Merge branch 'main' into patch-2

Author: janiceilene

.github/allowed-actions.js

@@ -31,7 +31,7 @@ module.exports = [
   'rachmari/actions-add-new-issue-to-column@1a459ef92308ba7c9c9dc2fcdd72f232495574a9',
   'rachmari/labeler@832d42ec5523f3c6d46e8168de71cd54363e3e2e',
   'repo-sync/github-sync@3832fe8e2be32372e1b3970bbae8e7079edeec88',
-  'repo-sync/pull-request@ea6773388b83b337e4da9a223293309f2c3670e7',
+  'repo-sync/pull-request@58af525d19d3c2b4f744d3348c6823b6340a4921',
   'rtCamp/action-slack-notify@e17352feaf9aee300bf0ebc1dfbf467d80438815',
   'tjenkinson/gh-action-auto-merge-dependency-updates@cee2ac0'
 ]

.github/workflows/repo-freeze-reminders.yml

@@ -0,0 +1,24 @@
+name: Repo Freeze Reminders
+
+on:
+  schedule:
+  - cron: "00 11 * * *" # once per day around 11:00am UTC
+
+env:
+  FREEZE: ${{ secrets.FREEZE }}
+
+jobs:
+  check-freezer:
+    name: Remind about deployment freezes
+    runs-on: ubuntu-latest
+    steps:
+
+    - name: Send Slack notification if repo is frozen
+      if: ${{ env.FREEZE == 'true' }}
+      uses: rtCamp/action-slack-notify@e17352feaf9aee300bf0ebc1dfbf467d80438815
+      env:
+        SLACK_WEBHOOK: ${{ secrets.DOCS_ALERTS_SLACK_WEBHOOK }}
+        SLACK_USERNAME: docs-repo-sync
+        SLACK_ICON_EMOJI: ':freezing_face:'
+        SLACK_COLOR: '#51A0D5' # Carolina Blue
+        SLACK_MESSAGE: All repo-sync runs will fail for ${{ github.repository }} because the repo is currently frozen!

.github/workflows/repo-sync.yml

@@ -14,8 +14,8 @@ env:
   FREEZE: ${{ secrets.FREEZE }}
 
 jobs:
-  repo-sync:
-    name: Repo Sync
+  check-freezer:
+    name: Check for deployment freezes
     runs-on: ubuntu-latest
     steps:
 
@@ -25,6 +25,12 @@ jobs:
         echo 'The repo is currently frozen! Exiting this workflow.'
         exit 1 # prevents further steps from running
 
+  repo-sync:
+    name: Repo Sync
+    needs: check-freezer
+    runs-on: ubuntu-latest
+    steps:
+
     - name: Check out repo
       uses: actions/checkout@a81bbbf8298c0fa03ea29cdc473d45769f953675
 
@@ -39,7 +45,7 @@ jobs:
         github_token: ${{ secrets.OCTOMERGER_PAT_WITH_REPO_AND_WORKFLOW_SCOPE }}
 
     - name: Create pull request
-      uses: repo-sync/pull-request@ea6773388b83b337e4da9a223293309f2c3670e7
+      uses: repo-sync/pull-request@58af525d19d3c2b4f744d3348c6823b6340a4921
       env:
         GITHUB_TOKEN: ${{ secrets.OCTOMERGER_PAT_WITH_REPO_AND_WORKFLOW_SCOPE }}
       with:
@@ -56,6 +62,7 @@ jobs:
       with:
         github-token: ${{ secrets.GITHUB_TOKEN }}
         branch: repo-sync
+        base: main
 
     - name: Approve pull request
       if: ${{ steps.find-pull-request.outputs.number }}
@@ -66,7 +73,10 @@ jobs:
 
