Repo sync

content/actions/security-for-github-actions/using-artifact-attestations/enforcing-artifact-attestations-with-a-kubernetes-admission-controller.md

@@ -55,7 +55,7 @@ First, install the Helm chart that deploys the Sigstore Policy Controller:
 helm upgrade policy-controller --install --atomic \
   --create-namespace --namespace artifact-attestations \
   oci://ghcr.io/github/artifact-attestations-helm-charts/policy-controller \
-  --version v0.10.0-github9
+  --version v0.12.0-github10
 ```
 
 This installs the Policy Controller into the `artifact-attestations` namespace. At this point, no policies have been configured, and it will not enforce any attestations.
@@ -139,7 +139,7 @@ To see the full set of options you may configure with the Helm chart, you can ru
 For policy controller options:
 
 ```bash copy
-helm show values oci://ghcr.io/github/artifact-attestations-helm-charts/policy-controller --version v0.10.0-github9
+helm show values oci://ghcr.io/github/artifact-attestations-helm-charts/policy-controller --version v0.12.0-github10
 ```
 
 For trust policy options:

content/admin/enforcing-policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-code-governance.md

@@ -0,0 +1,149 @@
+---
+title: Enforcing code governance in your enterprise with rulesets
+allowTitleToDifferFromFilename: true
+intro: 'You can create a ruleset to target multiple repositories in your enterprise.'
+versions:
+  feature: enterprise-code-rulesets
+permissions: 'Enterprise owners'
+shortTitle: Create rulesets
+type: how_to
+topics:
+  - Enterprise
+  - Policies
+  - Repositories
+  - Security
+---
+
+## Introduction
+
+>[!NOTE] Enterprise code rulesets are currently in public preview and subject to change.
+
+You can create rulesets to control how users can interact with code in repositories across your enterprise. You can:
+
+* Create a **branch or tag ruleset** to control things like who can push commits to a certain branch, how commits must be formatted, or who can delete or rename a tag.
+* Create a **push ruleset** to block pushes to a private or internal repository and the repository's entire fork network. Push rulesets allow you to block pushes based on file extensions, file path lengths, file and folder paths, and file sizes.
+
+To learn more, see [AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets).
+
+## Importing prebuilt rulesets
+
+To import a prebuilt ruleset created by {% data variables.product.company_short %}, see [`github/ruleset-recipes`](https://github.com/github/ruleset-recipes).
+
+{% ifversion repo-rules-management %}
+{% data reusables.repositories.import-a-ruleset-conceptual %} For more information, see "[AUTOTITLE](/organizations/managing-organization-settings/managing-rulesets-for-repositories-in-your-organization#using-ruleset-history)."
+{% endif %}
+
+## How will I define where my ruleset applies?
+
+Rulesets allow you to flexibly target the organizations, repositories, and branches where you want rules to apply.
+
+* To target **organizations**, you can select all, choose from a list, or define a dynamic pattern for organization names using `fnmatch` syntax. For syntax details, see [AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/creating-rulesets-for-a-repository#using-fnmatch-syntax).
+* Within those organizations, you can target all **repositories**, or target a dynamic list by custom property. See [AUTOTITLE](/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization).
+* Within the repositories, you can target certain **branches or tags**: all branches, the default branch, or a dynamic list using `fnmatch` syntax.
+
+When you create a ruleset that targets branches in a repository, repository administrators can no longer rename branches or change the default branch in the targeted repository. They can still create and delete branches if they have the appropriate permissions.
+
+## How can I control the format of commits?
+
+In branch or tag rulesets, you can add a rule that restricts the format of commit metadata such as commit message or author email.
+
+If you select **Must match a given regex pattern restriction**, you can use regular expression syntax to define patterns that the metadata must or must not match. For syntax details and examples, see [AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/creating-rulesets-for-a-repository#using-regular-expressions-for-commit-metadata).
+
+## Using ruleset enforcement statuses
+
+{% data reusables.repositories.rulesets-about-enforcement-statuses %}
+
+## Creating a branch or tag ruleset
+
+{% data reusables.enterprise-accounts.access-enterprise %}
+{% data reusables.enterprise-accounts.policies-tab %}
+1. Under "Policies", click **Code**.
