-scale-with-multi-repository-variant-analysis). {% endif %} -For information about how to use the correct format and metadata for your own path queries, see "[Creating path queries](https://codeql.github.com/docs/writing-codeql-queries/creating-path-queries/#creating-path-queries)" in the {% data variables.product.prodname_codeql %} documentation. The {% data variables.product.prodname_codeql %} documentation also contains detailed information about how to define new sources and sinks, as well as templates and examples of how to extend the standard {% data variables.product.prodname_codeql %} libraries to suit your analysis. +For information about how to use the correct format and metadata for your own path queries, see [Creating path queries](https://codeql.github.com/docs/writing-codeql-queries/creating-path-queries/#creating-path-queries) in the {% data variables.product.prodname_codeql %} documentation. The {% data variables.product.prodname_codeql %} documentation also contains detailed information about how to define new sources and sinks, as well as templates and examples of how to extend the standard {% data variables.product.prodname_codeql %} libraries to suit your analysis. diff --git a/content/code-security/codeql-for-vs-code/getting-started-with-codeql-for-vs-code/installing-codeql-for-vs-code.md b/content/code-security/codeql-for-vs-code/getting-started-with-codeql-for-vs-code/installing-codeql-for-vs-code.md index 7900bb7323fa..e5a3554dc626 100644 --- a/content/code-security/codeql-for-vs-code/getting-started-with-codeql-for-vs-code/installing-codeql-for-vs-code.md +++ b/content/code-security/codeql-for-vs-code/getting-started-with-codeql-for-vs-code/installing-codeql-for-vs-code.md @@ -55,16 +55,16 @@ You can install the {% data variables.product.prodname_codeql %} for {% data var ## Next steps -To learn how to work with {% data variables.product.prodname_codeql %} databases in the extension, see "[AUTOTITLE](/code-security/codeql-for-vs-code/getting-started-with-codeql-for-vs-code/managing-codeql-databases)." +To learn how to work with {% data variables.product.prodname_codeql %} databases in the extension, see [AUTOTITLE](/code-security/codeql-for-vs-code/getting-started-with-codeql-for-vs-code/managing-codeql-databases). -If you have already found, downloaded, or created a {% data variables.product.prodname_codeql %} database, you can learn how to use the extension to run queries on {% data variables.product.prodname_codeql %} databases and view the results. For more information, see "[AUTOTITLE](/code-security/codeql-for-vs-code/getting-started-with-codeql-for-vs-code/running-codeql-queries)." +If you have already found, downloaded, or created a {% data variables.product.prodname_codeql %} database, you can learn how to use the extension to run queries on {% data variables.product.prodname_codeql %} databases and view the results. For more information, see [AUTOTITLE](/code-security/codeql-for-vs-code/getting-started-with-codeql-for-vs-code/running-codeql-queries). {% ifversion codeql-model-packs %} -To learn how to model additional dependencies of a codebase and improve your {% data variables.product.prodname_code_scanning %} results, see "[AUTOTITLE](/code-security/codeql-for-vs-code/using-the-advanced-functionality-of-the-codeql-for-vs-code-extension/using-the-codeql-model-editor)." +To learn how to model additional dependencies of a codebase and improve your {% data variables.product.prodname_code_scanning %} results, see [AUTOTITLE](/code-security/codeql-for-vs-code/using-the-advanced-functionality-of-the-codeql-for-vs-code-extension/using-the-codeql-model-editor). {% endif %} -To learn how to configure access to a different version of the {% data variables.product.prodname_codeql_cli %} than the one installed with the extension, see "[AUTOTITLE](/code-security/codeql-for-vs-code/using-the-advanced-functionality-of-the-codeql-for-vs-code-extension/configuring-access-to-the-codeql-cli)." +To learn how to configure access to a different version of the {% data variables.product.prodname_codeql_cli %} than the one installed with the extension, see [AUTOTITLE](/code-security/codeql-for-vs-code/using-the-advanced-functionality-of-the-codeql-for-vs-code-extension/configuring-access-to-the-codeql-cli). -To learn how to set up a {% data variables.product.prodname_codeql %} workspace, see "[AUTOTITLE](/code-security/codeql-for-vs-code/using-the-advanced-functionality-of-the-codeql-for-vs-code-extension/setting-up-a-codeql-workspace)." +To learn how to set up a {% data variables.product.prodname_codeql %} workspace, see [AUTOTITLE](/code-security/codeql-for-vs-code/using-the-advanced-functionality-of-the-codeql-for-vs-code-extension/setting-up-a-codeql-workspace). diff --git a/content/code-security/codeql-for-vs-code/getting-started-with-codeql-for-vs-code/managing-codeql-databases.md b/content/code-security/codeql-for-vs-code/getting-started-with-codeql-for-vs-code/managing-codeql-databases.md index 95edce9d633a..644668c599e4 100644 --- a/content/code-security/codeql-for-vs-code/getting-started-with-codeql-for-vs-code/managing-codeql-databases.md +++ b/content/code-security/codeql-for-vs-code/getting-started-with-codeql-for-vs-code/managing-codeql-databases.md @@ -15,14 +15,14 @@ intro: 'You can work with {% data variables.product.prodname_codeql %} databases ## About {% data variables.product.prodname_codeql %} databases -To analyze a project, you need to select a {% data variables.product.prodname_codeql %} database for that project. You can select a database locally (from a ZIP archive or an unarchived folder){% ifversion fpt or ghec %}, from a public URL,{% endif %} or from a project's URL on {% data variables.product.github %}. Alternatively, you can create a database using the {% data variables.product.prodname_codeql_cli %}, see "[AUTOTITLE](/code-security/codeql-cli/using-the-codeql-cli/creating-codeql-databases)." +To analyze a project, you need to select a {% data variables.product.prodname_codeql %} database for that project. You can select a database locally (from a ZIP archive or an unarchived folder){% ifversion fpt or ghec %}, from a public URL,{% endif %} or from a project's URL on {% data variables.product.github %}. Alternatively, you can create a database using the {% data variables.product.prodname_codeql_cli %}, see [AUTOTITLE](/code-security/codeql-cli/using-the-codeql-cli/creating-codeql-databases). ### Downloading a database from {% data variables.product.github %} -{% data variables.product.prodname_dotcom_the_website %} stores {% data variables.product.prodname_codeql %} databases for over 200,000 open source repositories that you can use to test your analysis on. {% ifversion ghec %}You can also access databases for repositories hosted on {% data variables.enterprise.data_residency %} by editing your settings and defining the URL for your system, see "[Changing the {% data variables.product.github %} URL used by the extension](/code-security/codeql-for-vs-code/using-the-advanced-functionality-of-the-codeql-for-vs-code-extension/customizing-settings#changing-the-github-url-used-by-the-extension)."{% endif %} +{% data variables.product.prodname_dotcom_the_website %} stores {% data variables.product.prodname_codeql %} databases for over 200,000 open source repositories that you can use to test your analysis on. {% ifversion ghec %}You can also access databases for repositories hosted on {% data variables.enterprise.data_residency %} by editing your settings and defining the URL for your system, see [Changing the {% data variables.product.github %} URL used by the extension](/code-security/codeql-for-vs-code/using-the-advanced-functionality-of-the-codeql-for-vs-code-extension/customizing-settings#changing-the-github-url-used-by-the-extension).{% endif %} {% ifversion fpt or ghec %} -You can check if a repository has any {% data variables.product.prodname_codeql %} databases available for download, and if so download it, using the REST API. For more information, see "[List {% data variables.product.prodname_codeql %} databases for a repository](/rest/code-scanning/code-scanning#list-codeql-databases-for-a-repository)" and "[Get a {% data variables.product.prodname_codeql %} database for a repository](/rest/code-scanning/code-scanning#get-a-codeql-database-for-a-repository)" in the {% data variables.product.prodname_dotcom %} REST API documentation. +You can check if a repository has any {% data variables.product.prodname_codeql %} databases available for download, and if so download it, using the REST API. For more information, see [List {% data variables.product.prodname_codeql %} databases for a repository](/rest/code-scanning/code-scanning#list-codeql-databases-for-a-repository) and [Get a {% data variables.product.prodname_codeql %} database for a repository](/rest/code-scanning/code-scanning#get-a-codeql-database-for-a-repository) in the {% data variables.product.prodname_dotcom %} REST API documentation. {% endif %} ## Choosing a database to analyze @@ -32,7 +32,7 @@ You can check if a repository has any {% data variables.product.prodname_codeql 1. Once you've chosen a database, it will be displayed in the "Databases" view. To see the menu options for interacting with a database, right-click an entry in the list. You can select multiple databases at once. > [!NOTE] -> You can also analyze test databases. Test databases (folders with a `.testproj` extension) are generated when you run regression tests on custom queries using the {% data variables.product.prodname_codeql_cli %}. If a query fails a regression test, you may want to import the test database into {% data variables.product.prodname_vscode %} to debug the failure. For more information about running query tests, see "[AUTOTITLE](/code-security/codeql-cli/using-the-codeql-cli/testing-custom-queries)." +> You can also analyze test databases. Test databases (folders with a `.testproj` extension) are generated when you run regression tests on custom queries using the {% data variables.product.prodname_codeql_cli %}. If a query fails a regression test, you may want to import the test database into {% data variables.product.prodname_vscode %} to debug the failure. For more information about running query tests, see [AUTOTITLE](/code-security/codeql-cli/using-the-codeql-cli/testing-custom-queries). ## Filtering databases and queries by language @@ -44,4 +44,4 @@ Optionally, to see databases containing a specific language and queries written ## Next steps -To learn how to use the extension to analyze your projects by running queries on {% data variables.product.prodname_codeql %} databases, see "[AUTOTITLE](/code-security/codeql-for-vs-code/getting-started-with-codeql-for-vs-code/running-codeql-queries)." +To learn how to use the extension to analyze your projects by running queries on {% data variables.product.prodname_codeql %} databases, see [AUTOTITLE](/code-security/codeql-for-vs-code/getting-started-with-codeql-for-vs-code/running-codeql-queries). diff --git a/content/code-security/codeql-for-vs-code/getting-started-with-codeql-for-vs-code/running-codeql-queries-at-scale-with-multi-repository-variant-analysis.md b/content/code-security/codeql-for-vs-code/getting-started-with-codeql-for-vs-code/running-codeql-queries-at-scale-with-multi-repository-variant-analysis.md index c03717e9f266..4b3a102f1ad8 100644 --- a/content/code-security/codeql-for-vs-code/getting-started-with-codeql-for-vs-code/running-codeql-queries-at-scale-with-multi-repository-variant-analysis.md +++ b/content/code-security/codeql-for-vs-code/getting-started-with-codeql-for-vs-code/running-codeql-queries-at-scale-with-multi-repository-variant-analysis.md @@ -19,7 +19,7 @@ With multi-repository variant analysis (MRVA), you can run {% data variables.pro When you run MRVA against a list of repositories, your query is run against each repository that has a {% data variables.product.prodname_codeql %} database available to analyze. {% data variables.product.github %} creates and stores the latest {% data variables.product.prodname_codeql %} database for the default branch of thousands of public repositories, including every repository that runs {% data variables.product.prodname_code_scanning %} using {% data variables.product.prodname_codeql %}. -You need to enable {% data variables.product.prodname_code_scanning %} using {% data variables.product.prodname_codeql %} on {% data variables.product.github %}, using either default setup or advanced setup, before adding your repository to a list for analysis. For information about enabling {% data variables.product.prodname_code_scanning %} using {% data variables.product.prodname_codeql %}, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning-for-a-repository#configuring-code-scanning-automatically)." +You need to enable {% data variables.product.prodname_code_scanning %} using {% data variables.product.prodname_codeql %} on {% data variables.product.github %}, using either default setup or advanced setup, before adding your repository to a list for analysis. For information about enabling {% data variables.product.prodname_code_scanning %} using {% data variables.product.prodname_codeql %}, see [AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning-for-a-repository#configuring-code-scanning-automatically). ### How MRVA runs queries against {% data variables.product.prodname_codeql %} databases on {% data variables.product.prodname_dotcom_the_website %} @@ -34,14 +34,14 @@ The {% data variables.product.prodname_codeql %} extension builds a {% data vari * Controller repositories can be empty, but they must have at least one commit. {% ifversion ghec %} -* The controller repository must be hosted on the same site as the repositories that you want to analyze using MRVA, that is: {% data variables.product.prodname_dotcom_the_website %} or {% data variables.enterprise.data_residency_domain %}. If you want to run MRVA on {% data variables.enterprise.data_residency %}, see "[Changing the {% data variables.product.github %} URL used by the extension](/code-security/codeql-for-vs-code/using-the-advanced-functionality-of-the-codeql-for-vs-code-extension/customizing-settings#changing-the-github-url-used-by-the-extension)." +* The controller repository must be hosted on the same site as the repositories that you want to analyze using MRVA, that is: {% data variables.product.prodname_dotcom_the_website %} or {% data variables.enterprise.data_residency_domain %}. If you want to run MRVA on {% data variables.enterprise.data_residency %}, see [Changing the {% data variables.product.github %} URL used by the extension](/code-security/codeql-for-vs-code/using-the-advanced-functionality-of-the-codeql-for-vs-code-extension/customizing-settings#changing-the-github-url-used-by-the-extension). {% endif %} * On {% data variables.product.prodname_dotcom_the_website %}, the controller repository visibility can be "public" if you plan to analyze only public repositories. The variant analysis will be free. * The controller repository visibility must be "private" if you need to analyze any private or internal repositories on {% data variables.product.prodname_dotcom_the_website %}. {% ifversion fpt or ghec %} -Any actions minutes that you use to run variant analysis on private or internal repositories, above the free limit, is charged to the repository owner. For more information about free minutes and billing, see "[AUTOTITLE](/billing/managing-billing-for-github-actions/about-billing-for-github-actions)."{% endif %} +Any actions minutes that you use to run variant analysis on private or internal repositories, above the free limit, is charged to the repository owner. For more information about free minutes and billing, see [AUTOTITLE](/billing/managing-billing-for-github-actions/about-billing-for-github-actions).{% endif %} ## Setting up a controller repository for MRVA @@ -49,11 +49,11 @@ Any actions minutes that you use to run variant analysis on private or internal ![Screenshot of the "Variant Analysis Repositories" view. The button to "Set up controller repository" is highlighted in dark orange.](/assets/images/help/security/codeql-for-vs-code-controller-repository.png) -1. Type the owner and name of the repository on {% data variables.product.github %} that you want to use as your controller repository and press the **Enter** key. {% ifversion ghec %}This repository must be on the same instance of {% data variables.product.github %} as the repositories that you want to analyze, see "[Changing the {% data variables.product.github %} URL used by the extension](/code-security/codeql-for-vs-code/using-the-advanced-functionality-of-the-codeql-for-vs-code-extension/customizing-settings#changing-the-github-url-used-by-the-extension)."{% endif %} +1. Type the owner and name of the repository on {% data variables.product.github %} that you want to use as your controller repository and press the **Enter** key. {% ifversion ghec %}This repository must be on the same instance of {% data variables.product.github %} as the repositories that you want to analyze, see [Changing the {% data variables.product.github %} URL used by the extension](/code-security/codeql-for-vs-code/using-the-advanced-functionality-of-the-codeql-for-vs-code-extension/customizing-settings#changing-the-github-url-used-by-the-extension).{% endif %} 1. If you are prompted to authenticate with {% data variables.product.github %}, follow the instructions and sign in to your account. When you have finished, a prompt from {% data variables.product.github %} Authentication may ask for permission to open in {% data variables.product.prodname_vscode %}, click **Open**. -The name of the controller repository is saved in your settings for the {% data variables.product.prodname_codeql %} extension. For information on how to edit the controller repository, see "[AUTOTITLE](/code-security/codeql-for-vs-code/using-the-advanced-functionality-of-the-codeql-for-vs-code-extension/customizing-settings)." +The name of the controller repository is saved in your settings for the {% data variables.product.prodname_codeql %} extension. For information on how to edit the controller repository, see [AUTOTITLE](/code-security/codeql-for-vs-code/using-the-advanced-functionality-of-the-codeql-for-vs-code-extension/customizing-settings). ## Running a query at scale using MRVA @@ -125,7 +125,7 @@ You can export your results for further analysis or to discuss them with collabo ## Creating a custom list of repositories > [!NOTE] -> {% data variables.product.prodname_codeql %} analysis always requires a {% data variables.product.prodname_codeql %} database to run queries against. When you run variant analysis against a list of repositories, your query will only be executed against the repositories that currently have a {% data variables.product.prodname_codeql %} database available to download. The best way to make a repository available for variant analysis is to enable {% data variables.product.prodname_code_scanning %} with {% data variables.product.prodname_codeql %}. For information about enabling {% data variables.product.prodname_code_scanning %} using {% data variables.product.prodname_codeql %}, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning-for-a-repository#configuring-code-scanning-automatically)." +> {% data variables.product.prodname_codeql %} analysis always requires a {% data variables.product.prodname_codeql %} database to run queries against. When you run variant analysis against a list of repositories, your query will only be executed against the repositories that currently have a {% data variables.product.prodname_codeql %} database available to download. The best way to make a repository available for variant analysis is to enable {% data variables.product.prodname_code_scanning %} with {% data variables.product.prodname_codeql %}. For information about enabling {% data variables.product.prodname_code_scanning %} using {% data variables.product.prodname_codeql %}, see [AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning-for-a-repository#configuring-code-scanning-automatically). 1. In the "Variant Analysis Repositories" view, click the "Add list" icon. @@ -159,7 +159,7 @@ You can then insert the `new-repo-list` of repositories into `databases.json`for ### Using {% data variables.product.github %} code search to add repositories to a custom list > [!NOTE] -> This feature uses the legacy code search via the {% data variables.product.github %} code search API. For more information on the syntax to use, see "[AUTOTITLE](/search-github/searching-on-github/searching-code)." +> This feature uses the legacy code search via the {% data variables.product.github %} code search API. For more information on the syntax to use, see [AUTOTITLE](/search-github/searching-on-github/searching-code). You can use code search directly in the {% data variables.product.prodname_codeql %} extension to add a subset of repositories from {% data variables.product.github %} to a custom list. diff --git a/content/code-security/codeql-for-vs-code/getting-started-with-codeql-for-vs-code/running-codeql-queries.md b/content/code-security/codeql-for-vs-code/getting-started-with-codeql-for-vs-code/running-codeql-queries.md index 69405fdf9c6a..f9a7a05331c3 100644 --- a/content/code-security/codeql-for-vs-code/getting-started-with-codeql-for-vs-code/running-codeql-queries.md +++ b/content/code-security/codeql-for-vs-code/getting-started-with-codeql-for-vs-code/running-codeql-queries.md @@ -22,7 +22,7 @@ The [`github/codeql`](https://github.com/github/codeql) repository contains a la ### Prerequisites -To analyze a codebase, you run queries against a {% data variables.product.prodname_codeql %} database extracted from the code, so you'll need to select a database to work with in the extension. You can select a database locally (from a ZIP archive or an unarchived folder), from a public URL, or from a project's URL on {% data variables.product.prodname_dotcom_the_website %}. For more information, see "[AUTOTITLE](/code-security/codeql-for-vs-code/getting-started-with-codeql-for-vs-code/managing-codeql-databases)." +To analyze a codebase, you run queries against a {% data variables.product.prodname_codeql %} database extracted from the code, so you'll need to select a database to work with in the extension. You can select a database locally (from a ZIP archive or an unarchived folder), from a public URL, or from a project's URL on {% data variables.product.prodname_dotcom_the_website %}. For more information, see [AUTOTITLE](/code-security/codeql-for-vs-code/getting-started-with-codeql-for-vs-code/managing-codeql-databases). ## Running a single query @@ -58,9 +58,9 @@ You can run multiple queries with a single command. When working on a new query, you can open a "Quick Query" tab to easily execute your code and view the results, without having to save a `.ql` file in your workspace. Select **{% data variables.product.prodname_codeql %}: Quick Query** from the {% data variables.product.prodname_vscode_command_palette_shortname %}, then to run the query use **{% data variables.product.prodname_codeql %}: Run Query on Selected Database**. -You can see all quick queries that you've run in the current session in the "Query History" view. Click an entry to see the exact text of the quick query that produced the results. For more information, see "[Viewing your query history](#viewing-your-query-history)." +You can see all quick queries that you've run in the current session in the "Query History" view. Click an entry to see the exact text of the quick query that produced the results. For more information, see [Viewing your query history](#viewing-your-query-history). -Once you're happy with your quick query, you should save it in a {% data variables.product.prodname_codeql %} pack so you can access it later. For more information, see "[AUTOTITLE](/code-security/codeql-cli/codeql-cli-reference/about-codeql-packs)." +Once you're happy with your quick query, you should save it in a {% data variables.product.prodname_codeql %} pack so you can access it later. For more information, see [AUTOTITLE](/code-security/codeql-cli/codeql-cli-reference/about-codeql-packs). ## Running a specific part of a query or library @@ -100,7 +100,7 @@ The "Query History" view contains information including the date and time when t * To customize the information that is displayed, right-click an entry and select **Rename**. -* Optionally, filter the view by language using the language selector. For more information, see "[Filtering databases and queries by language](/code-security/codeql-for-vs-code/getting-started-with-codeql-for-vs-code/managing-codeql-databases#filtering-databases-and-queries-by-language)." +* Optionally, filter the view by language using the language selector. For more information, see [Filtering databases and queries by language](/code-security/codeql-for-vs-code/getting-started-with-codeql-for-vs-code/managing-codeql-databases#filtering-databases-and-queries-by-language). * Click an entry to display the corresponding results, and double-click to display the query itself in the editor (or right-click and select **View Query**). @@ -113,7 +113,7 @@ The "Query History" view contains information including the date and time when t 1. Click a query in the "Query History" view to display its results in the "Results" view. > [!NOTE] - > Depending on the query, you can also choose different views such as CSV, [AUTOTITLE](/code-security/codeql-cli/codeql-cli-reference/sarif-output), or [DIL format](https://codeql.github.com/docs/codeql-overview/codeql-glossary/#dil). For example, to view the DIL format, right-click a result and select **View DIL**. The available output views are determined by the format and the metadata of the query. For more information, see "[{% data variables.product.prodname_codeql %} queries](https://codeql.github.com/docs/writing-codeql-queries/codeql-queries/#codeql-queries)." + > Depending on the query, you can also choose different views such as CSV, [AUTOTITLE](/code-security/codeql-cli/codeql-cli-reference/sarif-output), or [DIL format](https://codeql.github.com/docs/codeql-overview/codeql-glossary/#dil). For example, to view the DIL format, right-click a result and select **View DIL**. The available output views are determined by the format and the metadata of the query. For more information, see [{% data variables.product.prodname_codeql %} queries](https://codeql.github.com/docs/writing-codeql-queries/codeql-queries/#codeql-queries). 1. Use the dropdown menu in the "Results" view to choose which results to display, and in what form to display them, such as a formatted alert message or a table of raw results. @@ -124,7 +124,7 @@ If a result links to a source code element, you can click it to display it in th To use standard code navigation features in the source code, you can right-click an element and use the commands **Go to Definition** or **Go to References**. This runs a {% data variables.product.prodname_codeql %} query over the active file, which may take a few seconds. This query needs to run once for every file, so any additional references from the same file will be fast. > [!NOTE] -> If you're using an older database, code navigation commands such as **Go to Definition** and **Go to References** may not work. To use code navigation, try unzipping the database and running `codeql database cleanup ` on the unzipped database using the {% data variables.product.prodname_codeql_cli %}. Then, re-add the database to {% data variables.product.prodname_vscode %}. For more information, see "[AUTOTITLE](/code-security/codeql-cli/codeql-cli-manual/database-cleanup)." +> If you're using an older database, code navigation commands such as **Go to Definition** and **Go to References** may not work. To use code navigation, try unzipping the database and running `codeql database cleanup ` on the unzipped database using the {% data variables.product.prodname_codeql_cli %}. Then, re-add the database to {% data variables.product.prodname_vscode %}. For more information, see [AUTOTITLE](/code-security/codeql-cli/codeql-cli-manual/database-cleanup). ### Comparing query results @@ -140,18 +140,18 @@ When you're writing or debugging a query, it's useful to see how your changes af To see the logs from running a particular query, right-click the query in the "Query History" view and select **Show Query Log**. If the log file is too large for the extension to open in {% data variables.product.prodname_vscode_shortname %}, the file will be displayed in your file explorer so you can open it with an external program. -For details about compiling and running queries, as well as information about database upgrades, check the {% data variables.product.prodname_codeql %} Query Server log. For more information, see "[AUTOTITLE](/code-security/codeql-for-vs-code/troubleshooting-codeql-for-vs-code/accessing-logs)." +For details about compiling and running queries, as well as information about database upgrades, check the {% data variables.product.prodname_codeql %} Query Server log. For more information, see [AUTOTITLE](/code-security/codeql-for-vs-code/troubleshooting-codeql-for-vs-code/accessing-logs). -By default, the extension deletes logs after each workspace session. To override this behavior, you can specify a custom directory for query server logs. For more information, see "[AUTOTITLE](/code-security/codeql-for-vs-code/using-the-advanced-functionality-of-the-codeql-for-vs-code-extension/customizing-settings)." +By default, the extension deletes logs after each workspace session. To override this behavior, you can specify a custom directory for query server logs. For more information, see [AUTOTITLE](/code-security/codeql-for-vs-code/using-the-advanced-functionality-of-the-codeql-for-vs-code-extension/customizing-settings). You can use the **{% data variables.product.prodname_codeql %}: Restart Query Server** command to restart the query server. This restarts the server without affecting your {% data variables.product.prodname_codeql %} session history. You are most likely to need to restart the query server if you make external changes to files that the extension is using. For example, regenerating a {% data variables.product.prodname_codeql %} database that’s open in {% data variables.product.prodname_vscode_shortname %}. In addition to problems in the log, you might also see: errors in code highlighting, incorrect results totals, or duplicate notifications that a query is running. ## Next steps -You can optionally use the extension to create your own custom queries. For more information, see "[AUTOTITLE](/code-security/codeql-for-vs-code/using-the-advanced-functionality-of-the-codeql-for-vs-code-extension/creating-a-custom-query)." +You can optionally use the extension to create your own custom queries. For more information, see [AUTOTITLE](/code-security/codeql-for-vs-code/using-the-advanced-functionality-of-the-codeql-for-vs-code-extension/creating-a-custom-query). {% ifversion codeql-vs-code-mrva %} -For information on running analysis at scale across many {% data variables.product.prodname_codeql %} databases, see "[AUTOTITLE](/code-security/codeql-for-vs-code/getting-started-with-codeql-for-vs-code/running-codeql-queries-at-scale-with-multi-repository-variant-analysis)." +For information on running analysis at scale across many {% data variables.product.prodname_codeql %} databases, see [AUTOTITLE](/code-security/codeql-for-vs-code/getting-started-with-codeql-for-vs-code/running-codeql-queries-at-scale-with-multi-repository-variant-analysis). {% endif %} diff --git a/content/code-security/codeql-for-vs-code/troubleshooting-codeql-for-vs-code/warning-problem-with-controller-repository.md b/content/code-security/codeql-for-vs-code/troubleshooting-codeql-for-vs-code/warning-problem-with-controller-repository.md index 576eed88a69f..0caf3cd3f6d5 100644 --- a/content/code-security/codeql-for-vs-code/troubleshooting-codeql-for-vs-code/warning-problem-with-controller-repository.md +++ b/content/code-security/codeql-for-vs-code/troubleshooting-codeql-for-vs-code/warning-problem-with-controller-repository.md @@ -27,4 +27,4 @@ When you run variant analysis, you'll see any errors and warnings displayed in t ## Fixing the problem -To analyze private repositories, you should edit your settings to update your controller repository to a private repository. For information on how to edit the controller repository, see "[AUTOTITLE](/code-security/codeql-for-vs-code/using-the-advanced-functionality-of-the-codeql-for-vs-code-extension/customizing-settings#configuring-settings-for-variant-analysis)." +To analyze private repositories, you should edit your settings to update your controller repository to a private repository. For information on how to edit the controller repository, see [AUTOTITLE](/code-security/codeql-for-vs-code/using-the-advanced-functionality-of-the-codeql-for-vs-code-extension/customizing-settings#configuring-settings-for-variant-analysis). diff --git a/content/code-security/codeql-for-vs-code/using-the-advanced-functionality-of-the-codeql-for-vs-code-extension/configuring-access-to-the-codeql-cli.md b/content/code-security/codeql-for-vs-code/using-the-advanced-functionality-of-the-codeql-for-vs-code-extension/configuring-access-to-the-codeql-cli.md index 2e98e89aba77..0732d8cd7f86 100644 --- a/content/code-security/codeql-for-vs-code/using-the-advanced-functionality-of-the-codeql-for-vs-code-extension/configuring-access-to-the-codeql-cli.md +++ b/content/code-security/codeql-for-vs-code/using-the-advanced-functionality-of-the-codeql-for-vs-code-extension/configuring-access-to-the-codeql-cli.md @@ -16,16 +16,16 @@ allowTitleToDifferFromFilename: true ## Configuring access to the {% data variables.product.prodname_codeql_cli %} -If you already have the {% data variables.product.prodname_codeql_cli %} installed and added to your `PATH`, the extension will use that version. This might be the case if you create your own {% data variables.product.prodname_codeql %} databases instead of downloading them from {% data variables.product.github %}. For more information, see "[AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/preparing-your-code-for-codeql-analysis)." +If you already have the {% data variables.product.prodname_codeql_cli %} installed and added to your `PATH`, the extension will use that version. This might be the case if you create your own {% data variables.product.prodname_codeql %} databases instead of downloading them from {% data variables.product.github %}. For more information, see [AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/preparing-your-code-for-codeql-analysis). Otherwise, the extension automatically manages access to the executable of the {% data variables.product.prodname_codeql_cli %} for you. This ensures that the {% data variables.product.prodname_codeql_cli %} is compatible with the {% data variables.product.prodname_codeql %} extension. You can also check for updates with the **{% data variables.product.prodname_codeql %}: Check for CLI Updates** command from the {% data variables.product.prodname_vscode_command_palette_shortname %}. > [!NOTE] > * The extension-managed {% data variables.product.prodname_codeql_cli %} is not accessible from the terminal. If you intend to use the CLI outside of the extension (for example to create databases), we recommend that you install your own copy of the {% data variables.product.prodname_codeql_cli %}." -> * To override the default behavior and use a specific version of the {% data variables.product.prodname_codeql_cli %}, you can specify the {% data variables.product.prodname_codeql_cli %} **Executable Path** in the extension settings. For more information, see "[AUTOTITLE](/code-security/codeql-for-vs-code/using-the-advanced-functionality-of-the-codeql-for-vs-code-extension/customizing-settings)." +> * To override the default behavior and use a specific version of the {% data variables.product.prodname_codeql_cli %}, you can specify the {% data variables.product.prodname_codeql_cli %} **Executable Path** in the extension settings. For more information, see [AUTOTITLE](/code-security/codeql-for-vs-code/using-the-advanced-functionality-of-the-codeql-for-vs-code-extension/customizing-settings). ## Troubleshooting -If you have any difficulty setting up access to the {% data variables.product.prodname_codeql_cli %}, check the {% data variables.product.prodname_codeql %} Extension log for error messages or to see the location of the {% data variables.product.prodname_codeql_cli %} being used. For more information, see "[AUTOTITLE](/code-security/codeql-for-vs-code/troubleshooting-codeql-for-vs-code/accessing-logs)." In particular, in the Extension log you can see the location of the {% data variables.product.prodname_codeql_cli %} that is being used. This is useful if you want to see whether this is an extension-managed CLI or an external one. +If you have any difficulty setting up access to the {% data variables.product.prodname_codeql_cli %}, check the {% data variables.product.prodname_codeql %} Extension log for error messages or to see the location of the {% data variables.product.prodname_codeql_cli %} being used. For more information, see [AUTOTITLE](/code-security/codeql-for-vs-code/troubleshooting-codeql-for-vs-code/accessing-logs). In particular, in the Extension log you can see the location of the {% data variables.product.prodname_codeql_cli %} that is being used. This is useful if you want to see whether this is an extension-managed CLI or an external one. If you use the extension-managed {% data variables.product.prodname_codeql_cli %}, the extension checks for updates automatically (or with the **{% data variables.product.prodname_codeql %}: Check for CLI Updates** command) and prompts you to accept the updated version. If you use an external CLI, you need to update it manually (when updates are necessary). diff --git a/content/code-security/codeql-for-vs-code/using-the-advanced-functionality-of-the-codeql-for-vs-code-extension/creating-a-custom-query.md b/content/code-security/codeql-for-vs-code/using-the-advanced-functionality-of-the-codeql-for-vs-code-extension/creating-a-custom-query.md index ce16f8b48352..eba17d9b7508 100644 --- a/content/code-security/codeql-for-vs-code/using-the-advanced-functionality-of-the-codeql-for-vs-code-extension/creating-a-custom-query.md +++ b/content/code-security/codeql-for-vs-code/using-the-advanced-functionality-of-the-codeql-for-vs-code-extension/creating-a-custom-query.md @@ -18,7 +18,7 @@ intro: 'You can work from a template to write your own code to create a custom q > [!NOTE] > Creating a custom query is optional, and the [`github/codeql`](https://github.com/github/codeql) repository contains a large number of example queries you can use instead. -You create a new query file from a template for a given language, which imports the standard libraries for analyzing that language. For more information, see "[About {% data variables.product.prodname_codeql %} queries](https://codeql.github.com/docs/writing-codeql-queries/about-codeql-queries/)" in the {% data variables.product.prodname_codeql %} documentation. +You create a new query file from a template for a given language, which imports the standard libraries for analyzing that language. For more information, see [About {% data variables.product.prodname_codeql %} queries](https://codeql.github.com/docs/writing-codeql-queries/about-codeql-queries/) in the {% data variables.product.prodname_codeql %} documentation. ## Creating a custom query diff --git a/content/code-security/codeql-for-vs-code/using-the-advanced-functionality-of-the-codeql-for-vs-code-extension/customizing-settings.md b/content/code-security/codeql-for-vs-code/using-the-advanced-functionality-of-the-codeql-for-vs-code-extension/customizing-settings.md index fe2d9d06b006..af98c60f21b5 100644 --- a/content/code-security/codeql-for-vs-code/using-the-advanced-functionality-of-the-codeql-for-vs-code-extension/customizing-settings.md +++ b/content/code-security/codeql-for-vs-code/using-the-advanced-functionality-of-the-codeql-for-vs-code-extension/customizing-settings.md @@ -38,7 +38,7 @@ You can change numerous settings for the {% data variables.product.prodname_code ### Choosing a version of the {% data variables.product.prodname_codeql_cli %} -To override the default behavior and use a specific version of the {% data variables.product.prodname_codeql_cli %}, you can specify the {% data variables.product.prodname_codeql_cli %} "Executable Path" in the extension settings, and point it to your existing copy of the {% data variables.product.prodname_codeql_cli %}. That is, the file named `codeql` (Linux and macOS), or `codeql.exe` (Windows). For more information about the default behavior, see "[AUTOTITLE](/code-security/codeql-for-vs-code/using-the-advanced-functionality-of-the-codeql-for-vs-code-extension/configuring-access-to-the-codeql-cli)." +To override the default behavior and use a specific version of the {% data variables.product.prodname_codeql_cli %}, you can specify the {% data variables.product.prodname_codeql_cli %} "Executable Path" in the extension settings, and point it to your existing copy of the {% data variables.product.prodname_codeql_cli %}. That is, the file named `codeql` (Linux and macOS), or `codeql.exe` (Windows). For more information about the default behavior, see [AUTOTITLE](/code-security/codeql-for-vs-code/using-the-advanced-functionality-of-the-codeql-for-vs-code-extension/configuring-access-to-the-codeql-cli). ### Changing the labels of query history items @@ -66,7 +66,7 @@ To save query server logs in a custom location, edit the "Running Queries: Custo {% ifversion codeql-vs-code-mrva %} -There are a number of settings under "Variant Analysis" that you can use to define or edit lists of {% data variables.product.company_short %} repositories for variant analysis, and change to a different controller repository. For information on the purpose and requirements for a controller repository, see "[AUTOTITLE](/code-security/codeql-for-vs-code/getting-started-with-codeql-for-vs-code/running-codeql-queries-at-scale-with-multi-repository-variant-analysis)." +There are a number of settings under "Variant Analysis" that you can use to define or edit lists of {% data variables.product.company_short %} repositories for variant analysis, and change to a different controller repository. For information on the purpose and requirements for a controller repository, see [AUTOTITLE](/code-security/codeql-for-vs-code/getting-started-with-codeql-for-vs-code/running-codeql-queries-at-scale-with-multi-repository-variant-analysis). {% endif %} @@ -108,7 +108,7 @@ You can change the items shown in the view or add new items by directly editing To automatically add database source folders to your workspace, you can enable the "Adding Databases: Add Database Source to Workspace" setting. -This setting is disabled by default. You may want to enable the setting if you regularly browse the source code of databases (for example, to view the abstract syntax tree of the code). For more information, see "[AUTOTITLE](/code-security/codeql-for-vs-code/using-the-advanced-functionality-of-the-codeql-for-vs-code-extension/exploring-the-structure-of-your-source-code)." +This setting is disabled by default. You may want to enable the setting if you regularly browse the source code of databases (for example, to view the abstract syntax tree of the code). For more information, see [AUTOTITLE](/code-security/codeql-for-vs-code/using-the-advanced-functionality-of-the-codeql-for-vs-code-extension/exploring-the-structure-of-your-source-code). > [!NOTE] > If you are in a single-folder workspace, adding database source folders will cause the workspace to reload as a multi-root workspace. This may cause query history and database lists to reset. @@ -119,11 +119,11 @@ This setting is disabled by default. You may want to enable the setting if you r To increase the number of threads used for testing queries, you can update the "Running Tests: Number Of Threads" setting. -To pass additional arguments to the {% data variables.product.prodname_codeql_cli %} when running tests, you can update the "Running Tests: Additional Test Arguments" setting. For more information about the available arguments, see "[AUTOTITLE](/code-security/codeql-cli/codeql-cli-manual/test-run/)." +To pass additional arguments to the {% data variables.product.prodname_codeql_cli %} when running tests, you can update the "Running Tests: Additional Test Arguments" setting. For more information about the available arguments, see [AUTOTITLE](/code-security/codeql-cli/codeql-cli-manual/test-run/). ### Configuring settings for telemetry and data collection -You can configure whether the {% data variables.product.prodname_codeql %} extension collects telemetry data. This is disabled by default. For more information, see "[AUTOTITLE](/code-security/codeql-for-vs-code/using-the-advanced-functionality-of-the-codeql-for-vs-code-extension/telemetry-in-codeql-for-visual-studio-code)." +You can configure whether the {% data variables.product.prodname_codeql %} extension collects telemetry data. This is disabled by default. For more information, see [AUTOTITLE](/code-security/codeql-for-vs-code/using-the-advanced-functionality-of-the-codeql-for-vs-code-extension/telemetry-in-codeql-for-visual-studio-code). {% ifversion ghec %} @@ -153,7 +153,7 @@ When {% data variables.product.github %} Enterprise URI (`github-enterprise.uri` * Creating a list of repositories for variant analysis > [!NOTE] -> {% data variables.enterprise.data_residency %} requires authentication to see all repositories, so you will need to authenticate before you can download or analyze data. In addition, you will not see any "Top XX repositories" lists for variant analysis, see "[AUTOTITLE](/code-security/codeql-for-vs-code/getting-started-with-codeql-for-vs-code/running-codeql-queries-at-scale-with-multi-repository-variant-analysis)." +> {% data variables.enterprise.data_residency %} requires authentication to see all repositories, so you will need to authenticate before you can download or analyze data. In addition, you will not see any "Top XX repositories" lists for variant analysis, see [AUTOTITLE](/code-security/codeql-for-vs-code/getting-started-with-codeql-for-vs-code/running-codeql-queries-at-scale-with-multi-repository-variant-analysis). {% endif %} diff --git a/content/code-security/codeql-for-vs-code/using-the-advanced-functionality-of-the-codeql-for-vs-code-extension/managing-codeql-packs.md b/content/code-security/codeql-for-vs-code/using-the-advanced-functionality-of-the-codeql-for-vs-code-extension/managing-codeql-packs.md index d35a82de0ca9..61c686d2a738 100644 --- a/content/code-security/codeql-for-vs-code/using-the-advanced-functionality-of-the-codeql-for-vs-code-extension/managing-codeql-packs.md +++ b/content/code-security/codeql-for-vs-code/using-the-advanced-functionality-of-the-codeql-for-vs-code-extension/managing-codeql-packs.md @@ -28,7 +28,7 @@ With the {% data variables.product.prodname_codeql %} for {% data variables.prod * View a {% data variables.product.prodname_codeql %} query pack and all of its dependencies. -For more information about creating and editing {% data variables.product.prodname_codeql %} query and library packs, see "[AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-and-working-with-codeql-packs)." +For more information about creating and editing {% data variables.product.prodname_codeql %} query and library packs, see [AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-and-working-with-codeql-packs). ## Installing dependencies for {% data variables.product.prodname_codeql %} query packs @@ -62,6 +62,6 @@ For more information about creating and editing {% data variables.product.prodna {% data reusables.code-scanning.beta-model-packs %} -{% data variables.product.prodname_codeql %} model packs can be used to expand {% data variables.product.prodname_code_scanning %} analysis to include dependencies that are not supported by default. The {% data variables.product.prodname_codeql %} extension for {% data variables.product.prodname_vscode %} includes a dedicated editor for creating and editing model packs. For information on using the model editor, see "[AUTOTITLE](/code-security/codeql-for-vs-code/using-the-advanced-functionality-of-the-codeql-for-vs-code-extension/using-the-codeql-model-editor)." +{% data variables.product.prodname_codeql %} model packs can be used to expand {% data variables.product.prodname_code_scanning %} analysis to include dependencies that are not supported by default. The {% data variables.product.prodname_codeql %} extension for {% data variables.product.prodname_vscode %} includes a dedicated editor for creating and editing model packs. For information on using the model editor, see [AUTOTITLE](/code-security/codeql-for-vs-code/using-the-advanced-functionality-of-the-codeql-for-vs-code-extension/using-the-codeql-model-editor). {% endif %} diff --git a/content/code-security/codeql-for-vs-code/using-the-advanced-functionality-of-the-codeql-for-vs-code-extension/setting-up-a-codeql-workspace.md b/content/code-security/codeql-for-vs-code/using-the-advanced-functionality-of-the-codeql-for-vs-code-extension/setting-up-a-codeql-workspace.md index 952897f60dc4..154aacd4a42a 100644 --- a/content/code-security/codeql-for-vs-code/using-the-advanced-functionality-of-the-codeql-for-vs-code-extension/setting-up-a-codeql-workspace.md +++ b/content/code-security/codeql-for-vs-code/using-the-advanced-functionality-of-the-codeql-for-vs-code-extension/setting-up-a-codeql-workspace.md @@ -49,11 +49,11 @@ There are several different ways to give the extension access to the standard li libraryPathDependencies: codeql/cpp-all ``` - For more information about why you need to add a `qlpack.yml` file, see "[AUTOTITLE](/code-security/codeql-cli/codeql-cli-reference/about-codeql-packs)." + For more information about why you need to add a `qlpack.yml` file, see [AUTOTITLE](/code-security/codeql-cli/codeql-cli-reference/about-codeql-packs). ### Option 3: Open the directory containing the extracted {% data variables.product.prodname_codeql_cli %} archive > [!NOTE] -> For this option, you need to set up the {% data variables.product.prodname_codeql_cli %}. For more information, see "[AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/setting-up-the-codeql-cli)." +> For this option, you need to set up the {% data variables.product.prodname_codeql_cli %}. For more information, see [AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/setting-up-the-codeql-cli). In {% data variables.product.prodname_vscode_shortname %}, open the directory where you extracted the {% data variables.product.prodname_codeql_cli %} .zip archive to create a {% data variables.product.prodname_codeql %} directory (for example `codeql-home`). diff --git a/content/code-security/codeql-for-vs-code/using-the-advanced-functionality-of-the-codeql-for-vs-code-extension/telemetry-in-codeql-for-visual-studio-code.md b/content/code-security/codeql-for-vs-code/using-the-advanced-functionality-of-the-codeql-for-vs-code-extension/telemetry-in-codeql-for-visual-studio-code.md index 1163bbcda58a..9dd459694a6f 100644 --- a/content/code-security/codeql-for-vs-code/using-the-advanced-functionality-of-the-codeql-for-vs-code-extension/telemetry-in-codeql-for-visual-studio-code.md +++ b/content/code-security/codeql-for-vs-code/using-the-advanced-functionality-of-the-codeql-for-vs-code-extension/telemetry-in-codeql-for-visual-studio-code.md @@ -41,7 +41,7 @@ If you opt in, {% data variables.product.company_short %} collects the following * IP address of the client sending the telemetry data. This is discarded before aggregation. -* Whether any {% data variables.product.prodname_codeql %} for {% data variables.product.prodname_vscode_shortname %} extension settings are configured. For more information about customizing settings, see "[AUTOTITLE](/code-security/codeql-for-vs-code/using-the-advanced-functionality-of-the-codeql-for-vs-code-extension/customizing-settings)." +* Whether any {% data variables.product.prodname_codeql %} for {% data variables.product.prodname_vscode_shortname %} extension settings are configured. For more information about customizing settings, see [AUTOTITLE](/code-security/codeql-for-vs-code/using-the-advanced-functionality-of-the-codeql-for-vs-code-extension/customizing-settings). ## How long data is retained @@ -69,11 +69,11 @@ We only collect the minimal amount of data we need to answer the questions about ## Disabling telemetry reporting -You can disable telemetry collection by setting `codeQL.telemetry.enableTelemetry` to `false` in your settings. For more information, see "[AUTOTITLE](/code-security/codeql-for-vs-code/using-the-advanced-functionality-of-the-codeql-for-vs-code-extension/customizing-settings)." +You can disable telemetry collection by setting `codeQL.telemetry.enableTelemetry` to `false` in your settings. For more information, see [AUTOTITLE](/code-security/codeql-for-vs-code/using-the-advanced-functionality-of-the-codeql-for-vs-code-extension/customizing-settings). Additionally, telemetry collection will be disabled if the global `telemetry.telemetryLevel` setting is set to `off`. For more information about global telemetry collection, see [Visual Studio Code FAQ](https://code.visualstudio.com/docs/supporting/faq#_how-to-disable-telemetry-reporting) in the {% data variables.product.prodname_vscode %} documentation. ## Further reading -* "[AUTOTITLE](/free-pro-team@latest/site-policy/privacy-policies/github-general-privacy-statement)" -* "[AUTOTITLE](/free-pro-team@latest/site-policy/github-terms/github-terms-of-service)" +* [AUTOTITLE](/free-pro-team@latest/site-policy/privacy-policies/github-general-privacy-statement) +* [AUTOTITLE](/free-pro-team@latest/site-policy/github-terms/github-terms-of-service) diff --git a/content/code-security/codeql-for-vs-code/using-the-advanced-functionality-of-the-codeql-for-vs-code-extension/testing-codeql-queries-in-vs-code.md b/content/code-security/codeql-for-vs-code/using-the-advanced-functionality-of-the-codeql-for-vs-code-extension/testing-codeql-queries-in-vs-code.md index 59b51edb84f3..3573cd96b21e 100644 --- a/content/code-security/codeql-for-vs-code/using-the-advanced-functionality-of-the-codeql-for-vs-code-extension/testing-codeql-queries-in-vs-code.md +++ b/content/code-security/codeql-for-vs-code/using-the-advanced-functionality-of-the-codeql-for-vs-code-extension/testing-codeql-queries-in-vs-code.md @@ -22,9 +22,9 @@ To ensure that your {% data variables.product.prodname_codeql %} queries produce The {% data variables.product.prodname_codeql %} extension automatically registers itself with the "Testing" view. This view displays all tests found in your current workspace and provides a UI for exploring and running tests in your workspace. -For more information about creating {% data variables.product.prodname_codeql %} tests, see "[AUTOTITLE](/code-security/codeql-cli/using-the-codeql-cli/testing-custom-queries)". +For more information about creating {% data variables.product.prodname_codeql %} tests, see [AUTOTITLE](/code-security/codeql-cli/using-the-codeql-cli/testing-custom-queries). -To see more detailed output from running unit tests, open the {% data variables.product.prodname_codeql %} Tests log. For information, see "[AUTOTITLE](/code-security/codeql-for-vs-code/troubleshooting-codeql-for-vs-code/accessing-logs)." +To see more detailed output from running unit tests, open the {% data variables.product.prodname_codeql %} Tests log. For information, see [AUTOTITLE](/code-security/codeql-for-vs-code/troubleshooting-codeql-for-vs-code/accessing-logs). ## Testing the results of your queries @@ -44,16 +44,16 @@ To see more detailed output from running unit tests, open the {% data variables. Query performance is important when you want to run a query on large databases, or as part of your continuous integration system. -If you want to examine query performance, enable the "Running Queries: Debug" setting to include timing and tuple counts. This will then be shown in the logs in the {% data variables.product.prodname_codeql %} "Query Server" tab of the "Output" view. The tuple count is useful because it indicates the size of the [predicates](https://codeql.github.com/docs/ql-language-reference/predicates/#predicates) computed by the query. For more information about changing settings, see "[AUTOTITLE](/code-security/codeql-for-vs-code/using-the-advanced-functionality-of-the-codeql-for-vs-code-extension/customizing-settings#configuring-settings-for-running-queries-locally)." +If you want to examine query performance, enable the "Running Queries: Debug" setting to include timing and tuple counts. This will then be shown in the logs in the {% data variables.product.prodname_codeql %} "Query Server" tab of the "Output" view. The tuple count is useful because it indicates the size of the [predicates](https://codeql.github.com/docs/ql-language-reference/predicates/#predicates) computed by the query. For more information about changing settings, see [AUTOTITLE](/code-security/codeql-for-vs-code/using-the-advanced-functionality-of-the-codeql-for-vs-code-extension/customizing-settings#configuring-settings-for-running-queries-locally). When a query is evaluated, the query server caches the predicates that it calculates. So when you want to compare the performance of two evaluations, you should run **{% data variables.product.prodname_codeql %}: Clear Cache** to clear the query server's cache before each run. This ensures that you're comparing equivalent data. -For more information about monitoring the performance of your {% data variables.product.prodname_codeql %} queries, see "[Troubleshooting query performance](https://codeql.github.com/docs/writing-codeql-queries/troubleshooting-query-performance/#troubleshooting-query-performance)" and "[Evaluation of QL programs](https://codeql.github.com/docs/ql-language-reference/evaluation-of-ql-programs/#evaluation-of-ql-programs)" in the {% data variables.product.prodname_codeql %} documentation. +For more information about monitoring the performance of your {% data variables.product.prodname_codeql %} queries, see [Troubleshooting query performance](https://codeql.github.com/docs/writing-codeql-queries/troubleshooting-query-performance/#troubleshooting-query-performance) and [Evaluation of QL programs](https://codeql.github.com/docs/ql-language-reference/evaluation-of-ql-programs/#evaluation-of-ql-programs) in the {% data variables.product.prodname_codeql %} documentation. {% ifversion codeql-vs-code-mrva %} ## Next steps -When you are sure that your query finds the results you want to identify, you can use variant analysis to run it at scale. For information on running analysis at scale across many {% data variables.product.prodname_codeql %}databases, see "[AUTOTITLE](/code-security/codeql-for-vs-code/getting-started-with-codeql-for-vs-code/running-codeql-queries-at-scale-with-multi-repository-variant-analysis)." +When you are sure that your query finds the results you want to identify, you can use variant analysis to run it at scale. For information on running analysis at scale across many {% data variables.product.prodname_codeql %}databases, see [AUTOTITLE](/code-security/codeql-for-vs-code/getting-started-with-codeql-for-vs-code/running-codeql-queries-at-scale-with-multi-repository-variant-analysis). {% endif %} diff --git a/content/code-security/codeql-for-vs-code/using-the-advanced-functionality-of-the-codeql-for-vs-code-extension/using-the-codeql-model-editor.md b/content/code-security/codeql-for-vs-code/using-the-advanced-functionality-of-the-codeql-for-vs-code-extension/using-the-codeql-model-editor.md index 2be02933cdcb..05865988b319 100644 --- a/content/code-security/codeql-for-vs-code/using-the-advanced-functionality-of-the-codeql-for-vs-code-extension/using-the-codeql-model-editor.md +++ b/content/code-security/codeql-for-vs-code/using-the-advanced-functionality-of-the-codeql-for-vs-code-extension/using-the-codeql-model-editor.md @@ -19,7 +19,7 @@ redirect_from: With {% data variables.product.prodname_codeql %} model packs, you can expand your {% data variables.product.prodname_codeql %} {% data variables.product.prodname_code_scanning %} analysis to recognize custom libraries and frameworks used by your codebase that are not supported by default. With the {% data variables.product.prodname_codeql %} model editor, you can create your own model packs. The model editor guides you through modeling the calls to external dependencies in your application, or fully modeling all the public entry and exit points in an external dependency. -For more information about customizing {% data variables.product.prodname_code_scanning %} analysis with model packs, see "[AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/editing-your-configuration-of-default-setup#extending-codeql-coverage-with-codeql-model-packs-in-default-setup)" and "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#extending-codeql-coverage-with-codeql-model-packs)." +For more information about customizing {% data variables.product.prodname_code_scanning %} analysis with model packs, see [AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/editing-your-configuration-of-default-setup#extending-codeql-coverage-with-codeql-model-packs-in-default-setup) and [AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#extending-codeql-coverage-with-codeql-model-packs). When you open the model editor, it analyzes the currently selected {% data variables.product.prodname_codeql %} database and identifies where the application uses external APIs and all public methods. An external (or third-party) API is any API that is not part of the {% data variables.product.prodname_codeql %} database you have selected. @@ -83,7 +83,7 @@ This section uses an open source Java project called "sofa-jraft" as an example. 1. When you have finished modeling, display the main model editor and click **Save all** or **Save** (shown at the bottom-right of each expanded list of methods). The percentage of methods modeled in the editor is updated. -The models are stored in your workspace at `.github/codeql/extensions/CODEQL-MODEl-PACK`, where `CODEQL-MODEL-PACK` is the name of the {% data variables.product.prodname_codeql %} database that you selected. That is, the name of the repository, hyphen, the language analyzed by {% data variables.product.prodname_codeql %}. For more information, see "[AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-and-working-with-codeql-packs#creating-a-codeql-model-pack)." +The models are stored in your workspace at `.github/codeql/extensions/CODEQL-MODEl-PACK`, where `CODEQL-MODEL-PACK` is the name of the {% data variables.product.prodname_codeql %} database that you selected. That is, the name of the repository, hyphen, the language analyzed by {% data variables.product.prodname_codeql %}. For more information, see [AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-and-working-with-codeql-packs#creating-a-codeql-model-pack). The models are stored in a series of YAML data extension files, one for each external API. For example: @@ -124,7 +124,7 @@ This section uses an open source Java project called "sofa-jraft" as an example. 1. When you have finished modeling, click **Save all** or **Save** (shown at the bottom-right of each expanded list of calls). The percentage of calls modeled in the editor is updated. -The models are stored in your workspace at `.github/codeql/extensions/CODEQL-MODEL-PACK`, where `CODEQL-MODEL-PACK` is the name of the {% data variables.product.prodname_codeql %} database that you selected. That is, the name of the repository, hyphen, the language analyzed by {% data variables.product.prodname_codeql %}. For more information, see "[AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-and-working-with-codeql-packs#creating-a-codeql-model-pack)." +The models are stored in your workspace at `.github/codeql/extensions/CODEQL-MODEL-PACK`, where `CODEQL-MODEL-PACK` is the name of the {% data variables.product.prodname_codeql %} database that you selected. That is, the name of the repository, hyphen, the language analyzed by {% data variables.product.prodname_codeql %}. For more information, see [AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-and-working-with-codeql-packs#creating-a-codeql-model-pack). The models are stored in a series of YAML data extension files, one for each public method. For example: @@ -145,7 +145,7 @@ Some methods support more than one data flow. It is important to model all the d ## Testing {% data variables.product.prodname_codeql %} model packs in {% data variables.product.prodname_vscode_shortname %} -You can test any {% data variables.product.prodname_codeql %} model packs you create in {% data variables.product.prodname_vscode_shortname %} with the "Running Queries: Use Extension Packs" setting. For more information, see "[AUTOTITLE](/code-security/codeql-for-vs-code/using-the-advanced-functionality-of-the-codeql-for-vs-code-extension/customizing-settings)." This method works for both databases and for variant analysis repositories. +You can test any {% data variables.product.prodname_codeql %} model packs you create in {% data variables.product.prodname_vscode_shortname %} with the "Running Queries: Use Extension Packs" setting. For more information, see [AUTOTITLE](/code-security/codeql-for-vs-code/using-the-advanced-functionality-of-the-codeql-for-vs-code-extension/customizing-settings). This method works for both databases and for variant analysis repositories. * To run queries on a {% data variables.product.prodname_codeql %} database with any model packs that are stored within the `.github/codeql/extensions` directory of the workspace, update your `settings.json` file with: `"codeQL.runningQueries.useExtensionPacks": "all",` diff --git a/content/code-security/dependabot/dependabot-alerts/about-dependabot-alerts.md b/content/code-security/dependabot/dependabot-alerts/about-dependabot-alerts.md index 5565b75ef043..9c88c9602ee8 100644 --- a/content/code-security/dependabot/dependabot-alerts/about-dependabot-alerts.md +++ b/content/code-security/dependabot/dependabot-alerts/about-dependabot-alerts.md @@ -36,21 +36,21 @@ If your code depends on a package with a security vulnerability, this can cause {% data variables.product.prodname_dependabot %} performs a scan of the default branch of your repository to detect insecure dependencies, and sends {% data variables.product.prodname_dependabot_alerts %} when: {% ifversion fpt or ghec %} -* A new advisory is added to the {% data variables.product.prodname_advisory_database %}. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/browsing-security-advisories-in-the-github-advisory-database)."{% else %} +* A new advisory is added to the {% data variables.product.prodname_advisory_database %}. For more information, see [AUTOTITLE](/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/browsing-security-advisories-in-the-github-advisory-database).{% else %} * New advisory data is synchronized to {% data variables.product.prodname_dotcom %} each hour from {% data variables.product.prodname_dotcom_the_website %}. {% data reusables.security-advisory.link-browsing-advisory-db %}{% endif %} > [!NOTE] > Only advisories that have been reviewed by {% data variables.product.company_short %} will trigger {% data variables.product.prodname_dependabot_alerts %}. -* The dependency graph for a repository changes. For example, when a contributor pushes a commit to change the packages or versions it depends on{% ifversion fpt or ghec %}, or when the code of one of the dependencies changes{% endif %}. For more information, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph)." +* The dependency graph for a repository changes. For example, when a contributor pushes a commit to change the packages or versions it depends on{% ifversion fpt or ghec %}, or when the code of one of the dependencies changes{% endif %}. For more information, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph). > [!NOTE] > {% data variables.product.prodname_dependabot %} doesn't scan archived repositories. {% data reusables.repositories.dependency-review %} -As {% data variables.product.prodname_dependabot_alerts %} rely on the dependency graph, the ecosystems that are supported by {% data variables.product.prodname_dependabot_alerts %} are the same as those supported by the dependency graph. For a list of these ecosystems, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/dependency-graph-supported-package-ecosystems#supported-package-ecosystems)." +As {% data variables.product.prodname_dependabot_alerts %} rely on the dependency graph, the ecosystems that are supported by {% data variables.product.prodname_dependabot_alerts %} are the same as those supported by the dependency graph. For a list of these ecosystems, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/dependency-graph-supported-package-ecosystems#supported-package-ecosystems). > [!NOTE] > It is important to keep your manifest and lock files up to date. If the dependency graph doesn't accurately reflect your current dependencies and versions, then you could miss alerts for insecure dependencies that you use. You may also get alerts for dependencies that you no longer use. @@ -63,16 +63,16 @@ As {% data variables.product.prodname_dependabot_alerts %} rely on the dependenc {% ifversion fpt or ghec %}{% data variables.product.prodname_dotcom %} detects vulnerable dependencies in _public_ repositories and displays the dependency graph, but does not generate {% data variables.product.prodname_dependabot_alerts %} by default. Repository owners or people with admin access can enable {% data variables.product.prodname_dependabot_alerts %} for public repositories. Owners of private repositories, or people with admin access, can enable {% data variables.product.prodname_dependabot_alerts %} by enabling the dependency graph and {% data variables.product.prodname_dependabot_alerts %} for their repositories. -You can also enable or disable {% data variables.product.prodname_dependabot_alerts %} for all repositories owned by your user account or organization. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-alerts/configuring-dependabot-alerts)." +You can also enable or disable {% data variables.product.prodname_dependabot_alerts %} for all repositories owned by your user account or organization. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/configuring-dependabot-alerts). -For information about access requirements for actions related to {% data variables.product.prodname_dependabot_alerts %}, see "[AUTOTITLE](/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/repository-roles-for-an-organization#access-requirements-for-security-features)." +For information about access requirements for actions related to {% data variables.product.prodname_dependabot_alerts %}, see [AUTOTITLE](/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/repository-roles-for-an-organization#access-requirements-for-security-features). -{% data variables.product.product_name %} starts generating the dependency graph immediately and generates alerts for any insecure dependencies as soon as they are identified. The graph is usually populated within minutes but this may take longer for repositories with many dependencies. For more information, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#enabling-or-disabling-security-and-analysis-features-for-private-repositories)." +{% data variables.product.product_name %} starts generating the dependency graph immediately and generates alerts for any insecure dependencies as soon as they are identified. The graph is usually populated within minutes but this may take longer for repositories with many dependencies. For more information, see [AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#enabling-or-disabling-security-and-analysis-features-for-private-repositories). {% endif %} When {% data variables.product.product_name %} identifies a vulnerable dependency, we generate a {% data variables.product.prodname_dependabot %} alert and display it on the **Security** tab for the repository and in the repository's dependency graph. The alert includes a link to the affected file in the project, and information about a fixed version. -{% data variables.product.product_name %} may also notify the maintainers of affected repositories about new alerts according to their notification preferences.{% ifversion dependabot-suppressed-notifications %} When {% data variables.product.prodname_dependabot %} is first enabled, {% data variables.product.product_name %} does not send notifications for all vulnerable dependencies found in your repository, only for new vulnerable dependencies identified after {% data variables.product.prodname_dependabot %} is enabled.{% endif %} For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-alerts/configuring-notifications-for-dependabot-alerts)." +{% data variables.product.product_name %} may also notify the maintainers of affected repositories about new alerts according to their notification preferences.{% ifversion dependabot-suppressed-notifications %} When {% data variables.product.prodname_dependabot %} is first enabled, {% data variables.product.product_name %} does not send notifications for all vulnerable dependencies found in your repository, only for new vulnerable dependencies identified after {% data variables.product.prodname_dependabot %} is enabled.{% endif %} For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/configuring-notifications-for-dependabot-alerts). {% data reusables.dependabot.dependabot-alert-create-PR %} @@ -87,13 +87,13 @@ When {% data variables.product.product_name %} identifies a vulnerable dependenc ## Access to {% data variables.product.prodname_dependabot_alerts %} -You can see all of the alerts that affect a particular project{% ifversion fpt or ghec %} on the repository's **Security** tab or{% endif %} in the repository's dependency graph. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts)." +You can see all of the alerts that affect a particular project{% ifversion fpt or ghec %} on the repository's **Security** tab or{% endif %} in the repository's dependency graph. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts). -By default, we notify people with write, maintain, or admin permissions in the affected repositories about new {% data variables.product.prodname_dependabot_alerts %}. {% ifversion fpt or ghec %}{% data variables.product.product_name %} never publicly discloses insecure dependencies for any repository. You can also make {% data variables.product.prodname_dependabot_alerts %} visible to additional people or teams working with repositories that you own or have admin permissions for. For more information, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#granting-access-to-security-alerts)." +By default, we notify people with write, maintain, or admin permissions in the affected repositories about new {% data variables.product.prodname_dependabot_alerts %}. {% ifversion fpt or ghec %}{% data variables.product.product_name %} never publicly discloses insecure dependencies for any repository. You can also make {% data variables.product.prodname_dependabot_alerts %} visible to additional people or teams working with repositories that you own or have admin permissions for. For more information, see [AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#granting-access-to-security-alerts). {% endif %} {% data reusables.notifications.vulnerable-dependency-notification-enable %} -{% data reusables.notifications.vulnerable-dependency-notification-delivery-method-customization2 %} For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-alerts/configuring-notifications-for-dependabot-alerts)." +{% data reusables.notifications.vulnerable-dependency-notification-delivery-method-customization2 %} For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/configuring-notifications-for-dependabot-alerts). You can also see all the {% data variables.product.prodname_dependabot_alerts %} that correspond to a particular advisory in the {% data variables.product.prodname_advisory_database %}. {% data reusables.security-advisory.link-browsing-advisory-db %} @@ -101,13 +101,13 @@ You can also see all the {% data variables.product.prodname_dependabot_alerts %} ## Asking {% data variables.product.prodname_copilot_chat %} about {% data variables.product.prodname_dependabot_alerts %} -With a {% data variables.product.prodname_copilot_enterprise %} license, you can ask {% data variables.product.prodname_copilot_chat_short %} for help to better understand security alerts, including {% data variables.product.prodname_dependabot_alerts %}, in repositories in your organization. For more information, see "[AUTOTITLE](/copilot/using-github-copilot/asking-github-copilot-questions-in-githubcom#asking-questions-about-alerts-from-github-advanced-security-features)." +With a {% data variables.product.prodname_copilot_enterprise %} license, you can ask {% data variables.product.prodname_copilot_chat_short %} for help to better understand security alerts, including {% data variables.product.prodname_dependabot_alerts %}, in repositories in your organization. For more information, see [AUTOTITLE](/copilot/using-github-copilot/asking-github-copilot-questions-in-githubcom#asking-questions-about-alerts-from-github-advanced-security-features). {% endif %} ## Further reading -* "[AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates)" -* "[AUTOTITLE](/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts)" -* "[AUTOTITLE](/code-security/getting-started/auditing-security-alerts)" -{% ifversion fpt or ghec %}- "[AUTOTITLE](/get-started/privacy-on-github)"{% endif %} +* [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates) +* [AUTOTITLE](/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts) +* [AUTOTITLE](/code-security/getting-started/auditing-security-alerts) +{% ifversion fpt or ghec %}- [AUTOTITLE](/get-started/privacy-on-github){% endif %} diff --git a/content/code-security/dependabot/dependabot-alerts/configuring-dependabot-alerts.md b/content/code-security/dependabot/dependabot-alerts/configuring-dependabot-alerts.md index 93f8e75b3298..fc2d3d4a710b 100644 --- a/content/code-security/dependabot/dependabot-alerts/configuring-dependabot-alerts.md +++ b/content/code-security/dependabot/dependabot-alerts/configuring-dependabot-alerts.md @@ -21,7 +21,7 @@ topics: {% data reusables.repositories.a-vulnerability-is %} -{% data variables.product.prodname_dependabot %} scans code when a new advisory is added to the {% data variables.product.prodname_advisory_database %} or the dependency graph for a repository changes. When vulnerable dependencies are detected, {% data variables.product.prodname_dependabot_alerts %} are generated. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts)." +{% data variables.product.prodname_dependabot %} scans code when a new advisory is added to the {% data variables.product.prodname_advisory_database %} or the dependency graph for a repository changes. When vulnerable dependencies are detected, {% data variables.product.prodname_dependabot_alerts %} are generated. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts). {% data reusables.dependabot.dependabot-alert-create-PR %} @@ -60,7 +60,7 @@ When you enable {% data variables.product.prodname_dependabot_alerts %} for exis 1. Under {% ifversion code-security-wording-only %}"Code security"{% else %}"Code security and analysis"{% endif %}, to the right of {% data variables.product.prodname_dependabot_alerts %}, select **Automatically enable for new repositories**. {% else %} -{% data variables.product.prodname_dependabot_alerts %} for your repositories can be enabled or disabled by your enterprise owner. For more information, see "[AUTOTITLE](/admin/configuration/configuring-github-connect/enabling-dependabot-for-your-enterprise)." +{% data variables.product.prodname_dependabot_alerts %} for your repositories can be enabled or disabled by your enterprise owner. For more information, see [AUTOTITLE](/admin/configuration/configuring-github-connect/enabling-dependabot-for-your-enterprise). {% endif %} @@ -73,7 +73,7 @@ By default, we notify people with write, maintain, or admin permissions in the a {% data reusables.security.security-and-analysis-features-enable-read-only %} {% ifversion dependabot-alerts-ghes-enablement %} -An enterprise owner must first set up {% data variables.product.prodname_dependabot %} for your enterprise before you can manage {% data variables.product.prodname_dependabot_alerts %} for your repository. For more information, see "[AUTOTITLE](/admin/configuration/configuring-github-connect/enabling-dependabot-for-your-enterprise)."{% endif %} +An enterprise owner must first set up {% data variables.product.prodname_dependabot %} for your enterprise before you can manage {% data variables.product.prodname_dependabot_alerts %} for your repository. For more information, see [AUTOTITLE](/admin/configuration/configuring-github-connect/enabling-dependabot-for-your-enterprise).{% endif %} ### Enabling or disabling {% data variables.product.prodname_dependabot_alerts %} for a repository @@ -84,19 +84,19 @@ An enterprise owner must first set up {% data variables.product.prodname_dependa ## Managing {% data variables.product.prodname_dependabot_alerts %} for your organization -{% ifversion security-configurations %} You can enable {% data variables.product.prodname_dependabot_alerts %} for all eligible repositories in your organization. For more information, see "[AUTOTITLE](/code-security/securing-your-organization/introduction-to-securing-your-organization-at-scale/about-enabling-security-features-at-scale)." +{% ifversion security-configurations %} You can enable {% data variables.product.prodname_dependabot_alerts %} for all eligible repositories in your organization. For more information, see [AUTOTITLE](/code-security/securing-your-organization/introduction-to-securing-your-organization-at-scale/about-enabling-security-features-at-scale). {% else %} You can enable or disable {% data variables.product.prodname_dependabot_alerts %} for some or all repositories owned by your organization. {% data reusables.security.note-securing-your-org %} {% ifversion dependabot-alerts-ghes-enablement %} -An enterprise owner must first set up {% data variables.product.prodname_dependabot %} for your enterprise before you can manage {% data variables.product.prodname_dependabot_alerts %} for your repository. For more information, see "[AUTOTITLE](/admin/configuration/configuring-github-connect/enabling-dependabot-for-your-enterprise)."{% endif %} +An enterprise owner must first set up {% data variables.product.prodname_dependabot %} for your enterprise before you can manage {% data variables.product.prodname_dependabot_alerts %} for your repository. For more information, see [AUTOTITLE](/admin/configuration/configuring-github-connect/enabling-dependabot-for-your-enterprise).{% endif %} ### Enabling or disabling {% data variables.product.prodname_dependabot_alerts %} for all existing repositories {% ifversion code-security-multi-repo-enablement %} -You can use security overview to find a set of repositories and enable or disable {% data variables.product.prodname_dependabot_alerts %} for them all at the same time. For more information, see "[AUTOTITLE](/code-security/security-overview/enabling-security-features-for-multiple-repositories)." +You can use security overview to find a set of repositories and enable or disable {% data variables.product.prodname_dependabot_alerts %} for them all at the same time. For more information, see [AUTOTITLE](/code-security/security-overview/enabling-security-features-for-multiple-repositories). You can also use the organization settings page for {% ifversion code-security-wording-only %}"Code security"{% else %}"Code security and analysis"{% endif %} to enable or disable {% data variables.product.prodname_dependabot_alerts %} for all existing repositories in an organization. {% else %} diff --git a/content/code-security/dependabot/dependabot-alerts/configuring-notifications-for-dependabot-alerts.md b/content/code-security/dependabot/dependabot-alerts/configuring-notifications-for-dependabot-alerts.md index eb7500fb1ecc..485393720b1f 100644 --- a/content/code-security/dependabot/dependabot-alerts/configuring-notifications-for-dependabot-alerts.md +++ b/content/code-security/dependabot/dependabot-alerts/configuring-notifications-for-dependabot-alerts.md @@ -29,20 +29,20 @@ When {% data variables.product.prodname_dependabot %} detects vulnerable depende {% ifversion dependabot-suppressed-notifications %}Regardless of your notification preferences, when {% data variables.product.prodname_dependabot %} is first enabled, {% data variables.product.product_name %} does not send notifications for all vulnerable dependencies found in your repository. Instead, you will receive notifications for new vulnerable dependencies identified after {% data variables.product.prodname_dependabot %} is enabled, if your notification preferences allow it.{% endif %} -{% ifversion fpt or ghec %}If you're an organization owner, you can enable or disable {% data variables.product.prodname_dependabot_alerts %} for all repositories in your organization with one click. You can also set whether {% data variables.product.prodname_dependabot_alerts %} will be enabled or disabled for newly-created repositories. For more information, see "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-new-repositories-when-they-are-added)." +{% ifversion fpt or ghec %}If you're an organization owner, you can enable or disable {% data variables.product.prodname_dependabot_alerts %} for all repositories in your organization with one click. You can also set whether {% data variables.product.prodname_dependabot_alerts %} will be enabled or disabled for newly-created repositories. For more information, see [AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-new-repositories-when-they-are-added). {% endif %} {% ifversion ghes %} By default, if your enterprise owner has configured email for notifications on your enterprise, you will receive {% data variables.product.prodname_dependabot_alerts %} by email. -Enterprise owners can also enable {% data variables.product.prodname_dependabot_alerts %} without notifications. For more information, see "[AUTOTITLE](/admin/configuration/configuring-github-connect/enabling-dependabot-for-your-enterprise)." +Enterprise owners can also enable {% data variables.product.prodname_dependabot_alerts %} without notifications. For more information, see [AUTOTITLE](/admin/configuration/configuring-github-connect/enabling-dependabot-for-your-enterprise). {% endif %} ## Configuring notifications for {% data variables.product.prodname_dependabot_alerts %} -When a new {% data variables.product.prodname_dependabot %} alert is detected, {% data variables.product.product_name %} notifies all users with access to {% data variables.product.prodname_dependabot_alerts %} for the repository according to their notification preferences. You will receive alerts if you are watching the repository, have enabled notifications for security alerts or for all the activity on the repository, and are not ignoring the repository. For more information, see "[AUTOTITLE](/account-and-profile/managing-subscriptions-and-notifications-on-github/setting-up-notifications/configuring-notifications#configuring-your-watch-settings-for-an-individual-repository)." +When a new {% data variables.product.prodname_dependabot %} alert is detected, {% data variables.product.product_name %} notifies all users with access to {% data variables.product.prodname_dependabot_alerts %} for the repository according to their notification preferences. You will receive alerts if you are watching the repository, have enabled notifications for security alerts or for all the activity on the repository, and are not ignoring the repository. For more information, see [AUTOTITLE](/account-and-profile/managing-subscriptions-and-notifications-on-github/setting-up-notifications/configuring-notifications#configuring-your-watch-settings-for-an-individual-repository). -You can configure notification settings for yourself or your organization from the Manage notifications drop-down {% octicon "bell" aria-label="The notifications bell" %} shown at the top of each page. For more information, see "[AUTOTITLE](/account-and-profile/managing-subscriptions-and-notifications-on-github/setting-up-notifications/configuring-notifications#choosing-your-notification-settings)." +You can configure notification settings for yourself or your organization from the Manage notifications drop-down {% octicon "bell" aria-label="The notifications bell" %} shown at the top of each page. For more information, see [AUTOTITLE](/account-and-profile/managing-subscriptions-and-notifications-on-github/setting-up-notifications/configuring-notifications#choosing-your-notification-settings). {% data reusables.notifications.vulnerable-dependency-notification-delivery-method-customization2 %} {% data reusables.notifications.vulnerable-dependency-notification-options %} @@ -52,15 +52,15 @@ You can configure notification settings for yourself or your organization from t ![Screenshot of the notification options for {% data variables.product.prodname_dependabot_alerts %}.](/assets/images/help/enterprises/dependabot-alerts-options-no-ui.png){% endif %} > [!NOTE] -> You can filter your notifications on {% data variables.product.company_short %} to show {% data variables.product.prodname_dependabot_alerts %}. For more information, see "[AUTOTITLE](/account-and-profile/managing-subscriptions-and-notifications-on-github/viewing-and-triaging-notifications/managing-notifications-from-your-inbox#dependabot-custom-filters)." +> You can filter your notifications on {% data variables.product.company_short %} to show {% data variables.product.prodname_dependabot_alerts %}. For more information, see [AUTOTITLE](/account-and-profile/managing-subscriptions-and-notifications-on-github/viewing-and-triaging-notifications/managing-notifications-from-your-inbox#dependabot-custom-filters). -{% data reusables.repositories.security-alerts-x-github-severity %} For more information, see "[AUTOTITLE](/account-and-profile/managing-subscriptions-and-notifications-on-github/setting-up-notifications/configuring-notifications#filtering-email-notifications)." +{% data reusables.repositories.security-alerts-x-github-severity %} For more information, see [AUTOTITLE](/account-and-profile/managing-subscriptions-and-notifications-on-github/setting-up-notifications/configuring-notifications#filtering-email-notifications). ## How to reduce the noise from notifications for {% data variables.product.prodname_dependabot_alerts %} -If you are concerned about receiving too many notifications for {% data variables.product.prodname_dependabot_alerts %}, we recommend you opt into the weekly email digest, or turn off notifications while keeping {% data variables.product.prodname_dependabot_alerts %} enabled. You can still navigate to see your {% data variables.product.prodname_dependabot_alerts %} in your repository's **Security** tab. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts)." +If you are concerned about receiving too many notifications for {% data variables.product.prodname_dependabot_alerts %}, we recommend you opt into the weekly email digest, or turn off notifications while keeping {% data variables.product.prodname_dependabot_alerts %} enabled. You can still navigate to see your {% data variables.product.prodname_dependabot_alerts %} in your repository's **Security** tab. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts). ## Further reading -* "[AUTOTITLE](/account-and-profile/managing-subscriptions-and-notifications-on-github/setting-up-notifications/configuring-notifications)" -* "[AUTOTITLE](/account-and-profile/managing-subscriptions-and-notifications-on-github/viewing-and-triaging-notifications/managing-notifications-from-your-inbox#supported-is-queries)" +* [AUTOTITLE](/account-and-profile/managing-subscriptions-and-notifications-on-github/setting-up-notifications/configuring-notifications) +* [AUTOTITLE](/account-and-profile/managing-subscriptions-and-notifications-on-github/viewing-and-triaging-notifications/managing-notifications-from-your-inbox#supported-is-queries) diff --git a/content/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts.md b/content/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts.md index 2c46ee5f04d0..a5574a9e4c10 100644 --- a/content/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts.md +++ b/content/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts.md @@ -24,9 +24,9 @@ topics: {% data reusables.dependabot.enterprise-enable-dependabot %} -Your repository's {% data variables.product.prodname_dependabot_alerts %} tab lists all open and closed {% data variables.product.prodname_dependabot_alerts %} and corresponding {% data variables.product.prodname_dependabot_security_updates %}. You can filter alerts by package, ecosystem, or manifest. You can sort the list of alerts, and you can click into specific alerts for more details. You can also dismiss or reopen alerts, either one by one or by selecting multiple alerts at once. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts)." +Your repository's {% data variables.product.prodname_dependabot_alerts %} tab lists all open and closed {% data variables.product.prodname_dependabot_alerts %} and corresponding {% data variables.product.prodname_dependabot_security_updates %}. You can filter alerts by package, ecosystem, or manifest. You can sort the list of alerts, and you can click into specific alerts for more details. You can also dismiss or reopen alerts, either one by one or by selecting multiple alerts at once. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts). -You can enable automatic security updates for any repository that uses {% data variables.product.prodname_dependabot_alerts %} and the dependency graph. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates)." +You can enable automatic security updates for any repository that uses {% data variables.product.prodname_dependabot_alerts %} and the dependency graph. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates). ## About updates for vulnerable dependencies in your repository @@ -36,9 +36,9 @@ You can enable automatic security updates for any repository that uses {% data v Each {% data variables.product.prodname_dependabot %} alert has a unique numeric identifier and the {% data variables.product.prodname_dependabot_alerts %} tab lists an alert for every detected vulnerability. Legacy {% data variables.product.prodname_dependabot_alerts %} grouped vulnerabilities by dependency and generated a single alert per dependency. If you navigate to a legacy {% data variables.product.prodname_dependabot %} alert, you will be redirected to a {% data variables.product.prodname_dependabot_alerts %} tab filtered for that package. -You can filter and sort {% data variables.product.prodname_dependabot_alerts %} using a variety of filters and sort options available on the user interface. For more information, see "[Prioritizing {% data variables.product.prodname_dependabot_alerts %}](#prioritizing-dependabot-alerts)" below. +You can filter and sort {% data variables.product.prodname_dependabot_alerts %} using a variety of filters and sort options available on the user interface. For more information, see [Prioritizing {% data variables.product.prodname_dependabot_alerts %}](#prioritizing-dependabot-alerts) below. -You can also audit actions taken in response to {% data variables.product.prodname_dependabot %} alerts. For more information, see "[AUTOTITLE](/code-security/getting-started/auditing-security-alerts)." +You can also audit actions taken in response to {% data variables.product.prodname_dependabot %} alerts. For more information, see [AUTOTITLE](/code-security/getting-started/auditing-security-alerts). ## Prioritizing {% data variables.product.prodname_dependabot_alerts %} @@ -51,7 +51,7 @@ You can also use {% data variables.dependabot.auto_triage_rules %} to prioritize In addition to the filters available via the search bar, you can sort and filter {% data variables.product.prodname_dependabot_alerts %} using the dropdown menus at the top of the alert list. Alternatively, to filter by label, click a label assigned to an alert to automatically apply that filter to the alert list. -The search bar also allows for full text searching of alerts and related security advisories. You can search for part of a security advisory name or description to return the alerts in your repository that relate to that security advisory. For example, searching for `yaml.load() API could execute arbitrary code` will return {% data variables.product.prodname_dependabot_alerts %} linked to "[PyYAML insecurely deserializes YAML strings leading to arbitrary code execution](https://github.com/advisories/GHSA-rprw-h62v-c2w7)" as the search string appears in the advisory description. +The search bar also allows for full text searching of alerts and related security advisories. You can search for part of a security advisory name or description to return the alerts in your repository that relate to that security advisory. For example, searching for `yaml.load() API could execute arbitrary code` will return {% data variables.product.prodname_dependabot_alerts %} linked to [PyYAML insecurely deserializes YAML strings leading to arbitrary code execution](https://github.com/advisories/GHSA-rprw-h62v-c2w7) as the search string appears in the advisory description. ![Screenshot of the filter and sort menus in the {% data variables.product.prodname_dependabot_alerts %} tab.](/assets/images/help/graphs/dependabot-alerts-filters-checkbox.png) @@ -91,7 +91,7 @@ For alerts where vulnerable calls are detected, the alert details page shows add ![Screenshot showing a {% data variables.product.prodname_dependabot %} alert with a "Vulnerable call" label. A code block, showing "Vulnerable function called", and a link, titled "See all your affected repositories", are highlighted with a dark orange outline.](/assets/images/help/repository/review-calls-to-vulnerable-functions.png) -For more information, see "[Reviewing and fixing alerts](#reviewing-and-fixing-alerts)" below. +For more information, see [Reviewing and fixing alerts](#reviewing-and-fixing-alerts) below. {% endif %} @@ -99,16 +99,16 @@ For more information, see "[Reviewing and fixing alerts](#reviewing-and-fixing-a {% data reusables.dependabot.where-to-view-dependabot-alerts %} You can sort and filter {% data variables.product.prodname_dependabot_alerts %} by selecting a filter from the dropdown menu. -{% ifversion ghec or ghes %}To view summaries of alerts for all or a subset of repositories owned by your organization, use security overview. For more information, see "[AUTOTITLE](/code-security/security-overview/about-security-overview#about-security-overview-for-organizations)."{% endif %} +{% ifversion ghec or ghes %}To view summaries of alerts for all or a subset of repositories owned by your organization, use security overview. For more information, see [AUTOTITLE](/code-security/security-overview/about-security-overview#about-security-overview-for-organizations).{% endif %} {% data reusables.repositories.navigate-to-repo %} {% data reusables.repositories.sidebar-security %} {% data reusables.repositories.sidebar-dependabot-alerts %} -1. Optionally, to filter alerts, select a filter in a dropdown menu then click the filter that you would like to apply. You can also type filters into the search bar. Alternatively, to filter by label, click a label assigned to an alert to automatically apply that filter to the alert list. For more information about filtering and sorting alerts, see "[Prioritizing {% data variables.product.prodname_dependabot_alerts %}](#prioritizing-dependabot-alerts)." +1. Optionally, to filter alerts, select a filter in a dropdown menu then click the filter that you would like to apply. You can also type filters into the search bar. Alternatively, to filter by label, click a label assigned to an alert to automatically apply that filter to the alert list. For more information about filtering and sorting alerts, see [Prioritizing {% data variables.product.prodname_dependabot_alerts %}](#prioritizing-dependabot-alerts). ![Screenshot of the filter and sort menus in the {% data variables.product.prodname_dependabot_alerts %} tab.](/assets/images/help/graphs/dependabot-alerts-filters-checkbox.png) 1. Click the alert that you would like to view. -1. Optionally, to suggest an improvement to the related security advisory, on the right-hand side of the alert details page, click **Suggest improvements for this advisory on the {% data variables.product.prodname_advisory_database %}**. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/editing-security-advisories-in-the-github-advisory-database)." +1. Optionally, to suggest an improvement to the related security advisory, on the right-hand side of the alert details page, click **Suggest improvements for this advisory on the {% data variables.product.prodname_advisory_database %}**. For more information, see [AUTOTITLE](/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/editing-security-advisories-in-the-github-advisory-database). ![Screenshot of the right sidebar of a {% data variables.product.prodname_dependabot %} alert. A link, titled "Suggest improvements for this advisory on the {% data variables.product.prodname_advisory_database %}", is highlighted with an orange outline.](/assets/images/help/dependabot/dependabot-improve-security-advisory.png) @@ -128,13 +128,13 @@ For supported languages, {% data variables.product.prodname_dependabot %} detect {% ifversion copilot-chat-ghas-alerts %} -With a {% data variables.product.prodname_copilot_enterprise %} license, you can also ask {% data variables.product.prodname_copilot_chat %} for help to better understand {% data variables.product.prodname_dependabot_alerts %} in repositories in your organization. For more information, see "[AUTOTITLE](/copilot/using-github-copilot/asking-github-copilot-questions-in-githubcom#asking-questions-about-alerts-from-github-advanced-security-features)." +With a {% data variables.product.prodname_copilot_enterprise %} license, you can also ask {% data variables.product.prodname_copilot_chat %} for help to better understand {% data variables.product.prodname_dependabot_alerts %} in repositories in your organization. For more information, see [AUTOTITLE](/copilot/using-github-copilot/asking-github-copilot-questions-in-githubcom#asking-questions-about-alerts-from-github-advanced-security-features). {% endif %} ### Fixing vulnerable dependencies -1. View the details for an alert. For more information, see "[Viewing {% data variables.product.prodname_dependabot_alerts %}](#viewing-dependabot-alerts)" (above). +1. View the details for an alert. For more information, see [Viewing {% data variables.product.prodname_dependabot_alerts %}](#viewing-dependabot-alerts) (above). 1. If you have {% data variables.product.prodname_dependabot_security_updates %} enabled, there may be a link to a pull request that will fix the dependency. Alternatively, you can click **Create {% data variables.product.prodname_dependabot %} security update** at the top of the alert details page to create a pull request. ![Screenshot of a {% data variables.product.prodname_dependabot %} alert with the "Create {% data variables.product.prodname_dependabot %} security update" button highlighted with a dark orange outline.](/assets/images/help/repository/create-dependabot-security-update-button-ungrouped.png) @@ -142,7 +142,7 @@ With a {% data variables.product.prodname_copilot_enterprise %} license, you can 1. Optionally, if you do not use {% data variables.product.prodname_dependabot_security_updates %}, you can use the information on the page to decide which version of the dependency to upgrade to and create a pull request to update the dependency to a secure version. 1. When you're ready to update your dependency and resolve the vulnerability, merge the pull request. - Each pull request raised by {% data variables.product.prodname_dependabot %} includes information on commands you can use to control {% data variables.product.prodname_dependabot %}. For more information, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates#managing-dependabot-pull-requests-with-comment-commands)." + Each pull request raised by {% data variables.product.prodname_dependabot %} includes information on commands you can use to control {% data variables.product.prodname_dependabot %}. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates#managing-dependabot-pull-requests-with-comment-commands). ## Dismissing {% data variables.product.prodname_dependabot_alerts %} @@ -151,9 +151,9 @@ With a {% data variables.product.prodname_copilot_enterprise %} license, you can If you schedule extensive work to upgrade a dependency, or decide that an alert does not need to be fixed, you can dismiss the alert. Dismissing alerts that you have already assessed makes it easier to triage new alerts as they appear. -1. View the details for an alert. For more information, see "[Viewing vulnerable dependencies](#viewing-dependabot-alerts)" (above). +1. View the details for an alert. For more information, see [Viewing vulnerable dependencies](#viewing-dependabot-alerts) (above). 1. Select the "Dismiss" dropdown, and click a reason for dismissing the alert. Unfixed dismissed alerts can be reopened later. -1. Optionally, add a dismissal comment. The dismissal comment will be added to the alert timeline and can be used as justification during auditing and reporting. You can retrieve or set a comment by using the GraphQL API. The comment is contained in the `dismissComment` field. For more information, see "[AUTOTITLE](/graphql/reference/objects#repositoryvulnerabilityalert)" in the GraphQL API documentation. +1. Optionally, add a dismissal comment. The dismissal comment will be added to the alert timeline and can be used as justification during auditing and reporting. You can retrieve or set a comment by using the GraphQL API. The comment is contained in the `dismissComment` field. For more information, see [AUTOTITLE](/graphql/reference/objects#repositoryvulnerabilityalert) in the GraphQL API documentation. ![Screenshot of the page for a Dependabot alert, with the "Dismiss" dropdown and the option to add a dismissal comment highlighted with a dark orange outline.](/assets/images/help/repository/dependabot-alerts-dismissal-comment.png) @@ -161,7 +161,7 @@ If you schedule extensive work to upgrade a dependency, or decide that an alert ### Dismissing multiple alerts at once -1. View the open {% data variables.product.prodname_dependabot_alerts %}. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts#viewing-dependabot-alerts)". +1. View the open {% data variables.product.prodname_dependabot_alerts %}. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts#viewing-dependabot-alerts). 1. Optionally, filter the list of alerts by selecting a dropdown menu, then clicking the filter that you would like to apply. You can also type filters into the search bar. 1. To the left of each alert title, select the alerts that you want to dismiss. ![Screenshot of the {% data variables.product.prodname_dependabot_alerts %} view. Two alerts are selected and these check boxes are highlighted with an orange outline.](/assets/images/help/graphs/select-multiple-alerts.png) @@ -188,7 +188,7 @@ You can view all open alerts, and you can reopen alerts that have been previousl ### Reopening multiple alerts at once -1. View the closed {% data variables.product.prodname_dependabot_alerts %}. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts#viewing-and-updating-closed-alerts)" (above). +1. View the closed {% data variables.product.prodname_dependabot_alerts %}. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts#viewing-and-updating-closed-alerts) (above). 1. To the left of each alert title, select the alerts that you want to reopen by clicking the checkbox adjacent to each alert. 1. Optionally, at the top of the list of alerts, select all closed alerts on the page. ![Screenshot of alerts in the "Closed" tab. The "Select all" checkbox is highlighted with a dark orange outline.](/assets/images/help/graphs/select-all-closed-alerts.png) @@ -196,8 +196,8 @@ You can view all open alerts, and you can reopen alerts that have been previousl ## Reviewing the audit logs for {% data variables.product.prodname_dependabot_alerts %} -When a member of your organization {% ifversion not fpt %}or enterprise {% endif %}performs an action related to {% data variables.product.prodname_dependabot_alerts %}, you can review the actions in the audit log. For more information about accessing the log, see "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#accessing-the-audit-log){% ifversion not fpt %}" and "[AUTOTITLE](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/accessing-the-audit-log-for-your-enterprise)."{% else %}."{% endif %} +When a member of your organization {% ifversion not fpt %}or enterprise {% endif %}performs an action related to {% data variables.product.prodname_dependabot_alerts %}, you can review the actions in the audit log. For more information about accessing the log, see [AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#accessing-the-audit-log){% ifversion not fpt %} and [AUTOTITLE](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/accessing-the-audit-log-for-your-enterprise).{% else %}.{% endif %} ![Screenshot of the audit log showing Dependabot alerts.](/assets/images/help/dependabot/audit-log-ui-dependabot-alert.png) -Events in your audit log for {% data variables.product.prodname_dependabot_alerts %} include details such as who performed the action, what the action was, and when the action was performed. The event also includes a link to the alert itself. When a member of your organization dismisses an alert, the event displays the dismissal reason and comment. For information on the {% data variables.product.prodname_dependabot_alerts %} actions, see the `repository_vulnerability_alert` category in "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/audit-log-events-for-your-organization#repository_vulnerability_alert){% ifversion not fpt %}" and "[AUTOTITLE](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#repository_vulnerability_alert)."{% else %}."{% endif %} +Events in your audit log for {% data variables.product.prodname_dependabot_alerts %} include details such as who performed the action, what the action was, and when the action was performed. The event also includes a link to the alert itself. When a member of your organization dismisses an alert, the event displays the dismissal reason and comment. For information on the {% data variables.product.prodname_dependabot_alerts %} actions, see the `repository_vulnerability_alert` category in [AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/audit-log-events-for-your-organization#repository_vulnerability_alert){% ifversion not fpt %} and [AUTOTITLE](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#repository_vulnerability_alert).{% else %}."{% endif %} diff --git a/content/code-security/dependabot/dependabot-auto-triage-rules/about-dependabot-auto-triage-rules.md b/content/code-security/dependabot/dependabot-auto-triage-rules/about-dependabot-auto-triage-rules.md index 1978dd84b6da..10ad928edc54 100644 --- a/content/code-security/dependabot/dependabot-auto-triage-rules/about-dependabot-auto-triage-rules.md +++ b/content/code-security/dependabot/dependabot-auto-triage-rules/about-dependabot-auto-triage-rules.md @@ -33,26 +33,26 @@ There are two types of {% data variables.dependabot.auto_triage_rules %}: {% data variables.dependabot.github_presets %} are rules curated by {% data variables.product.company_short %}. {% data reusables.dependabot.dismiss-low-impact-rule %} -The rule is enabled by default for public repositories and can be opted into for private repositories. You can enable the rule for a private repository via the **Settings** tab for the repository. For more information, see "[Enabling the `Dismiss low impact issues for development-scoped dependencies` rule for your private repository](/code-security/dependabot/dependabot-auto-triage-rules/using-github-preset-rules-to-prioritize-dependabot-alerts#enabling-the-dismiss-low-impact-issues-for-development-scoped-dependencies-rule-for-your-private-repository)." +The rule is enabled by default for public repositories and can be opted into for private repositories. You can enable the rule for a private repository via the **Settings** tab for the repository. For more information, see [Enabling the `Dismiss low impact issues for development-scoped dependencies` rule for your private repository](/code-security/dependabot/dependabot-auto-triage-rules/using-github-preset-rules-to-prioritize-dependabot-alerts#enabling-the-dismiss-low-impact-issues-for-development-scoped-dependencies-rule-for-your-private-repository). ### About {% data variables.dependabot.custom_rules %} > [!NOTE] > {% data reusables.gated-features.dependabot-custom-auto-triage-rules %} -With {% data variables.dependabot.custom_rules %}, you can create your own rules to automatically dismiss or reopen alerts based on targeted metadata, such as severity, package name, CWE, and more. You can also specify which alerts you want {% data variables.product.prodname_dependabot %} to open pull requests for. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-auto-triage-rules/customizing-auto-triage-rules-to-prioritize-dependabot-alerts)." +With {% data variables.dependabot.custom_rules %}, you can create your own rules to automatically dismiss or reopen alerts based on targeted metadata, such as severity, package name, CWE, and more. You can also specify which alerts you want {% data variables.product.prodname_dependabot %} to open pull requests for. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-auto-triage-rules/customizing-auto-triage-rules-to-prioritize-dependabot-alerts). -You can create custom rules from the **Settings** tab of the repository{% ifversion ghec or ghes %}, provided the repository belongs to an organization that has a license for {% data variables.product.prodname_GH_advanced_security %}{% endif %}. For more information, see "[Adding custom auto-triage rules to your repository](/code-security/dependabot/dependabot-auto-triage-rules/customizing-auto-triage-rules-to-prioritize-dependabot-alerts#adding-custom-auto-triage-rules-to-your-repository)." +You can create custom rules from the **Settings** tab of the repository{% ifversion ghec or ghes %}, provided the repository belongs to an organization that has a license for {% data variables.product.prodname_GH_advanced_security %}{% endif %}. For more information, see [Adding custom auto-triage rules to your repository](/code-security/dependabot/dependabot-auto-triage-rules/customizing-auto-triage-rules-to-prioritize-dependabot-alerts#adding-custom-auto-triage-rules-to-your-repository). ### About auto-dismissing alerts -Whilst you may find it useful to use auto-triage rules to auto-dismiss alerts, you can still reopen auto-dismissed alerts and filter to see which alerts have been auto-dismissed. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-auto-triage-rules/managing-automatically-dismissed-alerts)." +Whilst you may find it useful to use auto-triage rules to auto-dismiss alerts, you can still reopen auto-dismissed alerts and filter to see which alerts have been auto-dismissed. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-auto-triage-rules/managing-automatically-dismissed-alerts). Additionally, auto-dismissed alerts are still available for reporting and reviewing, and can be auto-reopened if the alert metadata changes, for example: * If you change the scope of a dependency from development to production. * If {% data variables.product.company_short %} modifies certain metadata for the related advisory. -Auto-dismissed alerts are defined by the `resolution:auto-dismiss` close reason. Automatic dismissal activity is included in alert webhooks, REST and GraphQL APIs, and the audit log. For more information, see "[AUTOTITLE](/rest/dependabot/alerts)," and the "`repository_vulnerability_alert`" section in "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#repository_vulnerability_alert-category-actions)." +Auto-dismissed alerts are defined by the `resolution:auto-dismiss` close reason. Automatic dismissal activity is included in alert webhooks, REST and GraphQL APIs, and the audit log. For more information, see [AUTOTITLE](/rest/dependabot/alerts), and the "`repository_vulnerability_alert`" section in [AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#repository_vulnerability_alert-category-actions). ## Further reading diff --git a/content/code-security/dependabot/dependabot-auto-triage-rules/customizing-auto-triage-rules-to-prioritize-dependabot-alerts.md b/content/code-security/dependabot/dependabot-auto-triage-rules/customizing-auto-triage-rules-to-prioritize-dependabot-alerts.md index fb043eab08c7..633c0796a989 100644 --- a/content/code-security/dependabot/dependabot-auto-triage-rules/customizing-auto-triage-rules-to-prioritize-dependabot-alerts.md +++ b/content/code-security/dependabot/dependabot-auto-triage-rules/customizing-auto-triage-rules-to-prioritize-dependabot-alerts.md @@ -50,7 +50,7 @@ You can use {% data variables.dependabot.custom_rules %} to tailor which alerts When {% data variables.product.prodname_dependabot_security_updates %} are enabled for a repository, {% data variables.product.prodname_dependabot %} will automatically try to open pull requests to resolve **every** open {% data variables.product.prodname_dependabot %} alert that has an available patch. If you prefer to customize this behavior using a rule, you must leave {% data variables.product.prodname_dependabot_security_updates %} disabled. -For more information about enabling or disabling {% data variables.product.prodname_dependabot_security_updates %} for a repository, see "[AUTOTITLE](/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates#managing-dependabot-security-updates-for-your-repositories)." +For more information about enabling or disabling {% data variables.product.prodname_dependabot_security_updates %} for a repository, see [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates#managing-dependabot-security-updates-for-your-repositories). ## Adding {% data variables.dependabot.custom_rules %} to your repository @@ -72,7 +72,7 @@ For more information about enabling or disabling {% data variables.product.prodn ## Adding {% data variables.dependabot.custom_rules %} to your organization -{% ifversion security-configurations %} You can add {% data variables.dependabot.custom_rules %} for all eligible repositories in your organization. For more information, see "[AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization#creating-and-managing-dependabot-auto-triage-rules)." +{% ifversion security-configurations %} You can add {% data variables.dependabot.custom_rules %} for all eligible repositories in your organization. For more information, see [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization#creating-and-managing-dependabot-auto-triage-rules). {% else %} @@ -109,7 +109,7 @@ For more information about enabling or disabling {% data variables.product.prodn ## Editing or deleting {% data variables.dependabot.custom_rules %} for your organization -{% ifversion security-configurations %} You can edit or delete {% data variables.dependabot.custom_rules %} for all eligible repositories in your organization. For more information, see "[AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization#creating-and-managing-dependabot-auto-triage-rules)." +{% ifversion security-configurations %} You can edit or delete {% data variables.dependabot.custom_rules %} for all eligible repositories in your organization. For more information, see [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization#creating-and-managing-dependabot-auto-triage-rules). {% else %} diff --git a/content/code-security/dependabot/dependabot-auto-triage-rules/using-github-preset-rules-to-prioritize-dependabot-alerts.md b/content/code-security/dependabot/dependabot-auto-triage-rules/using-github-preset-rules-to-prioritize-dependabot-alerts.md index aa7d7ad2e932..5a6be790b1b7 100644 --- a/content/code-security/dependabot/dependabot-auto-triage-rules/using-github-preset-rules-to-prioritize-dependabot-alerts.md +++ b/content/code-security/dependabot/dependabot-auto-triage-rules/using-github-preset-rules-to-prioritize-dependabot-alerts.md @@ -29,7 +29,7 @@ The `Dismiss low impact issues for development-scoped dependencies` rule is a {% > [!NOTE] > Automatic dismissal of low impact development alerts is currently only supported for npm. -The `Dismiss low impact issues for development-scoped dependencies` rule includes vulnerabilities relating to resource management, programming and logic, and information disclosure issues. For more information, see "[Publicly disclosed CWEs used by the `Dismiss low impact issues for development-scoped dependencies` rule](#publicly-disclosed-cwes-used-by-the-dismiss-low-impact-issues-for-development-scoped-dependencies-rule)." +The `Dismiss low impact issues for development-scoped dependencies` rule includes vulnerabilities relating to resource management, programming and logic, and information disclosure issues. For more information, see [Publicly disclosed CWEs used by the `Dismiss low impact issues for development-scoped dependencies` rule](#publicly-disclosed-cwes-used-by-the-dismiss-low-impact-issues-for-development-scoped-dependencies-rule). Filtering out these low impact alerts allows you to focus on alerts that matter to you, without having to worry about missing potentially high-risk development-scoped alerts. @@ -37,7 +37,7 @@ The `Dismiss low impact issues for development-scoped dependencies` rule is enab ## Enabling the `Dismiss low impact issues for development-scoped dependencies` rule for your private repository -{% ifversion fpt or ghec %}You first need to enable {% data variables.product.prodname_dependabot_alerts %} for the repository. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-alerts/configuring-dependabot-alerts#managing-dependabot-alerts-for-your-repository)."{% elsif ghes %}{% data variables.product.prodname_dependabot_alerts %} for your repository can be enabled or disabled by your enterprise owner. For more information, see "[AUTOTITLE](/admin/configuration/configuring-github-connect/enabling-dependabot-for-your-enterprise)."{% endif %} +{% ifversion fpt or ghec %}You first need to enable {% data variables.product.prodname_dependabot_alerts %} for the repository. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/configuring-dependabot-alerts#managing-dependabot-alerts-for-your-repository).{% elsif ghes %}{% data variables.product.prodname_dependabot_alerts %} for your repository can be enabled or disabled by your enterprise owner. For more information, see [AUTOTITLE](/admin/configuration/configuring-github-connect/enabling-dependabot-for-your-enterprise).{% endif %} {% data reusables.repositories.navigate-to-repo %} {% data reusables.repositories.sidebar-settings %} diff --git a/content/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates.md b/content/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates.md index ae354cbe09ee..85bed65e8ce9 100644 --- a/content/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates.md +++ b/content/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates.md @@ -32,7 +32,7 @@ topics: {% data reusables.dependabot.dependabot-updates-supported-repos-ecosystems %} -If you enable {% data variables.product.prodname_dependabot_security_updates %}, when a {% data variables.product.prodname_dependabot %} alert is raised for a vulnerable dependency in the dependency graph of your repository, {% data variables.product.prodname_dependabot %} automatically tries to fix it. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts)" and "[AUTOTITLE](/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates)." +If you enable {% data variables.product.prodname_dependabot_security_updates %}, when a {% data variables.product.prodname_dependabot %} alert is raised for a vulnerable dependency in the dependency graph of your repository, {% data variables.product.prodname_dependabot %} automatically tries to fix it. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts) and [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates). > [!NOTE] > There is no interaction between the settings specified in the `dependabot.yml` file and {% data variables.product.prodname_dependabot %} security alerts, other than the fact that alerts will be closed when related pull requests generated by {% data variables.product.prodname_dependabot %} for security updates are merged. @@ -43,22 +43,22 @@ If you enable {% data variables.product.prodname_dependabot_security_updates %}, {% data variables.product.prodname_dotcom %} may send {% data variables.product.prodname_dependabot_alerts %} to repositories affected by a vulnerability disclosed by a recently published {% data variables.product.prodname_dotcom %} security advisory. {% data reusables.security-advisory.link-browsing-advisory-db %} -{% data variables.product.prodname_dependabot %} checks whether it's possible to upgrade the vulnerable dependency to a fixed version without disrupting the dependency graph for the repository. Then {% data variables.product.prodname_dependabot %} raises a pull request to update the dependency to the minimum version that includes the patch and links the pull request to the {% data variables.product.prodname_dependabot %} alert, or reports an error on the alert. For more information, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/troubleshooting-dependabot-errors)." +{% data variables.product.prodname_dependabot %} checks whether it's possible to upgrade the vulnerable dependency to a fixed version without disrupting the dependency graph for the repository. Then {% data variables.product.prodname_dependabot %} raises a pull request to update the dependency to the minimum version that includes the patch and links the pull request to the {% data variables.product.prodname_dependabot %} alert, or reports an error on the alert. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/troubleshooting-dependabot-errors). -The {% data variables.product.prodname_dependabot_security_updates %} feature is available for repositories where you have enabled the dependency graph and {% data variables.product.prodname_dependabot_alerts %}. You will see a {% data variables.product.prodname_dependabot %} alert for every vulnerable dependency identified in your full dependency graph. However, security updates are triggered only for dependencies that are specified in a manifest or lock file. For more information, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph#dependencies-included)." +The {% data variables.product.prodname_dependabot_security_updates %} feature is available for repositories where you have enabled the dependency graph and {% data variables.product.prodname_dependabot_alerts %}. You will see a {% data variables.product.prodname_dependabot %} alert for every vulnerable dependency identified in your full dependency graph. However, security updates are triggered only for dependencies that are specified in a manifest or lock file. For more information, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph#dependencies-included). > [!NOTE] -> For npm, {% data variables.product.prodname_dependabot %} will raise a pull request to update an explicitly defined dependency to a secure version, even if it means updating the parent dependency or dependencies, or even removing a sub-dependency that is no longer needed by the parent. For other ecosystems, {% data variables.product.prodname_dependabot %} is unable to update an indirect or transitive dependency if it would also require an update to the parent dependency. For more information, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/troubleshooting-dependabot-errors#dependabot-tries-to-update-dependencies-without-an-alert)." +> For npm, {% data variables.product.prodname_dependabot %} will raise a pull request to update an explicitly defined dependency to a secure version, even if it means updating the parent dependency or dependencies, or even removing a sub-dependency that is no longer needed by the parent. For other ecosystems, {% data variables.product.prodname_dependabot %} is unable to update an indirect or transitive dependency if it would also require an update to the parent dependency. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/troubleshooting-dependabot-errors#dependabot-tries-to-update-dependencies-without-an-alert). -You can enable a related feature, {% data variables.product.prodname_dependabot_version_updates %}, so that {% data variables.product.prodname_dependabot %} raises pull requests to update the manifest to the latest version of the dependency, whenever it detects an outdated dependency. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates)." +You can enable a related feature, {% data variables.product.prodname_dependabot_version_updates %}, so that {% data variables.product.prodname_dependabot %} raises pull requests to update the manifest to the latest version of the dependency, whenever it detects an outdated dependency. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates). {% data reusables.dependabot.pull-request-security-vs-version-updates %} -If you enable _{% data variables.product.prodname_dependabot_security_updates %}_, parts of the configuration may also affect pull requests created for _{% data variables.product.prodname_dependabot_version_updates %}_. This is because some configuration settings are common to both types of updates. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#configuration-options-for-the-dependabotyml-file)." +If you enable _{% data variables.product.prodname_dependabot_security_updates %}_, parts of the configuration may also affect pull requests created for _{% data variables.product.prodname_dependabot_version_updates %}_. This is because some configuration settings are common to both types of updates. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#configuration-options-for-the-dependabotyml-file). {% data reusables.dependabot.dependabot-updates-prs-and-actions %} -{% ifversion dependabot-on-actions-opt-in %}{% data reusables.dependabot.dependabot-updates-and-actions %} For more information, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners)."{% endif %} +{% ifversion dependabot-on-actions-opt-in %}{% data reusables.dependabot.dependabot-updates-and-actions %} For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners).{% endif %} {% data reusables.dependabot.dependabot-actions-support %} @@ -66,7 +66,7 @@ If you enable _{% data variables.product.prodname_dependabot_security_updates %} Each pull request contains everything you need to quickly and safely review and merge a proposed fix into your project. This includes information about the vulnerability like release notes, changelog entries, and commit details. Details of which vulnerability a pull request resolves are hidden from anyone who does not have access to {% data variables.product.prodname_dependabot_alerts %} for the repository. -When you merge a pull request that contains a security update, the corresponding {% data variables.product.prodname_dependabot %} alert is marked as resolved for your repository. For more information about {% data variables.product.prodname_dependabot %} pull requests, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates)." +When you merge a pull request that contains a security update, the corresponding {% data variables.product.prodname_dependabot %} alert is marked as resolved for your repository. For more information about {% data variables.product.prodname_dependabot %} pull requests, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates). {% data reusables.dependabot.automated-tests-note %} @@ -81,7 +81,7 @@ For security updates, {% data variables.product.prodname_dependabot %} will only {% data reusables.dependabot.dependabot-grouped-security-updates-how-enable %} {% data reusables.dependabot.dependabot-grouped-security-updates-order %} - For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates#grouping-dependabot-updates-into-a-single-pull-request)." + For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates#grouping-dependabot-updates-into-a-single-pull-request). {% endif %} @@ -99,4 +99,4 @@ For security updates, {% data variables.product.prodname_dependabot %} will only ## About notifications for {% data variables.product.prodname_dependabot %} security updates -You can filter your notifications on {% data variables.product.company_short %} to show {% data variables.product.prodname_dependabot %} security updates. For more information, see "[AUTOTITLE](/account-and-profile/managing-subscriptions-and-notifications-on-github/viewing-and-triaging-notifications/managing-notifications-from-your-inbox#dependabot-custom-filters)." +You can filter your notifications on {% data variables.product.company_short %} to show {% data variables.product.prodname_dependabot %} security updates. For more information, see [AUTOTITLE](/account-and-profile/managing-subscriptions-and-notifications-on-github/viewing-and-triaging-notifications/managing-notifications-from-your-inbox#dependabot-custom-filters). diff --git a/content/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates.md b/content/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates.md index 2c284f76de59..c927fcdc33c2 100644 --- a/content/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates.md +++ b/content/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates.md @@ -30,9 +30,9 @@ topics: ## About configuring {% data variables.product.prodname_dependabot_security_updates %} -You can enable {% data variables.product.prodname_dependabot_security_updates %} for any repository that uses {% data variables.product.prodname_dependabot_alerts %} and the dependency graph. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates)." +You can enable {% data variables.product.prodname_dependabot_security_updates %} for any repository that uses {% data variables.product.prodname_dependabot_alerts %} and the dependency graph. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates). -You can enable or disable {% data variables.product.prodname_dependabot_security_updates %} for an individual repository{% ifversion code-security-multi-repo-enablement %}, for a selection of repositories in an organization,{% endif %} or for all repositories owned by your personal account or organization. For more information about enabling security features in an organization, see {% ifversion security-configurations %}"[AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization)."{% else %}"[AUTOTITLE](/code-security/getting-started/quickstart-for-securing-your-organization)."{% endif %} +You can enable or disable {% data variables.product.prodname_dependabot_security_updates %} for an individual repository{% ifversion code-security-multi-repo-enablement %}, for a selection of repositories in an organization,{% endif %} or for all repositories owned by your personal account or organization. For more information about enabling security features in an organization, see {% ifversion security-configurations %}[AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization).{% else %}[AUTOTITLE](/code-security/getting-started/quickstart-for-securing-your-organization).{% endif %} {% data reusables.dependabot.dependabot-security-updates-disable-for-alert-rules %} @@ -40,7 +40,7 @@ You can enable or disable {% data variables.product.prodname_dependabot_security ## Supported repositories -{% data variables.product.prodname_dotcom %} automatically enables {% data variables.product.prodname_dependabot_security_updates %} for newly created repositories if your personal account or organization has enabled **Automatically enable for new repositories** for {% data variables.product.prodname_dependabot_security_updates %}. For more information, see "[Managing {% data variables.product.prodname_dependabot_security_updates %} for your repositories](#managing-dependabot-security-updates-for-your-repositories)." +{% data variables.product.prodname_dotcom %} automatically enables {% data variables.product.prodname_dependabot_security_updates %} for newly created repositories if your personal account or organization has enabled **Automatically enable for new repositories** for {% data variables.product.prodname_dependabot_security_updates %}. For more information, see [Managing {% data variables.product.prodname_dependabot_security_updates %} for your repositories](#managing-dependabot-security-updates-for-your-repositories). If you create a fork of a repository that has security updates enabled, {% data variables.product.prodname_dotcom %} will automatically disable {% data variables.product.prodname_dependabot_security_updates %} for the fork. You can then decide whether to enable {% data variables.product.prodname_dependabot_security_updates %} on the specific fork. @@ -48,7 +48,7 @@ If security updates are not enabled for your repository and you don't know why, ## Managing {% data variables.product.prodname_dependabot_security_updates %} for your repositories -You can enable or disable {% data variables.product.prodname_dependabot_security_updates %} for all qualifying repositories owned by your personal account or organization. For more information, see "[AUTOTITLE](/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-personal-account-settings/managing-security-and-analysis-settings-for-your-personal-account)" or "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization)." +You can enable or disable {% data variables.product.prodname_dependabot_security_updates %} for all qualifying repositories owned by your personal account or organization. For more information, see [AUTOTITLE](/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-personal-account-settings/managing-security-and-analysis-settings-for-your-personal-account) or [AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization). You can also enable or disable {% data variables.product.prodname_dependabot_security_updates %} for an individual repository. @@ -65,9 +65,9 @@ You can also enable or disable {% data variables.product.prodname_dependabot_sec To reduce the number of pull requests you may be seeing, you can enable grouped security updates for your repository or organization. When this is enabled, {% data variables.product.prodname_dependabot %} will group security updates into one pull request for each package ecosystem. In order to use grouped security updates, you must first enable the following features: -* **Dependency graph**. For more information, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-the-dependency-graph)." -* **{% data variables.product.prodname_dependabot_alerts %}**. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-alerts/configuring-dependabot-alerts)." -* **{% data variables.product.prodname_dependabot_security_updates %}**. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates)." +* **Dependency graph**. For more information, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-the-dependency-graph). +* **{% data variables.product.prodname_dependabot_alerts %}**. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/configuring-dependabot-alerts). +* **{% data variables.product.prodname_dependabot_security_updates %}**. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates). > [!NOTE] > When grouped security updates are first enabled, {% data variables.product.prodname_dependabot %} will immediately try to create grouped pull requests. You may notice {% data variables.product.prodname_dependabot %} closing old pull requests and opening new ones. @@ -86,7 +86,7 @@ Repository administrators can enable or disable grouped security updates for the ### Enabling or disabling grouped {% data variables.product.prodname_dependabot_security_updates %} for an organization -{% ifversion security-configurations %} You can enable grouped {% data variables.product.prodname_dependabot_security_updates %} into a single pull request. For more information, see "[AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization#grouping-dependabot-security-updates)." +{% ifversion security-configurations %} You can enable grouped {% data variables.product.prodname_dependabot_security_updates %} into a single pull request. For more information, see [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization#grouping-dependabot-security-updates). {% else %} @@ -113,7 +113,7 @@ Use the `groups` option with the `applies-to: security-updates` key to create se If you only require _security_ updates and want to exclude _version_ updates, you can set `open-pull-requests-limit` to `0` in order to prevent version updates for a given `package-ecosystem`. -For more information about the configuration options available for security updates, see "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file)." +For more information about the configuration options available for security updates, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file). ```yaml # Example configuration file that: @@ -153,6 +153,6 @@ updates: ## Further reading -* "[AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts)" -* "[AUTOTITLE](/code-security/dependabot/dependabot-alerts/configuring-dependabot-alerts)" -* "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/dependency-graph-supported-package-ecosystems#supported-package-ecosystems)" +* [AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts) +* [AUTOTITLE](/code-security/dependabot/dependabot-alerts/configuring-dependabot-alerts) +* [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/dependency-graph-supported-package-ecosystems#supported-package-ecosystems) diff --git a/content/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates.md b/content/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates.md index 7f813273919d..a809edb1b1b3 100644 --- a/content/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates.md +++ b/content/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates.md @@ -34,9 +34,9 @@ shortTitle: Dependabot version updates You enable {% data variables.product.prodname_dependabot_version_updates %} by checking a `dependabot.yml` configuration file into your repository. The configuration file specifies the location of the manifest, or of other package definition files, stored in your repository. {% data variables.product.prodname_dependabot %} uses this information to check for outdated packages and applications. {% data variables.product.prodname_dependabot %} determines if there is a new version of a dependency by looking at the semantic versioning ([semver](https://semver.org/)) of the dependency to decide whether it should update to that version. For certain package managers, {% data variables.product.prodname_dependabot_version_updates %} also supports vendoring. Vendored (or cached) dependencies are dependencies that are checked in to a specific directory in a repository rather than referenced in a manifest. Vendored dependencies are available at build time even if package servers are unavailable. {% data variables.product.prodname_dependabot_version_updates %} can be configured to check vendored dependencies for new versions and update them if necessary. -When {% data variables.product.prodname_dependabot %} identifies an outdated dependency, it raises a pull request to update the manifest to the latest version of the dependency. For vendored dependencies, {% data variables.product.prodname_dependabot %} raises a pull request to replace the outdated dependency with the new version directly. You check that your tests pass, review the changelog and release notes included in the pull request summary, and then merge it. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates)." +When {% data variables.product.prodname_dependabot %} identifies an outdated dependency, it raises a pull request to update the manifest to the latest version of the dependency. For vendored dependencies, {% data variables.product.prodname_dependabot %} raises a pull request to replace the outdated dependency with the new version directly. You check that your tests pass, review the changelog and release notes included in the pull request summary, and then merge it. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates). -If you enable _security updates_, {% data variables.product.prodname_dependabot %} also raises pull requests to update vulnerable dependencies. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates)." +If you enable _security updates_, {% data variables.product.prodname_dependabot %} also raises pull requests to update vulnerable dependencies. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates). {% data reusables.dependabot.pull-request-security-vs-version-updates %} @@ -44,7 +44,7 @@ If you enable _security updates_, {% data variables.product.prodname_dependabot {% data reusables.dependabot.dependabot-updates-prs-and-actions %} -{% ifversion dependabot-on-actions-opt-in %}{% data reusables.dependabot.dependabot-updates-and-actions %} For more information, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners)."{% endif %} +{% ifversion dependabot-on-actions-opt-in %}{% data reusables.dependabot.dependabot-updates-and-actions %} For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners).{% endif %} {% data reusables.dependabot.dependabot-tos %} @@ -52,7 +52,7 @@ If you enable _security updates_, {% data variables.product.prodname_dependabot You specify how often to check each ecosystem for new versions in the configuration file: daily, weekly, or monthly. -{% data reusables.dependabot.initial-updates %} For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/customizing-dependency-updates)." +{% data reusables.dependabot.initial-updates %} For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/customizing-dependency-updates). If you've enabled security updates, you'll sometimes see extra pull requests for security updates. These are triggered by a {% data variables.product.prodname_dependabot %} alert for a dependency on your default branch. {% data variables.product.prodname_dependabot %} automatically raises a pull request to update the vulnerable dependency. @@ -66,4 +66,4 @@ If you've enabled security updates, you'll sometimes see extra pull requests for ## About notifications for {% data variables.product.prodname_dependabot %} version updates -You can filter your notifications on {% data variables.product.company_short %} to show notifications for pull requests created by {% data variables.product.prodname_dependabot %}. For more information, see "[AUTOTITLE](/account-and-profile/managing-subscriptions-and-notifications-on-github/viewing-and-triaging-notifications/managing-notifications-from-your-inbox)." +You can filter your notifications on {% data variables.product.company_short %} to show notifications for pull requests created by {% data variables.product.prodname_dependabot %}. For more information, see [AUTOTITLE](/account-and-profile/managing-subscriptions-and-notifications-on-github/viewing-and-triaging-notifications/managing-notifications-from-your-inbox). diff --git a/content/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file.md b/content/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file.md index ff14867bd7aa..c51b26be00bb 100644 --- a/content/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file.md +++ b/content/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file.md @@ -25,11 +25,11 @@ shortTitle: Configure dependabot.yml ## About the `dependabot.yml` file -The {% data variables.product.prodname_dependabot %} configuration file, `dependabot.yml`, uses YAML syntax. If you're new to YAML and want to learn more, see "[Learn YAML in five minutes](https://www.codeproject.com/Articles/1214409/Learn-YAML-in-five-minutes)." +The {% data variables.product.prodname_dependabot %} configuration file, `dependabot.yml`, uses YAML syntax. If you're new to YAML and want to learn more, see [Learn YAML in five minutes](https://www.codeproject.com/Articles/1214409/Learn-YAML-in-five-minutes). -You must store this file in the `.github` directory of your repository in the default branch. When you add or update the `dependabot.yml` file, this triggers an immediate check for version updates. For more information and an example, see "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates#enabling-dependabot-version-updates)." +You must store this file in the `.github` directory of your repository in the default branch. When you add or update the `dependabot.yml` file, this triggers an immediate check for version updates. For more information and an example, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates#enabling-dependabot-version-updates). -Any options that also affect security updates are used the next time a security alert triggers a pull request for a security update. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates)." +Any options that also affect security updates are used the next time a security alert triggers a pull request for a security update. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates). > [!NOTE] > You cannot configure {% data variables.product.prodname_dependabot_alerts %} using the `dependabot.yml` file. @@ -63,7 +63,7 @@ In addition, the [`open-pull-requests-limit`](#open-pull-requests-limit) option > > Security updates are raised for vulnerable package manifests only on the default branch. When configuration options are set for the same branch (true unless you use `target-branch`), and specify a `package-ecosystem` and `directory` for the vulnerable manifest, then pull requests for security updates use relevant options. > -> In general, security updates use any configuration options that affect pull requests, for example, adding metadata or changing their behavior. For more information about security updates, see "[AUTOTITLE](/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates)." +> In general, security updates use any configuration options that affect pull requests, for example, adding metadata or changing their behavior. For more information about security updates, see [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates). ### `package-ecosystem` @@ -230,7 +230,7 @@ updates: interval: "weekly" ``` -{% data reusables.dependabot.multidirectory-vs-pr-grouping %} For more information about grouping, see "[`groups`](#groups)." +{% data reusables.dependabot.multidirectory-vs-pr-grouping %} For more information about grouping, see [`groups`](#groups). {% endif %} @@ -268,7 +268,7 @@ updates: ``` > [!NOTE] -> `schedule` defines when {% data variables.product.prodname_dependabot %} attempts a new update. However, it's not the only time you may receive pull requests. Updates can be triggered based on changes to your `dependabot.yml` file, {% ifversion dependabot-updates-deprecate-rerun-failed-jobs %}{% else %}changes to your manifest file(s) after a failed update, {% endif %}or {% data variables.product.prodname_dependabot_security_updates %}. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates#frequency-of-dependabot-pull-requests)" and "[AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates)." +> `schedule` defines when {% data variables.product.prodname_dependabot %} attempts a new update. However, it's not the only time you may receive pull requests. Updates can be triggered based on changes to your `dependabot.yml` file, {% ifversion dependabot-updates-deprecate-rerun-failed-jobs %}{% else %}changes to your manifest file(s) after a failed update, {% endif %}or {% data variables.product.prodname_dependabot_security_updates %}. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates#frequency-of-dependabot-pull-requests) and [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates). > > {% data reusables.dependabot.version-updates-skip-scheduled-runs %} @@ -433,20 +433,20 @@ The `applies-to` key is used to specify whether a set of grouping rules is inten {% data reusables.dependabot.dependabot-version-updates-groups-match-first %} -If a dependency doesn't belong to any group, {% data variables.product.prodname_dependabot %} will continue to raise single pull requests to update the dependency to its latest version as normal. {% data variables.product.prodname_dotcom %} reports in the logs if a group is empty. For more information, see "[{% data variables.product.prodname_dependabot %} fails to group a set of dependencies into a single pull request](/code-security/dependabot/working-with-dependabot/troubleshooting-dependabot-errors#dependabot-fails-to-group-a-set-of-dependencies-into-a-single-pull-request)." +If a dependency doesn't belong to any group, {% data variables.product.prodname_dependabot %} will continue to raise single pull requests to update the dependency to its latest version as normal. {% data variables.product.prodname_dotcom %} reports in the logs if a group is empty. For more information, see [{% data variables.product.prodname_dependabot %} fails to group a set of dependencies into a single pull request](/code-security/dependabot/working-with-dependabot/troubleshooting-dependabot-errors#dependabot-fails-to-group-a-set-of-dependencies-into-a-single-pull-request). When a scheduled update runs, {% data variables.product.prodname_dependabot %} will refresh pull requests for grouped updates using the following rules: * If all the same dependencies need to be updated to the same versions, {% data variables.product.prodname_dependabot %} will rebase the branch. * If all the same dependencies need to be updated, but a newer version has become available for one (or more) of the dependencies, {% data variables.product.prodname_dependabot %} will close the pull request and create a new one. * If the dependencies to be updated have changed - for example, if another dependency in the group now has an update available - {% data variables.product.prodname_dependabot %} will close the pull request and create a new one. -You can also manage pull requests for grouped version updates and security updates using comment commands, which are short comments you can make on a pull request to give instructions to {% data variables.product.prodname_dependabot %}. For more information, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates#managing-dependabot-pull-requests-for-grouped-{% ifversion dependabot-grouped-security-updates-config %}{% else %}version-{% endif %}updates-with-comment-commands)." +You can also manage pull requests for grouped version updates and security updates using comment commands, which are short comments you can make on a pull request to give instructions to {% data variables.product.prodname_dependabot %}. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates#managing-dependabot-pull-requests-for-grouped-{% ifversion dependabot-grouped-security-updates-config %}{% else %}version-{% endif %}updates-with-comment-commands). {% data reusables.dependabot.dependabot-version-updates-groups-yaml-example %} {% ifversion dependabot-grouped-security-updates-config %} -{% data reusables.dependabot.multidirectory-vs-pr-grouping %} For more information about multidirectory support, see "[`directories`](#directories)." +{% data reusables.dependabot.multidirectory-vs-pr-grouping %} For more information about multidirectory support, see [`directories`](#directories). {% endif %} @@ -459,7 +459,7 @@ You can also manage pull requests for grouped version updates and security updat Dependencies can be ignored either by adding them to `ignore` or by using the `@dependabot ignore` command on a pull request opened by {% data variables.product.prodname_dependabot %}. > [!WARNING] -> * We recommend you do _not_ use `ignore` to prevent {% data variables.product.prodname_dependabot %} from accessing private registries. This may work for some ecosystems but we have no means of knowing whether package managers require access to all dependencies to be able to successfully perform updates, which makes this method unreliable. The supported way to handle private dependencies is to give {% data variables.product.prodname_dependabot %} access to private registries or private repositories. For more information, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot)." +> * We recommend you do _not_ use `ignore` to prevent {% data variables.product.prodname_dependabot %} from accessing private registries. This may work for some ecosystems but we have no means of knowing whether package managers require access to all dependencies to be able to successfully perform updates, which makes this method unreliable. The supported way to handle private dependencies is to give {% data variables.product.prodname_dependabot %} access to private registries or private repositories. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot). > * For {% data variables.product.prodname_actions %} and Docker, you may use `ignore` to prevent {% data variables.product.prodname_dependabot %} from accessing private registries. #### Creating `ignore` conditions from `@dependabot ignore` @@ -468,7 +468,7 @@ Dependencies ignored by using the `@dependabot ignore` command are stored centra You can check whether a repository has stored `ignore` preferences by searching the repository for `"@dependabot ignore" in:comments`, or by using the `@dependabot show DEPENDENCY_NAME ignore conditions` comment command. If you wish to unblock updates for a dependency ignored this way, re-open the pull request. This clears the `ignore` conditions that were set when the pull request was closed and resumes those {% data variables.product.prodname_dependabot %} updates for the dependency. To update the dependency to a newer version, merge the pull request. {% ifversion dependabot-version-updates-groups %}In pull requests for grouped {% ifversion dependabot-grouped-security-updates-config %}{% else %}version {% endif %}updates, you can also use the `@dependabot unignore` commands to clear `ignore` settings for dependencies.{% endif %} -For more information about the `@dependabot ignore` commands, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates#managing-dependabot-pull-requests-with-comment-commands)." +For more information about the `@dependabot ignore` commands, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates#managing-dependabot-pull-requests-with-comment-commands). #### Specifying dependencies and versions to ignore @@ -513,7 +513,7 @@ updates: ``` > [!NOTE] -> {% data variables.product.prodname_dependabot %} can only run version updates on manifest or lock files if it can access all of the dependencies in the file, even if you add inaccessible dependencies to the `ignore` option of your configuration file. For more information, see "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#allowing-dependabot-to-access-private{% ifversion ghec or ghes %}-or-internal{% endif %}-dependencies)" and "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/troubleshooting-dependabot-errors#dependabot-cant-resolve-your-dependency-files)." +> {% data variables.product.prodname_dependabot %} can only run version updates on manifest or lock files if it can access all of the dependencies in the file, even if you add inaccessible dependencies to the `ignore` option of your configuration file. For more information, see [AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#allowing-dependabot-to-access-private{% ifversion ghec or ghes %}-or-internal{% endif %}-dependencies) and [AUTOTITLE](/code-security/dependabot/working-with-dependabot/troubleshooting-dependabot-errors#dependabot-cant-resolve-your-dependency-files). > [!NOTE] > For the `pub` ecosystem, {% data variables.product.prodname_dependabot %} won't perform an update when the version that it tries to update to is ignored, even if an earlier version is available. @@ -720,7 +720,7 @@ Available rebase strategies When `rebase-strategy` is set to `auto`, {% data variables.product.prodname_dependabot %} attempts to rebase pull requests in the following cases. * When you use {% data variables.product.prodname_dependabot_version_updates %}, for any open {% data variables.product.prodname_dependabot %} pull request when your schedule runs. * When you reopen a closed {% data variables.product.prodname_dependabot %} pull request. -* When you change the value of `target-branch` in the {% data variables.product.prodname_dependabot %} configuration file. For more information about this field, see "[`target-branch`](#target-branch)." +* When you change the value of `target-branch` in the {% data variables.product.prodname_dependabot %} configuration file. For more information about this field, see [`target-branch`](#target-branch). * When {% data variables.product.prodname_dependabot %} detects that a {% data variables.product.prodname_dependabot %} pull request is in conflict after a recent push to the target branch. When `rebase-strategy` is set to `disabled`, {% data variables.product.prodname_dependabot %} stops rebasing pull requests. @@ -749,7 +749,7 @@ To allow {% data variables.product.prodname_dependabot %} to access a private pa {% data reusables.dependabot.dependabot-updates-registries %} -For more information, see "[Configuration options for private registries](#configuration-options-for-private-registries)" below. +For more information, see [Configuration options for private registries](#configuration-options-for-private-registries) below. {% data reusables.dependabot.advanced-private-registry-config-link %} diff --git a/content/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates.md b/content/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates.md index 658b3f56545c..8887c350bb8e 100644 --- a/content/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates.md +++ b/content/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates.md @@ -25,15 +25,15 @@ shortTitle: Configure version updates ## About version updates for dependencies -You enable {% data variables.product.prodname_dependabot_version_updates %} by checking a `dependabot.yml` configuration file in to your repository's `.github` directory. {% data variables.product.prodname_dependabot %} then raises pull requests to keep the dependencies you configure up-to-date. For each package manager's dependencies that you want to update, you must specify the location of the package manifest files and how often to check for updates to the dependencies listed in those files. For information about enabling security updates, see "[AUTOTITLE](/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates)." +You enable {% data variables.product.prodname_dependabot_version_updates %} by checking a `dependabot.yml` configuration file in to your repository's `.github` directory. {% data variables.product.prodname_dependabot %} then raises pull requests to keep the dependencies you configure up-to-date. For each package manager's dependencies that you want to update, you must specify the location of the package manifest files and how often to check for updates to the dependencies listed in those files. For information about enabling security updates, see [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates). -{% data reusables.dependabot.initial-updates %} For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/customizing-dependency-updates)." +{% data reusables.dependabot.initial-updates %} For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/customizing-dependency-updates). {% data reusables.dependabot.version-updates-skip-scheduled-runs %} -By default only direct dependencies that are explicitly defined in a manifest are kept up to date by {% data variables.product.prodname_dependabot_version_updates %}. You can choose to receive updates for indirect dependencies defined in lock files. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#allow)." +By default only direct dependencies that are explicitly defined in a manifest are kept up to date by {% data variables.product.prodname_dependabot_version_updates %}. You can choose to receive updates for indirect dependencies defined in lock files. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#allow). -{% data reusables.dependabot.private-dependencies-note %} Additionally, {% data variables.product.prodname_dependabot %} doesn't support private {% data variables.product.prodname_dotcom %} dependencies for all package managers. For more information, see "[AUTOTITLE](/code-security/dependabot/ecosystems-supported-by-dependabot/supported-ecosystems-and-repositories)" and "[AUTOTITLE](/get-started/learning-about-github/github-language-support)." +{% data reusables.dependabot.private-dependencies-note %} Additionally, {% data variables.product.prodname_dependabot %} doesn't support private {% data variables.product.prodname_dotcom %} dependencies for all package managers. For more information, see [AUTOTITLE](/code-security/dependabot/ecosystems-supported-by-dependabot/supported-ecosystems-and-repositories) and [AUTOTITLE](/get-started/learning-about-github/github-language-support). ## Enabling {% data variables.product.prodname_dependabot_version_updates %} @@ -118,7 +118,7 @@ After you enable version updates, the **Dependabot** tab in the dependency graph ![Screenshot of the Dependency graph page. A tab, titled "{% data variables.product.prodname_dependabot %}", is highlighted with an orange outline.](/assets/images/help/dependabot/dependabot-tab-view.png) -For information, see "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/listing-dependencies-configured-for-version-updates)." +For information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/listing-dependencies-configured-for-version-updates). ## Disabling {% data variables.product.prodname_dependabot_version_updates %} @@ -165,4 +165,4 @@ updates: update-types: ["version-update:semver-patch"] ``` -For more information about checking for existing ignore preferences, see "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#ignore)." +For more information about checking for existing ignore preferences, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#ignore). diff --git a/content/code-security/dependabot/dependabot-version-updates/customizing-dependency-updates.md b/content/code-security/dependabot/dependabot-version-updates/customizing-dependency-updates.md index 1eb499d4f585..dbef8ac1f814 100644 --- a/content/code-security/dependabot/dependabot-version-updates/customizing-dependency-updates.md +++ b/content/code-security/dependabot/dependabot-version-updates/customizing-dependency-updates.md @@ -35,20 +35,20 @@ After you've enabled version updates, you can customize how {% data variables.pr * Change the maximum number of open pull requests for version updates from the default of 5: `open-pull-requests-limit` * Open pull requests for version updates to target a specific branch, instead of the default branch: `target-branch` -For more information about the configuration options, see "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file)." +For more information about the configuration options, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file). -When you update the `dependabot.yml` file in your repository, {% data variables.product.prodname_dependabot %} runs an immediate check with the new configuration. Within minutes you will see an updated list of dependencies on the **{% data variables.product.prodname_dependabot %}** tab, this may take longer if the repository has many dependencies. You may also see new pull requests for version updates. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/listing-dependencies-configured-for-version-updates)." +When you update the `dependabot.yml` file in your repository, {% data variables.product.prodname_dependabot %} runs an immediate check with the new configuration. Within minutes you will see an updated list of dependencies on the **{% data variables.product.prodname_dependabot %}** tab, this may take longer if the repository has many dependencies. You may also see new pull requests for version updates. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/listing-dependencies-configured-for-version-updates). ## Impact of configuration changes on security updates If you customize the `dependabot.yml` file, you may notice some changes to the pull requests raised for security updates. These pull requests are always triggered by a security advisory for a dependency, rather than by the {% data variables.product.prodname_dependabot %} schedule. However, they inherit relevant configuration settings from the `dependabot.yml` file unless you specify a different target branch for version updates. -For an example, see "[Setting custom labels](#setting-custom-labels)" below. +For an example, see [Setting custom labels](#setting-custom-labels) below. {% ifversion dependabot-grouped-security-updates-config %} > [!NOTE] -> If you use grouped security updates, the grouped pull requests will also inherit non-group configuration settings from the `dependabot.yml` file, and any group rules specified with `applies-to: security-updates` will apply. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates#about-grouped-security-updates)." +> If you use grouped security updates, the grouped pull requests will also inherit non-group configuration settings from the `dependabot.yml` file, and any group rules specified with `applies-to: security-updates` will apply. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates#about-grouped-security-updates). {% endif %} @@ -161,7 +161,7 @@ You must configure groups per package ecosystem. {% data reusables.dependabot.dependabot-version-updates-groups-yaml-example %} -For more information about configuring dependency groups in the `dependabot.yml` file, see "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#groups)." +For more information about configuring dependency groups in the `dependabot.yml` file, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#groups). {% endif %} @@ -169,8 +169,8 @@ For more information about configuring dependency groups in the `dependabot.yml` If you are not ready to adopt changes from dependencies in your project, you can configure {% data variables.product.prodname_dependabot %} to ignore those dependencies when it opens pull requests for version updates{% ifversion dependabot-grouped-security-updates-config %} and security updates{% endif %}. You can do this using one of the following methods. -* Configure the `ignore` option for the dependency in your `dependabot.yml` file. You can use this to ignore updates for specific dependencies, versions, and types of updates. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#ignore)." -* Use `@dependabot ignore` comment commands on a {% data variables.product.prodname_dependabot %} pull request for version updates{% ifversion dependabot-grouped-security-updates-config %} and security updates{% endif %}. You can use comment commands to ignore updates for specific dependencies and versions. For more information, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates#managing-dependabot-pull-requests-with-comment-commands)." +* Configure the `ignore` option for the dependency in your `dependabot.yml` file. You can use this to ignore updates for specific dependencies, versions, and types of updates. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#ignore). +* Use `@dependabot ignore` comment commands on a {% data variables.product.prodname_dependabot %} pull request for version updates{% ifversion dependabot-grouped-security-updates-config %} and security updates{% endif %}. You can use comment commands to ignore updates for specific dependencies and versions. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates#managing-dependabot-pull-requests-with-comment-commands). If you would like to un-ignore a dependency or ignore condition, you can delete the ignore conditions from the `dependabot.yml` file or reopen the pull request. @@ -187,8 +187,8 @@ If you would like to un-ignore a dependency or ignore condition, you can delete {% endif %} -For more information, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates#managing-dependabot-pull-requests-for-grouped-{% ifversion dependabot-grouped-security-updates-config %}{% else %}version-{% endif %}updates-with-comment-commands)."{% endif %} +For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates#managing-dependabot-pull-requests-for-grouped-{% ifversion dependabot-grouped-security-updates-config %}{% else %}version-{% endif %}updates-with-comment-commands).{% endif %} ## More examples -For more examples, see "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file)." +For more examples, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file). diff --git a/content/code-security/dependabot/dependabot-version-updates/listing-dependencies-configured-for-version-updates.md b/content/code-security/dependabot/dependabot-version-updates/listing-dependencies-configured-for-version-updates.md index ae388212157e..407b1e0107dd 100644 --- a/content/code-security/dependabot/dependabot-version-updates/listing-dependencies-configured-for-version-updates.md +++ b/content/code-security/dependabot/dependabot-version-updates/listing-dependencies-configured-for-version-updates.md @@ -23,7 +23,7 @@ shortTitle: List configured dependencies ## Viewing dependencies monitored by {% data variables.product.prodname_dependabot %} -After you've enabled version updates, you can confirm that your configuration is correct using the **{% data variables.product.prodname_dependabot %}** tab in the dependency graph for the repository. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates)." +After you've enabled version updates, you can confirm that your configuration is correct using the **{% data variables.product.prodname_dependabot %}** tab in the dependency graph for the repository. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates). {% data reusables.repositories.navigate-to-repo %} {% data reusables.repositories.accessing-repository-graphs %} @@ -45,7 +45,7 @@ To view the full logs files for a particular job, to the right of the log entry ![Screenshot of a Dependabot job log entry for the Gemfile package manager. A button, called "View logs", is highlighted in a dark orange outline.](/assets/images/help/dependabot/dependabot-job-logs.png) -For more information, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/viewing-dependabot-job-logs)." +For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/viewing-dependabot-job-logs). {% else %} diff --git a/content/code-security/dependabot/ecosystems-supported-by-dependabot/supported-ecosystems-and-repositories.md b/content/code-security/dependabot/ecosystems-supported-by-dependabot/supported-ecosystems-and-repositories.md index e28484af7434..9e43640d73f7 100644 --- a/content/code-security/dependabot/ecosystems-supported-by-dependabot/supported-ecosystems-and-repositories.md +++ b/content/code-security/dependabot/ecosystems-supported-by-dependabot/supported-ecosystems-and-repositories.md @@ -22,7 +22,7 @@ versions: {% data reusables.dependabot.dependabot-overview %} -For more information about {% data variables.product.prodname_dependabot %}, see "[AUTOTITLE](/code-security/getting-started/dependabot-quickstart-guide)." +For more information about {% data variables.product.prodname_dependabot %}, see [AUTOTITLE](/code-security/getting-started/dependabot-quickstart-guide). In this article, you can see what the supported ecosystems and repositories are. @@ -41,6 +41,6 @@ You can configure updates for repositories that contain a dependency manifest or > * {% data reusables.dependabot.private-dependencies-note %} > * {% data variables.product.prodname_dependabot %} doesn't support private {% data variables.product.prodname_dotcom %} dependencies for all package managers. See the details in the table below. -If your repository already uses an integration for dependency management, you will need to disable this before enabling {% data variables.product.prodname_dependabot %}. {% ifversion fpt or ghec %}For more information, see "[AUTOTITLE](/get-started/exploring-integrations/about-integrations)."{% endif %} +If your repository already uses an integration for dependency management, you will need to disable this before enabling {% data variables.product.prodname_dependabot %}. {% ifversion fpt or ghec %}For more information, see [AUTOTITLE](/get-started/exploring-integrations/about-integrations).{% endif %} {% data reusables.dependabot.supported-package-managers %} diff --git a/content/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners.md b/content/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners.md index 55f7d09fb645..25a6b2111d56 100644 --- a/content/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners.md +++ b/content/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners.md @@ -21,21 +21,21 @@ topics: {% data reusables.dependabot.dependabot-on-actions-future-note %} -Using {% data variables.product.prodname_actions %} runners allows you to more easily identify {% data variables.product.prodname_dependabot %} job errors and manually detect and troubleshoot failed runs. You can also integrate {% data variables.product.prodname_dependabot %} into your CI/CD pipelines by using {% data variables.product.prodname_actions %} APIs and webhooks to detect {% data variables.product.prodname_dependabot %} job status such as failed runs, and perform downstream processing. For more information, see "[AUTOTITLE](/rest/actions)" and "[AUTOTITLE](/webhooks/webhook-events-and-payloads)." +Using {% data variables.product.prodname_actions %} runners allows you to more easily identify {% data variables.product.prodname_dependabot %} job errors and manually detect and troubleshoot failed runs. You can also integrate {% data variables.product.prodname_dependabot %} into your CI/CD pipelines by using {% data variables.product.prodname_actions %} APIs and webhooks to detect {% data variables.product.prodname_dependabot %} job status such as failed runs, and perform downstream processing. For more information, see [AUTOTITLE](/rest/actions) and [AUTOTITLE](/webhooks/webhook-events-and-payloads). > [!NOTE] -> Running {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_dotcom %}-hosted and self-hosted runners **does not** count towards your included {% data variables.product.prodname_actions %} minutes. For more information, see "[AUTOTITLE](/billing/managing-billing-for-github-actions/about-billing-for-github-actions)." +> Running {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_dotcom %}-hosted and self-hosted runners **does not** count towards your included {% data variables.product.prodname_actions %} minutes. For more information, see [AUTOTITLE](/billing/managing-billing-for-github-actions/about-billing-for-github-actions). You can run {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} using: * {% data variables.product.prodname_dotcom %}-hosted runners -* {% data variables.actions.hosted_runners_caps %}. These runners are {% data variables.product.prodname_dotcom %}-hosted, with advanced features, such as more RAM, CPU, and disk space. For more information, see "[AUTOTITLE](/actions/using-github-hosted-runners/about-larger-runners)." +* {% data variables.actions.hosted_runners_caps %}. These runners are {% data variables.product.prodname_dotcom %}-hosted, with advanced features, such as more RAM, CPU, and disk space. For more information, see [AUTOTITLE](/actions/using-github-hosted-runners/about-larger-runners). * Self-hosted runners {% data reusables.dependabot.vnet-arc-note %} Enabling {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} may increase the number of concurrent jobs run in your account. If required, customers on enterprise plans can request a higher limit for concurrent jobs. For more information, contact us through the {% data variables.contact.contact_support_portal %}, or contact your sales representative. -If you are transitioning to using {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} runners and you restrict access to your organization's or repository's private resources, you may need to update your list of allowed IP addresses. For example, if you currently limit access to your private resources to the IP addresses that {% data variables.product.prodname_dependabot %} uses, you should update your allowlist to use the {% data variables.product.prodname_dotcom %}-hosted runners IP addresses sourced from the meta API endpoint. For more information, see "[AUTOTITLE](/rest/meta)." +If you are transitioning to using {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} runners and you restrict access to your organization's or repository's private resources, you may need to update your list of allowed IP addresses. For example, if you currently limit access to your private resources to the IP addresses that {% data variables.product.prodname_dependabot %} uses, you should update your allowlist to use the {% data variables.product.prodname_dotcom %}-hosted runners IP addresses sourced from the meta API endpoint. For more information, see [AUTOTITLE](/rest/meta). {% data reusables.dependabot.dependabot-on-actions-enterprise-policy-condition %} @@ -53,7 +53,7 @@ Future releases of {% data variables.product.product_name %} will remove the abi If you restrict access to your organization's or repository's private resources, you may need to update your list of allowed IP addresses prior to enabling {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} runners. You can update your IP allow list to use the {% data variables.product.prodname_dotcom %}-hosted runners IP addresses (instead of the {% data variables.product.prodname_dependabot %} IP addresses), sourced from the [meta](/rest/meta) REST API endpoint. ->[!WARNING] You should not rely on the {% data variables.product.prodname_actions %} IP addresses for authentication to private registries. These {% data variables.product.prodname_actions %} addresses are not only used by {% data variables.product.prodname_dotcom %}, and should not be trusted for authentication. Instead, use a self-hosted runner to ensure greater control over your network access. For more information, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/managing-dependabot-on-self-hosted-runners)." +>[!WARNING] You should not rely on the {% data variables.product.prodname_actions %} IP addresses for authentication to private registries. These {% data variables.product.prodname_actions %} addresses are not only used by {% data variables.product.prodname_dotcom %}, and should not be trusted for authentication. Instead, use a self-hosted runner to ensure greater control over your network access. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/managing-dependabot-on-self-hosted-runners). Note, disabling and re-enabling the "{% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} runners" settings will not trigger a new {% data variables.product.prodname_dependabot %} run. @@ -82,22 +82,22 @@ If a repository in your organization has {% data variables.product.prodname_depe 1. In the "Security" section of the sidebar, click **{% octicon "codescan" aria-hidden="true" %} Code security** then **Global settings**. 1. Under "Dependabot", select "{% data variables.product.prodname_dependabot %} on Actions runners" to enable the feature or deselect to disable it. -For more information, see "[AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization#enabling-dependency-updates-on-github-actions-runners)." +For more information, see [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization#enabling-dependency-updates-on-github-actions-runners). ## Enabling or disabling {% data variables.product.prodname_dependabot %} on {% data variables.actions.hosted_runners %} If you run into {% data variables.product.prodname_dependabot %} timeouts and out-of-memory errors, you may want to use {% data variables.actions.hosted_runners %}, as you can configure these runners to have more resources. -> [!NOTE] You can only enable {% data variables.actions.hosted_runners %} for {% data variables.product.prodname_dependabot %} _at the organization level_. {% data variables.product.prodname_dotcom %} will bill your organization at the regular Actions runner pricing. For more information, see "[AUTOTITLE](/billing/managing-billing-for-github-actions/about-billing-for-github-actions#per-minute-rates)." +> [!NOTE] You can only enable {% data variables.actions.hosted_runners %} for {% data variables.product.prodname_dependabot %} _at the organization level_. {% data variables.product.prodname_dotcom %} will bill your organization at the regular Actions runner pricing. For more information, see [AUTOTITLE](/billing/managing-billing-for-github-actions/about-billing-for-github-actions#per-minute-rates). -1. Add a {% data variables.actions.hosted_runner %} to your organization and ensure the name specified is `dependabot`. For more information, see "[AUTOTITLE](/actions/using-github-hosted-runners/about-larger-runners/managing-larger-runners#adding-a-larger-runner-to-an-organization)." -1. Opt in the organization to self-hosted runners. For more information, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/managing-dependabot-on-self-hosted-runners#enabling-or-disabling-for-your-organization)." This step is required, as it ensures that future {% data variables.product.prodname_dependabot %} jobs will run on the larger {% data variables.product.prodname_dotcom %}-hosted runner that has the `dependabot` name. +1. Add a {% data variables.actions.hosted_runner %} to your organization and ensure the name specified is `dependabot`. For more information, see [AUTOTITLE](/actions/using-github-hosted-runners/about-larger-runners/managing-larger-runners#adding-a-larger-runner-to-an-organization). +1. Opt in the organization to self-hosted runners. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/managing-dependabot-on-self-hosted-runners#enabling-or-disabling-for-your-organization). This step is required, as it ensures that future {% data variables.product.prodname_dependabot %} jobs will run on the larger {% data variables.product.prodname_dotcom %}-hosted runner that has the `dependabot` name. ## Managing {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} runners -When a {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} job is run, you can review the workflow run history directly from the Dependabot job logs. For more information, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/viewing-dependabot-job-logs)." +When a {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} job is run, you can review the workflow run history directly from the Dependabot job logs. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/viewing-dependabot-job-logs). -You can also navigate to a {% data variables.product.prodname_dependabot %} workflow run from the **Actions** tab in a repository. For more information, see "[AUTOTITLE](/actions/monitoring-and-troubleshooting-workflows/viewing-workflow-run-history)." +You can also navigate to a {% data variables.product.prodname_dependabot %} workflow run from the **Actions** tab in a repository. For more information, see [AUTOTITLE](/actions/monitoring-and-troubleshooting-workflows/viewing-workflow-run-history). To re-run a {% data variables.product.prodname_dependabot_version_updates %} or {% data variables.product.prodname_dependabot_security_updates %} job, use the appropriate procedure below. You cannot re-run a {% data variables.product.prodname_dependabot %} job on {% data variables.product.prodname_actions %} as you would for other {% data variables.product.prodname_actions %} workflows and jobs, that is, by using the **Actions** tab in a repository. You cannot view usage data for {% data variables.product.prodname_dependabot_updates %} workflows and jobs in your organization's {% data variables.product.prodname_actions %} usage metrics. @@ -120,4 +120,4 @@ To re-run a {% data variables.product.prodname_dependabot_version_updates %} or ## Further reading -* "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/troubleshooting-dependabot-on-github-actions)" +* [AUTOTITLE](/code-security/dependabot/working-with-dependabot/troubleshooting-dependabot-on-github-actions) diff --git a/content/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions.md b/content/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions.md index 0f6edaa16ca4..6940670b63aa 100644 --- a/content/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions.md +++ b/content/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions.md @@ -27,7 +27,7 @@ redirect_from: {% data variables.product.prodname_dependabot %} creates pull requests to keep your dependencies up to date, and you can use {% data variables.product.prodname_actions %} to perform automated tasks when these pull requests are created. For example, fetch additional artifacts, add labels, run tests, or otherwise modifying the pull request. {% ifversion dependabot-on-actions-opt-in %} ->[!NOTE] This article explains how to automate {% data variables.product.prodname_dependabot %}-related tasks using {% data variables.product.prodname_actions %}. For more information about running {% data variables.product.prodname_dependabot_updates %} on {% data variables.product.prodname_actions %}, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners)" instead. +>[!NOTE] This article explains how to automate {% data variables.product.prodname_dependabot %}-related tasks using {% data variables.product.prodname_actions %}. For more information about running {% data variables.product.prodname_dependabot_updates %} on {% data variables.product.prodname_actions %}, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners) instead. {% endif %} ## Responding to events @@ -43,7 +43,7 @@ For workflows initiated by {% data variables.product.prodname_dependabot %} (`gi These restrictions apply even if the workflow is re-run by a different actor. -For more information, see "[Keeping your GitHub Actions and workflows secure: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/)." +For more information, see [Keeping your GitHub Actions and workflows secure: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/). ### Changing `GITHUB_TOKEN` permissions @@ -68,15 +68,15 @@ jobs: {% endraw %} -For more information, see "[AUTOTITLE](/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token)." +For more information, see [AUTOTITLE](/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token). ### Accessing secrets -When a {% data variables.product.prodname_dependabot %} event triggers a workflow, the only secrets available to the workflow are {% data variables.product.prodname_dependabot %} secrets. {% data variables.product.prodname_actions %} secrets are not available. Consequently, you must store any secrets that are used by a workflow triggered by {% data variables.product.prodname_dependabot %} events as {% data variables.product.prodname_dependabot %} secrets. For more information, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#storing-credentials-for-dependabot-to-use)." +When a {% data variables.product.prodname_dependabot %} event triggers a workflow, the only secrets available to the workflow are {% data variables.product.prodname_dependabot %} secrets. {% data variables.product.prodname_actions %} secrets are not available. Consequently, you must store any secrets that are used by a workflow triggered by {% data variables.product.prodname_dependabot %} events as {% data variables.product.prodname_dependabot %} secrets. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#storing-credentials-for-dependabot-to-use). -{% data variables.product.prodname_dependabot %} secrets are added to the `secrets` context and referenced using exactly the same syntax as secrets for {% data variables.product.prodname_actions %}. For more information, see "[AUTOTITLE](/actions/security-guides/encrypted-secrets#using-encrypted-secrets-in-a-workflow)." +{% data variables.product.prodname_dependabot %} secrets are added to the `secrets` context and referenced using exactly the same syntax as secrets for {% data variables.product.prodname_actions %}. For more information, see [AUTOTITLE](/actions/security-guides/encrypted-secrets#using-encrypted-secrets-in-a-workflow). -If you have a workflow that will be triggered by {% data variables.product.prodname_dependabot %} and also by other actors, the simplest solution is to store the token with the permissions required in an action and in a {% data variables.product.prodname_dependabot %} secret with identical names. Then the workflow can include a single call to these secrets. If the secret for {% data variables.product.prodname_dependabot %} has a different name, use conditions to specify the correct secrets for different actors to use. For examples that use conditions, see "[Common automations](#common-dependabot-automations)" below. +If you have a workflow that will be triggered by {% data variables.product.prodname_dependabot %} and also by other actors, the simplest solution is to store the token with the permissions required in an action and in a {% data variables.product.prodname_dependabot %} secret with identical names. Then the workflow can include a single call to these secrets. If the secret for {% data variables.product.prodname_dependabot %} has a different name, use conditions to specify the correct secrets for different actors to use. For examples that use conditions, see [Common automations](#common-dependabot-automations) below. To access a private container registry on AWS with a user name and password, a workflow must include a secret for `username` and `password`. In the example below, when {% data variables.product.prodname_dependabot %} triggers the workflow, the {% data variables.product.prodname_dependabot %} secrets with the names `READONLY_AWS_ACCESS_KEY_ID` and `READONLY_AWS_ACCESS_KEY` are used. If another actor triggers the workflow, the actions secrets with those names are used. @@ -106,7 +106,7 @@ jobs: ### Manually re-running a workflow -When you manually re-run a Dependabot workflow, it will run with the same privileges as before even if the user who initiated the rerun has different privileges. For more information, see "[AUTOTITLE](/actions/managing-workflow-runs/re-running-workflows-and-jobs)." +When you manually re-run a Dependabot workflow, it will run with the same privileges as before even if the user who initiated the rerun has different privileges. For more information, see [AUTOTITLE](/actions/managing-workflow-runs/re-running-workflows-and-jobs). ## Common Dependabot automations @@ -219,12 +219,12 @@ jobs: ### Enable auto-merge on a pull request -If you want to allow maintainers to mark certain pull requests for auto-merge, you can use {% data variables.product.prodname_dotcom %}'s auto-merge functionality. This enables the pull request to be merged when any tests and approvals required by the branch protection rules are successfully met. For more information, see "[AUTOTITLE](/pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/automatically-merging-a-pull-request)" and "[AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule)." +If you want to allow maintainers to mark certain pull requests for auto-merge, you can use {% data variables.product.prodname_dotcom %}'s auto-merge functionality. This enables the pull request to be merged when any tests and approvals required by the branch protection rules are successfully met. For more information, see [AUTOTITLE](/pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/automatically-merging-a-pull-request) and [AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule). -{% ifversion repo-rules %}As an alternative to branch protection rules, you can create rulesets. For more information, see "[AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets)."{% endif %} +{% ifversion repo-rules %}As an alternative to branch protection rules, you can create rulesets. For more information, see [AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets).{% endif %} > [!NOTE] -> If you use status checks to test pull requests, you should enable **Require status checks to pass before merging** for the target branch for {% data variables.product.prodname_dependabot %} pull requests. This branch protection rule ensures that pull requests are not merged unless all the required status checks pass. For more information, see "[AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule)." +> If you use status checks to test pull requests, you should enable **Require status checks to pass before merging** for the target branch for {% data variables.product.prodname_dependabot %} pull requests. This branch protection rule ensures that pull requests are not merged unless all the required status checks pass. For more information, see [AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule). You can instead use {% data variables.product.prodname_actions %} and the {% data variables.product.prodname_cli %}. Here is an example that auto merges all patch updates to `my-dependency`: @@ -267,4 +267,4 @@ If your workflow run fails, check the following: * Your secrets are available in {% data variables.product.prodname_dependabot %} secrets rather than as {% data variables.product.prodname_actions %} secrets. * You have a `GITHUB_TOKEN` with the correct permissions. -For information on writing and debugging {% data variables.product.prodname_actions %}, see "[AUTOTITLE](/actions/learn-github-actions)." +For information on writing and debugging {% data variables.product.prodname_actions %}, see [AUTOTITLE](/actions/learn-github-actions). diff --git a/content/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot.md b/content/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot.md index 905e854079e8..7c58d1741a70 100644 --- a/content/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot.md +++ b/content/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot.md @@ -27,9 +27,9 @@ shortTitle: Configure access to private registries In most ecosystems, private dependencies are usually published to private package registries. These private registries are similar to their public equivalents, but they require authentication. -For specific ecosystems, you can configure {% data variables.product.prodname_dependabot %} to access _only_ private registries by removing calls to public registries. For more information, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/removing-dependabot-access-to-public-registries)." +For specific ecosystems, you can configure {% data variables.product.prodname_dependabot %} to access _only_ private registries by removing calls to public registries. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/removing-dependabot-access-to-public-registries). -{% ifversion dependabot-on-actions-self-hosted %}To allow {% data variables.product.prodname_dependabot %} access to registries hosted privately or restricted to internal networks, configure {% data variables.product.prodname_dependabot %} to run on {% data variables.product.prodname_actions %} self-hosted runners. For more information, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/managing-dependabot-on-self-hosted-runners)."{% endif %} +{% ifversion dependabot-on-actions-self-hosted %}To allow {% data variables.product.prodname_dependabot %} access to registries hosted privately or restricted to internal networks, configure {% data variables.product.prodname_dependabot %} to run on {% data variables.product.prodname_actions %} self-hosted runners. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/managing-dependabot-on-self-hosted-runners).{% endif %} ## Configuring private registries @@ -40,7 +40,7 @@ The top-level `registries` key is optional and specifies authentication details. {% data reusables.dependabot.dependabot-updates-registries-options %} -For more information about the configuration options that are available, how to use them, and about the supported types, see "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#configuration-options-for-private-registries)." +For more information about the configuration options that are available, how to use them, and about the supported types, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#configuration-options-for-private-registries). ## Storing credentials for Dependabot to use @@ -51,7 +51,7 @@ To give {% data variables.product.prodname_dependabot %} access to the private r {% data variables.product.prodname_dependabot %} secrets are encrypted credentials that you create at either the organization level or the repository level. When you add a secret at the organization level, you can specify which repositories can access the secret. You can use secrets to allow {% data variables.product.prodname_dependabot %} to update dependencies located in private package registries. When you add a secret, it's encrypted before it reaches {% data variables.product.prodname_dotcom %} and it remains encrypted until it's used by {% data variables.product.prodname_dependabot %} to access a private package registry. -{% data variables.product.prodname_dependabot %} secrets also include secrets that are used by {% data variables.product.prodname_actions %} workflows triggered by {% data variables.product.prodname_dependabot %} pull requests. {% data variables.product.prodname_dependabot %} itself may not use these secrets, but the workflows require them. For more information, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions#accessing-secrets)." +{% data variables.product.prodname_dependabot %} secrets also include secrets that are used by {% data variables.product.prodname_actions %} workflows triggered by {% data variables.product.prodname_dependabot %} pull requests. {% data variables.product.prodname_dependabot %} itself may not use these secrets, but the workflows require them. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions#accessing-secrets). After you add a {% data variables.product.prodname_dependabot %} secret, you can reference it in the `dependabot.yml` configuration file like this: {% raw %}`${{secrets.NAME}}`{% endraw %}, where "NAME" is the name you chose for the secret. For example: @@ -63,7 +63,7 @@ password: ${{secrets.MY_ARTIFACTORY_PASSWORD}} {% endraw %} -For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#configuration-options-for-private-registries)." +For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#configuration-options-for-private-registries). #### Naming your secrets @@ -115,6 +115,6 @@ When creating a secret in an organization, you can use a policy to limit which r You can add {% data variables.product.prodname_dependabot %}-related IP addresses to your registries IP allow list. -If your private registry is configured with an IP allow list, you can find the IP addresses {% data variables.product.prodname_dependabot %} uses to access the registry in the meta API endpoint, under the `dependabot` key. If you run {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} self-hosted runners, you should instead use the IP addresses under the `actions` key. For more information, see "[AUTOTITLE](/rest/meta/meta)" and "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners)." +If your private registry is configured with an IP allow list, you can find the IP addresses {% data variables.product.prodname_dependabot %} uses to access the registry in the meta API endpoint, under the `dependabot` key. If you run {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} self-hosted runners, you should instead use the IP addresses under the `actions` key. For more information, see [AUTOTITLE](/rest/meta/meta) and [AUTOTITLE](/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners). {% endif %} diff --git a/content/code-security/dependabot/working-with-dependabot/guidance-for-the-configuration-of-private-registries-for-dependabot.md b/content/code-security/dependabot/working-with-dependabot/guidance-for-the-configuration-of-private-registries-for-dependabot.md index 50a15135b959..4307c496ee0c 100644 --- a/content/code-security/dependabot/working-with-dependabot/guidance-for-the-configuration-of-private-registries-for-dependabot.md +++ b/content/code-security/dependabot/working-with-dependabot/guidance-for-the-configuration-of-private-registries-for-dependabot.md @@ -56,7 +56,7 @@ You'll also find recommendations for the setup of the following registry hosts: Supported by Artifactory, Artifacts, Cloudsmith, {% data variables.product.prodname_registry %} registry, Nexus, and ProGet. -You can authenticate with either a username and password, or a token. For more information, see `rubygems-server` in "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#rubygems-server)." +You can authenticate with either a username and password, or a token. For more information, see `rubygems-server` in [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#rubygems-server). Snippet of a `dependabot.yml` file using a username and password. @@ -95,7 +95,7 @@ registries: ### Cargo -Cargo supports username, password and token-based authentication. For more information, see `cargo-registry` in "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#cargo-registry)." +Cargo supports username, password and token-based authentication. For more information, see `cargo-registry` in [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#cargo-registry). The snippet below shows a `dependabot.yml` file configuration that uses a token. @@ -105,7 +105,7 @@ The snippet below shows a `dependabot.yml` file configuration that uses a token. ### Docker -Docker supports using a username and password for registries. For more information, see `docker-registry` in "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#docker-registry)." +Docker supports using a username and password for registries. For more information, see `docker-registry` in [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#docker-registry). Snippet of `dependabot.yml` file using a username and password. @@ -147,14 +147,14 @@ registries: * Image names may not always be detected in Containerfiles, Helm files, or yaml files. * Dockerfiles may only receive a version update to the first `FROM` directive. -* Dockerfiles do not receive updates to images specified with the `ARG` directive. There is a workaround available for the `COPY` directive. For more information, see "[{% data variables.product.prodname_dependabot %} ignores image references in COPY Dockerfile statement](https://github.com/dependabot/dependabot-core/issues/5103#issuecomment-1692420920)" in the `dependabot/dependabot-core` repository. -* {% data variables.product.prodname_dependabot %} doesn't support multi-stage Docker builds. For more information, see "[Support for Docker multi-stage builds](https://github.com/dependabot/dependabot-core/issues/7640)" in the `dependabot/dependabot-core` repository. +* Dockerfiles do not receive updates to images specified with the `ARG` directive. There is a workaround available for the `COPY` directive. For more information, see [{% data variables.product.prodname_dependabot %} ignores image references in COPY Dockerfile statement](https://github.com/dependabot/dependabot-core/issues/5103#issuecomment-1692420920) in the `dependabot/dependabot-core` repository. +* {% data variables.product.prodname_dependabot %} doesn't support multi-stage Docker builds. For more information, see [Support for Docker multi-stage builds](https://github.com/dependabot/dependabot-core/issues/7640) in the `dependabot/dependabot-core` repository. ### Gradle -{% data variables.product.prodname_dependabot %} doesn't run Gradle but supports updates to certain Gradle files. For more information, see "Gradle" in "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#gradle)." +{% data variables.product.prodname_dependabot %} doesn't run Gradle but supports updates to certain Gradle files. For more information, see "Gradle" in [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#gradle). -Gradle supports the `maven-repository` registry type. For more information, see `maven-repository` in "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#maven-repository)." +Gradle supports the `maven-repository` registry type. For more information, see `maven-repository` in [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#maven-repository). The `maven-repository` type supports username and password. {% data reusables.dependabot.password-definition %} @@ -184,7 +184,7 @@ updates: ### Maven -Maven supports username and password authentication. For more information, see `maven-repository` in "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#maven-repository)." +Maven supports username and password authentication. For more information, see `maven-repository` in [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#maven-repository). {% raw %} @@ -232,7 +232,7 @@ You can define the configuration in the `dependabot.yml` file using the `npm-reg #### Using the `npm-registry` type in the configuration file -You can define the private registry configuration in a `dependabot.yml` file using the `npm-registry` type. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#npm-registry)." +You can define the private registry configuration in a `dependabot.yml` file using the `npm-registry` type. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#npm-registry). The snippet of a `dependabot.yml` file below uses a token. {% data reusables.dependabot.token-is-github-pat %} @@ -313,7 +313,7 @@ If you use a monorepo, the `.npmrc` file should live in the project's root direc You can configure {% data variables.product.prodname_dependabot %} to send all registry requests through a specified base URL. In order for {% data variables.product.prodname_dependabot %} to access a public dependency, the registry must either have a cloned copy of the dependency with the requested version, or allow traffic to fetch from a public registry if the dependency is not available. -If there is no global registry defined in a `.npmrc` file, you can set `replaces-base` to `true` in the `dependabot.yml` file. For more information, see "`replaces-base`" in "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#configuration-options-for-private-registries)." +If there is no global registry defined in a `.npmrc` file, you can set `replaces-base` to `true` in the `dependabot.yml` file. For more information, see "`replaces-base`" in [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#configuration-options-for-private-registries). #### Notes @@ -327,7 +327,7 @@ Registries should be configured using the `https` protocol. Supported by Artifactory, Artifacts, Cloudsmith, {% data variables.product.prodname_registry %} registry, Nexus, and ProGet. -The `nuget-feed` type supports username and password, or token. For more information, see `nuget-feed` in "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#nuget-feed)." +The `nuget-feed` type supports username and password, or token. For more information, see `nuget-feed` in [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#nuget-feed). {% raw %} @@ -375,7 +375,7 @@ registries: ### pub -You can define the private registry configuration in a `dependabot.yml` file using the `pub-repository` type. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#pub-repository)." +You can define the private registry configuration in a `dependabot.yml` file using the `pub-repository` type. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#pub-repository). {% raw %} @@ -410,7 +410,7 @@ pub supports URL and token authentication. The URL used for the registry should Supported by Artifactory, Azure Artifacts, Cloudsmith, Nexus, and ProGet. The {% data variables.product.prodname_registry %} registry is not supported. -The `python-index` type supports username and password, or token. For more information, see `python-index` in "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#python-index)." +The `python-index` type supports username and password, or token. For more information, see `python-index` in [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#python-index). {% raw %} @@ -457,7 +457,7 @@ registries: ### Yarn -The Yarn registry uses a configuration similar to that of the npm registry. For more information, see "`npm-registry`" in "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#npm-registry)." +The Yarn registry uses a configuration similar to that of the npm registry. For more information, see "`npm-registry`" in [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#npm-registry). {% raw %} @@ -481,7 +481,7 @@ You can either specify the private registry configuration in the `dependabot.yml ##### Defining the private registry configuration in the `dependabot.yml` file -You can define the private registry configuration in your `dependabot.yml` file. For more information, see "Configuration options for private registries" in "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file)." +You can define the private registry configuration in your `dependabot.yml` file. For more information, see "Configuration options for private registries" in [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file). To ensure that the private registry is listed as the dependency source in the project's `yarn.lock` file, you need to run `yarn install` on a machine with private registry access. Yarn should update the resolved field to include the private registry URL. @@ -518,7 +518,7 @@ As with Yarn Classic, you can either specify the private registry configuration ##### Defining the private registry configuration in the `dependabot.yml` file -You can define the private registry configuration in your `dependabot.yml` file. For more information, see "Configuration options for private registries" in "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file)." +You can define the private registry configuration in your `dependabot.yml` file. For more information, see "Configuration options for private registries" in [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file). To ensure the private registry is listed as the dependency source in the project's `yarn.lock` file, run `yarn install` on a machine with private registry access. Yarn should update the resolved field to include the private registry URL. @@ -629,7 +629,7 @@ For information about Cloudsmith and instructions on how to configure {% data va ### {% data variables.product.prodname_registry %} registry -For information about {% data variables.product.prodname_registry %} registries, see "[AUTOTITLE](/packages/working-with-a-github-packages-registry)." From that article, you can access pages describing how to configure the following registries. +For information about {% data variables.product.prodname_registry %} registries, see [AUTOTITLE](/packages/working-with-a-github-packages-registry). From that article, you can access pages describing how to configure the following registries. * Bundler (rubygems) * Docker (containers) @@ -683,14 +683,14 @@ registries: If you are running Nexus behind a reverse proxy, you need to ensure that the server is accessible using an Auth token by using `curl -v -H 'Authorization: Bearer ' 'https:///repository//@%2'`. For more information, see [Run Behind a Reverse Proxy](https://help.sonatype.com/repomanager3/planning-your-implementation/run-behind-a-reverse-proxy) in the Sonatype documentation. If you are restricting which IPs can reach your Nexus host, you need to add the {% data variables.product.prodname_dependabot %} IPs to the allowlist. - * You can find the IP addresses {% data variables.product.prodname_dependabot %} uses to access the registry in the meta API endpoint, under the dependabot key. For more information, see "[AUTOTITLE](/rest/meta)." + * You can find the IP addresses {% data variables.product.prodname_dependabot %} uses to access the registry in the meta API endpoint, under the dependabot key. For more information, see [AUTOTITLE](/rest/meta). * These are the current IPs: * "18.213.123.130/32" * "3.217.79.163/32" * "3.217.93.44/32" For more information, see [Securing Nexus Repository Manager](https://help.sonatype.com/repomanager3/planning-your-implementation/securing-nexus-repository-manager) in the Sonatype documentation. - Registries can be proxied to reach out to a public registry in case a dependency is not available in the private registry. However, you may want {% data variables.product.prodname_dependabot %} to only access the private registry and not access the public registry at all. For more information, see "[Quick Start Guide - Proxying Maven and NPM](https://help.sonatype.com/repomanager3/planning-your-implementation/quick-start-guide---proxying-maven-and-npm)" in the Sonatype documentation, and "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/removing-dependabot-access-to-public-registries)." + Registries can be proxied to reach out to a public registry in case a dependency is not available in the private registry. However, you may want {% data variables.product.prodname_dependabot %} to only access the private registry and not access the public registry at all. For more information, see [Quick Start Guide - Proxying Maven and NPM](https://help.sonatype.com/repomanager3/planning-your-implementation/quick-start-guide---proxying-maven-and-npm) in the Sonatype documentation, and [AUTOTITLE](/code-security/dependabot/working-with-dependabot/removing-dependabot-access-to-public-registries). ### ProGet diff --git a/content/code-security/dependabot/working-with-dependabot/keeping-your-actions-up-to-date-with-dependabot.md b/content/code-security/dependabot/working-with-dependabot/keeping-your-actions-up-to-date-with-dependabot.md index 3eca96596a46..ee2fcfd2610e 100644 --- a/content/code-security/dependabot/working-with-dependabot/keeping-your-actions-up-to-date-with-dependabot.md +++ b/content/code-security/dependabot/working-with-dependabot/keeping-your-actions-up-to-date-with-dependabot.md @@ -26,11 +26,11 @@ shortTitle: Auto-update actions Actions are often updated with bug fixes and new features to make automated processes more reliable, faster, and safer. When you enable {% data variables.product.prodname_dependabot_version_updates %} for {% data variables.product.prodname_actions %}, {% data variables.product.prodname_dependabot %} will help ensure that references to actions in a repository's _workflow.yml_ file and reusable workflows used inside workflows are kept up to date. -For each action in the file, {% data variables.product.prodname_dependabot %} checks the action's reference (typically a version number or commit identifier associated with the action) against the latest version. For information about how action creators version their actions, see "[Using release management for your custom actions](/actions/learn-github-actions/finding-and-customizing-actions#using-release-management-for-your-custom-actions)." +For each action in the file, {% data variables.product.prodname_dependabot %} checks the action's reference (typically a version number or commit identifier associated with the action) against the latest version. For information about how action creators version their actions, see [Using release management for your custom actions](/actions/learn-github-actions/finding-and-customizing-actions#using-release-management-for-your-custom-actions). -If a more recent version of the action is available, {% data variables.product.prodname_dependabot %} will send you a pull request that updates the reference in the workflow file to the latest version. For more information about {% data variables.product.prodname_dependabot_version_updates %}, see "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates)." For more information about configuring workflows for {% data variables.product.prodname_actions %}, see "[AUTOTITLE](/actions/learn-github-actions)." +If a more recent version of the action is available, {% data variables.product.prodname_dependabot %} will send you a pull request that updates the reference in the workflow file to the latest version. For more information about {% data variables.product.prodname_dependabot_version_updates %}, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates). For more information about configuring workflows for {% data variables.product.prodname_actions %}, see [AUTOTITLE](/actions/learn-github-actions). -{% data variables.product.prodname_dependabot %} also checks workflow files for uses of reusable workflows, and updates the git reference for these called reusable workflows. For more information about reusable workflows, see "[AUTOTITLE](/actions/using-workflows/reusing-workflows)." +{% data variables.product.prodname_dependabot %} also checks workflow files for uses of reusable workflows, and updates the git reference for these called reusable workflows. For more information about reusable workflows, see [AUTOTITLE](/actions/using-workflows/reusing-workflows). {% ifversion fpt or ghec %} @@ -43,13 +43,13 @@ If a more recent version of the action is available, {% data variables.product.p You can configure {% data variables.product.prodname_dependabot_version_updates %} to maintain your actions as well as the libraries and packages you depend on. -1. If you have already enabled {% data variables.product.prodname_dependabot_version_updates %} for other ecosystems or package managers, simply open the existing `dependabot.yml` file. Otherwise, create a `dependabot.yml` configuration file in the `.github` directory of your repository. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates#enabling-dependabot-version-updates)." +1. If you have already enabled {% data variables.product.prodname_dependabot_version_updates %} for other ecosystems or package managers, simply open the existing `dependabot.yml` file. Otherwise, create a `dependabot.yml` configuration file in the `.github` directory of your repository. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates#enabling-dependabot-version-updates). 1. Specify `"github-actions"` as a `package-ecosystem` to monitor. 1. Set the `directory` to `"/"` to check for workflow files in `.github/workflows`. 1. Set a `schedule.interval` to specify how often to check for new versions. {% data reusables.dependabot.check-in-dependabot-yml %} If you have edited an existing file, save your changes. -You can also enable {% data variables.product.prodname_dependabot_version_updates %} on forks. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates#enabling-version-updates-on-forks)." +You can also enable {% data variables.product.prodname_dependabot_version_updates %} on forks. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates#enabling-version-updates-on-forks). ### Example `dependabot.yml` file for {% data variables.product.prodname_actions %} @@ -70,8 +70,8 @@ updates: ## Configuring {% data variables.product.prodname_dependabot_version_updates %} for actions -When enabling {% data variables.product.prodname_dependabot_version_updates %} for actions, you must specify values for `package-ecosystem`, `directory`, and `schedule.interval`. There are many more optional properties that you can set to further customize your version updates. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file)." +When enabling {% data variables.product.prodname_dependabot_version_updates %} for actions, you must specify values for `package-ecosystem`, `directory`, and `schedule.interval`. There are many more optional properties that you can set to further customize your version updates. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file). ## Further reading -* "[AUTOTITLE](/actions/learn-github-actions)" +* [AUTOTITLE](/actions/learn-github-actions) diff --git a/content/code-security/dependabot/working-with-dependabot/managing-dependabot-on-self-hosted-runners.md b/content/code-security/dependabot/working-with-dependabot/managing-dependabot-on-self-hosted-runners.md index f6fd7b8d9b3e..148380121511 100644 --- a/content/code-security/dependabot/working-with-dependabot/managing-dependabot-on-self-hosted-runners.md +++ b/content/code-security/dependabot/working-with-dependabot/managing-dependabot-on-self-hosted-runners.md @@ -17,7 +17,7 @@ topics: ## About {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} self-hosted runners -{% data reusables.dependabot.dependabot-updates-and-actions %} For more information, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners)." +{% data reusables.dependabot.dependabot-updates-and-actions %} For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners). {% data reusables.dependabot.dependabot-on-actions-future-note %} @@ -29,13 +29,13 @@ To have greater control over {% data variables.product.prodname_dependabot %} ac For security reasons, when running {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} self-hosted runners, {% data variables.product.prodname_dependabot_updates %} will not be run on public repositories. -For more information about configuring {% data variables.product.prodname_dependabot %} access to private registries when using {% data variables.product.company_short %}-hosted runners, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/guidance-for-the-configuration-of-private-registries-for-dependabot)." For information about which ecosystems are supported as private registries, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/removing-dependabot-access-to-public-registries)." +For more information about configuring {% data variables.product.prodname_dependabot %} access to private registries when using {% data variables.product.company_short %}-hosted runners, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/guidance-for-the-configuration-of-private-registries-for-dependabot). For information about which ecosystems are supported as private registries, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/removing-dependabot-access-to-public-registries). ## Prerequisites -You must have {% data variables.product.prodname_dependabot %} installed and enabled, and {% data variables.product.prodname_actions %} enabled and in use. The "{% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} Runners" setting for your organization should also be enabled. For more information, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners)." +You must have {% data variables.product.prodname_dependabot %} installed and enabled, and {% data variables.product.prodname_actions %} enabled and in use. The "{% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} Runners" setting for your organization should also be enabled. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners). -Your organization may have configured a policy to restrict actions and self-hosted runners from running in specific repositories, which in turn will not allow {% data variables.product.prodname_dependabot %} to run on {% data variables.product.prodname_actions %} self-hosted runners. In this case, the organization or repository level setting to enable "{% data variables.product.prodname_dependabot %} on self-hosted runners" will not be visible in the web UI. For more information, see "[AUTOTITLE](/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization)." +Your organization may have configured a policy to restrict actions and self-hosted runners from running in specific repositories, which in turn will not allow {% data variables.product.prodname_dependabot %} to run on {% data variables.product.prodname_actions %} self-hosted runners. In this case, the organization or repository level setting to enable "{% data variables.product.prodname_dependabot %} on self-hosted runners" will not be visible in the web UI. For more information, see [AUTOTITLE](/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization). {% data reusables.dependabot.dependabot-on-actions-enterprise-policy-condition %} @@ -57,7 +57,7 @@ If {% data variables.product.prodname_dependabot %} needs to interact with regis ### Adding self-hosted runners for {% data variables.product.prodname_dependabot %} updates -1. Provision self-hosted runners, at the repository or organization level. For more information, see "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners)" and "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/adding-self-hosted-runners)." +1. Provision self-hosted runners, at the repository or organization level. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners) and [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/adding-self-hosted-runners). 1. Set up the self-hosted runners with the requirements described above. For example, on a VM running Ubuntu 20.04 you would: * Install Docker and ensure that the runner users have access to Docker. For more information, see the Docker documentation. @@ -67,9 +67,9 @@ If {% data variables.product.prodname_dependabot %} needs to interact with regis * Verify that the runners have access to the public internet and can only access the internal networks that {% data variables.product.prodname_dependabot %} needs. * Install any self-signed certificates for registries that {% data variables.product.prodname_dependabot %} will need to interact with. -1. Assign a `dependabot` label to each runner you want {% data variables.product.prodname_dependabot %} to use. For more information, see "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/using-labels-with-self-hosted-runners#assigning-a-label-to-a-self-hosted-runner)." +1. Assign a `dependabot` label to each runner you want {% data variables.product.prodname_dependabot %} to use. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/using-labels-with-self-hosted-runners#assigning-a-label-to-a-self-hosted-runner). -1. Optionally, enable workflows triggered by {% data variables.product.prodname_dependabot %} to use more than read-only permissions and to have access to any secrets that are normally available. For more information, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions#responding-to-events)." +1. Optionally, enable workflows triggered by {% data variables.product.prodname_dependabot %} to use more than read-only permissions and to have access to any secrets that are normally available. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions#responding-to-events). ## Enabling self-hosted runners for {% data variables.product.prodname_dependabot_updates %} @@ -90,11 +90,11 @@ You can manage {% data variables.product.prodname_dependabot %} on self-hosted r You can enable {% data variables.product.prodname_dependabot %} on self-hosted runners for all existing {% ifversion ghec %}private or internal{% else %}private{% endif %} repositories in an organization. Only repositories already configured to run {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} will be updated to run {% data variables.product.prodname_dependabot %} on self-hosted runners the next time a {% data variables.product.prodname_dependabot %} job is triggered. -> [!NOTE] You need to enable self-hosted runners for your organization if you use {% data variables.actions.hosted_runners %}. For more information, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners#enabling-or-disabling-dependabot-on-larger-runners)." +> [!NOTE] You need to enable self-hosted runners for your organization if you use {% data variables.actions.hosted_runners %}. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners#enabling-or-disabling-dependabot-on-larger-runners). {% data reusables.profile.access_org %} {% data reusables.profile.org_settings %} 1. In the "Security" section of the sidebar, click **{% octicon "codescan" aria-hidden="true" %} Code security** then **Global settings**. 1. Under "Dependabot", select "{% data variables.product.prodname_dependabot %} on self-hosted runners" to enable the feature or deselect to disable it. This action enables or disables the feature for all new repositories in the organization. -For more information, see "[AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization)." +For more information, see [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization). diff --git a/content/code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates.md b/content/code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates.md index 3661409dc86d..c13f079b85a3 100644 --- a/content/code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates.md +++ b/content/code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates.md @@ -28,12 +28,12 @@ shortTitle: Manage Dependabot PRs {% data reusables.dependabot.pull-request-introduction %} When {% data variables.product.prodname_dependabot %} raises a pull request, you're notified by your chosen method for the repository. Each pull request contains detailed information about the proposed change, taken from the package manager. These pull requests follow the normal checks and tests defined in your repository. -{% ifversion fpt or ghec %}In addition, where enough information is available, you'll see a compatibility score. This may also help you decide whether or not to merge the change. For information about this score, see "[AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates)."{% endif %} +{% ifversion fpt or ghec %}In addition, where enough information is available, you'll see a compatibility score. This may also help you decide whether or not to merge the change. For information about this score, see [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates).{% endif %} -If you have many dependencies to manage, you may want to customize the configuration for each package manager so that pull requests have specific reviewers, assignees, and labels. {% ifversion dependabot-version-updates-groups %} You may also want to group sets of dependencies together, so that multiple dependencies are updated in a single pull request.{% endif %} For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/customizing-dependency-updates){% ifversion dependabot-grouped-security-updates-config %}" and "[AUTOTITLE](/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates#grouping-dependabot-updates-into-a-single-pull-request)."{% else %}" and "[AUTOTITLE](/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates#grouping-dependabot-security-updates-into-a-single-pull-request)."{% endif %} +If you have many dependencies to manage, you may want to customize the configuration for each package manager so that pull requests have specific reviewers, assignees, and labels. {% ifversion dependabot-version-updates-groups %} You may also want to group sets of dependencies together, so that multiple dependencies are updated in a single pull request.{% endif %} For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/customizing-dependency-updates){% ifversion dependabot-grouped-security-updates-config %} and [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates#grouping-dependabot-updates-into-a-single-pull-request).{% else %} and [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates#grouping-dependabot-security-updates-into-a-single-pull-request).{% endif %} > [!NOTE] -> If you don't interact with {% data variables.product.prodname_dependabot %} pull requests for a repository during a 90-day time period, {% data variables.product.prodname_dependabot %} considers your repository as inactive, and will automatically pause {% data variables.product.prodname_dependabot_updates %}. For more information about inactivity criteria, see "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates#about-automatic-deactivation-of-dependabot-updates)" and "[AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates#about-automatic-deactivation-of-dependabot-updates)." +> If you don't interact with {% data variables.product.prodname_dependabot %} pull requests for a repository during a 90-day time period, {% data variables.product.prodname_dependabot %} considers your repository as inactive, and will automatically pause {% data variables.product.prodname_dependabot_updates %}. For more information about inactivity criteria, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates#about-automatic-deactivation-of-dependabot-updates) and [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates#about-automatic-deactivation-of-dependabot-updates). ## Viewing {% data variables.product.prodname_dependabot %} pull requests @@ -45,7 +45,7 @@ If you have many dependencies to manage, you may want to customize the configura ## Changing the rebase strategy for {% data variables.product.prodname_dependabot %} pull requests -By default, {% data variables.product.prodname_dependabot %} automatically rebases pull requests to resolve any conflicts. {% data reusables.dependabot.pull-requests-30-days-cutoff %} If you'd prefer to handle merge conflicts manually, you can disable this using the `rebase-strategy` option. For details, see "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#rebase-strategy)." +By default, {% data variables.product.prodname_dependabot %} automatically rebases pull requests to resolve any conflicts. {% data reusables.dependabot.pull-requests-30-days-cutoff %} If you'd prefer to handle merge conflicts manually, you can disable this using the `rebase-strategy` option. For details, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#rebase-strategy). ## Allowing {% data variables.product.prodname_dependabot %} to rebase and force push over extra commits @@ -74,7 +74,7 @@ You can use any of the following commands on a {% data variables.product.prodnam If you run any of the commands for ignoring dependencies or versions, {% data variables.product.prodname_dependabot %} stores the preferences for the repository centrally. While this is a quick solution, for repositories with more than one contributor it is better to explicitly define the dependencies and versions to ignore in the configuration file. This makes it easy for all contributors to see why a particular dependency isn't being updated automatically. -For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#ignore)." +For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#ignore). {% ifversion dependabot-grouped-security-updates-config %} diff --git a/content/code-security/dependabot/working-with-dependabot/removing-dependabot-access-to-public-registries.md b/content/code-security/dependabot/working-with-dependabot/removing-dependabot-access-to-public-registries.md index 78d41777e3bd..96daffbc9527 100644 --- a/content/code-security/dependabot/working-with-dependabot/removing-dependabot-access-to-public-registries.md +++ b/content/code-security/dependabot/working-with-dependabot/removing-dependabot-access-to-public-registries.md @@ -17,7 +17,7 @@ redirect_from: ## About configuring {% data variables.product.prodname_dependabot %} to only access private registries -{% data reusables.dependabot.private-registry-support %} For more information about private registry support and configuration, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot)." {% data reusables.dependabot.advanced-private-registry-config-link %} +{% data reusables.dependabot.private-registry-support %} For more information about private registry support and configuration, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot). {% data reusables.dependabot.advanced-private-registry-config-link %} {% data reusables.dependabot.dependabot-on-actions-self-hosted-link %} @@ -26,13 +26,13 @@ You can configure {% data variables.product.prodname_dependabot %} to access _on {% ifversion dependabot-ghes-no-public-internet %} > [!NOTE] -> Before you remove access to public registries from your configuration for {% data variables.product.prodname_dependabot_updates %}, check that your site administrator has set up the {% data variables.product.prodname_dependabot %} runners with access to the private registries you need. For more information, see "[AUTOTITLE](/admin/code-security/managing-supply-chain-security-for-your-enterprise/configuring-dependabot-to-work-with-limited-internet-access)." +> Before you remove access to public registries from your configuration for {% data variables.product.prodname_dependabot_updates %}, check that your site administrator has set up the {% data variables.product.prodname_dependabot %} runners with access to the private registries you need. For more information, see [AUTOTITLE](/admin/code-security/managing-supply-chain-security-for-your-enterprise/configuring-dependabot-to-work-with-limited-internet-access). {% endif %} ## Bundler -To configure the Bundler ecosystem to only access private registries, you can set `replaces-base` as `true` in the `dependabot.yml` file. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#rubygems-server)." +To configure the Bundler ecosystem to only access private registries, you can set `replaces-base` as `true` in the `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#rubygems-server). The Bundler ecosystem additionally requires a `Gemfile` file with the private registry URL to be checked into the repository. @@ -48,7 +48,7 @@ To configure the Docker ecosystem to only access private registries, you can use **Option 1** -Define the private registry configuration in a `dependabot.yml` file without `replaces-base`. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#docker-registry)." +Define the private registry configuration in a `dependabot.yml` file without `replaces-base`. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#docker-registry). > [!NOTE] > Remove `replaces-base: true` from the configuration file. @@ -71,13 +71,13 @@ In the `Dockerfile` file, add the image name in the format of `IMAGE[:TAG]`, whe **Option 2** -Set `replaces-base` as `true` in the `dependabot.yml` file. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#docker-registry)." The registry configured with the `replaces-base` can be used as a mirror or a pull through cache. For further details, see [Registry as a pull through cache](https://docs.docker.com/registry/recipes/mirror/) in the Docker documentation. +Set `replaces-base` as `true` in the `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#docker-registry). The registry configured with the `replaces-base` can be used as a mirror or a pull through cache. For further details, see [Registry as a pull through cache](https://docs.docker.com/registry/recipes/mirror/) in the Docker documentation. ## Gradle To configure the Gradle ecosystem to only access private registries, you can use these configuration methods. -Define the private registry configuration in a `dependabot.yml` file. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#maven-repository)." +Define the private registry configuration in a `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#maven-repository). > [!NOTE] > Remove replaces-base: true from the configuration file. @@ -100,7 +100,7 @@ To configure the Maven ecosystem to only access private registries, you can use **Option 1** -Set `replaces-base` as `true` in the `dependabot.yml` file. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#maven-repository)." +Set `replaces-base` as `true` in the `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#maven-repository). **Option 2** @@ -127,7 +127,7 @@ To configure the npm ecosystem to only access private registries, you can use th **Option 1** -Define the private registry configuration in a `dependabot.yml` file. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#npm-registry)." +Define the private registry configuration in a `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#npm-registry). > [!NOTE] > Remove `replaces-base: true` from the configuration file. @@ -140,7 +140,7 @@ The npm ecosystem additionally requires a `.npmrc` file with the private registr **Option 2** -If there is no global registry defined in an `.npmrc` file, you can set `replaces-base` as `true` in the `dependabot.yml` file. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#npm-registry)." +If there is no global registry defined in an `.npmrc` file, you can set `replaces-base` as `true` in the `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#npm-registry). > [!NOTE] > For scoped dependencies (`@my-org/my-dep`), {% data variables.product.prodname_dependabot %} requires that the private registry is defined in the project's `.npmrc` file. To define private registries for individual scopes, use `@myscope:registry=https://private_registry_url`. @@ -155,7 +155,7 @@ To configure the Yarn Classic ecosystem to only access private registries, you c **Option 1** -Define the private registry configuration in a `dependabot.yml` file. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#npm-registry)." +Define the private registry configuration in a `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#npm-registry). > [!NOTE] > Delete `replaces-base: true` from the configuration file. @@ -183,7 +183,7 @@ If the `yarn.lock` file doesn't list the private registry as the dependency sour **Option 3** -If there is no global registry defined in a `.yarnrc` file, you can set `replaces-base` as `true` in the `dependabot.yml` file. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#npm-registry)." +If there is no global registry defined in a `.yarnrc` file, you can set `replaces-base` as `true` in the `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#npm-registry). > [!NOTE] > For scoped dependencies (`@my-org/my-dep`), {% data variables.product.prodname_dependabot %} requires that the private registry is defined in the project's `.npmrc` file. To define private registries for individual scopes, use `@myscope:registry=https://private_registry_url`. @@ -194,7 +194,7 @@ To configure the Yarn Berry ecosystem to only access private registries, you can **Option 1** -Define the private registry configuration in a `dependabot.yml` file. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#npm-registry)." +Define the private registry configuration in a `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#npm-registry). > [!NOTE] > Delete `replaces-base: true` from the configuration file. @@ -228,7 +228,7 @@ If the `yarn.lock` file doesn't list the private registry as the dependency sour ## NuGet -To allow the NuGet ecosystem to only access private registries, you can configure the `dependabot.yml` file. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#nuget-feed)." +To allow the NuGet ecosystem to only access private registries, you can configure the `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#nuget-feed). The NuGet ecosystem additionally requires a `nuget.config` file to be checked into the repository, with either a `< clear />` tag in `` section or a key `nuget.org` as true in the `disabledPackageSources` section of the `nuget.config` file. @@ -289,7 +289,7 @@ To configure the Pip ecosystem to only access private registries, you can use th **Option 1** -Define the private registry configuration in a `dependabot.yml` file. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#npm-registry)." +Define the private registry configuration in a `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#npm-registry). > [!NOTE] > Delete `replaces-base: true` from the configuration file. @@ -304,7 +304,7 @@ Add the private registry URL to the `[global]` section of the `pip.conf` file an **Option 2** -Set `replaces-base` as `true` in the `dependabot.yml` file. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#python-index)." +Set `replaces-base` as `true` in the `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#python-index). ### Pip-compile @@ -312,11 +312,11 @@ To configure the Pip-compile ecosystem to only access private registries, you ca **Option 1** -Set `replaces-base` as `true` in the `dependabot.yml` file. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#python-index)." +Set `replaces-base` as `true` in the `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#python-index). **Option 2** -Define the private registry configuration in a `dependabot.yml` file. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#npm-registry)." +Define the private registry configuration in a `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#npm-registry). > [!NOTE] > Delete `replaces-base: true` from the configuration file. @@ -329,7 +329,7 @@ Add the private registry URL to the `requirements.txt` file and check the file i ### Pipenv -To configure Pipenv to only access private registries, remove `replaces-base` from the `dependabot.yml` file. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#python-index)." +To configure Pipenv to only access private registries, remove `replaces-base` from the `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#python-index). > [!NOTE] > Delete `replaces-base: true` from the configuration file. @@ -345,7 +345,7 @@ name = "pypi" ### Poetry -To configure Poetry to only access private registries, set `replaces-base` as `true` in the `dependabot.yml` file. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#python-index)." +To configure Poetry to only access private registries, set `replaces-base` as `true` in the `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#python-index). Add the private registry url to the `[[tool.poetry.source]]` section of the `pyproject.toml` file and checked it in the repository. diff --git a/content/code-security/dependabot/working-with-dependabot/troubleshooting-dependabot-errors.md b/content/code-security/dependabot/working-with-dependabot/troubleshooting-dependabot-errors.md index 345185eb7d45..3a1b57660d4f 100644 --- a/content/code-security/dependabot/working-with-dependabot/troubleshooting-dependabot-errors.md +++ b/content/code-security/dependabot/working-with-dependabot/troubleshooting-dependabot-errors.md @@ -32,10 +32,10 @@ topics: If anything prevents {% data variables.product.prodname_dependabot %} from raising a pull request, this is reported as an error. > [!NOTE] -> {% data variables.product.prodname_dependabot %} doesn't create pull requests for inactive repositories. For information about inactivity criteria, see "[AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates#about-automatic-deactivation-of-dependabot-updates)" and "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates#about-automatic-deactivation-of-dependabot-updates)," for security and version updates, respectively. +> {% data variables.product.prodname_dependabot %} doesn't create pull requests for inactive repositories. For information about inactivity criteria, see [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates#about-automatic-deactivation-of-dependabot-updates) and [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates#about-automatic-deactivation-of-dependabot-updates), for security and version updates, respectively. {% ifversion dependabot-on-actions-opt-in %} -For more information about troubleshooting when running {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} runners, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners)." +For more information about troubleshooting when running {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} runners, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners). {% endif %} ## Investigating errors with {% data variables.product.prodname_dependabot_security_updates %} @@ -64,7 +64,7 @@ To view the full logs files for a particular job, to the right of the log entry ![Screenshot of the Dependabot job log entries for a manifest file. A button, called "View logs", is highlighted in a dark orange outline.](/assets/images/help/dependabot/dependabot-job-log-error-message.png) -For more information, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/viewing-dependabot-job-logs)." +For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/viewing-dependabot-job-logs). {% else %} @@ -86,7 +86,7 @@ Pull requests for security updates act to upgrade a vulnerable dependency to the Every application that has dependencies has a dependency graph, that is, a directed acyclic graph of every package version that the application directly or indirectly depends on. Every time a dependency is updated, this graph must resolve otherwise the application won't build. When an ecosystem has a deep and complex dependency graph, for example, npm and RubyGems, it is often impossible to upgrade a single dependency without upgrading the whole ecosystem. -The best way to avoid this problem is to stay up to date with the most recently released versions, for example, by enabling version updates. This increases the likelihood that a vulnerability in one dependency can be resolved by a simple upgrade that doesn't break the dependency graph. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates)." +The best way to avoid this problem is to stay up to date with the most recently released versions, for example, by enabling version updates. This increases the likelihood that a vulnerability in one dependency can be resolved by a simple upgrade that doesn't break the dependency graph. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates). ### {% data variables.product.prodname_dependabot %} tries to update dependencies without an alert @@ -114,13 +114,13 @@ If a security vulnerability is released for `B` versions `<2.0.0` and a patch is Either comment will trigger {% data variables.product.prodname_dependabot %} to check if the dependency is no longer upgradable or vulnerable. If {% data variables.product.prodname_dependabot %} detects that the pull request is no longer required, it will close the pull request in this particular case. -For more information about {% data variables.product.prodname_dependabot %} comment commands, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates#managing-dependabot-pull-requests-with-comment-commands)." +For more information about {% data variables.product.prodname_dependabot %} comment commands, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates#managing-dependabot-pull-requests-with-comment-commands). ### {% data variables.product.prodname_dependabot %} cannot update to the required version as there is already an open pull request for the latest version **Security updates only.** {% data variables.product.prodname_dependabot %} will not create a pull request to update the vulnerable dependency to a secure version because there is already an open pull request to update this dependency. You will see this error when a vulnerability is detected in a single dependency and there's already an open pull request to update the dependency to the latest version. -There are two options: you can review the open pull request and merge it as soon as you are confident that the change is safe, or close that pull request and trigger a new security update pull request. For more information, see "[Triggering a {% data variables.product.prodname_dependabot %} pull request manually](#triggering-a-dependabot-pull-request-manually)." +There are two options: you can review the open pull request and merge it as soon as you are confident that the change is safe, or close that pull request and trigger a new security update pull request. For more information, see [Triggering a {% data variables.product.prodname_dependabot %} pull request manually](#triggering-a-dependabot-pull-request-manually). ### No security update is needed as DEPENDENCY is no longer vulnerable @@ -128,7 +128,7 @@ There are two options: you can review the open pull request and merge it as soon To debug the problem, we recommend you first examine the dependency graph for your repository, review what version it has detected for the dependency, and check if the identified version matches what is being used in your repository. -If you suspect your dependency graph data is out of date, you may need to manually update the dependency graph for your repository or investigate your dependency information further. For more information, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/troubleshooting-the-dependency-graph)." +If you suspect your dependency graph data is out of date, you may need to manually update the dependency graph for your repository or investigate your dependency information further. For more information, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/troubleshooting-the-dependency-graph). If you are able to confirm the dependency version is no longer vulnerable, you can close the {% data variables.product.prodname_dependabot %} pull request. @@ -138,15 +138,15 @@ If you are able to confirm the dependency version is no longer vulnerable, you c This error is difficult to address. If a version update times out, you could specify the most important dependencies to update using the `allow` parameter or, alternatively, use the `ignore` parameter to exclude some dependencies from updates. Updating your configuration might allow {% data variables.product.prodname_dependabot %} to review the version update and generate the pull request in the time available. -If a security update times out, you can reduce the chances of this happening by keeping the dependencies updated, for example, by enabling version updates. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates)." +If a security update times out, you can reduce the chances of this happening by keeping the dependencies updated, for example, by enabling version updates. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates). ### {% data variables.product.prodname_dependabot %} cannot open any more pull requests There's a limit on the number of open pull requests {% data variables.product.prodname_dependabot %} will generate. When this limit is reached, no new pull requests are opened and this error is reported. The best way to resolve this error is to review and merge some of the open pull requests. -There are separate limits for security and version update pull requests, so that open version update pull requests cannot block the creation of a security update pull request. The limit for security update pull requests is 10. By default, the limit for version updates is 5 but you can change this using the `open-pull-requests-limit` parameter in the configuration file. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#open-pull-requests-limit)." +There are separate limits for security and version update pull requests, so that open version update pull requests cannot block the creation of a security update pull request. The limit for security update pull requests is 10. By default, the limit for version updates is 5 but you can change this using the `open-pull-requests-limit` parameter in the configuration file. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#open-pull-requests-limit). -The best way to resolve this error is to merge or close some of the existing pull requests and trigger a new pull request manually. For more information, see "[Triggering a {% data variables.product.prodname_dependabot %} pull request manually](#triggering-a-dependabot-pull-request-manually)." +The best way to resolve this error is to merge or close some of the existing pull requests and trigger a new pull request manually. For more information, see [Triggering a {% data variables.product.prodname_dependabot %} pull request manually](#triggering-a-dependabot-pull-request-manually). ### {% data variables.product.prodname_dependabot %} can't resolve or access your dependencies @@ -165,7 +165,7 @@ Similarly, if {% data variables.product.prodname_dependabot %} can't access a pr To allow {% data variables.product.prodname_dependabot %} to update the dependency references successfully, make sure that all of the referenced dependencies are hosted at accessible locations. -**Version updates only.** {% data reusables.dependabot.private-dependencies-note %} Additionally, {% data variables.product.prodname_dependabot %} doesn't support private {% data variables.product.prodname_dotcom %} dependencies for all package managers. For more information, see "[AUTOTITLE](/code-security/dependabot/ecosystems-supported-by-dependabot/supported-ecosystems-and-repositories)." +**Version updates only.** {% data reusables.dependabot.private-dependencies-note %} Additionally, {% data variables.product.prodname_dependabot %} doesn't support private {% data variables.product.prodname_dotcom %} dependencies for all package managers. For more information, see [AUTOTITLE](/code-security/dependabot/ecosystems-supported-by-dependabot/supported-ecosystems-and-repositories). {% ifversion dependabot-version-updates-groups %} @@ -175,7 +175,7 @@ To allow {% data variables.product.prodname_dependabot %} to update the dependen {% data reusables.dependabot.dependabot-grouped-updates-applies-to %}{% else %}{% data reusables.dependabot.dependabot-version-updates-groups-supported %}{% endif %} -When you configure grouped version updates, you must configure groups per package ecosystem. To debug the problem, we recommend you look at the logs. For information about accessing the logs for a manifest, see "[Investigating errors with {% data variables.product.prodname_dependabot_version_updates %}](#investigating-errors-with-dependabot-version-updates)" above. +When you configure grouped version updates, you must configure groups per package ecosystem. To debug the problem, we recommend you look at the logs. For information about accessing the logs for a manifest, see [Investigating errors with {% data variables.product.prodname_dependabot_version_updates %}](#investigating-errors-with-dependabot-version-updates) above. You may have unintentionally created empty groups. This happens, for example, when you set a `dependency-type` in the `allow` key for the overall job. @@ -197,7 +197,7 @@ In this example, {% data variables.product.prodname_dependabot %} will: You need to ensure that configuration settings don't cancel each other, and update them appropriately in your configuration file. -For more information on how to configure groups for {% data variables.product.prodname_dependabot_version_updates %}, see "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#groups)." +For more information on how to configure groups for {% data variables.product.prodname_dependabot_version_updates %}, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#groups). {% ifversion dependabot-grouped-security-updates-config %} @@ -214,7 +214,7 @@ For grouped security updates, {% data variables.product.prodname_dependabot %} u * {% data variables.product.prodname_dependabot %} **will not** group dependencies from different package ecosystems together. * {% data variables.product.prodname_dependabot %} **will not** group security updates with version updates. -For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/customizing-dependency-updates#impact-of-configuration-changes-on-security-updates)" and "[AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates#about-grouped-security-updates)." +For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/customizing-dependency-updates#impact-of-configuration-changes-on-security-updates) and [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates#about-grouped-security-updates). {% endif %} @@ -224,7 +224,7 @@ For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-vers #### Handling failures in grouped version updates{% endif %} -**Version updates only.** {% data variables.product.prodname_dependabot %} will show the failed update in your logs, as well as in the job summary at the end of your logs. You should use the `@dependabot recreate` comment on the pull request to build the group again. For more information, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates#managing-dependabot-pull-requests-with-comment-commands)." +**Version updates only.** {% data variables.product.prodname_dependabot %} will show the failed update in your logs, as well as in the job summary at the end of your logs. You should use the `@dependabot recreate` comment on the pull request to build the group again. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates#managing-dependabot-pull-requests-with-comment-commands). If the dependency still fails to update, you should use the `exclude-patterns` configuration so that the dependency is excluded from the group. {% data variables.product.prodname_dependabot %} will then raise a separate pull request to update the dependency. @@ -261,5 +261,5 @@ If you unblock {% data variables.product.prodname_dependabot %}, you can manuall ## Further reading -* "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/troubleshooting-the-dependency-graph)" -* "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/troubleshooting-the-detection-of-vulnerable-dependencies)" +* [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/troubleshooting-the-dependency-graph) +* [AUTOTITLE](/code-security/dependabot/working-with-dependabot/troubleshooting-the-detection-of-vulnerable-dependencies) diff --git a/content/code-security/dependabot/working-with-dependabot/troubleshooting-dependabot-on-github-actions.md b/content/code-security/dependabot/working-with-dependabot/troubleshooting-dependabot-on-github-actions.md index f0206fe28ef5..20f6ac748896 100644 --- a/content/code-security/dependabot/working-with-dependabot/troubleshooting-dependabot-on-github-actions.md +++ b/content/code-security/dependabot/working-with-dependabot/troubleshooting-dependabot-on-github-actions.md @@ -18,4 +18,4 @@ shortTitle: Troubleshoot Dependabot on Actions ## Troubleshooting failures when {% data variables.product.prodname_dependabot %} triggers existing workflows -{% data reusables.dependabot.dependabot-on-actions-troubleshooting-workflows %} For more information, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions#accessing-secrets)" and "[AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idpermissions)." +{% data reusables.dependabot.dependabot-on-actions-troubleshooting-workflows %} For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions#accessing-secrets) and [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idpermissions). diff --git a/content/code-security/dependabot/working-with-dependabot/troubleshooting-the-detection-of-vulnerable-dependencies.md b/content/code-security/dependabot/working-with-dependabot/troubleshooting-the-detection-of-vulnerable-dependencies.md index 9f9ebbe7a773..4d85ea83157e 100644 --- a/content/code-security/dependabot/working-with-dependabot/troubleshooting-the-detection-of-vulnerable-dependencies.md +++ b/content/code-security/dependabot/working-with-dependabot/troubleshooting-the-detection-of-vulnerable-dependencies.md @@ -30,11 +30,11 @@ topics: {% data variables.product.prodname_dotcom %} generates and displays dependency data differently than other tools. Consequently, if you've been using another tool to identify dependencies you will almost certainly see different results. Consider the following: * {% data variables.product.prodname_advisory_database %} is one of the data sources that {% data variables.product.prodname_dotcom %} uses to identify vulnerable dependencies and malware. It's a free, curated database of security advisories for common package ecosystems on {% data variables.product.prodname_dotcom %}. It includes both data reported directly to {% data variables.product.prodname_dotcom %} from {% data variables.product.prodname_security_advisories %}, as well as official feeds and community sources. This data is reviewed and curated by {% data variables.product.prodname_dotcom %} to ensure that false or unactionable information is not shared with the development community. {% data reusables.security-advisory.link-browsing-advisory-db %} -* The dependency graph parses all known package manifest files in a user’s repository. For example, for npm it will parse the _package-lock.json_ file. It constructs a graph of all of the repository’s dependencies and public dependents. This happens when you enable the dependency graph and when anyone pushes to the default branch, and it includes commits that makes changes to a supported manifest format. For more information, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph)" and "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/troubleshooting-the-dependency-graph)." -* {% data variables.product.prodname_dependabot %} scans any push, to the default branch, that contains a manifest file. When a new advisory is added, it scans all existing repositories and generates an alert for each repository that is affected. {% data variables.product.prodname_dependabot_alerts %} are aggregated at the repository level, rather than creating one alert per advisory. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts)." -* {% data variables.product.prodname_dependabot_security_updates %} are triggered when you receive an alert about a vulnerable dependency in your repository. Where possible, {% data variables.product.prodname_dependabot %} creates a pull request in your repository to upgrade the vulnerable dependency to the minimum possible secure version needed to avoid the vulnerability. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates)" and "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/troubleshooting-dependabot-errors)." +* The dependency graph parses all known package manifest files in a user’s repository. For example, for npm it will parse the _package-lock.json_ file. It constructs a graph of all of the repository’s dependencies and public dependents. This happens when you enable the dependency graph and when anyone pushes to the default branch, and it includes commits that makes changes to a supported manifest format. For more information, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph) and [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/troubleshooting-the-dependency-graph). +* {% data variables.product.prodname_dependabot %} scans any push, to the default branch, that contains a manifest file. When a new advisory is added, it scans all existing repositories and generates an alert for each repository that is affected. {% data variables.product.prodname_dependabot_alerts %} are aggregated at the repository level, rather than creating one alert per advisory. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts). +* {% data variables.product.prodname_dependabot_security_updates %} are triggered when you receive an alert about a vulnerable dependency in your repository. Where possible, {% data variables.product.prodname_dependabot %} creates a pull request in your repository to upgrade the vulnerable dependency to the minimum possible secure version needed to avoid the vulnerability. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates) and [AUTOTITLE](/code-security/dependabot/working-with-dependabot/troubleshooting-dependabot-errors). - {% data variables.product.prodname_dependabot %} doesn't scan repositories on a schedule, but rather when something changes. For example, a scan is triggered when a new dependency is added ({% data variables.product.prodname_dotcom %} checks for this on every push), or when a new advisory is added to the database{% ifversion ghes %} and synchronized to {% data variables.product.prodname_dotcom %}{% endif %}. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts#detection-of-insecure-dependencies)." + {% data variables.product.prodname_dependabot %} doesn't scan repositories on a schedule, but rather when something changes. For example, a scan is triggered when a new dependency is added ({% data variables.product.prodname_dotcom %} checks for this on every push), or when a new advisory is added to the database{% ifversion ghes %} and synchronized to {% data variables.product.prodname_dotcom %}{% endif %}. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts#detection-of-insecure-dependencies). ## Do {% data variables.product.prodname_dependabot_alerts %} only relate to insecure dependencies in manifests and lockfiles? @@ -46,7 +46,7 @@ topics: ## Why don't I get {% data variables.product.prodname_dependabot_alerts %} for some ecosystems? -{% data variables.product.prodname_dependabot_alerts %} are supported for a set of ecosystems where we can provide high-quality, actionable data. Curated advisories in the {% data variables.product.prodname_advisory_database %}, the dependency graph, {% ifversion fpt or ghec %}{% data variables.product.prodname_dependabot %} security updates, {% endif %}and {% data variables.product.prodname_dependabot_alerts %} are provided for several ecosystems, including Java’s Maven, JavaScript’s npm and Yarn, .NET’s NuGet, Python’s pip, Ruby's RubyGems, and PHP’s Composer. For an overview of the package ecosystems that we support for {% data variables.product.prodname_dependabot_alerts %}, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/dependency-graph-supported-package-ecosystems#supported-package-ecosystems)." +{% data variables.product.prodname_dependabot_alerts %} are supported for a set of ecosystems where we can provide high-quality, actionable data. Curated advisories in the {% data variables.product.prodname_advisory_database %}, the dependency graph, {% ifversion fpt or ghec %}{% data variables.product.prodname_dependabot %} security updates, {% endif %}and {% data variables.product.prodname_dependabot_alerts %} are provided for several ecosystems, including Java’s Maven, JavaScript’s npm and Yarn, .NET’s NuGet, Python’s pip, Ruby's RubyGems, and PHP’s Composer. For an overview of the package ecosystems that we support for {% data variables.product.prodname_dependabot_alerts %}, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/dependency-graph-supported-package-ecosystems#supported-package-ecosystems). It's worth noting that security advisories may exist for other ecosystems. The information in an unreviewed security advisory is provided by the maintainers of a particular repository. This data is not curated by {% data variables.product.prodname_dotcom %}. {% data reusables.security-advisory.link-browsing-advisory-db %} @@ -85,13 +85,13 @@ The {% data variables.product.prodname_dependabot_alerts %} count in {% data var ## Can Dependabot ignore specific dependencies? -You can configure {% data variables.product.prodname_dependabot %} to ignore specific dependencies in the configuration file, which will prevent security and version updates for those dependencies. If you only wish to use security updates, you will need to override the default behavior with a configuration file. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates#overriding-the-default-behavior-with-a-configuration-file)" to prevent version updates from being activated. For information about ignoring dependencies, see "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#ignore)." +You can configure {% data variables.product.prodname_dependabot %} to ignore specific dependencies in the configuration file, which will prevent security and version updates for those dependencies. If you only wish to use security updates, you will need to override the default behavior with a configuration file. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates#overriding-the-default-behavior-with-a-configuration-file) to prevent version updates from being activated. For information about ignoring dependencies, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#ignore). ## Further reading -* "[AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts)" -* "[AUTOTITLE](/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts)" -* "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository)" -* "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/troubleshooting-the-dependency-graph)" -* "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/troubleshooting-dependabot-errors)"{% ifversion dependabot-on-actions-opt-in %} -* "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners)"{% endif %} +* [AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts) +* [AUTOTITLE](/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts) +* [AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository) +* [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/troubleshooting-the-dependency-graph) +* [AUTOTITLE](/code-security/dependabot/working-with-dependabot/troubleshooting-dependabot-errors){% ifversion dependabot-on-actions-opt-in %} +* [AUTOTITLE](/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners){% endif %} diff --git a/content/code-security/getting-started/adding-a-security-policy-to-your-repository.md b/content/code-security/getting-started/adding-a-security-policy-to-your-repository.md index a88201555ba2..37500ae21949 100644 --- a/content/code-security/getting-started/adding-a-security-policy-to-your-repository.md +++ b/content/code-security/getting-started/adding-a-security-policy-to-your-repository.md @@ -22,13 +22,13 @@ shortTitle: Add a security policy To give people instructions for reporting security vulnerabilities in your project, you can add a `SECURITY.md` file to your repository's root, `docs`, or `.github` folder. Adding this file to this part(s) of your repository automatically creates a row with a description where people can review it. When someone creates an issue in your repository, they will see a link to your project's security policy. -You can create a default security policy for your organization or personal account. For more information, see "[AUTOTITLE](/communities/setting-up-your-project-for-healthy-contributions/creating-a-default-community-health-file)." +You can create a default security policy for your organization or personal account. For more information, see [AUTOTITLE](/communities/setting-up-your-project-for-healthy-contributions/creating-a-default-community-health-file). > [!TIP] -> To help people find your security policy, you can link to your `SECURITY.md` file from other places in your repository, such as your `README` file. For more information, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-readmes)." +> To help people find your security policy, you can link to your `SECURITY.md` file from other places in your repository, such as your `README` file. For more information, see [AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-readmes). {% ifversion fpt or ghec %} -After someone reports a security vulnerability in your project, you can use {% data variables.product.prodname_security_advisories %} to disclose, fix, and publish information about the vulnerability. For more information about the process of reporting and disclosing vulnerabilities in {% data variables.product.prodname_dotcom %}, see "[AUTOTITLE](/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/about-coordinated-disclosure-of-security-vulnerabilities#about-reporting-and-disclosing-vulnerabilities-in-projects-on-github)." For more information about repository security advisories, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/about-repository-security-advisories)." +After someone reports a security vulnerability in your project, you can use {% data variables.product.prodname_security_advisories %} to disclose, fix, and publish information about the vulnerability. For more information about the process of reporting and disclosing vulnerabilities in {% data variables.product.prodname_dotcom %}, see [AUTOTITLE](/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/about-coordinated-disclosure-of-security-vulnerabilities#about-reporting-and-disclosing-vulnerabilities-in-projects-on-github). For more information about repository security advisories, see [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/about-repository-security-advisories). {% data reusables.repositories.github-security-lab %} {% endif %} @@ -53,6 +53,6 @@ For an example of a real `SECURITY.md` file, see [https://github.com/electron/el ## Further reading -* "[AUTOTITLE](/code-security/getting-started/securing-your-repository)" -* "[AUTOTITLE](/communities/setting-up-your-project-for-healthy-contributions)"{% ifversion fpt or ghec %} +* [AUTOTITLE](/code-security/getting-started/securing-your-repository) +* [AUTOTITLE](/communities/setting-up-your-project-for-healthy-contributions){% ifversion fpt or ghec %} * [{% data variables.product.prodname_security %}]({% data variables.product.prodname_security_link %}){% endif %} diff --git a/content/code-security/getting-started/auditing-security-alerts.md b/content/code-security/getting-started/auditing-security-alerts.md index 4e1d5c73c597..2fe202bc8a4d 100644 --- a/content/code-security/getting-started/auditing-security-alerts.md +++ b/content/code-security/getting-started/auditing-security-alerts.md @@ -25,7 +25,7 @@ Security auditors can use these tools to ensure the appropriate actions are bein Each security alert has a historical timeline that shows when the alert was created or when a problem was detected. When the status of an alert changes this is recorded on the timeline, regardless of what caused the change, for example, {% data variables.product.prodname_dependabot %} closing a fixed alert and a developer reopening an alert. You can see the historical timeline for an alert on the alert page under the description of the problem. -Many of the events in the timeline also create an event in the audit log, which you can query using the audit log UI or the API. For more information, see "[Audit log](/code-security/getting-started/auditing-security-alerts#audit-log)." +Many of the events in the timeline also create an event in the audit log, which you can query using the audit log UI or the API. For more information, see [Audit log](/code-security/getting-started/auditing-security-alerts#audit-log). ## Security overview page @@ -33,7 +33,7 @@ Security overview consolidates information about security alerts and provides hi In security overview you can see repositories with open security alerts{% ifversion security-overview-org-risk-coverage %}, as well as which repositories have enabled specific security features{% endif %}. You can also use security overview to filter and sort security alerts using interactive views. -For more information, see "[AUTOTITLE](/code-security/security-overview/about-security-overview)." +For more information, see [AUTOTITLE](/code-security/security-overview/about-security-overview). ## Audit log @@ -43,13 +43,13 @@ You can access and search audit logs using the API or the audit log UI. The audi * {% data variables.product.prodname_dependabot %} events track when an alert is created, dismissed, or resolved. * {% data variables.product.prodname_code_scanning_caps %} does not create timeline events in an audit log. -For a list of audit log events, see "[AUTOTITLE](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise)" and "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/audit-log-events-for-your-organization)." +For a list of audit log events, see [AUTOTITLE](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise) and [AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/audit-log-events-for-your-organization). -For information on how to access the audit log for your enterprise or organization, see "[AUTOTITLE](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/accessing-the-audit-log-for-your-enterprise)" and "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization)." +For information on how to access the audit log for your enterprise or organization, see [AUTOTITLE](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/accessing-the-audit-log-for-your-enterprise) and [AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization). {% ifversion audit-log-streaming %} -You can also stream audit data from {% data variables.product.prodname_dotcom %} to an external data management system, which enables you to analyze and collect data for internal charts. Enterprise owners can configure audit log streaming. For more information, see "[Streaming the audit log for your enterprise](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise)." +You can also stream audit data from {% data variables.product.prodname_dotcom %} to an external data management system, which enables you to analyze and collect data for internal charts. Enterprise owners can configure audit log streaming. For more information, see [Streaming the audit log for your enterprise](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise). {% endif %} @@ -57,7 +57,7 @@ You can also stream audit data from {% data variables.product.prodname_dotcom %} You can set up `code_scanning_alert`, `dependabot_alert`, and `secret_scanning_alert` webhooks to receive payloads whenever there is a response to a security alert in an organization or repository. You can also define which responses to act on, for example, you might want to define a webhook that tracks {% data variables.product.prodname_secret_scanning %} alerts created when someone bypasses push protection using the alert property `"push_protection_bypassed": true`. -You can also integrate webhook payloads into other tools you use to monitor and inform security behaviors. For example, a webhook fires when a secret alert is either created, resolved, {% ifversion secret-scanning-validity-check-partner-patterns %}revoked, reopened, or when a secret's validity status changes{% else %}or reopened{% endif %}. You can then parse the webhook payload and integrate it into tools your team uses like Slack, Microsoft Teams, Splunk, or email. For more information, see "[About webhooks](/webhooks-and-events/webhooks/about-webhooks)" and "[Webhook events and payloads](/webhooks-and-events/webhooks/webhook-events-and-payloads)." +You can also integrate webhook payloads into other tools you use to monitor and inform security behaviors. For example, a webhook fires when a secret alert is either created, resolved, {% ifversion secret-scanning-validity-check-partner-patterns %}revoked, reopened, or when a secret's validity status changes{% else %}or reopened{% endif %}. You can then parse the webhook payload and integrate it into tools your team uses like Slack, Microsoft Teams, Splunk, or email. For more information, see [About webhooks](/webhooks-and-events/webhooks/about-webhooks) and [Webhook events and payloads](/webhooks-and-events/webhooks/webhook-events-and-payloads). ## API @@ -67,7 +67,7 @@ You can use the API to list and interact with security alerts, for example, gett You can list all {% data variables.product.prodname_dependabot %} alerts for a repository, organization, or enterprise, or use path parameters to list only alerts that meet a specific set of criteria. For example, you might only want to list {% data variables.product.prodname_dependabot %} alerts for Maven that were dismissed. Alternatively, you can get full details for an alert or update the alert. -For more information, see "[{% data variables.product.prodname_dependabot %} alerts](/rest/dependabot/alerts#about-dependabot-alerts)." +For more information, see [{% data variables.product.prodname_dependabot %} alerts](/rest/dependabot/alerts#about-dependabot-alerts). ### {% data variables.product.prodname_secret_scanning_caps %} alerts API @@ -75,13 +75,13 @@ You can list all {% data variables.product.prodname_secret_scanning %} alerts fo To see which {% data variables.product.prodname_secret_scanning %} alerts were the result of a push protection bypass, filter the results for `"push_protection_bypassed": true`. -For more information, see "[{% data variables.product.prodname_secret_scanning_caps %}](/rest/secret-scanning)." +For more information, see [{% data variables.product.prodname_secret_scanning_caps %}](/rest/secret-scanning). ### {% data variables.product.prodname_code_scanning_caps %} alerts API You can list all {% data variables.product.prodname_code_scanning %} alerts for a repository, organization, or enterprise, or use path parameters to list only alerts that meet a specific set of criteria. Alternatively, you can get full details for an alert or update the alert. -For more information, see "[{% data variables.product.prodname_code_scanning_caps %}](/rest/code-scanning)." +For more information, see [{% data variables.product.prodname_code_scanning_caps %}](/rest/code-scanning). ## Further reading diff --git a/content/code-security/getting-started/best-practices-for-preventing-data-leaks-in-your-organization.md b/content/code-security/getting-started/best-practices-for-preventing-data-leaks-in-your-organization.md index df3b238331be..c4b64f214c68 100644 --- a/content/code-security/getting-started/best-practices-for-preventing-data-leaks-in-your-organization.md +++ b/content/code-security/getting-started/best-practices-for-preventing-data-leaks-in-your-organization.md @@ -30,17 +30,17 @@ The best approach will depend on the type of organization you're managing. For e Protect your organization's repositories and settings by implementing security best practices, including enabling 2FA and requiring it for all members, and establishing strong password guidelines. -{% ifversion ghec %}- Enabling secure authentication processes by using SAML and SCIM integrations, as well as 2FA authentication whenever possible. For more information, see "[AUTOTITLE](/organizations/managing-saml-single-sign-on-for-your-organization/about-identity-and-access-management-with-saml-single-sign-on)," "[AUTOTITLE](/organizations/managing-saml-single-sign-on-for-your-organization/about-scim-for-organizations)," and "[AUTOTITLE](/authentication/securing-your-account-with-two-factor-authentication-2fa)." {% endif %} +{% ifversion ghec %}- Enabling secure authentication processes by using SAML and SCIM integrations, as well as 2FA authentication whenever possible. For more information, see [AUTOTITLE](/organizations/managing-saml-single-sign-on-for-your-organization/about-identity-and-access-management-with-saml-single-sign-on), [AUTOTITLE](/organizations/managing-saml-single-sign-on-for-your-organization/about-scim-for-organizations), and [AUTOTITLE](/authentication/securing-your-account-with-two-factor-authentication-2fa). {% endif %} -* Requiring organization members, outside collaborators, and billing managers to enable 2FA for their personal accounts, making it harder for malicious actors to access an organization's repositories and settings.{% ifversion ghec %} This is one step further from enabling secure authentication.{% endif %} For more information, see "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization)." +* Requiring organization members, outside collaborators, and billing managers to enable 2FA for their personal accounts, making it harder for malicious actors to access an organization's repositories and settings.{% ifversion ghec %} This is one step further from enabling secure authentication.{% endif %} For more information, see [AUTOTITLE](/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization). -* Encouraging your users to create strong passwords and secure them appropriately, by following {% data variables.product.prodname_dotcom %}’s recommended password guidelines. For more information, see "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure/creating-a-strong-password)."{% ifversion secret-scanning-push-protection-for-users %} +* Encouraging your users to create strong passwords and secure them appropriately, by following {% data variables.product.prodname_dotcom %}’s recommended password guidelines. For more information, see [AUTOTITLE](/authentication/keeping-your-account-and-data-secure/creating-a-strong-password).{% ifversion secret-scanning-push-protection-for-users %} -* Encouraging your users to keep push protection for users enabled in their personal account settings, so that no matter which public repository they push to, they are protected. For more information, see "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users)."{% endif %} +* Encouraging your users to keep push protection for users enabled in their personal account settings, so that no matter which public repository they push to, they are protected. For more information, see [AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users).{% endif %} -* Establishing an internal security policy in {% data variables.product.prodname_dotcom %}, so users know the appropriate steps to take and who to contact if an incident is suspected. For more information, see "[AUTOTITLE](/code-security/getting-started/adding-a-security-policy-to-your-repository)." +* Establishing an internal security policy in {% data variables.product.prodname_dotcom %}, so users know the appropriate steps to take and who to contact if an incident is suspected. For more information, see [AUTOTITLE](/code-security/getting-started/adding-a-security-policy-to-your-repository). -For more detailed information about securing accounts, see "[AUTOTITLE](/code-security/supply-chain-security/end-to-end-supply-chain/securing-accounts)." +For more detailed information about securing accounts, see [AUTOTITLE](/code-security/supply-chain-security/end-to-end-supply-chain/securing-accounts). ## Prevent data leaks @@ -48,18 +48,18 @@ As an organization owner, you should limit and review access as appropriate for Recommendation | More information ------------------ | ----------------- -Disable the ability to fork repositories. | "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/managing-the-forking-policy-for-your-repository)" -Disable changing repository visibility. | "[AUTOTITLE](/organizations/managing-organization-settings/restricting-repository-visibility-changes-in-your-organization)" -Restrict repository creation to private or internal. | "[AUTOTITLE](/organizations/managing-organization-settings/restricting-repository-creation-in-your-organization)" -Disable repository deletion and transfer. | "[AUTOTITLE](/organizations/managing-organization-settings/setting-permissions-for-deleting-or-transferring-repositories)" +Disable the ability to fork repositories. | [AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/managing-the-forking-policy-for-your-repository) +Disable changing repository visibility. | [AUTOTITLE](/organizations/managing-organization-settings/restricting-repository-visibility-changes-in-your-organization) +Restrict repository creation to private or internal. | [AUTOTITLE](/organizations/managing-organization-settings/restricting-repository-creation-in-your-organization) +Disable repository deletion and transfer. | [AUTOTITLE](/organizations/managing-organization-settings/setting-permissions-for-deleting-or-transferring-repositories) | {% ifversion deploy-keys-enterprise-org-policy %} | -Disable the ability to use deploy keys. | "[AUTOTITLE](/organizations/managing-organization-settings/restricting-deploy-keys-in-your-organization)" +Disable the ability to use deploy keys. | [AUTOTITLE](/organizations/managing-organization-settings/restricting-deploy-keys-in-your-organization) | {% endif %} | Scope {% data variables.product.pat_generic %}s to the minimum permissions necessary. | None Secure your code by converting public repositories to private whenever appropriate. You can alert the repository owners of this change automatically using a {% data variables.product.prodname_github_app %}. | [Prevent-Public-Repos](https://github.com/apps/prevent-public-repos) in {% data variables.product.prodname_marketplace %} -Confirm your organization’s identity by verifying your domain and restricting email notifications to only verified email domains. | "[AUTOTITLE](/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization){% ifversion ghec or ghes %}" and "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/restricting-email-notifications-for-your-organization){% endif %}"{% ifversion fpt or ghec %} -Ensure your organization has upgraded to the {% data variables.product.company_short %} Customer Agreement instead of using the Standard Terms of Service. | "[AUTOTITLE](/organizations/managing-organization-settings/upgrading-to-the-github-customer-agreement)"{% endif %} -Prevent contributors from making accidental commits. | "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure/removing-sensitive-data-from-a-repository#avoiding-accidental-commits-in-the-future)" +Confirm your organization’s identity by verifying your domain and restricting email notifications to only verified email domains. | [AUTOTITLE](/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization){% ifversion ghec or ghes %} and [AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/restricting-email-notifications-for-your-organization){% endif %}{% ifversion fpt or ghec %} +Ensure your organization has upgraded to the {% data variables.product.company_short %} Customer Agreement instead of using the Standard Terms of Service. | [AUTOTITLE](/organizations/managing-organization-settings/upgrading-to-the-github-customer-agreement){% endif %} +Prevent contributors from making accidental commits. | [AUTOTITLE](/authentication/keeping-your-account-and-data-secure/removing-sensitive-data-from-a-repository#avoiding-accidental-commits-in-the-future) ## Detect data leaks @@ -83,19 +83,19 @@ There are two forms of {% data variables.product.prodname_secret_scanning %} ava * Private and internal repositories when you have a license for {% data variables.product.prodname_GH_advanced_security %}{% endif %} {% endif %} -{% ifversion ghes %}Your site administrator must enable {% data variables.product.prodname_secret_scanning %} for your instance before you can use this feature. For more information, see "[AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/configuring-secret-scanning-for-your-appliance)."{% endif %} +{% ifversion ghes %}Your site administrator must enable {% data variables.product.prodname_secret_scanning %} for your instance before you can use this feature. For more information, see [AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/configuring-secret-scanning-for-your-appliance).{% endif %} -For more information about {% data variables.product.prodname_secret_scanning %}, see "[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning)." +For more information about {% data variables.product.prodname_secret_scanning %}, see [AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning). -{% data reusables.secret-scanning.push-protection-high-level %} For more information, see "[AUTOTITLE](/code-security/secret-scanning/protecting-pushes-with-secret-scanning)."{% ifversion ghec or ghes %} Finally, you can also extend the detection to include custom secret string structures. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning)."{% endif %} +{% data reusables.secret-scanning.push-protection-high-level %} For more information, see [AUTOTITLE](/code-security/secret-scanning/protecting-pushes-with-secret-scanning).{% ifversion ghec or ghes %} Finally, you can also extend the detection to include custom secret string structures. For more information, see [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning).{% endif %} ### Review the audit log for your organization -You can also proactively secure IP and maintain compliance for your organization by leveraging your organization's audit log, along with the GraphQL Audit Log API. For more information, see "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization)" and "[AUTOTITLE](/graphql/reference/interfaces#auditentry)." +You can also proactively secure IP and maintain compliance for your organization by leveraging your organization's audit log, along with the GraphQL Audit Log API. For more information, see [AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization) and [AUTOTITLE](/graphql/reference/interfaces#auditentry). ### Set up branch protection rules -To ensure that all code is properly reviewed prior to being merged into the default branch, you can enable branch protection. By setting branch protection rules, you can enforce certain workflows or requirements before a contributor can push changes. For more information, see "[AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches)." +To ensure that all code is properly reviewed prior to being merged into the default branch, you can enable branch protection. By setting branch protection rules, you can enforce certain workflows or requirements before a contributor can push changes. For more information, see [AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches). {% ifversion repo-rules %} @@ -105,7 +105,7 @@ To ensure that all code is properly reviewed prior to being merged into the defa ## Mitigate data leaks -If a user pushes sensitive data, ask them to remove it by using the `git filter-repo` tool. For more information, see "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure/removing-sensitive-data-from-a-repository)." Also, if the sensitive data has not been pushed yet, you can just undo those changes locally; for more information, see [{% data variables.product.prodname_blog %}](https://github.blog/2015-06-08-how-to-undo-almost-anything-with-git/) (but note that `git revert` is not a valid way to undo the addition of sensitive data as it leaves the original sensitive commit in Git history). +If a user pushes sensitive data, ask them to remove it by using the `git filter-repo` tool. For more information, see [AUTOTITLE](/authentication/keeping-your-account-and-data-secure/removing-sensitive-data-from-a-repository). Also, if the sensitive data has not been pushed yet, you can just undo those changes locally; for more information, see [{% data variables.product.prodname_blog %}](https://github.blog/2015-06-08-how-to-undo-almost-anything-with-git/) (but note that `git revert` is not a valid way to undo the addition of sensitive data as it leaves the original sensitive commit in Git history). If you're unable to coordinate directly with the repository owner to remove data that you're confident you own, you can fill out a DMCA takedown notice form and tell GitHub Support. Make sure to include the problematic commit hashes. For more information, see [DMCA takedown notice](https://support.github.com/contact/dmca-takedown). @@ -115,5 +115,5 @@ counter notice form and alert GitHub Support. For more information, see [DMCA co ## Next steps -* "[AUTOTITLE](/code-security/supply-chain-security/end-to-end-supply-chain/securing-code)" -* "[AUTOTITLE](/code-security/supply-chain-security/end-to-end-supply-chain/securing-builds)" \ No newline at end of file +* [AUTOTITLE](/code-security/supply-chain-security/end-to-end-supply-chain/securing-code) +* [AUTOTITLE](/code-security/supply-chain-security/end-to-end-supply-chain/securing-builds) diff --git a/content/code-security/getting-started/dependabot-quickstart-guide.md b/content/code-security/getting-started/dependabot-quickstart-guide.md index ddbea869e80b..8eb370496c22 100644 --- a/content/code-security/getting-started/dependabot-quickstart-guide.md +++ b/content/code-security/getting-started/dependabot-quickstart-guide.md @@ -25,7 +25,7 @@ This quickstart guide walks you through setting up and enabling {% data variable ## Prerequisites {% ifversion ghes %} -Before you can use the {% data variables.product.prodname_dependabot_alerts %} feature in {% data variables.product.product_name %}, you must ensure that your enterprise administrator enables {% data variables.product.prodname_dependabot %} for the instance. For more information, see "[AUTOTITLE](/admin/configuration/configuring-github-connect/enabling-dependabot-for-your-enterprise#enabling-dependabot-alerts)." +Before you can use the {% data variables.product.prodname_dependabot_alerts %} feature in {% data variables.product.product_name %}, you must ensure that your enterprise administrator enables {% data variables.product.prodname_dependabot %} for the instance. For more information, see [AUTOTITLE](/admin/configuration/configuring-github-connect/enabling-dependabot-for-your-enterprise#enabling-dependabot-alerts). {% endif %} For the purpose of this guide, we're going to use a demo repository to illustrate how {% data variables.product.prodname_dependabot %} finds vulnerabilities in dependencies, where you can see {% data variables.product.prodname_dependabot_alerts %} on {% data variables.product.prodname_dotcom %}, and how you can explore, fix, or dismiss these alerts. @@ -34,23 +34,23 @@ You need to start by forking the demo repository. 1. Navigate to [https://github.com/dependabot/demo](https://github.com/dependabot/demo). 1. At the top of the page, on the right, click **{% octicon "repo-forked" aria-hidden="true" %} Fork**. -1. Select an owner (you can select your {% data variables.product.prodname_dotcom %} personal account) and type a repository name. For more information about forking repositories, see "[AUTOTITLE](/pull-requests/collaborating-with-pull-requests/working-with-forks/fork-a-repo#forking-a-repository)." +1. Select an owner (you can select your {% data variables.product.prodname_dotcom %} personal account) and type a repository name. For more information about forking repositories, see [AUTOTITLE](/pull-requests/collaborating-with-pull-requests/working-with-forks/fork-a-repo#forking-a-repository). 1. Click **Create fork**. ## Enabling {% data variables.product.prodname_dependabot %} for your repository -You need to follow the steps below on the repository you forked in "[Prerequisites](#prerequisites)." +You need to follow the steps below on the repository you forked in [Prerequisites](#prerequisites). {% data reusables.repositories.navigate-to-repo %} {% data reusables.repositories.sidebar-settings %} {% data reusables.repositories.navigate-to-code-security-and-analysis %} 1. Under {% ifversion code-security-wording-only %}"Code security"{% else %}"Code security and analysis"{% endif %}, to the right of {% data variables.product.prodname_dependabot_alerts %}, click **Enable** for {% data variables.product.prodname_dependabot_alerts %}, {% data variables.product.prodname_dependabot_security_updates %}, and {% data variables.product.prodname_dependabot_version_updates %}. -1. Optionally, if you are interested in experimenting with {% data variables.product.prodname_dependabot_version_updates %}, click **.github/dependabot.yml**. This will create a default `dependabot.yml` configuration file in the `/.github` directory of your repository. To enable {% data variables.product.prodname_dependabot_version_updates %} for your repository, you typically configure this file to suit your needs by editing the default file, and committing your changes. You can refer to the snippet provided in "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates#example-dependabotyml-file)" for an example. +1. Optionally, if you are interested in experimenting with {% data variables.product.prodname_dependabot_version_updates %}, click **.github/dependabot.yml**. This will create a default `dependabot.yml` configuration file in the `/.github` directory of your repository. To enable {% data variables.product.prodname_dependabot_version_updates %} for your repository, you typically configure this file to suit your needs by editing the default file, and committing your changes. You can refer to the snippet provided in [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates#example-dependabotyml-file) for an example. > [!NOTE] > If the dependency graph is not already enabled for the repository, {% data variables.product.prodname_dotcom %} will enable it automatically when you enable {% data variables.product.prodname_dependabot %}. -For more information about configuring each of these {% data variables.product.prodname_dependabot %} features, see "[AUTOTITLE](/code-security/dependabot/dependabot-alerts/configuring-dependabot-alerts)," "[AUTOTITLE](/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates)," and "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates)." +For more information about configuring each of these {% data variables.product.prodname_dependabot %} features, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/configuring-dependabot-alerts), [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates), and [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates). ## Viewing {% data variables.product.prodname_dependabot_alerts %} for your repository @@ -63,7 +63,7 @@ If {% data variables.product.prodname_dependabot_alerts %} are enabled for a rep ![Screenshot showing the list of Dependabot alerts for the demo repository.](/assets/images/help/repository/dependabot-alerts-list-demo-repo.png) - You can filter {% data variables.product.prodname_dependabot_alerts %} in the list, using a variety of filters or labels. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts#prioritizing-dependabot-alerts)."{% ifversion dependabot-auto-triage-rules %} You can also use {% data variables.dependabot.auto_triage_rules %} to filter out false positive alerts or alerts you're not interested in. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-auto-triage-rules/about-dependabot-auto-triage-rules)."{% endif %} + You can filter {% data variables.product.prodname_dependabot_alerts %} in the list, using a variety of filters or labels. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts#prioritizing-dependabot-alerts).{% ifversion dependabot-auto-triage-rules %} You can also use {% data variables.dependabot.auto_triage_rules %} to filter out false positive alerts or alerts you're not interested in. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-auto-triage-rules/about-dependabot-auto-triage-rules).{% endif %} 1. Click the "Command Injection in lodash" alert on the `javascript/package-lock.json` file. The details page for the alert will show the following information (note that some information may not apply to all alerts): * Whether {% data variables.product.prodname_dependabot %} created a pull request that will fix the vulnerability. You can review the suggested security update by clicking **Review security update**. @@ -76,24 +76,24 @@ If {% data variables.product.prodname_dependabot_alerts %} are enabled for a rep 1. Optionally, you can also explore the information on the right-side of the page. Some of the information shown in the screenshot may not apply to every alert. * Severity - * CVSS metrics: We use CVSS levels to assign severity levels. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-the-github-advisory-database#about-cvss-levels)." + * CVSS metrics: We use CVSS levels to assign severity levels. For more information, see [AUTOTITLE](/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-the-github-advisory-database#about-cvss-levels). * Tags * Weaknesses: List of CWEs related to the vulnerability, if applicable * CVE ID: Unique CVE identifier for the vulnerability, if applicable - * GHSA ID: Unique identifier of the corresponding advisory on the {% data variables.product.prodname_advisory_database %}. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-the-github-advisory-database#about-ghsa-ids)." + * GHSA ID: Unique identifier of the corresponding advisory on the {% data variables.product.prodname_advisory_database %}. For more information, see [AUTOTITLE](/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-the-github-advisory-database#about-ghsa-ids). * Option to navigate to the advisory on the {% data variables.product.prodname_advisory_database %} * Option to see all of your repositories that are affected by this vulnerability * Option to suggest improvements for this advisory on the {% data variables.product.prodname_advisory_database %} ![Screenshot of the detailed page of an alert in the demo repository, showing the information displayed on the right-side of the page.](/assets/images/help/repository/more-alert-details-demo-repo.png) -For more information about viewing, prioritizing, and sorting {% data variables.product.prodname_dependabot_alerts %}, see "[AUTOTITLE](/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts)." +For more information about viewing, prioritizing, and sorting {% data variables.product.prodname_dependabot_alerts %}, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts). ## Fixing or dismissing a {% data variables.product.prodname_dependabot %} alert You can fix or dismiss {% data variables.product.prodname_dependabot_alerts %} on {% data variables.product.prodname_dotcom %}. Let's continue to use the forked repository as an example, and the "Command Injection in lodash" alert described in the previous section. -1. Navigate to the {% data variables.product.prodname_dependabot_alerts %} tab for the repository. For more information, see the "[Viewing {% data variables.product.prodname_dependabot_alerts %} for your repository](#viewing-dependabot-alerts-for-your-repository)" section above. +1. Navigate to the {% data variables.product.prodname_dependabot_alerts %} tab for the repository. For more information, see the [Viewing {% data variables.product.prodname_dependabot_alerts %} for your repository](#viewing-dependabot-alerts-for-your-repository) section above. 1. Click an alert. 1. Click the "Command Injection in lodash" alert on the `javascript/package-lock.json` file. 1. Review the alert. You can: @@ -114,7 +114,7 @@ You can fix or dismiss {% data variables.product.prodname_dependabot_alerts %} o * Optionally, add a dismissal comment. The dismissal comment will be added to the alert timeline and can be used as justification during auditing and reporting. * Click **Dismiss alert**. The alert won't appear anymore in the **Open** tab of the alert list, and you are able to view it in the **Closed** tab. -For more information about reviewing and updating {% data variables.product.prodname_dependabot_alerts %}, see "[AUTOTITLE](/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts#reviewing-and-fixing-alerts)." +For more information about reviewing and updating {% data variables.product.prodname_dependabot_alerts %}, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts#reviewing-and-fixing-alerts). ## Troubleshooting @@ -122,16 +122,16 @@ You may need to do some troubleshooting if: * {% data variables.product.prodname_dependabot %} is blocked from creating a pull request to fix an alert, or * The information reported by {% data variables.product.prodname_dependabot %} is not what you expect. -For more information, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/troubleshooting-dependabot-errors)" and "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/troubleshooting-the-detection-of-vulnerable-dependencies)," respectively. +For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/troubleshooting-dependabot-errors) and [AUTOTITLE](/code-security/dependabot/working-with-dependabot/troubleshooting-the-detection-of-vulnerable-dependencies), respectively. ## Next steps -For more information about configuring {% data variables.product.prodname_dependabot %} updates, see "[AUTOTITLE](/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates)" and "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates)." +For more information about configuring {% data variables.product.prodname_dependabot %} updates, see [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates) and [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates). -For more information about configuring {% data variables.product.prodname_dependabot %} for an organization, see "[AUTOTITLE](/code-security/dependabot/dependabot-alerts/configuring-dependabot-alerts#managing-dependabot-alerts-for-your-organization)." +For more information about configuring {% data variables.product.prodname_dependabot %} for an organization, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/configuring-dependabot-alerts#managing-dependabot-alerts-for-your-organization). -For more information about viewing pull requests opened by {% data variables.product.prodname_dependabot %}, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates#viewing-dependabot-pull-requests)." +For more information about viewing pull requests opened by {% data variables.product.prodname_dependabot %}, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates#viewing-dependabot-pull-requests). -For more information about the security advisories that contribute to {% data variables.product.prodname_dependabot_alerts %}, see "[AUTOTITLE](/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/browsing-security-advisories-in-the-github-advisory-database)." +For more information about the security advisories that contribute to {% data variables.product.prodname_dependabot_alerts %}, see [AUTOTITLE](/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/browsing-security-advisories-in-the-github-advisory-database). -For more information about configuring notifications about {% data variables.product.prodname_dependabot_alerts %}, see "[AUTOTITLE](/code-security/dependabot/dependabot-alerts/configuring-notifications-for-dependabot-alerts)." +For more information about configuring notifications about {% data variables.product.prodname_dependabot_alerts %}, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/configuring-notifications-for-dependabot-alerts). diff --git a/content/code-security/getting-started/github-security-features.md b/content/code-security/getting-started/github-security-features.md index f318e0faa2e4..9456fda5d896 100644 --- a/content/code-security/getting-started/github-security-features.md +++ b/content/code-security/getting-started/github-security-features.md @@ -23,12 +23,12 @@ The {% data variables.product.prodname_advisory_database %} contains a curated l ### Security policy -Make it easy for your users to confidentially report security vulnerabilities they've found in your repository. For more information, see "[AUTOTITLE](/code-security/getting-started/adding-a-security-policy-to-your-repository)." +Make it easy for your users to confidentially report security vulnerabilities they've found in your repository. For more information, see [AUTOTITLE](/code-security/getting-started/adding-a-security-policy-to-your-repository). ### {% data variables.product.prodname_dependabot_alerts %} and security updates -View alerts about dependencies that are known to contain security vulnerabilities, and choose whether to have pull requests generated automatically to update these dependencies. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts)" -and "[AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates)." +View alerts about dependencies that are known to contain security vulnerabilities, and choose whether to have pull requests generated automatically to update these dependencies. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts) +and [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates). {% ifversion dependabot-auto-triage-rules %} @@ -40,13 +40,13 @@ You can use default {% data variables.dependabot.auto_triage_rules %} curated by ### {% data variables.product.prodname_dependabot_version_updates %} -Use {% data variables.product.prodname_dependabot %} to automatically raise pull requests to keep your dependencies up-to-date. This helps reduce your exposure to older versions of dependencies. Using newer versions makes it easier to apply patches if security vulnerabilities are discovered, and also makes it easier for {% data variables.product.prodname_dependabot_security_updates %} to successfully raise pull requests to upgrade vulnerable dependencies. You can also customize {% data variables.product.prodname_dependabot_version_updates %} to streamline their integration into your repositories. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates)." +Use {% data variables.product.prodname_dependabot %} to automatically raise pull requests to keep your dependencies up-to-date. This helps reduce your exposure to older versions of dependencies. Using newer versions makes it easier to apply patches if security vulnerabilities are discovered, and also makes it easier for {% data variables.product.prodname_dependabot_security_updates %} to successfully raise pull requests to upgrade vulnerable dependencies. You can also customize {% data variables.product.prodname_dependabot_version_updates %} to streamline their integration into your repositories. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates). ### Dependency graph The dependency graph allows you to explore the ecosystems and packages that your repository depends on and the repositories and packages that depend on your repository. -You can find the dependency graph on the **Insights** tab for your repository. For more information, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph)." +You can find the dependency graph on the **Insights** tab for your repository. For more information, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph). {% data reusables.dependency-graph.sbom-export %} @@ -54,7 +54,7 @@ You can find the dependency graph on the **Insights** tab for your repository. F ### Security overview -Security overview allows you to review the overall security landscape of your organization, view trends and other insights, and manage security configurations, making it easy to monitor your organization's security status and identify the repositories and organizations at greatest risk. For more information, see "[AUTOTITLE](/code-security/security-overview/about-security-overview)." +Security overview allows you to review the overall security landscape of your organization, view trends and other insights, and manage security configurations, making it easy to monitor your organization's security status and identify the repositories and organizations at greatest risk. For more information, see [AUTOTITLE](/code-security/security-overview/about-security-overview). {% else %} @@ -71,25 +71,25 @@ Security overview shows which security features are enabled for the repository, ### Security advisories -Privately discuss and fix security vulnerabilities in your repository's code. You can then publish a security advisory to alert your community to the vulnerability and encourage community members to upgrade. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/about-repository-security-advisories)." +Privately discuss and fix security vulnerabilities in your repository's code. You can then publish a security advisory to alert your community to the vulnerability and encourage community members to upgrade. For more information, see [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/about-repository-security-advisories). {% endif %} ### {% data variables.secret-scanning.user_alerts_caps %} -Automatically detect tokens or credentials that have been checked into a {% ifversion ghec %}user-owned {% endif %}public repository. You can view alerts for any secrets that {% data variables.product.company_short %} finds in your code, in the **Security** tab of the repository, so that you know which tokens or credentials to treat as compromised. For more information, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts#about-user-alerts)." +Automatically detect tokens or credentials that have been checked into a {% ifversion ghec %}user-owned {% endif %}public repository. You can view alerts for any secrets that {% data variables.product.company_short %} finds in your code, in the **Security** tab of the repository, so that you know which tokens or credentials to treat as compromised. For more information, see [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts#about-user-alerts). {% ifversion secret-scanning-push-protection-for-users %} ### Push protection for users -Push protection for users automatically protects you from accidentally committing secrets to public repositories, regardless of whether the repository itself has {% data variables.product.prodname_secret_scanning %} enabled. Push protection for users is on by default, but you can disable the feature at any time through your personal account settings. For more information, see "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users)." +Push protection for users automatically protects you from accidentally committing secrets to public repositories, regardless of whether the repository itself has {% data variables.product.prodname_secret_scanning %} enabled. Push protection for users is on by default, but you can disable the feature at any time through your personal account settings. For more information, see [AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users). {% endif %} ### {% data variables.secret-scanning.partner_alerts_caps %} -Automatically detect leaked secrets across all public repositories, as well as public npm packages. {% data variables.product.company_short %} informs the relevant service provider that the secret may be compromised. For details of the supported secrets and service providers, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)." +Automatically detect leaked secrets across all public repositories, as well as public npm packages. {% data variables.product.company_short %} informs the relevant service provider that the secret may be compromised. For details of the supported secrets and service providers, see [AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets). {% endif %} @@ -108,7 +108,7 @@ Many {% data variables.product.prodname_GH_advanced_security %} features are ava {% ifversion copilot-chat-ghas-alerts %} -With a {% data variables.product.prodname_copilot_enterprise %} license, you can also ask {% data variables.product.prodname_copilot_chat %} for help to better understand security alerts in repositories in your organization from {% data variables.product.prodname_GH_advanced_security %} features ({% data variables.product.prodname_code_scanning %}, {% data variables.product.prodname_secret_scanning %}, and {% data variables.product.prodname_dependabot_alerts %}). For more information, see "[AUTOTITLE](/copilot/using-github-copilot/asking-github-copilot-questions-in-githubcom#asking-questions-about-alerts-from-github-advanced-security-features)." +With a {% data variables.product.prodname_copilot_enterprise %} license, you can also ask {% data variables.product.prodname_copilot_chat %} for help to better understand security alerts in repositories in your organization from {% data variables.product.prodname_GH_advanced_security %} features ({% data variables.product.prodname_code_scanning %}, {% data variables.product.prodname_secret_scanning %}, and {% data variables.product.prodname_dependabot_alerts %}). For more information, see [AUTOTITLE](/copilot/using-github-copilot/asking-github-copilot-questions-in-githubcom#asking-questions-about-alerts-from-github-advanced-security-features). {% endif %} @@ -116,7 +116,7 @@ With a {% data variables.product.prodname_copilot_enterprise %} license, you can ### {% data variables.product.prodname_code_scanning_caps %} -Automatically detect security vulnerabilities and coding errors in new or modified code. Potential problems are highlighted, with detailed information, allowing you to fix the code before it's merged into your default branch. For more information, see "[AUTOTITLE](/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning)." +Automatically detect security vulnerabilities and coding errors in new or modified code. Potential problems are highlighted, with detailed information, allowing you to fix the code before it's merged into your default branch. For more information, see [AUTOTITLE](/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning). ### {% data variables.secret-scanning.user_alerts_caps %} @@ -132,7 +132,7 @@ Automatically detect tokens or credentials that have been checked into a reposit ### Dependency review -Show the full impact of changes to dependencies and see details of any vulnerable versions before you merge a pull request. For more information, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review)." +Show the full impact of changes to dependencies and see details of any vulnerable versions before you merge a pull request. For more information, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review). {% ifversion security-overview-displayed-alerts %} @@ -142,10 +142,10 @@ Show the full impact of changes to dependencies and see details of any vulnerabl ### Security overview for organizations{% ifversion ghes %}, enterprises,{% endif %} and teams -Review the security configuration and alerts for your organization and identify the repositories at greatest risk. For more information, see "[AUTOTITLE](/code-security/security-overview/about-security-overview)." +Review the security configuration and alerts for your organization and identify the repositories at greatest risk. For more information, see [AUTOTITLE](/code-security/security-overview/about-security-overview). {% endif %} ## Further reading -* "[AUTOTITLE](/get-started/learning-about-github/githubs-plans)" -* "[AUTOTITLE](/get-started/learning-about-github/github-language-support)" +* [AUTOTITLE](/get-started/learning-about-github/githubs-plans) +* [AUTOTITLE](/get-started/learning-about-github/github-language-support) diff --git a/content/code-security/getting-started/quickstart-for-securing-your-organization.md b/content/code-security/getting-started/quickstart-for-securing-your-organization.md index 4b4a282698a2..50465394f0e9 100644 --- a/content/code-security/getting-started/quickstart-for-securing-your-organization.md +++ b/content/code-security/getting-started/quickstart-for-securing-your-organization.md @@ -17,38 +17,38 @@ shortTitle: Secure organization quickstart ## Introduction -As an organization owner or security manager, you can use {% data variables.product.company_short %}'s security features to keep your organization's code, dependencies, and secrets secure. For more information, see "[AUTOTITLE](/code-security/getting-started/github-security-features)." +As an organization owner or security manager, you can use {% data variables.product.company_short %}'s security features to keep your organization's code, dependencies, and secrets secure. For more information, see [AUTOTITLE](/code-security/getting-started/github-security-features). Your organization's security needs are unique. You may want to enable a feature if your organization has been impacted by a vulnerability that a certain feature would have prevented, or if the feature will help your organization meet a compliance requirement. You can enable security features across multiple repositories in an organization at the same time. For each feature you want to enable, you must decide how to roll out the feature across your organization's repositories. Different features have different effects on your organization and its contributors, so it's important to assess the impact each feature will have. For example: -* Some features can generate notifications to inform your organization's members about specific vulnerabilities: to ensure these notifications are targeted and relevant, you may want to ask members to check their notification settings before you enable a feature. For more information, see "[AUTOTITLE](/account-and-profile/managing-subscriptions-and-notifications-on-github/setting-up-notifications/configuring-notifications)." +* Some features can generate notifications to inform your organization's members about specific vulnerabilities: to ensure these notifications are targeted and relevant, you may want to ask members to check their notification settings before you enable a feature. For more information, see [AUTOTITLE](/account-and-profile/managing-subscriptions-and-notifications-on-github/setting-up-notifications/configuring-notifications). * Some features can consume resources for each repository in which they're enabled. For example, enabling {% data variables.product.prodname_code_scanning %} in a private repository may consume a {% data variables.product.prodname_GH_advanced_security %} license, and running {% data variables.product.prodname_code_scanning %} analysis in a repository will incur usage of {% data variables.product.prodname_actions %} or another CI system. -As an organization owner, you can give certain users permission to enable or disable security features by assigning the "security manager" role to a team. Security managers can configure security settings and monitor usage of security features across your organization. For more information, see "[AUTOTITLE](/organizations/managing-peoples-access-to-your-organization-with-roles/managing-security-managers-in-your-organization)." +As an organization owner, you can give certain users permission to enable or disable security features by assigning the "security manager" role to a team. Security managers can configure security settings and monitor usage of security features across your organization. For more information, see [AUTOTITLE](/organizations/managing-peoples-access-to-your-organization-with-roles/managing-security-managers-in-your-organization). ## About prerequisites of features Some security features have prerequisites. For example, {% data variables.product.prodname_dependabot_alerts %} use information from the dependency graph, so enabling {% data variables.product.prodname_dependabot_alerts %} automatically enables the dependency graph. -Some features are only available to enterprises that use {% data variables.product.prodname_GH_advanced_security %} and have enabled {% data variables.product.prodname_advanced_security %} as a feature for repositories. For more information, see "[AUTOTITLE](/get-started/learning-about-github/about-github-advanced-security#about-advanced-security-features)." +Some features are only available to enterprises that use {% data variables.product.prodname_GH_advanced_security %} and have enabled {% data variables.product.prodname_advanced_security %} as a feature for repositories. For more information, see [AUTOTITLE](/get-started/learning-about-github/about-github-advanced-security#about-advanced-security-features). >[!NOTE] -> Enterprises can set a policy to manage which organizations can enable {% data variables.product.prodname_GH_advanced_security %}. For more information, see "[AUTOTITLE](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-code-security-and-analysis-for-your-enterprise)." +> Enterprises can set a policy to manage which organizations can enable {% data variables.product.prodname_GH_advanced_security %}. For more information, see [AUTOTITLE](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-code-security-and-analysis-for-your-enterprise). -There are some features you must configure for each repository individually. For example, to enable {% data variables.product.prodname_dependabot_version_updates %} in a repository, you must add a `dependabot.yml` file specifying where to find information about the project's dependencies. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates)." +There are some features you must configure for each repository individually. For example, to enable {% data variables.product.prodname_dependabot_version_updates %} in a repository, you must add a `dependabot.yml` file specifying where to find information about the project's dependencies. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates). ## Enabling security features in your organization When you have decided to enable a security feature, the next step is to decide how to roll out that feature across your organization. -* If you want to roll out a feature as quickly as possible, you can enable it for all eligible repositories at once. For more information, see "[Enabling a feature for all repositories](#enabling-a-feature-for-all-repositories)." -* If you want control over how quickly you roll out a feature, and which features are enabled in which repositories, you can enable a feature for a selection of repositories. For more information, see "[Enabling a feature for a selection of repositories](#enabling-a-feature-for-a-selection-of-repositories)." +* If you want to roll out a feature as quickly as possible, you can enable it for all eligible repositories at once. For more information, see [Enabling a feature for all repositories](#enabling-a-feature-for-all-repositories). +* If you want control over how quickly you roll out a feature, and which features are enabled in which repositories, you can enable a feature for a selection of repositories. For more information, see [Enabling a feature for a selection of repositories](#enabling-a-feature-for-a-selection-of-repositories). -When you have decided how to enable a feature for your organization's existing repositories, you must also decide how to handle any new repositories that are created in your organization in the future. For more information, see "[Enabling a feature for new repositories](#enabling-a-feature-for-new-repositories)." +When you have decided how to enable a feature for your organization's existing repositories, you must also decide how to handle any new repositories that are created in your organization in the future. For more information, see [Enabling a feature for new repositories](#enabling-a-feature-for-new-repositories). -For more information about creating a strategy for rolling out security features across a large organization or enterprise, see "[AUTOTITLE](/code-security/adopting-github-advanced-security-at-scale/introduction-to-adopting-github-advanced-security-at-scale)." +For more information about creating a strategy for rolling out security features across a large organization or enterprise, see [AUTOTITLE](/code-security/adopting-github-advanced-security-at-scale/introduction-to-adopting-github-advanced-security-at-scale). ### Enabling a feature for all repositories @@ -69,7 +69,7 @@ When you're ready to proceed, follow these steps to enable a feature for all rep 1. Locate the feature that you want to enable and use any associated check boxes to fine-tune the options. 1. When you are ready to enable the feature for all repositories in your organization where the feature is supported, next to the name of the feature, click **Enable all**. -When you click **Enable all**, you'll be prompted to confirm your choice. You'll also be told if the feature depends on another feature, or requires {% data variables.product.prodname_GH_advanced_security %}. For more information, see "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-existing-repositories)." +When you click **Enable all**, you'll be prompted to confirm your choice. You'll also be told if the feature depends on another feature, or requires {% data variables.product.prodname_GH_advanced_security %}. For more information, see [AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-existing-repositories). ### Enabling a feature for a selection of repositories @@ -84,13 +84,13 @@ If you're not sure about the impact a feature will have, you may want to test th 1. In the sidebar, click **{% octicon "meter" aria-hidden="true" %} Coverage**. -On this view, you can use checkboxes to select specific repositories, or you can use the search bar to find the repositories where you want to enable a feature. For example, you can use filters to identify repositories where a certain team has write or admin access, or exclude repositories that don't require the same level of protection, such as test repositories or repositories for internal documentation. Then you can enable features for all selected repositories at once. For more information, see "[AUTOTITLE](/code-security/security-overview/enabling-security-features-for-multiple-repositories)." +On this view, you can use checkboxes to select specific repositories, or you can use the search bar to find the repositories where you want to enable a feature. For example, you can use filters to identify repositories where a certain team has write or admin access, or exclude repositories that don't require the same level of protection, such as test repositories or repositories for internal documentation. Then you can enable features for all selected repositories at once. For more information, see [AUTOTITLE](/code-security/security-overview/enabling-security-features-for-multiple-repositories). -{% else %}When you have identified the repositories that require a feature, you can enable the feature for each repository individually. As an organization owner or security manager, you can configure the security settings for each repository in your organization. For more information, see "[AUTOTITLE](/code-security/getting-started/quickstart-for-securing-your-repository)." +{% else %}When you have identified the repositories that require a feature, you can enable the feature for each repository individually. As an organization owner or security manager, you can configure the security settings for each repository in your organization. For more information, see [AUTOTITLE](/code-security/getting-started/quickstart-for-securing-your-repository). {% endif %} -If you have a limited number of licenses for {% data variables.product.prodname_GH_advanced_security %}, you may want to prioritize repositories that contain critical projects, or that have the highest commit frequencies. See "[AUTOTITLE](/billing/managing-billing-for-your-products/managing-billing-for-github-advanced-security/about-billing-for-github-advanced-security)." +If you have a limited number of licenses for {% data variables.product.prodname_GH_advanced_security %}, you may want to prioritize repositories that contain critical projects, or that have the highest commit frequencies. See [AUTOTITLE](/billing/managing-billing-for-your-products/managing-billing-for-github-advanced-security/about-billing-for-github-advanced-security). {% data reusables.security-overview.settings-limitations %} @@ -110,18 +110,18 @@ You can choose to enable a security feature automatically in all new repositorie When you have enabled a feature, you should communicate with repository administrators and contributors in your organization to assess the impact of the feature. You may need to adjust the configuration of some features at the repository level, or reassess the distribution of security features across your organization. You should also monitor the security alerts that a feature generates, and your members' responses to these alerts. -You can use security overview to see which teams and repositories are affected by security alerts, with a breakdown of alerts by severity. For more information, see "[AUTOTITLE](/code-security/security-overview/assessing-code-security-risk)." +You can use security overview to see which teams and repositories are affected by security alerts, with a breakdown of alerts by severity. For more information, see [AUTOTITLE](/code-security/security-overview/assessing-code-security-risk). {% ifversion security-overview-dashboard %} -Security overview also has a dashboard where you can explore high-level trends and metrics to gain insight into your organization's security landscape. For more information, see "[AUTOTITLE](/code-security/security-overview/viewing-security-insights)." +Security overview also has a dashboard where you can explore high-level trends and metrics to gain insight into your organization's security landscape. For more information, see [AUTOTITLE](/code-security/security-overview/viewing-security-insights). {% endif %} -You can use various tools to monitor the actions that your organization's members are taking in response to security alerts. For more information, see "[AUTOTITLE](/code-security/getting-started/auditing-security-alerts)". +You can use various tools to monitor the actions that your organization's members are taking in response to security alerts. For more information, see [AUTOTITLE](/code-security/getting-started/auditing-security-alerts). ## Next steps -To help users report security vulnerabilities, you can create a default security policy that will display in any of your organization's public repositories that do not have their own security policy. For more information, see "[AUTOTITLE](/communities/setting-up-your-project-for-healthy-contributions/creating-a-default-community-health-file)." +To help users report security vulnerabilities, you can create a default security policy that will display in any of your organization's public repositories that do not have their own security policy. For more information, see [AUTOTITLE](/communities/setting-up-your-project-for-healthy-contributions/creating-a-default-community-health-file). -Once your organization's security setup is in place, you may want to prevent users from changing the security settings in a repository. An enterprise owner can prevent repository administrators from enabling or disabling features in a repository. For more information, see "[AUTOTITLE](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-code-security-and-analysis-for-your-enterprise)." +Once your organization's security setup is in place, you may want to prevent users from changing the security settings in a repository. An enterprise owner can prevent repository administrators from enabling or disabling features in a repository. For more information, see [AUTOTITLE](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-code-security-and-analysis-for-your-enterprise). {% data reusables.security-overview.security-information-about-actions %} diff --git a/content/code-security/getting-started/quickstart-for-securing-your-repository.md b/content/code-security/getting-started/quickstart-for-securing-your-repository.md index d686f7098ba3..606ba9d7b202 100644 --- a/content/code-security/getting-started/quickstart-for-securing-your-repository.md +++ b/content/code-security/getting-started/quickstart-for-securing-your-repository.md @@ -23,18 +23,18 @@ shortTitle: Secure repository quickstart This guide shows you how to configure security features for a repository. You must be a repository administrator or organization owner to configure security settings for a repository. -Your security needs are unique to your repository, so you may not need to enable every feature for your repository. For more information, see "[AUTOTITLE](/code-security/getting-started/github-security-features)." +Your security needs are unique to your repository, so you may not need to enable every feature for your repository. For more information, see [AUTOTITLE](/code-security/getting-started/github-security-features). {% data reusables.advanced-security.security-feature-availability %} ## Managing access to your repository -The first step to securing a repository is to establish who can see and modify your code. For more information, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features)." +The first step to securing a repository is to establish who can see and modify your code. For more information, see [AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features). From the main page of your repository, click **{% octicon "gear" aria-hidden="true" %} Settings**, then scroll down to the "Danger Zone." -* To change who can view your repository, click **Change visibility**. For more information, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/setting-repository-visibility)." -* To change who can access your repository and adjust permissions, click **Manage access**. For more information, see"[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/managing-teams-and-people-with-access-to-your-repository)." +* To change who can view your repository, click **Change visibility**. For more information, see [AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/setting-repository-visibility). +* To change who can access your repository and adjust permissions, click **Manage access**. For more information, see[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/managing-teams-and-people-with-access-to-your-repository). ## Managing the dependency graph @@ -48,7 +48,7 @@ From the main page of your repository, click **{% octicon "gear" aria-hidden="tr {% data reusables.dependabot.dependabot-alerts-dependency-graph-enterprise %} -For more information, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/exploring-the-dependencies-of-a-repository#enabling-and-disabling-the-dependency-graph-for-a-private-repository)." +For more information, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/exploring-the-dependencies-of-a-repository#enabling-and-disabling-the-dependency-graph-for-a-private-repository). ## Managing {% data variables.product.prodname_dependabot_alerts %} @@ -74,11 +74,11 @@ For more information, see "[AUTOTITLE](/code-security/supply-chain-security/unde {% data reusables.dependabot.dependabot-alerts-dependency-graph-enterprise %} {% endif %} -For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts){% ifversion fpt or ghec %}" and "[AUTOTITLE](/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-personal-account-settings/managing-security-and-analysis-settings-for-your-personal-account){% endif %}." +For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts){% ifversion fpt or ghec %} and [AUTOTITLE](/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-personal-account-settings/managing-security-and-analysis-settings-for-your-personal-account){% endif %}. ## Managing dependency review -Dependency review lets you visualize dependency changes in pull requests before they are merged into your repositories. For more information, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review)." +Dependency review lets you visualize dependency changes in pull requests before they are merged into your repositories. For more information, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review). Dependency review is a {% data variables.product.prodname_GH_advanced_security %} feature. {% ifversion fpt or ghec %}Dependency review is already enabled for all public repositories. {% ifversion fpt %}Organizations that use {% data variables.product.prodname_ghe_cloud %} with {% data variables.product.prodname_advanced_security %} can additionally enable dependency review for private and internal repositories. For more information, see the [{% data variables.product.prodname_ghe_cloud %} documentation](/enterprise-cloud@latest/code-security/getting-started/quickstart-for-securing-your-repository#managing-dependency-review). {% endif %}{% endif %}{% ifversion ghec or ghes %}To enable dependency review for a {% ifversion ghec %}private or internal {% endif %}repository, ensure that the dependency graph is enabled and enable {% data variables.product.prodname_GH_advanced_security %}. @@ -97,20 +97,20 @@ For any repository that uses {% data variables.product.prodname_dependabot_alert 1. Click {% ifversion code-security-wording-only %}**Code security**{% else %}**Code security and analysis**{% endif %}. 1. Next to {% data variables.product.prodname_dependabot_security_updates %}, click **Enable**. -For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates)" and "[AUTOTITLE](/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates)." +For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates) and [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates). ## Managing {% data variables.product.prodname_dependabot_version_updates %} -You can enable {% data variables.product.prodname_dependabot %} to automatically raise pull requests to keep your dependencies up-to-date. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates)." +You can enable {% data variables.product.prodname_dependabot %} to automatically raise pull requests to keep your dependencies up-to-date. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates). {% ifversion dependabot-settings-update-37 %} 1. From the main page of your repository, click **{% octicon "gear" aria-hidden="true" %} Settings**. 1. Click {% ifversion code-security-wording-only %}**Code security**{% else %}**Code security and analysis**{% endif %}. 1. Next to {% data variables.product.prodname_dependabot_version_updates %}, click **Enable** to create a basic `dependabot.yml` configuration file. -1. Specify the dependencies to update and any associated configuration options, then commit the file to the repository. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates#enabling-dependabot-version-updates)." +1. Specify the dependencies to update and any associated configuration options, then commit the file to the repository. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates#enabling-dependabot-version-updates). {% else %} -To enable {% data variables.product.prodname_dependabot_version_updates %}, you must create a `dependabot.yml` configuration file. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates)." +To enable {% data variables.product.prodname_dependabot_version_updates %}, you must create a `dependabot.yml` configuration file. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates). {% endif %} ## Configuring {% data variables.product.prodname_code_scanning %} @@ -118,14 +118,14 @@ To enable {% data variables.product.prodname_dependabot_version_updates %}, you > [!NOTE] > {% data variables.product.prodname_code_scanning_caps %} is available {% ifversion fpt or ghec %}for all public repositories, and for private repositories owned by organizations that are part of an enterprise with a license for {% else %}for organization-owned repositories if your enterprise uses {% endif %}{% data variables.product.prodname_GH_advanced_security %}. -You can configure {% data variables.product.prodname_code_scanning %} to automatically identify vulnerabilities and errors in the code stored in your repository by using a {% data variables.code-scanning.codeql_workflow %} or third-party tool. Depending on the programming languages in your repository, you can configure {% data variables.product.prodname_code_scanning %} with {% data variables.product.prodname_codeql %} using default setup, in which {% data variables.product.prodname_dotcom %} automatically determines the languages to scan, query suites to run, and events that will trigger a new scan. For more information, see "[AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning)." +You can configure {% data variables.product.prodname_code_scanning %} to automatically identify vulnerabilities and errors in the code stored in your repository by using a {% data variables.code-scanning.codeql_workflow %} or third-party tool. Depending on the programming languages in your repository, you can configure {% data variables.product.prodname_code_scanning %} with {% data variables.product.prodname_codeql %} using default setup, in which {% data variables.product.prodname_dotcom %} automatically determines the languages to scan, query suites to run, and events that will trigger a new scan. For more information, see [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning). 1. From the main page of your repository, click **{% octicon "gear" aria-hidden="true" %} Settings**. 1. In the "Security" section of the sidebar, click **{% octicon "shield-lock" aria-hidden="true" %} {% ifversion code-security-wording-only %}Code security{% else %}Code security and analysis{% endif %}**. 1. In the "{% data variables.product.prodname_code_scanning_caps %}" section, select **Set up** {% octicon "triangle-down" aria-hidden="true" %}, then click **Default**. 1. In the pop-up window that appears, review the default configuration settings for your repository, then click **Enable {% data variables.product.prodname_codeql %}**. -Alternatively, you can use advanced setup, which generates a workflow file you can edit to customize your {% data variables.product.prodname_code_scanning %} with {% data variables.product.prodname_codeql %}. For more information, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning#configuring-advanced-setup-for-code-scanning-with-codeql)." +Alternatively, you can use advanced setup, which generates a workflow file you can edit to customize your {% data variables.product.prodname_code_scanning %} with {% data variables.product.prodname_codeql %}. For more information, see [AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning#configuring-advanced-setup-for-code-scanning-with-codeql). ## Configuring {% data variables.product.prodname_secret_scanning %} @@ -146,15 +146,15 @@ If you are a repository maintainer, it's good practice to specify a security pol 1. Click **Start setup**. 1. Add information about supported versions of your project and how to report vulnerabilities. -For more information, see "[AUTOTITLE](/code-security/getting-started/adding-a-security-policy-to-your-repository)." +For more information, see [AUTOTITLE](/code-security/getting-started/adding-a-security-policy-to-your-repository). ## Next steps -You can view and manage alerts from security features to address dependencies and vulnerabilities in your code. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts)," "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates)," "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/assessing-code-scanning-alerts-for-your-repository)," and "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning)". +You can view and manage alerts from security features to address dependencies and vulnerabilities in your code. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts), [AUTOTITLE](/code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates), [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/assessing-code-scanning-alerts-for-your-repository), and [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning). -You can also use {% data variables.product.prodname_dotcom %}'s tools to audit responses to security alerts. For more information, see "[AUTOTITLE](/code-security/getting-started/auditing-security-alerts)". +You can also use {% data variables.product.prodname_dotcom %}'s tools to audit responses to security alerts. For more information, see [AUTOTITLE](/code-security/getting-started/auditing-security-alerts). -{% ifversion fpt or ghec %}If you have a security vulnerability in a public repository, you can create a security advisory to privately discuss and fix the vulnerability. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/about-repository-security-advisories)" and "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/creating-a-repository-security-advisory)." +{% ifversion fpt or ghec %}If you have a security vulnerability in a public repository, you can create a security advisory to privately discuss and fix the vulnerability. For more information, see [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/about-repository-security-advisories) and [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/creating-a-repository-security-advisory). {% endif %} {% data reusables.security-overview.security-information-about-actions %} diff --git a/content/code-security/secret-scanning/copilot-secret-scanning/enabling-ai-powered-generic-secret-detection.md b/content/code-security/secret-scanning/copilot-secret-scanning/enabling-ai-powered-generic-secret-detection.md index d9c5ced32677..d532c10cbafc 100644 --- a/content/code-security/secret-scanning/copilot-secret-scanning/enabling-ai-powered-generic-secret-detection.md +++ b/content/code-security/secret-scanning/copilot-secret-scanning/enabling-ai-powered-generic-secret-detection.md @@ -40,7 +40,7 @@ You can then enable {% data variables.secret-scanning.generic-secret-detection % 1. In the "Security" section of the sidebar, click **{% octicon "codescan" aria-hidden="true" %} Code security** then **Global settings**. 1. Under "Secret scanning", select the checkbox next to "Scan for generic secrets". -For information on how to view alerts for generic secrets that have been detected using AI, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts)." +For information on how to view alerts for generic secrets that have been detected using AI, see [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts). ## Further reading diff --git a/content/code-security/secret-scanning/copilot-secret-scanning/generating-regular-expressions-for-custom-patterns-with-copilot-secret-scanning.md b/content/code-security/secret-scanning/copilot-secret-scanning/generating-regular-expressions-for-custom-patterns-with-copilot-secret-scanning.md index 878725023b6a..f69457393d07 100644 --- a/content/code-security/secret-scanning/copilot-secret-scanning/generating-regular-expressions-for-custom-patterns-with-copilot-secret-scanning.md +++ b/content/code-security/secret-scanning/copilot-secret-scanning/generating-regular-expressions-for-custom-patterns-with-copilot-secret-scanning.md @@ -50,4 +50,4 @@ redirect_from: ## Further reading -* "[AUTOTITLE](/code-security/secret-scanning/copilot-secret-scanning/responsible-ai-regex-generator)" +* [AUTOTITLE](/code-security/secret-scanning/copilot-secret-scanning/responsible-ai-regex-generator) diff --git a/content/code-security/secret-scanning/copilot-secret-scanning/responsible-ai-generic-secrets.md b/content/code-security/secret-scanning/copilot-secret-scanning/responsible-ai-generic-secrets.md index 75c91875cf04..8ec6763a1857 100644 --- a/content/code-security/secret-scanning/copilot-secret-scanning/responsible-ai-generic-secrets.md +++ b/content/code-security/secret-scanning/copilot-secret-scanning/responsible-ai-generic-secrets.md @@ -43,7 +43,7 @@ The system scans for passwords using the LLM. No additional data is collected by The LLM scans for strings that resemble passwords and verifies that the identified strings included in the response actually exist in the input. -These detected strings are surfaced as alerts on the {% data variables.product.prodname_secret_scanning %} alerts page, but they are displayed in an additional list that is separate from regular {% data variables.secret-scanning.alerts %}. The intent is that this separate list is triaged with more scrutiny to verify the validity of the findings. Each alert notes that it was detected using AI. {% ifversion secret-scanning-ai-generic-secret-detection %}For information on how to view alerts for generic secrets, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts)."{% endif %} +These detected strings are surfaced as alerts on the {% data variables.product.prodname_secret_scanning %} alerts page, but they are displayed in an additional list that is separate from regular {% data variables.secret-scanning.alerts %}. The intent is that this separate list is triaged with more scrutiny to verify the validity of the findings. Each alert notes that it was detected using AI. {% ifversion secret-scanning-ai-generic-secret-detection %}For information on how to view alerts for generic secrets, see [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts).{% endif %} ## Improving the performance of {% data variables.secret-scanning.generic-secret-detection %} diff --git a/content/code-security/secret-scanning/copilot-secret-scanning/responsible-ai-regex-generator.md b/content/code-security/secret-scanning/copilot-secret-scanning/responsible-ai-regex-generator.md index 1886f3514ecc..25b60db47ff1 100644 --- a/content/code-security/secret-scanning/copilot-secret-scanning/responsible-ai-regex-generator.md +++ b/content/code-security/secret-scanning/copilot-secret-scanning/responsible-ai-regex-generator.md @@ -43,11 +43,11 @@ The model returns up to three regular expressions for you to review. You can cli Some results may be quite similar, and some results may not find every instance of the secret that the pattern is intended to detect. It is also possible that the regular expression generator may produce results which are invalid or inappropriate. -When you click **Use result** on a regular expression, the expression and any examples inputted will be copied over to the main custom pattern form. There, you can perform a dry run of the pattern to see how it performs across your repository or organization.{% ifversion secret-scanning-custom-pattern-ai-generated %} For more information on how to define a custom pattern for your repository or organization, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning)." {% endif %} +When you click **Use result** on a regular expression, the expression and any examples inputted will be copied over to the main custom pattern form. There, you can perform a dry run of the pattern to see how it performs across your repository or organization.{% ifversion secret-scanning-custom-pattern-ai-generated %} For more information on how to define a custom pattern for your repository or organization, see [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning). {% endif %} ## Improving performance when generating regular expressions with AI -To enhance performance and address some of the limitations of {% data variables.secret-scanning.copilot-secret-scanning %}'s {% data variables.secret-scanning.custom-pattern-regular-expression-generator %}, there are various measures that you can adopt. For more information on the limitations of the {% data variables.secret-scanning.custom-pattern-regular-expression-generator %}, see "[Limitations of generating regular expressions with AI](#limitations-of-generating-regular-expressions-with-ai)." +To enhance performance and address some of the limitations of {% data variables.secret-scanning.copilot-secret-scanning %}'s {% data variables.secret-scanning.custom-pattern-regular-expression-generator %}, there are various measures that you can adopt. For more information on the limitations of the {% data variables.secret-scanning.custom-pattern-regular-expression-generator %}, see [Limitations of generating regular expressions with AI](#limitations-of-generating-regular-expressions-with-ai). ### Use {% data variables.secret-scanning.copilot-secret-scanning %}'s {% data variables.secret-scanning.custom-pattern-regular-expression-generator %} as a tool, not a replacement diff --git a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-push-protection-for-your-repository.md b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-push-protection-for-your-repository.md index 06ac5d599285..812e4af72c17 100644 --- a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-push-protection-for-your-repository.md +++ b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-push-protection-for-your-repository.md @@ -20,25 +20,25 @@ To enable push protection for a repository, you must first enable {% data variab {% ifversion secret-scanning-push-protection-for-users %} -You can additionally enable push protection for your own personal account, which prevents you from pushing secrets to _any_ public repository on {% data variables.product.prodname_dotcom %}. For more information, see "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users)." +You can additionally enable push protection for your own personal account, which prevents you from pushing secrets to _any_ public repository on {% data variables.product.prodname_dotcom %}. For more information, see [AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users). {% endif %} {% ifversion security-configurations %} -If you're an organization owner, you can enable push protection for multiple repositories at a time using {% data variables.product.prodname_security_configurations %}. For more information, see "[AUTOTITLE](/code-security/securing-your-organization/introduction-to-securing-your-organization-at-scale/about-enabling-security-features-at-scale)." +If you're an organization owner, you can enable push protection for multiple repositories at a time using {% data variables.product.prodname_security_configurations %}. For more information, see [AUTOTITLE](/code-security/securing-your-organization/introduction-to-securing-your-organization-at-scale/about-enabling-security-features-at-scale). {% else %} -If you're an organization owner, you can enable push protection for multiple repositories at a time. For more information, see "[AUTOTITLE](/code-security/getting-started/quickstart-for-securing-your-organization#enabling-security-features-in-your-organization)." +If you're an organization owner, you can enable push protection for multiple repositories at a time. For more information, see [AUTOTITLE](/code-security/getting-started/quickstart-for-securing-your-organization#enabling-security-features-in-your-organization). {% endif %} -Organization owners, security managers, and repository administrators can also enable push protection for {% data variables.product.prodname_secret_scanning %} via the API. For more information, see "[AUTOTITLE](/rest/repos#update-a-repository)" and expand the "Properties of the `security_and_analysis` object" section. +Organization owners, security managers, and repository administrators can also enable push protection for {% data variables.product.prodname_secret_scanning %} via the API. For more information, see [AUTOTITLE](/rest/repos#update-a-repository) and expand the "Properties of the `security_and_analysis` object" section. {% ifversion secret-scanning-enterprise-level %} -If your organization is owned by an enterprise account, an enterprise owner can also enable push protection at the enterprise level. For more information, see "[AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise)." +If your organization is owned by an enterprise account, an enterprise owner can also enable push protection at the enterprise level. For more information, see [AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise). {% endif %} @@ -52,7 +52,7 @@ If your organization is owned by an enterprise account, an enterprise owner can ## Further reading -* "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection)" -* "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/excluding-folders-and-files-from-secret-scanning)" -* "[AUTOTITLE](/get-started/learning-about-github/about-github-advanced-security)" -* "[AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise)" +* [AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection) +* [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/excluding-folders-and-files-from-secret-scanning) +* [AUTOTITLE](/get-started/learning-about-github/about-github-advanced-security) +* [AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise) diff --git a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository.md b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository.md index 5eb3b7982c79..6428735023a7 100644 --- a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository.md +++ b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository.md @@ -28,17 +28,17 @@ topics: {% ifversion security-configurations %} -If you're an organization owner, you can enable {% data variables.product.prodname_secret_scanning %} for multiple repositories at a time using {% data variables.product.prodname_security_configurations %}. For more information, see "[AUTOTITLE](/code-security/securing-your-organization/introduction-to-securing-your-organization-at-scale/about-enabling-security-features-at-scale)." +If you're an organization owner, you can enable {% data variables.product.prodname_secret_scanning %} for multiple repositories at a time using {% data variables.product.prodname_security_configurations %}. For more information, see [AUTOTITLE](/code-security/securing-your-organization/introduction-to-securing-your-organization-at-scale/about-enabling-security-features-at-scale). {% else %} -If you're an organization owner, you can enable {% data variables.product.prodname_secret_scanning %} for multiple repositories at a time. For more information, see "[AUTOTITLE](/code-security/getting-started/quickstart-for-securing-your-organization#enabling-security-features-in-your-organization)." +If you're an organization owner, you can enable {% data variables.product.prodname_secret_scanning %} for multiple repositories at a time. For more information, see [AUTOTITLE](/code-security/getting-started/quickstart-for-securing-your-organization#enabling-security-features-in-your-organization). {% endif %} {% ifversion secret-scanning-enterprise-level %} -If your organization is owned by an enterprise account, an enterprise owner can also enable {% data variables.product.prodname_secret_scanning %} at the enterprise level. For more information, see "[AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise)." +If your organization is owned by an enterprise account, an enterprise owner can also enable {% data variables.product.prodname_secret_scanning %} at the enterprise level. For more information, see [AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise). {% endif %} @@ -56,9 +56,9 @@ If your organization is owned by an enterprise account, an enterprise owner can ![Screenshot of the "{% data variables.product.prodname_secret_scanning_caps %}" section of the {% ifversion code-security-wording-only %}"Code security"{% else %}"Code security and analysis"{% endif %} page, with the "Enable" button highlighted in a dark orange outline.](/assets/images/help/repository/enable-secret-scanning-alerts.png){% endif %} -A repository administrator can choose to disable {% data variables.product.prodname_secret_scanning %} for a repository at any time. For more information, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository)." +A repository administrator can choose to disable {% data variables.product.prodname_secret_scanning %} for a repository at any time. For more information, see [AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository). ## Next steps -* "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts)" -* "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts)" +* [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts) +* [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts) diff --git a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository.md b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository.md index d2847aa8bcf3..0f9afd3aacc1 100644 --- a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository.md +++ b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository.md @@ -31,7 +31,7 @@ You can filter by validation status on the alerts page, to help you prioritize w > [!NOTE] > {% data variables.product.company_short %} typically makes GET requests to check the validity of the credential, picks the least intrusive endpoints, and selects endpoints that don't return any personal information. -For more information on using validity checks, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts#checking-a-secrets-validity)." +For more information on using validity checks, see [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts#checking-a-secrets-validity). ## Enabling validity checks @@ -40,10 +40,10 @@ For more information on using validity checks, see "[AUTOTITLE](/code-security/s {% data reusables.repositories.navigate-to-code-security-and-analysis %} {% data reusables.secret-scanning.validity-check-auto-enable %} -You can also use the REST API to enable validity checks for partner patterns for your repository. For more information, see "[AUTOTITLE](/rest/repos/repos#update-a-repository)." +You can also use the REST API to enable validity checks for partner patterns for your repository. For more information, see [AUTOTITLE](/rest/repos/repos#update-a-repository). -Alternatively, organization owners and enterprise administrators can enable the feature for all repositories in the organization or enterprise settings. For more information on enabling at the organization-level, see "[AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/creating-a-custom-security-configuration)." For more information on enabling at the enterprise-level, see "[AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise)" and "[AUTOTITLE](/rest/enterprise-admin/code-security-and-analysis#update-code-security-and-analysis-features-for-an-enterprise)." +Alternatively, organization owners and enterprise administrators can enable the feature for all repositories in the organization or enterprise settings. For more information on enabling at the organization-level, see [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/creating-a-custom-security-configuration). For more information on enabling at the enterprise-level, see [AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise) and [AUTOTITLE](/rest/enterprise-admin/code-security-and-analysis#update-code-security-and-analysis-features-for-an-enterprise). ## Further reading -* "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning)" +* [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning) diff --git a/content/code-security/secret-scanning/introduction/about-push-protection.md b/content/code-security/secret-scanning/introduction/about-push-protection.md index dd50bc97f268..fb3893a78954 100644 --- a/content/code-security/secret-scanning/introduction/about-push-protection.md +++ b/content/code-security/secret-scanning/introduction/about-push-protection.md @@ -34,18 +34,18 @@ You can enable push protection: {% endif %} -For information about the secrets and service providers supported by push protection, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)." +For information about the secrets and service providers supported by push protection, see [AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets). -Push protection has some limitations. For more information, see "[AUTOTITLE](/code-security/secret-scanning/troubleshooting-secret-scanning-and-push-protection/troubleshooting-secret-scanning#push-protection-limitations)." +Push protection has some limitations. For more information, see [AUTOTITLE](/code-security/secret-scanning/troubleshooting-secret-scanning-and-push-protection/troubleshooting-secret-scanning#push-protection-limitations). ## How push protection works Push protection works: -* From the command line. See "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line)." -* In the {% data variables.product.prodname_dotcom %} UI. See "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui)."{% ifversion push-protection-delegated-bypass-file-upload-support %} +* From the command line. See [AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line). +* In the {% data variables.product.prodname_dotcom %} UI. See [AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui).{% ifversion push-protection-delegated-bypass-file-upload-support %} * On files uploaded onto the repository on {% data variables.product.prodname_dotcom %}.{% endif %}{% ifversion secret-scanning-push-protection-content-endpoints %} -* From the REST API. See "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-rest-api)."{% endif %} +* From the REST API. See [AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-rest-api).{% endif %} Once enabled, if push protection detects a potential secret during a push attempt, it will block the push and provide a detailed message explaining the reason for the block. You will need to review the code in question, remove any sensitive information, and reattempt the push. @@ -53,9 +53,9 @@ By default, anyone with write access to the repository can choose to bypass push {% data reusables.secret-scanning.bypass-reasons-and-alerts %} -{% ifversion push-protection-delegated-bypass %} If you want greater control over which contributors can bypass push protection and which pushes containing secrets should be allowed, you can enable delegated bypass for push protection. Delegated bypass lets you configure a designated group of reviewers to oversee and manage requests to bypass push protection from contributors pushing to the repository. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection)."{% endif %} +{% ifversion push-protection-delegated-bypass %} If you want greater control over which contributors can bypass push protection and which pushes containing secrets should be allowed, you can enable delegated bypass for push protection. Delegated bypass lets you configure a designated group of reviewers to oversee and manage requests to bypass push protection from contributors pushing to the repository. For more information, see [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection).{% endif %} -{% ifversion secret-scanning-push-protection-content-endpoints %}You can also bypass push protection using the REST API. For more information, see "[AUTOTITLE](/rest/secret-scanning/secret-scanning?apiVersion=2022-11-28#create-a-push-protection-bypass)."{% endif %} +{% ifversion secret-scanning-push-protection-content-endpoints %}You can also bypass push protection using the REST API. For more information, see [AUTOTITLE](/rest/secret-scanning/secret-scanning?apiVersion=2022-11-28#create-a-push-protection-bypass).{% endif %} ## About the benefits of push protection @@ -75,7 +75,7 @@ By default, anyone with write access to the repository can choose to bypass push {% ifversion secret-scanning-push-protection-for-users %} -Every user across {% data variables.product.prodname_dotcom %} can also enable push protection for themselves within their individual settings. Enabling push protection for your user account means that your pushes are protected whenever you push to a public repository on {% data variables.product.prodname_dotcom %}, without relying on that repository to have push protection enabled. For more information, see "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users)." +Every user across {% data variables.product.prodname_dotcom %} can also enable push protection for themselves within their individual settings. Enabling push protection for your user account means that your pushes are protected whenever you push to a public repository on {% data variables.product.prodname_dotcom %}, without relying on that repository to have push protection enabled. For more information, see [AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users). {% endif %} @@ -91,7 +91,7 @@ Integrate push protection with your Continuous Integration/Continuous Deployment ### Define custom patterns -Define custom patterns that push protection can use to identify secrets and block pushes containing these secrets. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning)." +Define custom patterns that push protection can use to identify secrets and block pushes containing these secrets. For more information, see [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning). {% endif %} @@ -99,14 +99,14 @@ Define custom patterns that push protection can use to identify secrets and bloc ### Configure delegated bypass -Define contributors who can bypass push protection and add an approval process for other contributors. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection)." +Define contributors who can bypass push protection and add an approval process for other contributors. For more information, see [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection). {% endif %} ## Further reading -* "[AUTOTITLE](/code-security/secret-scanning/enabling-secret-scanning-features/enabling-push-protection-for-your-repository)" -* "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line)" -* "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui)"{% ifversion secret-scanning-push-protection-custom-patterns %} -* "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning)"{% endif %}{% ifversion push-protection-delegated-bypass %} -* "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection)"{% endif %} +* [AUTOTITLE](/code-security/secret-scanning/enabling-secret-scanning-features/enabling-push-protection-for-your-repository) +* [AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line) +* [AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui){% ifversion secret-scanning-push-protection-custom-patterns %} +* [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning){% endif %}{% ifversion push-protection-delegated-bypass %} +* [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection){% endif %} diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md b/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md index 13d6bc733cc9..8271671fc816 100644 --- a/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md +++ b/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md @@ -24,10 +24,10 @@ The reason partner alerts are directly sent to the secret providers whenever a l ## What are the supported secrets -For information about the secrets and service providers supported by push protection, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)." +For information about the secrets and service providers supported by push protection, see [AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets). ## Further reading -* "[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning)" -* "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns)" -* "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program)" +* [AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning) +* [AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns) +* [AUTOTITLE](/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program) diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning.md b/content/code-security/secret-scanning/introduction/about-secret-scanning.md index 0dcfe274f209..81c8845c2ef4 100644 --- a/content/code-security/secret-scanning/introduction/about-secret-scanning.md +++ b/content/code-security/secret-scanning/introduction/about-secret-scanning.md @@ -28,18 +28,18 @@ shortTitle: Secret scanning {% data reusables.secret-scanning.what-is-scanned %} -When a supported secret is leaked, {% data variables.product.product_name %} generates a {% data variables.product.prodname_secret_scanning %} alert. Alerts are reported on the **Security** tab of repositories on {% data variables.product.product_name %}, where you can view, evaluate, and resolve them. For more information, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning)." +When a supported secret is leaked, {% data variables.product.product_name %} generates a {% data variables.product.prodname_secret_scanning %} alert. Alerts are reported on the **Security** tab of repositories on {% data variables.product.product_name %}, where you can view, evaluate, and resolve them. For more information, see [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning). {% ifversion fpt or ghec %}Service providers can partner with {% data variables.product.company_short %} to provide their secret formats for scanning. We automatically run {% data variables.product.prodname_secret_scanning %} for partner patterns on all public repositories and public npm packages.{% data reusables.secret-scanning.partner-program-link %} -Any strings that match patterns that were provided by secret scanning partners are reported directly to the relevant partner, and aren't displayed on {% data variables.product.prodname_dotcom %}. For more information about partner patterns, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts)."{% endif %} +Any strings that match patterns that were provided by secret scanning partners are reported directly to the relevant partner, and aren't displayed on {% data variables.product.prodname_dotcom %}. For more information about partner patterns, see [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts).{% endif %} -For information about the secrets and service providers supported by {% data variables.product.prodname_secret_scanning %}, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)." +For information about the secrets and service providers supported by {% data variables.product.prodname_secret_scanning %}, see [AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets). -You can use the REST API to monitor results from {% data variables.product.prodname_secret_scanning %} across your repositories{% ifversion ghes %} or your organization{% endif %}. For more information about API endpoints, see "[AUTOTITLE](/rest/secret-scanning)." +You can use the REST API to monitor results from {% data variables.product.prodname_secret_scanning %} across your repositories{% ifversion ghes %} or your organization{% endif %}. For more information about API endpoints, see [AUTOTITLE](/rest/secret-scanning). {% ifversion ghec or ghes %} -You can also use security overview to see an organization-level view of which repositories have enabled {% data variables.product.prodname_secret_scanning %} and the alerts found. For more information, see "[AUTOTITLE](/code-security/security-overview/about-security-overview)." +You can also use security overview to see an organization-level view of which repositories have enabled {% data variables.product.prodname_secret_scanning %} and the alerts found. For more information, see [AUTOTITLE](/code-security/security-overview/about-security-overview). {% endif %} {% data reusables.secret-scanning.audit-secret-scanning-events %} @@ -50,17 +50,17 @@ Below is a typical workflow that explains how {% data variables.product.prodname * **Detection:** {% data variables.product.prodname_secret_scanning_caps %} automatically scans your repository's contents for sensitive data, such as API keys, passwords, tokens, and other secrets. It looks for patterns and heuristics that match known types of secrets. -* **Alerts:** When a potential secret is detected, {% data variables.product.prodname_dotcom %} generates an alert and notifies the relevant repository administrators and users. This notification includes details about the detected secret, such as its location in the repository. For more information about alert types and alert details, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts)." +* **Alerts:** When a potential secret is detected, {% data variables.product.prodname_dotcom %} generates an alert and notifies the relevant repository administrators and users. This notification includes details about the detected secret, such as its location in the repository. For more information about alert types and alert details, see [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts). * **Review:** When a secret is detected, you'll need to review the alert details provided. -* **Remediation:** You then need to take appropriate action to remediate the exposure. This should always include rotating the affected credential to ensure it is no longer usable. It may also include removing the secret from the repository's history (using tools like `git-filter-repo`; see "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure/removing-sensitive-data-from-a-repository) for more details") though this will likely involve a heavy cost in time and effort, and is usually unnecessary if the credentials have been revoked. +* **Remediation:** You then need to take appropriate action to remediate the exposure. This should always include rotating the affected credential to ensure it is no longer usable. It may also include removing the secret from the repository's history (using tools like `git-filter-repo`; see [AUTOTITLE](/authentication/keeping-your-account-and-data-secure/removing-sensitive-data-from-a-repository) for more details) though this will likely involve a heavy cost in time and effort, and is usually unnecessary if the credentials have been revoked. * **Monitoring:** It's good practice to regularly audit and monitor your repositories to ensure no other secrets are exposed. {% ifversion fpt or ghec %} -* **Integration with partners:** {% data variables.product.prodname_dotcom %} works with various service providers to validate secrets. When a partner secret is detected, {% data variables.product.prodname_dotcom %} notifies the provider so they can take appropriate action, such as revoking the credential. For more information about the partnership program, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program)." +* **Integration with partners:** {% data variables.product.prodname_dotcom %} works with various service providers to validate secrets. When a partner secret is detected, {% data variables.product.prodname_dotcom %} notifies the provider so they can take appropriate action, such as revoking the credential. For more information about the partnership program, see [AUTOTITLE](/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program). {% endif %} @@ -74,7 +74,7 @@ Below is a typical workflow that explains how {% data variables.product.prodname {% ifversion fpt or ghec %} -* **Integration with service providers:** {% data variables.product.prodname_dotcom %} partners with various service providers to validate detected secrets. When a secret is identified, {% data variables.product.prodname_dotcom %} notifies the corresponding service provider to take appropriate actions, such as revoking the exposed credential. For more information, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program)." +* **Integration with service providers:** {% data variables.product.prodname_dotcom %} partners with various service providers to validate detected secrets. When a secret is identified, {% data variables.product.prodname_dotcom %} notifies the corresponding service provider to take appropriate actions, such as revoking the exposed credential. For more information, see [AUTOTITLE](/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program). {% endif %} @@ -98,19 +98,19 @@ Once {% data variables.product.prodname_secret_scanning %} is enabled, you can c ### Detection of non-provider patterns -Scan for and detect secrets that are not specific to a service provider, such as private keys and generic API keys. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns)." +Scan for and detect secrets that are not specific to a service provider, such as private keys and generic API keys. For more information, see [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns). {% endif %} ### Performing validity checks -Validity checks help you prioritize alerts by telling you which secrets are `active` or `inactive`. For more information, see{% ifversion secret-scanning-validity-check-partner-patterns %} "[AUTOTITLE](/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository)" and{% endif %} "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts#checking-a-secrets-validity)." +Validity checks help you prioritize alerts by telling you which secrets are `active` or `inactive`. For more information, see{% ifversion secret-scanning-validity-check-partner-patterns %} [AUTOTITLE](/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository) and{% endif %} [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts#checking-a-secrets-validity). {% ifversion ghec or ghes %} ### Defining custom patterns -Define your own patterns for secrets used by your organization that {% data variables.product.prodname_secret_scanning %} can scan for and detect. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning)." +Define your own patterns for secrets used by your organization that {% data variables.product.prodname_secret_scanning %} can scan for and detect. For more information, see [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning). {% endif %} @@ -118,16 +118,16 @@ Define your own patterns for secrets used by your organization that {% data vari ### {% data variables.secret-scanning.copilot-secret-scanning %} -* **{% data variables.secret-scanning.generic-secret-detection-caps %}:** Leverage {% data variables.product.prodname_secret_scanning %}'s AI capabilities to detect unstructured secrets, such as passwords, in your repository. For more information, see "[AUTOTITLE](/code-security/secret-scanning/copilot-secret-scanning/responsible-ai-generic-secrets)."{% ifversion secret-scanning-custom-pattern-ai-generated %} -* **{% data variables.secret-scanning.custom-pattern-regular-expression-generator-caps %}:** Leverage {% data variables.product.prodname_secret_scanning %}'s AI capabilities to generate regular expressions that will capture all your custom patterns. For more information, see "[AUTOTITLE](/code-security/secret-scanning/copilot-secret-scanning/responsible-ai-regex-generator).{% endif %} +* **{% data variables.secret-scanning.generic-secret-detection-caps %}:** Leverage {% data variables.product.prodname_secret_scanning %}'s AI capabilities to detect unstructured secrets, such as passwords, in your repository. For more information, see [AUTOTITLE](/code-security/secret-scanning/copilot-secret-scanning/responsible-ai-generic-secrets).{% ifversion secret-scanning-custom-pattern-ai-generated %} +* **{% data variables.secret-scanning.custom-pattern-regular-expression-generator-caps %}:** Leverage {% data variables.product.prodname_secret_scanning %}'s AI capabilities to generate regular expressions that will capture all your custom patterns. For more information, see [AUTOTITLE](/code-security/secret-scanning/copilot-secret-scanning/responsible-ai-regex-generator).{% endif %} {% endif %} ## Further reading -* "[AUTOTITLE](/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository)" -* "[AUTOTITLE](/code-security/secret-scanning/introduction/about-push-protection)" -* "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection)" -* "[AUTOTITLE](/code-security/getting-started/best-practices-for-preventing-data-leaks-in-your-organization)" -* "[AUTOTITLE](/code-security/getting-started/securing-your-repository)" -* "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure)" \ No newline at end of file +* [AUTOTITLE](/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository) +* [AUTOTITLE](/code-security/secret-scanning/introduction/about-push-protection) +* [AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection) +* [AUTOTITLE](/code-security/getting-started/best-practices-for-preventing-data-leaks-in-your-organization) +* [AUTOTITLE](/code-security/getting-started/securing-your-repository) +* [AUTOTITLE](/authentication/keeping-your-account-and-data-secure) diff --git a/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md b/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md index b312d0032199..229d4bd1575c 100644 --- a/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md +++ b/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md @@ -21,13 +21,13 @@ shortTitle: Supported patterns {% data reusables.secret-scanning.alert-types %} -For in-depth information about each alert type, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts)." +For in-depth information about each alert type, see [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts). -For details about all the supported patterns, see the "[Supported secrets](#supported-secrets)" section below. +For details about all the supported patterns, see the [Supported secrets](#supported-secrets) section below. -If you use the REST API for {% data variables.product.prodname_secret_scanning %}, you can use the `Secret type` to report on secrets from specific issuers. For more information, see "[AUTOTITLE](/enterprise-cloud@latest/rest/secret-scanning)." +If you use the REST API for {% data variables.product.prodname_secret_scanning %}, you can use the `Secret type` to report on secrets from specific issuers. For more information, see [AUTOTITLE](/enterprise-cloud@latest/rest/secret-scanning). -If you believe that {% data variables.product.prodname_secret_scanning %} should have detected a secret committed to your repository, and it has not, you first need to check that {% data variables.product.prodname_dotcom %} supports your secret. For more information, refer to the following sections. For more advanced troubleshooting information, see "[AUTOTITLE](/code-security/secret-scanning/troubleshooting-secret-scanning-and-push-protection/troubleshooting-secret-scanning)." +If you believe that {% data variables.product.prodname_secret_scanning %} should have detected a secret committed to your repository, and it has not, you first need to check that {% data variables.product.prodname_dotcom %} supports your secret. For more information, refer to the following sections. For more advanced troubleshooting information, see [AUTOTITLE](/code-security/secret-scanning/troubleshooting-secret-scanning-and-push-protection/troubleshooting-secret-scanning). ## Supported secrets @@ -38,14 +38,14 @@ This table lists the secrets supported by {% data variables.product.prodname_sec * **User:** Token for which leaks are reported to users on {% data variables.product.prodname_dotcom %}.{% ifversion secret-scanning-non-provider-patterns %} * Applies to public repositories, and to private repositories where {% data variables.product.prodname_GH_advanced_security %} and {% data variables.product.prodname_secret_scanning %} are enabled. * Includes {% ifversion secret-scanning-alert-experimental-list %}default{% else %}high confidence{% endif %} tokens, which relate to supported patterns and specified custom patterns, as well as non-provider tokens such as private keys, which usually have a higher ratio of false positives. - * For {% data variables.product.prodname_secret_scanning %} to scan for non-provider patterns, the detection of non-provider patterns must be enabled for the repository or the organization. For more information, see "[AUTOTITLE](/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository)." + * For {% data variables.product.prodname_secret_scanning %} to scan for non-provider patterns, the detection of non-provider patterns must be enabled for the repository or the organization. For more information, see [AUTOTITLE](/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository). {% data reusables.secret-scanning.non-provider-patterns-beta %}{% endif %}{% endif %}{% ifversion ghes %} * **{% data variables.product.prodname_secret_scanning_caps %} alert:** Token for which leaks are reported to users on {% data variables.product.prodname_dotcom %}.{% ifversion secret-scanning-non-provider-patterns %} * Applies to private repositories where {% data variables.product.prodname_GH_advanced_security %} and {% data variables.product.prodname_secret_scanning %} are enabled. * Includes {% ifversion secret-scanning-alert-experimental-list %}default{% else %}high confidence{% endif %} tokens, which relate to supported patterns and specified custom patterns, as well as non-provider tokens such as private keys, which often result in false positives.{% else %} Applies to private repositories where {% data variables.product.prodname_GH_advanced_security %} and {% data variables.product.prodname_secret_scanning %} enabled.{% endif %}{% endif %} * **Push protection:** Token for which leaks are reported to users on {% data variables.product.prodname_dotcom %}. Applies to repositories with {% data variables.product.prodname_secret_scanning %} and push protection enabled. -* **Validity check:** Token for which a validity check is implemented. {% ifversion secret-scanning-validity-check-partner-patterns %}For partner tokens, {% data variables.product.prodname_dotcom %} sends the token to the relevant partner. Note that not all partners are based in the United States. For more information, see "[{% data variables.product.prodname_advanced_security %}](/free-pro-team@latest/site-policy/github-terms/github-terms-for-additional-products-and-features#advanced-security)" in the Site Policy documentation.{% else %} {% ifversion ghes %}Currently only applies to {% data variables.product.prodname_dotcom %} tokens.{% endif %} {% ifversion fpt %}Currently only applies to {% data variables.product.prodname_dotcom %} tokens, and not shown in the table. For more information about validity check support see "[AUTOTITLE](/enterprise-cloud@latest/code-security/secret-scanning/secret-scanning-patterns#supported-secrets)" in the {% data variables.product.prodname_ghe_cloud %} documentation.{% endif %}{% endif %} +* **Validity check:** Token for which a validity check is implemented. {% ifversion secret-scanning-validity-check-partner-patterns %}For partner tokens, {% data variables.product.prodname_dotcom %} sends the token to the relevant partner. Note that not all partners are based in the United States. For more information, see [{% data variables.product.prodname_advanced_security %}](/free-pro-team@latest/site-policy/github-terms/github-terms-for-additional-products-and-features#advanced-security) in the Site Policy documentation.{% else %} {% ifversion ghes %}Currently only applies to {% data variables.product.prodname_dotcom %} tokens.{% endif %} {% ifversion fpt %}Currently only applies to {% data variables.product.prodname_dotcom %} tokens, and not shown in the table. For more information about validity check support see [AUTOTITLE](/enterprise-cloud@latest/code-security/secret-scanning/secret-scanning-patterns#supported-secrets) in the {% data variables.product.prodname_ghe_cloud %} documentation.{% endif %}{% endif %} {% ifversion secret-scanning-non-provider-patterns %} @@ -111,9 +111,9 @@ Service providers update the patterns used to generate tokens periodically and m ## Further reading -* "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts)" +* [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts) {%- ifversion fpt or ghec %} -* "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program)" +* [AUTOTITLE](/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program) {%- endif %} -* "[AUTOTITLE](/code-security/getting-started/securing-your-repository)" -* "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure)" +* [AUTOTITLE](/code-security/getting-started/securing-your-repository) +* [AUTOTITLE](/authentication/keeping-your-account-and-data-secure) diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md index 720d48e0b5fb..27994cecfc8f 100644 --- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md +++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md @@ -30,7 +30,7 @@ When {% data variables.product.company_short %} detects a supported secret in a * {% ifversion secret-scanning-alert-experimental-list %}Default{% else %}High confidence{% endif %} alerts, which relate to supported patterns and specified custom patterns. * {% ifversion secret-scanning-alert-experimental-list %}Experimental{% else %}Other{% endif %} alerts, which can have a higher ratio of false positives or secrets used in tests. -{% data variables.product.prodname_dotcom %} displays {% ifversion secret-scanning-alert-experimental-list %}experimental{% else %}these "other"{% endif %} alerts in a different list to {% ifversion secret-scanning-alert-experimental-list %}default{% else %}high confidence{% endif %} alerts, making triaging a better experience for users. For more information, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts)." +{% data variables.product.prodname_dotcom %} displays {% ifversion secret-scanning-alert-experimental-list %}experimental{% else %}these "other"{% endif %} alerts in a different list to {% ifversion secret-scanning-alert-experimental-list %}default{% else %}high confidence{% endif %} alerts, making triaging a better experience for users. For more information, see [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts). {% endif %} @@ -38,20 +38,20 @@ When {% data variables.product.company_short %} detects a supported secret in a ## About push protection alerts -Push protection scans pushes for supported secrets. If push protection detects a supported secret, it will block the push. When a contributor bypasses push protection to push a secret to the repository, a push protection alert is generated and displayed in the **Security** tab of the repository. To see all push protection alerts for a repository, you must filter by `bypassed: true` on the alerts page. For more information, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts#filtering-alerts)." +Push protection scans pushes for supported secrets. If push protection detects a supported secret, it will block the push. When a contributor bypasses push protection to push a secret to the repository, a push protection alert is generated and displayed in the **Security** tab of the repository. To see all push protection alerts for a repository, you must filter by `bypassed: true` on the alerts page. For more information, see [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts#filtering-alerts). {% data reusables.secret-scanning.secret-scanning-pattern-pair-matches %} >[!NOTE] -> {% ifversion secret-scanning-push-protection-for-users %}You can also enable push protection for your personal account, called "push protection for users", which prevents you from accidentally pushing supported secrets to _any_ public repository. Alerts are _not_ created if you choose to bypass your user-based push protection only. Alerts are only created if the repository itself has push protection enabled. For more information, see "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users)."{% endif %} +> {% ifversion secret-scanning-push-protection-for-users %}You can also enable push protection for your personal account, called "push protection for users", which prevents you from accidentally pushing supported secrets to _any_ public repository. Alerts are _not_ created if you choose to bypass your user-based push protection only. Alerts are only created if the repository itself has push protection enabled. For more information, see [AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users).{% endif %} > -> {% data reusables.secret-scanning.push-protection-older-tokens %} For more information about push protection limitations, see "[AUTOTITLE](/code-security/secret-scanning/troubleshooting-secret-scanning-and-push-protection/troubleshooting-secret-scanning#push-protection-and-pattern-versions)." +> {% data reusables.secret-scanning.push-protection-older-tokens %} For more information about push protection limitations, see [AUTOTITLE](/code-security/secret-scanning/troubleshooting-secret-scanning-and-push-protection/troubleshooting-secret-scanning#push-protection-and-pattern-versions). {% ifversion fpt or ghec %} ## About partner alerts -When {% data variables.product.company_short %} detects a leaked secret in a public repository or npm package, an alert is sent directly to the secret provider, if they are part of {% data variables.product.company_short %}'s secret scanning partner program. For more information about {% data variables.secret-scanning.partner_alerts %}, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program)" and "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns)." +When {% data variables.product.company_short %} detects a leaked secret in a public repository or npm package, an alert is sent directly to the secret provider, if they are part of {% data variables.product.company_short %}'s secret scanning partner program. For more information about {% data variables.secret-scanning.partner_alerts %}, see [AUTOTITLE](/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program) and [AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns). Partner alerts are not sent to repository administrators, so you do not need to take any action for this type of alert. @@ -59,11 +59,11 @@ Partner alerts are not sent to repository administrators, so you do not need to ## Next steps -* "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts)" +* [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts) ## Further reading -* "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns){% ifversion ghec or ghes %} -* "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning)"{% endif %}{% ifversion secret-scanning-non-provider-patterns %} -* "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns)"{% endif %}{% ifversion secret-scanning-ai-generic-secret-detection %} -* "[AUTOTITLE](/code-security/secret-scanning/copilot-secret-scanning/responsible-ai-generic-secrets)"{% endif %} +* [AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns){% ifversion ghec or ghes %} +* [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning){% endif %}{% ifversion secret-scanning-non-provider-patterns %} +* [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns){% endif %}{% ifversion secret-scanning-ai-generic-secret-detection %} +* [AUTOTITLE](/code-security/secret-scanning/copilot-secret-scanning/responsible-ai-generic-secrets){% endif %} diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts.md index 4858be257c6b..99c95994186c 100644 --- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts.md +++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts.md @@ -20,10 +20,10 @@ allowTitleToDifferFromFilename: true There are some additional features that can help you to evaluate alerts in order to better prioritize and manage them. You can: -* Check the validity of a secret, to see if the secret is still active. {% ifversion fpt or ghes %}**Applies to {% data variables.product.company_short %} tokens only**.{% endif %} For more information, see "[Checking a secret's validity](#checking-a-secrets-validity)."{% ifversion secret-scanning-validity-check-partner-patterns %} -* Perform an "on-demand" validity check, to get the most up to date validation status. For more information, see "[Performing an on-demand validity check](#performing-an-on-demand-validity-check)."{% endif %} -* Review a token's metadata. **Applies to {% data variables.product.company_short %} tokens only**. For example, to see when the token was last used. For more information, see "[Reviewing {% data variables.product.company_short %} token metadata](#reviewing-github-token-metadata)."{% ifversion secret-scanning-multi-repo-public-leak %} -* Review the labels assigned to the alert. For more information, see "[Reviewing alert labels](#reviewing-alert-labels)."{% endif %} +* Check the validity of a secret, to see if the secret is still active. {% ifversion fpt or ghes %}**Applies to {% data variables.product.company_short %} tokens only**.{% endif %} For more information, see [Checking a secret's validity](#checking-a-secrets-validity).{% ifversion secret-scanning-validity-check-partner-patterns %} +* Perform an "on-demand" validity check, to get the most up to date validation status. For more information, see [Performing an on-demand validity check](#performing-an-on-demand-validity-check).{% endif %} +* Review a token's metadata. **Applies to {% data variables.product.company_short %} tokens only**. For example, to see when the token was last used. For more information, see [Reviewing {% data variables.product.company_short %} token metadata](#reviewing-github-token-metadata).{% ifversion secret-scanning-multi-repo-public-leak %} +* Review the labels assigned to the alert. For more information, see [Reviewing alert labels](#reviewing-alert-labels).{% endif %} ## Checking a secret's validity @@ -33,7 +33,7 @@ By default, {% data variables.product.company_short %} checks the validity of {% {% ifversion fpt %} -Organizations using {% data variables.product.prodname_ghe_cloud %} with a license for {% data variables.product.prodname_GH_advanced_security %} can also enable validity checks for partner patterns. For more information, see "[Checking a secret's validity](/enterprise-cloud@latest/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts#checking-a-secrets-validity)" in the {% data variables.product.prodname_ghe_cloud %} documentation. +Organizations using {% data variables.product.prodname_ghe_cloud %} with a license for {% data variables.product.prodname_GH_advanced_security %} can also enable validity checks for partner patterns. For more information, see [Checking a secret's validity](/enterprise-cloud@latest/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts#checking-a-secrets-validity) in the {% data variables.product.prodname_ghe_cloud %} documentation. {% endif %} @@ -43,17 +43,17 @@ Organizations using {% data variables.product.prodname_ghe_cloud %} with a licen {% data reusables.gated-features.partner-pattern-validity-check-ghas %} -For information on how to enable validity checks for partner patterns, see "[AUTOTITLE](/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository)," and for information on which partner patterns are currently supported, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns)." +For information on how to enable validity checks for partner patterns, see [AUTOTITLE](/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository), and for information on which partner patterns are currently supported, see [AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns). {% endif %} -You can use the REST API to retrieve a list of the most recent validation status for each of your tokens. For more information, see "[AUTOTITLE](/rest/secret-scanning)" in the REST API documentation. You can also use webhooks to be notified of activity relating to a {% data variables.product.prodname_secret_scanning %} alert. For more information, see the `secret_scanning_alert` event in "[AUTOTITLE](/webhooks/webhook-events-and-payloads?actionType=created#secret_scanning_alert)." +You can use the REST API to retrieve a list of the most recent validation status for each of your tokens. For more information, see [AUTOTITLE](/rest/secret-scanning) in the REST API documentation. You can also use webhooks to be notified of activity relating to a {% data variables.product.prodname_secret_scanning %} alert. For more information, see the `secret_scanning_alert` event in [AUTOTITLE](/webhooks/webhook-events-and-payloads?actionType=created#secret_scanning_alert). {% ifversion copilot-chat-ghas-alerts %} ## Asking {% data variables.product.prodname_copilot_chat %} about {% data variables.product.prodname_secret_scanning %} alerts -With a {% data variables.product.prodname_copilot_enterprise %} license, you can ask {% data variables.product.prodname_copilot_chat_short %} for help to better understand security alerts, including {% data variables.product.prodname_secret_scanning %} alerts, in repositories in your organization. For more information, see "[AUTOTITLE](/copilot/using-github-copilot/asking-github-copilot-questions-in-githubcom#asking-questions-about-alerts-from-github-advanced-security-features)." +With a {% data variables.product.prodname_copilot_enterprise %} license, you can ask {% data variables.product.prodname_copilot_chat_short %} for help to better understand security alerts, including {% data variables.product.prodname_secret_scanning %} alerts, in repositories in your organization. For more information, see [AUTOTITLE](/copilot/using-github-copilot/asking-github-copilot-questions-in-githubcom#asking-questions-about-alerts-from-github-advanced-security-features). {% endif %} @@ -89,7 +89,7 @@ Tokens, like {% data variables.product.pat_generic %} and other credentials, are |Last used on| Date the token was last used| |Access| Whether the token has organization access| -{% ifversion secret-scanning-user-owned-repos %}{% data reusables.secret-scanning.secret-scanning-user-owned-repo-access %} If access is granted, {% data variables.product.prodname_dotcom %} will notify the owner of the repository containing the leaked secret, report the action in the repository owner and enterprise audit logs, and enable access for 2 hours.{% ifversion ghec %} For more information, see "[AUTOTITLE](/admin/managing-accounts-and-repositories/managing-repositories-in-your-enterprise/accessing-user-owned-repositories-in-your-enterprise)."{% endif %}{% endif %} +{% ifversion secret-scanning-user-owned-repos %}{% data reusables.secret-scanning.secret-scanning-user-owned-repo-access %} If access is granted, {% data variables.product.prodname_dotcom %} will notify the owner of the repository containing the leaked secret, report the action in the repository owner and enterprise audit logs, and enable access for 2 hours.{% ifversion ghec %} For more information, see [AUTOTITLE](/admin/managing-accounts-and-repositories/managing-repositories-in-your-enterprise/accessing-user-owned-repositories-in-your-enterprise).{% endif %}{% endif %} {% ifversion secret-scanning-multi-repo-public-leak-deduped-alerts or secret-scanning-multi-repo-public-leak %} @@ -108,4 +108,4 @@ In the alert view, you can review any labels assigned to the alert. The labels p ## Next steps -* "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts)" +* [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts) diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts.md index c2d6a386c313..ec4afc54db3b 100644 --- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts.md +++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts.md @@ -20,9 +20,9 @@ allowTitleToDifferFromFilename: true Once a secret has been committed to a repository, you should consider the secret compromised. {% data variables.product.github %} recommends the following actions for compromised secrets: -* Verify that the secret committed to {% data variables.product.github %} is valid. {% ifversion fpt or ghes %}**Applies to {% data variables.product.github %} tokens only**. See "[Checking a secret's validity](/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts#checking-a-secrets-validity)."{% endif %}{% ifversion secret-scanning-validity-check-partner-patterns %}See "[Performing an on-demand validity check](/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts#performing-an-on-demand-validity-check)".{% endif %}{% ifversion secret-scanning-report-secret-github-pat %} -* For secrets detected in private repositories, report the leaked secret to {% data variables.product.github %}, who will treat it like any publicly leaked secret and revoke it. **Applies to {% data variables.product.github %} {% data variables.product.pat_generic %}s only**. See "[Reporting a leaked secret](#reporting-a-leaked-secret)." {% endif %} -* Review and update any services that use the old token. For {% data variables.product.github %} {% data variables.product.pat_generic %}s, delete the compromised token and create a new token. See "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token)." +* Verify that the secret committed to {% data variables.product.github %} is valid. {% ifversion fpt or ghes %}**Applies to {% data variables.product.github %} tokens only**. See [Checking a secret's validity](/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts#checking-a-secrets-validity).{% endif %}{% ifversion secret-scanning-validity-check-partner-patterns %}See [Performing an on-demand validity check](/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts#performing-an-on-demand-validity-check).{% endif %}{% ifversion secret-scanning-report-secret-github-pat %} +* For secrets detected in private repositories, report the leaked secret to {% data variables.product.github %}, who will treat it like any publicly leaked secret and revoke it. **Applies to {% data variables.product.github %} {% data variables.product.pat_generic %}s only**. See [Reporting a leaked secret](#reporting-a-leaked-secret). {% endif %} +* Review and update any services that use the old token. For {% data variables.product.github %} {% data variables.product.pat_generic %}s, delete the compromised token and create a new token. See [AUTOTITLE](/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token). * Depending on the secret provider, check your security logs for any unauthorized activity. {% ifversion secret-scanning-report-secret-github-pat %} @@ -36,7 +36,7 @@ Once a secret has been committed to a repository, you should consider the secret {% ifversion fpt or ghec %} -If a secret is detected in a **public** repository on {% data variables.product.github %} and the secret also matches a supported partner pattern, the potential secret is **automatically reported** to the service provider. For details of all supported partner patterns, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)." +If a secret is detected in a **public** repository on {% data variables.product.github %} and the secret also matches a supported partner pattern, the potential secret is **automatically reported** to the service provider. For details of all supported partner patterns, see [AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets). {% endif %} @@ -76,9 +76,9 @@ You will only see the option to report a privately exposed secret to {% data var ![Screenshot of a {% data variables.product.prodname_secret_scanning %} alert. A dropdown menu, titled "Close as", is expanded and highlighted in a dark orange outline.](/assets/images/help/repository/secret-scanning-dismiss-alert-web-ui-link-partner-documentation.png) -1. Optionally, in the "Comment" field, add a dismissal comment. The dismissal comment will be added to the alert timeline and can be used as justification during auditing and reporting. You can view the history of all dismissed alerts and dismissal comments in the alert timeline. You can also retrieve or set a comment by using the {% data variables.product.prodname_secret_scanning_caps %} API. The comment is contained in the `resolution_comment` field. For more information, see "[AUTOTITLE](/rest/secret-scanning#update-a-secret-scanning-alert)" in the REST API documentation. +1. Optionally, in the "Comment" field, add a dismissal comment. The dismissal comment will be added to the alert timeline and can be used as justification during auditing and reporting. You can view the history of all dismissed alerts and dismissal comments in the alert timeline. You can also retrieve or set a comment by using the {% data variables.product.prodname_secret_scanning_caps %} API. The comment is contained in the `resolution_comment` field. For more information, see [AUTOTITLE](/rest/secret-scanning#update-a-secret-scanning-alert) in the REST API documentation. 