     - name: Send Slack notification if workflow fails
       uses: rtCamp/action-slack-notify@e17352feaf9aee300bf0ebc1dfbf467d80438815
-      if: failure()
+      if: ${{ failure() }}
       env:
         SLACK_WEBHOOK: ${{ secrets.DOCS_ALERTS_SLACK_WEBHOOK }}
+        SLACK_USERNAME: docs-repo-sync
+        SLACK_ICON_EMOJI: ':ohno:'
+        SLACK_COLOR: '#B90E0A' # Crimson
         SLACK_MESSAGE: The last repo-sync run for ${{github.repository}} failed. See https://github.com/${{github.repository}}/actions?query=workflow%3A%22Repo+Sync%22

assets/images/help/repository/audit-log-entries.png

@@ -237,4 +237,4 @@ Sometimes you want to link to a Dotcom-only article in Enterprise content and yo
 <a href="/github/site-policy/github-terms-of-service" class="dotcom-only">GitHub's Terms of Service</a>
 ```
 
-Sometimes the canonical home of content moves outside the docs site. None of the links included in [`lib/redirects/external-redirects.json`](lib/redirects/external-redirects.json) get rewritten. See  [`contributing/redirects.md`](contributing/redirects.md) for more info about this type of redirect.
+Sometimes the canonical home of content moves outside the docs site. None of the links included in [`lib/redirects/external-sites.json`](/lib/redirects/external-sites.json) get rewritten. See  [`contributing/redirects.md`](/contributing/redirects.md) for more info about this type of redirect.

content/README.md

@@ -95,3 +95,42 @@ As a result, self-hosted runners should almost [never be used for public reposit
 You should also consider the environment of the self-hosted runner machines:
 - What sensitive information resides on the machine configured as a self-hosted runner? For example, private SSH keys, API access tokens, among others. 
 - Does the machine have network access to sensitive services? For example, Azure or AWS metadata services. The amount of sensitive information in this environment should be kept to a minimum, and you should always be mindful that any user capable of invoking workflows has access to this environment.
+
+### Auditing {% data variables.product.prodname_actions %} events
+
+You can use the audit log to monitor administrative tasks in an organization. The audit log records the type of action, when it was run, and which user account perfomed the action.
+
+For example, you can use the audit log to track the `action:org.update_actions_secret` event, which tracks changes to organization secrets:
+  ![Audit log entries](/assets/images/help/repository/audit-log-entries.png)
+
+The following tables describe the {% data variables.product.prodname_actions %} events that you can find in the audit log. For more information on using the audit log, see 
+"[Reviewing the audit log for your organization](/github/setting-up-and-managing-organizations-and-teams/reviewing-the-audit-log-for-your-organization#searching-the-audit-log)."
+
+#### Events for secret management
+| Action | Description
+|------------------|-------------------
+| `action:org.create_actions_secret` | Triggered when a organization admin [creates a {% data variables.product.prodname_actions %} secret](/actions/reference/encrypted-secrets#creating-encrypted-secrets-for-an-organization).
+| `action:org.remove_actions_secret` | Triggered when a organization admin removes a {% data variables.product.prodname_actions %} secret.
+| `action:org.update_actions_secret` | Triggered when a organization admin updates a {% data variables.product.prodname_actions %} secret.
+| `action:repo.create_actions_secret ` | Triggered when a repository admin [creates a {% data variables.product.prodname_actions %} secret](/actions/reference/encrypted-secrets#creating-encrypted-secrets-for-a-repository).
+| `action:repo.remove_actions_secret` | Triggered when a repository admin removes a {% data variables.product.prodname_actions %} secret.
+| `action:repo.update_actions_secret` | Triggered when a repository admin updates a {% data variables.product.prodname_actions %} secret.
+
+#### Events for self-hosted runners
+| Action | Description
+|------------------|-------------------
+| `action:org.register_self_hosted_runner` | Triggered when an organization owner [registers a new self-hosted runner](/actions/hosting-your-own-runners/adding-self-hosted-runners#adding-a-self-hosted-runner-to-an-organization).
+| `action:org.remove_self_hosted_runner` | Triggered when an organization owner [removes a self-hosted runner](/actions/hosting-your-own-runners/removing-self-hosted-runners#removing-a-runner-from-an-organization).
