From 7833a2648f9ffbe6117b980d74cebebc0861797f Mon Sep 17 00:00:00 2001
From: Kevin Heis <heiskr@users.noreply.github.com>
Date: Tue, 4 Feb 2025 13:51:47 -0800
Subject: [PATCH 1/2] Limit GLB to allowed IPs, automatically update if needed
 (#54242)

---
 .../alert-changed-branch-protections.yml      |  2 +-
 .github/workflows/moda-allowed-ips.yml        | 59 +++++++++++++++++++
 .../production/services/webapp.yaml           |  7 +--
 src/workflows/tests/actions-workflows.ts      |  2 +-
 4 files changed, 63 insertions(+), 7 deletions(-)
 create mode 100644 .github/workflows/moda-allowed-ips.yml

diff --git a/.github/workflows/alert-changed-branch-protections.yml b/.github/workflows/alert-changed-branch-protections.yml
index 7ce9e2df8c8f..0c6b9754f784 100644
--- a/.github/workflows/alert-changed-branch-protections.yml
+++ b/.github/workflows/alert-changed-branch-protections.yml
@@ -4,7 +4,7 @@ on:
   branch_protection_rule:
   workflow_dispatch:
   schedule:
-    - cron: '20 16 * * 3' # Run every Wednesday at 16:30 UTC / 8:30 PST
+    - cron: '20 16 * * 3' # Run every Wednesday at 16:20 UTC / 8:20 PST
 
 permissions:
   contents: read
diff --git a/.github/workflows/moda-allowed-ips.yml b/.github/workflows/moda-allowed-ips.yml
new file mode 100644
index 000000000000..942bc4465bb1
--- /dev/null
+++ b/.github/workflows/moda-allowed-ips.yml
@@ -0,0 +1,59 @@
+name: Update Moda allowed IPs
+
+# **What it does**: Make sure that the allowed IPs in Moda are up to date.
+# **Why we have it**: The IP ranges from Fastly can change.
+# **Who does it impact**: Docs engineering.
+
+on:
+  schedule:
+    - cron: '20 16 * * 4' # Run every Thursday at 16:20 UTC / 8:20 PST
+  workflow_dispatch:
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  update-moda-allowed-ips:
+    if: github.repository == 'github/docs-internal'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out the repository
+        uses: actions/checkout@v4
+
+      - name: Update list of allowed IPs
+        run: |
+          echo "Getting a list of Fastly IP addresses...."
+          ips=$( \
+            curl -s https://api.fastly.com/public-ip-list \
+            | jq -r '.addresses | join(",")' \
+          )
+          echo "Got a list of Fastly IP addresses: $ips"
+
+          echo "Updating the list of allowed IPs in Moda config..."
+          yq -i ".metadata.annotations[\"moda.github.net/allowed-ips\"] = \"$ips\"" \
+            config/kubernetes/production/services/webapp.yaml
+          echo "Updated the list of allowed IPs in Moda config"
+
+          echo "Checking if there is a change to make..."
+          if git diff --quiet; then
+            echo "No changes to the allowed IPs"
+            exit 0
+          fi
+
+          echo "Change found; making a pull request..."
+          branchname=update-allowed-ips-$(date +%s)
+          git checkout -b $branchname
+          git commit -am "Update list of allowed IPs"
+          git push
+          gh pr create \
+            --title "Update list of allowed IPs" \
+            --body 'This PR updates the list of allowed IPs in Moda. It is automatically generated.' \
+            --head=$branchname
+          echo "Pull request created"
+
+      - uses: ./.github/actions/slack-alert
+        if: ${{ failure() }}
+        with:
+          slack_channel_id: ${{ secrets.DOCS_ALERTS_SLACK_CHANNEL_ID }}
+          slack_token: ${{ secrets.SLACK_DOCS_BOT_TOKEN }}
diff --git a/config/kubernetes/production/services/webapp.yaml b/config/kubernetes/production/services/webapp.yaml
index 4c96ca5be8b5..bdb21c6e4ce8 100644
--- a/config/kubernetes/production/services/webapp.yaml
+++ b/config/kubernetes/production/services/webapp.yaml
@@ -7,11 +7,8 @@ metadata:
   annotations:
     moda.github.net/domain-name: 'docs-internal.github.com'
     moda.github.net/dns-registration-enabled: 'false'
-    moda.github.net/load-balancer-type:
-      public-external-http
-      # moda.github.net/allowed-ips: '23.235.32.0/20,43.249.72.0/22,103.244.50.0/24,103.245.222.0/23,103.245.224.0/24,104.156.80.0/20,140.248.64.0/18,140.248.128.0/17,146.75.0.0/17,151.101.0.0/16,157.52.64.0/18,167.82.0.0/17,167.82.128.0/20,167.82.160.0/20,167.82.224.0/20,172.111.64.0/18,185.31.16.0/22,199.27.72.0/21,199.232.0.0/1'
-    # ipv6 addresses not included
-    # curl -i  "https://api.fastly.com/public-ip-list"
+    moda.github.net/load-balancer-type: public-external-http
+    moda.github.net/allowed-ips: 23.235.32.0/20,43.249.72.0/22,103.244.50.0/24,103.245.222.0/23,103.245.224.0/24,104.156.80.0/20,140.248.64.0/18,140.248.128.0/17,146.75.0.0/17,151.101.0.0/16,157.52.64.0/18,167.82.0.0/17,167.82.128.0/20,167.82.160.0/20,167.82.224.0/20,172.111.64.0/18,185.31.16.0/22,199.27.72.0/21,199.232.0.0/16
 spec:
   ports:
     - name: http
diff --git a/src/workflows/tests/actions-workflows.ts b/src/workflows/tests/actions-workflows.ts
index ed30456c6d84..c4ee30d4d94a 100644
--- a/src/workflows/tests/actions-workflows.ts
+++ b/src/workflows/tests/actions-workflows.ts
@@ -10,7 +10,7 @@ import { chain, get } from 'lodash-es'
 const githubOwnedActionsRegex =
   /^(actions\/(cache|checkout|download-artifact|upload-artifact)@v\d+(\.\d+)*)$/
 const actionHashRegexp = /^[A-Za-z0-9-/]+@[0-9a-f]{40}$/
-const checkoutRegexp = /^[actions/checkout]+@[0-9a-f]{40}$/
+const checkoutRegexp = /^[actions/checkout]+@(v\d+(\.\d+)*|[0-9a-f]{40})$/
 const permissionsRegexp = /(read|write)/
 
