Merge pull request github#15335 from github/repo-sync

repo sync

.dockerignore

@@ -10,3 +10,5 @@ tests/
 lib/rest/static/dereferenced
 # Folder is cloned during the preview + prod workflows, the assets are merged into other locations for use before the build
 docs-early-access/
+# During the preview deploy untrusted user code may be cloned into this directory
+user-code/

.github/workflows/azure-preview-env-deploy.yml

@@ -1,12 +1,13 @@
 name: Azure - Deploy Preview Environment
 
-# **What it does**: Build and deploy to an Azure preview environment
-# **Why we have it**: It's our preview environment deploy mechanism, only applicable to docs-internal
+# **What it does**: Build and deploy an Azure preview environment for this PR
+# **Why we have it**: It's our preview environment deploy mechanism, to docs-internal and docs public repo
 # **Who does it impact**: All contributors.
 
-# This whole workflow is only guaranteed to be secure in the *private
-# repo* and because we repo-sync these files over the to the public one,
-# IT'S IMPORTANT THAT THIS WORKFLOW IS ONLY ENABLED IN docs-internal!
+# !!!
+# ! This worflow has access to secrets, runs in the public repository, and clones untrusted user code.
+# ! Modify with extreme caution
+# !!!
 
 on:
   # The advantage of 'pull_request' over 'pull_request_target' is that we
@@ -15,13 +16,17 @@ on:
   # From a security point of view, its arguably safer this way because
   # unlike 'pull_request_target', these only have secrets if the pull
   # request creator has permission to access secrets.
-  pull_request:
+  pull_request_target:
   workflow_dispatch:
     inputs:
       PR_NUMBER:
         description: 'PR Number'
         type: string
         required: true
+      COMMIT_REF:
+        description: 'The commit SHA to build'
+        type: string
+        required: true
 
 permissions:
   contents: read
@@ -34,7 +39,6 @@ concurrency:
 
 jobs:
   build-and-deploy-azure-preview:
-    if: ${{ github.repository == 'github/docs-internal' }}
     name: Build and deploy Azure preview environment
     runs-on: ubuntu-latest
     timeout-minutes: 15
@@ -47,7 +51,11 @@ jobs:
       url: ${{ env.APP_URL }}
     env:
       PR_NUMBER: ${{ github.event.number || github.event.inputs.PR_NUMBER }}
-      ENABLE_EARLY_ACCESS: ${{ github.repository == 'github/docs-internal' }}
+      COMMIT_REF: ${{ github.event.pull_request.head.sha || github.event.inputs.COMMIT_REF }}
+      BRANCH_NAME: ${{ github.head_ref || github.ref_name }}
+      IS_INTERNAL_BUILD: ${{ github.repository == 'github/docs-internal' }}
+      # This may also run in forked repositories, not just 'github/docs'
+      IS_PUBLIC_BUILD: ${{ github.repository != 'github/docs-internal' }}
 
     steps:
       - name: 'Az CLI login'
@@ -65,10 +73,19 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@94ab11c41e45d028884a99163086648e898eed25
 
-      - name: Check out repo
+      - if: ${{ env.IS_PUBLIC_BUILD }}
+        name: Check out main branch
+        uses: actions/checkout@1e204e9a9253d643386038d443f96446fa156a97
+        with:
+          ref: 'main'
+          persist-credentials: 'false'
+          lfs: 'true'
+
+      - if: ${{ env.IS_INTERNAL_BUILD }}
+        name: Check out PR code
         uses: actions/checkout@1e204e9a9253d643386038d443f96446fa156a97
         with:
-          ref: ${{ github.event.pull_request.head.sha }}
+          ref: ${{ env.COMMIT_REF }}
           # To prevent issues with cloning early access content later
           persist-credentials: 'false'
           lfs: 'true'
@@ -84,14 +101,14 @@ jobs:
       - name: 'Set env vars'
         run: |
           # Image tag is unique to each workflow run so that it always triggers a new deployment
-          echo "DOCKER_IMAGE=${{ secrets.NONPROD_REGISTRY_SERVER }}/${IMAGE_REPO}:${{ github.event.pull_request.head.sha }}-${{ github.run_number }}-${{ github.run_attempt }}" >> $GITHUB_ENV
+          echo "DOCKER_IMAGE=${{ secrets.NONPROD_REGISTRY_SERVER }}/${IMAGE_REPO}:${{ env.COMMIT_REF }}-${{ github.run_number }}-${{ github.run_attempt }}" >> $GITHUB_ENV
 
