GitHub Enterprise Server 3.4 release candidate (github#24754)

Co-authored-by: Laura Coursen <[email protected]>
Co-authored-by: Matt Pollard <[email protected]>
Co-authored-by: Vanessa <[email protected]>
Co-authored-by: Lucas Costi <[email protected]>
Co-authored-by: Lars Schneider <[email protected]>
Co-authored-by: Jared Murrell <[email protected]>
Co-authored-by: Jules Parker <[email protected]>
Co-authored-by: Docubot <[email protected]>
Co-authored-by: Martin Lopes <[email protected]>
Co-authored-by: Laura Coursen <[email protected]>
Co-authored-by: Sarita Iyer <[email protected]>
Co-authored-by: Sarita Iyer <[email protected]>
Co-authored-by: Matt Pollard <[email protected]>
Co-authored-by: hubwriter <[email protected]>
Co-authored-by: Steve Guntrip <[email protected]>
Co-authored-by: Lucas Costi <[email protected]>
Co-authored-by: Lars Schneider <[email protected]>
Co-authored-by: Jared Murrell <[email protected]>
Co-authored-by: github-openapi-bot <[email protected]>
Co-authored-by: github-openapi-bot <[email protected]>

Author: 13 people

assets/images/enterprise/management-console/enable-dependabot-updates.png

@@ -9,6 +9,7 @@ versions:
   fpt: '*'
   ghae: 'issue-4757-and-5856'
   ghec: '*'
+  ghes: '>=3.5'
 type: how_to
 topics:
   - Workflows

assets/images/enterprise/site-admin-settings/dependabot-alerts-dropdown.png

@@ -728,6 +728,8 @@ The `inputs` context contains input properties passed to a reusable workflow. Th
 
 There are no standard properties in the `inputs` context, only those which are defined in the reusable workflow file.
 
+{% data reusables.actions.reusable-workflows-ghes-beta %}
+
 For more information, see "[Reusing workflows](/actions/learn-github-actions/reusing-workflows)".
 
 | Property name | Type | Description |

assets/images/enterprise/site-admin-settings/dependabot-updates-button.png

@@ -73,6 +73,8 @@ In addition to the usage limits, you must ensure that you use {% data variables.
 {% ifversion fpt or ghes > 3.3 or ghec %}
 ## Billing for reusable workflows
 
+{% data reusables.actions.reusable-workflows-ghes-beta %}
+
 If you reuse a workflow, billing is always associated with the caller workflow. Assignment of {% data variables.product.prodname_dotcom %}-hosted runners is always evaluated using only the caller's context. The caller cannot use {% data variables.product.prodname_dotcom %}-hosted runners from the called repository. 
 
 For more information see, "[Reusing workflows](/actions/learn-github-actions/reusing-workflows)."

assets/images/help/organizations/code-review-limits-organizations-settings.png

@@ -16,6 +16,7 @@ topics:
 ---
 
 {% data reusables.actions.enterprise-beta %}
+{% data reusables.actions.reusable-workflows-ghes-beta %}
 {% data reusables.actions.enterprise-github-hosted-runners %}
 
 ## Overview

assets/images/help/organizations/code-review-limits-organizations.png

@@ -130,6 +130,8 @@ You can use activity types and filters to further control when your workflow wil
 {% ifversion fpt or ghes > 3.3 or ghae-issue-4757 or ghec %}
 ## Defining inputs, outputs, and secrets for reusable workflows
 
+{% data reusables.actions.reusable-workflows-ghes-beta %}
+
 You can define inputs and secrets that a reusable workflow should receive from a calling workflow. You can also specify outputs that a reusable workflow will make available to a calling workflow. For more information, see "[Reusing workflows](/actions/using-workflows/reusing-workflows)."
 
 {% endif %}

assets/images/help/repository/access-settings-repositories.png

@@ -56,6 +56,8 @@ The name of your workflow. {% data variables.product.prodname_dotcom %} displays
 {% ifversion fpt or ghes > 3.3 or ghae-issue-4757 or ghec %}
 ## `on.workflow_call`
 
+{% data reusables.actions.reusable-workflows-ghes-beta %}
+
 Use `on.workflow_call` to define the inputs and outputs for a reusable workflow. You can also map the secrets that are available to the called workflow. For more information on reusable workflows, see "[Reusing workflows](/actions/using-workflows/reusing-workflows)."
 