+| `action:repo.register_self_hosted_runner` | Triggered when a repository admin [registers a new self-hosted runner](/actions/hosting-your-own-runners/adding-self-hosted-runners#adding-a-self-hosted-runner-to-a-repository). 
+| `action:repo.remove_self_hosted_runner` | Triggered when a repository admin [removes a self-hosted runner](/actions/hosting-your-own-runners/removing-self-hosted-runners#removing-a-runner-from-a-repository). 
+
+#### Events for self-hosted runner groups
+| Action | Description
+|------------------|-------------------
+| `action:org.runner_group_created` | Triggered when an organization admin [creates a self-hosted runner group](/actions/hosting-your-own-runners/managing-access-to-self-hosted-runners-using-groups#creating-a-self-hosted-runner-group-for-an-organization). 
+| `action:org.runner_group_removed` | Triggered when an organization admin removes a self-hosted runner group. 
+| `action:org.runner_group_renamed` | Triggered when an organization admin renames a self-hosted runner group. 
+| `action:org.runner_group_runners_added` | Triggered when an organization admin [adds a self-hosted runner to a group](/actions/hosting-your-own-runners/managing-access-to-self-hosted-runners-using-groups#moving-a-self-hosted-runner-to-a-group). 
+| `action:org.runner_group_runners_removed` | Triggered when an organization admin removes a self-hosted runner from a group. 
+
+

content/actions/learn-github-actions/security-hardening-for-github-actions.md

@@ -18,10 +18,13 @@ You can connect {% data variables.product.product_location_enterprise %} to {% d
 
 After connecting {% data variables.product.product_location_enterprise %} to {% data variables.product.prodname_dotcom_the_website %} and enabling {% if currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot_short %}{% else %}security{% endif %} alerts for vulnerable dependencies, vulnerability data is synced from {% data variables.product.prodname_dotcom_the_website %} to your instance once every hour. You can also choose to manually sync vulnerability data at any time. No code or information about code from {% data variables.product.product_location_enterprise %} is uploaded to {% data variables.product.prodname_dotcom_the_website %}.
 
-{% if currentVersion ver_gt "enterprise-server@2.21" %}When {% data variables.product.product_location_enterprise %} receives information about a vulnerability, it will identify repositories in your instance that use the affected version of the dependency and send {% data variables.product.prodname_dependabot_short %} alerts to owners and people with admin access in those repositories. They can customize how they receive {% data variables.product.prodname_dependabot_short %} alerts. For more information, see "[About alerts for vulnerable dependencies](/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies/#configuring-notifications-for-github-dependabot-alerts)."
+{% if currentVersion ver_gt "enterprise-server@2.21" %}When {% data variables.product.product_location_enterprise %} receives information about a vulnerability, it will identify repositories in your instance that use the affected version of the dependency and send {% data variables.product.prodname_dependabot_short %} alerts. You can customize how you receive {% data variables.product.prodname_dependabot_short %} alerts. For more information, see "[Configuring notifications for vulnerable dependencies](/github/managing-security-vulnerabilities/configuring-notifications-for-vulnerable-dependencies/#configuring-notifications-for-github-dependabot-alerts)."
 {% endif %}
 
-{% if currentVersion ver_lt "enterprise-server@2.21" or currentVersion == "enterprise-server@2.21" %}When {% data variables.product.product_location_enterprise %} receives information about a vulnerability, it will identify repositories in your instance that use the affected version of the dependency and send security alerts to owners and people with admin access in those repositories. They can customize how they receive security alerts. For more information, see "[About alerts for vulnerable dependencies](/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies/#configuring-notifications-for-security-alerts)."
+{% if currentVersion == "enterprise-server@2.21" %}When {% data variables.product.product_location_enterprise %} receives information about a vulnerability, it will identify repositories in your instance that use the affected version of the dependency and send security alerts. You can customize how you receive security alerts. For more information, see "[Configuring notifications for vulnerable dependencies](/github/managing-security-vulnerabilities/configuring-notifications-for-vulnerable-dependencies/#configuring-notifications-for-security-alerts)."
