From 0232c01fa4326eef55fe3bf9521da3dcae65bec2 Mon Sep 17 00:00:00 2001 From: Kevin Heis Date: Thu, 10 Apr 2025 08:29:51 -0700 Subject: [PATCH 1/8] Update ownership.yaml --- ownership.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ownership.yaml b/ownership.yaml index 7bd7a4475cb4..9486ed8bc58b 100644 --- a/ownership.yaml +++ b/ownership.yaml @@ -1,7 +1,7 @@ --- version: 1 ownership: - - team: github/docs-engineering + - team: github/docs repo: https://github.com/github/docs-internal name: docs-internal kind: moda From 6d7dd81c7fd7424d629293a8a8c905ae6dbc5d0d Mon Sep 17 00:00:00 2001 From: Larissa Fortuna <56982181+lkfortuna@users.noreply.github.com> Date: Thu, 10 Apr 2025 08:25:08 -0700 Subject: [PATCH 2/8] W25 and Macos15 GA (#55117) Co-authored-by: Sophie <29382425+sophietheking@users.noreply.github.com> Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com> --- data/reusables/actions/supported-github-runners.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/data/reusables/actions/supported-github-runners.md b/data/reusables/actions/supported-github-runners.md index 1a4e57921507..69224180c3e3 100644 --- a/data/reusables/actions/supported-github-runners.md +++ b/data/reusables/actions/supported-github-runners.md @@ -35,7 +35,7 @@ For public repositories, jobs using the workflow labels shown in the table below x64 windows-latest, - windows-2025[{% data variables.release-phases.public_preview_caps %}], + windows-2025, windows-2022, windows-2019 @@ -70,7 +70,7 @@ For public repositories, jobs using the workflow labels shown in the table below macos-latest, macos-14, - macos-15 [{% data variables.release-phases.public_preview_caps %}] + macos-15 @@ -116,7 +116,7 @@ For {% ifversion ghec %}internal and{% endif %} private repositories, jobs using x64 windows-latest, - windows-2025[{% data variables.release-phases.public_preview_caps %}], + windows-2025, windows-2022, windows-2019 @@ -140,7 +140,7 @@ For {% ifversion ghec %}internal and{% endif %} private repositories, jobs using macos-latest, macos-14, - macos-15 [{% data variables.release-phases.public_preview_caps %}] + macos-15 From cf2975559de5c774bb4bf72544086ceca9d90654 Mon Sep 17 00:00:00 2001 From: Ben Ahmady <32935794+subatoi@users.noreply.github.com> Date: Thu, 10 Apr 2025 16:55:12 +0100 Subject: [PATCH 3/8] Scannability: 'About self-hosted runners' article (#54175) Co-authored-by: Kevin Heis Co-authored-by: Siara <108543037+SiaraMist@users.noreply.github.com> --- ...usage-limits-billing-and-administration.md | 4 +- .../about-actions-runner-controller.md | 3 +- .../about-self-hosted-runners.md | 214 ++---------------- .../adding-self-hosted-runners.md | 5 +- .../communicating-with-self-hosted-runners.md | 81 +++++++ .../managing-self-hosted-runners/index.md | 3 + ...and-troubleshooting-self-hosted-runners.md | 2 +- ...erating-systems-for-self-hosted-runners.md | 40 ++++ .../usage-limits-for-self-hosted-runners.md | 18 ++ ...using-self-hosted-runners-in-a-workflow.md | 4 + .../security-hardening-for-github-actions.md | 2 +- .../workflow-syntax-for-github-actions.md | 4 +- .../network-ports.md | 2 +- ...self-hosted-runners-for-your-enterprise.md | 2 +- ...ucing-github-actions-to-your-enterprise.md | 2 +- .../about-billing-for-github-actions.md | 2 +- .../actions/azure-vnet-procedures-prereqs.md | 2 +- .../ip-allow-list-self-hosted-runners.md | 2 +- .../jobs/section-using-jobs-in-a-workflow.md | 2 +- .../reusables/actions/oidc-further-reading.md | 4 +- .../actions/self-hosted-runner-description.md | 1 - .../actions/self-hosted-runner-locations.md | 1 - ...self-hosted-runner-networking-to-dotcom.md | 2 +- .../self-hosted-runner-security-admonition.md | 2 +- ...dependabot-runners-network-requirements.md | 2 +- 25 files changed, 189 insertions(+), 217 deletions(-) create mode 100644 content/actions/hosting-your-own-runners/managing-self-hosted-runners/communicating-with-self-hosted-runners.md create mode 100644 content/actions/hosting-your-own-runners/managing-self-hosted-runners/supported-architectures-and-operating-systems-for-self-hosted-runners.md create mode 100644 content/actions/hosting-your-own-runners/managing-self-hosted-runners/usage-limits-for-self-hosted-runners.md diff --git a/content/actions/administering-github-actions/usage-limits-billing-and-administration.md b/content/actions/administering-github-actions/usage-limits-billing-and-administration.md index c98c46e3c593..07aaf530780d 100644 --- a/content/actions/administering-github-actions/usage-limits-billing-and-administration.md +++ b/content/actions/administering-github-actions/usage-limits-billing-and-administration.md @@ -40,7 +40,7 @@ GitHub Actions usage is free for {% data variables.product.prodname_ghe_server % There are some limits on {% data variables.product.prodname_actions %} usage when using {% data variables.product.prodname_dotcom %}-hosted runners. These limits are subject to change. > [!NOTE] -> For self-hosted runners, different usage limits apply. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners#usage-limits). +> For self-hosted runners, different usage limits apply. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/usage-limits-for-self-hosted-runners). * **Job execution time** - Each job in a workflow can run for up to 6 hours of execution time. If a job reaches this limit, the job is terminated and fails to complete. {% data reusables.actions.usage-workflow-run-time %} @@ -72,7 +72,7 @@ There are some limits on {% data variables.product.prodname_actions %} usage whe {% data reusables.actions.usage-workflow-queue-limits %} {% else %} -Usage limits apply to self-hosted runners. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners#usage-limits). +Usage limits apply to self-hosted runners. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/usage-limits-for-self-hosted-runners). {% endif %} {% ifversion fpt or ghec %} diff --git a/content/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/about-actions-runner-controller.md b/content/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/about-actions-runner-controller.md index 6717dd125c2f..5fd4462e93bb 100644 --- a/content/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/about-actions-runner-controller.md +++ b/content/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/about-actions-runner-controller.md @@ -101,7 +101,8 @@ You can find the definition of ARC's runner image in [this Dockerfile](https://g You can create your own runner image that meets your requirements. Your runner image must fulfill the following conditions. -* Use a base image that can run the self-hosted runner application. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners). +* Use a base image that can run the self-hosted runner application. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners). + * The [runner binary](https://github.com/actions/runner/releases) must be placed under `/home/runner/` and launched using `/home/runner/run.sh`. * If you use Kubernetes mode, the [runner container hooks](https://github.com/actions/runner-container-hooks/releases) must be placed under `/home/runner/k8s`. diff --git a/content/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners.md b/content/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners.md index 3bdf525ad7c9..3e017eef38a7 100644 --- a/content/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners.md +++ b/content/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners.md @@ -12,114 +12,33 @@ versions: type: overview --- -{% data reusables.actions.enterprise-github-hosted-runners %} - ## About self-hosted runners -A self-hosted runner is a system that you deploy and manage to execute jobs from {% data variables.product.prodname_actions %} on {% data variables.product.github %}. For more information about {% data variables.product.prodname_actions %}, see [AUTOTITLE](/actions/learn-github-actions/understanding-github-actions){% ifversion fpt %}."{% elsif ghec or ghes %} and [AUTOTITLE](/admin/github-actions/getting-started-with-github-actions-for-your-enterprise/about-github-actions-for-enterprises).{% endif %} - -{% data reusables.actions.self-hosted-runner-description %} {% data reusables.actions.self-hosted-runner-locations %} - -You can add self-hosted runners at various levels in the management hierarchy: -* Repository-level runners are dedicated to a single repository. -* Organization-level runners can process jobs for multiple repositories in an organization. -* Enterprise-level runners can be assigned to multiple organizations in an enterprise account. - -{% data reusables.actions.self-hosted-runner-architecture %} {% data reusables.actions.runner-app-open-source %} {% ifversion fpt or ghec %} When a new version is released, the runner application automatically updates itself when a job is assigned to the runner, or within a week of release if the runner hasn't been assigned any jobs. {% else ifversion ghes %} When a new version is released, the runner application will automatically update within 24 hours. {% endif %} -{% ifversion ghes %} - -> [!NOTE] -> {% data reusables.actions.upgrade-runners-before-upgrade-ghes %} - -{% endif %} - -{% data reusables.actions.self-hosted-runner-auto-removal %} - -For more information about installing and using self-hosted runners, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/adding-self-hosted-runners) and [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/using-self-hosted-runners-in-a-workflow). - -## Differences between {% data variables.product.prodname_dotcom %}-hosted and self-hosted runners +A self-hosted runner is a system that you deploy and manage to execute jobs from {% data variables.product.prodname_actions %} on {% data variables.product.github %}. -{% data variables.product.prodname_dotcom %}-hosted runners offer a quicker, simpler way to run your workflows, while self-hosted runners are a highly configurable way to run workflows in your own custom environment. +Self-hosted runners: -**{% data variables.product.prodname_dotcom %}-hosted runners:** -* Receive automatic updates for the operating system, preinstalled packages and tools, and the self-hosted runner application. -* Are managed and maintained by {% data variables.product.prodname_dotcom %}. -* Provide a clean instance for every job execution. -* Use free minutes on your {% data variables.product.prodname_dotcom %} plan, with per-minute rates applied after surpassing the free minutes. - -**Self-hosted runners:** -* Receive automatic updates for the self-hosted runner application only, though you may disable automatic updates of the runner. For more information about controlling runner software updates on self-hosted runners, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/autoscaling-with-self-hosted-runners#controlling-runner-software-updates-on-self-hosted-runners). You are responsible for updating the operating system and all other software. +{% ifversion fpt or ghec %} +* Give you more control of hardware, operating system, and software tools than {% data variables.product.prodname_dotcom %}-hosted runners provide.