 ### `on.workflow_call.inputs`
@@ -881,6 +883,8 @@ Additional Docker container resource options. For a list of options, see "[`dock
 {% ifversion fpt or ghes > 3.3 or ghae-issue-4757 or ghec %}
 ## `jobs.<job_id>.uses`
 
+{% data reusables.actions.reusable-workflows-ghes-beta %}
+
 The location and version of a reusable workflow file to run as a job. {% ifversion fpt or ghec or ghes > 3.4 or ghae-issue-6000 %}Use one of the following syntaxes:{% endif %}
 
 {% data reusables.actions.reusable-workflow-calling-syntax %}

assets/images/help/repository/code-review-limits-repositories.png

@@ -0,0 +1,13 @@
+---
+title: Managing code security for your enterprise
+shortTitle: Manage code security
+intro: "You can build security into your developers' workflow with features that keep secrets and vulnerabilities out of your codebase, and that maintain your software supply chain."
+versions:
+  ghes: '*'
+  ghec: '*'
+topics:
+  - Enterprise
+children:
+  - /managing-github-advanced-security-for-your-enterprise
+  - /managing-supply-chain-security-for-your-enterprise
+---

assets/images/help/repository/limit-reviews-in-repository.png

@@ -7,6 +7,7 @@ miniTocMaxHeadingLevel: 3
 redirect_from:
   - /enterprise/admin/configuration/configuring-code-scanning-for-your-appliance
   - /admin/configuration/configuring-code-scanning-for-your-appliance
+  - /admin/advanced-security/configuring-code-scanning-for-your-appliance
 versions:
   ghes: '*'
 type: how_to

assets/images/help/repository/manage-access-invite-button.png

@@ -6,6 +6,7 @@ product: '{% data reusables.gated-features.secret-scanning %}'
 miniTocMaxHeadingLevel: 3
 redirect_from:
   - /admin/configuration/configuring-secret-scanning-for-your-appliance
+  - /admin/advanced-security/configuring-secret-scanning-for-your-appliance
 versions:
   ghes: '*'
 type: how_to

assets/images/help/repository/manage-access-invite-choose-role-add.png

@@ -2,6 +2,8 @@
 title: Deploying GitHub Advanced Security in your enterprise
 intro: 'Learn how to plan, prepare, and implement a phased approach for rolling out {% data variables.product.prodname_GH_advanced_security %} (GHAS) in your enterprise.'
 product: '{% data reusables.gated-features.advanced-security %}'
+redirect_from:
+  - /admin/advanced-security/deploying-github-advanced-security-in-your-enterprise
 miniTocMaxHeadingLevel: 3
 versions:
   ghes: '*'

assets/images/help/repository/manage-access-invite-search-field.png

@@ -3,6 +3,8 @@ title: Enabling GitHub Advanced Security for your enterprise
 shortTitle: Enabling GitHub Advanced Security
 intro: 'You can configure {% data variables.product.product_name %} to include {% data variables.product.prodname_GH_advanced_security %}. This provides extra features that help users find and fix security problems in their code.'
 product: '{% data reusables.gated-features.ghas %}'
+redirect_from:
+  - /admin/advanced-security/enabling-github-advanced-security-for-your-enterprise
 versions:
   ghes: '*'
 type: how_to
@@ -56,7 +58,7 @@ For guidance on a phased deployment of GitHub Advanced Security, see "[Deploying
 
     - {% data variables.product.prodname_code_scanning_capc %}, see "[Configuring {% data variables.product.prodname_code_scanning %} for your appliance](/admin/advanced-security/configuring-code-scanning-for-your-appliance#prerequisites-for-code-scanning)."
     - {% data variables.product.prodname_secret_scanning_caps %}, see "[Configuring {% data variables.product.prodname_secret_scanning %} for your appliance](/admin/advanced-security/configuring-secret-scanning-for-your-appliance#prerequisites-for-secret-scanning)."{% endif %}
-    - {% data variables.product.prodname_dependabot %}, see "[Enabling the dependency graph and {% data variables.product.prodname_dependabot_alerts %} for your enterprise](/admin/configuration/configuring-github-connect/enabling-the-dependency-graph-and-dependabot-alerts-for-your-enterprise)." 
+    - {% data variables.product.prodname_dependabot %}, see "[Enabling {% data variables.product.prodname_dependabot %} for your enterprise](/admin/configuration/configuring-github-connect/enabling-dependabot-for-your-enterprise)." 
 
 ## Enabling and disabling {% data variables.product.prodname_GH_advanced_security %} features
 
@@ -91,7 +93,7 @@ For example, you can enable any {% data variables.product.prodname_GH_advanced_s
     ```shell
     ghe-config app.secret-scanning.enabled true
     ```
-    - To enable {% data variables.product.prodname_dependabot %}, enter the following {% ifversion ghes > 3.1 %}command{% else %}commands{% endif %}.
+    - To enable the dependency graph, enter the following {% ifversion ghes > 3.1 %}command{% else %}commands{% endif %}.
     {% ifversion ghes > 3.1 %}```shell
     ghe-config app.dependency-graph.enabled true
     ```
@@ -110,7 +112,7 @@ For example, you can enable any {% data variables.product.prodname_GH_advanced_s
     ```shell
     ghe-config app.secret-scanning.enabled false
     ```
-    - To disable {% data variables.product.prodname_dependabot_alerts %}, enter the following {% ifversion ghes > 3.1 %}command{% else %}commands{% endif %}.
+    - To disable the dependency graph, enter the following {% ifversion ghes > 3.1 %}command{% else %}commands{% endif %}.
     {% ifversion ghes > 3.1 %}```shell
     ghe-config app.dependency-graph.enabled false
     ```

