Merge pull request #36097 from github/repo-sync
Repo sync
docs-bot authored Jan 29, 2025
2 parents 25d6109 + 758ac42 commit d708fd6
Showing 21 changed files with 44 additions and 365 deletions.
3 changes: 2 additions & 1 deletion .github/PULL_REQUEST_TEMPLATE.md
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,8 @@ Thank you for contributing to this project! You must fill out the information be

### Why:

Closes: ISSUE_NUMBER
<!-- Paste the issue link or number here -->
Closes:

<!-- If there's an existing issue for your change, please link to it above.
If there's _not_ an existing issue, please open one first to make it more likely that this update will be accepted: https://github.com/github/docs/issues/new/choose. -->
5 changes: 2 additions & 3 deletions .github/actions/precompute-pageinfo/action.yml
Expand Up @@ -23,9 +23,8 @@ runs:
key: pageinfo-cache-
restore-keys: pageinfo-cache-

# When we use this composite action from the workflows like
# Azure Preview Deploy and Azure Production Deploy, we don't have
# any Node installed or any of its packages. I.e. we never
# When we use this composite action from deployment workflows
# we don't have any Node installed or any of its packages. I.e. we never
# run `npm ci` in those actions. For security sake.
# So we can't do things that require Node code.
# Tests and others will omit the `restore-only` input, but
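Review bot: The rewritten comment drops the workflow names but keeps "For security sake", which reads oddly and never says what the security benefit is; suggest "For security's sake: we never run `npm ci` in deployment workflows, so no third-party packages are installed or executed there, which is why those workflows pass `restore-only`", so the next reader knows why the input exists rather than only that Node is absent.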
5 changes: 2 additions & 3 deletions .github/actions/warmup-remotejson-cache/action.yml
Expand Up @@ -20,9 +20,8 @@ runs:
key: remotejson-cache-
restore-keys: remotejson-cache-

# When we use this composite action from the workflows like
# Azure Preview Deploy and Azure Production Deploy, we don't have
# any Node installed or any of its packages. I.e. we never
# When we use this composite action from deployment workflows
# we don't have any Node installed or any of its packages. I.e. we never
# run `npm ci` in those actions. For security sake.
# So we can't do things that require Node code.
# Tests and others will omit the `restore-only` input, but
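Review bot: This comment block is a verbatim copy of the one changed in `.github/actions/precompute-pageinfo/action.yml` in this same commit, down to "For security sake"; whatever wording fix lands there has to land here too, so consider shortening this copy to a one-line pointer at the other action (or at a shared doc) to stop the two from drifting.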
5 changes: 0 additions & 5 deletions .github/branch_protection_settings/main.json
Expand Up @@ -4,7 +4,6 @@
"url": "https://api.github.com/repos/github/docs-internal/branches/main/protection/required_status_checks",
"strict": true,
"contexts": [
"Build and deploy Azure preview environment",
"automated-pipelines",
"github-apps",
"graphql",
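Review bot: Removing "Build and deploy Azure preview environment" from `contexts` drops a required status check on `main`, so whatever gate that check provided (a successful build before merge) is gone unless one of the remaining contexts still requires a build to pass; confirm that, and that `"strict": true` (branch must be up to date with `main`) is intentionally kept now that the list is shorter.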
Expand Down Expand Up @@ -48,10 +47,6 @@
],
"contexts_url": "https://api.github.com/repos/github/docs-internal/branches/main/protection/required_status_checks/contexts",
"checks": [
{
"context": "Build and deploy Azure preview environment",
"app_id": 15368
},
{ "context": "automated-pipelines", "app_id": 15368 },
{ "context": "github-apps", "app_id": 15368 },
{ "context": "graphql", "app_id": 15368 },
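Review bot: Good that the `checks` entry is removed together with the matching `contexts` entry in the hunk above; the two lists have to agree, and every remaining entry keeps `app_id` 15368, so a same-named check reported by a different app cannot satisfy the protection by name alone.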
112 changes: 0 additions & 112 deletions Dockerfile.azure

This file was deleted.
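Review bot: Deleting `Dockerfile.azure` should be paired with removing everything that built or pushed that image; the `package.json` hunk in this commit drops `create-acr-token` (`src/workflows/acr-create-token.ts`) and `check-canary-slots`, but the workflows that invoked them are not visible in this view, so confirm they are among the 21 changed files rather than left referencing a Dockerfile that no longer exists.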

2 changes: 1 addition & 1 deletion config/kubernetes/production/deployments/webapp.yaml
Expand Up @@ -53,5 +53,5 @@ spec:
httpGet:
# WARNING: This should be updated to a meaningful endpoint for your application which will return a 200 once the app is fully started.
# See: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-readiness-probes
path: /healthz
path: /healthcheck
port: http
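Review bot: Pointing the readiness probe at `/healthcheck` only works if the Express router in the last hunk of this commit is mounted at `/healthcheck`; that hunk renames the handler function from `healthz` to `healthcheck` but its route stays `router.get('/', ...)`, and the mount point is not in the diff, so verify it or the pod never becomes ready. The WARNING comment kept above still asks for an endpoint that returns 200 only once the app is fully started, while the handler unconditionally sends 200, so the rename does not make the probe any more meaningful.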
Expand Up @@ -26,7 +26,7 @@ You can take part in a security campaign by fixing one or more of the alerts cho

In addition to the benefit of removing an important security problem from your code, alerts in a security campaign have several other benefits compared with fixing another alert in your repository.

* You have a contact on the security team to collaborate with.
* You have a campaign manager on the security team to collaborate with and a specific contact link for discussing campaign activities.
* You know that you are fixing a security alert that is important to the company.
* Potentially, you may have access to targeted training materials.{% ifversion security-campaigns-autofix %}
* You don't need to request a {% data variables.product.prodname_copilot_autofix %} suggestion, it is already available as a starting point.{% endif %}{% ifversion copilot %}
Expand Up @@ -19,7 +19,8 @@ topics:
Successful security campaigns to fix alerts at scale have many features in common, including:

* Selecting a related group of security alerts for remediation.
* Making sure that the manager for the campaign is available for collaboration, reviews, and questions about fixes.
* Using {% data variables.product.prodname_copilot_autofix_short %} suggestions where possible to help developers remediate alerts faster and more effectively.
* Making sure that the campaign managers are available for collaboration, reviews, and questions about fixes.
* Providing access to educational information about the type of alerts included in the campaign.{% ifversion ghec %}
* Making {% data variables.product.prodname_copilot_chat %} available for developers to use to learn about the vulnerabilities highlighted by the security alerts in the campaign. {% endif %}
* Defining a realistic deadline for campaign, bearing in mind the number of alerts you aim to fix.
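Review bot: The reordered list now refers to "campaign managers" in the plural, but the unchanged deadline bullet still reads "a realistic deadline for campaign", missing "the"; it is a pre-existing nit, but worth fixing while this list is being edited.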
Expand All @@ -36,7 +37,11 @@ For example, if you have many alerts for cross-site scripting vulnerabilities, y
* Create educational content for developers in a repository using resources from the OWASP Foundation, see [Cross Site Scripting (XSS)](https://owasp.org/www-community/attacks/xss/).
* Create a campaign to remediate all alerts for this vulnerability, including a link to the educational content in the campaign description.
* Hold a training session or other event to highlight this opportunity to gain confidence in secure coding while fixing real bugs.
* Make sure that the security team member assigned to manage the campaign is available to review the pull requests created to fix the campaign alerts, collaborating as needed.
* Make sure that the security team members assigned to manage the campaign are available to review the pull requests created to fix the campaign alerts, collaborating as needed.

### Using {% data variables.product.prodname_copilot_autofix_short %} to help remediate security alerts

{% data variables.product.prodname_copilot_autofix %} is an expansion of {% data variables.product.prodname_code_scanning %} that provides users with targeted recommendations to help fix {% data variables.product.prodname_code_scanning %} alerts. When you select alerts to include in a security campaign, you can preferentially include alerts that are eligible to be fixed with the help of {% data variables.product.prodname_copilot_autofix %} using the `autofix:supported` filter.

### Campaign filter templates

Expand All @@ -47,15 +52,19 @@ When you select alerts to include in a security campaign, you can use any of the
The following limitations are intended to encourage you to take a balanced and measured approach to remediating alerts in your code. An iterative approach, addressing a few targeted sets of alerts at a time, is likely to lead to a sustainable and long-term change in security posture.

* A maximum of 10 active security campaigns at a time (no limits on closed campaigns).
* Each campaign can contain up to 1000 alerts spread across up to 100 repositories.
* Each campaign can contain up to 1000 alerts.

If you choose to create a campaign that exceeds these limits, alerts will be omitted to bring the campaign into line with the limits. Alerts in repositories with recent pushes are prioritized for inclusion in the campaign.

## Defining the role of the campaign manager
## Specifying campaign managers and contact links

When you create a security campaign, you must select one or more "Campaign managers." A campaign manager must be either:
* A user with the organization owner role, or the security manager role.
* A member of a team with either the organization owner role, or the security manager role.

When you create a security campaign, you must select a "Campaign manager." The campaign manager must have either the organization owner or security manager role.
The names of the campaign managers are visible to developers when they take part in the campaign. To support communication between developers and the campaigns managers, you can also provide a contact link, such as a link to a {% data variables.product.prodname_discussions %} or another communication channel, when you create a campaign.

The name of the campaign manager is visible to developers when they take part in the campaign. If you want to increase the remediation rate for alerts and scale the knowledge of the security team, this is a key opportunity to build collaborative relationships with developers. Ideally, a campaign manager is available to answer questions, collaborate on difficult fixes, and review pull requests for fixes over the whole course of the campaign.
If you want to increase the remediation rate for alerts and scale the knowledge of the security team, this is a key opportunity to build collaborative relationships with developers. Ideally, the campaign managers are available to answer questions and collaborate on difficult fixes via the contact link. Campaign managers should also be available to review pull requests for fixes over the whole course of the campaign.

## Combining security training with a security campaign

Expand Up @@ -32,12 +32,11 @@ The campaign templates contain filters for the most common alert selections. {%
1. Select one of the pre-defined filter templates to open a "New campaign from TEMPLATE_NAME template" dialog box.
1. If the message "This looks like a big campaign" is displayed, click **Back to filters** to display the {% data variables.product.prodname_code_scanning %} alerts view with the campaign template filter shown.
1. Add further filters to reduce the number of alerts shown, for example, filtering by "Team" or by custom property.
1. When there are fewer than 1000 alerts in 100 repositories, click **Create campaign** to redisplay the "New campaign" dialog.
1. When there are 1000 alerts or fewer, click **Create campaign** to redisplay the "New campaign" dialog.

Alternatively, you can click **Continue creating a campaign** and create the campaign. {% data reusables.security-campaigns.too-many-alerts %}
1. Edit the "Campaign name" and "Short description" to match your campaign needs and to link to any resources that support the campaign.
1. Define a "Campaign due date" and select a "Campaign manager" as the primary contact for the campaign (an owner or security manager of this organization).
1. When you're ready to create the campaign, click **Create campaign**.

{% data reusables.security-campaigns.campaign-configuration %}

The security campaign is created and the campaign overview page is displayed.
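Review bot: "1000 alerts or fewer" here matches the new limits text ("Each campaign can contain up to 1000 alerts"), and swapping the inline name, description and due-date steps for `{% data reusables.security-campaigns.campaign-configuration %}` keeps the two procedures in this file from drifting; the one thing to check is that the reusable, which is inserted inside a `1.` list, renders as a continuation of that list rather than restarting the numbering.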

Expand All @@ -46,16 +45,15 @@ The security campaign is created and the campaign overview page is displayed.
{% data reusables.organizations.navigate-to-org %}
{% data reusables.organizations.security-overview %}
1. In the left sidebar, under "Alerts" click **{% octicon "codescan" aria-hidden="true" %} {% data variables.product.prodname_code_scanning_caps %}** to show the alerts view.
1. Add filters to select a subset of alerts for your campaign. When you have chosen fewer than 1000 alerts, spread across fewer than 100 repositories, you are ready to create a campaign.
1. Add filters to select a subset of alerts for your campaign. When you have chosen 1000 alerts or fewer, you are ready to create a campaign.
1. Above the table of alerts, click **Create campaign** to start creating a campaign.
1. If the message "This looks like a big campaign" is displayed, click **Back to filters** to display the {% data variables.product.prodname_code_scanning %} alerts view with your existing filters.
1. Add further filters to reduce the number of alerts shown, for example, filtering by "Team" or by custom property.
1. When there are fewer than 1000 alerts in 100 repositories, click **Create campaign** to redisplay the "New campaign" dialog.
1. When there are fewer than 1000 alerts, click **Create campaign** to redisplay the "New campaign" dialog.

Alternatively, you can click **Continue creating a campaign** and create the campaign. {% data reusables.security-campaigns.too-many-alerts %}
1. Edit the "Campaign name" and "Short description" to match your campaign needs and to link to any resources that support the campaign.
1. Define a "Campaign due date" and select a "Campaign manager" as the primary contact for the campaign (an owner or security manager of this organization).
1. When you're ready to create the campaign, click **Create campaign**.

{% data reusables.security-campaigns.campaign-configuration %}

### Examples of useful filters

Expand Down Expand Up @@ -85,7 +83,7 @@ When you create a campaign all the alerts are automatically submitted to {% data

### How developers know a security campaign has started

Everyone with **write** access to a repository that is included in the campaign is notified, according to their notification preferences, about the campaign.
When a campaign is started, anyone with **write** access to a repository included in the campaign, and who and has subscribed to watch either "All activity" or "security alerts" in that repository, is notified.

> [!NOTE] During the {% data variables.release-phases.public_preview %}, notifications are only sent to users who have email notification enabled.
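Review bot: Duplicated word in the new sentence: "and who and has subscribed" should read "and who has subscribed"; also "security alerts" is quoted in lowercase while "All activity" is capitalised as a UI label, so check the exact watch-setting label and match its case.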
7 changes: 1 addition & 6 deletions contributing/deployments.md
Expand Up @@ -4,12 +4,7 @@ Staging and production deployments are automated by a deployer service created a

### Preview deployments

When a pull request is **opened**, **reopened**, or **synchronized** (i.e has new commits), it is automatically deployed to a unique preview URL.

If a preview deployment fails, you can trigger a new deployment in a few ways:
- close and re-open the pull request
- push another commit to the branch
- click **Update Branch** on the pull request page on github.com, if it's clickable
When a pull request contains only content changes, it can be previewed without a deployment. Code changes will require a deployment. GitHub Staff can deploy such a PR to a staging environment.

### Production deployments

4 changes: 4 additions & 0 deletions data/reusables/security-campaigns/campaign-configuration.md
@@ -0,0 +1,4 @@
1. Edit the "Campaign name" and "Short description" to match your campaign needs and to link to any resources that support the campaign.
1. Define a "Campaign due date" and select one or more "Campaign managers" as the primary contacts for the campaign. Campaign managers must be users or teams that are owners or security managers in the organization.
1. Optionally, provide a "Contact link", for example a link to a {% data variables.product.prodname_discussions %} or another communication channel, for contacting the campaign managers.
1. When you're ready to create the campaign, click **Create campaign**.
2 changes: 1 addition & 1 deletion data/reusables/security-campaigns/too-many-alerts.md
@@ -1 +1 @@
Alerts will be omitted to until there are fewer than 1000 alerts in fewer than 100 repositories remaining. Alerts in repositories with recent pushes are prioritized for inclusion in the campaign.
Alerts will be omitted to until there are 1000 or fewer alerts remaining. Alerts in repositories with recent pushes are prioritized for inclusion in the campaign.
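Review bot: "Alerts will be omitted to until there are 1000 or fewer alerts remaining" carries the stray "to" over from the old line; it should read "Alerts will be omitted until there are 1000 or fewer alerts remaining."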
2 changes: 0 additions & 2 deletions package.json
Expand Up @@ -21,15 +21,13 @@
"analyze-comment": "tsx src/events/scripts/analyze-comment-cli.ts",
"archive-version": "tsx --max-old-space-size=16384 src/ghes-releases/scripts/archive-version.ts",
"build": "next build",
"check-canary-slots": "tsx src/workflows/check-canary-slots.ts",
"check-content-type": "tsx src/workflows/check-content-type.ts",
"check-github-github-links": "tsx src/links/scripts/check-github-github-links.ts",
"close-dangling-prs": "tsx src/workflows/close-dangling-prs.ts",
"cmp-files": "tsx src/workflows/cmp-files.ts",
"content-changes-table-comment": "tsx src/workflows/content-changes-table-comment.ts",
"copy-fixture-data": "tsx src/tests/scripts/copy-fixture-data.js",
"count-translation-corruptions": "tsx src/languages/scripts/count-translation-corruptions.ts",
"create-acr-token": "tsx src/workflows/acr-create-token.ts",
"create-enterprise-issue": "tsx src/ghes-releases/scripts/create-enterprise-issue.js",
"debug": "cross-env NODE_ENV=development ENABLED_LANGUAGES=en nodemon --inspect src/frame/server.ts",
"delete-orphan-translation-files": "tsx src/workflows/delete-orphan-translation-files.ts",
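Review bot: Dropping the `check-canary-slots` and `create-acr-token` scripts is consistent with deleting `Dockerfile.azure`, but `src/workflows/check-canary-slots.ts` and `src/workflows/acr-create-token.ts` are not shown as deleted in this view; if they remain they become dead code that still pulls in whatever Azure dependencies they used, so either delete them here or confirm they are among the other changed files.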
Expand Up @@ -9,7 +9,7 @@ const router = express.Router()
* instance remains in the pool to handle requests
* For example: if we have a failing database connection we may return a 500 status here.
*/
router.get('/', function healthz(req, res) {
router.get('/', function healthcheck(req, res) {
noCacheControl(res)

res.sendStatus(200)
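Review bot: Renaming the handler from `healthz` to `healthcheck` changes no behaviour: the route is still `'/'` and it still unconditionally calls `res.sendStatus(200)`, even though the comment above says a failing database connection may return a 500 here; since the Kubernetes readiness probe in this commit now points at `/healthcheck`, confirm this router is mounted at that path, and consider either making the handler check a real dependency or trimming the comment so it does not promise a check that is not performed.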