{% endif %} +* Are free to use with {% data variables.product.prodname_actions %}, but you are responsible for the cost of maintaining your runner machines. +* Let you create custom hardware configurations that meet your needs with processing power or memory to run larger jobs, install software available on your local network. +* Receive automatic updates for the self-hosted runner application only, though you may disable automatic updates of the runner. * Can use cloud services or local machines that you already pay for. -* Are customizable to your hardware, operating system, software, and security requirements. -* Don't need to have a clean instance for every job execution. -* Are free to use with {% data variables.product.prodname_actions %}, but you are responsible for the cost of maintaining your runner machines.{% ifversion ghec or ghes %} -* Can be organized into groups to restrict access to specific workflows, organizations, and repositories. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups).{% endif %} +* Don't need to have a clean instance for every job execution.{% ifversion ghec or ghes %} +* Can be organized into groups to restrict access to specific workflows, organizations, and repositories. See [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups).{% endif %} +* Can be physical, virtual, in a container, on-premises, or in a cloud. + +You can use self-hosted runners anywhere in the management hierarchy. Repository-level runners are dedicated to a single repository, while organization-level runners can process jobs for multiple repositories in an organization. Organization owners can choose which repositories are allowed to create repository-level self-hosted runners. See [AUTOTITLE](/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#limiting-the-use-of-self-hosted-runners). Finally, enterprise-level runners can be assigned to multiple organizations in an enterprise account. -## Requirements for self-hosted runner machines +### Requirements for self-hosted runner machines You can use any machine as a self-hosted runner as long at it meets these requirements: -* You can install and run the self-hosted runner application on the machine. For more information, see [Supported architectures and operating systems for self-hosted runners](#supported-architectures-and-operating-systems-for-self-hosted-runners). -* The machine can communicate with {% data variables.product.prodname_actions %}. For more information, see [Communication between self-hosted runners and {% data variables.product.github %}](#communication-between-self-hosted-runners-and-github). +* You can install and run the self-hosted runner application on the machine. +* The machine can communicate with {% data variables.product.prodname_actions %}. * The machine has enough hardware resources for the type of workflows you plan to run. The self-hosted runner application itself only requires minimal resources. * If you want to run workflows that use Docker container actions or service containers, you must use a Linux machine and Docker must be installed. -## Autoscaling your self-hosted runners - -You can automatically increase or decrease the number of self-hosted runners in your environment in response to the webhook events you receive. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/autoscaling-with-self-hosted-runners). - -## Usage limits - -There are some limits on {% data variables.product.prodname_actions %} usage when using self-hosted runners. These limits are subject to change. - -{% ifversion fpt or ghec or ghes > 3.12 %}- **Job execution time** - Each job in a workflow can run for up to 5 days of execution time. If a job reaches this limit, the job is terminated and fails to complete.{% endif %} -{% data reusables.actions.usage-workflow-run-time %} -* **Job queue time** - Each job for self-hosted runners that has been queued for at least 24 hours will be canceled. The actual time in queue can reach up to 48 hours before cancellation occurs. If a self-hosted runner does not start executing the job within this limit, the job is terminated and fails to complete. -{% data reusables.actions.usage-api-requests %} -* **Job matrix** - {% data reusables.actions.usage-matrix-limits %} -{% data reusables.actions.usage-workflow-queue-limits %} -* **Registering self-hosted runners** - You can have a maximum of 10,000 self-hosted runners in one runner group. If this limit is reached, adding a new runner will not be possible. - -## Workflow continuity for self-hosted runners - -{% data reusables.actions.runner-workflow-continuity %} - -## Supported architectures and operating systems for self-hosted runners - -The following operating systems are supported for the self-hosted runner application. - -### Linux - -* Red Hat Enterprise Linux 8 or later -* CentOS 8 or later -* Oracle Linux 8 or later -* Fedora 29 or later -* Debian 10 or later -* Ubuntu 20.04 or later -* Linux Mint 20 or later -* openSUSE 15.2 or later -* SUSE Enterprise Linux (SLES) 15 SP2 or later - -### Windows - -* Windows 10 64-bit -* Windows 11 64-bit -* Windows Server 2016 64-bit -* Windows Server 2019 64-bit -* Windows Server 2022 64-bit - -### macOS - -* macOS 11.0 (Big Sur) or later - -### Architectures - -The following processor architectures are supported for the self-hosted runner application. - -* `x64` - Linux, macOS, Windows. -* `ARM64` - Linux, macOS{% ifversion actions-windows-arm %}, Windows (currently in {% data variables.release-phases.public_preview %}){% endif %}. -* `ARM32` - Linux. - {% ifversion ghes %} ## Supported actions on self-hosted runners @@ -129,101 +48,12 @@ Some extra configuration might be required to use actions from {% data variables {% endif %} - - -## Communication between self-hosted runners and {% data variables.product.github %} - -The self-hosted runner connects to {% ifversion fpt or ghec %}{% data variables.product.github %}{% else %}{% data variables.location.product_location_enterprise %}{% endif %} to receive job assignments and to download new versions of the runner application. The self-hosted runner uses an {% ifversion ghes %}HTTP(S){% else %}HTTPS{% endif %} _long poll_ that opens a connection to {% data variables.product.github %} for 50 seconds, and if no response is received, it then times out and creates a new long poll. The application must be running on the machine to accept and run {% data variables.product.prodname_actions %} jobs. - -{% data reusables.actions.self-hosted-runner-ports-protocols %} - -{% ifversion fpt or ghec %} -Since the self-hosted runner opens a connection to {% data variables.product.github %}, you do not need to allow {% data variables.product.prodname_dotcom %} to make inbound connections to your self-hosted runner. -{% elsif ghes %} -Only an outbound connection from the runner to {% data variables.product.prodname_ghe_server %} is required. There is no need for an inbound connection from {% data variables.product.prodname_ghe_server %} to the runner. -For caching to work, the runner must be able to communicate with the blob storage and directly download content from it. -{%- endif %} - -{% ifversion ghes %} - -{% data variables.product.prodname_ghe_server %} must accept inbound connections from your runners over HTTP(S) at {% data variables.location.product_location %}'s hostname and API subdomain, and your runners must allow outbound connections over HTTP(S) to {% data variables.location.product_location %}'s hostname and API subdomain. - -{% endif %} - -{% ifversion fpt or ghec %} - -You must ensure that the machine has the appropriate network access with at least 70 kilobits per second upload and download speed to communicate with the {% data variables.product.prodname_dotcom %} hosts listed below. Some hosts are required for essential runner operations, while other hosts are only required for certain functionality. - -You can use the REST API to get meta information about {% data variables.product.company_short %}, including the IP addresses of {% data variables.product.company_short %} services. For more information about the domains and IP addresses used, see [AUTOTITLE](/rest/meta/meta). - -{% data reusables.actions.domain-name-cname-recursive-firewall-rules %} - -{% data reusables.actions.runner-essential-communications %} - -In addition, your workflow may require access to other network resources. - -If you use an IP address allow list for your {% data variables.product.prodname_dotcom %} organization or enterprise account, you must add your self-hosted runner's IP address to the allow list. For more information, see [Managing allowed IP addresses for your organization](/{% ifversion fpt %}enterprise-cloud@latest/{% endif %}/organizations/keeping-your-organization-secure/managing-allowed-ip-addresses-for-your-organization#using-github-actions-with-an-ip-allow-list) or [Enforcing policies for security settings in your enterprise](/{% ifversion fpt %}enterprise-cloud@latest/{% endif %}admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-security-settings-in-your-enterprise){% ifversion fpt %} in the {% data variables.product.prodname_ghe_cloud %} documentation.{% else %}.{% endif %} - -{% else %} - -{% ifversion ghes %}Self-hosted runners do not require any external internet access in order to function. As a result, you can use network routing to direct communication between the self-hosted runner and {% data variables.product.prodname_ghe_server %}. For example, you can assign a private IP address to your self-hosted runner and configure routing to send traffic to {% data variables.product.prodname_ghe_server %}, with no need for traffic to traverse a public network.{% endif %} - -{% endif %} - -You can also use self-hosted runners with a proxy server. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/using-a-proxy-server-with-self-hosted-runners). - -For more information about troubleshooting common network connectivity issues, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners#troubleshooting-network-connectivity). - -{% ifversion ghes %} - -## Communication between self-hosted runners and {% data variables.product.prodname_dotcom_the_website %} - -Self-hosted runners do not need to connect to {% data variables.product.prodname_dotcom_the_website %} unless you have enabled automatic access to {% data variables.product.prodname_dotcom_the_website %} actions for {% data variables.product.prodname_ghe_server %}. For more information, see [AUTOTITLE](/admin/github-actions/managing-access-to-actions-from-githubcom/about-using-actions-in-your-enterprise). - -If you have enabled automatic access to {% data variables.product.prodname_dotcom_the_website %} actions, then the self-hosted runner will connect directly to {% data variables.product.prodname_dotcom_the_website %} to download actions. You must ensure that the machine has the appropriate network access to communicate with the {% data variables.product.prodname_dotcom %} URLs listed below. - -```shell copy -github.com -api.github.com -codeload.github.com -pkg.actions.githubusercontent.com -``` - -{% data reusables.actions.domain-name-cname-recursive-firewall-rules %} - -{% endif %} - -## Self-hosted runner security - -{% ifversion fpt or ghec %} - -{% data reusables.actions.self-hosted-runner-security %} - -{% endif %} - -{% ifversion fpt or ghec %} - -This is not an issue with {% data variables.product.prodname_dotcom %}-hosted runners because each {% data variables.product.prodname_dotcom %}-hosted runner is always a clean isolated virtual machine, and it is destroyed at the end of the job execution. - -{% endif %} - -Untrusted workflows running on your self-hosted runner pose significant security risks for your machine and network environment, especially if your machine persists its environment between jobs. Some of the risks include: - -* Malicious programs running on the