assets/images/help/repository/manage-access-overview.png

@@ -1,11 +1,12 @@
 ---
 title: Managing GitHub Advanced Security for your enterprise
-shortTitle: Managing GitHub Advanced Security
-intro: 'You can configure {% data variables.product.prodname_advanced_security %} and manage use by your enterprise to suit your organization''s needs.'
+shortTitle: GitHub Advanced Security
+intro: "You can configure {% data variables.product.prodname_advanced_security %} and manage use by your enterprise to suit your organization's needs."
 product: '{% data reusables.gated-features.ghas %}'
 redirect_from:
   - /enterprise/admin/configuration/configuring-advanced-security-features
   - /admin/configuration/configuring-advanced-security-features
+  - /admin/advanced-security
 versions:
   ghes: '*'
   ghec: '*'

assets/images/help/saml/management-console-enable-encrypted-assertions.png

@@ -2,6 +2,8 @@
 title: Overview of GitHub Advanced Security deployment
 intro: 'Help your company successfully prepare to adopt {% data variables.product.prodname_GH_advanced_security %} (GHAS) by reviewing and understanding these best practices, rollout examples, and our enterprise-tested phased approach.'
 product: '{% data variables.product.prodname_GH_advanced_security %} is a set of security features designed to make enterprise code more secure. It is available for {% data variables.product.prodname_ghe_server %} 3.0 or higher, {% data variables.product.prodname_ghe_cloud %}, and open source repositories. To learn more about the features, included in {% data variables.product.prodname_GH_advanced_security %}, see "[About GitHub Advanced Security](/get-started/learning-about-github/about-github-advanced-security)."'
+redirect_from:
+  - /admin/advanced-security/overview-of-github-advanced-security-deployment
 miniTocMaxHeadingLevel: 3
 versions:
   ghes: '*'

assets/images/help/saml/management-console-encrypted-assertions-encryption-method.png

@@ -0,0 +1,20 @@
+---
+title: About supply chain security for your enterprise
+intro: 'You can enable features that help your developers understand and update the dependencies their code relies on.'
+shortTitle: About supply chain security
+permissions: ''
+versions:
+  ghes: '*'
+  ghae: issue-4864
+type: how_to
+topics:
+  - Enterprise
+  - Security
+  - Dependency graph
+---
+
+You can allow users to identify their projects' dependencies by enabling the dependency graph for {% data variables.product.product_location %}. For more information, see "[Enabling the dependency graph for your enterprise](/admin/code-security/managing-supply-chain-security-for-your-enterprise/enabling-the-dependency-graph-for-your-enterprise)."
+
+You can also allow users on {% data variables.product.product_location %} to find and fix vulnerabilities in their code dependencies by enabling {% data variables.product.prodname_dependabot_alerts %}{% ifversion ghes > 3.2 %} and {% data variables.product.prodname_dependabot_updates %}{% endif %}. For more information, see "[Enabling {% data variables.product.prodname_dependabot %} for your enterprise](/admin/configuration/configuring-github-connect/enabling-dependabot-for-your-enterprise)."
+
+After you enable {% data variables.product.prodname_dependabot_alerts %}, you can view vulnerability data from the {% data variables.product.prodname_advisory_database %} on {% data variables.product.product_location %} and manually sync the data. For more information, see "[Viewing the vulnerability data for your enterprise](/admin/code-security/managing-supply-chain-security-for-your-enterprise/viewing-the-vulnerability-data-for-your-enterprise)."

assets/images/help/saml/management-console-encrypted-assertions-key-transport-method.png