 type WorkflowMeta = {

From a8a29c834c3d859b88b6cf5a01e4706714d17d74 Mon Sep 17 00:00:00 2001
From: Evan Bonsignori <ebonsignori@github.com>
Date: Tue, 4 Feb 2025 16:05:08 -0800
Subject: [PATCH 2/2] add experiments pattern (#54228)

Co-authored-by: Kevin Heis <heiskr@users.noreply.github.com>
---
 src/events/components/events.ts               |   3 +
 src/events/components/experiment.ts           |  34 ----
 src/events/components/experiments/README.md   | 172 ++++++++++++++++++
 .../experiments/experiment-event.ts           |  13 ++
 .../components/experiments/experiment.ts      | 153 ++++++++++++++++
 .../components/experiments/experiments.ts     |  39 ++++
 .../experiments/useShouldShowExperiment.ts    |  31 ++++
 src/events/lib/schema.ts                      |  10 +
 src/events/middleware.ts                      |   2 +
 src/events/types.ts                           |   1 +
 src/fixtures/helpers/turn-off-experiments.ts  |  46 +++++
 src/fixtures/tests/playwright-a11y.spec.ts    |  16 +-
 .../tests/playwright-local-dev.spec.ts        |   7 +-
 .../tests/playwright-rendering.spec.ts        |  49 ++++-
 src/frame/pages/app.tsx                       |   6 +-
 15 files changed, 539 insertions(+), 43 deletions(-)
 delete mode 100644 src/events/components/experiment.ts
 create mode 100644 src/events/components/experiments/README.md
 create mode 100644 src/events/components/experiments/experiment-event.ts
 create mode 100644 src/events/components/experiments/experiment.ts
 create mode 100644 src/events/components/experiments/experiments.ts
 create mode 100644 src/events/components/experiments/useShouldShowExperiment.ts
 create mode 100644 src/fixtures/helpers/turn-off-experiments.ts

diff --git a/src/events/components/events.ts b/src/events/components/events.ts
index b770041ec004..39996f6cd828 100644
--- a/src/events/components/events.ts
+++ b/src/events/components/events.ts
@@ -3,6 +3,7 @@ import Cookies from 'src/frame/components/lib/cookies'
 import { parseUserAgent } from './user-agent'
 import { Router } from 'next/router'
 import { isLoggedIn } from 'src/frame/components/hooks/useHasAccount'
+import { getExperimentVariationForContext } from './experiments/experiment'
 import { EventType, EventPropsByType } from '../types'
 
 const COOKIE_NAME = '_docs-events'
@@ -110,6 +111,8 @@ export function sendEvent<T extends EventType>({
       color_mode_preference: getColorModePreference(),
       os_preference: Cookies.get('osPreferred'),
       code_display_preference: Cookies.get('annotate-mode'),
+
+      experiment_variation: getExperimentVariationForContext(getMetaContent('path-language')),
     },
 
