From a3d809006296d255bff735b13195a54409fde51d Mon Sep 17 00:00:00 2001 From: Cody Soyland Date: Thu, 9 Jan 2025 10:15:15 -0600 Subject: [PATCH 1/5] Bump policy-controller version referenced by documentation (#53824) Signed-off-by: Cody Soyland --- ...act-attestations-with-a-kubernetes-admission-controller.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/actions/security-for-github-actions/using-artifact-attestations/enforcing-artifact-attestations-with-a-kubernetes-admission-controller.md b/content/actions/security-for-github-actions/using-artifact-attestations/enforcing-artifact-attestations-with-a-kubernetes-admission-controller.md index 27ed0f68b719..01a913b94008 100644 --- a/content/actions/security-for-github-actions/using-artifact-attestations/enforcing-artifact-attestations-with-a-kubernetes-admission-controller.md +++ b/content/actions/security-for-github-actions/using-artifact-attestations/enforcing-artifact-attestations-with-a-kubernetes-admission-controller.md @@ -55,7 +55,7 @@ First, install the Helm chart that deploys the Sigstore Policy Controller: helm upgrade policy-controller --install --atomic \ --create-namespace --namespace artifact-attestations \ oci://ghcr.io/github/artifact-attestations-helm-charts/policy-controller \ - --version v0.10.0-github9 + --version v0.12.0-github10 ``` This installs the Policy Controller into the `artifact-attestations` namespace. At this point, no policies have been configured, and it will not enforce any attestations. @@ -139,7 +139,7 @@ To see the full set of options you may configure with the Helm chart, you can ru For policy controller options: ```bash copy -helm show values oci://ghcr.io/github/artifact-attestations-helm-charts/policy-controller --version v0.10.0-github9 +helm show values oci://ghcr.io/github/artifact-attestations-helm-charts/policy-controller --version v0.12.0-github10 ``` For trust policy options: 
From 8f19ef9001f95b98281085847d8655e538370b13 Mon Sep 17 00:00:00 2001 From: Rachael Sewell Date: Thu, 9 Jan 2025 08:49:10 -0800 Subject: [PATCH 2/5] upgrade Next to latest 14 (#53718) Co-authored-by: Kevin Heis --- package-lock.json | 99 ++++++++++++++++++++++++++--------------------- package.json | 2 +- 2 files changed, 56 insertions(+), 45 deletions(-) diff --git a/package-lock.json b/package-lock.json index aed96f326cb4..7a46a9b0847d 100644 --- a/package-lock.json +++ b/package-lock.json @@ -69,7 +69,7 @@ "mdast-util-to-markdown": "2.1.0", "mdast-util-to-string": "^4.0.0", "morgan": "^1.10.0", - "next": "14.2.10", + "next": "^14.2.23", "ora": "^8.0.1", "parse5": "7.1.2", "quick-lru": "7.0.0", @@ -2236,17 +2236,19 @@ "integrity": "sha512-yWJKmpGE6lUURKAaIltoPIE/wrbY3TEkqQt+X0m+7fQNnAv0keydnYvbiJFP1PnMhizmIWRWOG5KLhYyc/xl+g==" }, "node_modules/@next/env": { - "version": "14.2.10", - "resolved": "https://registry.npmjs.org/@next/env/-/env-14.2.10.tgz", - "integrity": "sha512-dZIu93Bf5LUtluBXIv4woQw2cZVZ2DJTjax5/5DOs3lzEOeKLy7GxRSr4caK9/SCPdaW6bCgpye6+n4Dh9oJPw==" + "version": "14.2.23", + "resolved": "https://registry.npmjs.org/@next/env/-/env-14.2.23.tgz", + "integrity": "sha512-CysUC9IO+2Bh0omJ3qrb47S8DtsTKbFidGm6ow4gXIG6reZybqxbkH2nhdEm1tC8SmgzDdpq3BIML0PWsmyUYA==", + "license": "MIT" }, "node_modules/@next/swc-darwin-arm64": { - "version": "14.2.10", - "resolved": "https://registry.npmjs.org/@next/swc-darwin-arm64/-/swc-darwin-arm64-14.2.10.tgz", - "integrity": "sha512-V3z10NV+cvMAfxQUMhKgfQnPbjw+Ew3cnr64b0lr8MDiBJs3eLnM6RpGC46nhfMZsiXgQngCJKWGTC/yDcgrDQ==", + "version": "14.2.23", + "resolved": "https://registry.npmjs.org/@next/swc-darwin-arm64/-/swc-darwin-arm64-14.2.23.tgz", + "integrity": "sha512-WhtEntt6NcbABA8ypEoFd3uzq5iAnrl9AnZt9dXdO+PZLACE32z3a3qA5OoV20JrbJfSJ6Sd6EqGZTrlRnGxQQ==", "cpu": [ "arm64" ], + "license": "MIT", "optional": true, "os": [ "darwin" 
@@ -2256,12 +2258,13 @@ } }, "node_modules/@next/swc-darwin-x64": { - "version": "14.2.10", - "resolved": "https://registry.npmjs.org/@next/swc-darwin-x64/-/swc-darwin-x64-14.2.10.tgz", - "integrity": "sha512-Y0TC+FXbFUQ2MQgimJ/7Ina2mXIKhE7F+GUe1SgnzRmwFY3hX2z8nyVCxE82I2RicspdkZnSWMn4oTjIKz4uzA==", + "version": "14.2.23", + "resolved": "https://registry.npmjs.org/@next/swc-darwin-x64/-/swc-darwin-x64-14.2.23.tgz", + "integrity": "sha512-vwLw0HN2gVclT/ikO6EcE+LcIN+0mddJ53yG4eZd0rXkuEr/RnOaMH8wg/sYl5iz5AYYRo/l6XX7FIo6kwbw1Q==", "cpu": [ "x64" ], + "license": "MIT", "optional": true, "os": [ "darwin" @@ -2271,12 +2274,13 @@ } }, "node_modules/@next/swc-linux-arm64-gnu": { - "version": "14.2.10", - "resolved": "https://registry.npmjs.org/@next/swc-linux-arm64-gnu/-/swc-linux-arm64-gnu-14.2.10.tgz", - "integrity": "sha512-ZfQ7yOy5zyskSj9rFpa0Yd7gkrBnJTkYVSya95hX3zeBG9E55Z6OTNPn1j2BTFWvOVVj65C3T+qsjOyVI9DQpA==", + "version": "14.2.23", + "resolved": "https://registry.npmjs.org/@next/swc-linux-arm64-gnu/-/swc-linux-arm64-gnu-14.2.23.tgz", + "integrity": "sha512-uuAYwD3At2fu5CH1wD7FpP87mnjAv4+DNvLaR9kiIi8DLStWSW304kF09p1EQfhcbUI1Py2vZlBO2VaVqMRtpg==", "cpu": [ "arm64" ], + "license": "MIT", "optional": true, "os": [ "linux" @@ -2286,12 +2290,13 @@ } }, "node_modules/@next/swc-linux-arm64-musl": { - "version": "14.2.10", - "resolved": "https://registry.npmjs.org/@next/swc-linux-arm64-musl/-/swc-linux-arm64-musl-14.2.10.tgz", - "integrity": "sha512-n2i5o3y2jpBfXFRxDREr342BGIQCJbdAUi/K4q6Env3aSx8erM9VuKXHw5KNROK9ejFSPf0LhoSkU/ZiNdacpQ==", + "version": "14.2.23", + "resolved": "https://registry.npmjs.org/@next/swc-linux-arm64-musl/-/swc-linux-arm64-musl-14.2.23.tgz", + "integrity": "sha512-Mm5KHd7nGgeJ4EETvVgFuqKOyDh+UMXHXxye6wRRFDr4FdVRI6YTxajoV2aHE8jqC14xeAMVZvLqYqS7isHL+g==", "cpu": [ "arm64" ], + "license": "MIT", "optional": true, "os": [ "linux" 
@@ -2301,12 +2306,13 @@ } }, "node_modules/@next/swc-linux-x64-gnu": { - "version": "14.2.10", - "resolved": "https://registry.npmjs.org/@next/swc-linux-x64-gnu/-/swc-linux-x64-gnu-14.2.10.tgz", - "integrity": "sha512-GXvajAWh2woTT0GKEDlkVhFNxhJS/XdDmrVHrPOA83pLzlGPQnixqxD8u3bBB9oATBKB//5e4vpACnx5Vaxdqg==", + "version": "14.2.23", + "resolved": "https://registry.npmjs.org/@next/swc-linux-x64-gnu/-/swc-linux-x64-gnu-14.2.23.tgz", + "integrity": "sha512-Ybfqlyzm4sMSEQO6lDksggAIxnvWSG2cDWnG2jgd+MLbHYn2pvFA8DQ4pT2Vjk3Cwrv+HIg7vXJ8lCiLz79qoQ==", "cpu": [ "x64" ], + "license": "MIT", "optional": true, "os": [ "linux" @@ -2316,12 +2322,13 @@ } }, "node_modules/@next/swc-linux-x64-musl": { - "version": "14.2.10", - "resolved": "https://registry.npmjs.org/@next/swc-linux-x64-musl/-/swc-linux-x64-musl-14.2.10.tgz", - "integrity": "sha512-opFFN5B0SnO+HTz4Wq4HaylXGFV+iHrVxd3YvREUX9K+xfc4ePbRrxqOuPOFjtSuiVouwe6uLeDtabjEIbkmDA==", + "version": "14.2.23", + "resolved": "https://registry.npmjs.org/@next/swc-linux-x64-musl/-/swc-linux-x64-musl-14.2.23.tgz", + "integrity": "sha512-OSQX94sxd1gOUz3jhhdocnKsy4/peG8zV1HVaW6DLEbEmRRtUCUQZcKxUD9atLYa3RZA+YJx+WZdOnTkDuNDNA==", "cpu": [ "x64" ], + "license": "MIT", "optional": true, "os": [ "linux" @@ -2331,12 +2338,13 @@ } }, "node_modules/@next/swc-win32-arm64-msvc": { - "version": "14.2.10", - "resolved": "https://registry.npmjs.org/@next/swc-win32-arm64-msvc/-/swc-win32-arm64-msvc-14.2.10.tgz", - "integrity": "sha512-9NUzZuR8WiXTvv+EiU/MXdcQ1XUvFixbLIMNQiVHuzs7ZIFrJDLJDaOF1KaqttoTujpcxljM/RNAOmw1GhPPQQ==", + "version": "14.2.23", + "resolved": "https://registry.npmjs.org/@next/swc-win32-arm64-msvc/-/swc-win32-arm64-msvc-14.2.23.tgz", + "integrity": "sha512-ezmbgZy++XpIMTcTNd0L4k7+cNI4ET5vMv/oqNfTuSXkZtSA9BURElPFyarjjGtRgZ9/zuKDHoMdZwDZIY3ehQ==", "cpu": [ "arm64" ], + "license": "MIT", "optional": true, "os": [ "win32" 
@@ -2346,12 +2354,13 @@ } }, "node_modules/@next/swc-win32-ia32-msvc": { - "version": "14.2.10", - "resolved": "https://registry.npmjs.org/@next/swc-win32-ia32-msvc/-/swc-win32-ia32-msvc-14.2.10.tgz", - "integrity": "sha512-fr3aEbSd1GeW3YUMBkWAu4hcdjZ6g4NBl1uku4gAn661tcxd1bHs1THWYzdsbTRLcCKLjrDZlNp6j2HTfrw+Bg==", + "version": "14.2.23", + "resolved": "https://registry.npmjs.org/@next/swc-win32-ia32-msvc/-/swc-win32-ia32-msvc-14.2.23.tgz", + "integrity": "sha512-zfHZOGguFCqAJ7zldTKg4tJHPJyJCOFhpoJcVxKL9BSUHScVDnMdDuOU1zPPGdOzr/GWxbhYTjyiEgLEpAoFPA==", "cpu": [ "ia32" ], + "license": "MIT", "optional": true, "os": [ "win32" @@ -2361,12 +2370,13 @@ } }, "node_modules/@next/swc-win32-x64-msvc": { - "version": "14.2.10", - "resolved": "https://registry.npmjs.org/@next/swc-win32-x64-msvc/-/swc-win32-x64-msvc-14.2.10.tgz", - "integrity": "sha512-UjeVoRGKNL2zfbcQ6fscmgjBAS/inHBh63mjIlfPg/NG8Yn2ztqylXt5qilYb6hoHIwaU2ogHknHWWmahJjgZQ==", + "version": "14.2.23", + "resolved": "https://registry.npmjs.org/@next/swc-win32-x64-msvc/-/swc-win32-x64-msvc-14.2.23.tgz", + "integrity": "sha512-xCtq5BD553SzOgSZ7UH5LH+OATQihydObTrCTvVzOro8QiWYKdBVwcB2Mn2MLMo6DGW9yH1LSPw7jS7HhgJgjw==", "cpu": [ "x64" ], + "license": "MIT", "optional": true, "os": [ "win32" @@ -10947,11 +10957,12 @@ } }, "node_modules/next": { - "version": "14.2.10", - "resolved": "https://registry.npmjs.org/next/-/next-14.2.10.tgz", - "integrity": "sha512-sDDExXnh33cY3RkS9JuFEKaS4HmlWmDKP1VJioucCG6z5KuA008DPsDZOzi8UfqEk3Ii+2NCQSJrfbEWtZZfww==", + "version": "14.2.23", + "resolved": "https://registry.npmjs.org/next/-/next-14.2.23.tgz", + "integrity": "sha512-mjN3fE6u/tynneLiEg56XnthzuYw+kD7mCujgVqioxyPqbmiotUCGJpIZGS/VaPg3ZDT1tvWxiVyRzeqJFm/kw==", + "license": "MIT", "dependencies": { - "@next/env": "14.2.10", + "@next/env": "14.2.23", "@swc/helpers": "0.5.5", "busboy": "1.6.0", "caniuse-lite": "^1.0.30001579", 
@@ -10966,15 +10977,15 @@ "node": ">=18.17.0" }, "optionalDependencies": { - "@next/swc-darwin-arm64": "14.2.10", - "@next/swc-darwin-x64": "14.2.10", - "@next/swc-linux-arm64-gnu": "14.2.10", - "@next/swc-linux-arm64-musl": "14.2.10", - "@next/swc-linux-x64-gnu": "14.2.10", - "@next/swc-linux-x64-musl": "14.2.10", - "@next/swc-win32-arm64-msvc": "14.2.10", - "@next/swc-win32-ia32-msvc": "14.2.10", - "@next/swc-win32-x64-msvc": "14.2.10" + "@next/swc-darwin-arm64": "14.2.23", + "@next/swc-darwin-x64": "14.2.23", + "@next/swc-linux-arm64-gnu": "14.2.23", + "@next/swc-linux-arm64-musl": "14.2.23", + "@next/swc-linux-x64-gnu": "14.2.23", + "@next/swc-linux-x64-musl": "14.2.23", + "@next/swc-win32-arm64-msvc": "14.2.23", + "@next/swc-win32-ia32-msvc": "14.2.23", + "@next/swc-win32-x64-msvc": "14.2.23" }, "peerDependencies": { "@opentelemetry/api": "^1.1.0", diff --git a/package.json b/package.json index 104f43d29bce..967eaeab1657 100644 --- a/package.json +++ b/package.json @@ -305,7 +305,7 @@ "mdast-util-to-markdown": "2.1.0", "mdast-util-to-string": "^4.0.0", "morgan": "^1.10.0", - "next": "14.2.10", + "next": "^14.2.23", "ora": "^8.0.1", "parse5": "7.1.2", "quick-lru": "7.0.0", From 7c8e544172880afa7a7c76f6d233006eceef3659 Mon Sep 17 00:00:00 2001 From: Chris Gavin Date: Thu, 9 Jan 2025 16:53:25 +0000 Subject: [PATCH 3/5] Send the right `robots.txt` from the production domain. (#53822) Co-authored-by: Kevin Heis --- src/frame/middleware/robots.ts | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/src/frame/middleware/robots.ts b/src/frame/middleware/robots.ts index 5cfc0cd63cad..bbec96077d4e 100644 --- a/src/frame/middleware/robots.ts +++ b/src/frame/middleware/robots.ts 
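Review bot: In the package.json hunk (and the matching root entry in package-lock.json), `next` moves from the exact pin `"14.2.10"` to the caret range `"^14.2.23"`, so this changes the pinning policy as well as the version, which the commit title does not mention. The lockfile still records 14.2.23 with integrity hashes, so installs that honour the lockfile are unaffected. Any lockfile regeneration or automated update can now move the framework to a later 14.x release without a package.json change to review. If the earlier exact pin was deliberate, keep it with `"next": "14.2.23"`; otherwise say in the description that the range is intended.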
@@ -15,8 +15,14 @@ export default function robots(req: ExtendedRequest, res: Response, next: NextFu defaultCacheControl(res) + const host = req.get('x-host') || req.get('x-forwarded-host') || req.get('host') + // only include robots.txt when it's our production domain and adding localhost for robots-txt.js test - if (req.hostname === 'docs.github.com' || req.hostname === '127.0.0.1') { + if ( + host === 'docs.github.com' || + req.hostname === 'docs.github.com' || + req.hostname === '127.0.0.1' + ) { return res.send(defaultResponse) } From 145ef881a16c888461cfb18cd70f318093b52045 Mon Sep 17 00:00:00 2001 From: Patrick Knight Date: Thu, 9 Jan 2025 11:12:01 -0600 Subject: [PATCH 4/5] First take at creating the enterprise code rulesets docs content. (#53432) Co-authored-by: Isaac Brown <101839405+isaacmbrown@users.noreply.github.com> Co-authored-by: isaacmbrown --- .../enforcing-policies-for-code-governance.md | 149 ++++++++++++++++++ .../index.md | 2 + .../managing-policies-for-code-governance.md | 83 ++++++++++ .../managing-rulesets/about-rulesets.md | 2 +- data/features/enterprise-code-rulesets.yml | 4 + .../repositories/create-ruleset-step.md | 3 +- .../import-a-ruleset-conceptual.md | 2 +- .../push-rules-fork-network-note.md | 2 +- 8 files changed, 242 insertions(+), 5 deletions(-) create mode 100644 content/admin/enforcing-policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-code-governance.md create mode 100644 content/admin/enforcing-policies/enforcing-policies-for-your-enterprise/managing-policies-for-code-governance.md create mode 100644 data/features/enterprise-code-rulesets.yml diff --git a/content/admin/enforcing-policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-code-governance.md b/content/admin/enforcing-policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-code-governance.md new file mode 100644 index 000000000000..d6bb07cae274 --- /dev/null 
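Review bot: In src/frame/middleware/robots.ts the new `host` value prefers `x-host` and `x-forwarded-host` over `host`, and both are ordinary request headers that a client can set unless the proxy in front of this server strips or overwrites them. The `host === 'docs.github.com'` branch therefore lets a request to a non-production hostname receive the production robots response. Because `defaultCacheControl(res)` runs before the check, that response could also be cached for other visitors if the cache key ignores these headers, which is not visible here. I would document the trust assumption next to the lookup, for example `// x-host is set by our edge proxy and overwritten on every request; it is never client-supplied`. If that guarantee does not hold, compare only `req.hostname` and let Express's `trust proxy` setting decide whether `X-Forwarded-Host` is honoured. The body of `robots` starts and ends outside the hunk.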
+++ b/content/admin/enforcing-policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-code-governance.md 
@@ -0,0 +1,149 @@ +--- +title: Enforcing code governance in your enterprise with rulesets +allowTitleToDifferFromFilename: true +intro: 'You can create a ruleset to target multiple repositories in your enterprise.' +versions: + feature: enterprise-code-rulesets +permissions: 'Enterprise owners' +shortTitle: Create rulesets +type: how_to +topics: + - Enterprise + - Policies + - Repositories + - Security +--- + +## Introduction + +>[!NOTE] Enterprise code rulesets are currently in public preview and subject to change. + +You can create rulesets to control how users can interact with code in repositories across your enterprise. You can: + +* Create a **branch or tag ruleset** to control things like who can push commits to a certain branch, how commits must be formatted, or who can delete or rename a tag. +* Create a **push ruleset** to block pushes to a private or internal repository and the repository's entire fork network. Push rulesets allow you to block pushes based on file extensions, file path lengths, file and folder paths, and file sizes. + +To learn more, see [AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets). + +## Importing prebuilt rulesets + +To import a prebuilt ruleset created by {% data variables.product.company_short %}, see [`github/ruleset-recipes`](https://github.com/github/ruleset-recipes). + +{% ifversion repo-rules-management %} +{% data reusables.repositories.import-a-ruleset-conceptual %} For more information, see "[AUTOTITLE](/organizations/managing-organization-settings/managing-rulesets-for-repositories-in-your-organization#using-ruleset-history)." +{% endif %} + +## How will I define where my ruleset applies? + +Rulesets allow you to flexibly target the organizations, repositories, and branches where you want rules to apply. + +* To target **organizations**, you can select all, choose from a list, or define a dynamic pattern for organization names using `fnmatch` syntax. 
For syntax details, see [AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/creating-rulesets-for-a-repository#using-fnmatch-syntax). +* Within those organizations, you can target all **repositories**, or target a dynamic list by custom property. See [AUTOTITLE](/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization). +* Within the repositories, you can target certain **branches or tags**: all branches, the default branch, or a dynamic list using `fnmatch` syntax. + +When you create a ruleset that targets branches in a repository, repository administrators can no longer rename branches or change the default branch in the targeted repository. They can still create and delete branches if they have the appropriate permissions. + +## How can I control the format of commits? + +In branch or tag rulesets, you can add a rule that restricts the format of commit metadata such as commit message or author email. + +If you select **Must match a given regex pattern restriction**, you can use regular expression syntax to define patterns that the metadata must or must not match. For syntax details and examples, see [AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/creating-rulesets-for-a-repository#using-regular-expressions-for-commit-metadata). + +## Using ruleset enforcement statuses + +{% data reusables.repositories.rulesets-about-enforcement-statuses %} + +## Creating a branch or tag ruleset + +{% data reusables.enterprise-accounts.access-enterprise %} +{% data reusables.enterprise-accounts.policies-tab %} +1. Under "Policies", click **Code**. 
+{% data reusables.repositories.create-ruleset-step %} +{% data reusables.repositories.rulesets-general-step %} + +### Granting bypass permissions for your branch or tag ruleset + +You can grant certain roles, teams, or apps bypass permissions as well as the ability to approve bypass requests for your ruleset. + +The following are eligible for bypass access: +* Repository admins, organization owners, and enterprise owners +* The maintain or write role, or deploy keys. + +1. To grant bypass permissions for the ruleset, in the "Bypass list" section, click **Add bypass**. + +1. In the "Add bypass" modal dialog that appears, search for the role, team, or app you would like to grant bypass permissions, then select the role, team, or app from the "Suggestions" section and click Add Selected. + +{% data reusables.repositories.rulesets-branch-tag-bypass-optional-step %} + +### Choosing which organizations to target in your enterprise + +Select all organizations, choose a selection of existing organizations, or set a dynamic list by name. If you use {% data variables.product.prodname_emus %}, you can also choose to target all repositories owned by users in your enterprise. + +If you set a dynamic list, you'll add one or more naming patterns using `fnmatch` syntax. For example, the string `*open-source` would match any organization with a name that ends with `open-source`. For syntax details, see "[AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/creating-rulesets-for-a-repository#using-fnmatch-syntax)." + +### Choosing which repositories to target in your enterprise + +Within the selected organizations, you can target all repositories or target a dynamic list by custom property. See [AUTOTITLE](/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization). 
+ +### Choosing which branches or tags to target + +{% data reusables.repositories.rulesets-target-branches %} + +### Selecting branch or tag protections + +In the "Branch protections" or "Tag protections" section, select the rules you want to include in the ruleset. When you select a rule, you may be able to enter additional settings for the rule. For more information on the rules, see "[AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/available-rules-for-rulesets)" + +### Adding metadata restrictions + +{% data reusables.repositories.rulesets-metadata-step %} + +### Finalizing your branch or tag ruleset and next steps + +{% data reusables.repositories.rulesets-create-and-insights-step %} + +{% ifversion push-rulesets %} + +## Creating a push ruleset + +{% data reusables.repositories.push-rules-fork-network-note %} + +You can create a push ruleset for private or internal repositories in your enterprise. + +{% data reusables.enterprise-accounts.access-enterprise %} +1. In the left sidebar, in the "Policies" section, click **Code**. +1. Click **New ruleset**. +1. Click **New push ruleset**. +1. Under "Ruleset name," type a name for the ruleset. +1. Optionally, to change the default enforcement status, click **Disabled** and select an enforcement status. For more information about enforcement statuses, see [AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets) + +### Granting bypass permissions for your push ruleset + +>[!NOTE] Bypass permissions for push rulesets that target a repository will be inherited by the entire fork network for this repository. {% data reusables.repositories.rulesets-push-rulesets-bypass-permissions %} + +You can grant certain roles, teams, or apps bypass permissions as well as the ability to approve bypass requests for your ruleset. 
The following are eligible for bypass access: + +* Repository admins, organization owners, and enterprise owners +* The maintain or write role, or deploy keys + +1. To grant bypass permissions for the ruleset, in the "Bypass list" section, click **Add bypass**. +1. In the "Add bypass" modal dialog that appears, search for the role, team, or app you would like to grant bypass permissions, then select the role, team, or app from the "Suggestions" section and click Add Selected. + +### Choosing which organizations to target in your enterprise + +Select all organizations, choose a selection of existing organizations, or set a dynamic list by name. If you use {% data variables.product.prodname_emus %}, you can also choose to target all repositories owned by users in your enterprise. + +If you set a dynamic list, you'll add one or more naming patterns using `fnmatch` syntax. For example, the string `*open-source` would match any organization with a name that ends with `open-source`. For syntax details, see "[AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/creating-rulesets-for-a-repository#using-fnmatch-syntax)." + +### Choosing which repositories to target in your enterprise + +Within your chosen organizations, you can target all repositories, or target a dynamic list using custom properties. See [AUTOTITLE](/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization). + +### Selecting push protections + +{% data reusables.repositories.rulesets-push-rules-step %} + +### Finalizing your push ruleset and next steps + +{% data reusables.repositories.rulesets-create-and-insights-step %} + +{% endif %} diff --git a/content/admin/enforcing-policies/enforcing-policies-for-your-enterprise/index.md b/content/admin/enforcing-policies/enforcing-policies-for-your-enterprise/index.md index 6b8414d2ec58..4b6d5ea647a5 100644 
--- a/content/admin/enforcing-policies/enforcing-policies-for-your-enterprise/index.md +++ b/content/admin/enforcing-policies/enforcing-policies-for-your-enterprise/index.md @@ -25,6 +25,8 @@ children: - /enforcing-policies-for-github-codespaces-in-your-enterprise - /enforcing-policies-for-code-security-and-analysis-for-your-enterprise - /enforcing-policies-for-personal-access-tokens-in-your-enterprise + - /enforcing-policies-for-code-governance + - /managing-policies-for-code-governance shortTitle: Enforce policies --- diff --git a/content/admin/enforcing-policies/enforcing-policies-for-your-enterprise/managing-policies-for-code-governance.md b/content/admin/enforcing-policies/enforcing-policies-for-your-enterprise/managing-policies-for-code-governance.md new file mode 100644 index 000000000000..ea36de1701f6 --- /dev/null +++ b/content/admin/enforcing-policies/enforcing-policies-for-your-enterprise/managing-policies-for-code-governance.md 
@@ -0,0 +1,83 @@ +--- +title: Managing code rulesets for repositories in your enterprise +intro: 'You can edit, monitor, and delete existing rulesets to alter how people can interact with repositories in your enterprise.' +allowTitleToDifferFromFilename: true +versions: + feature: enterprise-code-rulesets +permissions: 'Enterprise owners' +shortTitle: Manage rulesets +--- + +After creating a ruleset at the enterprise level, you can make changes to the ruleset to alter how people can interact with the targeted repositories. For example, you can: + +* Add rules to better protect the branches or tags in those repositories +* Switch your ruleset from "Evaluate" mode to "Active" after testing its effects on the contributor experience + +{% data reusables.repositories.rulesets-anyone-can-view %} + +{% ifversion push-rule-delegated-bypass %} + +## About delegated bypass + +{% data reusables.repositories.about-push-rule-delegated-bypass %} + +{% endif %} + +## Editing a ruleset + +You can edit a ruleset to change parts of the ruleset, such as the name, bypass permissions, or rules. You can also edit a ruleset to change its status, such as if you want to enable or temporarily disable a ruleset. + +{% data reusables.enterprise-accounts.access-enterprise %} +1. In the left sidebar, in the "Policies" section, click **Code**, then click **Rulesets**. +1. On the "Rulesets" page, click the name of the ruleset you want to edit. +1. Change the ruleset as required. + + For information on the available rules, see "[AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/available-rules-for-rulesets)" + +1. At the bottom of the page, click **Save changes**. + +## Deleting a ruleset + +{% data reusables.repositories.rulesets-anyone-can-view %} + +{% data reusables.enterprise-accounts.access-enterprise %} +1. In the left sidebar, in the "Policies" section, click **Code**, then click **Rulesets**. +1. 
To the right of the ruleset's name, select {% octicon "kebab-horizontal" aria-label="Open additional options" %}, then click **{% octicon "trash" aria-hidden="true" %} Delete ruleset**. + +## Using ruleset history + +{% data reusables.repositories.ruleset-beta-note %} + +{% data reusables.repositories.ruleset-history-conceptual %} + +{% data reusables.enterprise-accounts.access-enterprise %} +1. In the left sidebar, in the "Policies" section, click **Code**, then click **Rulesets**. +1. To view the history of changes to the ruleset, select {% octicon "kebab-horizontal" aria-label="Open additional options" %} to the right of the ruleset's name, then click **{% octicon "history" aria-hidden="true" %} History**. +1. To the right of the specific iteration, select {% octicon "kebab-horizontal" aria-label="Open additional options" %}, then click **Compare changes**, **Restore**, or **Download**. + +## Importing a ruleset + +You can import a ruleset from another repository, organization or enterprise using the exported JSON file from the previous section. This can be useful if you want to apply the same ruleset to multiple repositories, organizations or enterprises. + +{% data reusables.enterprise-accounts.access-enterprise %} +1. In the left sidebar, in the "Policies" section, click **Code**, then click **Rulesets**. +1. Select the **New ruleset** dropdown, then click **Import a ruleset**. +1. Open the exported JSON file. +1. Review the imported ruleset and click **Create**. + +## Viewing insights for rulesets + +You can view insights for rulesets to see how rulesets are affecting the repositories in your enterprise. {% data reusables.repositories.about-ruleset-insights %} + +If a ruleset is running in "Evaluate" mode, you can see actions that would have passed or failed if the ruleset had been active. + +{% data reusables.enterprise-accounts.access-enterprise %} +1. In the left sidebar, in the "Policies" section, click **Code**, then click **Rulesets**. +1. 
On the "Rule insights" page, use the dropdown menus at the top of the page to filter the actions by ruleset, repository, actor, and time period. +1. To see which specific rules failed or required a bypass, click {% octicon "kebab-horizontal" aria-label="View rule runs" %}, then expand the name of the ruleset. + +{% ifversion push-rule-delegated-bypass %} + +{% data reusables.repositories.managing-delegated-bypass %} + +{% endif %} diff --git a/content/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets.md b/content/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets.md index b567e9988f4f..dae01d187de8 100644 --- a/content/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets.md +++ b/content/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets.md 
@@ -18,7 +18,7 @@ When you create a ruleset, you can allow certain users to bypass the rules in th {% ifversion not ghes %} -For organizations on the {% data variables.product.prodname_enterprise %} plan, you can set up rulesets at the organization level to target multiple repositories in your organization. For more information, see [AUTOTITLE](/organizations/managing-organization-settings/managing-rulesets-for-repositories-in-your-organization){% ifversion ghec %}."{% else %} in the {% data variables.product.prodname_ghe_cloud %} documentation.{% endif %} +For organizations on the {% data variables.product.prodname_enterprise %} plan, you can set up rulesets at the {% ifversion enterprise-code-rulesets %} enterprise or {% endif %}organization level to target multiple repositories in your organization. See [AUTOTITLE](/enterprise-cloud@latest/organizations/managing-organization-settings/managing-rulesets-for-repositories-in-your-organization){% ifversion not ghec %} in the {% data variables.product.prodname_ghe_cloud %} documentation{% endif %}. {% endif %} diff --git a/data/features/enterprise-code-rulesets.yml b/data/features/enterprise-code-rulesets.yml new file mode 100644 index 000000000000..db8739941b3d --- /dev/null +++ b/data/features/enterprise-code-rulesets.yml @@ -0,0 +1,4 @@ +# Reference: #16569 +# Enterprise code rulesets +versions: + ghec: '*' diff --git a/data/reusables/repositories/create-ruleset-step.md b/data/reusables/repositories/create-ruleset-step.md index ae507c7511dd..c2ecd2c69ac5 100644 --- a/data/reusables/repositories/create-ruleset-step.md +++ b/data/reusables/repositories/create-ruleset-step.md 
@@ -1,7 +1,6 @@ {%- ifversion push-rulesets %} 1. Click **New ruleset**. -1. To create a ruleset targeting branches, click **New branch ruleset**. -1. Alternatively, to create a ruleset targeting tags, click **New tag ruleset**. +1. To create a ruleset targeting branches, click **New branch ruleset**. Alternatively, to create a ruleset targeting tags, click **New tag ruleset**. {% else %} 1. You can create a ruleset targeting branches, or a ruleset targeting tags. * To create a ruleset targeting branches, click **New branch ruleset**. diff --git a/data/reusables/repositories/import-a-ruleset-conceptual.md b/data/reusables/repositories/import-a-ruleset-conceptual.md index b002fbac6bd7..66f51a4e8e56 100644 --- a/data/reusables/repositories/import-a-ruleset-conceptual.md +++ b/data/reusables/repositories/import-a-ruleset-conceptual.md @@ -1 +1 @@ -You can import a ruleset from another repository or organization using a JSON file. This can be useful if you want to apply the same ruleset to multiple repositories or organizations. +You can import an existing ruleset using a JSON file. This can be useful if you want to apply the same ruleset to multiple repositories or organizations. diff --git a/data/reusables/repositories/push-rules-fork-network-note.md b/data/reusables/repositories/push-rules-fork-network-note.md index 51b2da98df4f..78f2b1bd0a59 100644 --- a/data/reusables/repositories/push-rules-fork-network-note.md +++ b/data/reusables/repositories/push-rules-fork-network-note.md @@ -1,2 +1,2 @@ > [!NOTE] -> This ruleset will enforce push restrictions for this repository's entire fork network. +> This ruleset will enforce push restrictions for a repository's entire fork network. From 4a2264eeff177916451fca805cefec1276134e51 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 9 Jan 2025 09:48:19 -0800 Subject: [PATCH 5/5] Bump commander from 12.1.0 to 13.0.0 (#53746) 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- package-lock.json | 19 +++++++++++++++---- package.json | 2 +- 2 files changed, 16 insertions(+), 5 deletions(-) diff --git a/package-lock.json b/package-lock.json index 7a46a9b0847d..7551534ec9fe 100644 --- a/package-lock.json +++ b/package-lock.json @@ -133,7 +133,7 @@ "@typescript-eslint/parser": "^8.7.0", "chalk": "^5.0.1", "change-case": "^5.4.4", - "commander": "^12.1.0", + "commander": "^13.0.0", "cross-env": "^7.0.3", "csp-parse": "0.0.2", "csv-parse": "5.5.6", @@ -4817,10 +4817,11 @@ } }, "node_modules/commander": { - "version": "12.1.0", - "resolved": "https://registry.npmjs.org/commander/-/commander-12.1.0.tgz", - "integrity": "sha512-Vw8qHK3bZM9y/P10u3Vib8o/DdkvA2OtPtZvD871QKjy74Wj1WSKFILMPRPSdUSx5RFK1arlJzEtA4PkFgnbuA==", + "version": "13.0.0", + "resolved": "https://registry.npmjs.org/commander/-/commander-13.0.0.tgz", + "integrity": "sha512-oPYleIY8wmTVzkvQq10AEok6YcTC4sRUBl8F9gVuwchGVUCTbl/vhLTaQqutuuySYOsu8YTgV+OxKc/8Yvx+mQ==", "dev": true, + "license": "MIT", "engines": { "node": ">=18" } @@ -9202,6 +9203,16 @@ "url": "https://opencollective.com/lint-staged" } }, + "node_modules/lint-staged/node_modules/commander": { + "version": "12.1.0", + "resolved": "https://registry.npmjs.org/commander/-/commander-12.1.0.tgz", + "integrity": "sha512-Vw8qHK3bZM9y/P10u3Vib8o/DdkvA2OtPtZvD871QKjy74Wj1WSKFILMPRPSdUSx5RFK1arlJzEtA4PkFgnbuA==", + "dev": true, + "license": "MIT", + "engines": { + "node": ">=18" + } + }, "node_modules/lint-staged/node_modules/debug": { "version": "4.3.6", "resolved": "https://registry.npmjs.org/debug/-/debug-4.3.6.tgz", diff --git a/package.json b/package.json index 967eaeab1657..30ce006ff4ad 100644 --- a/package.json +++ b/package.json 
@@ -369,7 +369,7 @@ "@typescript-eslint/parser": "^8.7.0", "chalk": "^5.0.1", "change-case": "^5.4.4", - "commander": "^12.1.0", + "commander": "^13.0.0", "cross-env": "^7.0.3", "csp-parse": "0.0.2", "csv-parse": "5.5.6",