Repo sync #34665

Merged
merged 3 commits into from
Sep 20, 2024
Expand Up @@ -16,7 +16,7 @@ versions:

## About re-running workflows and jobs

Re-running a workflow{% ifversion re-run-jobs %} or jobs in a workflow{% endif %} uses the same `GITHUB_SHA` (commit SHA) and `GITHUB_REF` (Git ref) of the original event that triggered the workflow run. {% ifversion actions-stable-actor-ids %}The workflow will use the privileges of the actor who initially triggered the workflow, not the privileges of the actor who initiated the re-run. {% endif %}You can re-run a workflow{% ifversion re-run-jobs %} or jobs in a workflow{% endif %} for up to 30 days after the initial run.{% ifversion re-run-jobs %} You cannot re-run jobs in a workflow once its logs have passed their retention limits. For more information, see "[AUTOTITLE](/actions/learn-github-actions/usage-limits-billing-and-administration#artifact-and-log-retention-policy)."{% endif %}{% ifversion debug-reruns %} When you re-run a workflow or jobs in a workflow, you can enable debug logging for the re-run. This will enable runner diagnostic logging and step debug logging for the re-run. For more information about debug logging, see "[AUTOTITLE](/actions/monitoring-and-troubleshooting-workflows/enabling-debug-logging)."{% endif %}
Re-running a workflow{% ifversion re-run-jobs %} or jobs in a workflow{% endif %} uses the same `GITHUB_SHA` (commit SHA) and `GITHUB_REF` (Git ref) of the original event that triggered the workflow run. The workflow will use the privileges of the actor who initially triggered the workflow, not the privileges of the actor who initiated the re-run. You can re-run a workflow{% ifversion re-run-jobs %} or jobs in a workflow{% endif %} for up to 30 days after the initial run.{% ifversion re-run-jobs %} You cannot re-run jobs in a workflow once its logs have passed their retention limits. For more information, see "[AUTOTITLE](/actions/learn-github-actions/usage-limits-billing-and-administration#artifact-and-log-retention-policy)."{% endif %}{% ifversion debug-reruns %} When you re-run a workflow or jobs in a workflow, you can enable debug logging for the re-run. This will enable runner diagnostic logging and step debug logging for the re-run. For more information about debug logging, see "[AUTOTITLE](/actions/monitoring-and-troubleshooting-workflows/enabling-debug-logging)."{% endif %}

## Re-running all the jobs in a workflow

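Review bot: dropping the `{% ifversion actions-stable-actor-ids %}` guard makes the sentence "The workflow will use the privileges of the actor who initially triggered the workflow, not the privileges of the actor who initiated the re-run" apply to every documented version. That is a security-relevant statement about which identity a re-run executes under, so please confirm the flag is now enabled for every version this page is built for (including the oldest supported GHES) before the guard is removed; if any build still lacks the behaviour, the unconditional text would overstate the protection readers get when a re-run is started by a lower-privileged actor.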
Expand Up @@ -20,8 +20,6 @@ redirect_from:

You can use {% data variables.product.prodname_advanced_security %} features to harden security for the organizations in your enterprise. {% ifversion security-configurations %}{% data reusables.security-configurations.enable-security-features-with-gh-config %}

{% data reusables.security-configurations.security-configurations-beta-note-short %}

To manage individual {% data variables.product.prodname_GH_advanced_security %} features, {% else %}To streamline management of {% data variables.product.prodname_advanced_security %}, {% endif %}you can enable or disable each feature for all existing and/or new repositories within the organizations owned by your enterprise.

{% ifversion secret-scanning-enterprise-level-api %}{% data reusables.secret-scanning.secret-scanning-enterprise-level-api %}{% endif %}
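Review bot: this is the first of several removals of `{% data reusables.security-configurations.security-configurations-beta-note-short %}` in this PR; with the beta note gone from the articles, check whether the reusable file itself is still referenced anywhere and delete it in the same change if not, so an unused reusable does not linger for a later edit to reintroduce. The blank-line handling is correct here: one blank line remains between the paragraph ending in `enable-security-features-with-gh-config %}` and the `To manage individual ...` paragraph.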
Expand Up @@ -60,8 +60,6 @@ If you want to use {% data variables.product.prodname_GH_advanced_security %} fe
{% ifversion security-configurations %}
{% data reusables.security-configurations.managing-GHAS-licenses %}

{% data reusables.security-configurations.security-configurations-beta-note-short %}

{% endif %}

{% data reusables.advanced-security.ghas-trial-availability %} For more information, see "[AUTOTITLE](/billing/managing-billing-for-github-advanced-security/setting-up-a-trial-of-github-advanced-security)."
Expand All @@ -77,8 +75,6 @@ You can make extra features for code security available to users by buying and u
{% ifversion security-configurations %}
{% data reusables.security-configurations.managing-GHAS-licenses %}

{% data reusables.security-configurations.security-configurations-beta-note-short %}

{% endif %}

{% endif %}
Expand Up @@ -20,7 +20,6 @@ Each license for {% data variables.product.prodname_GH_advanced_security %} spec
{% ifversion security-configurations %}

{% data reusables.security-configurations.managing-GHAS-licenses %}
{% data reusables.security-configurations.security-configurations-beta-note-short %}

{% endif %}

Expand Up @@ -33,7 +33,7 @@ Each license for {% data variables.product.prodname_GH_advanced_security %} spec
You can estimate the number of licenses your enterprise would need to purchase {% data variables.product.prodname_GH_advanced_security %} or to enable {% data variables.product.prodname_GH_advanced_security %} for additional organizations and repositories. For more information, see "[AUTOTITLE](/billing/managing-billing-for-github-advanced-security/viewing-committer-information-for-github-advanced-security)."
{% endif %}

{% ifversion security-configurations-ga %}
{% ifversion security-configurations %}

{% data reusables.security-configurations.managing-GHAS-licenses %}

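Review bot: changing `{% ifversion security-configurations-ga %}` to `{% ifversion security-configurations %}` widens the condition from GA builds only to every build where security configurations exist, so `{% data reusables.security-configurations.managing-GHAS-licenses %}` now renders on versions where the feature was previously beta. That is consistent with the beta notes being dropped elsewhere in this PR, but please confirm that no other block in this file still keys on `security-configurations-ga`; otherwise two flags would be describing the same set of versions and the licensing text could render twice or inconsistently.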
Expand All @@ -54,7 +54,6 @@ You can view the enterprise account's current {% ifversion ghas-billing-UI-updat

{% ifversion security-configurations %}
{% data reusables.security-configurations.managing-GHAS-licenses %}
{% data reusables.security-configurations.security-configurations-beta-note-short %}
{% endif %}

{% elsif ghes %}
Expand Down Expand Up @@ -86,7 +85,6 @@ You can view the enterprise account's current {% ifversion ghas-billing-UI-updat
{% ifversion security-configurations %}

{% data reusables.security-configurations.managing-GHAS-licenses %}
> {% data reusables.security-configurations.security-configurations-beta-note-short %}

{% endif %}
{% endif %}
Expand Up @@ -29,16 +29,12 @@ If you haven't already enabled GHAS for your {% data variables.product.prodname_

{% endif %}

You need to enable GHAS for each pilot project, either by enabling the GHAS features for each repository or for all repositories in any organizations taking part in the pilot. For more information, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository)" or "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization)"

{% ifversion security-configurations %}

## Piloting all {% data variables.product.prodname_GH_advanced_security %} features {% ifversion security-configurations-beta-and-pre-beta %}(beta){% endif %}
## Piloting all {% data variables.product.prodname_GH_advanced_security %} features

{% data reusables.security-configurations.enable-security-features-with-gh-config %}

{% data reusables.security-configurations.security-configurations-beta-note-short %}

{% endif %}

## Piloting {% data variables.product.prodname_code_scanning %}
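Review bot: the heading no longer carries the conditional `(beta)` suffix, which matches the beta note removed directly below it. Style point on an unchanged context line: `You need to enable GHAS for each pilot project ... managing-security-and-analysis-settings-for-your-organization)"` ends without the period that this page puts after its other AUTOTITLE references; suggest `...-for-your-organization)."` while the file is being touched.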
Expand Down Expand Up @@ -82,18 +78,18 @@ To enable secret scanning for your {% data variables.product.prodname_ghe_server

{% endif %}

{% ifversion security-configurations-ga %}
{% ifversion security-configurations %}

You need to enable {% data variables.product.prodname_secret_scanning %} for each pilot project. You can do this with the {% data variables.product.prodname_github_security_configuration %}, or you can create a {% data variables.product.prodname_custom_security_configuration %}. For more information, see "[AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/applying-the-github-recommended-security-configuration-in-your-organization)" and "[AUTOTITLE](/code-security/securing-your-organization/meeting-your-specific-security-needs-with-custom-security-configurations/creating-a-custom-security-configuration)."
You need to enable {% data variables.product.prodname_secret_scanning %} and push protection for each pilot project. You can do this with the {% data variables.product.prodname_github_security_configuration %}, or you can create a {% data variables.product.prodname_custom_security_configuration %}. For more information, see "[AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/applying-the-github-recommended-security-configuration-in-your-organization)" and "[AUTOTITLE](/code-security/securing-your-organization/meeting-your-specific-security-needs-with-custom-security-configurations/creating-a-custom-security-configuration)."

{% else %}

You need to enable {% data variables.product.prodname_secret_scanning %} for each pilot project, either by enabling the feature for each repository or for all repositories in any organizations taking part in the project. For more information, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository)" or "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization)."

{% endif %}

Next, enable push protection for each pilot project.

{% endif %}

If you plan to configure a link to a resource in the message that's displayed when a developer attempts to push a blocked secret, now would be a good time to test and start to refine the guidance that you plan to make available.

{%- ifversion security-overview-push-protection-metrics-page %}
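Review bot: the `{% else %}` branch loses its push protection step. The new sentence adds `and push protection` only inside `{% ifversion security-configurations %}`, while the removed line `Next, enable push protection for each pilot project.` sat after `{% endif %}` and so applied to both branches. Readers on versions without security configurations (the branch beginning `You need to enable {% data variables.product.prodname_secret_scanning %} for each pilot project, either by enabling...`) are now never told to enable push protection, yet the paragraph that follows about the message shown when a developer attempts to push a blocked secret assumes it is on. Suggest adding `and push protection` to the `{% else %}` paragraph as well, or restoring the removed sentence inside that branch. Also confirm that the `{% endif %}` remaining after the deleted sentence still pairs with an `ifversion` opened above this hunk, since the hunk now shows two closers separated only by a blank line.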
Expand Up @@ -19,8 +19,6 @@ This article is part of a series on adopting {% data variables.product.prodname_

{% data reusables.security-configurations.enable-security-features-with-gh-config %}

{% data reusables.security-configurations.security-configurations-beta-note-short %}

{% endif %}

## Enabling code scanning
Expand Up @@ -21,8 +21,6 @@ You can enable secret scanning for individual repositories or for all repositori

{% data reusables.security-configurations.enable-security-features-with-gh-config %}

{% data reusables.security-configurations.security-configurations-beta-note-short %}

{% endif %}

This article explains a high-level process focusing on enabling {% data variables.product.prodname_secret_scanning %} for all repositories in an organization. The principles described in this article can still be applied even if you take a more staggered approach of enabling {% data variables.product.prodname_secret_scanning %} for individual repositories.
Expand Up @@ -296,8 +296,6 @@ In this example, the default queries will be run for Java, as well as the querie

{% data reusables.code-scanning.run-additional-queries %}

{% ifversion codeql-packs %}

### Using query packs

To add one or more {% data variables.product.prodname_codeql %} query packs, add a `with: packs:` entry within the `uses: {% data reusables.actions.action-codeql-action-init %}` section of the workflow. Within `packs` you specify one or more packages to use and, optionally, which version to download. Where you don't specify a version, the latest version is downloaded. If you want to use packages that are not publicly available, you need to set the `GITHUB_TOKEN` environment variable to a secret that has access to the packages. For more information, see "[AUTOTITLE](/actions/security-guides/automatic-token-authentication)" and "[AUTOTITLE](/actions/security-guides/encrypted-secrets)."
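Review bot: removing the `{% ifversion codeql-packs %}` opener makes `### Using query packs` unconditional; its matching `{% endif %}` (the one that preceded `To add one or more queries, add a `with: queries:` entry`) is removed in a later hunk of this file, so the pair stays balanced, but anyone applying hunks selectively needs both. On the unchanged text: the advice to "set the `GITHUB_TOKEN` environment variable to a secret that has access to the packages" would benefit from saying that the token only needs read access to those packages, since a more broadly scoped token stored as a workflow secret widens what a compromised job could do with it.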
Expand All @@ -321,7 +319,6 @@ In the example below, `scope` is the organization or personal account that publi
packs: scope/pack1,scope/[email protected],scope/pack3@~3.2.1,scope/[email protected]:path/to/queries
```

{% ifversion query-pack-compatibility %}
{% note %}

**Note:** If you specify a particular version of a query pack to use,
Expand All @@ -334,7 +331,6 @@ To ensure optimal performance, if you need to specify exact query pack versions,
For more information about pack compatibility, see "[AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/publishing-and-using-codeql-packs#about-codeql-pack-compatibility)."

{% endnote %}
{% endif %}

### Downloading {% data variables.product.prodname_codeql %} packs from {% data variables.product.prodname_ghe_server %}

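Review bot: the context line `packs: scope/pack1,scope/[email protected],scope/pack3@~3.2.1,scope/[email protected]:path/to/queries` renders two of the four entries as `[email protected]`, which looks like an address-obfuscation artifact of the rendered view rather than the committed source; each entry should be a `scope/pack@<version>` spec of the same shape as the `scope/pack3@~3.2.1` entry beside them. Worth confirming the file on disk is intact, since the same form appears in the `packs:` line of the later YAML example in this file. The `{% ifversion query-pack-compatibility %}` opener and its `{% endif %}` are removed together here, so the `{% note %}` / `{% endnote %}` block stays balanced.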
Expand Down Expand Up @@ -370,7 +366,6 @@ Notice the `|` after the `registries` property name. This is important since {%

### Using queries in QL packs

{% endif %}
To add one or more queries, add a `with: queries:` entry within the `uses: {% data reusables.actions.action-codeql-action-init %}` section of the workflow. If the queries are in a private repository, use the `external-repository-token` parameter to specify a token that has access to checkout the private repository.

You can also specify query suites in the value of `queries`. Query suites are collections of queries, usually grouped by purpose or language.
Expand All @@ -388,24 +383,18 @@ You can also specify query suites in the value of `queries`. Query suites are co

{% data reusables.code-scanning.codeql-query-suites-explanation %}

{% ifversion codeql-packs %}

### Working with custom configuration files

{% endif %}

If you also use a configuration file for custom settings, any additional {% ifversion codeql-packs %}packs or {% endif %}queries specified in your workflow are used instead of those specified in the configuration file. If you want to run the combined set of additional {% ifversion codeql-packs %}packs or {% endif %}queries, prefix the value of {% ifversion codeql-packs %}`packs` or {% endif %}`queries` in the workflow with the `+` symbol. For more information, see "[Using a custom configuration file](#using-a-custom-configuration-file)."
If you also use a configuration file for custom settings, any additional packs or queries specified in your workflow are used instead of those specified in the configuration file. If you want to run the combined set of additional packs or queries, prefix the value of `packs` or `queries` in the workflow with the `+` symbol. For more information, see "[Using a custom configuration file](#using-a-custom-configuration-file)."

In the following example, the `+` symbol ensures that the specified additional {% ifversion codeql-packs %}packs and {% endif %}queries are used together with any specified in the referenced configuration file.
In the following example, the `+` symbol ensures that the specified additional packs and queries are used together with any specified in the referenced configuration file.

``` yaml copy
- uses: {% data reusables.actions.action-codeql-action-init %}
with:
config-file: ./.github/codeql/codeql-config.yml
queries: +security-and-quality,octo-org/python-qlpack/show_ifs.ql@main
{%- ifversion codeql-packs %}
packs: +scope/pack1,scope/[email protected],scope/[email protected]:path/to/queries
{%- endif %}
```
<!-- Anchor to maintain the current CodeQL CLI manual pages link: https://aka.ms/code-scanning-docs/config-file -->
<a name="using-a-custom-configuration-file"></a>
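Review bot: with the `{%- ifversion codeql-packs %}` / `{%- endif %}` lines removed from the fenced example, `packs: +scope/...` is always shown next to `queries: +...`, which matches the now-unconditional prose about the `+` prefix above it. Because the block is tagged `copy`, the rendered YAML is what readers paste: please double-check that the indentation under `- uses:` (the `with:` key and the `config-file`, `queries` and `packs` keys nested beneath it) survives the removal of the Liquid lines, since the diff view flattens leading whitespace and a mis-indented `packs:` would silently drop the pack list from the scan.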
Expand All @@ -415,7 +404,7 @@ In the following example, the `+` symbol ensures that the specified additional {

## Using a custom configuration file

A custom configuration file is an alternative way to specify additional {% ifversion codeql-packs %}packs and {% endif %}queries to run. You can also use the file to disable the default queries{% ifversion code-scanning-exclude-queries-from-analysis %}, exclude or include specific queries,{% endif %} and to specify which directories to scan during analysis.
A custom configuration file is an alternative way to specify additional packs and queries to run. You can also use the file to disable the default queries, exclude or include specific queries, and to specify which directories to scan during analysis.

In the workflow file, use the `config-file` parameter of the `init` action to specify the path to the configuration file you want to use. This example loads the configuration file _./.github/codeql/codeql-config.yml_.

Expand All @@ -437,8 +426,6 @@ If the configuration file is located in an external private repository, use the

The settings in the configuration file are written in YAML format.

{% ifversion codeql-packs %}

### Specifying {% data variables.product.prodname_codeql %} query packs

You specify {% data variables.product.prodname_codeql %} query packs in an array. Note that the format is different from the format used by the workflow file.
Expand Down Expand Up @@ -482,7 +469,6 @@ packs:
```

{% endraw %}
{% endif %}

{% ifversion codeql-threat-models %}

Expand Down Expand Up @@ -511,8 +497,6 @@ Optionally, you can give each array element a name, as shown in the example conf

If you only want to run custom queries, you can disable the default security queries by using `disable-default-queries: true`.

{% ifversion code-scanning-exclude-queries-from-analysis %}

### Excluding specific queries from analysis

You can add `exclude` and `include` filters to your custom configuration file, to specify the queries you want to exclude or include in the analysis.
Expand Down Expand Up @@ -546,8 +530,6 @@ You can find another example illustrating the use of these filters in the "[Exam

For more information about using `exclude` and `include` filters in your custom configuration file, see "[AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-codeql-query-suites#filtering-the-queries-in-a-query-suite)." For information on the query metadata you can filter on, see "[Metadata for CodeQL queries](https://codeql.github.com/docs/writing-codeql-queries/metadata-for-codeql-queries/)."

{% endif %}

### Specifying directories to scan

When codebases are analyzed without building the code, you can restrict {% data variables.product.prodname_code_scanning %} to files in specific directories by adding a `paths` array to the configuration file. You can also exclude the files in specific directories from analysis by adding a `paths-ignore` array. You can use this option when you run the {% data variables.product.prodname_codeql %} actions on an interpreted language (Python, Ruby, and JavaScript/TypeScript){% ifversion codeql-no-build %} or when you analyze a compiled language without building the code (currently supported for {% data variables.code-scanning.no_build_support %}){% endif %}.
Expand Down Expand Up @@ -578,8 +560,6 @@ You can quickly analyze small portions of a monorepo when you modify code in spe

{% data reusables.code-scanning.example-configuration-files %}

{% ifversion code-scanning-config-input %}

## Specifying configuration details using the `config` input

If you'd prefer to specify additional configuration details in the workflow file, you can use the `config` input of the `init` command of the {% data variables.product.prodname_codeql %} action. The value of this input must be a YAML string that follows the configuration file format documented at "[Using a custom configuration file](#using-a-custom-configuration-file)" above.
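Review bot: `## Specifying configuration details using the `config` input` is now unconditional after the `{% ifversion code-scanning-config-input %}` opener is removed; its `{% endif %}` goes in the following hunk, so the pair stays balanced. Style point on the unchanged paragraph: it refers to "the `config` input of the `init` command", while the rest of this page (for example "the `config-file` parameter of the `init` action") calls it the `init` action; suggest "the `config` input of the `init` action" for consistency.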
Expand Down Expand Up @@ -619,7 +599,6 @@ In the following example, `vars.CODEQL_CONF` is a {% data variables.product.prod
```

{% endtip %}
{% endif %}

## Configuring {% data variables.product.prodname_code_scanning %} for compiled languages