1. Click **Close alert**. ## Next steps -* "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/monitoring-alerts)" +* [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/monitoring-alerts) diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md index 2bdd119095cb..5e7534829c6d 100644 --- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md +++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md @@ -65,7 +65,7 @@ In addition, alerts that fall into this category: * Are not shown in the summary views for security overview, only in the "{% data variables.product.prodname_secret_scanning_caps %}" view. * Only have the first five detected locations shown on {% data variables.product.prodname_dotcom %} for non-provider patterns{% ifversion secret-scanning-ai-generic-secret-detection %}, and only the first detected location shown for AI-detected generic secrets{% endif %}. -For {% data variables.product.company_short %} to scan for non-provider patterns{% ifversion secret-scanning-ai-generic-secret-detection %} and generic secrets{% endif %}, you must first enable the feature{% ifversion secret-scanning-ai-generic-secret-detection %}s{% endif %} for your repository or organization. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns){% ifversion secret-scanning-ai-generic-secret-detection %}" and "[AUTOTITLE](/code-security/secret-scanning/copilot-secret-scanning/enabling-ai-powered-generic-secret-detection){% endif %}." +For {% data variables.product.company_short %} to scan for non-provider patterns{% ifversion secret-scanning-ai-generic-secret-detection %} and generic secrets{% endif %}, you must first enable the feature{% ifversion secret-scanning-ai-generic-secret-detection %}s{% endif %} for your repository or organization. For more information, see [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns){% ifversion secret-scanning-ai-generic-secret-detection %} and [AUTOTITLE](/code-security/secret-scanning/copilot-secret-scanning/enabling-ai-powered-generic-secret-detection){% endif %}. {% ifversion secret-scanning-alert-experimental-list %} @@ -100,18 +100,18 @@ You can apply various filters to the alerts list to help you find the alerts you |`is:open`|Displays open alerts.| |`is:closed`|Displays closed alerts.| | {% ifversion secret-scanning-bypass-filter %} | -|`bypassed: true`|Displays alerts for secrets where push protection has been bypassed. For more information, see "[AUTOTITLE](/code-security/secret-scanning/introduction/about-push-protection)."| +|`bypassed: true`|Displays alerts for secrets where push protection has been bypassed. For more information, see [AUTOTITLE](/code-security/secret-scanning/introduction/about-push-protection).| | {% endif %} | -|`validity:active`| Displays alerts for secrets that are known to be active. {% ifversion fpt %}Applies to {% data variables.product.company_short %} tokens only.{% endif %} For more information about validity statuses, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts#checking-a-secrets-validity)."| +|`validity:active`| Displays alerts for secrets that are known to be active. {% ifversion fpt %}Applies to {% data variables.product.company_short %} tokens only.{% endif %} For more information about validity statuses, see [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts#checking-a-secrets-validity).| |`validity:inactive`| Displays alerts for secrets that are no longer active.| |`validity:unknown`| Displays alerts for secrets where the validity status of the secret is unknown.| -|`secret-type:SECRET-NAME`| Displays alerts for a specific secret type, for example, `secret-type:github_personal_access_token`. For a list of supported secret types, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secret)." | -|`provider:PROVIDER-NAME`|Displays alerts for a specific provider, for example, `provider:github`. For a list of supported partners, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)."| +|`secret-type:SECRET-NAME`| Displays alerts for a specific secret type, for example, `secret-type:github_personal_access_token`. For a list of supported secret types, see [AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secret). | +|`provider:PROVIDER-NAME`|Displays alerts for a specific provider, for example, `provider:github`. For a list of supported partners, see [AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets).| | {% ifversion secret-scanning-non-provider-patterns %} | -|{% ifversion secret-scanning-alert-experimental-list %}`results:default`{% else %}`confidence:high`{% endif %}| Displays alerts for {% ifversion secret-scanning-alert-experimental-list %}{% else %}high-confidence secrets, which relate to {% endif %}supported secrets and custom patterns. For a list of supported patterns, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns)." | -|{% ifversion secret-scanning-alert-experimental-list %}`results:experimental`{% else %}`confidence:other`{% endif %}| Displays alerts for non-provider patterns, such as private keys{% ifversion secret-scanning-ai-generic-secret-detection %}, and AI-detected generic secrets, such as passwords{% endif %}. For a list of supported non-provider patterns, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#non-provider-patterns)." {% ifversion secret-scanning-ai-generic-secret-detection %}For more information about AI-detected generic secrets, see "[AUTOTITLE](/code-security/secret-scanning/copilot-secret-scanning/responsible-ai-generic-secrets)."{% endif %}| +|{% ifversion secret-scanning-alert-experimental-list %}`results:default`{% else %}`confidence:high`{% endif %}| Displays alerts for {% ifversion secret-scanning-alert-experimental-list %}{% else %}high-confidence secrets, which relate to {% endif %}supported secrets and custom patterns. For a list of supported patterns, see [AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns). | +|{% ifversion secret-scanning-alert-experimental-list %}`results:experimental`{% else %}`confidence:other`{% endif %}| Displays alerts for non-provider patterns, such as private keys{% ifversion secret-scanning-ai-generic-secret-detection %}, and AI-detected generic secrets, such as passwords{% endif %}. For a list of supported non-provider patterns, see [AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#non-provider-patterns). {% ifversion secret-scanning-ai-generic-secret-detection %}For more information about AI-detected generic secrets, see [AUTOTITLE](/code-security/secret-scanning/copilot-secret-scanning/responsible-ai-generic-secrets).{% endif %}| | {% endif %} | ## Next steps -* "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts)" +* [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts) diff --git a/content/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program.md b/content/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program.md index b8fc5f3468c3..bc3c3897c756 100644 --- a/content/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program.md +++ b/content/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program.md @@ -22,7 +22,7 @@ shortTitle: Partner program When a match of your secret format is found in a public source, a payload is sent to an HTTP endpoint of your choice. -When a match of your secret format is found in a private repository configured for {% data variables.product.prodname_secret_scanning %}, then repository admins and the committer are alerted and can view and manage the {% data variables.product.prodname_secret_scanning %} result on {% data variables.product.prodname_dotcom %}. For more information, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning)." +When a match of your secret format is found in a private repository configured for {% data variables.product.prodname_secret_scanning %}, then repository admins and the committer are alerted and can view and manage the {% data variables.product.prodname_secret_scanning %} result on {% data variables.product.prodname_dotcom %}. For more information, see [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning). This article describes how you can partner with {% data variables.product.prodname_dotcom %} as a service provider and join the {% data variables.product.prodname_secret_scanning %} partner program. @@ -35,7 +35,7 @@ The following diagram summarizes the {% data variables.product.prodname_secret_s ## Joining the {% data variables.product.prodname_secret_scanning %} program on {% data variables.product.prodname_dotcom %} 1. Contact {% data variables.product.prodname_dotcom %} to get the process started. -1. Identify the relevant secrets you want to scan for and create regular expressions to capture them. For more detailed information and recommendations, see "[Identify your secrets and create regular expressions](#identify-your-secrets-and-create-regular-expressions)" below. +1. Identify the relevant secrets you want to scan for and create regular expressions to capture them. For more detailed information and recommendations, see [Identify your secrets and create regular expressions](#identify-your-secrets-and-create-regular-expressions) below. 1. For secret matches found publicly, create a secret alert service which accepts webhooks from {% data variables.product.prodname_dotcom %} that contain the {% data variables.product.prodname_secret_scanning %} message payload. 1. Implement signature verification in your secret alert service. 1. Implement secret revocation and user notification in your secret alert service. @@ -121,7 +121,7 @@ will provide several `key_identifier` and public keys. You can determine which p key to use based on the value of `Github-Public-Key-Identifier`. > [!NOTE] -> When you send a request to the public key endpoint above, you may hit rate limits. To avoid hitting rate limits, you can use a {% data variables.product.pat_v1 %} (no scopes required) or a {% data variables.product.pat_v2 %} (only the automatic public repositories read access required) as suggested in the samples below, or use a conditional request. For more information, see "[AUTOTITLE](/rest/guides/getting-started-with-the-rest-api#conditional-requests)." +> When you send a request to the public key endpoint above, you may hit rate limits. To avoid hitting rate limits, you can use a {% data variables.product.pat_v1 %} (no scopes required) or a {% data variables.product.pat_v2 %} (only the automatic public repositories read access required) as suggested in the samples below, or use a conditional request. For more information, see [AUTOTITLE](/rest/guides/getting-started-with-the-rest-api#conditional-requests). > [!NOTE] > The signature was generated using the raw message body. So it's important you also use the raw message body for signature validation, instead of parsing and stringifying the JSON, to avoid rearranging the message or changing spacing. diff --git a/content/code-security/secret-scanning/troubleshooting-secret-scanning-and-push-protection/troubleshooting-secret-scanning.md b/content/code-security/secret-scanning/troubleshooting-secret-scanning-and-push-protection/troubleshooting-secret-scanning.md index 67bd7665e2e2..2d6141f446d9 100644 --- a/content/code-security/secret-scanning/troubleshooting-secret-scanning-and-push-protection/troubleshooting-secret-scanning.md +++ b/content/code-security/secret-scanning/troubleshooting-secret-scanning-and-push-protection/troubleshooting-secret-scanning.md @@ -22,7 +22,7 @@ redirect_from: {% data variables.product.prodname_secret_scanning_caps %} will only detect pattern pairs, such as AWS Access Keys and Secrets, if the ID and the secret are found in the same file, and both are pushed to the repository. Pair matching helps reduce false positives since both elements of a pair (the ID and the secret) must be used together to access the provider's resource. -Pairs pushed to different files, or not pushed to the same repository, will not result in alerts. For more information about the supported pattern pairs, see the table in "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns)." +Pairs pushed to different files, or not pushed to the same repository, will not result in alerts. For more information about the supported pattern pairs, see the table in [AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns). ## About legacy GitHub tokens @@ -30,7 +30,7 @@ For {% data variables.product.prodname_dotcom %} tokens, we check the validity o ## Push protection limitations -If push protection did not detect a secret that you think should have been detected, then you should first check that push protection supports the secret type in the list of supported secrets. For further information, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)." +If push protection did not detect a secret that you think should have been detected, then you should first check that push protection supports the secret type in the list of supported secrets. For further information, see [AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets). If your secret is in the supported list, there are various reasons why push protection may not detect it. diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning.md index 4f5b8348758d..e9754d5cf903 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning.md @@ -18,17 +18,17 @@ topics: ## About custom patterns for {% data variables.product.prodname_secret_scanning %} -You can define custom patterns to identify secrets that are not detected by the default patterns supported by {% data variables.product.prodname_secret_scanning %}. For example, you might have a secret pattern that is internal to your organization. For details of the supported secrets and service providers, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns)." +You can define custom patterns to identify secrets that are not detected by the default patterns supported by {% data variables.product.prodname_secret_scanning %}. For example, you might have a secret pattern that is internal to your organization. For details of the supported secrets and service providers, see [AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns). You can define custom patterns for your enterprise, organization, or repository. {% data variables.product.prodname_secret_scanning_caps %} supports up to 500 custom patterns for each organization or enterprise account, and up to 100 custom patterns per repository. -{% ifversion secret-scanning-push-protection-custom-patterns %}You can also enable push protection for custom patterns. For more information about push protection, see "[AUTOTITLE](/code-security/secret-scanning/protecting-pushes-with-secret-scanning)."{% endif %} +{% ifversion secret-scanning-push-protection-custom-patterns %}You can also enable push protection for custom patterns. For more information about push protection, see [AUTOTITLE](/code-security/secret-scanning/protecting-pushes-with-secret-scanning).{% endif %} ## About using regular expressions for custom patterns You can specify custom patterns for {% data variables.product.prodname_secret_scanning %} as one or more regular expressions. -{% data variables.product.prodname_secret_scanning_caps %} uses the [Hyperscan library](https://github.com/intel/hyperscan) and only supports Hyperscan regex constructs, which are a subset of PCRE syntax. Hyperscan option modifiers are not supported. For more information on Hyperscan pattern constructs, see "[Pattern support](http://intel.github.io/hyperscan/dev-reference/compilation.html#pattern-support)" in the Hyperscan documentation. +{% data variables.product.prodname_secret_scanning_caps %} uses the [Hyperscan library](https://github.com/intel/hyperscan) and only supports Hyperscan regex constructs, which are a subset of PCRE syntax. Hyperscan option modifiers are not supported. For more information on Hyperscan pattern constructs, see [Pattern support](http://intel.github.io/hyperscan/dev-reference/compilation.html#pattern-support) in the Hyperscan documentation. {% ifversion secret-scanning-custom-pattern-ai-generated %}Regular expressions can be entered manually or generated using {% data variables.secret-scanning.copilot-secret-scanning %}'s {% data variables.secret-scanning.custom-pattern-regular-expression-generator %}. @@ -41,19 +41,19 @@ The **More options {% octicon "chevron-down" aria-hidden="true" %}** section in * **After secret:** an expression that describes the characters that come after the secret. By default, this is set to `\z|[^0-9A-Za-z]` which means that the secret must be followed by a new line or a non-alphanumeric character. * **Additional match requirements:** one or more optional expressions that the secret itself must or must not match. -For simple tokens you will usually only need to specify a secret format. The other fields provide flexibility so that you can specify more complex secrets without creating complex regular expressions. For an example of a custom pattern, see "[Example of a custom pattern specified using additional requirements](#example-of-a-custom-pattern-specified-using-additional-requirements)" below. +For simple tokens you will usually only need to specify a secret format. The other fields provide flexibility so that you can specify more complex secrets without creating complex regular expressions. For an example of a custom pattern, see [Example of a custom pattern specified using additional requirements](#example-of-a-custom-pattern-specified-using-additional-requirements) below. {% ifversion secret-scanning-custom-pattern-ai-generated %} ### Using {% data variables.secret-scanning.copilot-secret-scanning %}'s {% data variables.secret-scanning.custom-pattern-regular-expression-generator %} -{% data reusables.secret-scanning.regular-expression-generator-overview %} For more information, see "[AUTOTITLE](/code-security/secret-scanning/copilot-secret-scanning/responsible-ai-regex-generator)" and "[AUTOTITLE](/code-security/secret-scanning/copilot-secret-scanning/generating-regular-expressions-for-custom-patterns-with-copilot-secret-scanning)." +{% data reusables.secret-scanning.regular-expression-generator-overview %} For more information, see [AUTOTITLE](/code-security/secret-scanning/copilot-secret-scanning/responsible-ai-regex-generator) and [AUTOTITLE](/code-security/secret-scanning/copilot-secret-scanning/generating-regular-expressions-for-custom-patterns-with-copilot-secret-scanning). {% endif %} ## Defining a custom pattern for a repository -Before defining a custom pattern, you must ensure that {% data variables.product.prodname_secret_scanning %} is enabled on your repository. For more information, see "[AUTOTITLE](/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository)." +Before defining a custom pattern, you must ensure that {% data variables.product.prodname_secret_scanning %} is enabled on your repository. For more information, see [AUTOTITLE](/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository). {% data reusables.repositories.navigate-to-repo %} {% data reusables.repositories.sidebar-settings %} @@ -70,11 +70,11 @@ Before defining a custom pattern, you must ensure that {% data variables.product > [!NOTE] > The "Enable" button isn't available until after the dry run succeeds and you publish the pattern. - For more information about push protection, see "[AUTOTITLE](/code-security/secret-scanning/protecting-pushes-with-secret-scanning)." + For more information about push protection, see [AUTOTITLE](/code-security/secret-scanning/protecting-pushes-with-secret-scanning). {% endif %} -After your pattern is created, {% data reusables.secret-scanning.secret-scanning-process %} For more information on viewing {% data variables.secret-scanning.alerts %}, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning)." +After your pattern is created, {% data reusables.secret-scanning.secret-scanning-process %} For more information on viewing {% data variables.secret-scanning.alerts %}, see [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning). ### Example of a custom pattern specified using additional requirements @@ -107,8 +107,8 @@ aAAAe9 ## Defining a custom pattern for an organization -Before defining a custom pattern, you must ensure that you enable {% data variables.product.prodname_secret_scanning %} for the repositories that you want to scan in your organization. {% ifversion security-configurations %} You can use {% data variables.product.prodname_security_configurations %} to enable {% data variables.product.prodname_secret_scanning %} on all repositories in your organization. For more information, see "[AUTOTITLE](/code-security/securing-your-organization/introduction-to-securing-your-organization-at-scale/about-enabling-security-features-at-scale)."{% else %} -To enable {% data variables.product.prodname_secret_scanning %} on all repositories in your organization, see "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization)." +Before defining a custom pattern, you must ensure that you enable {% data variables.product.prodname_secret_scanning %} for the repositories that you want to scan in your organization. {% ifversion security-configurations %} You can use {% data variables.product.prodname_security_configurations %} to enable {% data variables.product.prodname_secret_scanning %} on all repositories in your organization. For more information, see [AUTOTITLE](/code-security/securing-your-organization/introduction-to-securing-your-organization-at-scale/about-enabling-security-features-at-scale).{% else %} +To enable {% data variables.product.prodname_secret_scanning %} on all repositories in your organization, see [AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization). {% endif %} {% data reusables.profile.access_org %} @@ -127,11 +127,11 @@ To enable {% data variables.product.prodname_secret_scanning %} on all repositor {% data reusables.advanced-security.secret-scanning-dry-run-results %} {%- endif %} {% data reusables.advanced-security.secret-scanning-create-custom-pattern %}{% ifversion secret-scanning-push-protection-custom-patterns %} -1. Optionally, to enable push protection for your custom pattern, click **Enable**. For more information, see "[AUTOTITLE](/code-security/secret-scanning/protecting-pushes-with-secret-scanning#enabling-secret-scanning-as-a-push-protection-in-an-organization-for-a-custom-pattern)." +1. Optionally, to enable push protection for your custom pattern, click **Enable**. For more information, see [AUTOTITLE](/code-security/secret-scanning/protecting-pushes-with-secret-scanning#enabling-secret-scanning-as-a-push-protection-in-an-organization-for-a-custom-pattern). {% indented_data_reference reusables.secret-scanning.push-protection-org-notes spaces=3 %}{% endif %} -After your pattern is created, {% data variables.product.prodname_secret_scanning %} scans for any secrets in repositories in your organization, including their entire Git history on all branches. Organization owners and repository administrators will be alerted to any secrets found and can review the alert in the repository where the secret is found. For more information on viewing {% data variables.secret-scanning.alerts %}, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning)." +After your pattern is created, {% data variables.product.prodname_secret_scanning %} scans for any secrets in repositories in your organization, including their entire Git history on all branches. Organization owners and repository administrators will be alerted to any secrets found and can review the alert in the repository where the secret is found. For more information on viewing {% data variables.secret-scanning.alerts %}, see [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning). ## Defining a custom pattern for an enterprise account @@ -155,12 +155,12 @@ Before defining a custom pattern, you must ensure that you enable secret scannin {% data reusables.advanced-security.secret-scanning-dry-run-results %} {%- endif %} {% data reusables.advanced-security.secret-scanning-create-custom-pattern %}{% ifversion secret-scanning-push-protection-custom-patterns %} -1. Optionally, to enable push protection for your custom pattern, click **Enable**. For more information, see "[AUTOTITLE](/code-security/secret-scanning/protecting-pushes-with-secret-scanning)." +1. Optionally, to enable push protection for your custom pattern, click **Enable**. For more information, see [AUTOTITLE](/code-security/secret-scanning/protecting-pushes-with-secret-scanning). {% indented_data_reference reusables.secret-scanning.push-protection-enterprise-note spaces=3 %}{% endif %} -After your pattern is created, {% data variables.product.prodname_secret_scanning %} scans for any secrets in repositories within your enterprise's organizations with {% data variables.product.prodname_GH_advanced_security %} enabled, including their entire Git history on all branches. Organization owners and repository administrators will be alerted to any secrets found, and can review the alert in the repository where the secret is found. For more information on viewing {% data variables.secret-scanning.alerts %}, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning)." +After your pattern is created, {% data variables.product.prodname_secret_scanning %} scans for any secrets in repositories within your enterprise's organizations with {% data variables.product.prodname_GH_advanced_security %} enabled, including their entire Git history on all branches. Organization owners and repository administrators will be alerted to any secrets found, and can review the alert in the repository where the secret is found. For more information on viewing {% data variables.secret-scanning.alerts %}, see [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning). ## Further reading -* "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/managing-custom-patterns)" {% ifversion secret-scanning-custom-patterns-metrics %} -* "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/metrics-for-custom-patterns)"{% endif %} +* [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/managing-custom-patterns) {% ifversion secret-scanning-custom-patterns-metrics %} +* [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/metrics-for-custom-patterns){% endif %} diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/managing-custom-patterns.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/managing-custom-patterns.md index 93d0fd89b712..cc38eabaaa26 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/managing-custom-patterns.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/managing-custom-patterns.md @@ -12,7 +12,7 @@ topics: - Secret scanning --- -Custom patterns are user-defined patterns that you can use to identify secrets that are not detected by the default patterns supported by {% data variables.product.prodname_secret_scanning %}. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning)." +Custom patterns are user-defined patterns that you can use to identify secrets that are not detected by the default patterns supported by {% data variables.product.prodname_secret_scanning %}. For more information, see [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning). At the enterprise level, only the creator of a custom pattern can edit the pattern, and use it in a dry run. There are no similar restrictions for editing custom patterns at repository and organization level. @@ -76,7 +76,7 @@ Before enabling push protection for a custom pattern at enterprise level, you mu ### Enabling {% data variables.product.prodname_secret_scanning %} as a push protection in an organization for a custom pattern -Before enabling push protection for a custom pattern at organization level, you must ensure that you enable {% data variables.product.prodname_secret_scanning %} for the repositories that you want to scan in your organization. To enable {% data variables.product.prodname_secret_scanning %} on all repositories in your organization, see "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization)." +Before enabling push protection for a custom pattern at organization level, you must ensure that you enable {% data variables.product.prodname_secret_scanning %} for the repositories that you want to scan in your organization. To enable {% data variables.product.prodname_secret_scanning %} on all repositories in your organization, see [AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization). {% data reusables.profile.access_org %} {% data reusables.profile.org_settings %} @@ -95,7 +95,7 @@ Before enabling push protection for a custom pattern at organization level, you ### Enabling {% data variables.product.prodname_secret_scanning %} as a push protection in a repository for a custom pattern -Before enabling push protection for a custom pattern at repository level, you must define the custom pattern for the repository, and test it in the repository. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository)." +Before enabling push protection for a custom pattern at repository level, you must define the custom pattern for the repository, and test it in the repository. For more information, see [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository). {% data reusables.repositories.navigate-to-repo %} {% data reusables.repositories.sidebar-settings %} diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection.md index 09dba6e19c7e..ac03584bc7cf 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection.md @@ -38,5 +38,5 @@ The following types of users can always bypass push protection without having to ## Next steps -* "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection)" -* "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection)" +* [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection) +* [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection) diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md index 049d80601fa9..7dc2353c2b66 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md @@ -19,11 +19,11 @@ shortTitle: Enable delegated bypass {% data reusables.secret-scanning.push-protection-delegated-bypass-intro %} -For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection)." +For more information, see [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection). When you enable this feature, you will create a bypass list of roles and teams who can manage requests to bypass push protection. If you don't already have appropriate teams or roles to use, you should create additional teams before you start. -{% ifversion push-protection-bypass-fine-grained-permissions %}Alternatively, you can grant specific organization members the ability to review and manage bypass requests using fine-grained permissions, which give you more refined control over which individuals and teams can approve and deny bypass requests. For more information, see "[Using fine-grained permissions to control who can review and manage bypass requests](#using-fine-grained-permissions-to-control-who-can-review-and-manage-bypass-requests)."{% endif %} +{% ifversion push-protection-bypass-fine-grained-permissions %}Alternatively, you can grant specific organization members the ability to review and manage bypass requests using fine-grained permissions, which give you more refined control over which individuals and teams can approve and deny bypass requests. For more information, see [Using fine-grained permissions to control who can review and manage bypass requests](#using-fine-grained-permissions-to-control-who-can-review-and-manage-bypass-requests).{% endif %} ## Configuring delegated bypass for a repository @@ -49,7 +49,7 @@ When you enable this feature, you will create a bypass list of roles and teams w You must configure delegated bypass for your organization using a custom security configuration. You can then apply the security configuration to all (or selected) repositories in your organization. -1. Create a new custom security configuration, or edit an existing one. See "[AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/creating-a-custom-security-configuration#creating-a-custom-security-configuration)." +1. Create a new custom security configuration, or edit an existing one. See [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/creating-a-custom-security-configuration#creating-a-custom-security-configuration). 1. When creating the custom security configuration, under "{% data variables.product.prodname_secret_scanning_caps %}", ensure that the dropdown menus for "Alerts" and "Push protection" are set to **Enabled**. 1. Under "Push protection", to the right of "Bypass privileges", select the dropdown menu, then click **Specific actors**. @@ -61,12 +61,12 @@ You must configure delegated bypass for your organization using a custom securit 1. Click the "Select actors" dropdown menu, then select the roles and teams you want to assign bypass privileges to. > [!TIP] - > In addition to assigning bypass privileges to roles and teams, you can also grant _individual_ organization members the ability to review and manage bypass requests using fine-grained permissions. See "[Using fine-grained permissions to control who can review and manage bypass requests](#using-fine-grained-permissions-to-control-who-can-review-and-manage-bypass-requests)." + > In addition to assigning bypass privileges to roles and teams, you can also grant _individual_ organization members the ability to review and manage bypass requests using fine-grained permissions. See [Using fine-grained permissions to control who can review and manage bypass requests](#using-fine-grained-permissions-to-control-who-can-review-and-manage-bypass-requests). 1. Click **Save configuration**. -1. Apply the security configuration to all (or selected) repositories in your organization. See "[AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/applying-a-custom-security-configuration)." +1. Apply the security configuration to all (or selected) repositories in your organization. See [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/applying-a-custom-security-configuration). -To learn more about security configurations, see "[AUTOTITLE](/code-security/securing-your-organization/introduction-to-securing-your-organization-at-scale/about-enabling-security-features-at-scale)." +To learn more about security configurations, see [AUTOTITLE](/code-security/securing-your-organization/introduction-to-securing-your-organization-at-scale/about-enabling-security-features-at-scale). {% else %} @@ -90,9 +90,9 @@ To learn more about security configurations, see "[AUTOTITLE](/code-security/sec You can grant specific individuals or teams in your organization the ability to review and manage bypass requests using fine-grained permissions. -1. Ensure that delegated bypass is enabled for the organization. For more information, follow steps 1-3 in "[Configuring delegated bypass for your organization](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection#configuring-delegated-bypass-for-an-organization)" and ensure you have saved and applied the security configuration to your selected repositories. -1. Create (or edit) a custom organization role. For information on creating and editing custom roles, see "[AUTOTITLE](/organizations/managing-peoples-access-to-your-organization-with-roles/managing-custom-organization-roles#creating-a-custom-role)." +1. Ensure that delegated bypass is enabled for the organization. For more information, follow steps 1-3 in [Configuring delegated bypass for your organization](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection#configuring-delegated-bypass-for-an-organization) and ensure you have saved and applied the security configuration to your selected repositories. +1. Create (or edit) a custom organization role. For information on creating and editing custom roles, see [AUTOTITLE](/organizations/managing-peoples-access-to-your-organization-with-roles/managing-custom-organization-roles#creating-a-custom-role). 1. When choosing which permissions to add to the custom role, select the "Review and manage {% data variables.product.prodname_secret_scanning %} bypass requests" permission. -1. Assign the custom role to individual members or teams in your organization. For more information on assigning custom roles, see "[AUTOTITLE](/organizations/managing-peoples-access-to-your-organization-with-roles/using-organization-roles#assigning-an-organization-role)." +1. Assign the custom role to individual members or teams in your organization. For more information on assigning custom roles, see [AUTOTITLE](/organizations/managing-peoples-access-to-your-organization-with-roles/using-organization-roles#assigning-an-organization-role). {% endif %} diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md index 89930abeef35..29edd129fc54 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md @@ -55,7 +55,7 @@ The contributor is notified of the decision by email and must take the required ### Managing requests for an organization -Organization owners, security managers and organization members with the relevant fine-grained permission (via a custom role) can review and manage bypass requests for all repositories in the organization using security overview. See "[AUTOTITLE](/code-security/security-overview/reviewing-requests-to-bypass-push-protection)." +Organization owners, security managers and organization members with the relevant fine-grained permission (via a custom role) can review and manage bypass requests for all repositories in the organization using security overview. See [AUTOTITLE](/code-security/security-overview/reviewing-requests-to-bypass-push-protection). {% endif %} @@ -82,6 +82,6 @@ The following statuses are assigned to a request: ## Further reading -* "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection)" -* "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection)"{% ifversion security-overview-delegated-bypass-requests %} -* "[AUTOTITLE](/code-security/security-overview/reviewing-requests-to-bypass-push-protection)"{% endif %} +* [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection) +* [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection){% ifversion security-overview-delegated-bypass-requests %} +* [AUTOTITLE](/code-security/security-overview/reviewing-requests-to-bypass-push-protection){% endif %} diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/excluding-folders-and-files-from-secret-scanning.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/excluding-folders-and-files-from-secret-scanning.md index 55b183598a26..7f05a5e87c55 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/excluding-folders-and-files-from-secret-scanning.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/excluding-folders-and-files-from-secret-scanning.md @@ -38,7 +38,7 @@ You can configure a `secret_scanning.yml` file to exclude directories from {% da This tells {% data variables.product.prodname_secret_scanning %} to ignore everything in the `docs` directory. You can use this example file as a template to add the files and folders you’d like to exclude from your own repositories. - You can also use special characters, such as `*` to filter paths. For more information about filter patterns, see "[Workflow syntax for GitHub Actions](/actions/reference/workflow-syntax-for-github-actions#filter-pattern-cheat-sheet)." + You can also use special characters, such as `*` to filter paths. For more information about filter patterns, see [Workflow syntax for GitHub Actions](/actions/reference/workflow-syntax-for-github-actions#filter-pattern-cheat-sheet). ``` yaml copy paths-ignore: diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns.md index 6aee36a65e28..d909b72adc83 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns.md @@ -38,10 +38,10 @@ For more information about non-provider patterns, see "{% ifversion fpt or ghec ### Enabling detection of non-provider patterns for an organization -You can enable scanning for non-provider patterns at the organization level {% ifversion security-configurations-cloud %}using the {% data variables.product.prodname_github_security_configuration %} or {% endif %}by applying a custom security configuration. For more information, see {% ifversion security-configurations-cloud %}"[AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/applying-the-github-recommended-security-configuration-in-your-organization)" and {% endif %}"[AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/creating-a-custom-security-configuration)." +You can enable scanning for non-provider patterns at the organization level {% ifversion security-configurations-cloud %}using the {% data variables.product.prodname_github_security_configuration %} or {% endif %}by applying a custom security configuration. For more information, see {% ifversion security-configurations-cloud %}[AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/applying-the-github-recommended-security-configuration-in-your-organization) and {% endif %}[AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/creating-a-custom-security-configuration). {% endif %} ## Further reading -* "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning)" +* [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning) diff --git a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users.md b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users.md index 4884500b35c0..fc1e8b6f18ad 100644 --- a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users.md +++ b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users.md @@ -18,15 +18,15 @@ redirect_from: Push protection for users automatically protects you from accidentally committing secrets to public repositories across {% data variables.product.product_name %}. -When you try to push a secret to a public repository, {% data variables.product.prodname_dotcom %} blocks the push. If you believe it's safe to allow the secret, you have the option to bypass the block. Otherwise, you must remove the secret from the commit before pushing again. For more information on how to resolve a blocked push, see "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui)" or "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line)", depending on whether you use the {% data variables.product.product_name %} UI or the command line. +When you try to push a secret to a public repository, {% data variables.product.prodname_dotcom %} blocks the push. If you believe it's safe to allow the secret, you have the option to bypass the block. Otherwise, you must remove the secret from the commit before pushing again. For more information on how to resolve a blocked push, see [AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui) or [AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line), depending on whether you use the {% data variables.product.product_name %} UI or the command line. -Push protection for users is always on by default. You can disable the feature at any time through your personal account settings. This may cause secrets to be accidentally leaked. For more information, see "[Disabling push protection for users](#disabling-push-protection-for-users)." +Push protection for users is always on by default. You can disable the feature at any time through your personal account settings. This may cause secrets to be accidentally leaked. For more information, see [Disabling push protection for users](#disabling-push-protection-for-users). -Push protection for users is different from _push protection for repositories and organizations_, which is a {% data variables.product.prodname_secret_scanning %} feature that must be enabled by a repository administrator or organization owner. With push protection for repositories and organizations, {% data variables.product.prodname_secret_scanning %} blocks contributors from pushing secrets to a repository and generates an alert whenever a contributor bypasses the protection. For more information, see "[AUTOTITLE](/code-security/secret-scanning/introduction/about-push-protection)." +Push protection for users is different from _push protection for repositories and organizations_, which is a {% data variables.product.prodname_secret_scanning %} feature that must be enabled by a repository administrator or organization owner. With push protection for repositories and organizations, {% data variables.product.prodname_secret_scanning %} blocks contributors from pushing secrets to a repository and generates an alert whenever a contributor bypasses the protection. For more information, see [AUTOTITLE](/code-security/secret-scanning/introduction/about-push-protection). With push protection for users, {% data variables.product.prodname_dotcom %} won't create an alert when you bypass the protection and push a secret to a public repository, unless the repository itself has {% data variables.product.prodname_secret_scanning %} enabled. However, if the bypassed secret is a {% data variables.product.prodname_dotcom %} token, the token will be revoked and you will be notified by email. -For information on the secrets and service providers supported for push protection, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)." +For information on the secrets and service providers supported for push protection, see [AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets). ## Disabling push protection for users diff --git a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line.md b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line.md index cb5c0eb6b634..263613fa7d8b 100644 --- a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line.md +++ b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line.md @@ -23,22 +23,22 @@ When you attempt to push a supported secret from the command line to a repositor You should either: -* **Remove** the secret from your branch. For more information, see "[Resolving a blocked push](#resolving-a-blocked-push)." -* **Follow a provided URL** {% ifversion push-protection-delegated-bypass %}to see what options are available to you{% endif %} to allow the push. For more information, see "[Bypassing push protection](#bypassing-push-protection){% ifversion push-protection-delegated-bypass %}" and "[Requesting bypass privileges](#requesting-bypass-privileges){% endif %}." +* **Remove** the secret from your branch. For more information, see [Resolving a blocked push](#resolving-a-blocked-push). +* **Follow a provided URL** {% ifversion push-protection-delegated-bypass %}to see what options are available to you{% endif %} to allow the push. For more information, see "[Bypassing push protection](#bypassing-push-protection){% ifversion push-protection-delegated-bypass %}" and [Requesting bypass privileges](#requesting-bypass-privileges){% endif %}. Up to five detected secrets will be displayed at a time on the command line. If a particular secret has already been detected in the repository and an alert already exists, {% data variables.product.prodname_dotcom %} will not block that secret. -If you confirm a secret is real and that you intend to fix it later, you should aim to remediate the secret as soon as possible. For example, you might revoke the secret and remove the secret from the repository's commit history. Real secrets that have been exposed must be revoked to avoid unauthorized access. You might consider first rotating the secret before revoking it. For more information, see "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure/removing-sensitive-data-from-a-repository)." +If you confirm a secret is real and that you intend to fix it later, you should aim to remediate the secret as soon as possible. For example, you might revoke the secret and remove the secret from the repository's commit history. Real secrets that have been exposed must be revoked to avoid unauthorized access. You might consider first rotating the secret before revoking it. For more information, see [AUTOTITLE](/authentication/keeping-your-account-and-data-secure/removing-sensitive-data-from-a-repository). {% data reusables.secret-scanning.push-protection-multiple-branch-note %} ## Resolving a blocked push To resolve a blocked push, you must remove the secret from all of the commits it appears in. -* If the secret was introduced by your latest commit, see "[Removing a secret introduced by the latest commit on your branch](#removing-a-secret-introduced-by-the-latest-commit-on-your-branch)." -* If the secret appears in earlier commits, see "[Removing a secret introduced by an earlier commit on your branch](#removing-a-secret-introduced-by-an-earlier-commit-on-your-branch)." +* If the secret was introduced by your latest commit, see [Removing a secret introduced by the latest commit on your branch](#removing-a-secret-introduced-by-the-latest-commit-on-your-branch). +* If the secret appears in earlier commits, see [Removing a secret introduced by an earlier commit on your branch](#removing-a-secret-introduced-by-an-earlier-commit-on-your-branch). ->[!NOTE] To learn how to resolved a blocked commit in the {% data variables.product.prodname_dotcom %} UI, see "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui#resolving-a-blocked-commit)." +>[!NOTE] To learn how to resolved a blocked commit in the {% data variables.product.prodname_dotcom %} UI, see [AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui#resolving-a-blocked-commit). ### Removing a secret introduced by the latest commit on your branch @@ -125,7 +125,7 @@ If {% data variables.product.prodname_dotcom %} blocks a secret that you believe {% data reusables.secret-scanning.push-protection-allow-email %} -If you don't see the option to bypass the block, the repository administrator or organization owner has configured tighter controls around push protection. Instead, you should remove the secret from the commit, or submit a request for "bypass privileges" in order to push the blocked secret. For more information, see "[Requesting bypass privileges](/enterprise-cloud@latest/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line#requesting-bypass-privileges)" in the {% data variables.product.prodname_ghe_cloud %} documentation. +If you don't see the option to bypass the block, the repository administrator or organization owner has configured tighter controls around push protection. Instead, you should remove the secret from the commit, or submit a request for "bypass privileges" in order to push the blocked secret. For more information, see [Requesting bypass privileges](/enterprise-cloud@latest/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line#requesting-bypass-privileges) in the {% data variables.product.prodname_ghe_cloud %} documentation. {% data reusables.secret-scanning.push-protection-visit-URL %} {% data reusables.secret-scanning.push-protection-choose-allow-secret-options %} @@ -152,7 +152,7 @@ Requests expire after 7 days. If your request is approved, you can push the commit (or commits) containing the secret to the repository, as well as any future commits that contain the same secret. -If your request is denied, you will need to remove the secret from all commits containing the secret before pushing again. For information on how to remove a blocked secret, see "[Resolving a blocked push](#resolving-a-blocked-push)." +If your request is denied, you will need to remove the secret from all commits containing the secret before pushing again. For information on how to remove a blocked secret, see [Resolving a blocked push](#resolving-a-blocked-push). {% endif %} diff --git a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-rest-api.md b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-rest-api.md index 7f79cf4bbc4b..2dbcc8b21c43 100644 --- a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-rest-api.md +++ b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-rest-api.md @@ -17,14 +17,14 @@ topics: Push protection prevents you from accidentally committing secrets to a repository by blocking pushes containing supported secrets. -The "Create a blob" and "Create or update file contents" endpoints in the REST API include push protection. See "[AUTOTITLE](/rest/git/blobs?apiVersion=2022-11-28#create-a-blob)" and "[AUTOTITLE](/rest/repos/contents?apiVersion=2022-11-28#create-or-update-file-contents)." +The "Create a blob" and "Create or update file contents" endpoints in the REST API include push protection. See [AUTOTITLE](/rest/git/blobs?apiVersion=2022-11-28#create-a-blob) and [AUTOTITLE](/rest/repos/contents?apiVersion=2022-11-28#create-or-update-file-contents). If you make a request with these endpoints whose content includes a supported secret, the REST API will return a 409 error, indicating that a secret has been detected. To resolve the error, you can either: * **Remove** the secret from the content of your API request before trying again. -* **Create a push protection bypass:** You can bypass push protection using the "Create a push protection bypass" endpoint. For more information, see "[AUTOTITLE](/rest/secret-scanning/secret-scanning?apiVersion=2022-11-28#create-a-push-protection-bypass)." +* **Create a push protection bypass:** You can bypass push protection using the "Create a push protection bypass" endpoint. For more information, see [AUTOTITLE](/rest/secret-scanning/secret-scanning?apiVersion=2022-11-28#create-a-push-protection-bypass). ## Further reading diff --git a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md index 01e179793339..8e5800ccc6e7 100644 --- a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md +++ b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md @@ -29,8 +29,8 @@ When you {% ifversion push-protection-delegated-bypass-file-upload-support %}upl You should either: -* **Remove** the secret from the commit. For more information, see "[Resolving a blocked commit](#resolving-a-blocked-commit)." -* **Review** the instructions in the dialog box {% ifversion push-protection-delegated-bypass %}to see what options are available to you{% endif %} to allow the push. For more information, see "[Bypassing push protection](#bypassing-push-protection){% ifversion push-protection-delegated-bypass %}" and "[Requesting bypass privileges](#requesting-bypass-privileges){% endif %}." +* **Remove** the secret from the commit. For more information, see [Resolving a blocked commit](#resolving-a-blocked-commit). +* **Review** the instructions in the dialog box {% ifversion push-protection-delegated-bypass %}to see what options are available to you{% endif %} to allow the push. For more information, see "[Bypassing push protection](#bypassing-push-protection){% ifversion push-protection-delegated-bypass %}" and [Requesting bypass privileges](#requesting-bypass-privileges){% endif %}. {% data variables.product.prodname_dotcom %} will only display one detected secret at a time in the web UI. If a particular secret has already been detected in the repository and an alert already exists, {% data variables.product.prodname_dotcom %} will not block that secret. @@ -42,7 +42,7 @@ Organization owners can provide a custom link that will be displayed when a push To resolve a blocked commit in the web UI, you need to remove the secret from the file. Once you remove the secret, you will be able to commit your changes. ->[!NOTE] To learn how to resolved a blocked push on the command line, see "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line#resolving-a-blocked-push)." +>[!NOTE] To learn how to resolved a blocked push on the command line, see [AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line#resolving-a-blocked-push). ## Bypassing push protection @@ -59,7 +59,7 @@ If {% data variables.product.prodname_dotcom %} blocks a secret that you believe {% ifversion push-protection-delegated-bypass %} -If you don't see the option to bypass the block, the repository administrator or organization owner has configured tighter controls around push protection. Instead, you should remove the secret from the commit, or submit a request for "bypass privileges" in order to push the blocked secret. For more information, see "[Requesting bypass privileges](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui#requesting-bypass-privileges)." +If you don't see the option to bypass the block, the repository administrator or organization owner has configured tighter controls around push protection. Instead, you should remove the secret from the commit, or submit a request for "bypass privileges" in order to push the blocked secret. For more information, see [Requesting bypass privileges](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui#requesting-bypass-privileges). {% endif %} diff --git a/content/code-security/securing-your-organization/enabling-security-features-in-your-organization/applying-a-custom-security-configuration.md b/content/code-security/securing-your-organization/enabling-security-features-in-your-organization/applying-a-custom-security-configuration.md index afdcf77b1b21..397c956a57fd 100644 --- a/content/code-security/securing-your-organization/enabling-security-features-in-your-organization/applying-a-custom-security-configuration.md +++ b/content/code-security/securing-your-organization/enabling-security-features-in-your-organization/applying-a-custom-security-configuration.md @@ -15,14 +15,14 @@ redirect_from: ## About applying a {% data variables.product.prodname_custom_security_configuration %} -After you create a {% data variables.product.prodname_custom_security_configuration %}, you need to apply it to repositories in your organization to enable the configuration's settings on those repositories. To learn how to create a {% data variables.product.prodname_custom_security_configuration %}, see "[AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/creating-a-custom-security-configuration)." +After you create a {% data variables.product.prodname_custom_security_configuration %}, you need to apply it to repositories in your organization to enable the configuration's settings on those repositories. To learn how to create a {% data variables.product.prodname_custom_security_configuration %}, see [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/creating-a-custom-security-configuration). ## Applying your {% data variables.product.prodname_custom_security_configuration %} to repositories in your organization {% data reusables.profile.access_org %} {% data reusables.organizations.org_settings %} {% data reusables.security-configurations.view-configurations-page %} -1. Optionally, in the "Apply configurations" section, filter for specific repositories you would like to apply your {% data variables.product.prodname_custom_security_configuration %} to. To learn how to filter the repository table, see "[AUTOTITLE](/code-security/securing-your-organization/managing-the-security-of-your-organization/filtering-repositories-in-your-organization-using-the-repository-table)." +1. Optionally, in the "Apply configurations" section, filter for specific repositories you would like to apply your {% data variables.product.prodname_custom_security_configuration %} to. To learn how to filter the repository table, see [AUTOTITLE](/code-security/securing-your-organization/managing-the-security-of-your-organization/filtering-repositories-in-your-organization-using-the-repository-table). 1. In the repository table, select repositories with one of three methods: * Select each repository you would like to apply the {% data variables.product.prodname_security_configuration %} to. * To select all repositories displayed on the current page of the repository table, select **NUMBER repositories**. @@ -38,7 +38,7 @@ After you create a {% data variables.product.prodname_custom_security_configurat ## Next steps -To learn how to interpret security findings from your {% data variables.product.prodname_custom_security_configuration %} on a repository, see "[AUTOTITLE](/code-security/securing-your-organization/managing-the-security-of-your-organization/interpreting-security-findings)." +To learn how to interpret security findings from your {% data variables.product.prodname_custom_security_configuration %} on a repository, see [AUTOTITLE](/code-security/securing-your-organization/managing-the-security-of-your-organization/interpreting-security-findings). {% data reusables.security-configurations.edit-configuration-next-step %} diff --git a/content/code-security/securing-your-organization/enabling-security-features-in-your-organization/applying-the-github-recommended-security-configuration-in-your-organization.md b/content/code-security/securing-your-organization/enabling-security-features-in-your-organization/applying-the-github-recommended-security-configuration-in-your-organization.md index 53449191dfaa..b9e20f229caf 100644 --- a/content/code-security/securing-your-organization/enabling-security-features-in-your-organization/applying-the-github-recommended-security-configuration-in-your-organization.md +++ b/content/code-security/securing-your-organization/enabling-security-features-in-your-organization/applying-the-github-recommended-security-configuration-in-your-organization.md @@ -32,7 +32,7 @@ The {% data variables.product.prodname_github_security_configuration %} is a col {% data reusables.profile.access_org %} {% data reusables.organizations.org_settings %} {% data reusables.security-configurations.view-configurations-page %} -1. Optionally, in the "Apply configurations" section, filter the view to find the repositories you would like to apply the {% data variables.product.prodname_github_security_configuration %} to. To learn how to filter the repository table, see "[AUTOTITLE](/code-security/securing-your-organization/managing-the-security-of-your-organization/filtering-repositories-in-your-organization-using-the-repository-table)." +1. Optionally, in the "Apply configurations" section, filter the view to find the repositories you would like to apply the {% data variables.product.prodname_github_security_configuration %} to. To learn how to filter the repository table, see [AUTOTITLE](/code-security/securing-your-organization/managing-the-security-of-your-organization/filtering-repositories-in-your-organization-using-the-repository-table). 1. In the repository table, select repositories with one of three methods: * Select each individual repository you would like to apply the {% data variables.product.prodname_security_configuration %} to. * To select all repositories on the current page of the repository table, select **NUMBER repositories**. @@ -57,6 +57,6 @@ The {% data variables.product.prodname_github_security_configuration %} is a col ## Next steps -After you apply the {% data variables.product.prodname_github_security_configuration %}, you can customize your organization-level security settings with {% data variables.product.prodname_global_settings %}. See "[AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization)." +After you apply the {% data variables.product.prodname_github_security_configuration %}, you can customize your organization-level security settings with {% data variables.product.prodname_global_settings %}. See [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization). {% data reusables.security-configurations.troubleshooting-next-step %} diff --git a/content/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization.md b/content/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization.md index 8ff637eeed67..6cfd8f06d673 100644 --- a/content/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization.md +++ b/content/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization.md @@ -39,11 +39,11 @@ You can create and manage {% data variables.dependabot.auto_triage_rules %} to i * You can create a new rule by clicking **New rule**, then entering the details for your rule and clicking **Create rule**. * You can edit an existing rule by clicking {% octicon "pencil" aria-label="Edit CURATED-OR-CUSTOM rule" %}, then making the desired changes and clicking **Save rule**. -For more information on {% data variables.dependabot.auto_triage_rules %}, see "[AUTOTITLE](/code-security/dependabot/dependabot-auto-triage-rules/about-dependabot-auto-triage-rules)" and "[AUTOTITLE](/code-security/dependabot/dependabot-auto-triage-rules/customizing-auto-triage-rules-to-prioritize-dependabot-alerts#adding-custom-auto-triage-rules-to-your-organization)." +For more information on {% data variables.dependabot.auto_triage_rules %}, see [AUTOTITLE](/code-security/dependabot/dependabot-auto-triage-rules/about-dependabot-auto-triage-rules) and [AUTOTITLE](/code-security/dependabot/dependabot-auto-triage-rules/customizing-auto-triage-rules-to-prioritize-dependabot-alerts#adding-custom-auto-triage-rules-to-your-organization). ### Grouping {% data variables.product.prodname_dependabot_security_updates %} -{% data variables.product.prodname_dependabot %} can group all automatically suggested security updates into a single pull request to reduce noise. To enable grouped security updates, select **Grouped security updates**. For more information about grouped updates and customization options, see "[AUTOTITLE](/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates#grouping-dependabot-security-updates-into-a-single-pull-request)." +{% data variables.product.prodname_dependabot %} can group all automatically suggested security updates into a single pull request to reduce noise. To enable grouped security updates, select **Grouped security updates**. For more information about grouped updates and customization options, see [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates#grouping-dependabot-security-updates-into-a-single-pull-request). {% ifversion dependabot-on-actions-opt-in %} @@ -53,7 +53,7 @@ If both {% data variables.product.prodname_dependabot %} and {% data variables.p Otherwise, to allow {% data variables.product.prodname_dependabot %} to use {% data variables.product.prodname_actions %} runners to perform dependency updates for all existing repositories in the organization, select "{% data variables.product.prodname_dependabot %} on Actions runners". -For more information, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners)." +For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners). {% data reusables.dependabot.dependabot-on-actions-self-hosted-link %} @@ -61,7 +61,7 @@ For more information, see "[AUTOTITLE](/code-security/dependabot/working-with-de ### Granting {% data variables.product.prodname_dependabot %} access to private {% ifversion ghec or ghes %}and internal {% endif %}repositories -To update private dependencies of repositories in your organization, {% data variables.product.prodname_dependabot %} needs access to those repositories. To grant {% data variables.product.prodname_dependabot %} access to the desired private {% ifversion ghec or ghes %}or internal {% endif %}repository, scroll down to the "Grant {% data variables.product.prodname_dependabot %} access to private repositories" section, then use the search bar to find and select the desired repository. Be aware that granting {% data variables.product.prodname_dependabot %} access to a repository means all users in your organization will have access to the contents of that repository through {% data variables.product.prodname_dependabot_updates %}. For more information about the supported ecosystems for private repositories, see "[AUTOTITLE](/code-security/dependabot/ecosystems-supported-by-dependabot/supported-ecosystems-and-repositories)." +To update private dependencies of repositories in your organization, {% data variables.product.prodname_dependabot %} needs access to those repositories. To grant {% data variables.product.prodname_dependabot %} access to the desired private {% ifversion ghec or ghes %}or internal {% endif %}repository, scroll down to the "Grant {% data variables.product.prodname_dependabot %} access to private repositories" section, then use the search bar to find and select the desired repository. Be aware that granting {% data variables.product.prodname_dependabot %} access to a repository means all users in your organization will have access to the contents of that repository through {% data variables.product.prodname_dependabot_updates %}. For more information about the supported ecosystems for private repositories, see [AUTOTITLE](/code-security/dependabot/ecosystems-supported-by-dependabot/supported-ecosystems-and-repositories). ## Configuring global {% data variables.product.prodname_code_scanning %} settings @@ -76,18 +76,18 @@ You can customize several {% data variables.product.prodname_global_settings %} ### Recommending the extended query suite for default setup -{% data variables.product.prodname_code_scanning_caps %} offers specific groups of {% data variables.product.prodname_codeql %} queries, called {% data variables.product.prodname_codeql %} query suites, to run against your code. By default, the "Default" query suite is run. {% data variables.product.company_short %} also offers the "Extended" query suite, which contains all the queries in the "Default" query suite, plus additional queries with lower precision and severity. To suggest the "Extended" query suite across your organization, select **Recommend the extended query suite for repositories enabling default setup**. For more information on built-in query suites for {% data variables.product.prodname_codeql %} default setup, see "[AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/codeql-query-suites)." +{% data variables.product.prodname_code_scanning_caps %} offers specific groups of {% data variables.product.prodname_codeql %} queries, called {% data variables.product.prodname_codeql %} query suites, to run against your code. By default, the "Default" query suite is run. {% data variables.product.company_short %} also offers the "Extended" query suite, which contains all the queries in the "Default" query suite, plus additional queries with lower precision and severity. To suggest the "Extended" query suite across your organization, select **Recommend the extended query suite for repositories enabling default setup**. For more information on built-in query suites for {% data variables.product.prodname_codeql %} default setup, see [AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/codeql-query-suites). {% ifversion code-scanning-autofix %} ### Enabling {% data variables.product.prodname_copilot_autofix_short %} for {% data variables.product.prodname_codeql %} -You can select **{% data variables.product.prodname_copilot_autofix_short %}** to enable {% data variables.product.prodname_copilot_autofix_short %} for all the repositories in your organization that use {% data variables.product.prodname_codeql %} default setup or {% data variables.product.prodname_codeql %} advanced setup. {% data variables.product.prodname_copilot_autofix_short %} is an expansion of {% data variables.product.prodname_code_scanning %} that suggests fixes for {% data variables.product.prodname_code_scanning %} alerts. For more information, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/responsible-use-autofix-code-scanning)." +You can select **{% data variables.product.prodname_copilot_autofix_short %}** to enable {% data variables.product.prodname_copilot_autofix_short %} for all the repositories in your organization that use {% data variables.product.prodname_codeql %} default setup or {% data variables.product.prodname_codeql %} advanced setup. {% data variables.product.prodname_copilot_autofix_short %} is an expansion of {% data variables.product.prodname_code_scanning %} that suggests fixes for {% data variables.product.prodname_code_scanning %} alerts. For more information, see [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/responsible-use-autofix-code-scanning). ### Enabling {% data variables.product.prodname_copilot_autofix_short %} for third-party {% data variables.product.prodname_code_scanning %} tools >[!NOTE] -> Third-party {% data variables.product.prodname_code_scanning %} tool support is in {% data variables.release-phases.public_preview %}, and subject to change. Currently, the third-party tool ESLint is supported. For more information, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/responsible-use-autofix-code-scanning)." +> Third-party {% data variables.product.prodname_code_scanning %} tool support is in {% data variables.release-phases.public_preview %}, and subject to change. Currently, the third-party tool ESLint is supported. For more information, see [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/responsible-use-autofix-code-scanning). You can select **{% data variables.product.prodname_copilot_autofix_short %} for third-party tools** to enable {% data variables.product.prodname_copilot_autofix_short %} for all the repositories in your organization that use third-party tools. {% data variables.product.prodname_copilot_autofix_short %} is an expansion of {% data variables.product.prodname_code_scanning %} that suggests fixes for {% data variables.product.prodname_code_scanning %} alerts. @@ -95,7 +95,7 @@ You can select **{% data variables.product.prodname_copilot_autofix_short %} for ### Setting a failure threshold for {% data variables.product.prodname_code_scanning %} checks in pull requests -You can choose the severity levels at which {% data variables.product.prodname_code_scanning %} check runs on pull requests will fail. To choose a security severity level, select the **Security: SECURITY-SEVERITY-LEVEL** dropdown menu, then click a security severity level. To choose an alert severity level, select the **OTHER: ALERT-SEVERITY-LEVEL** dropdown menu, then click an alert severity level. For more information, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/about-code-scanning-alerts#about-alert-severity-and-security-severity-levels)." +You can choose the severity levels at which {% data variables.product.prodname_code_scanning %} check runs on pull requests will fail. To choose a security severity level, select the **Security: SECURITY-SEVERITY-LEVEL** dropdown menu, then click a security severity level. To choose an alert severity level, select the **OTHER: ALERT-SEVERITY-LEVEL** dropdown menu, then click an alert severity level. For more information, see [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/about-code-scanning-alerts#about-alert-severity-and-security-severity-levels). ## Configuring global {% data variables.product.prodname_secret_scanning %} settings @@ -112,7 +112,7 @@ You can customize several {% data variables.product.prodname_global_settings %} ### {% data variables.secret-scanning.generic-secret-detection-caps %} with {% data variables.secret-scanning.copilot-secret-scanning %} -{% data variables.secret-scanning.copilot-secret-scanning %}'s {% data variables.secret-scanning.generic-secret-detection %} is an AI-powered expansion of {% data variables.product.prodname_secret_scanning %} that scans and creates alerts for unstructured secrets, such as passwords. To enable these scans, select **Scan for generic secrets**. Be aware that generic secrets often have a higher rate of false positives than other types of alert. To learn more about generic secrets, see "[AUTOTITLE](/code-security/secret-scanning/copilot-secret-scanning/responsible-ai-generic-secrets)." +{% data variables.secret-scanning.copilot-secret-scanning %}'s {% data variables.secret-scanning.generic-secret-detection %} is an AI-powered expansion of {% data variables.product.prodname_secret_scanning %} that scans and creates alerts for unstructured secrets, such as passwords. To enable these scans, select **Scan for generic secrets**. Be aware that generic secrets often have a higher rate of false positives than other types of alert. To learn more about generic secrets, see [AUTOTITLE](/code-security/secret-scanning/copilot-secret-scanning/responsible-ai-generic-secrets). {% data reusables.secret-scanning.copilot-secret-scanning-generic-secrets-subscription-note %} @@ -125,7 +125,7 @@ To provide context for developers when {% data variables.product.prodname_secret ### Defining custom patterns -You can define custom patterns for {% data variables.product.prodname_secret_scanning %} with regular expressions. Custom patterns can identify secrets that are not detected by the default patterns supported by {% data variables.product.prodname_secret_scanning %}. To create a custom pattern, click **New pattern**, then enter the details for your pattern and click **Save and dry run**. For more information on custom patterns, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning)." +You can define custom patterns for {% data variables.product.prodname_secret_scanning %} with regular expressions. Custom patterns can identify secrets that are not detected by the default patterns supported by {% data variables.product.prodname_secret_scanning %}. To create a custom pattern, click **New pattern**, then enter the details for your pattern and click **Save and dry run**. For more information on custom patterns, see [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning). {% endif %} @@ -133,7 +133,7 @@ You can define custom patterns for {% data variables.product.prodname_secret_sca The security manager role grants members of your organization the ability to manage security settings and alerts across your organization. Security managers can view data for all repositories in your organization through security overview. -To learn more about the security manager role, see "[AUTOTITLE](/organizations/managing-peoples-access-to-your-organization-with-roles/managing-security-managers-in-your-organization)." +To learn more about the security manager role, see [AUTOTITLE](/organizations/managing-peoples-access-to-your-organization-with-roles/managing-security-managers-in-your-organization). {% ifversion ghes < 3.16 %} diff --git a/content/code-security/securing-your-organization/enabling-security-features-in-your-organization/creating-a-custom-security-configuration.md b/content/code-security/securing-your-organization/enabling-security-features-in-your-organization/creating-a-custom-security-configuration.md index 89e59d23912f..ef40b0c16764 100644 --- a/content/code-security/securing-your-organization/enabling-security-features-in-your-organization/creating-a-custom-security-configuration.md +++ b/content/code-security/securing-your-organization/enabling-security-features-in-your-organization/creating-a-custom-security-configuration.md @@ -17,7 +17,7 @@ redirect_from: {% ifversion security-configurations-cloud %} -We recommend securing your organization with the {% data variables.product.prodname_github_security_configuration %}, then evaluating the security findings on your repositories before configuring {% data variables.product.prodname_custom_security_configurations %}. For more information, see "[AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/applying-the-github-recommended-security-configuration-in-your-organization)." +We recommend securing your organization with the {% data variables.product.prodname_github_security_configuration %}, then evaluating the security findings on your repositories before configuring {% data variables.product.prodname_custom_security_configurations %}. For more information, see [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/applying-the-github-recommended-security-configuration-in-your-organization). {% endif %} @@ -45,27 +45,27 @@ When creating a security configuration, keep in mind that: {% data reusables.security-configurations.view-configurations-page %} 1. In the "Code security configurations" section, click **New configuration**. 1. To help identify your {% data variables.product.prodname_custom_security_configuration %} and clarify its purpose on the "Code {% data variables.product.prodname_security_configurations %}" page, name your configuration and create a description. -1. In the "{% data variables.product.prodname_GH_advanced_security %} features" row, choose whether to include or exclude {% data variables.product.prodname_GH_advanced_security %} (GHAS) features. If you plan to apply a {% data variables.product.prodname_custom_security_configuration %} with GHAS features to private repositories, you must have available GHAS licenses for each active unique committer to those repositories, or the features will not be enabled. See "[AUTOTITLE](/billing/managing-billing-for-your-products/managing-billing-for-github-advanced-security/about-billing-for-github-advanced-security)." +1. In the "{% data variables.product.prodname_GH_advanced_security %} features" row, choose whether to include or exclude {% data variables.product.prodname_GH_advanced_security %} (GHAS) features. If you plan to apply a {% data variables.product.prodname_custom_security_configuration %} with GHAS features to private repositories, you must have available GHAS licenses for each active unique committer to those repositories, or the features will not be enabled. See [AUTOTITLE](/billing/managing-billing-for-your-products/managing-billing-for-github-advanced-security/about-billing-for-github-advanced-security). 1. In the "Dependency graph" section of the security settings table, choose whether you want to enable, disable, or keep the existing settings for the following security features: - * Dependency graph. To learn about dependency graph, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph)."{%- ifversion maven-transitive-dependencies %} - * Automatic dependency submission. To learn about automatic dependency submission, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-automatic-dependency-submission-for-your-repository)."{%- endif %} - * {% data variables.product.prodname_dependabot %}. To learn about {% data variables.product.prodname_dependabot %}, see "[AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts)." - * Security updates. To learn about security updates, see "[AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates)." + * Dependency graph. To learn about dependency graph, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph).{%- ifversion maven-transitive-dependencies %} + * Automatic dependency submission. To learn about automatic dependency submission, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-automatic-dependency-submission-for-your-repository).{%- endif %} + * {% data variables.product.prodname_dependabot %}. To learn about {% data variables.product.prodname_dependabot %}, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts). + * Security updates. To learn about security updates, see [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates). > [!NOTE] > You cannot manually change the enablement settings for vulnerable function calls. If {% data variables.product.prodname_GH_advanced_security %} features and {% data variables.product.prodname_dependabot_alerts %} are enabled, vulnerable function calls is also enabled. Otherwise, it is disabled. 1. In the "{% data variables.product.prodname_code_scanning_caps %}" section of the security settings table, choose whether you want to enable, disable, or keep the existing settings for {% data variables.product.prodname_code_scanning %} default setup.{% ifversion code-scanning-default-setup-customize-labels %} - If you want to target specific runners for {% data variables.product.prodname_code_scanning %}, you can also choose to use custom-labeled runners at this step.{% endif %} See "[AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning#about-default-setup)." + If you want to target specific runners for {% data variables.product.prodname_code_scanning %}, you can also choose to use custom-labeled runners at this step.{% endif %} See [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning#about-default-setup). 1. In the "{% data variables.product.prodname_secret_scanning_caps %}" section of the security settings table, choose whether you want to enable, disable, or keep the existing settings for the following security features: - * {% data variables.product.prodname_secret_scanning_caps %}. To learn about {% data variables.product.prodname_secret_scanning %}, see "[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning)."{% ifversion secret-scanning-validity-check-partner-patterns %} - * Validity check. To learn more about validity checks for partner patterns, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts#checking-a-secrets-validity)".{% endif %}{% ifversion org-npp-enablement-security-configurations %} - * Non-provider patterns. To learn more about scanning for non-provider patterns, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#non-provider-patterns)" and "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts)."{% endif %} - * Push protection. To learn about push protection, see "[AUTOTITLE](/code-security/secret-scanning/introduction/about-push-protection)." + * {% data variables.product.prodname_secret_scanning_caps %}. To learn about {% data variables.product.prodname_secret_scanning %}, see [AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning).{% ifversion secret-scanning-validity-check-partner-patterns %} + * Validity check. To learn more about validity checks for partner patterns, see [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts#checking-a-secrets-validity).{% endif %}{% ifversion org-npp-enablement-security-configurations %} + * Non-provider patterns. To learn more about scanning for non-provider patterns, see [AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#non-provider-patterns) and [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts).{% endif %} + * Push protection. To learn about push protection, see [AUTOTITLE](/code-security/secret-scanning/introduction/about-push-protection). {% ifversion push-protection-delegated-bypass-configurations %} -1. Optionally, under "Push protection", choose whether you want to assign bypass privileges to selected actors in your organization. By assigning bypass privileges, selected organization members can bypass push protection, and there is a review and approval process for all other contributors. For further guidance on how to configure this setting, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection#configuring-delegated-bypass-for-an-organization)." +1. Optionally, under "Push protection", choose whether you want to assign bypass privileges to selected actors in your organization. By assigning bypass privileges, selected organization members can bypass push protection, and there is a review and approval process for all other contributors. For further guidance on how to configure this setting, see [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection#configuring-delegated-bypass-for-an-organization). {% endif %} -1. In the "Private vulnerability reporting" section of the security settings table, choose whether you want to enable, disable, or keep the existing settings for private vulnerability reporting. To learn about private vulnerability reporting, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository)." +1. In the "Private vulnerability reporting" section of the security settings table, choose whether you want to enable, disable, or keep the existing settings for private vulnerability reporting. To learn about private vulnerability reporting, see [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository). 1. Optionally, in the "Policy" section, you can choose to automatically apply the {% data variables.product.prodname_security_configuration %} to newly created repositories depending on their visibility. Select the **None** {% octicon "triangle-down" aria-hidden="true" %} dropdown menu, then click **Public**, or **Private and internal**, or both. {% data reusables.security-configurations.default-configuration-exception-repo-transfers %} @@ -86,19 +86,19 @@ When creating a security configuration, keep in mind that: {% data reusables.security-configurations.view-configurations-page %} 1. In the "Code security configurations" section, click **New configuration**. 1. To help identify your {% data variables.product.prodname_custom_security_configuration %} and clarify its purpose on the "Code {% data variables.product.prodname_security_configurations %}" page, name your configuration and create a description. -1. In the "{% data variables.product.prodname_GH_advanced_security %} features" row, choose whether to include or exclude {% data variables.product.prodname_GH_advanced_security %} (GHAS) features. If you plan to apply a {% data variables.product.prodname_custom_security_configuration %} with GHAS features to private repositories, you must have available GHAS licenses for each active unique committer to those repositories, or the features will not be enabled. See "[AUTOTITLE](/billing/managing-billing-for-your-products/managing-billing-for-github-advanced-security/about-billing-for-github-advanced-security)." +1. In the "{% data variables.product.prodname_GH_advanced_security %} features" row, choose whether to include or exclude {% data variables.product.prodname_GH_advanced_security %} (GHAS) features. If you plan to apply a {% data variables.product.prodname_custom_security_configuration %} with GHAS features to private repositories, you must have available GHAS licenses for each active unique committer to those repositories, or the features will not be enabled. See [AUTOTITLE](/billing/managing-billing-for-your-products/managing-billing-for-github-advanced-security/about-billing-for-github-advanced-security). 1. In the "Dependency graph and Dependabot" section of the security settings table, choose whether you want to enable, disable, or keep the existing settings for the following security features: - * {% data variables.product.prodname_dependabot_alerts %}. To learn about {% data variables.product.prodname_dependabot %}, see "[AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts)." - * Security updates. To learn about security updates, see "[AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates)." + * {% data variables.product.prodname_dependabot_alerts %}. To learn about {% data variables.product.prodname_dependabot %}, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts). + * Security updates. To learn about security updates, see [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates). > [!NOTE] > You cannot manually change the enablement setting for the dependency graph. This setting is installed and managed by a site administrator at the instance level. -1. In the "{% data variables.product.prodname_code_scanning_caps %}" section of the security settings table, choose whether you want to enable, disable, or keep the existing settings for {% data variables.product.prodname_code_scanning %} default setup. To learn about default setup, see "[AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning#about-default-setup)." +1. In the "{% data variables.product.prodname_code_scanning_caps %}" section of the security settings table, choose whether you want to enable, disable, or keep the existing settings for {% data variables.product.prodname_code_scanning %} default setup. To learn about default setup, see [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning#about-default-setup). 1. In the "{% data variables.product.prodname_secret_scanning_caps %}" section of the security settings table, choose whether you want to enable, disable, or keep the existing settings for the following security features: - * Alerts. To learn about {% data variables.secret-scanning.alerts %}, see "[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning)."{% ifversion org-npp-enablement-security-configurations %} - * Non-provider patterns. To learn more about scanning for non-provider patterns, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#non-provider-patterns)" and "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts)."{% endif %} - * Push protection. To learn about push protection, see "[AUTOTITLE](/code-security/secret-scanning/introduction/about-push-protection)." + * Alerts. To learn about {% data variables.secret-scanning.alerts %}, see [AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning).{% ifversion org-npp-enablement-security-configurations %} + * Non-provider patterns. To learn more about scanning for non-provider patterns, see [AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#non-provider-patterns) and [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts).{% endif %} + * Push protection. To learn about push protection, see [AUTOTITLE](/code-security/secret-scanning/introduction/about-push-protection). {% ifversion push-protection-delegated-bypass-configurations %} -1. Optionally, under "Push protection", choose whether you want to assign bypass privileges to selected actors in your organization. By assigning bypass privileges, selected organization members can bypass push protection, and there is a review and approval process for all other contributors. For further guidance on how to configure this setting, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection#configuring-delegated-bypass-for-an-organization)." +1. Optionally, under "Push protection", choose whether you want to assign bypass privileges to selected actors in your organization. By assigning bypass privileges, selected organization members can bypass push protection, and there is a review and approval process for all other contributors. For further guidance on how to configure this setting, see [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection#configuring-delegated-bypass-for-an-organization). {% endif %} 1. Optionally, in the "Policy" section, you can choose to automatically apply the {% data variables.product.prodname_security_configuration %} to newly created repositories depending on their visibility. Select the **None** {% octicon "triangle-down" aria-hidden="true" %} dropdown menu, then click **Public**, or **Private and internal**, or **All repositories**. @@ -114,6 +114,6 @@ When creating a security configuration, keep in mind that: ## Next steps -To apply your {% data variables.product.prodname_custom_security_configuration %} to repositories in your organization, see "[AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/applying-a-custom-security-configuration)." +To apply your {% data variables.product.prodname_custom_security_configuration %} to repositories in your organization, see [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/applying-a-custom-security-configuration). {% data reusables.security-configurations.edit-configuration-next-step %} diff --git a/content/code-security/securing-your-organization/fixing-security-alerts-at-scale/about-security-campaigns.md b/content/code-security/securing-your-organization/fixing-security-alerts-at-scale/about-security-campaigns.md index c9aaf65d4648..c87fdd0c2292 100644 --- a/content/code-security/securing-your-organization/fixing-security-alerts-at-scale/about-security-campaigns.md +++ b/content/code-security/securing-your-organization/fixing-security-alerts-at-scale/about-security-campaigns.md @@ -39,5 +39,5 @@ In addition, you can use one of the templates to select a group of closely relat ## Next steps -* "[AUTOTITLE](/code-security/securing-your-organization/fixing-security-alerts-at-scale/best-practice-fix-alerts-at-scale)" -* "[AUTOTITLE](/code-security/securing-your-organization/fixing-security-alerts-at-scale/creating-tracking-security-campaigns)" +* [AUTOTITLE](/code-security/securing-your-organization/fixing-security-alerts-at-scale/best-practice-fix-alerts-at-scale) +* [AUTOTITLE](/code-security/securing-your-organization/fixing-security-alerts-at-scale/creating-tracking-security-campaigns) diff --git a/content/code-security/securing-your-organization/fixing-security-alerts-at-scale/best-practice-fix-alerts-at-scale.md b/content/code-security/securing-your-organization/fixing-security-alerts-at-scale/best-practice-fix-alerts-at-scale.md index 40bfaa585643..a47f8967a0e4 100644 --- a/content/code-security/securing-your-organization/fixing-security-alerts-at-scale/best-practice-fix-alerts-at-scale.md +++ b/content/code-security/securing-your-organization/fixing-security-alerts-at-scale/best-practice-fix-alerts-at-scale.md @@ -25,7 +25,7 @@ Successful security campaigns to fix alerts at scale have many features in commo * Defining a realistic deadline for campaign, bearing in mind the number of alerts you aim to fix. * Publicizing the collaboration to developer teams and identifying the best way to engage them for your organization. -For information about the developer experience, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/fixing-alerts-in-security-campaign)." +For information about the developer experience, see [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/fixing-alerts-in-security-campaign). ## Selecting security alerts for remediation @@ -69,7 +69,7 @@ The OWASP Foundation provides many resources for learning about the most common {% data variables.product.prodname_copilot_autofix %} is automatically triggered to suggest a resolution for each security alert. However, developers will often want more information about why the original code is insecure and how to test that the fix is correct and doesn't break other components. -{% data variables.product.prodname_copilot %} is an important tool for developers who have questions about secure coding, how to fix security alerts, and test their fix. Check that all developers in your organization have access to {% data variables.product.prodname_copilot_short %} in both their IDE and {% data variables.product.github %}, see "[AUTOTITLE](/copilot/managing-copilot/managing-github-copilot-in-your-organization/managing-access-to-github-copilot-in-your-organization/granting-access-to-copilot-for-members-of-your-organization)." +{% data variables.product.prodname_copilot %} is an important tool for developers who have questions about secure coding, how to fix security alerts, and test their fix. Check that all developers in your organization have access to {% data variables.product.prodname_copilot_short %} in both their IDE and {% data variables.product.github %}, see [AUTOTITLE](/copilot/managing-copilot/managing-github-copilot-in-your-organization/managing-access-to-github-copilot-in-your-organization/granting-access-to-copilot-for-members-of-your-organization). > [!TIP] The {% data variables.product.prodname_GH_advanced_security %} skill provides {% data variables.product.prodname_copilot_chat_short %} with additional context to answer questions about security alerts. @@ -81,4 +81,4 @@ As with any other project, it's important to define realistic timescales to avoi ## Next steps -* "[AUTOTITLE](/code-security/securing-your-organization/fixing-security-alerts-at-scale/creating-tracking-security-campaigns)" +* [AUTOTITLE](/code-security/securing-your-organization/fixing-security-alerts-at-scale/creating-tracking-security-campaigns) diff --git a/content/code-security/securing-your-organization/fixing-security-alerts-at-scale/creating-tracking-security-campaigns.md b/content/code-security/securing-your-organization/fixing-security-alerts-at-scale/creating-tracking-security-campaigns.md index 76d59b5990e8..39b7fd6c5162 100644 --- a/content/code-security/securing-your-organization/fixing-security-alerts-at-scale/creating-tracking-security-campaigns.md +++ b/content/code-security/securing-your-organization/fixing-security-alerts-at-scale/creating-tracking-security-campaigns.md @@ -20,7 +20,7 @@ topics: Security campaigns are created and managed from the **Security** tab for your organization. You choose the alerts to include in a campaign by selecting a campaign template from the sidebar of the "Overview" dashboard or by filtering the alerts displayed on the {% data variables.product.prodname_code_scanning %} alerts view for your organization. -For more information about filtering alerts, see "[AUTOTITLE](/code-security/securing-your-organization/fixing-security-alerts-at-scale/best-practice-fix-alerts-at-scale#selecting-security-alerts-for-remediation)" and "[AUTOTITLE](/code-security/security-overview/filtering-alerts-in-security-overview)." +For more information about filtering alerts, see [AUTOTITLE](/code-security/securing-your-organization/fixing-security-alerts-at-scale/best-practice-fix-alerts-at-scale#selecting-security-alerts-for-remediation) and [AUTOTITLE](/code-security/security-overview/filtering-alerts-in-security-overview). ### Creating a campaign from a template @@ -73,7 +73,7 @@ Once you include these core filters, you will usually want to add a filter to li > [!TIP] When you enter a keyword followed by colon in the search field, a list of all valid values is displayed, for example: `tag:`. -For more information about the rules run by {% data variables.product.prodname_codeql %}{% ifversion security-campaigns-autofix %} and support for autofix{% endif %}, see "[Query lists for the default query suites](/code-security/code-scanning/managing-your-code-scanning-configuration/codeql-query-suites#query-lists-for-the-default-query-suites)." +For more information about the rules run by {% data variables.product.prodname_codeql %}{% ifversion security-campaigns-autofix %} and support for autofix{% endif %}, see [Query lists for the default query suites](/code-security/code-scanning/managing-your-code-scanning-configuration/codeql-query-suites#query-lists-for-the-default-query-suites). ## Launching a security campaign @@ -89,11 +89,11 @@ Everyone with **write** access to a repository that is included in the campaign > [!NOTE] During the {% data variables.release-phases.public_preview %}, notifications are only sent to users who have email notification enabled. -In addition to the automatic notifications sent out, the new campaign is shown in the sidebar of the "Security" tab for each repository included. For more information about the developer experience, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/fixing-alerts-in-security-campaign)." +In addition to the automatic notifications sent out, the new campaign is shown in the sidebar of the "Security" tab for each repository included. For more information about the developer experience, see [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/fixing-alerts-in-security-campaign). ### How to increase engagement with the security campaign -The best way to increase engagement with a campaign is to publicize it to the teams you want to collaborate with to remediate alerts. For example, you might work with engineering managers to choose a quieter development period to run a series of security campaigns, each focused on a different type of alert, with associated training sessions. For more ideas, see "[AUTOTITLE](/code-security/securing-your-organization/fixing-security-alerts-at-scale/best-practice-fix-alerts-at-scale)." +The best way to increase engagement with a campaign is to publicize it to the teams you want to collaborate with to remediate alerts. For example, you might work with engineering managers to choose a quieter development period to run a series of security campaigns, each focused on a different type of alert, with associated training sessions. For more ideas, see [AUTOTITLE](/code-security/securing-your-organization/fixing-security-alerts-at-scale/best-practice-fix-alerts-at-scale). ## Tracking security campaigns diff --git a/content/code-security/securing-your-organization/introduction-to-securing-your-organization-at-scale/about-enabling-security-features-at-scale.md b/content/code-security/securing-your-organization/introduction-to-securing-your-organization-at-scale/about-enabling-security-features-at-scale.md index cd1050584536..9a5cbbda586a 100644 --- a/content/code-security/securing-your-organization/introduction-to-securing-your-organization-at-scale/about-enabling-security-features-at-scale.md +++ b/content/code-security/securing-your-organization/introduction-to-securing-your-organization-at-scale/about-enabling-security-features-at-scale.md @@ -12,7 +12,7 @@ topics: ## About securing your organization -{% data variables.product.company_short %} offers many code security products and features including {% data variables.product.prodname_GH_advanced_security %}, a suite of features designed to protect your organization from vulnerabilities in your code, insecure dependencies, leaked secrets, and more. For more information on {% data variables.product.prodname_GH_advanced_security %}, see "[AUTOTITLE](/get-started/learning-about-github/about-github-advanced-security)." +{% data variables.product.company_short %} offers many code security products and features including {% data variables.product.prodname_GH_advanced_security %}, a suite of features designed to protect your organization from vulnerabilities in your code, insecure dependencies, leaked secrets, and more. For more information on {% data variables.product.prodname_GH_advanced_security %}, see [AUTOTITLE](/get-started/learning-about-github/about-github-advanced-security). You can easily enable and manage {% data variables.product.company_short %}'s security features throughout your organization with {% data variables.product.prodname_security_configurations %}, which control repository-level security features, and {% data variables.product.prodname_global_settings %}, which control security features at the organization level. We recommend applying {% data variables.product.prodname_security_configurations %} _and_ customizing your {% data variables.product.prodname_global_settings %} to create a system that best meets the security needs of your organization. @@ -40,10 +40,10 @@ You will only ever see enablement settings for features that have been installed >[!NOTE] {% data reusables.code-scanning.custom-security-configuration-enforcement-edge-cases %} -Each repository can only have one {% data variables.product.prodname_security_configuration %} applied to it. {% ifversion security-configurations-cloud %}To find out how you should get started with {% data variables.product.prodname_security_configurations %}, see "[AUTOTITLE](/code-security/securing-your-organization/introduction-to-securing-your-organization-at-scale/choosing-a-security-configuration-for-your-repositories)."{% endif %} +Each repository can only have one {% data variables.product.prodname_security_configuration %} applied to it. {% ifversion security-configurations-cloud %}To find out how you should get started with {% data variables.product.prodname_security_configurations %}, see [AUTOTITLE](/code-security/securing-your-organization/introduction-to-securing-your-organization-at-scale/choosing-a-security-configuration-for-your-repositories).{% endif %} {% ifversion security-configurations-api %} -You can also create and manage security configurations using the REST API. For more information, see "[AUTOTITLE](/rest/code-security/configurations)." +You can also create and manage security configurations using the REST API. For more information, see [AUTOTITLE](/rest/code-security/configurations). {% endif %} ## About {% data variables.product.prodname_global_settings %} @@ -54,10 +54,10 @@ While {% data variables.product.prodname_security_configurations %} determine re {% ifversion security-configurations-cloud %} -To determine which {% data variables.product.prodname_security_configurations %} are right for the repositories in your organization, see "[AUTOTITLE](/code-security/securing-your-organization/introduction-to-securing-your-organization-at-scale/choosing-a-security-configuration-for-your-repositories)." +To determine which {% data variables.product.prodname_security_configurations %} are right for the repositories in your organization, see [AUTOTITLE](/code-security/securing-your-organization/introduction-to-securing-your-organization-at-scale/choosing-a-security-configuration-for-your-repositories). {% elsif security-configurations-ghes-only %} -To get started with creating a {% data variables.product.prodname_security_configuration %} for your organization, see "[AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/creating-a-custom-security-configuration)." +To get started with creating a {% data variables.product.prodname_security_configuration %} for your organization, see [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/creating-a-custom-security-configuration). {% endif %} diff --git a/content/code-security/securing-your-organization/introduction-to-securing-your-organization-at-scale/choosing-a-security-configuration-for-your-repositories.md b/content/code-security/securing-your-organization/introduction-to-securing-your-organization-at-scale/choosing-a-security-configuration-for-your-repositories.md index 0e3c47f80dff..79f331f0c61d 100644 --- a/content/code-security/securing-your-organization/introduction-to-securing-your-organization-at-scale/choosing-a-security-configuration-for-your-repositories.md +++ b/content/code-security/securing-your-organization/introduction-to-securing-your-organization-at-scale/choosing-a-security-configuration-for-your-repositories.md @@ -28,7 +28,7 @@ The {% data variables.product.prodname_github_security_configuration %} offers a * It is the quickest {% data variables.product.prodname_security_configuration %} to apply to all repositories in your organization. * It is designed to effectively secure both low- and high-impact repositories. -To start securing repositories in your organization with the {% data variables.product.prodname_github_security_configuration %}, see "[AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/applying-the-github-recommended-security-configuration-in-your-organization)." +To start securing repositories in your organization with the {% data variables.product.prodname_github_security_configuration %}, see [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/applying-the-github-recommended-security-configuration-in-your-organization). ## Choosing a {% data variables.product.prodname_custom_security_configuration %} @@ -38,4 +38,4 @@ If you are familiar with {% data variables.product.company_short %}'s security p * Create several configurations for repositories with different security needs * Manage your {% data variables.product.prodname_GH_advanced_security %} licensing by including or excluding {% data variables.product.prodname_GH_advanced_security %} features for a particular configuration -To start securing repositories in your organization with {% data variables.product.prodname_custom_security_configurations %}, see "[AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/creating-a-custom-security-configuration)." +To start securing repositories in your organization with {% data variables.product.prodname_custom_security_configurations %}, see [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/creating-a-custom-security-configuration). diff --git a/content/code-security/securing-your-organization/managing-the-security-of-your-organization/deleting-a-custom-security-configuration.md b/content/code-security/securing-your-organization/managing-the-security-of-your-organization/deleting-a-custom-security-configuration.md index cec56aee372f..01b7103a564b 100644 --- a/content/code-security/securing-your-organization/managing-the-security-of-your-organization/deleting-a-custom-security-configuration.md +++ b/content/code-security/securing-your-organization/managing-the-security-of-your-organization/deleting-a-custom-security-configuration.md @@ -13,7 +13,7 @@ topics: ## About deleting a {% data variables.product.prodname_custom_security_configuration %} -If you no longer need a {% data variables.product.prodname_custom_security_configuration %}, you can delete that configuration to ensure it will not be applied to any repositories in the future. If you are deleting a {% data variables.product.prodname_custom_security_configuration %} because you want to change the security enablement settings in that configuration, you can instead edit the configuration. For more information, see "[AUTOTITLE](/code-security/securing-your-organization/managing-the-security-of-your-organization/editing-a-custom-security-configuration)." +If you no longer need a {% data variables.product.prodname_custom_security_configuration %}, you can delete that configuration to ensure it will not be applied to any repositories in the future. If you are deleting a {% data variables.product.prodname_custom_security_configuration %} because you want to change the security enablement settings in that configuration, you can instead edit the configuration. For more information, see [AUTOTITLE](/code-security/securing-your-organization/managing-the-security-of-your-organization/editing-a-custom-security-configuration). > [!WARNING] > Deleting a {% data variables.product.prodname_custom_security_configuration %} will detach all repositories that are linked to that configuration. The existing security settings for those repositories will be unchanged, but you must apply a different {% data variables.product.prodname_security_configuration %} or manage their security settings at the repository level to keep their settings up to date. diff --git a/content/code-security/securing-your-organization/managing-the-security-of-your-organization/detaching-repositories-from-their-security-configurations.md b/content/code-security/securing-your-organization/managing-the-security-of-your-organization/detaching-repositories-from-their-security-configurations.md index a6cea377d4df..5a7cb1051055 100644 --- a/content/code-security/securing-your-organization/managing-the-security-of-your-organization/detaching-repositories-from-their-security-configurations.md +++ b/content/code-security/securing-your-organization/managing-the-security-of-your-organization/detaching-repositories-from-their-security-configurations.md @@ -13,16 +13,16 @@ topics: ## About detaching repositories from their {% data variables.product.prodname_security_configurations %} -If you decide that the security needs of a repository are too specific for a {% data variables.product.prodname_security_configuration %} to be useful, you can detach that repository from the linked configuration and instead manage security enablement settings at the repository level. Detaching a repository from a {% data variables.product.prodname_security_configuration %} will not change the existing security enablement settings for that repository. For an introduction to securing your repository at the repository level, see "[AUTOTITLE](/code-security/getting-started/securing-your-repository)." +If you decide that the security needs of a repository are too specific for a {% data variables.product.prodname_security_configuration %} to be useful, you can detach that repository from the linked configuration and instead manage security enablement settings at the repository level. Detaching a repository from a {% data variables.product.prodname_security_configuration %} will not change the existing security enablement settings for that repository. For an introduction to securing your repository at the repository level, see [AUTOTITLE](/code-security/getting-started/securing-your-repository). -Alternatively, if you want to apply a {% data variables.product.prodname_security_configuration %} to a repository that's already attached to a different configuration, you can apply the configuration as normal, and you do not need to detach the current configuration. For more information, see {% ifversion security-configurations-cloud %}"[AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/applying-the-github-recommended-security-configuration-in-your-organization)" and {% endif %}"[AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/applying-a-custom-security-configuration)." +Alternatively, if you want to apply a {% data variables.product.prodname_security_configuration %} to a repository that's already attached to a different configuration, you can apply the configuration as normal, and you do not need to detach the current configuration. For more information, see {% ifversion security-configurations-cloud %}[AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/applying-the-github-recommended-security-configuration-in-your-organization) and {% endif %}[AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/applying-a-custom-security-configuration). ## Detaching repositories from linked {% data variables.product.prodname_security_configurations %} {% data reusables.profile.access_org %} {% data reusables.organizations.org_settings %} {% data reusables.security-configurations.view-configurations-page %} -1. Optionally, in the "Apply configurations" section, filter for specific repositories you would like to detach from their configurations. To learn more, see "[AUTOTITLE](/code-security/securing-your-organization/managing-the-security-of-your-organization/filtering-repositories-in-your-organization-using-the-repository-table)." +1. Optionally, in the "Apply configurations" section, filter for specific repositories you would like to detach from their configurations. To learn more, see [AUTOTITLE](/code-security/securing-your-organization/managing-the-security-of-your-organization/filtering-repositories-in-your-organization-using-the-repository-table). 1. In the repository table, select repositories with one of three methods: * Select each individual repository you would like to detach. * To select all repositories displayed on the current page of the repository table, select **NUMBER repositories**. diff --git a/content/code-security/securing-your-organization/managing-the-security-of-your-organization/editing-a-custom-security-configuration.md b/content/code-security/securing-your-organization/managing-the-security-of-your-organization/editing-a-custom-security-configuration.md index be43760f42b8..18e5d26bc9e8 100644 --- a/content/code-security/securing-your-organization/managing-the-security-of-your-organization/editing-a-custom-security-configuration.md +++ b/content/code-security/securing-your-organization/managing-the-security-of-your-organization/editing-a-custom-security-configuration.md @@ -15,12 +15,12 @@ topics: After creating and applying a {% data variables.product.prodname_custom_security_configuration %}, you may need to edit the enablement settings for that configuration to better secure your repositories. Any changes you make to the enablement settings of a {% data variables.product.prodname_security_configuration %} will automatically populate to all linked repositories. -To determine if your {% data variables.product.prodname_custom_security_configuration %} is meeting your security needs, see "[AUTOTITLE](/code-security/securing-your-organization/managing-the-security-of-your-organization/interpreting-security-findings)." +To determine if your {% data variables.product.prodname_custom_security_configuration %} is meeting your security needs, see [AUTOTITLE](/code-security/securing-your-organization/managing-the-security-of-your-organization/interpreting-security-findings). {% ifversion security-configurations-cloud %} > [!NOTE] -> The {% data variables.product.prodname_github_security_configuration %} is managed by {% data variables.product.company_short %} and cannot be edited. If you would like to customize your security enablement settings, you need to create a {% data variables.product.prodname_custom_security_configuration %}. For more information, see "[AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/creating-a-custom-security-configuration)." +> The {% data variables.product.prodname_github_security_configuration %} is managed by {% data variables.product.company_short %} and cannot be edited. If you would like to customize your security enablement settings, you need to create a {% data variables.product.prodname_custom_security_configuration %}. For more information, see [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/creating-a-custom-security-configuration). {% endif %} diff --git a/content/code-security/securing-your-organization/managing-the-security-of-your-organization/finding-repositories-with-attachment-failures.md b/content/code-security/securing-your-organization/managing-the-security-of-your-organization/finding-repositories-with-attachment-failures.md index 26f9142d6100..f961bb641ec7 100644 --- a/content/code-security/securing-your-organization/managing-the-security-of-your-organization/finding-repositories-with-attachment-failures.md +++ b/content/code-security/securing-your-organization/managing-the-security-of-your-organization/finding-repositories-with-attachment-failures.md @@ -33,5 +33,5 @@ Click the link in the banner display, or alternatively, filter the list of repos ## Further reading -* "[AUTOTITLE](/code-security/securing-your-organization/troubleshooting-security-configurations/a-repository-is-using-advanced-setup-for-code-scanning)" -* "[AUTOTITLE](/code-security/securing-your-organization/troubleshooting-security-configurations/not-enough-github-advanced-security-licenses)" +* [AUTOTITLE](/code-security/securing-your-organization/troubleshooting-security-configurations/a-repository-is-using-advanced-setup-for-code-scanning) +* [AUTOTITLE](/code-security/securing-your-organization/troubleshooting-security-configurations/not-enough-github-advanced-security-licenses) diff --git a/content/code-security/securing-your-organization/managing-the-security-of-your-organization/interpreting-security-findings.md b/content/code-security/securing-your-organization/managing-the-security-of-your-organization/interpreting-security-findings.md index e34c365caf75..802e26d13f1f 100644 --- a/content/code-security/securing-your-organization/managing-the-security-of-your-organization/interpreting-security-findings.md +++ b/content/code-security/securing-your-organization/managing-the-security-of-your-organization/interpreting-security-findings.md @@ -17,7 +17,7 @@ redirect_from: After you apply a {% data variables.product.prodname_security_configuration %} to a repository, the enabled security features will likely raise security findings on that repository. These findings may show up as feature-specific alerts, or as automatically generated pull requests designed to keep your repositories secure. You can analyze the findings across the organization and make any necessary adjustments to your {% data variables.product.prodname_security_configuration %}. -To best secure your organization, you should encourage contributors to review and resolve security alerts and pull requests. {% ifversion security-campaigns %}In addition, you can collaborate with contributors to fix historical security alerts, see "[AUTOTITLE](/code-security/securing-your-organization/fixing-security-alerts-at-scale/best-practice-fix-alerts-at-scale)."{% endif %} +To best secure your organization, you should encourage contributors to review and resolve security alerts and pull requests. {% ifversion security-campaigns %}In addition, you can collaborate with contributors to fix historical security alerts, see [AUTOTITLE](/code-security/securing-your-organization/fixing-security-alerts-at-scale/best-practice-fix-alerts-at-scale).{% endif %} {% ifversion ghec or ghes %} @@ -30,7 +30,7 @@ To best secure your organization, you should encourage contributors to review an * `tool:dependabot` to show only alerts for dependencies identified by {% data variables.product.prodname_dependabot %}. * `tool:secret-scanning` to only show alerts for secrets identified by {% data variables.product.prodname_secret_scanning %}. * `tool:codeql` to show only alerts for potential security vulnerabilities identified by {% data variables.product.prodname_codeql %} {% data variables.product.prodname_code_scanning %}. -1. You can add further filters to show only the repositories you want to assess. The list of repositories and metrics displayed on the page automatically update to match your current selection. For more information on filtering, see "[AUTOTITLE](/code-security/security-overview/filtering-alerts-in-security-overview)." +1. You can add further filters to show only the repositories you want to assess. The list of repositories and metrics displayed on the page automatically update to match your current selection. For more information on filtering, see [AUTOTITLE](/code-security/security-overview/filtering-alerts-in-security-overview). * Use the **Teams** dropdown to show information only for the repositories owned by one or more teams. * Click **NUMBER affected** or **NUMBER unaffected** in the header for any feature to show only the repositories with open alerts or no open alerts of that type. * Click any of the descriptions of "Open alerts" in the header to show only repositories with alerts of that type and category. For example, **1 critical** to show the repository with a critical alert for {% data variables.product.prodname_dependabot %}. @@ -48,9 +48,9 @@ To best secure your organization, you should encourage contributors to review an {% endif %} You can view {% data variables.product.prodname_secret_scanning %} alerts for an organization by navigating to the main page of that organization, clicking the **{% octicon "shield" aria-hidden="true" %} Security** tab, then clicking **{% octicon "key" aria-hidden="true" %} {% data variables.product.prodname_secret_scanning_caps %}**. -For an introduction to {% data variables.product.prodname_secret_scanning %} alerts, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts)." +For an introduction to {% data variables.product.prodname_secret_scanning %} alerts, see [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts). -To learn how to evaluate {% data variables.product.prodname_secret_scanning %} alerts, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts)." +To learn how to evaluate {% data variables.product.prodname_secret_scanning %} alerts, see [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts). ## Interpreting {% data variables.product.prodname_code_scanning %} alerts @@ -58,29 +58,29 @@ To learn how to evaluate {% data variables.product.prodname_secret_scanning %} a You can view the {% data variables.product.prodname_code_scanning %} alerts for an organization by navigating to the main page of that organization, clicking the **{% octicon "shield" aria-hidden="true" %} Security** tab, then clicking **{% octicon "codescan" aria-hidden="true" %} {% data variables.product.prodname_code_scanning_caps %}**. -For an introduction to {% data variables.product.prodname_code_scanning %} alerts, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/about-code-scanning-alerts)." +For an introduction to {% data variables.product.prodname_code_scanning %} alerts, see [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/about-code-scanning-alerts). -To learn how to interpret and resolve {% data variables.product.prodname_code_scanning %} alerts, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/assessing-code-scanning-alerts-for-your-repository)" and "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/resolving-code-scanning-alerts)." +To learn how to interpret and resolve {% data variables.product.prodname_code_scanning %} alerts, see [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/assessing-code-scanning-alerts-for-your-repository) and [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/resolving-code-scanning-alerts). ## Interpreting {% data variables.product.prodname_dependabot_alerts %} {% data variables.product.prodname_dependabot_alerts %} inform you about vulnerabilities in the dependencies that you use in repositories in your organization. You can view {% data variables.product.prodname_dependabot_alerts %} for an organization by navigating to the main page of that organization, clicking the **{% octicon "shield" aria-hidden="true" %} Security** tab, then clicking **{% octicon "dependabot" aria-hidden="true" %} {% data variables.product.prodname_dependabot %}**. -For an introduction to {% data variables.product.prodname_dependabot_alerts %}, see "[AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts)." +For an introduction to {% data variables.product.prodname_dependabot_alerts %}, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts). -To learn how to interpret and resolve {% data variables.product.prodname_dependabot_alerts %}, see "[AUTOTITLE](/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts)." +To learn how to interpret and resolve {% data variables.product.prodname_dependabot_alerts %}, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts). > [!NOTE] -> If you enabled {% data variables.product.prodname_dependabot_security_updates %}, {% data variables.product.prodname_dependabot %} can also automatically raise pull requests to update the dependencies used in the repositories of the organization. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates)." +> If you enabled {% data variables.product.prodname_dependabot_security_updates %}, {% data variables.product.prodname_dependabot %} can also automatically raise pull requests to update the dependencies used in the repositories of the organization. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates). ## Next steps {% ifversion security-configurations-cloud %} -If you are using the {% data variables.product.prodname_github_security_configuration %}, and your findings indicate the security enablement settings are not meeting your needs, you should create a {% data variables.product.prodname_custom_security_configuration %}. To get started, see "[AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/creating-a-custom-security-configuration)." +If you are using the {% data variables.product.prodname_github_security_configuration %}, and your findings indicate the security enablement settings are not meeting your needs, you should create a {% data variables.product.prodname_custom_security_configuration %}. To get started, see [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/creating-a-custom-security-configuration). {% endif %} -If {% ifversion security-configurations-cloud %}you are using a {% data variables.product.prodname_custom_security_configuration %}, and {% endif %}your findings indicate the security enablement settings are not meeting your needs, you can edit your existing configuration. For more information, see "[AUTOTITLE](/code-security/securing-your-organization/managing-the-security-of-your-organization/editing-a-custom-security-configuration)." +If {% ifversion security-configurations-cloud %}you are using a {% data variables.product.prodname_custom_security_configuration %}, and {% endif %}your findings indicate the security enablement settings are not meeting your needs, you can edit your existing configuration. For more information, see [AUTOTITLE](/code-security/securing-your-organization/managing-the-security-of-your-organization/editing-a-custom-security-configuration). -Lastly, you can also edit your organization-level security settings with {% data variables.product.prodname_global_settings %}. To learn more, see "[AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization)." +Lastly, you can also edit your organization-level security settings with {% data variables.product.prodname_global_settings %}. To learn more, see [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization). diff --git a/content/code-security/securing-your-organization/managing-the-security-of-your-organization/managing-your-github-advanced-security-license-usage.md b/content/code-security/securing-your-organization/managing-the-security-of-your-organization/managing-your-github-advanced-security-license-usage.md index 60c83116e7a2..5ead9cc239b3 100644 --- a/content/code-security/securing-your-organization/managing-the-security-of-your-organization/managing-your-github-advanced-security-license-usage.md +++ b/content/code-security/securing-your-organization/managing-the-security-of-your-organization/managing-your-github-advanced-security-license-usage.md @@ -23,7 +23,7 @@ For information on managing your {% data variables.product.prodname_GH_advanced_ To use {% data variables.product.prodname_GH_advanced_security %} (GHAS) features on private or internal repositories with unique active committers, you must have available GHAS licenses. With {% data variables.product.prodname_security_configurations %}, you can easily understand the GHAS license usage of repositories in your organization, as well as the number of available GHAS licenses in your enterprise. Additionally, if you need to make more GHAS licenses available to secure a high-impact repository, you can quickly disable GHAS features on private and internal repositories at scale. -To learn about GHAS licenses, as well as unique and active committers, see "[AUTOTITLE](/billing/managing-billing-for-your-products/managing-billing-for-github-advanced-security/about-billing-for-github-advanced-security)." +To learn about GHAS licenses, as well as unique and active committers, see [AUTOTITLE](/billing/managing-billing-for-your-products/managing-billing-for-github-advanced-security/about-billing-for-github-advanced-security). ## Understanding your {% data variables.product.prodname_GH_advanced_security %} license usage @@ -34,7 +34,7 @@ To learn about GHAS licenses, as well as unique and active committers, see "[AUT ![Screenshot of the "Apply configurations" section. The current GHAS license usage for the enterprise is outlined in dark orange.](/assets/images/help/security-configurations/current-ghas-license-usage.png) -1. Optionally, to find specific repositories in your organization, filter the repository table. To learn more, see "[AUTOTITLE](/code-security/securing-your-organization/managing-the-security-of-your-organization/filtering-repositories-in-your-organization-using-the-repository-table)." +1. Optionally, to find specific repositories in your organization, filter the repository table. To learn more, see [AUTOTITLE](/code-security/securing-your-organization/managing-the-security-of-your-organization/filtering-repositories-in-your-organization-using-the-repository-table). 1. To quickly identify the number of GHAS licenses needed to enable GHAS features on a specific repository, in that repository's row of the repository table, read "NUMBER licenses required". 1. To view license usage for multiple repositories in your organization, select the repositories from the repository table. In the "Apply configurations" section, you will see the number of licenses required to apply GHAS features to the repositories, as well as the number of licenses made available if you disable GHAS features on those repositories. @@ -45,13 +45,13 @@ To learn about GHAS licenses, as well as unique and active committers, see "[AUT {% data reusables.profile.access_org %} {% data reusables.organizations.org_settings %} {% data reusables.security-configurations.view-configurations-page %} -1. Optionally, in the "Apply configurations" section, filter for specific repositories on which you would like to disable GHAS. To learn more, see "[AUTOTITLE](/code-security/securing-your-organization/managing-the-security-of-your-organization/filtering-repositories-in-your-organization-using-the-repository-table)." +1. Optionally, in the "Apply configurations" section, filter for specific repositories on which you would like to disable GHAS. To learn more, see [AUTOTITLE](/code-security/securing-your-organization/managing-the-security-of-your-organization/filtering-repositories-in-your-organization-using-the-repository-table). 1. In the repository table, select repositories with one of three methods: * Select each individual repository you would like to disable GHAS features on. * To select all repositories displayed on the current page of the repository table, select **NUMBER repositories**. * After selecting **NUMBER repositories**, to select _all_ repositories in your organization that match any filters you have applied, click **Select all**. - Once you have selected the desired repositories, in the "Apply configurations" section, you can see how many GHAS licenses will become available when you disable GHAS features on those repositories. For more information, see "[Understanding your {% data variables.product.prodname_GH_advanced_security %} license usage](#understanding-your-github-advanced-security-license-usage)." + Once you have selected the desired repositories, in the "Apply configurations" section, you can see how many GHAS licenses will become available when you disable GHAS features on those repositories. For more information, see [Understanding your {% data variables.product.prodname_GH_advanced_security %} license usage](#understanding-your-github-advanced-security-license-usage). 1. Select the **Apply configuration** {% octicon "triangle-down" aria-hidden="true" %} dropdown menu, then click **Disable {% data variables.product.prodname_GH_advanced_security %}**. 1. To finish disabling GHAS features on the selected private or internal repositories, in the "Disable {% data variables.product.prodname_GH_advanced_security %}?" window, click **Disable {% data variables.product.prodname_GH_advanced_security %}**. diff --git a/content/code-security/securing-your-organization/troubleshooting-security-configurations/a-repository-is-using-advanced-setup-for-code-scanning.md b/content/code-security/securing-your-organization/troubleshooting-security-configurations/a-repository-is-using-advanced-setup-for-code-scanning.md index 082b0b0b2765..d6daa0b9ff1c 100644 --- a/content/code-security/securing-your-organization/troubleshooting-security-configurations/a-repository-is-using-advanced-setup-for-code-scanning.md +++ b/content/code-security/securing-your-organization/troubleshooting-security-configurations/a-repository-is-using-advanced-setup-for-code-scanning.md @@ -35,5 +35,5 @@ For all repositories without an active advanced setup, the {% data variables.pro There are two ways you can solve this problem: -1. **Update the affected repositories to use default setup** for {% data variables.product.prodname_code_scanning %} at the repository level and then reapply your {% data variables.product.prodname_security_configuration %} to the repositories. For more information, see "[AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning)." -1. **Create a new custom {% data variables.product.prodname_security_configuration %}** that does not include a setting for {% data variables.product.prodname_code_scanning %} and apply this {% data variables.product.prodname_security_configuration %} to repositories that use advanced setup. For more information, see "[AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/creating-a-custom-security-configuration)." +1. **Update the affected repositories to use default setup** for {% data variables.product.prodname_code_scanning %} at the repository level and then reapply your {% data variables.product.prodname_security_configuration %} to the repositories. For more information, see [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning). +1. **Create a new custom {% data variables.product.prodname_security_configuration %}** that does not include a setting for {% data variables.product.prodname_code_scanning %} and apply this {% data variables.product.prodname_security_configuration %} to repositories that use advanced setup. For more information, see [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/creating-a-custom-security-configuration). diff --git a/content/code-security/securing-your-organization/troubleshooting-security-configurations/not-enough-github-advanced-security-licenses.md b/content/code-security/securing-your-organization/troubleshooting-security-configurations/not-enough-github-advanced-security-licenses.md index f8270a6366eb..4926e07ebfe5 100644 --- a/content/code-security/securing-your-organization/troubleshooting-security-configurations/not-enough-github-advanced-security-licenses.md +++ b/content/code-security/securing-your-organization/troubleshooting-security-configurations/not-enough-github-advanced-security-licenses.md @@ -11,7 +11,7 @@ topics: - Security --- -You must have an available {% data variables.product.prodname_GH_advanced_security %} (GHAS) license for each unique active committer to enable GHAS features on a private{% ifversion ghec or ghes %} or internal{% endif %} repository. To learn about GHAS licensing, as well as unique and active committers, see "[AUTOTITLE](/billing/managing-billing-for-your-products/managing-billing-for-github-advanced-security/about-billing-for-github-advanced-security)." +You must have an available {% data variables.product.prodname_GH_advanced_security %} (GHAS) license for each unique active committer to enable GHAS features on a private{% ifversion ghec or ghes %} or internal{% endif %} repository. To learn about GHAS licensing, as well as unique and active committers, see [AUTOTITLE](/billing/managing-billing-for-your-products/managing-billing-for-github-advanced-security/about-billing-for-github-advanced-security). If you try to apply a {% data variables.product.prodname_security_configuration %} with GHAS features to your repositories and don't have enough GHAS licenses, the configuration will only be successfully applied to public repositories. For private {% ifversion ghec or ghes %}and internal {% endif %}repositories, only free security features will be enabled due to the license limitation, resulting in the following outcomes: @@ -19,4 +19,4 @@ If you try to apply a {% data variables.product.prodname_security_configuration * GHAS features _will not_ be enabled for _any_ private {% ifversion ghec or ghes %}or internal {% endif %}repositories. * The {% data variables.product.prodname_security_configuration %} _will not_ be applied to _any_ private {% ifversion ghec or ghes %}or internal {% endif %}repositories, since only some features from the configuration are enabled. -For more information on managing GHAS licenses for your organization, see "[AUTOTITLE](/code-security/securing-your-organization/managing-the-security-of-your-organization/managing-your-github-advanced-security-license-usage)." +For more information on managing GHAS licenses for your organization, see [AUTOTITLE](/code-security/securing-your-organization/managing-the-security-of-your-organization/managing-your-github-advanced-security-license-usage). diff --git a/content/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/about-coordinated-disclosure-of-security-vulnerabilities.md b/content/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/about-coordinated-disclosure-of-security-vulnerabilities.md index 33f21124cad3..e81845badbaa 100644 --- a/content/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/about-coordinated-disclosure-of-security-vulnerabilities.md +++ b/content/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/about-coordinated-disclosure-of-security-vulnerabilities.md @@ -20,7 +20,7 @@ shortTitle: Coordinated disclosure {% data reusables.security-advisory.disclosing-vulnerabilities %} -The initial report of a vulnerability is made privately, and the full details are only published once the maintainer has acknowledged the issue, and ideally made remediations or a patch available, sometimes with a delay to allow more time for the patches to be installed. For more information, see the "[OWASP Cheat Sheet Series about vulnerability disclosure](https://cheatsheetseries.owasp.org/cheatsheets/Vulnerability_Disclosure_Cheat_Sheet.html#commercial-and-open-source-software)" on the OWASP Cheat Sheet Series website. +The initial report of a vulnerability is made privately, and the full details are only published once the maintainer has acknowledged the issue, and ideally made remediations or a patch available, sometimes with a delay to allow more time for the patches to be installed. For more information, see the [OWASP Cheat Sheet Series about vulnerability disclosure](https://cheatsheetseries.owasp.org/cheatsheets/Vulnerability_Disclosure_Cheat_Sheet.html#commercial-and-open-source-software) on the OWASP Cheat Sheet Series website. ### Best practices for vulnerability reporters @@ -32,7 +32,7 @@ It's good practice to report vulnerabilities privately to maintainers. When poss It's acceptable for vulnerability reporters to disclose a vulnerability publicly after a period of time, if they have tried to contact the maintainers and not received a response, or contacted them and been asked to wait too long to disclose it. -We recommend vulnerability reporters clearly state the terms of their disclosure policy as part of their reporting process. Even if the vulnerability reporter does not adhere to a strict policy, it's a good idea to set clear expectations for maintainers in terms of timelines on intended vulnerability disclosures. For an example of disclosure policy, see the "[Security Lab's disclosure policy](https://securitylab.github.com/advisories#policy)" on the GitHub Security Lab website. +We recommend vulnerability reporters clearly state the terms of their disclosure policy as part of their reporting process. Even if the vulnerability reporter does not adhere to a strict policy, it's a good idea to set clear expectations for maintainers in terms of timelines on intended vulnerability disclosures. For an example of disclosure policy, see the [Security Lab's disclosure policy](https://securitylab.github.com/advisories#policy) on the GitHub Security Lab website. ### Best practices for maintainers @@ -60,26 +60,26 @@ There are two processes available on {% data variables.product.prodname_dotcom % The process for reporting and disclosing vulnerabilities for projects on {% data variables.product.prodname_dotcom %} is as follows: - If you are a vulnerability reporter (for example, a security researcher) who would like report a vulnerability, first check if there is a security policy for the related repository. For more information, see "[AUTOTITLE](/code-security/getting-started/adding-a-security-policy-to-your-repository#about-security-policies)." If there is one, follow it to understand the process before contacting the security team for that repository. + If you are a vulnerability reporter (for example, a security researcher) who would like report a vulnerability, first check if there is a security policy for the related repository. For more information, see [AUTOTITLE](/code-security/getting-started/adding-a-security-policy-to-your-repository#about-security-policies). If there is one, follow it to understand the process before contacting the security team for that repository. If there isn't a security policy in place, the most efficient way to establish a private means of communication with maintainers is to create an issue asking for a preferred security contact. It's worth noting that the issue will be immediately publicly visible, so it should not include any information about the bug. Once communication is established, you can suggest the maintainers define a security policy for future use. > [!NOTE] -> _For npm only_ - If we receive a report of malware in an npm package, we try to contact you privately. If you don't address the issue in a timely manner, we will disclose it. For more information, see "[Reporting malware in an npm package](https://docs.npmjs.com/reporting-malware-in-an-npm-package)" on the npm Docs website. +> _For npm only_ - If we receive a report of malware in an npm package, we try to contact you privately. If you don't address the issue in a timely manner, we will disclose it. For more information, see [Reporting malware in an npm package](https://docs.npmjs.com/reporting-malware-in-an-npm-package) on the npm Docs website. If you've found a security vulnerability in {% data variables.product.prodname_dotcom %}, please report the vulnerability through our coordinated disclosure process. For more information, see the [{% data variables.product.prodname_dotcom %} Security Bug Bounty](https://bounty.github.com/) website. - If you are a maintainer, you can take ownership of the process at the very beginning of the pipeline by setting up a security policy for your repository, or otherwise making security reporting instructions clearly available, for example in your project’s README file. For information about adding a security policy, see "[AUTOTITLE](/code-security/getting-started/adding-a-security-policy-to-your-repository#about-security-policies)." If there is no security policy, it's likely that a vulnerability reporter will try to email you or otherwise privately contact you. Alternatively, someone may open a (public) issue with details of a security issue. + If you are a maintainer, you can take ownership of the process at the very beginning of the pipeline by setting up a security policy for your repository, or otherwise making security reporting instructions clearly available, for example in your project’s README file. For information about adding a security policy, see [AUTOTITLE](/code-security/getting-started/adding-a-security-policy-to-your-repository#about-security-policies). If there is no security policy, it's likely that a vulnerability reporter will try to email you or otherwise privately contact you. Alternatively, someone may open a (public) issue with details of a security issue. - As a maintainer, to disclose a vulnerability in your code, you first create a draft security advisory in the package's repository in {% data variables.product.prodname_dotcom %}. {% data reusables.security-advisory.security-advisory-overview %} For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/about-repository-security-advisories)." + As a maintainer, to disclose a vulnerability in your code, you first create a draft security advisory in the package's repository in {% data variables.product.prodname_dotcom %}. {% data reusables.security-advisory.security-advisory-overview %} For more information, see [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/about-repository-security-advisories). - To get started, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/creating-a-repository-security-advisory)." + To get started, see [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/creating-a-repository-security-advisory). ### Private vulnerability reporting {% data reusables.security-advisory.private-vulnerability-reporting-enable %} - Private vulnerability reporting provides an easy way for vulnerability reporters to privately disclose security risks to repository maintainers, within {% data variables.product.prodname_dotcom %}, and in a way that immediately notifies the repository maintainers of the issue. For more information for security researchers and repository maintainers, see "[AUTOTITLE](/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability)" and "[AUTOTITLE](/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/managing-privately-reported-security-vulnerabilities)", respectively. + Private vulnerability reporting provides an easy way for vulnerability reporters to privately disclose security risks to repository maintainers, within {% data variables.product.prodname_dotcom %}, and in a way that immediately notifies the repository maintainers of the issue. For more information for security researchers and repository maintainers, see [AUTOTITLE](/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability) and [AUTOTITLE](/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/managing-privately-reported-security-vulnerabilities), respectively. > [!NOTE] -> If the repository containing the vulnerability doesn't have private vulnerability reporting enabled, both security researchers and repository maintainers need to follow the instructions described in the "[Standard process](#standard-process)" section above. +> If the repository containing the vulnerability doesn't have private vulnerability reporting enabled, both security researchers and repository maintainers need to follow the instructions described in the [Standard process](#standard-process) section above. diff --git a/content/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/best-practices-for-writing-repository-security-advisories.md b/content/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/best-practices-for-writing-repository-security-advisories.md index eaad4d26e089..07b7ede2b10f 100644 --- a/content/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/best-practices-for-writing-repository-security-advisories.md +++ b/content/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/best-practices-for-writing-repository-security-advisories.md @@ -20,7 +20,7 @@ Anyone with admin permissions to a public repository can create and edit a secur ## About security advisories for repositories -{% data reusables.security-advisory.security-advisory-overview %} For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/about-repository-security-advisories)." +{% data reusables.security-advisory.security-advisory-overview %} For more information, see [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/about-repository-security-advisories). We recommend you use the syntax used in the {% data variables.product.prodname_advisory_database %}, especially the version formatting, when you write a repository security advisory, or make a community contribution to a global security advisory. @@ -29,13 +29,13 @@ If you follow the syntax for the {% data variables.product.prodname_advisory_dat * {% data variables.product.prodname_dependabot %} will have the information to accurately identify repositories that are affected and send them {% data variables.product.prodname_dependabot_alerts %} to notify them. * Community members are less likely to suggest edits to your advisory to fix missing or incorrect information. -You add or edit a repository advisory using the _Draft security advisory_ form. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/creating-a-repository-security-advisory)." +You add or edit a repository advisory using the _Draft security advisory_ form. For more information, see [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/creating-a-repository-security-advisory). -You suggest an improvement to an existing global advisory using the _Improve security advisory_ form. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/editing-security-advisories-in-the-github-advisory-database)." +You suggest an improvement to an existing global advisory using the _Improve security advisory_ form. For more information, see [AUTOTITLE](/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/editing-security-advisories-in-the-github-advisory-database). ## Ecosystem -You need to assign the advisory to one of our supported ecosystems using the **Ecosystem** field. For more information about the ecosystems we support, see "[AUTOTITLE](/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/browsing-security-advisories-in-the-github-advisory-database#github-reviewed-advisories)." +You need to assign the advisory to one of our supported ecosystems using the **Ecosystem** field. For more information about the ecosystems we support, see [AUTOTITLE](/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/browsing-security-advisories-in-the-github-advisory-database#github-reviewed-advisories). ![Screenshot of the "Affected products" area of the security advisory form. The "Ecosystem" field is highlighted with a dark orange outline.](/assets/images/help/security/security-advisory-ecosystem.png) diff --git a/content/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/managing-privately-reported-security-vulnerabilities.md b/content/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/managing-privately-reported-security-vulnerabilities.md index 696218b1b9b4..2a4856332ee2 100644 --- a/content/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/managing-privately-reported-security-vulnerabilities.md +++ b/content/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/managing-privately-reported-security-vulnerabilities.md @@ -26,7 +26,7 @@ When a security researcher reports a vulnerability privately, you are notified a {% data reusables.security-advisory.private-vulnerability-reporting-configure-notifications %} -For more information about configuring notification preferences, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository#configuring-notifications-for-private-vulnerability-reporting)." +For more information about configuring notification preferences, see [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository#configuring-notifications-for-private-vulnerability-reporting). {% data reusables.repositories.navigate-to-repo %} {% data reusables.repositories.sidebar-security %} @@ -40,7 +40,7 @@ For more information about configuring notification preferences, see "[AUTOTITLE * To accept the reported vulnerability, click **Accept and open as draft** to accept the vulnerability report as a draft advisory on {% data variables.product.prodname_dotcom %}. If you choose this option: * This doesn't make the report public. * The report becomes a draft repository security advisory and you can work on it in the same way as any draft advisory that you create. - For more information on security advisories, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/about-repository-security-advisories)." + For more information on security advisories, see [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/about-repository-security-advisories). * To ask for more information, or to open a discussion with the reporter, you can comment on the advisory. Any comments are visible only to the reporter and to any collaborators on the advisory. * If you have enough information to determine that the problem the reporter describes is not a security risk, click **Close security advisory**. Where possible, you should add a comment explaining why you don't consider the report a security risk before you close the advisory. diff --git a/content/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability.md b/content/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability.md index b9e710abcc8b..e785060e8639 100644 --- a/content/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability.md +++ b/content/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability.md @@ -16,9 +16,9 @@ redirect_from: {% data reusables.security-advisory.private-vulnerability-reporting-enable %} > [!NOTE] -> * If you have admin or security permissions for a public repository, you don't need to submit a vulnerability report. Instead, you can create a draft security advisory directly. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/creating-a-repository-security-advisory)." +> * If you have admin or security permissions for a public repository, you don't need to submit a vulnerability report. Instead, you can create a draft security advisory directly. For more information, see [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/creating-a-repository-security-advisory). > * The ability to privately report a vulnerability in a repository is not related to the presence of a `SECURITY.md` file in that repository's root or `docs` directory. -> * The `SECURITY.md` file contains the security policy for the repository. Repository administrators can add and use this file to provide _public_ instructions for how to report a security vulnerability in their repository. For more information, see "[AUTOTITLE](/code-security/getting-started/adding-a-security-policy-to-your-repository)." +> * The `SECURITY.md` file contains the security policy for the repository. Repository administrators can add and use this file to provide _public_ instructions for how to report a security vulnerability in their repository. For more information, see [AUTOTITLE](/code-security/getting-started/adding-a-security-policy-to-your-repository). > * You can only report a vulnerability privately for repositories where private vulnerability reporting is enabled, and you don't have to follow the instructions in the `SECURITY.md` file. This reporting process is fully private, and {% data variables.product.prodname_dotcom %} notifies the repository administrators directly about your submission. ## About privately reporting a security vulnerability @@ -36,8 +36,8 @@ For security researchers, the benefits of using private vulnerability reporting ## Privately reporting a security vulnerability -If a public repository has private vulnerability reporting enabled, anyone can privately report a security vulnerability to repository maintainers. Users can also evaluate the general security of a public repository and suggest a security policy. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/evaluating-the-security-settings-of-a-repository)." +If a public repository has private vulnerability reporting enabled, anyone can privately report a security vulnerability to repository maintainers. Users can also evaluate the general security of a public repository and suggest a security policy. For more information, see [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/evaluating-the-security-settings-of-a-repository). {% data reusables.security-advisory.reporting-a-vulnerability-non-admin %} -The next steps depend on the action taken by the repository maintainer. For more information, see "[AUTOTITLE](/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/managing-privately-reported-security-vulnerabilities)." +The next steps depend on the action taken by the repository maintainer. For more information, see [AUTOTITLE](/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/managing-privately-reported-security-vulnerabilities). diff --git a/content/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-global-security-advisories.md b/content/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-global-security-advisories.md index b009c25350de..ca1bd0286f7b 100644 --- a/content/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-global-security-advisories.md +++ b/content/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-global-security-advisories.md @@ -17,7 +17,7 @@ redirect_from: ## About global security advisories -{% ifversion fpt or ghec %}There are two types of advisories: global security advisories and repository security advisories. For more information about repository security advisories, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/about-repository-security-advisories)."{% endif %} +{% ifversion fpt or ghec %}There are two types of advisories: global security advisories and repository security advisories. For more information about repository security advisories, see [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/about-repository-security-advisories).{% endif %} Global security advisories are grouped into these categories: {% data variables.product.company_short %}-reviewed advisories, unreviewed advisories, and malware advisories. * {% data reusables.advisory-database.github-reviewed-overview %} @@ -27,12 +27,12 @@ Global security advisories are grouped into these categories: {% data variables. > [!NOTE] > {% data variables.product.prodname_dependabot %} doesn't generate {% data variables.product.prodname_dependabot_alerts %} for unreviewed and malware advisories. -For more information about the {% data variables.product.prodname_advisory_database %}, see "[AUTOTITLE](/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-the-github-advisory-database)." +For more information about the {% data variables.product.prodname_advisory_database %}, see [AUTOTITLE](/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-the-github-advisory-database). {% data reusables.security-advisory.global-advisories %} Every repository advisory is reviewed by the {% data variables.product.prodname_security %} curation team for consideration as a global advisory. We publish security advisories for any of the ecosystems supported by the dependency graph to the {% data variables.product.prodname_advisory_database %} on [github.com/advisories](https://github.com/advisories). -You can access any advisory in the {% data variables.product.prodname_advisory_database %}. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/browsing-security-advisories-in-the-github-advisory-database)." +You can access any advisory in the {% data variables.product.prodname_advisory_database %}. For more information, see [AUTOTITLE](/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/browsing-security-advisories-in-the-github-advisory-database). -You can suggest improvements to any advisory in the {% data variables.product.prodname_advisory_database %}. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/editing-security-advisories-in-the-github-advisory-database)." +You can suggest improvements to any advisory in the {% data variables.product.prodname_advisory_database %}. For more information, see [AUTOTITLE](/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/editing-security-advisories-in-the-github-advisory-database). diff --git a/content/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-the-github-advisory-database.md b/content/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-the-github-advisory-database.md index 93cb0f15e401..f0bc22d06690 100644 --- a/content/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-the-github-advisory-database.md +++ b/content/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-the-github-advisory-database.md @@ -19,7 +19,7 @@ redirect_from: {% data reusables.repositories.tracks-vulnerabilities %} -Security advisories are published as JSON files in the Open Source Vulnerability (OSV) format. For more information about the OSV format, see "[Open Source Vulnerability format](https://ossf.github.io/osv-schema/)." +Security advisories are published as JSON files in the Open Source Vulnerability (OSV) format. For more information about the OSV format, see [Open Source Vulnerability format](https://ossf.github.io/osv-schema/). ## About types of security advisories @@ -50,7 +50,7 @@ Generally, we name our supported ecosystems after the software programming langu If you have a suggestion for a new ecosystem we should support, please open an [issue](https://github.com/github/advisory-database/issues) for discussion. -If you enable {% data variables.product.prodname_dependabot_alerts %} for your repositories, you are automatically notified when a new {% data variables.product.company_short %}-reviewed advisory reports a vulnerability for a package you depend on. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts)." +If you enable {% data variables.product.prodname_dependabot_alerts %} for your repositories, you are automatically notified when a new {% data variables.product.company_short %}-reviewed advisory reports a vulnerability for a package you depend on. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts). ### Unreviewed advisories @@ -91,9 +91,9 @@ You can validate a GHSA ID using a regular expression. {% ifversion cvss-4 %} The {% data variables.product.prodname_advisory_database %} supports both CVSS version 3.1 and CVSS version 4.0.{% endif %} -Each security advisory contains information about the vulnerability or malware, which may include the description, severity, affected package, package ecosystem, affected versions and patched versions, impact, and optional information such as references, workarounds, and credits. In addition, advisories from the National Vulnerability Database list contain a link to the CVE record, where you can read more details about the vulnerability, its CVSS scores, and its qualitative severity level. For more information, see the "[National Vulnerability Database](https://nvd.nist.gov/)" from the National Institute of Standards and Technology. +Each security advisory contains information about the vulnerability or malware, which may include the description, severity, affected package, package ecosystem, affected versions and patched versions, impact, and optional information such as references, workarounds, and credits. In addition, advisories from the National Vulnerability Database list contain a link to the CVE record, where you can read more details about the vulnerability, its CVSS scores, and its qualitative severity level. For more information, see the [National Vulnerability Database](https://nvd.nist.gov/) from the National Institute of Standards and Technology. -The severity level is one of four possible levels defined in the "[Common Vulnerability Scoring System (CVSS), Section 5](https://www.first.org/cvss/specification-document)." +The severity level is one of four possible levels defined in the [Common Vulnerability Scoring System (CVSS), Section 5](https://www.first.org/cvss/specification-document). * Low * Medium/Moderate * High @@ -120,9 +120,9 @@ FIRST also provides additional information around the distribution of their EPSS >[!NOTE] {% data variables.product.company_short %} keeps EPSS data up to date with a daily synchronization action. While EPSS score percentages will always be fully synchronized, score percentiles will only be updated when significantly different. -At {% data variables.product.company_short %}, we do not author this data, but rather source it from FIRST, which means that this data is not editable in community contributions. For more information about community contributions, see "[AUTOTITLE](/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/editing-security-advisories-in-the-github-advisory-database)." +At {% data variables.product.company_short %}, we do not author this data, but rather source it from FIRST, which means that this data is not editable in community contributions. For more information about community contributions, see [AUTOTITLE](/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/editing-security-advisories-in-the-github-advisory-database). ## Further reading -* "[AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts)" +* [AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts) * The CVE Program's [definition of "vulnerability"](https://www.cve.org/ResourcesSupport/Glossary#glossaryVulnerability) diff --git a/content/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/browsing-security-advisories-in-the-github-advisory-database.md b/content/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/browsing-security-advisories-in-the-github-advisory-database.md index 93bc5c6ef857..c885dec67558 100644 --- a/content/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/browsing-security-advisories-in-the-github-advisory-database.md +++ b/content/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/browsing-security-advisories-in-the-github-advisory-database.md @@ -35,14 +35,14 @@ You can access any advisory in the {% data variables.product.prodname_advisory_d 1. Click an advisory to view details. By default, you will see {% data variables.product.company_short %}-reviewed advisories for security vulnerabilities. To show malware advisories, use `type:malware` in the search bar. -The database is also accessible using the GraphQL API. By default, queries will return {% data variables.product.company_short %}-reviewed advisories for security vulnerabilities unless you specify `type:malware`. For more information, see the "[AUTOTITLE](/webhooks-and-events/webhooks/webhook-events-and-payloads#security_advisory)." +The database is also accessible using the GraphQL API. By default, queries will return {% data variables.product.company_short %}-reviewed advisories for security vulnerabilities unless you specify `type:malware`. For more information, see the [AUTOTITLE](/webhooks-and-events/webhooks/webhook-events-and-payloads#security_advisory). {% ifversion security-advisories-rest-api %} -Additionally, you can access the {% data variables.product.prodname_advisory_database %} using the REST API. For more information, see "[AUTOTITLE](/rest/security-advisories/global-advisories)."{% endif %} +Additionally, you can access the {% data variables.product.prodname_advisory_database %} using the REST API. For more information, see [AUTOTITLE](/rest/security-advisories/global-advisories).{% endif %} ## Editing an advisory in the {% data variables.product.prodname_advisory_database %} -You can suggest improvements to any advisory in the {% data variables.product.prodname_advisory_database %}. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/editing-security-advisories-in-the-github-advisory-database)." +You can suggest improvements to any advisory in the {% data variables.product.prodname_advisory_database %}. For more information, see [AUTOTITLE](/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/editing-security-advisories-in-the-github-advisory-database). ## Searching the {% data variables.product.prodname_advisory_database %} @@ -72,11 +72,11 @@ You can search the database, and use qualifiers to narrow your search. For examp | `created:YYYY-MM-DD`| [**created:2021-01-13**](https://github.com/advisories?utf8=%E2%9C%93&query=created%3A2021-01-13) will show only advisories created on this date. | | `updated:YYYY-MM-DD`| [**updated:2021-01-13**](https://github.com/advisories?utf8=%E2%9C%93&query=updated%3A2021-01-13) will show only advisories updated on this date. | -A `GHSA-ID` qualifier is a unique ID that we at {% data variables.product.prodname_dotcom %} automatically assign to every advisory in the {% data variables.product.prodname_advisory_database %}. For more information about these identifiers, see "[About the {% data variables.product.prodname_advisory_database %}](/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-the-github-advisory-database#about-ghsa-ids)." +A `GHSA-ID` qualifier is a unique ID that we at {% data variables.product.prodname_dotcom %} automatically assign to every advisory in the {% data variables.product.prodname_advisory_database %}. For more information about these identifiers, see [About the {% data variables.product.prodname_advisory_database %}](/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-the-github-advisory-database#about-ghsa-ids). ## Viewing your vulnerable repositories -For any {% data variables.product.company_short %}-reviewed advisory in the {% data variables.product.prodname_advisory_database %}, you can see which of your repositories are affected by that security vulnerability or malware. To see a vulnerable repository, you must have access to {% data variables.product.prodname_dependabot_alerts %} for that repository. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts#access-to-dependabot-alerts)." +For any {% data variables.product.company_short %}-reviewed advisory in the {% data variables.product.prodname_advisory_database %}, you can see which of your repositories are affected by that security vulnerability or malware. To see a vulnerable repository, you must have access to {% data variables.product.prodname_dependabot_alerts %} for that repository. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts#access-to-dependabot-alerts). 1. Navigate to https://github.com/advisories. 1. Click an advisory. @@ -89,7 +89,7 @@ For any {% data variables.product.company_short %}-reviewed advisory in the {% d ## Accessing the local advisory database on {% data variables.product.prodname_ghe_server %} -If your site administrator has enabled {% data variables.product.prodname_github_connect %} for your instance, you can also browse reviewed advisories locally. For more information, see "[AUTOTITLE](/admin/configuration/configuring-github-connect/about-github-connect)". +If your site administrator has enabled {% data variables.product.prodname_github_connect %} for your instance, you can also browse reviewed advisories locally. For more information, see [AUTOTITLE](/admin/configuration/configuring-github-connect/about-github-connect). You can use your local advisory database to check whether a specific security vulnerability is included, and therefore whether you'd get alerts for vulnerable dependencies. You can also view any vulnerable repositories. @@ -97,17 +97,17 @@ You can use your local advisory database to check whether a specific security vu 1. Optionally, to filter the list, use any of the drop-down menus. > [!NOTE] - > Only reviewed advisories will be listed. Unreviewed advisories can be viewed in the {% data variables.product.prodname_advisory_database %} on {% data variables.product.prodname_dotcom_the_website %}. For more information, see "[Accessing an advisory in the GitHub Advisory Database](#accessing-an-advisory-in-the-github-advisory-database)". + > Only reviewed advisories will be listed. Unreviewed advisories can be viewed in the {% data variables.product.prodname_advisory_database %} on {% data variables.product.prodname_dotcom_the_website %}. For more information, see [Accessing an advisory in the GitHub Advisory Database](#accessing-an-advisory-in-the-github-advisory-database). 1. Click an advisory to view details. By default, you will see {% data variables.product.company_short %}-reviewed advisories for security vulnerabilities. To show malware advisories, use `type:malware` in the search bar. -You can also suggest improvements to any advisory directly from your local advisory database. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/editing-security-advisories-in-the-github-advisory-database#editing-advisories-from-your-github-enterprise-server-instance)". +You can also suggest improvements to any advisory directly from your local advisory database. For more information, see [AUTOTITLE](/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/editing-security-advisories-in-the-github-advisory-database#editing-advisories-from-your-github-enterprise-server-instance). ### Viewing vulnerable repositories for your instance {% data reusables.repositories.enable-security-alerts %} -In the local advisory database, you can see which repositories are affected by each security vulnerability or malware. To see a vulnerable repository, you must have access to {% data variables.product.prodname_dependabot_alerts %} for that repository. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts#access-to-dependabot-alerts)." +In the local advisory database, you can see which repositories are affected by each security vulnerability or malware. To see a vulnerable repository, you must have access to {% data variables.product.prodname_dependabot_alerts %} for that repository. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts#access-to-dependabot-alerts). 1. Navigate to `https://HOSTNAME/advisories`. 1. Click an advisory. diff --git a/content/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/editing-security-advisories-in-the-github-advisory-database.md b/content/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/editing-security-advisories-in-the-github-advisory-database.md index d7b73868bb64..d69f059b8582 100644 --- a/content/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/editing-security-advisories-in-the-github-advisory-database.md +++ b/content/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/editing-security-advisories-in-the-github-advisory-database.md @@ -22,20 +22,20 @@ shortTitle: Edit Advisory Database ## Editing advisories in the {% data variables.product.prodname_advisory_database %} -The advisories in the {% data variables.product.prodname_advisory_database %} are global security advisories. For more information about global security advisories, see "[AUTOTITLE](/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-global-security-advisories)." +The advisories in the {% data variables.product.prodname_advisory_database %} are global security advisories. For more information about global security advisories, see [AUTOTITLE](/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-global-security-advisories). Anyone can suggest improvements on any global security advisory in the {% data variables.product.prodname_advisory_database %} by making a **community contribution**. A **community contribution** is a pull request submitted to the [github/advisory-database](https://github.com/github/advisory-database) repository that improves the content of a global security advisory. When you make a community contribution, you can edit or add any detail, including additionally affected ecosystems, severity level or description of who is impacted. The {% data variables.product.prodname_security %} curation team will review the submitted contributions and publish them onto the {% data variables.product.prodname_advisory_database %} if accepted. {% ifversion security-advisories-credit-types %} -If we accept and publish the community contribution, the person who submitted the community contribution pull request will automatically be assigned a credit type of "Analyst". For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/creating-a-repository-security-advisory#about-credits-for-repository-security-advisories)."{% endif %} +If we accept and publish the community contribution, the person who submitted the community contribution pull request will automatically be assigned a credit type of "Analyst". For more information, see [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/creating-a-repository-security-advisory#about-credits-for-repository-security-advisories).{% endif %} {% ifversion fpt or ghec %} -Only repository owners and administrators can edit repository-level security advisories. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/editing-a-repository-security-advisory)."{% endif %} +Only repository owners and administrators can edit repository-level security advisories. For more information, see [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/editing-a-repository-security-advisory).{% endif %} 1. Navigate to https://github.com/advisories. 1. Select the security advisory you would like to contribute to. 1. On the right-hand side of the page, click the **Suggest improvements for this vulnerability** link. -1. In the "Improve security advisory" form, make the desired improvements. You can edit or add any detail.{% ifversion fpt or ghec %} For information about correctly specifying information on the form, including affected versions, see "[AUTOTITLE](/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/best-practices-for-writing-repository-security-advisories)."{% endif %} +1. In the "Improve security advisory" form, make the desired improvements. You can edit or add any detail.{% ifversion fpt or ghec %} For information about correctly specifying information on the form, including affected versions, see [AUTOTITLE](/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/best-practices-for-writing-repository-security-advisories).{% endif %} 1. Under **Reason for change**, explain why you want to make this improvement. If you include links to supporting material this will help our reviewers. 1. When you finish editing the advisory, click **Submit improvements**. 1. Once you submit your community contribution, a pull request containing your changes will be created for review in [github/advisory-database](https://github.com/github/advisory-database) by the {% data variables.product.prodname_security %} curation team. If the advisory originated from a {% data variables.product.prodname_dotcom %} repository, we will also tag the original publisher for optional commentary. You can view the pull request and get notifications when it is updated or closed. @@ -51,5 +51,5 @@ If you have {% data variables.product.prodname_github_connect %} enabled on your 1. Navigate to `https://HOSTNAME/advisories`. 1. Select the security advisory you would like to contribute to. 1. On the right-hand side of the page, click the **Suggest improvements for this vulnerability on {% data variables.product.prodname_dotcom %}.** link. A new tab opens with the same security advisory on {% data variables.product.prodname_dotcom %}. -1. Edit the advisory, following steps four through six in "[Editing advisories in the GitHub Advisory Database](#editing-advisories-in-the-github-advisory-database)" above. +1. Edit the advisory, following steps four through six in [Editing advisories in the GitHub Advisory Database](#editing-advisories-in-the-github-advisory-database) above. {% endif %} diff --git a/content/code-security/security-advisories/working-with-repository-security-advisories/about-repository-security-advisories.md b/content/code-security/security-advisories/working-with-repository-security-advisories/about-repository-security-advisories.md index e837663aefe2..d9271a1d4c18 100644 --- a/content/code-security/security-advisories/working-with-repository-security-advisories/about-repository-security-advisories.md +++ b/content/code-security/security-advisories/working-with-repository-security-advisories/about-repository-security-advisories.md @@ -25,27 +25,27 @@ topics: ## About repository security advisories -{% data reusables.security-advisory.disclosing-vulnerabilities %} For more information, see "[AUTOTITLE](/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/about-coordinated-disclosure-of-security-vulnerabilities)." +{% data reusables.security-advisory.disclosing-vulnerabilities %} For more information, see [AUTOTITLE](/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/about-coordinated-disclosure-of-security-vulnerabilities). {% data reusables.security-advisory.security-advisory-overview %} With repository security advisories, you can: -1. Create a draft security advisory, and use the draft to privately discuss the impact of the vulnerability on your project. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/creating-a-repository-security-advisory)." +1. Create a draft security advisory, and use the draft to privately discuss the impact of the vulnerability on your project. For more information, see [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/creating-a-repository-security-advisory). 1. Privately collaborate to fix the vulnerability in a temporary private fork. -1. Publish the security advisory to alert your community of the vulnerability once a patch is released. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/publishing-a-repository-security-advisory)." +1. Publish the security advisory to alert your community of the vulnerability once a patch is released. For more information, see [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/publishing-a-repository-security-advisory). {% data reusables.repositories.security-advisories-republishing %} {% ifversion repository-security-advisories-API %} -You can also use the REST API to create, list, and update repository security advisories. For more information, see "[AUTOTITLE](/rest/security-advisories/repository-advisories)." +You can also use the REST API to create, list, and update repository security advisories. For more information, see [AUTOTITLE](/rest/security-advisories/repository-advisories). {% endif %} -You can give credit to individuals who contributed to a security advisory. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/editing-a-repository-security-advisory#about-credits-for-security-advisories)." +You can give credit to individuals who contributed to a security advisory. For more information, see [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/editing-a-repository-security-advisory#about-credits-for-security-advisories). {% data reusables.repositories.security-guidelines %} -If you created a security advisory in your repository, the security advisory will stay in your repository. We publish security advisories for any of the ecosystems supported by the dependency graph to the {% data variables.product.prodname_advisory_database %} on [github.com/advisories](https://github.com/advisories). Anyone can submit a change to an advisory published in the {% data variables.product.prodname_advisory_database %}. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/editing-security-advisories-in-the-github-advisory-database)." +If you created a security advisory in your repository, the security advisory will stay in your repository. We publish security advisories for any of the ecosystems supported by the dependency graph to the {% data variables.product.prodname_advisory_database %} on [github.com/advisories](https://github.com/advisories). Anyone can submit a change to an advisory published in the {% data variables.product.prodname_advisory_database %}. For more information, see [AUTOTITLE](/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/editing-security-advisories-in-the-github-advisory-database). If a security advisory is specifically for npm, we also publish the advisory to the npm security advisories. For more information, see [npmjs.com/advisories](https://www.npmjs.com/advisories). @@ -55,12 +55,12 @@ If a security advisory is specifically for npm, we also publish the advisory to {% data variables.product.prodname_security_advisories %} builds upon the foundation of the Common Vulnerabilities and Exposures (CVE) list. The security advisory form on {% data variables.product.prodname_dotcom %} is a standardized form that matches the CVE description format. -{% data variables.product.prodname_dotcom %} is a CVE Numbering Authority (CNA) and is authorized to assign CVE identification numbers. For more information, see "[About CVE](https://www.cve.org/About/Overview)" and "[CVE Numbering Authorities](https://www.cve.org/ProgramOrganization/CNAs)" on the CVE website. +{% data variables.product.prodname_dotcom %} is a CVE Numbering Authority (CNA) and is authorized to assign CVE identification numbers. For more information, see [About CVE](https://www.cve.org/About/Overview) and [CVE Numbering Authorities](https://www.cve.org/ProgramOrganization/CNAs) on the CVE website. When you create a security advisory for a public repository on {% data variables.product.prodname_dotcom %}, you have the option of providing an existing CVE identification number for the security vulnerability. {% data reusables.repositories.request-security-advisory-cve-id %} Once you've published the security advisory and {% data variables.product.prodname_dotcom %} has assigned a CVE identification number to the vulnerability, {% data variables.product.prodname_dotcom %} publishes the CVE to the MITRE database. -For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/publishing-a-repository-security-advisory)." +For more information, see [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/publishing-a-repository-security-advisory). ## {% data variables.product.prodname_dependabot_alerts %} for published security advisories diff --git a/content/code-security/security-advisories/working-with-repository-security-advisories/adding-a-collaborator-to-a-repository-security-advisory.md b/content/code-security/security-advisories/working-with-repository-security-advisories/adding-a-collaborator-to-a-repository-security-advisory.md index 034e2b85a629..9e402b080d51 100644 --- a/content/code-security/security-advisories/working-with-repository-security-advisories/adding-a-collaborator-to-a-repository-security-advisory.md +++ b/content/code-security/security-advisories/working-with-repository-security-advisories/adding-a-collaborator-to-a-repository-security-advisory.md @@ -25,10 +25,10 @@ People with admin permissions to a security advisory can add collaborators to th ## Adding a collaborator to a security advisory -Collaborators have write permissions to the security advisory. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/permission-levels-for-repository-security-advisories)." +Collaborators have write permissions to the security advisory. For more information, see [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/permission-levels-for-repository-security-advisories). > [!NOTE] -> {% data reusables.repositories.security-advisory-collaborators-public-repositories %} For more information about removing a collaborator on a security advisory, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/removing-a-collaborator-from-a-repository-security-advisory)." +> {% data reusables.repositories.security-advisory-collaborators-public-repositories %} For more information about removing a collaborator on a security advisory, see [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/removing-a-collaborator-from-a-repository-security-advisory). {% data reusables.repositories.navigate-to-repo %} {% data reusables.repositories.sidebar-security %} @@ -40,6 +40,6 @@ Collaborators have write permissions to the security advisory. For more informat ## Further reading -* "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/permission-levels-for-repository-security-advisories)" -* "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability)" -* "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/removing-a-collaborator-from-a-repository-security-advisory)." +* [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/permission-levels-for-repository-security-advisories) +* [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability) +* [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/removing-a-collaborator-from-a-repository-security-advisory). diff --git a/content/code-security/security-advisories/working-with-repository-security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability.md b/content/code-security/security-advisories/working-with-repository-security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability.md index a53f7162446d..73209edaab0e 100644 --- a/content/code-security/security-advisories/working-with-repository-security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability.md +++ b/content/code-security/security-advisories/working-with-repository-security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability.md @@ -23,7 +23,7 @@ shortTitle: Temporary private forks ## Prerequisites -Before you can collaborate in a temporary private fork, you must create a draft security advisory. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/creating-a-repository-security-advisory)." +Before you can collaborate in a temporary private fork, you must create a draft security advisory. For more information, see [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/creating-a-repository-security-advisory). ## Creating a temporary private fork @@ -50,11 +50,11 @@ To keep information about vulnerabilities secure, integrations, including CI, ca For example, if you create a temporary private fork in a repository called `octocat-repo`, and the automatically generated ID for the draft advisory is `GHSA-x854-cvjg-vx26`, the temporary fork will be called `octocat-repo-ghsa-x854-cvjg-vx26`. -You can also use the REST API to create temporary private forks. For more information, see "[Create a temporary private fork](/rest/security-advisories/repository-advisories#create-a-temporary-private-fork)" in the REST API documentation. +You can also use the REST API to create temporary private forks. For more information, see [Create a temporary private fork](/rest/security-advisories/repository-advisories#create-a-temporary-private-fork) in the REST API documentation. ## Adding collaborators to a temporary private fork -Anyone with admin permissions to a security advisory can add additional collaborators to the security advisory, and collaborators on the security advisory can access the temporary private fork. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/adding-a-collaborator-to-a-repository-security-advisory)." +Anyone with admin permissions to a security advisory can add additional collaborators to the security advisory, and collaborators on the security advisory can access the temporary private fork. For more information, see [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/adding-a-collaborator-to-a-repository-security-advisory). ## Adding changes to a temporary private fork @@ -65,7 +65,7 @@ Anyone with write permissions to a security advisory can collaborate on a patch {% data reusables.repositories.sidebar-advisories %} 1. In the "Security Advisories" list, click the name of the security advisory you'd like to work on. 1. You can make your changes on {% data variables.product.product_name %} or locally: - * To make your changes on {% data variables.product.product_name %}, under "Collaborate on a patch", click **the temporary private fork**. Then, create a new branch and edit files. For more information, see "[AUTOTITLE](/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/creating-and-deleting-branches-within-your-repository)" and "[AUTOTITLE](/repositories/working-with-files/managing-files/editing-files)." + * To make your changes on {% data variables.product.product_name %}, under "Collaborate on a patch", click **the temporary private fork**. Then, create a new branch and edit files. For more information, see [AUTOTITLE](/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/creating-and-deleting-branches-within-your-repository) and [AUTOTITLE](/repositories/working-with-files/managing-files/editing-files). * To add changes locally, follow the instructions under "Clone and create a new branch" and "Make your changes, then push." ![Screenshot of the "Collaborate on a patch" area of a draft security advisory. The "the temporary private fork" link is outlined in dark orange.](/assets/images/help/security/add-changes-to-this-advisory-box.png) @@ -81,10 +81,10 @@ Anyone with write permissions to a security advisory can create a pull request f 1. Scroll to the bottom of the advisory form. Then, under "Collaborate on a patch", click **Compare & pull request** to create a pull request for the associated branch. ![Screenshot of the "Collaborate on a patch" area of a draft security advisory. The "Compare & pull request" button is outlined in dark orange.](/assets/images/help/security/security-advisory-compare-and-pr.png) - The "Open a pull request" includes a header showing the branches that will be compared in a three-dot Git diff comparison when the pull request is created. For more information, see "[AUTOTITLE](/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/about-comparing-branches-in-pull-requests#three-dot-and-two-dot-git-diff-comparisons)." + The "Open a pull request" includes a header showing the branches that will be compared in a three-dot Git diff comparison when the pull request is created. For more information, see [AUTOTITLE](/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/about-comparing-branches-in-pull-requests#three-dot-and-two-dot-git-diff-comparisons). {% data reusables.repositories.create-pull-request %} -{% data reusables.repositories.merge-all-pulls-together %} For more information, see "[Merging changes in a security advisory](#merging-changes-in-a-security-advisory)." +{% data reusables.repositories.merge-all-pulls-together %} For more information, see [Merging changes in a security advisory](#merging-changes-in-a-security-advisory). ## Merging changes in a security advisory @@ -92,7 +92,7 @@ Anyone with admin permissions to a security advisory can merge changes in a secu {% data reusables.repositories.merge-all-pulls-together %} -Before you can merge changes in a security advisory, every open pull request in the temporary private fork must be mergeable. To keep information about vulnerabilities secure, status checks do not run on pull requests in temporary private forks. For more information, see "[AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches)." +Before you can merge changes in a security advisory, every open pull request in the temporary private fork must be mergeable. To keep information about vulnerabilities secure, status checks do not run on pull requests in temporary private forks. For more information, see [AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches). Additionally, there can be no merge conflicts, and {% data variables.product.prodname_dotcom %} won't enforce any of the protection rules that you may have set up for the branch you're trying to merge the changes in to. @@ -107,9 +107,9 @@ Additionally, there can be no merge conflicts, and {% data variables.product.pro > [!NOTE] > You can only merge one pull request into the `main` branch of a temporary private fork. If more than one pull request targets the `main` branch, merging is blocked. -After you merge changes in a security advisory, you can publish the security advisory to alert your community about the security vulnerability in previous versions of your project. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/publishing-a-repository-security-advisory)." +After you merge changes in a security advisory, you can publish the security advisory to alert your community about the security vulnerability in previous versions of your project. For more information, see [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/publishing-a-repository-security-advisory). ## Further reading -* "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/permission-levels-for-repository-security-advisories)" -* "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/publishing-a-repository-security-advisory)" +* [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/permission-levels-for-repository-security-advisories) +* [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/publishing-a-repository-security-advisory) diff --git a/content/code-security/security-advisories/working-with-repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository.md b/content/code-security/security-advisories/working-with-repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository.md index 3c03c53dbaff..2efc801f8346 100644 --- a/content/code-security/security-advisories/working-with-repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository.md +++ b/content/code-security/security-advisories/working-with-repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository.md @@ -23,7 +23,7 @@ Security researchers often feel responsible for alerting users to a vulnerabilit For maintainers, the benefits of using private vulnerability reporting are: {% data reusables.security-advisory.private-vulnerability-reporting-benefits %} -The instructions in this article refer to enablement at repository level. For information about enabling the feature at organization level, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/configuring-private-vulnerability-reporting-for-an-organization)." +The instructions in this article refer to enablement at repository level. For information about enabling the feature at organization level, see [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/configuring-private-vulnerability-reporting-for-an-organization). ## Enabling or disabling private vulnerability reporting for a repository diff --git a/content/code-security/security-advisories/working-with-repository-security-advisories/configuring-private-vulnerability-reporting-for-an-organization.md b/content/code-security/security-advisories/working-with-repository-security-advisories/configuring-private-vulnerability-reporting-for-an-organization.md index b6256f3a813c..85c9d53f0fe6 100644 --- a/content/code-security/security-advisories/working-with-repository-security-advisories/configuring-private-vulnerability-reporting-for-an-organization.md +++ b/content/code-security/security-advisories/working-with-repository-security-advisories/configuring-private-vulnerability-reporting-for-an-organization.md @@ -23,15 +23,15 @@ Security researchers often feel responsible for alerting users to a vulnerabilit For organization owners and security managers, the benefits of using private vulnerability reporting are: {% data reusables.security-advisory.private-vulnerability-reporting-benefits %} -The instructions below refer to enablement at organization level. For information about enabling the feature for a repository, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository)." +The instructions below refer to enablement at organization level. For information about enabling the feature for a repository, see [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository). {% data reusables.security-advisory.private-vulnerability-reporting-configure-notifications %} -For more information about configuring notification preferences, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository#configuring-notifications-for-private-vulnerability-reporting)." +For more information about configuring notification preferences, see [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository#configuring-notifications-for-private-vulnerability-reporting). ## Enabling or disabling private vulnerability reporting for public repositories added to the organization -You can enable or disable private vulnerability reporting for new public repositories added to the organization using the {% data variables.product.prodname_github_security_configuration %}, or you can create a {% data variables.product.prodname_custom_security_configuration %}. For more information, see "[AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/applying-the-github-recommended-security-configuration-in-your-organization)" and "[AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/creating-a-custom-security-configuration)." +You can enable or disable private vulnerability reporting for new public repositories added to the organization using the {% data variables.product.prodname_github_security_configuration %}, or you can create a {% data variables.product.prodname_custom_security_configuration %}. For more information, see [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/applying-the-github-recommended-security-configuration-in-your-organization) and [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/creating-a-custom-security-configuration). ## What having private vulnerability reporting enabled for a repository looks like for a security researcher diff --git a/content/code-security/security-advisories/working-with-repository-security-advisories/creating-a-repository-security-advisory.md b/content/code-security/security-advisories/working-with-repository-security-advisories/creating-a-repository-security-advisory.md index a9eb28455a8b..a04777ea2efe 100644 --- a/content/code-security/security-advisories/working-with-repository-security-advisories/creating-a-repository-security-advisory.md +++ b/content/code-security/security-advisories/working-with-repository-security-advisories/creating-a-repository-security-advisory.md @@ -24,7 +24,7 @@ shortTitle: Create repository advisories ## Creating a security advisory {% ifversion repository-security-advisories-API %} -You can also use the REST API to create repository security advisories. For more information, see "[AUTOTITLE](/rest/security-advisories/repository-advisories)." +You can also use the REST API to create repository security advisories. For more information, see [AUTOTITLE](/rest/security-advisories/repository-advisories). {% endif %} {% data reusables.repositories.navigate-to-repo %} @@ -78,7 +78,7 @@ If someone accepts credit, the person's username appears in the "Credits" sectio ## Next steps * Comment on the draft security advisory to discuss the vulnerability with your team. -* Add collaborators to the security advisory. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/adding-a-collaborator-to-a-repository-security-advisory)." -* Privately collaborate to fix the vulnerability in a temporary private fork. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability)." -* Add individuals who should receive credit for contributing to the security advisory. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/editing-a-repository-security-advisory#about-credits-for-security-advisories)." -* Publish the security advisory to notify your community of the security vulnerability. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/publishing-a-repository-security-advisory)." +* Add collaborators to the security advisory. For more information, see [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/adding-a-collaborator-to-a-repository-security-advisory). +* Privately collaborate to fix the vulnerability in a temporary private fork. For more information, see [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability). +* Add individuals who should receive credit for contributing to the security advisory. For more information, see [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/editing-a-repository-security-advisory#about-credits-for-security-advisories). +* Publish the security advisory to notify your community of the security vulnerability. For more information, see [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/publishing-a-repository-security-advisory). diff --git a/content/code-security/security-advisories/working-with-repository-security-advisories/deleting-a-repository-security-advisory.md b/content/code-security/security-advisories/working-with-repository-security-advisories/deleting-a-repository-security-advisory.md index 093af572d53f..eeb0a59b2781 100644 --- a/content/code-security/security-advisories/working-with-repository-security-advisories/deleting-a-repository-security-advisory.md +++ b/content/code-security/security-advisories/working-with-repository-security-advisories/deleting-a-repository-security-advisory.md @@ -23,4 +23,4 @@ If you publish a security advisory in error, you can delete the security advisor ## Further reading -* "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/editing-a-repository-security-advisory)" +* [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/editing-a-repository-security-advisory) diff --git a/content/code-security/security-advisories/working-with-repository-security-advisories/editing-a-repository-security-advisory.md b/content/code-security/security-advisories/working-with-repository-security-advisories/editing-a-repository-security-advisory.md index fe2adf200a31..3b96ce511740 100644 --- a/content/code-security/security-advisories/working-with-repository-security-advisories/editing-a-repository-security-advisory.md +++ b/content/code-security/security-advisories/working-with-repository-security-advisories/editing-a-repository-security-advisory.md @@ -22,7 +22,7 @@ shortTitle: Edit repository advisories ## Editing a security advisory {% ifversion repository-security-advisories-API %} -You can also use the REST API to edit repository security advisories. For more information, see "[AUTOTITLE](/rest/security-advisories/repository-advisories)". +You can also use the REST API to edit repository security advisories. For more information, see [AUTOTITLE](/rest/security-advisories/repository-advisories). {% endif %} {% data reusables.repositories.navigate-to-repo %} @@ -37,7 +37,7 @@ You can also use the REST API to edit repository security advisories. For more i {% data reusables.repositories.security-advisory-edit-cwe %} 1. Optionally, under "Credits", remove existing credits, or use the search box to find additional people you want to credit on the security advisory, then click their username to add them. {% ifversion security-advisories-credit-types %} - * Use the dropdown menu next to the name of the person you're crediting to assign a credit type. For more information about credit types, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/creating-a-repository-security-advisory#about-credits-for-repository-security-advisories)." + * Use the dropdown menu next to the name of the person you're crediting to assign a credit type. For more information about credit types, see [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/creating-a-repository-security-advisory#about-credits-for-repository-security-advisories). ![Screenshot of a draft security advisory. A dropdown menu, labeled "Choose a credit type," is highlighted with an orange outline.](/assets/images/help/security/security-advisories-choose-credit-type.png) @@ -48,4 +48,4 @@ You can also use the REST API to edit repository security advisories. For more i ## Further reading -* "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/deleting-a-repository-security-advisory)" +* [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/deleting-a-repository-security-advisory) diff --git a/content/code-security/security-advisories/working-with-repository-security-advisories/evaluating-the-security-settings-of-a-repository.md b/content/code-security/security-advisories/working-with-repository-security-advisories/evaluating-the-security-settings-of-a-repository.md index 089dc47fe318..32e1bdf24349 100644 --- a/content/code-security/security-advisories/working-with-repository-security-advisories/evaluating-the-security-settings-of-a-repository.md +++ b/content/code-security/security-advisories/working-with-repository-security-advisories/evaluating-the-security-settings-of-a-repository.md @@ -20,11 +20,11 @@ Evaluating a public repository's security settings can help security researchers If a repository is public, high level information about the repository's security settings is available to anyone. For example, you can see whether the repository has a security policy, and whether private vulnerability reporting is enabled. You can also view published and closed security advisories for the repository. If no security policy is associated with a repository, you can suggest one. If the repository has private vulnerability reporting enabled, you can privately report security vulnerabilities directly to repository maintainers. -If you have admin permissions to the repository, and the repository is owned by an organization, you can see more detailed information about the repository's security settings through the security overview. For more information on the security overview, see "[AUTOTITLE](/enterprise-cloud@latest/code-security/security-overview/about-security-overview){% ifversion ghec %}."