From 541d6259354e8abe9ee6a0a78da793b0a0232627 Mon Sep 17 00:00:00 2001
From: Rachael Sewell
Date: Mon, 16 Oct 2023 15:08:52 -0700
Subject: [PATCH 1/2] Update linter error message (#44525)
---
 src/content-linter/scripts/lint-content.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/content-linter/scripts/lint-content.js b/src/content-linter/scripts/lint-content.js
index 99272087fc54..c875eee336af 100755
--- a/src/content-linter/scripts/lint-content.js
+++ b/src/content-linter/scripts/lint-content.js
@@ -207,7 +207,7 @@ async function main() {
 console.log('') // Just for some whitespace before the next message
 console.log(
 `Content linting found ${fixableFiles.length} ${pluralize(fixableFiles, 'file')} ` +
- 'that can be automatically fixed.\nTo apply the fixes run this command:\n',
+ 'that can be automatically fixed.\nTo apply the fixes run this command and re-add the changed files:\n',
 )
 console.log(` npm run lint-content -- --fix --paths ${fixableFiles.join(' ')}\n`)
 }
From f23c0f34d6a9af7f7342ce77b9709f84cecb19d4 Mon Sep 17 00:00:00 2001
From: Siara <108543037+SiaraMist@users.noreply.github.com>
Date: Mon, 16 Oct 2023 15:18:45 -0700
Subject: [PATCH 2/2] Prevent self reviews for secure deployments across Actions environments - [GA] (#44155)
---
 .../using-environments-for-deployment.md | 3 +++
 .../actions/managing-workflow-runs/reviewing-deployments.md | 6 ++++++
 data/features/deployments-prevent-self-approval.yml | 6 ++++++
 3 files changed, 15 insertions(+)
 create mode 100644 data/features/deployments-prevent-self-approval.yml
diff --git a/content/actions/deployment/targeting-different-environments/using-environments-for-deployment.md b/content/actions/deployment/targeting-different-environments/using-environments-for-deployment.md
index 8566817d78c4..ed596e54f5d6 100644
--- a/content/actions/deployment/targeting-different-environments/using-environments-for-deployment.md
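Review bot: The command printed on the line after the changed message, `npm run lint-content -- --fix --paths ${fixableFiles.join(' ')}`, is only copy-pasteable while no path contains whitespace or shell metacharacters, and the new wording now asks the user to run it verbatim and re-add the files. Quoting each path before joining would make the printed suggestion reliable, e.g. `${fixableFiles.map((p) => JSON.stringify(p)).join(' ')}`. Separately, the changed line still builds the message by `+`-concatenating a template literal with a plain string literal; folding both halves into one template literal would read more cleanly and match the other `console.log` in the hunk. main() continues outside the hunk.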
+++ b/content/actions/deployment/targeting-different-environments/using-environments-for-deployment.md
@@ -50,6 +50,8 @@ Third-party systems can be observability systems, change management systems, cod
 Use required reviewers to require a specific person or team to approve workflow jobs that reference the environment. You can list up to six users or teams as reviewers. The reviewers must have at least read access to the repository. Only one of the required reviewers needs to approve the job for it to proceed.
+{% ifversion deployments-prevent-self-approval %}You also have the option to prevent self-reviews for deployments to protected environments. If you enable this setting, users who initiate a deployment cannot approve the deployment job, even if they are a required reviewer. This ensures that deployments to protected environments are always reviewed by more than one person.{% endif %}
+
 For more information on reviewing jobs that reference an environment with required reviewers, see "[AUTOTITLE](/actions/managing-workflow-runs/reviewing-deployments)."
 {% ifversion fpt %}{% note %}
@@ -190,6 +192,7 @@ Variables stored in an environment are only available to workflow jobs that refe
 1. Optionally, specify people or teams that must approve workflow jobs that use this environment. For more information, see "[Required reviewers](#required-reviewers)."
 1. Select **Required reviewers**.
 1. Enter up to 6 people or teams. Only one of the required reviewers needs to approve the job for it to proceed.
+ {% ifversion deployments-prevent-self-approval %}1. Optionally, to prevent users from approving workflows runs that they triggered, select **Prevent self-review**.{% endif %}
 1. Click **Save protection rules**.
 1. Optionally, specify the amount of time to wait before allowing workflow jobs that use this environment to proceed. For more information, see "[Wait timer](#wait-timer)."
 1. Select **Wait timer**.
diff --git a/content/actions/managing-workflow-runs/reviewing-deployments.md b/content/actions/managing-workflow-runs/reviewing-deployments.md
index 3b605990a21a..0663969fe126 100644
--- a/content/actions/managing-workflow-runs/reviewing-deployments.md
+++ b/content/actions/managing-workflow-runs/reviewing-deployments.md
@@ -26,6 +26,12 @@ For more information about environments and required approvals, see "[AUTOTITLE]
 - To approve the job, click **Approve and deploy**. Once a job is approved (and any other deployment protection rules have passed), the job will proceed. At this point, the job can access any secrets stored in the environment.
 - To reject the job, click **Reject**. If a job is rejected, the workflow will fail.
+{% ifversion deployments-prevent-self-approval %}{% note %}
+ **Note:** If the targeted environment is configured to prevent self-approvals for deployments, you will not be able to approve a deployment from a workflow run you initiated. For more information, see "[AUTOTITLE](/actions/deployment/targeting-different-environments/using-environments-for-deployment#required-reviewers)."
+
+ {% endnote %}{% endif %}
+
 {% ifversion actions-break-glass %}
 ## Bypassing deployment protection rules
diff --git a/data/features/deployments-prevent-self-approval.yml b/data/features/deployments-prevent-self-approval.yml
new file mode 100644
index 000000000000..07033c526049
--- /dev/null
+++ b/data/features/deployments-prevent-self-approval.yml
@@ -0,0 +1,6 @@
+# Reference: #12088
+# Documentation for preventing self-review of deployments to protected environments
+versions:
+ fpt: '*'
+ ghec: '*'
+ ghes: '>=3.11'