-      - if: ${{ env.ENABLE_EARLY_ACCESS }}
+      - if: ${{ env.IS_INTERNAL_BUILD }}
         name: Determine which docs-early-access branch to clone
         id: 'check-early-access'
         uses: actions/github-script@2b34a689ec86a68d8ab9478298f91d5401337b7d
         env:
-          BRANCH_NAME: ${{ github.head_ref || github.ref_name }}
+          BRANCH_NAME: ${{ env.BRANCH_NAME }}
         with:
           github-token: ${{ secrets.DOCUBOT_REPO_PAT }}
           result-encoding: string
@@ -116,7 +133,7 @@ jobs:
               return 'main'
             }
 
-      - if: ${{ env.ENABLE_EARLY_ACCESS }}
+      - if: ${{ env.IS_INTERNAL_BUILD }}
         name: Clone docs-early-access
         uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579
         with:
@@ -125,10 +142,25 @@ jobs:
           path: docs-early-access
           ref: ${{ steps.check-early-access.outputs.result }}
 
-      - if: ${{ env.ENABLE_EARLY_ACCESS }}
+      - if: ${{ env.IS_INTERNAL_BUILD }}
         name: Merge docs-early-access repo's folders
         run: .github/actions-scripts/merge-early-access.sh
 
+      - if: ${{ env.IS_PUBLIC_BUILD }}
+        name: Check out user code to temp directory
+        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579
+        with:
+          path: ./user-code
+          ref: ${{ env.COMMIT_REF }}
+
+      # Move acceptable user changes into our main branch checkout
+      - if: ${{ env.IS_PUBLIC_BUILD }}
+        name: Move acceptable user changes
+        run: |
+          rsync -rptovR ./user-code/content/./**/*.md ./content
+          rsync -rptovR ./user-code/assets/./**/*.png ./assets
+          rsync -rptovR ./user-code/data/./**/*.{yml,md} ./data
+
       # In addition to making the final image smaller, we also save time by not sending unnecessary files to the docker build context
       - name: 'Prune for preview env'
         run: .github/actions-scripts/prune-for-preview-env.sh

.github/workflows/azure-preview-env-destroy.yml

@@ -5,7 +5,7 @@ name: Azure - Destroy Preview Env
 # **Who does it impact**: All contributors.
 
 on:
-  pull_request:
+  pull_request_target:
     types:
       - closed
       - locked
@@ -16,10 +16,12 @@ on:
         type: string
         required: true
 
+permissions:
+  contents: read
+
 jobs:
   destory-azure-preview-env:
     name: Destroy
-    if: ${{ github.repository == 'github/docs-internal' }}
     runs-on: ubuntu-latest
     timeout-minutes: 5
     env:
@@ -59,5 +61,6 @@ jobs:
       # Remove all GitHub deployments from this environment and remove the environment
       - uses: strumwolf/delete-deployment-environment@45c821e46baa405e25410700fe2e9643929706a0
         with:
+          # The token provided by the workflow does not have the permissions to delete created environments
           token: ${{ secrets.DOCUBOT_REPO_PAT }}
           environment: preview-env-${{ env.PR_NUMBER }}

.github/workflows/main-preview-docker-cache.yml

@@ -24,8 +24,6 @@ jobs:
     timeout-minutes: 15
     env:
       ENABLE_EARLY_ACCESS: ${{ github.repository == 'github/docs-internal' }}
-      NONPROD_REGISTRY_USERNAME: ghdocs
-      NONPROD_REGISTRY_NAME: ghdocs
       DOCKER_IMAGE_CACHE_REF: ${{ secrets.NONPROD_REGISTRY_SERVER }}/${{ github.repository }}:main-preview
 
     steps:
@@ -38,7 +36,7 @@ jobs:
         uses: azure/docker-login@81744f9799e7eaa418697cb168452a2882ae844a
         with:
           login-server: ${{ secrets.NONPROD_REGISTRY_SERVER }}
-          username: ${{ env.NONPROD_REGISTRY_USERNAME }}
+          username: ${{ secrets.NONPROD_REGISTRY_USERNAME }}
           password: ${{ secrets.NONPROD_REGISTRY_PASSWORD }}
 