{% else %}" in the {% data variables.product.prodname_ghe_cloud %} documentation.{% endif %} +If you have admin permissions to the repository, and the repository is owned by an organization, you can see more detailed information about the repository's security settings through the security overview. For more information on the security overview, see [AUTOTITLE](/enterprise-cloud@latest/code-security/security-overview/about-security-overview){% ifversion ghec %}."{% else %} in the {% data variables.product.prodname_ghe_cloud %} documentation.{% endif %} If a repository is private, you can only see the security settings if you have admin permissions to the repository or have been granted special security permissions covering the repository, for example, as an organization-wide security manager. -If you would like to evaluate the security posture of repositories at scale, you can use the API to check whether or not some security settings are enabled for repositories, such as private vulnerability reporting. For more information, see "[AUTOTITLE](/rest/repos/repos#check-if-private-vulnerability-reporting-is-enabled-for-a-repository)." +If you would like to evaluate the security posture of repositories at scale, you can use the API to check whether or not some security settings are enabled for repositories, such as private vulnerability reporting. For more information, see [AUTOTITLE](/rest/repos/repos#check-if-private-vulnerability-reporting-is-enabled-for-a-repository). ## Suggesting a security policy for a repository diff --git a/content/code-security/security-advisories/working-with-repository-security-advisories/permission-levels-for-repository-security-advisories.md b/content/code-security/security-advisories/working-with-repository-security-advisories/permission-levels-for-repository-security-advisories.md index 883bc218eee9..57b0a58577d5 100644 --- a/content/code-security/security-advisories/working-with-repository-security-advisories/permission-levels-for-repository-security-advisories.md +++ b/content/code-security/security-advisories/working-with-repository-security-advisories/permission-levels-for-repository-security-advisories.md @@ -18,29 +18,29 @@ topics: - Permissions shortTitle: Permission levels --- -This article applies only to repository-level security advisories. Anyone can contribute to global security advisories in the {% data variables.product.prodname_advisory_database %} at [github.com/advisories](https://github.com/advisories). Edits to global advisories will not change or affect how the advisory appears on the repository. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/editing-security-advisories-in-the-github-advisory-database)." +This article applies only to repository-level security advisories. Anyone can contribute to global security advisories in the {% data variables.product.prodname_advisory_database %} at [github.com/advisories](https://github.com/advisories). Edits to global advisories will not change or affect how the advisory appears on the repository. For more information, see [AUTOTITLE](/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/editing-security-advisories-in-the-github-advisory-database). ## Permissions overview -{% data reusables.repositories.security-advisory-admin-permissions %} For more information about adding a collaborator to a security advisory, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/adding-a-collaborator-to-a-repository-security-advisory)." +{% data reusables.repositories.security-advisory-admin-permissions %} For more information about adding a collaborator to a security advisory, see [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/adding-a-collaborator-to-a-repository-security-advisory). Action | Write permissions | Admin permissions | ------ | ----------------- | ----------------- | See a draft security advisory | {% octicon "check" aria-label="Yes" %} | {% octicon "check" aria-label="Yes" %} | -Add collaborators to the security advisory (see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/adding-a-collaborator-to-a-repository-security-advisory)") | {% octicon "x" aria-label="No" %} | {% octicon "check" aria-label="Yes" %} | +Add collaborators to the security advisory (see [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/adding-a-collaborator-to-a-repository-security-advisory)) | {% octicon "x" aria-label="No" %} | {% octicon "check" aria-label="Yes" %} | Edit and delete any comments in the security advisory | {% octicon "check" aria-label="Yes" %} | {% octicon "check" aria-label="Yes" %} | -Create a temporary private fork in the security advisory (see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability)") | {% octicon "x" aria-label="No" %} | {% octicon "check" aria-label="Yes" %} | -Add changes to a temporary private fork in the security advisory (see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability)") | {% octicon "check" aria-label="Yes" %} | {% octicon "check" aria-label="Yes" %} | -Create pull requests in a temporary private fork (see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability)") | {% octicon "check" aria-label="Yes" %} | {% octicon "check" aria-label="Yes" %} | -Merge changes in the security advisory (see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability)") | {% octicon "x" aria-label="No" %} | {% octicon "check" aria-label="Yes" %} | -Add and edit metadata in the security advisory (see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/publishing-a-repository-security-advisory)") | {% octicon "check" aria-label="Yes" %} | {% octicon "check" aria-label="Yes" %} | -Add and remove credits for a security advisory (see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/editing-a-repository-security-advisory)") | {% octicon "check" aria-label="Yes" %} | {% octicon "check" aria-label="Yes" %} | +Create a temporary private fork in the security advisory (see [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability)) | {% octicon "x" aria-label="No" %} | {% octicon "check" aria-label="Yes" %} | +Add changes to a temporary private fork in the security advisory (see [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability)) | {% octicon "check" aria-label="Yes" %} | {% octicon "check" aria-label="Yes" %} | +Create pull requests in a temporary private fork (see [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability)) | {% octicon "check" aria-label="Yes" %} | {% octicon "check" aria-label="Yes" %} | +Merge changes in the security advisory (see [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability)) | {% octicon "x" aria-label="No" %} | {% octicon "check" aria-label="Yes" %} | +Add and edit metadata in the security advisory (see [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/publishing-a-repository-security-advisory)) | {% octicon "check" aria-label="Yes" %} | {% octicon "check" aria-label="Yes" %} | +Add and remove credits for a security advisory (see [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/editing-a-repository-security-advisory)) | {% octicon "check" aria-label="Yes" %} | {% octicon "check" aria-label="Yes" %} | Close the draft security advisory | {% octicon "x" aria-label="No" %} | {% octicon "check" aria-label="Yes" %} | -Publish the security advisory (see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/publishing-a-repository-security-advisory)") | {% octicon "x" aria-label="No" %} | {% octicon "check" aria-label="Yes" %} | +Publish the security advisory (see [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/publishing-a-repository-security-advisory)) | {% octicon "x" aria-label="No" %} | {% octicon "check" aria-label="Yes" %} | ## Further reading -* "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/adding-a-collaborator-to-a-repository-security-advisory)" -* "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability)" -* "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/removing-a-collaborator-from-a-repository-security-advisory)" -* "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/deleting-a-repository-security-advisory)" +* [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/adding-a-collaborator-to-a-repository-security-advisory) +* [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability) +* [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/removing-a-collaborator-from-a-repository-security-advisory) +* [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/deleting-a-repository-security-advisory) diff --git a/content/code-security/security-advisories/working-with-repository-security-advisories/publishing-a-repository-security-advisory.md b/content/code-security/security-advisories/working-with-repository-security-advisories/publishing-a-repository-security-advisory.md index 2b53d847974b..85cb3644b3ee 100644 --- a/content/code-security/security-advisories/working-with-repository-security-advisories/publishing-a-repository-security-advisory.md +++ b/content/code-security/security-advisories/working-with-repository-security-advisories/publishing-a-repository-security-advisory.md @@ -27,9 +27,9 @@ Anyone with admin permissions to a security advisory can publish the security ad ## Prerequisites -Before you can publish a security advisory or request a CVE identification number, you must create a draft security advisory and provide information about the versions of your project affected by the security vulnerability. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/creating-a-repository-security-advisory)." +Before you can publish a security advisory or request a CVE identification number, you must create a draft security advisory and provide information about the versions of your project affected by the security vulnerability. For more information, see [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/creating-a-repository-security-advisory). -If you've created a security advisory but haven't yet provided details about the versions of your project that the security vulnerability affects, you can edit the security advisory. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/editing-a-repository-security-advisory)." +If you've created a security advisory but haven't yet provided details about the versions of your project that the security vulnerability affects, you can edit the security advisory. For more information, see [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/editing-a-repository-security-advisory). ## About publishing a security advisory @@ -37,7 +37,7 @@ When you publish a security advisory, you notify your community about the securi {% data reusables.repositories.security-advisories-republishing %} -Before you publish a security advisory, you can privately collaborate to fix the vulnerability in a temporary private fork. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability)." +Before you publish a security advisory, you can privately collaborate to fix the vulnerability in a temporary private fork. For more information, see [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability). > [!WARNING] > Whenever possible, you should always add a fix version to a security advisory prior to publishing the advisory. If you don't, the advisory will be published without a fixed version, and {% data variables.product.prodname_dependabot %} will alert your users about the issue, without offering any safe version to update to. @@ -58,7 +58,7 @@ When you publish a draft advisory from a public repository, everyone is able to After you publish a security advisory, the URL for the security advisory will remain the same as before you published the security advisory. Anyone with read access to the repository can see the security advisory. Collaborators on the security advisory can continue to view past conversations, including the full comment stream, in the security advisory unless someone with admin permissions removes the collaborator from the security advisory. -If you need to update or correct information in a security advisory that you've published, you can edit the security advisory. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/editing-a-repository-security-advisory)." +If you need to update or correct information in a security advisory that you've published, you can edit the security advisory. For more information, see [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/editing-a-repository-security-advisory). ## Publishing a security advisory @@ -73,7 +73,7 @@ Publishing a security advisory deletes the temporary private fork for the securi ![Screenshot of the "Required advisory information has been provided" area of a draft security advisory. The "Publish advisory" button is outlined in dark orange.](/assets/images/help/security/publish-advisory-button.png) > [!NOTE] - > If you selected "Request CVE ID later", you will see a **Request CVE** button in place of the **Publish advisory** button. For more information, see "[Requesting a CVE identification number (Optional)](#requesting-a-cve-identification-number-optional)" below. + > If you selected "Request CVE ID later", you will see a **Request CVE** button in place of the **Publish advisory** button. For more information, see [Requesting a CVE identification number (Optional)](#requesting-a-cve-identification-number-optional) below. ## {% data variables.product.prodname_dependabot_alerts %} for published security advisories @@ -81,7 +81,7 @@ Publishing a security advisory deletes the temporary private fork for the securi ## Requesting a CVE identification number (Optional) -{% data reusables.repositories.request-security-advisory-cve-id %} For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/about-repository-security-advisories#cve-identification-numbers)." +{% data reusables.repositories.request-security-advisory-cve-id %} For more information, see [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/about-repository-security-advisories#cve-identification-numbers). {% data reusables.repositories.navigate-to-repo %} {% data reusables.repositories.sidebar-security %} @@ -93,4 +93,4 @@ Publishing a security advisory deletes the temporary private fork for the securi ## Further reading -* "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/deleting-a-repository-security-advisory)" +* [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/deleting-a-repository-security-advisory) diff --git a/content/code-security/security-advisories/working-with-repository-security-advisories/removing-a-collaborator-from-a-repository-security-advisory.md b/content/code-security/security-advisories/working-with-repository-security-advisories/removing-a-collaborator-from-a-repository-security-advisory.md index d6cff1a60ae7..feee1389ff6c 100644 --- a/content/code-security/security-advisories/working-with-repository-security-advisories/removing-a-collaborator-from-a-repository-security-advisory.md +++ b/content/code-security/security-advisories/working-with-repository-security-advisories/removing-a-collaborator-from-a-repository-security-advisory.md @@ -36,5 +36,5 @@ People with admin permissions to a security advisory can remove collaborators fr ## Further reading -* "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/permission-levels-for-repository-security-advisories)" -* "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/adding-a-collaborator-to-a-repository-security-advisory)" +* [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/permission-levels-for-repository-security-advisories) +* [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/adding-a-collaborator-to-a-repository-security-advisory) diff --git a/content/code-security/security-overview/about-security-overview.md b/content/code-security/security-overview/about-security-overview.md index 102477df6983..a473adeb8ec2 100644 --- a/content/code-security/security-overview/about-security-overview.md +++ b/content/code-security/security-overview/about-security-overview.md @@ -30,17 +30,17 @@ Security overview contains focused views where you can explore trends in detecti * Information about {% data variables.product.prodname_dependabot %} features and alerts is shown for all repositories. * Information for {% data variables.product.prodname_GH_advanced_security %} features, such as {% data variables.product.prodname_code_scanning %} and {% data variables.product.prodname_secret_scanning %}, is shown for enterprises that use {% data variables.product.prodname_GH_advanced_security %}{% ifversion ghec %} and for public repositories{% endif %}. -For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts#dependabot-alerts-for-vulnerable-dependencies)" and "[AUTOTITLE](/get-started/learning-about-github/about-github-advanced-security)." +For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts#dependabot-alerts-for-vulnerable-dependencies) and [AUTOTITLE](/get-started/learning-about-github/about-github-advanced-security). ## About the views > [!NOTE] > All views show information and metrics for the **default** branches of the repositories you have permission to view in an organization or enterprise. -The views are interactive with filters that allow you to look at the aggregated data in detail and identify sources of high risk, see security trends, and see the impact of pull request analysis on blocking security vulnerabilities entering your code. As you apply multiple filters to focus on narrower areas of interest, all data and metrics across the view change to reflect your current selection. For more information, see "[AUTOTITLE](/code-security/security-overview/filtering-alerts-in-security-overview)." +The views are interactive with filters that allow you to look at the aggregated data in detail and identify sources of high risk, see security trends, and see the impact of pull request analysis on blocking security vulnerabilities entering your code. As you apply multiple filters to focus on narrower areas of interest, all data and metrics across the view change to reflect your current selection. For more information, see [AUTOTITLE](/code-security/security-overview/filtering-alerts-in-security-overview). {% ifversion security-overview-export-data %} -{% data reusables.security-overview.download-csv-files %} For more information, see "[AUTOTITLE](/code-security/security-overview/exporting-data-from-security-overview)." +{% data reusables.security-overview.download-csv-files %} For more information, see [AUTOTITLE](/code-security/security-overview/exporting-data-from-security-overview). {% endif %} There are dedicated views for each type of security alert. You can limit your analysis to a specific type of alert, and then narrow the results further with a range of filters specific to each view. For example, in the {% data variables.product.prodname_secret_scanning %} alert view, you can use the "Secret type" filter to view only {% data variables.secret-scanning.alerts %} for a specific secret, like a {% data variables.product.prodname_dotcom %} {% data variables.product.pat_generic %}. @@ -50,22 +50,22 @@ There are dedicated views for each type of security alert. You can limit your an ## About security overview for organizations -The application security team at your company can use the different views for both broad and specific analyses of your organization's security status. For example, {% ifversion security-overview-dashboard %}the team can use the "Overview" dashboard view to track your organization's security landscape and progression{% else %}the team can use the "Coverage" view to monitor the adoption of features across your organization or by a specific team as you roll out {% data variables.product.prodname_GH_advanced_security %}, or use the "Risk" view to identify repositories with more than five open {% data variables.secret-scanning.alerts %}{% endif %}. {% ifversion pre-security-configurations %}You can also use security overview to find a set of repositories and enable or disable security features for them all at the same time. For more information, see "[AUTOTITLE](/code-security/security-overview/enabling-security-features-for-multiple-repositories)."{% endif %} +The application security team at your company can use the different views for both broad and specific analyses of your organization's security status. For example, {% ifversion security-overview-dashboard %}the team can use the "Overview" dashboard view to track your organization's security landscape and progression{% else %}the team can use the "Coverage" view to monitor the adoption of features across your organization or by a specific team as you roll out {% data variables.product.prodname_GH_advanced_security %}, or use the "Risk" view to identify repositories with more than five open {% data variables.secret-scanning.alerts %}{% endif %}. {% ifversion pre-security-configurations %}You can also use security overview to find a set of repositories and enable or disable security features for them all at the same time. For more information, see [AUTOTITLE](/code-security/security-overview/enabling-security-features-for-multiple-repositories).{% endif %} -You can find security overview on the **Security** tab for any organization. Each view shows a summary of the data that you have access to. As you add filters, all data and metrics across the view change to reflect the repositories or alerts that you've selected. For information about permissions, see "[Permission to view data in security overview](#permission-to-view-data-in-security-overview)." +You can find security overview on the **Security** tab for any organization. Each view shows a summary of the data that you have access to. As you add filters, all data and metrics across the view change to reflect the repositories or alerts that you've selected. For information about permissions, see [Permission to view data in security overview](#permission-to-view-data-in-security-overview). Security overview has multiple views that provide different ways to explore enablement and alert data. {% ifversion security-overview-dashboard %} -* **Overview:** visualize trends in **Detection**, **Remediation**, and **Prevention** of security alerts, see "[AUTOTITLE](/code-security/security-overview/viewing-security-insights)."{% endif %} -* **Risk and Alert views:** explore the risk from security alerts of all types or focus on a single alert type and identify your risk from specific vulnerable dependencies, code weaknesses, or leaked secrets, see "[AUTOTITLE](/code-security/security-overview/assessing-code-security-risk)." -* **Coverage:** assess the adoption of code security features across repositories in the organization, see "[AUTOTITLE](/code-security/security-overview/assessing-adoption-code-security)."{% ifversion security-overview-tool-adoption %} +* **Overview:** visualize trends in **Detection**, **Remediation**, and **Prevention** of security alerts, see [AUTOTITLE](/code-security/security-overview/viewing-security-insights).{% endif %} +* **Risk and Alert views:** explore the risk from security alerts of all types or focus on a single alert type and identify your risk from specific vulnerable dependencies, code weaknesses, or leaked secrets, see [AUTOTITLE](/code-security/security-overview/assessing-code-security-risk). +* **Coverage:** assess the adoption of code security features across repositories in the organization, see [AUTOTITLE](/code-security/security-overview/assessing-adoption-code-security).{% ifversion security-overview-tool-adoption %} * **Enablement trends:** see how quickly different teams are adopting security features.{% endif %}{% ifversion security-overview-org-codeql-pr-alerts %} -* **CodeQL pull request alerts:** assess the impact of running CodeQL on pull requests and how development teams are resolving code scanning alerts, see "[AUTOTITLE](/code-security/security-overview/viewing-metrics-for-pull-request-alerts)."{% endif %}{% ifversion security-overview-push-protection-metrics-page %} -* **Secret scanning:** find out which types of secret are blocked by push protection{% ifversion security-overview-delegated-bypass-requests %} and which teams are bypassing push protection{% endif %}, see "[AUTOTITLE](/code-security/security-overview/viewing-metrics-for-secret-scanning-push-protection){% ifversion security-overview-delegated-bypass-requests %}" and "[AUTOTITLE](/code-security/security-overview/reviewing-requests-to-bypass-push-protection){% endif %}."{% endif %} +* **CodeQL pull request alerts:** assess the impact of running CodeQL on pull requests and how development teams are resolving code scanning alerts, see [AUTOTITLE](/code-security/security-overview/viewing-metrics-for-pull-request-alerts).{% endif %}{% ifversion security-overview-push-protection-metrics-page %} +* **Secret scanning:** find out which types of secret are blocked by push protection{% ifversion security-overview-delegated-bypass-requests %} and which teams are bypassing push protection{% endif %}, see [AUTOTITLE](/code-security/security-overview/viewing-metrics-for-secret-scanning-push-protection){% ifversion security-overview-delegated-bypass-requests %} and [AUTOTITLE](/code-security/security-overview/reviewing-requests-to-bypass-push-protection){% endif %}.{% endif %} {% ifversion security-campaigns %} -You also create and manage security campaigns to remediate alerts from security overview, see "[AUTOTITLE](/code-security/securing-your-organization/fixing-security-alerts-at-scale/creating-tracking-security-campaigns)" and "[AUTOTITLE](/code-security/securing-your-organization/fixing-security-alerts-at-scale/best-practice-fix-alerts-at-scale)." +You also create and manage security campaigns to remediate alerts from security overview, see [AUTOTITLE](/code-security/securing-your-organization/fixing-security-alerts-at-scale/creating-tracking-security-campaigns) and [AUTOTITLE](/code-security/securing-your-organization/fixing-security-alerts-at-scale/best-practice-fix-alerts-at-scale). {% endif %} ## About security overview for enterprises @@ -74,7 +74,7 @@ You can find security overview on the **Code Security** tab for your enterprise. As with security overview for organizations, security overview for enterprises has multiple views that provide different ways to explore data. -For information about permissions, see "[Permission to view data in security overview](#permission-to-view-data-in-security-overview)." +For information about permissions, see [Permission to view data in security overview](#permission-to-view-data-in-security-overview). ## Permission to view data in security overview @@ -113,23 +113,23 @@ If you are an **organization or team member**, you can view security overview fo > [!NOTE] > To ensure a consistent and responsive experience, for organization members, the organization-level security overview pages will only display results from the most recently updated 3,000 repositories. If your results have been restricted, a notification will appear at the top of the page. Organization owners and security managers will see results from all repositories. -For more information about access to security alerts and related views, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#granting-access-to-security-alerts)" and "[AUTOTITLE](/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/about-custom-repository-roles#security)." +For more information about access to security alerts and related views, see [AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#granting-access-to-security-alerts) and [AUTOTITLE](/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/about-custom-repository-roles#security). ### Enterprise-level overview > [!NOTE] -> If you are an **enterprise owner**, you will need to join an organization as an organization owner to view data for the organization's repositories in both the organization-level and enterprise-level overview.{% ifversion secret-scanning-user-owned-repos %} {% data reusables.secret-scanning.secret-scanning-user-owned-repo-access %}{% endif %} For more information, see "[AUTOTITLE](/admin/user-management/managing-organizations-in-your-enterprise/managing-your-role-in-an-organization-owned-by-your-enterprise)." +> If you are an **enterprise owner**, you will need to join an organization as an organization owner to view data for the organization's repositories in both the organization-level and enterprise-level overview.{% ifversion secret-scanning-user-owned-repos %} {% data reusables.secret-scanning.secret-scanning-user-owned-repo-access %}{% endif %} For more information, see [AUTOTITLE](/admin/user-management/managing-organizations-in-your-enterprise/managing-your-role-in-an-organization-owned-by-your-enterprise). -In the enterprise-level security overview, you can see data for all organizations where you are an **organization owner or security manager**. {% ifversion pre-security-configurations %}However, you cannot use the enterprise-level security overview to enable and disable security features. {% endif %}For more information, see "[AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise)." +In the enterprise-level security overview, you can see data for all organizations where you are an **organization owner or security manager**. {% ifversion pre-security-configurations %}However, you cannot use the enterprise-level security overview to enable and disable security features. {% endif %}For more information, see [AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise). {% ifversion ghec %} -If you're an owner of an {% data variables.enterprise.prodname_emu_enterprise %}, you can view data from user-owned repositories in security overview and filter by repository owner type. For more information on {% data variables.enterprise.prodname_managed_users %}, see "[AUTOTITLE](/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/about-enterprise-managed-users)." +If you're an owner of an {% data variables.enterprise.prodname_emu_enterprise %}, you can view data from user-owned repositories in security overview and filter by repository owner type. For more information on {% data variables.enterprise.prodname_managed_users %}, see [AUTOTITLE](/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/about-enterprise-managed-users). {% endif %} ## Further reading -* "[AUTOTITLE](/code-security/getting-started/securing-your-repository)"{% ifversion security-configurations %} -* "[AUTOTITLE](/code-security/securing-your-organization)"{% else %} -* "[AUTOTITLE](/code-security/getting-started/quickstart-for-securing-your-organization)"{% endif %} -* "[AUTOTITLE](/code-security/adopting-github-advanced-security-at-scale/introduction-to-adopting-github-advanced-security-at-scale)" +* [AUTOTITLE](/code-security/getting-started/securing-your-repository){% ifversion security-configurations %} +* [AUTOTITLE](/code-security/securing-your-organization){% else %} +* [AUTOTITLE](/code-security/getting-started/quickstart-for-securing-your-organization){% endif %} +* [AUTOTITLE](/code-security/adopting-github-advanced-security-at-scale/introduction-to-adopting-github-advanced-security-at-scale) {% endif %} diff --git a/content/code-security/security-overview/assessing-adoption-code-security.md b/content/code-security/security-overview/assessing-adoption-code-security.md index d86a3363e05c..108479724e07 100644 --- a/content/code-security/security-overview/assessing-adoption-code-security.md +++ b/content/code-security/security-overview/assessing-adoption-code-security.md @@ -26,12 +26,12 @@ You can use security overview to see which repositories and teams have already e >[!NOTE] "Pull request alerts" are reported as enabled only when {% data variables.product.prodname_code_scanning %} has analyzed at least one pull request since alerts were enabled for the repository. {% ifversion security-overview-export-data %} -You can download a CSV file of the data displayed on the "Security coverage" page. This data file can be used for efforts like security research and in-depth data analysis, and can integrate easily with external datasets. For more information, see "[AUTOTITLE](/code-security/security-overview/exporting-data-from-security-overview)." +You can download a CSV file of the data displayed on the "Security coverage" page. This data file can be used for efforts like security research and in-depth data analysis, and can integrate easily with external datasets. For more information, see [AUTOTITLE](/code-security/security-overview/exporting-data-from-security-overview). {% endif %} {% ifversion security-overview-tool-adoption %} -You can use the "Enablement trends" view to see enablement status and enablement status trends over time for {% data variables.product.prodname_dependabot %}, {% data variables.product.prodname_code_scanning %}, or {% data variables.product.prodname_secret_scanning %} for repositories in an organization{% ifversion security-overview-enterprise-enablement-report %}, or across organizations in an enterprise{% endif %}. For each of these features, you can view a graph visualizing the percentage of repositories that have the feature enabled, as well as a detailed table with enablement percentages for different points in time. For more information, see "[Viewing enablement trends for an organization](#viewing-enablement-trends-for-an-organization){% ifversion security-overview-enterprise-enablement-report %}" and "[Viewing enablement trends for an enterprise](#viewing-enablement-trends-for-an-enterprise){% endif %}." +You can use the "Enablement trends" view to see enablement status and enablement status trends over time for {% data variables.product.prodname_dependabot %}, {% data variables.product.prodname_code_scanning %}, or {% data variables.product.prodname_secret_scanning %} for repositories in an organization{% ifversion security-overview-enterprise-enablement-report %}, or across organizations in an enterprise{% endif %}. For each of these features, you can view a graph visualizing the percentage of repositories that have the feature enabled, as well as a detailed table with enablement percentages for different points in time. For more information, see "[Viewing enablement trends for an organization](#viewing-enablement-trends-for-an-organization){% ifversion security-overview-enterprise-enablement-report %}" and [Viewing enablement trends for an enterprise](#viewing-enablement-trends-for-an-enterprise){% endif %}. {% endif %} @@ -47,8 +47,8 @@ You can view data to assess the enablement of code security features across repo ![Screenshot of the "Security coverage" view. The options for filtering are outlined in dark orange.](/assets/images/help/security-overview/security-coverage-view-highlights.png) {% ifversion pre-security-configurations %} -1. Optionally, click **{% octicon "gear" aria-hidden="true" %} Security settings** to enable code security features for a repository and click **Save security settings** to confirm the changes. If a feature is not shown, it has more complex configuration requirements and you need to use the repository settings dialog. For more information, see "[AUTOTITLE](/code-security/getting-started/securing-your-repository)." -1. Optionally, select some or all of the repositories that match your current search and click **Security settings** in the table header to display a side panel where you can enable security features for the selected repositories. When you've finished, click **Apply changes** to confirm the changes. For more information, see "[AUTOTITLE](/code-security/security-overview/enabling-security-features-for-multiple-repositories)." +1. Optionally, click **{% octicon "gear" aria-hidden="true" %} Security settings** to enable code security features for a repository and click **Save security settings** to confirm the changes. If a feature is not shown, it has more complex configuration requirements and you need to use the repository settings dialog. For more information, see [AUTOTITLE](/code-security/getting-started/securing-your-repository). +1. Optionally, select some or all of the repositories that match your current search and click **Security settings** in the table header to display a side panel where you can enable security features for the selected repositories. When you've finished, click **Apply changes** to confirm the changes. For more information, see [AUTOTITLE](/code-security/security-overview/enabling-security-features-for-multiple-repositories). {% data reusables.security-overview.settings-limitations %} @@ -56,7 +56,7 @@ You can view data to assess the enablement of code security features across repo {% ifversion dependabot-updates-paused-enterprise-orgs %} -In the list of repositories, a "Paused" label under "{% data variables.product.prodname_dependabot %}" indicates repositories for which {% data variables.product.prodname_dependabot_updates %} are paused. For information about inactivity criteria, see "[AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates#about-automatic-deactivation-of-dependabot-updates)" and "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates#about-automatic-deactivation-of-dependabot-updates)," for security and version updates, respectively.{% endif %} +In the list of repositories, a "Paused" label under "{% data variables.product.prodname_dependabot %}" indicates repositories for which {% data variables.product.prodname_dependabot_updates %} are paused. For information about inactivity criteria, see [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates#about-automatic-deactivation-of-dependabot-updates) and [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates#about-automatic-deactivation-of-dependabot-updates), for security and version updates, respectively.{% endif %} ## Viewing the enablement of code security features for an enterprise @@ -93,7 +93,7 @@ You can view data to assess the enablement status and enablement status trends o 1. Click on one of the tabs for "{% data variables.product.prodname_dependabot %}", "{% data variables.product.prodname_code_scanning_caps %}", or "{% data variables.product.prodname_secret_scanning_caps %}" to view enablement trends and the percentage of repositories in your organization with that feature enabled. This data is displayed as a graph and a detailed table. 1. Optionally, use the options at the top of the "Enablement trends" view page to filter the group of repositories you want to see enablement trends for. * Use the date picker to set the time range that you want to view enablement trends for. - * Click in the search box to add further filters on the enablement trends displayed. The filters you can apply are the same as those for the "Overview" dashboard view. For more information, see "[AUTOTITLE](/code-security/security-overview/filtering-alerts-in-security-overview)." + * Click in the search box to add further filters on the enablement trends displayed. The filters you can apply are the same as those for the "Overview" dashboard view. For more information, see [AUTOTITLE](/code-security/security-overview/filtering-alerts-in-security-overview). ![Screenshot of the "Enablement trends" view for an organization, showing Dependabot status and trends over 30 days, with a filter applied.](/assets/images/help/security-overview/security-overview-enablement-trends.png) @@ -117,16 +117,16 @@ You can view data to assess the enablement status and enablement status trends o 1. Click on one of the tabs for "{% data variables.product.prodname_dependabot %}", "{% data variables.product.prodname_code_scanning_caps %}", or "{% data variables.product.prodname_secret_scanning_caps %}" to view enablement trends and the percentage of repositories across organizations in your enterprise with that feature enabled. This data is displayed as a graph and a detailed table. 1. Optionally, use the options at the top of the "Enablement trends" view page to filter the group of repositories you want to see enablement trends for. * Use the date picker to set the time range that you want to view enablement trends for. - * Click in the search box to add further filters on the enablement trends displayed. For more information, see "[AUTOTITLE](/code-security/security-overview/filtering-alerts-in-security-overview)." + * Click in the search box to add further filters on the enablement trends displayed. For more information, see [AUTOTITLE](/code-security/security-overview/filtering-alerts-in-security-overview). ->[!TIP] You can use the `owner:` filter in the search field to filter the data by organization. For more information, see "[AUTOTITLE](/code-security/security-overview/filtering-alerts-in-security-overview)." +>[!TIP] You can use the `owner:` filter in the search field to filter the data by organization. For more information, see [AUTOTITLE](/code-security/security-overview/filtering-alerts-in-security-overview). {% endif %} ## Interpreting and acting on the enablement data -Some code security features can and should be enabled on all repositories. For example, {% data variables.secret-scanning.alerts %} and push protection reduce the risk of a security leak no matter what information is stored in the repository. If you see repositories that don't already use these features, you should either enable them or discuss an enablement plan with the team who owns the repository. For information on enabling features for a whole organization, see {% ifversion security-configurations %}"[AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization){% else %}"[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization){% endif %}." For information on enabling features across your entire enterprise, see "[AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise)." +Some code security features can and should be enabled on all repositories. For example, {% data variables.secret-scanning.alerts %} and push protection reduce the risk of a security leak no matter what information is stored in the repository. If you see repositories that don't already use these features, you should either enable them or discuss an enablement plan with the team who owns the repository. For information on enabling features for a whole organization, see {% ifversion security-configurations %}[AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization){% else %}[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization){% endif %}. For information on enabling features across your entire enterprise, see [AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise). Other features are not available for use in all repositories. For example, there would be no point in enabling {% data variables.product.prodname_dependabot %}{% ifversion default-setup-pre-enablement %}{% else %} or {% data variables.product.prodname_code_scanning %}{% endif %} for repositories that only use ecosystems or languages that are unsupported. As such, it's normal to have some repositories where these features are not enabled. -Your enterprise may also have configured policies to limit the use of some code security features. For more information, see "[AUTOTITLE](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-code-security-and-analysis-for-your-enterprise)." +Your enterprise may also have configured policies to limit the use of some code security features. For more information, see [AUTOTITLE](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-code-security-and-analysis-for-your-enterprise). diff --git a/content/code-security/security-overview/assessing-code-security-risk.md b/content/code-security/security-overview/assessing-code-security-risk.md index 7a6490b86354..227fb3db10cc 100644 --- a/content/code-security/security-overview/assessing-code-security-risk.md +++ b/content/code-security/security-overview/assessing-code-security-risk.md @@ -36,7 +36,7 @@ These views provide you with the data and filters to: * Export your current selection of data for further analysis and reporting. {% endif %} {% ifversion security-overview-dashboard %} -For information about the **Overview**, see "[AUTOTITLE](/code-security/security-overview/viewing-security-insights)."{% endif %} +For information about the **Overview**, see [AUTOTITLE](/code-security/security-overview/viewing-security-insights).{% endif %} ## Viewing organization-level code security risks @@ -50,7 +50,7 @@ For information about the **Overview**, see "[AUTOTITLE](/code-security/security {% data reusables.security-overview.unaffected-repositories %} {% data reusables.organizations.security-overview-feature-specific-page %} {% ifversion security-overview-export-data %} -1. Optionally, use the **{% octicon "download" aria-hidden="true" %} Export CSV** button to download a CSV file of the data currently displayed on the page for security research and in-depth data analysis. For more information, see "[AUTOTITLE](/code-security/security-overview/exporting-data-from-security-overview)." {% endif %} +1. Optionally, use the **{% octicon "download" aria-hidden="true" %} Export CSV** button to download a CSV file of the data currently displayed on the page for security research and in-depth data analysis. For more information, see [AUTOTITLE](/code-security/security-overview/exporting-data-from-security-overview). {% endif %} {% data reusables.security-overview.alert-differences %} @@ -69,7 +69,7 @@ You can view data for security alerts across organizations in an enterprise. {% data reusables.security-overview.unaffected-repositories %} {% data reusables.organizations.security-overview-feature-specific-page %}{% ifversion security-overview-export-data %} -1. Optionally, use the {% octicon "download" aria-hidden="true" %} **Export CSV** button to download a CSV file of the data currently displayed on the page for security research and in-depth data analysis. For more information, see "[AUTOTITLE](/code-security/security-overview/exporting-data-from-security-overview)." {% endif %} +1. Optionally, use the {% octicon "download" aria-hidden="true" %} **Export CSV** button to download a CSV file of the data currently displayed on the page for security research and in-depth data analysis. For more information, see [AUTOTITLE](/code-security/security-overview/exporting-data-from-security-overview). {% endif %} {% data reusables.security-overview.alert-differences %} @@ -77,5 +77,5 @@ You can view data for security alerts across organizations in an enterprise. ## Next steps -When you have assessed your code security risks, you are ready to create a security campaign to collaborate with developers to remediate alerts. For information about fixing security alerts at scale, see "[AUTOTITLE](/code-security/securing-your-organization/fixing-security-alerts-at-scale/creating-tracking-security-campaigns)" and "[AUTOTITLE](/code-security/securing-your-organization/fixing-security-alerts-at-scale/best-practice-fix-alerts-at-scale)." +When you have assessed your code security risks, you are ready to create a security campaign to collaborate with developers to remediate alerts. For information about fixing security alerts at scale, see [AUTOTITLE](/code-security/securing-your-organization/fixing-security-alerts-at-scale/creating-tracking-security-campaigns) and [AUTOTITLE](/code-security/securing-your-organization/fixing-security-alerts-at-scale/best-practice-fix-alerts-at-scale). {% endif %} diff --git a/content/code-security/security-overview/enabling-security-features-for-multiple-repositories.md b/content/code-security/security-overview/enabling-security-features-for-multiple-repositories.md index 92a30a235aed..f7deb94d8dea 100644 --- a/content/code-security/security-overview/enabling-security-features-for-multiple-repositories.md +++ b/content/code-security/security-overview/enabling-security-features-for-multiple-repositories.md @@ -21,14 +21,14 @@ If you're a security manager, repository administrator, or organization owner, y You can use checkboxes to select which repositories you want to include, or use the search bar to narrow down to a specific subset of repositories, and enable or disable security features for that group. This is useful if you want to introduce a feature to your organization gradually over time, or if your organization requires a complex security setup where different features are enabled in different repositories. For example, if you are enabling a feature across a group of repositories, you may find the following filtering options helpful. -* To exclude certain repositories from the selection, you can assign a topic such as `test` to these repositories, then exclude them from the results with a search like `-topic:test`. For more information, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/classifying-your-repository-with-topics)." +* To exclude certain repositories from the selection, you can assign a topic such as `test` to these repositories, then exclude them from the results with a search like `-topic:test`. For more information, see [AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/classifying-your-repository-with-topics). * If a team uses repositories that all require a certain feature, you can use the `team:` filter to search for repositories where a team has write access. -* If you're enabling {% data variables.product.prodname_code_scanning %}, you can see which repositories are eligible for default setup with the search `code-scanning-default-setup:eligible`. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning-at-scale)."{% ifversion security-overview-repository-properties %} -* You can use custom repository properties to filter security overview to show results from specific groups of repositories. Custom properties are metadata that organization owners can add and set for repositories in an organization. For more information, see "[AUTOTITLE](/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization)."{% endif %} +* If you're enabling {% data variables.product.prodname_code_scanning %}, you can see which repositories are eligible for default setup with the search `code-scanning-default-setup:eligible`. For more information, see [AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning-at-scale).{% ifversion security-overview-repository-properties %} +* You can use custom repository properties to filter security overview to show results from specific groups of repositories. Custom properties are metadata that organization owners can add and set for repositories in an organization. For more information, see [AUTOTITLE](/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization).{% endif %} -For more information on filters you can use in different parts of security overview, see "[AUTOTITLE](/code-security/security-overview/filtering-alerts-in-security-overview)." +For more information on filters you can use in different parts of security overview, see [AUTOTITLE](/code-security/security-overview/filtering-alerts-in-security-overview). -For more information about the different ways of enabling security features in an organization, see {% ifversion security-configurations %}"[AUTOTITLE](/code-security/securing-your-organization)."{% else %}"[AUTOTITLE](/code-security/getting-started/quickstart-for-securing-your-organization)."{% endif %} +For more information about the different ways of enabling security features in an organization, see {% ifversion security-configurations %}[AUTOTITLE](/code-security/securing-your-organization).{% else %}[AUTOTITLE](/code-security/getting-started/quickstart-for-securing-your-organization).{% endif %} ## Enabling security features for multiple repositories @@ -55,6 +55,6 @@ The security features that you can enable and disable in this view are: * {% data variables.secret-scanning.alerts_caps %} * {% data variables.product.prodname_secret_scanning_caps %} as a push protection -If you're blocked from enabling a security feature due to an enterprise policy, you will still be able to see the affected repository in the "Security Coverage" view and access the side panel from the **{% octicon "gear" aria-hidden="true" %} Security settings** button. However, you will see a message in the side panel indicating that the functionality is not available. For more information about enterprise policies, see "[AUTOTITLE](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-code-security-and-analysis-for-your-enterprise)." +If you're blocked from enabling a security feature due to an enterprise policy, you will still be able to see the affected repository in the "Security Coverage" view and access the side panel from the **{% octicon "gear" aria-hidden="true" %} Security settings** button. However, you will see a message in the side panel indicating that the functionality is not available. For more information about enterprise policies, see [AUTOTITLE](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-code-security-and-analysis-for-your-enterprise). -Organization owners and security managers can use security overview to enable or disable security features for all repositories belonging to their organization. There are no enterprise policies that restrict organization owners or security managers from enabling or disabling any security features. For more information about enterprise policies, see "[AUTOTITLE](/admin/policies/enforcing-policies-for-your-enterprise/about-enterprise-policies)." +Organization owners and security managers can use security overview to enable or disable security features for all repositories belonging to their organization. There are no enterprise policies that restrict organization owners or security managers from enabling or disabling any security features. For more information about enterprise policies, see [AUTOTITLE](/admin/policies/enforcing-policies-for-your-enterprise/about-enterprise-policies). diff --git a/content/code-security/security-overview/filtering-alerts-in-security-overview.md b/content/code-security/security-overview/filtering-alerts-in-security-overview.md index 847c00461001..bc22de44757f 100644 --- a/content/code-security/security-overview/filtering-alerts-in-security-overview.md +++ b/content/code-security/security-overview/filtering-alerts-in-security-overview.md @@ -65,8 +65,8 @@ These qualifiers are available in all views. | Qualifier | Description | |--------|--------| -| `team` | Display data for all repositories that the specified team has {% ifversion security-overview-team-write-access -%} write access or {% endif -%} admin access to. For more information on repository roles, see "[AUTOTITLE](/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/repository-roles-for-an-organization)". | -| `topic` | Display data for all repositories that are classified with a specific topic. For more information on repository topics, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/classifying-your-repository-with-topics)." | +| `team` | Display data for all repositories that the specified team has {% ifversion security-overview-team-write-access -%} write access or {% endif -%} admin access to. For more information on repository roles, see [AUTOTITLE](/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/repository-roles-for-an-organization). | +| `topic` | Display data for all repositories that are classified with a specific topic. For more information on repository topics, see [AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/classifying-your-repository-with-topics). | {% ifversion security-overview-repository-properties %} @@ -75,7 +75,7 @@ These qualifiers are available in all views. > [!NOTE] > Repository properties are in {% data variables.release-phases.public_preview %} and subject to change. -Custom repository properties are metadata that organization owners can add to repositories in an organization, providing a way to group repositories by the information you are interested in. For example, you can add custom repository properties for compliance frameworks or data sensitivity. For more information on adding custom repository properties, see "[AUTOTITLE](/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization)." +Custom repository properties are metadata that organization owners can add to repositories in an organization, providing a way to group repositories by the information you are interested in. For example, you can add custom repository properties for compliance frameworks or data sensitivity. For more information on adding custom repository properties, see [AUTOTITLE](/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization). If you add custom properties to your organization and set values for repositories, you can filter the "Overview" using those custom properties as qualifiers. These qualifiers are available in both the organization-level and enterprise-level views. @@ -188,7 +188,7 @@ You can filter the view to show {% data variables.product.prodname_dependabot_al | Qualifier | Description | | -------- | -------- | |`ecosystem`|Display {% data variables.product.prodname_dependabot_alerts %} detected in a specified ecosystem, for example: `ecosystem:Maven`.| -|`has`| Display {% data variables.product.prodname_dependabot_alerts %} for vulnerabilities where either a secure version is already available (`patch`) or where at least one call from the repository to a vulnerable function is detected (`vulnerable-calls`). For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts#about-the-detection-of-calls-to-vulnerable-functions)."| +|`has`| Display {% data variables.product.prodname_dependabot_alerts %} for vulnerabilities where either a secure version is already available (`patch`) or where at least one call from the repository to a vulnerable function is detected (`vulnerable-calls`). For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts#about-the-detection-of-calls-to-vulnerable-functions).| |`is`|Display {% data variables.product.prodname_dependabot_alerts %} that are open (`open`) or closed (`closed`).| |`package`|Display {% data variables.product.prodname_dependabot_alerts %} detected in the specified package, for example: `package:semver`.| |`resolution`| Display {% data variables.product.prodname_dependabot_alerts %} closed as "auto-dismissed" (`auto-dismissed`), "a fix has already been started" (`fix-started`), "fixed" (`fixed`), "this alert is inaccurate or incorrect" (`inaccurate`), "no bandwidth to fix this" (`no-bandwidth`), "vulnerable code is not actually used" (`not-used`), or "risk is tolerable to this project" (`tolerable-risk`).| diff --git a/content/code-security/security-overview/reviewing-requests-to-bypass-push-protection.md b/content/code-security/security-overview/reviewing-requests-to-bypass-push-protection.md index 3b8dd6bd697e..d53d9e3428c0 100644 --- a/content/code-security/security-overview/reviewing-requests-to-bypass-push-protection.md +++ b/content/code-security/security-overview/reviewing-requests-to-bypass-push-protection.md @@ -21,7 +21,7 @@ If your organization has configured delegated bypass for push protection, a desi On the "Bypass requests" page in security overview, reviewers can find, review (approve or deny) and manage these requests. -For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection)." +For more information, see [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection). ## Reviewing bypass requests for an organization @@ -54,5 +54,5 @@ The following statuses are assigned to a request: ## Further reading -* "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection)" -* "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection)" +* [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection) +* [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection) diff --git a/content/code-security/security-overview/viewing-metrics-for-pull-request-alerts.md b/content/code-security/security-overview/viewing-metrics-for-pull-request-alerts.md index 5884e14fe95a..f9f9aad8c522 100644 --- a/content/code-security/security-overview/viewing-metrics-for-pull-request-alerts.md +++ b/content/code-security/security-overview/viewing-metrics-for-pull-request-alerts.md @@ -56,7 +56,7 @@ You can apply filters to the data. The metrics are based on activity from the de * Click **{% octicon "plus" aria-hidden="true" %} Add a filter**, then select a filter from the dropdown menu. * To search for repositories matching the selected filter, fill out the available fields for that filter, then click **Apply**. You can repeat this process to add as many filters as you would like to your search. * Optionally, to remove a filter from your search, click **{% octicon "filter" aria-hidden="true" %} Filter**. In the row of the filter you want to remove, click {% octicon "x" aria-label="Delete FILTER-NUMBER: FILTER-PROPERTIES" %}, then click **Apply**.{% ifversion security-overview-export-data %} -1. You can use the **{% octicon "download" aria-hidden="true" %} Export CSV** button to download a CSV file of the data currently displayed on the page for security research and in-depth data analysis. For more information, see "[AUTOTITLE](/code-security/security-overview/exporting-data-from-security-overview)." {% endif %} +1. You can use the **{% octicon "download" aria-hidden="true" %} Export CSV** button to download a CSV file of the data currently displayed on the page for security research and in-depth data analysis. For more information, see [AUTOTITLE](/code-security/security-overview/exporting-data-from-security-overview). {% endif %} {% ifversion security-overview-enterprise-codeql-pr-alerts %} diff --git a/content/code-security/security-overview/viewing-metrics-for-secret-scanning-push-protection.md b/content/code-security/security-overview/viewing-metrics-for-secret-scanning-push-protection.md index c71d50905000..851c668ba67f 100644 --- a/content/code-security/security-overview/viewing-metrics-for-secret-scanning-push-protection.md +++ b/content/code-security/security-overview/viewing-metrics-for-secret-scanning-push-protection.md @@ -31,13 +31,13 @@ You can also find more granular metrics, such as: * The repositories that are bypassing push protection the most * The percentage distribution of reasons that users give when they bypass the protection -{% ifversion security-overview-additional-tools %}Use the date picker to set the time range that you want to view alert activity and metrics for, and click in the search box to add further filters on the alerts and metrics displayed. For more information, see "[AUTOTITLE](/code-security/security-overview/filtering-alerts-in-security-overview#additional-filters-for-secret-scanning-alert-views)." +{% ifversion security-overview-additional-tools %}Use the date picker to set the time range that you want to view alert activity and metrics for, and click in the search box to add further filters on the alerts and metrics displayed. For more information, see [AUTOTITLE](/code-security/security-overview/filtering-alerts-in-security-overview#additional-filters-for-secret-scanning-alert-views). You can see {% data variables.product.prodname_secret_scanning %} metrics if you have: * The `admin` role for the repository. -* A custom repository role with the "View {% data variables.product.prodname_secret_scanning %} results" fine-grained permissions for the repository. For more information, see "[AUTOTITLE](/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/about-custom-repository-roles#security)." -* Access to alerts for the repository. For more information, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#granting-access-to-security-alerts)." +* A custom repository role with the "View {% data variables.product.prodname_secret_scanning %} results" fine-grained permissions for the repository. For more information, see [AUTOTITLE](/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/about-custom-repository-roles#security). +* Access to alerts for the repository. For more information, see [AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#granting-access-to-security-alerts). The metrics are based on activity from the default period or your selected period. diff --git a/content/code-security/security-overview/viewing-security-insights.md b/content/code-security/security-overview/viewing-security-insights.md index 1ba3e8b2a1eb..ebcae6678615 100644 --- a/content/code-security/security-overview/viewing-security-insights.md +++ b/content/code-security/security-overview/viewing-security-insights.md @@ -47,17 +47,17 @@ The dashboard is divided into three tabs, each focused around a different securi * The "Impact analysis" section shows the repositories that pose the highest potential security risk in your organization{% ifversion security-overview-dashboard-enterprise %} or enterprise{% endif %}. {% endif %} -You can filter the overview dashboard by selecting a specific time period, and apply additional filters to focus on narrower areas of interest. All data and metrics across the dashboard will change as you apply filters. By default, the dashboard displays all alerts from {% data variables.product.prodname_dotcom %} tools, but you can use the tool filter to show alerts from a specific tool ({% data variables.product.prodname_secret_scanning %}, {% data variables.product.prodname_dependabot %}, {% data variables.product.prodname_code_scanning %} using {% data variables.product.prodname_codeql %}, a specific third-party tool) or all third-party {% data variables.product.prodname_code_scanning %} tools. For more information, see "[AUTOTITLE](/code-security/security-overview/filtering-alerts-in-security-overview)." +You can filter the overview dashboard by selecting a specific time period, and apply additional filters to focus on narrower areas of interest. All data and metrics across the dashboard will change as you apply filters. By default, the dashboard displays all alerts from {% data variables.product.prodname_dotcom %} tools, but you can use the tool filter to show alerts from a specific tool ({% data variables.product.prodname_secret_scanning %}, {% data variables.product.prodname_dependabot %}, {% data variables.product.prodname_code_scanning %} using {% data variables.product.prodname_codeql %}, a specific third-party tool) or all third-party {% data variables.product.prodname_code_scanning %} tools. For more information, see [AUTOTITLE](/code-security/security-overview/filtering-alerts-in-security-overview). {% ifversion security-overview-export-data %} -You can download a CSV file of the overview dashboard data for your organization or enterprise. This data file can integrate easily with external datasets, so you may find it useful for security research, data analysis, and more. For more information, see "[AUTOTITLE](/code-security/security-overview/exporting-data-from-security-overview)." +You can download a CSV file of the overview dashboard data for your organization or enterprise. This data file can integrate easily with external datasets, so you may find it useful for security research, data analysis, and more. For more information, see [AUTOTITLE](/code-security/security-overview/exporting-data-from-security-overview). {% endif %} -{% ifversion security-overview-dashboard-enterprise %}Enterprise members can access the overview page for organizations in their enterprise. {% endif %}The metrics you see will depend on your role and repository permissions. For more information, see "[AUTOTITLE](/code-security/security-overview/about-security-overview#permission-to-view-data-in-security-overview)." +{% ifversion security-overview-dashboard-enterprise %}Enterprise members can access the overview page for organizations in their enterprise. {% endif %}The metrics you see will depend on your role and repository permissions. For more information, see [AUTOTITLE](/code-security/security-overview/about-security-overview#permission-to-view-data-in-security-overview). ### Limitations -The data that populates the overview page can and will change over time due to various factors, such as repository deletion or modifications to a security advisory. This means that the overview metrics for the same time period could vary if viewed at two different times. For compliance reports or other scenarios where data consistency is crucial, we recommend that you source data from the audit log. For more information, see "[AUTOTITLE](/code-security/getting-started/auditing-security-alerts)." +The data that populates the overview page can and will change over time due to various factors, such as repository deletion or modifications to a security advisory. This means that the overview metrics for the same time period could vary if viewed at two different times. For compliance reports or other scenarios where data consistency is crucial, we recommend that you source data from the audit log. For more information, see [AUTOTITLE](/code-security/getting-started/auditing-security-alerts). Keep in mind that the overview page tracks changes over time for security alert data only. If you filter the page by non-alert attributes, such as repository status, the data you see will reflect the current state of those attributes, instead of the historical state. For example, consider that you archived a repository that contains open security alerts, an action which closes the alerts. If you then view the overview page for the week before you archived the repository, the alert data for the repository will only appear when you filter to show data from archived repositories, because the current state of the repository is archived. However, the alerts will appear as open, since they were open during that time period and the overview page tracks the historical state of alerts. @@ -96,7 +96,7 @@ Keep in mind that the overview page tracks changes over time for security alert Some metrics in the security overview dashboard include a trend indicator, which shows the percentage gain or loss for the chosen time period relative to previous period. For example, when you select a week with 10 alerts, if the previous week had 20 alerts, the trend indicator reports that the metric has dropped by 50%. If the average age of the open alerts is 15 days, and for the previous period it was 5 days, the trend indicator reports that the metric has risen by 200%. >[!NOTE] -> The number of alerts shown on the security overview dashboard may not match the number of {% data variables.product.prodname_code_scanning %} alerts. The security overview dashboard focuses on the security landscape of your organization, and only includes alerts with a security severity ("Critical", "High", "Medium", or "Low"), but {% data variables.product.prodname_codeql %} and third-party tools may separately produce non-security alerts with a level of "Error", "Warning", or "Note". For more information about alert severity and security severity levels in {% data variables.product.prodname_code_scanning %}, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/about-code-scanning-alerts#about-alert-severity-and-security-severity-levels)." +> The number of alerts shown on the security overview dashboard may not match the number of {% data variables.product.prodname_code_scanning %} alerts. The security overview dashboard focuses on the security landscape of your organization, and only includes alerts with a security severity ("Critical", "High", "Medium", or "Low"), but {% data variables.product.prodname_codeql %} and third-party tools may separately produce non-security alerts with a level of "Error", "Warning", or "Note". For more information about alert severity and security severity levels in {% data variables.product.prodname_code_scanning %}, see [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/about-code-scanning-alerts#about-alert-severity-and-security-severity-levels). ### Detection tab @@ -134,7 +134,7 @@ You can also see how many secrets were successfully blocked, which is calculated You can click **View details** to view the {% data variables.product.prodname_secret_scanning %} report with the same filters and time period selected. -For more information on {% data variables.product.prodname_secret_scanning %} push protection metrics, see "[AUTOTITLE](/code-security/security-overview/viewing-metrics-for-secret-scanning-push-protection)." +For more information on {% data variables.product.prodname_secret_scanning %} push protection metrics, see [AUTOTITLE](/code-security/security-overview/viewing-metrics-for-secret-scanning-push-protection). #### Impact analysis table @@ -204,7 +204,7 @@ The "Vulnerabilities fixed in pull requests" metric shows the count of pull requ #### Pull request alerts fixed with {% data variables.product.prodname_copilot_autofix_short %} suggestions -{% data variables.product.prodname_copilot_autofix %} for {% data variables.product.prodname_code_scanning %} is an expansion of {% data variables.product.prodname_code_scanning %} that provides you with targeted recommendations to help you fix {% data variables.product.prodname_code_scanning %} alerts. For more information, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/responsible-use-autofix-code-scanning)." +{% data variables.product.prodname_copilot_autofix %} for {% data variables.product.prodname_code_scanning %} is an expansion of {% data variables.product.prodname_code_scanning %} that provides you with targeted recommendations to help you fix {% data variables.product.prodname_code_scanning %} alerts. For more information, see [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/responsible-use-autofix-code-scanning). The "Pull request alerts fixed with autofix suggestions" metric shows the ratio of accepted {% data variables.product.prodname_copilot_autofix_short %} suggestions to the total number of {% data variables.product.prodname_copilot_autofix_short %} suggestions on pull request alerts detected by {% data variables.product.prodname_code_scanning %}. @@ -225,7 +225,7 @@ The "Pull request alerts fixed with autofix suggestions" metric shows the ratio Some metrics in the security overview dashboard include a trend indicator, which shows the percentage gain or loss for the chosen time period relative to previous period. For example, when you select a week with 10 alerts, if the previous week had 20 alerts, the trend indicator reports that the metric has dropped by 50%. If the average age of the open alerts is 15 days, and for the previous period it was 5 days, the trend indicator reports that the metric has risen by 200%. >[!NOTE] -> The number of alerts shown on the security overview dashboard may not match the number of {% data variables.product.prodname_code_scanning %} alerts. The security overview dashboard focuses on the security posture of your organization, and only includes alerts with a security severity ("Critical", "High", "Medium", or "Low"), but {% data variables.product.prodname_codeql %} and third-party tools may separately produce alerts with a level of "Error", "Warning", or "Note". For more information about alert severity and security severity levels in {% data variables.product.prodname_code_scanning %}, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/about-code-scanning-alerts#about-alert-severity-and-security-severity-levels)." +> The number of alerts shown on the security overview dashboard may not match the number of {% data variables.product.prodname_code_scanning %} alerts. The security overview dashboard focuses on the security posture of your organization, and only includes alerts with a security severity ("Critical", "High", "Medium", or "Low"), but {% data variables.product.prodname_codeql %} and third-party tools may separately produce alerts with a level of "Error", "Warning", or "Note". For more information about alert severity and security severity levels in {% data variables.product.prodname_code_scanning %}, see [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/about-code-scanning-alerts#about-alert-severity-and-security-severity-levels). ### Alert trends graph @@ -257,7 +257,7 @@ You can also see how many secrets were successfully blocked, which is calculated You can click **View details** to view the {% data variables.product.prodname_secret_scanning %} report with the same filters and time period selected. -For more information on secret scanning push protection metrics, see "[AUTOTITLE](/code-security/security-overview/viewing-metrics-for-secret-scanning-push-protection)." +For more information on secret scanning push protection metrics, see [AUTOTITLE](/code-security/security-overview/viewing-metrics-for-secret-scanning-push-protection). ### Mean time to remediate @@ -279,7 +279,7 @@ Alerts that are reopened and re-closed during the chosen time period are ignored ### {% data variables.product.prodname_copilot_autofix_short %} suggestions -{% data variables.product.prodname_copilot_autofix %} is an expansion of {% data variables.product.prodname_code_scanning %} that provides you with targeted recommendations to help you fix {% data variables.product.prodname_code_scanning %} alerts (including {% data variables.product.prodname_codeql %} alerts). For more information, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/responsible-use-autofix-code-scanning)." +{% data variables.product.prodname_copilot_autofix %} is an expansion of {% data variables.product.prodname_code_scanning %} that provides you with targeted recommendations to help you fix {% data variables.product.prodname_code_scanning %} alerts (including {% data variables.product.prodname_codeql %} alerts). For more information, see [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/responsible-use-autofix-code-scanning). The "{% data variables.product.prodname_copilot_autofix_short %} suggestions" metric is the total number of {% data variables.product.prodname_copilot_autofix_short %} suggestions generated in open and closed pull requests during the chosen time period. diff --git a/content/code-security/supply-chain-security/end-to-end-supply-chain/end-to-end-supply-chain-overview.md b/content/code-security/supply-chain-security/end-to-end-supply-chain/end-to-end-supply-chain-overview.md index c3ce69576dd6..c93a1965676a 100644 --- a/content/code-security/supply-chain-security/end-to-end-supply-chain/end-to-end-supply-chain-overview.md +++ b/content/code-security/supply-chain-security/end-to-end-supply-chain/end-to-end-supply-chain-overview.md @@ -19,7 +19,7 @@ topics: At its core, end-to-end software supply chain security is about making sure the code you distribute hasn't been tampered with. Previously, attackers focused on targeting dependencies you use, for example libraries and frameworks. Attackers have now expanded their focus to include targeting user accounts and build processes, and so those systems must be defended as well. -For information about features in {% data variables.product.prodname_dotcom %} that can help you secure dependencies, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-supply-chain-security)." +For information about features in {% data variables.product.prodname_dotcom %} that can help you secure dependencies, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-supply-chain-security). ## About these guides @@ -27,11 +27,11 @@ This series of guides explains how to think about securing your end-to-end suppl Everyone's needs are different, so each guide starts with the highest impact change, and continues from there with additional improvements you should consider. You should feel free to skip around and focus on improvements you think will have the biggest benefit. The goal isn't to do everything at once but to continuously improve security in your systems over time. -* "[AUTOTITLE](/code-security/supply-chain-security/end-to-end-supply-chain/securing-accounts)" +* [AUTOTITLE](/code-security/supply-chain-security/end-to-end-supply-chain/securing-accounts) -* "[AUTOTITLE](/code-security/supply-chain-security/end-to-end-supply-chain/securing-code)" +* [AUTOTITLE](/code-security/supply-chain-security/end-to-end-supply-chain/securing-code) -* "[AUTOTITLE](/code-security/supply-chain-security/end-to-end-supply-chain/securing-builds)" +* [AUTOTITLE](/code-security/supply-chain-security/end-to-end-supply-chain/securing-builds) ## Further reading diff --git a/content/code-security/supply-chain-security/end-to-end-supply-chain/securing-accounts.md b/content/code-security/supply-chain-security/end-to-end-supply-chain/securing-accounts.md index 23b5c98f368b..c41d771afd02 100644 --- a/content/code-security/supply-chain-security/end-to-end-supply-chain/securing-accounts.md +++ b/content/code-security/supply-chain-security/end-to-end-supply-chain/securing-accounts.md @@ -32,11 +32,11 @@ Account security is fundamental to the security of your supply chain. If an atta {% ifversion ghec %} If you're an enterprise or organization owner, you can configure centralized authentication with SAML. While you can add or remove members manually, it's simpler and more secure to set up single sign-on (SSO) and SCIM between {% data variables.product.product_name %} and your SAML identity provider (IdP). This also simplifies the authentication process for all members of your enterprise. -You can configure SAML authentication for an enterprise or organization account. With SAML, you can grant access to the personal accounts of members of your enterprise or organization on {% data variables.product.prodname_dotcom %} through your IdP, or you can create and control the accounts that belong to your enterprise by using {% data variables.product.prodname_emus %}. For more information, see "[AUTOTITLE](/admin/identity-and-access-management/managing-iam-for-your-enterprise/about-authentication-for-your-enterprise)." +You can configure SAML authentication for an enterprise or organization account. With SAML, you can grant access to the personal accounts of members of your enterprise or organization on {% data variables.product.prodname_dotcom %} through your IdP, or you can create and control the accounts that belong to your enterprise by using {% data variables.product.prodname_emus %}. For more information, see [AUTOTITLE](/admin/identity-and-access-management/managing-iam-for-your-enterprise/about-authentication-for-your-enterprise). After you configure SAML authentication, when members request access to your resources, they'll be directed to your SSO flow to ensure they are still recognized by your IdP. If they are unrecognized, their request is declined. -Some IdPs support a protocol called SCIM, which can automatically provision or deprovision access on {% data variables.product.product_name %} when you make changes on your IdP. With SCIM, you can simplify administration as your team grows, and you can quickly revoke access to accounts. SCIM is available for individual organizations on {% data variables.product.product_name %}, or for enterprises that use {% data variables.product.prodname_emus %}. For more information, see "[AUTOTITLE](/organizations/managing-saml-single-sign-on-for-your-organization/about-scim-for-organizations)." +Some IdPs support a protocol called SCIM, which can automatically provision or deprovision access on {% data variables.product.product_name %} when you make changes on your IdP. With SCIM, you can simplify administration as your team grows, and you can quickly revoke access to accounts. SCIM is available for individual organizations on {% data variables.product.product_name %}, or for enterprises that use {% data variables.product.prodname_emus %}. For more information, see [AUTOTITLE](/organizations/managing-saml-single-sign-on-for-your-organization/about-scim-for-organizations). {% endif %} {% ifversion ghes %} @@ -44,7 +44,7 @@ If you're the site administrator for your instance, you can simplify the login e Some authentication methods also support communicating additional information to {% data variables.product.product_name %}, for example, what groups the user is a member of, or synchronizing cryptographic keys for the user. This is a great way to simplify your administration as your organization grows. -For more information about the authentication methods available for {% data variables.product.product_name %}, see "[AUTOTITLE](/admin/identity-and-access-management/managing-iam-for-your-enterprise/about-authentication-for-your-enterprise)." +For more information about the authentication methods available for {% data variables.product.product_name %}, see [AUTOTITLE](/admin/identity-and-access-management/managing-iam-for-your-enterprise/about-authentication-for-your-enterprise). {% endif %} ## Configure two-factor authentication @@ -68,12 +68,12 @@ If you're an enterprise owner, you may be able to configure a policy to require {% endif %} {% ifversion ghes %} -If you're the site administrator for your instance, you may be able to configure 2FA for all users of your instance. The availability of 2FA on {% data variables.product.product_name %} depends on the authentication method that you use. For more information, see "[Centralize authentication](#centralize-authentication)." +If you're the site administrator for your instance, you may be able to configure 2FA for all users of your instance. The availability of 2FA on {% data variables.product.product_name %} depends on the authentication method that you use. For more information, see [Centralize authentication](#centralize-authentication). {% endif %} If you're an organization owner, then you {% ifversion fpt %}can{% else %}may be able to{% endif %} require that all members of the organization enable 2FA. -To learn more about enabling 2FA on your own account, see "[AUTOTITLE](/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication)." To learn more about requiring 2FA in your organization, see "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization)." +To learn more about enabling 2FA on your own account, see [AUTOTITLE](/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication). To learn more about requiring 2FA in your organization, see [AUTOTITLE](/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization). {% ifversion ghec or ghes %} @@ -93,7 +93,7 @@ If your enterprise uses {% data variables.product.prodname_emus %} or SAML authe {% endif %} -For more information, see {% ifversion ghec %}"[AUTOTITLE](/admin/identity-and-access-management/using-saml-for-enterprise-iam/about-saml-for-enterprise-iam)" and {% endif %}"[AUTOTITLE](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-security-settings-in-your-enterprise#requiring-two-factor-authentication-for-organizations-in-your-enterprise)." +For more information, see {% ifversion ghec %}[AUTOTITLE](/admin/identity-and-access-management/using-saml-for-enterprise-iam/about-saml-for-enterprise-iam) and {% endif %}[AUTOTITLE](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-security-settings-in-your-enterprise#requiring-two-factor-authentication-for-organizations-in-your-enterprise). {% endif %} @@ -108,7 +108,7 @@ For more information, see {% ifversion ghec %}"[AUTOTITLE](/admin/identity-and-a {% data variables.product.product_name %} supports several options for 2FA, and while any of them is better than nothing, the most secure option is a WebAuthn credential. WebAuthn requires an authenticator such as a FIDO2 hardware security key, a platform authenticator like Windows Hello, an Apple or Google phone, or a password manager. It's possible, although difficult, to phish other forms of 2FA (for example, someone asking you to read them your 6 digit one-time password). However WebAuthn is much more resistant to phishing, because domain scoping is built into the protocol, which prevents credentials from a website impersonating the login page from being used on {% data variables.product.product_name %}. -When you set up 2FA, you should always download the recovery codes and set up more than one 2FA credential. This ensures that access to your account doesn't depend on a single device. For more information, see "[AUTOTITLE](/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication)" and "[AUTOTITLE](/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication-recovery-methods)." +When you set up 2FA, you should always download the recovery codes and set up more than one 2FA credential. This ensures that access to your account doesn't depend on a single device. For more information, see [AUTOTITLE](/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication) and [AUTOTITLE](/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication-recovery-methods). ### Configure your organization account @@ -121,25 +121,25 @@ When you set up 2FA, you should always download the recovery codes and set up mo If you're an organization owner, you can see which users don't have 2FA enabled, help them get set up, and then require 2FA for your organization. To guide you through that process, see: -1. "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/viewing-whether-users-in-your-organization-have-2fa-enabled)" -1. "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/preparing-to-require-two-factor-authentication-in-your-organization)" -1. "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization)" +1. [AUTOTITLE](/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/viewing-whether-users-in-your-organization-have-2fa-enabled) +1. [AUTOTITLE](/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/preparing-to-require-two-factor-authentication-in-your-organization) +1. [AUTOTITLE](/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization) ## Connect to {% data variables.product.product_name %} using SSH keys -There are other ways to interact with {% data variables.product.product_name %} beyond signing into the website. Many people authorize the code they push to {% data variables.product.prodname_dotcom %} with an SSH private key. For more information, see "[AUTOTITLE](/authentication/connecting-to-github-with-ssh/about-ssh)." +There are other ways to interact with {% data variables.product.product_name %} beyond signing into the website. Many people authorize the code they push to {% data variables.product.prodname_dotcom %} with an SSH private key. For more information, see [AUTOTITLE](/authentication/connecting-to-github-with-ssh/about-ssh). -Just like your account password, if an attacker were able to get your SSH private key, they could impersonate you and push malicious code to any repository you have write access for. If you store your SSH private key on a disk drive, it's a good idea to protect it with a passphrase. For more information, see "[AUTOTITLE](/authentication/connecting-to-github-with-ssh/working-with-ssh-key-passphrases)." +Just like your account password, if an attacker were able to get your SSH private key, they could impersonate you and push malicious code to any repository you have write access for. If you store your SSH private key on a disk drive, it's a good idea to protect it with a passphrase. For more information, see [AUTOTITLE](/authentication/connecting-to-github-with-ssh/working-with-ssh-key-passphrases). -Another option is to generate SSH keys on a hardware security key. You could use the same key you're using for 2FA. Hardware security keys are very difficult to compromise remotely, because the private SSH key remains on the hardware, and is not directly accessible from software. For more information, see "[AUTOTITLE](/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent#generating-a-new-ssh-key-for-a-hardware-security-key)." +Another option is to generate SSH keys on a hardware security key. You could use the same key you're using for 2FA. Hardware security keys are very difficult to compromise remotely, because the private SSH key remains on the hardware, and is not directly accessible from software. For more information, see [AUTOTITLE](/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent#generating-a-new-ssh-key-for-a-hardware-security-key). {% ifversion ghec or ghes %} -Hardware-backed SSH keys are quite secure, but the hardware requirement might not work for some organizations. An alternative approach is to use SSH keys that are only valid for a short period of time, so even if the private key is compromised it can't be exploited for very long. This is the concept behind running your own SSH certificate authority. While this approach gives you a lot of control over how users authenticate, it also comes with the responsibility of maintaining an SSH certificate authority yourself. For more information, see "[AUTOTITLE](/organizations/managing-git-access-to-your-organizations-repositories/about-ssh-certificate-authorities)." +Hardware-backed SSH keys are quite secure, but the hardware requirement might not work for some organizations. An alternative approach is to use SSH keys that are only valid for a short period of time, so even if the private key is compromised it can't be exploited for very long. This is the concept behind running your own SSH certificate authority. While this approach gives you a lot of control over how users authenticate, it also comes with the responsibility of maintaining an SSH certificate authority yourself. For more information, see [AUTOTITLE](/organizations/managing-git-access-to-your-organizations-repositories/about-ssh-certificate-authorities). {% endif %} ## Next steps -* "[AUTOTITLE](/code-security/supply-chain-security/end-to-end-supply-chain/end-to-end-supply-chain-overview)" -* "[AUTOTITLE](/code-security/supply-chain-security/end-to-end-supply-chain/securing-code)" -* "[AUTOTITLE](/code-security/supply-chain-security/end-to-end-supply-chain/securing-builds)" -* "[AUTOTITLE](/code-security/getting-started/best-practices-for-preventing-data-leaks-in-your-organization)" +* [AUTOTITLE](/code-security/supply-chain-security/end-to-end-supply-chain/end-to-end-supply-chain-overview) +* [AUTOTITLE](/code-security/supply-chain-security/end-to-end-supply-chain/securing-code) +* [AUTOTITLE](/code-security/supply-chain-security/end-to-end-supply-chain/securing-builds) +* [AUTOTITLE](/code-security/getting-started/best-practices-for-preventing-data-leaks-in-your-organization) diff --git a/content/code-security/supply-chain-security/end-to-end-supply-chain/securing-builds.md b/content/code-security/supply-chain-security/end-to-end-supply-chain/securing-builds.md index d5498bcadcf4..e9fafe2ba919 100644 --- a/content/code-security/supply-chain-security/end-to-end-supply-chain/securing-builds.md +++ b/content/code-security/supply-chain-security/end-to-end-supply-chain/securing-builds.md @@ -37,7 +37,7 @@ There are several security capabilities a build system should have: In addition to the security benefits, {% data variables.product.prodname_actions %} lets you trigger builds manually, periodically, or on git events in your repository for frequent and fast builds. -{% data variables.product.prodname_actions %} is a big topic, but a good place to get started is "[AUTOTITLE](/actions/learn-github-actions/understanding-github-actions)," as well as "[AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#choosing-github-hosted-runners)," and "[AUTOTITLE](/actions/using-workflows/triggering-a-workflow)." +{% data variables.product.prodname_actions %} is a big topic, but a good place to get started is [AUTOTITLE](/actions/learn-github-actions/understanding-github-actions), as well as [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#choosing-github-hosted-runners), and [AUTOTITLE](/actions/using-workflows/triggering-a-workflow). {% ifversion artifact-attestations %} @@ -47,7 +47,7 @@ In addition to the security benefits, {% data variables.product.prodname_actions Artifact attestations include a signature over a built artifact, along with links to the source code and build instructions. If you sign your build with artifact attestations, you do not have to manage your own signing key material. {% data variables.product.prodname_dotcom %} handles this for you with the signing authority we operate. -For more information, see "[AUTOTITLE](/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds)." +For more information, see [AUTOTITLE](/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds). {% endif %} @@ -57,18 +57,18 @@ After your build process is secure, you want to prevent someone from tampering w How exactly you sign your build will depend on what sort of code you're writing, and who your users are. Often it's difficult to know how to securely store the private key. One basic option here is to use {% data variables.product.prodname_actions %} encrypted secrets, although you'll need to be careful to limit who has access to those {% data variables.product.prodname_actions %} workflows. {% ifversion fpt or ghec %}If your private key is stored in another system accessible over the public internet (like Microsoft Azure, or HashiCorp Vault), a more advanced option is to authenticate with OpenID Connect, so you don't have to share secrets across systems.{% endif %} If your private key is only accessible from a private network, another option is to use self-hosted runners for {% data variables.product.prodname_actions %}. -For more information, see "[AUTOTITLE](/actions/security-guides/encrypted-secrets)"{% ifversion fpt or ghec %}, "[AUTOTITLE](/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect)",{% endif %} and "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners)." +For more information, see [AUTOTITLE](/actions/security-guides/encrypted-secrets){% ifversion fpt or ghec %}, [AUTOTITLE](/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect),{% endif %} and [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners). ## Harden security for {% data variables.product.prodname_actions %} There are many further steps you can take to additionally secure {% data variables.product.prodname_actions %}. In particular, be careful when evaluating third-party workflows, and consider using `CODEOWNERS` to limit who can make changes to your workflows. -For more information, see "[AUTOTITLE](/actions/security-guides/security-hardening-for-github-actions)" and "[AUTOTITLE](/actions/security-guides/using-githubs-security-features-to-secure-your-use-of-github-actions)." +For more information, see [AUTOTITLE](/actions/security-guides/security-hardening-for-github-actions) and [AUTOTITLE](/actions/security-guides/using-githubs-security-features-to-secure-your-use-of-github-actions). ## Next steps -* "[AUTOTITLE](/code-security/supply-chain-security/end-to-end-supply-chain/end-to-end-supply-chain-overview)" +* [AUTOTITLE](/code-security/supply-chain-security/end-to-end-supply-chain/end-to-end-supply-chain-overview) -* "[AUTOTITLE](/code-security/supply-chain-security/end-to-end-supply-chain/securing-accounts)" +* [AUTOTITLE](/code-security/supply-chain-security/end-to-end-supply-chain/securing-accounts) -* "[AUTOTITLE](/code-security/supply-chain-security/end-to-end-supply-chain/securing-code)" +* [AUTOTITLE](/code-security/supply-chain-security/end-to-end-supply-chain/securing-code) diff --git a/content/code-security/supply-chain-security/end-to-end-supply-chain/securing-code.md b/content/code-security/supply-chain-security/end-to-end-supply-chain/securing-code.md index bbacbeeb81c8..dcdadf429e7d 100644 --- a/content/code-security/supply-chain-security/end-to-end-supply-chain/securing-code.md +++ b/content/code-security/supply-chain-security/end-to-end-supply-chain/securing-code.md @@ -47,11 +47,11 @@ As a first step, you want to make a complete inventory of your dependencies. The ### Automatic detection of vulnerabilities in dependencies -{% data variables.product.prodname_dependabot %} can help you by monitoring your dependencies and notifying you when they contain a known vulnerability. You can even enable {% data variables.product.prodname_dependabot %} to automatically raise pull requests that update the dependency to a secure version. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts)" and "[AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates)". +{% data variables.product.prodname_dependabot %} can help you by monitoring your dependencies and notifying you when they contain a known vulnerability. You can even enable {% data variables.product.prodname_dependabot %} to automatically raise pull requests that update the dependency to a secure version. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts) and [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates). ### Automatic detection of vulnerabilities in pull requests -The {% data variables.dependency-review.action_name %} enforces a dependency review on your pull requests, making it easy for you to see if a pull request will introduce a vulnerable version of a dependency to your repository. When a vulnerability is detected, the {% data variables.dependency-review.action_name %} can block the pull request from merging. For more information, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#the-dependency-review-action)." +The {% data variables.dependency-review.action_name %} enforces a dependency review on your pull requests, making it easy for you to see if a pull request will introduce a vulnerable version of a dependency to your repository. When a vulnerability is detected, the {% data variables.dependency-review.action_name %} can block the pull request from merging. For more information, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#the-dependency-review-action). ### Assessment of exposure to risk from a vulnerable dependency @@ -71,7 +71,7 @@ Code often needs to communicate with other systems over a network, and requires {% data reusables.secret-scanning.enterprise-enable-secret-scanning %} {% ifversion fpt or ghec %} -{% data variables.product.prodname_dotcom %} partners with many providers to automatically detect when secrets are committed to or stored in your public repositories and public npm packages you depend on, and will notify the provider so they can take appropriate actions to ensure your account remains secure. For more information, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts##about-partner-alerts)." +{% data variables.product.prodname_dotcom %} partners with many providers to automatically detect when secrets are committed to or stored in your public repositories and public npm packages you depend on, and will notify the provider so they can take appropriate actions to ensure your account remains secure. For more information, see [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts##about-partner-alerts). {% endif %} {% ifversion fpt %} @@ -82,19 +82,19 @@ You can enable and configure additional scanning that will alert you about accid {% elsif secret-scanning-user-owned-repos %} If your organization uses {% data variables.product.prodname_GH_advanced_security %}, you can enable {% data variables.secret-scanning.user_alerts %} on any repository owned by the organization, including private repositories. {% data reusables.secret-scanning.secret-scanning-user-owned-repos-beta %} -You can also define custom patterns to detect additional secrets at the repository, organization, or enterprise level. For more information, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts#about-secret-scanning-alerts)." +You can also define custom patterns to detect additional secrets at the repository, organization, or enterprise level. For more information, see [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts#about-secret-scanning-alerts). {% else %} -You can configure {% data variables.product.prodname_secret_scanning %} to check for secrets issued by many service providers and to notify you when any are detected. You can also define custom patterns to detect additional secrets at the repository, organization, or enterprise level. For more information, see "[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning)" and "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns)." +You can configure {% data variables.product.prodname_secret_scanning %} to check for secrets issued by many service providers and to notify you when any are detected. You can also define custom patterns to detect additional secrets at the repository, organization, or enterprise level. For more information, see [AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning) and [AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns). {% endif %} ### Secure storage of secrets you use in {% data variables.product.product_name %} {% ifversion fpt or ghec %} -Besides your code, you probably need to use secrets in other places. For example, to allow {% data variables.product.prodname_actions %} workflows, {% data variables.product.prodname_dependabot %}, or your {% data variables.product.prodname_github_codespaces %} development environment to communicate with other systems. For more information on how to securely store and use secrets, see "[AUTOTITLE](/actions/security-guides/encrypted-secrets)," "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#storing-credentials-for-dependabot-to-use)," and "[AUTOTITLE](/codespaces/managing-your-codespaces/managing-encrypted-secrets-for-your-codespaces)." +Besides your code, you probably need to use secrets in other places. For example, to allow {% data variables.product.prodname_actions %} workflows, {% data variables.product.prodname_dependabot %}, or your {% data variables.product.prodname_github_codespaces %} development environment to communicate with other systems. For more information on how to securely store and use secrets, see [AUTOTITLE](/actions/security-guides/encrypted-secrets), [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#storing-credentials-for-dependabot-to-use), and [AUTOTITLE](/codespaces/managing-your-codespaces/managing-encrypted-secrets-for-your-codespaces). {% endif %} {% ifversion ghes %} -Besides your code, you probably need to use secrets in other places. For example, to allow {% data variables.product.prodname_actions %} workflows{% ifversion ghes %} or {% data variables.product.prodname_dependabot %}{% endif %} to communicate with other systems. For more information on how to securely store and use secrets, see "[AUTOTITLE](/actions/security-guides/encrypted-secrets){% ifversion ghes %}" and "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#storing-credentials-for-dependabot-to-use)."{% else %}."{% endif %} +Besides your code, you probably need to use secrets in other places. For example, to allow {% data variables.product.prodname_actions %} workflows{% ifversion ghes %} or {% data variables.product.prodname_dependabot %}{% endif %} to communicate with other systems. For more information on how to securely store and use secrets, see [AUTOTITLE](/actions/security-guides/encrypted-secrets){% ifversion ghes %} and [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#storing-credentials-for-dependabot-to-use).{% else %}."{% endif %} {% endif %} ## Keep vulnerable coding patterns out of your repository @@ -106,16 +106,16 @@ Besides your code, you probably need to use secrets in other places. For example ### Create a pull request review process -You can improve the quality and security of your code by ensuring that all pull requests are reviewed and tested before they are merged. {% data variables.product.prodname_dotcom %} has many features you can use to control the review and merge process. To get started, see "[AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches)." +You can improve the quality and security of your code by ensuring that all pull requests are reviewed and tested before they are merged. {% data variables.product.prodname_dotcom %} has many features you can use to control the review and merge process. To get started, see [AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches). ### Scan your code for vulnerable patterns -Insecure code patterns are often difficult for reviewers to spot unaided. In addition to scanning your code for secrets, you can check it for patterns that are associated with security vulnerabilities. For example, a function that isn't memory-safe, or failing to escaping user input that could lead to an injection vulnerability. {% data variables.product.prodname_dotcom %} offers several different ways to approach both how and when you scan your code. To get started, see "[AUTOTITLE](/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning)." +Insecure code patterns are often difficult for reviewers to spot unaided. In addition to scanning your code for secrets, you can check it for patterns that are associated with security vulnerabilities. For example, a function that isn't memory-safe, or failing to escaping user input that could lead to an injection vulnerability. {% data variables.product.prodname_dotcom %} offers several different ways to approach both how and when you scan your code. To get started, see [AUTOTITLE](/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning). ## Next steps -* "[AUTOTITLE](/code-security/supply-chain-security/end-to-end-supply-chain/end-to-end-supply-chain-overview)" +* [AUTOTITLE](/code-security/supply-chain-security/end-to-end-supply-chain/end-to-end-supply-chain-overview) -* "[AUTOTITLE](/code-security/supply-chain-security/end-to-end-supply-chain/securing-accounts)" +* [AUTOTITLE](/code-security/supply-chain-security/end-to-end-supply-chain/securing-accounts) -* "[AUTOTITLE](/code-security/supply-chain-security/end-to-end-supply-chain/securing-builds)" +* [AUTOTITLE](/code-security/supply-chain-security/end-to-end-supply-chain/securing-builds) diff --git a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review.md b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review.md index 76bb1177c9ed..acea800a95c5 100644 --- a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review.md +++ b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review.md @@ -25,17 +25,17 @@ redirect_from: For pull requests that contain changes to package manifests or lock files, you can display a dependency review to see what has changed. The dependency review includes details of changes to indirect dependencies in lock files, and it tells you if any of the added or updated dependencies contain known vulnerabilities. >[!NOTE] -> The "{% data variables.dependency-review.action_name %}" refers to the specific action that can report on differences in a pull request within the {% data variables.product.prodname_actions %} context, and add enforcement mechanisms to the {% data variables.product.prodname_actions %} workflow. For more information, see "[The {% data variables.dependency-review.action_name %}](#about-the-dependency-review-action)" later in this article. +> The "{% data variables.dependency-review.action_name %}" refers to the specific action that can report on differences in a pull request within the {% data variables.product.prodname_actions %} context, and add enforcement mechanisms to the {% data variables.product.prodname_actions %} workflow. For more information, see [The {% data variables.dependency-review.action_name %}](#about-the-dependency-review-action) later in this article. Sometimes you might just want to update the version of one dependency in a manifest and generate a pull request. However, if the updated version of this direct dependency also has updated dependencies, your pull request may have more changes than you expected. The dependency review for each manifest and lock file provides an easy way to see what has changed, and whether any of the new dependency versions contain known vulnerabilities. -By checking the dependency reviews in a pull request, and changing any dependencies that are flagged as vulnerable, you can avoid vulnerabilities being added to your project. For more information about how dependency review works, see "[AUTOTITLE](/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/reviewing-dependency-changes-in-a-pull-request)." +By checking the dependency reviews in a pull request, and changing any dependencies that are flagged as vulnerable, you can avoid vulnerabilities being added to your project. For more information about how dependency review works, see [AUTOTITLE](/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/reviewing-dependency-changes-in-a-pull-request). -{% data variables.product.prodname_dependabot_alerts %} will find vulnerabilities that are already in your dependencies, but it's much better to avoid introducing potential problems than to fix problems at a later date. For more information about {% data variables.product.prodname_dependabot_alerts %}, see "[AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts#dependabot-alerts-for-vulnerable-dependencies)." +{% data variables.product.prodname_dependabot_alerts %} will find vulnerabilities that are already in your dependencies, but it's much better to avoid introducing potential problems than to fix problems at a later date. For more information about {% data variables.product.prodname_dependabot_alerts %}, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts#dependabot-alerts-for-vulnerable-dependencies). -Dependency review supports the same languages and package management ecosystems as the dependency graph. For more information, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/dependency-graph-supported-package-ecosystems#supported-package-ecosystems)." +Dependency review supports the same languages and package management ecosystems as the dependency graph. For more information, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/dependency-graph-supported-package-ecosystems#supported-package-ecosystems). -For more information on supply chain features available on {% data variables.product.product_name %}, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-supply-chain-security)." +For more information on supply chain features available on {% data variables.product.product_name %}, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-supply-chain-security). {% ifversion ghec or ghes %} @@ -58,11 +58,11 @@ The action is available for all {% ifversion fpt or ghec %}public repositories, {% data reusables.dependency-review.action-enterprise %} -The action uses the dependency review REST API to get the diff of dependency changes between the base commit and head commit. You can use the dependency review API to get the diff of dependency changes, including vulnerability data, between any two commits on a repository. For more information, see "[AUTOTITLE](/rest/dependency-graph/dependency-review)."{% ifversion dependency-review-submission-api %} The action also considers dependencies submitted via the {% data variables.dependency-submission-api.name %}. For more information about the {% data variables.dependency-submission-api.name %}, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api)." +The action uses the dependency review REST API to get the diff of dependency changes between the base commit and head commit. You can use the dependency review API to get the diff of dependency changes, including vulnerability data, between any two commits on a repository. For more information, see [AUTOTITLE](/rest/dependency-graph/dependency-review).{% ifversion dependency-review-submission-api %} The action also considers dependencies submitted via the {% data variables.dependency-submission-api.name %}. For more information about the {% data variables.dependency-submission-api.name %}, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api). {% data reusables.dependency-review.works-with-submission-api-beta %} -You can configure the {% data variables.dependency-review.action_name %} to better suit your needs. For example, you can specify the severity level that will make the action fail{% ifversion dependency-review-action-licenses %}, or set an allow or deny list for licenses to scan{% endif %}. For more information, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-the-dependency-review-action)." +You can configure the {% data variables.dependency-review.action_name %} to better suit your needs. For example, you can specify the severity level that will make the action fail{% ifversion dependency-review-action-licenses %}, or set an allow or deny list for licenses to scan{% endif %}. For more information, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-the-dependency-review-action). {% endif %} @@ -98,4 +98,4 @@ If you don’t use {% data variables.product.prodname_actions %}, and your code ## Further reading -* "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/customizing-your-dependency-review-action-configuration)" +* [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/customizing-your-dependency-review-action-configuration) diff --git a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/about-supply-chain-security.md b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/about-supply-chain-security.md index e81bd205a4b3..d12b0792a58b 100644 --- a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/about-supply-chain-security.md +++ b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/about-supply-chain-security.md @@ -49,7 +49,7 @@ Other supply chain features on {% data variables.product.prodname_dotcom %} rely {% data variables.product.prodname_dependabot_version_updates %} don't use the dependency graph and rely on the semantic versioning of dependencies instead. {% data variables.product.prodname_dependabot_version_updates %} help you keep your dependencies updated, even when they don’t have any vulnerabilities. -For best practice guides on end-to-end supply chain security including the protection of personal accounts, code, and build processes, see "[AUTOTITLE](/code-security/supply-chain-security/end-to-end-supply-chain/end-to-end-supply-chain-overview)." +For best practice guides on end-to-end supply chain security including the protection of personal accounts, code, and build processes, see [AUTOTITLE](/code-security/supply-chain-security/end-to-end-supply-chain/end-to-end-supply-chain-overview). ## Feature overview @@ -64,7 +64,7 @@ To generate the dependency graph, {% data variables.product.company_short %} loo {% data reusables.dependency-submission.dependency-submission-link %} -For more information about the dependency graph, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph)." +For more information about the dependency graph, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph). ### What is dependency review @@ -73,7 +73,7 @@ Dependency review helps reviewers and contributors understand dependency changes * Dependency review tells you which dependencies were added, removed, or updated, in a pull request. You can use the release dates, popularity of dependencies, and vulnerability information to help you decide whether to accept the change. * You can see the dependency review for a pull request by showing the rich diff on the **Files Changed** tab. -For more information about dependency review, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review)." +For more information about dependency review, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review). ### What is Dependabot @@ -85,7 +85,7 @@ The term "{% data variables.product.prodname_dependabot %}" encompasses the foll * {% data variables.product.prodname_dependabot_security_updates %}: Triggered updates to upgrade your dependencies to a secure version when an alert is triggered. * {% data variables.product.prodname_dependabot_version_updates %}: Scheduled updates to keep your dependencies up to date with the latest version. -{% ifversion fpt or ghec %}Pull requests opened by {% data variables.product.prodname_dependabot %} can trigger workflows that run actions. For more information, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions)."{% endif %} +{% ifversion fpt or ghec %}Pull requests opened by {% data variables.product.prodname_dependabot %} can trigger workflows that run actions. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions).{% endif %} {% ifversion dependabot-on-actions-opt-in %}By default: @@ -93,15 +93,15 @@ The term "{% data variables.product.prodname_dependabot %}" encompasses the foll * If {% data variables.product.prodname_actions %} is not enabled for the repository, {% data variables.product.prodname_dotcom %} generates {% data variables.product.prodname_dependabot_alerts %} using the built-in {% data variables.product.prodname_dependabot %} application in {% data variables.product.product_name %}. -For more information, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners)." +For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners). {% else %} -{% data variables.product.prodname_dependabot_security_updates %} and {% data variables.product.prodname_dependabot_version_updates %} require {% data variables.product.prodname_actions %} to run on {% data variables.product.product_name %}. {% data variables.product.prodname_dependabot_alerts %} do not require {% data variables.product.prodname_actions %}. For more information, see "[AUTOTITLE](/admin/configuration/configuring-github-connect/enabling-dependabot-for-your-enterprise)." +{% data variables.product.prodname_dependabot_security_updates %} and {% data variables.product.prodname_dependabot_version_updates %} require {% data variables.product.prodname_actions %} to run on {% data variables.product.product_name %}. {% data variables.product.prodname_dependabot_alerts %} do not require {% data variables.product.prodname_actions %}. For more information, see [AUTOTITLE](/admin/configuration/configuring-github-connect/enabling-dependabot-for-your-enterprise). {% endif %} -{% data reusables.dependabot.dependabot-actions-support %} For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates)." +{% data reusables.dependabot.dependabot-actions-support %} For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates). #### What are Dependabot alerts @@ -114,7 +114,7 @@ For more information, see "[AUTOTITLE](/code-security/dependabot/working-with-de * The dependency graph for the repository changes. * {% data variables.product.prodname_dependabot_alerts %} are displayed on the **Security** tab for the repository and in the repository's dependency graph. The alert includes a link to the affected file in the project, and information about a fixed version. -For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts)." +For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts). #### What are Dependabot updates @@ -132,7 +132,7 @@ There are two types of {% data variables.product.prodname_dependabot_updates %}: * Update dependencies to the latest version that matches the configuration * Supported for a different group of ecosystems -For more information about {% data variables.product.prodname_dependabot_updates %}, see "[AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates)" and "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates)." +For more information about {% data variables.product.prodname_dependabot_updates %}, see [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates) and [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates). ## Feature availability @@ -142,28 +142,28 @@ Public repositories: * **Dependency graph:** Enabled by default and cannot be disabled. * **Dependency review:** Enabled by default and cannot be disabled. * **{% data variables.product.prodname_dependabot_alerts %}:** Not enabled by default. {% data variables.product.prodname_dotcom %} detects insecure dependencies and displays information in the dependency graph, but does not generate {% data variables.product.prodname_dependabot_alerts %} by default. Repository owners or people with admin access can enable {% data variables.product.prodname_dependabot_alerts %}. - You can also enable or disable Dependabot alerts for all repositories owned by your user account or organization. For more information, see "[AUTOTITLE](/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-personal-account-settings/managing-security-and-analysis-settings-for-your-personal-account)" or "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization)." + You can also enable or disable Dependabot alerts for all repositories owned by your user account or organization. For more information, see [AUTOTITLE](/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-personal-account-settings/managing-security-and-analysis-settings-for-your-personal-account) or [AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization). Private repositories: -* **Dependency graph:** Not enabled by default. The feature can be enabled by repository administrators. For more information, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/exploring-the-dependencies-of-a-repository#enabling-and-disabling-the-dependency-graph-for-a-private-repository)." +* **Dependency graph:** Not enabled by default. The feature can be enabled by repository administrators. For more information, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/exploring-the-dependencies-of-a-repository#enabling-and-disabling-the-dependency-graph-for-a-private-repository). {% ifversion fpt %} * **Dependency review:** Available in private repositories owned by organizations that use {% data variables.product.prodname_ghe_cloud %} and have a license for {% data variables.product.prodname_GH_advanced_security %}. For more information, see the [{% data variables.product.prodname_ghe_cloud %} documentation](/enterprise-cloud@latest/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review). {% elsif ghec %} -* **Dependency review:** Available in private repositories owned by organizations provided you have a license for {% data variables.product.prodname_GH_advanced_security %} and the dependency graph enabled. For more information, see "[AUTOTITLE](/get-started/learning-about-github/about-github-advanced-security)" and "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/exploring-the-dependencies-of-a-repository#enabling-and-disabling-the-dependency-graph-for-a-private-repository)." +* **Dependency review:** Available in private repositories owned by organizations provided you have a license for {% data variables.product.prodname_GH_advanced_security %} and the dependency graph enabled. For more information, see [AUTOTITLE](/get-started/learning-about-github/about-github-advanced-security) and [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/exploring-the-dependencies-of-a-repository#enabling-and-disabling-the-dependency-graph-for-a-private-repository). {% endif %} * **{% data variables.product.prodname_dependabot_alerts %}:** Not enabled by default. Owners of private repositories, or people with admin access, can enable {% data variables.product.prodname_dependabot_alerts %} by enabling the dependency graph and {% data variables.product.prodname_dependabot_alerts %} for their repositories. - You can also enable or disable Dependabot alerts for all repositories owned by your user account or organization. For more information, see "[AUTOTITLE](/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-personal-account-settings/managing-security-and-analysis-settings-for-your-personal-account)" or "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization)." + You can also enable or disable Dependabot alerts for all repositories owned by your user account or organization. For more information, see [AUTOTITLE](/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-personal-account-settings/managing-security-and-analysis-settings-for-your-personal-account) or [AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization). Any repository type: -* **{% data variables.product.prodname_dependabot_security_updates %}:** Not enabled by default. You can enable {% data variables.product.prodname_dependabot_security_updates %} for any repository that uses {% data variables.product.prodname_dependabot_alerts %} and the dependency graph. For information about enabling security updates, see "[AUTOTITLE](/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates)." -* **{% data variables.product.prodname_dependabot_version_updates %}:** Not enabled by default. People with write permissions to a repository can enable {% data variables.product.prodname_dependabot_version_updates %}. For information about enabling version updates, see "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates)." +* **{% data variables.product.prodname_dependabot_security_updates %}:** Not enabled by default. You can enable {% data variables.product.prodname_dependabot_security_updates %} for any repository that uses {% data variables.product.prodname_dependabot_alerts %} and the dependency graph. For information about enabling security updates, see [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates). +* **{% data variables.product.prodname_dependabot_version_updates %}:** Not enabled by default. People with write permissions to a repository can enable {% data variables.product.prodname_dependabot_version_updates %}. For information about enabling version updates, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates). {% endif %} {% ifversion ghes %} -* **Dependency graph and {% data variables.product.prodname_dependabot_alerts %}:** Not enabled by default. Both features are configured at an enterprise level by the enterprise owner. For more information, see {% ifversion ghes %}"[AUTOTITLE](/admin/code-security/managing-supply-chain-security-for-your-enterprise/enabling-the-dependency-graph-for-your-enterprise)" and {% endif %}"[AUTOTITLE](/admin/configuration/configuring-github-connect/enabling-dependabot-for-your-enterprise)." -* **Dependency review:** Available when dependency graph is enabled for your instance and {% data variables.product.prodname_advanced_security %} is enabled for the organization or repository. For more information, see "[AUTOTITLE](/get-started/learning-about-github/about-github-advanced-security)." +* **Dependency graph and {% data variables.product.prodname_dependabot_alerts %}:** Not enabled by default. Both features are configured at an enterprise level by the enterprise owner. For more information, see {% ifversion ghes %}[AUTOTITLE](/admin/code-security/managing-supply-chain-security-for-your-enterprise/enabling-the-dependency-graph-for-your-enterprise) and {% endif %}[AUTOTITLE](/admin/configuration/configuring-github-connect/enabling-dependabot-for-your-enterprise). +* **Dependency review:** Available when dependency graph is enabled for your instance and {% data variables.product.prodname_advanced_security %} is enabled for the organization or repository. For more information, see [AUTOTITLE](/get-started/learning-about-github/about-github-advanced-security). {% endif %} {% ifversion ghes %} -* **{% data variables.product.prodname_dependabot_security_updates %}:** Not enabled by default. You can enable {% data variables.product.prodname_dependabot_security_updates %} for any repository that uses {% data variables.product.prodname_dependabot_alerts %} and the dependency graph. For information about enabling security updates, see "[AUTOTITLE](/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates)." -* **{% data variables.product.prodname_dependabot_version_updates %}:** Not enabled by default. People with write permissions to a repository can enable {% data variables.product.prodname_dependabot_version_updates %}. For information about enabling version updates, see "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates)." +* **{% data variables.product.prodname_dependabot_security_updates %}:** Not enabled by default. You can enable {% data variables.product.prodname_dependabot_security_updates %} for any repository that uses {% data variables.product.prodname_dependabot_alerts %} and the dependency graph. For information about enabling security updates, see [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates). +* **{% data variables.product.prodname_dependabot_version_updates %}:** Not enabled by default. People with write permissions to a repository can enable {% data variables.product.prodname_dependabot_version_updates %}. For information about enabling version updates, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates). {% endif %} diff --git a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph.md b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph.md index 6f48aa11b47d..4ae79f724d8f 100644 --- a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph.md +++ b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph.md @@ -24,27 +24,27 @@ shortTitle: Dependency graph When you push a commit to {% data variables.product.product_name %} that changes or adds a supported manifest or lock file to the default branch, the dependency graph is automatically updated.{% ifversion fpt or ghec %} In addition, the graph is updated when anyone pushes a change to the repository of one of your dependencies.{% endif %} -For information on the supported ecosystems and manifest files, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/dependency-graph-supported-package-ecosystems#supported-package-ecosystems)." +For information on the supported ecosystems and manifest files, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/dependency-graph-supported-package-ecosystems#supported-package-ecosystems). {% data reusables.dependency-submission.dependency-submission-link %} -When you create a pull request containing changes to dependencies that targets the default branch, {% data variables.product.prodname_dotcom %} uses the dependency graph to add dependency reviews to the pull request. These indicate whether the dependencies contain vulnerabilities and, if so, the version of the dependency in which the vulnerability was fixed. For more information, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review)." +When you create a pull request containing changes to dependencies that targets the default branch, {% data variables.product.prodname_dotcom %} uses the dependency graph to add dependency reviews to the pull request. These indicate whether the dependencies contain vulnerabilities and, if so, the version of the dependency in which the vulnerability was fixed. For more information, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review). {% data reusables.dependency-graph.sbom-export %} ## Dependency graph availability {% ifversion fpt or ghec %} -{% data reusables.dependency-graph.feature-availability %} For more information, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository)." +{% data reusables.dependency-graph.feature-availability %} For more information, see [AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository). -Repository administrators can also set up the dependency graph for private repositories. For more information, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-the-dependency-graph)." +Repository administrators can also set up the dependency graph for private repositories. For more information, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-the-dependency-graph). {% endif %} {% data reusables.dependabot.dependabot-alerts-dependency-graph-enterprise %} {% ifversion ghes %} -For more information about configuration of the dependency graph, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-the-dependency-graph)."{% endif %} +For more information about configuration of the dependency graph, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-the-dependency-graph).{% endif %} ## Dependencies included @@ -53,9 +53,9 @@ The dependency graph includes all the dependencies of a repository that are deta * Direct dependencies, that are explicitly defined in a manifest or lock file or have been submitted using the {% data variables.dependency-submission-api.name %} * Indirect dependencies of these direct dependencies, also known as transitive dependencies or sub-dependencies -The dependency graph identifies indirect dependencies{% ifversion fpt or ghec %} only if they are defined in a lock file or have been submitted using the {% data variables.dependency-submission-api.name %}. For the most reliable graph, you should use lock files (or their equivalent) because they define exactly which versions of the direct and indirect dependencies you currently use. If you use lock files, you also ensure that all contributors to the repository are using the same versions, which will make it easier for you to test and debug code{% else %} from the lock files{% endif %}. If your ecosystem does not have lock files, you can use pre-made actions that resolve transitive dependencies for many ecosystems. For more information, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api#using-pre-made-actions)." +The dependency graph identifies indirect dependencies{% ifversion fpt or ghec %} only if they are defined in a lock file or have been submitted using the {% data variables.dependency-submission-api.name %}. For the most reliable graph, you should use lock files (or their equivalent) because they define exactly which versions of the direct and indirect dependencies you currently use. If you use lock files, you also ensure that all contributors to the repository are using the same versions, which will make it easier for you to test and debug code{% else %} from the lock files{% endif %}. If your ecosystem does not have lock files, you can use pre-made actions that resolve transitive dependencies for many ecosystems. For more information, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api#using-pre-made-actions). -For more information on how {% data variables.product.product_name %} helps you understand the dependencies in your environment, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-supply-chain-security)." +For more information on how {% data variables.product.product_name %} helps you understand the dependencies in your environment, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-supply-chain-security). {% ifversion fpt or ghec %} @@ -67,14 +67,14 @@ For public repositories, only public repositories that depend on it or on packag You can use the dependency graph to: -* Explore the repositories your code depends on{% ifversion fpt or ghec %}, and those that depend on it{% endif %}. For more information, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/exploring-the-dependencies-of-a-repository)." {% ifversion ghec %} -* View a summary of the dependencies used in your organization's repositories in a single dashboard. For more information, see "[AUTOTITLE](/organizations/collaborating-with-groups-in-organizations/viewing-insights-for-dependencies-in-your-organization#viewing-organization-dependency-insights)."{% endif %} -* View and update vulnerable dependencies for your repository. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts)." -* See information about vulnerable dependencies in pull requests. For more information, see "[AUTOTITLE](/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/reviewing-dependency-changes-in-a-pull-request)." +* Explore the repositories your code depends on{% ifversion fpt or ghec %}, and those that depend on it{% endif %}. For more information, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/exploring-the-dependencies-of-a-repository). {% ifversion ghec %} +* View a summary of the dependencies used in your organization's repositories in a single dashboard. For more information, see [AUTOTITLE](/organizations/collaborating-with-groups-in-organizations/viewing-insights-for-dependencies-in-your-organization#viewing-organization-dependency-insights).{% endif %} +* View and update vulnerable dependencies for your repository. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts). +* See information about vulnerable dependencies in pull requests. For more information, see [AUTOTITLE](/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/reviewing-dependency-changes-in-a-pull-request). ## Further reading -* "[Dependency graph](https://en.wikipedia.org/wiki/Dependency_graph)" on Wikipedia -* "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/exploring-the-dependencies-of-a-repository)" -* "[AUTOTITLE](/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts)" -* "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/troubleshooting-the-detection-of-vulnerable-dependencies)" +* [Dependency graph](https://en.wikipedia.org/wiki/Dependency_graph) on Wikipedia +* [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/exploring-the-dependencies-of-a-repository) +* [AUTOTITLE](/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts) +* [AUTOTITLE](/code-security/dependabot/working-with-dependabot/troubleshooting-the-detection-of-vulnerable-dependencies) diff --git a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-automatic-dependency-submission-for-your-repository.md b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-automatic-dependency-submission-for-your-repository.md index f40b39abdc6a..41fcf46baf61 100644 --- a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-automatic-dependency-submission-for-your-repository.md +++ b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-automatic-dependency-submission-for-your-repository.md @@ -23,7 +23,7 @@ Dependency graph analyzes the manifest and lock files in a repository, in order When you enable automatic dependency submission for a repository, {% data variables.product.company_short %} automatically identifies the transitive dependencies in the repository and will submit these dependencies to {% data variables.product.company_short %} using the {% data variables.dependency-submission-api.name %}. You can then report on these dependencies using the dependency graph. -Using automatic dependency submission counts toward your {% data variables.product.prodname_actions %} minutes. For more information, see "[AUTOTITLE](/billing/managing-billing-for-github-actions/about-billing-for-github-actions)." +Using automatic dependency submission counts toward your {% data variables.product.prodname_actions %} minutes. For more information, see [AUTOTITLE](/billing/managing-billing-for-github-actions/about-billing-for-github-actions). Optionally, you can choose to configure self-hosted runners or {% data variables.product.company_short %}-hosted {% data variables.actions.hosted_runners %} for automatic dependency submission. For more information, see "[Using self-hosted runners for automatic dependency submission](/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-automatic-dependency-submission-for-your-repository#using-self-hosted-runners-for-automatic-dependency-submission )" and "[Using GitHub-hosted larger runners for automatic dependency submission](/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-automatic-dependency-submission-for-your-repository#using-github-hosted-larger-runners-for-automatic-dependency-submission @@ -33,13 +33,13 @@ Optionally, you can choose to configure self-hosted runners or {% data variables Dependency graph must be enabled for the repository for you to enable automatic dependency submission. -You must also enable {% data variables.product.prodname_actions %} for the repository in order to use automatic dependency submission. For more information, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository)." +You must also enable {% data variables.product.prodname_actions %} for the repository in order to use automatic dependency submission. For more information, see [AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository). ## Enabling automatic dependency submission Repository administrators can enable or disable automatic dependency submission for a repository by following the steps outlined in this procedure. -Organization owners can enable automatic dependency submission for multiple repositories using a security configuration. For more information, see "[AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/creating-a-custom-security-configuration)." +Organization owners can enable automatic dependency submission for multiple repositories using a security configuration. For more information, see [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/creating-a-custom-security-configuration). {% data reusables.repositories.navigate-to-repo %} {% data reusables.repositories.sidebar-settings %} @@ -58,8 +58,8 @@ You can view details about the automatic workflows run by viewing the **Actions* You can configure self-hosted runners to run automatic dependency submission jobs, instead of using the {% data variables.product.prodname_actions %} infrastructure. -1. Provision one or more self-hosted runners, at the repository or organization level. For more information, see "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners)" and "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/adding-self-hosted-runners)." The self-hosted runners must be running on Linux or macOS, and must have Docker installed. -1. Assign a `dependency-submission` label to each runner you want automatic dependency submission to use. For more information, see "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/using-labels-with-self-hosted-runners#assigning-a-label-to-a-self-hosted-runner)." +1. Provision one or more self-hosted runners, at the repository or organization level. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners) and [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/adding-self-hosted-runners). The self-hosted runners must be running on Linux or macOS, and must have Docker installed. +1. Assign a `dependency-submission` label to each runner you want automatic dependency submission to use. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/using-labels-with-self-hosted-runners#assigning-a-label-to-a-self-hosted-runner). {% data reusables.repositories.navigate-to-code-security-and-analysis %} 1. Under "Dependency graph", click the dropdown menu next to “Automatic dependency submission”, then select **Enabled for labeled runners**. @@ -73,17 +73,17 @@ Once enabled, automatic dependency submission jobs will run on the self-hosted r {% data variables.product.prodname_team %} or {% data variables.product.prodname_ghe_cloud %} users can use {% data variables.actions.hosted_runners %} to run automatic dependency submissions jobs. -1. Provision a larger runner at the organization level with the name `dependency-submission`. For more information, see "[Adding a {% data variables.actions.hosted_runner %} to an organization](/actions/using-github-hosted-runners/about-larger-runners/managing-larger-runners#adding-a-larger-runner-to-an-organization)." -1. Give your repository access to the runner. For more information, see "[Allowing repositories to access {% data variables.actions.hosted_runners %}](/actions/using-github-hosted-runners/about-larger-runners/managing-larger-runners#allowing-repositories-to-access-larger-runners)." +1. Provision a larger runner at the organization level with the name `dependency-submission`. For more information, see [Adding a {% data variables.actions.hosted_runner %} to an organization](/actions/using-github-hosted-runners/about-larger-runners/managing-larger-runners#adding-a-larger-runner-to-an-organization). +1. Give your repository access to the runner. For more information, see [Allowing repositories to access {% data variables.actions.hosted_runners %}](/actions/using-github-hosted-runners/about-larger-runners/managing-larger-runners#allowing-repositories-to-access-larger-runners). 1. Under "Dependency graph", click the dropdown menu next to “Automatic dependency submission”, then select **Enabled for labeled runners**. ## Troubleshooting automatic dependency submission Automatic dependency submission is currently only supported for Maven. The feature uses the Maven Dependency Tree Submission action. For more information, see the documentation for the [Maven Dependency Tree Dependency Submission](https://github.com/marketplace/actions/maven-dependency-tree-dependency-submission) action in the {% data variables.product.prodname_marketplace %}. If your project uses a non-standard Maven configuration, it may not properly generate the dependencies and submit them to the dependency graph. -Automatic dependency submission makes a best effort to cache package downloads between runs using the [Cache](https://github.com/marketplace/actions/cache) action to speed up workflows. For self-hosted runners, you may want to manage this cache within your own infrastructure. To do this, you can disable the built-in caching by setting an environment variable of `GH_DEPENDENCY_SUBMISSION_SKIP_CACHE` to `true`. For more information, see "[AUTOTITLE](/actions/learn-github-actions/variables)." +Automatic dependency submission makes a best effort to cache package downloads between runs using the [Cache](https://github.com/marketplace/actions/cache) action to speed up workflows. For self-hosted runners, you may want to manage this cache within your own infrastructure. To do this, you can disable the built-in caching by setting an environment variable of `GH_DEPENDENCY_SUBMISSION_SKIP_CACHE` to `true`. For more information, see [AUTOTITLE](/actions/learn-github-actions/variables). ## Further reading -* "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-supply-chain-security)" -* "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api)" +* [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-supply-chain-security) +* [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api) diff --git a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-the-dependency-graph.md b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-the-dependency-graph.md index 07f11fdb02ee..c299bd56dfed 100644 --- a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-the-dependency-graph.md +++ b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-the-dependency-graph.md @@ -19,13 +19,13 @@ shortTitle: Configure dependency graph {% data reusables.dependabot.about-the-dependency-graph %} -For more information, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph)." +For more information, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph). {% ifversion fpt or ghec %} ## Configuring the dependency graph -To generate a dependency graph, {% data variables.product.product_name %} needs read-only access to the dependency manifest and lock files for a repository. The dependency graph is automatically generated for all public repositories and you can choose to enable it for private {% ifversion ghec %}and internal {% endif %}repositories. For more information on viewing the dependency graph, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/exploring-the-dependencies-of-a-repository)." +To generate a dependency graph, {% data variables.product.product_name %} needs read-only access to the dependency manifest and lock files for a repository. The dependency graph is automatically generated for all public repositories and you can choose to enable it for private {% ifversion ghec %}and internal {% endif %}repositories. For more information on viewing the dependency graph, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/exploring-the-dependencies-of-a-repository). {% data reusables.dependency-submission.dependency-submission-link %} @@ -59,8 +59,8 @@ When the dependency graph is first enabled, any manifest and lock files for supp ## Further reading {%- ifversion maven-transitive-dependencies %} -* "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-automatic-dependency-submission-for-your-repository)"{%- endif %} +* [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-automatic-dependency-submission-for-your-repository){%- endif %} {%- ifversion ghec %} -* "[AUTOTITLE](/organizations/collaborating-with-groups-in-organizations/viewing-insights-for-dependencies-in-your-organization)"{%- endif %} -* "[AUTOTITLE](/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts)" -* "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/troubleshooting-the-detection-of-vulnerable-dependencies)" +* [AUTOTITLE](/organizations/collaborating-with-groups-in-organizations/viewing-insights-for-dependencies-in-your-organization){%- endif %} +* [AUTOTITLE](/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts) +* [AUTOTITLE](/code-security/dependabot/working-with-dependabot/troubleshooting-the-detection-of-vulnerable-dependencies) diff --git a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-the-dependency-review-action.md b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-the-dependency-review-action.md index 88b678b6b34c..8524136ee791 100644 --- a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-the-dependency-review-action.md +++ b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-the-dependency-review-action.md @@ -198,4 +198,4 @@ For further details about the configuration options, see [`dependency-review-act ## Further reading -* "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/customizing-your-dependency-review-action-configuration)" +* [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/customizing-your-dependency-review-action-configuration) diff --git a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/customizing-your-dependency-review-action-configuration.md b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/customizing-your-dependency-review-action-configuration.md index 7db54ca354ed..4a198d5cb9ca 100644 --- a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/customizing-your-dependency-review-action-configuration.md +++ b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/customizing-your-dependency-review-action-configuration.md @@ -24,8 +24,8 @@ This guide shows you how to add three very common customizations: failing builds This guide assumes that: -* Dependency graph is enabled for the repository.{% ifversion fpt or ghec %} Dependency graph is enabled by default for public repositories and you can choose to enable it for private repositories.{% endif %} For more information, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-the-dependency-graph#enabling-and-disabling-the-dependency-graph-for-a-private-repository)". -* {% data variables.product.prodname_actions %} is enabled for the repository. For more information, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository)". +* Dependency graph is enabled for the repository.{% ifversion fpt or ghec %} Dependency graph is enabled by default for public repositories and you can choose to enable it for private repositories.{% endif %} For more information, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-the-dependency-graph#enabling-and-disabling-the-dependency-graph-for-a-private-repository). +* {% data variables.product.prodname_actions %} is enabled for the repository. For more information, see [AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository). ## Step 1: Adding the dependency review action @@ -144,5 +144,5 @@ When customizing your dependency review configuration, there are some best pract ## Further reading -* "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-the-dependency-review-action)"{% ifversion repo-rules %} -* "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/enforcing-dependency-review-across-an-organization)"{% endif %} +* [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-the-dependency-review-action){% ifversion repo-rules %} +* [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/enforcing-dependency-review-across-an-organization){% endif %} diff --git a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/dependency-graph-supported-package-ecosystems.md b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/dependency-graph-supported-package-ecosystems.md index 77e68e4e8443..831ee61ded06 100644 --- a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/dependency-graph-supported-package-ecosystems.md +++ b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/dependency-graph-supported-package-ecosystems.md @@ -18,7 +18,7 @@ versions: ## About the dependency graph -{% data reusables.dependabot.about-the-dependency-graph %} For more information, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph)." +{% data reusables.dependabot.about-the-dependency-graph %} For more information, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph). In this article, you can see what the supported ecosystems are. @@ -30,7 +30,7 @@ The recommended formats explicitly define which versions are used for all direct {% ifversion maven-transitive-dependencies %} -For ecosystems that resolve transitive dependencies at build-time, we recommend configuring dependency submission to automatically submit these dependencies to the dependency graph. For more information, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-automatic-dependency-submission-for-your-repository)." +For ecosystems that resolve transitive dependencies at build-time, we recommend configuring dependency submission to automatically submit these dependencies to the dependency graph. For more information, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-automatic-dependency-submission-for-your-repository). {% endif %} @@ -38,10 +38,10 @@ For ecosystems that resolve transitive dependencies at build-time, we recommend You can use the {% data variables.dependency-submission-api.name %} to add build-time dependencies to the dependency graph, or to add dependencies from package managers and ecosystems of your choice to the dependency graph, even if the ecosystem is not in the supported ecosystem list above. Dependency information from these submitted dependencies will, in turn, flow into {% data variables.product.prodname_dependabot_updates %} and {% data variables.product.prodname_dependabot_alerts %}. -{% data reusables.dependency-graph.dependency-submission-API-short %} For more information on the {% data variables.dependency-submission-api.name %}, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api)." +{% data reusables.dependency-graph.dependency-submission-API-short %} For more information on the {% data variables.dependency-submission-api.name %}, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api). You typically use the {% data variables.dependency-submission-api.name %} in a {% data variables.product.prodname_actions %} workflow to submit dependencies for your project when your project is built. {% data reusables.dependency-submission.api-premade-actions %} You can find links to the currently available actions in the table below. {% data reusables.dependency-submission.premade-action-table %} -You can also create your own action. For more information, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api#creating-your-own-action)." +You can also create your own action. For more information, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api#creating-your-own-action). diff --git a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/enforcing-dependency-review-across-an-organization.md b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/enforcing-dependency-review-across-an-organization.md index fdbd281b0895..455e69172c51 100644 --- a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/enforcing-dependency-review-across-an-organization.md +++ b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/enforcing-dependency-review-across-an-organization.md @@ -18,13 +18,13 @@ topics: {% data reusables.dependency-review.action-enterprise %} -{% data reusables.dependency-review.about-dependency-review-action %} For more information, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#about-the-dependency-review-action)." +{% data reusables.dependency-review.about-dependency-review-action %} For more information, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#about-the-dependency-review-action). -You can enforce the use of the {% data variables.dependency-review.action_name %} in your organization by setting up a repository ruleset that will require the `dependency-review-action` workflow to pass before pull requests can be merged. Repository rulesets are rule settings that allow you to control how users can interact with selected branches and tags in your repositories. For more information, see "[AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets)" and "[Require workflows to pass before merging](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/available-rules-for-rulesets#require-workflows-to-pass-before-merging)." +You can enforce the use of the {% data variables.dependency-review.action_name %} in your organization by setting up a repository ruleset that will require the `dependency-review-action` workflow to pass before pull requests can be merged. Repository rulesets are rule settings that allow you to control how users can interact with selected branches and tags in your repositories. For more information, see [AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets) and [Require workflows to pass before merging](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/available-rules-for-rulesets#require-workflows-to-pass-before-merging). ## Prerequisites -You need to add the {% data variables.dependency-review.action_name %} to one of the repositories in your organization, and configure the action. For more information, see "[Configuring the dependency review action](/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-the-dependency-review-action)." +You need to add the {% data variables.dependency-review.action_name %} to one of the repositories in your organization, and configure the action. For more information, see [Configuring the dependency review action](/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-the-dependency-review-action). ## Enforcing dependency review for your organization @@ -33,10 +33,10 @@ You need to add the {% data variables.dependency-review.action_name %} to one of {% data reusables.organizations.access-ruleset-settings %} 1. Click **New branch ruleset**. 1. Set **Enforcement status** to **{% octicon "play" aria-hidden="true" %} Active**. -1. Optionally, you can target specific repositories in your organization. For more information, see "[Choosing which repositories to target in your organization](/organizations/managing-organization-settings/creating-rulesets-for-repositories-in-your-organization#choosing-which-repositories-to-target-in-your-organization)." +1. Optionally, you can target specific repositories in your organization. For more information, see [Choosing which repositories to target in your organization](/organizations/managing-organization-settings/creating-rulesets-for-repositories-in-your-organization#choosing-which-repositories-to-target-in-your-organization). 1. In the "Rules" section, select the "Require workflows to pass before merging" option. 1. In "Workflow configurations", click **Add workflow**. -1. In the dialog, select the repository that you added the {% data variables.dependency-review.action_name %} to. For more information, see "[Prerequisites](#prerequisites)." +1. In the dialog, select the repository that you added the {% data variables.dependency-review.action_name %} to. For more information, see [Prerequisites](#prerequisites). 1. Select a branch and the workflow file for dependency review in the enhanced dialog. ![Screenshot of the Add required workflow dialog. You need to specify a repository, branch, and workflow.](/assets/images/help/repository/add-required-workflow-dialog.png) diff --git a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/exploring-the-dependencies-of-a-repository.md b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/exploring-the-dependencies-of-a-repository.md index ebc468d18883..56fc531ae17f 100644 --- a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/exploring-the-dependencies-of-a-repository.md +++ b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/exploring-the-dependencies-of-a-repository.md @@ -24,7 +24,7 @@ shortTitle: Explore dependencies ## Viewing the dependency graph -The dependency graph shows the dependencies{% ifversion fpt or ghec %} and dependents{% endif %} of your repository. {% ifversion dependency-graph-repository-view-update %} {% data reusables.dependency-graph.repository-view-update %}{% endif %} For information about the detection of dependencies and which ecosystems are supported, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/dependency-graph-supported-package-ecosystems)." +The dependency graph shows the dependencies{% ifversion fpt or ghec %} and dependents{% endif %} of your repository. {% ifversion dependency-graph-repository-view-update %} {% data reusables.dependency-graph.repository-view-update %}{% endif %} For information about the detection of dependencies and which ecosystems are supported, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/dependency-graph-supported-package-ecosystems). {% data reusables.repositories.navigate-to-repo %} {% data reusables.repositories.accessing-repository-graphs %} @@ -46,7 +46,7 @@ The dependency graph shows the dependencies{% ifversion fpt or ghec %} and depen {% endif %} {% ifversion ghes %} -Enterprise owners can configure the dependency graph at an enterprise level. For more information, see "[AUTOTITLE](/admin/code-security/managing-supply-chain-security-for-your-enterprise/enabling-the-dependency-graph-for-your-enterprise)." +Enterprise owners can configure the dependency graph at an enterprise level. For more information, see [AUTOTITLE](/admin/code-security/managing-supply-chain-security-for-your-enterprise/enabling-the-dependency-graph-for-your-enterprise). {% endif %} ### Dependencies view @@ -60,7 +60,7 @@ Any direct and indirect dependencies that are specified in the repository's mani {% endif %} {% ifversion dependency-graph-repository-view-update %} -Dependencies submitted to a project using the {% data variables.dependency-submission-api.name %} will show which detector was used for their submission and when they were submitted.{% elsif ghes %}Dependencies submitted to a project using the {% data variables.dependency-submission-api.name %}, although also grouped by ecosystem, are shown separately from dependencies identified through manifest or lock files in the repository. These submitted dependencies appear in the dependency graph as "Snapshot dependencies" because they are submitted as a snapshot, or set, of dependencies.{% else %}{% endif %} For more information on using the {% data variables.dependency-submission-api.name %}, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api)." +Dependencies submitted to a project using the {% data variables.dependency-submission-api.name %} will show which detector was used for their submission and when they were submitted.{% elsif ghes %}Dependencies submitted to a project using the {% data variables.dependency-submission-api.name %}, although also grouped by ecosystem, are shown separately from dependencies identified through manifest or lock files in the repository. These submitted dependencies appear in the dependency graph as "Snapshot dependencies" because they are submitted as a snapshot, or set, of dependencies.{% else %}{% endif %} For more information on using the {% data variables.dependency-submission-api.name %}, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api). If vulnerabilities have been detected in the repository, these are shown at the top of the view for users with access to {% data variables.product.prodname_dependabot_alerts %}. @@ -115,8 +115,8 @@ If a manifest or lock file is not processed, its dependencies are omitted from t ## Further reading -* "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph)" -* "[AUTOTITLE](/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts)"{% ifversion ghec %} -* "[AUTOTITLE](/organizations/collaborating-with-groups-in-organizations/viewing-insights-for-dependencies-in-your-organization)"{% endif %}{% ifversion fpt or ghec %} -* "[AUTOTITLE](/get-started/privacy-on-github)" +* [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph) +* [AUTOTITLE](/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts){% ifversion ghec %} +* [AUTOTITLE](/organizations/collaborating-with-groups-in-organizations/viewing-insights-for-dependencies-in-your-organization){% endif %}{% ifversion fpt or ghec %} +* [AUTOTITLE](/get-started/privacy-on-github) {% endif %} diff --git a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/exporting-a-software-bill-of-materials-for-your-repository.md b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/exporting-a-software-bill-of-materials-for-your-repository.md index 7d91ee87e57e..82ab0dc92803 100644 --- a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/exporting-a-software-bill-of-materials-for-your-repository.md +++ b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/exporting-a-software-bill-of-materials-for-your-repository.md @@ -38,4 +38,4 @@ If your company provides software to the US federal government per [Executive Or ## Exporting a software bill of materials for your repository using the REST API -If you want to use the REST API to export an SBOM for your repository, see "[AUTOTITLE](/rest/dependency-graph/sboms#export-a-software-bill-of-materials-sbom-for-a-repository)." +If you want to use the REST API to export an SBOM for your repository, see [AUTOTITLE](/rest/dependency-graph/sboms#export-a-software-bill-of-materials-sbom-for-a-repository). diff --git a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/troubleshooting-the-dependency-graph.md b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/troubleshooting-the-dependency-graph.md index 73b98cc49411..b68ad1de67ec 100644 --- a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/troubleshooting-the-dependency-graph.md +++ b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/troubleshooting-the-dependency-graph.md @@ -26,7 +26,7 @@ The dependency graph automatically includes information on dependencies that are The dependency graph doesn't automatically include "loose" dependencies. "Loose" dependencies are individual files that are copied from another source and checked into the repository directly or within an archive (such as a ZIP or JAR file), rather than being referenced by in a package manager’s manifest or lockfile. -However, you can use the {% data variables.dependency-submission-api.name %} to add dependencies to a project's dependency graph, even if the dependencies are not declared in a manifest or lock file, such as dependencies resolved when a project is built. {% data reusables.dependency-graph.dependency-submission-API-short %} For more information on the {% data variables.dependency-submission-api.name %}, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api)." +However, you can use the {% data variables.dependency-submission-api.name %} to add dependencies to a project's dependency graph, even if the dependencies are not declared in a manifest or lock file, such as dependencies resolved when a project is built. {% data reusables.dependency-graph.dependency-submission-API-short %} For more information on the {% data variables.dependency-submission-api.name %}, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api). **Check:** Is the missing dependency for a component that's not specified in the repository's manifest or lockfile? @@ -34,7 +34,7 @@ However, you can use the {% data variables.dependency-submission-api.name %} to The dependency graph analyzes manifests as they’re pushed to {% data variables.product.prodname_dotcom %}. The dependency graph doesn't, therefore, have access to the build environment of the project, so it can't resolve variables used within manifests. If you use variables within a manifest to specify the name, or more commonly the version of a dependency, then that dependency will not automatically be included in the dependency graph. -However, you can use the {% data variables.dependency-submission-api.name %} to add dependencies to a project's dependency graph, even if the dependencies are only resolved when a project is built. For more information on the {% data variables.dependency-submission-api.name %}, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api)." +However, you can use the {% data variables.dependency-submission-api.name %} to add dependencies to a project's dependency graph, even if the dependencies are only resolved when a project is built. For more information on the {% data variables.dependency-submission-api.name %}, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api). **Check:** Is the missing dependency declared in the manifest by using a variable for its name or version? @@ -65,7 +65,7 @@ Yes, the dependency graph has {% ifversion dependency-graph-repository-view-upda ## Further reading -* "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph)" -* "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository)" -* "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/troubleshooting-the-detection-of-vulnerable-dependencies)" -* "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/troubleshooting-dependabot-errors)" +* [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph) +* [AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository) +* [AUTOTITLE](/code-security/dependabot/working-with-dependabot/troubleshooting-the-detection-of-vulnerable-dependencies) +* [AUTOTITLE](/code-security/dependabot/working-with-dependabot/troubleshooting-dependabot-errors) diff --git a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api.md b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api.md index 4ab565119d2f..82054076e1ab 100644 --- a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api.md +++ b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api.md @@ -17,7 +17,7 @@ versions: {% data reusables.dependency-submission.about-dependency-submission %} -Dependencies are submitted to the {% data variables.dependency-submission-api.name %} in the form of a snapshot. A snapshot is a set of dependencies associated with a commit SHA and other metadata, that reflects the current state of your repository for a commit. Snapshots can be generated from your dependencies detected at build time or from a software bill of materials (SBOM). There are {% data variables.product.prodname_actions %} that support either of these use cases. For more information about the {% data variables.dependency-submission-api.name %}, see "[AUTOTITLE](/rest/dependency-graph/dependency-submission)." +Dependencies are submitted to the {% data variables.dependency-submission-api.name %} in the form of a snapshot. A snapshot is a set of dependencies associated with a commit SHA and other metadata, that reflects the current state of your repository for a commit. Snapshots can be generated from your dependencies detected at build time or from a software bill of materials (SBOM). There are {% data variables.product.prodname_actions %} that support either of these use cases. For more information about the {% data variables.dependency-submission-api.name %}, see [AUTOTITLE](/rest/dependency-graph/dependency-submission). ## Submitting dependencies at build-time @@ -27,17 +27,17 @@ You can use the {% data variables.dependency-submission-api.name %} in a {% data {% data reusables.dependency-submission.api-premade-actions %} -For more information about these actions, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/dependency-graph-supported-package-ecosystems#package-ecosystems-supported-via-dependency-submission-actions)." +For more information about these actions, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/dependency-graph-supported-package-ecosystems#package-ecosystems-supported-via-dependency-submission-actions). ### Creating your own action Alternatively, you can write your own action to submit dependencies for your project at build-time. Your workflow should: 1. Generate a list of dependencies for your project. - 1. Translate the list of dependencies into the snapshot format accepted by the {% data variables.dependency-submission-api.name %}. For more information about the format, see the body parameters for the "Create a repository snapshot" API endpoint in "[AUTOTITLE](/rest/dependency-graph/dependency-submission)." + 1. Translate the list of dependencies into the snapshot format accepted by the {% data variables.dependency-submission-api.name %}. For more information about the format, see the body parameters for the "Create a repository snapshot" API endpoint in [AUTOTITLE](/rest/dependency-graph/dependency-submission). 1. Submit the formatted list of dependencies to the {% data variables.dependency-submission-api.name %}. -{% data variables.product.product_name %} maintains the [Dependency Submission Toolkit](https://github.com/github/dependency-submission-toolkit), a TypeScript library to help you build your own GitHub Action for submitting dependencies to the {% data variables.dependency-submission-api.name %}. For more information about writing an action, see "[AUTOTITLE](/actions/creating-actions)". +{% data variables.product.product_name %} maintains the [Dependency Submission Toolkit](https://github.com/github/dependency-submission-toolkit), a TypeScript library to help you build your own GitHub Action for submitting dependencies to the {% data variables.dependency-submission-api.name %}. For more information about writing an action, see [AUTOTITLE](/actions/creating-actions). ## Generating and submitting a software bill of materials (SBOM) @@ -46,9 +46,9 @@ Alternatively, you can write your own action to submit dependencies for your pro ### Generating a software bill of materials (SBOM) To generate an SBOM, you can use: -* The **{% data variables.product.prodname_dotcom %} UI**. For more information about how to export an SBOM for a repository using information from the dependency graph, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/exporting-a-software-bill-of-materials-for-your-repository)." -* The **REST API**. For more information, see "[AUTOTITLE](/rest/dependency-graph/sboms)." -* **{% data variables.product.prodname_actions %}**. The following actions will generate an SBOM for your repository and attach it as a workflow artifact which you can download and use in other applications. For more information about downloading workflow artifacts, see "[AUTOTITLE](/actions/managing-workflow-runs/downloading-workflow-artifacts)." +* The **{% data variables.product.prodname_dotcom %} UI**. For more information about how to export an SBOM for a repository using information from the dependency graph, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/exporting-a-software-bill-of-materials-for-your-repository). +* The **REST API**. For more information, see [AUTOTITLE](/rest/dependency-graph/sboms). +* **{% data variables.product.prodname_actions %}**. The following actions will generate an SBOM for your repository and attach it as a workflow artifact which you can download and use in other applications. For more information about downloading workflow artifacts, see [AUTOTITLE](/actions/managing-workflow-runs/downloading-workflow-artifacts). Action | Details | --- | --- | From 0fd09b3f11e3ee1cc397662882443dc44d945975 Mon Sep 17 00:00:00 2001 From: Ashley Date: Thu, 12 Dec 2024 06:06:10 -0500 Subject: [PATCH 2/2] [Remove Quotes] removed quotations from links in files in content/actions (#53540) Co-authored-by: Anne-Marie <102995847+am-stead@users.noreply.github.com> --- ...ntinuous-deployment-with-github-actions.md | 14 +- ...tinuous-integration-with-github-actions.md | 10 +- .../understanding-github-actions.md | 16 +-- ...rets-and-runners-with-your-organization.md | 8 +- ...usage-limits-billing-and-administration.md | 28 ++-- .../about-actions-runner-controller.md | 12 +- .../authenticating-to-the-github-api.md | 6 +- ...ale-sets-with-actions-runner-controller.md | 34 ++--- ...uickstart-for-actions-runner-controller.md | 18 +-- ...ooting-actions-runner-controller-errors.md | 2 +- ...runner-controller-runners-in-a-workflow.md | 4 +- .../about-self-hosted-runners.md | 28 ++-- .../adding-self-hosted-runners.md | 28 ++-- .../autoscaling-with-self-hosted-runners.md | 14 +- ...-hosted-runner-application-as-a-service.md | 6 +- ...customizing-the-containers-used-by-jobs.md | 20 +-- ...and-troubleshooting-self-hosted-runners.md | 10 +- .../removing-self-hosted-runners.md | 8 +- .../running-scripts-before-or-after-a-job.md | 12 +- ...a-proxy-server-with-self-hosted-runners.md | 2 +- .../using-labels-with-self-hosted-runners.md | 4 +- ...using-self-hosted-runners-in-a-workflow.md | 6 +- ...ring-custom-deployment-protection-rules.md | 8 +- ...ting-custom-deployment-protection-rules.md | 24 ++-- .../managing-environments-for-deployment.md | 46 +++--- .../reviewing-deployments.md | 10 +- .../viewing-deployment-history.md | 8 +- ...roving-workflow-runs-from-private-forks.md | 2 +- .../canceling-a-workflow.md | 2 +- .../disabling-and-enabling-a-workflow.md | 2 +- .../downloading-workflow-artifacts.md | 2 +- .../manually-running-a-workflow.md | 6 +- .../re-running-workflows-and-jobs.md | 4 +- .../removing-workflow-artifacts.md | 6 +- .../skipping-workflow-runs.md | 2 +- ...-from-azure-pipelines-to-github-actions.md | 14 +- ...grating-from-circleci-to-github-actions.md | 20 +-- ...ting-from-gitlab-cicd-to-github-actions.md | 16 +-- ...igrating-from-jenkins-to-github-actions.md | 8 +- ...rating-from-travis-ci-to-github-actions.md | 38 ++--- ...tions-importer-with-custom-transformers.md | 14 +- ...ure-devops-with-github-actions-importer.md | 10 +- ...rom-bamboo-with-github-actions-importer.md | 6 +- ...-pipelines-with-github-actions-importer.md | 6 +- ...m-circleci-with-github-actions-importer.md | 2 +- ...rom-gitlab-with-github-actions-importer.md | 6 +- ...om-jenkins-with-github-actions-importer.md | 6 +- ...-travis-ci-with-github-actions-importer.md | 8 +- .../about-monitoring-workflows.md | 12 +- .../adding-a-workflow-status-badge.md | 4 +- .../using-workflow-run-logs.md | 6 +- .../viewing-job-execution-time.md | 2 +- .../about-troubleshooting-workflows.md | 10 +- .../enabling-debug-logging.md | 8 +- ...working-with-support-for-github-actions.md | 20 +-- .../automatic-token-authentication.md | 24 ++-- .../security-hardening-for-github-actions.md | 50 +++---- ...es-to-secure-your-use-of-github-actions.md | 24 ++-- .../using-secrets-in-github-actions.md | 26 ++-- ...-security-hardening-with-openid-connect.md | 44 +++--- ...g-openid-connect-in-amazon-web-services.md | 4 +- .../configuring-openid-connect-in-azure.md | 6 +- ...uring-openid-connect-in-cloud-providers.md | 4 +- ...openid-connect-in-google-cloud-platform.md | 2 +- ...uring-openid-connect-in-hashicorp-vault.md | 6 +- .../configuring-openid-connect-in-jfrog.md | 4 +- ...-openid-connect-with-reusable-workflows.md | 8 +- ...kflows-to-achieve-slsa-v1-build-level-3.md | 8 +- ...ions-to-establish-provenance-for-builds.md | 8 +- .../verifying-attestations-offline.md | 2 +- .../avoiding-duplication.md | 2 +- .../creating-actions/about-custom-actions.md | 14 +- .../creating-a-composite-action.md | 16 +-- .../creating-a-docker-container-action.md | 24 ++-- .../creating-a-javascript-action.md | 12 +- .../developing-a-third-party-cli-action.md | 4 +- .../dockerfile-support-for-github-actions.md | 12 +- .../metadata-syntax-for-github-actions.md | 26 ++-- ...ublishing-actions-in-github-marketplace.md | 6 +- .../releasing-and-maintaining-actions.md | 18 +-- .../setting-exit-codes-for-actions.md | 4 +- ...orkflow-templates-for-your-organization.md | 4 +- .../sharing-automations/required-workflows.md | 2 +- .../sharing-automations/reusing-workflows.md | 52 +++---- ...-workflows-from-your-private-repository.md | 6 +- ...ions-and-workflows-with-your-enterprise.md | 8 +- ...ns-and-workflows-with-your-organization.md | 6 +- .../building-and-testing-go.md | 8 +- .../building-and-testing-java-with-ant.md | 8 +- .../building-and-testing-java-with-gradle.md | 8 +- .../building-and-testing-java-with-maven.md | 8 +- .../building-and-testing-net.md | 6 +- .../building-and-testing-nodejs.md | 20 +-- .../building-and-testing-powershell.md | 14 +- .../building-and-testing-python.md | 18 +-- .../building-and-testing-ruby.md | 4 +- .../building-and-testing-swift.md | 6 +- ...ilding-and-testing-xamarin-applications.md | 6 +- .../deploying-docker-to-azure-app-service.md | 4 +- .../deploying-java-to-azure-app-service.md | 2 +- .../deploying-net-to-azure-app-service.md | 2 +- .../deploying-nodejs-to-azure-app-service.md | 4 +- .../deploying-php-to-azure-app-service.md | 2 +- .../deploying-python-to-azure-app-service.md | 2 +- ...ing-to-amazon-elastic-container-service.md | 8 +- .../deploying-to-azure-kubernetes-service.md | 4 +- .../deploying-to-azure-static-web-app.md | 8 +- .../deploying-to-google-kubernetes-engine.md | 6 +- .../deploying-with-github-actions.md | 24 ++-- ...-on-macos-runners-for-xcode-development.md | 6 +- .../adding-labels-to-issues.md | 8 +- .../closing-inactive-issues.md | 4 +- ...nting-on-an-issue-when-a-label-is-added.md | 10 +- ...oving-assigned-issues-on-project-boards.md | 12 +- ...card-is-added-to-a-project-board-column.md | 12 +- .../scheduling-issue-creation.md | 8 +- ...g-github-actions-for-project-management.md | 14 +- .../about-packaging-with-github-actions.md | 2 +- .../publishing-docker-images.md | 24 ++-- .../publishing-java-packages-with-gradle.md | 26 ++-- .../publishing-java-packages-with-maven.md | 24 ++-- .../publishing-nodejs-packages.md | 24 ++-- .../about-service-containers.md | 12 +- .../creating-postgresql-service-containers.md | 6 +- .../creating-redis-service-containers.md | 6 +- ...e-networking-with-github-hosted-runners.md | 8 +- .../using-an-api-gateway-with-oidc.md | 4 +- ...g-wireguard-to-create-a-network-overlay.md | 4 +- .../about-github-hosted-runners.md | 30 ++-- .../customizing-github-hosted-runners.md | 2 +- .../monitoring-your-current-jobs.md | 2 +- .../about-larger-runners.md | 28 ++-- .../controlling-access-to-larger-runners.md | 2 +- .../managing-larger-runners.md | 12 +- .../running-jobs-on-larger-runners.md | 4 +- .../writing-workflows/about-workflows.md | 24 ++-- ...textual-information-about-workflow-runs.md | 44 +++--- .../adding-scripts-to-your-workflow.md | 4 +- ...hing-dependencies-to-speed-up-workflows.md | 28 ++-- ...te-expressions-in-workflows-and-actions.md | 16 +-- .../store-information-in-variables.md | 34 ++--- ...toring-and-sharing-data-from-a-workflow.md | 16 +-- .../using-environments-for-deployment.md | 2 +- ...ritten-building-blocks-in-your-workflow.md | 16 +-- .../workflow-commands-for-github-actions.md | 18 +-- .../events-that-trigger-workflows.md | 136 +++++++++--------- .../triggering-a-workflow.md | 22 +-- ...ing-conditions-to-control-job-execution.md | 2 +- .../actions/writing-workflows/quickstart.md | 10 +- .../using-workflow-templates.md | 14 +- .../workflow-syntax-for-github-actions.md | 52 +++---- 151 files changed, 984 insertions(+), 984 deletions(-) diff --git a/content/actions/about-github-actions/about-continuous-deployment-with-github-actions.md b/content/actions/about-github-actions/about-continuous-deployment-with-github-actions.md index 8d31a045e66d..20f8058911b9 100644 --- a/content/actions/about-github-actions/about-continuous-deployment-with-github-actions.md +++ b/content/actions/about-github-actions/about-continuous-deployment-with-github-actions.md @@ -22,15 +22,15 @@ topics: _Continuous deployment_ (CD) is the practice of using automation to publish and deploy software updates. As part of the typical CD process, the code is automatically built and tested before deployment. -Continuous deployment is often coupled with continuous integration. For more information about continuous integration, see "[AUTOTITLE](/actions/automating-builds-and-tests/about-continuous-integration)". +Continuous deployment is often coupled with continuous integration. For more information about continuous integration, see [AUTOTITLE](/actions/automating-builds-and-tests/about-continuous-integration). ## About continuous deployment using {% data variables.product.prodname_actions %} You can set up a {% data variables.product.prodname_actions %} workflow to deploy your software product. To verify that your product works as expected, your workflow can build the code in your repository and run your tests before deploying. -You can configure your CD workflow to run when a {% data variables.product.product_name %} event occurs (for example, when new code is pushed to the default branch of your repository), on a set schedule, manually, or when an external event occurs using the repository dispatch webhook. For more information about when your workflow can run, see "[AUTOTITLE](/actions/using-workflows/events-that-trigger-workflows)." +You can configure your CD workflow to run when a {% data variables.product.product_name %} event occurs (for example, when new code is pushed to the default branch of your repository), on a set schedule, manually, or when an external event occurs using the repository dispatch webhook. For more information about when your workflow can run, see [AUTOTITLE](/actions/using-workflows/events-that-trigger-workflows). -{% data variables.product.prodname_actions %} provides features that give you more control over deployments. For example, you can use environments to require approval for a job to proceed, restrict which branches can trigger a workflow, or limit access to secrets. You can use concurrency to limit your CD pipeline to a maximum of one in-progress deployment and one pending deployment. For more information about these features, see "[AUTOTITLE](/actions/deployment/about-deployments/deploying-with-github-actions)" and "[AUTOTITLE](/actions/deployment/targeting-different-environments/managing-environments-for-deployment)." +{% data variables.product.prodname_actions %} provides features that give you more control over deployments. For example, you can use environments to require approval for a job to proceed, restrict which branches can trigger a workflow, or limit access to secrets. You can use concurrency to limit your CD pipeline to a maximum of one in-progress deployment and one pending deployment. For more information about these features, see [AUTOTITLE](/actions/deployment/about-deployments/deploying-with-github-actions) and [AUTOTITLE](/actions/deployment/targeting-different-environments/managing-environments-for-deployment). ## Using OpenID Connect to access cloud resources @@ -42,7 +42,7 @@ You can configure your CD workflow to run when a {% data variables.product.produ ## Further reading -* "[AUTOTITLE](/actions/use-cases-and-examples/deploying)" -* "[AUTOTITLE](/actions/deployment/about-deployments/deploying-with-github-actions)" -* "[AUTOTITLE](/actions/deployment/targeting-different-environments/managing-environments-for-deployment)"{% ifversion fpt or ghec %} -* "[AUTOTITLE](/billing/managing-billing-for-github-actions)"{% endif %} +* [AUTOTITLE](/actions/use-cases-and-examples/deploying) +* [AUTOTITLE](/actions/deployment/about-deployments/deploying-with-github-actions) +* [AUTOTITLE](/actions/deployment/targeting-different-environments/managing-environments-for-deployment){% ifversion fpt or ghec %} +* [AUTOTITLE](/billing/managing-billing-for-github-actions){% endif %} diff --git a/content/actions/about-github-actions/about-continuous-integration-with-github-actions.md b/content/actions/about-github-actions/about-continuous-integration-with-github-actions.md index 56fa016d17a1..b9703d1e018e 100644 --- a/content/actions/about-github-actions/about-continuous-integration-with-github-actions.md +++ b/content/actions/about-github-actions/about-continuous-integration-with-github-actions.md @@ -31,7 +31,7 @@ Building and testing your code requires a server. You can build and test updates ## About continuous integration using {% data variables.product.prodname_actions %} - CI using {% data variables.product.prodname_actions %} offers workflows that can build the code in your repository and run your tests. Workflows can run on {% data variables.product.prodname_dotcom %}-hosted virtual machines, or on machines that you host yourself. For more information, see "[AUTOTITLE](/actions/using-github-hosted-runners/about-github-hosted-runners)" and "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners)." + CI using {% data variables.product.prodname_actions %} offers workflows that can build the code in your repository and run your tests. Workflows can run on {% data variables.product.prodname_dotcom %}-hosted virtual machines, or on machines that you host yourself. For more information, see [AUTOTITLE](/actions/using-github-hosted-runners/about-github-hosted-runners) and [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners). You can configure your CI workflow to run when a {% data variables.product.prodname_dotcom %} event occurs (for example, when new code is pushed to your repository), on a set schedule, or when an external event occurs using the repository dispatch webhook. @@ -39,9 +39,9 @@ You can configure your CI workflow to run when a {% data variables.product.prodn When you set up CI in your repository, {% data variables.product.product_name %} analyzes the code in your repository and recommends CI workflows based on the language and framework in your repository. For example, if you use [Node.js](https://nodejs.org/en/), {% data variables.product.product_name %} will suggest a workflow template that installs your Node.js packages and runs your tests. You can use the CI workflow template suggested by {% data variables.product.product_name %}, customize the suggested workflow template, or create your own custom workflow file to run your CI tests. -In addition to helping you set up CI workflows for your project, you can use {% data variables.product.prodname_actions %} to create workflows across the full software development life cycle. For example, you can use actions to deploy, package, or release your project. For more information, see "[AUTOTITLE](/actions/learn-github-actions)." +In addition to helping you set up CI workflows for your project, you can use {% data variables.product.prodname_actions %} to create workflows across the full software development life cycle. For example, you can use actions to deploy, package, or release your project. For more information, see [AUTOTITLE](/actions/learn-github-actions). -For a definition of common terms, see "[AUTOTITLE](/actions/learn-github-actions/understanding-github-actions)." +For a definition of common terms, see [AUTOTITLE](/actions/learn-github-actions/understanding-github-actions). ## Workflow templates @@ -51,5 +51,5 @@ Browse the complete list of CI workflow templates offered by {% data variables.p ## Further reading -* "[AUTOTITLE](/actions/use-cases-and-examples/building-and-testing)"{% ifversion fpt or ghec %} -* "[AUTOTITLE](/billing/managing-billing-for-github-actions)"{% endif %} +* [AUTOTITLE](/actions/use-cases-and-examples/building-and-testing){% ifversion fpt or ghec %} +* [AUTOTITLE](/billing/managing-billing-for-github-actions){% endif %} diff --git a/content/actions/about-github-actions/understanding-github-actions.md b/content/actions/about-github-actions/understanding-github-actions.md index 0ebe9f67e911..ab293815051d 100644 --- a/content/actions/about-github-actions/understanding-github-actions.md +++ b/content/actions/about-github-actions/understanding-github-actions.md @@ -39,7 +39,7 @@ You must host your own Linux, Windows, or macOS virtual machines to run workflow {% ifversion ghec or ghes %} -For more information about introducing {% data variables.product.prodname_actions %} to your enterprise, see "[AUTOTITLE](/admin/github-actions/getting-started-with-github-actions-for-your-enterprise/introducing-github-actions-to-your-enterprise)." +For more information about introducing {% data variables.product.prodname_actions %} to your enterprise, see [AUTOTITLE](/admin/github-actions/getting-started-with-github-actions-for-your-enterprise/introducing-github-actions-to-your-enterprise). {% endif %} @@ -53,9 +53,9 @@ You can configure a {% data variables.product.prodname_actions %} **workflow** t {% data reusables.actions.about-workflows-long %} -You can reference a workflow within another workflow. For more information, see "[AUTOTITLE](/actions/using-workflows/reusing-workflows)." +You can reference a workflow within another workflow. For more information, see [AUTOTITLE](/actions/using-workflows/reusing-workflows). -For more information, see "[AUTOTITLE](/actions/using-workflows)." +For more information, see [AUTOTITLE](/actions/using-workflows). ### Events @@ -71,7 +71,7 @@ You can configure a job's dependencies with other jobs; by default, jobs have no For example, you might configure multiple build jobs for different architectures without any job dependencies and a packaging job that depends on those builds. The build jobs run in parallel, and once they complete successfully, the packaging job runs. -For more information, see "[AUTOTITLE](/actions/using-jobs)." +For more information, see [AUTOTITLE](/actions/using-jobs). ### Actions @@ -81,7 +81,7 @@ You can write your own actions, or you can find actions to use in your workflows {% data reusables.actions.internal-actions-summary %} -For more information on actions, see "[AUTOTITLE](/actions/creating-actions)." +For more information on actions, see [AUTOTITLE](/actions/creating-actions). ### Runners @@ -89,12 +89,12 @@ A **runner** is a server that runs your workflows when they're triggered. Each r {% ifversion ghes %} You must host your own runners for {% data variables.product.product_name %}. {% elsif fpt or ghec %}{% data variables.product.company_short %} provides Ubuntu Linux, Microsoft Windows, and macOS runners to run your **workflows**. Each workflow run executes in a fresh, newly-provisioned virtual machine. -{% ifversion actions-hosted-runners %} {% data variables.product.prodname_dotcom %} also offers {% data variables.actions.hosted_runner %}s, which are available in larger configurations. For more information, see "[AUTOTITLE](/actions/using-github-hosted-runners/using-larger-runners)." +{% ifversion actions-hosted-runners %} {% data variables.product.prodname_dotcom %} also offers {% data variables.actions.hosted_runner %}s, which are available in larger configurations. For more information, see [AUTOTITLE](/actions/using-github-hosted-runners/using-larger-runners). {% endif %} If you need a different operating system or require a specific hardware configuration, you can host your own runners. {% endif %} -For more information{% ifversion fpt or ghec %} about self-hosted runners{% endif %}, see "[AUTOTITLE](/actions/hosting-your-own-runners)." +For more information{% ifversion fpt or ghec %} about self-hosted runners{% endif %}, see [AUTOTITLE](/actions/hosting-your-own-runners). ## Next steps @@ -104,5 +104,5 @@ For more information{% ifversion fpt or ghec %} about self-hosted runners{% endi ## Further reading -* "[AUTOTITLE](/admin/github-actions/getting-started-with-github-actions-for-your-enterprise/about-github-actions-for-enterprises)" +* [AUTOTITLE](/admin/github-actions/getting-started-with-github-actions-for-your-enterprise/about-github-actions-for-enterprises) {% endif %} diff --git a/content/actions/administering-github-actions/sharing-workflows-secrets-and-runners-with-your-organization.md b/content/actions/administering-github-actions/sharing-workflows-secrets-and-runners-with-your-organization.md index bd5f33dff091..db9ce32b544a 100644 --- a/content/actions/administering-github-actions/sharing-workflows-secrets-and-runners-with-your-organization.md +++ b/content/actions/administering-github-actions/sharing-workflows-secrets-and-runners-with-your-organization.md @@ -40,7 +40,7 @@ Your organization can share workflows by reusing the workflows exactly or by cre ### Using workflow templates -{% data reusables.actions.workflow-organization-templates %} For more information, see "[AUTOTITLE](/actions/using-workflows/creating-starter-workflows-for-your-organization)." +{% data reusables.actions.workflow-organization-templates %} For more information, see [AUTOTITLE](/actions/using-workflows/creating-starter-workflows-for-your-organization). ## Sharing secrets and variables within an organization @@ -55,14 +55,14 @@ When creating a secret or variable in an organization, you can use a policy to l {% data reusables.actions.sidebar-secrets-and-variables %} 1. Click the **Secrets** or **Variables** tab, and create the secret or variable with your desired values and options. - For more information, see "[AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-an-organization)" or "[AUTOTITLE](/actions/learn-github-actions/variables#creating-configuration-variables-for-an-organization)." + For more information, see [AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-an-organization) or [AUTOTITLE](/actions/learn-github-actions/variables#creating-configuration-variables-for-an-organization). ## Share self-hosted runners within an organization Organization owners can add their self-hosted runners to groups, and then create policies that control which repositories can access the group. -For more information, see "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups)." +For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups). ## Next steps -To continue learning about {% data variables.product.prodname_actions %}, see "[AUTOTITLE](/actions/using-workflows/creating-starter-workflows-for-your-organization)." +To continue learning about {% data variables.product.prodname_actions %}, see [AUTOTITLE](/actions/using-workflows/creating-starter-workflows-for-your-organization). diff --git a/content/actions/administering-github-actions/usage-limits-billing-and-administration.md b/content/actions/administering-github-actions/usage-limits-billing-and-administration.md index 0c640f414040..b39687f11afd 100644 --- a/content/actions/administering-github-actions/usage-limits-billing-and-administration.md +++ b/content/actions/administering-github-actions/usage-limits-billing-and-administration.md @@ -18,12 +18,12 @@ shortTitle: Workflow billing & limits ## About billing for {% data variables.product.prodname_actions %} -{% data reusables.repositories.about-github-actions %} For more information, see "[AUTOTITLE](/actions/learn-github-actions/understanding-github-actions){% ifversion fpt %}."{% elsif ghes or ghec %}" and "[AUTOTITLE](/admin/github-actions/getting-started-with-github-actions-for-your-enterprise/about-github-actions-for-enterprises)."{% endif %} +{% data reusables.repositories.about-github-actions %} For more information, see [AUTOTITLE](/actions/learn-github-actions/understanding-github-actions){% ifversion fpt %}.{% elsif ghes or ghec %} and [AUTOTITLE](/admin/github-actions/getting-started-with-github-actions-for-your-enterprise/about-github-actions-for-enterprises).{% endif %} {% ifversion fpt or ghec %} -{% data reusables.actions.actions-billing %} For more information, see "[AUTOTITLE](/billing/managing-billing-for-github-actions/about-billing-for-github-actions)." +{% data reusables.actions.actions-billing %} For more information, see [AUTOTITLE](/billing/managing-billing-for-github-actions/about-billing-for-github-actions). {% else %} -GitHub Actions usage is free for {% data variables.product.prodname_ghe_server %} instances that use self-hosted runners. For more information, see "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners)." +GitHub Actions usage is free for {% data variables.product.prodname_ghe_server %} instances that use self-hosted runners. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners). {% endif %} {% ifversion fpt or ghec %} @@ -40,7 +40,7 @@ GitHub Actions usage is free for {% data variables.product.prodname_ghe_server % There are some limits on {% data variables.product.prodname_actions %} usage when using {% data variables.product.prodname_dotcom %}-hosted runners. These limits are subject to change. > [!NOTE] -> For self-hosted runners, different usage limits apply. For more information, see "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners#usage-limits)." +> For self-hosted runners, different usage limits apply. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners#usage-limits). * **Job execution time** - Each job in a workflow can run for up to 6 hours of execution time. If a job reaches this limit, the job is terminated and fails to complete. {% data reusables.actions.usage-workflow-run-time %} @@ -72,7 +72,7 @@ There are some limits on {% data variables.product.prodname_actions %} usage whe {% data reusables.actions.usage-workflow-queue-limits %} {% else %} -Usage limits apply to self-hosted runners. For more information, see "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners#usage-limits)." +Usage limits apply to self-hosted runners. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners#usage-limits). {% endif %} {% ifversion fpt or ghec %} @@ -86,7 +86,7 @@ In addition to the usage limits, you must ensure that you use {% data variables. ## {% data variables.product.prodname_actions %} usage metrics -Organization owners and users with the "View organization Actions metrics" permission can view {% data variables.product.prodname_actions %} usage metrics for their organization. These metrics can help you understand how and where your Actions minutes are being used. For more information, see "[AUTOTITLE](/enterprise-cloud@latest/organizations/collaborating-with-groups-in-organizations/viewing-usage-metrics-for-github-actions)." +Organization owners and users with the "View organization Actions metrics" permission can view {% data variables.product.prodname_actions %} usage metrics for their organization. These metrics can help you understand how and where your Actions minutes are being used. For more information, see [AUTOTITLE](/enterprise-cloud@latest/organizations/collaborating-with-groups-in-organizations/viewing-usage-metrics-for-github-actions). When you view usage metrics, it is important to remember that {% data reusables.actions.actions-usage-metrics-not-billing-metrics %} @@ -96,7 +96,7 @@ When you view usage metrics, it is important to remember that {% data reusables. If you reuse a workflow, billing is always associated with the caller workflow. Assignment of {% data variables.product.prodname_dotcom %}-hosted runners is always evaluated using only the caller's context. The caller cannot use {% data variables.product.prodname_dotcom %}-hosted runners from the called repository. -For more information see, "[AUTOTITLE](/actions/using-workflows/reusing-workflows)." +For more information see, [AUTOTITLE](/actions/using-workflows/reusing-workflows). ## Artifact and log retention policy @@ -106,9 +106,9 @@ You can configure the artifact and log retention period for your repository, org For more information, see: -* "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-repository)" -* "[AUTOTITLE](/organizations/managing-organization-settings/configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-organization)" -* "[AUTOTITLE](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#enforcing-a-policy-for-artifact-and-log-retention-in-your-enterprise)" +* [AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-repository) +* [AUTOTITLE](/organizations/managing-organization-settings/configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-organization) +* [AUTOTITLE](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#enforcing-a-policy-for-artifact-and-log-retention-in-your-enterprise) ## Workflow run history retention policy @@ -121,9 +121,9 @@ The workflow runs in a repository's workflow run history are retained for 400 da {% ifversion actions-cache-admin-ui %}You can also manage {% data variables.product.prodname_actions %} settings for your enterprise, such as workflow permissions and cache storage.{% endif %} For more information, see: -* "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository)" -* "[AUTOTITLE](/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization)" -* "[AUTOTITLE](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise)" +* [AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository) +* [AUTOTITLE](/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization) +* [AUTOTITLE](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise) ## Disabling and enabling workflows @@ -131,4 +131,4 @@ You can enable and disable individual workflows in your repository on {% data va {% data reusables.actions.scheduled-workflows-disabled %} -For more information, see "[AUTOTITLE](/actions/managing-workflow-runs/disabling-and-enabling-a-workflow)." +For more information, see [AUTOTITLE](/actions/managing-workflow-runs/disabling-and-enabling-a-workflow). diff --git a/content/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/about-actions-runner-controller.md b/content/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/about-actions-runner-controller.md index 19921124c34d..b64f8591bcbe 100644 --- a/content/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/about-actions-runner-controller.md +++ b/content/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/about-actions-runner-controller.md @@ -85,9 +85,9 @@ ARC consists of several custom resource definitions (CRDs). For more information * [actions.github.com/v1alpha1](https://pkg.go.dev/github.com/actions/actions-runner-controller/apis/actions.github.com/v1alpha1) * [actions.summerwind.net/v1alpha1](https://pkg.go.dev/github.com/actions/actions-runner-controller/apis/actions.summerwind.net/v1alpha1) -Because custom resources are extensions of the Kubernetes API, they won't be available in a default Kubernetes installation. You will need to install these custom resources to use ARC. For more information on installing custom resources, see "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/quickstart-for-actions-runner-controller)." +Because custom resources are extensions of the Kubernetes API, they won't be available in a default Kubernetes installation. You will need to install these custom resources to use ARC. For more information on installing custom resources, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/quickstart-for-actions-runner-controller). -Once the custom resources are installed, you can deploy ARC into your Kubernetes cluster. For information about deploying ARC, see "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/deploying-runner-scale-sets-with-actions-runner-controller)." +Once the custom resources are installed, you can deploy ARC into your Kubernetes cluster. For information about deploying ARC, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/deploying-runner-scale-sets-with-actions-runner-controller). ### About the runner container image @@ -101,7 +101,7 @@ You can find the definition of ARC's runner image in [this Dockerfile](https://g You can create your own runner image that meets your requirements. Your runner image must fulfill the following conditions. -* Use a base image that can run the self-hosted runner application. For more information, see "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners)." +* Use a base image that can run the self-hosted runner application. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners). * The [runner binary](https://github.com/actions/runner/releases) must be placed under `/home/runner/` and launched using `/home/runner/run.sh`. * If you use Kubernetes mode, the [runner container hooks](https://github.com/actions/runner-container-hooks/releases) must be placed under `/home/runner/k8s`. @@ -148,15 +148,15 @@ USER runner ## Executing workflows -After installation and configuration are complete, you can use ARC to execute workflow runs. A workflow can be created in the same repository that can target a self hosted runner created by ARC. For more information about targeting workflows to run on self-hosted runners, see "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/using-self-hosted-runners-in-a-workflow)." +After installation and configuration are complete, you can use ARC to execute workflow runs. A workflow can be created in the same repository that can target a self hosted runner created by ARC. For more information about targeting workflows to run on self-hosted runners, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/using-self-hosted-runners-in-a-workflow). ### Using ARC runners in a workflow -{% data reusables.actions.actions-runner-controller-labels %} For more information, see "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/using-actions-runner-controller-runners-in-a-workflow)." +{% data reusables.actions.actions-runner-controller-labels %} For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/using-actions-runner-controller-runners-in-a-workflow). ## Scaling runners -You can scale runners statically or dynamically depending on your needs. For more information, see "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/deploying-runner-scale-sets-with-actions-runner-controller#scaling-runners)." +You can scale runners statically or dynamically depending on your needs. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/deploying-runner-scale-sets-with-actions-runner-controller#scaling-runners). ## Software installed in the ARC runner image diff --git a/content/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/authenticating-to-the-github-api.md b/content/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/authenticating-to-the-github-api.md index 6864494b15e0..a3f3d57725ee 100644 --- a/content/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/authenticating-to-the-github-api.md +++ b/content/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/authenticating-to-the-github-api.md @@ -19,11 +19,11 @@ defaultPlatform: linux You can authenticate {% data variables.product.prodname_actions_runner_controller %} (ARC) to the {% data variables.product.prodname_dotcom %} API by using a {% data variables.product.prodname_github_app %} or by using a {% data variables.product.pat_v1 %}. > [!NOTE] -> You cannot authenticate using a {% data variables.product.prodname_github_app %} for runners at the enterprise level. For more information, see "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups#about-runner-groups)." +> You cannot authenticate using a {% data variables.product.prodname_github_app %} for runners at the enterprise level. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups#about-runner-groups). ## Authenticating ARC with a {% data variables.product.prodname_github_app %} -1. Create a {% data variables.product.prodname_github_app %} that is owned by an organization. For more information, see "[AUTOTITLE](/apps/creating-github-apps/creating-github-apps/creating-a-github-app)". Configure the {% data variables.product.prodname_github_app %} as follows. +1. Create a {% data variables.product.prodname_github_app %} that is owned by an organization. For more information, see [AUTOTITLE](/apps/creating-github-apps/creating-github-apps/creating-a-github-app). Configure the {% data variables.product.prodname_github_app %} as follows. 1. For "Homepage URL," enter `https://github.com/actions/actions-runner-controller`. @@ -59,7 +59,7 @@ ARC can use {% data variables.product.pat_v1_plural %} to register self-hosted r {% endif %} -1. Create a {% data variables.product.pat_v1 %} with the required scopes. The required scopes are different depending on whether you are registering runners at the repository{% ifversion ghec or ghes %}, organization, or enterprise{% else %} or organization{% endif %} level. For more information on how to create a {% data variables.product.pat_v1 %}, see "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token#creating-a-personal-access-token-classic)." +1. Create a {% data variables.product.pat_v1 %} with the required scopes. The required scopes are different depending on whether you are registering runners at the repository{% ifversion ghec or ghes %}, organization, or enterprise{% else %} or organization{% endif %} level. For more information on how to create a {% data variables.product.pat_v1 %}, see [AUTOTITLE](/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token#creating-a-personal-access-token-classic). The following is the list of required {% data variables.product.pat_generic %} scopes for ARC runners. * Repository runners: `repo` diff --git a/content/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/deploying-runner-scale-sets-with-actions-runner-controller.md b/content/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/deploying-runner-scale-sets-with-actions-runner-controller.md index 43b6000022aa..e77dc8107eca 100644 --- a/content/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/deploying-runner-scale-sets-with-actions-runner-controller.md +++ b/content/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/deploying-runner-scale-sets-with-actions-runner-controller.md @@ -18,13 +18,13 @@ defaultPlatform: linux Runner scale sets is a group of homogeneous runners that can be assigned jobs from {% data variables.product.prodname_actions %}. The number of active runners owned by a runner scale set can be controlled by auto-scaling runner solutions such as {% data variables.product.prodname_actions_runner_controller %} (ARC). -You can use runner groups to manage runner scale sets. Similar to self-hosted runners, you can add runner scale sets to existing runner groups. However, runner scale sets can belong to only one runner group at a time and can only have one label assigned to them. For more information on runner groups, see "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups)." +You can use runner groups to manage runner scale sets. Similar to self-hosted runners, you can add runner scale sets to existing runner groups. However, runner scale sets can belong to only one runner group at a time and can only have one label assigned to them. For more information on runner groups, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups). -To assign jobs to a runner scale set, you must configure your workflow to reference the runner scale set's name. For more information, see "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/using-actions-runner-controller-runners-in-a-workflow)." +To assign jobs to a runner scale set, you must configure your workflow to reference the runner scale set's name. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/using-actions-runner-controller-runners-in-a-workflow). ## Deploying a runner scale set -To deploy a runner scale set, you must have ARC up and running. For more information, see "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/quickstart-for-actions-runner-controller)." +To deploy a runner scale set, you must have ARC up and running. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/quickstart-for-actions-runner-controller). You can deploy runner scale sets with ARC's Helm charts or by deploying the necessary manifests. Using ARC's Helm charts is the preferred method, especially if you do not have prior experience using ARC. @@ -105,7 +105,7 @@ You can deploy runner scale sets with ARC's Helm charts or by deploying the nece arc-runner-set-754b578d-listener 1/1 Running 0 12s ``` -If your installation was not successful, see "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/troubleshooting-actions-runner-controller-errors)" for troubleshooting information. +If your installation was not successful, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/troubleshooting-actions-runner-controller-errors) for troubleshooting information. ## Using advanced configuration options @@ -159,7 +159,7 @@ githubConfigUrl: "http(s):///<'enterprises/your_enterprise'/'org'/'org ### Using a {% data variables.product.prodname_github_app %} for authentication -If you are not using enterprise-level runners, you can use {% data variables.product.prodname_github_apps %} to authenticate with the {% data variables.product.company_short %} API. For more information, see "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/authenticating-to-the-github-api)." +If you are not using enterprise-level runners, you can use {% data variables.product.prodname_github_apps %} to authenticate with the {% data variables.product.company_short %} API. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/authenticating-to-the-github-api). > [!NOTE] > Given the security risk associated with exposing your private key in plain text in a file on disk, we recommend creating a Kubernetes secret and passing the reference instead. @@ -210,7 +210,7 @@ githubConfigSecret: ### Managing access with runner groups -You can use runner groups to control which organizations or repositories have access to your runner scale sets. For more information on runner groups, see "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups)." +You can use runner groups to control which organizations or repositories have access to your runner scale sets. For more information on runner groups, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups). To add a runner scale set to a runner group, you must already have a runner group created. Then set the `runnerGroup` property in your copy of the `values.yaml` file. The following example adds a runner scale set to the Octo-Group runner group. @@ -444,15 +444,15 @@ listenerTemplate: If you are using container jobs and services or container actions, the `containerMode` value must be set to `dind` or `kubernetes`. -* For more information on container jobs and services, see "[AUTOTITLE](/actions/using-jobs/running-jobs-in-a-container)." -* For more information on container actions, see "[AUTOTITLE](/actions/creating-actions/creating-a-docker-container-action)." +* For more information on container jobs and services, see [AUTOTITLE](/actions/using-jobs/running-jobs-in-a-container). +* For more information on container actions, see [AUTOTITLE](/actions/creating-actions/creating-a-docker-container-action). ### Using Docker-in-Docker mode > [!NOTE] > The Docker-in-Docker container requires privileged mode. For more information, see [Configure a Security Context for a Pod or Container](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) in the Kubernetes documentation. > -> By default, the `dind` container uses the `docker:dind` image, which runs the Docker daemon as root. You can replace this image with `docker:dind-rootless` as long as you are aware of the [known limitations](https://docs.docker.com/engine/security/rootless/#known-limitations) and run the pods with `--privileged` mode. To learn how to customize the Docker-in-Docker configuration, see "[Customizing container modes](/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/deploying-runner-scale-sets-with-actions-runner-controller#customizing-container-modes)." +> By default, the `dind` container uses the `docker:dind` image, which runs the Docker daemon as root. You can replace this image with `docker:dind-rootless` as long as you are aware of the [known limitations](https://docs.docker.com/engine/security/rootless/#known-limitations) and run the pods with `--privileged` mode. To learn how to customize the Docker-in-Docker configuration, see [Customizing container modes](/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/deploying-runner-scale-sets-with-actions-runner-controller#customizing-container-modes). Docker-in-Docker mode is a configuration that allows you to run Docker inside a Docker container. In this configuration, for each runner pod created, ARC creates the following containers. @@ -806,7 +806,7 @@ As of ARC version 0.4.0, runner-container-hooks support hook extensions. You can There are two options to configure hook extensions. -* Store in your **custom runner image**. You can store the PodSpec in a YAML file anywhere in your custom runner image. For more information, see "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/about-actions-runner-controller#creating-your-own-runner-image)." +* Store in your **custom runner image**. You can store the PodSpec in a YAML file anywhere in your custom runner image. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/about-actions-runner-controller#creating-your-own-runner-image). * Store in a **ConfigMap**. You can create a config map with the PodSpec and mount that config map in the runner container. For more information, see [ConfigMaps](https://kubernetes.io/docs/concepts/configuration/configmap/) in the Kubernetes documentation. > [!NOTE] @@ -905,16 +905,16 @@ The following table shows the metrics emitted by the controller-manager and list ## Using ARC with {% data variables.product.prodname_dependabot %} and {% data variables.product.prodname_code_scanning %} -You can use {% data variables.product.prodname_actions_runner_controller %} to create dedicated runners for your {% data variables.product.prodname_ghe_server %} instance that {% data variables.product.prodname_dependabot %} can use to help secure and maintain the dependencies used in repositories on your enterprise. For more information, see "[AUTOTITLE](/admin/github-actions/enabling-github-actions-for-github-enterprise-server/managing-self-hosted-runners-for-dependabot-updates#system-requirements-for-dependabot-runners)." +You can use {% data variables.product.prodname_actions_runner_controller %} to create dedicated runners for your {% data variables.product.prodname_ghe_server %} instance that {% data variables.product.prodname_dependabot %} can use to help secure and maintain the dependencies used in repositories on your enterprise. For more information, see [AUTOTITLE](/admin/github-actions/enabling-github-actions-for-github-enterprise-server/managing-self-hosted-runners-for-dependabot-updates#system-requirements-for-dependabot-runners). -You can also use ARC with {% data variables.product.prodname_codeql %} to identify vulnerabilities and errors in your code. For more information, see "[AUTOTITLE](/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning-with-codeql)." If you're already using {% data variables.product.prodname_code_scanning %} and want to configure a runner scale set to use default setup, set `INSTALLATION_NAME=code-scanning`. For more information about {% data variables.product.prodname_code_scanning %} default setup, see "[AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning)." +You can also use ARC with {% data variables.product.prodname_codeql %} to identify vulnerabilities and errors in your code. For more information, see [AUTOTITLE](/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning-with-codeql). If you're already using {% data variables.product.prodname_code_scanning %} and want to configure a runner scale set to use default setup, set `INSTALLATION_NAME=code-scanning`. For more information about {% data variables.product.prodname_code_scanning %} default setup, see [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning). {% data variables.product.prodname_actions_runner_controller %} does not use multiple labels to route jobs to specific runner scale sets. Instead, to designate a runner scale set for {% data variables.product.prodname_dependabot %} updates or {% data variables.product.prodname_code_scanning %} with {% data variables.product.prodname_codeql %}, use a descriptive installation name in your Helm chart, such as `dependabot` or `code-scanning`. You can then set the `runs-on` value in your workflows to the installation name as the single label, and use the designated runner scale set for {% data variables.product.prodname_dependabot %} updates or {% data variables.product.prodname_code_scanning %} jobs. -If you're using default setup for {% data variables.product.prodname_code_scanning %}, the analysis will automatically look for a runner scale set with the installation name `code-scanning` {% ifversion code-scanning-default-setup-customize-labels %} but you can specify a custom name in the configuration, so that individual repositories can use different runner scale sets. See "[AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning#assigning-labels-to-runners){% endif %}. +If you're using default setup for {% data variables.product.prodname_code_scanning %}, the analysis will automatically look for a runner scale set with the installation name `code-scanning` {% ifversion code-scanning-default-setup-customize-labels %} but you can specify a custom name in the configuration, so that individual repositories can use different runner scale sets. See [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning#assigning-labels-to-runners){% endif %}. > [!NOTE] -> The [Dependabot Action](https://github.com/github/dependabot-action) is used to run {% data variables.product.prodname_dependabot %} updates via {% data variables.product.prodname_actions %}. This action requires Docker as a dependency. For this reason, you can only use {% data variables.product.prodname_actions_runner_controller %} with {% data variables.product.prodname_dependabot %} when Docker-in-Docker (DinD) mode is enabled. For more information, see "[AUTOTITLE](/admin/github-actions/enabling-github-actions-for-github-enterprise-server/managing-self-hosted-runners-for-dependabot-updates#system-requirements-for-dependabot-runners)" and "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/deploying-runner-scale-sets-with-actions-runner-controller#using-docker-in-docker-or-kubernetes-mode-for-containers)." +> The [Dependabot Action](https://github.com/github/dependabot-action) is used to run {% data variables.product.prodname_dependabot %} updates via {% data variables.product.prodname_actions %}. This action requires Docker as a dependency. For this reason, you can only use {% data variables.product.prodname_actions_runner_controller %} with {% data variables.product.prodname_dependabot %} when Docker-in-Docker (DinD) mode is enabled. For more information, see [AUTOTITLE](/admin/github-actions/enabling-github-actions-for-github-enterprise-server/managing-self-hosted-runners-for-dependabot-updates#system-requirements-for-dependabot-runners) and [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/deploying-runner-scale-sets-with-actions-runner-controller#using-docker-in-docker-or-kubernetes-mode-for-containers). {% endif %} @@ -928,9 +928,9 @@ Because there is no support for upgrading or deleting CRDs with Helm, it is not 1. If there is a change in CRDs from the version you currently have installed, to the upgraded version, remove all CRDs associated with `actions.github.com` API group. 1. Reinstall ARC again. -For more information, see "[Deploying a runner scale set](/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/deploying-runner-scale-sets-with-actions-runner-controller#deploying-a-runner-scale-set)." +For more information, see [Deploying a runner scale set](/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/deploying-runner-scale-sets-with-actions-runner-controller#deploying-a-runner-scale-set). -If you would like to upgrade ARC but are concerned about downtime, you can deploy ARC in a high availability configuration to ensure runners are always available. For more information, see "[High availability and automatic failover](/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/deploying-runner-scale-sets-with-actions-runner-controller#high-availability-and-automatic-failover)." +If you would like to upgrade ARC but are concerned about downtime, you can deploy ARC in a high availability configuration to ensure runners are always available. For more information, see [High availability and automatic failover](/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/deploying-runner-scale-sets-with-actions-runner-controller#high-availability-and-automatic-failover). > [!NOTE] > Transitioning from the [community supported version of ARC](https://github.com/actions/actions-runner-controller/discussions/2775) to the GitHub supported version is a substantial architectural change. The GitHub supported version involves a redesign of many components of ARC. It is not a minor software upgrade. For these reasons, we recommend testing the new versions in a staging environment that matches your production environment first. This will ensure stability and reliability of the setup before deploying in production. @@ -949,7 +949,7 @@ You can test features before they are released by using canary releases of the c ## High availability and automatic failover -ARC can be deployed in a high availability (active-active) configuration. If you have two distinct Kubernetes clusters deployed in separate regions, you can deploy ARC in both clusters and configure runner scale sets to use the same `runnerScaleSetName`. In order to do this, each runner scale set must be assigned to a distinct runner group. For example, you can have two runner scale sets each named `arc-runner-set`, as long as one runner scale set belongs to `runner-group-A` and the other runner scale set belongs to `runner-group-B`. For information on assigning runner scale sets to runner groups, see "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups)." +ARC can be deployed in a high availability (active-active) configuration. If you have two distinct Kubernetes clusters deployed in separate regions, you can deploy ARC in both clusters and configure runner scale sets to use the same `runnerScaleSetName`. In order to do this, each runner scale set must be assigned to a distinct runner group. For example, you can have two runner scale sets each named `arc-runner-set`, as long as one runner scale set belongs to `runner-group-A` and the other runner scale set belongs to `runner-group-B`. For information on assigning runner scale sets to runner groups, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups). If both runner scale sets are online, jobs assigned to them will be distributed arbitrarily (assignment race). You cannot configure the job assignment algorithm. If one of the clusters goes down, the runner scale set in the other cluster will continue to acquire jobs normally without any intervention or configuration change. diff --git a/content/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/quickstart-for-actions-runner-controller.md b/content/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/quickstart-for-actions-runner-controller.md index b3a39c0101df..6e72e00fbb4a 100644 --- a/content/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/quickstart-for-actions-runner-controller.md +++ b/content/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/quickstart-for-actions-runner-controller.md @@ -18,7 +18,7 @@ defaultPlatform: linux {% data reusables.actions.actions-runner-controller-about-arc %} -You can set up ARC on Kubernetes using Helm, then create and run a workflow that uses runner scale sets. For more information about runner scale sets, see "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/deploying-runner-scale-sets-with-actions-runner-controller#runner-scale-set)." +You can set up ARC on Kubernetes using Helm, then create and run a workflow that uses runner scale sets. For more information about runner scale sets, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/deploying-runner-scale-sets-with-actions-runner-controller#runner-scale-set). ## Prerequisites @@ -61,14 +61,14 @@ In order to use ARC, ensure you have the following. When you run the command, keep the following in mind. - * Update the `INSTALLATION_NAME` value carefully. You will use the installation name as the value of `runs-on` in your workflows. For more information, see "[AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idruns-on)." + * Update the `INSTALLATION_NAME` value carefully. You will use the installation name as the value of `runs-on` in your workflows. For more information, see [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idruns-on). * Update the `NAMESPACE` value to the location you want the runner pods to be created. * Set `GITHUB_CONFIG_URL` to the URL of your repository, organization, or enterprise. This is the entity that the runners will belong to. * This example command installs the latest version of the Helm chart. To install a specific version, you can pass the `--version` argument with the version of the chart you wish to install. You can find the list of releases in the [GitHub Container Registry](https://github.com/actions/actions-runner-controller/pkgs/container/actions-runner-controller-charts%2Fgha-runner-scale-set). > [!NOTE] > * {% data reusables.actions.actions-runner-controller-security-practices-namespace %} - > * {% data reusables.actions.actions-runner-controller-security-practices-secret %} For more information, see "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/deploying-runner-scale-sets-with-actions-runner-controller)." + > * {% data reusables.actions.actions-runner-controller-security-practices-secret %} For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/deploying-runner-scale-sets-with-actions-runner-controller). ```bash copy INSTALLATION_NAME="arc-runner-set" @@ -113,7 +113,7 @@ In order to use ARC, ensure you have the following. arc-runner-set-754b578d-listener 1/1 Running 0 12s ``` -If your installation was not successful, see "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/troubleshooting-actions-runner-controller-errors)" for troubleshooting information. +If your installation was not successful, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/troubleshooting-actions-runner-controller-errors) for troubleshooting information. ## Using runner scale sets @@ -121,7 +121,7 @@ Now you will create and run a simple test workflow that uses the runner scale se 1. In a repository, create a workflow similar to the following example. The `runs-on` value should match the Helm installation name you used when you installed the autoscaling runner set. - For more information on adding workflows to a repository, see "[AUTOTITLE](/actions/quickstart#creating-your-first-workflow)." + For more information on adding workflows to a repository, see [AUTOTITLE](/actions/quickstart#creating-your-first-workflow). ```yaml copy name: Actions Runner Controller Demo @@ -136,7 +136,7 @@ Now you will create and run a simple test workflow that uses the runner scale se - run: echo "🎉 This job uses runner scale set runners!" ``` -1. Once you've added the workflow to your repository, manually trigger the workflow. For more information, see "[AUTOTITLE](/actions/managing-workflow-runs/manually-running-a-workflow)." +1. Once you've added the workflow to your repository, manually trigger the workflow. For more information, see [AUTOTITLE](/actions/managing-workflow-runs/manually-running-a-workflow). 1. To view the runner pods being created while the workflow is running, run the following command from your terminal. @@ -155,9 +155,9 @@ Now you will create and run a simple test workflow that uses the runner scale se {% data variables.product.prodname_actions_runner_controller %} can help you efficiently manage your {% data variables.product.prodname_actions %} runners. Ready to get started? Here are some helpful resources for taking your next steps with ARC: -* For detailed authentication information, see "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/authenticating-to-the-github-api)." -* For help using ARC runners in your workflows, see "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/using-actions-runner-controller-runners-in-a-workflow)." -* For deployment information, see "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/deploying-runner-scale-sets-with-actions-runner-controller)." +* For detailed authentication information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/authenticating-to-the-github-api). +* For help using ARC runners in your workflows, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/using-actions-runner-controller-runners-in-a-workflow). +* For deployment information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/deploying-runner-scale-sets-with-actions-runner-controller). ## Legal notice diff --git a/content/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/troubleshooting-actions-runner-controller-errors.md b/content/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/troubleshooting-actions-runner-controller-errors.md index d72a454b71e9..ccda03994781 100644 --- a/content/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/troubleshooting-actions-runner-controller-errors.md +++ b/content/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/troubleshooting-actions-runner-controller-errors.md @@ -86,7 +86,7 @@ If the controller pod is running, but the listener pod is not, inspect the logs If you have a proxy configured or you're using a sidecar proxy that's automatically injected, such as [Istio](https://istio.io/), ensure it's configured to allow traffic from the controller container (manager) to the Kubernetes API server. -If you have installed the autoscaling runner set, but the listener pod is not created, verify that the `githubConfigSecret` you provided is correct and that the `githubConfigUrl` you provided is accurate. See "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/authenticating-to-the-github-api)" and "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/deploying-runner-scale-sets-with-actions-runner-controller)" for more information. +If you have installed the autoscaling runner set, but the listener pod is not created, verify that the `githubConfigSecret` you provided is correct and that the `githubConfigUrl` you provided is accurate. See [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/authenticating-to-the-github-api) and [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/deploying-runner-scale-sets-with-actions-runner-controller) for more information. ## Runner pods are recreated after a canceled workflow run diff --git a/content/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/using-actions-runner-controller-runners-in-a-workflow.md b/content/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/using-actions-runner-controller-runners-in-a-workflow.md index c189e93f7c59..4bdf95cb3213 100644 --- a/content/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/using-actions-runner-controller-runners-in-a-workflow.md +++ b/content/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/using-actions-runner-controller-runners-in-a-workflow.md @@ -44,9 +44,9 @@ jobs: ## Using runner scale set names -Runner scale set names are unique within the runner group they belong to. To deploy multiple runner scale sets with the same name, they must belong to different runner groups. For more information about specifying runner scale set names, see "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/deploying-runner-scale-sets-with-actions-runner-controller)." +Runner scale set names are unique within the runner group they belong to. To deploy multiple runner scale sets with the same name, they must belong to different runner groups. For more information about specifying runner scale set names, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/deploying-runner-scale-sets-with-actions-runner-controller). -{% data reusables.actions.actions-runner-controller-labels %} For more information, see "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/deploying-runner-scale-sets-with-actions-runner-controller#scaling-runners)." +{% data reusables.actions.actions-runner-controller-labels %} For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/deploying-runner-scale-sets-with-actions-runner-controller#scaling-runners). ## Legal notice diff --git a/content/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners.md b/content/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners.md index f4bea918f6e3..fa7530f9d7c7 100644 --- a/content/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners.md +++ b/content/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners.md @@ -16,7 +16,7 @@ type: overview ## About self-hosted runners -A self-hosted runner is a system that you deploy and manage to execute jobs from {% data variables.product.prodname_actions %} on {% data variables.product.product_name %}. For more information about {% data variables.product.prodname_actions %}, see "[AUTOTITLE](/actions/learn-github-actions/understanding-github-actions){% ifversion fpt %}."{% elsif ghec or ghes %}" and "[AUTOTITLE](/admin/github-actions/getting-started-with-github-actions-for-your-enterprise/about-github-actions-for-enterprises)."{% endif %} +A self-hosted runner is a system that you deploy and manage to execute jobs from {% data variables.product.prodname_actions %} on {% data variables.product.product_name %}. For more information about {% data variables.product.prodname_actions %}, see [AUTOTITLE](/actions/learn-github-actions/understanding-github-actions){% ifversion fpt %}."{% elsif ghec or ghes %} and [AUTOTITLE](/admin/github-actions/getting-started-with-github-actions-for-your-enterprise/about-github-actions-for-enterprises).{% endif %} {% data reusables.actions.self-hosted-runner-description %} {% data reusables.actions.self-hosted-runner-locations %} @@ -35,7 +35,7 @@ You can add self-hosted runners at various levels in the management hierarchy: {% data reusables.actions.self-hosted-runner-auto-removal %} -For more information about installing and using self-hosted runners, see "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/adding-self-hosted-runners)" and "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/using-self-hosted-runners-in-a-workflow)." +For more information about installing and using self-hosted runners, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/adding-self-hosted-runners) and [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/using-self-hosted-runners-in-a-workflow). ## Differences between {% data variables.product.prodname_dotcom %}-hosted and self-hosted runners @@ -48,25 +48,25 @@ For more information about installing and using self-hosted runners, see "[AUTOT * Use free minutes on your {% data variables.product.prodname_dotcom %} plan, with per-minute rates applied after surpassing the free minutes. **Self-hosted runners:** -* Receive automatic updates for the self-hosted runner application only, though you may disable automatic updates of the runner. For more information about controlling runner software updates on self-hosted runners, see "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/autoscaling-with-self-hosted-runners#controlling-runner-software-updates-on-self-hosted-runners)." You are responsible for updating the operating system and all other software. +* Receive automatic updates for the self-hosted runner application only, though you may disable automatic updates of the runner. For more information about controlling runner software updates on self-hosted runners, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/autoscaling-with-self-hosted-runners#controlling-runner-software-updates-on-self-hosted-runners). You are responsible for updating the operating system and all other software. * Can use cloud services or local machines that you already pay for. * Are customizable to your hardware, operating system, software, and security requirements. * Don't need to have a clean instance for every job execution. * Are free to use with {% data variables.product.prodname_actions %}, but you are responsible for the cost of maintaining your runner machines.{% ifversion ghec or ghes %} -* Can be organized into groups to restrict access to specific {% ifversion restrict-groups-to-workflows %}workflows, {% endif %}organizations and repositories. For more information, see "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups)."{% endif %} +* Can be organized into groups to restrict access to specific {% ifversion restrict-groups-to-workflows %}workflows, {% endif %}organizations and repositories. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups).{% endif %} ## Requirements for self-hosted runner machines You can use any machine as a self-hosted runner as long at it meets these requirements: -* You can install and run the self-hosted runner application on the machine. For more information, see "[Supported architectures and operating systems for self-hosted runners](#supported-architectures-and-operating-systems-for-self-hosted-runners)." -* The machine can communicate with {% data variables.product.prodname_actions %}. For more information, see "[Communication between self-hosted runners and {% data variables.product.product_name %}](#communication-requirements)." +* You can install and run the self-hosted runner application on the machine. For more information, see [Supported architectures and operating systems for self-hosted runners](#supported-architectures-and-operating-systems-for-self-hosted-runners). +* The machine can communicate with {% data variables.product.prodname_actions %}. For more information, see [Communication between self-hosted runners and {% data variables.product.product_name %}](#communication-requirements). * The machine has enough hardware resources for the type of workflows you plan to run. The self-hosted runner application itself only requires minimal resources. * If you want to run workflows that use Docker container actions or service containers, you must use a Linux machine and Docker must be installed. ## Autoscaling your self-hosted runners -You can automatically increase or decrease the number of self-hosted runners in your environment in response to the webhook events you receive. For more information, see "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/autoscaling-with-self-hosted-runners)." +You can automatically increase or decrease the number of self-hosted runners in your environment in response to the webhook events you receive. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/autoscaling-with-self-hosted-runners). ## Usage limits @@ -124,7 +124,7 @@ The following processor architectures are supported for the self-hosted runner a ## Supported actions on self-hosted runners -Some extra configuration might be required to use actions from {% data variables.product.github %} with {% data variables.product.prodname_ghe_server %}, or to use the `actions/setup-LANGUAGE` actions with self-hosted runners that do not have internet access. For more information, see "[AUTOTITLE](/admin/github-actions/managing-access-to-actions-from-githubcom)" and contact your {% data variables.product.prodname_enterprise %} site administrator. +Some extra configuration might be required to use actions from {% data variables.product.github %} with {% data variables.product.prodname_ghe_server %}, or to use the `actions/setup-LANGUAGE` actions with self-hosted runners that do not have internet access. For more information, see [AUTOTITLE](/admin/github-actions/managing-access-to-actions-from-githubcom) and contact your {% data variables.product.prodname_enterprise %} site administrator. {% endif %} @@ -153,7 +153,7 @@ For caching to work, the runner must be able to communicate with the blob storag You must ensure that the machine has the appropriate network access with at least 70 kilobits per second upload and download speed to communicate with the {% data variables.product.prodname_dotcom %} hosts listed below. Some hosts are required for essential runner operations, while other hosts are only required for certain functionality. -You can use the REST API to get meta information about {% data variables.product.company_short %}, including the IP addresses of {% data variables.product.company_short %} services. For more information about the domains and IP addresses used, see "[AUTOTITLE](/rest/meta/meta)." +You can use the REST API to get meta information about {% data variables.product.company_short %}, including the IP addresses of {% data variables.product.company_short %} services. For more information about the domains and IP addresses used, see [AUTOTITLE](/rest/meta/meta). {% data reusables.actions.domain-name-cname-recursive-firewall-rules %} @@ -169,15 +169,15 @@ If you use an IP address allow list for your {% data variables.product.prodname_ {% endif %} -You can also use self-hosted runners with a proxy server. For more information, see "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/using-a-proxy-server-with-self-hosted-runners)." +You can also use self-hosted runners with a proxy server. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/using-a-proxy-server-with-self-hosted-runners). -For more information about troubleshooting common network connectivity issues, see "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners#troubleshooting-network-connectivity)." +For more information about troubleshooting common network connectivity issues, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners#troubleshooting-network-connectivity). {% ifversion ghes %} ## Communication between self-hosted runners and {% data variables.product.prodname_dotcom_the_website %} -Self-hosted runners do not need to connect to {% data variables.product.prodname_dotcom_the_website %} unless you have enabled automatic access to {% data variables.product.prodname_dotcom_the_website %} actions for {% data variables.product.prodname_ghe_server %}. For more information, see "[AUTOTITLE](/admin/github-actions/managing-access-to-actions-from-githubcom/about-using-actions-in-your-enterprise)." +Self-hosted runners do not need to connect to {% data variables.product.prodname_dotcom_the_website %} unless you have enabled automatic access to {% data variables.product.prodname_dotcom_the_website %} actions for {% data variables.product.prodname_ghe_server %}. For more information, see [AUTOTITLE](/admin/github-actions/managing-access-to-actions-from-githubcom/about-using-actions-in-your-enterprise). If you have enabled automatic access to {% data variables.product.prodname_dotcom_the_website %} actions, then the self-hosted runner will connect directly to {% data variables.product.prodname_dotcom_the_website %} to download actions. You must ensure that the machine has the appropriate network access to communicate with the {% data variables.product.prodname_dotcom %} URLs listed below. @@ -214,7 +214,7 @@ Untrusted workflows running on your self-hosted runner pose significant security * Exposing access to the machine's network environment. * Persisting unwanted or dangerous data on the machine. -For more information about security hardening for self-hosted runners, see "[AUTOTITLE](/actions/security-guides/security-hardening-for-github-actions#hardening-for-self-hosted-runners)." +For more information about security hardening for self-hosted runners, see [AUTOTITLE](/actions/security-guides/security-hardening-for-github-actions#hardening-for-self-hosted-runners). ### Restricting the use of self-hosted runners @@ -224,6 +224,6 @@ For more information about security hardening for self-hosted runners, see "[AUT ## Further reading -* "[AUTOTITLE](/admin/github-actions/getting-started-with-github-actions-for-your-enterprise/getting-started-with-self-hosted-runners-for-your-enterprise)" +* [AUTOTITLE](/admin/github-actions/getting-started-with-github-actions-for-your-enterprise/getting-started-with-self-hosted-runners-for-your-enterprise) {% endif %} diff --git a/content/actions/hosting-your-own-runners/managing-self-hosted-runners/adding-self-hosted-runners.md b/content/actions/hosting-your-own-runners/managing-self-hosted-runners/adding-self-hosted-runners.md index 7ee1b2a0df0a..f3be54b66527 100644 --- a/content/actions/hosting-your-own-runners/managing-self-hosted-runners/adding-self-hosted-runners.md +++ b/content/actions/hosting-your-own-runners/managing-self-hosted-runners/adding-self-hosted-runners.md @@ -19,18 +19,18 @@ You can add a self-hosted runner to a repository, an organization, or an enterpr If you are an organization or enterprise administrator, you might want to add your self-hosted runners at the organization or enterprise level. This approach makes the runner available to multiple repositories in your organization or enterprise, and also lets you to manage your runners in one place. -For information on supported operating systems for self-hosted runners, or using self-hosted runners with a proxy server, see "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners)." +For information on supported operating systems for self-hosted runners, or using self-hosted runners with a proxy server, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners). > [!WARNING] > {% data reusables.actions.self-hosted-runner-security %} > -> For more information, see "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners#self-hosted-runner-security-with-public-repositories)." +> For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners#self-hosted-runner-security-with-public-repositories). -You can set up automation to scale the number of self-hosted runners. For more information, see "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/autoscaling-with-self-hosted-runners)." +You can set up automation to scale the number of self-hosted runners. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/autoscaling-with-self-hosted-runners). {% ifversion actions-single-use-tokens %} -You can register ephemeral runners that perform a single job before the registration is cleaned up by using just-in-time runner registration. For more information, see "[AUTOTITLE](/actions/security-guides/security-hardening-for-github-actions#using-just-in-time-runners)." +You can register ephemeral runners that perform a single job before the registration is cleaned up by using just-in-time runner registration. For more information, see [AUTOTITLE](/actions/security-guides/security-hardening-for-github-actions#using-just-in-time-runners). {% endif %} @@ -42,9 +42,9 @@ You can register ephemeral runners that perform a single job before the registra You can add self-hosted runners to a single repository. To add a self-hosted runner to a user repository, you must be the repository owner. For an organization repository, {% ifversion custom-org-roles %}you must be an organization owner, have admin access to the repository, or have the “Manage organization runners and runner groups” permission.{% else %}you must be an organization owner or have admin access to the repository.{% endif %} -{% ifversion custom-org-roles %}For more information about custom organization roles, see "[AUTOTITLE](/organizations/managing-peoples-access-to-your-organization-with-roles/about-custom-organization-roles)."{% endif %} +{% ifversion custom-org-roles %}For more information about custom organization roles, see [AUTOTITLE](/organizations/managing-peoples-access-to-your-organization-with-roles/about-custom-organization-roles).{% endif %} -For information about how to add a self-hosted runner with the REST API, see "[AUTOTITLE](/rest/actions/self-hosted-runners)." +For information about how to add a self-hosted runner with the REST API, see [AUTOTITLE](/rest/actions/self-hosted-runners). > [!NOTE] > {% data reusables.actions.disable-selfhosted-runners-crossrefs %} @@ -56,13 +56,13 @@ For information about how to add a self-hosted runner with the REST API, see "[A {% data reusables.actions.self-hosted-runner-configure %} {% data reusables.actions.self-hosted-runner-check-installation-success %} -For more information, see "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners)." +For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners). ## Adding a self-hosted runner to an organization -You can add self-hosted runners at the organization level, where they can be used to process jobs for multiple repositories in an organization. To add a self-hosted runner to an organization, you must be an organization owner{% ifversion custom-org-roles %} or have the "Manage organization runners and runner groups" permission{% endif %}. For information about how to add a self-hosted runner with the REST API, see "[AUTOTITLE](/rest/actions/self-hosted-runners)." +You can add self-hosted runners at the organization level, where they can be used to process jobs for multiple repositories in an organization. To add a self-hosted runner to an organization, you must be an organization owner{% ifversion custom-org-roles %} or have the "Manage organization runners and runner groups" permission{% endif %}. For information about how to add a self-hosted runner with the REST API, see [AUTOTITLE](/rest/actions/self-hosted-runners). -{% ifversion custom-org-roles %}For more information about custom organization roles, see "[AUTOTITLE](/organizations/managing-peoples-access-to-your-organization-with-roles/about-custom-organization-roles)."{% endif %} +{% ifversion custom-org-roles %}For more information about custom organization roles, see [AUTOTITLE](/organizations/managing-peoples-access-to-your-organization-with-roles/about-custom-organization-roles).{% endif %} {% data reusables.organizations.navigate-to-org %} {% data reusables.organizations.org_settings %} @@ -71,7 +71,7 @@ You can add self-hosted runners at the organization level, where they can be use {% data reusables.actions.self-hosted-runner-configure %} {% data reusables.actions.self-hosted-runner-check-installation-success %} -For more information, see "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners)." +For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners). {% data reusables.actions.self-hosted-runner-public-repo-access %} @@ -80,7 +80,7 @@ For more information, see "[AUTOTITLE](/actions/hosting-your-own-runners/managin {% ifversion fpt %}If you use {% data variables.product.prodname_ghe_cloud %}, you{% elsif ghec or ghes %}You{% endif %} can add self-hosted runners to an enterprise, where they can be assigned to multiple organizations. The organization owner can control which repositories can use it. {% ifversion fpt %}For more information, see the [{% data variables.product.prodname_ghe_cloud %} documentation](/enterprise-cloud@latest/actions/hosting-your-own-runners/managing-self-hosted-runners/adding-self-hosted-runners#adding-a-self-hosted-runner-to-an-enterprise).{% endif %} {% ifversion ghec or ghes %} -New runners are assigned to the default group. You can modify the runner's group after you've registered the runner. For more information, see "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups#moving-a-self-hosted-runner-to-a-group)." +New runners are assigned to the default group. You can modify the runner's group after you've registered the runner. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups#moving-a-self-hosted-runner-to-a-group). {% ifversion ghec or ghes %} @@ -92,7 +92,7 @@ To add a self-hosted runner to an enterprise, you must be an enterprise owner. F {% data reusables.actions.self-hosted-runner-check-installation-success %} -For more information, see "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners)." +For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners). {% data reusables.actions.self-hosted-runner-public-repo-access %} @@ -102,13 +102,13 @@ By default, runners in an enterprise's "Default" self-hosted runner group are av To make an enterprise-level self-hosted runner group available to an organization repository, you might need to change the organization's inherited settings for the runner group to make the runner available to repositories in the organization. -For more information on changing runner group access settings, see "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups#changing-the-access-policy-of-a-self-hosted-runner-group)." +For more information on changing runner group access settings, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups#changing-the-access-policy-of-a-self-hosted-runner-group). {% endif %} {% ifversion ghec or ghes %} ## Further reading -* "[AUTOTITLE](/admin/github-actions/getting-started-with-github-actions-for-your-enterprise/getting-started-with-self-hosted-runners-for-your-enterprise)" +* [AUTOTITLE](/admin/github-actions/getting-started-with-github-actions-for-your-enterprise/getting-started-with-self-hosted-runners-for-your-enterprise) {% endif %} diff --git a/content/actions/hosting-your-own-runners/managing-self-hosted-runners/autoscaling-with-self-hosted-runners.md b/content/actions/hosting-your-own-runners/managing-self-hosted-runners/autoscaling-with-self-hosted-runners.md index 07379ef4f219..930cb48970da 100644 --- a/content/actions/hosting-your-own-runners/managing-self-hosted-runners/autoscaling-with-self-hosted-runners.md +++ b/content/actions/hosting-your-own-runners/managing-self-hosted-runners/autoscaling-with-self-hosted-runners.md @@ -21,13 +21,13 @@ You can automatically increase or decrease the number of self-hosted runners in {% ifversion fpt or ghec %} -{% data variables.product.prodname_dotcom %}-hosted runners inherently autoscale based on your needs. {% data variables.product.prodname_dotcom %}-hosted runners can be a low-maintenance and cost-effective alternative to developing or implementing autoscaling solutions. For more information, see "[AUTOTITLE](/actions/using-github-hosted-runners/about-github-hosted-runners/about-github-hosted-runners)." +{% data variables.product.prodname_dotcom %}-hosted runners inherently autoscale based on your needs. {% data variables.product.prodname_dotcom %}-hosted runners can be a low-maintenance and cost-effective alternative to developing or implementing autoscaling solutions. For more information, see [AUTOTITLE](/actions/using-github-hosted-runners/about-github-hosted-runners/about-github-hosted-runners). {% endif %} The [actions/actions-runner-controller](https://github.com/actions/actions-runner-controller) (ARC) project is a Kubernetes-based runner autoscaler. {% data variables.product.prodname_dotcom %} recommends ARC if the team deploying it has expert Kubernetes knowledge and experience. -For more information, see "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/about-actions-runner-controller)" and "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/about-support-for-actions-runner-controller)." +For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/about-actions-runner-controller) and [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/about-support-for-actions-runner-controller). ## Using ephemeral runners for autoscaling @@ -35,7 +35,7 @@ For more information, see "[AUTOTITLE](/actions/hosting-your-own-runners/managin This approach allows you to manage your runners as ephemeral systems, since you can use automation to provide a clean environment for each job. This helps limit the exposure of any sensitive resources from previous jobs, and also helps mitigate the risk of a compromised runner receiving new jobs. ->[!WARNING]The runner application log files for ephemeral runners must be forwarded to an external log storage solution for troubleshooting and diagnostic purposes. While it is not required for ephemeral runners to be deployed, {% data variables.product.prodname_dotcom %} recommends ensuring runner logs are forwarded and preserved externally before deploying an ephemeral runner autoscaling solution in a production environment. For more information, see "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners#reviewing-the-self-hosted-runner-application-log-files)." +>[!WARNING]The runner application log files for ephemeral runners must be forwarded to an external log storage solution for troubleshooting and diagnostic purposes. While it is not required for ephemeral runners to be deployed, {% data variables.product.prodname_dotcom %} recommends ensuring runner logs are forwarded and preserved externally before deploying an ephemeral runner autoscaling solution in a production environment. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners#reviewing-the-self-hosted-runner-application-log-files). To add an ephemeral runner to your environment, include the `--ephemeral` parameter when registering your runner using `config.sh`. For example: @@ -50,7 +50,7 @@ The {% data variables.product.prodname_actions %} service will then automaticall {% ifversion actions-single-use-tokens %} -Alternatively, you can create ephemeral, just-in-time runners using the REST API. For more information, see "[AUTOTITLE](/rest/actions/self-hosted-runners)." +Alternatively, you can create ephemeral, just-in-time runners using the REST API. For more information, see [AUTOTITLE](/rest/actions/self-hosted-runners). {% endif %} @@ -66,7 +66,7 @@ To turn off automatic software updates and install software updates yourself, sp If you disable automatic updates, you must still update your runner version regularly. New functionality in {% data variables.product.prodname_actions %} requires changes in both the {% data variables.product.prodname_actions %} service _and_ the runner software. The runner may not be able to correctly process jobs that take advantage of new features in {% data variables.product.prodname_actions %} without a software update. -If you disable automatic updates, you will be required to update your runner version within 30 days of a new version being made available. You may want to subscribe to notifications for releases in the [`actions/runner` repository](https://github.com/actions/runner/releases). For more information, see "[AUTOTITLE](/account-and-profile/managing-subscriptions-and-notifications-on-github/setting-up-notifications/configuring-notifications#about-custom-notifications)." +If you disable automatic updates, you will be required to update your runner version within 30 days of a new version being made available. You may want to subscribe to notifications for releases in the [`actions/runner` repository](https://github.com/actions/runner/releases). For more information, see [AUTOTITLE](/account-and-profile/managing-subscriptions-and-notifications-on-github/setting-up-notifications/configuring-notifications#about-custom-notifications). For instructions on how to install the latest runner version, see the installation instructions for [the latest release](https://github.com/actions/runner/releases). @@ -76,8 +76,8 @@ For instructions on how to install the latest runner version, see the installati You can create your own autoscaling environment by using payloads received from the [`workflow_job`](/webhooks-and-events/webhooks/webhook-events-and-payloads#workflow_job) webhook. This webhook is available at the repository, organization, and enterprise levels, and the payload for this event contains an `action` key that corresponds to the stages of a workflow job's life-cycle; for example when jobs are `queued`, `in_progress`, and `completed`. You must then create your own scaling automation in response to these webhook payloads. -* For more information about the `workflow_job` webhook, see "[AUTOTITLE](/webhooks-and-events/webhooks/webhook-events-and-payloads#workflow_job)." -* To learn how to work with webhooks, see "[AUTOTITLE](/webhooks)." +* For more information about the `workflow_job` webhook, see [AUTOTITLE](/webhooks-and-events/webhooks/webhook-events-and-payloads#workflow_job). +* To learn how to work with webhooks, see [AUTOTITLE](/webhooks). ## Authentication requirements diff --git a/content/actions/hosting-your-own-runners/managing-self-hosted-runners/configuring-the-self-hosted-runner-application-as-a-service.md b/content/actions/hosting-your-own-runners/managing-self-hosted-runners/configuring-the-self-hosted-runner-application-as-a-service.md index dd47abb03c49..8df55422b8e1 100644 --- a/content/actions/hosting-your-own-runners/managing-self-hosted-runners/configuring-the-self-hosted-runner-application-as-a-service.md +++ b/content/actions/hosting-your-own-runners/managing-self-hosted-runners/configuring-the-self-hosted-runner-application-as-a-service.md @@ -22,7 +22,7 @@ defaultPlatform: linux > [!NOTE] > You must add a runner to {% data variables.product.product_name %} before you can configure the self-hosted runner application as a service. -For more information, see "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/adding-self-hosted-runners)." +For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/adding-self-hosted-runners). {% endcapture %} @@ -43,7 +43,7 @@ For Linux systems that use `systemd`, you can use the `svc.sh` script that is cr > [!NOTE] > Configuring the self-hosted runner application as a service on Windows is part of the application configuration process. If you have already configured the self-hosted runner application but did not choose to configure it as a service, you must remove the runner from {% data variables.product.prodname_dotcom %} and re-configure the application. When you re-configure the application, choose the option to configure the application as a service. > -> For more information, see "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/removing-self-hosted-runners)" and "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/adding-self-hosted-runners)." +> For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/removing-self-hosted-runners) and [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/adding-self-hosted-runners). You can manage the runner service in the Windows **Services** application, or you can use PowerShell to run the commands below. @@ -141,7 +141,7 @@ Get-Service "{{ service_win_name }}" {% endmac %} - For more information on viewing the status of your self-hosted runner, see "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners)." + For more information on viewing the status of your self-hosted runner, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners). ## Stopping the service diff --git a/content/actions/hosting-your-own-runners/managing-self-hosted-runners/customizing-the-containers-used-by-jobs.md b/content/actions/hosting-your-own-runners/managing-self-hosted-runners/customizing-the-containers-used-by-jobs.md index 82a9ec964145..85454d081282 100644 --- a/content/actions/hosting-your-own-runners/managing-self-hosted-runners/customizing-the-containers-used-by-jobs.md +++ b/content/actions/hosting-your-own-runners/managing-self-hosted-runners/customizing-the-containers-used-by-jobs.md @@ -14,9 +14,9 @@ shortTitle: Customize containers used by jobs ## About container customization -{% data variables.product.prodname_actions %} allows you to run a job within a container, using the `container:` statement in your workflow file. For more information, see "[AUTOTITLE](/actions/using-jobs/running-jobs-in-a-container)." To process container-based jobs, the self-hosted runner creates a container for each job. +{% data variables.product.prodname_actions %} allows you to run a job within a container, using the `container:` statement in your workflow file. For more information, see [AUTOTITLE](/actions/using-jobs/running-jobs-in-a-container). To process container-based jobs, the self-hosted runner creates a container for each job. -{% data variables.product.prodname_actions %} supports commands that let you customize the way your containers are created by the self-hosted runner. For example, you can use these commands to manage the containers through Kubernetes or Podman, and you can also customize the `docker run` or `docker create` commands used to invoke the container. The customization commands are run by a script, which is automatically triggered when a specific environment variable is set on the runner. For more information, see "[Triggering the customization script](#triggering-the-customization-script)" below. +{% data variables.product.prodname_actions %} supports commands that let you customize the way your containers are created by the self-hosted runner. For example, you can use these commands to manage the containers through Kubernetes or Podman, and you can also customize the `docker run` or `docker create` commands used to invoke the container. The customization commands are run by a script, which is automatically triggered when a specific environment variable is set on the runner. For more information, see [Triggering the customization script](#triggering-the-customization-script) below. This customization is only available for Linux-based self-hosted runners, and root user access is not required. @@ -29,7 +29,7 @@ This customization is only available for Linux-based self-hosted runners, and ro * [`run_container_step`](/actions/hosting-your-own-runners/managing-self-hosted-runners/customizing-the-containers-used-by-jobs#run_container_step): Called once for each container action in the job. * [`run_script_step`](/actions/hosting-your-own-runners/managing-self-hosted-runners/customizing-the-containers-used-by-jobs#run_script_step): Runs any step that is not a container action. -Each of these customization commands must be defined in its own JSON file. The file name must match the command name, with the extension `.json`. For example, the `prepare_job` command is defined in `prepare_job.json`. These JSON files will then be run together on the self-hosted runner, as part of the main `index.js` script. This process is described in more detail in "[Generating the customization script](#generating-the-customization-script)." +Each of these customization commands must be defined in its own JSON file. The file name must match the command name, with the extension `.json`. For example, the `prepare_job` command is defined in `prepare_job.json`. These JSON files will then be run together on the self-hosted runner, as part of the main `index.js` script. This process is described in more detail in [Generating the customization script](#generating-the-customization-script). These commands also include configuration arguments, explained below in more detail. @@ -46,7 +46,7 @@ The `prepare_job` command is called when a job is started. {% data variables.pro * Start the service containers. * Write to the response file any information that {% data variables.product.prodname_actions %} will need: * Required: State whether the container is an `alpine` linux container (using the `isAlpine` boolean). - * Optional: Any context fields you want to set on the job context, otherwise they will be unavailable for users to use. For more information, see "[AUTOTITLE](/actions/learn-github-actions/contexts#job-context)." + * Optional: Any context fields you want to set on the job context, otherwise they will be unavailable for users to use. For more information, see [AUTOTITLE](/actions/learn-github-actions/contexts#job-context). * Return `0` when the health checks have succeeded and the job/service containers are started. #### Arguments for `prepare_job` @@ -54,9 +54,9 @@ The `prepare_job` command is called when a job is started. {% data variables.pro * `jobContainer`: **Optional**. An object containing information about the specified job container. * `image`: **Required**. A string containing the Docker image. * `workingDirectory`: **Required**. A string containing the absolute path of the working directory. - * `createOptions`: **Optional**. The optional _create_ options specified in the YAML. For more information, see "[AUTOTITLE](/actions/using-jobs/running-jobs-in-a-container#example-running-a-job-within-a-container)." + * `createOptions`: **Optional**. The optional _create_ options specified in the YAML. For more information, see [AUTOTITLE](/actions/using-jobs/running-jobs-in-a-container#example-running-a-job-within-a-container). * `environmentVariables`: **Optional**. Sets a map of key environment variables. - * `userMountVolumes`: **Optional**. An array of user mount volumes set in the YAML. For more information, see "[AUTOTITLE](/actions/using-jobs/running-jobs-in-a-container#example-running-a-job-within-a-container)." + * `userMountVolumes`: **Optional**. An array of user mount volumes set in the YAML. For more information, see [AUTOTITLE](/actions/using-jobs/running-jobs-in-a-container#example-running-a-job-within-a-container). * `sourceVolumePath`: **Required**. The source path to the volume that will be mounted into the Docker container. * `targetVolumePath`: **Required**. The target path to the volume that will be mounted into the Docker container. * `readOnly`: **Required**. Determines whether or not the mount should be read-only. @@ -72,7 +72,7 @@ The `prepare_job` command is called when a job is started. {% data variables.pro * `services`: **Optional**. An array of service containers to spin up. * `contextName`: **Required**. The name of the service in the Job context. * `image`: **Required**. A string containing the Docker image. - * `createOptions`: **Optional**. The optional _create_ options specified in the YAML. For more information, see "[AUTOTITLE](/actions/using-jobs/running-jobs-in-a-container#example-running-a-job-within-a-container)." + * `createOptions`: **Optional**. The optional _create_ options specified in the YAML. For more information, see [AUTOTITLE](/actions/using-jobs/running-jobs-in-a-container#example-running-a-job-within-a-container). * `environmentVariables`: **Optional**. Sets a map of key environment variables. * `userMountVolumes`: **Optional**. An array of mounts to mount into the container, same fields as above. * `sourceVolumePath`: **Required**. The source path to the volume that will be mounted into the Docker container. @@ -252,10 +252,10 @@ The `run_container_step` command is called once for each container action in you * `entryPointArgs`: **Optional**. A list containing the entry point args. * `entryPoint`: **Optional**. The container entry point to use if the default image entrypoint should be overwritten. * `workingDirectory`: **Required**. A string containing the absolute path of the working directory. -* `createOptions`: **Optional**. The optional _create_ options specified in the YAML. For more information, see "[AUTOTITLE](/actions/using-jobs/running-jobs-in-a-container#example-running-a-job-within-a-container)." +* `createOptions`: **Optional**. The optional _create_ options specified in the YAML. For more information, see [AUTOTITLE](/actions/using-jobs/running-jobs-in-a-container#example-running-a-job-within-a-container). * `environmentVariables`: **Optional**. Sets a map of key environment variables. * `prependPath`: **Optional**. An array of additional paths to prepend to the `$PATH` variable. -* `userMountVolumes`: **Optional**. an array of user mount volumes set in the YAML. For more information, see "[AUTOTITLE](/actions/using-jobs/running-jobs-in-a-container#example-running-a-job-within-a-container)." +* `userMountVolumes`: **Optional**. an array of user mount volumes set in the YAML. For more information, see [AUTOTITLE](/actions/using-jobs/running-jobs-in-a-container#example-running-a-job-within-a-container). * `sourceVolumePath`: **Required**. The source path to the volume that will be mounted into the Docker container. * `targetVolumePath`: **Required**. The target path to the volume that will be mounted into the Docker container. * `readOnly`: **Required**. Determines whether or not the mount should be read-only. @@ -519,4 +519,4 @@ There is currently no timeout setting available for the script executed by `ACTI ### Reviewing the workflow run log -To confirm whether your scripts are executing, you can review the logs for that job. For more information on checking the logs, see "[AUTOTITLE](/actions/monitoring-and-troubleshooting-workflows/using-workflow-run-logs#viewing-logs-to-diagnose-failures)." +To confirm whether your scripts are executing, you can review the logs for that job. For more information on checking the logs, see [AUTOTITLE](/actions/monitoring-and-troubleshooting-workflows/using-workflow-run-logs#viewing-logs-to-diagnose-failures). diff --git a/content/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners.md b/content/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners.md index 34fd8a8dc163..931d8f3c612d 100644 --- a/content/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners.md +++ b/content/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners.md @@ -47,7 +47,7 @@ You can use the self-hosted runner application's `config` script with the `--che In addition to `--check`, you must provide two arguments to the script: * `--url` with the URL to your {% data variables.product.company_short %} repository, organization, or enterprise. For example, `--url https://github.com/octo-org/octo-repo`. -* `--pat` with the value of a {% data variables.product.pat_v1 %}, which must have the `workflow` scope, or a {% data variables.product.pat_v2 %} with workflows read and write access. For example, `--pat ghp_abcd1234`. For more information, see "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token)." +* `--pat` with the value of a {% data variables.product.pat_v1 %}, which must have the `workflow` scope, or a {% data variables.product.pat_v2 %} with workflows read and write access. For example, `--pat ghp_abcd1234`. For more information, see [AUTOTITLE](/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token). For example: @@ -71,7 +71,7 @@ config.cmd --check --url https://github.com/YOUR-ORG/YOUR-REPO --pat GHP_ABCD123 The script tests each service, and outputs either a `PASS` or `FAIL` for each one. If you have any failing checks, you can see more details on the problem in the log file for the check. The log files are located in the `_diag` directory where you installed the runner application, and the path of the log file for each check is shown in the console output of the script. -If you have any failing checks, you should also verify that your self-hosted runner machine meets all the communication requirements. For more information, see "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners#communication-requirements)." +If you have any failing checks, you should also verify that your self-hosted runner machine meets all the communication requirements. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners#communication-requirements). ### Disabling TLS certificate verification @@ -119,7 +119,7 @@ export GITHUB_ACTIONS_RUNNER_TLS_NO_VERIFY=1 You can monitor the status of the self-hosted runner application and its activities. Log files are kept in the `_diag` directory where you installed the runner application, and a new log is generated each time the application is started. The filename begins with `Runner_`, and is followed by a UTC timestamp of when the application was started. > [!WARNING] -> Runner application log files for ephemeral runners must be forwarded and preserved externally for troubleshooting and diagnostic purposes. For more information about ephemeral runners and autoscaling self-hosted runners, see "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/autoscaling-with-self-hosted-runners#using-ephemeral-runners-for-autoscaling)." +> Runner application log files for ephemeral runners must be forwarded and preserved externally for troubleshooting and diagnostic purposes. For more information about ephemeral runners and autoscaling self-hosted runners, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/autoscaling-with-self-hosted-runners#using-ephemeral-runners-for-autoscaling). For detailed logs on workflow job executions, see the next section describing the `Worker_` files. @@ -164,7 +164,7 @@ Feb 11 16:07:10 runner01 runsvc.sh[962]: 2020-02-11 16:07:10Z: Job testAction co ``` To view the `systemd` configuration, you can locate the service file here: `/etc/systemd/system/actions.runner.-..service`. -If you want to customize the self-hosted runner application service, do not directly modify this file. Follow the instructions described in "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/configuring-the-self-hosted-runner-application-as-a-service#customizing-the-self-hosted-runner-service)." +If you want to customize the self-hosted runner application service, do not directly modify this file. Follow the instructions described in [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/configuring-the-self-hosted-runner-application-as-a-service#customizing-the-self-hosted-runner-service). {% endlinux %} @@ -192,7 +192,7 @@ Started: The resulting output includes the process ID and the name of the application’s `launchd` service. To view the `launchd` configuration, you can locate the service file here: `/Users/exampleUsername/Library/LaunchAgents/actions.runner...service`. -If you want to customize the self-hosted runner application service, do not directly modify this file. Follow the instructions described in "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/configuring-the-self-hosted-runner-application-as-a-service#customizing-the-self-hosted-runner-service-1)." +If you want to customize the self-hosted runner application service, do not directly modify this file. Follow the instructions described in [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/configuring-the-self-hosted-runner-application-as-a-service#customizing-the-self-hosted-runner-service-1). {% endmac %} diff --git a/content/actions/hosting-your-own-runners/managing-self-hosted-runners/removing-self-hosted-runners.md b/content/actions/hosting-your-own-runners/managing-self-hosted-runners/removing-self-hosted-runners.md index ca785aa0466b..3bac1dee60cb 100644 --- a/content/actions/hosting-your-own-runners/managing-self-hosted-runners/removing-self-hosted-runners.md +++ b/content/actions/hosting-your-own-runners/managing-self-hosted-runners/removing-self-hosted-runners.md @@ -24,11 +24,11 @@ shortTitle: Remove self-hosted runners > * {% data reusables.actions.jit-runner-removal %} {%- endif %} -To remove a self-hosted runner from a user repository you must be the repository owner. Organization owners{% ifversion custom-org-roles %} and users with the "Manage organization runners and runner groups" permission{% endif %} can remove a runner from a repository in the organization. {% ifversion custom-org-roles %}For more information about custom organization roles, see "[AUTOTITLE](/organizations/managing-peoples-access-to-your-organization-with-roles/about-custom-organization-roles)."{% endif %} +To remove a self-hosted runner from a user repository you must be the repository owner. Organization owners{% ifversion custom-org-roles %} and users with the "Manage organization runners and runner groups" permission{% endif %} can remove a runner from a repository in the organization. {% ifversion custom-org-roles %}For more information about custom organization roles, see [AUTOTITLE](/organizations/managing-peoples-access-to-your-organization-with-roles/about-custom-organization-roles).{% endif %} We recommend that you also have access to the self-hosted runner machine. -For information about how to remove a self-hosted runner with the REST API, see "[AUTOTITLE](/rest/actions/self-hosted-runners)." +For information about how to remove a self-hosted runner with the REST API, see [AUTOTITLE](/rest/actions/self-hosted-runners). {% data reusables.actions.self-hosted-runner-reusing %} {% data reusables.repositories.navigate-to-repo %} @@ -46,9 +46,9 @@ For information about how to remove a self-hosted runner with the REST API, see > * {% data reusables.actions.jit-runner-removal %} {%- endif %} -To remove a self-hosted runner from an organization, you must be an organization owner{% ifversion custom-org-roles %} or have the "Manage organization runners and runner groups" permission{% endif %}. We recommend that you also have access to the self-hosted runner machine. For information about how to remove a self-hosted runner with the REST API, see "[AUTOTITLE](/rest/actions/self-hosted-runners)." +To remove a self-hosted runner from an organization, you must be an organization owner{% ifversion custom-org-roles %} or have the "Manage organization runners and runner groups" permission{% endif %}. We recommend that you also have access to the self-hosted runner machine. For information about how to remove a self-hosted runner with the REST API, see [AUTOTITLE](/rest/actions/self-hosted-runners). -{% ifversion custom-org-roles %}For more information about custom organization roles, see "[AUTOTITLE](/organizations/managing-peoples-access-to-your-organization-with-roles/about-custom-organization-roles)."{% endif %} +{% ifversion custom-org-roles %}For more information about custom organization roles, see [AUTOTITLE](/organizations/managing-peoples-access-to-your-organization-with-roles/about-custom-organization-roles).{% endif %} {% data reusables.actions.self-hosted-runner-reusing %} {% data reusables.organizations.navigate-to-org %} diff --git a/content/actions/hosting-your-own-runners/managing-self-hosted-runners/running-scripts-before-or-after-a-job.md b/content/actions/hosting-your-own-runners/managing-self-hosted-runners/running-scripts-before-or-after-a-job.md index 743c2cf8f37e..739fbb652f77 100644 --- a/content/actions/hosting-your-own-runners/managing-self-hosted-runners/running-scripts-before-or-after-a-job.md +++ b/content/actions/hosting-your-own-runners/managing-self-hosted-runners/running-scripts-before-or-after-a-job.md @@ -13,7 +13,7 @@ shortTitle: Run a script before or after a job You can automatically execute scripts on a self-hosted runner, either before a job runs, or after a job finishes running. You could use these scripts to support the job's requirements, such as building or tearing down a runner environment, or cleaning out directories. You could also use these scripts to track telemetry of how your runners are used. -The custom scripts are automatically triggered when a specific environment variable is set on the runner; the environment variable must contain the absolute path to the script. For more information, see "[Triggering the scripts](#triggering-the-scripts)" below. +The custom scripts are automatically triggered when a specific environment variable is set on the runner; the environment variable must contain the absolute path to the script. For more information, see [Triggering the scripts](#triggering-the-scripts) below. The following scripting languages are supported: @@ -24,8 +24,8 @@ The following scripting languages are supported: Your custom scripts can use the following features: -* **Variables:** Scripts have access to the default variables. The full webhook event payload can be found in `GITHUB_EVENT_PATH`. For more information, see "[AUTOTITLE](/actions/learn-github-actions/variables#default-environment-variables)." -* **Workflow commands:** Scripts can use workflow commands. For more information, see "[AUTOTITLE](/actions/using-workflows/workflow-commands-for-github-actions)". Scripts can also use environment files. For more information, see [Environment files](/actions/using-workflows/workflow-commands-for-github-actions#environment-files). +* **Variables:** Scripts have access to the default variables. The full webhook event payload can be found in `GITHUB_EVENT_PATH`. For more information, see [AUTOTITLE](/actions/learn-github-actions/variables#default-environment-variables). +* **Workflow commands:** Scripts can use workflow commands. For more information, see [AUTOTITLE](/actions/using-workflows/workflow-commands-for-github-actions). Scripts can also use environment files. For more information, see [Environment files](/actions/using-workflows/workflow-commands-for-github-actions#environment-files). Your script files must use a file extension for the relevant language, such as `.sh` or `.ps1`, in order to run successfully. @@ -34,7 +34,7 @@ Your script files must use a file extension for the relevant language, such as ` ### Handling exit codes -For pre-job scripts, exit code `0` indicates that the script completed successfully, and the job will then proceed to run. If there is any other exit code, the job will not run and will be marked as failed. To see the results of your pre-job scripts, check the logs for `Set up runner` entries. For more information on checking the logs, see "[AUTOTITLE](/actions/monitoring-and-troubleshooting-workflows/using-workflow-run-logs#viewing-logs-to-diagnose-failures)." +For pre-job scripts, exit code `0` indicates that the script completed successfully, and the job will then proceed to run. If there is any other exit code, the job will not run and will be marked as failed. To see the results of your pre-job scripts, check the logs for `Set up runner` entries. For more information on checking the logs, see [AUTOTITLE](/actions/monitoring-and-troubleshooting-workflows/using-workflow-run-logs#viewing-logs-to-diagnose-failures). The [`continue-on-error`](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idcontinue-on-error) setting is not supported for use by these scripts. @@ -68,7 +68,7 @@ If you get a "permission denied" error when you attempt to run a script, make su chmod +x PATH/TO/FILE ``` -For information about using workflows to run scripts, see "[AUTOTITLE](/actions/writing-workflows/choosing-what-your-workflow-does/adding-scripts-to-your-workflow)." +For information about using workflows to run scripts, see [AUTOTITLE](/actions/writing-workflows/choosing-what-your-workflow-does/adding-scripts-to-your-workflow). ### No timeout setting @@ -76,4 +76,4 @@ There is currently no timeout setting available for scripts executed by `ACTIONS ### Reviewing the workflow run log -To confirm whether your scripts are executing, you can review the logs for that job. The scripts will be listed within separate steps for either `Set up runner` or `Complete runner`, depending on which environment variable is triggering the script. For more information on checking the logs, see "[AUTOTITLE](/actions/monitoring-and-troubleshooting-workflows/using-workflow-run-logs#viewing-logs-to-diagnose-failures)." +To confirm whether your scripts are executing, you can review the logs for that job. The scripts will be listed within separate steps for either `Set up runner` or `Complete runner`, depending on which environment variable is triggering the script. For more information on checking the logs, see [AUTOTITLE](/actions/monitoring-and-troubleshooting-workflows/using-workflow-run-logs#viewing-logs-to-diagnose-failures). diff --git a/content/actions/hosting-your-own-runners/managing-self-hosted-runners/using-a-proxy-server-with-self-hosted-runners.md b/content/actions/hosting-your-own-runners/managing-self-hosted-runners/using-a-proxy-server-with-self-hosted-runners.md index 67a1d8858c77..750c1cf3b42a 100644 --- a/content/actions/hosting-your-own-runners/managing-self-hosted-runners/using-a-proxy-server-with-self-hosted-runners.md +++ b/content/actions/hosting-your-own-runners/managing-self-hosted-runners/using-a-proxy-server-with-self-hosted-runners.md @@ -53,4 +53,4 @@ no_proxy=example.com,myserver.local:443 If you use Docker container actions or service containers in your workflows, you might also need to configure Docker to use your proxy server in addition to setting the above environment variables. -For information on the required Docker configuration, see "[Configure Docker to use a proxy server](https://docs.docker.com/network/proxy/)" in the Docker documentation. +For information on the required Docker configuration, see [Configure Docker to use a proxy server](https://docs.docker.com/network/proxy/) in the Docker documentation. diff --git a/content/actions/hosting-your-own-runners/managing-self-hosted-runners/using-labels-with-self-hosted-runners.md b/content/actions/hosting-your-own-runners/managing-self-hosted-runners/using-labels-with-self-hosted-runners.md index e89ef73ce467..ef7eee7ec3db 100644 --- a/content/actions/hosting-your-own-runners/managing-self-hosted-runners/using-labels-with-self-hosted-runners.md +++ b/content/actions/hosting-your-own-runners/managing-self-hosted-runners/using-labels-with-self-hosted-runners.md @@ -13,7 +13,7 @@ shortTitle: Label runners {% data reusables.actions.enterprise-github-hosted-runners %} -For information on how to use labels to route jobs to specific types of self-hosted runners, see "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/using-self-hosted-runners-in-a-workflow)." {% ifversion target-runner-groups %}You can also route jobs to runners in a specific group. For more information, see "[AUTOTITLE](/actions/using-jobs/choosing-the-runner-for-a-job#targeting-runners-in-a-group)."{% endif %} +For information on how to use labels to route jobs to specific types of self-hosted runners, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/using-self-hosted-runners-in-a-workflow). {% ifversion target-runner-groups %}You can also route jobs to runners in a specific group. For more information, see [AUTOTITLE](/actions/using-jobs/choosing-the-runner-for-a-job#targeting-runners-in-a-group).{% endif %} {% data reusables.actions.self-hosted-runner-management-permissions-required %} @@ -119,7 +119,7 @@ You can remove custom labels from self-hosted runners at the repository{% ifvers You can programmatically assign labels to a self-hosted runner after the runner is created, or during its initial configuration. -* To programmatically assign labels to an existing self-hosted runner, you must use the REST API. For more information, see "[AUTOTITLE](/rest/actions/self-hosted-runners)." +* To programmatically assign labels to an existing self-hosted runner, you must use the REST API. For more information, see [AUTOTITLE](/rest/actions/self-hosted-runners). * To programmatically assign labels to a self-hosted runner during the initial runner configuration, you can pass label names to the `config` script using the `labels` parameter. > [!NOTE] diff --git a/content/actions/hosting-your-own-runners/managing-self-hosted-runners/using-self-hosted-runners-in-a-workflow.md b/content/actions/hosting-your-own-runners/managing-self-hosted-runners/using-self-hosted-runners-in-a-workflow.md index 5acdd7a75909..3416f054f945 100644 --- a/content/actions/hosting-your-own-runners/managing-self-hosted-runners/using-self-hosted-runners-in-a-workflow.md +++ b/content/actions/hosting-your-own-runners/managing-self-hosted-runners/using-self-hosted-runners-in-a-workflow.md @@ -25,7 +25,7 @@ Labels allow you to send workflow jobs to specific types of self-hosted runners, {% data reusables.actions.self-hosted-runner-labels-runs-on %} -For information on creating custom and default labels, see "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/using-labels-with-self-hosted-runners)." +For information on creating custom and default labels, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/using-labels-with-self-hosted-runners). {% ifversion target-runner-groups %} @@ -35,7 +35,7 @@ For self-hosted runners defined at the organization {% ifversion ghec or ghes %} To specify a self-hosted runner group for your job, configure `runs-on.group` in your workflow file. -For information on creating and managing runner groups, see "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups)." +For information on creating and managing runner groups, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups). {% endif %} @@ -49,7 +49,7 @@ For information on creating and managing runner groups, see "[AUTOTITLE](/action {% data reusables.repositories.actions-tab %} {% data reusables.repositories.repository-runners %} 1. Click the **Self hosted** tab at the top of the list of runners. -1. Review the list of available self-hosted runners for the repository. This list includes both self-hosted runners and runner scale sets created with {% data variables.product.prodname_actions_runner_controller %}. For more information, see "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/about-actions-runner-controller)." +1. Review the list of available self-hosted runners for the repository. This list includes both self-hosted runners and runner scale sets created with {% data variables.product.prodname_actions_runner_controller %}. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/about-actions-runner-controller). {% data reusables.actions.copy-runner-label %} {% data reusables.actions.actions-tab-new-runners-note %} diff --git a/content/actions/managing-workflow-runs-and-deployments/managing-deployments/configuring-custom-deployment-protection-rules.md b/content/actions/managing-workflow-runs-and-deployments/managing-deployments/configuring-custom-deployment-protection-rules.md index 9c65ca77eaff..25f09394cb6c 100644 --- a/content/actions/managing-workflow-runs-and-deployments/managing-deployments/configuring-custom-deployment-protection-rules.md +++ b/content/actions/managing-workflow-runs-and-deployments/managing-deployments/configuring-custom-deployment-protection-rules.md @@ -21,11 +21,11 @@ redirect_from: Custom deployment protection rules are powered by {% data variables.product.prodname_github_apps %}. Once a deployment protection rule is configured and installed in a repository, it can be enabled for any environments in the repository. -After you enable a custom deployment protection rule on an environment, every time a workflow step targets that environment, the deployment protection rule will run automatically. For more information about targeting an environment for deployments, see "[AUTOTITLE](/actions/deployment/targeting-different-environments/managing-environments-for-deployment)." +After you enable a custom deployment protection rule on an environment, every time a workflow step targets that environment, the deployment protection rule will run automatically. For more information about targeting an environment for deployments, see [AUTOTITLE](/actions/deployment/targeting-different-environments/managing-environments-for-deployment). When a custom deployment protection rule is triggered it will wait for up to 30 days for a webhook event response before it times out and the workflow job fails. -For more information about creating your own custom deployment protection rules, see "[AUTOTITLE](/actions/deployment/protecting-deployments/creating-custom-deployment-protection-rules)." +For more information about creating your own custom deployment protection rules, see [AUTOTITLE](/actions/deployment/protecting-deployments/creating-custom-deployment-protection-rules). {% data reusables.actions.custom-deployment-protection-rules-limits %} @@ -44,7 +44,7 @@ The following is a list of official partner implementations for deployment prote ## Prerequisites -In order for a custom deployment protection rule to be available to all environments in a repository, you must first install the custom deployment protection rule on the repository. For more information, see "[AUTOTITLE](/apps/maintaining-github-apps/installing-github-apps)." +In order for a custom deployment protection rule to be available to all environments in a repository, you must first install the custom deployment protection rule on the repository. For more information, see [AUTOTITLE](/apps/maintaining-github-apps/installing-github-apps). After a custom deployment protection rule has been installed in a repository, it must be enabled for each environment where you want the rule to apply. @@ -57,4 +57,4 @@ After a custom deployment protection rule has been installed in a repository, it 1. Under "Deployment protection rules," check the box next to each custom deployment protection rule you want to enable for the environment. 1. Click **Save protection rules**. -Once a custom deployment protection rule has been enabled for an environment, it will automatically run whenever a workflow reaches a job that references the environment. You can see the results of an approval or rejection for your deployment by reviewing the details of the deployment. For more information, see "[AUTOTITLE](/actions/managing-workflow-runs/reviewing-deployments)." +Once a custom deployment protection rule has been enabled for an environment, it will automatically run whenever a workflow reaches a job that references the environment. You can see the results of an approval or rejection for your deployment by reviewing the details of the deployment. For more information, see [AUTOTITLE](/actions/managing-workflow-runs/reviewing-deployments). diff --git a/content/actions/managing-workflow-runs-and-deployments/managing-deployments/creating-custom-deployment-protection-rules.md b/content/actions/managing-workflow-runs-and-deployments/managing-deployments/creating-custom-deployment-protection-rules.md index 21ae0fdce84b..68aae5ecbf09 100644 --- a/content/actions/managing-workflow-runs-and-deployments/managing-deployments/creating-custom-deployment-protection-rules.md +++ b/content/actions/managing-workflow-runs-and-deployments/managing-deployments/creating-custom-deployment-protection-rules.md @@ -21,7 +21,7 @@ redirect_from: {% data reusables.actions.about-custom-deployment-protection-rules %} -Custom deployment protection rules are powered by {% data variables.product.prodname_github_apps %} and run based on webhooks and callbacks. Approval or rejection of a workflow job is based on consumption of the `deployment_protection_rule` webhook. For more information, see "[AUTOTITLE](/webhooks-and-events/webhooks/webhook-events-and-payloads#deployment_protection_rule)" and "[Approving or rejecting deployments](#approving-or-rejecting-deployments)." +Custom deployment protection rules are powered by {% data variables.product.prodname_github_apps %} and run based on webhooks and callbacks. Approval or rejection of a workflow job is based on consumption of the `deployment_protection_rule` webhook. For more information, see [AUTOTITLE](/webhooks-and-events/webhooks/webhook-events-and-payloads#deployment_protection_rule) and [Approving or rejecting deployments](#approving-or-rejecting-deployments). Once you have created a custom deployment protection rule and installed it on your repository, the custom deployment protection rule will automatically be available for all environments in the repository. @@ -37,8 +37,8 @@ Alternatively, you can write your own protection rules for any of the above use ## Creating a custom deployment protection rule with {% data variables.product.prodname_github_apps %} -1. Create a {% data variables.product.prodname_github_app %}. For more information, see "[AUTOTITLE](/apps/creating-github-apps/creating-github-apps/creating-a-github-app)." Configure the {% data variables.product.prodname_github_app %} as follows. - 1. Optionally, in the **Callback URL** text field under "Identifying and authorizing users," enter the callback URL. For more information, see "[AUTOTITLE](/apps/creating-github-apps/creating-github-apps/about-the-user-authorization-callback-url)." +1. Create a {% data variables.product.prodname_github_app %}. For more information, see [AUTOTITLE](/apps/creating-github-apps/creating-github-apps/creating-a-github-app). Configure the {% data variables.product.prodname_github_app %} as follows. + 1. Optionally, in the **Callback URL** text field under "Identifying and authorizing users," enter the callback URL. For more information, see [AUTOTITLE](/apps/creating-github-apps/creating-github-apps/about-the-user-authorization-callback-url). 1. Under "Permissions," select **Repository permissions**. 1. To the right of "Actions," click the drop down menu and select **Access: Read-only**. ![Screenshot of the "Repository permissions" section when creating a new GitHub App. The button to configure permissions, with the "read-only" permission selected, for Actions is highlighted by a dark orange rectangle.](/assets/images/help/actions/actions-repo-permissions-read-only.png) @@ -47,15 +47,15 @@ Alternatively, you can write your own protection rules for any of the above use 1. Under "Subscribe to events," select **Deployment protection rule**. ![Screenshot of the "Subscribe to events section" section while creating a new GitHub App. The checkbox to subscribe to the deployment protection rule event is highlighted by a dark orange rectangle.](/assets/images/help/actions/actions-subscribe-to-events-deployment-protection-rules.png) -1. Install the custom deployment protection rule in your repositories and enable it for use. For more information, see "[AUTOTITLE](/actions/deployment/protecting-deployments/configuring-custom-deployment-protection-rules)." +1. Install the custom deployment protection rule in your repositories and enable it for use. For more information, see [AUTOTITLE](/actions/deployment/protecting-deployments/configuring-custom-deployment-protection-rules). ## Approving or rejecting deployments Once a workflow reaches a job that references an environment that has the custom deployment protection rule enabled, {% data variables.product.company_short %} sends a `POST` request to a URL you configure containing the `deployment_protection_rule` payload. You can write your deployment protection rule to automatically send REST API requests that approve or reject the deployment based on the `deployment_protection_rule` payload. Configure your REST API requests as follows. -1. Validate the incoming `POST` request. For more information, see "[AUTOTITLE](/webhooks-and-events/webhooks/securing-your-webhooks#validating-payloads-from-github)." -1. Use a JSON Web Token to authenticate as a {% data variables.product.prodname_github_app %}. For more information, see "[AUTOTITLE](/apps/creating-github-apps/authenticating-with-a-github-app/authenticating-as-a-github-app#about-authentication-as-a-github-app)." -1. Using the installation ID from the `deployment_protection_rule` webhook payload, generate an install token. For more information, see "[AUTOTITLE](/developers/apps/building-github-apps/authenticating-with-github-apps#authenticating-as-a-github-app)." +1. Validate the incoming `POST` request. For more information, see [AUTOTITLE](/webhooks-and-events/webhooks/securing-your-webhooks#validating-payloads-from-github). +1. Use a JSON Web Token to authenticate as a {% data variables.product.prodname_github_app %}. For more information, see [AUTOTITLE](/apps/creating-github-apps/authenticating-with-a-github-app/authenticating-as-a-github-app#about-authentication-as-a-github-app). +1. Using the installation ID from the `deployment_protection_rule` webhook payload, generate an install token. For more information, see [AUTOTITLE](/developers/apps/building-github-apps/authenticating-with-github-apps#authenticating-as-a-github-app). ```shell curl --request POST \ @@ -72,18 +72,18 @@ Once a workflow reaches a job that references an environment that has the custom }' ``` -1. Optionally, to add a status report without taking any other action to {% data variables.product.prodname_dotcom %}, send a `POST` request to `/repos/OWNER/REPO/actions/runs/RUN_ID/deployment_protection_rule`. In the request body, omit the `state`. For more information, see "[AUTOTITLE](/rest/actions/workflow-runs#review-custom-deployment-protection-rules-for-a-workflow-run)." You can post a status report on the same deployment up to 10 times. Status reports support Markdown formatting and can be up to 1024 characters long. +1. Optionally, to add a status report without taking any other action to {% data variables.product.prodname_dotcom %}, send a `POST` request to `/repos/OWNER/REPO/actions/runs/RUN_ID/deployment_protection_rule`. In the request body, omit the `state`. For more information, see [AUTOTITLE](/rest/actions/workflow-runs#review-custom-deployment-protection-rules-for-a-workflow-run). You can post a status report on the same deployment up to 10 times. Status reports support Markdown formatting and can be up to 1024 characters long. -1. To approve or reject a request, send a `POST` request to `/repos/OWNER/REPO/actions/runs/RUN_ID/deployment_protection_rule`. In the request body, set the `state` property to either `approved` or `rejected`. For more information, see "[AUTOTITLE](/rest/actions/workflow-runs#review-custom-deployment-protection-rules-for-a-workflow-run)." +1. To approve or reject a request, send a `POST` request to `/repos/OWNER/REPO/actions/runs/RUN_ID/deployment_protection_rule`. In the request body, set the `state` property to either `approved` or `rejected`. For more information, see [AUTOTITLE](/rest/actions/workflow-runs#review-custom-deployment-protection-rules-for-a-workflow-run). -1. Optionally, request the status of an approval for a workflow run by sending a `GET` request to `/repos/OWNER/REPOSITORY_ID/actions/runs/RUN_ID/approvals`. For more information, see "[AUTOTITLE](/rest/actions/workflow-runs#get-the-review-history-for-a-workflow-run)." +1. Optionally, request the status of an approval for a workflow run by sending a `GET` request to `/repos/OWNER/REPOSITORY_ID/actions/runs/RUN_ID/approvals`. For more information, see [AUTOTITLE](/rest/actions/workflow-runs#get-the-review-history-for-a-workflow-run). -1. Optionally, review the deployment on {% data variables.product.prodname_dotcom %}. For more information, see "[AUTOTITLE](/actions/managing-workflow-runs/reviewing-deployments)." +1. Optionally, review the deployment on {% data variables.product.prodname_dotcom %}. For more information, see [AUTOTITLE](/actions/managing-workflow-runs/reviewing-deployments). {% ifversion fpt or ghec %} ## Publishing custom deployment protection rules in the {% data variables.product.prodname_marketplace %} -You can publish your {% data variables.product.prodname_github_app %} to the {% data variables.product.prodname_marketplace %} to allow developers to discover suitable protection rules and install it across their {% data variables.product.company_short %} repositories. Or you can browse existing custom deployment protection rules to suit your needs. For more information, see "[AUTOTITLE](/apps/publishing-apps-to-github-marketplace/github-marketplace-overview/about-github-marketplace)" and "[AUTOTITLE](/apps/publishing-apps-to-github-marketplace/listing-an-app-on-github-marketplace)." +You can publish your {% data variables.product.prodname_github_app %} to the {% data variables.product.prodname_marketplace %} to allow developers to discover suitable protection rules and install it across their {% data variables.product.company_short %} repositories. Or you can browse existing custom deployment protection rules to suit your needs. For more information, see [AUTOTITLE](/apps/publishing-apps-to-github-marketplace/github-marketplace-overview/about-github-marketplace) and [AUTOTITLE](/apps/publishing-apps-to-github-marketplace/listing-an-app-on-github-marketplace). {% endif %} diff --git a/content/actions/managing-workflow-runs-and-deployments/managing-deployments/managing-environments-for-deployment.md b/content/actions/managing-workflow-runs-and-deployments/managing-deployments/managing-environments-for-deployment.md index b34626d72cff..9f9dddceaef9 100644 --- a/content/actions/managing-workflow-runs-and-deployments/managing-deployments/managing-environments-for-deployment.md +++ b/content/actions/managing-workflow-runs-and-deployments/managing-deployments/managing-environments-for-deployment.md @@ -24,18 +24,18 @@ versions: ## About environments -Environments are used to describe a general deployment target like `production`, `staging`, or `development`. When a {% data variables.product.prodname_actions %} workflow deploys to an environment, the environment is displayed on the main page of the repository. For more information about viewing deployments to environments, see "[AUTOTITLE](/actions/deployment/managing-your-deployments/viewing-deployment-history)." +Environments are used to describe a general deployment target like `production`, `staging`, or `development`. When a {% data variables.product.prodname_actions %} workflow deploys to an environment, the environment is displayed on the main page of the repository. For more information about viewing deployments to environments, see [AUTOTITLE](/actions/deployment/managing-your-deployments/viewing-deployment-history). You can configure environments with protection rules and secrets. When a workflow job references an environment, the job won't start until all of the environment's protection rules pass. A job also cannot access secrets that are defined in an environment until all the deployment protection rules pass. -{% ifversion actions-break-glass %}Optionally, you can bypass an environment's protection rules and force all pending jobs referencing the environment to proceed. For more information, see "[AUTOTITLE](/actions/managing-workflow-runs/reviewing-deployments#bypassing-environment-protection-rules)."{% endif %} +{% ifversion actions-break-glass %}Optionally, you can bypass an environment's protection rules and force all pending jobs referencing the environment to proceed. For more information, see [AUTOTITLE](/actions/managing-workflow-runs/reviewing-deployments#bypassing-environment-protection-rules).{% endif %} {% ifversion fpt %} > [!NOTE] > Users with {% data variables.product.prodname_free_user %} plans can only configure environments for public repositories. If you convert a repository from public to private, any configured protection rules or environment secrets will be ignored, and you will not be able to configure any environments. If you convert your repository back to public, you will have access to any previously configured protection rules and environment secrets. > -> Organizations with {% data variables.product.prodname_team %} and users with {% data variables.product.prodname_pro %} can configure environments for private repositories. For more information, see "[AUTOTITLE](/get-started/learning-about-github/githubs-plans)." +> Organizations with {% data variables.product.prodname_team %} and users with {% data variables.product.prodname_pro %} can configure environments for private repositories. For more information, see [AUTOTITLE](/get-started/learning-about-github/githubs-plans). {% endif %} @@ -55,7 +55,7 @@ Use required reviewers to require a specific person or team to approve workflow {% ifversion deployments-prevent-self-approval %}You also have the option to prevent self-reviews for deployments to protected environments. If you enable this setting, users who initiate a deployment cannot approve the deployment job, even if they are a required reviewer. This ensures that deployments to protected environments are always reviewed by more than one person.{% endif %} -For more information on reviewing jobs that reference an environment with required reviewers, see "[AUTOTITLE](/actions/managing-workflow-runs/reviewing-deployments)." +For more information on reviewing jobs that reference an environment with required reviewers, see [AUTOTITLE](/actions/managing-workflow-runs/reviewing-deployments). {% ifversion fpt %} @@ -84,7 +84,7 @@ Use deployment branches{% ifversion deployment-protections-tag-patterns %} and t {%- else %} * **All branches:** All branches in the repository can deploy to the environment. {%- endif %} -* **Protected branches{% ifversion deployment-protections-tag-patterns %} only{% endif %}:** Only branches with branch protection rules enabled can deploy to the environment. If no branch protection rules are defined for any branch in the repository, then all branches can deploy. For more information about branch protection rules, see "[AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches)."{% ifversion actions-protected-branches-restrictions %} +* **Protected branches{% ifversion deployment-protections-tag-patterns %} only{% endif %}:** Only branches with branch protection rules enabled can deploy to the environment. If no branch protection rules are defined for any branch in the repository, then all branches can deploy. For more information about branch protection rules, see [AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches).{% ifversion actions-protected-branches-restrictions %} > [!NOTE] > Deployment workflow runs triggered by tags with the same name as a protected branch and forks with branches that match the protected branch name cannot deploy to the environment. @@ -111,7 +111,7 @@ Use deployment branches{% ifversion deployment-protections-tag-patterns %} and t ### Allow administrators to bypass configured protection rules -By default, administrators can bypass the protection rules and force deployments to specific environments. For more information, see "[AUTOTITLE](/actions/managing-workflow-runs/reviewing-deployments#bypassing-environment-protection-rules)." +By default, administrators can bypass the protection rules and force deployments to specific environments. For more information, see [AUTOTITLE](/actions/managing-workflow-runs/reviewing-deployments#bypassing-environment-protection-rules). Alternatively, you can configure environments to disallow bypassing the protection rules for all deployments to the environment. @@ -129,9 +129,9 @@ Alternatively, you can configure environments to disallow bypassing the protecti {% data reusables.actions.custom-deployment-protection-rules-beta-note %} -{% data reusables.actions.about-custom-deployment-protection-rules %} For more information, see "[AUTOTITLE](/actions/deployment/protecting-deployments/creating-custom-deployment-protection-rules)". +{% data reusables.actions.about-custom-deployment-protection-rules %} For more information, see [AUTOTITLE](/actions/deployment/protecting-deployments/creating-custom-deployment-protection-rules). -Once custom deployment protection rules have been created and installed on a repository, you can enable the custom deployment protection rule for any environment in the repository. For more information about configuring and enabling custom deployment protection rules, see "[AUTOTITLE](/actions/deployment/protecting-deployments/configuring-custom-deployment-protection-rules)." +Once custom deployment protection rules have been created and installed on a repository, you can enable the custom deployment protection rule for any environment in the repository. For more information about configuring and enabling custom deployment protection rules, see [AUTOTITLE](/actions/deployment/protecting-deployments/configuring-custom-deployment-protection-rules). {% ifversion fpt %} @@ -144,23 +144,23 @@ Once custom deployment protection rules have been created and installed on a rep ## Environment secrets -Secrets stored in an environment are only available to workflow jobs that reference the environment. If the environment requires approval, a job cannot access environment secrets until one of the required reviewers approves it. For more information about secrets, see "[AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions)." +Secrets stored in an environment are only available to workflow jobs that reference the environment. If the environment requires approval, a job cannot access environment secrets until one of the required reviewers approves it. For more information about secrets, see [AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions). {% ifversion fpt %} > [!NOTE] -> * Workflows that run on self-hosted runners are not run in an isolated container, even if they use environments. Environment secrets should be treated with the same level of security as repository and organization secrets. For more information, see "[AUTOTITLE](/actions/security-guides/security-hardening-for-github-actions#hardening-for-self-hosted-runners)." -> * If you are using {% data variables.product.prodname_free_user %}, environment secrets are only available in public repositories. For access to environment secrets in private or internal repositories, you must use {% data variables.product.prodname_pro %}, {% data variables.product.prodname_team %}, or {% data variables.product.prodname_enterprise %}. For more information on switching your plan, see "[AUTOTITLE](/billing/managing-the-plan-for-your-github-account/upgrading-your-accounts-plan)." +> * Workflows that run on self-hosted runners are not run in an isolated container, even if they use environments. Environment secrets should be treated with the same level of security as repository and organization secrets. For more information, see [AUTOTITLE](/actions/security-guides/security-hardening-for-github-actions#hardening-for-self-hosted-runners). +> * If you are using {% data variables.product.prodname_free_user %}, environment secrets are only available in public repositories. For access to environment secrets in private or internal repositories, you must use {% data variables.product.prodname_pro %}, {% data variables.product.prodname_team %}, or {% data variables.product.prodname_enterprise %}. For more information on switching your plan, see [AUTOTITLE](/billing/managing-the-plan-for-your-github-account/upgrading-your-accounts-plan). {% else %} > [!NOTE] -> Workflows that run on self-hosted runners are not run in an isolated container, even if they use environments. Environment secrets should be treated with the same level of security as repository and organization secrets. For more information, see "[AUTOTITLE](/actions/security-guides/security-hardening-for-github-actions#hardening-for-self-hosted-runners)." +> Workflows that run on self-hosted runners are not run in an isolated container, even if they use environments. Environment secrets should be treated with the same level of security as repository and organization secrets. For more information, see [AUTOTITLE](/actions/security-guides/security-hardening-for-github-actions#hardening-for-self-hosted-runners). {% endif %} ## Environment variables -Variables stored in an environment are only available to workflow jobs that reference the environment. These variables are only accessible using the [`vars`](/actions/learn-github-actions/contexts#vars-context) context. For more information, see "[AUTOTITLE](/actions/learn-github-actions/variables)." +Variables stored in an environment are only available to workflow jobs that reference the environment. These variables are only accessible using the [`vars`](/actions/learn-github-actions/contexts#vars-context) context. For more information, see [AUTOTITLE](/actions/learn-github-actions/variables). {% ifversion fpt %} @@ -186,22 +186,22 @@ Variables stored in an environment are only available to workflow jobs that refe {% data reusables.actions.sidebar-environment %} {% data reusables.actions.new-environment %} {% data reusables.actions.name-environment %} -1. Optionally, specify people or teams that must approve workflow jobs that use this environment. For more information, see "[Required reviewers](#required-reviewers)." +1. Optionally, specify people or teams that must approve workflow jobs that use this environment. For more information, see [Required reviewers](#required-reviewers). 1. Select **Required reviewers**. 1. Enter up to 6 people or teams. Only one of the required reviewers needs to approve the job for it to proceed. {% ifversion deployments-prevent-self-approval %}1. Optionally, to prevent users from approving workflows runs that they triggered, select **Prevent self-review**.{% endif %} 1. Click **Save protection rules**. -1. Optionally, specify the amount of time to wait before allowing workflow jobs that use this environment to proceed. For more information, see "[Wait timer](#wait-timer)." +1. Optionally, specify the amount of time to wait before allowing workflow jobs that use this environment to proceed. For more information, see [Wait timer](#wait-timer). 1. Select **Wait timer**. 1. Enter the number of minutes to wait. 1. Click **Save protection rules**. {%- ifversion actions-break-glass %} -1. Optionally, disallow bypassing configured protection rules. For more information, see "[Allow administrators to bypass configured protection rules](#allow-administrators-to-bypass-configured-protection-rules)." +1. Optionally, disallow bypassing configured protection rules. For more information, see [Allow administrators to bypass configured protection rules](#allow-administrators-to-bypass-configured-protection-rules). 1. Deselect **Allow administrators to bypass configured protection rules**. 1. Click **Save protection rules**. {%- endif %} {%- ifversion actions-custom-deployment-protection-rules-beta %} -1. Optionally, enable any custom deployment protection rules that have been created with {% data variables.product.prodname_github_apps %}. For more information, see "[Custom deployment protection rules](#custom-deployment-protection-rules)." +1. Optionally, enable any custom deployment protection rules that have been created with {% data variables.product.prodname_github_apps %}. For more information, see [Custom deployment protection rules](#custom-deployment-protection-rules). 1. Select the custom protection rule you want to enable. 1. Click **Save protection rules**. {%- endif %} @@ -216,18 +216,18 @@ Variables stored in an environment are only available to workflow jobs that refe {% endif %} 1. Click **Add rule**. -1. Optionally, add environment secrets. These secrets are only available to workflow jobs that use the environment. Additionally, workflow jobs that use this environment can only access these secrets after any configured rules (for example, required reviewers) pass. For more information, see "[Environment secrets](#environment-secrets)." +1. Optionally, add environment secrets. These secrets are only available to workflow jobs that use the environment. Additionally, workflow jobs that use this environment can only access these secrets after any configured rules (for example, required reviewers) pass. For more information, see [Environment secrets](#environment-secrets). 1. Under **Environment secrets**, click **Add Secret**. 1. Enter the secret name. 1. Enter the secret value. 1. Click **Add secret**. -1. Optionally, add environment variables. These variables are only available to workflow jobs that use the environment, and are only accessible using the [`vars`](/actions/learn-github-actions/contexts#vars-context) context. For more information, see "[Environment variables](#environment-variables)." +1. Optionally, add environment variables. These variables are only available to workflow jobs that use the environment, and are only accessible using the [`vars`](/actions/learn-github-actions/contexts#vars-context) context. For more information, see [Environment variables](#environment-variables). 1. Under **Environment variables**, click **Add Variable**. 1. Enter the variable name. 1. Enter the variable value. 1. Click **Add variable**. -You can also create and configure environments through the REST API. For more information, see "[AUTOTITLE](/rest/deployments/environments)," "[AUTOTITLE](/rest/actions/secrets)," "[AUTOTITLE](/rest/actions/variables)," and "[AUTOTITLE](/rest/deployments/branch-policies)." +You can also create and configure environments through the REST API. For more information, see [AUTOTITLE](/rest/deployments/environments), [AUTOTITLE](/rest/actions/secrets), [AUTOTITLE](/rest/actions/variables), and [AUTOTITLE](/rest/deployments/branch-policies). Running a workflow that references an environment that does not exist will create an environment with the referenced name. If the environment is created from running implicit page builds (for example, from a branch or folder source), the source branch will be added as a protection rule to the environment. Otherwise, the newly created environment will not have any protection rules or secrets configured. Anyone that can edit workflows in the repository can create environments via a workflow file, but only repository admins can configure the environment. @@ -243,14 +243,14 @@ Deleting an environment will delete all secrets and protection rules associated 1. Next to the environment that you want to delete, click {% octicon "trash" aria-label="Delete environment" %}. 1. Click **I understand, delete this environment**. -You can also delete environments through the REST API. For more information, see "[AUTOTITLE](/rest/repos#environments)." +You can also delete environments through the REST API. For more information, see [AUTOTITLE](/rest/repos#environments). ## How environments relate to deployments {% data reusables.actions.environment-deployment-event %} -You can access these objects through the REST API or GraphQL API. You can also subscribe to these webhook events. For more information, see "[AUTOTITLE](/rest/repos#deployments)," "[AUTOTITLE](/graphql/reference/objects#deployment)" (GraphQL API), or "[AUTOTITLE](/webhooks-and-events/webhooks/webhook-events-and-payloads#deployment)." +You can access these objects through the REST API or GraphQL API. You can also subscribe to these webhook events. For more information, see [AUTOTITLE](/rest/repos#deployments), [AUTOTITLE](/graphql/reference/objects#deployment) (GraphQL API), or [AUTOTITLE](/webhooks-and-events/webhooks/webhook-events-and-payloads#deployment). ## Next steps -{% data variables.product.prodname_actions %} provides several features for managing your deployments. For more information, see "[AUTOTITLE](/actions/deployment/about-deployments/deploying-with-github-actions)." +{% data variables.product.prodname_actions %} provides several features for managing your deployments. For more information, see [AUTOTITLE](/actions/deployment/about-deployments/deploying-with-github-actions). diff --git a/content/actions/managing-workflow-runs-and-deployments/managing-deployments/reviewing-deployments.md b/content/actions/managing-workflow-runs-and-deployments/managing-deployments/reviewing-deployments.md index 4b34487ae409..4e84b29e1881 100644 --- a/content/actions/managing-workflow-runs-and-deployments/managing-deployments/reviewing-deployments.md +++ b/content/actions/managing-workflow-runs-and-deployments/managing-deployments/reviewing-deployments.md @@ -16,11 +16,11 @@ redirect_from: Jobs that reference an environment configured with required reviewers will wait for an approval before starting. While a job is awaiting approval, it has a status of "Waiting". If a job is not approved within 30 days, it will automatically fail. -For more information about environments and required approvals, see "[AUTOTITLE](/actions/deployment/targeting-different-environments/managing-environments-for-deployment)." For information about how to review deployments with the REST API, see "[AUTOTITLE](/rest/actions/workflow-runs)." +For more information about environments and required approvals, see [AUTOTITLE](/actions/deployment/targeting-different-environments/managing-environments-for-deployment). For information about how to review deployments with the REST API, see [AUTOTITLE](/rest/actions/workflow-runs). ## Approving or rejecting a job -1. Navigate to the workflow run that requires review. For more information about navigating to a workflow run, see "[AUTOTITLE](/actions/monitoring-and-troubleshooting-workflows/viewing-workflow-run-history)." +1. Navigate to the workflow run that requires review. For more information about navigating to a workflow run, see [AUTOTITLE](/actions/monitoring-and-troubleshooting-workflows/viewing-workflow-run-history). 1. If the run requires review, you will see a notification for the review request. On the notification, click **Review deployments**. 1. Select the job environment(s) to approve or reject. Optionally, leave a comment. 1. Approve or reject: @@ -30,7 +30,7 @@ For more information about environments and required approvals, see "[AUTOTITLE] {% ifversion deployments-prevent-self-approval %} > [!NOTE] -> If the targeted environment is configured to prevent self-approvals for deployments, you will not be able to approve a deployment from a workflow run you initiated. For more information, see "[AUTOTITLE](/actions/deployment/targeting-different-environments/managing-environments-for-deployment#required-reviewers)." +> If the targeted environment is configured to prevent self-approvals for deployments, you will not be able to approve a deployment from a workflow run you initiated. For more information, see [AUTOTITLE](/actions/deployment/targeting-different-environments/managing-environments-for-deployment#required-reviewers). {% endif %} @@ -41,10 +41,10 @@ For more information about environments and required approvals, see "[AUTOTITLE] If you have configured deployment protection rules that control whether software can be deployed to an environment, you can bypass these rules and force all pending jobs referencing the environment to proceed. > [!NOTE] -> * You cannot bypass deployment protection rules if the environment has been configured to prevent admins from bypassing configured protection rules. For more information, see "[AUTOTITLE](/actions/deployment/targeting-different-environments/managing-environments-for-deployment#creating-an-environment)." +> * You cannot bypass deployment protection rules if the environment has been configured to prevent admins from bypassing configured protection rules. For more information, see [AUTOTITLE](/actions/deployment/targeting-different-environments/managing-environments-for-deployment#creating-an-environment). > * You can only bypass deployment protection rules during workflow execution when a job referencing the environment is in a "Pending" state. -1. Navigate to the workflow run. For more information about navigating to a workflow run, see "[AUTOTITLE](/actions/monitoring-and-troubleshooting-workflows/viewing-workflow-run-history)." +1. Navigate to the workflow run. For more information about navigating to a workflow run, see [AUTOTITLE](/actions/monitoring-and-troubleshooting-workflows/viewing-workflow-run-history). 1. To the right of **Deployment protection rules**, click **Start all waiting jobs**. ![Screenshot of the "Deployment protection rules" section with the "Start all waiting jobs" button outlined in orange.](/assets/images/actions-bypass-env-protection-rules.png) 1. In the pop-up window, select the environments for which you want to bypass deployment protection rules. diff --git a/content/actions/managing-workflow-runs-and-deployments/managing-deployments/viewing-deployment-history.md b/content/actions/managing-workflow-runs-and-deployments/managing-deployments/viewing-deployment-history.md index 65091fbd1757..aa86e0ed5cf5 100644 --- a/content/actions/managing-workflow-runs-and-deployments/managing-deployments/viewing-deployment-history.md +++ b/content/actions/managing-workflow-runs-and-deployments/managing-deployments/viewing-deployment-history.md @@ -28,7 +28,7 @@ On the deployments page of your repository, you can view the following aspects o * Connected {% data variables.product.prodname_actions %} workflow logs * The deployment URL (if one exists) * The source pull request and branch related to each deployment -* Deployment statuses. For more information about deployment statuses, see "[AUTOTITLE](/rest/deployments/deployments#about-deployments)." +* Deployment statuses. For more information about deployment statuses, see [AUTOTITLE](/rest/deployments/deployments#about-deployments). By default, the deployments page shows currently active deployments from select environments and a timeline of the latest deployments for all environments. @@ -39,7 +39,7 @@ By default, the deployments page shows currently active deployments from select * **To view recent deployments for a specific environment**, in the "Environments" section of the left sidebar, click an environment.{% ifversion deployment-dashboard-filter %} * **To pin an environment to the top of the deployment history list**, repository administrators can click {% octicon "pin" aria-label="Pin environment" %} to the right of the environment. You can pin up to ten environments.{% endif %} * **To view the commit that triggered a deployment**, in the deployment history list, click the commit message for the deployment you want to view. - >[!NOTE]Deployments from commits that originate from a fork outside of the repository will not show links to the source pull request and branch related to each deployment. For more information about forks, see "[AUTOTITLE](/pull-requests/collaborating-with-pull-requests/working-with-forks/about-forks)." + >[!NOTE]Deployments from commits that originate from a fork outside of the repository will not show links to the source pull request and branch related to each deployment. For more information about forks, see [AUTOTITLE](/pull-requests/collaborating-with-pull-requests/working-with-forks/about-forks). * **To view the URL for a deployment**, to the right of the commit message in the deployment history list, click {% octicon "link-external" aria-label="Navigate to deployment URL" %}. * **To navigate to the workflow run logs associated with a deployment**, to the right of the commit message in the deployment history list, click {% octicon "kebab-horizontal" aria-label="View logs" %}, then click **View logs**.{% ifversion deployment-dashboard-filter %} 1. Optionally, to filter the deployment history list, create a filter. @@ -58,8 +58,8 @@ To view current and past deployments, click **Environments** in the sidebar of t The deployments page displays the last active deployment of each environment for your repository. If the deployment includes an environment URL, a **View deployment** button that links to the URL is shown next to the deployment. -The activity log shows the deployment history for your environments. By default, only the most recent deployment for an environment has an `Active` status; all previously active deployments have an `Inactive` status. For more information on automatic inactivation of deployments, see "[AUTOTITLE](/rest/deployments#inactive-deployments)." +The activity log shows the deployment history for your environments. By default, only the most recent deployment for an environment has an `Active` status; all previously active deployments have an `Inactive` status. For more information on automatic inactivation of deployments, see [AUTOTITLE](/rest/deployments#inactive-deployments). -You can also use the REST API to get information about deployments. For more information, see "[AUTOTITLE](/rest/repos#deployments)." +You can also use the REST API to get information about deployments. For more information, see [AUTOTITLE](/rest/repos#deployments). {% endif %} diff --git a/content/actions/managing-workflow-runs-and-deployments/managing-workflow-runs/approving-workflow-runs-from-private-forks.md b/content/actions/managing-workflow-runs-and-deployments/managing-workflow-runs/approving-workflow-runs-from-private-forks.md index 2a6cdf1e90fd..0803f64d56a3 100644 --- a/content/actions/managing-workflow-runs-and-deployments/managing-workflow-runs/approving-workflow-runs-from-private-forks.md +++ b/content/actions/managing-workflow-runs-and-deployments/managing-workflow-runs/approving-workflow-runs-from-private-forks.md @@ -13,7 +13,7 @@ redirect_from: ## About workflow runs from private forks -{% data reusables.actions.private-repository-forks-overview %} For more information, see "[AUTOTITLE](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#enforcing-a-policy-for-fork-pull-requests-in-private-repositories)." +{% data reusables.actions.private-repository-forks-overview %} For more information, see [AUTOTITLE](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#enforcing-a-policy-for-fork-pull-requests-in-private-repositories). ## Approving workflow runs on a pull request from a private fork diff --git a/content/actions/managing-workflow-runs-and-deployments/managing-workflow-runs/canceling-a-workflow.md b/content/actions/managing-workflow-runs-and-deployments/managing-workflow-runs/canceling-a-workflow.md index 3fd15aba279d..3437dcee1a06 100644 --- a/content/actions/managing-workflow-runs-and-deployments/managing-workflow-runs/canceling-a-workflow.md +++ b/content/actions/managing-workflow-runs-and-deployments/managing-workflow-runs/canceling-a-workflow.md @@ -29,6 +29,6 @@ When canceling workflow run, you may be running other software that uses resourc 1. To cancel the workflow run, the server re-evaluates `if` conditions for all currently running jobs. If the condition evaluates to `true`, the job will not get canceled. For example, the condition `if: always()` would evaluate to true and the job continues to run. When there is no condition, that is the equivalent of the condition `if: success()`, which only runs if the previous step finished successfully. 1. For jobs that need to be canceled, the server sends a cancellation message to all the runner machines with jobs that need to be canceled. -1. For jobs that continue to run, the server re-evaluates `if` conditions for the unfinished steps. If the condition evaluates to `true`, the step continues to run. You can use the `cancelled` expression to apply a status check of `cancelled()`. For more information see "[AUTOTITLE](/actions/learn-github-actions/expressions#cancelled)." +1. For jobs that continue to run, the server re-evaluates `if` conditions for the unfinished steps. If the condition evaluates to `true`, the step continues to run. You can use the `cancelled` expression to apply a status check of `cancelled()`. For more information see [AUTOTITLE](/actions/learn-github-actions/expressions#cancelled). 1. For steps that need to be canceled, the runner machine sends `SIGINT/Ctrl-C` to the step's entry process (`node` for javascript action, `docker` for container action, and `bash/cmd/pwd` when using `run` in a step). If the process doesn't exit within 7500 ms, the runner will send `SIGTERM/Ctrl-Break` to the process, then wait for 2500 ms for the process to exit. If the process is still running, the runner kills the process tree. 1. After the 5 minutes cancellation timeout period, the server will force terminate all jobs and steps that don't finish running or fail to complete the cancellation process. diff --git a/content/actions/managing-workflow-runs-and-deployments/managing-workflow-runs/disabling-and-enabling-a-workflow.md b/content/actions/managing-workflow-runs-and-deployments/managing-workflow-runs/disabling-and-enabling-a-workflow.md index 6a0e6169272b..b87a67073c99 100644 --- a/content/actions/managing-workflow-runs-and-deployments/managing-workflow-runs/disabling-and-enabling-a-workflow.md +++ b/content/actions/managing-workflow-runs-and-deployments/managing-workflow-runs/disabling-and-enabling-a-workflow.md @@ -25,7 +25,7 @@ Temporarily disabling a workflow can be useful in many scenarios. These are a fe > [!WARNING] > {% data reusables.actions.scheduled-workflows-disabled %} -You can also disable and enable a workflow using the REST API. For more information, see "[AUTOTITLE](/rest/actions/workflows)." +You can also disable and enable a workflow using the REST API. For more information, see [AUTOTITLE](/rest/actions/workflows). ## Disabling a workflow diff --git a/content/actions/managing-workflow-runs-and-deployments/managing-workflow-runs/downloading-workflow-artifacts.md b/content/actions/managing-workflow-runs-and-deployments/managing-workflow-runs/downloading-workflow-artifacts.md index fc2fb9f8202c..21e60325f8a2 100644 --- a/content/actions/managing-workflow-runs-and-deployments/managing-workflow-runs/downloading-workflow-artifacts.md +++ b/content/actions/managing-workflow-runs-and-deployments/managing-workflow-runs/downloading-workflow-artifacts.md @@ -13,7 +13,7 @@ redirect_from: {% data reusables.actions.enterprise-github-hosted-runners %} -By default, {% data variables.product.product_name %} stores build logs and artifacts for 90 days, and you can customize this retention period, depending on the type of repository. For more information, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-repository)." +By default, {% data variables.product.product_name %} stores build logs and artifacts for 90 days, and you can customize this retention period, depending on the type of repository. For more information, see [AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-repository). {% data reusables.repositories.permissions-statement-read %} diff --git a/content/actions/managing-workflow-runs-and-deployments/managing-workflow-runs/manually-running-a-workflow.md b/content/actions/managing-workflow-runs-and-deployments/managing-workflow-runs/manually-running-a-workflow.md index 998deaa1de9d..1bd5567432a0 100644 --- a/content/actions/managing-workflow-runs-and-deployments/managing-workflow-runs/manually-running-a-workflow.md +++ b/content/actions/managing-workflow-runs-and-deployments/managing-workflow-runs/manually-running-a-workflow.md @@ -17,7 +17,7 @@ redirect_from: To run a workflow manually, the workflow must be configured to run on the `workflow_dispatch` event. -To trigger the `workflow_dispatch` event, your workflow must be in the default branch. For more information about configuring the `workflow_dispatch` event, see "[AUTOTITLE](/actions/using-workflows/events-that-trigger-workflows#workflow_dispatch)." +To trigger the `workflow_dispatch` event, your workflow must be in the default branch. For more information about configuring the `workflow_dispatch` event, see [AUTOTITLE](/actions/using-workflows/events-that-trigger-workflows#workflow_dispatch). {% data reusables.repositories.permissions-statement-write %} @@ -37,7 +37,7 @@ To trigger the `workflow_dispatch` event, your workflow must be in the default b 1. Above the list of workflow runs, click the **Run workflow** button. > [!NOTE] - > To see the **Run workflow** button, your workflow file must use the `workflow_dispatch` event trigger. Only workflow files that use the `workflow_dispatch` event trigger will have the option to run the workflow manually using the **Run workflow** button. For more information about configuring the `workflow_dispatch` event, see "[AUTOTITLE](/actions/using-workflows/events-that-trigger-workflows#workflow_dispatch)." + > To see the **Run workflow** button, your workflow file must use the `workflow_dispatch` event trigger. Only workflow files that use the `workflow_dispatch` event trigger will have the option to run the workflow manually using the **Run workflow** button. For more information about configuring the `workflow_dispatch` event, see [AUTOTITLE](/actions/using-workflows/events-that-trigger-workflows#workflow_dispatch). ![Screenshot of a workflow page. Above the list of workflow runs, a button, labeled "Run workflow", is outlined in dark orange.](/assets/images/help/actions/actions-workflow-dispatch.png) 1. Select the **Branch** dropdown menu and click a branch to run the workflow on. @@ -89,4 +89,4 @@ When using the REST API, you configure the `inputs` and `ref` as request body pa > [!NOTE] > You can define up to 10 `inputs` for a `workflow_dispatch` event. -For more information about using the REST API, see "[AUTOTITLE](/rest/actions/workflows#create-a-workflow-dispatch-event)." +For more information about using the REST API, see [AUTOTITLE](/rest/actions/workflows#create-a-workflow-dispatch-event). diff --git a/content/actions/managing-workflow-runs-and-deployments/managing-workflow-runs/re-running-workflows-and-jobs.md b/content/actions/managing-workflow-runs-and-deployments/managing-workflow-runs/re-running-workflows-and-jobs.md index be243501d625..4cb1f9346d8b 100644 --- a/content/actions/managing-workflow-runs-and-deployments/managing-workflow-runs/re-running-workflows-and-jobs.md +++ b/content/actions/managing-workflow-runs-and-deployments/managing-workflow-runs/re-running-workflows-and-jobs.md @@ -16,7 +16,7 @@ versions: ## About re-running workflows and jobs -Re-running a workflow{% ifversion re-run-jobs %} or jobs in a workflow{% endif %} uses the same `GITHUB_SHA` (commit SHA) and `GITHUB_REF` (Git ref) of the original event that triggered the workflow run. The workflow will use the privileges of the actor who initially triggered the workflow, not the privileges of the actor who initiated the re-run. You can re-run a workflow{% ifversion re-run-jobs %} or jobs in a workflow{% endif %} for up to 30 days after the initial run.{% ifversion re-run-jobs %} You cannot re-run jobs in a workflow once its logs have passed their retention limits. For more information, see "[AUTOTITLE](/actions/learn-github-actions/usage-limits-billing-and-administration#artifact-and-log-retention-policy)."{% endif %}{% ifversion debug-reruns %} When you re-run a workflow or jobs in a workflow, you can enable debug logging for the re-run. This will enable runner diagnostic logging and step debug logging for the re-run. For more information about debug logging, see "[AUTOTITLE](/actions/monitoring-and-troubleshooting-workflows/enabling-debug-logging)."{% endif %} +Re-running a workflow{% ifversion re-run-jobs %} or jobs in a workflow{% endif %} uses the same `GITHUB_SHA` (commit SHA) and `GITHUB_REF` (Git ref) of the original event that triggered the workflow run. The workflow will use the privileges of the actor who initially triggered the workflow, not the privileges of the actor who initiated the re-run. You can re-run a workflow{% ifversion re-run-jobs %} or jobs in a workflow{% endif %} for up to 30 days after the initial run.{% ifversion re-run-jobs %} You cannot re-run jobs in a workflow once its logs have passed their retention limits. For more information, see [AUTOTITLE](/actions/learn-github-actions/usage-limits-billing-and-administration#artifact-and-log-retention-policy).{% endif %}{% ifversion debug-reruns %} When you re-run a workflow or jobs in a workflow, you can enable debug logging for the re-run. This will enable runner diagnostic logging and step debug logging for the re-run. For more information about debug logging, see [AUTOTITLE](/actions/monitoring-and-troubleshooting-workflows/enabling-debug-logging).{% endif %} ## Re-running all the jobs in a workflow @@ -144,7 +144,7 @@ gh run rerun --job JOB_ID --debug ## Reviewing previous workflow runs -You can view the results from your previous attempts at running a workflow. You can also view previous workflow runs using the API. For more information, see "[AUTOTITLE](/rest/actions/workflow-runs#get-a-workflow-run)." +You can view the results from your previous attempts at running a workflow. You can also view previous workflow runs using the API. For more information, see [AUTOTITLE](/rest/actions/workflow-runs#get-a-workflow-run). {% data reusables.repositories.navigate-to-repo %} {% data reusables.repositories.actions-tab %} diff --git a/content/actions/managing-workflow-runs-and-deployments/managing-workflow-runs/removing-workflow-artifacts.md b/content/actions/managing-workflow-runs-and-deployments/managing-workflow-runs/removing-workflow-artifacts.md index 29c0160d9b12..9d5c9f2bb21d 100644 --- a/content/actions/managing-workflow-runs-and-deployments/managing-workflow-runs/removing-workflow-artifacts.md +++ b/content/actions/managing-workflow-runs-and-deployments/managing-workflow-runs/removing-workflow-artifacts.md @@ -31,10 +31,10 @@ redirect_from: ## Setting the retention period for an artifact -Retention periods for artifacts and logs can be configured at the repository, organization, and enterprise level. For more information, see "[AUTOTITLE](/actions/learn-github-actions/usage-limits-billing-and-administration#artifact-and-log-retention-policy)." +Retention periods for artifacts and logs can be configured at the repository, organization, and enterprise level. For more information, see [AUTOTITLE](/actions/learn-github-actions/usage-limits-billing-and-administration#artifact-and-log-retention-policy). -You can also define a custom retention period for individual artifacts using the `actions/upload-artifact` action in a workflow. For more information, see "[AUTOTITLE](/actions/using-workflows/storing-workflow-data-as-artifacts#configuring-a-custom-artifact-retention-period)." +You can also define a custom retention period for individual artifacts using the `actions/upload-artifact` action in a workflow. For more information, see [AUTOTITLE](/actions/using-workflows/storing-workflow-data-as-artifacts#configuring-a-custom-artifact-retention-period). ## Finding the expiration date of an artifact -You can use the API to confirm the date that an artifact is scheduled to be deleted. For more information, see the `expires_at` value returned by the REST API. For more information, see "[AUTOTITLE](/rest/actions/artifacts)." +You can use the API to confirm the date that an artifact is scheduled to be deleted. For more information, see the `expires_at` value returned by the REST API. For more information, see [AUTOTITLE](/rest/actions/artifacts). diff --git a/content/actions/managing-workflow-runs-and-deployments/managing-workflow-runs/skipping-workflow-runs.md b/content/actions/managing-workflow-runs-and-deployments/managing-workflow-runs/skipping-workflow-runs.md index 3dd59237c949..ea3c30b9e5d4 100644 --- a/content/actions/managing-workflow-runs-and-deployments/managing-workflow-runs/skipping-workflow-runs.md +++ b/content/actions/managing-workflow-runs-and-deployments/managing-workflow-runs/skipping-workflow-runs.md @@ -34,4 +34,4 @@ You won't be able to merge the pull request if your repository is configured to > [!NOTE] > Skip instructions only apply to the `push` and `pull_request` events. For example, adding `[skip ci]` to a commit message won't stop a workflow that's triggered `on: pull_request_target` from running. -Skip instructions only apply to the workflow run(s) that would be triggered by the commit that contains the skip instructions. You can also disable a workflow from running. For more information, see "[AUTOTITLE](/actions/managing-workflow-runs/disabling-and-enabling-a-workflow)." +Skip instructions only apply to the workflow run(s) that would be triggered by the commit that contains the skip instructions. You can also disable a workflow from running. For more information, see [AUTOTITLE](/actions/managing-workflow-runs/disabling-and-enabling-a-workflow). diff --git a/content/actions/migrating-to-github-actions/manually-migrating-to-github-actions/migrating-from-azure-pipelines-to-github-actions.md b/content/actions/migrating-to-github-actions/manually-migrating-to-github-actions/migrating-from-azure-pipelines-to-github-actions.md index 99d99e5ce9ae..93799bd44a97 100644 --- a/content/actions/migrating-to-github-actions/manually-migrating-to-github-actions/migrating-from-azure-pipelines-to-github-actions.md +++ b/content/actions/migrating-to-github-actions/manually-migrating-to-github-actions/migrating-from-azure-pipelines-to-github-actions.md @@ -29,7 +29,7 @@ Azure Pipelines and {% data variables.product.prodname_actions %} both allow you * Jobs include one or more steps or individual commands. * Steps or tasks can be reused and shared with the community. -For more information, see "[AUTOTITLE](/actions/learn-github-actions/understanding-github-actions)." +For more information, see [AUTOTITLE](/actions/learn-github-actions/understanding-github-actions). ## Key differences @@ -52,7 +52,7 @@ Jobs and steps in Azure Pipelines are very similar to jobs and steps in {% data You can run a script or a shell command as a step in a workflow. In Azure Pipelines, script steps can be specified using the `script` key, or with the `bash`, `powershell`, or `pwsh` keys. Scripts can also be specified as an input to the [Bash task](https://docs.microsoft.com/azure/devops/pipelines/tasks/utility/bash?view=azure-devops) or the [PowerShell task](https://docs.microsoft.com/azure/devops/pipelines/tasks/utility/powershell?view=azure-devops). -In {% data variables.product.prodname_actions %}, all scripts are specified using the `run` key. To select a particular shell, you can specify the `shell` key when providing the script. For more information, see "[AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun)." +In {% data variables.product.prodname_actions %}, all scripts are specified using the `run` key. To select a particular shell, you can specify the `shell` key when providing the script. For more information, see [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun). Below is an example of the syntax for each system. @@ -100,7 +100,7 @@ jobs: In Azure Pipelines, scripts can be configured to error if any output is sent to `stderr`. {% data variables.product.prodname_actions %} does not support this configuration. -{% data variables.product.prodname_actions %} configures shells to "fail fast" whenever possible, which stops the script immediately if one of the commands in a script exits with an error code. In contrast, Azure Pipelines requires explicit configuration to exit immediately on an error. For more information, see "[AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference)." +{% data variables.product.prodname_actions %} configures shells to "fail fast" whenever possible, which stops the script immediately if one of the commands in a script exits with an error code. In contrast, Azure Pipelines requires explicit configuration to exit immediately on an error. For more information, see [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference). ## Differences in the default shell on Windows @@ -141,7 +141,7 @@ jobs: {% endraw %} -For more information, see "[AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#using-a-specific-shell)." +For more information, see [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#using-a-specific-shell). ## Migrating conditionals and expression syntax @@ -182,7 +182,7 @@ jobs: {% endraw %} -For more information, see "[AUTOTITLE](/actions/learn-github-actions/expressions)." +For more information, see [AUTOTITLE](/actions/learn-github-actions/expressions). ## Dependencies between jobs @@ -252,7 +252,7 @@ jobs: {% endraw %} -For more information, see "[AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idneeds)." +For more information, see [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idneeds). ## Migrating tasks to actions @@ -293,4 +293,4 @@ jobs: - run: python script.py ``` -You can find actions that you can use in your workflow in [{% data variables.product.prodname_marketplace %}](https://github.com/marketplace?type=actions), or you can create your own actions. For more information, see "[AUTOTITLE](/actions/creating-actions)." +You can find actions that you can use in your workflow in [{% data variables.product.prodname_marketplace %}](https://github.com/marketplace?type=actions), or you can create your own actions. For more information, see [AUTOTITLE](/actions/creating-actions). diff --git a/content/actions/migrating-to-github-actions/manually-migrating-to-github-actions/migrating-from-circleci-to-github-actions.md b/content/actions/migrating-to-github-actions/manually-migrating-to-github-actions/migrating-from-circleci-to-github-actions.md index c06cb28bedcc..51adef23f714 100644 --- a/content/actions/migrating-to-github-actions/manually-migrating-to-github-actions/migrating-from-circleci-to-github-actions.md +++ b/content/actions/migrating-to-github-actions/manually-migrating-to-github-actions/migrating-from-circleci-to-github-actions.md @@ -29,26 +29,26 @@ CircleCI and {% data variables.product.prodname_actions %} both allow you to cre * Jobs include one or more steps or individual commands. * Steps or tasks can be reused and shared with the community. -For more information, see "[AUTOTITLE](/actions/learn-github-actions/understanding-github-actions)." +For more information, see [AUTOTITLE](/actions/learn-github-actions/understanding-github-actions). ## Key differences When migrating from CircleCI, consider the following differences: * CircleCI’s automatic test parallelism automatically groups tests according to user-specified rules or historical timing information. This functionality is not built into {% data variables.product.prodname_actions %}. -* Actions that execute in Docker containers are sensitive to permissions problems since containers have a different mapping of users. You can avoid many of these problems by not using the `USER` instruction in your _Dockerfile_. For more information about the Docker filesystem on {% data variables.product.product_name %}-hosted runners, see "[AUTOTITLE](/actions/using-github-hosted-runners/about-github-hosted-runners#docker-container-filesystem)." +* Actions that execute in Docker containers are sensitive to permissions problems since containers have a different mapping of users. You can avoid many of these problems by not using the `USER` instruction in your _Dockerfile_. For more information about the Docker filesystem on {% data variables.product.product_name %}-hosted runners, see [AUTOTITLE](/actions/using-github-hosted-runners/about-github-hosted-runners#docker-container-filesystem). ## Migrating workflows and jobs CircleCI defines `workflows` in the _config.yml_ file, which allows you to configure more than one workflow. {% data variables.product.product_name %} requires one workflow file per workflow, and as a consequence, does not require you to declare `workflows`. You'll need to create a new workflow file for each workflow configured in _config.yml_. -Both CircleCI and {% data variables.product.prodname_actions %} configure `jobs` in the configuration file using similar syntax. If you configure any dependencies between jobs using `requires` in your CircleCI workflow, you can use the equivalent {% data variables.product.prodname_actions %} `needs` syntax. For more information, see "[AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idneeds)." +Both CircleCI and {% data variables.product.prodname_actions %} configure `jobs` in the configuration file using similar syntax. If you configure any dependencies between jobs using `requires` in your CircleCI workflow, you can use the equivalent {% data variables.product.prodname_actions %} `needs` syntax. For more information, see [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idneeds). ## Migrating orbs to actions -Both CircleCI and {% data variables.product.prodname_actions %} provide a mechanism to reuse and share tasks in a workflow. CircleCI uses a concept called orbs, written in YAML, to provide tasks that people can reuse in a workflow. {% data variables.product.prodname_actions %} has powerful and flexible reusable components called actions, which you build with either JavaScript files or Docker images. You can create actions by writing custom code that interacts with your repository in any way you'd like, including integrating with {% data variables.product.product_name %}'s APIs and any publicly available third-party API. For example, an action can publish npm modules, send SMS alerts when urgent issues are created, or deploy production-ready code. For more information, see "[AUTOTITLE](/actions/creating-actions)." +Both CircleCI and {% data variables.product.prodname_actions %} provide a mechanism to reuse and share tasks in a workflow. CircleCI uses a concept called orbs, written in YAML, to provide tasks that people can reuse in a workflow. {% data variables.product.prodname_actions %} has powerful and flexible reusable components called actions, which you build with either JavaScript files or Docker images. You can create actions by writing custom code that interacts with your repository in any way you'd like, including integrating with {% data variables.product.product_name %}'s APIs and any publicly available third-party API. For example, an action can publish npm modules, send SMS alerts when urgent issues are created, or deploy production-ready code. For more information, see [AUTOTITLE](/actions/creating-actions). -CircleCI can reuse pieces of workflows with YAML anchors and aliases. {% data variables.product.prodname_actions %} supports the most common need for reusability using matrices. For more information about matrices, see "[AUTOTITLE](/actions/using-jobs/using-a-matrix-for-your-jobs)." +CircleCI can reuse pieces of workflows with YAML anchors and aliases. {% data variables.product.prodname_actions %} supports the most common need for reusability using matrices. For more information about matrices, see [AUTOTITLE](/actions/using-jobs/using-a-matrix-for-your-jobs). ## Using Docker images @@ -58,15 +58,15 @@ CircleCI provides a set of pre-built images with common dependencies. These imag We recommend that you move away from CircleCI's pre-built images when you migrate to {% data variables.product.prodname_actions %}. In many cases, you can use actions to install the additional dependencies you need. -For more information about the Docker filesystem, see "[AUTOTITLE](/actions/using-github-hosted-runners/about-github-hosted-runners#docker-container-filesystem)." +For more information about the Docker filesystem, see [AUTOTITLE](/actions/using-github-hosted-runners/about-github-hosted-runners#docker-container-filesystem). -For more information about the tools and packages available on {% data variables.product.prodname_dotcom %}-hosted runner images, see "[AUTOTITLE](/actions/using-github-hosted-runners/about-github-hosted-runners#supported-software)". +For more information about the tools and packages available on {% data variables.product.prodname_dotcom %}-hosted runner images, see [AUTOTITLE](/actions/using-github-hosted-runners/about-github-hosted-runners#supported-software). ## Using variables and secrets CircleCI and {% data variables.product.prodname_actions %} support setting variables in the configuration file and creating secrets using the CircleCI or {% data variables.product.product_name %} UI. -For more information, see "[AUTOTITLE](/actions/learn-github-actions/variables#default-environment-variables)" and "[AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions)." +For more information, see [AUTOTITLE](/actions/learn-github-actions/variables#default-environment-variables) and [AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions). ## Caching @@ -141,7 +141,7 @@ Below is an example in CircleCI and {% data variables.product.prodname_actions % name: homework ``` -For more information, see "[AUTOTITLE](/actions/using-workflows/storing-workflow-data-as-artifacts)." +For more information, see [AUTOTITLE](/actions/using-workflows/storing-workflow-data-as-artifacts). ## Using databases and service containers @@ -258,7 +258,7 @@ jobs: -For more information, see "[AUTOTITLE](/actions/using-containerized-services/about-service-containers)." +For more information, see [AUTOTITLE](/actions/using-containerized-services/about-service-containers). ## Complete Example diff --git a/content/actions/migrating-to-github-actions/manually-migrating-to-github-actions/migrating-from-gitlab-cicd-to-github-actions.md b/content/actions/migrating-to-github-actions/manually-migrating-to-github-actions/migrating-from-gitlab-cicd-to-github-actions.md index 92a986e45b73..54ddfa118270 100644 --- a/content/actions/migrating-to-github-actions/manually-migrating-to-github-actions/migrating-from-gitlab-cicd-to-github-actions.md +++ b/content/actions/migrating-to-github-actions/manually-migrating-to-github-actions/migrating-from-gitlab-cicd-to-github-actions.md @@ -111,7 +111,7 @@ linux_job: {% endraw %} -For more information, see "[AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idruns-on)." +For more information, see [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idruns-on). ## Docker images @@ -142,7 +142,7 @@ jobs: {% endraw %} -For more information, see "[AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idcontainer)." +For more information, see [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idcontainer). ## Condition and expression syntax @@ -180,7 +180,7 @@ jobs: {% endraw %} -For more information, see "[AUTOTITLE](/actions/learn-github-actions/expressions)." +For more information, see [AUTOTITLE](/actions/learn-github-actions/expressions). ## Dependencies between Jobs @@ -252,19 +252,19 @@ jobs: {% endraw %} -For more information, see "[AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idneeds)." +For more information, see [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idneeds). ## Scheduling workflows Both GitLab CI/CD and {% data variables.product.prodname_actions %} allow you to run workflows at a specific interval. In GitLab CI/CD, pipeline schedules are configured with the UI, while in {% data variables.product.prodname_actions %} you can trigger a workflow on a scheduled interval with the "on" key. -For more information, see "[AUTOTITLE](/actions/using-workflows/events-that-trigger-workflows#scheduled-events)." +For more information, see [AUTOTITLE](/actions/using-workflows/events-that-trigger-workflows#scheduled-events). ## Variables and secrets GitLab CI/CD and {% data variables.product.prodname_actions %} support setting variables in the pipeline or workflow configuration file, and creating secrets using the GitLab or {% data variables.product.product_name %} UI. -For more information, see "[AUTOTITLE](/actions/learn-github-actions/variables)" and "[AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions)." +For more information, see [AUTOTITLE](/actions/learn-github-actions/variables) and [AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions). ## Caching @@ -338,7 +338,7 @@ artifacts: path: math-homework.txt ``` -For more information, see "[AUTOTITLE](/actions/using-workflows/storing-workflow-data-as-artifacts)." +For more information, see [AUTOTITLE](/actions/using-workflows/storing-workflow-data-as-artifacts). ## Databases and service containers @@ -412,4 +412,4 @@ jobs: POSTGRES_PORT: 5432 ``` -For more information, see "[AUTOTITLE](/actions/using-containerized-services/about-service-containers)." +For more information, see [AUTOTITLE](/actions/using-containerized-services/about-service-containers). diff --git a/content/actions/migrating-to-github-actions/manually-migrating-to-github-actions/migrating-from-jenkins-to-github-actions.md b/content/actions/migrating-to-github-actions/manually-migrating-to-github-actions/migrating-from-jenkins-to-github-actions.md index ca59b53dbe1c..8c31324f2b98 100644 --- a/content/actions/migrating-to-github-actions/manually-migrating-to-github-actions/migrating-from-jenkins-to-github-actions.md +++ b/content/actions/migrating-to-github-actions/manually-migrating-to-github-actions/migrating-from-jenkins-to-github-actions.md @@ -26,14 +26,14 @@ Jenkins and {% data variables.product.prodname_actions %} both allow you to crea * Jenkins creates workflows using _Declarative Pipelines_, which are similar to {% data variables.product.prodname_actions %} workflow files. * Jenkins uses _stages_ to run a collection of steps, while {% data variables.product.prodname_actions %} uses jobs to group one or more steps or individual commands. -* Jenkins and {% data variables.product.prodname_actions %} support container-based builds. For more information, see "[AUTOTITLE](/actions/creating-actions/creating-a-docker-container-action)." +* Jenkins and {% data variables.product.prodname_actions %} support container-based builds. For more information, see [AUTOTITLE](/actions/creating-actions/creating-a-docker-container-action). * Steps or tasks can be reused and shared with the community. -For more information, see "[AUTOTITLE](/actions/learn-github-actions/understanding-github-actions)." +For more information, see [AUTOTITLE](/actions/learn-github-actions/understanding-github-actions). ## Key differences -* Jenkins has two types of syntax for creating pipelines: Declarative Pipeline and Scripted Pipeline. {% data variables.product.prodname_actions %} uses YAML to create workflows and configuration files. For more information, see "[AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions)." +* Jenkins has two types of syntax for creating pipelines: Declarative Pipeline and Scripted Pipeline. {% data variables.product.prodname_actions %} uses YAML to create workflows and configuration files. For more information, see [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions). * Jenkins deployments are typically self-hosted, with users maintaining the servers in their own data centers. {% data variables.product.prodname_actions %} offers a hybrid cloud approach by hosting its own runners that you can use to run jobs, while also supporting self-hosted runners. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners). ## Comparing capabilities @@ -42,7 +42,7 @@ For more information, see "[AUTOTITLE](/actions/learn-github-actions/understandi Jenkins lets you send builds to a single build agent, or you can distribute them across multiple agents. You can also classify these agents according to various attributes, such as operating system types. -Similarly, {% data variables.product.prodname_actions %} can send jobs to {% data variables.product.prodname_dotcom %}-hosted or self-hosted runners, and you can use labels to classify runners according to various attributes. For more information, see "[AUTOTITLE](/actions/learn-github-actions/understanding-github-actions#runners)" and "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners)." +Similarly, {% data variables.product.prodname_actions %} can send jobs to {% data variables.product.prodname_dotcom %}-hosted or self-hosted runners, and you can use labels to classify runners according to various attributes. For more information, see [AUTOTITLE](/actions/learn-github-actions/understanding-github-actions#runners) and [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners). ### Using sections to organize pipelines diff --git a/content/actions/migrating-to-github-actions/manually-migrating-to-github-actions/migrating-from-travis-ci-to-github-actions.md b/content/actions/migrating-to-github-actions/manually-migrating-to-github-actions/migrating-from-travis-ci-to-github-actions.md index bdf3b939a74b..fdca1ee9a597 100644 --- a/content/actions/migrating-to-github-actions/manually-migrating-to-github-actions/migrating-from-travis-ci-to-github-actions.md +++ b/content/actions/migrating-to-github-actions/manually-migrating-to-github-actions/migrating-from-travis-ci-to-github-actions.md @@ -28,8 +28,8 @@ This guide helps you migrate from Travis CI to {% data variables.product.prodnam Before starting your migration to {% data variables.product.prodname_actions %}, it would be useful to become familiar with how it works: -* For a quick example that demonstrates a {% data variables.product.prodname_actions %} job, see "[AUTOTITLE](/actions/quickstart)." -* To learn the essential {% data variables.product.prodname_actions %} concepts, see "[AUTOTITLE](/actions/learn-github-actions/understanding-github-actions)." +* For a quick example that demonstrates a {% data variables.product.prodname_actions %} job, see [AUTOTITLE](/actions/quickstart). +* To learn the essential {% data variables.product.prodname_actions %} concepts, see [AUTOTITLE](/actions/learn-github-actions/understanding-github-actions). ## Comparing job execution @@ -41,28 +41,28 @@ To give you control over when CI tasks are executed, a {% data variables.product ### Using YAML syntax -Travis CI and {% data variables.product.prodname_actions %} both use YAML to create jobs and workflows, and these files are stored in the code's repository. For more information on how {% data variables.product.prodname_actions %} uses YAML, see "[AUTOTITLE](/actions/learn-github-actions/understanding-github-actions#create-an-example-workflow)." +Travis CI and {% data variables.product.prodname_actions %} both use YAML to create jobs and workflows, and these files are stored in the code's repository. For more information on how {% data variables.product.prodname_actions %} uses YAML, see [AUTOTITLE](/actions/learn-github-actions/understanding-github-actions#create-an-example-workflow). ### Custom variables -Travis CI lets you set variables and share them between stages. Similarly, {% data variables.product.prodname_actions %} lets you define variables for a workflows. For more information, see "[AUTOTITLE](/actions/learn-github-actions/variables)." +Travis CI lets you set variables and share them between stages. Similarly, {% data variables.product.prodname_actions %} lets you define variables for a workflows. For more information, see [AUTOTITLE](/actions/learn-github-actions/variables). ### Default variables -Travis CI and {% data variables.product.prodname_actions %} both include default environment variables that you can use in your YAML files. For {% data variables.product.prodname_actions %}, you can see these listed in "[AUTOTITLE](/actions/learn-github-actions/variables#default-environment-variables)." +Travis CI and {% data variables.product.prodname_actions %} both include default environment variables that you can use in your YAML files. For {% data variables.product.prodname_actions %}, you can see these listed in [AUTOTITLE](/actions/learn-github-actions/variables#default-environment-variables). ### Parallel job processing -Travis CI can use `stages` to run jobs in parallel. Similarly, {% data variables.product.prodname_actions %} runs `jobs` in parallel. For more information, see "[AUTOTITLE](/actions/using-workflows/about-workflows#creating-dependent-jobs)." +Travis CI can use `stages` to run jobs in parallel. Similarly, {% data variables.product.prodname_actions %} runs `jobs` in parallel. For more information, see [AUTOTITLE](/actions/using-workflows/about-workflows#creating-dependent-jobs). ### Status badges Travis CI and {% data variables.product.prodname_actions %} both support status badges, which let you indicate whether a build is passing or failing. -For more information, see "[AUTOTITLE](/actions/monitoring-and-troubleshooting-workflows/adding-a-workflow-status-badge)." +For more information, see [AUTOTITLE](/actions/monitoring-and-troubleshooting-workflows/adding-a-workflow-status-badge). ### Using a matrix -Travis CI and {% data variables.product.prodname_actions %} both support a matrix, allowing you to perform testing using combinations of operating systems and software packages. For more information, see "[AUTOTITLE](/actions/using-jobs/using-a-matrix-for-your-jobs)." +Travis CI and {% data variables.product.prodname_actions %} both support a matrix, allowing you to perform testing using combinations of operating systems and software packages. For more information, see [AUTOTITLE](/actions/using-jobs/using-a-matrix-for-your-jobs). Below is an example comparing the syntax for each system. @@ -95,7 +95,7 @@ jobs: ### Targeting specific branches -Travis CI and {% data variables.product.prodname_actions %} both allow you to target your CI to a specific branch. For more information, see "[AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#onpushbranchestagsbranches-ignoretags-ignore)." +Travis CI and {% data variables.product.prodname_actions %} both allow you to target your CI to a specific branch. For more information, see [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#onpushbranchestagsbranches-ignoretags-ignore). Below is an example of the syntax for each system. @@ -163,21 +163,21 @@ When migrating from Travis CI, consider the following key features in {% data va ### Storing secrets -{% data variables.product.prodname_actions %} allows you to store secrets and reference them in your jobs. {% data variables.product.prodname_actions %} organizations can limit which repositories can access organization secrets. Deployment protection rules can require manual approval for a workflow to access environment secrets. For more information, see "[AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions)." +{% data variables.product.prodname_actions %} allows you to store secrets and reference them in your jobs. {% data variables.product.prodname_actions %} organizations can limit which repositories can access organization secrets. Deployment protection rules can require manual approval for a workflow to access environment secrets. For more information, see [AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions). ### Sharing files between jobs and workflows -{% data variables.product.prodname_actions %} includes integrated support for artifact storage, allowing you to share files between jobs in a workflow. You can also save the resulting files and share them with other workflows. For more information, see "[AUTOTITLE](/actions/learn-github-actions/essential-features-of-github-actions#sharing-data-between-jobs)." +{% data variables.product.prodname_actions %} includes integrated support for artifact storage, allowing you to share files between jobs in a workflow. You can also save the resulting files and share them with other workflows. For more information, see [AUTOTITLE](/actions/learn-github-actions/essential-features-of-github-actions#sharing-data-between-jobs). ### Hosting your own runners -If your jobs require specific hardware or software, {% data variables.product.prodname_actions %} allows you to host your own runners and send your jobs to them for processing. {% data variables.product.prodname_actions %} also lets you use policies to control how these runners are accessed, granting access at the organization or repository level. For more information, see "[AUTOTITLE](/actions/hosting-your-own-runners)." +If your jobs require specific hardware or software, {% data variables.product.prodname_actions %} allows you to host your own runners and send your jobs to them for processing. {% data variables.product.prodname_actions %} also lets you use policies to control how these runners are accessed, granting access at the organization or repository level. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners). {% ifversion fpt or ghec %} ### Concurrent jobs and execution time -The concurrent jobs and workflow execution times in {% data variables.product.prodname_actions %} can vary depending on your {% data variables.product.company_short %} plan. For more information, see "[AUTOTITLE](/actions/learn-github-actions/usage-limits-billing-and-administration)." +The concurrent jobs and workflow execution times in {% data variables.product.prodname_actions %} can vary depending on your {% data variables.product.company_short %} plan. For more information, see [AUTOTITLE](/actions/learn-github-actions/usage-limits-billing-and-administration). {% endif %} @@ -193,7 +193,7 @@ When working with different languages in {% data variables.product.prodname_acti ## Executing scripts -{% data variables.product.prodname_actions %} can use `run` steps to run scripts or shell commands. To use a particular shell, you can specify the `shell` type when providing the path to the script. For more information, see "[AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun)." +{% data variables.product.prodname_actions %} can use `run` steps to run scripts or shell commands. To use a particular shell, you can specify the `shell` type when providing the path to the script. For more information, see [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun). For example: @@ -210,15 +210,15 @@ When migrating to {% data variables.product.prodname_actions %}, there are diffe ### Script error handling -{% data variables.product.prodname_actions %} stops a job immediately if one of the steps returns an error code. For more information, see "[AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference)." +{% data variables.product.prodname_actions %} stops a job immediately if one of the steps returns an error code. For more information, see [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference). ### Job error handling -{% data variables.product.prodname_actions %} uses `if` conditionals to execute jobs or steps in certain situations. For example, you can run a step when another step results in a `failure()`. For more information, see "[AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#example-using-status-check-functions)." You can also use [`continue-on-error`](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idcontinue-on-error) to prevent a workflow run from stopping when a job fails. +{% data variables.product.prodname_actions %} uses `if` conditionals to execute jobs or steps in certain situations. For example, you can run a step when another step results in a `failure()`. For more information, see [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#example-using-status-check-functions). You can also use [`continue-on-error`](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idcontinue-on-error) to prevent a workflow run from stopping when a job fails. ## Migrating syntax for conditionals and expressions -To run jobs under conditional expressions, Travis CI and {% data variables.product.prodname_actions %} share a similar `if` condition syntax. {% data variables.product.prodname_actions %} lets you use the `if` conditional to prevent a job or step from running unless a condition is met. For more information, see "[AUTOTITLE](/actions/learn-github-actions/expressions)." +To run jobs under conditional expressions, Travis CI and {% data variables.product.prodname_actions %} share a similar `if` condition syntax. {% data variables.product.prodname_actions %} lets you use the `if` conditional to prevent a job or step from running unless a condition is met. For more information, see [AUTOTITLE](/actions/learn-github-actions/expressions). This example demonstrates how an `if` conditional can control whether a step is executed: @@ -233,7 +233,7 @@ jobs: ## Migrating phases to steps -Where Travis CI uses _phases_ to run _steps_, {% data variables.product.prodname_actions %} has _steps_ which execute _actions_. You can find prebuilt actions in the [{% data variables.product.prodname_marketplace %}](https://github.com/marketplace?type=actions), or you can create your own actions. For more information, see "[AUTOTITLE](/actions/creating-actions)." +Where Travis CI uses _phases_ to run _steps_, {% data variables.product.prodname_actions %} has _steps_ which execute _actions_. You can find prebuilt actions in the [{% data variables.product.prodname_marketplace %}](https://github.com/marketplace?type=actions), or you can create your own actions. For more information, see [AUTOTITLE](/actions/creating-actions). Below is an example of the syntax for each system. @@ -355,4 +355,4 @@ jobs: ## Next steps -To continue learning about the main features of {% data variables.product.prodname_actions %}, see "[AUTOTITLE](/actions/learn-github-actions)." +To continue learning about the main features of {% data variables.product.prodname_actions %}, see [AUTOTITLE](/actions/learn-github-actions). diff --git a/content/actions/migrating-to-github-actions/using-github-actions-importer-to-automate-migrations/extending-github-actions-importer-with-custom-transformers.md b/content/actions/migrating-to-github-actions/using-github-actions-importer-to-automate-migrations/extending-github-actions-importer-with-custom-transformers.md index 07849e65717d..a42e986fb049 100644 --- a/content/actions/migrating-to-github-actions/using-github-actions-importer-to-automate-migrations/extending-github-actions-importer-with-custom-transformers.md +++ b/content/actions/migrating-to-github-actions/using-github-actions-importer-to-automate-migrations/extending-github-actions-importer-with-custom-transformers.md @@ -21,9 +21,9 @@ redirect_from: {% data variables.product.prodname_actions_importer %} offers the ability to extend its built-in mapping by creating custom transformers. Custom transformers can be used to: -* Convert items that {% data variables.product.prodname_actions_importer %} does not automatically convert, or modify how items are converted. For more information, see "[Creating custom transformers for items](#creating-custom-transformers-for-items)." -* Convert references to runners to use different runner labels. For more information, see "[Creating custom transformers for runners](#creating-custom-transformers-for-runners)." -* Convert environment variable values from your existing pipelines to {% data variables.product.prodname_actions %} workflows. For more information, see "[Creating custom transformers for environment variables](#creating-custom-transformers-for-environment-variables)." +* Convert items that {% data variables.product.prodname_actions_importer %} does not automatically convert, or modify how items are converted. For more information, see [Creating custom transformers for items](#creating-custom-transformers-for-items). +* Convert references to runners to use different runner labels. For more information, see [Creating custom transformers for runners](#creating-custom-transformers-for-runners). +* Convert environment variable values from your existing pipelines to {% data variables.product.prodname_actions %} workflows. For more information, see [Creating custom transformers for environment variables](#creating-custom-transformers-for-environment-variables). ## Using custom transformers with {% data variables.product.prodname_actions_importer %} @@ -57,7 +57,7 @@ You can create custom transformers that {% data variables.product.prodname_actio {% data variables.product.prodname_actions_importer %} uses custom transformers that are defined using a DSL built on top of Ruby. In order to create custom transformers for build steps and triggers: * Each custom transformer file must contain at least one `transform` method. -* Each `transform` method must return a `Hash`, an array of `Hash`'s, or `nil`. This returned value will correspond to an action defined in YAML. For more information about actions, see "[AUTOTITLE](/actions/learn-github-actions/understanding-github-actions)." +* Each `transform` method must return a `Hash`, an array of `Hash`'s, or `nil`. This returned value will correspond to an action defined in YAML. For more information about actions, see [AUTOTITLE](/actions/learn-github-actions/understanding-github-actions). ### Example custom transformer for a build step @@ -98,7 +98,7 @@ You can customize the mapping between runners in your source CI/CD instance and {% data variables.product.prodname_actions_importer %} uses custom transformers that are defined using a DSL built on top of Ruby. To create custom transformers for runners: * The custom transformer file must have at least one `runner` method. -* The `runner` method accepts two parameters. The first parameter is the source CI/CD instance's runner label, and the second parameter is the corresponding {% data variables.product.prodname_actions %} runner label. For more information on {% data variables.product.prodname_actions %} runners, see "[AUTOTITLE](/actions/using-github-hosted-runners/about-github-hosted-runners#supported-runners-and-hardware-resources)." +* The `runner` method accepts two parameters. The first parameter is the source CI/CD instance's runner label, and the second parameter is the corresponding {% data variables.product.prodname_actions %} runner label. For more information on {% data variables.product.prodname_actions %} runners, see [AUTOTITLE](/actions/using-github-hosted-runners/about-github-hosted-runners#supported-runners-and-hardware-resources). ### Example custom transformers for runners @@ -127,7 +127,7 @@ You can customize the mapping between environment variables in your source CI/CD {% data variables.product.prodname_actions_importer %} uses custom transformers that are defined using a DSL built on top of Ruby. To create custom transformers for environment variables: * The custom transformer file must have at least one `env` method. -* The `env` method accepts two parameters. The first parameter is the name of the environment variable in the original pipeline, and the second parameter is the updated value for the environment variable for {% data variables.product.prodname_actions %}. For more information about {% data variables.product.prodname_actions %} environment variables, see "[AUTOTITLE](/actions/learn-github-actions/variables)." +* The `env` method accepts two parameters. The first parameter is the name of the environment variable in the original pipeline, and the second parameter is the updated value for the environment variable for {% data variables.product.prodname_actions %}. For more information about {% data variables.product.prodname_actions %} environment variables, see [AUTOTITLE](/actions/learn-github-actions/variables). ### Example custom transformers for environment variables @@ -151,7 +151,7 @@ There are several ways you can set up custom transformers to map your environmen env "MONALISA", secret("OCTOCAT") ``` - This will set up a reference to a secret named `OCTOCAT` in the transformed workflow. For the secret to work, you will need to create the secret in your GitHub repository. For more information, see "[AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-a-repository)." + This will set up a reference to a secret named `OCTOCAT` in the transformed workflow. For the secret to work, you will need to create the secret in your GitHub repository. For more information, see [AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-a-repository). * You can also use regular expressions to update the values of multiple environment variables at once. For example, the following custom transformer removes all environment variables from the converted workflow: diff --git a/content/actions/migrating-to-github-actions/using-github-actions-importer-to-automate-migrations/migrating-from-azure-devops-with-github-actions-importer.md b/content/actions/migrating-to-github-actions/using-github-actions-importer-to-automate-migrations/migrating-from-azure-devops-with-github-actions-importer.md index f74cc20321bd..9440388bbca9 100644 --- a/content/actions/migrating-to-github-actions/using-github-actions-importer-to-automate-migrations/migrating-from-azure-devops-with-github-actions-importer.md +++ b/content/actions/migrating-to-github-actions/using-github-actions-importer-to-automate-migrations/migrating-from-azure-devops-with-github-actions-importer.md @@ -44,7 +44,7 @@ Certain Azure DevOps constructs must be migrated manually from Azure DevOps into * Environments * Pre-deployment approvals -For more information on manual migrations, see "[AUTOTITLE](/actions/migrating-to-github-actions/manually-migrating-to-github-actions/migrating-from-azure-pipelines-to-github-actions)." +For more information on manual migrations, see [AUTOTITLE](/actions/migrating-to-github-actions/manually-migrating-to-github-actions/migrating-from-azure-pipelines-to-github-actions). #### Unsupported tasks @@ -63,7 +63,7 @@ For more information on manual migrations, see "[AUTOTITLE](/actions/migrating-t The `configure` CLI command is used to set required credentials and options for {% data variables.product.prodname_actions_importer %} when working with Azure DevOps and {% data variables.product.prodname_dotcom %}. -1. Create a {% data variables.product.prodname_dotcom %} {% data variables.product.pat_v1 %}. For more information, see "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#creating-a-personal-access-token-classic)." +1. Create a {% data variables.product.prodname_dotcom %} {% data variables.product.pat_v1 %}. For more information, see [AUTOTITLE](/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#creating-a-personal-access-token-classic). Your token must have the `workflow` scope. @@ -441,10 +441,10 @@ You can transform Azure DevOps templates with {% data variables.product.prodname {% data variables.product.prodname_actions_importer %} is able to transform Azure DevOps templates with some limitations. -* Azure DevOps templates used under the `stages`, `deployments`, and `jobs` keys are converted into reusable workflows in {% data variables.product.prodname_actions %}. For more information, see "[AUTOTITLE](/actions/using-workflows/reusing-workflows)." -* Azure DevOps templates used under the `steps` key are converted into composite actions. For more information, see "[AUTOTITLE](/actions/creating-actions/creating-a-composite-action)." +* Azure DevOps templates used under the `stages`, `deployments`, and `jobs` keys are converted into reusable workflows in {% data variables.product.prodname_actions %}. For more information, see [AUTOTITLE](/actions/using-workflows/reusing-workflows). +* Azure DevOps templates used under the `steps` key are converted into composite actions. For more information, see [AUTOTITLE](/actions/creating-actions/creating-a-composite-action). * If you currently have job templates that reference other job templates, {% data variables.product.prodname_actions_importer %} converts the templates into reusable workflows. Because reusable workflows cannot reference other reusable workflows, this is invalid syntax in {% data variables.product.prodname_actions %}. You must manually correct nested reusable workflows. -* If a template references an external Azure DevOps organization or {% data variables.product.prodname_dotcom %} repository, you must use the `--credentials-file` option to provide credentials to access this template. For more information, see "[AUTOTITLE](/actions/migrating-to-github-actions/automated-migrations/supplemental-arguments-and-settings#using-a-credentials-file-for-authentication)." +* If a template references an external Azure DevOps organization or {% data variables.product.prodname_dotcom %} repository, you must use the `--credentials-file` option to provide credentials to access this template. For more information, see [AUTOTITLE](/actions/migrating-to-github-actions/automated-migrations/supplemental-arguments-and-settings#using-a-credentials-file-for-authentication). * You can dynamically generate YAML using `each` expressions with the following caveats: * Nested `each` blocks are not supported and cause the parent `each` block to be unsupported. * `each` and contained `if` conditions are evaluated at transformation time, because {% data variables.product.prodname_actions %} does not support this style of insertion. diff --git a/content/actions/migrating-to-github-actions/using-github-actions-importer-to-automate-migrations/migrating-from-bamboo-with-github-actions-importer.md b/content/actions/migrating-to-github-actions/using-github-actions-importer-to-automate-migrations/migrating-from-bamboo-with-github-actions-importer.md index 6a358f7b635d..ee60e06abc0a 100644 --- a/content/actions/migrating-to-github-actions/using-github-actions-importer-to-automate-migrations/migrating-from-bamboo-with-github-actions-importer.md +++ b/content/actions/migrating-to-github-actions/using-github-actions-importer-to-automate-migrations/migrating-from-bamboo-with-github-actions-importer.md @@ -35,11 +35,11 @@ There are some limitations when migrating from Bamboo to {% data variables.produ * {% data variables.product.prodname_actions_importer %} relies on the YAML specification generated by the Bamboo Server to perform migrations. When Bamboo does not support exporting something to YAML, the missing information is not migrated. * Trigger conditions are unsupported. When {% data variables.product.prodname_actions_importer %} encounters a trigger with a condition, the condition is surfaced as a comment and the trigger is transformed without it. * Bamboo Plans with customized settings for storing artifacts are not transformed. Instead, artifacts are stored and retrieved using the [`upload-artifact`](https://github.com/actions/upload-artifact) and [`download-artifact`](https://github.com/actions/download-artifact) actions. -* Disabled plans must be disabled manually in the GitHub UI. For more information, see "[AUTOTITLE](/actions/using-workflows/disabling-and-enabling-a-workflow)." +* Disabled plans must be disabled manually in the GitHub UI. For more information, see [AUTOTITLE](/actions/using-workflows/disabling-and-enabling-a-workflow). * Disabled jobs are transformed with a `if: false` condition which prevents it from running. You must remove this to re-enable the job. * Disabled tasks are not transformed because they are not included in the exported plan when using the Bamboo API. * Bamboo provides options to clean up build workspaces after a build is complete. These are not transformed because it is assumed GitHub-hosted runners or ephemeral self-hosted runners will automatically handle this. -* The hanging build detection options are not transformed because there is no equivalent in {% data variables.product.prodname_actions %}. The closest option is `timeout-minutes` on a job, which can be used to set the maximum number of minutes to let a job run. For more information, see "[AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idtimeout-minutes)." +* The hanging build detection options are not transformed because there is no equivalent in {% data variables.product.prodname_actions %}. The closest option is `timeout-minutes` on a job, which can be used to set the maximum number of minutes to let a job run. For more information, see [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idtimeout-minutes). * Pattern match labeling is not transformed because there is no equivalent in {% data variables.product.prodname_actions %}. * All artifacts are transformed into an `actions/upload-artifact`, regardless of whether they are `shared` or not, so they can be downloaded from any job in the workflow. * Permissions are not transformed because there is no suitable equivalent in {% data variables.product.prodname_actions %}. @@ -60,7 +60,7 @@ Certain Bamboo constructs must be migrated manually. These include: The `configure` CLI command is used to set required credentials and options for {% data variables.product.prodname_actions_importer %} when working with Bamboo and {% data variables.product.prodname_dotcom %}. -1. Create a {% data variables.product.prodname_dotcom %} {% data variables.product.pat_v1 %}. For more information, see "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#creating-a-personal-access-token-classic)." +1. Create a {% data variables.product.prodname_dotcom %} {% data variables.product.pat_v1 %}. For more information, see [AUTOTITLE](/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#creating-a-personal-access-token-classic). Your token must have the `workflow` scope. diff --git a/content/actions/migrating-to-github-actions/using-github-actions-importer-to-automate-migrations/migrating-from-bitbucket-pipelines-with-github-actions-importer.md b/content/actions/migrating-to-github-actions/using-github-actions-importer-to-automate-migrations/migrating-from-bitbucket-pipelines-with-github-actions-importer.md index 1c575efc24fd..e9ba6869fe55 100644 --- a/content/actions/migrating-to-github-actions/using-github-actions-importer-to-automate-migrations/migrating-from-bitbucket-pipelines-with-github-actions-importer.md +++ b/content/actions/migrating-to-github-actions/using-github-actions-importer-to-automate-migrations/migrating-from-bitbucket-pipelines-with-github-actions-importer.md @@ -30,9 +30,9 @@ The instructions below will guide you through configuring your environment to us There are some limitations when migrating from Bitbucket Pipelines to {% data variables.product.prodname_actions %} with {% data variables.product.prodname_actions_importer %}. * Images in a private AWS ECR are not supported. -* The Bitbucket Pipelines option `size` is not supported. {% ifversion fpt or ghec %}If additional runner resources are required in {% data variables.product.prodname_actions %}, consider using {% data variables.actions.hosted_runner %}s. For more information, see "[AUTOTITLE](/actions/using-github-hosted-runners/about-larger-runners)."{% endif %} +* The Bitbucket Pipelines option `size` is not supported. {% ifversion fpt or ghec %}If additional runner resources are required in {% data variables.product.prodname_actions %}, consider using {% data variables.actions.hosted_runner %}s. For more information, see [AUTOTITLE](/actions/using-github-hosted-runners/about-larger-runners).