+{% data reusables.repositories.create-ruleset-step %}
+{% data reusables.repositories.rulesets-general-step %}
+
+### Granting bypass permissions for your branch or tag ruleset
+
+You can grant certain roles, teams, or apps bypass permissions as well as the ability to approve bypass requests for your ruleset.
+
+The following are eligible for bypass access:
+* Repository admins, organization owners, and enterprise owners
+* The maintain or write role, or deploy keys.
+
+1. To grant bypass permissions for the ruleset, in the "Bypass list" section, click **Add bypass**.
+
+1. In the "Add bypass" modal dialog that appears, search for the role, team, or app you would like to grant bypass permissions, then select the role, team, or app from the "Suggestions" section and click Add Selected.
+
+{% data reusables.repositories.rulesets-branch-tag-bypass-optional-step %}
+
+### Choosing which organizations to target in your enterprise
+
+Select all organizations, choose a selection of existing organizations, or set a dynamic list by name. If you use {% data variables.product.prodname_emus %}, you can also choose to target all repositories owned by users in your enterprise.
+
+If you set a dynamic list, you'll add one or more naming patterns using `fnmatch` syntax. For example, the string `*open-source` would match any organization with a name that ends with `open-source`. For syntax details, see "[AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/creating-rulesets-for-a-repository#using-fnmatch-syntax)."
+
+### Choosing which repositories to target in your enterprise
+
+Within the selected organizations, you can target all repositories or target a dynamic list by custom property. See [AUTOTITLE](/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization).
+
+### Choosing which branches or tags to target
+
+{% data reusables.repositories.rulesets-target-branches %}
+
+### Selecting branch or tag protections
+
+In the "Branch protections" or "Tag protections" section, select the rules you want to include in the ruleset. When you select a rule, you may be able to enter additional settings for the rule. For more information on the rules, see "[AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/available-rules-for-rulesets)"
+
+### Adding metadata restrictions
+
+{% data reusables.repositories.rulesets-metadata-step %}
+
+### Finalizing your branch or tag ruleset and next steps
+
+{% data reusables.repositories.rulesets-create-and-insights-step %}
+
+{% ifversion push-rulesets %}
+
+## Creating a push ruleset
+
+{% data reusables.repositories.push-rules-fork-network-note %}
+
+You can create a push ruleset for private or internal repositories in your enterprise.
+
+{% data reusables.enterprise-accounts.access-enterprise %}
+1. In the left sidebar, in the "Policies" section, click **Code**.
+1. Click **New ruleset**.
+1. Click **New push ruleset**.
+1. Under "Ruleset name," type a name for the ruleset.
+1. Optionally, to change the default enforcement status, click **Disabled** and select an enforcement status. For more information about enforcement statuses, see [AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets)
+
+### Granting bypass permissions for your push ruleset
+
+>[!NOTE] Bypass permissions for push rulesets that target a repository will be inherited by the entire fork network for this repository. {% data reusables.repositories.rulesets-push-rulesets-bypass-permissions %}
+
+You can grant certain roles, teams, or apps bypass permissions as well as the ability to approve bypass requests for your ruleset. The following are eligible for bypass access:
+
+* Repository admins, organization owners, and enterprise owners
+* The maintain or write role, or deploy keys
+
+1. To grant bypass permissions for the ruleset, in the "Bypass list" section, click **Add bypass**.
+1. In the "Add bypass" modal dialog that appears, search for the role, team, or app you would like to grant bypass permissions, then select the role, team, or app from the "Suggestions" section and click Add Selected.
+
+### Choosing which organizations to target in your enterprise
+
+Select all organizations, choose a selection of existing organizations, or set a dynamic list by name. If you use {% data variables.product.prodname_emus %}, you can also choose to target all repositories owned by users in your enterprise.
+
+If you set a dynamic list, you'll add one or more naming patterns using `fnmatch` syntax. For example, the string `*open-source` would match any organization with a name that ends with `open-source`. For syntax details, see "[AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/creating-rulesets-for-a-repository#using-fnmatch-syntax)."
