diff --git a/.github/workflows/azure-preview-env-deploy.yml b/.github/workflows/azure-preview-env-deploy.yml
index c37dbedfdcce..f0cbeaffbae7 100644
--- a/.github/workflows/azure-preview-env-deploy.yml
+++ b/.github/workflows/azure-preview-env-deploy.yml
@@ -53,7 +53,7 @@ jobs:
# to link a PR to a list of environments later.
url: ${{ env.APP_URL }}
env:
- PR_NUMBER: ${{ github.event.number || github.event.inputs.PR_NUMBER }}
+ PR_NUMBER: ${{ github.event.number || github.event.inputs.PR_NUMBER || github.run_id }}
COMMIT_REF: ${{ github.event.pull_request.head.sha || github.event.inputs.COMMIT_REF }}
BRANCH_NAME: ${{ github.head_ref || github.ref_name }}
IS_INTERNAL_BUILD: ${{ github.repository == 'github/docs-internal' }}
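Review bot: The new `|| github.run_id` operand on the `PR_NUMBER` line lets the job continue with a value that is not a pull request number whenever neither the event nor the dispatch input supplies one, so a mis-triggered run is no longer caught by an empty value. Any later step that derives a preview-environment or resource name from `PR_NUMBER` (not visible in this hunk) would presumably create resources keyed on a run id, which a cleanup keyed on the PR number would not match. If the fallback is intended, document it on the line, for example `# falls back to run_id when no PR number is available; such deployments need their own cleanup`. A stricter alternative is to keep the old expression and fail early when it is empty. The `env:` block and the rest of the job continue outside the hunk.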
diff --git a/.github/workflows/triage-unallowed-internal-changes.yml b/.github/workflows/triage-unallowed-internal-changes.yml
index 8a2a2171cb62..00299d1ca82f 100644
--- a/.github/workflows/triage-unallowed-internal-changes.yml
+++ b/.github/workflows/triage-unallowed-internal-changes.yml
@@ -39,7 +39,7 @@ jobs:
id: filter
with:
# Base branch used to get changed files
- base: ${{ github.event.pull_request.base.ref }}
+ base: ${{ github.event.pull_request.base.ref || github.base_ref || github.ref }}
# Enables setting an output in the format in `${FILTER_NAME}_files
# with the names of the matching files formatted as JSON array
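Review bot: On the `base:` line, the final `|| github.ref` operand makes the filter step compare against the ref that triggered the run whenever no pull request base exists, which may let a guard workflow (judging by its file name) pass without inspecting the intended range. The action's `uses:` line is outside the hunk, so how it treats a base equal to the triggering ref cannot be confirmed here; the comparison may cover a different set of commits than a PR-base comparison, or none. `github.ref` is also a fully qualified ref, unlike the branch name the first two operands yield, so the input changes shape as well as value. Consider `base: ${{ github.event.pull_request.base.ref || github.base_ref }}` and letting the step fail visibly on events without a base. Otherwise add a comment naming the trigger that needs the third operand.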
diff --git a/assets/images/enterprise/site-admin-settings/site-admin-saml-debugging-disabled.png b/assets/images/enterprise/site-admin-settings/site-admin-saml-debugging-disabled.png
new file mode 100644
index 000000000000..1d5a3ec89a5c
Binary files /dev/null and b/assets/images/enterprise/site-admin-settings/site-admin-saml-debugging-disabled.png differ
diff --git a/assets/images/enterprise/site-admin-settings/site-admin-saml-debugging-enabled.png b/assets/images/enterprise/site-admin-settings/site-admin-saml-debugging-enabled.png
new file mode 100644
index 000000000000..e0e5dcc6934a
Binary files /dev/null and b/assets/images/enterprise/site-admin-settings/site-admin-saml-debugging-enabled.png differ
diff --git a/assets/images/help/repository/previous-run-attempts.png b/assets/images/help/repository/previous-run-attempts.png
new file mode 100644
index 000000000000..cf33de5c28d5
Binary files /dev/null and b/assets/images/help/repository/previous-run-attempts.png differ
diff --git a/assets/images/help/repository/re-run-selected-job.png b/assets/images/help/repository/re-run-selected-job.png
new file mode 100644
index 000000000000..4c57b7871dcb
Binary files /dev/null and b/assets/images/help/repository/re-run-selected-job.png differ
diff --git a/assets/images/help/repository/re-run-single-job-from-log.png b/assets/images/help/repository/re-run-single-job-from-log.png
new file mode 100644
index 000000000000..26fbf9765aa8
Binary files /dev/null and b/assets/images/help/repository/re-run-single-job-from-log.png differ
diff --git a/assets/images/help/repository/rerun-failed-jobs-drop-down.png b/assets/images/help/repository/rerun-failed-jobs-drop-down.png
new file mode 100644
index 000000000000..5e7411550381
Binary files /dev/null and b/assets/images/help/repository/rerun-failed-jobs-drop-down.png differ
diff --git a/assets/images/help/saml/management-console-enable-encrypted-assertions.png b/assets/images/help/saml/management-console-enable-encrypted-assertions.png
index ff34240e05d0..e5490ab201b0 100644
Binary files a/assets/images/help/saml/management-console-enable-encrypted-assertions.png and b/assets/images/help/saml/management-console-enable-encrypted-assertions.png differ
diff --git a/assets/images/help/saml/management-console-encrypted-assertions-download-certificate.png b/assets/images/help/saml/management-console-encrypted-assertions-download-certificate.png
new file mode 100644
index 000000000000..3416a3a48d4f
Binary files /dev/null and b/assets/images/help/saml/management-console-encrypted-assertions-download-certificate.png differ
diff --git a/assets/images/help/saml/management-console-encrypted-assertions-encryption-method.png b/assets/images/help/saml/management-console-encrypted-assertions-encryption-method.png
index 61ceaa94f0ef..453f3ace93d4 100644
Binary files a/assets/images/help/saml/management-console-encrypted-assertions-encryption-method.png and b/assets/images/help/saml/management-console-encrypted-assertions-encryption-method.png differ
diff --git a/assets/images/help/saml/management-console-encrypted-assertions-key-transport-method.png b/assets/images/help/saml/management-console-encrypted-assertions-key-transport-method.png
index dac6dd0f8324..35680329071f 100644
Binary files a/assets/images/help/saml/management-console-encrypted-assertions-key-transport-method.png and b/assets/images/help/saml/management-console-encrypted-assertions-key-transport-method.png differ
diff --git a/content/actions/managing-workflow-runs/re-running-workflows-and-jobs.md b/content/actions/managing-workflow-runs/re-running-workflows-and-jobs.md
index 1c987384209b..15900b51e5bf 100644
--- a/content/actions/managing-workflow-runs/re-running-workflows-and-jobs.md
+++ b/content/actions/managing-workflow-runs/re-running-workflows-and-jobs.md
@@ -1,6 +1,6 @@
---
title: Re-running workflows and jobs
-intro: You can re-run a workflow run up to 30 days after its initial run.
+intro: You can re-run a workflow run{% if re-run-jobs %}, all failed jobs in a workflow run, or specific jobs in a workflow run{% endif %} up to 30 days after its initial run.
permissions: People with write permissions to a repository can re-run workflows in the repository.
miniTocMaxHeadingLevel: 3
redirect_from:
@@ -15,9 +15,11 @@ versions:
{% data reusables.actions.enterprise-beta %}
{% data reusables.actions.enterprise-github-hosted-runners %}
-## Re-running all the jobs in a workflow
+## About re-running workflows and jobs
+
+Re-running a workflow{% if re-run-jobs %} or jobs in a workflow{% endif %} uses the same `GITHUB_SHA` (commit SHA) and `GITHUB_REF` (Git ref) of the original event that triggered the workflow run. You can re-run a workflow{% if re-run-jobs %} or jobs in a workflow{% endif %} for up to 30 days after the initial run.
-Re-running a workflow uses the same `GITHUB_SHA` (commit SHA) and `GITHUB_REF` (Git ref) of the original event that triggered the workflow run. You can re-run a workflow for up to 30 days after the initial run.
+## Re-running all the jobs in a workflow
{% webui %}
@@ -26,7 +28,9 @@ Re-running a workflow uses the same `GITHUB_SHA` (commit SHA) and `GITHUB_REF` (
{% data reusables.repositories.navigate-to-workflow %}
{% data reusables.repositories.view-run %}
{% ifversion fpt or ghes > 3.2 or ghae-issue-4721 or ghec %}
-1. In the upper-right corner of the workflow, use the **Re-run jobs** drop-down menu, and select **Re-run all jobs**
+1. In the upper-right corner of the workflow, use the **Re-run jobs** drop-down menu, and select **Re-run all jobs**.
+
+ If no jobs failed, you will not see the **Re-run jobs** drop-down menu. Instead, click **Re-run all jobs**.

{% endif %}
{% ifversion ghes < 3.3 or ghae %}
@@ -54,8 +58,64 @@ gh run watch
{% endcli %}
+{% if re-run-jobs %}
+## Re-running failed jobs in a workflow
+
+If any jobs in a workflow run failed, you can re-run just the jobs that failed. When you re-run failed jobs in a workflow, a new workflow run will start for all failed jobs and their dependents. Any outputs for any successful jobs in the previous workflow run will be used for the re-run. Any artifacts that were created in the initial run will be available in the re-run. Any environment protection rules that passed in the previous run will automatically pass in the re-run.
+
+{% webui %}
+
+{% data reusables.repositories.navigate-to-repo %}
+{% data reusables.repositories.actions-tab %}
+{% data reusables.repositories.navigate-to-workflow %}
+{% data reusables.repositories.view-run %}
+1. In the upper-right corner of the workflow, use the **Re-run jobs** drop-down menu, and select **Re-run failed jobs**.
+ 
+
+{% endwebui %}
+
+{% cli %}
+
+To re-run failed jobs in a workflow run, use the `run rerun` subcommand with the `--failed` flag. Replace `run-id` with the ID of the run for which you want to re-run failed jobs. If you don't specify a `run-id`, {% data variables.product.prodname_cli %} returns an interactive menu for you to choose a recent failed run.
+
+```shell
+gh run rerun run-id --failed
+```
+
+{% endcli %}
+
+## Re-running a specific job in a workflow
+
+When you re-run a specific job in a workflow, a new workflow run will start for the job and any dependents. Any outputs for any other jobs in the previous workflow run will be used for the re-run. Any artifacts that were created in the initial run will be available in the re-run. Any environment protection rules that passed in the previous run will automatically pass in the re-run.
+
+{% webui %}
+
+{% data reusables.repositories.navigate-to-repo %}
+{% data reusables.repositories.actions-tab %}
+{% data reusables.repositories.navigate-to-workflow %}
+{% data reusables.repositories.view-run %}
+1. Next to the job that you want to re-run, click {% octicon "sync" aria-label="The re-run icon" %}.
+ 
+
+ Alternatively, click on a job to view the log. In the log, click {% octicon "sync" aria-label="The re-run icon" %}.
+ 
+
+{% endwebui %}
+
+{% cli %}
+
+To re-run a specific job in a workflow run, use the `run rerun` subcommand with the `--job` flag. Replace `job-id` with the ID of the job that you want to re-run.
+
+```shell
+gh run rerun --job job-id
+```
+
+{% endcli %}
+
+{% endif %}
+
{% ifversion fpt or ghes > 3.2 or ghae-issue-4721 or ghec %}
-### Reviewing previous workflow runs
+## Reviewing previous workflow runs
You can view the results from your previous attempts at running a workflow. You can also view previous workflow runs using the API. For more information, see ["Get a workflow run"](/rest/reference/actions#get-a-workflow-run).
@@ -63,8 +123,13 @@ You can view the results from your previous attempts at running a workflow. You
{% data reusables.repositories.actions-tab %}
{% data reusables.repositories.navigate-to-workflow %}
{% data reusables.repositories.view-run %}
+{%- if re-run-jobs %}
+1. Any previous run attempts are shown in the **Latest** drop-down menu.
+ 
+{%- else %}
1. Any previous run attempts are shown in the left pane.

+{%- endif %}
1. Click an entry to view its results.
{% endif %}
diff --git a/content/actions/monitoring-and-troubleshooting-workflows/using-workflow-run-logs.md b/content/actions/monitoring-and-troubleshooting-workflows/using-workflow-run-logs.md
index ee19cf7ffeaf..ae7c5898c8c7 100644
--- a/content/actions/monitoring-and-troubleshooting-workflows/using-workflow-run-logs.md
+++ b/content/actions/monitoring-and-troubleshooting-workflows/using-workflow-run-logs.md
@@ -63,6 +63,16 @@ You can download the log files from your workflow run. You can also download a w

+ {% if re-run-jobs %}
+
+ {% note %}
+
+ **Note**: When you download the log archive for a workflow that was partially re-run, the archive only includes the jobs that were re-run. To get a complete set of logs for jobs that were run from a workflow, you must download the log archives for the previous run attempts that ran the other jobs.
+
+ {% endnote %}
+
+ {% endif %}
+
## Deleting logs
You can delete the log files from your workflow run. {% data reusables.repositories.permissions-statement-write %}
diff --git a/content/admin/identity-and-access-management/authenticating-users-for-your-github-enterprise-server-instance/using-saml.md b/content/admin/identity-and-access-management/authenticating-users-for-your-github-enterprise-server-instance/using-saml.md
index 7748d92ebad8..acf035efed98 100644
--- a/content/admin/identity-and-access-management/authenticating-users-for-your-github-enterprise-server-instance/using-saml.md
+++ b/content/admin/identity-and-access-management/authenticating-users-for-your-github-enterprise-server-instance/using-saml.md
@@ -54,7 +54,7 @@ A mapping is created between the `NameID` and the {% data variables.product.prod
{% note %}
-**Note**: If the `NameID` for a user does change on the IdP, the user will see an error message when they try to sign in to your {% data variables.product.prodname_ghe_server %} instance. {% ifversion ghes %}To restore the user's access, you'll need to update the user account's `NameID` mapping. For more information, see "[Updating a user's SAML `NameID`](#updating-a-users-saml-nameid)."{% else %} For more information, see "[Error: 'Another user already owns the account'](#error-another-user-already-owns-the-account)."{% endif %}
+**Note**: If the `NameID` for a user does change on the IdP, the user will see an error message when they try to sign into {% data variables.product.product_location %}. To restore the user's access, you'll need to update the user account's `NameID` mapping. For more information, see "[Updating a user's SAML `NameID`](#updating-a-users-saml-nameid)."
{% endnote %}
@@ -96,6 +96,14 @@ To specify more than one value for an attribute, use multiple ` 3.3 %}
+1. Optionally, to allow {% data variables.product.product_location %} to receive encrypted assertions from your SAML IdP, select **Require encrypted assertions**. You must ensure that your IdP supports encrypted assertions and that the encryption and key transport methods in the management console match the values configured on your IdP. You must also provide {% data variables.product.product_location %}'s public certificate to your IdP. For more information, see "[Enabling encrypted assertions](#enabling-encrypted-assertions)."

-
- {% warning %}
-
- **Warning**: Incorrectly configuring encrypted assertions can cause all authentication to {% data variables.product.product_location %} to fail.
-
- - You must ensure that your IdP supports encrypted assertions and that the encryption and key transport methods in the management console match the values configured on your IdP. You must also provide {% data variables.product.product_location %}'s public certificate to your IdP. For more information, see "[Enabling encrypted assertions](#enabling-encrypted-assertions)."
-
- - Before enabling encrypted assertions, {% data variables.product.company_short %} recommends testing encrypted assertions in a staging environment, and confirming that SAML authentication functions as you expect. For more information, see "[Setting up a staging instance](/admin/installation/setting-up-a-github-enterprise-server-instance/setting-up-a-staging-instance)."
-
- {% endwarning %}
+{%- endif %}
1. In the **Single sign-on URL** field, type the HTTP or HTTPS endpoint on your IdP for single sign-on requests. This value is provided by your IdP configuration. If the host is only available from your internal network, you may need to [configure {% data variables.product.product_location %} to use internal nameservers](/enterprise/{{ currentVersion }}/admin/guides/installation/configuring-dns-nameservers/).

@@ -153,37 +153,38 @@ To specify more than one value for an attribute, use multiple ` Another user already owns the account. Please have your administrator check the authentication log.
-The message typically indicates that the person's username or email address has changed on the IdP. {% ifversion ghes %}Ensure that the `NameID` mapping for the user account on {% data variables.product.prodname_ghe_server %} matches the user's `NameID` on your IdP. For more information, see "[Updating a user's SAML `NameID`](#updating-a-users-saml-nameid)."{% else %}For help updating the `NameID` mapping, contact {% data variables.contact.contact_ent_support %}.{% endif %}
+The message typically indicates that the person's username or email address has changed on the IdP. Ensure that the `NameID` mapping for the user account on {% data variables.product.prodname_ghe_server %} matches the user's `NameID` on your IdP. For more information, see "[Updating a user's SAML `NameID`](#updating-a-users-saml-nameid)."
### Error: Recipient in SAML response was blank or not valid
-If the `Recipient` does not match the ACS URL for your {% data variables.product.prodname_ghe_server %} instance, one of the following two error messages will appear in the authentication log when a user attempts to authenticate.
+If the `Recipient` does not match the ACS URL for {% data variables.product.product_location %}, one of the following two error messages will appear in the authentication log when a user attempts to authenticate.
```
Recipient in the SAML response must not be blank.
@@ -259,7 +260,7 @@ Recipient in the SAML response must not be blank.
Recipient in the SAML response was not valid.
```
-Ensure that you set the value for `Recipient` on your IdP to the full ACS URL for your {% data variables.product.prodname_ghe_server %} instance. For example, `https://ghe.corp.example.com/saml/consume`.
+Ensure that you set the value for `Recipient` on your IdP to the full ACS URL for {% data variables.product.product_location %}. For example, `https://ghe.corp.example.com/saml/consume`.
### Error: "SAML Response is not signed or has been modified"
@@ -279,4 +280,40 @@ If the IdP's response has a missing or incorrect value for `Audience`, the follo
Audience is invalid. Audience attribute does not match https://YOUR-INSTANCE-URL
```
-Ensure that you set the value for `Audience` on your IdP to the `EntityId` for your {% data variables.product.prodname_ghe_server %} instance, which is the full URL to your {% data variables.product.prodname_ghe_server %} instance. For example, `https://ghe.corp.example.com`.
+Ensure that you set the value for `Audience` on your IdP to the `EntityId` for {% data variables.product.product_location %}, which is the full URL to {% data variables.product.product_location %}. For example, `https://ghe.corp.example.com`.
+
+### Configuring SAML debugging
+
+You can configure {% data variables.product.product_name %} to write verbose debug logs to _/var/log/github/auth.log_ for every SAML authentication attempt. You may be able to troubleshoot failed authentication attempts with this extra output.
+
+{% warning %}
+
+**Warnings**:
+
+- Only enable SAML debugging temporarily, and disable debugging immediately after you finish troubleshooting. If you leave debugging enabled, the size of your log may increase much faster than usual, which can negatively impact the performance of {% data variables.product.product_name %}.
+- Test new authentication settings for {% data variables.product.product_location %} in a staging environment before you apply the settings in your production environment. For more information, see "[Setting up a staging instance](/admin/installation/setting-up-a-github-enterprise-server-instance/setting-up-a-staging-instance)."
+
+{% endwarning %}
+
+{% data reusables.enterprise-accounts.access-enterprise %}
+{% data reusables.enterprise-accounts.policies-tab %}
+{% data reusables.enterprise-accounts.options-tab %}
+1. Under "SAML debugging", select the drop-down and click **Enabled**.
+
+ 
+
+1. Attempt to sign into {% data variables.product.product_location %} through your SAML IdP.
+
+1. Review the debug output in _/var/log/github/auth.log_ on {% data variables.product.product_location %}.
+
+1. When you're done troubleshooting, select the drop-down and click **Disabled**.
+
+ 
+
+### Decoding responses in _auth.log_
+
+Some output in _auth.log_ may be Base64-encoded. You can access the administrative shell and use the `base64` utility on {% data variables.product.product_location %} to decode these responses. For more information, see "[Accessing the administrative shell (SSH)](/admin/configuration/configuring-your-enterprise/accessing-the-administrative-shell-ssh)."
+
+```shell
+$ base64 --decode ENCODED OUTPUT
+```
diff --git a/data/features/re-run-jobs.yml b/data/features/re-run-jobs.yml
new file mode 100644
index 000000000000..31a13136bad1
--- /dev/null
+++ b/data/features/re-run-jobs.yml
@@ -0,0 +1,7 @@
+# Issue 4722
+# Re-running failed jobs in an Actions workflow
+versions:
+ fpt: '*'
+ ghec: '*'
+ ghes: '>=3.5'
+ ghae: 'issue-4722'
diff --git a/data/release-notes/enterprise-server/3-4/0-rc1.yml b/data/release-notes/enterprise-server/3-4/0-rc1.yml
index 0d9f46c33840..9aa637db8e8d 100644
--- a/data/release-notes/enterprise-server/3-4/0-rc1.yml
+++ b/data/release-notes/enterprise-server/3-4/0-rc1.yml
@@ -1,6 +1,6 @@
date: '2022-02-15'
release_candidate: true
-deprecated: false
+deprecated: true
intro: |
{% note %}
diff --git a/data/release-notes/enterprise-server/3-4/0.yml b/data/release-notes/enterprise-server/3-4/0.yml
new file mode 100644
index 000000000000..c158cc09d870
--- /dev/null
+++ b/data/release-notes/enterprise-server/3-4/0.yml
@@ -0,0 +1,282 @@
+date: '2022-03-15'
+intro: |
+
+ For upgrade instructions, see "[Upgrading {% data variables.product.prodname_ghe_server %}](/admin/enterprise-management/updating-the-virtual-machine-and-physical-resources/upgrading-github-enterprise-server)."
+
+ > This release is dedicated to our colleague and friend John, a Hubber who was always there to help. You will be greatly missed.
+ >
+ > **John "Ralph" Wiebalk 1986–2021**
+
+sections:
+ features:
+ - heading: Secret scanning REST API now returns locations
+ notes:
+ # https://github.com/github/releases/issues/1642
+ - |
+ {% data variables.product.prodname_GH_advanced_security %} customers can now use the REST API to retrieve commit details of secrets detected in private repository scans. The new endpoint returns details of a secret's first detection within a file, including the secret's location and commit SHA. For more information, see "[Secret scanning](/rest/reference/secret-scanning)" in the REST API documentation.
+
+ - heading: Export license data of committer-based billing for GitHub Advanced Security
+ notes:
+ # https://github.com/github/releases/issues/1757
+ - |
+ Enterprise and organization owners can now export their {% data variables.product.prodname_GH_advanced_security %} license usage data to a CSV file. The {% data variables.product.prodname_advanced_security %} billing data can also be retrieved via billing endpoints in the REST API. For more information, see the "[{% data variables.product.prodname_dotcom %} changelog](https://github.blog/changelog/2021-11-11-export-github-advanced-security-license-usage-data/)."
+
+ - heading: GitHub Actions reusable workflows in public beta
+ notes:
+ # https://github.com/github/releases/issues/1541
+ - |
+ You can now reuse entire workflows as if they were an action. This feature is available in public beta. Instead of copying and pasting workflow definitions across repositories, you can now reference an existing workflow with a single line of configuration. For more information, see the "[{% data variables.product.prodname_dotcom %} changelog](https://github.blog/changelog/2021-10-05-github-actions-dry-your-github-actions-configuration-by-reusing-workflows/)."
+
+ - heading: Dependabot security and version updates in public beta
+ notes:
+ # https://github.com/github/releases/issues/2004
+ - |
+ {% data variables.product.prodname_dependabot %} is now available in {% data variables.product.prodname_ghe_server %} 3.4 as a public beta, offering both version updates and security updates for several popular ecosystems. {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_ghe_server %} requires {% data variables.product.prodname_actions %} and a pool of self-hosted runners configured for {% data variables.product.prodname_dependabot %} use. {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_ghe_server %} also requires {% data variables.product.prodname_github_connect %} and {% data variables.product.prodname_dependabot %} to be enabled by an administrator. Beta feedback and suggestions can be shared in the [{% data variables.product.prodname_dependabot %} Feedback GitHub discussion](https://github.com/github/feedback/discussions/categories/dependabot-feedback). For more information and to try the beta, see "[Setting up {% data variables.product.prodname_dependabot %} security and version updates on your enterprise](/admin/github-actions/enabling-github-actions-for-github-enterprise-server/setting-up-dependabot-updates)."
+
+ changes:
+ - heading: Administration Changes
+ notes:
+ # https://github.com/github/releases/issues/1657
+ - Users can now choose the number of spaces a tab is equal to, by setting their preferred tab size in the "Appearance" settings of their user account. All code with a tab indent will render using the preferred tab size.
+
+ # https://github.com/github/releases/issues/2062
+ - The {% data variables.product.prodname_github_connect %} data connection record now includes a count of the number of active and dormant users and the configured dormancy period.
+
+ # https://github.com/github/releases/issues/1722
+ - You can now give users access to enterprise-specific links by adding custom footers to {% data variables.product.prodname_ghe_server %}. For more information, see "[Configuring custom footers](/admin/configuration/configuring-your-enterprise/configuring-custom-footers)."
+
+ - heading: Performance Changes
+ notes:
+ # https://github.com/github/releases/issues/2031
+ - WireGuard, used to secure communication between {% data variables.product.prodname_ghe_server %} instances in a High Availability configuration, has been migrated to the Kernel implementation.
+
+ - heading: Notification Changes
+ notes:
+ # https://github.com/github/releases/issues/1801
+ - Organization owners can now unsubscribe from email notifications when new deploy keys are added to repositories belonging to their organizations. For more information, see "[Configuring notifications](/account-and-profile/managing-subscriptions-and-notifications-on-github/setting-up-notifications/configuring-notifications)."
+
+ # https://github.com/github/releases/issues/1714
+ - 'Notification emails from newly created issues and pull requests now include `(Issue #xx)` or `(PR #xx)` in the email subject, so you can recognize and filter emails that reference these types of issues.'
+
+ - heading: Organization Changes
+ notes:
+ # https://github.com/github/releases/issues/1509
+ - Organizations can now display a `README.md` file on their profile Overview. For more information, see the "[{% data variables.product.prodname_dotcom %} changelog](https://github.blog/changelog/2021-09-14-readmes-for-organization-profiles/)."
+
+ # https://github.com/github/releases/issues/1883
+ - Members of organizations can now view a list of their enterprise owners under the organization's "People" tab. The enterprise owners list is also now accessible using the GraphQL API. For more information, see the "[`enterpriseOwners`](/graphql/reference/objects#organization)" field under the Organization object in the GraphQL API documentation.
+
+ - heading: Repositories changes
+ notes:
+ # https://github.com/github/releases/issues/1944
+ - |
+ A "Manage Access" section is now shown on the "Collaborators and teams" page in your repository settings. The new section makes it easier for repository administrators to see and manage who has access to their repository, and the level of access granted to each user. Administrators can now:
+
+ * Search all members, teams and collaborators who have access to the repository.
+ * View when members have mixed role assignments, granted to them directly as individuals or indirectly via a team. This is visualized through a new "mixed roles" warning, which displays the highest level role the user is granted if their permission level is higher than their assigned role.
+ * Manage access to popular repositories reliably, with page pagination and fewer timeouts when large groups of users have access.
+
+ # https://github.com/github/releases/issues/1748
+ - '{% data variables.product.prodname_ghe_server %} 3.4 includes improvements to the repository invitation experience, such as notifications for private repository invites, a UI prompt when visiting a private repository you have a pending invitation for, and a banner on a public repository overview page when there is an pending invitation.'
+
+ # https://github.com/github/releases/issues/1739
+ - You can now use single-character prefixes for custom autolinks. Autolink prefixes also now allow `.`, `-`, `_`, `+`, `=`, `:`, `/`, and `#` characters, as well as alphanumerics. For more information about custom autolinks, see "[Configuring autolinks to reference external resources](/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/configuring-autolinks-to-reference-external-resources)."
+
+ # https://github.com/github/releases/issues/1776
+ - A `CODE_OF_CONDUCT.md` file in the root of a repository is now highlighted in the "About" sidebar on the repository overview page.
+
+ - heading: 'Releases changes'
+ notes:
+ # https://github.com/github/releases/issues/1723
+ - '{% data variables.product.prodname_ghe_server %} 3.4 includes improvements to the Releases UI, such as automatically generated release notes which display a summary of all the pull requests for a given release. For more information, see the "[{% data variables.product.prodname_dotcom %} changelog](https://github.blog/changelog/2021-10-20-improvements-to-github-releases-generally-available/)."'
+
+ # https://github.com/github/releases/issues/1606
+ - When a release is published, an avatar list is now displayed at the bottom of the release. Avatars for all user accounts mentioned in the release notes are shown. For more information, see "[Managing releases in a repository](/repositories/releasing-projects-on-github/managing-releases-in-a-repository)."
+
+ - heading: 'Markdown changes'
+ notes:
+ # https://github.com/github/releases/issues/1779
+ - You can now use the new "Accessibility" settings page to manage your keyboard shortcuts. You can choose to disable keyboard shortcuts that only use single characters like S, G C, and . (the period key). For more information, see the "[{% data variables.product.prodname_dotcom %} changelog](https://github.blog/changelog/2021-11-16-managing-keyboard-shortcuts-using-accessibility-settings/)."
+
+ # https://github.com/github/releases/issues/1727
+ - You can now choose to use a fixed-width font in Markdown-enabled fields, like issue comments and pull request descriptions. For more information, see the "[{% data variables.product.prodname_dotcom %} changelog](https://github.blog/changelog/2021-10-12-fixed-width-font-support-in-markdown-enabled-fields/)."
+
+ # https://github.com/github/releases/issues/1761
+ - You can now paste a URL on selected text to quickly create a Markdown link. This works in all Markdown-enabled fields, such as issue comments and pull request descriptions. For more information, see the "[{% data variables.product.prodname_dotcom %} changelog](https://github.blog/changelog/2021-11-10-linkify-selected-text-on-url-paste/)."
+
+ # https://github.com/github/releases/issues/1758
+ - An image URL can now be appended with a theme context, such as `#gh-dark-mode-only`, to define how the Markdown image is displayed to a viewer. For more information, see the "[{% data variables.product.prodname_dotcom %} changelog](https://github.blog/changelog/2021-11-24-specify-theme-context-for-images-in-markdown/)."
+
+ # https://github.com/github/releases/issues/1686
+ - When creating or editing a gist file with the Markdown (`.md`) file extension, you can now use the "Preview" or "Preview Changes" tab to display a Markdown rendering of the file contents. For more information, see the "[{% data variables.product.prodname_dotcom %} changelog](https://github.blog/changelog/2021-11-17-preview-the-markdown-rendering-of-gists/)."
+
+ # https://github.com/github/releases/issues/1754
+ - When typing the name of a {% data variables.product.prodname_dotcom %} user in issues, pull requests and discussions, the @mention suggester now ranks existing participants higher than other {% data variables.product.prodname_dotcom %} users, so that it's more likely the user you're looking for will be listed.
+
+ # https://github.com/github/releases/issues/1636
+ - Right-to-left languages are now supported natively in Markdown files, issues, pull requests, discussions, and comments.
+
+ - heading: 'Issues and pull requests changes'
+ notes:
+ # https://github.com/github/releases/issues/1731
+ - The diff setting to hide whitespace changes in the pull request "Files changed" tab is now retained for your user account for that pull request. The setting you have chosen is automatically reapplied if you navigate away from the page and then revisit the "Files changed" tab of the same pull request.
+
+ # https://github.com/github/releases/issues/1663
+ - When using auto assignment for pull request code reviews, you can now choose to only notify requested team members independently of your auto assignment settings. This setting is useful in scenarios where many users are auto assigned but not all users require notification. For more information, see the "[{% data variables.product.prodname_dotcom %} changelog](https://github.blog/changelog/2021-11-10-team-member-pull-request-review-notifications-can-be-configured-independently-of-auto-assignment/)."
+
+ - heading: 'Branches changes'
+ notes:
+ # https://github.com/github/releases/issues/1526
+ - Organization and repository administrators can now trigger webhooks to listen for changes to branch protection rules on their repositories. For more information, see the "[branch_protection_rule](/developers/webhooks-and-events/webhooks/webhook-events-and-payloads#branch_protection_rule)" event in the webhooks events and payloads documentation.
+
+ # https://github.com/github/releases/issues/1759
+ - When configuring protected branches, you can now enforce that a required status check is provided by a specific {% data variables.product.prodname_github_app %}. If a status is then provided by a different application, or by a user via a commit status, merging is prevented. This ensures all changes are validated by the intended application. For more information, see the "[{% data variables.product.prodname_dotcom %} changelog](https://github.blog/changelog/2021-12-01-ensure-required-status-checks-provided-by-the-intended-app/)."
+
+ # https://github.com/github/releases/issues/1911
+ - Only users with administrator permissions are now able to rename protected branches and modify branch protection rules. Previously, with the exception of the default branch, a collaborator could rename a branch and consequently any non-wildcard branch protection rules that applied to that branch were also renamed. For more information, see "[Renaming a branch](/repositories/configuring-branches-and-merges-in-your-repository/managing-branches-in-your-repository/renaming-a-branch)" and "[Managing a branch protection rule](/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/managing-a-branch-protection-rule)."
+
+ # https://github.com/github/releases/issues/1845
+ - Administrators can now allow only specific users and teams to bypass pull request requirements. For more information, see the "[{% data variables.product.prodname_dotcom %} changelog](https://github.blog/changelog/2021-11-19-allow-bypassing-required-pull-requests/)."
+
+ # https://github.com/github/releases/issues/1850
+ - Administrators can now allow only specific users and teams to force push to a repository. For more information, see the "[{% data variables.product.prodname_dotcom %} changelog](https://github.blog/changelog/2021-12-21-specify-who-can-force-push-to-a-repository/)."
+
+ # https://github.com/github/releases/issues/1796
+ - When requiring pull requests for all changes to a protected branch, administrators can now choose if approved reviews are also a requirement. For more information, see the "[{% data variables.product.prodname_dotcom %} changelog](https://github.blog/changelog/2021-11-10-require-pull-requests-without-requiring-reviews/)."
+
+ - heading: 'GitHub Actions changes'
+ notes:
+ # https://github.com/github/releases/issues/1906
+ - '{% data variables.product.prodname_actions %} workflows triggered by {% data variables.product.prodname_dependabot %} for the `create`, `deployment`, and `deployment_status` events now always receive a read-only token and no secrets. Similarly, workflows triggered by {% data variables.product.prodname_dependabot %} for the `pull_request_target` event on pull requests where the base ref was created by {% data variables.product.prodname_dependabot %}, now always receive a read-only token and no secrets. These changes are designed to prevent potentially malicious code from executing in a privileged workflow. For more information, see "[Automating {% data variables.product.prodname_dependabot %} with {% data variables.product.prodname_actions %}](/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/automating-dependabot-with-github-actions)."'
+
+ # https://github.com/github/releases/issues/1667
+ - Workflow runs on `push` and `pull_request` events triggered by {% data variables.product.prodname_dependabot %} will now respect the permissions specified in your workflows, allowing you to control how you manage automatic dependency updates. The default token permissions will remain read-only. For more information, see the "[{% data variables.product.prodname_dotcom %} changelog](https://github.blog/changelog/2021-10-06-github-actions-workflows-triggered-by-dependabot-prs-will-respect-permissions-key-in-workflows/)."
+
+ # https://github.com/github/releases/issues/1668
+ - '{% data variables.product.prodname_actions %} workflows triggered by {% data variables.product.prodname_dependabot %} will now be sent the {% data variables.product.prodname_dependabot %} secrets. You can now pull from private package registries in your CI using the same secrets you have configured for {% data variables.product.prodname_dependabot %} to use, improving how {% data variables.product.prodname_actions %} and {% data variables.product.prodname_dependabot %} work together. For more information, see "[Automating {% data variables.product.prodname_dependabot %} with {% data variables.product.prodname_actions %}](/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/automating-dependabot-with-github-actions)."'
+
+ # https://github.com/github/releases/issues/1615
+ - You can now manage runner groups and see the status of your self-hosted runners using new Runners and Runner Groups pages in the UI. The Actions settings page for your repository or organization now shows a summary view of your runners, and allows you to deep dive into a specific runner to edit it or see what job it may be currently running. For more information, see the "[{% data variables.product.prodname_dotcom %} changelog](https://github.blog/changelog/2021-09-20-github-actions-experience-refresh-for-the-management-of-self-hosted-runners/)."
+
+ # https://github.com/github/releases/issues/1785
+ - 'Actions authors can now have their action run in Node.js 16 by specifying [`runs.using` as `node16` in the action''s `action.yml`](/actions/creating-actions/metadata-syntax-for-github-actions#runs-for-javascript-actions). This is in addition to the existing Node.js 12 support; actions can continue to specify `runs.using: node12` to use the Node.js 12 runtime.'
+
+ # https://github.com/github/releases/issues/1799
+ - 'For manually triggered workflows, {% data variables.product.prodname_actions %} now supports the `choice`, `boolean`, and `environment` input types in addition to the default `string` type. For more information, see "[`on.workflow_dispatch.inputs`](/actions/using-workflows/workflow-syntax-for-github-actions#onworkflow_dispatchinputs)."'
+
+ # https://github.com/github/releases/issues/1782
+ - Actions written in YAML, also known as composite actions, now support `if` conditionals. This lets you prevent specific steps from executing unless a condition has been met. Like steps defined in workflows, you can use any supported context and expression to create a conditional.
+
+ # https://github.com/github/releases/issues/1919
+ - The search order behavior for self-hosted runners has now changed, so that the first available matching runner at any level will run the job in all cases. This allows jobs to be sent to self-hosted runners much faster, especially for organizations and enterprises with lots of self-hosted runners. Previously, when running a job that required a self-hosted runner, {% data variables.product.prodname_actions %} would look for self-hosted runners in the repository, organization, and enterprise, in that order.
+
+ # https://github.com/github/releases/issues/1753
+ - Runner labels for {% data variables.product.prodname_actions %} self-hosted runners can now be listed, added and removed using the REST API. For more information about using the new APIs at a repository, organization, or enterprise level, see "[Repositories](/rest/reference/actions#list-labels-for-a-self-hosted-runner-for-a-repository)", "[Organizations](/rest/reference/actions#add-custom-labels-to-a-self-hosted-runner-for-an-organization)", and "[Enterprises](/rest/reference/enterprise-admin#list-labels-for-a-self-hosted-runner-for-an-enterprise)" in the REST API documentation.
+
+ - heading: 'Dependabot and Dependency graph changes'
+ notes:
+ # https://github.com/github/releases/issues/1520
+ - Dependency graph now supports detecting Python dependencies in repositories that use the Poetry package manager. Dependencies will be detected from both `pyproject.toml` and `poetry.lock` manifest files.
+
+ # https://github.com/github/releases/issues/1921
+ - When configuring {% data variables.product.prodname_dependabot %} security and version updates on GitHub Enterprise Server, we recommend you also enable {% data variables.product.prodname_dependabot %} in {% data variables.product.prodname_github_connect %}. This will allow {% data variables.product.prodname_dependabot %} to retrieve an updated list of dependencies and vulnerabilities from {% data variables.product.prodname_dotcom_the_website %}, by querying for information such as the changelogs of the public releases of open source code that you depend upon. For more information, see "[Enabling the dependency graph and Dependabot alerts for your enterprise](/admin/configuration/configuring-github-connect/enabling-the-dependency-graph-and-dependabot-alerts-for-your-enterprise)."
+
+ # https://github.com/github/releases/issues/1717
+ - '{% data variables.product.prodname_dependabot_alerts %} alerts can now be dismissed using the GraphQL API. For more information, see the "[dismissRepositoryVulnerabilityAlert](/graphql/reference/mutations#dismissrepositoryvulnerabilityalert)" mutation in the GraphQL API documentation.'
+
+ - heading: 'Code scanning and secret scanning changes'
+ notes:
+ # https://github.com/github/releases/issues/1802
+ - The {% data variables.product.prodname_codeql %} CLI now supports including markdown-rendered query help in SARIF files, so that the help text can be viewed in the {% data variables.product.prodname_code_scanning %} UI when the query generates an alert. For more information, see the "[{% data variables.product.prodname_dotcom %} changelog](https://github.blog/changelog/2021-11-23-display-help-text-for-your-custom-codeql-queries-in-code-scanning/)."
+
+ # https://github.com/github/releases/issues/1790
+ - The {% data variables.product.prodname_codeql %} CLI and {% data variables.product.prodname_vscode %} extension now support building databases and analyzing code on machines powered by Apple Silicon, such as Apple M1. For more information, see the "[{% data variables.product.prodname_dotcom %} changelog](https://github.blog/changelog/2021-11-10-codeql-now-supports-apple-silicon-m1/)."
+
+ # https://github.com/github/releases/issues/1732
+ - |
+ The depth of {% data variables.product.prodname_codeql %}'s analysis has been improved by adding support for more [libraries and frameworks](https://codeql.github.com/docs/codeql-overview/supported-languages-and-frameworks/) from the Python ecosystem. As a result, {% data variables.product.prodname_codeql %} can now detect even more potential sources of untrusted user data, steps through which that data flows, and potentially dangerous sinks where the data could end up. This results in an overall improvement of the quality of {% data variables.product.prodname_code_scanning %} alerts. For more information, see the "[{% data variables.product.prodname_dotcom %} changelog](https://github.blog/changelog/2021-11-24-codeql-code-scanning-now-recognizes-more-python-libraries-and-frameworks/)."
+
+ # https://github.com/github/releases/issues/1567
+ - Code scanning with {% data variables.product.prodname_codeql %} now includes beta support for analyzing code in all common Ruby versions, up to and including 3.02. For more information, see the "[{% data variables.product.prodname_dotcom %} changelog](https://github.blog/changelog/2021-10-27-codeql-code-scanning-adds-beta-support-for-ruby/)."
+
+ # https://github.com/github/releases/issues/1764
+ - |
+ Several improvements have been made to the {% data variables.product.prodname_code_scanning %} API:
+
+ * The `fixed_at` timestamp has been added to alerts. This timestamp is the first time that the alert was not detected in an analysis.
+ * Alert results can now be sorted using `sort` and `direction` on either `created`, `updated` or `number`. For more information, see "[List code scanning alerts for a repository](/rest/reference/code-scanning#list-code-scanning-alerts-for-a-repository)."
+ * A `Last-Modified` header has been added to the alerts and alert endpoint response. For more information, see [`Last-Modified`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Last-Modified) in the Mozilla documentation.
+ * The `relatedLocations` field has been added to the SARIF response when you request a code scanning analysis. The field may contain locations which are not the primary location of the alert. See an example in the [SARIF spec](https://docs.oasis-open.org/sarif/sarif/v2.1.0/cs01/sarif-v2.1.0-cs01.html#_Toc16012616) and for more information see "[Get a code scanning analysis for a repository](/rest/reference/code-scanning#get-a-code-scanning-analysis-for-a-repository)."
+ * Both `help` and `tags` data have been added to the webhook response alert rule object. For more information, see "[Code scanning alert webhooks events and payloads](/developers/webhooks-and-events/webhooks/webhook-events-and-payloads#code_scanning_alert)."
+ * Personal access tokens with the `public_repo` scope now have write access for code scanning endpoints on public repos, if the user has permission.
+
+ For more information, see "[Code scanning](/rest/reference/code-scanning)" in the REST API documentation.
+
+ # https://github.com/github/releases/issues/1943
+ - '{% data variables.product.prodname_GH_advanced_security %} customers can now use the REST API to retrieve private repository secret scanning results at the enterprise level. The new endpoint supplements the existing repository-level and organization-level endpoints. For more information, see "[Secret scanning](/rest/reference/secret-scanning)" in the REST API documentation.'
+
+ # No security/bug fixes for the GA release
+ # security_fixes:
+ # - PLACEHOLDER
+
+ # bugs:
+ # - PLACEHOLDER
+
+ known_issues:
+ - On a freshly set up {% data variables.product.prodname_ghe_server %} instance without any users, an attacker could create the first admin user.
+ - Custom firewall rules are removed during the upgrade process.
+ - Git LFS tracked files [uploaded through the web interface](https://github.com/blog/2105-upload-files-to-your-repositories) are incorrectly added directly to the repository.
+ - Issues cannot be closed if they contain a permalink to a blob in the same repository, where the blob's file path is longer than 255 characters.
+ - When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
+ - The {% data variables.product.prodname_registry %} npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.
+ - Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.
+ - Actions services needs to be restarted after restoring appliance from backup taken on a different host.
+
+ deprecations:
+ - heading: Deprecation of GitHub Enterprise Server 3.0
+ notes:
+ - '**{% data variables.product.prodname_ghe_server %} 3.0 was discontinued on February 16, 2022**. This means that no patch releases will be made, even for critical security issues, after this date. For better performance, improved security, and new features, [upgrade to the newest version of {% data variables.product.prodname_ghe_server %}](/enterprise-server@3.4/admin/enterprise-management/upgrading-github-enterprise-server) as soon as possible.'
+ - heading: Deprecation of GitHub Enterprise Server 3.1
+ notes:
+ - '**{% data variables.product.prodname_ghe_server %} 3.1 will be discontinued on June 3, 2022**. This means that no patch releases will be made, even for critical security issues, after this date. For better performance, improved security, and new features, [upgrade to the newest version of {% data variables.product.prodname_ghe_server %}](/enterprise-server@3.4/admin/enterprise-management/upgrading-github-enterprise-server) as soon as possible.'
+
+ - heading: Deprecation of XenServer Hypervisor support
+ notes:
+ # https://github.com/github/docs-content/issues/4439
+ - Starting in {% data variables.product.prodname_ghe_server %} 3.3, {% data variables.product.prodname_ghe_server %} on XenServer was deprecated and is no longer supported. Please contact [GitHub Support](https://support.github.com) with questions or concerns.
+
+ - heading: Deprecation of the Content Attachments API preview
+ notes:
+ #
+ - Due to low usage, we have deprecated the Content References API preview in {% data variables.product.prodname_ghe_server %} 3.4. The API was previously accessible with the `corsair-preview` header. Users can continue to navigate to external URLs without this API. Any registered usages of the Content References API will no longer receive a webhook notification for URLs from your registered domain(s) and we no longer return valid response codes for attempted updates to existing content attachments.
+
+ - heading: Deprecation of the Codes of Conduct API preview
+ notes:
+ # https://github.com/github/releases/issues/1708
+ - 'The Codes of Conduct API preview, which was accessible with the `scarlet-witch-preview` header, is deprecated and no longer accessible in {% data variables.product.prodname_ghe_server %} 3.4. We instead recommend using the "[Get community profile metrics](/rest/reference/repos#get-community-profile-metrics)" endpoint to retrieve information about a repository''s code of conduct. For more information, see the "[Deprecation Notice: Codes of Conduct API preview](https://github.blog/changelog/2021-10-06-deprecation-notice-codes-of-conduct-api-preview/)" in the {% data variables.product.prodname_dotcom %} changelog.'
+
+ - heading: Deprecation of OAuth Application API endpoints and API authentication using query parameters
+ notes:
+ # https://github.com/github/releases/issues/1316
+ - |
+ Starting with {% data variables.product.prodname_ghe_server %} 3.4, the [deprecated version of the OAuth Application API endpoints](https://developer.github.com/changes/2020-02-14-deprecating-oauth-app-endpoint/#endpoints-affected) have been removed. If you encounter 404 error messages on these endpoints, convert your code to the versions of the OAuth Application API that do not have `access_tokens` in the URL. We've also disabled the use of API authentication using query parameters. We instead recommend using [API authentication in the request header](https://developer.github.com/changes/2020-02-10-deprecating-auth-through-query-param/#changes-to-make).
+
+ - heading: Deprecation of the CodeQL runner
+ notes:
+ # https://github.com/github/releases/issues/1632
+ - The {% data variables.product.prodname_codeql %} runner is deprecated in {% data variables.product.prodname_ghe_server %} 3.4 and is no longer supported. The deprecation only affects users who use {% data variables.product.prodname_codeql %} code scanning in third party CI/CD systems; {% data variables.product.prodname_actions %} users are not affected. We strongly recommend that customers migrate to the {% data variables.product.prodname_codeql %} CLI, which is a feature-complete replacement for the {% data variables.product.prodname_codeql %} runner. For more information, see the [{% data variables.product.prodname_dotcom %} changelog](https://github.blog/changelog/2021-09-21-codeql-runner-deprecation/).
+
+ - heading: Deprecation of custom bit-cache extensions
+ notes:
+ # https://github.com/github/releases/issues/1415
+ - |
+ Starting in {% data variables.product.prodname_ghe_server %} 3.1, support for {% data variables.product.company_short %}'s proprietary bit-cache extensions began to be phased out. These extensions are deprecated in {% data variables.product.prodname_ghe_server %} 3.3 onwards.
+
+ Any repositories that were already present and active on {% data variables.product.product_location %} running version 3.1 or 3.2 will have been automatically updated.
+
+ Repositories which were not present and active before upgrading to {% data variables.product.prodname_ghe_server %} 3.3 may not perform optimally until a repository maintenance task is run and has successfully completed.
+
+ To start a repository maintenance task manually, browse to `https:///stafftools/repositories///network` for each affected repository and click the Schedule button.
+
+ backups:
+ - '{% data variables.product.prodname_ghe_server %} 3.4 requires at least [GitHub Enterprise Backup Utilities 3.4.0](https://github.com/github/backup-utils) for [Backups and Disaster Recovery](/admin/configuration/configuring-your-enterprise/configuring-backups-on-your-appliance).'
diff --git a/data/reusables/enterprise/test-in-staging.md b/data/reusables/enterprise/test-in-staging.md
new file mode 100644
index 000000000000..94eede5d3cc5
--- /dev/null
+++ b/data/reusables/enterprise/test-in-staging.md
@@ -0,0 +1 @@
+{% data variables.product.company_short %} strongly recommends that you verify any new configuration for authentication in a staging environment. An incorrect configuration could result in downtime for {% data variables.product.product_location %}. For more information, see "[Setting up a staging instance](/admin/installation/setting-up-a-github-enterprise-server-instance/setting-up-a-staging-instance)."
diff --git a/data/variables/release_candidate.yml b/data/variables/release_candidate.yml
index 2352b83fd10a..026d2f7e61ab 100644
--- a/data/variables/release_candidate.yml
+++ b/data/variables/release_candidate.yml
@@ -1 +1 @@
-version: enterprise-server@3.4
+version: ''
diff --git a/docker-compose.prod.tmpl.yaml b/docker-compose.prod.tmpl.yaml
index a9d84b73da3b..d447edd1a1cc 100644
--- a/docker-compose.prod.tmpl.yaml
+++ b/docker-compose.prod.tmpl.yaml
@@ -17,6 +17,7 @@ services:
ENABLED_LANGUAGES: ${ENABLED_LANGUAGES}
DEPLOYMENT_ENV: ${DEPLOYMENT_ENV}
RATE_LIMIT_MAX: ${RATE_LIMIT_MAX}
+ SLOW_DOWN_MAX: ${SLOW_DOWN_MAX}
HEROKU_PRODUCTION_APP: true
PORT: 4000
DD_AGENT_HOST: datadog-agent
diff --git a/middleware/index.js b/middleware/index.js
index a523c64b6c69..a2bdce7f1123 100644
--- a/middleware/index.js
+++ b/middleware/index.js
@@ -9,6 +9,7 @@ import timeout from './timeout.js'
import morgan from 'morgan'
import datadog from './connect-datadog.js'
import rateLimit from './rate-limit.js'
+import slowDown from './slow-down.js'
import cors from './cors.js'
import helmet from 'helmet'
import csp from './csp.js'
@@ -212,6 +213,7 @@ export default function (app) {
}
// *** Early exits ***
+ app.use(slowDown)
app.use(rateLimit)
app.use(instrument(handleInvalidPaths, './handle-invalid-paths'))
app.use(asyncMiddleware(instrument(handleNextDataPath, './handle-next-data-path')))
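Review bot: `app.use(slowDown)` is registered ahead of `app.use(rateLimit)`, so a client that has exceeded both thresholds is held for the slow-down delay (up to 9 seconds, per `maxDelayMs` in slow-down.js) before the limiter can reject it, which keeps connections open longer during a flood. If the limiter is meant to shed load cheaply, put `app.use(rateLimit)` first; otherwise add a comment such as `// slowDown runs first so clients are throttled before they are rejected`. express-slow-down keys on `req.ip` by default, so the throttle is only per-client if Express's `trust proxy` setting matches the proxies in front of the app; that setting is not visible in this hunk and should be confirmed. The enclosing function starts and ends outside the hunk.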
diff --git a/middleware/slow-down.js b/middleware/slow-down.js
new file mode 100644
index 000000000000..d9bc8cc81ecb
--- /dev/null
+++ b/middleware/slow-down.js
@@ -0,0 +1,20 @@
+import slowDown from 'express-slow-down'
+import statsd from '../lib/statsd.js'
+
+const MAX = process.env.SLOW_DOWN_MAX ? parseInt(process.env.SLOW_DOWN_MAX, 10) : 10000
+if (isNaN(MAX)) {
+ throw new Error(`process.env.SLOW_DOWN_MAX (${process.env.SLOW_DOWN_MAX}) not a number`)
+}
+
+export default slowDown({
+ windowMs: 1 * 60 * 1000, // 1 minute window
+ delayAfter: MAX, // allow MAX requests to go at full-speed, then...
+ delayMs: 100, // MAX+1 request has a 100ms delay, MAX+2 has a 200ms delay, MAX+3 has 300ms, etc.
+ maxDelayMs: 9 * 1000, // slightly less than our Express timeout handler
+
+ // Function to listen the first time the limit is reached within windowMs. Defaults:
+ onLimitReached: (request) => {
+ const tags = [`url:${request.url}`, `ip:${request.ip}`]
+ statsd.increment('middleware.slow_down', 1, tags)
+ },
+})
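Review bot: The `SLOW_DOWN_MAX` check rejects only `NaN`, so `parseInt` accepts values such as `10k` (read as 10), `0` or `-5`, and a mistyped threshold silently changes when throttling starts. A stricter form is `const MAX = process.env.SLOW_DOWN_MAX ? Number(process.env.SLOW_DOWN_MAX) : 10000` with `if (!Number.isInteger(MAX) || MAX <= 0) {` in place of the `isNaN` test; if zero is meant to be a valid setting, say so in a comment instead. Separately, the `onLimitReached` tags carry the raw `request.url` and `request.ip`, which are client-controlled and unbounded in cardinality for the metrics backend, so consider dropping the URL tag or reducing it to the path without the query string. The comment above `onLimitReached` ends in a dangling `Defaults:` and could read `// Called the first time a client reaches the limit within windowMs.`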
diff --git a/package-lock.json b/package-lock.json
index 051eaf2d2eca..cc4d3ba9e6bf 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -27,6 +27,7 @@
"dotenv": "^10.0.0",
"express": "^4.17.2",
"express-rate-limit": "^6.0.4",
+ "express-slow-down": "^1.4.0",
"express-timeout-handler": "^2.2.2",
"flat": "^5.0.2",
"github-slugger": "^1.4.0",
@@ -6887,6 +6888,14 @@
"node": ">=8"
}
},
+ "node_modules/clone": {
+ "version": "1.0.4",
+ "resolved": "https://registry.npmjs.org/clone/-/clone-1.0.4.tgz",
+ "integrity": "sha1-2jCcwmPfFZlMaIypAheco8fNfH4=",
+ "engines": {
+ "node": ">=0.8"
+ }
+ },
"node_modules/clone-deep": {
"version": "0.2.4",
"resolved": "https://registry.npmjs.org/clone-deep/-/clone-deep-0.2.4.tgz",
@@ -7692,6 +7701,14 @@
"node": ">=0.10.0"
}
},
+ "node_modules/defaults": {
+ "version": "1.0.3",
+ "resolved": "https://registry.npmjs.org/defaults/-/defaults-1.0.3.tgz",
+ "integrity": "sha1-xlYFHpgX2f8I7YgUd/P+QBnz730=",
+ "dependencies": {
+ "clone": "^1.0.2"
+ }
+ },
"node_modules/defer-to-connect": {
"version": "2.0.1",
"resolved": "https://registry.npmjs.org/defer-to-connect/-/defer-to-connect-2.0.1.tgz",
@@ -9300,6 +9317,14 @@
"express": "^4"
}
},
+ "node_modules/express-slow-down": {
+ "version": "1.4.0",
+ "resolved": "https://registry.npmjs.org/express-slow-down/-/express-slow-down-1.4.0.tgz",
+ "integrity": "sha512-Tw5aa0plPj2STiuc2SyMw2VSjMvBgLGQHHoPhkIL4iPQcFZDueWBaiLxFZ3SrwrJhiu3b3sHNcsP6lXeWnbwAw==",
+ "dependencies": {
+ "defaults": "^1.0.3"
+ }
+ },
"node_modules/express-timeout-handler": {
"version": "2.2.2",
"resolved": "https://registry.npmjs.org/express-timeout-handler/-/express-timeout-handler-2.2.2.tgz",
@@ -27887,6 +27912,11 @@
}
}
},
+ "clone": {
+ "version": "1.0.4",
+ "resolved": "https://registry.npmjs.org/clone/-/clone-1.0.4.tgz",
+ "integrity": "sha1-2jCcwmPfFZlMaIypAheco8fNfH4="
+ },
"clone-deep": {
"version": "0.2.4",
"resolved": "https://registry.npmjs.org/clone-deep/-/clone-deep-0.2.4.tgz",
@@ -28528,6 +28558,14 @@
"resolved": "https://registry.npmjs.org/deepmerge/-/deepmerge-4.2.2.tgz",
"integrity": "sha512-FJ3UgI4gIl+PHZm53knsuSFpE+nESMr7M4v9QcgB7S63Kj/6WqMiFQJpBBYz1Pt+66bZpP3Q7Lye0Oo9MPKEdg=="
},
+ "defaults": {
+ "version": "1.0.3",
+ "resolved": "https://registry.npmjs.org/defaults/-/defaults-1.0.3.tgz",
+ "integrity": "sha1-xlYFHpgX2f8I7YgUd/P+QBnz730=",
+ "requires": {
+ "clone": "^1.0.2"
+ }
+ },
"defer-to-connect": {
"version": "2.0.1",
"resolved": "https://registry.npmjs.org/defer-to-connect/-/defer-to-connect-2.0.1.tgz",
@@ -29792,6 +29830,14 @@
"integrity": "sha512-TratTfxxTAFb6ZUAxPIigqhcS0e7ql9XDTorjD+SihV5ua5h6agoKyr45iKM6m5OzTppesh9o/RCuvf5eTiwCw==",
"requires": {}
},
+ "express-slow-down": {
+ "version": "1.4.0",
+ "resolved": "https://registry.npmjs.org/express-slow-down/-/express-slow-down-1.4.0.tgz",
+ "integrity": "sha512-Tw5aa0plPj2STiuc2SyMw2VSjMvBgLGQHHoPhkIL4iPQcFZDueWBaiLxFZ3SrwrJhiu3b3sHNcsP6lXeWnbwAw==",
+ "requires": {
+ "defaults": "^1.0.3"
+ }
+ },
"express-timeout-handler": {
"version": "2.2.2",
"resolved": "https://registry.npmjs.org/express-timeout-handler/-/express-timeout-handler-2.2.2.tgz",
diff --git a/package.json b/package.json
index d031eef86469..a5c015c13a87 100644
--- a/package.json
+++ b/package.json
@@ -29,6 +29,7 @@
"dotenv": "^10.0.0",
"express": "^4.17.2",
"express-rate-limit": "^6.0.4",
+ "express-slow-down": "^1.4.0",
"express-timeout-handler": "^2.2.2",
"flat": "^5.0.2",
"github-slugger": "^1.4.0",
diff --git a/tests/content/graphql.js b/tests/content/graphql.js
index b6d2be45e8bd..488611e6950c 100644
--- a/tests/content/graphql.js
+++ b/tests/content/graphql.js
@@ -1,5 +1,3 @@
-import fs from 'fs'
-import path from 'path'
import readJsonFile from '../../lib/read-json-file.js'
import {
schemaValidator,
@@ -29,15 +27,21 @@ describe('graphql json files', () => {
})
test('schemas object validation', () => {
+ // The typeObj is repeated thousands of times in each .json file
+ // so use a cache of which we've already validated to speed this
+ // test up significantly.
+ const typeObjsTested = new Set()
graphqlVersions.forEach((version) => {
- const schemaJsonPerVersion = JSON.parse(
- fs.readFileSync(path.join(process.cwd(), `lib/graphql/static/schema-${version}.json`))
- )
+ const schemaJsonPerVersion = readJsonFile(`lib/graphql/static/schema-${version}.json`)
// all graphql types are arrays except for queries
graphqlTypes
.filter((type) => type !== 'queries')
.forEach((type) => {
schemaJsonPerVersion[type].forEach((typeObj) => {
+ const key = JSON.stringify(typeObj) + type
+ if (typeObjsTested.has(key)) return
+ typeObjsTested.add(key)
+
const { valid, errors } = revalidator.validate(typeObj, schemaValidator[type])
const errorMessage = JSON.stringify(errors, null, 2)
expect(valid, errorMessage).toBe(true)