+{% endif %}
+
+{% if currentVersion ver_lt "enterprise-server@2.21" %}When {% data variables.product.product_location_enterprise %} receives information about a vulnerability, it will identify repositories in your instance that use the affected version of the dependency and send security alerts. You can customize how you receive security alerts. For more information, see "[Choosing the delivery method for your notifications](/github/receiving-notifications-about-activity-on-github/choosing-the-delivery-method-for-your-notifications#choosing-the-delivery-method-for-security-alerts-for-vulnerable-dependencies)."
 {% endif %}
 
 {% if currentVersion ver_gt "enterprise-server@2.21" %}

content/admin/configuration/enabling-alerts-for-vulnerable-dependencies-on-github-enterprise-server.md

@@ -30,6 +30,15 @@ The time required to failover depends on how long it takes to manually promote t
 5. Update the DNS record to point to the IP address of the replica. Traffic is directed to the replica after the TTL period elapses. If you are using a load balancer, ensure it is configured to send traffic to the replica.
 6. Notify users that they can resume normal operations.
 7. If desired, set up replication from the new primary to existing appliances and the previous primary. For more information, see "[About high availability configuration](/enterprise/{{ currentVersion }}/admin/guides/installation/about-high-availability-configuration/#utilities-for-replication-management)."
+8. Appliances you do not intend to setup replication to that were part of the high availability configuration prior the failover, need to be removed from the high availability configuration by UUID.
+    - On the former appliances, get their UUID via `cat /data/user/common/uuid`.
+      ```shell
+      $ cat /data/user/common/uuid
+      ```
+    - On the new primary, remove the UUIDs using `ghe-repl-teardown`. Please replace *`UUID`* with a UUID you retrieved in the previous step.
+      ```shell
+      $ ghe-repl-teardown -u <em>UUNID</em>
+      ```
 
 ### Further reading
 

content/admin/enterprise-management/initiating-a-failover-to-your-replica-appliance.md

@@ -34,7 +34,7 @@ You can populate the runner tool cache by running a {% data variables.product.pr
 
 ### Populating the tool cache for a self-hosted runner
 
-1. On {% data variables.product.prodname_dotcom_the_website %}, navigate to a repostory that you can use to run a {% data variables.product.prodname_actions %} workflow.
+1. On {% data variables.product.prodname_dotcom_the_website %}, navigate to a repository that you can use to run a {% data variables.product.prodname_actions %} workflow.
 1. Create a new workflow file in the repository's `.github/workflows` folder that uploads an artifact containing the {% data variables.product.prodname_dotcom %}-hosted runner's tool cache.
 
    The following example demonstrates a workflow that uploads the tool cache for an Ubuntu 18.04 environment, using the `setup-node` action with Node.js versions 10 and 12.

content/admin/github-actions/setting-up-the-tool-cache-on-self-hosted-runners-without-internet-access.md

@@ -28,13 +28,13 @@ The event objects returned from the Events API endpoints have the same structure
 | `actor.id` | The unique identifier for the actor. |
 | `actor.login` | The username of the actor. |
 | `actor.display_login` | The specific display format of the username. |
-| `actor.gravatar_id` | The unique indentifier of the Gravatar profile for the actor. |
+| `actor.gravatar_id` | The unique identifier of the Gravatar profile for the actor. |
 | `actor.url` | The REST API URL used to retrieve the user object, which includes additional user information. |
 | `actor.avatar_url` | The URL of the actor's profile image. |
 | `repo` | The repository object where the event occurred.  |
 | `repo.id` | The unique identifier of the repository. |
 | `repo.name` | The name of the repository, which includes the owner and repository name. For example, `octocat/hello-world` is the name of the `hello-world` repository owned by the `octocat` user account. |
-| `repo.url` | The REST API URL used to retrive the repository object, which includes additional repository information. |
+| `repo.url` | The REST API URL used to retrieve the repository object, which includes additional repository information. |
 | `payload` | The event payload object is unique to the event type. See the event type below for the event API `payload` object. |
 
 #### Example WatchEvent event object