{% endif %} * Metrics detailing the queue time of jobs is not supported by the `forecast` command. -* Bitbucket [after-scripts](https://support.atlassian.com/bitbucket-cloud/docs/step-options/#After-script) are supported using {% data variables.product.prodname_actions %} `always()` in combination with checking the `steps..conclusion` of the previous step. For more information, see "[AUTOTITLE](/actions/learn-github-actions/contexts#steps-context)." +* Bitbucket [after-scripts](https://support.atlassian.com/bitbucket-cloud/docs/step-options/#After-script) are supported using {% data variables.product.prodname_actions %} `always()` in combination with checking the `steps..conclusion` of the previous step. For more information, see [AUTOTITLE](/actions/learn-github-actions/contexts#steps-context). The following is an example of using the `always()` with `steps..conclusion`. @@ -66,7 +66,7 @@ Certain Bitbucket Pipelines constructs must be migrated manually. These include: The `configure` CLI command is used to set required credentials and options for {% data variables.product.prodname_actions_importer %} when working with Bitbucket Pipelines and {% data variables.product.prodname_dotcom %}. -1. Create a {% data variables.product.prodname_dotcom %} {% data variables.product.pat_v1 %}. For more information, see "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#creating-a-personal-access-token-classic)." +1. Create a {% data variables.product.prodname_dotcom %} {% data variables.product.pat_v1 %}. For more information, see [AUTOTITLE](/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#creating-a-personal-access-token-classic). Your token must have the `workflow` scope. diff --git a/content/actions/migrating-to-github-actions/using-github-actions-importer-to-automate-migrations/migrating-from-circleci-with-github-actions-importer.md b/content/actions/migrating-to-github-actions/using-github-actions-importer-to-automate-migrations/migrating-from-circleci-with-github-actions-importer.md index a7eab3e873ec..db2e0ae63b55 100644 --- a/content/actions/migrating-to-github-actions/using-github-actions-importer-to-automate-migrations/migrating-from-circleci-with-github-actions-importer.md +++ b/content/actions/migrating-to-github-actions/using-github-actions-importer-to-automate-migrations/migrating-from-circleci-with-github-actions-importer.md @@ -51,7 +51,7 @@ Certain CircleCI constructs must be migrated manually. These include: The `configure` CLI command is used to set required credentials and options for {% data variables.product.prodname_actions_importer %} when working with CircleCI and {% data variables.product.prodname_dotcom %}. -1. Create a {% data variables.product.prodname_dotcom %} {% data variables.product.pat_v1 %}. For more information, see "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#creating-a-personal-access-token-classic)." +1. Create a {% data variables.product.prodname_dotcom %} {% data variables.product.pat_v1 %}. For more information, see [AUTOTITLE](/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#creating-a-personal-access-token-classic). Your token must have the `workflow` scope. diff --git a/content/actions/migrating-to-github-actions/using-github-actions-importer-to-automate-migrations/migrating-from-gitlab-with-github-actions-importer.md b/content/actions/migrating-to-github-actions/using-github-actions-importer-to-automate-migrations/migrating-from-gitlab-with-github-actions-importer.md index 190916ce7a4a..921765544b2e 100644 --- a/content/actions/migrating-to-github-actions/using-github-actions-importer-to-automate-migrations/migrating-from-gitlab-with-github-actions-importer.md +++ b/content/actions/migrating-to-github-actions/using-github-actions-importer-to-automate-migrations/migrating-from-gitlab-with-github-actions-importer.md @@ -41,7 +41,7 @@ Certain GitLab constructs must be migrated manually. These include: * Masked project or group variable values * Artifact reports -For more information on manual migrations, see "[AUTOTITLE](/actions/migrating-to-github-actions/manually-migrating-to-github-actions/migrating-from-gitlab-cicd-to-github-actions)." +For more information on manual migrations, see [AUTOTITLE](/actions/migrating-to-github-actions/manually-migrating-to-github-actions/migrating-from-gitlab-cicd-to-github-actions). ## Installing the {% data variables.product.prodname_actions_importer %} CLI extension @@ -51,7 +51,7 @@ For more information on manual migrations, see "[AUTOTITLE](/actions/migrating-t The `configure` CLI command is used to set required credentials and options for {% data variables.product.prodname_actions_importer %} when working with GitLab and {% data variables.product.prodname_dotcom %}. -1. Create a {% data variables.product.prodname_dotcom %} {% data variables.product.pat_v1 %}. For more information, see "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#creating-a-personal-access-token-classic)." +1. Create a {% data variables.product.prodname_dotcom %} {% data variables.product.pat_v1 %}. For more information, see [AUTOTITLE](/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#creating-a-personal-access-token-classic). Your token must have the `workflow` scope. @@ -313,7 +313,7 @@ gh actions-importer migrate gitlab --project my-project-name --output-dir output ### Supported syntax for GitLab pipelines -The following table shows the type of properties {% data variables.product.prodname_actions_importer %} is currently able to convert. For more details about how GitLab pipeline syntax aligns with {% data variables.product.prodname_actions %}, see "[AUTOTITLE](/actions/migrating-to-github-actions/manually-migrating-to-github-actions/migrating-from-gitlab-cicd-to-github-actions)". +The following table shows the type of properties {% data variables.product.prodname_actions_importer %} is currently able to convert. For more details about how GitLab pipeline syntax aligns with {% data variables.product.prodname_actions %}, see [AUTOTITLE](/actions/migrating-to-github-actions/manually-migrating-to-github-actions/migrating-from-gitlab-cicd-to-github-actions). | GitLab Pipelines | GitHub Actions | Status | | :-------------------------------------- | :------------------------------ | :-------------------------- | diff --git a/content/actions/migrating-to-github-actions/using-github-actions-importer-to-automate-migrations/migrating-from-jenkins-with-github-actions-importer.md b/content/actions/migrating-to-github-actions/using-github-actions-importer-to-automate-migrations/migrating-from-jenkins-with-github-actions-importer.md index 29f43d7d2870..1778452bcb65 100644 --- a/content/actions/migrating-to-github-actions/using-github-actions-importer-to-automate-migrations/migrating-from-jenkins-with-github-actions-importer.md +++ b/content/actions/migrating-to-github-actions/using-github-actions-importer-to-automate-migrations/migrating-from-jenkins-with-github-actions-importer.md @@ -37,7 +37,7 @@ There are some limitations when migrating from Jenkins to {% data variables.prod * Self-hosted runners * Unknown plugins -For more information on manual migrations, see "[AUTOTITLE](/actions/migrating-to-github-actions/manually-migrating-to-github-actions/migrating-from-jenkins-to-github-actions)." +For more information on manual migrations, see [AUTOTITLE](/actions/migrating-to-github-actions/manually-migrating-to-github-actions/migrating-from-jenkins-to-github-actions). ## Installing the {% data variables.product.prodname_actions_importer %} CLI extension @@ -47,7 +47,7 @@ For more information on manual migrations, see "[AUTOTITLE](/actions/migrating-t The `configure` CLI command is used to set required credentials and options for {% data variables.product.prodname_actions_importer %} when working with Jenkins and {% data variables.product.prodname_dotcom %}. -1. Create a {% data variables.product.prodname_dotcom %} {% data variables.product.pat_v1 %}. For more information, see "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#creating-a-personal-access-token-classic)." +1. Create a {% data variables.product.prodname_dotcom %} {% data variables.product.pat_v1 %}. For more information, see [AUTOTITLE](/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#creating-a-personal-access-token-classic). Your token must have the `workflow` scope. @@ -273,7 +273,7 @@ source_files: ### Supported syntax for Jenkins pipelines -The following tables show the type of properties {% data variables.product.prodname_actions_importer %} is currently able to convert. For more details about how Jenkins pipeline syntax aligns with {% data variables.product.prodname_actions %}, see "[AUTOTITLE](/actions/migrating-to-github-actions/manually-migrating-to-github-actions/migrating-from-jenkins-to-github-actions)". +The following tables show the type of properties {% data variables.product.prodname_actions_importer %} is currently able to convert. For more details about how Jenkins pipeline syntax aligns with {% data variables.product.prodname_actions %}, see [AUTOTITLE](/actions/migrating-to-github-actions/manually-migrating-to-github-actions/migrating-from-jenkins-to-github-actions). For information about supported Jenkins plugins, see the [`github/gh-actions-importer` repository](https://github.com/github/gh-actions-importer/blob/main/docs/jenkins/index.md). diff --git a/content/actions/migrating-to-github-actions/using-github-actions-importer-to-automate-migrations/migrating-from-travis-ci-with-github-actions-importer.md b/content/actions/migrating-to-github-actions/using-github-actions-importer-to-automate-migrations/migrating-from-travis-ci-with-github-actions-importer.md index cf6837fee0a5..decbab06db70 100644 --- a/content/actions/migrating-to-github-actions/using-github-actions-importer-to-automate-migrations/migrating-from-travis-ci-with-github-actions-importer.md +++ b/content/actions/migrating-to-github-actions/using-github-actions-importer-to-automate-migrations/migrating-from-travis-ci-with-github-actions-importer.md @@ -38,13 +38,13 @@ Certain Travis CI constructs must be migrated manually. These include: * Secrets * Unknown job properties -For more information on manual migrations, see "[AUTOTITLE](/actions/migrating-to-github-actions/manually-migrating-to-github-actions/migrating-from-travis-ci-to-github-actions)." +For more information on manual migrations, see [AUTOTITLE](/actions/migrating-to-github-actions/manually-migrating-to-github-actions/migrating-from-travis-ci-to-github-actions). #### Travis CI project languages {% data variables.product.prodname_actions_importer %} transforms Travis CI project languages by adding a set of preconfigured build tools and a default build script to the transformed workflow. If no language is explicitly declared, {% data variables.product.prodname_actions_importer %} assumes a project language is Ruby. -For a list of the project languages supported by {% data variables.product.prodname_actions_importer %}, see "[Supported project languages](#supported-project-languages)." +For a list of the project languages supported by {% data variables.product.prodname_actions_importer %}, see [Supported project languages](#supported-project-languages). ## Installing the {% data variables.product.prodname_actions_importer %} CLI extension @@ -54,7 +54,7 @@ For a list of the project languages supported by {% data variables.product.prodn The `configure` CLI command is used to set required credentials and options for {% data variables.product.prodname_actions_importer %} when working with Travis CI and {% data variables.product.prodname_dotcom %}. -1. Create a {% data variables.product.prodname_dotcom %} {% data variables.product.pat_v1 %}. For more information, see "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#creating-a-personal-access-token-classic)." +1. Create a {% data variables.product.prodname_dotcom %} {% data variables.product.pat_v1 %}. For more information, see [AUTOTITLE](/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#creating-a-personal-access-token-classic). Your token must have the `workflow` scope. @@ -311,7 +311,7 @@ gh actions-importer dry-run travis-ci --travis-ci-repository travis-org-name/tra ### Supported syntax for Travis CI pipelines -The following table shows the type of properties {% data variables.product.prodname_actions_importer %} is currently able to convert. For more details about how Travis CI pipeline syntax aligns with {% data variables.product.prodname_actions %}, see "[AUTOTITLE](/actions/migrating-to-github-actions/manually-migrating-to-github-actions/migrating-from-travis-ci-to-github-actions)". +The following table shows the type of properties {% data variables.product.prodname_actions_importer %} is currently able to convert. For more details about how Travis CI pipeline syntax aligns with {% data variables.product.prodname_actions %}, see [AUTOTITLE](/actions/migrating-to-github-actions/manually-migrating-to-github-actions/migrating-from-travis-ci-to-github-actions). | Travis CI | GitHub Actions | Status | | :------------------ | :--------------------------------- | ------------------: | diff --git a/content/actions/monitoring-and-troubleshooting-workflows/monitoring-workflows/about-monitoring-workflows.md b/content/actions/monitoring-and-troubleshooting-workflows/monitoring-workflows/about-monitoring-workflows.md index 89d6654b108f..7721e2e01f82 100644 --- a/content/actions/monitoring-and-troubleshooting-workflows/monitoring-workflows/about-monitoring-workflows.md +++ b/content/actions/monitoring-and-troubleshooting-workflows/monitoring-workflows/about-monitoring-workflows.md @@ -26,34 +26,34 @@ Every workflow run generates a real-time graph that illustrates the run progress ![Screenshot of the visualization graph of a workflow run.](/assets/images/help/actions/workflow-graph.png) -For more information, see "[AUTOTITLE](/actions/monitoring-and-troubleshooting-workflows/using-the-visualization-graph)." +For more information, see [AUTOTITLE](/actions/monitoring-and-troubleshooting-workflows/using-the-visualization-graph). ### Adding a workflow status badge {% data reusables.repositories.actions-workflow-status-badge-intro %} -For more information, see "[AUTOTITLE](/actions/monitoring-and-troubleshooting-workflows/adding-a-workflow-status-badge)." +For more information, see [AUTOTITLE](/actions/monitoring-and-troubleshooting-workflows/adding-a-workflow-status-badge). {% ifversion fpt or ghec %} ### Viewing job execution time -To identify how long a job took to run, you can view its execution time. For more information, see "[AUTOTITLE](/actions/monitoring-and-troubleshooting-workflows/viewing-job-execution-time)." +To identify how long a job took to run, you can view its execution time. For more information, see [AUTOTITLE](/actions/monitoring-and-troubleshooting-workflows/viewing-job-execution-time). {% endif %} ### Viewing workflow run history -You can view the status of each job and step in a workflow. For more information, see "[AUTOTITLE](/actions/monitoring-and-troubleshooting-workflows/viewing-workflow-run-history)." +You can view the status of each job and step in a workflow. For more information, see [AUTOTITLE](/actions/monitoring-and-troubleshooting-workflows/viewing-workflow-run-history). {% ifversion actions-metrics %} ## Monitoring {% data variables.product.prodname_actions %} metrics -To analyze the efficiency and reliability of your workflows using metrics, see "[AUTOTITLE](/actions/administering-github-actions/viewing-github-actions-metrics)". +To analyze the efficiency and reliability of your workflows using metrics, see [AUTOTITLE](/actions/administering-github-actions/viewing-github-actions-metrics). {% endif %} ## Monitoring self-hosted runners If you use self-hosted runners, you can view their activity and diagnose common issues. -For more information, see "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners)." +For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners). diff --git a/content/actions/monitoring-and-troubleshooting-workflows/monitoring-workflows/adding-a-workflow-status-badge.md b/content/actions/monitoring-and-troubleshooting-workflows/monitoring-workflows/adding-a-workflow-status-badge.md index 1404091f6837..e874d93c8d6a 100644 --- a/content/actions/monitoring-and-troubleshooting-workflows/monitoring-workflows/adding-a-workflow-status-badge.md +++ b/content/actions/monitoring-and-troubleshooting-workflows/monitoring-workflows/adding-a-workflow-status-badge.md @@ -18,7 +18,7 @@ versions: {% data reusables.repositories.actions-workflow-status-badge-intro %} -To add a workflow status badge to your `README.md` file, first find the URL for the status badge you would like to display. Then you can use Markdown to display the badge as an image in your `README.md` file. For more information about image markup in Markdown, see "[AUTOTITLE](/get-started/writing-on-github/getting-started-with-writing-and-formatting-on-github/basic-writing-and-formatting-syntax#images)." +To add a workflow status badge to your `README.md` file, first find the URL for the status badge you would like to display. Then you can use Markdown to display the badge as an image in your `README.md` file. For more information about image markup in Markdown, see [AUTOTITLE](/get-started/writing-on-github/getting-started-with-writing-and-formatting-on-github/basic-writing-and-formatting-syntax#images). ## Using the workflow file name @@ -28,7 +28,7 @@ You can build the URL for a workflow status badge using the name of the workflow {% ifversion fpt or ghec %}https://github.com{% else %}HOSTNAME{% endif %}/OWNER/REPOSITORY/actions/workflows/WORKFLOW-FILE/badge.svg ``` -To display the workflow status badge in your `README.md` file, use the Markdown markup for embedding images. For more information about image markup in Markdown, see "[AUTOTITLE](/get-started/writing-on-github/getting-started-with-writing-and-formatting-on-github/basic-writing-and-formatting-syntax#images)." +To display the workflow status badge in your `README.md` file, use the Markdown markup for embedding images. For more information about image markup in Markdown, see [AUTOTITLE](/get-started/writing-on-github/getting-started-with-writing-and-formatting-on-github/basic-writing-and-formatting-syntax#images). For example, add the following Markdown to your `README.md` file to add a status badge for a workflow with the file path `.github/workflows/main.yml`. The `OWNER` of the repository is the `github` organization and the `REPOSITORY` name is `docs`. diff --git a/content/actions/monitoring-and-troubleshooting-workflows/monitoring-workflows/using-workflow-run-logs.md b/content/actions/monitoring-and-troubleshooting-workflows/monitoring-workflows/using-workflow-run-logs.md index b03b02284256..d6a3d6650d94 100644 --- a/content/actions/monitoring-and-troubleshooting-workflows/monitoring-workflows/using-workflow-run-logs.md +++ b/content/actions/monitoring-and-troubleshooting-workflows/monitoring-workflows/using-workflow-run-logs.md @@ -13,11 +13,11 @@ versions: {% data reusables.actions.enterprise-github-hosted-runners %} -You can see whether a workflow run is in progress or complete from the workflow run page. You must be logged in to a {% data variables.product.prodname_dotcom %} account to view workflow run information, including for public repositories. For more information, see "[AUTOTITLE](/get-started/learning-about-github/access-permissions-on-github)." +You can see whether a workflow run is in progress or complete from the workflow run page. You must be logged in to a {% data variables.product.prodname_dotcom %} account to view workflow run information, including for public repositories. For more information, see [AUTOTITLE](/get-started/learning-about-github/access-permissions-on-github). If the run is complete, you can see whether the result was a success, failure, canceled, or neutral. If the run failed, you can view and search the build logs to diagnose the failure and re-run the workflow. You can also view billable job execution minutes, or download logs and build artifacts. -{% data variables.product.prodname_actions %} use the Checks API to output statuses, results, and logs for a workflow. {% data variables.product.prodname_dotcom %} creates a new check suite for each workflow run. The check suite contains a check run for each job in the workflow, and each job includes steps. {% data variables.product.prodname_actions %} are run as a step in a workflow. For more information about the Checks API, see "[AUTOTITLE](/rest/checks)." +{% data variables.product.prodname_actions %} use the Checks API to output statuses, results, and logs for a workflow. {% data variables.product.prodname_dotcom %} creates a new check suite for each workflow run. The check suite contains a check run for each job in the workflow, and each job includes steps. {% data variables.product.prodname_actions %} are run as a step in a workflow. For more information about the Checks API, see [AUTOTITLE](/rest/checks). {% data reusables.actions.invalid-workflow-files %} @@ -50,7 +50,7 @@ You can search the build logs for a particular step. When you search logs, only ## Downloading logs -You can download the log files from your workflow run. You can also download a workflow's artifacts. For more information, see "[AUTOTITLE](/actions/using-workflows/storing-workflow-data-as-artifacts)." {% data reusables.repositories.permissions-statement-read %} +You can download the log files from your workflow run. You can also download a workflow's artifacts. For more information, see [AUTOTITLE](/actions/using-workflows/storing-workflow-data-as-artifacts). {% data reusables.repositories.permissions-statement-read %} {% data reusables.repositories.navigate-to-repo %} {% data reusables.repositories.actions-tab %} diff --git a/content/actions/monitoring-and-troubleshooting-workflows/monitoring-workflows/viewing-job-execution-time.md b/content/actions/monitoring-and-troubleshooting-workflows/monitoring-workflows/viewing-job-execution-time.md index 879cc99893c7..5a014f1ce99c 100644 --- a/content/actions/monitoring-and-troubleshooting-workflows/monitoring-workflows/viewing-job-execution-time.md +++ b/content/actions/monitoring-and-troubleshooting-workflows/monitoring-workflows/viewing-job-execution-time.md @@ -22,4 +22,4 @@ Billable job execution minutes are only shown for jobs run on private repositori 1. To view details about the billable job execution time, in the left sidebar under "Run details", click **{% octicon "stopwatch" aria-hidden="true" %} Usage**. > [!NOTE] - > The billable time shown does not include any minute multipliers. To view your total {% data variables.product.prodname_actions %} usage, including minute multipliers, see "[AUTOTITLE](/billing/managing-billing-for-github-actions/viewing-your-github-actions-usage)." + > The billable time shown does not include any minute multipliers. To view your total {% data variables.product.prodname_actions %} usage, including minute multipliers, see [AUTOTITLE](/billing/managing-billing-for-github-actions/viewing-your-github-actions-usage). diff --git a/content/actions/monitoring-and-troubleshooting-workflows/troubleshooting-workflows/about-troubleshooting-workflows.md b/content/actions/monitoring-and-troubleshooting-workflows/troubleshooting-workflows/about-troubleshooting-workflows.md index 2220ca5fa87a..950009168246 100644 --- a/content/actions/monitoring-and-troubleshooting-workflows/troubleshooting-workflows/about-troubleshooting-workflows.md +++ b/content/actions/monitoring-and-troubleshooting-workflows/troubleshooting-workflows/about-troubleshooting-workflows.md @@ -14,21 +14,21 @@ shortTitle: About troubleshooting ### Using workflow run logs -Each workflow run generates activity logs that you can view, search, and download. For more information, see "[AUTOTITLE](/actions/monitoring-and-troubleshooting-workflows/using-workflow-run-logs)." +Each workflow run generates activity logs that you can view, search, and download. For more information, see [AUTOTITLE](/actions/monitoring-and-troubleshooting-workflows/using-workflow-run-logs). ### Enabling debug logging -If the workflow logs do not provide enough detail to diagnose why a workflow, job, or step is not working as expected, you can enable additional debug logging. For more information, see "[AUTOTITLE](/actions/monitoring-and-troubleshooting-workflows/enabling-debug-logging)." +If the workflow logs do not provide enough detail to diagnose why a workflow, job, or step is not working as expected, you can enable additional debug logging. For more information, see [AUTOTITLE](/actions/monitoring-and-troubleshooting-workflows/enabling-debug-logging). ### Canceling a workflow -If you attempt to cancel a workflow and the cancellation doesn't succeed, make sure you aren't using the `always` expression. The `always` expression causes a workflow step to run even when the workflow is canceled, which results in a hanging cancellation. For more information, see "[AUTOTITLE](/actions/learn-github-actions/expressions#always)". +If you attempt to cancel a workflow and the cancellation doesn't succeed, make sure you aren't using the `always` expression. The `always` expression causes a workflow step to run even when the workflow is canceled, which results in a hanging cancellation. For more information, see [AUTOTITLE](/actions/learn-github-actions/expressions#always). {% ifversion actions-metrics %} ## Troubleshooting {% data variables.product.prodname_actions %} inefficiencies -To analyze the inefficiencies and reliability of your workflows using metrics, see "[AUTOTITLE](/actions/administering-github-actions/viewing-github-actions-metrics)". +To analyze the inefficiencies and reliability of your workflows using metrics, see [AUTOTITLE](/actions/administering-github-actions/viewing-github-actions-metrics). {% endif %} ## Monitoring self-hosted runners @@ -37,4 +37,4 @@ To analyze the inefficiencies and reliability of your workflows using metrics, s If you use self-hosted runners, you can view their activity and diagnose common issues. -For more information, see "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners)." +For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners). diff --git a/content/actions/monitoring-and-troubleshooting-workflows/troubleshooting-workflows/enabling-debug-logging.md b/content/actions/monitoring-and-troubleshooting-workflows/troubleshooting-workflows/enabling-debug-logging.md index db0a4b0af71d..e954e71da37c 100644 --- a/content/actions/monitoring-and-troubleshooting-workflows/troubleshooting-workflows/enabling-debug-logging.md +++ b/content/actions/monitoring-and-troubleshooting-workflows/troubleshooting-workflows/enabling-debug-logging.md @@ -19,11 +19,11 @@ These extra logs are enabled by setting secrets or variables in the repository c * {% data reusables.actions.permissions-statement-secrets-environment %} * {% data reusables.actions.permissions-statement-secrets-and-variables-organization %} -For more information on setting secrets and variables, see "[AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions)" and "[AUTOTITLE](/actions/learn-github-actions/variables)." +For more information on setting secrets and variables, see [AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions) and [AUTOTITLE](/actions/learn-github-actions/variables). {% ifversion debug-reruns %} -Additionally, anyone who has access to run a workflow can enable runner diagnostic logging and step debug logging for a workflow re-run. For more information, see "[AUTOTITLE](/actions/managing-workflow-runs/re-running-workflows-and-jobs)." +Additionally, anyone who has access to run a workflow can enable runner diagnostic logging and step debug logging for a workflow re-run. For more information, see [AUTOTITLE](/actions/managing-workflow-runs/re-running-workflows-and-jobs). {% endif %} @@ -35,11 +35,11 @@ Runner diagnostic logging provides additional log files that contain information * The worker process log, which logs the execution of a job. 1. To enable runner diagnostic logging, set the following secret or variable in the repository that contains the workflow: `ACTIONS_RUNNER_DEBUG` to `true`. If both the secret and variable are set, the value of the secret takes precedence over the variable. -1. To download runner diagnostic logs, download the log archive of the workflow run. The runner diagnostic logs are contained in the `runner-diagnostic-logs` folder. For more information on downloading logs, see "[AUTOTITLE](/actions/monitoring-and-troubleshooting-workflows/using-workflow-run-logs#downloading-logs)." +1. To download runner diagnostic logs, download the log archive of the workflow run. The runner diagnostic logs are contained in the `runner-diagnostic-logs` folder. For more information on downloading logs, see [AUTOTITLE](/actions/monitoring-and-troubleshooting-workflows/using-workflow-run-logs#downloading-logs). ## Enabling step debug logging Step debug logging increases the verbosity of a job's logs during and after a job's execution. 1. To enable step debug logging, set the following secret or variable in the repository that contains the workflow: `ACTIONS_STEP_DEBUG` to `true`. If both the secret and variable are set, the value of the secret takes precedence over the variable. -1. After setting the secret or variable, more debug events are shown in the step logs. For more information, see "[AUTOTITLE](/actions/monitoring-and-troubleshooting-workflows/using-workflow-run-logs#viewing-logs-to-diagnose-failures)." +1. After setting the secret or variable, more debug events are shown in the step logs. For more information, see [AUTOTITLE](/actions/monitoring-and-troubleshooting-workflows/using-workflow-run-logs#viewing-logs-to-diagnose-failures). diff --git a/content/actions/monitoring-and-troubleshooting-workflows/troubleshooting-workflows/working-with-support-for-github-actions.md b/content/actions/monitoring-and-troubleshooting-workflows/troubleshooting-workflows/working-with-support-for-github-actions.md index 6cc24558de71..57abb05f68b9 100644 --- a/content/actions/monitoring-and-troubleshooting-workflows/troubleshooting-workflows/working-with-support-for-github-actions.md +++ b/content/actions/monitoring-and-troubleshooting-workflows/troubleshooting-workflows/working-with-support-for-github-actions.md @@ -30,14 +30,14 @@ Some information that {% data variables.contact.github_support %} will request c For example: `https://github.com/ORG/REPO/actions/runs/0123456789` {% endif %} -* The workflow `.yml` file(s) attached to the ticket as `.txt` files. For more information about workflows, see "[AUTOTITLE](/actions/using-workflows/about-workflows#about-workflows)." -* A copy of your workflow run logs for an example workflow run failure. For more information about workflow run logs, see "[AUTOTITLE](/actions/monitoring-and-troubleshooting-workflows/using-workflow-run-logs#downloading-logs)." -* {% ifversion ghes %}A copy of your runner logs, {% else %}If you are running this workflow on a self-hosted runner, self-hosted runner logs{% endif %} which can be found under the `_diag` folder within the runner. For more information about self-hosted runners, see "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners#reviewing-the-self-hosted-runner-application-log-files)." +* The workflow `.yml` file(s) attached to the ticket as `.txt` files. For more information about workflows, see [AUTOTITLE](/actions/using-workflows/about-workflows#about-workflows). +* A copy of your workflow run logs for an example workflow run failure. For more information about workflow run logs, see [AUTOTITLE](/actions/monitoring-and-troubleshooting-workflows/using-workflow-run-logs#downloading-logs). +* {% ifversion ghes %}A copy of your runner logs, {% else %}If you are running this workflow on a self-hosted runner, self-hosted runner logs{% endif %} which can be found under the `_diag` folder within the runner. For more information about self-hosted runners, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners#reviewing-the-self-hosted-runner-application-log-files). Self-hosted runner log file names are be formatted: `Runner_YYYY####-xxxxxx-utc.log` and `Worker_YYYY####-xxxxxx-utc.log`. > [!NOTE] -> Attach files to your support ticket by changing the file's extension to `.txt` or `.zip`. If you include textual data such as log or workflow file snippets inline in your ticket, ensure they are formatted correctly as Markdown code blocks. For more information about proper Markdown formatting, see "[AUTOTITLE](/get-started/writing-on-github/getting-started-with-writing-and-formatting-on-github/basic-writing-and-formatting-syntax#quoting-code)." +> Attach files to your support ticket by changing the file's extension to `.txt` or `.zip`. If you include textual data such as log or workflow file snippets inline in your ticket, ensure they are formatted correctly as Markdown code blocks. For more information about proper Markdown formatting, see [AUTOTITLE](/get-started/writing-on-github/getting-started-with-writing-and-formatting-on-github/basic-writing-and-formatting-syntax#quoting-code). > > If the information you provide is unreadable due to the loss of formatting by improper Markdown syntax, {% data variables.contact.github_support %} may request that resubmit the information either as an attachment or with the correct Markdown formatting. @@ -45,24 +45,24 @@ Some information that {% data variables.contact.github_support %} will request c > Ensure all files and text provided to {% data variables.contact.github_support %} have been properly redacted to remove sensitive information such as tokens and other secrets. {% ifversion ghes %} -Depending on the nature of your inquiry, {% data variables.contact.github_support %} may also request that you generate and upload a support bundle for further review and analysis. For more information about providing data to {% data variables.contact.github_support %} and support bundles, see "[AUTOTITLE](/support/contacting-github-support/providing-data-to-github-support)." +Depending on the nature of your inquiry, {% data variables.contact.github_support %} may also request that you generate and upload a support bundle for further review and analysis. For more information about providing data to {% data variables.contact.github_support %} and support bundles, see [AUTOTITLE](/support/contacting-github-support/providing-data-to-github-support). {% endif %} ### Ephemeral Runner Application Log Files -{% data variables.contact.github_support %} may request the runner application log files from ephemeral runners. {% data variables.product.prodname_dotcom %} expects and recommends that you have implemented a mechanism to forward and preserve the runner application log files from self-hosted ephemeral runners. For more information about runner application log files and troubleshooting self-hosted runners, see "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners#reviewing-the-self-hosted-runner-application-log-files)." +{% data variables.contact.github_support %} may request the runner application log files from ephemeral runners. {% data variables.product.prodname_dotcom %} expects and recommends that you have implemented a mechanism to forward and preserve the runner application log files from self-hosted ephemeral runners. For more information about runner application log files and troubleshooting self-hosted runners, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners#reviewing-the-self-hosted-runner-application-log-files). ### {% data variables.product.prodname_actions_runner_controller %} -If you are using {% data variables.product.prodname_actions_runner_controller %} (ARC), {% data variables.contact.github_support %} may ask you to submit the complete logs for the controller, listeners, and runner pods. For more information about collecting {% data variables.product.prodname_actions_runner_controller %}'s logs, see "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/troubleshooting-actions-runner-controller-errors#checking-the-logs-of-the-controller-and-runner-set-listener)." +If you are using {% data variables.product.prodname_actions_runner_controller %} (ARC), {% data variables.contact.github_support %} may ask you to submit the complete logs for the controller, listeners, and runner pods. For more information about collecting {% data variables.product.prodname_actions_runner_controller %}'s logs, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/troubleshooting-actions-runner-controller-errors#checking-the-logs-of-the-controller-and-runner-set-listener). -For more information about the scope of support for {% data variables.product.prodname_actions_runner_controller %}, see "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/about-support-for-actions-runner-controller)." +For more information about the scope of support for {% data variables.product.prodname_actions_runner_controller %}, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/about-support-for-actions-runner-controller). ### {% data variables.product.prodname_codeql %} and {% data variables.product.prodname_actions %} -If you are requesting assistance with a {% data variables.code-scanning.codeql_workflow %}, {% data variables.contact.github_support %} may request a copy of the {% data variables.product.prodname_codeql %} debugging artifacts. For more information about debugging artifacts for a {% data variables.code-scanning.codeql_workflow %}, see "[AUTOTITLE](/code-security/code-scanning/troubleshooting-code-scanning/logs-not-detailed-enough#creating-codeql-debugging-artifacts)." +If you are requesting assistance with a {% data variables.code-scanning.codeql_workflow %}, {% data variables.contact.github_support %} may request a copy of the {% data variables.product.prodname_codeql %} debugging artifacts. For more information about debugging artifacts for a {% data variables.code-scanning.codeql_workflow %}, see [AUTOTITLE](/code-security/code-scanning/troubleshooting-code-scanning/logs-not-detailed-enough#creating-codeql-debugging-artifacts). -To provide the debugging artifacts to {% data variables.contact.github_support %}, please download the {% data variables.product.prodname_codeql %} debugging artifacts from a sample workflow run and attach it to your ticket as a `.zip` file. For more information on downloading workflow artifacts, see "[AUTOTITLE](/actions/managing-workflow-runs/downloading-workflow-artifacts)." +To provide the debugging artifacts to {% data variables.contact.github_support %}, please download the {% data variables.product.prodname_codeql %} debugging artifacts from a sample workflow run and attach it to your ticket as a `.zip` file. For more information on downloading workflow artifacts, see [AUTOTITLE](/actions/managing-workflow-runs/downloading-workflow-artifacts). If the {% data variables.product.prodname_codeql %} debugging artifacts `.zip` file is too large to upload to the ticket, please advise {% data variables.contact.github_support %}, and we will work with you to determine the next steps. diff --git a/content/actions/security-for-github-actions/security-guides/automatic-token-authentication.md b/content/actions/security-for-github-actions/security-guides/automatic-token-authentication.md index 4062da830817..bc72270705d4 100644 --- a/content/actions/security-for-github-actions/security-guides/automatic-token-authentication.md +++ b/content/actions/security-for-github-actions/security-guides/automatic-token-authentication.md @@ -20,18 +20,18 @@ shortTitle: Automatic token authentication At the start of each workflow job, {% data variables.product.prodname_dotcom %} automatically creates a unique `GITHUB_TOKEN` secret to use in your workflow. You can use the `GITHUB_TOKEN` to authenticate in the workflow job. -When you enable {% data variables.product.prodname_actions %}, {% data variables.product.prodname_dotcom %} installs a {% data variables.product.prodname_github_app %} on your repository. The `GITHUB_TOKEN` secret is a {% data variables.product.prodname_github_app %} installation access token. You can use the installation access token to authenticate on behalf of the {% data variables.product.prodname_github_app %} installed on your repository. The token's permissions are limited to the repository that contains your workflow. For more information, see "[Permissions for the `GITHUB_TOKEN`](#permissions-for-the-github_token)." +When you enable {% data variables.product.prodname_actions %}, {% data variables.product.prodname_dotcom %} installs a {% data variables.product.prodname_github_app %} on your repository. The `GITHUB_TOKEN` secret is a {% data variables.product.prodname_github_app %} installation access token. You can use the installation access token to authenticate on behalf of the {% data variables.product.prodname_github_app %} installed on your repository. The token's permissions are limited to the repository that contains your workflow. For more information, see [Permissions for the `GITHUB_TOKEN`](#permissions-for-the-github_token). Before each job begins, {% data variables.product.prodname_dotcom %} fetches an installation access token for the job. {% data reusables.actions.github-token-expiration %} -The token is also available in the `github.token` context. For more information, see "[AUTOTITLE](/actions/learn-github-actions/contexts#github-context)." +The token is also available in the `github.token` context. For more information, see [AUTOTITLE](/actions/learn-github-actions/contexts#github-context). ## Using the `GITHUB_TOKEN` in a workflow You can use the `GITHUB_TOKEN` by using the standard syntax for referencing secrets: {% raw %}`${{ secrets.GITHUB_TOKEN }}`{% endraw %}. Examples of using the `GITHUB_TOKEN` include passing the token as an input to an action, or using it to make an authenticated {% ifversion fpt or ghec %}{% data variables.product.prodname_dotcom %}{% else %}{% data variables.product.product_name %}{% endif %} API request. > [!IMPORTANT] -> An action can access the `GITHUB_TOKEN` through the `github.token` context even if the workflow does not explicitly pass the `GITHUB_TOKEN` to the action. As a good security practice, you should always make sure that actions only have the minimum access they require by limiting the permissions granted to the `GITHUB_TOKEN`. For more information, see "[Permissions for the `GITHUB_TOKEN`](#permissions-for-the-github_token)." +> An action can access the `GITHUB_TOKEN` through the `github.token` context even if the workflow does not explicitly pass the `GITHUB_TOKEN` to the action. As a good security practice, you should always make sure that actions only have the minimum access they require by limiting the permissions granted to the `GITHUB_TOKEN`. For more information, see [Permissions for the `GITHUB_TOKEN`](#permissions-for-the-github_token). {% data reusables.actions.actions-do-not-trigger-workflows %} @@ -71,9 +71,9 @@ jobs: ## Permissions for the `GITHUB_TOKEN` -For information about the API endpoints {% data variables.product.prodname_github_apps %} can access with each permission, see "[AUTOTITLE](/rest/overview/permissions-required-for-github-apps)." +For information about the API endpoints {% data variables.product.prodname_github_apps %} can access with each permission, see [AUTOTITLE](/rest/overview/permissions-required-for-github-apps). -The following table shows the permissions granted to the `GITHUB_TOKEN` by default. People with admin permissions to an {% ifversion not ghes %}enterprise, organization, or repository,{% else %}organization or repository{% endif %} can set the default permissions to be either permissive or restricted. For information on how to set the default permissions for the `GITHUB_TOKEN` for your enterprise, organization, or repository, see "[AUTOTITLE](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#enforcing-a-policy-for-workflow-permissions-in-your-enterprise)," "[AUTOTITLE](/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#setting-the-permissions-of-the-github_token-for-your-organization)," or "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#setting-the-permissions-of-the-github_token-for-your-repository)." +The following table shows the permissions granted to the `GITHUB_TOKEN` by default. People with admin permissions to an {% ifversion not ghes %}enterprise, organization, or repository,{% else %}organization or repository{% endif %} can set the default permissions to be either permissive or restricted. For information on how to set the default permissions for the `GITHUB_TOKEN` for your enterprise, organization, or repository, see [AUTOTITLE](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#enforcing-a-policy-for-workflow-permissions-in-your-enterprise), [AUTOTITLE](/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#setting-the-permissions-of-the-github_token-for-your-organization), or [AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#setting-the-permissions-of-the-github_token-for-your-repository). {% rowheaders %} @@ -102,15 +102,15 @@ The following table shows the permissions granted to the `GITHUB_TOKEN` by defau {% endrowheaders %} > [!NOTE] -> * When a workflow is triggered by the [`pull_request_target`](/actions/using-workflows/events-that-trigger-workflows#pull_request_target) event, the `GITHUB_TOKEN` is granted read/write repository permission, even when it is triggered from a public fork. For more information, see "[AUTOTITLE](/actions/using-workflows/events-that-trigger-workflows#pull_request_target)." -> * Private repositories can control whether pull requests from forks can run workflows, and can configure the permissions assigned to `GITHUB_TOKEN`. For more information, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#enabling-workflows-for-forks-of-private-repositories)." +> * When a workflow is triggered by the [`pull_request_target`](/actions/using-workflows/events-that-trigger-workflows#pull_request_target) event, the `GITHUB_TOKEN` is granted read/write repository permission, even when it is triggered from a public fork. For more information, see [AUTOTITLE](/actions/using-workflows/events-that-trigger-workflows#pull_request_target). +> * Private repositories can control whether pull requests from forks can run workflows, and can configure the permissions assigned to `GITHUB_TOKEN`. For more information, see [AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#enabling-workflows-for-forks-of-private-repositories). > * {% data reusables.actions.workflow-runs-dependabot-note %} ### Modifying the permissions for the `GITHUB_TOKEN` You can modify the permissions for the `GITHUB_TOKEN` in individual workflow files. If the default permissions for the `GITHUB_TOKEN` are restrictive, you may have to elevate the permissions to allow some actions and commands to run successfully. If the default permissions are permissive, you can edit the workflow file to remove some permissions from the `GITHUB_TOKEN`. As a good security practice, you should grant the `GITHUB_TOKEN` the least required access. -You can see the permissions that `GITHUB_TOKEN` had for a specific job in the "Set up job" section of the workflow run log. For more information, see "[AUTOTITLE](/actions/monitoring-and-troubleshooting-workflows/using-workflow-run-logs)." +You can see the permissions that `GITHUB_TOKEN` had for a specific job in the "Set up job" section of the workflow run log. For more information, see [AUTOTITLE](/actions/monitoring-and-troubleshooting-workflows/using-workflow-run-logs). You can use the `permissions` key in your workflow file to modify permissions for the `GITHUB_TOKEN` for an entire workflow or for individual jobs. This allows you to configure the minimum required permissions for a workflow or job. When the `permissions` key is used, all unspecified permissions are set to no access, with the exception of the `metadata` scope, which always gets read access. @@ -118,10 +118,10 @@ You can use the `permissions` key in your workflow file to modify permissions fo The two workflow examples earlier in this article show the `permissions` key being used at the job level, as it is best practice to limit the permissions' scope. -For full details of the `permissions` key, see "[AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#permissions)." +For full details of the `permissions` key, see [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#permissions). > [!NOTE] -> Organization{% ifversion not fpt %} and enterprise{% endif %} owners can prevent you from granting write access to the `GITHUB_TOKEN` at the repository level. For more information, see "[AUTOTITLE](/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#setting-the-permissions-of-the-github_token-for-your-organization){% ifversion not fpt %} and "[AUTOTITLE](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#enforcing-a-policy-for-workflow-permissions-in-your-enterprise)."{% else %}."{% endif %} +> Organization{% ifversion not fpt %} and enterprise{% endif %} owners can prevent you from granting write access to the `GITHUB_TOKEN` at the repository level. For more information, see [AUTOTITLE](/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#setting-the-permissions-of-the-github_token-for-your-organization){% ifversion not fpt %} and [AUTOTITLE](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#enforcing-a-policy-for-workflow-permissions-in-your-enterprise).{% else %}.{% endif %} #### How the permissions are calculated for a workflow job @@ -129,8 +129,8 @@ The permissions for the `GITHUB_TOKEN` are initially set to the default setting ### Granting additional permissions -If you need a token that requires permissions that aren't available in the `GITHUB_TOKEN`, you can create a {% data variables.product.prodname_github_app %} and generate an installation access token within your workflow. For more information, see "[AUTOTITLE](/apps/creating-github-apps/guides/making-authenticated-api-requests-with-a-github-app-in-a-github-actions-workflow)." Alternatively, you can create a {% data variables.product.pat_generic %}, store it as a secret in your repository, and use the token in your workflow with the {% raw %}`${{ secrets.SECRET_NAME }}`{% endraw %} syntax. For more information, see "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token)" and "[AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions)." +If you need a token that requires permissions that aren't available in the `GITHUB_TOKEN`, you can create a {% data variables.product.prodname_github_app %} and generate an installation access token within your workflow. For more information, see [AUTOTITLE](/apps/creating-github-apps/guides/making-authenticated-api-requests-with-a-github-app-in-a-github-actions-workflow). Alternatively, you can create a {% data variables.product.pat_generic %}, store it as a secret in your repository, and use the token in your workflow with the {% raw %}`${{ secrets.SECRET_NAME }}`{% endraw %} syntax. For more information, see [AUTOTITLE](/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token) and [AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions). ### Further reading -* "[AUTOTITLE](/rest/overview/rate-limits-for-the-rest-api)" +* [AUTOTITLE](/rest/overview/rate-limits-for-the-rest-api) diff --git a/content/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions.md b/content/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions.md index 84fd4c588163..9a937bc05df3 100644 --- a/content/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions.md +++ b/content/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions.md @@ -17,7 +17,7 @@ topics: ## Overview -This guide explains how to configure security hardening for certain {% data variables.product.prodname_actions %} features. If the {% data variables.product.prodname_actions %} concepts are unfamiliar, see "[AUTOTITLE](/actions/learn-github-actions/understanding-github-actions)." +This guide explains how to configure security hardening for certain {% data variables.product.prodname_actions %} features. If the {% data variables.product.prodname_actions %} concepts are unfamiliar, see [AUTOTITLE](/actions/learn-github-actions/understanding-github-actions). ## Using secrets @@ -36,15 +36,15 @@ To help prevent accidental disclosure, {% data variables.product.product_name %} * Registering secrets applies to any sort of transformation/encoding as well. If your secret is transformed in some way (such as Base64 or URL-encoded), be sure to register the new value as a secret too. * **Audit how secrets are handled** * Audit how secrets are used, to help ensure they’re being handled as expected. You can do this by reviewing the source code of the repository executing the workflow, and checking any actions used in the workflow. For example, check that they’re not sent to unintended hosts, or explicitly being printed to log output. - * View the run logs for your workflow after testing valid/invalid inputs, and check that secrets are properly redacted, or not shown. It's not always obvious how a command or tool you’re invoking will send errors to `STDOUT` and `STDERR`, and secrets might subsequently end up in error logs. As a result, it is good practice to manually review the workflow logs after testing valid and invalid inputs. For information on how to clean up workflow logs that may unintentionally contain sensitive data, see "[AUTOTITLE](/actions/monitoring-and-troubleshooting-workflows/using-workflow-run-logs#deleting-logs)." + * View the run logs for your workflow after testing valid/invalid inputs, and check that secrets are properly redacted, or not shown. It's not always obvious how a command or tool you’re invoking will send errors to `STDOUT` and `STDERR`, and secrets might subsequently end up in error logs. As a result, it is good practice to manually review the workflow logs after testing valid and invalid inputs. For information on how to clean up workflow logs that may unintentionally contain sensitive data, see [AUTOTITLE](/actions/monitoring-and-troubleshooting-workflows/using-workflow-run-logs#deleting-logs). * **Use credentials that are minimally scoped** * Make sure the credentials being used within workflows have the least privileges required, and be mindful that any user with write access to your repository has read access to all secrets configured in your repository. - * Actions can use the `GITHUB_TOKEN` by accessing it from the `github.token` context. For more information, see "[AUTOTITLE](/actions/learn-github-actions/contexts#github-context)." You should therefore make sure that the `GITHUB_TOKEN` is granted the minimum required permissions. It's good security practice to set the default permission for the `GITHUB_TOKEN` to read access only for repository contents. The permissions can then be increased, as required, for individual jobs within the workflow file. For more information, see "[AUTOTITLE](/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token)." + * Actions can use the `GITHUB_TOKEN` by accessing it from the `github.token` context. For more information, see [AUTOTITLE](/actions/learn-github-actions/contexts#github-context). You should therefore make sure that the `GITHUB_TOKEN` is granted the minimum required permissions. It's good security practice to set the default permission for the `GITHUB_TOKEN` to read access only for repository contents. The permissions can then be increased, as required, for individual jobs within the workflow file. For more information, see [AUTOTITLE](/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token). * **Audit and rotate registered secrets** * Periodically review the registered secrets to confirm they are still required. Remove those that are no longer needed. * Rotate secrets periodically to reduce the window of time during which a compromised secret is valid. * **Consider requiring review for access to secrets** - * You can use required reviewers to protect environment secrets. A workflow job cannot access environment secrets until approval is granted by a reviewer. For more information about storing secrets in environments or requiring reviews for environments, see "[AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions)" and "[AUTOTITLE](/actions/deployment/targeting-different-environments/managing-environments-for-deployment)." + * You can use required reviewers to protect environment secrets. A workflow job cannot access environment secrets until approval is granted by a reviewer. For more information about storing secrets in environments or requiring reviews for environments, see [AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions) and [AUTOTITLE](/actions/deployment/targeting-different-environments/managing-environments-for-deployment). > [!WARNING] > Any user with write access to your repository has read access to all secrets configured in your repository. Therefore, you should ensure that the credentials being used within workflows have the least privileges required. @@ -53,7 +53,7 @@ To help prevent accidental disclosure, {% data variables.product.product_name %} You can use the `CODEOWNERS` feature to control how changes are made to your workflow files. For example, if all your workflow files are stored in `.github/workflows`, you can add this directory to the code owners list, so that any proposed changes to these files will first require approval from a designated reviewer. -For more information, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners)." +For more information, see [AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners). ## Understanding the risk of script injections @@ -61,7 +61,7 @@ When creating workflows, [custom actions](/actions/creating-actions/about-custom Attackers can add their own malicious content to the [`github` context](/actions/learn-github-actions/contexts#github-context), which should be treated as potentially untrusted input. These contexts typically end with `body`, `default_branch`, `email`, `head_ref`, `label`, `message`, `name`, `page_name`,`ref`, and `title`. For example: `github.event.issue.title`, or `github.event.pull_request.body`. - You should ensure that these values do not flow directly into workflows, actions, API calls, or anywhere else where they could be interpreted as executable code. By adopting the same defensive programming posture you would use for any other privileged application code, you can help security harden your use of {% data variables.product.prodname_actions %}. For information on some of the steps an attacker could take, see "[AUTOTITLE](/actions/security-guides/security-hardening-for-github-actions#potential-impact-of-a-compromised-runner)." + You should ensure that these values do not flow directly into workflows, actions, API calls, or anywhere else where they could be interpreted as executable code. By adopting the same defensive programming posture you would use for any other privileged application code, you can help security harden your use of {% data variables.product.prodname_actions %}. For information on some of the steps an attacker could take, see [AUTOTITLE](/actions/security-guides/security-hardening-for-github-actions#potential-impact-of-a-compromised-runner). In addition, there are other less obvious sources of potentially untrusted input, such as branch names and email addresses, which can be quite flexible in terms of their permitted content. For example, `zzz";echo${IFS}"hello";#` would be a valid branch name and would be a possible attack vector for a target repository. @@ -154,13 +154,13 @@ With this approach, the value of the {% raw %}`${{ github.event.issue.title }}`{ {% data reusables.advanced-security.starter-workflows-beta %} {% data variables.product.prodname_code_scanning_caps %} allows you to find security vulnerabilities before they reach production. {% data variables.product.product_name %} provides workflow templates for {% data variables.product.prodname_code_scanning %}. You can use these suggested workflows to construct your {% data variables.product.prodname_code_scanning %} workflows, instead of starting from scratch. {% data variables.product.company_short %}'s workflow, the {% data variables.code-scanning.codeql_workflow %}, is powered by {% data variables.product.prodname_codeql %}. There are also third-party workflow templates available. -For more information, see "[AUTOTITLE](/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning)" and "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning#configuring-code-scanning-using-third-party-actions)." +For more information, see [AUTOTITLE](/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning) and [AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning#configuring-code-scanning-using-third-party-actions). {% endif %} ### Restricting permissions for tokens -To help mitigate the risk of an exposed token, consider restricting the assigned permissions. For more information, see "[AUTOTITLE](/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token)." +To help mitigate the risk of an exposed token, consider restricting the assigned permissions. For more information, see [AUTOTITLE](/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token). {% ifversion custom-org-roles %} @@ -170,7 +170,7 @@ You can practice the principle of least privilege for your organization's CI/CD {% data reusables.actions.org-roles-for-gh-actions %} -For more information, see "[AUTOTITLE](/organizations/managing-peoples-access-to-your-organization-with-roles/about-custom-organization-roles)." +For more information, see [AUTOTITLE](/organizations/managing-peoples-access-to-your-organization-with-roles/about-custom-organization-roles). {% endif %} @@ -184,7 +184,7 @@ For more information, see "[AUTOTITLE](/organizations/managing-peoples-access-to The individual jobs in a workflow can interact with (and compromise) other jobs. For example, a job querying the environment variables used by a later job, writing files to a shared directory that a later job processes, or even more directly by interacting with the Docker socket and inspecting other running containers and executing commands in them. -This means that a compromise of a single action within a workflow can be very significant, as that compromised action would have access to all secrets configured on your repository, and may be able to use the `GITHUB_TOKEN` to write to the repository. Consequently, there is significant risk in sourcing actions from third-party repositories on {% data variables.product.prodname_dotcom %}. For information on some of the steps an attacker could take, see "[AUTOTITLE](/actions/security-guides/security-hardening-for-github-actions#potential-impact-of-a-compromised-runner)." +This means that a compromise of a single action within a workflow can be very significant, as that compromised action would have access to all secrets configured on your repository, and may be able to use the `GITHUB_TOKEN` to write to the repository. Consequently, there is significant risk in sourcing actions from third-party repositories on {% data variables.product.prodname_dotcom %}. For information on some of the steps an attacker could take, see [AUTOTITLE](/actions/security-guides/security-hardening-for-github-actions#potential-impact-of-a-compromised-runner). You can help mitigate this risk by following these good practices: @@ -202,7 +202,7 @@ You can help mitigate this risk by following these good practices: ## Reusing third-party workflows -The same principles described above for using third-party actions also apply to using third-party workflows. You can help mitigate the risks associated with reusing workflows by following the same good practices outlined above. For more information, see "[AUTOTITLE](/actions/using-workflows/reusing-workflows)." +The same principles described above for using third-party actions also apply to using third-party workflows. You can help mitigate the risks associated with reusing workflows by following the same good practices outlined above. For more information, see [AUTOTITLE](/actions/using-workflows/reusing-workflows). ## Using {% data variables.product.prodname_dependabot_version_updates %} to keep actions up to date @@ -212,7 +212,7 @@ The same principles described above for using third-party actions also apply to ## Allowing workflows to access internal and private repositories -{% data reusables.actions.outside-collaborators-actions %} For more information, see "[AUTOTITLE](/actions/creating-actions/sharing-actions-and-workflows-with-your-enterprise)." +{% data reusables.actions.outside-collaborators-actions %} For more information, see [AUTOTITLE](/actions/creating-actions/sharing-actions-and-workflows-with-your-enterprise). {% data reusables.actions.scoped-token-note %} @@ -222,7 +222,7 @@ The same principles described above for using third-party actions also apply to {% data reusables.actions.workflow-pr-approval-permissions-intro %} Allowing workflows, or any other automation, to create or approve pull requests could be a security risk if the pull request is merged without proper oversight. -For more information on how to configure this setting, see {% ifversion ghes or ghec %}"[AUTOTITLE](/enterprise-cloud@latest/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#preventing-github-actions-from-creating-or-approving-pull-requests),"{% endif %} "[Disabling or limiting {% data variables.product.prodname_actions %} for your organization](/github/setting-up-and-managing-organizations-and-teams/disabling-or-limiting-github-actions-for-your-organization#preventing-github-actions-from-creating-or-approving-pull-requests)," and "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#preventing-github-actions-from-creating-or-approving-pull-requests)." +For more information on how to configure this setting, see {% ifversion ghes or ghec %}[AUTOTITLE](/enterprise-cloud@latest/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#preventing-github-actions-from-creating-or-approving-pull-requests),{% endif %} [Disabling or limiting {% data variables.product.prodname_actions %} for your organization](/github/setting-up-and-managing-organizations-and-teams/disabling-or-limiting-github-actions-for-your-organization#preventing-github-actions-from-creating-or-approving-pull-requests), and [AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#preventing-github-actions-from-creating-or-approving-pull-requests). ## Using OpenSSF Scorecards to secure workflows @@ -275,20 +275,20 @@ The attacker server can use the {% ifversion fpt or ghec %}{% data variables.pro {% data variables.product.prodname_actions %} is intentionally scoped for a single repository at a time. The `GITHUB_TOKEN` grants the same level of access as a write-access user, because any write-access user can access this token by creating or modifying a workflow file, elevating the permissions of the `GITHUB_TOKEN` if necessary. Users have specific permissions for each repository, so allowing the `GITHUB_TOKEN` for one repository to grant access to another would impact the {% data variables.product.prodname_dotcom %} permission model if not implemented carefully. Similarly, caution must be taken when adding {% data variables.product.prodname_dotcom %} authentication tokens to a workflow, because this can also affect the {% data variables.product.prodname_dotcom %} permission model by inadvertently granting broad access to collaborators. -If your organization is owned by an enterprise account, then you can share and reuse {% data variables.product.prodname_actions %} by storing them in internal repositories. For more information, see "[AUTOTITLE](/actions/creating-actions/sharing-actions-and-workflows-with-your-enterprise)." +If your organization is owned by an enterprise account, then you can share and reuse {% data variables.product.prodname_actions %} by storing them in internal repositories. For more information, see [AUTOTITLE](/actions/creating-actions/sharing-actions-and-workflows-with-your-enterprise). You can perform other privileged, cross-repository interactions by referencing a {% data variables.product.prodname_dotcom %} authentication token or SSH key as a secret within the workflow. Because many authentication token types do not allow for granular access to specific resources, there is significant risk in using the wrong token type, as it can grant much broader access than intended. This list describes the recommended approaches for accessing repository data within a workflow, in descending order of preference: 1. **The `GITHUB_TOKEN`** - * This token is intentionally scoped to the single repository that invoked the workflow, and can have the same level of access as a write-access user on the repository. The token is created before each job begins and expires when the job is finished. For more information, see "[AUTOTITLE](/actions/security-guides/automatic-token-authentication)." + * This token is intentionally scoped to the single repository that invoked the workflow, and can have the same level of access as a write-access user on the repository. The token is created before each job begins and expires when the job is finished. For more information, see [AUTOTITLE](/actions/security-guides/automatic-token-authentication). * The `GITHUB_TOKEN` should be used whenever possible. 1. **Repository deploy key** - * Deploy keys are one of the only credential types that grant read or write access to a single repository, and can be used to interact with another repository within a workflow. For more information, see "[AUTOTITLE](/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys)." + * Deploy keys are one of the only credential types that grant read or write access to a single repository, and can be used to interact with another repository within a workflow. For more information, see [AUTOTITLE](/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys). * Note that deploy keys can only clone and push to the repository using Git, and cannot be used to interact with the REST or GraphQL API, so they may not be appropriate for your requirements. 1. **{% data variables.product.prodname_github_app %} tokens** - * {% data variables.product.prodname_github_apps %} can be installed on select repositories, and even have granular permissions on the resources within them. You could create a {% data variables.product.prodname_github_app %} internal to your organization, install it on the repositories you need access to within your workflow, and authenticate as the installation within your workflow to access those repositories. For more information, see "[AUTOTITLE](/apps/creating-github-apps/guides/making-authenticated-api-requests-with-a-github-app-in-a-github-actions-workflow)." + * {% data variables.product.prodname_github_apps %} can be installed on select repositories, and even have granular permissions on the resources within them. You could create a {% data variables.product.prodname_github_app %} internal to your organization, install it on the repositories you need access to within your workflow, and authenticate as the installation within your workflow to access those repositories. For more information, see [AUTOTITLE](/apps/creating-github-apps/guides/making-authenticated-api-requests-with-a-github-app-in-a-github-actions-workflow). 1. **{% data variables.product.pat_generic %}s** * You should never use a {% data variables.product.pat_v1 %}. These tokens grant access to all repositories within the organizations that you have access to, as well as all personal repositories in your personal account. This indirectly grants broad access to all write-access users of the repository the workflow is in. * If you do use a {% data variables.product.pat_generic %}, you should never use a {% data variables.product.pat_generic %} from your own account. If you later leave an organization, workflows using this token will immediately break, and debugging this issue can be challenging. Instead, you should use a {% data variables.product.pat_v2 %}for a new account that belongs to your organization and that is only granted access to the specific repositories that are needed for the workflow. Note that this approach is not scalable and should be avoided in favor of alternatives, such as deploy keys. @@ -317,7 +317,7 @@ For third-party images, such as the images for ARM-powered runners, you can find ### Denying access to hosts -{% data reusables.actions.runners-etc-hosts-file %} For more information, see "[AUTOTITLE](/actions/using-github-hosted-runners/about-github-hosted-runners)." +{% data reusables.actions.runners-etc-hosts-file %} For more information, see [AUTOTITLE](/actions/using-github-hosted-runners/about-github-hosted-runners). {% endif %} @@ -333,7 +333,7 @@ For third-party images, such as the images for ARM-powered runners, you can find {% data reusables.actions.disable-selfhosted-runners-crossrefs %} -When a self-hosted runner is defined at the organization or enterprise level, {% data variables.product.product_name %} can schedule workflows from multiple repositories onto the same runner. Consequently, a security compromise of these environments can result in a wide impact. To help reduce the scope of a compromise, you can create boundaries by organizing your self-hosted runners into separate groups. You can restrict what {% ifversion restrict-groups-to-workflows %}workflows, {% endif %}organizations and repositories can access runner groups. For more information, see "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups)." +When a self-hosted runner is defined at the organization or enterprise level, {% data variables.product.product_name %} can schedule workflows from multiple repositories onto the same runner. Consequently, a security compromise of these environments can result in a wide impact. To help reduce the scope of a compromise, you can create boundaries by organizing your self-hosted runners into separate groups. You can restrict what {% ifversion restrict-groups-to-workflows %}workflows, {% endif %}organizations and repositories can access runner groups. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups). You should also consider the environment of the self-hosted runner machines: * What sensitive information resides on the machine configured as a self-hosted runner? For example, private SSH keys, API access tokens, among others. @@ -345,10 +345,10 @@ Some customers might attempt to partially mitigate these risks by implementing s ### Using just-in-time runners -To improve runner registration security, you can use the REST API to create ephemeral, just-in-time (JIT) runners. These self-hosted runners perform at most one job before being automatically removed from the repository, organization, or enterprise. For more information about configuring JIT runners, see "[AUTOTITLE](/rest/actions/self-hosted-runners#create-configuration-for-a-just-in-time-runner-for-an-organization)." +To improve runner registration security, you can use the REST API to create ephemeral, just-in-time (JIT) runners. These self-hosted runners perform at most one job before being automatically removed from the repository, organization, or enterprise. For more information about configuring JIT runners, see [AUTOTITLE](/rest/actions/self-hosted-runners#create-configuration-for-a-just-in-time-runner-for-an-organization). > [!NOTE] -> Re-using hardware to host JIT runners can risk exposing information from the environment. Use automation to ensure the JIT runner uses a clean environment. For more information, see "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/autoscaling-with-self-hosted-runners#using-ephemeral-runners-for-autoscaling)." +> Re-using hardware to host JIT runners can risk exposing information from the environment. Use automation to ensure the JIT runner uses a clean environment. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/autoscaling-with-self-hosted-runners#using-ephemeral-runners-for-autoscaling). Once you have the config file from the REST API response, you can pass it to the runner at startup. @@ -372,7 +372,7 @@ A self-hosted runner can be added to various levels in your {% data variables.pr ### Authenticating to your cloud provider -If you are using {% data variables.product.prodname_actions %} to deploy to a cloud provider, or intend to use HashiCorp Vault for secret management, then its recommended that you consider using OpenID Connect to create short-lived, well-scoped access tokens for your workflow runs. For more information, see "[AUTOTITLE](/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect)." +If you are using {% data variables.product.prodname_actions %} to deploy to a cloud provider, or intend to use HashiCorp Vault for secret management, then its recommended that you consider using OpenID Connect to create short-lived, well-scoped access tokens for your workflow runs. For more information, see [AUTOTITLE](/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect). ## Auditing {% data variables.product.prodname_actions %} events @@ -384,8 +384,8 @@ For example, you can use the audit log to track the `org.update_actions_secret` For the full list of events that you can find in the audit log for each account type, see the following articles: -* "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure/security-log-events)" -* "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/audit-log-events-for-your-organization)" +* [AUTOTITLE](/authentication/keeping-your-account-and-data-secure/security-log-events) +* [AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/audit-log-events-for-your-organization) {%- ifversion ghec or ghes %} -* "[AUTOTITLE](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise)" +* [AUTOTITLE](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise) {%- endif %} diff --git a/content/actions/security-for-github-actions/security-guides/using-githubs-security-features-to-secure-your-use-of-github-actions.md b/content/actions/security-for-github-actions/security-guides/using-githubs-security-features-to-secure-your-use-of-github-actions.md index 51d15a76a4e1..f54d5f700aff 100644 --- a/content/actions/security-for-github-actions/security-guides/using-githubs-security-features-to-secure-your-use-of-github-actions.md +++ b/content/actions/security-for-github-actions/security-guides/using-githubs-security-features-to-secure-your-use-of-github-actions.md @@ -12,7 +12,7 @@ redirect_from: ## About {% data variables.product.prodname_dotcom %}'s security features -{% data variables.product.prodname_dotcom %} provides many features to make your code more secure. You can use {% data variables.product.prodname_dotcom %}'s built-in features to understand the actions your workflows depend on, ensure you are notified about vulnerabilities in the actions you consume, or automate the process of keeping the actions in your workflows up to date. If you publish and maintain actions, you can use {% data variables.product.prodname_dotcom %} to communicate with your community about vulnerabilities and how to fix them. For more information about security features that {% data variables.product.prodname_dotcom %} offers, see "[AUTOTITLE](/code-security/getting-started/github-security-features#about-githubs-security-features)." +{% data variables.product.prodname_dotcom %} provides many features to make your code more secure. You can use {% data variables.product.prodname_dotcom %}'s built-in features to understand the actions your workflows depend on, ensure you are notified about vulnerabilities in the actions you consume, or automate the process of keeping the actions in your workflows up to date. If you publish and maintain actions, you can use {% data variables.product.prodname_dotcom %} to communicate with your community about vulnerabilities and how to fix them. For more information about security features that {% data variables.product.prodname_dotcom %} offers, see [AUTOTITLE](/code-security/getting-started/github-security-features#about-githubs-security-features). This article will explain how you can use some of {% data variables.product.prodname_dotcom %}'s security features to increase the security of your use of {% data variables.product.prodname_actions %}. @@ -28,7 +28,7 @@ The dependency graph shows the following information about actions used in workf In the dependency graph, dependencies are automatically sorted by vulnerability severity. If any of the actions you use have security advisories, they will display at the top of the list. You can navigate to the advisory from the dependency graph and access instructions for resolving the vulnerability. -{% ifversion fpt or ghec %}The dependency graph is enabled for public repositories, and you can choose to enable it on private repositories. For more information about using the dependency graph, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/exploring-the-dependencies-of-a-repository)."{% else %}Enterprise owners can configure the dependency graph and {% data variables.product.prodname_dependabot_alerts %} for an enterprise. For more information, see "[AUTOTITLE](/admin/code-security/managing-supply-chain-security-for-your-enterprise/enabling-the-dependency-graph-for-your-enterprise)."{% endif %} +{% ifversion fpt or ghec %}The dependency graph is enabled for public repositories, and you can choose to enable it on private repositories. For more information about using the dependency graph, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/exploring-the-dependencies-of-a-repository).{% else %}Enterprise owners can configure the dependency graph and {% data variables.product.prodname_dependabot_alerts %} for an enterprise. For more information, see [AUTOTITLE](/admin/code-security/managing-supply-chain-security-for-your-enterprise/enabling-the-dependency-graph-for-your-enterprise).{% endif %} ## Being aware of security vulnerabilities in actions you use @@ -36,8 +36,8 @@ For actions available on the marketplace, {% data variables.product.prodname_dot You can set up your repositories so that you: -* Receive alerts when actions used in your workflows receive a vulnerability report. For more information, see "[Monitoring the actions in your workflows](#monitoring-the-actions-in-your-workflows)." -* Are warned about existing advisories when you add or update an action in a workflow. For more information, see "[Screening actions for vulnerabilities in new or updated workflows](#screening-actions-for-vulnerabilities-in-new-or-updated-workflows)." +* Receive alerts when actions used in your workflows receive a vulnerability report. For more information, see [Monitoring the actions in your workflows](#monitoring-the-actions-in-your-workflows). +* Are warned about existing advisories when you add or update an action in a workflow. For more information, see [Screening actions for vulnerabilities in new or updated workflows](#screening-actions-for-vulnerabilities-in-new-or-updated-workflows). ### Monitoring the actions in your workflows @@ -46,9 +46,9 @@ You can use {% data variables.product.prodname_dependabot %} to monitor the acti > [!NOTE] > {% data variables.product.prodname_dependabot %} only creates alerts for vulnerable actions that use semantic versioning and will not create alerts for actions pinned to SHA values. -{% ifversion fpt or ghec %}You can enable {% data variables.product.prodname_dependabot_alerts %} for your personal account, for a repository, or for an organization. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-alerts/configuring-dependabot-alerts)."{% else %}An enterprise owner must first set up {% data variables.product.prodname_dependabot %} for your enterprise before you can manage {% data variables.product.prodname_dependabot_alerts %} for your repository. For more information, see "[AUTOTITLE](/admin/configuration/configuring-github-connect/enabling-dependabot-for-your-enterprise)."{% endif %} +{% ifversion fpt or ghec %}You can enable {% data variables.product.prodname_dependabot_alerts %} for your personal account, for a repository, or for an organization. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/configuring-dependabot-alerts).{% else %}An enterprise owner must first set up {% data variables.product.prodname_dependabot %} for your enterprise before you can manage {% data variables.product.prodname_dependabot_alerts %} for your repository. For more information, see [AUTOTITLE](/admin/configuration/configuring-github-connect/enabling-dependabot-for-your-enterprise).{% endif %} -{% data reusables.dependabot.where-to-view-dependabot-alerts %} For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts)." +{% data reusables.dependabot.where-to-view-dependabot-alerts %} For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts). ### Screening actions for vulnerabilities in new or updated workflows @@ -56,9 +56,9 @@ When you open pull requests to update your workflows, it is good practice to use If any of the changes you made to your workflows are flagged as vulnerable, you can avoid adding them to your project or update them to a secure version. -For more information about dependency review, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review)." +For more information about dependency review, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review). -{% data reusables.dependency-review.about-dependency-review-action %} For more information, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#about-the-dependency-review-action)." +{% data reusables.dependency-review.about-dependency-review-action %} For more information, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#about-the-dependency-review-action). ## Keeping the actions in your workflows secure and up to date @@ -72,9 +72,9 @@ The following features can automatically update the actions in your workflows. > [!NOTE] > {% data reusables.actions.dependabot-version-updates-actions-caveats %} -For information on how to configure {% data variables.product.prodname_dependabot_version_updates %}, see "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates)." +For information on how to configure {% data variables.product.prodname_dependabot_version_updates %}, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates). -For information on how to configure {% data variables.product.prodname_dependabot_security_updates %}, see "[AUTOTITLE](/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates)." +For information on how to configure {% data variables.product.prodname_dependabot_security_updates %}, see [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates). {% ifversion fpt or ghec %} @@ -84,7 +84,7 @@ For information on how to configure {% data variables.product.prodname_dependabo If you are someone who maintains an action that is used in other projects, you can use the following {% data variables.product.prodname_dotcom %} features to enhance the security of the actions you've published. -* Use the dependants view in the Dependency graph to see which projects depend on your code. If you receive a vulnerability report, this will give you an idea of who you need to communicate with about the vulnerability and how to fix it. For more information, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/exploring-the-dependencies-of-a-repository#dependents-view)." -* Use repository security advisories to create a security advisory, privately collaborate to fix the vulnerability in a temporary private fork, and publish a security advisory to alert your community of the vulnerability once a patch is released. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository)" and "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/creating-a-repository-security-advisory)." +* Use the dependants view in the Dependency graph to see which projects depend on your code. If you receive a vulnerability report, this will give you an idea of who you need to communicate with about the vulnerability and how to fix it. For more information, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/exploring-the-dependencies-of-a-repository#dependents-view). +* Use repository security advisories to create a security advisory, privately collaborate to fix the vulnerability in a temporary private fork, and publish a security advisory to alert your community of the vulnerability once a patch is released. For more information, see [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository) and [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/creating-a-repository-security-advisory). {% endif %} diff --git a/content/actions/security-for-github-actions/security-guides/using-secrets-in-github-actions.md b/content/actions/security-for-github-actions/security-guides/using-secrets-in-github-actions.md index 3d16aafb51bf..2bc492b856fa 100644 --- a/content/actions/security-for-github-actions/security-guides/using-secrets-in-github-actions.md +++ b/content/actions/security-for-github-actions/security-guides/using-secrets-in-github-actions.md @@ -44,15 +44,15 @@ To help ensure that {% data variables.product.prodname_dotcom %} redacts your se ### Accessing your secrets -To make a secret available to an action, you must set the secret as an input or environment variable in the workflow file. Review the action's README file to learn about which inputs and environment variables the action expects. For more information, see "[AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsenv)." +To make a secret available to an action, you must set the secret as an input or environment variable in the workflow file. Review the action's README file to learn about which inputs and environment variables the action expects. For more information, see [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsenv). -You can use and read secrets in a workflow file if you have access to edit the file. For more information, see "[AUTOTITLE](/get-started/learning-about-github/access-permissions-on-github)." +You can use and read secrets in a workflow file if you have access to edit the file. For more information, see [AUTOTITLE](/get-started/learning-about-github/access-permissions-on-github). {% data reusables.actions.secrets-redaction-warning %} Organization and repository secrets are read when a workflow run is queued, and environment secrets are read when a job referencing the environment starts. -You can also manage secrets using the REST API. For more information, see "[AUTOTITLE](/rest/actions/secrets)." +You can also manage secrets using the REST API. For more information, see [AUTOTITLE](/rest/actions/secrets). ### Limiting credential permissions @@ -60,10 +60,10 @@ When generating credentials, we recommend that you grant the minimum permissions When generating a {% data variables.product.pat_v1 %}, select the fewest scopes necessary. When generating a {% data variables.product.pat_v2 %}, select the minimum permissions and repository access required. -Instead of using a {% data variables.product.pat_generic %}, consider using a {% data variables.product.prodname_github_app %}, which uses fine-grained permissions and short lived tokens, similar to a {% data variables.product.pat_v2 %}. Unlike a {% data variables.product.pat_generic %}, a {% data variables.product.prodname_github_app %} is not tied to a user, so the workflow will continue to work even if the user who installed the app leaves your organization. For more information, see "[AUTOTITLE](/apps/creating-github-apps/guides/making-authenticated-api-requests-with-a-github-app-in-a-github-actions-workflow)." +Instead of using a {% data variables.product.pat_generic %}, consider using a {% data variables.product.prodname_github_app %}, which uses fine-grained permissions and short lived tokens, similar to a {% data variables.product.pat_v2 %}. Unlike a {% data variables.product.pat_generic %}, a {% data variables.product.prodname_github_app %} is not tied to a user, so the workflow will continue to work even if the user who installed the app leaves your organization. For more information, see [AUTOTITLE](/apps/creating-github-apps/guides/making-authenticated-api-requests-with-a-github-app-in-a-github-actions-workflow). > [!NOTE] -> Users with collaborator access to a repository can use the REST API to manage secrets for that repository, and users with admin access to an organization can use the REST API to manage secrets for that organization. For more information, see "[AUTOTITLE](/rest/actions/secrets)." +> Users with collaborator access to a repository can use the REST API to manage secrets for that repository, and users with admin access to an organization can use the REST API to manage secrets for that organization. For more information, see [AUTOTITLE](/rest/actions/secrets). ## Creating secrets for a repository @@ -211,9 +211,9 @@ You can check which access policies are being applied to a secret in your organi > [!NOTE] > * {% data reusables.actions.forked-secrets %} -> * Secrets are not automatically passed to reusable workflows. For more information, see "[AUTOTITLE](/actions/using-workflows/reusing-workflows#passing-inputs-and-secrets-to-a-reusable-workflow)." +> * Secrets are not automatically passed to reusable workflows. For more information, see [AUTOTITLE](/actions/using-workflows/reusing-workflows#passing-inputs-and-secrets-to-a-reusable-workflow). -To provide an action with a secret as an input or environment variable, you can use the `secrets` context to access secrets you've created in your repository. For more information, see "[AUTOTITLE](/actions/learn-github-actions/contexts)" and "[AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions)." +To provide an action with a secret as an input or environment variable, you can use the `secrets` context to access secrets you've created in your repository. For more information, see [AUTOTITLE](/actions/learn-github-actions/contexts) and [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions). {% raw %} @@ -228,7 +228,7 @@ steps: {% endraw %} -Secrets cannot be directly referenced in `if:` conditionals. Instead, consider setting secrets as job-level environment variables, then referencing the environment variables to conditionally run steps in the job. For more information, see "[AUTOTITLE](/actions/learn-github-actions/contexts#context-availability)" and [`jobs..steps[*].if`](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsif). +Secrets cannot be directly referenced in `if:` conditionals. Instead, consider setting secrets as job-level environment variables, then referencing the environment variables to conditionally run steps in the job. For more information, see [AUTOTITLE](/actions/learn-github-actions/contexts#context-availability) and [`jobs..steps[*].if`](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsif). If a secret has not been set, the return value of an expression referencing the secret (such as {% raw %}`${{ secrets.SuperSecret }}`{% endraw %} in the example) will be an empty string. @@ -291,11 +291,11 @@ A workflow created in a repository can access the following number of secrets: * If the repository is assigned access to more than 100 organization secrets, the workflow can only use the first 100 organization secrets (sorted alphabetically by secret name). * All 100 environment secrets. -Secrets are limited to 48 KB in size. To store larger secrets, see the "[Storing large secrets](#storing-large-secrets)" workaround below. +Secrets are limited to 48 KB in size. To store larger secrets, see the [Storing large secrets](#storing-large-secrets) workaround below. ### Storing large secrets -To use secrets that are larger than 48 KB, you can use a workaround to store secrets in your repository and save the decryption passphrase as a secret on {% data variables.product.prodname_dotcom %}. For example, you can use `gpg` to encrypt a file containing your secret locally before checking the encrypted file in to your repository on {% data variables.product.prodname_dotcom %}. For more information, see the "[gpg manpage](https://www.gnupg.org/gph/de/manual/r1023.html)." +To use secrets that are larger than 48 KB, you can use a workaround to store secrets in your repository and save the decryption passphrase as a secret on {% data variables.product.prodname_dotcom %}. For example, you can use `gpg` to encrypt a file containing your secret locally before checking the encrypted file in to your repository on {% data variables.product.prodname_dotcom %}. For more information, see the [gpg manpage](https://www.gnupg.org/gph/de/manual/r1023.html). > [!WARNING] > Be careful that your secrets do not get printed when your workflow runs. When using this workaround, {% data variables.product.prodname_dotcom %} does not redact secrets that are printed in logs. @@ -368,7 +368,7 @@ To use secrets that are larger than 48 KB, you can use a workaround to store sec ## Storing Base64 binary blobs as secrets -You can use Base64 encoding to store small binary blobs as secrets. You can then reference the secret in your workflow and decode it for use on the runner. For the size limits, see "[AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions#limits-for-secrets)." +You can use Base64 encoding to store small binary blobs as secrets. You can then reference the secret in your workflow and decode it for use on the runner. For the size limits, see [AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions#limits-for-secrets). > [!NOTE] > Note that Base64 only converts binary to text, and is not a substitute for actual encryption. @@ -442,6 +442,6 @@ You can use Base64 encoding to store small binary blobs as secrets. You can then > [!NOTE] If you would like other types of sensitive information to be automatically redacted, please reach out to us in our [community discussions](https://github.com/orgs/community/discussions?discussions_q=is%3Aopen+label%3AActions). -As a habit of best practice, you should mask all sensitive information that is not a {% data variables.product.prodname_dotcom %} secret by using `::add-mask::VALUE`. This causes the value to be treated as a secret and redacted from logs. For more information about masking data, see "[AUTOTITLE](/actions/using-workflows/workflow-commands-for-github-actions#masking-a-value-in-a-log)." +As a habit of best practice, you should mask all sensitive information that is not a {% data variables.product.prodname_dotcom %} secret by using `::add-mask::VALUE`. This causes the value to be treated as a secret and redacted from logs. For more information about masking data, see [AUTOTITLE](/actions/using-workflows/workflow-commands-for-github-actions#masking-a-value-in-a-log). -Redacting of secrets is performed by your workflow runners. This means a secret will only be redacted if it was used within a job and is accessible by the runner. If an unredacted secret is sent to a workflow run log, you should delete the log and rotate the secret. For information on deleting logs, see "[AUTOTITLE](/actions/monitoring-and-troubleshooting-workflows/using-workflow-run-logs#deleting-logs)." +Redacting of secrets is performed by your workflow runners. This means a secret will only be redacted if it was used within a job and is accessible by the runner. If an unredacted secret is sent to a workflow run log, you should delete the log and rotate the secret. For information on deleting logs, see [AUTOTITLE](/actions/monitoring-and-troubleshooting-workflows/using-workflow-run-logs#deleting-logs). diff --git a/content/actions/security-for-github-actions/security-hardening-your-deployments/about-security-hardening-with-openid-connect.md b/content/actions/security-for-github-actions/security-hardening-your-deployments/about-security-hardening-with-openid-connect.md index 1b12c685e2d5..d1f43177defb 100644 --- a/content/actions/security-for-github-actions/security-hardening-your-deployments/about-security-hardening-with-openid-connect.md +++ b/content/actions/security-for-github-actions/security-hardening-your-deployments/about-security-hardening-with-openid-connect.md @@ -47,7 +47,7 @@ The following diagram gives an overview of how {% data variables.product.prodnam When you configure your cloud to trust {% data variables.product.prodname_dotcom %}'s OIDC provider, you **must** add conditions that filter incoming requests, so that untrusted repositories or workflows can’t request access tokens for your cloud resources: * Before granting an access token, your cloud provider checks that the [`subject`](https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims) and other claims used to set conditions in its trust settings match those in the request's JSON Web Token (JWT). As a result, you must take care to correctly define the _subject_ and other conditions in your cloud provider. -* The OIDC trust configuration steps and the syntax to set conditions for cloud roles (using _Subject_ and other claims) will vary depending on which cloud provider you're using. For some examples, see "[Example subject claims](#example-subject-claims)." +* The OIDC trust configuration steps and the syntax to set conditions for cloud roles (using _Subject_ and other claims) will vary depending on which cloud provider you're using. For some examples, see [Example subject claims](#example-subject-claims). ### Understanding the OIDC token @@ -137,7 +137,7 @@ The token also includes custom claims provided by {% data variables.product.prod | `environment`| The name of the environment used by the job. If the `environment` claim is included (also via `include_claim_keys`), an environment is required and must be provided. | | `event_name`| The name of the event that triggered the workflow run. | | `head_ref`| The source branch of the pull request in a workflow run. | -| `job_workflow_ref`| For jobs using a reusable workflow, the ref path to the reusable workflow. For more information, see "[AUTOTITLE](/actions/deployment/security-hardening-your-deployments/using-openid-connect-with-reusable-workflows)." | +| `job_workflow_ref`| For jobs using a reusable workflow, the ref path to the reusable workflow. For more information, see [AUTOTITLE](/actions/deployment/security-hardening-your-deployments/using-openid-connect-with-reusable-workflows). | | `job_workflow_sha`| For jobs using a reusable workflow, the commit SHA for the reusable workflow file. | | `ref`| _(Reference)_ The git ref that triggered the workflow run. | | `ref_type`| The type of `ref`, for example: "branch". | @@ -160,9 +160,9 @@ With OIDC, a {% data variables.product.prodname_actions %} workflow requires a t Audience and Subject claims are typically used in combination while setting conditions on the cloud role/resources to scope its access to the GitHub workflows. * **Audience:** By default, this value uses the URL of the organization or repository owner. This can be used to set a condition that only the workflows in the specific organization can access the cloud role. -* **Subject:** By default, has a predefined format and is a concatenation of some of the key metadata about the workflow, such as the {% data variables.product.prodname_dotcom %} organization, repository, branch, or associated [`job`](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idenvironment) environment. See "[Example subject claims](#example-subject-claims)" to see how the subject claim is assembled from concatenated metadata. +* **Subject:** By default, has a predefined format and is a concatenation of some of the key metadata about the workflow, such as the {% data variables.product.prodname_dotcom %} organization, repository, branch, or associated [`job`](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idenvironment) environment. See [Example subject claims](#example-subject-claims) to see how the subject claim is assembled from concatenated metadata. -If you need more granular trust conditions, you can customize the {% ifversion ghec %}issuer (`iss`) and {% endif %}subject (`sub`) claim{% ifversion ghec %}s that are{% else %} that's{% endif %} included with the JWT. For more information, see "[Customizing the token claims](#customizing-the-token-claims)". +If you need more granular trust conditions, you can customize the {% ifversion ghec %}issuer (`iss`) and {% endif %}subject (`sub`) claim{% ifversion ghec %}s that are{% else %} that's{% endif %} included with the JWT. For more information, see [Customizing the token claims](#customizing-the-token-claims). There are also many additional claims supported in the OIDC token that can be used for setting these conditions. In addition, your cloud provider could allow you to assign a role to the access tokens, letting you specify even more granular permissions. @@ -220,7 +220,7 @@ To configure the subject in your cloud provider's trust relationship, you must a | Google Cloud Platform| `(assertion.sub=='repo:octo-org/octo-repo:ref:refs/heads/demo-branch')` | | HashiCorp Vault| `bound_subject="repo:octo-org/octo-repo:ref:refs/heads/demo-branch"` | -For more information, see the guides listed in "[Enabling OpenID Connect for your cloud provider](#enabling-openid-connect-for-your-cloud-provider)." +For more information, see the guides listed in [Enabling OpenID Connect for your cloud provider](#enabling-openid-connect-for-your-cloud-provider). ## Updating your actions for OIDC @@ -247,15 +247,15 @@ curl -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "$ACTIONS_ID_TOK You can security harden your OIDC configuration by customizing the claims that are included with the JWT. These customizations allow you to define more granular trust conditions on your cloud roles when allowing your workflows to access resources hosted in the cloud: -* You can customize values for {% ifversion ghec %}`issuer` or {% endif %}`audience` claims. See {% ifversion ghec %}"[Customizing the `issuer` value for an enterprise](#customizing-the-issuer-value-for-an-enterprise)" and {% endif %}"[Customizing the `audience` value](#customizing-the-audience-value)." +* You can customize values for {% ifversion ghec %}`issuer` or {% endif %}`audience` claims. See {% ifversion ghec %}[Customizing the `issuer` value for an enterprise](#customizing-the-issuer-value-for-an-enterprise) and {% endif %}[Customizing the `audience` value](#customizing-the-audience-value). * You can customize the format of your OIDC configuration by setting conditions on the subject (`sub`) claim that require JWT tokens to originate from a specific repository, reusable workflow, or other source. -* You can define granular OIDC policies by using additional OIDC token claims, such as `repository_id` and `repository_visibility`. See "[Understanding the OIDC token](#understanding-the-oidc-token)." +* You can define granular OIDC policies by using additional OIDC token claims, such as `repository_id` and `repository_visibility`. See [Understanding the OIDC token](#understanding-the-oidc-token). ### Customizing the `audience` value When you use custom actions in your workflows, those actions may use the {% data variables.product.prodname_actions %} Toolkit to enable you to supply a custom value for the `audience` claim. Some cloud providers also use this in their official login actions to enforce a default value for the `audience` claim. For example, the [GitHub Action for Azure Login](https://github.com/Azure/login/blob/master/action.yml) provides a default `aud` value of `api://AzureADTokenExchange`, or it allows you to set a custom `aud` value in your workflows. For more information on the {% data variables.product.prodname_actions %} Toolkit, see the [OIDC token](https://github.com/actions/toolkit/tree/main/packages/core#oidc-token) section in the documentation. -If you do not want to use the default `aud` value offered by an action, you can provide a custom value for the `audience` claim. This allows you to set a condition that only workflows in a specific repository or organization can access the cloud role. If the action you are using supports this, you can use the `with` keyword in your workflow to pass a custom `aud` value to the action. For more information, see "[AUTOTITLE](/actions/creating-actions/metadata-syntax-for-github-actions#inputs)." +If you do not want to use the default `aud` value offered by an action, you can provide a custom value for the `audience` claim. This allows you to set a condition that only workflows in a specific repository or organization can access the cloud role. If the action you are using supports this, you can use the `with` keyword in your workflow to pass a custom `aud` value to the action. For more information, see [AUTOTITLE](/actions/creating-actions/metadata-syntax-for-github-actions#inputs). {% ifversion ghec %} @@ -267,7 +267,7 @@ To security harden their OIDC configuration, enterprise administrators can confi This configuration means that your enterprise will receive the OIDC token from a unique URL, and you can then configure your cloud provider to only accept tokens from that URL. This helps ensure that only the enterprise's repositories can access your cloud resources using OIDC. -To activate this setting for your enterprise, an enterprise administrator must use the `/enterprises/{enterprise}/actions/oidc/customization/issuer` endpoint and specify `"include_enterprise_slug": true` in the request body. For more information, see "[AUTOTITLE](/rest/actions/oidc#set-the-github-actions-oidc-custom-issuer-policy-for-an-enterprise)." +To activate this setting for your enterprise, an enterprise administrator must use the `/enterprises/{enterprise}/actions/oidc/customization/issuer` endpoint and specify `"include_enterprise_slug": true` in the request body. For more information, see [AUTOTITLE](/rest/actions/oidc#set-the-github-actions-oidc-custom-issuer-policy-for-an-enterprise). After this setting is applied, the JWT will contain the updated `iss` value. In the following example, the `iss` key uses `octocat-inc` as its `enterpriseSlug` value: @@ -289,12 +289,12 @@ After this setting is applied, the JWT will contain the updated `iss` value. In ### Customizing the subject claims for an organization or repository -To help improve security, compliance, and standardization, you can customize the standard claims to suit your required access conditions. If your cloud provider supports conditions on subject claims, you can create a condition that checks whether the `sub` value matches the path of the reusable workflow, such as `"job_workflow_ref:octo-org/octo-automation/.github/workflows/oidc.yml@refs/heads/main"`. The exact format will vary depending on your cloud provider's OIDC configuration. To configure the matching condition on {% data variables.product.prodname_dotcom %}, you can use the REST API to require that the `sub` claim must always include a specific custom claim, such as `job_workflow_ref`. You can use the REST API to apply a customization template for the OIDC subject claim; for example, you can require that the `sub` claim within the OIDC token must always include a specific custom claim, such as `job_workflow_ref`. For more information, see "[AUTOTITLE](/rest/actions/oidc)." +To help improve security, compliance, and standardization, you can customize the standard claims to suit your required access conditions. If your cloud provider supports conditions on subject claims, you can create a condition that checks whether the `sub` value matches the path of the reusable workflow, such as `"job_workflow_ref:octo-org/octo-automation/.github/workflows/oidc.yml@refs/heads/main"`. The exact format will vary depending on your cloud provider's OIDC configuration. To configure the matching condition on {% data variables.product.prodname_dotcom %}, you can use the REST API to require that the `sub` claim must always include a specific custom claim, such as `job_workflow_ref`. You can use the REST API to apply a customization template for the OIDC subject claim; for example, you can require that the `sub` claim within the OIDC token must always include a specific custom claim, such as `job_workflow_ref`. For more information, see [AUTOTITLE](/rest/actions/oidc). > [!NOTE] -> When the organization template is applied, it will not affect any workflows already using OIDC unless their repository has opted in to custom organization templates. For all repositories, existing and new, the repository owner will need to use the repository-level REST API to opt in to receive this configuration by setting `use_default` to `false`. Alternatively, the repository owner could use the REST API to apply a different configuration specific to the repository. For more information, see "[AUTOTITLE](/rest/actions/oidc#set-the-customization-template-for-an-oidc-subject-claim-for-a-repository)." +> When the organization template is applied, it will not affect any workflows already using OIDC unless their repository has opted in to custom organization templates. For all repositories, existing and new, the repository owner will need to use the repository-level REST API to opt in to receive this configuration by setting `use_default` to `false`. Alternatively, the repository owner could use the REST API to apply a different configuration specific to the repository. For more information, see [AUTOTITLE](/rest/actions/oidc#set-the-customization-template-for-an-oidc-subject-claim-for-a-repository). -Customizing the claims results in a new format for the entire `sub` claim, which replaces the default predefined `sub` format in the token described in "[AUTOTITLE](/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#example-subject-claims)." +Customizing the claims results in a new format for the entire `sub` claim, which replaces the default predefined `sub` format in the token described in [AUTOTITLE](/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#example-subject-claims). > [!NOTE] > The `sub` claim uses the shortened form `repo` (for example, `repo:ORG-NAME/REPO-NAME`) instead of `repository` to reference the repository. {% ifversion fpt or ghec or ghes > 3.15 %} @@ -379,7 +379,7 @@ For example: `"sub": "repo:octo-org/octo-repo:environment:prod:job_workflow_ref: #### Example: Granting access to a specific repository -This example template lets you grant cloud access to all the workflows in a specific repository, across all branches/tags and environments. {% ifversion ghec %}To further improve security, you can combine this template with a unique issuer URL for your enterprise, as described in "[Customizing the `issuer` value for an enterprise](#customizing-the-issuer-value-for-an-enterprise)."{% endif %} +This example template lets you grant cloud access to all the workflows in a specific repository, across all branches/tags and environments. {% ifversion ghec %}To further improve security, you can combine this template with a unique issuer URL for your enterprise, as described in [Customizing the `issuer` value for an enterprise](#customizing-the-issuer-value-for-an-enterprise).{% endif %} {% data reusables.actions.use-request-body-api %} @@ -462,7 +462,7 @@ In your cloud provider's OIDC configuration, configure the `sub` condition to re All repositories in an organization have the ability to opt in or opt out of (organization and repository-level) customized `sub` claim templates. -To opt out a repository and reset back to the default `sub` claim format, a repository administrator must use the REST API endpoint at "[AUTOTITLE](/rest/actions/oidc#set-the-customization-template-for-an-oidc-subject-claim-for-a-repository)." +To opt out a repository and reset back to the default `sub` claim format, a repository administrator must use the REST API endpoint at [AUTOTITLE](/rest/actions/oidc#set-the-customization-template-for-an-oidc-subject-claim-for-a-repository). To configure repositories to use the default `sub` claim format, use the `PUT /repos/{owner}/{repo}/actions/oidc/customization/sub` REST API endpoint at with the following request body. @@ -476,7 +476,7 @@ To configure repositories to use the default `sub` claim format, use the `PUT /r Once an organization has created a customized `sub` claim template, the REST API can be used to programmatically apply the template to repositories within the organization. A repository administrator can configure their repository to use the template created by the administrator of their organization. -To configure the repository to use the organization's template, a repository admin must use the `PUT /repos/{owner}/{repo}/actions/oidc/customization/sub` REST API endpoint at with the following request body. For more information, see "[AUTOTITLE](/rest/actions/oidc#set-the-customization-template-for-an-oidc-subject-claim-for-a-repository)." +To configure the repository to use the organization's template, a repository admin must use the `PUT /repos/{owner}/{repo}/actions/oidc/customization/sub` REST API endpoint at with the following request body. For more information, see [AUTOTITLE](/rest/actions/oidc#set-the-customization-template-for-an-oidc-subject-claim-for-a-repository). ```json { @@ -486,13 +486,13 @@ To configure the repository to use the organization's template, a repository adm ## Updating your workflows for OIDC -You can now update your YAML workflows to use OIDC access tokens instead of secrets. Popular cloud providers have published their official login actions that make it easy for you to get started with OIDC. For more information about updating your workflows, see the cloud-specific guides listed below in "[Enabling OpenID Connect for your cloud provider](#enabling-openid-connect-for-your-cloud-provider)." +You can now update your YAML workflows to use OIDC access tokens instead of secrets. Popular cloud providers have published their official login actions that make it easy for you to get started with OIDC. For more information about updating your workflows, see the cloud-specific guides listed below in [Enabling OpenID Connect for your cloud provider](#enabling-openid-connect-for-your-cloud-provider). {% ifversion fpt or ghec %} ## Enabling OpenID Connect for Python package publishing -You can use a {% data variables.product.prodname_actions %} workflow in a repository as a trusted publisher for a PyPI project. Using a workflow as a trusted publisher allows OIDC access tokens to be exchanged for temporary PyPI API tokens. For more information, see "[AUTOTITLE](/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-pypi)" and "[Publishing to PyPI with a Trusted Publisher](https://docs.pypi.org/trusted-publishers/)" in the PyPI documentation. +You can use a {% data variables.product.prodname_actions %} workflow in a repository as a trusted publisher for a PyPI project. Using a workflow as a trusted publisher allows OIDC access tokens to be exchanged for temporary PyPI API tokens. For more information, see [AUTOTITLE](/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-pypi) and [Publishing to PyPI with a Trusted Publisher](https://docs.pypi.org/trusted-publishers/) in the PyPI documentation. {% endif %} @@ -500,14 +500,14 @@ You can use a {% data variables.product.prodname_actions %} workflow in a reposi To enable and configure OIDC for your specific cloud provider, see the following guides: -* "[AUTOTITLE](/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services)" -* "[AUTOTITLE](/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-azure)" -* "[AUTOTITLE](/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-google-cloud-platform)" -* "[AUTOTITLE](/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-hashicorp-vault)" +* [AUTOTITLE](/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services) +* [AUTOTITLE](/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-azure) +* [AUTOTITLE](/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-google-cloud-platform) +* [AUTOTITLE](/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-hashicorp-vault) To enable and configure OIDC for another cloud provider, see the following guide: -* "[AUTOTITLE](/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-cloud-providers)" +* [AUTOTITLE](/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-cloud-providers) {% ifversion ghec %} diff --git a/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services.md b/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services.md index c660b51e148d..eeb27108f722 100644 --- a/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services.md +++ b/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services.md @@ -52,7 +52,7 @@ To add the {% data variables.product.prodname_dotcom %} OIDC provider to IAM, se ### Configuring the role and trust policy -To configure the role and trust in IAM, see the AWS documentation "[Configure AWS Credentials for GitHub Actions](https://github.com/aws-actions/configure-aws-credentials#configure-aws-credentials-for-github-actions)" and "[Configuring a role for GitHub OIDC identity provider](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_oidc.html#idp_oidc_Create_GitHub)." +To configure the role and trust in IAM, see the AWS documentation [Configure AWS Credentials for GitHub Actions](https://github.com/aws-actions/configure-aws-credentials#configure-aws-credentials-for-github-actions) and [Configuring a role for GitHub OIDC identity provider](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_oidc.html#idp_oidc_Create_GitHub). > [!NOTE] > AWS Identity and Access Management (IAM) recommends that users evaluate the IAM condition key, `token.actions.githubusercontent.com:sub`, in the trust policy of any role that trusts {% data variables.product.prodname_dotcom %}’s OIDC identity provider (IdP). Evaluating this condition key in the role trust policy limits which {% data variables.product.prodname_dotcom %} actions are able to assume the role. @@ -68,7 +68,7 @@ Edit the trust policy, adding the `sub` field to the validation conditions. For } ``` -If you use a workflow with an environment, the `sub` field must reference the environment name: `repo:ORG-NAME/REPO-NAME:environment:ENVIRONMENT-NAME`. For more information, see "[AUTOTITLE](/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#understanding-the-oidc-token)." +If you use a workflow with an environment, the `sub` field must reference the environment name: `repo:ORG-NAME/REPO-NAME:environment:ENVIRONMENT-NAME`. For more information, see [AUTOTITLE](/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#understanding-the-oidc-token). {% data reusables.actions.oidc-deployment-protection-rules %} diff --git a/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-azure.md b/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-azure.md index 8fda3cafa989..12123ea443c1 100644 --- a/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-azure.md +++ b/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-azure.md @@ -36,12 +36,12 @@ This guide gives an overview of how to configure Azure to trust {% data variable > [!NOTE] > Microsoft Entra ID (previously known as Azure AD) does not have fixed IP ranges defined for these endpoints. -* Make sure that the value of the issuer claim that's included with the JSON Web Token (JWT) is set to a publicly routable URL. For more information, see "[AUTOTITLE](/enterprise-server@latest/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect)." +* Make sure that the value of the issuer claim that's included with the JSON Web Token (JWT) is set to a publicly routable URL. For more information, see [AUTOTITLE](/enterprise-server@latest/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect). {% endif %} ## Adding the federated credentials to Azure -{% data variables.product.prodname_dotcom %}'s OIDC provider works with Azure's workload identity federation. For an overview, see Microsoft's documentation at "[Workload identity federation](https://docs.microsoft.com/en-us/azure/active-directory/develop/workload-identity-federation)." +{% data variables.product.prodname_dotcom %}'s OIDC provider works with Azure's workload identity federation. For an overview, see Microsoft's documentation at [Workload identity federation](https://docs.microsoft.com/en-us/azure/active-directory/develop/workload-identity-federation). To configure the OIDC identity provider in Azure, you will need to perform the following configuration. For instructions on making these changes, refer to [the Azure documentation](https://docs.microsoft.com/en-us/azure/developer/github/connect-from-azure). @@ -53,7 +53,7 @@ To configure the OIDC identity provider in Azure, you will need to perform the f Additional guidance for configuring the identity provider: -* For security hardening, make sure you've reviewed "[AUTOTITLE](/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#configuring-the-oidc-trust-with-the-cloud)." For an example, see "[AUTOTITLE](/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#configuring-the-subject-in-your-cloud-provider)." +* For security hardening, make sure you've reviewed [AUTOTITLE](/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#configuring-the-oidc-trust-with-the-cloud). For an example, see [AUTOTITLE](/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#configuring-the-subject-in-your-cloud-provider). * For the `audience` setting, `api://AzureADTokenExchange` is the recommended value, but you can also specify other values here. ## Updating your {% data variables.product.prodname_actions %} workflow diff --git a/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-cloud-providers.md b/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-cloud-providers.md index 4f34c460273f..adf82eb86915 100644 --- a/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-cloud-providers.md +++ b/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-cloud-providers.md @@ -63,7 +63,7 @@ To update your workflows using this approach, you will need to make three change ### Requesting the JWT using the Actions core toolkit -The following example demonstrates how to use `actions/github-script` with the `core` toolkit to request the JWT from {% data variables.product.prodname_dotcom %}'s OIDC provider. For more information, see "[AUTOTITLE](/actions/creating-actions/creating-a-javascript-action#adding-actions-toolkit-packages)." +The following example demonstrates how to use `actions/github-script` with the `core` toolkit to request the JWT from {% data variables.product.prodname_dotcom %}'s OIDC provider. For more information, see [AUTOTITLE](/actions/creating-actions/creating-a-javascript-action#adding-actions-toolkit-packages). ```yaml jobs: @@ -87,7 +87,7 @@ jobs: The following example demonstrates how to use environment variables to request a JSON Web Token. -For your deployment job, you will need to define the token settings, using `actions/github-script` with the `core` toolkit. For more information, see "[AUTOTITLE](/actions/creating-actions/creating-a-javascript-action#adding-actions-toolkit-packages)." +For your deployment job, you will need to define the token settings, using `actions/github-script` with the `core` toolkit. For more information, see [AUTOTITLE](/actions/creating-actions/creating-a-javascript-action#adding-actions-toolkit-packages). For example: diff --git a/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-google-cloud-platform.md b/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-google-cloud-platform.md index 9841a0d84a40..9839084bd93a 100644 --- a/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-google-cloud-platform.md +++ b/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-google-cloud-platform.md @@ -39,7 +39,7 @@ To configure the OIDC identity provider in GCP, you will need to perform the fol Additional guidance for configuring the identity provider: -* For security hardening, make sure you've reviewed "[Configuring the OIDC trust with the cloud](/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#configuring-the-oidc-trust-with-the-cloud)." For an example, see "[Configuring the subject in your cloud provider](/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#configuring-the-subject-in-your-cloud-provider)." +* For security hardening, make sure you've reviewed [Configuring the OIDC trust with the cloud](/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#configuring-the-oidc-trust-with-the-cloud). For an example, see [Configuring the subject in your cloud provider](/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#configuring-the-subject-in-your-cloud-provider). * For the service account to be available for configuration, it needs to be assigned to the `roles/iam.workloadIdentityUser` role. For more information, see [the GCP documentation](https://cloud.google.com/iam/docs/workload-identity-federation?_ga=2.114275588.-285296507.1634918453#conditions). * The Issuer URL to use: {% ifversion ghes %}`https://HOSTNAME/_services/token`{% else %}`https://token.actions.githubusercontent.com`{% endif %} diff --git a/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-hashicorp-vault.md b/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-hashicorp-vault.md index 350d8d4afeed..4dd8bff3baa1 100644 --- a/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-hashicorp-vault.md +++ b/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-hashicorp-vault.md @@ -51,7 +51,7 @@ To configure your Vault server to accept JSON Web Tokens (JWT) for authenticatio {% ifversion ghec %} > [!NOTE] - > If a unique issuer URL for an enterprise was set using the REST API (as described in "[AUTOTITLE](/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#switching-to-a-unique-token-url)"), the values for `bound_issuer` and `oidc_discover_url` must match that unique URL. For example, for an enterprise named `octocat` that uses the unique issuer URL, `bound_issuer` and `oidc_discovery_url` must be set to `https://token.actions.githubusercontent.com/octocat`. + > If a unique issuer URL for an enterprise was set using the REST API (as described in [AUTOTITLE](/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#switching-to-a-unique-token-url)), the values for `bound_issuer` and `oidc_discover_url` must match that unique URL. For example, for an enterprise named `octocat` that uses the unique issuer URL, `bound_issuer` and `oidc_discovery_url` must be set to `https://token.actions.githubusercontent.com/octocat`. {% endif %} @@ -86,7 +86,7 @@ To configure your Vault server to accept JSON Web Tokens (JWT) for authenticatio * `ttl` defines the validity of the resulting access token. * Ensure that the `bound_claims` parameter is defined for your security requirements, and has at least one condition. Optionally, you can also set the `bound_subject` as well as the `bound_audiences` parameter. * To check arbitrary claims in the received JWT payload, the `bound_claims` parameter contains a set of claims and their required values. In the above example, the role will accept any incoming authentication requests from the `repo-name` repository owned by the `user-or-org-name` account. -* To see all the available claims supported by {% data variables.product.prodname_dotcom %}'s OIDC provider, see "[AUTOTITLE](/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#configuring-the-oidc-trust-with-the-cloud)." +* To see all the available claims supported by {% data variables.product.prodname_dotcom %}'s OIDC provider, see [AUTOTITLE](/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#configuring-the-oidc-trust-with-the-cloud). For more information, see the HashiCorp Vault [documentation](https://www.vaultproject.io/docs/auth/jwt). @@ -148,7 +148,7 @@ jobs: ``` > [!NOTE] -> * If your Vault server is not accessible from the public network, consider using a self-hosted runner with other available Vault [auth methods](https://www.vaultproject.io/docs/auth). For more information, see "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners)." +> * If your Vault server is not accessible from the public network, consider using a self-hosted runner with other available Vault [auth methods](https://www.vaultproject.io/docs/auth). For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners). > * `VAULT-NAMESPACE` must be set for a Vault Enterprise (including HCP Vault) deployment. For more information, see [Vault namespace](https://www.vaultproject.io/docs/enterprise/namespaces). ### Revoking the access token diff --git a/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-jfrog.md b/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-jfrog.md index 031a5cbf6810..df5d264bf35c 100644 --- a/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-jfrog.md +++ b/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-jfrog.md @@ -31,7 +31,7 @@ For an example {% data variables.product.prodname_actions %} workflow using the {% data reusables.actions.oidc-on-ghecom %} -* To be secure, you need to set a Claims JSON in JFrog when configuring identity mappings. For more information, see "[AUTOTITLE](https://jfrog.com/help/r/jfrog-platform-administration-documentation/configure-identity-mappings)" and "[AUTOTITLE](/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#customizing-the-token-claims)." +* To be secure, you need to set a Claims JSON in JFrog when configuring identity mappings. For more information, see [AUTOTITLE](https://jfrog.com/help/r/jfrog-platform-administration-documentation/configure-identity-mappings) and [AUTOTITLE](/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#customizing-the-token-claims). For example, you can set `iss` to `https://token.actions.githubusercontent.com`, and the `repository` to something like "octo-org/octo-repo"`. This will ensure only Actions workflows from the specified repository will have access to your JFrog platform. The following is an example Claims JSON when configuring identity mappings. @@ -84,7 +84,7 @@ The following example shows part of a {% data variables.product.prodname_actions echo "ID_TOKEN=${ID_TOKEN}" >> $GITHUB_OUTPUT ``` -Alternatively, you can set the audience as an environment variable using the `env` context. For more information about the `env` context, see "[AUTOTITLE](/actions/learn-github-actions/contexts#env-context)." +Alternatively, you can set the audience as an environment variable using the `env` context. For more information about the `env` context, see [AUTOTITLE](/actions/learn-github-actions/contexts#env-context). {% data reusables.actions.oidc-deployment-protection-rules %} diff --git a/content/actions/security-for-github-actions/security-hardening-your-deployments/using-openid-connect-with-reusable-workflows.md b/content/actions/security-for-github-actions/security-hardening-your-deployments/using-openid-connect-with-reusable-workflows.md index 067a47c4ed32..51e4e361a6bf 100644 --- a/content/actions/security-for-github-actions/security-hardening-your-deployments/using-openid-connect-with-reusable-workflows.md +++ b/content/actions/security-for-github-actions/security-hardening-your-deployments/using-openid-connect-with-reusable-workflows.md @@ -19,9 +19,9 @@ topics: ## About reusable workflows -Rather than copying and pasting deployment jobs from one workflow to another, you can create a reusable workflow that performs the deployment steps. A reusable workflow can be used by another workflow if it meets one of the access requirements described in "[AUTOTITLE](/actions/using-workflows/reusing-workflows#access-to-reusable-workflows)." +Rather than copying and pasting deployment jobs from one workflow to another, you can create a reusable workflow that performs the deployment steps. A reusable workflow can be used by another workflow if it meets one of the access requirements described in [AUTOTITLE](/actions/using-workflows/reusing-workflows#access-to-reusable-workflows). -You should be familiar with the concepts described in "[AUTOTITLE](/actions/using-workflows/reusing-workflows)" and "[AUTOTITLE](/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect)." +You should be familiar with the concepts described in [AUTOTITLE](/actions/using-workflows/reusing-workflows) and [AUTOTITLE](/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect). ## Defining the trust conditions @@ -29,10 +29,10 @@ When combined with OpenID Connect (OIDC), reusable workflows let you enforce con * **Using `job_workflow_ref`:** * To create trust conditions based on reusable workflows, your cloud provider must support custom claims for `job_workflow_ref`. This allows your cloud provider to identify which repository the job originally came from. - * For clouds that only support the standard claims (audience (`aud`) and subject (`sub`)), you can use the API to customize the `sub` claim to include `job_workflow_ref`. For more information, see "[AUTOTITLE](/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#customizing-the-token-claims)". Support for custom claims is currently available for Google Cloud Platform and HashiCorp Vault. + * For clouds that only support the standard claims (audience (`aud`) and subject (`sub`)), you can use the API to customize the `sub` claim to include `job_workflow_ref`. For more information, see [AUTOTITLE](/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#customizing-the-token-claims). Support for custom claims is currently available for Google Cloud Platform and HashiCorp Vault. * **Customizing the token claims:** - * You can configure more granular trust conditions by customizing the {% ifversion ghec %}issuer (`iss`) and {% endif %}subject (`sub`) claim{% ifversion ghec %}s that are{% else %} that's{% endif %} included with the JWT. For more information, see "[AUTOTITLE](/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#customizing-the-token-claims)". + * You can configure more granular trust conditions by customizing the {% ifversion ghec %}issuer (`iss`) and {% endif %}subject (`sub`) claim{% ifversion ghec %}s that are{% else %} that's{% endif %} included with the JWT. For more information, see [AUTOTITLE](/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#customizing-the-token-claims). ## How the token works with reusable workflows diff --git a/content/actions/security-for-github-actions/using-artifact-attestations/using-artifact-attestations-and-reusable-workflows-to-achieve-slsa-v1-build-level-3.md b/content/actions/security-for-github-actions/using-artifact-attestations/using-artifact-attestations-and-reusable-workflows-to-achieve-slsa-v1-build-level-3.md index d6bba21c19da..cfca245e1e85 100644 --- a/content/actions/security-for-github-actions/using-artifact-attestations/using-artifact-attestations-and-reusable-workflows-to-achieve-slsa-v1-build-level-3.md +++ b/content/actions/security-for-github-actions/using-artifact-attestations/using-artifact-attestations-and-reusable-workflows-to-achieve-slsa-v1-build-level-3.md @@ -23,8 +23,8 @@ But remember that by itself, artifact attestations provides links, like the buil You can take this a step further by requiring builds make use of known, vetted build instructions. A great way to do this is to have your build take place in a reusable workflow that many repositories across your organization share. Reusable workflows can provide isolation between the build process and the calling workflow, to meet SLSA v1.0 Build Level 3. Before starting this guide, you should be familiar with: -* Generating artifact attestations. See "[AUTOTITLE](/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds)." -* Writing and using reusable workflows. See "[AUTOTITLE](/actions/using-workflows/reusing-workflows)." +* Generating artifact attestations. See [AUTOTITLE](/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds). +* Writing and using reusable workflows. See [AUTOTITLE](/actions/using-workflows/reusing-workflows). ## Step 1: Configuring your builds @@ -32,11 +32,11 @@ First, we need to build with both artifact attestations and a reusable workflow. ### Building with a reusable workflow -If you aren't already using reusable workflows to build your software, you'll need to take your build steps and move them into a reusable workflow. For more information on how to write and call a reusable workflow, see "[AUTOTITLE](/actions/using-workflows/reusing-workflows)." +If you aren't already using reusable workflows to build your software, you'll need to take your build steps and move them into a reusable workflow. For more information on how to write and call a reusable workflow, see [AUTOTITLE](/actions/using-workflows/reusing-workflows). ### Building with artifact attestations -The reusable workflow you use to build your software must also generate artifact attestations to establish build provenance. For more information, see "[AUTOTITLE](/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds)." +The reusable workflow you use to build your software must also generate artifact attestations to establish build provenance. For more information, see [AUTOTITLE](/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds). When you use a reusable workflow to generate artifact attestations, both the calling workflow and the reusable workflow need to have the following permissions. diff --git a/content/actions/security-for-github-actions/using-artifact-attestations/using-artifact-attestations-to-establish-provenance-for-builds.md b/content/actions/security-for-github-actions/using-artifact-attestations/using-artifact-attestations-to-establish-provenance-for-builds.md index a0fa57db6d49..84edd58697cc 100644 --- a/content/actions/security-for-github-actions/using-artifact-attestations/using-artifact-attestations-to-establish-provenance-for-builds.md +++ b/content/actions/security-for-github-actions/using-artifact-attestations/using-artifact-attestations-to-establish-provenance-for-builds.md @@ -46,7 +46,7 @@ You should **not** sign: ### About verifying artifact attestations -If you consume software that publishes artifact attestations, you can use the {% data variables.product.prodname_cli %} to verify those attestations. Because the attestations give you information about where and how software was built, you can use that information to create and enforce security policies that elevate your supply chain security. For more information, see "[Verifying artifact attestations with the {% data variables.product.prodname_cli %}](#verifying-artifact-attestations-with-the-github-cli)." +If you consume software that publishes artifact attestations, you can use the {% data variables.product.prodname_cli %} to verify those attestations. Because the attestations give you information about where and how software was built, you can use that information to create and enforce security policies that elevate your supply chain security. For more information, see [Verifying artifact attestations with the {% data variables.product.prodname_cli %}](#verifying-artifact-attestations-with-the-github-cli). >[!WARNING]It is important to remember that artifact attestations are _not_ a guarantee that an artifact is secure. Instead, artifact attestations link you to the source code and the build instructions that produced them. It is up to you to define your policy criteria, evaluate that policy by evaluating the content, and make an informed risk decision when you are consuming software. @@ -108,7 +108,7 @@ When you run your updated workflows, they will build your artifacts and generate The value of the `subject-name` parameter should specify the fully-qualified image name. For example, `ghcr.io/user/app` or `acme.azurecr.io/user/app`. Do not include a tag as part of the image name. - The value of the `subject-digest` parameter should be set to the SHA256 digest of the subject for the attestation, in the form `sha256:HEX_DIGEST`. If your workflow uses `docker/build-push-action`, you can use the [`digest`](https://github.com/docker/build-push-action?tab=readme-ov-file#outputs) output from that step to supply the value. For more information on using outputs, see "[AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idoutputs)." + The value of the `subject-digest` parameter should be set to the SHA256 digest of the subject for the attestation, in the form `sha256:HEX_DIGEST`. If your workflow uses `docker/build-push-action`, you can use the [`digest`](https://github.com/docker/build-push-action?tab=readme-ov-file#outputs) output from that step to supply the value. For more information on using outputs, see [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idoutputs). ## Generating an attestation for a software bill of materials (SBOM) @@ -171,7 +171,7 @@ When you run your updated workflows, they will build your artifacts and generate The value of the `subject-name` parameter should specify the fully-qualified image name. For example, `ghcr.io/user/app` or `acme.azurecr.io/user/app`. Do not include a tag as part of the image name. - The value of the `subject-digest` parameter should be set to the SHA256 digest of the subject for the attestation, in the form `sha256:HEX_DIGEST`. If your workflow uses `docker/build-push-action`, you can use the [`digest`](https://github.com/docker/build-push-action?tab=readme-ov-file#outputs) output from that step to supply the value. For more information on using outputs, see "[AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idoutputs)." + The value of the `subject-digest` parameter should be set to the SHA256 digest of the subject for the attestation, in the form `sha256:HEX_DIGEST`. If your workflow uses `docker/build-push-action`, you can use the [`digest`](https://github.com/docker/build-push-action?tab=readme-ov-file#outputs) output from that step to supply the value. For more information on using outputs, see [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idoutputs). The value of the `sbom-path` parameter should be set to the path to the JSON-formatted SBOM file you want to attest. @@ -191,6 +191,6 @@ docker login ghcr.io gh attestation verify oci://ghcr.io/ORGANIZATION_NAME/IMAGE_NAME:test -R ORGANIZATION_NAME/REPOSITORY_NAME ``` ->[!NOTE]These commands assume you are in an online environment. If you are in an offline or air-gapped environment, see "[AUTOTITLE](/actions/security-guides/verifying-attestations-offline)." +>[!NOTE]These commands assume you are in an online environment. If you are in an offline or air-gapped environment, see [AUTOTITLE](/actions/security-guides/verifying-attestations-offline). For more information, see the [`attestation`](https://cli.github.com/manual/gh_attestation) section of the {% data variables.product.prodname_cli %} manual. diff --git a/content/actions/security-for-github-actions/using-artifact-attestations/verifying-attestations-offline.md b/content/actions/security-for-github-actions/using-artifact-attestations/verifying-attestations-offline.md index 907c3bed5007..2fcd6d8361dd 100644 --- a/content/actions/security-for-github-actions/using-artifact-attestations/verifying-attestations-offline.md +++ b/content/actions/security-for-github-actions/using-artifact-attestations/verifying-attestations-offline.md @@ -22,7 +22,7 @@ By default, attestations are stored in GitHub's attestation API, which `gh attes This command can work without internet connectivity, but you need to supply the attestation bundle and the key material in the trusted root manually. -Before starting this guide, you should be building with generating artifact attestations. See "[AUTOTITLE](/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds)." +Before starting this guide, you should be building with generating artifact attestations. See [AUTOTITLE](/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds). ## Step 1: Download attestation bundle diff --git a/content/actions/sharing-automations/avoiding-duplication.md b/content/actions/sharing-automations/avoiding-duplication.md index b07b6addecc9..74b2026f5e05 100644 --- a/content/actions/sharing-automations/avoiding-duplication.md +++ b/content/actions/sharing-automations/avoiding-duplication.md @@ -23,7 +23,7 @@ Reusable workflows and composite actions are two ways to avoid duplicating the c Reusable workflows and composite actions solve similar problems, but have a few important differences. Most of the time you can use either solution. But some of the time, you’ll need to use one or the other, as described later in this article. -For details of how to create and use reusable workflows and composite actions, see "[AUTOTITLE](/actions/using-workflows/reusing-workflows)" and "[AUTOTITLE](/actions/creating-actions/creating-a-composite-action)." +For details of how to create and use reusable workflows and composite actions, see [AUTOTITLE](/actions/using-workflows/reusing-workflows) and [AUTOTITLE](/actions/creating-actions/creating-a-composite-action). ## Comparison of reusable workflows and composite actions diff --git a/content/actions/sharing-automations/creating-actions/about-custom-actions.md b/content/actions/sharing-automations/creating-actions/about-custom-actions.md index 69504cfc70bd..a9624d3a6920 100644 --- a/content/actions/sharing-automations/creating-actions/about-custom-actions.md +++ b/content/actions/sharing-automations/creating-actions/about-custom-actions.md @@ -32,7 +32,7 @@ Actions can run directly on a machine or in a Docker container. You can define a ## Types of actions -You can build Docker container, JavaScript, and composite actions. Actions require a metadata file to define the inputs, outputs and main entrypoint for your action. The metadata filename must be either `action.yml` or `action.yaml`. For more information, see "[AUTOTITLE](/actions/creating-actions/metadata-syntax-for-github-actions)." +You can build Docker container, JavaScript, and composite actions. Actions require a metadata file to define the inputs, outputs and main entrypoint for your action. The metadata filename must be either `action.yml` or `action.yaml`. For more information, see [AUTOTITLE](/actions/creating-actions/metadata-syntax-for-github-actions). {% rowheaders %} @@ -62,7 +62,7 @@ If you're developing a Node.js project, the {% data variables.product.prodname_a ### Composite Actions -A _composite_ action allows you to combine multiple workflow steps within one action. For example, you can use this feature to bundle together multiple run commands into an action, and then have a workflow that executes the bundled commands as a single step using that action. To see an example, check out "[AUTOTITLE](/actions/creating-actions/creating-a-composite-action)". +A _composite_ action allows you to combine multiple workflow steps within one action. For example, you can use this feature to bundle together multiple run commands into an action, and then have a workflow that executes the bundled commands as a single step using that action. To see an example, check out [AUTOTITLE](/actions/creating-actions/creating-a-composite-action). ## Choosing a location for your action @@ -82,7 +82,7 @@ Many people access {% data variables.product.github %} at a domain other than {% To ensure that your action is compatible with other platforms, do not use any hard-coded references to API URLs such as `https://api.github.com`. Instead, you can: -* Use environment variables (see "[AUTOTITLE](/actions/learn-github-actions/variables#default-environment-variables)"): +* Use environment variables (see [AUTOTITLE](/actions/learn-github-actions/variables#default-environment-variables)): * For the REST API, use the `GITHUB_API_URL` environment variable. * For GraphQL, use the `GITHUB_GRAPHQL_URL` environment variable. @@ -106,8 +106,8 @@ To use a specific action version, users can configure their {% data variables.pr We recommend using tags for actions release management. Using this approach, your users can easily distinguish between major and minor versions: * Create and validate a release on a release branch (such as `release/v1`) before creating the release tag (for example, `v1.0.2`). -* Create a release using semantic versioning. For more information, see "[AUTOTITLE](/repositories/releasing-projects-on-github/managing-releases-in-a-repository)." -* Move the major version tag (such as `v1`, `v2`) to point to the Git ref of the current release. For more information, see "[Git basics - tagging](https://git-scm.com/book/en/v2/Git-Basics-Tagging)." +* Create a release using semantic versioning. For more information, see [AUTOTITLE](/repositories/releasing-projects-on-github/managing-releases-in-a-repository). +* Move the major version tag (such as `v1`, `v2`) to point to the Git ref of the current release. For more information, see [Git basics - tagging](https://git-scm.com/book/en/v2/Git-Basics-Tagging). * Introduce a new major version tag (`v2`) for changes that will break existing workflows. For example, changing an action's inputs would be a breaking change. * Major versions can be initially released with a `beta` tag to indicate their status, for example, `v2-beta`. The `-beta` tag can then be removed when ready. @@ -156,7 +156,7 @@ We recommend creating a README file to help people learn how to use your action. ## Comparing {% data variables.product.prodname_actions %} to {% data variables.product.prodname_github_apps %} -{% data variables.product.prodname_marketplace %} offers tools to improve your workflow. Understanding the differences and the benefits of each tool will allow you to select the best tool for your job. For more information about building apps, see "[AUTOTITLE](/apps/creating-github-apps/setting-up-a-github-app/about-creating-github-apps)." +{% data variables.product.prodname_marketplace %} offers tools to improve your workflow. Understanding the differences and the benefits of each tool will allow you to select the best tool for your job. For more information about building apps, see [AUTOTITLE](/apps/creating-github-apps/setting-up-a-github-app/about-creating-github-apps). ### Strengths of GitHub Actions and GitHub Apps @@ -177,4 +177,4 @@ While both {% data variables.product.prodname_actions %} and {% data variables.p ## Further reading -* "[AUTOTITLE](/actions/using-workflows/workflow-commands-for-github-actions)" +* [AUTOTITLE](/actions/using-workflows/workflow-commands-for-github-actions) diff --git a/content/actions/sharing-automations/creating-actions/creating-a-composite-action.md b/content/actions/sharing-automations/creating-actions/creating-a-composite-action.md index a313da9d958e..ed1f8397c398 100644 --- a/content/actions/sharing-automations/creating-actions/creating-a-composite-action.md +++ b/content/actions/sharing-automations/creating-actions/creating-a-composite-action.md @@ -27,15 +27,15 @@ Once you complete this project, you should understand how to build your own comp ### Composite actions and reusable workflows -Composite actions allow you to collect a series of workflow job steps into a single action which you can then run as a single job step in multiple workflows. Reusable workflows provide another way of avoiding duplication, by allowing you to run a complete workflow from within other workflows. For more information, see "[AUTOTITLE](/actions/using-workflows/avoiding-duplication)." +Composite actions allow you to collect a series of workflow job steps into a single action which you can then run as a single job step in multiple workflows. Reusable workflows provide another way of avoiding duplication, by allowing you to run a complete workflow from within other workflows. For more information, see [AUTOTITLE](/actions/using-workflows/avoiding-duplication). ## Prerequisites Before you begin, you'll create a repository on {% data variables.product.github %}. -1. Create a new public repository on {% data variables.product.github %}. You can choose any repository name, or use the following `hello-world-composite-action` example. You can add these files after your project has been pushed to {% data variables.product.product_name %}. For more information, see "[AUTOTITLE](/repositories/creating-and-managing-repositories/creating-a-new-repository)." +1. Create a new public repository on {% data variables.product.github %}. You can choose any repository name, or use the following `hello-world-composite-action` example. You can add these files after your project has been pushed to {% data variables.product.product_name %}. For more information, see [AUTOTITLE](/repositories/creating-and-managing-repositories/creating-a-new-repository). -1. Clone your repository to your computer. For more information, see "[AUTOTITLE](/repositories/creating-and-managing-repositories/cloning-a-repository)." +1. Clone your repository to your computer. For more information, see [AUTOTITLE](/repositories/creating-and-managing-repositories/cloning-a-repository). 1. From your terminal, change directories into your new repository. @@ -90,7 +90,7 @@ Before you begin, you'll create a repository on {% data variables.product.github ## Creating an action metadata file -1. In the `hello-world-composite-action` repository, create a new file called `action.yml` and add the following example code. For more information about this syntax, see "[AUTOTITLE](/actions/creating-actions/metadata-syntax-for-github-actions#runs-for-composite-actions)". +1. In the `hello-world-composite-action` repository, create a new file called `action.yml` and add the following example code. For more information about this syntax, see [AUTOTITLE](/actions/creating-actions/metadata-syntax-for-github-actions#runs-for-composite-actions). ```yaml copy name: 'Hello World' @@ -132,9 +132,9 @@ Before you begin, you'll create a repository on {% data variables.product.github This file defines the `who-to-greet` input, maps the random generated number to the `random-number` output variable, adds the action's path to the runner system path (to locate the `goodbye.sh` script during execution), and runs the `goodbye.sh` script. - For more information about managing outputs, see "[AUTOTITLE](/actions/creating-actions/metadata-syntax-for-github-actions#outputs-for-composite-actions)". + For more information about managing outputs, see [AUTOTITLE](/actions/creating-actions/metadata-syntax-for-github-actions#outputs-for-composite-actions). - For more information about how to use `github.action_path`, see "[AUTOTITLE](/actions/learn-github-actions/contexts#github-context)". + For more information about how to use `github.action_path`, see [AUTOTITLE](/actions/learn-github-actions/contexts#github-context). 1. From your terminal, check in your `action.yml` file. @@ -144,7 +144,7 @@ Before you begin, you'll create a repository on {% data variables.product.github git push ``` -1. From your terminal, add a tag. This example uses a tag called `v1`. For more information, see "[AUTOTITLE](/actions/creating-actions/about-custom-actions#using-release-management-for-actions)." +1. From your terminal, add a tag. This example uses a tag called `v1`. For more information, see [AUTOTITLE](/actions/creating-actions/about-custom-actions#using-release-management-for-actions). ```shell copy git tag -a -m "Description of this release" v1 @@ -153,7 +153,7 @@ Before you begin, you'll create a repository on {% data variables.product.github ## Testing out your action in a workflow -The following workflow code uses the completed hello world action that you made in "[AUTOTITLE](/actions/creating-actions/creating-a-composite-action#creating-an-action-metadata-file)". +The following workflow code uses the completed hello world action that you made in [AUTOTITLE](/actions/creating-actions/creating-a-composite-action#creating-an-action-metadata-file). Copy the workflow code into a `.github/workflows/main.yml` file in another repository, replacing `actions` and `SHA` with the repository owner and the SHA of the commit you want to use, respectively. You can also replace the `who-to-greet` input with your name. diff --git a/content/actions/sharing-automations/creating-actions/creating-a-docker-container-action.md b/content/actions/sharing-automations/creating-actions/creating-a-docker-container-action.md index 7dec054c0478..5a18bb49ffd9 100644 --- a/content/actions/sharing-automations/creating-actions/creating-a-docker-container-action.md +++ b/content/actions/sharing-automations/creating-actions/creating-a-docker-container-action.md @@ -32,13 +32,13 @@ Once you complete this project, you should understand how to build your own Dock ## Prerequisites -* You must create a repository on {% data variables.product.github %} and clone it to your workstation. For more information, see "[AUTOTITLE](/repositories/creating-and-managing-repositories/creating-a-new-repository)" and "[AUTOTITLE](/repositories/creating-and-managing-repositories/cloning-a-repository)." -* If your repository uses {% data variables.large_files.product_name_short %}, you must include the objects in archives of your repository. For more information, see "[AUTOTITLE](/enterprise-cloud@latest/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/managing-git-lfs-objects-in-archives-of-your-repository)." -* You may find it helpful to have a basic understanding of {% data variables.product.prodname_actions %}, environment variables and the Docker container filesystem. For more information, see "[AUTOTITLE](/actions/learn-github-actions/variables)" and "[AUTOTITLE](/enterprise-cloud@latest/actions/using-github-hosted-runners/about-github-hosted-runners#docker-container-filesystem)." +* You must create a repository on {% data variables.product.github %} and clone it to your workstation. For more information, see [AUTOTITLE](/repositories/creating-and-managing-repositories/creating-a-new-repository) and [AUTOTITLE](/repositories/creating-and-managing-repositories/cloning-a-repository). +* If your repository uses {% data variables.large_files.product_name_short %}, you must include the objects in archives of your repository. For more information, see [AUTOTITLE](/enterprise-cloud@latest/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/managing-git-lfs-objects-in-archives-of-your-repository). +* You may find it helpful to have a basic understanding of {% data variables.product.prodname_actions %}, environment variables and the Docker container filesystem. For more information, see [AUTOTITLE](/actions/learn-github-actions/variables) and [AUTOTITLE](/enterprise-cloud@latest/actions/using-github-hosted-runners/about-github-hosted-runners#docker-container-filesystem). ## Creating a Dockerfile -In your new `hello-world-docker-action` directory, create a new `Dockerfile` file. Make sure that your filename is capitalized correctly (use a capital `D` but not a capital `f`) if you're having issues. For more information, see "[AUTOTITLE](/actions/creating-actions/dockerfile-support-for-github-actions)." +In your new `hello-world-docker-action` directory, create a new `Dockerfile` file. Make sure that your filename is capitalized correctly (use a capital `D` but not a capital `f`) if you're having issues. For more information, see [AUTOTITLE](/actions/creating-actions/dockerfile-support-for-github-actions). **Dockerfile** @@ -55,7 +55,7 @@ ENTRYPOINT ["/entrypoint.sh"] ## Creating an action metadata file -Create a new `action.yml` file in the `hello-world-docker-action` directory you created above. For more information, see "[AUTOTITLE](/actions/creating-actions/metadata-syntax-for-github-actions)." +Create a new `action.yml` file in the `hello-world-docker-action` directory you created above. For more information, see [AUTOTITLE](/actions/creating-actions/metadata-syntax-for-github-actions). {% raw %} **action.yml** @@ -89,7 +89,7 @@ This metadata defines one `who-to-greet` input and one `time` output parameter. You can choose any base Docker image and, therefore, any language for your action. The following shell script example uses the `who-to-greet` input variable to print "Hello [who-to-greet]" in the log file. -Next, the script gets the current time and sets it as an output variable that actions running later in a job can use. In order for {% data variables.product.prodname_dotcom %} to recognize output variables, you must write them to the `$GITHUB_OUTPUT` environment file: `echo "=" >> $GITHUB_OUTPUT`. For more information, see "[AUTOTITLE](/actions/using-workflows/workflow-commands-for-github-actions#setting-an-output-parameter)." +Next, the script gets the current time and sets it as an output variable that actions running later in a job can use. In order for {% data variables.product.prodname_dotcom %} to recognize output variables, you must write them to the `$GITHUB_OUTPUT` environment file: `echo "=" >> $GITHUB_OUTPUT`. For more information, see [AUTOTITLE](/actions/using-workflows/workflow-commands-for-github-actions#setting-an-output-parameter). 1. Create a new `entrypoint.sh` file in the `hello-world-docker-action` directory. @@ -106,7 +106,7 @@ Next, the script gets the current time and sets it as an output variable that ac ``` - If `entrypoint.sh` executes without any errors, the action's status is set to `success`. You can also explicitly set exit codes in your action's code to provide an action's status. For more information, see "[AUTOTITLE](/actions/creating-actions/setting-exit-codes-for-actions)." + If `entrypoint.sh` executes without any errors, the action's status is set to `success`. You can also explicitly set exit codes in your action's code to provide an action's status. For more information, see [AUTOTITLE](/actions/creating-actions/setting-exit-codes-for-actions). 1. Make your `entrypoint.sh` file executable. Git provides a way to explicitly change the permission mode of a file so that it doesn’t get reset every time there is a clone/fork. @@ -166,7 +166,7 @@ with: From your terminal, commit your `action.yml`, `entrypoint.sh`, `Dockerfile`, and `README.md` files. -It's best practice to also add a version tag for releases of your action. For more information on versioning your action, see "[AUTOTITLE](/actions/creating-actions/about-custom-actions#using-release-management-for-actions)." +It's best practice to also add a version tag for releases of your action. For more information on versioning your action, see [AUTOTITLE](/actions/creating-actions/about-custom-actions#using-release-management-for-actions). ```shell copy git add action.yml entrypoint.sh Dockerfile README.md @@ -179,15 +179,15 @@ git push --follow-tags Now you're ready to test your action out in a workflow. -{% ifversion private-actions %}- When an action is in a private repository, you can control who can access it. For more information, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#allowing-access-to-components-in-a-private-repository)."{% else %}- When an action is in a private repository, the action can only be used in workflows in the same repository.{% endif %} -{% ifversion ghes or ghec %}{% ifversion internal-actions %}- When an action is in an internal repository, you can control who can access it. For more information, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#allowing-access-to-components-in-an-internal-repository)."{% else %}- When an action is in an internal repository, the action can only be used in workflows in the same repository.{% endif %}{% endif %} +{% ifversion private-actions %}- When an action is in a private repository, you can control who can access it. For more information, see [AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#allowing-access-to-components-in-a-private-repository).{% else %}- When an action is in a private repository, the action can only be used in workflows in the same repository.{% endif %} +{% ifversion ghes or ghec %}{% ifversion internal-actions %}- When an action is in an internal repository, you can control who can access it. For more information, see [AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#allowing-access-to-components-in-an-internal-repository).{% else %}- When an action is in an internal repository, the action can only be used in workflows in the same repository.{% endif %}{% endif %} * Public actions can be used by workflows in any repository. {% data reusables.actions.enterprise-marketplace-actions %} ### Example using a public action -The following workflow code uses the completed _hello world_ action in the public [`actions/hello-world-docker-action`](https://github.com/actions/hello-world-docker-action) repository. Copy the following workflow example code into a `.github/workflows/main.yml` file, but replace the `actions/hello-world-docker-action` with your repository and action name. You can also replace the `who-to-greet` input with your name. {% ifversion fpt or ghec %}Public actions can be used even if they're not published to {% data variables.product.prodname_marketplace %}. For more information, see "[AUTOTITLE](/actions/creating-actions/publishing-actions-in-github-marketplace#publishing-an-action)." {% endif %} +The following workflow code uses the completed _hello world_ action in the public [`actions/hello-world-docker-action`](https://github.com/actions/hello-world-docker-action) repository. Copy the following workflow example code into a `.github/workflows/main.yml` file, but replace the `actions/hello-world-docker-action` with your repository and action name. You can also replace the `who-to-greet` input with your name. {% ifversion fpt or ghec %}Public actions can be used even if they're not published to {% data variables.product.prodname_marketplace %}. For more information, see [AUTOTITLE](/actions/creating-actions/publishing-actions-in-github-marketplace#publishing-an-action). {% endif %} **.github/workflows/main.yml** @@ -264,7 +264,7 @@ jobs: path: {% raw %}${{ github.workspace }}{% endraw %} ``` -For more information about uploading build output as an artifact, see "[AUTOTITLE](/actions/using-workflows/storing-workflow-data-as-artifacts)." +For more information about uploading build output as an artifact, see [AUTOTITLE](/actions/using-workflows/storing-workflow-data-as-artifacts). ## Example Docker container actions on {% data variables.product.prodname_dotcom_the_website %} diff --git a/content/actions/sharing-automations/creating-actions/creating-a-javascript-action.md b/content/actions/sharing-automations/creating-actions/creating-a-javascript-action.md index d3a9e286ee5c..0eaf12bd5763 100644 --- a/content/actions/sharing-automations/creating-actions/creating-a-javascript-action.md +++ b/content/actions/sharing-automations/creating-actions/creating-a-javascript-action.md @@ -39,9 +39,9 @@ Before you begin, you'll need to download Node.js and create a public {% data va 1. Download and install Node.js {% ifversion actions-node20-support %}20.x{% else %}16.x{% endif %}, which includes npm. https://nodejs.org/en/download/ -1. Create a new public repository on {% data variables.product.github %} and call it "hello-world-javascript-action". For more information, see "[AUTOTITLE](/repositories/creating-and-managing-repositories/creating-a-new-repository)." +1. Create a new public repository on {% data variables.product.github %} and call it "hello-world-javascript-action". For more information, see [AUTOTITLE](/repositories/creating-and-managing-repositories/creating-a-new-repository). -1. Clone your repository to your computer. For more information, see "[AUTOTITLE](/repositories/creating-and-managing-repositories/cloning-a-repository)." +1. Clone your repository to your computer. For more information, see [AUTOTITLE](/repositories/creating-and-managing-repositories/cloning-a-repository). 1. From your terminal, change directories into your new repository. @@ -57,7 +57,7 @@ Before you begin, you'll need to download Node.js and create a public {% data va ## Creating an action metadata file -Create a new file named `action.yml` in the `hello-world-javascript-action` directory with the following example code. For more information, see "[AUTOTITLE](/actions/creating-actions/metadata-syntax-for-github-actions)." +Create a new file named `action.yml` in the `hello-world-javascript-action` directory with the following example code. For more information, see [AUTOTITLE](/actions/creating-actions/metadata-syntax-for-github-actions). ```yaml copy name: 'Hello World' @@ -126,7 +126,7 @@ try { {% endraw %} -If an error is thrown in the above `index.js` example, `core.setFailed(error.message);` uses the actions toolkit [`@actions/core`](https://github.com/actions/toolkit/tree/main/packages/core) package to log a message and set a failing exit code. For more information, see "[AUTOTITLE](/actions/creating-actions/setting-exit-codes-for-actions)." +If an error is thrown in the above `index.js` example, `core.setFailed(error.message);` uses the actions toolkit [`@actions/core`](https://github.com/actions/toolkit/tree/main/packages/core) package to log a message and set a failing exit code. For more information, see [AUTOTITLE](/actions/creating-actions/setting-exit-codes-for-actions). ## Creating a README @@ -173,7 +173,7 @@ with: From your terminal, commit your `action.yml`, `index.js`, `node_modules`, `package.json`, `package-lock.json`, and `README.md` files. If you added a `.gitignore` file that lists `node_modules`, you'll need to remove that line to commit the `node_modules` directory. -It's best practice to also add a version tag for releases of your action. For more information on versioning your action, see "[AUTOTITLE](/actions/creating-actions/about-custom-actions#using-release-management-for-actions)." +It's best practice to also add a version tag for releases of your action. For more information on versioning your action, see [AUTOTITLE](/actions/creating-actions/about-custom-actions#using-release-management-for-actions). ```shell copy git add action.yml index.js node_modules/* package.json package-lock.json README.md @@ -215,7 +215,7 @@ Checking in your `node_modules` directory can cause problems. As an alternative, Now you're ready to test your action out in a workflow. -Public actions can be used by workflows in any repository. When an action is in a private{% ifversion ghec or ghes %} or internal{% endif %} repository, the repository settings dictate whether the action is available only within the same repository or also to other repositories owned by the same {% ifversion ghec or ghes %}organization or enterprise{% else %}user or organization{% endif %}. For more information, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository)." +Public actions can be used by workflows in any repository. When an action is in a private{% ifversion ghec or ghes %} or internal{% endif %} repository, the repository settings dictate whether the action is available only within the same repository or also to other repositories owned by the same {% ifversion ghec or ghes %}organization or enterprise{% else %}user or organization{% endif %}. For more information, see [AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository). {% data reusables.actions.enterprise-marketplace-actions %} diff --git a/content/actions/sharing-automations/creating-actions/developing-a-third-party-cli-action.md b/content/actions/sharing-automations/creating-actions/developing-a-third-party-cli-action.md index f0a3aa649680..01ed43db4285 100644 --- a/content/actions/sharing-automations/creating-actions/developing-a-third-party-cli-action.md +++ b/content/actions/sharing-automations/creating-actions/developing-a-third-party-cli-action.md @@ -28,7 +28,7 @@ This article will demonstrate how to write an action that retrieves a specific v ## Prerequisites -You should have an understanding of how to write a custom action. For more information, see "[AUTOTITLE](/actions/creating-actions/about-custom-actions)". For a more detailed guide on how to write a custom action, see "[AUTOTITLE](/actions/creating-actions/creating-a-javascript-action)." +You should have an understanding of how to write a custom action. For more information, see [AUTOTITLE](/actions/creating-actions/about-custom-actions). For a more detailed guide on how to write a custom action, see [AUTOTITLE](/actions/creating-actions/creating-a-javascript-action). ## Example @@ -61,7 +61,7 @@ module.exports = setup {% endraw %} -To use this script, replace `getDownloadURL` with a function that downloads your CLI. You will also need to create an actions metadata file (`action.yml`) that accepts a `version` input and that runs this script. For full details about how to create an action, see "[AUTOTITLE](/actions/creating-actions/creating-a-javascript-action)." +To use this script, replace `getDownloadURL` with a function that downloads your CLI. You will also need to create an actions metadata file (`action.yml`) that accepts a `version` input and that runs this script. For full details about how to create an action, see [AUTOTITLE](/actions/creating-actions/creating-a-javascript-action). ## Further reading diff --git a/content/actions/sharing-automations/creating-actions/dockerfile-support-for-github-actions.md b/content/actions/sharing-automations/creating-actions/dockerfile-support-for-github-actions.md index 796517bae008..c304e80b65fb 100644 --- a/content/actions/sharing-automations/creating-actions/dockerfile-support-for-github-actions.md +++ b/content/actions/sharing-automations/creating-actions/dockerfile-support-for-github-actions.md @@ -16,7 +16,7 @@ type: reference ## About Dockerfile instructions -A `Dockerfile` contains instructions and arguments that define the contents and startup behavior of a Docker container. For more information about the instructions Docker supports, see "[Dockerfile reference](https://docs.docker.com/engine/reference/builder/)" in the Docker documentation. +A `Dockerfile` contains instructions and arguments that define the contents and startup behavior of a Docker container. For more information about the instructions Docker supports, see [Dockerfile reference](https://docs.docker.com/engine/reference/builder/) in the Docker documentation. ## Dockerfile instructions and overrides @@ -24,7 +24,7 @@ Some Docker instructions interact with GitHub Actions, and an action's metadata ### USER -Docker actions must be run by the default Docker user (root). Do not use the `USER` instruction in your `Dockerfile`, because you won't be able to access the `GITHUB_WORKSPACE` directory. For more information, see "[AUTOTITLE](/actions/learn-github-actions/variables#default-environment-variables)" and [USER reference](https://docs.docker.com/engine/reference/builder/#user) in the Docker documentation. +Docker actions must be run by the default Docker user (root). Do not use the `USER` instruction in your `Dockerfile`, because you won't be able to access the `GITHUB_WORKSPACE` directory. For more information, see [AUTOTITLE](/actions/learn-github-actions/variables#default-environment-variables) and [USER reference](https://docs.docker.com/engine/reference/builder/#user) in the Docker documentation. ### FROM @@ -38,11 +38,11 @@ These are some best practices when setting the `FROM` argument: ### WORKDIR -{% data variables.product.product_name %} sets the working directory path in the `GITHUB_WORKSPACE` environment variable. It's recommended to not use the `WORKDIR` instruction in your `Dockerfile`. Before the action executes, {% data variables.product.product_name %} will mount the `GITHUB_WORKSPACE` directory on top of anything that was at that location in the Docker image and set `GITHUB_WORKSPACE` as the working directory. For more information, see "[AUTOTITLE](/actions/learn-github-actions/variables#default-environment-variables)" and the [WORKDIR reference](https://docs.docker.com/engine/reference/builder/#workdir) in the Docker documentation. +{% data variables.product.product_name %} sets the working directory path in the `GITHUB_WORKSPACE` environment variable. It's recommended to not use the `WORKDIR` instruction in your `Dockerfile`. Before the action executes, {% data variables.product.product_name %} will mount the `GITHUB_WORKSPACE` directory on top of anything that was at that location in the Docker image and set `GITHUB_WORKSPACE` as the working directory. For more information, see [AUTOTITLE](/actions/learn-github-actions/variables#default-environment-variables) and the [WORKDIR reference](https://docs.docker.com/engine/reference/builder/#workdir) in the Docker documentation. ### ENTRYPOINT -If you define `entrypoint` in an action's metadata file, it will override the `ENTRYPOINT` defined in the `Dockerfile`. For more information, see "[AUTOTITLE](/actions/creating-actions/metadata-syntax-for-github-actions#runsentrypoint)." +If you define `entrypoint` in an action's metadata file, it will override the `ENTRYPOINT` defined in the `Dockerfile`. For more information, see [AUTOTITLE](/actions/creating-actions/metadata-syntax-for-github-actions#runsentrypoint). The Docker `ENTRYPOINT` instruction has a _shell_ form and _exec_ form. The Docker `ENTRYPOINT` documentation recommends using the _exec_ form of the `ENTRYPOINT` instruction. For more information about _exec_ and _shell_ form, see the [ENTRYPOINT reference](https://docs.docker.com/engine/reference/builder/#entrypoint) in the Docker documentation. @@ -102,7 +102,7 @@ Error response from daemon: OCI runtime create failed: container_linux.go:348: s ### CMD -If you define `args` in the action's metadata file, `args` will override the `CMD` instruction specified in the `Dockerfile`. For more information, see "[AUTOTITLE](/actions/creating-actions/metadata-syntax-for-github-actions#runsargs)". +If you define `args` in the action's metadata file, `args` will override the `CMD` instruction specified in the `Dockerfile`. For more information, see [AUTOTITLE](/actions/creating-actions/metadata-syntax-for-github-actions#runsargs). If you use `CMD` in your `Dockerfile`, follow these guidelines: @@ -110,4 +110,4 @@ If you use `CMD` in your `Dockerfile`, follow these guidelines: ## Supported Linux capabilities -{% data variables.product.prodname_actions %} supports the default Linux capabilities that Docker supports. Capabilities can't be added or removed. For more information about the default Linux capabilities that Docker supports, see "[Linux kernel capabilities](https://docs.docker.com/engine/security/#linux-kernel-capabilities)" in the Docker documentation. To learn more about Linux capabilities, see "[Overview of Linux capabilities](http://man7.org/linux/man-pages/man7/capabilities.7.html)" in the Linux man-pages. +{% data variables.product.prodname_actions %} supports the default Linux capabilities that Docker supports. Capabilities can't be added or removed. For more information about the default Linux capabilities that Docker supports, see [Linux kernel capabilities](https://docs.docker.com/engine/security/#linux-kernel-capabilities) in the Docker documentation. To learn more about Linux capabilities, see [Overview of Linux capabilities](http://man7.org/linux/man-pages/man7/capabilities.7.html) in the Linux man-pages. diff --git a/content/actions/sharing-automations/creating-actions/metadata-syntax-for-github-actions.md b/content/actions/sharing-automations/creating-actions/metadata-syntax-for-github-actions.md index 70d5f32c7dfc..368f919bff29 100644 --- a/content/actions/sharing-automations/creating-actions/metadata-syntax-for-github-actions.md +++ b/content/actions/sharing-automations/creating-actions/metadata-syntax-for-github-actions.md @@ -21,7 +21,7 @@ type: reference All actions require a metadata file. The metadata filename must be either `action.yml` or `action.yaml`. The data in the metadata file defines the inputs, outputs, and runs configuration for your action. -Action metadata files use YAML syntax. If you're new to YAML, you can read "[Learn YAML in five minutes](https://www.codeproject.com/Articles/1214409/Learn-YAML-in-five-minutes)." +Action metadata files use YAML syntax. If you're new to YAML, you can read [Learn YAML in five minutes](https://www.codeproject.com/Articles/1214409/Learn-YAML-in-five-minutes). ## `name` @@ -46,7 +46,7 @@ This example configures two inputs: `num-octocats` and `octocat-eye-color`. The > [!NOTE] > Actions using `required: true` will not automatically return an error if the input is not specified. -Workflow files that use this action can use the `with` keyword to set an input value for `octocat-eye-color`. For more information about the `with` syntax, see "[AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepswith)." +Workflow files that use this action can use the `with` keyword to set an input value for `octocat-eye-color`. For more information about the `with` syntax, see [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepswith). ```yaml inputs: @@ -63,7 +63,7 @@ When you specify an input, {% data variables.product.prodname_dotcom %} creates If the action is written using a [composite](/actions/creating-actions/creating-a-composite-action), then it will not automatically get `INPUT_`. With composite actions you can use `inputs` [AUTOTITLE](/actions/learn-github-actions/contexts) to access action inputs. -To access the environment variable in a Docker container action, you must pass the input using the `args` keyword in the action metadata file. For more information about the action metadata file for Docker container actions, see "[AUTOTITLE](/actions/creating-actions/creating-a-docker-container-action#creating-an-action-metadata-file)." +To access the environment variable in a Docker container action, you must pass the input using the `args` keyword in the action metadata file. For more information about the action metadata file for Docker container actions, see [AUTOTITLE](/actions/creating-actions/creating-a-docker-container-action#creating-an-action-metadata-file). For example, if a workflow defined the `num-octocats` and `octocat-eye-color` inputs, the action code could read the values of the inputs using the `INPUT_NUM-OCTOCATS` and `INPUT_OCTOCAT-EYE-COLOR` environment variables. @@ -93,7 +93,7 @@ For example, if a workflow defined the `num-octocats` and `octocat-eye-color` in {% data reusables.actions.output-limitations %} -If you don't declare an output in your action metadata file, you can still set outputs and use them in a workflow. For more information on setting outputs in an action, see "[AUTOTITLE](/actions/using-workflows/workflow-commands-for-github-actions#setting-an-output-parameter)." +If you don't declare an output in your action metadata file, you can still set outputs and use them in a workflow. For more information on setting outputs in an action, see [AUTOTITLE](/actions/using-workflows/workflow-commands-for-github-actions#setting-an-output-parameter). ### Example: Declaring outputs for Docker container and JavaScript actions @@ -113,7 +113,7 @@ outputs: ## `outputs` for composite actions -**Optional** `outputs` use the same parameters as `outputs.` and `outputs..description` (see "[`outputs` for Docker container and JavaScript actions](#outputs-for-docker-container-and-javascript-actions)"), but also includes the `value` token. +**Optional** `outputs` use the same parameters as `outputs.` and `outputs..description` (see [`outputs` for Docker container and JavaScript actions](#outputs-for-docker-container-and-javascript-actions)), but also includes the `value` token. {% data reusables.actions.output-limitations %} @@ -140,7 +140,7 @@ runs: **Required** The value that the output parameter will be mapped to. You can set this to a `string` or an expression with context. For example, you can use the `steps` context to set the `value` of an output to the output value of a step. -For more information on how to use context syntax, see "[AUTOTITLE](/actions/learn-github-actions/contexts)." +For more information on how to use context syntax, see [AUTOTITLE](/actions/learn-github-actions/contexts). ## `runs` @@ -259,17 +259,17 @@ runs: shell: bash ``` -For more information, see "[AUTOTITLE](/actions/learn-github-actions/contexts#github-context)". +For more information, see [AUTOTITLE](/actions/learn-github-actions/contexts#github-context). #### `runs.steps[*].shell` -**Optional** The shell where you want to run the command. You can use any of the shells listed in "[AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsshell)." Required if `run` is set. +**Optional** The shell where you want to run the command. You can use any of the shells listed in [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsshell). Required if `run` is set. #### `runs.steps[*].if` **Optional** You can use the `if` conditional to prevent a step from running unless a condition is met. You can use any supported context and expression to create a conditional. -{% data reusables.actions.expression-syntax-if %} For more information, see "[AUTOTITLE](/actions/learn-github-actions/expressions)." +{% data reusables.actions.expression-syntax-if %} For more information, see [AUTOTITLE](/actions/learn-github-actions/expressions). **Example: Using contexts** @@ -283,7 +283,7 @@ steps: **Example: Using status check functions** -The `my backup step` only runs when the previous step of a composite action fails. For more information, see "[AUTOTITLE](/actions/learn-github-actions/expressions#status-check-functions)." +The `my backup step` only runs when the previous step of a composite action fails. For more information, see [AUTOTITLE](/actions/learn-github-actions/expressions#status-check-functions). ```yaml steps: @@ -300,7 +300,7 @@ steps: #### `runs.steps[*].id` -**Optional** A unique identifier for the step. You can use the `id` to reference the step in contexts. For more information, see "[AUTOTITLE](/actions/learn-github-actions/contexts)." +**Optional** A unique identifier for the step. You can use the `id` to reference the step in contexts. For more information, see [AUTOTITLE](/actions/learn-github-actions/contexts). #### `runs.steps[*].env` @@ -421,7 +421,7 @@ runs: **Optional** Overrides the Docker `ENTRYPOINT` in the `Dockerfile`, or sets it if one wasn't already specified. Use `entrypoint` when the `Dockerfile` does not specify an `ENTRYPOINT` or you want to override the `ENTRYPOINT` instruction. If you omit `entrypoint`, the commands you specify in the Docker `ENTRYPOINT` instruction will execute. The Docker `ENTRYPOINT` instruction has a _shell_ form and _exec_ form. The Docker `ENTRYPOINT` documentation recommends using the _exec_ form of the `ENTRYPOINT` instruction. -For more information about how the `entrypoint` executes, see "[AUTOTITLE](/actions/creating-actions/dockerfile-support-for-github-actions#entrypoint)." +For more information about how the `entrypoint` executes, see [AUTOTITLE](/actions/creating-actions/dockerfile-support-for-github-actions#entrypoint). ### `runs.post-entrypoint` @@ -447,7 +447,7 @@ The `args` are used in place of the `CMD` instruction in a `Dockerfile`. If you If you need to pass environment variables into an action, make sure your action runs a command shell to perform variable substitution. For example, if your `entrypoint` attribute is set to `"sh -c"`, `args` will be run in a command shell. Alternatively, if your `Dockerfile` uses an `ENTRYPOINT` to run the same command (`"sh -c"`), `args` will execute in a command shell. -For more information about using the `CMD` instruction with {% data variables.product.prodname_actions %}, see "[AUTOTITLE](/actions/creating-actions/dockerfile-support-for-github-actions#cmd)." +For more information about using the `CMD` instruction with {% data variables.product.prodname_actions %}, see [AUTOTITLE](/actions/creating-actions/dockerfile-support-for-github-actions#cmd). #### Example: Defining arguments for the Docker container diff --git a/content/actions/sharing-automations/creating-actions/publishing-actions-in-github-marketplace.md b/content/actions/sharing-automations/creating-actions/publishing-actions-in-github-marketplace.md index 409d374a4df2..823ebdef80f3 100644 --- a/content/actions/sharing-automations/creating-actions/publishing-actions-in-github-marketplace.md +++ b/content/actions/sharing-automations/creating-actions/publishing-actions-in-github-marketplace.md @@ -17,7 +17,7 @@ You must accept the terms of service to publish actions in {% data variables.pro ## About publishing actions -Before you can publish an action, you'll need to create an action in your repository. For more information, see "[AUTOTITLE](/actions/creating-actions)." +Before you can publish an action, you'll need to create an action in your repository. For more information, see [AUTOTITLE](/actions/creating-actions). When you plan to publish your action to {% data variables.product.prodname_marketplace %}, you'll need to ensure that the repository only includes the metadata file, code, and files necessary for the action. Creating a single repository for the action allows you to tag, release, and package the code in a single unit. {% data variables.product.prodname_dotcom %} also uses the action's metadata on your {% data variables.product.prodname_marketplace %} page. @@ -51,7 +51,7 @@ To draft a new release and publish the action to {% data variables.product.prodn 1. Optionally, select the **Another Category** dropdown menu and click a secondary category. 1. In the tag field, type a version for your action. This helps people know what changes or features the release includes. People will see the version in the action's dedicated {% data variables.product.prodname_marketplace %} page. 1. In the title field, type a release title. -1. Complete all other fields and click **Publish release**. Publishing requires you to use two-factor authentication. For more information, see "[AUTOTITLE](/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication)." +1. Complete all other fields and click **Publish release**. Publishing requires you to use two-factor authentication. For more information, see [AUTOTITLE](/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication). ## Removing an action from {% data variables.product.prodname_marketplace %} @@ -65,7 +65,7 @@ To remove a published action from {% data variables.product.prodname_marketplace ## Transferring an action repository -You can transfer an action repository to another user or organization. For more information, see "[AUTOTITLE](/repositories/creating-and-managing-repositories/transferring-a-repository)." +You can transfer an action repository to another user or organization. For more information, see [AUTOTITLE](/repositories/creating-and-managing-repositories/transferring-a-repository). When a repository admin transfers an action repository, {% data variables.product.prodname_dotcom %} automatically creates a redirect from the previous URL to the new URL, meaning workflows that use the affected action do not need to be updated. diff --git a/content/actions/sharing-automations/creating-actions/releasing-and-maintaining-actions.md b/content/actions/sharing-automations/creating-actions/releasing-and-maintaining-actions.md index 33e424dea323..8e487ea6a326 100644 --- a/content/actions/sharing-automations/creating-actions/releasing-and-maintaining-actions.md +++ b/content/actions/sharing-automations/creating-actions/releasing-and-maintaining-actions.md @@ -51,26 +51,26 @@ JavaScript actions are Node.js repositories with metadata. However, JavaScript a To support the developer process in the next section, add two {% data variables.product.prodname_actions %} workflows to your repository: 1. Add a workflow that triggers when a commit is pushed to a feature branch or to `main` or when a pull request is created. Configure the workflow to run your unit and integration tests. For an example, see [this workflow](https://github.com/actions/javascript-action/blob/main/.github/workflows/ci.yml). -1. Add a workflow that triggers when a release is published or edited. Configure the workflow to ensure semantic tags are in place. You can use an action like [JasonEtco/build-and-tag-action](https://github.com/JasonEtco/build-and-tag-action) to compile and bundle the JavaScript and metadata file and force push semantic major, minor, and patch tags. For more information about semantic tags, see "[About semantic versioning](https://docs.npmjs.com/about-semantic-versioning)." +1. Add a workflow that triggers when a release is published or edited. Configure the workflow to ensure semantic tags are in place. You can use an action like [JasonEtco/build-and-tag-action](https://github.com/JasonEtco/build-and-tag-action) to compile and bundle the JavaScript and metadata file and force push semantic major, minor, and patch tags. For more information about semantic tags, see [About semantic versioning](https://docs.npmjs.com/about-semantic-versioning). ### Example developer process Here is an example process that you can follow to automatically run tests, create a release{% ifversion fpt or ghec %} and publish to {% data variables.product.prodname_marketplace %}{% endif %}, and publish your action. -1. Do feature work in branches per GitHub flow. For more information, see "[AUTOTITLE](/get-started/using-github/github-flow)." +1. Do feature work in branches per GitHub flow. For more information, see [AUTOTITLE](/get-started/using-github/github-flow). * Whenever a commit is pushed to the feature branch, your testing workflow will automatically run the tests. 1. Create pull requests to the `main` branch to initiate discussion and review, merging when ready. * When a pull request is opened, either from a branch or a fork, your testing workflow will again run the tests, this time with the merge commit. - * **Note:** for security reasons, workflows triggered by `pull_request` from forks have restricted `GITHUB_TOKEN` permissions and do not have access to secrets. If your tests or other workflows triggered upon pull request require access to secrets, consider using a different event like a [manual trigger](/actions/using-workflows/events-that-trigger-workflows#manual-events) or a [`pull_request_target`](/actions/using-workflows/events-that-trigger-workflows#pull_request_target). For more information, see "[AUTOTITLE](/actions/using-workflows/events-that-trigger-workflows#pull-request-events-for-forked-repositories)." + * **Note:** for security reasons, workflows triggered by `pull_request` from forks have restricted `GITHUB_TOKEN` permissions and do not have access to secrets. If your tests or other workflows triggered upon pull request require access to secrets, consider using a different event like a [manual trigger](/actions/using-workflows/events-that-trigger-workflows#manual-events) or a [`pull_request_target`](/actions/using-workflows/events-that-trigger-workflows#pull_request_target). For more information, see [AUTOTITLE](/actions/using-workflows/events-that-trigger-workflows#pull-request-events-for-forked-repositories). -1. Create a semantically tagged release. {% ifversion fpt or ghec %} You may also publish to {% data variables.product.prodname_marketplace %} with a simple checkbox. {% endif %} For more information, see "[AUTOTITLE](/repositories/releasing-projects-on-github/managing-releases-in-a-repository#creating-a-release)"{% ifversion fpt or ghec %} and "[AUTOTITLE](/actions/creating-actions/publishing-actions-in-github-marketplace#publishing-an-action)"{% endif %}. +1. Create a semantically tagged release. {% ifversion fpt or ghec %} You may also publish to {% data variables.product.prodname_marketplace %} with a simple checkbox. {% endif %} For more information, see [AUTOTITLE](/repositories/releasing-projects-on-github/managing-releases-in-a-repository#creating-a-release){% ifversion fpt or ghec %} and [AUTOTITLE](/actions/creating-actions/publishing-actions-in-github-marketplace#publishing-an-action){% endif %}. * When a release is published or edited, your release workflow will automatically take care of compilation and adjusting tags. - * We recommend creating releases using semantically versioned tags – for example, `v1.1.3` – and keeping major (`v1`) and minor (`v1.1`) tags current to the latest appropriate commit. For more information, see "[AUTOTITLE](/actions/creating-actions/about-custom-actions#using-release-management-for-actions)" and "[About semantic versioning](https://docs.npmjs.com/about-semantic-versioning)." + * We recommend creating releases using semantically versioned tags – for example, `v1.1.3` – and keeping major (`v1`) and minor (`v1.1`) tags current to the latest appropriate commit. For more information, see [AUTOTITLE](/actions/creating-actions/about-custom-actions#using-release-management-for-actions) and [About semantic versioning](https://docs.npmjs.com/about-semantic-versioning). ### Results @@ -82,11 +82,11 @@ Using semantic releases means that the users of your actions can pin their workf {% data variables.product.product_name %} provides tools and guides to help you work with the open source community. Here are a few tools we recommend setting up for healthy bidirectional communication. By providing the following signals to the community, you encourage others to use, modify, and contribute to your action: -* Maintain a `README` with plenty of usage examples and guidance. For more information, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-readmes)." -* Include a workflow status badge in your `README` file. For more information, see "[AUTOTITLE](/actions/monitoring-and-troubleshooting-workflows/adding-a-workflow-status-badge)." Also visit [shields.io](https://shields.io/) to learn about other badges that you can add.{% ifversion fpt or ghec %} -* Add community health files like `CODE_OF_CONDUCT`, `CONTRIBUTING`, and `SECURITY`. For more information, see "[AUTOTITLE](/communities/setting-up-your-project-for-healthy-contributions/creating-a-default-community-health-file#supported-file-types)."{% endif %} +* Maintain a `README` with plenty of usage examples and guidance. For more information, see [AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-readmes). +* Include a workflow status badge in your `README` file. For more information, see [AUTOTITLE](/actions/monitoring-and-troubleshooting-workflows/adding-a-workflow-status-badge). Also visit [shields.io](https://shields.io/) to learn about other badges that you can add.{% ifversion fpt or ghec %} +* Add community health files like `CODE_OF_CONDUCT`, `CONTRIBUTING`, and `SECURITY`. For more information, see [AUTOTITLE](/communities/setting-up-your-project-for-healthy-contributions/creating-a-default-community-health-file#supported-file-types).{% endif %} * Keep issues current by utilizing actions like [actions/stale](https://github.com/actions/stale).{% ifversion fpt or ghec %} -* Use {% data variables.product.product_name %}'s security features to communicate about vulnerabilities and how to fix them. For more information, see "[AUTOTITLE](/actions/security-guides/using-githubs-security-features-to-secure-your-use-of-github-actions#protecting-actions-youve-created)."{% endif %} +* Use {% data variables.product.product_name %}'s security features to communicate about vulnerabilities and how to fix them. For more information, see [AUTOTITLE](/actions/security-guides/using-githubs-security-features-to-secure-your-use-of-github-actions#protecting-actions-youve-created).{% endif %} ## Further reading diff --git a/content/actions/sharing-automations/creating-actions/setting-exit-codes-for-actions.md b/content/actions/sharing-automations/creating-actions/setting-exit-codes-for-actions.md index 3ba9ea0b766e..39ecae18c0be 100644 --- a/content/actions/sharing-automations/creating-actions/setting-exit-codes-for-actions.md +++ b/content/actions/sharing-automations/creating-actions/setting-exit-codes-for-actions.md @@ -35,7 +35,7 @@ try { } ``` -For more information, see "[AUTOTITLE](/actions/creating-actions/creating-a-javascript-action)." +For more information, see [AUTOTITLE](/actions/creating-actions/creating-a-javascript-action). ## Setting a failure exit code in a Docker container action @@ -48,4 +48,4 @@ if ; then fi ``` -For more information, see "[AUTOTITLE](/actions/creating-actions/creating-a-docker-container-action)." +For more information, see [AUTOTITLE](/actions/creating-actions/creating-a-docker-container-action). diff --git a/content/actions/sharing-automations/creating-workflow-templates-for-your-organization.md b/content/actions/sharing-automations/creating-workflow-templates-for-your-organization.md index d2d64aa3169b..76c0a2c56392 100644 --- a/content/actions/sharing-automations/creating-workflow-templates-for-your-organization.md +++ b/content/actions/sharing-automations/creating-workflow-templates-for-your-organization.md @@ -37,7 +37,7 @@ Workflow templates created by users can only be used to create workflows in publ {% endif %} > [!NOTE] -> To avoid duplication among workflow templates you can call reusable workflows from within a workflow. This can help make your workflows easier to maintain. For more information, see "[AUTOTITLE](/actions/using-workflows/reusing-workflows)." +> To avoid duplication among workflow templates you can call reusable workflows from within a workflow. This can help make your workflows easier to maintain. For more information, see [AUTOTITLE](/actions/using-workflows/reusing-workflows). This procedure demonstrates how to create a workflow template and metadata file. The metadata file describes how the workflow templates will be presented to users when they are creating a new workflow. @@ -114,4 +114,4 @@ To add another workflow template, add your files to the same `workflow-templates ## Next steps -To continue learning about {% data variables.product.prodname_actions %}, see "[AUTOTITLE](/actions/learn-github-actions/using-starter-workflows)." +To continue learning about {% data variables.product.prodname_actions %}, see [AUTOTITLE](/actions/learn-github-actions/using-starter-workflows). diff --git a/content/actions/sharing-automations/required-workflows.md b/content/actions/sharing-automations/required-workflows.md index c26152f424cb..c443c5dbbc76 100644 --- a/content/actions/sharing-automations/required-workflows.md +++ b/content/actions/sharing-automations/required-workflows.md @@ -50,4 +50,4 @@ After a required workflow has run at least once in a repository, you can view it ## Adding a required workflow to an organization -Organization owners can configure required workflows in their organization. For more information, see "[AUTOTITLE](/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#adding-a-required-workflow-to-an-organization)." +Organization owners can configure required workflows in their organization. For more information, see [AUTOTITLE](/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#adding-a-required-workflow-to-an-organization). diff --git a/content/actions/sharing-automations/reusing-workflows.md b/content/actions/sharing-automations/reusing-workflows.md index 3fa5a9073f71..6832eb80beef 100644 --- a/content/actions/sharing-automations/reusing-workflows.md +++ b/content/actions/sharing-automations/reusing-workflows.md @@ -36,19 +36,19 @@ A workflow that uses another workflow is referred to as a "caller" workflow. The If you reuse a workflow from a different repository, any actions in the called workflow run as if they were part of the caller workflow. For example, if the called workflow uses `actions/checkout`, the action checks out the contents of the repository that hosts the caller workflow, not the called workflow. -When a reusable workflow is triggered by a caller workflow, the `github` context is always associated with the caller workflow. The called workflow is automatically granted access to `github.token` and `secrets.GITHUB_TOKEN`. For more information about the `github` context, see "[AUTOTITLE](/actions/learn-github-actions/contexts#github-context)." +When a reusable workflow is triggered by a caller workflow, the `github` context is always associated with the caller workflow. The called workflow is automatically granted access to `github.token` and `secrets.GITHUB_TOKEN`. For more information about the `github` context, see [AUTOTITLE](/actions/learn-github-actions/contexts#github-context). You can view the reused workflows referenced in your {% data variables.product.prodname_actions %} workflows as dependencies in the dependency graph of the repository containing your workflows. For more information, see “[About the dependency graph](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph).” ### Reusable workflows and composite actions -Reusable workflows and composite actions both help you to avoid duplication. Whereas reusable workflows allow you to reuse an entire workflow, with multiple jobs and steps, composite actions combine multiple steps that you can then run within a job step, just like any other action. For more information, see "[AUTOTITLE](/actions/using-workflows/avoiding-duplication)." +Reusable workflows and composite actions both help you to avoid duplication. Whereas reusable workflows allow you to reuse an entire workflow, with multiple jobs and steps, composite actions combine multiple steps that you can then run within a job step, just like any other action. For more information, see [AUTOTITLE](/actions/using-workflows/avoiding-duplication). ### Reusable workflows and workflow templates -Workflow templates allow everyone in your organization who has permission to create workflows to do so more quickly and easily. When people create a new workflow, they can choose a workflow template and some or all of the work of writing the workflow will be done for them. Within a workflow template, you can also reference reusable workflows to make it easy for people to benefit from reusing centrally managed workflow code. If you use a commit SHA when referencing the reusable workflow, you can ensure that everyone who reuses that workflow will always be using the same YAML code. However, if you reference a reusable workflow by a tag or branch, be sure that you can trust that version of the workflow. For more information, see "[AUTOTITLE](/actions/security-guides/security-hardening-for-github-actions#reusing-third-party-workflows)." +Workflow templates allow everyone in your organization who has permission to create workflows to do so more quickly and easily. When people create a new workflow, they can choose a workflow template and some or all of the work of writing the workflow will be done for them. Within a workflow template, you can also reference reusable workflows to make it easy for people to benefit from reusing centrally managed workflow code. If you use a commit SHA when referencing the reusable workflow, you can ensure that everyone who reuses that workflow will always be using the same YAML code. However, if you reference a reusable workflow by a tag or branch, be sure that you can trust that version of the workflow. For more information, see [AUTOTITLE](/actions/security-guides/security-hardening-for-github-actions#reusing-third-party-workflows). -For more information, see "[AUTOTITLE](/actions/using-workflows/creating-starter-workflows-for-your-organization)." +For more information, see [AUTOTITLE](/actions/using-workflows/creating-starter-workflows-for-your-organization). ## Access to reusable workflows @@ -60,8 +60,8 @@ A reusable workflow can be used by another workflow if any of the following is t You cannot directly use reusable workflows defined on {% data variables.product.prodname_dotcom_the_website %}. Instead store a copy of the reusable workflow on {% data variables.location.product_location %}, and call the workflow from that path. {% elsif actions-workflow-policy %}, and your {% ifversion ghec %}enterprise{% else %}organization{% endif %} allows you to use public reusable workflows.{% endif %}{% ifversion ghes or ghec %} -* The called workflow is stored in an internal repository and the settings for that repository allow it to be accessed. For more information, see {% ifversion internal-actions %}"[AUTOTITLE](/actions/creating-actions/sharing-actions-and-workflows-with-your-enterprise){% else %}"[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#allowing-access-to-components-in-an-internal-repository){% endif %}."{% endif %}{% ifversion private-actions %} -* The called workflow is stored in a private repository and the settings for that repository allow it to be accessed. For more information, see {% ifversion ghes or ghec %}"[AUTOTITLE](/actions/creating-actions/sharing-actions-and-workflows-with-your-enterprise)."{% else %}"[AUTOTITLE](/actions/creating-actions/sharing-actions-and-workflows-with-your-organization)" and "[AUTOTITLE](/actions/creating-actions/sharing-actions-and-workflows-from-your-private-repository)."{% endif %} +* The called workflow is stored in an internal repository and the settings for that repository allow it to be accessed. For more information, see {% ifversion internal-actions %}[AUTOTITLE](/actions/creating-actions/sharing-actions-and-workflows-with-your-enterprise){% else %}[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#allowing-access-to-components-in-an-internal-repository){% endif %}.{% endif %}{% ifversion private-actions %} +* The called workflow is stored in a private repository and the settings for that repository allow it to be accessed. For more information, see {% ifversion ghes or ghec %}[AUTOTITLE](/actions/creating-actions/sharing-actions-and-workflows-with-your-enterprise).{% else %}[AUTOTITLE](/actions/creating-actions/sharing-actions-and-workflows-with-your-organization) and [AUTOTITLE](/actions/creating-actions/sharing-actions-and-workflows-from-your-private-repository).{% endif %} {% endif %} The following table shows the accessibility of reusable workflows to a caller workflow, depending on the visibility of the host repository. @@ -74,9 +74,9 @@ The following table shows the accessibility of reusable workflows to a caller wo | {% endif %} | | `public` | `public` | -The **Actions permissions** on the callers repository's Actions settings page must be configured to allow the use of actions and reusable workflows - see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#allowing-select-actions-and-reusable-workflows-to-run)." +The **Actions permissions** on the callers repository's Actions settings page must be configured to allow the use of actions and reusable workflows - see [AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#allowing-select-actions-and-reusable-workflows-to-run). -For {% ifversion ghes or ghec %}internal or {% endif %}private repositories, the **Access** policy on the Actions settings page of the called workflow's repository must be explicitly configured to allow access from repositories containing caller workflows - see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#allowing-access-to-components-in-a-private-repository)." +For {% ifversion ghes or ghec %}internal or {% endif %}private repositories, the **Access** policy on the Actions settings page of the called workflow's repository must be explicitly configured to allow access from repositories containing caller workflows - see [AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#allowing-access-to-components-in-a-private-repository). {% data reusables.actions.actions-redirects-workflows %} @@ -84,7 +84,7 @@ For {% ifversion ghes or ghec %}internal or {% endif %}private repositories, the ### Using GitHub-hosted runners -The assignment of {% data variables.product.prodname_dotcom %}-hosted runners is always evaluated using only the caller's context. Billing for {% data variables.product.prodname_dotcom %}-hosted runners is always associated with the caller. The caller workflow cannot use {% data variables.product.prodname_dotcom %}-hosted runners from the called repository. For more information, see "[AUTOTITLE](/actions/using-github-hosted-runners/about-github-hosted-runners)." +The assignment of {% data variables.product.prodname_dotcom %}-hosted runners is always evaluated using only the caller's context. Billing for {% data variables.product.prodname_dotcom %}-hosted runners is always associated with the caller. The caller workflow cannot use {% data variables.product.prodname_dotcom %}-hosted runners from the called repository. For more information, see [AUTOTITLE](/actions/using-github-hosted-runners/about-github-hosted-runners). ### Using self-hosted runners @@ -95,7 +95,7 @@ Called workflows that are owned by the same user or organization{% ifversion ghe ## Limitations {% ifversion nested-reusable-workflow %} -* You can connect up to four levels of workflows. For more information, see "[Nesting reusable workflows](#nesting-reusable-workflows)." +* You can connect up to four levels of workflows. For more information, see [Nesting reusable workflows](#nesting-reusable-workflows). * You can call a maximum of 20 unique reusable workflows from a single workflow file. This limit includes any trees of nested reusable workflows that may be called starting from your top-level caller workflow file. For example, _top-level-caller-workflow.yml_ → _called-workflow-1.yml_ → _called-workflow-2.yml_ counts as 2 reusable workflows. @@ -105,9 +105,9 @@ Called workflows that are owned by the same user or organization{% ifversion ghe {% endif %} {% ifversion private-actions %}{% else %}- Reusable workflows stored within a private repository can only be used by workflows within the same repository.{% endif %} {% ifversion actions-reusable-workflow-matrix %}{% else %}* The `strategy` property is not supported in any job that calls a reusable workflow.{% endif %} -* Any environment variables set in an `env` context defined at the workflow level in the caller workflow are not propagated to the called workflow. For more information, see "[AUTOTITLE](/actions/learn-github-actions/variables)" and "[AUTOTITLE](/actions/learn-github-actions/contexts#env-context)." -* Similarly, environment variables set in the `env` context, defined in the called workflow, are not accessible in the `env` context of the caller workflow. Instead, you must use outputs of the reusable workflow. For more information, see "[Using outputs from a reusable workflow](#using-outputs-from-a-reusable-workflow)." -* To reuse variables in multiple workflows, set them at the organization, repository, or environment levels and reference them using the `vars` context. For more information see "[AUTOTITLE](/actions/learn-github-actions/variables)" and "[AUTOTITLE](/actions/learn-github-actions/contexts#vars-context)." +* Any environment variables set in an `env` context defined at the workflow level in the caller workflow are not propagated to the called workflow. For more information, see [AUTOTITLE](/actions/learn-github-actions/variables) and [AUTOTITLE](/actions/learn-github-actions/contexts#env-context). +* Similarly, environment variables set in the `env` context, defined in the called workflow, are not accessible in the `env` context of the caller workflow. Instead, you must use outputs of the reusable workflow. For more information, see [Using outputs from a reusable workflow](#using-outputs-from-a-reusable-workflow). +* To reuse variables in multiple workflows, set them at the organization, repository, or environment levels and reference them using the `vars` context. For more information see [AUTOTITLE](/actions/learn-github-actions/variables) and [AUTOTITLE](/actions/learn-github-actions/contexts#vars-context). * Reusable workflows are called directly within a job, and not from within a job step. You cannot, therefore, use `GITHUB_ENV` to pass values to job steps in the caller workflow. ## Creating a reusable workflow @@ -146,7 +146,7 @@ You can define inputs and secrets, which can be passed from the caller workflow 1. In the reusable workflow, reference the input or secret that you defined in the `on` key in the previous step. > [!NOTE] - > If the secrets are inherited by using `secrets: inherit` in the calling workflow, you can reference them even if they are not explicitly defined in the `on` key. For more information, see "[AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idsecretsinherit)." + > If the secrets are inherited by using `secrets: inherit` in the calling workflow, you can reference them even if they are not explicitly defined in the `on` key. For more information, see [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idsecretsinherit). {%- else %} 1. In the reusable workflow, reference the input or secret that you defined in the `on` key in the previous step. @@ -170,7 +170,7 @@ You can define inputs and secrets, which can be passed from the caller workflow In the example above, `personal_access_token` is a secret that's defined at the repository or organization level. > [!WARNING] - > Environment secrets cannot be passed from the caller workflow as `on.workflow_call` does not support the `environment` keyword. If you include `environment` in the reusable workflow at the job level, the environment secret will be used, and not the secret passed from the caller workflow. For more information, see "[AUTOTITLE](/actions/deployment/targeting-different-environments/managing-environments-for-deployment#environment-secrets)" and "[AUTOTITLE](/actions/writing-workflows/workflow-syntax-for-github-actions#onworkflow_call)". + > Environment secrets cannot be passed from the caller workflow as `on.workflow_call` does not support the `environment` keyword. If you include `environment` in the reusable workflow at the job level, the environment secret will be used, and not the secret passed from the caller workflow. For more information, see [AUTOTITLE](/actions/deployment/targeting-different-environments/managing-environments-for-deployment#environment-secrets) and [AUTOTITLE](/actions/writing-workflows/workflow-syntax-for-github-actions#onworkflow_call). 