Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
16 commits
Select commit Hold shift + click to select a range
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
58 changes: 58 additions & 0 deletions .github/instructions/content.instructions.md
Original file line number Diff line number Diff line change
Expand Up @@ -92,3 +92,61 @@ Examples:
* ❌ Incorrect: "The cat – which sat on a branch – smiled with a broad grin." (en dash with spaces)
* ❌ Incorrect: "The cat-which sat on a branch-smiled with a broad grin." (hyphen without spaces)
* ❌ Incorrect: "The cat - which sat on a branch - smiled with a broad grin." (hyphen with spaces)

## Versioning

Avoid `{% ifversion fpt %}`, `{% ifversion ghec %}`, and `{% ifversion fpt or ghec %}` in content files whenever possible. Instead of suggesting or adding version-gating within an article:

* Write content that applies to all versions the article is versioned for
* If content is truly version-specific, consider whether it is low-harm to show it to all readers (e.g., an enterprise-only row in a reference table)
* Only use `{% ifversion %}` as a last resort when content would be actively misleading for readers on a different version

**FPT and GHEC content**: When dotcom content applies to both products, version the page for `fpt` and `ghec` in the frontmatter. Do NOT use in-article Liquid versioning. Do NOT suggest adding `{% ifversion fpt or ghec %}` blocks as a fix for content that mentions a dotcom-only feature. Instead, suggest rewriting the content using the alternatives to inline versioning options listed below.

**GHES content**: If versioning is necessary for GitHub Enterprise Server content, use feature-based versioning (FBV). GHES content should rely on feature flags defined in `data/features/` rather than inline `{% ifversion ghes %}` blocks. Feature flags allow centralized control of when content appears for specific GHES releases.

### Alternatives to inline versioning

Before resorting to in-article versioning, first consider whether the content is actually different across versions. Often procedures can be simplified to work at both levels.

Use these strategies instead of `{% ifversion %}`, depending on the level of content:

**At the article level:**

* When the feature is only available in certain products, use the "Who can use this feature?" box to convey that the content of the article applies only to specific products
* When an article only exists because the functionality is only available in older GHES releases (and not on {% data variables.product.prodname_dotcom_the_website %} or newer GHES releases), just remove that article

**At the heading level:**

* Use prose similar to "Who can use this feature?" to convey that the content of a section applies only to specific products

**At the paragraph or sentence level:**

* If you're briefly introducing a feature and then linking to an article, there's no need to specify versioning. Let readers learn availability when they follow the link, via the "Who can use this feature?" box
* When necessary, start sentences with "With {% data variables.product.prodname_ghe_cloud %}...", "On {% data variables.product.prodname_dotcom_the_website %}...", etc.
* End list items with "({% data variables.product.prodname_ghe_cloud %} only)", "({% data variables.product.prodname_dotcom_the_website %} only)", etc.
* Specify if the feature is not available for GHES with "NAME-OF-FEATURE is not available for {% data variables.product.prodname_ghe_server %}", "... (not available in {% data variables.product.prodname_ghe_server %})", etc.

### Example

When documenting a feature that only applies to dotcom (not GHES):

❌ Don't wrap content in version blocks:

```markdown
{% ifversion fpt or ghec %}

## Immutable subject claims

Repositories created after July 15, 2026 now use an immutable default subject format.

{% endif %}
```

✅ Do use prose to indicate availability:

```markdown
## Immutable subject claims

Repositories created after July 15, 2026 now use an immutable default subject format. This rollout does not include {% data variables.product.prodname_ghe_server %}.
```
10 changes: 10 additions & 0 deletions .github/workflows/changelog-agent.yml
Original file line number Diff line number Diff line change
Expand Up @@ -404,6 +404,16 @@ jobs:
fs.writeFileSync('prompt.txt', userPrompt);
core.setOutput('date_str', dateStr);

- name: Set up Node.js for Copilot CLI
if: steps.check_parent.outputs.has_parent == 'true' && steps.check_existing.outputs.exists == 'false'
uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
with:
node-version: 24

- name: Install GitHub Copilot CLI
if: steps.check_parent.outputs.has_parent == 'true' && steps.check_existing.outputs.exists == 'false'
run: npm install -g @github/copilot

- name: Generate changelog draft via Copilot
if: steps.check_parent.outputs.has_parent == 'true' && steps.check_existing.outputs.exists == 'false'
id: generate_draft
Expand Down
4 changes: 3 additions & 1 deletion .github/workflows/copy-api-issue-to-internal.yml
Original file line number Diff line number Diff line change
Expand Up @@ -45,7 +45,9 @@ jobs:

