From 22c3b9e9737f7ab41ef8a1d8b4b51bd421be9f97 Mon Sep 17 00:00:00 2001 From: Kevin Heis Date: Mon, 5 May 2025 08:33:22 -0700 Subject: [PATCH 1/8] Add is_headless as a field instead of filter (#55483) --- src/events/components/events.ts | 3 +-- src/events/lib/schema.ts | 3 +++ src/events/tests/middleware.ts | 2 ++ src/events/types.ts | 1 + 4 files changed, 7 insertions(+), 2 deletions(-) diff --git a/src/events/components/events.ts b/src/events/components/events.ts index bebb5c272ace..f968baa699cf 100644 --- a/src/events/components/events.ts +++ b/src/events/components/events.ts @@ -86,8 +86,6 @@ export function sendEvent({ eventGroupKey?: string eventGroupId?: string } & EventPropsByType[T]) { - if (isHeadless()) return - const body = { type, @@ -118,6 +116,7 @@ export function sendEvent({ // Device information // os, os_version, browser, browser_version: ...parseUserAgent(), + is_headless: isHeadless(), viewport_width: document.documentElement.clientWidth, viewport_height: document.documentElement.clientHeight, diff --git a/src/events/lib/schema.ts b/src/events/lib/schema.ts index 55ad26277ce2..deaa0790fd0e 100644 --- a/src/events/lib/schema.ts +++ b/src/events/lib/schema.ts @@ -136,6 +136,9 @@ const context = { type: 'string', description: 'The version of the browser the user is browsing with.', }, + is_headless: { + type: 'boolean', + }, viewport_width: { type: 'number', description: 'The viewport width, not the overall device size.', diff --git a/src/events/tests/middleware.ts b/src/events/tests/middleware.ts index 6da5601bdfd4..f86bde5741ad 100644 --- a/src/events/tests/middleware.ts +++ b/src/events/tests/middleware.ts @@ -41,6 +41,7 @@ describe('POST /events', () => { os_version: '18.04', browser: 'chrome', browser_version: '85.0.4183.121', + is_headless: false, viewport_width: 1418, viewport_height: 501, 
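Review bot: With the early `if (isHeadless()) return` removed in the first hunk, headless and automated clients now post events that were previously dropped on the client, and the `is_headless: isHeadless()` value added in the second hunk is self-reported by that same client, so downstream consumers must not treat it as a reliable bot filter. A short comment on the added line would make that explicit: `is_headless: isHeadless(), // client-reported; use for analysis filtering, not as a trust signal`. Expect volume to the `POST /events` endpoint to grow by whatever share of traffic was headless, since this was the only client-side gate visible in the hunk. The body of `sendEvent` begins and ends outside both hunks.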
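Review bot: The new `is_headless` entry in the schema.ts hunk is the only property in view without a `description`, while its neighbours `browser_version` and `viewport_width` each carry one; add `description: 'Whether the client reports running in a headless browser. Client-supplied, not a trust signal.',` so the generated schema documentation stays consistent. If this `context` schema also declares a `required` list or `additionalProperties: false` (neither is visible in the hunk), the field presumably belongs in `required` as well, since `types.ts` makes it a non-optional `boolean`.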
@@ -72,6 +73,7 @@ describe('POST /events', () => { os_version: '18.04', browser: 'chrome', browser_version: '85.0.4183.121', + is_headless: false, viewport_width: 1418, viewport_height: 501, diff --git a/src/events/types.ts b/src/events/types.ts index 8ceb69b8cfab..762dbc9a8df5 100644 --- a/src/events/types.ts +++ b/src/events/types.ts @@ -50,6 +50,7 @@ export type EventProps = { code_display_preference: string event_group_key?: string event_group_id?: string + is_headless: boolean } } From 3654df4e9567d9b0b0ba5d49b65c340a466c837d Mon Sep 17 00:00:00 2001 From: Eric Sorenson Date: Mon, 5 May 2025 09:28:43 -0700 Subject: [PATCH 2/8] Updates to dependency graph documentation with information about recent changes (#55449) Co-authored-by: Lewis Jones Co-authored-by: Felicity Chapman Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com> --- ...-practices-for-maintaining-dependencies.md | 2 +- ...pendency-submission-for-your-repository.md | 2 ++ .../configuring-the-dependency-graph.md | 4 --- ...ency-graph-supported-package-ecosystems.md | 12 ++++--- ...s-for-dependencies-in-your-organization.md | 2 +- .../dependency-graph/dependency-submission.md | 2 ++ ...ull-request-security-vs-version-updates.md | 2 +- .../dependency-graph/deduplication.md | 9 ++++++ .../supported-package-ecosystems.md | 32 +++++++++---------- 9 files changed, 40 insertions(+), 27 deletions(-) create mode 100644 data/reusables/dependency-graph/deduplication.md diff --git a/content/code-security/dependabot/maintain-dependencies/best-practices-for-maintaining-dependencies.md b/content/code-security/dependabot/maintain-dependencies/best-practices-for-maintaining-dependencies.md index c649516b685a..52245f37ae2b 100644 --- a/content/code-security/dependabot/maintain-dependencies/best-practices-for-maintaining-dependencies.md +++ b/content/code-security/dependabot/maintain-dependencies/best-practices-for-maintaining-dependencies.md 
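Review bot: Both fixtures in this hunk and the preceding one at `-41,6` set `is_headless: false`, so no test exercises the case this change actually enables: an event from a headless client reaching the server instead of being dropped client-side. A variant fixture with `is_headless: true` would pin that the schema accepts the tagged event rather than rejecting it. The enclosing `describe('POST /events', …)` block starts and ends outside the hunk.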
@@ -79,7 +79,7 @@ By following these practices, you can significantly reduce the risk posed by out {% data variables.product.github %} offers several security features that can help maintain the security of your codebases: -**Dependency Graph** +**Dependency graph** * Provides a tabular representation of your project's dependencies. * The graph helps you understand the dependencies of your project and {% data variables.product.github %} uses this to identify vulnerable dependencies. diff --git a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-automatic-dependency-submission-for-your-repository.md b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-automatic-dependency-submission-for-your-repository.md index 8fbab640dbcd..8f841b9b7254 100644 --- a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-automatic-dependency-submission-for-your-repository.md +++ b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-automatic-dependency-submission-for-your-repository.md @@ -85,6 +85,8 @@ Automatic dependency submission makes a best effort to cache package downloads b If your repository's dependencies seem inaccurate, check that the timestamp of the last dependency graph build matches the last change to your `pom.xml` file. The timestamp is visible on the table of alerts in the repository's {% data variables.product.prodname_dependabot_alerts %} tab. Pushing a commit which updates `pom.xml` will trigger a new run of the Dependency Tree Submission action and force a rebuild of that repository's dependency graph. +{% data reusables.dependency-graph.deduplication %} + ## Further reading * [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-supply-chain-security) 
diff --git a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-the-dependency-graph.md b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-the-dependency-graph.md index 94e188d80fa5..3909d3012ea7 100644 --- a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-the-dependency-graph.md +++ b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-the-dependency-graph.md @@ -45,10 +45,6 @@ To generate a dependency graph, {% data variables.product.github %} needs read-o When the dependency graph is first enabled, any manifest and lock files for supported ecosystems are parsed immediately. The graph is usually populated within minutes but this may take longer for repositories with many dependencies. Once enabled, the graph is automatically updated with every push to the repository{% ifversion fpt or ghec %} and every push to other repositories in the graph{% endif %}. -{% ifversion ghes %} -{% data reusables.dependency-submission.dependency-submission-link %} -{% endif %} - ## Further reading {%- ifversion maven-transitive-dependencies %} diff --git a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/dependency-graph-supported-package-ecosystems.md b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/dependency-graph-supported-package-ecosystems.md index 831ee61ded06..8b4c67ca7211 100644 --- a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/dependency-graph-supported-package-ecosystems.md +++ b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/dependency-graph-supported-package-ecosystems.md 
@@ -20,11 +20,11 @@ versions: {% data reusables.dependabot.about-the-dependency-graph %} For more information, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph). -In this article, you can see what the supported ecosystems are. - ## Supported package ecosystems -The recommended formats explicitly define which versions are used for all direct and all indirect dependencies. If you use these formats, your dependency graph is more accurate. It also reflects the current build set up and enables the dependency graph to report vulnerabilities in both direct and indirect dependencies.{% ifversion fpt or ghec %} Indirect dependencies that are inferred from a manifest file (or equivalent) are excluded from the checks for insecure dependencies.{% endif %} +If dependency graph is enabled, it will scan your repository for manifest files used by many commonly-used programming language package ecosystems. When it finds one of the supported manifest files, it will parse the file's contents and build a representation of its contents, including each package's name and version. + +Some files explicitly define which versions are used for all direct and all indirect dependencies. They lock the package versions to those included in the build and enable Dependabot to find vulnerable versions in both direct and indirect dependencies. If you use these formats, your dependency graph is more accurate, so they're listed under the "Recommended files" column in this table.{% ifversion fpt or ghec %} Indirect dependencies that are inferred from a manifest file (or equivalent) are excluded from the checks for insecure dependencies.{% endif %} {% data reusables.dependency-graph.supported-package-ecosystems %} 
@@ -36,7 +36,7 @@ For ecosystems that resolve transitive dependencies at build-time, we recommend ## Package ecosystems supported via dependency submission actions -You can use the {% data variables.dependency-submission-api.name %} to add build-time dependencies to the dependency graph, or to add dependencies from package managers and ecosystems of your choice to the dependency graph, even if the ecosystem is not in the supported ecosystem list above. Dependency information from these submitted dependencies will, in turn, flow into {% data variables.product.prodname_dependabot_updates %} and {% data variables.product.prodname_dependabot_alerts %}. +In addition to dependency graph's static analysis and auto-submission, you can use the {% data variables.dependency-submission-api.name %} to add build-time dependencies to the dependency graph, or to add dependencies from package managers and ecosystems of your choice to the dependency graph, even if the ecosystem is not in the supported ecosystem list above. Dependency information from these submitted dependencies will, in turn, flow into {% data variables.product.prodname_dependabot_updates %} and {% data variables.product.prodname_dependabot_alerts %}. {% data reusables.dependency-graph.dependency-submission-API-short %} For more information on the {% data variables.dependency-submission-api.name %}, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api). @@ -45,3 +45,7 @@ You typically use the {% data variables.dependency-submission-api.name %} in a { {% data reusables.dependency-submission.premade-action-table %} You can also create your own action. For more information, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api#creating-your-own-action). + +## Deduplication of manifests + +{% data reusables.dependency-graph.deduplication %} 
diff --git a/content/organizations/collaborating-with-groups-in-organizations/viewing-insights-for-dependencies-in-your-organization.md b/content/organizations/collaborating-with-groups-in-organizations/viewing-insights-for-dependencies-in-your-organization.md index fb4af477f3af..c3acd66921e8 100644 --- a/content/organizations/collaborating-with-groups-in-organizations/viewing-insights-for-dependencies-in-your-organization.md +++ b/content/organizations/collaborating-with-groups-in-organizations/viewing-insights-for-dependencies-in-your-organization.md @@ -22,7 +22,7 @@ permissions: '{% data reusables.permissions.dependency-graph-view-org-insights % Dependency insights can help you track, report, and act on your organization's open source usage. > [!NOTE] -> Please make sure you have enabled the [Dependency Graph](/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-the-dependency-graph). +> Please make sure you have enabled the [dependency graph](/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-the-dependency-graph). With dependency insights you can view vulnerabilities, licenses, and other important information for the open source projects your organization depends on. diff --git a/content/rest/dependency-graph/dependency-submission.md b/content/rest/dependency-graph/dependency-submission.md index 6e80adacdd29..695cf31ef033 100644 --- a/content/rest/dependency-graph/dependency-submission.md +++ b/content/rest/dependency-graph/dependency-submission.md 
@@ -18,4 +18,6 @@ You can submit dependencies in the form of a snapshot. A snapshot is a set of de You can submit multiple sets of dependencies to be included in your dependency graph. The REST API uses the `job.correlator` property and the `detector.name` category of the snapshot to ensure the latest submissions for each workflow get shown. The `correlator` property itself is the primary field you will use to keep independent submissions distinct. An example `correlator` could be a simple combination of two variables available in actions runs: ` `. +{% data reusables.dependency-graph.deduplication %} + diff --git a/data/reusables/dependabot/pull-request-security-vs-version-updates.md b/data/reusables/dependabot/pull-request-security-vs-version-updates.md index 12a1067cfc0d..42614a912e5c 100644 --- a/data/reusables/dependabot/pull-request-security-vs-version-updates.md +++ b/data/reusables/dependabot/pull-request-security-vs-version-updates.md @@ -1,4 +1,4 @@ When {% data variables.product.prodname_dependabot %} raises pull requests, these pull requests could be for _security_ or _version_ updates: * _{% data variables.product.prodname_dependabot_security_updates %}_ are automated pull requests that help you update dependencies with known vulnerabilities. -* _{% data variables.product.prodname_dependabot_version_updates %}_ are automated pull requests that keep your dependencies updated, even when they don’t have any vulnerabilities. To check the status of version updates, navigate to the Insights tab of your repository, then Dependency Graph, and {% data variables.product.prodname_dependabot %}. +* _{% data variables.product.prodname_dependabot_version_updates %}_ are automated pull requests that keep your dependencies updated, even when they don’t have any vulnerabilities. To check the status of version updates, navigate to the **Insights** tab of your repository, then select **Dependency Graph**, and {% data variables.product.prodname_dependabot %}. 
diff --git a/data/reusables/dependency-graph/deduplication.md b/data/reusables/dependency-graph/deduplication.md new file mode 100644 index 000000000000..9ec2137221bd --- /dev/null +++ b/data/reusables/dependency-graph/deduplication.md @@ -0,0 +1,9 @@ +Dependency graph can learn about dependencies in three different ways: static analysis, automatic submission, and user submission. A repository can have multiple methods configured, causing the same package manifest to be scanned multiple times, potentially with different outputs from each scan. Dependency graph uses deduplication logic to parse the outputs, prioritizing the most accurate information for each manifest file. + +Dependency graph displays only one instance of each manifest file using the following precedence rules. + +1. **User submissions** take the highest priority, because they are usually created during artifact builds they have the most complete information. + * If there are multiple manual snapshots from different detectors, they are sorted alphabetically by correlator and the first one used. + * If there are two correlators with the same detector, the resolved dependencies are merged. For more information about correlators and detectors, see [AUTOTITLE](/rest/dependency-graph/dependency-submission). +1. **Automatic submissions** have the second-highest priority since they are also created during artifact builds, but are not submitted by users. +1. **Static analysis results** are used when no other data is available. diff --git a/data/reusables/dependency-graph/supported-package-ecosystems.md b/data/reusables/dependency-graph/supported-package-ecosystems.md index 2cb534f2d017..8ae4728567a5 100644 --- a/data/reusables/dependency-graph/supported-package-ecosystems.md +++ b/data/reusables/dependency-graph/supported-package-ecosystems.md 
@@ -1,22 +1,22 @@ -| Package manager | Languages | Transitive dependencies | Recommended formats | All supported formats | +| Package manager | Languages | Transitive dependencies | Recommended files | Additional files | | --- | --- | --- | --- | ---| -| Cargo | Rust | {% octicon "x" aria-label="Not supported" %} | `Cargo.lock` | `Cargo.toml`, `Cargo.lock` | -| Composer | PHP | {% octicon "x" aria-label="Not supported" %} | `composer.lock` | `composer.json`, `composer.lock` | -| NuGet | .NET languages (C#, F#, VB), C++ | {% octicon "x" aria-label="Not supported" %} | `.csproj`, `.vbproj`, `.nuspec`, `.vcxproj`, `.fsproj` | `.csproj`, `.vbproj`, `.nuspec`, `.vcxproj`, `.fsproj`, `packages.config` | -| {% data variables.product.prodname_actions %} workflows | YAML | {% octicon "x" aria-label="Not supported" %} | `.yml`, `.yaml` | `.yml`, `.yaml` | -| Go modules | Go | {% octicon "x" aria-label="Not supported" %} | `go.mod`| `go.mod` | -| Maven | Java, Scala | {% octicon "check" aria-label="Supported" %} | `pom.xml` | `pom.xml` | -| npm | JavaScript | {% octicon "check" aria-label="Supported" %} | `package-lock.json` | `package-lock.json`, `package.json`| -| pip | Python | {% octicon "x" aria-label="Not supported" %} | `requirements.txt`, `pipfile.lock` | `requirements.txt`, `pipfile`, `pipfile.lock`, `setup.py` | -| pnpm | JavaScript | {% octicon "x" aria-label="Not supported" %} | `pnpm-lock.yaml` | `package.json`, `pnpm-lock.yaml` | -| pub | Dart | {% octicon "x" aria-label="Not supported" %} | `pubspec.lock` | `pubspec.yaml`, `pubspec.lock` | -| Python Poetry | Python | {% octicon "x" aria-label="Not supported" %} | `poetry.lock` | `poetry.lock`, `pyproject.toml` | -| RubyGems | Ruby | {% octicon "x" aria-label="Not supported" %} | `Gemfile.lock` | `Gemfile.lock`, `Gemfile`, `*.gemspec` | -| Swift Package Manager | Swift | {% octicon "x" aria-label="Not supported" %} | `Package.resolved` | `Package.resolved` | -| Yarn | JavaScript | {% octicon "x" aria-label="Not 
supported" %} | `yarn.lock` | `package.json`, `yarn.lock` | +| Cargo | Rust | {% octicon "x" aria-label="Not supported" %} | `Cargo.lock` | `Cargo.toml` | +| Composer | PHP | {% octicon "x" aria-label="Not supported" %} | `composer.lock` | `composer.json` | +| NuGet | .NET languages (C#, F#, VB), C++ | {% octicon "x" aria-label="Not supported" %} | `.csproj`, `.vbproj`, `.nuspec`, `.vcxproj`, `.fsproj` | `packages.config` | +| {% data variables.product.prodname_actions %} workflows | YAML | {% octicon "x" aria-label="Not supported" %} | `.yml`, `.yaml` | {% octicon "x" aria-label="None" %} | +| Go modules | Go | {% octicon "x" aria-label="Not supported" %} | `go.mod`| {% octicon "x" aria-label="None" %} | +| Maven | Java, Scala | {% octicon "check" aria-label="Supported" %} | `pom.xml` | {% octicon "x" aria-label="None" %} | +| npm | JavaScript | {% octicon "check" aria-label="Supported" %} | `package-lock.json` | `package.json`| +| pip | Python | {% octicon "x" aria-label="Not supported" %} | `requirements.txt`, `pipfile.lock` | `pipfile`, `setup.py` | +| pnpm | JavaScript | {% octicon "check" aria-label="Supported" %} | `pnpm-lock.yaml` | `package.json` | +| pub | Dart | {% octicon "x" aria-label="Not supported" %} | `pubspec.lock` | `pubspec.yaml` | +| Python Poetry | Python | {% octicon "x" aria-label="Not supported" %} | `poetry.lock` | `pyproject.toml` | +| RubyGems | Ruby | {% octicon "x" aria-label="Not supported" %} | `Gemfile.lock` | `Gemfile`, `*.gemspec` | +| Swift Package Manager | Swift | {% octicon "x" aria-label="Not supported" %} | `Package.resolved` | {% octicon "x" aria-label="None" %} | +| Yarn | JavaScript | {% octicon "check" aria-label="Supported" %} | `yarn.lock` | `package.json` | > [!NOTE]{% ifversion transitive-dependency-labeling-npm %} -> * The **Transitive dependencies** column indicates whether the dependency graph labels dependent packages in that ecosystem as direct or transitive on the dependency graph view, {% data 
variables.product.prodname_dependabot_alerts %}, the GraphQL API, and exported SBOMs. For more information, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/exploring-the-dependencies-of-a-repository#dependencies-view).{% endif %} +> * The **Transitive dependencies** column indicates whether static analysis will add `direct` and `transitive` labels for dependent packages in that ecosystem. Labels will appear on the dependency graph view, {% data variables.product.prodname_dependabot_alerts %}, the GraphQL API, and exported SBOMs. For more information, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/exploring-the-dependencies-of-a-repository#dependencies-view).{% endif %} > * If you list your Python dependencies within a `setup.py` file, we may not be able to parse and list every dependency in your project. > * {% data variables.product.prodname_actions %} workflows must be located in the `.github/workflows/` directory of a repository to be recognized as manifests. Any actions or workflows referenced using the syntax `jobs[*].steps[*].uses` or `jobs..uses` will be parsed as dependencies. For more information, see [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions). > * {% data reusables.dependabot.dependabot-alert-actions-semver %} For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts) and [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates). From 39aacd8814ad3f4edcb1573154a5705a79039ecf Mon Sep 17 00:00:00 2001 
From: Marco Gario Date: Mon, 5 May 2025 19:06:24 +0200 Subject: [PATCH 3/8] Remove docs for Alert Issue tracking (#55250) Co-authored-by: Joe Clark <31087804+jc-clark@users.noreply.github.com> --- ...ode-scanning-alerts-for-your-repository.md | 14 ---- .../managing-code-scanning-alerts/index.md | 4 +- ...nning-alerts-in-issues-using-task-lists.md | 83 ------------------- .../about-task-lists.md | 6 -- .../using-issues/creating-an-issue.md | 12 +-- 5 files changed, 4 insertions(+), 115 deletions(-) delete mode 100644 content/code-security/code-scanning/managing-code-scanning-alerts/tracking-code-scanning-alerts-in-issues-using-task-lists.md diff --git a/content/code-security/code-scanning/managing-code-scanning-alerts/assessing-code-scanning-alerts-for-your-repository.md b/content/code-security/code-scanning/managing-code-scanning-alerts/assessing-code-scanning-alerts-for-your-repository.md index 9c4c6a3c8e31..56c7ad9af9c5 100644 --- a/content/code-security/code-scanning/managing-code-scanning-alerts/assessing-code-scanning-alerts-for-your-repository.md +++ b/content/code-security/code-scanning/managing-code-scanning-alerts/assessing-code-scanning-alerts-for-your-repository.md 
@@ -102,20 +102,6 @@ You can search the list of alerts. This is useful if there is a large number of ![Screenshot of search field in alerts view. The field has pre-defined filters "is: open branch:main" and free text of "sql or injection" highlighted.](/assets/images/help/repository/code-scanning-search-alerts.png) 1. Press return. The alert listing will contain the open {% data variables.product.prodname_code_scanning %} alerts matching your search criteria. -{% ifversion code-scanning-task-lists %} - -## Tracking {% data variables.product.prodname_code_scanning %} alerts in issues - -{% data reusables.code-scanning.beta-alert-tracking-in-issues %} - -To quickly create an issue to track the status of a specific {% data variables.product.prodname_code_scanning %} alert, on the {% data variables.product.prodname_code_scanning %} alerts page, click the alert you would like to track. On the detailed page for that alert, click **Create issue**. Customize the autogenerated issue as desired, then click **Submit new issue**. - -Alternatively, to track a {% data variables.product.prodname_code_scanning %} alert in an existing issue, add the URL for the alert as a task list item in the issue. For more information about task lists, see [AUTOTITLE](/get-started/writing-on-github/working-with-advanced-formatting/about-task-lists). - -{% data reusables.code-scanning.alert-tracking-link %} - -{% endif %} - ## Auditing responses to {% data variables.product.prodname_code_scanning %} alerts {% data reusables.code-scanning.audit-code-scanning-events %} diff --git a/content/code-security/code-scanning/managing-code-scanning-alerts/index.md b/content/code-security/code-scanning/managing-code-scanning-alerts/index.md index d429e0cf5e8d..301fdb8042e2 100644 --- a/content/code-security/code-scanning/managing-code-scanning-alerts/index.md +++ b/content/code-security/code-scanning/managing-code-scanning-alerts/index.md 
@@ -11,6 +11,9 @@ topics: - Code Security - Code scanning - CodeQL +redirect_from: + - /code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/tracking-code-scanning-alerts-in-issues-using-task-lists + - /code-security/code-scanning/managing-code-scanning-alerts/tracking-code-scanning-alerts-in-issues-using-task-lists children: - /about-code-scanning-alerts - /responsible-use-autofix-code-scanning @@ -20,5 +23,4 @@ children: - /best-practices-for-participating-in-a-security-campaign - /fixing-alerts-in-security-campaign - /triaging-code-scanning-alerts-in-pull-requests - - /tracking-code-scanning-alerts-in-issues-using-task-lists --- diff --git a/content/code-security/code-scanning/managing-code-scanning-alerts/tracking-code-scanning-alerts-in-issues-using-task-lists.md b/content/code-security/code-scanning/managing-code-scanning-alerts/tracking-code-scanning-alerts-in-issues-using-task-lists.md deleted file mode 100644 index 54b4d9c15c49..000000000000 --- a/content/code-security/code-scanning/managing-code-scanning-alerts/tracking-code-scanning-alerts-in-issues-using-task-lists.md +++ /dev/null 
@@ -1,83 +0,0 @@ ---- -title: Tracking code scanning alerts in issues using task lists -shortTitle: Track alerts in issues -intro: You can add code scanning alerts to issues using task lists. This makes it easy to create a plan for development work that includes fixing alerts. -permissions: '{% data reusables.permissions.code-scanning-all-alerts %}' -versions: - feature: code-scanning-task-lists -redirect_from: - - /code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/tracking-code-scanning-alerts-in-issues-using-task-lists -type: how_to -topics: - - Code Security - - Code scanning - - Alerts - - Repositories - - Issues ---- - -{% data reusables.code-scanning.beta-alert-tracking-in-issues %} - -## About tracking {% data variables.product.prodname_code_scanning %} alerts in issues - -{% data variables.product.prodname_code_scanning_caps %} alerts integrate with task lists in {% data variables.product.prodname_github_issues %} to allow you to prioritize and track alerts with all your development work. To track a {% data variables.product.prodname_code_scanning %} alert in an existing issue, add the URL for the alert as a task list item in the issue. For more information about task lists, see [AUTOTITLE](/get-started/writing-on-github/working-with-advanced-formatting/about-task-lists). - -You can also quickly create a new issue to track an alert: -* From a {% data variables.product.prodname_code_scanning %} alert. For more information, see [Creating a tracking issue from a {% data variables.product.prodname_code_scanning %} alert](#creating-a-tracking-issue-from-a-code-scanning-alert). -* From the API. For more information, see [Creating a tracking issue from the API](#creating-a-tracking-issue-from-the-api). 
- -You can use more than one issue to track the same {% data variables.product.prodname_code_scanning %} alert, and issues can belong to different repositories from the repository where the {% data variables.product.prodname_code_scanning %} alert was found. - -{% data variables.product.github %} provides visual cues in different locations of the user interface to indicate when you are tracking {% data variables.product.prodname_code_scanning %} alerts in issues. - -* The {% data variables.product.prodname_code_scanning %} alerts list page will show which alerts are tracked in issues so that you can view at a glance which alerts still require processing and how many issues they are tracked in. - - ![Screenshot of {% data variables.product.prodname_code_scanning %} alerts view. The first and third entries include the issue icon with the issue number.](/assets/images/help/repository/code-scanning-alert-list-tracked-issues.png) - -* A "tracked in" section will also show in the corresponding alert page. - - ![Screenshot of a {% data variables.product.prodname_code_scanning %} alert. Under the alert title, "Tracked by #1, #2" is outlined in dark orange.](/assets/images/help/repository/code-scanning-alert-tracked-in-pill.png) - -* On the tracking issue, {% data variables.product.prodname_dotcom %} displays a security badge icon in the task list and on the hovercard. - - > [!NOTE] - > Only users with write permissions to the repository will see the unfurled URL to the alert in the issue, as well as the hovercard. For users with read permissions to the repository, or no permissions at all, the alert will appear as a plain URL. - - The color of the icon is grey because an alert has a status of "open" or "closed" on every branch. The issue tracks an alert, so the alert cannot have a single open/closed state in the issue. If the alert is closed on one branch, the icon color will not change. 
- - ![Screenshot of an issue that tracks a {% data variables.product.prodname_code_scanning %} alert. The hovercard is displayed, with a grey security badge icon.](/assets/images/help/repository/code-scanning-tracking-issue-hovercard.png) - -The status of the tracked alert won't change if you change the checkbox state of the corresponding task list item (checked/unchecked) in the issue. - -## Creating a tracking issue - -Instead of tracking a {% data variables.product.prodname_code_scanning %} alert in an existing issue, you can create a new issue to track an alert directly. You can create tracking issues for {% data variables.product.prodname_code_scanning %} alerts from the alert itself, or from the API. - -### Creating a tracking issue from a {% data variables.product.prodname_code_scanning %} alert - -{% data reusables.repositories.navigate-to-repo %} -{% data reusables.repositories.sidebar-security %} -{% data reusables.repositories.sidebar-code-scanning-alerts %} -{% data reusables.code-scanning.explore-alert %} -1. Optionally, to find the alert to track, you can use the free-text search or the drop-down menus to filter and locate the alert. For more information, see [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/assessing-code-scanning-alerts-for-your-repository#filtering-code-scanning-alerts). -1. Towards the top of the page, on the right side, click **Create issue**. - - ![Screenshot of a {% data variables.product.prodname_code_scanning %} alert. The "Create issue" button is outlined in dark orange.](/assets/images/help/repository/code-scanning-create-issue-for-alert.png) - - {% data variables.product.prodname_dotcom %} automatically creates an issue to track the alert and adds the alert as a task list item. - {% data variables.product.prodname_dotcom %} prepopulates the issue: - * The title contains the name of the {% data variables.product.prodname_code_scanning %} alert. 
- * The body contains the task list item with the full URL to the {% data variables.product.prodname_code_scanning %} alert. -1. Optionally, edit the title and the body of the issue. - - > [!WARNING] - > You may want to edit the title of the issue as it may expose security information. You can also edit the body of the issue. Make sure that you keep the task list item with a link to the alert otherwise the issue will no longer track the alert. - -1. Click **Submit new issue**. - -### Creating a tracking issue from the API - -1. Begin creating an issue through the API. For more information, see [Create an issue](/rest/issues/issues#create-an-issue). -1. Provide the code scanning link within the body of the issue. You must use the following task list syntax to create the tracked relationship: `- [ ] FULL-URL-TO-THE-CODE-SCANNING-ALERT`. - - For example, if you add `- [ ] https://github.com/octocat-org/octocat-repo/security/code-scanning/17` to an issue, the issue will track the {% data variables.product.prodname_code_scanning %} alert that has an ID number of 17 in the **Security** tab of the `octocat-repo` repository in the `octocat-org` organization. diff --git a/content/get-started/writing-on-github/working-with-advanced-formatting/about-task-lists.md b/content/get-started/writing-on-github/working-with-advanced-formatting/about-task-lists.md index 098af9a9c027..a4faeb0fc7c9 100644 --- a/content/get-started/writing-on-github/working-with-advanced-formatting/about-task-lists.md +++ b/content/get-started/writing-on-github/working-with-advanced-formatting/about-task-lists.md 
@@ -70,9 +70,3 @@ Any issues that are referenced in a task list specify that they are tracked by t ![Screenshot of issue 3 showing the issue status of "Open" and the text "Tracked by issue #2", which is outlined in orange.](/assets/images/help/writing/task-list-tracked.png) {% endif %} - -{% ifversion code-scanning-task-lists %} - -## Further reading - -* [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/tracking-code-scanning-alerts-in-issues-using-task-lists){% endif %} diff --git a/content/issues/tracking-your-work-with-issues/using-issues/creating-an-issue.md b/content/issues/tracking-your-work-with-issues/using-issues/creating-an-issue.md index f3734d27d237..6a006ee9f0af 100644 --- a/content/issues/tracking-your-work-with-issues/using-issues/creating-an-issue.md +++ b/content/issues/tracking-your-work-with-issues/using-issues/creating-an-issue.md @@ -145,7 +145,7 @@ You can use query parameters to open issues. Query parameters are optional parts You must have the proper permissions for any action to use the equivalent query parameter. For example, you must have permission to add a label to an issue to use the `labels` query parameter. For more information, see [AUTOTITLE](/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/repository-roles-for-an-organization). -If you create an invalid URL using query parameters, or if you don’t have the proper permissions, the URL will return a `404 Not Found` error page. If you create a URL that exceeds the server limit, the URL will return a `414 URI Too Long` error page. +If you create an invalid URL using query parameters, or if you don't have the proper permissions, the URL will return a `404 Not Found` error page. If you create a URL that exceeds the server limit, the URL will return a `414 URI Too Long` error page. Query parameter | Example --- | --- 
@@ -161,16 +161,6 @@ Query parameter | Example You can also use URL query parameters to fill custom text fields that you have defined in issue form templates. Query parameters for issue form fields can also be passed to the issue template chooser. For more information, see [AUTOTITLE](/communities/using-templates-to-encourage-useful-issues-and-pull-requests/syntax-for-githubs-form-schema#keys). {% endif %} -{% ifversion code-scanning-task-lists %} - -## Creating an issue from a {% data variables.product.prodname_code_scanning %} alert - -{% data reusables.code-scanning.beta-alert-tracking-in-issues %} -If you're using issues to track and prioritize your work, you can use issues to track {% data variables.product.prodname_code_scanning %} alerts. -{% data reusables.code-scanning.alert-tracking-link %} - -{% endif %} - {% ifversion copilot %} ## Creating an issue from {% data variables.product.prodname_copilot_chat_short %} From d9c4f1103fbbd7776c7bab1ed52f5613b0e7367b Mon Sep 17 00:00:00 2001 
From: docs-bot <77750099+docs-bot@users.noreply.github.com> Date: Mon, 5 May 2025 10:23:55 -0700 Subject: [PATCH 4/8] Delete orphaned files (2025-05-05-16-35) (#55503) --- .../key-value-pair-order-irrelevant.md | 1 - .../replacing-a-cluster-node-mark-offline.md | 11 ----------- .../replacing-a-cluster-node-need-three-nodes.md | 1 - .../replacing-a-cluster-node-replacement-name.md | 10 ---------- .../replacing-a-cluster-node-validate-config.md | 1 - .../enterprise_site_admin_settings/click-preview.md | 1 - 6 files changed, 25 deletions(-) delete mode 100644 data/reusables/enterprise_clustering/key-value-pair-order-irrelevant.md delete mode 100644 data/reusables/enterprise_clustering/replacing-a-cluster-node-mark-offline.md delete mode 100644 data/reusables/enterprise_clustering/replacing-a-cluster-node-need-three-nodes.md delete mode 100644 data/reusables/enterprise_clustering/replacing-a-cluster-node-replacement-name.md delete mode 100644 data/reusables/enterprise_clustering/replacing-a-cluster-node-validate-config.md delete mode 100644 data/reusables/enterprise_site_admin_settings/click-preview.md diff --git a/data/reusables/enterprise_clustering/key-value-pair-order-irrelevant.md b/data/reusables/enterprise_clustering/key-value-pair-order-irrelevant.md deleted file mode 100644 index fb58841728ed..000000000000 --- a/data/reusables/enterprise_clustering/key-value-pair-order-irrelevant.md +++ /dev/null @@ -1 +0,0 @@ -The order of the key-value pairs doesn't matter. diff --git a/data/reusables/enterprise_clustering/replacing-a-cluster-node-mark-offline.md b/data/reusables/enterprise_clustering/replacing-a-cluster-node-mark-offline.md deleted file mode 100644 index 37255b65966a..000000000000 --- a/data/reusables/enterprise_clustering/replacing-a-cluster-node-mark-offline.md +++ /dev/null 
@@ -1,11 +0,0 @@ -1. To mark the failed node offline, on any node, modify the [cluster configuration file](/admin/enterprise-management/configuring-clustering/initializing-the-cluster#about-the-cluster-configuration-file) (`cluster.conf`) in the relevant node section to include the text `offline = true`. - - For example, this modified `cluster.conf` will mark the `ghe-data-node-3` node as offline: - -
-   [cluster "ghe-data-node-3"]
-   hostname = ghe-data-node-3
-   offline = true
-   ipv4 = 192.168.0.6
-   # ipv6 = fd12:3456:789a:1::6
-   
diff --git a/data/reusables/enterprise_clustering/replacing-a-cluster-node-need-three-nodes.md b/data/reusables/enterprise_clustering/replacing-a-cluster-node-need-three-nodes.md deleted file mode 100644 index 010905ff71be..000000000000 --- a/data/reusables/enterprise_clustering/replacing-a-cluster-node-need-three-nodes.md +++ /dev/null @@ -1 +0,0 @@ -1. If you're taking a node offline that provides data services, such as `git-server`, `pages-server`, or `storage-server`, evacuate the node. For more information, see [AUTOTITLE](/admin/enterprise-management/configuring-clustering/evacuating-a-cluster-node-running-data-services). diff --git a/data/reusables/enterprise_clustering/replacing-a-cluster-node-replacement-name.md b/data/reusables/enterprise_clustering/replacing-a-cluster-node-replacement-name.md deleted file mode 100644 index 8746dadde7aa..000000000000 --- a/data/reusables/enterprise_clustering/replacing-a-cluster-node-replacement-name.md +++ /dev/null @@ -1,10 +0,0 @@ -1. If you're replacing the primary Redis node, in `cluster.conf`, modify the `redis-master` value with the replacement node name. - - > [!NOTE] - > If your primary Redis node is also your primary MySQL node, see [Replacing the primary database node](#replacing-the-primary-database-node-mysql-or-mysql-and-mssql). - - For example, this modified `cluster.conf` file specifies a newly provisioned cluster node, `ghe-replacement-data-node-1` as the primary Redis node: - -
-   redis-master = ghe-replacement-data-node-1
-   
diff --git a/data/reusables/enterprise_clustering/replacing-a-cluster-node-validate-config.md b/data/reusables/enterprise_clustering/replacing-a-cluster-node-validate-config.md deleted file mode 100644 index 8634ab4903af..000000000000 --- a/data/reusables/enterprise_clustering/replacing-a-cluster-node-validate-config.md +++ /dev/null @@ -1 +0,0 @@ -1. From the administrative shell of the node where you modified `cluster.conf`, run `ghe-cluster-config-apply`. This will validate the configuration file, copy it to each node in the cluster, and mark the node offline. diff --git a/data/reusables/enterprise_site_admin_settings/click-preview.md b/data/reusables/enterprise_site_admin_settings/click-preview.md deleted file mode 100644 index 39a8d3eaf452..000000000000 --- a/data/reusables/enterprise_site_admin_settings/click-preview.md +++ /dev/null @@ -1 +0,0 @@ -1. To see the rendered message, click **Preview**. From 9ea29637c98a96279ccc626205a2169f4ffc2473 Mon Sep 17 00:00:00 2001 From: Evan Bonsignori Date: Mon, 5 May 2025 10:25:23 -0700 Subject: [PATCH 5/8] add ghes support to Copilot Search (#55487) --- .../components/experiments/experiments.ts | 5 -- .../helpers/execute-search-actions.ts | 10 +-- src/search/components/input/AskAIResults.tsx | 2 +- src/search/lib/ai-search-proxy.ts | 22 +++--- src/search/lib/elasticsearch-indexes.ts | 10 ++- .../lib/helpers/cse-copilot-docs-versions.ts | 71 +++---------------- .../search-params-objects.ts | 13 +--- src/search/tests/api-ai-search.ts | 26 +------ 8 files changed, 36 insertions(+), 123 deletions(-) diff --git a/src/events/components/experiments/experiments.ts b/src/events/components/experiments/experiments.ts index 050d134e6936..6d4e1b87df1f 100644 --- a/src/events/components/experiments/experiments.ts +++ b/src/events/components/experiments/experiments.ts 
@@ -24,11 +24,6 @@ export const EXPERIMENTS = { percentOfUsersToGetExperiment: 0, // 10% of users will get the experiment includeVariationInContext: true, // All events will include the `experiment_variation` of the `ai_search_experiment` limitToLanguages: ['en'], // Only users with the `en` language will be included in the experiment - limitToVersions: [ - 'free-pro-team@latest', - 'enterprise-cloud@latest', - 'enterprise-server@latest', - ], // Only enable for versions alwaysShowForStaff: true, // When set to true, staff will always see the experiment (determined by the `staffonly` cookie) turnOnWithURLParam: 'ai_search', /// When the query param `?feature=ai_search` is set, the experiment will be enabled }, diff --git a/src/search/components/helpers/execute-search-actions.ts b/src/search/components/helpers/execute-search-actions.ts index 24809ef0ca37..8c746101dc51 100644 --- a/src/search/components/helpers/execute-search-actions.ts +++ b/src/search/components/helpers/execute-search-actions.ts @@ -45,18 +45,10 @@ export function executeGeneralSearch( router.push(asPath, undefined, { shallow: false }) } -export async function executeAISearch( - router: NextRouter, - version: string, - query: string, - debug = false, -) { - let language = router.locale || 'en' - +export async function executeAISearch(version: string, query: string, debug = false) { const body = { query, version, - language, ...(debug && { debug: '1' }), } diff --git a/src/search/components/input/AskAIResults.tsx b/src/search/components/input/AskAIResults.tsx index 9ebc584b1134..d374466f9af9 100644 --- a/src/search/components/input/AskAIResults.tsx +++ b/src/search/components/input/AskAIResults.tsx 
@@ -167,7 +167,7 @@ export function AskAIResults({ let conversationIdBuffer = '' try { - const response = await executeAISearch(router, version, query, debug) + const response = await executeAISearch(version, query, debug) if (!response.ok) { // If there is JSON and the `upstreamStatus` key, the error is from the upstream sever (CSE) let responseJson diff --git a/src/search/lib/ai-search-proxy.ts b/src/search/lib/ai-search-proxy.ts index d7a925955f64..7c2384039a1c 100644 --- a/src/search/lib/ai-search-proxy.ts +++ b/src/search/lib/ai-search-proxy.ts @@ -1,11 +1,12 @@ -import { Request, Response } from 'express' +import { Response } from 'express' import statsd from '@/observability/lib/statsd' import got from 'got' import { getHmacWithEpoch } from '@/search/lib/helpers/get-cse-copilot-auth' import { getCSECopilotSource } from '@/search/lib/helpers/cse-copilot-docs-versions' +import type { ExtendedRequest } from '@/types' -export const aiSearchProxy = async (req: Request, res: Response) => { - const { query, version, language } = req.body +export const aiSearchProxy = async (req: ExtendedRequest, res: Response) => { + const { query, version } = req.body const errors = [] @@ -15,18 +16,12 @@ export const aiSearchProxy = async (req: Request, res: Response) => { } else if (typeof query !== 'string') { errors.push({ message: `Invalid 'query' in request body. Must be a string` }) } - if (!version) { - errors.push({ message: `Missing required key 'version' in request body` }) - } - if (!language) { - errors.push({ message: `Missing required key 'language' in request body` }) - } let docsSource = '' try { - docsSource = getCSECopilotSource(version, language) + docsSource = getCSECopilotSource(version) } catch (error: any) { - errors.push({ message: error?.message || 'Invalid version or language' }) + errors.push({ message: error?.message || 'Invalid version' }) } if (errors.length) { 
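Review bot: `version` from `req.body` reaches `getCSECopilotSource` with no type check in the `@@ -15,18 +16,12 @@` hunk, while the neighbouring `query` check still rejects non-strings; a non-string value or a prototype-chain key (an object, or a name like `constructor`) is only stopped by whatever the helper happens to throw, and `error?.message` is then echoed to the client as-is. I'd mirror the query check before the try: `if (version !== undefined && typeof version !== 'string') errors.push({ message: \`Invalid 'version' in request body. Must be a string\` })`, and reflect only messages from deliberate validation errors rather than any `any`-typed throwable (`error instanceof Error ? error.message : 'Invalid version'`). aiSearchProxy continues outside the hunk, so I cannot see whether `errors` is later serialised verbatim, but the old code did exactly that with the language check.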
@@ -36,7 +31,7 @@ export const aiSearchProxy = async (req: Request, res: Response) => { const diagnosticTags = [ `version:${version}`.slice(0, 200), - `language:${language}`.slice(0, 200), + `language:${req.language}`.slice(0, 200), `queryLength:${query.length}`.slice(0, 200), ] statsd.increment('ai-search.call', 1, diagnosticTags) @@ -52,7 +47,8 @@ export const aiSearchProxy = async (req: Request, res: Response) => { } try { - const stream = got.stream.post(`${process.env.CSE_COPILOT_ENDPOINT}/answers`, { + // TODO: We temporarily add ?ai_search=1 to use a new pattern in cgs-copilot production + const stream = got.stream.post(`${process.env.CSE_COPILOT_ENDPOINT}/answers?ai_search=1`, { json: body, headers: { Authorization: getHmacWithEpoch(), diff --git a/src/search/lib/elasticsearch-indexes.ts b/src/search/lib/elasticsearch-indexes.ts index 4990d229a97b..349215ecde3b 100644 --- a/src/search/lib/elasticsearch-indexes.ts +++ b/src/search/lib/elasticsearch-indexes.ts @@ -74,7 +74,15 @@ export function getElasticSearchIndex( } // e.g. free-pro-team becomes fpt for the index name - const indexVersion = versionToIndexVersionMap[version] + let indexVersion = versionToIndexVersionMap[version] + + // TODO: For AI Search, we initially only supported the latest GHES version + // Supporting more versions would involve adding more indexes and generating the data to fill them + // As a work around, we will just use the latest version for all GHES suggestions / autocomplete + // This is a temporary fix until we can support more versions + if (type === 'aiSearchAutocomplete' && indexVersion.startsWith('ghes')) { + indexVersion = versionToIndexVersionMap['enterprise-server'] + } // In the index-test-fixtures.sh script, we use the tests_ prefix index for testing const testPrefix = process.env.NODE_ENV === 'test' ? 'tests_' : '' 
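Review bot: The `?ai_search=1` appended as a string literal to `process.env.CSE_COPILOT_ENDPOINT` in the `@@ -52,7 +47,8 @@` hunk yields a malformed URL (`…?x=y?ai_search=1`) if the endpoint is ever configured with its own query string, and the `// TODO` names no ticket or condition for removing it. got already takes query parameters as an option, so `got.stream.post(\`${process.env.CSE_COPILOT_ENDPOINT}/answers\`, { searchParams: { ai_search: '1' }, json: body, headers: { … } })` keeps the base URL opaque; I'd also extend the comment to `// TODO(<issue>): remove ?ai_search=1 once cse-copilot production no longer needs the new pattern`. The surrounding try block and aiSearchProxy continue outside the hunk.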
diff --git a/src/search/lib/helpers/cse-copilot-docs-versions.ts b/src/search/lib/helpers/cse-copilot-docs-versions.ts index 8fe490f032e0..eb2e96729785 100644 --- a/src/search/lib/helpers/cse-copilot-docs-versions.ts +++ b/src/search/lib/helpers/cse-copilot-docs-versions.ts @@ -1,5 +1,4 @@ // Versions used by cse-copilot -import { allVersions } from '@/versions/lib/all-versions' import { versionToIndexVersionMap } from '../elasticsearch-versions' const CSE_COPILOT_DOCS_VERSIONS = ['dotcom', 'ghec', 'ghes'] 
@@ -9,70 +8,22 @@ export function supportedCSECopilotLanguages() { return DOCS_LANGUAGES } -export function getCSECopilotSource( - version: (typeof CSE_COPILOT_DOCS_VERSIONS)[number], - language: (typeof DOCS_LANGUAGES)[number], -) { - const mappedVersion = versionToIndexVersionMap[version] - const { cseCopilotDocsVersion, ghesButNotLatest } = getVersionInfo(mappedVersion) +export function getCSECopilotSource(version: (typeof CSE_COPILOT_DOCS_VERSIONS)[number]) { + if (!version) { + throw new Error(`Missing required key 'version' in request body`) + } - if (ghesButNotLatest) { - throw new Error( - `Only the latest version of GHES is supported for cse-copilot queries. Please use 'ghes@latest'`, - ) + let mappedVersion = versionToIndexVersionMap[version] + // CSE-Copilot uses 'dotcom' as the version name for free-pro-team + if (mappedVersion === 'fpt') { + mappedVersion = 'dotcom' } - if (!CSE_COPILOT_DOCS_VERSIONS.includes(cseCopilotDocsVersion)) { + if (!CSE_COPILOT_DOCS_VERSIONS.includes(mappedVersion) && !mappedVersion?.startsWith('ghes-')) { throw new Error( `Invalid 'version' in request body: '${version}'. Must be one of: ${CSE_COPILOT_DOCS_VERSIONS.join(', ')}`, ) } - if (!DOCS_LANGUAGES.includes(language)) { - throw new Error( - `Invalid 'language' in request body '${language}'. Must be one of: ${DOCS_LANGUAGES.join(', ')}`, - ) - } - // cse-copilot uses version names in the form `docs__`, e.g. 
`docs_ghes_en` - return `docs_${cseCopilotDocsVersion}_${language}` -} - -function getVersionInfo(Version: string): { - cseCopilotDocsVersion: string - ghesButNotLatest: boolean -} { - const versionObject = Object.values(allVersions).find( - (info) => - info.shortName === Version || - info.plan === Version || - info.miscVersionName === Version || - info.currentRelease === Version, - ) - - let cseCopilotDocsVersion = versionObject?.shortName || '' - let ghesButNotLatest = false - if (!versionObject || !cseCopilotDocsVersion) { - return { - cseCopilotDocsVersion, - ghesButNotLatest, - } - } - - // CSE-Copilot uses 'dotcom' as the version name for free-pro-team - if (cseCopilotDocsVersion === 'fpt') { - cseCopilotDocsVersion = 'dotcom' - } - - // If ghes, we only support the latest version for cse-copilot queries - // Since that's the only version cse-copilot scrapes from our docs - if ( - versionObject.shortName === 'ghes' && - versionObject.currentRelease !== versionObject.latestRelease - ) { - ghesButNotLatest = true - } - - return { - cseCopilotDocsVersion, - ghesButNotLatest, - } + // cse-copilot uses version names in the form `docs_`, e.g. `docs_ghes-3.16` + return `docs_${mappedVersion}` } diff --git a/src/search/lib/search-request-params/search-params-objects.ts b/src/search/lib/search-request-params/search-params-objects.ts index 0fb8fa5e7cae..356e0ff9c90c 100644 --- a/src/search/lib/search-request-params/search-params-objects.ts +++ b/src/search/lib/search-request-params/search-params-objects.ts @@ -6,7 +6,6 @@ import languages from '@/languages/lib/languages' import { allIndexVersionKeys, versionToIndexVersionMap } from '@/search/lib/elasticsearch-versions' import { SearchTypes } from '@/search/types' -import { latest } from '@/versions/lib/enterprise-server-releases' import type { SearchRequestQueryParams } from '@/search/lib/search-request-params/types' 
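Review bot: `versionToIndexVersionMap[version]` in the new `getCSECopilotSource` body is indexed with whatever the request carried, so a non-string value or an inherited property name such as `constructor` or `__proto__` produces a non-string `mappedVersion`; `includes` is then false and `mappedVersion?.startsWith('ghes-')` throws a TypeError instead of the intended validation error, and per the proxy hunk that TypeError's message is what gets reported to the caller. I'd guard the lookup before using it: `if (typeof version !== 'string' || !Object.prototype.hasOwnProperty.call(versionToIndexVersionMap, version)) throw new Error(\`Invalid 'version' in request body: '${version}'. Must be one of: ${CSE_COPILOT_DOCS_VERSIONS.join(', ')}\`)`. The 'Must be one of' message also still lists only `dotcom, ghec, ghes` although `ghes-*` index names are now accepted, so it under-documents the accepted values; mention the per-release form (e.g. `ghes-3.16`) there. Whether `versionToIndexVersionMap` is a plain object with an inherited prototype is not visible in this diff.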
@@ -120,20 +119,14 @@ const SHARED_AUTOCOMPLETE_PARAMS_OBJ: SearchRequestQueryParams[] = [ cast: (size: string) => parseInt(size, 10), validate: (size: number) => size >= 0 && size <= MAX_AUTOCOMPLETE_SIZE, }, - // We only want to enable for latest versions of fpt, ghec, and ghes { key: 'version', default_: 'free-pro-team', validate: (version: string) => { - const mappedVersion = versionToIndexVersionMap[version] - if ( - mappedVersion === 'fpt' || - mappedVersion === 'ghec' || - mappedVersion === `ghes-${latest}` - ) { - return true + if (!versionToIndexVersionMap[version]) { + throw new ValidationError(`'${version}' not in ${allIndexVersionKeys.join(', ')}`) } - return false + return true }, }, ] diff --git a/src/search/tests/api-ai-search.ts b/src/search/tests/api-ai-search.ts index 9b66f2c6db30..faba979a138a 100644 --- a/src/search/tests/api-ai-search.ts +++ b/src/search/tests/api-ai-search.ts @@ -94,24 +94,8 @@ describe('AI Search Routes', () => { ]) }) - test('should handle validation errors: language missing', async () => { - let body = { query: 'example query', version: 'dotcom' } - const response = await post('/api/ai-search/v1', { - body: JSON.stringify(body), - headers: { 'Content-Type': 'application/json' }, - }) - - const responseBody = JSON.parse(response.body) - - expect(response.ok).toBe(false) - expect(responseBody['errors']).toEqual([ - { message: `Missing required key 'language' in request body` }, - { message: `Invalid 'language' in request body 'undefined'. Must be one of: en` }, - ]) - }) - test('should handle validation errors: version missing', async () => { - let body = { query: 'example query', language: 'en' } + let body = { query: 'example query' } const response = await post('/api/ai-search/v1', { body: JSON.stringify(body), headers: { 'Content-Type': 'application/json' }, 
@@ -122,13 +106,10 @@ describe('AI Search Routes', () => { expect(response.ok).toBe(false) expect(responseBody['errors']).toEqual([ { message: `Missing required key 'version' in request body` }, - { - message: `Invalid 'version' in request body: 'undefined'. Must be one of: dotcom, ghec, ghes`, - }, ]) }) - test('should handle multiple validation errors: query missing, invalid language and version', async () => { + test('should handle multiple validation errors: query missing and version', async () => { let body = { language: 'fr', version: 'fpt' } const response = await post('/api/ai-search/v1', { body: JSON.stringify(body), @@ -140,9 +121,6 @@ describe('AI Search Routes', () => { expect(response.ok).toBe(false) expect(responseBody['errors']).toEqual([ { message: `Missing required key 'query' in request body` }, - { - message: `Invalid 'language' in request body 'fr'. Must be one of: en`, - }, ]) }) }) From 7f6750355e5e92e8d2921e91370b95fa8a3c7029 Mon Sep 17 00:00:00 2001 From: Brice <13542296+briceholland@users.noreply.github.com> Date: Mon, 5 May 2025 10:25:48 -0700 Subject: [PATCH 6/8] Update about-github-premium-support.md (#55495) --- .../about-github-premium-support.md | 1 - 1 file changed, 1 deletion(-) diff --git a/content/support/learning-about-github-support/about-github-premium-support.md b/content/support/learning-about-github-support/about-github-premium-support.md index 0a45627bc0c2..84ac6e2b659a 100644 --- a/content/support/learning-about-github-support/about-github-premium-support.md +++ b/content/support/learning-about-github-support/about-github-premium-support.md 
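Review bot: With the `Invalid 'version' … Must be one of: dotcom, ghec, ghes` expectation removed in the `@@ -122,13 +106,10 @@` hunk, no remaining test in this file asserts that an unknown or non-string `version` is rejected, even though the proxy's rejection path for that field now rests entirely on `getCSECopilotSource`. I'd add a case alongside the existing ones: `let body = { query: 'example query', version: 'not-a-version' }` posted the same way, asserting `response.ok` is false and that `responseBody['errors'][0].message` starts with `Invalid 'version' in request body`, plus one with `version: {}` to pin the non-string path to a validation error rather than an internal TypeError. The enclosing `describe` block starts outside the hunk.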
@@ -145,7 +145,6 @@ Premium Plus customers are eligible to receive one virtual training class per ye * {% data variables.product.prodname_copilot %} Fundamentals * {% data variables.product.prodname_copilot %} Intermediate * {% data variables.product.prodname_copilot %} Administration & Security -* {% data variables.product.prodname_enterprise %} Implementation (Server) * {% data variables.product.prodname_enterprise %} Implementation (Cloud) We recommend limiting training sessions to a maximum of 16 participants to ensure an optimal provider-to-participant ratio and a high-quality delivery experience. However, in specific cases where it makes sense, we can accommodate up to 20–25 participants while maintaining our commitment to delivering a valuable training experience for your team. From b8394b68804eb2ff4ad53af5c90407dde4a4ac19 Mon Sep 17 00:00:00 2001 From: Hirsch Singhal <1666363+hpsin@users.noreply.github.com> Date: Mon, 5 May 2025 10:27:31 -0700 Subject: [PATCH 7/8] Routinely validate your users authz (#55489) --- .../best-practices-for-creating-a-github-app.md | 4 ++-- data/reusables/apps/best-practice-validate-org-access.md | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/content/apps/creating-github-apps/about-creating-github-apps/best-practices-for-creating-a-github-app.md b/content/apps/creating-github-apps/about-creating-github-apps/best-practices-for-creating-a-github-app.md index dfcb1414fe8e..951608626174 100644 --- a/content/apps/creating-github-apps/about-creating-github-apps/best-practices-for-creating-a-github-app.md +++ b/content/apps/creating-github-apps/about-creating-github-apps/best-practices-for-creating-a-github-app.md 
@@ -74,9 +74,9 @@ An installation access token is restricted based on the {% data variables.produc Your app should never use a {% data variables.product.pat_generic %} or {% data variables.product.company_short %} password to authenticate. -## Authorize thoroughly and durably +## Check authorization thoroughly, durably, and often -After signing in a user, app developers must take additional steps to ensure that the user is meant to have access to the data in your system. Each sign in requires fresh checks around their memberships, access, and their current SSO status. +After signing in a user, app developers must take additional steps to ensure that the user is meant to have access to the data in your system. You must routinely check that their memberships, access, and their current SSO status all allow access to your application and the resources it protects. ### Use the durable, unique `id` to store the user diff --git a/data/reusables/apps/best-practice-validate-org-access.md b/data/reusables/apps/best-practice-validate-org-access.md index 3cbc9be01338..66ac777ef50f 100644 --- a/data/reusables/apps/best-practice-validate-org-access.md +++ b/data/reusables/apps/best-practice-validate-org-access.md 
@@ -1 +1 @@ -When you use a user access token, you should track which organizations the token is authorized for. If an organization uses SAML SSO and a user has not performed SAML SSO, the user access token will not have access to that organization. You can use the `GET /user/installations` REST API endpoint to verify which organizations a user access token has access to. If the user is not authorized to access an organization, you should prevent their access to organization owned data within your own application until they perform SAML SSO. For more information, see [AUTOTITLE](/rest/apps/installations#list-app-installations-accessible-to-the-user-access-token). +When you sign in a user, you should track which organizations the user's token is authorized for. This can change over time after sign in as users are removed from organizations. If an organization uses SAML SSO and a user has not performed SAML SSO, the user access token will not have access to that organization. You should use the `GET /user/installations` REST API endpoint regularly to verify which organizations a user access token has access to. If the user is not authorized to access an organization, you should prevent their access to organization owned data within your own application until they perform SAML SSO or rejoin the organization. For more information, see [AUTOTITLE](/rest/apps/installations#list-app-installations-accessible-to-the-user-access-token). From 0ee646d0d55bc9e586db440694691e6e75853350 Mon Sep 17 00:00:00 2001 From: docs-bot <77750099+docs-bot@users.noreply.github.com> Date: Mon, 5 May 2025 10:30:47 -0700 Subject: [PATCH 8/8] Update audit log event data (#55502) Co-authored-by: Sunbrye Ly <56200261+sunbrye@users.noreply.github.com> --- src/audit-logs/data/fpt/organization.json | 5 +++++ src/audit-logs/data/ghec/enterprise.json | 5 +++++ src/audit-logs/data/ghec/organization.json | 5 +++++ src/audit-logs/lib/config.json | 2 +- 4 files changed, 16 insertions(+), 1 deletion(-) 
diff --git a/src/audit-logs/data/fpt/organization.json b/src/audit-logs/data/fpt/organization.json index 1bff0a04481f..46e95fb5a73b 100644 --- a/src/audit-logs/data/fpt/organization.json +++ b/src/audit-logs/data/fpt/organization.json @@ -369,6 +369,11 @@ "description": "Dependabot alerts were enabled for all new repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-automatically-when-new-repositories-are-added" }, + { + "action": "dependabot_repository_access.default_access_level_updated", + "description": "The default repository access for Dependabot was updated.", + "docs_reference_links": "N/A" + }, { "action": "dependabot_repository_access.repositories_updated", "description": "The repositories that Dependabot can access were updated.", diff --git a/src/audit-logs/data/ghec/enterprise.json b/src/audit-logs/data/ghec/enterprise.json index 795693e8481c..9d52f61fb56c 100644 --- a/src/audit-logs/data/ghec/enterprise.json +++ b/src/audit-logs/data/ghec/enterprise.json @@ -989,6 +989,11 @@ "description": "Dependabot alerts were enabled for all new repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-automatically-when-new-repositories-are-added" }, + { + "action": "dependabot_repository_access.default_access_level_updated", + "description": "The default repository access for Dependabot was updated.", + "docs_reference_links": "N/A" + }, { "action": "dependabot_repository_access.repositories_updated", "description": "The repositories that Dependabot can access were updated.", diff --git a/src/audit-logs/data/ghec/organization.json b/src/audit-logs/data/ghec/organization.json index 1bff0a04481f..46e95fb5a73b 100644 
--- a/src/audit-logs/data/ghec/organization.json +++ b/src/audit-logs/data/ghec/organization.json @@ -369,6 +369,11 @@ "description": "Dependabot alerts were enabled for all new repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-automatically-when-new-repositories-are-added" }, + { + "action": "dependabot_repository_access.default_access_level_updated", + "description": "The default repository access for Dependabot was updated.", + "docs_reference_links": "N/A" + }, { "action": "dependabot_repository_access.repositories_updated", "description": "The repositories that Dependabot can access were updated.", diff --git a/src/audit-logs/lib/config.json b/src/audit-logs/lib/config.json index fcbe8b94b973..4d7f6b5b1368 100644 --- a/src/audit-logs/lib/config.json +++ b/src/audit-logs/lib/config.json @@ -3,5 +3,5 @@ "apiOnlyEvents": "This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "apiRequestEvent": "This event is only available via audit log streaming." }, - "sha": "961356f4c2523591e15b4f0cae039ee834edfb70" + "sha": "03efba5e096f01d4d6e7d2ea9dfaf06a8128fe60" } \ No newline at end of file