machine. -* Escaping the machine's runner sandbox. -* Exposing access to the machine's network environment. -* Persisting unwanted or dangerous data on the machine. - -For more information about security hardening for self-hosted runners, see [AUTOTITLE](/actions/security-guides/security-hardening-for-github-actions#hardening-for-self-hosted-runners). - -### Restricting the use of self-hosted runners - -{% data reusables.actions.disable-selfhosted-runners-crossrefs %} - -{% ifversion ghec or ghes %} - ## Further reading -* [AUTOTITLE](/admin/github-actions/getting-started-with-github-actions-for-your-enterprise/getting-started-with-self-hosted-runners-for-your-enterprise) - -{% endif %} +* [AUTOTITLE](/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions) +* [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/adding-self-hosted-runners) +* [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/using-self-hosted-runners-in-a-workflow) +* [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/autoscaling-with-self-hosted-runners){% ifversion ghec or ghes %} +* [AUTOTITLE](/admin/github-actions/getting-started-with-github-actions-for-your-enterprise/getting-started-with-self-hosted-runners-for-your-enterprise){% endif %} +* [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/supported-architectures-and-operating-systems-for-self-hosted-runners) +* [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/communicating-with-self-hosted-runners) diff --git a/content/actions/hosting-your-own-runners/managing-self-hosted-runners/adding-self-hosted-runners.md b/content/actions/hosting-your-own-runners/managing-self-hosted-runners/adding-self-hosted-runners.md index 6e51c2f69e23..5a5aebab5875 100644 --- a/content/actions/hosting-your-own-runners/managing-self-hosted-runners/adding-self-hosted-runners.md +++ b/content/actions/hosting-your-own-runners/managing-self-hosted-runners/adding-self-hosted-runners.md @@ -19,12 +19,10 @@ You can add a self-hosted runner to a repository, an organization, or an enterpr If you are an organization or enterprise administrator, you might want to add your self-hosted runners at the organization or enterprise level. This approach makes the runner available to multiple repositories in your organization or enterprise, and also lets you to manage your runners in one place. -For information on supported operating systems for self-hosted runners, or using self-hosted runners with a proxy server, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners). - > [!WARNING] > {% data reusables.actions.self-hosted-runner-security %} > -> For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners#self-hosted-runner-security-with-public-repositories). +> For more information, see [AUTOTITLE](/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions). You can set up automation to scale the number of self-hosted runners. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/autoscaling-with-self-hosted-runners). @@ -105,6 +103,7 @@ For more information on changing runner group access settings, see [AUTOTITLE](/ ## Further reading +* [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners) * [AUTOTITLE](/admin/github-actions/getting-started-with-github-actions-for-your-enterprise/getting-started-with-self-hosted-runners-for-your-enterprise) {% endif %} diff --git a/content/actions/hosting-your-own-runners/managing-self-hosted-runners/communicating-with-self-hosted-runners.md b/content/actions/hosting-your-own-runners/managing-self-hosted-runners/communicating-with-self-hosted-runners.md new file mode 100644 index 000000000000..29ac04bacafd --- /dev/null +++ b/content/actions/hosting-your-own-runners/managing-self-hosted-runners/communicating-with-self-hosted-runners.md @@ -0,0 +1,81 @@ +--- +title: Communicating with self-hosted runners +shortTitle: Self-hosted runner communication +intro: 'Your self-hosted runners can communicate with {% ifversion fpt or ghec %}{% data variables.product.github %}{% else %}{% data variables.location.product_location_enterprise %} and {% data variables.product.prodname_dotcom_the_website %}{% endif %}' +versions: + fpt: '*' + ghes: '*' + ghec: '*' +type: overview +--- + +A self-hosted runner connects to {% ifversion fpt or ghec %}{% data variables.product.github %}{% else %}{% data variables.location.product_location_enterprise %}{% endif %} to receive job assignments and to download new versions of the runner application. The self-hosted runner uses an {% ifversion ghes %}HTTP(S){% else %}HTTPS{% endif %} long poll that opens a connection to {% data variables.product.github %} for 50 seconds, and if no response is received, it then times out and creates a new long poll. The application must be running on the machine to accept and run {% data variables.product.prodname_actions %} jobs. + +{% data reusables.actions.runner-app-open-source %} {% ifversion fpt or ghec %} When a new version is released, the runner application automatically updates itself when a job is assigned to the runner, or within a week of release if the runner hasn't been assigned any jobs. {% else ifversion ghes %} When a new version is released, the runner application will automatically update within 24 hours. {% endif %} +{% ifversion ghes %} + +> [!NOTE] +> {% data reusables.actions.upgrade-runners-before-upgrade-ghes %} + +{% endif %} + +{% data reusables.actions.self-hosted-runner-auto-removal %} + +{% data reusables.actions.self-hosted-runner-ports-protocols %} + +{% ifversion fpt or ghec %} +Since the self-hosted runner opens a connection to {% data variables.product.github %}, you do not need to allow {% data variables.product.prodname_dotcom %} to make inbound connections to your self-hosted runner. +{% elsif ghes %} +Only an outbound connection from the runner to {% data variables.product.prodname_ghe_server %} is required. There is no need for an inbound connection from {% data variables.product.prodname_ghe_server %} to the runner. +For caching to work, the runner must be able to communicate with the blob storage and directly download content from it. +{%- endif %} + +{% ifversion ghes %} + +{% data variables.product.prodname_ghe_server %} must accept inbound connections from your runners over HTTP(S) at {% data variables.location.product_location %}'s hostname and API subdomain, and your runners must allow outbound connections over HTTP(S) to {% data variables.location.product_location %}'s hostname and API subdomain. + +{% endif %} + +{% ifversion fpt or ghec %} + +You must ensure that the machine has the appropriate network access with at least 70 kilobits per second upload and download speed to communicate with the {% data variables.product.prodname_dotcom %} hosts listed below. Some hosts are required for essential runner operations, while other hosts are only required for certain functionality. + +You can use the REST API to get meta information about {% data variables.product.company_short %}, including the IP addresses of {% data variables.product.company_short %} services. See [AUTOTITLE](/rest/meta/meta). + +{% data reusables.actions.domain-name-cname-recursive-firewall-rules %} + +{% data reusables.actions.runner-essential-communications %} + +In addition, your workflow may require access to other network resources. + +If you use an IP address allow list for your {% data variables.product.prodname_dotcom %} organization or enterprise account, you must add your self-hosted runner's IP address to the allow list. See [Managing allowed IP addresses for your organization](/{% ifversion fpt %}enterprise-cloud@latest/{% endif %}/organizations/keeping-your-organization-secure/managing-allowed-ip-addresses-for-your-organization#using-github-actions-with-an-ip-allow-list) or [Enforcing policies for security settings in your enterprise](/{% ifversion fpt %}enterprise-cloud@latest/{% endif %}admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-security-settings-in-your-enterprise){% ifversion fpt %} in the {% data variables.product.prodname_ghe_cloud %} documentation.{% else %}.{% endif %} + +{% else %} + +{% ifversion ghes %}Self-hosted runners do not require any external internet access in order to function. As a result, you can use network routing to direct communication between the self-hosted runner and {% data variables.product.prodname_ghe_server %}. For example, you can assign a private IP address to your self-hosted runner and configure routing to send traffic to {% data variables.product.prodname_ghe_server %}, with no need for traffic to traverse a public network.{% endif %} + +{% endif %} + +{% ifversion ghes %} + +## Communication between self-hosted runners and {% data variables.product.prodname_dotcom_the_website %} + +Self-hosted runners do not need to connect to {% data variables.product.prodname_dotcom_the_website %} unless you have enabled automatic access to {% data variables.product.prodname_dotcom_the_website %} actions for {% data variables.product.prodname_ghe_server %}. For more information, see [AUTOTITLE](/admin/github-actions/managing-access-to-actions-from-githubcom/about-using-actions-in-your-enterprise). + +If you have enabled automatic access to {% data variables.product.prodname_dotcom_the_website %} actions, then the self-hosted runner will connect directly to {% data variables.product.prodname_dotcom_the_website %} to download actions. You must ensure that the machine has the appropriate network access to communicate with the {% data variables.product.prodname_dotcom %} URLs listed below. + +```shell copy +github.com +api.github.com +codeload.github.com +pkg.actions.githubusercontent.com +``` + +{% data reusables.actions.domain-name-cname-recursive-firewall-rules %} + +{% endif %} + +## Further reading + +* [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/using-a-proxy-server-with-self-hosted-runners) +* [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners#troubleshooting-network-connectivity) diff --git a/content/actions/hosting-your-own-runners/managing-self-hosted-runners/index.md b/content/actions/hosting-your-own-runners/managing-self-hosted-runners/index.md index 0236032f04f7..3bf69ebf202b 100644 --- a/content/actions/hosting-your-own-runners/managing-self-hosted-runners/index.md +++ b/content/actions/hosting-your-own-runners/managing-self-hosted-runners/index.md @@ -8,6 +8,9 @@ versions: ghec: '*' children: - /about-self-hosted-runners + - /communicating-with-self-hosted-runners + - /supported-architectures-and-operating-systems-for-self-hosted-runners + - /usage-limits-for-self-hosted-runners - /adding-self-hosted-runners - /autoscaling-with-self-hosted-runners - /running-scripts-before-or-after-a-job diff --git a/content/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners.md b/content/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners.md index 31f0ba680170..adae1d1a1d38 100644 --- a/content/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners.md +++ b/content/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners.md @@ -71,7 +71,7 @@ config.cmd --check --url https://github.com/YOUR-ORG/YOUR-REPO --pat GHP_ABCD123 The script tests each service, and outputs either a `PASS` or `FAIL` for each one. If you have any failing checks, you can see more details on the problem in the log file for the check. The log files are located in the `_diag` directory where you installed the runner application, and the path of the log file for each check is shown in the console output of the script. -If you have any failing checks, you should also verify that your self-hosted runner machine meets all the communication requirements. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners#communication-requirements). +If you have any failing checks, you should also verify that your self-hosted runner machine meets all the communication requirements. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/communicating-with-self-hosted-runners). ### Disabling TLS certificate verification diff --git a/content/actions/hosting-your-own-runners/managing-self-hosted-runners/supported-architectures-and-operating-systems-for-self-hosted-runners.md b/content/actions/hosting-your-own-runners/managing-self-hosted-runners/supported-architectures-and-operating-systems-for-self-hosted-runners.md new file mode 100644 index 000000000000..6392f37450a3 --- /dev/null +++ b/content/actions/hosting-your-own-runners/managing-self-hosted-runners/supported-architectures-and-operating-systems-for-self-hosted-runners.md @@ -0,0 +1,40 @@ +--- +title: Supported architectures and operating systems for self-hosted runners +shortTitle: Supported platforms +intro: 'The following processor architectures and operating systems are supported for the self-hosted runner application.' +versions: + fpt: '*' + ghes: '*' + ghec: '*' +type: overview +--- + +## Linux + +* Red Hat Enterprise Linux 8 or later +* CentOS 8 or later +* Oracle Linux 8 or later +* Fedora 29 or later +* Debian 10 or later +* Ubuntu 20.04 or later +* Linux Mint 20 or later +* openSUSE 15.2 or later +* SUSE Enterprise Linux (SLES) 15 SP2 or later + +## Windows + +* Windows 10 64-bit +* Windows 11 64-bit +* Windows Server 2016 64-bit +* Windows Server 2019 64-bit +* Windows Server 2022 64-bit + +## macOS + +* macOS 11.0 (Big Sur) or later + +## Supported processor architectures + +* `x64` - Linux, macOS, Windows. +* `ARM64` - Linux, macOS{% ifversion actions-windows-arm %}, Windows (currently in {% data variables.release-phases.public_preview %}){% endif %}. +* `ARM32` - Linux. diff --git a/content/actions/hosting-your-own-runners/managing-self-hosted-runners/usage-limits-for-self-hosted-runners.md b/content/actions/hosting-your-own-runners/managing-self-hosted-runners/usage-limits-for-self-hosted-runners.md new file mode 100644 index 000000000000..a79bb96dd145 --- /dev/null +++ b/content/actions/hosting-your-own-runners/managing-self-hosted-runners/usage-limits-for-self-hosted-runners.md @@ -0,0 +1,18 @@ +--- +title: Usage limits for self-hosted runners +shortTitle: Usage limits +intro: 'There are some limits on {% data variables.product.prodname_actions %} usage when using self-hosted runners. These limits are subject to change.' +versions: + fpt: '*' + ghes: '*' + ghec: '*' +type: overview +--- + +{% ifversion fpt or ghec or ghes > 3.12 %}- **Job execution time** - Each job in a workflow can run for up to 5 days of execution time. If a job reaches this limit, the job is terminated and fails to complete.{% endif %} +{% data reusables.actions.usage-workflow-run-time %} +* **Job queue time** - Each job for self-hosted runners that has been queued for at least 24 hours will be canceled. The actual time in queue can reach up to 48 hours before cancellation occurs. If a self-hosted runner does not start executing the job within this limit, the job is terminated and fails to complete. +{% data reusables.actions.usage-api-requests %} +* **Job matrix** - {% data reusables.actions.usage-matrix-limits %} +{% data reusables.actions.usage-workflow-queue-limits %} +* **Registering self-hosted runners** - You can have a maximum of 10,000 self-hosted runners in one runner group. If this limit is reached, adding a new runner will not be possible. diff --git a/content/actions/hosting-your-own-runners/managing-self-hosted-runners/using-self-hosted-runners-in-a-workflow.md b/content/actions/hosting-your-own-runners/managing-self-hosted-runners/using-self-hosted-runners-in-a-workflow.md index 0e64a9ed9e9e..4c7c0d644627 100644 --- a/content/actions/hosting-your-own-runners/managing-self-hosted-runners/using-self-hosted-runners-in-a-workflow.md +++ b/content/actions/hosting-your-own-runners/managing-self-hosted-runners/using-self-hosted-runners-in-a-workflow.md @@ -107,3 +107,7 @@ When routing a job to a self-hosted runner, {% data variables.product.prodname_d * If the runner doesn't pick up the assigned job within 60 seconds, the job is re-queued so that a new runner can accept it. * If {% data variables.product.prodname_dotcom %} doesn't find an online and idle runner that matches the job's `runs-on` labels and groups, then the job will remain queued until a runner comes online. * If the job remains queued for more than 24 hours, the job will fail. + +## Workflow run continuity + +{% data reusables.actions.runner-workflow-continuity %} diff --git a/content/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions.md b/content/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions.md index 38e1d626e274..8a42702dca8f 100644 --- a/content/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions.md +++ b/content/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions.md @@ -340,7 +340,7 @@ For third-party images, such as the images for ARM-powered runners, you can find {% ifversion fpt or ghec %}**Self-hosted**{% elsif ghes %}Self-hosted{% endif %} runners for {% data variables.product.github %} do not have guarantees around running in ephemeral clean virtual machines, and can be persistently compromised by untrusted code in a workflow. -{% ifversion fpt or ghec %}As a result, self-hosted runners should almost [never be used for public repositories](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners#self-hosted-runner-security) on {% data variables.product.github %}, because any user can open pull requests against the repository and compromise the environment. Similarly, be{% elsif ghes %}Be{% endif %} cautious when using self-hosted runners on private or internal repositories, as anyone who can fork the repository and open a pull request (generally those with read access to the repository) are able to compromise the self-hosted runner environment, including gaining access to secrets and the `GITHUB_TOKEN` which, depending on its settings, can grant write access to the repository. Although workflows can control access to environment secrets by using environments and required reviews, these workflows are not run in an isolated environment and are still susceptible to the same risks when run on a self-hosted runner. +{% ifversion fpt or ghec %}As a result, self-hosted runners should almost [never be used for public repositories](/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions) on {% data variables.product.github %}, because any user can open pull requests against the repository and compromise the environment. Similarly, be{% elsif ghes %}Be{% endif %} cautious when using self-hosted runners on private or internal repositories, as anyone who can fork the repository and open a pull request (generally those with read access to the repository) are able to compromise the self-hosted runner environment, including gaining access to secrets and the `GITHUB_TOKEN` which, depending on its settings, can grant write access to the repository. Although workflows can control access to environment secrets by using environments and required reviews, these workflows are not run in an isolated environment and are still susceptible to the same risks when run on a self-hosted runner. {% data reusables.actions.disable-selfhosted-runners-crossrefs %} diff --git a/content/actions/writing-workflows/workflow-syntax-for-github-actions.md b/content/actions/writing-workflows/workflow-syntax-for-github-actions.md index 40afb8c36b74..3b0be3f0ed03 100644 --- a/content/actions/writing-workflows/workflow-syntax-for-github-actions.md +++ b/content/actions/writing-workflows/workflow-syntax-for-github-actions.md @@ -416,7 +416,7 @@ jobs: A job contains a sequence of tasks called `steps`. Steps can run commands, run setup tasks, or run an action in your repository, a public repository, or an action published in a Docker registry. Not all steps run actions, but all actions run as a step. Each step runs in its own process in the runner environment and has access to the workspace and filesystem. Because steps run in their own process, changes to environment variables are not preserved between steps. {% data variables.product.prodname_dotcom %} provides built-in steps to set up and complete a job. -{% data variables.product.prodname_dotcom %} only displays the first 1,000 checks, however, you can run an unlimited number of steps as long as you are within the workflow usage limits. For more information, see [AUTOTITLE](/actions/learn-github-actions/usage-limits-billing-and-administration) for {% data variables.product.prodname_dotcom %}-hosted runners and [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners#usage-limits) for self-hosted runner usage limits. +{% data variables.product.prodname_dotcom %} only displays the first 1,000 checks, however, you can run an unlimited number of steps as long as you are within the workflow usage limits. For more information, see [AUTOTITLE](/actions/learn-github-actions/usage-limits-billing-and-administration) for {% data variables.product.prodname_dotcom %}-hosted runners and [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/usage-limits-for-self-hosted-runners) for self-hosted runner usage limits. ### Example of `jobs..steps` @@ -876,7 +876,7 @@ Fractional values are not supported. `timeout-minutes` must be a positive intege The maximum number of minutes to let a job run before {% data variables.product.prodname_dotcom %} automatically cancels it. Default: 360 -If the timeout exceeds the job execution time limit for the runner, the job will be canceled when the execution time limit is met instead. For more information about job execution time limits, see [AUTOTITLE](/actions/learn-github-actions/usage-limits-billing-and-administration#usage-limits) for {% data variables.product.prodname_dotcom %}-hosted runners and [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners#usage-limits) for self-hosted runner usage limits. +If the timeout exceeds the job execution time limit for the runner, the job will be canceled when the execution time limit is met instead. For more information about job execution time limits, see [AUTOTITLE](/actions/learn-github-actions/usage-limits-billing-and-administration#usage-limits) for {% data variables.product.prodname_dotcom %}-hosted runners and [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/usage-limits-for-self-hosted-runners) for self-hosted runner usage limits. > [!NOTE] > {% data reusables.actions.github-token-expiration %} For self-hosted runners, the token may be the limiting factor if the job timeout is greater than 24 hours. For more information on the `GITHUB_TOKEN`, see [AUTOTITLE](/actions/security-guides/automatic-token-authentication#about-the-github_token-secret). diff --git a/content/admin/configuring-settings/configuring-network-settings/network-ports.md b/content/admin/configuring-settings/configuring-network-settings/network-ports.md index b394e26e0975..00df981a606d 100644 --- a/content/admin/configuring-settings/configuring-network-settings/network-ports.md +++ b/content/admin/configuring-settings/configuring-network-settings/network-ports.md @@ -56,7 +56,7 @@ Email ports must be accessible directly or via relay for inbound email support f ## {% data variables.product.prodname_actions %} ports -{% data variables.product.prodname_actions %} ports must be accessible for self-hosted runners to connect to {% data variables.location.product_location %}. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners#communication-between-self-hosted-runners-and-github-enterprise-server). +{% data variables.product.prodname_actions %} ports must be accessible for self-hosted runners to connect to {% data variables.location.product_location %}. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/communicating-with-self-hosted-runners). | Port | Service | Description | |---|---|---| diff --git a/content/admin/managing-github-actions-for-your-enterprise/getting-started-with-github-actions-for-your-enterprise/getting-started-with-self-hosted-runners-for-your-enterprise.md b/content/admin/managing-github-actions-for-your-enterprise/getting-started-with-github-actions-for-your-enterprise/getting-started-with-self-hosted-runners-for-your-enterprise.md index a6607075c18e..de863c54c797 100644 --- a/content/admin/managing-github-actions-for-your-enterprise/getting-started-with-github-actions-for-your-enterprise/getting-started-with-self-hosted-runners-for-your-enterprise.md +++ b/content/admin/managing-github-actions-for-your-enterprise/getting-started-with-github-actions-for-your-enterprise/getting-started-with-self-hosted-runners-for-your-enterprise.md @@ -83,7 +83,7 @@ You can create a runner group to manage access to the runner that you added to y > [!WARNING] > {% data reusables.actions.self-hosted-runner-security %} > - > For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners#self-hosted-runner-security-with-public-repositories). + > For more information, see [AUTOTITLE](/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions). {% data reusables.actions.create-runner-group %} 1. Click the "Runners" tab. diff --git a/content/admin/managing-github-actions-for-your-enterprise/getting-started-with-github-actions-for-your-enterprise/introducing-github-actions-to-your-enterprise.md b/content/admin/managing-github-actions-for-your-enterprise/getting-started-with-github-actions-for-your-enterprise/introducing-github-actions-to-your-enterprise.md index c9a4a4588297..b82ec5ad7b73 100644 --- a/content/admin/managing-github-actions-for-your-enterprise/getting-started-with-github-actions-for-your-enterprise/introducing-github-actions-to-your-enterprise.md +++ b/content/admin/managing-github-actions-for-your-enterprise/getting-started-with-github-actions-for-your-enterprise/introducing-github-actions-to-your-enterprise.md @@ -90,7 +90,7 @@ You may need to upgrade the CPU and memory resources for {% data variables.locat {% data variables.product.prodname_actions %} workflows require runners.{% ifversion ghec %} You can choose to use {% data variables.product.prodname_dotcom %}-hosted runners or self-hosted runners. {% data variables.product.company_short %} manages maintenance and upgrades for {% data variables.product.prodname_dotcom %}-hosted runners. For more information, see [AUTOTITLE](/actions/using-github-hosted-runners/about-github-hosted-runners). -To manage your own resources, configuration, or geographic location of your runner machines, use self hosted runners. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners). +To manage your own resources, configuration, or geographic location of your runner machines, use self-hosted runners. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners). If you want more control over the networking policies for your runners, use self-hosted runners or private networking options for {% data variables.product.prodname_dotcom %}-hosted runners. For more information about private networking options, see [AUTOTITLE](/actions/using-github-hosted-runners/connecting-to-a-private-network/about-private-networking-with-github-hosted-runners).{% else %} You will need to host your own runners by installing the {% data variables.product.prodname_actions %} self-hosted runner application on your own machines. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners).{% endif %} diff --git a/content/billing/managing-billing-for-your-products/managing-billing-for-github-actions/about-billing-for-github-actions.md b/content/billing/managing-billing-for-your-products/managing-billing-for-github-actions/about-billing-for-github-actions.md index 782f23c51fe5..2018cfe34039 100644 --- a/content/billing/managing-billing-for-your-products/managing-billing-for-github-actions/about-billing-for-github-actions.md +++ b/content/billing/managing-billing-for-your-products/managing-billing-for-github-actions/about-billing-for-github-actions.md @@ -117,7 +117,7 @@ Jobs that run on Windows and macOS runners that {% data variables.product.prodna #### Points to note about rates for runners -* The number of jobs you can run concurrently across all repositories in your user or organization account depends on your {% data variables.product.prodname_dotcom %} plan. For more information, see [AUTOTITLE](/actions/learn-github-actions/usage-limits-billing-and-administration) for {% data variables.product.prodname_dotcom %}-hosted runners and [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners#usage-limits) for self-hosted runner usage limits. +* The number of jobs you can run concurrently across all repositories in your user or organization account depends on your {% data variables.product.prodname_dotcom %} plan. For more information, see [AUTOTITLE](/actions/learn-github-actions/usage-limits-billing-and-administration) for {% data variables.product.prodname_dotcom %}-hosted runners and [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/usage-limits-for-self-hosted-runners) for self-hosted runner usage limits. * {% data reusables.user-settings.context_switcher %} * {% data reusables.actions.larger-runner-permissions %} * {% data reusables.actions.about-larger-runners-billing %} diff --git a/data/reusables/actions/azure-vnet-procedures-prereqs.md b/data/reusables/actions/azure-vnet-procedures-prereqs.md index 789759d78058..b625ac5d6476 100644 --- a/data/reusables/actions/azure-vnet-procedures-prereqs.md +++ b/data/reusables/actions/azure-vnet-procedures-prereqs.md @@ -15,7 +15,7 @@ You will use a script to automate configuring your Azure resources. If you use {% data variables.enterprise.data_residency %}, in the `AllowOutBoundGitHub` section, you must also include the ingress IP ranges for {% data variables.enterprise.data_residency_site %}. See [AUTOTITLE](/admin/data-residency/network-details-for-ghecom#ranges-for-ingress-traffic). > [!NOTE] - > As an alternative to using the following file, to allow {% data variables.product.prodname_actions %} to communicate with the runners, you can allow the same firewall domains that are required for communication between self-hosted runners and {% data variables.product.github %}. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners#communication-between-self-hosted-runners-and-github-enterprise-cloud). To determine the appropriate subnet IP address range, we recommend adding a 30% buffer to the maximum job concurrency you anticipate. For instance, if your network configuration's runners are set to a maximum job concurrency of 300, it's recommended to utilize a subnet IP address range that can accommodate at least 390 runners. This buffer helps ensure that your network can handle unexpected increases in VM needs to meet job concurrency without running out of IP addresses. + > As an alternative to using the following file, to allow {% data variables.product.prodname_actions %} to communicate with the runners, you can allow the same firewall domains that are required for communication between self-hosted runners and {% data variables.product.github %}. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/communicating-with-self-hosted-runners). To determine the appropriate subnet IP address range, we recommend adding a 30% buffer to the maximum job concurrency you anticipate. For instance, if your network configuration's runners are set to a maximum job concurrency of 300, it's recommended to utilize a subnet IP address range that can accommodate at least 390 runners. This buffer helps ensure that your network can handle unexpected increases in VM needs to meet job concurrency without running out of IP addresses. ```bicep copy @description('NSG for outbound rules') diff --git a/data/reusables/actions/ip-allow-list-self-hosted-runners.md b/data/reusables/actions/ip-allow-list-self-hosted-runners.md index 3282b0f1d08d..89fb185a43be 100644 --- a/data/reusables/actions/ip-allow-list-self-hosted-runners.md +++ b/data/reusables/actions/ip-allow-list-self-hosted-runners.md @@ -1,4 +1,4 @@ > [!WARNING] -> If you use an IP allow list and would also like to use {% data variables.product.prodname_actions %}, you must use self-hosted runners{% ifversion actions-hosted-runners %} or {% data variables.product.prodname_dotcom %}-hosted larger runners with static IP address ranges{% endif %}. When using [Azure private networking](/admin/configuration/configuring-private-networking-for-hosted-compute-products/about-azure-private-networking-for-github-hosted-runners-in-your-enterprise), IPs from your Azure subnet must be used. To reduce the number of required IPs, we recommend creating a load balancer to provide a single IP range for the GitHub allow list. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners) {% ifversion actions-hosted-runners %} or [AUTOTITLE](/actions/using-github-hosted-runners/using-larger-runners/about-larger-runners){% endif %}. +> If you use an IP allow list and would also like to use {% data variables.product.prodname_actions %}, you must use self-hosted runners{% ifversion actions-hosted-runners %} or {% data variables.product.prodname_dotcom %}-hosted larger runners with static IP address ranges{% endif %}. When using [Azure private networking](/admin/configuration/configuring-private-networking-for-hosted-compute-products/about-azure-private-networking-for-github-hosted-runners-in-your-enterprise), IPs from your Azure subnet must be used. To reduce the number of required IPs, we recommend creating a load balancer to provide a single IP range for the GitHub allow list. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/communicating-with-self-hosted-runners) {% ifversion actions-hosted-runners %} or [AUTOTITLE](/actions/using-github-hosted-runners/using-larger-runners/about-larger-runners){% endif %}. To allow your self-hosted {% ifversion actions-hosted-runners %}or larger hosted{% endif %} runners to communicate with {% data variables.product.prodname_dotcom %}, add the IP address or IP address range of your runners to the IP allow list that you have configured for your enterprise. diff --git a/data/reusables/actions/jobs/section-using-jobs-in-a-workflow.md b/data/reusables/actions/jobs/section-using-jobs-in-a-workflow.md index 229759637fc2..3a6b60c53126 100644 --- a/data/reusables/actions/jobs/section-using-jobs-in-a-workflow.md +++ b/data/reusables/actions/jobs/section-using-jobs-in-a-workflow.md @@ -2,6 +2,6 @@ A workflow run is made up of one or more `jobs`, which run in parallel by defaul Each job runs in a runner environment specified by `runs-on`. -You can run an unlimited number of jobs as long as you are within the workflow usage limits. For more information, see [AUTOTITLE](/actions/learn-github-actions/usage-limits-billing-and-administration) for {% data variables.product.prodname_dotcom %}-hosted runners and [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners#usage-limits) for self-hosted runner usage limits. +You can run an unlimited number of jobs as long as you are within the workflow usage limits. For more information, see [AUTOTITLE](/actions/learn-github-actions/usage-limits-billing-and-administration) for {% data variables.product.prodname_dotcom %}-hosted runners and [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/usage-limits-for-self-hosted-runners) for self-hosted runner usage limits. If you need to find the unique identifier of a job running in a workflow run, you can use the {% data variables.product.github %} API. For more information, see [AUTOTITLE](/rest/actions#workflow-jobs). diff --git a/data/reusables/actions/oidc-further-reading.md b/data/reusables/actions/oidc-further-reading.md index d9db3f4a05f9..fa07e5ddba85 100644 --- a/data/reusables/actions/oidc-further-reading.md +++ b/data/reusables/actions/oidc-further-reading.md @@ -1,4 +1,2 @@ * [AUTOTITLE](/actions/deployment/security-hardening-your-deployments/using-openid-connect-with-reusable-workflows) -{% ifversion fpt %}- [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners#communication-between-self-hosted-runners-and-github){% endif %} -{% ifversion ghec %}- [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners#communication-between-self-hosted-runners-and-github-enterprise-cloud){% endif %} -{% ifversion ghes %}- [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners#communication-between-self-hosted-runners-and-github-enterprise-server){% endif %} +* [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/communicating-with-self-hosted-runners) diff --git a/data/reusables/actions/self-hosted-runner-description.md b/data/reusables/actions/self-hosted-runner-description.md index e865326637b4..e69de29bb2d1 100644 --- a/data/reusables/actions/self-hosted-runner-description.md +++ b/data/reusables/actions/self-hosted-runner-description.md @@ -1 +0,0 @@ -{% ifversion fpt or ghec %}Self-hosted runners offer more control of hardware, operating system, and software tools than {% data variables.product.prodname_dotcom %}-hosted runners provide. {% endif %}With self-hosted runners, you can create custom hardware configurations that meet your needs with processing power or memory to run larger jobs, install software available on your local network, and choose an operating system{% ifversion fpt or ghec %} not offered by {% data variables.product.prodname_dotcom %}-hosted runners{% endif %}. diff --git a/data/reusables/actions/self-hosted-runner-locations.md b/data/reusables/actions/self-hosted-runner-locations.md index 5c52c17b39a1..e69de29bb2d1 100644 --- a/data/reusables/actions/self-hosted-runner-locations.md +++ b/data/reusables/actions/self-hosted-runner-locations.md @@ -1 +0,0 @@ -Self-hosted runners can be physical, virtual, in a container, on-premises, or in a cloud. diff --git a/data/reusables/actions/self-hosted-runner-networking-to-dotcom.md b/data/reusables/actions/self-hosted-runner-networking-to-dotcom.md index 80249f862627..0c376649cd72 100644 --- a/data/reusables/actions/self-hosted-runner-networking-to-dotcom.md +++ b/data/reusables/actions/self-hosted-runner-networking-to-dotcom.md @@ -1 +1 @@ -To use actions from {% data variables.product.prodname_dotcom_the_website %},{% ifversion ghes %} both {% data variables.product.prodname_ghe_server %} and{% endif %} your self-hosted runners must be able to make outbound connections to {% data variables.product.prodname_dotcom_the_website %}. No inbound connections from {% data variables.product.prodname_dotcom_the_website %} are required. For more information. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners#communication-betweens-self-hosted-runners-and-githubcom). +To use actions from {% data variables.product.prodname_dotcom_the_website %},{% ifversion ghes %} both {% data variables.product.prodname_ghe_server %} and{% endif %} your self-hosted runners must be able to make outbound connections to {% data variables.product.prodname_dotcom_the_website %}. No inbound connections from {% data variables.product.prodname_dotcom_the_website %} are required. For more information. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/communicating-with-self-hosted-runners#communication-between-self-hosted-runners-and-githubcom). diff --git a/data/reusables/actions/self-hosted-runner-security-admonition.md b/data/reusables/actions/self-hosted-runner-security-admonition.md index d5e9f7eaa109..234b0b521227 100644 --- a/data/reusables/actions/self-hosted-runner-security-admonition.md +++ b/data/reusables/actions/self-hosted-runner-security-admonition.md @@ -1,4 +1,4 @@ > [!WARNING] > {% data reusables.actions.self-hosted-runner-security %} > -> For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners#self-hosted-runner-security-with-public-repositories). +> For more information, see [AUTOTITLE](/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions). diff --git a/data/reusables/dependabot/dependabot-runners-network-requirements.md b/data/reusables/dependabot/dependabot-runners-network-requirements.md index 443c054f21c5..b3bef9c1f943 100644 --- a/data/reusables/dependabot/dependabot-runners-network-requirements.md +++ b/data/reusables/dependabot/dependabot-runners-network-requirements.md @@ -1,6 +1,6 @@ {% data variables.product.prodname_dependabot %} runners require access to the public internet, {% data variables.product.prodname_dotcom_the_website %}, and any internal registries that will be used in {% data variables.product.prodname_dependabot_updates %}. To minimize the risk to your internal network, you should limit access from the Virtual Machine (VM) to your internal network. This reduces the potential for damage to internal systems if a runner were to download a hijacked dependency. {% ifversion fpt or ghec %} -You must also allow outbound traffic to `dependabot-actions.githubapp.com` to prevent the jobs for {% data variables.product.prodname_dependabot_security_updates %} from failing. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners#communication-between-self-hosted-runners-and-github). +You must also allow outbound traffic to `dependabot-actions.githubapp.com` to prevent the jobs for {% data variables.product.prodname_dependabot_security_updates %} from failing. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/communicating-with-self-hosted-runners). {% endif %} From 985410fff8d77df0051ca86d7c06509be5033378 Mon Sep 17 00:00:00 2001 From: Taylor Reis Date: Thu, 10 Apr 2025 10:40:31 -0600 Subject: [PATCH 4/8] GHES SCIM Documentation Updates (Batch 1/3) (#55164) Co-authored-by: Joe Clark <31087804+jc-clark@users.noreply.github.com> --- ...ling-automatic-user-license-sync-for-your-enterprise.md | 5 +++++ .../viewing-people-in-your-enterprise.md | 5 +++++ ...guring-authentication-and-provisioning-with-entra-id.md | 2 ++ .../configuring-scim-provisioning-for-users.md | 7 ++++--- .../user-provisioning-with-scim-on-ghes.md | 3 ++- .../about-per-user-pricing.md | 1 + .../troubleshooting-license-usage-for-github-enterprise.md | 5 +++++ data/reusables/saml/saml-supported-idps.md | 2 +- 8 files changed, 25 insertions(+), 5 deletions(-) diff --git a/content/admin/configuring-settings/configuring-github-connect/enabling-automatic-user-license-sync-for-your-enterprise.md b/content/admin/configuring-settings/configuring-github-connect/enabling-automatic-user-license-sync-for-your-enterprise.md index 41608fe4ac07..f3046944b49d 100644 --- a/content/admin/configuring-settings/configuring-github-connect/enabling-automatic-user-license-sync-for-your-enterprise.md +++ b/content/admin/configuring-settings/configuring-github-connect/enabling-automatic-user-license-sync-for-your-enterprise.md @@ -43,3 +43,8 @@ Before enabling license synchronization on {% data variables.location.product_lo 1. To the right of "License sync", click **Enable**. ![Screenshot of the "License sync" option on the GitHub Connect page. The "Enable" button is highlighted with an orange outline.](/assets/images/enterprise/site-admin-settings/enable-user-license-drop-down.png) + +{% ifversion scim-for-ghes-ga %} +> [!NOTE] +> If SAML with SCIM is enabled, the `scim-admin` setup user will not consume a license. For more information, see [AUTOTITLE](/admin/managing-iam/provisioning-user-accounts-with-scim/configuring-scim-provisioning-for-users#1-create-a-built-in-setup-user). +{% endif %} diff --git a/content/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/viewing-people-in-your-enterprise.md b/content/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/viewing-people-in-your-enterprise.md index d7b4203741f5..ee0fc8b8e147 100644 --- a/content/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/viewing-people-in-your-enterprise.md +++ b/content/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/viewing-people-in-your-enterprise.md @@ -198,8 +198,13 @@ If you use SAML authentication and SCIM provisioning, you can filter members bas 1. Select **Account Type**, then choose from the following options. * **Built-in:** Users with local accounts on {% data variables.location.product_location %} who authenticate with a username and password. +{% ifversion scim-for-ghes-ga %} + * **SAML JIT provisioned:** Users who authenticate with SAML via an identity provider and were created through just-in-time (JIT) provisioning when they first signed in. These users are not linked to SCIM identities. + * **SCIM provisioned:** Users who were created and managed through SCIM provisioning from your identity provider. These users are linked to SCIM identities. +{% else %} * **SAML linked:** Users who authenticate with SAML via an identity provider, but were not provisioned by SCIM. * **SAML and SCIM linked:** Users who authenticate with SAML via an identity provider, and were provisioned by SCIM. +{% endif %} {% endif %} diff --git a/content/admin/managing-iam/provisioning-user-accounts-with-scim/configuring-authentication-and-provisioning-with-entra-id.md b/content/admin/managing-iam/provisioning-user-accounts-with-scim/configuring-authentication-and-provisioning-with-entra-id.md index a1cb5f77c2d2..d4fd712a4985 100644 --- a/content/admin/managing-iam/provisioning-user-accounts-with-scim/configuring-authentication-and-provisioning-with-entra-id.md +++ b/content/admin/managing-iam/provisioning-user-accounts-with-scim/configuring-authentication-and-provisioning-with-entra-id.md @@ -86,6 +86,8 @@ Before starting this section, ensure you have followed steps **1 to 4** in [AUTO * "Secret Token": the {% data variables.product.pat_v1 %} created for the setup user 1. Click **Test Connection**. 