     ...props,
diff --git a/src/events/components/experiment.ts b/src/events/components/experiment.ts
deleted file mode 100644
index 785931ce3155..000000000000
--- a/src/events/components/experiment.ts
+++ /dev/null
@@ -1,34 +0,0 @@
-import murmur from 'imurmurhash'
-import { getUserEventsId, sendEvent } from './events'
-import { EventType } from '../types'
-
-let initialized = false
-
-const TREATMENT = 'TREATMENT'
-const CONTROL = 'CONTROL'
-
-export function bucket(test: string) {
-  const id = getUserEventsId()
-  const hash = murmur(test).hash(id).result()
-  return hash % 2 ? TREATMENT : CONTROL
-}
-
-export function sendSuccess(test: string) {
-  return sendEvent({
-    type: EventType.experiment,
-    experiment_name: test,
-    experiment_variation: bucket(test).toLowerCase(),
-    experiment_success: true,
-  })
-}
-
-export function initializeExperiments() {
-  if (initialized) return
-  initialized = true
-  // *** Example test code ***
-  // const testName = '$test-name$'
-  // const xbucket = bucket(testName)
-  // const x = document.querySelector(...)
-  // x.addEventListener('click', () => { sendSuccess(testName) })
-  // if (xbucket === TREATMENT) applyTreatment(x)
-}
diff --git a/src/events/components/experiments/README.md b/src/events/components/experiments/README.md
new file mode 100644
index 000000000000..eee3eca8171f
--- /dev/null
+++ b/src/events/components/experiments/README.md
@@ -0,0 +1,172 @@
+# Experiments
+
+There are times when we want make a change, but aren't sure if it will provide a better user experience.
+
+In these scenarios we can run experiments.
+
+Experiments are A/B tests where A is some version of our site and B is another. When the user requests our site they are randomly served either site A or B.
+
+After the experiment is live, we gather data via [events](../../README.md) that help determine which version of the site we want to stick with.
+
+## TOC
+
+- [Experiments as feature flags](#experiments-as-feature-flags)
+- [Experiment variations](#experiment-variations)
+- [Adding an experiment](#adding-an-experiment)
+- [Implementing an experiment](#implementing-an-experiment)
+- [Toggling an experiment on or off](#toggling-an-experiment-on-or-off)
+- [Tracking results on an experiment](#tracking-results-on-an-experiment)
+  - [Via regular events](#via-regular-events)
+  - [Via the `experiment` event](#via-the-experiment-event)
+
+
+## Experiments as feature flags
+
+An additional benefit of this pattern is that it lets you turn on/off a feature in the UI and toggle it from the developer console. This is useful if you want to ship UI changes in parts, or test something in production before turning it on.
+
+## Experiment variations
+
+To clarify terminology, if a user is shown site A which is the original site _without_ the experiment they will have an `experiment_variation` value of `"control"` to indicate that they are in the control group.
+
+If the user is shown the experiment (site B), they will have an `experiment_variation` value of `"treatment"`
+
+## Adding an experiment
+
+1. Create a `key` for you experiment, e.g. `ai_search_experiment`
+2. Determine how many users will see the experiment. The default is 50% and makes sense for _most_ use cases.
+3. Add your experiment to [experiments.ts](./experiments.ts)
+
+Example,
+
+```typescript
+// Add new experiment key to this list
+export type ExperimentNames = 'example_experiment' | 'ai_search_experiment'
+
+export const EXPERIMENTS = {
+  example_experiment: { ... }
+  ai_search_experiment: {
+    key: 'ai_search_experiment',
+    isActive: true, // Set to false when the experiment is over
+    percentOfUsersToGetExperiment: 10, // Only 10% of users will get the experiment
+    limitToLanguages: ['en'], // Only users with the `en` language will be included in the experiment
+    includeVariationInContext: true, // See note below
+  },
+}
+```
+
+When `includeVariationInContext` is true **all** analytics events sent will include `experiment_variation` in their context. `experiment_variation` will be `"treatment"` or `"control"` depending on which the user was randomly assigned.
+
+> [!IMPORTANT]
+> Since the `experiment_variation` is a single key in the context, **only one experiment** can include their variations in the context e.g. only one value of `includeVariationInContext` can be `true`.
+
+## Implementing an experiment
+
+For example, let's say you are conducting an experiment that changes the search bar.
+
+In the code that displays the search bar, you can use the `shouldShowExperiment` function to determine which version of the code to show the user.
+
+Example:
+
+```typescript
+import { useRouter } from 'next/router'
+import { useShouldShowExperiment } from '@/events/components/experiments/useShouldShowExperiment'
+import { EXPERIMENTS } from '@/events/components/experiments/experiments'
+import { ClassicSearchBar } from "@/search/components/ClassicSearchBar.tsx"
+import { NewSearchBar } from "@/search/components/NewSearchBar.tsx"
+
+export function SearchBar() {
+  const router = useRouter()
+  // Users who were randomly placed in the `treatment` group will be shown the experiment
+  const { shouldShow: shouldShowNewSearch } = useShouldShowExperiment(
+    EXPERIMENTS.ai_search_experiment,
+    router.locale
+  )
+
+  if (shouldShowNewSearch) {
+    return (
+      <NewSearchBar />
+    )
+  }
+  return <ClassicSearchBar />
+}
+```
+
+> [!NOTE]
+> If a user is placed in the `"treatment"` group e.g. they are shown the experiment and will continue to see the treatment across all sessions from the same browser. This is because we use a hash of user's session ID cookie to deterministically set the control group. The session cookie lasts for 365 days, otherwise they might see something different on each reload.
+
+## Toggling an experiment on or off
+
+In development every session is placed into the `"treatment"` control group so that the experiment can be developed on.
+
+However, you can change which experiment to show by calling the following function in the `Console` tab in Chrome dev tools,
+
+```javascript
+window.overrideControlGroup("<experiment_key>", "treatment" | "control");
+
+// Example to see original search experience