@@ -0,0 +1,60 @@
+---
+title: Enabling the dependency graph for your enterprise
+intro: "You can allow users to identify their projects' dependencies by enabling the dependency graph."
+shortTitle: Enable dependency graph
+permissions: 'Site administrators can enable the dependency graph.'
+versions:
+  ghes: '*'
+type: how_to
+topics:
+  - Enterprise
+  - Security
+  - Dependency graph
+---
+
+## About the dependency graph
+
+{% data reusables.dependabot.about-the-dependency-graph %} For more information, see "[About the dependency graph](/github/visualizing-repository-data-with-graphs/about-the-dependency-graph)"
+
+After you enable the dependency graph for your enterprise, you can enable {% data variables.product.prodname_dependabot %} to detect vulnerable dependencies in your repository{% ifversion ghes > 3.2 %} and automatically fix the vulnerabilities{% endif %}. For more information, see "[Enabling {% data variables.product.prodname_dependabot %} for your enterprise](/admin/configuration/configuring-github-connect/enabling-dependabot-for-your-enterprise)."
+
+{% ifversion ghes > 3.1 %}
+You can enable the dependency graph via the {% data variables.enterprise.management_console %} or the administrative shell. We recommend using the {% data variables.enterprise.management_console %} unless {% data variables.product.product_location %} uses clustering.
+
+## Enabling the dependency graph via the {% data variables.enterprise.management_console %}
+
+If your {% data variables.product.product_location %} uses clustering, you cannot enable the dependency graph with the {% data variables.enterprise.management_console %} and must use the administrative shell instead. For more information, see "[Enabling the dependency graph via the administrative shell](#enabling-the-dependency-graph-via-the-administrative-shell)."
+
+{% data reusables.enterprise_site_admin_settings.sign-in %}
+{% data reusables.enterprise_site_admin_settings.access-settings %}
+{% data reusables.enterprise_site_admin_settings.management-console %}
+{% data reusables.enterprise_management_console.advanced-security-tab %}
+1. Under "Security," click **Dependency graph**.
+![Checkbox to enable or disable the dependency graph](/assets/images/enterprise/3.2/management-console/enable-dependency-graph-checkbox.png)
+{% data reusables.enterprise_management_console.save-settings %}
+1. Click **Visit your instance**.
+
+## Enabling the dependency graph via the administrative shell
+
+{% endif %}{% ifversion ghes < 3.2 %}
+## Enabling the dependency graph
+{% endif %}
+{% data reusables.enterprise_site_admin_settings.sign-in %}
+1. In the administrative shell, enable the dependency graph on {% data variables.product.product_location %}:
+    {% ifversion ghes > 3.1 %}```shell
+    ghe-config app.dependency-graph.enabled true
+    ```
+    {% else %}```shell
+    ghe-config app.github.dependency-graph-enabled true
+  ghe-config app.github.vulnerability-alerting-and-settings-enabled true
+    ```{% endif %}
+   {% note %}
+
+   **Note**: For more information about enabling access to the administrative shell via SSH, see "[Accessing the administrative shell (SSH)](/enterprise/{{ currentVersion }}/admin/configuration/accessing-the-administrative-shell-ssh)."
+
+   {% endnote %}
+2. Apply the configuration.
+    ```shell
+    $ ghe-config-apply
+    ```
+3. Return to {% data variables.product.prodname_ghe_server %}.

content/actions/deployment/security-hardening-your-deployments/using-openid-connect-with-reusable-workflows.md

@@ -0,0 +1,14 @@
+---
+title: Managing supply chain security for your enterprise
+shortTitle: Supply chain security
+intro: "You can visualize, maintain, and secure the dependencies in your developers' software supply chain."
+versions:
+  ghes: '*'
+  ghae: issue-4864
+topics:
+  - Enterprise
+children:
+  - /about-supply-chain-security-for-your-enterprise
+  - /enabling-the-dependency-graph-for-your-enterprise
+  - /viewing-the-vulnerability-data-for-your-enterprise
+---

content/actions/learn-github-actions/contexts.md

@@ -0,0 +1,27 @@
+---
+title: Viewing the vulnerability data for your enterprise
+intro: 'You can view vulnerability data from the {% data variables.product.prodname_advisory_database %} on {% data variables.product.product_location %}.'
+shortTitle: View vulnerability data
+permissions: 'Site administrators can view vulnerability data on {% data variables.product.product_location %}.'
+versions:
+  ghes: '*'
+  ghae: issue-4864
+type: how_to
+topics:
+  - Enterprise
+  - Security
+  - Dependency graph
+---
+
+If {% data variables.product.prodname_dependabot_alerts %} are enabled for your enterprise, you can view all vulnerabilities that were downloaded to {% data variables.product.product_location %} from the {% data variables.product.prodname_advisory_database %}.
+
+You can manually sync vulnerability data from {% data variables.product.prodname_dotcom_the_website %} to update the list.
+
+Before you can view vulnerability data, you must enable {% data variables.product.prodname_dependabot_alerts %}. For more information, see "[Enabling {% data variables.product.prodname_dependabot %} for your enterprise](/admin/configuration/configuring-github-connect/enabling-dependabot-for-your-enterprise)."
+
+{% data reusables.enterprise_site_admin_settings.access-settings %}
+2. In the left sidebar, click **Vulnerabilities**.
+  ![Vulnerabilities tab in the site admin sidebar](/assets/images/enterprise/business-accounts/vulnerabilities-tab.png)
+3. To sync vulnerability data, click **Sync Vulnerabilities now**.
+  ![Sync vulnerabilities now button](/assets/images/enterprise/site-admin-settings/sync-vulnerabilities-button.png)
+