1. When the test is complete, click **Save**. +1. Navigate back to the "Overview" page. +1. To provision your EntraID users to your {% data variables.product.prodname_ghe_server %} appliance, Click **Start provisioning**. When you have finished configuring SCIM, you may want to disable some SAML settings you enabled for the configuration process. See [AUTOTITLE](/admin/managing-iam/provisioning-user-accounts-with-scim/configuring-scim-provisioning-for-users#6-disable-optional-settings). diff --git a/content/admin/managing-iam/provisioning-user-accounts-with-scim/configuring-scim-provisioning-for-users.md b/content/admin/managing-iam/provisioning-user-accounts-with-scim/configuring-scim-provisioning-for-users.md index 24ca7538d116..6b91a165326f 100644 --- a/content/admin/managing-iam/provisioning-user-accounts-with-scim/configuring-scim-provisioning-for-users.md +++ b/content/admin/managing-iam/provisioning-user-accounts-with-scim/configuring-scim-provisioning-for-users.md @@ -57,6 +57,7 @@ If you're configuring SCIM provisioning for a new enterprise, make sure to compl {% else %} +* SCIM is a server-to-server protocol. Your instance's REST API endpoints must be accessible to your SCIM provider. * For authentication, your instance must use SAML SSO, or a mix of SAML and built-in authentication. * You cannot mix SCIM with other external authentication methods. If you use CAS or LDAP, you will need to migrate to SAML before using SCIM. * After you have configured SCIM, you must keep SAML authentication enabled to continue using SCIM. @@ -73,16 +74,16 @@ If you're configuring SCIM provisioning for a new enterprise, make sure to compl To ensure you can continue to sign in and configure settings when SCIM is enabled, you'll create an enterprise owner using built-in authentication. 1. Sign in to {% data variables.product.prodname_ghe_server %} as a user with access to the Management Console. -1. If you have **already enabled SAML authentication**, ensure your settings allow you to create and promote a built-in setup user. Go to the "Authentication" section of the Management Console and enable the following settings: +1. If you have **already enabled SAML authentication**, ensure your settings allow you to create and promote a built-in authentication user. Go to the "Authentication" section of the Management Console and enable the following settings: * Select **Allow creation of accounts with built-in authentication**, so you can create the user. * Select **Disable administrator demotion/promotion**, so admin permissions can be granted outside of your SAML provider. For help finding these settings, see [AUTOTITLE](/admin/managing-iam/using-saml-for-enterprise-iam/configuring-saml-single-sign-on-for-your-enterprise#configuring-saml-sso). -1. Create a built-in user account to perform provisioning actions on your instance. See [AUTOTITLE](/admin/identity-and-access-management/managing-iam-for-your-enterprise/allowing-built-in-authentication-for-users-outside-your-provider#inviting-users-outside-your-provider-to-authenticate-to-your-instance). +1. Create a built-in user account{% ifversion scim-for-ghes-ga %} with the username `scim-admin`{% endif %} to perform provisioning actions on your instance. See [AUTOTITLE](/admin/identity-and-access-management/managing-iam-for-your-enterprise/allowing-built-in-authentication-for-users-outside-your-provider#inviting-users-outside-your-provider-to-authenticate-to-your-instance). - >[!NOTE] Ensure the user's email and username are different from any user you plan on provisioning through SCIM. If your email provider supports it, you can modify an email address by adding `+admin`, for example `johndoe+admin@example.com`. + >[!NOTE] Ensure the user's email and username are different from any user you plan on provisioning through SCIM. If your email provider supports it, you can modify an email address by adding `+admin`, for example `johndoe+admin@example.com`.{% ifversion scim-for-ghes-ga %} You can use any username you would like for your setup user, but the `scim-admin` user will not be included in your [{% data variables.product.prodname_github_connect %}](/enterprise-cloud@latest/billing/managing-your-license-for-github-enterprise/viewing-license-usage-for-github-enterprise#viewing-license-usage-on-github-enterprise-cloud) license counts, while other users will.{% endif %} 1. Promote the user to an enterprise owner. See [AUTOTITLE](/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/promoting-or-demoting-a-site-administrator#promoting-a-user-from-the-enterprise-settings). diff --git a/content/admin/managing-iam/provisioning-user-accounts-with-scim/user-provisioning-with-scim-on-ghes.md b/content/admin/managing-iam/provisioning-user-accounts-with-scim/user-provisioning-with-scim-on-ghes.md index 95cd8992cdae..b185eab703a5 100644 --- a/content/admin/managing-iam/provisioning-user-accounts-with-scim/user-provisioning-with-scim-on-ghes.md +++ b/content/admin/managing-iam/provisioning-user-accounts-with-scim/user-provisioning-with-scim-on-ghes.md @@ -65,7 +65,7 @@ During the {% data variables.release-phases.private_preview %}, your account tea {% data reusables.enterprise_user_management.scim-manages-user-lifecycle %} -When SCIM is enabled, you will no longer be able to delete, suspend, or promote SCIM-provisioned users directly on {% data variables.product.prodname_ghe_server %}. You must manage these processes from your IdP. +When SCIM is enabled, you will no longer be able to delete, suspend, or promote SCIM-provisioned users directly on {% data variables.product.prodname_ghe_server %}. You must manage these processes from your IdP.{% ifversion scim-for-ghes-ga %} If an issue arises with your IdP and you need to manage a user directly, you will need to use the SCIM REST API to manage the user identities on your appliance (see [AUTOTITLE](/admin/identity-and-access-management/provisioning-user-accounts-for-enterprise-managed-users/provisioning-users-with-scim-using-the-rest-api)).{% endif %} To view suspended members, navigate to the "Suspended Members" tab of your enterprise settings. This page will be present when SCIM is enabled on {% data variables.product.prodname_ghe_server %}. @@ -78,6 +78,7 @@ To view suspended members, navigate to the "Suspended Members" tab of your enter If you currently use SAML SSO, and you are enabling SCIM, you should be aware of what happens to existing user accounts on {% data variables.product.prodname_ghe_server %} once SCIM is enabled. * Existing users with SAML mappings will **not be able to sign in** until their identities have been provisioned by SCIM. +* Existing users created with **Built in authentication** will only be able to sign in if **Built in authentication** is still enabled. {%- ifversion scim-for-ghes-ga %} * {% data variables.product.prodname_ghe_server %} will no longer store SAML mappings for users. Instead, SCIM identities will be stored for users when a user is provisioned. * You will no longer see the "SAML authentication" section on the `https://HOSTNAME/users/USER/security` site admin page for users. It will not be possible to view or update SAML NameID mappings that were previously visible in this section, since these stored SAML mappings are no longer evaluated during SAML authentication when SCIM is enabled. diff --git a/content/billing/managing-the-plan-for-your-github-account/about-per-user-pricing.md b/content/billing/managing-the-plan-for-your-github-account/about-per-user-pricing.md index 27bf08249950..4c39c0396151 100644 --- a/content/billing/managing-the-plan-for-your-github-account/about-per-user-pricing.md +++ b/content/billing/managing-the-plan-for-your-github-account/about-per-user-pricing.md @@ -108,6 +108,7 @@ If your enterprise does not use {% data variables.product.prodname_emus %}, you * Guest collaborators who are not organization members or repository collaborators (see [AUTOTITLE](/enterprise-cloud@latest/admin/user-management/managing-users-in-your-enterprise/roles-in-an-enterprise#guest-collaborators)) * Users of {% data variables.visual_studio.prodname_vss_ghe %} whose accounts on {% data variables.product.prodname_dotcom %} are not linked, and who do not meet any of the other criteria for per-user pricing * Users who have been provisioned with a {% data variables.enterprise.prodname_managed_user %}, but are not members of any organizations in the enterprise +* The `scim-admin` setup user, when SCIM is enabled on your {% data variables.product.prodname_ghe_server %} appliance. For more information, see the SCIM configuration guide [AUTOTITLE](/enterprise-server@latest/admin/managing-iam/provisioning-user-accounts-with-scim/configuring-scim-provisioning-for-users#1-create-a-built-in-setup-user). ### Accounts that consume a license on {% data variables.product.prodname_ghe_server %} diff --git a/content/billing/managing-your-license-for-github-enterprise/troubleshooting-license-usage-for-github-enterprise.md b/content/billing/managing-your-license-for-github-enterprise/troubleshooting-license-usage-for-github-enterprise.md index e71a148670c5..0f8064bbf70a 100644 --- a/content/billing/managing-your-license-for-github-enterprise/troubleshooting-license-usage-for-github-enterprise.md +++ b/content/billing/managing-your-license-for-github-enterprise/troubleshooting-license-usage-for-github-enterprise.md @@ -41,6 +41,11 @@ First, we check the primary email address of each user on {% data variables.prod If there is no match, or if SAML authentication or SCIM provisioning is not in use, we attempt to match the primary email address on {% data variables.product.prodname_ghe_server %} with a verified email address for a user account on {% data variables.product.prodname_ghe_cloud %}. For more information about verification of email addresses on {% data variables.product.prodname_ghe_cloud %}, see [AUTOTITLE](/enterprise-cloud@latest/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-email-preferences/verifying-your-email-address){% ifversion not ghec %} in the {% data variables.product.prodname_ghe_cloud %} documentation.{% else %}.{% endif %} +{% ifversion scim-for-ghes-ga %} +> [!NOTE] +> If SAML with SCIM is enabled, the `scim-admin` setup user will not consume a license. For more information, see [AUTOTITLE](/admin/managing-iam/provisioning-user-accounts-with-scim/configuring-scim-provisioning-for-users#1-create-a-built-in-setup-user). +{% endif %} + ## Fields in the consumed license files The {% data variables.product.prodname_ghe_cloud %} license usage report and {% data variables.product.prodname_ghe_server %} exported license usage file include a variety of fields to help you troubleshoot license usage for your enterprise. diff --git a/data/reusables/saml/saml-supported-idps.md b/data/reusables/saml/saml-supported-idps.md index e8ac638dd35b..5041b4bf68b6 100644 --- a/data/reusables/saml/saml-supported-idps.md +++ b/data/reusables/saml/saml-supported-idps.md @@ -1,6 +1,6 @@ {% data variables.product.github %} supports SAML SSO with IdPs that implement the SAML 2.0 standard. For more information, see the [SAML Wiki](https://wiki.oasis-open.org/security) on the OASIS website. -{% data variables.product.company_short %} officially supports and internally tests the following IdPs. +{% data variables.product.company_short %} officially supports and internally tests the following IdPs for SAML.{% ifversion ghes %} For more information about the IdPs that are supported for SCIM on {% data variables.product.prodname_ghe_server %}, see [AUTOTITLE](/admin/managing-iam/provisioning-user-accounts-with-scim/user-provisioning-with-scim-on-ghes#supported-identity-providers).