Repo sync

.devcontainer/devcontainer.json

@@ -19,7 +19,8 @@
       // Set *default* container specific settings.json values on container create.
       "settings": {
         "terminal.integrated.shell.linux": "/bin/bash",
-        "cSpell.language": ",en"
+        "cSpell.language": ",en",
+        "git.autofetch": true
       },
       // Visual Studio Code extensions which help authoring for docs.github.com.
       "extensions": [
@@ -57,7 +58,7 @@
   },
 
   // Use 'postCreateCommand' to run commands after the container is created.
-  "postCreateCommand": "npm ci",
+  "postCreateCommand": "npm ci && npm start",
 
   // Comment out connect as root instead. More info: https://aka.ms/vscode-remote/containers/non-root.
   "remoteUser": "node",

.github/dependabot.yml

@@ -1,4 +1,10 @@
 version: 2
+registries:
+  ghcr: # Define access for a private registry
+    type: docker-registry
+    url: ghcr.io
+    username: PAT
+    password: ${{secrets.CONTAINER_BUILDER_TOKEN}}
 updates:
   - package-ecosystem: npm
     directory: '/'
@@ -23,11 +29,18 @@ updates:
       - dependency-name: '*'
         update-types:
           ['version-update:semver-patch', 'version-update:semver-minor']
+      - dependency-name: 'github/internal-actions'
 
   - package-ecosystem: 'docker'
+    registries:
+      - ghcr
     directory: '/'
     schedule:
       interval: weekly
       day: thursday
+    groups:
+      baseImages:
+        patterns:
+          - '*'
     ignore:
       - dependency-name: 'node'

.github/workflows/moda-ci.yaml

@@ -0,0 +1,65 @@
+name: docs-internal Moda CI
+
+# More info on CI actions setup can be found here:
+# https://github.com/github/ops/blob/master/docs/playbooks/build-systems/moving-moda-apps-from-bp-to-actions.md
+
+on:
+  workflow_dispatch:
+  push:
+    branches-ignore:
+      - 'gh-readonly-queue/**'
+  merge_group:
+    types: [checks_requested]
+
+jobs:
+  moda-config-bundle:
+    if: ${{ github.repository == 'github/docs-internal' }}
+    name: ${{ matrix.ci_job.job }}
+    strategy:
+      fail-fast: false
+      matrix:
+        ci_job: [{ 'job': 'docs-internal-moda-config-bundle' }]
+    uses: github/internal-actions/.github/workflows/moda.yml@main
+    with:
+      ci-formatted-job-name: ${{ matrix.ci_job.job }}
+      vault-keys: ${{ vars.VAULT_KEYS }}
+    secrets:
+      dx-bot-token: ${{ secrets.INTERNAL_ACTIONS_DX_BOT_ACCOUNT_TOKEN }}
+      datadog-api-key: ${{ secrets.DATADOG_API_KEY }}
+
+  docker-image:
+    if: ${{ github.repository == 'github/docs-internal' }}
+    name: ${{ matrix.ci_job.job }}
+    strategy:
+      fail-fast: false
+      matrix:
+        ci_job: [{ 'job': 'docs-internal-docker-image' }]
+    uses: github/internal-actions/.github/workflows/kube.yml@main
+    with:
+      ci-formatted-job-name: ${{ matrix.ci_job.job }}
+      vault-keys: ${{ vars.VAULT_KEYS }}
+    secrets:
+      dx-bot-token: ${{ secrets.INTERNAL_ACTIONS_DX_BOT_ACCOUNT_TOKEN }}
+      datadog-api-key: ${{ secrets.DATADOG_API_KEY }}
+
+  docker-security:
+    if: ${{ github.repository == 'github/docs-internal' }}
+    name: ${{ matrix.ci_job.job }}
+    strategy:
+      fail-fast: false
+      matrix:
+        ci_job: [{ 'job': 'docs-internal-docker-security' }]
+    uses: github/internal-actions/.github/workflows/docker_security.yml@main
+    with:
+      ci-formatted-job-name: ${{ matrix.ci_job.job }}
+      vault-keys: ${{ vars.VAULT_KEYS }}
+    secrets:
+      dx-bot-token: ${{ secrets.INTERNAL_ACTIONS_DX_BOT_ACCOUNT_TOKEN }}
+      datadog-api-key: ${{ secrets.DATADOG_API_KEY }}
+
+permissions:
+  actions: read
+  checks: read
+  contents: read
+  statuses: read
+  id-token: write