+window.overrideControlGroup("ai_search_experiment", "control");
+```
+
+For events, you can verify that your `experiment_variation` values are being included in the event context from the `Network` tab in Chrome dev tools.
+
+## Tracking results on an experiment
+
+### Via regular events
+
+If your experiment object in [experiments.ts](./experiments.ts) included the `includeVariationInContext: true` key (and is the ONLY object to include that key) then the `experiment_variation` of your experiment will be sent in the context of an event.
+
+This means that you can send other events, like
+
+```typescript
+sendEvent({
+  type: EventType.search,
+  search_query: "How do I open pdf?",
+  search_context: "general-search",
+});
+```
+
+And the `context` on that event will include the `experiment_variation` key and value of your experiment,
+
+e.g.
+
+```javascript
+{
+  search_query: "How do I open pdf?",
+  search_context: "general-search",
+  context: {
+    ...
+    experiment_variation: "treatment" // Could also be "control" depending on the random outcome
+  }
+}
+```
+
+### Via the `experiment` event
+
+If your experiment is specific, meaning it can be tracked with a boolean event, e.g.
+
+```javascript
+{
+    experiment_name: <string>, // e.g. `new_button_experiment` for did user click new button?
+    experiment_variation: 'treatment' | 'control',
+    experiment_success: <boolean>, // e.g. true the user is using the new button!
+}
+```
+
+Then you should omit the `includeVariationInContext` key from your experiment object and use the `sendExperimentSuccess` function to track events.
+
+Example:
+
+```typescript
+import { sendExperimentSuccess } from '@/events/components/experiments/experiment-event'
+import { EXPERIMENTS } from '@/events/components/experiments/experiments'
+
+export function MyNewComponent() {
+  return (
+    <button onClick={() => {
+      console.log("The user did the thing!")
+      sendExperimentSuccess(EXPERIMENTS.new_button_experiment)
+    }}>
+  )
+}
+
+```
diff --git a/src/events/components/experiments/experiment-event.ts b/src/events/components/experiments/experiment-event.ts
new file mode 100644
index 000000000000..7bf9dab55dc5
--- /dev/null
+++ b/src/events/components/experiments/experiment-event.ts
@@ -0,0 +1,13 @@
+import { EventType } from '@/events/types'
+import { sendEvent } from '../events'
+import { getExperimentControlGroupFromSession } from './experiment'
+import { ExperimentNames } from './experiments'
+
+export function sendExperimentSuccess(experimentKey: ExperimentNames, success = true) {
+  return sendEvent({
+    type: EventType.experiment,
+    experiment_name: experimentKey,
+    experiment_variation: getExperimentControlGroupFromSession(experimentKey).toLowerCase(),
+    experiment_success: success,
+  })
+}
diff --git a/src/events/components/experiments/experiment.ts b/src/events/components/experiments/experiment.ts
new file mode 100644
index 000000000000..404721136d9a
--- /dev/null
+++ b/src/events/components/experiments/experiment.ts
@@ -0,0 +1,153 @@
+import murmur from 'imurmurhash'
+import {
+  CONTROL_VARIATION,
+  ExperimentNames,
+  TREATMENT_VARIATION,
+  getActiveExperiments,
+} from './experiments'
+import { getUserEventsId } from '../events'
+import Cookies from 'src/frame/components/lib/cookies'
+
+let experimentsInitialized = false
+
+export function shouldShowExperiment(
+  experimentKey: ExperimentNames | { key: ExperimentNames },
+  locale: string,
+) {
+  // Accept either EXPERIMENTS.<experiment_key> or EXPERIMENTS.<experiment_key>.key
+  if (typeof experimentKey === 'object') {
+    experimentKey = experimentKey.key
+  }
+
+  // Determine if user is in treatment group. If they are, show the experiment
+  const experiments = getActiveExperiments('all')
+  for (const experiment of experiments) {
+    if (experiment.key === experimentKey) {
+      // If the user has staffonly cookie, and staff override is true, show the experiment
+      if (experiment.alwaysShowForStaff) {
+        const staffCookie = Cookies.get('staffonly')
+        if (staffCookie && staffCookie.startsWith('yes')) {
+          console.log(`Staff cookie is set, showing '${experiment.key}' experiment`)
+          return true
+        }
+      }
+
+      // If there is an override for the current session, use that
+      if (controlGroupOverride[experiment.key]) {
+        const controlGroup = getExperimentControlGroupFromSession(
+          experimentKey,
+          experiment.percentOfUsersToGetExperiment,
+        )
+        return controlGroup === TREATMENT_VARIATION
+        // Otherwise use the regular logic to determine if the user is in the treatment group
+      } else if (
+        experiment.limitToLanguages?.length &&
+        experiment.limitToLanguages.includes(locale)
+      ) {
+        return (
+          getExperimentControlGroupFromSession(
+            experimentKey,
+            experiment.percentOfUsersToGetExperiment,
+          ) === TREATMENT_VARIATION
+        )
+      }
+    }
+  }
+  return false
+}
+
+// Allow developers to override their experiment group for the current session
+export const controlGroupOverride = {} as { [key in ExperimentNames]: 'treatment' | 'control' }
+if (typeof window !== 'undefined') {
+  // @ts-expect-error
+  window.overrideControlGroup = (
+    experimentKey: ExperimentNames,
+    controlGroup: 'treatment' | 'control',
+  ): string => {
+    const activeExperiments = getActiveExperiments('all')
+    // Make sure key is valid
+    if (activeExperiments.some((experiment) => experiment.key === experimentKey)) {
+      controlGroupOverride[experimentKey] = controlGroup
+      const event = new Event('controlGroupOverrideChanged')
+      window.dispatchEvent(event)
+      return `Updated ${experimentKey}. Session is now in the "${controlGroup}" group for this session.`
+    } else {
+      throw new Error(
+        `Invalid experiment key: ${experimentKey}. Must be one of: ${activeExperiments.map((experiment) => experiment.key).join(', ')}`,
+      )
+    }
+  }
+}
+
+// Determine if the user is in the treatment or control group for a given experiment
+export function getExperimentControlGroupFromSession(
+  experimentKey: ExperimentNames,
