Merge pull request #38910 from github/repo-sync

Repo sync

Author: docs-bot

content/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/authenticating-to-the-github-api.md

@@ -85,6 +85,46 @@ ARC can use {% data variables.product.pat_v1_plural %} to register self-hosted r
 
    {% data reusables.actions.actions-runner-controller-helm-chart-options %}
 
+## Authenticating ARC with a {% data variables.product.pat_v2 %}
+
+ARC can use {% data variables.product.pat_v2_plural %} to register self-hosted runners.
+
+{% ifversion ghec or ghes %}
+
+> [!NOTE]
+> Authenticating ARC with a {% data variables.product.pat_v1 %} is the only supported authentication method to register runners at the enterprise level.
+
+{% endif %}
+
+1. Create a {% data variables.product.pat_v2 %} with the required scopes. The required scopes are different depending on whether you are registering runners at the repository or organization level. For more information on how to create a {% data variables.product.pat_v2 %}, see [AUTOTITLE](/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token#creating-a-fine-grained-personal-access-token).
+
+    The following is the list of required {% data variables.product.pat_generic %} scopes for ARC runners.
+
+    * Repository runners:
+      * **Administration:** Read and write
+
+    * Organization runners:
+      * **Administration:** Read
+      * **Self-hosted runners:** Read and write
+
+1. To create a Kubernetes secret with the value of your {% data variables.product.pat_v2 %}, use the following command.
+
+   {% data reusables.actions.arc-runners-namespace %}
+
+   ```bash copy
+   kubectl create secret generic pre-defined-secret \
+      --namespace=arc-runners \
+      --from-literal=github_token='YOUR-PAT'
+   ```
+
+1. In your copy of the [`values.yaml`](https://github.com/actions/actions-runner-controller/blob/master/charts/gha-runner-scale-set/values.yaml) file, pass the secret name as a reference.
+
+   ```yaml
+   githubConfigSecret: pre-defined-secret
+   ```
+
+   {% data reusables.actions.actions-runner-controller-helm-chart-options %}
+
 ## Authenticating ARC with vault secrets
 
 > [!NOTE]

content/admin/configuring-settings/hardening-security-for-your-enterprise/enabling-private-mode.md

@@ -31,6 +31,5 @@ With private mode enabled, you can allow unauthenticated Git operations (and any
 
 {% data reusables.enterprise_site_admin_settings.access-settings %}
 {% data reusables.enterprise_site_admin_settings.management-console %}
-{% data reusables.enterprise_management_console.privacy %}
 1. Select **Private mode**.
 {% data reusables.enterprise_management_console.save-settings %}

content/admin/enforcing-policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise.md

@@ -77,6 +77,8 @@ When specifying actions{% ifversion actions-workflow-policy %} and reusable work
    * To allow all actions{% ifversion actions-workflow-policy %} and reusable workflows{% endif %} in organizations that start with `space-org`, use `space-org*/*`.
    * To allow all actions{% ifversion actions-workflow-policy %} and reusable workflows{% endif %} in repositories that start with octocat, use `*/octocat**@*`.
 
+Policies never restrict access to local actions on the runner filesystem (where the `uses:` path start with `./`).
+
 ## Runners
 
 By default, anyone with admin access to a repository can add a self-hosted runner for the repository, and self-hosted runners come with risks:

data/reusables/enterprise_management_console/privacy.md

@@ -1 +1 @@
-1. In the "Settings" sidebar, click **Privacy** and uncheck **Privacy mode**.
+1. In the "Settings" sidebar, click **Privacy** and uncheck **Private mode**.