Dockerfile

@@ -10,6 +10,9 @@ FROM node:22-alpine@sha256:c13b26e7e602ef2f1074aef304ce6e9b7dd284c419b35d89fcf3c
 # This directory is owned by the node user
 ARG APP_HOME=/home/node/app
 
+# Make sure there's a translations directory available to not error the COPY command
+RUN mkdir -p translations && chown -R node:node translations
+
 # Make sure we don't run anything as the root user
 USER node
 
@@ -109,4 +112,4 @@ FROM preview AS production
 ENV ENABLED_LANGUAGES "en,zh,es,pt,ru,ja,fr,de,ko"
 
 # Copy in all translations
-COPY --chown=node:node translations ./translations
+COPY --chown=node:node --from=base translations ./translations

config/kubernetes/production/deployments/webapp.yaml

@@ -0,0 +1,53 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: webapp
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      app: webapp
+  template:
+    metadata:
+      labels:
+        app: webapp
+      annotations:
+        # If you emit structured logs, you can specify a parser to use so your logs are parsed
+        # properly and are much nicer to query in splunk. For more details, see
+        # https://thehub.github.com/engineering/development-and-ops/observability/logging/fluent-bit/
+        # fluentbit.io/parser: logfmt
+    spec:
+      dnsPolicy: Default
+      containers:
+        - name: webapp
+          image: docs-internal
+          resources:
+            requests:
+              cpu: 4000m
+              memory: 5Gi
+            limits:
+              cpu: 4000m
+              memory: 14Gi
+          ports:
+            - name: http
+              containerPort: 4000
+              protocol: TCP
+          envFrom:
+            - secretRef:
+                name: vault-secrets
+            - configMapRef:
+                name: kube-cluster-metadata
+          # Zero-downtime deploys
+          # https://thehub.github.com/engineering/products-and-services/internal/moda/feature-documentation/pod-lifecycle/#required-prestop-hook
+          # https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
+          lifecycle:
+            preStop:
+              exec:
+                command: ['sleep', '5']
+          readinessProbe:
+            initialDelaySeconds: 5
+            httpGet:
+              # WARNING: This should be updated to a meaningful endpoint for your application which will return a 200 once the app is fully started.
+              # See: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-readiness-probes
+              path: /healthz
+              port: http

config/kubernetes/production/services/webapp.yaml

@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: webapp
+  labels:
+    service: webapp
+  annotations:
+    moda.github.net/domain-name: 'docs-internal.github.com'
+    moda.github.net/dns-registration-enabled: 'false'
+    moda.github.net/load-balancer-type:
+      public-external-http
+      # moda.github.net/allowed-ips: '23.235.32.0/20,43.249.72.0/22,103.244.50.0/24,103.245.222.0/23,103.245.224.0/24,104.156.80.0/20,140.248.64.0/18,140.248.128.0/17,146.75.0.0/17,151.101.0.0/16,157.52.64.0/18,167.82.0.0/17,167.82.128.0/20,167.82.160.0/20,167.82.224.0/20,172.111.64.0/18,185.31.16.0/22,199.27.72.0/21,199.232.0.0/1'
+    # ipv6 addresses not included
+    # curl -i  "https://api.fastly.com/public-ip-list"
+spec:
+  ports:
+    - name: http
+      port: 4000
+      protocol: TCP
+      targetPort: http
+  selector:
+    app: webapp
+  type: LoadBalancer