- name: Create an issue in the docs-content repo
run: |
new_issue_url="$(gh issue create --title "$ISSUE_TITLE" --body "$ISSUE_BODY" --repo github/docs-content --label "workflow-generated")"
new_issue_url="$(gh issue create --title "$ISSUE_TITLE" --body "$ISSUE_BODY

Copied to this repo by the [$GITHUB_WORKFLOW workflow run]($GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID)." --repo github/docs-content --label "workflow-generated")"
echo 'NEW_ISSUE='$new_issue_url >> $GITHUB_ENV
env:
GITHUB_TOKEN: ${{secrets.DOCS_BOT_PAT_BASE}}
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/delete-orphan-translation-files.yml
Original file line number Diff line number Diff line change
Expand Up @@ -127,7 +127,7 @@ jobs:
echo "Creating pull request..."
gh pr create \
--title "Delete orphan files ($current_daystamp)" \
--body '👋 humans. This PR was generated from docs-internal/.github/workflows/delete-orphan-translation-files.yml.
--body '👋 humans. This PR was generated by the [Delete orphan translation files](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}) workflow run.
' \
--repo "${{ matrix.language_repo }}" \
--label "workflow-generated" \
Expand Down
4 changes: 3 additions & 1 deletion .github/workflows/generate-code-scanning-query-lists.yml
Original file line number Diff line number Diff line change
Expand Up @@ -259,4 +259,6 @@ jobs:
No action is required from the first responder for the Docs content team. This PR is automatically added to the Docs content review board. Any writer can review this by checking that the PR looks sensible. If CI does not pass or other problems arise, contact #docs-engineering on slack.


When the DRI for the CodeQL CLI release is ready to publish, they will ask us to merge this PR in #docs-content.'
When the DRI for the CodeQL CLI release is ready to publish, they will ask us to merge this PR in #docs-content.

_Generated by the [Generate code scanning query lists](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}) workflow run._'
4 changes: 3 additions & 1 deletion .github/workflows/moda-allowed-ips.yml
Original file line number Diff line number Diff line change
Expand Up @@ -48,7 +48,9 @@ jobs:
git push
gh pr create \
--title "Update list of allowed IPs" \
--body 'This PR updates the list of allowed IPs in Moda. It is automatically generated.' \
--body "This PR updates the list of allowed IPs in Moda. It is automatically generated.

_Generated by the [Update Moda allowed IPs](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}) workflow run._" \
--label "workflow-generated" \
--head=$branchname
echo "Pull request created"
Expand Down
2 changes: 2 additions & 0 deletions .github/workflows/orphaned-features-check.yml
Original file line number Diff line number Diff line change
Expand Up @@ -90,6 +90,8 @@ jobs:
to make sure they aren't referenced anywhere
and then approve and merge the pull request.
For more information, see [Doc: Orphaned Features](https://github.com/github/docs-engineering/blob/main/docs/orphaned-features.md).

Generated by the [orphaned features workflow run]($GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID).
EOM
)

Expand Down
2 changes: 2 additions & 0 deletions .github/workflows/orphaned-files-check.yml
Original file line number Diff line number Diff line change
Expand Up @@ -98,6 +98,8 @@ jobs:
If you are the first responder, please spot check some of the unused assets to make sure they aren't referenced anywhere. Then, approve and merge the pull request.

For more information, see [Doc: Orphaned Assets](https://github.com/github/docs-engineering/blob/main/docs/orphaned-assets.md) and [Doc: Reusables CLI](https://github.com/github/docs-internal/tree/main/src/content-render/scripts/reusables-cli).

Generated by the [orphaned files workflow run]($GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID).
EOM
)

Expand Down
44 changes: 44 additions & 0 deletions .github/workflows/purge-fastly-all.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,44 @@
name: Purge Fastly (all)

# **What it does**: Purges the ENTIRE Fastly cache for docs (every URL) on demand.
# **Why we have it**: So docs engineering can clear a bad cache state without asking core engineering to run a purge-all in the Fastly UI.
# **Who does it impact**: All readers. Origin sees a traffic spike while the cache refills, so only run this when a targeted purge will not do.

