Merge pull request #13028 from github/repo-sync

repo sync

Author: Octomerger

content/codespaces/codespaces-reference/allowing-your-codespace-to-access-a-private-image-registry.md

@@ -74,12 +74,38 @@ ACR_CONTAINER_REGISTRY_USER = acr-user-here
 ACR_CONTAINER_REGISTRY_PASSWORD = <PAT>
 ```
 
-For information on common image registries, see "[Common image registry servers](#common-image-registry-servers)."
+For information on common image registries, see "[Common image registry servers](#common-image-registry-servers)." Note that accessing AWS Elastic Container Registry (ECR) is different.
 
 ![Image registry secret example](/assets/images/help/settings/codespaces-image-registry-secret-example.png)
 
 Once you've added the secrets, you may need to stop and then start the codespace you are in for the new environment variables to be passed into the container. For more information, see "[Suspending or stopping a codespace](/codespaces/codespaces-reference/using-the-command-palette-in-codespaces#suspending-or-stopping-a-codespace)."
 
+#### Accessing AWS Elastic Container Registry
+
+To access AWS Elastic Container Registry (ECR),  you can provide an AWS access key ID and secret key, and {% data variables.product.prodname_dotcom %}  can retrieve an access token for you and log in on your behalf.
+
+```
+*_CONTAINER_REGISTRY_SERVER = <ECR_URL>
+*_CONTAINER_REGISTRY_USER = <AWS_ACCESS_KEY_ID>
+*_container_REGISTRY_PASSWORD = <AWS_SECRET_KEY>
+```
+
+You must also ensure you have the appropriate AWS IAM permissions to perform the credential swap (e.g. `sts:GetServiceBearerToken`) as well as the ECR read operation (either `AmazonEC2ContainerRegistryFullAccess` or `ReadOnlyAccess`).
+
+Alternatively, if you don't want GitHub to perform the credential swap on your behalf, you can provide an authorization token fetched via AWS's APIs or CLI.
+
+```
+*_CONTAINER_REGISTRY_SERVER = <ECR_URL>
+*_CONTAINER_REGISTRY_USER = AWS
+*_container_REGISTRY_PASSWORD = <TOKEN>
+```
+
+Since these tokens are short lived and need to be refreshed periodically, we recommend providing an access key ID and secret.
+
+While these secrets can have any name, so long as the `*_CONTAINER_REGISTRY_SERVER` is an ECR URL, we recommend using `ECR_CONTAINER_REGISTRY_*` unless you are dealing with multiple ECR registries.
+
+For more information, see AWS ECR's "[Private registry authentication documentation](https://docs.aws.amazon.com/AmazonECR/latest/userguide/registry_auth.html)."
+
 ### Common image registry servers
 
 Some of the common image registry servers are listed below:
@@ -90,6 +116,6 @@ Some of the common image registry servers are listed below:
 - [AWS Elastic Container Registry](https://docs.aws.amazon.com/AmazonECR/latest/userguide/Registries.html) - `<aws_account_id>.dkr.ecr.<region>.amazonaws.com`
 - [Google Cloud Container Registry](https://cloud.google.com/container-registry/docs/overview#registries) - `gcr.io` (US), `eu.gcr.io` (EU), `asia.gcr.io` (Asia)
 
-#### Accessing AWS Elastic Container Registry
+## Debugging private image registry access
 
-If you want to access AWS Elastic Container Registry (ECR), you must provide an AWS authorization token in the `ECR_CONTAINER_REGISTRY_PASSWORD`. This authorization token is not the same as your secret key. You can obtain an AWS authorization token by using AWS's APIs or CLI. These tokens are short lived and will need to be refreshed periodically. For more information, see AWS ECR's "[Private registry authentication documentation](https://docs.aws.amazon.com/AmazonECR/latest/userguide/registry_auth.html)."
+If you are having trouble pulling an image from a private image registry, make sure you are able to run `docker login -u <user> -p <password> <server>`, using the values of the secrets defined above. If login fails, ensure that the login credentials are valid and that you have the apprioriate permissions on the server to fetch a container image. If login succeeds, make sure that these values are copied appropriately into the right {% data variables.product.prodname_codespaces %} secrets, either at the user, repository, or organization level and try again.

data/graphql/ghae/schema.docs-ghae.graphql

@@ -9235,6 +9235,11 @@ type Enterprise implements Node {
     The search string to look for.
     """
     query: String
+
+    """
+    The viewer's role in an organization.
+    """
+    viewerOrganizationRole: RoleInOrganization
   ): OrganizationConnection!
 
   """
@@ -17705,6 +17710,16 @@ type Mutation {
     input: UpdateLabelInput!
   ): UpdateLabelPayload @preview(toggledBy: "bane-preview")
 
+  """
+  Sets whether private repository forks are enabled for an organization.
+  """
+  updateOrganizationAllowPrivateRepositoryForkingSetting(
+    """
+    Parameters for UpdateOrganizationAllowPrivateRepositoryForkingSetting
+    """
+    input: UpdateOrganizationAllowPrivateRepositoryForkingSettingInput!
+  ): UpdateOrganizationAllowPrivateRepositoryForkingSettingPayload
+
   """
   Updates an existing project.
   """
@@ -21238,6 +21253,11 @@ type Organization implements Actor & MemberStatusable & Node & ProfileOwner & Pr
     orderBy: UserStatusOrder = {field: UPDATED_AT, direction: DESC}
   ): UserStatusConnection!
 
+  """
+  Members can fork private repositories in this organization
+  """
+  membersCanForkPrivateRepositories: Boolean!
+
   """
   A list of users who are members of this organization.
   """
@@ -33813,6 +33833,26 @@ type ReviewStatusHovercardContext implements HovercardContext {
   reviewDecision: PullRequestReviewDecision
 }
 
+"""
+Possible roles a user may have in relation to an organization.
+"""
+enum RoleInOrganization {
+  """
+  A user who is a direct member of the organization.
+  """
+  DIRECT_MEMBER
+
+  """
+  A user with full administrative access to the organization.
+  """
+  OWNER
+
+  """
+  A user who is unaffiliated with the organization.
+  """
+  UNAFFILIATED
+}
+
 """
 The possible digest algorithms used to sign SAML requests for an identity provider.
 """
@@ -39265,6 +39305,46 @@ type UpdateLabelPayload @preview(toggledBy: "bane-preview") {
   label: Label
 }
 
+"""
+Autogenerated input type of UpdateOrganizationAllowPrivateRepositoryForkingSetting
+"""
+input UpdateOrganizationAllowPrivateRepositoryForkingSettingInput {
+  """
+  A unique identifier for the client performing the mutation.
+  """
+  clientMutationId: String
+
+  """
+  Enable forking of private repositories in the organization?
+  """
+  forkingEnabled: Boolean!
+
+  """
+  The ID of the organization on which to set the allow private repository forking setting.
+  """
+  organizationId: ID! @possibleTypes(concreteTypes: ["Organization"])
+}
+
+"""
+Autogenerated return type of UpdateOrganizationAllowPrivateRepositoryForkingSetting
+"""
+type UpdateOrganizationAllowPrivateRepositoryForkingSettingPayload {
+  """
+  A unique identifier for the client performing the mutation.
+  """
+  clientMutationId: String
+
+  """
+  A message confirming the result of updating the allow private repository forking setting.
+  """
+  message: String
+
+  """
+  The organization with the updated allow private repository forking setting.
+  """
+  organization: Organization
+}
+
 """
 Autogenerated input type of UpdateProjectCard
 """