{% endif %} * Microsoft Active Directory Federation Services (AD FS) * Microsoft Entra ID (previously known as Azure AD) From fc16fa62b765e3a4277939badca3778cdb6afd39 Mon Sep 17 00:00:00 2001 From: Taylor Reis Date: Thu, 10 Apr 2025 10:41:02 -0600 Subject: [PATCH 5/8] Update SAML and SCIM mapping docs (#55190) Co-authored-by: Joe Clark <31087804+jc-clark@users.noreply.github.com> Co-authored-by: Sunbrye Ly <56200261+sunbrye@users.noreply.github.com> --- .../command-line-utilities.md | 30 +++++++++++++++++++ .../viewing-people-in-your-enterprise.md | 4 +++ ...and-groups-with-scim-using-the-rest-api.md | 1 + .../user-provisioning-with-scim-on-ghes.md | 1 + .../reusables/scim/ghe-scim-identities-csv.md | 1 + 5 files changed, 37 insertions(+) create mode 100644 data/reusables/scim/ghe-scim-identities-csv.md diff --git a/content/admin/administering-your-instance/administering-your-instance-from-the-command-line/command-line-utilities.md b/content/admin/administering-your-instance/administering-your-instance-from-the-command-line/command-line-utilities.md index dc3ba8775b4a..67be9adaef4a 100644 --- a/content/admin/administering-your-instance/administering-your-instance-from-the-command-line/command-line-utilities.md +++ b/content/admin/administering-your-instance/administering-your-instance-from-the-command-line/command-line-utilities.md @@ -287,6 +287,11 @@ ghe-reactivate-admin-login ### ghe-saml-mapping-csv +{% ifversion scim-for-ghes-ga %} +> [!NOTE] +> This utility does not work with configurations that use SAML with SCIM provisioning. For the SCIM version of this tool, please refer to [`ghe-scim-identities-csv` utility](#ghe-scim-identities-csv). +{% endif %} + This utility allows administrators to output or update the SAML `NameID` mappings for users on an instance. The utility can output a CSV file that lists all existing mappings. You can also update mappings for users on your instance by editing the resulting file, then using the utility to assign new mappings from the file. To output a CSV file containing a list of all user SAML `NameID` mappings on the instance, run the following command. @@ -311,6 +316,31 @@ To update SAML mappings on the instance with new values from the file, run the f ghe-saml-mapping-csv -u -f /PATH/TO/FILE ``` +{% ifversion scim-for-ghes-ga %} + +### ghe-scim-identities-csv + +> [!NOTE] +> This utility only works with configurations that use SAML with SCIM provisioning. For the SAML only version of this tool, please refer to the [`ghe-saml-mapping-csv` utility](#ghe-saml-mapping-csv). + +This utility allows administrators to output the SCIM identities for users on an instance. The utility can output a CSV file that lists all existing identities and the groups they are members of. + +To output CSV data containing a list of all user SCIM identities on the instance, run the following command. This will create a file located at `/data/user/tmp/scim-identities-DATE.csv` containing your SCIM identities. + +```shell +ghe-scim-identities-csv +``` + +Or, if you'd like to specify the file, run the following command. + +```shell +ghe-scim-identities-csv -f /PATH/TO/FILE +``` + +We recommend writing to a file in `/data/user/tmp`. + +{% endif %} + ### ghe-service-list This utility lists all of the services that have been started or stopped (are running or waiting) on your appliance. diff --git a/content/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/viewing-people-in-your-enterprise.md b/content/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/viewing-people-in-your-enterprise.md index ee0fc8b8e147..d350de2e32fe 100644 --- a/content/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/viewing-people-in-your-enterprise.md +++ b/content/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/viewing-people-in-your-enterprise.md @@ -208,6 +208,10 @@ If you use SAML authentication and SCIM provisioning, you can filter members bas {% endif %} +{% ifversion scim-for-ghes-ga %} +{% data reusables.scim.ghe-scim-identities-csv %} +{% endif %} + ## Viewing members without an email address from a verified domain You can view a list of members in your enterprise who don't have an email address from a verified domain associated with their user account. diff --git a/content/admin/managing-iam/provisioning-user-accounts-with-scim/provisioning-users-and-groups-with-scim-using-the-rest-api.md b/content/admin/managing-iam/provisioning-user-accounts-with-scim/provisioning-users-and-groups-with-scim-using-the-rest-api.md index 47a57d9903b5..5de095e927b0 100644 --- a/content/admin/managing-iam/provisioning-user-accounts-with-scim/provisioning-users-and-groups-with-scim-using-the-rest-api.md +++ b/content/admin/managing-iam/provisioning-user-accounts-with-scim/provisioning-users-and-groups-with-scim-using-the-rest-api.md @@ -169,6 +169,7 @@ Before a person with an identity on your identity management system can sign in * For an overview of the supported attributes for users, see [SCIM](/rest/enterprise-admin/scim#supported-scim-user-attributes) in the REST API documentation. * You can view provisioned users in the {% data variables.product.github %} UI. For more information, see [AUTOTITLE](/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/viewing-people-in-your-enterprise). +{% ifversion scim-for-ghes-ga %}* {% data reusables.scim.ghe-scim-identities-csv %}{% endif %} | Action | Method | Endpoint and more information | Events in the audit log | | :- | :- | :- | :- | diff --git a/content/admin/managing-iam/provisioning-user-accounts-with-scim/user-provisioning-with-scim-on-ghes.md b/content/admin/managing-iam/provisioning-user-accounts-with-scim/user-provisioning-with-scim-on-ghes.md index b185eab703a5..63c4ae1a53f4 100644 --- a/content/admin/managing-iam/provisioning-user-accounts-with-scim/user-provisioning-with-scim-on-ghes.md +++ b/content/admin/managing-iam/provisioning-user-accounts-with-scim/user-provisioning-with-scim-on-ghes.md @@ -87,6 +87,7 @@ If you currently use SAML SSO, and you are enabling SCIM, you should be aware of * If a user account with a matching username does exist, {% data variables.product.prodname_ghe_server %} links the SCIM identity to this user account. * If a user account with a matching username doesn't exist, {% data variables.product.prodname_ghe_server %} creates a new user account and links it to this SCIM identity. * If {% data variables.product.prodname_dotcom %} successfully matches a user who is authenticating via SAML with an existing user account, but account details such as email address, first name, or last name don't match, the instance **overwrites the details** with values from the IdP. Any email addresses other than the primary email provisioned by SCIM will also be deleted from the user account. +{% ifversion scim-for-ghes-ga %}* {% data reusables.scim.ghe-scim-identities-csv %}{% endif %} ## What happens during SAML authentication? diff --git a/data/reusables/scim/ghe-scim-identities-csv.md b/data/reusables/scim/ghe-scim-identities-csv.md new file mode 100644 index 000000000000..d30df59a6bb0 --- /dev/null +++ b/data/reusables/scim/ghe-scim-identities-csv.md @@ -0,0 +1 @@ +Enterprise administrators with CLI access can export a full CSV of SCIM provisioned user identities using the [ghe-scim-identities-csv](/admin/administering-your-instance/administering-your-instance-from-the-command-line/command-line-utilities#ghe-scim-identities-csv) tool. From 185480a14837094fd3e484bbf97b923cce98199d Mon Sep 17 00:00:00 2001 From: Evan Bonsignori Date: Thu, 10 Apr 2025 09:50:50 -0700 Subject: [PATCH 6/8] only display X references from the cse-copilot response (#55237) --- src/search/components/input/AskAIResults.tsx | 51 ++++++++++++-------- 1 file changed, 30 insertions(+), 21 deletions(-) diff --git a/src/search/components/input/AskAIResults.tsx b/src/search/components/input/AskAIResults.tsx index 8f6d4f28b2f4..20aa3d49f58f 100644 --- a/src/search/components/input/AskAIResults.tsx +++ b/src/search/components/input/AskAIResults.tsx @@ -41,6 +41,8 @@ type AISearchResultEventParams = { connectedEventId?: string } +const MAX_REFERENCES_TO_SHOW = 4 + export function AskAIResults({ query, version, @@ -389,27 +391,34 @@ export function AskAIResults({ > {t('search.ai.references')} - {references.map((source, index) => ( - { - referenceOnSelect(source.url) - }} - active={index + referencesIndexOffset === selectedIndex} - > - - {source.title} - - ))} + {references + .map((source, index) => { + if (index >= MAX_REFERENCES_TO_SHOW) { + return null + } + return ( + { + referenceOnSelect(source.url) + }} + active={index + referencesIndexOffset === selectedIndex} + > + + {source.title} + + ) + }) + .filter(Boolean)} From d12af804f12bcc55f206ac49b6449d648480ebf4 Mon Sep 17 00:00:00 2001 From: Marco Gario Date: Thu, 10 Apr 2025 19:39:01 +0200 Subject: [PATCH 7/8] Code Scanning: Add sunset date for issue <> alerts (#55229) --- .../code-scanning/beta-alert-tracking-in-issues.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/data/reusables/code-scanning/beta-alert-tracking-in-issues.md b/data/reusables/code-scanning/beta-alert-tracking-in-issues.md index d87e3a511a5c..9ed02615a6aa 100644 --- a/data/reusables/code-scanning/beta-alert-tracking-in-issues.md +++ b/data/reusables/code-scanning/beta-alert-tracking-in-issues.md @@ -1,8 +1,12 @@ + + {% ifversion code-scanning-task-lists %} > [!NOTE] -> The tracking of {% data variables.product.prodname_code_scanning %} alerts in issues is in {% data variables.release-phases.public_preview %} and subject to change. +> The tracking of {% data variables.product.prodname_code_scanning %} alerts in issues is {% data variables.release-phases.closing_down %} on April 30th, 2025. > > This feature supports running analysis natively using {% data variables.product.prodname_actions %} or externally using existing CI/CD infrastructure, as well as third-party {% data variables.product.prodname_code_scanning %} tools, but _not_ third-party tracking tools. {% endif %} + + \ No newline at end of file From 576fe2dfbbbdde2e928bee3ce074ee7c3aa23f15 Mon Sep 17 00:00:00 2001 From: docs-bot <77750099+docs-bot@users.noreply.github.com> Date: Thu, 10 Apr 2025 10:42:02 -0700 Subject: [PATCH 8/8] Sync secret scanning data (#55238) Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com> --- src/secret-scanning/data/public-docs.yml | 8 ++++---- src/secret-scanning/lib/config.json | 4 ++-- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/src/secret-scanning/data/public-docs.yml b/src/secret-scanning/data/public-docs.yml index 9a884058952e..6c7ce0bf738f 100644 --- a/src/secret-scanning/data/public-docs.yml +++ b/src/secret-scanning/data/public-docs.yml @@ -1713,7 +1713,7 @@ ghes: '*' isPublic: false isPrivateWithGhas: true - hasPushProtection: false + hasPushProtection: true hasValidityCheck: false isduplicate: false - provider: Grafana @@ -1977,7 +1977,7 @@ ghes: '>=3.14' isPublic: false isPrivateWithGhas: true - hasPushProtection: true + hasPushProtection: false hasValidityCheck: false isduplicate: false - provider: IBM @@ -1989,7 +1989,7 @@ ghes: '>=3.14' isPublic: false isPrivateWithGhas: true - hasPushProtection: true + hasPushProtection: false hasValidityCheck: false isduplicate: false - provider: Intercom @@ -3770,7 +3770,7 @@ ghes: '*' isPublic: true isPrivateWithGhas: true - hasPushProtection: false + hasPushProtection: true hasValidityCheck: '{% ifversion fpt or ghes %}false{% else %}true{% endif %}' isduplicate: false - provider: Stripe diff --git a/src/secret-scanning/lib/config.json b/src/secret-scanning/lib/config.json index 716bcdddf3ff..3691711cc336 100644 --- a/src/secret-scanning/lib/config.json +++ b/src/secret-scanning/lib/config.json @@ -1,5 +1,5 @@ { - "sha": "b4145ecdc18a91d474bee1fd9628de17833b4a35", - "blob-sha": "c577f9698f2c54db3054f5652f4f47ebe87b6de4", + "sha": "e5322c3dee0ad441a787d1bc0051420cf544bc24", + "blob-sha": "1ad7e3fecbf7e3fc6c67fbb61bdf8fe8c2891adb", "targetFilename": "code-security/secret-scanning/introduction/supported-secret-scanning-patterns" } \ No newline at end of file