Repo sync #25954

Merged
merged 2 commits into from
Jun 13, 2023
Original file line number Diff line number Diff line change
Expand Up @@ -284,6 +284,14 @@ Untrusted workflows running on your self-hosted runner pose significant security

For more information about security hardening for self-hosted runners, see "[AUTOTITLE](/actions/security-guides/security-hardening-for-github-actions#hardening-for-self-hosted-runners)."

{% ifversion actions-disable-repo-runners %}

### Restricting the use of self-hosted runners

{% data reusables.actions.disable-selfhosted-runners-crossrefs %}

{% endif %}

{% ifversion ghec or ghes or ghae %}

## Further reading
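
Review bot: the new heading "Restricting the use of self-hosted runners" is broader than the policy this PR documents, which the enterprise article titles "Disabling repository-level self-hosted runners". Consider "Restricting the use of repository-level self-hosted runners" so readers do not expect controls over organization-level or enterprise-level runners here.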
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -52,6 +52,16 @@ You can register ephemeral runners that perform a single job before the registra

You can add self-hosted runners to a single repository. To add a self-hosted runner to a user repository, you must be the repository owner. For an organization repository, you must be an organization owner or have admin access to the repository. For information about how to add a self-hosted runner with the REST API, see "[AUTOTITLE](/rest/actions#self-hosted-runners)."

{% ifversion actions-disable-repo-runners %}

{% note %}

**Note**: {% data reusables.actions.disable-selfhosted-runners-crossrefs %}

{% endnote %}

{% endif %}

{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.sidebar-settings %}
{% data reusables.repositories.settings-sidebar-actions-runners %}
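
Review bot: the unchanged sentence just above the new note still says that for an organization repository "you must be an organization owner or have admin access to the repository", which is no longer sufficient once the policy introduced in this PR is turned on. Consider qualifying that sentence, or stating in the note itself that repository admins may be unable to add a runner when an enterprise or organization owner has disabled repository-level runners, rather than relying on the cross-reference reusable alone.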
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,16 @@ shortTitle: Monitor & troubleshoot

{% data reusables.actions.enterprise-github-hosted-runners %}

{% ifversion actions-disable-repo-runners %}

## Using repository-level self-hosted runners

You may not be able to create a self-hosted runner for an organization-owned repository.

{% data reusables.actions.disable-selfhosted-runners-crossrefs %}

{% endif %}

## Checking the status of a self-hosted runner

{% data reusables.actions.self-hosted-runner-management-permissions-required %}
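
Review bot: the added sentence "You may not be able to create a self-hosted runner for an organization-owned repository." gives the symptom without the cause, so a reader troubleshooting a failed runner registration cannot tell whether this section applies. Suggest naming the condition, for example "if an enterprise or organization owner has disabled repository-level self-hosted runners". The heading "Using repository-level self-hosted runners" also reads as a how-to rather than a troubleshooting entry, and the enterprise article in this PR mentions a separate setting for repositories owned by managed user accounts, which "organization-owned" does not cover.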
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -307,6 +307,12 @@ SBOMs are available for Ubuntu, Windows, and macOS runner images. You can locate

{% ifversion fpt or ghec %}As a result, self-hosted runners should almost [never be used for public repositories](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners#self-hosted-runner-security) on {% data variables.product.product_name %}, because any user can open pull requests against the repository and compromise the environment. Similarly, be{% elsif ghes or ghae %}Be{% endif %} cautious when using self-hosted runners on private or internal repositories, as anyone who can fork the repository and open a pull request (generally those with read access to the repository) are able to compromise the self-hosted runner environment, including gaining access to secrets and the `GITHUB_TOKEN` which, depending on its settings, can grant write access to the repository. Although workflows can control access to environment secrets by using environments and required reviews, these workflows are not run in an isolated environment and are still susceptible to the same risks when run on a self-hosted runner.

{% ifversion actions-disable-repo-runners %}

{% data reusables.actions.disable-selfhosted-runners-crossrefs %}

{% endif %}

When a self-hosted runner is defined at the organization or enterprise level, {% data variables.product.product_name %} can schedule workflows from multiple repositories onto the same runner. Consequently, a security compromise of these environments can result in a wide impact. To help reduce the scope of a compromise, you can create boundaries by organizing your self-hosted runners into separate groups. You can restrict what {% ifversion restrict-groups-to-workflows %}workflows, {% endif %}organizations and repositories can access runner groups. For more information, see "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups)."

You should also consider the environment of the self-hosted runner machines:
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -87,7 +87,7 @@ You may need to upgrade the CPU and memory resources for {% data variables.locat

{% ifversion ghec %}If you are using self-hosted runners, you have to decide whether you want to use physical machines, virtual machines, or containers.{% else %}Decide whether you want to use physical machines, virtual machines, or containers for your self-hosted runners.{% endif %} Physical machines will retain remnants of previous jobs, and so will virtual machines unless you use a fresh image for each job or clean up the machines after each job run. If you choose containers, you should be aware that the runner auto-updating will shut down the container, which can cause workflows to fail. You should come up with a solution for this by preventing auto-updates or skipping the command to kill the container.

You also have to decide where to add each runner. You can add a self-hosted runner to an individual repository, or you can make the runner available to an entire organization or your entire enterprise. Adding runners at the organization or enterprise levels allows sharing of runners, which might reduce the size of your runner infrastructure. You can use policies to limit access to self-hosted runners at the organization and enterprise levels by assigning groups of runners to specific repositories or organizations. For more information, see "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/adding-self-hosted-runners)" and "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups)."
You also have to decide where to add each runner. You can add a self-hosted runner to an individual repository, or you can make the runner available to an entire organization or your entire enterprise. Adding runners at the organization or enterprise levels allows sharing of runners, which might reduce the size of your runner infrastructure. You can use policies to limit access to self-hosted runners at the organization and enterprise levels by assigning groups of runners to specific repositories or organizations. For more information, see "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/adding-self-hosted-runners)" and "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups)." {% ifversion actions-disable-repo-runners %}You can also use policies to prevent people using repository-level self-hosted runners. For more information, see "[AUTOTITLE](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#disabling-repository-level-self-hosted-runners)."{% endif %}

{% ifversion ghec or ghes %}
You should consider using autoscaling to automatically increase or decrease the number of available self-hosted runners. For more information, see "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/autoscaling-with-self-hosted-runners)."
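
Review bot: in the sentence appended to the "You also have to decide where to add each runner" paragraph, "prevent people using" should be "prevent people from using". The link targets only the enterprise policy anchor, while the enterprise article in this PR says organization owners can also allow or prevent repository-level runners, so consider linking the organization settings article as well.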
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -1086,7 +1086,8 @@ Before you'll see `git` category actions, you must enable Git events in the audi

| Action | Description
|--------|-------------
| `repo.access` | The visibility of a repository changed.
| `repo.access` | The visibility of a repository changed.{% ifversion emu-owned-repos %}
| `repo.temporary_access_granted` | Triggered when an enterprise owner temporarily enables access to a repository. For more information, see "[AUTOTITLE](/admin/user-management/managing-repositories-in-your-enterprise/accessing-user-owned-repositories-in-your-enterprise)."{% endif %}
| `repo.actions_enabled` | {% data variables.product.prodname_actions %} was enabled for a repository.
| `repo.add_member` | A collaborator was added to a repository.
| `repo.add_topic` | A topic was added to a repository.
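
Review bot: the description for `repo.temporary_access_granted` uses "Triggered when an enterprise owner temporarily enables access", while the neighbouring rows in this table describe the resulting state in the past tense ("The visibility of a repository changed.", "A collaborator was added to a repository."). Suggest matching the table, for example "An enterprise owner enabled temporary access to a repository." The phrasing also differs from the security log row added in this PR ("enables temporary access"), and the two should agree.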
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -59,6 +59,32 @@ You can choose to disable {% data variables.product.prodname_actions %} for all
{% data reusables.enterprise-accounts.actions-tab %}
1. Under "Policies", select {% data reusables.actions.policy-label-for-select-actions-workflows %} and add your required actions{% ifversion actions-workflow-policy %} and reusable workflows{% endif %} to the list.

{% ifversion actions-disable-repo-runners %}

## Disabling repository-level self-hosted runners

{% data reusables.actions.disable-selfhosted-runners-overview %} For more information on creating self-hosted runners at the repository level, see "[AUTOTITLE](/enterprise-cloud@latest/actions/hosting-your-own-runners/managing-self-hosted-runners/adding-self-hosted-runners#adding-a-self-hosted-runner-to-a-repository)."

By default anyone with admin access to a repository can add a self-hosted runner for the repository. The enterprise settings allow you to disable the use of repository-level self-hosted runners across all repositories in your enterprise. If you allow repository-level self-hosted runners for your enterprise, organization owners can choose to allow or prevent creation of repository-level self-hosted runners for some or all repositories in their organization. For more information see, "[AUTOTITLE](/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization)."

{% data reusables.actions.disable-selfhosted-runners-note %}

{% data reusables.enterprise-accounts.access-enterprise %}
{% data reusables.enterprise-accounts.policies-tab %}
{% data reusables.enterprise-accounts.actions-tab %}
1. In the "Runners" section, select **Disable for all organizations**.{% ifversion ghec %}

{% note %}

**Note**: Owners of an {% data variables.enterprise.prodname_emu_enterprise %} can also choose to select **Disable in all Enterprise Managed User (EMU) repositories** to restrict runner creation for repositories that are owned by managed user accounts.

{% endnote %}

{% endif %}
1. Click **Save** to apply the change.

{% endif %}

## Enforcing a policy for artifact and log retention in your enterprise

{% data variables.product.prodname_actions %} can store artifact and log files. For more information, see "[AUTOTITLE](/actions/managing-workflow-runs/downloading-workflow-artifacts)."
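
Review bot: the first paragraph of the new "Disabling repository-level self-hosted runners" section links to `/enterprise-cloud@latest/actions/...`, a hard-coded version, while every other link in the hunk is version-relative. The inner `{% ifversion ghec %}` around the EMU note implies the section also renders for other versions, where this link would send readers to the cloud docs; use the unversioned path unless the target only exists for GHEC. Two smaller points: "For more information see," should be "For more information, see" and "By default anyone" needs a comma after "default".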
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -87,7 +87,7 @@ Across all organizations owned by your enterprise, you can allow members to crea
If you allow members to create repositories in your organizations, you can choose which types of repositories (public, private, and internal) that members can create.

{% ifversion enterprise-namespace-repo-setting %}
{% ifversion ghec %}If your enterprise uses {% data variables.product.prodname_emus %}, you{% else %}You{% endif %} can also prevent users from creating repositories owned by their user accounts.
{% ifversion ghec %}If your enterprise uses {% data variables.product.prodname_emus %}, you{% else %}You{% endif %} can also prevent users from creating repositories owned by their user accounts. {% ifversion emu-owned-repos %}If you allow users to create repositories owned by their user accounts, you can view and temporarily access those repositories at any time. For more information, see "[AUTOTITLE](/admin/user-management/managing-repositories-in-your-enterprise/viewing-user-owned-repositories-in-your-enterprise)" and "[AUTOTITLE](/admin/user-management/managing-repositories-in-your-enterprise/accessing-user-owned-repositories-in-your-enterprise)."{% endif %}
{% endif %}

{% data reusables.repositories.internal-repo-default %} For more information about internal repositories, see "[AUTOTITLE](/repositories/creating-and-managing-repositories/creating-a-new-repository)."
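
Review bot: the sentence added to the end of the `{% ifversion ghec %}` line says owners can "view and temporarily access those repositories at any time", which omits the limits stated in the new accessing article in this PR: access lasts two hours, the repository owner is emailed, and an audit log event is recorded. Suggest dropping "at any time" or adding a short clause about the time limit and notification. Also check the non-GHEC branch of the sentence ("You can also prevent users..."): if `emu-owned-repos` is enabled there, the addition renders without the {% data variables.product.prodname_emus %} condition that both new articles require.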
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,37 @@
---
title: Accessing user-owned repositories in your enterprise
intro: "You can temporarily access a repository owned by a user within your enterprise."
permissions: Enterprise owners can temporarily access user-owned repositories.
versions:
feature: 'emu-owned-repos'
type: how_to
topics:
- Enterprise
- Repositories
shortTitle: Access user-owned repos
---

{% note %}

**Note:** Temporarily accessing user-owned repositories is currently in beta for {% data variables.product.prodname_emus %} and subject to change.

{% endnote %}

## About temporary access to user-owned repositories

If your enterprise uses {% data variables.product.prodname_emus %}, and you've allowed users to create repositories owned by their user accounts, you can temporarily access any user-owned repository within your enterprise.

When you temporarily access a repository, you get admin access to the repository for two hours. You can take all the same actions as the repository owner, including editing the repository, changing the repository's settings, transferring the repository, and deleting the repository.

The repository owner will receive an email informing them that you have enabled temporary access to the repository, and a `repo.temporary_access_granted` event will be added to the audit log for your enterprise and the user's security log.

## Temporarily accessing a repository

{% data reusables.enterprise-accounts.access-enterprise %}
{% data reusables.enterprise-accounts.policies-tab %}
{% data reusables.enterprise-accounts.repositories-tab %}
{% data reusables.enterprise.view-user-namespace-repos %}
1. To the right of the repository you want to access, select the {% octicon "kebab-horizontal" aria-label="Access repository" %} dropdown menu, then click **Enable temporary access**.

![Screenshot of the list of user namespace repositories. To the right of a repository, a kebab icon is outlined in dark orange.](/assets/images/help/business-accounts/user-namespace-repo-kebab.png)
1. Read the warnings, then click **Yes, enable temporary access**.
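
Review bot: the "About temporary access to user-owned repositories" section grants admin rights that include transferring and deleting the repository, but the article never says how the access ends. Please state whether access is removed automatically after two hours and whether an enterprise owner can end it early, and add the corresponding step if one exists. It would also help to say whether the end of access is logged, since only `repo.temporary_access_granted` is mentioned.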
Original file line number Diff line number Diff line change
@@ -1,20 +1,22 @@
---
title: Managing repositories in your enterprise
intro: You can manage the settings available to repository administrators in your enterprise.
intro: You can manage repositories in your enterprise.
redirect_from:
- /enterprise/admin/user-management/repositories
- /enterprise/admin/user-management/managing-repositories-in-your-enterprise
versions:
ghec: '*'
ghes: '*'
ghae: '*'
topics:
- Enterprise
children:
- /viewing-user-owned-repositories-in-your-enterprise
- /accessing-user-owned-repositories-in-your-enterprise
- /configuring-git-large-file-storage-for-your-enterprise
- /migrating-to-internal-repositories
- /disabling-git-ssh-access-on-your-enterprise
- /restoring-a-deleted-repository
- /troubleshooting-service-hooks
shortTitle: Manage repositories
---
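
Review bot: the new `intro`, "You can manage repositories in your enterprise.", restates the title "Managing repositories in your enterprise" and tells the reader less than the line it replaces. Since the page now covers both repository settings and viewing or accessing user-owned repositories, consider an intro that names those two areas.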

Original file line number Diff line number Diff line change
@@ -0,0 +1,27 @@
---
title: Viewing user-owned repositories in your enterprise
intro: "You can view all repositories owned by users within your enterprise."
permissions: Enterprise owners can view user-owned repositories.
versions:
feature: 'emu-owned-repos'
type: how_to
topics:
- Enterprise
- Repositories
shortTitle: View user-owned repos
---

{% note %}

**Note:** Viewing user-owned repositories is currently in beta for {% data variables.product.prodname_emus %} and subject to change.

{% endnote %}

If your enterprise uses {% data variables.product.prodname_emus %}, and you've allowed users to create repositories owned by their user accounts, you can view all user-owned repositories within your enterprise.

You can also temporarily access any user-owned repository. For more information, see "[AUTOTITLE](/admin/user-management/managing-repositories-in-your-enterprise/accessing-user-owned-repositories-in-your-enterprise)."

{% data reusables.enterprise-accounts.access-enterprise %}
{% data reusables.enterprise-accounts.policies-tab %}
{% data reusables.enterprise-accounts.repositories-tab %}
{% data reusables.enterprise.view-user-namespace-repos %}
Original file line number Diff line number Diff line change
Expand Up @@ -119,7 +119,8 @@ topics:

| Action | Description
|------------------|-------------------
| `access` | Triggered when you [change the visibility of a repository](/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/setting-repository-visibility).
| `access` | Triggered when you [change the visibility of a repository](/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/setting-repository-visibility).{% ifversion emu-owned-repos %}
| `temporary_access_granted` | Triggered when an enterprise owner enables temporary access to a repository. For more information, see "[AUTOTITLE](/admin/user-management/managing-repositories-in-your-enterprise/accessing-user-owned-repositories-in-your-enterprise)."{% endif %}
| `add_member` | Triggered when a {% data variables.product.product_name %} user is {% ifversion fpt or ghec %}[invited to have collaboration access](/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/inviting-collaborators-to-a-personal-repository){% else %}[given collaboration access](/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/inviting-collaborators-to-a-personal-repository){% endif %} to a repository.
| `add_topic` | Triggered when a repository owner [adds a topic](/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/classifying-your-repository-with-topics) to a repository.
| `archived` | Triggered when a repository owner [archives a repository](/repositories/archiving-a-github-repository/archiving-repositories).{% ifversion ghes %}
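
Review bot: the new `temporary_access_granted` row is placed directly after `access`, which breaks the alphabetical order the visible rows follow (`access`, `add_member`, `add_topic`, `archived`). Consider moving it next to the other `t` entries such as `transfer`. Because this is the user's own security log and other rows address the reader ("Triggered when you change the visibility of a repository"), the description could also say "a repository you own" instead of "a repository".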
Expand All @@ -135,7 +136,7 @@ topics:
| `remove_member` | Triggered when a {% data variables.product.product_name %} user is [removed from a repository as a collaborator](/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/removing-a-collaborator-from-a-personal-repository).
| `remove_topic` | Triggered when a repository owner removes a topic from a repository.
| `rename` | Triggered when [a repository is renamed](/repositories/creating-and-managing-repositories/renaming-a-repository).
| `staff_unlock` | Triggered when an enterprise owner or {% data variables.contact.github_support %} (with permission from a repository administrator) temporarily unlocked the repository. The visibility of the repository isn't changed.
| `staff_unlock` | Triggered when an enterprise owner or {% data variables.contact.github_support %} (with permission from a repository administrator) temporarily unlocks the repository. The visibility of the repository isn't changed.
| `transfer` | Triggered when [a repository is transferred](/repositories/creating-and-managing-repositories/transferring-a-repository).
| `transfer_start` | Triggered when a repository transfer is about to occur.
| `unarchived` | Triggered when a repository owner unarchives a repository.
Expand Down