+
+### Choosing which repositories to target in your enterprise
+
+Within your chosen organizations, you can target all repositories, or target a dynamic list using custom properties. See [AUTOTITLE](/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization).
+
+### Selecting push protections
+
+{% data reusables.repositories.rulesets-push-rules-step %}
+
+### Finalizing your push ruleset and next steps
+
+{% data reusables.repositories.rulesets-create-and-insights-step %}
+
+{% endif %}

content/admin/enforcing-policies/enforcing-policies-for-your-enterprise/index.md

@@ -25,6 +25,8 @@ children:
   - /enforcing-policies-for-github-codespaces-in-your-enterprise
   - /enforcing-policies-for-code-security-and-analysis-for-your-enterprise
   - /enforcing-policies-for-personal-access-tokens-in-your-enterprise
+  - /enforcing-policies-for-code-governance
+  - /managing-policies-for-code-governance
 shortTitle: Enforce policies
 ---
 

content/admin/enforcing-policies/enforcing-policies-for-your-enterprise/managing-policies-for-code-governance.md

@@ -0,0 +1,83 @@
+---
+title: Managing code rulesets for repositories in your enterprise
+intro: 'You can edit, monitor, and delete existing rulesets to alter how people can interact with repositories in your enterprise.'
+allowTitleToDifferFromFilename: true
+versions:
+  feature: enterprise-code-rulesets
+permissions: 'Enterprise owners'
+shortTitle: Manage rulesets
+---
+
+After creating a ruleset at the enterprise level, you can make changes to the ruleset to alter how people can interact with the targeted repositories. For example, you can:
+
+* Add rules to better protect the branches or tags in those repositories
+* Switch your ruleset from "Evaluate" mode to "Active" after testing its effects on the contributor experience
+
+{% data reusables.repositories.rulesets-anyone-can-view %}
+
+{% ifversion push-rule-delegated-bypass %}
+
+## About delegated bypass
+
+{% data reusables.repositories.about-push-rule-delegated-bypass %}
+
+{% endif %}
+
+## Editing a ruleset
+
+You can edit a ruleset to change parts of the ruleset, such as the name, bypass permissions, or rules. You can also edit a ruleset to change its status, such as if you want to enable or temporarily disable a ruleset.
+
+{% data reusables.enterprise-accounts.access-enterprise %}
+1. In the left sidebar, in the "Policies" section, click  **Code**, then click **Rulesets**.
+1. On the "Rulesets" page, click the name of the ruleset you want to edit.
+1. Change the ruleset as required.
+
+   For information on the available rules, see "[AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/available-rules-for-rulesets)"
+
+1. At the bottom of the page, click **Save changes**.
+
+## Deleting a ruleset
+
+{% data reusables.repositories.rulesets-anyone-can-view %}
+
+{% data reusables.enterprise-accounts.access-enterprise %}
+1. In the left sidebar, in the "Policies" section, click **Code**, then click **Rulesets**.
+1. To the right of the ruleset's name, select {% octicon "kebab-horizontal" aria-label="Open additional options" %}, then click **{% octicon "trash" aria-hidden="true" %} Delete ruleset**.
+
+## Using ruleset history
+
+{% data reusables.repositories.ruleset-beta-note %}
+
+{% data reusables.repositories.ruleset-history-conceptual %}
+
+{% data reusables.enterprise-accounts.access-enterprise %}
+1. In the left sidebar, in the "Policies" section, click **Code**, then click **Rulesets**.
+1. To view the history of changes to the ruleset, select {% octicon "kebab-horizontal" aria-label="Open additional options" %} to the right of the ruleset's name, then click **{% octicon "history" aria-hidden="true" %} History**.
+1. To the right of the specific iteration, select {% octicon "kebab-horizontal" aria-label="Open additional options" %}, then click **Compare changes**, **Restore**, or **Download**.
+
+## Importing a ruleset
+
+You can import a ruleset from another repository, organization or enterprise using the exported JSON file from the previous section. This can be useful if you want to apply the same ruleset to multiple repositories, organizations or enterprises.
