Merge pull request github#35197 from github/repo-sync
Repo sync
docs-bot authored Nov 5, 2024
2 parents 6e10e88 + 211dee9 commit ea09c2b
Showing 6 changed files with 30 additions and 9 deletions.
Expand Up @@ -48,6 +48,7 @@ There are some limits on {% data variables.product.prodname_actions %} usage whe
* **Job execution time** - Each job in a workflow can run for up to 6 hours of execution time. If a job reaches this limit, the job is terminated and fails to complete.
{% data reusables.actions.usage-workflow-run-time %}
{% data reusables.actions.usage-api-requests %}
* **Webhook rate limit** - Each repository is limited to 1500 triggered events every 10 seconds.
* **Concurrent jobs** - The number of concurrent jobs you can run in your account depends on your {% data variables.product.prodname_dotcom %} plan, as well as the type of runner used. If exceeded, any additional jobs are queued.

**Standard {% data variables.product.prodname_dotcom %}-hosted runners**
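Review bot: the new "Webhook rate limit" bullet does not say what happens once a repository exceeds 1500 triggered events in 10 seconds, whereas the neighbouring bullets spell out the consequence ("the job is terminated and fails to complete", "any additional jobs are queued"). Add the outcome, e.g. whether excess events are dropped, delayed or retried, since that is what tells a maintainer whether a burst of pushes or tags can silently lose workflow runs. If the limit is per repository regardless of plan, say so, as the concurrent-jobs bullet does for plan-dependent limits.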
Expand Up @@ -136,6 +136,8 @@ Anyone can fork a public repository, then submit a pull request to propose chang

You can configure which pull requests require approval before they are run.

>[!WARNING] When requiring approvals only for first-time contributors (the first two settings), a user that has had any commit or pull request merged into the repository will not require approval. A malicious user could meet this requirement by getting a simple typo or other innocuous change accepted by a maintainer, either as part of a pull request they have authored or as part of another user's pull request.
* **Require approval for first-time contributors who are new to {% data variables.product.prodname_dotcom %}**. Requires approval for users who have never committed to the repository and have new {% data variables.product.prodname_dotcom %} accounts.
* **Require approval for first-time contributors**. Requires approval for users who have never committed to the repository.
* **Require approval for all outside collaborators**. Requires approval for all users who are not organization members.
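Review bot: the new `>[!WARNING]` alert puts the marker and its body on one line and runs straight into the `*` option list with no blank line; write it as `> [!WARNING]` on its own line with the body on following `>` lines and leave a blank line before the list, so renderers do not fold the first bullet into the alert. Separately, the third option here is still labelled "Require approval for all outside collaborators" while the settings reusable changed in this same commit renames it to "Require approval for all external contributors"; both files should use whatever label the UI actually shows.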
13 changes: 13 additions & 0 deletions data/reusables/actions/azure-vnet-procedures-prereqs.md
Expand Up @@ -135,9 +135,18 @@ You will use a script to automate configuring your Azure resources.
direction: 'Outbound'
destinationAddressPrefixes: [
'140.82.112.0/20'
'140.82.112.33/32'
'140.82.112.34/32'
'140.82.113.33/32'
'140.82.113.34/32'
'140.82.114.33/32'
'140.82.114.34/32'
'140.82.121.33/32'
'140.82.121.34/32'
'143.55.64.0/20'
'185.199.108.0/22'
'192.30.252.0/22'
'192.30.255.164/31'
'20.175.192.146/32'
'20.175.192.147/32'
'20.175.192.149/32'
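Review bot: most of the prefixes added in this hunk are already covered by existing entries: 140.82.112.33/32, 140.82.112.34/32, 140.82.113.33/32, 140.82.113.34/32, 140.82.114.33/32, 140.82.114.34/32, 140.82.121.33/32 and 140.82.121.34/32 all fall inside 140.82.112.0/20 on the line above, and 192.30.255.164/31 falls inside 192.30.252.0/22. They are harmless in an outbound NSG rule but add noise and make the list harder to audit; either drop the covered entries or add a comment stating that the array intentionally mirrors the published list verbatim.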
Expand Down Expand Up @@ -166,6 +175,7 @@ You will use a script to automate configuring your Azure resources.
'20.207.73.85/32'
'20.207.73.86/32'
'20.207.73.88/32'
'20.217.135.1/32'
'20.233.83.145/32'
'20.233.83.146/32'
'20.233.83.147/32'
Expand All @@ -178,6 +188,7 @@ You will use a script to automate configuring your Azure resources.
'20.248.137.55/32'
'20.26.156.215/32'
'20.26.156.216/32'
'20.26.156.211/32'
'20.27.177.113/32'
'20.27.177.114/32'
'20.27.177.116/32'
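Review bot: '20.26.156.211/32' is inserted after '20.26.156.216/32', breaking the ascending order the surrounding entries follow ('20.26.156.215/32', '20.26.156.216/32'); move it above '20.26.156.215/32' so duplicates and gaps stay easy to spot in future diffs.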
Expand All @@ -198,6 +209,8 @@ You will use a script to automate configuring your Azure resources.
'4.208.26.198/32'
'4.208.26.199/32'
'4.208.26.200/32'
'4.225.11.196/32'
'4.237.22.32/32'
]
}
}
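Review bot: this and the preceding three hunks hand-maintain GitHub's egress prefixes inside the NSG script (13 new entries in one sync alone), so the documented list will lag the real one. Suggest a sentence above the script telling readers to regenerate destinationAddressPrefixes from the `actions` array returned by the REST `GET /meta` endpoint before applying it, and a note that a stale or too-narrow list blocks the runner's outbound calls to GitHub rather than failing visibly at deployment time.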
11 changes: 7 additions & 4 deletions data/reusables/actions/workflow-run-approve-public-fork.md
@@ -1,9 +1,12 @@
Anyone can fork a public repository, and then submit a pull request that proposes changes to the repository's {% data variables.product.prodname_actions %} workflows. Although workflows from forks do not have access to sensitive data such as secrets, they can be an annoyance for maintainers if they are modified for abusive purposes.

To help prevent this, workflows on pull requests to public repositories from some outside contributors will not run automatically, and might need to be approved first. By default, all first-time contributors require approval to run workflows.
To help prevent this, workflows on pull requests to public repositories from some outside contributors will not run automatically, and might need to be approved first. Depending on the "Approval for running fork pull request workflows from contributors" setting, workflows on pull requests to public repositories will not run automatically and may need approval if:

{% note %}
* The pull request is **created by** a user that requires approvals based on the selected policy.
* The pull request event is **triggered by** a user that requires approvals based on the selected policy.

**Note:** Workflows triggered by `pull_request_target` events are run in the context of the base branch. Since the base branch is considered trusted, workflows triggered by these events will always run, regardless of approval settings. For more information about the `pull_request_target` event, see "[AUTOTITLE](/actions/using-workflows/events-that-trigger-workflows#pull_request_target)."
By default, all first-time contributors require approval to run workflows.

{% endnote %}
Workflows triggered by `pull_request_target` events are run in the context of the base branch. Since the base branch is considered trusted, workflows triggered by these events will always run, regardless of approval settings. For more information about the `pull_request_target` event, see "[AUTOTITLE](/actions/using-workflows/events-that-trigger-workflows#pull_request_target)."

>[!WARNING] These workflow approval policies are intended to restrict the set of users that can execute workflows in {% data variables.product.prodname_actions %} runners that could lead to unexpected resource and compute consumption when using {% data variables.product.prodname_dotcom %}-hosted runners. If you are using self-hosted runners, potentially malicious user-controlled workflow code will execute automatically if the user is allowed to bypass approval in the set approval policy or if the pull request is approved. You must consider the risk of executing this code in your infrastructure and should review and follow the self-hosted runner security recommendations regardless of the approval settings utilized. See "[AUTOTITLE](/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#hardening-for-self-hosted-runners)."
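Review bot: the unchanged opening sentence still states that workflows from forks "do not have access to sensitive data such as secrets", but the rewritten text below says `pull_request_target` workflows run in the trusted base-branch context and always run regardless of approval; that is exactly the trigger where secrets are available to the workflow, so the first sentence should be qualified to workflows triggered by `pull_request` from a fork. The new warning also deserves a split: its key point, that on self-hosted runners approval only gates who can run code and is not a sandbox, is buried in a single long line.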
10 changes: 6 additions & 4 deletions data/reusables/actions/workflows-from-public-fork-setting.md
@@ -1,7 +1,9 @@
1. Under **Fork pull request workflows from outside collaborators**, choose one of the options.
1. Under **Approval for running fork pull request workflows from contributors**, choose which subset of users will require approval before running workflows on their pull requests. Both the pull request author and the actor of the pull request event triggering the workflow will be checked to determine if approval is required. If approval is required, a user with write access to the repository must approve the pull request workflow to be run. See "[AUTOTITLE](/actions/managing-workflow-runs-and-deployments/managing-workflow-runs/approving-workflow-runs-from-public-forks)."

* **Require approval for first-time contributors who are new to {% data variables.product.prodname_dotcom %}**. This option requires approval to run workflows for users who have never committed to the repository and have new {% data variables.product.prodname_dotcom %} accounts.
* **Require approval for first-time contributors**. This option requires approval to run workflows for users who have never committed to the repository.
* **Require approval for all outside collaborators**. This option requires approval to run workflows for all users who are not repository collaborators. If the repository is owned by an organization, this option requires approval to run workflows for all repository collaborators who are not organization members.
>[!WARNING] When requiring approvals only for first-time contributors (the first two settings), a user that has had any commit or pull request merged into the repository will not require approval. A malicious user could meet this requirement by getting a simple typo or other innocuous change accepted by a maintainer, either as part of a pull request they have authored or as part of another user's pull request.
* **Require approval for first-time contributors who are new to {% data variables.product.prodname_dotcom %}**. Only users who are both new on {% data variables.product.prodname_dotcom %} and who have never had a commit or pull request merged into this repository will require approval to run workflows.
* **Require approval for first-time contributors**. Only users who have never had a commit or pull request merged into this repository will require approval to run workflows.
* **Require approval for all external contributors** All users that are not a member or owner of this repository and not a member of the organization will require approval to run workflows.

1. Click **Save** to apply the settings.
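Review bot: the new third option, "Require approval for all external contributors", is missing the period after the bold label that the other two bullets have, and "not a member or owner of this repository" is odd wording since repositories have collaborators and admins rather than members. The old bullet's second sentence ("If the repository is owned by an organization, this option requires approval to run workflows for all repository collaborators who are not organization members") carried a distinction between user-owned and organization-owned repositories that the replacement collapses; consider keeping it. Same alert formatting point as in the other file: put `> [!WARNING]` on its own line and leave a blank line before the list.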
2 changes: 1 addition & 1 deletion src/audit-logs/lib/config.json
Expand Up @@ -3,5 +3,5 @@
"apiOnlyEvents": "This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.",
"apiRequestEvent": "This event is only available via audit log streaming."
},
"sha": "f24d2c82d0610b6a63737094391ec356dcc54c09"
"sha": "4b879b4f2e7de0a99b0e5a109935b34ecd9e1cad"
}
