Merge pull request #22015 from github/repo-sync

repo sync

Author: Octomerger

assets/images/help/settings/actions-fork-pull-request-workflows-require-approval.png

@@ -0,0 +1,16 @@
+---
+title: Approving workflow runs from private forks
+intro: 'When someone without write access submits a pull request to a private repository, a maintainer may need to approve any workflow runs.'
+permissions: 'Maintainers with write access to a repository can approve workflow runs.'
+versions:
+  feature: actions-private-fork-workflow-approvals
+shortTitle: Approve private fork runs
+---
+
+## About workflow runs from private forks
+
+{% data reusables.actions.private-repository-forks-overview %} For more information, see "[Enforcing a policy for fork pull requests in private repositories](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#enforcing-a-policy-for-fork-pull-requests-in-private-repositories)."
+
+## Approving workflow runs on a pull request from a private fork
+
+{% data reusables.actions.workflows.approve-workflow-runs %}

content/actions/managing-workflow-runs/approving-workflow-runs-from-private-forks.md

@@ -17,12 +17,4 @@ Workflow runs that have been awaiting approval for more than 30 days are automat
 
 ## Approving workflow runs on a pull request from a public fork
 
-Maintainers with write access to a repository can use the following procedure to review and run workflows on pull requests from contributors that require approval.
-
-{% data reusables.repositories.sidebar-pr %}
-{% data reusables.repositories.choose-pr-review %}
-{% data reusables.repositories.changed-files %}
-1. Inspect the proposed changes in the pull request and ensure that you are comfortable running your workflows on the pull request branch. You should be especially alert to any proposed changes in the `.github/workflows/` directory that affect workflow files.
-1. If you are comfortable with running workflows on the pull request branch, return to the {% octicon "comment-discussion" aria-label="The discussion icon" %} **Conversation** tab, and under "Workflow(s) awaiting approval", click **Approve and run**.
-
-   ![Approve and run workflows](/assets/images/help/pull_requests/actions-approve-and-run-workflows-from-fork.png)
+{% data reusables.actions.workflows.approve-workflow-runs %}

content/actions/managing-workflow-runs/approving-workflow-runs-from-public-forks.md

@@ -18,6 +18,7 @@ children:
   - /re-running-workflows-and-jobs
   - /canceling-a-workflow
   - /approving-workflow-runs-from-public-forks
+  - /approving-workflow-runs-from-private-forks
   - /reviewing-deployments
   - /disabling-and-enabling-a-workflow
   - /skipping-workflow-runs

content/actions/managing-workflow-runs/index.md

@@ -0,0 +1,7 @@
+# Reference: #8433
+# Allow admins to require approval on fork PR in private repos
+versions:
+  fpt: '*'
+  ghec: '*'
+  ghes: '>= 3.8'
+  ghae: '>= 3.8'

data/features/actions-private-fork-workflow-approvals.yml

@@ -1,3 +1,7 @@
 1. Under **Fork pull request workflows**, select your options. For example:
-  ![Enable, disable, or limits actions for this repository](/assets/images/help/settings/actions-fork-pull-request-workflows.png)
+  {% ifversion actions-private-fork-workflow-approvals %}
+   ![Enable, disable, or limits actions for this repository](/assets/images/help/settings/actions-fork-pull-request-workflows-require-approval.png){% else %}
+
+   ![Enable, disable, or limits actions for this repository](/assets/images/help/settings/actions-fork-pull-request-workflows.png){% endif %}
+
 1. Click **Save** to apply the settings.

data/reusables/actions/private-repository-forks-configure.md

@@ -1,3 +1,4 @@
 - **Run workflows from fork pull requests** - Allows users to run workflows from fork pull requests, using a `GITHUB_TOKEN` with read-only permission, and with no access to secrets.
 - **Send write tokens to workflows from pull requests** - Allows pull requests from forks to use a `GITHUB_TOKEN` with write permission.
-- **Send secrets to workflows from pull requests** - Makes all secrets available to the pull request.
+- **Send secrets to workflows from pull requests** - Makes all secrets available to the pull request.{% ifversion actions-private-fork-workflow-approvals %}
+- **Require approval for fork pull request workflows** - Workflow runs on pull requests from collaborators without write permission will require approval from someone with write permission before they will run.{% endif %}