1. Pass the input or secret from the caller workflow. @@ -231,7 +231,7 @@ You can call multiple workflows, referencing each in a separate job. Jobs using the matrix strategy can call a reusable workflow. -A matrix strategy lets you use variables in a single job definition to automatically create multiple job runs that are based on the combinations of the variables. For example, you can use a matrix strategy to pass different inputs to a reusable workflow. For more information about matrices, see "[AUTOTITLE](/actions/using-jobs/using-a-matrix-for-your-jobs)." +A matrix strategy lets you use variables in a single job definition to automatically create multiple job runs that are based on the combinations of the variables. For example, you can use a matrix strategy to pass different inputs to a reusable workflow. For more information about matrices, see [AUTOTITLE](/actions/using-jobs/using-a-matrix-for-your-jobs). This example job below calls a reusable workflow and references the matrix context by defining the variable `target` with the values `[dev, stage, prod]`. It will run three jobs, one for each value in the variable. @@ -274,7 +274,7 @@ When you call a reusable workflow, you can only use the following keywords in th > [!NOTE] > - > * If `jobs..permissions` is not specified in the calling job, the called workflow will have the default permissions for the `GITHUB_TOKEN`. For more information, see "[AUTOTITLE](/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token)." + > * If `jobs..permissions` is not specified in the calling job, the called workflow will have the default permissions for the `GITHUB_TOKEN`. For more information, see [AUTOTITLE](/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token). > * The `GITHUB_TOKEN` permissions passed from the caller workflow can be only downgraded (not elevated) by the called workflow. > * If you use `jobs..concurrency.cancel-in-progress: true`, don't use the same value for `jobs..concurrency.group` in the called and caller workflows as this will cause the workflow that's already running to be cancelled. A called workflow uses the name of its caller workflow in {% raw %}${{ github.workflow }}{% endraw %}, so using this context as the value of `jobs..concurrency.group` in both caller and called workflows will cause the caller workflow to be cancelled when the called workflow runs. @@ -334,7 +334,7 @@ jobs: ### Passing secrets to nested workflows -You can use `jobs..secrets` in a calling workflow to pass named secrets to a directly called workflow. Alternatively, you can use `jobs..secrets.inherit` to pass all of the calling workflow's secrets to a directly called workflow. For more information, see the section "[AUTOTITLE](/actions/using-workflows/reusing-workflows#passing-inputs-and-secrets-to-a-reusable-workflow)" above, and the reference article "[AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idsecretsinherit)." Secrets are only passed to directly called workflow, so in the workflow chain A > B > C, workflow C will only receive secrets from A if they have been passed from A to B, and then from B to C. +You can use `jobs..secrets` in a calling workflow to pass named secrets to a directly called workflow. Alternatively, you can use `jobs..secrets.inherit` to pass all of the calling workflow's secrets to a directly called workflow. For more information, see the section [AUTOTITLE](/actions/using-workflows/reusing-workflows#passing-inputs-and-secrets-to-a-reusable-workflow) above, and the reference article [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idsecretsinherit). Secrets are only passed to directly called workflow, so in the workflow chain A > B > C, workflow C will only receive secrets from A if they have been passed from A to B, and then from B to C. In the following example, workflow A passes all of its secrets to workflow B, by using the `inherit` keyword, but workflow B only passes one secret to workflow C. Any of the other secrets passed to workflow B are not available to workflow C. @@ -359,11 +359,11 @@ jobs: ### Access and permissions -A workflow that contains nested reusable workflows will fail if any of the nested workflows is inaccessible to the initial caller workflow. For more information, see "[AUTOTITLE](/actions/using-workflows/reusing-workflows#access-to-reusable-workflows)." +A workflow that contains nested reusable workflows will fail if any of the nested workflows is inaccessible to the initial caller workflow. For more information, see [AUTOTITLE](/actions/using-workflows/reusing-workflows#access-to-reusable-workflows). -`GITHUB_TOKEN` permissions can only be the same or more restrictive in nested workflows. For example, in the workflow chain A > B > C, if workflow A has `package: read` token permission, then B and C cannot have `package: write` permission. For more information, see "[AUTOTITLE](/actions/security-guides/automatic-token-authentication)." +`GITHUB_TOKEN` permissions can only be the same or more restrictive in nested workflows. For example, in the workflow chain A > B > C, if workflow A has `package: read` token permission, then B and C cannot have `package: write` permission. For more information, see [AUTOTITLE](/actions/security-guides/automatic-token-authentication). -For information on how to use the API to determine which workflow files were involved in a particular workflow run, see "[Monitoring which workflows are being used](#monitoring-which-workflows-are-being-used)." +For information on how to use the API to determine which workflow files were involved in a particular workflow run, see [Monitoring which workflows are being used](#monitoring-which-workflows-are-being-used). {% endif %} ## Using outputs from a reusable workflow @@ -377,7 +377,7 @@ The following reusable workflow has a single job containing two steps. In each o The `value` must be set to the value of a job-level output within the called workflow. Step-level outputs must first be mapped to job-level outputs as shown below. -For more information, see "[AUTOTITLE](/actions/using-jobs/defining-outputs-for-jobs#overview)" and "[AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#onworkflow_calloutputs)." +For more information, see [AUTOTITLE](/actions/using-jobs/defining-outputs-for-jobs#overview) and [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#onworkflow_calloutputs). {% raw %} @@ -435,7 +435,7 @@ jobs: {% endraw %} -For more information on using job outputs, see "[AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idoutputs)." If you want to share something other than a variable (e.g. a build artifact) between workflows, see "[AUTOTITLE](/actions/using-workflows/storing-workflow-data-as-artifacts)." +For more information on using job outputs, see [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idoutputs). If you want to share something other than a variable (e.g. a build artifact) between workflows, see [AUTOTITLE](/actions/using-workflows/storing-workflow-data-as-artifacts). ## Monitoring which workflows are being used @@ -448,7 +448,7 @@ You can use the {% data variables.product.prodname_dotcom %} REST API to monitor * `calling_workflow_shas` - an array of SHAs for all the caller workflows involved in this workflow job. The array contains the same number of items, in the same order, as the `calling_workflow_refs` array. {% endif %} * `job_workflow_ref` - the workflow file that was used, in the form `{owner}/{repo}/{path}/{filename}@{ref}`. For a job that calls another workflow, this identifies the called workflow. -For information about using the REST API to query the audit log for an organization, see "[AUTOTITLE](/rest/orgs#get-the-audit-log-for-an-organization)." +For information about using the REST API to query the audit log for an organization, see [AUTOTITLE](/rest/orgs#get-the-audit-log-for-an-organization). > [!NOTE] > Audit data for `prepared_workflow_job` can only be viewed using the REST API. It is not visible in the {% data variables.product.prodname_dotcom %} web interface, or included in JSON/CSV exported audit data. @@ -463,6 +463,6 @@ For information about using the REST API to query the audit log for an organizat ## Next steps -To continue learning about {% data variables.product.prodname_actions %}, see "[AUTOTITLE](/actions/using-workflows/events-that-trigger-workflows)." +To continue learning about {% data variables.product.prodname_actions %}, see [AUTOTITLE](/actions/using-workflows/events-that-trigger-workflows). -{% ifversion restrict-groups-to-workflows %}You can standardize deployments by creating a self-hosted runner group that can only execute a specific reusable workflow. For more information, see "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups)."{% endif %} +{% ifversion restrict-groups-to-workflows %}You can standardize deployments by creating a self-hosted runner group that can only execute a specific reusable workflow. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups).{% endif %} diff --git a/content/actions/sharing-automations/sharing-actions-and-workflows-from-your-private-repository.md b/content/actions/sharing-automations/sharing-actions-and-workflows-from-your-private-repository.md index 71ebdbdc6f7c..c99540dc0c4f 100644 --- a/content/actions/sharing-automations/sharing-actions-and-workflows-from-your-private-repository.md +++ b/content/actions/sharing-automations/sharing-actions-and-workflows-from-your-private-repository.md @@ -24,9 +24,9 @@ Any actions or reusable workflows stored in the private repository can be used i ## Sharing actions and workflows from your private repository -1. Store the action or reusable workflow in a private repository. For more information, see "[AUTOTITLE](/repositories/creating-and-managing-repositories/about-repositories#about-repository-visibility)." -1. Configure the repository to allow access to workflows in other private repositories. For more information, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#allowing-access-to-components-in-a-private-repository)." +1. Store the action or reusable workflow in a private repository. For more information, see [AUTOTITLE](/repositories/creating-and-managing-repositories/about-repositories#about-repository-visibility). +1. Configure the repository to allow access to workflows in other private repositories. For more information, see [AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#allowing-access-to-components-in-a-private-repository). ## Further reading -* "[AUTOTITLE](/actions/using-workflows/reusing-workflows)" +* [AUTOTITLE](/actions/using-workflows/reusing-workflows) diff --git a/content/actions/sharing-automations/sharing-actions-and-workflows-with-your-enterprise.md b/content/actions/sharing-automations/sharing-actions-and-workflows-with-your-enterprise.md index bfd1c586083a..069ba8a7f5f8 100644 --- a/content/actions/sharing-automations/sharing-actions-and-workflows-with-your-enterprise.md +++ b/content/actions/sharing-automations/sharing-actions-and-workflows-with-your-enterprise.md @@ -24,10 +24,10 @@ Any actions or reusable workflows stored in the internal {% ifversion private-ac ## Sharing actions and workflows with your enterprise -1. Store the action or reusable workflow in an internal {% ifversion private-actions %}or private {% endif %}repository. For more information, see "[AUTOTITLE](/repositories/creating-and-managing-repositories/about-repositories)." -1. Configure the repository to allow access to workflows in other internal {% ifversion private-actions %}or private {% endif %}repositories. For more information, see {% ifversion private-actions %}"[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#allowing-access-to-components-in-a-private-repository)" and {% endif %}"[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#allowing-access-to-components-in-an-internal-repository)." +1. Store the action or reusable workflow in an internal {% ifversion private-actions %}or private {% endif %}repository. For more information, see [AUTOTITLE](/repositories/creating-and-managing-repositories/about-repositories). +1. Configure the repository to allow access to workflows in other internal {% ifversion private-actions %}or private {% endif %}repositories. For more information, see {% ifversion private-actions %}[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#allowing-access-to-components-in-a-private-repository) and {% endif %}[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#allowing-access-to-components-in-an-internal-repository). ## Further reading -* "[AUTOTITLE](/admin/overview/about-enterprise-accounts)" -* "[AUTOTITLE](/actions/using-workflows/reusing-workflows)" +* [AUTOTITLE](/admin/overview/about-enterprise-accounts) +* [AUTOTITLE](/actions/using-workflows/reusing-workflows) diff --git a/content/actions/sharing-automations/sharing-actions-and-workflows-with-your-organization.md b/content/actions/sharing-automations/sharing-actions-and-workflows-with-your-organization.md index 913d102f952c..4ddd9cf0713d 100644 --- a/content/actions/sharing-automations/sharing-actions-and-workflows-with-your-organization.md +++ b/content/actions/sharing-automations/sharing-actions-and-workflows-with-your-organization.md @@ -24,9 +24,9 @@ Any actions or reusable workflows stored in the private repository can be used i ## Sharing actions and workflows with your organization -1. Store the action or reusable workflow in a private {% ifversion internal-actions %} or internal {% endif %}repository. For more information, see "[AUTOTITLE](/repositories/creating-and-managing-repositories/about-repositories#about-repository-visibility)." -1. Configure the repository to allow access to workflows in other private repositories. For more information, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#allowing-access-to-components-in-a-private-repository)." +1. Store the action or reusable workflow in a private {% ifversion internal-actions %} or internal {% endif %}repository. For more information, see [AUTOTITLE](/repositories/creating-and-managing-repositories/about-repositories#about-repository-visibility). +1. Configure the repository to allow access to workflows in other private repositories. For more information, see [AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#allowing-access-to-components-in-a-private-repository). ## Further reading -* "[AUTOTITLE](/actions/using-workflows/reusing-workflows)" +* [AUTOTITLE](/actions/using-workflows/reusing-workflows) diff --git a/content/actions/use-cases-and-examples/building-and-testing/building-and-testing-go.md b/content/actions/use-cases-and-examples/building-and-testing/building-and-testing-go.md index aac9837ef0e1..60b99176a879 100644 --- a/content/actions/use-cases-and-examples/building-and-testing/building-and-testing-go.md +++ b/content/actions/use-cases-and-examples/building-and-testing/building-and-testing-go.md @@ -19,11 +19,11 @@ redirect_from: This guide shows you how to build, test, and publish a Go package. -{% data variables.product.prodname_dotcom %}-hosted runners have a tools cache with preinstalled software, which includes the dependencies for Go. For a full list of up-to-date software and the preinstalled versions of Go, see "[AUTOTITLE](/actions/using-github-hosted-runners/about-github-hosted-runners#preinstalled-software)." +{% data variables.product.prodname_dotcom %}-hosted runners have a tools cache with preinstalled software, which includes the dependencies for Go. For a full list of up-to-date software and the preinstalled versions of Go, see [AUTOTITLE](/actions/using-github-hosted-runners/about-github-hosted-runners#preinstalled-software). ## Prerequisites -You should already be familiar with YAML syntax and how it's used with {% data variables.product.prodname_actions %}. For more information, see "[AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions)." +You should already be familiar with YAML syntax and how it's used with {% data variables.product.prodname_actions %}. For more information, see [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions). We recommend that you have a basic understanding of the Go language. For more information, see [Getting started with Go](https://golang.org/doc/tutorial/getting-started). @@ -187,7 +187,7 @@ Alternatively, you can use the `cache-dependency-path` parameter for cases when {% endif %} -If you have a custom requirement or need finer controls for caching, you can use the [`cache` action](https://github.com/marketplace/actions/cache). For more information, see "[AUTOTITLE](/actions/using-workflows/caching-dependencies-to-speed-up-workflows)." +If you have a custom requirement or need finer controls for caching, you can use the [`cache` action](https://github.com/marketplace/actions/cache). For more information, see [AUTOTITLE](/actions/using-workflows/caching-dependencies-to-speed-up-workflows). ## Building and testing your code @@ -219,7 +219,7 @@ jobs: After a workflow completes, you can upload the resulting artifacts for analysis. For example, you may need to save log files, core dumps, test results, or screenshots. The following example demonstrates how you can use the `upload-artifact` action to upload test results. -For more information, see "[AUTOTITLE](/actions/using-workflows/storing-workflow-data-as-artifacts)." +For more information, see [AUTOTITLE](/actions/using-workflows/storing-workflow-data-as-artifacts). ```yaml copy name: Upload Go test results diff --git a/content/actions/use-cases-and-examples/building-and-testing/building-and-testing-java-with-ant.md b/content/actions/use-cases-and-examples/building-and-testing/building-and-testing-java-with-ant.md index d2b6dff12f71..3b38e111ae42 100644 --- a/content/actions/use-cases-and-examples/building-and-testing/building-and-testing-java-with-ant.md +++ b/content/actions/use-cases-and-examples/building-and-testing/building-and-testing-java-with-ant.md @@ -23,13 +23,13 @@ shortTitle: Build & test Java & Ant This guide shows you how to create a workflow that performs continuous integration (CI) for your Java project using the Ant build system. The workflow you create will allow you to see when commits to a pull request cause build or test failures against your default branch; this approach can help ensure that your code is always healthy. You can extend your CI workflow to upload artifacts from a workflow run. -{% data variables.product.prodname_dotcom %}-hosted runners have a tools cache with pre-installed software, which includes Java Development Kits (JDKs) and Ant. For a list of software and the pre-installed versions for JDK and Ant, see "[AUTOTITLE](/actions/using-github-hosted-runners/about-github-hosted-runners#supported-software)". +{% data variables.product.prodname_dotcom %}-hosted runners have a tools cache with pre-installed software, which includes Java Development Kits (JDKs) and Ant. For a list of software and the pre-installed versions for JDK and Ant, see [AUTOTITLE](/actions/using-github-hosted-runners/about-github-hosted-runners#supported-software). ## Prerequisites You should be familiar with YAML and the syntax for {% data variables.product.prodname_actions %}. For more information, see: -* "[AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions)" -* "[AUTOTITLE](/actions/learn-github-actions)" +* [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions) +* [AUTOTITLE](/actions/learn-github-actions) We recommend that you have a basic understanding of Java and the Ant framework. For more information, see the [Apache Ant Manual](https://ant.apache.org/manual/). @@ -107,7 +107,7 @@ steps: ## Packaging workflow data as artifacts -After your build has succeeded and your tests have passed, you may want to upload the resulting Java packages as a build artifact. This will store the built packages as part of the workflow run, and allow you to download them. Artifacts can help you test and debug pull requests in your local environment before they're merged. For more information, see "[AUTOTITLE](/actions/using-workflows/storing-workflow-data-as-artifacts)." +After your build has succeeded and your tests have passed, you may want to upload the resulting Java packages as a build artifact. This will store the built packages as part of the workflow run, and allow you to download them. Artifacts can help you test and debug pull requests in your local environment before they're merged. For more information, see [AUTOTITLE](/actions/using-workflows/storing-workflow-data-as-artifacts). Ant will usually create output files like JARs, EARs, or WARs in the `build/jar` directory. You can upload the contents of that directory using the `upload-artifact` action. diff --git a/content/actions/use-cases-and-examples/building-and-testing/building-and-testing-java-with-gradle.md b/content/actions/use-cases-and-examples/building-and-testing/building-and-testing-java-with-gradle.md index a021729d421d..a67f08440154 100644 --- a/content/actions/use-cases-and-examples/building-and-testing/building-and-testing-java-with-gradle.md +++ b/content/actions/use-cases-and-examples/building-and-testing/building-and-testing-java-with-gradle.md @@ -23,13 +23,13 @@ shortTitle: Build & test Java & Gradle This guide shows you how to create a workflow that performs continuous integration (CI) for your Java project using the Gradle build system. The workflow you create will allow you to see when commits to a pull request cause build or test failures against your default branch; this approach can help ensure that your code is always healthy. You can extend your CI workflow to cache files and upload artifacts from a workflow run. -{% data variables.product.prodname_dotcom %}-hosted runners have a tools cache with pre-installed software, which includes Java Development Kits (JDKs) and Gradle. For a list of software and the pre-installed versions for JDK and Gradle, see "[AUTOTITLE](/actions/using-github-hosted-runners/about-github-hosted-runners#supported-software)". +{% data variables.product.prodname_dotcom %}-hosted runners have a tools cache with pre-installed software, which includes Java Development Kits (JDKs) and Gradle. For a list of software and the pre-installed versions for JDK and Gradle, see [AUTOTITLE](/actions/using-github-hosted-runners/about-github-hosted-runners#supported-software). ## Prerequisites You should be familiar with YAML and the syntax for {% data variables.product.prodname_actions %}. For more information, see: -* "[AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions)" -* "[AUTOTITLE](/actions/learn-github-actions)" +* [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions) +* [AUTOTITLE](/actions/learn-github-actions) We recommend that you have a basic understanding of Java and the Gradle framework. For more information, see the [Gradle User Manual](https://docs.gradle.org/current/userguide/userguide.html). @@ -128,7 +128,7 @@ Caching is enabled by default when using the `gradle/actions/setup-gradle` actio ## Packaging workflow data as artifacts -After your build has succeeded and your tests have passed, you may want to upload the resulting Java packages as a build artifact. This will store the built packages as part of the workflow run, and allow you to download them. Artifacts can help you test and debug pull requests in your local environment before they're merged. For more information, see "[AUTOTITLE](/actions/using-workflows/storing-workflow-data-as-artifacts)." +After your build has succeeded and your tests have passed, you may want to upload the resulting Java packages as a build artifact. This will store the built packages as part of the workflow run, and allow you to download them. Artifacts can help you test and debug pull requests in your local environment before they're merged. For more information, see [AUTOTITLE](/actions/using-workflows/storing-workflow-data-as-artifacts). Gradle will usually create output files like JARs, EARs, or WARs in the `build/libs` directory. You can upload the contents of that directory using the `upload-artifact` action. diff --git a/content/actions/use-cases-and-examples/building-and-testing/building-and-testing-java-with-maven.md b/content/actions/use-cases-and-examples/building-and-testing/building-and-testing-java-with-maven.md index 304a52e98438..13230c3a7323 100644 --- a/content/actions/use-cases-and-examples/building-and-testing/building-and-testing-java-with-maven.md +++ b/content/actions/use-cases-and-examples/building-and-testing/building-and-testing-java-with-maven.md @@ -23,13 +23,13 @@ shortTitle: Build & test Java with Maven This guide shows you how to create a workflow that performs continuous integration (CI) for your Java project using the Maven software project management tool. The workflow you create will allow you to see when commits to a pull request cause build or test failures against your default branch; this approach can help ensure that your code is always healthy. You can extend your CI workflow to cache files and upload artifacts from a workflow run. -{% data variables.product.prodname_dotcom %}-hosted runners have a tools cache with pre-installed software, which includes Java Development Kits (JDKs) and Maven. For a list of software and the pre-installed versions for JDK and Maven, see "[AUTOTITLE](/actions/using-github-hosted-runners/about-github-hosted-runners#supported-software)". +{% data variables.product.prodname_dotcom %}-hosted runners have a tools cache with pre-installed software, which includes Java Development Kits (JDKs) and Maven. For a list of software and the pre-installed versions for JDK and Maven, see [AUTOTITLE](/actions/using-github-hosted-runners/about-github-hosted-runners#supported-software). ## Prerequisites You should be familiar with YAML and the syntax for {% data variables.product.prodname_actions %}. For more information, see: -* "[AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions)" -* "[AUTOTITLE](/actions/learn-github-actions)" +* [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions) +* [AUTOTITLE](/actions/learn-github-actions) We recommend that you have a basic understanding of Java and the Maven framework. For more information, see the [Maven Getting Started Guide](https://maven.apache.org/guides/getting-started/index.html) in the Maven documentation. @@ -131,7 +131,7 @@ This workflow will save the contents of your local Maven repository, located in ## Packaging workflow data as artifacts -After your build has succeeded and your tests have passed, you may want to upload the resulting Java packages as a build artifact. This will store the built packages as part of the workflow run, and allow you to download them. Artifacts can help you test and debug pull requests in your local environment before they're merged. For more information, see "[AUTOTITLE](/actions/using-workflows/storing-workflow-data-as-artifacts)." +After your build has succeeded and your tests have passed, you may want to upload the resulting Java packages as a build artifact. This will store the built packages as part of the workflow run, and allow you to download them. Artifacts can help you test and debug pull requests in your local environment before they're merged. For more information, see [AUTOTITLE](/actions/using-workflows/storing-workflow-data-as-artifacts). Maven will usually create output files like JARs, EARs, or WARs in the `target` directory. To upload those as artifacts, you can copy them into a new directory that contains artifacts to upload. For example, you can create a directory called `staging`. Then you can upload the contents of that directory using the `upload-artifact` action. diff --git a/content/actions/use-cases-and-examples/building-and-testing/building-and-testing-net.md b/content/actions/use-cases-and-examples/building-and-testing/building-and-testing-net.md index 4a917a2b237a..4961217cbc84 100644 --- a/content/actions/use-cases-and-examples/building-and-testing/building-and-testing-net.md +++ b/content/actions/use-cases-and-examples/building-and-testing/building-and-testing-net.md @@ -21,7 +21,7 @@ This guide shows you how to build, test, and publish a .NET package. ## Prerequisites -You should already be familiar with YAML syntax and how it's used with {% data variables.product.prodname_actions %}. For more information, see "[AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions)." +You should already be familiar with YAML syntax and how it's used with {% data variables.product.prodname_actions %}. For more information, see [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions). We recommend that you have a basic understanding of the .NET Core SDK. For more information, see [Getting started with .NET](https://dotnet.microsoft.com/learn). @@ -140,7 +140,7 @@ steps: You can cache NuGet dependencies for future workflows using the optional `cache` input. For example, the YAML below caches the NuGet `global-packages` folder, and then installs the `Newtonsoft` package. A second optional input, `cache-dependency-path`, can be used to specify the path to a dependency file: `packages.lock.json`. -For more information, see "[AUTOTITLE](/actions/using-workflows/caching-dependencies-to-speed-up-workflows)." +For more information, see [AUTOTITLE](/actions/using-workflows/caching-dependencies-to-speed-up-workflows). ```yaml steps: @@ -180,7 +180,7 @@ steps: After a workflow completes, you can upload the resulting artifacts for analysis. For example, you may need to save log files, core dumps, test results, or screenshots. The following example demonstrates how you can use the `upload-artifact` action to upload test results. -For more information, see "[AUTOTITLE](/actions/using-workflows/storing-workflow-data-as-artifacts)." +For more information, see [AUTOTITLE](/actions/using-workflows/storing-workflow-data-as-artifacts). ```yaml name: dotnet package diff --git a/content/actions/use-cases-and-examples/building-and-testing/building-and-testing-nodejs.md b/content/actions/use-cases-and-examples/building-and-testing/building-and-testing-nodejs.md index 87cfba84cfa6..1f335c16c0cd 100644 --- a/content/actions/use-cases-and-examples/building-and-testing/building-and-testing-nodejs.md +++ b/content/actions/use-cases-and-examples/building-and-testing/building-and-testing-nodejs.md @@ -28,8 +28,8 @@ This guide shows you how to create a continuous integration (CI) workflow that b We recommend that you have a basic understanding of Node.js, YAML, workflow configuration options, and how to create a workflow file. For more information, see: -* "[AUTOTITLE](/actions/learn-github-actions)" -* "[Getting started with Node.js](https://nodejs.org/en/docs/guides/getting-started-guide/)" +* [AUTOTITLE](/actions/learn-github-actions) +* [Getting started with Node.js](https://nodejs.org/en/docs/guides/getting-started-guide/) {% data reusables.actions.enterprise-setup-prereq %} @@ -97,7 +97,7 @@ The `setup-node` action takes a Node.js version as an input and configures that The workflow template includes a matrix strategy that builds and tests your code with the Node.js versions listed in `node-version`. The 'x' in the version number is a wildcard character that matches the latest minor and patch release available for a version. Each version of Node.js specified in the `node-version` array creates a job that runs the same steps. -Each job can access the value defined in the matrix `node-version` array using the `matrix` context. The `setup-node` action uses the context as the `node-version` input. The `setup-node` action configures each job with a different Node.js version before building and testing code. For more information about matrix strategies and contexts, see "[AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstrategymatrix)" and "[AUTOTITLE](/actions/learn-github-actions/contexts)." +Each job can access the value defined in the matrix `node-version` array using the `matrix` context. The `setup-node` action uses the context as the `node-version` input. The `setup-node` action configures each job with a different Node.js version before building and testing code. For more information about matrix strategies and contexts, see [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstrategymatrix) and [AUTOTITLE](/actions/learn-github-actions/contexts). ```yaml copy strategy: @@ -144,17 +144,17 @@ jobs: ``` If you don't specify a Node.js version, {% data variables.product.prodname_dotcom %} uses the environment's default Node.js version. -For more information, see "[AUTOTITLE](/actions/using-github-hosted-runners/about-github-hosted-runners#supported-software)". +For more information, see [AUTOTITLE](/actions/using-github-hosted-runners/about-github-hosted-runners#supported-software). ## Installing dependencies {% data variables.product.prodname_dotcom %}-hosted runners have npm and Yarn dependency managers installed. You can use npm and Yarn to install dependencies in your workflow before building and testing your code. The Windows and Linux {% data variables.product.prodname_dotcom %}-hosted runners also have Grunt, Gulp, and Bower installed. -You can also cache dependencies to speed up your workflow. For more information, see "[AUTOTITLE](/actions/using-workflows/caching-dependencies-to-speed-up-workflows)." +You can also cache dependencies to speed up your workflow. For more information, see [AUTOTITLE](/actions/using-workflows/caching-dependencies-to-speed-up-workflows). ### Example using npm -This example installs the versions in the _package-lock.json_ or _npm-shrinkwrap.json_ file and prevents updates to the lock file. Using `npm ci` is generally faster than running `npm install`. For more information, see [`npm ci`](https://docs.npmjs.com/cli/ci.html) and "[Introducing `npm ci` for faster, more reliable builds](https://blog.npmjs.org/post/171556855892/introducing-npm-ci-for-faster-more-reliable)." +This example installs the versions in the _package-lock.json_ or _npm-shrinkwrap.json_ file and prevents updates to the lock file. Using `npm ci` is generally faster than running `npm install`. For more information, see [`npm ci`](https://docs.npmjs.com/cli/ci.html) and [Introducing `npm ci` for faster, more reliable builds](https://blog.npmjs.org/post/171556855892/introducing-npm-ci-for-faster-more-reliable). ```yaml copy steps: @@ -212,7 +212,7 @@ steps: {% data reusables.actions.setup-node-intro %} -To authenticate to your private registry, you'll need to store your npm authentication token as a secret. For example, create a repository secret called `NPM_TOKEN`. For more information, see "[AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions)." +To authenticate to your private registry, you'll need to store your npm authentication token as a secret. For example, create a repository secret called `NPM_TOKEN`. For more information, see [AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions). In the example below, the secret `NPM_TOKEN` stores the npm authentication token. The `setup-node` action configures the _.npmrc_ file to read the npm authentication token from the `NODE_AUTH_TOKEN` environment variable. When using the `setup-node` action to create an _.npmrc_ file, you must set the `NODE_AUTH_TOKEN` environment variable with the secret that contains your npm authentication token. @@ -292,7 +292,7 @@ steps: - run: pnpm test ``` -If you have a custom requirement or need finer controls for caching, you can use the [`cache` action](https://github.com/marketplace/actions/cache). For more information, see "[AUTOTITLE](/actions/using-workflows/caching-dependencies-to-speed-up-workflows)." +If you have a custom requirement or need finer controls for caching, you can use the [`cache` action](https://github.com/marketplace/actions/cache). For more information, see [AUTOTITLE](/actions/using-workflows/caching-dependencies-to-speed-up-workflows). ## Building and testing your code @@ -312,8 +312,8 @@ steps: ## Packaging workflow data as artifacts -You can save artifacts from your build and test steps to view after a job completes. For example, you may need to save log files, core dumps, test results, or screenshots. For more information, see "[AUTOTITLE](/actions/using-workflows/storing-workflow-data-as-artifacts)." +You can save artifacts from your build and test steps to view after a job completes. For example, you may need to save log files, core dumps, test results, or screenshots. For more information, see [AUTOTITLE](/actions/using-workflows/storing-workflow-data-as-artifacts). ## Publishing to package registries -You can configure your workflow to publish your Node.js package to a package registry after your CI tests pass. For more information about publishing to npm and {% data variables.product.prodname_registry %}, see "[AUTOTITLE](/actions/publishing-packages/publishing-nodejs-packages)." +You can configure your workflow to publish your Node.js package to a package registry after your CI tests pass. For more information about publishing to npm and {% data variables.product.prodname_registry %}, see [AUTOTITLE](/actions/publishing-packages/publishing-nodejs-packages). diff --git a/content/actions/use-cases-and-examples/building-and-testing/building-and-testing-powershell.md b/content/actions/use-cases-and-examples/building-and-testing/building-and-testing-powershell.md index 0971b7a533d2..4addbb092fd7 100644 --- a/content/actions/use-cases-and-examples/building-and-testing/building-and-testing-powershell.md +++ b/content/actions/use-cases-and-examples/building-and-testing/building-and-testing-powershell.md @@ -25,11 +25,11 @@ This guide shows you how to use PowerShell for CI. It describes how to use Peste {% data variables.product.prodname_dotcom %}-hosted runners have a tools cache with pre-installed software, which includes PowerShell and Pester. -For a full list of up-to-date software and the pre-installed versions of PowerShell and Pester, see "[AUTOTITLE](/actions/using-github-hosted-runners/about-github-hosted-runners#supported-software)". +For a full list of up-to-date software and the pre-installed versions of PowerShell and Pester, see [AUTOTITLE](/actions/using-github-hosted-runners/about-github-hosted-runners#supported-software). ## Prerequisites -You should be familiar with YAML and the syntax for {% data variables.product.prodname_actions %}. For more information, see "[AUTOTITLE](/actions/learn-github-actions)." +You should be familiar with YAML and the syntax for {% data variables.product.prodname_actions %}. For more information, see [AUTOTITLE](/actions/learn-github-actions). We recommend that you have a basic understanding of PowerShell and Pester. For more information, see: * [Getting started with PowerShell](https://docs.microsoft.com/powershell/scripting/learn/ps101/01-getting-started) @@ -103,7 +103,7 @@ The table below describes the locations for various PowerShell modules in each { > [!NOTE] > The pre-installed packages (such as Pester) used by {% data variables.product.prodname_dotcom %}-hosted runners are regularly updated, and can introduce significant changes. As a result, it is recommended that you always specify the required package versions by using `Install-Module` with `-MaximumVersion`. -You can also cache dependencies to speed up your workflow. For more information, see "[AUTOTITLE](/actions/using-workflows/caching-dependencies-to-speed-up-workflows)." +You can also cache dependencies to speed up your workflow. For more information, see [AUTOTITLE](/actions/using-workflows/caching-dependencies-to-speed-up-workflows). For example, the following job installs the `SqlServer` and `PSScriptAnalyzer` modules: @@ -126,7 +126,7 @@ jobs: ### Caching dependencies -You can cache PowerShell dependencies using a unique key, which allows you to restore the dependencies for future workflows with the [`cache`](https://github.com/marketplace/actions/cache) action. For more information, see "[AUTOTITLE](/actions/using-workflows/caching-dependencies-to-speed-up-workflows)." +You can cache PowerShell dependencies using a unique key, which allows you to restore the dependencies for future workflows with the [`cache`](https://github.com/marketplace/actions/cache) action. For more information, see [AUTOTITLE](/actions/using-workflows/caching-dependencies-to-speed-up-workflows). PowerShell caches its dependencies in different locations, depending on the runner's operating system. For example, the `path` location used in the following Ubuntu example will be different for a Windows operating system. @@ -181,7 +181,7 @@ The following example installs `PSScriptAnalyzer` and uses it to lint all `ps1` ## Packaging workflow data as artifacts -You can upload artifacts to view after a workflow completes. For example, you may need to save log files, core dumps, test results, or screenshots. For more information, see "[AUTOTITLE](/actions/using-workflows/storing-workflow-data-as-artifacts)." +You can upload artifacts to view after a workflow completes. For example, you may need to save log files, core dumps, test results, or screenshots. For more information, see [AUTOTITLE](/actions/using-workflows/storing-workflow-data-as-artifacts). The following example demonstrates how you can use the `upload-artifact` action to archive the test results received from `Invoke-Pester`. For more information, see the [`upload-artifact` action](https://github.com/actions/upload-artifact). @@ -207,11 +207,11 @@ jobs: if: {% raw %}${{ always() }}{% endraw %} ``` -The `always()` function configures the job to continue processing even if there are test failures. For more information, see "[AUTOTITLE](/actions/learn-github-actions/contexts#always)." +The `always()` function configures the job to continue processing even if there are test failures. For more information, see [AUTOTITLE](/actions/learn-github-actions/contexts#always). ## Publishing to PowerShell Gallery -You can configure your workflow to publish your PowerShell module to the PowerShell Gallery when your CI tests pass. You can use secrets to store any tokens or credentials needed to publish your package. For more information, see "[AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions)." +You can configure your workflow to publish your PowerShell module to the PowerShell Gallery when your CI tests pass. You can use secrets to store any tokens or credentials needed to publish your package. For more information, see [AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions). The following example creates a package and uses `Publish-Module` to publish it to the PowerShell Gallery: diff --git a/content/actions/use-cases-and-examples/building-and-testing/building-and-testing-python.md b/content/actions/use-cases-and-examples/building-and-testing/building-and-testing-python.md index 1e5a6afd44b0..9efa3a6c6614 100644 --- a/content/actions/use-cases-and-examples/building-and-testing/building-and-testing-python.md +++ b/content/actions/use-cases-and-examples/building-and-testing/building-and-testing-python.md @@ -23,11 +23,11 @@ shortTitle: Build & test Python This guide shows you how to build, test, and publish a Python package. -{% data variables.product.prodname_dotcom %}-hosted runners have a tools cache with pre-installed software, which includes Python and PyPy. You don't have to install anything! For a full list of up-to-date software and the pre-installed versions of Python and PyPy, see "[AUTOTITLE](/actions/using-github-hosted-runners/about-github-hosted-runners#supported-software)". +{% data variables.product.prodname_dotcom %}-hosted runners have a tools cache with pre-installed software, which includes Python and PyPy. You don't have to install anything! For a full list of up-to-date software and the pre-installed versions of Python and PyPy, see [AUTOTITLE](/actions/using-github-hosted-runners/about-github-hosted-runners#supported-software). ## Prerequisites -You should be familiar with YAML and the syntax for {% data variables.product.prodname_actions %}. For more information, see "[AUTOTITLE](/actions/learn-github-actions)." +You should be familiar with YAML and the syntax for {% data variables.product.prodname_actions %}. For more information, see [AUTOTITLE](/actions/learn-github-actions). We recommend that you have a basic understanding of Python, and pip. For more information, see: @@ -119,11 +119,11 @@ The table below describes the locations for the tools cache in each {% data vari If you are using a self-hosted runner, you can configure the runner to use the `setup-python` action to manage your dependencies. For more information, see [using setup-python with a self-hosted runner](https://github.com/actions/setup-python#using-setup-python-with-a-self-hosted-runner) in the `setup-python` README. -{% data variables.product.prodname_dotcom %} supports semantic versioning syntax. For more information, see "[Using semantic versioning](https://docs.npmjs.com/about-semantic-versioning#using-semantic-versioning-to-specify-update-types-your-package-can-accept)" and the "[Semantic versioning specification](https://semver.org/)." +{% data variables.product.prodname_dotcom %} supports semantic versioning syntax. For more information, see [Using semantic versioning](https://docs.npmjs.com/about-semantic-versioning#using-semantic-versioning-to-specify-update-types-your-package-can-accept) and the [Semantic versioning specification](https://semver.org/). ### Using multiple Python versions -The following example uses a matrix for the job to set up multiple Python versions. For more information, see "[AUTOTITLE](/actions/using-jobs/using-a-matrix-for-your-jobs)." +The following example uses a matrix for the job to set up multiple Python versions. For more information, see [AUTOTITLE](/actions/using-jobs/using-a-matrix-for-your-jobs). ```yaml copy name: Python package @@ -182,7 +182,7 @@ jobs: If you specify a version of Python that is not available, `setup-python` fails with an error such as: `##[error]Version 3.7 with arch x64 not found`. The error message includes the available versions. -You can also use the `exclude` keyword in your workflow if there is a configuration of Python that you do not wish to run. For more information, see "[AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstrategy)." +You can also use the `exclude` keyword in your workflow if there is a configuration of Python that you do not wish to run. For more information, see [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstrategy). ```yaml copy name: Python package @@ -218,7 +218,7 @@ We recommend using `setup-python` to configure the version of Python used in you {% data variables.product.prodname_dotcom %}-hosted runners have the pip package manager installed. You can use pip to install dependencies from the PyPI package registry before building and testing your code. For example, the YAML below installs or upgrades the `pip` package installer and the `setuptools` and `wheel` packages. -You can also cache dependencies to speed up your workflow. For more information, see "[AUTOTITLE](/actions/using-workflows/caching-dependencies-to-speed-up-workflows)." +You can also cache dependencies to speed up your workflow. For more information, see [AUTOTITLE](/actions/using-workflows/caching-dependencies-to-speed-up-workflows). ```yaml copy steps: @@ -265,7 +265,7 @@ steps: - run: pip test ``` -By default, the `setup-python` action searches for the dependency file (`requirements.txt` for pip, `Pipfile.lock` for pipenv or `poetry.lock` for poetry) in the whole repository. For more information, see "[Caching packages dependencies](https://github.com/actions/setup-python#caching-packages-dependencies)" in the `setup-python` README. +By default, the `setup-python` action searches for the dependency file (`requirements.txt` for pip, `Pipfile.lock` for pipenv or `poetry.lock` for poetry) in the whole repository. For more information, see [Caching packages dependencies](https://github.com/actions/setup-python#caching-packages-dependencies) in the `setup-python` README. If you have a custom requirement or need finer controls for caching, you can use the [`cache` action](https://github.com/marketplace/actions/cache). Pip caches dependencies in different locations, depending on the operating system of the runner. The path you'll need to cache may differ from the Ubuntu example above, depending on the operating system you use. For more information, see [Python caching examples](https://github.com/actions/cache/blob/main/examples.md#python---pip) in the `cache` action repository. @@ -348,7 +348,7 @@ jobs: ## Packaging workflow data as artifacts -You can upload artifacts to view after a workflow completes. For example, you may need to save log files, core dumps, test results, or screenshots. For more information, see "[AUTOTITLE](/actions/using-workflows/storing-workflow-data-as-artifacts)." +You can upload artifacts to view after a workflow completes. For example, you may need to save log files, core dumps, test results, or screenshots. For more information, see [AUTOTITLE](/actions/using-workflows/storing-workflow-data-as-artifacts). The following example demonstrates how you can use the `upload-artifact` action to archive test results from running `pytest`. For more information, see the [`upload-artifact` action](https://github.com/actions/upload-artifact). @@ -389,7 +389,7 @@ jobs: ## Publishing to PyPI -You can configure your workflow to publish your Python package to PyPI once your CI tests pass. This section demonstrates how you can use {% data variables.product.prodname_actions %} to upload your package to PyPI each time you publish a release. For more information, see "[AUTOTITLE](/repositories/releasing-projects-on-github/managing-releases-in-a-repository)." +You can configure your workflow to publish your Python package to PyPI once your CI tests pass. This section demonstrates how you can use {% data variables.product.prodname_actions %} to upload your package to PyPI each time you publish a release. For more information, see [AUTOTITLE](/repositories/releasing-projects-on-github/managing-releases-in-a-repository). The example workflow below uses [Trusted Publishing](https://docs.pypi.org/trusted-publishers/) to authenticate with PyPI, eliminating the need for a manually configured API token. diff --git a/content/actions/use-cases-and-examples/building-and-testing/building-and-testing-ruby.md b/content/actions/use-cases-and-examples/building-and-testing/building-and-testing-ruby.md index 3320b2d177e4..13fce8eb0d88 100644 --- a/content/actions/use-cases-and-examples/building-and-testing/building-and-testing-ruby.md +++ b/content/actions/use-cases-and-examples/building-and-testing/building-and-testing-ruby.md @@ -124,7 +124,7 @@ strategy: {% endraw %} -Each version of Ruby specified in the `ruby-version` array creates a job that runs the same steps. The {% raw %}`${{ matrix.ruby-version }}`{% endraw %} context is used to access the current job's version. For more information about matrix strategies and contexts, see "[AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions)" and "[AUTOTITLE](/actions/learn-github-actions/contexts)." +Each version of Ruby specified in the `ruby-version` array creates a job that runs the same steps. The {% raw %}`${{ matrix.ruby-version }}`{% endraw %} context is used to access the current job's version. For more information about matrix strategies and contexts, see [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions) and [AUTOTITLE](/actions/learn-github-actions/contexts). The full updated workflow with a matrix strategy could look like this: @@ -196,7 +196,7 @@ This will configure bundler to install your gems to `vendor/cache`. For each suc **Caching without setup-ruby** -For greater control over caching, you can use the `actions/cache` action directly. For more information, see "[AUTOTITLE](/actions/using-workflows/caching-dependencies-to-speed-up-workflows)." +For greater control over caching, you can use the `actions/cache` action directly. For more information, see [AUTOTITLE](/actions/using-workflows/caching-dependencies-to-speed-up-workflows). ```yaml steps: diff --git a/content/actions/use-cases-and-examples/building-and-testing/building-and-testing-swift.md b/content/actions/use-cases-and-examples/building-and-testing/building-and-testing-swift.md index eb3363e60b0f..6df66633b00e 100644 --- a/content/actions/use-cases-and-examples/building-and-testing/building-and-testing-swift.md +++ b/content/actions/use-cases-and-examples/building-and-testing/building-and-testing-swift.md @@ -21,13 +21,13 @@ shortTitle: Build & test Swift This guide shows you how to build and test a Swift package. -{% data variables.product.prodname_dotcom %}-hosted runners have a tools cache with preinstalled software, and the Ubuntu and macOS runners include the dependencies for building Swift packages. For a full list of up-to-date software and the preinstalled versions of Swift and Xcode, see "[AUTOTITLE](/actions/using-github-hosted-runners/about-github-hosted-runners#supported-software)." +{% data variables.product.prodname_dotcom %}-hosted runners have a tools cache with preinstalled software, and the Ubuntu and macOS runners include the dependencies for building Swift packages. For a full list of up-to-date software and the preinstalled versions of Swift and Xcode, see [AUTOTITLE](/actions/using-github-hosted-runners/about-github-hosted-runners#supported-software). ## Prerequisites -You should already be familiar with YAML syntax and how it's used with {% data variables.product.prodname_actions %}. For more information, see "[AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions)." +You should already be familiar with YAML syntax and how it's used with {% data variables.product.prodname_actions %}. For more information, see [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions). -We recommend that you have a basic understanding of Swift packages. For more information, see "[Swift Packages](https://developer.apple.com/documentation/xcode/swift-packages)" in the Apple developer documentation. +We recommend that you have a basic understanding of Swift packages. For more information, see [Swift Packages](https://developer.apple.com/documentation/xcode/swift-packages) in the Apple developer documentation. ## Using a Swift workflow template diff --git a/content/actions/use-cases-and-examples/building-and-testing/building-and-testing-xamarin-applications.md b/content/actions/use-cases-and-examples/building-and-testing/building-and-testing-xamarin-applications.md index be1952bc746e..31b18ad4922b 100644 --- a/content/actions/use-cases-and-examples/building-and-testing/building-and-testing-xamarin-applications.md +++ b/content/actions/use-cases-and-examples/building-and-testing/building-and-testing-xamarin-applications.md @@ -31,9 +31,9 @@ For a full list of available Xamarin SDK versions on the {% data variables.produ We recommend that you have a basic understanding of Xamarin, .NET Core SDK, YAML, workflow configuration options, and how to create a workflow file. For more information, see: -* "[AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions)" -* "[Getting started with .NET](https://dotnet.microsoft.com/learn)" -* "[Learn Xamarin](https://dotnet.microsoft.com/learn/xamarin)" +* [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions) +* [Getting started with .NET](https://dotnet.microsoft.com/learn) +* [Learn Xamarin](https://dotnet.microsoft.com/learn/xamarin) {% ifversion ghec %} diff --git a/content/actions/use-cases-and-examples/deploying/deploying-docker-to-azure-app-service.md b/content/actions/use-cases-and-examples/deploying/deploying-docker-to-azure-app-service.md index 221a655fed16..581b02ad7912 100644 --- a/content/actions/use-cases-and-examples/deploying/deploying-docker-to-azure-app-service.md +++ b/content/actions/use-cases-and-examples/deploying/deploying-docker-to-azure-app-service.md @@ -22,7 +22,7 @@ redirect_from: This guide explains how to use {% data variables.product.prodname_actions %} to build and deploy a Docker container to [Azure App Service](https://azure.microsoft.com/services/app-service/). > [!NOTE] -> {% data reusables.actions.about-oidc-short-overview %} and "[AUTOTITLE](/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-azure)." +> {% data reusables.actions.about-oidc-short-overview %} and [AUTOTITLE](/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-azure). ## Prerequisites @@ -48,7 +48,7 @@ Before creating your {% data variables.product.prodname_actions %} workflow, you 1. Set registry credentials for your web app. - Create a {% data variables.product.pat_v1 %} with the `repo` and `read:packages` scopes. For more information, see "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token)." + Create a {% data variables.product.pat_v1 %} with the `repo` and `read:packages` scopes. For more information, see [AUTOTITLE](/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token). Set `DOCKER_REGISTRY_SERVER_URL` to `https://ghcr.io`, `DOCKER_REGISTRY_SERVER_USERNAME` to the GitHub username or organization that owns the repository, and `DOCKER_REGISTRY_SERVER_PASSWORD` to your {% data variables.product.pat_generic %} from above. This will give your web app credentials so it can pull the container image after your workflow pushes a newly built image to the registry. You can do this with the following Azure CLI command: diff --git a/content/actions/use-cases-and-examples/deploying/deploying-java-to-azure-app-service.md b/content/actions/use-cases-and-examples/deploying/deploying-java-to-azure-app-service.md index fcc7d297c6b6..9b5f3b875476 100644 --- a/content/actions/use-cases-and-examples/deploying/deploying-java-to-azure-app-service.md +++ b/content/actions/use-cases-and-examples/deploying/deploying-java-to-azure-app-service.md @@ -21,7 +21,7 @@ redirect_from: This guide explains how to use {% data variables.product.prodname_actions %} to build and deploy a Java project to [Azure App Service](https://azure.microsoft.com/services/app-service/). > [!NOTE] -> {% data reusables.actions.about-oidc-short-overview %} and "[AUTOTITLE](/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-azure)." +> {% data reusables.actions.about-oidc-short-overview %} and [AUTOTITLE](/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-azure). ## Prerequisites diff --git a/content/actions/use-cases-and-examples/deploying/deploying-net-to-azure-app-service.md b/content/actions/use-cases-and-examples/deploying/deploying-net-to-azure-app-service.md index 2137948e0b2c..04780c3bd330 100644 --- a/content/actions/use-cases-and-examples/deploying/deploying-net-to-azure-app-service.md +++ b/content/actions/use-cases-and-examples/deploying/deploying-net-to-azure-app-service.md @@ -20,7 +20,7 @@ redirect_from: This guide explains how to use {% data variables.product.prodname_actions %} to build and deploy a .NET project to [Azure App Service](https://azure.microsoft.com/services/app-service/). > [!NOTE] -> {% data reusables.actions.about-oidc-short-overview %} and "[AUTOTITLE](/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-azure)." +> {% data reusables.actions.about-oidc-short-overview %} and [AUTOTITLE](/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-azure). ## Prerequisites diff --git a/content/actions/use-cases-and-examples/deploying/deploying-nodejs-to-azure-app-service.md b/content/actions/use-cases-and-examples/deploying/deploying-nodejs-to-azure-app-service.md index f247a5764d95..47e3381b9519 100644 --- a/content/actions/use-cases-and-examples/deploying/deploying-nodejs-to-azure-app-service.md +++ b/content/actions/use-cases-and-examples/deploying/deploying-nodejs-to-azure-app-service.md @@ -25,7 +25,7 @@ topics: This guide explains how to use {% data variables.product.prodname_actions %} to build, test, and deploy a Node.js project to [Azure App Service](https://azure.microsoft.com/services/app-service/). > [!NOTE] -> {% data reusables.actions.about-oidc-short-overview %} and "[AUTOTITLE](/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-azure)." +> {% data reusables.actions.about-oidc-short-overview %} and [AUTOTITLE](/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-azure). ## Prerequisites @@ -128,4 +128,4 @@ The following resources may also be useful: * For the original workflow template, see [`azure-webapps-node.yml`](https://github.com/actions/starter-workflows/blob/main/deployments/azure-webapps-node.yml) in the {% data variables.product.prodname_actions %} `starter-workflows` repository. * The action used to deploy the web app is the official Azure [`Azure/webapps-deploy`](https://github.com/Azure/webapps-deploy) action. * For more examples of GitHub Action workflows that deploy to Azure, see the [actions-workflow-samples](https://github.com/Azure/actions-workflow-samples) repository. -* The "[Create a Node.js web app in Azure](https://docs.microsoft.com/azure/app-service/quickstart-nodejs)" quickstart in the Azure web app documentation demonstrates using {% data variables.product.prodname_vscode %} with the [Azure App Service extension](https://marketplace.visualstudio.com/items?itemName=ms-azuretools.vscode-azureappservice). +* The [Create a Node.js web app in Azure](https://docs.microsoft.com/azure/app-service/quickstart-nodejs) quickstart in the Azure web app documentation demonstrates using {% data variables.product.prodname_vscode %} with the [Azure App Service extension](https://marketplace.visualstudio.com/items?itemName=ms-azuretools.vscode-azureappservice). diff --git a/content/actions/use-cases-and-examples/deploying/deploying-php-to-azure-app-service.md b/content/actions/use-cases-and-examples/deploying/deploying-php-to-azure-app-service.md index 7e6b78a87d22..3f2b171ee3ce 100644 --- a/content/actions/use-cases-and-examples/deploying/deploying-php-to-azure-app-service.md +++ b/content/actions/use-cases-and-examples/deploying/deploying-php-to-azure-app-service.md @@ -20,7 +20,7 @@ redirect_from: This guide explains how to use {% data variables.product.prodname_actions %} to build and deploy a PHP project to [Azure App Service](https://azure.microsoft.com/services/app-service/). > [!NOTE] -> {% data reusables.actions.about-oidc-short-overview %} and "[AUTOTITLE](/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-azure)." +> {% data reusables.actions.about-oidc-short-overview %} and [AUTOTITLE](/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-azure). ## Prerequisites diff --git a/content/actions/use-cases-and-examples/deploying/deploying-python-to-azure-app-service.md b/content/actions/use-cases-and-examples/deploying/deploying-python-to-azure-app-service.md index 43b09cc206d2..2b0c0db5d4ac 100644 --- a/content/actions/use-cases-and-examples/deploying/deploying-python-to-azure-app-service.md +++ b/content/actions/use-cases-and-examples/deploying/deploying-python-to-azure-app-service.md @@ -21,7 +21,7 @@ redirect_from: This guide explains how to use {% data variables.product.prodname_actions %} to build and deploy a Python project to [Azure App Service](https://azure.microsoft.com/services/app-service/). > [!NOTE] -> {% data reusables.actions.about-oidc-short-overview %} and "[AUTOTITLE](/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-azure)." +> {% data reusables.actions.about-oidc-short-overview %} and [AUTOTITLE](/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-azure). ## Prerequisites diff --git a/content/actions/use-cases-and-examples/deploying/deploying-to-amazon-elastic-container-service.md b/content/actions/use-cases-and-examples/deploying/deploying-to-amazon-elastic-container-service.md index ac5ae8b802cf..bf6122d3f52f 100644 --- a/content/actions/use-cases-and-examples/deploying/deploying-to-amazon-elastic-container-service.md +++ b/content/actions/use-cases-and-examples/deploying/deploying-to-amazon-elastic-container-service.md @@ -26,7 +26,7 @@ This guide explains how to use {% data variables.product.prodname_actions %} to On every new push to `main` in your {% data variables.product.company_short %} repository, the {% data variables.product.prodname_actions %} workflow builds and pushes a new container image to Amazon ECR, and then deploys a new task definition to Amazon ECS. > [!NOTE] -> {% data reusables.actions.about-oidc-short-overview %} and "[AUTOTITLE](/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services)." +> {% data reusables.actions.about-oidc-short-overview %} and [AUTOTITLE](/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services). ## Prerequisites @@ -77,7 +77,7 @@ Before creating your {% data variables.product.prodname_actions %} workflow, you 1. Create {% data variables.product.prodname_actions %} secrets named `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` to store the values for your Amazon IAM access key. - For more information on creating secrets for {% data variables.product.prodname_actions %}, see "[AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-a-repository)." + For more information on creating secrets for {% data variables.product.prodname_actions %}, see [AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-a-repository). See the documentation for each action used below for the recommended IAM policies for the IAM user, and methods for handling the access key credentials. @@ -172,8 +172,8 @@ For the original workflow template, see [`aws.yml`](https://github.com/actions/s For more information on the services used in these examples, see the following documentation: -* "[Security best practices in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html)" in the Amazon AWS documentation. -* Official AWS "[Configure AWS Credentials](https://github.com/aws-actions/configure-aws-credentials)" action. +* [Security best practices in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html) in the Amazon AWS documentation. +* Official AWS [Configure AWS Credentials](https://github.com/aws-actions/configure-aws-credentials) action. * Official AWS [Amazon ECR "Login"](https://github.com/aws-actions/amazon-ecr-login) action. * Official AWS [Amazon ECS "Render Task Definition"](https://github.com/aws-actions/amazon-ecs-render-task-definition) action. * Official AWS [Amazon ECS "Deploy Task Definition"](https://github.com/aws-actions/amazon-ecs-deploy-task-definition) action. diff --git a/content/actions/use-cases-and-examples/deploying/deploying-to-azure-kubernetes-service.md b/content/actions/use-cases-and-examples/deploying/deploying-to-azure-kubernetes-service.md index 52e9d28ba96a..88b36af68658 100644 --- a/content/actions/use-cases-and-examples/deploying/deploying-to-azure-kubernetes-service.md +++ b/content/actions/use-cases-and-examples/deploying/deploying-to-azure-kubernetes-service.md @@ -20,13 +20,13 @@ redirect_from: This guide explains how to use {% data variables.product.prodname_actions %} to build and deploy a project to [Azure Kubernetes Service](https://azure.microsoft.com/services/kubernetes-service/). > [!NOTE] -> {% data reusables.actions.about-oidc-short-overview %} and "[AUTOTITLE](/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-azure)." +> {% data reusables.actions.about-oidc-short-overview %} and [AUTOTITLE](/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-azure). ## Prerequisites Before creating your {% data variables.product.prodname_actions %} workflow, you will first need to complete the following setup steps: -1. Create a target AKS cluster and an Azure Container Registry (ACR). For more information, see "[Quickstart: Deploy an AKS cluster by using the Azure portal - Azure Kubernetes Service](https://docs.microsoft.com/azure/aks/kubernetes-walkthrough-portal)" and "[Quickstart - Create registry in portal - Azure Container Registry](https://docs.microsoft.com/azure/container-registry/container-registry-get-started-portal)" in the Azure documentation. +1. Create a target AKS cluster and an Azure Container Registry (ACR). For more information, see [Quickstart: Deploy an AKS cluster by using the Azure portal - Azure Kubernetes Service](https://docs.microsoft.com/azure/aks/kubernetes-walkthrough-portal) and [Quickstart - Create registry in portal - Azure Container Registry](https://docs.microsoft.com/azure/container-registry/container-registry-get-started-portal) in the Azure documentation. 1. Create a secret called `AZURE_CREDENTIALS` to store your Azure credentials. For more information about how to find this information and structure the secret, see [the `Azure/login` action documentation](https://github.com/Azure/login#configure-a-service-principal-with-a-secret). diff --git a/content/actions/use-cases-and-examples/deploying/deploying-to-azure-static-web-app.md b/content/actions/use-cases-and-examples/deploying/deploying-to-azure-static-web-app.md index 7a73e1cb10ea..dd7534e785e5 100644 --- a/content/actions/use-cases-and-examples/deploying/deploying-to-azure-static-web-app.md +++ b/content/actions/use-cases-and-examples/deploying/deploying-to-azure-static-web-app.md @@ -20,15 +20,15 @@ redirect_from: This guide explains how to use {% data variables.product.prodname_actions %} to build and deploy a web app to [Azure Static Web Apps](https://azure.microsoft.com/services/app-service/static/). > [!NOTE] -> {% data reusables.actions.about-oidc-short-overview %} and "[AUTOTITLE](/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-azure)." +> {% data reusables.actions.about-oidc-short-overview %} and [AUTOTITLE](/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-azure). ## Prerequisites Before creating your {% data variables.product.prodname_actions %} workflow, you will first need to complete the following setup steps: -1. Create an Azure Static Web App using the 'Other' option for deployment source. For more information, see "[Quickstart: Building your first static site in the Azure portal](https://docs.microsoft.com/azure/static-web-apps/get-started-portal)" in the Azure documentation. +1. Create an Azure Static Web App using the 'Other' option for deployment source. For more information, see [Quickstart: Building your first static site in the Azure portal](https://docs.microsoft.com/azure/static-web-apps/get-started-portal) in the Azure documentation. -1. Create a secret called `AZURE_STATIC_WEB_APPS_API_TOKEN` with the value of your static web app deployment token. For more information about how to find your deployment token, see "[Reset deployment tokens in Azure Static Web Apps](https://docs.microsoft.com/azure/static-web-apps/deployment-token-management)" in the Azure documentation. +1. Create a secret called `AZURE_STATIC_WEB_APPS_API_TOKEN` with the value of your static web app deployment token. For more information about how to find your deployment token, see [Reset deployment tokens in Azure Static Web Apps](https://docs.microsoft.com/azure/static-web-apps/deployment-token-management) in the Azure documentation. ## Creating the workflow @@ -41,7 +41,7 @@ Under the workflow `env` key, change the following values: * `API_LOCATION` to the location of your API source code. If `API_LOCATION` is not relevant, you can delete the variable and the lines where it is used. * `OUTPUT_LOCATION` to the location of your client code build output -For more information about these values, see "[Build configuration for Azure Static Web Apps](https://docs.microsoft.com/azure/static-web-apps/build-configuration?tabs=github-actions)" in the Azure documentation. +For more information about these values, see [Build configuration for Azure Static Web Apps](https://docs.microsoft.com/azure/static-web-apps/build-configuration?tabs=github-actions) in the Azure documentation. ```yaml copy {% data reusables.actions.actions-not-certified-by-github-comment %} diff --git a/content/actions/use-cases-and-examples/deploying/deploying-to-google-kubernetes-engine.md b/content/actions/use-cases-and-examples/deploying/deploying-to-google-kubernetes-engine.md index 82eff64a6a0a..b322458c91ae 100644 --- a/content/actions/use-cases-and-examples/deploying/deploying-to-google-kubernetes-engine.md +++ b/content/actions/use-cases-and-examples/deploying/deploying-to-google-kubernetes-engine.md @@ -102,11 +102,11 @@ This procedure demonstrates how to create the service account for your GKE integ export GKE_SA_KEY=$(cat key.json | base64) ``` - For more information about how to store a secret, see "[AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions)." + For more information about how to store a secret, see [AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions). ### Storing your project name -Store the name of your project as a secret named `GKE_PROJECT`. For more information about how to store a secret, see "[AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions)." +Store the name of your project as a secret named `GKE_PROJECT`. For more information about how to store a secret, see [AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions). ### (Optional) Configuring kustomize @@ -208,4 +208,4 @@ For more information on the tools used in these examples, see the following docu * For the full workflow template, see the ["Build and Deploy to GKE" workflow](https://github.com/actions/starter-workflows/blob/main/deployments/google.yml). * The Kubernetes YAML customization engine: [Kustomize](https://kustomize.io/). -* "[Deploying a containerized web application](https://cloud.google.com/kubernetes-engine/docs/tutorials/hello-app)" in the Google Kubernetes Engine documentation. +* [Deploying a containerized web application](https://cloud.google.com/kubernetes-engine/docs/tutorials/hello-app) in the Google Kubernetes Engine documentation. diff --git a/content/actions/use-cases-and-examples/deploying/deploying-with-github-actions.md b/content/actions/use-cases-and-examples/deploying/deploying-with-github-actions.md index 184043b12834..fc1dbfa862db 100644 --- a/content/actions/use-cases-and-examples/deploying/deploying-with-github-actions.md +++ b/content/actions/use-cases-and-examples/deploying/deploying-with-github-actions.md @@ -25,11 +25,11 @@ shortTitle: Deploy with GitHub Actions * Configure environments to set rules before a job can proceed and to limit access to secrets. * Use concurrency to control the number of deployments running at a time. -For more information about continuous deployment, see "[AUTOTITLE](/actions/deployment/about-deployments/about-continuous-deployment)." +For more information about continuous deployment, see [AUTOTITLE](/actions/deployment/about-deployments/about-continuous-deployment). ## Prerequisites -You should be familiar with the syntax for {% data variables.product.prodname_actions %}. For more information, see "[AUTOTITLE](/actions/learn-github-actions)." +You should be familiar with the syntax for {% data variables.product.prodname_actions %}. For more information, see [AUTOTITLE](/actions/learn-github-actions). ## Triggering your deployment @@ -52,7 +52,7 @@ on: workflow_dispatch: ``` -For more information, see "[AUTOTITLE](/actions/using-workflows/events-that-trigger-workflows)." +For more information, see [AUTOTITLE](/actions/using-workflows/events-that-trigger-workflows). ## Using environments @@ -60,7 +60,7 @@ For more information, see "[AUTOTITLE](/actions/using-workflows/events-that-trig ## Using concurrency -Concurrency ensures that only a single job or workflow using the same concurrency group will run at a time. You can use concurrency so that an environment has a maximum of one deployment in progress and one deployment pending at a time. For more information about concurrency, see "[AUTOTITLE](/actions/using-jobs/using-concurrency)." +Concurrency ensures that only a single job or workflow using the same concurrency group will run at a time. You can use concurrency so that an environment has a maximum of one deployment in progress and one deployment pending at a time. For more information about concurrency, see [AUTOTITLE](/actions/using-jobs/using-concurrency). > [!NOTE] > `concurrency` and `environment` are not connected. The concurrency value can be any string; it does not need to be an environment name. Additionally, if another workflow uses the same environment but does not specify concurrency, that workflow will not be subject to any concurrency rules. @@ -129,35 +129,35 @@ jobs: # ...deployment-specific steps ``` -For guidance on writing deployment-specific steps, see "[Finding deployment examples](#finding-deployment-examples)." +For guidance on writing deployment-specific steps, see [Finding deployment examples](#finding-deployment-examples). ## Viewing deployment history -When a {% data variables.product.prodname_actions %} workflow deploys to an environment, the environment is displayed on the main page of the repository. For more information about viewing deployments to environments, see "[AUTOTITLE](/actions/deployment/managing-your-deployments/viewing-deployment-history)." +When a {% data variables.product.prodname_actions %} workflow deploys to an environment, the environment is displayed on the main page of the repository. For more information about viewing deployments to environments, see [AUTOTITLE](/actions/deployment/managing-your-deployments/viewing-deployment-history). ## Monitoring workflow runs -Every workflow run generates a real-time graph that illustrates the run progress. You can use this graph to monitor and debug deployments. For more information see, "[AUTOTITLE](/actions/monitoring-and-troubleshooting-workflows/using-the-visualization-graph)." +Every workflow run generates a real-time graph that illustrates the run progress. You can use this graph to monitor and debug deployments. For more information see, [AUTOTITLE](/actions/monitoring-and-troubleshooting-workflows/using-the-visualization-graph). -You can also view the logs of each workflow run and the history of workflow runs. For more information, see "[AUTOTITLE](/actions/monitoring-and-troubleshooting-workflows/viewing-workflow-run-history)." +You can also view the logs of each workflow run and the history of workflow runs. For more information, see [AUTOTITLE](/actions/monitoring-and-troubleshooting-workflows/viewing-workflow-run-history). ## Tracking deployments through apps {% ifversion fpt or ghec %} -If your personal account or organization on {% data variables.product.github %} is integrated with Microsoft Teams or Slack, you can track deployments that use environments through Microsoft Teams or Slack. For example, you can receive notifications through the app when a deployment is pending approval, when a deployment is approved, or when the deployment status changes. For more information about integrating Microsoft Teams or Slack, see "[AUTOTITLE](/get-started/exploring-integrations/github-extensions-and-integrations#team-communication-tools)." +If your personal account or organization on {% data variables.product.github %} is integrated with Microsoft Teams or Slack, you can track deployments that use environments through Microsoft Teams or Slack. For example, you can receive notifications through the app when a deployment is pending approval, when a deployment is approved, or when the deployment status changes. For more information about integrating Microsoft Teams or Slack, see [AUTOTITLE](/get-started/exploring-integrations/github-extensions-and-integrations#team-communication-tools). {% endif %} -You can also build an app that uses deployment and deployment status webhooks to track deployments. {% data reusables.actions.environment-deployment-event %} For more information, see "[AUTOTITLE](/apps)" and "[AUTOTITLE](/webhooks-and-events/webhooks/webhook-events-and-payloads#deployment)." +You can also build an app that uses deployment and deployment status webhooks to track deployments. {% data reusables.actions.environment-deployment-event %} For more information, see [AUTOTITLE](/apps) and [AUTOTITLE](/webhooks-and-events/webhooks/webhook-events-and-payloads#deployment). ## Choosing a runner -You can run your deployment workflow on {% data variables.product.company_short %}-hosted runners or on self-hosted runners. Traffic from {% data variables.product.company_short %}-hosted runners can come from a [wide range of network addresses](/rest/meta/meta#get-github-meta-information). If you are deploying to an internal environment and your company restricts external traffic into private networks, {% data variables.product.prodname_actions %} workflows running on {% data variables.product.company_short %}-hosted runners may not be able to communicate with your internal services or resources. To overcome this, you can host your own runners. For more information, see "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners)" and "[AUTOTITLE](/actions/using-github-hosted-runners/about-github-hosted-runners)." +You can run your deployment workflow on {% data variables.product.company_short %}-hosted runners or on self-hosted runners. Traffic from {% data variables.product.company_short %}-hosted runners can come from a [wide range of network addresses](/rest/meta/meta#get-github-meta-information). If you are deploying to an internal environment and your company restricts external traffic into private networks, {% data variables.product.prodname_actions %} workflows running on {% data variables.product.company_short %}-hosted runners may not be able to communicate with your internal services or resources. To overcome this, you can host your own runners. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners) and [AUTOTITLE](/actions/using-github-hosted-runners/about-github-hosted-runners). ## Displaying a status badge You can use a status badge to display the status of your deployment workflow. {% data reusables.repositories.actions-workflow-status-badge-intro %} -For more information, see "[AUTOTITLE](/actions/monitoring-and-troubleshooting-workflows/adding-a-workflow-status-badge)." +For more information, see [AUTOTITLE](/actions/monitoring-and-troubleshooting-workflows/adding-a-workflow-status-badge). ## Finding deployment examples diff --git a/content/actions/use-cases-and-examples/deploying/installing-an-apple-certificate-on-macos-runners-for-xcode-development.md b/content/actions/use-cases-and-examples/deploying/installing-an-apple-certificate-on-macos-runners-for-xcode-development.md index 161f2577184f..9dfa207925a4 100644 --- a/content/actions/use-cases-and-examples/deploying/installing-an-apple-certificate-on-macos-runners-for-xcode-development.md +++ b/content/actions/use-cases-and-examples/deploying/installing-an-apple-certificate-on-macos-runners-for-xcode-development.md @@ -27,8 +27,8 @@ This guide shows you how to add a step to your continuous integration (CI) workf You should be familiar with YAML and the syntax for {% data variables.product.prodname_actions %}. For more information, see: -* "[AUTOTITLE](/actions/learn-github-actions)" -* "[AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions)" +* [AUTOTITLE](/actions/learn-github-actions) +* [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions) You should have an understanding of Xcode app building and signing. For more information, see the [Apple developer documentation](https://developer.apple.com/documentation/). @@ -36,7 +36,7 @@ You should have an understanding of Xcode app building and signing. For more inf The signing process involves storing certificates and provisioning profiles, transferring them to the runner, importing them to the runner's keychain, and using them in your build. -To use your certificate and provisioning profile on a runner, we strongly recommend that you use {% data variables.product.prodname_dotcom %} secrets. For more information on creating secrets and using them in a workflow, see "[AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions)." +To use your certificate and provisioning profile on a runner, we strongly recommend that you use {% data variables.product.prodname_dotcom %} secrets. For more information on creating secrets and using them in a workflow, see [AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions). Create secrets in your repository or organization for the following items: diff --git a/content/actions/use-cases-and-examples/project-management/adding-labels-to-issues.md b/content/actions/use-cases-and-examples/project-management/adding-labels-to-issues.md index 3b2c1a88325b..bed3d740725a 100644 --- a/content/actions/use-cases-and-examples/project-management/adding-labels-to-issues.md +++ b/content/actions/use-cases-and-examples/project-management/adding-labels-to-issues.md @@ -54,7 +54,7 @@ In the tutorial, you will first make a workflow file that uses the {% data varia 1. Customize the `env` values in your workflow file: * The `GH_TOKEN`, `GH_REPO`, and `NUMBER` values are automatically set using the `github` and `secrets` contexts. You do not need to change these. - * Change the value for `LABELS` to the list of labels that you want to add to the issue. The label(s) must exist for your repository. Separate multiple labels with commas. For example, `help wanted,good first issue`. For more information about labels, see "[AUTOTITLE](/issues/using-labels-and-milestones-to-track-work/managing-labels#applying-labels-to-issues-and-pull-requests)." + * Change the value for `LABELS` to the list of labels that you want to add to the issue. The label(s) must exist for your repository. Separate multiple labels with commas. For example, `help wanted,good first issue`. For more information about labels, see [AUTOTITLE](/issues/using-labels-and-milestones-to-track-work/managing-labels#applying-labels-to-issues-and-pull-requests). 1. {% data reusables.actions.commit-workflow %} ## Testing the workflow @@ -63,12 +63,12 @@ Every time an issue in your repository is opened or reopened, this workflow will Test out your workflow by creating an issue in your repository. -1. Create an issue in your repository. For more information, see "[AUTOTITLE](/issues/tracking-your-work-with-issues/creating-an-issue)." -1. To see the workflow run that was triggered by creating the issue, view the history of your workflow runs. For more information, see "[AUTOTITLE](/actions/monitoring-and-troubleshooting-workflows/viewing-workflow-run-history)." +1. Create an issue in your repository. For more information, see [AUTOTITLE](/issues/tracking-your-work-with-issues/creating-an-issue). +1. To see the workflow run that was triggered by creating the issue, view the history of your workflow runs. For more information, see [AUTOTITLE](/actions/monitoring-and-troubleshooting-workflows/viewing-workflow-run-history). 1. When the workflow completes, the issue that you created should have the specified labels added. ## Next steps * To learn more about additional things you can do with the {% data variables.product.prodname_cli %}, see the [GitHub CLI manual](https://cli.github.com/manual/). -* To learn more about different events that can trigger your workflow, see "[AUTOTITLE](/actions/using-workflows/events-that-trigger-workflows#issues)." +* To learn more about different events that can trigger your workflow, see [AUTOTITLE](/actions/using-workflows/events-that-trigger-workflows#issues). * [Search GitHub](https://github.com/search?q=path%3A.github%2Fworkflows+gh+issue+edit&type=code) for examples of workflows using `gh issue edit`. diff --git a/content/actions/use-cases-and-examples/project-management/closing-inactive-issues.md b/content/actions/use-cases-and-examples/project-management/closing-inactive-issues.md index 00e3dc95ae90..b22bcd249971 100644 --- a/content/actions/use-cases-and-examples/project-management/closing-inactive-issues.md +++ b/content/actions/use-cases-and-examples/project-management/closing-inactive-issues.md @@ -55,7 +55,7 @@ In the tutorial, you will first make a workflow file that uses the [`actions/sta ``` 1. Customize the parameters in your workflow file: - * Change the value for `on.schedule` to dictate when you want this workflow to run. In the example above, the workflow will run every day at 1:30 UTC. For more information about scheduled workflows, see "[AUTOTITLE](/actions/using-workflows/events-that-trigger-workflows#scheduled-events)." + * Change the value for `on.schedule` to dictate when you want this workflow to run. In the example above, the workflow will run every day at 1:30 UTC. For more information about scheduled workflows, see [AUTOTITLE](/actions/using-workflows/events-that-trigger-workflows#scheduled-events). * Change the value for `days-before-issue-stale` to the number of days without activity before the `actions/stale` action labels an issue. If you never want this action to label issues, set this value to `-1`. * Change the value for `days-before-issue-close` to the number of days without activity before the `actions/stale` action closes an issue. If you never want this action to close issues, set this value to `-1`. * Change the value for `stale-issue-label` to the label that you want to apply to issues that have been inactive for the amount of time specified by `days-before-issue-stale`. @@ -70,7 +70,7 @@ Based on the `schedule` parameter (for example, every day at 1:30 UTC), your wor > [!NOTE] > {% data reusables.actions.schedule-delay %} -You can view the history of your workflow runs to see this workflow run periodically. For more information, see "[AUTOTITLE](/actions/monitoring-and-troubleshooting-workflows/viewing-workflow-run-history)." +You can view the history of your workflow runs to see this workflow run periodically. For more information, see [AUTOTITLE](/actions/monitoring-and-troubleshooting-workflows/viewing-workflow-run-history). This workflow will only label and/or close 30 issues at a time in order to avoid exceeding a rate limit. You can configure this with the `operations-per-run` setting. For more information, see the [`actions/stale` action documentation](https://github.com/marketplace/actions/close-stale-issues). diff --git a/content/actions/use-cases-and-examples/project-management/commenting-on-an-issue-when-a-label-is-added.md b/content/actions/use-cases-and-examples/project-management/commenting-on-an-issue-when-a-label-is-added.md index 280eaf77b789..fb7f97e74aaf 100644 --- a/content/actions/use-cases-and-examples/project-management/commenting-on-an-issue-when-a-label-is-added.md +++ b/content/actions/use-cases-and-examples/project-management/commenting-on-an-issue-when-a-label-is-added.md @@ -19,7 +19,7 @@ shortTitle: Add label to comment on issue ## Introduction -This tutorial demonstrates how to use the {% data variables.product.prodname_cli %} to comment on an issue when a specific label is applied. For example, when the `help wanted` label is added to an issue, you can add a comment to encourage contributors to work on the issue. For more information about {% data variables.product.prodname_cli %}, see "[AUTOTITLE](/actions/using-workflows/using-github-cli-in-workflows)." +This tutorial demonstrates how to use the {% data variables.product.prodname_cli %} to comment on an issue when a specific label is applied. For example, when the `help wanted` label is added to an issue, you can add a comment to encourage contributors to work on the issue. For more information about {% data variables.product.prodname_cli %}, see [AUTOTITLE](/actions/using-workflows/using-github-cli-in-workflows). In the tutorial, you will first make a workflow file that uses the `gh issue comment` command to comment on an issue. Then, you will customize the workflow to suit your needs. @@ -56,7 +56,7 @@ In the tutorial, you will first make a workflow file that uses the `gh issue com 1. Customize the parameters in your workflow file: * Replace `help wanted` in `if: github.event.label.name == 'help wanted'` with the label that you want to act on. If you want to act on more than one label, separate the conditions with `||`. For example, `if: github.event.label.name == 'bug' || github.event.label.name == 'fix me'` will comment whenever the `bug` or `fix me` labels are added to an issue. - * Change the value for `BODY` to the comment that you want to add. GitHub flavored markdown is supported. For more information about markdown, see "[AUTOTITLE](/get-started/writing-on-github/getting-started-with-writing-and-formatting-on-github/basic-writing-and-formatting-syntax)." + * Change the value for `BODY` to the comment that you want to add. GitHub flavored markdown is supported. For more information about markdown, see [AUTOTITLE](/get-started/writing-on-github/getting-started-with-writing-and-formatting-on-github/basic-writing-and-formatting-syntax). 1. {% data reusables.actions.commit-workflow %} ## Testing the workflow @@ -65,9 +65,9 @@ Every time an issue in your repository is labeled, this workflow will run. If th Test your workflow by applying your specified label to an issue. -1. Open an issue in your repository. For more information, see "[AUTOTITLE](/issues/tracking-your-work-with-issues/creating-an-issue)." -1. Label the issue with the specified label in your workflow file. For more information, see "[AUTOTITLE](/issues/using-labels-and-milestones-to-track-work/managing-labels#applying-labels-to-issues-and-pull-requests)." -1. To see the workflow run triggered by labeling the issue, view the history of your workflow runs. For more information, see "[AUTOTITLE](/actions/monitoring-and-troubleshooting-workflows/viewing-workflow-run-history)." +1. Open an issue in your repository. For more information, see [AUTOTITLE](/issues/tracking-your-work-with-issues/creating-an-issue). +1. Label the issue with the specified label in your workflow file. For more information, see [AUTOTITLE](/issues/using-labels-and-milestones-to-track-work/managing-labels#applying-labels-to-issues-and-pull-requests). +1. To see the workflow run triggered by labeling the issue, view the history of your workflow runs. For more information, see [AUTOTITLE](/actions/monitoring-and-troubleshooting-workflows/viewing-workflow-run-history). 1. When the workflow completes, the issue that you labeled should have a comment added. ## Next steps diff --git a/content/actions/use-cases-and-examples/project-management/moving-assigned-issues-on-project-boards.md b/content/actions/use-cases-and-examples/project-management/moving-assigned-issues-on-project-boards.md index 7846fbeb8e66..66b5d53c80fe 100644 --- a/content/actions/use-cases-and-examples/project-management/moving-assigned-issues-on-project-boards.md +++ b/content/actions/use-cases-and-examples/project-management/moving-assigned-issues-on-project-boards.md @@ -27,7 +27,7 @@ In the tutorial, you will first make a workflow file that uses the [`alex-page/g ## Creating the workflow 1. {% data reusables.actions.choose-repo %} -1. In your repository, choose a {% data variables.projects.projects_v1_board %}. {% ifversion projects-v1-can-create %} You can use an existing project, or you can create a new project. For more information about creating a project, see "[AUTOTITLE](/issues/organizing-your-work-with-project-boards/managing-project-boards/creating-a-project-board)."{% endif %} +1. In your repository, choose a {% data variables.projects.projects_v1_board %}. {% ifversion projects-v1-can-create %} You can use an existing project, or you can create a new project. For more information about creating a project, see [AUTOTITLE](/issues/organizing-your-work-with-project-boards/managing-project-boards/creating-a-project-board).{% endif %} 1. {% data reusables.actions.make-workflow-file %} 1. Copy the following YAML contents into your workflow file. @@ -56,8 +56,8 @@ In the tutorial, you will first make a workflow file that uses the [`alex-page/g * Change the value for `project` to the name of your {% data variables.projects.projects_v1_board %}. If you have multiple {% data variables.projects.projects_v1_boards %} with the same name, the `alex-page/github-project-automation-plus` action will act on all projects with the specified name. * Change the value for `column` to the name of the column where you want issues to move when they are assigned. * Change the value for `repo-token`: - 1. Create a {% data variables.product.pat_v1 %} with the `repo` scope. For more information, see "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token)." - 1. Store this {% data variables.product.pat_generic %} as a secret in your repository. For more information about storing secrets, see "[AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions)." + 1. Create a {% data variables.product.pat_v1 %} with the `repo` scope. For more information, see [AUTOTITLE](/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token). + 1. Store this {% data variables.product.pat_generic %} as a secret in your repository. For more information about storing secrets, see [AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions). 1. In your workflow file, replace `PERSONAL_ACCESS_TOKEN` with the name of your secret. 1. {% data reusables.actions.commit-workflow %} @@ -69,9 +69,9 @@ If your repository is user-owned, the `alex-page/github-project-automation-plus` Test your workflow by assigning an issue in your repository. -1. Open an issue in your repository. For more information, see "[AUTOTITLE](/issues/tracking-your-work-with-issues/creating-an-issue)." -1. Assign the issue. For more information, see "[AUTOTITLE](/issues/tracking-your-work-with-issues/assigning-issues-and-pull-requests-to-other-github-users)." -1. To see the workflow run that assigning the issue triggered, view the history of your workflow runs. For more information, see "[AUTOTITLE](/actions/monitoring-and-troubleshooting-workflows/viewing-workflow-run-history)." +1. Open an issue in your repository. For more information, see [AUTOTITLE](/issues/tracking-your-work-with-issues/creating-an-issue). +1. Assign the issue. For more information, see [AUTOTITLE](/issues/tracking-your-work-with-issues/assigning-issues-and-pull-requests-to-other-github-users). +1. To see the workflow run that assigning the issue triggered, view the history of your workflow runs. For more information, see [AUTOTITLE](/actions/monitoring-and-troubleshooting-workflows/viewing-workflow-run-history). 1. When the workflow completes, the issue that you assigned should be added to the specified {% data variables.projects.projects_v1_board %} column. ## Next steps diff --git a/content/actions/use-cases-and-examples/project-management/removing-a-label-when-a-card-is-added-to-a-project-board-column.md b/content/actions/use-cases-and-examples/project-management/removing-a-label-when-a-card-is-added-to-a-project-board-column.md index 3d308e147465..1b070dce5ee5 100644 --- a/content/actions/use-cases-and-examples/project-management/removing-a-label-when-a-card-is-added-to-a-project-board-column.md +++ b/content/actions/use-cases-and-examples/project-management/removing-a-label-when-a-card-is-added-to-a-project-board-column.md @@ -27,7 +27,7 @@ In the tutorial, you will first make a workflow file that uses the [`actions/git ## Creating the workflow 1. {% data reusables.actions.choose-repo %} -1. Choose a {% data variables.projects.projects_v1_board %} that belongs to the repository. This workflow cannot be used with projects that belong to users or organizations. {% ifversion projects-v1-can-create %} You can use an existing {% data variables.projects.projects_v1_board %}, or you can create a new {% data variables.projects.projects_v1_board %}. For more information about creating a project, see "[AUTOTITLE](/issues/organizing-your-work-with-project-boards/managing-project-boards/creating-a-project-board)."{% endif %} +1. Choose a {% data variables.projects.projects_v1_board %} that belongs to the repository. This workflow cannot be used with projects that belong to users or organizations. {% ifversion projects-v1-can-create %} You can use an existing {% data variables.projects.projects_v1_board %}, or you can create a new {% data variables.projects.projects_v1_board %}. For more information about creating a project, see [AUTOTITLE](/issues/organizing-your-work-with-project-boards/managing-project-boards/creating-a-project-board).{% endif %} 1. {% data reusables.actions.make-workflow-file %} 1. Copy the following YAML contents into your workflow file. @@ -64,7 +64,7 @@ In the tutorial, you will first make a workflow file that uses the [`actions/git To find the column ID, navigate to your {% data variables.projects.projects_v1_board %}. Next to the title of the column, click {% octicon "kebab-horizontal" aria-label="Column menu" %} then click **Copy column link**. The column ID is the number at the end of the copied link. For example, `24687531` is the column ID for `https://github.com/octocat/octo-repo/projects/1#column-24687531`. If you want to act on more than one column, separate the conditions with `||`. For example, `if github.event.project_card.column_id == '12345678' || github.event.project_card.column_id == '87654321'` will act whenever a project card is added to column `12345678` or column `87654321`. The columns may be on different {% data variables.projects.projects_v1_boards %}. - * Change the value for `name` in the `github.rest.issues.removeLabel()` function to the name of the label that you want to remove from issues or pull requests that are moved to the specified column(s). For more information on labels, see "[AUTOTITLE](/issues/using-labels-and-milestones-to-track-work/managing-labels#applying-labels-to-issues-and-pull-requests)." + * Change the value for `name` in the `github.rest.issues.removeLabel()` function to the name of the label that you want to remove from issues or pull requests that are moved to the specified column(s). For more information on labels, see [AUTOTITLE](/issues/using-labels-and-milestones-to-track-work/managing-labels#applying-labels-to-issues-and-pull-requests). 1. {% data reusables.actions.commit-workflow %} ## Testing the workflow @@ -73,10 +73,10 @@ Every time a project card on a {% data variables.projects.projects_v1_board %} i Test your workflow out by moving an issue on your {% data variables.projects.projects_v1_board %} into the target column. -1. Open an issue in your repository. For more information, see "[AUTOTITLE](/issues/tracking-your-work-with-issues/creating-an-issue)." -1. Label the issue with the label that you want the workflow to remove. For more information, see "[AUTOTITLE](/issues/using-labels-and-milestones-to-track-work/managing-labels#applying-labels-to-issues-and-pull-requests)." -1. Add the issue to the {% data variables.projects.projects_v1_board %} column that you specified in your workflow file. For more information, see "[AUTOTITLE](/issues/organizing-your-work-with-project-boards/tracking-work-with-project-boards/adding-issues-and-pull-requests-to-a-project-board)." -1. To see the workflow run that was triggered by adding the issue to the project, view the history of your workflow runs. For more information, see "[AUTOTITLE](/actions/monitoring-and-troubleshooting-workflows/viewing-workflow-run-history)." +1. Open an issue in your repository. For more information, see [AUTOTITLE](/issues/tracking-your-work-with-issues/creating-an-issue). +1. Label the issue with the label that you want the workflow to remove. For more information, see [AUTOTITLE](/issues/using-labels-and-milestones-to-track-work/managing-labels#applying-labels-to-issues-and-pull-requests). +1. Add the issue to the {% data variables.projects.projects_v1_board %} column that you specified in your workflow file. For more information, see [AUTOTITLE](/issues/organizing-your-work-with-project-boards/tracking-work-with-project-boards/adding-issues-and-pull-requests-to-a-project-board). +1. To see the workflow run that was triggered by adding the issue to the project, view the history of your workflow runs. For more information, see [AUTOTITLE](/actions/monitoring-and-troubleshooting-workflows/viewing-workflow-run-history). 1. When the workflow completes, the issue that you added to the project column should have the specified label removed. ## Next steps diff --git a/content/actions/use-cases-and-examples/project-management/scheduling-issue-creation.md b/content/actions/use-cases-and-examples/project-management/scheduling-issue-creation.md index a0121d7d6369..02a158833396 100644 --- a/content/actions/use-cases-and-examples/project-management/scheduling-issue-creation.md +++ b/content/actions/use-cases-and-examples/project-management/scheduling-issue-creation.md @@ -19,7 +19,7 @@ topics: ## Introduction -This tutorial demonstrates how to use the {% data variables.product.prodname_cli %} to create an issue on a regular basis. For example, you can create an issue each week to use as the agenda for a team meeting. For more information about {% data variables.product.prodname_cli %}, see "[AUTOTITLE](/actions/using-workflows/using-github-cli-in-workflows)." +This tutorial demonstrates how to use the {% data variables.product.prodname_cli %} to create an issue on a regular basis. For example, you can create an issue each week to use as the agenda for a team meeting. For more information about {% data variables.product.prodname_cli %}, see [AUTOTITLE](/actions/using-workflows/using-github-cli-in-workflows). In the tutorial, you will first make a workflow file that uses the {% data variables.product.prodname_cli %}. Then, you will customize the workflow to suit your needs. @@ -85,12 +85,12 @@ In the tutorial, you will first make a workflow file that uses the {% data varia ``` 1. Customize the parameters in your workflow file: - * Change the value for `on.schedule` to dictate when you want this workflow to run. In the example above, the workflow will run every Monday at 7:20 UTC. For more information about scheduled workflows, see "[AUTOTITLE](/actions/using-workflows/events-that-trigger-workflows#scheduled-events)." + * Change the value for `on.schedule` to dictate when you want this workflow to run. In the example above, the workflow will run every Monday at 7:20 UTC. For more information about scheduled workflows, see [AUTOTITLE](/actions/using-workflows/events-that-trigger-workflows#scheduled-events). * Change the value for `ASSIGNEES` to the list of {% data variables.product.prodname_dotcom %} usernames that you want to assign to the issue. * Change the value for `LABELS` to the list of labels that you want to apply to the issue. * Change the value for `TITLE` to the title that you want the issue to have. * Change the value for `BODY` to the text that you want in the issue body. The `|` character allows you to use a multi-line value for this parameter. - * If you want to pin this issue in your repository, set `PINNED` to `true`. For more information about pinned issues, see "[AUTOTITLE](/issues/tracking-your-work-with-issues/pinning-an-issue-to-your-repository)." + * If you want to pin this issue in your repository, set `PINNED` to `true`. For more information about pinned issues, see [AUTOTITLE](/issues/tracking-your-work-with-issues/pinning-an-issue-to-your-repository). * If you want to close the previous issue generated by this workflow each time a new issue is created, set `CLOSE_PREVIOUS` to `true`. The workflow will close the most recent issue that has the labels defined in the `labels` field. To avoid closing the wrong issue, use a unique label or combination of labels. 1. {% data reusables.actions.commit-workflow %} @@ -101,7 +101,7 @@ Based on the `schedule` parameter (for example, every Monday at 7:20 UTC), your > [!NOTE] > {% data reusables.actions.schedule-delay %} -You can view the history of your workflow runs to see this workflow run periodically. For more information, see "[AUTOTITLE](/actions/monitoring-and-troubleshooting-workflows/viewing-workflow-run-history)." +You can view the history of your workflow runs to see this workflow run periodically. For more information, see [AUTOTITLE](/actions/monitoring-and-troubleshooting-workflows/viewing-workflow-run-history). ## Next steps diff --git a/content/actions/use-cases-and-examples/project-management/using-github-actions-for-project-management.md b/content/actions/use-cases-and-examples/project-management/using-github-actions-for-project-management.md index c3eb9660c7a5..f4d8ac27124b 100644 --- a/content/actions/use-cases-and-examples/project-management/using-github-actions-for-project-management.md +++ b/content/actions/use-cases-and-examples/project-management/using-github-actions-for-project-management.md @@ -26,7 +26,7 @@ Many workflow triggers are useful for automating project management. * A comment is added to an issue. * A scheduled time. -For a full list of events that can trigger workflows, see "[AUTOTITLE](/actions/using-workflows/events-that-trigger-workflows)." +For a full list of events that can trigger workflows, see [AUTOTITLE](/actions/using-workflows/events-that-trigger-workflows). ## What can workflows do? @@ -34,9 +34,9 @@ Workflows can do many things, such as commenting on an issue, adding or removing You can learn about using {% data variables.product.prodname_actions %} for project management by following these tutorials, which include example workflows that you can adapt to meet your needs. -* "[AUTOTITLE](/actions/managing-issues-and-pull-requests/adding-labels-to-issues)"{%- ifversion projects-v1 %} -* "[AUTOTITLE](/actions/managing-issues-and-pull-requests/removing-a-label-when-a-card-is-added-to-a-project-board-column)" -* "[AUTOTITLE](/actions/managing-issues-and-pull-requests/moving-assigned-issues-on-project-boards)"{% endif %} -* "[AUTOTITLE](/actions/managing-issues-and-pull-requests/commenting-on-an-issue-when-a-label-is-added)" -* "[AUTOTITLE](/actions/managing-issues-and-pull-requests/closing-inactive-issues)" -* "[AUTOTITLE](/actions/managing-issues-and-pull-requests/scheduling-issue-creation)" +* [AUTOTITLE](/actions/managing-issues-and-pull-requests/adding-labels-to-issues){%- ifversion projects-v1 %} +* [AUTOTITLE](/actions/managing-issues-and-pull-requests/removing-a-label-when-a-card-is-added-to-a-project-board-column) +* [AUTOTITLE](/actions/managing-issues-and-pull-requests/moving-assigned-issues-on-project-boards){% endif %} +* [AUTOTITLE](/actions/managing-issues-and-pull-requests/commenting-on-an-issue-when-a-label-is-added) +* [AUTOTITLE](/actions/managing-issues-and-pull-requests/closing-inactive-issues) +* [AUTOTITLE](/actions/managing-issues-and-pull-requests/scheduling-issue-creation) diff --git a/content/actions/use-cases-and-examples/publishing-packages/about-packaging-with-github-actions.md b/content/actions/use-cases-and-examples/publishing-packages/about-packaging-with-github-actions.md index 4767c8759b5c..60b11fa31ce7 100644 --- a/content/actions/use-cases-and-examples/publishing-packages/about-packaging-with-github-actions.md +++ b/content/actions/use-cases-and-examples/publishing-packages/about-packaging-with-github-actions.md @@ -22,4 +22,4 @@ shortTitle: Packaging with GitHub Actions ## Further reading -* "[AUTOTITLE](/actions/publishing-packages/publishing-nodejs-packages)" +* [AUTOTITLE](/actions/publishing-packages/publishing-nodejs-packages) diff --git a/content/actions/use-cases-and-examples/publishing-packages/publishing-docker-images.md b/content/actions/use-cases-and-examples/publishing-packages/publishing-docker-images.md index adebfcbd13eb..5d0502e7aed5 100644 --- a/content/actions/use-cases-and-examples/publishing-packages/publishing-docker-images.md +++ b/content/actions/use-cases-and-examples/publishing-packages/publishing-docker-images.md @@ -25,24 +25,24 @@ layout: inline This guide shows you how to create a workflow that performs a Docker build, and then publishes Docker images to Docker Hub or {% data variables.product.prodname_registry %}. With a single workflow, you can publish images to a single registry or to multiple registries. > [!NOTE] -> If you want to push to another third-party Docker registry, the example in the "[Publishing images to {% data variables.product.prodname_registry %}](#publishing-images-to-github-packages)" section can serve as a good template. +> If you want to push to another third-party Docker registry, the example in the [Publishing images to {% data variables.product.prodname_registry %}](#publishing-images-to-github-packages) section can serve as a good template. ## Prerequisites -We recommend that you have a basic understanding of workflow configuration options and how to create a workflow file. For more information, see "[AUTOTITLE](/actions/learn-github-actions)." +We recommend that you have a basic understanding of workflow configuration options and how to create a workflow file. For more information, see [AUTOTITLE](/actions/learn-github-actions). You might also find it helpful to have a basic understanding of the following: -* "[AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions)" -* "[AUTOTITLE](/actions/security-guides/automatic-token-authentication)"{% ifversion fpt or ghec %} -* "[AUTOTITLE](/packages/working-with-a-github-packages-registry/working-with-the-container-registry)"{% else %} -* "[AUTOTITLE](/packages/working-with-a-github-packages-registry/working-with-the-docker-registry)"{% endif %} +* [AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions) +* [AUTOTITLE](/actions/security-guides/automatic-token-authentication){% ifversion fpt or ghec %} +* [AUTOTITLE](/packages/working-with-a-github-packages-registry/working-with-the-container-registry){% else %} +* [AUTOTITLE](/packages/working-with-a-github-packages-registry/working-with-the-docker-registry){% endif %} ## About image configuration This guide assumes that you have a complete definition for a Docker image stored in a {% data variables.product.prodname_dotcom %} repository. For example, your repository must contain a _Dockerfile_, and any other files needed to perform a Docker build to create an image. -{% data reusables.package_registry.about-annotation-keys %} For more information, see "[AUTOTITLE](/packages/working-with-a-github-packages-registry/working-with-the-container-registry#labelling-container-images)." +{% data reusables.package_registry.about-annotation-keys %} For more information, see [AUTOTITLE](/packages/working-with-a-github-packages-registry/working-with-the-container-registry#labelling-container-images). In this guide, we will use the Docker `build-push-action` action to build the Docker image and push it to one or more Docker registries. For more information, see [`build-push-action`](https://github.com/marketplace/actions/build-and-push-docker-images). @@ -54,10 +54,10 @@ Each time you create a new release on {% data variables.product.product_name %}, In the example workflow below, we use the Docker `login-action` and `build-push-action` actions to build the Docker image and, if the build succeeds, push the built image to Docker Hub. -To push to Docker Hub, you will need to have a Docker Hub account, and have a Docker Hub repository created. For more information, see "[Pushing a Docker container image to Docker Hub](https://docs.docker.com/docker-hub/quickstart/#step-3-build-and-push-an-image-to-docker-hub)" in the Docker documentation. +To push to Docker Hub, you will need to have a Docker Hub account, and have a Docker Hub repository created. For more information, see [Pushing a Docker container image to Docker Hub](https://docs.docker.com/docker-hub/quickstart/#step-3-build-and-push-an-image-to-docker-hub) in the Docker documentation. The `login-action` options required for Docker Hub are: -* `username` and `password`: This is your Docker Hub username and password. We recommend storing your Docker Hub username and password as secrets so they aren't exposed in your workflow file. For more information, see "[AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions)." +* `username` and `password`: This is your Docker Hub username and password. We recommend storing your Docker Hub username and password as secrets so they aren't exposed in your workflow file. For more information, see [AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions). The `metadata-action` option required for Docker Hub is: * `images`: The namespace and name for the Docker image you are building/pushing to Docker Hub. @@ -138,8 +138,8 @@ In the example workflow below, we use the Docker `login-action`{% ifversion fpt The `login-action` options required for {% data variables.product.prodname_registry %} are: * `registry`: Must be set to {% ifversion fpt or ghec %}`ghcr.io`{% elsif ghes %}`{% data reusables.package_registry.container-registry-hostname %}`{% else %}`docker.pkg.github.com`{% endif %}. -* `username`: You can use the {% raw %}`${{ github.actor }}`{% endraw %} context to automatically use the username of the user that triggered the workflow run. For more information, see "[AUTOTITLE](/actions/learn-github-actions/contexts#github-context)." -* `password`: You can use the automatically-generated `GITHUB_TOKEN` secret for the password. For more information, see "[AUTOTITLE](/actions/security-guides/automatic-token-authentication)." +* `username`: You can use the {% raw %}`${{ github.actor }}`{% endraw %} context to automatically use the username of the user that triggered the workflow run. For more information, see [AUTOTITLE](/actions/learn-github-actions/contexts#github-context). +* `password`: You can use the automatically-generated `GITHUB_TOKEN` secret for the password. For more information, see [AUTOTITLE](/actions/security-guides/automatic-token-authentication). {% ifversion fpt or ghec %} The `metadata-action` option required for {% data variables.product.prodname_registry %} is: @@ -169,7 +169,7 @@ The above workflow is triggered by a push to the "release" branch. It checks out In a single workflow, you can publish your Docker image to multiple registries by using the `login-action` and `build-push-action` actions for each registry. -The following example workflow uses the steps from the previous sections ("[Publishing images to Docker Hub](#publishing-images-to-docker-hub)" and "[Publishing images to {% data variables.product.prodname_registry %}](#publishing-images-to-github-packages)") to create a single workflow that pushes to both registries. +The following example workflow uses the steps from the previous sections ([Publishing images to Docker Hub](#publishing-images-to-docker-hub) and [Publishing images to {% data variables.product.prodname_registry %}](#publishing-images-to-github-packages)) to create a single workflow that pushes to both registries. ```yaml copy {% data reusables.actions.actions-not-certified-by-github-comment %} diff --git a/content/actions/use-cases-and-examples/publishing-packages/publishing-java-packages-with-gradle.md b/content/actions/use-cases-and-examples/publishing-packages/publishing-java-packages-with-gradle.md index bb08d4d18635..7eac2add2d09 100644 --- a/content/actions/use-cases-and-examples/publishing-packages/publishing-java-packages-with-gradle.md +++ b/content/actions/use-cases-and-examples/publishing-packages/publishing-java-packages-with-gradle.md @@ -26,26 +26,26 @@ topics: ## Prerequisites -We recommend that you have a basic understanding of workflow files and configuration options. For more information, see "[AUTOTITLE](/actions/learn-github-actions)." +We recommend that you have a basic understanding of workflow files and configuration options. For more information, see [AUTOTITLE](/actions/learn-github-actions). -For more information about creating a CI workflow for your Java project with Gradle, see "[AUTOTITLE](/actions/automating-builds-and-tests/building-and-testing-java-with-gradle)." +For more information about creating a CI workflow for your Java project with Gradle, see [AUTOTITLE](/actions/automating-builds-and-tests/building-and-testing-java-with-gradle). You may also find it helpful to have a basic understanding of the following: -* "[AUTOTITLE](/packages/working-with-a-github-packages-registry/working-with-the-apache-maven-registry)" -* "[AUTOTITLE](/actions/learn-github-actions/variables)" -* "[AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions)" -* "[AUTOTITLE](/actions/security-guides/automatic-token-authentication)" +* [AUTOTITLE](/packages/working-with-a-github-packages-registry/working-with-the-apache-maven-registry) +* [AUTOTITLE](/actions/learn-github-actions/variables) +* [AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions) +* [AUTOTITLE](/actions/security-guides/automatic-token-authentication) ## About package configuration -The `groupId` and `artifactId` fields in the `MavenPublication` section of the _build.gradle_ file create a unique identifier for your package that registries use to link your package to a registry. This is similar to the `groupId` and `artifactId` fields of the Maven _pom.xml_ file. For more information, see the "[Maven Publish Plugin](https://docs.gradle.org/current/userguide/publishing_maven.html)" in the Gradle documentation. +The `groupId` and `artifactId` fields in the `MavenPublication` section of the _build.gradle_ file create a unique identifier for your package that registries use to link your package to a registry. This is similar to the `groupId` and `artifactId` fields of the Maven _pom.xml_ file. For more information, see the [Maven Publish Plugin](https://docs.gradle.org/current/userguide/publishing_maven.html) in the Gradle documentation. The _build.gradle_ file also contains configuration for the distribution management repositories that Gradle will publish packages to. Each repository must have a name, a deployment URL, and credentials for authentication. ## Publishing packages to the Maven Central Repository -Each time you create a new release, you can trigger a workflow to publish your package. The workflow in the example below runs when the `release` event triggers with type `created`. The workflow publishes the package to the Maven Central Repository if CI tests pass. For more information on the `release` event, see "[AUTOTITLE](/actions/using-workflows/events-that-trigger-workflows#release)." +Each time you create a new release, you can trigger a workflow to publish your package. The workflow in the example below runs when the `release` event triggers with type `created`. The workflow publishes the package to the Maven Central Repository if CI tests pass. For more information on the `release` event, see [AUTOTITLE](/actions/using-workflows/events-that-trigger-workflows#release). You can define a new Maven repository in the publishing block of your _build.gradle_ file that points to your package repository. For example, if you were deploying to the Maven Central Repository through the OSSRH hosting project, your _build.gradle_ could specify a repository with the name `"OSSRH"`. @@ -75,7 +75,7 @@ publishing { {% endraw %} -With this configuration, you can create a workflow that publishes your package to the Maven Central Repository by running the `gradle publish` command. In the deploy step, you’ll need to set environment variables for the username and password or token that you use to authenticate to the Maven repository. For more information, see "[AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions)." +With this configuration, you can create a workflow that publishes your package to the Maven Central Repository by running the `gradle publish` command. In the deploy step, you’ll need to set environment variables for the username and password or token that you use to authenticate to the Maven repository. For more information, see [AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions). ```yaml copy @@ -111,11 +111,11 @@ jobs: {% data reusables.actions.gradle-workflow-steps %} 1. Executes the Gradle `publish` task to publish to the `OSSRH` Maven repository. The `MAVEN_USERNAME` environment variable will be set with the contents of your `OSSRH_USERNAME` secret, and the `MAVEN_PASSWORD` environment variable will be set with the contents of your `OSSRH_TOKEN` secret. - For more information about using secrets in your workflow, see "[AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions)." + For more information about using secrets in your workflow, see [AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions). ## Publishing packages to {% data variables.product.prodname_registry %} -Each time you create a new release, you can trigger a workflow to publish your package. The workflow in the example below runs when the `release` event triggers with type `created`. The workflow publishes the package to {% data variables.product.prodname_registry %} if CI tests pass. For more information on the `release` event, see "[AUTOTITLE](/actions/using-workflows/events-that-trigger-workflows#release)." +Each time you create a new release, you can trigger a workflow to publish your package. The workflow in the example below runs when the `release` event triggers with type `created`. The workflow publishes the package to {% data variables.product.prodname_registry %} if CI tests pass. For more information on the `release` event, see [AUTOTITLE](/actions/using-workflows/events-that-trigger-workflows#release). You can define a new Maven repository in the publishing block of your _build.gradle_ that points to {% data variables.product.prodname_registry %}. In that repository configuration, you can also take advantage of environment variables set in your CI workflow run. You can use the `GITHUB_ACTOR` environment variable as a username, and you can set the `GITHUB_TOKEN` environment variable with your `GITHUB_TOKEN` secret. @@ -185,7 +185,7 @@ jobs: {% data reusables.actions.gradle-workflow-steps %} 1. Executes the Gradle `publish` task to publish to {% data variables.product.prodname_registry %}. The `GITHUB_TOKEN` environment variable will be set with the content of the `GITHUB_TOKEN` secret. The `permissions` key specifies the access that the `GITHUB_TOKEN` secret will allow. - For more information about using secrets in your workflow, see "[AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions)." + For more information about using secrets in your workflow, see [AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions). ## Publishing packages to the Maven Central Repository and {% data variables.product.prodname_registry %} @@ -270,4 +270,4 @@ jobs: {% data reusables.actions.gradle-workflow-steps %} 1. Executes the Gradle `publish` task to publish to the `OSSRH` Maven repository and {% data variables.product.prodname_registry %}. The `MAVEN_USERNAME` environment variable will be set with the contents of your `OSSRH_USERNAME` secret, and the `MAVEN_PASSWORD` environment variable will be set with the contents of your `OSSRH_TOKEN` secret. The `GITHUB_TOKEN` environment variable will be set with the content of the `GITHUB_TOKEN` secret. The `permissions` key specifies the access that the `GITHUB_TOKEN` secret will allow. - For more information about using secrets in your workflow, see "[AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions)." + For more information about using secrets in your workflow, see [AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions). diff --git a/content/actions/use-cases-and-examples/publishing-packages/publishing-java-packages-with-maven.md b/content/actions/use-cases-and-examples/publishing-packages/publishing-java-packages-with-maven.md index e1aa6fd28af2..e2a4364758ca 100644 --- a/content/actions/use-cases-and-examples/publishing-packages/publishing-java-packages-with-maven.md +++ b/content/actions/use-cases-and-examples/publishing-packages/publishing-java-packages-with-maven.md @@ -26,16 +26,16 @@ topics: ## Prerequisites -We recommend that you have a basic understanding of workflow files and configuration options. For more information, see "[AUTOTITLE](/actions/learn-github-actions)." +We recommend that you have a basic understanding of workflow files and configuration options. For more information, see [AUTOTITLE](/actions/learn-github-actions). -For more information about creating a CI workflow for your Java project with Maven, see "[AUTOTITLE](/actions/automating-builds-and-tests/building-and-testing-java-with-maven)." +For more information about creating a CI workflow for your Java project with Maven, see [AUTOTITLE](/actions/automating-builds-and-tests/building-and-testing-java-with-maven). You may also find it helpful to have a basic understanding of the following: -* "[AUTOTITLE](/packages/working-with-a-github-packages-registry/working-with-the-apache-maven-registry)" -* "[AUTOTITLE](/actions/learn-github-actions/variables)" -* "[AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions)" -* "[AUTOTITLE](/actions/security-guides/automatic-token-authentication)" +* [AUTOTITLE](/packages/working-with-a-github-packages-registry/working-with-the-apache-maven-registry) +* [AUTOTITLE](/actions/learn-github-actions/variables) +* [AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions) +* [AUTOTITLE](/actions/security-guides/automatic-token-authentication) ## About package configuration @@ -47,7 +47,7 @@ You can use the `setup-java` action to configure the deployment repository as we ## Publishing packages to the Maven Central Repository -Each time you create a new release, you can trigger a workflow to publish your package. The workflow in the example below runs when the `release` event triggers with type `created`. The workflow publishes the package to the Maven Central Repository if CI tests pass. For more information on the `release` event, see "[AUTOTITLE](/actions/using-workflows/events-that-trigger-workflows#release)." +Each time you create a new release, you can trigger a workflow to publish your package. The workflow in the example below runs when the `release` event triggers with type `created`. The workflow publishes the package to the Maven Central Repository if CI tests pass. For more information on the `release` event, see [AUTOTITLE](/actions/using-workflows/events-that-trigger-workflows#release). In this workflow, you can use the `setup-java` action. This action installs the given version of the JDK into the `PATH`, but it also configures a Maven _settings.xml_ for publishing packages. By default, the settings file will be configured for {% data variables.product.prodname_registry %}, but it can be configured to deploy to another package registry, such as the Maven Central Repository. If you already have a distribution management repository configured in _pom.xml_, then you can specify that `id` during the `setup-java` action invocation. @@ -72,7 +72,7 @@ For example, if you were deploying to the Maven Central Repository through the O With this configuration, you can create a workflow that publishes your package to the Maven Central Repository by specifying the repository management `id` to the `setup-java` action. You’ll also need to provide environment variables that contain the username and password to authenticate to the repository. -In the deploy step, you’ll need to set the environment variables to the username that you authenticate with to the repository, and to a secret that you’ve configured with the password or token to authenticate with. For more information, see "[AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions)." +In the deploy step, you’ll need to set the environment variables to the username that you authenticate with to the repository, and to a secret that you’ve configured with the password or token to authenticate with. For more information, see [AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions). ```yaml copy name: Publish package to the Maven Central Repository @@ -105,11 +105,11 @@ This workflow performs the following steps: 1. Sets up the Java JDK, and also configures the Maven _settings.xml_ file to add authentication for the `ossrh` repository using the `MAVEN_USERNAME` and `MAVEN_PASSWORD` environment variables. 1. {% data reusables.actions.publish-to-maven-workflow-step %} - For more information about using secrets in your workflow, see "[AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions)." + For more information about using secrets in your workflow, see [AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions). ## Publishing packages to {% data variables.product.prodname_registry %} -Each time you create a new release, you can trigger a workflow to publish your package. The workflow in the example below runs when the `release` event triggers with type `created`. The workflow publishes the package to {% data variables.product.prodname_registry %} if CI tests pass. For more information on the `release` event, see "[AUTOTITLE](/actions/using-workflows/events-that-trigger-workflows#release)." +Each time you create a new release, you can trigger a workflow to publish your package. The workflow in the example below runs when the `release` event triggers with type `created`. The workflow publishes the package to {% data variables.product.prodname_registry %} if CI tests pass. For more information on the `release` event, see [AUTOTITLE](/actions/using-workflows/events-that-trigger-workflows#release). In this workflow, you can use the `setup-java` action. This action installs the given version of the JDK into the `PATH`, and also sets up a Maven _settings.xml_ for publishing the package to {% data variables.product.prodname_registry %}. The generated _settings.xml_ defines authentication for a server with an `id` of `github`, using the `GITHUB_ACTOR` environment variable as the username and the `GITHUB_TOKEN` environment variable as the password. The `GITHUB_TOKEN` environment variable is assigned the value of the special `GITHUB_TOKEN` secret. @@ -167,7 +167,7 @@ This workflow performs the following steps: 1. Sets up the Java JDK, and also automatically configures the Maven _settings.xml_ file to add authentication for the `github` Maven repository to use the `GITHUB_TOKEN` environment variable. 1. {% data reusables.actions.publish-to-packages-workflow-step %} - For more information about using secrets in your workflow, see "[AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions)." + For more information about using secrets in your workflow, see [AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions). ## Publishing packages to the Maven Central Repository and {% data variables.product.prodname_registry %} @@ -222,4 +222,4 @@ This workflow performs the following steps: 1. Calls `setup-java` the second time. This automatically configures the Maven _settings.xml_ file for {% data variables.product.prodname_registry %}. 1. {% data reusables.actions.publish-to-packages-workflow-step %} - For more information about using secrets in your workflow, see "[AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions)." + For more information about using secrets in your workflow, see [AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions). diff --git a/content/actions/use-cases-and-examples/publishing-packages/publishing-nodejs-packages.md b/content/actions/use-cases-and-examples/publishing-packages/publishing-nodejs-packages.md index 432305bcba12..584568a4de93 100644 --- a/content/actions/use-cases-and-examples/publishing-packages/publishing-nodejs-packages.md +++ b/content/actions/use-cases-and-examples/publishing-packages/publishing-nodejs-packages.md @@ -27,32 +27,32 @@ This guide shows you how to create a workflow that publishes Node.js packages to ## Prerequisites -We recommend that you have a basic understanding of workflow configuration options and how to create a workflow file. For more information, see "[AUTOTITLE](/actions/learn-github-actions)." +We recommend that you have a basic understanding of workflow configuration options and how to create a workflow file. For more information, see [AUTOTITLE](/actions/learn-github-actions). -For more information about creating a CI workflow for your Node.js project, see "[AUTOTITLE](/actions/automating-builds-and-tests/building-and-testing-nodejs)." +For more information about creating a CI workflow for your Node.js project, see [AUTOTITLE](/actions/automating-builds-and-tests/building-and-testing-nodejs). You may also find it helpful to have a basic understanding of the following: -* "[AUTOTITLE](/packages/working-with-a-github-packages-registry/working-with-the-npm-registry)" -* "[AUTOTITLE](/actions/learn-github-actions/variables)" -* "[AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions)" -* "[AUTOTITLE](/actions/security-guides/automatic-token-authentication)" +* [AUTOTITLE](/packages/working-with-a-github-packages-registry/working-with-the-npm-registry) +* [AUTOTITLE](/actions/learn-github-actions/variables) +* [AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions) +* [AUTOTITLE](/actions/security-guides/automatic-token-authentication) ## About package configuration - The `name` and `version` fields in the `package.json` file create a unique identifier that registries use to link your package to a registry. You can add a summary for the package listing page by including a `description` field in the `package.json` file. For more information, see "[Creating a package.json file](https://docs.npmjs.com/creating-a-package-json-file)" and "[Creating Node.js modules](https://docs.npmjs.com/creating-node-js-modules)" in the npm documentation. + The `name` and `version` fields in the `package.json` file create a unique identifier that registries use to link your package to a registry. You can add a summary for the package listing page by including a `description` field in the `package.json` file. For more information, see [Creating a package.json file](https://docs.npmjs.com/creating-a-package-json-file) and [Creating Node.js modules](https://docs.npmjs.com/creating-node-js-modules) in the npm documentation. When a local `.npmrc` file exists and has a `registry` value specified, the `npm publish` command uses the registry configured in the `.npmrc` file. {% data reusables.actions.setup-node-intro %} You can specify the Node.js version installed on the runner using the `setup-node` action. -If you add steps in your workflow to configure the `publishConfig` fields in your `package.json` file, you don't need to specify the registry-url using the `setup-node` action, but you will be limited to publishing the package to one registry. For more information, see "[publishConfig](https://docs.npmjs.com/cli/v9/configuring-npm/package-json#publishconfig)" in the npm documentation. +If you add steps in your workflow to configure the `publishConfig` fields in your `package.json` file, you don't need to specify the registry-url using the `setup-node` action, but you will be limited to publishing the package to one registry. For more information, see [publishConfig](https://docs.npmjs.com/cli/v9/configuring-npm/package-json#publishconfig) in the npm documentation. ## Publishing packages to the npm registry -You can trigger a workflow to publish your package every time you publish a new release. The process in the following example is executed when the release event of type `published` is triggered. If the CI tests pass, the process uploads the package to the npm registry. For more information, see "[AUTOTITLE](/repositories/releasing-projects-on-github/managing-releases-in-a-repository#creating-a-release)." +You can trigger a workflow to publish your package every time you publish a new release. The process in the following example is executed when the release event of type `published` is triggered. If the CI tests pass, the process uploads the package to the npm registry. For more information, see [AUTOTITLE](/repositories/releasing-projects-on-github/managing-releases-in-a-repository#creating-a-release). -To perform authenticated operations against the npm registry in your workflow, you'll need to store your npm authentication token as a secret. For example, create a repository secret called `NPM_TOKEN`. For more information, see "[AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions)." +To perform authenticated operations against the npm registry in your workflow, you'll need to store your npm authentication token as a secret. For example, create a repository secret called `NPM_TOKEN`. For more information, see [AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions). By default, npm uses the `name` field of the `package.json` file to determine the name of your published package. When publishing to a global namespace, you only need to include the package name. For example, you would publish a package named `my-package` to `https://www.npmjs.com/package/my-package`. @@ -98,7 +98,7 @@ Please note that you need to set the `registry-url` to `https://registry.npmjs.o ## Publishing packages to {% data variables.product.prodname_registry %} -You can trigger a workflow to publish your package every time you publish a new release. The process in the following example is executed when the release event of type `published` is triggered. If the CI tests pass, the process uploads the package to {% data variables.product.prodname_registry %}. For more information, see "[AUTOTITLE](/repositories/releasing-projects-on-github/managing-releases-in-a-repository#creating-a-release)." +You can trigger a workflow to publish your package every time you publish a new release. The process in the following example is executed when the release event of type `published` is triggered. If the CI tests pass, the process uploads the package to {% data variables.product.prodname_registry %}. For more information, see [AUTOTITLE](/repositories/releasing-projects-on-github/managing-releases-in-a-repository#creating-a-release). ### Configuring the destination repository @@ -119,7 +119,7 @@ If you do provide the `repository` key in your `package.json` file, then the rep To perform authenticated operations against the {% data variables.product.prodname_registry %} registry in your workflow, you can use the `GITHUB_TOKEN`. {% data reusables.actions.github-token-permissions %} -If you want to publish your package to a different repository, you must use a {% data variables.product.pat_v1 %} that has permission to write to packages in the destination repository. For more information, see "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token)" and "[AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions)." +If you want to publish your package to a different repository, you must use a {% data variables.product.pat_v1 %} that has permission to write to packages in the destination repository. For more information, see [AUTOTITLE](/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token) and [AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions). ### Example workflow diff --git a/content/actions/use-cases-and-examples/using-containerized-services/about-service-containers.md b/content/actions/use-cases-and-examples/using-containerized-services/about-service-containers.md index 1ce3c9a8e786..2f48d5edd7b1 100644 --- a/content/actions/use-cases-and-examples/using-containerized-services/about-service-containers.md +++ b/content/actions/use-cases-and-examples/using-containerized-services/about-service-containers.md @@ -32,7 +32,7 @@ You can configure jobs in a workflow to run directly on a runner machine or in a ### Running jobs in a container -When you run jobs in a container, {% data variables.product.prodname_dotcom %} connects service containers to the job using Docker's user-defined bridge networks. For more information, see "[Bridge network driver](https://docs.docker.com/engine/network/drivers/bridge/)" in the Docker documentation. +When you run jobs in a container, {% data variables.product.prodname_dotcom %} connects service containers to the job using Docker's user-defined bridge networks. For more information, see [Bridge network driver](https://docs.docker.com/engine/network/drivers/bridge/) in the Docker documentation. Running the job and services in a container simplifies network access. You can access a service container using the label you configure in the workflow. The hostname of the service container is automatically mapped to the label name. For example, if you create a service container with the label `redis`, the hostname of the service container is `redis`. @@ -42,7 +42,7 @@ You don't need to configure any ports for service containers. By default, all co When running jobs directly on the runner machine, you can access service containers using `localhost:` or `127.0.0.1:`. {% data variables.product.prodname_dotcom %} configures the container network to enable communication from the service container to the Docker host. -When a job runs directly on a runner machine, the service running in the Docker container does not expose its ports to the job on the runner by default. You need to map ports on the service container to the Docker host. For more information, see "[AUTOTITLE](/actions/using-containerized-services/about-service-containers#mapping-docker-host-and-service-container-ports)." +When a job runs directly on a runner machine, the service running in the Docker container does not expose its ports to the job on the runner by default. You need to map ports on the service container to the Docker host. For more information, see [AUTOTITLE](/actions/using-containerized-services/about-service-containers#mapping-docker-host-and-service-container-ports). ## Creating service containers @@ -86,9 +86,9 @@ You can map service containers ports to the Docker host using the `ports` keywor | `8080:80/udp` | Maps UDP port 80 in the container to port 8080 on the Docker host. | | `8080/udp` | Maps a randomly chosen port on the Docker host to UDP port 8080 in the container. | -When you map ports using the `ports` keyword, {% data variables.product.prodname_dotcom %} uses the `--publish` command to publish the container’s ports to the Docker host. For more information, see "[Docker container networking](https://docs.docker.com/config/containers/container-networking/)" in the Docker documentation. +When you map ports using the `ports` keyword, {% data variables.product.prodname_dotcom %} uses the `--publish` command to publish the container’s ports to the Docker host. For more information, see [Docker container networking](https://docs.docker.com/config/containers/container-networking/) in the Docker documentation. -When you specify the container port but not the Docker host port, the container port is randomly assigned to a free port. {% data variables.product.prodname_dotcom %} sets the assigned container port in the service container context. For example, for a `redis` service container, if you configured the Docker host port 5432, you can access the corresponding container port using the `job.services.redis.ports[5432]` context. For more information, see "[AUTOTITLE](/actions/learn-github-actions/contexts#job-context)." +When you specify the container port but not the Docker host port, the container port is randomly assigned to a free port. {% data variables.product.prodname_dotcom %} sets the assigned container port in the service container context. For example, for a `redis` service container, if you configured the Docker host port 5432, you can access the corresponding container port using the `job.services.redis.ports[5432]` context. For more information, see [AUTOTITLE](/actions/learn-github-actions/contexts#job-context). ### Example mapping Redis ports @@ -152,5 +152,5 @@ jobs: ## Further reading -* "[AUTOTITLE](/actions/using-containerized-services/creating-redis-service-containers)" -* "[AUTOTITLE](/actions/using-containerized-services/creating-postgresql-service-containers)" +* [AUTOTITLE](/actions/using-containerized-services/creating-redis-service-containers) +* [AUTOTITLE](/actions/using-containerized-services/creating-postgresql-service-containers) diff --git a/content/actions/use-cases-and-examples/using-containerized-services/creating-postgresql-service-containers.md b/content/actions/use-cases-and-examples/using-containerized-services/creating-postgresql-service-containers.md index 931fd2e8081b..334e1d8ba589 100644 --- a/content/actions/use-cases-and-examples/using-containerized-services/creating-postgresql-service-containers.md +++ b/content/actions/use-cases-and-examples/using-containerized-services/creating-postgresql-service-containers.md @@ -31,8 +31,8 @@ This guide shows you workflow examples that configure a service container using You may also find it helpful to have a basic understanding of YAML, the syntax for {% data variables.product.prodname_actions %}, and PostgreSQL. For more information, see: -* "[AUTOTITLE](/actions/learn-github-actions)" -* "[PostgreSQL tutorial](https://www.postgresqltutorial.com/)" in the PostgreSQL documentation +* [AUTOTITLE](/actions/learn-github-actions) +* [PostgreSQL tutorial](https://www.postgresqltutorial.com/) in the PostgreSQL documentation ## Running jobs in containers @@ -218,7 +218,7 @@ jobs: {% data reusables.actions.postgres-label-description %} -The workflow maps port 5432 on the PostgreSQL service container to the Docker host. For more information about the `ports` keyword, see "[AUTOTITLE](/actions/using-containerized-services/about-service-containers#mapping-docker-host-and-service-container-ports)." +The workflow maps port 5432 on the PostgreSQL service container to the Docker host. For more information about the `ports` keyword, see [AUTOTITLE](/actions/using-containerized-services/about-service-containers#mapping-docker-host-and-service-container-ports). ```yaml copy jobs: diff --git a/content/actions/use-cases-and-examples/using-containerized-services/creating-redis-service-containers.md b/content/actions/use-cases-and-examples/using-containerized-services/creating-redis-service-containers.md index 899be3f64593..0940c1b28e7a 100644 --- a/content/actions/use-cases-and-examples/using-containerized-services/creating-redis-service-containers.md +++ b/content/actions/use-cases-and-examples/using-containerized-services/creating-redis-service-containers.md @@ -31,8 +31,8 @@ This guide shows you workflow examples that configure a service container using You may also find it helpful to have a basic understanding of YAML, the syntax for {% data variables.product.prodname_actions %}, and Redis. For more information, see: -* "[AUTOTITLE](/actions/learn-github-actions)" -* "[Getting Started with Redis](https://redislabs.com/get-started-with-redis/)" in the Redis documentation +* [AUTOTITLE](/actions/learn-github-actions) +* [Getting Started with Redis](https://redislabs.com/get-started-with-redis/) in the Redis documentation ## Running jobs in containers @@ -208,7 +208,7 @@ jobs: {% data reusables.actions.redis-label-description %} -The workflow maps port 6379 on the Redis service container to the Docker host. For more information about the `ports` keyword, see "[AUTOTITLE](/actions/using-containerized-services/about-service-containers#mapping-docker-host-and-service-container-ports)." +The workflow maps port 6379 on the Redis service container to the Docker host. For more information about the `ports` keyword, see [AUTOTITLE](/actions/using-containerized-services/about-service-containers#mapping-docker-host-and-service-container-ports). ```yaml copy jobs: diff --git a/content/actions/using-github-hosted-runners/connecting-to-a-private-network/about-private-networking-with-github-hosted-runners.md b/content/actions/using-github-hosted-runners/connecting-to-a-private-network/about-private-networking-with-github-hosted-runners.md index 353fdb9384d3..30e2e7d8ff5c 100644 --- a/content/actions/using-github-hosted-runners/connecting-to-a-private-network/about-private-networking-with-github-hosted-runners.md +++ b/content/actions/using-github-hosted-runners/connecting-to-a-private-network/about-private-networking-with-github-hosted-runners.md @@ -27,11 +27,11 @@ There are a few different approaches you could take to configure this access, ea ## Using an API Gateway with OIDC -{% data reusables.actions.private-networking-oidc-intro %} For more information, see "[AUTOTITLE](/actions/using-github-hosted-runners/connecting-to-a-private-network/using-an-api-gateway-with-oidc)." +{% data reusables.actions.private-networking-oidc-intro %} For more information, see [AUTOTITLE](/actions/using-github-hosted-runners/connecting-to-a-private-network/using-an-api-gateway-with-oidc). ## Using WireGuard to create a network overlay -{% data reusables.actions.private-networking-wireguard-intro %} For more information, see "[AUTOTITLE](/actions/using-github-hosted-runners/connecting-to-a-private-network/using-wireguard-to-create-a-network-overlay)." +{% data reusables.actions.private-networking-wireguard-intro %} For more information, see [AUTOTITLE](/actions/using-github-hosted-runners/connecting-to-a-private-network/using-wireguard-to-create-a-network-overlay). {% ifversion actions-private-networking-azure-vnet %} @@ -41,13 +41,13 @@ There are a few different approaches you could take to configure this access, ea {% ifversion fpt %} -Organization owners using the {% data variables.product.prodname_team %} plan can configure Azure private networking for {% data variables.product.company_short %}-hosted runners at the organization level. For more information, see "[AUTOTITLE](/organizations/managing-organization-settings/about-azure-private-networking-for-github-hosted-runners-in-your-organization)." +Organization owners using the {% data variables.product.prodname_team %} plan can configure Azure private networking for {% data variables.product.company_short %}-hosted runners at the organization level. For more information, see [AUTOTITLE](/organizations/managing-organization-settings/about-azure-private-networking-for-github-hosted-runners-in-your-organization). {% endif %} {% ifversion ghec %} -Enterprises and organizations on {% data variables.product.prodname_ghe_cloud %} or {% data variables.product.prodname_team %} plans can configure Azure private networking for {% data variables.product.company_short %}-hosted runners. For more information, see "[AUTOTITLE](/enterprise-cloud@latest/admin/configuration/configuring-private-networking-for-hosted-compute-products/about-azure-private-networking-for-github-hosted-runners-in-your-enterprise)" and "[AUTOTITLE](/admin/configuration/configuring-private-networking-for-hosted-compute-products/configuring-private-networking-for-github-hosted-runners-in-your-enterprise#enabling-creation-of-network-configurations-for-organizations)." +Enterprises and organizations on {% data variables.product.prodname_ghe_cloud %} or {% data variables.product.prodname_team %} plans can configure Azure private networking for {% data variables.product.company_short %}-hosted runners. For more information, see [AUTOTITLE](/enterprise-cloud@latest/admin/configuration/configuring-private-networking-for-hosted-compute-products/about-azure-private-networking-for-github-hosted-runners-in-your-enterprise) and [AUTOTITLE](/admin/configuration/configuring-private-networking-for-hosted-compute-products/configuring-private-networking-for-github-hosted-runners-in-your-enterprise#enabling-creation-of-network-configurations-for-organizations). {% endif %} {% endif %} diff --git a/content/actions/using-github-hosted-runners/connecting-to-a-private-network/using-an-api-gateway-with-oidc.md b/content/actions/using-github-hosted-runners/connecting-to-a-private-network/using-an-api-gateway-with-oidc.md index ce00cfee09f2..c73915c5deb8 100644 --- a/content/actions/using-github-hosted-runners/connecting-to-a-private-network/using-an-api-gateway-with-oidc.md +++ b/content/actions/using-github-hosted-runners/connecting-to-a-private-network/using-an-api-gateway-with-oidc.md @@ -20,7 +20,7 @@ The following diagram gives an overview of this solution's architecture: ![Diagram of an OIDC gateway architecture, starting with a {% data variables.product.prodname_actions %} runner and ending with a private network's private service.](/assets/images/help/actions/actions-oidc-gateway.png) -It's important that you verify not just that the OIDC token came from {% data variables.product.prodname_actions %}, but that it came specifically from your expected workflows, so that other {% data variables.product.prodname_actions %} users aren't able to access services in your private network. You can use OIDC claims to create these conditions. For more information, see "[AUTOTITLE](/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#defining-trust-conditions-on-cloud-roles-using-oidc-claims)." +It's important that you verify not just that the OIDC token came from {% data variables.product.prodname_actions %}, but that it came specifically from your expected workflows, so that other {% data variables.product.prodname_actions %} users aren't able to access services in your private network. You can use OIDC claims to create these conditions. For more information, see [AUTOTITLE](/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#defining-trust-conditions-on-cloud-roles-using-oidc-claims). The main disadvantages of this approach are that you must implement the API gateway to make requests on your behalf, and you must run the gateway on the edge of your network. @@ -29,4 +29,4 @@ The following advantages apply. * You don't need to configure any firewalls, or modify the routing of your private network. * The API gateway is stateless and scales horizontally to handle high availability and high throughput. -For more information, see [a reference implementation of an API Gateway](https://github.com/github/actions-oidc-gateway-example) in the github/actions-oidc-gateway repository. This implementation requires customization for your use case and is not ready-to-run as-is). For more information, see "[AUTOTITLE](/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect)." +For more information, see [a reference implementation of an API Gateway](https://github.com/github/actions-oidc-gateway-example) in the github/actions-oidc-gateway repository. This implementation requires customization for your use case and is not ready-to-run as-is). For more information, see [AUTOTITLE](/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect). diff --git a/content/actions/using-github-hosted-runners/connecting-to-a-private-network/using-wireguard-to-create-a-network-overlay.md b/content/actions/using-github-hosted-runners/connecting-to-a-private-network/using-wireguard-to-create-a-network-overlay.md index 0547d20e5c5f..0361d0fc27e5 100644 --- a/content/actions/using-github-hosted-runners/connecting-to-a-private-network/using-wireguard-to-create-a-network-overlay.md +++ b/content/actions/using-github-hosted-runners/connecting-to-a-private-network/using-wireguard-to-create-a-network-overlay.md @@ -63,7 +63,7 @@ jobs: - run: curl -vvv http://192.168.1.1 ``` -For more information, see [WireGuard's Quick Start](https://www.wireguard.com/quickstart/), as well as "[AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions)" for how to securely store keys. +For more information, see [WireGuard's Quick Start](https://www.wireguard.com/quickstart/), as well as [AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions) for how to securely store keys. ### Using Tailscale to create a network overlay @@ -73,4 +73,4 @@ Its disadvantages are similar to WireGuard: The connection is one-to-one, so you However, there are some advantages over WireGuard: NAT traversal is built-in, so you don't need to expose a port to the public internet. It is by far the quickest of these options to get up and running, since Tailscale provides an {% data variables.product.prodname_actions %} workflow with a single step to connect to the overlay network. -For more information, see the [Tailscale GitHub Action](https://github.com/tailscale/github-action), as well as "[AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions)" for how to securely store keys. +For more information, see the [Tailscale GitHub Action](https://github.com/tailscale/github-action), as well as [AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions) for how to securely store keys. diff --git a/content/actions/using-github-hosted-runners/using-github-hosted-runners/about-github-hosted-runners.md b/content/actions/using-github-hosted-runners/using-github-hosted-runners/about-github-hosted-runners.md index 341b962bb03a..f52b3d338f56 100644 --- a/content/actions/using-github-hosted-runners/using-github-hosted-runners/about-github-hosted-runners.md +++ b/content/actions/using-github-hosted-runners/using-github-hosted-runners/about-github-hosted-runners.md @@ -27,7 +27,7 @@ Runners are the machines that execute jobs in a {% data variables.product.prodna {% ifversion not ghes %} -You can choose one of the standard {% data variables.product.prodname_dotcom %}-hosted runner options or, if you are on the {% data variables.product.prodname_team %} or {% data variables.product.prodname_ghe_cloud %} plan, you can provision a runner with more cores, or a runner that's powered by a GPU or ARM processor. These machines are referred to as "{% data variables.actions.hosted_runner %}." For more information, see "[AUTOTITLE](/enterprise-cloud@latest/actions/using-github-hosted-runners/about-larger-runners/about-larger-runners)." +You can choose one of the standard {% data variables.product.prodname_dotcom %}-hosted runner options or, if you are on the {% data variables.product.prodname_team %} or {% data variables.product.prodname_ghe_cloud %} plan, you can provision a runner with more cores, or a runner that's powered by a GPU or ARM processor. These machines are referred to as "{% data variables.actions.hosted_runner %}." For more information, see [AUTOTITLE](/enterprise-cloud@latest/actions/using-github-hosted-runners/about-larger-runners/about-larger-runners). Using {% data variables.product.prodname_dotcom %}-hosted runners requires network access with at least 70 kilobits per second upload and download speeds. @@ -36,7 +36,7 @@ Using {% data variables.product.prodname_dotcom %}-hosted runners requires netwo {% ifversion github-hosted-runners-emus-entitlements %} > [!NOTE] -> {% data reusables.actions.entitlement-minutes-emus %} For more information, see "[AUTOTITLE](/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/about-enterprise-managed-users)." +> {% data reusables.actions.entitlement-minutes-emus %} For more information, see [AUTOTITLE](/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/about-enterprise-managed-users). {% endif %} @@ -44,7 +44,7 @@ Using {% data variables.product.prodname_dotcom %}-hosted runners requires netwo ## Using a {% data variables.product.prodname_dotcom %}-hosted runner -To use a {% data variables.product.prodname_dotcom %}-hosted runner, create a job and use `runs-on` to specify the type of runner that will process the job, such as `ubuntu-latest`, `windows-latest`, or `macos-latest`. For the full list of runner types, see "[AUTOTITLE](/actions/using-github-hosted-runners/about-github-hosted-runners/about-github-hosted-runners#supported-runners-and-hardware-resources)."{% ifversion repository-actions-runners %} If you have `repo: write` access to a repository, you can view a list of the runners available to use in workflows in the repository. For more information, see "[Viewing available runners for a repository](#viewing-available-runners-for-a-repository)."{% endif %} +To use a {% data variables.product.prodname_dotcom %}-hosted runner, create a job and use `runs-on` to specify the type of runner that will process the job, such as `ubuntu-latest`, `windows-latest`, or `macos-latest`. For the full list of runner types, see [AUTOTITLE](/actions/using-github-hosted-runners/about-github-hosted-runners/about-github-hosted-runners#supported-runners-and-hardware-resources).{% ifversion repository-actions-runners %} If you have `repo: write` access to a repository, you can view a list of the runners available to use in workflows in the repository. For more information, see [Viewing available runners for a repository](#viewing-available-runners-for-a-repository).{% endif %} When the job begins, {% data variables.product.prodname_dotcom %} automatically provisions a new VM for that job. All steps in the job execute on the VM, allowing the steps in that job to share information using the runner's filesystem. You can run workflows directly on the VM or in a Docker container. When the job has finished, the VM is automatically decommissioned. @@ -132,7 +132,7 @@ While the job runs, the logs and output can be viewed in the {% data variables.p {% data reusables.actions.supported-github-runners %} -Workflow logs list the runner used to run a job. For more information, see "[AUTOTITLE](/actions/monitoring-and-troubleshooting-workflows/viewing-workflow-run-history)." +Workflow logs list the runner used to run a job. For more information, see [AUTOTITLE](/actions/monitoring-and-troubleshooting-workflows/viewing-workflow-run-history). ### Limitations for arm64 macOS runners @@ -142,7 +142,7 @@ Workflow logs list the runner used to run a job. For more information, see "[AUT {% data reusables.actions.about-larger-runners %} -For more information, see "[AUTOTITLE](/actions/using-github-hosted-runners/about-larger-runners)." +For more information, see [AUTOTITLE](/actions/using-github-hosted-runners/about-larger-runners). ## Supported software @@ -152,13 +152,13 @@ The software tools included in {% data variables.product.prodname_dotcom %}-host Workflow logs include a link to the preinstalled tools on the exact runner. To find this information in the workflow log, expand the `Set up job` section. Under that section, expand the `Runner Image` section. The link following `Included Software` will describe the preinstalled tools on the runner that ran the workflow. -For more information, see "[AUTOTITLE](/actions/monitoring-and-troubleshooting-workflows/viewing-workflow-run-history)." For the overall list of included tools for each runner operating system, see the [Available Images](https://github.com/actions/runner-images#available-images) documentation the runner images repository. +For more information, see [AUTOTITLE](/actions/monitoring-and-troubleshooting-workflows/viewing-workflow-run-history). For the overall list of included tools for each runner operating system, see the [Available Images](https://github.com/actions/runner-images#available-images) documentation the runner images repository. {% data variables.product.prodname_dotcom %}-hosted runners include the operating system's default built-in tools, in addition to the packages listed in the above references. For example, Ubuntu and macOS runners include `grep`, `find`, and `which`, among other default tools. {% ifversion actions-sbom %} -You can also view a software bill of materials (SBOM) for each build of the Windows and Ubuntu runner images. For more information, see "[AUTOTITLE](/actions/security-guides/security-hardening-for-github-actions#reviewing-the-supply-chain-for-github-hosted-runners)." +You can also view a software bill of materials (SBOM) for each build of the Windows and Ubuntu runner images. For more information, see [AUTOTITLE](/actions/security-guides/security-hardening-for-github-actions#reviewing-the-supply-chain-for-github-hosted-runners). {% endif %} @@ -172,7 +172,7 @@ If there is a tool that you'd like to request, please open an issue at [actions/ ### Installing additional software -You can install additional software on {% data variables.product.prodname_dotcom %}-hosted runners. For more information, see "[AUTOTITLE](/actions/using-github-hosted-runners/customizing-github-hosted-runners)". +You can install additional software on {% data variables.product.prodname_dotcom %}-hosted runners. For more information, see [AUTOTITLE](/actions/using-github-hosted-runners/customizing-github-hosted-runners). ## Cloud hosts used by {% data variables.product.prodname_dotcom %}-hosted runners @@ -190,17 +190,17 @@ In addition, if the workflow run has been successfully queued, but has not been ## Administrative privileges -The Linux and macOS virtual machines both run using passwordless `sudo`. When you need to execute commands or install tools that require more privileges than the current user, you can use `sudo` without needing to provide a password. For more information, see the "[Sudo Manual](https://www.sudo.ws/man/1.8.27/sudo.man.html)." +The Linux and macOS virtual machines both run using passwordless `sudo`. When you need to execute commands or install tools that require more privileges than the current user, you can use `sudo` without needing to provide a password. For more information, see the [Sudo Manual](https://www.sudo.ws/man/1.8.27/sudo.man.html). -Windows virtual machines are configured to run as administrators with User Account Control (UAC) disabled. For more information, see "[How User Account Control works](https://docs.microsoft.com/windows/security/identity-protection/user-account-control/how-user-account-control-works)" in the Windows documentation. +Windows virtual machines are configured to run as administrators with User Account Control (UAC) disabled. For more information, see [How User Account Control works](https://docs.microsoft.com/windows/security/identity-protection/user-account-control/how-user-account-control-works) in the Windows documentation. ## IP addresses -To get a list of IP address ranges that {% data variables.product.prodname_actions %} uses for {% data variables.product.prodname_dotcom %}-hosted runners, you can use the {% data variables.product.prodname_dotcom %} REST API. For more information, see the `actions` key in the response of the `GET /meta` endpoint. For more information, see "[AUTOTITLE](/rest/meta/meta#get-github-meta-information)." +To get a list of IP address ranges that {% data variables.product.prodname_actions %} uses for {% data variables.product.prodname_dotcom %}-hosted runners, you can use the {% data variables.product.prodname_dotcom %} REST API. For more information, see the `actions` key in the response of the `GET /meta` endpoint. For more information, see [AUTOTITLE](/rest/meta/meta#get-github-meta-information). Windows and Ubuntu runners are hosted in Azure and subsequently have the same IP address ranges as the Azure datacenters. macOS runners are hosted in {% data variables.product.prodname_dotcom %}'s own macOS cloud. -Since there are so many IP address ranges for {% data variables.product.prodname_dotcom %}-hosted runners, we do not recommend that you use these as allowlists for your internal resources. Instead, we recommend you use {% data variables.actions.hosted_runner %}s with a static IP address range, or self-hosted runners. For more information, see "[AUTOTITLE](/actions/using-github-hosted-runners/about-larger-runners)" or "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners)." +Since there are so many IP address ranges for {% data variables.product.prodname_dotcom %}-hosted runners, we do not recommend that you use these as allowlists for your internal resources. Instead, we recommend you use {% data variables.actions.hosted_runner %}s with a static IP address range, or self-hosted runners. For more information, see [AUTOTITLE](/actions/using-github-hosted-runners/about-larger-runners) or [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners). The list of {% data variables.product.prodname_actions %} IP addresses returned by the API is updated once a week. @@ -228,7 +228,7 @@ To ensure proper communications for {% data variables.product.prodname_dotcom %} | `workspace` | `GITHUB_WORKSPACE` | Actions and shell commands execute in this directory. An action can modify the contents of this directory, which subsequent actions can access. | | `workflow/event.json` | `GITHUB_EVENT_PATH` | The `POST` payload of the webhook event that triggered the workflow. {% data variables.product.prodname_dotcom %} rewrites this each time an action executes to isolate file content between actions. -For a list of the environment variables {% data variables.product.prodname_dotcom %} creates for each workflow, see "[AUTOTITLE](/actions/learn-github-actions/variables#default-environment-variables)." +For a list of the environment variables {% data variables.product.prodname_dotcom %} creates for each workflow, see [AUTOTITLE](/actions/learn-github-actions/variables#default-environment-variables). ### Docker container filesystem @@ -242,7 +242,7 @@ Actions that run in Docker containers have static directories under the `/github ## Further reading -* "[AUTOTITLE](/billing/managing-billing-for-github-actions)" -* You can use a matrix strategy to run your jobs on multiple images. For more information, see "[AUTOTITLE](/actions/using-jobs/using-a-matrix-for-your-jobs)." +* [AUTOTITLE](/billing/managing-billing-for-github-actions) +* You can use a matrix strategy to run your jobs on multiple images. For more information, see [AUTOTITLE](/actions/using-jobs/using-a-matrix-for-your-jobs). {% endif %} diff --git a/content/actions/using-github-hosted-runners/using-github-hosted-runners/customizing-github-hosted-runners.md b/content/actions/using-github-hosted-runners/using-github-hosted-runners/customizing-github-hosted-runners.md index 25fda15fffcc..4e2177392b02 100644 --- a/content/actions/using-github-hosted-runners/using-github-hosted-runners/customizing-github-hosted-runners.md +++ b/content/actions/using-github-hosted-runners/using-github-hosted-runners/customizing-github-hosted-runners.md @@ -17,7 +17,7 @@ redirect_from: If you require additional software packages on {% data variables.product.prodname_dotcom %}-hosted runners, you can create a job that installs the packages as part of your workflow. -To see which packages are already installed by default, see "[AUTOTITLE](/actions/using-github-hosted-runners/about-github-hosted-runners#preinstalled-software)." +To see which packages are already installed by default, see [AUTOTITLE](/actions/using-github-hosted-runners/about-github-hosted-runners#preinstalled-software). This guide demonstrates how to create a job that installs additional software on a {% data variables.product.prodname_dotcom %}-hosted runner. diff --git a/content/actions/using-github-hosted-runners/using-github-hosted-runners/monitoring-your-current-jobs.md b/content/actions/using-github-hosted-runners/using-github-hosted-runners/monitoring-your-current-jobs.md index fe52aeb9831a..c2faf9d7b023 100644 --- a/content/actions/using-github-hosted-runners/using-github-hosted-runners/monitoring-your-current-jobs.md +++ b/content/actions/using-github-hosted-runners/using-github-hosted-runners/monitoring-your-current-jobs.md @@ -21,7 +21,7 @@ You can get a list of all jobs currently running on {% data variables.product.pr ## Viewing queued jobs in your organization or enterprise -{% data variables.product.prodname_dotcom %}-hosted runners allow you to run jobs concurrently, and the maximum number of concurrent jobs will vary depending on your plan. If you reach the maximum number of concurrent jobs, any new jobs will start to enter a queue. To find out more about the number of concurrent jobs available to your plan, see "[AUTOTITLE](/actions/learn-github-actions/usage-limits-billing-and-administration)." +{% data variables.product.prodname_dotcom %}-hosted runners allow you to run jobs concurrently, and the maximum number of concurrent jobs will vary depending on your plan. If you reach the maximum number of concurrent jobs, any new jobs will start to enter a queue. To find out more about the number of concurrent jobs available to your plan, see [AUTOTITLE](/actions/learn-github-actions/usage-limits-billing-and-administration). The following procedure demonstrates how to check the maximum number of concurrent jobs you can run. diff --git a/content/actions/using-github-hosted-runners/using-larger-runners/about-larger-runners.md b/content/actions/using-github-hosted-runners/using-larger-runners/about-larger-runners.md index afb3e8b3ee81..c006e8f68091 100644 --- a/content/actions/using-github-hosted-runners/using-larger-runners/about-larger-runners.md +++ b/content/actions/using-github-hosted-runners/using-larger-runners/about-larger-runners.md @@ -13,17 +13,17 @@ redirect_from: {% data reusables.actions.about-larger-runners %} -{% data variables.product.prodname_dotcom %} offers {% data variables.actions.hosted_runners %} with macOS, Ubuntu, or Windows operating systems, and different features and sizes are available depending on which operating system you use. For more information, see "[Additional features for {% data variables.actions.hosted_runners %}](#additional-features-for-larger-runners)." +{% data variables.product.prodname_dotcom %} offers {% data variables.actions.hosted_runners %} with macOS, Ubuntu, or Windows operating systems, and different features and sizes are available depending on which operating system you use. For more information, see [Additional features for {% data variables.actions.hosted_runners %}](#additional-features-for-larger-runners). ### About Ubuntu and Windows {% data variables.actions.hosted_runners %} -{% data variables.actions.hosted_runner_caps %}s with Ubuntu or Windows operating systems are configured in your organization or enterprise. When you add a {% data variables.actions.hosted_runner %}, you are defining a type of machine from a selection of available hardware specifications and operating system images. {% data variables.product.prodname_dotcom %} will then create multiple instances of this runner that scale up and down to match the job demands of your organization, based on the autoscaling limits you define. For more information, see "[AUTOTITLE](/actions/using-github-hosted-runners/managing-larger-runners)." +{% data variables.actions.hosted_runner_caps %}s with Ubuntu or Windows operating systems are configured in your organization or enterprise. When you add a {% data variables.actions.hosted_runner %}, you are defining a type of machine from a selection of available hardware specifications and operating system images. {% data variables.product.prodname_dotcom %} will then create multiple instances of this runner that scale up and down to match the job demands of your organization, based on the autoscaling limits you define. For more information, see [AUTOTITLE](/actions/using-github-hosted-runners/managing-larger-runners). -Ubuntu and Windows {% data variables.actions.hosted_runners %} offer autoscaling capabilities and the ability to assign the runners static IP addresses from a specific range. They can also be managed using runner groups, which enables you to control access to the {% data variables.actions.hosted_runners %}. For more information, see "[Additional features for {% data variables.actions.hosted_runners %}](#additional-features-for-larger-runners)." +Ubuntu and Windows {% data variables.actions.hosted_runners %} offer autoscaling capabilities and the ability to assign the runners static IP addresses from a specific range. They can also be managed using runner groups, which enables you to control access to the {% data variables.actions.hosted_runners %}. For more information, see [Additional features for {% data variables.actions.hosted_runners %}](#additional-features-for-larger-runners). ### About macOS {% data variables.actions.hosted_runners %} - {% data variables.actions.hosted_runner_caps %}s with a macOS operating system are used by updating the YAML workflow label to the desired runner image. To run your workflows on a macOS {% data variables.actions.hosted_runner %}, update the `runs-on` key to use one of the {% data variables.product.company_short %}-defined macOS {% data variables.actions.hosted_runner %} labels. No additional configuration is required. For more information, see "[AUTOTITLE](/actions/using-github-hosted-runners/running-jobs-on-larger-runners?platform=mac)." + {% data variables.actions.hosted_runner_caps %}s with a macOS operating system are used by updating the YAML workflow label to the desired runner image. To run your workflows on a macOS {% data variables.actions.hosted_runner %}, update the `runs-on` key to use one of the {% data variables.product.company_short %}-defined macOS {% data variables.actions.hosted_runner %} labels. No additional configuration is required. For more information, see [AUTOTITLE](/actions/using-github-hosted-runners/running-jobs-on-larger-runners?platform=mac). The following machines sizes are available for macOS {% data variables.actions.hosted_runners %}. @@ -50,9 +50,9 @@ Compared to standard {% data variables.product.prodname_dotcom %}-hosted runners These features can enhance your CI/CD pipelines in the following ways. -* Assigning {% data variables.actions.hosted_runners %} static IP addresses from a specific range enables you to use this range to configure a firewall allowlist. For more information, see "[Networking for {% data variables.actions.hosted_runners %}](#networking-for-larger-runners)." -* Autoscaling enables {% data variables.actions.hosted_runners %} to scale up to a maximum limit set by you, so your workflows can run concurrently. For more information, see "[Autoscaling {% data variables.actions.hosted_runners %}](#autoscaling-larger-runners)." -* Runner groups allow you to control access to {% data variables.actions.hosted_runners %} for your organizations, repositories, and workflows. For more information, see "[AUTOTITLE](/actions/using-github-hosted-runners/controlling-access-to-larger-runners)." +* Assigning {% data variables.actions.hosted_runners %} static IP addresses from a specific range enables you to use this range to configure a firewall allowlist. For more information, see [Networking for {% data variables.actions.hosted_runners %}](#networking-for-larger-runners). +* Autoscaling enables {% data variables.actions.hosted_runners %} to scale up to a maximum limit set by you, so your workflows can run concurrently. For more information, see [Autoscaling {% data variables.actions.hosted_runners %}](#autoscaling-larger-runners). +* Runner groups allow you to control access to {% data variables.actions.hosted_runners %} for your organizations, repositories, and workflows. For more information, see [AUTOTITLE](/actions/using-github-hosted-runners/controlling-access-to-larger-runners). ### Runner images @@ -67,7 +67,7 @@ These features can enhance your CI/CD pipelines in the following ways. > [!NOTE] > {% data variables.actions.hosted_runner_caps %}s are not eligible for the use of included minutes on private repositories. For both private and public repositories, when {% data variables.actions.hosted_runners %} are in use, they will always be billed at the per-minute rate. -Compared to standard {% data variables.product.prodname_dotcom %}-hosted runners, {% data variables.actions.hosted_runners %} are billed differently. {% data reusables.actions.about-larger-runners-billing %} For more information, see "[AUTOTITLE](/billing/managing-billing-for-github-actions/about-billing-for-github-actions#per-minute-rates)." +Compared to standard {% data variables.product.prodname_dotcom %}-hosted runners, {% data variables.actions.hosted_runners %} are billed differently. {% data reusables.actions.about-larger-runners-billing %} For more information, see [AUTOTITLE](/billing/managing-billing-for-github-actions/about-billing-for-github-actions#per-minute-rates). ## Machine sizes for {% data variables.actions.hosted_runners %} @@ -100,14 +100,14 @@ You can choose from several specifications for {% data variables.actions.hosted_ > [!NOTE] > Only {% data variables.actions.hosted_runners %} with Linux or Windows operating systems can be assigned to runner groups. -Runner groups enable administrators to control access to runners at the organization and enterprise levels. With runner groups, you can collect sets of runners and create a security boundary around them. You can then decide which organizations or repositories are permitted to run jobs on those sets of machines. During the {% data variables.actions.hosted_runner %} deployment process, the runner can be added to an existing group, otherwise it will join a default group. You can create a group by following the steps in "[AUTOTITLE](/actions/using-github-hosted-runners/controlling-access-to-larger-runners)." +Runner groups enable administrators to control access to runners at the organization and enterprise levels. With runner groups, you can collect sets of runners and create a security boundary around them. You can then decide which organizations or repositories are permitted to run jobs on those sets of machines. During the {% data variables.actions.hosted_runner %} deployment process, the runner can be added to an existing group, otherwise it will join a default group. You can create a group by following the steps in [AUTOTITLE](/actions/using-github-hosted-runners/controlling-access-to-larger-runners). ## Architectural overview of {% data variables.actions.hosted_runners %} > [!NOTE] > This architecture diagram only applies to {% data variables.actions.hosted_runners %} with Linux or Windows operating systems. -{% data variables.actions.hosted_runner_caps %}s are managed at the organization level, where they are arranged into groups that can contain multiple instances of the runner. They can also be created at the enterprise level and shared with organizations in the hierarchy. Once you've created a group, you can then add a runner to the group and update your workflows to target either the group name or the label assigned to the {% data variables.actions.hosted_runner %}. You can also control which repositories are permitted to send jobs to the group for processing. For more information about groups, see "[AUTOTITLE](/actions/using-github-hosted-runners/controlling-access-to-larger-runners)." +{% data variables.actions.hosted_runner_caps %}s are managed at the organization level, where they are arranged into groups that can contain multiple instances of the runner. They can also be created at the enterprise level and shared with organizations in the hierarchy. Once you've created a group, you can then add a runner to the group and update your workflows to target either the group name or the label assigned to the {% data variables.actions.hosted_runner %}. You can also control which repositories are permitted to send jobs to the group for processing. For more information about groups, see [AUTOTITLE](/actions/using-github-hosted-runners/controlling-access-to-larger-runners). In the following diagram, a class of hosted runner named `ubuntu-20.04-16core` has been defined with customized hardware and operating system configuration. @@ -126,7 +126,7 @@ In the following diagram, a class of hosted runner named `ubuntu-20.04-16core` h {% data variables.actions.hosted_runner_caps %}s can automatically scale to suit your needs. You can provision machines to run a specified maximum number of jobs when jobs are submitted for processing. Each machine only handles one job at a time, so these settings effectively determine the number of jobs that can be run concurrently. -You can configure the maximum job concurrency, which allows you to control your costs by setting the maximum parallel number of jobs that can be run using this set. A higher value here can help avoid workflows being blocked due to parallelism. For more information on how to set limits, see "[AUTOTITLE](/actions/using-github-hosted-runners/managing-larger-runners#configuring-autoscaling-for-larger-runners)". For more information on the maximum auto-scaling limits for {% data variables.product.company_short %}-hosted runners, see "[AUTOTITLE](/actions/learn-github-actions/usage-limits-billing-and-administration#usage-limits)." +You can configure the maximum job concurrency, which allows you to control your costs by setting the maximum parallel number of jobs that can be run using this set. A higher value here can help avoid workflows being blocked due to parallelism. For more information on how to set limits, see [AUTOTITLE](/actions/using-github-hosted-runners/managing-larger-runners#configuring-autoscaling-for-larger-runners). For more information on the maximum auto-scaling limits for {% data variables.product.company_short %}-hosted runners, see [AUTOTITLE](/actions/learn-github-actions/usage-limits-billing-and-administration#usage-limits). ## Assigning static IP addresses to {% data variables.actions.hosted_runners %} @@ -134,13 +134,13 @@ You can assign static IP addresses only to {% data variables.actions.hosted_runn Static IP addresses assigned are all usable and are not in CIDR notation. -{% data reusables.actions.static-ip-limitation-vnet %} For more information about private networking for {% data variables.product.company_short %}-hosted runners, see "[AUTOTITLE](/admin/configuration/configuring-private-networking-for-hosted-compute-products/about-azure-private-networking-for-github-hosted-runners-in-your-enterprise)." +{% data reusables.actions.static-ip-limitation-vnet %} For more information about private networking for {% data variables.product.company_short %}-hosted runners, see [AUTOTITLE](/admin/configuration/configuring-private-networking-for-hosted-compute-products/about-azure-private-networking-for-github-hosted-runners-in-your-enterprise). ## Networking for {% data variables.actions.hosted_runners %} -By default, {% data variables.actions.hosted_runners %} receive a dynamic IP address that changes for each job run. Optionally, {% data variables.product.prodname_ghe_cloud %} customers can configure their {% data variables.actions.hosted_runners %} to receive static IP addresses from {% data variables.product.prodname_dotcom %}'s IP address pool. For more information, see "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure/about-githubs-ip-addresses)." +By default, {% data variables.actions.hosted_runners %} receive a dynamic IP address that changes for each job run. Optionally, {% data variables.product.prodname_ghe_cloud %} customers can configure their {% data variables.actions.hosted_runners %} to receive static IP addresses from {% data variables.product.prodname_dotcom %}'s IP address pool. For more information, see [AUTOTITLE](/authentication/keeping-your-account-and-data-secure/about-githubs-ip-addresses). -When enabled, instances of the {% data variables.actions.hosted_runner %} will receive IP addresses from specific ranges that are unique to the runner, allowing you to use the ranges to configure a firewall allowlist. {% ifversion fpt %}You can use up to 10 {% data variables.actions.hosted_runners %} with static IP address ranges in total across all your {% data variables.actions.hosted_runners %}{% endif %}{% ifversion ghec %}You can use up to 10 {% data variables.actions.hosted_runners %} with static IP address ranges for the {% data variables.actions.hosted_runners %} created at the enterprise level. In addition, you can use up to 10 {% data variables.actions.hosted_runners %} with static IP address ranges for the {% data variables.actions.hosted_runners %} created at the organization level, for each organization in your enterprise{% endif %}. For more information, see "[AUTOTITLE](/actions/using-github-hosted-runners/managing-larger-runners#networking-for-larger-runners)." +When enabled, instances of the {% data variables.actions.hosted_runner %} will receive IP addresses from specific ranges that are unique to the runner, allowing you to use the ranges to configure a firewall allowlist. {% ifversion fpt %}You can use up to 10 {% data variables.actions.hosted_runners %} with static IP address ranges in total across all your {% data variables.actions.hosted_runners %}{% endif %}{% ifversion ghec %}You can use up to 10 {% data variables.actions.hosted_runners %} with static IP address ranges for the {% data variables.actions.hosted_runners %} created at the enterprise level. In addition, you can use up to 10 {% data variables.actions.hosted_runners %} with static IP address ranges for the {% data variables.actions.hosted_runners %} created at the organization level, for each organization in your enterprise{% endif %}. For more information, see [AUTOTITLE](/actions/using-github-hosted-runners/managing-larger-runners#networking-for-larger-runners). {% data reusables.actions.larger-runner-static-ip-contact-support %} diff --git a/content/actions/using-github-hosted-runners/using-larger-runners/controlling-access-to-larger-runners.md b/content/actions/using-github-hosted-runners/using-larger-runners/controlling-access-to-larger-runners.md index 3ec3fff02440..d2c4d6b870e9 100644 --- a/content/actions/using-github-hosted-runners/using-larger-runners/controlling-access-to-larger-runners.md +++ b/content/actions/using-github-hosted-runners/using-larger-runners/controlling-access-to-larger-runners.md @@ -99,7 +99,7 @@ For runner groups in an organization, you can change what repositories in the or {% data reusables.actions.azure-vnet-network-configuration-intro %} -If you have configured your {% ifversion ghec %}enterprise or {% endif %}organization to connect to an Azure VNET, you can give runner groups access to the virtual network. For more information, see "[AUTOTITLE](/actions/using-github-hosted-runners/connecting-to-a-private-network/about-private-networking-with-github-hosted-runners#using-an-azure-virtual-network-vnet)." +If you have configured your {% ifversion ghec %}enterprise or {% endif %}organization to connect to an Azure VNET, you can give runner groups access to the virtual network. For more information, see [AUTOTITLE](/actions/using-github-hosted-runners/connecting-to-a-private-network/about-private-networking-with-github-hosted-runners#using-an-azure-virtual-network-vnet). {% endif %} diff --git a/content/actions/using-github-hosted-runners/using-larger-runners/managing-larger-runners.md b/content/actions/using-github-hosted-runners/using-larger-runners/managing-larger-runners.md index 460533a60ca6..7a2d78ddbcc9 100644 --- a/content/actions/using-github-hosted-runners/using-larger-runners/managing-larger-runners.md +++ b/content/actions/using-github-hosted-runners/using-larger-runners/managing-larger-runners.md @@ -17,7 +17,7 @@ redirect_from: ## Adding a {% data variables.actions.hosted_runner %} to an enterprise -Enterprise owners can add {% data variables.actions.hosted_runner %}s to an enterprise and assign them to organizations. By default, when a {% data variables.actions.hosted_runner %} is created for an enterprise, it is added to a default runner group that all organizations in the enterprise have access to. While all organizations are granted access to the runner, the repositories in each organization **are not** granted access. For each organization, an organization owner must configure the runner group to specify which repositories have access to the enterprise runner. For more information, see "[Allowing repositories to access {% data variables.actions.hosted_runner %}s](#allowing-repositories-to-access-larger-runners)." +Enterprise owners can add {% data variables.actions.hosted_runner %}s to an enterprise and assign them to organizations. By default, when a {% data variables.actions.hosted_runner %} is created for an enterprise, it is added to a default runner group that all organizations in the enterprise have access to. While all organizations are granted access to the runner, the repositories in each organization **are not** granted access. For each organization, an organization owner must configure the runner group to specify which repositories have access to the enterprise runner. For more information, see [Allowing repositories to access {% data variables.actions.hosted_runner %}s](#allowing-repositories-to-access-larger-runners). {% data reusables.actions.add-hosted-runner-overview %} @@ -32,7 +32,7 @@ Enterprise owners can add {% data variables.actions.hosted_runner %}s to an ente ## Adding a {% data variables.actions.hosted_runner %} to an organization -Organization owners{% ifversion custom-org-roles %} and users with the "Manage organization runners and runner groups" permission{% endif %} can add a {% data variables.actions.hosted_runner %} to an organization control which repositories can use it. When you create a new runner for an organization, by default, all repositories in the organization have access to the runner. To limit which repositories can use the runner, assign it to a runner group with access to specific repositories. For more information, see "[Allowing repositories to access larger runners](#allowing-repositories-to-access-larger-runners)." +Organization owners{% ifversion custom-org-roles %} and users with the "Manage organization runners and runner groups" permission{% endif %} can add a {% data variables.actions.hosted_runner %} to an organization control which repositories can use it. When you create a new runner for an organization, by default, all repositories in the organization have access to the runner. To limit which repositories can use the runner, assign it to a runner group with access to specific repositories. For more information, see [Allowing repositories to access larger runners](#allowing-repositories-to-access-larger-runners). {% data reusables.actions.add-hosted-runner-overview %} @@ -40,18 +40,18 @@ Organization owners{% ifversion custom-org-roles %} and users with the "Manage o {% data reusables.organizations.org_settings %} {% data reusables.organizations.settings-sidebar-actions-runners %} {% data reusables.actions.add-hosted-runner %} -1. To allow repositories to access your {% data variables.actions.hosted_runner %}s, add them to the list of repositories that can use it. For more information, see "[Allowing repositories to access {% data variables.actions.hosted_runner %}s](#allowing-repositories-to-access-larger-runners)." +1. To allow repositories to access your {% data variables.actions.hosted_runner %}s, add them to the list of repositories that can use it. For more information, see [Allowing repositories to access {% data variables.actions.hosted_runner %}s](#allowing-repositories-to-access-larger-runners). ## Allowing repositories to access {% data variables.actions.hosted_runner %}s Repositories are granted access to {% data variables.actions.hosted_runner %}s through runner groups. Enterprise administrators can choose which organizations are granted access to enterprise-level runner groups, and organization owners{% ifversion custom-org-roles %} and users with the "Manage organization runners and runner groups" permission{% endif %} control repository-level access to all {% data variables.actions.hosted_runner %}s. -Organization owners can use and configure enterprise-level runner groups for the repositories in their organization, or they can create organization-level runner groups to control access.{% ifversion custom-org-roles %} Users with the "Manage organization runners and runner groups" can only manage organization-level runner groups. For more information, see "[AUTOTITLE](/organizations/managing-peoples-access-to-your-organization-with-roles/about-custom-organization-roles)."{% endif %} +Organization owners can use and configure enterprise-level runner groups for the repositories in their organization, or they can create organization-level runner groups to control access.{% ifversion custom-org-roles %} Users with the "Manage organization runners and runner groups" can only manage organization-level runner groups. For more information, see [AUTOTITLE](/organizations/managing-peoples-access-to-your-organization-with-roles/about-custom-organization-roles).{% endif %} * **For enterprise-level runner groups:** {% data reusables.actions.about-enterprise-level-runner-groups %} * **For organization-level runner groups:** {% data reusables.actions.about-organization-level-runner-groups %} -Once a repository has access to {% data variables.actions.hosted_runner %}s, the {% data variables.actions.hosted_runner %}s can be added to workflow files. For more information, see "[AUTOTITLE](/actions/using-github-hosted-runners/running-jobs-on-larger-runners)." +Once a repository has access to {% data variables.actions.hosted_runner %}s, the {% data variables.actions.hosted_runner %}s can be added to workflow files. For more information, see [AUTOTITLE](/actions/using-github-hosted-runners/running-jobs-on-larger-runners). {% data reusables.actions.runner-groups-org-navigation %} 1. Select a runner group from either list on the page. Organization-level runner groups are listed at the top of the page, and enterprise-level runner groups are listed under "Shared by the Enterprise." @@ -59,7 +59,7 @@ Once a repository has access to {% data variables.actions.hosted_runner %}s, the > [!WARNING] > {% data reusables.actions.hosted-runner-security %} -> For more information, see "[AUTOTITLE](/actions/using-github-hosted-runners/controlling-access-to-larger-runners)." +> For more information, see [AUTOTITLE](/actions/using-github-hosted-runners/controlling-access-to-larger-runners). ## Changing the name of a {% data variables.actions.hosted_runner %} diff --git a/content/actions/using-github-hosted-runners/using-larger-runners/running-jobs-on-larger-runners.md b/content/actions/using-github-hosted-runners/using-larger-runners/running-jobs-on-larger-runners.md index 56726037141e..216443d2b709 100644 --- a/content/actions/using-github-hosted-runners/using-larger-runners/running-jobs-on-larger-runners.md +++ b/content/actions/using-github-hosted-runners/using-larger-runners/running-jobs-on-larger-runners.md @@ -27,7 +27,7 @@ redirect_from: {% mac %} -Once your runner type has been defined, you can update your workflow YAML files to send jobs to runner instances for processing. To run jobs on macOS {% data variables.actions.hosted_runner %}s, update the `runs-on` key in your workflow YAML files to use one of the {% data variables.product.company_short %}-defined labels for macOS runners. For more information, see "[Available macOS {% data variables.actions.hosted_runner %}s](#available-macos-larger-runners)." +Once your runner type has been defined, you can update your workflow YAML files to send jobs to runner instances for processing. To run jobs on macOS {% data variables.actions.hosted_runner %}s, update the `runs-on` key in your workflow YAML files to use one of the {% data variables.product.company_short %}-defined labels for macOS runners. For more information, see [Available macOS {% data variables.actions.hosted_runner %}s](#available-macos-larger-runners). {% endmac %} @@ -136,7 +136,7 @@ jobs: ## Targeting macOS {% data variables.actions.hosted_runner %}s in a workflow -To run your workflows on macOS {% data variables.actions.hosted_runner %}s, set the value of the `runs-on` key to a label associated with a macOS {% data variables.actions.hosted_runner %}. For a list of macOS {% data variables.actions.hosted_runner %} labels, see "[Available macOS {% data variables.actions.hosted_runner %}s](#available-macos-larger-runners)." +To run your workflows on macOS {% data variables.actions.hosted_runner %}s, set the value of the `runs-on` key to a label associated with a macOS {% data variables.actions.hosted_runner %}. For a list of macOS {% data variables.actions.hosted_runner %} labels, see [Available macOS {% data variables.actions.hosted_runner %}s](#available-macos-larger-runners). In this example, the workflow uses a label that is associated with macOS XL runners. The `runs-on` key sends the job to any available runner with a matching label: diff --git a/content/actions/writing-workflows/about-workflows.md b/content/actions/writing-workflows/about-workflows.md index 189a303a76c3..5c3de2edd28f 100644 --- a/content/actions/writing-workflows/about-workflows.md +++ b/content/actions/writing-workflows/about-workflows.md @@ -28,7 +28,7 @@ A workflow must contain the following basic components: 1. One or more _jobs_, each of which will execute on a _runner_ machine and run a series of one or more _steps_. 1. Each step can either run a script that you define or run an action, which is a reusable extension that can simplify your workflow. -For more information on these basic components, see "[AUTOTITLE](/actions/learn-github-actions/understanding-github-actions#the-components-of-github-actions)." +For more information on these basic components, see [AUTOTITLE](/actions/learn-github-actions/understanding-github-actions#the-components-of-github-actions). ![Diagram of an event triggering Runner 1 to run Job 1, which triggers Runner 2 to run Job 2. Each of the jobs is broken into multiple steps.](/assets/images/help/actions/overview-actions-simple.png) @@ -36,13 +36,13 @@ For more information on these basic components, see "[AUTOTITLE](/actions/learn- {% data reusables.actions.about-triggers %} -For more information, see "[AUTOTITLE](/actions/using-workflows/triggering-a-workflow)", and for a full list of events, see "[AUTOTITLE](/actions/using-workflows/events-that-trigger-workflows)." +For more information, see [AUTOTITLE](/actions/using-workflows/triggering-a-workflow), and for a full list of events, see [AUTOTITLE](/actions/using-workflows/events-that-trigger-workflows). ## Workflow syntax -Workflows are defined using YAML. For the full reference of the YAML syntax for authoring workflows, see "[AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#about-yaml-syntax-for-workflows)." +Workflows are defined using YAML. For the full reference of the YAML syntax for authoring workflows, see [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#about-yaml-syntax-for-workflows). -For more on managing workflow runs, such as re-running, cancelling, or deleting a workflow run, see "[AUTOTITLE](/actions/managing-workflow-runs)." +For more on managing workflow runs, such as re-running, cancelling, or deleting a workflow run, see [AUTOTITLE](/actions/managing-workflow-runs). ## Using workflow templates @@ -76,7 +76,7 @@ jobs: {% endraw %} -For more information, see "[AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions)." +For more information, see [AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions). ### Creating dependent jobs @@ -102,7 +102,7 @@ jobs: - run: ./test_server.sh ``` -For more information, see "[AUTOTITLE](/actions/using-jobs/using-jobs-in-a-workflow#defining-prerequisite-jobs)." +For more information, see [AUTOTITLE](/actions/using-jobs/using-jobs-in-a-workflow#defining-prerequisite-jobs). ### Using a matrix @@ -121,7 +121,7 @@ jobs: node-version: {% raw %}${{ matrix.node }}{% endraw %} ``` -For more information, see "[AUTOTITLE](/actions/using-jobs/using-a-matrix-for-your-jobs)." +For more information, see [AUTOTITLE](/actions/using-jobs/using-a-matrix-for-your-jobs). ### Caching dependencies @@ -144,7 +144,7 @@ jobs: {% raw %}${{ runner.os }}-build-${{ env.cache-name }}-{% endraw %} ``` -For more information, see "[AUTOTITLE](/actions/using-workflows/caching-dependencies-to-speed-up-workflows)." +For more information, see [AUTOTITLE](/actions/using-workflows/caching-dependencies-to-speed-up-workflows). ### Using databases and service containers @@ -170,7 +170,7 @@ jobs: POSTGRES_PORT: 5432 ``` -For more information, see "[AUTOTITLE](/actions/using-containerized-services)." +For more information, see [AUTOTITLE](/actions/using-containerized-services). ### Using labels to route workflows @@ -186,10 +186,10 @@ jobs: A workflow will only run on a runner that has all the labels in the `runs-on` array. The job will preferentially go to an idle self-hosted runner with the specified labels. {% ifversion fpt or ghec %}If none are available and a {% data variables.product.prodname_dotcom %}-hosted runner with the specified labels exists, the job will go to a {% data variables.product.prodname_dotcom %}-hosted runner.{% endif %} -To learn more about self-hosted runner labels, see "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/using-labels-with-self-hosted-runners)." +To learn more about self-hosted runner labels, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/using-labels-with-self-hosted-runners). {% ifversion fpt or ghec %} -To learn more about {% data variables.product.prodname_dotcom %}-hosted runner labels, see "[AUTOTITLE](/actions/using-github-hosted-runners/about-github-hosted-runners#supported-runners-and-hardware-resources)." +To learn more about {% data variables.product.prodname_dotcom %}-hosted runner labels, see [AUTOTITLE](/actions/using-github-hosted-runners/about-github-hosted-runners#supported-runners-and-hardware-resources). {% endif %} ### Reusing workflows @@ -202,4 +202,4 @@ To learn more about {% data variables.product.prodname_dotcom %}-hosted runner l ### Using environments -You can configure environments with protection rules and secrets to control the execution of jobs in a workflow. Each job in a workflow can reference a single environment. Any protection rules configured for the environment must pass before a job referencing the environment is sent to a runner. For more information, see "[AUTOTITLE](/actions/deployment/targeting-different-environments/managing-environments-for-deployment)." +You can configure environments with protection rules and secrets to control the execution of jobs in a workflow. Each job in a workflow can reference a single environment. Any protection rules configured for the environment must pass before a job referencing the environment is sent to a runner. For more information, see [AUTOTITLE](/actions/deployment/targeting-different-environments/managing-environments-for-deployment). diff --git a/content/actions/writing-workflows/choosing-what-your-workflow-does/accessing-contextual-information-about-workflow-runs.md b/content/actions/writing-workflows/choosing-what-your-workflow-does/accessing-contextual-information-about-workflow-runs.md index b3d47d29f6ba..af4aa0360ff7 100644 --- a/content/actions/writing-workflows/choosing-what-your-workflow-does/accessing-contextual-information-about-workflow-runs.md +++ b/content/actions/writing-workflows/choosing-what-your-workflow-does/accessing-contextual-information-about-workflow-runs.md @@ -24,7 +24,7 @@ versions: {% data reusables.actions.context-contents %} For example, the `matrix` context is only populated for jobs in a [matrix](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstrategymatrix). -You can access contexts using the expression syntax. For more information, see "[AUTOTITLE](/actions/learn-github-actions/expressions)." +You can access contexts using the expression syntax. For more information, see [AUTOTITLE](/actions/learn-github-actions/expressions). {% raw %} `${{ }}` @@ -60,8 +60,8 @@ If you attempt to dereference a nonexistent property, it will evaluate to an emp {% data variables.product.prodname_actions %} includes a collection of variables called _contexts_ and a similar collection of variables called _default variables_. These variables are intended for use at different points in the workflow: -* **Default environment variables:** These environment variables exist only on the runner that is executing your job. For more information, see "[AUTOTITLE](/actions/learn-github-actions/variables#default-environment-variables)." -* **Contexts:** You can use most contexts at any point in your workflow, including when _default variables_ would be unavailable. For example, you can use contexts with expressions to perform initial processing before the job is routed to a runner for execution; this allows you to use a context with the conditional `if` keyword to determine whether a step should run. Once the job is running, you can also retrieve context variables from the runner that is executing the job, such as `runner.os`. For details of where you can use various contexts within a workflow, see "[Context availability](#context-availability)." +* **Default environment variables:** These environment variables exist only on the runner that is executing your job. For more information, see [AUTOTITLE](/actions/learn-github-actions/variables#default-environment-variables). +* **Contexts:** You can use most contexts at any point in your workflow, including when _default variables_ would be unavailable. For example, you can use contexts with expressions to perform initial processing before the job is routed to a runner for execution; this allows you to use a context with the conditional `if` keyword to determine whether a step should run. Once the job is running, you can also retrieve context variables from the runner that is executing the job, such as `runner.os`. For details of where you can use various contexts within a workflow, see [Context availability](#context-availability). The following example demonstrates how these different types of variables can be used together in a job: @@ -173,7 +173,7 @@ jobs: ## `github` context -The `github` context contains information about the workflow run and the event that triggered the run. You can also read most of the `github` context data in environment variables. For more information about environment variables, see "[AUTOTITLE](/actions/learn-github-actions/variables)." +The `github` context contains information about the workflow run and the event that triggered the run. You can also read most of the `github` context data in environment variables. For more information about environment variables, see [AUTOTITLE](/actions/learn-github-actions/variables). {% data reusables.actions.github-context-warning %} {% data reusables.actions.context-injection-warning %} @@ -190,14 +190,14 @@ The `github` context contains information about the workflow run and the event t | `github.actor_id` | `string` | {% data reusables.actions.actor_id-description %} | | `github.api_url` | `string` | The URL of the {% data variables.product.prodname_dotcom %} REST API. | | `github.base_ref` | `string` | The `base_ref` or target branch of the pull request in a workflow run. This property is only available when the event that triggers a workflow run is either `pull_request` or `pull_request_target`. | -| `github.env` | `string` | Path on the runner to the file that sets environment variables from workflow commands. This file is unique to the current step and is a different file for each step in a job. For more information, see "[AUTOTITLE](/actions/using-workflows/workflow-commands-for-github-actions#setting-an-environment-variable)." | -| `github.event` | `object` | The full event webhook payload. You can access individual properties of the event using this context. This object is identical to the webhook payload of the event that triggered the workflow run, and is different for each event. The webhooks for each {% data variables.product.prodname_actions %} event is linked in "[AUTOTITLE](/actions/using-workflows/events-that-trigger-workflows)." For example, for a workflow run triggered by the [`push` event](/actions/using-workflows/events-that-trigger-workflows#push), this object contains the contents of the [push webhook payload](/webhooks-and-events/webhooks/webhook-events-and-payloads#push). | +| `github.env` | `string` | Path on the runner to the file that sets environment variables from workflow commands. This file is unique to the current step and is a different file for each step in a job. For more information, see [AUTOTITLE](/actions/using-workflows/workflow-commands-for-github-actions#setting-an-environment-variable). | +| `github.event` | `object` | The full event webhook payload. You can access individual properties of the event using this context. This object is identical to the webhook payload of the event that triggered the workflow run, and is different for each event. The webhooks for each {% data variables.product.prodname_actions %} event is linked in [AUTOTITLE](/actions/using-workflows/events-that-trigger-workflows). For example, for a workflow run triggered by the [`push` event](/actions/using-workflows/events-that-trigger-workflows#push), this object contains the contents of the [push webhook payload](/webhooks-and-events/webhooks/webhook-events-and-payloads#push). | | `github.event_name` | `string` | The name of the event that triggered the workflow run. | | `github.event_path` | `string` | The path to the file on the runner that contains the full event webhook payload. | | `github.graphql_url` | `string` | The URL of the {% data variables.product.prodname_dotcom %} GraphQL API. | | `github.head_ref` | `string` | The `head_ref` or source branch of the pull request in a workflow run. This property is only available when the event that triggers a workflow run is either `pull_request` or `pull_request_target`. | | `github.job` | `string` | The [`job_id`](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_id) of the current job.
