diff --git a/Dockerfile b/Dockerfile index 0e36674c25d7..c895cafcf78a 100644 --- a/Dockerfile +++ b/Dockerfile @@ -8,7 +8,7 @@ # --------------------------------------------------------------- # To update the sha: # https://github.com/github/gh-base-image/pkgs/container/gh-base-image%2Fgh-base-noble -FROM ghcr.io/github/gh-base-image/gh-base-noble:20250625-232939-g2376d80a2 AS base +FROM ghcr.io/github/gh-base-image/gh-base-noble:20250630-232247-g421d4a07a AS base # Install curl for Node install and determining the early access branch # Install git for cloning docs-early-access & translations repos diff --git a/content/actions/concepts/runners/about-github-hosted-runners.md b/content/actions/concepts/runners/about-github-hosted-runners.md new file mode 100644 index 000000000000..6fc558423db2 --- /dev/null +++ b/content/actions/concepts/runners/about-github-hosted-runners.md 
@@ -0,0 +1,90 @@ +--- +title: About GitHub-hosted runners +shortTitle: GitHub-hosted runners +intro: '{% data variables.product.prodname_dotcom %} offers hosted virtual machines to run workflows. The virtual machine contains an environment of tools, packages, and settings available for {% data variables.product.prodname_actions %} to use.' +redirect_from: + - /articles/virtual-environments-for-github-actions + - /github/automating-your-workflow-with-github-actions/virtual-environments-for-github-actions + - /github/automating-your-workflow-with-github-actions/virtual-environments-for-github-hosted-runners + - /actions/automating-your-workflow-with-github-actions/virtual-environments-for-github-hosted-runners + - /actions/reference/virtual-environments-for-github-hosted-runners + - /actions/reference/software-installed-on-github-hosted-runners + - /actions/reference/specifications-for-github-hosted-runners + - /actions/using-github-hosted-runners/about-github-hosted-runners + - /actions/using-github-hosted-runners/about-github-hosted-runners/about-github-hosted-runners + - /actions/using-github-hosted-runners/using-github-hosted-runners/about-github-hosted-runners + - /actions/how-tos/using-github-hosted-runners/using-github-hosted-runners/about-github-hosted-runners +versions: + fpt: '*' + ghes: '*' + ghec: '*' +--- + +{% data reusables.actions.enterprise-github-hosted-runners %} + +## Overview of {% data variables.product.prodname_dotcom %}-hosted runners + +Runners are the machines that execute jobs in a {% data variables.product.prodname_actions %} workflow. For example, a runner can clone your repository locally, install testing software, and then run commands that evaluate your code. + +{% data variables.product.prodname_dotcom %} provides runners that you can use to run your jobs, or you can [host your own runners](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners). 
Each {% data variables.product.prodname_dotcom %}-hosted runner is a new virtual machine (VM) hosted by {% data variables.product.prodname_dotcom %} with the runner application and other tools preinstalled, and is available with Ubuntu Linux, Windows, or macOS operating systems. When you use a {% data variables.product.prodname_dotcom %}-hosted runner, machine maintenance and upgrades are taken care of for you. + +{% ifversion not ghes %} + +You can choose one of the standard {% data variables.product.prodname_dotcom %}-hosted runner options or, if you are on the {% data variables.product.prodname_team %} or {% data variables.product.prodname_ghe_cloud %} plan, you can provision a runner with more cores, or a runner that's powered by a GPU processor. These machines are referred to as "{% data variables.actions.hosted_runner %}." For more information, see [AUTOTITLE](/enterprise-cloud@latest/actions/using-github-hosted-runners/about-larger-runners/about-larger-runners). + +Using {% data variables.product.prodname_dotcom %}-hosted runners requires network access with at least 70 kilobits per second upload and download speeds. + +{% endif %} + +{% ifversion github-hosted-runners-emus-entitlements %} + +> [!NOTE] +> {% data reusables.actions.entitlement-minutes-emus %} For more information, see [AUTOTITLE](/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/about-enterprise-managed-users). + +{% endif %} + +{% ifversion not ghes %} + +## Runner Images + +{% data variables.product.github %} maintains our own set of VM images for our standard hosted runners. This includes the images for macOS, x64 linux and Windows images. The list of images and their included tools are managed in the [`actions/runner-images`](https://github.com/actions/runner-images) repository. Our arm64 images are partner images, and those are managed in the [`actions/partner-runner-images`](https://github.com/actions/partner-runner-images) repository. 
+ +### Preinstalled software for GitHub-owned images + +The software tools included in our GitHub-owned images are updated weekly. The update process takes several days, and the list of preinstalled software on the `main` branch is updated after the whole deployment ends. + +Workflow logs include a link to the preinstalled tools on the exact runner. To find this information in the workflow log, expand the `Set up job` section. Under that section, expand the `Runner Image` section. The link following `Included Software` will describe the preinstalled tools on the runner that ran the workflow. + +For more information, see [AUTOTITLE](/actions/monitoring-and-troubleshooting-workflows/viewing-workflow-run-history). + +{% data variables.product.prodname_dotcom %}-hosted runners include the operating system's default built-in tools, in addition to the packages listed in the above references. For example, Ubuntu and macOS runners include `grep`, `find`, and `which`, among other default tools. + +{% ifversion actions-sbom %} + +You can also view a software bill of materials (SBOM) for each build of the Windows and Ubuntu runner images. For more information, see [AUTOTITLE](/actions/security-guides/security-hardening-for-github-actions#reviewing-the-supply-chain-for-github-hosted-runners). + +{% endif %} + +We recommend using actions to interact with the software installed on runners. This approach has several benefits: +* Usually, actions provide more flexible functionality like version selection, ability to pass arguments, and parameters +* It ensures the tool versions used in your workflow will remain the same regardless of software updates + +If there is a tool that you'd like to request, please open an issue at [actions/runner-images](https://github.com/actions/runner-images). This repository also contains announcements about all major software updates on runners. 
+ +> [!NOTE] You can also install additional software on {% data variables.product.prodname_dotcom %}-hosted runners. See [AUTOTITLE](/actions/using-github-hosted-runners/customizing-github-hosted-runners). + +## Cloud hosts used by {% data variables.product.prodname_dotcom %}-hosted runners + +{% data variables.product.prodname_dotcom %} hosts Linux and Windows runners on virtual machines in Microsoft Azure with the {% data variables.product.prodname_actions %} runner application installed. The {% data variables.product.prodname_dotcom %}-hosted runner application is a fork of the Azure Pipelines Agent. Inbound ICMP packets are blocked for all Azure virtual machines, so ping or traceroute commands might not work. {% data variables.product.prodname_dotcom %} hosts macOS runners in Azure data centers. + +## Workflow continuity + +{% data reusables.actions.runner-workflow-continuity %} + +In addition, if the workflow run has been successfully queued, but has not been processed by a {% data variables.product.prodname_dotcom %}-hosted runner within 45 minutes, then the queued workflow run is discarded. + +## The `etc/hosts` file + +{% data reusables.actions.runners-etc-hosts-file %} + +{% endif %} diff --git a/content/actions/concepts/runners/index.md b/content/actions/concepts/runners/index.md index 6cbf75f973d5..69259122a96b 100644 --- a/content/actions/concepts/runners/index.md +++ b/content/actions/concepts/runners/index.md @@ -7,6 +7,7 @@ versions: ghes: '*' ghec: '*' children: + - /about-github-hosted-runners - /about-larger-runners - /about-private-networking-with-github-hosted-runners - /about-self-hosted-runners 
diff --git a/content/actions/how-tos/using-github-hosted-runners/using-github-hosted-runners/customizing-github-hosted-runners.md b/content/actions/how-tos/using-github-hosted-runners/customizing-github-hosted-runners.md similarity index 95% rename from content/actions/how-tos/using-github-hosted-runners/using-github-hosted-runners/customizing-github-hosted-runners.md rename to content/actions/how-tos/using-github-hosted-runners/customizing-github-hosted-runners.md index 3741df6b3b57..4e8b69163fa7 100644 --- a/content/actions/how-tos/using-github-hosted-runners/using-github-hosted-runners/customizing-github-hosted-runners.md +++ b/content/actions/how-tos/using-github-hosted-runners/customizing-github-hosted-runners.md @@ -4,6 +4,7 @@ intro: You can install additional software on GitHub-hosted runners as a part of versions: fpt: '*' ghec: '*' + ghes: '*' type: tutorial topics: - Workflows @@ -12,6 +13,7 @@ redirect_from: - /actions/using-github-hosted-runners/customizing-github-hosted-runners - /actions/using-github-hosted-runners/about-github-hosted-runners/customizing-github-hosted-runners - /actions/using-github-hosted-runners/using-github-hosted-runners/customizing-github-hosted-runners + - /actions/how-tos/using-github-hosted-runners/using-github-hosted-runners/customizing-github-hosted-runners --- {% data reusables.actions.enterprise-github-hosted-runners %} diff --git a/content/actions/how-tos/using-github-hosted-runners/index.md b/content/actions/how-tos/using-github-hosted-runners/index.md index 267d21d6cfb5..28dd6cbd6e9a 100644 --- a/content/actions/how-tos/using-github-hosted-runners/index.md +++ b/content/actions/how-tos/using-github-hosted-runners/index.md @@ -8,6 +8,8 @@ versions: ghes: '*' children: - /using-github-hosted-runners + - /customizing-github-hosted-runners + - /monitoring-your-current-jobs - /using-larger-runners - /connecting-to-a-private-network redirect_from: 
diff --git a/content/actions/how-tos/using-github-hosted-runners/using-github-hosted-runners/monitoring-your-current-jobs.md b/content/actions/how-tos/using-github-hosted-runners/monitoring-your-current-jobs.md similarity index 94% rename from content/actions/how-tos/using-github-hosted-runners/using-github-hosted-runners/monitoring-your-current-jobs.md rename to content/actions/how-tos/using-github-hosted-runners/monitoring-your-current-jobs.md index 7674e90c015e..e2411cfc321f 100644 --- a/content/actions/how-tos/using-github-hosted-runners/using-github-hosted-runners/monitoring-your-current-jobs.md +++ b/content/actions/how-tos/using-github-hosted-runners/monitoring-your-current-jobs.md @@ -8,8 +8,9 @@ redirect_from: - /actions/using-github-hosted-runners/monitoring-your-current-jobs - /actions/using-github-hosted-runners/about-github-hosted-runners/monitoring-your-current-jobs - /actions/using-github-hosted-runners/using-github-hosted-runners/monitoring-your-current-jobs + - /actions/how-tos/using-github-hosted-runners/using-github-hosted-runners/monitoring-your-current-jobs --- - + {% data reusables.actions.enterprise-github-hosted-runners %} ## Viewing active jobs in your organization or enterprise diff --git a/content/actions/how-tos/using-github-hosted-runners/using-github-hosted-runners.md b/content/actions/how-tos/using-github-hosted-runners/using-github-hosted-runners.md new file mode 100644 index 000000000000..5b62599aaa0d --- /dev/null +++ b/content/actions/how-tos/using-github-hosted-runners/using-github-hosted-runners.md 
@@ -0,0 +1,88 @@ +--- +title: Using GitHub-hosted runners +shortTitle: Use GitHub-hosted runners +intro: 'You can assign a job to run on a virtual machine hosted by {% data variables.product.github %}.' +versions: + fpt: '*' + ghes: '*' + ghec: '*' +--- + +{% ifversion ghes %} + +{% data reusables.actions.enterprise-github-hosted-runners %} + +{% else %} + +## Using a {% data variables.product.prodname_dotcom %}-hosted runner + +To use a {% data variables.product.prodname_dotcom %}-hosted runner, create a job and use `runs-on` to specify the type of runner that will process the job, such as `ubuntu-latest`, `windows-latest`, or `macos-latest`. For the full list of runner types, see [AUTOTITLE](/actions/reference/github-hosted-runners-reference#supported-runners-and-hardware-resources).{% ifversion repository-actions-runners %} If you have `repo: write` access to a repository, you can view a list of the runners available to use in workflows in the repository. For more information, see [Viewing available runners for a repository](#viewing-available-runners-for-a-repository).{% endif %} + +When the job begins, {% data variables.product.prodname_dotcom %} automatically provisions a new VM for that job. All steps in the job execute on the VM, allowing the steps in that job to share information using the runner's filesystem. You can run workflows directly on the VM or in a Docker container. When the job has finished, the VM is automatically decommissioned. + +The following diagram demonstrates how two jobs in a workflow are executed on two different {% data variables.product.prodname_dotcom %}-hosted runners. + +![Diagram of a workflow that consists of two jobs. One job runs on Ubuntu and the other runs on Windows.](/assets/images/help/actions/overview-github-hosted-runner.png) + +The following example workflow has two jobs, named `Run-npm-on-Ubuntu` and `Run-PSScriptAnalyzer-on-Windows`. 
When this workflow is triggered, {% data variables.product.prodname_dotcom %} provisions a new virtual machine for each job. + +* The job named `Run-npm-on-Ubuntu` is executed on a Linux VM, because the job's `runs-on:` specifies `ubuntu-latest`. +* The job named `Run-PSScriptAnalyzer-on-Windows` is executed on a Windows VM, because the job's `runs-on:` specifies `windows-latest`. + +```yaml copy +name: Run commands on different operating systems +on: + push: + branches: [ main ] + pull_request: + branches: [ main ] + +jobs: + Run-npm-on-Ubuntu: + name: Run npm on Ubuntu + runs-on: ubuntu-latest + steps: + - uses: {% data reusables.actions.action-checkout %} + - uses: {% data reusables.actions.action-setup-node %} + with: + node-version: '14' + - run: npm help + + Run-PSScriptAnalyzer-on-Windows: + name: Run PSScriptAnalyzer on Windows + runs-on: windows-latest + steps: + - uses: {% data reusables.actions.action-checkout %} + - name: Install PSScriptAnalyzer module + shell: pwsh + run: | + Set-PSRepository PSGallery -InstallationPolicy Trusted + Install-Module PSScriptAnalyzer -ErrorAction Stop + - name: Get list of rules + shell: pwsh + run: | + Get-ScriptAnalyzerRule +``` + +While the job runs, the logs and output can be viewed in the {% data variables.product.prodname_dotcom %} UI: + +![Screenshot of a workflow run. The steps for the "Run PSScriptAnalyzer on Windows" job are displayed.](/assets/images/help/repository/actions-runner-output.png) + +{% data reusables.actions.runner-app-open-source %} + +{% ifversion repository-actions-runners %} + +## Viewing available runners for a repository + +{% data reusables.actions.about-viewing-runner-list %} + +{% data reusables.repositories.navigate-to-repo %} +{% data reusables.repositories.actions-tab %} +{% data reusables.repositories.repository-runners %} +1. Review the list of available GitHub-hosted runners for the repository. 
+{% data reusables.actions.copy-runner-label %} + +{% data reusables.actions.actions-tab-new-runners-note %} + +{% endif %} +{% endif %} diff --git a/content/actions/how-tos/using-github-hosted-runners/using-github-hosted-runners/about-github-hosted-runners.md b/content/actions/how-tos/using-github-hosted-runners/using-github-hosted-runners/about-github-hosted-runners.md deleted file mode 100644 index 8c05929b3d57..000000000000 --- a/content/actions/how-tos/using-github-hosted-runners/using-github-hosted-runners/about-github-hosted-runners.md +++ /dev/null 
@@ -1,251 +0,0 @@ ---- -title: About GitHub-hosted runners -shortTitle: About GitHub-hosted runners -intro: '{% data variables.product.prodname_dotcom %} offers hosted virtual machines to run workflows. The virtual machine contains an environment of tools, packages, and settings available for {% data variables.product.prodname_actions %} to use.' -redirect_from: - - /articles/virtual-environments-for-github-actions - - /github/automating-your-workflow-with-github-actions/virtual-environments-for-github-actions - - /github/automating-your-workflow-with-github-actions/virtual-environments-for-github-hosted-runners - - /actions/automating-your-workflow-with-github-actions/virtual-environments-for-github-hosted-runners - - /actions/reference/virtual-environments-for-github-hosted-runners - - /actions/reference/software-installed-on-github-hosted-runners - - /actions/reference/specifications-for-github-hosted-runners - - /actions/using-github-hosted-runners/about-github-hosted-runners/about-github-hosted-runners - - /actions/using-github-hosted-runners/using-github-hosted-runners/about-github-hosted-runners -versions: - fpt: '*' - ghes: '*' - ghec: '*' ---- - -{% data reusables.actions.enterprise-github-hosted-runners %} - -## Overview of {% data variables.product.prodname_dotcom %}-hosted runners - -Runners are the machines that execute jobs in a {% data variables.product.prodname_actions %} workflow. For example, a runner can clone your repository locally, install testing software, and then run commands that evaluate your code. - -{% data variables.product.prodname_dotcom %} provides runners that you can use to run your jobs, or you can [host your own runners](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners). 
Each {% data variables.product.prodname_dotcom %}-hosted runner is a new virtual machine (VM) hosted by {% data variables.product.prodname_dotcom %} with the runner application and other tools preinstalled, and is available with Ubuntu Linux, Windows, or macOS operating systems. When you use a {% data variables.product.prodname_dotcom %}-hosted runner, machine maintenance and upgrades are taken care of for you. - -{% ifversion not ghes %} - -You can choose one of the standard {% data variables.product.prodname_dotcom %}-hosted runner options or, if you are on the {% data variables.product.prodname_team %} or {% data variables.product.prodname_ghe_cloud %} plan, you can provision a runner with more cores, or a runner that's powered by a GPU processor. These machines are referred to as "{% data variables.actions.hosted_runner %}." For more information, see [AUTOTITLE](/enterprise-cloud@latest/actions/using-github-hosted-runners/about-larger-runners/about-larger-runners). - -Using {% data variables.product.prodname_dotcom %}-hosted runners requires network access with at least 70 kilobits per second upload and download speeds. - -{% endif %} - -{% ifversion github-hosted-runners-emus-entitlements %} - -> [!NOTE] -> {% data reusables.actions.entitlement-minutes-emus %} For more information, see [AUTOTITLE](/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/about-enterprise-managed-users). - -{% endif %} - -{% ifversion not ghes %} - -## Using a {% data variables.product.prodname_dotcom %}-hosted runner - -To use a {% data variables.product.prodname_dotcom %}-hosted runner, create a job and use `runs-on` to specify the type of runner that will process the job, such as `ubuntu-latest`, `windows-latest`, or `macos-latest`. 
For the full list of runner types, see [AUTOTITLE](/actions/using-github-hosted-runners/about-github-hosted-runners/about-github-hosted-runners#supported-runners-and-hardware-resources).{% ifversion repository-actions-runners %} If you have `repo: write` access to a repository, you can view a list of the runners available to use in workflows in the repository. For more information, see [Viewing available runners for a repository](#viewing-available-runners-for-a-repository).{% endif %} - -When the job begins, {% data variables.product.prodname_dotcom %} automatically provisions a new VM for that job. All steps in the job execute on the VM, allowing the steps in that job to share information using the runner's filesystem. You can run workflows directly on the VM or in a Docker container. When the job has finished, the VM is automatically decommissioned. - -The following diagram demonstrates how two jobs in a workflow are executed on two different {% data variables.product.prodname_dotcom %}-hosted runners. - -![Diagram of a workflow that consists of two jobs. One job runs on Ubuntu and the other runs on Windows.](/assets/images/help/actions/overview-github-hosted-runner.png) - -The following example workflow has two jobs, named `Run-npm-on-Ubuntu` and `Run-PSScriptAnalyzer-on-Windows`. When this workflow is triggered, {% data variables.product.prodname_dotcom %} provisions a new virtual machine for each job. - -* The job named `Run-npm-on-Ubuntu` is executed on a Linux VM, because the job's `runs-on:` specifies `ubuntu-latest`. -* The job named `Run-PSScriptAnalyzer-on-Windows` is executed on a Windows VM, because the job's `runs-on:` specifies `windows-latest`. 
- -```yaml copy -name: Run commands on different operating systems -on: - push: - branches: [ main ] - pull_request: - branches: [ main ] - -jobs: - Run-npm-on-Ubuntu: - name: Run npm on Ubuntu - runs-on: ubuntu-latest - steps: - - uses: {% data reusables.actions.action-checkout %} - - uses: {% data reusables.actions.action-setup-node %} - with: - node-version: '14' - - run: npm help - - Run-PSScriptAnalyzer-on-Windows: - name: Run PSScriptAnalyzer on Windows - runs-on: windows-latest - steps: - - uses: {% data reusables.actions.action-checkout %} - - name: Install PSScriptAnalyzer module - shell: pwsh - run: | - Set-PSRepository PSGallery -InstallationPolicy Trusted - Install-Module PSScriptAnalyzer -ErrorAction Stop - - name: Get list of rules - shell: pwsh - run: | - Get-ScriptAnalyzerRule -``` - -While the job runs, the logs and output can be viewed in the {% data variables.product.prodname_dotcom %} UI: - -![Screenshot of a workflow run. The steps for the "Run PSScriptAnalyzer on Windows" job are displayed.](/assets/images/help/repository/actions-runner-output.png) - -{% data reusables.actions.runner-app-open-source %} - -{% ifversion repository-actions-runners %} - -## Viewing available runners for a repository - -{% data reusables.actions.about-viewing-runner-list %} - -{% data reusables.repositories.navigate-to-repo %} -{% data reusables.repositories.actions-tab %} -{% data reusables.repositories.repository-runners %} -1. Review the list of available GitHub-hosted runners for the repository. -{% data reusables.actions.copy-runner-label %} - -{% data reusables.actions.actions-tab-new-runners-note %} - -{% endif %} - -## Supported runners and hardware resources - -{% ifversion actions-hosted-runners %} - -Ranges of {% data variables.product.prodname_dotcom %}-hosted runners are available for use in public and private repositories. 
- -For lists of available runners, see: -* [Standard runners for **public** repositories](#standard-github-hosted-runners-for-public-repositories) -* {% ifversion ghec %}[Standard runners for **private** and **internal** repositories](#standard-github-hosted-runners-for-internal-and-private-repositories){% else %}[Standard runners for **private** repositories](#standard-github-hosted-runners-for--private-repositories){% endif %} - -{% data variables.product.prodname_dotcom %}-hosted Linux runners support hardware acceleration for Android SDK tools, which makes running Android tests much faster and consumes fewer minutes. For more information on Android hardware acceleration, see [Configure hardware acceleration for the Android Emulator](https://developer.android.com/studio/run/emulator-acceleration) in the Android Developers documentation. - -> [!NOTE] -> The `-latest` runner images are the latest stable images that {% data variables.product.prodname_dotcom %} provides, and might not be the most recent version of the operating system available from the operating system vendor. - -> [!WARNING] -> Beta and Deprecated Images are provided "as-is", "with all faults" and "as available" and are excluded from the service level agreement and warranty. Beta Images may not be covered by customer support. - -{% endif %} - -{% data reusables.actions.supported-github-runners %} - -Workflow logs list the runner used to run a job. For more information, see [AUTOTITLE](/actions/monitoring-and-troubleshooting-workflows/viewing-workflow-run-history). - -### Limitations for arm64 macOS runners - -{% data reusables.actions.macos-runner-limitations %} - -### {% data variables.actions.hosted_runner_caps %}s - -{% data reusables.actions.about-larger-runners %} - -For more information, see [AUTOTITLE](/actions/using-github-hosted-runners/about-larger-runners). - -## Runner Images - -{% data variables.product.github %} maintains our own set of VM images for our standard hosted runners. 
This includes the images for macOS, x64 linux and Windows images. The list of images and their included tools are managed in the [`actions/runner-images`](https://github.com/actions/runner-images) repository. Our arm64 images are partner images, and those are managed in the [`actions/partner-runner-images`](https://github.com/actions/partner-runner-images) repository. - -### Preinstalled software for GitHub-owned images - -The software tools included in our GitHub-owned images are updated weekly. The update process takes several days, and the list of preinstalled software on the `main` branch is updated after the whole deployment ends. - -Workflow logs include a link to the preinstalled tools on the exact runner. To find this information in the workflow log, expand the `Set up job` section. Under that section, expand the `Runner Image` section. The link following `Included Software` will describe the preinstalled tools on the runner that ran the workflow. - -For more information, see [AUTOTITLE](/actions/monitoring-and-troubleshooting-workflows/viewing-workflow-run-history). - -{% data variables.product.prodname_dotcom %}-hosted runners include the operating system's default built-in tools, in addition to the packages listed in the above references. For example, Ubuntu and macOS runners include `grep`, `find`, and `which`, among other default tools. - -{% ifversion actions-sbom %} - -You can also view a software bill of materials (SBOM) for each build of the Windows and Ubuntu runner images. For more information, see [AUTOTITLE](/actions/security-guides/security-hardening-for-github-actions#reviewing-the-supply-chain-for-github-hosted-runners). - -{% endif %} - -### Using preinstalled software - -We recommend using actions to interact with the software installed on runners. 
This approach has several benefits: -* Usually, actions provide more flexible functionality like version selection, ability to pass arguments, and parameters -* It ensures the tool versions used in your workflow will remain the same regardless of software updates - -If there is a tool that you'd like to request, please open an issue at [actions/runner-images](https://github.com/actions/runner-images). This repository also contains announcements about all major software updates on runners. - -### Installing additional software - -You can install additional software on {% data variables.product.prodname_dotcom %}-hosted runners. For more information, see [AUTOTITLE](/actions/using-github-hosted-runners/customizing-github-hosted-runners). - -## Cloud hosts used by {% data variables.product.prodname_dotcom %}-hosted runners - -{% data variables.product.prodname_dotcom %} hosts Linux and Windows runners on virtual machines in Microsoft Azure with the {% data variables.product.prodname_actions %} runner application installed. The {% data variables.product.prodname_dotcom %}-hosted runner application is a fork of the Azure Pipelines Agent. Inbound ICMP packets are blocked for all Azure virtual machines, so ping or traceroute commands might not work. {% data variables.product.prodname_dotcom %} hosts macOS runners in Azure data centers. - -## Workflow continuity - -{% data reusables.actions.runner-workflow-continuity %} - -In addition, if the workflow run has been successfully queued, but has not been processed by a {% data variables.product.prodname_dotcom %}-hosted runner within 45 minutes, then the queued workflow run is discarded. - -## Administrative privileges - -The Linux and macOS virtual machines both run using passwordless `sudo`. When you need to execute commands or install tools that require more privileges than the current user, you can use `sudo` without needing to provide a password. 
For more information, see the [Sudo Manual](https://www.sudo.ws/man/1.8.27/sudo.man.html). - -Windows virtual machines are configured to run as administrators with User Account Control (UAC) disabled. For more information, see [How User Account Control works](https://docs.microsoft.com/windows/security/identity-protection/user-account-control/how-user-account-control-works) in the Windows documentation. - -## IP addresses - -To get a list of IP address ranges that {% data variables.product.prodname_actions %} uses for {% data variables.product.prodname_dotcom %}-hosted runners, you can use the {% data variables.product.prodname_dotcom %} REST API. For more information, see the `actions` key in the response of the `GET /meta` endpoint. For more information, see [AUTOTITLE](/rest/meta/meta#get-github-meta-information). - -Windows and Ubuntu runners are hosted in Azure and subsequently have the same IP address ranges as the Azure datacenters. macOS runners are hosted in {% data variables.product.prodname_dotcom %}'s own macOS cloud. - -Since there are so many IP address ranges for {% data variables.product.prodname_dotcom %}-hosted runners, we do not recommend that you use these as allowlists for your internal resources. Instead, we recommend you use {% data variables.actions.hosted_runner %}s with a static IP address range, or self-hosted runners. For more information, see [AUTOTITLE](/actions/using-github-hosted-runners/about-larger-runners) or [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners). - -The list of {% data variables.product.prodname_actions %} IP addresses returned by the API is updated once a week. - -## Communication requirements for {% data variables.product.prodname_dotcom %}-hosted runners - -A {% data variables.product.github %}-hosted runner must establish connections to {% data variables.product.github %}-owned endpoints to perform essential communication operations. 
In addition, your runner may require access to additional networks that you specify or utilize within an action. - -To ensure proper communications for {% data variables.product.github %}-hosted runners between networks within your configuration, ensure that the following communications are allowed. - -{% data reusables.actions.domain-name-cname-recursive-firewall-rules %} - -{% data reusables.actions.runner-essential-communications %} - -## The `etc/hosts` file - -{% data reusables.actions.runners-etc-hosts-file %} - -## File systems - -{% data variables.product.prodname_dotcom %} executes actions and shell commands in specific directories on the virtual machine. The file paths on virtual machines are not static. Use the environment variables {% data variables.product.prodname_dotcom %} provides to construct file paths for the `home`, `workspace`, and `workflow` directories. - -| Directory | Environment variable | Description | -|-----------|----------------------|-------------| -| `home` | `HOME` | Contains user-related data. For example, this directory could contain credentials from a login attempt. | -| `workspace` | `GITHUB_WORKSPACE` | Actions and shell commands execute in this directory. An action can modify the contents of this directory, which subsequent actions can access. | -| `workflow/event.json` | `GITHUB_EVENT_PATH` | The `POST` payload of the webhook event that triggered the workflow. {% data variables.product.prodname_dotcom %} rewrites this each time an action executes to isolate file content between actions. - -For a list of the environment variables {% data variables.product.prodname_dotcom %} creates for each workflow, see [AUTOTITLE](/actions/reference/variables-reference#default-environment-variables). - -### Docker container filesystem - -Actions that run in Docker containers have static directories under the `/github` path. However, we strongly recommend using the default environment variables to construct file paths in Docker containers. 
- -{% data variables.product.prodname_dotcom %} reserves the `/github` path prefix and creates three directories for actions. - -* `/github/home` -* `/github/workspace` - {% data reusables.repositories.action-root-user-required %} -* `/github/workflow` - -## Further reading - -* [AUTOTITLE](/billing/managing-billing-for-github-actions) -* You can use a matrix strategy to run your jobs on multiple images. For more information, see [AUTOTITLE](/actions/using-jobs/using-a-matrix-for-your-jobs). - -{% endif %} diff --git a/content/actions/how-tos/using-github-hosted-runners/using-github-hosted-runners/index.md b/content/actions/how-tos/using-github-hosted-runners/using-github-hosted-runners/index.md deleted file mode 100644 index d5a13e0ab2af..000000000000 --- a/content/actions/how-tos/using-github-hosted-runners/using-github-hosted-runners/index.md +++ /dev/null @@ -1,18 +0,0 @@ ---- -title: Using GitHub-hosted runners -shortTitle: About GitHub-hosted runners -intro: '{% data variables.product.prodname_dotcom %} offers hosted virtual machines to run workflows. The virtual machine contains an environment of tools, packages, and settings available for {% data variables.product.prodname_actions %} to use.' -versions: - fpt: '*' - ghec: '*' - ghes: '*' -children: - - /about-github-hosted-runners - - /monitoring-your-current-jobs - - /customizing-github-hosted-runners -redirect_from: - - /actions/using-github-hosted-runners/about-github-hosted-runners - - /actions/using-github-hosted-runners/using-github-hosted-runners ---- - -{% data reusables.actions.enterprise-github-hosted-runners %} diff --git a/content/actions/reference/github-hosted-runners-reference.md b/content/actions/reference/github-hosted-runners-reference.md new file mode 100644 index 000000000000..de08982a09d2 --- /dev/null +++ b/content/actions/reference/github-hosted-runners-reference.md 
@@ -0,0 +1,99 @@ +--- +title: GitHub-hosted runners reference +shortTitle: GitHub-hosted runners reference +intro: 'Find information about {% data variables.product.github %}-hosted runners, including their specifications and customization options.' +versions: + fpt: '*' + ghes: '*' + ghec: '*' +--- + +{% ifversion ghes %} + +{% data reusables.actions.enterprise-github-hosted-runners %} + +{% else %} + +## Supported runners and hardware resources + +{% ifversion actions-hosted-runners %} + +Ranges of {% data variables.product.prodname_dotcom %}-hosted runners are available for use in public and private repositories. + +For lists of available runners, see: +* [Standard runners for **public** repositories](#standard-github-hosted-runners-for-public-repositories) +* {% ifversion ghec %}[Standard runners for **private** and **internal** repositories](#standard-github-hosted-runners-for-internal-and-private-repositories){% else %}[Standard runners for **private** repositories](#standard-github-hosted-runners-for--private-repositories){% endif %} + +{% data variables.product.prodname_dotcom %}-hosted Linux runners support hardware acceleration for Android SDK tools, which makes running Android tests much faster and consumes fewer minutes. For more information on Android hardware acceleration, see [Configure hardware acceleration for the Android Emulator](https://developer.android.com/studio/run/emulator-acceleration) in the Android Developers documentation. + +> [!NOTE] +> The `-latest` runner images are the latest stable images that {% data variables.product.prodname_dotcom %} provides, and might not be the most recent version of the operating system available from the operating system vendor. + +> [!WARNING] +> Beta and Deprecated Images are provided "as-is", "with all faults" and "as available" and are excluded from the service level agreement and warranty. Beta Images may not be covered by customer support. 
+ +{% endif %} + +{% data reusables.actions.supported-github-runners %} + +Workflow logs list the runner used to run a job. For more information, see [AUTOTITLE](/actions/monitoring-and-troubleshooting-workflows/viewing-workflow-run-history). + +### Limitations for arm64 macOS runners + +{% data reusables.actions.macos-runner-limitations %} + +### {% data variables.actions.hosted_runner_caps %}s + +{% data reusables.actions.about-larger-runners %} + +For more information, see [AUTOTITLE](/actions/using-github-hosted-runners/about-larger-runners). + +## Administrative privileges + +The Linux and macOS virtual machines both run using passwordless `sudo`. When you need to execute commands or install tools that require more privileges than the current user, you can use `sudo` without needing to provide a password. For more information, see the [Sudo Manual](https://www.sudo.ws/man/1.8.27/sudo.man.html). + +Windows virtual machines are configured to run as administrators with User Account Control (UAC) disabled. For more information, see [How User Account Control works](https://docs.microsoft.com/windows/security/identity-protection/user-account-control/how-user-account-control-works) in the Windows documentation. + +## IP addresses + +To get a list of IP address ranges that {% data variables.product.prodname_actions %} uses for {% data variables.product.prodname_dotcom %}-hosted runners, you can use the {% data variables.product.prodname_dotcom %} REST API. For more information, see the `actions` key in the response of the `GET /meta` endpoint. For more information, see [AUTOTITLE](/rest/meta/meta#get-github-meta-information). + +Windows and Ubuntu runners are hosted in Azure and subsequently have the same IP address ranges as the Azure datacenters. macOS runners are hosted in {% data variables.product.prodname_dotcom %}'s own macOS cloud. 
+ +Since there are so many IP address ranges for {% data variables.product.prodname_dotcom %}-hosted runners, we do not recommend that you use these as allowlists for your internal resources. Instead, we recommend you use {% data variables.actions.hosted_runner %}s with a static IP address range, or self-hosted runners. For more information, see [AUTOTITLE](/actions/using-github-hosted-runners/about-larger-runners) or [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners). + +The list of {% data variables.product.prodname_actions %} IP addresses returned by the API is updated once a week. + +## Communication requirements for {% data variables.product.prodname_dotcom %}-hosted runners + +A {% data variables.product.github %}-hosted runner must establish connections to {% data variables.product.github %}-owned endpoints to perform essential communication operations. In addition, your runner may require access to additional networks that you specify or utilize within an action. + +To ensure proper communications for {% data variables.product.github %}-hosted runners between networks within your configuration, ensure that the following communications are allowed. + +{% data reusables.actions.domain-name-cname-recursive-firewall-rules %} + +{% data reusables.actions.runner-essential-communications %} + +## File systems + +{% data variables.product.prodname_dotcom %} executes actions and shell commands in specific directories on the virtual machine. The file paths on virtual machines are not static. Use the environment variables {% data variables.product.prodname_dotcom %} provides to construct file paths for the `home`, `workspace`, and `workflow` directories. + +| Directory | Environment variable | Description | +|-----------|----------------------|-------------| +| `home` | `HOME` | Contains user-related data. For example, this directory could contain credentials from a login attempt. 
| +| `workspace` | `GITHUB_WORKSPACE` | Actions and shell commands execute in this directory. An action can modify the contents of this directory, which subsequent actions can access. | +| `workflow/event.json` | `GITHUB_EVENT_PATH` | The `POST` payload of the webhook event that triggered the workflow. {% data variables.product.prodname_dotcom %} rewrites this each time an action executes to isolate file content between actions. + +For a list of the environment variables {% data variables.product.prodname_dotcom %} creates for each workflow, see [AUTOTITLE](/actions/learn-github-actions/variables#default-environment-variables). + +### Docker container filesystem + +Actions that run in Docker containers have static directories under the `/github` path. However, we strongly recommend using the default environment variables to construct file paths in Docker containers. + +{% data variables.product.prodname_dotcom %} reserves the `/github` path prefix and creates three directories for actions. + +* `/github/home` +* `/github/workspace` - {% data reusables.repositories.action-root-user-required %} +* `/github/workflow` + +{% endif %} diff --git a/content/actions/reference/index.md b/content/actions/reference/index.md index d03443a4efb7..72dac46857ee 100644 --- a/content/actions/reference/index.md +++ b/content/actions/reference/index.md @@ -16,8 +16,8 @@ children: - /metadata-syntax-reference - /actions-limits - /dockerfile-support-for-github-actions + - /github-hosted-runners-reference - /supported-architectures-and-operating-systems-for-self-hosted-runners - /usage-limits-for-self-hosted-runners - /supplemental-arguments-and-settings --- - diff --git a/content/admin/managing-code-security/securing-your-enterprise/configuring-additional-secret-scanning-settings-for-your-enterprise.md b/content/admin/managing-code-security/securing-your-enterprise/configuring-additional-secret-scanning-settings-for-your-enterprise.md index 414a529f6a7c..407c0b391153 100644 
--- a/content/admin/managing-code-security/securing-your-enterprise/configuring-additional-secret-scanning-settings-for-your-enterprise.md +++ b/content/admin/managing-code-security/securing-your-enterprise/configuring-additional-secret-scanning-settings-for-your-enterprise.md @@ -16,7 +16,8 @@ topics: There are some additional {% data variables.product.prodname_secret_scanning %} settings that cannot be applied to repositories using {% data variables.product.prodname_security_configurations %}, so you must configure these settings separately: * [Configuring a resource link for push protection](#configuring-a-resource-link-for-push-protection) -* [Controlling features for new repositories created in a user namespace](#controlling-features-for-new-repositories-created-in-a-user-namespace) +* [Controlling features for new repositories created in a user namespace](#controlling-features-for-new-repositories-created-in-a-user-namespace){% ifversion push-protected-pattern-configuration %} +* [Specifying patterns to include in push protection for your enterprise](#specifying-patterns-to-include-in-push-protection-for-your-enterprise){% endif %} These additional settings apply only to repositories with {% data variables.product.prodname_secret_scanning %} and {% data variables.product.prodname_GHAS %} both enabled{% ifversion ghas-products %}, or with {% data variables.product.prodname_GH_secret_protection %} enabled{% endif %}. 
@@ -31,7 +32,7 @@ These additional settings apply only to repositories with {% data variables.prod To provide context for developers when {% data variables.product.prodname_secret_scanning %} blocks a commit, you can display a link with more information on why the commit was blocked. -1. Under "Additional settings", to the right of "Resource link for push protection", click **{% octicon "pencil" aria-hidden="true" aria-label="pencil" %}**. +1. Under "Additional settings", in the "{% data variables.product.UI_secret_protection_scanning %}" section and to the right of "Resource link for push protection", click **{% octicon "pencil" aria-hidden="true" aria-label="pencil" %}**. 1. In the text box, type the link to the desired resource, then click **{% octicon "check" aria-label="Save" %}**. ### Controlling features for new repositories created in a user namespace 
@@ -39,3 +40,17 @@ To provide context for developers when {% data variables.product.prodname_secret To ensure that any repositories created by users outside of an organization are protected by the same security features as repositories created within an organization, you can enable or disable {% data variables.product.prodname_secret_scanning %} features for new repositories created in a user namespace. Under "Additional settings", use the options in the "User namespace repositories" section to enable or disable features for new repositories. + +{% ifversion push-protected-pattern-configuration %} + +### Specifying patterns to include in push protection for your enterprise + +{% data reusables.secret-scanning.push-protected-pattern-configuration-org-enterprise-preview %} + +You can customize which secret patterns are included in push protection, giving security teams greater control over what types of secrets are blocked in the repositories in your enterprise. + +1. Under "Additional settings", in the "{% data variables.product.UI_secret_protection_scanning %}" section, click anywhere inside the "Pattern configurations for push protection" row. +1. In the page that gets displayed, make the desired changes in the "Enterprise setting" column. +{% data reusables.secret-scanning.pattern-enablement-org-enterprise %} + +{% endif %} diff --git a/content/admin/overview/establishing-a-governance-framework-for-your-enterprise.md b/content/admin/overview/establishing-a-governance-framework-for-your-enterprise.md index d9429996c2cb..b0cf7fc13845 100644 --- a/content/admin/overview/establishing-a-governance-framework-for-your-enterprise.md +++ b/content/admin/overview/establishing-a-governance-framework-for-your-enterprise.md 
@@ -94,6 +94,14 @@ See [AUTOTITLE](/code-security/secret-scanning/introduction/about-push-protectio Push protection can be enabled at the organization, repository, and user account level. See [AUTOTITLE](/code-security/secret-scanning/enabling-secret-scanning-features/enabling-push-protection-for-your-repository). +{% ifversion push-protected-pattern-configuration %} + +{% data reusables.secret-scanning.push-protected-pattern-configuration-org-enterprise-preview %} + +To align secret detection with internal security policies and more effectively prevent unauthorized exposure of sensitive information in your repositories, you can customize which secret patterns are included in push protection at the enterprise or organization level. See [AUTOTITLE](/admin/managing-code-security/securing-your-enterprise/configuring-additional-secret-scanning-settings-for-your-enterprise#specifying-patterns-to-include-in-push-protection-for-your-enterprise) and [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization#specifying-patterns-to-include-in-push-protection). + +{% endif %} + {% ifversion push-protection-delegated-bypass %} ## Setting up an approval process for sensitive actions diff --git a/content/billing/managing-billing-for-your-products/managing-licenses-for-visual-studio-subscriptions-with-github-enterprise/about-visual-studio-subscriptions-with-github-enterprise.md b/content/billing/managing-billing-for-your-products/managing-licenses-for-visual-studio-subscriptions-with-github-enterprise/about-visual-studio-subscriptions-with-github-enterprise.md index b9b6f6c167a3..ae37cec62e2b 100644 --- a/content/billing/managing-billing-for-your-products/managing-licenses-for-visual-studio-subscriptions-with-github-enterprise/about-visual-studio-subscriptions-with-github-enterprise.md 
+++ b/content/billing/managing-billing-for-your-products/managing-licenses-for-visual-studio-subscriptions-with-github-enterprise/about-visual-studio-subscriptions-with-github-enterprise.md 
@@ -34,7 +34,9 @@ After you assign a license for {% data variables.visual_studio.prodname_vss_ghec > [!NOTE] For {% data variables.product.prodname_emu %} only, to make sure a user account consumes a {% data variables.product.prodname_vs %} license, ensure the {% data variables.product.prodname_vs %} UPN matches the SCIM `userName` attribute or the email address from the linked identity on the {% data variables.product.prodname_dotcom %} account. -The total quantity of your licenses for your enterprise on {% data variables.product.prodname_dotcom %} is the sum of any standard {% data variables.product.prodname_enterprise %} licenses and the number of {% data variables.product.prodname_vs %} subscription licenses that include access to {% data variables.product.prodname_dotcom %}. If the personal account for an enterprise member does not correspond with the email address for a {% data variables.product.prodname_vs %} subscriber, the license that the personal account consumes is unavailable for a {% data variables.product.prodname_vs %} subscriber. +The total quantity of your licenses for your enterprise on {% data variables.product.prodname_dotcom %} is the sum of any standard {% data variables.product.prodname_enterprise %} licenses and the number of {% data variables.product.prodname_vs %} subscription licenses that include access to {% data variables.product.prodname_dotcom %}. + +If the personal account for an enterprise member does not correspond with the email address for a {% data variables.product.prodname_vs %} subscriber, an enterprise owner can manually match the accounts to consolidate licenses. Under the terms of service, the {% data variables.product.github %} account and {% data variables.product.prodname_vs %} subscription must belong to the same person. For more information about {% data variables.product.prodname_enterprise %}, see [AUTOTITLE](/get-started/learning-about-github/githubs-plans#github-enterprise). 
For more information about accounts on {% data variables.product.prodname_dotcom %}, see [AUTOTITLE](/get-started/learning-about-github/types-of-github-accounts). diff --git a/content/billing/managing-billing-for-your-products/managing-licenses-for-visual-studio-subscriptions-with-github-enterprise/setting-up-visual-studio-subscriptions-with-github-enterprise.md b/content/billing/managing-billing-for-your-products/managing-licenses-for-visual-studio-subscriptions-with-github-enterprise/setting-up-visual-studio-subscriptions-with-github-enterprise.md index 8f097452b461..8ff638adb136 100644 --- a/content/billing/managing-billing-for-your-products/managing-licenses-for-visual-studio-subscriptions-with-github-enterprise/setting-up-visual-studio-subscriptions-with-github-enterprise.md +++ b/content/billing/managing-billing-for-your-products/managing-licenses-for-visual-studio-subscriptions-with-github-enterprise/setting-up-visual-studio-subscriptions-with-github-enterprise.md 
@@ -57,8 +57,33 @@ One person may be able to complete the tasks because the person has all of the r > * If the subscriber accepts the invitation to the organization with an existing personal account on {% data variables.location.product_location %}, we recommend that the subscriber add the email address they use for {% data variables.product.prodname_vs %} to their personal account on {% data variables.location.product_location %}. For more information, see [AUTOTITLE](/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-email-preferences/adding-an-email-address-to-your-github-account). > * If the organization owner must invite a large number of subscribers, a script may make the process faster. For more information, see [the sample PowerShell script](https://github.com/github/platform-samples/blob/master/api/powershell/invite_members_to_org.ps1) in the `github/platform-samples` repository. +1. If any enterprise members aren't automatically matched to their {% data variables.product.prodname_vs %} account, an enterprise owner can match the accounts manually on {% data variables.product.github %}. See [Reconciling users across {% data variables.product.prodname_vs %} and {% data variables.product.github %}](#reconciling-users-across-visual-studio-and-github). + After {% data variables.visual_studio.prodname_vss_ghe %} is set up for subscribers on your team, enterprise owners can review licensing information on {% data variables.location.product_location %}. For more information, see [AUTOTITLE](/billing/managing-the-plan-for-your-github-account/viewing-the-subscription-and-usage-for-your-enterprise-account). 
+## Reconciling users across {% data variables.product.prodname_vs %} and {% data variables.product.github %} + +To stay compliant with the terms of use, a {% data variables.product.github %} **enterprise owner** should ensure all user accounts are correctly matched across {% data variables.product.github %} and {% data variables.product.prodname_vs %}. + +Most users are automatically matched across {% data variables.product.github %} and {% data variables.product.prodname_vs %}. If a user has different email addresses in {% data variables.product.github %} and {% data variables.product.prodname_vs %}, you may need to match the accounts manually. + +Under the terms of use, the {% data variables.product.github %} account and {% data variables.product.prodname_vs %} account for a single license must belong to the same person. + +### 1. Audit user mappings + +To audit your user mappings, download a summary of assigned users from the {% data variables.product.prodname_vs %} portal, and compare it against the verified emails of users in your {% data variables.product.github %} enterprise. See [AUTOTITLE](/enterprise-cloud@latest/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/viewing-people-in-your-enterprise#viewing-members-email-addresses). + +### 2. Match users to {% data variables.product.prodname_vs %} + +When you've identified {% data variables.product.github %} users who aren't correctly matched to their {% data variables.product.prodname_vs %} account, you can update the mappings on {% data variables.product.github %}. You can't update mappings for users who have been automatically matched. + +1. Go to your enterprise on {% data variables.product.github %} and click **{% octicon "credit-card" aria-hidden="true" aria-label="credit-card" %} Billing and licensing**. +1. In the left sidebar, click **{% octicon "law" aria-hidden="true" aria-label="law" %} Licensing**. +1. On the Licensing page, next to "Enterprise Cloud", click **Manage**. 
+1. In the list of users, look for users with an "Enterprise" license type. These are enterprise members that aren't matched to a user in your {% data variables.product.prodname_vs %} subscription. +1. To match a user to their {% data variables.product.prodname_vs %} account, click {% octicon "kebab-horizontal" aria-label="More options" %}, then click **Change to {% data variables.product.prodname_vs %} license**. +1. Select the user's {% data variables.product.prodname_vs %} login email, then click **Confirm change**. + ## Further reading * [AUTOTITLE](/get-started/onboarding/getting-started-with-github-enterprise-cloud) diff --git a/content/code-security/secret-scanning/introduction/about-push-protection.md b/content/code-security/secret-scanning/introduction/about-push-protection.md index f0808ead500d..e82b2eef34f2 100644 --- a/content/code-security/secret-scanning/introduction/about-push-protection.md +++ b/content/code-security/secret-scanning/introduction/about-push-protection.md 
@@ -88,6 +88,14 @@ Every user across {% data variables.product.prodname_dotcom %} can also enable p Once push protection is enabled, you can customize it further: +{% ifversion push-protected-pattern-configuration %} + +### Configure push protected patterns + +Customize which secret patterns are included in push protection at the enterprise or organization level. See [AUTOTITLE](/admin/managing-code-security/securing-your-enterprise/configuring-additional-secret-scanning-settings-for-your-enterprise#specifying-patterns-to-include-in-push-protection-for-your-enterprise) and [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization#specifying-patterns-to-include-in-push-protection). + +{% endif %} + ### Define custom patterns Define custom patterns that push protection can use to identify secrets and block pushes containing these secrets. For more information, see [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning). diff --git a/content/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization.md b/content/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization.md index 6f488832b672..3710c8f57fbf 100644 --- a/content/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization.md +++ b/content/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization.md 
@@ -78,7 +78,7 @@ You can customize several {% data variables.product.prodname_global_settings %} * [Enabling {% data variables.copilot.copilot_autofix_short %} for {% data variables.product.prodname_codeql %}](#enabling-copilot-autofix-for-codeql) * [Enabling {% data variables.copilot.copilot_autofix_short %} for third-party {% data variables.product.prodname_code_scanning %} tools](#enabling-copilot-autofix-for-third-party-code-scanning-tools) {% endif %} * [Recommending the extended query suite for default setup](#recommending-the-extended-query-suite-for-default-setup){% ifversion ghes < 3.17 %} -* [Setting a failure threshold for {% data variables.product.prodname_code_scanning %} checks in pull requests](#setting-a-failure-threshold-for-code-scanning-checks-in-pull-requests){% endif %} +* [Setting a failure threshold for {% data variables.product.prodname_code_scanning %} checks in pull requests](#setting-a-failure-threshold-for-code-scanning-checks-in-pull-requests) {% endif %} @@ -116,7 +116,8 @@ You can choose the severity levels at which {% data variables.product.prodname_c You can customize several {% data variables.product.prodname_global_settings %} for {% data variables.product.prodname_secret_scanning %}: * [Adding a resource link for blocked commits](#adding-a-resource-link-for-blocked-commits) -* [Defining custom patterns](#defining-custom-patterns) +* [Defining custom patterns](#defining-custom-patterns){% endif %}{% ifversion push-protected-pattern-configuration %} +* [Specifying patterns to include in push protection](#specifying-patterns-to-include-in-push-protection){% endif %} ### Adding a resource link for blocked commits 
@@ -126,6 +127,20 @@ To provide context for developers when {% data variables.product.prodname_secret You can define custom patterns for {% data variables.product.prodname_secret_scanning %} with regular expressions. Custom patterns can identify secrets that are not detected by the default patterns supported by {% data variables.product.prodname_secret_scanning %}. To create a custom pattern, click **New pattern**, then enter the details for your pattern and click **Save and dry run**. For more information on custom patterns, see [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning). +{% ifversion push-protected-pattern-configuration %} + +### Specifying patterns to include in push protection + +{% data reusables.secret-scanning.push-protected-pattern-configuration-org-enterprise-preview %} + +You can customize which secret patterns are included in push protection, giving security teams greater control over what types of secrets are blocked in the repositories in your organization. + +1. Under "Additional settings", in the "{% data variables.product.prodname_secret_scanning_caps %}" section and to the right of "Pattern configurations", click **{% octicon "gear" aria-label="The Gear icon" %}**. +1. In the page that gets displayed, make the desired changes in the "Organization setting" column. +{% data reusables.secret-scanning.pattern-enablement-org-enterprise %} + +{% endif %} + ## Creating security managers for your organization The security manager role grants members of your organization the ability to manage security settings and alerts across your organization. Security managers can view data for all repositories in your organization through security overview. diff --git a/content/copilot/concepts/about-copilot-coding-agent.md b/content/copilot/concepts/about-copilot-coding-agent.md index 5e001f08c40a..63168558c0a7 100644 
--- a/content/copilot/concepts/about-copilot-coding-agent.md +++ b/content/copilot/concepts/about-copilot-coding-agent.md @@ -102,7 +102,6 @@ Users can include hidden messages in issues assigned to {% data variables.produc * **{% data variables.product.prodname_copilot_short %} can only access context in the same repository as the assigned issue**. By default, an integration with the {% data variables.product.prodname_copilot_short %} MCP server provides {% data variables.product.prodname_copilot_short %} access to one repository at a time. You can, however, configure broader access. See [AUTOTITLE](/copilot/using-github-copilot/coding-agent/extending-copilot-coding-agent-with-mcp). * **{% data variables.product.prodname_copilot_short %} can only open one pull request at a time**. {% data variables.product.prodname_copilot_short %} will open exactly one pull request to address each task it is assigned. * **{% data variables.product.prodname_copilot_short %} cannot work on an existing pull request that it didn't create**. If you would like {% data variables.product.prodname_copilot_short %} to provide feedback on an existing pull request, you can add it as a reviewer. See [AUTOTITLE](/copilot/using-github-copilot/code-review/using-copilot-code-review). -* **{% data variables.product.prodname_copilot_short %} will always start its changes from the repository's default branch**. {% data variables.product.prodname_copilot_short %} cannot branch off from any other branch—for example, a feature branch or a release branch. ### Limitations in Copilot's compatibility with other features diff --git a/content/copilot/how-tos/agents/copilot-coding-agent/asking-copilot-to-create-a-pull-request.md b/content/copilot/how-tos/agents/copilot-coding-agent/asking-copilot-to-create-a-pull-request.md index 1e4cc1bf0bb5..136a4c0ef4bb 100644 --- a/content/copilot/how-tos/agents/copilot-coding-agent/asking-copilot-to-create-a-pull-request.md 
+++ b/content/copilot/how-tos/agents/copilot-coding-agent/asking-copilot-to-create-a-pull-request.md @@ -36,7 +36,7 @@ You can ask {% data variables.product.prodname_copilot_short %} to work on a tas For example, `Implement a user friendly message for common errors.` ![Screenshot of asking Copilot to create a pull request from the Agents page.](/assets/images/help/copilot/coding-agent/agents-page-input.png) - + 1. Click the **Send now** button or press Return. {% data variables.product.prodname_copilot_short %} will start a new session, which will appear in the list below the prompt box. {% data variables.product.prodname_copilot_short %} will work on the task and push changes to its pull request, then add you as a reviewer when it has finished, triggering a notification. @@ -54,6 +54,10 @@ You can ask {% data variables.product.prodname_copilot_short %} to work on a tas > [!IMPORTANT] > {% data reusables.copilot.coding-agent.use-chat-participant-in-vsc %} + > [!TIP] + > * To help {% data variables.product.prodname_copilot_short %}, you can select the relevant line(s) of code before submitting your prompt. + > * From {% data variables.copilot.copilot_chat_short %}, you can ask {% data variables.product.prodname_copilot_short %} to open a pull request using a specific branch as the base branch by including it in your prompt. + 1. Submit your prompt. {% data variables.product.prodname_copilot_short %} asks you to confirm that you want to use the coding agent to create a pull request. diff --git a/content/copilot/reference/github-copilot-chat-cheat-sheet.md b/content/copilot/reference/github-copilot-chat-cheat-sheet.md index 527735db5434..63a76c4f339e 100644 --- a/content/copilot/reference/github-copilot-chat-cheat-sheet.md +++ b/content/copilot/reference/github-copilot-chat-cheat-sheet.md 
@@ -19,6 +19,16 @@ This version of this article is for {% data variables.product.prodname_copilot_s For information about how to get started with {% data variables.copilot.copilot_chat_short %} in the {% data variables.product.github %} website, see [AUTOTITLE](/copilot/using-github-copilot/asking-github-copilot-questions-in-github). +## Mentions + +Use `@` mentions in to attach relevant context directly to your conversations. Type `@` in the chat prompt box to display a list of items you can attach, such as: +* Discussions +* Extensions +* Files +* Issues +* Pull requests +* Repositories + ## Slash commands Use slash commands to avoid writing complex prompts for common scenarios. To use a slash command, type `/` in the chat prompt box, followed by the command name. diff --git a/data/features/push-protected-pattern-configuration.yml b/data/features/push-protected-pattern-configuration.yml new file mode 100644 index 000000000000..f5a544f5b0c5 --- /dev/null +++ b/data/features/push-protected-pattern-configuration.yml @@ -0,0 +1,6 @@ +# Issue 16897 +# Configuration for push protected patterns in secret scanning [Public Preview] +versions: + fpt: '*' + ghec: '*' + ghes: '>3.18' diff --git a/data/reusables/secret-scanning/pattern-enablement-org-enterprise.md b/data/reusables/secret-scanning/pattern-enablement-org-enterprise.md new file mode 100644 index 000000000000..abd26ff7c8d8 --- /dev/null +++ b/data/reusables/secret-scanning/pattern-enablement-org-enterprise.md 
@@ -0,0 +1,17 @@ + You can enable or disable push protection for individual patterns by using the toggle in the relevant column: "Enterprise setting" at the enterprise level, and "Organization setting" at the organization level. + + The data is limited to the scope, therefore the alert volume, false positives, bypass rate, or availability of custom patterns is reflective of user / alert activity within the _enterprise_ or _organization_. + + The {% data variables.product.github %} default may change over time as we increase precision and promote patterns. + + > [!NOTE] Organization administrators and security teams can override settings configured at the enterprise level. + + | Column | Description | + |---------------------------------------------|----------------------------------------------| + | Name | Name of the pattern or secret | + | Alert total | Total number of alerts for the pattern (percentage and absolute numbers) | + | False positives | Percentage of false positives for the pattern | + | Bypass rate | Percentage of bypasses for the pattern | + | {% data variables.product.github %} default | Default behavior for push protection, as recommended by {% data variables.product.github %} | + | Enterprise setting | **Uneditable at organization level**
Current enablement status for push protection
Can be `Enabled`, `Disabled`, and `Default`.
At enterprise level, `Default` is the default value. | + | Organization setting | **Only valid at organization level**
Current enablement status for push protection
Can be `Enabled`, `Disabled`, and `Enterprise` (inherited from the enterprise).
`Enterprise` is the default value. | diff --git a/data/reusables/secret-scanning/push-protected-pattern-configuration-org-enterprise-preview.md b/data/reusables/secret-scanning/push-protected-pattern-configuration-org-enterprise-preview.md new file mode 100644 index 000000000000..37b86cc58c4e --- /dev/null +++ b/data/reusables/secret-scanning/push-protected-pattern-configuration-org-enterprise-preview.md @@ -0,0 +1,2 @@ +> [!NOTE] +> The configuration of patterns for push protection at enterprise and organization level is currently in {% data variables.release-phases.public_preview %} and subject to change.
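Review bot: In the `about-copilot-coding-agent.md` hunk, deleting the "will always start its changes from the repository's default branch" bullet leaves the base-branch behaviour undocumented in the limitations list, while the only mention of the new behaviour is the Copilot Chat tip added in `asking-copilot-to-create-a-pull-request.md`. Consider replacing the removed bullet with a statement of the current behaviour (default branch unless a base branch is specified in the prompt) so readers assigning issues from the UI, where no prompt is given, still know which branch the agent will start from.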
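Review bot: In the second `asking-copilot-to-create-a-pull-request.md` hunk, the new tip "ask Copilot to open a pull request using a specific branch as the base branch by including it in your prompt" gives no example and does not say what happens when no branch is named or when the named branch does not exist. A short example prompt and a sentence such as "If you do not specify a base branch, Copilot uses the repository's default branch" would make the tip actionable and keep it consistent with the limitation removed from `about-copilot-coding-agent.md` in the same change.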
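Review bot: In the `github-copilot-chat-cheat-sheet.md` hunk, "Use `@` mentions in to attach relevant context" has a stray "in"; suggest "Use `@` mentions to attach relevant context directly to your conversations." The added "Mentions" section also does not say which of the listed item types are available in which surface (the paragraph above it is specific to Copilot Chat on the GitHub website), so consider stating that scope explicitly.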
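Review bot: In the `push-protected-pattern-configuration.yml` hunk, the feature flag is declared with `ghes: '>3.18'` but none of the new reusables in this change are wrapped in an `ifversion push-protected-pattern-configuration` block, so gating depends entirely on the calling articles, which are not in this diff. Confirm that the callers wrap the reusables, and that `>3.18` (i.e. 3.19 and later) is the intended GHES range for a public preview rather than `>=3.18`.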
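Review bot: In the `pattern-enablement-org-enterprise.md` hunk, the note "Organization administrators and security teams can override settings configured at the enterprise level" does not say in which direction an override is allowed; for a push protection control the security-relevant question is whether an organization can set a pattern to `Disabled` when the enterprise has set it to `Enabled`, so state that explicitly. Two smaller points in the same hunk: the "Enterprise setting" and "Organization setting" cells contain several lines of text, which breaks a Markdown table unless the line breaks are written as `<br>`, and the callout should follow the convention used in `push-protected-pattern-configuration-org-enterprise-preview.md` (`> [!NOTE]` on its own line, text on the next). "Can be `Enabled`, `Disabled`, and `Default`" reads better as "Can be `Enabled`, `Disabled`, or `Default`".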