Merge branch 'main' into patch-1
Yuchen-Song committed Jul 13, 2024
2 parents d26efdb + 8554f18 commit a706d42
Showing 368 changed files with 7,459 additions and 855,916 deletions.
1 change: 1 addition & 0 deletions .devcontainer/devcontainer.json
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,7 @@
"streetsidesoftware.code-spell-checker",
"alistairchristie.open-reusables",
"AlistairChristie.version-identifier",
"peterbe.ghdocs-goer",
"GitHub.copilot",
"GitHub.copilot-chat"
]
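Review bot: the new `"peterbe.ghdocs-goer"` entry adds a third-party extension that every Codespace built from this devcontainer will install and run; a one-line comment naming what it does and who maintains it would make the addition reviewable later, and it is worth confirming the publisher ID is the intended one, since the extension is fetched from the marketplace by that ID alone.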
2 changes: 1 addition & 1 deletion .github/workflows/azure-preview-env-deploy-public.yml
Expand Up @@ -112,7 +112,7 @@ jobs:
run: src/workflows/prune-for-preview-env.sh

- name: 'Build and push image'
uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25
uses: docker/build-push-action@1a162644f9a7e87d8f4b053101d1d9a712edc18c
with:
context: .
push: true
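Review bot: the bumped `docker/build-push-action` SHA carries no version comment, unlike `actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1` elsewhere in these workflows; adding `# vX.Y.Z` after the pinned commit lets reviewers and dependency tooling see which release the hash corresponds to without resolving it. The same pin is updated identically in the other `azure-*` and `main-preview-docker-cache` workflows in this commit, so the comment belongs in each.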
2 changes: 1 addition & 1 deletion .github/workflows/azure-preview-env-deploy.yml
Expand Up @@ -171,7 +171,7 @@ jobs:
run: src/workflows/prune-for-preview-env.sh

- name: 'Build and push image'
uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25
uses: docker/build-push-action@1a162644f9a7e87d8f4b053101d1d9a712edc18c
with:
context: .
push: true
10 changes: 6 additions & 4 deletions .github/workflows/azure-prod-build-deploy.yml
Expand Up @@ -52,9 +52,6 @@ jobs:
uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb

- name: Check out repo
# If any of the steps above fail, we'll need a checkout so we
# have access to the `.github/actions/slack-alert/action.yml` file.
if: ${{ always() && github.event_name != 'workflow_dispatch' }}
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
ref: ${{ github.sha }}
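Review bot: the header `-52,9 +52,6` says three lines leave the `Check out repo` step; from what is shown, the candidates are the two comment lines and the `if: ${{ always() && github.event_name != 'workflow_dispatch' }}` guard. If the guard is what goes, the checkout no longer runs after an earlier step fails, which is exactly the case the comment says the checkout exists for (so that `.github/actions/slack-alert/action.yml` is available); either keep the `always()` condition or confirm the slack-alert step no longer depends on a checkout.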
Expand All @@ -67,6 +64,11 @@ jobs:
node-version-file: 'package.json'
cache: npm

# Currently we only need this to run dependencies in
# src/workflows/check-canary-slots.js
- name: Install dependencies
run: npm install

- name: Clone docs-early-access
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
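Review bot: the new `Install dependencies` step runs `npm install` rather than `npm ci` in a production deploy workflow; `npm ci` installs exactly what the lockfile records and fails if `package.json` and the lockfile disagree, whereas `npm install` can re-resolve and rewrite, so the dependency set used by `src/workflows/check-canary-slots.js` is not guaranteed to be the same from run to run. Suggest `run: npm ci`.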
Expand All @@ -90,7 +92,7 @@ jobs:
token: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }}

- name: 'Build and push image'
uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25
uses: docker/build-push-action@1a162644f9a7e87d8f4b053101d1d9a712edc18c
with:
context: .
push: true
2 changes: 1 addition & 1 deletion .github/workflows/azure-staging-build-deploy.yml
Expand Up @@ -91,7 +91,7 @@ jobs:
run: src/early-access/scripts/merge-early-access.sh

- name: 'Build and push image'
uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25
uses: docker/build-push-action@1a162644f9a7e87d8f4b053101d1d9a712edc18c
with:
context: .
push: true
2 changes: 1 addition & 1 deletion .github/workflows/main-preview-docker-cache.yml
Expand Up @@ -68,7 +68,7 @@ jobs:
run: src/workflows/prune-for-preview-env.sh

- name: 'Build and push image'
uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25
uses: docker/build-push-action@1a162644f9a7e87d8f4b053101d1d9a712edc18c
with:
context: .
push: true
64 changes: 0 additions & 64 deletions .github/workflows/repo-sync-stalls.yml

This file was deleted.

2 changes: 1 addition & 1 deletion .github/workflows/repo-sync.yml
Expand Up @@ -10,7 +10,7 @@ name: Repo Sync
on:
workflow_dispatch:
schedule:
- cron: '20,50 * * * *' # Run every hour at 20 and 50 minutes after
- cron: '20 */3 * * *' # Run every 3rd hour at 20 minutes after

permissions:
contents: write
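Review bot: with the schedule dropping from twice an hour to `20 */3 * * *`, an upstream change can now wait up to three hours before it is mirrored, and because `.github/workflows/repo-sync-stalls.yml` is deleted in this same commit there is no longer a workflow watching for syncs that stop happening altogether. If retiring the stall check is deliberate, say so in the PR description; otherwise keep it with its threshold adjusted to the new cadence.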
Original file line number Diff line number Diff line change
Expand Up @@ -32,7 +32,7 @@ When you unsubscribe from notifications in your inbox, you have several other tr

### Benefits of unsubscribing from the subscriptions page

When you unsubscribe from notifications on the subscriptions page, you can see more of the notifications you're subscribed to and sort them by "Most recently subscribed" or "Least recently subscribed".
When you unsubscribe from notifications on the subscriptions page, you can see more of the notifications you're subscribed to and sort them by "Most recently subscribed" or "Least recently subscribed."

The subscriptions page shows you all of the notifications that you're currently subscribed to, including notifications that you have marked as **Done** in your inbox.

Original file line number Diff line number Diff line change
Expand Up @@ -159,7 +159,7 @@ For more information, see "[AUTOTITLE](/account-and-profile/managing-subscriptio

## Configuring your watch settings for an individual repository

You can choose whether to watch or unwatch an individual repository. You can also choose to only be notified of certain event types such as {% data reusables.notifications-v2.custom-notification-types %} (if enabled for the repository) , or completely ignore an individual repository.
You can choose whether to watch or unwatch an individual repository. You can also choose to only be notified of certain event types such as {% data reusables.notifications-v2.custom-notification-types %} (if enabled for the repository), or completely ignore an individual repository.

{% data reusables.repositories.navigate-to-repo %}
1. In the upper-right corner, select the "Watch" drop-down menu, then click a watch option.
Expand Down Expand Up @@ -232,9 +232,9 @@ For repositories that are set up with {% data variables.product.prodname_actions
1. On the "Notification settings" page, under "System", then under "Actions", select the **Don't notify** dropdown menu.

![Screenshot of the "System" section of the notification settings. Under "Actions," a dropdown menu, titled "Don't notify", is highlighted with an orange outline.](/assets/images/help/notifications/github-actions-customize-notifications.png)
1. To opt into web notifications, from the dropdown menu, select "On {% data variables.product.prodname_dotcom %}".
1. To opt into web notifications, from the dropdown menu, select "On {% data variables.product.prodname_dotcom %}."

To opt into email notifications, from the dropdown menu, select "Email".
To opt into email notifications, from the dropdown menu, select "Email."
1. Optionally, to only receive notifications for failed workflow runs, from the dropdown menu, select "Only notify for failed workflows", then click **Save**.{% endif %}

{% ifversion ghes %}
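Review bot: this hunk moves the period inside the closing quotes for "On {% data variables.product.prodname_dotcom %}." and "Email.", but the unchanged final step in the same list still reads `"Only notify for failed workflows", then click **Save**` with the comma outside the quotes; either convention is fine, but the three steps of one list should agree.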
Original file line number Diff line number Diff line change
Expand Up @@ -27,10 +27,10 @@ For an example workflow of removing notifications that are easy to remove or tri
Choose which type of notifications are most urgent to review and pick a time to review them that's best for you. You might consider the question "Who am I blocking?"

For example, you may decide to check your notifications in this order in the morning during your daily planning time:
* Pull requests where your review is requested. (filter by `reason:review-requested`)
* Events where your username is @mentioned, also called direct mentions. (filter by `reason:mention`)
* Events where a team you're a member of is @mentioned, also called team mentions. (filter by `reason:team-mention`)
* CI workflow failures for a specific repository. (filter by `reason:ci-activity` and `repo:owner/repo-name` and ensure you've enabled CI activity notifications for workflow failures in your notification settings)
* Pull requests where your review is requested (filter by `reason:review-requested`)
* Events where your username is @mentioned, also called direct mentions (filter by `reason:mention`)
* Events where a team you're a member of is @mentioned, also called team mentions (filter by `reason:team-mention`)
* CI workflow failures for a specific repository (filter by `reason:ci-activity` and `repo:owner/repo-name` and ensure you've enabled CI activity notifications for workflow failures in your notification settings)

{% tip %}

Expand Down Expand Up @@ -63,8 +63,8 @@ After triaging the higher priority notifications, review the remaining notificat
Choose which type of notifications are quickest and easiest for you to triage and remove from your inbox, ideally triaging multiple notifications at once.

For example, you may decide to clear notifications in this order:
* Participating notifications that you can unsubscribe to.
* Repository updates that are not relevant to keep or follow-up on.
* Participating notifications that you can unsubscribe to
* Repository updates that are not relevant to keep or follow-up on

For more information on managing multiple notifications in your inbox at the same time, see "[AUTOTITLE](/account-and-profile/managing-subscriptions-and-notifications-on-github/viewing-and-triaging-notifications/managing-notifications-from-your-inbox#triaging-multiple-notifications-at-the-same-time)."

Original file line number Diff line number Diff line change
Expand Up @@ -73,11 +73,12 @@ You can add up to 15 of your own custom filters.
## Custom filter limitations

Custom filters do not currently support:
* Full text search in your inbox, including searching for pull request or issue titles.

* Full text search in your inbox, including searching for pull request or issue titles
* Distinguishing between the `is:issue`, `is:pr`, and `is:pull-request` query filters. These queries will return both issues and pull requests.
* Creating more than 15 custom filters.
* Changing the default filters or their order.
* Search [exclusion](/search-github/getting-started-with-searching-on-github/understanding-the-search-syntax#exclude-certain-results) using `NOT` or `-QUALIFIER`.
* Creating more than 15 custom filters
* Changing the default filters or their order
* Search [exclusion](/search-github/getting-started-with-searching-on-github/understanding-the-search-syntax#exclude-certain-results) using `NOT` or `-QUALIFIER`

## Supported queries for custom filters

Original file line number Diff line number Diff line change
Expand Up @@ -49,6 +49,11 @@ For more information, see the following articles.
* "[AUTOTITLE](/organizations/managing-organization-settings/deleting-an-organization-account)"
* "[AUTOTITLE](/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-your-membership-in-organizations/removing-yourself-from-an-organization)"

{% ifversion ghes %}
> [!NOTE]
> * You should contact an enterprise owner before deleting your account on {% data variables.product.product_name %}.
{% endif %}

## Back up your account data

Before you delete your personal account, make a copy of all repositories, private forks, wikis, issues, and pull requests owned by your account. For more information, see "[AUTOTITLE](/repositories/archiving-a-github-repository/backing-up-a-repository)."
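Review bot: the new GHES-only callout is a single bullet inside `> [!NOTE]`; a one-item list inside a callout reads oddly, so `> You should contact an enterprise owner before deleting your account on ...` as plain text would be cleaner. It would also help the reader to state why the enterprise owner needs to be contacted, not only that they should be.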
Original file line number Diff line number Diff line change
@@ -1,12 +1,12 @@
---
title: Configuring custom deployment protection rules
shortTitle: Configure custom protection rules
intro: Use {% data variables.product.prodname_github_apps %} to automate protecting deployments with third-party systems.
intro: 'Use {% data variables.product.prodname_github_apps %} to automate protecting deployments with third-party systems.'
product: '{% data reusables.actions.custom-deployment-protection-rules-availability %}'
versions:
fpt: '*'
ghec: '*'
ghes: '>=3.10'
ghes: '*'
topics:
- Actions
- CD
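Review bot: `ghes: '>=3.10'` becomes `ghes: '*'` here and in the sibling `creating-custom-deployment-protection-rules` and `index.md` pages, which makes the article available to every supported GHES version; the `product:` line still points at `reusables.actions.custom-deployment-protection-rules-availability`, so check that reusable says the same thing, otherwise a reader on an older GHES lands on a page whose availability note contradicts its own front matter. Quoting the `intro` value is a YAML-style change only and is fine.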
Original file line number Diff line number Diff line change
@@ -1,12 +1,12 @@
---
title: Creating custom deployment protection rules
shortTitle: Create custom protection rules
intro: Use {% data variables.product.prodname_github_apps %} to automate protecting deployments with third-party systems.
intro: 'Use {% data variables.product.prodname_github_apps %} to automate protecting deployments with third-party systems.'
product: '{% data reusables.actions.custom-deployment-protection-rules-availability %}'
versions:
fpt: '*'
ghec: '*'
ghes: '>=3.10'
ghes: '*'
topics:
- Actions
- CD
2 changes: 1 addition & 1 deletion content/actions/deployment/protecting-deployments/index.md
Expand Up @@ -5,7 +5,7 @@ intro: You can create and configure custom deployment protection rules to approv
versions:
fpt: '*'
ghec: '*'
ghes: '>=3.10'
ghes: '*'
children:
- /creating-custom-deployment-protection-rules
- /configuring-custom-deployment-protection-rules
Original file line number Diff line number Diff line change
Expand Up @@ -52,7 +52,7 @@ In this guide, we will use the Docker `build-push-action` action to build the Do

## Publishing images to Docker Hub

{% data reusables.actions.release-trigger-workflow %}
Each time you create a new release on {% data variables.product.product_name %}, you can trigger a workflow to publish your image. The workflow in the example below runs when the `release` event triggers with the `published` activity type.

In the example workflow below, we use the Docker `login-action` and `build-push-action` actions to build the Docker image and, if the build succeeds, push the built image to Docker Hub.

Expand Down Expand Up @@ -129,7 +129,7 @@ The above workflow checks out the {% data variables.product.prodname_dotcom %} r
{% data reusables.package_registry.container-registry-ghes-beta %}
{% endif %}

{% data reusables.actions.release-trigger-workflow %}
Each time you create a new release on {% data variables.product.product_name %}, you can trigger a workflow to publish your image. The workflow in the example below runs when a change is pushed to the `release` branch.

In the example workflow below, we use the Docker `login-action`{% ifversion fpt or ghec %}, `metadata-action`,{% endif %} and `build-push-action` actions to build the Docker image, and if the build succeeds, push the built image to {% data variables.product.prodname_registry %}.

Original file line number Diff line number Diff line change
Expand Up @@ -31,7 +31,7 @@ For more information about creating a CI workflow for your Java project with Gra

You may also find it helpful to have a basic understanding of the following:

* "[AUTOTITLE](/packages/working-with-a-github-packages-registry/working-with-the-npm-registry)"
* "[AUTOTITLE](/packages/working-with-a-github-packages-registry/working-with-the-apache-maven-registry)"
* "[AUTOTITLE](/actions/learn-github-actions/variables)"
* "[AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions)"
* "[AUTOTITLE](/actions/security-guides/automatic-token-authentication)"
Original file line number Diff line number Diff line change
Expand Up @@ -31,7 +31,7 @@ For more information about creating a CI workflow for your Java project with Mav

You may also find it helpful to have a basic understanding of the following:

* "[AUTOTITLE](/packages/working-with-a-github-packages-registry/working-with-the-npm-registry)"
* "[AUTOTITLE](/packages/working-with-a-github-packages-registry/working-with-the-apache-maven-registry)"
* "[AUTOTITLE](/actions/learn-github-actions/variables)"
* "[AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions)"
* "[AUTOTITLE](/actions/security-guides/automatic-token-authentication)"
Original file line number Diff line number Diff line change
Expand Up @@ -69,6 +69,9 @@ on:
jobs:
build:
runs-on: ubuntu-latest
{% ifversion artifact-attestations %}permissions:
contents: read
id-token: write{% endif %}
steps:
- uses: {% data reusables.actions.action-checkout %}
# Setup .npmrc file to publish to npm
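Review bot: the new job-level `permissions:` block is the right shape for attestation signing (`id-token: write` is what lets the job request an OIDC token), but an explicit block also turns off every scope not listed, so any scope the job previously relied on by default is gone in the `artifact-attestations` variant; that is the least-privilege direction, provided the rest of the job has been checked against it. Note also that when the Liquid condition is false the `permissions:` line and its two children disappear entirely, which is still valid YAML here because `steps:` keeps its own indentation, but the two rendered variants of this workflow then differ in their effective token scopes, not just in a feature.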
Original file line number Diff line number Diff line change
Expand Up @@ -42,10 +42,10 @@ We have packaged the Sigstore Policy Controller as a [GitHub distributed Helm ch
First, install the Helm chart that deploys the Sigstore Policy Controller:

```bash copy
helm install policy-controller --atomic \
helm upgrade policy-controller --install --atomic \
--create-namespace --namespace artifact-attestations \
oci://ghcr.io/github/artifact-attestations-helm-charts/policy-controller \
--version v0.9.0-github3
--version v0.10.0-github5
```

This installs the Policy Controller into the `artifact-attestations` namespace. At this point, no policies have been configured, and it will not enforce any attestations.
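Review bot: switching to `helm upgrade --install --atomic` makes the command safe to re-run (a plain `helm install` fails if the release already exists) and rolls back on failure, which is the right guidance for a cluster-wide admission controller; the chart remains pinned by explicit `--version`, which keeps the instructions reproducible, so the change is good as is.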
Expand All @@ -55,10 +55,10 @@ This installs the Policy Controller into the `artifact-attestations` namespace.
Once the policy controller has been deployed, you need to add the GitHub `TrustRoot` and a `ClusterImagePolicy` to your cluster. Use the Helm chart we provide to do this. Make sure to replace `MY-ORGANIZATION` with your GitHub organization's name (e.g., `github` or `octocat-inc`).

```bash copy
helm install trust-policies --atomic \
helm upgrade trust-policies --install --atomic \
--namespace artifact-attestations \
oci://ghcr.io/github/artifact-attestations-helm-charts/trust-policies \
--version v0.4.0 \
--version v0.5.0 \
--set policy.enabled=true \
--set policy.organization=MY-ORGANIZATION
```
Expand Down Expand Up @@ -86,19 +86,40 @@ Alternatively, you may run:
kubectl label namespace MY-NAMESPACE policy.sigstore.dev/include=true
```

### Matching images

By default, the policy installed with the `trust-policies` Helm chart will verify attestations for all images before admitting them into the cluster. If you only intend to enforce attestations for a subset of images, you can use the Helm values `policy.images` and `policy.exemptImages` to specify a list of images to match against. These values can be set to a list of glob patterns that match the image names. The globbing syntax uses Go [filepath](https://pkg.go.dev/path/filepath#Match) semantics, with the addition of `**` to match any character sequence, including slashes.

For example, to enforce attestations for images that match the pattern `ghcr.io/MY-ORGANIZATION/*` and admit `busybox` without a valid attestation, you can run:

```bash copy
helm upgrade trust-policies --install --atomic \
--namespace artifact-attestations \
oci://ghcr.io/github/artifact-attestations-helm-charts/trust-policies \
--version v0.5.0 \
--set policy.enabled=true \
--set policy.organization=MY-ORGANIZATION \
--set-json 'policy.exemptImages=["index.docker.io/library/busybox**"]' \
--set-json 'policy.images=["ghcr.io/MY-ORGANIZATION/**"]'
```

Note that to match `busybox`, we need to provide the fully-qualified image name with double-star glob: `index.docker.io/library/busybox**`.

Also note that any image you intend to admit _must_ have a matching glob pattern in the `policy.images` list. If an image does not match any pattern, it will be rejected.

### Advanced usage

To see the full set of options you may configure with the Helm chart, you can run either of the following commands.
For policy controller options:

```bash copy
helm show values oci://ghcr.io/github/artifact-attestations-helm-charts/policy-controller --version v0.9.0-github3
helm show values oci://ghcr.io/github/artifact-attestations-helm-charts/policy-controller --version v0.10.0-github5
```

For trust policy options:

```bash copy
helm show values oci://ghcr.io/github/artifact-attestations-helm-charts/trust-policies --version v0.4.0
helm show values oci://ghcr.io/github/artifact-attestations-helm-charts/trust-policies --version v0.5.0
```

For more information on the Sigstore Policy Controller, see the [Sigstore Policy Controller documentation](https://docs.sigstore.dev/policy-controller/overview/).
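Review bot: the exemption in the "Matching images" section is broad: `index.docker.io/library/busybox**` admits every tag and digest of that image without any attestation, and the text should say so; where an exemption is needed, the narrowest pattern that works (a specific tag, or a digest) is preferable to `**`. Two clarifications would help readers: the closing paragraph says any image not matching `policy.images` is rejected, yet `busybox` is admitted although it appears only in `policy.exemptImages`, so state explicitly that exempt images bypass the match rather than needing their own `policy.images` entry; and `--set-json` requires Helm 3.10 or later, which is worth mentioning beside the command.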