on:
workflow_dispatch:
inputs:
confirm:
description: "Type 'purge everything' to confirm a full hard purge of the Fastly cache."
required: true

permissions:
contents: read

# Only one purge-all may run at a time. Do not cancel an in-flight purge:
# a half-finished purge leaves the cache in an unknown state.
concurrency:
group: purge-fastly-all
cancel-in-progress: false

env:
FASTLY_TOKEN: ${{ secrets.FASTLY_TOKEN }}
FASTLY_SERVICE_ID: ${{ secrets.FASTLY_SERVICE_ID }}

jobs:
purge-all:
if: github.repository == 'github/docs-internal'
runs-on: ubuntu-latest
steps:
- name: Validate confirmation input
if: ${{ inputs.confirm != 'purge everything' }}
run: |
echo "::error::Confirmation text did not match. Re-run and type exactly: purge everything"
exit 1

- name: Check out repo
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

- uses: ./.github/actions/node-npm-setup

- name: Purge entire Fastly cache
run: npm run purge-fastly-all
3 changes: 3 additions & 0 deletions .github/workflows/sme-review-tracking-issue.yml
Original file line number Diff line number Diff line change
Expand Up @@ -53,6 +53,9 @@ jobs:
- Routed to another channel / team
- Reviewer stating they'll need to get back to us at a later time
- Review provided was unclear or missing key information, and a follow-up is necessary

---
_Generated by the [${context.workflow}](${context.serverUrl}/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId}) workflow run._
`,
labels: ['on track','open source', 'sme-review', 'workflow-generated'],
});
4 changes: 3 additions & 1 deletion .github/workflows/sync-openapi.yml
Original file line number Diff line number Diff line change
Expand Up @@ -113,7 +113,9 @@ jobs:

Docs First Responders should follow [the acting-as-the-first-responder instructions](https://github.com/github/docs-team/blob/main/contributing-to-docs/first-responder/acting-as-the-first-responder.md?plain=1#L156).

If CI does not pass or other problems arise, contact #docs-engineering on slack.' \
If CI does not pass or other problems arise, contact #docs-engineering on slack.

_Generated by the [Sync OpenAPI schema](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}) workflow run._' \
--repo github/docs-internal \
--label github-openapi-bot,workflow-generated \
--head=$branchname \
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/sync-sdk-docs.yml
Original file line number Diff line number Diff line change
Expand Up @@ -216,7 +216,7 @@ jobs:
> This PR is auto-generated. Do not edit it directly — make changes in the [copilot-sdk docs](https://github.com/github/copilot-sdk/tree/main/docs) instead.

---
_Generated by the [sync-sdk-docs](https://github.com/github/docs-internal/actions/workflows/sync-sdk-docs.yml) workflow._"
_Generated by the [sync-sdk-docs workflow run]($GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID)._"

EXISTING_PR=$(gh pr list --head "$SYNC_BRANCH" --json number --jq '.[0].number' 2>/dev/null || true)

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -109,6 +109,8 @@ You found suspicious code in your repository, a security researcher reported an

* Review the **Actions** tab for unexpected workflow runs, especially those triggered by unfamiliar users or at unusual times.
* Inspect workflow run logs for suspicious output.
* Review the credentials accessible to suspicious workflow runs, including the default `GITHUB_TOKEN`, any {% data variables.product.pat_generic_plural %}, {% data variables.product.prodname_github_app %} tokens, or other credentials stored as secrets. The `GITHUB_TOKEN` is scoped to the job and expires when the job completes, but other credentials have their own lifecycle and do not expire with the job. Any credential that may have been exposed should be treated as compromised and rotated or replaced immediately.
* Be aware that workflow run logs only capture standard output from workflow steps. Activity that does not write to standard output (such as network calls, file system modifications, or background processes) will not appear in the logs. For a more comprehensive investigation, correlate with audit log events.
* Use {% data variables.product.github %} code search to find suspicious files or code additions, particularly in workflow files (`.github/workflows/`), shell scripts, or configuration files.
* Use the Activity view to check for pushes to unusual branch names, force pushes, pushes from unexpected actors.
* Check the audit logs for changes to security settings or disablement actions (look for events like `repository_ruleset.destroy`, `repository_secret_scanning_push_protection.disable`, or other `.delete`, `.disable`, `.destroy` events).
Expand All @@ -127,6 +129,8 @@ You found suspicious code in your repository, a security researcher reported an
### Key resources

* [Containment actions](/code-security/tutorials/secure-your-organization/responding-to-security-incidents#step-2-contain-the-threat)
* [AUTOTITLE](/actions/concepts/security/github_token)
* [AUTOTITLE](/actions/reference/security/secure-use)

{% ifversion fpt or ghec %}

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -156,7 +156,8 @@ Read access to the repository.

