Merge branch 'check-links-improvement-redux' of github.com:github/docs-internal into check-links-improvement-redux

Author: sarahs

.github/allowed-actions.js

@@ -25,12 +25,13 @@ module.exports = [
   'pascalgn/automerge-action@c9bd182',
   'peter-evans/create-issue-from-file@a04ce672e3acedb1f8e416b46716ddfd09905326',
   'peter-evans/create-or-update-comment@5221bf4aa615e5c6e95bb142f9673a9c791be2cd',
-  'peter-evans/create-pull-request@938e6aea6f8dbdaced2064e948cb806c77fe87b8',
+  'peter-evans/create-pull-request@8c603dbb04b917a9fc2dd991dc54fef54b640b43',
   'rachmari/actions-add-new-issue-to-column@1a459ef92308ba7c9c9dc2fcdd72f232495574a9',
   'rachmari/labeler@832d42ec5523f3c6d46e8168de71cd54363e3e2e',
   'repo-sync/github-sync@3832fe8e2be32372e1b3970bbae8e7079edeec88',
   'repo-sync/pull-request@33777245b1aace1a58c87a29c90321aa7a74bd7d',
   'someimportantcompany/github-actions-slack-message@0b470c14b39da4260ed9e3f9a4f1298a74ccdefd',
   'tjenkinson/gh-action-auto-merge-dependency-updates@cee2ac0',
-  'EndBug/add-and-commit@9358097a71ad9fb9e2f9624c6098c89193d83575'
+  'EndBug/add-and-commit@9358097a71ad9fb9e2f9624c6098c89193d83575',
+  'dorny/paths-filter@eb75a1edc117d3756a18ef89958ee59f9500ba58'
 ]

.github/workflows/close-unwanted-pull-requests.yml

@@ -2,6 +2,9 @@ name: CodeQL analysis
 
 on:
   push:
+    branches: main
+  pull_request:
+    branches: main
     paths:
       - '**/*.js'
       - '.github/workflows/codeql.yml'

.github/workflows/codeql.yml

@@ -0,0 +1,73 @@
+name: Confirm internal staff meant to post in public
+
+on:
+  issues:
+    types:
+      - opened
+      - reopened
+      - transferred
+  pull_request_target:
+    types:
+      - opened
+      - reopened
+
+jobs:
+  check-team-membership:
+    runs-on: ubuntu-latest
+    continue-on-error: true
+    if: github.repository == 'github/docs'
+    steps:
+      - id: membership_check
+        uses: actions/github-script@626af12fe9a53dc2972b48385e7fe7dec79145c9
+        with:
+          github-token: ${{ secrets.DOCUBOT_FR_PROJECT_BOARD_WORKFLOWS_REPO_ORG_READ_SCOPES }}
+          script: |
+            // Only perform this action with GitHub employees
+            try {
+              await github.teams.getMembershipForUserInOrg({
+                org: 'github',
+                team_slug: 'employees',
+                username: context.payload.sender.login,
+              });
+            } catch(err) {
+              // An error will be thrown if the user is not a GitHub employee
+              // If a user is not a GitHub employee, we should stop here and
+              // Not send a notification
+              return
+            }
+
+            // Don't perform this action with Docs team members
+            try {
+              await github.teams.getMembershipForUserInOrg({
+                org: 'github',
+                team_slug: 'docs',
+                username: context.payload.sender.login,
+              });
+              // If the user is a Docs team member, we should stop here and not send
+              // a notification
+              return
+            } catch(err) {
+              // An error will be thrown if the user is not a Docs team member
+              // If a user is not a Docs team member we should continue and send
+              // the notification
+            }
+
+            const issueNo = context.number || context.issue.number
+
+            // Create an issue in our private repo
+            await github.issues.create({
+              owner: 'github',
+              repo: 'docs-internal',
+              title: `@${context.payload.sender.login} confirm that \#${issueNo} should be in the public github/docs repo`,
+              body: `@${context.payload.sender.login} opened https://github.com/github/docs/issues/${issueNo} publicly in the github/docs repo, instead of the private github/docs-internal repo.\n\n@${context.payload.sender.login}, please confirm that this belongs in the public repo and that no sensitive information was disclosed by commenting below and closing the issue.\n\nIf this was not intentional and sensitive information was shared, please delete https://github.com/github/docs/issues/${issueNo} and notify us in the \#docs-open-source channel.\n\nThanks! \n\n/cc @github/docs @github/docs-engineering`
+            });
+
+            core.setOutput('did_warn', 'true')
+
+      - name: Send Slack notification if a GitHub employee who isn't on the docs team opens an issue in public
+        if: ${{ steps.membership_check.outputs.did_warn && github.repository == 'github/docs' }}
+        uses: someimportantcompany/github-actions-slack-message@0b470c14b39da4260ed9e3f9a4f1298a74ccdefd
+        with:
+          channel: ${{ secrets.DOCS_OPEN_SOURCE_SLACK_CHANNEL_ID }}
+          bot-token: ${{ secrets.SLACK_DOCS_BOT_TOKEN }}
+          text: <@${{github.actor}}> opened https://github.com/github/docs/issues/${{ github.event.number || github.event.issue.number }} publicly on the github/docs repo instead of the private github/docs-internal repo. They have been notified via a new issue in the github/docs-internal repo to confirm this was intentional.

