diff --git a/.dockerignore b/.dockerignore index bf645012d036..aa9b89a06425 100644 --- a/.dockerignore +++ b/.dockerignore @@ -10,3 +10,5 @@ tests/ lib/rest/static/dereferenced # Folder is cloned during the preview + prod workflows, the assets are merged into other locations for use before the build docs-early-access/ +# During the preview deploy untrusted user code may be cloned into this directory +user-code/ diff --git a/.github/workflows/azure-preview-env-deploy.yml b/.github/workflows/azure-preview-env-deploy.yml index a102730e06f0..7893e80df32b 100644 --- a/.github/workflows/azure-preview-env-deploy.yml +++ b/.github/workflows/azure-preview-env-deploy.yml @@ -1,12 +1,13 @@ name: Azure - Deploy Preview Environment -# **What it does**: Build and deploy to an Azure preview environment -# **Why we have it**: It's our preview environment deploy mechanism, only applicable to docs-internal +# **What it does**: Build and deploy an Azure preview environment for this PR +# **Why we have it**: It's our preview environment deploy mechanism, to docs-internal and docs public repo # **Who does it impact**: All contributors. -# This whole workflow is only guaranteed to be secure in the *private -# repo* and because we repo-sync these files over the to the public one, -# IT'S IMPORTANT THAT THIS WORKFLOW IS ONLY ENABLED IN docs-internal! +# !!! +# ! This worflow has access to secrets, runs in the public repository, and clones untrusted user code. +# ! Modify with extreme caution +# !!! on: # The advantage of 'pull_request' over 'pull_request_target' is that we 
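Review bot: The new security banner in the deploy workflow spells "worflow" and, more importantly, says untrusted user code is cloned without saying where or what the invariant is, which is the one thing a future editor of this file needs to know. I would extend the banner with something like `# ! Untrusted PR code is only ever checked out under ./user-code; it is never built or executed, only extension-filtered content files are copied out of it` (this reflects what the later steps appear to do, so adjust if that changes). The hunk also ends on the start of the old comment that argues for `pull_request` over `pull_request_target`, which no longer matches the trigger this commit introduces and should be rewritten along with it.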
@@ -15,13 +16,17 @@ on: # From a security point of view, its arguably safer this way because # unlike 'pull_request_target', these only have secrets if the pull # request creator has permission to access secrets. - pull_request: + pull_request_target: workflow_dispatch: inputs: PR_NUMBER: description: 'PR Number' type: string required: true + COMMIT_REF: + description: 'The commit SHA to build' + type: string + required: true permissions: contents: read @@ -34,7 +39,6 @@ concurrency: jobs: build-and-deploy-azure-preview: - if: ${{ github.repository == 'github/docs-internal' }} name: Build and deploy Azure preview environment runs-on: ubuntu-latest timeout-minutes: 15 @@ -47,7 +51,11 @@ jobs: url: ${{ env.APP_URL }} env: PR_NUMBER: ${{ github.event.number || github.event.inputs.PR_NUMBER }} - ENABLE_EARLY_ACCESS: ${{ github.repository == 'github/docs-internal' }} + COMMIT_REF: ${{ github.event.pull_request.head.sha || github.event.inputs.COMMIT_REF }} + BRANCH_NAME: ${{ github.head_ref || github.ref_name }} + IS_INTERNAL_BUILD: ${{ github.repository == 'github/docs-internal' }} + # This may also run in forked repositories, not just 'github/docs' + IS_PUBLIC_BUILD: ${{ github.repository != 'github/docs-internal' }} steps: - name: 'Az CLI login' @@ -65,10 +73,19 @@ jobs: - name: Set up Docker Buildx uses: docker/setup-buildx-action@94ab11c41e45d028884a99163086648e898eed25 - - name: Check out repo + - if: ${{ env.IS_PUBLIC_BUILD }} + name: Check out main branch + uses: actions/checkout@1e204e9a9253d643386038d443f96446fa156a97 + with: + ref: 'main' + persist-credentials: 'false' + lfs: 'true' + + - if: ${{ env.IS_INTERNAL_BUILD }} + name: Check out PR code uses: actions/checkout@1e204e9a9253d643386038d443f96446fa156a97 with: - ref: ${{ github.event.pull_request.head.sha }} + ref: ${{ env.COMMIT_REF }} # To prevent issues with cloning early access content later persist-credentials: 'false' lfs: 'true' 
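Review bot: The comment kept directly above the trigger now says the opposite of what the hunk configures: it claims that "unlike 'pull_request_target', these only have secrets if the pull request creator has permission", while the trigger became `pull_request_target:`, which runs with this repository's secrets for fork PRs as well. Replace it with the actual rationale, e.g. `# pull_request_target runs with the base repo's secrets even for fork PRs; the PR head is therefore never checked out into the build tree here, only 'main' (see the IS_PUBLIC_BUILD steps)`. The step guards `if: ${{ env.IS_PUBLIC_BUILD }}` / `if: ${{ env.IS_INTERNAL_BUILD }}` test a string env value that can be 'false'; the pre-existing ENABLE_EARLY_ACCESS guard had the same shape so this presumably works, but now that the guard decides whether PR code is checked out alongside secrets, an explicit `if: ${{ env.IS_INTERNAL_BUILD == 'true' }}` would not depend on the runner's string-to-boolean coercion. For `workflow_dispatch` runs on the internal repo the free-form `COMMIT_REF` input is checked out as-is without confirming it belongs to `PR_NUMBER`, which is worth at least a comment if that is intended.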
@@ -84,14 +101,14 @@ jobs: - name: 'Set env vars' run: | # Image tag is unique to each workflow run so that it always triggers a new deployment - echo "DOCKER_IMAGE=${{ secrets.NONPROD_REGISTRY_SERVER }}/${IMAGE_REPO}:${{ github.event.pull_request.head.sha }}-${{ github.run_number }}-${{ github.run_attempt }}" >> $GITHUB_ENV + echo "DOCKER_IMAGE=${{ secrets.NONPROD_REGISTRY_SERVER }}/${IMAGE_REPO}:${{ env.COMMIT_REF }}-${{ github.run_number }}-${{ github.run_attempt }}" >> $GITHUB_ENV - - if: ${{ env.ENABLE_EARLY_ACCESS }} + - if: ${{ env.IS_INTERNAL_BUILD }} name: Determine which docs-early-access branch to clone id: 'check-early-access' uses: actions/github-script@2b34a689ec86a68d8ab9478298f91d5401337b7d env: - BRANCH_NAME: ${{ github.head_ref || github.ref_name }} + BRANCH_NAME: ${{ env.BRANCH_NAME }} with: github-token: ${{ secrets.DOCUBOT_REPO_PAT }} result-encoding: string @@ -116,7 +133,7 @@ jobs: return 'main' } - - if: ${{ env.ENABLE_EARLY_ACCESS }} + - if: ${{ env.IS_INTERNAL_BUILD }} name: Clone docs-early-access uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 with: 
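Review bot: The first hunk interpolates `${{ env.COMMIT_REF }}` straight into the `run:` script and into the `$GITHUB_ENV` line; for PR events this is a SHA, but for `workflow_dispatch` it is the free-form `COMMIT_REF` input, so quotes or a newline in it become shell text or extra `GITHUB_ENV` entries (dispatch needs write access, so the exposure is limited, but the pattern is still the one GitHub warns about). Since `COMMIT_REF` is already a job-level env var, reference it as a shell variable instead: `echo "DOCKER_IMAGE=${{ secrets.NONPROD_REGISTRY_SERVER }}/${IMAGE_REPO}:${COMMIT_REF}-${{ github.run_number }}-${{ github.run_attempt }}" >> $GITHUB_ENV`, and validate the dispatch input once in a preceding step, e.g. `[[ "$COMMIT_REF" =~ ^[0-9a-f]{7,40}$ ]] || { echo "COMMIT_REF must be a commit SHA"; exit 1; }`. The same validation protects the later checkout that uses the value as a ref.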
@@ -125,10 +142,25 @@ jobs: path: docs-early-access ref: ${{ steps.check-early-access.outputs.result }} - - if: ${{ env.ENABLE_EARLY_ACCESS }} + - if: ${{ env.IS_INTERNAL_BUILD }} name: Merge docs-early-access repo's folders run: .github/actions-scripts/merge-early-access.sh + - if: ${{ env.IS_PUBLIC_BUILD }} + name: Check out user code to temp directory + uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 + with: + path: ./user-code + ref: ${{ env.COMMIT_REF }} + + # Move acceptable user changes into our main branch checkout + - if: ${{ env.IS_PUBLIC_BUILD }} + name: Move acceptable user changes + run: | + rsync -rptovR ./user-code/content/./**/*.md ./content + rsync -rptovR ./user-code/assets/./**/*.png ./assets + rsync -rptovR ./user-code/data/./**/*.{yml,md} ./data + # In addition to making the final image smaller, we also save time by not sending unnecessary files to the docker build context - name: 'Prune for preview env' run: .github/actions-scripts/prune-for-preview-env.sh diff --git a/.github/workflows/azure-preview-env-destroy.yml b/.github/workflows/azure-preview-env-destroy.yml index f26a4be14d70..94463d846fbf 100644 --- a/.github/workflows/azure-preview-env-destroy.yml +++ b/.github/workflows/azure-preview-env-destroy.yml @@ -5,7 +5,7 @@ name: Azure - Destroy Preview Env # **Who does it impact**: All contributors. on: - pull_request: + pull_request_target: types: - closed - locked @@ -16,10 +16,12 @@ on: type: string required: true +permissions: + contents: read + jobs: destory-azure-preview-env: name: Destroy - if: ${{ github.repository == 'github/docs-internal' }} runs-on: ubuntu-latest timeout-minutes: 5 env: 
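Review bot: The "Check out user code to temp directory" step leaves `persist-credentials` at its default, unlike the two checkouts earlier in this file that set it to 'false', so the job token is written into ./user-code/.git/config next to the untrusted tree; add `persist-credentials: 'false'` there for consistency (the user-code directory is excluded from the image by .dockerignore, so this is hygiene rather than a direct leak, as far as this diff shows). The rsync source patterns rely on `**`, but a `run:` step's default bash has globstar off, where `**` behaves like `*`, so only files one directory below content/, assets/ and data/ are copied and deeper pages are silently dropped; start the script with `shopt -s globstar` (or use rsync `--include`/`--exclude` filters) to get the intended recursion, and note that a pattern with no match is passed literally to rsync and fails the step under `-e`. The extension allowlist bounds which files arrive, not what the build does with them — frontmatter, Liquid and data YAML from the PR are still parsed during the build — so a comment such as `# Extension-filtered files only; they remain untrusted input to the build (frontmatter/Liquid/YAML) and must never be executed` would make the trust boundary explicit. The two `actions/checkout` pins in this file differ (1e204e… vs ec3a7c…); pinning one version keeps the review surface small.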
@@ -59,5 +61,6 @@ jobs: # Remove all GitHub deployments from this environment and remove the environment - uses: strumwolf/delete-deployment-environment@45c821e46baa405e25410700fe2e9643929706a0 with: + # The token provided by the workflow does not have the permissions to delete created environments token: ${{ secrets.DOCUBOT_REPO_PAT }} environment: preview-env-${{ env.PR_NUMBER }} diff --git a/.github/workflows/main-preview-docker-cache.yml b/.github/workflows/main-preview-docker-cache.yml index 92bebd90cca5..a42239c1f1f8 100644 --- a/.github/workflows/main-preview-docker-cache.yml +++ b/.github/workflows/main-preview-docker-cache.yml @@ -24,8 +24,6 @@ jobs: timeout-minutes: 15 env: ENABLE_EARLY_ACCESS: ${{ github.repository == 'github/docs-internal' }} - NONPROD_REGISTRY_USERNAME: ghdocs - NONPROD_REGISTRY_NAME: ghdocs DOCKER_IMAGE_CACHE_REF: ${{ secrets.NONPROD_REGISTRY_SERVER }}/${{ github.repository }}:main-preview steps: @@ -38,7 +36,7 @@ jobs: uses: azure/docker-login@81744f9799e7eaa418697cb168452a2882ae844a with: login-server: ${{ secrets.NONPROD_REGISTRY_SERVER }} - username: ${{ env.NONPROD_REGISTRY_USERNAME }} + username: ${{ secrets.NONPROD_REGISTRY_USERNAME }} password: ${{ secrets.NONPROD_REGISTRY_PASSWORD }} - name: Set up Docker Buildx diff --git a/.gitignore b/.gitignore index 510858060fe1..f017bafe2ffc 100644 --- a/.gitignore +++ b/.gitignore @@ -17,3 +17,7 @@ blc_output.log blc_output_internal.log broken_links.md lib/redirects/.redirects-cache_*.json + +# During the preview deploy untrusted user code may be cloned into this directory +# We ignore it from git to keep things deterministic +user-code/ diff --git a/Dockerfile b/Dockerfile index 912301bc55cb..985bde3af750 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -23,7 +23,7 @@ FROM base as all_deps COPY --chown=node:node package.json package-lock.json ./ -RUN npm ci --no-optional +RUN npm ci --no-optional --registry https://registry.npmjs.org/ # For Next.js v12+ # This the appropriate necessary extra for node:16-alpine diff --git a/assets/images/help/billing/actions-packages-spending-limit-notifications.png b/assets/images/help/billing/actions-packages-spending-limit-notifications.png new file mode 100644 index 000000000000..0cd8f9cb49c5 Binary files /dev/null and b/assets/images/help/billing/actions-packages-spending-limit-notifications.png differ diff --git a/assets/images/help/billing/codespaces-spending-limit-notifications.png b/assets/images/help/billing/codespaces-spending-limit-notifications.png new file mode 100644 index 000000000000..709278c773c4 Binary files /dev/null and b/assets/images/help/billing/codespaces-spending-limit-notifications.png differ diff --git a/content/actions/using-workflows/workflow-commands-for-github-actions.md b/content/actions/using-workflows/workflow-commands-for-github-actions.md index f2cd424a8057..d9c7e21aa15f 100644 --- a/content/actions/using-workflows/workflow-commands-for-github-actions.md +++ b/content/actions/using-workflows/workflow-commands-for-github-actions.md @@ -313,7 +313,9 @@ During the execution of a workflow, the runner generates temporary files that ca {% warning %} -**Warning:** On Windows, legacy PowerShell (`shell: powershell`) does not use UTF-8 by default. Make sure you write files using the correct encoding. For example, you need to set UTF-8 encoding when you set the path: +**Warning:** On Windows, legacy PowerShell (`shell: powershell`) does not use UTF-8 by default. + +When using `shell: powershell`, you must specify UTF-8 encoding. For example: ```yaml jobs: 
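Review bot: The new `--registry https://registry.npmjs.org/` flag has no comment saying what it defends against, and a reader may take it for the primary supply-chain control. Add `# Pin the registry so an NPM_CONFIG_REGISTRY/.npmrc override in the build environment cannot redirect installs; the integrity hashes in package-lock.json remain the primary check` above the `RUN npm ci` line. As this stage copies only package.json and package-lock.json before `npm ci`, a repository `.npmrc` is not in play here, so the flag is defence in depth against environment-level overrides.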
@@ -324,21 +326,7 @@ jobs: run: echo "mypath" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append ``` -Or switch to PowerShell Core, which defaults to UTF-8: - -```yaml -jobs: - modern-pwsh-example: - uses: windows-2019 - steps: - - shell: pwsh - run: echo "mypath" | Out-File -FilePath $env:GITHUB_PATH -Append # no need for -Encoding utf8 -``` - -More detail about UTF-8 and PowerShell Core found on this great [Stack Overflow answer](https://stackoverflow.com/a/40098904/162694): - -> ### Optional reading: The cross-platform perspective: PowerShell _Core_: -> [PowerShell is now cross-platform](https://blogs.msdn.microsoft.com/powershell/2016/08/18/powershell-on-linux-and-open-source-2/), via its **[PowerShell _Core_](https://github.com/PowerShell/PowerShell)** edition, whose encoding - sensibly - **defaults to *BOM-less UTF-8***, in line with Unix-like platforms. +Alternatively, you can use PowerShell Core (`shell: pwsh`), which defaults to UTF-8. {% endwarning %} diff --git a/content/billing/managing-billing-for-github-codespaces/managing-spending-limits-for-codespaces.md b/content/billing/managing-billing-for-github-codespaces/managing-spending-limits-for-codespaces.md index 9ab94e5001d6..d3200508d65f 100644 --- a/content/billing/managing-billing-for-github-codespaces/managing-spending-limits-for-codespaces.md +++ b/content/billing/managing-billing-for-github-codespaces/managing-spending-limits-for-codespaces.md 
@@ -54,11 +54,13 @@ Enterprise owners and billing managers can manage the spending limit for {% data {% data reusables.codespaces.exporting-changes %} ## Managing usage and spending limit email notifications -Email notifications are sent to account owners and billing managers when spending reaches 50%, 75%, and 90% of your account's spending limit. +Email notifications are sent to account owners and billing managers when spending reaches 50%, 75%, 90%, and 100% of your account's spending limit. You can disable these notifications anytime by navigating to the bottom of the **Spending Limit** page. +![Screenshot of the billing email notification settings](/assets/images/help/billing/codespaces-spending-limit-notifications.png) + ## Further reading - "[Restricting access to machine types](/codespaces/managing-codespaces-for-your-organization/restricting-access-to-machine-types)" -- "[Managing billing for Codespaces in your organization](/codespaces/managing-codespaces-for-your-organization/managing-billing-for-codespaces-in-your-organization)" \ No newline at end of file +- "[Managing billing for Codespaces in your organization](/codespaces/managing-codespaces-for-your-organization/managing-billing-for-codespaces-in-your-organization)" diff --git a/data/reusables/billing/email-notifications.md b/data/reusables/billing/email-notifications.md index 56e9d3f6ac51..8dff9b48f51b 100644 --- a/data/reusables/billing/email-notifications.md +++ b/data/reusables/billing/email-notifications.md 
@@ -1,3 +1,5 @@ -Email notifications are sent to account owners and billing managers when spending reaches 50%, 75%, and 90% of your account's included usage and when spending reaches 50%, 75%, and 90% of your account's spending limit. +Email notifications are sent to account owners and billing managers when spending reaches 50%, 75%, 90% and 100% of your account's included usage and when spending reaches 50%, 75%, 90%, and 100% of your account's spending limit. You can disable these notifications anytime by navigating to the bottom of the **Spending Limit** page. + +![Screenshot of the billing email notification settings](/assets/images/help/billing/actions-packages-spending-limit-notifications.png)