+  percentToGetExperiment = 50,
+) {
+  if (controlGroupOverride[experimentKey]) {
+    return controlGroupOverride[experimentKey]
+  } else if (process.env.NODE_ENV === 'development') {
+    return TREATMENT_VARIATION
+  } else if (process.env.NODE_ENV === 'test') {
+    return CONTROL_VARIATION
+  }
+  // We hash the user's events ID to ensure that the user is always in the same group for a given experiment
+  // This works because the hash is a deterministic and the user's ID is stored in a cookie for 365 days
+  const id = getUserEventsId()
+  const hash = murmur(experimentKey).hash(id).result()
+  const modHash = hash % 100
+  return modHash < percentToGetExperiment ? TREATMENT_VARIATION : CONTROL_VARIATION
+}
+
+export function getExperimentVariationForContext(locale: string) {
+  const experiments = getActiveExperiments(locale)
+  for (const experiment of experiments) {
+    if (experiment.includeVariationInContext) {
+      return getExperimentControlGroupFromSession(
+        experiment.key,
+        experiment.percentOfUsersToGetExperiment,
+      )
+    }
+  }
+
+  // When no experiment has `includeVariationInContext: true`
+  return null
+}
+
+export function initializeExperiments(locale: string) {
+  if (experimentsInitialized) return
+  experimentsInitialized = true
+
+  const experiments = getActiveExperiments(locale)
+
+  if (experiments.length && process.env.NODE_ENV === 'development') {
+    console.log(
+      `In development, all users are placed in the "${TREATMENT_VARIATION}" group for experiments`,
+    )
+  } else if (experiments.length && process.env.NODE_ENV === 'test') {
+    console.log(`In test, all users are placed in the "${CONTROL_VARIATION}" group for experiments`)
+  }
+
+  let numberOfExperimentsUsingContext = 0
+  for (const experiment of experiments) {
+    if (experiment.includeVariationInContext) {
+      // Validate the experiments object
+      numberOfExperimentsUsingContext++
+      if (numberOfExperimentsUsingContext > 1) {
+        throw new Error(
+          'Only one experiment can include its variation in the context at a time. Please update the experiments configuration.',
+        )
+      }
+    }
+
+    const controlGroup = getExperimentControlGroupFromSession(
+      experiment.key,
+      experiment.percentOfUsersToGetExperiment,
+    )
+
+    // Even in preview & prod it is useful to see if a given experiment is "on" or "off"
+    console.log(
+      `Experiment ${experiment.key} is in the "${controlGroup === TREATMENT_VARIATION ? TREATMENT_VARIATION : CONTROL_VARIATION}" group for this browser.\nCall function window.overrideControlGroup('${experiment.key}', 'treatment' | 'control') to change your group for this session.`,
+    )
+  }
+}
diff --git a/src/events/components/experiments/experiments.ts b/src/events/components/experiments/experiments.ts
new file mode 100644
index 000000000000..48498b2e6d41
--- /dev/null
+++ b/src/events/components/experiments/experiments.ts
@@ -0,0 +1,39 @@
+export const TREATMENT_VARIATION = 'treatment'
+export const CONTROL_VARIATION = 'control'
+
+type Experiment = {
+  key: ExperimentNames
+  isActive: boolean
+  // If percentOfUsersToGetExperiment is not provided, it will default to 50
+  percentOfUsersToGetExperiment?: number
+  // Only one experiment's control group (variation) can be included in the context at a time
+  includeVariationInContext?: boolean
+  limitToLanguages?: string[]
+  alwaysShowForStaff: boolean
+}
+
+// Update this with the name of the experiment, e.g. | 'example_experiment'
+export type ExperimentNames = 'ai_search_experiment'
+
+export const EXPERIMENTS = {
+  /*  Add new experiments here, example:
+  'example_experiment': {
+      key: 'example_experiment',
+      isActive: true, // Set to false when the experiment is over
+      percentOfUsersToGetExperiment: 10, // 10% of users will randomly get the experiment
+      includeVariationInContext: true, // All events will include the `experiment_variation` of the `example_experiment`
+      limitToLanguages: ['en'], // Only users with the `en` language will be included in the experiment
+      alwaysShowForStaff: true, // When set to true, staff will always see the experiment (determined by the `staffonly` cookie)
+    }
+  */
+} as Record<ExperimentNames, Experiment>
+
+export function getActiveExperiments(locale: string): Experiment[] {
+  return Object.values(EXPERIMENTS).filter((experiment) => {
+    return (
+      experiment.isActive &&
+      (locale === 'all' ||
+        (experiment.limitToLanguages?.length ? experiment.limitToLanguages.includes(locale) : true))
+    )
+  })
+}
diff --git a/src/events/components/experiments/useShouldShowExperiment.ts b/src/events/components/experiments/useShouldShowExperiment.ts
new file mode 100644
index 000000000000..bfc058346898
--- /dev/null
+++ b/src/events/components/experiments/useShouldShowExperiment.ts
@@ -0,0 +1,31 @@
+import { useEffect, useState } from 'react'
+import { shouldShowExperiment } from './experiment'
+import { ExperimentNames } from './experiments'
+
+export function useShouldShowExperiment(
+  experimentKey: ExperimentNames | { key: ExperimentNames },
+  locale: string,
+) {
+  if (typeof experimentKey === 'object') {
+    experimentKey = experimentKey.key
+  }
+
+  const [showExperiment, setShowExperiment] = useState(false)
+
+  useEffect(() => {
+    const updateShouldShow = () => {
+      setShowExperiment(shouldShowExperiment(experimentKey, locale))
+    }
+
+    updateShouldShow()
+
+    // Event listener to update when controlGroupOverride is called
+    window.addEventListener('controlGroupOverrideChanged', updateShouldShow)
+
+    return () => {
+      window.removeEventListener('controlGroupOverrideChanged', updateShouldShow)
+    }
+  }, [experimentKey])
+
+  return showExperiment
+}
diff --git a/src/events/lib/schema.ts b/src/events/lib/schema.ts
index cb48648644ef..5771fc456879 100644
--- a/src/events/lib/schema.ts
+++ b/src/events/lib/schema.ts
@@ -110,6 +110,10 @@ const context = {
       type: 'string',
       description: 'The cookie value of dotcom_user',
     },
+    is_staff: {
+      type: 'boolean',
+      description: 'The cookie value of staffonly',
+    },
 
     // Device information
     os: {
@@ -172,6 +176,12 @@ const context = {
       enum: ['beside', 'inline'],
       description: 'How the user prefers to view code examples.',
     },
+
+    // Experiments
+    experiment_variation: {
+      type: 'string',
+      description: 'The variation this user we bucketed in is in, such as control or treatment.',
+    },
   },
 }
 
diff --git a/src/events/middleware.ts b/src/events/middleware.ts
index 74577cca2970..c90eb0ad0192 100644
--- a/src/events/middleware.ts
+++ b/src/events/middleware.ts
@@ -87,6 +87,8 @@ router.post(
     // Add dotcom_user to the context if it's available
     // JSON.stringify removes `undefined` values but not `null`, and we don't want to send `null` to Hydro
     body.context.dotcom_user = req.cookies?.dotcom_user ? req.cookies.dotcom_user : undefined
+    // Add if the user is a staff, using the 'staffonly' cookie
+    body.context.is_staff = Boolean(req.cookies?.staffonly)
 
     await publish({
       schema: hydroNames[type],
diff --git a/src/events/types.ts b/src/events/types.ts
index 35c7022b4165..081373022668 100644
--- a/src/events/types.ts
+++ b/src/events/types.ts
@@ -35,6 +35,7 @@ export type EventProps = {
     status: number
     is_logged_in: boolean
     dotcom_user: string
+    is_staff: boolean
     os: string
     os_version: string
     browser: string
diff --git a/src/fixtures/helpers/turn-off-experiments.ts b/src/fixtures/helpers/turn-off-experiments.ts
new file mode 100644
index 000000000000..46e7eb3d0931
--- /dev/null
+++ b/src/fixtures/helpers/turn-off-experiments.ts
@@ -0,0 +1,46 @@
+import { Page, test as Test } from '@playwright/test'
+import {
+  getActiveExperiments,
+  CONTROL_VARIATION,
+  TREATMENT_VARIATION,
+} from '@/events/components/experiments/experiments'
+
+export async function turnOffExperimentsInPage(page: Page) {
+  await alterExperimentsInPage(page, CONTROL_VARIATION)
+}
+
+export async function turnOnExperimentsInPage(page: Page) {
+  await alterExperimentsInPage(page, TREATMENT_VARIATION)
+}
+
+async function alterExperimentsInPage(
+  page: Page,
+  variation: typeof TREATMENT_VARIATION | typeof CONTROL_VARIATION,
+) {
+  const experiments = getActiveExperiments('all')
+  // Include a page.evaluate call to simulate the same # of events as if an experiment were active
+  if (!experiments.length) {
+    await page.evaluate(() => {
+      console.log('No experiments to turn off, skipping')
+    })
+    return
+  }
+  for (const experiment of getActiveExperiments('all')) {
+    await page.evaluate(
+      ({ experimentKey, variation }) => {
+        // @ts-expect-error overrideControlGroup is a custom function added to the window object
+        window.overrideControlGroup(experimentKey, variation)
+      },
+      { experimentKey: experiment.key, variation },
+    )
+  }
+}
+
+// Place Playwright tests in control group for every active experiment
+// To write a test for an experiment, explicitly turn that experiment on in the test
+export function turnOffExperimentsBeforeEach(test: typeof Test) {
+  test.beforeEach(async ({ page }) => {
+    await page.goto('/')
+    await turnOffExperimentsInPage(page)
+  })
+}
diff --git a/src/fixtures/tests/playwright-a11y.spec.ts b/src/fixtures/tests/playwright-a11y.spec.ts
index 44957ed7e560..673aeb5ec370 100644
--- a/src/fixtures/tests/playwright-a11y.spec.ts
+++ b/src/fixtures/tests/playwright-a11y.spec.ts
@@ -1,5 +1,6 @@
 import { test, expect } from '@playwright/test'
 import AxeBuilder from '@axe-core/playwright'
+import { turnOffExperimentsInPage, turnOnExperimentsInPage } from '../helpers/turn-off-experiments'
 