config/moda/deployment.yaml

@@ -0,0 +1,13 @@
+required_builds:
+  - docs-internal-moda-config-bundle / docs-internal-moda-config-bundle
+  - docs-internal-docker-image / docs-internal-docker-image
+  - docs-internal-docker-security / docs-internal-docker-security
+environments:
+  - name: production
+    auto_deploy: true
+    cluster_selector:
+      profile: general
+      region: iad
+notifications:
+  slack_channels:
+    - '#docs-ops'

content/admin/managing-code-security/index.md

@@ -11,7 +11,7 @@ topics:
 children:
   - /managing-github-advanced-security-for-your-enterprise
   - /managing-supply-chain-security-for-your-enterprise
+  - /securing-your-enterprise
 redirect_from:
   - /admin/code-security
 ---
-

content/admin/managing-code-security/securing-your-enterprise/about-security-configurations.md

@@ -0,0 +1,43 @@
+---
+title: About security configurations
+shortTitle: Security configurations
+intro: 'Security configurations are collections of security settings that you can apply across your enterprise.'
+product: '{% data reusables.gated-features.security-configurations-enterprise %}'
+versions:
+  feature: security-configuration-enterprise-level
+topics:
+  - Advanced Security
+  - Enterprise
+  - Security
+---
+
+## About {% data variables.product.prodname_security_configurations %}
+
+{% data variables.product.prodname_security_configurations_caps %} simplify the rollout of {% data variables.product.company_short %} security products at scale by helping you define collections of security settings and apply them across your enterprise.
+
+{% ifversion security-configurations-cloud %}
+
+We recommend securing your enterprise with the {% data variables.product.prodname_github_security_configuration %}, then evaluating the security findings on your repositories before configuring {% data variables.product.prodname_custom_security_configurations %}. For more information, see "[AUTOTITLE](/admin/managing-code-security/securing-your-enterprise/applying-the-github-recommended-security-configuration-to-your-enterprise)."
+
+{% endif %}
+
+With {% data variables.product.prodname_custom_security_configurations %}, you can create collections of enablement settings for {% data variables.product.company_short %}'s security products to meet the specific security needs of your enterprise. For example, you can create a different {% data variables.product.prodname_custom_security_configuration %} for each organization or group of similar organizations to reflect their different levels of security requirements and compliance obligations. For more information, see "[AUTOTITLE](/admin/managing-code-security/securing-your-enterprise/creating-a-custom-security-configuration-for-your-enterprise)."
+
+{% ifversion security-configurations-ghes-only %}
+
+When creating a security configuration, keep in mind that:
+* Only features installed by a site administrator on your {% data variables.product.prodname_ghe_server %} instance will appear in the UI.
+* {% data variables.product.prodname_GH_advanced_security %} features will only be visible if your enterprise or {% data variables.product.prodname_ghe_server %} instance holds a {% data variables.product.prodname_GH_advanced_security %} license.
+* Certain features, like {% data variables.product.prodname_dependabot_security_updates %} and {% data variables.product.prodname_code_scanning %} default setup, also require that {% data variables.product.prodname_actions %} is installed on the {% data variables.product.prodname_ghe_server %} instance.
+
+{% endif %}
+
+{% data reusables.security-configurations.emu-note %}
+
+{% data reusables.security-configurations.security-features-use-actions %}
+
+## Preserving default settings for new repositories
+
+If you had default security settings in place for newly created repositories, {% data variables.product.github %} will preserve these settings by automatically creating a "New repository default settings" security configuration for your enterprise. The configuration matches your previous enterprise-level default settings for new repositories as of December, 2024.
+
+The "New repository default settings" configuration will automatically get applied to any newly created repositories in your enterprise, if no organization-level defaults are set.

content/admin/managing-code-security/securing-your-enterprise/applying-a-custom-security-configuration-to-your-enterprise.md

