Repo sync

.github/workflows/confirm-internal-staff-work-in-docs.yml

@@ -68,7 +68,7 @@ jobs:
               repo: process.env.TEAM_CONTENT_REPO,
               title: `@${context.payload.sender.login} confirm that \#${issueNo} should be in the public github/docs repo`,
               body: `@${context.payload.sender.login} opened https://github.com/github/docs/issues/${issueNo} publicly in the github/docs repo, instead of the private github/${process.env.TEAM_CONTENT_REPO} repo.\n\n@${context.payload.sender.login}, please confirm that this belongs in the public repo and that no sensitive information was disclosed by commenting below and closing the issue.\n\nIf this was not intentional and sensitive information was shared, please delete https://github.com/github/docs/issues/${issueNo} and notify us in the \#docs-open-source channel.\n\nThanks!`,
-              labels: ['OS confirmation'],
+              labels: ['OS confirmation', 'skip FR board'],
             });
 
             core.setOutput('did_warn', 'true')

Dockerfile

@@ -8,7 +8,7 @@
 # ---------------------------------------------------------------
 # To update the sha:
 # https://github.com/github/gh-base-image/pkgs/container/gh-base-image%2Fgh-base-noble
-FROM ghcr.io/github/gh-base-image/gh-base-noble:20250319-193531-g83d4e6244 AS base
+FROM ghcr.io/github/gh-base-image/gh-base-noble:20250407-184504-g7b9deed09 AS base
 
 # Install curl for Node install and determining the early access branch
 # Install git for cloning docs-early-access & translations repos

config/kubernetes/production/deployments/webapp.yaml

@@ -23,8 +23,15 @@ spec:
           image: docs-internal
           resources:
             requests:
-              cpu: 8000m
-              memory: 10Gi
+              cpu: 4000m
+              # Absolute minimum to start app is 1000m
+              # Node is single-threaded but we want more CPUs
+              # for OS and image resizing, and other binary executions
+              # Better to increase replicas or memory than CPU
+              memory: 8Gi
+              # Absolute minimum to start app is 4500Mi
+              # Would increase with more pages, versions, or languages supported
+              # The additional memory helps during traffic surges
             limits:
               cpu: 16000m
               memory: 16Gi

content/code-security/code-scanning/managing-code-scanning-alerts/best-practices-for-participating-in-a-security-campaign.md

@@ -0,0 +1,121 @@
+---
+title: Best practices for participating in a security campaign
+shortTitle: Best practices for campaigns
+intro: 'Learn how you can successfully take part in a security campaign and how it can benefit your career as well as your code.'
+allowTitleToDifferFromFilename: true
+permissions: '{% data reusables.permissions.code-scanning-all-alerts %}'
+product: '{% data reusables.gated-features.security-campaigns %}'
+type: how_to
+versions:
+  feature: security-campaigns
+topics:
+  - Code Security
+  - Code scanning
+  - Alerts
+  - Repositories
+---
+
+## What is a security campaign
+
+A security campaign is a group of security alerts, detected in the default branches of repositories, chosen by an organization owner or security manager for remediation.
+
+You can take part in a security campaign by fixing one or more of the alerts included in the campaign.
+
+## What are the benefits of participating in a campaign
+
+In addition to the benefit of removing an important security problem from your organization's codebase, alerts in a security campaign have several other benefits compared with fixing another alert in your repository.
+
+* You have a campaign manager on the security team to collaborate with and a specific contact link for discussing campaign activities.
+* You know that you are fixing a security alert that is important to the company.
+* Potentially, you may have access to targeted training materials.{% ifversion security-campaigns-autofix %}
+* You don't need to request a {% data variables.product.prodname_copilot_autofix %} suggestion, it is already available as a starting point.{% endif %}{% ifversion copilot %}
+* If you have access to {% data variables.product.prodname_copilot_chat %}, you can ask questions about the alert and the suggested fix.{% endif %}
+* You are improving and demonstrating your knowledge of secure coding.
+
+Adopting a few key best practices can help you participate successfully in a campaign.
+
+## Stay informed
+
+### Notification settings
+
+To receive email updates about security campaigns in repositories you have write access to, make sure that you:
+
+* **Watch** all repositories that you have write access to.
+* **Subscribe** to notifications for "All activity" or "Security alerts".
+
+### View campaign details
+
+When you open the **Security** tab for a repository with one or more campaign alerts, you can see the campaign name in the sidebar of the view. Click the campaign name to see the list of alerts included in the campaign and summary information on how the campaign is progressing.
+
+### Campaign-generated {% data variables.product.prodname_github_issues %}
+
+Some campaigns automatically create {% data variables.product.prodname_github_issues %} for each repository which details the campaign managers, contact URL, and due date.
+
+You can use this issue to plan and track campaign work as part of your usual workflows, such as:
+
+* Adding the issue to project boards
+* Adding assignees
+* Creating sub-issues or tasklists
+
+## Seek context
+
+Your security team may provide you with specific training ahead of participating in a campaign, so that you feel equipped to address the alerts included in the campaign.
+
+If no formal training program is available, you can request that the campaign manager shares information on:
+
+* Types of security vulnerabilities included in the campaign
+* Examples of how to fix them
+* How to test the fixes
+
+In addition, there are external resources for understanding common security issues:
+
+* The **OWASP Foundation** provides many resources for learning about the most common vulnerabilities, see [About the OWASP Foundation](https://owasp.org/about/).
+* The **MITRE Corporation** maintains a detailed list of common weaknesses, see [About CWE](https://cwe.mitre.org/about/index.html).
+
+## Group similar alerts
+
+When fixing security alerts as part of a campaign, it may be helpful to group and fix similar alerts together. By doing so, you can develop a deeper understanding of the underlying issue. As you gain confidence and efficiency in resolving a specific type of alert, it makes it easier and faster for you to resolve subsequent alerts.
+
+{% ifversion copilot %}
+
+## Leverage {% data variables.product.prodname_copilot_short %}
+
+{% ifversion code-scanning-autofix %}
+
+### {% data variables.product.prodname_copilot_autofix_short %}
+
+{% data variables.product.prodname_copilot_autofix_short %} is automatically triggered for alerts that are included in a campaign, meaning that where possible, fixes are automatically generated for you. You can commit the suggested fix to resolve the alert and then verify that continuous integration testing (CI) for the codebase is still passing. See [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/fixing-alerts-in-security-campaign).
+
+### {% data variables.product.prodname_copilot_chat_short %}
+
+{% endif %}
+
+You can ask {% data variables.product.prodname_copilot_chat_short %} for help in understanding the vulnerability, the suggested fix, and how to test that the fix is comprehensive. To access {% data variables.product.prodname_copilot_chat_short %}, navigate to https://github.com/copilot.
+
+Alternatively, when viewing a specific alert, in the top right corner of the page, click the {% data variables.product.prodname_copilot_chat_short %} icon ({% octicon "copilot" aria-hidden="true" %}) to open a chat window, and ask {% data variables.product.prodname_copilot_short %} questions about the alert.
+
+For example:
+
+   ```text copy
+
+   Explain how this alert introduces a vulnerability into the code.
+
+   ```
+
+If you don't already have access to {% data variables.product.prodname_copilot_chat_short %} through your organization{% ifversion ghec %} or enterprise{% endif %}, you can sign up to {% data variables.product.prodname_copilot_free %}. For more information, see [AUTOTITLE](/copilot/managing-copilot/managing-copilot-as-an-individual-subscriber/managing-copilot-free/accessing-github-copilot-free).
+
+{% endif %}
+
+## Ask questions
+
+A security campaign will generally include a contact URL, which might link you to the campaign manager, an open forum (such as a {% data variables.product.github %} Discussion), or a website of resources. You should use this space to ask questions about the campaign or specific alerts, find useful resources, and share knowledge.
+
+To find the contact URL:
+
+1. Open the **Security** tab for your repository.
+1. On the left sidebar, click the name of the campaign you are participating in.
+1. On the campaign tracking page, to the right of the campaign manager's name, click **{% octicon "comment" aria-hidden="true" %}**.
+
+## Next steps
+
+* [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/fixing-alerts-in-security-campaign)

content/code-security/code-scanning/managing-code-scanning-alerts/fixing-alerts-in-security-campaign.md

@@ -1,7 +1,7 @@
 ---
 title: Fixing alerts in a security campaign
 shortTitle: Fix alerts in campaign
-intro: 'Learn how you can take part in a security campaign and how it can benefit your career as well as your code.'
+intro: 'Learn how to find and fix alerts in a security campaign.'
 allowTitleToDifferFromFilename: true
 permissions: '{% data reusables.permissions.code-scanning-all-alerts %}'
 product: '{% data reusables.gated-features.security-campaigns %}'
@@ -14,32 +14,14 @@ topics:
   - Alerts
   - Repositories
 ---
-{% data reusables.security-campaigns.preview-note %}
-
-## What is a security campaign
-
-A security campaign is a group of security alerts, detected in the default branches of repositories, chosen by an organization owner or security manager for remediation. When a security campaign is created with alerts in repositories that you have write access to, you are notified if you subscribe to email notifications for "All activity" or "Security alerts". In addition, when you open the **Security** tab for a repository with one or more campaign alerts, you can see the campaign name in the sidebar of the view.
-
-You can take part in a security campaign by fixing one or more of the alerts chosen for the campaign.
-
-## What are the benefits of fixing alerts in a campaign
-
-In addition to the benefit of removing an important security problem from your code, alerts in a security campaign have several other benefits compared with fixing another alert in your repository.
-
-* You have a campaign manager on the security team to collaborate with and a specific contact link for discussing campaign activities.
-* You know that you are fixing a security alert that is important to the company.
-* Potentially, you may have access to targeted training materials.{% ifversion security-campaigns-autofix %}
-* You don't need to request a {% data variables.product.prodname_copilot_autofix %} suggestion, it is already available as a starting point.{% endif %}{% ifversion copilot %}
-* If you have access to {% data variables.product.prodname_copilot_chat %}, you can ask questions about the alert and the suggested fix.{% endif %}
-* You are improving and demonstrating your knowledge of secure coding.
 
 ## Viewing alerts in a security campaign
 
 When a campaign targets security alerts in a repository that you have write access to, you can navigate to the list of repository alerts in the campaign.
 
-* Display the **Security** tab for the repository and click one of the campaigns under the "Campaigns" title in the sidebar.
+* Display the **Security** tab for the repository and click one of the campaigns under "Campaigns" in the sidebar.
 * If you have enabled email notifications for "All activity" or "Security alerts" in the repository, click **View security campaign** in the campaign email.
-* If you have write access to more than one repository in the organization, display the **Security** tab for the organization and click one of the campaigns under the "Campaigns" title in the sidebar.
+* If you have write access to more than one repository in the organization, display the **Security** tab for the organization and click one of the campaigns under "Campaigns" in the sidebar.
 
 This view shows the alerts in the current repository for a campaign called "SQL injection (CWE-89)" (highlighted gray) that is managed by "octocat" (outlined in dark orange).
 
@@ -69,10 +51,6 @@ If you want to see the code that triggered the security alert and the suggested
 
 If you have access to {% data variables.product.prodname_copilot_chat_short %} then you can ask the AI questions about the vulnerability, the suggested fix, and how to test that the fix is comprehensive.
 
-To get the most out of {% data variables.product.prodname_copilot_chat_short %} when you're working with alerts, you should explicitly ask {% data variables.product.prodname_copilot_chat_short %} to use the {% data variables.product.prodname_GH_advanced_security %} skill to answer your questions.
-
-For example: "Use the {% data variables.product.prodname_GH_advanced_security %} skill to explain how this alert introduces a vulnerability into the code."
-
 > [!TIP]
 > {% data reusables.copilot.semantic-index-info %}
 

content/code-security/code-scanning/managing-code-scanning-alerts/index.md

@@ -17,6 +17,7 @@ children:
   - /disabling-autofix-for-code-scanning
   - /assessing-code-scanning-alerts-for-your-repository
   - /resolving-code-scanning-alerts
+  - /best-practices-for-participating-in-a-security-campaign
   - /fixing-alerts-in-security-campaign
   - /triaging-code-scanning-alerts-in-pull-requests
   - /tracking-code-scanning-alerts-in-issues-using-task-lists

content/code-security/securing-your-organization/fixing-security-alerts-at-scale/about-security-campaigns.md

@@ -15,8 +15,6 @@ topics:
 
 Once you have identified security alerts in the default branches of your repositories, the next step is to identify the most urgent alerts and get them fixed. Security campaigns are a way to group alerts and share them with developers, so you can collaborate to remediate vulnerabilities in the code.
 
-{% data reusables.security-campaigns.preview-note %}
-
 ## Security campaigns in your day-to-day work
 
 You can use security campaigns to support many of your aims as a security leader.
@@ -30,14 +28,16 @@ You can use security campaigns to support many of your aims as a security leader
 
 A security campaign has many benefits over other ways of encouraging developers to remediate security alerts. In particular,
 
-* Developers are notified about any security campaigns taking place in repositories they work in or subscribe to (by email during the {% data variables.release-phases.public_preview %}).
+* Developers are notified about any security campaigns taking place in repositories they work in or subscribe to by email.
 * Developers can see the alerts you've highlighted for remediation without leaving their normal workflows.
 * Each campaign has a named point of contact for questions, reviews, and collaboration.  {% ifversion security-campaigns-autofix %}
 * {% data variables.product.prodname_copilot_autofix %} is automatically triggered to suggest a resolution for each security alert. {% endif %}
 
-In addition, you can use one of the templates to select a group of closely related alerts for a campaign. This allows developers to build on the knowledge gained by resolving one alert and use it to fix several more, providing them with an incentive to fix multiple alerts.
+You can use one of the templates to select a group of closely related alerts for a campaign. This allows developers to build on the knowledge gained by resolving one alert and use it to fix several more, providing them with an incentive to fix multiple alerts.
+
+{% data reusables.code-scanning.campaigns-api %}
 
 ## Next steps
 
 * [AUTOTITLE](/code-security/securing-your-organization/fixing-security-alerts-at-scale/best-practice-fix-alerts-at-scale)
-* [AUTOTITLE](/code-security/securing-your-organization/fixing-security-alerts-at-scale/creating-tracking-security-campaigns)
+* [AUTOTITLE](/code-security/securing-your-organization/fixing-security-alerts-at-scale/creating-managing-security-campaigns)