From 4af696a22d7359e6657c01660b2fbea1ea9ce20c Mon Sep 17 00:00:00 2001 From: Peter Bengtsson Date: Thu, 25 Apr 2024 08:58:14 -0400 Subject: [PATCH 1/3] Remove `dependency-submission-api` use from reusables (#49936) Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com> --- .../about-the-dependency-graph.md | 10 +++++----- .../exploring-the-dependencies-of-a-repository.md | 3 +-- .../troubleshooting-the-dependency-graph.md | 10 +++++----- .../using-the-dependency-submission-api.md | 4 +++- .../reusables/dependabot/about-the-dependency-graph.md | 2 +- ...ependency-submission-api-build-time-dependencies.md | 2 +- .../dependency-submission-link.md | 4 ++-- 7 files changed, 18 insertions(+), 17 deletions(-) diff --git a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph.md b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph.md index e5802d9d0584..13b01ffaa1c7 100644 --- a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph.md +++ b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph.md 
@@ -45,12 +45,12 @@ For more information about configuration of the dependency graph, see "[AUTOTITL ## Dependencies included -The dependency graph includes all the dependencies of a repository that are detailed in the manifest and lock files, or their equivalent, for supported ecosystems{% ifversion dependency-submission-api %}, as well as any dependencies that are submitted using the {% data variables.dependency-submission-api.name %} (beta){% endif %}. This includes: +The dependency graph includes all the dependencies of a repository that are detailed in the manifest and lock files, or their equivalent, for supported ecosystems, as well as any dependencies that are submitted using the {% data variables.dependency-submission-api.name %} (beta). This includes: -- Direct dependencies, that are explicitly defined in a manifest or lock file {% ifversion dependency-submission-api %} or have been submitted using the {% data variables.dependency-submission-api.name %} (beta){% endif %} +- Direct dependencies, that are explicitly defined in a manifest or lock file or have been submitted using the {% data variables.dependency-submission-api.name %} (beta) - Indirect dependencies of these direct dependencies, also known as transitive dependencies or sub-dependencies -The dependency graph identifies indirect dependencies{% ifversion fpt or ghec %} only if they are defined in a lock file {% ifversion dependency-submission-api %}or have been submitted using the {% data variables.dependency-submission-api.name %} (beta){% endif %}. For the most reliable graph, you should use lock files (or their equivalent) because they define exactly which versions of the direct and indirect dependencies you currently use. If you use lock files, you also ensure that all contributors to the repository are using the same versions, which will make it easier for you to test and debug code{% else %} from the lock files{% endif %}. 
{% ifversion dependency-submission-api %}If your ecosystem does not have lock files, you can use pre-made actions that resolve transitive dependencies for many ecosystems. For more information, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api#using-pre-made-actions)."{% endif %} +The dependency graph identifies indirect dependencies{% ifversion fpt or ghec %} only if they are defined in a lock file or have been submitted using the {% data variables.dependency-submission-api.name %} (beta). For the most reliable graph, you should use lock files (or their equivalent) because they define exactly which versions of the direct and indirect dependencies you currently use. If you use lock files, you also ensure that all contributors to the repository are using the same versions, which will make it easier for you to test and debug code{% else %} from the lock files{% endif %}. If your ecosystem does not have lock files, you can use pre-made actions that resolve transitive dependencies for many ecosystems. For more information, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api#using-pre-made-actions)." For more information on how {% data variables.product.product_name %} helps you understand the dependencies in your environment, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-supply-chain-security)." 
@@ -115,9 +115,9 @@ The recommended formats explicitly define which versions are used for all direct {% endnote %} -{% ifversion dependency-submission-api %}You can use the {% data variables.dependency-submission-api.name %} (beta) to add dependencies from the package manager or ecosystem of your choice to the dependency graph, even if the ecosystem is not in the supported ecosystem list above.{% endif %} {% data reusables.dependency-graph.dependency-submission-API-short %} +You can use the {% data variables.dependency-submission-api.name %} (beta) to add dependencies from the package manager or ecosystem of your choice to the dependency graph, even if the ecosystem is not in the supported ecosystem list above. {% data reusables.dependency-graph.dependency-submission-API-short %} -{% ifversion dependency-submission-api %}You will only get {% data variables.product.prodname_dependabot_alerts %} for dependencies that are from one of the [supported ecosystems](https://github.com/github/advisory-database#supported-ecosystems) of the {% data variables.product.prodname_advisory_database %}. For more information on the {% data variables.dependency-submission-api.name %}, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api)."{% endif %} +You will only get {% data variables.product.prodname_dependabot_alerts %} for dependencies that are from one of the [supported ecosystems](https://github.com/github/advisory-database#supported-ecosystems) of the {% data variables.product.prodname_advisory_database %}. For more information on the {% data variables.dependency-submission-api.name %}, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api)." ## Further reading 
diff --git a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/exploring-the-dependencies-of-a-repository.md b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/exploring-the-dependencies-of-a-repository.md index b4b322fbd13c..59596e239b4f 100644 --- a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/exploring-the-dependencies-of-a-repository.md +++ b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/exploring-the-dependencies-of-a-repository.md 
@@ -54,8 +54,7 @@ Any direct and indirect dependencies that are specified in the repository's mani {% endif %} {% ifversion dependency-graph-repository-view-update %} -Dependencies submitted to a project using the {% data variables.dependency-submission-api.name %} (beta) will show which detector was used for their submission and when they were submitted.{% elsif ghes %}Dependencies submitted to a project using the {% data variables.dependency-submission-api.name %} (beta), although also grouped by ecosystem, are shown separately from dependencies identified through manifest or lock files in the repository. These submitted dependencies appear in the dependency graph as "Snapshot dependencies" because they are submitted as a snapshot, or set, of dependencies.{% else %}{% endif %}{% ifversion dependency-submission-api %} For more information on using the {% data variables.dependency-submission-api.name %}, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api)." -{% endif %} +Dependencies submitted to a project using the {% data variables.dependency-submission-api.name %} (beta) will show which detector was used for their submission and when they were submitted.{% elsif ghes %}Dependencies submitted to a project using the {% data variables.dependency-submission-api.name %} (beta), although also grouped by ecosystem, are shown separately from dependencies identified through manifest or lock files in the repository. These submitted dependencies appear in the dependency graph as "Snapshot dependencies" because they are submitted as a snapshot, or set, of dependencies.{% else %}{% endif %} For more information on using the {% data variables.dependency-submission-api.name %}, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api)." 
If vulnerabilities have been detected in the repository, these are shown at the top of the view for users with access to {% data variables.product.prodname_dependabot_alerts %}. diff --git a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/troubleshooting-the-dependency-graph.md b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/troubleshooting-the-dependency-graph.md index aa64b8bc2b9a..ca6db2649ba8 100644 --- a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/troubleshooting-the-dependency-graph.md +++ b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/troubleshooting-the-dependency-graph.md 
@@ -21,19 +21,19 @@ topics: ## Does the dependency graph only find dependencies in manifests and lockfiles? -The dependency graph {% ifversion dependency-submission-api %}automatically{% endif %} includes information on dependencies that are explicitly declared in your environment. That is, dependencies that are specified in a manifest or a lockfile. The dependency graph generally also includes transitive dependencies, even when they aren't specified in a lockfile, by looking at the dependencies of the dependencies in a manifest file. +The dependency graph automatically includes information on dependencies that are explicitly declared in your environment. That is, dependencies that are specified in a manifest or a lockfile. The dependency graph generally also includes transitive dependencies, even when they aren't specified in a lockfile, by looking at the dependencies of the dependencies in a manifest file. -The dependency graph doesn't {% ifversion dependency-submission-api %}automatically{% endif %} include "loose" dependencies. "Loose" dependencies are individual files that are copied from another source and checked into the repository directly or within an archive (such as a ZIP or JAR file), rather than being referenced by in a package manager’s manifest or lockfile. +The dependency graph doesn't automatically include "loose" dependencies. "Loose" dependencies are individual files that are copied from another source and checked into the repository directly or within an archive (such as a ZIP or JAR file), rather than being referenced by in a package manager’s manifest or lockfile. 
-{% ifversion dependency-submission-api %}However, you can use the {% data variables.dependency-submission-api.name %} (beta) to add dependencies to a project's dependency graph, even if the dependencies are not declared in a manifest or lock file, such as dependencies resolved when a project is built.{% endif %} {% data reusables.dependency-graph.dependency-submission-API-short %} {% ifversion dependency-submission-api %}For more information on the {% data variables.dependency-submission-api.name %}, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api)."{% endif %} +However, you can use the {% data variables.dependency-submission-api.name %} (beta) to add dependencies to a project's dependency graph, even if the dependencies are not declared in a manifest or lock file, such as dependencies resolved when a project is built. {% data reusables.dependency-graph.dependency-submission-API-short %} For more information on the {% data variables.dependency-submission-api.name %}, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api)." **Check**: Is the missing dependency for a component that's not specified in the repository's manifest or lockfile? ## Does the dependency graph detect dependencies specified using variables? -The dependency graph analyzes manifests as they’re pushed to {% data variables.product.prodname_dotcom %}. The dependency graph doesn't, therefore, have access to the build environment of the project, so it can't resolve variables used within manifests. If you use variables within a manifest to specify the name, or more commonly the version of a dependency, then that dependency will not {% ifversion dependency-submission-api %}automatically{% endif %} be included in the dependency graph. +The dependency graph analyzes manifests as they’re pushed to {% data variables.product.prodname_dotcom %}. 
The dependency graph doesn't, therefore, have access to the build environment of the project, so it can't resolve variables used within manifests. If you use variables within a manifest to specify the name, or more commonly the version of a dependency, then that dependency will not automatically be included in the dependency graph. -{% ifversion dependency-submission-api %}However, you can use the {% data variables.dependency-submission-api.name %} (beta) to add dependencies to a project's dependency graph, even if the dependencies are only resolved when a project is built. For more information on the {% data variables.dependency-submission-api.name %}, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api)."{% endif %} +However, you can use the {% data variables.dependency-submission-api.name %} (beta) to add dependencies to a project's dependency graph, even if the dependencies are only resolved when a project is built. For more information on the {% data variables.dependency-submission-api.name %}, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api)." **Check**: Is the missing dependency declared in the manifest by using a variable for its name or version? diff --git a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api.md b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api.md index 97c263d873a2..4b4868378083 100644 --- a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api.md +++ b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api.md 
@@ -8,7 +8,9 @@ topics: - Dependencies - REST versions: - feature: dependency-submission-api + fpt: '*' + ghes: '*' + ghec: '*' --- {% data reusables.dependency-submission.dependency-submission-api-beta %} diff --git a/data/reusables/dependabot/about-the-dependency-graph.md b/data/reusables/dependabot/about-the-dependency-graph.md index 665981897db9..544a458d7280 100644 --- a/data/reusables/dependabot/about-the-dependency-graph.md +++ b/data/reusables/dependabot/about-the-dependency-graph.md @@ -1,4 +1,4 @@ -The dependency graph is a summary of the manifest and lock files stored in a repository{% ifversion dependency-submission-api %} and any dependencies that are submitted for the repository using the {% data variables.dependency-submission-api.name %} (beta){% endif %}. For each repository, it shows{% ifversion fpt or ghec %}: +The dependency graph is a summary of the manifest and lock files stored in a repository and any dependencies that are submitted for the repository using the {% data variables.dependency-submission-api.name %} (beta). For each repository, it shows{% ifversion fpt or ghec %}: - Dependencies, the ecosystems and packages it depends on - Dependents, the repositories and packages that depend on it{% else %} dependencies, that is, the ecosystems and packages it depends on.{% endif %} diff --git a/data/reusables/dependabot/dependency-submission-api-build-time-dependencies.md b/data/reusables/dependabot/dependency-submission-api-build-time-dependencies.md index 3bed51c1146c..155fa49dc9df 100644 --- a/data/reusables/dependabot/dependency-submission-api-build-time-dependencies.md +++ b/data/reusables/dependabot/dependency-submission-api-build-time-dependencies.md 
@@ -1 +1 @@ -You may not see all of your dependencies represented in the dependency graph, especially if some dependencies are build-time dependencies.{% ifversion dependency-submission-api %} You can use the {% data variables.dependency-submission-api.name %} to inform {% data variables.product.prodname_dotcom %} about your other dependencies, and receive security updates for them. For more information, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api)."{% endif %} +You may not see all of your dependencies represented in the dependency graph, especially if some dependencies are build-time dependencies. You can use the {% data variables.dependency-submission-api.name %} to inform {% data variables.product.prodname_dotcom %} about your other dependencies, and receive security updates for them. For more information, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api)." diff --git a/data/reusables/dependency-submission/dependency-submission-link.md b/data/reusables/dependency-submission/dependency-submission-link.md index 950b53060810..63f4d25cc108 100644 --- a/data/reusables/dependency-submission/dependency-submission-link.md +++ b/data/reusables/dependency-submission/dependency-submission-link.md 
@@ -1,2 +1,2 @@ -{% ifversion dependency-submission-api %} -Additionally, you can use the {% data variables.dependency-submission-api.name %} (beta) to submit dependencies from the package manager or ecosystem of your choice, even if the ecosystem is not supported by dependency graph for manifest or lock file analysis.{% endif %}{% ifversion dependency-graph-repository-view-update %} Dependencies submitted to a project using the {% data variables.dependency-submission-api.name %} (beta) will show which detector was used for their submission and when they were submitted.{% elsif ghes %} The dependency graph will display the submitted dependencies grouped by ecosystem, but separately from the dependencies parsed from manifest or lock files.{% else %}{% endif %}{% ifversion dependency-submission-api %} For more information on the {% data variables.dependency-submission-api.name %}, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api)."{% endif %} +Additionally, you can use the {% data variables.dependency-submission-api.name %} (beta) to submit dependencies from the package manager or ecosystem of your choice, even if the ecosystem is not supported by dependency graph for manifest or lock file analysis. +{% ifversion dependency-graph-repository-view-update %}Dependencies submitted to a project using the {% data variables.dependency-submission-api.name %} (beta) will show which detector was used for their submission and when they were submitted.{% elsif ghes %} The dependency graph will display the submitted dependencies grouped by ecosystem, but separately from the dependencies parsed from manifest or lock files.{% else %}{% endif %} For more information on the {% data variables.dependency-submission-api.name %}, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api)." 
From 207484ad098b4ca0722facbc2a5d6ff3d40207e6 Mon Sep 17 00:00:00 2001 From: Sophie <29382425+sophietheking@users.noreply.github.com> Date: Thu, 25 Apr 2024 14:59:15 +0200 Subject: [PATCH 2/3] [Improvement]: Add note about assigning at least one IDP user in EMU provisioning docs (#50264) Co-authored-by: Adam Ross Russell Co-authored-by: Ben Ahmady <32935794+subatoi@users.noreply.github.com> --- ...ing-saml-single-sign-on-for-enterprise-managed-users.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/content/admin/identity-and-access-management/configuring-authentication-for-enterprise-managed-users/configuring-saml-single-sign-on-for-enterprise-managed-users.md b/content/admin/identity-and-access-management/configuring-authentication-for-enterprise-managed-users/configuring-saml-single-sign-on-for-enterprise-managed-users.md index 62de4a83d17b..6675ba90af01 100644 --- a/content/admin/identity-and-access-management/configuring-authentication-for-enterprise-managed-users/configuring-saml-single-sign-on-for-enterprise-managed-users.md +++ b/content/admin/identity-and-access-management/configuring-authentication-for-enterprise-managed-users/configuring-saml-single-sign-on-for-enterprise-managed-users.md 
@@ -44,13 +44,13 @@ To configure SAML SSO for your {% data variables.enterprise.prodname_emu_enterpr ### Configuring your IdP -1. {% ifversion emu-public-scim-schema %}If you use a partner IdP, to install the {% data variables.product.prodname_emu_idp_application %} application, click one of the following links.{% else %}To install the GitHub Enterprise Managed User application, click the link for your IdP below:{% endif %} +1. {% ifversion emu-public-scim-schema %}If you use a partner IdP, to install the {% data variables.product.prodname_emu_idp_application %} application, click one of the following links.{% else %}To install the {% data variables.product.prodname_emu_idp_application %} application, click the link for your IdP below:{% endif %} - [Microsoft Entra ID application](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/aad.githubenterprisemanageduser?tab=Overview) in Azure Marketplace (Entra ID was previously known as Azure AD) - [Okta application](https://www.okta.com/integrations/github-enterprise-managed-user) in Okta's integrations directory - [PingFederate downloads website](https://www.pingidentity.com/en/resources/downloads/pingfederate.html) - - To download the PingFederate connector, navigate to the **Add-ons** tab and select **GitHub EMU Connector 1.0**. + - To download the PingFederate connector, navigate to the **Add-ons** tab and select **{% data variables.product.prodname_dotcom %} EMU Connector 1.0**. 1. To configure SAML SSO for {% data variables.product.prodname_emus %} on your IdP, read the following documentation. {% ifversion emu-public-scim-schema %}If you don't use a partner IdP, you can use the SAML configuration reference for {% data variables.product.product_name %} to create and configure a generic SAML 2.0 application on your IdP.{% endif %} 
@@ -62,6 +62,9 @@ To configure SAML SSO for your {% data variables.enterprise.prodname_emu_enterpr {%- endif %} 1. To test and configure your enterprise, assign yourself or the user that will configure SAML SSO for your enterprise on {% data variables.location.product_location %} to the application you configured for {% data variables.product.prodname_emus %} on your IdP. + > [!NOTE] + > In order to test a successful authentication connection upon configuration, at least one user must be assigned to the IdP. + 1. To continue configuring your enterprise on {% data variables.location.product_location %}, locate and note the following information from the application you installed on your IdP. | Value | Other names | Description | From 3895b0fc71c21f18d0f0198c21a7a838a1ad2e80 Mon Sep 17 00:00:00 2001 From: Max Schaefer <54907921+max-schaefer@users.noreply.github.com> Date: Thu, 25 Apr 2024 13:59:34 +0100 Subject: [PATCH 3/3] Only include publicly shipped languages in autofix support column. (#50298) --- .../generate-code-scanning-query-list.ts | 29 +++++++++++++++---- 1 file changed, 24 insertions(+), 5 deletions(-) diff --git a/src/code-scanning/scripts/generate-code-scanning-query-list.ts b/src/code-scanning/scripts/generate-code-scanning-query-list.ts index 43e12dba34b1..655d43b5780e 100644 --- a/src/code-scanning/scripts/generate-code-scanning-query-list.ts +++ b/src/code-scanning/scripts/generate-code-scanning-query-list.ts 
@@ -58,6 +58,28 @@ import { program } from 'commander'
 import { getSupportedQueries } from '@github/cocofix/dist/querySuites' // eslint-disable-line import/no-extraneous-dependencies
 import { type Language } from '@github/cocofix/dist/codeql' // eslint-disable-line import/no-extraneous-dependencies
 
+/**
+ * The list of languages for which autofix support has (publicly) shipped.
+ *
+ * We don't want to add documentation about autofix support for languages that have not shipped.
+ *
+ * Note that this is conceptually different from the list of languages for which we support autofix:
+ * some languages are supported, but only staff-shipped internally (currently, `go` and `ruby`).
+ *
+ * Supporting a language is a technical decision, and reflected in the list of supported queries
+ * returned by `getSupportedQueries`. Shipping a language, on the other hand, is a product decision,
+ * and is implemented by a feature flag in the monolith, so we cannot easily check it here.
+ *
+ * Instead we hard-code the list of shipped languages here and manually keep it in sync with
+ * https://docs.github.com/en/code-security/code-scanning/managing-code-scanning-alerts/about-autofix-for-codeql-code-scanning#supported-languages.
+ * This sounds worse than it is, since CodeQL only supports a total of eight languages
+ * and we are on track to ship autofix support for all of them in the next few months.
+ *
+ * Note that we never publicly ship a language for which we don't have autofix support, so if a language
+ * has been shipped, we know for sure that it is supported.
+ */
+const AUTOFIX_SHIPPED_LANGUAGES = ['csharp', 'java', 'javascript', 'python']
+
 program
   .description('Generate a reusable Markdown for for a code scanning query language')
   .option('--verbose', 'Verbose outputs')
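Review bot: The header comment on the new `AUTOFIX_SHIPPED_LANGUAGES` constant explains why the list is hand-maintained but not which spelling its entries must use, and the lookup in `main` (`AUTOFIX_SHIPPED_LANGUAGES.includes(language)`) is an exact string comparison against the `language: string` argument, so an entry such as `'JavaScript'` or `'javascript-typescript'` would silently drop the column rather than fail. I would add a line to the comment: `Entries must exactly match the language identifier passed to this script (e.g. 'javascript', not 'JavaScript'); a mismatch silently omits the 'Autofix' column.` The list is also untyped, so a typo is not caught at compile time; if `Language` is a string-literal union, `const AUTOFIX_SHIPPED_LANGUAGES: readonly Language[] = [...]` would catch it, at the cost of the `includes` call site then needing a guard or cast because `language` is a plain `string` — worth confirming against the `Language` definition before adopting.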
@@ -191,11 +213,8 @@ async function main(options: Options, language: string) {
     return a.name.localeCompare(b.name)
   })
 
-  // At the moment, our chosen business logic is that we omit the Autofix
-  // column if there are no queries that support it.
-  // In a future rendition we might revisit this to make it configurable
-  // instead.
-  const includeAutofix = entries.some((query) => query.autofixSupport !== 'none')
+  // Omit the 'Autofix' column if the language has not been shipped
+  const includeAutofix = AUTOFIX_SHIPPED_LANGUAGES.includes(language)
   console.warn(`${includeAutofix ? 'Including' : 'Excluding'} 'Autofix' column for ${language}`)
   printQueries(options, entries, includeAutofix)
 }
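Review bot: The new `const includeAutofix = AUTOFIX_SHIPPED_LANGUAGES.includes(language)` drops the previous check that at least one entry has `autofixSupport !== 'none'`, so a language that is in the shipped list but for which `getSupportedQueries` returns no autofix-capable queries (a typo in the list, or support withdrawn upstream) would now render an 'Autofix' column consisting entirely of 'none', with a console message that says 'Including'. The header comment asserts that a shipped language is always a supported one, but nothing in the script enforces that invariant; keeping the query-based test as a conjunction makes it cheap to verify: `const hasAutofixQueries = entries.some((query) => query.autofixSupport !== 'none')` followed by `const includeAutofix = AUTOFIX_SHIPPED_LANGUAGES.includes(language) && hasAutofixQueries`. A `console.warn` when the two disagree (shipped but no supporting queries, or supporting queries but not shipped) would surface list drift at generation time instead of in the published docs. Only the tail of `main` is visible here; its signature and the rest of its body lie outside the hunk.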