* Confirm what executed in CI/CD at a given time (such as the commands executed, or the dependency installed).
* Investigate suspicious workflow runs, such as those triggered by an unfamiliar user or at an unusual time, to see what actions were performed, which secrets were accessed, and what code was executed.
* Determine whether a workflow had access to any secrets.
* Review what credentials a workflow job had access to, including the default `GITHUB_TOKEN`, any {% data variables.product.pat_generic_plural %}, {% data variables.product.prodname_github_app %} tokens, other credentials stored as secrets, and access tokens obtained during the workflow run.
* Retrieve logs programmatically via the REST API for archival, forensic, or automation purposes.

#### Permissions required

Expand All @@ -166,8 +167,22 @@ Read access to the repository.

* [AUTOTITLE](/actions/how-tos/monitor-workflows/view-workflow-run-history)
* [AUTOTITLE](/actions/how-tos/monitor-workflows/use-workflow-run-logs)
* [AUTOTITLE](/actions/how-tos/manage-workflow-runs/download-workflow-artifacts)
* [AUTOTITLE](/actions/concepts/security/github_token)
* [AUTOTITLE](/actions/how-tos/write-workflows/choose-what-workflows-do/use-secrets)
* [AUTOTITLE](/actions/reference/security/secure-use)
* [AUTOTITLE](/rest/actions/workflow-runs)
* [AUTOTITLE](/rest/actions/workflow-jobs)
* [AUTOTITLE](/code-security/tutorials/implement-supply-chain-best-practices/securing-builds)

### Notes and limitations

* {% data variables.product.github %} automatically redacts secrets from workflow logs.
* By default, workflow logs are retained by {% data variables.product.github %} for 90 days, but you can configure this retention period to be longer (up to 400 days for private repositories).
* By default, workflow logs are retained by {% data variables.product.github %} for 90 days, but you can configure this retention period. {% ifversion fpt or ghec %}For public repositories, the maximum retention is 90 days. For private{% ifversion ghec %} and internal{% endif %} repositories, the maximum is 400 days.{% else %}The maximum retention is 400 days.{% endif %} Retention can be configured at the enterprise, organization, or repository level. If a workflow run occurred outside of your configured retention window, the logs may no longer be available. For more information, see [AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository), [AUTOTITLE](/organizations/managing-organization-settings/configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-organization), or [AUTOTITLE](/admin/enforcing-policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise).
* Workflow runs (including their logs) can also be deleted via the REST API. To check whether a run was deleted, query for `workflows.delete_workflow_run` events in the audit log.
* The default `GITHUB_TOKEN` issued to each job is scoped to that job and expires when the job finishes or after its effective maximum lifetime (up to 24 hours on self-hosted runners). Even if a step captured the token, it cannot be reused after the job finishes. For more information, see [AUTOTITLE](/actions/concepts/security/github_token).
* Other credentials referenced in workflows, such as {% data variables.product.pat_generic_plural %}, {% data variables.product.prodname_github_app %} installation tokens, or third-party API keys stored as secrets, have their own lifecycle and do not expire when the job ends. If a workflow step exposed one of these credentials, the token remains valid until it is revoked or expires according to its own policy. Any credential that may have been exposed should be treated as compromised and rotated or replaced immediately. Review the workflow file and the repository, organization, and environment secrets to determine which credentials were accessible. For more information, see [AUTOTITLE](/actions/how-tos/write-workflows/choose-what-workflows-do/use-secrets).
* You can download logs for an entire workflow run or for a specific job programmatically using the REST API. Both endpoints return a redirect URL that is valid for one minute. For more information, see [AUTOTITLE](/rest/actions/workflow-runs) and [AUTOTITLE](/rest/actions/workflow-jobs).
* Workflow run logs only capture standard output from workflow steps. Activity that does not write to standard output, such as network calls, file system modifications, or background processes, does not appear in the logs.
* For {% data variables.product.github %}-hosted runners, the runner environment is ephemeral and destroyed after the job completes. {% data variables.product.github %} does not retain any data beyond the workflow run logs for these runners. For self-hosted runners, additional host-level or network telemetry may be available from your own infrastructure.
* For a more comprehensive investigation, correlate workflow run logs with audit log events. Events such as `git.clone`, `git.fetch`, `git.push`, `protected_branch.create`, and `protected_branch.policy_override` can provide additional context. Because Git events in {% data variables.product.github %}-hosted audit logs are currently retained for only 7 days for enterprises, setting up streamed enterprise audit logs ahead of time is important for this type of investigation. For more information, see [AUTOTITLE](/code-security/tutorials/secure-your-organization/preparing-for-security-incidents).
Loading
Loading