data/reusables/actions/private-repository-forks-options.md

@@ -0,0 +1,9 @@
+Maintainers with write access to a repository can use the following procedure to review and run workflows on pull requests from contributors that require approval.
+
+{% data reusables.repositories.sidebar-pr %}
+{% data reusables.repositories.choose-pr-review %}
+{% data reusables.repositories.changed-files %}
+1. Inspect the proposed changes in the pull request and ensure that you are comfortable running your workflows on the pull request branch. You should be especially alert to any proposed changes in the `.github/workflows/` directory that affect workflow files.
+1. If you are comfortable with running workflows on the pull request branch, return to the {% octicon "comment-discussion" aria-label="The discussion icon" %} **Conversation** tab, and under "Workflow(s) awaiting approval", click **Approve and run**.
+
+   ![Approve and run workflows](/assets/images/help/pull_requests/actions-approve-and-run-workflows-from-fork.png)

data/reusables/actions/workflows/approve-workflow-runs.md

@@ -65,13 +65,6 @@ export default async function getRest(version, category, subCategory) {
   }
 }
 
-function getDocsVersion(openApiVersion) {
-  const version = Object.values(allVersions).find(
-    (version) => version.openApiVersionName === openApiVersion
-  ).version
-  return version
-}
-
 function getOpenApiVersion(version) {
   if (!(version in allVersions)) {
     throw new Error(`Unrecognized version '${version}'. Not found in ${Object.keys(allVersions)}`)
@@ -104,14 +97,16 @@ export async function getRestMiniTocItems(
   return restOperationData.get(language).get(version).get(category).get(subCategory)
 }
 
-export async function getEnabledForApps() {
-  // The `readCompressedJsonFileFallback()` function
-  // will check for both a .br and .json extension.
-  const appsData = readCompressedJsonFileFallback(ENABLED_APPS_FILENAME)
-  for (const version in appsData) {
-    const docsVersion = getDocsVersion(version)
-    appsData[docsVersion] = appsData[version]
-    delete appsData[version]
+const enabledForApps = {}
+export async function getEnabledForApps(docsVersion) {
+  if (Object.keys(enabledForApps).length === 0) {
+    // The `readCompressedJsonFileFallback()` function
+    // will check for both a .br and .json extension.
+    Object.assign(enabledForApps, readCompressedJsonFileFallback(ENABLED_APPS_FILENAME))
+
+    // One off edge case where secret-scanning should be removed from FPT. Docs Content #6637
+    delete enabledForApps['api.github.com']['secret-scanning']
   }
-  return appsData
+  const openApiVersion = getOpenApiVersion(docsVersion)
+  return enabledForApps[openApiVersion]
 }

lib/rest/index.js

@@ -23,12 +23,6 @@ type EnabledAppCategoryT = {
   [category: string]: OperationT[]
 }
 
-type AppDataT = {
-  [version: string]: EnabledAppCategoryT
-}
-
-let enabledForApps: AppDataT | null = null
-
 type Props = {
   mainContext: MainContextT
   currentVersion: string
@@ -91,25 +85,17 @@ export default function Category({
 export const getServerSideProps: GetServerSideProps<Props> = async (context) => {
   const req = context.req as object
   const res = context.res as object
-  const currentVersion = context.query.versionId as string
   const mainContext = await getMainContext(req, res)
   const automatedPageContext = getAutomatedPageContextFromRequest(req)
+  const currentVersion = context.query.versionId as string
 
-  if (!enabledForApps) {
-    enabledForApps = (await getEnabledForApps()) as AppDataT
-  }
-
-  // One off edge case where secret-scanning should be removed from FPT. Docs Content #6637
-  const noSecretScanning = { ...enabledForApps[currentVersion] }
-  delete noSecretScanning['secret-scanning']
-  const overrideEnabledForApps =
-    currentVersion === 'free-pro-team@latest' ? noSecretScanning : enabledForApps[currentVersion]
+  const enabledForApps = await getEnabledForApps(currentVersion)
 
   return {
     props: {
       mainContext,
       currentVersion,
-      enabledForApps: overrideEnabledForApps,
+      enabledForApps,
       automatedPageContext,
       categoriesWithoutSubcategories,
     },