 const pages: { [key: string]: string } = {
   category: '/actions/category',
@@ -24,9 +25,22 @@ const pages: { [key: string]: string } = {
 // create a test for each page, will eventually be separated into finer grain tests
 Object.keys(pages).forEach((pageName) => {
   test.describe(`${pageName}`, () => {
-    test('full page axe scan', async ({ page }) => {
+    test('full page axe scan without experiments', async ({ page }) => {
       await page.goto(pages[pageName])
 
+      await turnOffExperimentsInPage(page)
+
+      const accessibilityScanResults = await new AxeBuilder({ page }).analyze()
+
+      expect(accessibilityScanResults.violations).toEqual([])
+    })
+  })
+  test.describe(`${pageName} (with experiments)`, () => {
+    test('full page axe scan with experiments', async ({ page }) => {
+      await page.goto(pages[pageName])
+
+      await turnOnExperimentsInPage(page)
+
       const accessibilityScanResults = await new AxeBuilder({ page }).analyze()
 
       expect(accessibilityScanResults.violations).toEqual([])
diff --git a/src/fixtures/tests/playwright-local-dev.spec.ts b/src/fixtures/tests/playwright-local-dev.spec.ts
index 24dfaeb9f639..3e6f4635daf0 100644
--- a/src/fixtures/tests/playwright-local-dev.spec.ts
+++ b/src/fixtures/tests/playwright-local-dev.spec.ts
@@ -1,5 +1,5 @@
 /**
- * These tests assume you have starte the local dev server as a contributor
+ * These tests assume you have started the local dev server as a contributor
  * would. It does *not* use fixture data. It uses real English content
  * as seen in `main` or in the current branch. Therefore be careful
  * with what you can expect to find. Stick to known and stable content.
@@ -12,16 +12,19 @@
  */
 
 import { test, expect } from '@playwright/test'
+import { turnOffExperimentsInPage } from '../helpers/turn-off-experiments'
 
 const TEST_EARLY_ACCESS = Boolean(JSON.parse(process.env.TEST_EARLY_ACCESS || 'false'))
 
 test('view home page', async ({ page }) => {
   await page.goto('/')
+  await turnOffExperimentsInPage(page)
   await expect(page).toHaveTitle(/GitHub Docs/)
 })
 
 test('click "Get started" from home page', async ({ page }) => {
   await page.goto('/')
+  await turnOffExperimentsInPage(page)
   await page.getByRole('link', { name: 'Get started' }).click()
   await expect(page).toHaveTitle(/Get started with GitHub/)
   await expect(page).toHaveURL(/\/en\/get-started/)
@@ -29,6 +32,7 @@ test('click "Get started" from home page', async ({ page }) => {
 
 test('search "git" and get results', async ({ page }) => {
   await page.goto('/')
+  await turnOffExperimentsInPage(page)
   await page.getByTestId('site-search-input').click()
   await page.getByTestId('site-search-input').fill('git')
   await page.getByTestId('site-search-input').press('Enter')
@@ -39,6 +43,7 @@ test('view the early-access links page', async ({ page }) => {
   if (!TEST_EARLY_ACCESS) return
 
   await page.goto('/early-access')
+  await turnOffExperimentsInPage(page)
   await expect(page).toHaveURL(/\/en\/early-access/)
   await page.getByRole('heading', { name: 'Early Access documentation' }).click()
   const links = await page.$$eval(
diff --git a/src/fixtures/tests/playwright-rendering.spec.ts b/src/fixtures/tests/playwright-rendering.spec.ts
index 5674c55fe31f..37f834c1c749 100644
--- a/src/fixtures/tests/playwright-rendering.spec.ts
+++ b/src/fixtures/tests/playwright-rendering.spec.ts
@@ -1,5 +1,6 @@
 import dotenv from 'dotenv'
 import { test, expect } from '@playwright/test'
+import { turnOffExperimentsBeforeEach } from '../helpers/turn-off-experiments'
 