       - name: Set up Docker Buildx

.gitignore

@@ -17,3 +17,7 @@ blc_output.log
 blc_output_internal.log
 broken_links.md
 lib/redirects/.redirects-cache_*.json
+
+# During the preview deploy untrusted user code may be cloned into this directory
+# We ignore it from git to keep things deterministic
+user-code/

Dockerfile

@@ -23,7 +23,7 @@ FROM base as all_deps
 
 COPY --chown=node:node package.json package-lock.json ./
 
-RUN npm ci --no-optional
+RUN npm ci --no-optional --registry https://registry.npmjs.org/
 
 # For Next.js v12+
 # This the appropriate necessary extra for node:16-alpine

content/actions/using-workflows/workflow-commands-for-github-actions.md

@@ -313,7 +313,9 @@ During the execution of a workflow, the runner generates temporary files that ca
 
 {% warning %}
 
-**Warning:** On Windows, legacy PowerShell (`shell: powershell`) does not use UTF-8 by default. Make sure you write files using the correct encoding. For example, you need to set UTF-8 encoding when you set the path:
+**Warning:** On Windows, legacy PowerShell (`shell: powershell`) does not use UTF-8 by default.
+
+When using `shell: powershell`, you must specify UTF-8 encoding. For example:
 
 ```yaml
 jobs:
@@ -324,21 +326,7 @@ jobs:
         run: echo "mypath" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append
 ```
 
-Or switch to PowerShell Core, which defaults to UTF-8: 
-
-```yaml
-jobs:
-  modern-pwsh-example:
-    uses: windows-2019
-    steps:
-      - shell: pwsh
-        run: echo "mypath" | Out-File -FilePath $env:GITHUB_PATH -Append # no need for -Encoding utf8
-```
-
-More detail about UTF-8 and PowerShell Core found on this great [Stack Overflow answer](https://stackoverflow.com/a/40098904/162694):
-
-> ### Optional reading: The cross-platform perspective: PowerShell _Core_:
-> [PowerShell is now cross-platform](https://blogs.msdn.microsoft.com/powershell/2016/08/18/powershell-on-linux-and-open-source-2/), via its **[PowerShell _Core_](https://github.com/PowerShell/PowerShell)** edition, whose encoding - sensibly - **defaults to *BOM-less UTF-8***, in line with Unix-like platforms.  
+Alternatively, you can use PowerShell Core (`shell: pwsh`), which defaults to UTF-8.
 
 {% endwarning %}
 

content/billing/managing-billing-for-github-codespaces/managing-spending-limits-for-codespaces.md

@@ -54,11 +54,13 @@ Enterprise owners and billing managers can manage the spending limit for {% data
 {% data reusables.codespaces.exporting-changes %}
 ## Managing usage and spending limit email notifications
 
-Email notifications are sent to account owners and billing managers when spending reaches 50%, 75%, and 90% of your account's spending limit. 
+Email notifications are sent to account owners and billing managers when spending reaches 50%, 75%, 90%, and 100% of your account's spending limit. 
 
 You can disable these notifications anytime by navigating to the bottom of the **Spending Limit** page.
 
+![Screenshot of the billing email notification settings](/assets/images/help/billing/codespaces-spending-limit-notifications.png)
+
 ## Further reading
 
 - "[Restricting access to machine types](/codespaces/managing-codespaces-for-your-organization/restricting-access-to-machine-types)"
-- "[Managing billing for Codespaces in your organization](/codespaces/managing-codespaces-for-your-organization/managing-billing-for-codespaces-in-your-organization)"
+- "[Managing billing for Codespaces in your organization](/codespaces/managing-codespaces-for-your-organization/managing-billing-for-codespaces-in-your-organization)"

data/reusables/billing/email-notifications.md

@@ -1,3 +1,5 @@
-Email notifications are sent to account owners and billing managers when spending reaches 50%, 75%, and 90% of your account's included usage and when spending reaches 50%, 75%, and 90% of your account's spending limit. 
+Email notifications are sent to account owners and billing managers when spending reaches 50%, 75%, 90% and 100% of your account's included usage and when spending reaches 50%, 75%, 90%, and 100% of your account's spending limit. 
 
 You can disable these notifications anytime by navigating to the bottom of the **Spending Limit** page.
+
+![Screenshot of the billing email notification settings](/assets/images/help/billing/actions-packages-spending-limit-notifications.png)