.github/workflows/confirm-internal-staff-work-in-docs.yml

@@ -33,7 +33,7 @@ jobs:
       - name: Remove script results file
         run: rm -rf ./results.md
       - name: Create pull request
-        uses: peter-evans/create-pull-request@938e6aea6f8dbdaced2064e948cb806c77fe87b8
+        uses: peter-evans/create-pull-request@8c603dbb04b917a9fc2dd991dc54fef54b640b43
         with:
           # need to use a token with repo and workflow scopes for this step
           token: ${{ secrets.OCTOMERGER_PAT_WITH_REPO_AND_WORKFLOW_SCOPE }}

.github/workflows/remove-unused-assets.yml

@@ -2,7 +2,7 @@ name: Repo Sync Stalls
 on:
   workflow_dispatch:
   schedule:
-    - cron: '*/30 * * * *'
+    - cron: '0 */2 * * *'
 jobs:
   check-freezer:
     name: Check for deployment freezes
@@ -40,7 +40,7 @@ jobs:
               const timeDelta = Date.now() - Date.parse(pr.created_at);
               const minutesOpen = timeDelta / 1000 / 60;
 
-              if (minutesOpen > 30) {
+              if (minutesOpen > 180) {
                 core.setFailed('Repo sync appears to be stalled') 
               }
             })

.github/workflows/repo-sync-stalls.yml

@@ -7,6 +7,7 @@
 name: Repo Sync
 
 on:
+  workflow_dispatch:
   schedule:
     - cron: '*/15 * * * *' # every 15 minutes
 
@@ -51,7 +52,7 @@ jobs:
           destination_branch: main
           pr_title: 'repo sync'
           pr_body: "This is an automated pull request to sync changes between the public and private repos.\n\n:robot: This pull request should be merged (not squashed) to preserve continuity across repos, so please let a bot do the merging!"
-          pr_label: automerge,autoupdate
+          pr_label: automerge,autoupdate,automated-reposync-pr
           github_token: ${{ secrets.OCTOMERGER_PAT_WITH_REPO_AND_WORKFLOW_SCOPE }}
 