Note: This context property is set by the Actions runner, and is only available within the execution `steps` of a job. Otherwise, the value of this property will be `null`. | -| `github.path` | `string` | Path on the runner to the file that sets system `PATH` variables from workflow commands. This file is unique to the current step and is a different file for each step in a job. For more information, see "[AUTOTITLE](/actions/using-workflows/workflow-commands-for-github-actions#adding-a-system-path)." | +| `github.path` | `string` | Path on the runner to the file that sets system `PATH` variables from workflow commands. This file is unique to the current step and is a different file for each step in a job. For more information, see [AUTOTITLE](/actions/using-workflows/workflow-commands-for-github-actions#adding-a-system-path). | | `github.ref` | `string` | {% data reusables.actions.ref-description %} | | `github.ref_name` | `string` | {% data reusables.actions.ref_name-description %} | | `github.ref_protected` | `boolean` | {% data reusables.actions.ref_protected-description %} | @@ -214,7 +214,7 @@ The `github` context contains information about the workflow run and the event t | `github.secret_source` | `string` | The source of a secret used in a workflow. Possible values are `None`, `Actions`{% ifversion fpt or ghec %}, `Codespaces`{% endif %}, or `Dependabot`. | | `github.server_url` | `string` | The URL of the GitHub server. For example: `https://github.com`. | | `github.sha` | `string` | {% data reusables.actions.github_sha_description %} | -| `github.token` | `string` | A token to authenticate on behalf of the GitHub App installed on your repository. This is functionally equivalent to the `GITHUB_TOKEN` secret. For more information, see "[AUTOTITLE](/actions/security-guides/automatic-token-authentication)."
Note: This context property is set by the Actions runner, and is only available within the execution `steps` of a job. Otherwise, the value of this property will be `null`. | +| `github.token` | `string` | A token to authenticate on behalf of the GitHub App installed on your repository. This is functionally equivalent to the `GITHUB_TOKEN` secret. For more information, see [AUTOTITLE](/actions/security-guides/automatic-token-authentication).
Note: This context property is set by the Actions runner, and is only available within the execution `steps` of a job. Otherwise, the value of this property will be `null`. | | `github.triggering_actor` | `string` | {% data reusables.actions.github-triggering-actor-description %} | | `github.workflow` | `string` | The name of the workflow. If the workflow file doesn't specify a `name`, the value of this property is the full path of the workflow file in the repository. | | `github.workflow_ref` | `string` | {% data reusables.actions.workflow-ref-description %} | @@ -290,9 +290,9 @@ jobs: ## `env` context -The `env` context contains variables that have been set in a workflow, job, or step. It does not contain variables inherited by the runner process. For more information about setting variables in your workflow, see "[AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#env)." +The `env` context contains variables that have been set in a workflow, job, or step. It does not contain variables inherited by the runner process. For more information about setting variables in your workflow, see [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#env). -You can retrieve the values of variables stored in `env` context and use these values in your workflow file. You can use the `env` context in any key in a workflow step except for the `id` and `uses` keys. For more information on the step syntax, see "[AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idsteps)." +You can retrieve the values of variables stored in `env` context and use these values in your workflow file. You can use the `env` context in any key in a workflow step except for the `id` and `uses` keys. For more information on the step syntax, see [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idsteps). If you want to use the value of a variable inside a runner, use the runner operating system's normal method for reading environment variables. @@ -349,7 +349,7 @@ jobs: {% data reusables.actions.configuration-variables-beta-note %} -The `vars` context contains custom configuration variables set at the organization, repository, and environment levels. For more information about defining configuration variables for use in multiple workflows, see "[AUTOTITLE](/actions/learn-github-actions/variables#defining-variables-for-multiple-workflows)". +The `vars` context contains custom configuration variables set at the organization, repository, and environment levels. For more information about defining configuration variables for use in multiple workflows, see [AUTOTITLE](/actions/learn-github-actions/variables#defining-variables-for-multiple-workflows). ### Example contents of the `vars` context @@ -377,10 +377,10 @@ The `job` context contains information about the currently running job. | Property name | Type | Description | |---------------|------|-------------| | `job` | `object` | This context changes for each job in a workflow run. You can access this context from any step in a job. This object contains all the properties listed below. | -| `job.container` | `object` | Information about the job's container. For more information about containers, see "[AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idcontainer)." | +| `job.container` | `object` | Information about the job's container. For more information about containers, see [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idcontainer). | | `job.container.id` | `string` | The ID of the container. | | `job.container.network` | `string` | The ID of the container network. The runner creates the network used by all containers in a job. | -| `job.services` | `object` | The service containers created for a job. For more information about service containers, see "[AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idservices)." | +| `job.services` | `object` | The service containers created for a job. For more information about service containers, see [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idservices). | | `job.services..id` | `string` | The ID of the service container. | | `job.services..network` | `string` | The ID of the service container network. The runner creates the network used by all containers in a job. | | `job.services..ports` | `object` | The exposed ports of the service container. | @@ -435,7 +435,7 @@ jobs: ## `jobs` context -The `jobs` context is only available in reusable workflows, and can only be used to set outputs for a reusable workflow. For more information, see "[AUTOTITLE](/actions/using-workflows/reusing-workflows#using-outputs-from-a-reusable-workflow)." +The `jobs` context is only available in reusable workflows, and can only be used to set outputs for a reusable workflow. For more information, see [AUTOTITLE](/actions/using-workflows/reusing-workflows#using-outputs-from-a-reusable-workflow). | Property name | Type | Description | |---------------|------|-------------| @@ -462,7 +462,7 @@ This example `jobs` context contains the result and outputs of a job from a reus ### Example usage of the `jobs` context -This example reusable workflow uses the `jobs` context to set outputs for the reusable workflow. Note how the outputs flow up from the steps, to the job, then to the `workflow_call` trigger. For more information, see "[AUTOTITLE](/actions/using-workflows/reusing-workflows#using-outputs-from-a-reusable-workflow)." +This example reusable workflow uses the `jobs` context to set outputs for the reusable workflow. Note how the outputs flow up from the steps, to the job, then to the `workflow_call` trigger. For more information, see [AUTOTITLE](/actions/using-workflows/reusing-workflows#using-outputs-from-a-reusable-workflow). {% raw %} @@ -504,7 +504,7 @@ The `steps` context contains information about the steps in the current job that | Property name | Type | Description | |---------------|------|-------------| | `steps` | `object` | This context changes for each step in a job. You can access this context from any step in a job. This object contains all the properties listed below. | -| `steps..outputs` | `object` | The set of outputs defined for the step. For more information, see "[AUTOTITLE](/actions/creating-actions/metadata-syntax-for-github-actions#outputs-for-docker-container-and-javascript-actions)." | +| `steps..outputs` | `object` | The set of outputs defined for the step. For more information, see [AUTOTITLE](/actions/creating-actions/metadata-syntax-for-github-actions#outputs-for-docker-container-and-javascript-actions). | | `steps..conclusion` | `string` | The result of a completed step after [`continue-on-error`](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepscontinue-on-error) is applied. Possible values are `success`, `failure`, `cancelled`, or `skipped`. When a `continue-on-error` step fails, the `outcome` is `failure`, but the final `conclusion` is `success`. | | `steps..outcome` | `string` | The result of a completed step before [`continue-on-error`](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepscontinue-on-error) is applied. Possible values are `success`, `failure`, `cancelled`, or `skipped`. When a `continue-on-error` step fails, the `outcome` is `failure`, but the final `conclusion` is `success`. | | `steps..outputs.` | `string` | The value of a specific output. | @@ -610,16 +610,16 @@ jobs: ## `secrets` context -The `secrets` context contains the names and values of secrets that are available to a workflow run. The `secrets` context is not available for composite actions due to security reasons. If you want to pass a secret to a composite action, you need to do it explicitly as an input. For more information about secrets, see "[AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions)." +The `secrets` context contains the names and values of secrets that are available to a workflow run. The `secrets` context is not available for composite actions due to security reasons. If you want to pass a secret to a composite action, you need to do it explicitly as an input. For more information about secrets, see [AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions). -`GITHUB_TOKEN` is a secret that is automatically created for every workflow run, and is always included in the `secrets` context. For more information, see "[AUTOTITLE](/actions/security-guides/automatic-token-authentication)." +`GITHUB_TOKEN` is a secret that is automatically created for every workflow run, and is always included in the `secrets` context. For more information, see [AUTOTITLE](/actions/security-guides/automatic-token-authentication). {% data reusables.actions.secrets-redaction-warning %} | Property name | Type | Description | |---------------|------|-------------| | `secrets` | `object` | This context is the same for each job in a workflow run. You can access this context from any step in a job. This object contains all the properties listed below. | -| `secrets.GITHUB_TOKEN` | `string` | Automatically created token for each workflow run. For more information, see "[AUTOTITLE](/actions/security-guides/automatic-token-authentication)." | +| `secrets.GITHUB_TOKEN` | `string` | Automatically created token for each workflow run. For more information, see [AUTOTITLE](/actions/security-guides/automatic-token-authentication). | | `secrets.` | `string` | The value of a specific secret. | ### Example contents of the `secrets` context @@ -645,10 +645,10 @@ For workflows with a matrix, the `strategy` context contains information about t | Property name | Type | Description | |---------------|------|-------------| | `strategy` | `object` | This context changes for each job in a workflow run. You can access this context from any job or step in a workflow. This object contains all the properties listed below. | -| `strategy.fail-fast` | `boolean` | When this evaluates to `true`, all in-progress jobs are canceled if any job in a matrix fails. For more information, see "[AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstrategyfail-fast)." | +| `strategy.fail-fast` | `boolean` | When this evaluates to `true`, all in-progress jobs are canceled if any job in a matrix fails. For more information, see [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstrategyfail-fast). | | `strategy.job-index` | `number` | The index of the current job in the matrix. **Note:** This number is a zero-based number. The first job's index in the matrix is `0`. | | `strategy.job-total` | `number` | The total number of jobs in the matrix. **Note:** This number **is not** a zero-based number. For example, for a matrix with four jobs, the value of `job-total` is `4`. | -| `strategy.max-parallel` | `number` | The maximum number of jobs that can run simultaneously when using a `matrix` job strategy. For more information, see "[AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstrategymax-parallel)." | +| `strategy.max-parallel` | `number` | The maximum number of jobs that can run simultaneously when using a `matrix` job strategy. For more information, see [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstrategymax-parallel). | ### Example contents of the `strategy` context @@ -734,7 +734,7 @@ jobs: ## `needs` context -The `needs` context contains outputs from all jobs that are defined as a direct dependency of the current job. Note that this doesn't include implicitly dependent jobs (for example, dependent jobs of a dependent job). For more information on defining job dependencies, see "[AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idneeds)." +The `needs` context contains outputs from all jobs that are defined as a direct dependency of the current job. Note that this doesn't include implicitly dependent jobs (for example, dependent jobs of a dependent job). For more information on defining job dependencies, see [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idneeds). | Property name | Type | Description | |---------------|------|-------------| diff --git a/content/actions/writing-workflows/choosing-what-your-workflow-does/adding-scripts-to-your-workflow.md b/content/actions/writing-workflows/choosing-what-your-workflow-does/adding-scripts-to-your-workflow.md index d67498211b38..abf8b8316887 100644 --- a/content/actions/writing-workflows/choosing-what-your-workflow-does/adding-scripts-to-your-workflow.md +++ b/content/actions/writing-workflows/choosing-what-your-workflow-does/adding-scripts-to-your-workflow.md @@ -18,7 +18,7 @@ jobs: - run: npm install -g bats ``` -To use a workflow to run a script stored in your repository you must first check out the repository to the runner. Having done this, you can use the `run` keyword to run the script on the runner. The following example runs two scripts, each in a separate job step. The location of the scripts on the runner is specified by setting a default working directory for run commands. For more information, see "[AUTOTITLE](/actions/using-jobs/setting-default-values-for-jobs)." +To use a workflow to run a script stored in your repository you must first check out the repository to the runner. Having done this, you can use the `run` keyword to run the script on the runner. The following example runs two scripts, each in a separate job step. The location of the scripts on the runner is specified by setting a default working directory for run commands. For more information, see [AUTOTITLE](/actions/using-jobs/setting-default-values-for-jobs). ```yaml jobs: @@ -56,4 +56,4 @@ jobs: ./my-other-script.sh ``` -For more information about the `run` keyword, see "[AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun)." +For more information about the `run` keyword, see [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun). diff --git a/content/actions/writing-workflows/choosing-what-your-workflow-does/caching-dependencies-to-speed-up-workflows.md b/content/actions/writing-workflows/choosing-what-your-workflow-does/caching-dependencies-to-speed-up-workflows.md index 3af5e6b5c8b2..c12de102babf 100644 --- a/content/actions/writing-workflows/choosing-what-your-workflow-does/caching-dependencies-to-speed-up-workflows.md +++ b/content/actions/writing-workflows/choosing-what-your-workflow-does/caching-dependencies-to-speed-up-workflows.md @@ -45,7 +45,7 @@ To cache dependencies for a job, you can use {% data variables.product.prodname_ {% data reusables.actions.comparing-artifacts-caching %} -For more information on workflow run artifacts, see "[AUTOTITLE](/actions/using-workflows/storing-workflow-data-as-artifacts)." +For more information on workflow run artifacts, see [AUTOTITLE](/actions/using-workflows/storing-workflow-data-as-artifacts). ## Restrictions for accessing a cache @@ -61,9 +61,9 @@ Multiple workflow runs in a repository can share caches. A cache created for a b ## Using the `cache` action The [`cache` action](https://github.com/actions/cache) will attempt to restore a cache based on the `key` you provide. When the action finds a cache that _exactly_ matches the key, the action restores the cached files to the `path` you configure. -You can optionally provide a list of `restore-keys` to use in case the `key` doesn't match an existing cache. A list of `restore-keys` is useful when you are restoring a cache from another branch because `restore-keys` can _partially_ match cache keys. For more information about matching `restore-keys`, see "[Matching a cache key](#matching-a-cache-key)." +You can optionally provide a list of `restore-keys` to use in case the `key` doesn't match an existing cache. A list of `restore-keys` is useful when you are restoring a cache from another branch because `restore-keys` can _partially_ match cache keys. For more information about matching `restore-keys`, see [Matching a cache key](#matching-a-cache-key). -If there is an exact match to the provided `key`, this is considered a cache hit. If no cache exactly matches the provided `key`, this is considered a cache miss. On a cache miss, the action automatically creates a new cache if the job completes successfully. The new cache will use the `key` you provided and contains the files you specify in `path`. For more information about how this is handled, see "[Cache hits and misses](#cache-hits-and-misses)." +If there is an exact match to the provided `key`, this is considered a cache hit. If no cache exactly matches the provided `key`, this is considered a cache miss. On a cache miss, the action automatically creates a new cache if the job completes successfully. The new cache will use the `key` you provided and contains the files you specify in `path`. For more information about how this is handled, see [Cache hits and misses](#cache-hits-and-misses). You cannot change the contents of an existing cache. Instead, you can create a new cache with a new key. @@ -117,7 +117,7 @@ When a cache miss occurs, the action also searches your specified `restore-keys` 1. The `cache` action completes and the next step in the job runs. 1. If the job completes successfully, the action automatically creates a new cache with the contents of the `path` directory. -For a more detailed explanation of the cache matching process, see "[Matching a cache key](#matching-a-cache-key)." +For a more detailed explanation of the cache matching process, see [Matching a cache key](#matching-a-cache-key). ### Example using the `cache` action @@ -163,7 +163,7 @@ jobs: ### Using contexts to create cache keys -A cache key can include any of the contexts, functions, literals, and operators supported by {% data variables.product.prodname_actions %}. For more information, see "[AUTOTITLE](/actions/learn-github-actions/contexts)" and "[AUTOTITLE](/actions/learn-github-actions/expressions)." +A cache key can include any of the contexts, functions, literals, and operators supported by {% data variables.product.prodname_actions %}. For more information, see [AUTOTITLE](/actions/learn-github-actions/contexts) and [AUTOTITLE](/actions/learn-github-actions/expressions). Using expressions to create a `key` allows you to automatically create a new cache when dependencies change. @@ -198,7 +198,7 @@ In the example workflow above, there is a step that lists the state of the Node ## Matching a cache key -The `cache` action first searches for cache hits for `key` and the cache _version_ in the branch containing the workflow run. If there is no hit, it searches for `restore-keys` and the _version_. If there are still no hits in the current branch, the `cache` action retries same steps on the default branch. Please note that the scope restrictions apply during the search. For more information, see "[Restrictions for accessing a cache](#restrictions-for-accessing-a-cache)." +The `cache` action first searches for cache hits for `key` and the cache _version_ in the branch containing the workflow run. If there is no hit, it searches for `restore-keys` and the _version_. If there are still no hits in the current branch, the `cache` action retries same steps on the default branch. Please note that the scope restrictions apply during the search. For more information, see [Restrictions for accessing a cache](#restrictions-for-accessing-a-cache). Cache version is a way to stamp a cache with metadata of the `path` and the compression tool used while creating the cache. This ensures that the consuming workflow run uniquely matches a cache it can actually decompress and use. For more information, see [Cache Version](https://github.com/actions/cache#cache-version) in the Actions Cache documentation. @@ -259,11 +259,11 @@ For example, if a pull request contains a `feature` branch and targets the defau {% data variables.product.prodname_dotcom %} will remove any cache entries that have not been accessed in over 7 days. There is no limit on the number of caches you can store, but the total size of all caches in a repository is limited{% ifversion actions-cache-policy-apis %}. By default, the limit is 10 GB per repository, but this limit might be different depending on policies set by your enterprise owners or repository administrators.{% else %} to 10 GB.{% endif %} {% data reusables.actions.cache-eviction-policy %} -{% data reusables.actions.cache-eviction-process %} {% ifversion actions-cache-ui %}The cache eviction process may cause cache thrashing, where caches are created and deleted at a high frequency. To reduce this, you can review the caches for a repository and take corrective steps, such as removing caching from specific workflows. For more information, see "[Managing caches](#managing-caches)."{% endif %}{% ifversion actions-cache-admin-ui %} You can also increase the cache size limit for a repository. For more information, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-cache-storage-for-a-repository)." +{% data reusables.actions.cache-eviction-process %} {% ifversion actions-cache-ui %}The cache eviction process may cause cache thrashing, where caches are created and deleted at a high frequency. To reduce this, you can review the caches for a repository and take corrective steps, such as removing caching from specific workflows. For more information, see [Managing caches](#managing-caches).{% endif %}{% ifversion actions-cache-admin-ui %} You can also increase the cache size limit for a repository. For more information, see [AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-cache-storage-for-a-repository). {% elsif actions-cache-policy-apis %} -For information on changing the policies for the repository cache size limit, see "[AUTOTITLE](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#enforcing-a-policy-for-cache-storage-in-your-enterprise)" and "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-cache-storage-for-a-repository)." +For information on changing the policies for the repository cache size limit, see [AUTOTITLE](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#enforcing-a-policy-for-cache-storage-in-your-enterprise) and [AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-cache-storage-for-a-repository). {% endif %} @@ -283,7 +283,7 @@ To manage caches created from your workflows, you can: There are multiple ways to manage caches for your repositories: * Using the {% data variables.product.prodname_dotcom %} web interface, as shown below. -* Using the REST API. For more information, see "[AUTOTITLE](/rest/actions/cache)." +* Using the REST API. For more information, see [AUTOTITLE](/rest/actions/cache). * Installing the `gh cache` subcommand to manage your caches from the command line. For more information, see the [GitHub CLI documentation](https://cli.github.com/manual/gh_cache). > [!NOTE] @@ -291,9 +291,9 @@ There are multiple ways to manage caches for your repositories: {% else %} -You can use the {% data variables.product.product_name %} REST API to manage your caches. {% ifversion actions-cache-list-delete-apis %}You can use the API to list and delete cache entries, and see your cache usage.{% elsif actions-cache-management %}At present, you can use the API to see your cache usage, with more functionality expected in future updates.{% endif %} For more information, see "[AUTOTITLE](/rest/actions/cache)." +You can use the {% data variables.product.product_name %} REST API to manage your caches. {% ifversion actions-cache-list-delete-apis %}You can use the API to list and delete cache entries, and see your cache usage.{% elsif actions-cache-management %}At present, you can use the API to see your cache usage, with more functionality expected in future updates.{% endif %} For more information, see [AUTOTITLE](/rest/actions/cache). -You can also install a {% data variables.product.prodname_cli %} extension to manage your caches from the command line. For more information about the extension, see [the extension documentation](https://github.com/actions/gh-actions-cache#readme). For more information about {% data variables.product.prodname_cli %} extensions, see "[AUTOTITLE](/github-cli/github-cli/using-github-cli-extensions)." +You can also install a {% data variables.product.prodname_cli %} extension to manage your caches from the command line. For more information about the extension, see [the extension documentation](https://github.com/actions/gh-actions-cache#readme). For more information about {% data variables.product.prodname_cli %} extensions, see [AUTOTITLE](/github-cli/github-cli/using-github-cli-extensions). {% endif %} @@ -332,13 +332,13 @@ Users with `write` access to a repository can use the {% data variables.product. ### Force deleting cache entries -Caches have branch scope restrictions in place, which means some caches have limited usage options. For more information on cache scope restrictions, see "[Restrictions for accessing a cache](#restrictions-for-accessing-a-cache)," earlier in this article. If caches limited to a specific branch are using a lot of storage quota, it may cause caches from the `default` branch to be created and deleted at a high frequency. +Caches have branch scope restrictions in place, which means some caches have limited usage options. For more information on cache scope restrictions, see [Restrictions for accessing a cache](#restrictions-for-accessing-a-cache), earlier in this article. If caches limited to a specific branch are using a lot of storage quota, it may cause caches from the `default` branch to be created and deleted at a high frequency. For example, a repository could have many new pull requests opened, each with their own caches that are restricted to that branch. These caches could take up the majority of the cache storage for that repository. {% data reusables.actions.cache-eviction-policy %} In order to prevent cache thrashing when this happens, you can set up workflows to delete caches on a faster cadence than the cache eviction policy will. You can use the {% data variables.product.prodname_cli %} to delete caches for specific branches. The following example workflow uses `gh cache` to delete up to 100 caches created by a branch once a pull request is closed. -To run the following example on cross-repository pull requests or pull requests from forks, you can trigger the workflow with the `pull_request_target` event. If you do use `pull_request_target` to trigger the workflow, there are security considerations to keep in mind. For more information, see "[AUTOTITLE](/actions/using-workflows/events-that-trigger-workflows#pull_request_target)." +To run the following example on cross-repository pull requests or pull requests from forks, you can trigger the workflow with the `pull_request_target` event. If you do use `pull_request_target` to trigger the workflow, there are security considerations to keep in mind. For more information, see [AUTOTITLE](/actions/using-workflows/events-that-trigger-workflows#pull_request_target). ```yaml name: cleanup caches by a branch @@ -370,6 +370,6 @@ jobs: BRANCH: refs/pull/{% raw %}${{ github.event.pull_request.number }}{% endraw %}/merge ``` -Alternatively, you can use the API to automatically list or delete all caches on your own cadence. For more information, see "[AUTOTITLE](/rest/actions/cache#about-the-cache-in-github-actions)." +Alternatively, you can use the API to automatically list or delete all caches on your own cadence. For more information, see [AUTOTITLE](/rest/actions/cache#about-the-cache-in-github-actions). {% endif %} diff --git a/content/actions/writing-workflows/choosing-what-your-workflow-does/evaluate-expressions-in-workflows-and-actions.md b/content/actions/writing-workflows/choosing-what-your-workflow-does/evaluate-expressions-in-workflows-and-actions.md index 874cc243ce57..6bf9bddb8bc0 100644 --- a/content/actions/writing-workflows/choosing-what-your-workflow-does/evaluate-expressions-in-workflows-and-actions.md +++ b/content/actions/writing-workflows/choosing-what-your-workflow-does/evaluate-expressions-in-workflows-and-actions.md @@ -15,7 +15,7 @@ redirect_from: ## About expressions -You can use expressions to programmatically set environment variables in workflow files and access contexts. An expression can be any combination of literal values, references to a context, or functions. You can combine literals, context references, and functions using operators. For more information about contexts, see "[AUTOTITLE](/actions/learn-github-actions/contexts)." +You can use expressions to programmatically set environment variables in workflow files and access contexts. An expression can be any combination of literal values, references to a context, or functions. You can combine literals, context references, and functions using operators. For more information about contexts, see [AUTOTITLE](/actions/learn-github-actions/contexts). Expressions are commonly used with the conditional `if` keyword in a workflow file to determine whether a step should run. When an `if` conditional is `true`, the step will run. @@ -26,7 +26,7 @@ Expressions are commonly used with the conditional `if` keyword in a workflow fi {% endraw %} > [!NOTE] -> The exception to this rule is when you are using expressions in an `if` clause, where, optionally, you can usually omit {% raw %}`${{`{% endraw %} and {% raw %}`}}`{% endraw %}. For more information about `if` conditionals, see "[AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idif)." +> The exception to this rule is when you are using expressions in an `if` clause, where, optionally, you can usually omit {% raw %}`${{`{% endraw %} and {% raw %}`}}`{% endraw %}. For more information about `if` conditionals, see [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idif). {% data reusables.actions.context-injection-warning %} @@ -91,8 +91,8 @@ env: > [!NOTE] > * {% data variables.product.company_short %} ignores case when comparing strings. - > * `steps..outputs.` evaluates as a string. {% data reusables.actions.expressions-syntax-evaluation %} For more information, see "[AUTOTITLE](/actions/learn-github-actions/contexts#steps-context)." - > * For numerical comparison, the `fromJSON()` function can be used to convert a string to a number. For more information on the `fromJSON()` function, see "[fromJSON](#fromjson)." + > * `steps..outputs.` evaluates as a string. {% data reusables.actions.expressions-syntax-evaluation %} For more information, see [AUTOTITLE](/actions/learn-github-actions/contexts#steps-context). + > * For numerical comparison, the `fromJSON()` function can be used to convert a string to a number. For more information on the `fromJSON()` function, see [fromJSON](#fromjson). {% data variables.product.prodname_dotcom %} performs loose equality comparisons. @@ -105,7 +105,7 @@ env: | String | Parsed from any legal JSON number format, otherwise `NaN`.
Note: empty string returns `0`. | | Array | `NaN` | | Object | `NaN` | -* When `NaN` is one of the operands of any relational comparison (`>`, `<`, `>=`, `<=`), the result is always `false`. For more information, see the "[NaN Mozilla docs](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/NaN)." +* When `NaN` is one of the operands of any relational comparison (`>`, `<`, `>=`, `<=`), the result is always `false`. For more information, see the [NaN Mozilla docs](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/NaN). * {% data variables.product.prodname_dotcom %} ignores case when comparing strings. * Objects and arrays are only considered equal when they are the same instance. @@ -151,7 +151,7 @@ Returns `true` if `search` contains `item`. If `search` is an array, this functi `contains(github.event.issue.labels.*.name, 'bug')` returns `true` if the issue related to the event has a label "bug". -For more information, see "[Object filters](#object-filters)." +For more information, see [Object filters](#object-filters). #### Example matching an array of strings @@ -288,7 +288,7 @@ The workflow uses the `fromJSON()` function to convert the environment variable `hashFiles(path)` -Returns a single hash for the set of files that matches the `path` pattern. You can provide a single `path` pattern or multiple `path` patterns separated by commas. The `path` is relative to the `GITHUB_WORKSPACE` directory and can only include files inside of the `GITHUB_WORKSPACE`. This function calculates an individual SHA-256 hash for each matched file, and then uses those hashes to calculate a final SHA-256 hash for the set of files. If the `path` pattern does not match any files, this returns an empty string. For more information about SHA-256, see "[SHA-2](https://en.wikipedia.org/wiki/SHA-2)." +Returns a single hash for the set of files that matches the `path` pattern. You can provide a single `path` pattern or multiple `path` patterns separated by commas. The `path` is relative to the `GITHUB_WORKSPACE` directory and can only include files inside of the `GITHUB_WORKSPACE`. This function calculates an individual SHA-256 hash for each matched file, and then uses those hashes to calculate a final SHA-256 hash for the set of files. If the `path` pattern does not match any files, this returns an empty string. For more information about SHA-256, see [SHA-2](https://en.wikipedia.org/wiki/SHA-2). You can use pattern matching characters to match file names. Pattern matching for `hashFiles` follows glob pattern matching and is case-insensitive on Windows. For more information about supported pattern matching characters, see the [Patterns](https://www.npmjs.com/package/@actions/glob#patterns) section in the `@actions/glob` documentation. @@ -306,7 +306,7 @@ Creates a hash for any `package-lock.json` and `Gemfile.lock` files in the repos ## Status check functions -You can use the following status check functions as expressions in `if` conditionals. A default status check of `success()` is applied unless you include one of these functions. For more information about `if` conditionals, see "[AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idif)" and "[AUTOTITLE](/actions/creating-actions/metadata-syntax-for-github-actions#runsstepsif)". +You can use the following status check functions as expressions in `if` conditionals. A default status check of `success()` is applied unless you include one of these functions. For more information about `if` conditionals, see [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idif) and [AUTOTITLE](/actions/creating-actions/metadata-syntax-for-github-actions#runsstepsif). ### success diff --git a/content/actions/writing-workflows/choosing-what-your-workflow-does/store-information-in-variables.md b/content/actions/writing-workflows/choosing-what-your-workflow-does/store-information-in-variables.md index b173b9d672bf..2ded804dd12d 100644 --- a/content/actions/writing-workflows/choosing-what-your-workflow-does/store-information-in-variables.md +++ b/content/actions/writing-workflows/choosing-what-your-workflow-does/store-information-in-variables.md @@ -22,15 +22,15 @@ versions: Variables provide a way to store and reuse non-sensitive configuration information. You can store any configuration data such as compiler flags, usernames, or server names as variables. Variables are interpolated on the runner machine that runs your workflow. Commands that run in actions or workflow steps can create, read, and modify variables. -You can set your own custom variables or use the default environment variables that {% data variables.product.prodname_dotcom %} sets automatically. For more information, see "[Default environment variables](#default-environment-variables)". +You can set your own custom variables or use the default environment variables that {% data variables.product.prodname_dotcom %} sets automatically. For more information, see [Default environment variables](#default-environment-variables). You can set a custom variable in two ways. -* To define an environment variable for use in a single workflow, you can use the `env` key in the workflow file. For more information, see "[Defining environment variables for a single workflow](#defining-environment-variables-for-a-single-workflow)". -* To define a configuration variable across multiple workflows, you can define it at the organization, repository, or environment level. For more information, see "[Defining configuration variables for multiple workflows](#defining-configuration-variables-for-multiple-workflows)". +* To define an environment variable for use in a single workflow, you can use the `env` key in the workflow file. For more information, see [Defining environment variables for a single workflow](#defining-environment-variables-for-a-single-workflow). +* To define a configuration variable across multiple workflows, you can define it at the organization, repository, or environment level. For more information, see [Defining configuration variables for multiple workflows](#defining-configuration-variables-for-multiple-workflows). > [!WARNING] -> By default, variables render unmasked in your build outputs. If you need greater security for sensitive information, such as passwords, use secrets instead. For more information, see "[AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions)". +> By default, variables render unmasked in your build outputs. If you need greater security for sensitive information, such as passwords, use secrets instead. For more information, see [AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions). ## Defining environment variables for a single workflow @@ -67,13 +67,13 @@ jobs: You can access `env` variable values using runner environment variables or using contexts. The example above shows three custom variables being used as runner environment variables in an `echo` command: `$DAY_OF_WEEK`, `$Greeting`, and `$First_Name`. The values for these variables are set, and scoped, at the workflow, job, and step level respectively. The interpolation of these variables happens on the runner. -The commands in the `run` steps of a workflow, or a referenced action, are processed by the shell you are using on the runner. The instructions in the other parts of a workflow are processed by {% data variables.product.prodname_actions %} and are not sent to the runner. You can use either runner environment variables or contexts in `run` steps, but in the parts of a workflow that are not sent to the runner you must use contexts to access variable values. For more information, see "[Using contexts to access variable values](#using-contexts-to-access-variable-values)." +The commands in the `run` steps of a workflow, or a referenced action, are processed by the shell you are using on the runner. The instructions in the other parts of a workflow are processed by {% data variables.product.prodname_actions %} and are not sent to the runner. You can use either runner environment variables or contexts in `run` steps, but in the parts of a workflow that are not sent to the runner you must use contexts to access variable values. For more information, see [Using contexts to access variable values](#using-contexts-to-access-variable-values). -Because runner environment variable interpolation is done after a workflow job is sent to a runner machine, you must use the appropriate syntax for the shell that's used on the runner. In this example, the workflow specifies `ubuntu-latest`. By default, Linux runners use the bash shell, so you must use the syntax `$NAME`. By default, Windows runners use PowerShell, so you would use the syntax `$env:NAME`. For more information about shells, see "[AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsshell)." +Because runner environment variable interpolation is done after a workflow job is sent to a runner machine, you must use the appropriate syntax for the shell that's used on the runner. In this example, the workflow specifies `ubuntu-latest`. By default, Linux runners use the bash shell, so you must use the syntax `$NAME`. By default, Windows runners use PowerShell, so you would use the syntax `$env:NAME`. For more information about shells, see [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsshell). ### Naming conventions for environment variables -When you set an environment variable, you cannot use any of the default environment variable names. For a complete list of default environment variables, see "[Default environment variables](#default-environment-variables)" below. If you attempt to override the value of one of these default variables, the assignment is ignored. +When you set an environment variable, you cannot use any of the default environment variable names. For a complete list of default environment variables, see [Default environment variables](#default-environment-variables) below. If you attempt to override the value of one of these default variables, the assignment is ignored. > [!NOTE] > You can list the entire set of environment variables that are available to a workflow step by using `run: env` in a step and then examining the output for the step. @@ -84,7 +84,7 @@ You can create configuration variables for use across multiple workflows, and ca For example, you can use configuration variables to set default values for parameters passed to build tools at an organization level, but then allow repository owners to override these parameters on a case-by-case basis. -When you define configuration variables, they are automatically available in the `vars` context. For more information, see "[Using the `vars` context to access configuration variable values](#using-the-vars-context-to-access-configuration-variable-values)". +When you define configuration variables, they are automatically available in the `vars` context. For more information, see [Using the `vars` context to access configuration variable values](#using-the-vars-context-to-access-configuration-variable-values). ### Configuration variable precedence @@ -178,7 +178,7 @@ A workflow created in a repository can access the following number of variables: ## Using contexts to access variable values -{% data reusables.actions.actions-contexts-about-description %} For more information, see "[AUTOTITLE](/actions/learn-github-actions/contexts)". There are many other contexts that you can use for a variety of purposes in your workflows. For details of where you can use specific contexts within a workflow, see "[AUTOTITLE](/actions/learn-github-actions/contexts#context-availability)." +{% data reusables.actions.actions-contexts-about-description %} For more information, see [AUTOTITLE](/actions/learn-github-actions/contexts). There are many other contexts that you can use for a variety of purposes in your workflows. For details of where you can use specific contexts within a workflow, see [AUTOTITLE](/actions/learn-github-actions/contexts#context-availability). You can access environment variable values using the `env` context and configuration variable values using the `vars` context. @@ -239,7 +239,7 @@ You will commonly use either the `env` or `github` context to access variable va ### Using the `vars` context to access configuration variable values -Configuration variables can be accessed across the workflow using `vars` context. For more information, see "[AUTOTITLE](/actions/learn-github-actions/contexts#vars-context)". +Configuration variables can be accessed across the workflow using `vars` context. For more information, see [AUTOTITLE](/actions/learn-github-actions/contexts#vars-context). {% data reusables.actions.actions-vars-context-example-usage %} @@ -249,7 +249,7 @@ The default environment variables that {% data variables.product.prodname_dotcom Because default environment variables are set by {% data variables.product.prodname_dotcom %} and not defined in a workflow, they are not accessible through the `env` context. However, most of the default variables have a corresponding, and similarly named, context property. For example, the value of the `GITHUB_REF` variable can be read during workflow processing using the {% raw %}`${{ github.ref }}`{% endraw %} context property. -{% data reusables.actions.environment-variables-are-fixed %} For more information about setting environment variables, see "[Defining environment variables for a single workflow](#defining-environment-variables-for-a-single-workflow)" and "[AUTOTITLE](/actions/using-workflows/workflow-commands-for-github-actions#setting-an-environment-variable)." +{% data reusables.actions.environment-variables-are-fixed %} For more information about setting environment variables, see [Defining environment variables for a single workflow](#defining-environment-variables-for-a-single-workflow) and [AUTOTITLE](/actions/using-workflows/workflow-commands-for-github-actions#setting-an-environment-variable). We strongly recommend that actions use variables to access the filesystem rather than using hardcoded file paths. {% data variables.product.prodname_dotcom %} sets variables for actions to use in all runner environments. @@ -264,14 +264,14 @@ We strongly recommend that actions use variables to access the filesystem rather | `GITHUB_ACTOR_ID` | {% data reusables.actions.actor_id-description %} | | `GITHUB_API_URL` | Returns the API URL. For example: `{% data variables.product.rest_url %}`. | | `GITHUB_BASE_REF` | The name of the base ref or target branch of the pull request in a workflow run. This is only set when the event that triggers a workflow run is either `pull_request` or `pull_request_target`. For example, `main`. | -| `GITHUB_ENV` | The path on the runner to the file that sets variables from workflow commands. The path to this file is unique to the current step and changes for each step in a job. For example, `/home/runner/work/_temp/_runner_file_commands/set_env_87406d6e-4979-4d42-98e1-3dab1f48b13a`. For more information, see "[AUTOTITLE](/actions/using-workflows/workflow-commands-for-github-actions#setting-an-environment-variable)." | +| `GITHUB_ENV` | The path on the runner to the file that sets variables from workflow commands. The path to this file is unique to the current step and changes for each step in a job. For example, `/home/runner/work/_temp/_runner_file_commands/set_env_87406d6e-4979-4d42-98e1-3dab1f48b13a`. For more information, see [AUTOTITLE](/actions/using-workflows/workflow-commands-for-github-actions#setting-an-environment-variable). | | `GITHUB_EVENT_NAME` | The name of the event that triggered the workflow. For example, `workflow_dispatch`. | | `GITHUB_EVENT_PATH` | The path to the file on the runner that contains the full event webhook payload. For example, `/github/workflow/event.json`. | | `GITHUB_GRAPHQL_URL` | Returns the GraphQL API URL. For example: `{% data variables.product.graphql_url %}`. | | `GITHUB_HEAD_REF` | The head ref or source branch of the pull request in a workflow run. This property is only set when the event that triggers a workflow run is either `pull_request` or `pull_request_target`. For example, `feature-branch-1`. | | `GITHUB_JOB` | The [job_id](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_id) of the current job. For example, `greeting_job`. | -| `GITHUB_OUTPUT` | The path on the runner to the file that sets the current step's outputs from workflow commands. The path to this file is unique to the current step and changes for each step in a job. For example, `/home/runner/work/_temp/_runner_file_commands/set_output_a50ef383-b063-46d9-9157-57953fc9f3f0`. For more information, see "[AUTOTITLE](/actions/using-workflows/workflow-commands-for-github-actions#setting-an-output-parameter)." | -| `GITHUB_PATH` | The path on the runner to the file that sets system `PATH` variables from workflow commands. The path to this file is unique to the current step and changes for each step in a job. For example, `/home/runner/work/_temp/_runner_file_commands/add_path_899b9445-ad4a-400c-aa89-249f18632cf5`. For more information, see "[AUTOTITLE](/actions/using-workflows/workflow-commands-for-github-actions#adding-a-system-path)." | +| `GITHUB_OUTPUT` | The path on the runner to the file that sets the current step's outputs from workflow commands. The path to this file is unique to the current step and changes for each step in a job. For example, `/home/runner/work/_temp/_runner_file_commands/set_output_a50ef383-b063-46d9-9157-57953fc9f3f0`. For more information, see [AUTOTITLE](/actions/using-workflows/workflow-commands-for-github-actions#setting-an-output-parameter). | +| `GITHUB_PATH` | The path on the runner to the file that sets system `PATH` variables from workflow commands. The path to this file is unique to the current step and changes for each step in a job. For example, `/home/runner/work/_temp/_runner_file_commands/add_path_899b9445-ad4a-400c-aa89-249f18632cf5`. For more information, see [AUTOTITLE](/actions/using-workflows/workflow-commands-for-github-actions#adding-a-system-path). | | `GITHUB_REF` | {% data reusables.actions.ref-description %} | | `GITHUB_REF_NAME` | {% data reusables.actions.ref_name-description %} | | `GITHUB_REF_PROTECTED` | {% data reusables.actions.ref_protected-description %} | @@ -286,7 +286,7 @@ We strongly recommend that actions use variables to access the filesystem rather | `GITHUB_RUN_NUMBER` | {% data reusables.actions.run_number_description %} For example, `3`. | | `GITHUB_SERVER_URL`| The URL of the {% data variables.product.product_name %} server. For example: `https://{% data variables.product.product_url %}`. | | `GITHUB_SHA` | {% data reusables.actions.github_sha_description %} | -| `GITHUB_STEP_SUMMARY` | The path on the runner to the file that contains job summaries from workflow commands. The path to this file is unique to the current step and changes for each step in a job. For example, `/home/runner/_layout/_work/_temp/_runner_file_commands/step_summary_1cb22d7f-5663-41a8-9ffc-13472605c76c`. For more information, see "[AUTOTITLE](/actions/using-workflows/workflow-commands-for-github-actions#adding-a-job-summary)." | +| `GITHUB_STEP_SUMMARY` | The path on the runner to the file that contains job summaries from workflow commands. The path to this file is unique to the current step and changes for each step in a job. For example, `/home/runner/_layout/_work/_temp/_runner_file_commands/step_summary_1cb22d7f-5663-41a8-9ffc-13472605c76c`. For more information, see [AUTOTITLE](/actions/using-workflows/workflow-commands-for-github-actions#adding-a-job-summary). | | `GITHUB_TRIGGERING_ACTOR` | {% data reusables.actions.github-triggering-actor-description %} | | `GITHUB_WORKFLOW` | The name of the workflow. For example, `My test workflow`. If the workflow file doesn't specify a `name`, the value of this variable is the full path of the workflow file in the repository. | | `GITHUB_WORKFLOW_REF` | {% data reusables.actions.workflow-ref-description %} | @@ -330,6 +330,6 @@ In this example, the two `if` statements check the `os` property of the `runner` ## Passing values between steps and jobs in a workflow - If you generate a value in one step of a job, you can use the value in subsequent steps of the same job by assigning the value to an existing or new environment variable and then writing this to the `GITHUB_ENV` environment file. The environment file can be used directly by an action, or from a shell command in the workflow file by using the `run` keyword. For more information, see "[AUTOTITLE](/actions/using-workflows/workflow-commands-for-github-actions#setting-an-environment-variable)." + If you generate a value in one step of a job, you can use the value in subsequent steps of the same job by assigning the value to an existing or new environment variable and then writing this to the `GITHUB_ENV` environment file. The environment file can be used directly by an action, or from a shell command in the workflow file by using the `run` keyword. For more information, see [AUTOTITLE](/actions/using-workflows/workflow-commands-for-github-actions#setting-an-environment-variable). - If you want to pass a value from a step in one job in a workflow to a step in another job in the workflow, you can define the value as a job output. You can then reference this job output from a step in another job. For more information, see "[AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idoutputs)." + If you want to pass a value from a step in one job in a workflow to a step in another job in the workflow, you can define the value as a job output. You can then reference this job output from a step in another job. For more information, see [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idoutputs). diff --git a/content/actions/writing-workflows/choosing-what-your-workflow-does/storing-and-sharing-data-from-a-workflow.md b/content/actions/writing-workflows/choosing-what-your-workflow-does/storing-and-sharing-data-from-a-workflow.md index 0bfc8792b3eb..e22261b69a61 100644 --- a/content/actions/writing-workflows/choosing-what-your-workflow-does/storing-and-sharing-data-from-a-workflow.md +++ b/content/actions/writing-workflows/choosing-what-your-workflow-does/storing-and-sharing-data-from-a-workflow.md @@ -37,7 +37,7 @@ These are some of the common artifacts that you can upload: {% ifversion fpt or ghec %} -Storing artifacts uses storage space on {% data variables.product.product_name %}. {% data reusables.actions.actions-billing %} For more information, see "[AUTOTITLE](/billing/managing-billing-for-github-actions)." +Storing artifacts uses storage space on {% data variables.product.product_name %}. {% data reusables.actions.actions-billing %} For more information, see [AUTOTITLE](/billing/managing-billing-for-github-actions). {% else %} @@ -54,15 +54,15 @@ To share data between jobs: * **Uploading files:** Give the uploaded file a name and upload the data before the job ends. * **Downloading files:** You can only download artifacts that were uploaded during the same workflow run. When you download a file, you can reference it by name. -The steps of a job share the same environment on the runner machine, but run in their own individual processes. To pass data between steps in a job, you can use inputs and outputs. For more information about inputs and outputs, see "[AUTOTITLE](/actions/creating-actions/metadata-syntax-for-github-actions)." +The steps of a job share the same environment on the runner machine, but run in their own individual processes. To pass data between steps in a job, you can use inputs and outputs. For more information about inputs and outputs, see [AUTOTITLE](/actions/creating-actions/metadata-syntax-for-github-actions). {% data reusables.actions.comparing-artifacts-caching %} -For more information on dependency caching, see "[AUTOTITLE](/actions/using-workflows/caching-dependencies-to-speed-up-workflows#comparing-artifacts-and-dependency-caching)." +For more information on dependency caching, see [AUTOTITLE](/actions/using-workflows/caching-dependencies-to-speed-up-workflows#comparing-artifacts-and-dependency-caching). ## Uploading build and test artifacts -You can create a continuous integration (CI) workflow to build and test your code. For more information about using {% data variables.product.prodname_actions %} to perform CI, see "[AUTOTITLE](/actions/automating-builds-and-tests/about-continuous-integration)." +You can create a continuous integration (CI) workflow to build and test your code. For more information about using {% data variables.product.prodname_actions %} to perform CI, see [AUTOTITLE](/actions/automating-builds-and-tests/about-continuous-integration). The output of building and testing your code often produces files you can use to debug test failures and production code that you can deploy. You can configure a workflow to build and test the code pushed to your repository and report a success or failure status. You can upload the build and test output to use for deployments, debugging failed tests or crashes, and viewing test suite coverage. @@ -126,7 +126,7 @@ jobs: You can access attestations after a build run, underneath the list of the artifacts the build produced. -For more information, see "[AUTOTITLE](/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds)." +For more information, see [AUTOTITLE](/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds). {% endif %} @@ -149,7 +149,7 @@ The `retention-days` value cannot exceed the retention limit set by the reposito During a workflow run, you can use the [`download-artifact`](https://github.com/actions/download-artifact) action to download artifacts that were previously uploaded in the same workflow run. -After a workflow run has been completed, you can download or delete artifacts on {% data variables.product.prodname_dotcom %} or using the REST API. For more information, see "[AUTOTITLE](/actions/managing-workflow-runs/downloading-workflow-artifacts)," "[AUTOTITLE](/actions/managing-workflow-runs/removing-workflow-artifacts)," and "[AUTOTITLE](/rest/actions/artifacts)." +After a workflow run has been completed, you can download or delete artifacts on {% data variables.product.prodname_dotcom %} or using the REST API. For more information, see [AUTOTITLE](/actions/managing-workflow-runs/downloading-workflow-artifacts), [AUTOTITLE](/actions/managing-workflow-runs/removing-workflow-artifacts), and [AUTOTITLE](/rest/actions/artifacts). ### Downloading artifacts during a workflow run @@ -253,12 +253,12 @@ jobs: echo The result is $value ``` -The workflow run will archive any artifacts that it generated. For more information on downloading archived artifacts, see "[AUTOTITLE](/actions/managing-workflow-runs/downloading-workflow-artifacts)." +The workflow run will archive any artifacts that it generated. For more information on downloading archived artifacts, see [AUTOTITLE](/actions/managing-workflow-runs/downloading-workflow-artifacts). {% ifversion fpt or ghec %} ## Further reading -* "[AUTOTITLE](/billing/managing-billing-for-github-actions)". +* [AUTOTITLE](/billing/managing-billing-for-github-actions). {% endif %} diff --git a/content/actions/writing-workflows/choosing-what-your-workflow-does/using-environments-for-deployment.md b/content/actions/writing-workflows/choosing-what-your-workflow-does/using-environments-for-deployment.md index db8b1fa1f35c..8725a347de6b 100644 --- a/content/actions/writing-workflows/choosing-what-your-workflow-does/using-environments-for-deployment.md +++ b/content/actions/writing-workflows/choosing-what-your-workflow-does/using-environments-for-deployment.md @@ -19,7 +19,7 @@ redirect_from: Each job in a workflow can reference a single environment. Any protection rules configured for the environment must pass before a job referencing the environment is sent to a runner. The job can access the environment's secrets only after the job is sent to a runner. -When a workflow references an environment, the environment will appear in the repository's deployments. For more information about viewing current and previous deployments, see "[AUTOTITLE](/actions/deployment/managing-your-deployments/viewing-deployment-history)." +When a workflow references an environment, the environment will appear in the repository's deployments. For more information about viewing current and previous deployments, see [AUTOTITLE](/actions/deployment/managing-your-deployments/viewing-deployment-history). ## Using an environment in a workflow diff --git a/content/actions/writing-workflows/choosing-what-your-workflow-does/using-pre-written-building-blocks-in-your-workflow.md b/content/actions/writing-workflows/choosing-what-your-workflow-does/using-pre-written-building-blocks-in-your-workflow.md index 2b8eeaa4eb62..0fa34110b054 100644 --- a/content/actions/writing-workflows/choosing-what-your-workflow-does/using-pre-written-building-blocks-in-your-workflow.md +++ b/content/actions/writing-workflows/choosing-what-your-workflow-does/using-pre-written-building-blocks-in-your-workflow.md @@ -72,8 +72,8 @@ An action's listing page includes the action's version and the workflow syntax r 1. Click to view the full marketplace listing for the action. 1. Under "Installation", click {% octicon "copy" aria-label="Copy to clipboard" %} to copy the workflow syntax. ![Screenshot of the marketplace listing for an action. The "Copy to clipboard" icon for the action is highlighted with a dark orange outline.](/assets/images/help/repository/actions-sidebar-detailed-view.png) -1. Paste the syntax as a new step in your workflow. For more information, see "[AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idsteps)." -1. If the action requires you to provide inputs, set them in your workflow. For information on inputs an action might require, see "[AUTOTITLE](/actions/learn-github-actions/finding-and-customizing-actions#using-inputs-and-outputs-with-an-action)." +1. Paste the syntax as a new step in your workflow. For more information, see [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idsteps). +1. If the action requires you to provide inputs, set them in your workflow. For information on inputs an action might require, see [AUTOTITLE](/actions/learn-github-actions/finding-and-customizing-actions#using-inputs-and-outputs-with-an-action). {% data reusables.dependabot.version-updates-for-actions %} @@ -85,13 +85,13 @@ If an action is defined in the same repository where your workflow file uses the {% data reusables.actions.workflows.section-referencing-an-action-from-the-same-repository %} -The `action.yml` file is used to provide metadata for the action. Learn about the content of this file in "[AUTOTITLE](/actions/creating-actions/metadata-syntax-for-github-actions)." +The `action.yml` file is used to provide metadata for the action. Learn about the content of this file in [AUTOTITLE](/actions/creating-actions/metadata-syntax-for-github-actions). ### Adding an action from a different repository If an action is defined in a different repository than your workflow file, you can reference the action with the `{owner}/{repo}@{ref}` syntax in your workflow file. -The action must be stored in a public repository{% ifversion internal-actions %} or an internal repository that is configured to allow access to workflows. For more information, see "[AUTOTITLE](/actions/creating-actions/sharing-actions-and-workflows-with-your-enterprise)."{% else %}.{% endif %} +The action must be stored in a public repository{% ifversion internal-actions %} or an internal repository that is configured to allow access to workflows. For more information, see [AUTOTITLE](/actions/creating-actions/sharing-actions-and-workflows-with-your-enterprise).{% else %}.{% endif %} ```yaml jobs: @@ -117,7 +117,7 @@ jobs: uses: docker://alpine:3.8 ``` -For some examples of Docker actions, see the [Docker-image.yml workflow](https://github.com/actions/starter-workflows/blob/main/ci/docker-image.yml) and "[AUTOTITLE](/actions/creating-actions/creating-a-docker-container-action)." +For some examples of Docker actions, see the [Docker-image.yml workflow](https://github.com/actions/starter-workflows/blob/main/ci/docker-image.yml) and [AUTOTITLE](/actions/creating-actions/creating-a-docker-container-action). ### Security hardening for using actions in your workflows @@ -130,7 +130,7 @@ The creators of a community action have the option to use tags, branches, or SHA You will designate the version of the action in your workflow file. Check the action's documentation for information on their approach to release management, and to see which tag, branch, or SHA value to use. > [!NOTE] -> We recommend that you use a SHA value when using third-party actions. However, it's important to note {% data variables.product.prodname_dependabot %} will only create {% data variables.product.prodname_dependabot_alerts %} for vulnerable {% data variables.product.prodname_actions %} that use semantic versioning. For more information, see "[AUTOTITLE](/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions)" and "[AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts)." +> We recommend that you use a SHA value when using third-party actions. However, it's important to note {% data variables.product.prodname_dependabot %} will only create {% data variables.product.prodname_dependabot_alerts %} for vulnerable {% data variables.product.prodname_actions %} that use semantic versioning. For more information, see [AUTOTITLE](/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions) and [AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts). ### Using tags @@ -159,7 +159,7 @@ steps: - uses: actions/javascript-action@main ``` -For more information, see "[AUTOTITLE](/actions/creating-actions/about-custom-actions#using-release-management-for-actions)." +For more information, see [AUTOTITLE](/actions/creating-actions/about-custom-actions#using-release-management-for-actions). ## Using inputs and outputs with an action @@ -184,4 +184,4 @@ outputs: ## Next steps -To continue learning about {% data variables.product.prodname_actions %}, see "[AUTOTITLE](/actions/learn-github-actions/essential-features-of-github-actions)." +To continue learning about {% data variables.product.prodname_actions %}, see [AUTOTITLE](/actions/learn-github-actions/essential-features-of-github-actions). diff --git a/content/actions/writing-workflows/choosing-what-your-workflow-does/workflow-commands-for-github-actions.md b/content/actions/writing-workflows/choosing-what-your-workflow-does/workflow-commands-for-github-actions.md index 85a9e902d838..7fc6700248c4 100644 --- a/content/actions/writing-workflows/choosing-what-your-workflow-does/workflow-commands-for-github-actions.md +++ b/content/actions/writing-workflows/choosing-what-your-workflow-does/workflow-commands-for-github-actions.md @@ -24,7 +24,7 @@ versions: Actions can communicate with the runner machine to set environment variables, output values used by other actions, add debug messages to the output logs, and other tasks. -Most workflow commands use the `echo` command in a specific format, while others are invoked by writing to a file. For more information, see "[Environment files](#environment-files)." +Most workflow commands use the `echo` command in a specific format, while others are invoked by writing to a file. For more information, see [Environment files](#environment-files). ### Example of a workflow command @@ -106,7 +106,7 @@ The following table shows which toolkit functions are available within a workflo ## Setting a debug message -Prints a debug message to the log. You must create a secret named `ACTIONS_STEP_DEBUG` with the value `true` to see the debug messages set by this command in the log. For more information, see "[AUTOTITLE](/actions/monitoring-and-troubleshooting-workflows/enabling-debug-logging)." +Prints a debug message to the log. You must create a secret named `ACTIONS_STEP_DEBUG` with the value `true` to see the debug messages set by this command in the log. For more information, see [AUTOTITLE](/actions/monitoring-and-troubleshooting-workflows/enabling-debug-logging). ```text copy ::debug::{message} @@ -382,7 +382,7 @@ If you want to pass a masked secret between jobs or workflows, you should store #### Setup 1. Set up a secret store to store the secret that you will generate during your workflow. For example, Vault. -1. Generate a key for reading and writing to that secret store. Store the key as a repository secret. In the following example workflow, the secret name is `SECRET_STORE_CREDENTIALS`. For more information, see "[AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions)." +1. Generate a key for reading and writing to that secret store. Store the key as a repository secret. In the following example workflow, the secret name is `SECRET_STORE_CREDENTIALS`. For more information, see [AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions). #### Workflow @@ -531,7 +531,7 @@ jobs: You can create environment variables for sharing with your workflow's `pre:` or `post:` actions by writing to the file located at `GITHUB_STATE`. For example, you can create a file with the `pre:` action, pass the file location to the `main:` action, and then use the `post:` action to delete the file. Alternatively, you could create a file with the `main:` action, pass the file location to the `post:` action, and also use the `post:` action to delete the file. -If you have multiple `pre:` or `post:` actions, you can only access the saved value in the action where it was written to `GITHUB_STATE`. For more information on the `post:` action, see "[AUTOTITLE](/actions/creating-actions/metadata-syntax-for-github-actions#runspost)." +If you have multiple `pre:` or `post:` actions, you can only access the saved value in the action where it was written to `GITHUB_STATE`. For more information on the `post:` action, see [AUTOTITLE](/actions/creating-actions/metadata-syntax-for-github-actions#runspost). The `GITHUB_STATE` file is only available within an action. The saved value is stored as an environment value with the `STATE_` prefix. @@ -554,7 +554,7 @@ console.log("The running PID from the main action is: " + process.env.STATE_proc ## Environment files -During the execution of a workflow, the runner generates temporary files that can be used to perform certain actions. The path to these files can be accessed and edited using GitHub's default environment variables. See "[AUTOTITLE](/actions/learn-github-actions/variables#default-environment-variables)." You will need to use UTF-8 encoding when writing to these files to ensure proper processing of the commands. Multiple commands can be written to the same file, separated by newlines. +During the execution of a workflow, the runner generates temporary files that can be used to perform certain actions. The path to these files can be accessed and edited using GitHub's default environment variables. See [AUTOTITLE](/actions/learn-github-actions/variables#default-environment-variables). You will need to use UTF-8 encoding when writing to these files to ensure proper processing of the commands. Multiple commands can be written to the same file, separated by newlines. To use environment variables in a GitHub Action, you create or modify `.env` files using specific GitHub Actions commands. Here's how: @@ -647,7 +647,7 @@ echo "{environment_variable_name}={value}" >> "$GITHUB_ENV" You can make an environment variable available to any subsequent steps in a workflow job by defining or updating the environment variable and writing this to the `GITHUB_ENV` environment file. The step that creates or updates the environment variable does not have access to the new value, but all subsequent steps in a job will have access. -{% data reusables.actions.environment-variables-are-fixed %} For more information about the default environment variables, see "[AUTOTITLE](/actions/learn-github-actions/environment-variables#default-environment-variables)." +{% data reusables.actions.environment-variables-are-fixed %} For more information about the default environment variables, see [AUTOTITLE](/actions/learn-github-actions/environment-variables#default-environment-variables). {% ifversion github-env-node-options %} @@ -741,7 +741,7 @@ steps: ## Setting an output parameter -Sets a step's output parameter. Note that the step will need an `id` to be defined to later retrieve the output value. You can set multi-line output values with the same technique used in the "[Multiline strings](/actions/using-workflows/workflow-commands-for-github-actions#multiline-strings)" section to define multi-line environment variables. +Sets a step's output parameter. Note that the step will need an `id` to be defined to later retrieve the output value. You can set multi-line output values with the same technique used in the [Multiline strings](/actions/using-workflows/workflow-commands-for-github-actions#multiline-strings) section to define multi-line environment variables. {% bash %} @@ -814,7 +814,7 @@ echo "{markdown content}" >> $GITHUB_STEP_SUMMARY You can set some custom Markdown for each job so that it will be displayed on the summary page of a workflow run. You can use job summaries to display and group unique content, such as test result summaries, so that someone viewing the result of a workflow run doesn't need to go into the logs to see important information related to the run, such as failures. -Job summaries support [{% data variables.product.prodname_dotcom %} flavored Markdown](https://github.github.com/gfm/), and you can add your Markdown content for a step to the `GITHUB_STEP_SUMMARY` environment file. `GITHUB_STEP_SUMMARY` is unique for each step in a job. For more information about the per-step file that `GITHUB_STEP_SUMMARY` references, see "[Environment files](#environment-files)." +Job summaries support [{% data variables.product.prodname_dotcom %} flavored Markdown](https://github.github.com/gfm/), and you can add your Markdown content for a step to the `GITHUB_STEP_SUMMARY` environment file. `GITHUB_STEP_SUMMARY` is unique for each step in a job. For more information about the per-step file that `GITHUB_STEP_SUMMARY` references, see [Environment files](#environment-files). When a job finishes, the summaries for all steps in a job are grouped together into a single job summary and are shown on the workflow run summary page. If multiple jobs generate summaries, the job summaries are ordered by job completion time. @@ -928,7 +928,7 @@ To completely remove a summary for the current step, the file that `GITHUB_STEP_ {% endpowershell %} -After a step has completed, job summaries are uploaded and subsequent steps cannot modify previously uploaded Markdown content. Summaries automatically mask any secrets that might have been added accidentally. If a job summary contains sensitive information that must be deleted, you can delete the entire workflow run to remove all its job summaries. For more information see "[AUTOTITLE](/actions/managing-workflow-runs/deleting-a-workflow-run)." +After a step has completed, job summaries are uploaded and subsequent steps cannot modify previously uploaded Markdown content. Summaries automatically mask any secrets that might have been added accidentally. If a job summary contains sensitive information that must be deleted, you can delete the entire workflow run to remove all its job summaries. For more information see [AUTOTITLE](/actions/managing-workflow-runs/deleting-a-workflow-run). ### Step isolation and limits diff --git a/content/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows.md b/content/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows.md index d0217a2a17d7..23a054968148 100644 --- a/content/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows.md +++ b/content/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows.md @@ -17,9 +17,9 @@ shortTitle: Events that trigger workflows ## About events that trigger workflows -Workflow triggers are events that cause a workflow to run. For more information about how to use workflow triggers, see "[AUTOTITLE](/actions/using-workflows/triggering-a-workflow)." +Workflow triggers are events that cause a workflow to run. For more information about how to use workflow triggers, see [AUTOTITLE](/actions/using-workflows/triggering-a-workflow). -Some events have multiple activity types. For these events, you can specify which activity types will trigger a workflow run. For more information about what each activity type means, see "[AUTOTITLE](/webhooks-and-events/webhooks/webhook-events-and-payloads)." +Some events have multiple activity types. For these events, you can specify which activity types will trigger a workflow run. For more information about what each activity type means, see [AUTOTITLE](/webhooks-and-events/webhooks/webhook-events-and-payloads). > [!NOTE] > Not all webhook events trigger workflows. @@ -31,11 +31,11 @@ Some events have multiple activity types. For these events, you can specify whic | [`branch_protection_rule`](/webhooks-and-events/webhooks/webhook-events-and-payloads#branch_protection_rule) | - `created`
- `edited`
- `deleted` | Last commit on default branch | Default branch | > [!NOTE] -> {% data reusables.developer-site.multiple_activity_types %} For information about each activity type, see "[AUTOTITLE](/webhooks-and-events/webhooks/webhook-events-and-payloads#branch_protection_rule)." {% data reusables.developer-site.limit_workflow_to_activity_types %} +> {% data reusables.developer-site.multiple_activity_types %} For information about each activity type, see [AUTOTITLE](/webhooks-and-events/webhooks/webhook-events-and-payloads#branch_protection_rule). {% data reusables.developer-site.limit_workflow_to_activity_types %} {% data reusables.actions.branch-requirement %} -Runs your workflow when branch protection rules in the workflow repository are changed. For more information about branch protection rules, see "[AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches)." For information about the branch protection rule APIs, see "[AUTOTITLE](/graphql/reference/objects#branchprotectionrule)" in the GraphQL API documentation or "[AUTOTITLE](/rest/branches)." +Runs your workflow when branch protection rules in the workflow repository are changed. For more information about branch protection rules, see [AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches). For information about the branch protection rule APIs, see [AUTOTITLE](/graphql/reference/objects#branchprotectionrule) in the GraphQL API documentation or [AUTOTITLE](/rest/branches). For example, you can run a workflow when a branch protection rule has been `created` or `deleted`: @@ -52,11 +52,11 @@ on: | [`check_run`](/webhooks-and-events/webhooks/webhook-events-and-payloads#check_run) | - `created`
- `rerequested`
- `completed`
- `requested_action` | Last commit on default branch | Default branch | > [!NOTE] -> {% data reusables.developer-site.multiple_activity_types %} For information about each activity type, see "[AUTOTITLE](/webhooks-and-events/webhooks/webhook-events-and-payloads#check_run)." {% data reusables.developer-site.limit_workflow_to_activity_types %} +> {% data reusables.developer-site.multiple_activity_types %} For information about each activity type, see [AUTOTITLE](/webhooks-and-events/webhooks/webhook-events-and-payloads#check_run). {% data reusables.developer-site.limit_workflow_to_activity_types %} {% data reusables.actions.branch-requirement %} -Runs your workflow when activity related to a check run occurs. A check run is an individual test that is part of a check suite. For information, see "[AUTOTITLE](/rest/guides/using-the-rest-api-to-interact-with-checks)." For information about the check run APIs, see "[AUTOTITLE](/graphql/reference/objects#checkrun)" in the GraphQL API documentation or "[AUTOTITLE](/rest/checks/runs)." +Runs your workflow when activity related to a check run occurs. A check run is an individual test that is part of a check suite. For information, see [AUTOTITLE](/rest/guides/using-the-rest-api-to-interact-with-checks). For information about the check run APIs, see [AUTOTITLE](/graphql/reference/objects#checkrun) in the GraphQL API documentation or [AUTOTITLE](/rest/checks/runs). For example, you can run a workflow when a check run has been `rerequested` or `completed`. @@ -73,14 +73,14 @@ on: | [`check_suite`](/webhooks-and-events/webhooks/webhook-events-and-payloads#check_suite) | - `completed` | Last commit on default branch | Default branch | > [!NOTE] -> {% data reusables.developer-site.multiple_activity_types %} For information about each activity type, see "[AUTOTITLE](/webhooks-and-events/webhooks/webhook-events-and-payloads#check_suite)." Although only the `completed` activity type is supported, specifying the activity type will keep your workflow specific if more activity types are added in the future. {% data reusables.developer-site.limit_workflow_to_activity_types %} +> {% data reusables.developer-site.multiple_activity_types %} For information about each activity type, see [AUTOTITLE](/webhooks-and-events/webhooks/webhook-events-and-payloads#check_suite). Although only the `completed` activity type is supported, specifying the activity type will keep your workflow specific if more activity types are added in the future. {% data reusables.developer-site.limit_workflow_to_activity_types %} {% data reusables.actions.branch-requirement %} > [!NOTE] > To prevent recursive workflows, this event does not trigger workflows if the check suite was created by {% data variables.product.prodname_actions %}. -Runs your workflow when check suite activity occurs. A check suite is a collection of the check runs created for a specific commit. Check suites summarize the status and conclusion of the check runs that are in the suite. For information, see "[AUTOTITLE](/rest/guides/using-the-rest-api-to-interact-with-checks)." For information about the check suite APIs, see "[AUTOTITLE](/graphql/reference/objects#checksuite)" in the GraphQL API documentation or "[AUTOTITLE](/rest/checks/suites)." +Runs your workflow when check suite activity occurs. A check suite is a collection of the check runs created for a specific commit. Check suites summarize the status and conclusion of the check runs that are in the suite. For information, see [AUTOTITLE](/rest/guides/using-the-rest-api-to-interact-with-checks). For information about the check suite APIs, see [AUTOTITLE](/graphql/reference/objects#checksuite) in the GraphQL API documentation or [AUTOTITLE](/rest/checks/suites). For example, you can run a workflow when a check suite has been `completed`. @@ -99,7 +99,7 @@ on: > [!NOTE] > An event will not be created when you create more than three tags at once. -Runs your workflow when someone creates a Git reference (Git branch or tag) in the workflow's repository. For information about the APIs to create a Git reference, see "[AUTOTITLE](/graphql/reference/mutations#createref)" in the GraphQL API documentation or "[AUTOTITLE](/rest/git/refs#create-a-reference)." +Runs your workflow when someone creates a Git reference (Git branch or tag) in the workflow's repository. For information about the APIs to create a Git reference, see [AUTOTITLE](/graphql/reference/mutations#createref) in the GraphQL API documentation or [AUTOTITLE](/rest/git/refs#create-a-reference). For example, you can run a workflow when the `create` event occurs. @@ -119,7 +119,7 @@ on: > [!NOTE] > An event will not be created when you delete more than three tags at once. -Runs your workflow when someone deletes a Git reference (Git branch or tag) in the workflow's repository. For information about the APIs to delete a Git reference, see "[AUTOTITLE](/graphql/reference/mutations#deleteref)" in the GraphQL API documentation or "[AUTOTITLE](/rest/git/refs#delete-a-reference)." +Runs your workflow when someone deletes a Git reference (Git branch or tag) in the workflow's repository. For information about the APIs to delete a Git reference, see [AUTOTITLE](/graphql/reference/mutations#deleteref) in the GraphQL API documentation or [AUTOTITLE](/rest/git/refs#delete-a-reference). For example, you can run a workflow when the `delete` event occurs. @@ -134,7 +134,7 @@ on: | --------------------- | -------------- | ------------ | -------------| | [`deployment`](/webhooks-and-events/webhooks/webhook-events-and-payloads#deployment) | Not applicable | Commit to be deployed | Branch or tag to be deployed (empty if created with a commit SHA)| -Runs your workflow when someone creates a deployment in the workflow's repository. Deployments created with a commit SHA may not have a Git ref. For information about the APIs to create a deployment, see "[AUTOTITLE](/graphql/reference/mutations#createdeployment)" in the GraphQL API documentation or "[AUTOTITLE](/rest/repos#deployments)." +Runs your workflow when someone creates a deployment in the workflow's repository. Deployments created with a commit SHA may not have a Git ref. For information about the APIs to create a deployment, see [AUTOTITLE](/graphql/reference/mutations#createdeployment) in the GraphQL API documentation or [AUTOTITLE](/rest/repos#deployments). For example, you can run a workflow when the `deployment` event occurs. @@ -152,7 +152,7 @@ on: > [!NOTE] > When a deployment status's state is set to `inactive`, a workflow run will not be triggered. -Runs your workflow when a third party provides a deployment status. Deployments created with a commit SHA may not have a Git ref. For information about the APIs to create a deployment status, see "[AUTOTITLE](/graphql/reference/mutations#createdeploymentstatus)" in the GraphQL API documentation or "[AUTOTITLE](/rest/deployments#create-a-deployment-status)." +Runs your workflow when a third party provides a deployment status. Deployments created with a commit SHA may not have a Git ref. For information about the APIs to create a deployment status, see [AUTOTITLE](/graphql/reference/mutations#createdeploymentstatus) in the GraphQL API documentation or [AUTOTITLE](/rest/deployments#create-a-deployment-status). For example, you can run a workflow when the `deployment_status` event occurs. @@ -168,13 +168,13 @@ on: | [`discussion`](/webhooks-and-events/webhooks/webhook-events-and-payloads#discussion) | - `created`
- `edited`
- `deleted`
- `transferred`
- `pinned`
- `unpinned`
- `labeled`
- `unlabeled`
- `locked`
- `unlocked`
- `category_changed`
- `answered`
- `unanswered` | Last commit on default branch | Default branch | > [!NOTE] -> {% data reusables.developer-site.multiple_activity_types %} For information about each activity type, see "[AUTOTITLE](/webhooks-and-events/webhooks/webhook-events-and-payloads#discussion)." {% data reusables.developer-site.limit_workflow_to_activity_types %} +> {% data reusables.developer-site.multiple_activity_types %} For information about each activity type, see [AUTOTITLE](/webhooks-and-events/webhooks/webhook-events-and-payloads#discussion). {% data reusables.developer-site.limit_workflow_to_activity_types %} {% data reusables.actions.branch-requirement %} {% data reusables.webhooks.discussions-webhooks-beta %} -Runs your workflow when a discussion in the workflow's repository is created or modified. For activity related to comments on a discussion, use the [`discussion_comment`](#discussion_comment) event. For more information about discussions, see "[AUTOTITLE](/discussions/collaborating-with-your-community-using-discussions/about-discussions)." For information about the GraphQL API, see "[AUTOTITLE](/graphql/reference/objects#discussion)." +Runs your workflow when a discussion in the workflow's repository is created or modified. For activity related to comments on a discussion, use the [`discussion_comment`](#discussion_comment) event. For more information about discussions, see [AUTOTITLE](/discussions/collaborating-with-your-community-using-discussions/about-discussions). For information about the GraphQL API, see [AUTOTITLE](/graphql/reference/objects#discussion). For example, you can run a workflow when a discussion has been `created`, `edited`, or `answered`. @@ -191,13 +191,13 @@ on: | [`discussion_comment`](/webhooks-and-events/webhooks/webhook-events-and-payloads#discussion_comment) | - `created`
- `edited`
- `deleted`
| Last commit on default branch | Default branch | > [!NOTE] -> {% data reusables.developer-site.multiple_activity_types %} For information about each activity type, see "[AUTOTITLE](/webhooks-and-events/webhooks/webhook-events-and-payloads#discussion_comment)." {% data reusables.developer-site.limit_workflow_to_activity_types %} +> {% data reusables.developer-site.multiple_activity_types %} For information about each activity type, see [AUTOTITLE](/webhooks-and-events/webhooks/webhook-events-and-payloads#discussion_comment). {% data reusables.developer-site.limit_workflow_to_activity_types %} {% data reusables.actions.branch-requirement %} {% data reusables.webhooks.discussions-webhooks-beta %} -Runs your workflow when a comment on a discussion in the workflow's repository is created or modified. For activity related to a discussion as opposed to comments on the discussion, use the [`discussion`](#discussion) event. For more information about discussions, see "[AUTOTITLE](/discussions/collaborating-with-your-community-using-discussions/about-discussions)." For information about the GraphQL API, see "[AUTOTITLE](/graphql/reference/objects#discussion)." +Runs your workflow when a comment on a discussion in the workflow's repository is created or modified. For activity related to a discussion as opposed to comments on the discussion, use the [`discussion`](#discussion) event. For more information about discussions, see [AUTOTITLE](/discussions/collaborating-with-your-community-using-discussions/about-discussions). For information about the GraphQL API, see [AUTOTITLE](/graphql/reference/objects#discussion). For example, you can run a workflow when a discussion comment has been `created` or `deleted`. @@ -215,7 +215,7 @@ on: {% data reusables.actions.branch-requirement %} -Runs your workflow when someone forks a repository. For information about the REST API, see "[AUTOTITLE](/rest/repos/forks#create-a-fork)." +Runs your workflow when someone forks a repository. For information about the REST API, see [AUTOTITLE](/rest/repos/forks#create-a-fork). For example, you can run a workflow when the `fork` event occurs. @@ -232,7 +232,7 @@ on: {% data reusables.actions.branch-requirement %} -Runs your workflow when someone creates or updates a Wiki page. For more information, see "[AUTOTITLE](/communities/documenting-your-project-with-wikis/about-wikis)." +Runs your workflow when someone creates or updates a Wiki page. For more information, see [AUTOTITLE](/communities/documenting-your-project-with-wikis/about-wikis). For example, you can run a workflow when the `gollum` event occurs. @@ -248,11 +248,11 @@ on: | [`issue_comment`](/webhooks-and-events/webhooks/webhook-events-and-payloads#issue_comment) | - `created`
- `edited`
- `deleted`
| Last commit on default branch | Default branch | > [!NOTE] -> {% data reusables.developer-site.multiple_activity_types %} For information about each activity type, see "[AUTOTITLE](/webhooks-and-events/webhooks/webhook-events-and-payloads#issue_comment)." {% data reusables.developer-site.limit_workflow_to_activity_types %} +> {% data reusables.developer-site.multiple_activity_types %} For information about each activity type, see [AUTOTITLE](/webhooks-and-events/webhooks/webhook-events-and-payloads#issue_comment). {% data reusables.developer-site.limit_workflow_to_activity_types %} {% data reusables.actions.branch-requirement %} -Runs your workflow when an issue or pull request comment is created, edited, or deleted. For information about the issue comment APIs, see "[AUTOTITLE](/graphql/reference/objects#issuecomment)" in the GraphQL API documentation or "[AUTOTITLE](/webhooks-and-events/webhooks/webhook-events-and-payloads#issue_comment)" in the REST API documentation. +Runs your workflow when an issue or pull request comment is created, edited, or deleted. For information about the issue comment APIs, see [AUTOTITLE](/graphql/reference/objects#issuecomment) in the GraphQL API documentation or [AUTOTITLE](/webhooks-and-events/webhooks/webhook-events-and-payloads#issue_comment) in the REST API documentation. For example, you can run a workflow when an issue or pull request comment has been `created` or `deleted`. @@ -302,11 +302,11 @@ jobs: | [`issues`](/webhooks-and-events/webhooks/webhook-events-and-payloads#issues) | - `opened`
- `edited`
- `deleted`
- `transferred`
- `pinned`
- `unpinned`
- `closed`
- `reopened`
- `assigned`
- `unassigned`
- `labeled`
- `unlabeled`
- `locked`
- `unlocked`
- `milestoned`
- `demilestoned` | Last commit on default branch | Default branch | > [!NOTE] -> {% data reusables.developer-site.multiple_activity_types %} For information about each activity type, see "[AUTOTITLE](/webhooks-and-events/webhooks/webhook-events-and-payloads#issues)." {% data reusables.developer-site.limit_workflow_to_activity_types %} +> {% data reusables.developer-site.multiple_activity_types %} For information about each activity type, see [AUTOTITLE](/webhooks-and-events/webhooks/webhook-events-and-payloads#issues). {% data reusables.developer-site.limit_workflow_to_activity_types %} {% data reusables.actions.branch-requirement %} -Runs your workflow when an issue in the workflow's repository is created or modified. For activity related to comments in an issue, use the [`issue_comment`](#issue_comment) event. For more information about issues, see "[AUTOTITLE](/issues/tracking-your-work-with-issues/about-issues)." For information about the issue APIs, see "[AUTOTITLE](/graphql/reference/objects#issue)" in the GraphQL API documentation or "[AUTOTITLE](/rest/issues)." +Runs your workflow when an issue in the workflow's repository is created or modified. For activity related to comments in an issue, use the [`issue_comment`](#issue_comment) event. For more information about issues, see [AUTOTITLE](/issues/tracking-your-work-with-issues/about-issues). For information about the issue APIs, see [AUTOTITLE](/graphql/reference/objects#issue) in the GraphQL API documentation or [AUTOTITLE](/rest/issues). For example, you can run a workflow when an issue has been `opened`, `edited`, or `milestoned`. @@ -323,11 +323,11 @@ on: | [`label`](/webhooks-and-events/webhooks/webhook-events-and-payloads#label) | - `created`
- `edited`
- `deleted`
| Last commit on default branch | Default branch | > [!NOTE] -> {% data reusables.developer-site.multiple_activity_types %} For information about each activity type, see "[AUTOTITLE](/webhooks-and-events/webhooks/webhook-events-and-payloads#label)." {% data reusables.developer-site.limit_workflow_to_activity_types %} +> {% data reusables.developer-site.multiple_activity_types %} For information about each activity type, see [AUTOTITLE](/webhooks-and-events/webhooks/webhook-events-and-payloads#label). {% data reusables.developer-site.limit_workflow_to_activity_types %} {% data reusables.actions.branch-requirement %} -Runs your workflow when a label in your workflow's repository is created or modified. For more information about labels, see "[AUTOTITLE](/issues/using-labels-and-milestones-to-track-work/managing-labels)." For information about the label APIs, see "[AUTOTITLE](/graphql/reference/objects#label)" in the GraphQL API documentation or "[AUTOTITLE](/rest/issues/labels)." +Runs your workflow when a label in your workflow's repository is created or modified. For more information about labels, see [AUTOTITLE](/issues/using-labels-and-milestones-to-track-work/managing-labels). For information about the label APIs, see [AUTOTITLE](/graphql/reference/objects#label) in the GraphQL API documentation or [AUTOTITLE](/rest/issues/labels). If you want to run your workflow when a label is added to or removed from an issue, pull request, or discussion, use the `labeled` or `unlabeled` activity types for the [`issues`](#issues), [`pull_request`](#pull_request), [`pull_request_target`](#pull_request_target), or [`discussion`](#discussion) events instead. @@ -348,10 +348,10 @@ on: | [`merge_group`](/webhooks-and-events/webhooks/webhook-events-and-payloads#merge_group) | `checks_requested` | SHA of the merge group | Ref of the merge group | > [!NOTE] -> * {% data reusables.developer-site.multiple_activity_types %} Although only the `checks_requested` activity type is supported, specifying the activity type will keep your workflow specific if more activity types are added in the future. For information about each activity type, see "[AUTOTITLE](/webhooks-and-events/webhooks/webhook-events-and-payloads#merge_group)." {% data reusables.developer-site.limit_workflow_to_activity_types %} +> * {% data reusables.developer-site.multiple_activity_types %} Although only the `checks_requested` activity type is supported, specifying the activity type will keep your workflow specific if more activity types are added in the future. For information about each activity type, see [AUTOTITLE](/webhooks-and-events/webhooks/webhook-events-and-payloads#merge_group). {% data reusables.developer-site.limit_workflow_to_activity_types %} > * {% data reusables.actions.merge-group-event-with-required-checks %} -Runs your workflow when a pull request is added to a merge queue, which adds the pull request to a merge group. For more information see "[AUTOTITLE](/pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/merging-a-pull-request-with-a-merge-queue)". +Runs your workflow when a pull request is added to a merge queue, which adds the pull request to a merge group. For more information see [AUTOTITLE](/pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/merging-a-pull-request-with-a-merge-queue). For example, you can run a workflow when the `checks_requested` activity has occurred. @@ -372,11 +372,11 @@ on: | [`milestone`](/webhooks-and-events/webhooks/webhook-events-and-payloads#milestone) | - `created`
- `closed`
- `opened`
- `edited`
- `deleted`
| Last commit on default branch | Default branch | > [!NOTE] -> {% data reusables.developer-site.multiple_activity_types %} For information about each activity type, see "[AUTOTITLE](/webhooks-and-events/webhooks/webhook-events-and-payloads#milestone)." {% data reusables.developer-site.limit_workflow_to_activity_types %} +> {% data reusables.developer-site.multiple_activity_types %} For information about each activity type, see [AUTOTITLE](/webhooks-and-events/webhooks/webhook-events-and-payloads#milestone). {% data reusables.developer-site.limit_workflow_to_activity_types %} {% data reusables.actions.branch-requirement %} -Runs your workflow when a milestone in the workflow's repository is created or modified. For more information about milestones, see "[AUTOTITLE](/issues/using-labels-and-milestones-to-track-work/about-milestones)." For information about the milestone APIs, see "[AUTOTITLE](/graphql/reference/objects#milestone)" in the GraphQL API documentation or "[AUTOTITLE](/rest/issues/milestones)." +Runs your workflow when a milestone in the workflow's repository is created or modified. For more information about milestones, see [AUTOTITLE](/issues/using-labels-and-milestones-to-track-work/about-milestones). For information about the milestone APIs, see [AUTOTITLE](/graphql/reference/objects#milestone) in the GraphQL API documentation or [AUTOTITLE](/rest/issues/milestones). If you want to run your workflow when an issue is added to or removed from a milestone, use the `milestoned` or `demilestoned` activity types for the [`issues`](#issues) event instead. @@ -396,7 +396,7 @@ on: {% data reusables.actions.branch-requirement %} -Runs your workflow when someone pushes to a branch that is the publishing source for {% data variables.product.prodname_pages %}, if {% data variables.product.prodname_pages %} is enabled for the repository. For more information about {% data variables.product.prodname_pages %} publishing sources, see "[AUTOTITLE](/pages/getting-started-with-github-pages/configuring-a-publishing-source-for-your-github-pages-site)." For information about the REST API, see "[AUTOTITLE](/rest/repos#pages)." +Runs your workflow when someone pushes to a branch that is the publishing source for {% data variables.product.prodname_pages %}, if {% data variables.product.prodname_pages %} is enabled for the repository. For more information about {% data variables.product.prodname_pages %} publishing sources, see [AUTOTITLE](/pages/getting-started-with-github-pages/configuring-a-publishing-source-for-your-github-pages-site). For information about the REST API, see [AUTOTITLE](/rest/repos#pages). For example, you can run a workflow when the `page_build` event occurs. @@ -414,7 +414,7 @@ on: | [`project`](/webhooks-and-events/webhooks/webhook-events-and-payloads#project) | - `created`
- `closed`
- `reopened`
- `edited`
- `deleted`
| Last commit on default branch | Default branch | > [!NOTE] -> {% data reusables.developer-site.multiple_activity_types %} The `edited` activity type refers to when a {% data variables.projects.projects_v1_board %}, not a column or card on the {% data variables.projects.projects_v1_board %}, is edited. For information about each activity type, see "[AUTOTITLE](/webhooks-and-events/webhooks/webhook-events-and-payloads#project)." {% data reusables.developer-site.limit_workflow_to_activity_types %} +> {% data reusables.developer-site.multiple_activity_types %} The `edited` activity type refers to when a {% data variables.projects.projects_v1_board %}, not a column or card on the {% data variables.projects.projects_v1_board %}, is edited. For information about each activity type, see [AUTOTITLE](/webhooks-and-events/webhooks/webhook-events-and-payloads#project). {% data reusables.developer-site.limit_workflow_to_activity_types %} {% data reusables.actions.branch-requirement %} @@ -428,7 +428,7 @@ on: {% endif %} -Runs your workflow when a {% data variables.projects.projects_v1_board %} is created or modified. For activity related to cards or columns in a {% data variables.projects.projects_v1_board %}, use the [`project_card`](#project_card) or [`project_column`](#project_column) events instead. For more information about {% data variables.projects.projects_v1_boards %}, see "[AUTOTITLE](/issues/organizing-your-work-with-project-boards/managing-project-boards/about-project-boards)." For information about the {% data variables.projects.projects_v1_board %} APIs, see "[AUTOTITLE](/graphql/reference/objects#project)" in the GraphQL API documentation or "[AUTOTITLE](/rest/projects)." +Runs your workflow when a {% data variables.projects.projects_v1_board %} is created or modified. For activity related to cards or columns in a {% data variables.projects.projects_v1_board %}, use the [`project_card`](#project_card) or [`project_column`](#project_column) events instead. For more information about {% data variables.projects.projects_v1_boards %}, see [AUTOTITLE](/issues/organizing-your-work-with-project-boards/managing-project-boards/about-project-boards). For information about the {% data variables.projects.projects_v1_board %} APIs, see [AUTOTITLE](/graphql/reference/objects#project) in the GraphQL API documentation or [AUTOTITLE](/rest/projects). For example, you can run a workflow when a project has been `created` or `deleted`. @@ -445,7 +445,7 @@ on: | [`project_card`](/webhooks-and-events/webhooks/webhook-events-and-payloads#project_card) | - `created`
- `moved`
- `converted` to an issue
- `edited`
- `deleted` | Last commit on default branch | Default branch | > [!NOTE] -> {% data reusables.developer-site.multiple_activity_types %} For information about each activity type, see "[AUTOTITLE](/webhooks-and-events/webhooks/webhook-events-and-payloads#project_card)." {% data reusables.developer-site.limit_workflow_to_activity_types %} +> {% data reusables.developer-site.multiple_activity_types %} For information about each activity type, see [AUTOTITLE](/webhooks-and-events/webhooks/webhook-events-and-payloads#project_card). {% data reusables.developer-site.limit_workflow_to_activity_types %} {% data reusables.actions.branch-requirement %} @@ -459,7 +459,7 @@ on: {% endif %} -Runs your workflow when a card on a {% data variables.projects.projects_v1_board %} is created or modified. For activity related to {% data variables.projects.projects_v1_boards %} or columns in a {% data variables.projects.projects_v1_board %}, use the [`project`](#project) or [`project_column`](#project_column) event instead. For more information about {% data variables.projects.projects_v1_boards %}, see "[AUTOTITLE](/issues/organizing-your-work-with-project-boards/managing-project-boards/about-project-boards)." For information about the project card APIs, see "[AUTOTITLE](/graphql/reference/objects#projectcard)" in the GraphQL API documentation or "[AUTOTITLE](/rest/projects/cards)." +Runs your workflow when a card on a {% data variables.projects.projects_v1_board %} is created or modified. For activity related to {% data variables.projects.projects_v1_boards %} or columns in a {% data variables.projects.projects_v1_board %}, use the [`project`](#project) or [`project_column`](#project_column) event instead. For more information about {% data variables.projects.projects_v1_boards %}, see [AUTOTITLE](/issues/organizing-your-work-with-project-boards/managing-project-boards/about-project-boards). For information about the project card APIs, see [AUTOTITLE](/graphql/reference/objects#projectcard) in the GraphQL API documentation or [AUTOTITLE](/rest/projects/cards). For example, you can run a workflow when a project card has been `created` or `deleted`. @@ -476,7 +476,7 @@ on: | [`project_column`](/webhooks-and-events/webhooks/webhook-events-and-payloads#project_column) | - `created`
- `updated`
- `moved`
- `deleted` | Last commit on default branch | Default branch | > [!NOTE] -> {% data reusables.developer-site.multiple_activity_types %} For information about each activity type, see "[AUTOTITLE](/webhooks-and-events/webhooks/webhook-events-and-payloads#project_column)." {% data reusables.developer-site.limit_workflow_to_activity_types %} +> {% data reusables.developer-site.multiple_activity_types %} For information about each activity type, see [AUTOTITLE](/webhooks-and-events/webhooks/webhook-events-and-payloads#project_column). {% data reusables.developer-site.limit_workflow_to_activity_types %} {% data reusables.actions.branch-requirement %} @@ -490,7 +490,7 @@ on: {% endif %} -Runs your workflow when a column on a {% data variables.projects.projects_v1_board %} is created or modified. For activity related to {% data variables.projects.projects_v1_boards %} or cards in a {% data variables.projects.projects_v1_board %}, use the [`project`](#project) or [`project_card`](#project_card) event instead. For more information about {% data variables.projects.projects_v1_boards %}, see "[AUTOTITLE](/issues/organizing-your-work-with-project-boards/managing-project-boards/about-project-boards)." For information about the project column APIs, see "[AUTOTITLE](/graphql/reference/objects#projectcolumn)" in the GraphQL API documentation or "[AUTOTITLE](/rest/projects#columns)." +Runs your workflow when a column on a {% data variables.projects.projects_v1_board %} is created or modified. For activity related to {% data variables.projects.projects_v1_boards %} or cards in a {% data variables.projects.projects_v1_board %}, use the [`project`](#project) or [`project_card`](#project_card) event instead. For more information about {% data variables.projects.projects_v1_boards %}, see [AUTOTITLE](/issues/organizing-your-work-with-project-boards/managing-project-boards/about-project-boards). For information about the project column APIs, see [AUTOTITLE](/graphql/reference/objects#projectcolumn) in the GraphQL API documentation or [AUTOTITLE](/rest/projects#columns). For example, you can run a workflow when a project column has been `created` or `deleted`. @@ -510,7 +510,7 @@ on: {% data reusables.actions.branch-requirement %} -Runs your workflow when your workflow's repository changes from private to public. For information about the REST API, see "[AUTOTITLE](/rest/repos#edit)." +Runs your workflow when your workflow's repository changes from private to public. For information about the REST API, see [AUTOTITLE](/rest/repos#edit). For example, you can run a workflow when the `public` event occurs. @@ -526,13 +526,13 @@ on: | [`pull_request`](/webhooks-and-events/webhooks/webhook-events-and-payloads#pull_request) | - `assigned`
- `unassigned`
- `labeled`
- `unlabeled`
- `opened`
- `edited`
- `closed`
- `reopened`
- `synchronize`
- `converted_to_draft`
- `locked`
- `unlocked`
{% ifversion fpt or ghec %}- `enqueued`
- `dequeued`
{% endif %}- `milestoned`
- `demilestoned`
- `ready_for_review`
- `review_requested`
- `review_request_removed`
- `auto_merge_enabled`
- `auto_merge_disabled` | Last merge commit on the `GITHUB_REF` branch | PR merge branch `refs/pull/PULL_REQUEST_NUMBER/merge` | > [!NOTE] -> * {% data reusables.developer-site.multiple_activity_types %} For information about each activity type, see "[AUTOTITLE](/webhooks-and-events/webhooks/webhook-events-and-payloads#pull_request)." By default, a workflow only runs when a `pull_request` event's activity type is `opened`, `synchronize`, or `reopened`. To trigger workflows by different activity types, use the `types` keyword. For more information, see "[AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#onevent_nametypes)." +> * {% data reusables.developer-site.multiple_activity_types %} For information about each activity type, see [AUTOTITLE](/webhooks-and-events/webhooks/webhook-events-and-payloads#pull_request). By default, a workflow only runs when a `pull_request` event's activity type is `opened`, `synchronize`, or `reopened`. To trigger workflows by different activity types, use the `types` keyword. For more information, see [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#onevent_nametypes). > * Workflows will not run on `pull_request` activity if the pull request has a merge conflict. The merge conflict must be resolved first. > Conversely, workflows with the `pull_request_target` event will run even if the pull request has a merge conflict. Before using the `pull_request_target` trigger, you should be aware of the security risks. For more information, see [`pull_request_target`](#pull_request_target). > * The `pull_request` webhook event payload is empty for merged pull requests and pull requests that come from forked repositories. > * The value of `GITHUB_REF` varies for a closed pull request depending on whether the pull request has been merged or not. If a pull request was closed but not merged, it will be `refs/pull/PULL_REQUEST_NUMBER/merge`. If a pull request was closed as a result of being merged, it will be the fully qualified `ref` of the branch it was merged into, for example `/refs/heads/main`. -Runs your workflow when activity on a pull request in the workflow's repository occurs. For example, if no activity types are specified, the workflow runs when a pull request is opened or reopened or when the head branch of the pull request is updated. For activity related to pull request reviews, pull request review comments, or pull request comments, use the [`pull_request_review`](#pull_request_review), [`pull_request_review_comment`](#pull_request_review_comment), or [`issue_comment`](#issue_comment) events instead. For information about the pull request APIs, see "[AUTOTITLE](/graphql/reference/objects#pullrequest)" in the GraphQL API documentation or "[AUTOTITLE](/rest/pulls)." +Runs your workflow when activity on a pull request in the workflow's repository occurs. For example, if no activity types are specified, the workflow runs when a pull request is opened or reopened or when the head branch of the pull request is updated. For activity related to pull request reviews, pull request review comments, or pull request comments, use the [`pull_request_review`](#pull_request_review), [`pull_request_review_comment`](#pull_request_review_comment), or [`issue_comment`](#issue_comment) events instead. For information about the pull request APIs, see [AUTOTITLE](/graphql/reference/objects#pullrequest) in the GraphQL API documentation or [AUTOTITLE](/rest/pulls). Note that `GITHUB_SHA` for this event is the last merge commit of the pull request merge branch. If you want to get the commit ID for the last commit to the head branch of the pull request, use `github.event.pull_request.head.sha` instead. @@ -560,7 +560,7 @@ jobs: ### Running your `pull_request` workflow based on the head or base branch of a pull request -You can use the `branches` or `branches-ignore` filter to configure your workflow to only run on pull requests that target specific branches. For more information, see "[AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#onpull_requestpull_request_targetbranchesbranches-ignore)." +You can use the `branches` or `branches-ignore` filter to configure your workflow to only run on pull requests that target specific branches. For more information, see [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#onpull_requestpull_request_targetbranchesbranches-ignore). For example, this workflow will run when someone opens a pull request that targets a branch whose name starts with `releases/`: @@ -604,7 +604,7 @@ jobs: ### Running your `pull_request` workflow based on files changed in a pull request -You can also configure your workflow to run when a pull request changes specific files. For more information, see "[AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#onpushpull_requestpull_request_targetpathspaths-ignore)." +You can also configure your workflow to run when a pull request changes specific files. For more information, see [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#onpushpull_requestpull_request_targetpathspaths-ignore). For example, this workflow will run when a pull request includes a change to a JavaScript file (`.js`): @@ -661,9 +661,9 @@ To run your workflow when a comment on a pull request (not on a pull request's d | [`pull_request_review`](/webhooks-and-events/webhooks/webhook-events-and-payloads#pull_request_review) | - `submitted`
- `edited`
- `dismissed` | Last merge commit on the `GITHUB_REF` branch | PR merge branch `refs/pull/PULL_REQUEST_NUMBER/merge` | > [!NOTE] -> {% data reusables.developer-site.multiple_activity_types %} For information about each activity type, see "[AUTOTITLE](/webhooks-and-events/webhooks/webhook-events-and-payloads#pull_request_review)." {% data reusables.developer-site.limit_workflow_to_activity_types %} +> {% data reusables.developer-site.multiple_activity_types %} For information about each activity type, see [AUTOTITLE](/webhooks-and-events/webhooks/webhook-events-and-payloads#pull_request_review). {% data reusables.developer-site.limit_workflow_to_activity_types %} -Runs your workflow when a pull request review is submitted, edited, or dismissed. A pull request review is a group of pull request review comments in addition to a body comment and a state. For activity related to pull request review comments or pull request comments, use the [`pull_request_review_comment`](#pull_request_review_comment) or [`issue_comment`](#issue_comment) events instead. For information about the pull request review APIs, see "[AUTOTITLE](/graphql/reference/objects#pullrequest)" in the GraphQL API documentation or "[AUTOTITLE](/rest/pulls#reviews)." +Runs your workflow when a pull request review is submitted, edited, or dismissed. A pull request review is a group of pull request review comments in addition to a body comment and a state. For activity related to pull request review comments or pull request comments, use the [`pull_request_review_comment`](#pull_request_review_comment) or [`issue_comment`](#issue_comment) events instead. For information about the pull request review APIs, see [AUTOTITLE](/graphql/reference/objects#pullrequest) in the GraphQL API documentation or [AUTOTITLE](/rest/pulls#reviews). For example, you can run a workflow when a pull request review has been `edited` or `dismissed`. @@ -699,9 +699,9 @@ jobs: | [`pull_request_review_comment`](/webhooks-and-events/webhooks/webhook-events-and-payloads#pull_request_review_comment) | - `created`
- `edited`
- `deleted`| Last merge commit on the `GITHUB_REF` branch | PR merge branch `refs/pull/PULL_REQUEST_NUMBER/merge` | > [!NOTE] -> {% data reusables.developer-site.multiple_activity_types %} For information about each activity type, see "[AUTOTITLE](/webhooks-and-events/webhooks/webhook-events-and-payloads#pull_request_review_comment)." {% data reusables.developer-site.limit_workflow_to_activity_types %} +> {% data reusables.developer-site.multiple_activity_types %} For information about each activity type, see [AUTOTITLE](/webhooks-and-events/webhooks/webhook-events-and-payloads#pull_request_review_comment). {% data reusables.developer-site.limit_workflow_to_activity_types %} -Runs your workflow when a pull request review comment is modified. A pull request review comment is a comment on a pull request's diff. For activity related to pull request reviews or pull request comments, use the [`pull_request_review`](#pull_request_review) or [`issue_comment`](#issue_comment) events instead. For information about the pull request review comment APIs, see "[AUTOTITLE](/graphql/reference/objects#pullrequestreviewcomment)" in the GraphQL API documentation or "[AUTOTITLE](/rest/pulls#comments)." +Runs your workflow when a pull request review comment is modified. A pull request review comment is a comment on a pull request's diff. For activity related to pull request reviews or pull request comments, use the [`pull_request_review`](#pull_request_review) or [`issue_comment`](#issue_comment) events instead. For information about the pull request review comment APIs, see [AUTOTITLE](/graphql/reference/objects#pullrequestreviewcomment) in the GraphQL API documentation or [AUTOTITLE](/rest/pulls#comments). For example, you can run a workflow when a pull request review comment has been `created` or `deleted`. @@ -720,7 +720,7 @@ on: | [`pull_request`](/webhooks-and-events/webhooks/webhook-events-and-payloads#pull_request) | - `assigned`
- `unassigned`
- `labeled`
- `unlabeled`
- `opened`
- `edited`
- `closed`
- `reopened`
- `synchronize`
- `converted_to_draft`
- `ready_for_review`
- `locked`
- `unlocked`
- `review_requested`
- `review_request_removed`
- `auto_merge_enabled`
- `auto_merge_disabled` | Last commit on the PR base branch | PR base branch | > [!NOTE] -> {% data reusables.developer-site.multiple_activity_types %} For information about each activity type, see "[AUTOTITLE](/webhooks-and-events/webhooks/webhook-events-and-payloads#pull_request)." By default, a workflow only runs when a `pull_request_target` event's activity type is `opened`, `synchronize`, or `reopened`. To trigger workflows by different activity types, use the `types` keyword. For more information, see "[AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#onevent_nametypes)." +> {% data reusables.developer-site.multiple_activity_types %} For information about each activity type, see [AUTOTITLE](/webhooks-and-events/webhooks/webhook-events-and-payloads#pull_request). By default, a workflow only runs when a `pull_request_target` event's activity type is `opened`, `synchronize`, or `reopened`. To trigger workflows by different activity types, use the `types` keyword. For more information, see [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#onevent_nametypes). Runs your workflow when activity on a pull request in the workflow's repository occurs. For example, if no activity types are specified, the workflow runs when a pull request is opened or reopened or when the head branch of the pull request is updated. @@ -740,7 +740,7 @@ on: ### Running your `pull_request_target` workflow based on the head or base branch of a pull request -You can use the `branches` or `branches-ignore` filter to configure your workflow to only run on pull requests that target specific branches. For more information, see "[AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#onpull_requestpull_request_targetbranchesbranches-ignore)." +You can use the `branches` or `branches-ignore` filter to configure your workflow to only run on pull requests that target specific branches. For more information, see [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#onpull_requestpull_request_targetbranchesbranches-ignore). For example, this workflow will run when someone opens a pull request that targets a branch whose name starts with `releases/`: @@ -784,7 +784,7 @@ jobs: ### Running your `pull_request_target` workflow based on files changed in a pull request -You can use the `paths` or `paths-ignore` filter to configure your workflow to run when a pull request changes specific files. For more information, see "[AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#onpushpull_requestpull_request_targetpathspaths-ignore)." +You can use the `paths` or `paths-ignore` filter to configure your workflow to run when a pull request changes specific files. For more information, see [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#onpushpull_requestpull_request_targetpathspaths-ignore). For example, this workflow will run when a pull request includes a change to a JavaScript file (`.js`): @@ -835,7 +835,7 @@ jobs: | [`push`](/webhooks-and-events/webhooks/webhook-events-and-payloads#push) | Not applicable | Tip commit pushed to the ref. When you delete a branch, the SHA in the workflow run (and its associated refs) reverts to the default branch of the repository. | Updated ref | > [!NOTE] -> The webhook payload available to GitHub Actions does not include the `added`, `removed`, and `modified` attributes in the `commit` object. You can retrieve the full commit object using the API. For information, see "[AUTOTITLE](/graphql/reference/objects#commit)" in the GraphQL API documentation or "[AUTOTITLE](/rest/commits#get-a-commit)." +> The webhook payload available to GitHub Actions does not include the `added`, `removed`, and `modified` attributes in the `commit` object. You can retrieve the full commit object using the API. For information, see [AUTOTITLE](/graphql/reference/objects#commit) in the GraphQL API documentation or [AUTOTITLE](/rest/commits#get-a-commit). > [!NOTE] > {% ifversion fpt or ghec or ghes > 3.14 %}Events will not be created if more than 5,000 branches are pushed at once. {% endif %}Events will not be created for tags when more than three tags are pushed at once. @@ -854,7 +854,7 @@ on: ### Running your workflow only when a push to specific branches occurs -You can use the `branches` or `branches-ignore` filter to configure your workflow to only run when specific branches are pushed. For more information, see "[AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#onpushbranchestagsbranches-ignoretags-ignore)." +You can use the `branches` or `branches-ignore` filter to configure your workflow to only run when specific branches are pushed. For more information, see [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#onpushbranchestagsbranches-ignoretags-ignore). For example, this workflow will run when someone pushes to `main` or to a branch that starts with `releases/`. @@ -880,7 +880,7 @@ on: ### Running your workflow only when a push of specific tags occurs -You can use the `tags` or `tags-ignore` filter to configure your workflow to only run when specific tags are pushed. For more information, see "[AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#onpushbranchestagsbranches-ignoretags-ignore)." +You can use the `tags` or `tags-ignore` filter to configure your workflow to only run when specific tags are pushed. For more information, see [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#onpushbranchestagsbranches-ignoretags-ignore). For example, this workflow will run when someone pushes a tag that starts with `v1.`. @@ -893,7 +893,7 @@ on: ### Running your workflow only when a push affects specific files -You can use the `paths` or `paths-ignore` filter to configure your workflow to run when a push to specific files occurs. For more information, see "[AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#onpushpull_requestpull_request_targetpathspaths-ignore)." +You can use the `paths` or `paths-ignore` filter to configure your workflow to run when a push to specific files occurs. For more information, see [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#onpushpull_requestpull_request_targetpathspaths-ignore). For example, this workflow will run when someone pushes a change to a JavaScript file (`.js`): @@ -923,7 +923,7 @@ on: | [`registry_package`](/webhooks-and-events/webhooks/webhook-events-and-payloads#package) | - `published`
- `updated` | Commit of the published package | Branch or tag of the published package | > [!NOTE] -> {% data reusables.developer-site.multiple_activity_types %} For information about each activity type, see "[AUTOTITLE](/webhooks-and-events/webhooks/webhook-events-and-payloads#registry_package)." {% data reusables.developer-site.limit_workflow_to_activity_types %} +> {% data reusables.developer-site.multiple_activity_types %} For information about each activity type, see [AUTOTITLE](/webhooks-and-events/webhooks/webhook-events-and-payloads#registry_package). {% data reusables.developer-site.limit_workflow_to_activity_types %} {% data reusables.actions.branch-requirement %} @@ -936,7 +936,7 @@ on: > if: ${{ github.event.registry_package.package_version.container_metadata.tag.name != '' }} > ``` -Runs your workflow when activity related to {% data variables.product.prodname_registry %} occurs in your repository. For more information, see "[{% data variables.product.prodname_registry %} Documentation](/packages)." +Runs your workflow when activity related to {% data variables.product.prodname_registry %} occurs in your repository. For more information, see [{% data variables.product.prodname_registry %} Documentation](/packages). For example, you can run a workflow when a new package version has been `published`. @@ -953,7 +953,7 @@ on: | [`release`](/webhooks-and-events/webhooks/webhook-events-and-payloads#release) | - `published`
- `unpublished`
- `created`
- `edited`
- `deleted`
- `prereleased`
- `released` | Last commit in the tagged release | Tag ref of release `refs/tags/` | > [!NOTE] -> {% data reusables.developer-site.multiple_activity_types %} For information about each activity type, see "[AUTOTITLE](/webhooks-and-events/webhooks/webhook-events-and-payloads#release)." {% data reusables.developer-site.limit_workflow_to_activity_types %} +> {% data reusables.developer-site.multiple_activity_types %} For information about each activity type, see [AUTOTITLE](/webhooks-and-events/webhooks/webhook-events-and-payloads#release). {% data reusables.developer-site.limit_workflow_to_activity_types %} > [!NOTE] > Workflows are not triggered for the `created`, `edited`, or `deleted` activity types for draft releases. When you create your release through the {% data variables.product.product_name %} browser UI, your release may automatically be saved as a draft. @@ -961,7 +961,7 @@ on: > [!NOTE] > The `prereleased` type will not trigger for pre-releases published from draft releases, but the `published` type will trigger. If you want a workflow to run when stable _and_ pre-releases publish, subscribe to `published` instead of `released` and `prereleased`. -Runs your workflow when release activity in your repository occurs. For information about the release APIs, see "[AUTOTITLE](/graphql/reference/objects#release)" in the GraphQL API documentation or "[AUTOTITLE](/rest/releases)" in the REST API documentation. +Runs your workflow when release activity in your repository occurs. For information about the release APIs, see [AUTOTITLE](/graphql/reference/objects#release) in the GraphQL API documentation or [AUTOTITLE](/rest/releases) in the REST API documentation. For example, you can run a workflow when a release has been `published`. @@ -979,7 +979,7 @@ on: {% data reusables.actions.branch-requirement %} -You can use the {% data variables.product.product_name %} API to trigger a webhook event called [`repository_dispatch`](/webhooks-and-events/webhooks/webhook-events-and-payloads#repository_dispatch) when you want to trigger a workflow for activity that happens outside of {% data variables.product.product_name %}. For more information, see "[AUTOTITLE](/rest/repos/repos#create-a-repository-dispatch-event)." +You can use the {% data variables.product.product_name %} API to trigger a webhook event called [`repository_dispatch`](/webhooks-and-events/webhooks/webhook-events-and-payloads#repository_dispatch) when you want to trigger a workflow for activity that happens outside of {% data variables.product.product_name %}. For more information, see [AUTOTITLE](/rest/repos/repos#create-a-repository-dispatch-event). When you make a request to create a `repository_dispatch` event, you must specify an `event_type` to describe the activity type. By default, all `repository_dispatch` activity types trigger a workflow to run. You can use the `types` keyword to limit your workflow to run when a specific `event_type` value is sent in the `repository_dispatch` webhook payload. @@ -1029,13 +1029,13 @@ jobs: | Webhook event payload | Activity types | `GITHUB_SHA` | `GITHUB_REF` | | --------------------- | -------------- | ------------ | -------------| -| Not applicable | Not applicable | Last commit on default branch | Default branch | When the scheduled workflow is set to run. A scheduled workflow uses [POSIX cron syntax](https://pubs.opengroup.org/onlinepubs/9699919799/utilities/crontab.html#tag_20_25_07). For more information, see "[AUTOTITLE](/actions/using-workflows#triggering-a-workflow-with-events)." | +| Not applicable | Not applicable | Last commit on default branch | Default branch | When the scheduled workflow is set to run. A scheduled workflow uses [POSIX cron syntax](https://pubs.opengroup.org/onlinepubs/9699919799/utilities/crontab.html#tag_20_25_07). For more information, see [AUTOTITLE](/actions/using-workflows#triggering-a-workflow-with-events). | > [!NOTE] > * {% data reusables.actions.schedule-delay %} > * This event will only trigger a workflow run if the workflow file is on the default branch. > * Scheduled workflows will only run on the default branch. -> * In a public repository, scheduled workflows are automatically disabled when no repository activity has occurred in 60 days. For information on re-enabling a disabled workflow, see "[AUTOTITLE](/enterprise-server@3.12/actions/using-workflows/disabling-and-enabling-a-workflow#enabling-a-workflow)." +> * In a public repository, scheduled workflows are automatically disabled when no repository activity has occurred in 60 days. For information on re-enabling a disabled workflow, see [AUTOTITLE](/enterprise-server@3.12/actions/using-workflows/disabling-and-enabling-a-workflow#enabling-a-workflow). > * When the last user to commit to the cron schedule of a workflow is removed from the organization, the scheduled workflow will be disabled. If a user with `write` permissions to the repository makes a commit that changes the cron schedule, the scheduled workflow will be reactivated. Note that, in this situation, the workflow is not reactivated by any change to the workflow file; you must alter the `cron` value and commit this change. > > **Example:** @@ -1078,7 +1078,7 @@ You can use these operators in any of the five fields: You can use [crontab guru](https://crontab.guru/) to help generate your cron syntax and confirm what time it will run. To help you get started, there is also a list of [crontab guru examples](https://crontab.guru/examples.html). -Notifications for scheduled workflows are sent to the user who last modified the cron syntax in the workflow file. For more information, see "[AUTOTITLE](/actions/monitoring-and-troubleshooting-workflows/notifications-for-workflow-runs)." +Notifications for scheduled workflows are sent to the user who last modified the cron syntax in the workflow file. For more information, see [AUTOTITLE](/actions/monitoring-and-troubleshooting-workflows/notifications-for-workflow-runs). ## `status` @@ -1088,7 +1088,7 @@ Notifications for scheduled workflows are sent to the user who last modified the {% data reusables.actions.branch-requirement %} -Runs your workflow when the status of a Git commit changes. For example, commits can be marked as `error`, `failure`, `pending`, or `success`. If you want to provide more details about the status change, you may want to use the [`check_run`](#check_run) event. For information about the commit status APIs, see "[AUTOTITLE](/graphql/reference/objects#status)" in the GraphQL API documentation or "[AUTOTITLE](/rest/commits#commit-statuses)." +Runs your workflow when the status of a Git commit changes. For example, commits can be marked as `error`, `failure`, `pending`, or `success`. If you want to provide more details about the status change, you may want to use the [`check_run`](#check_run) event. For information about the commit status APIs, see [AUTOTITLE](/graphql/reference/objects#status) in the GraphQL API documentation or [AUTOTITLE](/rest/commits#commit-statuses). For example, you can run a workflow when the `status` event occurs. @@ -1122,11 +1122,11 @@ jobs: | [`watch`](/webhooks-and-events/webhooks/webhook-events-and-payloads#watch) | - `started` | Last commit on default branch | Default branch | > [!NOTE] -> {% data reusables.developer-site.multiple_activity_types %} Although only the `started` activity type is supported, specifying the activity type will keep your workflow specific if more activity types are added in the future. For information about each activity type, see "[AUTOTITLE](/webhooks-and-events/webhooks/webhook-events-and-payloads#watch)." {% data reusables.developer-site.limit_workflow_to_activity_types %} +> {% data reusables.developer-site.multiple_activity_types %} Although only the `started` activity type is supported, specifying the activity type will keep your workflow specific if more activity types are added in the future. For information about each activity type, see [AUTOTITLE](/webhooks-and-events/webhooks/webhook-events-and-payloads#watch). {% data reusables.developer-site.limit_workflow_to_activity_types %} {% data reusables.actions.branch-requirement %} -Runs your workflow when the workflow's repository is starred. For information about the pull request APIs, see "[AUTOTITLE](/graphql/reference/mutations#addstar)" in the GraphQL API documentation or "[AUTOTITLE](/rest/activity/starring)." +Runs your workflow when the workflow's repository is starred. For information about the pull request APIs, see [AUTOTITLE](/graphql/reference/mutations#addstar) in the GraphQL API documentation or [AUTOTITLE](/rest/activity/starring). For example, you can run a workflow when someone stars a repository, which is the `started` activity type for a watch event. @@ -1142,7 +1142,7 @@ on: | ------------------ | ------------ | ------------ | ------------------| | Same as the caller workflow | Not applicable | Same as the caller workflow | Same as the caller workflow | -`workflow_call` is used to indicate that a workflow can be called by another workflow. When a workflow is triggered with the `workflow_call` event, the event payload in the called workflow is the same event payload from the calling workflow. For more information see, "[AUTOTITLE](/actions/using-workflows/reusing-workflows)." +`workflow_call` is used to indicate that a workflow can be called by another workflow. When a workflow is triggered with the `workflow_call` event, the event payload in the called workflow is the same event payload from the calling workflow. For more information see, [AUTOTITLE](/actions/using-workflows/reusing-workflows). The example below only runs the workflow when it's called from another workflow: @@ -1158,7 +1158,7 @@ on: workflow_call {% data reusables.actions.branch-requirement %} -To enable a workflow to be triggered manually, you need to configure the `workflow_dispatch` event. You can manually trigger a workflow run using the {% data variables.product.product_name %} API, {% data variables.product.prodname_cli %}, or {% data variables.product.product_name %} browser interface. For more information, see "[AUTOTITLE](/actions/managing-workflow-runs/manually-running-a-workflow)." +To enable a workflow to be triggered manually, you need to configure the `workflow_dispatch` event. You can manually trigger a workflow run using the {% data variables.product.product_name %} API, {% data variables.product.prodname_cli %}, or {% data variables.product.product_name %} browser interface. For more information, see [AUTOTITLE](/actions/managing-workflow-runs/manually-running-a-workflow). ```yaml on: workflow_dispatch @@ -1166,7 +1166,7 @@ on: workflow_dispatch ### Providing inputs -You can configure custom-defined input properties, default input values, and required inputs for the event directly in your workflow. When you trigger the event, you can provide the `ref` and any `inputs`. When the workflow runs, you can access the input values in the `inputs` context. For more information, see "[AUTOTITLE](/actions/learn-github-actions/contexts)." +You can configure custom-defined input properties, default input values, and required inputs for the event directly in your workflow. When you trigger the event, you can provide the `ref` and any `inputs`. When the workflow runs, you can access the input values in the `inputs` context. For more information, see [AUTOTITLE](/actions/learn-github-actions/contexts). {% data reusables.actions.inputs-vs-github-event-inputs %} @@ -1218,7 +1218,7 @@ You can also pass inputs when you run a workflow from a script, or by using {% d gh workflow run run-tests.yml -f logLevel=warning -f tags=false -f environment=staging ``` -For more information, see the {% data variables.product.prodname_cli %} information in "[AUTOTITLE](/actions/managing-workflow-runs/manually-running-a-workflow)." +For more information, see the {% data variables.product.prodname_cli %} information in [AUTOTITLE](/actions/managing-workflow-runs/manually-running-a-workflow). ## `workflow_run` @@ -1227,7 +1227,7 @@ For more information, see the {% data variables.product.prodname_cli %} informat | [`workflow_run`](/webhooks-and-events/webhooks/webhook-events-and-payloads#workflow_run) | - `completed`
- `requested`
- `in_progress` | Last commit on default branch | Default branch | > [!NOTE] -> {% data reusables.developer-site.multiple_activity_types %} The `requested` activity type does not occur when a workflow is re-run. For information about each activity type, see "[AUTOTITLE](/webhooks-and-events/webhooks/webhook-events-and-payloads#workflow_run)." {% data reusables.developer-site.limit_workflow_to_activity_types %} +> {% data reusables.developer-site.multiple_activity_types %} The `requested` activity type does not occur when a workflow is re-run. For information about each activity type, see [AUTOTITLE](/webhooks-and-events/webhooks/webhook-events-and-payloads#workflow_run). {% data reusables.developer-site.limit_workflow_to_activity_types %} {% data reusables.actions.branch-requirement %} @@ -1281,7 +1281,7 @@ jobs: ### Limiting your workflow to run based on branches -You can use the `branches` or `branches-ignore` filter to specify what branches the triggering workflow must run on in order to trigger your workflow. For more information, see "[AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#onworkflow_runbranchesbranches-ignore)." For example, a workflow with the following trigger will only run when the workflow named `Build` runs on a branch named `canary`. +You can use the `branches` or `branches-ignore` filter to specify what branches the triggering workflow must run on in order to trigger your workflow. For more information, see [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#onworkflow_runbranchesbranches-ignore). For example, a workflow with the following trigger will only run when the workflow named `Build` runs on a branch named `canary`. ```yaml on: diff --git a/content/actions/writing-workflows/choosing-when-your-workflow-runs/triggering-a-workflow.md b/content/actions/writing-workflows/choosing-when-your-workflow-runs/triggering-a-workflow.md index e85a0b2ba5f5..123087811df9 100644 --- a/content/actions/writing-workflows/choosing-when-your-workflow-runs/triggering-a-workflow.md +++ b/content/actions/writing-workflows/choosing-when-your-workflow-runs/triggering-a-workflow.md @@ -21,7 +21,7 @@ redirect_from: {% data reusables.actions.about-triggers %} -Workflow triggers are defined with the `on` key. For more information, see "[AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#on)." +Workflow triggers are defined with the `on` key. For more information, see [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#on). The following steps occur to trigger a workflow run: @@ -29,15 +29,15 @@ The following steps occur to trigger a workflow run: 1. {% data variables.product.product_name %} searches the `.github/workflows` directory in the root of your repository for workflow files that are present in the associated commit SHA or Git ref of the event. 1. A workflow run is triggered for any workflows that have `on:` values that match the triggering event. Some events also require the workflow file to be present on the default branch of the repository in order to run. - Each workflow run will use the version of the workflow that is present in the associated commit SHA or Git ref of the event. When a workflow runs, {% data variables.product.product_name %} sets the `GITHUB_SHA` (commit SHA) and `GITHUB_REF` (Git ref) environment variables in the runner environment. For more information, see "[AUTOTITLE](/actions/learn-github-actions/variables)." + Each workflow run will use the version of the workflow that is present in the associated commit SHA or Git ref of the event. When a workflow runs, {% data variables.product.product_name %} sets the `GITHUB_SHA` (commit SHA) and `GITHUB_REF` (Git ref) environment variables in the runner environment. For more information, see [AUTOTITLE](/actions/learn-github-actions/variables). ### Triggering a workflow from a workflow -{% data reusables.actions.actions-do-not-trigger-workflows %} For more information, see "[AUTOTITLE](/actions/security-guides/automatic-token-authentication)." +{% data reusables.actions.actions-do-not-trigger-workflows %} For more information, see [AUTOTITLE](/actions/security-guides/automatic-token-authentication). If you do want to trigger a workflow from within a workflow run, you can use a {% data variables.product.prodname_github_app %} installation access token or a {% data variables.product.pat_generic %} instead of `GITHUB_TOKEN` to trigger events that require a token. -If you use a {% data variables.product.prodname_github_app %}, you'll need to create a {% data variables.product.prodname_github_app %} and store the app ID and private key as secrets. For more information, see "[AUTOTITLE](/apps/creating-github-apps/guides/making-authenticated-api-requests-with-a-github-app-in-a-github-actions-workflow)." If you use a {% data variables.product.pat_generic %}, you'll need to create a {% data variables.product.pat_generic %} and store it as a secret. For more information about creating a {% data variables.product.pat_generic %}, see "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token)." For more information about storing secrets, see "[AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions)." +If you use a {% data variables.product.prodname_github_app %}, you'll need to create a {% data variables.product.prodname_github_app %} and store the app ID and private key as secrets. For more information, see [AUTOTITLE](/apps/creating-github-apps/guides/making-authenticated-api-requests-with-a-github-app-in-a-github-actions-workflow). If you use a {% data variables.product.pat_generic %}, you'll need to create a {% data variables.product.pat_generic %} and store it as a secret. For more information about creating a {% data variables.product.pat_generic %}, see [AUTOTITLE](/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token). For more information about storing secrets, see [AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions). To minimize your {% data variables.product.prodname_actions %} usage costs, ensure that you don't create recursive or unintended workflow runs. @@ -81,7 +81,7 @@ jobs: ## Using events to trigger workflows -Use the `on` key to specify what events trigger your workflow. For more information about events you can use, see "[AUTOTITLE](/actions/using-workflows/events-that-trigger-workflows)." +Use the `on` key to specify what events trigger your workflow. For more information about events you can use, see [AUTOTITLE](/actions/using-workflows/events-that-trigger-workflows). ### Using a single event @@ -167,7 +167,7 @@ You can use activity types and filters to further control when your workflow wil ## Defining inputs, outputs, and secrets for reusable workflows -You can define inputs and secrets that a reusable workflow should receive from a calling workflow. You can also specify outputs that a reusable workflow will make available to a calling workflow. For more information, see "[AUTOTITLE](/actions/using-workflows/reusing-workflows)." +You can define inputs and secrets that a reusable workflow should receive from a calling workflow. You can also specify outputs that a reusable workflow will make available to a calling workflow. For more information, see [AUTOTITLE](/actions/using-workflows/reusing-workflows). ## Using event information @@ -175,7 +175,7 @@ Information about the event that triggered a workflow run is available in the `g ### Viewing all properties of an event -Reference the webhook event documentation for common properties and example payloads. For more information, see "[AUTOTITLE](/webhooks-and-events/webhooks/webhook-events-and-payloads)." +Reference the webhook event documentation for common properties and example payloads. For more information, see [AUTOTITLE](/webhooks-and-events/webhooks/webhook-events-and-payloads). You can also print the entire `github.event` context to see what properties are available for the event that triggered your workflow: @@ -220,7 +220,7 @@ jobs: gh pr comment $PR --body 'It looks like you edited `package*.json`, `.github/CODEOWNERS`, or `.github/workflows/**`. We do not allow contributions to these files. Please review our [contributing guidelines](https://github.com/octo-org/octo-repo/blob/main/CONTRIBUTING.md) for what contributions are accepted.' ``` -For more information about contexts, see "[AUTOTITLE](/actions/learn-github-actions/contexts)." For more information about event payloads, see "[AUTOTITLE](/webhooks-and-events/webhooks/webhook-events-and-payloads)." +For more information about contexts, see [AUTOTITLE](/actions/learn-github-actions/contexts). For more information about event payloads, see [AUTOTITLE](/webhooks-and-events/webhooks/webhook-events-and-payloads). ## Further controlling how your workflow will run @@ -275,11 +275,11 @@ jobs: echo A pull request was closed ``` -For more information about what information is available in the event context, see "[Using event information](#using-event-information)." For more information about how to use conditionals, see "[AUTOTITLE](/actions/learn-github-actions/expressions)." +For more information about what information is available in the event context, see [Using event information](#using-event-information). For more information about how to use conditionals, see [AUTOTITLE](/actions/learn-github-actions/expressions). ### Using environments to manually trigger workflow jobs -If you want to manually trigger a specific job in a workflow, you can use an environment that requires approval from a specific team or user. First, configure an environment with required reviewers. For more information, see "[AUTOTITLE](/actions/deployment/targeting-different-environments/managing-environments-for-deployment)." Then, reference the environment name in a job in your workflow using the `environment:` key. Any job referencing the environment will not run until at least one reviewer approves the job. +If you want to manually trigger a specific job in a workflow, you can use an environment that requires approval from a specific team or user. First, configure an environment with required reviewers. For more information, see [AUTOTITLE](/actions/deployment/targeting-different-environments/managing-environments-for-deployment). Then, reference the environment name in a job in your workflow using the `environment:` key. Any job referencing the environment will not run until at least one reviewer approves the job. For example, the following workflow will run whenever there is a push to main. The `build` job will always run. The `publish` job will only run after the `build` job successfully completes (due to `needs: [build]`) and after all of the rules (including required reviewers) for the environment called `production` pass (due to `environment: production`). @@ -310,4 +310,4 @@ jobs: ## Available events -For a full list of available events, see "[AUTOTITLE](/actions/using-workflows/events-that-trigger-workflows)." +For a full list of available events, see [AUTOTITLE](/actions/using-workflows/events-that-trigger-workflows). diff --git a/content/actions/writing-workflows/choosing-when-your-workflow-runs/using-conditions-to-control-job-execution.md b/content/actions/writing-workflows/choosing-when-your-workflow-runs/using-conditions-to-control-job-execution.md index dfcea036231a..e18a51795494 100644 --- a/content/actions/writing-workflows/choosing-when-your-workflow-runs/using-conditions-to-control-job-execution.md +++ b/content/actions/writing-workflows/choosing-when-your-workflow-runs/using-conditions-to-control-job-execution.md @@ -21,4 +21,4 @@ redirect_from: On a skipped job, you should see "This check was skipped." > [!NOTE] -> In some parts of the workflow you cannot use environment variables. Instead you can use contexts to access the value of an environment variable. For more information, see "[AUTOTITLE](/actions/learn-github-actions/variables#using-the-env-context-to-access-environment-variable-values)." +> In some parts of the workflow you cannot use environment variables. Instead you can use contexts to access the value of an environment variable. For more information, see [AUTOTITLE](/actions/learn-github-actions/variables#using-the-env-context-to-access-environment-variable-values). diff --git a/content/actions/writing-workflows/quickstart.md b/content/actions/writing-workflows/quickstart.md index eb6430254ca8..c5e0b1706ecb 100644 --- a/content/actions/writing-workflows/quickstart.md +++ b/content/actions/writing-workflows/quickstart.md @@ -25,7 +25,7 @@ This quickstart guide shows you how to use the user interface of {% data variabl {% data reusables.actions.workflow-templates-for-more-information %} -For an overview of {% data variables.product.prodname_actions %} workflows, see "[AUTOTITLE](/actions/using-workflows/about-workflows)." If you want to learn about the various components that make up {% data variables.product.prodname_actions %}, see "[AUTOTITLE](/actions/learn-github-actions/understanding-github-actions)." +For an overview of {% data variables.product.prodname_actions %} workflows, see [AUTOTITLE](/actions/using-workflows/about-workflows). If you want to learn about the various components that make up {% data variables.product.prodname_actions %}, see [AUTOTITLE](/actions/learn-github-actions/understanding-github-actions). ## Using workflow templates @@ -36,11 +36,11 @@ For an overview of {% data variables.product.prodname_actions %} workflows, see ## Prerequisites This guide assumes that: -* You have at least a basic knowledge of how to use {% data variables.product.prodname_dotcom %}. If you don't, you'll find it helpful to read some of the articles in the documentation for repositories and pull requests first. For example, see "[AUTOTITLE](/repositories/creating-and-managing-repositories/quickstart-for-repositories)," "[AUTOTITLE](/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/about-branches)," and "[AUTOTITLE](/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/about-pull-requests)." +* You have at least a basic knowledge of how to use {% data variables.product.prodname_dotcom %}. If you don't, you'll find it helpful to read some of the articles in the documentation for repositories and pull requests first. For example, see [AUTOTITLE](/repositories/creating-and-managing-repositories/quickstart-for-repositories), [AUTOTITLE](/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/about-branches), and [AUTOTITLE](/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/about-pull-requests). * You have a repository on {% data variables.product.github %} where you can add files. * You have access to {% data variables.product.prodname_actions %}. - > [!NOTE] If the **{% octicon "play" aria-hidden="true" %} Actions** tab is not displayed under the name of your repository on {% data variables.product.prodname_dotcom %}, it may be because Actions is disabled for the repository. For more information, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository)." + > [!NOTE] If the **{% octicon "play" aria-hidden="true" %} Actions** tab is not displayed under the name of your repository on {% data variables.product.prodname_dotcom %}, it may be because Actions is disabled for the repository. For more information, see [AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository). ## Creating your first workflow @@ -76,7 +76,7 @@ This guide assumes that: - run: echo "🍏 This job's status is {% raw %}${{ job.status }}{% endraw %}." ``` - At this stage you don't need to understand the details of this workflow. For now, you can just copy and paste the contents into the file. After completing this quickstart guide, you can learn about the syntax of workflow files in "[AUTOTITLE](/actions/using-workflows/about-workflows#understanding-the-workflow-file)," and for an explanation of {% data variables.product.prodname_actions %} contexts, such as `{% raw %}${{ github.actor }}{% endraw %}` and `{% raw %}${{ github.event_name }}{% endraw %}`, see "[AUTOTITLE](/actions/learn-github-actions/contexts)." + At this stage you don't need to understand the details of this workflow. For now, you can just copy and paste the contents into the file. After completing this quickstart guide, you can learn about the syntax of workflow files in [AUTOTITLE](/actions/using-workflows/about-workflows#understanding-the-workflow-file), and for an explanation of {% data variables.product.prodname_actions %} contexts, such as `{% raw %}${{ github.actor }}{% endraw %}` and `{% raw %}${{ github.event_name }}{% endraw %}`, see [AUTOTITLE](/actions/learn-github-actions/contexts). 1. Click **Commit changes**. 1. In the "Propose changes" dialog, select either the option to commit to the default branch or the option to create a new branch and start a pull request. Then click **Commit changes** or **Propose changes**. @@ -108,7 +108,7 @@ If you chose to start a pull request, you can continue and create the pull reque ![Screenshot of the "List files in the repository" step expanded to show the log output. The output for the step is highlighted with an orange outline.](/assets/images/help/repository/actions-quickstart-log-detail.png) -The example workflow you just added is triggered each time code is pushed to the branch, and shows you how {% data variables.product.prodname_actions %} can work with the contents of your repository. For an in-depth tutorial, see "[AUTOTITLE](/actions/learn-github-actions/understanding-github-actions)." +The example workflow you just added is triggered each time code is pushed to the branch, and shows you how {% data variables.product.prodname_actions %} can work with the contents of your repository. For an in-depth tutorial, see [AUTOTITLE](/actions/learn-github-actions/understanding-github-actions). ## Next steps diff --git a/content/actions/writing-workflows/using-workflow-templates.md b/content/actions/writing-workflows/using-workflow-templates.md index d4557ce96f66..67e69054ca57 100644 --- a/content/actions/writing-workflows/using-workflow-templates.md +++ b/content/actions/writing-workflows/using-workflow-templates.md @@ -35,7 +35,7 @@ Workflow templates are templates that help you to create your own {% data variab {% data reusables.actions.workflow-templates-repo-link %} -You can also create your own workflow template to share with your organization. These workflow templates will appear alongside the {% data variables.product.product_name %}-provided workflow templates. Anyone with write access to the organization's `github` repository can set up a workflow template. For more information, see "[AUTOTITLE](/actions/using-workflows/creating-starter-workflows-for-your-organization)." +You can also create your own workflow template to share with your organization. These workflow templates will appear alongside the {% data variables.product.product_name %}-provided workflow templates. Anyone with write access to the organization's `github` repository can set up a workflow template. For more information, see [AUTOTITLE](/actions/using-workflows/creating-starter-workflows-for-your-organization). ## Choosing and using a workflow template @@ -45,18 +45,18 @@ You can also create your own workflow template to share with your organization. 1. The "Choose a workflow" page shows a selection of recommended workflow templates. Find the workflow template that you want to use, then click **Configure**. To help you find the workflow template that you want, you can search for keywords or filter by category. 1. If the workflow template contains comments detailing additional setup steps, follow these steps. - There are guides to accompany many of the workflow templates for building and testing projects. For more information, see "[AUTOTITLE](/actions/automating-builds-and-tests)." + There are guides to accompany many of the workflow templates for building and testing projects. For more information, see [AUTOTITLE](/actions/automating-builds-and-tests). -1. Some workflow templates use secrets. For example, {% raw %}`${{ secrets.npm_token }}`{% endraw %}. If the workflow template uses a secret, store the value described in the secret name as a secret in your repository. For more information, see "[AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions)." +1. Some workflow templates use secrets. For example, {% raw %}`${{ secrets.npm_token }}`{% endraw %}. If the workflow template uses a secret, store the value described in the secret name as a secret in your repository. For more information, see [AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions). 1. Optionally, make additional changes. For example, you might want to change the value of `on` to change when the workflow runs. 1. Click **Start commit**. 1. Write a commit message and decide whether to commit directly to the default branch or to open a pull request. ## Further reading -* "[AUTOTITLE](/actions/automating-builds-and-tests/about-continuous-integration)" -* "[AUTOTITLE](/actions/managing-workflow-runs)" -* "[AUTOTITLE](/actions/monitoring-and-troubleshooting-workflows/about-monitoring-and-troubleshooting)" +* [AUTOTITLE](/actions/automating-builds-and-tests/about-continuous-integration) +* [AUTOTITLE](/actions/managing-workflow-runs) +* [AUTOTITLE](/actions/monitoring-and-troubleshooting-workflows/about-monitoring-and-troubleshooting) {% ifversion fpt or ghec %} -* "[AUTOTITLE](/billing/managing-billing-for-github-actions)" +* [AUTOTITLE](/billing/managing-billing-for-github-actions) {% endif %} diff --git a/content/actions/writing-workflows/workflow-syntax-for-github-actions.md b/content/actions/writing-workflows/workflow-syntax-for-github-actions.md index d0ddbe1c5893..40afb8c36b74 100644 --- a/content/actions/writing-workflows/workflow-syntax-for-github-actions.md +++ b/content/actions/writing-workflows/workflow-syntax-for-github-actions.md @@ -109,17 +109,17 @@ run-name: Deploy to ${{ inputs.deploy_target }} by @${{ github.actor }} ## `on.workflow_call` -Use `on.workflow_call` to define the inputs and outputs for a reusable workflow. You can also map the secrets that are available to the called workflow. For more information on reusable workflows, see "[AUTOTITLE](/actions/using-workflows/reusing-workflows)." +Use `on.workflow_call` to define the inputs and outputs for a reusable workflow. You can also map the secrets that are available to the called workflow. For more information on reusable workflows, see [AUTOTITLE](/actions/using-workflows/reusing-workflows). ## `on.workflow_call.inputs` -When using the `workflow_call` keyword, you can optionally specify inputs that are passed to the called workflow from the caller workflow. For more information about the `workflow_call` keyword, see "[AUTOTITLE](/actions/using-workflows/events-that-trigger-workflows#workflow-reuse-events)." +When using the `workflow_call` keyword, you can optionally specify inputs that are passed to the called workflow from the caller workflow. For more information about the `workflow_call` keyword, see [AUTOTITLE](/actions/using-workflows/events-that-trigger-workflows#workflow-reuse-events). In addition to the standard input parameters that are available, `on.workflow_call.inputs` requires a `type` parameter. For more information, see [`on.workflow_call.inputs..type`](#onworkflow_callinputsinput_idtype). If a `default` parameter is not set, the default value of the input is `false` for a boolean, `0` for a number, and `""` for a string. -Within the called workflow, you can use the `inputs` context to refer to an input. For more information, see "[AUTOTITLE](/actions/learn-github-actions/contexts#inputs-context)." +Within the called workflow, you can use the `inputs` context to refer to an input. For more information, see [AUTOTITLE](/actions/learn-github-actions/contexts#inputs-context). If a caller workflow passes an input that is not specified in the called workflow, this results in an error. @@ -148,7 +148,7 @@ jobs: {% endraw %} -For more information, see "[AUTOTITLE](/actions/using-workflows/reusing-workflows)." +For more information, see [AUTOTITLE](/actions/using-workflows/reusing-workflows). ## `on.workflow_call.inputs..type` @@ -179,7 +179,7 @@ on: {% endraw %} -For information on how to reference a job output, see [`jobs..outputs`](#jobsjob_idoutputs). For more information, see "[AUTOTITLE](/actions/using-workflows/reusing-workflows)." +For information on how to reference a job output, see [`jobs..outputs`](#jobsjob_idoutputs). For more information, see [AUTOTITLE](/actions/using-workflows/reusing-workflows). ## `on.workflow_call.secrets` @@ -188,7 +188,7 @@ A map of the secrets that can be used in the called workflow. Within the called workflow, you can use the `secrets` context to refer to a secret. > [!NOTE] -> If you are passing the secret to a nested reusable workflow, then you must use [`jobs..secrets`](#jobsjob_idsecrets) again to pass the secret. For more information, see "[AUTOTITLE](/actions/using-workflows/reusing-workflows#passing-secrets-to-nested-workflows)." +> If you are passing the secret to a nested reusable workflow, then you must use [`jobs..secrets`](#jobsjob_idsecrets) again to pass the secret. For more information, see [AUTOTITLE](/actions/using-workflows/reusing-workflows#passing-secrets-to-nested-workflows). If a caller workflow passes a secret that is not specified in the called workflow, this results in an error. @@ -416,7 +416,7 @@ jobs: A job contains a sequence of tasks called `steps`. Steps can run commands, run setup tasks, or run an action in your repository, a public repository, or an action published in a Docker registry. Not all steps run actions, but all actions run as a step. Each step runs in its own process in the runner environment and has access to the workspace and filesystem. Because steps run in their own process, changes to environment variables are not preserved between steps. {% data variables.product.prodname_dotcom %} provides built-in steps to set up and complete a job. -{% data variables.product.prodname_dotcom %} only displays the first 1,000 checks, however, you can run an unlimited number of steps as long as you are within the workflow usage limits. For more information, see "[AUTOTITLE](/actions/learn-github-actions/usage-limits-billing-and-administration)" for {% data variables.product.prodname_dotcom %}-hosted runners and "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners#usage-limits)" for self-hosted runner usage limits. +{% data variables.product.prodname_dotcom %} only displays the first 1,000 checks, however, you can run an unlimited number of steps as long as you are within the workflow usage limits. For more information, see [AUTOTITLE](/actions/learn-github-actions/usage-limits-billing-and-administration) for {% data variables.product.prodname_dotcom %}-hosted runners and [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners#usage-limits) for self-hosted runner usage limits. ### Example of `jobs..steps` @@ -446,13 +446,13 @@ jobs: ## `jobs..steps[*].id` -A unique identifier for the step. You can use the `id` to reference the step in contexts. For more information, see "[AUTOTITLE](/actions/learn-github-actions/contexts)." +A unique identifier for the step. You can use the `id` to reference the step in contexts. For more information, see [AUTOTITLE](/actions/learn-github-actions/contexts). ## `jobs..steps[*].if` You can use the `if` conditional to prevent a step from running unless a condition is met. {% data reusables.actions.if-supported-contexts %} -{% data reusables.actions.expression-syntax-if %} For more information, see "[AUTOTITLE](/actions/learn-github-actions/expressions)." +{% data reusables.actions.expression-syntax-if %} For more information, see [AUTOTITLE](/actions/learn-github-actions/expressions). ### Example: Using contexts @@ -467,7 +467,7 @@ steps: ### Example: Using status check functions -The `my backup step` only runs when the previous step of a job fails. For more information, see "[AUTOTITLE](/actions/learn-github-actions/expressions#status-check-functions)." +The `my backup step` only runs when the previous step of a job fails. For more information, see [AUTOTITLE](/actions/learn-github-actions/expressions#status-check-functions). ```yaml steps: @@ -503,7 +503,7 @@ jobs: {% endraw %} -For more information, see "[AUTOTITLE](/actions/learn-github-actions/contexts#context-availability)" and "[AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions)." +For more information, see [AUTOTITLE](/actions/learn-github-actions/contexts#context-availability) and [AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions). ## `jobs..steps[*].name` @@ -624,7 +624,7 @@ jobs: ### Example: Using an action inside a different private repository than the workflow -Your workflow must checkout the private repository and reference the action locally. Generate a {% data variables.product.pat_generic %} and add the token as a secret. For more information, see "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token)" and "[AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions)." +Your workflow must checkout the private repository and reference the action locally. Generate a {% data variables.product.pat_generic %} and add the token as a secret. For more information, see [AUTOTITLE](/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token) and [AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions). Replace `PERSONAL_ACCESS_TOKEN` in the example with the name of your secret. @@ -643,7 +643,7 @@ jobs: uses: ./.github/actions/my-private-repo/my-action ``` -Alternatively, use a {% data variables.product.prodname_github_app %} instead of a {% data variables.product.pat_generic %} in order to ensure your workflow continues to run even if the {% data variables.product.pat_generic %} owner leaves. For more information, see "[AUTOTITLE](/apps/creating-github-apps/guides/making-authenticated-api-requests-with-a-github-app-in-a-github-actions-workflow)." +Alternatively, use a {% data variables.product.prodname_github_app %} instead of a {% data variables.product.pat_generic %} in order to ensure your workflow continues to run even if the {% data variables.product.pat_generic %} owner leaves. For more information, see [AUTOTITLE](/apps/creating-github-apps/guides/making-authenticated-api-requests-with-a-github-app-in-a-github-actions-workflow). ## `jobs..steps[*].run` @@ -679,9 +679,9 @@ Using the `working-directory` keyword, you can specify the working directory of working-directory: ./temp ``` -Alternatively, you can specify a default working directory for all `run` steps in a job, or for all `run` steps in the entire workflow. For more information, see "[`defaults.run.working-directory`](/actions/using-workflows/workflow-syntax-for-github-actions#defaultsrunworking-directory)" and "[`jobs..defaults.run.working-directory`](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_iddefaultsrunworking-directory)." +Alternatively, you can specify a default working directory for all `run` steps in a job, or for all `run` steps in the entire workflow. For more information, see [`defaults.run.working-directory`](/actions/using-workflows/workflow-syntax-for-github-actions#defaultsrunworking-directory) and [`jobs..defaults.run.working-directory`](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_iddefaultsrunworking-directory). -You can also use a `run` step to run a script. For more information, see "[AUTOTITLE](/actions/writing-workflows/choosing-what-your-workflow-does/adding-scripts-to-your-workflow)." +You can also use a `run` step to run a script. For more information, see [AUTOTITLE](/actions/writing-workflows/choosing-what-your-workflow-does/adding-scripts-to-your-workflow). ## `jobs..steps[*].shell` @@ -689,7 +689,7 @@ You can override the default shell settings in the runner's operating system and {% data reusables.actions.supported-shells %} -Alternatively, you can specify a default shell for all `run` steps in a job, or for all `run` steps in the entire workflow. For more information, see "[`defaults.run.shell`](/actions/using-workflows/workflow-syntax-for-github-actions#defaultsrunshell)" and "[`jobs..defaults.run.shell`](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_iddefaultsrunshell)." +Alternatively, you can specify a default shell for all `run` steps in a job, or for all `run` steps in the entire workflow. For more information, see [`defaults.run.shell`](/actions/using-workflows/workflow-syntax-for-github-actions#defaultsrunshell) and [`jobs..defaults.run.shell`](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_iddefaultsrunshell). ### Example: Running a command using Bash @@ -755,7 +755,7 @@ steps: The command used, `perl` in this example, must be installed on the runner. {% ifversion fpt or ghec %} -For information about the software included on GitHub-hosted runners, see "[AUTOTITLE](/actions/using-github-hosted-runners/about-github-hosted-runners#supported-software)." +For information about the software included on GitHub-hosted runners, see [AUTOTITLE](/actions/using-github-hosted-runners/about-github-hosted-runners#supported-software). {% endif %} ### Exit codes and error action preference @@ -780,7 +780,7 @@ For built-in shell keywords, we provide the following defaults that are executed A `map` of the input parameters defined by the action. Each input parameter is a key/value pair. Input parameters are set as environment variables. The variable is prefixed with `INPUT_` and converted to upper case. -Input parameters defined for a Docker container must use `args`. For more information, see "[`jobs..steps[*].with.args`](#jobsjob_idstepswithargs)." +Input parameters defined for a Docker container must use `args`. For more information, see [`jobs..steps[*].with.args`](#jobsjob_idstepswithargs). ### Example of `jobs..steps[*].with` @@ -845,7 +845,7 @@ Sets variables for steps to use in the runner environment. You can also set vari {% data reusables.repositories.actions-env-var-note %} -Public actions may specify expected variables in the README file. If you are setting a secret or sensitive value, such as a password or token, you must set secrets using the `secrets` context. For more information, see "[AUTOTITLE](/actions/learn-github-actions/contexts)." +Public actions may specify expected variables in the README file. If you are setting a secret or sensitive value, such as a password or token, you must set secrets using the `secrets` context. For more information, see [AUTOTITLE](/actions/learn-github-actions/contexts). ### Example of `jobs..steps[*].env` @@ -876,14 +876,14 @@ Fractional values are not supported. `timeout-minutes` must be a positive intege The maximum number of minutes to let a job run before {% data variables.product.prodname_dotcom %} automatically cancels it. Default: 360 -If the timeout exceeds the job execution time limit for the runner, the job will be canceled when the execution time limit is met instead. For more information about job execution time limits, see "[AUTOTITLE](/actions/learn-github-actions/usage-limits-billing-and-administration#usage-limits)" for {% data variables.product.prodname_dotcom %}-hosted runners and "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners#usage-limits)" for self-hosted runner usage limits. +If the timeout exceeds the job execution time limit for the runner, the job will be canceled when the execution time limit is met instead. For more information about job execution time limits, see [AUTOTITLE](/actions/learn-github-actions/usage-limits-billing-and-administration#usage-limits) for {% data variables.product.prodname_dotcom %}-hosted runners and [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners#usage-limits) for self-hosted runner usage limits. > [!NOTE] -> {% data reusables.actions.github-token-expiration %} For self-hosted runners, the token may be the limiting factor if the job timeout is greater than 24 hours. For more information on the `GITHUB_TOKEN`, see "[AUTOTITLE](/actions/security-guides/automatic-token-authentication#about-the-github_token-secret)." +> {% data reusables.actions.github-token-expiration %} For self-hosted runners, the token may be the limiting factor if the job timeout is greater than 24 hours. For more information on the `GITHUB_TOKEN`, see [AUTOTITLE](/actions/security-guides/automatic-token-authentication#about-the-github_token-secret). ## `jobs..strategy` -Use `jobs..strategy` to use a matrix strategy for your jobs. {% data reusables.actions.jobs.about-matrix-strategy %} For more information, see "[AUTOTITLE](/actions/using-jobs/using-a-matrix-for-your-jobs)." +Use `jobs..strategy` to use a matrix strategy for your jobs. {% data reusables.actions.jobs.about-matrix-strategy %} For more information, see [AUTOTITLE](/actions/using-jobs/using-a-matrix-for-your-jobs). ## `jobs..strategy.matrix` @@ -992,7 +992,7 @@ If you configure your job to run in a container, or your step uses container act If you configure the job to run directly on the runner machine and your step doesn't use a container action, you must map any required Docker service container ports to the Docker host (the runner machine). You can access the service container using localhost and the mapped port. -For more information about the differences between networking service containers, see "[AUTOTITLE](/actions/using-containerized-services/about-service-containers)." +For more information about the differences between networking service containers, see [AUTOTITLE](/actions/using-containerized-services/about-service-containers). ### Example: Using localhost @@ -1081,7 +1081,7 @@ volumes: ## `jobs..services..options` -Additional Docker container resource options. For a list of options, see "[`docker create` options](https://docs.docker.com/engine/reference/commandline/create/#options)." +Additional Docker container resource options. For a list of options, see [`docker create` options](https://docs.docker.com/engine/reference/commandline/create/#options). > [!WARNING] > The `--network` option is not supported. @@ -1096,7 +1096,7 @@ The location and version of a reusable workflow file to run as a job. Use one of {% data reusables.actions.uses-keyword-example %} -For more information, see "[AUTOTITLE](/actions/using-workflows/reusing-workflows)." +For more information, see [AUTOTITLE](/actions/using-workflows/reusing-workflows). ## `jobs..with` @@ -1210,7 +1210,7 @@ branches: [ main, 'release/v[0-9].[0-9]' ] branches: [ main, release/v[0-9].[0-9] ] ``` -For more information about branch, tag, and path filter syntax, see "[`on..`](#onpushbranchestagsbranches-ignoretags-ignore)", "[`on..`](#onpull_requestpull_request_targetbranchesbranches-ignore)", and "[`on..paths`](#onpushpull_requestpull_request_targetpathspaths-ignore)." +For more information about branch, tag, and path filter syntax, see [`on..`](#onpushbranchestagsbranches-ignoretags-ignore), [`on..`](#onpull_requestpull_request_targetbranchesbranches-ignore), and [`on..paths`](#onpushpull_requestpull_request_targetpathspaths-ignore). ### Patterns to match branches and tags