+
+{% data reusables.enterprise-accounts.access-enterprise %}
+1. In the left sidebar, in the "Policies" section, click **Code**, then click **Rulesets**.
+1. Select the **New ruleset** dropdown, then click **Import a ruleset**.
+1. Open the exported JSON file.
+1. Review the imported ruleset and click **Create**.
+
+## Viewing insights for rulesets
+
+You can view insights for rulesets to see how rulesets are affecting the repositories in your enterprise. {% data reusables.repositories.about-ruleset-insights %}
+
+If a ruleset is running in "Evaluate" mode, you can see actions that would have passed or failed if the ruleset had been active.
+
+{% data reusables.enterprise-accounts.access-enterprise %}
+1. In the left sidebar, in the "Policies" section, click **Code**, then click **Rulesets**.
+1. On the "Rule insights" page, use the dropdown menus at the top of the page to filter the actions by ruleset, repository, actor, and time period.
+1. To see which specific rules failed or required a bypass, click {% octicon "kebab-horizontal" aria-label="View rule runs" %}, then expand the name of the ruleset.
+
+{% ifversion push-rule-delegated-bypass %}
+
+{% data reusables.repositories.managing-delegated-bypass %}
+
+{% endif %}

content/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets.md

@@ -18,7 +18,7 @@ When you create a ruleset, you can allow certain users to bypass the rules in th
 
 {% ifversion not ghes %}
 
-For organizations on the {% data variables.product.prodname_enterprise %} plan, you can set up rulesets at the organization level to target multiple repositories in your organization. For more information, see [AUTOTITLE](/organizations/managing-organization-settings/managing-rulesets-for-repositories-in-your-organization){% ifversion ghec %}."{% else %} in the {% data variables.product.prodname_ghe_cloud %} documentation.{% endif %}
+For organizations on the {% data variables.product.prodname_enterprise %} plan, you can set up rulesets at the {% ifversion enterprise-code-rulesets %} enterprise or {% endif %}organization level to target multiple repositories in your organization. See [AUTOTITLE](/enterprise-cloud@latest/organizations/managing-organization-settings/managing-rulesets-for-repositories-in-your-organization){% ifversion not ghec %} in the {% data variables.product.prodname_ghe_cloud %} documentation{% endif %}.
 
 {% endif %}
 

data/features/enterprise-code-rulesets.yml

@@ -0,0 +1,4 @@
+# Reference: #16569
+# Enterprise code rulesets
+versions:
+  ghec: '*'

data/reusables/repositories/create-ruleset-step.md

@@ -1,11 +1,10 @@
 {%- ifversion push-rulesets %}
 1. Click **New ruleset**.
-1. To create a ruleset targeting branches, click **New branch ruleset**.
-1. Alternatively, to create a ruleset targeting tags, click **New tag ruleset**.
+1. To create a ruleset targeting branches, click **New branch ruleset**. Alternatively, to create a ruleset targeting tags, click **New tag ruleset**.
 {% else %}
 1. You can create a ruleset targeting branches, or a ruleset targeting tags.
    * To create a ruleset targeting branches, click **New branch ruleset**.
    * To create a ruleset targeting tags, select {% octicon "triangle-down" aria-label="Open ruleset creation menu" %}, then click **New tag ruleset**.
 
      ![Screenshot of the "Rulesets" page. Next to the "New branch ruleset" button, a dropdown menu is expanded, with an option labeled "New tag ruleset" outlined in orange.](/assets/images/help/repository/new-tag-ruleset.png)
 {% endif %}

data/reusables/repositories/import-a-ruleset-conceptual.md

@@ -1 +1 @@
-You can import a ruleset from another repository or organization using a JSON file. This can be useful if you want to apply the same ruleset to multiple repositories or organizations.
+You can import an existing ruleset using a JSON file. This can be useful if you want to apply the same ruleset to multiple repositories or organizations.

data/reusables/repositories/push-rules-fork-network-note.md

@@ -1,2 +1,2 @@
 > [!NOTE]
-> This ruleset will enforce push restrictions for this repository's entire fork network.
+> This ruleset will enforce push restrictions for a repository's entire fork network.