       - name: Find pull request

.github/workflows/repo-sync.yml

@@ -0,0 +1,122 @@
+name: Check unallowed file changes
+
+on:
+  pull_request_target:
+    paths:
+      - '.github/workflows/**'
+      - '.github/CODEOWNERS'
+      - 'translations/**'
+      - 'assets/fonts/**'
+      - 'data/graphql/**'
+      - 'lib/graphql/**'
+      - 'lib/redirects/**'
+      - 'lib/rest/**'
+      - 'lib/webhooks/**'
+
+jobs:
+  triage:
+    if: github.repository == 'github/docs' && github.event.pull_request.user.login != 'Octomerger'
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f
+      - name: Check for existing requested changes
+        id: requested-change
+        uses: actions/github-script@626af12fe9a53dc2972b48385e7fe7dec79145c9
+        with:
+          github-token: ${{secrets.GITHUB_TOKEN}}
+          result-encoding: json
+          script: |
+            const pullReviews = await github.pulls.listReviews({
+              ...context.repo,
+              pull_number: context.payload.number
+            })
+
+            const botReviews = pullReviews.data
+              .filter(review => review.user.login === 'github-actions[bot]')
+              .sort((a, b) => new Date(b.submitted_at) - new Date(a.submitted_at))
+              .shift()
+
+            if (botReviews) {
+              console.log(`Pull request reviews authored by the github-action bot: ${botReviews}`)
+            }
+            return botReviews
+
+      - name: Get files changed
+        uses: dorny/paths-filter@eb75a1edc117d3756a18ef89958ee59f9500ba58
+        id: filter
+        with:
+          # Base branch used to get changed files
+          base: 'main'
+
+          # Enables setting an output in the format in `${FILTER_NAME}_files
+          # with the names of the matching files formatted as JSON array
+          list-files: json
+
+          # Returns list of changed files matching each filter
+          filters: |
+            translation:
+              - 'translations/**'
+            openapi:
+              - 'lib/rest/static/**'
+            notAllowed:
+              - '.github/workflows/**'
+              - '.github/CODEOWNERS'
+              - 'translations/**'
+              - 'assets/fonts/**'
+              - 'data/graphql/**'
+              - 'lib/graphql/**'
+              - 'lib/redirects/**'
+              - 'lib/rest/**'
+              - 'lib/webhooks/**'
+
+      # When there are changes to files we can't accept
+      # and no review exists,leave a REQUEST_CHANGES review
+      - name: Request pull request changes
+        # Check for no reviews or reviews that aren't CHANGES_REQUESTED
+        if: ${{ steps.filter.outputs.notAllowed == 'true' && (!steps.requested-change.outputs.result || fromJson(steps.requested-change.outputs.result).state != 'CHANGES_REQUESTED') }}
+        uses: actions/github-script@626af12fe9a53dc2972b48385e7fe7dec79145c9
+        with:
+          github-token: ${{secrets.GITHUB_TOKEN}}
+          script: |
+            const changedFiles = ${{steps.filter.outputs.notAllowed_files}}
+            const restFiles = ${{steps.filter.outputs.openapi_files}}
+            const translationFiles = ${{steps.filter.outputs.translation_files}}
+            const markdownFiles = changedFiles.map(file => `- \`${file}\`\n`).join('')
+
+            let reviewMessage = `👋 Hey there spelunker. It looks like you've modified some files that we can't accept as contributions.\n${markdownFiles}\n\nYou'll need to revert all of these ☝️ files using [GitHub Desktop](https://docs.github.com/en/free-pro-team@latest/desktop/contributing-and-collaborating-using-github-desktop/reverting-a-commit) or \`git checkout origin/main <file name>\`. Once you get those files reverted, we can continue with the review process. :octocat:`
+
+            if (restFiles.length > 0) {
+              reviewMessage += "\n\nIt looks like you've modified the OpenAPI schema (`lib/rest/static/**`). While we aren't accepting changes to the schema directly, you can open an issue for any updates to the REST API docs. Head on over to the [`github/rest-api-description`](https://github.com/github/rest-api-description/issues/new?assignees=&labels=Inaccuracy&template=schema-inaccuracy.md&title=%5BSchema+Inaccuracy%5D+%3CDescribe+Problem%3E) repository to open an issue. ⚡"
+            }
+
+            if (translationFiles.length > 0) {
+              await github.issues.addLabels({
+                ...context.repo,
+                issue_number: context.payload.number,
+                labels: ['localization']
+              })
+              reviewMessage += "\n\nIt looks like you've modified translated content. Unfortunately, we are not able to accept pull requests for translated content. Our translation process involves an integration with an external service at crowdin.com, where all translation activity happens. We hope to eventually open up the translation process to the open source community, but we're not there yet. See https://github.com/github/docs/blob/main/CONTRIBUTING.md#earth_asia-translations for more details."
+            }
+
+            await github.pulls.createReview({
+              ...context.repo,
+              pull_number: context.payload.number,
+              body: reviewMessage,
+              event: 'REQUEST_CHANGES'
+            })
+      # When the most recent review was CHANGES_REQUESTED and the existing
+      # PR no longer contains unallowed changes, dismiss the previous review
+      - name: Dismiss pull request review
+        # Check that unallowed files aren't modified and that a
+        # CHANGES_REQUESTED review already exists
+        if: ${{ steps.filter.outputs.notAllowed == 'false' && steps.requested-change.outputs.result && fromJson(steps.requested-change.outputs.result).state == 'CHANGES_REQUESTED' }}
+        uses: actions/github-script@626af12fe9a53dc2972b48385e7fe7dec79145c9
+        with:
+          github-token: ${{secrets.GITHUB_TOKEN}}
+          script: |
+            await github.pulls.dismissReview({
+              ...context.repo,
+              pull_number: context.payload.number,
+              review_id: ${{fromJson(steps.requested-change.outputs.result).id}},
+              message: `✨Looks like you reverted all files we don't accept contributions for. 🙌 A member of the docs team will review your PR soon. 🚂`
+            })

.github/workflows/triage-unallowed-contributions.yml

@@ -9,6 +9,7 @@ env:
   FREEZE: ${{ secrets.FREEZE }}
 
 on:
+  workflow_dispatch:
   schedule:
     - cron: '20 16 * * *' # run every day at 16:20 UTC / 8:20 PST
 
@@ -36,15 +37,15 @@ jobs:
       - name: Run updater scripts
         env:
           # need to use a token from a user with access to github/github for this step
-          GITHUB_TOKEN: ${{ secrets.ZEKE_PAT_WITH_REPO_AND_WORKFLOW_SCOPE_FOR_REPO_SYNC }}
+          GITHUB_TOKEN: ${{ secrets.RACHMARI_REPO_WORKFLOW }}
         run: |
           script/graphql/update-files.js
       - name: Create pull request
         id: create-pull-request
-        uses: peter-evans/create-pull-request@938e6aea6f8dbdaced2064e948cb806c77fe87b8
+        uses: peter-evans/create-pull-request@8c603dbb04b917a9fc2dd991dc54fef54b640b43
         with:
           # need to use a token with repo and workflow scopes for this step
-          token: ${{ secrets.OCTOMERGER_PAT_WITH_REPO_AND_WORKFLOW_SCOPE }}
+          token: ${{ secrets.GITHUB_TOKEN }}
           commit-message: 'Action ran graphql script"update-files"'
           title: GraphQL schema update
           body:

.github/workflows/update-graphql-files.yml

@@ -0,0 +1,13 @@
+{
+  "version": "0.2.0",
+  "configurations": [
+    {
+      "type": "node",
+      "request": "attach",
+      "name": "Node: Nodemon",
+      "processId": "${command:PickProcess}",
+      "restart": true,
+      "protocol": "inspector",
+    },
+  ]
+}