@@ -0,0 +1,34 @@
+---
+title: Applying a custom security configuration to your enterprise
+shortTitle: Apply custom configuration
+intro: 'You can apply your {% data variables.product.prodname_custom_security_configuration %} to organizations and repositories in your organization to meet the specific security needs of your enterprise.'
+permissions: '{% data reusables.permissions.security-configuration-enterprise-enable %}'
+versions:
+  feature: security-configuration-enterprise-level
+topics:
+  - Advanced Security
+  - Organizations
+  - Security
+---
+
+## About applying a {% data variables.product.prodname_custom_security_configuration %}
+
+After you create a {% data variables.product.prodname_custom_security_configuration %}, you need to apply it to repositories in your enterprise to enable the configuration's settings on those repositories.
+
+{% data reusables.security-configurations.security-features-use-actions %}
+
+## Applying your {% data variables.product.prodname_custom_security_configuration %} to repositories in your enterprise
+
+{% data reusables.enterprise-accounts.access-enterprise %}
+{% data reusables.enterprise-accounts.settings-tab %}
+1. In the left sidebar, click **Code security**.
+1. To the right of the configuration you want to apply, select the **Apply to** {% octicon "triangle-down" aria-hidden="true" %} dropdown menu, then click **All repositories** or **All repositories without configurations**.
+{% data reusables.security-configurations.apply-configuration-by-default %}
+
+{% data reusables.security-configurations.apply-configuration %}
+
+{% data reusables.security-configurations.failure-handling-enterprise %}
+
+## Next steps
+
+To learn how to edit your {% data variables.product.prodname_custom_security_configuration %}, see "[AUTOTITLE](/admin/managing-code-security/securing-your-enterprise/editing-a-custom-security-configuration)."

content/admin/managing-code-security/securing-your-enterprise/applying-the-github-recommended-security-configuration-to-your-enterprise.md

@@ -0,0 +1,40 @@
+---
+title: Applying the GitHub-recommended security configuration to your enterprise
+shortTitle: Apply recommended configuration
+intro: 'Secure your code with the security enablement settings created, managed, and recommended by {% data variables.product.github %}.'
+permissions: '{% data reusables.permissions.security-configuration-enterprise-enable %}'
+versions:
+  ghec: '*'
+topics:
+  - Advanced Security
+  - Enterprise
+  - Security
+---
+
+## About the {% data variables.product.prodname_github_security_configuration %}
+
+The {% data variables.product.prodname_github_security_configuration %} is a set of industry best practices and features that provide a robust, baseline security posture for enterprises. This configuration is created and maintained by subject matter experts at {% data variables.product.github %}, with the help of multiple industry leaders and experts. The {% data variables.product.prodname_github_security_configuration %} is designed to successfully reduce the security risks for low- and high-impact repositories. We recommend you apply this configuration to all the repositories in your enterprise.
+
+{% data reusables.security-configurations.github-recommended-warning-enterprise %}
+
+## Applying the {% data variables.product.prodname_github_security_configuration %} to  repositories in your enterprise
+
+{% data reusables.enterprise-accounts.access-enterprise %}
+{% data reusables.enterprise-accounts.settings-tab %}
+1. In the left sidebar, click **Code security**.
+1. In the "{% data variables.product.company_short %} recommended" row of the configurations table for your enterprise, select the **Apply to** {% octicon "triangle-down" aria-hidden="true" %} dropdown menu, then click **All repositories** or **All repositories without configurations**.
+{% data reusables.security-configurations.apply-configuration-by-default %}
+
+{% data reusables.security-configurations.apply-configuration %}
+
+{% data reusables.security-configurations.failure-handling-enterprise %}
+
+## Enforcing the {% data variables.product.prodname_github_security_configuration %}
+
+{% data reusables.enterprise-accounts.access-enterprise %}
+{% data reusables.enterprise-accounts.settings-tab %}
+1. In the left sidebar, click **Code security**.
+1. In the "Configurations" section, select "{% data variables.product.company_short %} recommended".
+1. In the "Policy" section, next to "Enforce configuration", select **Enforce** from the dropdown menu.
+
+{% data reusables.code-scanning.custom-security-configuration-enforcement-edge-cases-enterprise %}