 // This exists for the benefit of local testing.
 // In GitHub Actions, we rely on setting the environment variable directly
@@ -10,6 +11,8 @@ import { test, expect } from '@playwright/test'
 // this out.
 dotenv.config()
 
+turnOffExperimentsBeforeEach(test)
+
 const SEARCH_TESTS = !!process.env.ELASTICSEARCH_URL
 
 test('view home page', async ({ page }) => {
@@ -513,12 +516,32 @@ test.describe('test nav at different viewports', () => {
 test.describe('survey', () => {
   test('happy path, thumbs up and enter comment and email', async ({ page }) => {
     let fulfilled = 0
+    let hasSurveyPressedEvent = false
+    let hasSurveySubmittedEvent = false
+
+    const surveyComment = 'This is a comment'
+
     // Important to set this up *before* interacting with the page
     // in case of possible race conditions.
     await page.route('**/api/events', (route, request) => {
       route.fulfill({})
       expect(request.method()).toBe('POST')
+      const postData = JSON.parse(request.postData() || '{}')
+      // Skip the exit event
+      if (postData.type === 'exit') {
+        return
+      }
       fulfilled++
+      if (postData.type === 'survey' && postData.survey_vote === true) {
+        hasSurveyPressedEvent = true
+      }
+      if (
+        postData.type === 'survey' &&
+        postData.survey_vote === true &&
+        postData.survey_comment === surveyComment
+      ) {
+        hasSurveySubmittedEvent = true
+      }
       // At the time of writing you can't get the posted payload
       // when you use `navigator.sendBeacon(url, data)`.
       // So we can't make assertions about the payload.
@@ -533,23 +556,36 @@ test.describe('survey', () => {
     await expect(page.getByRole('button', { name: 'Send' })).toBeVisible()
 
     await page.locator('[for=survey-comment]').click()
-    await page.locator('[for=survey-comment]').fill('This is a comment')
+    await page.locator('[for=survey-comment]').fill(surveyComment)
     await page.locator('[name=survey-email]').click()
     await page.locator('[name=survey-email]').fill('test@example.com')
     await page.getByRole('button', { name: 'Send' }).click()
-    // One for the page view event, one for the thumbs up click, one for
-    // the submission.
-    expect(fulfilled).toBe(1 + 2)
+    // Events:
+    // 1. page view event when navigating to the page
+    // 2. Survey thumbs up event
+    // 3. Survey submit event
+    expect(fulfilled).toBe(1 + 1 + 1)
+    expect(hasSurveyPressedEvent).toBe(true)
+    expect(hasSurveySubmittedEvent).toBe(true)
     await expect(page.getByTestId('survey-end')).toBeVisible()
   })
 
   test('thumbs up without filling in the form sends an API POST', async ({ page }) => {
     let fulfilled = 0
+    let hasSurveyEvent = false
     // Important to set this up *before* interacting with the page
     // in case of possible race conditions.
     await page.route('**/api/events', (route, request) => {
       route.fulfill({})
       expect(request.method()).toBe('POST')
+      const postData = JSON.parse(request.postData() || '{}')
+      // Skip the exit event
+      if (postData.type === 'exit') {
+        return
+      }
+      if (postData.type === 'survey' && postData.survey_vote === true) {
+        hasSurveyEvent = true
+      }
       fulfilled++
       // At the time of writing you can't get the posted payload
       // when you use `navigator.sendBeacon(url, data)`.
@@ -560,8 +596,11 @@ test.describe('survey', () => {
     await page.goto('/get-started/foo/for-playwright')
 
     await page.locator('[for=survey-yes]').click()
-    // One for the page view event and one for the thumbs up click
+    // Events:
+    // 1. page view event when navigating to the page
+    // 2. the thumbs up click
     expect(fulfilled).toBe(1 + 1)
+    expect(hasSurveyEvent).toBe(true)
 
     await expect(page.getByRole('button', { name: 'Send' })).toBeVisible()
     await page.getByRole('button', { name: 'Cancel' }).click()
diff --git a/src/frame/pages/app.tsx b/src/frame/pages/app.tsx
index 01a0c1b4295a..543c6039edd0 100644
--- a/src/frame/pages/app.tsx
+++ b/src/frame/pages/app.tsx
@@ -3,9 +3,10 @@ import App from 'next/app'
 import type { AppProps, AppContext } from 'next/app'
 import Head from 'next/head'
 import { ThemeProvider } from '@primer/react'
+import { useRouter } from 'next/router'
 
 import { initializeEvents } from 'src/events/components/events'
-import { initializeExperiments } from 'src/events/components/experiment'
+import { initializeExperiments } from 'src/events/components/experiments/experiment'
 import {
   LanguagesContext,
   LanguagesContextT,
@@ -20,10 +21,11 @@ type MyAppProps = AppProps & {
 
 const MyApp = ({ Component, pageProps, languagesContext }: MyAppProps) => {
   const { theme } = useTheme()
+  const router = useRouter()
 
   useEffect(() => {
     initializeEvents()
-    initializeExperiments()
+    initializeExperiments(router.locale as string)
   }, [])
 
   useEffect(() => {