From 5a30e90033bdac0289a40222d895a7e333c554e0 Mon Sep 17 00:00:00 2001
From: docs-bot <77750099+docs-bot@users.noreply.github.com>
Date: Mon, 6 Jan 2025 10:28:27 -0800
Subject: [PATCH 01/11] Delete orphaned features (2025-01-06-16-29) (#53768)
Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com>
---
data/features/viewscreen-and-notebooks.yml | 6 ------
1 file changed, 6 deletions(-)
delete mode 100644 data/features/viewscreen-and-notebooks.yml
diff --git a/data/features/viewscreen-and-notebooks.yml b/data/features/viewscreen-and-notebooks.yml
deleted file mode 100644
index 4fe043a4479a..000000000000
--- a/data/features/viewscreen-and-notebooks.yml
+++ /dev/null
@@ -1,6 +0,0 @@
-# Issues #7825
-# Standing up Viewscreen and Notebooks services to replace Render service
-versions:
- fpt: '*'
- ghec: '*'
- ghes: '>=3.7'
From 42b5f9bea2c6bfbc00643a3c9a5f2b7858df2726 Mon Sep 17 00:00:00 2001
From: Rachael Sewell
Date: Mon, 6 Jan 2025 10:42:41 -0800
Subject: [PATCH 02/11] update moda hardware config (#53773)
---
config/kubernetes/production/deployments/webapp.yaml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/config/kubernetes/production/deployments/webapp.yaml b/config/kubernetes/production/deployments/webapp.yaml
index 35e49765e9d0..fc0bfb0feb54 100644
--- a/config/kubernetes/production/deployments/webapp.yaml
+++ b/config/kubernetes/production/deployments/webapp.yaml
@@ -23,10 +23,10 @@ spec:
image: docs-internal
resources:
requests:
- cpu: 4000m
- memory: 5Gi
+ cpu: 8000m
+ memory: 10Gi
limits:
- cpu: 4000m
+ cpu: 16000m
memory: 14Gi
ports: - name: http
From d2e083d63bc40f944ea52814f89f2d90d5ea2697 Mon Sep 17 00:00:00 2001
From: Rachael Sewell
Date: Mon, 6 Jan 2025 11:33:30 -0800
Subject: [PATCH 03/11] add request headers endpoint
---
src/frame/middleware/index.ts | 2 ++
src/frame/middleware/req-headers.ts | 10 ++++++++++
2 files changed, 12 insertions(+)
create mode 100644 src/frame/middleware/req-headers.ts
diff --git a/src/frame/middleware/index.ts b/src/frame/middleware/index.ts
index 42c34fc6dca9..d899c34c549f 100644
--- a/src/frame/middleware/index.ts
+++ b/src/frame/middleware/index.ts
@@ -31,6 +31,7 @@ import healthz from './healthz'
import manifestJson from './manifest-json'
import remoteIP from './remote-ip'
import buildInfo from './build-info'
+import reqHeaders from './req-headers'
import archivedEnterpriseVersions from '@/archives/middleware/archived-enterprise-versions'
import robots from './robots'
import earlyAccessLinks from '@/early-access/middleware/early-access-links'
@@ -246,6 +247,7 @@ export default function (app: Express) {
app.use('/api', api)
app.get('/_ip', remoteIP)
app.get('/_build', buildInfo)
+ app.get('/_req-headers', reqHeaders)
app.use(asyncMiddleware(manifestJson))
// Things like `/api` sets their own Fastly surrogate keys.
diff --git a/src/frame/middleware/req-headers.ts b/src/frame/middleware/req-headers.ts
new file mode 100644
index 000000000000..1beb0acabbc6
--- /dev/null
+++ b/src/frame/middleware/req-headers.ts
@@ -0,0 +1,10 @@
+import type { Request, Response } from 'express'
+
+import { noCacheControl } from './cache-control.js'
+
+export default function reqHeaders(req: Request, res: Response) {
+ noCacheControl(res)
+ res.json({
+ 'request-headers': req.headers,
+ })
+}
From a8ebceb043e54a7202a0593ba2253629f07db326 Mon Sep 17 00:00:00 2001
From: Kevin Heis
Date: Mon, 6 Jan 2025 11:59:20 -0800
Subject: [PATCH 04/11] update host for 3.2 and later archived versions
---
src/archives/middleware/archived-enterprise-versions.ts | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/archives/middleware/archived-enterprise-versions.ts b/src/archives/middleware/archived-enterprise-versions.ts
index 3bc04484758b..2b4b7bd327f2 100644
--- a/src/archives/middleware/archived-enterprise-versions.ts
+++ b/src/archives/middleware/archived-enterprise-versions.ts
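Review bot: The `res.json` call in req-headers.ts reflects `req.headers` verbatim, so the new `/_req-headers` route registered in index.ts hands any caller every inbound header, including `cookie` and `authorization` and whatever the edge or load balancer injects on the way in (a later commit in this series describes `x-host` as a Fastly-set header), which makes a diagnostics aid double as an information-disclosure endpoint about the fronting infrastructure. Whether `/_ip` and `/_build` are restricted to internal callers is not visible here; if they are, this route should get the same treatment, and either way credential-bearing headers should be dropped before echoing, e.g. `const headers = Object.fromEntries(Object.entries(req.headers).filter(([name]) => !['cookie', 'authorization'].includes(name)))` followed by `res.json({ 'request-headers': headers })`. A TSDoc line on `reqHeaders` stating that it is a diagnostics endpoint and which headers it deliberately omits would document the contract.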
@@ -234,8 +234,9 @@ export default async function archivedEnterpriseVersions(
)
.replaceAll(
`${OLD_AZURE_BLOB_ENTERPRISE_DIR}/${requestedVersion}/`,
- `${req.protocol}://${req.get('x-forwarded-host') || req.get('host')}/enterprise-server@${requestedVersion}/`,
+ `${req.protocol}://docs.github.com/enterprise-server@${requestedVersion}/`,
)
+ // TODO host: req.get('x-forwarded-host') || req.get('host')
}
// Releases 3.1 and lower were previously hosted in the
From e0147d0900b238ecfe2e13de220db709a9e2b18f Mon Sep 17 00:00:00 2001
From: Evan Bonsignori
Date: Mon, 6 Jan 2025 12:13:14 -0800
Subject: [PATCH 05/11] include server name header (#53777)
---
config/kubernetes/production/services/webapp.yaml | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/config/kubernetes/production/services/webapp.yaml b/config/kubernetes/production/services/webapp.yaml
index 4c96ca5be8b5..4501ad76c1b8 100644
--- a/config/kubernetes/production/services/webapp.yaml
+++ b/config/kubernetes/production/services/webapp.yaml
@@ -7,8 +7,9 @@ metadata:
annotations:
moda.github.net/domain-name: 'docs-internal.github.com'
moda.github.net/dns-registration-enabled: 'false'
- moda.github.net/load-balancer-type:
- public-external-http
+ moda.github.net/load-balancer-type: public-external-http
+ moda.github.net/send-server-name-header:
+ 'true'
# moda.github.net/allowed-ips: '23.235.32.0/20,43.249.72.0/22,103.244.50.0/24,103.245.222.0/23,103.245.224.0/24,104.156.80.0/20,140.248.64.0/18,140.248.128.0/17,146.75.0.0/17,151.101.0.0/16,157.52.64.0/18,167.82.0.0/17,167.82.128.0/20,167.82.160.0/20,167.82.224.0/20,172.111.64.0/18,185.31.16.0/22,199.27.72.0/21,199.232.0.0/1'
# ipv6 addresses not included
# curl -i "https://api.fastly.com/public-ip-list"
From 1dac96aaf6bf7751d4b6d941e85aaacdb033a4d0 Mon Sep 17 00:00:00 2001
From: Kevin Heis
Date: Mon, 6 Jan 2025 12:31:51 -0800
Subject: [PATCH 06/11] Trigger Build
From 2f6c20104d3612164b0cb7ee48ada9e86762f901 Mon Sep 17 00:00:00 2001
From: Usha N
Date: Mon, 6 Jan 2025 14:45:45 -0600
Subject: [PATCH 07/11] Update emu-cap-public-preview.md with Iimitations (#53690)
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: marichinn <37083639+marichinn@users.noreply.github.com>
Co-authored-by: Felicity Chapman
---
data/reusables/enterprise-accounts/emu-cap-public-preview.md | 1 +
1 file changed, 1 insertion(+)
diff --git a/data/reusables/enterprise-accounts/emu-cap-public-preview.md b/data/reusables/enterprise-accounts/emu-cap-public-preview.md
index adcc16b1e947..585c6a5b06eb 100644
--- a/data/reusables/enterprise-accounts/emu-cap-public-preview.md
+++ b/data/reusables/enterprise-accounts/emu-cap-public-preview.md
@@ -1,3 +1,4 @@
>[!NOTE] CAP protection for web sessions is currently in {% data variables.release-phases.public_preview %} and may change.
>
> If IdP CAP support is already enabled for your enterprise, you can opt into extended protection for web sessions from your enterprise's "Authentication security" settings. To enable this feature, your enterprise must have 1,000 or fewer members, active or suspended.
+> When web session protection is enabled and a user's IP conditions are not satisfied, they can view and filter all user-owned resources but cannot view the details of the results for notifications, searches, personal dashboards, or starred repositories.
From cc2b148b11bb9ed07d03f8df94e8868a3e21f275 Mon Sep 17 00:00:00 2001
From: Ryosuke Nakayama
Date: Tue, 7 Jan 2025 05:53:58 +0900
Subject: [PATCH 08/11] List required OIDC endpoints for Google Cloud Platform (#53760)
Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com>
Co-authored-by: Sunbrye Ly <56200261+sunbrye@users.noreply.github.com>
---
...figuring-openid-connect-in-google-cloud-platform.md | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-google-cloud-platform.md b/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-google-cloud-platform.md
index 9839084bd93a..cbf49af87bdc 100644
--- a/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-google-cloud-platform.md
+++ b/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-google-cloud-platform.md
@@ -29,6 +29,16 @@ This guide gives an overview of how to configure GCP to trust {% data variables.
{% data reusables.actions.oidc-on-ghecom %}
+{% ifversion ghes %}
+{% data reusables.actions.oidc-endpoints %}
+
+
+ > [!NOTE]
+ > Google Cloud Platform does not have fixed IP ranges defined for these endpoints.
+* Make sure that the value of the issuer claim that's included with the JSON Web Token (JWT) is set to a publicly routable URL. For more information, see [AUTOTITLE](/enterprise-server@latest/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect).
+{% endif %}
+
## Adding a Google Cloud Workload Identity Provider
To configure the OIDC identity provider in GCP, you will need to perform the following configuration. For instructions on making these changes, refer to [the GCP documentation](https://github.com/google-github-actions/auth).
From c2101c4c28a1c325c08656fe97246fb8383333f5 Mon Sep 17 00:00:00 2001
From: Kevin Heis
Date: Mon, 6 Jan 2025 13:10:56 -0800
Subject: [PATCH 09/11] Revert "include server name header" (#53779)
---
config/kubernetes/production/services/webapp.yaml | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/config/kubernetes/production/services/webapp.yaml b/config/kubernetes/production/services/webapp.yaml
index 4501ad76c1b8..4c96ca5be8b5 100644
--- a/config/kubernetes/production/services/webapp.yaml
+++ b/config/kubernetes/production/services/webapp.yaml
@@ -7,9 +7,8 @@ metadata:
annotations:
moda.github.net/domain-name: 'docs-internal.github.com'
moda.github.net/dns-registration-enabled: 'false'
- moda.github.net/load-balancer-type: public-external-http
- moda.github.net/send-server-name-header:
- 'true'
+ moda.github.net/load-balancer-type:
+ public-external-http
# moda.github.net/allowed-ips: '23.235.32.0/20,43.249.72.0/22,103.244.50.0/24,103.245.222.0/23,103.245.224.0/24,104.156.80.0/20,140.248.64.0/18,140.248.128.0/17,146.75.0.0/17,151.101.0.0/16,157.52.64.0/18,167.82.0.0/17,167.82.128.0/20,167.82.160.0/20,167.82.224.0/20,172.111.64.0/18,185.31.16.0/22,199.27.72.0/21,199.232.0.0/1'
# ipv6 addresses not included
# curl -i "https://api.fastly.com/public-ip-list"
From af2d9356feb19178def5dae133e99aecdd300acd Mon Sep 17 00:00:00 2001
From: Kevin Heis
Date: Mon, 6 Jan 2025 13:11:23 -0800
Subject: [PATCH 10/11] Update to use x-host header (#53780)
---
src/archives/middleware/archived-enterprise-versions.ts | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/archives/middleware/archived-enterprise-versions.ts b/src/archives/middleware/archived-enterprise-versions.ts
index 2b4b7bd327f2..5d056b1475f7 100644
--- a/src/archives/middleware/archived-enterprise-versions.ts
+++ b/src/archives/middleware/archived-enterprise-versions.ts
@@ -227,6 +227,9 @@ export default async function archivedEnterpriseVersions(
// old Azure Blob Storage URL. These need to be rewritten to
// the new archived enterprise repo URL.
if (versionSatisfiesRange(requestedVersion, `>=${firstReleaseStoredInBlobStorage}`)) {
+ // `x-host` is a custom header set by Fastly.
+ // GLB automatically deletes the `x-forwarded-host` header.
+ const host = req.get('x-host') || req.get('x-forwarded-host') || req.get('host')
r.body = r.body
.replaceAll(
`${OLD_AZURE_BLOB_ENTERPRISE_DIR}/${requestedVersion}/assets/cb-`,
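Review bot: The new `const host = ...` line inside the `if` block takes the host from `x-host`, then `x-forwarded-host`, then `host`, all of which are client-settable request headers, so the value is only as trustworthy as the guarantee that every request reaching this origin has passed through the edge that sets or strips them; the comment above asserts that for Fastly and GLB, but nothing in the code enforces it, and whether Fastly overwrites a client-supplied `x-host` rather than passing it through is not visible here. If that guarantee ever fails, the supplied value is written into every rewritten link and asset URL of the archived page body (this hunk and the following one), and if the response is cacheable the rewritten body is served to other users. A defensive fix is to accept the header value only when it names a host this app serves and otherwise fall back to the constant the previous commit used: `const candidate = req.get('x-host') || req.get('x-forwarded-host') || req.get('host')` then `const host = candidate && ALLOWED_HOSTS.has(candidate) ? candidate : 'docs.github.com'`, with `ALLOWED_HOSTS` (name constructed here) a module-level `Set` of the served hostnames, plus a log line when the fallback is taken so misrouted traffic is visible. `archivedEnterpriseVersions` starts before this hunk and continues after it.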
@@ -234,9 +237,8 @@ export default async function archivedEnterpriseVersions(
)
.replaceAll(
`${OLD_AZURE_BLOB_ENTERPRISE_DIR}/${requestedVersion}/`,
- `${req.protocol}://docs.github.com/enterprise-server@${requestedVersion}/`,
+ `${req.protocol}://${host}/enterprise-server@${requestedVersion}/`,
)
- // TODO host: req.get('x-forwarded-host') || req.get('host')
}
// Releases 3.1 and lower were previously hosted in the
From 6e1ef802c3f93c49ac8f16e42a5c1bfbd74b4565 Mon Sep 17 00:00:00 2001
From: Evan Bonsignori
Date: Mon, 6 Jan 2025 13:22:06 -0800
Subject: [PATCH 11/11] Update Fastly workflow to purge after a successful Moda prod deploy (#53781)
---
.github/workflows/azure-prod-build-deploy.yml | 3 ---
.github/workflows/purge-fastly.yml | 9 ++++-----
2 files changed, 4 insertions(+), 8 deletions(-)
diff --git a/.github/workflows/azure-prod-build-deploy.yml b/.github/workflows/azure-prod-build-deploy.yml
index 7e5e27bea77e..9a09b5f18599 100644
--- a/.github/workflows/azure-prod-build-deploy.yml
+++ b/.github/workflows/azure-prod-build-deploy.yml
@@ -5,9 +5,6 @@ name: Azure Production - Build and Deploy
# **Who does it impact**: All contributors.
on:
- push:
- branches:
- - main
workflow_dispatch:
permissions:
diff --git a/.github/workflows/purge-fastly.yml b/.github/workflows/purge-fastly.yml
index b0415c6c44bd..aa02af6bf3e8 100644
--- a/.github/workflows/purge-fastly.yml
+++ b/.github/workflows/purge-fastly.yml
@@ -5,6 +5,7 @@ name: Purge Fastly
# **Who does it impact**: Writers and engineers.
on:
+ deployment_status:
workflow_dispatch:
inputs:
nuke_all:
@@ -16,9 +17,6 @@ on:
description: "Comma separated languages. E.g. 'en,ja, es' (defaults to all)"
required: false
default: ''
- push:
- branches:
- - main
permissions:
contents: read
@@ -29,11 +27,12 @@ env:
jobs:
send-purges:
+ # Run when workflow_dispatch is the event (manual) or when deployment_status is the event (automatic) and it's a successful production deploy
if: >-
${{ github.repository == 'github/docs-internal' &&
- (github.event_name != 'workflow_run' ||
- github.event.workflow_run.conclusion == 'success')
+ (github.event_name != 'deployment_status' ||
+ github.event.deployment_status.state == 'success' && github.event.deployment_status.environment == 'production')
}}
runs-on: ubuntu-latest
steps: